From 62bf8ed9e48c18169c43ae6c44f345f401bd4393 Mon Sep 17 00:00:00 2001 
From: Rene Mayrhofer Date: Sun, 3 Jun 2007 17:46:37 +0000 Subject: - Update to new upstream release. --- src/Makefile.am | 2 +- src/Makefile.in | 17 +- src/_copyright/Makefile.in | 15 + src/_updown/Makefile.in | 15 + src/_updown_espmark/Makefile.in | 15 + src/charon/Makefile.am | 195 +- src/charon/Makefile.in | 1933 ++++++++++--------- src/charon/bus/bus.c | 73 +- src/charon/bus/bus.h | 11 + src/charon/config/backend_manager.c | 229 +++ src/charon/config/backend_manager.h | 124 ++ src/charon/config/backends/backend.h | 96 + src/charon/config/backends/local_backend.c | 274 +++ src/charon/config/backends/local_backend.h | 60 + src/charon/config/backends/writeable_backend.h | 64 + src/charon/config/child_cfg.c | 449 +++++ src/charon/config/child_cfg.h | 251 +++ src/charon/config/configuration.c | 162 -- src/charon/config/configuration.h | 102 - src/charon/config/connections/connection.c | 404 ---- src/charon/config/connections/connection.h | 292 --- src/charon/config/connections/connection_store.h | 118 -- .../config/connections/local_connection_store.c | 237 --- .../config/connections/local_connection_store.h | 62 - .../config/credentials/local_credential_store.c | 360 ++-- .../config/credentials/local_credential_store.h | 3 +- src/charon/config/ike_cfg.c | 228 +++ src/charon/config/ike_cfg.h | 151 ++ src/charon/config/peer_cfg.c | 479 +++++ src/charon/config/peer_cfg.h | 368 ++++ src/charon/config/policies/local_policy_store.c | 282 --- src/charon/config/policies/local_policy_store.h | 60 - src/charon/config/policies/policy.c | 635 ------- src/charon/config/policies/policy.h | 413 ---- src/charon/config/policies/policy_store.h | 119 -- src/charon/config/proposal.c | 103 +- src/charon/config/proposal.h | 12 +- src/charon/config/traffic_selector.c | 20 + src/charon/control/interface_manager.c | 705 +++++++ src/charon/control/interface_manager.h | 192 ++ src/charon/control/interfaces/dbus_interface.c | 479 +++++ src/charon/control/interfaces/dbus_interface.h | 57 + 
src/charon/control/interfaces/interface.h | 59 + src/charon/control/interfaces/stroke_interface.c | 1728 +++++++++++++++++ src/charon/control/interfaces/stroke_interface.h | 60 + src/charon/control/interfaces/xml_interface.c | 63 + src/charon/control/interfaces/xml_interface.h | 57 + src/charon/daemon.c | 107 +- src/charon/daemon.h | 156 +- src/charon/encoding/message.c | 81 +- src/charon/kernel/kernel_interface.c | 1974 ++++++++++++++++++++ src/charon/kernel/kernel_interface.h | 335 ++++ src/charon/network/receiver.c | 377 ++++ src/charon/network/receiver.h | 81 + src/charon/network/sender.c | 155 ++ src/charon/network/sender.h | 74 + src/charon/network/socket.c | 44 +- src/charon/processing/event_queue.c | 290 +++ src/charon/processing/event_queue.h | 118 ++ src/charon/processing/job_queue.c | 139 ++ src/charon/processing/job_queue.h | 100 + src/charon/processing/jobs/acquire_job.c | 98 + src/charon/processing/jobs/acquire_job.h | 60 + src/charon/processing/jobs/delete_child_sa_job.c | 113 ++ src/charon/processing/jobs/delete_child_sa_job.h | 68 + src/charon/processing/jobs/delete_ike_sa_job.c | 126 ++ src/charon/processing/jobs/delete_ike_sa_job.h | 66 + src/charon/processing/jobs/job.c | 39 + src/charon/processing/jobs/job.h | 165 ++ src/charon/processing/jobs/process_message_job.c | 106 ++ src/charon/processing/jobs/process_message_job.h | 58 + src/charon/processing/jobs/rekey_child_sa_job.c | 112 ++ src/charon/processing/jobs/rekey_child_sa_job.h | 65 + src/charon/processing/jobs/rekey_ike_sa_job.c | 120 ++ src/charon/processing/jobs/rekey_ike_sa_job.h | 60 + src/charon/processing/jobs/retransmit_job.c | 109 ++ src/charon/processing/jobs/retransmit_job.h | 64 + src/charon/processing/jobs/send_dpd_job.c | 110 ++ src/charon/processing/jobs/send_dpd_job.h | 67 + src/charon/processing/jobs/send_keepalive_job.c | 103 + src/charon/processing/jobs/send_keepalive_job.h | 66 + src/charon/processing/scheduler.c | 104 ++ src/charon/processing/scheduler.h | 68 + 
src/charon/processing/thread_pool.c | 183 ++ src/charon/processing/thread_pool.h | 87 + src/charon/queues/event_queue.c | 290 --- src/charon/queues/event_queue.h | 118 -- src/charon/queues/job_queue.c | 139 -- src/charon/queues/job_queue.h | 100 - src/charon/queues/jobs/acquire_job.c | 98 - src/charon/queues/jobs/acquire_job.h | 60 - src/charon/queues/jobs/delete_child_sa_job.c | 113 -- src/charon/queues/jobs/delete_child_sa_job.h | 68 - src/charon/queues/jobs/delete_ike_sa_job.c | 126 -- src/charon/queues/jobs/delete_ike_sa_job.h | 66 - src/charon/queues/jobs/initiate_job.c | 112 -- src/charon/queues/jobs/initiate_job.h | 61 - src/charon/queues/jobs/job.c | 39 - src/charon/queues/jobs/job.h | 165 -- src/charon/queues/jobs/process_message_job.c | 106 -- src/charon/queues/jobs/process_message_job.h | 58 - src/charon/queues/jobs/rekey_child_sa_job.c | 112 -- src/charon/queues/jobs/rekey_child_sa_job.h | 65 - src/charon/queues/jobs/rekey_ike_sa_job.c | 120 -- src/charon/queues/jobs/rekey_ike_sa_job.h | 60 - src/charon/queues/jobs/retransmit_job.c | 109 -- src/charon/queues/jobs/retransmit_job.h | 64 - src/charon/queues/jobs/route_job.c | 125 -- src/charon/queues/jobs/route_job.h | 59 - src/charon/queues/jobs/send_dpd_job.c | 110 -- src/charon/queues/jobs/send_dpd_job.h | 68 - src/charon/queues/jobs/send_keepalive_job.c | 103 - src/charon/queues/jobs/send_keepalive_job.h | 67 - src/charon/sa/authenticators/eap/eap_method.c | 35 +- src/charon/sa/authenticators/eap/eap_sim.c | 104 +- src/charon/sa/authenticators/eap_authenticator.c | 58 +- src/charon/sa/authenticators/psk_authenticator.c | 10 +- src/charon/sa/authenticators/rsa_authenticator.c | 37 +- src/charon/sa/child_sa.c | 231 +-- src/charon/sa/child_sa.h | 44 +- src/charon/sa/ike_sa.c | 713 ++++--- src/charon/sa/ike_sa.h | 124 +- src/charon/sa/ike_sa_id.c | 28 - src/charon/sa/ike_sa_manager.c | 24 +- src/charon/sa/task_manager.c | 22 +- src/charon/sa/task_manager.h | 40 + src/charon/sa/tasks/child_create.c | 259 
++- src/charon/sa/tasks/child_create.h | 6 +- src/charon/sa/tasks/child_delete.c | 22 + src/charon/sa/tasks/child_rekey.c | 19 +- src/charon/sa/tasks/ike_auth.c | 66 +- src/charon/sa/tasks/ike_cert.c | 50 +- src/charon/sa/tasks/ike_config.c | 45 +- src/charon/sa/tasks/ike_config.h | 5 +- src/charon/sa/tasks/ike_delete.c | 3 +- src/charon/sa/tasks/ike_init.c | 137 +- src/charon/sa/tasks/ike_rekey.c | 77 +- src/charon/threads/kernel_interface.c | 1964 ------------------- src/charon/threads/kernel_interface.h | 331 ---- src/charon/threads/receiver.c | 372 ---- src/charon/threads/receiver.h | 81 - src/charon/threads/scheduler.c | 102 - src/charon/threads/scheduler.h | 68 - src/charon/threads/sender.c | 149 -- src/charon/threads/sender.h | 74 - src/charon/threads/stroke_interface.c | 1456 --------------- src/charon/threads/stroke_interface.h | 61 - src/charon/threads/thread_pool.c | 181 -- src/charon/threads/thread_pool.h | 87 - src/include/Makefile.am | 2 + src/include/Makefile.in | 358 ++++ src/include/linux/ipsec.h | 46 + src/include/linux/netlink.h | 241 +++ src/include/linux/pfkeyv2.h | 348 ++++ src/include/linux/rtnetlink.h | 1072 +++++++++++ src/include/linux/udp.h | 63 + src/include/linux/xfrm.h | 343 ++++ src/ipsec/Makefile.in | 15 + src/ipsec/ipsec.in | 12 +- src/libcrypto/Makefile.am | 4 +- src/libcrypto/Makefile.in | 55 +- src/libcrypto/libdes/des_opts.c | 620 ------ src/libcrypto/libdes/speed.c | 329 ---- src/libfreeswan/Makefile.in | 15 + src/libfreeswan/ipsec_ah.h | 124 -- src/libfreeswan/ipsec_encap.h | 88 - src/libfreeswan/ipsec_eroute.h | 21 - src/libfreeswan/ipsec_errs.h | 21 - src/libfreeswan/ipsec_esp.h | 140 -- src/libfreeswan/ipsec_ipe4.h | 41 - src/libfreeswan/ipsec_kversion.h | 36 - src/libfreeswan/ipsec_life.h | 22 - src/libfreeswan/ipsec_md5h.h | 57 - src/libfreeswan/ipsec_rcv.h | 124 -- src/libfreeswan/ipsec_sa.h | 86 - src/libfreeswan/ipsec_sha1.h | 47 - src/libfreeswan/ipsec_tunnel.h | 139 +- src/libfreeswan/ipsec_xform.h | 190 -- 
src/libfreeswan/pfkey.h | 172 -- src/libfreeswan/pfkey_v2_debug.c | 49 - src/libfreeswan/pfkey_v2_ext_bits.c | 65 - src/libfreeswan/pfkey_v2_parse.c | 225 --- src/libfreeswan/radij.h | 79 - src/libstrongswan/Makefile.am | 1 + src/libstrongswan/Makefile.in | 26 +- src/libstrongswan/asn1/asn1.c | 40 + src/libstrongswan/asn1/asn1.h | 2 + src/libstrongswan/asn1/oid.c | 283 +-- src/libstrongswan/asn1/oid.h | 112 +- src/libstrongswan/asn1/oid.txt | 7 +- src/libstrongswan/chunk.c | 1 + src/libstrongswan/credential_store.h | 47 +- src/libstrongswan/crypto/ac.c | 665 +++++++ src/libstrongswan/crypto/ac.h | 81 + src/libstrongswan/crypto/ca.c | 179 +- src/libstrongswan/crypto/ca.h | 38 +- src/libstrongswan/crypto/certinfo.c | 48 - src/libstrongswan/crypto/crl.c | 80 +- src/libstrongswan/crypto/crl.h | 9 + src/libstrongswan/crypto/ocsp.c | 2 +- src/libstrongswan/crypto/x509.c | 261 ++- src/libstrongswan/crypto/x509.h | 76 +- src/libstrongswan/library.h | 9 + src/libstrongswan/printf_hook.h | 16 - src/libstrongswan/utils/fetcher.c | 3 + src/libstrongswan/utils/host.c | 2 +- src/libstrongswan/utils/identification.c | 16 +- src/openac/Makefile.in | 15 + src/openac/build.c | 261 ++- src/openac/openac.c | 628 +++---- src/pluto/Makefile.am | 3 +- src/pluto/Makefile.in | 18 +- src/pluto/crl.c | 14 +- src/pluto/crl.h | 1 + src/pluto/fetch.c | 3 + src/pluto/kernel_netlink.c | 4 +- src/pluto/keys.c | 2 +- src/pluto/linux26/netlink.h | 90 - src/pluto/linux26/rtnetlink.h | 562 ------ src/pluto/linux26/xfrm.h | 233 --- src/pluto/modecfg.c | 3 +- src/pluto/oid.c | 283 +-- src/pluto/oid.h | 115 +- src/pluto/oid.txt | 1 + src/pluto/plutomain.c | 29 + src/pluto/vendor.c | 4 +- src/pluto/vendor.h | 2 + src/pluto/xauth.c | 2 +- src/pluto/xauth.h | 2 +- src/scepclient/Makefile.in | 15 + src/starter/Makefile.in | 15 + src/starter/args.c | 8 +- src/starter/confread.h | 40 +- src/starter/invokecharon.c | 17 +- src/starter/invokepluto.c | 5 + src/starter/ipsec.conf.5 | 18 +- 
src/starter/starterstroke.c | 3 +- src/starter/y.tab.c | 2 +- src/starter/y.tab.h | 2 +- src/stroke/Makefile.in | 15 + src/stroke/stroke.c | 5 + src/stroke/stroke.h | 23 +- src/stroke/stroke_keywords.c | 108 +- src/stroke/stroke_keywords.h | 5 + src/stroke/stroke_keywords.txt | 5 + src/whack/Makefile.in | 15 + 246 files changed, 20019 insertions(+), 17757 deletions(-) create mode 100644 src/charon/config/backend_manager.c create mode 100644 src/charon/config/backend_manager.h create mode 100644 src/charon/config/backends/backend.h create mode 100644 src/charon/config/backends/local_backend.c create mode 100644 src/charon/config/backends/local_backend.h create mode 100644 src/charon/config/backends/writeable_backend.h create mode 100644 src/charon/config/child_cfg.c create mode 100644 src/charon/config/child_cfg.h delete mode 100755 src/charon/config/configuration.c delete mode 100755 src/charon/config/configuration.h delete mode 100644 src/charon/config/connections/connection.c delete mode 100644 src/charon/config/connections/connection.h delete mode 100755 src/charon/config/connections/connection_store.h delete mode 100644 src/charon/config/connections/local_connection_store.c delete mode 100644 src/charon/config/connections/local_connection_store.h create mode 100644 src/charon/config/ike_cfg.c create mode 100644 src/charon/config/ike_cfg.h create mode 100644 src/charon/config/peer_cfg.c create mode 100644 src/charon/config/peer_cfg.h delete mode 100644 src/charon/config/policies/local_policy_store.c delete mode 100644 src/charon/config/policies/local_policy_store.h delete mode 100644 src/charon/config/policies/policy.c delete mode 100644 src/charon/config/policies/policy.h delete mode 100755 src/charon/config/policies/policy_store.h create mode 100644 src/charon/control/interface_manager.c create mode 100644 src/charon/control/interface_manager.h create mode 100644 src/charon/control/interfaces/dbus_interface.c create mode 100644 
src/charon/control/interfaces/dbus_interface.h create mode 100644 src/charon/control/interfaces/interface.h create mode 100755 src/charon/control/interfaces/stroke_interface.c create mode 100644 src/charon/control/interfaces/stroke_interface.h create mode 100644 src/charon/control/interfaces/xml_interface.c create mode 100644 src/charon/control/interfaces/xml_interface.h create mode 100644 src/charon/kernel/kernel_interface.c create mode 100644 src/charon/kernel/kernel_interface.h create mode 100644 src/charon/network/receiver.c create mode 100644 src/charon/network/receiver.h create mode 100644 src/charon/network/sender.c create mode 100644 src/charon/network/sender.h create mode 100644 src/charon/processing/event_queue.c create mode 100644 src/charon/processing/event_queue.h create mode 100644 src/charon/processing/job_queue.c create mode 100644 src/charon/processing/job_queue.h create mode 100644 src/charon/processing/jobs/acquire_job.c create mode 100644 src/charon/processing/jobs/acquire_job.h create mode 100644 src/charon/processing/jobs/delete_child_sa_job.c create mode 100644 src/charon/processing/jobs/delete_child_sa_job.h create mode 100644 src/charon/processing/jobs/delete_ike_sa_job.c create mode 100644 src/charon/processing/jobs/delete_ike_sa_job.h create mode 100644 src/charon/processing/jobs/job.c create mode 100644 src/charon/processing/jobs/job.h create mode 100644 src/charon/processing/jobs/process_message_job.c create mode 100644 src/charon/processing/jobs/process_message_job.h create mode 100644 src/charon/processing/jobs/rekey_child_sa_job.c create mode 100644 src/charon/processing/jobs/rekey_child_sa_job.h create mode 100644 src/charon/processing/jobs/rekey_ike_sa_job.c create mode 100644 src/charon/processing/jobs/rekey_ike_sa_job.h create mode 100644 src/charon/processing/jobs/retransmit_job.c create mode 100644 src/charon/processing/jobs/retransmit_job.h create mode 100644 src/charon/processing/jobs/send_dpd_job.c create mode 100644 
src/charon/processing/jobs/send_dpd_job.h create mode 100644 src/charon/processing/jobs/send_keepalive_job.c create mode 100644 src/charon/processing/jobs/send_keepalive_job.h create mode 100644 src/charon/processing/scheduler.c create mode 100644 src/charon/processing/scheduler.h create mode 100644 src/charon/processing/thread_pool.c create mode 100644 src/charon/processing/thread_pool.h delete mode 100644 src/charon/queues/event_queue.c delete mode 100644 src/charon/queues/event_queue.h delete mode 100644 src/charon/queues/job_queue.c delete mode 100644 src/charon/queues/job_queue.h delete mode 100644 src/charon/queues/jobs/acquire_job.c delete mode 100644 src/charon/queues/jobs/acquire_job.h delete mode 100644 src/charon/queues/jobs/delete_child_sa_job.c delete mode 100644 src/charon/queues/jobs/delete_child_sa_job.h delete mode 100644 src/charon/queues/jobs/delete_ike_sa_job.c delete mode 100644 src/charon/queues/jobs/delete_ike_sa_job.h delete mode 100644 src/charon/queues/jobs/initiate_job.c delete mode 100644 src/charon/queues/jobs/initiate_job.h delete mode 100644 src/charon/queues/jobs/job.c delete mode 100644 src/charon/queues/jobs/job.h delete mode 100644 src/charon/queues/jobs/process_message_job.c delete mode 100644 src/charon/queues/jobs/process_message_job.h delete mode 100644 src/charon/queues/jobs/rekey_child_sa_job.c delete mode 100644 src/charon/queues/jobs/rekey_child_sa_job.h delete mode 100644 src/charon/queues/jobs/rekey_ike_sa_job.c delete mode 100644 src/charon/queues/jobs/rekey_ike_sa_job.h delete mode 100644 src/charon/queues/jobs/retransmit_job.c delete mode 100644 src/charon/queues/jobs/retransmit_job.h delete mode 100644 src/charon/queues/jobs/route_job.c delete mode 100644 src/charon/queues/jobs/route_job.h delete mode 100644 src/charon/queues/jobs/send_dpd_job.c delete mode 100644 src/charon/queues/jobs/send_dpd_job.h delete mode 100644 src/charon/queues/jobs/send_keepalive_job.c delete mode 100644 
src/charon/queues/jobs/send_keepalive_job.h delete mode 100644 src/charon/threads/kernel_interface.c delete mode 100644 src/charon/threads/kernel_interface.h delete mode 100644 src/charon/threads/receiver.c delete mode 100644 src/charon/threads/receiver.h delete mode 100644 src/charon/threads/scheduler.c delete mode 100644 src/charon/threads/scheduler.h delete mode 100644 src/charon/threads/sender.c delete mode 100644 src/charon/threads/sender.h delete mode 100755 src/charon/threads/stroke_interface.c delete mode 100644 src/charon/threads/stroke_interface.h delete mode 100644 src/charon/threads/thread_pool.c delete mode 100644 src/charon/threads/thread_pool.h create mode 100644 src/include/Makefile.am create mode 100644 src/include/Makefile.in create mode 100644 src/include/linux/ipsec.h create mode 100644 src/include/linux/netlink.h create mode 100644 src/include/linux/pfkeyv2.h create mode 100644 src/include/linux/rtnetlink.h create mode 100644 src/include/linux/udp.h create mode 100644 src/include/linux/xfrm.h delete mode 100644 src/libcrypto/libdes/des_opts.c delete mode 100644 src/libcrypto/libdes/speed.c create mode 100644 src/libstrongswan/crypto/ac.c create mode 100644 src/libstrongswan/crypto/ac.h delete mode 100644 src/pluto/linux26/netlink.h delete mode 100644 src/pluto/linux26/rtnetlink.h delete mode 100644 src/pluto/linux26/xfrm.h (limited to 'src')
diff --git a/src/Makefile.am b/src/Makefile.am
index a3f90f39e..204a211e4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1 +1 @@
-SUBDIRS = libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright
+SUBDIRS = include libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright
diff --git a/src/Makefile.in b/src/Makefile.in
index 6fa95d413..9fb649725 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
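Review bot: The `include` directory that this hunk puts at the head of SUBDIRS carries private copies of Linux kernel headers (src/include/linux/ipsec.h, netlink.h, pfkeyv2.h, rtnetlink.h, udp.h and xfrm.h in the diffstat), yet neither the hunk nor the commit message records which kernel release they were copied from or under what condition they are preferred over the system headers. Vendored UAPI headers tend to drift from the running kernel's XFRM/netlink ABI and silently miss later fixes, which matters for the new kernel_interface.c that consumes them, so the provenance should be written down where a maintainer refreshing them will look. I would add a header comment to src/include/Makefile.am (outside this hunk) along the lines of `# Private copies of Linux UAPI headers (ipsec, netlink, pfkeyv2, rtnetlink, udp, xfrm), taken from kernel <release>; keep in sync with upstream.` The `LINUX_HEADERS` substitution that appears in the generated Makefile.in hunks below looks like the configure-time switch that decides whether these copies are used, but that is inferred from the variable name only and should be confirmed against configure.in and noted in the same comment.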
@@ -99,6 +99,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -111,6 +112,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -121,8 +123,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -144,6 +150,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -153,6 +160,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -166,9 +175,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ 
@@ -183,7 +196,9 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ -SUBDIRS = libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +SUBDIRS = include libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright all: all-recursive .SUFFIXES: diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 7e78b9185..68d2f0484 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -115,6 +115,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -127,6 +128,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -137,8 +139,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -160,6 +166,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ 
@@ -169,6 +176,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -182,9 +191,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -199,6 +212,8 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ _copyright_SOURCES = _copyright.c dist_man8_MANS = _copyright.8 INCLUDES = -I$(top_srcdir)/src/libfreeswan diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index ccb176fbc..9118eef49 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -98,6 +98,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -110,6 +111,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ 
@@ -120,8 +122,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -143,6 +149,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -152,6 +159,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -165,9 +174,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -182,6 +195,8 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ dist_ipsec_SCRIPTS = _updown dist_man8_MANS = _updown.8 all: all-am diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index 0286c8f58..da105b469 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in 
@@ -98,6 +98,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -110,6 +111,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -120,8 +122,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -143,6 +149,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -152,6 +159,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -165,9 +174,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ 
@@ -182,6 +195,8 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ dist_ipsec_SCRIPTS = _updown_espmark dist_man8_MANS = _updown_espmark.8 all: all-am diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index 9522b6e6d..a64d9fa70 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am 
@@ -1,87 +1,144 @@ -# SUBDIRS = . testing -eap_LTLIBRARIES = libeapidentity.la - -# always build EAP Identity module -libeapidentity_la_SOURCES = sa/authenticators/eap/eap_identity.h sa/authenticators/eap/eap_identity.c -libeapidentity_la_LDFLAGS = -module - -# build optional EAP modules -if BUILD_EAP_SIM - eap_LTLIBRARIES += libeapsim.la - libeapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c - libeapsim_la_LDFLAGS = -module -endif ipsec_PROGRAMS = charon charon_SOURCES = \ bus/bus.c bus/bus.h \ -bus/listeners/sys_logger.c bus/listeners/sys_logger.h \ bus/listeners/file_logger.c bus/listeners/file_logger.h \ -config/connections/connection.c config/connections/connection.h \ -config/connections/local_connection_store.c config/connections/local_connection_store.h config/connections/connection_store.h \ -config/policies/policy.c config/policies/policy.h \ -config/policies/local_policy_store.c config/policies/policy_store.h config/policies/local_policy_store.h \ +bus/listeners/sys_logger.c bus/listeners/sys_logger.h \ +config/backends/backend.h config/backends/writeable_backend.h \ +config/backend_manager.c config/backend_manager.h \ +config/child_cfg.c config/child_cfg.h \ config/credentials/local_credential_store.c config/credentials/local_credential_store.h \ +config/ike_cfg.c config/ike_cfg.h \ +config/peer_cfg.c config/peer_cfg.h \ +config/proposal.c config/proposal.h \ config/traffic_selector.c config/traffic_selector.h \ -config/proposal.c config/proposal.h config/configuration.c config/configuration.h \ -sa/authenticators/eap_authenticator.h sa/authenticators/eap_authenticator.c \ -sa/authenticators/eap/eap_method.h sa/authenticators/eap/eap_method.c \ -sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \ -sa/ike_sa_id.c sa/ike_sa_id.h sa/tasks/task.c sa/tasks/task.h \ -sa/tasks/ike_init.c sa/tasks/ike_init.h \ -sa/tasks/ike_natd.c sa/tasks/ike_natd.h \ +control/interfaces/interface.h \ 
+control/interface_manager.c control/interface_manager.h \
+daemon.c daemon.h \
+encoding/generator.c encoding/generator.h \
+encoding/message.c encoding/message.h \
+encoding/parser.c encoding/parser.h \
+encoding/payloads/auth_payload.c encoding/payloads/auth_payload.h \
+encoding/payloads/cert_payload.c encoding/payloads/cert_payload.h \
+encoding/payloads/certreq_payload.c encoding/payloads/certreq_payload.h \
+encoding/payloads/configuration_attribute.c encoding/payloads/configuration_attribute.h \
+encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
+encoding/payloads/delete_payload.c encoding/payloads/delete_payload.h \
+encoding/payloads/eap_payload.c encoding/payloads/eap_payload.h \
+encoding/payloads/encodings.c encoding/payloads/encodings.h \
+encoding/payloads/encryption_payload.c encoding/payloads/encryption_payload.h \
+encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
+encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
+encoding/payloads/ke_payload.c encoding/payloads/ke_payload.h \
+encoding/payloads/nonce_payload.c encoding/payloads/nonce_payload.h \
+encoding/payloads/notify_payload.c encoding/payloads/notify_payload.h \
+encoding/payloads/payload.c encoding/payloads/payload.h \
+encoding/payloads/proposal_substructure.c encoding/payloads/proposal_substructure.h \
+encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \
+encoding/payloads/traffic_selector_substructure.c encoding/payloads/traffic_selector_substructure.h \
+encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
+encoding/payloads/transform_substructure.c encoding/payloads/transform_substructure.h \
+encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
+encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
+encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+network/packet.c network/packet.h \
+network/receiver.c network/receiver.h \
+network/sender.c network/sender.h \
+network/socket.c network/socket.h \
+processing/event_queue.c processing/event_queue.h \
+processing/job_queue.c processing/job_queue.h \
+processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
+processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
+processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
+processing/jobs/job.c processing/jobs/job.h \
+processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
+processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
+processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
+processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
+processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
+processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
+processing/scheduler.c processing/scheduler.h \
+processing/thread_pool.c processing/thread_pool.h \
+sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
+sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
+sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
+sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
+sa/authenticators/rsa_authenticator.c sa/authenticators/rsa_authenticator.h \
+sa/child_sa.c sa/child_sa.h \
+sa/ike_sa.c sa/ike_sa.h \
+sa/ike_sa_id.c sa/ike_sa_id.h \
+sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/task_manager.c sa/task_manager.h \
+sa/tasks/child_create.c sa/tasks/child_create.h \
+sa/tasks/child_delete.c sa/tasks/child_delete.h \
+sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
 sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-sa/tasks/ike_config.c sa/tasks/ike_config.h \
 sa/tasks/ike_cert.c sa/tasks/ike_cert.h \
-sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/ike_config.c sa/tasks/ike_config.h \
 sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
 sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
-sa/tasks/child_create.c sa/tasks/child_create.h \
-sa/tasks/child_delete.c sa/tasks/child_delete.h \
-sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
-sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
-sa/authenticators/rsa_authenticator.c sa/authenticators/rsa_authenticator.h \
-sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
-sa/task_manager.c sa/task_manager.h encoding/payloads/encryption_payload.c \
-encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
-encoding/payloads/configuration_attribute.h encoding/payloads/proposal_substructure.h \
-encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
-encoding/payloads/configuration_attribute.c encoding/payloads/transform_substructure.c \
-encoding/payloads/encryption_payload.h encoding/payloads/auth_payload.c encoding/payloads/ike_header.c \
-encoding/payloads/transform_substructure.h encoding/payloads/nonce_payload.c encoding/payloads/cert_payload.h \
-encoding/payloads/eap_payload.c encoding/payloads/ike_header.h encoding/payloads/auth_payload.h \
-encoding/payloads/ts_payload.c encoding/payloads/traffic_selector_substructure.h encoding/payloads/nonce_payload.h \
-encoding/payloads/notify_payload.c encoding/payloads/eap_payload.h encoding/payloads/notify_payload.h \
-encoding/payloads/ts_payload.h encoding/payloads/id_payload.c encoding/payloads/ke_payload.c \
-encoding/payloads/unknown_payload.c encoding/payloads/encodings.c encoding/payloads/id_payload.h \
-encoding/payloads/cp_payload.c encoding/payloads/delete_payload.c encoding/payloads/sa_payload.c \
-encoding/payloads/ke_payload.h encoding/payloads/unknown_payload.h encoding/payloads/encodings.h \
-encoding/payloads/certreq_payload.c encoding/payloads/cp_payload.h encoding/payloads/delete_payload.h \
-encoding/payloads/sa_payload.h encoding/payloads/vendor_id_payload.c 
encoding/payloads/certreq_payload.h \ -encoding/payloads/vendor_id_payload.h encoding/payloads/proposal_substructure.c encoding/payloads/payload.c \ -encoding/parser.h encoding/message.c encoding/generator.c encoding/message.h encoding/generator.h \ -encoding/parser.c daemon.c daemon.h network/packet.c \ -network/socket.c network/packet.h network/socket.h queues/jobs/job.h queues/jobs/job.c \ -queues/jobs/retransmit_job.h queues/jobs/initiate_job.h \ -queues/jobs/process_message_job.h queues/jobs/process_message_job.c \ -queues/jobs/delete_ike_sa_job.c queues/jobs/delete_ike_sa_job.h \ -queues/jobs/retransmit_job.c queues/jobs/initiate_job.c \ -queues/jobs/send_keepalive_job.c queues/jobs/send_keepalive_job.h \ -queues/jobs/rekey_child_sa_job.c queues/jobs/rekey_child_sa_job.h queues/jobs/delete_child_sa_job.c queues/jobs/delete_child_sa_job.h \ -queues/jobs/send_dpd_job.c queues/jobs/send_dpd_job.h queues/jobs/route_job.c queues/jobs/route_job.h \ -queues/jobs/acquire_job.c queues/jobs/acquire_job.h queues/jobs/rekey_ike_sa_job.c queues/jobs/rekey_ike_sa_job.h \ -queues/job_queue.c queues/event_queue.c queues/job_queue.h queues/event_queue.h \ -threads/kernel_interface.c threads/thread_pool.c threads/scheduler.c threads/sender.c \ -threads/sender.h threads/kernel_interface.h threads/scheduler.h threads/receiver.c threads/stroke_interface.c \ -threads/thread_pool.h threads/receiver.h threads/stroke_interface.h - -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke -AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" +sa/tasks/ike_init.c sa/tasks/ike_init.h \ +sa/tasks/ike_natd.c sa/tasks/ike_natd.h \ +sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \ +sa/tasks/task.c sa/tasks/task.h + + +INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke +AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" 
-DIPSEC_PIDDIR=\"${piddir}\" \ + -DIPSEC_EAPDIR=\"${eapdir}\" -DIPSEC_BACKENDDIR=\"${backenddir}\" -DIPSEC_INTERFACEDIR=\"${interfacedir}\" charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp -lpthread -lm -ldl if USE_LIBCURL - charon_LDADD += -lcurl + charon_LDADD += -lcurl +endif + + +# build EAP plugins, EAP-Identity is always built +################################################# +eap_LTLIBRARIES = + +eap_LTLIBRARIES += libeapidentity.la +libeapidentity_la_SOURCES = sa/authenticators/eap/eap_identity.h sa/authenticators/eap/eap_identity.c +libeapidentity_la_LDFLAGS = -module + +if BUILD_EAP_SIM + eap_LTLIBRARIES += libeapsim.la + libeapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c + libeapsim_la_LDFLAGS = -module +endif + +# build backends, local backend is always built +############################################### +backend_LTLIBRARIES = + +backend_LTLIBRARIES += liblocal.la +liblocal_la_SOURCES = config/backends/local_backend.h config/backends/local_backend.c +liblocal_la_LDFLAGS = -module + +# build control interfaces, stroke interface is always built +############################################################ +interface_LTLIBRARIES = + +interface_LTLIBRARIES += libstroke.la +libstroke_la_SOURCES = control/interfaces/stroke_interface.h control/interfaces/stroke_interface.c +libstroke_la_LDFLAGS = -module + +if USE_LIBDBUS + interface_LTLIBRARIES += libdbus.la + libdbus_la_SOURCES = control/interfaces/dbus_interface.h control/interfaces/dbus_interface.c + libdbus_la_LDFLAGS = -module + libdbus_la_LIBADD = ${dbus_LIBS} + INCLUDES += ${dbus_CFLAGS} +endif + +if USE_LIBXML + interface_LTLIBRARIES += libxml.la + libxml_la_SOURCES = control/interfaces/xml_interface.h control/interfaces/xml_interface.c + libxml_la_LDFLAGS = -module + libxml_la_LIBADD = ${xml_LIBS} + INCLUDES += ${xml_CFLAGS} endif diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index 0f2979d32..9f4177f60 100644 
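Review bot: The three plugin directories compiled in on the `AM_CFLAGS` line (`-DIPSEC_EAPDIR`, `-DIPSEC_BACKENDDIR`, `-DIPSEC_INTERFACEDIR`) are the paths from which charon will presumably load the `-module` objects built below (it links `-ldl`), yet nothing constrains them: a `backenddir` or `interfacedir` left unset at configure time expands to `-DIPSEC_BACKENDDIR=\"\"`, i.e. a lookup relative to the daemon's working directory. Anything loaded from these directories runs with the IKE daemon's full privileges, and `-rdynamic` additionally exports every symbol of charon to whatever is loaded, so the paths need to be absolute and writable only by root. I would add above `AM_CFLAGS`: `# IPSEC_{EAP,BACKEND,INTERFACE}DIR are compiled in as the directories charon loads plugins from; they must be absolute paths owned by root and not writable by any unprivileged user`, and have configure reject empty values (`test -n "$backenddir" -a -n "$interfacedir"`). That charon actually dlopen()s from these paths is inferred from the `-ldl`/`-module` pairing and the directory defines; the loader itself is not in this hunk.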
--- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -14,8 +14,6 @@ @SET_MAKE@ -# SUBDIRS = . testing - srcdir = @srcdir@ top_srcdir = @top_srcdir@ @@ -39,11 +37,13 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ - -# build optional EAP modules -@BUILD_EAP_SIM_TRUE@am__append_1 = libeapsim.la ipsec_PROGRAMS = charon$(EXEEXT) -@USE_LIBCURL_TRUE@am__append_2 = -lcurl +@USE_LIBCURL_TRUE@am__append_1 = -lcurl +@BUILD_EAP_SIM_TRUE@am__append_2 = libeapsim.la +@USE_LIBDBUS_TRUE@am__append_3 = libdbus.la +@USE_LIBDBUS_TRUE@am__append_4 = ${dbus_CFLAGS} +@USE_LIBXML_TRUE@am__append_5 = libxml.la +@USE_LIBXML_TRUE@am__append_6 = ${xml_CFLAGS} subdir = src/charon DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -58,9 +58,20 @@ am__vpath_adj = case $$p in \ *) f=$$p;; \ esac; am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; -am__installdirs = "$(DESTDIR)$(eapdir)" "$(DESTDIR)$(ipsecdir)" +am__installdirs = "$(DESTDIR)$(backenddir)" "$(DESTDIR)$(eapdir)" \ + "$(DESTDIR)$(interfacedir)" "$(DESTDIR)$(ipsecdir)" +backendLTLIBRARIES_INSTALL = $(INSTALL) eapLTLIBRARIES_INSTALL = $(INSTALL) -LTLIBRARIES = $(eap_LTLIBRARIES) +interfaceLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(backend_LTLIBRARIES) $(eap_LTLIBRARIES) \ + $(interface_LTLIBRARIES) +am__DEPENDENCIES_1 = +@USE_LIBDBUS_TRUE@libdbus_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am__libdbus_la_SOURCES_DIST = control/interfaces/dbus_interface.h \ + control/interfaces/dbus_interface.c +@USE_LIBDBUS_TRUE@am_libdbus_la_OBJECTS = dbus_interface.lo +libdbus_la_OBJECTS = $(am_libdbus_la_OBJECTS) +@USE_LIBDBUS_TRUE@am_libdbus_la_rpath = -rpath $(interfacedir) libeapidentity_la_LIBADD = am_libeapidentity_la_OBJECTS = eap_identity.lo libeapidentity_la_OBJECTS = $(am_libeapidentity_la_OBJECTS) 
@@ -70,49 +81,56 @@ am__libeapsim_la_SOURCES_DIST = sa/authenticators/eap/eap_sim.h \ @BUILD_EAP_SIM_TRUE@am_libeapsim_la_OBJECTS = eap_sim.lo libeapsim_la_OBJECTS = $(am_libeapsim_la_OBJECTS) @BUILD_EAP_SIM_TRUE@am_libeapsim_la_rpath = -rpath $(eapdir) +liblocal_la_LIBADD = +am_liblocal_la_OBJECTS = local_backend.lo +liblocal_la_OBJECTS = $(am_liblocal_la_OBJECTS) +libstroke_la_LIBADD = +am_libstroke_la_OBJECTS = stroke_interface.lo +libstroke_la_OBJECTS = $(am_libstroke_la_OBJECTS) +@USE_LIBXML_TRUE@libxml_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am__libxml_la_SOURCES_DIST = control/interfaces/xml_interface.h \ + control/interfaces/xml_interface.c +@USE_LIBXML_TRUE@am_libxml_la_OBJECTS = xml_interface.lo +libxml_la_OBJECTS = $(am_libxml_la_OBJECTS) +@USE_LIBXML_TRUE@am_libxml_la_rpath = -rpath $(interfacedir) ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(ipsec_PROGRAMS) -am_charon_OBJECTS = bus.$(OBJEXT) sys_logger.$(OBJEXT) \ - file_logger.$(OBJEXT) connection.$(OBJEXT) \ - local_connection_store.$(OBJEXT) policy.$(OBJEXT) \ - local_policy_store.$(OBJEXT) local_credential_store.$(OBJEXT) \ - traffic_selector.$(OBJEXT) proposal.$(OBJEXT) \ - configuration.$(OBJEXT) eap_authenticator.$(OBJEXT) \ - eap_method.$(OBJEXT) child_sa.$(OBJEXT) ike_sa.$(OBJEXT) \ - ike_sa_manager.$(OBJEXT) ike_sa_id.$(OBJEXT) task.$(OBJEXT) \ - ike_init.$(OBJEXT) ike_natd.$(OBJEXT) ike_auth.$(OBJEXT) \ - ike_config.$(OBJEXT) ike_cert.$(OBJEXT) ike_rekey.$(OBJEXT) \ - ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) child_create.$(OBJEXT) \ +am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \ + sys_logger.$(OBJEXT) backend_manager.$(OBJEXT) \ + child_cfg.$(OBJEXT) local_credential_store.$(OBJEXT) \ + ike_cfg.$(OBJEXT) peer_cfg.$(OBJEXT) proposal.$(OBJEXT) \ + traffic_selector.$(OBJEXT) interface_manager.$(OBJEXT) \ + daemon.$(OBJEXT) generator.$(OBJEXT) message.$(OBJEXT) \ + parser.$(OBJEXT) auth_payload.$(OBJEXT) cert_payload.$(OBJEXT) \ + certreq_payload.$(OBJEXT) 
configuration_attribute.$(OBJEXT) \ + cp_payload.$(OBJEXT) delete_payload.$(OBJEXT) \ + eap_payload.$(OBJEXT) encodings.$(OBJEXT) \ + encryption_payload.$(OBJEXT) id_payload.$(OBJEXT) \ + ike_header.$(OBJEXT) ke_payload.$(OBJEXT) \ + nonce_payload.$(OBJEXT) notify_payload.$(OBJEXT) \ + payload.$(OBJEXT) proposal_substructure.$(OBJEXT) \ + sa_payload.$(OBJEXT) traffic_selector_substructure.$(OBJEXT) \ + transform_attribute.$(OBJEXT) transform_substructure.$(OBJEXT) \ + ts_payload.$(OBJEXT) unknown_payload.$(OBJEXT) \ + vendor_id_payload.$(OBJEXT) kernel_interface.$(OBJEXT) \ + packet.$(OBJEXT) receiver.$(OBJEXT) sender.$(OBJEXT) \ + socket.$(OBJEXT) event_queue.$(OBJEXT) job_queue.$(OBJEXT) \ + acquire_job.$(OBJEXT) delete_child_sa_job.$(OBJEXT) \ + delete_ike_sa_job.$(OBJEXT) job.$(OBJEXT) \ + process_message_job.$(OBJEXT) rekey_child_sa_job.$(OBJEXT) \ + rekey_ike_sa_job.$(OBJEXT) retransmit_job.$(OBJEXT) \ + send_dpd_job.$(OBJEXT) send_keepalive_job.$(OBJEXT) \ + scheduler.$(OBJEXT) thread_pool.$(OBJEXT) \ + authenticator.$(OBJEXT) eap_authenticator.$(OBJEXT) \ + eap_method.$(OBJEXT) psk_authenticator.$(OBJEXT) \ + rsa_authenticator.$(OBJEXT) child_sa.$(OBJEXT) \ + ike_sa.$(OBJEXT) ike_sa_id.$(OBJEXT) ike_sa_manager.$(OBJEXT) \ + task_manager.$(OBJEXT) child_create.$(OBJEXT) \ child_delete.$(OBJEXT) child_rekey.$(OBJEXT) \ - authenticator.$(OBJEXT) rsa_authenticator.$(OBJEXT) \ - psk_authenticator.$(OBJEXT) task_manager.$(OBJEXT) \ - encryption_payload.$(OBJEXT) cert_payload.$(OBJEXT) \ - traffic_selector_substructure.$(OBJEXT) \ - transform_attribute.$(OBJEXT) \ - configuration_attribute.$(OBJEXT) \ - transform_substructure.$(OBJEXT) auth_payload.$(OBJEXT) \ - ike_header.$(OBJEXT) nonce_payload.$(OBJEXT) \ - eap_payload.$(OBJEXT) ts_payload.$(OBJEXT) \ - notify_payload.$(OBJEXT) id_payload.$(OBJEXT) \ - ke_payload.$(OBJEXT) unknown_payload.$(OBJEXT) \ - encodings.$(OBJEXT) cp_payload.$(OBJEXT) \ - delete_payload.$(OBJEXT) sa_payload.$(OBJEXT) \ - 
certreq_payload.$(OBJEXT) vendor_id_payload.$(OBJEXT) \ - proposal_substructure.$(OBJEXT) payload.$(OBJEXT) \ - message.$(OBJEXT) generator.$(OBJEXT) parser.$(OBJEXT) \ - daemon.$(OBJEXT) packet.$(OBJEXT) socket.$(OBJEXT) \ - job.$(OBJEXT) process_message_job.$(OBJEXT) \ - delete_ike_sa_job.$(OBJEXT) retransmit_job.$(OBJEXT) \ - initiate_job.$(OBJEXT) send_keepalive_job.$(OBJEXT) \ - rekey_child_sa_job.$(OBJEXT) delete_child_sa_job.$(OBJEXT) \ - send_dpd_job.$(OBJEXT) route_job.$(OBJEXT) \ - acquire_job.$(OBJEXT) rekey_ike_sa_job.$(OBJEXT) \ - job_queue.$(OBJEXT) event_queue.$(OBJEXT) \ - kernel_interface.$(OBJEXT) thread_pool.$(OBJEXT) \ - scheduler.$(OBJEXT) sender.$(OBJEXT) receiver.$(OBJEXT) \ - stroke_interface.$(OBJEXT) + ike_auth.$(OBJEXT) ike_cert.$(OBJEXT) ike_config.$(OBJEXT) \ + ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) ike_init.$(OBJEXT) \ + ike_natd.$(OBJEXT) ike_rekey.$(OBJEXT) task.$(OBJEXT) charon_OBJECTS = $(am_charon_OBJECTS) -am__DEPENDENCIES_1 = charon_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(am__DEPENDENCIES_1) @@ -127,10 +145,13 @@ LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \ CCLD = $(CC) LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libeapidentity_la_SOURCES) $(libeapsim_la_SOURCES) \ - $(charon_SOURCES) -DIST_SOURCES = $(libeapidentity_la_SOURCES) \ - $(am__libeapsim_la_SOURCES_DIST) $(charon_SOURCES) +SOURCES = $(libdbus_la_SOURCES) $(libeapidentity_la_SOURCES) \ + $(libeapsim_la_SOURCES) $(liblocal_la_SOURCES) \ + $(libstroke_la_SOURCES) $(libxml_la_SOURCES) $(charon_SOURCES) +DIST_SOURCES = $(am__libdbus_la_SOURCES_DIST) \ + $(libeapidentity_la_SOURCES) $(am__libeapsim_la_SOURCES_DIST) \ + $(liblocal_la_SOURCES) $(libstroke_la_SOURCES) \ + $(am__libxml_la_SOURCES_DIST) $(charon_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) 
@@ -178,6 +199,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -190,6 +212,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -200,8 +223,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -223,6 +250,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -232,6 +260,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -245,9 +275,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ 
@@ -262,79 +296,125 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ -eap_LTLIBRARIES = libeapidentity.la $(am__append_1) - -# always build EAP Identity module -libeapidentity_la_SOURCES = sa/authenticators/eap/eap_identity.h sa/authenticators/eap/eap_identity.c -libeapidentity_la_LDFLAGS = -module -@BUILD_EAP_SIM_TRUE@libeapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c -@BUILD_EAP_SIM_TRUE@libeapsim_la_LDFLAGS = -module +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ charon_SOURCES = \ bus/bus.c bus/bus.h \ -bus/listeners/sys_logger.c bus/listeners/sys_logger.h \ bus/listeners/file_logger.c bus/listeners/file_logger.h \ -config/connections/connection.c config/connections/connection.h \ -config/connections/local_connection_store.c config/connections/local_connection_store.h config/connections/connection_store.h \ -config/policies/policy.c config/policies/policy.h \ -config/policies/local_policy_store.c config/policies/policy_store.h config/policies/local_policy_store.h \ +bus/listeners/sys_logger.c bus/listeners/sys_logger.h \ +config/backends/backend.h config/backends/writeable_backend.h \ +config/backend_manager.c config/backend_manager.h \ +config/child_cfg.c config/child_cfg.h \ config/credentials/local_credential_store.c config/credentials/local_credential_store.h \ +config/ike_cfg.c config/ike_cfg.h \ +config/peer_cfg.c config/peer_cfg.h \ +config/proposal.c config/proposal.h \ config/traffic_selector.c config/traffic_selector.h \ -config/proposal.c config/proposal.h config/configuration.c config/configuration.h \ -sa/authenticators/eap_authenticator.h sa/authenticators/eap_authenticator.c \ -sa/authenticators/eap/eap_method.h sa/authenticators/eap/eap_method.c \ -sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \ -sa/ike_sa_id.c sa/ike_sa_id.h sa/tasks/task.c sa/tasks/task.h \ -sa/tasks/ike_init.c sa/tasks/ike_init.h 
\ -sa/tasks/ike_natd.c sa/tasks/ike_natd.h \ +control/interfaces/interface.h \ +control/interface_manager.c control/interface_manager.h \ +daemon.c daemon.h \ +encoding/generator.c encoding/generator.h \ +encoding/message.c encoding/message.h \ +encoding/parser.c encoding/parser.h \ +encoding/payloads/auth_payload.c encoding/payloads/auth_payload.h \ +encoding/payloads/cert_payload.c encoding/payloads/cert_payload.h \ +encoding/payloads/certreq_payload.c encoding/payloads/certreq_payload.h \ +encoding/payloads/configuration_attribute.c encoding/payloads/configuration_attribute.h \ +encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \ +encoding/payloads/delete_payload.c encoding/payloads/delete_payload.h \ +encoding/payloads/eap_payload.c encoding/payloads/eap_payload.h \ +encoding/payloads/encodings.c encoding/payloads/encodings.h \ +encoding/payloads/encryption_payload.c encoding/payloads/encryption_payload.h \ +encoding/payloads/id_payload.c encoding/payloads/id_payload.h \ +encoding/payloads/ike_header.c encoding/payloads/ike_header.h \ +encoding/payloads/ke_payload.c encoding/payloads/ke_payload.h \ +encoding/payloads/nonce_payload.c encoding/payloads/nonce_payload.h \ +encoding/payloads/notify_payload.c encoding/payloads/notify_payload.h \ +encoding/payloads/payload.c encoding/payloads/payload.h \ +encoding/payloads/proposal_substructure.c encoding/payloads/proposal_substructure.h \ +encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \ +encoding/payloads/traffic_selector_substructure.c encoding/payloads/traffic_selector_substructure.h \ +encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \ +encoding/payloads/transform_substructure.c encoding/payloads/transform_substructure.h \ +encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \ +encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \ +encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \ 
+kernel/kernel_interface.c kernel/kernel_interface.h \ +network/packet.c network/packet.h \ +network/receiver.c network/receiver.h \ +network/sender.c network/sender.h \ +network/socket.c network/socket.h \ +processing/event_queue.c processing/event_queue.h \ +processing/job_queue.c processing/job_queue.h \ +processing/jobs/acquire_job.c processing/jobs/acquire_job.h \ +processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \ +processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \ +processing/jobs/job.c processing/jobs/job.h \ +processing/jobs/process_message_job.c processing/jobs/process_message_job.h \ +processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \ +processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \ +processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \ +processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \ +processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \ +processing/scheduler.c processing/scheduler.h \ +processing/thread_pool.c processing/thread_pool.h \ +sa/authenticators/authenticator.c sa/authenticators/authenticator.h \ +sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \ +sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \ +sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \ +sa/authenticators/rsa_authenticator.c sa/authenticators/rsa_authenticator.h \ +sa/child_sa.c sa/child_sa.h \ +sa/ike_sa.c sa/ike_sa.h \ +sa/ike_sa_id.c sa/ike_sa_id.h \ +sa/ike_sa_manager.c sa/ike_sa_manager.h \ +sa/task_manager.c sa/task_manager.h \ +sa/tasks/child_create.c sa/tasks/child_create.h \ +sa/tasks/child_delete.c sa/tasks/child_delete.h \ +sa/tasks/child_rekey.c sa/tasks/child_rekey.h \ sa/tasks/ike_auth.c sa/tasks/ike_auth.h \ -sa/tasks/ike_config.c sa/tasks/ike_config.h \ sa/tasks/ike_cert.c sa/tasks/ike_cert.h \ -sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \ 
+sa/tasks/ike_config.c sa/tasks/ike_config.h \ sa/tasks/ike_delete.c sa/tasks/ike_delete.h \ sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \ -sa/tasks/child_create.c sa/tasks/child_create.h \ -sa/tasks/child_delete.c sa/tasks/child_delete.h \ -sa/tasks/child_rekey.c sa/tasks/child_rekey.h \ -sa/authenticators/authenticator.c sa/authenticators/authenticator.h \ -sa/authenticators/rsa_authenticator.c sa/authenticators/rsa_authenticator.h \ -sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \ -sa/task_manager.c sa/task_manager.h encoding/payloads/encryption_payload.c \ -encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \ -encoding/payloads/configuration_attribute.h encoding/payloads/proposal_substructure.h \ -encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \ -encoding/payloads/configuration_attribute.c encoding/payloads/transform_substructure.c \ -encoding/payloads/encryption_payload.h encoding/payloads/auth_payload.c encoding/payloads/ike_header.c \ -encoding/payloads/transform_substructure.h encoding/payloads/nonce_payload.c encoding/payloads/cert_payload.h \ -encoding/payloads/eap_payload.c encoding/payloads/ike_header.h encoding/payloads/auth_payload.h \ -encoding/payloads/ts_payload.c encoding/payloads/traffic_selector_substructure.h encoding/payloads/nonce_payload.h \ -encoding/payloads/notify_payload.c encoding/payloads/eap_payload.h encoding/payloads/notify_payload.h \ -encoding/payloads/ts_payload.h encoding/payloads/id_payload.c encoding/payloads/ke_payload.c \ -encoding/payloads/unknown_payload.c encoding/payloads/encodings.c encoding/payloads/id_payload.h \ -encoding/payloads/cp_payload.c encoding/payloads/delete_payload.c encoding/payloads/sa_payload.c \ -encoding/payloads/ke_payload.h encoding/payloads/unknown_payload.h encoding/payloads/encodings.h \ -encoding/payloads/certreq_payload.c encoding/payloads/cp_payload.h 
encoding/payloads/delete_payload.h \ -encoding/payloads/sa_payload.h encoding/payloads/vendor_id_payload.c encoding/payloads/certreq_payload.h \ -encoding/payloads/vendor_id_payload.h encoding/payloads/proposal_substructure.c encoding/payloads/payload.c \ -encoding/parser.h encoding/message.c encoding/generator.c encoding/message.h encoding/generator.h \ -encoding/parser.c daemon.c daemon.h network/packet.c \ -network/socket.c network/packet.h network/socket.h queues/jobs/job.h queues/jobs/job.c \ -queues/jobs/retransmit_job.h queues/jobs/initiate_job.h \ -queues/jobs/process_message_job.h queues/jobs/process_message_job.c \ -queues/jobs/delete_ike_sa_job.c queues/jobs/delete_ike_sa_job.h \ -queues/jobs/retransmit_job.c queues/jobs/initiate_job.c \ -queues/jobs/send_keepalive_job.c queues/jobs/send_keepalive_job.h \ -queues/jobs/rekey_child_sa_job.c queues/jobs/rekey_child_sa_job.h queues/jobs/delete_child_sa_job.c queues/jobs/delete_child_sa_job.h \ -queues/jobs/send_dpd_job.c queues/jobs/send_dpd_job.h queues/jobs/route_job.c queues/jobs/route_job.h \ -queues/jobs/acquire_job.c queues/jobs/acquire_job.h queues/jobs/rekey_ike_sa_job.c queues/jobs/rekey_ike_sa_job.h \ -queues/job_queue.c queues/event_queue.c queues/job_queue.h queues/event_queue.h \ -threads/kernel_interface.c threads/thread_pool.c threads/scheduler.c threads/sender.c \ -threads/sender.h threads/kernel_interface.h threads/scheduler.h threads/receiver.c threads/stroke_interface.c \ -threads/thread_pool.h threads/receiver.h threads/stroke_interface.h - -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke -AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" +sa/tasks/ike_init.c sa/tasks/ike_init.h \ +sa/tasks/ike_natd.c sa/tasks/ike_natd.h \ +sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \ +sa/tasks/task.c sa/tasks/task.h + +INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan \ + 
-I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke \ + $(am__append_4) $(am__append_6) +AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ + -DIPSEC_EAPDIR=\"${eapdir}\" -DIPSEC_BACKENDDIR=\"${backenddir}\" -DIPSEC_INTERFACEDIR=\"${interfacedir}\" + charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \ - -lgmp -lpthread -lm -ldl $(am__append_2) + -lgmp -lpthread -lm -ldl $(am__append_1) + +# build EAP plugins, EAP-Identity is always built +################################################# +eap_LTLIBRARIES = libeapidentity.la $(am__append_2) +libeapidentity_la_SOURCES = sa/authenticators/eap/eap_identity.h sa/authenticators/eap/eap_identity.c +libeapidentity_la_LDFLAGS = -module +@BUILD_EAP_SIM_TRUE@libeapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c +@BUILD_EAP_SIM_TRUE@libeapsim_la_LDFLAGS = -module + +# build backends, local backend is always built +############################################### +backend_LTLIBRARIES = liblocal.la +liblocal_la_SOURCES = config/backends/local_backend.h config/backends/local_backend.c +liblocal_la_LDFLAGS = -module + +# build control interfaces, stroke interface is always built +############################################################ +interface_LTLIBRARIES = libstroke.la $(am__append_3) $(am__append_5) +libstroke_la_SOURCES = control/interfaces/stroke_interface.h control/interfaces/stroke_interface.c +libstroke_la_LDFLAGS = -module +@USE_LIBDBUS_TRUE@libdbus_la_SOURCES = control/interfaces/dbus_interface.h control/interfaces/dbus_interface.c +@USE_LIBDBUS_TRUE@libdbus_la_LDFLAGS = -module +@USE_LIBDBUS_TRUE@libdbus_la_LIBADD = ${dbus_LIBS} +@USE_LIBXML_TRUE@libxml_la_SOURCES = control/interfaces/xml_interface.h control/interfaces/xml_interface.c +@USE_LIBXML_TRUE@libxml_la_LDFLAGS = -module +@USE_LIBXML_TRUE@libxml_la_LIBADD = ${xml_LIBS} all: all-am .SUFFIXES: 
@@ -368,6 +448,33 @@ $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-backendLTLIBRARIES: $(backend_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(backenddir)" || $(mkdir_p) "$(DESTDIR)$(backenddir)" + @list='$(backend_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(backendLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(backenddir)/$$f'"; \ + $(LIBTOOL) --mode=install $(backendLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(backenddir)/$$f"; \ + else :; fi; \ + done + +uninstall-backendLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @set -x; list='$(backend_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(backenddir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(backenddir)/$$p"; \ + done + +clean-backendLTLIBRARIES: + -test -z "$(backend_LTLIBRARIES)" || rm -f $(backend_LTLIBRARIES) + @list='$(backend_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done install-eapLTLIBRARIES: $(eap_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(eapdir)" || $(mkdir_p) "$(DESTDIR)$(eapdir)" 
@@ -395,10 +502,45 @@ clean-eapLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done +install-interfaceLTLIBRARIES: $(interface_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(interfacedir)" || $(mkdir_p) "$(DESTDIR)$(interfacedir)" + @list='$(interface_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(interfaceLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(interfacedir)/$$f'"; \ + $(LIBTOOL) --mode=install $(interfaceLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(interfacedir)/$$f"; \ + else :; fi; \ + done + +uninstall-interfaceLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @set -x; list='$(interface_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(interfacedir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(interfacedir)/$$p"; \ + done + +clean-interfaceLTLIBRARIES: + -test -z "$(interface_LTLIBRARIES)" || rm -f $(interface_LTLIBRARIES) + @list='$(interface_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libdbus.la: $(libdbus_la_OBJECTS) $(libdbus_la_DEPENDENCIES) + $(LINK) $(am_libdbus_la_rpath) $(libdbus_la_LDFLAGS) $(libdbus_la_OBJECTS) $(libdbus_la_LIBADD) $(LIBS) libeapidentity.la: $(libeapidentity_la_OBJECTS) $(libeapidentity_la_DEPENDENCIES) $(LINK) -rpath $(eapdir) $(libeapidentity_la_LDFLAGS) $(libeapidentity_la_OBJECTS) $(libeapidentity_la_LIBADD) $(LIBS) libeapsim.la: $(libeapsim_la_OBJECTS) $(libeapsim_la_DEPENDENCIES) $(LINK) $(am_libeapsim_la_rpath) $(libeapsim_la_LDFLAGS) $(libeapsim_la_OBJECTS) $(libeapsim_la_LIBADD) $(LIBS) +liblocal.la: $(liblocal_la_OBJECTS) $(liblocal_la_DEPENDENCIES) + $(LINK) -rpath $(backenddir) $(liblocal_la_LDFLAGS) $(liblocal_la_OBJECTS) $(liblocal_la_LIBADD) 
$(LIBS) +libstroke.la: $(libstroke_la_OBJECTS) $(libstroke_la_DEPENDENCIES) + $(LINK) -rpath $(interfacedir) $(libstroke_la_LDFLAGS) $(libstroke_la_OBJECTS) $(libstroke_la_LIBADD) $(LIBS) +libxml.la: $(libxml_la_OBJECTS) $(libxml_la_DEPENDENCIES) + $(LINK) $(am_libxml_la_rpath) $(libxml_la_LDFLAGS) $(libxml_la_OBJECTS) $(libxml_la_LIBADD) $(LIBS) install-ipsecPROGRAMS: $(ipsec_PROGRAMS) @$(NORMAL_INSTALL) test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)" 
@@ -440,18 +582,19 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_create.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_delete.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_rekey.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_sa.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configuration.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configuration_attribute.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connection.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cp_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dbus_interface.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_child_sa_job.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_ike_sa_job.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_payload.Po@am__quote@ 
@@ -468,6 +611,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cfg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_config.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_delete.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_dpd.Po@am__quote@ 
@@ -478,21 +622,20 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_job.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/interface_manager.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/job.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/job_queue.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_connection_store.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_backend.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_credential_store.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_policy_store.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/notify_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/policy.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer_cfg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_message_job.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_substructure.Po@am__quote@ 
@@ -501,7 +644,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_child_sa_job.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_ike_sa_job.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retransmit_job.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/route_job.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsa_authenticator.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Po@am__quote@ @@ -509,7 +651,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_keepalive_job.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_interface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_interface.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Po@am__quote@ @@ -521,6 +663,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ts_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unknown_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor_id_payload.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xml_interface.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ 
@@ -543,6 +686,13 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +dbus_interface.lo: control/interfaces/dbus_interface.c +@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT dbus_interface.lo -MD -MP -MF "$(DEPDIR)/dbus_interface.Tpo" -c -o dbus_interface.lo `test -f 'control/interfaces/dbus_interface.c' || echo '$(srcdir)/'`control/interfaces/dbus_interface.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/dbus_interface.Tpo" "$(DEPDIR)/dbus_interface.Plo"; else rm -f "$(DEPDIR)/dbus_interface.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='control/interfaces/dbus_interface.c' object='dbus_interface.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o dbus_interface.lo `test -f 'control/interfaces/dbus_interface.c' || echo '$(srcdir)/'`control/interfaces/dbus_interface.c + eap_identity.lo: sa/authenticators/eap/eap_identity.c @am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_identity.lo -MD -MP -MF "$(DEPDIR)/eap_identity.Tpo" -c -o eap_identity.lo `test -f 'sa/authenticators/eap/eap_identity.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_identity.c; \ @am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_identity.Tpo" "$(DEPDIR)/eap_identity.Plo"; else rm -f "$(DEPDIR)/eap_identity.Tpo"; exit 1; fi 
@@ -557,6 +707,27 @@ eap_sim.lo: sa/authenticators/eap/eap_sim.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_sim.lo `test -f 'sa/authenticators/eap/eap_sim.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_sim.c +local_backend.lo: config/backends/local_backend.c +@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_backend.lo -MD -MP -MF "$(DEPDIR)/local_backend.Tpo" -c -o local_backend.lo `test -f 'config/backends/local_backend.c' || echo '$(srcdir)/'`config/backends/local_backend.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_backend.Tpo" "$(DEPDIR)/local_backend.Plo"; else rm -f "$(DEPDIR)/local_backend.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/backends/local_backend.c' object='local_backend.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_backend.lo `test -f 'config/backends/local_backend.c' || echo '$(srcdir)/'`config/backends/local_backend.c + +stroke_interface.lo: control/interfaces/stroke_interface.c +@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stroke_interface.lo -MD -MP -MF "$(DEPDIR)/stroke_interface.Tpo" -c -o stroke_interface.lo `test -f 'control/interfaces/stroke_interface.c' || echo '$(srcdir)/'`control/interfaces/stroke_interface.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/stroke_interface.Tpo" "$(DEPDIR)/stroke_interface.Plo"; else rm -f 
"$(DEPDIR)/stroke_interface.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='control/interfaces/stroke_interface.c' object='stroke_interface.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stroke_interface.lo `test -f 'control/interfaces/stroke_interface.c' || echo '$(srcdir)/'`control/interfaces/stroke_interface.c + +xml_interface.lo: control/interfaces/xml_interface.c +@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xml_interface.lo -MD -MP -MF "$(DEPDIR)/xml_interface.Tpo" -c -o xml_interface.lo `test -f 'control/interfaces/xml_interface.c' || echo '$(srcdir)/'`control/interfaces/xml_interface.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/xml_interface.Tpo" "$(DEPDIR)/xml_interface.Plo"; else rm -f "$(DEPDIR)/xml_interface.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='control/interfaces/xml_interface.c' object='xml_interface.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xml_interface.lo `test -f 'control/interfaces/xml_interface.c' || echo '$(srcdir)/'`control/interfaces/xml_interface.c + bus.o: bus/bus.c @am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.o -MD -MP -MF "$(DEPDIR)/bus.Tpo" -c -o bus.o `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c; \ @am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/bus.Tpo" "$(DEPDIR)/bus.Po"; else rm -f "$(DEPDIR)/bus.Tpo"; exit 1; fi 
@@ -571,20 +742,6 @@ bus.obj: bus/bus.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.obj `if test -f 'bus/bus.c'; then $(CYGPATH_W) 'bus/bus.c'; else $(CYGPATH_W) '$(srcdir)/bus/bus.c'; fi` -sys_logger.o: bus/listeners/sys_logger.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.o -MD -MP -MF "$(DEPDIR)/sys_logger.Tpo" -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sys_logger.Tpo" "$(DEPDIR)/sys_logger.Po"; else rm -f "$(DEPDIR)/sys_logger.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/sys_logger.c' object='sys_logger.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c - -sys_logger.obj: bus/listeners/sys_logger.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.obj -MD -MP -MF "$(DEPDIR)/sys_logger.Tpo" -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sys_logger.Tpo" "$(DEPDIR)/sys_logger.Po"; else rm -f "$(DEPDIR)/sys_logger.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/sys_logger.c' object='sys_logger.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi` - file_logger.o: bus/listeners/file_logger.c @am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.o -MD -MP -MF "$(DEPDIR)/file_logger.Tpo" -c -o file_logger.o `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c; \ @am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/file_logger.Tpo" "$(DEPDIR)/file_logger.Po"; else rm -f "$(DEPDIR)/file_logger.Tpo"; exit 1; fi 
@@ -599,61 +756,47 @@ file_logger.obj: bus/listeners/file_logger.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.obj `if test -f 'bus/listeners/file_logger.c'; then $(CYGPATH_W) 'bus/listeners/file_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/file_logger.c'; fi` -connection.o: config/connections/connection.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connection.o -MD -MP -MF "$(DEPDIR)/connection.Tpo" -c -o connection.o `test -f 'config/connections/connection.c' || echo '$(srcdir)/'`config/connections/connection.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/connection.Tpo" "$(DEPDIR)/connection.Po"; else rm -f "$(DEPDIR)/connection.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/connection.c' object='connection.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connection.o `test -f 'config/connections/connection.c' || echo '$(srcdir)/'`config/connections/connection.c - -connection.obj: config/connections/connection.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connection.obj -MD -MP -MF "$(DEPDIR)/connection.Tpo" -c -o connection.obj `if test -f 'config/connections/connection.c'; then $(CYGPATH_W) 'config/connections/connection.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/connection.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/connection.Tpo" "$(DEPDIR)/connection.Po"; else rm -f "$(DEPDIR)/connection.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='config/connections/connection.c' object='connection.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connection.obj `if test -f 'config/connections/connection.c'; then $(CYGPATH_W) 'config/connections/connection.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/connection.c'; fi` - -local_connection_store.o: config/connections/local_connection_store.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_connection_store.o -MD -MP -MF "$(DEPDIR)/local_connection_store.Tpo" -c -o local_connection_store.o `test -f 'config/connections/local_connection_store.c' || echo '$(srcdir)/'`config/connections/local_connection_store.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_connection_store.Tpo" "$(DEPDIR)/local_connection_store.Po"; else rm -f "$(DEPDIR)/local_connection_store.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/local_connection_store.c' object='local_connection_store.o' libtool=no @AMDEPBACKSLASH@ +sys_logger.o: bus/listeners/sys_logger.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.o -MD -MP -MF "$(DEPDIR)/sys_logger.Tpo" -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sys_logger.Tpo" "$(DEPDIR)/sys_logger.Po"; else rm -f "$(DEPDIR)/sys_logger.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/sys_logger.c' object='sys_logger.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_connection_store.o `test -f 'config/connections/local_connection_store.c' || echo '$(srcdir)/'`config/connections/local_connection_store.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c -local_connection_store.obj: config/connections/local_connection_store.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_connection_store.obj -MD -MP -MF "$(DEPDIR)/local_connection_store.Tpo" -c -o local_connection_store.obj `if test -f 'config/connections/local_connection_store.c'; then $(CYGPATH_W) 'config/connections/local_connection_store.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/local_connection_store.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_connection_store.Tpo" "$(DEPDIR)/local_connection_store.Po"; else rm -f "$(DEPDIR)/local_connection_store.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/local_connection_store.c' object='local_connection_store.obj' libtool=no @AMDEPBACKSLASH@ +sys_logger.obj: bus/listeners/sys_logger.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.obj -MD -MP -MF "$(DEPDIR)/sys_logger.Tpo" -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sys_logger.Tpo" "$(DEPDIR)/sys_logger.Po"; else rm -f "$(DEPDIR)/sys_logger.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/sys_logger.c' object='sys_logger.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_connection_store.obj `if test -f 'config/connections/local_connection_store.c'; then $(CYGPATH_W) 'config/connections/local_connection_store.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/local_connection_store.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi` -policy.o: config/policies/policy.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT policy.o -MD -MP -MF "$(DEPDIR)/policy.Tpo" -c -o policy.o `test -f 'config/policies/policy.c' || echo '$(srcdir)/'`config/policies/policy.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/policy.Tpo" "$(DEPDIR)/policy.Po"; else rm -f "$(DEPDIR)/policy.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/policy.c' object='policy.o' libtool=no @AMDEPBACKSLASH@ +backend_manager.o: config/backend_manager.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.o -MD -MP -MF "$(DEPDIR)/backend_manager.Tpo" -c -o backend_manager.o `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/backend_manager.Tpo" "$(DEPDIR)/backend_manager.Po"; else rm -f "$(DEPDIR)/backend_manager.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/backend_manager.c' object='backend_manager.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o policy.o `test -f 'config/policies/policy.c' || echo '$(srcdir)/'`config/policies/policy.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.o `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c -policy.obj: config/policies/policy.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT policy.obj -MD -MP -MF "$(DEPDIR)/policy.Tpo" -c -o policy.obj `if test -f 'config/policies/policy.c'; then $(CYGPATH_W) 'config/policies/policy.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/policy.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/policy.Tpo" "$(DEPDIR)/policy.Po"; else rm -f "$(DEPDIR)/policy.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/policy.c' object='policy.obj' libtool=no @AMDEPBACKSLASH@ +backend_manager.obj: config/backend_manager.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.obj -MD -MP -MF "$(DEPDIR)/backend_manager.Tpo" -c -o backend_manager.obj `if test -f 'config/backend_manager.c'; then $(CYGPATH_W) 'config/backend_manager.c'; else $(CYGPATH_W) '$(srcdir)/config/backend_manager.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/backend_manager.Tpo" "$(DEPDIR)/backend_manager.Po"; else rm -f "$(DEPDIR)/backend_manager.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/backend_manager.c' object='backend_manager.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o policy.obj `if test -f 'config/policies/policy.c'; then $(CYGPATH_W) 'config/policies/policy.c'; else 
$(CYGPATH_W) '$(srcdir)/config/policies/policy.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.obj `if test -f 'config/backend_manager.c'; then $(CYGPATH_W) 'config/backend_manager.c'; else $(CYGPATH_W) '$(srcdir)/config/backend_manager.c'; fi` -local_policy_store.o: config/policies/local_policy_store.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_policy_store.o -MD -MP -MF "$(DEPDIR)/local_policy_store.Tpo" -c -o local_policy_store.o `test -f 'config/policies/local_policy_store.c' || echo '$(srcdir)/'`config/policies/local_policy_store.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_policy_store.Tpo" "$(DEPDIR)/local_policy_store.Po"; else rm -f "$(DEPDIR)/local_policy_store.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/local_policy_store.c' object='local_policy_store.o' libtool=no @AMDEPBACKSLASH@ +child_cfg.o: config/child_cfg.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.o -MD -MP -MF "$(DEPDIR)/child_cfg.Tpo" -c -o child_cfg.o `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_cfg.Tpo" "$(DEPDIR)/child_cfg.Po"; else rm -f "$(DEPDIR)/child_cfg.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/child_cfg.c' object='child_cfg.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_policy_store.o `test -f 'config/policies/local_policy_store.c' || echo '$(srcdir)/'`config/policies/local_policy_store.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.o `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c -local_policy_store.obj: config/policies/local_policy_store.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_policy_store.obj -MD -MP -MF "$(DEPDIR)/local_policy_store.Tpo" -c -o local_policy_store.obj `if test -f 'config/policies/local_policy_store.c'; then $(CYGPATH_W) 'config/policies/local_policy_store.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/local_policy_store.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_policy_store.Tpo" "$(DEPDIR)/local_policy_store.Po"; else rm -f "$(DEPDIR)/local_policy_store.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/local_policy_store.c' object='local_policy_store.obj' libtool=no @AMDEPBACKSLASH@ +child_cfg.obj: config/child_cfg.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.obj -MD -MP -MF "$(DEPDIR)/child_cfg.Tpo" -c -o child_cfg.obj `if test -f 'config/child_cfg.c'; then $(CYGPATH_W) 'config/child_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/child_cfg.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_cfg.Tpo" "$(DEPDIR)/child_cfg.Po"; else rm -f "$(DEPDIR)/child_cfg.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/child_cfg.c' object='child_cfg.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_policy_store.obj `if test -f 'config/policies/local_policy_store.c'; then $(CYGPATH_W) 'config/policies/local_policy_store.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/local_policy_store.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.obj `if test -f 'config/child_cfg.c'; then $(CYGPATH_W) 'config/child_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/child_cfg.c'; fi` local_credential_store.o: config/credentials/local_credential_store.c @am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_credential_store.o -MD -MP -MF "$(DEPDIR)/local_credential_store.Tpo" -c -o local_credential_store.o `test -f 'config/credentials/local_credential_store.c' || echo '$(srcdir)/'`config/credentials/local_credential_store.c; \ 
@@ -669,19 +812,33 @@ local_credential_store.obj: config/credentials/local_credential_store.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_credential_store.obj `if test -f 'config/credentials/local_credential_store.c'; then $(CYGPATH_W) 'config/credentials/local_credential_store.c'; else $(CYGPATH_W) '$(srcdir)/config/credentials/local_credential_store.c'; fi` -traffic_selector.o: config/traffic_selector.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.o -MD -MP -MF "$(DEPDIR)/traffic_selector.Tpo" -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector.Tpo" "$(DEPDIR)/traffic_selector.Po"; else rm -f "$(DEPDIR)/traffic_selector.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/traffic_selector.c' object='traffic_selector.o' libtool=no @AMDEPBACKSLASH@ +ike_cfg.o: config/ike_cfg.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.o -MD -MP -MF "$(DEPDIR)/ike_cfg.Tpo" -c -o ike_cfg.o `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cfg.Tpo" "$(DEPDIR)/ike_cfg.Po"; else rm -f "$(DEPDIR)/ike_cfg.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/ike_cfg.c' object='ike_cfg.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo 
'$(srcdir)/'`config/traffic_selector.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.o `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c -traffic_selector.obj: config/traffic_selector.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.obj -MD -MP -MF "$(DEPDIR)/traffic_selector.Tpo" -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector.Tpo" "$(DEPDIR)/traffic_selector.Po"; else rm -f "$(DEPDIR)/traffic_selector.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/traffic_selector.c' object='traffic_selector.obj' libtool=no @AMDEPBACKSLASH@ +ike_cfg.obj: config/ike_cfg.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.obj -MD -MP -MF "$(DEPDIR)/ike_cfg.Tpo" -c -o ike_cfg.obj `if test -f 'config/ike_cfg.c'; then $(CYGPATH_W) 'config/ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/ike_cfg.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cfg.Tpo" "$(DEPDIR)/ike_cfg.Po"; else rm -f "$(DEPDIR)/ike_cfg.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/ike_cfg.c' object='ike_cfg.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.obj `if test -f 'config/ike_cfg.c'; then $(CYGPATH_W) 'config/ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/ike_cfg.c'; fi` + +peer_cfg.o: config/peer_cfg.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.o -MD -MP -MF "$(DEPDIR)/peer_cfg.Tpo" -c -o peer_cfg.o `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/peer_cfg.Tpo" "$(DEPDIR)/peer_cfg.Po"; else rm -f "$(DEPDIR)/peer_cfg.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/peer_cfg.c' object='peer_cfg.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.o `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c + +peer_cfg.obj: config/peer_cfg.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.obj -MD -MP -MF "$(DEPDIR)/peer_cfg.Tpo" -c -o peer_cfg.obj `if test -f 'config/peer_cfg.c'; then $(CYGPATH_W) 'config/peer_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/peer_cfg.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/peer_cfg.Tpo" "$(DEPDIR)/peer_cfg.Po"; else rm -f "$(DEPDIR)/peer_cfg.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/peer_cfg.c' object='peer_cfg.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.obj `if test -f 'config/peer_cfg.c'; then $(CYGPATH_W) 'config/peer_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/peer_cfg.c'; fi` proposal.o: config/proposal.c 
@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.o -MD -MP -MF "$(DEPDIR)/proposal.Tpo" -c -o proposal.o `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c; \ 
@@ -697,355 +854,313 @@ proposal.obj: config/proposal.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.obj `if test -f 'config/proposal.c'; then $(CYGPATH_W) 'config/proposal.c'; else $(CYGPATH_W) '$(srcdir)/config/proposal.c'; fi` -configuration.o: config/configuration.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration.o -MD -MP -MF "$(DEPDIR)/configuration.Tpo" -c -o configuration.o `test -f 'config/configuration.c' || echo '$(srcdir)/'`config/configuration.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration.Tpo" "$(DEPDIR)/configuration.Po"; else rm -f "$(DEPDIR)/configuration.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/configuration.c' object='configuration.o' libtool=no @AMDEPBACKSLASH@ +traffic_selector.o: config/traffic_selector.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.o -MD -MP -MF "$(DEPDIR)/traffic_selector.Tpo" -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector.Tpo" "$(DEPDIR)/traffic_selector.Po"; else rm -f "$(DEPDIR)/traffic_selector.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/traffic_selector.c' object='traffic_selector.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration.o `test -f 'config/configuration.c' || echo '$(srcdir)/'`config/configuration.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c -configuration.obj: config/configuration.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration.obj -MD -MP -MF "$(DEPDIR)/configuration.Tpo" -c -o configuration.obj `if test -f 'config/configuration.c'; then $(CYGPATH_W) 'config/configuration.c'; else $(CYGPATH_W) '$(srcdir)/config/configuration.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration.Tpo" "$(DEPDIR)/configuration.Po"; else rm -f "$(DEPDIR)/configuration.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/configuration.c' object='configuration.obj' libtool=no @AMDEPBACKSLASH@ +traffic_selector.obj: config/traffic_selector.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.obj -MD -MP -MF "$(DEPDIR)/traffic_selector.Tpo" -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector.Tpo" "$(DEPDIR)/traffic_selector.Po"; else rm -f "$(DEPDIR)/traffic_selector.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/traffic_selector.c' object='traffic_selector.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration.obj `if test -f 'config/configuration.c'; then $(CYGPATH_W) 'config/configuration.c'; else $(CYGPATH_W) '$(srcdir)/config/configuration.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi` -eap_authenticator.o: sa/authenticators/eap_authenticator.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.o -MD -MP -MF "$(DEPDIR)/eap_authenticator.Tpo" -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_authenticator.Tpo" "$(DEPDIR)/eap_authenticator.Po"; else rm -f "$(DEPDIR)/eap_authenticator.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.o' libtool=no @AMDEPBACKSLASH@ +interface_manager.o: control/interface_manager.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT interface_manager.o -MD -MP -MF "$(DEPDIR)/interface_manager.Tpo" -c -o interface_manager.o `test -f 'control/interface_manager.c' || echo '$(srcdir)/'`control/interface_manager.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/interface_manager.Tpo" "$(DEPDIR)/interface_manager.Po"; else rm -f "$(DEPDIR)/interface_manager.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='control/interface_manager.c' object='interface_manager.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) 
$(CFLAGS) -c -o interface_manager.o `test -f 'control/interface_manager.c' || echo '$(srcdir)/'`control/interface_manager.c -eap_authenticator.obj: sa/authenticators/eap_authenticator.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.obj -MD -MP -MF "$(DEPDIR)/eap_authenticator.Tpo" -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_authenticator.Tpo" "$(DEPDIR)/eap_authenticator.Po"; else rm -f "$(DEPDIR)/eap_authenticator.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.obj' libtool=no @AMDEPBACKSLASH@ +interface_manager.obj: control/interface_manager.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT interface_manager.obj -MD -MP -MF "$(DEPDIR)/interface_manager.Tpo" -c -o interface_manager.obj `if test -f 'control/interface_manager.c'; then $(CYGPATH_W) 'control/interface_manager.c'; else $(CYGPATH_W) '$(srcdir)/control/interface_manager.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/interface_manager.Tpo" "$(DEPDIR)/interface_manager.Po"; else rm -f "$(DEPDIR)/interface_manager.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='control/interface_manager.c' object='interface_manager.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) 
'$(srcdir)/sa/authenticators/eap_authenticator.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o interface_manager.obj `if test -f 'control/interface_manager.c'; then $(CYGPATH_W) 'control/interface_manager.c'; else $(CYGPATH_W) '$(srcdir)/control/interface_manager.c'; fi` -eap_method.o: sa/authenticators/eap/eap_method.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.o -MD -MP -MF "$(DEPDIR)/eap_method.Tpo" -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_method.Tpo" "$(DEPDIR)/eap_method.Po"; else rm -f "$(DEPDIR)/eap_method.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_method.c' object='eap_method.o' libtool=no @AMDEPBACKSLASH@ +generator.o: encoding/generator.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.o -MD -MP -MF "$(DEPDIR)/generator.Tpo" -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/generator.Tpo" "$(DEPDIR)/generator.Po"; else rm -f "$(DEPDIR)/generator.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/generator.c' object='generator.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.o 
`test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c -eap_method.obj: sa/authenticators/eap/eap_method.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.obj -MD -MP -MF "$(DEPDIR)/eap_method.Tpo" -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_method.Tpo" "$(DEPDIR)/eap_method.Po"; else rm -f "$(DEPDIR)/eap_method.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_method.c' object='eap_method.obj' libtool=no @AMDEPBACKSLASH@ +generator.obj: encoding/generator.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.obj -MD -MP -MF "$(DEPDIR)/generator.Tpo" -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/generator.Tpo" "$(DEPDIR)/generator.Po"; else rm -f "$(DEPDIR)/generator.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/generator.c' object='generator.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 
'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi` -child_sa.o: sa/child_sa.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.o -MD -MP -MF "$(DEPDIR)/child_sa.Tpo" -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_sa.Tpo" "$(DEPDIR)/child_sa.Po"; else rm -f "$(DEPDIR)/child_sa.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/child_sa.c' object='child_sa.o' libtool=no @AMDEPBACKSLASH@ +message.o: encoding/message.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.o -MD -MP -MF "$(DEPDIR)/message.Tpo" -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/message.Tpo" "$(DEPDIR)/message.Po"; else rm -f "$(DEPDIR)/message.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/message.c' object='message.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c -child_sa.obj: sa/child_sa.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.obj -MD -MP -MF "$(DEPDIR)/child_sa.Tpo" -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f 
"$(DEPDIR)/child_sa.Tpo" "$(DEPDIR)/child_sa.Po"; else rm -f "$(DEPDIR)/child_sa.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/child_sa.c' object='child_sa.obj' libtool=no @AMDEPBACKSLASH@ +message.obj: encoding/message.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.obj -MD -MP -MF "$(DEPDIR)/message.Tpo" -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/message.Tpo" "$(DEPDIR)/message.Po"; else rm -f "$(DEPDIR)/message.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/message.c' object='message.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi` -ike_sa.o: sa/ike_sa.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.o -MD -MP -MF "$(DEPDIR)/ike_sa.Tpo" -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa.Tpo" "$(DEPDIR)/ike_sa.Po"; else rm -f "$(DEPDIR)/ike_sa.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa.c' object='ike_sa.o' libtool=no @AMDEPBACKSLASH@ +parser.o: encoding/parser.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.o -MD -MP -MF "$(DEPDIR)/parser.Tpo" -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/parser.Tpo" "$(DEPDIR)/parser.Po"; else rm -f "$(DEPDIR)/parser.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/parser.c' object='parser.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c -ike_sa.obj: sa/ike_sa.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.obj -MD -MP -MF "$(DEPDIR)/ike_sa.Tpo" -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa.Tpo" "$(DEPDIR)/ike_sa.Po"; else rm -f "$(DEPDIR)/ike_sa.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa.c' object='ike_sa.obj' libtool=no @AMDEPBACKSLASH@ +parser.obj: encoding/parser.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.obj -MD -MP -MF "$(DEPDIR)/parser.Tpo" -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/parser.Tpo" "$(DEPDIR)/parser.Po"; else rm -f "$(DEPDIR)/parser.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/parser.c' 
object='parser.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi` -ike_sa_manager.o: sa/ike_sa_manager.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.o -MD -MP -MF "$(DEPDIR)/ike_sa_manager.Tpo" -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_manager.Tpo" "$(DEPDIR)/ike_sa_manager.Po"; else rm -f "$(DEPDIR)/ike_sa_manager.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_manager.c' object='ike_sa_manager.o' libtool=no @AMDEPBACKSLASH@ +auth_payload.o: encoding/payloads/auth_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.o -MD -MP -MF "$(DEPDIR)/auth_payload.Tpo" -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/auth_payload.Tpo" "$(DEPDIR)/auth_payload.Po"; else rm -f "$(DEPDIR)/auth_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/auth_payload.c' object='auth_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c -ike_sa_manager.obj: sa/ike_sa_manager.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.obj -MD -MP -MF "$(DEPDIR)/ike_sa_manager.Tpo" -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_manager.Tpo" "$(DEPDIR)/ike_sa_manager.Po"; else rm -f "$(DEPDIR)/ike_sa_manager.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_manager.c' object='ike_sa_manager.obj' libtool=no @AMDEPBACKSLASH@ +auth_payload.obj: encoding/payloads/auth_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.obj -MD -MP -MF "$(DEPDIR)/auth_payload.Tpo" -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/auth_payload.Tpo" "$(DEPDIR)/auth_payload.Po"; else rm -f "$(DEPDIR)/auth_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/auth_payload.c' object='auth_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 
ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi` -ike_sa_id.o: sa/ike_sa_id.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.o -MD -MP -MF "$(DEPDIR)/ike_sa_id.Tpo" -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_id.Tpo" "$(DEPDIR)/ike_sa_id.Po"; else rm -f "$(DEPDIR)/ike_sa_id.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_id.c' object='ike_sa_id.o' libtool=no @AMDEPBACKSLASH@ +cert_payload.o: encoding/payloads/cert_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.o -MD -MP -MF "$(DEPDIR)/cert_payload.Tpo" -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cert_payload.Tpo" "$(DEPDIR)/cert_payload.Po"; else rm -f "$(DEPDIR)/cert_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cert_payload.c' object='cert_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c -ike_sa_id.obj: sa/ike_sa_id.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.obj -MD -MP -MF "$(DEPDIR)/ike_sa_id.Tpo" -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_id.Tpo" "$(DEPDIR)/ike_sa_id.Po"; else rm -f "$(DEPDIR)/ike_sa_id.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_id.c' object='ike_sa_id.obj' libtool=no @AMDEPBACKSLASH@ +cert_payload.obj: encoding/payloads/cert_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.obj -MD -MP -MF "$(DEPDIR)/cert_payload.Tpo" -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cert_payload.Tpo" "$(DEPDIR)/cert_payload.Po"; else rm -f "$(DEPDIR)/cert_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cert_payload.c' object='cert_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then 
$(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi` -task.o: sa/tasks/task.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.o -MD -MP -MF "$(DEPDIR)/task.Tpo" -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/task.c' object='task.o' libtool=no @AMDEPBACKSLASH@ +certreq_payload.o: encoding/payloads/certreq_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.o -MD -MP -MF "$(DEPDIR)/certreq_payload.Tpo" -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certreq_payload.Tpo" "$(DEPDIR)/certreq_payload.Po"; else rm -f "$(DEPDIR)/certreq_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/certreq_payload.c' object='certreq_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c -task.obj: sa/tasks/task.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.obj -MD -MP -MF "$(DEPDIR)/task.Tpo" 
-c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/task.c' object='task.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi` - -ike_init.o: sa/tasks/ike_init.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.o -MD -MP -MF "$(DEPDIR)/ike_init.Tpo" -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_init.Tpo" "$(DEPDIR)/ike_init.Po"; else rm -f "$(DEPDIR)/ike_init.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_init.c' object='ike_init.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c - -ike_init.obj: sa/tasks/ike_init.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.obj -MD -MP -MF "$(DEPDIR)/ike_init.Tpo" -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_init.Tpo" "$(DEPDIR)/ike_init.Po"; 
else rm -f "$(DEPDIR)/ike_init.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_init.c' object='ike_init.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi` - -ike_natd.o: sa/tasks/ike_natd.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.o -MD -MP -MF "$(DEPDIR)/ike_natd.Tpo" -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_natd.Tpo" "$(DEPDIR)/ike_natd.Po"; else rm -f "$(DEPDIR)/ike_natd.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_natd.c' object='ike_natd.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c - -ike_natd.obj: sa/tasks/ike_natd.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.obj -MD -MP -MF "$(DEPDIR)/ike_natd.Tpo" -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_natd.Tpo" "$(DEPDIR)/ike_natd.Po"; else rm -f "$(DEPDIR)/ike_natd.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_natd.c' object='ike_natd.obj' libtool=no @AMDEPBACKSLASH@ 
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi` - -ike_auth.o: sa/tasks/ike_auth.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.o -MD -MP -MF "$(DEPDIR)/ike_auth.Tpo" -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_auth.Tpo" "$(DEPDIR)/ike_auth.Po"; else rm -f "$(DEPDIR)/ike_auth.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_auth.c' object='ike_auth.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c - -ike_auth.obj: sa/tasks/ike_auth.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.obj -MD -MP -MF "$(DEPDIR)/ike_auth.Tpo" -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_auth.Tpo" "$(DEPDIR)/ike_auth.Po"; else rm -f "$(DEPDIR)/ike_auth.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_auth.c' object='ike_auth.obj' libtool=no @AMDEPBACKSLASH@ +certreq_payload.obj: encoding/payloads/certreq_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 
certreq_payload.obj -MD -MP -MF "$(DEPDIR)/certreq_payload.Tpo" -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certreq_payload.Tpo" "$(DEPDIR)/certreq_payload.Po"; else rm -f "$(DEPDIR)/certreq_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/certreq_payload.c' object='certreq_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi` -ike_config.o: sa/tasks/ike_config.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.o -MD -MP -MF "$(DEPDIR)/ike_config.Tpo" -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_config.Tpo" "$(DEPDIR)/ike_config.Po"; else rm -f "$(DEPDIR)/ike_config.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_config.c' object='ike_config.o' libtool=no @AMDEPBACKSLASH@ +configuration_attribute.o: encoding/payloads/configuration_attribute.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) 
$(CFLAGS) -MT configuration_attribute.o -MD -MP -MF "$(DEPDIR)/configuration_attribute.Tpo" -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration_attribute.Tpo" "$(DEPDIR)/configuration_attribute.Po"; else rm -f "$(DEPDIR)/configuration_attribute.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c -ike_config.obj: sa/tasks/ike_config.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.obj -MD -MP -MF "$(DEPDIR)/ike_config.Tpo" -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_config.Tpo" "$(DEPDIR)/ike_config.Po"; else rm -f "$(DEPDIR)/ike_config.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_config.c' object='ike_config.obj' libtool=no @AMDEPBACKSLASH@ +configuration_attribute.obj: encoding/payloads/configuration_attribute.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 
configuration_attribute.obj -MD -MP -MF "$(DEPDIR)/configuration_attribute.Tpo" -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration_attribute.Tpo" "$(DEPDIR)/configuration_attribute.Po"; else rm -f "$(DEPDIR)/configuration_attribute.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi` -ike_cert.o: sa/tasks/ike_cert.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert.o -MD -MP -MF "$(DEPDIR)/ike_cert.Tpo" -c -o ike_cert.o `test -f 'sa/tasks/ike_cert.c' || echo '$(srcdir)/'`sa/tasks/ike_cert.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cert.Tpo" "$(DEPDIR)/ike_cert.Po"; else rm -f "$(DEPDIR)/ike_cert.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_cert.c' object='ike_cert.o' libtool=no @AMDEPBACKSLASH@ +cp_payload.o: encoding/payloads/cp_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.o -MD -MP -MF "$(DEPDIR)/cp_payload.Tpo" -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cp_payload.Tpo" "$(DEPDIR)/cp_payload.Po"; else rm -f "$(DEPDIR)/cp_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cp_payload.c' object='cp_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert.o `test -f 'sa/tasks/ike_cert.c' || echo '$(srcdir)/'`sa/tasks/ike_cert.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c -ike_cert.obj: sa/tasks/ike_cert.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert.obj -MD -MP -MF "$(DEPDIR)/ike_cert.Tpo" -c -o ike_cert.obj `if test -f 'sa/tasks/ike_cert.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cert.Tpo" "$(DEPDIR)/ike_cert.Po"; else rm -f "$(DEPDIR)/ike_cert.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_cert.c' object='ike_cert.obj' libtool=no @AMDEPBACKSLASH@ +cp_payload.obj: encoding/payloads/cp_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.obj -MD -MP -MF "$(DEPDIR)/cp_payload.Tpo" -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 
'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cp_payload.Tpo" "$(DEPDIR)/cp_payload.Po"; else rm -f "$(DEPDIR)/cp_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cp_payload.c' object='cp_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert.obj `if test -f 'sa/tasks/ike_cert.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi` -ike_rekey.o: sa/tasks/ike_rekey.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.o -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_rekey.c' object='ike_rekey.o' libtool=no @AMDEPBACKSLASH@ +delete_payload.o: encoding/payloads/delete_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.o -MD -MP -MF "$(DEPDIR)/delete_payload.Tpo" -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f 
"$(DEPDIR)/delete_payload.Tpo" "$(DEPDIR)/delete_payload.Po"; else rm -f "$(DEPDIR)/delete_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/delete_payload.c' object='delete_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c -ike_rekey.obj: sa/tasks/ike_rekey.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.obj -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_rekey.c' object='ike_rekey.obj' libtool=no @AMDEPBACKSLASH@ +delete_payload.obj: encoding/payloads/delete_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.obj -MD -MP -MF "$(DEPDIR)/delete_payload.Tpo" -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_payload.Tpo" "$(DEPDIR)/delete_payload.Po"; else rm -f 
"$(DEPDIR)/delete_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/delete_payload.c' object='delete_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi` -ike_delete.o: sa/tasks/ike_delete.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.o -MD -MP -MF "$(DEPDIR)/ike_delete.Tpo" -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_delete.Tpo" "$(DEPDIR)/ike_delete.Po"; else rm -f "$(DEPDIR)/ike_delete.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_delete.c' object='ike_delete.o' libtool=no @AMDEPBACKSLASH@ +eap_payload.o: encoding/payloads/eap_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.o -MD -MP -MF "$(DEPDIR)/eap_payload.Tpo" -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_payload.Tpo" "$(DEPDIR)/eap_payload.Po"; else rm -f "$(DEPDIR)/eap_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/eap_payload.c' 
object='eap_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c -ike_delete.obj: sa/tasks/ike_delete.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.obj -MD -MP -MF "$(DEPDIR)/ike_delete.Tpo" -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_delete.Tpo" "$(DEPDIR)/ike_delete.Po"; else rm -f "$(DEPDIR)/ike_delete.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_delete.c' object='ike_delete.obj' libtool=no @AMDEPBACKSLASH@ +eap_payload.obj: encoding/payloads/eap_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.obj -MD -MP -MF "$(DEPDIR)/eap_payload.Tpo" -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_payload.Tpo" "$(DEPDIR)/eap_payload.Po"; else rm -f "$(DEPDIR)/eap_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/eap_payload.c' object='eap_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi` -ike_dpd.o: sa/tasks/ike_dpd.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.o -MD -MP -MF "$(DEPDIR)/ike_dpd.Tpo" -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_dpd.Tpo" "$(DEPDIR)/ike_dpd.Po"; else rm -f "$(DEPDIR)/ike_dpd.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_dpd.c' object='ike_dpd.o' libtool=no @AMDEPBACKSLASH@ +encodings.o: encoding/payloads/encodings.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.o -MD -MP -MF "$(DEPDIR)/encodings.Tpo" -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encodings.Tpo" "$(DEPDIR)/encodings.Po"; else rm -f "$(DEPDIR)/encodings.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encodings.c' object='encodings.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo 
'$(srcdir)/'`sa/tasks/ike_dpd.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c -ike_dpd.obj: sa/tasks/ike_dpd.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.obj -MD -MP -MF "$(DEPDIR)/ike_dpd.Tpo" -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_dpd.Tpo" "$(DEPDIR)/ike_dpd.Po"; else rm -f "$(DEPDIR)/ike_dpd.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_dpd.c' object='ike_dpd.obj' libtool=no @AMDEPBACKSLASH@ +encodings.obj: encoding/payloads/encodings.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.obj -MD -MP -MF "$(DEPDIR)/encodings.Tpo" -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encodings.Tpo" "$(DEPDIR)/encodings.Po"; else rm -f "$(DEPDIR)/encodings.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encodings.c' object='encodings.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) 
-c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi` -child_create.o: sa/tasks/child_create.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.o -MD -MP -MF "$(DEPDIR)/child_create.Tpo" -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_create.Tpo" "$(DEPDIR)/child_create.Po"; else rm -f "$(DEPDIR)/child_create.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_create.c' object='child_create.o' libtool=no @AMDEPBACKSLASH@ +encryption_payload.o: encoding/payloads/encryption_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.o -MD -MP -MF "$(DEPDIR)/encryption_payload.Tpo" -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encryption_payload.Tpo" "$(DEPDIR)/encryption_payload.Po"; else rm -f "$(DEPDIR)/encryption_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encryption_payload.c' object='encryption_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo 
'$(srcdir)/'`encoding/payloads/encryption_payload.c -child_create.obj: sa/tasks/child_create.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.obj -MD -MP -MF "$(DEPDIR)/child_create.Tpo" -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_create.Tpo" "$(DEPDIR)/child_create.Po"; else rm -f "$(DEPDIR)/child_create.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_create.c' object='child_create.obj' libtool=no @AMDEPBACKSLASH@ +encryption_payload.obj: encoding/payloads/encryption_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.obj -MD -MP -MF "$(DEPDIR)/encryption_payload.Tpo" -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encryption_payload.Tpo" "$(DEPDIR)/encryption_payload.Po"; else rm -f "$(DEPDIR)/encryption_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encryption_payload.c' object='encryption_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 
encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi` -child_delete.o: sa/tasks/child_delete.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.o -MD -MP -MF "$(DEPDIR)/child_delete.Tpo" -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_delete.Tpo" "$(DEPDIR)/child_delete.Po"; else rm -f "$(DEPDIR)/child_delete.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_delete.c' object='child_delete.o' libtool=no @AMDEPBACKSLASH@ +id_payload.o: encoding/payloads/id_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.o -MD -MP -MF "$(DEPDIR)/id_payload.Tpo" -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/id_payload.Tpo" "$(DEPDIR)/id_payload.Po"; else rm -f "$(DEPDIR)/id_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/id_payload.c' object='id_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c -child_delete.obj: sa/tasks/child_delete.c 
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.obj -MD -MP -MF "$(DEPDIR)/child_delete.Tpo" -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_delete.Tpo" "$(DEPDIR)/child_delete.Po"; else rm -f "$(DEPDIR)/child_delete.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_delete.c' object='child_delete.obj' libtool=no @AMDEPBACKSLASH@ +id_payload.obj: encoding/payloads/id_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.obj -MD -MP -MF "$(DEPDIR)/id_payload.Tpo" -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/id_payload.Tpo" "$(DEPDIR)/id_payload.Po"; else rm -f "$(DEPDIR)/id_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/id_payload.c' object='id_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi` -child_rekey.o: 
sa/tasks/child_rekey.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.o -MD -MP -MF "$(DEPDIR)/child_rekey.Tpo" -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_rekey.Tpo" "$(DEPDIR)/child_rekey.Po"; else rm -f "$(DEPDIR)/child_rekey.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_rekey.c' object='child_rekey.o' libtool=no @AMDEPBACKSLASH@ +ike_header.o: encoding/payloads/ike_header.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.o -MD -MP -MF "$(DEPDIR)/ike_header.Tpo" -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_header.Tpo" "$(DEPDIR)/ike_header.Po"; else rm -f "$(DEPDIR)/ike_header.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ike_header.c' object='ike_header.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c -child_rekey.obj: sa/tasks/child_rekey.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.obj -MD -MP -MF "$(DEPDIR)/child_rekey.Tpo" -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then 
$(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_rekey.Tpo" "$(DEPDIR)/child_rekey.Po"; else rm -f "$(DEPDIR)/child_rekey.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_rekey.c' object='child_rekey.obj' libtool=no @AMDEPBACKSLASH@ +ike_header.obj: encoding/payloads/ike_header.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.obj -MD -MP -MF "$(DEPDIR)/ike_header.Tpo" -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_header.Tpo" "$(DEPDIR)/ike_header.Po"; else rm -f "$(DEPDIR)/ike_header.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ike_header.c' object='ike_header.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi` -authenticator.o: sa/authenticators/authenticator.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.o -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.o `test -f 
'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/authenticator.Tpo" "$(DEPDIR)/authenticator.Po"; else rm -f "$(DEPDIR)/authenticator.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/authenticator.c' object='authenticator.o' libtool=no @AMDEPBACKSLASH@ +ke_payload.o: encoding/payloads/ke_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.o -MD -MP -MF "$(DEPDIR)/ke_payload.Tpo" -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ke_payload.Tpo" "$(DEPDIR)/ke_payload.Po"; else rm -f "$(DEPDIR)/ke_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ke_payload.c' object='ke_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c -authenticator.obj: sa/authenticators/authenticator.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.obj -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`; \ -@am__fastdepCC_TRUE@ 
then mv -f "$(DEPDIR)/authenticator.Tpo" "$(DEPDIR)/authenticator.Po"; else rm -f "$(DEPDIR)/authenticator.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/authenticator.c' object='authenticator.obj' libtool=no @AMDEPBACKSLASH@ +ke_payload.obj: encoding/payloads/ke_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.obj -MD -MP -MF "$(DEPDIR)/ke_payload.Tpo" -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ke_payload.Tpo" "$(DEPDIR)/ke_payload.Po"; else rm -f "$(DEPDIR)/ke_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ke_payload.c' object='ke_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi` -rsa_authenticator.o: sa/authenticators/rsa_authenticator.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_authenticator.o -MD -MP -MF "$(DEPDIR)/rsa_authenticator.Tpo" -c -o rsa_authenticator.o `test -f 'sa/authenticators/rsa_authenticator.c' || echo 
'$(srcdir)/'`sa/authenticators/rsa_authenticator.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_authenticator.Tpo" "$(DEPDIR)/rsa_authenticator.Po"; else rm -f "$(DEPDIR)/rsa_authenticator.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/rsa_authenticator.c' object='rsa_authenticator.o' libtool=no @AMDEPBACKSLASH@ +nonce_payload.o: encoding/payloads/nonce_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.o -MD -MP -MF "$(DEPDIR)/nonce_payload.Tpo" -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/nonce_payload.Tpo" "$(DEPDIR)/nonce_payload.Po"; else rm -f "$(DEPDIR)/nonce_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/nonce_payload.c' object='nonce_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_authenticator.o `test -f 'sa/authenticators/rsa_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/rsa_authenticator.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c -rsa_authenticator.obj: sa/authenticators/rsa_authenticator.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_authenticator.obj -MD -MP -MF "$(DEPDIR)/rsa_authenticator.Tpo" -c -o rsa_authenticator.obj `if test -f 'sa/authenticators/rsa_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/rsa_authenticator.c'; else $(CYGPATH_W) 
'$(srcdir)/sa/authenticators/rsa_authenticator.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_authenticator.Tpo" "$(DEPDIR)/rsa_authenticator.Po"; else rm -f "$(DEPDIR)/rsa_authenticator.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/rsa_authenticator.c' object='rsa_authenticator.obj' libtool=no @AMDEPBACKSLASH@ +nonce_payload.obj: encoding/payloads/nonce_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.obj -MD -MP -MF "$(DEPDIR)/nonce_payload.Tpo" -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/nonce_payload.Tpo" "$(DEPDIR)/nonce_payload.Po"; else rm -f "$(DEPDIR)/nonce_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/nonce_payload.c' object='nonce_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_authenticator.obj `if test -f 'sa/authenticators/rsa_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/rsa_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/rsa_authenticator.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi` -psk_authenticator.o: sa/authenticators/psk_authenticator.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 
psk_authenticator.o -MD -MP -MF "$(DEPDIR)/psk_authenticator.Tpo" -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/psk_authenticator.Tpo" "$(DEPDIR)/psk_authenticator.Po"; else rm -f "$(DEPDIR)/psk_authenticator.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.o' libtool=no @AMDEPBACKSLASH@ +notify_payload.o: encoding/payloads/notify_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.o -MD -MP -MF "$(DEPDIR)/notify_payload.Tpo" -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/notify_payload.Tpo" "$(DEPDIR)/notify_payload.Po"; else rm -f "$(DEPDIR)/notify_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/notify_payload.c' object='notify_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c -psk_authenticator.obj: sa/authenticators/psk_authenticator.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.obj -MD -MP -MF "$(DEPDIR)/psk_authenticator.Tpo" -c -o 
psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/psk_authenticator.Tpo" "$(DEPDIR)/psk_authenticator.Po"; else rm -f "$(DEPDIR)/psk_authenticator.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.obj' libtool=no @AMDEPBACKSLASH@ +notify_payload.obj: encoding/payloads/notify_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.obj -MD -MP -MF "$(DEPDIR)/notify_payload.Tpo" -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/notify_payload.Tpo" "$(DEPDIR)/notify_payload.Po"; else rm -f "$(DEPDIR)/notify_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/notify_payload.c' object='notify_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi` 
-task_manager.o: sa/task_manager.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.o -MD -MP -MF "$(DEPDIR)/task_manager.Tpo" -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task_manager.Tpo" "$(DEPDIR)/task_manager.Po"; else rm -f "$(DEPDIR)/task_manager.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/task_manager.c' object='task_manager.o' libtool=no @AMDEPBACKSLASH@ +payload.o: encoding/payloads/payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.o -MD -MP -MF "$(DEPDIR)/payload.Tpo" -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/payload.Tpo" "$(DEPDIR)/payload.Po"; else rm -f "$(DEPDIR)/payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/payload.c' object='payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c -task_manager.obj: sa/task_manager.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.obj -MD -MP -MF "$(DEPDIR)/task_manager.Tpo" -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) 
'$(srcdir)/sa/task_manager.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task_manager.Tpo" "$(DEPDIR)/task_manager.Po"; else rm -f "$(DEPDIR)/task_manager.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/task_manager.c' object='task_manager.obj' libtool=no @AMDEPBACKSLASH@ +payload.obj: encoding/payloads/payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.obj -MD -MP -MF "$(DEPDIR)/payload.Tpo" -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/payload.Tpo" "$(DEPDIR)/payload.Po"; else rm -f "$(DEPDIR)/payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/payload.c' object='payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi` -encryption_payload.o: encoding/payloads/encryption_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.o -MD -MP -MF "$(DEPDIR)/encryption_payload.Tpo" -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c; \ 
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encryption_payload.Tpo" "$(DEPDIR)/encryption_payload.Po"; else rm -f "$(DEPDIR)/encryption_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encryption_payload.c' object='encryption_payload.o' libtool=no @AMDEPBACKSLASH@ +proposal_substructure.o: encoding/payloads/proposal_substructure.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.o -MD -MP -MF "$(DEPDIR)/proposal_substructure.Tpo" -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal_substructure.Tpo" "$(DEPDIR)/proposal_substructure.Po"; else rm -f "$(DEPDIR)/proposal_substructure.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c -encryption_payload.obj: encoding/payloads/encryption_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.obj -MD -MP -MF "$(DEPDIR)/encryption_payload.Tpo" -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then 
$(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encryption_payload.Tpo" "$(DEPDIR)/encryption_payload.Po"; else rm -f "$(DEPDIR)/encryption_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encryption_payload.c' object='encryption_payload.obj' libtool=no @AMDEPBACKSLASH@ +proposal_substructure.obj: encoding/payloads/proposal_substructure.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.obj -MD -MP -MF "$(DEPDIR)/proposal_substructure.Tpo" -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal_substructure.Tpo" "$(DEPDIR)/proposal_substructure.Po"; else rm -f "$(DEPDIR)/proposal_substructure.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) 
'$(srcdir)/encoding/payloads/proposal_substructure.c'; fi` -cert_payload.o: encoding/payloads/cert_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.o -MD -MP -MF "$(DEPDIR)/cert_payload.Tpo" -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cert_payload.Tpo" "$(DEPDIR)/cert_payload.Po"; else rm -f "$(DEPDIR)/cert_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cert_payload.c' object='cert_payload.o' libtool=no @AMDEPBACKSLASH@ +sa_payload.o: encoding/payloads/sa_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.o -MD -MP -MF "$(DEPDIR)/sa_payload.Tpo" -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sa_payload.Tpo" "$(DEPDIR)/sa_payload.Po"; else rm -f "$(DEPDIR)/sa_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/sa_payload.c' object='sa_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c -cert_payload.obj: encoding/payloads/cert_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) -MT cert_payload.obj -MD -MP -MF "$(DEPDIR)/cert_payload.Tpo" -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cert_payload.Tpo" "$(DEPDIR)/cert_payload.Po"; else rm -f "$(DEPDIR)/cert_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cert_payload.c' object='cert_payload.obj' libtool=no @AMDEPBACKSLASH@ +sa_payload.obj: encoding/payloads/sa_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.obj -MD -MP -MF "$(DEPDIR)/sa_payload.Tpo" -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sa_payload.Tpo" "$(DEPDIR)/sa_payload.Po"; else rm -f "$(DEPDIR)/sa_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/sa_payload.c' object='sa_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi` traffic_selector_substructure.o: 
encoding/payloads/traffic_selector_substructure.c @am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.o -MD -MP -MF "$(DEPDIR)/traffic_selector_substructure.Tpo" -c -o traffic_selector_substructure.o `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c; \ 
@@ -1075,20 +1190,6 @@ transform_attribute.obj: encoding/payloads/transform_attribute.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.obj `if test -f 'encoding/payloads/transform_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/transform_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_attribute.c'; fi` -configuration_attribute.o: encoding/payloads/configuration_attribute.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.o -MD -MP -MF "$(DEPDIR)/configuration_attribute.Tpo" -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration_attribute.Tpo" "$(DEPDIR)/configuration_attribute.Po"; else rm -f "$(DEPDIR)/configuration_attribute.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c - -configuration_attribute.obj: encoding/payloads/configuration_attribute.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.obj -MD -MP -MF "$(DEPDIR)/configuration_attribute.Tpo" -c -o configuration_attribute.obj `if test -f 
'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration_attribute.Tpo" "$(DEPDIR)/configuration_attribute.Po"; else rm -f "$(DEPDIR)/configuration_attribute.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi` - transform_substructure.o: encoding/payloads/transform_substructure.c @am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.o -MD -MP -MF "$(DEPDIR)/transform_substructure.Tpo" -c -o transform_substructure.o `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c; \ @am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/transform_substructure.Tpo" "$(DEPDIR)/transform_substructure.Po"; else rm -f "$(DEPDIR)/transform_substructure.Tpo"; exit 1; fi 
@@ -1103,593 +1204,621 @@ transform_substructure.obj: encoding/payloads/transform_substructure.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.obj `if test -f 'encoding/payloads/transform_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/transform_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_substructure.c'; fi` -auth_payload.o: encoding/payloads/auth_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.o -MD -MP -MF "$(DEPDIR)/auth_payload.Tpo" -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/auth_payload.Tpo" "$(DEPDIR)/auth_payload.Po"; else rm -f "$(DEPDIR)/auth_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/auth_payload.c' object='auth_payload.o' libtool=no @AMDEPBACKSLASH@ +ts_payload.o: encoding/payloads/ts_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.o -MD -MP -MF "$(DEPDIR)/ts_payload.Tpo" -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ts_payload.Tpo" "$(DEPDIR)/ts_payload.Po"; else rm -f "$(DEPDIR)/ts_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ts_payload.c' object='ts_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.o 
`test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c -auth_payload.obj: encoding/payloads/auth_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.obj -MD -MP -MF "$(DEPDIR)/auth_payload.Tpo" -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/auth_payload.Tpo" "$(DEPDIR)/auth_payload.Po"; else rm -f "$(DEPDIR)/auth_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/auth_payload.c' object='auth_payload.obj' libtool=no @AMDEPBACKSLASH@ +ts_payload.obj: encoding/payloads/ts_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.obj -MD -MP -MF "$(DEPDIR)/ts_payload.Tpo" -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ts_payload.Tpo" "$(DEPDIR)/ts_payload.Po"; else rm -f "$(DEPDIR)/ts_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ts_payload.c' object='ts_payload.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; 
then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi` -ike_header.o: encoding/payloads/ike_header.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.o -MD -MP -MF "$(DEPDIR)/ike_header.Tpo" -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_header.Tpo" "$(DEPDIR)/ike_header.Po"; else rm -f "$(DEPDIR)/ike_header.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ike_header.c' object='ike_header.o' libtool=no @AMDEPBACKSLASH@ +unknown_payload.o: encoding/payloads/unknown_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.o -MD -MP -MF "$(DEPDIR)/unknown_payload.Tpo" -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/unknown_payload.Tpo" "$(DEPDIR)/unknown_payload.Po"; else rm -f "$(DEPDIR)/unknown_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/unknown_payload.c' object='unknown_payload.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo 
'$(srcdir)/'`encoding/payloads/ike_header.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c + +unknown_payload.obj: encoding/payloads/unknown_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.obj -MD -MP -MF "$(DEPDIR)/unknown_payload.Tpo" -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/unknown_payload.Tpo" "$(DEPDIR)/unknown_payload.Po"; else rm -f "$(DEPDIR)/unknown_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/unknown_payload.c' object='unknown_payload.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi` + +vendor_id_payload.o: encoding/payloads/vendor_id_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.o -MD -MP -MF "$(DEPDIR)/vendor_id_payload.Tpo" -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/vendor_id_payload.Tpo" "$(DEPDIR)/vendor_id_payload.Po"; else rm -f "$(DEPDIR)/vendor_id_payload.Tpo"; exit 1; 
fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c + +vendor_id_payload.obj: encoding/payloads/vendor_id_payload.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.obj -MD -MP -MF "$(DEPDIR)/vendor_id_payload.Tpo" -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/vendor_id_payload.Tpo" "$(DEPDIR)/vendor_id_payload.Po"; else rm -f "$(DEPDIR)/vendor_id_payload.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi` + +kernel_interface.o: kernel/kernel_interface.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.o -MD -MP -MF "$(DEPDIR)/kernel_interface.Tpo" -c -o kernel_interface.o `test -f 'kernel/kernel_interface.c' || echo 
'$(srcdir)/'`kernel/kernel_interface.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/kernel_interface.Tpo" "$(DEPDIR)/kernel_interface.Po"; else rm -f "$(DEPDIR)/kernel_interface.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kernel/kernel_interface.c' object='kernel_interface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.o `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c -ike_header.obj: encoding/payloads/ike_header.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.obj -MD -MP -MF "$(DEPDIR)/ike_header.Tpo" -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_header.Tpo" "$(DEPDIR)/ike_header.Po"; else rm -f "$(DEPDIR)/ike_header.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ike_header.c' object='ike_header.obj' libtool=no @AMDEPBACKSLASH@ +kernel_interface.obj: kernel/kernel_interface.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.obj -MD -MP -MF "$(DEPDIR)/kernel_interface.Tpo" -c -o kernel_interface.obj `if test -f 'kernel/kernel_interface.c'; then $(CYGPATH_W) 'kernel/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_interface.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/kernel_interface.Tpo" "$(DEPDIR)/kernel_interface.Po"; else rm -f "$(DEPDIR)/kernel_interface.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kernel/kernel_interface.c' object='kernel_interface.obj' 
libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.obj `if test -f 'kernel/kernel_interface.c'; then $(CYGPATH_W) 'kernel/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_interface.c'; fi` -nonce_payload.o: encoding/payloads/nonce_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.o -MD -MP -MF "$(DEPDIR)/nonce_payload.Tpo" -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/nonce_payload.Tpo" "$(DEPDIR)/nonce_payload.Po"; else rm -f "$(DEPDIR)/nonce_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/nonce_payload.c' object='nonce_payload.o' libtool=no @AMDEPBACKSLASH@ +packet.o: network/packet.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.o -MD -MP -MF "$(DEPDIR)/packet.Tpo" -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/packet.Tpo" "$(DEPDIR)/packet.Po"; else rm -f "$(DEPDIR)/packet.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/packet.c' object='packet.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c -nonce_payload.obj: encoding/payloads/nonce_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.obj -MD -MP -MF "$(DEPDIR)/nonce_payload.Tpo" -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/nonce_payload.Tpo" "$(DEPDIR)/nonce_payload.Po"; else rm -f "$(DEPDIR)/nonce_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/nonce_payload.c' object='nonce_payload.obj' libtool=no @AMDEPBACKSLASH@ +packet.obj: network/packet.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.obj -MD -MP -MF "$(DEPDIR)/packet.Tpo" -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/packet.Tpo" "$(DEPDIR)/packet.Po"; else rm -f "$(DEPDIR)/packet.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/packet.c' object='packet.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then 
$(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi` -eap_payload.o: encoding/payloads/eap_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.o -MD -MP -MF "$(DEPDIR)/eap_payload.Tpo" -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_payload.Tpo" "$(DEPDIR)/eap_payload.Po"; else rm -f "$(DEPDIR)/eap_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/eap_payload.c' object='eap_payload.o' libtool=no @AMDEPBACKSLASH@ +receiver.o: network/receiver.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.o -MD -MP -MF "$(DEPDIR)/receiver.Tpo" -c -o receiver.o `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/receiver.Tpo" "$(DEPDIR)/receiver.Po"; else rm -f "$(DEPDIR)/receiver.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/receiver.c' object='receiver.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.o `test -f 
'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c -eap_payload.obj: encoding/payloads/eap_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.obj -MD -MP -MF "$(DEPDIR)/eap_payload.Tpo" -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_payload.Tpo" "$(DEPDIR)/eap_payload.Po"; else rm -f "$(DEPDIR)/eap_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/eap_payload.c' object='eap_payload.obj' libtool=no @AMDEPBACKSLASH@ +receiver.obj: network/receiver.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.obj -MD -MP -MF "$(DEPDIR)/receiver.Tpo" -c -o receiver.obj `if test -f 'network/receiver.c'; then $(CYGPATH_W) 'network/receiver.c'; else $(CYGPATH_W) '$(srcdir)/network/receiver.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/receiver.Tpo" "$(DEPDIR)/receiver.Po"; else rm -f "$(DEPDIR)/receiver.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/receiver.c' object='receiver.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.obj `if test -f 'network/receiver.c'; then $(CYGPATH_W) 'network/receiver.c'; else $(CYGPATH_W) 
'$(srcdir)/network/receiver.c'; fi` -ts_payload.o: encoding/payloads/ts_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.o -MD -MP -MF "$(DEPDIR)/ts_payload.Tpo" -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ts_payload.Tpo" "$(DEPDIR)/ts_payload.Po"; else rm -f "$(DEPDIR)/ts_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ts_payload.c' object='ts_payload.o' libtool=no @AMDEPBACKSLASH@ +sender.o: network/sender.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.o -MD -MP -MF "$(DEPDIR)/sender.Tpo" -c -o sender.o `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sender.Tpo" "$(DEPDIR)/sender.Po"; else rm -f "$(DEPDIR)/sender.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/sender.c' object='sender.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.o `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c -ts_payload.obj: encoding/payloads/ts_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.obj -MD -MP -MF "$(DEPDIR)/ts_payload.Tpo" -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 
'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ts_payload.Tpo" "$(DEPDIR)/ts_payload.Po"; else rm -f "$(DEPDIR)/ts_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ts_payload.c' object='ts_payload.obj' libtool=no @AMDEPBACKSLASH@ +sender.obj: network/sender.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.obj -MD -MP -MF "$(DEPDIR)/sender.Tpo" -c -o sender.obj `if test -f 'network/sender.c'; then $(CYGPATH_W) 'network/sender.c'; else $(CYGPATH_W) '$(srcdir)/network/sender.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sender.Tpo" "$(DEPDIR)/sender.Po"; else rm -f "$(DEPDIR)/sender.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/sender.c' object='sender.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.obj `if test -f 'network/sender.c'; then $(CYGPATH_W) 'network/sender.c'; else $(CYGPATH_W) '$(srcdir)/network/sender.c'; fi` -notify_payload.o: encoding/payloads/notify_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.o -MD -MP -MF "$(DEPDIR)/notify_payload.Tpo" -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f 
"$(DEPDIR)/notify_payload.Tpo" "$(DEPDIR)/notify_payload.Po"; else rm -f "$(DEPDIR)/notify_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/notify_payload.c' object='notify_payload.o' libtool=no @AMDEPBACKSLASH@ +socket.o: network/socket.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.o -MD -MP -MF "$(DEPDIR)/socket.Tpo" -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/socket.Tpo" "$(DEPDIR)/socket.Po"; else rm -f "$(DEPDIR)/socket.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/socket.c' object='socket.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c -notify_payload.obj: encoding/payloads/notify_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.obj -MD -MP -MF "$(DEPDIR)/notify_payload.Tpo" -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/notify_payload.Tpo" "$(DEPDIR)/notify_payload.Po"; else rm -f "$(DEPDIR)/notify_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/notify_payload.c' 
object='notify_payload.obj' libtool=no @AMDEPBACKSLASH@ +socket.obj: network/socket.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.obj -MD -MP -MF "$(DEPDIR)/socket.Tpo" -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/socket.Tpo" "$(DEPDIR)/socket.Po"; else rm -f "$(DEPDIR)/socket.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/socket.c' object='socket.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi` -id_payload.o: encoding/payloads/id_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.o -MD -MP -MF "$(DEPDIR)/id_payload.Tpo" -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/id_payload.Tpo" "$(DEPDIR)/id_payload.Po"; else rm -f "$(DEPDIR)/id_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/id_payload.c' object='id_payload.o' libtool=no @AMDEPBACKSLASH@ +event_queue.o: processing/event_queue.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.o -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.o `test -f 'processing/event_queue.c' || echo '$(srcdir)/'`processing/event_queue.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/event_queue.c' object='event_queue.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.o `test -f 'processing/event_queue.c' || echo '$(srcdir)/'`processing/event_queue.c -id_payload.obj: encoding/payloads/id_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.obj -MD -MP -MF "$(DEPDIR)/id_payload.Tpo" -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/id_payload.Tpo" "$(DEPDIR)/id_payload.Po"; else rm -f "$(DEPDIR)/id_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/id_payload.c' object='id_payload.obj' libtool=no @AMDEPBACKSLASH@ +event_queue.obj: processing/event_queue.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.obj -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.obj `if test -f 
'processing/event_queue.c'; then $(CYGPATH_W) 'processing/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/event_queue.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/event_queue.c' object='event_queue.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.obj `if test -f 'processing/event_queue.c'; then $(CYGPATH_W) 'processing/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/event_queue.c'; fi` -ke_payload.o: encoding/payloads/ke_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.o -MD -MP -MF "$(DEPDIR)/ke_payload.Tpo" -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ke_payload.Tpo" "$(DEPDIR)/ke_payload.Po"; else rm -f "$(DEPDIR)/ke_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ke_payload.c' object='ke_payload.o' libtool=no @AMDEPBACKSLASH@ +job_queue.o: processing/job_queue.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.o -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.o `test -f 'processing/job_queue.c' || echo '$(srcdir)/'`processing/job_queue.c; \ 
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/job_queue.c' object='job_queue.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.o `test -f 'processing/job_queue.c' || echo '$(srcdir)/'`processing/job_queue.c -ke_payload.obj: encoding/payloads/ke_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.obj -MD -MP -MF "$(DEPDIR)/ke_payload.Tpo" -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ke_payload.Tpo" "$(DEPDIR)/ke_payload.Po"; else rm -f "$(DEPDIR)/ke_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ke_payload.c' object='ke_payload.obj' libtool=no @AMDEPBACKSLASH@ +job_queue.obj: processing/job_queue.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.obj -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.obj `if test -f 'processing/job_queue.c'; then $(CYGPATH_W) 'processing/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/job_queue.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/job_queue.c' object='job_queue.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.obj `if test -f 'processing/job_queue.c'; then $(CYGPATH_W) 'processing/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/job_queue.c'; fi` -unknown_payload.o: encoding/payloads/unknown_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.o -MD -MP -MF "$(DEPDIR)/unknown_payload.Tpo" -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/unknown_payload.Tpo" "$(DEPDIR)/unknown_payload.Po"; else rm -f "$(DEPDIR)/unknown_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/unknown_payload.c' object='unknown_payload.o' libtool=no @AMDEPBACKSLASH@ +acquire_job.o: processing/jobs/acquire_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.o -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o acquire_job.o `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='processing/jobs/acquire_job.c' object='acquire_job.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.o `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c -unknown_payload.obj: encoding/payloads/unknown_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.obj -MD -MP -MF "$(DEPDIR)/unknown_payload.Tpo" -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/unknown_payload.Tpo" "$(DEPDIR)/unknown_payload.Po"; else rm -f "$(DEPDIR)/unknown_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/unknown_payload.c' object='unknown_payload.obj' libtool=no @AMDEPBACKSLASH@ +acquire_job.obj: processing/jobs/acquire_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.obj -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o acquire_job.obj `if test -f 'processing/jobs/acquire_job.c'; then $(CYGPATH_W) 'processing/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/acquire_job.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='processing/jobs/acquire_job.c' object='acquire_job.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.obj `if test -f 'processing/jobs/acquire_job.c'; then $(CYGPATH_W) 'processing/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/acquire_job.c'; fi` -encodings.o: encoding/payloads/encodings.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.o -MD -MP -MF "$(DEPDIR)/encodings.Tpo" -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encodings.Tpo" "$(DEPDIR)/encodings.Po"; else rm -f "$(DEPDIR)/encodings.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encodings.c' object='encodings.o' libtool=no @AMDEPBACKSLASH@ +delete_child_sa_job.o: processing/jobs/delete_child_sa_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.o `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.o `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c -encodings.obj: encoding/payloads/encodings.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.obj -MD -MP -MF "$(DEPDIR)/encodings.Tpo" -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encodings.Tpo" "$(DEPDIR)/encodings.Po"; else rm -f "$(DEPDIR)/encodings.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encodings.c' object='encodings.obj' libtool=no @AMDEPBACKSLASH@ +delete_child_sa_job.obj: processing/jobs/delete_child_sa_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.obj -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.obj `if test -f 'processing/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_child_sa_job.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.obj `if test -f 'processing/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_child_sa_job.c'; fi` -cp_payload.o: encoding/payloads/cp_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.o -MD -MP -MF "$(DEPDIR)/cp_payload.Tpo" -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cp_payload.Tpo" "$(DEPDIR)/cp_payload.Po"; else rm -f "$(DEPDIR)/cp_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cp_payload.c' object='cp_payload.o' libtool=no @AMDEPBACKSLASH@ +delete_ike_sa_job.o: processing/jobs/delete_ike_sa_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_ike_sa_job.Tpo" -c -o delete_ike_sa_job.o `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_ike_sa_job.Tpo" "$(DEPDIR)/delete_ike_sa_job.Po"; else rm -f "$(DEPDIR)/delete_ike_sa_job.Tpo"; 
exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.o `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c -cp_payload.obj: encoding/payloads/cp_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.obj -MD -MP -MF "$(DEPDIR)/cp_payload.Tpo" -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cp_payload.Tpo" "$(DEPDIR)/cp_payload.Po"; else rm -f "$(DEPDIR)/cp_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cp_payload.c' object='cp_payload.obj' libtool=no @AMDEPBACKSLASH@ +delete_ike_sa_job.obj: processing/jobs/delete_ike_sa_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.obj -MD -MP -MF "$(DEPDIR)/delete_ike_sa_job.Tpo" -c -o delete_ike_sa_job.obj `if test -f 'processing/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_ike_sa_job.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_ike_sa_job.Tpo" "$(DEPDIR)/delete_ike_sa_job.Po"; else rm -f 
"$(DEPDIR)/delete_ike_sa_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.obj `if test -f 'processing/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_ike_sa_job.c'; fi` -delete_payload.o: encoding/payloads/delete_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.o -MD -MP -MF "$(DEPDIR)/delete_payload.Tpo" -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_payload.Tpo" "$(DEPDIR)/delete_payload.Po"; else rm -f "$(DEPDIR)/delete_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/delete_payload.c' object='delete_payload.o' libtool=no @AMDEPBACKSLASH@ +job.o: processing/jobs/job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.o -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.o `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='processing/jobs/job.c' object='job.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.o `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c -delete_payload.obj: encoding/payloads/delete_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.obj -MD -MP -MF "$(DEPDIR)/delete_payload.Tpo" -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_payload.Tpo" "$(DEPDIR)/delete_payload.Po"; else rm -f "$(DEPDIR)/delete_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/delete_payload.c' object='delete_payload.obj' libtool=no @AMDEPBACKSLASH@ +job.obj: processing/jobs/job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.obj -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.obj `if test -f 'processing/jobs/job.c'; then $(CYGPATH_W) 'processing/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/job.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/job.c' object='job.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.obj `if test -f 'processing/jobs/job.c'; then $(CYGPATH_W) 'processing/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/job.c'; fi` -sa_payload.o: encoding/payloads/sa_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.o -MD -MP -MF "$(DEPDIR)/sa_payload.Tpo" -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sa_payload.Tpo" "$(DEPDIR)/sa_payload.Po"; else rm -f "$(DEPDIR)/sa_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/sa_payload.c' object='sa_payload.o' libtool=no @AMDEPBACKSLASH@ +process_message_job.o: processing/jobs/process_message_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.o -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.o `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/process_message_job.c' object='process_message_job.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.o `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c -sa_payload.obj: encoding/payloads/sa_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.obj -MD -MP -MF "$(DEPDIR)/sa_payload.Tpo" -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sa_payload.Tpo" "$(DEPDIR)/sa_payload.Po"; else rm -f "$(DEPDIR)/sa_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/sa_payload.c' object='sa_payload.obj' libtool=no @AMDEPBACKSLASH@ +process_message_job.obj: processing/jobs/process_message_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.obj -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.obj `if test -f 'processing/jobs/process_message_job.c'; then $(CYGPATH_W) 'processing/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/process_message_job.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/process_message_job.c' object='process_message_job.obj' libtool=no @AMDEPBACKSLASH@ 
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.obj `if test -f 'processing/jobs/process_message_job.c'; then $(CYGPATH_W) 'processing/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/process_message_job.c'; fi` -certreq_payload.o: encoding/payloads/certreq_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.o -MD -MP -MF "$(DEPDIR)/certreq_payload.Tpo" -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certreq_payload.Tpo" "$(DEPDIR)/certreq_payload.Po"; else rm -f "$(DEPDIR)/certreq_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/certreq_payload.c' object='certreq_payload.o' libtool=no @AMDEPBACKSLASH@ +rekey_child_sa_job.o: processing/jobs/rekey_child_sa_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.o -MD -MP -MF "$(DEPDIR)/rekey_child_sa_job.Tpo" -c -o rekey_child_sa_job.o `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_child_sa_job.Tpo" "$(DEPDIR)/rekey_child_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_child_sa_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.o `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c -certreq_payload.obj: encoding/payloads/certreq_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.obj -MD -MP -MF "$(DEPDIR)/certreq_payload.Tpo" -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certreq_payload.Tpo" "$(DEPDIR)/certreq_payload.Po"; else rm -f "$(DEPDIR)/certreq_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/certreq_payload.c' object='certreq_payload.obj' libtool=no @AMDEPBACKSLASH@ +rekey_child_sa_job.obj: processing/jobs/rekey_child_sa_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.obj -MD -MP -MF "$(DEPDIR)/rekey_child_sa_job.Tpo" -c -o rekey_child_sa_job.obj `if test -f 'processing/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_child_sa_job.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_child_sa_job.Tpo" 
"$(DEPDIR)/rekey_child_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_child_sa_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.obj `if test -f 'processing/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_child_sa_job.c'; fi` -vendor_id_payload.o: encoding/payloads/vendor_id_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.o -MD -MP -MF "$(DEPDIR)/vendor_id_payload.Tpo" -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/vendor_id_payload.Tpo" "$(DEPDIR)/vendor_id_payload.Po"; else rm -f "$(DEPDIR)/vendor_id_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.o' libtool=no @AMDEPBACKSLASH@ +rekey_ike_sa_job.o: processing/jobs/rekey_ike_sa_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.o -MD -MP -MF "$(DEPDIR)/rekey_ike_sa_job.Tpo" -c -o rekey_ike_sa_job.o `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo 
'$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_ike_sa_job.Tpo" "$(DEPDIR)/rekey_ike_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_ike_sa_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.o `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c -vendor_id_payload.obj: encoding/payloads/vendor_id_payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.obj -MD -MP -MF "$(DEPDIR)/vendor_id_payload.Tpo" -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/vendor_id_payload.Tpo" "$(DEPDIR)/vendor_id_payload.Po"; else rm -f "$(DEPDIR)/vendor_id_payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.obj' libtool=no @AMDEPBACKSLASH@ +rekey_ike_sa_job.obj: processing/jobs/rekey_ike_sa_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.obj -MD -MP -MF "$(DEPDIR)/rekey_ike_sa_job.Tpo" -c -o rekey_ike_sa_job.obj `if test -f 
'processing/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_ike_sa_job.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_ike_sa_job.Tpo" "$(DEPDIR)/rekey_ike_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_ike_sa_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.obj `if test -f 'processing/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_ike_sa_job.c'; fi` -proposal_substructure.o: encoding/payloads/proposal_substructure.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.o -MD -MP -MF "$(DEPDIR)/proposal_substructure.Tpo" -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal_substructure.Tpo" "$(DEPDIR)/proposal_substructure.Po"; else rm -f "$(DEPDIR)/proposal_substructure.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.o' libtool=no @AMDEPBACKSLASH@ +retransmit_job.o: processing/jobs/retransmit_job.c 
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.o -MD -MP -MF "$(DEPDIR)/retransmit_job.Tpo" -c -o retransmit_job.o `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/retransmit_job.Tpo" "$(DEPDIR)/retransmit_job.Po"; else rm -f "$(DEPDIR)/retransmit_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/retransmit_job.c' object='retransmit_job.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.o `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c -proposal_substructure.obj: encoding/payloads/proposal_substructure.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.obj -MD -MP -MF "$(DEPDIR)/proposal_substructure.Tpo" -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal_substructure.Tpo" "$(DEPDIR)/proposal_substructure.Po"; else rm -f "$(DEPDIR)/proposal_substructure.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.obj' libtool=no 
@AMDEPBACKSLASH@ +retransmit_job.obj: processing/jobs/retransmit_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.obj -MD -MP -MF "$(DEPDIR)/retransmit_job.Tpo" -c -o retransmit_job.obj `if test -f 'processing/jobs/retransmit_job.c'; then $(CYGPATH_W) 'processing/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/retransmit_job.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/retransmit_job.Tpo" "$(DEPDIR)/retransmit_job.Po"; else rm -f "$(DEPDIR)/retransmit_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/retransmit_job.c' object='retransmit_job.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.obj `if test -f 'processing/jobs/retransmit_job.c'; then $(CYGPATH_W) 'processing/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/retransmit_job.c'; fi` -payload.o: encoding/payloads/payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.o -MD -MP -MF "$(DEPDIR)/payload.Tpo" -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/payload.Tpo" "$(DEPDIR)/payload.Po"; else rm -f "$(DEPDIR)/payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='encoding/payloads/payload.c' object='payload.o' libtool=no @AMDEPBACKSLASH@ +send_dpd_job.o: processing/jobs/send_dpd_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.o -MD -MP -MF "$(DEPDIR)/send_dpd_job.Tpo" -c -o send_dpd_job.o `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_dpd_job.Tpo" "$(DEPDIR)/send_dpd_job.Po"; else rm -f "$(DEPDIR)/send_dpd_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/send_dpd_job.c' object='send_dpd_job.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.o `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c -payload.obj: encoding/payloads/payload.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.obj -MD -MP -MF "$(DEPDIR)/payload.Tpo" -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/payload.Tpo" "$(DEPDIR)/payload.Po"; else rm -f "$(DEPDIR)/payload.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/payload.c' object='payload.obj' libtool=no @AMDEPBACKSLASH@ +send_dpd_job.obj: processing/jobs/send_dpd_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.obj -MD -MP -MF "$(DEPDIR)/send_dpd_job.Tpo" -c -o send_dpd_job.obj `if test -f 'processing/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'processing/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_dpd_job.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_dpd_job.Tpo" "$(DEPDIR)/send_dpd_job.Po"; else rm -f "$(DEPDIR)/send_dpd_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/send_dpd_job.c' object='send_dpd_job.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.obj `if test -f 'processing/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'processing/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_dpd_job.c'; fi` -message.o: encoding/message.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.o -MD -MP -MF "$(DEPDIR)/message.Tpo" -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/message.Tpo" "$(DEPDIR)/message.Po"; else rm -f "$(DEPDIR)/message.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/message.c' object='message.o' libtool=no @AMDEPBACKSLASH@ +send_keepalive_job.o: processing/jobs/send_keepalive_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 
send_keepalive_job.o -MD -MP -MF "$(DEPDIR)/send_keepalive_job.Tpo" -c -o send_keepalive_job.o `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_keepalive_job.Tpo" "$(DEPDIR)/send_keepalive_job.Po"; else rm -f "$(DEPDIR)/send_keepalive_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.o `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c -message.obj: encoding/message.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.obj -MD -MP -MF "$(DEPDIR)/message.Tpo" -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/message.Tpo" "$(DEPDIR)/message.Po"; else rm -f "$(DEPDIR)/message.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/message.c' object='message.obj' libtool=no @AMDEPBACKSLASH@ +send_keepalive_job.obj: processing/jobs/send_keepalive_job.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.obj -MD -MP -MF "$(DEPDIR)/send_keepalive_job.Tpo" -c -o send_keepalive_job.obj `if test -f 'processing/jobs/send_keepalive_job.c'; then 
$(CYGPATH_W) 'processing/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_keepalive_job.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_keepalive_job.Tpo" "$(DEPDIR)/send_keepalive_job.Po"; else rm -f "$(DEPDIR)/send_keepalive_job.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.obj `if test -f 'processing/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'processing/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_keepalive_job.c'; fi` -generator.o: encoding/generator.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.o -MD -MP -MF "$(DEPDIR)/generator.Tpo" -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/generator.Tpo" "$(DEPDIR)/generator.Po"; else rm -f "$(DEPDIR)/generator.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/generator.c' object='generator.o' libtool=no @AMDEPBACKSLASH@ +scheduler.o: processing/scheduler.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.o -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.o `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c; \ 
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/scheduler.c' object='scheduler.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.o `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c -generator.obj: encoding/generator.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.obj -MD -MP -MF "$(DEPDIR)/generator.Tpo" -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/generator.Tpo" "$(DEPDIR)/generator.Po"; else rm -f "$(DEPDIR)/generator.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/generator.c' object='generator.obj' libtool=no @AMDEPBACKSLASH@ +scheduler.obj: processing/scheduler.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.obj -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.obj `if test -f 'processing/scheduler.c'; then $(CYGPATH_W) 'processing/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/processing/scheduler.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/scheduler.c' object='scheduler.obj' 
libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.obj `if test -f 'processing/scheduler.c'; then $(CYGPATH_W) 'processing/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/processing/scheduler.c'; fi` -parser.o: encoding/parser.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.o -MD -MP -MF "$(DEPDIR)/parser.Tpo" -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/parser.Tpo" "$(DEPDIR)/parser.Po"; else rm -f "$(DEPDIR)/parser.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/parser.c' object='parser.o' libtool=no @AMDEPBACKSLASH@ +thread_pool.o: processing/thread_pool.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.o -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.o `test -f 'processing/thread_pool.c' || echo '$(srcdir)/'`processing/thread_pool.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/thread_pool.c' object='thread_pool.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.o 
`test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.o `test -f 'processing/thread_pool.c' || echo '$(srcdir)/'`processing/thread_pool.c -parser.obj: encoding/parser.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.obj -MD -MP -MF "$(DEPDIR)/parser.Tpo" -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/parser.Tpo" "$(DEPDIR)/parser.Po"; else rm -f "$(DEPDIR)/parser.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/parser.c' object='parser.obj' libtool=no @AMDEPBACKSLASH@ +thread_pool.obj: processing/thread_pool.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.obj -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.obj `if test -f 'processing/thread_pool.c'; then $(CYGPATH_W) 'processing/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/processing/thread_pool.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/thread_pool.c' object='thread_pool.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) 
-c -o thread_pool.obj `if test -f 'processing/thread_pool.c'; then $(CYGPATH_W) 'processing/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/processing/thread_pool.c'; fi` -packet.o: network/packet.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.o -MD -MP -MF "$(DEPDIR)/packet.Tpo" -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/packet.Tpo" "$(DEPDIR)/packet.Po"; else rm -f "$(DEPDIR)/packet.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/packet.c' object='packet.o' libtool=no @AMDEPBACKSLASH@ +authenticator.o: sa/authenticators/authenticator.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.o -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/authenticator.Tpo" "$(DEPDIR)/authenticator.Po"; else rm -f "$(DEPDIR)/authenticator.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/authenticator.c' object='authenticator.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c -packet.obj: network/packet.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) 
$(CFLAGS) -MT packet.obj -MD -MP -MF "$(DEPDIR)/packet.Tpo" -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/packet.Tpo" "$(DEPDIR)/packet.Po"; else rm -f "$(DEPDIR)/packet.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/packet.c' object='packet.obj' libtool=no @AMDEPBACKSLASH@ +authenticator.obj: sa/authenticators/authenticator.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.obj -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/authenticator.Tpo" "$(DEPDIR)/authenticator.Po"; else rm -f "$(DEPDIR)/authenticator.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/authenticator.c' object='authenticator.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi` -socket.o: network/socket.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.o -MD -MP -MF 
"$(DEPDIR)/socket.Tpo" -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/socket.Tpo" "$(DEPDIR)/socket.Po"; else rm -f "$(DEPDIR)/socket.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/socket.c' object='socket.o' libtool=no @AMDEPBACKSLASH@ +eap_authenticator.o: sa/authenticators/eap_authenticator.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.o -MD -MP -MF "$(DEPDIR)/eap_authenticator.Tpo" -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_authenticator.Tpo" "$(DEPDIR)/eap_authenticator.Po"; else rm -f "$(DEPDIR)/eap_authenticator.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c -socket.obj: network/socket.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.obj -MD -MP -MF "$(DEPDIR)/socket.Tpo" -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/socket.Tpo" "$(DEPDIR)/socket.Po"; else rm 
-f "$(DEPDIR)/socket.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/socket.c' object='socket.obj' libtool=no @AMDEPBACKSLASH@ +eap_authenticator.obj: sa/authenticators/eap_authenticator.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.obj -MD -MP -MF "$(DEPDIR)/eap_authenticator.Tpo" -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_authenticator.Tpo" "$(DEPDIR)/eap_authenticator.Po"; else rm -f "$(DEPDIR)/eap_authenticator.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi` -job.o: queues/jobs/job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.o -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.o `test -f 'queues/jobs/job.c' || echo '$(srcdir)/'`queues/jobs/job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi 
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/job.c' object='job.o' libtool=no @AMDEPBACKSLASH@ +eap_method.o: sa/authenticators/eap/eap_method.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.o -MD -MP -MF "$(DEPDIR)/eap_method.Tpo" -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_method.Tpo" "$(DEPDIR)/eap_method.Po"; else rm -f "$(DEPDIR)/eap_method.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_method.c' object='eap_method.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.o `test -f 'queues/jobs/job.c' || echo '$(srcdir)/'`queues/jobs/job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c -job.obj: queues/jobs/job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.obj -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.obj `if test -f 'queues/jobs/job.c'; then $(CYGPATH_W) 'queues/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/job.c' object='job.obj' libtool=no @AMDEPBACKSLASH@ +eap_method.obj: sa/authenticators/eap/eap_method.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 
eap_method.obj -MD -MP -MF "$(DEPDIR)/eap_method.Tpo" -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_method.Tpo" "$(DEPDIR)/eap_method.Po"; else rm -f "$(DEPDIR)/eap_method.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_method.c' object='eap_method.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.obj `if test -f 'queues/jobs/job.c'; then $(CYGPATH_W) 'queues/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi` -process_message_job.o: queues/jobs/process_message_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.o -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.o `test -f 'queues/jobs/process_message_job.c' || echo '$(srcdir)/'`queues/jobs/process_message_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/process_message_job.c' object='process_message_job.o' libtool=no @AMDEPBACKSLASH@ +psk_authenticator.o: sa/authenticators/psk_authenticator.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.o -MD -MP -MF "$(DEPDIR)/psk_authenticator.Tpo" -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/psk_authenticator.Tpo" "$(DEPDIR)/psk_authenticator.Po"; else rm -f "$(DEPDIR)/psk_authenticator.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.o `test -f 'queues/jobs/process_message_job.c' || echo '$(srcdir)/'`queues/jobs/process_message_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c -process_message_job.obj: queues/jobs/process_message_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.obj -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.obj `if test -f 'queues/jobs/process_message_job.c'; then $(CYGPATH_W) 'queues/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/process_message_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/process_message_job.c' object='process_message_job.obj' libtool=no @AMDEPBACKSLASH@ +psk_authenticator.obj: sa/authenticators/psk_authenticator.c 
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.obj -MD -MP -MF "$(DEPDIR)/psk_authenticator.Tpo" -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/psk_authenticator.Tpo" "$(DEPDIR)/psk_authenticator.Po"; else rm -f "$(DEPDIR)/psk_authenticator.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.obj `if test -f 'queues/jobs/process_message_job.c'; then $(CYGPATH_W) 'queues/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/process_message_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi` -delete_ike_sa_job.o: queues/jobs/delete_ike_sa_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_ike_sa_job.Tpo" -c -o delete_ike_sa_job.o `test -f 'queues/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_ike_sa_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_ike_sa_job.Tpo" "$(DEPDIR)/delete_ike_sa_job.Po"; else rm -f "$(DEPDIR)/delete_ike_sa_job.Tpo"; exit 1; fi 
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@ +rsa_authenticator.o: sa/authenticators/rsa_authenticator.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_authenticator.o -MD -MP -MF "$(DEPDIR)/rsa_authenticator.Tpo" -c -o rsa_authenticator.o `test -f 'sa/authenticators/rsa_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/rsa_authenticator.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_authenticator.Tpo" "$(DEPDIR)/rsa_authenticator.Po"; else rm -f "$(DEPDIR)/rsa_authenticator.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/rsa_authenticator.c' object='rsa_authenticator.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.o `test -f 'queues/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_ike_sa_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_authenticator.o `test -f 'sa/authenticators/rsa_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/rsa_authenticator.c -delete_ike_sa_job.obj: queues/jobs/delete_ike_sa_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.obj -MD -MP -MF "$(DEPDIR)/delete_ike_sa_job.Tpo" -c -o delete_ike_sa_job.obj `if test -f 'queues/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_ike_sa_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_ike_sa_job.Tpo" "$(DEPDIR)/delete_ike_sa_job.Po"; else rm -f "$(DEPDIR)/delete_ike_sa_job.Tpo"; 
exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@ +rsa_authenticator.obj: sa/authenticators/rsa_authenticator.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_authenticator.obj -MD -MP -MF "$(DEPDIR)/rsa_authenticator.Tpo" -c -o rsa_authenticator.obj `if test -f 'sa/authenticators/rsa_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/rsa_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/rsa_authenticator.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_authenticator.Tpo" "$(DEPDIR)/rsa_authenticator.Po"; else rm -f "$(DEPDIR)/rsa_authenticator.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/rsa_authenticator.c' object='rsa_authenticator.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.obj `if test -f 'queues/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_ike_sa_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_authenticator.obj `if test -f 'sa/authenticators/rsa_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/rsa_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/rsa_authenticator.c'; fi` -retransmit_job.o: queues/jobs/retransmit_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.o -MD -MP -MF "$(DEPDIR)/retransmit_job.Tpo" -c -o retransmit_job.o `test -f 'queues/jobs/retransmit_job.c' || echo 
'$(srcdir)/'`queues/jobs/retransmit_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/retransmit_job.Tpo" "$(DEPDIR)/retransmit_job.Po"; else rm -f "$(DEPDIR)/retransmit_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/retransmit_job.c' object='retransmit_job.o' libtool=no @AMDEPBACKSLASH@ +child_sa.o: sa/child_sa.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.o -MD -MP -MF "$(DEPDIR)/child_sa.Tpo" -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_sa.Tpo" "$(DEPDIR)/child_sa.Po"; else rm -f "$(DEPDIR)/child_sa.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/child_sa.c' object='child_sa.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.o `test -f 'queues/jobs/retransmit_job.c' || echo '$(srcdir)/'`queues/jobs/retransmit_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c -retransmit_job.obj: queues/jobs/retransmit_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.obj -MD -MP -MF "$(DEPDIR)/retransmit_job.Tpo" -c -o retransmit_job.obj `if test -f 'queues/jobs/retransmit_job.c'; then $(CYGPATH_W) 'queues/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/retransmit_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/retransmit_job.Tpo" "$(DEPDIR)/retransmit_job.Po"; else rm -f "$(DEPDIR)/retransmit_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='queues/jobs/retransmit_job.c' object='retransmit_job.obj' libtool=no @AMDEPBACKSLASH@ +child_sa.obj: sa/child_sa.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.obj -MD -MP -MF "$(DEPDIR)/child_sa.Tpo" -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_sa.Tpo" "$(DEPDIR)/child_sa.Po"; else rm -f "$(DEPDIR)/child_sa.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/child_sa.c' object='child_sa.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.obj `if test -f 'queues/jobs/retransmit_job.c'; then $(CYGPATH_W) 'queues/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/retransmit_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi` -initiate_job.o: queues/jobs/initiate_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_job.o -MD -MP -MF "$(DEPDIR)/initiate_job.Tpo" -c -o initiate_job.o `test -f 'queues/jobs/initiate_job.c' || echo '$(srcdir)/'`queues/jobs/initiate_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/initiate_job.Tpo" "$(DEPDIR)/initiate_job.Po"; else rm -f "$(DEPDIR)/initiate_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/initiate_job.c' object='initiate_job.o' libtool=no @AMDEPBACKSLASH@ +ike_sa.o: sa/ike_sa.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.o -MD -MP -MF "$(DEPDIR)/ike_sa.Tpo" -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa.Tpo" "$(DEPDIR)/ike_sa.Po"; else rm -f "$(DEPDIR)/ike_sa.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa.c' object='ike_sa.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_job.o `test -f 'queues/jobs/initiate_job.c' || echo '$(srcdir)/'`queues/jobs/initiate_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c -initiate_job.obj: queues/jobs/initiate_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_job.obj -MD -MP -MF "$(DEPDIR)/initiate_job.Tpo" -c -o initiate_job.obj `if test -f 'queues/jobs/initiate_job.c'; then $(CYGPATH_W) 'queues/jobs/initiate_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/initiate_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/initiate_job.Tpo" "$(DEPDIR)/initiate_job.Po"; else rm -f "$(DEPDIR)/initiate_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/initiate_job.c' object='initiate_job.obj' libtool=no @AMDEPBACKSLASH@ +ike_sa.obj: sa/ike_sa.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.obj -MD -MP -MF "$(DEPDIR)/ike_sa.Tpo" -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa.Tpo" "$(DEPDIR)/ike_sa.Po"; 
else rm -f "$(DEPDIR)/ike_sa.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa.c' object='ike_sa.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_job.obj `if test -f 'queues/jobs/initiate_job.c'; then $(CYGPATH_W) 'queues/jobs/initiate_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/initiate_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi` -send_keepalive_job.o: queues/jobs/send_keepalive_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.o -MD -MP -MF "$(DEPDIR)/send_keepalive_job.Tpo" -c -o send_keepalive_job.o `test -f 'queues/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`queues/jobs/send_keepalive_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_keepalive_job.Tpo" "$(DEPDIR)/send_keepalive_job.Po"; else rm -f "$(DEPDIR)/send_keepalive_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_keepalive_job.c' object='send_keepalive_job.o' libtool=no @AMDEPBACKSLASH@ +ike_sa_id.o: sa/ike_sa_id.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.o -MD -MP -MF "$(DEPDIR)/ike_sa_id.Tpo" -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_id.Tpo" "$(DEPDIR)/ike_sa_id.Po"; else rm -f "$(DEPDIR)/ike_sa_id.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_id.c' object='ike_sa_id.o' libtool=no @AMDEPBACKSLASH@ 
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.o `test -f 'queues/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`queues/jobs/send_keepalive_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c -send_keepalive_job.obj: queues/jobs/send_keepalive_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.obj -MD -MP -MF "$(DEPDIR)/send_keepalive_job.Tpo" -c -o send_keepalive_job.obj `if test -f 'queues/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'queues/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_keepalive_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_keepalive_job.Tpo" "$(DEPDIR)/send_keepalive_job.Po"; else rm -f "$(DEPDIR)/send_keepalive_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_keepalive_job.c' object='send_keepalive_job.obj' libtool=no @AMDEPBACKSLASH@ +ike_sa_id.obj: sa/ike_sa_id.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.obj -MD -MP -MF "$(DEPDIR)/ike_sa_id.Tpo" -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_id.Tpo" "$(DEPDIR)/ike_sa_id.Po"; else rm -f "$(DEPDIR)/ike_sa_id.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_id.c' object='ike_sa_id.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.obj `if test -f 'queues/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'queues/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_keepalive_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi` -rekey_child_sa_job.o: queues/jobs/rekey_child_sa_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.o -MD -MP -MF "$(DEPDIR)/rekey_child_sa_job.Tpo" -c -o rekey_child_sa_job.o `test -f 'queues/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_child_sa_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_child_sa_job.Tpo" "$(DEPDIR)/rekey_child_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_child_sa_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.o' libtool=no @AMDEPBACKSLASH@ +ike_sa_manager.o: sa/ike_sa_manager.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.o -MD -MP -MF "$(DEPDIR)/ike_sa_manager.Tpo" -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_manager.Tpo" "$(DEPDIR)/ike_sa_manager.Po"; else rm -f "$(DEPDIR)/ike_sa_manager.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_manager.c' object='ike_sa_manager.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.o `test -f 'queues/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_child_sa_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c -rekey_child_sa_job.obj: queues/jobs/rekey_child_sa_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.obj -MD -MP -MF "$(DEPDIR)/rekey_child_sa_job.Tpo" -c -o rekey_child_sa_job.obj `if test -f 'queues/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_child_sa_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_child_sa_job.Tpo" "$(DEPDIR)/rekey_child_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_child_sa_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@ +ike_sa_manager.obj: sa/ike_sa_manager.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.obj -MD -MP -MF "$(DEPDIR)/ike_sa_manager.Tpo" -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_manager.Tpo" "$(DEPDIR)/ike_sa_manager.Po"; else rm -f "$(DEPDIR)/ike_sa_manager.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_manager.c' object='ike_sa_manager.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 
rekey_child_sa_job.obj `if test -f 'queues/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_child_sa_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi` -delete_child_sa_job.o: queues/jobs/delete_child_sa_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.o `test -f 'queues/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_child_sa_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_child_sa_job.c' object='delete_child_sa_job.o' libtool=no @AMDEPBACKSLASH@ +task_manager.o: sa/task_manager.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.o -MD -MP -MF "$(DEPDIR)/task_manager.Tpo" -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task_manager.Tpo" "$(DEPDIR)/task_manager.Po"; else rm -f "$(DEPDIR)/task_manager.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/task_manager.c' object='task_manager.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.o `test -f 
'queues/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_child_sa_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c -delete_child_sa_job.obj: queues/jobs/delete_child_sa_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.obj -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.obj `if test -f 'queues/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_child_sa_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_child_sa_job.c' object='delete_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@ +task_manager.obj: sa/task_manager.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.obj -MD -MP -MF "$(DEPDIR)/task_manager.Tpo" -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task_manager.Tpo" "$(DEPDIR)/task_manager.Po"; else rm -f "$(DEPDIR)/task_manager.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/task_manager.c' object='task_manager.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.obj `if test -f 'queues/jobs/delete_child_sa_job.c'; then 
$(CYGPATH_W) 'queues/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_child_sa_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi` -send_dpd_job.o: queues/jobs/send_dpd_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.o -MD -MP -MF "$(DEPDIR)/send_dpd_job.Tpo" -c -o send_dpd_job.o `test -f 'queues/jobs/send_dpd_job.c' || echo '$(srcdir)/'`queues/jobs/send_dpd_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_dpd_job.Tpo" "$(DEPDIR)/send_dpd_job.Po"; else rm -f "$(DEPDIR)/send_dpd_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_dpd_job.c' object='send_dpd_job.o' libtool=no @AMDEPBACKSLASH@ +child_create.o: sa/tasks/child_create.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.o -MD -MP -MF "$(DEPDIR)/child_create.Tpo" -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_create.Tpo" "$(DEPDIR)/child_create.Po"; else rm -f "$(DEPDIR)/child_create.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_create.c' object='child_create.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.o `test -f 'queues/jobs/send_dpd_job.c' || echo '$(srcdir)/'`queues/jobs/send_dpd_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c -send_dpd_job.obj: queues/jobs/send_dpd_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.obj -MD -MP -MF "$(DEPDIR)/send_dpd_job.Tpo" -c -o send_dpd_job.obj `if test -f 'queues/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'queues/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_dpd_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_dpd_job.Tpo" "$(DEPDIR)/send_dpd_job.Po"; else rm -f "$(DEPDIR)/send_dpd_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_dpd_job.c' object='send_dpd_job.obj' libtool=no @AMDEPBACKSLASH@ +child_create.obj: sa/tasks/child_create.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.obj -MD -MP -MF "$(DEPDIR)/child_create.Tpo" -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_create.Tpo" "$(DEPDIR)/child_create.Po"; else rm -f "$(DEPDIR)/child_create.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_create.c' object='child_create.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.obj `if test -f 'queues/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'queues/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_dpd_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.obj `if test -f 
'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi` -route_job.o: queues/jobs/route_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT route_job.o -MD -MP -MF "$(DEPDIR)/route_job.Tpo" -c -o route_job.o `test -f 'queues/jobs/route_job.c' || echo '$(srcdir)/'`queues/jobs/route_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/route_job.Tpo" "$(DEPDIR)/route_job.Po"; else rm -f "$(DEPDIR)/route_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/route_job.c' object='route_job.o' libtool=no @AMDEPBACKSLASH@ +child_delete.o: sa/tasks/child_delete.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.o -MD -MP -MF "$(DEPDIR)/child_delete.Tpo" -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_delete.Tpo" "$(DEPDIR)/child_delete.Po"; else rm -f "$(DEPDIR)/child_delete.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_delete.c' object='child_delete.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o route_job.o `test -f 'queues/jobs/route_job.c' || echo '$(srcdir)/'`queues/jobs/route_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c -route_job.obj: queues/jobs/route_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT route_job.obj -MD 
-MP -MF "$(DEPDIR)/route_job.Tpo" -c -o route_job.obj `if test -f 'queues/jobs/route_job.c'; then $(CYGPATH_W) 'queues/jobs/route_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/route_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/route_job.Tpo" "$(DEPDIR)/route_job.Po"; else rm -f "$(DEPDIR)/route_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/route_job.c' object='route_job.obj' libtool=no @AMDEPBACKSLASH@ +child_delete.obj: sa/tasks/child_delete.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.obj -MD -MP -MF "$(DEPDIR)/child_delete.Tpo" -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_delete.Tpo" "$(DEPDIR)/child_delete.Po"; else rm -f "$(DEPDIR)/child_delete.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_delete.c' object='child_delete.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o route_job.obj `if test -f 'queues/jobs/route_job.c'; then $(CYGPATH_W) 'queues/jobs/route_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/route_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi` -acquire_job.o: queues/jobs/acquire_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.o -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o 
acquire_job.o `test -f 'queues/jobs/acquire_job.c' || echo '$(srcdir)/'`queues/jobs/acquire_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/acquire_job.c' object='acquire_job.o' libtool=no @AMDEPBACKSLASH@ +child_rekey.o: sa/tasks/child_rekey.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.o -MD -MP -MF "$(DEPDIR)/child_rekey.Tpo" -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_rekey.Tpo" "$(DEPDIR)/child_rekey.Po"; else rm -f "$(DEPDIR)/child_rekey.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_rekey.c' object='child_rekey.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.o `test -f 'queues/jobs/acquire_job.c' || echo '$(srcdir)/'`queues/jobs/acquire_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c -acquire_job.obj: queues/jobs/acquire_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.obj -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o acquire_job.obj `if test -f 'queues/jobs/acquire_job.c'; then $(CYGPATH_W) 'queues/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/acquire_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; 
exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/acquire_job.c' object='acquire_job.obj' libtool=no @AMDEPBACKSLASH@ +child_rekey.obj: sa/tasks/child_rekey.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.obj -MD -MP -MF "$(DEPDIR)/child_rekey.Tpo" -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_rekey.Tpo" "$(DEPDIR)/child_rekey.Po"; else rm -f "$(DEPDIR)/child_rekey.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_rekey.c' object='child_rekey.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.obj `if test -f 'queues/jobs/acquire_job.c'; then $(CYGPATH_W) 'queues/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/acquire_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi` -rekey_ike_sa_job.o: queues/jobs/rekey_ike_sa_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.o -MD -MP -MF "$(DEPDIR)/rekey_ike_sa_job.Tpo" -c -o rekey_ike_sa_job.o `test -f 'queues/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_ike_sa_job.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_ike_sa_job.Tpo" "$(DEPDIR)/rekey_ike_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_ike_sa_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='queues/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@ +ike_auth.o: sa/tasks/ike_auth.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.o -MD -MP -MF "$(DEPDIR)/ike_auth.Tpo" -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_auth.Tpo" "$(DEPDIR)/ike_auth.Po"; else rm -f "$(DEPDIR)/ike_auth.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_auth.c' object='ike_auth.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.o `test -f 'queues/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_ike_sa_job.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c -rekey_ike_sa_job.obj: queues/jobs/rekey_ike_sa_job.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.obj -MD -MP -MF "$(DEPDIR)/rekey_ike_sa_job.Tpo" -c -o rekey_ike_sa_job.obj `if test -f 'queues/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_ike_sa_job.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_ike_sa_job.Tpo" "$(DEPDIR)/rekey_ike_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_ike_sa_job.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@ +ike_auth.obj: sa/tasks/ike_auth.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.obj -MD -MP -MF "$(DEPDIR)/ike_auth.Tpo" -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_auth.Tpo" "$(DEPDIR)/ike_auth.Po"; else rm -f "$(DEPDIR)/ike_auth.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_auth.c' object='ike_auth.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.obj `if test -f 'queues/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_ike_sa_job.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi` -job_queue.o: queues/job_queue.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.o -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.o `test -f 'queues/job_queue.c' || echo '$(srcdir)/'`queues/job_queue.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/job_queue.c' object='job_queue.o' libtool=no @AMDEPBACKSLASH@ +ike_cert.o: sa/tasks/ike_cert.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert.o -MD -MP -MF "$(DEPDIR)/ike_cert.Tpo" -c -o ike_cert.o `test -f 'sa/tasks/ike_cert.c' || echo 
'$(srcdir)/'`sa/tasks/ike_cert.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cert.Tpo" "$(DEPDIR)/ike_cert.Po"; else rm -f "$(DEPDIR)/ike_cert.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_cert.c' object='ike_cert.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.o `test -f 'queues/job_queue.c' || echo '$(srcdir)/'`queues/job_queue.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert.o `test -f 'sa/tasks/ike_cert.c' || echo '$(srcdir)/'`sa/tasks/ike_cert.c -job_queue.obj: queues/job_queue.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.obj -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.obj `if test -f 'queues/job_queue.c'; then $(CYGPATH_W) 'queues/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/job_queue.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/job_queue.c' object='job_queue.obj' libtool=no @AMDEPBACKSLASH@ +ike_cert.obj: sa/tasks/ike_cert.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert.obj -MD -MP -MF "$(DEPDIR)/ike_cert.Tpo" -c -o ike_cert.obj `if test -f 'sa/tasks/ike_cert.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cert.Tpo" "$(DEPDIR)/ike_cert.Po"; else rm -f "$(DEPDIR)/ike_cert.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_cert.c' object='ike_cert.obj' libtool=no 
@AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.obj `if test -f 'queues/job_queue.c'; then $(CYGPATH_W) 'queues/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/job_queue.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert.obj `if test -f 'sa/tasks/ike_cert.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert.c'; fi` -event_queue.o: queues/event_queue.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.o -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.o `test -f 'queues/event_queue.c' || echo '$(srcdir)/'`queues/event_queue.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/event_queue.c' object='event_queue.o' libtool=no @AMDEPBACKSLASH@ +ike_config.o: sa/tasks/ike_config.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.o -MD -MP -MF "$(DEPDIR)/ike_config.Tpo" -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_config.Tpo" "$(DEPDIR)/ike_config.Po"; else rm -f "$(DEPDIR)/ike_config.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_config.c' object='ike_config.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 
event_queue.o `test -f 'queues/event_queue.c' || echo '$(srcdir)/'`queues/event_queue.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c -event_queue.obj: queues/event_queue.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.obj -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.obj `if test -f 'queues/event_queue.c'; then $(CYGPATH_W) 'queues/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/event_queue.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/event_queue.c' object='event_queue.obj' libtool=no @AMDEPBACKSLASH@ +ike_config.obj: sa/tasks/ike_config.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.obj -MD -MP -MF "$(DEPDIR)/ike_config.Tpo" -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_config.Tpo" "$(DEPDIR)/ike_config.Po"; else rm -f "$(DEPDIR)/ike_config.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_config.c' object='ike_config.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.obj `if test -f 'queues/event_queue.c'; then $(CYGPATH_W) 'queues/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/event_queue.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi` -kernel_interface.o: threads/kernel_interface.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.o -MD -MP -MF "$(DEPDIR)/kernel_interface.Tpo" -c -o kernel_interface.o `test -f 'threads/kernel_interface.c' || echo '$(srcdir)/'`threads/kernel_interface.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/kernel_interface.Tpo" "$(DEPDIR)/kernel_interface.Po"; else rm -f "$(DEPDIR)/kernel_interface.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/kernel_interface.c' object='kernel_interface.o' libtool=no @AMDEPBACKSLASH@ +ike_delete.o: sa/tasks/ike_delete.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.o -MD -MP -MF "$(DEPDIR)/ike_delete.Tpo" -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_delete.Tpo" "$(DEPDIR)/ike_delete.Po"; else rm -f "$(DEPDIR)/ike_delete.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_delete.c' object='ike_delete.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.o `test -f 'threads/kernel_interface.c' || echo '$(srcdir)/'`threads/kernel_interface.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c -kernel_interface.obj: 
threads/kernel_interface.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.obj -MD -MP -MF "$(DEPDIR)/kernel_interface.Tpo" -c -o kernel_interface.obj `if test -f 'threads/kernel_interface.c'; then $(CYGPATH_W) 'threads/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/kernel_interface.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/kernel_interface.Tpo" "$(DEPDIR)/kernel_interface.Po"; else rm -f "$(DEPDIR)/kernel_interface.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/kernel_interface.c' object='kernel_interface.obj' libtool=no @AMDEPBACKSLASH@ +ike_delete.obj: sa/tasks/ike_delete.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.obj -MD -MP -MF "$(DEPDIR)/ike_delete.Tpo" -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_delete.Tpo" "$(DEPDIR)/ike_delete.Po"; else rm -f "$(DEPDIR)/ike_delete.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_delete.c' object='ike_delete.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.obj `if test -f 'threads/kernel_interface.c'; then $(CYGPATH_W) 'threads/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/kernel_interface.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi` 
-thread_pool.o: threads/thread_pool.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.o -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.o `test -f 'threads/thread_pool.c' || echo '$(srcdir)/'`threads/thread_pool.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/thread_pool.c' object='thread_pool.o' libtool=no @AMDEPBACKSLASH@ +ike_dpd.o: sa/tasks/ike_dpd.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.o -MD -MP -MF "$(DEPDIR)/ike_dpd.Tpo" -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_dpd.Tpo" "$(DEPDIR)/ike_dpd.Po"; else rm -f "$(DEPDIR)/ike_dpd.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_dpd.c' object='ike_dpd.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.o `test -f 'threads/thread_pool.c' || echo '$(srcdir)/'`threads/thread_pool.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c -thread_pool.obj: threads/thread_pool.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.obj -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.obj `if test -f 'threads/thread_pool.c'; then $(CYGPATH_W) 'threads/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/threads/thread_pool.c'; fi`; \ 
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/thread_pool.c' object='thread_pool.obj' libtool=no @AMDEPBACKSLASH@ +ike_dpd.obj: sa/tasks/ike_dpd.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.obj -MD -MP -MF "$(DEPDIR)/ike_dpd.Tpo" -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_dpd.Tpo" "$(DEPDIR)/ike_dpd.Po"; else rm -f "$(DEPDIR)/ike_dpd.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_dpd.c' object='ike_dpd.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.obj `if test -f 'threads/thread_pool.c'; then $(CYGPATH_W) 'threads/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/threads/thread_pool.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi` -scheduler.o: threads/scheduler.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.o -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.o `test -f 'threads/scheduler.c' || echo '$(srcdir)/'`threads/scheduler.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/scheduler.c' 
object='scheduler.o' libtool=no @AMDEPBACKSLASH@ +ike_init.o: sa/tasks/ike_init.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.o -MD -MP -MF "$(DEPDIR)/ike_init.Tpo" -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_init.Tpo" "$(DEPDIR)/ike_init.Po"; else rm -f "$(DEPDIR)/ike_init.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_init.c' object='ike_init.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.o `test -f 'threads/scheduler.c' || echo '$(srcdir)/'`threads/scheduler.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c -scheduler.obj: threads/scheduler.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.obj -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.obj `if test -f 'threads/scheduler.c'; then $(CYGPATH_W) 'threads/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/threads/scheduler.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/scheduler.c' object='scheduler.obj' libtool=no @AMDEPBACKSLASH@ +ike_init.obj: sa/tasks/ike_init.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.obj -MD -MP -MF "$(DEPDIR)/ike_init.Tpo" -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 
'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_init.Tpo" "$(DEPDIR)/ike_init.Po"; else rm -f "$(DEPDIR)/ike_init.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_init.c' object='ike_init.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.obj `if test -f 'threads/scheduler.c'; then $(CYGPATH_W) 'threads/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/threads/scheduler.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi` -sender.o: threads/sender.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.o -MD -MP -MF "$(DEPDIR)/sender.Tpo" -c -o sender.o `test -f 'threads/sender.c' || echo '$(srcdir)/'`threads/sender.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sender.Tpo" "$(DEPDIR)/sender.Po"; else rm -f "$(DEPDIR)/sender.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/sender.c' object='sender.o' libtool=no @AMDEPBACKSLASH@ +ike_natd.o: sa/tasks/ike_natd.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.o -MD -MP -MF "$(DEPDIR)/ike_natd.Tpo" -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_natd.Tpo" "$(DEPDIR)/ike_natd.Po"; else rm -f "$(DEPDIR)/ike_natd.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_natd.c' object='ike_natd.o' libtool=no 
@AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.o `test -f 'threads/sender.c' || echo '$(srcdir)/'`threads/sender.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c -sender.obj: threads/sender.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.obj -MD -MP -MF "$(DEPDIR)/sender.Tpo" -c -o sender.obj `if test -f 'threads/sender.c'; then $(CYGPATH_W) 'threads/sender.c'; else $(CYGPATH_W) '$(srcdir)/threads/sender.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sender.Tpo" "$(DEPDIR)/sender.Po"; else rm -f "$(DEPDIR)/sender.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/sender.c' object='sender.obj' libtool=no @AMDEPBACKSLASH@ +ike_natd.obj: sa/tasks/ike_natd.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.obj -MD -MP -MF "$(DEPDIR)/ike_natd.Tpo" -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_natd.Tpo" "$(DEPDIR)/ike_natd.Po"; else rm -f "$(DEPDIR)/ike_natd.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_natd.c' object='ike_natd.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.obj `if test -f 'threads/sender.c'; then $(CYGPATH_W) 'threads/sender.c'; 
else $(CYGPATH_W) '$(srcdir)/threads/sender.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi` -receiver.o: threads/receiver.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.o -MD -MP -MF "$(DEPDIR)/receiver.Tpo" -c -o receiver.o `test -f 'threads/receiver.c' || echo '$(srcdir)/'`threads/receiver.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/receiver.Tpo" "$(DEPDIR)/receiver.Po"; else rm -f "$(DEPDIR)/receiver.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/receiver.c' object='receiver.o' libtool=no @AMDEPBACKSLASH@ +ike_rekey.o: sa/tasks/ike_rekey.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.o -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_rekey.c' object='ike_rekey.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.o `test -f 'threads/receiver.c' || echo '$(srcdir)/'`threads/receiver.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c -receiver.obj: threads/receiver.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.obj -MD -MP -MF "$(DEPDIR)/receiver.Tpo" -c -o receiver.obj `if test -f 'threads/receiver.c'; then $(CYGPATH_W) 'threads/receiver.c'; else $(CYGPATH_W) '$(srcdir)/threads/receiver.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/receiver.Tpo" "$(DEPDIR)/receiver.Po"; else rm -f "$(DEPDIR)/receiver.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/receiver.c' object='receiver.obj' libtool=no @AMDEPBACKSLASH@ +ike_rekey.obj: sa/tasks/ike_rekey.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.obj -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_rekey.c' object='ike_rekey.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.obj `if test -f 'threads/receiver.c'; then $(CYGPATH_W) 'threads/receiver.c'; else $(CYGPATH_W) '$(srcdir)/threads/receiver.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi` -stroke_interface.o: threads/stroke_interface.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stroke_interface.o -MD -MP -MF 
"$(DEPDIR)/stroke_interface.Tpo" -c -o stroke_interface.o `test -f 'threads/stroke_interface.c' || echo '$(srcdir)/'`threads/stroke_interface.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/stroke_interface.Tpo" "$(DEPDIR)/stroke_interface.Po"; else rm -f "$(DEPDIR)/stroke_interface.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/stroke_interface.c' object='stroke_interface.o' libtool=no @AMDEPBACKSLASH@ +task.o: sa/tasks/task.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.o -MD -MP -MF "$(DEPDIR)/task.Tpo" -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/task.c' object='task.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stroke_interface.o `test -f 'threads/stroke_interface.c' || echo '$(srcdir)/'`threads/stroke_interface.c +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c -stroke_interface.obj: threads/stroke_interface.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stroke_interface.obj -MD -MP -MF "$(DEPDIR)/stroke_interface.Tpo" -c -o stroke_interface.obj `if test -f 'threads/stroke_interface.c'; then $(CYGPATH_W) 'threads/stroke_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/stroke_interface.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/stroke_interface.Tpo" "$(DEPDIR)/stroke_interface.Po"; else rm -f 
"$(DEPDIR)/stroke_interface.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/stroke_interface.c' object='stroke_interface.obj' libtool=no @AMDEPBACKSLASH@ +task.obj: sa/tasks/task.c +@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.obj -MD -MP -MF "$(DEPDIR)/task.Tpo" -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/task.c' object='task.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stroke_interface.obj `if test -f 'threads/stroke_interface.c'; then $(CYGPATH_W) 'threads/stroke_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/stroke_interface.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi` mostlyclean-libtool: -rm -f *.lo @@ -1780,7 +1909,7 @@ check-am: all-am check: check-am all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) installdirs: - for dir in "$(DESTDIR)$(eapdir)" "$(DESTDIR)$(ipsecdir)"; do \ + for dir in "$(DESTDIR)$(backenddir)" "$(DESTDIR)$(eapdir)" "$(DESTDIR)$(interfacedir)" "$(DESTDIR)$(ipsecdir)"; do \ test -z "$$dir" || $(mkdir_p) "$$dir"; \ done install: install-am 
@@ -1809,8 +1938,9 @@ maintainer-clean-generic: @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-eapLTLIBRARIES clean-generic clean-ipsecPROGRAMS \ - clean-libtool mostlyclean-am +clean-am: clean-backendLTLIBRARIES clean-eapLTLIBRARIES clean-generic \ + clean-interfaceLTLIBRARIES clean-ipsecPROGRAMS clean-libtool \ + mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) @@ -1828,7 +1958,8 @@ info: info-am info-am: -install-data-am: install-eapLTLIBRARIES install-ipsecPROGRAMS +install-data-am: install-backendLTLIBRARIES install-eapLTLIBRARIES \ + install-interfaceLTLIBRARIES install-ipsecPROGRAMS install-exec-am: 
@@ -1856,22 +1987,26 @@ ps: ps-am ps-am: -uninstall-am: uninstall-eapLTLIBRARIES uninstall-info-am \ +uninstall-am: uninstall-backendLTLIBRARIES uninstall-eapLTLIBRARIES \ + uninstall-info-am uninstall-interfaceLTLIBRARIES \ uninstall-ipsecPROGRAMS .PHONY: CTAGS GTAGS all all-am check check-am clean \ - clean-eapLTLIBRARIES clean-generic clean-ipsecPROGRAMS \ - clean-libtool ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-eapLTLIBRARIES \ - install-exec install-exec-am install-info install-info-am \ + clean-backendLTLIBRARIES clean-eapLTLIBRARIES clean-generic \ + clean-interfaceLTLIBRARIES clean-ipsecPROGRAMS clean-libtool \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am \ + install-backendLTLIBRARIES install-data install-data-am \ + install-eapLTLIBRARIES install-exec install-exec-am \ + install-info install-info-am install-interfaceLTLIBRARIES \ install-ipsecPROGRAMS install-man install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-eapLTLIBRARIES \ - uninstall-info-am uninstall-ipsecPROGRAMS + tags uninstall uninstall-am uninstall-backendLTLIBRARIES \ + uninstall-eapLTLIBRARIES uninstall-info-am \ + uninstall-interfaceLTLIBRARIES uninstall-ipsecPROGRAMS # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c index 740663d5c..5f46cd29e 100644 --- a/src/charon/bus/bus.c +++ b/src/charon/bus/bus.c 
@@ -184,6 +184,28 @@ static void add_listener(private_bus_t *this, bus_listener_t *listener) pthread_mutex_unlock(&this->mutex); } +/** + * Implementation of bus_t.remove_listener. + */ +static void remove_listener(private_bus_t *this, bus_listener_t *listener) +{ + iterator_t *iterator; + bus_listener_t *current; + + pthread_mutex_lock(&this->mutex); + iterator = this->listeners->create_iterator(this->listeners, TRUE); + while (iterator->iterate(iterator, (void**)¤t)) + { + if (current == listener) + { + iterator->remove(iterator); + break; + } + } + iterator->destroy(iterator); + pthread_mutex_unlock(&this->mutex); +} + /** * Get the listener object for the calling thread */ @@ -216,6 +238,32 @@ static active_listener_t *get_active_listener(private_bus_t *this) return found; } +typedef struct cancel_info_t cancel_info_t; + +/** + * cancellation info to cancel a listening operation cleanly + */ +struct cancel_info_t { + /** + * mutex to unlock on cancellation + */ + pthread_mutex_t *mutex; + + /** + * listener to unregister + */ + active_listener_t *listener; +}; + +/** + * disable a listener to cleanly clean up + */ +static void unregister(cancel_info_t *info) +{ + info->listener->state = UNREGISTERED; + pthread_mutex_unlock(info->mutex); +} + /** * Implementation of bus_t.listen. */ 
@@ -223,14 +271,24 @@ static signal_t listen_(private_bus_t *this, level_t *level, int *thread, ike_sa_t **ike_sa, char** format, va_list* args) { active_listener_t *listener; + int oldstate; + cancel_info_t info; pthread_mutex_lock(&this->mutex); listener = get_active_listener(this); /* go "listening", say hello to a thread which have a signal for us */ listener->state = LISTENING; pthread_cond_broadcast(&listener->cond); - /* wait until it has us delivered a signal, and go back to "registered" */ + /* wait until it has us delivered a signal, and go back to "registered". + * we allow cancellation here, but must cleanly disable the listener. */ + info.mutex = &this->mutex; + info.listener = listener; + pthread_cleanup_push((void*)unregister, &info); + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); pthread_cond_wait(&listener->cond, &this->mutex); + pthread_setcancelstate(oldstate, NULL); + pthread_cleanup_pop(0); + pthread_mutex_unlock(&this->mutex); /* return signal values */ @@ -299,7 +357,6 @@ static void vsignal(private_bus_t *this, signal_t signal, level_t level, while (iterator->iterate(iterator, (void**)&listener)) { va_list args_copy; - va_copy(args_copy, args); if (!listener->signal(listener, signal, level, thread, ike_sa, format, args_copy)) @@ -315,8 +372,11 @@ static void vsignal(private_bus_t *this, signal_t signal, level_t level, iterator = this->active_listeners->create_iterator(this->active_listeners, TRUE); while (iterator->iterate(iterator, (void**)&active_listener)) { - /* wait until it is back */ - while (active_listener->state == REGISTERED) + /* wait until all threads are registered. But if the thread raising + * the signal is the same as the one that listens, we skip it. + * Otherwise we would deadlock. */ + while (active_listener->id != pthread_self() && + active_listener->state == REGISTERED) { pthread_cond_wait(&active_listener->cond, &this->mutex); } 
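Review bot: Dropping `va_copy(args_copy, args);` in the `@@ -299` hunk leaves `args_copy` uninitialised at the point where the following context line hands it to `listener->signal(...)`, which is undefined behaviour and on most ABIs will crash or print garbage the first time a listener formats the message. Unless the copy is re-established somewhere outside this hunk, the line should stay, and each iteration should finish with `va_end(args_copy);` after the call since every listener consumes its own copy. vsignal's body starts and ends outside the hunk.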
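Review bot: `active_listener->id != pthread_self()` in the `@@ -315` hunk compares `pthread_t` values with `!=`; POSIX only guarantees `pthread_equal()` for that, and `pthread_t` is a struct on some platforms. Suggest `while (!pthread_equal(active_listener->id, pthread_self()) && active_listener->state == REGISTERED)` here and in the identical loop in the `@@ -339` hunk, ideally with `pthread_self()` hoisted into a local above the loops so it is not re-evaluated on every wakeup. vsignal's body continues outside both hunks.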
@@ -339,7 +399,9 @@ static void vsignal(private_bus_t *this, signal_t signal, level_t level, iterator->reset(iterator); while (iterator->iterate(iterator, (void**)&active_listener)) { - while (active_listener->state == REGISTERED) + /* do not wait for ourself, it won't happen (see above) */ + while (active_listener->id != pthread_self() && + active_listener->state == REGISTERED) { pthread_cond_wait(&active_listener->cond, &this->mutex); } @@ -380,6 +442,7 @@ bus_t *bus_create() private_bus_t *this = malloc_thing(private_bus_t); this->public.add_listener = (void(*)(bus_t*,bus_listener_t*))add_listener; + this->public.remove_listener = (void(*)(bus_t*,bus_listener_t*))remove_listener; this->public.listen = (signal_t(*)(bus_t*,level_t*,int*,ike_sa_t**,char**,va_list*))listen_; this->public.set_listen_state = (void(*)(bus_t*,bool))set_listen_state; this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa; diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h index 200525fb7..4b46c7e82 100644 --- a/src/charon/bus/bus.h +++ b/src/charon/bus/bus.h @@ -265,6 +265,14 @@ struct bus_t { */ void (*add_listener) (bus_t *this, bus_listener_t *listener); + /** + * @brief Unregister a listener from the bus. + * + * @param this bus + * @param listener listener to unregister. + */ + void (*remove_listener) (bus_t *this, bus_listener_t *listener); + /** * @brief Listen actively on the bus. * @@ -275,6 +283,9 @@ struct bus_t { * it processes a signal, registration is required. This is done through * the set_listen_state() method, see below. * + * The listen() function is (has) a thread cancellation point, so might + * want to register cleanup handlers. + * * @param this bus * @param level verbosity level of the signal * @param thread receives thread number emitted the signal diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c new file mode 100644 index 000000000..6df68c700 --- /dev/null +++ b/src/charon/config/backend_manager.c 
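Review bot: The new paragraph in bus.h's `@@ -275` hunk, `The listen() function is (has) a thread cancellation point, so might want to register cleanup handlers.`, reads like a draft and does not say who has to do what. Suggest `listen() is a thread cancellation point: a caller that holds locks or other resources across the call must register a cleanup handler (pthread_cleanup_push) to release them if the thread is cancelled while waiting.` The bus restores its own listener state through the handler it pushes in listen_(), so the caller's handler only needs to cover the caller's resources.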
@@ -0,0 +1,229 @@ +/** + * @file backend_manager.c + * + * @brief Implementation of backend_manager_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "backend_manager.h" + +#include +#include +#include +#include + +#include +#include +#include + + +typedef struct private_backend_manager_t private_backend_manager_t; + +/** + * Private data of an backend_manager_t object. + */ +struct private_backend_manager_t { + + /** + * Public part of backend_manager_t object. + */ + backend_manager_t public; + + /** + * list of registered backends + */ + linked_list_t *backends; + + /** + * Additional list of writable backends. + */ + linked_list_t *writeable; + + /** + * List of dlopen() handles we used to open backends + */ + linked_list_t *handles; +}; + +/** + * implements backend_manager_t.get_ike_cfg. + */ +static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, + host_t *my_host, host_t *other_host) +{ + backend_t *backend; + ike_cfg_t *config = NULL; + iterator_t *iterator = this->backends->create_iterator(this->backends, TRUE); + while (config == NULL && iterator->iterate(iterator, (void**)&backend)) + { + config = backend->get_ike_cfg(backend, my_host, other_host); + } + iterator->destroy(iterator); + return config; +} + +/** + * implements backend_manager_t.get_peer_cfg. 
+ */ +static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, + identification_t *my_id, identification_t *other_id, + ca_info_t *other_ca_info) +{ + backend_t *backend; + peer_cfg_t *config = NULL; + iterator_t *iterator = this->backends->create_iterator(this->backends, TRUE); + while (config == NULL && iterator->iterate(iterator, (void**)&backend)) + { + config = backend->get_peer_cfg(backend, my_id, other_id, other_ca_info); + } + iterator->destroy(iterator); + return config; +} + +/** + * implements backend_manager_t.add_peer_cfg. + */ +static void add_peer_cfg(private_backend_manager_t *this, peer_cfg_t *config) +{ + writeable_backend_t *backend; + + if (this->writeable->get_first(this->writeable, (void**)&backend) == SUCCESS) + { + backend->add_cfg(backend, config); + } +} + +/** + * implements backend_manager_t.create_iterator. + */ +static iterator_t* create_iterator(private_backend_manager_t *this) +{ + writeable_backend_t *backend; + + if (this->writeable->get_first(this->writeable, (void**)&backend) == SUCCESS) + { + return backend->create_iterator(backend); + } + /* give out an empty iterator if we have no writable backend*/ + return this->writeable->create_iterator(this->writeable, TRUE); +} + +/** + * load the configuration backend modules + */ +static void load_backends(private_backend_manager_t *this) +{ + struct dirent* entry; + DIR* dir; + + dir = opendir(IPSEC_BACKENDDIR); + if (dir == NULL) + { + DBG1(DBG_CFG, "error opening backend modules directory "IPSEC_BACKENDDIR); + return; + } + + DBG1(DBG_CFG, "loading backend modules from '"IPSEC_BACKENDDIR"'"); + + while ((entry = readdir(dir)) != NULL) + { + char file[256]; + backend_t *backend; + backend_constructor_t constructor; + void *handle; + char *ending; + + snprintf(file, sizeof(file), IPSEC_BACKENDDIR"/%s", entry->d_name); + + ending = entry->d_name + strlen(entry->d_name) - 3; + if (ending <= entry->d_name || !streq(ending, ".so")) + { + /* skip anything which does not look like a 
library */ + DBG2(DBG_CFG, " skipping %s, doesn't look like a library", + entry->d_name); + continue; + } + /* try to load the library */ + handle = dlopen(file, RTLD_LAZY); + if (handle == NULL) + { + DBG1(DBG_CFG, " opening backend module %s failed: %s", + entry->d_name, dlerror()); + continue; + } + constructor = dlsym(handle, "backend_create"); + if (constructor == NULL) + { + DBG1(DBG_CFG, " backend module %s has no backend_create() " + "function, skipped", entry->d_name); + dlclose(handle); + continue; + } + + backend = constructor(); + if (backend == NULL) + { + DBG1(DBG_CFG, " unable to create instance of backend " + "module %s, skipped", entry->d_name); + dlclose(handle); + continue; + } + DBG1(DBG_CFG, " loaded backend module successfully from %s", entry->d_name); + this->backends->insert_last(this->backends, backend); + if (backend->is_writeable(backend)) + { + this->writeable->insert_last(this->writeable, backend); + } + this->handles->insert_last(this->handles, handle); + } + closedir(dir); +} + +/** + * Implementation of backend_manager_t.destroy. 
+ */ +static void destroy(private_backend_manager_t *this) +{ + this->backends->destroy_offset(this->backends, offsetof(backend_t, destroy)); + this->writeable->destroy(this->writeable); + this->handles->destroy_function(this->handles, (void*)dlclose); + free(this); +} + +/* + * Described in header-file + */ +backend_manager_t *backend_manager_create() +{ + private_backend_manager_t *this = malloc_thing(private_backend_manager_t); + + this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg; + this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,identification_t*,identification_t*,ca_info_t*))get_peer_cfg; + this->public.add_peer_cfg = (void (*)(backend_manager_t*,peer_cfg_t*))add_peer_cfg; + this->public.create_iterator = (iterator_t* (*)(backend_manager_t*))create_iterator; + this->public.destroy = (void (*)(backend_manager_t*))destroy; + + this->backends = linked_list_create(); + this->writeable = linked_list_create(); + this->handles = linked_list_create(); + + load_backends(this); + + return &this->public; +} + diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h new file mode 100644 index 000000000..22a19a218 --- /dev/null +++ b/src/charon/config/backend_manager.h 
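Review bot: In `load_backends`, `ending = entry->d_name + strlen(entry->d_name) - 3;` forms a pointer before the start of `d_name` for names shorter than three characters (`.` and `..` are always returned), which is undefined behaviour even though the following `ending <= entry->d_name` test rejects it; compute the length first and test it before subtracting. The `snprintf` into `file[256]` is not checked for truncation, so a long `d_name` combined with `IPSEC_BACKENDDIR` would silently `dlopen` a mangled path; compare the return value with `sizeof(file)` and skip the entry. Because every `.so` found in the directory is loaded into the daemon and its `backend_create()` executed, the directory's ownership and permissions are part of the daemon's trust boundary, and a comment stating that requirement (optionally backed by a `stat()` that refuses a group- or world-writable directory) would make it explicit.
```c
	while ((entry = readdir(dir)) != NULL)
	{
		char file[256];
		size_t len = strlen(entry->d_name);
		int n;
		/* … unchanged: backend, constructor, handle declarations … */

		/* ".so" needs at least one character of name in front of it */
		if (len <= 3 || !streq(entry->d_name + len - 3, ".so"))
		{
			/* skip anything which does not look like a library */
			DBG2(DBG_CFG, "  skipping %s, doesn't look like a library",
				 entry->d_name);
			continue;
		}
		n = snprintf(file, sizeof(file), IPSEC_BACKENDDIR"/%s", entry->d_name);
		if (n < 0 || (size_t)n >= sizeof(file))
		{
			DBG1(DBG_CFG, "  skipping %s, path too long", entry->d_name);
			continue;
		}
		/* … unchanged: dlopen/dlsym/constructor handling … */
```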
@@ -0,0 +1,124 @@ +/** + * @file backend_manager.h + * + * @brief Interface backend_manager_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef BACKEND_MANAGER_H_ +#define BACKEND_MANAGER_H_ + +typedef struct backend_manager_t backend_manager_t; + +#include +#include +#include +#include +#include +#include + + +/** + * @brief A loader and multiplexer to use multiple backends. + * + * Charon allows the use of multiple configuration backends simultaneously. To + * access all this backends by a single call, this class wraps multiple + * backends behind a single object. It is also responsible for loading + * the backend modules and cleaning them up. + * A backend may be writeable or not. All backends implement the backend_t + * interface, those who are writeable additionally implement the + * writeable_backend_t interface. Adding configs to the backend_manager will + * be redirected to the first writeable backend. + * @verbatim + + +---------+ +-----------+ +--------------+ | + | | | | +--------------+ | | + | daemon |----->| backend_- | +--------------+ |-+ <==|==> IPC + | core | | manager |---->| backends |-+ | + | |----->| | +--------------+ | + | | | | | + +---------+ +-----------+ | + + @endverbatim + * + * @b Constructors: + * - backend_manager_create() + * + * @ingroup config + */ +struct backend_manager_t { + + /** + * @brief Get an ike_config identified by two hosts. 
+ * + * @param this calling object + * @param my_host address of own host + * @param other_host address of remote host + * @return matching ike_config, or NULL if none found + */ + ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this, + host_t *my_host, host_t *other_host); + + /** + * @brief Get a peer_config identified by two IDs and the peer's certificate issuer + * + * @param this calling object + * @param my_id own ID + * @param other_id peer ID + * @param other_ca_info info record on issuer of peer certificate + * @return matching peer_config, or NULL if none found + */ + peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, + identification_t *my_id, identification_t *other_id, + ca_info_t *other_ca_info); + + /** + * @brief Add a peer_config to the first found writable backend. + * + * @param this calling object + * @param config peer_config to add to the backend + */ + void (*add_peer_cfg)(backend_manager_t *this, peer_cfg_t *config); + + /** + * @brief Create an iterator over all peer configs of the writable backend. + * + * @param this calling object + * @return iterator over peer configs + */ + iterator_t* (*create_iterator)(backend_manager_t *this); + + /** + * @brief Destroys a backend_manager_t object. + * + * @param this calling object + */ + void (*destroy) (backend_manager_t *this); +}; + +/** + * @brief Creates a new instance of the manager and loads all backends. + * + * @return backend_manager instance + * + * @ingroup config + */ +backend_manager_t* backend_manager_create(void); + +#endif /*BACKEND_MANAGER_H_*/ + diff --git a/src/charon/config/backends/backend.h b/src/charon/config/backends/backend.h new file mode 100644 index 000000000..acab660b6 --- /dev/null +++ b/src/charon/config/backends/backend.h 
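Review bot: The `@return` lines for `get_ike_cfg` and `get_peer_cfg` do not say whether the caller receives an owned reference; the local backend calls `found->get_ref(found)` before handing a config back, so the caller is evidently expected to release it, and that contract belongs in this header. Suggest `@return matching ike_config (caller holds a reference and must release it), or NULL if none found`, and the same wording for peer_cfg here and on backend.h's get_ike_cfg/get_peer_cfg, so every backend implementation follows one rule. Which call releases the reference (presumably destroy()) should be confirmed against ike_cfg.h/peer_cfg.h, which are outside this view.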
@@ -0,0 +1,96 @@ +/** + * @file backend.h + * + * @brief Interface backend_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef BACKEND_H_ +#define BACKEND_H_ + +typedef struct backend_t backend_t; + +#include +#include +#include +#include + +/** + * @brief The interface for a configuration backend. + * + * A configuration backend is loaded by the backend_manager. It does the actual + * configuration lookup for the method it implements. See backend_manager_t for + * more information. + * + * @b Constructors: + * - implementations constructors + * + * @ingroup backends + */ +struct backend_t { + + /** + * @brief Get an ike_cfg identified by two hosts. + * + * @param this calling object + * @param my_host address of own host + * @param other_host address of remote host + * @return matching ike_config, or NULL if none found + */ + ike_cfg_t *(*get_ike_cfg)(backend_t *this, + host_t *my_host, host_t *other_host); + + /** + * @brief Get a peer_cfg identified by two IDs. 
+ * + * Select a config based on the two IDs and the other's certificate issuer + * + * @param this calling object + * @param my_id own ID + * @param other_id peer ID + * @param other_ca_info info record on issuer of peer certificate + * @return matching peer_config, or NULL if none found + */ + peer_cfg_t *(*get_peer_cfg)(backend_t *this, + identification_t *my_id, identification_t *other_id, + ca_info_t *other_ca_info); + + /** + * @brief Check if a backend is writable and implements writable_backend_t. + * + * @param this calling object + * @return TRUE if backend implements writable_backend_t. + */ + bool (*is_writeable)(backend_t *this); + + /** + * @brief Destroy a backend. + * + * @param this calling object + */ + void (*destroy)(backend_t *this); +}; + + +/** + * Construction to create a backend. + */ +typedef backend_t*(*backend_constructor_t)(void); + +#endif /* BACKEND_H_ */ + diff --git a/src/charon/config/backends/local_backend.c b/src/charon/config/backends/local_backend.c new file mode 100644 index 000000000..2e80cc870 --- /dev/null +++ b/src/charon/config/backends/local_backend.c 
@@ -0,0 +1,274 @@ +/** + * @file local_backend.c + * + * @brief Implementation of local_backend_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include "local_backend.h" + +#include +#include +#include + + +typedef struct private_local_backend_t private_local_backend_t; + +/** + * Private data of an local_backend_t object + */ +struct private_local_backend_t { + + /** + * Public part + */ + local_backend_t public; + + /** + * list of configs + */ + linked_list_t *cfgs; + + /** + * Mutex to exclusivly access list + */ + pthread_mutex_t mutex; +}; + +/** + * implements backen_t.get_ike_cfg. 
+ */ +static ike_cfg_t *get_ike_cfg(private_local_backend_t *this, + host_t *my_host, host_t *other_host) +{ + peer_cfg_t *peer; + ike_cfg_t *current, *found = NULL; + iterator_t *iterator; + host_t *my_candidate, *other_candidate; + enum { + MATCH_NONE = 0x00, + MATCH_ANY = 0x01, + MATCH_ME = 0x04, + MATCH_OTHER = 0x08, + } prio, best = MATCH_ANY; + + DBG2(DBG_CFG, "looking for a config for %H...%H", + my_host, other_host); + + iterator = this->cfgs->create_iterator_locked(this->cfgs, &this->mutex); + while (iterator->iterate(iterator, (void**)&peer)) + { + prio = MATCH_NONE; + current = peer->get_ike_cfg(peer); + my_candidate = current->get_my_host(current); + other_candidate = current->get_other_host(current); + + if (my_candidate->ip_equals(my_candidate, my_host)) + { + prio += MATCH_ME; + } + else if (my_candidate->is_anyaddr(my_candidate)) + { + prio += MATCH_ANY; + } + + if (other_candidate->ip_equals(other_candidate, other_host)) + { + prio += MATCH_OTHER; + } + else if (other_candidate->is_anyaddr(other_candidate)) + { + prio += MATCH_ANY; + } + + DBG2(DBG_CFG, " candidate '%s': %H...%H, prio %d", + peer->get_name(peer), my_candidate, other_candidate, prio); + + /* we require at least two MATCH_ANY */ + if (prio > best) + { + best = prio; + found = current; + } + } + if (found) + { + found->get_ref(found); + } + iterator->destroy(iterator); + return found; +} + +#define PRIO_NO_MATCH_FOUND 256 + +/** + * implements backend_t.get_peer. 
+ */ +static peer_cfg_t *get_peer_cfg(private_local_backend_t *this, + identification_t *my_id, identification_t *other_id, + ca_info_t *other_ca_info) +{ + peer_cfg_t *current, *found = NULL; + iterator_t *iterator; + identification_t *my_candidate, *other_candidate; + int best = PRIO_NO_MATCH_FOUND; + + DBG2(DBG_CFG, "looking for a config for %D...%D", my_id, other_id); + + iterator = this->cfgs->create_iterator_locked(this->cfgs, &this->mutex); + while (iterator->iterate(iterator, (void**)¤t)) + { + int wc1, wc2; + + my_candidate = current->get_my_id(current); + other_candidate = current->get_other_id(current); + + if (my_candidate->matches(my_candidate, my_id, &wc1) + && other_id->matches(other_id, other_candidate, &wc2)) + { + int prio = (wc1 + wc2) * (MAX_CA_PATH_LEN + 1); + int pathlen = 0; + identification_t *other_candidate_ca = current->get_other_ca(current); + + /* are there any ca constraints? */ + if (other_candidate_ca->get_type(other_candidate_ca) != ID_ANY) + { + ca_info_t *ca_info = other_ca_info; + + for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++) + { + if (ca_info == NULL) + { + prio = PRIO_NO_MATCH_FOUND; + break; + } + else + { + x509_t *cacert = ca_info->get_certificate(ca_info); + identification_t *other_ca = cacert->get_subject(cacert); + + if (other_candidate_ca->equals(other_candidate_ca, other_ca)) + { + /* found a ca match */ + break; + } + if (cacert->is_self_signed(cacert)) + { + /* reached the root ca without a match */ + prio = PRIO_NO_MATCH_FOUND; + break; + } + /* move a level upward in the trust path hierarchy */ + ca_info = charon->credentials->get_issuer(charon->credentials, cacert); + } + } + if (pathlen == MAX_CA_PATH_LEN) + { + DBG1(DBG_CFG, "maximum ca path length of %d levels reached", MAX_CA_PATH_LEN); + prio = PRIO_NO_MATCH_FOUND; + } + } + if (prio == PRIO_NO_MATCH_FOUND) + { + DBG2(DBG_CFG, " candidate '%s': %D...%D, no ca match", + current->get_name(current), my_candidate, other_candidate); + } + else + { + 
prio += pathlen; + DBG2(DBG_CFG, " candidate '%s': %D...%D, prio %d", + current->get_name(current), my_candidate, other_candidate, prio); + + if (prio < best) + { + found = current; + best = prio; + } + } + } + } + if (found) + { + DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d", + found->get_name(found), + found->get_my_id(found), + found->get_other_id(found), + best); + found->get_ref(found); + } + iterator->destroy(iterator); + return found; +} + +/** + * Implementation of backend_t.is_writable. + */ +static bool is_writeable(private_local_backend_t *this) +{ + return TRUE; +} + +/** + * Implementation of writable_backend_t.create_iterator. + */ +static iterator_t* create_iterator(private_local_backend_t *this) +{ + return this->cfgs->create_iterator_locked(this->cfgs, &this->mutex); +} + +/** + * Implementation of writable_backend_t.add_peer_cfg. + */ +static void add_cfg(private_local_backend_t *this, peer_cfg_t *config) +{ + pthread_mutex_lock(&this->mutex); + this->cfgs->insert_last(this->cfgs, config); + pthread_mutex_unlock(&this->mutex); +} + +/** + * Implementation of backend_t.destroy. + */ +static void destroy(private_local_backend_t *this) +{ + this->cfgs->destroy_offset(this->cfgs, offsetof(peer_cfg_t, destroy)); + free(this); +} + +/** + * Described in header. 
+ */ +backend_t *backend_create(void) +{ + private_local_backend_t *this = malloc_thing(private_local_backend_t); + + this->public.backend.backend.get_ike_cfg = (ike_cfg_t* (*)(backend_t*, host_t*, host_t*))get_ike_cfg; + this->public.backend.backend.get_peer_cfg = (peer_cfg_t* (*)(backend_t*,identification_t*,identification_t*,ca_info_t*))get_peer_cfg; + this->public.backend.backend.is_writeable = (bool(*) (backend_t*))is_writeable; + this->public.backend.backend.destroy = (void (*)(backend_t*))destroy; + this->public.backend.create_iterator = (iterator_t* (*)(writeable_backend_t*))create_iterator; + this->public.backend.add_cfg = (void (*)(writeable_backend_t*,peer_cfg_t*))add_cfg; + + /* private variables */ + this->cfgs = linked_list_create(); + pthread_mutex_init(&this->mutex, NULL); + + return &this->public.backend.backend; +} diff --git a/src/charon/config/backends/local_backend.h b/src/charon/config/backends/local_backend.h new file mode 100644 index 000000000..b33c6443b --- /dev/null +++ b/src/charon/config/backends/local_backend.h 
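Review bot: `destroy` frees the object without calling `pthread_mutex_destroy(&this->mutex)` even though `backend_create` initialises it with `pthread_mutex_init`; add `pthread_mutex_destroy(&this->mutex);` before `free(this);`. In `get_peer_cfg` the two ID checks are deliberately asymmetric — `my_candidate->matches(my_candidate, my_id, &wc1)` treats the configured ID as the concrete side, while `other_id->matches(other_id, other_candidate, &wc2)` treats the peer's ID as concrete — which looks intentional (presumably our own ID may still be unspecified at lookup time, to be confirmed) but needs a comment such as `/* my_id may still be unspecified, so the candidate is matched against it; other_id is always concrete */` so the next reader does not "fix" it. In `get_ike_cfg`, `prio` and `best` are declared with the anonymous enum type and then incremented with `+=`; declaring them `int` would make the additive scoring obvious.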
@@ -0,0 +1,60 @@ +/** + * @file local_backend.h + * + * @brief Interface of local_backend_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef LOCAL_BACKEND_H_ +#define LOCAL_BACKEND_H_ + +typedef struct local_backend_t local_backend_t; + +#include +#include + +/** + * @brief An in-memory backend to store configurations. + * + * The local_backend_t stores the configuration in a simple list. It + * implements both, backend_t and writeable_backend_t. + * + * @b Constructors: + * - local_backend_create() + * + * @ingroup backends + */ +struct local_backend_t { + + /** + * Implements writable_backend_t interface + */ + writeable_backend_t backend; +}; + +/** + * @brief Create a backend_t instance implemented as local backend. + * + * @return backend instance + * + * @ingroup backends + */ +backend_t *backend_create(void); + +#endif /* LOCAL_BACKEND_H_ */ + diff --git a/src/charon/config/backends/writeable_backend.h b/src/charon/config/backends/writeable_backend.h new file mode 100644 index 000000000..ea62f62c9 --- /dev/null +++ b/src/charon/config/backends/writeable_backend.h 
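Review bot: The `@b Constructors:` entry names `local_backend_create()`, but the function this header actually declares is `backend_create()`, the symbol backend_manager.c resolves with `dlsym(handle, "backend_create")`; change the entry to `- backend_create()`. writeable_backend.h has the mirror problem: it lists `writeable_backend_create()`, which does not exist anywhere in this change, and as a pure interface it should read `- implementations constructors` like backend.h does.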
@@ -0,0 +1,64 @@ +/** + * @file writeable_backend.h + * + * @brief Interface of writeable_backend_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef WRITEABLE_BACKEND_H_ +#define WRITEABLE_BACKEND_H_ + +typedef struct writeable_backend_t writeable_backend_t; + +#include +#include + +/** + * @brief A writeable backend extends backend_t by modification functions. + * + * @b Constructors: + * - writeable_backend_create() + * + * @ingroup backends + */ +struct writeable_backend_t { + + /** + * Implements backend_t interface + */ + backend_t backend; + + /** + * @brief Add a peer_config to the backend. + * + * @param this calling object + * @param config peer_config to add to the backend + */ + void (*add_cfg)(writeable_backend_t *this, peer_cfg_t *config); + + /** + * @brief Create an iterator over all peer configs. + * + * @param this calling object + * @return iterator over peer configs + */ + iterator_t* (*create_iterator)(writeable_backend_t *this); +}; + +#endif /* WRITEABLE_BACKEND_H_ */ + diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c new file mode 100644 index 000000000..e9f0e5249 --- /dev/null +++ b/src/charon/config/child_cfg.c 
@@ -0,0 +1,449 @@ +/** + * @file child_cfg.c + * + * @brief Implementation of child_cfg_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + + +#include "child_cfg.h" + +#include + +ENUM(mode_names, MODE_TRANSPORT, MODE_BEET, + "TRANSPORT", + "TUNNEL", + "2", + "3", + "BEET", +); + +typedef struct private_child_cfg_t private_child_cfg_t; + +/** + * Private data of an child_cfg_t object + */ +struct private_child_cfg_t { + + /** + * Public part + */ + child_cfg_t public; + + /** + * Number of references hold by others to this child_cfg + */ + refcount_t refcount; + + /** + * Name of the child_cfg, used to query it + */ + char *name; + + /** + * list for all proposals + */ + linked_list_t *proposals; + + /** + * list for traffic selectors for my site + */ + linked_list_t *my_ts; + + /** + * list for traffic selectors for others site + */ + linked_list_t *other_ts; + + /** + * updown script + */ + char *updown; + + /** + * allow host access + */ + bool hostaccess; + + /** + * Mode to propose for a initiated CHILD: tunnel/transport + */ + mode_t mode; + + /** + * Time before an SA gets invalid + */ + u_int32_t lifetime; + + /** + * Time before an SA gets rekeyed + */ + u_int32_t rekeytime; + + /** + * Time, which specifies the range of a random value + * substracted from rekeytime. 
+ */ + u_int32_t jitter; +}; + +/** + * Implementation of child_cfg_t.get_name + */ +static char *get_name(private_child_cfg_t *this) +{ + return this->name; +} + +/** + * Implementation of child_cfg_t.add_proposal + */ +static void add_proposal(private_child_cfg_t *this, proposal_t *proposal) +{ + this->proposals->insert_last(this->proposals, proposal); +} + +/** + * strip out DH groups from a proposal + */ +static void strip_dh_from_proposal(proposal_t *proposal) +{ + iterator_t *iterator; + algorithm_t *algo; + + iterator = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP); + while (iterator->iterate(iterator, (void**)&algo)) + { + iterator->remove(iterator); + free(algo); + } + iterator->destroy(iterator); +} + +/** + * Implementation of child_cfg_t.get_proposals + */ +static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh) +{ + iterator_t *iterator; + proposal_t *current; + linked_list_t *proposals = linked_list_create(); + + iterator = this->proposals->create_iterator(this->proposals, TRUE); + while (iterator->iterate(iterator, (void**)¤t)) + { + current = current->clone(current); + if (strip_dh) + { + strip_dh_from_proposal(current); + } + proposals->insert_last(proposals, current); + } + iterator->destroy(iterator); + + return proposals; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static proposal_t* select_proposal(private_child_cfg_t*this, + linked_list_t *proposals, bool strip_dh) +{ + iterator_t *stored_iter, *supplied_iter; + proposal_t *stored, *supplied, *selected = NULL; + + stored_iter = this->proposals->create_iterator(this->proposals, TRUE); + supplied_iter = proposals->create_iterator(proposals, TRUE); + + /* compare all stored proposals with all supplied. Stored ones are preferred. 
*/ + while (stored_iter->iterate(stored_iter, (void**)&stored)) + { + stored = stored->clone(stored); + supplied_iter->reset(supplied_iter); + while (supplied_iter->iterate(supplied_iter, (void**)&supplied)) + { + if (strip_dh) + { + strip_dh_from_proposal(stored); + } + selected = stored->select(stored, supplied); + if (selected) + { + break; + } + } + stored->destroy(stored); + if (selected) + { + break; + } + } + stored_iter->destroy(stored_iter); + supplied_iter->destroy(supplied_iter); + return selected; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static void add_traffic_selector(private_child_cfg_t *this, bool local, + traffic_selector_t *ts) +{ + if (local) + { + this->my_ts->insert_last(this->my_ts, ts); + } + else + { + this->other_ts->insert_last(this->other_ts, ts); + } +} + +/** + * Implementation of child_cfg_t.get_name + */ +static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool local, + linked_list_t *supplied, + host_t *host) +{ + iterator_t *i1, *i2; + traffic_selector_t *ts1, *ts2, *selected; + linked_list_t *result = linked_list_create(); + + if (local) + { + i1 = this->my_ts->create_iterator(this->my_ts, TRUE); + } + else + { + i1 = this->other_ts->create_iterator(this->other_ts, FALSE); + } + + /* no list supplied, just fetch the stored traffic selectors */ + if (supplied == NULL) + { + while (i1->iterate(i1, (void**)&ts1)) + { + /* we make a copy of the TS, this allows us to update dynamic TS' */ + ts1 = ts1->clone(ts1); + if (host) + { + ts1->set_address(ts1, host); + } + result->insert_last(result, ts1); + } + i1->destroy(i1); + } + else + { + DBG2(DBG_CFG, "selecting traffic selectors"); + i2 = supplied->create_iterator(supplied, TRUE); + /* iterate over all stored selectors */ + while (i1->iterate(i1, (void**)&ts1)) + { + /* we make a copy of the TS, as we have to update dynamic TS' */ + ts1 = ts1->clone(ts1); + if (host) + { + ts1->set_address(ts1, host); + } + + i2->reset(i2); + /* iterate over all 
supplied traffic selectors */ + while (i2->iterate(i2, (void**)&ts2)) + { + DBG2(DBG_CFG, "stored %R <=> %R received", ts1, ts2); + selected = ts1->get_subset(ts1, ts2); + if (selected) + { + result->insert_last(result, selected); + DBG2(DBG_CFG, "found traffic selector for %s: %R", + local ? "us" : "other", selected); + } + } + ts1->destroy(ts1); + } + i1->destroy(i1); + i2->destroy(i2); + } + + /* remove any redundant traffic selectors in the list */ + i1 = result->create_iterator(result, TRUE); + i2 = result->create_iterator(result, TRUE); + while (i1->iterate(i1, (void**)&ts1)) + { + while (i2->iterate(i2, (void**)&ts2)) + { + if (ts1 != ts2) + { + if (ts2->is_contained_in(ts2, ts1)) + { + i2->remove(i2); + ts2->destroy(ts2); + i1->reset(i1); + break; + } + if (ts1->is_contained_in(ts1, ts2)) + { + i1->remove(i1); + ts1->destroy(ts1); + i2->reset(i2); + break; + } + } + } + } + i1->destroy(i1); + i2->destroy(i2); + + return result; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static char* get_updown(private_child_cfg_t *this) +{ + return this->updown; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static bool get_hostaccess(private_child_cfg_t *this) +{ + return this->hostaccess; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey) +{ + if (rekey) + { + if (this->jitter == 0) + { + return this->rekeytime; + } + return this->rekeytime - (random() % this->jitter); + } + return this->lifetime; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static mode_t get_mode(private_child_cfg_t *this) +{ + return this->mode; +} + +/** + * Implementation of child_cfg_t.get_dh_group. 
+ */ +static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this) +{ + iterator_t *iterator; + proposal_t *proposal; + algorithm_t *algo; + diffie_hellman_group_t dh_group = MODP_NONE; + + iterator = this->proposals->create_iterator(this->proposals, TRUE); + while (iterator->iterate(iterator, (void**)&proposal)) + { + if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo)) + { + dh_group = algo->algorithm; + break; + } + } + iterator->destroy(iterator); + return dh_group; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static void get_ref(private_child_cfg_t *this) +{ + ref_get(&this->refcount); +} + +/** + * Implements child_cfg_t.destroy. + */ +static void destroy(private_child_cfg_t *this) +{ + if (ref_put(&this->refcount)) + { + this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy)); + this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy)); + this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy)); + if (this->updown) + { + free(this->updown); + } + free(this->name); + free(this); + } +} + +/* + * Described in header-file + */ +child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, + u_int32_t rekeytime, u_int32_t jitter, + char *updown, bool hostaccess, mode_t mode) +{ + private_child_cfg_t *this = malloc_thing(private_child_cfg_t); + + /* public functions */ + this->public.get_name = (char* (*) (child_cfg_t*))get_name; + this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector; + this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors; + this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal; + this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals; + this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal; + this->public.get_updown = 
(char* (*) (child_cfg_t*))get_updown; + this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess; + this->public.get_mode = (mode_t (*) (child_cfg_t *))get_mode; + this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime; + this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group; + this->public.get_ref = (void (*) (child_cfg_t*))get_ref; + this->public.destroy = (void (*) (child_cfg_t*))destroy; + + /* apply init values */ + this->name = strdup(name); + this->lifetime = lifetime; + this->rekeytime = rekeytime; + this->jitter = jitter; + this->updown = updown ? strdup(updown) : NULL; + this->hostaccess = hostaccess; + this->mode = mode; + + /* initialize private members*/ + this->refcount = 1; + this->proposals = linked_list_create(); + this->my_ts = linked_list_create(); + this->other_ts = linked_list_create(); + + return &this->public; +} diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h new file mode 100644 index 000000000..e1a6553b4 --- /dev/null +++ b/src/charon/config/child_cfg.h 
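Review bot: `get_lifetime` computes `this->rekeytime - (random() % this->jitter)` on u_int32_t without checking `jitter < rekeytime`; the header only recommends `lifetime > rekeytime > jitter`, so a misconfigured jitter wraps the result to a value close to 4 billion seconds and the CHILD_SA is effectively never rekeyed. Guard the subtraction (`u_int32_t j = random() % this->jitter; return j < this->rekeytime ? this->rekeytime - j : this->rekeytime;`) or reject `jitter >= rekeytime` in `child_cfg_create`. In the redundant-traffic-selector loop at the end of `get_traffic_selectors`, `i2` is not reset at the start of each outer iteration, so unless the iterator rewinds on its own only the first element is ever compared with the rest; an `i2->reset(i2);` as the first statement of the outer `while` fixes that. In `select_proposal`, `strip_dh_from_proposal(stored)` is called inside the inner loop on the same clone and belongs before it. Most of the doc comments (`select_proposal`, `add_traffic_selector`, `get_traffic_selectors`, `get_updown`, `get_hostaccess`, `get_lifetime`, `get_mode`, `get_ref`) still say `Implementation of child_cfg_t.get_name` and should name their own function.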
@@ -0,0 +1,251 @@ +/** + * @file child_cfg.h + * + * @brief Interface of child_cfg_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef CHILD_CFG_H_ +#define CHILD_CFG_H_ + +typedef enum mode_t mode_t; +typedef struct child_cfg_t child_cfg_t; + +#include +#include +#include + +/** + * @brief Mode of an CHILD_SA. + * + * These are equal to those defined in XFRM, so don't change. + * + * @ingroup config + */ +enum mode_t { + /** transport mode, no inner address */ + MODE_TRANSPORT = 0, + /** tunnel mode, inner and outer addresses */ + MODE_TUNNEL = 1, + /** BEET mode, tunnel mode but fixed, bound inner addresses */ + MODE_BEET = 4, +}; + +/** + * enum names for mode_t. + */ +extern enum_name_t *mode_names; + +/** + * @brief A child_cfg_t defines the config template for a CHILD_SA. + * + * After creation, proposals and traffic selectors may be added to the config. + * A child_cfg object is referenced multiple times, and is not thread save. + * Reading from the object is save, adding things is not allowed while other + * threads may access the object. + * A reference counter handles the number of references hold to this config. + * + * @see peer_cfg_t to get an overview over the configurations. + * + * @b Constructors: + * - child_cfg_create() + * + * @ingroup config + */ +struct child_cfg_t { + + /** + * @brief Get the name of the child_cfg. 
+ * + * @param this calling object + * @return child_cfg's name + */ + char *(*get_name) (child_cfg_t *this); + + /** + * @brief Add a proposal to the list. + * + * The proposals are stored by priority, first added + * is the most prefered. + * After add, proposal is owned by child_cfg. + * + * @param this calling object + * @param proposal proposal to add + */ + void (*add_proposal) (child_cfg_t *this, proposal_t *proposal); + + /** + * @brief Get the list of proposals for the CHILD_SA. + * + * Resulting list and all of its proposals must be freed after use. + * + * @param this calling object + * @param strip_dh TRUE strip out diffie hellman groups + * @return list of proposals + */ + linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh); + + /** + * @brief Select a proposal from a supplied list. + * + * Returned propsal is newly created and must be destroyed after usage. + * + * @param this calling object + * @param proposals list from from wich proposals are selected + * @param strip_dh TRUE strip out diffie hellman groups + * @return selected proposal, or NULL if nothing matches + */ + proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals, + bool strip_dh); + + /** + * @brief Add a traffic selector to the config. + * + * Use the "local" parameter to add it for the local or the remote side. + * After add, traffic selector is owned by child_cfg. + * + * @param this calling object + * @param local TRUE for local side, FALSE for remote + * @param ts traffic_selector to add + */ + void (*add_traffic_selector)(child_cfg_t *this, bool local, + traffic_selector_t *ts); + + /** + * @brief Get a list of traffic selectors to use for the CHILD_SA. + * + * The config contains two set of traffic selectors, one for the local + * side, one for the remote side. + * If a list with traffic selectors is supplied, these are used to narrow + * down the traffic selector list to the greatest common divisor. 
+ * Some traffic selector may be "dymamic", meaning they are narrowed down + * to a specific address (host-to-host or virtual-IP setups). Use + * the "host" parameter to narrow such traffic selectors to that address. + * Resulted list and its traffic selectors must be destroyed after use. + * + * @param this calling object + * @param local TRUE for TS on local side, FALSE for remote + * @param supplied list with TS to select from, or NULL + * @param host address to use for narrowing "dynamic" TS', or NULL + * @return list containing the traffic selectors + */ + linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local, + linked_list_t *supplied, + host_t *host); + + /** + * @brief Get the updown script to run for the CHILD_SA. + * + * @param this calling object + * @return path to updown script + */ + char* (*get_updown)(child_cfg_t *this); + + /** + * @brief Should we allow access to the local host (gateway)? + * + * @param this calling object + * @return value of hostaccess flag + */ + bool (*get_hostaccess) (child_cfg_t *this); + + /** + * @brief Get the lifetime of a CHILD_SA. + * + * If "rekey" is set to TRUE, a lifetime is returned before the first + * rekeying should be started. If it is FALSE, the actual lifetime is + * returned when the CHILD_SA must be deleted. + * The rekey time automatically contains a jitter to avoid simlutaneous + * rekeying. + * + * @param this child_cfg + * @param rekey TRUE to get rekey time + * @return lifetime in seconds + */ + u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey); + + /** + * @brief Get the mode to use for the CHILD_SA. + * + * The mode is either tunnel, transport or BEET. The peer must agree + * on the method, fallback is tunnel mode. + * + * @param this child_cfg + * @return lifetime in seconds + */ + mode_t (*get_mode) (child_cfg_t *this); + + /** + * @brief Get the DH group to use for CHILD_SA setup. 
+ * + * @param this calling object + * @return dh group to use + */ + diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this); + + /** + * @brief Get a new reference. + * + * Get a new reference to this child_cfg by increasing + * it's internal reference counter. + * Do not call get_ref or any other function until you + * already have a reference. Otherwise the object may get + * destroyed while calling get_ref(), + * + * @param this calling object + */ + void (*get_ref) (child_cfg_t *this); + + /** + * @brief Destroys the child_cfg object. + * + * Decrements the internal reference counter and + * destroys the child_cfg when it reaches zero. + * + * @param this calling object + */ + void (*destroy) (child_cfg_t *this); +}; + +/** + * @brief Create a configuration template for CHILD_SA setup. + * + * The "name" string gets cloned. + * Lifetimes are in seconds. To prevent to peers to start rekeying at the + * same time, a jitter may be specified. Rekeying of an SA starts at + * (rekeytime - random(0, jitter)). You should specify + * lifetime > rekeytime > jitter. + * After a call to create, a reference is obtained (refcount = 1). + * + * @param name name of the child_cfg + * @param lifetime lifetime after CHILD_SA expires and gets deleted + * @param rekeytime time when rekeying should be initiated + * @param jitter range of randomization time to remove from rekeytime + * @param updown updown script to execute on up/down event + * @param hostaccess TRUE to allow access to the local host + * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET + * @return child_cfg_t object + * + * @ingroup config + */ +child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, + u_int32_t rekeytime, u_int32_t jitter, + char *updown, bool hostaccess, mode_t mode); + +#endif /* CHILD_CFG_H_ */ diff --git a/src/charon/config/configuration.c b/src/charon/config/configuration.c deleted file mode 100755 index 488ba9a5e..000000000 
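Review bot: `typedef enum mode_t mode_t;` redefines `mode_t`, the POSIX file-mode type from `<sys/types.h>`; any translation unit that includes both (anything using `open()`, `stat()` or `chmod()` together with this header) gets a conflicting-type error, so a project-specific name such as `ipsec_mode_t`, applied to the `enum` tag, the typedef and the `get_mode`/`child_cfg_create` signatures, is needed. The doc for `get_mode` says `@return lifetime in seconds`, copied from `get_lifetime`; it should read `@return mode to use for the CHILD_SA`. The constructor comment only recommends `lifetime > rekeytime > jitter`, yet the implementation subtracts the jitter from rekeytime unchecked, so either state it as a requirement (`@param jitter range of randomization time to remove from rekeytime, must be smaller than rekeytime`) or have the constructor enforce it. Minor typos worth fixing while here: `propsal`, `wich`, `dymamic`, `simlutaneous`, `thread save`.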
--- a/src/charon/config/configuration.c +++ /dev/null 
@@ -1,162 +0,0 @@ -/** - * @file configuration.c - * - * @brief Implementation of configuration_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include - -#include "configuration.h" - -#include - -/** - * Timeout in milliseconds after that a half open IKE_SA gets deleted. - */ -#define HALF_OPEN_IKE_SA_TIMEOUT 30000 - -/** - * Retransmission uses a backoff algorithm. The timeout is calculated using - * TIMEOUT * (BASE ** try). - * When try reaches TRIES, retransmission is given up. - * - * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us: - * - * | relative | absolute - * --------------------------------------------------------- - * 4s * (1.8 ** (0 % 5)) = 4s 4s - * 4s * (1.8 ** (1 % 5)) = 7s 11s - * 4s * (1.8 ** (2 % 5)) = 13s 24s - * 4s * (1.8 ** (3 % 5)) = 23s 47s - * 4s * (1.8 ** (4 % 5)) = 42s 89s - * 4s * (1.8 ** (5 % 5)) = 76s 165s - * - * The peer is considered dead after 2min 45s when no reply comes in. - */ - -/** - * First retransmit timeout in milliseconds. - * Timeout value is increasing in each retransmit round. - */ -#define RETRANSMIT_TIMEOUT 4000 - -/** - * Base which is raised to the power of the retransmission count. - */ -#define RETRANSMIT_BASE 1.8 - -/** - * Number of retransmits done in a retransmit sequence - */ -#define RETRANSMIT_TRIES 5 - -/** - * Keepalive interval in seconds. 
- */ -#define KEEPALIVE_INTERVAL 20 - -/** - * retry interval in seconds. - */ -#define RETRY_INTERVAL 30 - -/** - * jitter to user for retrying - */ -#define RETRY_JITTER 20 - - -typedef struct private_configuration_t private_configuration_t; - -/** - * Private data of an configuration_t object. - */ -struct private_configuration_t { - - /** - * Public part of configuration_t object. - */ - configuration_t public; - -}; - -/** - * Implementation of configuration_t.get_retransmit_timeout. - */ -static u_int32_t get_retransmit_timeout (private_configuration_t *this, - u_int32_t retransmit_count) -{ - if (retransmit_count > RETRANSMIT_TRIES) - { - /* give up */ - return 0; - } - return (u_int32_t) - (RETRANSMIT_TIMEOUT * pow(RETRANSMIT_BASE, retransmit_count)); -} - -/** - * Implementation of configuration_t.get_half_open_ike_sa_timeout. - */ -static u_int32_t get_half_open_ike_sa_timeout (private_configuration_t *this) -{ - return HALF_OPEN_IKE_SA_TIMEOUT; -} - -/** - * Implementation of configuration_t.get_keepalive_interval. - */ -static u_int32_t get_keepalive_interval (private_configuration_t *this) -{ - return KEEPALIVE_INTERVAL; -} - -/** - * Implementation of configuration_t.get_retry_interval. - */ -static u_int32_t get_retry_interval (private_configuration_t *this) -{ - return RETRY_INTERVAL - (random() % RETRY_JITTER); -} - -/** - * Implementation of configuration_t.destroy. 
- */ -static void destroy(private_configuration_t *this) -{ - free(this); -} - -/* - * Described in header-file - */ -configuration_t *configuration_create() -{ - private_configuration_t *this = malloc_thing(private_configuration_t); - - /* public functions */ - this->public.destroy = (void(*)(configuration_t*))destroy; - this->public.get_retransmit_timeout = (u_int32_t (*) (configuration_t*,u_int32_t))get_retransmit_timeout; - this->public.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_t*)) get_half_open_ike_sa_timeout; - this->public.get_keepalive_interval = (u_int32_t (*) (configuration_t*)) get_keepalive_interval; - this->public.get_retry_interval = (u_int32_t (*) (configuration_t*)) get_retry_interval; - - return (&this->public); -} diff --git a/src/charon/config/configuration.h b/src/charon/config/configuration.h deleted file mode 100755 index c1207171d..000000000 --- a/src/charon/config/configuration.h +++ /dev/null 
@@ -1,102 +0,0 @@ -/** - * @file configuration.h - * - * @brief Interface configuration_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef CONFIGURATION_H_ -#define CONFIGURATION_H_ - -typedef struct configuration_t configuration_t; - -#include - -/** - * @brief The interface for various daemon related configs. - * - * @b Constructors: - * - configuration_create() - * - * @ingroup config - */ -struct configuration_t { - - /** - * @brief Returns the retransmit timeout. - * - * A return value of zero means the request should not be - * retransmitted again. - * - * @param this calling object - * @param retransmitted number of times a message was retransmitted so far - * @return time in milliseconds, when to do next retransmit - */ - u_int32_t (*get_retransmit_timeout) (configuration_t *this, - u_int32_t retransmitted); - - /** - * @brief Returns the timeout for an half open IKE_SA in ms. - * - * Half open means that the IKE_SA is still on a not established state - * - * @param this calling object - * @return timeout in milliseconds (ms) - */ - u_int32_t (*get_half_open_ike_sa_timeout) (configuration_t *this); - - /** - * @brief Returns the keepalive interval in s. - * - * The keepalive interval defines the idle time after which a - * NAT keepalive packet should be sent. 
- * - * @param this calling object - * @return interval in s - */ - u_int32_t (*get_keepalive_interval) (configuration_t *this); - - /** - * @brief Returns the interval to retry a failed action again. - * - * In some situations, the protocol may be in a state where processing - * is not possible and an action must be retried (e.g. rekeying). - * - * @param this calling object - * @return interval in s - */ - u_int32_t (*get_retry_interval) (configuration_t *this); - - /** - * @brief Destroys a configuration_t object. - * - * @param this calling object - */ - void (*destroy) (configuration_t *this); -}; - -/** - * @brief Creates a configuration backend. - * - * @return static_configuration_t object - * - * @ingroup config - */ -configuration_t *configuration_create(void); - -#endif /*CONFIGURATION_H_*/ diff --git a/src/charon/config/connections/connection.c b/src/charon/config/connections/connection.c deleted file mode 100644 index ffe508992..000000000 --- a/src/charon/config/connections/connection.c +++ /dev/null 
@@ -1,404 +0,0 @@ -/** - * @file connection.c - * - * @brief Implementation of connection_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include - -#include -#include - -ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND, - "CERT_ALWAYS_SEND", - "CERT_SEND_IF_ASKED", - "CERT_NEVER_SEND" -); - -typedef struct private_connection_t private_connection_t; - -/** - * Private data of an connection_t object - */ -struct private_connection_t { - - /** - * Public part - */ - connection_t public; - - /** - * Number of references hold by others to this connection - */ - refcount_t refcount; - - /** - * Name of the connection - */ - char *name; - - /** - * Does charon handle this connection? Or can he ignore it? - */ - bool ikev2; - - /** - * should we send a certificate request? - */ - cert_policy_t certreq_policy; - - /** - * should we send a certificates? - */ - cert_policy_t cert_policy; - - /** - * ID of us - */ - identification_t *my_id; - - /** - * Host information of my host. - */ - host_t *my_host; - - /** - * Host information of other host. 
- */ - host_t *other_host; - - /** - * Interval to send DPD liveness checks on inactivity - */ - u_int32_t dpd_delay; - - /** - * Number of retransmission sequences to send bevore giving up - */ - u_int32_t keyingtries; - - /** - * Supported proposals - */ - linked_list_t *proposals; - - /** - * Time before an SA gets invalid - */ - u_int32_t soft_lifetime; - - /** - * Time before an SA gets rekeyed - */ - u_int32_t hard_lifetime; - - /** - * Use full reauthentication instead of rekeying - */ - bool reauth; - - /** - * Time, which specifies the range of a random value - * substracted from soft_lifetime. - */ - u_int32_t jitter; -}; - -/** - * Implementation of connection_t.get_name. - */ -static char *get_name (private_connection_t *this) -{ - return this->name; -} - -/** - * Implementation of connection_t.is_ikev2. - */ -static bool is_ikev2 (private_connection_t *this) -{ - return this->ikev2; -} - -/** - * Implementation of connection_t.get_certreq_policy. - */ -static cert_policy_t get_certreq_policy (private_connection_t *this) -{ - return this->certreq_policy; -} - -/** - * Implementation of connection_t.get_cert_policy. - */ -static cert_policy_t get_cert_policy (private_connection_t *this) -{ - return this->cert_policy; -} - -/** - * Implementation of connection_t.get_my_host. - */ -static host_t *get_my_host (private_connection_t *this) -{ - return this->my_host; -} - -/** - * Implementation of connection_t.get_other_host. - */ -static host_t *get_other_host (private_connection_t *this) -{ - return this->other_host; -} - -/** - * Implementation of connection_t.get_proposals. 
- */ -static linked_list_t* get_proposals(private_connection_t *this) -{ - iterator_t *iterator; - proposal_t *current; - linked_list_t *proposals = linked_list_create(); - - iterator = this->proposals->create_iterator(this->proposals, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - current = current->clone(current); - proposals->insert_last(proposals, (void*)current); - } - iterator->destroy(iterator); - - return proposals; -} - -/** - * Implementation of connection_t.select_proposal. - */ -static proposal_t *select_proposal(private_connection_t *this, linked_list_t *proposals) -{ - iterator_t *stored_iter, *supplied_iter; - proposal_t *stored, *supplied, *selected; - - stored_iter = this->proposals->create_iterator(this->proposals, TRUE); - supplied_iter = proposals->create_iterator(proposals, TRUE); - - /* compare all stored proposals with all supplied. Stored ones are preferred. */ - while (stored_iter->iterate(stored_iter, (void**)&stored)) - { - supplied_iter->reset(supplied_iter); - - while (supplied_iter->iterate(supplied_iter, (void**)&supplied)) - { - selected = stored->select(stored, supplied); - if (selected) - { - /* they match, return */ - stored_iter->destroy(stored_iter); - supplied_iter->destroy(supplied_iter); - return selected; - } - } - } - /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */ - stored_iter->destroy(stored_iter); - supplied_iter->destroy(supplied_iter); - - return NULL; -} - -/** - * Implementation of connection_t.add_proposal. - */ -static void add_proposal(private_connection_t *this, proposal_t *proposal) -{ - this->proposals->insert_last(this->proposals, proposal); -} - -/** - * Implementation of connection_t.get_dpd_delay. - */ -static u_int32_t get_dpd_delay(private_connection_t *this) -{ - return this->dpd_delay; -} - -/** - * Implementation of connection_t.get_keyingtries. 
- */ -static u_int32_t get_keyingtries(private_connection_t *this) -{ - return this->keyingtries; -} - -/** - * Implementation of connection_t.get_dh_group. - */ -static diffie_hellman_group_t get_dh_group(private_connection_t *this) -{ - iterator_t *iterator; - proposal_t *proposal; - algorithm_t *algo; - diffie_hellman_group_t dh_group = MODP_NONE; - - iterator = this->proposals->create_iterator(this->proposals, TRUE); - while (iterator->iterate(iterator, (void**)&proposal)) - { - if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo)) - { - dh_group = algo->algorithm; - break; - } - } - iterator->destroy(iterator); - return dh_group; -} - -/** - * Implementation of connection_t.check_dh_group. - */ -static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh_group) -{ - iterator_t *prop_iter, *alg_iter; - proposal_t *proposal; - algorithm_t *algo; - - prop_iter = this->proposals->create_iterator(this->proposals, TRUE); - while (prop_iter->iterate(prop_iter, (void**)&proposal)) - { - alg_iter = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP); - while (alg_iter->iterate(alg_iter, (void**)&algo)) - { - if (algo->algorithm == dh_group) - { - prop_iter->destroy(prop_iter); - alg_iter->destroy(alg_iter); - return TRUE; - } - } - alg_iter->destroy(alg_iter); - } - prop_iter->destroy(prop_iter); - return FALSE; -} -/** - * Implementation of connection_t.get_soft_lifetime - */ -static u_int32_t get_soft_lifetime(private_connection_t *this) -{ - if (this->jitter == 0) - { - return this->soft_lifetime ; - } - return this->soft_lifetime - (random() % this->jitter); -} - -/** - * Implementation of connection_t.get_hard_lifetime. - */ -static u_int32_t get_hard_lifetime(private_connection_t *this) -{ - return this->hard_lifetime; -} - -/** - * Implementation of connection_t.get_reauth. - */ -static bool get_reauth(private_connection_t *this) -{ - return this->reauth; -} - -/** - * Implementation of connection_t.get_ref. 
- */ -static void get_ref(private_connection_t *this) -{ - ref_get(&this->refcount); -} - -/** - * Implementation of connection_t.destroy. - */ -static void destroy(private_connection_t *this) -{ - if (ref_put(&this->refcount)) - { - this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy)); - this->my_host->destroy(this->my_host); - this->other_host->destroy(this->other_host); - free(this->name); - free(this); - } -} - -/** - * Described in header. - */ -connection_t * connection_create(char *name, bool ikev2, - cert_policy_t cert_policy, - cert_policy_t certreq_policy, - host_t *my_host, host_t *other_host, - u_int32_t dpd_delay, bool reauth, - u_int32_t keyingtries, - u_int32_t hard_lifetime, - u_int32_t soft_lifetime, u_int32_t jitter) -{ - private_connection_t *this = malloc_thing(private_connection_t); - - /* public functions */ - this->public.get_name = (char*(*)(connection_t*))get_name; - this->public.is_ikev2 = (bool(*)(connection_t*))is_ikev2; - this->public.get_cert_policy = (cert_policy_t(*)(connection_t*))get_cert_policy; - this->public.get_certreq_policy = (cert_policy_t(*)(connection_t*))get_certreq_policy; - this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host; - this->public.get_other_host = (host_t*(*)(connection_t*))get_other_host; - this->public.get_proposals = (linked_list_t*(*)(connection_t*))get_proposals; - this->public.select_proposal = (proposal_t*(*)(connection_t*,linked_list_t*))select_proposal; - this->public.add_proposal = (void(*)(connection_t*, proposal_t*)) add_proposal; - this->public.get_dpd_delay = (u_int32_t(*)(connection_t*)) get_dpd_delay; - this->public.get_reauth = (bool(*)(connection_t*)) get_reauth; - this->public.get_keyingtries = (u_int32_t(*)(connection_t*)) get_keyingtries; - this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group; - this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group; - 
this->public.get_soft_lifetime = (u_int32_t (*) (connection_t *))get_soft_lifetime; - this->public.get_hard_lifetime = (u_int32_t (*) (connection_t *))get_hard_lifetime; - this->public.get_ref = (void(*)(connection_t*))get_ref; - this->public.destroy = (void(*)(connection_t*))destroy; - - /* private variables */ - this->refcount = 1; - this->name = strdup(name); - this->ikev2 = ikev2; - this->cert_policy = cert_policy; - this->certreq_policy = certreq_policy; - this->my_host = my_host; - this->other_host = other_host; - this->dpd_delay = dpd_delay; - this->reauth = reauth; - this->keyingtries = keyingtries; - this->hard_lifetime = hard_lifetime; - this->soft_lifetime = soft_lifetime; - this->jitter = jitter; - - this->proposals = linked_list_create(); - - return &this->public; -} diff --git a/src/charon/config/connections/connection.h b/src/charon/config/connections/connection.h deleted file mode 100644 index d0788876f..000000000 --- a/src/charon/config/connections/connection.h +++ /dev/null 
@@ -1,292 +0,0 @@ -/** - * @file connection.h - * - * @brief Interface of connection_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef CONNECTION_H_ -#define CONNECTION_H_ - -typedef enum cert_policy_t cert_policy_t; -typedef struct connection_t connection_t; - -#include -#include -#include -#include -#include -#include - - -/** - * Certificate sending policy. This is also used for certificate - * requests when using this definition for the other peer. If - * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its - * included. - * - * @ingroup config - * - * @warning These definitions must be the same as in pluto/starter, - * as they are sent over the stroke socket. - */ -enum cert_policy_t { - /** always send certificates, even when not requested */ - CERT_ALWAYS_SEND = 0, - /** send certificate upon cert request */ - CERT_SEND_IF_ASKED = 1, - /** never send a certificate, even when requested */ - CERT_NEVER_SEND = 2, -}; - -/** - * enum strings for cert_policy_t - * - * @ingroup config - */ -extern enum_name_t *cert_policy_names; - -/** - * @brief A connection_t defines the rules to set up an IKE_SA. - * - * @b Constructors: - * - connection_create() - * - * @ingroup config - */ -struct connection_t { - - /** - * @brief Get my address as host_t object. - * - * Object is NOT getting cloned. 
- * - * @param this calling object - * @return host information as host_t object - */ - host_t *(*get_my_host) (connection_t *this); - - /** - * @brief Get others address as host_t object. - * - * Object is NOT getting cloned. - * - * @param this calling object - * @return host information as host_t object - */ - host_t *(*get_other_host) (connection_t *this); - - /** - * @brief Returns a list of all supported proposals. - * - * Returned list and its proposals must be destroyed after usage. - * - * @param this calling object - * @return list containing all the proposals - */ - linked_list_t *(*get_proposals) (connection_t *this); - - /** - * @brief Adds a proposal to the list. - * - * The first added proposal has the highest priority, the last - * added the lowest. - * - * @param this calling object - * @param proposal proposal to add - */ - void (*add_proposal) (connection_t *this, proposal_t *proposal); - - /** - * @brief Select a proposed from suggested proposals. - * - * Returned proposal must be destroyed after usage. - * - * @param this calling object - * @param proposals list of proposals to select from - * @return selected proposal, or NULL if none matches. - */ - proposal_t *(*select_proposal) (connection_t *this, linked_list_t *proposals); - - /** - * @brief Get the DPD check interval. - * - * @param this calling object - * @return dpd_delay in seconds - */ - u_int32_t (*get_dpd_delay) (connection_t *this); - - /** - * @brief Should a full reauthentication be done instead of rekeying? - * - * @param this calling object - * @return TRUE to use full reauthentication - */ - bool (*get_reauth) (connection_t *this); - - /** - * @brief Get the max number of retransmission sequences. - * - * @param this calling object - * @return max number of retransmission sequences - */ - u_int32_t (*get_keyingtries) (connection_t *this); - - /** - * @brief Get the connection name. - * - * Name must not be freed, since it points to - * internal data. 
- * - * @param this calling object - * @return name of the connection - */ - char* (*get_name) (connection_t *this); - - /** - * @brief Check if the connection is marked as an IKEv2 connection. - * - * Since all connections (IKEv1+2) are loaded, but charon handles - * only those marked with IKEv2, this flag can tell us if we must - * ignore a connection on initiaton. Then pluto will do it for us. - * - * @param this calling object - * @return - TRUE, if this is an IKEv2 connection - */ - bool (*is_ikev2) (connection_t *this); - - /** - * @brief Should be sent a certificate request for this connection? - * - * A certificate request contains serials of our trusted CA certificates. - * This flag says if such a request is sent on connection setup to - * the peer. It should be omitted when CERT_SEND_NEVER, sended otherwise. - * - * @param this calling object - * @return certificate request sending policy - */ - cert_policy_t (*get_certreq_policy) (connection_t *this); - - /** - * @brief Should be sent a certificate for this connection? - * - * Return the policy used to send the certificate. - * - * @param this calling object - * @return certificate sending policy - */ - cert_policy_t (*get_cert_policy) (connection_t *this); - - /** - * @brief Get the DH group to use for connection initialization. - * - * @param this calling object - * @return dh group to use for initialization - */ - diffie_hellman_group_t (*get_dh_group) (connection_t *this); - - /** - * @brief Check if a suggested dh group is acceptable. - * - * If we guess a wrong DH group for IKE_SA_INIT, the other - * peer will send us a offer. But is this acceptable for us? - * - * @param this calling object - * @return TRUE if group acceptable - */ - bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group); - - /** - * @brief Get the lifetime of a connection, before IKE_SA rekeying starts. - * - * A call to this function automatically adds a jitter to - * avoid simultanous rekeying. 
- * - * @param this calling object - * @return lifetime in seconds - */ - u_int32_t (*get_soft_lifetime) (connection_t *this); - - /** - * @brief Get the lifetime of a connection, before IKE_SA gets deleted. - * - * @param this calling object - * @return lifetime in seconds - */ - u_int32_t (*get_hard_lifetime) (connection_t *this); - - /** - * @brief Get a new reference to this connection. - * - * Get a new reference to this connection by increasing - * it's internal reference counter. - * Do not call get_ref or any other function until you - * already have a reference. Otherwise the object may get - * destroyed while calling get_ref(), - * - * @param this calling object - */ - void (*get_ref) (connection_t *this); - - /** - * @brief Destroys a connection_t object. - * - * Decrements the internal reference counter and - * destroys the connection when it reaches zero. - * - * @param this calling object - */ - void (*destroy) (connection_t *this); -}; - -/** - * @brief Creates a connection_t object. - * - * Supplied hosts become owned by connection, so - * do not modify or destroy them after a call to - * connection_create(). Name gets cloned internally. - * The retrasmit sequence number says how fast we give up when the peer - * does not respond. A high value may bridge-over temporary connection - * problems, a small value can detect dead peers faster. 
- * - * @param name connection identifier - * @param ikev2 TRUE if this is an IKEv2 connection - * @param cert_policy certificate send policy - * @param cert_req_policy certificate request send policy - * @param my_host host_t representing local address - * @param other_host host_t representing remote address - * @param dpd_delay interval of DPD liveness checks - * @param reauth use full reauthentication instead of rekeying - * @param keyingtries number of retransmit sequences to use - * @param hard_lifetime lifetime before deleting an IKE_SA - * @param soft_lifetime lifetime before rekeying an IKE_SA - * @param jitter range of randomization time - * @return connection_t object. - * - * @ingroup config - */ -connection_t * connection_create(char *name, bool ikev2, - cert_policy_t cert_pol, cert_policy_t req_pol, - host_t *my_host, host_t *other_host, - u_int32_t dpd_delay, bool reauth, - u_int32_t keyingtries, - u_int32_t hard_lifetime, u_int32_t soft_lifetime, - u_int32_t jitter); - -#endif /* CONNECTION_H_ */ diff --git a/src/charon/config/connections/connection_store.h b/src/charon/config/connections/connection_store.h deleted file mode 100755 index 70f209d3b..000000000 --- a/src/charon/config/connections/connection_store.h +++ /dev/null 
@@ -1,118 +0,0 @@ -/** - * @file connection_store.h - * - * @brief Interface connection_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef CONNECTION_STORE_H_ -#define CONNECTION_STORE_H_ - -typedef struct connection_store_t connection_store_t; - -#include -#include -#include - -/** - * @brief The interface for a store of connection_t's. - * - * @b Constructors: - * - stroke_create() - * - * @ingroup config - */ -struct connection_store_t { - - /** - * @brief Returns a connection definition identified by two hosts. - * - * This call is usefull to get a connection identified by addresses. - * It may be used after kernel request for traffic protection. - * The returned connection gets created/cloned and therefore must - * be destroyed after usage. - * - * @param this calling object - * @param my_id own address of connection - * @param other_id others address of connection - * @return - * - connection_t, if found - * - NULL otherwise - */ - connection_t *(*get_connection_by_hosts)(connection_store_t *this, - host_t *my_host, host_t *other_host); - - /** - * @brief Returns a connection identified by its name. - * - * This call is usefull to get a connection identified its - * name, as on an connection setup. 
- * - * @param this calling object - * @param name name of the connection to get - * @return - * - connection_t, if found - * - NULL otherwise - */ - connection_t *(*get_connection_by_name) (connection_store_t *this, char *name); - - /** - * @brief Add a connection to the store. - * - * After a successful call, the connection is owned by the store and may - * not be manipulated nor destroyed. - * - * @param this calling object - * @param connection connection to add - * @return - * - SUCCESS, or - * - FAILED - */ - status_t (*add_connection) (connection_store_t *this, connection_t *connection); - - /** - * @brief Delete a connection from the store. - * - * Remove a connection from the connection store, identified - * by the connections name. - * - * @param this calling object - * @param name name of the connection to delete - * @return - * - SUCCESS, or - * - NOT_FOUND - */ - status_t (*delete_connection) (connection_store_t *this, char *name); - - /** - * @brief Get an iterator for the stored connections. - * - * @param this calling object - * @return iterator over all stored connections - */ - iterator_t* (*create_iterator) (connection_store_t *this); - - /** - * @brief Destroys a connection_store_t object. - * - * @param this calling object - */ - void (*destroy) (connection_store_t *this); -}; - -#endif /* CONNECTION_STORE_H_ */ diff --git a/src/charon/config/connections/local_connection_store.c b/src/charon/config/connections/local_connection_store.c deleted file mode 100644 index df4ec230a..000000000 --- a/src/charon/config/connections/local_connection_store.c +++ /dev/null 
@@ -1,237 +0,0 @@ -/** - * @file local_connection_store.c - * - * @brief Implementation of local_connection_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include - -#include "local_connection_store.h" - -#include -#include - - -typedef struct private_local_connection_store_t private_local_connection_store_t; - -/** - * Private data of an local_connection_store_t object - */ -struct private_local_connection_store_t { - - /** - * Public part - */ - local_connection_store_t public; - - /** - * stored connection - */ - linked_list_t *connections; - - /** - * Mutex to exclusivly access connection list - */ - pthread_mutex_t mutex; -}; - - -/** - * Implementation of connection_store_t.get_connection_by_hosts. 
- */ -static connection_t *get_connection_by_hosts(private_local_connection_store_t *this, host_t *my_host, host_t *other_host) -{ - typedef enum { - PRIO_UNDEFINED= 0x00, - PRIO_ADDR_ANY= 0x01, - PRIO_ADDR_MATCH= 0x02 - } prio_t; - - prio_t best_prio = PRIO_UNDEFINED; - - iterator_t *iterator; - connection_t *candidate; - connection_t *found = NULL; - - DBG2(DBG_CFG, "looking for connection for host pair %H...%H", - my_host, other_host); - - pthread_mutex_lock(&(this->mutex)); - iterator = this->connections->create_iterator(this->connections, TRUE); - /* determine closest matching connection */ - while (iterator->iterate(iterator, (void**)&candidate)) - { - host_t *candidate_my_host; - host_t *candidate_other_host; - - candidate_my_host = candidate->get_my_host(candidate); - candidate_other_host = candidate->get_other_host(candidate); - - /* my_host addresses must match*/ - if (my_host->ip_equals(my_host, candidate_my_host)) - { - prio_t prio = PRIO_UNDEFINED; - - /* exact match of peer host address or wildcard address? */ - if (other_host->ip_equals(other_host, candidate_other_host)) - { - prio |= PRIO_ADDR_MATCH; - } - else if (candidate_other_host->is_anyaddr(candidate_other_host)) - { - prio |= PRIO_ADDR_ANY; - } - - DBG2(DBG_CFG, "candidate connection \"%s\": %H...%H (prio=%d)", - candidate->get_name(candidate), - candidate_my_host, candidate_other_host, prio); - - if (prio > best_prio) - { - found = candidate; - best_prio = prio; - } - } - } - iterator->destroy(iterator); - - if (found) - { - DBG2(DBG_CFG, "found matching connection \"%s\": %H...%H (prio=%d)", - found->get_name(found), found->get_my_host(found), - found->get_other_host(found), best_prio); - - /* give out a new reference to it */ - found->get_ref(found); - } - pthread_mutex_unlock(&(this->mutex)); - return found; -} - -/** - * Implementation of connection_store_t.get_connection_by_name. 
- */ -static connection_t *get_connection_by_name(private_local_connection_store_t *this, char *name) -{ - iterator_t *iterator; - connection_t *current, *found = NULL; - - pthread_mutex_lock(&(this->mutex)); - iterator = this->connections->create_iterator(this->connections, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (strcmp(name, current->get_name(current)) == 0) - { - found = current; - break; - } - } - iterator->destroy(iterator); - pthread_mutex_unlock(&(this->mutex)); - - if (found) - { - /* get a new reference for it */ - found->get_ref(found); - } - return found; -} - -/** - * Implementation of connection_store_t.delete_connection. - */ -static status_t delete_connection(private_local_connection_store_t *this, char *name) -{ - iterator_t *iterator; - connection_t *current; - bool found = FALSE; - - pthread_mutex_lock(&(this->mutex)); - iterator = this->connections->create_iterator(this->connections, TRUE); - while (iterator->iterate(iterator, (void **)¤t)) - { - if (strcmp(current->get_name(current), name) == 0) - { - /* remove connection from list, and destroy it */ - iterator->remove(iterator); - current->destroy(current); - found = TRUE; - break; - } - } - iterator->destroy(iterator); - pthread_mutex_unlock(&(this->mutex)); - if (found) - { - return SUCCESS; - } - return NOT_FOUND; -} - -/** - * Implementation of connection_store_t.add_connection. - */ -static status_t add_connection(private_local_connection_store_t *this, connection_t *connection) -{ - pthread_mutex_lock(&(this->mutex)); - this->connections->insert_last(this->connections, connection); - pthread_mutex_unlock(&(this->mutex)); - return SUCCESS; -} - -/** - * Implementation of connection_store_t.create_iterator. - */ -static iterator_t* create_iterator(private_local_connection_store_t *this) -{ - return this->connections->create_iterator_locked(this->connections, - &this->mutex); -} - -/** - * Implementation of connection_store_t.destroy. 
- */ -static void destroy (private_local_connection_store_t *this) -{ - pthread_mutex_lock(&(this->mutex)); - this->connections->destroy_offset(this->connections, offsetof(connection_t, destroy)); - pthread_mutex_unlock(&(this->mutex)); - free(this); -} - -/** - * Described in header. - */ -local_connection_store_t * local_connection_store_create(void) -{ - private_local_connection_store_t *this = malloc_thing(private_local_connection_store_t); - - this->public.connection_store.get_connection_by_hosts = (connection_t*(*)(connection_store_t*,host_t*,host_t*))get_connection_by_hosts; - this->public.connection_store.get_connection_by_name = (connection_t*(*)(connection_store_t*,char*))get_connection_by_name; - this->public.connection_store.delete_connection = (status_t(*)(connection_store_t*,char*))delete_connection; - this->public.connection_store.add_connection = (status_t(*)(connection_store_t*,connection_t*))add_connection; - this->public.connection_store.create_iterator = (iterator_t*(*)(connection_store_t*))create_iterator; - this->public.connection_store.destroy = (void(*)(connection_store_t*))destroy; - - /* private variables */ - this->connections = linked_list_create(); - pthread_mutex_init(&(this->mutex), NULL); - - return (&this->public); -} diff --git a/src/charon/config/connections/local_connection_store.h b/src/charon/config/connections/local_connection_store.h deleted file mode 100644 index e78ed809a..000000000 --- a/src/charon/config/connections/local_connection_store.h +++ /dev/null 
@@ -1,62 +0,0 @@ -/** - * @file local_connection_store.h - * - * @brief Interface of local_connection_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef LOCAL_CONNECTION_H_ -#define LOCAL_CONNECTION_H_ - -typedef struct local_connection_store_t local_connection_store_t; - -#include -#include - -/** - * @brief A connection_store_t implementation using a simple connection list. - * - * The local_connection_store_t class implements the connection_store_t interface - * as simple as possible. connection_t's are stored in an in-memory list. - * - * @b Constructors: - * - local_connection_store_create() - * - * @todo Make thread-save first - * @todo Add remove_connection method - * - * @ingroup config - */ -struct local_connection_store_t { - - /** - * Implements connection_store_t interface - */ - connection_store_t connection_store; -}; - -/** - * @brief Creates a local_connection_store_t instance. - * - * @return connection store instance. - * - * @ingroup config - */ -local_connection_store_t * local_connection_store_create(void); - -#endif /* LOCAL_CONNECTION_H_ */ diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c index b7b71b9e7..6964345b3 100644 --- a/src/charon/config/credentials/local_credential_store.c +++ b/src/charon/config/credentials/local_credential_store.c 
@@ -24,6 +24,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -32,13 +33,13 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include "local_credential_store.h"
 #define PATH_BUF 256
-#define MAX_CA_PATH_LEN 7
 typedef struct shared_key_t shared_key_t;
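Review bot: The second hunk removes `#define MAX_CA_PATH_LEN 7`, yet `is_trusted` and `verify` in the later hunks of this file still use it in their `for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)` loops and in the "maximum ca path length" log lines. The definition presumably moved into one of the two headers added in these hunks (their names are not legible in this view); please confirm that header is included here and that the value stays a small hard bound, since this loop limit is what stops an unbounded issuer-chain walk. A short comment at the new include, `/* provides MAX_CA_PATH_LEN used by is_trusted()/verify() */`, would record the dependency.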
@@ -103,24 +104,25 @@ static shared_key_t *shared_key_create(chunk_t secret) | | ca_info_t | | +--------------------------+ +---------------+ | char *name | -| x509_t |<--| x509_t *cacert | +----------------------+ -+---------------+ | linked_list_t *certinfos |-->| certinfo_t | -| chunk_t keyid | | linked_list_t *ocspuris | +----------------------+ -+---------------+ | crl_t *crl | | chunk_t serialNumber | +| x509_t |<--| x509_t *cacert | ++---------------+ | linked_list_t *attrcerts | +----------------------+ +| chunk_t keyid | | linked_list_t *certinfos |-->| certinfo_t | ++---------------+ | linked_list_t *ocspuris | +----------------------+ + | | crl_t *crl | | chunk_t serialNumber | | | linked_list_t *crluris | | cert_status_t status | - | | pthread_mutex_t mutex | | time_t thisUpdate | -+---------------+ +--------------------------+ | time_t nextUpdate | -| x509_t | | | bool once | -+---------------+ | +----------------------+ -| chunk_t keyid | | | -+---------------+ +------------------------- + +----------------------+ - | | ca_info_t | | certinfo_t | - | +--------------------------+ +----------------------+ -+---------------+ | char *name | | chunk_t serialNumber | -| x509_t |<--| x509_t *cacert | | cert_status_t status | -+---------------+ | linked_list_t *certinfos | | time_t thisUpdate | -| chunk_t keyid | | linked_list_t *ocspuris | | time_t nextUpdate | -+---------------+ | crl_t *crl | | bool once | ++---------------+ | pthread_mutex_t mutex | | time_t thisUpdate | +| x509_t | +--------------------------+ | time_t nextUpdate | ++---------------+ | | bool once | +| chunk_t keyid | | +----------------------+ ++---------------+ +------------------------- + | + | | ca_info_t | +----------------------+ + | +--------------------------+ | certinfo_t | ++---------------+ | char *name | +----------------------+ +| x509_t |<--| x509_t *cacert | | chunk_t serialNumber | ++---------------+ | linked_list_t *attrcerts | | cert_status_t status | +| chunk_t keyid | 
| linked_list_t *certinfos | | time_t thisUpdate | ++---------------+ | linked_list_t *ocspuris | | time_t nextUpdate | + | | crl_t *crl | | bool once | | | linked_list_t *crluris | +----------------------+ | | pthread_mutex_t mutex; | | | +--------------------------+ @@ -169,11 +171,6 @@ struct private_local_credential_store_t { * list of X.509 CA information records */ linked_list_t *ca_infos; - - /** - * enforce strict crl policy - */ - bool strict; }; @@ -302,39 +299,29 @@ static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *th } /** - * Implementation of local_credential_store_t.get_trusted_public_key. + * Implementation of credential_store_t.get_issuer. */ -static rsa_public_key_t *get_trusted_public_key(private_local_credential_store_t *this, - identification_t *id) +static ca_info_t* get_issuer(private_local_credential_store_t *this, x509_t *cert) { - cert_status_t status; - err_t ugh; - - x509_t *cert = get_certificate(this, id); - - if (cert == NULL) - return NULL; + ca_info_t *found = cert->get_ca_info(cert); - ugh = cert->is_valid(cert, NULL); - if (ugh != NULL) + if (found == NULL) { - DBG1(DBG_CFG, "certificate %s", ugh); - return NULL; - } + iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE); + ca_info_t *ca_info; - status = cert->get_status(cert); - if (status == CERT_REVOKED || status == CERT_UNTRUSTED || (this->strict && status != CERT_GOOD)) - { - DBG1(DBG_CFG, "certificate status: %N", cert_status_names, status); - return NULL; - } - if (status == CERT_GOOD && cert->get_until(cert) < time(NULL)) - { - DBG1(DBG_CFG, "certificate is good but crl is stale"); - return NULL; + while (iterator->iterate(iterator, (void**)&ca_info)) + { + if (ca_info->is_cert_issuer(ca_info, cert)) + { + found = ca_info; + cert->set_ca_info(cert, found); + break; + } + } + iterator->destroy(iterator); } - - return cert->get_public_key(cert); + return found; } /** 
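Review bot: The rewritten `get_issuer` caches the matched record with `cert->set_ca_info(cert, found)`, so the certificate now holds a raw pointer to an entry of `this->ca_infos` with no visible lifetime tie between the two. If a CA record can be destroyed or removed while certificates referencing it are still alive, the early return through `cert->get_ca_info(cert)` hands back a dangling pointer; whether that can happen is not visible in this hunk. The header comment above the function should state the requirement, e.g. `/* the cached ca_info is owned by this->ca_infos and must outlive the certificate */`. The signature also drops the `const` on `cert` that the old version (deleted in the next hunk) had, which is correct now that the certificate is mutated but will affect callers holding a `const x509_t *`.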
@@ -434,29 +421,6 @@ static x509_t* get_ca_certificate_by_keyid(private_local_credential_store_t *thi
 return found;
 }
-/**
- * Implementation of credential_store_t.get_issuer.
- */
-static ca_info_t* get_issuer(private_local_credential_store_t *this, const x509_t *cert)
-{
- ca_info_t *found = NULL;
- ca_info_t *ca_info;
-
- iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE);
-
- while (iterator->iterate(iterator, (void**)&ca_info))
- {
- if (ca_info->is_cert_issuer(ca_info, cert))
- {
- found = ca_info;
- break;
- }
- }
- iterator->destroy(iterator);
-
- return found;
-}
-
 /**
 * Find an exact copy of a certificate in a linked list
 */
@@ -509,13 +473,13 @@ static void add_uris(ca_info_t *issuer, x509_t *cert)
 /**
 * Implementation of credential_store_t.is_trusted
 */
-static bool is_trusted(private_local_credential_store_t *this, x509_t *cert)
+static bool is_trusted(private_local_credential_store_t *this, const char *label, x509_t *cert)
 {
 int pathlen;
 time_t until = UNDEFINED_TIME;
 x509_t *cert_to_be_trusted = cert;
- DBG2(DBG_CFG, "establishing trust in certificate:");
+ DBG1(DBG_CFG, "establishing trust in %s certificate:", label);
 for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
 {
@@ -525,8 +489,8 @@ static bool is_trusted(private_local_credential_store_t *this, x509_t *cert)
 rsa_public_key_t *issuer_public_key;
 bool valid_signature;
- DBG2(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
- DBG2(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert));
+ DBG1(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
+ DBG1(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert));
 ugh = cert->is_valid(cert, &until);
 if (ugh != NULL)
@@ -558,18 +522,19 @@ static bool is_trusted(private_local_credential_store_t *this, x509_t *cert)
 /* check if cert is a self-signed root ca */
 if (pathlen > 0 && cert->is_self_signed(cert))
 {
- DBG2(DBG_CFG, "reached self-signed root ca");
+ DBG1(DBG_CFG, "reached self-signed root ca");
 cert_to_be_trusted->set_until(cert_to_be_trusted, until);
 cert_to_be_trusted->set_status(cert_to_be_trusted, CERT_GOOD);
 return TRUE;
 }
 else
 {
- /* go up one step in the trust chain */
+ DBG1(DBG_CFG, "going up one step in the certificate trust chain (%d)",
+ pathlen + 1);
 cert = issuer_cert;
 }
 }
- DBG1(DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+ DBG1(DBG_CFG, "maximum ca path length of %d levels reached", MAX_CA_PATH_LEN);
 return FALSE;
 }
@@ -584,7 +549,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
 x509_t *end_cert = cert;
 x509_t *cert_copy = find_certificate(this->certs, end_cert);
- DBG2(DBG_CFG, "verifying end entity certificate:");
+ DBG1(DBG_CFG, "verifying end entity certificate up to trust anchor:");
 *found = (cert_copy != NULL);
 if (*found)
@@ -595,14 +560,16 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
 for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
 {
+ bool valid_signature;
 err_t ugh = NULL;
 ca_info_t *issuer;
 x509_t *issuer_cert;
 rsa_public_key_t *issuer_public_key;
- bool valid_signature;
+ chunk_t keyid = cert->get_keyid(cert);
 DBG1(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
 DBG1(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert));
+ DBG1(DBG_CFG, "keyid: %#B", &keyid);
 ugh = cert->is_valid(cert, &until);
 if (ugh != NULL)
@@ -647,24 +614,29 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
 }
 else
 {
+ bool strict;
 time_t nextUpdate;
 cert_status_t status;
 certinfo_t *certinfo = certinfo_create(cert->get_serialNumber(cert));
- certinfo->set_nextUpdate(certinfo, until);
-
 if (pathlen == 0)
 {
 /* add any crl and ocsp uris contained in the certificate under test */
 add_uris(issuer, cert);
 }
+ strict = issuer->is_strict(issuer);
+ DBG1(DBG_CFG, "issuer %s a strict crl policy",
+ strict ? "enforces":"does not enforce");
+
 /* first check certificate revocation using ocsp */
 status = issuer->verify_by_ocsp(issuer, certinfo, &this->public.credential_store);
 /* if ocsp service is not available then fall back to crl */
- if ((status == CERT_UNDEFINED) || (status == CERT_UNKNOWN && this->strict))
+ if ((status == CERT_UNDEFINED) || (status == CERT_UNKNOWN && strict))
 {
+
+ certinfo->set_status(certinfo, CERT_UNKNOWN);
 status = issuer->verify_by_crl(issuer, certinfo, CRL_DIR);
 }
@@ -674,23 +646,23 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
 switch (status)
 {
 case CERT_GOOD:
- /* set nextUpdate */
- cert->set_until(cert, nextUpdate);
+ /* with strict crl policy the public key must have the same
+ * lifetime as the validity of the ocsp status or crl lifetime
+ */
+ if (strict)
+ {
+ cert->set_until(cert, nextUpdate);
+ until = (nextUpdate < until)? nextUpdate : until;
+ }
 /* if status information is stale */
- if (this->strict && nextUpdate < time(NULL))
+ if (strict && nextUpdate < time(NULL))
 {
 DBG2(DBG_CFG, "certificate is good but status is stale");
 certinfo->destroy(certinfo);
 return FALSE;
 }
 DBG1(DBG_CFG, "certificate is good");
-
- /* with strict crl policy the public key must have the same
- * lifetime as the validity of the ocsp status or crl lifetime
- */
- if (this->strict && nextUpdate < until)
- until = nextUpdate;
 break;
 case CERT_REVOKED:
 {
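Review bot: With `strict` false, the `CERT_GOOD` branch in the second hunk no longer executes `cert->set_until(cert, nextUpdate)` (the old code did so unconditionally), so a certificate from a non-strict issuer keeps its full validity even after the OCSP response or CRL that produced the GOOD status has expired, and the stale-status check below it is skipped as well. That is presumably the intended meaning of a non-strict issuer, but it changes the security posture enough to deserve a comment at the new `if (strict)`, e.g. `/* non-strict issuer: a GOOD status is kept even after the revocation data expires */`. In the first hunk `certinfo->set_nextUpdate(certinfo, until)` is dropped before the OCSP/CRL lookup; the `nextUpdate` value consumed in the second hunk is read between the two hunks and is not visible here, so please confirm it is always defined when both `verify_by_ocsp` and `verify_by_crl` return UNDEFINED/UNKNOWN. The blank `+` line inside the fallback `if` block before `certinfo->set_status(certinfo, CERT_UNKNOWN)` can go.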
@@ -724,7 +696,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
 case CERT_UNDEFINED:
 default:
 DBG1(DBG_CFG, "certificate status unknown");
- if (this->strict)
+ if (strict)
 {
 /* update status of end certificate in the credential store */
 if (cert_copy)
@@ -738,13 +710,96 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f } certinfo->destroy(certinfo); } - /* go up one step in the trust chain */ + DBG1(DBG_CFG, "going up one step in the certificate trust chain (%d)", + pathlen + 1); cert = issuer_cert; } - DBG1(DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN); + DBG1(DBG_CFG, "maximum ca path length of %d levels reached", MAX_CA_PATH_LEN); return FALSE; } +/** + * Implementation of local_credential_store_t.verify_signature. + */ +static status_t verify_signature(private_local_credential_store_t *this, + chunk_t hash, chunk_t sig, + identification_t *id, ca_info_t **issuer_p) +{ + iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE); + status_t sig_status; + x509_t *cert; + + /* default return values in case of failure */ + sig_status = NOT_FOUND; + *issuer_p = NULL; + + while (iterator->iterate(iterator, (void**)&cert)) + { + if (id->equals(id, cert->get_subject(cert)) + || cert->equals_subjectAltName(cert, id)) + { + rsa_public_key_t *public_key = cert->get_public_key(cert); + cert_status_t cert_status = cert->get_status(cert); + + DBG2(DBG_CFG, "found candidate peer certificate"); + + if (cert_status == CERT_UNDEFINED || cert->get_until(cert) < time(NULL)) + { + bool found; + + if (!verify(this, cert, &found)) + { + sig_status = VERIFY_ERROR; + DBG1(DBG_CFG, "candidate peer certificate was not successfully verified"); + continue; + } + *issuer_p = get_issuer(this, cert); + } + else + { + ca_info_t *issuer = get_issuer(this, cert); + chunk_t keyid = public_key->get_keyid(public_key); + + DBG2(DBG_CFG, "subject: '%D'", cert->get_subject(cert)); + DBG2(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert)); + DBG2(DBG_CFG, "keyid: %#B", &keyid); + + if (issuer == NULL) + { + DBG1(DBG_CFG, "candidate peer certificate has no retrievable issuer"); + sig_status = NOT_FOUND; + continue; + } + if (cert_status == CERT_REVOKED || cert_status == 
CERT_UNTRUSTED + || ((issuer)->is_strict(issuer) && cert_status != CERT_GOOD)) + { + DBG1(DBG_CFG, "candidate peer certificate has an inacceptable status: %N", cert_status_names, cert_status); + sig_status = VERIFY_ERROR; + continue; + } + *issuer_p = issuer; + } + sig_status = public_key->verify_emsa_pkcs1_signature(public_key, hash, sig); + if (sig_status == SUCCESS) + { + DBG2(DBG_CFG, "candidate peer certificate has a matching RSA public key"); + break; + } + else + { + DBG1(DBG_CFG, "candidate peer certificate has a non-matching RSA public key"); + *issuer_p = NULL; + } + } + } + iterator->destroy(iterator); + if (sig_status == NOT_FOUND) + { + DBG1(DBG_CFG, "no candidate peer certificate found"); + } + return sig_status; +} + /** * Add a unique certificate to a linked list */ @@ -770,7 +825,7 @@ static x509_t* add_certificate(linked_list_t *certs, x509_t *cert) /** * Add a unique ca info record to a linked list */ -static void add_ca_info(private_local_credential_store_t *this, ca_info_t *ca_info) +static ca_info_t* add_ca_info(private_local_credential_store_t *this, ca_info_t *ca_info) { ca_info_t *current_ca_info; ca_info_t *found_ca_info = NULL; @@ -791,11 +846,13 @@ static void add_ca_info(private_local_credential_store_t *this, ca_info_t *ca_in { current_ca_info->add_info(current_ca_info, ca_info); ca_info->destroy(ca_info); + ca_info = found_ca_info; } else { this->ca_infos->insert_last(this->ca_infos, (void*)ca_info); } + return ca_info; } /** @@ -886,12 +943,12 @@ static void load_auth_certificates(private_local_credential_store_t *this, struct stat stb; DIR* dir; - DBG1(DBG_CFG, "loading %s certificates from '%s/'", label, path); + DBG1(DBG_CFG, "loading %s certificates from '%s'", label, path); dir = opendir(path); if (dir == NULL) { - DBG1(DBG_CFG, "error opening %s certs directory %s'", label, path); + DBG1(DBG_CFG, "error opening %s certs directory '%s'", label, path); return; } 
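Review bot: In verify_signature the two branches treat a missing issuer differently: after a successful re-verification `*issuer_p = get_issuer(this, cert);` is stored without a NULL check, whereas the cached-status branch rejects the candidate with "no retrievable issuer". If get_issuer can return NULL after verify() succeeded (cannot be told from here), the caller gets SUCCESS together with a NULL issuer; mirror the check: `*issuer_p = get_issuer(this, cert); if (*issuer_p == NULL) { sig_status = NOT_FOUND; continue; }`. The `found` flag passed to verify() is never read afterwards, and `public_key` is fetched before the candidate is accepted, so a certificate without an RSA key would only fail inside `verify_emsa_pkcs1_signature`. A comment on the function stating that `*issuer_p` is non-NULL only when SUCCESS is returned would help the callers of the new slot.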
@@ -962,18 +1019,89 @@ static void load_ca_certificates(private_local_credential_store_t *this) while (iterator->iterate(iterator, (void **)&ca_info)) { - x509_t *cacert = ca_info->get_certificate(ca_info); - ca_info_t *issuer = get_issuer(this, cacert); - - if (issuer) + if (ca_info->is_ca(ca_info)) { - add_uris(issuer, cacert); + x509_t *cacert = ca_info->get_certificate(ca_info); + ca_info_t *issuer = get_issuer(this, cacert); + + if (issuer) + { + add_uris(issuer, cacert); + } } } iterator->destroy(iterator); } } +/** + * Implements local_credential_store_t.load_aa_certificates + */ +static void load_aa_certificates(private_local_credential_store_t *this) +{ + load_auth_certificates(this, AUTH_AA, "aa", AA_CERTIFICATE_DIR); +} + +/** + * Add a unique attribute certificate to a linked list + */ +static void add_attr_certificate(private_local_credential_store_t *this, x509ac_t *cert) +{ + /* TODO add a new attribute certificate to the linked list */ +} + +/** + * Implements local_credential_store_t.load_attr_certificates + */ +static void load_attr_certificates(private_local_credential_store_t *this) +{ + struct dirent* entry; + struct stat stb; + DIR* dir; + + const char *path = ATTR_CERTIFICATE_DIR; + + DBG1(DBG_CFG, "loading attribute certificates from '%s'", path); + + dir = opendir(ATTR_CERTIFICATE_DIR); + if (dir == NULL) + { + DBG1(DBG_CFG, "error opening attribute certs directory '%s'", path); + return; + } + + while ((entry = readdir(dir)) != NULL) + { + char file[PATH_BUF]; + + snprintf(file, sizeof(file), "%s/%s", path, entry->d_name); + + if (stat(file, &stb) == -1) + { + continue; + } + /* try to parse all regular files */ + if (stb.st_mode & S_IFREG) + { + x509ac_t *cert = x509ac_create_from_file(file); + + if (cert) + { + err_t ugh = cert->is_valid(cert, NULL); + + if (ugh != NULL) + { + DBG1(DBG_CFG, "warning: attribute certificate %s", ugh); + } + add_attr_certificate(this, cert); + } + } + } + closedir(dir); + + +} + /** * Implements 
local_credential_store_t.load_ocsp_certificates */ @@ -993,7 +1121,7 @@ static void add_crl(private_local_credential_store_t *this, crl_t *crl, const ch while (iterator->iterate(iterator, (void**)&ca_info)) { - if (ca_info->is_crl_issuer(ca_info, crl)) + if (ca_info->is_ca(ca_info) && ca_info->is_crl_issuer(ca_info, crl)) { char buffer[BUF_LEN]; chunk_t uri = { buffer, 7 + strlen(path) }; @@ -1027,12 +1155,12 @@ static void load_crls(private_local_credential_store_t *this) DIR* dir; crl_t *crl; - DBG1(DBG_CFG, "loading crls from '%s/'", CRL_DIR); + DBG1(DBG_CFG, "loading crls from '%s'", CRL_DIR); dir = opendir(CRL_DIR); if (dir == NULL) { - DBG1(DBG_CFG, "error opening crl directory %s'", CRL_DIR); + DBG1(DBG_CFG, "error opening crl directory '%s'", CRL_DIR); return; } @@ -1300,7 +1428,8 @@ error: } else { - DBG1(DBG_CFG, "could not open file '%s'", SECRETS_FILE); + DBG1(DBG_CFG, "could not open file '%s': %s", SECRETS_FILE, + strerror(errno)); } } @@ -1321,7 +1450,7 @@ static void destroy(private_local_credential_store_t *this) /** * Described in header. */ -local_credential_store_t * local_credential_store_create(bool strict) +local_credential_store_t * local_credential_store_create(void) { private_local_credential_store_t *this = malloc_thing(private_local_credential_store_t); 
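Review bot: load_attr_certificates parses every file with `x509ac_create_from_file` and hands the result to `add_attr_certificate`, which is an empty TODO, so each attribute certificate is leaked on every load and never becomes usable; until the list exists the stub should at least `cert->destroy(cert);`. The regular-file test `if (stb.st_mode & S_IFREG)` is a bit test against the file-type field, so on Linux a socket node (S_IFSOCK shares the S_IFREG bit) would be fed to the parser as well — `if (S_ISREG(stb.st_mode))` is the correct predicate. The `snprintf(file, sizeof(file), "%s/%s", path, entry->d_name)` result is not checked, so an over-long name would stat a truncated path instead of being skipped. An attribute certificate for which `is_valid` returns a reason is logged as a warning and still added; if keeping expired certificates is intended, say so in a comment.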
@@ -1330,21 +1459,23 @@ local_credential_store_t * local_credential_store_create(bool strict) this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key; this->public.credential_store.get_rsa_private_key = (rsa_private_key_t* (*) (credential_store_t*,rsa_public_key_t*))get_rsa_private_key; this->public.credential_store.has_rsa_private_key = (bool (*) (credential_store_t*,rsa_public_key_t*))has_rsa_private_key; - this->public.credential_store.get_trusted_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_trusted_public_key; this->public.credential_store.get_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_certificate; this->public.credential_store.get_auth_certificate = (x509_t* (*) (credential_store_t*,u_int,identification_t*))get_auth_certificate; this->public.credential_store.get_ca_certificate_by_keyid = (x509_t* (*) (credential_store_t*,chunk_t))get_ca_certificate_by_keyid; - this->public.credential_store.get_issuer = (ca_info_t* (*) (credential_store_t*,const x509_t*))get_issuer; - this->public.credential_store.is_trusted = (bool (*) (credential_store_t*,x509_t*))is_trusted; + this->public.credential_store.get_issuer = (ca_info_t* (*) (credential_store_t*,x509_t*))get_issuer; + this->public.credential_store.is_trusted = (bool (*) (credential_store_t*,const char*,x509_t*))is_trusted; + this->public.credential_store.verify_signature = (status_t (*) (credential_store_t*,chunk_t,chunk_t,identification_t*,ca_info_t**))verify_signature; this->public.credential_store.verify = (bool (*) (credential_store_t*,x509_t*,bool*))verify; this->public.credential_store.add_end_certificate = (x509_t* (*) (credential_store_t*,x509_t*))add_end_certificate; this->public.credential_store.add_auth_certificate = (x509_t* (*) (credential_store_t*,x509_t*,u_int))add_auth_certificate; - this->public.credential_store.add_ca_info = (void (*) 
(credential_store_t*,ca_info_t*))add_ca_info; + this->public.credential_store.add_ca_info = (ca_info_t* (*) (credential_store_t*,ca_info_t*))add_ca_info; this->public.credential_store.release_ca_info = (status_t (*) (credential_store_t*,const char*))release_ca_info; this->public.credential_store.create_cert_iterator = (iterator_t* (*) (credential_store_t*))create_cert_iterator; this->public.credential_store.create_auth_cert_iterator = (iterator_t* (*) (credential_store_t*))create_auth_cert_iterator; this->public.credential_store.create_cainfo_iterator = (iterator_t* (*) (credential_store_t*))create_cainfo_iterator; this->public.credential_store.load_ca_certificates = (void (*) (credential_store_t*))load_ca_certificates; + this->public.credential_store.load_aa_certificates = (void (*) (credential_store_t*))load_aa_certificates; + this->public.credential_store.load_attr_certificates = (void (*) (credential_store_t*))load_attr_certificates; this->public.credential_store.load_ocsp_certificates = (void (*) (credential_store_t*))load_ocsp_certificates; this->public.credential_store.load_crls = (void (*) (credential_store_t*))load_crls; this->public.credential_store.load_secrets = (void (*) (credential_store_t*))load_secrets; @@ -1357,7 +1488,6 @@ local_credential_store_t * local_credential_store_create(bool strict) this->certs = linked_list_create(); this->auth_certs = linked_list_create(); this->ca_infos = linked_list_create(); - this->strict = strict; return (&this->public); } diff --git a/src/charon/config/credentials/local_credential_store.h b/src/charon/config/credentials/local_credential_store.h index 88a94d6f9..87a12663a 100644 --- a/src/charon/config/credentials/local_credential_store.h +++ b/src/charon/config/credentials/local_credential_store.h 
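Review bot: The cast `(bool (*) (credential_store_t*,const char*,x509_t*))is_trusted` adds a `const char*` parameter to the published signature and the `get_issuer` cast drops `const`; because these casts suppress type checking, nothing in the hunk shows that the static `is_trusted` and `get_issuer` definitions (outside this hunk) were changed to match, and a mismatch would be a silent wrong-prototype call rather than a compile error. `get_trusted_public_key` is removed from the table; if the member is still declared in credential_store_t it is now left uninitialised by malloc_thing, so confirm it was removed from the interface header as well. The signature change to `local_credential_store_create(void)` in the previous hunk is consistent with `this->strict` going away below.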
@@ -54,11 +54,10 @@ struct local_credential_store_t { /** * @brief Creates a local_credential_store_t instance. * - * @param strict enforce a strict crl policy * @return credential store instance. * * @ingroup config */ -local_credential_store_t *local_credential_store_create(bool strict); +local_credential_store_t *local_credential_store_create(void); #endif /* LOCAL_CREDENTIAL_H_ */ diff --git a/src/charon/config/ike_cfg.c b/src/charon/config/ike_cfg.c new file mode 100644 index 000000000..35f46a6b7 --- /dev/null +++ b/src/charon/config/ike_cfg.c 
@@ -0,0 +1,228 @@
+/**
+ * @file ike_cfg.c
+ *
+ * @brief Implementation of ike_cfg_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_cfg.h"
+
+#include 
+
+
+typedef struct private_ike_cfg_t private_ike_cfg_t;
+
+/**
+ * Private data of an ike_cfg_t object
+ */
+struct private_ike_cfg_t {
+
+ /**
+ * Public part
+ */
+ ike_cfg_t public;
+
+ /**
+ * Number of references hold by others to this ike_cfg
+ */
+ refcount_t refcount;
+
+ /**
+ * Address of local host
+ */
+ host_t *my_host;
+
+ /**
+ * Address of remote host
+ */
+ host_t *other_host;
+
+ /**
+ * should we send a certificate request?
+ */
+ bool certreq;
+
+ /**
+ * List of proposals to use
+ */
+ linked_list_t *proposals;
+};
+
+/**
+ * Implementation of ike_cfg_t.certreq.
+ */
+static bool send_certreq(private_ike_cfg_t *this)
+{
+ return this->certreq;
+}
+
+/**
+ * Implementation of ike_cfg_t.get_my_host.
+ */
+static host_t *get_my_host (private_ike_cfg_t *this)
+{
+ return this->my_host;
+}
+
+/**
+ * Implementation of ike_cfg_t.get_other_host.
+ */
+static host_t *get_other_host (private_ike_cfg_t *this)
+{
+ return this->other_host;
+}
+
+/**
+ * Implementation of ike_cfg_t.add_proposal.
+ */
+static void add_proposal(private_ike_cfg_t *this, proposal_t *proposal)
+{
+ this->proposals->insert_last(this->proposals, proposal);
+}
+
+/**
+ * Implementation of ike_cfg_t.get_proposals.
+ */
+static linked_list_t* get_proposals(private_ike_cfg_t *this)
+{
+ iterator_t *iterator;
+ proposal_t *current;
+ linked_list_t *proposals = linked_list_create();
+
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->iterate(iterator, (void**)¤t))
+ {
+ current = current->clone(current);
+ proposals->insert_last(proposals, (void*)current);
+ }
+ iterator->destroy(iterator);
+
+ return proposals;
+}
+
+/**
+ * Implementation of ike_cfg_t.select_proposal.
+ */
+static proposal_t *select_proposal(private_ike_cfg_t *this,
+ linked_list_t *proposals)
+{
+ iterator_t *stored_iter, *supplied_iter;
+ proposal_t *stored, *supplied, *selected;
+
+ stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
+ supplied_iter = proposals->create_iterator(proposals, TRUE);
+
+ /* compare all stored proposals with all supplied. Stored ones are preferred.*/
+ while (stored_iter->iterate(stored_iter, (void**)&stored))
+ {
+ supplied_iter->reset(supplied_iter);
+
+ while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
+ {
+ selected = stored->select(stored, supplied);
+ if (selected)
+ {
+ /* they match, return */
+ stored_iter->destroy(stored_iter);
+ supplied_iter->destroy(supplied_iter);
+ return selected;
+ }
+ }
+ }
+ /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
+ stored_iter->destroy(stored_iter);
+ supplied_iter->destroy(supplied_iter);
+
+ return NULL;
+}
+
+/**
+ * Implementation of ike_cfg_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(private_ike_cfg_t *this)
+{
+ iterator_t *iterator;
+ proposal_t *proposal;
+ algorithm_t *algo;
+ diffie_hellman_group_t dh_group = MODP_NONE;
+
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->iterate(iterator, (void**)&proposal))
+ {
+ if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo))
+ {
+ dh_group = algo->algorithm;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return dh_group;
+}
+
+/**
+ * Implementation of ike_cfg_t.get_ref.
+ */
+static void get_ref(private_ike_cfg_t *this)
+{
+ ref_get(&this->refcount);
+}
+
+/**
+ * Implementation of ike_cfg_t.destroy.
+ */
+static void destroy(private_ike_cfg_t *this)
+{
+ if (ref_put(&this->refcount))
+ {
+ this->proposals->destroy_offset(this->proposals,
+ offsetof(proposal_t, destroy));
+ this->my_host->destroy(this->my_host);
+ this->other_host->destroy(this->other_host);
+ free(this);
+ }
+}
+
+/**
+ * Described in header.
+ */
+ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host)
+{
+ private_ike_cfg_t *this = malloc_thing(private_ike_cfg_t);
+
+ /* public functions */
+ this->public.send_certreq = (bool(*)(ike_cfg_t*))send_certreq;
+ this->public.get_my_host = (host_t*(*)(ike_cfg_t*))get_my_host;
+ this->public.get_other_host = (host_t*(*)(ike_cfg_t*))get_other_host;
+ this->public.add_proposal = (void(*)(ike_cfg_t*, proposal_t*)) add_proposal;
+ this->public.get_proposals = (linked_list_t*(*)(ike_cfg_t*))get_proposals;
+ this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*))select_proposal;
+ this->public.get_dh_group = (diffie_hellman_group_t(*)(ike_cfg_t*)) get_dh_group;
+ this->public.get_ref = (void(*)(ike_cfg_t*))get_ref;
+ this->public.destroy = (void(*)(ike_cfg_t*))destroy;
+
+ /* private variables */
+ this->refcount = 1;
+ this->certreq = certreq;
+ this->my_host = my_host;
+ this->other_host = other_host;
+
+ this->proposals = linked_list_create();
+
+ return &this->public;
+}
diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h
new file mode 100644
index 000000000..bcdc90d9e
--- /dev/null
+++ b/src/charon/config/ike_cfg.h
@@ -0,0 +1,151 @@ +/** + * @file ike_cfg.h + * + * @brief Interface of ike_cfg_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef IKE_CFG_H_ +#define IKE_CFG_H_ + +typedef struct ike_cfg_t ike_cfg_t; + +#include +#include +#include +#include +#include +#include + +/** + * @brief An ike_cfg_t defines the rules to set up an IKE_SA. + * + * @see peer_cfg_t to get an overview over the configurations. + * + * @b Constructors: + * - ike_cfg_create() + * + * @ingroup config + */ +struct ike_cfg_t { + + /** + * @brief Get own address. + * + * @param this calling object + * @return host information as host_t object + */ + host_t* (*get_my_host) (ike_cfg_t *this); + + /** + * @brief Get peers address. + * + * @param this calling object + * @return host information as host_t object + */ + host_t* (*get_other_host) (ike_cfg_t *this); + + /** + * @brief Adds a proposal to the list. + * + * The first added proposal has the highest priority, the last + * added the lowest. + * + * @param this calling object + * @param proposal proposal to add + */ + void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal); + + /** + * @brief Returns a list of all supported proposals. + * + * Returned list and its proposals must be destroyed after use. 
+ * + * @param this calling object + * @return list containing all the proposals + */ + linked_list_t* (*get_proposals) (ike_cfg_t *this); + + /** + * @brief Select a proposed from suggested proposals. + * + * Returned proposal must be destroyed after use. + * + * @param this calling object + * @param proposals list of proposals to select from + * @return selected proposal, or NULL if none matches. + */ + proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals); + + /** + * @brief Should we send a certificate request in IKE_SA_INIT? + * + * @param this calling object + * @return certificate request sending policy + */ + bool (*send_certreq) (ike_cfg_t *this); + + /** + * @brief Get the DH group to use for IKE_SA setup. + * + * @param this calling object + * @return dh group to use for initialization + */ + diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this); + + /** + * @brief Get a new reference to this ike_cfg. + * + * Get a new reference to this ike_cfg by increasing + * it's internal reference counter. + * Do not call get_ref or any other function until you + * already have a reference. Otherwise the object may get + * destroyed while calling get_ref(), + * + * @param this calling object + */ + void (*get_ref) (ike_cfg_t *this); + + /** + * @brief Destroys a ike_cfg_t object. + * + * Decrements the internal reference counter and + * destroys the ike_cfg when it reaches zero. + * + * @param this calling object + */ + void (*destroy) (ike_cfg_t *this); +}; + +/** + * @brief Creates a ike_cfg_t object. + * + * Supplied hosts become owned by ike_cfg, the name gets cloned. + * + * @param name ike_cfg identifier + * @param certreq TRUE to send a certificate request + * @param my_host host_t representing local address + * @param other_host host_t representing remote address + * @return ike_cfg_t object. + * + * @ingroup config + */ +ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host); + +#endif /* IKE_CFG_H_ */ 
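Review bot: The ike_cfg_create() documentation lists `@param name ike_cfg identifier` and says "the name gets cloned", but the prototype `ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host);` has no name parameter — drop the stale @param and the clone remark. get_my_host/get_other_host hand out the internally owned host_t (in ike_cfg.c they return the member pointer and destroy() frees it), so their `@return` should say `host_t object owned by the ike_cfg, must not be destroyed`, in contrast to get_proposals/select_proposal, which correctly say the result must be destroyed. The select_proposal brief "Select a proposed from suggested proposals" should read "Select a proposal from the suggested proposals", and the get_ref note ends in a comma instead of a period.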
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c new file mode 100644 index 000000000..1d9176e0d --- /dev/null +++ b/src/charon/config/peer_cfg.c 
@@ -0,0 +1,479 @@ +/** + * @file peer_cfg.c + * + * @brief Implementation of peer_cfg_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +#include "peer_cfg.h" + +#include +#include + +ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND, + "CERT_ALWAYS_SEND", + "CERT_SEND_IF_ASKED", + "CERT_NEVER_SEND" +); + +ENUM(dpd_action_names, DPD_NONE, DPD_RESTART, + "DPD_NONE", + "DPD_CLEAR", + "DPD_ROUTE", + "DPD_RESTART" +); + +typedef struct private_peer_cfg_t private_peer_cfg_t; + +/** + * Private data of an peer_cfg_t object + */ +struct private_peer_cfg_t { + + /** + * Public part + */ + peer_cfg_t public; + + /** + * Number of references hold by others to this peer_cfg + */ + refcount_t refcount; + + /** + * Name of the peer_cfg, used to query it + */ + char *name; + + /** + * IKE version to use for initiation + */ + u_int ike_version; + + /** + * IKE config associated to this peer config + */ + ike_cfg_t *ike_cfg; + + /** + * list of child configs associated to this peer config + */ + linked_list_t *child_cfgs; + + /** + * mutex to lock access to list of child_cfgs + */ + pthread_mutex_t mutex; + + /** + * id to use to identify us + */ + identification_t *my_id; + + /** + * allowed id for other + */ + identification_t *other_id; + + /** + * we have a cert issued by this CA + */ + identification_t *my_ca; + + /** + * we require the other end to 
have a cert issued by this CA + */ + identification_t *other_ca; + + /** + * should we send a certificate + */ + cert_policy_t cert_policy; + + /** + * Method to use for own authentication data + */ + auth_method_t auth_method; + + /** + * EAP type to use for peer authentication + */ + eap_type_t eap_type; + + /** + * number of tries after giving up if peer does not respond + */ + u_int32_t keyingtries; + + /** + * user reauthentication instead of rekeying + */ + bool use_reauth; + + /** + * Time before an SA gets invalid + */ + u_int32_t lifetime; + + /** + * Time before an SA gets rekeyed + */ + u_int32_t rekeytime; + + /** + * Time, which specifies the range of a random value + * substracted from lifetime. + */ + u_int32_t jitter; + + /** + * What to do with an SA when other peer seams to be dead? + */ + bool dpd_delay; + + /** + * What to do with CHILDren when other peer seams to be dead? + */ + bool dpd_action; + + /** + * virtual IP to use locally + */ + host_t *my_virtual_ip; + + /** + * virtual IP to use remotly + */ + host_t *other_virtual_ip; +}; + +/** + * Implementation of peer_cfg_t.get_name + */ +static char *get_name(private_peer_cfg_t *this) +{ + return this->name; +} + +/** + * Implementation of peer_cfg_t.get_ike_version + */ +static u_int get_ike_version(private_peer_cfg_t *this) +{ + return this->ike_version; +} + +/** + * Implementation of peer_cfg_t.get_ike_cfg + */ +static ike_cfg_t* get_ike_cfg(private_peer_cfg_t *this) +{ + return this->ike_cfg; +} + +/** + * Implementation of peer_cfg_t.add_child_cfg. + */ +static void add_child_cfg(private_peer_cfg_t *this, child_cfg_t *child_cfg) +{ + pthread_mutex_lock(&this->mutex); + this->child_cfgs->insert_last(this->child_cfgs, child_cfg); + pthread_mutex_unlock(&this->mutex); +} + +/** + * Implementation of peer_cfg_t.create_child_cfg_iterator. 
+ */ +static iterator_t* create_child_cfg_iterator(private_peer_cfg_t *this) +{ + return this->child_cfgs->create_iterator_locked(this->child_cfgs, + &this->mutex); +} + +/** + * Check if child_cfg contains traffic selectors + */ +static bool contains_ts(child_cfg_t *child, bool mine, linked_list_t *ts, + host_t *host) +{ + linked_list_t *selected; + bool contains = FALSE; + + selected = child->get_traffic_selectors(child, mine, ts, host); + contains = selected->get_count(selected); + selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy)); + return contains; +} + +/** + * Implementation of peer_cfg_t.select_child_cfg + */ +static child_cfg_t* select_child_cfg(private_peer_cfg_t *this, + linked_list_t *my_ts, + linked_list_t *other_ts, + host_t *my_host, host_t *other_host) +{ + child_cfg_t *current, *found = NULL; + iterator_t *iterator; + + iterator = create_child_cfg_iterator(this); + while (iterator->iterate(iterator, (void**)¤t)) + { + if (contains_ts(current, TRUE, my_ts, my_host) && + contains_ts(current, FALSE, other_ts, other_host)) + { + found = current; + found->get_ref(found); + break; + } + } + iterator->destroy(iterator); + return found; +} + +/** + * Implementation of peer_cfg_t.get_my_id + */ +static identification_t *get_my_id(private_peer_cfg_t *this) +{ + return this->my_id; +} + +/** + * Implementation of peer_cfg_t.get_other_id + */ +static identification_t *get_other_id(private_peer_cfg_t *this) +{ + return this->other_id; +} + +/** + * Implementation of peer_cfg_t.get_my_ca + */ +static identification_t *get_my_ca(private_peer_cfg_t *this) +{ + return this->my_ca; +} + +static identification_t *get_other_ca(private_peer_cfg_t *this) +{ + return this->other_ca; +} + +/** + * Implementation of peer_cfg_t.get_cert_policy. + */ +static cert_policy_t get_cert_policy(private_peer_cfg_t *this) +{ + return this->cert_policy; +} + +/** + * Implementation of connection_t.auth_method_t. 
+ */ +static auth_method_t get_auth_method(private_peer_cfg_t *this) +{ + return this->auth_method; +} + +/** + * Implementation of connection_t.get_eap_type. + */ +static eap_type_t get_eap_type(private_peer_cfg_t *this) +{ + return this->eap_type; +} + +/** + * Implementation of connection_t.get_keyingtries. + */ +static u_int32_t get_keyingtries(private_peer_cfg_t *this) +{ + return this->keyingtries; +} + +/** + * Implementation of peer_cfg_t.get_soft_lifetime + */ +static u_int32_t get_lifetime(private_peer_cfg_t *this, bool rekey) +{ + if (rekey) + { + if (this->jitter == 0) + { + return this->rekeytime; + } + return this->rekeytime - (random() % this->jitter); + } + return this->lifetime; +} + +/** + * Implementation of peer_cfg_t.use_reauth. + */ +static bool use_reauth(private_peer_cfg_t *this, bool rekey) +{ + return this->use_reauth; +} + +/** + * Implements peer_cfg_t.get_dpd_delay + */ +static u_int32_t get_dpd_delay(private_peer_cfg_t *this) +{ + return this->dpd_delay; +} + +/** + * Implements peer_cfg_t.get_dpd_action + */ +static dpd_action_t get_dpd_action(private_peer_cfg_t *this) +{ + return this->dpd_action; +} + +/** + * Implementation of peer_cfg_t.get_my_virtual_ip. + */ +static host_t* get_my_virtual_ip(private_peer_cfg_t *this) +{ + if (this->my_virtual_ip == NULL) + { + return NULL; + } + return this->my_virtual_ip->clone(this->my_virtual_ip); +} + +/** + * Implementation of peer_cfg_t.get_other_virtual_ip. + */ +static host_t* get_other_virtual_ip(private_peer_cfg_t *this, host_t *suggestion) +{ + if (this->other_virtual_ip == NULL) + { /* disallow */ + return NULL; + } + if (!this->other_virtual_ip->is_anyaddr(this->other_virtual_ip)) + { /* force own configuration */ + return this->other_virtual_ip->clone(this->other_virtual_ip); + } + if (suggestion == NULL || suggestion->is_anyaddr(suggestion)) + { + return NULL; + } + return suggestion->clone(suggestion); +} + +/** + * Implements peer_cfg_t.get_ref. 
+ */ +static void get_ref(private_peer_cfg_t *this) +{ + ref_get(&this->refcount); +} + +/** + * Implements peer_cfg_t.destroy. + */ +static void destroy(private_peer_cfg_t *this) +{ + if (ref_put(&this->refcount)) + { + this->ike_cfg->destroy(this->ike_cfg); + this->child_cfgs->destroy_offset(this->child_cfgs, offsetof(child_cfg_t, destroy)); + this->my_id->destroy(this->my_id); + this->other_id->destroy(this->other_id); + DESTROY_IF(this->my_ca); + DESTROY_IF(this->other_ca); + + DESTROY_IF(this->my_virtual_ip); + DESTROY_IF(this->other_virtual_ip); + free(this->name); + free(this); + } +} + +/* + * Described in header-file + */ +peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, + identification_t *my_id, identification_t *other_id, + identification_t *my_ca, identification_t *other_ca, + cert_policy_t cert_policy, auth_method_t auth_method, + eap_type_t eap_type, u_int32_t keyingtries, + u_int32_t lifetime, u_int32_t rekeytime, + u_int32_t jitter, bool reauth, + u_int32_t dpd_delay, dpd_action_t dpd_action, + host_t *my_virtual_ip, host_t *other_virtual_ip) +{ + private_peer_cfg_t *this = malloc_thing(private_peer_cfg_t); + + /* public functions */ + this->public.get_name = (char* (*) (peer_cfg_t *))get_name; + this->public.get_ike_version = (u_int(*) (peer_cfg_t *))get_ike_version; + this->public.get_ike_cfg = (ike_cfg_t* (*) (peer_cfg_t *))get_ike_cfg; + this->public.add_child_cfg = (void (*) (peer_cfg_t *, child_cfg_t*))add_child_cfg; + this->public.create_child_cfg_iterator = (iterator_t* (*) (peer_cfg_t *))create_child_cfg_iterator; + this->public.select_child_cfg = (child_cfg_t* (*) (peer_cfg_t *,linked_list_t*,linked_list_t*,host_t*,host_t*))select_child_cfg; + this->public.get_my_id = (identification_t* (*)(peer_cfg_t*))get_my_id; + this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id; + this->public.get_my_ca = (identification_t* (*)(peer_cfg_t *))get_my_ca; + this->public.get_other_ca = 
(identification_t* (*)(peer_cfg_t *))get_other_ca; + this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy; + this->public.get_auth_method = (auth_method_t (*) (peer_cfg_t *))get_auth_method; + this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *))get_eap_type; + this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries; + this->public.get_lifetime = (u_int32_t (*) (peer_cfg_t *, bool rekey))get_lifetime; + this->public.use_reauth = (bool (*) (peer_cfg_t *))use_reauth; + this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay; + this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action; + this->public.get_my_virtual_ip = (host_t* (*) (peer_cfg_t *))get_my_virtual_ip; + this->public.get_other_virtual_ip = (host_t* (*) (peer_cfg_t *, host_t *))get_other_virtual_ip; + this->public.get_ref = (void(*)(peer_cfg_t *))get_ref; + this->public.destroy = (void(*)(peer_cfg_t *))destroy; + + /* apply init values */ + this->name = strdup(name); + this->ike_version = ike_version; + this->ike_cfg = ike_cfg; + this->child_cfgs = linked_list_create(); + pthread_mutex_init(&this->mutex, NULL); + this->my_id = my_id; + this->other_id = other_id; + this->my_ca = my_ca; + this->other_ca = other_ca; + this->cert_policy = cert_policy; + this->auth_method = auth_method; + this->eap_type = eap_type; + this->keyingtries = keyingtries; + this->lifetime = lifetime; + this->rekeytime = rekeytime; + this->jitter = jitter; + this->use_reauth = reauth; + this->dpd_delay = dpd_delay; + this->dpd_action = dpd_action; + this->my_virtual_ip = my_virtual_ip; + this->other_virtual_ip = other_virtual_ip; + this->refcount = 1; + + return &this->public; +} diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h new file mode 100644 index 000000000..63c87674c --- /dev/null +++ b/src/charon/config/peer_cfg.h 
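Review bot: `dpd_delay` and `dpd_action` are declared as `bool` in private_peer_cfg_t, but peer_cfg_create() receives them as `u_int32_t dpd_delay` / `dpd_action_t dpd_action` and the getters return those types, so `this->dpd_delay = dpd_delay;` and `this->dpd_action = dpd_action;` collapse every non-zero value to 1: a configured delay of 30s becomes 1s and DPD_ROUTE/DPD_RESTART silently become DPD_CLEAR. Declare them as `u_int32_t dpd_delay;` and `dpd_action_t dpd_action;`. `use_reauth(private_peer_cfg_t *this, bool rekey)` is installed through a cast to `bool (*) (peer_cfg_t *)`, so the extra parameter is never supplied and should be dropped, and destroy() never calls `pthread_mutex_destroy(&this->mutex)` for the mutex initialised in peer_cfg_create. In get_lifetime, `this->rekeytime - (random() % this->jitter)` is unsigned arithmetic that wraps to a huge value when jitter exceeds rekeytime, so either clamp it or document that the config parser guarantees jitter <= rekeytime.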
@@ -0,0 +1,368 @@
+/**
+ * @file peer_cfg.h
+ *
+ * @brief Interface of peer_cfg_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PEER_CFG_H_
+#define PEER_CFG_H_
+
+typedef enum dpd_action_t dpd_action_t;
+typedef enum cert_policy_t cert_policy_t;
+typedef struct peer_cfg_t peer_cfg_t;
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/**
+ * Certificate sending policy. This is also used for certificate
+ * requests when using this definition for the other peer. If
+ * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
+ * included.
+ *
+ * @ingroup config
+ *
+ * @warning These definitions must be the same as in pluto/starter,
+ * as they are sent over the stroke socket.
+ */
+enum cert_policy_t {
+ /** always send certificates, even when not requested */
+ CERT_ALWAYS_SEND = 0,
+ /** send certificate upon cert request */
+ CERT_SEND_IF_ASKED = 1,
+ /** never send a certificate, even when requested */
+ CERT_NEVER_SEND = 2,
+};
+
+/**
+ * enum strings for cert_policy_t
+ *
+ * @ingroup config
+ */
+extern enum_name_t *cert_policy_names;
+
+/**
+ * @brief Actions to take when a peer does not respond (dead peer detected).
+ *
+ * These values are the same as in pluto/starter, so do not modify them!
+ * + * @ingroup config + */ +enum dpd_action_t { + /** DPD disabled */ + DPD_NONE, + /** remove CHILD_SAs without replacement */ + DPD_CLEAR, + /** route the CHILD_SAs to resetup when needed */ + DPD_ROUTE, + /** restart CHILD_SAs in a new IKE_SA, immediately */ + DPD_RESTART, +}; + +/** + * enum names for dpd_action_t. + */ +extern enum_name_t *dpd_action_names; + +/** + * @brief Configuration of a peer, specified by IDs. + * + * The peer config defines a connection between two given IDs. It contains + * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains + * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer. + * @verbatim + + +-------------------+ +---------------+ + +---------------+ | peer_cfg | +---------------+ | + | ike_cfg | +-------------------+ | child_cfg | | + +---------------+ | - ids | +---------------+ | + | - hosts | 1 1 | - cas | 1 n | - proposals | | + | - proposals |<------| - auth info |-------->| - traffic sel | | + | - ... | | - dpd config | | - ... |-+ + +---------------+ | - ... | +---------------+ + +-------------------+ + @endverbatim + * + * @b Constructors: + * - peer_cfg_create() + * + * @ingroup config + */ +struct peer_cfg_t { + + /** + * @brief Get the name of the peer_cfg. + * + * Returned object is not getting cloned. + * + * @param this calling object + * @return peer_cfg's name + */ + char* (*get_name) (peer_cfg_t *this); + + /** + * @brief Get the IKE version to use for initiating. + * + * @param this calling object + * @return IKE major version + */ + u_int (*get_ike_version)(peer_cfg_t *this); + + /** + * @brief Get the IKE config to use for initiaton. + * + * @param this calling object + * @return the IKE config to use + */ + ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this); + + /** + * @brief Attach a CHILD config. 
+ *
+ * @param this calling object
+ * @param child_cfg CHILD config to add
+ */
+ void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
+
+ /**
+ * @brief Create an iterator for all attached CHILD configs.
+ *
+ * @param this calling object
+ * @return an iterator over all CHILD configs.
+ */
+ iterator_t* (*create_child_cfg_iterator) (peer_cfg_t *this);
+
+ /**
+ * @brief Select a CHILD config from traffic selectors.
+ *
+ * @param this calling object
+ * @param my_ts TS for local side
+ * @param other_ts TS for remote side
+ * @param my_host host to narrow down dynamic TS for local side
+ * @param other_host host to narrow down dynamic TS for remote side
+ * @return selected CHILD config, or NULL if no match found
+ */
+ child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
+ linked_list_t *other_ts, host_t *my_host,
+ host_t *other_host);
+
+ /**
+ * @brief Get own ID.
+ *
+ * @param this calling object
+ * @return own id
+ */
+ identification_t* (*get_my_id)(peer_cfg_t *this);
+
+ /**
+ * @brief Get peers ID.
+ *
+ * @param this calling object
+ * @return other id
+ */
+ identification_t* (*get_other_id)(peer_cfg_t *this);
+
+ /**
+ * @brief Get own CA.
+ *
+ * @param this calling object
+ * @return own ca
+ */
+ identification_t* (*get_my_ca)(peer_cfg_t *this);
+
+ /**
+ * @brief Get peers CA.
+ *
+ * @param this calling object
+ * @return other ca
+ */
+ identification_t* (*get_other_ca)(peer_cfg_t *this);
+
+ /**
+ * @brief Should be sent a certificate for this connection?
+ *
+ * @param this calling object
+ * @return certificate sending policy
+ */
+ cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the authentication method to use to authenticate us.
+ *
+ * @param this calling object
+ * @return authentication method
+ */
+ auth_method_t (*get_auth_method) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the EAP type to use for peer authentication.
+ *
+ * @param this calling object
+ * @return authentication method
+ */
+ eap_type_t (*get_eap_type) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the max number of retries after timeout.
+ *
+ * @param this calling object
+ * @return max number retries
+ */
+ u_int32_t (*get_keyingtries) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the lifetime of a IKE_SA.
+ *
+ * If "rekey" is set to TRUE, a lifetime is returned before the first
+ * rekeying should be started. If it is FALSE, the actual lifetime is
+ * returned when the IKE_SA must be deleted.
+ * The rekey time automatically contains a jitter to avoid simlutaneous
+ * rekeying.
+ *
+ * @param this child_config
+ * @param rekey TRUE to get rekey time
+ * @return lifetime in seconds
+ */
+ u_int32_t (*get_lifetime) (peer_cfg_t *this, bool rekey);
+
+ /**
+ * @brief Should a full reauthentication be done instead of rekeying?
+ *
+ * @param this calling object
+ * @return TRUE to use full reauthentication
+ */
+ bool (*use_reauth) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the DPD check interval.
+ *
+ * @param this calling object
+ * @return dpd_delay in seconds
+ */
+ u_int32_t (*get_dpd_delay) (peer_cfg_t *this);
+
+ /**
+ * @brief What should be done with a CHILD_SA, when other peer does not respond.
+ *
+ * @param this calling object
+ * @return dpd action
+ */
+ dpd_action_t (*get_dpd_action) (peer_cfg_t *this);
+
+ /**
+ * @brief Get a virtual IP for the local peer.
+ *
+ * If no virtual IP should be used, NULL is returned. %any means to request
+ * a virtual IP using configuration payloads. A specific address is also
+ * used for a request and may be changed by the server.
+ *
+ * @param this peer_cfg
+ * @param suggestion NULL, %any or specific
+ * @return clone of an IP, %any or NULL
+ */
+ host_t* (*get_my_virtual_ip) (peer_cfg_t *this);
+
+ /**
+ * @brief Get a virtual IP for the remote peer.
+ *
+ * An IP may be supplied, if one was requested by the initiator.
However, + * the suggestion is not more as it says, any address may be returned, even + * NULL to not use virtual IPs. + * + * @param this peer_cfg + * @param suggestion NULL, %any or specific + * @return clone of an IP to use + */ + host_t* (*get_other_virtual_ip) (peer_cfg_t *this, host_t *suggestion); + + /** + * @brief Get a new reference. + * + * Get a new reference to this peer_cfg by increasing + * it's internal reference counter. + * Do not call get_ref or any other function until you + * already have a reference. Otherwise the object may get + * destroyed while calling get_ref(), + * + * @param this calling object + */ + void (*get_ref) (peer_cfg_t *this); + + /** + * @brief Destroys the peer_cfg object. + * + * Decrements the internal reference counter and + * destroys the peer_cfg when it reaches zero. + * + * @param this calling object + */ + void (*destroy) (peer_cfg_t *this); +}; + +/** + * @brief Create a configuration object for IKE_AUTH and later. + * + * name-string gets cloned, ID's not. + * Virtual IPs are used if they are != NULL. A %any host means the virtual + * IP should be obtained from the other peer. + * Lifetimes are in seconds. To prevent to peers to start rekeying at the + * same time, a jitter may be specified. Rekeying of an SA starts at + * (rekeylifetime - random(0, jitter)). + * + * @param name name of the peer_cfg + * @param ike_version which IKE version we sould use for this peer + * @param ike_cfg IKE config to use when acting as initiator + * @param my_id identification_t for ourselves + * @param other_id identification_t for the remote guy + * @param my_ca CA to use for us + * @param other_ca CA to use for other + * @param cert_policy should we send a certificate payload? 
+ * @param auth_method auth method to use to authenticate us
+ * @param eap_type EAP type to use for peer authentication
+ * @param keyingtries how many keying tries should be done before giving up
+ * @param lifetime lifetime before deleting an SA
+ * @param rekeytime lifetime before rekeying an SA
+ * @param jitter range of random to substract from rekeytime
+ * @param use_reauth sould be done reauthentication instead of rekeying?
+ * @param dpd_delay after how many seconds of inactivity to check DPD
+ * @param dpd_action what to do with CHILD_SAs when detected a dead peer
+ * @param my_virtual_ip virtual IP for local host, or NULL
+ * @param other_virtual_ip virtual IP for remote host, or NULL
+ * @return peer_cfg_t object
+ *
+ * @ingroup config
+ */
+peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
+ identification_t *my_id, identification_t *other_id,
+ identification_t *my_ca, identification_t *other_ca,
+ cert_policy_t cert_policy, auth_method_t auth_method,
+ eap_type_t eap_type, u_int32_t keyingtries,
+ u_int32_t lifetime, u_int32_t rekeytime,
+ u_int32_t jitter, bool use_reauth,
+ u_int32_t dpd_delay, dpd_action_t dpd_action,
+ host_t *my_virtual_ip, host_t *other_virtual_ip);
+
+#endif /* PEER_CFG_H_ */
diff --git a/src/charon/config/policies/local_policy_store.c b/src/charon/config/policies/local_policy_store.c
deleted file mode 100644
index dd22b43a0..000000000
--- a/src/charon/config/policies/local_policy_store.c
+++ /dev/null
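Review bot: The constructor comment in this header says "name-string gets cloned, ID's not" but leaves ownership of the un-cloned objects implicit, while the implementation's destroy() in the preceding peer_cfg.c hunk calls destroy on ike_cfg, my_id, other_id, my_ca, other_ca and both virtual IPs; a caller that keeps or frees any of those itself ends up with a double free or use-after-free, so the contract belongs in the header: ` * Ownership of ike_cfg, my_id, other_id, my_ca, other_ca and the virtual IPs passes to the peer_cfg; they are destroyed with it and must not be destroyed by the caller.` The prototype spells the second parameter `ikev_version` while its `@param` text and the definition in peer_cfg.c use `ike_version`; `u_int ike_version` keeps the two in step. Two doc blocks look copied from their neighbours: `get_my_virtual_ip` documents a `@param suggestion` that its prototype `host_t* (*get_my_virtual_ip) (peer_cfg_t *this);` does not take, and `get_eap_type` documents its result as "authentication method" where `@return EAP type` is meant.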
@@ -1,282 +0,0 @@ -/** - * @file local_policy_store.c - * - * @brief Implementation of local_policy_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include - -#include "local_policy_store.h" - -#include -#include - - -typedef struct private_local_policy_store_t private_local_policy_store_t; - -/** - * Private data of an local_policy_store_t object - */ -struct private_local_policy_store_t { - - /** - * Public part - */ - local_policy_store_t public; - - /** - * list of policy_t's - */ - linked_list_t *policies; - - /** - * Mutex to exclusivly access list - */ - pthread_mutex_t mutex; -}; - -/** - * Implementation of policy_store_t.add_policy. 
- */ -static void add_policy(private_local_policy_store_t *this, policy_t *policy) -{ - pthread_mutex_lock(&(this->mutex)); - this->policies->insert_last(this->policies, (void*)policy); - pthread_mutex_unlock(&(this->mutex)); -} - -/** - * Check if a policy contains traffic selectors - */ -static bool contains_traffic_selectors(policy_t *policy, bool mine, - linked_list_t *ts, host_t *host) -{ - linked_list_t *selected; - bool contains = FALSE; - - if (mine) - { - selected = policy->select_my_traffic_selectors(policy, ts, host); - } - else - { - selected = policy->select_other_traffic_selectors(policy, ts, host); - } - if (selected->get_count(selected)) - { - contains = TRUE; - } - selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy)); - return contains; -} - -/** - * Implementation of policy_store_t.get_policy. - */ -static policy_t *get_policy(private_local_policy_store_t *this, - identification_t *my_id, identification_t *other_id, - linked_list_t *my_ts, linked_list_t *other_ts, - host_t *my_host, host_t *other_host) -{ - typedef enum { - PRIO_UNDEFINED = 0x00, - PRIO_TS_MISMATCH = 0x01, - PRIO_ID_ANY = 0x02, - PRIO_ID_MATCH = PRIO_ID_ANY + MAX_WILDCARDS, - } prio_t; - - prio_t best_prio = PRIO_UNDEFINED; - - iterator_t *iterator; - policy_t *candidate; - policy_t *found = NULL; - traffic_selector_t *ts; - - DBG1(DBG_CFG, "searching policy for '%D'...'%D'", my_id, other_id); - iterator = my_ts->create_iterator(my_ts, TRUE); - while (iterator->iterate(iterator, (void**)&ts)) - { - DBG1(DBG_CFG, " local TS: %R", ts); - } - iterator->destroy(iterator); - iterator = other_ts->create_iterator(other_ts, TRUE); - while (iterator->iterate(iterator, (void**)&ts)) - { - DBG1(DBG_CFG, " remote TS: %R", ts); - } - iterator->destroy(iterator); - - pthread_mutex_lock(&(this->mutex)); - iterator = this->policies->create_iterator(this->policies, TRUE); - - /* determine closest matching policy */ - while (iterator->iterate(iterator, (void**)&candidate)) - { 
- identification_t *candidate_my_id; - identification_t *candidate_other_id; - int wildcards; - - candidate_my_id = candidate->get_my_id(candidate); - candidate_other_id = candidate->get_other_id(candidate); - - /* my_id is either %any or if set must match exactly */ - if (candidate_my_id->matches(candidate_my_id, my_id, &wildcards)) - { - prio_t prio = PRIO_UNDEFINED; - - /* wildcard match for other_id */ - if (!other_id->matches(other_id, candidate_other_id, &wildcards)) - { - continue; - } - prio = PRIO_ID_MATCH - wildcards; - - /* only accept if traffic selectors match */ - if (!contains_traffic_selectors(candidate, TRUE, my_ts, my_host) || - !contains_traffic_selectors(candidate, FALSE, other_ts, other_host)) - { - DBG2(DBG_CFG, "candidate '%s' inacceptable due traffic " - "selector mismatch", candidate->get_name(candidate)); - prio = PRIO_TS_MISMATCH; - } - - DBG2(DBG_CFG, "candidate policy '%s': '%D'...'%D' (prio=%d)", - candidate->get_name(candidate), - candidate_my_id, candidate_other_id, prio); - - if (prio > best_prio) - { - found = candidate; - best_prio = prio; - } - } - } - iterator->destroy(iterator); - - if (found) - { - DBG1(DBG_CFG, "found matching policy '%s': '%D'...'%D' (prio=%d)", - found->get_name(found), found->get_my_id(found), - found->get_other_id(found), best_prio); - /* give out a new reference to it */ - found->get_ref(found); - } - pthread_mutex_unlock(&(this->mutex)); - return found; -} - -/** - * Implementation of policy_store_t.get_policy_by_name. 
- */ -static policy_t *get_policy_by_name(private_local_policy_store_t *this, char *name) -{ - iterator_t *iterator; - policy_t *current, *found = NULL; - - DBG2(DBG_CFG, "looking for policy '%s'", name); - - pthread_mutex_lock(&(this->mutex)); - iterator = this->policies->create_iterator(this->policies, TRUE); - while (iterator->iterate(iterator, (void **)¤t)) - { - if (strcmp(current->get_name(current), name) == 0) - { - found = current; - } - } - iterator->destroy(iterator); - pthread_mutex_unlock(&(this->mutex)); - - /* give out a new reference */ - found->get_ref(found); - return found; -} - -/** - * Implementation of policy_store_t.delete_policy. - */ -static status_t delete_policy(private_local_policy_store_t *this, char *name) -{ - iterator_t *iterator; - policy_t *current; - bool found = FALSE; - - pthread_mutex_lock(&(this->mutex)); - iterator = this->policies->create_iterator(this->policies, TRUE); - while (iterator->iterate(iterator, (void **)¤t)) - { - if (strcmp(current->get_name(current), name) == 0) - { - /* remove policy from list, and destroy it */ - iterator->remove(iterator); - current->destroy(current); - found = TRUE; - /* we do not break here, as there may be multipe policies */ - } - } - iterator->destroy(iterator); - pthread_mutex_unlock(&(this->mutex)); - if (found) - { - return SUCCESS; - } - return NOT_FOUND; -} - -/** - * Implementation of policy_store_t.create_iterator. - */ -static iterator_t* create_iterator(private_local_policy_store_t *this) -{ - return this->policies->create_iterator_locked(this->policies, - &this->mutex); -} - -/** - * Implementation of policy_store_t.destroy. - */ -static void destroy(private_local_policy_store_t *this) -{ - pthread_mutex_lock(&(this->mutex)); - this->policies->destroy_offset(this->policies, offsetof(policy_t, destroy)); - pthread_mutex_unlock(&(this->mutex)); - free(this); -} - -/** - * Described in header. 
- */ -local_policy_store_t *local_policy_store_create(void) -{ - private_local_policy_store_t *this = malloc_thing(private_local_policy_store_t); - - this->public.policy_store.add_policy = (void (*) (policy_store_t*,policy_t*))add_policy; - this->public.policy_store.get_policy = (policy_t* (*) (policy_store_t*,identification_t*,identification_t*, - linked_list_t*,linked_list_t*,host_t*,host_t*))get_policy; - this->public.policy_store.get_policy_by_name = (policy_t* (*) (policy_store_t*,char*))get_policy_by_name; - this->public.policy_store.delete_policy = (status_t (*) (policy_store_t*,char*))delete_policy; - this->public.policy_store.create_iterator = (iterator_t* (*) (policy_store_t*))create_iterator; - this->public.policy_store.destroy = (void (*) (policy_store_t*))destroy; - - /* private variables */ - this->policies = linked_list_create(); - pthread_mutex_init(&(this->mutex), NULL); - - return (&this->public); -} diff --git a/src/charon/config/policies/local_policy_store.h b/src/charon/config/policies/local_policy_store.h deleted file mode 100644 index 01d5d2d60..000000000 --- a/src/charon/config/policies/local_policy_store.h +++ /dev/null 
@@ -1,60 +0,0 @@ -/** - * @file local_policy_store.h - * - * @brief Interface of local_policy_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef LOCAL_POLICY_STORE_H_ -#define LOCAL_POLICY_STORE_H_ - -typedef struct local_policy_store_t local_policy_store_t; - -#include -#include - - -/** - * @brief A policy_store_t implementation using a simple policy lists. - * - * The local_policy_store_t class implements the policy_store_t interface - * as simple as possible. The policies are stored in a in-memory list. - * - * @b Constructors: - * - local_policy_store_create() - * - * @ingroup config - */ -struct local_policy_store_t { - - /** - * Implements policy_store_t interface - */ - policy_store_t policy_store; -}; - -/** - * @brief Creates a local_policy_store_t instance. - * - * @return policy store instance. - * - * @ingroup config - */ -local_policy_store_t *local_policy_store_create(void); - -#endif /* LOCAL_POLICY_STORE_H_ */ diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c deleted file mode 100644 index 363d1609f..000000000 --- a/src/charon/config/policies/policy.c +++ /dev/null 
@@ -1,635 +0,0 @@ -/** - * @file policy.c - * - * @brief Implementation of policy_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include - -#include "policy.h" - -#include -#include -#include - -ENUM(dpd_action_names, DPD_NONE, DPD_RESTART, - "DPD_NONE", - "DPD_CLEAR", - "DPD_ROUTE", - "DPD_RESTART" -); - -ENUM(mode_names, MODE_TRANSPORT, MODE_BEET, - "TRANSPORT", - "TUNNEL", - "2", - "3", - "BEET" -); - -typedef struct private_policy_t private_policy_t; - -/** - * Private data of an policy_t object - */ -struct private_policy_t { - - /** - * Public part - */ - policy_t public; - - /** - * Number of references hold by others to this policy - */ - refcount_t refcount; - - /** - * Name of the policy, used to query it - */ - char *name; - - /** - * id to use to identify us - */ - identification_t *my_id; - - /** - * allowed id for other - */ - identification_t *other_id; - - /** - * virtual IP to use locally - */ - host_t *my_virtual_ip; - - /** - * virtual IP to use remotly - */ - host_t *other_virtual_ip; - - /** - * Method to use for own authentication data - */ - auth_method_t auth_method; - - /** - * EAP type to use for peer authentication - */ - eap_type_t eap_type; - - /** - * we have a cert issued by this CA - */ - identification_t *my_ca; - - /** - * we require the other end to have a cert issued by this CA - */ - identification_t 
*other_ca; - - /** - * updown script - */ - char *updown; - - /** - * allow host access - */ - bool hostaccess; - - /** - * list for all proposals - */ - linked_list_t *proposals; - - /** - * list for traffic selectors for my site - */ - linked_list_t *my_ts; - - /** - * list for traffic selectors for others site - */ - linked_list_t *other_ts; - - /** - * Time before an SA gets invalid - */ - u_int32_t soft_lifetime; - - /** - * Time before an SA gets rekeyed - */ - u_int32_t hard_lifetime; - - /** - * Time, which specifies the range of a random value - * substracted from soft_lifetime. - */ - u_int32_t jitter; - - /** - * What to do with an SA when other peer seams to be dead? - */ - bool dpd_action; - - /** - * Mode to propose for a initiated CHILD: tunnel/transport - */ - mode_t mode; -}; - -/** - * Implementation of policy_t.get_name - */ -static char *get_name(private_policy_t *this) -{ - return this->name; -} - -/** - * Implementation of policy_t.get_my_id - */ -static identification_t *get_my_id(private_policy_t *this) -{ - return this->my_id; -} - -/** - * Implementation of policy_t.get_other_id - */ -static identification_t *get_other_id(private_policy_t *this) -{ - return this->other_id; -} - -/** - * Implementation of policy_t.get_my_ca - */ -static identification_t *get_my_ca(private_policy_t *this) -{ - return this->my_ca; -} - -/** - * Implementation of policy_t.get_other_ca - */ -static identification_t *get_other_ca(private_policy_t *this) -{ - return this->other_ca; -} - -/** - * Implementation of connection_t.auth_method_t. - */ -static auth_method_t get_auth_method(private_policy_t *this) -{ - return this->auth_method; -} - -/** - * Implementation of connection_t.get_eap_type. 
- */ -static eap_type_t get_eap_type(private_policy_t *this) -{ - return this->eap_type; -} - -/** - * Get traffic selectors, with wildcard-address update - */ -static linked_list_t *get_traffic_selectors(private_policy_t *this, - linked_list_t *list, host_t *host) -{ - iterator_t *iterator; - traffic_selector_t *current; - linked_list_t *result = linked_list_create(); - - iterator = list->create_iterator(list, TRUE); - - while (iterator->iterate(iterator, (void**)¤t)) - { - /* we make a copy of the TS, this allows us to update wildcard - * addresses in it. We won't pollute the shared policy. */ - current = current->clone(current); - if (host) - { - current->set_address(current, host); - } - - result->insert_last(result, (void*)current); - } - iterator->destroy(iterator); - return result; -} - -/** - * Implementation of policy_t.get_my_traffic_selectors - */ -static linked_list_t *get_my_traffic_selectors(private_policy_t *this, host_t *me) -{ - return get_traffic_selectors(this, this->my_ts, me); -} - -/** - * Implementation of policy_t.get_other_traffic_selectors - */ -static linked_list_t *get_other_traffic_selectors(private_policy_t *this, host_t *other) -{ - return get_traffic_selectors(this, this->other_ts, other); -} - -/** - * Narrow traffic selectors, with wildcard-address update in "stored". 
- */ -static linked_list_t *select_traffic_selectors(private_policy_t *this, - linked_list_t *stored, - linked_list_t *supplied, - host_t *host) -{ - iterator_t *supplied_iter, *stored_iter, *i1, *i2; - traffic_selector_t *supplied_ts, *stored_ts, *selected_ts, *ts1, *ts2; - linked_list_t *selected = linked_list_create(); - - DBG2(DBG_CFG, "selecting traffic selectors"); - - stored_iter = stored->create_iterator(stored, TRUE); - supplied_iter = supplied->create_iterator(supplied, TRUE); - - /* iterate over all stored selectors */ - while (stored_iter->iterate(stored_iter, (void**)&stored_ts)) - { - /* we make a copy of the TS, this allows us to update wildcard - * addresses in it. We won't pollute the shared policy. */ - stored_ts = stored_ts->clone(stored_ts); - if (host) - { - stored_ts->set_address(stored_ts, host); - } - - supplied_iter->reset(supplied_iter); - /* iterate over all supplied traffic selectors */ - while (supplied_iter->iterate(supplied_iter, (void**)&supplied_ts)) - { - DBG2(DBG_CFG, "stored %R <=> %R received", - stored_ts, supplied_ts); - - selected_ts = stored_ts->get_subset(stored_ts, supplied_ts); - if (selected_ts) - { - /* got a match, add to list */ - selected->insert_last(selected, (void*)selected_ts); - - DBG2(DBG_CFG, "found traffic selector for %s: %R", - stored == this->my_ts ? 
"us" : "other", selected_ts); - } - } - stored_ts->destroy(stored_ts); - } - stored_iter->destroy(stored_iter); - supplied_iter->destroy(supplied_iter); - - /* remove any redundant traffic selectors in the list */ - i1 = selected->create_iterator(selected, TRUE); - i2 = selected->create_iterator(selected, TRUE); - while (i1->iterate(i1, (void**)&ts1)) - { - while (i2->iterate(i2, (void**)&ts2)) - { - if (ts1 != ts2) - { - if (ts2->is_contained_in(ts2, ts1)) - { - i2->remove(i2); - ts2->destroy(ts2); - i1->reset(i1); - break; - } - if (ts1->is_contained_in(ts1, ts2)) - { - i1->remove(i1); - ts1->destroy(ts1); - i2->reset(i2); - break; - } - } - } - } - i1->destroy(i1); - i2->destroy(i2); - - return selected; -} - -/** - * Implementation of private_policy_t.select_my_traffic_selectors - */ -static linked_list_t *select_my_traffic_selectors(private_policy_t *this, - linked_list_t *supplied, - host_t *me) -{ - return select_traffic_selectors(this, this->my_ts, supplied, me); -} - -/** - * Implementation of private_policy_t.select_other_traffic_selectors - */ -static linked_list_t *select_other_traffic_selectors(private_policy_t *this, - linked_list_t *supplied, - host_t* other) -{ - return select_traffic_selectors(this, this->other_ts, supplied, other); -} - -/** - * Implementation of policy_t.get_proposal_iterator - */ -static linked_list_t *get_proposals(private_policy_t *this) -{ - iterator_t *iterator; - proposal_t *current; - linked_list_t *proposals = linked_list_create(); - - iterator = this->proposals->create_iterator(this->proposals, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - current = current->clone(current); - proposals->insert_last(proposals, (void*)current); - } - iterator->destroy(iterator); - - return proposals; -} - -/** - * Implementation of policy_t.select_proposal - */ -static proposal_t *select_proposal(private_policy_t *this, linked_list_t *proposals) -{ - iterator_t *stored_iter, *supplied_iter; - proposal_t *stored, *supplied, 
*selected; - - stored_iter = this->proposals->create_iterator(this->proposals, TRUE); - supplied_iter = proposals->create_iterator(proposals, TRUE); - - /* compare all stored proposals with all supplied. Stored ones are preferred. */ - while (stored_iter->iterate(stored_iter, (void**)&stored)) - { - supplied_iter->reset(supplied_iter); - while (supplied_iter->iterate(supplied_iter, (void**)&supplied)) - { - selected = stored->select(stored, supplied); - if (selected) - { - /* they match, return */ - stored_iter->destroy(stored_iter); - supplied_iter->destroy(supplied_iter); - return selected; - } - } - } - - /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */ - stored_iter->destroy(stored_iter); - supplied_iter->destroy(supplied_iter); - - return NULL; -} - -/** - * Implementation of policy_t.add_authorities - */ -static void add_authorities(private_policy_t *this, identification_t *my_ca, identification_t *other_ca) -{ - this->my_ca = my_ca; - this->other_ca = other_ca; -} - -/** - * Implementation of policy_t.get_updown - */ -static char* get_updown(private_policy_t *this) -{ - return this->updown; -} - -/** - * Implementation of policy_t.get_hostaccess - */ -static bool get_hostaccess(private_policy_t *this) -{ - return this->hostaccess; -} - -/** - * Implements policy_t.get_dpd_action - */ -static dpd_action_t get_dpd_action(private_policy_t *this) -{ - return this->dpd_action; -} - -/** - * Implementation of policy_t.add_my_traffic_selector - */ -static void add_my_traffic_selector(private_policy_t *this, traffic_selector_t *traffic_selector) -{ - this->my_ts->insert_last(this->my_ts, (void*)traffic_selector); -} - -/** - * Implementation of policy_t.add_other_traffic_selector - */ -static void add_other_traffic_selector(private_policy_t *this, traffic_selector_t *traffic_selector) -{ - this->other_ts->insert_last(this->other_ts, (void*)traffic_selector); -} - -/** - * Implementation of policy_t.add_proposal - */ -static void 
add_proposal(private_policy_t *this, proposal_t *proposal) -{ - this->proposals->insert_last(this->proposals, (void*)proposal); -} - -/** - * Implementation of policy_t.get_soft_lifetime - */ -static u_int32_t get_soft_lifetime(private_policy_t *this) -{ - if (this->jitter == 0) - { - return this->soft_lifetime ; - } - return this->soft_lifetime - (random() % this->jitter); -} - -/** - * Implementation of policy_t.get_hard_lifetime - */ -static u_int32_t get_hard_lifetime(private_policy_t *this) -{ - return this->hard_lifetime; -} - -/** - * Implementation of policy_t.get_mode. - */ -static mode_t get_mode(private_policy_t *this) -{ - return this->mode; -} - -/** - * Implementation of policy_t.get_virtual_ip. - */ -static host_t* get_virtual_ip(private_policy_t *this, host_t *suggestion) -{ - if (suggestion == NULL) - { - if (this->my_virtual_ip) - { - return this->my_virtual_ip->clone(this->my_virtual_ip); - } - return NULL; - } - if (this->other_virtual_ip) - { - return this->other_virtual_ip->clone(this->other_virtual_ip); - } - if (suggestion->is_anyaddr(suggestion)) - { - return NULL; - } - return suggestion->clone(suggestion); -} - -/** - * Implements policy_t.get_ref. - */ -static void get_ref(private_policy_t *this) -{ - ref_get(&this->refcount); -} - -/** - * Implements policy_t.destroy. 
- */ -static void destroy(private_policy_t *this) -{ - if (ref_put(&this->refcount)) - { - - this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy)); - this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy)); - this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy)); - - /* delete certification authorities */ - DESTROY_IF(this->my_ca); - DESTROY_IF(this->other_ca); - - /* delete updown script */ - if (this->updown) - { - free(this->updown); - } - - /* delete ids */ - this->my_id->destroy(this->my_id); - this->other_id->destroy(this->other_id); - DESTROY_IF(this->my_virtual_ip); - DESTROY_IF(this->other_virtual_ip); - - free(this->name); - free(this); - } -} - -/* - * Described in header-file - */ -policy_t *policy_create(char *name, identification_t *my_id, identification_t *other_id, - host_t *my_virtual_ip, host_t *other_virtual_ip, - auth_method_t auth_method, eap_type_t eap_type, - u_int32_t hard_lifetime, u_int32_t soft_lifetime, - u_int32_t jitter, char *updown, bool hostaccess, - mode_t mode, dpd_action_t dpd_action) -{ - private_policy_t *this = malloc_thing(private_policy_t); - - /* public functions */ - this->public.get_name = (char* (*) (policy_t*))get_name; - this->public.get_my_id = (identification_t* (*) (policy_t*))get_my_id; - this->public.get_other_id = (identification_t* (*) (policy_t*))get_other_id; - this->public.get_my_ca = (identification_t* (*) (policy_t*))get_my_ca; - this->public.get_other_ca = (identification_t* (*) (policy_t*))get_other_ca; - this->public.get_auth_method = (auth_method_t (*) (policy_t*)) get_auth_method; - this->public.get_eap_type = (eap_type_t (*) (policy_t*)) get_eap_type; - this->public.get_my_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_my_traffic_selectors; - this->public.get_other_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_other_traffic_selectors; - this->public.select_my_traffic_selectors = 
(linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_my_traffic_selectors; - this->public.select_other_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_other_traffic_selectors; - this->public.get_proposals = (linked_list_t* (*) (policy_t*))get_proposals; - this->public.select_proposal = (proposal_t* (*) (policy_t*,linked_list_t*))select_proposal; - this->public.add_my_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_my_traffic_selector; - this->public.add_other_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_other_traffic_selector; - this->public.add_proposal = (void (*) (policy_t*,proposal_t*))add_proposal; - this->public.add_authorities = (void (*) (policy_t*,identification_t*,identification_t*))add_authorities; - this->public.get_updown = (char* (*) (policy_t*))get_updown; - this->public.get_hostaccess = (bool (*) (policy_t*))get_hostaccess; - this->public.get_dpd_action = (dpd_action_t (*) (policy_t*))get_dpd_action; - this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime; - this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime; - this->public.get_mode = (mode_t (*) (policy_t *))get_mode; - this->public.get_virtual_ip = (host_t* (*)(policy_t*,host_t*))get_virtual_ip; - this->public.get_ref = (void (*) (policy_t*))get_ref; - this->public.destroy = (void (*) (policy_t*))destroy; - - /* apply init values */ - this->name = strdup(name); - this->my_id = my_id; - this->other_id = other_id; - this->my_virtual_ip = my_virtual_ip; - this->other_virtual_ip = other_virtual_ip; - this->auth_method = auth_method; - this->eap_type = eap_type; - this->hard_lifetime = hard_lifetime; - this->soft_lifetime = soft_lifetime; - this->jitter = jitter; - this->updown = (updown == NULL) ? 
NULL : strdup(updown); - this->hostaccess = hostaccess; - this->dpd_action = dpd_action; - this->mode = mode; - - /* initialize private members*/ - this->refcount = 1; - this->my_ca = NULL; - this->other_ca = NULL; - this->proposals = linked_list_create(); - this->my_ts = linked_list_create(); - this->other_ts = linked_list_create(); - - return &this->public; -} diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h deleted file mode 100644 index d8916b29e..000000000 --- a/src/charon/config/policies/policy.h +++ /dev/null 
@@ -1,413 +0,0 @@ -/** - * @file policy.h - * - * @brief Interface of policy_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef POLICY_H_ -#define POLICY_H_ - -typedef enum dpd_action_t dpd_action_t; -typedef struct policy_t policy_t; - -#include -#include -#include -#include -#include -#include - - -/** - * @brief Actions to take when a peer does not respond (dead peer detected). - * - * These values are the same as in pluto/starter, so do not modify them! - * - * @ingroup config - */ -enum dpd_action_t { - /** DPD disabled */ - DPD_NONE, - /** remove CHILD_SA without replacement */ - DPD_CLEAR, - /** route the CHILD_SA to resetup when needed */ - DPD_ROUTE, - /** restart CHILD_SA in a new IKE_SA, immediately */ - DPD_RESTART, -}; - -/** - * enum names for dpd_action_t. - */ -extern enum_name_t *dpd_action_names; - -/** - * @brief Mode of an IPsec SA. - * - * These are equal to those defined in XFRM, so don't change. - * - * @ingroup config - */ -enum mode_t { - /** transport mode, no inner address */ - MODE_TRANSPORT = 0, - /** tunnel mode, inner and outer addresses */ - MODE_TUNNEL = 1, - /** BEET mode, tunnel mode but fixed, bound inner addresses */ - MODE_BEET = 4, -}; - -/** - * enum names for mode_t. - */ -extern enum_name_t *mode_names; - -/** - * @brief A policy_t defines the policies to apply to CHILD_SAs. - * - * The given two IDs identify a policy. 
These rules define how - * child SAs may be set up and which traffic may be IPsec'ed. - * - * @b Constructors: - * - policy_create() - * - * @ingroup config - */ -struct policy_t { - - /** - * @brief Get the name of the policy. - * - * Returned object is not getting cloned. - * - * @param this calling object - * @return policy's name - */ - char *(*get_name) (policy_t *this); - - /** - * @brief Get own id. - * - * Returned object is not getting cloned. - * - * @param this calling object - * @return own id - */ - identification_t *(*get_my_id) (policy_t *this); - - /** - * @brief Get peer id. - * - * Returned object is not getting cloned. - * - * @param this calling object - * @return other id - */ - identification_t *(*get_other_id) (policy_t *this); - - /** - * @brief Get own ca. - * - * Returned object is not getting cloned. - * - * @param this calling object - * @return own ca - */ - identification_t *(*get_my_ca) (policy_t *this); - - /** - * @brief Get peer ca. - * - * Returned object is not getting cloned. - * - * @param this calling object - * @return other ca - */ - identification_t *(*get_other_ca) (policy_t *this); - - /** - * @brief Get the authentication method to use. - * - * @param this calling object - * @return authentication method - */ - auth_method_t (*get_auth_method) (policy_t *this); - - /** - * @brief Get the EAP type to use for peer authentication. - * - * @param this calling object - * @return authentication method - */ - eap_type_t (*get_eap_type) (policy_t *this); - - /** - * @brief Get configured traffic selectors for our site. - * - * Returns a list with all traffic selectors for the local - * site. List and items must be destroyed after usage. - * - * @param this calling object - * @return list with traffic selectors - */ - linked_list_t *(*get_my_traffic_selectors) (policy_t *this, host_t *me); - - /** - * @brief Get configured traffic selectors for others site. 
- * - * Returns a list with all traffic selectors for the remote - * site. List and items must be destroyed after usage. - * - * @param this calling object - * @return list with traffic selectors - */ - linked_list_t *(*get_other_traffic_selectors) (policy_t *this, host_t* other); - - /** - * @brief Select traffic selectors from a supplied list for local site. - * - * Resulted list and traffic selectors must be destroyed after usage. - * As the traffic selectors may contain a wildcard address (0.0.0.0) for - * addresses we don't know in previous, an address may be supplied to - * replace these 0.0.0.0 addresses on-the-fly. - * - * @param this calling object - * @param supplied linked list with traffic selectors - * @param me host address used by us - * @return list containing the selected traffic selectors - */ - linked_list_t *(*select_my_traffic_selectors) (policy_t *this, - linked_list_t *supplied, - host_t *me); - - /** - * @brief Select traffic selectors from a supplied list for remote site. - * - * Resulted list and traffic selectors must be destroyed after usage. - * As the traffic selectors may contain a wildcard address (0.0.0.0) for - * addresses we don't know in previous, an address may be supplied to - * replace these 0.0.0.0 addresses on-the-fly. - * - * @param this calling object - * @param supplied linked list with traffic selectors - * @return list containing the selected traffic selectors - */ - linked_list_t *(*select_other_traffic_selectors) (policy_t *this, - linked_list_t *supplied, - host_t *other); - - /** - * @brief Get the list of internally stored proposals. - * - * policy_t does store proposals for AH/ESP, IKE proposals are in - * the connection_t. - * Resulting list and all of its proposals must be freed after usage. - * - * @param this calling object - * @return lists with proposals - */ - linked_list_t *(*get_proposals) (policy_t *this); - - /** - * @brief Select a proposal from a supplied list. 
- * - * Returned propsal is newly created and must be destroyed after usage. - * - * @param this calling object - * @param proposals list from from wich proposals are selected - * @return selected proposal, or NULL if nothing matches - */ - proposal_t *(*select_proposal) (policy_t *this, linked_list_t *proposals); - - /** - * @brief Add a traffic selector to the list for local site. - * - * After add, traffic selector is owned by policy. - * - * @param this calling object - * @param traffic_selector traffic_selector to add - */ - void (*add_my_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector); - - /** - * @brief Add a traffic selector to the list for remote site. - * - * After add, traffic selector is owned by policy. - * - * @param this calling object - * @param traffic_selector traffic_selector to add - */ - void (*add_other_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector); - - /** - * @brief Add a proposal to the list. - * - * The proposals are stored by priority, first added - * is the most prefered. - * After add, proposal is owned by policy. - * - * @param this calling object - * @param proposal proposal to add - */ - void (*add_proposal) (policy_t *this, proposal_t *proposal); - - /** - * @brief Add certification authorities. - * - * @param this calling object - * @param my_ca issuer of my certificate - * @param other_ca required issuer of the peer's certificate - */ - void (*add_authorities) (policy_t *this, identification_t *my_ca, identification_t *other_ca); - - /** - * @brief Get updown script - * - * @param this calling object - * @return path to updown script - */ - char* (*get_updown) (policy_t *this); - - /** - * @brief Get hostaccess flag - * - * @param this calling object - * @return value of hostaccess flag - */ - bool (*get_hostaccess) (policy_t *this); - - /** - * @brief What should be done with a CHILD_SA, when other peer does not respond. 
- * - * @param this calling object - * @return dpd action - */ - dpd_action_t (*get_dpd_action) (policy_t *this); - - /** - * @brief Get the lifetime of a policy, before rekeying starts. - * - * A call to this function automatically adds a jitter to - * avoid simultanous rekeying. - * - * @param this policy - * @return lifetime in seconds - */ - u_int32_t (*get_soft_lifetime) (policy_t *this); - - /** - * @brief Get the lifetime of a policy, before SA gets deleted. - * - * @param this policy - * @return lifetime in seconds - */ - u_int32_t (*get_hard_lifetime) (policy_t *this); - - /** - * @brief Get the mode to use for the CHILD_SA, tunnel, transport or BEET. - * - * @param this policy - * @return lifetime in seconds - */ - mode_t (*get_mode) (policy_t *this); - - /** - * @brief Get a virtual IP for the local or the remote host. - * - * By supplying NULL as IP, an IP for the local host is requested. It - * may be %any or specific. - * By supplying %any as host, an IP from the pool is selected to be - * served to the peer. - * If a specified host is supplied, it is checked if this address - * is acceptable to serve to the peer. If so, it is returned. Otherwise, - * an alternative IP is returned. - * In any mode, this call may return NULL indicating virtual IP should - * not be used. - * - * @param this policy - * @param suggestion NULL, %any or specific, see description - * @return clone of an IP to use, or NULL - */ - host_t* (*get_virtual_ip) (policy_t *this, host_t *suggestion); - - /** - * @brief Get a new reference. - * - * Get a new reference to this policy by increasing - * it's internal reference counter. - * Do not call get_ref or any other function until you - * already have a reference. Otherwise the object may get - * destroyed while calling get_ref(), - * - * @param this calling object - */ - void (*get_ref) (policy_t *this); - - /** - * @brief Destroys the policy object. 
- * - * Decrements the internal reference counter and - * destroys the policy when it reaches zero. - * - * @param this calling object - */ - void (*destroy) (policy_t *this); -}; - -/** - * @brief Create a configuration object for IKE_AUTH and later. - * - * name-string gets cloned, ID's not. - * Virtual IPs are used if they are != NULL. A %any host means the virtual - * IP should be obtained from the other peer. - * Lifetimes are in seconds. To prevent to peers to start rekeying at the - * same time, a jitter may be specified. Rekeying of an SA starts at - * (soft_lifetime - random(0, jitter)). After a successful rekeying, - * the hard_lifetime limit counter is reset. You should specify - * hard_lifetime > soft_lifetime > jitter. - * After a call to create, a reference is obtained (refcount = 1). - * - * @param name name of the policy - * @param my_id identification_t for ourselves - * @param other_id identification_t for the remote guy - * @param my_virtual_ip virtual IP for local host, or NULL - * @param other_virtual_ip virtual IP for remote host, or NULL - * @param auth_method Authentication method to use for our(!) 
auth data - * @param eap_type EAP type to use for peer authentication - * @param hard_lifetime lifetime before deleting an SA - * @param soft_lifetime lifetime before rekeying an SA - * @param jitter range of randomization time - * @param updown updown script to execute on up/down event - * @param hostaccess allow access to the host itself (used by the updown script) - * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET - * @param dpd_action what to to with a CHILD_SA when other peer does not respond - * @return policy_t object - * - * @ingroup config - */ -policy_t *policy_create(char *name, - identification_t *my_id, identification_t *other_id, - host_t *my_virtual_ip, host_t *other_virtual_ip, - auth_method_t auth_method, eap_type_t eap_type, - u_int32_t hard_lifetime, u_int32_t soft_lifetime, - u_int32_t jitter, char *updown, bool hostaccess, - mode_t mode, dpd_action_t dpd_action); - -#endif /* POLICY_H_ */ diff --git a/src/charon/config/policies/policy_store.h b/src/charon/config/policies/policy_store.h deleted file mode 100755 index cd8870953..000000000 --- a/src/charon/config/policies/policy_store.h +++ /dev/null 
@@ -1,119 +0,0 @@ -/** - * @file policy_store.h - * - * @brief Interface policy_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef POLICY_STORE_H_ -#define POLICY_STORE_H_ - -typedef struct policy_store_t policy_store_t; - -#include -#include -#include - - -/** - * @brief The interface for a store of policy_t's. - * - * The store uses reference counting to manage their lifetime. Call - * destroy() for a policy which is returned from the store after usage. - * - * @b Constructors: - * - stroke_create() - * - * @ingroup config - */ -struct policy_store_t { - - /** - * @brief Returns a policy identified by two IDs and a set of traffic selectors. - * - * other_id must be fully qualified. my_id may be %any, as the - * other peer may not include an IDr Request. 
- * - * @param this calling object - * @param my_id own ID of the policy - * @param other_id others ID of the policy - * @param my_ts traffic selectors requested for local host - * @param other_ts traffic selectors requested for remote host - * @param my_host host to use for wilcards in TS compare - * @param other_host host to use for wildcards in TS compare - * @return - * - matching policy_t, if found - * - NULL otherwise - */ - policy_t *(*get_policy) (policy_store_t *this, - identification_t *my_id, identification_t *other_id, - linked_list_t *my_ts, linked_list_t *other_ts, - host_t *my_host, host_t* other_host); - - /** - * @brief Returns a policy identified by a connection name. - * - * @param this calling object - * @param name name of the policy - * @return - * - matching policy_t, if found - * - NULL otherwise - */ - policy_t *(*get_policy_by_name) (policy_store_t *this, char *name); - - /** - * @brief Add a policy to the list. - * - * The policy is owned by the store after the call. Do - * not modify nor free. - * - * @param this calling object - * @param policy policy to add - */ - void (*add_policy) (policy_store_t *this, policy_t *policy); - - /** - * @brief Delete a policy from the store. - * - * Remove a policy from the store identified by its name. - * - * @param this calling object - * @param policy policy to add - * @return - * - SUCCESS, or - * - NOT_FOUND - */ - status_t (*delete_policy) (policy_store_t *this, char *name); - - /** - * @brief Get an iterator for the stored policies. - * - * @param this calling object - * @return iterator over all stored policies - */ - iterator_t* (*create_iterator) (policy_store_t *this); - - /** - * @brief Destroys a policy_store_t object. - * - * @param this calling object - */ - void (*destroy) (policy_store_t *this); -}; - -#endif /*POLICY_STORE_H_*/ diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c index dcab8cbdd..cff9859c1 100644 --- a/src/charon/config/proposal.c 
+++ b/src/charon/config/proposal.c
@@ -143,39 +143,6 @@ static void add_algorithm(private_proposal_t *this, transform_type_t type, u_int
 }
 }
-/**
- * Implements proposal_t.get_algorithm.
- */
-static bool get_algorithm(private_proposal_t *this, transform_type_t type, algorithm_t** algo)
-{
- linked_list_t *list;
- switch (type)
- {
- case ENCRYPTION_ALGORITHM:
- list = this->encryption_algos;
- break;
- case INTEGRITY_ALGORITHM:
- list = this->integrity_algos;
- break;
- case PSEUDO_RANDOM_FUNCTION:
- list = this->prf_algos;
- break;
- case DIFFIE_HELLMAN_GROUP:
- list = this->dh_groups;
- break;
- case EXTENDED_SEQUENCE_NUMBERS:
- list = this->esns;
- break;
- default:
- return FALSE;
- }
- if (list->get_first(list, (void**)algo) != SUCCESS)
- {
- return FALSE;
- }
- return TRUE;
-}
-
 /**
  * Implements proposal_t.create_algorithm_iterator.
  */
@@ -199,6 +166,50 @@ static iterator_t *create_algorithm_iterator(private_proposal_t *this, transform
 return NULL;
 }
+/**
+ * Implements proposal_t.get_algorithm.
+ */
+static bool get_algorithm(private_proposal_t *this, transform_type_t type, algorithm_t** algo)
+{
+ iterator_t *iterator = create_algorithm_iterator(this, type);
+ if (iterator->iterate(iterator, (void**)algo))
+ {
+ iterator->destroy(iterator);
+ return TRUE;
+ }
+ iterator->destroy(iterator);
+ return FALSE;
+}
+
+/**
+ * Implements proposal_t.has_dh_group
+ */
+static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
+{
+ algorithm_t *current;
+ iterator_t *iterator;
+ bool result = FALSE;
+
+ iterator = this->dh_groups->create_iterator(this->dh_groups, TRUE);
+ if (iterator->get_count(iterator))
+ {
+ while (iterator->iterate(iterator, (void**)¤t))
+ {
+ if (current->algorithm == group)
+ {
+ result = TRUE;
+ break;
+ }
+ }
+ }
+ else if (group == MODP_NONE)
+ {
+ result = TRUE;
+ }
+ iterator->destroy(iterator);
+ return result;
+}
+
 /**
  * Find a matching alg/keysize in two linked lists
  */
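Review bot: The rewritten get_algorithm() in the second hunk dereferences the iterator returned by create_algorithm_iterator() without checking it, although the `return NULL;` context line opening that hunk shows the helper can return NULL; the removed version answered FALSE from its switch default for a transform type it does not store, so such a call now crashes instead of failing cleanly. Restoring the old contract is a one-line guard before the iterate() call: `if (iterator == NULL) { return FALSE; }`. has_dh_group() in the same hunk iterates this->dh_groups directly and is not affected.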
@@ -399,6 +410,10 @@ static proposal_t *clone_(private_proposal_t *this)
 return &clone->public;
 }
+/**
+ * add a algorithm identified by a string to the proposal.
+ * TODO: we could use gperf here.
+ */
 static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 {
 if (strncmp(alg.ptr, "null", alg.len) == 0)
@@ -443,8 +458,9 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 {
 add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
 }
- }
- else if (strncmp(alg.ptr, "sha256", alg.len) == 0)
+ }
+ else if (strncmp(alg.ptr, "sha256", alg.len) == 0 ||
+ strncmp(alg.ptr, "sha2_256", alg.len) == 0)
 {
 add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
 if (this->protocol == PROTO_IKE)
@@ -452,7 +468,8 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0);
 }
 }
- else if (strncmp(alg.ptr, "sha384", alg.len) == 0)
+ else if (strncmp(alg.ptr, "sha384", alg.len) == 0 ||
+ strncmp(alg.ptr, "sha2_384", alg.len) == 0)
 {
 add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
 if (this->protocol == PROTO_IKE)
@@ -460,7 +477,8 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0);
 }
 }
- else if (strncmp(alg.ptr, "sha512", alg.len) == 0)
+ else if (strncmp(alg.ptr, "sha512", alg.len) == 0 ||
+ strncmp(alg.ptr, "sha2_512", alg.len) == 0)
 {
 add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
 if (this->protocol == PROTO_IKE)
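Review bot: The added `strncmp(alg.ptr, "sha2_256", alg.len) == 0` alternative in the sha256 hunk, and the sha2_384 and sha2_512 ones in the two hunks below it, bound the comparison by the length of the configured token rather than by the keyword, so a token that is merely a prefix of the keyword (for example `sha2_`) is accepted as whichever branch is tested first; the new spellings share a longer common prefix than the old ones, which makes that easier to hit. Since add_string_algo() parses operator-supplied algorithm strings, an exact match is the safer rule, e.g. `alg.len == strlen("sha2_256") && strncmp(alg.ptr, "sha2_256", alg.len) == 0`, preferably in a small static helper that every branch uses. The enclosing function begins and ends outside these hunks.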
@@ -476,6 +494,14 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
 }
 }
+ else if (strncmp(alg.ptr, "aesxcbc", alg.len) == 0)
+ {
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
+ if (this->protocol == PROTO_IKE)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, AUTH_AES_XCBC_96, 0);
+ }
+ }
 else if (strncmp(alg.ptr, "modp768", alg.len) == 0)
 {
 add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0);
@@ -530,6 +556,7 @@ proposal_t *proposal_create(protocol_id_t protocol)
 this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,size_t))add_algorithm;
 this->public.create_algorithm_iterator = (iterator_t* (*)(proposal_t*,transform_type_t))create_algorithm_iterator;
 this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,algorithm_t**))get_algorithm;
+ this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
 this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal;
 this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
 this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
@@ -586,11 +613,13 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
 add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
 add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
 add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
 add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 break;
 case PROTO_AH:
 add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
 add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
 add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 break;
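Review bot: In the new aesxcbc branch of add_string_algo() the PRF entry is registered with the integrity constant, `add_algorithm(this, PSEUDO_RANDOM_FUNCTION, AUTH_AES_XCBC_96, 0);`, whereas every neighbouring branch passes a PRF_* value for the PSEUDO_RANDOM_FUNCTION slot. If these enums carry the IKEv2 transform IDs, AES-XCBC is integrity transform 5 but PRF transform 4, so the proposal would advertise a PRF that the peer reads as a different algorithm and the exchange fails or keys with a PRF the operator did not configure. Unless the PRF enum deliberately aliases that value, this line should use the PRF enum's AES-XCBC member, or be left out until one exists; the two default-proposal hunks further down only add AUTH_AES_XCBC_96 to integrity lists and are consistent. The enclosing function begins outside this hunk.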
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
index abcb40999..379550f44 100644
--- a/src/charon/config/proposal.h
+++ b/src/charon/config/proposal.h
@@ -102,6 +102,8 @@ extern enum_name_t *extended_sequence_numbers_names;
 /**
  * Struct used to store different kinds of algorithms. The internal
  * lists of algorithms contain such structures.
+ *
+ * @ingroup config
  */
 struct algorithm_t {
 /**
@@ -162,7 +164,6 @@ struct proposal_t {
  * @brief Get the algorithm for a type to use.
  *
  * If there are multiple algorithms, only the first is returned.
- * Result is still owned by proposal, do not modify!
  *
  * @param this calling object
  * @param type kind of algorithm
@@ -170,6 +171,15 @@ struct proposal_t {
  * @return TRUE if algorithm of this kind available
  */
 bool (*get_algorithm) (proposal_t *this, transform_type_t type, algorithm_t** algo);
+
+ /**
+ * @brief Check if the proposal has a specific DH group.
+ *
+ * @param this calling object
+ * @param group group to check for
+ * @return TRUE if algorithm included
+ */
+ bool (*has_dh_group) (proposal_t *this, diffie_hellman_group_t group);
 /**
  * @brief Compare two proposal, and select a matching subset.
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index 2fb012e16..b399074d1 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -167,6 +167,8 @@ static int print(FILE *stream, const struct printf_info *info,
 const void *const *args)
 {
 private_traffic_selector_t *this = *((private_traffic_selector_t**)(args[0]));
+ linked_list_t *list = *((linked_list_t**)(args[0]));
+ iterator_t *iterator;
 char addr_str[INET6_ADDRSTRLEN] = "";
 char *serv_proto = NULL;
 u_int8_t mask;
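Review bot: The `@return TRUE if algorithm included` line added for has_dh_group() understates the contract: the implementation in proposal.c also returns TRUE when the proposal holds no DH group at all and `group` is MODP_NONE, which callers deciding whether a key exchange is required must know; suggested wording is `@return TRUE if the group is contained, or if no DH group is configured and group is MODP_NONE`. In the hunk above it, `Result is still owned by proposal, do not modify!` is dropped from get_algorithm(), yet the rewritten implementation still hands out the list's own element through the iterator, so that sentence remains true and should be kept or restated as `algo points into the proposal's internal list; do not modify or free it`.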
@@ -179,6 +181,24 @@ static int print(FILE *stream, const struct printf_info *info,
 return fprintf(stream, "(null)");
 }
+ if (info->alt)
+ {
+ iterator = list->create_iterator(list, TRUE);
+ while (iterator->iterate(iterator, (void**)&this))
+ {
+ /* call recursivly */
+ written += fprintf(stream, "%R ", this);
+ }
+ iterator->destroy(iterator);
+ return written;
+ }
+
+ if (this->dynamic)
+ {
+ return fprintf(stream, "dynamic/%d",
+ this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
+ }
+
 if (this->type == TS_IPV4_ADDR_RANGE)
 {
 inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
diff --git a/src/charon/control/interface_manager.c b/src/charon/control/interface_manager.c
new file mode 100644
index 000000000..700174c5b
--- /dev/null
+++ b/src/charon/control/interface_manager.c
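Review bot: The `info->alt` branch changes the meaning of args[0] from a single traffic selector to a linked_list_t of them and re-enters the hook with `%R` per element, but nothing at the hook states that alternate-form contract, so a caller that pairs `%#R` with a plain selector, or `%R` with a list, would read through the wrong type with no diagnostic; a comment next to the new declarations in the first hunk, such as `/* "%#R" expects a linked_list_t of traffic_selector_t, "%R" a single selector */`, makes the two incompatible argument types explicit. `written` is declared outside this hunk and is returned straight after the loop, so it should be confirmed to start at 0. The enclosing print() begins outside the hunk.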
@@ -0,0 +1,705 @@ +/** + * @file interface_manager.c + * + * @brief Implementation of interface_manager_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "interface_manager.h" + +#include +#include +#include +#include + +#include +#include +#include + + +typedef struct private_interface_manager_t private_interface_manager_t; +typedef struct interface_bus_listener_t interface_bus_listener_t; + +/** + * Private data of an stroke_t object. + */ +struct private_interface_manager_t { + + /** + * Public part of stroke_t object. + */ + interface_manager_t public; + + /** + * a list of all loaded interfaces + */ + linked_list_t *interfaces; + + /** + * dlopen() handles of interfaces + */ + linked_list_t *handles; +}; + +/** + * helper struct to map bus listener callbacks to interface callbacks + */ +struct interface_bus_listener_t { + + /** + * bus listener callback function (called) + */ + bus_listener_t listener; + + /** + * IKE_SA to use for message filtering + */ + ike_sa_t *ike_sa; + + /** + * interface callback (listener gets redirected to here) + */ + interface_manager_cb_t callback; + + /** + * user parameter to pass to callback + */ + void *param; + + /** + * caller has cancelled its listening subscription + */ + bool cancelled; +}; + +/** + * Implementation of interface_manager_t.create_ike_sa_iterator. 
+ */ +static iterator_t* create_ike_sa_iterator(interface_manager_t *this) +{ + return charon->ike_sa_manager->create_iterator(charon->ike_sa_manager); +} + +/** + * listener function for initiate + */ +static bool initiate_listener(interface_bus_listener_t *this, signal_t signal, + level_t level, int thread, ike_sa_t *ike_sa, + char* format, va_list args) +{ + if (this->ike_sa == ike_sa) + { + if (!this->callback(this->param, signal, level, ike_sa, format, args)) + { + this->cancelled = TRUE; + return FALSE; + } + switch (signal) + { + case IKE_UP_FAILED: + case CHILD_UP_FAILED: + case CHILD_UP_SUCCESS: + { + return FALSE; + } + default: + break; + } + } + return TRUE; +} + +/** + * listener function for terminate_ike + */ +static bool terminate_ike_listener(interface_bus_listener_t *this, signal_t signal, + level_t level, int thread, ike_sa_t *ike_sa, + char* format, va_list args) +{ + if (this->ike_sa == ike_sa) + { + if (!this->callback(this->param, signal, level, ike_sa, format, args)) + { + this->cancelled = TRUE; + return FALSE; + } + switch (signal) + { + case IKE_DOWN_FAILED: + case IKE_DOWN_SUCCESS: + { + return FALSE; + } + default: + break; + } + } + return TRUE; +} + +/** + * listener function for terminate_child + */ +static bool terminate_child_listener(interface_bus_listener_t *this, signal_t signal, + level_t level, int thread, ike_sa_t *ike_sa, + char* format, va_list args) +{ + if (this->ike_sa == ike_sa) + { + if (!this->callback(this->param, signal, level, ike_sa, format, args)) + { + this->cancelled = TRUE; + return FALSE; + } + switch (signal) + { + case IKE_DOWN_FAILED: + case IKE_DOWN_SUCCESS: + case CHILD_DOWN_FAILED: + case CHILD_DOWN_SUCCESS: + { + return FALSE; + } + default: + break; + } + } + return TRUE; +} + +/** + * listener function for route + */ +static bool route_listener(interface_bus_listener_t *this, signal_t signal, + level_t level, int thread, ike_sa_t *ike_sa, + char* format, va_list args) +{ + if (this->ike_sa == ike_sa) 
+ { + if (!this->callback(this->param, signal, level, ike_sa, format, args)) + { + this->cancelled = TRUE; + return FALSE; + } + switch (signal) + { + case CHILD_ROUTE_SUCCESS: + case CHILD_ROUTE_FAILED: + { + return FALSE; + } + default: + break; + } + } + return TRUE; +} + +/** + * listener function for unroute + */ +static bool unroute_listener(interface_bus_listener_t *this, signal_t signal, + level_t level, int thread, ike_sa_t *ike_sa, + char* format, va_list args) +{ + if (this->ike_sa == ike_sa) + { + if (!this->callback(this->param, signal, level, ike_sa, format, args)) + { + this->cancelled = TRUE; + return FALSE; + } + switch (signal) + { + case CHILD_UNROUTE_SUCCESS: + case CHILD_UNROUTE_FAILED: + { + return FALSE; + } + default: + break; + } + } + return TRUE; +} + +/** + * remove a previously registered listener from the bus + */ +static void remove_listener(interface_bus_listener_t *listener) +{ + charon->bus->remove_listener(charon->bus, &listener->listener); +} + +/** + * Implementation of interface_manager_t.initiate. + */ +static status_t initiate(private_interface_manager_t *this, + peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, + interface_manager_cb_t callback, void *param) +{ + ike_sa_t *ike_sa; + ike_cfg_t *ike_cfg; + status_t retval = FAILED; + interface_bus_listener_t listener; + + ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); + ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager, + ike_cfg->get_my_host(ike_cfg), ike_cfg->get_other_host(ike_cfg), + peer_cfg->get_my_id(peer_cfg), peer_cfg->get_other_id(peer_cfg)); + + if (ike_sa->get_peer_cfg(ike_sa) == NULL) + { + ike_sa->set_peer_cfg(ike_sa, peer_cfg); + } + peer_cfg->destroy(peer_cfg); + + listener.listener.signal = (void*)initiate_listener; + listener.callback = callback; + listener.ike_sa = ike_sa; + listener.param = param; + listener.cancelled = FALSE; + + /* we listen passively to catch the signals we are raising in + * ike_sa->delete(). 
*/ + if (callback) + { + charon->bus->add_listener(charon->bus, &listener.listener); + } + charon->bus->set_listen_state(charon->bus, TRUE); + if (ike_sa->initiate(ike_sa, child_cfg) != SUCCESS) + { + charon->bus->set_listen_state(charon->bus, FALSE); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); + return FAILED; + } + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + + /* wait until we get a result */ + while (TRUE) + { + level_t level; + signal_t signal; + int thread; + ike_sa_t *current; + char* format; + va_list args; + + /* stop listening if the passive listener returned FALSE */ + if (listener.cancelled) + { + retval = NEED_MORE; + break; + } + pthread_cleanup_push((void*)remove_listener, &listener); + signal = charon->bus->listen(charon->bus, &level, &thread, + ¤t, &format, &args); + pthread_cleanup_pop(0); + /* ike_sa is a valid pointer until we get one of the signals */ + if (ike_sa == current) + { + switch (signal) + { + case CHILD_UP_SUCCESS: + retval = SUCCESS; + case CHILD_UP_FAILED: + case IKE_UP_FAILED: + break; + default: + continue; + } + break; + } + } + charon->bus->set_listen_state(charon->bus, FALSE); + return retval; +} + +/** + * Implementation of interface_manager_t.terminate_ike. + */ +static status_t terminate_ike(interface_manager_t *this, u_int32_t unique_id, + interface_manager_cb_t callback, void *param) +{ + ike_sa_t *ike_sa; + status_t status = FAILED;; + interface_bus_listener_t listener; + + ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, + unique_id, FALSE); + if (ike_sa == NULL) + { + return NOT_FOUND; + } + + /* we listen passively to catch the signals we are raising in + * ike_sa->delete(). 
*/ + listener.listener.signal = (void*)terminate_ike_listener; + listener.callback = callback; + listener.ike_sa = ike_sa; + listener.param = param; + listener.cancelled = FALSE; + if (callback) + { + charon->bus->add_listener(charon->bus, &listener.listener); + } + charon->bus->set_listen_state(charon->bus, TRUE); + status = ike_sa->delete(ike_sa); + if (status == DESTROY_ME) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); + } + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + + /* wait until IKE_SA is cleanly deleted using a delete message */ + while (TRUE) + { + level_t level; + signal_t signal; + int thread; + ike_sa_t *current; + char* format; + va_list args; + + /* stop listening if the passive listener returned FALSE */ + if (listener.cancelled) + { + status = NEED_MORE; + break; + } + pthread_cleanup_push((void*)remove_listener, &listener); + signal = charon->bus->listen(charon->bus, &level, &thread, + ¤t, &format, &args); + pthread_cleanup_pop(0); + + /* even if we checked in the IKE_SA, the pointer is valid until + * we get an IKE_DOWN_... */ + if (ike_sa == current) + { + switch (signal) + { + case IKE_DOWN_FAILED: + case IKE_DOWN_SUCCESS: + { + status = SUCCESS; + break; + } + default: + continue; + } + break; + } + } + } + charon->bus->set_listen_state(charon->bus, FALSE); + + return status; +} + +/** + * Implementation of interface_manager_t.terminate_child. 
+ */ +static status_t terminate_child(interface_manager_t *this, u_int32_t reqid, + interface_manager_cb_t callback, void *param) +{ + ike_sa_t *ike_sa; + child_sa_t *child_sa; + iterator_t *iterator; + status_t status = FAILED; + interface_bus_listener_t listener; + + ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, + reqid, TRUE); + if (ike_sa == NULL) + { + return NOT_FOUND; + } + + iterator = ike_sa->create_child_sa_iterator(ike_sa); + while (iterator->iterate(iterator, (void**)&child_sa)) + { + if (child_sa->get_state(child_sa) != CHILD_ROUTED && + child_sa->get_reqid(child_sa) == reqid) + { + break; + } + child_sa = NULL; + } + iterator->destroy(iterator); + + if (child_sa == NULL) + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return NOT_FOUND; + } + + listener.listener.signal = (void*)terminate_child_listener; + listener.callback = callback; + listener.ike_sa = ike_sa; + listener.param = param; + listener.cancelled = FALSE; + + /* we listen passively to catch the signals we are raising */ + if (callback) + { + charon->bus->add_listener(charon->bus, &listener.listener); + } + charon->bus->set_listen_state(charon->bus, TRUE); + status = ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa), + child_sa->get_spi(child_sa, TRUE)); + if (status == DESTROY_ME) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); + } + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + + /* wait until CHILD_SA is cleanly deleted using a delete message */ + while (TRUE) + { + level_t level; + signal_t signal; + int thread; + ike_sa_t *current; + char* format; + va_list args; + + /* stop listening if the passive listener returned FALSE */ + if (listener.cancelled) + { + status = NEED_MORE; + break; + } + pthread_cleanup_push((void*)remove_listener, &listener); + signal = charon->bus->listen(charon->bus, &level, &thread, + ¤t, &format, &args); + pthread_cleanup_pop(0); 
+ /* even if we checked in the IKE_SA, the pointer is valid until + * we get an IKE_DOWN_... */ + if (ike_sa == current) + { + switch (signal) + { + case IKE_DOWN_FAILED: + case IKE_DOWN_SUCCESS: + case CHILD_DOWN_FAILED: + case CHILD_DOWN_SUCCESS: + { + status = SUCCESS; + break; + } + default: + continue; + } + break; + } + } + } + charon->bus->set_listen_state(charon->bus, FALSE); + + return status; +} + +/** + * Implementation of interface_manager_t.route. + */ +static status_t route(interface_manager_t *this, + peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, + interface_manager_cb_t callback, void *param) +{ + ike_sa_t *ike_sa; + ike_cfg_t *ike_cfg; + status_t status = SUCCESS; + + ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); + + ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager, + ike_cfg->get_my_host(ike_cfg), ike_cfg->get_other_host(ike_cfg), + peer_cfg->get_my_id(peer_cfg), peer_cfg->get_other_id(peer_cfg)); + + if (ike_sa->get_peer_cfg(ike_sa) == NULL) + { + ike_sa->set_peer_cfg(ike_sa, peer_cfg); + } + + /* we listen passively only, as routing is done by one thread only */ + if (callback) + { + interface_bus_listener_t listener; + + listener.listener.signal = (void*)route_listener; + listener.callback = callback; + listener.ike_sa = ike_sa; + listener.param = param; + listener.cancelled = FALSE; + charon->bus->add_listener(charon->bus, &listener.listener); + } + + if (ike_sa->route(ike_sa, child_cfg) != SUCCESS) + { + status = FAILED; + } + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return status; +} + +/** + * Implementation of interface_manager_t.unroute. 
+ */ +static status_t unroute(interface_manager_t *this, u_int32_t reqid, + interface_manager_cb_t callback, void *param) +{ + ike_sa_t *ike_sa; + status_t status; + + ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, + reqid, TRUE); + if (ike_sa == NULL) + { + return NOT_FOUND; + } + + /* we listen passively only, as routing is done by one thread only */ + if (callback) + { + interface_bus_listener_t listener; + + listener.listener.signal = (void*)unroute_listener; + listener.callback = callback; + listener.ike_sa = ike_sa; + listener.param = param; + listener.cancelled = FALSE; + charon->bus->add_listener(charon->bus, &listener.listener); + } + status = ike_sa->unroute(ike_sa, reqid); + if (status == DESTROY_ME) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); + status = SUCCESS; + } + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + return status; +} + +/** + * load the control interface modules + */ +static void load_interfaces(private_interface_manager_t *this) +{ + struct dirent* entry; + DIR* dir; + + dir = opendir(IPSEC_INTERFACEDIR); + if (dir == NULL) + { + DBG1(DBG_CFG, "error opening interface modules directory "IPSEC_INTERFACEDIR); + return; + } + + DBG1(DBG_CFG, "loading control interface modules from '"IPSEC_INTERFACEDIR"'"); + + while ((entry = readdir(dir)) != NULL) + { + char file[256]; + interface_t *interface; + interface_constructor_t constructor; + void *handle; + char *ending; + + snprintf(file, sizeof(file), IPSEC_INTERFACEDIR"/%s", entry->d_name); + + ending = entry->d_name + strlen(entry->d_name) - 3; + if (ending <= entry->d_name || !streq(ending, ".so")) + { + /* skip anything which does not look like a library */ + DBG2(DBG_CFG, " skipping %s, doesn't look like a library", + entry->d_name); + continue; + } + /* try to load the library */ + handle = dlopen(file, RTLD_LAZY); + if (handle == NULL) + { + DBG1(DBG_CFG, " opening control interface module 
%s failed: %s", + entry->d_name, dlerror()); + continue; + } + constructor = dlsym(handle, "interface_create"); + if (constructor == NULL) + { + DBG1(DBG_CFG, " interface module %s has no interface_create() " + "function, skipped", entry->d_name); + dlclose(handle); + continue; + } + + interface = constructor(); + if (interface == NULL) + { + DBG1(DBG_CFG, " unable to create instance of interface " + "module %s, skipped", entry->d_name); + dlclose(handle); + continue; + } + DBG1(DBG_CFG, " loaded control interface module successfully from %s", entry->d_name); + this->interfaces->insert_last(this->interfaces, interface); + this->handles->insert_last(this->handles, handle); + } + closedir(dir); +} + + +/** + * Implementation of stroke_t.destroy. + */ +static void destroy(private_interface_manager_t *this) +{ + this->interfaces->destroy_offset(this->interfaces, offsetof(interface_t, destroy)); + this->handles->destroy_function(this->handles, (void*)dlclose); + free(this); +} + +/* + * Described in header-file + */ +interface_manager_t *interface_manager_create(void) +{ + private_interface_manager_t *this = malloc_thing(private_interface_manager_t); + + this->public.create_ike_sa_iterator = (iterator_t*(*)(interface_manager_t*))create_ike_sa_iterator; + this->public.initiate = (status_t(*)(interface_manager_t*,peer_cfg_t*,child_cfg_t*,bool(*)(void*,signal_t,level_t,ike_sa_t*,char*,va_list),void*))initiate; + this->public.terminate_ike = (status_t(*)(interface_manager_t*,u_int32_t,interface_manager_cb_t, void*))terminate_ike; + this->public.terminate_child = (status_t(*)(interface_manager_t*,u_int32_t,interface_manager_cb_t, void *param))terminate_child; + this->public.route = (status_t(*)(interface_manager_t*,peer_cfg_t*, child_cfg_t*,interface_manager_cb_t,void*))route; + this->public.unroute = (status_t(*)(interface_manager_t*,u_int32_t,interface_manager_cb_t,void*))unroute; + this->public.destroy = (void (*)(interface_manager_t*))destroy; + + this->interfaces = 
linked_list_create(); + this->handles = linked_list_create(); + + load_interfaces(this); + + return &this->public; +} + diff --git a/src/charon/control/interface_manager.h b/src/charon/control/interface_manager.h new file mode 100644 index 000000000..06a5fe6c4 --- /dev/null +++ b/src/charon/control/interface_manager.h 
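Review bot: In route() and unroute() the `interface_bus_listener_t listener` is declared inside the `if (callback)` block and registered with `charon->bus->add_listener()`, but its lifetime ends at that block's closing brace — before `ike_sa->route()`/`ike_sa->unroute()` run and raise the signals the listener exists to observe, so the bus dispatches into a dead stack frame. Hoist the declaration to function scope and unregister before the checkin, `if (callback) charon->bus->remove_listener(charon->bus, &listener.listener);` — the bus may drop a listener whose function returns FALSE (the terminal cases in route_listener()/unroute_listener()), but nothing guarantees that signal is raised for this IKE_SA. initiate() has a milder form of the same problem: on the `ike_sa->initiate(...) != SUCCESS` early return the listener is still registered unless that path raised IKE_UP_FAILED/CHILD_UP_FAILED for this IKE_SA, which the hunk does not show, and the `pthread_cleanup_push` only covers the `listen()` call. Separately, load_interfaces() dlopen()s and runs `interface_create()` from every `*.so` under IPSEC_INTERFACEDIR, so that directory's permissions are the trust boundary for code executing inside the daemon; a comment there, `/* every .so in this directory runs with daemon privileges: it must be root-owned and not group/world writable */`, would make that explicit.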
@@ -0,0 +1,192 @@ +/** + * @file interface_manager.h + * + * @brief Interface of interface_manager_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef INTERFACE_MANAGER_H_ +#define INTERFACE_MANAGER_H_ + +#include + +/** + * callback to log things triggered by interface_manager. + * + * @param param echoed parameter supplied when function invoked + * @param signal type of signal + * @param level verbosity level if log + * @param ike_sa associated IKE_SA, if any + * @param format printf like format string + * @param args list of arguments to use for format + * @return FALSE to return from invoked function + * @ingroup control + */ +typedef bool(*interface_manager_cb_t)(void* param, signal_t signal, level_t level, + ike_sa_t* ike_sa, char* format, va_list args); + +typedef struct interface_manager_t interface_manager_t; + +/** + * @brief The interface_manager loads control interfaces and has helper methods. + * + * One job of the interface manager is to load pluggable control interface + * modules, implemented as interface_t. 
+ * @verbatim + + +---------+ +------------+ +--------------+ | + | | | |<----- +--------------+ | | + | daemon |<-----| interface- | +--------------+ |-+ <==|==> IPC + | core | | manager |<----| interfaces |-+ | + | |<-----| | +--------------+ | + | | | | | + +---------+ +------------+ | + + @endverbatim + * The manager does not really use the interfaces, instead, the interface + * use the manager to fullfill their tasks (initiating, terminating, ...). + * The interface_manager starts actions by creating jobs. It then tries to + * evaluate the result of the operation by listening on the bus. + * + * @b Constructors: + * - interface_manager_create() + * + * @ingroup control + */ +struct interface_manager_t { + + /** + * @brief Create an iterator for all IKE_SAs. + * + * The iterator blocks the IKE_SA manager until it gets destroyed. Do + * not call another interface/manager method while the iterator is alive. + * + * @param this calling object + * @return iterator, locks IKE_SA manager until destroyed + */ + iterator_t* (*create_ike_sa_iterator)(interface_manager_t *this); + + /** + * @brief Initiate a CHILD_SA, and if required, an IKE_SA. + * + * The inititate() function is synchronous and thus blocks until the + * IKE_SA is established or failed. Because of this, the initiate() function + * contains a thread cancellation point. + * + * @param this calling object + * @param peer_cfg peer_cfg to use for IKE_SA setup + * @param child_cfg child_cfg to set up CHILD_SA from + * @param cb logging callback + * @param param parameter to include in each call of cb + * @return + * - SUCCESS, if CHILD_SA established + * - FAILED, if setup failed + * - NEED_MORE, if callback returned FALSE + */ + status_t (*initiate)(interface_manager_t *this, + peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, + interface_manager_cb_t callback, void *param); + + /** + * @brief Terminate an IKE_SA and all of its CHILD_SAs. 
+ * + * The terminate() function is synchronous and thus blocks until the + * IKE_SA is properly deleted, or the delete timed out. + * The terminate() function contains a thread cancellation point. + * + * @param this calling object + * @param unique_id unique id of the IKE_SA to terminate. + * @param cb logging callback + * @param param parameter to include in each call of cb + * @return + * - SUCCESS, if CHILD_SA terminated + * - NOT_FOUND, if no such CHILD_SA found + * - NEED_MORE, if callback returned FALSE + */ + status_t (*terminate_ike)(interface_manager_t *this, u_int32_t unique_id, + interface_manager_cb_t callback, void *param); + + /** + * @brief Terminate a CHILD_SA. + * + * @param this calling object + * @param reqid reqid of the CHILD_SA to terminate + * @param cb logging callback + * @param param parameter to include in each call of cb + * @return + * - SUCCESS, if CHILD_SA terminated + * - NOT_FOUND, if no such CHILD_SA found + * - NEED_MORE, if callback returned FALSE + */ + status_t (*terminate_child)(interface_manager_t *this, u_int32_t reqid, + interface_manager_cb_t callback, void *param); + + /** + * @brief Route a CHILD_SA (install triggering policies). + * + * @param this calling object + * @param peer_cfg peer_cfg to use for IKE_SA setup, if triggered + * @param child_cfg child_cfg to route + * @param cb logging callback + * @param param parameter to include in each call of cb + * @return + * - SUCCESS, if CHILD_SA routed + * - FAILED, if routing failed + * - NEED_MORE, if callback returned FALSE + */ + status_t (*route)(interface_manager_t *this, + peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, + interface_manager_cb_t callback, void *param); + + /** + * @brief Unroute a routed CHILD_SA (uninstall triggering policies). + * + * Only the route is removed, not the CHILD_SAs the route triggered. 
+ * + * @param this calling object + * @param reqid reqid of the CHILD_SA to unroute + * @param cb logging callback + * @param param parameter to include in each call of cb + * @return + * - SUCCESS, if CHILD_SA terminated + * - NOT_FOUND, if no such CHILD_SA routed + * - NEED_MORE, if callback returned FALSE + */ + status_t (*unroute)(interface_manager_t *this, u_int32_t reqid, + interface_manager_cb_t callback, void *param); + + /** + * @brief Destroy a interface_manager_t instance. + * + * @param this interface_manager_t objec to destroy + */ + void (*destroy) (interface_manager_t *this); +}; + + +/** + * @brief Creates a interface_manager instance and loads all interface modules. + * + * @return interface_manager_t object + * + * @ingroup control + */ +interface_manager_t *interface_manager_create(void); + +#endif /* INTERFACE_MANAGER_H_ */ + diff --git a/src/charon/control/interfaces/dbus_interface.c b/src/charon/control/interfaces/dbus_interface.c new file mode 100644 index 000000000..443df635c --- /dev/null +++ b/src/charon/control/interfaces/dbus_interface.c 
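Review bot: Several @return descriptions in this header describe the wrong object: terminate_ike() says `SUCCESS, if CHILD_SA terminated` / `NOT_FOUND, if no such CHILD_SA found` although it takes an IKE_SA unique_id, and unroute() says `SUCCESS, if CHILD_SA terminated` although it only removes the trigger policy; route() documents `NEED_MORE, if callback returned FALSE`, but the route() implementation in this commit never waits on the bus and returns only SUCCESS or FAILED. Every `@param cb` should be `@param callback` to match the declarations. The ownership of `peer_cfg` is also left unstated and differs between entry points: initiate() calls `peer_cfg->destroy()` on it after handing it to the IKE_SA, route() does not; add `@param peer_cfg peer_cfg to use, reference consumed (caller must not destroy it)` on initiate() and the opposite on route(), or make the two consistent.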
@@ -0,0 +1,479 @@ +/** + * @file dbus_interface.c + * + * @brief Implementation of dbus_interface_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define DBUS_API_SUBJECT_TO_CHANGE +#include +#include +#include +#include + +#include "dbus_interface.h" + +#include +#include + + +#define NM_DBUS_SERVICE_STRONG "org.freedesktop.NetworkManager.strongswan" +#define NM_DBUS_INTERFACE_STRONG "org.freedesktop.NetworkManager.strongswan" +#define NM_DBUS_PATH_STRONG "/org/freedesktop/NetworkManager/strongswan" + +typedef struct private_dbus_interface_t private_dbus_interface_t; + +/** + * Private data of an dbus_interface_t object. + */ +struct private_dbus_interface_t { + + /** + * Public part of dbus_t object. 
+ */ + dbus_interface_t public; + + /** + * DBUS connection + */ + DBusConnection* conn; + + /** + * error value used here and there + */ + DBusError err; + + /** + * state of the daemon + */ + NMVPNState state; + + /** + * dispatcher thread for DBUS messages + */ + pthread_t thread; + + /** + * name of the currently active connection + */ + char *name; +}; + +/** + * set daemon state and send StateChange signal to the bus + */ +static void set_state(private_dbus_interface_t *this, NMVPNState state) +{ + DBusMessage* msg; + + msg = dbus_message_new_signal(NM_DBUS_PATH_STRONG, NM_DBUS_INTERFACE_STRONG, NM_DBUS_VPN_SIGNAL_STATE_CHANGE); + + if (!dbus_message_append_args(msg, DBUS_TYPE_UINT32, &this->state, + DBUS_TYPE_UINT32, &state, DBUS_TYPE_INVALID) || + !dbus_connection_send(this->conn, msg, NULL)) + { + DBG1(DBG_CFG, "unable to send DBUS StateChange signal"); + } + dbus_connection_flush(this->conn); + dbus_message_unref(msg); + this->state = state; +} + + +/** + * get the child_cfg with the same name as the peer cfg + */ +static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name) +{ + child_cfg_t *current, *found = NULL; + iterator_t *iterator; + + iterator = peer_cfg->create_child_cfg_iterator(peer_cfg); + while (iterator->iterate(iterator, (void**)¤t)) + { + if (streq(current->get_name(current), name)) + { + found = current; + found->get_ref(found); + break; + } + } + iterator->destroy(iterator); + return found; +} + +/** + * get a peer configuration by its name, or a name of its children + */ +static peer_cfg_t *get_peer_cfg_by_name(char *name) +{ + iterator_t *i1, *i2; + peer_cfg_t *current, *found = NULL; + child_cfg_t *child; + + i1 = charon->backends->create_iterator(charon->backends); + while (i1->iterate(i1, (void**)¤t)) + { + /* compare peer_cfgs name first */ + if (streq(current->get_name(current), name)) + { + found = current; + found->get_ref(found); + break; + } + /* compare all child_cfg names otherwise */ + i2 = 
current->create_child_cfg_iterator(current); + while (i2->iterate(i2, (void**)&child)) + { + if (streq(child->get_name(child), name)) + { + found = current; + found->get_ref(found); + break; + } + } + i2->destroy(i2); + if (found) + { + break; + } + } + i1->destroy(i1); + return found; +} + +/** + * logging dummy + */ +static bool dbus_log(void *param, signal_t signal, level_t level, + ike_sa_t *ike_sa, char *format, va_list args) +{ + return TRUE; +} + + +/** + * process NetworkManagers startConnection method call + */ +static bool start_connection(private_dbus_interface_t *this, DBusMessage* msg) +{ + DBusMessage *reply, *signal; + char *name, *user, **data, **passwords, **routes; + int data_count, passwords_count, routes_count; + u_int32_t me, other, p2p, netmask, mss; + char *dev, *domain, *banner; + const dbus_int32_t array[] = {}; + const dbus_int32_t *varray = array; + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + status_t status = FAILED; + + dbus_error_free(&this->err); + + if (!dbus_message_get_args(msg, &this->err, + DBUS_TYPE_STRING, &name, DBUS_TYPE_STRING, &user, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &passwords, &passwords_count, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &data, &data_count, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &routes, &routes_count, + DBUS_TYPE_INVALID)) + { + return FALSE; + } + set_state(this, NM_VPN_STATE_STARTING); + + peer_cfg = get_peer_cfg_by_name(name); + if (peer_cfg) + { + free(this->name); + this->name = strdup(peer_cfg->get_name(peer_cfg)); + child_cfg = get_child_from_peer(peer_cfg, name); + if (child_cfg) + { + status = charon->interfaces->initiate(charon->interfaces, peer_cfg, + child_cfg, dbus_log, NULL); + } + else + { + peer_cfg->destroy(peer_cfg); + } + } + reply = dbus_message_new_method_return(msg); + dbus_connection_send(this->conn, reply, NULL); + dbus_message_unref(reply); + + if (status == SUCCESS) + { + + set_state(this, NM_VPN_STATE_STARTED); + signal = dbus_message_new_signal(NM_DBUS_PATH_STRONG, + 
NM_DBUS_INTERFACE_STRONG, + NM_DBUS_VPN_SIGNAL_IP4_CONFIG); + me = other = p2p = mss = netmask = 0; + dev = domain = banner = ""; + if (dbus_message_append_args(signal, + DBUS_TYPE_UINT32, &other, + DBUS_TYPE_STRING, &dev, + DBUS_TYPE_UINT32, &me, + DBUS_TYPE_UINT32, &p2p, + DBUS_TYPE_UINT32, &netmask, + DBUS_TYPE_ARRAY, DBUS_TYPE_UINT32, &varray, 0, + DBUS_TYPE_ARRAY, DBUS_TYPE_UINT32, &varray, 0, + DBUS_TYPE_UINT32, &mss, + DBUS_TYPE_STRING, &domain, + DBUS_TYPE_STRING, &banner, DBUS_TYPE_INVALID)) + { + dbus_connection_send(this->conn, signal, NULL); + } + dbus_message_unref(signal); + } + else + { + set_state(this, NM_VPN_STATE_STOPPED); + } + + dbus_connection_flush(this->conn); + return TRUE; +} + +/** + * process NetworkManagers stopConnection method call + */ +static bool stop_connection(private_dbus_interface_t *this, DBusMessage* msg) +{ + u_int32_t id; + iterator_t *iterator; + ike_sa_t *ike_sa; + + if (this->name == NULL) + { + return FALSE; + } + + dbus_error_free(&this->err); + + set_state(this, NM_VPN_STATE_STOPPING); + + iterator = charon->interfaces->create_ike_sa_iterator(charon->interfaces); + while (iterator->iterate(iterator, (void**)&ike_sa)) + { + child_sa_t *child_sa; + iterator_t *children; + + if (this->name && streq(this->name, ike_sa->get_name(ike_sa))) + { + id = ike_sa->get_unique_id(ike_sa); + iterator->destroy(iterator); + charon->interfaces->terminate_ike(charon->interfaces, id, NULL, NULL); + set_state(this, NM_VPN_STATE_STOPPED); + return TRUE;; + } + children = ike_sa->create_child_sa_iterator(ike_sa); + while (children->iterate(children, (void**)&child_sa)) + { + if (this->name && streq(this->name, child_sa->get_name(child_sa))) + { + id = child_sa->get_reqid(child_sa); + children->destroy(children); + iterator->destroy(iterator); + charon->interfaces->terminate_child(charon->interfaces, id, NULL, NULL); + set_state(this, NM_VPN_STATE_STOPPED); + return TRUE; + } + } + children->destroy(children); + } + 
iterator->destroy(iterator); + set_state(this, NM_VPN_STATE_STOPPED); + return TRUE; +} + +/** + * process NetworkManagers getState method call + */ +static bool get_state(private_dbus_interface_t *this, DBusMessage* msg) +{ + DBusMessage* reply; + reply = dbus_message_new_method_return(msg); + if (!reply || !dbus_message_append_args(reply, + DBUS_TYPE_UINT32, &this->state, + DBUS_TYPE_INVALID)) + { + return FALSE; + } + dbus_connection_send(this->conn, reply, NULL); + return TRUE; +} + +/** + * Handle incoming messages + */ +static DBusHandlerResult message_handler(DBusConnection *con, DBusMessage *msg, + private_dbus_interface_t *this) +{ + bool handled; + + if (dbus_message_is_method_call(msg, NM_DBUS_INTERFACE_STRONG, + "startConnection")) + { + handled = start_connection(this, msg); + } + else if (dbus_message_is_method_call(msg, NM_DBUS_INTERFACE_STRONG, + "stopConnection")) + { + handled = stop_connection(this, msg); + } + else if (dbus_message_is_method_call(msg, NM_DBUS_INTERFACE_STRONG, + "getState")) + { + handled = get_state(this, msg); + } + else + { + DBG1(DBG_CFG, "ignoring DBUS message %s.%s", + dbus_message_get_interface(msg), dbus_message_get_member(msg)); + handled = FALSE; + } + + if (handled) + { + return DBUS_HANDLER_RESULT_HANDLED; + } + return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; +} + +/** + * Handle received signals + +static DBusHandlerResult signal_handler(DBusConnection *con, DBusMessage *msg, + private_dbus_interface_t *this) +{ + bool handled; + + if (dbus_message_is_signal(msg, NM_DBUS_INTERFACE, "VPNConnectionStateChange")) + { + NMVPNState state; + char *name; + + if (dbus_message_get_args(msg, &this->err, DBUS_TYPE_STRING, &name, + DBUS_TYPE_UINT32, &state, DBUS_TYPE_INVALID)) + { + DBG1(DBG_CFG, "got state %d for %s", state, name); + } + handled = TRUE; + } + else + { + DBG1(DBG_CFG, "ignoring DBUS signal %s.%s", + dbus_message_get_interface(msg), dbus_message_get_member(msg)); + handled = FALSE; + } + if (handled) + { + return 
DBUS_HANDLER_RESULT_HANDLED; + } + return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; +} */ + +/** + * dispatcher function processed by a seperate thread + */ +static void dispatch(private_dbus_interface_t *this) +{ + charon->drop_capabilities(charon, TRUE); + + while (dbus_connection_read_write_dispatch(this->conn, -1)) + { + /* nothing */ + } +} + +/** + * Implementation of interface_t.destroy. + */ +static void destroy(private_dbus_interface_t *this) +{ + pthread_cancel(this->thread); + pthread_join(this->thread, NULL); + dbus_connection_close(this->conn); + dbus_error_free(&this->err); + dbus_shutdown(); + free(this->name); + free(this); +} + +/* + * Described in header file + */ +interface_t *interface_create() +{ + int ret; + DBusObjectPathVTable v = {NULL, (void*)&message_handler, NULL, NULL, NULL, NULL}; + private_dbus_interface_t *this = malloc_thing(private_dbus_interface_t); + + this->public.interface.destroy = (void (*)(interface_t*))destroy; + + dbus_error_init(&this->err); + this->conn = dbus_bus_get(DBUS_BUS_SYSTEM, &this->err); + if (dbus_error_is_set(&this->err)) + { + DBG1(DBG_CFG, "unable to open DBUS connection: %s", this->err.message); + charon->kill(charon, "DBUS initialization failed"); + } + dbus_connection_set_exit_on_disconnect(this->conn, FALSE); + + ret = dbus_bus_request_name(this->conn, NM_DBUS_SERVICE_STRONG, + DBUS_NAME_FLAG_REPLACE_EXISTING , &this->err); + if (dbus_error_is_set(&this->err)) + { + DBG1(DBG_CFG, "unable to set DBUS name: %s", this->err.message); + charon->kill(charon, "unable to set DBUS name"); + } + if (ret != DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER) + { + charon->kill(charon, "DBUS name already owned"); + } + if (!dbus_connection_register_object_path(this->conn, NM_DBUS_PATH_STRONG, &v, this)) + { + charon->kill(charon, "unable to register DBUS message handler"); + } + /* + if (!dbus_connection_add_filter(this->conn, (void*)signal_handler, this, NULL)) + { + charon->kill(charon, "unable to register DBUS signal handler"); + 
} + + dbus_bus_add_match(this->conn, "type='signal', " + "interface='" NM_DBUS_INTERFACE_VPN "'," + "path='" NM_DBUS_PATH_VPN "'", &this->err); + if (dbus_error_is_set (&this->err)) + { + charon->kill(charon, "unable to add DBUS signal match"); + }*/ + + this->name = NULL; + this->state = NM_VPN_STATE_INIT; + set_state(this, NM_VPN_STATE_STOPPED); + + if (pthread_create(&this->thread, NULL, (void*(*)(void*))dispatch, this) != 0) + { + charon->kill(charon, "unable to create stroke thread"); + } + + return &this->public.interface; +} + diff --git a/src/charon/control/interfaces/dbus_interface.h b/src/charon/control/interfaces/dbus_interface.h new file mode 100644 index 000000000..0ce57bbbc --- /dev/null +++ b/src/charon/control/interfaces/dbus_interface.h 
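Review bot: message_handler() executes `startConnection`/`stopConnection` for whichever sender reaches the object: nothing in this hunk inspects `dbus_message_get_sender()` or the caller's unix user, so whether an unprivileged local process can bring the VPN up or tear it down is decided solely by the system-bus policy for `org.freedesktop.NetworkManager.strongswan`, which this hunk does not provide. At minimum record that above message_handler(): `/* no sender check here: access to startConnection/stopConnection is enforced only by the D-Bus system bus policy for NM_DBUS_SERVICE_STRONG */`, or reject senders that are not NetworkManager. In start_connection() the `passwords`, `data` and `routes` arrays filled by dbus_message_get_args() belong to the caller per libdbus's contract and must be released with `dbus_free_string_array()`; they are never freed, so each call leaks them and the (unused) `passwords` strings linger in the heap. get_state() likewise sends `reply` without `dbus_message_unref()`, and stop_connection() never builds a method return at all, so a client waits for the reply timeout even though the handler reports DBUS_HANDLER_RESULT_HANDLED.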
@@ -0,0 +1,57 @@
+/**
+ * @file dbus_interface.h
+ *
+ * @brief Interface of dbus_interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DBUS_INTERFACE_H_
+#define DBUS_INTERFACE_H_
+
+typedef struct dbus_interface_t dbus_interface_t;
+
+#include
+
+/**
+ * @brief The DBUS interface uses the DBUS system bus to communicate.
+ *
+ * @b Constructors:
+ * - dbus_interface_create()
+ *
+ * @ingroup interfaces
+ */
+struct dbus_interface_t {
+
+ /**
+ * implements interface_t.
+ */
+ interface_t interface;
+};
+
+
+/**
+ * @brief Create the DBUS interface.
+ *
+ * @return stroke_t object
+ *
+ * @ingroup interfaces
+ */
+interface_t *interface_create();
+
+#endif /* DBUS_INTERFACE_H_ */
+
diff --git a/src/charon/control/interfaces/interface.h b/src/charon/control/interfaces/interface.h
new file mode 100644
index 000000000..955f4a4eb
--- /dev/null
+++ b/src/charon/control/interfaces/interface.h
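Review bot: The constructor is declared as `interface_t *interface_create();`, an old-style declaration without a prototype, so a call that passes arguments compiles silently; declare it `interface_t *interface_create(void);`, which also matches the `interface_constructor_t` typedef in interface.h. The Doxygen block above it still says `@return stroke_t object`, apparently copied from the stroke module, and the struct comment lists `dbus_interface_create()` as the constructor although no such symbol is declared; `@return interface_t object` and `- interface_create()` would describe what this header exports. Because the dbus implementation in this commit defines the same non-static name `interface_create`, and interface.h describes that name as the per-module constructor, the modules presumably cannot be linked into one binary together; a sentence in this header stating how the manager is expected to locate the constructor would save the next reader that inference.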
@@ -0,0 +1,59 @@
+/**
+ * @file interface.h
+ *
+ * @brief Interface of interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef INTERFACE_H_
+#define INTERFACE_H_
+
+typedef struct interface_t interface_t;
+
+/**
+ * @brief Interface for a controller.
+ *
+ * An interface controls the daemon by calling functions on the
+ * interface_manager. All interfaces are manager by the interface_manager
+ * in a generic way, so they need their own class.
+ *
+ * @b Constructors:
+ * - interface_create() of one of the modules
+ *
+ * @ingroup interfaces
+ */
+struct interface_t {
+
+ /**
+ * @brief Destroy all interfaces
+ *
+ * @param this stroke_t objec to destroy
+ */
+ void (*destroy) (interface_t *this);
+};
+
+
+/**
+ * Constructor in a control interface module to create the interface.
+ *
+ * @ingroup interfaces
+ */
+typedef interface_t*(*interface_constructor_t)(void);
+
+#endif /* INTERFACE_H_ */
+
diff --git a/src/charon/control/interfaces/stroke_interface.c b/src/charon/control/interfaces/stroke_interface.c
new file mode 100755
index 000000000..6e3427e8e
--- /dev/null
+++ b/src/charon/control/interfaces/stroke_interface.c
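Review bot: The comment on the `destroy` member of `struct interface_t` is inaccurate: `@brief Destroy all interfaces` describes a manager-level operation, but the method takes a single `interface_t *this`, and the dbus implementation in this commit tears down only its own thread, connection and object; `@param this stroke_t objec to destroy` also names the wrong type. I would write `@brief Destroy this interface and release its resources` and `@param this interface_t object to destroy`. The struct description reads "All interfaces are manager by the interface_manager", which should be "managed by". The `interface_constructor_t` comment would be more useful if it stated the symbol name a module must export (the text above suggests `interface_create`) and who owns the returned object, since that contract is what each module has to honour.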
@@ -0,0 +1,1728 @@
+/**
+ * @file stroke_interface.c
+ *
+ * @brief Implementation of stroke_interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "stroke_interface.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define IKE_PORT 500
+#define PATH_BUF 256
+#define STROKE_THREADS 3
+
+struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
+
+
+typedef struct private_stroke_interface_t private_stroke_interface_t;
+
+/**
+ * Private data of an stroke_interfacet object.
+ */
+struct private_stroke_interface_t {
+
+ /**
+ * Public part of stroke_interfacet object.
+ */
+ stroke_interface_t public;
+
+ /**
+ * Unix socket to listen for strokes
+ */
+ int socket;
+
+ /**
+ * Thread which reads from the Socket
+ */
+ pthread_t threads[STROKE_THREADS];
+};
+
+typedef struct stroke_log_info_t stroke_log_info_t;
+
+/**
+ * helper struct to say what and where to log when using controller callback
+ */
+struct stroke_log_info_t {
+
+ /**
+ * level to log up to
+ */
+ level_t level;
+
+ /**
+ * where to write log
+ */
+ FILE* out;
+};
+
+/**
+ * Helper function which corrects the string pointers
+ * in a stroke_msg_t.
Strings in a stroke_msg sent over "wire" + * contains RELATIVE addresses (relative to the beginning of the + * stroke_msg). They must be corrected if they reach our address + * space... + */ +static void pop_string(stroke_msg_t *msg, char **string) +{ + if (*string == NULL) + return; + + /* check for sanity of string pointer and string */ + if (string < (char**)msg + || string > (char**)msg + sizeof(stroke_msg_t) + || (unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg) + || (unsigned long)*string > msg->length) + { + *string = "(invalid pointer in stroke msg)"; + } + else + { + *string = (char*)msg + (unsigned long)*string; + } +} + +/** + * Load end entitity certificate + */ +static x509_t* load_end_certificate(const char *filename, identification_t **idp) +{ + char path[PATH_BUF]; + x509_t *cert; + + if (*filename == '/') + { + /* absolute path name */ + snprintf(path, sizeof(path), "%s", filename); + } + else + { + /* relative path name */ + snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename); + } + + cert = x509_create_from_file(path, "end entity"); + + if (cert) + { + identification_t *id = *idp; + identification_t *subject = cert->get_subject(cert); + + err_t ugh = cert->is_valid(cert, NULL); + + if (ugh != NULL) + { + DBG1(DBG_CFG, "warning: certificate %s", ugh); + } + if (!id->equals(id, subject) && !cert->equals_subjectAltName(cert, id)) + { + id->destroy(id); + id = subject; + *idp = id->clone(id); + } + return charon->credentials->add_end_certificate(charon->credentials, cert); + } + return NULL; +} + +/** + * Load ca certificate + */ +static x509_t* load_ca_certificate(const char *filename) +{ + char path[PATH_BUF]; + x509_t *cert; + + if (*filename == '/') + { + /* absolute path name */ + snprintf(path, sizeof(path), "%s", filename); + } + else + { + /* relative path name */ + snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename); + } + + cert = x509_create_from_file(path, "ca"); + + if (cert) + { + if 
(cert->is_ca(cert)) + { + return charon->credentials->add_auth_certificate(charon->credentials, cert, AUTH_CA); + } + else + { + DBG1(DBG_CFG, " CA basic constraints flag not set, cert discarded"); + cert->destroy(cert); + } + } + return NULL; +} + +/** + * Pop the strings of a stroke_end_t struct and log them for debugging purposes + */ +static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end) +{ + pop_string(msg, &end->address); + pop_string(msg, &end->subnet); + pop_string(msg, &end->sourceip); + pop_string(msg, &end->id); + pop_string(msg, &end->cert); + pop_string(msg, &end->ca); + pop_string(msg, &end->groups); + pop_string(msg, &end->updown); + + DBG2(DBG_CFG, " %s=%s", label, end->address); + DBG2(DBG_CFG, " %ssubnet=%s", label, end->subnet); + DBG2(DBG_CFG, " %ssourceip=%s", label, end->sourceip); + DBG2(DBG_CFG, " %sid=%s", label, end->id); + DBG2(DBG_CFG, " %scert=%s", label, end->cert); + DBG2(DBG_CFG, " %sca=%s", label, end->ca); + DBG2(DBG_CFG, " %sgroups=%s", label, end->groups); + DBG2(DBG_CFG, " %supdown=%s", label, end->updown); +} + +/** + * Add a connection to the configuration list + */ +static void stroke_add_conn(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + identification_t *my_id, *other_id; + identification_t *my_ca = NULL; + identification_t *other_ca = NULL; + bool my_ca_same = FALSE; + bool other_ca_same =FALSE; + host_t *my_host, *other_host, *my_subnet, *other_subnet; + host_t *my_vip = NULL, *other_vip = NULL; + proposal_t *proposal; + traffic_selector_t *my_ts, *other_ts; + char *interface; + bool use_existing = FALSE; + iterator_t *iterator; + + pop_string(msg, &msg->add_conn.name); + DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name); + DBG2(DBG_CFG, "conn %s", msg->add_conn.name); + pop_end(msg, "left", &msg->add_conn.me); + pop_end(msg, "right", &msg->add_conn.other); + pop_string(msg, 
&msg->add_conn.algorithms.ike); + pop_string(msg, &msg->add_conn.algorithms.esp); + DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike); + DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp); + + my_host = msg->add_conn.me.address? + host_create_from_string(msg->add_conn.me.address, IKE_PORT) : NULL; + if (my_host == NULL) + { + DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address); + return; + } + + other_host = msg->add_conn.other.address ? + host_create_from_string(msg->add_conn.other.address, IKE_PORT) : NULL; + if (other_host == NULL) + { + DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address); + my_host->destroy(my_host); + return; + } + + interface = charon->kernel_interface->get_interface(charon->kernel_interface, + other_host); + if (interface) + { + stroke_end_t tmp_end; + host_t *tmp_host; + + DBG2(DBG_CFG, "left is other host, swapping ends\n"); + + tmp_host = my_host; + my_host = other_host; + other_host = tmp_host; + + tmp_end = msg->add_conn.me; + msg->add_conn.me = msg->add_conn.other; + msg->add_conn.other = tmp_end; + free(interface); + } + if (!interface) + { + interface = charon->kernel_interface->get_interface( + charon->kernel_interface, my_host); + if (!interface) + { + DBG1(DBG_CFG, "left nor right host is our side, aborting\n"); + goto destroy_hosts; + } + free(interface); + } + + my_id = identification_create_from_string(msg->add_conn.me.id ? + msg->add_conn.me.id : msg->add_conn.me.address); + if (my_id == NULL) + { + DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id); + goto destroy_hosts; + } + + other_id = identification_create_from_string(msg->add_conn.other.id ? + msg->add_conn.other.id : msg->add_conn.other.address); + if (other_id == NULL) + { + DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id); + my_id->destroy(my_id); + goto destroy_hosts; + } + + my_subnet = host_create_from_string(msg->add_conn.me.subnet ? 
+ msg->add_conn.me.subnet : msg->add_conn.me.address, IKE_PORT); + if (my_subnet == NULL) + { + DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet); + goto destroy_ids; + } + + other_subnet = host_create_from_string(msg->add_conn.other.subnet ? + msg->add_conn.other.subnet : msg->add_conn.other.address, IKE_PORT); + if (other_subnet == NULL) + { + DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet); + my_subnet->destroy(my_subnet); + goto destroy_ids; + } + + if (msg->add_conn.me.virtual_ip) + { + my_vip = host_create_from_string(msg->add_conn.me.sourceip, 0); + } + if (msg->add_conn.other.virtual_ip) + { + other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0); + } + + if (msg->add_conn.me.tohost) + { + my_ts = traffic_selector_create_dynamic(msg->add_conn.me.protocol, + my_host->get_family(my_host) == AF_INET ? + TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE, + msg->add_conn.me.port ? msg->add_conn.me.port : 0, + msg->add_conn.me.port ? msg->add_conn.me.port : 65535); + } + else + { + my_ts = traffic_selector_create_from_subnet(my_subnet, + msg->add_conn.me.subnet ? msg->add_conn.me.subnet_mask : 0, + msg->add_conn.me.protocol, msg->add_conn.me.port); + } + my_subnet->destroy(my_subnet); + + if (msg->add_conn.other.tohost) + { + other_ts = traffic_selector_create_dynamic(msg->add_conn.other.protocol, + other_host->get_family(other_host) == AF_INET ? + TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE, + msg->add_conn.other.port ? msg->add_conn.other.port : 0, + msg->add_conn.other.port ? msg->add_conn.other.port : 65535); + } + else + { + other_ts = traffic_selector_create_from_subnet(other_subnet, + msg->add_conn.other.subnet ? 
msg->add_conn.other.subnet_mask : 0, + msg->add_conn.other.protocol, msg->add_conn.other.port); + } + other_subnet->destroy(other_subnet); + + if (msg->add_conn.me.ca) + { + if (streq(msg->add_conn.me.ca, "%same")) + { + my_ca_same = TRUE; + } + else + { + my_ca = identification_create_from_string(msg->add_conn.me.ca); + } + } + if (msg->add_conn.other.ca) + { + if (streq(msg->add_conn.other.ca, "%same")) + { + other_ca_same = TRUE; + } + else + { + other_ca = identification_create_from_string(msg->add_conn.other.ca); + } + } + if (msg->add_conn.me.cert) + { + x509_t *cert = load_end_certificate(msg->add_conn.me.cert, &my_id); + + if (cert) + { + ca_info_t *ca_info; + + if (cert->is_self_signed(cert)) + { + /* a self-signed certificate is its own ca */ + ca_info = ca_info_create(NULL, cert); + ca_info = charon->credentials->add_ca_info(charon->credentials, ca_info); + cert->set_ca_info(cert, ca_info); + } + else + { + /* get_issuer() automatically sets cert->ca_info */ + ca_info = charon->credentials->get_issuer(charon->credentials, cert); + } + if (my_ca == NULL && !my_ca_same) + { + identification_t *issuer = cert->get_issuer(cert); + + my_ca = issuer->clone(issuer); + } + } + } + if (msg->add_conn.other.cert) + { + x509_t *cert = load_end_certificate(msg->add_conn.other.cert, &other_id); + + if (cert) + { + ca_info_t *ca_info; + + if (cert->is_self_signed(cert)) + { + /* a self-signed certificate is its own ca */ + ca_info = ca_info_create(NULL, cert); + ca_info = charon->credentials->add_ca_info(charon->credentials, ca_info); + cert->set_ca_info(cert, ca_info); + } + else + { + /* get_issuer() automatically sets cert->ca_info */ + ca_info = charon->credentials->get_issuer(charon->credentials, cert); + } + if (other_ca == NULL && !other_ca_same) + { + identification_t *issuer = cert->get_issuer(cert); + + other_ca = issuer->clone(issuer); + } + } + } + if (other_ca_same && my_ca) + { + other_ca = my_ca->clone(my_ca); + } + else if (my_ca_same && other_ca) + { + 
my_ca = other_ca->clone(other_ca); + } + if (my_ca == NULL) + { + my_ca = identification_create_from_string("%any"); + } + if (other_ca == NULL) + { + other_ca = identification_create_from_string("%any"); + } + DBG2(DBG_CFG, " my ca: '%D'", my_ca); + DBG2(DBG_CFG, " other ca:'%D'", other_ca); + + /* have a look for an (almost) identical peer config to reuse */ + iterator = charon->backends->create_iterator(charon->backends); + while (iterator->iterate(iterator, (void**)&peer_cfg)) + { + ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); + if (my_id->equals(my_id, peer_cfg->get_my_id(peer_cfg)) + && other_id->equals(other_id, peer_cfg->get_other_id(peer_cfg)) + && my_host->equals(my_host, ike_cfg->get_my_host(ike_cfg)) + && other_host->equals(other_host, ike_cfg->get_other_host(ike_cfg)) + && other_ca->equals(other_ca, peer_cfg->get_other_ca(peer_cfg)) + && peer_cfg->get_ike_version(peer_cfg) == (msg->add_conn.ikev2 ? 2 : 1) + && peer_cfg->get_auth_method(peer_cfg) == msg->add_conn.auth_method + && peer_cfg->get_eap_type(peer_cfg) == msg->add_conn.eap_type) + { + DBG1(DBG_CFG, "reusing existing configuration '%s'", + peer_cfg->get_name(peer_cfg)); + use_existing = TRUE; + break; + } + } + iterator->destroy(iterator); + + if (use_existing) + { + DESTROY_IF(my_vip); + DESTROY_IF(other_vip); + my_host->destroy(my_host); + my_id->destroy(my_id); + my_ca->destroy(my_ca); + other_host->destroy(other_host); + other_id->destroy(other_id); + other_ca->destroy(other_ca); + } + else + { + ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND, + my_host, other_host); + + if (msg->add_conn.algorithms.ike) + { + char *proposal_string; + char *strict = msg->add_conn.algorithms.ike + strlen(msg->add_conn.algorithms.ike) - 1; + + if (*strict == '!') + *strict = '\0'; + else + strict = NULL; + + while ((proposal_string = strsep(&msg->add_conn.algorithms.ike, ","))) + { + proposal = proposal_create_from_string(PROTO_IKE, proposal_string); + if (proposal == NULL) + { + 
DBG1(DBG_CFG, "invalid IKE proposal string: %s", proposal_string); + my_id->destroy(my_id); + other_id->destroy(other_id); + my_ts->destroy(my_ts); + other_ts->destroy(other_ts); + my_ca->destroy(my_ca); + other_ca->destroy(other_ca); + ike_cfg->destroy(ike_cfg); + return; + } + ike_cfg->add_proposal(ike_cfg, proposal); + } + if (!strict) + { + proposal = proposal_create_default(PROTO_IKE); + ike_cfg->add_proposal(ike_cfg, proposal); + } + } + else + { + proposal = proposal_create_default(PROTO_IKE); + ike_cfg->add_proposal(ike_cfg, proposal); + } + + + peer_cfg = peer_cfg_create(msg->add_conn.name, msg->add_conn.ikev2 ? 2 : 1, + ike_cfg, my_id, other_id, my_ca, other_ca, msg->add_conn.me.sendcert, + msg->add_conn.auth_method, msg->add_conn.eap_type, + msg->add_conn.rekey.tries, msg->add_conn.rekey.ike_lifetime, + msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin, + msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100, + msg->add_conn.rekey.reauth, msg->add_conn.dpd.delay, + msg->add_conn.dpd.action,my_vip, other_vip); + } + + child_cfg = child_cfg_create( + msg->add_conn.name, msg->add_conn.rekey.ipsec_lifetime, + msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, + msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100, + msg->add_conn.me.updown, msg->add_conn.me.hostaccess, + msg->add_conn.mode); + + peer_cfg->add_child_cfg(peer_cfg, child_cfg); + + child_cfg->add_traffic_selector(child_cfg, TRUE, my_ts); + child_cfg->add_traffic_selector(child_cfg, FALSE, other_ts); + + if (msg->add_conn.algorithms.esp) + { + char *proposal_string; + char *strict = msg->add_conn.algorithms.esp + strlen(msg->add_conn.algorithms.esp) - 1; + + if (*strict == '!') + *strict = '\0'; + else + strict = NULL; + + while ((proposal_string = strsep(&msg->add_conn.algorithms.esp, ","))) + { + proposal = proposal_create_from_string(PROTO_ESP, proposal_string); + if (proposal == NULL) + { + DBG1(DBG_CFG, "invalid ESP proposal string: %s", 
proposal_string); + peer_cfg->destroy(peer_cfg); + return; + } + child_cfg->add_proposal(child_cfg, proposal); + } + if (!strict) + { + proposal = proposal_create_default(PROTO_ESP); + child_cfg->add_proposal(child_cfg, proposal); + } + } + else + { + proposal = proposal_create_default(PROTO_ESP); + child_cfg->add_proposal(child_cfg, proposal); + } + + if (!use_existing) + { + /* add config to backend */ + charon->backends->add_peer_cfg(charon->backends, peer_cfg); + DBG1(DBG_CFG, "added configuration '%s': %H[%D]...%H[%D]", + msg->add_conn.name, my_host, my_id, other_host, other_id); + } + return; + + /* mopping up after parsing errors */ + +destroy_ids: + my_id->destroy(my_id); + other_id->destroy(other_id); + +destroy_hosts: + my_host->destroy(my_host); + other_host->destroy(other_host); +} + +/** + * Delete a connection from the list + */ +static void stroke_del_conn(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + iterator_t *peer_iter, *child_iter; + peer_cfg_t *peer, *child; + + pop_string(msg, &(msg->del_conn.name)); + DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name); + + peer_iter = charon->backends->create_iterator(charon->backends); + while (peer_iter->iterate(peer_iter, (void**)&peer)) + { + /* remove peer config with such a name */ + if (streq(peer->get_name(peer), msg->del_conn.name)) + { + peer_iter->remove(peer_iter); + peer->destroy(peer); + continue; + } + /* remove any child with such a name */ + child_iter = peer->create_child_cfg_iterator(peer); + while (child_iter->iterate(child_iter, (void**)&child)) + { + if (streq(child->get_name(child), msg->del_conn.name)) + { + child_iter->remove(child_iter); + child->destroy(child); + } + } + child_iter->destroy(child_iter); + } + peer_iter->destroy(peer_iter); + + fprintf(out, "deleted connection '%s'\n", msg->del_conn.name); +} + +/** + * get the child_cfg with the same name as the peer cfg + */ +static child_cfg_t* get_child_from_peer(peer_cfg_t 
*peer_cfg, char *name) +{ + child_cfg_t *current, *found = NULL; + iterator_t *iterator; + + iterator = peer_cfg->create_child_cfg_iterator(peer_cfg); + while (iterator->iterate(iterator, (void**)¤t)) + { + if (streq(current->get_name(current), name)) + { + found = current; + found->get_ref(found); + break; + } + } + iterator->destroy(iterator); + return found; +} + +/** + * logging to the stroke interface + */ +static bool stroke_log(stroke_log_info_t *info, signal_t signal, level_t level, + ike_sa_t *ike_sa, char *format, va_list args) +{ + if (level <= info->level) + { + if (vfprintf(info->out, format, args) < 0 || + fprintf(info->out, "\n") < 0 || + fflush(info->out) != 0) + { + return FALSE; + } + } + return TRUE; +} + +/** + * get a peer configuration by its name, or a name of its children + */ +static peer_cfg_t *get_peer_cfg_by_name(char *name) +{ + iterator_t *i1, *i2; + peer_cfg_t *current, *found = NULL; + child_cfg_t *child; + + i1 = charon->backends->create_iterator(charon->backends); + while (i1->iterate(i1, (void**)¤t)) + { + /* compare peer_cfgs name first */ + if (streq(current->get_name(current), name)) + { + found = current; + found->get_ref(found); + break; + } + /* compare all child_cfg names otherwise */ + i2 = current->create_child_cfg_iterator(current); + while (i2->iterate(i2, (void**)&child)) + { + if (streq(child->get_name(child), name)) + { + found = current; + found->get_ref(found); + break; + } + } + i2->destroy(i2); + if (found) + { + break; + } + } + i1->destroy(i1); + return found; +} + +/** + * initiate a connection by name + */ +static void stroke_initiate(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + stroke_log_info_t info; + + pop_string(msg, &(msg->initiate.name)); + DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name); + + peer_cfg = get_peer_cfg_by_name(msg->initiate.name); + if (peer_cfg == NULL) + { + fprintf(out, "no config named 
'%s'\n", msg->initiate.name); + return; + } + if (peer_cfg->get_ike_version(peer_cfg) != 2) + { + DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config", + peer_cfg->get_ike_version(peer_cfg)); + peer_cfg->destroy(peer_cfg); + return; + } + + child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name); + if (child_cfg == NULL) + { + fprintf(out, "no child config named '%s'\n", msg->initiate.name); + peer_cfg->destroy(peer_cfg); + return; + } + + info.out = out; + info.level = msg->output_verbosity; + + charon->interfaces->initiate(charon->interfaces, peer_cfg, child_cfg, + (interface_manager_cb_t)stroke_log, &info); +} + +/** + * route a policy (install SPD entries) + */ +static void stroke_route(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + stroke_log_info_t info; + + pop_string(msg, &(msg->route.name)); + DBG1(DBG_CFG, "received stroke: route '%s'", msg->route.name); + + peer_cfg = get_peer_cfg_by_name(msg->route.name); + if (peer_cfg == NULL) + { + fprintf(out, "no config named '%s'\n", msg->route.name); + return; + } + if (peer_cfg->get_ike_version(peer_cfg) != 2) + { + peer_cfg->destroy(peer_cfg); + return; + } + + child_cfg = get_child_from_peer(peer_cfg, msg->route.name); + if (child_cfg == NULL) + { + fprintf(out, "no child config named '%s'\n", msg->route.name); + peer_cfg->destroy(peer_cfg); + return; + } + + info.out = out; + info.level = msg->output_verbosity; + charon->interfaces->route(charon->interfaces, peer_cfg, child_cfg, + (interface_manager_cb_t)stroke_log, &info); + peer_cfg->destroy(peer_cfg); + child_cfg->destroy(child_cfg); +} + +/** + * unroute a policy + */ +static void stroke_unroute(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + char *name; + ike_sa_t *ike_sa; + iterator_t *iterator; + stroke_log_info_t info; + + pop_string(msg, &(msg->terminate.name)); + name = msg->terminate.name; + + info.out = out; + info.level = 
msg->output_verbosity; + + iterator = charon->interfaces->create_ike_sa_iterator(charon->interfaces); + while (iterator->iterate(iterator, (void**)&ike_sa)) + { + child_sa_t *child_sa; + iterator_t *children; + u_int32_t id; + + children = ike_sa->create_child_sa_iterator(ike_sa); + while (children->iterate(children, (void**)&child_sa)) + { + if (child_sa->get_state(child_sa) == CHILD_ROUTED && + streq(name, child_sa->get_name(child_sa))) + { + id = child_sa->get_reqid(child_sa); + children->destroy(children); + iterator->destroy(iterator); + charon->interfaces->unroute(charon->interfaces, id, + (interface_manager_cb_t)stroke_log, &info); + return; + } + } + children->destroy(children); + } + iterator->destroy(iterator); + DBG1(DBG_CFG, "no such SA found"); +} + +/** + * terminate a connection by name + */ +static void stroke_terminate(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + char *string, *pos = NULL, *name = NULL; + u_int32_t id = 0; + bool child; + int len; + ike_sa_t *ike_sa; + iterator_t *iterator; + stroke_log_info_t info; + + pop_string(msg, &(msg->terminate.name)); + string = msg->terminate.name; + DBG1(DBG_CFG, "received stroke: terminate '%s'", string); + + len = strlen(string); + if (len < 1) + { + DBG1(DBG_CFG, "error parsing string"); + return; + } + switch (string[len-1]) + { + case '}': + child = TRUE; + pos = strchr(string, '{'); + break; + case ']': + child = FALSE; + pos = strchr(string, '['); + break; + default: + name = string; + child = FALSE; + break; + } + + if (name) + { + /* is a single name */ + } + else if (pos == string + len - 2) + { /* is name[] or name{} */ + string[len-2] = '\0'; + name = string; + } + else + { /* is name[123] or name{23} */ + string[len-1] = '\0'; + id = atoi(pos + 1); + if (id == 0) + { + DBG1(DBG_CFG, "error parsing string"); + return; + } + } + + info.out = out; + info.level = msg->output_verbosity; + + iterator = charon->interfaces->create_ike_sa_iterator(charon->interfaces); + 
while (iterator->iterate(iterator, (void**)&ike_sa)) + { + child_sa_t *child_sa; + iterator_t *children; + + if (child) + { + children = ike_sa->create_child_sa_iterator(ike_sa); + while (children->iterate(children, (void**)&child_sa)) + { + if ((name && streq(name, child_sa->get_name(child_sa))) || + (id && id == child_sa->get_reqid(child_sa))) + { + id = child_sa->get_reqid(child_sa); + children->destroy(children); + iterator->destroy(iterator); + + charon->interfaces->terminate_child(charon->interfaces, id, + (interface_manager_cb_t)stroke_log, &info); + return; + } + } + children->destroy(children); + } + else if ((name && streq(name, ike_sa->get_name(ike_sa))) || + (id && id == ike_sa->get_unique_id(ike_sa))) + { + id = ike_sa->get_unique_id(ike_sa); + /* unlock manager first */ + iterator->destroy(iterator); + + charon->interfaces->terminate_ike(charon->interfaces, id, + (interface_manager_cb_t)stroke_log, &info); + return; + } + + } + iterator->destroy(iterator); + DBG1(DBG_CFG, "no such SA found"); +} + +/** + * Add a ca information record to the cainfo list + */ +static void stroke_add_ca(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + x509_t *cacert; + ca_info_t *ca_info; + + pop_string(msg, &msg->add_ca.name); + pop_string(msg, &msg->add_ca.cacert); + pop_string(msg, &msg->add_ca.crluri); + pop_string(msg, &msg->add_ca.crluri2); + pop_string(msg, &msg->add_ca.ocspuri); + pop_string(msg, &msg->add_ca.ocspuri2); + + DBG1(DBG_CFG, "received stroke: add ca '%s'", msg->add_ca.name); + + DBG2(DBG_CFG, "ca %s", msg->add_ca.name); + DBG2(DBG_CFG, " cacert=%s", msg->add_ca.cacert); + DBG2(DBG_CFG, " crluri=%s", msg->add_ca.crluri); + DBG2(DBG_CFG, " crluri2=%s", msg->add_ca.crluri2); + DBG2(DBG_CFG, " ocspuri=%s", msg->add_ca.ocspuri); + DBG2(DBG_CFG, " ocspuri2=%s", msg->add_ca.ocspuri2); + + if (msg->add_ca.cacert == NULL) + { + DBG1(DBG_CFG, "missing cacert parameter\n"); + return; + } + + cacert = 
load_ca_certificate(msg->add_ca.cacert); + + if (cacert == NULL) + { + return; + } + ca_info = ca_info_create(msg->add_ca.name, cacert); + + if (msg->add_ca.crluri) + { + chunk_t uri = { msg->add_ca.crluri, strlen(msg->add_ca.crluri) }; + + ca_info->add_crluri(ca_info, uri); + } + if (msg->add_ca.crluri2) + { + chunk_t uri = { msg->add_ca.crluri2, strlen(msg->add_ca.crluri2) }; + + ca_info->add_crluri(ca_info, uri); + } + if (msg->add_ca.ocspuri) + { + chunk_t uri = { msg->add_ca.ocspuri, strlen(msg->add_ca.ocspuri) }; + + ca_info->add_ocspuri(ca_info, uri); + } + if (msg->add_ca.ocspuri2) + { + chunk_t uri = { msg->add_ca.ocspuri2, strlen(msg->add_ca.ocspuri2) }; + + ca_info->add_ocspuri(ca_info, uri); + } + charon->credentials->add_ca_info(charon->credentials, ca_info); + DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name); + +} + +/** + * Delete a ca information record from the cainfo list + */ +static void stroke_del_ca(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + status_t status; + + pop_string(msg, &(msg->del_ca.name)); + DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name); + + status = charon->credentials->release_ca_info(charon->credentials, + msg->del_ca.name); + + if (status == SUCCESS) + { + fprintf(out, "deleted ca '%s'\n", msg->del_ca.name); + } + else + { + fprintf(out, "no ca named '%s'\n", msg->del_ca.name); + } +} + +/** + * log an IKE_SA to out + */ +static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) +{ + peer_cfg_t *cfg = ike_sa->get_peer_cfg(ike_sa); + ike_sa_id_t *id = ike_sa->get_id(ike_sa); + u_int32_t next, now = time(NULL); + + fprintf(out, "%12s[%d]: %N, %H[%D]...%H[%D]\n", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), + ike_sa_state_names, ike_sa->get_state(ike_sa), + ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa), + ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa)); + + if (all) + { + fprintf(out, "%12s[%d]: IKE SPIs: 0x%0llx_i%s 0x%0llx_r%s, ", + 
ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), + id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "", + id->get_responder_spi(id), id->is_initiator(id) ? "" : ""); + + ike_sa->get_stats(ike_sa, &next); + if (next) + { + fprintf(out, "%s in %V\n", cfg->use_reauth(cfg) ? + "reauthentication" : "rekeying", &now, &next); + } + else + { + fprintf(out, "rekeying disabled\n"); + } + } +} + +/** + * log an CHILD_SA to out + */ +static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) +{ + u_int32_t rekey, now = time(NULL); + u_int32_t use_in, use_out, use_fwd; + encryption_algorithm_t encr_alg; + integrity_algorithm_t int_alg; + size_t encr_len, int_len; + mode_t mode; + + child_sa->get_stats(child_sa, &mode, &encr_alg, &encr_len, + &int_alg, &int_len, &rekey, &use_in, &use_out, + &use_fwd); + + fprintf(out, "%12s{%d}: %N, %N", + child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), + child_sa_state_names, child_sa->get_state(child_sa), + mode_names, mode); + + if (child_sa->get_state(child_sa) == CHILD_INSTALLED) + { + fprintf(out, ", %N SPIs: 0x%0x_i 0x%0x_o", + protocol_id_names, child_sa->get_protocol(child_sa), + htonl(child_sa->get_spi(child_sa, TRUE)), + htonl(child_sa->get_spi(child_sa, FALSE))); + + if (all) + { + fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa), + child_sa->get_reqid(child_sa)); + + + if (child_sa->get_protocol(child_sa) == PROTO_ESP) + { + fprintf(out, "%N", encryption_algorithm_names, encr_alg); + + if (encr_len) + { + fprintf(out, "-%d", encr_len); + } + fprintf(out, "/"); + } + + fprintf(out, "%N", integrity_algorithm_names, int_alg); + if (int_len) + { + fprintf(out, "-%d", int_len); + } + fprintf(out, ", rekeying "); + + if (rekey) + { + fprintf(out, "in %V", &now, &rekey); + } + else + { + fprintf(out, "disabled"); + } + + fprintf(out, ", last use: "); + use_in = max(use_in, use_fwd); + if (use_in) + { + fprintf(out, "%ds_i ", now - use_in); + } + else + { + fprintf(out, "no_i "); + } + if 
(use_out) + { + fprintf(out, "%ds_o ", now - use_out); + } + else + { + fprintf(out, "no_o "); + } + } + } + + fprintf(out, "\n%12s{%d}: %#R=== %#R\n", + child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), + child_sa->get_traffic_selectors(child_sa, TRUE), + child_sa->get_traffic_selectors(child_sa, FALSE)); +} + +/** + * show status of daemon + */ +static void stroke_status(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out, bool all) +{ + iterator_t *iterator, *children; + linked_list_t *list; + host_t *host; + peer_cfg_t *peer_cfg; + ike_cfg_t *ike_cfg; + child_cfg_t *child_cfg; + ike_sa_t *ike_sa; + char *name = NULL; + + if (msg->status.name) + { + pop_string(msg, &(msg->status.name)); + name = msg->status.name; + } + + if (all) + { + leak_detective_status(out); + + fprintf(out, "Performance:\n"); + fprintf(out, " worker threads: %d idle of %d,", + charon->thread_pool->get_idle_threads(charon->thread_pool), + charon->thread_pool->get_pool_size(charon->thread_pool)); + fprintf(out, " job queue load: %d,", + charon->job_queue->get_count(charon->job_queue)); + fprintf(out, " scheduled events: %d\n", + charon->event_queue->get_count(charon->event_queue)); + list = charon->kernel_interface->create_address_list(charon->kernel_interface); + + fprintf(out, "Listening on %d IP addresses:\n", list->get_count(list)); + while (list->remove_first(list, (void**)&host) == SUCCESS) + { + fprintf(out, " %H\n", host); + host->destroy(host); + } + list->destroy(list); + + fprintf(out, "Connections:\n"); + iterator = charon->backends->create_iterator(charon->backends); + while (iterator->iterate(iterator, (void**)&peer_cfg)) + { + if (peer_cfg->get_ike_version(peer_cfg) != 2 || + (name && !streq(name, peer_cfg->get_name(peer_cfg)))) + { + continue; + } + + ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); + fprintf(out, "%12s: %H[%D]...%H[%D]\n", peer_cfg->get_name(peer_cfg), + ike_cfg->get_my_host(ike_cfg), peer_cfg->get_my_id(peer_cfg), + 
ike_cfg->get_other_host(ike_cfg), peer_cfg->get_other_id(peer_cfg)); + { + identification_t *my_ca = peer_cfg->get_my_ca(peer_cfg); + identification_t *other_ca = peer_cfg->get_other_ca(peer_cfg); + + if (my_ca->get_type(my_ca) != ID_ANY + || other_ca->get_type(other_ca) != ID_ANY) + { + fprintf(out, "%12s: CAs: '%D'...'%D'\n", peer_cfg->get_name(peer_cfg), + my_ca, other_ca); + } + } + children = peer_cfg->create_child_cfg_iterator(peer_cfg); + while (children->iterate(children, (void**)&child_cfg)) + { + linked_list_t *my_ts, *other_ts; + my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); + other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL); + fprintf(out, "%12s: %#R=== %#R\n", child_cfg->get_name(child_cfg), + my_ts, other_ts); + my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); + other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy)); + } + children->destroy(children); + } + iterator->destroy(iterator); + } + + iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager); + if (all && iterator->get_count(iterator) > 0) + { + fprintf(out, "Security Associations:\n"); + } + while (iterator->iterate(iterator, (void**)&ike_sa)) + { + bool ike_printed = FALSE; + child_sa_t *child_sa; + iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa); + + if (name == NULL || streq(name, ike_sa->get_name(ike_sa))) + { + log_ike_sa(out, ike_sa, all); + ike_printed = TRUE; + } + + while (children->iterate(children, (void**)&child_sa)) + { + if (name == NULL || streq(name, child_sa->get_name(child_sa))) + { + if (!ike_printed) + { + log_ike_sa(out, ike_sa, all); + ike_printed = TRUE; + } + log_child_sa(out, child_sa, all); + } + } + children->destroy(children); + } + iterator->destroy(iterator); +} + +/** + * list all authority certificates matching a specified flag + */ +static void list_auth_certificates(private_stroke_interface_t *this, u_int flag, + const char *label, bool 
utc, FILE *out) +{ + bool first = TRUE; + x509_t *cert; + + iterator_t *iterator = charon->credentials->create_auth_cert_iterator(charon->credentials); + + while (iterator->iterate(iterator, (void**)&cert)) + { + if (cert->has_authority_flag(cert, flag)) + { + if (first) + { + fprintf(out, "\n"); + fprintf(out, "List of X.509 %s Certificates:\n", label); + fprintf(out, "\n"); + first = FALSE; + } + cert->list(cert, out, utc); + fprintf(out, "\n"); + } + } + iterator->destroy(iterator); +} + +/** + * list various information + */ +static void stroke_list(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + iterator_t *iterator; + + if (msg->list.flags & LIST_CERTS) + { + x509_t *cert; + + iterator = charon->credentials->create_cert_iterator(charon->credentials); + if (iterator->get_count(iterator)) + { + fprintf(out, "\n"); + fprintf(out, "List of X.509 End Entity Certificates:\n"); + fprintf(out, "\n"); + } + while (iterator->iterate(iterator, (void**)&cert)) + { + cert->list(cert, out, msg->list.utc); + if (charon->credentials->has_rsa_private_key( + charon->credentials, cert->get_public_key(cert))) + { + fprintf(out, ", has private key"); + } + fprintf(out, "\n"); + + } + iterator->destroy(iterator); + } + if (msg->list.flags & LIST_CACERTS) + { + list_auth_certificates(this, AUTH_CA, "CA", msg->list.utc, out); + } + if (msg->list.flags & LIST_OCSPCERTS) + { + list_auth_certificates(this, AUTH_OCSP, "OCSP", msg->list.utc, out); + } + if (msg->list.flags & LIST_AACERTS) + { + list_auth_certificates(this, AUTH_AA, "AA", msg->list.utc, out); + } + if (msg->list.flags & LIST_CAINFOS) + { + ca_info_t *ca_info; + bool first = TRUE; + + iterator = charon->credentials->create_cainfo_iterator(charon->credentials); + while (iterator->iterate(iterator, (void**)&ca_info)) + { + if (ca_info->is_ca(ca_info)) + { + if (first) + { + fprintf(out, "\n"); + fprintf(out, "List of X.509 CA Information Records:\n"); + fprintf(out, "\n"); + first = FALSE; + } + 
ca_info->list(ca_info, out, msg->list.utc); + } + } + iterator->destroy(iterator); + } + if (msg->list.flags & LIST_CRLS) + { + ca_info_t *ca_info; + bool first = TRUE; + + iterator = charon->credentials->create_cainfo_iterator(charon->credentials); + while (iterator->iterate(iterator, (void **)&ca_info)) + { + if (ca_info->is_ca(ca_info) && ca_info->has_crl(ca_info)) + { + if (first) + { + fprintf(out, "\n"); + fprintf(out, "List of X.509 CRLs:\n"); + fprintf(out, "\n"); + first = FALSE; + } + ca_info->list_crl(ca_info, out, msg->list.utc); + } + } + iterator->destroy(iterator); + } + if (msg->list.flags & LIST_OCSP) + { + ca_info_t *ca_info; + bool first = TRUE; + + iterator = charon->credentials->create_cainfo_iterator(charon->credentials); + while (iterator->iterate(iterator, (void **)&ca_info)) + { + if (ca_info->is_ca(ca_info) && ca_info->has_certinfos(ca_info)) + { + if (first) + { + fprintf(out, "\n"); + fprintf(out, "List of OCSP responses:\n"); + first = FALSE; + } + fprintf(out, "\n"); + ca_info->list_certinfos(ca_info, out, msg->list.utc); + } + } + iterator->destroy(iterator); + } +} + +/** + * reread various information + */ +static void stroke_reread(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + if (msg->reread.flags & REREAD_CACERTS) + { + charon->credentials->load_ca_certificates(charon->credentials); + } + if (msg->reread.flags & REREAD_OCSPCERTS) + { + charon->credentials->load_ocsp_certificates(charon->credentials); + } + if (msg->reread.flags & REREAD_CRLS) + { + charon->credentials->load_crls(charon->credentials); + } +} + +/** + * purge various information + */ +static void stroke_purge(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + if (msg->purge.flags & PURGE_OCSP) + { + iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials); + ca_info_t *ca_info; + + while (iterator->iterate(iterator, (void**)&ca_info)) + { + if (ca_info->is_ca(ca_info)) + { + 
ca_info->purge_ocsp(ca_info); + } + } + iterator->destroy(iterator); + } +} + +signal_t get_signal_from_logtype(char *type) +{ + if (strcasecmp(type, "any") == 0) return SIG_ANY; + else if (strcasecmp(type, "mgr") == 0) return DBG_MGR; + else if (strcasecmp(type, "ike") == 0) return DBG_IKE; + else if (strcasecmp(type, "chd") == 0) return DBG_CHD; + else if (strcasecmp(type, "job") == 0) return DBG_JOB; + else if (strcasecmp(type, "cfg") == 0) return DBG_CFG; + else if (strcasecmp(type, "knl") == 0) return DBG_KNL; + else if (strcasecmp(type, "net") == 0) return DBG_NET; + else if (strcasecmp(type, "enc") == 0) return DBG_ENC; + else if (strcasecmp(type, "lib") == 0) return DBG_LIB; + else return -1; +} + +/** + * set the verbosity debug output + */ +static void stroke_loglevel(private_stroke_interface_t *this, + stroke_msg_t *msg, FILE *out) +{ + signal_t signal; + + pop_string(msg, &(msg->loglevel.type)); + DBG1(DBG_CFG, "received stroke: loglevel %d for %s", + msg->loglevel.level, msg->loglevel.type); + + signal = get_signal_from_logtype(msg->loglevel.type); + if (signal < 0) + { + fprintf(out, "invalid type (%s)!\n", msg->loglevel.type); + return; + } + + charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level); + charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level); +} + +/** + * process a stroke request from the socket pointed by "fd" + */ +static void stroke_process(private_stroke_interface_t *this, int strokefd) +{ + stroke_msg_t *msg; + u_int16_t msg_length; + ssize_t bytes_read; + FILE *out; + + /* peek the length */ + bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK); + if (bytes_read != sizeof(msg_length)) + { + DBG1(DBG_CFG, "reading length of stroke message failed"); + close(strokefd); + return; + } + + /* read message */ + msg = malloc(msg_length); + bytes_read = recv(strokefd, msg, msg_length, 0); + if (bytes_read != msg_length) + { + DBG1(DBG_CFG, "reading stroke message failed: %s", 
strerror(errno)); + close(strokefd); + return; + } + + out = fdopen(dup(strokefd), "w"); + if (out == NULL) + { + DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno)); + close(strokefd); + free(msg); + return; + } + + DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length); + + switch (msg->type) + { + case STR_INITIATE: + stroke_initiate(this, msg, out); + break; + case STR_ROUTE: + stroke_route(this, msg, out); + break; + case STR_UNROUTE: + stroke_unroute(this, msg, out); + break; + case STR_TERMINATE: + stroke_terminate(this, msg, out); + break; + case STR_STATUS: + stroke_status(this, msg, out, FALSE); + break; + case STR_STATUS_ALL: + stroke_status(this, msg, out, TRUE); + break; + case STR_ADD_CONN: + stroke_add_conn(this, msg, out); + break; + case STR_DEL_CONN: + stroke_del_conn(this, msg, out); + break; + case STR_ADD_CA: + stroke_add_ca(this, msg, out); + break; + case STR_DEL_CA: + stroke_del_ca(this, msg, out); + break; + case STR_LOGLEVEL: + stroke_loglevel(this, msg, out); + break; + case STR_LIST: + stroke_list(this, msg, out); + break; + case STR_REREAD: + stroke_reread(this, msg, out); + break; + case STR_PURGE: + stroke_purge(this, msg, out); + break; + default: + DBG1(DBG_CFG, "received unknown stroke"); + } + fclose(out); + close(strokefd); + free(msg); +} + +/** + * Implementation of private_stroke_interface_t.stroke_receive. + */ +static void stroke_receive(private_stroke_interface_t *this) +{ + struct sockaddr_un strokeaddr; + int strokeaddrlen = sizeof(strokeaddr); + int oldstate; + int strokefd; + + charon->drop_capabilities(charon, TRUE); + + /* ignore sigpipe. writing over the pipe back to the console + * only fails if SIGPIPE is ignored. 
*/ + signal(SIGPIPE, SIG_IGN); + + /* disable cancellation by default */ + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); + + while (TRUE) + { + /* wait for connections, but allow thread to terminate */ + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen); + pthread_setcancelstate(oldstate, NULL); + + if (strokefd < 0) + { + DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno)); + continue; + } + stroke_process(this, strokefd); + } +} + +/** + * Implementation of interface_t.destroy. + */ +static void destroy(private_stroke_interface_t *this) +{ + int i; + + for (i = 0; i < STROKE_THREADS; i++) + { + pthread_cancel(this->threads[i]); + pthread_join(this->threads[i], NULL); + } + + close(this->socket); + unlink(socket_addr.sun_path); + free(this); +} + +/* + * Described in header-file + */ +interface_t *interface_create() +{ + private_stroke_interface_t *this = malloc_thing(private_stroke_interface_t); + mode_t old; + int i; + + /* public functions */ + this->public.interface.destroy = (void (*)(interface_t*))destroy; + + /* set up unix socket */ + this->socket = socket(AF_UNIX, SOCK_STREAM, 0); + if (this->socket == -1) + { + DBG1(DBG_CFG, "could not create stroke socket"); + free(this); + return NULL; + } + + old = umask(~S_IRWXU); + if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0) + { + DBG1(DBG_CFG, "could not bind stroke socket: %s", strerror(errno)); + close(this->socket); + free(this); + return NULL; + } + umask(old); + + if (listen(this->socket, 0) < 0) + { + DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno)); + close(this->socket); + unlink(socket_addr.sun_path); + free(this); + return NULL; + } + + /* start threads reading from the socket */ + for (i = 0; i < STROKE_THREADS; i++) + { + if (pthread_create(&this->threads[i], NULL, (void*(*)(void*))stroke_receive, this) != 0) + { + 
charon->kill(charon, "unable to create stroke thread"); + } + } + + return &this->public.interface; +} diff --git a/src/charon/control/interfaces/stroke_interface.h b/src/charon/control/interfaces/stroke_interface.h new file mode 100644 index 000000000..f1b68023a --- /dev/null +++ b/src/charon/control/interfaces/stroke_interface.h @@ -0,0 +1,60 @@ +/** + * @file stroke_interface.h + * + * @brief Interface of stroke_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef STROKE_INTERFACE_H_ +#define STROKE_INTERFACE_H_ + +typedef struct stroke_interface_t stroke_interface_t; + +#include + +/** + * @brief Simple configuration interface using unix-sockets. + * + * Stroke is a home-brewed communication interface inspired by whack. It + * uses a unix socket (/var/run/charon.ctl). + * + * @b Constructors: + * - stroke_create() + * + * @ingroup interfaces + */ +struct stroke_interface_t { + + /** + * implements interface_t. + */ + interface_t interface; +}; + + +/** + * @brief Create the stroke interface and listen on the socket. + * + * @return interface_t for the stroke interface + * + * @ingroup interfaces + */ +interface_t *interface_create(void); + +#endif /* STROKE_INTERFACE_H_ */ + diff --git a/src/charon/control/interfaces/xml_interface.c b/src/charon/control/interfaces/xml_interface.c new file mode 100644 index 000000000..e570f2543 --- /dev/null +++ b/src/charon/control/interfaces/xml_interface.c 
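Review bot: The Doxygen block names `stroke_create()` under `@b Constructors:`, but the only function this header declares is `interface_create(void)`, so the entry should read `- interface_create()` or readers will look for a function that does not exist. The same generic symbol is declared by xml_interface.h in this commit, which is only safe if each control interface is built as its own loadable object rather than linked into one binary; a one-line comment such as `/* every control interface is a separate module exporting interface_create() */` would record that constraint next to the prototype. The literal `/var/run/charon.ctl` in the brief cannot be checked against this header and would be better stated by reference to the socket path constant the implementation uses.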
@@ -0,0 +1,63 @@ +/** + * @file xml_interface.c + * + * @brief Implementation of xml_interface_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include "xml_interface.h" + +#include +#include + + +typedef struct private_xml_interface_t private_xml_interface_t; + +/** + * Private data of an xml_interface_t object. + */ +struct private_xml_interface_t { + + /** + * Public part of xml_t object. + */ + xml_interface_t public; +}; + + +/** + * Implementation of itnerface_t.destroy. + */ +static void destroy(private_xml_interface_t *this) +{ + free(this); +} + +/* + * Described in header file + */ +interface_t *interface_create() +{ + private_xml_interface_t *this = malloc_thing(private_xml_interface_t); + + this->public.interface.destroy = (void (*)(xml_interface_t*))destroy; + + return &this->public.interface; +} diff --git a/src/charon/control/interfaces/xml_interface.h b/src/charon/control/interfaces/xml_interface.h new file mode 100644 index 000000000..6d88c3842 --- /dev/null +++ b/src/charon/control/interfaces/xml_interface.h 
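Review bot: In interface_create the destroy callback is cast to `void (*)(xml_interface_t*)` even though it is assigned to `public.interface.destroy`, which takes an `interface_t*` (stroke_interface.c in this same commit casts to `(void (*)(interface_t*))destroy`), so the pointer types do not match and the line should be `this->public.interface.destroy = (void (*)(interface_t*))destroy;`. The comment above destroy misspells `itnerface_t`. Because this file only allocates and frees the struct, a `/* TODO: stub, no socket is opened yet */` on the constructor would keep anyone reading the header's "uses a socket" claim from assuming a control channel already exists.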
@@ -0,0 +1,57 @@ +/** + * @file xml_interface.h + * + * @brief Interface of xml_interface_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef XML_INTERFACE_H_ +#define XML_INTERFACE_H_ + +typedef struct xml_interface_t xml_interface_t; + +#include + +/** + * @brief The XML interface uses a socket to communicate using XML. + * + * @b Constructors: + * - xml_interface_create() + * + * @ingroup interfaces + */ +struct xml_interface_t { + + /** + * implements interface_t. + */ + interface_t interface; +}; + + +/** + * @brief Create the XML interface. + * + * @return stroke_t object + * + * @ingroup interfaces + */ +interface_t *interface_create(void); + +#endif /* XML_INTERFACE_H_ */ + diff --git a/src/charon/daemon.c b/src/charon/daemon.c index 7671aea86..62e29b365 100644 --- a/src/charon/daemon.c +++ b/src/charon/daemon.c @@ -23,6 +23,8 @@ */ #include +#include +#include #include #include #include @@ -42,10 +44,13 @@ #include #include #include -#include -#include +#include #include +/* on some distros, a capset definition is missing */ +#ifdef NO_CAPSET_DEFINED +extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap); +#endif /* NO_CAPSET_DEFINED */ typedef struct private_daemon_t private_daemon_t; 
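Review bot: The constructor documentation is copied from the stroke header: `@return stroke_t object` should be `@return interface_t for the XML interface`, and the `- xml_interface_create()` entry under `@b Constructors:` should name the function actually declared, `interface_create()`. The brief states the interface "uses a socket to communicate using XML", but the accompanying xml_interface.c opens no socket, so that sentence should be marked as intended behaviour (`planned: ...`) rather than presented as fact.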
@@ -165,7 +170,7 @@ static void destroy(private_daemon_t *this) /* we don't want to receive anything anymore... */ DESTROY_IF(this->public.receiver); /* ignore all incoming user requests */ - DESTROY_IF(this->public.stroke); + DESTROY_IF(this->public.interfaces); /* stop scheduing jobs */ DESTROY_IF(this->public.scheduler); /* stop processing jobs */ @@ -177,11 +182,8 @@ static void destroy(private_daemon_t *this) /* destroy other infrastructure */ DESTROY_IF(this->public.job_queue); DESTROY_IF(this->public.event_queue); - DESTROY_IF(this->public.configuration); DESTROY_IF(this->public.credentials); - DESTROY_IF(this->public.connections); - DESTROY_IF(this->public.policies); - sched_yield(); + DESTROY_IF(this->public.backends); /* we hope the sender could send the outstanding deletes, but * we shut down here at any cost */ DESTROY_IF(this->public.sender); @@ -195,6 +197,7 @@ static void destroy(private_daemon_t *this) free(this); } + /** * Enforce daemon shutdown, with a given reason to do so. */ @@ -218,11 +221,50 @@ static void kill_daemon(private_daemon_t *this, char *reason) } } +/** + * drop daemon capabilities + */ +static void drop_capabilities(private_daemon_t *this, bool full) +{ + struct __user_cap_header_struct hdr; + struct __user_cap_data_struct data; + /* CAP_NET_ADMIN is needed to use netlink */ + u_int32_t keep = (1<public.syslog->set_level(this->public.syslog, - signal, levels[signal]); - } - else + this->public.syslog->set_level(this->public.syslog, + signal, levels[signal]); + if (!syslog) { this->public.outlog->set_level(this->public.outlog, signal, levels[signal]); 
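Review bot: The failure handling of capset() in drop_capabilities cannot be reviewed here because the text between `u_int32_t keep = (1<` and the syslog lines is lost in this rendering, so please confirm that a failed capset() is fatal (via kill_daemon or an equivalent hard stop) rather than logged and ignored; a daemon that silently keeps its full capability set is worse than one that refuses to start, because operators will believe the hardening took effect. The only visible comment explains CAP_NET_ADMIN; a short header comment listing which capabilities survive for `full == TRUE` versus `FALSE`, e.g. `/* keeps CAP_NET_ADMIN (netlink); with full == FALSE the startup-only capabilities are retained as well */`, would make the two call sites in main() understandable without reading the mask construction. drop_capabilities and the following initialize() changes share this hunk; initialize() continues outside it.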
@@ -259,14 +298,12 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog, DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION); - this->public.configuration = configuration_create(); this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT); this->public.ike_sa_manager = ike_sa_manager_create(); this->public.job_queue = job_queue_create(); this->public.event_queue = event_queue_create(); - this->public.connections = (connection_store_t*)local_connection_store_create(); - this->public.policies = (policy_store_t*)local_policy_store_create(); - this->public.credentials = (credential_store_t*)local_credential_store_create(strict); + this->public.credentials = (credential_store_t*)local_credential_store_create(); + this->public.backends = backend_manager_create(); /* initialize fetcher_t class */ fetcher_initialize(); @@ -274,12 +311,14 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog, /* load secrets, ca certificates and crls */ credentials = this->public.credentials; credentials->load_ca_certificates(credentials); + credentials->load_aa_certificates(credentials); + credentials->load_attr_certificates(credentials); credentials->load_ocsp_certificates(credentials); credentials->load_crls(credentials); credentials->load_secrets(credentials); /* start building threads, we are multi-threaded NOW */ - this->public.stroke = stroke_create(); + this->public.interfaces = interface_manager_create(); this->public.sender = sender_create(); this->public.receiver = receiver_create(); this->public.scheduler = scheduler_create(); 
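Review bot: The `strict` argument is removed from local_credential_store_create() and the strict CRL policy is now applied only after initialize() returns (via ca_info_set_options in main), yet this same function already starts the interface, sender, receiver and scheduler threads (`/* start building threads, we are multi-threaded NOW */`); if the receiver hands incoming packets to the thread pool immediately, there is a startup window in which peers are authenticated under the default `STRICT_NO` policy regardless of `--strictcrlpolicy`. The same ordering applies to eap_method_load(), which main() also calls after initialize(). Either apply the parsed options before initialize() spawns threads, or pass them into initialize() and apply them ahead of `interface_manager_create()`, and mark the constraint with a comment such as `/* all policy options must be set before any thread can process IKE traffic */`. initialize() begins and ends outside this hunk.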
@@ -327,22 +366,21 @@ private_daemon_t *daemon_create(void) /* assign methods */ this->public.kill = (void (*) (daemon_t*,char*))kill_daemon; + this->public.drop_capabilities = (void(*)(daemon_t*,bool))drop_capabilities; /* NULL members for clean destruction */ this->public.socket = NULL; this->public.ike_sa_manager = NULL; this->public.job_queue = NULL; this->public.event_queue = NULL; - this->public.configuration = NULL; this->public.credentials = NULL; - this->public.connections = NULL; - this->public.policies = NULL; + this->public.backends = NULL; this->public.sender= NULL; this->public.receiver = NULL; this->public.scheduler = NULL; this->public.kernel_interface = NULL; this->public.thread_pool = NULL; - this->public.stroke = NULL; + this->public.interfaces = NULL; this->public.bus = NULL; this->public.outlog = NULL; this->public.syslog = NULL; @@ -399,7 +437,7 @@ static void usage(const char *msg) int main(int argc, char *argv[]) { u_int crl_check_interval = 0; - bool strict_crl_policy = FALSE; + strict_t strict_crl_policy = STRICT_NO; bool cache_crls = FALSE; bool use_syslog = FALSE; char *eapdir = IPSEC_EAPDIR; @@ -412,6 +450,11 @@ int main(int argc, char *argv[]) level_t levels[DBG_MAX]; int signal; + prctl(PR_SET_KEEPCAPS, 1); + + /* drop the capabilities we won't need at all */ + drop_capabilities(NULL, FALSE); + /* use CTRL loglevel for default */ for (signal = 0; signal < DBG_MAX; signal++) { @@ -425,7 +468,7 @@ int main(int argc, char *argv[]) { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, 'v' }, { "use-syslog", no_argument, NULL, 'l' }, - { "strictcrlpolicy", no_argument, NULL, 'r' }, + { "strictcrlpolicy", required_argument, NULL, 'r' }, { "cachecrls", no_argument, NULL, 'C' }, { "crlcheckinterval", required_argument, NULL, 'x' }, { "eapdir", required_argument, NULL, 'e' }, 
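Review bot: `prctl(PR_SET_KEEPCAPS, 1);` ignores its return value; if the call fails and the daemon later changes uid (not visible here), every capability including CAP_NET_ADMIN is cleared and the kernel interface fails much later with an unrelated error, so check it at the call site, e.g. `if (prctl(PR_SET_KEEPCAPS, 1) != 0) { perror("prctl(PR_SET_KEEPCAPS)"); return 1; }`. The first capability drop passes a NULL daemon, `drop_capabilities(NULL, FALSE);`, so whatever drop_capabilities does on failure must tolerate `this == NULL` — worth a comment on this line, `/* this == NULL: the daemon does not exist yet, the callee must not dereference it */`. main() continues outside this hunk.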
@@ -458,7 +501,7 @@ int main(int argc, char *argv[]) use_syslog = TRUE; continue; case 'r': - strict_crl_policy = TRUE; + strict_crl_policy = atoi(optarg); continue; case 'C': cache_crls = TRUE; @@ -484,13 +527,13 @@ int main(int argc, char *argv[]) charon = (daemon_t*)private_charon; /* initialize daemon */ - initialize(private_charon, strict_crl_policy, use_syslog, levels); + initialize(private_charon, use_syslog, levels); /* load pluggable EAP modules */ eap_method_load(eapdir); - /* set cache_crls and crl_check_interval options */ - ca_info_set_options(cache_crls, crl_check_interval); + /* set strict_crl_policy, cache_crls and crl_check_interval options */ + ca_info_set_options(strict_crl_policy, cache_crls, crl_check_interval); /* check/setup PID file */ if (stat(PID_FILE, &stb) == 0) @@ -516,6 +559,9 @@ int main(int argc, char *argv[]) } list->destroy(list); + /* drop additional capabilites (bind & root) */ + drop_capabilities(private_charon, TRUE); + /* run daemon */ run(private_charon); @@ -527,3 +573,4 @@ int main(int argc, char *argv[]) return 0; } + diff --git a/src/charon/daemon.h b/src/charon/daemon.h index 420262474..640bc6a09 100644 --- a/src/charon/daemon.h +++ b/src/charon/daemon.h @@ -29,22 +29,20 @@ typedef struct daemon_t daemon_t; #include -#include -#include -#include -#include -#include -#include +#include +#include #include +#include +#include +#include +#include +#include +#include #include #include #include #include -#include -#include -#include -#include -#include +#include /** * @defgroup charon charon @@ -97,6 +95,14 @@ typedef struct daemon_t daemon_t; * netlink socket. It waits for kernel events and processes them appropriately. */ +/** + * @defgroup bus bus + * + * Signaling bus and its listeners. + * + * @ingroup charon + */ + /** * @defgroup config config * 
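Review bot: `strict_crl_policy = atoi(optarg);` accepts any text: `--strictcrlpolicy yes` silently becomes 0 (STRICT_NO), so the option looks enabled while revocation checking is not strict, and values outside the `strict_t` enumerators are stored unchecked. Parse with strtol(), reject empty input, trailing characters, overflow and values below STRICT_NO, and add an upper bound against the enum's last member (not visible here) so a typo fails at startup instead of weakening policy; usage() is assumed to terminate the process as for other bad options — verify. Since the option used to be a flag, the accepted numeric values should also be listed in usage(). main() continues outside this hunk.
```c
case 'r':
{
    char *end = NULL;
    long value;

    errno = 0;
    value = strtol(optarg, &end, 10);
    /* reject "", trailing junk, overflow and values below STRICT_NO;
     * additionally bound value by the last strict_t member */
    if (*optarg == '\0' || *end != '\0' || errno == ERANGE || value < STRICT_NO)
    {
        usage("invalid --strictcrlpolicy value");
    }
    strict_crl_policy = (strict_t)value;
    continue;
}
```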
@@ -105,6 +111,38 @@ typedef struct daemon_t daemon_t; * @ingroup charon */ +/** + * @defgroup backends backends + * + * Classes implementing configuration backends. + * + * @ingroup config + */ + +/** + * @defgroup credentials credentials + * + * Trust chain verification and certificate store. + * + * @ingroup config + */ + +/** + * @defgroup control control + * + * Handling of loadable control interface modules. + * + * @ingroup charon + */ + +/** + * @defgroup interfaces interfaces + * + * Classes which control the daemon using IPC mechanisms. + * + * @ingroup control + */ + /** * @defgroup encoding encoding * @@ -122,52 +160,49 @@ typedef struct daemon_t daemon_t; */ /** - * @defgroup network network + * @defgroup kernel kernel * - * Classes for network relevant stuff. + * Classes to configure and query the kernel. * * @ingroup charon */ /** - * @defgroup queues queues + * @defgroup network network * - * Different kind of queues - * (thread save lists). + * Classes for sending and receiving UDP packets over the network. * * @ingroup charon */ /** - * @defgroup jobs jobs + * @defgroup processing processing * - * Jobs used in job queue and event queue. + * Queueing, scheduling and processing of jobs * - * @ingroup queues + * @ingroup charon */ /** - * @defgroup sa sa + * @defgroup jobs jobs * - * Security associations for IKE and IPSec, - * and some helper classes. + * Jobs to queue, schedule and process. * - * @ingroup charon + * @ingroup processing */ /** - * @defgroup tasks tasks + * @defgroup sa sa * - * Tasks process and build message payloads. They are used to create - * and process multiple exchanges. + * Security associations for IKE and IPSec, and its helper classes. * - * @ingroup sa + * @ingroup charon */ /** * @defgroup authenticators authenticators * - * Authenticator classes to prove identity of peer. + * Authenticator classes to prove identity of a peer. * * @ingroup sa */ 
@@ -175,25 +210,18 @@ typedef struct daemon_t daemon_t; /** * @defgroup eap eap * - * EAP authentication module interface and it's implementations. + * EAP module loader, interface and it's implementations. * * @ingroup authenticators */ - + /** - * @defgroup threads threads - * - * Threaded classes, which will do their job alone. - * - * @ingroup charon - */ - -/** - * @defgroup bus bus + * @defgroup tasks tasks * - * Signaling bus and its listeners. + * Tasks process and build message payloads. They are used to create + * and process multiple exchanges. * - * @ingroup charon + * @ingroup sa */ /** @@ -263,12 +291,26 @@ typedef struct daemon_t daemon_t; #define CERTIFICATE_DIR IPSEC_D_DIR "/certs" /** - * Default directory for trusted CA certificates + * Default directory for trusted Certification Authority certificates * * @ingroup charon */ #define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts" +/** + * Default directory for Authorization Authority certificates + * + * @ingroup charon + */ +#define AA_CERTIFICATE_DIR IPSEC_D_DIR "/aacerts" + +/** + * Default directory for Attribute certificates + * + * @ingroup charon + */ +#define ATTR_CERTIFICATE_DIR IPSEC_D_DIR "/acerts" + /** * Default directory for OCSP signing certificates * @@ -317,19 +359,9 @@ struct daemon_t { ike_sa_manager_t *ike_sa_manager; /** - * A configuration_t instance. + * Manager for the different configuration backends. */ - configuration_t *configuration; - - /** - * A connection_store_t instance. - */ - connection_store_t *connections; - - /** - * A policy_store_t instance. - */ - policy_store_t *policies; + backend_manager_t *backends; /** * A credential_store_t instance. 
@@ -382,15 +414,23 @@ struct daemon_t { kernel_interface_t *kernel_interface; /** - * IPC interface, as whack in pluto + * Interfaces for IPC + */ + interface_manager_t *interfaces; + + /** + * @brief Let the calling thread drop its capabilities. + * + * @param this calling daemon + * @param full TRUE to drop as many as possible */ - stroke_t *stroke; + void (*drop_capabilities) (daemon_t *this, bool full); /** * @brief Shut down the daemon. * - * @param this the daemon to kill - * @param reason describtion why it will be killed + * @param this the daemon to kill + * @param reason describtion why it will be killed */ void (*kill) (daemon_t *this, char *reason); }; diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c index 5f3f91f8b..b31b21afa 100644 --- a/src/charon/encoding/message.c +++ b/src/charon/encoding/message.c @@ -24,7 +24,6 @@ #include #include -#include #include "message.h" 
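Review bot: The new `drop_capabilities` member is documented only as `@param full TRUE to drop as many as possible`, which tells a caller neither what is kept in each mode nor that the effect is limited to the calling thread (the `@brief` says "calling thread", so the sender, receiver and worker threads that are already running keep their own sets). Expand it to something like `@param full FALSE keeps the capabilities still needed during startup, TRUE drops everything but what the running daemon needs; affects the calling thread only, threads started earlier keep their capabilities`. The re-emitted line `@param reason describtion why it will be killed` still carries the `describtion` typo; as the line is touched anyway, correct it to `description`. struct daemon_t begins outside this hunk.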
@@ -603,72 +602,50 @@ static payload_t *get_payload(private_message_t *this, payload_type_t type) } /** - * output handler in printf() + * get a string representation of the message */ -static int print(FILE *stream, const struct printf_info *info, - const void *const *args) +static char* get_string(private_message_t *this, char *buf, int len) { - private_message_t *this = *((private_message_t**)(args[0])); iterator_t *iterator; payload_t *payload; - bool first = TRUE; - size_t total_written = 0; - size_t written; + int written; + char *pos = buf; - if (this == NULL) + written = snprintf(pos, len, "%N %s [", + exchange_type_names, this->exchange_type, + this->is_request ? "request" : "response"); + if (written >= len || written < 0) { - return fprintf(stream, "(null)"); + return ""; } + pos += written; + len -= written; - written = fprintf(stream, "%N %s [", - exchange_type_names, this->exchange_type, - this->is_request ? "request" : "response"); - if (written < 0) + if (this->payloads->get_count(this->payloads) == 0) { - return written; + snprintf(pos, len, "]"); + return buf; } - total_written += written; iterator = this->payloads->create_iterator(this->payloads, TRUE); while (iterator->iterate(iterator, (void**)&payload)) { - if (!first) + written = snprintf(pos, len, "%N ", payload_type_short_names, + payload->get_type(payload)); + if (written >= len || written < 0) { - written = fprintf(stream, " "); - if (written < 0) - { - return written; - } - total_written += written; - } - else - { - first = FALSE; - } - written = fprintf(stream, "%N", payload_type_short_names, - payload->get_type(payload)); - if (written < 0) - { - return written; + return buf; } - total_written += written; + pos += written; + len -= written; } iterator->destroy(iterator); - written = fprintf(stream, "]"); - if (written < 0) - { - return written; - } - total_written += written; - return total_written; -} - -/** - * register printf() handlers - */ -static void __attribute__ 
((constructor))print_register() -{ - register_printf_function(PRINTF_MESSAGE, print, arginfo_ptr); + + /* remove last space */ + pos--; + len++; + snprintf(pos, len, "]"); + return buf; } /** @@ -757,6 +734,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* iterator_t *iterator; status_t status; chunk_t packet_data; + char str[128]; if (is_encoded(this)) { @@ -765,7 +743,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* return SUCCESS; } - DBG1(DBG_ENC, "generating %M", this); + DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str))); if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED) { @@ -1162,6 +1140,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t { status_t status = SUCCESS; payload_type_t current_payload_type; + char str[128]; current_payload_type = this->first_payload; @@ -1231,7 +1210,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t return status; } - DBG1(DBG_ENC, "parsed %M", this); + DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str))); return SUCCESS; } diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c new file mode 100644 index 000000000..d82783b03 --- /dev/null +++ b/src/charon/kernel/kernel_interface.c 
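Review bot: The truncation exit inside the payload loop of the new get_string, `if (written >= len || written < 0) { return buf; }`, returns without `iterator->destroy(iterator)`, so the iterator obtained from `create_iterator` (presumably heap-allocated, given the create/destroy pairing used elsewhere) is leaked whenever the 128-byte `str` buffers passed in by generate and parse_body run out of room, which is plausible for messages carrying many payloads. Add `iterator->destroy(iterator);` before that `return buf;`. On the same path the string is left without its closing `]`, and the first-snprintf failure returns the literal `""` instead of `buf`, which the non-const `char*` return type lets a caller write through; returning `buf` (snprintf has already NUL-terminated it) keeps the output shape uniform. The `str` declarations and the two DBG1 call sites are in the later hunks of this file.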
@@ -0,0 +1,1974 @@ +/** + * @file kernel_interface.c + * + * @brief Implementation of kernel_interface_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2006-2007 Tobias Brunner + * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser + * Copyright (C) 2006 Daniel Roethlisberger + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * Copyright (C) 2003 Herbert Xu. + * + * Based on xfrm code from pluto. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "kernel_interface.h" + +#include +#include +#include +#include +#include + +/** kernel level protocol identifiers */ +#define KERNEL_ESP 50 +#define KERNEL_AH 51 + +/** default priority of installed policies */ +#define PRIO_LOW 3000 +#define PRIO_HIGH 2000 + +#define BUFFER_SIZE 1024 + +/** + * returns a pointer to the first rtattr following the nlmsghdr *nlh and the + * 'usual' netlink data x like 'struct xfrm_usersa_info' + */ +#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x)))) +/** + * returns a pointer to the next rtattr following rta. + * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!! 
+ */ +#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len))) +/** + * returns the total size of attached rta data + * (after 'usual' netlink data x like 'struct xfrm_usersa_info') + */ +#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x)) + +typedef struct kernel_algorithm_t kernel_algorithm_t; + +/** + * Mapping from the algorithms defined in IKEv2 to + * kernel level algorithm names and their key length + */ +struct kernel_algorithm_t { + /** + * Identifier specified in IKEv2 + */ + int ikev2_id; + + /** + * Name of the algorithm, as used as kernel identifier + */ + char *name; + + /** + * Key length in bits, if fixed size + */ + u_int key_size; +}; +#define END_OF_LIST -1 + +/** + * Algorithms for encryption + */ +kernel_algorithm_t encryption_algs[] = { +/* {ENCR_DES_IV64, "***", 0}, */ + {ENCR_DES, "des", 64}, + {ENCR_3DES, "des3_ede", 192}, +/* {ENCR_RC5, "***", 0}, */ +/* {ENCR_IDEA, "***", 0}, */ + {ENCR_CAST, "cast128", 0}, + {ENCR_BLOWFISH, "blowfish", 0}, +/* {ENCR_3IDEA, "***", 0}, */ +/* {ENCR_DES_IV32, "***", 0}, */ + {ENCR_NULL, "cipher_null", 0}, + {ENCR_AES_CBC, "aes", 0}, +/* {ENCR_AES_CTR, "***", 0}, */ + {END_OF_LIST, NULL, 0}, +}; + +/** + * Algorithms for integrity protection + */ +kernel_algorithm_t integrity_algs[] = { + {AUTH_HMAC_MD5_96, "md5", 128}, + {AUTH_HMAC_SHA1_96, "sha1", 160}, + {AUTH_HMAC_SHA2_256_128, "sha256", 256}, + {AUTH_HMAC_SHA2_384_192, "sha384", 384}, + {AUTH_HMAC_SHA2_512_256, "sha512", 512}, +/* {AUTH_DES_MAC, "***", 0}, */ +/* {AUTH_KPDK_MD5, "***", 0}, */ + {AUTH_AES_XCBC_96, "xcbc(aes)", 128}, + {END_OF_LIST, NULL, 0}, +}; + +/** + * Look up a kernel algorithm name and its key size + */ +char* lookup_algorithm(kernel_algorithm_t *kernel_algo, + algorithm_t *ikev2_algo, u_int *key_size) +{ + while (kernel_algo->ikev2_id != END_OF_LIST) + { + if (ikev2_algo->algorithm == kernel_algo->ikev2_id) + { + /* match, evaluate key length */ + if (ikev2_algo->key_size) + { /* variable 
length */ + *key_size = ikev2_algo->key_size; + } + else + { /* fixed length */ + *key_size = kernel_algo->key_size; + } + return kernel_algo->name; + } + kernel_algo++; + } + return NULL; +} + +typedef struct route_entry_t route_entry_t; + +/** + * installed routing entry + */ +struct route_entry_t { + + /** Index of the interface the route is bound to */ + int if_index; + + /** Source ip of the route */ + host_t *src_ip; + + /** gateway for this route */ + host_t *gateway; + + /** Destination net */ + chunk_t dst_net; + + /** Destination net prefixlen */ + u_int8_t prefixlen; +}; + +/** + * destroy an route_entry_t object + */ +static void route_entry_destroy(route_entry_t *this) +{ + this->src_ip->destroy(this->src_ip); + this->gateway->destroy(this->gateway); + chunk_free(&this->dst_net); + free(this); +} + +typedef struct policy_entry_t policy_entry_t; + +/** + * installed kernel policy. + */ +struct policy_entry_t { + + /** direction of this policy: in, out, forward */ + u_int8_t direction; + + /** reqid of the policy */ + u_int32_t reqid; + + /** parameters of installed policy */ + struct xfrm_selector sel; + + /** associated route installed for this policy */ + route_entry_t *route; + + /** by how many CHILD_SA's this policy is used */ + u_int refcount; +}; + +typedef struct vip_entry_t vip_entry_t; + +/** + * Installed virtual ip + */ +struct vip_entry_t { + /** Index of the interface the ip is bound to */ + u_int8_t if_index; + + /** The ip address */ + host_t *ip; + + /** Number of times this IP is used */ + u_int refcount; +}; + +/** + * destroy a vip_entry_t object + */ +static void vip_entry_destroy(vip_entry_t *this) +{ + this->ip->destroy(this->ip); + free(this); +} + +typedef struct address_entry_t address_entry_t; + +/** + * an address found on the system, containg address and interface info + */ +struct address_entry_t { + + /** address of this entry */ + host_t *host; + + /** interface index */ + int ifindex; + + /** name of the index */ + char 
ifname[IFNAMSIZ]; +}; + +/** + * destroy an address entry + */ +static void address_entry_destroy(address_entry_t *this) +{ + this->host->destroy(this->host); + free(this); +} + +typedef struct private_kernel_interface_t private_kernel_interface_t; + +/** + * Private variables and functions of kernel_interface class. + */ +struct private_kernel_interface_t { + /** + * Public part of the kernel_interface_t object. + */ + kernel_interface_t public; + + /** + * List of installed policies (kernel_entry_t) + */ + linked_list_t *policies; + + /** + * Mutex locks access to policies + */ + pthread_mutex_t policies_mutex; + + /** + * List of installed virtual IPs. (vip_entry_t) + */ + linked_list_t *vips; + + /** + * Mutex to lock access to vips. + */ + pthread_mutex_t vips_mutex; + + /** + * netlink xfrm socket to receive acquire and expire events + */ + int socket_xfrm_events; + + /** + * Netlink xfrm socket (IPsec) + */ + int socket_xfrm; + + /** + * Netlink rt socket (routing) + */ + int socket_rt; + + /** + * Thread receiving events from kernel + */ + pthread_t event_thread; +}; + +/** + * convert a host_t to a struct xfrm_address + */ +static void host2xfrm(host_t *host, xfrm_address_t *xfrm) +{ + chunk_t chunk = host->get_address(host); + memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t))); +} + +/** + * convert a traffic selector address range to subnet and its mask. + */ +static void ts2subnet(traffic_selector_t* ts, + xfrm_address_t *net, u_int8_t *mask) +{ + /* there is no way to do this cleanly, as the address range may + * be anything else but a subnet. We use from_addr as subnet + * and try to calculate a usable subnet mask. + */ + int byte, bit; + bool found = FALSE; + chunk_t from, to; + size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16; + + from = ts->get_from_address(ts); + to = ts->get_to_address(ts); + + *mask = (size * 8); + /* go trough all bits of the addresses, beginning in the front. 
+ * as long as they are equal, the subnet gets larger + */ + for (byte = 0; byte < size; byte++) + { + for (bit = 7; bit >= 0; bit--) + { + if ((1<get_from_port(ts); + to = ts->get_to_port(ts); + + if (from == to) + { + *port = htons(from); + *mask = ~0; + } + else + { + *port = 0; + *mask = 0; + } +} + +/** + * convert a pair of traffic_selectors to a xfrm_selector + */ +static struct xfrm_selector ts2selector(traffic_selector_t *src, + traffic_selector_t *dst) +{ + struct xfrm_selector sel; + + memset(&sel, 0, sizeof(sel)); + sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6; + /* src or dest proto may be "any" (0), use more restrictive one */ + sel.proto = max(src->get_protocol(src), dst->get_protocol(dst)); + ts2subnet(dst, &sel.daddr, &sel.prefixlen_d); + ts2subnet(src, &sel.saddr, &sel.prefixlen_s); + ts2ports(dst, &sel.dport, &sel.dport_mask); + ts2ports(src, &sel.sport, &sel.sport_mask); + sel.ifindex = 0; + sel.user = 0; + + return sel; +} + +/** + * Creates an rtattr and adds it to the netlink message + */ +static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, + size_t buflen) +{ + struct rtattr *rta; + + if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen) + { + DBG1(DBG_KNL, "unable to add attribute, buffer too small"); + return; + } + + rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len)); + rta->rta_type = rta_type; + rta->rta_len = RTA_LENGTH(data.len); + memcpy(RTA_DATA(rta), data.ptr, data.len); + hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len; +} + +/** + * Receives events from kernel + */ +static void receive_events(private_kernel_interface_t *this) +{ + charon->drop_capabilities(charon, TRUE); + + while(TRUE) + { + unsigned char response[512]; + struct nlmsghdr *hdr; + struct sockaddr_nl addr; + socklen_t addr_len = sizeof(addr); + int len; + + hdr = (struct nlmsghdr*)response; + len = recvfrom(this->socket_xfrm_events, response, sizeof(response), + 0, (struct 
sockaddr*)&addr, &addr_len); + if (len < 0) + { + if (errno == EINTR) + { + /* interrupted, try again */ + continue; + } + charon->kill(charon, "unable to receive netlink events"); + } + + if (!NLMSG_OK(hdr, len)) + { + /* bad netlink message */ + continue; + } + + if (addr.nl_pid != 0) + { + /* not from kernel. not interested, try another one */ + continue; + } + + /* we handle ACQUIRE and EXPIRE messages directly */ + if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE) + { + u_int32_t reqid = 0; + job_t *job; + struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire); + size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl); + if (RTA_OK(rtattr, rtsize)) + { + if (rtattr->rta_type == XFRMA_TMPL) + { + struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr); + reqid = tmpl->reqid; + } + } + if (reqid == 0) + { + DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found"); + } + else + { + DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE"); + DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", + reqid); + job = (job_t*)acquire_job_create(reqid); + charon->job_queue->add(charon->job_queue, job); + } + } + else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE) + { + job_t *job; + protocol_id_t protocol; + u_int32_t spi, reqid; + struct xfrm_user_expire *expire; + + expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr); + protocol = expire->state.id.proto == KERNEL_ESP ? + PROTO_ESP : PROTO_AH; + spi = expire->state.id.spi; + reqid = expire->state.reqid; + + DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE"); + DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)", + expire->hard ? 
"delete" : "rekey", protocol_id_names, + protocol, ntohl(spi), reqid); + if (expire->hard) + { + job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi); + } + else + { + job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi); + } + charon->job_queue->add(charon->job_queue, job); + } + } +} + +/** + * send a netlink message and wait for a reply + */ +static status_t netlink_send(int socket, struct nlmsghdr *in, + struct nlmsghdr **out, size_t *out_len) +{ + int len, addr_len; + struct sockaddr_nl addr; + chunk_t result = chunk_empty, tmp; + struct nlmsghdr *msg, peek; + + static int seq = 200; + static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + + + pthread_mutex_lock(&mutex); + + in->nlmsg_seq = ++seq; + in->nlmsg_pid = getpid(); + + memset(&addr, 0, sizeof(addr)); + addr.nl_family = AF_NETLINK; + addr.nl_pid = 0; + addr.nl_groups = 0; + + while (TRUE) + { + len = sendto(socket, in, in->nlmsg_len, 0, + (struct sockaddr*)&addr, sizeof(addr)); + + if (len != in->nlmsg_len) + { + if (errno == EINTR) + { + /* interrupted, try again */ + continue; + } + pthread_mutex_unlock(&mutex); + DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno)); + return FAILED; + } + break; + } + + while (TRUE) + { + char buf[1024]; + tmp.len = sizeof(buf); + tmp.ptr = buf; + msg = (struct nlmsghdr*)tmp.ptr; + + memset(&addr, 0, sizeof(addr)); + addr.nl_family = AF_NETLINK; + addr.nl_pid = getpid(); + addr.nl_groups = 0; + addr_len = sizeof(addr); + + len = recvfrom(socket, tmp.ptr, tmp.len, 0, + (struct sockaddr*)&addr, &addr_len); + + if (len < 0) + { + if (errno == EINTR) + { + DBG1(DBG_IKE, "got interrupted"); + /* interrupted, try again */ + continue; + } + DBG1(DBG_IKE, "error reading from netlink socket: %s", strerror(errno)); + pthread_mutex_unlock(&mutex); + return FAILED; + } + if (!NLMSG_OK(msg, len)) + { + DBG1(DBG_IKE, "received corrupted netlink message"); + pthread_mutex_unlock(&mutex); + return FAILED; + } + if (msg->nlmsg_seq != seq) + 
{ + DBG1(DBG_IKE, "received invalid netlink sequence number"); + if (msg->nlmsg_seq < seq) + { + continue; + } + pthread_mutex_unlock(&mutex); + return FAILED; + } + + tmp.len = len; + result = chunk_cata("cc", result, tmp); + + /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence + * numbers to detect multi header messages */ + len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT, + (struct sockaddr*)&addr, &addr_len); + + if (len == sizeof(peek) && peek.nlmsg_seq == seq) + { + /* seems to be multipart */ + continue; + } + break; + } + + *out_len = result.len; + *out = (struct nlmsghdr*)clalloc(result.ptr, result.len); + + pthread_mutex_unlock(&mutex); + + return SUCCESS; +} + +/** + * send a netlink message and wait for its acknowlegde + */ +static status_t netlink_send_ack(int socket, struct nlmsghdr *in) +{ + struct nlmsghdr *out, *hdr; + size_t len; + + if (netlink_send(socket, in, &out, &len) != SUCCESS) + { + return FAILED; + } + hdr = out; + while (NLMSG_OK(hdr, len)) + { + switch (hdr->nlmsg_type) + { + case NLMSG_ERROR: + { + struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr); + + if (err->error) + { + DBG1(DBG_KNL, "received netlink error: %s (%d)", + strerror(-err->error), -err->error); + free(out); + return FAILED; + } + free(out); + return SUCCESS; + } + default: + hdr = NLMSG_NEXT(hdr, len); + continue; + case NLMSG_DONE: + break; + } + break; + } + DBG1(DBG_KNL, "netlink request not acknowlegded"); + free(out); + return FAILED; +} + +/** + * Create a list of local addresses. 
+ */ +static linked_list_t *create_address_list(private_kernel_interface_t *this) +{ + char request[BUFFER_SIZE]; + struct nlmsghdr *out, *hdr; + struct rtgenmsg *msg; + size_t len; + linked_list_t *list; + + DBG2(DBG_IKE, "getting local address list"); + + list = linked_list_create(); + + memset(&request, 0, sizeof(request)); + + hdr = (struct nlmsghdr*)&request; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)); + hdr->nlmsg_type = RTM_GETADDR; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT; + msg = (struct rtgenmsg*)NLMSG_DATA(hdr); + msg->rtgen_family = AF_UNSPEC; + + if (netlink_send(this->socket_rt, hdr, &out, &len) == SUCCESS) + { + hdr = out; + while (NLMSG_OK(hdr, len)) + { + switch (hdr->nlmsg_type) + { + case RTM_NEWADDR: + { + struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr)); + struct rtattr *rta = IFA_RTA(msg); + size_t rtasize = IFA_PAYLOAD (hdr); + host_t *host = NULL; + char *name = NULL; + chunk_t local = chunk_empty, address = chunk_empty; + + while(RTA_OK(rta, rtasize)) + { + switch (rta->rta_type) + { + case IFA_LOCAL: + local.ptr = RTA_DATA(rta); + local.len = RTA_PAYLOAD(rta); + break; + case IFA_ADDRESS: + address.ptr = RTA_DATA(rta); + address.len = RTA_PAYLOAD(rta); + break; + case IFA_LABEL: + name = RTA_DATA(rta); + break; + } + rta = RTA_NEXT(rta, rtasize); + } + + /* For PPP interfaces, we need the IFA_LOCAL address, + * IFA_ADDRESS is the peers address. But IFA_LOCAL is + * not included in all cases, so fallback to IFA_ADDRESS. 
*/ + if (local.ptr) + { + host = host_create_from_chunk(msg->ifa_family, local, 0); + } + else if (address.ptr) + { + host = host_create_from_chunk(msg->ifa_family, address, 0); + } + + if (host) + { + address_entry_t *entry; + + entry = malloc_thing(address_entry_t); + entry->host = host; + entry->ifindex = msg->ifa_index; + if (name) + { + memcpy(entry->ifname, name, IFNAMSIZ); + } + else + { + strcpy(entry->ifname, "(unknown)"); + } + list->insert_last(list, entry); + } + hdr = NLMSG_NEXT(hdr, len); + continue; + } + default: + hdr = NLMSG_NEXT(hdr, len); + continue; + case NLMSG_DONE: + break; + } + break; + } + free(out); + } + else + { + DBG1(DBG_IKE, "unable to get local address list"); + } + + return list; +} + +/** + * Implements kernel_interface_t.create_address_list. + */ +static linked_list_t *create_address_list_public(private_kernel_interface_t *this) +{ + linked_list_t *result, *list; + address_entry_t *entry; + + result = linked_list_create(); + list = create_address_list(this); + while (list->remove_last(list, (void**)&entry) == SUCCESS) + { + result->insert_last(result, entry->host); + free(entry); + } + list->destroy(list); + + return result; +} + +/** + * implementation of kernel_interface_t.get_interface_name + */ +static char *get_interface_name(private_kernel_interface_t *this, host_t* ip) +{ + linked_list_t *list; + address_entry_t *entry; + char *name = NULL; + + DBG2(DBG_IKE, "getting interface name for %H", ip); + + list = create_address_list(this); + while (!name && list->remove_last(list, (void**)&entry) == SUCCESS) + { + if (ip->ip_equals(ip, entry->host)) + { + name = strdup(entry->ifname); + } + address_entry_destroy(entry); + } + list->destroy_function(list, (void*)address_entry_destroy); + + if (name) + { + DBG2(DBG_IKE, "%H is on interface %s", ip, name); + } + else + { + DBG2(DBG_IKE, "%H is not a local address", ip); + } + return name; +} + +/** + * Tries to find an ip address of a local interface that is included in the + * 
supplied traffic selector. + */ +static status_t get_address_by_ts(private_kernel_interface_t *this, + traffic_selector_t *ts, host_t **ip) +{ + address_entry_t *entry; + host_t *host; + int family; + linked_list_t *list; + bool found = FALSE; + + DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts); + + /* if we have a family which includes localhost, we do not + * search for an IP, we use the default */ + family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6; + + if (family == AF_INET) + { + host = host_create_from_string("127.0.0.1", 0); + } + else + { + host = host_create_from_string("::1", 0); + } + + if (ts->includes(ts, host)) + { + *ip = host_create_any(family); + host->destroy(host); + DBG2(DBG_IKE, "using host %H", *ip); + return SUCCESS; + } + host->destroy(host); + + list = create_address_list(this); + while (!found && list->remove_last(list, (void**)&entry) == SUCCESS) + { + if (ts->includes(ts, entry->host)) + { + found = TRUE; + *ip = entry->host->clone(entry->host); + } + address_entry_destroy(entry); + } + list->destroy_function(list, (void*)address_entry_destroy); + + if (!found) + { + DBG1(DBG_IKE, "no local address found in traffic selector %R", ts); + return FAILED; + } + DBG2(DBG_IKE, "using host %H", *ip); + return SUCCESS; +} + +/** + * get the interface of a local address + */ +static int get_interface_index(private_kernel_interface_t *this, host_t* ip) +{ + linked_list_t *list; + address_entry_t *entry; + int ifindex = 0; + + DBG2(DBG_IKE, "getting iface for %H", ip); + + list = create_address_list(this); + while (!ifindex && list->remove_last(list, (void**)&entry) == SUCCESS) + { + if (ip->ip_equals(ip, entry->host)) + { + ifindex = entry->ifindex; + } + address_entry_destroy(entry); + } + list->destroy_function(list, (void*)address_entry_destroy); + + if (ifindex == 0) + { + DBG1(DBG_IKE, "unable to get interface for %H", ip); + } + return ifindex; +} + +/** + * Manages the creation and deletion of ip 
addresses on an interface. + * By setting the appropriate nlmsg_type, the ip will be set or unset. + */ +static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type, + int flags, int if_index, host_t *ip) +{ + unsigned char request[BUFFER_SIZE]; + struct nlmsghdr *hdr; + struct ifaddrmsg *msg; + chunk_t chunk; + + memset(&request, 0, sizeof(request)); + + chunk = ip->get_address(ip); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; + hdr->nlmsg_type = nlmsg_type; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg)); + + msg = (struct ifaddrmsg*)NLMSG_DATA(hdr); + msg->ifa_family = ip->get_family(ip); + msg->ifa_flags = 0; + msg->ifa_prefixlen = 8 * chunk.len; + msg->ifa_scope = RT_SCOPE_UNIVERSE; + msg->ifa_index = if_index; + + add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request)); + + return netlink_send_ack(this->socket_rt, hdr); +} + +/** + * Manages source routes in the routing table. + * By setting the appropriate nlmsg_type, the route added or r. + */ +static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type, + int flags, route_entry_t *route) +{ + unsigned char request[BUFFER_SIZE]; + struct nlmsghdr *hdr; + struct rtmsg *msg; + chunk_t chunk; + + /* if route is 0.0.0.0/0, we can't install it, as it would + * overwrite the default route. 
Instead, we add two routes: + * 0.0.0.0/1 and 128.0.0.0/1 + * TODO: use metrics instead */ + if (route->prefixlen == 0) + { + route_entry_t half; + status_t status; + + half.dst_net = chunk_alloca(route->dst_net.len); + memset(half.dst_net.ptr, 0, half.dst_net.len); + half.src_ip = route->src_ip; + half.gateway = route->gateway; + half.if_index = route->if_index; + half.prefixlen = 1; + + status = manage_srcroute(this, nlmsg_type, flags, &half); + half.dst_net.ptr[0] |= 0x80; + status = manage_srcroute(this, nlmsg_type, flags, &half); + return status; + } + + memset(&request, 0, sizeof(request)); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; + hdr->nlmsg_type = nlmsg_type; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); + + msg = (struct rtmsg*)NLMSG_DATA(hdr); + msg->rtm_family = route->src_ip->get_family(route->src_ip); + msg->rtm_dst_len = route->prefixlen; + msg->rtm_table = RT_TABLE_MAIN; + msg->rtm_protocol = RTPROT_STATIC; + msg->rtm_type = RTN_UNICAST; + msg->rtm_scope = RT_SCOPE_UNIVERSE; + + add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request)); + chunk = route->src_ip->get_address(route->src_ip); + add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request)); + chunk = route->gateway->get_address(route->gateway); + add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request)); + chunk.ptr = (char*)&route->if_index; + chunk.len = sizeof(route->if_index); + add_attribute(hdr, RTA_OIF, chunk, sizeof(request)); + + return netlink_send_ack(this->socket_rt, hdr); +} + + +/** + * Implementation of kernel_interface_t.add_ip. 
+ */ +static status_t add_ip(private_kernel_interface_t *this, + host_t *virtual_ip, host_t *iface_ip) +{ + int targetif; + vip_entry_t *listed; + iterator_t *iterator; + + DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip); + + targetif = get_interface_index(this, iface_ip); + if (targetif == 0) + { + DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H", + virtual_ip, iface_ip); + return FAILED; + } + + /* beware of deadlocks (e.g. send/receive packets while holding the lock) */ + iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex)); + while (iterator->iterate(iterator, (void**)&listed)) + { + if (listed->if_index == targetif && + virtual_ip->ip_equals(virtual_ip, listed->ip)) + { + listed->refcount++; + iterator->destroy(iterator); + DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it", + virtual_ip, targetif); + return SUCCESS; + } + } + iterator->destroy(iterator); + + if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL, + targetif, virtual_ip) == SUCCESS) + { + listed = malloc_thing(vip_entry_t); + listed->ip = virtual_ip->clone(virtual_ip); + listed->if_index = targetif; + listed->refcount = 1; + this->vips->insert_last(this->vips, listed); + DBG2(DBG_KNL, "virtual IP %H added to iface %d", + virtual_ip, targetif); + return SUCCESS; + } + + DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d", + virtual_ip, targetif); + return FAILED; +} + +/** + * Implementation of kernel_interface_t.del_ip. + */ +static status_t del_ip(private_kernel_interface_t *this, + host_t *virtual_ip, host_t *iface_ip) +{ + int targetif; + vip_entry_t *listed; + iterator_t *iterator; + + DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip); + + targetif = get_interface_index(this, iface_ip); + if (targetif == 0) + { + DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H", + virtual_ip, iface_ip); + return FAILED; + } + + /* beware of deadlocks (e.g. 
send/receive packets while holding the lock) */ + iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex)); + while (iterator->iterate(iterator, (void**)&listed)) + { + if (listed->if_index == targetif && + virtual_ip->ip_equals(virtual_ip, listed->ip)) + { + listed->refcount--; + if (listed->refcount == 0) + { + iterator->remove(iterator); + vip_entry_destroy(listed); + iterator->destroy(iterator); + return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip); + } + iterator->destroy(iterator); + DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting", + virtual_ip); + return SUCCESS; + } + } + iterator->destroy(iterator); + + DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip); + return FAILED; +} + +/** + * Implementation of kernel_interface_t.get_spi. + */ +static status_t get_spi(private_kernel_interface_t *this, + host_t *src, host_t *dst, + protocol_id_t protocol, u_int32_t reqid, + u_int32_t *spi) +{ + unsigned char request[BUFFER_SIZE]; + struct nlmsghdr *hdr, *out; + struct xfrm_userspi_info *userspi; + u_int32_t received_spi = 0; + size_t len; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "getting SPI for reqid %d", reqid); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST; + hdr->nlmsg_type = XFRM_MSG_ALLOCSPI; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info)); + + userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr); + host2xfrm(src, &userspi->info.saddr); + host2xfrm(dst, &userspi->info.id.daddr); + userspi->info.id.proto = (protocol == PROTO_ESP) ? 
KERNEL_ESP : KERNEL_AH; + userspi->info.mode = TRUE; /* tunnel mode */ + userspi->info.reqid = reqid; + userspi->info.family = src->get_family(src); + userspi->min = 0xc0000000; + userspi->max = 0xcFFFFFFF; + + if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) + { + hdr = out; + while (NLMSG_OK(hdr, len)) + { + switch (hdr->nlmsg_type) + { + case XFRM_MSG_NEWSA: + { + struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr); + received_spi = usersa->id.spi; + break; + } + case NLMSG_ERROR: + { + struct nlmsgerr *err = NLMSG_DATA(hdr); + + DBG1(DBG_KNL, "allocating SPI failed: %s (%d)", + strerror(-err->error), -err->error); + break; + } + default: + hdr = NLMSG_NEXT(hdr, len); + continue; + case NLMSG_DONE: + break; + } + break; + } + free(out); + } + + if (received_spi == 0) + { + DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid); + return FAILED; + } + + DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid); + + *spi = received_spi; + return SUCCESS; +} + +/** + * Implementation of kernel_interface_t.add_sa. + */ +static status_t add_sa(private_kernel_interface_t *this, + host_t *src, host_t *dst, u_int32_t spi, + protocol_id_t protocol, u_int32_t reqid, + u_int64_t expire_soft, u_int64_t expire_hard, + algorithm_t *enc_alg, algorithm_t *int_alg, + prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode, + bool replace) +{ + unsigned char request[BUFFER_SIZE]; + char *alg_name; + u_int key_size; + struct nlmsghdr *hdr; + struct xfrm_usersa_info *sa; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); + + sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr); + host2xfrm(src, &sa->saddr); + host2xfrm(dst, &sa->id.daddr); + sa->id.spi = spi; + sa->id.proto = (protocol == PROTO_ESP) ? 
KERNEL_ESP : KERNEL_AH; + sa->family = src->get_family(src); + sa->mode = mode; + sa->replay_window = 32; + sa->reqid = reqid; + /* we currently do not expire SAs by volume/packet count */ + sa->lft.soft_byte_limit = XFRM_INF; + sa->lft.hard_byte_limit = XFRM_INF; + sa->lft.soft_packet_limit = XFRM_INF; + sa->lft.hard_packet_limit = XFRM_INF; + /* we use lifetimes since added, not since used */ + sa->lft.soft_add_expires_seconds = expire_soft; + sa->lft.hard_add_expires_seconds = expire_hard; + sa->lft.soft_use_expires_seconds = 0; + sa->lft.hard_use_expires_seconds = 0; + + struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info); + + if (enc_alg->algorithm != ENCR_UNDEFINED) + { + rthdr->rta_type = XFRMA_ALG_CRYPT; + alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size); + if (alg_name == NULL) + { + DBG1(DBG_KNL, "algorithm %N not supported by kernel!", + encryption_algorithm_names, enc_alg->algorithm); + return FAILED; + } + DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", + encryption_algorithm_names, enc_alg->algorithm, key_size); + + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size); + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); + algo->alg_key_len = key_size; + strcpy(algo->alg_name, alg_name); + prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key); + + rthdr = XFRM_RTA_NEXT(rthdr); + } + + if (int_alg->algorithm != AUTH_UNDEFINED) + { + rthdr->rta_type = XFRMA_ALG_AUTH; + alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size); + if (alg_name == NULL) + { + DBG1(DBG_KNL, "algorithm %N not supported by kernel!", + integrity_algorithm_names, int_alg->algorithm); + return FAILED; + } + DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", + integrity_algorithm_names, int_alg->algorithm, key_size); + + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size); + 
hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); + algo->alg_key_len = key_size; + strcpy(algo->alg_name, alg_name); + prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key); + + rthdr = XFRM_RTA_NEXT(rthdr); + } + + /* TODO: add IPComp here */ + + if (natt) + { + rthdr->rta_type = XFRMA_ENCAP; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl)); + + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr); + encap->encap_type = UDP_ENCAP_ESPINUDP; + encap->encap_sport = htons(natt->sport); + encap->encap_dport = htons(natt->dport); + memset(&encap->encap_oa, 0, sizeof (xfrm_address_t)); + /* encap_oa could probably be derived from the + * traffic selectors [rfc4306, p39]. In the netlink kernel implementation + * pluto does the same as we do here but it uses encap_oa in the + * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates + * the kernel ignores it anyway + * -> does that mean that NAT-T encap doesn't work in transport mode? + * No. The reason the kernel ignores NAT-OA is that it recomputes + * (or, rather, just ignores) the checksum. If packets pass + * the IPsec checks it marks them "checksum ok" so OA isn't needed. */ + rthdr = XFRM_RTA_NEXT(rthdr); + } + + if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) + { + DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi); + return FAILED; + } + return SUCCESS; +} + +/** + * Implementation of kernel_interface_t.update_sa. 
+ */ +static status_t update_sa(private_kernel_interface_t *this, + host_t *src, host_t *dst, + host_t *new_src, host_t *new_dst, + host_diff_t src_changes, host_diff_t dst_changes, + u_int32_t spi, protocol_id_t protocol) +{ + unsigned char request[BUFFER_SIZE]; + struct nlmsghdr *hdr, *out = NULL; + struct xfrm_usersa_id *sa_id; + struct xfrm_usersa_info *sa = NULL; + size_t len; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST; + hdr->nlmsg_type = XFRM_MSG_GETSA; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); + + sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); + host2xfrm(dst, &sa_id->daddr); + sa_id->spi = spi; + sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH; + sa_id->family = dst->get_family(dst); + + if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) + { + hdr = out; + while (NLMSG_OK(hdr, len)) + { + switch (hdr->nlmsg_type) + { + case XFRM_MSG_NEWSA: + { + sa = NLMSG_DATA(hdr); + break; + } + case NLMSG_ERROR: + { + struct nlmsgerr *err = NLMSG_DATA(hdr); + DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)", + strerror(-err->error), -err->error); + break; + } + default: + hdr = NLMSG_NEXT(hdr, len); + continue; + case NLMSG_DONE: + break; + } + break; + } + } + if (sa == NULL) + { + DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi); + free(out); + return FAILED; + } + + DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi); + + hdr = out; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_type = XFRM_MSG_UPDSA; + + if (src_changes & HOST_DIFF_ADDR) + { + host2xfrm(new_src, &sa->saddr); + } + + if (dst_changes & HOST_DIFF_ADDR) + { + hdr->nlmsg_type = XFRM_MSG_NEWSA; + host2xfrm(new_dst, &sa->id.daddr); + } + + if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT) + { + struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info); + size_t rtsize = 
XFRM_PAYLOAD(hdr, struct xfrm_usersa_info); + while (RTA_OK(rtattr, rtsize)) + { + if (rtattr->rta_type == XFRMA_ENCAP) + { + struct xfrm_encap_tmpl* encap; + encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr); + encap->encap_sport = ntohs(new_src->get_port(new_src)); + encap->encap_dport = ntohs(new_dst->get_port(new_dst)); + break; + } + rtattr = RTA_NEXT(rtattr, rtsize); + } + } + if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) + { + DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi); + free(out); + return FAILED; + } + free(out); + + if (dst_changes & HOST_DIFF_ADDR) + { + return this->public.del_sa(&this->public, dst, spi, protocol); + } + return SUCCESS; +} + +/** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_kernel_interface_t *this, host_t *dst, + u_int32_t spi, protocol_id_t protocol, + u_int32_t *use_time) +{ + unsigned char request[BUFFER_SIZE]; + struct nlmsghdr *out = NULL, *hdr; + struct xfrm_usersa_id *sa_id; + struct xfrm_usersa_info *sa = NULL; + size_t len; + + DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi); + memset(&request, 0, sizeof(request)); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST; + hdr->nlmsg_type = XFRM_MSG_GETSA; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); + + sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); + host2xfrm(dst, &sa_id->daddr); + sa_id->spi = spi; + sa_id->proto = (protocol == PROTO_ESP) ? 
KERNEL_ESP : KERNEL_AH; + sa_id->family = dst->get_family(dst); + + if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) + { + hdr = out; + while (NLMSG_OK(hdr, len)) + { + switch (hdr->nlmsg_type) + { + case XFRM_MSG_NEWSA: + { + sa = NLMSG_DATA(hdr); + break; + } + case NLMSG_ERROR: + { + struct nlmsgerr *err = NLMSG_DATA(hdr); + DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)", + strerror(-err->error), -err->error); + break; + } + default: + hdr = NLMSG_NEXT(hdr, len); + continue; + case NLMSG_DONE: + break; + } + break; + } + } + + if (sa == NULL) + { + DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi); + free(out); + return FAILED; + } + + *use_time = sa->curlft.use_time; + free (out); + return SUCCESS; +} + +/** + * Implementation of kernel_interface_t.del_sa. + */ +static status_t del_sa(private_kernel_interface_t *this, host_t *dst, + u_int32_t spi, protocol_id_t protocol) +{ + unsigned char request[BUFFER_SIZE]; + struct nlmsghdr *hdr; + struct xfrm_usersa_id *sa_id; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_type = XFRM_MSG_DELSA; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); + + sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); + host2xfrm(dst, &sa_id->daddr); + sa_id->spi = spi; + sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH; + sa_id->family = dst->get_family(dst); + + if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) + { + DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi); + return FAILED; + } + DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi); + return SUCCESS; +} + +/** + * Implementation of kernel_interface_t.add_policy. 
+ */ +static status_t add_policy(private_kernel_interface_t *this, + host_t *src, host_t *dst, + traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, + policy_dir_t direction, protocol_id_t protocol, + u_int32_t reqid, bool high_prio, mode_t mode, + bool update) +{ + iterator_t *iterator; + policy_entry_t *current, *policy; + bool found = FALSE; + unsigned char request[BUFFER_SIZE]; + struct xfrm_userpolicy_info *policy_info; + struct nlmsghdr *hdr; + + /* create a policy */ + policy = malloc_thing(policy_entry_t); + memset(policy, 0, sizeof(policy_entry_t)); + policy->sel = ts2selector(src_ts, dst_ts); + policy->direction = direction; + + /* find the policy, which matches EXACTLY */ + pthread_mutex_lock(&this->policies_mutex); + iterator = this->policies->create_iterator(this->policies, TRUE); + while (iterator->iterate(iterator, (void**)¤t)) + { + if (memcmp(¤t->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 && + policy->direction == current->direction) + { + /* use existing policy */ + if (!update) + { + current->refcount++; + DBG2(DBG_KNL, "policy %R===%R already exists, increasing ", + "refcount", src_ts, dst_ts); + } + free(policy); + policy = current; + found = TRUE; + break; + } + } + iterator->destroy(iterator); + if (!found) + { /* apply the new one, if we have no such policy */ + this->policies->insert_last(this->policies, policy); + policy->refcount = 1; + } + + DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts); + + memset(&request, 0, sizeof(request)); + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_type = XFRM_MSG_UPDPOLICY; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)); + + policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); + policy_info->sel = policy->sel; + policy_info->dir = policy->direction; + /* calculate priority based on source selector size, small size = high prio */ + policy_info->priority = high_prio ? 
PRIO_HIGH : PRIO_LOW; + policy_info->priority -= policy->sel.prefixlen_s * 10; + policy_info->priority -= policy->sel.proto ? 2 : 0; + policy_info->priority -= policy->sel.sport_mask ? 1 : 0; + policy_info->action = XFRM_POLICY_ALLOW; + policy_info->share = XFRM_SHARE_ANY; + pthread_mutex_unlock(&this->policies_mutex); + + /* policies don't expire */ + policy_info->lft.soft_byte_limit = XFRM_INF; + policy_info->lft.soft_packet_limit = XFRM_INF; + policy_info->lft.hard_byte_limit = XFRM_INF; + policy_info->lft.hard_packet_limit = XFRM_INF; + policy_info->lft.soft_add_expires_seconds = 0; + policy_info->lft.hard_add_expires_seconds = 0; + policy_info->lft.soft_use_expires_seconds = 0; + policy_info->lft.hard_use_expires_seconds = 0; + + struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info); + rthdr->rta_type = XFRMA_TMPL; + + rthdr->rta_len = sizeof(struct xfrm_user_tmpl); + rthdr->rta_len = RTA_LENGTH(rthdr->rta_len); + + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr); + tmpl->reqid = reqid; + tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP; + tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; + tmpl->mode = mode; + tmpl->family = src->get_family(src); + + host2xfrm(src, &tmpl->saddr); + host2xfrm(dst, &tmpl->id.daddr); + + if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) + { + DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts); + return FAILED; + } + + /* install a route, if: + * - we are NOT updating a policy + * - this is a forward policy (to just get one for each child) + * - we are in tunnel mode + * - we are not using IPv6 (does not work correctly yet!) 
+ */ + if (policy->route == NULL && direction == POLICY_FWD && + mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6) + { + policy->route = malloc_thing(route_entry_t); + if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS) + { + policy->route->gateway = dst->clone(dst); + policy->route->if_index = get_interface_index(this, dst); + policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); + memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len); + policy->route->prefixlen = policy->sel.prefixlen_s; + + if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL, + policy->route) != SUCCESS) + { + DBG1(DBG_KNL, "unable to install source route for %H", + policy->route->src_ip); + route_entry_destroy(policy->route); + policy->route = NULL; + } + } + else + { + free(policy->route); + policy->route = NULL; + } + } + + return SUCCESS; +} + +/** + * Implementation of kernel_interface_t.query_policy. + */ +static status_t query_policy(private_kernel_interface_t *this, + traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, + policy_dir_t direction, u_int32_t *use_time) +{ + unsigned char request[BUFFER_SIZE]; + struct nlmsghdr *out = NULL, *hdr; + struct xfrm_userpolicy_id *policy_id; + struct xfrm_userpolicy_info *policy = NULL; + size_t len; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST; + hdr->nlmsg_type = XFRM_MSG_GETPOLICY; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); + + policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); + policy_id->sel = ts2selector(src_ts, dst_ts); + policy_id->dir = direction; + + if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) + { + hdr = out; + while (NLMSG_OK(hdr, len)) + { + switch (hdr->nlmsg_type) + { + case XFRM_MSG_NEWPOLICY: + { + policy = (struct 
xfrm_userpolicy_info*)NLMSG_DATA(hdr); + break; + } + case NLMSG_ERROR: + { + struct nlmsgerr *err = NLMSG_DATA(hdr); + DBG1(DBG_KNL, "querying policy failed: %s (%d)", + strerror(-err->error), -err->error); + break; + } + default: + hdr = NLMSG_NEXT(hdr, len); + continue; + case NLMSG_DONE: + break; + } + break; + } + } + + if (policy == NULL) + { + DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts); + free(out); + return FAILED; + } + *use_time = (time_t)policy->curlft.use_time; + + free(out); + return SUCCESS; +} + +/** + * Implementation of kernel_interface_t.del_policy. + */ +static status_t del_policy(private_kernel_interface_t *this, + traffic_selector_t *src_ts, + traffic_selector_t *dst_ts, + policy_dir_t direction) +{ + policy_entry_t *current, policy, *to_delete = NULL; + route_entry_t *route; + unsigned char request[BUFFER_SIZE]; + struct nlmsghdr *hdr; + struct xfrm_userpolicy_id *policy_id; + iterator_t *iterator; + + DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts); + + /* create a policy */ + memset(&policy, 0, sizeof(policy_entry_t)); + policy.sel = ts2selector(src_ts, dst_ts); + policy.direction = direction; + + /* find the policy */ + pthread_mutex_lock(&this->policies_mutex); + iterator = this->policies->create_iterator(this->policies, TRUE); + while (iterator->iterate(iterator, (void**)¤t)) + { + if (memcmp(¤t->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 && + policy.direction == current->direction) + { + to_delete = current; + if (--to_delete->refcount > 0) + { + /* is used by more SAs, keep in kernel */ + DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); + iterator->destroy(iterator); + pthread_mutex_unlock(&this->policies_mutex); + return SUCCESS; + } + /* remove if last reference */ + iterator->remove(iterator); + break; + } + } + iterator->destroy(iterator); + pthread_mutex_unlock(&this->policies_mutex); + if (!to_delete) + { + DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", 
src_ts, dst_ts); + return NOT_FOUND; + } + + memset(&request, 0, sizeof(request)); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_type = XFRM_MSG_DELPOLICY; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); + + policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); + policy_id->sel = to_delete->sel; + policy_id->dir = direction; + + route = to_delete->route; + free(to_delete); + + if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) + { + DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts); + return FAILED; + } + + if (route) + { + if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS) + { + DBG1(DBG_KNL, "error uninstalling route installed with " + "policy %R===%R", src_ts, dst_ts); + } + route_entry_destroy(route); + } + return SUCCESS; +} + +/** + * Implementation of kernel_interface_t.destroy. + */ +static void destroy(private_kernel_interface_t *this) +{ + pthread_cancel(this->event_thread); + pthread_join(this->event_thread, NULL); + close(this->socket_xfrm_events); + close(this->socket_xfrm); + close(this->socket_rt); + this->vips->destroy(this->vips); + this->policies->destroy(this->policies); + free(this); +} + +/* + * Described in header. 
+ */
+kernel_interface_t *kernel_interface_create()
+{
+ private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
+ struct sockaddr_nl addr;
+
+ /* public functions */
+ this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
+ this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
+ this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
+ this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
+ this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
+ this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
+ this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
+ this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
+
+ this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
+ this->public.create_address_list = (linked_list_t*(*)(kernel_interface_t*))create_address_list_public;
+ this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
+ this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
+ this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
+
+ /* private members */
+ this->vips = linked_list_create();
+ this->policies = linked_list_create();
+ pthread_mutex_init(&this->policies_mutex,NULL);
+ pthread_mutex_init(&this->vips_mutex,NULL);
+
+ addr.nl_family = AF_NETLINK;
+ addr.nl_pid = 0;
+ addr.nl_groups = 0;
+
+ /* create and bind XFRM socket */
+ this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+ if (this->socket_xfrm <= 0)
+ {
+ charon->kill(charon, "unable to create XFRM netlink socket");
+ }
+
+ if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
+ {
+ charon->kill(charon, "unable to bind XFRM netlink socket");
+ }
+
+ /* create and bind RT socket */
+ this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+ if (this->socket_rt <= 0)
+ {
+ charon->kill(charon, "unable to create RT netlink socket");
+ }
+
+ if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
+ {
+ charon->kill(charon, "unable to bind RT netlink socket");
+ }
+
+ /* create and bind XFRM socket for ACQUIRE & EXPIRE */
+ addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
+ this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+ if (this->socket_xfrm_events <= 0)
+ {
+ charon->kill(charon, "unable to create XFRM event socket");
+ }
+
+ if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
+ {
+ charon->kill(charon, "unable to bind XFRM event socket");
+ }
+
+ /* create a thread receiving ACQUIRE & EXPIRE events */
+ if (pthread_create(&this->event_thread, NULL,
+ (void*(*)(void*))receive_events, this))
+ {
+ charon->kill(charon, "unable to create xfrm event dispatcher thread");
+ }
+
+ return &this->public;
+}
+
+/* vim: set ts=4 sw=4 noet: */
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
new file mode 100644
index 000000000..2a3eaff7a
--- /dev/null
+++ b/src/charon/kernel/kernel_interface.h
@@ -0,0 +1,335 @@
+/**
+ * @file kernel_interface.h
+ *
+ * @brief Interface of kernel_interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef KERNEL_INTERFACE_H_
+#define KERNEL_INTERFACE_H_
+
+typedef struct natt_conf_t natt_conf_t;
+typedef enum policy_dir_t policy_dir_t;
+typedef struct kernel_interface_t kernel_interface_t;
+
+#include
+#include
+#include
+
+/**
+ * Configuration for NAT-T
+ *
+ * @ingroup kernel
+ */
+struct natt_conf_t {
+ /** source port to use for UDP-encapsulated packets */
+ u_int16_t sport;
+ /** dest port to use for UDP-encapsulated packets */
+ u_int16_t dport;
+};
+
+/**
+ * Direction of a policy. These are equal to those
+ * defined in xfrm.h, but we want to stay implementation
+ * neutral here.
+ *
+ * @ingroup kernel
+ */
+enum policy_dir_t {
+ /** Policy for inbound traffic */
+ POLICY_IN = 0,
+ /** Policy for outbound traffic */
+ POLICY_OUT = 1,
+ /** Policy for forwarded traffic */
+ POLICY_FWD = 2,
+};
+
+/**
+ * @brief Interface to the kernel.
+ *
+ * The kernel interface handles the communication with the kernel
+ * for SA and policy management. It allows setup of these, and provides
+ * further the handling of kernel events.
+ * Policy information are cached in the interface. This is necessary to do
+ * reference counting. The Linux kernel does not allow the same policy
+ * installed twice, but we need this as CHILD_SA exist multiple times
+ * when rekeying. Thats why we do reference counting of policies.
+ *
+ * @b Constructors:
+ * - kernel_interface_create()
+ *
+ * @ingroup kernel
+ */
+struct kernel_interface_t {
+
+ /**
+ * @brief Get a SPI from the kernel.
+ *
+ * @warning get_spi() implicitely creates an SA with
+ * the allocated SPI, therefore the replace flag
+ * in add_sa() must be set when installing this SA.
+ *
+ * @param this calling object
+ * @param src source address of SA
+ * @param dst destination address of SA
+ * @param protocol protocol for SA (ESP/AH)
+ * @param reqid unique ID for this SA
+ * @param[out] spi allocated spi
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
+ protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
+
+ /**
+ * @brief Add an SA to the SAD.
+ *
+ * add_sa() may update an already allocated
+ * SPI (via get_spi). In this case, the replace
+ * flag must be set.
+ * This function does install a single SA for a
+ * single protocol in one direction. The kernel-interface
+ * gets the keys itself from the PRF, as we don't know
+ * his algorithms and key sizes.
+ *
+ * @param this calling object
+ * @param src source address for this SA
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param reqid unique ID for this SA
+ * @param expire_soft lifetime in seconds before rekeying
+ * @param expire_hard lieftime in seconds before delete
+ * @param enc_alg Algorithm to use for encryption (ESP only)
+ * @param int_alg Algorithm to use for integrity protection
+ * @param prf_plus PRF to derive keys from
+ * @param natt NAT-T Configuration, or NULL of no NAT-T used
+ * @param mode mode of the SA (tunnel, transport)
+ * @param replace Should an already installed SA be updated?
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*add_sa) (kernel_interface_t *this,
+ host_t *src, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int64_t expire_soft, u_int64_t expire_hard,
+ algorithm_t *enc_alg, algorithm_t *int_alg,
+ prf_plus_t *prf_plus, natt_conf_t *natt,
+ mode_t mode, bool update);
+
+ /**
+ * @brief Update the hosts on an installed SA.
+ *
+ * We cannot directly update the destination address as the kernel
+ * requires the spi, the protocol AND the destination address (and family)
+ * to identify SAs. Therefore if the destination address changed we
+ * create a new SA and delete the old one.
+ *
+ * @param this calling object
+ * @param dst destination address for this SA
+ * @param spi SPI of the SA
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param new_src new source address for this SA
+ * @param new_dst new destination address for this SA
+ * @param src_changes changes in src
+ * @param dst_changes changes in dst
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*update_sa)(kernel_interface_t *this, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol,
+ host_t *new_src, host_t *new_dst,
+ host_diff_t src_changes, host_diff_t dst_changes);
+
+ /**
+ * @brief Query the use time of an SA.
+ *
+ * The use time of an SA is not the time of the last usage, but
+ * the time of the first usage of the SA.
+ *
+ * @param this calling object
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param[out] use_time the time of this SA's last use
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*query_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t *use_time);
+
+ /**
+ * @brief Delete a previusly installed SA from the SAD.
+ *
+ * @param this calling object
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol);
+
+ /**
+ * @brief Add a policy to the SPD.
+ *
+ * A policy is always associated to an SA. Traffic which matches a
+ * policy is handled by the SA with the same reqid.
+ * If the update flag is set, the policy is updated with the new
+ * src/dst addresses.
+ * If the update flag is not set, but a such policy is already in the
+ * kernel, the reference count to this policy is increased.
+ *
+ * @param this calling object
+ * @param src source address of SA
+ * @param dst dest address of SA
+ * @param src_ts traffic selector to match traffic source
+ * @param dst_ts traffic selector to match traffic dest
+ * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+ * @param protocol protocol to use to protect traffic (AH/ESP)
+ * @param reqid uniqe ID of an SA to use to enforce policy
+ * @param high_prio if TRUE, uses a higher priority than any with FALSE
+ * @param mode mode of SA (tunnel, transport)
+ * @param update update an existing policy, if TRUE
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*add_policy) (kernel_interface_t *this,
+ host_t *src, host_t *dst,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, protocol_id_t protocol,
+ u_int32_t reqid, bool high_prio,
+ mode_t mode, bool update);
+
+ /**
+ * @brief Query the use time of a policy.
+ *
+ * The use time of a policy is the time the policy was used
+ * for the last time.
+ *
+ * @param this calling object
+ * @param src_ts traffic selector to match traffic source
+ * @param dst_ts traffic selector to match traffic dest
+ * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+ * @param[out] use_time the time of this SA's last use
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*query_policy) (kernel_interface_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t *use_time);
+
+ /**
+ * @brief Remove a policy from the SPD.
+ *
+ * The kernel interface implements reference counting for policies.
+ * If the same policy is installed multiple times (in the case of rekeying),
+ * the reference counter is increased. del_policy() decreases the ref counter
+ * and removes the policy only when no more references are available.
+ *
+ * @param this calling object
+ * @param src_ts traffic selector to match traffic source
+ * @param dst_ts traffic selector to match traffic dest
+ * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*del_policy) (kernel_interface_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction);
+
+ /**
+ * @brief Get the interface name of a local address.
+ *
+ * @param this calling object
+ * @param host address to get interface name from
+ * @return allocated interface name, or NULL if not found
+ */
+ char* (*get_interface) (kernel_interface_t *this, host_t *host);
+
+ /**
+ * @brief Creates a list of all local addresses.
+ *
+ * @param this calling object
+ * @return allocated list with host_t objects
+ */
+ linked_list_t *(*create_address_list) (kernel_interface_t *this);
+
+ /**
+ * @brief Add a virtual IP to an interface.
+ *
+ * Virtual IPs are attached to an interface. If an IP is added multiple
+ * times, the IP is refcounted and not removed until del_ip() was called
+ * as many times as add_ip().
+ * The virtual IP is attached to the interface where the iface_ip is found.
+ *
+ * @param this calling object
+ * @param virtual_ip virtual ip address to assign
+ * @param iface_ip IP of an interface to attach virtual IP
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
+ host_t *iface_ip);
+
+ /**
+ * @brief Remove a virtual IP from an interface.
+ *
+ * The kernel interface uses refcounting, see add_ip().
+ *
+ * @param this calling object
+ * @param virtual_ip virtual ip address to assign
+ * @param iface_ip IP of an interface to remove virtual IP from
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip,
+ host_t *iface_ip);
+
+ /**
+ * @brief Destroys a kernel_interface object.
+ *
+ * @param kernel_interface_t calling object
+ */
+ void (*destroy) (kernel_interface_t *kernel_interface);
+};
+
+/**
+ * @brief Creates an object of type kernel_interface_t.
+ *
+ * @ingroup kernel
+ */
+kernel_interface_t *kernel_interface_create(void);
+
+#endif /*KERNEL_INTERFACE_H_*/
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
new file mode 100644
index 000000000..9b4bf71ac
--- /dev/null
+++ b/src/charon/network/receiver.c
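Review bot: The `update_sa` prototype declared here (`this, dst, spi, protocol, new_src, new_dst, src_changes, dst_changes` — eight parameters) does not match the `update_sa` definition in src/charon/kernel/kernel_interface.c earlier in this same diff, which takes nine parameters in the order `this, src, dst, new_src, new_dst, src_changes, dst_changes, spi, protocol`; the function-pointer cast in `kernel_interface_create()` hides the mismatch from the compiler, so a caller's `spi`/`protocol` are read by the implementation as `dst`/`new_src` and the implementation's `spi`/`protocol` come from argument slots the caller never filled, which is undefined behaviour and will issue the SAD query and the follow-up `del_sa()` with the wrong identifiers. The two signatures should be made identical (drop the unused `src` from the implementation or add it here, and put `spi`/`protocol` in the same position on both sides), and the casts in `kernel_interface_create()` are best replaced by exact-type assignments so that future mismatches fail at compile time rather than at runtime. Two documentation nits in the same struct: `add_sa` documents `@param replace` while the parameter is named `update` (the `get_spi` warning also refers to a "replace flag"), and `destroy` documents `@param kernel_interface_t` where the parameter name is `kernel_interface`.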
@@ -0,0 +1,377 @@ +/** + * @file receiver.c + * + * @brief Implementation of receiver_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include + +#include "receiver.h" + +#include +#include +#include +#include +#include +#include + +/** length of the full cookie, including time (u_int32_t + SHA1()) */ +#define COOKIE_LENGTH 24 +/** lifetime of a cookie, in seconds */ +#define COOKIE_LIFETIME 10 +/** how many times to reuse the secret */ +#define COOKIE_REUSE 10000 +/** require cookies after half open IKE_SAs */ +#define COOKIE_TRESHOLD 10 +/** how many half open IKE_SAs per peer before blocking */ +#define BLOCK_TRESHOLD 5 +/** length of the secret to use for cookie calculation */ +#define SECRET_LENGTH 16 + +typedef struct private_receiver_t private_receiver_t; + +/** + * Private data of a receiver_t object. + */ +struct private_receiver_t { + /** + * Public part of a receiver_t object. + */ + receiver_t public; + + /** + * Assigned thread. 
+ */ + pthread_t assigned_thread; + + /** + * current secret to use for cookie calculation + */ + char secret[SECRET_LENGTH]; + + /** + * previous secret used to verify older cookies + */ + char secret_old[SECRET_LENGTH]; + + /** + * how many times we have used "secret" so far + */ + u_int32_t secret_used; + + /** + * time we did the cookie switch + */ + u_int32_t secret_switch; + + /** + * time offset to use, hides our system time + */ + u_int32_t secret_offset; + + /** + * the randomizer to use for secret generation + */ + randomizer_t *randomizer; + + /** + * hasher to use for cookie calculation + */ + hasher_t *hasher; +}; + +/** + * send a notify back to the sender + */ +static void send_notify(message_t *request, notify_type_t type, chunk_t data) +{ + if (request->get_request(request) && + request->get_exchange_type(request) == IKE_SA_INIT) + { + message_t *response; + host_t *src, *dst; + packet_t *packet; + ike_sa_id_t *ike_sa_id; + + response = message_create(); + dst = request->get_source(request); + src = request->get_destination(request); + response->set_source(response, src->clone(src)); + response->set_destination(response, dst->clone(dst)); + response->set_exchange_type(response, request->get_exchange_type(request)); + response->set_request(response, FALSE); + response->set_message_id(response, 0); + ike_sa_id = request->get_ike_sa_id(request); + ike_sa_id->switch_initiator(ike_sa_id); + response->set_ike_sa_id(response, ike_sa_id); + response->add_notify(response, FALSE, type, data); + if (response->generate(response, NULL, NULL, &packet) == SUCCESS) + { + charon->sender->send(charon->sender, packet); + response->destroy(response); + } + } +} + +/** + * build a cookie + */ +static chunk_t cookie_build(private_receiver_t *this, message_t *message, + u_int32_t t, chunk_t secret) +{ + u_int64_t spi = message->get_initiator_spi(message); + host_t *ip = message->get_source(message); + chunk_t input, hash = 
chunk_alloca(this->hasher->get_hash_size(this->hasher)); + + /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */ + input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi), + chunk_from_thing(t), secret); + this->hasher->get_hash(this->hasher, input, hash.ptr); + return chunk_cat("cc", chunk_from_thing(t), hash); +} + +/** + * verify a received cookie + */ +static bool cookie_verify(private_receiver_t *this, message_t *message, + chunk_t cookie) +{ + u_int32_t t, now; + chunk_t reference; + chunk_t secret; + + now = time(NULL); + t = *(u_int32_t*)cookie.ptr; + + if (cookie.len != COOKIE_LENGTH || + t < now - this->secret_offset - COOKIE_LIFETIME) + { + DBG2(DBG_NET, "received cookie lifetime expired, rejecting"); + return FALSE; + } + + /* check if cookie is derived from old_secret */ + if (t + this->secret_offset > this->secret_switch) + { + secret = chunk_from_thing(this->secret); + } + else + { + secret = chunk_from_thing(this->secret_old); + } + + /* compare own calculation against received */ + reference = cookie_build(this, message, t, secret); + if (chunk_equals(reference, cookie)) + { + chunk_free(&reference); + return TRUE; + } + chunk_free(&reference); + return FALSE; +} + +/** + * check if cookies are required, and if so, a valid cookie is included + */ +static bool cookie_required(private_receiver_t *this, message_t *message) +{ + bool failed = FALSE; + + if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, + NULL) >= COOKIE_TRESHOLD) + { + /* check for a cookie. We don't use our parser here and do it + * quick and dirty for performance reasons. + * we assume to cookie is the first payload (which is a MUST), and + * the cookies SPI length is zero. 
*/ + packet_t *packet = message->get_packet(message); + chunk_t data = packet->get_data(packet); + if (data.len < + IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + COOKIE_LENGTH || + *(data.ptr + 16) != NOTIFY || + *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE)) + { + /* no cookie found */ + failed = TRUE; + } + else + { + data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH; + data.len = COOKIE_LENGTH; + if (!cookie_verify(this, message, data)) + { + DBG2(DBG_NET, "found cookie, but content invalid"); + failed = TRUE; + } + } + packet->destroy(packet); + } + return failed; +} + +/** + * check if peer has to many half open IKE_SAs + */ +static bool peer_to_aggressive(private_receiver_t *this, message_t *message) +{ + if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, + message->get_source(message)) >= BLOCK_TRESHOLD) + { + return TRUE; + } + return FALSE; +} + +/** + * Implementation of receiver_t.receive_packets. + */ +static void receive_packets(private_receiver_t *this) +{ + packet_t *packet; + message_t *message; + job_t *job; + + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); + DBG1(DBG_NET, "receiver thread running, thread_ID: %06u", + (int)pthread_self()); + + charon->drop_capabilities(charon, TRUE); + + while (TRUE) + { + /* read in a packet */ + if (charon->socket->receive(charon->socket, &packet) != SUCCESS) + { + DBG2(DBG_NET, "receiving from socket failed!"); + /* try again after a delay */ + sleep(1); + continue; + } + + /* parse message header */ + message = message_create_from_packet(packet); + if (message->parse_header(message) != SUCCESS) + { + DBG1(DBG_NET, "received invalid IKE header from %H - ignored", + packet->get_source(packet)); + message->destroy(message); + continue; + } + + /* check IKE major version */ + if (message->get_major_version(message) != IKE_MAJOR_VERSION) + { + DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, " + "sending INVALID_MAJOR_VERSION", 
message->get_major_version(message), + message->get_minor_version(message), packet->get_source(packet)); + send_notify(message, INVALID_MAJOR_VERSION, chunk_empty); + message->destroy(message); + continue; + } + + if (message->get_request(message) && + message->get_exchange_type(message) == IKE_SA_INIT) + { + /* check for cookies */ + if (cookie_required(this, message)) + { + u_int32_t now = time(NULL); + chunk_t cookie = cookie_build(this, message, now - this->secret_offset, + chunk_from_thing(this->secret)); + + DBG2(DBG_NET, "received packet from: %#H to %#H", + message->get_source(message), + message->get_destination(message)); + DBG2(DBG_NET, "sending COOKIE notify to %H", + message->get_source(message)); + send_notify(message, COOKIE, cookie); + chunk_free(&cookie); + if (++this->secret_used > COOKIE_REUSE) + { + /* create new cookie */ + DBG1(DBG_NET, "generating new cookie secret after %d uses", + this->secret_used); + memcpy(this->secret_old, this->secret, SECRET_LENGTH); + this->randomizer->get_pseudo_random_bytes(this->randomizer, + SECRET_LENGTH, this->secret); + this->secret_switch = now; + this->secret_used = 0; + } + message->destroy(message); + continue; + } + + /* check if peer has not too many IKE_SAs half open */ + if (peer_to_aggressive(this, message)) + { + DBG1(DBG_NET, "ignoring IKE_SA setup from %H, " + "peer to aggressive", message->get_source(message)); + message->destroy(message); + continue; + } + } + job = (job_t *)process_message_job_create(message); + charon->job_queue->add(charon->job_queue, job); + } +} + +/** + * Implementation of receiver_t.destroy. + */ +static void destroy(private_receiver_t *this) +{ + pthread_cancel(this->assigned_thread); + pthread_join(this->assigned_thread, NULL); + this->randomizer->destroy(this->randomizer); + this->hasher->destroy(this->hasher); + free(this); +} + +/* + * Described in header. 
+ */ +receiver_t *receiver_create() +{ + private_receiver_t *this = malloc_thing(private_receiver_t); + u_int32_t now = time(NULL); + + this->public.destroy = (void(*)(receiver_t*)) destroy; + + this->randomizer = randomizer_create(); + this->hasher = hasher_create(HASH_SHA1); + this->secret_switch = now; + this->secret_offset = random() % now; + this->secret_used = 0; + this->randomizer->get_pseudo_random_bytes(this->randomizer, SECRET_LENGTH, + this->secret); + memcpy(this->secret_old, this->secret, SECRET_LENGTH); + + if (pthread_create(&this->assigned_thread, NULL, + (void*)receive_packets, this) != 0) + { + free(this); + charon->kill(charon, "unable to create receiver thread"); + } + + return &this->public; +} diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h new file mode 100644 index 000000000..1bfa7b764 --- /dev/null +++ b/src/charon/network/receiver.h 
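Review bot: In cookie_verify the cookie timestamp is read with `t = *(u_int32_t*)cookie.ptr;` before the `cookie.len != COOKIE_LENGTH` check that follows it, so the function's own bounds guard comes too late; today the only caller, cookie_required, pins `data.len = COOKIE_LENGTH` after checking the packet length, which is why the read stays in bounds, but the guard should come first and the cast be replaced by a copy: `if (cookie.len != COOKIE_LENGTH) { return FALSE; }` followed by `memcpy(&t, cookie.ptr, sizeof(t));`. In send_notify, `response->destroy(response)` is executed only when generate() returns SUCCESS, so a response that fails to generate is leaked; move the destroy after the if block. In receiver_create, `this->secret_offset = random() % now;` draws from the libc PRNG, which nothing in this file seeds, although a randomizer_t is created on the line above; because the offset exists to hide the host clock from peers, taking it from `this->randomizer` looks preferable unless random() is seeded elsewhere in the daemon. The cookie secret in `this->secret`/`this->secret_old` is also not cleared in destroy() before `free(this)`; a best-effort wipe there would be consistent with treating it as secret material.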
@@ -0,0 +1,81 @@ +/** + * @file receiver.h + * + * @brief Interface of receiver_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef RECEIVER_H_ +#define RECEIVER_H_ + +typedef struct receiver_t receiver_t; + +#include +#include + +/** + * @brief Receives packets from the socket and adds them to the job queue. + * + * The receiver starts a thread, wich reads on the blocking socket. A received + * packet is preparsed and a process_message_job is queued in the job queue. + * + * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half + * open. The calculation of cookies is slightly different from the proposed + * method in RFC4306. We do not include a nonce, because we think the advantage + * we gain does not justify the overhead to parse the whole message. + * Instead of VersionIdOfSecret, we include a timestamp. This allows us to + * find out wich key was used for cookie creation. Further, we can set a + * lifetime for the cookie, which allows us to reuse the secret for a longer + * time. + * COOKIE = time | sha1( IPi | SPIi | time | secret ) + * + * The secret is changed after a certain amount of cookies sent. The old + * secret is stored to allow a clean migration between secret changes. + * + * Further, the number of half-initiated IKE_SAs is limited per peer. 
This + * mades it impossible for a peer to flood the server with its real IP address. + * + * @b Constructors: + * - receiver_create() + * + * @ingroup network + */ +struct receiver_t { + + /** + * @brief Destroys a receiver_t object. + * + * @param receiver receiver object + */ + void (*destroy) (receiver_t *receiver); +}; + +/** + * @brief Create a receiver_t object. + * + * The receiver thread will start working, get data + * from the socket and add those packets to the job queue. + * + * @return receiver_t object + * + * @ingroup network + */ +receiver_t * receiver_create(void); + +#endif /*RECEIVER_H_*/ diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c new file mode 100644 index 000000000..933b8c192 --- /dev/null +++ b/src/charon/network/sender.c 
@@ -0,0 +1,155 @@ +/** + * @file sender.c + * + * @brief Implementation of sender_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +#include "sender.h" + +#include +#include + + +typedef struct private_sender_t private_sender_t; + +/** + * Private data of a sender_t object. + */ +struct private_sender_t { + /** + * Public part of a sender_t object. + */ + sender_t public; + + /** + * Assigned thread. + */ + pthread_t assigned_thread; + + /** + * The packets are stored in a linked list + */ + linked_list_t *list; + + /** + * mutex to synchronize access to list + */ + pthread_mutex_t mutex; + + /** + * condvar to signal for packets in list + */ + pthread_cond_t condvar; +}; + +/** + * implements sender_t.send + */ +static void send_(private_sender_t *this, packet_t *packet) +{ + host_t *src, *dst; + + src = packet->get_source(packet); + dst = packet->get_destination(packet); + DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst); + + pthread_mutex_lock(&this->mutex); + this->list->insert_last(this->list, packet); + pthread_mutex_unlock(&this->mutex); + pthread_cond_signal(&this->condvar); +} + +/** + * Implementation of private_sender_t.send_packets. 
+ */ +static void send_packets(private_sender_t * this) +{ + /* cancellation disabled by default */ + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); + DBG1(DBG_NET, "sender thread running, thread_ID: %06u", (int)pthread_self()); + + charon->drop_capabilities(charon, TRUE); + + while (TRUE) + { + packet_t *packet; + int oldstate; + + pthread_mutex_lock(&this->mutex); + /* go to wait while no packets available */ + while (this->list->get_count(this->list) == 0) + { + /* add cleanup handler, wait for packet, remove cleanup handler */ + pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&this->mutex); + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + pthread_cond_wait(&this->condvar, &this->mutex); + + pthread_setcancelstate(oldstate, NULL); + pthread_cleanup_pop(0); + } + this->list->remove_first(this->list, (void**)&packet); + pthread_mutex_unlock(&this->mutex); + + charon->socket->send(charon->socket, packet); + packet->destroy(packet); + } +} + +/** + * Implementation of sender_t.destroy. + */ +static void destroy(private_sender_t *this) +{ + /* send all packets in the queue */ + while (this->list->get_count(this->list)) + { + sched_yield(); + } + pthread_cancel(this->assigned_thread); + pthread_join(this->assigned_thread, NULL); + this->list->destroy(this->list); + free(this); +} + +/* + * Described in header. + */ +sender_t * sender_create() +{ + private_sender_t *this = malloc_thing(private_sender_t); + + this->public.send = (void(*)(sender_t*,packet_t*))send_; + this->public.destroy = (void(*)(sender_t*)) destroy; + + this->list = linked_list_create(); + pthread_mutex_init(&this->mutex, NULL); + pthread_cond_init(&this->condvar, NULL); + + if (pthread_create(&this->assigned_thread, NULL, + (void*)send_packets, this) != 0) + { + charon->kill(charon, "unable to create sender thread"); + } + + return &(this->public); +} 
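Review bot: destroy() in sender.c reads `this->list->get_count(this->list)` in its `sched_yield()` loop without holding `this->mutex`, while send_packets mutates the same list under the lock; nothing visible makes the count read atomic, so this is a data race, and the loop also spins forever if the socket send blocks or the sender thread has already gone. Taking the mutex around the read, or waiting on a second condvar that send_packets signals when the list drains, would make the flush deterministic. The mutex and condvar initialised in sender_create are never released; `pthread_mutex_destroy(&this->mutex); pthread_cond_destroy(&this->condvar);` belong in destroy() before `free(this)`, and event_queue_destroy in event_queue.c below has the same omission. Packets still queued when the loop exits (a send() racing with destroy) are not freed by `this->list->destroy`; `destroy_function` with the packet destructor, as event_queue.c does for events, would cover that.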
diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h new file mode 100644 index 000000000..6f2a06891 --- /dev/null +++ b/src/charon/network/sender.h @@ -0,0 +1,74 @@ +/** + * @file sender.h + * + * @brief Interface of sender_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef SENDER_H_ +#define SENDER_H_ + +typedef struct sender_t sender_t; + +#include +#include + +/** + * @brief Thread responsible for sending packets over the socket. + * + * @b Constructors: + * - sender_create() + * + * @ingroup network + */ +struct sender_t { + + /** + * @brief Send a packet over the network. + * + * This function is non blocking and adds the packet to a queue. + * Whenever the sender thread things it's good to send the packet, + * it'll do so. + * + * @param this calling object + * @param packet packet to send + */ + void (*send) (sender_t *this, packet_t *packet); + + /** + * @brief Destroys a sender object. + * + * @param this calling object + */ + void (*destroy) (sender_t *this); +}; + +/** + * @brief Create the sender thread. + * + * The thread will start to work, getting packets + * from its queue and sends them out. + * + * @return created sender object + * + * @ingroup network + */ +sender_t * sender_create(void); + +#endif /*SENDER_H_*/ diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c index 00ba22d5a..dd231ebed 100644 
--- a/src/charon/network/socket.c +++ b/src/charon/network/socket.c @@ -176,7 +176,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet) bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0); if (bytes_read < 0) { - DBG1(DBG_NET, "error reading from IPv4 socket: %m"); + DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno)); return FAILED; } DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read); @@ -238,7 +238,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet) bytes_read = recvmsg(this->recv6, &msg, 0); if (bytes_read < 0) { - DBG1(DBG_NET, "error reading from IPv6 socket: %m"); + DBG1(DBG_NET, "error reading from IPv6 socket: %s", strerror(errno)); return FAILED; } DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read); @@ -428,7 +428,7 @@ status_t sender(private_socket_t *this, packet_t *packet) if (bytes_sent != data.len) { - DBG1(DBG_NET, "error writing to socket: %m"); + DBG1(DBG_NET, "error writing to socket: %s", strerror(errno)); return FAILED; } return SUCCESS; @@ -477,13 +477,14 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port) skt = socket(family, SOCK_DGRAM, IPPROTO_UDP); if (skt < 0) { - DBG1(DBG_NET, "could not open send socket: %m"); + DBG1(DBG_NET, "could not open send socket: %s", strerror(errno)); return 0; } if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0) { - DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %m"); + DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %s", + strerror(errno)); close(skt); return 0; } @@ -497,7 +498,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port) if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m"); + DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %s", + strerror(errno)); close(skt); return 0; } 
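Review bot: `strerror()` is not required by POSIX to be thread-safe and may hand back a pointer to a static buffer, while this daemon logs from several threads (the receiver and sender threads are created in this same commit); the `%m` replacement in the @@ -176 hunk, and likewise in the @@ -238, -428, -477, -497, -507, -515, -525, -606, -623 and -637 hunks, would be safer as `strerror_r()` into a local buffer, or by keeping `%m` if the DBG1 printf hook supports it. errno is also read only as a macro argument here; if the DBG1 expansion performs any call before the `strerror(errno)` argument is evaluated, the value may already be overwritten — worth confirming against the DBG1 definition, or saving errno into a local immediately after the failing call.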
@@ -507,7 +509,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port) policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND; if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m"); + DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %s", + strerror(errno)); close(skt); return 0; } @@ -515,7 +518,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port) /* bind the send socket */ if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0) { - DBG1(DBG_NET, "unable to bind send socket: %m"); + DBG1(DBG_NET, "unable to bind send socket: %s", + strerror(errno)); close(skt); return 0; } @@ -525,7 +529,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port) /* enable UDP decapsulation globally, only for one socket needed */ if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0) { - DBG1(DBG_NET, "unable to set UDP_ENCAP: %m; NAT-T may fail"); + DBG1(DBG_NET, "unable to set UDP_ENCAP: %s; NAT-T may fail", + strerror(errno)); } } @@ -606,14 +611,15 @@ static int open_recv_socket(private_socket_t *this, int family) skt = socket(family, SOCK_RAW, IPPROTO_UDP); if (skt < 0) { - DBG1(DBG_NET, "unable to create raw socket: %m"); + DBG1(DBG_NET, "unable to create raw socket: %s", strerror(errno)); return 0; } if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER, &ikev2_filter, sizeof(ikev2_filter)) < 0) { - DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %m"); + DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %s", + strerror(errno)); close(skt); return 0; } 
@@ -623,7 +629,8 @@ static int open_recv_socket(private_socket_t *this, int family) * 2 or 50 depending on kernel header version */ setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0) { - DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %m"); + DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %s", + strerror(errno)); close(skt); return 0; } @@ -637,7 +644,8 @@ static int open_recv_socket(private_socket_t *this, int family) if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %m"); + DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %s", + strerror(errno)); close(skt); return 0; } @@ -682,6 +690,7 @@ static void destroy(private_socket_t *this) */ socket_t *socket_create(u_int16_t port, u_int16_t natt_port) { + int key; private_socket_t *this = malloc_thing(private_socket_t); /* public functions */ @@ -698,6 +707,15 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port) this->send4_natt = 0; this->send6_natt = 0; + /* we open a AF_KEY socket to autoload the af_key module. Otherwise + * setsockopt(IPSEC_POLICY) won't work. */ + key = socket(AF_KEY, SOCK_RAW, PF_KEY_V2); + if (key == 0) + { + charon->kill(charon, "could not open AF_KEY socket"); + } + close(key); + this->recv4 = open_recv_socket(this, AF_INET); if (this->recv4 == 0) { diff --git a/src/charon/processing/event_queue.c b/src/charon/processing/event_queue.c new file mode 100644 index 000000000..40bcb1ed8 --- /dev/null +++ b/src/charon/processing/event_queue.c 
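Review bot: The failure test `if (key == 0)` in the @@ -698 hunk of socket_create is inverted against the socket() contract: socket() returns -1 on failure and 0 is a valid descriptor (it is handed out whenever fd 0 is free, e.g. after a daemon closes stdin), so a failed AF_KEY open is silently ignored while a successful one on fd 0 kills the daemon. Change the test to `if (key < 0)` and keep `close(key)` out of the failure path so a -1 is never closed. Since the probe's only purpose per the comment is to autoload af_key, the kill message could mention that the later setsockopt(IPSEC_POLICY) calls will fail without it, which is what an operator would otherwise see.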
@@ -0,0 +1,290 @@ +/** + * @file event_queue.c + * + * @brief Implementation of event_queue_t + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +#include "event_queue.h" + +#include +#include + + + +typedef struct event_t event_t; + +/** + * Event containing a job and a schedule time + */ +struct event_t { + /** + * Time to fire the event. + */ + timeval_t time; + + /** + * Every event has its assigned job. + */ + job_t * job; +}; + +/** + * destroy an event and its job + */ +static void event_destroy(event_t *event) +{ + event->job->destroy(event->job); + free(event); +} + +typedef struct private_event_queue_t private_event_queue_t; + +/** + * Private Variables and Functions of event_queue_t class. + */ +struct private_event_queue_t { + /** + * Public part. + */ + event_queue_t public; + + /** + * The events are stored in a linked list of type linked_list_t. + */ + linked_list_t *list; + + /** + * Access to linked_list is locked through this mutex. + */ + pthread_mutex_t mutex; + + /** + * If the queue is empty or an event has not to be fired + * a thread has to wait. + * + * This condvar is used to wake up such a thread. 
+ */ + pthread_cond_t condvar; +}; + +/** + * Returns the difference of to timeval structs in milliseconds + */ +static long time_difference(struct timeval *end_time, struct timeval *start_time) +{ + time_t s; + suseconds_t us; + + s = (end_time->tv_sec - start_time->tv_sec); + us = (end_time->tv_usec - start_time->tv_usec); + return ((s * 1000) + us/1000); +} + +/** + * Implements event_queue_t.get_count + */ +static int get_count(private_event_queue_t *this) +{ + int count; + pthread_mutex_lock(&(this->mutex)); + count = this->list->get_count(this->list); + pthread_mutex_unlock(&(this->mutex)); + return count; +} + +/** + * Implements event_queue_t.get + */ +static job_t *get(private_event_queue_t *this) +{ + timespec_t timeout; + timeval_t current_time; + event_t * next_event; + job_t *job; + int oldstate; + + pthread_mutex_lock(&(this->mutex)); + + while (TRUE) + { + while(this->list->get_count(this->list) == 0) + { + /* add mutex unlock handler for cancellation, enable cancellation */ + pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&(this->mutex)); + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + + pthread_cond_wait( &(this->condvar), &(this->mutex)); + + /* reset cancellation, remove mutex-unlock handler (without executing) */ + pthread_setcancelstate(oldstate, NULL); + pthread_cleanup_pop(0); + } + + this->list->get_first(this->list, (void **)&next_event); + + gettimeofday(¤t_time, NULL); + long difference = time_difference(¤t_time,&(next_event->time)); + if (difference <= 0) + { + timeout.tv_sec = next_event->time.tv_sec; + timeout.tv_nsec = next_event->time.tv_usec * 1000; + + /* add mutex unlock handler for cancellation, enable cancellation */ + pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&(this->mutex)); + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + + pthread_cond_timedwait(&(this->condvar), &(this->mutex), &timeout); + + /* reset cancellation, remove mutex-unlock handler (without 
executing) */ + pthread_setcancelstate(oldstate, NULL); + pthread_cleanup_pop(0); + } + else + { + /* event available */ + this->list->remove_first(this->list, (void **)&next_event); + job = next_event->job; + free(next_event); + break; + } + } + pthread_cond_signal( &(this->condvar)); + pthread_mutex_unlock(&(this->mutex)); + + return job; +} + +/** + * Implements function add_absolute of event_queue_t. + * See #event_queue_s.add_absolute for description. + */ +static void add_absolute(private_event_queue_t *this, job_t *job, timeval_t time) +{ + event_t *event; + event_t *current_event; + iterator_t *iterator; + + /* create event */ + event = malloc_thing(event_t); + event->time = time; + event->job = job; + + pthread_mutex_lock(&(this->mutex)); + + /* while just used to break out */ + while(TRUE) + { + if (this->list->get_count(this->list) == 0) + { + this->list->insert_first(this->list,event); + break; + } + + /* check last entry */ + this->list->get_last(this->list,(void **) ¤t_event); + + if (time_difference(&(event->time), &(current_event->time)) >= 0) + { + /* my event has to be fired after the last event in list */ + this->list->insert_last(this->list,event); + break; + } + + /* check first entry */ + this->list->get_first(this->list,(void **) ¤t_event); + + if (time_difference(&(event->time), &(current_event->time)) < 0) + { + /* my event has to be fired before the first event in list */ + this->list->insert_first(this->list,event); + break; + } + + iterator = this->list->create_iterator(this->list,TRUE); + iterator->iterate(iterator, (void**)¤t_event); + /* first element has not to be checked (already done) */ + while(iterator->iterate(iterator, (void**)¤t_event)) + { + if (time_difference(&(event->time), &(current_event->time)) <= 0) + { + /* my event has to be fired before the current event in list */ + iterator->insert_before(iterator,event); + break; + } + } + iterator->destroy(iterator); + break; + } + + pthread_cond_signal( &(this->condvar)); + 
pthread_mutex_unlock(&(this->mutex)); +} + +/** + * Implements event_queue_t.add_relative. + */ +static void add_relative(event_queue_t *this, job_t *job, u_int32_t ms) +{ + timeval_t current_time; + timeval_t time; + + time_t s = ms / 1000; + suseconds_t us = (ms - s * 1000) * 1000; + + gettimeofday(¤t_time, NULL); + + time.tv_usec = (current_time.tv_usec + us) % 1000000; + time.tv_sec = current_time.tv_sec + (current_time.tv_usec + us)/1000000 + s; + + this->add_absolute(this, job, time); +} + + +/** + * Implements event_queue_t.destroy. + */ +static void event_queue_destroy(private_event_queue_t *this) +{ + this->list->destroy_function(this->list, (void*)event_destroy); + free(this); +} + +/* + * Documented in header + */ +event_queue_t *event_queue_create() +{ + private_event_queue_t *this = malloc_thing(private_event_queue_t); + + this->public.get_count = (int (*) (event_queue_t *event_queue)) get_count; + this->public.get = (job_t *(*) (event_queue_t *event_queue)) get; + this->public.add_absolute = (void (*) (event_queue_t *event_queue, job_t *job, timeval_t time)) add_absolute; + this->public.add_relative = (void (*) (event_queue_t *event_queue, job_t *job, u_int32_t ms)) add_relative; + this->public.destroy = (void (*) (event_queue_t *event_queue)) event_queue_destroy; + + this->list = linked_list_create(); + pthread_mutex_init(&(this->mutex), NULL); + pthread_cond_init(&(this->condvar), NULL); + + return (&this->public); +} diff --git a/src/charon/processing/event_queue.h b/src/charon/processing/event_queue.h new file mode 100644 index 000000000..c85286bf2 --- /dev/null +++ b/src/charon/processing/event_queue.h 
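Review bot: time_difference() computes `s * 1000` in `time_t`, so on a 32-bit time_t two timestamps more than about 24.8 days apart overflow with undefined behaviour; the result drives both the wait decision in get() and the ordering in add_absolute(), so an overflow could misorder or indefinitely delay an event. Making the function return `long long` and computing `return (long long)s * 1000 + us / 1000;` (with `long long difference` in get()) avoids it, or compare tv_sec before tv_usec where only the sign matters. In get(), the return value of pthread_cond_timedwait is discarded, which is correct because the loop re-reads the head, but a comment such as `/* ETIMEDOUT or signalled: re-check the head, an earlier event may have been inserted */` would record that the loop depends on it.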
@@ -0,0 +1,118 @@ +/** + * @file event_queue.h + * + * @brief Interface of job_queue_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef EVENT_QUEUE_H_ +#define EVENT_QUEUE_H_ + +typedef struct event_queue_t event_queue_t; + +#include + +#include +#include + +/** + * @brief Event-Queue used to store timed events. + * + * Added events are sorted. The get method blocks until + * the time is elapsed to process the next event. The get + * method is called from the scheduler_t thread, which + * will add the jobs to to job_queue_t for further processing. + * + * Although the event-queue is based on a linked_list_t + * all access functions are thread-save implemented. + * + * @b Constructors: + * - event_queue_create() + * + * @ingroup processing + */ +struct event_queue_t { + + /** + * @brief Returns number of events in queue. + * + * @param event_queue calling object + * @return number of events in queue + */ + int (*get_count) (event_queue_t *event_queue); + + /** + * @brief Get the next job from the event-queue. + * + * If no event is pending, this function blocks until a job can be returned. + * + * @param event_queue calling object + * @param[out] job pointer to a job pointer where to job is returned to + * @return next job + */ + job_t *(*get) (event_queue_t *event_queue); + + /** + * @brief Adds a event to the queue, using a relative time. 
+ * + * This function is non blocking and adds a job_t at a specific time to the list. + * The specific job object has to get destroyed by the thread which + * removes the job. + * + * @param event_queue calling object + * @param[in] job job to add to the queue (job is not copied) + * @param[in] time relative time, when the event has to get fired + */ + void (*add_relative) (event_queue_t *event_queue, job_t *job, u_int32_t ms); + + /** + * @brief Adds a event to the queue, using an absolute time. + * + * This function is non blocking and adds a job_t at a specific time to the list. + * The specific job object has to get destroyed by the thread which + * removes the job. + * + * @param event_queue calling object + * @param[in] job job to add to the queue (job is not copied) + * @param[in] time absolute time, when the event has to get fired + */ + void (*add_absolute) (event_queue_t *event_queue, job_t *job, timeval_t time); + + /** + * @brief Destroys a event_queue object. + * + * @warning The caller of this function has to make sure + * that no thread is going to add or get an event from the event_queue + * after calling this function. + * + * @param event_queue calling object + */ + void (*destroy) (event_queue_t *event_queue); +}; + +/** + * @brief Creates an empty event_queue. + * + * @returns event_queue_t object + * + * @ingroup processing + */ +event_queue_t *event_queue_create(void); + +#endif /*EVENT_QUEUE_H_*/ diff --git a/src/charon/processing/job_queue.c b/src/charon/processing/job_queue.c new file mode 100644 index 000000000..2310ca6ff --- /dev/null +++ b/src/charon/processing/job_queue.c 
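Review bot: The file header says `@brief Interface of job_queue_t.` but this header declares event_queue_t; it should read `@brief Interface of event_queue_t.`. In `add_relative` the documented parameter is `@param[in] time relative time, when the event has to get fired` while the actual parameter is `ms`, so Doxygen warns and readers miss the unit; write `@param[in] ms relative time in milliseconds, when the event has to get fired`. The `get` method documents `@param[out] job`, which does not exist since the job is the return value; drop that line. `thread-save` in the class comment should be `thread-safe`.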
@@ -0,0 +1,139 @@ +/** + * @file job_queue.c + * + * @brief Implementation of job_queue_t + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +#include "job_queue.h" + +#include + + +typedef struct private_job_queue_t private_job_queue_t; + +/** + * @brief Private Variables and Functions of job_queue class + * + */ +struct private_job_queue_t { + + /** + * public members + */ + job_queue_t public; + + /** + * The jobs are stored in a linked list + */ + linked_list_t *list; + + /** + * access to linked_list is locked through this mutex + */ + pthread_mutex_t mutex; + + /** + * If the queue is empty a thread has to wait + * This condvar is used to wake up such a thread + */ + pthread_cond_t condvar; +}; + + +/** + * implements job_queue_t.get_count + */ +static int get_count(private_job_queue_t *this) +{ + int count; + pthread_mutex_lock(&(this->mutex)); + count = this->list->get_count(this->list); + pthread_mutex_unlock(&(this->mutex)); + return count; +} + +/** + * implements job_queue_t.get + */ +static job_t *get(private_job_queue_t *this) +{ + int oldstate; + job_t *job; + pthread_mutex_lock(&(this->mutex)); + /* go to wait while no jobs available */ + while(this->list->get_count(this->list) == 0) + { + /* add mutex unlock handler for cancellation, enable cancellation */ + pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, 
(void*)&(this->mutex)); + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + + pthread_cond_wait( &(this->condvar), &(this->mutex)); + + /* reset cancellation, remove mutex-unlock handler (without executing) */ + pthread_setcancelstate(oldstate, NULL); + pthread_cleanup_pop(0); + } + this->list->remove_first(this->list, (void **)&job); + pthread_mutex_unlock(&(this->mutex)); + return job; +} + +/** + * implements function job_queue_t.add + */ +static void add(private_job_queue_t *this, job_t *job) +{ + pthread_mutex_lock(&(this->mutex)); + this->list->insert_last(this->list,job); + pthread_cond_signal( &(this->condvar)); + pthread_mutex_unlock(&(this->mutex)); +} + +/** + * implements job_queue_t.destroy + */ +static void job_queue_destroy (private_job_queue_t *this) +{ + this->list->destroy_offset(this->list, offsetof(job_t, destroy)); + free(this); +} + +/* + * + * Documented in header + */ +job_queue_t *job_queue_create(void) +{ + private_job_queue_t *this = malloc_thing(private_job_queue_t); + + this->public.get_count = (int(*)(job_queue_t*))get_count; + this->public.get = (job_t*(*)(job_queue_t*))get; + this->public.add = (void(*)(job_queue_t*, job_t*))add; + this->public.destroy = (void(*)(job_queue_t*))job_queue_destroy; + + this->list = linked_list_create(); + pthread_mutex_init(&(this->mutex), NULL); + pthread_cond_init(&(this->condvar), NULL); + + return (&this->public); +} diff --git a/src/charon/processing/job_queue.h b/src/charon/processing/job_queue.h new file mode 100644 index 000000000..9b58588ae --- /dev/null +++ b/src/charon/processing/job_queue.h 
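Review bot: `job_queue_destroy` frees the struct while the mutex and condition variable initialised in `job_queue_create` are never destroyed; add `pthread_mutex_destroy(&(this->mutex));` and `pthread_cond_destroy(&(this->condvar));` before `free(this);`. POSIX permits implementations to allocate resources in the init calls, so omitting the destroy calls leaks on such platforms, and an EBUSY from `pthread_cond_destroy` would also make a destroy racing a waiter in `get`, which the header forbids, visible. `event_queue_destroy` in event_queue.c in this commit has the same omission.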
@@ -0,0 +1,100 @@ +/** + * @file job_queue.h + * + * @brief Interface of job_queue_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef JOB_QUEUE_H_ +#define JOB_QUEUE_H_ + +typedef struct job_queue_t job_queue_t; + +#include +#include + +/** + * @brief The job queue stores jobs, which will be processed by the thread_pool_t. + * + * Jobs are added from various sources, from the threads and + * from the event_queue_t. + * Although the job-queue is based on a linked_list_t + * all access functions are thread-save implemented. + * + * @b Constructors: + * - job_queue_create() + * + * @ingroup processing + */ +struct job_queue_t { + + /** + * @brief Returns number of jobs in queue. + * + * @param job_queue_t calling object + * @returns number of items in queue + */ + int (*get_count) (job_queue_t *job_queue); + + /** + * @brief Get the next job from the queue. + * + * If the queue is empty, this function blocks until a job can be returned. + * After using, the returned job has to get destroyed by the caller. + * + * @param job_queue_t calling object + * @param[out] job pointer to a job pointer where to job is returned to + * @return next job + */ + job_t *(*get) (job_queue_t *job_queue); + + /** + * @brief Adds a job to the queue. + * + * This function is non blocking and adds a job_t to the list. 
+ * The specific job object has to get destroyed by the thread which + * removes the job. + * + * @param job_queue_t calling object + * @param job job to add to the queue (job is not copied) + */ + void (*add) (job_queue_t *job_queue, job_t *job); + + /** + * @brief Destroys a job_queue object. + * + * @warning The caller of this function has to make sure + * that no thread is going to add or get a job from the job_queue + * after calling this function. + * + * @param job_queue_t calling object + */ + void (*destroy) (job_queue_t *job_queue); +}; + +/** + * @brief Creates an empty job_queue. + * + * @return job_queue_t object + * + * @ingroup processing + */ +job_queue_t *job_queue_create(void); + +#endif /*JOB_QUEUE_H_*/ diff --git a/src/charon/processing/jobs/acquire_job.c b/src/charon/processing/jobs/acquire_job.c new file mode 100644 index 000000000..b4ffb258d --- /dev/null +++ b/src/charon/processing/jobs/acquire_job.c 
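Review bot: All four method comments use `@param job_queue_t calling object`, naming the type rather than the parameter; Doxygen matches on the parameter name, so these should read `@param job_queue calling object`. The `get` comment documents `@param[out] job pointer to a job pointer where to job is returned to`, but `get` has no such parameter and returns the job directly; drop that line. `thread-save` in the class comment should be `thread-safe`.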
@@ -0,0 +1,98 @@ +/** + * @file acquire_job.c + * + * @brief Implementation of acquire_job_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "acquire_job.h" + +#include + + +typedef struct private_acquire_job_t private_acquire_job_t; + +/** + * Private data of an acquire_job_t object. + */ +struct private_acquire_job_t { + /** + * Public acquire_job_t interface. + */ + acquire_job_t public; + + /** + * reqid of the child to rekey + */ + u_int32_t reqid; +}; + +/** + * Implementation of job_t.get_type. + */ +static job_type_t get_type(private_acquire_job_t *this) +{ + return ACQUIRE; +} + +/** + * Implementation of job_t.execute. + */ +static status_t execute(private_acquire_job_t *this) +{ + ike_sa_t *ike_sa; + + ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, + this->reqid, TRUE); + if (ike_sa == NULL) + { + DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for acquiring", + this->reqid); + return DESTROY_ME; + } + ike_sa->acquire(ike_sa, this->reqid); + + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return DESTROY_ME; +} + +/** + * Implementation of job_t.destroy. 
+ */ +static void destroy(private_acquire_job_t *this) +{ + free(this); +} + +/* + * Described in header + */ +acquire_job_t *acquire_job_create(u_int32_t reqid) +{ + private_acquire_job_t *this = malloc_thing(private_acquire_job_t); + + /* interface functions */ + this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; + this->public.job_interface.execute = (status_t (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + + /* private variables */ + this->reqid = reqid; + + return &(this->public); +} diff --git a/src/charon/processing/jobs/acquire_job.h b/src/charon/processing/jobs/acquire_job.h new file mode 100644 index 000000000..226966215 --- /dev/null +++ b/src/charon/processing/jobs/acquire_job.h 
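Review bot: `DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for acquiring", this->reqid)` formats a `u_int32_t` with `%d`; the conversion should be `%u`, since a signed specifier for an unsigned argument is a mismatch that `-Wformat` flags and that misprints reqids above INT_MAX. The same pattern is in the `execute` functions of delete_child_sa_job.c and rekey_child_sa_job.c in this commit. This assumes DBG2 hands standard conversions on to a printf-family function, which the custom `%#H` used elsewhere in this commit suggests but which is not visible here.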
@@ -0,0 +1,60 @@
+/**
+ * @file acquire_job.h
+ *
+ * @brief Interface of acquire_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef ACQUIRE_JOB_H_
+#define ACQUIRE_JOB_H_
+
+typedef struct acquire_job_t acquire_job_t;
+
+#include
+#include
+
+/**
+ * @brief Class representing an ACQUIRE Job.
+ *
+ * This job initiates a CHILD SA on kernel request.
+ *
+ * @b Constructors:
+ * - acquire_job_create()
+ *
+ * @ingroup jobs
+ */
+struct acquire_job_t {
+ /**
+ * The job_t interface.
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type ACQUIRE.
+ *
+ * We use the reqid to find the routed CHILD_SA.
+ *
+ * @param reqid reqid of the CHILD_SA to acquire
+ * @return acquire_job_t object
+ *
+ * @ingroup jobs
+ */
+acquire_job_t *acquire_job_create(u_int32_t reqid);
+
+#endif /* REKEY_CHILD_SA_JOB_H_ */
diff --git a/src/charon/processing/jobs/delete_child_sa_job.c b/src/charon/processing/jobs/delete_child_sa_job.c
new file mode 100644
index 000000000..f694696b0
--- /dev/null
+++ b/src/charon/processing/jobs/delete_child_sa_job.c
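Review bot: The closing guard comment `#endif /* REKEY_CHILD_SA_JOB_H_ */` names another file's macro; the guard opened at the top of this header is `ACQUIRE_JOB_H_`, so write `#endif /* ACQUIRE_JOB_H_ */`. It looks like this header was started from a copy of rekey_child_sa_job.h, and a wrong guard comment is the kind of leftover that later makes grep-based audits of include guards misleading.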
@@ -0,0 +1,113 @@ +/** + * @file delete_child_sa_job.c + * + * @brief Implementation of delete_child_sa_job_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "delete_child_sa_job.h" + +#include + + +typedef struct private_delete_child_sa_job_t private_delete_child_sa_job_t; + +/** + * Private data of an delete_child_sa_job_t object. + */ +struct private_delete_child_sa_job_t { + /** + + * Public delete_child_sa_job_t interface. + */ + delete_child_sa_job_t public; + + /** + * reqid of the CHILD_SA + */ + u_int32_t reqid; + + /** + * protocol of the CHILD_SA (ESP/AH) + */ + protocol_id_t protocol; + + /** + * inbound SPI of the CHILD_SA + */ + u_int32_t spi; +}; + +/** + * Implementation of job_t.get_type. + */ +static job_type_t get_type(private_delete_child_sa_job_t *this) +{ + return DELETE_CHILD_SA; +} + +/** + * Implementation of job_t.execute. + */ +static status_t execute(private_delete_child_sa_job_t *this) +{ + ike_sa_t *ike_sa; + + ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, + this->reqid, TRUE); + if (ike_sa == NULL) + { + DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete", + this->reqid); + return DESTROY_ME; + } + ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi); + + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return DESTROY_ME; +} + +/** + * Implementation of job_t.destroy. 
+ */ +static void destroy(private_delete_child_sa_job_t *this) +{ + free(this); +} + +/* + * Described in header + */ +delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, + protocol_id_t protocol, + u_int32_t spi) +{ + private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t); + + /* interface functions */ + this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; + this->public.job_interface.execute = (status_t (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + + /* private variables */ + this->reqid = reqid; + this->protocol = protocol; + this->spi = spi; + + return &(this->public); +} diff --git a/src/charon/processing/jobs/delete_child_sa_job.h b/src/charon/processing/jobs/delete_child_sa_job.h new file mode 100644 index 000000000..0b90e008d --- /dev/null +++ b/src/charon/processing/jobs/delete_child_sa_job.h 
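Review bot: The doc comment on the `public` member opens with `/**` followed by an empty comment line before ` * Public delete_child_sa_job_t interface.`; drop the blank line so it matches the sibling job files in this commit. The "not found" path here logs at DBG1 while the equivalent miss in acquire_job.c and rekey_child_sa_job.c is logged at DBG2; if the difference is not intentional, aligning the level keeps the job logs consistent for operators filtering by level.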
@@ -0,0 +1,68 @@ +/** + * @file delete_child_sa_job.h + * + * @brief Interface of delete_child_sa_job_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef DELETE_CHILD_SA_JOB_H_ +#define DELETE_CHILD_SA_JOB_H_ + +typedef struct delete_child_sa_job_t delete_child_sa_job_t; + +#include +#include +#include +#include + + +/** + * @brief Class representing an DELETE_CHILD_SA Job. + * + * This job initiates the delete of a CHILD SA. + * + * @b Constructors: + * - delete_child_sa_job_create() + * + * @ingroup jobs + */ +struct delete_child_sa_job_t { + /** + * The job_t interface. + */ + job_t job_interface; +}; + +/** + * @brief Creates a job of type DELETE_CHILD_SA. + * + * The CHILD_SA is identified by its reqid, protocol (AH/ESP) and its + * inbound SPI. + * + * @param reqid reqid of the CHILD_SA, as used in kernel + * @param protocol protocol of the CHILD_SA + * @param spi security parameter index of the CHILD_SA + * @return delete_child_sa_job_t object + * + * @ingroup jobs + */ +delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, + protocol_id_t protocol, + u_int32_t spi); + +#endif /* DELETE_CHILD_SA_JOB_H_ */ diff --git a/src/charon/processing/jobs/delete_ike_sa_job.c b/src/charon/processing/jobs/delete_ike_sa_job.c new file mode 100644 index 000000000..706155aa6 --- /dev/null +++ b/src/charon/processing/jobs/delete_ike_sa_job.c 
@@ -0,0 +1,126 @@ +/** + * @file delete_ike_sa_job.c + * + * @brief Implementation of delete_ike_sa_job_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "delete_ike_sa_job.h" + +#include + +typedef struct private_delete_ike_sa_job_t private_delete_ike_sa_job_t; + +/** + * Private data of an delete_ike_sa_job_t Object + */ +struct private_delete_ike_sa_job_t { + /** + * public delete_ike_sa_job_t interface + */ + delete_ike_sa_job_t public; + + /** + * ID of the ike_sa to delete + */ + ike_sa_id_t *ike_sa_id; + + /** + * Should the IKE_SA be deleted if it is in ESTABLISHED state? + */ + bool delete_if_established; +}; + +/** + * Implements job_t.get_type. + */ +static job_type_t get_type(private_delete_ike_sa_job_t *this) +{ + return DELETE_IKE_SA; +} + +/** + * Implementation of job_t.execute. 
+ */ +static status_t execute(private_delete_ike_sa_job_t *this) +{ + ike_sa_t *ike_sa; + + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + this->ike_sa_id); + if (ike_sa) + { + if (this->delete_if_established) + { + if (ike_sa->delete(ike_sa) == DESTROY_ME) + { + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, ike_sa); + } + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + } + else + { + /* destroy only if not ESTABLISHED */ + if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED) + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + else + { + DBG1(DBG_JOB, "deleting half open IKE_SA after timeout"); + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, ike_sa); + } + } + } + return DESTROY_ME; +} + +/** + * Implements job_t.destroy. + */ +static void destroy(private_delete_ike_sa_job_t *this) +{ + this->ike_sa_id->destroy(this->ike_sa_id); + free(this); +} + +/* + * Described in header + */ +delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id, + bool delete_if_established) +{ + private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t); + + /* interface functions */ + this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; + this->public.job_interface.execute = (status_t (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t *)) destroy;; + + /* private variables */ + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + this->delete_if_established = delete_if_established; + + return &(this->public); +} diff --git a/src/charon/processing/jobs/delete_ike_sa_job.h b/src/charon/processing/jobs/delete_ike_sa_job.h new file mode 100644 index 000000000..11bb46e73 --- /dev/null +++ b/src/charon/processing/jobs/delete_ike_sa_job.h 
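Review bot: The assignment `this->public.job_interface.destroy = (void (*)(job_t *)) destroy;;` ends with a doubled semicolon; drop the second one. It is harmless to the compiler but reads like an editing leftover, and the sibling job files in this commit end the same line with a single `;`.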
@@ -0,0 +1,66 @@
+/**
+ * @file delete_ike_sa_job.h
+ *
+ * @brief Interface of delete_ike_sa_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DELETE_IKE_SA_JOB_H_
+#define DELETE_IKE_SA_JOB_H_
+
+typedef struct delete_ike_sa_job_t delete_ike_sa_job_t;
+
+#include
+#include
+#include
+
+
+/**
+ * @brief Class representing an DELETE_IKE_SA Job.
+ *
+ * This job is responsible for deleting established or half open IKE_SAs.
+ * A half open IKE_SA is every IKE_SA which hasn't reache the SA_ESTABLISHED
+ * state.
+ *
+ * @b Constructors:
+ * - delete_ike_sa_job_create()
+ *
+ * @ingroup jobs
+ */
+struct delete_ike_sa_job_t {
+
+ /**
+ * The job_t interface.
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type DELETE_IKE_SA.
+ *
+ * @param ike_sa_id id of the IKE_SA to delete
+ * @param delete_if_established should the IKE_SA be deleted if it is established?
+ * @return created delete_ike_sa_job_t object
+ *
+ * @ingroup jobs
+ */
+delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
+ bool delete_if_established);
+
+#endif /* DELETE_IKE_SA_JOB_H_ */
diff --git a/src/charon/processing/jobs/job.c b/src/charon/processing/jobs/job.c
new file mode 100644
index 000000000..d32d1bc61
--- /dev/null
+++ b/src/charon/processing/jobs/job.c
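Review bot: `delete_ike_sa_job_create` clones `ike_sa_id` in delete_ike_sa_job.c and `destroy` destroys that clone, so the caller keeps ownership of the id it passes in; the `@param ike_sa_id` line should say so, e.g. `@param ike_sa_id id of the IKE_SA to delete (cloned, caller keeps ownership)`. Without that sentence a reader has to open the implementation to learn whether the id may be destroyed after enqueueing. The class comment also has a typo, `hasn't reache the SA_ESTABLISHED` should read `hasn't reached`, and `an DELETE_IKE_SA Job` should be `a DELETE_IKE_SA Job`.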
@@ -0,0 +1,39 @@
+/**
+ * @file job.c
+ *
+ * @brief Interface additions to job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "job.h"
+
+ENUM(job_type_names, PROCESS_MESSAGE, SEND_DPD,
+ "PROCESS_MESSAGE",
+ "RETRANSMIT",
+ "INITIATE",
+ "ROUTE",
+ "ACQUIRE",
+ "DELETE_IKE_SA",
+ "DELETE_CHILD_SA",
+ "REKEY_CHILD_SA",
+ "REKEY_IKE_SA",
+ "SEND_KEEPALIVE",
+ "SEND_DPD",
+);
diff --git a/src/charon/processing/jobs/job.h b/src/charon/processing/jobs/job.h
new file mode 100644
index 000000000..28632672d
--- /dev/null
+++ b/src/charon/processing/jobs/job.h
@@ -0,0 +1,165 @@ +/** + * @file job.h + * + * @brief Interface job_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef JOB_H_ +#define JOB_H_ + +typedef enum job_type_t job_type_t; +typedef struct job_t job_t; + +#include + +/** + * @brief Definition of the various job types. + * + * @ingroup jobs + */ +enum job_type_t { + /** + * Process an incoming IKEv2-Message. + * + * Job is implemented in class process_message_job_t + */ + PROCESS_MESSAGE, + + /** + * Retransmit an IKEv2-Message. + * + * Job is implemented in class retransmit_job_t + */ + RETRANSMIT, + + /** + * Set up a CHILD_SA, optional with an IKE_SA. + * + * Job is implemented in class initiate_job_t + */ + INITIATE, + + /** + * Install SPD entries. + * + * Job is implemented in class route_job_t + */ + ROUTE, + + /** + * React on a acquire message from the kernel (e.g. setup CHILD_SA) + * + * Job is implemented in class acquire_job_t + */ + ACQUIRE, + + /** + * Delete an IKE_SA. + * + * Job is implemented in class delete_ike_sa_job_t + */ + DELETE_IKE_SA, + + /** + * Delete a CHILD_SA. + * + * Job is implemented in class delete_child_sa_job_t + */ + DELETE_CHILD_SA, + + /** + * Rekey a CHILD_SA. + * + * Job is implemented in class rekey_child_sa_job_t + */ + REKEY_CHILD_SA, + + /** + * Rekey an IKE_SA. 
+ * + * Job is implemented in class rekey_ike_sa_job_t + */ + REKEY_IKE_SA, + + /** + * Send a keepalive packet. + * + * Job is implemented in class type send_keepalive_job_t + */ + SEND_KEEPALIVE, + + /** + * Send a DPD packet. + * + * Job is implemented in class type send_dpd_job_t + */ + SEND_DPD +}; + +/** + * enum name for job_type_t + * + * @ingroup jobs + */ +extern enum_name_t *job_type_names; + + +/** + * @brief Job-Interface as it is stored in the job queue. + * + * A job consists of a job-type and one or more assigned values. + * + * @b Constructors: + * - None, use specific implementation of the interface. + * + * @ingroup jobs + */ +struct job_t { + + /** + * @brief get type of job. + * + * @param this calling object + * @return type of this job + */ + job_type_t (*get_type) (job_t *this); + + /** + * @brief Execute a job. + * + * Call the internall job routine to process the + * job. If this method returns DESTROY_ME, the job + * must be destroyed by the caller. + * + * @param this calling object + * @return status of job execution + */ + status_t (*execute) (job_t *this); + + /** + * @brief Destroys a job_t object + * + * @param job_t calling object + */ + void (*destroy) (job_t *job); +}; + + +#endif /* JOB_H_ */ diff --git a/src/charon/processing/jobs/process_message_job.c b/src/charon/processing/jobs/process_message_job.c new file mode 100644 index 000000000..ee7484bbd --- /dev/null +++ b/src/charon/processing/jobs/process_message_job.c 
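Review bot: The `destroy` comment says `@param job_t calling object` but the parameter is `job`; write `@param job calling object` so Doxygen matches it. The `get_type` and `execute` declarations name their parameter `this` while `destroy` names it `job`; picking one name for all three keeps the interface uniform and the per-method docs consistent. The `execute` comment has a typo, `internall` should read `internal`, and the file header `@brief Interface job_t.` should read `@brief Interface of job_t.` like the other headers in this commit.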
@@ -0,0 +1,106 @@ +/** + * @file process_message_job.h + * + * @brief Implementation of process_message_job_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + + +#include "process_message_job.h" + +#include + +typedef struct private_process_message_job_t private_process_message_job_t; + +/** + * Private data of an process_message_job_t Object + */ +struct private_process_message_job_t { + /** + * public process_message_job_t interface + */ + process_message_job_t public; + + /** + * Message associated with this job + */ + message_t *message; +}; + +/** + * Implements job_t.get_type. + */ +static job_type_t get_type(private_process_message_job_t *this) +{ + return PROCESS_MESSAGE; +} + +/** + * Implementation of job_t.execute. + */ +static status_t execute(private_process_message_job_t *this) +{ + ike_sa_t *ike_sa; + + ike_sa = charon->ike_sa_manager->checkout_by_message(charon->ike_sa_manager, + this->message); + if (ike_sa) + { + DBG1(DBG_NET, "received packet: from %#H to %#H", + this->message->get_source(this->message), + this->message->get_destination(this->message)); + if (ike_sa->process_message(ike_sa, this->message) == DESTROY_ME) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); + } + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + } + return DESTROY_ME; +} + +/** + * Implements job_t.destroy. 
+ */ +static void destroy(private_process_message_job_t *this) +{ + this->message->destroy(this->message); + free(this); +} + +/* + * Described in header + */ +process_message_job_t *process_message_job_create(message_t *message) +{ + private_process_message_job_t *this = malloc_thing(private_process_message_job_t); + + /* interface functions */ + this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; + this->public.job_interface.execute = (status_t (*) (job_t *)) execute; + this->public.job_interface.destroy = (void(*)(job_t*))destroy; + + /* private variables */ + this->message = message; + + return &(this->public); +} diff --git a/src/charon/processing/jobs/process_message_job.h b/src/charon/processing/jobs/process_message_job.h new file mode 100644 index 000000000..5bb18155a --- /dev/null +++ b/src/charon/processing/jobs/process_message_job.h 
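Review bot: The file header says `@file process_message_job.h` but this is the implementation file; change it to `@file process_message_job.c`. In `execute`, the branch where `checkout_by_message` returns NULL drops the message without any log line, so an incoming packet that matches no IKE_SA leaves no trace in this job; unless the manager already logs that miss, an `else` branch with a `DBG1(DBG_NET, ...)` naming source and destination, as the success path already does, would make dropped messages observable to operators.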
@@ -0,0 +1,58 @@
+/**
+ * @file process_message_job.h
+ *
+ * @brief Interface of process_message_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PROCESS_MESSAGE_JOB_H_
+#define PROCESS_MESSAGE_JOB_H_
+
+typedef struct process_message_job_t process_message_job_t;
+
+#include
+#include
+#include
+
+/**
+ * @brief Class representing an PROCESS_MESSAGE job.
+ *
+ * @b Constructors:
+ * - process_message_job_create()
+ *
+ * @ingroup jobs
+ */
+struct process_message_job_t {
+ /**
+ * implements job_t interface
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type PROCESS_MESSAGE.
+ *
+ * @param message message to process
+ * @return created process_message_job_t object
+ *
+ * @ingroup jobs
+ */
+process_message_job_t *process_message_job_create(message_t *message);
+
+#endif /*PROCESS_MESSAGE_JOB_H_*/
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.c b/src/charon/processing/jobs/rekey_child_sa_job.c
new file mode 100644
index 000000000..3422b614d
--- /dev/null
+++ b/src/charon/processing/jobs/rekey_child_sa_job.c
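Review bot: `process_message_job_create` stores `message` directly and `destroy` in process_message_job.c calls `this->message->destroy`, so the job takes ownership of the message; the `@param message` line should state that, e.g. `@param message message to process (ownership passes to the job, which destroys it)`. Without it a caller might destroy the message after enqueueing and cause a double destroy. `an PROCESS_MESSAGE job` should also be `a PROCESS_MESSAGE job`.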
@@ -0,0 +1,112 @@ +/** + * @file rekey_child_sa_job.c + * + * @brief Implementation of rekey_child_sa_job_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "rekey_child_sa_job.h" + +#include + + +typedef struct private_rekey_child_sa_job_t private_rekey_child_sa_job_t; + +/** + * Private data of an rekey_child_sa_job_t object. + */ +struct private_rekey_child_sa_job_t { + /** + * Public rekey_child_sa_job_t interface. + */ + rekey_child_sa_job_t public; + + /** + * reqid of the child to rekey + */ + u_int32_t reqid; + + /** + * protocol of the CHILD_SA (ESP/AH) + */ + protocol_id_t protocol; + + /** + * inbound SPI of the CHILD_SA + */ + u_int32_t spi; +}; + +/** + * Implementation of job_t.get_type. + */ +static job_type_t get_type(private_rekey_child_sa_job_t *this) +{ + return REKEY_CHILD_SA; +} + +/** + * Implementation of job_t.execute. + */ +static status_t execute(private_rekey_child_sa_job_t *this) +{ + ike_sa_t *ike_sa; + + ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, + this->reqid, TRUE); + if (ike_sa == NULL) + { + DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying", + this->reqid); + return DESTROY_ME; + } + ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi); + + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return DESTROY_ME; +} + +/** + * Implementation of job_t.destroy. 
+ */ +static void destroy(private_rekey_child_sa_job_t *this) +{ + free(this); +} + +/* + * Described in header + */ +rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, + protocol_id_t protocol, + u_int32_t spi) +{ + private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t); + + /* interface functions */ + this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; + this->public.job_interface.execute = (status_t (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + + /* private variables */ + this->reqid = reqid; + this->protocol = protocol; + this->spi = spi; + + return &(this->public); +} diff --git a/src/charon/processing/jobs/rekey_child_sa_job.h b/src/charon/processing/jobs/rekey_child_sa_job.h new file mode 100644 index 000000000..df86070bc --- /dev/null +++ b/src/charon/processing/jobs/rekey_child_sa_job.h 
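Review bot: In execute(), the result of `ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi)` is discarded and the IKE_SA is always released with checkin(), whereas the sibling jobs in this commit (rekey_ike_sa_job, retransmit_job, send_dpd_job) route a DESTROY_ME result to checkin_and_destroy(). If rekey_child_sa() returns a status_t like those (its return type is not visible here), this job should test `== DESTROY_ME` and destroy the IKE_SA the same way; if it is void, a comment saying so would explain the asymmetry. Separately, the DBG2 text "CHILD_SA with reqid %d not found" describes a failed IKE_SA lookup and prints a u_int32_t with `%d`; `"IKE_SA with reqid %u not found for rekeying CHILD_SA"` would be accurate.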
@@ -0,0 +1,65 @@ +/** + * @file rekey_child_sa_job.h + * + * @brief Interface of rekey_child_sa_job_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef REKEY_CHILD_SA_JOB_H_ +#define REKEY_CHILD_SA_JOB_H_ + +typedef struct rekey_child_sa_job_t rekey_child_sa_job_t; + +#include +#include +#include +#include + +/** + * @brief Class representing an REKEY_CHILD_SA Job. + * + * This job initiates the rekeying of a CHILD SA. + * + * @b Constructors: + * - rekey_child_sa_job_create() + * + * @ingroup jobs + */ +struct rekey_child_sa_job_t { + /** + * The job_t interface. + */ + job_t job_interface; +}; + +/** + * @brief Creates a job of type REKEY_CHILD_SA. + * + * The CHILD_SA is identified by its protocol (AH/ESP) and its + * inbound SPI. + * + * @param reqid reqid of the CHILD_SA to rekey + * @param protocol protocol of the CHILD_SA + * @param spi security parameter index of the CHILD_SA + * @return rekey_child_sa_job_t object + * + * @ingroup jobs + */ +rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, protocol_id_t protocol, u_int32_t spi); + +#endif /* REKEY_CHILD_SA_JOB_H_ */ diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.c b/src/charon/processing/jobs/rekey_ike_sa_job.c new file mode 100644 index 000000000..f6c058634 --- /dev/null +++ b/src/charon/processing/jobs/rekey_ike_sa_job.c 
@@ -0,0 +1,120 @@ +/** + * @file rekey_ike_sa_job.c + * + * @brief Implementation of rekey_ike_sa_job_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "rekey_ike_sa_job.h" + +#include + + +typedef struct private_rekey_ike_sa_job_t private_rekey_ike_sa_job_t; + +/** + * Private data of an rekey_ike_sa_job_t object. + */ +struct private_rekey_ike_sa_job_t { + /** + * Public rekey_ike_sa_job_t interface. + */ + rekey_ike_sa_job_t public; + + /** + * ID of the IKE_SA to rekey + */ + ike_sa_id_t *ike_sa_id; + + /** + * force reauthentication of the peer (full IKE_SA setup) + */ + bool reauth; +}; + +/** + * Implementation of job_t.get_type. + */ +static job_type_t get_type(private_rekey_ike_sa_job_t *this) +{ + return REKEY_IKE_SA; +} + +/** + * Implementation of job_t.execute. 
+ */ +static status_t execute(private_rekey_ike_sa_job_t *this) +{ + ike_sa_t *ike_sa; + status_t status = SUCCESS; + + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + this->ike_sa_id); + if (ike_sa == NULL) + { + DBG2(DBG_JOB, "IKE_SA to rekey not found"); + return DESTROY_ME; + } + + if (this->reauth) + { + ike_sa->reestablish(ike_sa); + } + else + { + status = ike_sa->rekey(ike_sa); + } + + if (status == DESTROY_ME) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); + } + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + return DESTROY_ME; +} + +/** + * Implementation of job_t.destroy. + */ +static void destroy(private_rekey_ike_sa_job_t *this) +{ + this->ike_sa_id->destroy(this->ike_sa_id); + free(this); +} + +/* + * Described in header + */ +rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth) +{ + private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t); + + /* interface functions */ + this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; + this->public.job_interface.execute = (status_t (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + + /* private variables */ + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + this->reauth = reauth; + + return &(this->public); +} diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.h b/src/charon/processing/jobs/rekey_ike_sa_job.h new file mode 100644 index 000000000..4031b3813 --- /dev/null +++ b/src/charon/processing/jobs/rekey_ike_sa_job.h 
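Review bot: In execute(), the reauth branch calls `ike_sa->reestablish(ike_sa)` without using its result, so `status` stays SUCCESS and the IKE_SA is always checked back in, while the rekey branch sends DESTROY_ME to checkin_and_destroy(). If reestablish() returns a status_t as rekey() does (not visible in this hunk), the branch should read `status = ike_sa->reestablish(ike_sa);` so a failed reauthentication is handled consistently. If it is void, a one-line comment stating why the IKE_SA survives a failed reauth would save the next reader the question.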
@@ -0,0 +1,60 @@ +/** + * @file rekey_ike_sa_job.h + * + * @brief Interface of rekey_ike_sa_job_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef REKEY_IKE_SA_JOB_H_ +#define REKEY_IKE_SA_JOB_H_ + +typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t; + +#include +#include +#include + +/** + * @brief Class representing an REKEY_IKE_SA Job. + * + * This job initiates the rekeying of an IKE_SA. + * + * @b Constructors: + * - rekey_ike_sa_job_create() + * + * @ingroup jobs + */ +struct rekey_ike_sa_job_t { + /** + * The job_t interface. + */ + job_t job_interface; +}; + +/** + * @brief Creates a job of type REKEY_IKE_SA. + * + * @param ike_sa_id ID of the IKE_SA to rekey + * @param reauth TRUE to reauthenticate peer, FALSE for rekeying only + * @return rekey_ike_sa_job_t object + * + * @ingroup jobs + */ +rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth); + +#endif /* REKEY_IKE_SA_JOB_H_ */ diff --git a/src/charon/processing/jobs/retransmit_job.c b/src/charon/processing/jobs/retransmit_job.c new file mode 100644 index 000000000..5bfa20dfd --- /dev/null +++ b/src/charon/processing/jobs/retransmit_job.c 
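Review bot: The `@param ike_sa_id` line of rekey_ike_sa_job_create() does not state ownership; the implementation clones it (`this->ike_sa_id = ike_sa_id->clone(ike_sa_id)`), so the caller keeps its copy. The send_dpd_job header in this same commit says "(gets cloned)" for the same parameter; for consistency write `@param ike_sa_id ID of the IKE_SA to rekey (gets cloned, caller keeps ownership)`.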
@@ -0,0 +1,109 @@ +/** + * @file retransmit_job.c + * + * @brief Implementation of retransmit_job_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "retransmit_job.h" + +#include + +typedef struct private_retransmit_job_t private_retransmit_job_t; + +/** + * Private data of an retransmit_job_t Object. + */ +struct private_retransmit_job_t { + /** + * Public retransmit_job_t interface. + */ + retransmit_job_t public; + + /** + * Message ID of the request to resend. + */ + u_int32_t message_id; + + /** + * ID of the IKE_SA which the message belongs to. + */ + ike_sa_id_t *ike_sa_id; +}; + +/** + * Implements job_t.get_type. + */ +static job_type_t get_type(private_retransmit_job_t *this) +{ + return RETRANSMIT; +} + +/** + * Implementation of job_t.execute. + */ +static status_t execute(private_retransmit_job_t *this) +{ + ike_sa_t *ike_sa; + + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + this->ike_sa_id); + if (ike_sa) + { + if (ike_sa->retransmit(ike_sa, this->message_id) == DESTROY_ME) + { + /* retransmitted to many times, giving up */ + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); + } + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + } + return DESTROY_ME; +} + +/** + * Implements job_t.destroy. 
+ */ +static void destroy(private_retransmit_job_t *this) +{ + this->ike_sa_id->destroy(this->ike_sa_id); + free(this); +} + +/* + * Described in header. + */ +retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id) +{ + private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t); + + /* interface functions */ + this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; + this->public.job_interface.execute = (status_t (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + + /* private variables */ + this->message_id = message_id; + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + + return &this->public; +} diff --git a/src/charon/processing/jobs/retransmit_job.h b/src/charon/processing/jobs/retransmit_job.h new file mode 100644 index 000000000..93bb548e7 --- /dev/null +++ b/src/charon/processing/jobs/retransmit_job.h 
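Review bot: The comment above checkin_and_destroy() in execute() has a typo: `/* retransmitted to many times, giving up */` should be `/* retransmitted too many times, giving up */`. Unlike rekey_ike_sa_job in this commit, execute() is silent when checkout() returns NULL; an else branch with `DBG2(DBG_JOB, "IKE_SA for retransmission of request %u not found", this->message_id);` would make a dropped retransmission visible when debugging. The definition `retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id)` is also missing the space after the comma that the header declaration has.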
@@ -0,0 +1,64 @@ +/** + * @file retransmit_job.h + * + * @brief Interface of retransmit_job_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef RETRANSMIT_JOB_H_ +#define RETRANSMIT_JOB_H_ + +typedef struct retransmit_job_t retransmit_job_t; + +#include +#include +#include + +/** + * @brief Class representing an retransmit Job. + * + * This job is scheduled every time a request is sent over the + * wire. If the response to the request is not received at schedule + * time, the retransmission will be initiated. + * + * @b Constructors: + * - retransmit_job_create() + * + * @ingroup jobs + */ +struct retransmit_job_t { + /** + * The job_t interface. + */ + job_t job_interface; +}; + +/** + * @brief Creates a job of type retransmit. + * + * @param message_id message_id of the request to resend + * @param ike_sa_id identification of the ike_sa as ike_sa_id_t + * @return retransmit_job_t object + * + * @ingroup jobs + */ +retransmit_job_t *retransmit_job_create(u_int32_t message_id, + ike_sa_id_t *ike_sa_id); + +#endif /* RETRANSMIT_JOB_H_ */ diff --git a/src/charon/processing/jobs/send_dpd_job.c b/src/charon/processing/jobs/send_dpd_job.c new file mode 100644 index 000000000..7294d78d5 --- /dev/null +++ b/src/charon/processing/jobs/send_dpd_job.c 
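Review bot: The `@param ike_sa_id` doc of retransmit_job_create() should state that the ID is cloned, since the .c does `this->ike_sa_id = ike_sa_id->clone(ike_sa_id)` and the caller therefore retains ownership; the send_dpd_job header in this commit already uses the wording "(gets cloned)". I would write `@param ike_sa_id identification of the ike_sa as ike_sa_id_t (gets cloned, caller keeps ownership)`.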
@@ -0,0 +1,110 @@ +/** + * @file send_dpd_job.c + * + * @brief Implementation of send_dpd_job_t. + * + */ + +/* + * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + + +#include + +#include "send_dpd_job.h" + +#include +#include + + +typedef struct private_send_dpd_job_t private_send_dpd_job_t; + +/** + * Private data of an send_dpd_job_t Object + */ +struct private_send_dpd_job_t { + /** + * public send_dpd_job_t interface + */ + send_dpd_job_t public; + + /** + * ID of the IKE_SA which the message belongs to. + */ + ike_sa_id_t *ike_sa_id; +}; + +/** + * Implements send_dpd_job_t.get_type. + */ +static job_type_t get_type(private_send_dpd_job_t *this) +{ + return SEND_DPD; +} + +/** + * Implementation of job_t.execute. + */ +static status_t execute(private_send_dpd_job_t *this) +{ + ike_sa_t *ike_sa; + + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + this->ike_sa_id); + if (ike_sa == NULL) + { + return DESTROY_ME; + } + + if (ike_sa->send_dpd(ike_sa) == DESTROY_ME) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); + } + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + return DESTROY_ME; +} + +/** + * Implements job_t.destroy. 
+ */ +static void destroy(private_send_dpd_job_t *this) +{ + this->ike_sa_id->destroy(this->ike_sa_id); + free(this); +} + +/* + * Described in header + */ +send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id) +{ + private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t); + + /* interface functions */ + this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; + this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + this->public.job_interface.execute = (status_t (*) (job_t *)) execute; + + /* public functions */ + this->public.destroy = (void (*)(send_dpd_job_t *)) destroy; + + /* private variables */ + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + + return &(this->public); +} diff --git a/src/charon/processing/jobs/send_dpd_job.h b/src/charon/processing/jobs/send_dpd_job.h new file mode 100644 index 000000000..26c9e2e81 --- /dev/null +++ b/src/charon/processing/jobs/send_dpd_job.h 
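Review bot: send_dpd_job_create() installs destroy() twice, as `job_interface.destroy` and again as `this->public.destroy`; the other jobs added in this commit (rekey_*, retransmit) expose only the job_t interface, and a second destroy entry point invites a caller to free a job that the queue still owns. Unless something calls send_dpd_job_t.destroy() directly (not visible here), I would drop the public field and the line `this->public.destroy = (void (*)(send_dpd_job_t *)) destroy;`. If it has to stay, a comment stating who may call it, and that it must not be used once the job is queued, would prevent a double free.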
@@ -0,0 +1,67 @@ +/** + * @file send_dpd_job.h + * + * @brief Interface of send_dpd_job_t. + */ + +/* + * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef SEND_DPD_JOB_H_ +#define SEND_DPD_JOB_H_ + +typedef struct send_dpd_job_t send_dpd_job_t; + +#include +#include +#include + +/** + * @brief Class representing a SEND_DPD Job. + * + * Job to periodically send a Dead Peer Detection (DPD) request, + * ie. an IKE request with no payloads other than the encrypted payload + * required by the syntax. + * + * @b Constructors: + * - send_dpd_job_create() + * + * @ingroup jobs + */ +struct send_dpd_job_t { + /** + * implements job_t interface + */ + job_t job_interface; + + /** + * @brief Destroys an send_dpd_job_t object. + * + * @param this send_dpd_job_t object to destroy + */ + void (*destroy) (send_dpd_job_t *this); +}; + +/** + * @brief Creates a job of type SEND_DPD. + * + * @param ike_sa_id identification of the ike_sa as ike_sa_id_t object (gets cloned) + * @return initiate_ike_sa_job_t object + * + * @ingroup jobs + */ +send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id); + +#endif /*SEND_DPD_JOB_H_*/ diff --git a/src/charon/processing/jobs/send_keepalive_job.c b/src/charon/processing/jobs/send_keepalive_job.c new file mode 100644 index 000000000..1c1cb288e --- /dev/null +++ b/src/charon/processing/jobs/send_keepalive_job.c 
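Review bot: The `@return` of send_dpd_job_create() names the wrong type: `@return initiate_ike_sa_job_t object` should be `@return send_dpd_job_t object` (looks copied from another job header). If the public `destroy` member is kept, its doc should warn that it frees the same object as job_interface.destroy and therefore must not be called on a job already handed to the queue.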
@@ -0,0 +1,103 @@ +/** + * @file send_keepalive_job.c + * + * @brief Implementation of send_keepalive_job_t. + * + */ + +/* + * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + + +#include + +#include "send_keepalive_job.h" + +#include +#include + + +typedef struct private_send_keepalive_job_t private_send_keepalive_job_t; + +/** + * Private data of an send_keepalive_job_t Object + */ +struct private_send_keepalive_job_t { + /** + * public send_keepalive_job_t interface + */ + send_keepalive_job_t public; + + /** + * ID of the IKE_SA which the message belongs to. + */ + ike_sa_id_t *ike_sa_id; +}; + +/** + * Implements send_keepalive_job_t.get_type. + */ +static job_type_t get_type(private_send_keepalive_job_t *this) +{ + return SEND_KEEPALIVE; +} + +/** + * Implementation of job_t.execute. + */ +static status_t execute(private_send_keepalive_job_t *this) +{ + ike_sa_t *ike_sa; + + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + this->ike_sa_id); + if (ike_sa == NULL) + { + return DESTROY_ME; + } + ike_sa->send_keepalive(ike_sa); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return DESTROY_ME; +} + +/** + * Implements job_t.destroy. 
+ */ +static void destroy(private_send_keepalive_job_t *this) +{ + this->ike_sa_id->destroy(this->ike_sa_id); + free(this); +} + +/* + * Described in header + */ +send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id) +{ + private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t); + + /* interface functions */ + this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; + this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + this->public.job_interface.execute = (status_t (*) (job_t *)) execute; + + /* public functions */ + this->public.destroy = (void (*)(send_keepalive_job_t *)) destroy; + + /* private variables */ + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + + return &(this->public); +} diff --git a/src/charon/processing/jobs/send_keepalive_job.h b/src/charon/processing/jobs/send_keepalive_job.h new file mode 100644 index 000000000..f7b38337e --- /dev/null +++ b/src/charon/processing/jobs/send_keepalive_job.h 
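Review bot: execute() ignores the result of `ike_sa->send_keepalive(ike_sa)` and always calls checkin(), whereas the parallel send_dpd_job in this commit tests `== DESTROY_ME` and uses checkin_and_destroy(). If send_keepalive() returns a status_t (not visible here), mirror that handling; if it is void, a comment such as `/* keepalives never invalidate the IKE_SA */` would document the deliberate difference. The header for this job also claims it reinserts itself into the event queue, but nothing in execute() does so; if rescheduling happens inside send_keepalive(), a comment saying so at the call would keep the two files in agreement.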
@@ -0,0 +1,66 @@ +/** + * @file send_keepalive_job.h + * + * @brief Interface of send_keepalive_job_t. + */ + +/* + * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef SEND_KEEPALIVE_JOB_H_ +#define SEND_KEEPALIVE_JOB_H_ + +typedef struct send_keepalive_job_t send_keepalive_job_t; + +#include +#include +#include + +/** + * @brief Class representing a SEND_KEEPALIVE Job. + * + * This job will send a NAT keepalive packet if the IKE SA is still alive, + * and reinsert itself into the event queue. + * + * @b Constructors: + * - send_keepalive_job_create() + * + * @ingroup jobs + */ +struct send_keepalive_job_t { + /** + * implements job_t interface + */ + job_t job_interface; + + /** + * @brief Destroys an send_keepalive_job_t object. + * + * @param this send_keepalive_job_t object to destroy + */ + void (*destroy) (send_keepalive_job_t *this); +}; + +/** + * @brief Creates a job of type SEND_KEEPALIVE. + * + * @param ike_sa_id identification of the ike_sa as ike_sa_id_t object (gets cloned) + * @return initiate_ike_sa_job_t object + * + * @ingroup jobs + */ +send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id); + +#endif /*SEND_KEEPALIVE_JOB_H_*/ diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c new file mode 100644 index 000000000..7249e43e6 --- /dev/null +++ b/src/charon/processing/scheduler.c 
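Review bot: Two documentation errors in this header. `@return initiate_ike_sa_job_t object` should read `@return send_keepalive_job_t object`. The class comment says the job will "reinsert itself into the event queue", but the implementation's execute() only calls ike_sa->send_keepalive() and returns DESTROY_ME; unless send_keepalive() schedules a new job, the sentence is stale and should be reworded to describe where rescheduling actually happens, after confirming it.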
@@ -0,0 +1,104 @@ +/** + * @file scheduler.c + * + * @brief Implementation of scheduler_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +#include "scheduler.h" + +#include +#include + + +typedef struct private_scheduler_t private_scheduler_t; + +/** + * Private data of a scheduler_t object. + */ +struct private_scheduler_t { + /** + * Public part of a scheduler_t object. + */ + scheduler_t public; + + /** + * Assigned thread. + */ + pthread_t assigned_thread; +}; + +/** + * Implementation of private_scheduler_t.get_events. + */ +static void get_events(private_scheduler_t * this) +{ + job_t *current_job; + + /* cancellation disabled by default */ + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); + + DBG1(DBG_JOB, "scheduler thread running, thread_ID: %06u", + (int)pthread_self()); + + charon->drop_capabilities(charon, TRUE); + + while (TRUE) + { + DBG2(DBG_JOB, "waiting for next event..."); + /* get a job, this block until one is available */ + current_job = charon->event_queue->get(charon->event_queue); + /* queue the job in the job queue, workers will eat them */ + DBG2(DBG_JOB, "got event, adding job %N to job-queue", + job_type_names, current_job->get_type(current_job)); + charon->job_queue->add(charon->job_queue, current_job); + } +} + +/** + * Implementation of scheduler_t.destroy. 
+ */ +static void destroy(private_scheduler_t *this) +{ + pthread_cancel(this->assigned_thread); + pthread_join(this->assigned_thread, NULL); + free(this); +} + +/* + * Described in header. + */ +scheduler_t * scheduler_create() +{ + private_scheduler_t *this = malloc_thing(private_scheduler_t); + + this->public.destroy = (void(*)(scheduler_t*)) destroy; + + if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))get_events, this) != 0) + { + /* thread could not be created */ + free(this); + charon->kill(charon, "unable to create scheduler thread"); + } + + return &(this->public); +} diff --git a/src/charon/processing/scheduler.h b/src/charon/processing/scheduler.h new file mode 100644 index 000000000..bea93e7c9 --- /dev/null +++ b/src/charon/processing/scheduler.h 
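Review bot: In scheduler_create(), the pthread_create() failure path does `free(this)` and then falls through to `return &(this->public)`, a use-after-free unless charon->kill() never returns; the header promises NULL here, so add `return NULL;` after the kill() call and the function is safe either way. destroy() also depends on pthread_cancel() interrupting a thread that set PTHREAD_CANCEL_DISABLE; presumably event_queue->get() re-enables cancellation around its blocking wait, otherwise pthread_join() never returns — a comment at the setcancelstate call stating that contract would help. Finally, `DBG1(..., "%06u", (int)pthread_self())` truncates an opaque pthread_t to int and prints it with an unsigned conversion; `(unsigned long)pthread_self()` with `%lu` is the conventional compromise.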
@@ -0,0 +1,68 @@ +/** + * @file scheduler.h + * + * @brief Interface of scheduler_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef SCHEDULER_H_ +#define SCHEDULER_H_ + +typedef struct scheduler_t scheduler_t; + +#include + +/** + * @brief The scheduler thread is responsible for timed events. + * + * The scheduler thread takes out jobs from the event-queue and adds them + * to the job-queue. + * + * Starts a thread which does the work, since event-queue is blocking. + * + * @b Constructors: + * - scheduler_create() + * + * @ingroup processing + */ +struct scheduler_t { + + /** + * @brief Destroys a scheduler object. + * + * @param scheduler calling object + */ + void (*destroy) (scheduler_t *scheduler); +}; + +/** + * @brief Create a scheduler with its associated thread. + * + * The thread will start to get jobs form the event queue + * and adds them to the job queue. + * + * @return + * - scheduler_t object + * - NULL if thread could not be started + * + * @ingroup processing + */ +scheduler_t * scheduler_create(void); + +#endif /*SCHEDULER_H_*/ diff --git a/src/charon/processing/thread_pool.c b/src/charon/processing/thread_pool.c new file mode 100644 index 000000000..a9891da15 --- /dev/null +++ b/src/charon/processing/thread_pool.c 
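Review bot: The `@return` of scheduler_create() documents "NULL if thread could not be started", but the implementation in this commit calls charon->kill() on pthread_create() failure and contains no `return NULL` at all, so callers see either a terminated daemon or a dangling pointer. Either make the implementation return NULL or reword the doc to `@return scheduler_t object; charon->kill() is invoked if the thread cannot be created`. Typo: "get jobs form the event queue" → "from".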
@@ -0,0 +1,183 @@ +/** + * @file thread_pool.c + * + * @brief Implementation of thread_pool_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include +#include + +#include "thread_pool.h" + +#include +#include + + +typedef struct private_thread_pool_t private_thread_pool_t; + +/** + * @brief Private data of thread_pool_t class. + */ +struct private_thread_pool_t { + /** + * Public thread_pool_t interface. + */ + thread_pool_t public; + + /** + * Number of running threads. + */ + u_int pool_size; + + /** + * Number of threads waiting for work + */ + u_int idle_threads; + + /** + * Array of thread ids. + */ + pthread_t *threads; +}; + +/** + * Implementation of private_thread_pool_t.process_jobs. + */ +static void process_jobs(private_thread_pool_t *this) +{ + job_t *job; + status_t status; + + /* cancellation disabled by default */ + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); + + DBG1(DBG_JOB, "worker thread running, thread_ID: %06u", + (int)pthread_self()); + + charon->drop_capabilities(charon, TRUE); + + while (TRUE) + { + /* TODO: should be atomic, but is not mission critical */ + this->idle_threads++; + job = charon->job_queue->get(charon->job_queue); + this->idle_threads--; + + status = job->execute(job); + + if (status == DESTROY_ME) + { + job->destroy(job); + } + } +} + +/** + * Implementation of thread_pool_t.get_pool_size. 
+ */ +static u_int get_pool_size(private_thread_pool_t *this) +{ + return this->pool_size; +} + +/** + * Implementation of thread_pool_t.get_idle_threads. + */ +static u_int get_idle_threads(private_thread_pool_t *this) +{ + return this->idle_threads; +} + +/** + * Implementation of thread_pool_t.destroy. + */ +static void destroy(private_thread_pool_t *this) +{ + int current; + /* flag thread for termination */ + for (current = 0; current < this->pool_size; current++) + { + DBG1(DBG_JOB, "cancelling worker thread #%d", current+1); + pthread_cancel(this->threads[current]); + } + + /* wait for all threads */ + for (current = 0; current < this->pool_size; current++) { + if (pthread_join(this->threads[current], NULL) == 0) + { + DBG1(DBG_JOB, "worker thread #%d terminated", current+1); + } + else + { + DBG1(DBG_JOB, "could not terminate worker thread #%d", current+1); + } + } + + /* free mem */ + free(this->threads); + free(this); +} + +/* + * Described in header. + */ +thread_pool_t *thread_pool_create(size_t pool_size) +{ + int current; + private_thread_pool_t *this = malloc_thing(private_thread_pool_t); + + /* fill in public fields */ + this->public.destroy = (void(*)(thread_pool_t*))destroy; + this->public.get_pool_size = (u_int(*)(thread_pool_t*))get_pool_size; + this->public.get_idle_threads = (u_int(*)(thread_pool_t*))get_idle_threads; + + /* initialize member */ + this->pool_size = pool_size; + this->idle_threads = 0; + this->threads = malloc(sizeof(pthread_t) * pool_size); + + /* try to create as many threads as possible, up to pool_size */ + for (current = 0; current < pool_size; current++) + { + if (pthread_create(&(this->threads[current]), NULL, + (void*(*)(void*))process_jobs, this) == 0) + { + DBG1(DBG_JOB, "created worker thread #%d", current+1); + } + else + { + /* creation failed, is it the first one? 
*/ + if (current == 0) + { + free(this->threads); + free(this); + charon->kill(charon, "could not create any worker threads"); + } + /* not all threads could be created, but at least one :-/ */ + DBG1(DBG_JOB, "could only create %d from requested %d threads!", + current, pool_size); + this->pool_size = current; + break; + } + } + return (thread_pool_t*)this; +} diff --git a/src/charon/processing/thread_pool.h b/src/charon/processing/thread_pool.h new file mode 100644 index 000000000..09a6312a8 --- /dev/null +++ b/src/charon/processing/thread_pool.h 
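Review bot: In thread_pool_create(), when the first pthread_create() fails the code runs `free(this->threads); free(this); charon->kill(...)` and then continues into `this->pool_size = current;` and `return (thread_pool_t*)this;`, a use-after-free unless kill() never returns; add `return NULL;` after the kill() call, which is also what the header promises. The `malloc(sizeof(pthread_t) * pool_size)` result is never checked before `this->threads[current]` is written. `current` is an int compared against the size_t `pool_size`, and `pool_size` is printed with `%d`; declaring `size_t current` and using `%zu` in the DBG1 avoids the sign-compare and format mismatches. The unsynchronized `idle_threads++/--` is already flagged by the TODO; worth adding that get_idle_threads() reads it from other threads, so an occasionally stale count is the expected failure mode.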
@@ -0,0 +1,87 @@
+/**
+ * @file thread_pool.h
+ *
+ * @brief Interface of thread_pool_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef THREAD_POOL_H_
+#define THREAD_POOL_H_
+
+typedef struct thread_pool_t thread_pool_t;
+
+#include
+
+#include
+
+/**
+ * @brief A thread_pool consists of a pool of threads processing jobs from the job queue.
+ *
+ * Current implementation uses as many threads as specified in constructor.
+ * A more improved version would dynamically increase thread count if necessary.
+ *
+ * @b Constructors:
+ * - thread_pool_create()
+ *
+ * @todo Add support for dynamic thread handling
+ *
+ * @ingroup processing
+ */
+struct thread_pool_t {
+
+ /**
+ * @brief Return currently instanciated thread count.
+ *
+ * @param thread_pool calling object
+ * @return size of thread pool
+ */
+ u_int (*get_pool_size) (thread_pool_t *thread_pool);
+
+ /**
+ * @brief Get the number of threads currently waiting for work.
+ *
+ * @param thread_pool calling object
+ * @return number of idle threads
+ */
+ u_int (*get_idle_threads) (thread_pool_t *thread_pool);
+
+ /**
+ * @brief Destroy a thread_pool_t object.
+ *
+ * Sends cancellation request to all threads and AWAITS their termination.
+ *
+ * @param thread_pool calling object
+ */
+ void (*destroy) (thread_pool_t *thread_pool);
+};
+
+/**
+ * @brief Create the thread pool using using pool_size of threads.
+ *
+ * @param pool_size desired pool size
+ * @return
+ * - thread_pool_t object if one ore more threads could be started, or
+ * - NULL if no threads could be created
+ *
+ * @ingroup processing
+ */
+thread_pool_t *thread_pool_create(size_t pool_size);
+
+
+#endif /*THREAD_POOL_H_*/
diff --git a/src/charon/queues/event_queue.c b/src/charon/queues/event_queue.c
deleted file mode 100644
index 40bcb1ed8..000000000
--- a/src/charon/queues/event_queue.c
+++ /dev/null
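Review bot: The `@return` contract of thread_pool_create() promises NULL when no threads could be created, but the implementation added by the same commit in thread_pool.c (visible just above this header) never returns NULL: when the first pthread_create() fails it frees the object and calls `charon->kill(charon, ...)`, and the preceding `malloc(sizeof(pthread_t) * pool_size)` is not checked at all. If kill() ever returned, the subsequent `this->pool_size = current;` would write to memory that was just freed, so the two should agree on one behaviour. The smaller fix is to make the header honest, e.g. replace the two `@return` bullets with `@return thread_pool_t object; the daemon is terminated via charon->kill() if no worker thread could be started`; the alternative is to have the constructor return NULL on both the malloc and the first-thread failure and let the caller decide. The same paragraph has two typos worth fixing in passing: `using using` -> `using` and `one ore more` -> `one or more`.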
@@ -1,290 +0,0 @@ -/** - * @file event_queue.c - * - * @brief Implementation of event_queue_t - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include - -#include "event_queue.h" - -#include -#include - - - -typedef struct event_t event_t; - -/** - * Event containing a job and a schedule time - */ -struct event_t { - /** - * Time to fire the event. - */ - timeval_t time; - - /** - * Every event has its assigned job. - */ - job_t * job; -}; - -/** - * destroy an event and its job - */ -static void event_destroy(event_t *event) -{ - event->job->destroy(event->job); - free(event); -} - -typedef struct private_event_queue_t private_event_queue_t; - -/** - * Private Variables and Functions of event_queue_t class. - */ -struct private_event_queue_t { - /** - * Public part. - */ - event_queue_t public; - - /** - * The events are stored in a linked list of type linked_list_t. - */ - linked_list_t *list; - - /** - * Access to linked_list is locked through this mutex. - */ - pthread_mutex_t mutex; - - /** - * If the queue is empty or an event has not to be fired - * a thread has to wait. - * - * This condvar is used to wake up such a thread. 
- */ - pthread_cond_t condvar; -}; - -/** - * Returns the difference of to timeval structs in milliseconds - */ -static long time_difference(struct timeval *end_time, struct timeval *start_time) -{ - time_t s; - suseconds_t us; - - s = (end_time->tv_sec - start_time->tv_sec); - us = (end_time->tv_usec - start_time->tv_usec); - return ((s * 1000) + us/1000); -} - -/** - * Implements event_queue_t.get_count - */ -static int get_count(private_event_queue_t *this) -{ - int count; - pthread_mutex_lock(&(this->mutex)); - count = this->list->get_count(this->list); - pthread_mutex_unlock(&(this->mutex)); - return count; -} - -/** - * Implements event_queue_t.get - */ -static job_t *get(private_event_queue_t *this) -{ - timespec_t timeout; - timeval_t current_time; - event_t * next_event; - job_t *job; - int oldstate; - - pthread_mutex_lock(&(this->mutex)); - - while (TRUE) - { - while(this->list->get_count(this->list) == 0) - { - /* add mutex unlock handler for cancellation, enable cancellation */ - pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&(this->mutex)); - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - - pthread_cond_wait( &(this->condvar), &(this->mutex)); - - /* reset cancellation, remove mutex-unlock handler (without executing) */ - pthread_setcancelstate(oldstate, NULL); - pthread_cleanup_pop(0); - } - - this->list->get_first(this->list, (void **)&next_event); - - gettimeofday(¤t_time, NULL); - long difference = time_difference(¤t_time,&(next_event->time)); - if (difference <= 0) - { - timeout.tv_sec = next_event->time.tv_sec; - timeout.tv_nsec = next_event->time.tv_usec * 1000; - - /* add mutex unlock handler for cancellation, enable cancellation */ - pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&(this->mutex)); - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - - pthread_cond_timedwait(&(this->condvar), &(this->mutex), &timeout); - - /* reset cancellation, remove mutex-unlock handler (without 
executing) */ - pthread_setcancelstate(oldstate, NULL); - pthread_cleanup_pop(0); - } - else - { - /* event available */ - this->list->remove_first(this->list, (void **)&next_event); - job = next_event->job; - free(next_event); - break; - } - } - pthread_cond_signal( &(this->condvar)); - pthread_mutex_unlock(&(this->mutex)); - - return job; -} - -/** - * Implements function add_absolute of event_queue_t. - * See #event_queue_s.add_absolute for description. - */ -static void add_absolute(private_event_queue_t *this, job_t *job, timeval_t time) -{ - event_t *event; - event_t *current_event; - iterator_t *iterator; - - /* create event */ - event = malloc_thing(event_t); - event->time = time; - event->job = job; - - pthread_mutex_lock(&(this->mutex)); - - /* while just used to break out */ - while(TRUE) - { - if (this->list->get_count(this->list) == 0) - { - this->list->insert_first(this->list,event); - break; - } - - /* check last entry */ - this->list->get_last(this->list,(void **) ¤t_event); - - if (time_difference(&(event->time), &(current_event->time)) >= 0) - { - /* my event has to be fired after the last event in list */ - this->list->insert_last(this->list,event); - break; - } - - /* check first entry */ - this->list->get_first(this->list,(void **) ¤t_event); - - if (time_difference(&(event->time), &(current_event->time)) < 0) - { - /* my event has to be fired before the first event in list */ - this->list->insert_first(this->list,event); - break; - } - - iterator = this->list->create_iterator(this->list,TRUE); - iterator->iterate(iterator, (void**)¤t_event); - /* first element has not to be checked (already done) */ - while(iterator->iterate(iterator, (void**)¤t_event)) - { - if (time_difference(&(event->time), &(current_event->time)) <= 0) - { - /* my event has to be fired before the current event in list */ - iterator->insert_before(iterator,event); - break; - } - } - iterator->destroy(iterator); - break; - } - - pthread_cond_signal( &(this->condvar)); - 
pthread_mutex_unlock(&(this->mutex)); -} - -/** - * Implements event_queue_t.add_relative. - */ -static void add_relative(event_queue_t *this, job_t *job, u_int32_t ms) -{ - timeval_t current_time; - timeval_t time; - - time_t s = ms / 1000; - suseconds_t us = (ms - s * 1000) * 1000; - - gettimeofday(¤t_time, NULL); - - time.tv_usec = (current_time.tv_usec + us) % 1000000; - time.tv_sec = current_time.tv_sec + (current_time.tv_usec + us)/1000000 + s; - - this->add_absolute(this, job, time); -} - - -/** - * Implements event_queue_t.destroy. - */ -static void event_queue_destroy(private_event_queue_t *this) -{ - this->list->destroy_function(this->list, (void*)event_destroy); - free(this); -} - -/* - * Documented in header - */ -event_queue_t *event_queue_create() -{ - private_event_queue_t *this = malloc_thing(private_event_queue_t); - - this->public.get_count = (int (*) (event_queue_t *event_queue)) get_count; - this->public.get = (job_t *(*) (event_queue_t *event_queue)) get; - this->public.add_absolute = (void (*) (event_queue_t *event_queue, job_t *job, timeval_t time)) add_absolute; - this->public.add_relative = (void (*) (event_queue_t *event_queue, job_t *job, u_int32_t ms)) add_relative; - this->public.destroy = (void (*) (event_queue_t *event_queue)) event_queue_destroy; - - this->list = linked_list_create(); - pthread_mutex_init(&(this->mutex), NULL); - pthread_cond_init(&(this->condvar), NULL); - - return (&this->public); -} diff --git a/src/charon/queues/event_queue.h b/src/charon/queues/event_queue.h deleted file mode 100644 index cd275123b..000000000 --- a/src/charon/queues/event_queue.h +++ /dev/null 
@@ -1,118 +0,0 @@ -/** - * @file event_queue.h - * - * @brief Interface of job_queue_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef EVENT_QUEUE_H_ -#define EVENT_QUEUE_H_ - -typedef struct event_queue_t event_queue_t; - -#include - -#include -#include - -/** - * @brief Event-Queue used to store timed events. - * - * Added events are sorted. The get method blocks until - * the time is elapsed to process the next event. The get - * method is called from the scheduler_t thread, which - * will add the jobs to to job_queue_t for further processing. - * - * Although the event-queue is based on a linked_list_t - * all access functions are thread-save implemented. - * - * @b Constructors: - * - event_queue_create() - * - * @ingroup queues - */ -struct event_queue_t { - - /** - * @brief Returns number of events in queue. - * - * @param event_queue calling object - * @return number of events in queue - */ - int (*get_count) (event_queue_t *event_queue); - - /** - * @brief Get the next job from the event-queue. - * - * If no event is pending, this function blocks until a job can be returned. - * - * @param event_queue calling object - * @param[out] job pointer to a job pointer where to job is returned to - * @return next job - */ - job_t *(*get) (event_queue_t *event_queue); - - /** - * @brief Adds a event to the queue, using a relative time. 
- * - * This function is non blocking and adds a job_t at a specific time to the list. - * The specific job object has to get destroyed by the thread which - * removes the job. - * - * @param event_queue calling object - * @param[in] job job to add to the queue (job is not copied) - * @param[in] time relative time, when the event has to get fired - */ - void (*add_relative) (event_queue_t *event_queue, job_t *job, u_int32_t ms); - - /** - * @brief Adds a event to the queue, using an absolute time. - * - * This function is non blocking and adds a job_t at a specific time to the list. - * The specific job object has to get destroyed by the thread which - * removes the job. - * - * @param event_queue calling object - * @param[in] job job to add to the queue (job is not copied) - * @param[in] time absolute time, when the event has to get fired - */ - void (*add_absolute) (event_queue_t *event_queue, job_t *job, timeval_t time); - - /** - * @brief Destroys a event_queue object. - * - * @warning The caller of this function has to make sure - * that no thread is going to add or get an event from the event_queue - * after calling this function. - * - * @param event_queue calling object - */ - void (*destroy) (event_queue_t *event_queue); -}; - -/** - * @brief Creates an empty event_queue. - * - * @returns event_queue_t object - * - * @ingroup queues - */ -event_queue_t *event_queue_create(void); - -#endif /*EVENT_QUEUE_H_*/ diff --git a/src/charon/queues/job_queue.c b/src/charon/queues/job_queue.c deleted file mode 100644 index 2310ca6ff..000000000 --- a/src/charon/queues/job_queue.c +++ /dev/null 
@@ -1,139 +0,0 @@ -/** - * @file job_queue.c - * - * @brief Implementation of job_queue_t - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include - -#include "job_queue.h" - -#include - - -typedef struct private_job_queue_t private_job_queue_t; - -/** - * @brief Private Variables and Functions of job_queue class - * - */ -struct private_job_queue_t { - - /** - * public members - */ - job_queue_t public; - - /** - * The jobs are stored in a linked list - */ - linked_list_t *list; - - /** - * access to linked_list is locked through this mutex - */ - pthread_mutex_t mutex; - - /** - * If the queue is empty a thread has to wait - * This condvar is used to wake up such a thread - */ - pthread_cond_t condvar; -}; - - -/** - * implements job_queue_t.get_count - */ -static int get_count(private_job_queue_t *this) -{ - int count; - pthread_mutex_lock(&(this->mutex)); - count = this->list->get_count(this->list); - pthread_mutex_unlock(&(this->mutex)); - return count; -} - -/** - * implements job_queue_t.get - */ -static job_t *get(private_job_queue_t *this) -{ - int oldstate; - job_t *job; - pthread_mutex_lock(&(this->mutex)); - /* go to wait while no jobs available */ - while(this->list->get_count(this->list) == 0) - { - /* add mutex unlock handler for cancellation, enable cancellation */ - pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, 
(void*)&(this->mutex)); - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - - pthread_cond_wait( &(this->condvar), &(this->mutex)); - - /* reset cancellation, remove mutex-unlock handler (without executing) */ - pthread_setcancelstate(oldstate, NULL); - pthread_cleanup_pop(0); - } - this->list->remove_first(this->list, (void **)&job); - pthread_mutex_unlock(&(this->mutex)); - return job; -} - -/** - * implements function job_queue_t.add - */ -static void add(private_job_queue_t *this, job_t *job) -{ - pthread_mutex_lock(&(this->mutex)); - this->list->insert_last(this->list,job); - pthread_cond_signal( &(this->condvar)); - pthread_mutex_unlock(&(this->mutex)); -} - -/** - * implements job_queue_t.destroy - */ -static void job_queue_destroy (private_job_queue_t *this) -{ - this->list->destroy_offset(this->list, offsetof(job_t, destroy)); - free(this); -} - -/* - * - * Documented in header - */ -job_queue_t *job_queue_create(void) -{ - private_job_queue_t *this = malloc_thing(private_job_queue_t); - - this->public.get_count = (int(*)(job_queue_t*))get_count; - this->public.get = (job_t*(*)(job_queue_t*))get; - this->public.add = (void(*)(job_queue_t*, job_t*))add; - this->public.destroy = (void(*)(job_queue_t*))job_queue_destroy; - - this->list = linked_list_create(); - pthread_mutex_init(&(this->mutex), NULL); - pthread_cond_init(&(this->condvar), NULL); - - return (&this->public); -} diff --git a/src/charon/queues/job_queue.h b/src/charon/queues/job_queue.h deleted file mode 100644 index c971ba514..000000000 --- a/src/charon/queues/job_queue.h +++ /dev/null 
@@ -1,100 +0,0 @@ -/** - * @file job_queue.h - * - * @brief Interface of job_queue_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef JOB_QUEUE_H_ -#define JOB_QUEUE_H_ - -typedef struct job_queue_t job_queue_t; - -#include -#include - -/** - * @brief The job queue stores jobs, which will be processed by the thread_pool_t. - * - * Jobs are added from various sources, from the threads and - * from the event_queue_t. - * Although the job-queue is based on a linked_list_t - * all access functions are thread-save implemented. - * - * @b Constructors: - * - job_queue_create() - * - * @ingroup queues - */ -struct job_queue_t { - - /** - * @brief Returns number of jobs in queue. - * - * @param job_queue_t calling object - * @returns number of items in queue - */ - int (*get_count) (job_queue_t *job_queue); - - /** - * @brief Get the next job from the queue. - * - * If the queue is empty, this function blocks until a job can be returned. - * After using, the returned job has to get destroyed by the caller. - * - * @param job_queue_t calling object - * @param[out] job pointer to a job pointer where to job is returned to - * @return next job - */ - job_t *(*get) (job_queue_t *job_queue); - - /** - * @brief Adds a job to the queue. - * - * This function is non blocking and adds a job_t to the list. 
- * The specific job object has to get destroyed by the thread which - * removes the job. - * - * @param job_queue_t calling object - * @param job job to add to the queue (job is not copied) - */ - void (*add) (job_queue_t *job_queue, job_t *job); - - /** - * @brief Destroys a job_queue object. - * - * @warning The caller of this function has to make sure - * that no thread is going to add or get a job from the job_queue - * after calling this function. - * - * @param job_queue_t calling object - */ - void (*destroy) (job_queue_t *job_queue); -}; - -/** - * @brief Creates an empty job_queue. - * - * @return job_queue_t object - * - * @ingroup queues - */ -job_queue_t *job_queue_create(void); - -#endif /*JOB_QUEUE_H_*/ diff --git a/src/charon/queues/jobs/acquire_job.c b/src/charon/queues/jobs/acquire_job.c deleted file mode 100644 index b4ffb258d..000000000 --- a/src/charon/queues/jobs/acquire_job.c +++ /dev/null 
@@ -1,98 +0,0 @@ -/** - * @file acquire_job.c - * - * @brief Implementation of acquire_job_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "acquire_job.h" - -#include - - -typedef struct private_acquire_job_t private_acquire_job_t; - -/** - * Private data of an acquire_job_t object. - */ -struct private_acquire_job_t { - /** - * Public acquire_job_t interface. - */ - acquire_job_t public; - - /** - * reqid of the child to rekey - */ - u_int32_t reqid; -}; - -/** - * Implementation of job_t.get_type. - */ -static job_type_t get_type(private_acquire_job_t *this) -{ - return ACQUIRE; -} - -/** - * Implementation of job_t.execute. - */ -static status_t execute(private_acquire_job_t *this) -{ - ike_sa_t *ike_sa; - - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - this->reqid, TRUE); - if (ike_sa == NULL) - { - DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for acquiring", - this->reqid); - return DESTROY_ME; - } - ike_sa->acquire(ike_sa, this->reqid); - - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - return DESTROY_ME; -} - -/** - * Implementation of job_t.destroy. 
- */ -static void destroy(private_acquire_job_t *this) -{ - free(this); -} - -/* - * Described in header - */ -acquire_job_t *acquire_job_create(u_int32_t reqid) -{ - private_acquire_job_t *this = malloc_thing(private_acquire_job_t); - - /* interface functions */ - this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; - this->public.job_interface.execute = (status_t (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; - - /* private variables */ - this->reqid = reqid; - - return &(this->public); -} diff --git a/src/charon/queues/jobs/acquire_job.h b/src/charon/queues/jobs/acquire_job.h deleted file mode 100644 index 54f1b9b5b..000000000 --- a/src/charon/queues/jobs/acquire_job.h +++ /dev/null 
@@ -1,60 +0,0 @@ -/** - * @file acquire_job.h - * - * @brief Interface of acquire_job_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef ACQUIRE_JOB_H_ -#define ACQUIRE_JOB_H_ - -typedef struct acquire_job_t acquire_job_t; - -#include -#include - -/** - * @brief Class representing an ACQUIRE Job. - * - * This job initiates a CHILD SA on kernel request. - * - * @b Constructors: - * - acquire_job_create() - * - * @ingroup jobs - */ -struct acquire_job_t { - /** - * The job_t interface. - */ - job_t job_interface; -}; - -/** - * @brief Creates a job of type ACQUIRE. - * - * We use the reqid to find the routed CHILD_SA. - * - * @param reqid reqid of the CHILD_SA to acquire - * @return acquire_job_t object - * - * @ingroup jobs - */ -acquire_job_t *acquire_job_create(u_int32_t reqid); - -#endif /* REKEY_CHILD_SA_JOB_H_ */ diff --git a/src/charon/queues/jobs/delete_child_sa_job.c b/src/charon/queues/jobs/delete_child_sa_job.c deleted file mode 100644 index f694696b0..000000000 --- a/src/charon/queues/jobs/delete_child_sa_job.c +++ /dev/null 
@@ -1,113 +0,0 @@ -/** - * @file delete_child_sa_job.c - * - * @brief Implementation of delete_child_sa_job_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "delete_child_sa_job.h" - -#include - - -typedef struct private_delete_child_sa_job_t private_delete_child_sa_job_t; - -/** - * Private data of an delete_child_sa_job_t object. - */ -struct private_delete_child_sa_job_t { - /** - - * Public delete_child_sa_job_t interface. - */ - delete_child_sa_job_t public; - - /** - * reqid of the CHILD_SA - */ - u_int32_t reqid; - - /** - * protocol of the CHILD_SA (ESP/AH) - */ - protocol_id_t protocol; - - /** - * inbound SPI of the CHILD_SA - */ - u_int32_t spi; -}; - -/** - * Implementation of job_t.get_type. - */ -static job_type_t get_type(private_delete_child_sa_job_t *this) -{ - return DELETE_CHILD_SA; -} - -/** - * Implementation of job_t.execute. - */ -static status_t execute(private_delete_child_sa_job_t *this) -{ - ike_sa_t *ike_sa; - - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - this->reqid, TRUE); - if (ike_sa == NULL) - { - DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete", - this->reqid); - return DESTROY_ME; - } - ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi); - - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - return DESTROY_ME; -} - -/** - * Implementation of job_t.destroy. 
- */ -static void destroy(private_delete_child_sa_job_t *this) -{ - free(this); -} - -/* - * Described in header - */ -delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, - protocol_id_t protocol, - u_int32_t spi) -{ - private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t); - - /* interface functions */ - this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; - this->public.job_interface.execute = (status_t (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; - - /* private variables */ - this->reqid = reqid; - this->protocol = protocol; - this->spi = spi; - - return &(this->public); -} diff --git a/src/charon/queues/jobs/delete_child_sa_job.h b/src/charon/queues/jobs/delete_child_sa_job.h deleted file mode 100644 index 9c2e4fa4d..000000000 --- a/src/charon/queues/jobs/delete_child_sa_job.h +++ /dev/null 
@@ -1,68 +0,0 @@ -/** - * @file delete_child_sa_job.h - * - * @brief Interface of delete_child_sa_job_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef DELETE_CHILD_SA_JOB_H_ -#define DELETE_CHILD_SA_JOB_H_ - -typedef struct delete_child_sa_job_t delete_child_sa_job_t; - -#include -#include -#include -#include - - -/** - * @brief Class representing an DELETE_CHILD_SA Job. - * - * This job initiates the delete of a CHILD SA. - * - * @b Constructors: - * - delete_child_sa_job_create() - * - * @ingroup jobs - */ -struct delete_child_sa_job_t { - /** - * The job_t interface. - */ - job_t job_interface; -}; - -/** - * @brief Creates a job of type DELETE_CHILD_SA. - * - * The CHILD_SA is identified by its reqid, protocol (AH/ESP) and its - * inbound SPI. - * - * @param reqid reqid of the CHILD_SA, as used in kernel - * @param protocol protocol of the CHILD_SA - * @param spi security parameter index of the CHILD_SA - * @return delete_child_sa_job_t object - * - * @ingroup jobs - */ -delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, - protocol_id_t protocol, - u_int32_t spi); - -#endif /* DELETE_CHILD_SA_JOB_H_ */ diff --git a/src/charon/queues/jobs/delete_ike_sa_job.c b/src/charon/queues/jobs/delete_ike_sa_job.c deleted file mode 100644 index 706155aa6..000000000 --- a/src/charon/queues/jobs/delete_ike_sa_job.c +++ /dev/null 
@@ -1,126 +0,0 @@ -/** - * @file delete_ike_sa_job.c - * - * @brief Implementation of delete_ike_sa_job_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "delete_ike_sa_job.h" - -#include - -typedef struct private_delete_ike_sa_job_t private_delete_ike_sa_job_t; - -/** - * Private data of an delete_ike_sa_job_t Object - */ -struct private_delete_ike_sa_job_t { - /** - * public delete_ike_sa_job_t interface - */ - delete_ike_sa_job_t public; - - /** - * ID of the ike_sa to delete - */ - ike_sa_id_t *ike_sa_id; - - /** - * Should the IKE_SA be deleted if it is in ESTABLISHED state? - */ - bool delete_if_established; -}; - -/** - * Implements job_t.get_type. - */ -static job_type_t get_type(private_delete_ike_sa_job_t *this) -{ - return DELETE_IKE_SA; -} - -/** - * Implementation of job_t.execute. 
- */ -static status_t execute(private_delete_ike_sa_job_t *this) -{ - ike_sa_t *ike_sa; - - ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, - this->ike_sa_id); - if (ike_sa) - { - if (this->delete_if_established) - { - if (ike_sa->delete(ike_sa) == DESTROY_ME) - { - charon->ike_sa_manager->checkin_and_destroy( - charon->ike_sa_manager, ike_sa); - } - else - { - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - } - } - else - { - /* destroy only if not ESTABLISHED */ - if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED) - { - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - } - else - { - DBG1(DBG_JOB, "deleting half open IKE_SA after timeout"); - charon->ike_sa_manager->checkin_and_destroy( - charon->ike_sa_manager, ike_sa); - } - } - } - return DESTROY_ME; -} - -/** - * Implements job_t.destroy. - */ -static void destroy(private_delete_ike_sa_job_t *this) -{ - this->ike_sa_id->destroy(this->ike_sa_id); - free(this); -} - -/* - * Described in header - */ -delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id, - bool delete_if_established) -{ - private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t); - - /* interface functions */ - this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; - this->public.job_interface.execute = (status_t (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t *)) destroy;; - - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); - this->delete_if_established = delete_if_established; - - return &(this->public); -} diff --git a/src/charon/queues/jobs/delete_ike_sa_job.h b/src/charon/queues/jobs/delete_ike_sa_job.h deleted file mode 100644 index 43701a354..000000000 --- a/src/charon/queues/jobs/delete_ike_sa_job.h +++ /dev/null 
@@ -1,66 +0,0 @@
-/**
- * @file delete_ike_sa_job.h
- *
- * @brief Interface of delete_ike_sa_job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef DELETE_IKE_SA_JOB_H_
-#define DELETE_IKE_SA_JOB_H_
-
-typedef struct delete_ike_sa_job_t delete_ike_sa_job_t;
-
-#include
-#include
-#include
-
-
-/**
- * @brief Class representing an DELETE_IKE_SA Job.
- *
- * This job is responsible for deleting established or half open IKE_SAs.
- * A half open IKE_SA is every IKE_SA which hasn't reache the SA_ESTABLISHED
- * state.
- *
- * @b Constructors:
- * - delete_ike_sa_job_create()
- *
- * @ingroup jobs
- */
-struct delete_ike_sa_job_t {
-
- /**
- * The job_t interface.
- */
- job_t job_interface;
-};
-
-/**
- * @brief Creates a job of type DELETE_IKE_SA.
- *
- * @param ike_sa_id id of the IKE_SA to delete
- * @param delete_if_established should the IKE_SA be deleted if it is established?
- * @return created delete_ike_sa_job_t object
- *
- * @ingroup jobs
- */
-delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
- bool delete_if_established);
-
-#endif /* DELETE_IKE_SA_JOB_H_ */
diff --git a/src/charon/queues/jobs/initiate_job.c b/src/charon/queues/jobs/initiate_job.c
deleted file mode 100644
index af50663d6..000000000
--- a/src/charon/queues/jobs/initiate_job.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/**
- * @file initiate_job.c
- *
- * @brief Implementation of initiate_job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-
-#include
-
-#include "initiate_job.h"
-
-#include
-
-typedef struct private_initiate_job_t private_initiate_job_t;
-
-/**
- * Private data of an initiate_job_t Object
- */
-struct private_initiate_job_t {
- /**
- * public initiate_job_t interface
- */
- initiate_job_t public;
-
- /**
- * associated connection to initiate
- */
- connection_t *connection;
-
- /**
- * associated policy to initiate
- */
- policy_t *policy;
-};
-
-/**
- * Implements initiate_job_t.get_type.
- */
-static job_type_t get_type(private_initiate_job_t *this)
-{
- return INITIATE;
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static status_t execute(private_initiate_job_t *this)
-{
- ike_sa_t *ike_sa;
-
- ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager,
- this->connection->get_my_host(this->connection),
- this->connection->get_other_host(this->connection),
- this->policy->get_my_id(this->policy),
- this->policy->get_other_id(this->policy));
-
- if (ike_sa->initiate(ike_sa, this->connection, this->policy) != SUCCESS)
- {
- DBG1(DBG_JOB, "initiation failed, going to delete IKE_SA");
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
- return DESTROY_ME;
- }
-
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_initiate_job_t *this)
-{
- this->connection->destroy(this->connection);
- this->policy->destroy(this->policy);
- free(this);
-}
-
-/*
- * Described in header
- */
-initiate_job_t *initiate_job_create(connection_t *connection, policy_t *policy)
-{
- private_initiate_job_t *this = malloc_thing(private_initiate_job_t);
-
- /* interface functions */
- this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
- this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
- this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
- /* private variables */
- this->connection = connection;
- this->policy = policy;
-
- return &this->public;
-}
diff --git a/src/charon/queues/jobs/initiate_job.h b/src/charon/queues/jobs/initiate_job.h
deleted file mode 100644
index af1dd9ece..000000000
--- a/src/charon/queues/jobs/initiate_job.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
- * @file initiate_job.h
- *
- * @brief Interface of initiate_job_t.
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef INITIATE_IKE_SA_JOB_H_
-#define INITIATE_IKE_SA_JOB_H_
-
-typedef struct initiate_job_t initiate_job_t;
-
-#include
-#include
-#include
-#include
-
-/**
- * @brief Class representing an INITIATE_IKE_SA Job.
- *
- * This job is created if an IKE_SA should be iniated.
- *
- * @b Constructors:
- * - initiate_job_create()
- *
- * @ingroup jobs
- */
-struct initiate_job_t {
- /**
- * implements job_t interface
- */
- job_t job_interface;
-};
-
-/**
- * @brief Creates a job of type INITIATE_IKE_SA.
- *
- * @param connection connection_t to initialize
- * @param policy policy to set up
- * @return initiate_job_t object
- *
- * @ingroup jobs
- */
-initiate_job_t *initiate_job_create(connection_t *connection, policy_t *policy);
-
-#endif /*INITIATE_IKE_SA_JOB_H_*/
diff --git a/src/charon/queues/jobs/job.c b/src/charon/queues/jobs/job.c
deleted file mode 100644
index d32d1bc61..000000000
--- a/src/charon/queues/jobs/job.c
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * @file job.c
- *
- * @brief Interface additions to job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-
-#include "job.h"
-
-ENUM(job_type_names, PROCESS_MESSAGE, SEND_DPD,
- "PROCESS_MESSAGE",
- "RETRANSMIT",
- "INITIATE",
- "ROUTE",
- "ACQUIRE",
- "DELETE_IKE_SA",
- "DELETE_CHILD_SA",
- "REKEY_CHILD_SA",
- "REKEY_IKE_SA",
- "SEND_KEEPALIVE",
- "SEND_DPD",
-);
diff --git a/src/charon/queues/jobs/job.h b/src/charon/queues/jobs/job.h
deleted file mode 100644
index 28632672d..000000000
--- a/src/charon/queues/jobs/job.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/**
- * @file job.h
- *
- * @brief Interface job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef JOB_H_
-#define JOB_H_
-
-typedef enum job_type_t job_type_t;
-typedef struct job_t job_t;
-
-#include
-
-/**
- * @brief Definition of the various job types.
- *
- * @ingroup jobs
- */
-enum job_type_t {
- /**
- * Process an incoming IKEv2-Message.
- *
- * Job is implemented in class process_message_job_t
- */
- PROCESS_MESSAGE,
-
- /**
- * Retransmit an IKEv2-Message.
- *
- * Job is implemented in class retransmit_job_t
- */
- RETRANSMIT,
-
- /**
- * Set up a CHILD_SA, optional with an IKE_SA.
- *
- * Job is implemented in class initiate_job_t
- */
- INITIATE,
-
- /**
- * Install SPD entries.
- *
- * Job is implemented in class route_job_t
- */
- ROUTE,
-
- /**
- * React on a acquire message from the kernel (e.g. setup CHILD_SA)
- *
- * Job is implemented in class acquire_job_t
- */
- ACQUIRE,
-
- /**
- * Delete an IKE_SA.
- *
- * Job is implemented in class delete_ike_sa_job_t
- */
- DELETE_IKE_SA,
-
- /**
- * Delete a CHILD_SA.
- *
- * Job is implemented in class delete_child_sa_job_t
- */
- DELETE_CHILD_SA,
-
- /**
- * Rekey a CHILD_SA.
- *
- * Job is implemented in class rekey_child_sa_job_t
- */
- REKEY_CHILD_SA,
-
- /**
- * Rekey an IKE_SA.
- *
- * Job is implemented in class rekey_ike_sa_job_t
- */
- REKEY_IKE_SA,
-
- /**
- * Send a keepalive packet.
- *
- * Job is implemented in class type send_keepalive_job_t
- */
- SEND_KEEPALIVE,
-
- /**
- * Send a DPD packet.
- *
- * Job is implemented in class type send_dpd_job_t
- */
- SEND_DPD
-};
-
-/**
- * enum name for job_type_t
- *
- * @ingroup jobs
- */
-extern enum_name_t *job_type_names;
-
-
-/**
- * @brief Job-Interface as it is stored in the job queue.
- *
- * A job consists of a job-type and one or more assigned values.
- *
- * @b Constructors:
- * - None, use specific implementation of the interface.
- *
- * @ingroup jobs
- */
-struct job_t {
-
- /**
- * @brief get type of job.
- *
- * @param this calling object
- * @return type of this job
- */
- job_type_t (*get_type) (job_t *this);
-
- /**
- * @brief Execute a job.
- *
- * Call the internall job routine to process the
- * job. If this method returns DESTROY_ME, the job
- * must be destroyed by the caller.
- *
- * @param this calling object
- * @return status of job execution
- */
- status_t (*execute) (job_t *this);
-
- /**
- * @brief Destroys a job_t object
- *
- * @param job_t calling object
- */
- void (*destroy) (job_t *job);
-};
-
-
-#endif /* JOB_H_ */
diff --git a/src/charon/queues/jobs/process_message_job.c b/src/charon/queues/jobs/process_message_job.c
deleted file mode 100644
index ee7484bbd..000000000
--- a/src/charon/queues/jobs/process_message_job.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/**
- * @file process_message_job.h
- *
- * @brief Implementation of process_message_job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-
-#include "process_message_job.h"
-
-#include
-
-typedef struct private_process_message_job_t private_process_message_job_t;
-
-/**
- * Private data of an process_message_job_t Object
- */
-struct private_process_message_job_t {
- /**
- * public process_message_job_t interface
- */
- process_message_job_t public;
-
- /**
- * Message associated with this job
- */
- message_t *message;
-};
-
-/**
- * Implements job_t.get_type.
- */
-static job_type_t get_type(private_process_message_job_t *this)
-{
- return PROCESS_MESSAGE;
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static status_t execute(private_process_message_job_t *this)
-{
- ike_sa_t *ike_sa;
-
- ike_sa = charon->ike_sa_manager->checkout_by_message(charon->ike_sa_manager,
- this->message);
- if (ike_sa)
- {
- DBG1(DBG_NET, "received packet: from %#H to %#H",
- this->message->get_source(this->message),
- this->message->get_destination(this->message));
- if (ike_sa->process_message(ike_sa, this->message) == DESTROY_ME)
- {
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
- ike_sa);
- }
- else
- {
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- }
- }
- return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_process_message_job_t *this)
-{
- this->message->destroy(this->message);
- free(this);
-}
-
-/*
- * Described in header
- */
-process_message_job_t *process_message_job_create(message_t *message)
-{
- private_process_message_job_t *this = malloc_thing(private_process_message_job_t);
-
- /* interface functions */
- this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
- this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
- this->public.job_interface.destroy = (void(*)(job_t*))destroy;
-
- /* private variables */
- this->message = message;
-
- return &(this->public);
-}
diff --git a/src/charon/queues/jobs/process_message_job.h b/src/charon/queues/jobs/process_message_job.h
deleted file mode 100644
index 2e60a298c..000000000
--- a/src/charon/queues/jobs/process_message_job.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * @file process_message_job.h
- *
- * @brief Interface of process_message_job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef PROCESS_MESSAGE_JOB_H_
-#define PROCESS_MESSAGE_JOB_H_
-
-typedef struct process_message_job_t process_message_job_t;
-
-#include
-#include
-#include
-
-/**
- * @brief Class representing an PROCESS_MESSAGE job.
- *
- * @b Constructors:
- * - process_message_job_create()
- *
- * @ingroup jobs
- */
-struct process_message_job_t {
- /**
- * implements job_t interface
- */
- job_t job_interface;
-};
-
-/**
- * @brief Creates a job of type PROCESS_MESSAGE.
- *
- * @param message message to process
- * @return created process_message_job_t object
- *
- * @ingroup jobs
- */
-process_message_job_t *process_message_job_create(message_t *message);
-
-#endif /*PROCESS_MESSAGE_JOB_H_*/
diff --git a/src/charon/queues/jobs/rekey_child_sa_job.c b/src/charon/queues/jobs/rekey_child_sa_job.c
deleted file mode 100644
index 3422b614d..000000000
--- a/src/charon/queues/jobs/rekey_child_sa_job.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/**
- * @file rekey_child_sa_job.c
- *
- * @brief Implementation of rekey_child_sa_job_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "rekey_child_sa_job.h"
-
-#include
-
-
-typedef struct private_rekey_child_sa_job_t private_rekey_child_sa_job_t;
-
-/**
- * Private data of an rekey_child_sa_job_t object.
- */
-struct private_rekey_child_sa_job_t {
- /**
- * Public rekey_child_sa_job_t interface.
- */
- rekey_child_sa_job_t public;
-
- /**
- * reqid of the child to rekey
- */
- u_int32_t reqid;
-
- /**
- * protocol of the CHILD_SA (ESP/AH)
- */
- protocol_id_t protocol;
-
- /**
- * inbound SPI of the CHILD_SA
- */
- u_int32_t spi;
-};
-
-/**
- * Implementation of job_t.get_type.
- */
-static job_type_t get_type(private_rekey_child_sa_job_t *this)
-{
- return REKEY_CHILD_SA;
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static status_t execute(private_rekey_child_sa_job_t *this)
-{
- ike_sa_t *ike_sa;
-
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- this->reqid, TRUE);
- if (ike_sa == NULL)
- {
- DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying",
- this->reqid);
- return DESTROY_ME;
- }
- ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);
-
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- return DESTROY_ME;
-}
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_rekey_child_sa_job_t *this)
-{
- free(this);
-}
-
-/*
- * Described in header
- */
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
- protocol_id_t protocol,
- u_int32_t spi)
-{
- private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t);
-
- /* interface functions */
- this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
- this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
- this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-
- /* private variables */
- this->reqid = reqid;
- this->protocol = protocol;
- this->spi = spi;
-
- return &(this->public);
-}
diff --git a/src/charon/queues/jobs/rekey_child_sa_job.h b/src/charon/queues/jobs/rekey_child_sa_job.h
deleted file mode 100644
index 19e1b5d32..000000000
--- a/src/charon/queues/jobs/rekey_child_sa_job.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/**
- * @file rekey_child_sa_job.h
- *
- * @brief Interface of rekey_child_sa_job_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef REKEY_CHILD_SA_JOB_H_
-#define REKEY_CHILD_SA_JOB_H_
-
-typedef struct rekey_child_sa_job_t rekey_child_sa_job_t;
-
-#include
-#include
-#include
-#include
-
-/**
- * @brief Class representing an REKEY_CHILD_SA Job.
- *
- * This job initiates the rekeying of a CHILD SA.
- *
- * @b Constructors:
- * - rekey_child_sa_job_create()
- *
- * @ingroup jobs
- */
-struct rekey_child_sa_job_t {
- /**
- * The job_t interface.
- */
- job_t job_interface;
-};
-
-/**
- * @brief Creates a job of type REKEY_CHILD_SA.
- *
- * The CHILD_SA is identified by its protocol (AH/ESP) and its
- * inbound SPI.
- *
- * @param reqid reqid of the CHILD_SA to rekey
- * @param protocol protocol of the CHILD_SA
- * @param spi security parameter index of the CHILD_SA
- * @return rekey_child_sa_job_t object
- *
- * @ingroup jobs
- */
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, protocol_id_t protocol, u_int32_t spi);
-
-#endif /* REKEY_CHILD_SA_JOB_H_ */
diff --git a/src/charon/queues/jobs/rekey_ike_sa_job.c b/src/charon/queues/jobs/rekey_ike_sa_job.c
deleted file mode 100644
index 2539d997e..000000000
--- a/src/charon/queues/jobs/rekey_ike_sa_job.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/**
- * @file rekey_ike_sa_job.c
- *
- * @brief Implementation of rekey_ike_sa_job_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "rekey_ike_sa_job.h"
-
-#include
-
-
-typedef struct private_rekey_ike_sa_job_t private_rekey_ike_sa_job_t;
-
-/**
- * Private data of an rekey_ike_sa_job_t object.
- */
-struct private_rekey_ike_sa_job_t {
- /**
- * Public rekey_ike_sa_job_t interface.
- */
- rekey_ike_sa_job_t public;
-
- /**
- * ID of the IKE_SA to rekey
- */
- ike_sa_id_t *ike_sa_id;
-
- /**
- * force reauthentication of the peer (full IKE_SA setup)
- */
- bool reauth;
-};
-
-/**
- * Implementation of job_t.get_type.
- */
-static job_type_t get_type(private_rekey_ike_sa_job_t *this)
-{
- return REKEY_IKE_SA;
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static status_t execute(private_rekey_ike_sa_job_t *this)
-{
- ike_sa_t *ike_sa;
- status_t status = SUCCESS;
-
- ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
- this->ike_sa_id);
- if (ike_sa == NULL)
- {
- DBG2(DBG_JOB, "IKE_SA %J to rekey not found", this->ike_sa_id);
- return DESTROY_ME;
- }
-
- if (this->reauth)
- {
- ike_sa->reestablish(ike_sa);
- }
- else
- {
- status = ike_sa->rekey(ike_sa);
- }
-
- if (status == DESTROY_ME)
- {
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
- }
- else
- {
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- }
- return DESTROY_ME;
-}
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_rekey_ike_sa_job_t *this)
-{
- this->ike_sa_id->destroy(this->ike_sa_id);
- free(this);
-}
-
-/*
- * Described in header
- */
-rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth)
-{
- private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t);
-
- /* interface functions */
- this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
- this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
- this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-
- /* private variables */
- this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
- this->reauth = reauth;
-
- return &(this->public);
-}
diff --git a/src/charon/queues/jobs/rekey_ike_sa_job.h b/src/charon/queues/jobs/rekey_ike_sa_job.h
deleted file mode 100644
index f3e336fb3..000000000
--- a/src/charon/queues/jobs/rekey_ike_sa_job.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * @file rekey_ike_sa_job.h
- *
- * @brief Interface of rekey_ike_sa_job_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef REKEY_IKE_SA_JOB_H_
-#define REKEY_IKE_SA_JOB_H_
-
-typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t;
-
-#include
-#include
-#include
-
-/**
- * @brief Class representing an REKEY_IKE_SA Job.
- *
- * This job initiates the rekeying of an IKE_SA.
- *
- * @b Constructors:
- * - rekey_ike_sa_job_create()
- *
- * @ingroup jobs
- */
-struct rekey_ike_sa_job_t {
- /**
- * The job_t interface.
- */
- job_t job_interface;
-};
-
-/**
- * @brief Creates a job of type REKEY_IKE_SA.
- *
- * @param ike_sa_id ID of the IKE_SA to rekey
- * @param reauth TRUE to reauthenticate peer, FALSE for rekeying only
- * @return rekey_ike_sa_job_t object
- *
- * @ingroup jobs
- */
-rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth);
-
-#endif /* REKEY_IKE_SA_JOB_H_ */
diff --git a/src/charon/queues/jobs/retransmit_job.c b/src/charon/queues/jobs/retransmit_job.c
deleted file mode 100644
index 5bfa20dfd..000000000
--- a/src/charon/queues/jobs/retransmit_job.c
+++ /dev/null
@@ -1,109 +0,0 @@
-/**
- * @file retransmit_job.c
- *
- * @brief Implementation of retransmit_job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "retransmit_job.h"
-
-#include
-
-typedef struct private_retransmit_job_t private_retransmit_job_t;
-
-/**
- * Private data of an retransmit_job_t Object.
- */
-struct private_retransmit_job_t {
- /**
- * Public retransmit_job_t interface.
- */
- retransmit_job_t public;
-
- /**
- * Message ID of the request to resend.
- */
- u_int32_t message_id;
-
- /**
- * ID of the IKE_SA which the message belongs to.
- */
- ike_sa_id_t *ike_sa_id;
-};
-
-/**
- * Implements job_t.get_type.
- */
-static job_type_t get_type(private_retransmit_job_t *this)
-{
- return RETRANSMIT;
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static status_t execute(private_retransmit_job_t *this)
-{
- ike_sa_t *ike_sa;
-
- ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
- this->ike_sa_id);
- if (ike_sa)
- {
- if (ike_sa->retransmit(ike_sa, this->message_id) == DESTROY_ME)
- {
- /* retransmitted to many times, giving up */
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
- ike_sa);
- }
- else
- {
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- }
- }
- return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_retransmit_job_t *this)
-{
- this->ike_sa_id->destroy(this->ike_sa_id);
- free(this);
-}
-
-/*
- * Described in header.
- */
-retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id)
-{
- private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t);
-
- /* interface functions */
- this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
- this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
- this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
- /* private variables */
- this->message_id = message_id;
- this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-
- return &this->public;
-}
diff --git a/src/charon/queues/jobs/retransmit_job.h b/src/charon/queues/jobs/retransmit_job.h
deleted file mode 100644
index 19e29b909..000000000
--- a/src/charon/queues/jobs/retransmit_job.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/**
- * @file retransmit_job.h
- *
- * @brief Interface of retransmit_job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef RETRANSMIT_JOB_H_
-#define RETRANSMIT_JOB_H_
-
-typedef struct retransmit_job_t retransmit_job_t;
-
-#include
-#include
-#include
-
-/**
- * @brief Class representing an retransmit Job.
- *
- * This job is scheduled every time a request is sent over the
- * wire. If the response to the request is not received at schedule
- * time, the retransmission will be initiated.
- *
- * @b Constructors:
- * - retransmit_job_create()
- *
- * @ingroup jobs
- */
-struct retransmit_job_t {
- /**
- * The job_t interface.
- */
- job_t job_interface;
-};
-
-/**
- * @brief Creates a job of type retransmit.
- *
- * @param message_id message_id of the request to resend
- * @param ike_sa_id identification of the ike_sa as ike_sa_id_t
- * @return retransmit_job_t object
- *
- * @ingroup jobs
- */
-retransmit_job_t *retransmit_job_create(u_int32_t message_id,
- ike_sa_id_t *ike_sa_id);
-
-#endif /* RETRANSMIT_JOB_H_ */
diff --git a/src/charon/queues/jobs/route_job.c b/src/charon/queues/jobs/route_job.c
deleted file mode 100644
index bb6281dcc..000000000
--- a/src/charon/queues/jobs/route_job.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/**
- * @file route_job.c
- *
- * @brief Implementation of route_job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-
-#include
-
-#include "route_job.h"
-
-#include
-
-typedef struct private_route_job_t private_route_job_t;
-
-/**
- * Private data of an route_job_t Object
- */
-struct private_route_job_t {
- /**
- * public route_job_t interface
- */
- route_job_t public;
-
- /**
- * associated connection to route
- */
- connection_t *connection;
-
- /**
- * associated policy to route
- */
- policy_t *policy;
-
- /**
- * route or unroute?
- */
- bool route;
-};
-
-/**
- * Implements route_job_t.get_type.
- */
-static job_type_t get_type(private_route_job_t *this)
-{
- return ROUTE;
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static status_t execute(private_route_job_t *this)
-{
- ike_sa_t *ike_sa;
-
- ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager,
- this->connection->get_my_host(this->connection),
- this->connection->get_other_host(this->connection),
- this->policy->get_my_id(this->policy),
- this->policy->get_other_id(this->policy));
- if (this->route)
- {
- if (ike_sa->route(ike_sa, this->connection, this->policy) != SUCCESS)
- {
- DBG1(DBG_JOB, "routing failed");
- }
- }
- else
- {
- if (ike_sa->unroute(ike_sa, this->policy) == DESTROY_ME)
- {
- DBG1(DBG_JOB, "removing IKE_SA, as last routed CHILD_SA unrouted");
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
- return DESTROY_ME;
- }
- }
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_route_job_t *this)
-{
- this->connection->destroy(this->connection);
- this->policy->destroy(this->policy);
- free(this);
-}
-
-/*
- * Described in header
- */
-route_job_t *route_job_create(connection_t *connection, policy_t *policy, bool route)
-{
- private_route_job_t *this = malloc_thing(private_route_job_t);
-
- /* interface functions */
- this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
- this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
- this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
- /* private variables */
- this->connection = connection;
- this->policy = policy;
- this->route = route;
-
- return &this->public;
-}
diff --git a/src/charon/queues/jobs/route_job.h b/src/charon/queues/jobs/route_job.h
deleted file mode 100644
index 2743a70ab..000000000
--- a/src/charon/queues/jobs/route_job.h
+++ /dev/null
@@ -1,59 +0,0 @@ -/** - * @file route_job.h - * - * @brief Interface of route_job_t. - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef ROUTE_JOB_H_ -#define ROUTE_JOB_H_ - -typedef struct route_job_t route_job_t; - -#include -#include -#include -#include - -/** - * @brief Class representing an ROUTE Job. - * - * @b Constructors: - * - route_job_create() - * - * @ingroup jobs - */ -struct route_job_t { - /** - * implements job_t interface - */ - job_t job_interface; -}; - -/** - * @brief Creates a job of type ROUTE. - * - * @param connection connection used for routing - * @param policy policy to set up - * @param route TRUE to route, FALSE to unroute - * @return route_job_t object - * - * @ingroup jobs - */ -route_job_t *route_job_create(connection_t *connection, policy_t *policy, bool route); - -#endif /*ROUTE_JOB_H_*/ diff --git a/src/charon/queues/jobs/send_dpd_job.c b/src/charon/queues/jobs/send_dpd_job.c deleted file mode 100644 index 7294d78d5..000000000 --- a/src/charon/queues/jobs/send_dpd_job.c +++ /dev/null 
@@ -1,110 +0,0 @@ -/** - * @file send_dpd_job.c - * - * @brief Implementation of send_dpd_job_t. - * - */ - -/* - * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - - -#include - -#include "send_dpd_job.h" - -#include -#include - - -typedef struct private_send_dpd_job_t private_send_dpd_job_t; - -/** - * Private data of an send_dpd_job_t Object - */ -struct private_send_dpd_job_t { - /** - * public send_dpd_job_t interface - */ - send_dpd_job_t public; - - /** - * ID of the IKE_SA which the message belongs to. - */ - ike_sa_id_t *ike_sa_id; -}; - -/** - * Implements send_dpd_job_t.get_type. - */ -static job_type_t get_type(private_send_dpd_job_t *this) -{ - return SEND_DPD; -} - -/** - * Implementation of job_t.execute. - */ -static status_t execute(private_send_dpd_job_t *this) -{ - ike_sa_t *ike_sa; - - ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, - this->ike_sa_id); - if (ike_sa == NULL) - { - return DESTROY_ME; - } - - if (ike_sa->send_dpd(ike_sa) == DESTROY_ME) - { - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); - } - else - { - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - } - return DESTROY_ME; -} - -/** - * Implements job_t.destroy. 
- */ -static void destroy(private_send_dpd_job_t *this) -{ - this->ike_sa_id->destroy(this->ike_sa_id); - free(this); -} - -/* - * Described in header - */ -send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id) -{ - private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t); - - /* interface functions */ - this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; - this->public.job_interface.execute = (status_t (*) (job_t *)) execute; - - /* public functions */ - this->public.destroy = (void (*)(send_dpd_job_t *)) destroy; - - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); - - return &(this->public); -} diff --git a/src/charon/queues/jobs/send_dpd_job.h b/src/charon/queues/jobs/send_dpd_job.h deleted file mode 100644 index f3900f9a2..000000000 --- a/src/charon/queues/jobs/send_dpd_job.h +++ /dev/null 
@@ -1,68 +0,0 @@ -/** - * @file send_dpd_job.h - * - * @brief Interface of send_dpd_job_t. - */ - -/* - * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef SEND_DPD_JOB_H_ -#define SEND_DPD_JOB_H_ - -typedef struct send_dpd_job_t send_dpd_job_t; - -#include -#include -#include -#include - -/** - * @brief Class representing a SEND_DPD Job. - * - * Job to periodically send a Dead Peer Detection (DPD) request, - * ie. an IKE request with no payloads other than the encrypted payload - * required by the syntax. - * - * @b Constructors: - * - send_dpd_job_create() - * - * @ingroup jobs - */ -struct send_dpd_job_t { - /** - * implements job_t interface - */ - job_t job_interface; - - /** - * @brief Destroys an send_dpd_job_t object. - * - * @param this send_dpd_job_t object to destroy - */ - void (*destroy) (send_dpd_job_t *this); -}; - -/** - * @brief Creates a job of type SEND_DPD. - * - * @param ike_sa_id identification of the ike_sa as ike_sa_id_t object (gets cloned) - * @return initiate_ike_sa_job_t object - * - * @ingroup jobs - */ -send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id); - -#endif /*SEND_DPD_JOB_H_*/ diff --git a/src/charon/queues/jobs/send_keepalive_job.c b/src/charon/queues/jobs/send_keepalive_job.c deleted file mode 100644 index 1c1cb288e..000000000 --- a/src/charon/queues/jobs/send_keepalive_job.c +++ /dev/null 
@@ -1,103 +0,0 @@ -/** - * @file send_keepalive_job.c - * - * @brief Implementation of send_keepalive_job_t. - * - */ - -/* - * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - - -#include - -#include "send_keepalive_job.h" - -#include -#include - - -typedef struct private_send_keepalive_job_t private_send_keepalive_job_t; - -/** - * Private data of an send_keepalive_job_t Object - */ -struct private_send_keepalive_job_t { - /** - * public send_keepalive_job_t interface - */ - send_keepalive_job_t public; - - /** - * ID of the IKE_SA which the message belongs to. - */ - ike_sa_id_t *ike_sa_id; -}; - -/** - * Implements send_keepalive_job_t.get_type. - */ -static job_type_t get_type(private_send_keepalive_job_t *this) -{ - return SEND_KEEPALIVE; -} - -/** - * Implementation of job_t.execute. - */ -static status_t execute(private_send_keepalive_job_t *this) -{ - ike_sa_t *ike_sa; - - ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, - this->ike_sa_id); - if (ike_sa == NULL) - { - return DESTROY_ME; - } - ike_sa->send_keepalive(ike_sa); - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - return DESTROY_ME; -} - -/** - * Implements job_t.destroy. 
- */ -static void destroy(private_send_keepalive_job_t *this) -{ - this->ike_sa_id->destroy(this->ike_sa_id); - free(this); -} - -/* - * Described in header - */ -send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id) -{ - private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t); - - /* interface functions */ - this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; - this->public.job_interface.execute = (status_t (*) (job_t *)) execute; - - /* public functions */ - this->public.destroy = (void (*)(send_keepalive_job_t *)) destroy; - - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); - - return &(this->public); -} diff --git a/src/charon/queues/jobs/send_keepalive_job.h b/src/charon/queues/jobs/send_keepalive_job.h deleted file mode 100644 index c7d05be65..000000000 --- a/src/charon/queues/jobs/send_keepalive_job.h +++ /dev/null 
@@ -1,67 +0,0 @@ -/** - * @file send_keepalive_job.h - * - * @brief Interface of send_keepalive_job_t. - */ - -/* - * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef SEND_KEEPALIVE_JOB_H_ -#define SEND_KEEPALIVE_JOB_H_ - -typedef struct send_keepalive_job_t send_keepalive_job_t; - -#include -#include -#include -#include - -/** - * @brief Class representing a SEND_KEEPALIVE Job. - * - * This job will send a NAT keepalive packet if the IKE SA is still alive, - * and reinsert itself into the event queue. - * - * @b Constructors: - * - send_keepalive_job_create() - * - * @ingroup jobs - */ -struct send_keepalive_job_t { - /** - * implements job_t interface - */ - job_t job_interface; - - /** - * @brief Destroys an send_keepalive_job_t object. - * - * @param this send_keepalive_job_t object to destroy - */ - void (*destroy) (send_keepalive_job_t *this); -}; - -/** - * @brief Creates a job of type SEND_KEEPALIVE. - * - * @param ike_sa_id identification of the ike_sa as ike_sa_id_t object (gets cloned) - * @return initiate_ike_sa_job_t object - * - * @ingroup jobs - */ -send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id); - -#endif /*SEND_KEEPALIVE_JOB_H_*/ diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c index a4d8abb58..e4a58f0a3 100644 --- a/src/charon/sa/authenticators/eap/eap_method.c 
+++ b/src/charon/sa/authenticators/eap/eap_method.c @@ -85,7 +85,7 @@ void eap_method_unload() while (modules->remove_last(modules, (void**)&entry) == SUCCESS) { - DBG2(DBG_CFG, "unloaded module for %s", eap_type_names, entry->type); + DBG2(DBG_CFG, "unloaded module for %N", eap_type_names, entry->type); dlclose(entry->handle); free(entry); } @@ -100,27 +100,10 @@ void eap_method_unload() void eap_method_load(char *directory) { struct dirent* entry; - struct stat stb; DIR* dir; eap_method_unload(); modules = linked_list_create(); - - if (stat(directory, &stb) == -1 || !(stb.st_mode & S_IFDIR)) - { - DBG1(DBG_CFG, "error opening EAP modules directory %s", directory); - return; - } - if (stb.st_uid != 0) - { - DBG1(DBG_CFG, "EAP modules directory %s not owned by root, skipped", directory); - return; - } - if (stb.st_mode & S_IWOTH || stb.st_mode & S_IWGRP) - { - DBG1(DBG_CFG, "EAP modules directory %s writable by others, skipped", directory); - return; - } dir = opendir(directory); if (dir == NULL) @@ -141,12 +124,6 @@ void eap_method_load(char *directory) snprintf(file, sizeof(file), "%s/%s", directory, entry->d_name); - if (stat(file, &stb) == -1 || !(stb.st_mode & S_IFREG)) - { - DBG2(DBG_CFG, " skipping %s, doesn't look like a file", - entry->d_name); - continue; - } ending = entry->d_name + strlen(entry->d_name) - 3; if (ending <= entry->d_name || !streq(ending, ".so")) { @@ -155,16 +132,6 @@ void eap_method_load(char *directory) entry->d_name); continue; } - if (stb.st_uid != 0) - { - DBG1(DBG_CFG, " skipping %s, file is not owned by root", entry->d_name); - return; - } - if (stb.st_mode & S_IWOTH || stb.st_mode & S_IWGRP) - { - DBG1(DBG_CFG, " skipping %s, file is writeable by others", entry->d_name); - continue; - } /* try to load the library */ module.handle = dlopen(file, RTLD_LAZY); diff --git a/src/charon/sa/authenticators/eap/eap_sim.c b/src/charon/sa/authenticators/eap/eap_sim.c index 3dc59fb6b..38d7f2534 100644 
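Review bot: eap_method_load() now dlopen()s every `.so` found under `directory` without the root-ownership, S_IFREG and group/world-writability checks that the removed stat() blocks in this hunk, `@@ -141,12 +124,6 @@` and `@@ -155,16 +132,6 @@` used to enforce. That is a hardening regression rather than a cleanup: those permission tests were what tied the code loaded into the daemon to root, and after this change the daemon's integrity rests on whoever can write to the module path. If the checks were dropped deliberately (for example because packaging now guarantees the permissions), that reasoning belongs in a comment above `dir = opendir(directory);`; otherwise restoring them through one helper, as sketched below, keeps the three sites consistent (the old per-file owner check also used `return` where its neighbours used `continue`, so a restored version should `continue`). eap_method_load()'s body continues outside the hunk.
```c
/* Refuse to load from a path that is not root-owned or that group/others can write to */
static bool is_trusted_path(char *path, mode_t type)
{
	struct stat stb;

	if (stat(path, &stb) == -1 || (stb.st_mode & S_IFMT) != type)
	{
		return FALSE;
	}
	return stb.st_uid == 0 && !(stb.st_mode & (S_IWOTH | S_IWGRP));
}

/* … in eap_method_load(), before opendir(): … */
	if (!is_trusted_path(directory, S_IFDIR))
	{
		DBG1(DBG_CFG, "EAP modules directory %s missing, not owned by root "
			 "or writable by others, skipped", directory);
		return;
	}
/* … unchanged: opendir()/readdir() loop and ".so" suffix check … */
	if (!is_trusted_path(file, S_IFREG))
	{
		DBG1(DBG_CFG, "  skipping %s, not a root-owned, non-writable regular file",
			 entry->d_name);
		continue;
	}
	/* try to load the library */
	module.handle = dlopen(file, RTLD_LAZY);
```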
--- a/src/charon/sa/authenticators/eap/eap_sim.c +++ b/src/charon/sa/authenticators/eap/eap_sim.c @@ -398,6 +398,30 @@ static status_t process_start(private_eap_sim_t *this, eap_payload_t *in, /* only include AT_IDENTITY if requested */ include_id = AT_IDENTITY; break; + case AT_NOTIFICATION: + { + u_int16_t code = 0; + if (data.len == 2) + { + code = ntohs(*(u_int16_t*)data.ptr); + } + if (code <= 32767) /* no success bit */ + { + DBG1(DBG_IKE, "received %N error %d", + sim_attribute_names, attribute, code); + *out = build_payload(this, + in->get_identifier(in), SIM_CLIENT_ERROR, + AT_CLIENT_ERROR_CODE, client_error_general, + AT_END); + return NEED_MORE; + } + else + { + DBG1(DBG_IKE, "received %N code %d", + sim_attribute_names, attribute, code); + } + break; + } default: DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N", sim_attribute_names, attribute); @@ -456,6 +480,30 @@ static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in, memset(data.ptr, 0, data.len); break; } + case AT_NOTIFICATION: + { + u_int16_t code = 0; + if (data.len == 2) + { + code = ntohs(*(u_int16_t*)data.ptr); + } + if (code <= 32767) /* no success bit */ + { + DBG1(DBG_IKE, "received %N error %d", + sim_attribute_names, attribute, code); + *out = build_payload(this, + in->get_identifier(in), SIM_CLIENT_ERROR, + AT_CLIENT_ERROR_CODE, client_error_general, + AT_END); + return NEED_MORE; + } + else + { + DBG1(DBG_IKE, "received %N code %d", + sim_attribute_names, attribute, code); + } + break; + } default: DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N", sim_attribute_names, attribute); @@ -472,7 +520,7 @@ static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in, *out = build_payload(this, identifier, SIM_CLIENT_ERROR, AT_CLIENT_ERROR_CODE, client_error_insufficient, AT_END); - return FAILED; + return NEED_MORE; } if (mac.len != MAC_LEN) { 
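Review bot: The AT_NOTIFICATION case added here, and repeated byte-for-byte in `@@ -456,6 +480,30 @@` and in the new process_notification(), reads the code with `ntohs(*(u_int16_t*)data.ptr)`, a possibly unaligned, type-punned read of two bytes that came straight off the wire. Copy them out with `memcpy(&code, data.ptr, sizeof(code))` before `ntohs()`, and since the whole block is triplicated it is worth moving into one helper so the three copies cannot drift apart, as sketched below. Testing the length against `sizeof(code)` instead of the literal 2 ties the check to the type. process_start()'s switch continues outside the hunk.
```c
/* Parse one AT_NOTIFICATION; TRUE if it is an error the peer must answer with SIM_CLIENT_ERROR */
static bool notification_is_error(chunk_t data, sim_attribute_t attribute)
{
	u_int16_t code = 0;

	if (data.len == sizeof(code))
	{
		memcpy(&code, data.ptr, sizeof(code));
		code = ntohs(code);
	}
	if (code <= 32767) /* no success bit */
	{
		DBG1(DBG_IKE, "received %N error %d", sim_attribute_names, attribute, code);
		return TRUE;
	}
	DBG1(DBG_IKE, "received %N code %d", sim_attribute_names, attribute, code);
	return FALSE;
}

/* … at each of the three switch sites: … */
			case AT_NOTIFICATION:
				if (notification_is_error(data, attribute))
				{
					*out = build_payload(this, in->get_identifier(in), SIM_CLIENT_ERROR,
										 AT_CLIENT_ERROR_CODE, client_error_general, AT_END);
					return NEED_MORE;
				}
				break;
```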
@@ -556,6 +604,58 @@ static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in, return NEED_MORE; } +/** + * process an EAP-SIM/Request/Notification message + */ +static status_t process_notification(private_eap_sim_t *this, eap_payload_t *in, + eap_payload_t **out) +{ + chunk_t message, data; + sim_attribute_t attribute; + + message = in->get_data(in); + read_header(&message); + + while ((attribute = read_attribute(&message, &data)) != AT_END) + { + switch (attribute) + { + case AT_NOTIFICATION: + { + u_int16_t code = 0; + if (data.len == 2) + { + code = ntohs(*(u_int16_t*)data.ptr); + } + if (code <= 32767) /* no success bit */ + { + DBG1(DBG_IKE, "received %N error %d", + sim_attribute_names, attribute, code); + *out = build_payload(this, + in->get_identifier(in), SIM_CLIENT_ERROR, + AT_CLIENT_ERROR_CODE, client_error_general, + AT_END); + return NEED_MORE; + } + else + { + DBG1(DBG_IKE, "received %N code %d", + sim_attribute_names, attribute, code); + } + break; + } + default: + DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N", + sim_attribute_names, attribute); + break; + } + } + /* reply with empty notification */ + *out = build_payload(this, in->get_identifier(in), SIM_NOTIFICATION, AT_END); + return NEED_MORE; +} + + /** * Implementation of eap_method_t.process for the peer */ @@ -574,6 +674,8 @@ static status_t process(private_eap_sim_t *this, return process_start(this, in, out); case SIM_CHALLENGE: return process_challenge(this, in, out); + case SIM_NOTIFICATION: + return process_notification(this, in, out); default: DBG1(DBG_IKE, "unable to process EAP_SIM subtype %N", sim_subtype_names, type); diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c index 6c8ca8d8f..6e2f73a43 100644 --- a/src/charon/sa/authenticators/eap_authenticator.c +++ b/src/charon/sa/authenticators/eap_authenticator.c 
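Review bot: process_notification() acts on AT_NOTIFICATION and answers it without ever looking for an AT_MAC, although RFC 4186 (section 9.8) requires AT_MAC on a notification whose P bit (0x4000) is clear, i.e. one sent after the challenge, and expects the peer to ignore such a notification when the MAC is missing or wrong. As written, an unauthenticated notification carrying an error code is enough for the peer to answer SIM_CLIENT_ERROR and give up the exchange, which discards the protection the challenge MAC just established. The loop should note whether AT_MAC was present (process_challenge() already parses it into `mac`) and, for codes with the P bit clear, verify it over the message before taking the error path; until then a marker such as `/* TODO: verify AT_MAC when the P bit is clear (RFC 4186 9.8); currently accepted unauthenticated */` above the `switch` states the gap. Note that the `code <= 32767` test only examines the S bit, so the P bit is never inspected anywhere in this function.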
@@ -25,7 +25,7 @@ #include "eap_authenticator.h" #include -#include +#include #include typedef struct private_eap_authenticator_t private_eap_authenticator_t; @@ -61,21 +61,31 @@ struct private_eap_authenticator_t { chunk_t msk; }; +/** + * reuse shared key signature function from PSK authenticator + */ extern chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce, - chunk_t secret, identification_t *id, - prf_t *prf_skp, prf_t *prf); - + chunk_t secret, identification_t *id, + chunk_t skp, prf_t *prf); /** * Implementation of authenticator_t.verify. */ static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init, chunk_t my_nonce, auth_payload_t *auth_payload) { - chunk_t auth_data, recv_auth_data; + chunk_t auth_data, recv_auth_data, secret; identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa); - auth_data = build_shared_key_signature(ike_sa_init, my_nonce, this->msk, - other_id, this->ike_sa->get_auth_verify(this->ike_sa), + if (this->msk.len) + { /* use MSK if EAP method established one... */ + secret = this->msk; + } + else + { /* ... or use SKp if not */ + secret = this->ike_sa->get_skp_verify(this->ike_sa); + } + auth_data = build_shared_key_signature(ike_sa_init, my_nonce, secret, + other_id, this->ike_sa->get_skp_verify(this->ike_sa), this->ike_sa->get_prf(this->ike_sa)); recv_auth_data = auth_payload->get_data(auth_payload); 
@@ -98,14 +108,22 @@ static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init, static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init, chunk_t other_nonce, auth_payload_t **auth_payload) { - chunk_t auth_data; + chunk_t auth_data, secret; identification_t *my_id = this->ike_sa->get_my_id(this->ike_sa); DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", my_id, auth_method_names, AUTH_EAP); - - auth_data = build_shared_key_signature(ike_sa_init, other_nonce, this->msk, - my_id, this->ike_sa->get_auth_build(this->ike_sa), + + if (this->msk.len) + { /* use MSK if EAP method established one... */ + secret = this->msk; + } + else + { /* ... or use SKp if not */ + secret = this->ike_sa->get_skp_build(this->ike_sa); + } + auth_data = build_shared_key_signature(ike_sa_init, other_nonce, secret, + my_id, this->ike_sa->get_skp_build(this->ike_sa), this->ike_sa->get_prf(this->ike_sa)); *auth_payload = auth_payload_create(); @@ -233,13 +251,14 @@ static status_t process_server(private_eap_authenticator_t *this, DBG1(DBG_IKE, "EAP method %N succeded, MSK established", eap_type_names, this->method->get_type(this->method)); this->msk = chunk_clone(this->msk); - *out = eap_payload_create_code(EAP_SUCCESS); - return SUCCESS; } - DBG1(DBG_IKE, "EAP method %N succeded, but no MSK established", - eap_type_names, this->method->get_type(this->method)); - *out = eap_payload_create_code(EAP_FAILURE); - return FAILED; + else + { + DBG1(DBG_IKE, "EAP method %N succeded, no MSK established", + eap_type_names, this->method->get_type(this->method)); + } + *out = eap_payload_create_code(EAP_SUCCESS); + return SUCCESS; case FAILED: default: DBG1(DBG_IKE, "EAP method %N failed for peer %D", 
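Review bot: The `@@ -233,13 +251,14 @@` hunk makes the responder send EAP_SUCCESS and return SUCCESS even when the EAP method established no MSK, with the verify()/build() hunks then using SK_p as the AUTH secret. That fallback is what RFC 4306 section 2.16 prescribes, but the same section says methods that do not establish a shared key SHOULD NOT be used because they are exposed to man-in-the-middle attacks when not run inside a mutually authenticated tunnel, so accepting them unconditionally is a policy decision that should be explicit rather than implied by a `DBG1` line. At minimum the "no MSK established" message should be worded as a warning, and a comment above the `secret = this->ike_sa->get_skp_build(this->ike_sa);` branch such as `/* RFC 4306 2.16: method gave no MSK, fall back to SK_p; weaker than a key-generating method */` should record why it is accepted; a configuration switch gating non-key-generating methods would be the robust option. The enclosing switch in process_server() continues outside the hunk.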
@@ -290,11 +309,8 @@ static status_t process(private_eap_authenticator_t *this, eap_payload_t *in, if (this->method->get_msk(this->method, &this->msk) == SUCCESS) { this->msk = chunk_clone(this->msk); - return SUCCESS; } - DBG1(DBG_IKE, "EAP method %N has no MSK established", - eap_type_names, this->method->get_type(this->method)); - return FAILED; + return SUCCESS; } case EAP_FAILURE: default: diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c index 43aec0971..37465d029 100644 --- a/src/charon/sa/authenticators/psk_authenticator.c +++ b/src/charon/sa/authenticators/psk_authenticator.c @@ -25,7 +25,6 @@ #include "psk_authenticator.h" -#include #include /** @@ -78,11 +77,12 @@ chunk_t build_tbs_octets(chunk_t ike_sa_init, chunk_t nonce, */ chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id, - prf_t *prf_skp, prf_t *prf) + chunk_t skp, prf_t *prf) { chunk_t key_pad, key, auth_data, octets; - octets = build_tbs_octets(ike_sa_init, nonce, id, prf_skp); + prf->set_key(prf, skp); + octets = build_tbs_octets(ike_sa_init, nonce, id, prf); /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), ) */ key_pad.ptr = IKEV2_KEY_PAD; key_pad.len = IKEV2_KEY_PAD_LENGTH; @@ -122,7 +122,7 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init, } auth_data = build_shared_key_signature(ike_sa_init, my_nonce, shared_key, - other_id, this->ike_sa->get_auth_verify(this->ike_sa), + other_id, this->ike_sa->get_skp_verify(this->ike_sa), this->ike_sa->get_prf(this->ike_sa)); chunk_free(&shared_key); 
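Review bot: In `@@ -78,11 +77,12 @@` build_shared_key_signature() now calls `prf->set_key(prf, skp)` on the prf object the caller hands in and then, judging by the comment that follows, presumably re-keys the same object with the shared-secret-derived key, so the IKE_SA's shared prf leaves this function keyed with something other than what the caller had set; previously the SKp and shared-secret computations used two distinct objects. Every user of `get_prf()` (the rsa_authenticator hunks in this commit included) must now re-key before each use, and a caller that forgets will compute a MAC under a stale key. Document the side effect on the declaration, e.g. `/* NOTE: re-keys prf in place; callers must set_key() before reusing it */`, or key a local prf and leave the shared one untouched. The rest of the function body is outside the hunk.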
@@ -165,7 +165,7 @@ static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init, } auth_data = build_shared_key_signature(ike_sa_init, other_nonce, shared_key, - my_id, this->ike_sa->get_auth_build(this->ike_sa), + my_id, this->ike_sa->get_skp_build(this->ike_sa), this->ike_sa->get_prf(this->ike_sa)); DBG2(DBG_IKE, "successfully created shared key MAC"); chunk_free(&shared_key); diff --git a/src/charon/sa/authenticators/rsa_authenticator.c b/src/charon/sa/authenticators/rsa_authenticator.c index dfa01e332..e5c5cd60e 100644 --- a/src/charon/sa/authenticators/rsa_authenticator.c +++ b/src/charon/sa/authenticators/rsa_authenticator.c @@ -25,7 +25,6 @@ #include "rsa_authenticator.h" -#include #include @@ -61,8 +60,9 @@ static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init, { status_t status; chunk_t auth_data, octets; - rsa_public_key_t *public_key; identification_t *other_id; + ca_info_t *issuer; + prf_t *prf; other_id = this->ike_sa->get_other_id(this->ike_sa); 
@@ -71,27 +71,20 @@ static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init, return INVALID_ARG; } auth_data = auth_payload->get_data(auth_payload); - public_key = charon->credentials->get_trusted_public_key(charon->credentials, - other_id); - if (public_key == NULL) - { - DBG1(DBG_IKE, "no RSA public key found for '%D'", other_id); - return NOT_FOUND; - } - octets = build_tbs_octets(ike_sa_init, my_nonce, other_id, - this->ike_sa->get_auth_verify(this->ike_sa)); - status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data); + prf = this->ike_sa->get_prf(this->ike_sa); + prf->set_key(prf, this->ike_sa->get_skp_verify(this->ike_sa)); + octets = build_tbs_octets(ike_sa_init, my_nonce, other_id, prf); + status = charon->credentials->verify_signature(charon->credentials, + octets, auth_data, other_id, &issuer); chunk_free(&octets); - if (status != SUCCESS) + if (status == SUCCESS) { - DBG1(DBG_IKE, "RSA signature verification failed"); - return status; + this->ike_sa->set_other_ca(this->ike_sa, issuer); + DBG1(DBG_IKE, "authentication of '%D' with %N successful", + other_id, auth_method_names, AUTH_RSA); } - - DBG1(DBG_IKE, "authentication of '%D' with %N successful", - other_id, auth_method_names, AUTH_RSA); - return SUCCESS; + return status; } /** @@ -107,6 +100,7 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init, rsa_public_key_t *my_pubkey; rsa_private_key_t *my_key; identification_t *my_id; + prf_t *prf; my_id = this->ike_sa->get_my_id(this->ike_sa); DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", 
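Review bot: The verify() rewrite in `@@ -71,27 +71,20 @@` logs only the success case; the removed "RSA signature verification failed" and "no RSA public key found" lines have no replacement, so a failed or unverifiable peer authentication leaves no trace at this level unless `verify_signature()` logs it itself, which is not visible here. Authentication failures are exactly the events an operator needs to see and alert on, so add an `else` branch with `DBG1(DBG_IKE, "authentication of '%D' with %N failed", other_id, auth_method_names, AUTH_RSA);` before `return status;`. `issuer` (declared uninitialised in the preceding hunk) is only read on the SUCCESS path, which is fine as long as verify_signature() always sets it on success; initialising it to NULL at its declaration would make that robust against a future change.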
@@ -131,8 +125,9 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init, } DBG2(DBG_IKE, "matching RSA private key found"); - octets = build_tbs_octets(ike_sa_init, other_nonce, my_id, - this->ike_sa->get_auth_build(this->ike_sa)); + prf = this->ike_sa->get_prf(this->ike_sa); + prf->set_key(prf, this->ike_sa->get_skp_build(this->ike_sa)); + octets = build_tbs_octets(ike_sa_init, other_nonce, my_id, prf); status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1, octets, &auth_data); chunk_free(&octets); diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c index 19131389d..1e7b6cb2c 100644 --- a/src/charon/sa/child_sa.c +++ b/src/charon/sa/child_sa.c @@ -27,7 +27,6 @@ #include #include -#include #include @@ -154,9 +153,9 @@ struct private_child_sa_t { host_t *virtual_ip; /** - * policy used to create this child + * config used to create this child */ - policy_t *policy; + child_cfg_t *config; }; /** @@ -164,7 +163,7 @@ struct private_child_sa_t { */ static char *get_name(private_child_sa_t *this) { - return this->policy->get_name(this->policy);; + return this->config->get_name(this->config); } /** 
@@ -204,11 +203,57 @@ static child_sa_state_t get_state(private_child_sa_t *this) } /** - * Implements child_sa_t.get_policy + * Implements child_sa_t.get_config */ -static policy_t* get_policy(private_child_sa_t *this) +static child_cfg_t* get_config(private_child_sa_t *this) { - return this->policy; + return this->config; +} + +/** + * Implementation of child_sa_t.get_stats. + */ +static void get_stats(private_child_sa_t *this, mode_t *mode, + encryption_algorithm_t *encr_algo, size_t *encr_len, + integrity_algorithm_t *int_algo, size_t *int_len, + u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out, + u_int32_t *use_fwd) +{ + sa_policy_t *policy; + iterator_t *iterator; + u_int32_t in = 0, out = 0, fwd = 0, time; + + iterator = this->policies->create_iterator(this->policies, TRUE); + while (iterator->iterate(iterator, (void**)&policy)) + { + + if (charon->kernel_interface->query_policy(charon->kernel_interface, + policy->other_ts, policy->my_ts, POLICY_IN, &time) == SUCCESS) + { + in = max(in, time); + } + if (charon->kernel_interface->query_policy(charon->kernel_interface, + policy->my_ts, policy->other_ts, POLICY_OUT, &time) == SUCCESS) + { + out = max(out, time); + } + if (charon->kernel_interface->query_policy(charon->kernel_interface, + policy->other_ts, policy->my_ts, POLICY_FWD, &time) == SUCCESS) + { + fwd = max(fwd, time); + } + } + iterator->destroy(iterator); + + *mode = this->mode; + *encr_algo = this->encryption.algorithm; + *encr_len = this->encryption.key_size; + *int_algo = this->integrity.algorithm; + *int_len = this->integrity.key_size; + *rekey = this->rekey_time; + *use_in = in; + *use_out = out; + *use_fwd = fwd; } /** @@ -220,7 +265,7 @@ static void updown(private_child_sa_t *this, bool up) iterator_t *iterator; char *script; - script = this->policy->get_updown(this->policy); + script = this->config->get_updown(this->config); if (script == NULL) { 
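Review bot: In get_stats() the local in `u_int32_t in = 0, out = 0, fwd = 0, time;` shadows the C library's `time()`, which this file calls elsewhere (`time(NULL)` in install()); it compiles but trips `-Wshadow` and makes the three `query_policy(..., &time)` calls read as if they took the function's address. Rename it, e.g. `u_int32_t in = 0, out = 0, fwd = 0, last_use;`, and pass `&last_use` in the three calls. The function also deserves a Doxygen block stating that `*use_in`/`*use_out`/`*use_fwd` are the newest kernel-reported use timestamps across all policies (0 when none reported) and what `*rekey` holds, since it is copied straight from `this->rekey_time`, whose meaning a later hunk in this commit appears to change to an absolute timestamp.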
@@ -300,7 +345,7 @@ static void updown(private_child_sa_t *this, bool up) policy->my_ts->is_host(policy->my_ts, this->me.addr) ? "-host" : "-client", this->me.addr->get_family(this->me.addr) == AF_INET ? "" : "-ipv6", - this->policy->get_name(this->policy), + this->config->get_name(this->config), ifname ? ifname : "(unknown)", this->reqid, this->me.addr, @@ -316,7 +361,7 @@ static void updown(private_child_sa_t *this, bool up) policy->other_ts->get_from_port(policy->other_ts), policy->other_ts->get_protocol(policy->other_ts), virtual_ip, - this->policy->get_hostaccess(this->policy) ? + this->config->get_hostaccess(this->config) ? "PLUTO_HOST_ACCESS='1' " : "", script); free(ifname); @@ -528,8 +573,8 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, natt = NULL; } - soft = this->policy->get_soft_lifetime(this->policy); - hard = this->policy->get_hard_lifetime(this->policy); + soft = this->config->get_lifetime(this->config, TRUE); + hard = this->config->get_lifetime(this->config, FALSE); /* send SA down to the kernel */ DBG2(DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst); @@ -542,7 +587,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, this->encryption = *enc_algo; this->integrity = *int_algo; this->install_time = time(NULL); - this->rekey_time = soft; + this->rekey_time = this->install_time + soft; return status; } @@ -628,7 +673,7 @@ static status_t add_policies(private_child_sa_t *this, if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts)) { DBG2(DBG_CHD, - "CHILD_SA policy uses two different IP families, ignored"); + "CHILD_SA policy uses two different IP families - ignored"); continue; } @@ -637,7 +682,7 @@ static status_t add_policies(private_child_sa_t *this, my_ts->get_protocol(my_ts) && other_ts->get_protocol(other_ts)) { DBG2(DBG_CHD, - "CHILD_SA policy uses two different protocols, ignored"); + "CHILD_SA policy uses two different protocols - ignored"); continue; } 
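Review bot: `this->rekey_time = this->install_time + soft;` in `@@ -542,7 +587,7 @@` turns rekey_time from a relative lifetime into an absolute timestamp, and when `soft` is 0 (rekeying disabled) the field now equals install_time instead of 0. The removed printf handler tested `if (this->rekey_time)` to report "disabled", so any remaining consumer that keeps that convention (get_stats() simply copies the field out) would now see a time in the past rather than "disabled"; if the convention is still relied on, `this->rekey_time = soft ? this->install_time + soft : 0;` preserves it. Either way a comment here or on the field, e.g. `/* absolute time of the next soft rekey; 0 means rekeying is disabled */`, stops the two interpretations from coexisting. install()'s body continues outside the hunk.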
@@ -665,10 +710,10 @@ static status_t add_policies(private_child_sa_t *this, policy = malloc_thing(sa_policy_t); policy->my_ts = my_ts->clone(my_ts); policy->other_ts = other_ts->clone(other_ts); - this->policies->insert_last(this->policies, (void*)policy); + this->policies->insert_last(this->policies, policy); /* add to separate list to query them via get_*_traffic_selectors() */ - this->my_ts->insert_last(this->my_ts, (void*)policy->my_ts); - this->other_ts->insert_last(this->other_ts, (void*)policy->other_ts); + this->my_ts->insert_last(this->my_ts, policy->my_ts); + this->other_ts->insert_last(this->other_ts, policy->other_ts); } } my_iter->destroy(my_iter); @@ -685,18 +730,14 @@ static status_t add_policies(private_child_sa_t *this, } /** - * Implementation of child_sa_t.get_my_traffic_selectors. + * Implementation of child_sa_t.get_traffic_selectors. */ -static linked_list_t *get_my_traffic_selectors(private_child_sa_t *this) -{ - return this->my_ts; -} - -/** - * Implementation of child_sa_t.get_my_traffic_selectors. - */ -static linked_list_t *get_other_traffic_selectors(private_child_sa_t *this) +static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local) { + if (local) + { + return this->my_ts; + } return this->other_ts; } 
@@ -740,126 +781,6 @@ static status_t get_use_time(private_child_sa_t *this, bool inbound, time_t *use return status; } -/** - * output handler in printf() - */ -static int print(FILE *stream, const struct printf_info *info, - const void *const *args) -{ - private_child_sa_t *this = *((private_child_sa_t**)(args[0])); - iterator_t *iterator; - sa_policy_t *policy; - u_int32_t now, rekeying; - u_int32_t use, use_in, use_fwd; - status_t status; - size_t written = 0; - - if (this == NULL) - { - return fprintf(stream, "(null)"); - } - - now = time(NULL); - - written += fprintf(stream, "%12s{%d}: %N, %N", - this->policy->get_name(this->policy), this->reqid, - child_sa_state_names, this->state, - mode_names, this->mode); - - if (this->state == CHILD_INSTALLED) - { - written += fprintf(stream, ", %N SPIs: 0x%0x_i 0x%0x_o", - protocol_id_names, this->protocol, - htonl(this->me.spi), htonl(this->other.spi)); - - if (info->alt) - { - written += fprintf(stream, "\n%12s{%d}: ", - this->policy->get_name(this->policy), - this->reqid); - - if (this->protocol == PROTO_ESP) - { - written += fprintf(stream, "%N", encryption_algorithm_names, - this->encryption.algorithm); - - if (this->encryption.key_size) - { - written += fprintf(stream, "-%d", this->encryption.key_size); - } - written += fprintf(stream, "/"); - } - - written += fprintf(stream, "%N", integrity_algorithm_names, - this->integrity.algorithm); - if (this->integrity.key_size) - { - written += fprintf(stream, "-%d", this->integrity.key_size); - } - written += fprintf(stream, ", rekeying "); - - /* calculate rekey times */ - if (this->rekey_time) - { - rekeying = this->install_time + this->rekey_time - now; - written += fprintf(stream, "in %ds", rekeying); - } - else - { - written += fprintf(stream, "disabled"); - } - } - } - iterator = this->policies->create_iterator(this->policies, TRUE); - while (iterator->iterate(iterator, (void**)&policy)) - { - written += fprintf(stream, "\n%12s{%d}: %R===%R, last use: ", - 
this->policy->get_name(this->policy), this->reqid, - policy->my_ts, policy->other_ts); - - /* query time of last policy use */ - - /* inbound: POLICY_IN or POLICY_FWD */ - status = charon->kernel_interface->query_policy(charon->kernel_interface, - policy->other_ts, policy->my_ts, POLICY_IN, &use_in); - use_in = (status == SUCCESS)? use_in : 0; - status = charon->kernel_interface->query_policy(charon->kernel_interface, - policy->other_ts, policy->my_ts, POLICY_FWD, &use_fwd); - use_fwd = (status == SUCCESS)? use_fwd : 0; - use = max(use_in, use_fwd); - if (use) - { - written += fprintf(stream, "%ds_i ", now - use); - } - else - { - written += fprintf(stream, "no_i "); - } - - /* outbound: POLICY_OUT */ - status = charon->kernel_interface->query_policy(charon->kernel_interface, - policy->my_ts, policy->other_ts, POLICY_OUT, &use); - if (status == SUCCESS && use) - { - written += fprintf(stream, "%ds_o ", now - use); - } - else - { - written += fprintf(stream, "no_o "); - } - } - iterator->destroy(iterator); - return written; -} - -/** - * register printf() handlers - */ -static void __attribute__ ((constructor))print_register() -{ - register_printf_function(PRINTF_CHILD_SA, print, arginfo_ptr); -} - /** * Update the host adress/port of a SA */ @@ -1066,7 +987,7 @@ static void destroy(private_child_sa_t *this) this->other.addr->destroy(this->other.addr); this->me.id->destroy(this->me.id); this->other.id->destroy(this->other.id); - this->policy->destroy(this->policy); + this->config->destroy(this->config); DESTROY_IF(this->virtual_ip); free(this); } @@ -1076,7 +997,7 @@ static void destroy(private_child_sa_t *this) */ child_sa_t * child_sa_create(host_t *me, host_t* other, identification_t *my_id, identification_t *other_id, - policy_t *policy, u_int32_t rekey, bool use_natt) + child_cfg_t *config, u_int32_t rekey, bool use_natt) { static u_int32_t reqid = 0; private_child_sa_t *this = malloc_thing(private_child_sa_t); 
@@ -1086,17 +1007,17 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid; this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi; this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol; + this->public.get_stats = (void(*)(child_sa_t*, mode_t*,encryption_algorithm_t*,size_t*,integrity_algorithm_t*,size_t*,u_int32_t*,u_int32_t*,u_int32_t*,u_int32_t*))get_stats; this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc; this->public.add = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))add; this->public.update = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))update; this->public.update_hosts = (status_t (*)(child_sa_t*,host_t*,host_t*,host_diff_t,host_diff_t))update_hosts; this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,mode_t))add_policies; - this->public.get_my_traffic_selectors = (linked_list_t*(*)(child_sa_t*))get_my_traffic_selectors; - this->public.get_other_traffic_selectors = (linked_list_t*(*)(child_sa_t*))get_other_traffic_selectors; + this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors; this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time; this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state; this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state; - this->public.get_policy = (policy_t*(*)(child_sa_t*))get_policy; + this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config; this->public.set_virtual_ip = (void(*)(child_sa_t*,host_t*))set_virtual_ip; this->public.destroy = (void(*)(child_sa_t*))destroy; @@ -1123,8 +1044,8 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->protocol = PROTO_NONE; this->mode = MODE_TUNNEL; this->virtual_ip = NULL; - this->policy = policy; - policy->get_ref(policy); + this->config = config; + config->get_ref(config); return &this->public; } 
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h index 216e56659..cf5f3e7d7 100644 --- a/src/charon/sa/child_sa.h +++ b/src/charon/sa/child_sa.h @@ -32,7 +32,7 @@ typedef struct child_sa_t child_sa_t; #include #include #include -#include +#include /** * Where we should start with reqid enumeration @@ -101,7 +101,7 @@ extern enum_name_t *child_sa_state_names; struct child_sa_t { /** - * @brief Get the name of the policy this CHILD_SA uses. + * @brief Get the name of the config this CHILD_SA uses. * * @param this calling object * @return name @@ -140,6 +140,25 @@ struct child_sa_t { */ protocol_id_t (*get_protocol) (child_sa_t *this); + /** + * @brief Get info and statistics about this CHILD_SA. + * + * @param mode mode this IKE_SA uses + * @param encr_algo encryption algorithm used by this CHILD_SA. + * @param encr_len key length of the algorithm, if any + * @param int_algo integrity algorithm used by this CHILD_SA + * @param int_len key length of the algorithm, if any + * @param rekey time when rekeying is scheduled + * @param use_in time when last traffic was seen coming in + * @param use_out time when last traffic was seen going out + * @param use_fwd time when last traffic was getting forwarded + */ + void (*get_stats)(child_sa_t *this, mode_t *mode, + encryption_algorithm_t *encr, size_t *encr_len, + integrity_algorithm_t *int_algo, size_t *int_len, + u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out, + u_int32_t *use_fwd); + /** * @brief Allocate SPIs for given proposals. * 
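Review bot: The new get_stats() documentation does not match its prototype: `@param mode mode this IKE_SA uses` describes a CHILD_SA attribute, the parameter is declared as `encr` but documented as `encr_algo`, and `@param this` is missing although every other method in this header documents it. Suggest `@param this calling object`, `@param mode mode this CHILD_SA uses`, and renaming the parameter to `encr_algo` in the prototype. It would also help to state whether the out-parameters may be NULL, because the only other hint a caller gets is the bare function-pointer cast in child_sa.c.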
@@ -214,17 +233,10 @@ struct child_sa_t { * @brief Get the traffic selectors of added policies of local host. * * @param this calling object + * @param local TRUE for own traffic selectors, FALSE for remote * @return list of traffic selectors */ - linked_list_t* (*get_my_traffic_selectors) (child_sa_t *this); - - /** - * @brief Get the traffic selectors of added policies of remote host. - * - * @param this calling object - * @return list of traffic selectors - */ - linked_list_t* (*get_other_traffic_selectors) (child_sa_t *this); + linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local); /** * @brief Get the time of this child_sa_t's last use (i.e. last use of any of its policies) @@ -251,12 +263,12 @@ struct child_sa_t { void (*set_state) (child_sa_t *this, child_sa_state_t state); /** - * @brief Get the policy used to set up this child sa. + * @brief Get the config used to set up this child sa. * * @param this calling object - * @return policy + * @return child_cfg */ - policy_t* (*get_policy) (child_sa_t *this); + child_cfg_t* (*get_config) (child_sa_t *this); /** * @brief Set the virtual IP used received from IRAS. @@ -284,7 +296,7 @@ struct child_sa_t { * @param other remote address * @param my_id id of own peer * @param other_id id of remote peer - * @param policy policy this CHILD_SA instantiates + * @param config config to use for this CHILD_SA * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise * @param use_natt TRUE if NAT traversal is used * @return child_sa_t object @@ -293,6 +305,6 @@ struct child_sa_t { */ child_sa_t * child_sa_create(host_t *me, host_t *other, identification_t *my_id, identification_t* other_id, - policy_t *policy, u_int32_t reqid, bool use_natt); + child_cfg_t *config, u_int32_t reqid, bool use_natt); #endif /*CHILD_SA_H_*/ diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index 68aba3064..8b4b53e10 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c 
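Review bot: The merged `get_traffic_selectors` keeps the old `@brief Get the traffic selectors of added policies of local host.`, which is wrong for `local == FALSE`; `@brief Get the traffic selectors of added policies of the local or remote host.` matches the new parameter. The `@return list of traffic selectors` line should also say whether the list is owned by the CHILD_SA, since the implementation hands back its internal `my_ts`/`other_ts` lists and a caller that destroys them would corrupt the SA.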
@@ -26,6 +26,7 @@ #include #include #include +#include #include "ike_sa.h" @@ -56,13 +57,11 @@ #include #include #include -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include +#include +#include #ifndef RESOLV_CONF @@ -105,14 +104,14 @@ struct private_ike_sa_t { ike_sa_state_t state; /** - * connection used to establish this IKE_SA. + * IKE configuration used to set up this IKE_SA */ - connection_t *connection; + ike_cfg_t *ike_cfg; /** * Peer and authentication information to establish IKE_SA. */ - policy_t *policy; + peer_cfg_t *peer_cfg; /** * Juggles tasks to process messages @@ -139,6 +138,11 @@ struct private_ike_sa_t { */ identification_t *other_id; + /** + * CA that issued the certificate of other + */ + ca_info_t *other_ca; + /** * Linked List containing the child sa's of the current IKE_SA. */ @@ -175,14 +179,14 @@ struct private_ike_sa_t { prf_t *child_prf; /** - * PRF to build outging authentication data + * Key to build outging authentication data (SKp) */ - prf_t *auth_build; + chunk_t skp_build; /** - * PRF to verify incoming authentication data + * Key to verify incoming authentication data (SKp) */ - prf_t *auth_verify; + chunk_t skp_verify; /** * NAT status of local host. 
@@ -273,79 +277,126 @@ static u_int32_t get_unique_id(private_ike_sa_t *this) */ static char *get_name(private_ike_sa_t *this) { - if (this->connection) + if (this->peer_cfg) { - return this->connection->get_name(this->connection); + return this->peer_cfg->get_name(this->peer_cfg); } return "(unnamed)"; } + /** - * Implementation of ike_sa_t.get_connection + * Implementation of ike_sa_t.get_stats. */ -static connection_t* get_connection(private_ike_sa_t *this) +static void get_stats(private_ike_sa_t *this, u_int32_t *next_rekeying) { - return this->connection; + if (next_rekeying) + { + *next_rekeying = this->time.rekey; + } } /** - * Implementation of ike_sa_t.set_connection + * Implementation of ike_sa_t.get_my_host. */ -static void set_connection(private_ike_sa_t *this, connection_t *connection) +static host_t *get_my_host(private_ike_sa_t *this) { - this->connection = connection; - connection->get_ref(connection); + return this->my_host; } /** - * Implementation of ike_sa_t.get_policy + * Implementation of ike_sa_t.set_my_host. */ -static policy_t *get_policy(private_ike_sa_t *this) +static void set_my_host(private_ike_sa_t *this, host_t *me) { - return this->policy; + DESTROY_IF(this->my_host); + this->my_host = me; } /** - * Implementation of ike_sa_t.set_policy + * Implementation of ike_sa_t.get_other_host. */ -static void set_policy(private_ike_sa_t *this, policy_t *policy) +static host_t *get_other_host(private_ike_sa_t *this) { - policy->get_ref(policy); - this->policy = policy; + return this->other_host; } /** - * Implementation of ike_sa_t.get_my_host. + * Implementation of ike_sa_t.set_other_host. */ -static host_t *get_my_host(private_ike_sa_t *this) +static void set_other_host(private_ike_sa_t *this, host_t *other) { - return this->my_host; + DESTROY_IF(this->other_host); + this->other_host = other; } /** - * Implementation of ike_sa_t.set_my_host. 
+ * Implementation of ike_sa_t.get_peer_cfg */ -static void set_my_host(private_ike_sa_t *this, host_t *me) +static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this) { - DESTROY_IF(this->my_host); - this->my_host = me; + return this->peer_cfg; } /** - * Implementation of ike_sa_t.get_other_host. + * Implementation of ike_sa_t.set_peer_cfg */ -static host_t *get_other_host(private_ike_sa_t *this) +static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg) { - return this->other_host; + peer_cfg->get_ref(peer_cfg); + this->peer_cfg = peer_cfg; + + if (this->ike_cfg == NULL) + { + this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); + this->ike_cfg->get_ref(this->ike_cfg); + } + + /* apply values, so we are ready to initate/acquire */ + if (this->my_host->is_anyaddr(this->my_host)) + { + host_t *me = this->ike_cfg->get_my_host(this->ike_cfg); + + set_my_host(this, me->clone(me)); + } + if (this->other_host->is_anyaddr(this->other_host)) + { + host_t *other = this->ike_cfg->get_other_host(this->ike_cfg); + + set_other_host(this, other->clone(other)); + } + /* apply IDs if they are not already set */ + if (this->my_id->contains_wildcards(this->my_id)) + { + identification_t *my_id = this->peer_cfg->get_my_id(this->peer_cfg); + + DESTROY_IF(this->my_id); + this->my_id = my_id->clone(my_id); + } + if (this->other_id->contains_wildcards(this->other_id)) + { + identification_t *other_id = this->peer_cfg->get_other_id(this->peer_cfg); + + DESTROY_IF(this->other_id); + this->other_id = other_id->clone(other_id); + } } /** - * Implementation of ike_sa_t.set_other_host. 
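Review bot: set_peer_cfg() takes a reference with `peer_cfg->get_ref(peer_cfg)` and then overwrites `this->peer_cfg` without releasing a previously held one, so calling it twice on the same IKE_SA leaks the old peer_cfg, and the `ike_cfg` reference it takes is only guarded by `if (this->ike_cfg == NULL)`. Releasing after taking the new reference, e.g. `peer_cfg->get_ref(peer_cfg); DESTROY_IF(this->peer_cfg); this->peer_cfg = peer_cfg;`, makes the setter safe regardless of call order. The ID handling is also inconsistent: `this->my_id->contains_wildcards(this->my_id)` dereferences my_id unconditionally while the following `DESTROY_IF(this->my_id)` treats it as possibly NULL; pick one, either a plain `this->my_id->destroy(this->my_id)` or a NULL check before the wildcard test.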
+ * Implementation of ike_sa_t.get_ike_cfg */ -static void set_other_host(private_ike_sa_t *this, host_t *other) +static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this) { - DESTROY_IF(this->other_host); - this->other_host = other; + return this->ike_cfg; +} + +/** + * Implementation of ike_sa_t.set_ike_cfg + */ +static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg) +{ + ike_cfg->get_ref(ike_cfg); + this->ike_cfg = ike_cfg; } /** @@ -356,7 +407,7 @@ static status_t send_dpd(private_ike_sa_t *this) send_dpd_job_t *job; time_t diff, delay; - delay = this->connection->get_dpd_delay(this->connection); + delay = this->peer_cfg->get_dpd_delay(this->peer_cfg); if (delay == 0) { @@ -402,15 +453,14 @@ static status_t send_dpd(private_ike_sa_t *this) static void send_keepalive(private_ike_sa_t *this) { send_keepalive_job_t *job; - time_t last_out, now, diff, interval; + time_t last_out, now, diff; last_out = get_use_time(this, FALSE); now = time(NULL); diff = now - last_out; - interval = charon->configuration->get_keepalive_interval(charon->configuration); - if (diff >= interval) + if (diff >= KEEPALIVE_INTERVAL) { packet_t *packet; chunk_t data; @@ -428,7 +478,7 @@ static void send_keepalive(private_ike_sa_t *this) } job = send_keepalive_job_create(this->ike_sa_id); charon->event_queue->add_relative(charon->event_queue, (job_t*)job, - (interval - diff) * 1000); + (KEEPALIVE_INTERVAL - diff) * 1000); } /** 
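Review bot: set_ike_cfg() has the same overwrite problem as set_peer_cfg(): `ike_cfg->get_ref(ike_cfg); this->ike_cfg = ike_cfg;` drops any reference already held in `this->ike_cfg` (set_peer_cfg() may have installed one from `peer_cfg->get_ike_cfg()`), leaking it. Release the old one after taking the new reference: `ike_cfg->get_ref(ike_cfg); DESTROY_IF(this->ike_cfg); this->ike_cfg = ike_cfg;`. In send_keepalive(), replacing the configurable interval with the `KEEPALIVE_INTERVAL` constant removes a runtime knob; a comment at the constant's definition stating its unit (seconds, given the `* 1000` conversion here) would help whoever tunes it next.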
@@ -464,9 +514,9 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state) send_dpd(this); /* schedule rekeying/reauthentication */ - soft = this->connection->get_soft_lifetime(this->connection); - hard = this->connection->get_hard_lifetime(this->connection); - reauth = this->connection->get_reauth(this->connection); + soft = this->peer_cfg->get_lifetime(this->peer_cfg, TRUE); + hard = this->peer_cfg->get_lifetime(this->peer_cfg, FALSE); + reauth = this->peer_cfg->use_reauth(this->peer_cfg); DBG1(DBG_IKE, "scheduling %s in %ds, maximum lifetime %ds", reauth ? "reauthentication": "rekeying", soft, hard); @@ -492,9 +542,8 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state) { /* delete may fail if a packet gets lost, so set a timeout */ job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE); - charon->event_queue->add_relative(charon->event_queue, job, - charon->configuration->get_half_open_ike_sa_timeout( - charon->configuration)); + charon->event_queue->add_relative(charon->event_queue, job, + HALF_OPEN_IKE_SA_TIMEOUT); break; } default: @@ -521,7 +570,7 @@ static void reset(private_ike_sa_t *this) } /** - * Update connection host, as addresses may change (NAT) + * Update hosts, as addresses may change (NAT) */ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other) { 
@@ -696,16 +745,16 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) me = message->get_destination(message); other = message->get_source(message); - /* if this IKE_SA is virgin, we check for a connection */ - if (this->connection == NULL) + /* if this IKE_SA is virgin, we check for a config */ + if (this->ike_cfg == NULL) { job_t *job; - this->connection = charon->connections->get_connection_by_hosts( - charon->connections, me, other); - if (this->connection == NULL) + this->ike_cfg = charon->backends->get_ike_cfg(charon->backends, + me, other); + if (this->ike_cfg == NULL) { - /* no connection found for these hosts, destroy */ - DBG1(DBG_IKE, "no connection found for %H...%H, sending %N", + /* no config found for these hosts, destroy */ + DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N", me, other, notify_type_names, NO_PROPOSAL_CHOSEN); send_notify_response(this, message, NO_PROPOSAL_CHOSEN); return DESTROY_ME; @@ -713,11 +762,10 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) /* add a timeout if peer does not establish it completely */ job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE); charon->event_queue->add_relative(charon->event_queue, job, - charon->configuration->get_half_open_ike_sa_timeout( - charon->configuration)); + HALF_OPEN_IKE_SA_TIMEOUT); } - - /* check if message is trustworthy, and update connection information */ + + /* check if message is trustworthy, and update host information */ if (this->state == IKE_CREATED || message->get_exchange_type(message) != IKE_SA_INIT) { 
@@ -728,47 +776,15 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) } } -/** - * apply the connection/policy information to this IKE_SA - */ -static void apply_config(private_ike_sa_t *this, - connection_t *connection, policy_t *policy) -{ - host_t *me, *other; - identification_t *my_id, *other_id; - - if (this->connection == NULL && this->policy == NULL) - { - this->connection = connection; - connection->get_ref(connection); - this->policy = policy; - policy->get_ref(policy); - - me = connection->get_my_host(connection); - other = connection->get_other_host(connection); - my_id = policy->get_my_id(policy); - other_id = policy->get_other_id(policy); - set_my_host(this, me->clone(me)); - set_other_host(this, other->clone(other)); - DESTROY_IF(this->my_id); - DESTROY_IF(this->other_id); - this->my_id = my_id->clone(my_id); - this->other_id = other_id->clone(other_id); - } -} - /** * Implementation of ike_sa_t.initiate. */ -static status_t initiate(private_ike_sa_t *this, - connection_t *connection, policy_t *policy) +static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg) { task_t *task; if (this->state == IKE_CREATED) { - /* if we aren't established/establishing, do so */ - apply_config(this, connection, policy); if (this->other_host->is_anyaddr(this->other_host)) { 
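Review bot: With apply_config() removed, initiate() silently assumes set_peer_cfg() has already been called: the IKE_CREATED branch dereferences `this->other_host` and queues tasks that presumably read `this->ike_cfg`/`this->peer_cfg`, and nothing in this hunk checks them. A guard at the top that fails the call when `this->peer_cfg == NULL` (mirroring the missing-config handling in process_message()) would turn a caller bug into a logged failure instead of a crash, and the precondition belongs in the ike_sa.h documentation of initiate(). The rest of initiate() continues in the next hunk.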
@@ -785,11 +801,12 @@ static status_t initiate(private_ike_sa_t *this, this->task_manager->queue_task(this->task_manager, task); task = (task_t*)ike_auth_create(&this->public, TRUE); this->task_manager->queue_task(this->task_manager, task); - task = (task_t*)ike_config_create(&this->public, policy); + task = (task_t*)ike_config_create(&this->public, TRUE); this->task_manager->queue_task(this->task_manager, task); } - task = (task_t*)child_create_create(&this->public, policy); + task = (task_t*)child_create_create(&this->public, child_cfg); + child_cfg->destroy(child_cfg); this->task_manager->queue_task(this->task_manager, task); return this->task_manager->initiate(this->task_manager); @@ -800,7 +817,7 @@ static status_t initiate(private_ike_sa_t *this, */ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid) { - policy_t *policy; + child_cfg_t *child_cfg; iterator_t *iterator; child_sa_t *current, *child_sa = NULL; task_t *task; @@ -833,7 +850,6 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid) return FAILED; } - policy = child_sa->get_policy(child_sa); if (this->state == IKE_CREATED) { 
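Review bot: `child_cfg->destroy(child_cfg);` right after child_create_create() means initiate() now consumes the caller's reference to `child_cfg`, a contract change that is not visible in its prototype; the header documentation should say `@param child_cfg CHILD_SA config to initiate; the reference is consumed by this call` so callers neither destroy it again nor keep using it. This also only holds if child_create_create() takes its own reference on the config, which this diff does not show.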
@@ -845,52 +861,24 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid) this->task_manager->queue_task(this->task_manager, task); task = (task_t*)ike_auth_create(&this->public, TRUE); this->task_manager->queue_task(this->task_manager, task); - task = (task_t*)ike_config_create(&this->public, policy); + task = (task_t*)ike_config_create(&this->public, TRUE); this->task_manager->queue_task(this->task_manager, task); } - child_create = child_create_create(&this->public, policy); + child_cfg = child_sa->get_config(child_sa); + child_create = child_create_create(&this->public, child_cfg); child_create->use_reqid(child_create, reqid); this->task_manager->queue_task(this->task_manager, (task_t*)child_create); return this->task_manager->initiate(this->task_manager); } -/** - * compare two lists of traffic selectors for equality - */ -static bool ts_list_equals(linked_list_t *l1, linked_list_t *l2) -{ - bool equals = TRUE; - iterator_t *i1, *i2; - traffic_selector_t *t1, *t2; - - if (l1->get_count(l1) != l2->get_count(l2)) - { - return FALSE; - } - - i1 = l1->create_iterator(l1, TRUE); - i2 = l2->create_iterator(l2, TRUE); - while (i1->iterate(i1, (void**)&t1) && i2->iterate(i2, (void**)&t2)) - { - if (!t1->equals(t1, t2)) - { - equals = FALSE; - break; - } - } - i1->destroy(i1); - i2->destroy(i2); - return equals; -} - /** * Implementation of ike_sa_t.route. */ -static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t *policy) +static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg) { - child_sa_t *child_sa = NULL; + child_sa_t *child_sa; iterator_t *iterator; linked_list_t *my_ts, *other_ts; status_t status; 
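Review bot: acquire() passes the borrowed `child_cfg = child_sa->get_config(child_sa)` to child_create_create() without a reference of its own, whereas initiate() in the previous hunk destroys its `child_cfg` immediately after the same call, i.e. treats the reference as the caller's to give up. Both can only be correct if child_create_create() takes its own reference on the config, which this diff does not show; a one-line comment at the call, `/* child_create takes its own reference to the config */`, would pin the contract down for both call sites.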
@@ -901,27 +889,12 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) { - if (child_sa->get_state(child_sa) == CHILD_ROUTED) + if (child_sa->get_state(child_sa) == CHILD_ROUTED && + streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg))) { - linked_list_t *my_ts_conf, *other_ts_conf; - - my_ts = child_sa->get_my_traffic_selectors(child_sa); - other_ts = child_sa->get_other_traffic_selectors(child_sa); - - my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host); - other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host); - - if (ts_list_equals(my_ts, my_ts_conf) && - ts_list_equals(other_ts, other_ts_conf)) - { - iterator->destroy(iterator); - my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy)); - other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy)); - SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a policy already routed"); - return FAILED; - } - my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy)); - other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy)); + iterator->destroy(iterator); + SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a config already routed"); + return FAILED; } } iterator->destroy(iterator); @@ -934,9 +907,6 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t "unable to route CHILD_SA, as its IKE_SA gets deleted"); return FAILED; case IKE_CREATED: - /* apply connection information, we need it to acquire */ - apply_config(this, connection, policy); - break; case IKE_CONNECTING: case IKE_ESTABLISHED: default: 
@@ -944,29 +914,37 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t } /* install kernel policies */ - child_sa = child_sa_create(this->my_host, this->other_host, - this->my_id, this->other_id, policy, FALSE, 0); + child_sa = child_sa_create(this->my_host, this->other_host, this->my_id, + this->other_id, child_cfg, FALSE, 0); - my_ts = policy->get_my_traffic_selectors(policy, this->my_host); - other_ts = policy->get_other_traffic_selectors(policy, this->other_host); + my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, + this->my_host); + other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, + this->other_host); status = child_sa->add_policies(child_sa, my_ts, other_ts, - policy->get_mode(policy)); + child_cfg->get_mode(child_cfg)); my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy)); - this->child_sas->insert_last(this->child_sas, child_sa); - SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed"); + if (status == SUCCESS) + { + this->child_sas->insert_last(this->child_sas, child_sa); + SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed"); + } + else + { + SIG(CHILD_ROUTE_FAILED, "routing CHILD_SA failed"); + } return status; } /** * Implementation of ike_sa_t.unroute. */ -static status_t unroute(private_ike_sa_t *this, policy_t *policy) +static status_t unroute(private_ike_sa_t *this, u_int32_t reqid) { iterator_t *iterator; - child_sa_t *child_sa = NULL; + child_sa_t *child_sa; bool found = FALSE; - linked_list_t *my_ts, *other_ts, *my_ts_conf, *other_ts_conf; SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA"); 
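Review bot: When add_policies() fails, the new `else` branch signals CHILD_ROUTE_FAILED but never destroys `child_sa`, leaking the object, the reference child_sa_create() took on `child_cfg` and presumably the reqid it allocated; add `child_sa->destroy(child_sa);` in the failure branch. Separately, `child_sa_create(this->my_host, this->other_host, this->my_id, this->other_id, child_cfg, FALSE, 0)` passes its trailing arguments in the reverse order of the prototype `(..., child_cfg_t *config, u_int32_t reqid, bool use_natt)`; the values coincide (both 0) so nothing breaks today, but `child_cfg, 0, FALSE` says what is meant.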
@@ -974,27 +952,14 @@ static status_t unroute(private_ike_sa_t *this, policy_t *policy) iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) { - if (child_sa->get_state(child_sa) == CHILD_ROUTED) + if (child_sa->get_state(child_sa) == CHILD_ROUTED && + child_sa->get_reqid(child_sa) == reqid) { - my_ts = child_sa->get_my_traffic_selectors(child_sa); - other_ts = child_sa->get_other_traffic_selectors(child_sa); - - my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host); - other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host); - - if (ts_list_equals(my_ts, my_ts_conf) && - ts_list_equals(other_ts, other_ts_conf)) - { - iterator->remove(iterator); - SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted"); - child_sa->destroy(child_sa); - my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy)); - other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy)); - found = TRUE; - break; - } - my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy)); - other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy)); + iterator->remove(iterator); + SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted"); + child_sa->destroy(child_sa); + found = TRUE; + break; } } iterator->destroy(iterator); @@ -1021,7 +986,7 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) this->time.outbound = time(NULL); if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS) { - policy_t *policy; + child_cfg_t *child_cfg; child_sa_t* child_sa; linked_list_t *to_route, *to_restart; iterator_t *iterator; 
@@ -1032,7 +997,7 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) case IKE_CONNECTING: { /* retry IKE_SA_INIT if we have multiple keyingtries */ - u_int32_t tries = this->connection->get_keyingtries(this->connection); + u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg); this->keyingtry++; if (tries == 0 || tries > this->keyingtry) { @@ -1060,23 +1025,23 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) { - policy = child_sa->get_policy(child_sa); + child_cfg = child_sa->get_config(child_sa); if (child_sa->get_state(child_sa) == CHILD_ROUTED) { /* reroute routed CHILD_SAs */ - to_route->insert_last(to_route, policy); + to_route->insert_last(to_route, child_cfg); } else { /* use DPD action for established CHILD_SAs */ - switch (policy->get_dpd_action(policy)) + switch (this->peer_cfg->get_dpd_action(this->peer_cfg)) { case DPD_ROUTE: - to_route->insert_last(to_route, policy); + to_route->insert_last(to_route, child_cfg); break; case DPD_RESTART: - to_restart->insert_last(to_restart, policy); + to_restart->insert_last(to_restart, child_cfg); break; default: break; 
@@ -1094,15 +1059,15 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new( charon->ike_sa_manager, TRUE); - apply_config(new, this->connection, this->policy); - /* use actual used host, not the wildcarded one in connection */ + set_peer_cfg(new, this->peer_cfg); + /* use actual used host, not the wildcarded one in config */ new->other_host->destroy(new->other_host); new->other_host = this->other_host->clone(this->other_host); /* install routes */ - while (to_route->remove_last(to_route, (void**)&policy) == SUCCESS) + while (to_route->remove_last(to_route, (void**)&child_cfg) == SUCCESS) { - route(new, new->connection, policy); + route(new, child_cfg); } /* restart children */ @@ -1114,14 +1079,14 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) new->task_manager->queue_task(new->task_manager, task); task = (task_t*)ike_cert_create(&new->public, TRUE); new->task_manager->queue_task(new->task_manager, task); - task = (task_t*)ike_config_create(&new->public, new->policy); + task = (task_t*)ike_config_create(&new->public, TRUE); new->task_manager->queue_task(new->task_manager, task); task = (task_t*)ike_auth_create(&new->public, TRUE); new->task_manager->queue_task(new->task_manager, task); - while (to_restart->remove_last(to_restart, (void**)&policy) == SUCCESS) + while (to_restart->remove_last(to_restart, (void**)&child_cfg) == SUCCESS) { - task = (task_t*)child_create_create(&new->public, policy); + task = (task_t*)child_create_create(&new->public, child_cfg); new->task_manager->queue_task(new->task_manager, task); } new->task_manager->initiate(new->task_manager); 
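Review bot: `route(new, child_cfg);` discards the status, so a routed CHILD_SA that cannot be re-installed on the replacement IKE_SA after a dead peer disappears without a trace beyond the SIG inside route(); at minimum log it here, e.g. `if (route(new, child_cfg) != SUCCESS) { DBG1(DBG_IKE, "re-routing CHILD_SA failed"); }`. The `child_cfg` pointers in `to_route`/`to_restart` are borrowed from this IKE_SA's child_sas, which hold the references; that is fine for route() because child_sa_create() takes its own, and for child_create_create() only if it does too, which this diff does not show. retransmit() starts and ends outside this hunk.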
@@ -1152,19 +1117,19 @@ static prf_t *get_child_prf(private_ike_sa_t *this) } /** - * Implementation of ike_sa_t.get_auth_bild + * Implementation of ike_sa_t.get_skp_bild */ -static prf_t *get_auth_build(private_ike_sa_t *this) +static chunk_t get_skp_build(private_ike_sa_t *this) { - return this->auth_build; + return this->skp_build; } /** - * Implementation of ike_sa_t.get_auth_verify + * Implementation of ike_sa_t.get_skp_verify */ -static prf_t *get_auth_verify(private_ike_sa_t *this) +static chunk_t get_skp_verify(private_ike_sa_t *this) { - return this->auth_verify; + return this->skp_verify; } /** 
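Review bot: get_skp_build()/get_skp_verify() return a `chunk_t` by value that aliases key material owned by the IKE_SA, so a caller that `chunk_free()`s the result would double-free, or, by wiping it, destroy the SA's authentication key. The comment should say so: `Returns SK_pi/SK_pr as stored in this IKE_SA; the caller must not free or modify the chunk.` The comment `Implementation of ike_sa_t.get_skp_bild` also carries over the old typo; `get_skp_build`.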
@@ -1209,6 +1174,71 @@ static void set_other_id(private_ike_sa_t *this, identification_t *other) this->other_id = other; } +/** + * Implementation of ike_sa_t.get_other_ca. + */ +static ca_info_t* get_other_ca(private_ike_sa_t *this) +{ + return this->other_ca; +} + +/** + * Implementation of ike_sa_t.set_other_ca. + */ +static void set_other_ca(private_ike_sa_t *this, ca_info_t *other_ca) +{ + this->other_ca = other_ca; +} + +/** + * Implementation of ike_sa_t.set_virtual_ip + */ +static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip) +{ + if (local) + { + DBG1(DBG_IKE, "installing new virtual IP %H", ip); + if (this->my_virtual_ip) + { + DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip); + charon->kernel_interface->del_ip(charon->kernel_interface, + this->my_virtual_ip, + this->my_host); + this->my_virtual_ip->destroy(this->my_virtual_ip); + } + if (charon->kernel_interface->add_ip(charon->kernel_interface, ip, + this->my_host) == SUCCESS) + { + this->my_virtual_ip = ip->clone(ip); + } + else + { + DBG1(DBG_IKE, "installing virtual IP %H failed", ip); + this->my_virtual_ip = NULL; + } + } + else + { + DESTROY_IF(this->other_virtual_ip); + this->other_virtual_ip = ip->clone(ip); + } +} + +/** + * Implementation of ike_sa_t.get_virtual_ip + */ +static host_t* get_virtual_ip(private_ike_sa_t *this, bool local) +{ + if (local) + { + return this->my_virtual_ip; + } + else + { + return this->other_virtual_ip; + } +} + /** * Implementation of ike_sa_t.derive_keys. */ @@ -1223,7 +1253,6 @@ static status_t derive_keys(private_ike_sa_t *this, size_t key_size; crypter_t *crypter_i, *crypter_r; signer_t *signer_i, *signer_r; - prf_t *prf_i, *prf_r; u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)]; chunk_t spi_i = chunk_from_buf(spi_i_buf); chunk_t spi_r = chunk_from_buf(spi_r_buf); 
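Review bot: set_other_ca() stores the raw `other_ca` pointer with no reference or copy, unlike every other setter in this file, which either clones or `get_ref()`s what it keeps; if `ca_info_t` objects can be removed from the credential store while the IKE_SA lives, `this->other_ca` dangles. Either document the borrow, `/* borrowed from the credential store, must outlive this IKE_SA */`, or take a reference if the type offers one. In set_virtual_ip(), the old address is `del_ip()`ed and destroyed before `add_ip()` of the new one is attempted, so a failed add leaves the SA with no virtual IP at all; installing the new address first and removing the old one only on success would avoid that gap.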
@@ -1364,31 +1393,27 @@ static status_t derive_keys(private_ike_sa_t *this, this->crypter_out = crypter_r; } - /* SK_pi/SK_pr used for authentication => prf_auth_i, prf_auth_r */ - proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo); - prf_i = prf_create(algo->algorithm); - prf_r = prf_create(algo->algorithm); - - key_size = prf_i->get_key_size(prf_i); + /* SK_pi/SK_pr used for authentication => stored for later */ + key_size = this->prf->get_key_size(this->prf); prf_plus->allocate_bytes(prf_plus, key_size, &key); DBG4(DBG_IKE, "Sk_pi secret %B", &key); - prf_i->set_key(prf_i, key); - chunk_free(&key); - + if (initiator) + { + this->skp_build = key; + } + else + { + this->skp_verify = key; + } prf_plus->allocate_bytes(prf_plus, key_size, &key); DBG4(DBG_IKE, "Sk_pr secret %B", &key); - prf_r->set_key(prf_r, key); - chunk_free(&key); - if (initiator) { - this->auth_verify = prf_r; - this->auth_build = prf_i; + this->skp_verify = key; } else { - this->auth_verify = prf_i; - this->auth_build = prf_r; + this->skp_build = key; } /* all done, prf_plus not needed anymore */ @@ -1507,8 +1532,6 @@ static status_t delete_(private_ike_sa_t *this) switch (this->state) { case IKE_ESTABLISHED: - DBG1(DBG_IKE, "deleting IKE_SA"); - /* do not log when rekeyed */ case IKE_REKEYING: ike_delete = ike_delete_create(&this->public, TRUE); this->task_manager->queue_task(this->task_manager, &ike_delete->task); 
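Review bot: `derive_keys()` assigns `this->skp_build`/`this->skp_verify` without releasing a previous value, so if it can run a second time on the same IKE_SA (for instance after a `reset()` following an INVALID_KE_PAYLOAD retry, which I cannot verify from here) the first SK_pi/SK_pr buffers leak and stay in the heap as live key material. A `chunk_free(&this->skp_build); chunk_free(&this->skp_verify);` at the start of the SK_p section would make the function idempotent. As a matter of style, splitting the two `if (initiator)` blocks around the second `allocate_bytes` obscures which key goes where; allocating both chunks first and then doing a single `if (initiator) { skp_build = pi; skp_verify = pr; } else { ... }` reads more clearly and matches the old code's shape. Note that the `DBG4` lines still print the raw SK_pi/SK_pr secrets; fine at level 4, but worth a comment that this level leaks keys.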
@@ -1542,16 +1565,21 @@ static void reestablish(private_ike_sa_t *this) private_ike_sa_t *other; iterator_t *iterator; child_sa_t *child_sa; - policy_t *policy; + child_cfg_t *child_cfg; task_t *task; job_t *job; other = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new( charon->ike_sa_manager, TRUE); - apply_config(other, this->connection, this->policy); + set_peer_cfg(other, this->peer_cfg); other->other_host->destroy(other->other_host); other->other_host = this->other_host->clone(this->other_host); + if (this->my_virtual_ip) + { + /* if we already have a virtual IP, we reuse it */ + set_virtual_ip(other, TRUE, this->my_virtual_ip); + } if (this->state == IKE_ESTABLISHED) { @@ -1561,7 +1589,7 @@ static void reestablish(private_ike_sa_t *this) other->task_manager->queue_task(other->task_manager, task); task = (task_t*)ike_cert_create(&other->public, TRUE); other->task_manager->queue_task(other->task_manager, task); - task = (task_t*)ike_config_create(&other->public, other->policy); + task = (task_t*)ike_config_create(&other->public, TRUE); other->task_manager->queue_task(other->task_manager, task); task = (task_t*)ike_auth_create(&other->public, TRUE); other->task_manager->queue_task(other->task_manager, task); @@ -1583,8 +1611,8 @@ static void reestablish(private_ike_sa_t *this) } default: { - policy = child_sa->get_policy(child_sa); - task = (task_t*)child_create_create(&other->public, policy); + child_cfg = child_sa->get_config(child_sa); + task = (task_t*)child_create_create(&other->public, child_cfg); other->task_manager->queue_task(other->task_manager, task); break; } 
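Review bot: Reusing the virtual IP in `reestablish()` via `set_virtual_ip(other, TRUE, this->my_virtual_ip)` calls `kernel_interface->add_ip()` for an address that is already installed on behalf of `this`, and the old SA still holds its own `my_virtual_ip`, which its `destroy()` presumably removes from the kernel (the `if (this->my_virtual_ip)` branch in the destroy hunk is cut off here). Depending on how `add_ip()` treats an existing address, the new SA either ends up with `my_virtual_ip == NULL` after an EEXIST-style failure, or the old SA's teardown deletes the address out from under the new one. Safer is to transfer ownership instead of reinstalling: hand the pointer to `other` and set `this->my_virtual_ip = NULL` (an `inherit`-style move), or have `destroy()` skip `del_ip` when the address was handed over. Separately, `set_peer_cfg(other, this->peer_cfg)` shares the config between two SAs; whether that takes a reference is not visible here and should be confirmed.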
@@ -1677,55 +1705,6 @@ static void enable_natt(private_ike_sa_t *this, bool local) } } -/** - * Implementation of ike_sa_t.set_virtual_ip - */ -static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip) -{ - if (local) - { - DBG1(DBG_IKE, "installing new virtual IP %H", ip); - if (this->my_virtual_ip) - { - DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip); - charon->kernel_interface->del_ip(charon->kernel_interface, - this->my_virtual_ip, - this->my_host); - this->my_virtual_ip->destroy(this->my_virtual_ip); - } - if (charon->kernel_interface->add_ip(charon->kernel_interface, ip, - this->my_host) == SUCCESS) - { - this->my_virtual_ip = ip->clone(ip); - } - else - { - DBG1(DBG_IKE, "installing virtual IP %H failed", ip); - this->my_virtual_ip = NULL; - } - } - else - { - DESTROY_IF(this->other_virtual_ip); - this->other_virtual_ip = ip->clone(ip); - } -} - -/** - * Implementation of ike_sa_t.get_virtual_ip - */ -static host_t* get_virtual_ip(private_ike_sa_t *this, bool local) -{ - if (local) - { - return this->my_virtual_ip; - } - else - { - return this->other_virtual_ip; - } -} - /** * Implementation of ike_sa_t.remove_dns_server */ @@ -1747,7 +1726,8 @@ static void remove_dns_servers(private_ike_sa_t *this) file = fopen(RESOLV_CONF, "r"); if (file == NULL || stat(RESOLV_CONF, &stats) != 0) { - DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF); + DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s", + RESOLV_CONF, strerror(errno)); return; } @@ -1755,7 +1735,7 @@ static void remove_dns_servers(private_ike_sa_t *this) if (fread(contents.ptr, 1, contents.len, file) != contents.len) { - DBG1(DBG_IKE, "unable to read DNS configuration file: %m"); + DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno)); fclose(file); return; } 
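Review bot: In `remove_dns_servers()` the check `if (file == NULL || stat(RESOLV_CONF, &stats) != 0)` returns without closing `file` when `fopen()` succeeded but `stat()` failed, leaking the descriptor; the error path should do `if (file) { fclose(file); }` before `return`. Using `fstat(fileno(file), &stats)` instead of `stat()` on the path also guarantees the size comes from the file actually opened rather than whatever is at the path an instant later. On the `%m` -> `strerror(errno)` change: charon is multi-threaded (ike_sa_manager takes pthread mutexes later in this diff) and `strerror()` is not required to be thread-safe, so either keep `%m` where the printf implementation supports it or use `strerror_r()` into a local buffer. The function bodies continue outside these hunks.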
@@ -1764,7 +1744,8 @@ static void remove_dns_servers(private_ike_sa_t *this) file = fopen(RESOLV_CONF, "w"); if (file == NULL) { - DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF); + DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s", + RESOLV_CONF, strerror(errno)); return; } @@ -1820,7 +1801,8 @@ static void add_dns_server(private_ike_sa_t *this, host_t *dns) file = fopen(RESOLV_CONF, "a+"); if (file == NULL || stat(RESOLV_CONF, &stats) != 0) { - DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF); + DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s", + RESOLV_CONF, strerror(errno)); return; } @@ -1828,7 +1810,7 @@ static void add_dns_server(private_ike_sa_t *this, host_t *dns) if (fread(contents.ptr, 1, contents.len, file) != contents.len) { - DBG1(DBG_IKE, "unable to read DNS configuration file: %m"); + DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno)); fclose(file); return; } @@ -1837,14 +1819,15 @@ static void add_dns_server(private_ike_sa_t *this, host_t *dns) file = fopen(RESOLV_CONF, "w"); if (file == NULL) { - DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF); + DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s", + RESOLV_CONF, strerror(errno)); return; } if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n", dns, this->other_id) < 0) { - DBG1(DBG_IKE, "unable to write DNS configuration: %m"); + DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno)); } else { 
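Review bot: `add_dns_server()` rewrites `RESOLV_CONF` in place with `fopen(RESOLV_CONF, "w")`, which truncates the resolver configuration before the new contents are written; a crash or a failed `fprintf()` (which is only logged here) leaves the host with an empty or partial resolv.conf. The robust pattern is to write to a `mkstemp()` temporary next to the file, preserve the mode taken from `stats`, and `rename()` it over the original only after `fclose()` succeeds. Also note the line `nameserver %H # added by strongSwan, assigned by %D` embeds the peer's identity; if the `%D` handler prints FQDN/RFC822 identities unescaped, a peer-chosen ID containing a newline would let the peer append arbitrary resolver directives, so confirm that handler escapes control characters or strip them here. The enclosing function bodies extend beyond these hunks.
```c
/* … unchanged: read the current RESOLV_CONF into contents … */
snprintf(tmp, sizeof(tmp), "%s.XXXXXX", RESOLV_CONF);
fd = mkstemp(tmp);
if (fd < 0 || fchmod(fd, stats.st_mode & 07777) != 0 ||
	(file = fdopen(fd, "w")) == NULL)
{
	DBG1(DBG_IKE, "unable to create temporary DNS configuration: %s",
		 strerror(errno));
	return;
}
/* … unchanged: fprintf() of the nameserver line and the old contents … */
if (fclose(file) != 0 || rename(tmp, RESOLV_CONF) != 0)
{
	DBG1(DBG_IKE, "unable to replace %s: %s", RESOLV_CONF, strerror(errno));
	unlink(tmp);
}
```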
@@ -1855,50 +1838,6 @@ static void add_dns_server(private_ike_sa_t *this, host_t *dns) fclose(file); } -/** - * output handler in printf() - */ -static int print(FILE *stream, const struct printf_info *info, - const void *const *args) -{ - int written = 0; - bool reauth = FALSE; - private_ike_sa_t *this = *((private_ike_sa_t**)(args[0])); - - if (this->connection) - { - reauth = this->connection->get_reauth(this->connection); - } - - if (this == NULL) - { - return fprintf(stream, "(null)"); - } - - written = fprintf(stream, "%12s[%d]: %N, %H[%D]...%H[%D]", get_name(this), - this->unique_id, ike_sa_state_names, this->state, - this->my_host, this->my_id, this->other_host, - this->other_id); - written += fprintf(stream, "\n%12s[%d]: IKE SPIs: %J, %s in %ds", - get_name(this), this->unique_id, this->ike_sa_id, - this->connection && reauth? "reauthentication":"rekeying", - this->time.rekey - time(NULL)); - - if (info->alt) - { - - } - return written; -} - -/** - * register printf() handlers - */ -static void __attribute__ ((constructor))print_register() -{ - register_printf_function(PRINTF_IKE_SA, print, arginfo_ptr); -} - /** * Implementation of ike_sa_t.destroy. */ @@ -1912,8 +1851,8 @@ static void destroy(private_ike_sa_t *this) DESTROY_IF(this->signer_out); DESTROY_IF(this->prf); DESTROY_IF(this->child_prf); - DESTROY_IF(this->auth_verify); - DESTROY_IF(this->auth_build); + chunk_free(&this->skp_verify); + chunk_free(&this->skp_build); if (this->my_virtual_ip) { @@ -1931,8 +1870,8 @@ static void destroy(private_ike_sa_t *this) DESTROY_IF(this->my_id); DESTROY_IF(this->other_id); - DESTROY_IF(this->connection); - DESTROY_IF(this->policy); + DESTROY_IF(this->ike_cfg); + DESTROY_IF(this->peer_cfg); this->ike_sa_id->destroy(this->ike_sa_id); this->task_manager->destroy(this->task_manager); 
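Review bot: `destroy()` now releases SK_pi/SK_pr with `chunk_free(&this->skp_verify); chunk_free(&this->skp_build);`, and unless `chunk_free` wipes the buffer before `free()` (I believe it does not), the authentication keys remain readable in freed heap memory for as long as the allocator leaves them there. Zero the bytes first, e.g. `memset(this->skp_build.ptr, 0, this->skp_build.len);` ahead of each `chunk_free` (or a project helper that wipes-then-frees, if one exists), and ideally release them right after IKE_AUTH completes since they are not needed afterwards. The same consideration applies to the old `prf_t` objects, which at least kept the key inside an object with its own destructor.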
@@ -1948,54 +1887,57 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) static u_int32_t unique_id = 0; /* Public functions */ - this->public.get_state = (ike_sa_state_t(*)(ike_sa_t*)) get_state; - this->public.set_state = (void(*)(ike_sa_t*,ike_sa_state_t)) set_state; - this->public.get_name = (char*(*)(ike_sa_t*))get_name; - this->public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message; - this->public.initiate = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) initiate; - this->public.route = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) route; - this->public.unroute = (status_t(*)(ike_sa_t*,policy_t*)) unroute; - this->public.acquire = (status_t(*)(ike_sa_t*,u_int32_t)) acquire; - this->public.get_connection = (connection_t*(*)(ike_sa_t*))get_connection; - this->public.set_connection = (void(*)(ike_sa_t*,connection_t*))set_connection; - this->public.get_policy = (policy_t*(*)(ike_sa_t*))get_policy; - this->public.set_policy = (void(*)(ike_sa_t*,policy_t*))set_policy; - this->public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id; - this->public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host; - this->public.set_my_host = (void(*)(ike_sa_t*,host_t*)) set_my_host; - this->public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host; - this->public.set_other_host = (void(*)(ike_sa_t*,host_t*)) set_other_host; - this->public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id; - this->public.set_my_id = (void(*)(ike_sa_t*,identification_t*)) set_my_id; - this->public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id; - this->public.set_other_id = (void(*)(ike_sa_t*,identification_t*)) set_other_id; - this->public.retransmit = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit; - this->public.delete = (status_t(*)(ike_sa_t*))delete_; - this->public.destroy = (void(*)(ike_sa_t*))destroy; + this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state; + this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) 
set_state; + this->public.get_stats = (void (*)(ike_sa_t*,u_int32_t*))get_stats; + this->public.get_name = (char* (*)(ike_sa_t*))get_name; + this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message; + this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate; + this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route; + this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute; + this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire; + this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg; + this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg; + this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg; + this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg; + this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id; + this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host; + this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host; + this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host; + this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host; + this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id; + this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id; + this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id; + this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id; + this->public.get_other_ca = (ca_info_t* (*)(ike_sa_t*)) get_other_ca; + this->public.set_other_ca = (void (*)(ike_sa_t*,ca_info_t*)) set_other_ca; + this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit; + this->public.delete = (status_t (*)(ike_sa_t*))delete_; + this->public.destroy = (void (*)(ike_sa_t*))destroy; this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd; this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive; - this->public.get_prf = (prf_t *(*) (ike_sa_t *)) get_prf; - 
this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf; - this->public.get_auth_verify = (prf_t *(*) (ike_sa_t *)) get_auth_verify; - this->public.get_auth_build = (prf_t *(*) (ike_sa_t *)) get_auth_build; - this->public.derive_keys = (status_t (*) (ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys; - this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa; + this->public.get_prf = (prf_t* (*)(ike_sa_t*)) get_prf; + this->public.get_child_prf = (prf_t* (*)(ike_sa_t *)) get_child_prf; + this->public.get_skp_verify = (chunk_t (*)(ike_sa_t *)) get_skp_verify; + this->public.get_skp_build = (chunk_t (*)(ike_sa_t *)) get_skp_build; + this->public.derive_keys = (status_t (*)(ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys; + this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa; this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa; this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator; - this->public.rekey_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa; - this->public.delete_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa; + this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa; + this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa; this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa; - this->public.enable_natt = (void(*)(ike_sa_t*, bool)) enable_natt; - this->public.is_natt_enabled = (bool(*)(ike_sa_t*)) is_natt_enabled; - this->public.rekey = (status_t(*)(ike_sa_t*))rekey; - this->public.reestablish = (void(*)(ike_sa_t*))reestablish; - this->public.inherit = (status_t(*)(ike_sa_t*,ike_sa_t*))inherit; - this->public.generate_message = 
(status_t(*)(ike_sa_t*,message_t*,packet_t**))generate_message; - this->public.reset = (void(*)(ike_sa_t*))reset; - this->public.get_unique_id = (u_int32_t(*)(ike_sa_t*))get_unique_id; - this->public.set_virtual_ip = (void(*)(ike_sa_t*,bool,host_t*))set_virtual_ip; - this->public.get_virtual_ip = (host_t*(*)(ike_sa_t*,bool))get_virtual_ip; - this->public.add_dns_server = (void(*)(ike_sa_t*,host_t*))add_dns_server; + this->public.enable_natt = (void (*)(ike_sa_t*, bool)) enable_natt; + this->public.is_natt_enabled = (bool (*)(ike_sa_t*)) is_natt_enabled; + this->public.rekey = (status_t (*)(ike_sa_t*))rekey; + this->public.reestablish = (void (*)(ike_sa_t*))reestablish; + this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit; + this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message; + this->public.reset = (void (*)(ike_sa_t*))reset; + this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id; + this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip; + this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip; + this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server; /* initialize private fields */ this->ike_sa_id = ike_sa_id->clone(ike_sa_id); @@ -2004,13 +1946,14 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->other_host = host_create_any(AF_INET); this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty); this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty); + this->other_ca = NULL; this->crypter_in = NULL; this->crypter_out = NULL; this->signer_in = NULL; this->signer_out = NULL; this->prf = NULL; - this->auth_verify = NULL; - this->auth_build = NULL; + this->skp_verify = chunk_empty; + this->skp_build = chunk_empty; this->child_prf = NULL; this->nat_here = FALSE; this->nat_there = FALSE; 
@@ -2019,8 +1962,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->time.established = 0; this->time.rekey = 0; this->time.delete = 0; - this->connection = NULL; - this->policy = NULL; + this->ike_cfg = NULL; + this->peer_cfg = NULL; this->task_manager = task_manager_create(&this->public); this->unique_id = ++unique_id; this->my_virtual_ip = NULL; diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h index 604ec94a9..76942b208 100644 --- a/src/charon/sa/ike_sa.h +++ b/src/charon/sa/ike_sa.h @@ -34,14 +34,42 @@ typedef struct ike_sa_t ike_sa_t; #include #include #include -#include #include #include #include #include -#include -#include -#include +#include +#include +#include + +/** + * Timeout in milliseconds after that a half open IKE_SA gets deleted. + * + * @ingroup sa + */ +#define HALF_OPEN_IKE_SA_TIMEOUT 30000 + +/** + * Interval to send keepalives when NATed, in seconds. + * + * @ingroup sa + */ +#define KEEPALIVE_INTERVAL 20 + +/** + * After which time rekeying should be retried if it failed, in seconds. + * + * @ingroup sa + */ +#define RETRY_INTERVAL 30 + +/** + * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry. + * + * @ingroup sa + */ +#define RETRY_JITTER 20 + /** * @brief State of an IKE_SA. @@ -156,6 +184,13 @@ struct ike_sa_t { */ ike_sa_state_t (*get_state) (ike_sa_t *this); + /** + * @brief Get some statistics about this IKE_SA. + * + * @param next_rekeying when the next rekeying is scheduled + */ + void (*get_stats)(ike_sa_t *this, u_int32_t *next_rekeying); + /** * @brief Set the state of the IKE_SA. * @@ -221,7 +256,7 @@ struct ike_sa_t { void (*set_my_id) (ike_sa_t *this, identification_t *me); /** - * @brief Get the other peers identification. + * @brief Get the other peer's identification. * * @param this calling object * @return identification 
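Review bot: `#define HALF_OPEN_IKE_SA_TIMEOUT 30000` (and the sibling keepalive/retry constants) turns a tuning knob into a compile-time value; half-open IKE_SAs are the primary state-exhaustion surface of IKEv2 responders, and operators under attack or on lossy links typically want to lower this without rebuilding. If this replaces a value that used to come from `charon->configuration` (the task_manager hunks in this diff drop that object for retransmit timeouts), consider keeping a runtime override. At minimum the comment should say what happens at expiry and on whose behalf, e.g. `/* a half-open IKE_SA (no completed IKE_AUTH) is deleted after this timeout to bound state held for unauthenticated peers */`. The new `get_stats()` declaration documents `next_rekeying` but not `this`, unlike the surrounding methods.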
@@ -229,7 +264,7 @@ struct ike_sa_t { identification_t* (*get_other_id) (ike_sa_t *this); /** - * @brief Set the other peers identification. + * @brief Set the other peer's identification. * * @param this calling object * @param other identification 
@@ -237,51 +272,65 @@ struct ike_sa_t { void (*set_other_id) (ike_sa_t *this, identification_t *other); /** - * @brief Get the connection used by this IKE_SA. + * @brief Get the other peer's certification authority + * + * @param this calling object + * @return ca_info_t record of other ca + */ + ca_info_t* (*get_other_ca) (ike_sa_t *this); + + /** + * @brief Set the other peer's certification authority + * + * @param this calling object + * @param other_ca ca_info_t record of other ca + */ + void (*set_other_ca) (ike_sa_t *this, ca_info_t *other_ca); + + /** + * @brief Get the config used to setup this IKE_SA. * * @param this calling object - * @return connection + * @return ike_config */ - connection_t* (*get_connection) (ike_sa_t *this); + ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this); /** - * @brief Set the connection to use with this IKE_SA. + * @brief Set the config to setup this IKE_SA. * * @param this calling object - * @param connection connection to use + * @param config ike_config to use */ - void (*set_connection) (ike_sa_t *this, connection_t* connection); + void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config); /** - * @brief Get the policy used by this IKE_SA. + * @brief Get the peer config used by this IKE_SA. * * @param this calling object - * @return policy + * @return peer_config */ - policy_t* (*get_policy) (ike_sa_t *this); + peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this); /** - * @brief Set the policy to use with this IKE_SA. + * @brief Set the peer config to use with this IKE_SA. * * @param this calling object - * @param policy policy to use + * @param config peer_config to use */ - void (*set_policy) (ike_sa_t *this, policy_t *policy); + void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config); /** * @brief Initiate a new connection. * - * The policy/connection is owned by the IKE_SA after the call, so - * do not modify or destroy it. + * The configs are owned by the IKE_SA after the call. 
* * @param this calling object - * @param connection connection to initiate - * @param policy policy to set up + * @param child_cfg child config to create CHILD from * @return * - SUCCESS if initialization started - * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted + * - DESTROY_ME if initialization failed */ - status_t (*initiate) (ike_sa_t *this, connection_t *connection, policy_t *policy); + status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg); /** * @brief Route a policy in the kernel. @@ -290,28 +339,27 @@ struct ike_sa_t { * the kernel requests connection setup from the IKE_SA via acquire(). * * @param this calling object - * @param connection connection definition used for routing - * @param policy policy to route + * @param child_cfg child config to route * @return * - SUCCESS if routed successfully * - FAILED if routing failed */ - status_t (*route) (ike_sa_t *this, connection_t *connection, policy_t *policy); + status_t (*route) (ike_sa_t *this, child_cfg_t *child_cfg); /** * @brief Unroute a policy in the kernel previously routed. * * @param this calling object - * @param policy policy to route + * @param reqid reqid of CHILD_SA to unroute * @return * - SUCCESS if route removed - * - DESTROY_ME if last route was removed from - * an IKE_SA which was not established + * - NOT_FOUND if CHILD_SA not found + * - DESTROY_ME if last CHILD_SA was unrouted */ - status_t (*unroute) (ike_sa_t *this, policy_t *policy); + status_t (*unroute) (ike_sa_t *this, u_int32_t reqid); /** - * @brief Acquire connection setup for a policy. + * @brief Acquire connection setup for an installed kernel policy. * * If an installed policy raises an acquire, the kernel calls * this function to establish the CHILD_SA (and maybe the IKE_SA). 
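Review bot: The rewritten `initiate()` doc says `The configs are owned by the IKE_SA after the call.` but the method now takes only `child_cfg`, so a reader cannot tell whether that sentence covers the `child_cfg` argument, the `peer_cfg` set earlier via `set_peer_cfg()`, or both. State it explicitly, e.g. `@param child_cfg child config to create the CHILD_SA from; the IKE_SA takes ownership of it (and of the peer_cfg set before) and the caller must not destroy it`, whichever is actually the case. Likewise `get_other_ca()`/`set_other_ca()` should say whether the `ca_info_t` is owned or merely referenced, since the setter in this diff stores the raw pointer.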
@@ -320,7 +368,7 @@ struct ike_sa_t { * @param reqid reqid of the CHILD_SA the policy belongs to. * @return * - SUCCESS if initialization started - * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted + * - DESTROY_ME if initialization failed */ status_t (*acquire) (ike_sa_t *this, u_int32_t reqid); @@ -456,7 +504,7 @@ struct ike_sa_t { bool initiator, prf_t *child_prf, prf_t *old_prf); /** - * @brief Get the multi purpose prf. + * @brief Get a multi purpose prf for the negotiated PRF function. * * @param this calling object * @return pointer to prf_t object @@ -472,20 +520,20 @@ struct ike_sa_t { prf_t *(*get_child_prf) (ike_sa_t *this); /** - * @brief Get the prf to build outgoing authentication data. + * @brief Get the key to build outgoing authentication data. * * @param this calling object * @return pointer to prf_t object */ - prf_t *(*get_auth_build) (ike_sa_t *this); + chunk_t (*get_skp_build) (ike_sa_t *this); /** - * @brief Get the prf to verify incoming authentication data. + * @brief Get the key to verify incoming authentication data. * * @param this calling object * @return pointer to prf_t object */ - prf_t *(*get_auth_verify) (ike_sa_t *this); + chunk_t (*get_skp_verify) (ike_sa_t *this); /** * @brief Associates a child SA to this IKE SA diff --git a/src/charon/sa/ike_sa_id.c b/src/charon/sa/ike_sa_id.c index c143fc0ba..a838c0b8a 100644 --- a/src/charon/sa/ike_sa_id.c +++ b/src/charon/sa/ike_sa_id.c @@ -24,7 +24,6 @@ #include "ike_sa_id.h" -#include #include 
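Review bot: The headers for `get_skp_build()` and `get_skp_verify()` were changed to "Get the key" but both still say `@return pointer to prf_t object`, which is now wrong since they return a `chunk_t`. Per `derive_keys()` in this diff the build key is SK_pi on the initiator and SK_pr on the responder (and vice versa for verify), so I would write `@return SK_pi (initiator) or SK_pr (responder) key material; owned by the IKE_SA, must not be freed` and the mirror for verify. Stating ownership in the public header matters more than before because a `chunk_t` by value invites callers to `chunk_free` it.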
@@ -152,33 +151,6 @@ static ike_sa_id_t* clone_(private_ike_sa_id_t *this) return ike_sa_id_create(this->initiator_spi, this->responder_spi, this->is_initiator_flag); } -/** - * output handler in printf() - */ -static int print(FILE *stream, const struct printf_info *info, - const void *const *args) -{ - private_ike_sa_id_t *this = *((private_ike_sa_id_t**)(args[0])); - - if (this == NULL) - { - return fprintf(stream, "(null)"); - } - return fprintf(stream, "0x%0llx_i%s 0x%0llx_r%s", - this->initiator_spi, - this->is_initiator_flag ? "*" : "", - this->responder_spi, - this->is_initiator_flag ? "" : "*"); -} - -/** - * register printf() handlers - */ -static void __attribute__ ((constructor))print_register() -{ - register_printf_function(PRINTF_IKE_SA_ID, print, arginfo_ptr); -} - /** * Implementation of ike_sa_id_t.destroy. */ diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c index 791ef805e..a62ec5e3c 100644 --- a/src/charon/sa/ike_sa_manager.c +++ b/src/charon/sa/ike_sa_manager.c @@ -322,8 +322,8 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id ike_sa_t *ike_sa = NULL; entry_t *entry; - DBG2(DBG_MGR, "checkout IKE_SA: %J, %d IKE_SAs in manager", - ike_sa_id, this->ike_sa_list->get_count(this->ike_sa_list)); + DBG2(DBG_MGR, "checkout IKE_SA, %d IKE_SAs in manager", + this->ike_sa_list->get_count(this->ike_sa_list)); pthread_mutex_lock(&(this->mutex)); if (get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS) 
@@ -356,13 +356,14 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator) { id = ike_sa_id_create(0, get_next_spi(this), FALSE); } - entry = entry_create(id); + entry = entry_create(id); + id->destroy(id); pthread_mutex_lock(&this->mutex); this->ike_sa_list->insert_last(this->ike_sa_list, entry); entry->checked_out = TRUE; pthread_mutex_unlock(&this->mutex); - DBG2(DBG_MGR, "created IKE_SA: %J, %d IKE_SAs in manager", - id, this->ike_sa_list->get_count(this->ike_sa_list)); + DBG2(DBG_MGR, "created IKE_SA, %d IKE_SAs in manager", + this->ike_sa_list->get_count(this->ike_sa_list)); return entry->ike_sa; } @@ -378,8 +379,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, id = id->clone(id); id->switch_initiator(id); - DBG2(DBG_MGR, "checkout IKE_SA: %J by message, %d IKE_SAs in manager", - id, this->ike_sa_list->get_count(this->ike_sa_list)); + DBG2(DBG_MGR, "checkout IKE_SA by message, %d IKE_SAs in manager", + this->ike_sa_list->get_count(this->ike_sa_list)); if (message->get_request(message) && message->get_exchange_type(message) == IKE_SA_INIT) @@ -439,7 +440,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, } else { - DBG1(DBG_MGR, "ignoring message for %J, no such IKE_SA", id); + chunk_free(&hash); + DBG1(DBG_MGR, "ignoring message, no such IKE_SA"); } } else @@ -554,7 +556,7 @@ static ike_sa_t* checkout_by_peer(private_ike_sa_manager_t *this, /* create entry */ new_entry = entry_create(new_ike_sa_id); - DBG2(DBG_MGR, "created IKE_SA: %J", new_ike_sa_id); + DBG2(DBG_MGR, "created IKE_SA"); new_ike_sa_id->destroy(new_ike_sa_id); this->ike_sa_list->insert_last(this->ike_sa_list, new_entry); @@ -720,7 +722,7 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) ike_sa_id = ike_sa->get_id(ike_sa); - DBG2(DBG_MGR, "checkin IKE_SA: %J", ike_sa_id); + DBG2(DBG_MGR, "checkin IKE_SA"); pthread_mutex_lock(&(this->mutex)); 
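Review bot: The log lines in `checkout_by_message()` and friends lost their SPI information along with the `%J` handler, so `ignoring message, no such IKE_SA` no longer tells an operator which SPIs were targeted. Messages for unknown SPIs are exactly the signal one wants for spotting scans, spoofed deletes or replayed traffic, so please log the initiator/responder SPIs again (via the `ike_sa_id_t` accessors, or a replacement printf handler if this release adds one), e.g. `DBG1(DBG_MGR, "ignoring message with SPIs 0x%llx/0x%llx, no such IKE_SA", ...)`. The added `chunk_free(&hash)` in that branch is a good leak fix; it would be worth checking the other early exits of the same function for the same omission. In `checkout_new()`, `entry_create(id)` followed by `id->destroy(id)` implies `entry_create` clones the id, which a one-line comment would make obvious.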
@@ -767,7 +769,7 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik ike_sa_id_t *ike_sa_id; ike_sa_id = ike_sa->get_id(ike_sa); - DBG2(DBG_MGR, "checkin and destroy IKE_SA: %J", ike_sa_id); + DBG2(DBG_MGR, "checkin and destroy IKE_SA"); pthread_mutex_lock(&(this->mutex)); diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c index 844300735..e67508ed1 100644 --- a/src/charon/sa/task_manager.c +++ b/src/charon/sa/task_manager.c @@ -22,6 +22,8 @@ #include "task_manager.h" +#include + #include #include #include @@ -35,7 +37,7 @@ #include #include #include -#include +#include typedef struct exchange_t exchange_t; @@ -210,9 +212,12 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id) u_int32_t timeout; job_t *job; - timeout = charon->configuration->get_retransmit_timeout( - charon->configuration, this->initiating.retransmitted); - if (timeout == 0) + if (this->initiating.retransmitted <= RETRANSMIT_TRIES) + { + timeout = (u_int32_t)(RETRANSMIT_TIMEOUT * + pow(RETRANSMIT_BASE, this->initiating.retransmitted)); + } + else { DBG1(DBG_IKE, "giving up after %d retransmits", this->initiating.retransmitted - 1); @@ -262,6 +267,7 @@ static status_t build_request(private_task_manager_t *this) case IKE_CREATED: if (activate_task(this, IKE_INIT)) { + this->initiating.mid = 0; exchange = IKE_SA_INIT; activate_task(this, IKE_NATD); activate_task(this, IKE_CERT); @@ -274,7 +280,6 @@ static status_t build_request(private_task_manager_t *this) if (activate_task(this, CHILD_CREATE)) { exchange = CREATE_CHILD_SA; - activate_task(this, IKE_CONFIG); break; } if (activate_task(this, CHILD_DELETE)) @@ -328,6 +333,11 @@ static status_t build_request(private_task_manager_t *this) case IKE_AUTHENTICATE: exchange = IKE_AUTH; break; + case CHILD_CREATE: + case CHILD_REKEY: + case IKE_REKEY: + exchange = CREATE_CHILD_SA; + break; default: continue; } 
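Review bot: `retransmit()` replaces `charon->configuration->get_retransmit_timeout()` with compile-time `RETRANSMIT_TIMEOUT`/`RETRANSMIT_BASE`/`RETRANSMIT_TRIES`, so the retransmission policy (and therefore how long a peer is tied up by an unresponsive or spoofed initiator, and how quickly dead peers are detected) can no longer be tuned at runtime; if that is intended it deserves a comment, otherwise keep a configuration hook. The condition `this->initiating.retransmitted <= RETRANSMIT_TRIES` means RETRANSMIT_TRIES + 1 transmissions before giving up, which matches the table in task_manager.h but not its prose, so a comment like `/* retransmitted counts sends so far: the initial send plus RETRANSMIT_TRIES retransmits */` would prevent off-by-one edits. The `pow()` call needs `<math.h>` (added in the include hunk) and `-lm` at link time; the cast to `u_int32_t` is fine for these constants but silently truncates if someone raises them.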
@@ -577,7 +587,7 @@ static status_t process_request(private_task_manager_t *this, this->passive_tasks->insert_last(this->passive_tasks, task); task = (task_t*)ike_auth_create(this->ike_sa, FALSE); this->passive_tasks->insert_last(this->passive_tasks, task); - task = (task_t*)ike_config_create(this->ike_sa, NULL); + task = (task_t*)ike_config_create(this->ike_sa, FALSE); this->passive_tasks->insert_last(this->passive_tasks, task); task = (task_t*)child_create_create(this->ike_sa, NULL); this->passive_tasks->insert_last(this->passive_tasks, task); diff --git a/src/charon/sa/task_manager.h b/src/charon/sa/task_manager.h index c766d4a65..fb34aab6a 100644 --- a/src/charon/sa/task_manager.h +++ b/src/charon/sa/task_manager.h @@ -30,6 +30,28 @@ typedef struct task_manager_t task_manager_t; #include #include +/** + * First retransmit timeout in milliseconds. + * + * @ingroup sa + */ +#define RETRANSMIT_TIMEOUT 4000 + +/** + * Base which is raised to the power of the retransmission try. + * + * @ingroup sa + */ +#define RETRANSMIT_BASE 1.8 + +/** + * Number of retransmits done before giving up. + * + * @ingroup sa + */ +#define RETRANSMIT_TRIES 5 + + /** * @brief The task manager, juggles task and handles message exchanges. * 
@@ -43,6 +65,24 @@ typedef struct task_manager_t task_manager_t; * For the initial IKE_SA setup, several tasks are queued: One for the * unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup * and maybe one for virtual IP assignement. + * The task manager is also responsible for retransmission. It uses a backoff + * algorithm. The timeout is calculated using + * RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try). + * When try reaches RETRANSMIT_TRIES, retransmission is given up. + * + * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us: + * @verbatim + | relative | absolute + --------------------------------------------------------- + 4s * (1.8 ** 0) = 4s 4s + 4s * (1.8 ** 1) = 7s 11s + 4s * (1.8 ** 2) = 13s 24s + 4s * (1.8 ** 3) = 23s 47s + 4s * (1.8 ** 4) = 42s 89s + 4s * (1.8 ** 5) = 76s 165s + + @endberbatim + * The peer is considered dead after 2min 45s when no reply comes in. * * @b Constructors: * - task_manager_create() diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c index 781d679f2..f70730b05 100644 --- a/src/charon/sa/tasks/child_create.c +++ b/src/charon/sa/tasks/child_create.c @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include @@ -64,9 +65,9 @@ struct private_child_create_t { chunk_t other_nonce; /** - * policy to create the CHILD_SA from + * config to create the CHILD_SA from */ - policy_t *policy; + child_cfg_t *config; /** * list of proposal candidates @@ -88,6 +89,16 @@ struct private_child_create_t { */ linked_list_t *tsr; + /** + * optional diffie hellman exchange + */ + diffie_hellman_t *dh; + + /** + * group used for DH exchange + */ + diffie_hellman_group_t dh_group; + /** * mode the new CHILD_SA uses (transport/tunnel/beet) */ 
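Review bot: The new doc block closes its table with `@endberbatim`, which Doxygen will not recognise, so the `@verbatim` section runs on into the rest of the comment; it should be `@endverbatim`. The sentence `When try reaches RETRANSMIT_TRIES, retransmission is given up.` also contradicts both the table (six rows, tries 0..5) and the `<= RETRANSMIT_TRIES` check in task_manager.c, so say `retransmission is given up once try exceeds RETRANSMIT_TRIES, i.e. after RETRANSMIT_TRIES + 1 transmissions`. The closing line about the peer being considered dead after 2min 45s is correct for the listed values and is useful to keep.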
@@ -162,21 +173,29 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host) } /** - * Install a CHILD_SA for usage + * Install a CHILD_SA for usage, return value: + * - FAILED: no acceptable proposal + * - INVALID_ARG: diffie hellman group inacceptable + * - NOT_FOUND: TS inacceptable */ -static status_t select_and_install(private_child_create_t *this) +static status_t select_and_install(private_child_create_t *this, bool no_dh) { prf_plus_t *prf_plus; status_t status; - chunk_t nonce_i, nonce_r, seed; + chunk_t nonce_i, nonce_r, secret, seed; linked_list_t *my_ts, *other_ts; host_t *me, *other, *other_vip, *my_vip; - if (this->proposals == NULL || this->tsi == NULL || this->tsr == NULL) + if (this->proposals == NULL) { - SIG(CHILD_UP_FAILED, "SA/TS payloads missing in message"); + SIG(CHILD_UP_FAILED, "SA payload missing in message"); return FAILED; } + if (this->tsi == NULL || this->tsr == NULL) + { + SIG(CHILD_UP_FAILED, "TS payloads missing in message"); + return NOT_FOUND; + } if (this->initiator) { 
@@ -198,36 +217,61 @@ static status_t select_and_install(private_child_create_t *this) my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE); other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE); - this->proposal = this->policy->select_proposal(this->policy, this->proposals); - + this->proposal = this->config->select_proposal(this->config, this->proposals, + no_dh); if (this->proposal == NULL) { SIG(CHILD_UP_FAILED, "no acceptable proposal found"); return FAILED; } - if (this->initiator && my_vip) - { /* if we have a virtual IP, shorten our TS to the minimum */ - my_ts = this->policy->select_my_traffic_selectors(this->policy, my_ts, - my_vip); + if (!this->proposal->has_dh_group(this->proposal, this->dh_group)) + { + algorithm_t *algo; + if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP, + &algo)) + { + u_int16_t group = algo->algorithm; + SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N", + diffie_hellman_group_names, this->dh_group, + diffie_hellman_group_names, group); + this->dh_group = group; + return INVALID_ARG; + } + else + { + SIG(CHILD_UP_FAILED, "no acceptable proposal found"); + return FAILED; + } + } + + if (my_vip == NULL) + { + my_vip = me; + } + else if (this->initiator) + { /* to setup firewall rules correctly, CHILD_SA needs the virtual IP */ this->child_sa->set_virtual_ip(this->child_sa, my_vip); } - else - { /* shorten in the host2host case only */ - my_ts = this->policy->select_my_traffic_selectors(this->policy, - my_ts, me); - } - if (other_vip) - { /* if other has a virtual IP, shorten it's traffic selectors to it */ - other_ts = this->policy->select_other_traffic_selectors(this->policy, - other_ts, other_vip); + if (other_vip == NULL) + { + other_vip = other; } - else - { /* use his host for the host2host case */ - other_ts = this->policy->select_other_traffic_selectors(this->policy, - other_ts, other); + + my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts, + my_vip); + 
other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts, + other_vip); + + if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0) + { + my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); + other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy)); + SIG(CHILD_UP_FAILED, "no acceptable traffic selectors found"); + return NOT_FOUND; } + this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy)); this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); if (this->initiator) @@ -241,13 +285,6 @@ static status_t select_and_install(private_child_create_t *this) this->tsi = other_ts; } - if (this->tsi->get_count(this->tsi) == 0 || - this->tsr->get_count(this->tsr) == 0) - { - SIG(CHILD_UP_FAILED, "no acceptable traffic selectors found"); - return FAILED; - } - if (!this->initiator) { /* check if requested mode is acceptable, downgrade if required */ @@ -279,7 +316,20 @@ static status_t select_and_install(private_child_create_t *this) } } - seed = chunk_cata("cc", nonce_i, nonce_r); + if (this->dh) + { + if (this->dh->get_shared_secret(this->dh, &secret) != SUCCESS) + { + SIG(CHILD_UP_FAILED, "DH exchange incomplete"); + return FAILED; + } + DBG3(DBG_IKE, "DH secret %B", &secret); + seed = chunk_cata("mcc", secret, nonce_i, nonce_r); + } + else + { + seed = chunk_cata("cc", nonce_i, nonce_r); + } prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed); if (this->initiator) @@ -297,7 +347,7 @@ static status_t select_and_install(private_child_create_t *this) if (status != SUCCESS) { SIG(CHILD_UP_FAILED, "unable to install IPsec SA (SAD) in kernel"); - return status; + return FAILED; } status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts, 
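Review bot: The else branch of the new `has_dh_group` check logs the same `"no acceptable proposal found"` as the `this->proposal == NULL` case just above, so a log reader cannot distinguish a failed selection from a proposal that carries no DH group while `this->dh_group` is set (which is what the else branch appears to catch). A distinct message, e.g. `SIG(CHILD_UP_FAILED, "selected proposal has no DH group, peer used %N", diffie_hellman_group_names, this->dh_group);`, would make the failure triageable. select_and_install's body continues past the end of this hunk.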
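Review bot: `DBG3(DBG_IKE, "DH secret %B", &secret);` writes the Diffie-Hellman shared secret — the value that, concatenated with the nonces two lines below, seeds the CHILD_SA key derivation — into the log, so any host running at that debug level records key material. Logging only the secret's length keeps the diagnostic without the exposure. The seed choice also keys on `this->dh` being set rather than on the selected proposal having negotiated a DH group; it is worth confirming that the `has_dh_group` check earlier in this function rejects a peer-sent KE payload when the proposal carries no group, because otherwise the two sides could derive keys from different seeds. select_and_install's body continues past the end of this hunk.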
@@ -306,7 +356,7 @@ static status_t select_and_install(private_child_create_t *this) if (status != SUCCESS) { SIG(CHILD_UP_FAILED, "unable to install IPsec policies (SPD) in kernel"); - return status; + return NOT_FOUND; } /* add to IKE_SA, and remove from task */ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED); @@ -321,8 +371,9 @@ static status_t select_and_install(private_child_create_t *this) static void build_payloads(private_child_create_t *this, message_t *message) { sa_payload_t *sa_payload; - ts_payload_t *ts_payload; nonce_payload_t *nonce_payload; + ke_payload_t *ke_payload; + ts_payload_t *ts_payload; /* add SA payload */ if (this->initiator) @@ -343,6 +394,13 @@ static void build_payloads(private_child_create_t *this, message_t *message) message->add_payload(message, (payload_t*)nonce_payload); } + /* diffie hellman exchange, if PFS enabled */ + if (this->dh) + { + ke_payload = ke_payload_create_from_diffie_hellman(this->dh); + message->add_payload(message, (payload_t*)ke_payload); + } + /* add TSi/TSr payloads */ ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi); message->add_payload(message, (payload_t*)ts_payload); @@ -371,6 +429,7 @@ static void process_payloads(private_child_create_t *this, message_t *message) iterator_t *iterator; payload_t *payload; sa_payload_t *sa_payload; + ke_payload_t *ke_payload; ts_payload_t *ts_payload; notify_payload_t *notify_payload; 
@@ -386,6 +445,19 @@ static void process_payloads(private_child_create_t *this, message_t *message) sa_payload = (sa_payload_t*)payload; this->proposals = sa_payload->get_proposals(sa_payload); break; + case KEY_EXCHANGE: + ke_payload = (ke_payload_t*)payload; + if (!this->initiator) + { + this->dh_group = ke_payload->get_dh_group_number(ke_payload); + this->dh = diffie_hellman_create(this->dh_group); + } + if (this->dh) + { + this->dh->set_other_public_value(this->dh, + ke_payload->get_key_exchange_data(ke_payload)); + } + break; case TRAFFIC_SELECTOR_INITIATOR: ts_payload = (ts_payload_t*)payload; this->tsi = ts_payload->get_traffic_selectors(ts_payload); @@ -421,6 +493,7 @@ static void process_payloads(private_child_create_t *this, message_t *message) static status_t build_i(private_child_create_t *this, message_t *message) { host_t *me, *other, *vip; + peer_cfg_t *peer_cfg; switch (message->get_exchange_type(message)) { @@ -432,6 +505,10 @@ static status_t build_i(private_child_create_t *this, message_t *message) message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty); return SUCCESS; } + if (this->dh_group == MODP_NONE) + { + this->dh_group = this->config->get_dh_group(this->config); + } break; case IKE_AUTH: if (!message->get_payload(message, ID_INITIATOR)) 
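Review bot: On the responder, every KEY_EXCHANGE payload in a message assigns `this->dh = diffie_hellman_create(...)` without releasing the previous object, so a message carrying two KE payloads leaks the first one; whether the parser already rejects duplicates is not visible here. Either `DESTROY_IF(this->dh);` before the create, or ignoring the payload when `this->dh` is already set, closes the gap, and `diffie_hellman_create` presumably returns NULL for a group it does not implement, which the `if (this->dh)` guard already tolerates. process_payloads' body starts and ends outside the hunk.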
@@ -448,25 +525,30 @@ static status_t build_i(private_child_create_t *this, message_t *message) me = this->ike_sa->get_my_host(this->ike_sa); other = this->ike_sa->get_other_host(this->ike_sa); - vip = this->policy->get_virtual_ip(this->policy, NULL); + peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + vip = peer_cfg->get_my_virtual_ip(peer_cfg); if (vip) { /* propose a 0.0.0.0/0 subnet when we use virtual ip */ - this->tsi = this->policy->get_my_traffic_selectors(this->policy, NULL); + this->tsi = this->config->get_traffic_selectors(this->config, TRUE, + NULL, NULL); vip->destroy(vip); } else { /* but shorten a 0.0.0.0/0 subnet to the actual address if host2host */ - this->tsi = this->policy->get_my_traffic_selectors(this->policy, me); + this->tsi = this->config->get_traffic_selectors(this->config, TRUE, + NULL, me); } - this->tsr = this->policy->get_other_traffic_selectors(this->policy, other); - this->proposals = this->policy->get_proposals(this->policy); - this->mode = this->policy->get_mode(this->policy); + this->tsr = this->config->get_traffic_selectors(this->config, FALSE, + NULL, other); + this->proposals = this->config->get_proposals(this->config, + this->dh_group == MODP_NONE); + this->mode = this->config->get_mode(this->config); this->child_sa = child_sa_create(me, other, this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa), - this->policy, this->reqid, + this->config, this->reqid, this->ike_sa->is_natt_enabled(this->ike_sa)); if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS) @@ -475,6 +557,11 @@ static status_t build_i(private_child_create_t *this, message_t *message) return FAILED; } + if (this->dh_group != MODP_NONE) + { + this->dh = diffie_hellman_create(this->dh_group); + } + build_payloads(this, message); this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); 
@@ -492,6 +579,8 @@ static status_t build_i(private_child_create_t *this, message_t *message) */ static status_t process_r(private_child_create_t *this, message_t *message) { + peer_cfg_t *peer_cfg; + switch (message->get_exchange_type(message)) { case IKE_SA_INIT: @@ -517,18 +606,13 @@ static status_t process_r(private_child_create_t *this, message_t *message) return NEED_MORE; } - this->policy = charon->policies->get_policy(charon->policies, - this->ike_sa->get_my_id(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa), - this->tsr, this->tsi, - this->ike_sa->get_my_host(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); - - if (this->policy && this->ike_sa->get_policy(this->ike_sa) == NULL) + peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + if (peer_cfg) { - this->ike_sa->set_policy(this->ike_sa, this->policy); + this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr, this->tsi, + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa)); } - return NEED_MORE; } @@ -537,6 +621,8 @@ static status_t process_r(private_child_create_t *this, message_t *message) */ static status_t build_r(private_child_create_t *this, message_t *message) { + bool no_dh = TRUE; + switch (message->get_exchange_type(message)) { case IKE_SA_INIT: @@ -547,6 +633,7 @@ static status_t build_r(private_child_create_t *this, message_t *message) message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty); return SUCCESS; } + no_dh = FALSE; break; case IKE_AUTH: if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION)) 
@@ -565,10 +652,11 @@ static status_t build_r(private_child_create_t *this, message_t *message) return SUCCESS; } - if (this->policy == NULL) + if (this->config == NULL) { - SIG(CHILD_UP_FAILED, "no acceptable policy found"); - message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty); + SIG(CHILD_UP_FAILED, "traffic selectors %#R=== %#R inacceptable", + this->tsr, this->tsi); + message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty); return SUCCESS; } @@ -576,13 +664,27 @@ static status_t build_r(private_child_create_t *this, message_t *message) this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa), - this->policy, this->reqid, + this->config, this->reqid, this->ike_sa->is_natt_enabled(this->ike_sa)); - if (select_and_install(this) != SUCCESS) + switch (select_and_install(this, no_dh)) { - message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty); - return SUCCESS; + case SUCCESS: + break; + case NOT_FOUND: + message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty); + return SUCCESS; + case INVALID_ARG: + { + u_int16_t group = htons(this->dh_group); + message->add_notify(message, FALSE, INVALID_KE_PAYLOAD, + chunk_from_thing(group)); + return SUCCESS; + } + case FAILED: + default: + message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty); + return SUCCESS; } build_payloads(this, message); @@ -599,6 +701,7 @@ static status_t process_i(private_child_create_t *this, message_t *message) { iterator_t *iterator; payload_t *payload; + bool no_dh = TRUE; switch (message->get_exchange_type(message)) { @@ -606,6 +709,7 @@ static status_t process_i(private_child_create_t *this, message_t *message) return get_nonce(message, &this->other_nonce); case CREATE_CHILD_SA: get_nonce(message, &this->other_nonce); + no_dh = FALSE; break; case IKE_AUTH: if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION)) 
@@ -643,6 +747,22 @@ static status_t process_i(private_child_create_t *this, message_t *message) /* an error in CHILD_SA creation is not critical */ return SUCCESS; } + case INVALID_KE_PAYLOAD: + { + chunk_t data; + diffie_hellman_group_t bad_group; + + bad_group = this->dh_group; + data = notify->get_notification_data(notify); + this->dh_group = ntohs(*((u_int16_t*)data.ptr)); + DBG1(DBG_IKE, "peer didn't accept DH group %N, " + "it requested %N", diffie_hellman_group_names, + bad_group, diffie_hellman_group_names, this->dh_group); + + this->public.task.migrate(&this->public.task, this->ike_sa); + iterator->destroy(iterator); + return NEED_MORE; + } default: break; } @@ -652,7 +772,7 @@ static status_t process_i(private_child_create_t *this, message_t *message) process_payloads(this, message); - if (select_and_install(this) == SUCCESS) + if (select_and_install(this, no_dh) == SUCCESS) { SIG(CHILD_UP_SUCCESS, "established CHILD_SA successfully"); } @@ -716,6 +836,7 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) } DESTROY_IF(this->child_sa); DESTROY_IF(this->proposal); + DESTROY_IF(this->dh); if (this->proposals) { this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy)); @@ -725,6 +846,7 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) this->proposals = NULL; this->tsi = NULL; this->tsr = NULL; + this->dh = NULL; this->child_sa = NULL; this->mode = MODE_TUNNEL; this->reqid = 0; 
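Review bot: The INVALID_KE_PAYLOAD case reads two bytes through `ntohs(*((u_int16_t*)data.ptr))` without checking `data.len`, so a notify with fewer than two bytes of data makes the initiator read past the payload; the cast is also an unaligned access on strict-alignment targets. Nothing visible checks that the group the peer requests is one the local config proposes, and nothing bounds how often this case can fire, so a responder can steer the initiator to a weaker group than configured and keep it retrying (NEED_MORE) indefinitely. The length check and memcpy below fix the read; the group should additionally be matched against the configured proposals (the proposal's `has_dh_group` is available) and the retries limited, which I cannot quote without seeing the config API. process_i's body starts and ends outside the hunk.
```c
case INVALID_KE_PAYLOAD:
{
    chunk_t data;
    diffie_hellman_group_t bad_group;
    u_int16_t group;

    data = notify->get_notification_data(notify);
    if (data.len != sizeof(group))
    {
        /* malformed notify: ignore it instead of reading past the payload */
        DBG1(DBG_IKE, "INVALID_KE_PAYLOAD notify with bad data length, ignored");
        break;
    }
    memcpy(&group, data.ptr, sizeof(group));
    bad_group = this->dh_group;
    this->dh_group = ntohs(group);
    /* … unchanged: DBG1 log, migrate, iterator->destroy, return NEED_MORE … */
}
```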
@@ -751,19 +873,20 @@ static void destroy(private_child_create_t *this) DESTROY_IF(this->child_sa); } DESTROY_IF(this->proposal); + DESTROY_IF(this->dh); if (this->proposals) { this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy)); } - DESTROY_IF(this->policy); + DESTROY_IF(this->config); free(this); } /* * Described in header. */ -child_create_t *child_create_create(ike_sa_t *ike_sa, policy_t *policy) +child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config) { private_child_create_t *this = malloc_thing(private_child_create_t); @@ -773,12 +896,12 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, policy_t *policy) this->public.task.get_type = (task_type_t(*)(task_t*))get_type; this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; this->public.task.destroy = (void(*)(task_t*))destroy; - if (policy) + if (config) { this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; this->initiator = TRUE; - policy->get_ref(policy); + config->get_ref(config); } else { @@ -788,13 +911,15 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, policy_t *policy) } this->ike_sa = ike_sa; - this->policy = policy; + this->config = config; this->my_nonce = chunk_empty; this->other_nonce = chunk_empty; this->proposals = NULL; this->proposal = NULL; this->tsi = NULL; this->tsr = NULL; + this->dh = NULL; + this->dh_group = MODP_NONE; this->child_sa = NULL; this->mode = MODE_TUNNEL; this->reqid = 0; diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h index 200d37457..9f4815215 100644 --- a/src/charon/sa/tasks/child_create.h +++ b/src/charon/sa/tasks/child_create.h @@ -28,7 +28,7 @@ typedef struct child_create_t child_create_t; #include #include #include -#include +#include /** * @brief Task of type CHILD_CREATE, established a new CHILD_SA. 
@@ -80,9 +80,9 @@ struct child_create_t { * @brief Create a new child_create task. * * @param ike_sa IKE_SA this task works for - * @param policy policy if task initiator, NULL if responder + * @param config child_cfg if task initiator, NULL if responder * @return child_create task to handle by the task_manager */ -child_create_t *child_create_create(ike_sa_t *ike_sa, policy_t *policy); +child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config); #endif /* CHILD_CREATE_H_ */ diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c index 23d509de5..d0b34a276 100644 --- a/src/charon/sa/tasks/child_delete.c +++ b/src/charon/sa/tasks/child_delete.c @@ -176,11 +176,30 @@ static void destroy_children(private_child_delete_t *this) iterator->destroy(iterator); } +/** + * send closing signals for all CHILD_SAs over the bus + */ +static void log_children(private_child_delete_t *this) +{ + iterator_t *iterator; + child_sa_t *child_sa; + + iterator = this->child_sas->create_iterator(this->child_sas, TRUE); + while (iterator->iterate(iterator, (void**)&child_sa)) + { + SIG(CHILD_DOWN_START, "closing CHILD_SA %#R=== %#R", + child_sa->get_traffic_selectors(child_sa, TRUE), + child_sa->get_traffic_selectors(child_sa, FALSE)); + } + iterator->destroy(iterator); +} + /** * Implementation of task_t.build for initiator */ static status_t build_i(private_child_delete_t *this, message_t *message) { + log_children(this); build_payloads(this, message); return NEED_MORE; } @@ -196,6 +215,7 @@ static status_t process_i(private_child_delete_t *this, message_t *message) process_payloads(this, message); destroy_children(this); + SIG(CHILD_DOWN_SUCCESS, "CHILD_SA closed"); return SUCCESS; } @@ -205,6 +225,7 @@ static status_t process_i(private_child_delete_t *this, message_t *message) static status_t process_r(private_child_delete_t *this, message_t *message) { process_payloads(this, message); + log_children(this); return NEED_MORE; } 
@@ -219,6 +240,7 @@ static status_t build_r(private_child_delete_t *this, message_t *message) build_payloads(this, message); } destroy_children(this); + SIG(CHILD_DOWN_SUCCESS, "CHILD_SA closed"); return SUCCESS; } diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c index 745895dbb..4f3c69034 100644 --- a/src/charon/sa/tasks/child_rekey.c +++ b/src/charon/sa/tasks/child_rekey.c @@ -27,7 +27,7 @@ #include #include #include -#include +#include typedef struct private_child_rekey_t private_child_rekey_t; @@ -183,7 +183,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) u_int32_t spi; child_sa_t *to_delete; - this->child_create->task.process(&this->child_create->task, message); + if (this->child_create->task.process(&this->child_create->task, message) == NEED_MORE) + { + /* bad DH group while rekeying, try again */ + this->child_create->task.migrate(&this->child_create->task, this->ike_sa); + return NEED_MORE; + } if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL) { /* establishing new child failed, reuse old. but not when we @@ -192,8 +197,8 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) this->collision->get_type(this->collision) == CHILD_DELETE)) { job_t *job; - u_int32_t retry = charon->configuration->get_retry_interval( - charon->configuration); + u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER); + job = (job_t*)rekey_child_sa_job_create( this->child_sa->get_reqid(this->child_sa), this->child_sa->get_protocol(this->child_sa), @@ -315,8 +320,8 @@ static void destroy(private_child_rekey_t *this) */ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, child_sa_t *child_sa) { + child_cfg_t *config; private_child_rekey_t *this = malloc_thing(private_child_rekey_t); - policy_t *policy; this->public.collide = (void (*)(child_rekey_t*,task_t*))collide; this->public.task.get_type = (task_type_t(*)(task_t*))get_type; 
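Review bot: `migrate` is now invoked twice for one retry: child_create's process_i already calls `this->public.task.migrate(...)` on itself before returning NEED_MORE in its INVALID_KE_PAYLOAD case, and this hunk calls it again on the same task. If migrate is idempotent this is only redundant, but a comment stating that, e.g. `/* child_create already migrated itself; calling it again is harmless */`, or dropping one of the two calls, would make the retry path clearer. `RETRY_INTERVAL - (random() % RETRY_JITTER)` is fine for jitter (no cryptographic need), but it divides by zero if RETRY_JITTER is ever defined as 0; its definition is not visible here. process_i's body starts and ends outside the hunk.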
@@ -327,8 +332,8 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, child_sa_t *child_sa) this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; this->initiator = TRUE; - policy = child_sa->get_policy(child_sa); - this->child_create = child_create_create(ike_sa, policy); + config = child_sa->get_config(child_sa); + this->child_create = child_create_create(ike_sa, config); } else { diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c index 541e1bb37..d0dd49aee 100644 --- a/src/charon/sa/tasks/ike_auth.c +++ b/src/charon/sa/tasks/ike_auth.c @@ -100,18 +100,18 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message) { authenticator_t *auth; auth_payload_t *auth_payload; - policy_t *policy; + peer_cfg_t *config; auth_method_t method; status_t status; /* create own authenticator and add auth payload */ - policy = this->ike_sa->get_policy(this->ike_sa); - if (!policy) + config = this->ike_sa->get_peer_cfg(this->ike_sa); + if (!config) { - SIG(IKE_UP_FAILED, "unable to authenticate, no policy found"); + SIG(IKE_UP_FAILED, "unable to authenticate, no peer config found"); return FAILED; } - method = policy->get_auth_method(policy); + method = config->get_auth_method(config); auth = authenticator_create(this->ike_sa, method); if (auth == NULL) @@ -140,15 +140,15 @@ static status_t build_id(private_ike_auth_t *this, message_t *message) { identification_t *me, *other; id_payload_t *id; - policy_t *policy; + peer_cfg_t *config; me = this->ike_sa->get_my_id(this->ike_sa); other = this->ike_sa->get_other_id(this->ike_sa); - policy = this->ike_sa->get_policy(this->ike_sa); + config = this->ike_sa->get_peer_cfg(this->ike_sa); if (me->contains_wildcards(me)) { - me = policy->get_my_id(policy); + me = config->get_my_id(config); if (me->contains_wildcards(me)) { SIG(IKE_UP_FAILED, "negotiation of own ID failed"); 
@@ -202,7 +202,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message) auth->destroy(auth); if (status != SUCCESS) { - SIG(IKE_UP_FAILED, "authentication of %D using %N failed", + SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), auth_method_names, auth_method); return FAILED; @@ -215,7 +215,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message) */ static status_t process_id(private_ike_auth_t *this, message_t *message) { - identification_t *id; + identification_t *id, *req; id_payload_t *idr, *idi; idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR); @@ -230,6 +230,13 @@ static status_t process_id(private_ike_auth_t *this, message_t *message) if (this->initiator) { id = idr->get_identification(idr); + req = this->ike_sa->get_other_id(this->ike_sa); + if (!id->matches(id, req, NULL)) + { + SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req); + id->destroy(id); + return FAILED; + } this->ike_sa->set_other_id(this->ike_sa, id); } else @@ -346,7 +353,7 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message) if (!this->peer_authenticated) { - SIG(IKE_UP_FAILED, "authentication of %D using %N failed", + SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), auth_method_names, AUTH_EAP); if (this->initiator) @@ -444,7 +451,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message) this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap; break; default: - SIG(IKE_UP_FAILED, "authentication of %D using %N failed", + SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), auth_method_names, AUTH_EAP); status = FAILED; 
@@ -459,7 +466,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message) */ static status_t build_i(private_ike_auth_t *this, message_t *message) { - policy_t *policy; + peer_cfg_t *config; if (message->get_exchange_type(message) == IKE_SA_INIT) { @@ -471,8 +478,8 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) return FAILED; } - policy = this->ike_sa->get_policy(this->ike_sa); - if (policy->get_auth_method(policy) == AUTH_EAP) + config = this->ike_sa->get_peer_cfg(this->ike_sa); + if (config->get_auth_method(config) == AUTH_EAP) { this->eap_auth = eap_authenticator_create(this->ike_sa); } @@ -488,10 +495,12 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) } /** - * Implementation of task_t.process for initiator + * Implementation of task_t.process for responder */ static status_t process_r(private_ike_auth_t *this, message_t *message) -{ +{ + peer_cfg_t *config; + if (message->get_exchange_type(message) == IKE_SA_INIT) { return collect_other_init_data(this, message); @@ -514,6 +523,17 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) default: break; } + + config = charon->backends->get_peer_cfg(charon->backends, + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa), + this->ike_sa->get_other_ca(this->ike_sa)); + if (config) + { + this->ike_sa->set_peer_cfg(this->ike_sa, config); + config->destroy(config); + } + return NEED_MORE; } @@ -522,7 +542,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) */ static status_t build_r(private_ike_auth_t *this, message_t *message) { - policy_t *policy; + peer_cfg_t *config; eap_type_t eap_type; eap_payload_t *eap_payload; status_t status; 
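Review bot: The config returned by `charon->backends->get_peer_cfg` is handed to `set_peer_cfg` and destroyed on the next line, which is only correct if `set_peer_cfg` takes its own reference the way child_create_create does with `config->get_ref(config)`; nothing in this hunk shows that. Please confirm it, and document it at the call, e.g. `/* ike_sa takes its own reference, release ours */`. process_r's body starts outside the hunk.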
@@ -532,10 +552,12 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) return collect_my_init_data(this, message); } - policy = this->ike_sa->get_policy(this->ike_sa); - if (policy == NULL) + config = this->ike_sa->get_peer_cfg(this->ike_sa); + if (config == NULL) { - SIG(IKE_UP_FAILED, "no acceptable policy found"); + SIG(IKE_UP_FAILED, "no matching config found for %D...%D", + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); return FAILED; } @@ -567,7 +589,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) } /* initiate EAP authenitcation */ - eap_type = policy->get_eap_type(policy); + eap_type = config->get_eap_type(config); status = this->eap_auth->initiate(this->eap_auth, eap_type, &eap_payload); message->add_payload(message, (payload_t*)eap_payload); if (status != NEED_MORE) diff --git a/src/charon/sa/tasks/ike_cert.c b/src/charon/sa/tasks/ike_cert.c index 160600742..880ed9c42 100644 --- a/src/charon/sa/tasks/ike_cert.c +++ b/src/charon/sa/tasks/ike_cert.c @@ -84,7 +84,7 @@ static void process_certreqs(private_ike_cert_t *this, message_t *message) encoding = certreq->get_cert_encoding(certreq); if (encoding != CERT_X509_SIGNATURE) { - DBG1(DBG_IKE, "certreq payload %N not supported, ignored", + DBG1(DBG_IKE, "certreq payload %N not supported - ignored", cert_encoding_names, encoding); continue; } @@ -125,7 +125,7 @@ static void process_certs(private_ike_cert_t *this, message_t *message) encoding = cert_payload->get_cert_encoding(cert_payload); if (encoding != CERT_X509_SIGNATURE) { - DBG1(DBG_IKE, "certificate payload %N not supported, ignored", + DBG1(DBG_IKE, "certificate payload %N not supported - ignored", cert_encoding_names, encoding); continue; } 
@@ -134,31 +134,29 @@ static void process_certs(private_ike_cert_t *this, message_t *message) cert = x509_create_from_chunk(cert_data, 0); if (cert) { - if (charon->credentials->verify(charon->credentials, - cert, &found)) + if (charon->credentials->verify(charon->credentials, cert, &found)) { - DBG2(DBG_IKE, "received end entity certificate is trusted, " - "added to store"); - if (!found) + DBG2(DBG_IKE, "received end entity certificate is trusted - " + "added to store"); + if (found) { - charon->credentials->add_end_certificate( - charon->credentials, cert); + cert->destroy(cert); } else { - cert->destroy(cert); + charon->credentials->add_end_certificate(charon->credentials, cert); } } else { - DBG1(DBG_IKE, "received end entity certificate is not " - "trusted, discarded"); + DBG1(DBG_IKE, "received end entity certificate is not trusted - " + "discarded"); cert->destroy(cert); } } else { - DBG1(DBG_IKE, "parsing of received certificate failed, discarded"); + DBG1(DBG_IKE, "parsing of received certificate failed - discarded"); chunk_free(&cert_data); } } @@ -171,20 +169,20 @@ static void process_certs(private_ike_cert_t *this, message_t *message) */ static void build_certreqs(private_ike_cert_t *this, message_t *message) { - connection_t *connection; - policy_t *policy; + ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; identification_t *ca; certreq_payload_t *certreq; - connection = this->ike_sa->get_connection(this->ike_sa); + ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); - if (connection->get_certreq_policy(connection) != CERT_NEVER_SEND) + if (ike_cfg->send_certreq(ike_cfg) != CERT_NEVER_SEND) { - policy = this->ike_sa->get_policy(this->ike_sa); + peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - if (policy) + if (peer_cfg) { - ca = policy->get_other_ca(policy); + ca = peer_cfg->get_other_ca(peer_cfg); if (ca && ca->get_type(ca) != ID_ANY) { 
@@ -212,17 +210,15 @@ static void build_certreqs(private_ike_cert_t *this, message_t *message) */ static void build_certs(private_ike_cert_t *this, message_t *message) { - policy_t *policy; - connection_t *connection; + peer_cfg_t *peer_cfg; x509_t *cert; cert_payload_t *payload; - policy = this->ike_sa->get_policy(this->ike_sa); - connection = this->ike_sa->get_connection(this->ike_sa); + peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - if (policy && policy->get_auth_method(policy) == AUTH_RSA) + if (peer_cfg && peer_cfg->get_auth_method(peer_cfg) == AUTH_RSA) { - switch (connection->get_cert_policy(connection)) + switch (peer_cfg->get_cert_policy(peer_cfg)) { case CERT_NEVER_SEND: break; @@ -236,7 +232,7 @@ static void build_certs(private_ike_cert_t *this, message_t *message) { /* TODO: respect CA cert request */ cert = charon->credentials->get_certificate(charon->credentials, - policy->get_my_id(policy)); + peer_cfg->get_my_id(peer_cfg)); if (cert) { payload = cert_payload_create_from_x509(cert); diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c index ce29b9220..3c73395a5 100644 --- a/src/charon/sa/tasks/ike_config.c +++ b/src/charon/sa/tasks/ike_config.c @@ -48,11 +48,6 @@ struct private_ike_config_t { */ bool initiator; - /** - * associated policy with virtual IP configuration - */ - policy_t *policy; - /** * virtual ip */ 
@@ -266,7 +261,20 @@ static status_t build_i(private_ike_config_t *this, message_t *message) if (message->get_exchange_type(message) == IKE_AUTH && message->get_payload(message, ID_INITIATOR)) { - this->virtual_ip = this->policy->get_virtual_ip(this->policy, NULL); + peer_cfg_t *config; + host_t *vip; + + /* reuse virtual IP if we already have one */ + vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE); + if (vip) + { + this->virtual_ip = vip->clone(vip); + } + else + { + config = this->ike_sa->get_peer_cfg(this->ike_sa); + this->virtual_ip = config->get_my_virtual_ip(config); + } build_payloads(this, message, CFG_REQUEST); } @@ -295,17 +303,18 @@ static status_t build_r(private_ike_config_t *this, message_t *message) if (message->get_exchange_type(message) == IKE_AUTH && message->get_payload(message, EXTENSIBLE_AUTHENTICATION) == NULL) { - this->policy = this->ike_sa->get_policy(this->ike_sa); + peer_cfg_t *config = this->ike_sa->get_peer_cfg(this->ike_sa); - if (this->policy && this->virtual_ip) + if (config && this->virtual_ip) { host_t *ip; DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip); - ip = this->policy->get_virtual_ip(this->policy, this->virtual_ip); + ip = config->get_other_virtual_ip(config, this->virtual_ip); if (ip == NULL || ip->is_anyaddr(ip)) { DBG1(DBG_IKE, "not assigning a virtual IP to peer"); + DESTROY_IF(ip); return SUCCESS; } DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip); 
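Review bot: build_i dereferences the result of `get_peer_cfg` without a NULL check (`config->get_my_virtual_ip(config)`), while build_r in the next hunk guards the same lookup with `if (config && this->virtual_ip)`; process_i in the following hunk has the same unguarded call. If an initiator's IKE_SA always has its peer config set before this task runs the code is fine, but then a comment such as `/* initiator: peer_cfg is always set */` would record the invariant; otherwise a guard is needed. build_i's body starts and ends outside the hunk.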
@@ -340,13 +349,20 @@ static status_t process_i(private_ike_config_t *this, message_t *message) !message->get_payload(message, EXTENSIBLE_AUTHENTICATION)) { host_t *ip; + peer_cfg_t *config; DESTROY_IF(this->virtual_ip); this->virtual_ip = NULL; process_payloads(this, message); + + if (this->virtual_ip == NULL) + { /* force a configured virtual IP, even server didn't return one */ + config = this->ike_sa->get_peer_cfg(this->ike_sa); + this->virtual_ip = config->get_my_virtual_ip(config); + } - if (this->virtual_ip) + if (this->virtual_ip && !this->virtual_ip->is_anyaddr(this->virtual_ip)) { this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip); @@ -398,7 +414,7 @@ static void destroy(private_ike_config_t *this) /* * Described in header. */ -ike_config_t *ike_config_create(ike_sa_t *ike_sa, policy_t *policy) +ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator) { private_ike_config_t *this = malloc_thing(private_ike_config_t); @@ -406,21 +422,18 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, policy_t *policy) this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; this->public.task.destroy = (void(*)(task_t*))destroy; - if (policy) + if (initiator) { this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; - this->initiator = TRUE; } else { this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; - this->initiator = FALSE; } - + this->initiator = initiator; this->ike_sa = ike_sa; - this->policy = policy; this->virtual_ip = NULL; this->dns = linked_list_create(); diff --git a/src/charon/sa/tasks/ike_config.h b/src/charon/sa/tasks/ike_config.h index 0c9b961b4..a7cfddff0 100644 --- a/src/charon/sa/tasks/ike_config.h +++ b/src/charon/sa/tasks/ike_config.h 
@@ -28,7 +28,6 @@ typedef struct ike_config_t ike_config_t; #include #include #include -#include /** * @brief Task of type IKE_CONFIG, sets up a virtual IP and other @@ -51,9 +50,9 @@ struct ike_config_t { * @brief Create a new ike_config task. * * @param ike_sa IKE_SA this task works for - * @param policy policy for the initiator, NULL for the responder + * @param initiator TRUE for initiator * @return ike_config task to handle by the task_manager */ -ike_config_t *ike_config_create(ike_sa_t *ike_sa, policy_t *policy); +ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator); #endif /* IKE_CONFIG_H_ */ diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c index 9c4fdac0e..1a3656ca6 100644 --- a/src/charon/sa/tasks/ike_delete.c +++ b/src/charon/sa/tasks/ike_delete.c @@ -28,7 +28,7 @@ typedef struct private_ike_delete_t private_ike_delete_t; -/** +/**file * Private members of a ike_delete_t task. */ struct private_ike_delete_t { @@ -94,7 +94,6 @@ static status_t process_r(private_ike_delete_t *this, message_t *message) DBG1(DBG_IKE, "deleting IKE_SA on request"); break; case IKE_REKEYING: - DBG1(DBG_IKE, "initiated rekeying, but received delete for IKE_SA"); break; default: break; diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c index 0b493666a..f78b5dd66 100644 --- a/src/charon/sa/tasks/ike_init.c +++ b/src/charon/sa/tasks/ike_init.c @@ -57,9 +57,9 @@ struct private_ike_init_t { bool initiator; /** - * Connection established by this IKE_SA + * IKE config to establish */ - connection_t *connection; + ike_cfg_t *config; /** * diffie hellman group to use @@ -69,7 +69,7 @@ struct private_ike_init_t { /** * Diffie hellman object used to generate public DH value. */ - diffie_hellman_t *diffie_hellman; + diffie_hellman_t *dh; /** * nonce chosen by us 
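Review bot: In ike_delete.c the comment opener is changed from `/**` to `/**file`, which looks like a stray keystroke rather than an intended Doxygen tag and should be reverted to `/**`. The same file drops the `DBG1(DBG_IKE, "initiated rekeying, but received delete for IKE_SA");` line from the IKE_REKEYING case, leaving a bare `break;` with no hint whether the silence is deliberate; a delete arriving during a rekey is a useful event when reconstructing what happened to a tunnel, so either keep it at a lower log level or add `/* peer deleted the SA while we were rekeying; handled like a plain delete */` if that is the intent. process_r in ike_delete.c begins before its hunk.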
@@ -117,11 +117,11 @@ static void build_payloads(private_ike_init_t *this, message_t *message) id = this->ike_sa->get_id(this->ike_sa); - this->connection = this->ike_sa->get_connection(this->ike_sa); + this->config = this->ike_sa->get_ike_cfg(this->ike_sa); if (this->initiator) { - proposal_list = this->connection->get_proposals(this->connection); + proposal_list = this->config->get_proposals(this->config); if (this->old_sa) { /* include SPI of new IKE_SA when we are rekeying */ @@ -151,7 +151,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message) nonce_payload->set_nonce(nonce_payload, this->my_nonce); message->add_payload(message, (payload_t*)nonce_payload); - ke_payload = ke_payload_create_from_diffie_hellman(this->diffie_hellman); + ke_payload = ke_payload_create_from_diffie_hellman(this->dh); message->add_payload(message, (payload_t*)ke_payload); } @@ -174,8 +174,8 @@ static void process_payloads(private_ike_init_t *this, message_t *message) linked_list_t *proposal_list; proposal_list = sa_payload->get_proposals(sa_payload); - this->proposal = this->connection->select_proposal( - this->connection, proposal_list); + this->proposal = this->config->select_proposal(this->config, + proposal_list); proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy)); break; 
@@ -183,34 +183,16 @@ static void process_payloads(private_ike_init_t *this, message_t *message) case KEY_EXCHANGE: { ke_payload_t *ke_payload = (ke_payload_t*)payload; - diffie_hellman_group_t dh_group; - chunk_t key_data; - dh_group = ke_payload->get_dh_group_number(ke_payload); - - if (this->initiator) + this->dh_group = ke_payload->get_dh_group_number(ke_payload); + if (!this->initiator) { - if (dh_group != this->dh_group) - { - DBG1(DBG_IKE, "received a DH group not requested (%N)", - diffie_hellman_group_names, dh_group); - break; - } + this->dh = diffie_hellman_create(this->dh_group); } - else + if (this->dh) { - this->dh_group = dh_group; - if (!this->connection->check_dh_group(this->connection, - dh_group)) - { - break; - } - this->diffie_hellman = diffie_hellman_create(dh_group); - } - if (this->diffie_hellman) - { - key_data = ke_payload->get_key_exchange_data(ke_payload); - this->diffie_hellman->set_other_public_value(this->diffie_hellman, key_data); + this->dh->set_other_public_value(this->dh, + ke_payload->get_key_exchange_data(ke_payload)); } break; } @@ -235,9 +217,9 @@ static status_t build_i(private_ike_init_t *this, message_t *message) randomizer_t *randomizer; status_t status; - this->connection = this->ike_sa->get_connection(this->ike_sa); + this->config = this->ike_sa->get_ike_cfg(this->ike_sa); SIG(IKE_UP_START, "initiating IKE_SA to %H", - this->connection->get_other_host(this->connection)); + this->config->get_other_host(this->config)); this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); if (this->retry++ >= MAX_RETRIES) 
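Review bot: The initiator now overwrites `this->dh_group` with whatever group the KE payload announces and feeds that payload's key data into a `this->dh` object that build_i created for the originally configured group (`this->dh->set_other_public_value(...)`), where the removed code rejected a mismatch with `received a DH group not requested`. The later `has_dh_group(this->proposal, this->dh_group)` check in process_i only confirms the announced group is in the selected proposal, not that it is the group `this->dh` was built with, so a reply carrying a different but acceptable group reaches `get_shared_secret()` with mismatched parameters instead of a clear error. Keeping the comparison on the initiator side, e.g. `if (this->initiator && this->dh_group != group) { DBG1(DBG_IKE, "received a DH group not requested"); break; }` before the `set_other_public_value` call, restores that. On the responder side `diffie_hellman_create(this->dh_group)` is now called with the peer-supplied group before any check against the proposal; this works only because an unsupported group yields NULL and build_r then answers INVALID_KE_PAYLOAD, which deserves a comment on that line. process_payloads begins before this hunk.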
@@ -247,11 +229,11 @@ static status_t build_i(private_ike_init_t *this, message_t *message) } /* if the DH group is set via use_dh_group(), we already have a DH object */ - if (!this->diffie_hellman) + if (!this->dh) { - this->dh_group = this->connection->get_dh_group(this->connection); - this->diffie_hellman = diffie_hellman_create(this->dh_group); - if (this->diffie_hellman == NULL) + this->dh_group = this->config->get_dh_group(this->config); + this->dh = diffie_hellman_create(this->dh_group); + if (this->dh == NULL) { SIG(IKE_UP_FAILED, "configured DH group %N not supported", diffie_hellman_group_names, this->dh_group); @@ -291,7 +273,7 @@ static status_t process_r(private_ike_init_t *this, message_t *message) { randomizer_t *randomizer; - this->connection = this->ike_sa->get_connection(this->ike_sa); + this->config = this->ike_sa->get_ike_cfg(this->ike_sa); SIG(IKE_UP_FAILED, "%H is initiating an IKE_SA", message->get_source(message)); this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); 
@@ -326,25 +308,29 @@ static status_t build_r(private_ike_init_t *this, message_t *message) return FAILED; } - if (this->diffie_hellman == NULL || - this->diffie_hellman->get_shared_secret(this->diffie_hellman, - &secret) != SUCCESS) + if (this->dh == NULL || + !this->proposal->has_dh_group(this->proposal, this->dh_group) || + this->dh->get_shared_secret(this->dh, &secret) != SUCCESS) { - chunk_t chunk; - u_int16_t dh_enc; - - SIG(IKE_UP_FAILED, "received inacceptable DH group (%N)", - diffie_hellman_group_names, this->dh_group); - this->dh_group = this->connection->get_dh_group(this->connection); - dh_enc = htons(this->dh_group); - chunk.ptr = (u_int8_t*)&dh_enc; - chunk.len = sizeof(dh_enc); - message->add_notify(message, TRUE, INVALID_KE_PAYLOAD, chunk); - DBG1(DBG_IKE, "requesting DH group %N", - diffie_hellman_group_names, this->dh_group); + algorithm_t *algo; + if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP, + &algo)) + { + u_int16_t group = algo->algorithm; + SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N", + diffie_hellman_group_names, this->dh_group, + diffie_hellman_group_names, group); + this->dh_group = group; + group = htons(group); + message->add_notify(message, FALSE, INVALID_KE_PAYLOAD, + chunk_from_thing(group)); + } + else + { + SIG(IKE_UP_FAILED, "no acceptable proposal found"); + } return FAILED; } - if (this->old_sa) { 
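Review bot: `SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N", ...)` is raised from the IKE_SA_INIT responder, while the sibling `no acceptable proposal found` branch right below and the initiator side in process_i signal `IKE_UP_FAILED`; it should read `SIG(IKE_UP_FAILED, "DH group %N unacceptable, requesting %N", ...)`. The second argument to `add_notify` also changes from `TRUE` to `FALSE` relative to the removed code without explanation; if that argument is the critical flag, a one-line comment on why INVALID_KE_PAYLOAD is now sent non-critical would help. `this->proposal->has_dh_group(...)` is evaluated unconditionally, which is safe only if the code above the hunk already returns when no proposal was selected. build_r starts before this hunk.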
@@ -405,27 +391,20 @@ static status_t process_i(private_ike_init_t *this, message_t *message) case INVALID_KE_PAYLOAD: { chunk_t data; - diffie_hellman_group_t old_dh_group; + diffie_hellman_group_t bad_group; - old_dh_group = this->dh_group; + bad_group = this->dh_group; data = notify->get_notification_data(notify); this->dh_group = ntohs(*((u_int16_t*)data.ptr)); - - DBG1(DBG_IKE, "peer didn't accept DH group %N, it requested" - " %N", diffie_hellman_group_names, old_dh_group, - diffie_hellman_group_names, this->dh_group); - if (!this->connection->check_dh_group(this->connection, - this->dh_group)) - { - DBG1(DBG_IKE, "requested DH group %N not acceptable, " - "giving up", diffie_hellman_group_names, - this->dh_group); - iterator->destroy(iterator); - return FAILED; + DBG1(DBG_IKE, "peer didn't accept DH group %N, " + "it requested %N", diffie_hellman_group_names, + bad_group, diffie_hellman_group_names, this->dh_group); + + if (this->old_sa == NULL) + { /* reset the IKE_SA if we are not rekeying */ + this->ike_sa->reset(this->ike_sa); } - this->ike_sa->reset(this->ike_sa); - iterator->destroy(iterator); return NEED_MORE; } @@ -470,9 +449,9 @@ static status_t process_i(private_ike_init_t *this, message_t *message) return FAILED; } - if (this->diffie_hellman == NULL || - this->diffie_hellman->get_shared_secret(this->diffie_hellman, - &secret) != SUCCESS) + if (this->dh == NULL || + !this->proposal->has_dh_group(this->proposal, this->dh_group) || + this->dh->get_shared_secret(this->dh, &secret) != SUCCESS) { SIG(IKE_UP_FAILED, "peers DH group selection invalid"); return FAILED; 
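Review bot: The group named by the responder in INVALID_KE_PAYLOAD is now adopted as `this->dh_group` unconditionally, where the removed `check_dh_group()` branch rejected a requested group that is not configured and returned FAILED; the new code stores it, optionally resets the IKE_SA and returns NEED_MORE, so the next build_i (via migrate) performs a DH exchange with a group picked entirely by an as-yet unauthenticated peer. The retry count is bounded by MAX_RETRIES in build_i and the `has_dh_group(this->proposal, this->dh_group)` check later in this function rejects the group once the exchange completes, but validating the requested group against the configured proposals before returning NEED_MORE, as the removed code did, keeps the initiator from computing DH for a group it was never configured to use. Independently, `this->dh_group = ntohs(*((u_int16_t*)data.ptr));` still reads the notification data without a length check and through a possibly unaligned pointer; add `if (data.len < sizeof(u_int16_t)) { iterator->destroy(iterator); return FAILED; }` before it and copy the two bytes out with memcpy. process_i begins before this hunk.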
@@ -539,12 +518,12 @@ static chunk_t get_lower_nonce(private_ike_init_t *this) static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa) { DESTROY_IF(this->proposal); - DESTROY_IF(this->diffie_hellman); + DESTROY_IF(this->dh); chunk_free(&this->other_nonce); this->ike_sa = ike_sa; this->proposal = NULL; - this->diffie_hellman = diffie_hellman_create(this->dh_group); + this->dh = diffie_hellman_create(this->dh_group); } /** @@ -553,7 +532,7 @@ static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa) static void destroy(private_ike_init_t *this) { DESTROY_IF(this->proposal); - DESTROY_IF(this->diffie_hellman); + DESTROY_IF(this->dh); chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); chunk_free(&this->cookie); @@ -585,12 +564,12 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa) this->ike_sa = ike_sa; this->initiator = initiator; this->dh_group = MODP_NONE; - this->diffie_hellman = NULL; + this->dh = NULL; this->my_nonce = chunk_empty; this->other_nonce = chunk_empty; this->cookie = chunk_empty; this->proposal = NULL; - this->connection = NULL; + this->config = NULL; this->old_sa = old_sa; this->retry = 0; diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c index a33e7ee34..d54fc3524 100644 --- a/src/charon/sa/tasks/ike_rekey.c +++ b/src/charon/sa/tasks/ike_rekey.c @@ -26,8 +26,8 @@ #include #include #include -#include -#include +#include +#include typedef struct private_ike_rekey_t private_ike_rekey_t; 
@@ -73,21 +73,20 @@ struct private_ike_rekey_t { */ static status_t build_i(private_ike_rekey_t *this, message_t *message) { - connection_t *connection; - policy_t *policy; + peer_cfg_t *peer_cfg; - this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, - TRUE); - - connection = this->ike_sa->get_connection(this->ike_sa); - policy = this->ike_sa->get_policy(this->ike_sa); - this->new_sa->set_connection(this->new_sa, connection); - this->new_sa->set_policy(this->new_sa, policy); - - this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa); + /* create new SA only on first try */ + if (this->new_sa == NULL) + { + this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, + TRUE); + + peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + this->new_sa->set_peer_cfg(this->new_sa, peer_cfg); + this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa); + this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); + } this->ike_init->task.build(&this->ike_init->task, message); - - this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); return NEED_MORE; } @@ -97,8 +96,7 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message) */ static status_t process_r(private_ike_rekey_t *this, message_t *message) { - connection_t *connection; - policy_t *policy; + peer_cfg_t *peer_cfg; iterator_t *iterator; child_sa_t *child_sa; 
@@ -129,11 +127,8 @@ static status_t process_r(private_ike_rekey_t *this, message_t *message) this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, FALSE); - connection = this->ike_sa->get_connection(this->ike_sa); - policy = this->ike_sa->get_policy(this->ike_sa); - this->new_sa->set_connection(this->new_sa, connection); - this->new_sa->set_policy(this->new_sa, policy); - + peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + this->new_sa->set_peer_cfg(this->new_sa, peer_cfg); this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa); this->ike_init->task.process(&this->ike_init->task, message); 
@@ -171,23 +166,29 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) job_t *job; ike_sa_id_t *to_delete; - if (this->ike_init->task.process(&this->ike_init->task, message) == FAILED) + switch (this->ike_init->task.process(&this->ike_init->task, message)) { - /* rekeying failed, fallback to old SA */ - if (!(this->collision && - this->collision->get_type(this->collision) == IKE_DELETE)) - { - job_t *job; - u_int32_t retry = charon->configuration->get_retry_interval( - charon->configuration); - job = (job_t*)rekey_ike_sa_job_create( - this->ike_sa->get_id(this->ike_sa), FALSE); - DBG1(DBG_IKE, "IKE_SA rekeying failed, " - "trying again in %d seconds", retry); - this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - charon->event_queue->add_relative(charon->event_queue, job, retry * 1000); - } - return SUCCESS; + case FAILED: + /* rekeying failed, fallback to old SA */ + if (!(this->collision && + this->collision->get_type(this->collision) == IKE_DELETE)) + { + job_t *job; + u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER); + job = (job_t*)rekey_ike_sa_job_create( + this->ike_sa->get_id(this->ike_sa), FALSE); + DBG1(DBG_IKE, "IKE_SA rekeying failed, " + "trying again in %d seconds", retry); + this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); + charon->event_queue->add_relative(charon->event_queue, job, retry * 1000); + } + return SUCCESS; + case NEED_MORE: + /* bad dh group, try again */ + this->ike_init->task.migrate(&this->ike_init->task, this->new_sa); + return NEED_MORE; + default: + break; } this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED); diff --git a/src/charon/threads/kernel_interface.c b/src/charon/threads/kernel_interface.c deleted file mode 100644 index 4a70d2ecf..000000000 --- a/src/charon/threads/kernel_interface.c +++ /dev/null 
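Review bot: The `case NEED_MORE:` branch calls `this->ike_init->task.migrate(&this->ike_init->task, this->new_sa)` with the IKE_SA the ike_init task already belongs to, which reads oddly unless one knows that ike_init's migrate() (earlier in this patch) is what discards the old proposal and DH object and re-creates the DH with the group the peer requested; a comment such as `/* migrate to the same SA: resets ike_init's proposal and DH object for the newly requested group */` would make that explicit. The jitter `RETRY_INTERVAL - (random() % RETRY_JITTER)` is computed in `u_int32_t`, so it silently wraps to a huge delay if RETRY_JITTER ever exceeds RETRY_INTERVAL (neither constant is visible here), and `retry` is then printed with `%d` although it is unsigned. process_i starts before this hunk and continues after it.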
@@ -1,1964 +0,0 @@ -/** - * @file kernel_interface.c - * - * @brief Implementation of kernel_interface_t. - * - */ - -/* - * Copyright (C) 2005-2007 Martin Willi - * Copyright (C) 2006-2007 Tobias Brunner - * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser - * Copyright (C) 2006 Daniel Roethlisberger - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * Copyright (C) 2003 Herbert Xu. - * - * Based on xfrm code from pluto. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "kernel_interface.h" - -#include -#include -#include -#include -#include - -/** kernel level protocol identifiers */ -#define KERNEL_ESP 50 -#define KERNEL_AH 51 - -/** default priority of installed policies */ -#define PRIO_LOW 3000 -#define PRIO_HIGH 2000 - -#define BUFFER_SIZE 1024 - -/** - * returns a pointer to the first rtattr following the nlmsghdr *nlh and the - * 'usual' netlink data x like 'struct xfrm_usersa_info' - */ -#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x)))) -/** - * returns a pointer to the next rtattr following rta. - * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!! 
- */ -#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len))) -/** - * returns the total size of attached rta data - * (after 'usual' netlink data x like 'struct xfrm_usersa_info') - */ -#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x)) - -typedef struct kernel_algorithm_t kernel_algorithm_t; - -/** - * Mapping from the algorithms defined in IKEv2 to - * kernel level algorithm names and their key length - */ -struct kernel_algorithm_t { - /** - * Identifier specified in IKEv2 - */ - int ikev2_id; - - /** - * Name of the algorithm, as used as kernel identifier - */ - char *name; - - /** - * Key length in bits, if fixed size - */ - u_int key_size; -}; -#define END_OF_LIST -1 - -/** - * Algorithms for encryption - */ -kernel_algorithm_t encryption_algs[] = { -/* {ENCR_DES_IV64, "***", 0}, */ - {ENCR_DES, "des", 64}, - {ENCR_3DES, "des3_ede", 192}, -/* {ENCR_RC5, "***", 0}, */ -/* {ENCR_IDEA, "***", 0}, */ - {ENCR_CAST, "cast128", 0}, - {ENCR_BLOWFISH, "blowfish", 0}, -/* {ENCR_3IDEA, "***", 0}, */ -/* {ENCR_DES_IV32, "***", 0}, */ - {ENCR_NULL, "cipher_null", 0}, - {ENCR_AES_CBC, "aes", 0}, -/* {ENCR_AES_CTR, "***", 0}, */ - {END_OF_LIST, NULL, 0}, -}; - -/** - * Algorithms for integrity protection - */ -kernel_algorithm_t integrity_algs[] = { - {AUTH_HMAC_MD5_96, "md5", 128}, - {AUTH_HMAC_SHA1_96, "sha1", 160}, - {AUTH_HMAC_SHA2_256_128, "sha256", 256}, - {AUTH_HMAC_SHA2_384_192, "sha384", 384}, - {AUTH_HMAC_SHA2_512_256, "sha512", 512}, -/* {AUTH_DES_MAC, "***", 0}, */ -/* {AUTH_KPDK_MD5, "***", 0}, */ -/* {AUTH_AES_XCBC_96, "***", 0}, */ - {END_OF_LIST, NULL, 0}, -}; - -/** - * Look up a kernel algorithm name and its key size - */ -char* lookup_algorithm(kernel_algorithm_t *kernel_algo, - algorithm_t *ikev2_algo, u_int *key_size) -{ - while (kernel_algo->ikev2_id != END_OF_LIST) - { - if (ikev2_algo->algorithm == kernel_algo->ikev2_id) - { - /* match, evaluate key length */ - if (ikev2_algo->key_size) - { /* variable 
length */ - *key_size = ikev2_algo->key_size; - } - else - { /* fixed length */ - *key_size = kernel_algo->key_size; - } - return kernel_algo->name; - } - kernel_algo++; - } - return NULL; -} - -typedef struct route_entry_t route_entry_t; - -/** - * installed routing entry - */ -struct route_entry_t { - - /** Index of the interface the route is bound to */ - int if_index; - - /** Source ip of the route */ - host_t *src_ip; - - /** Destination net */ - chunk_t dst_net; - - /** Destination net prefixlen */ - u_int8_t prefixlen; -}; - -/** - * destroy an route_entry_t object - */ -static void route_entry_destroy(route_entry_t *this) -{ - this->src_ip->destroy(this->src_ip); - chunk_free(&this->dst_net); - free(this); -} - -typedef struct policy_entry_t policy_entry_t; - -/** - * installed kernel policy. - */ -struct policy_entry_t { - - /** direction of this policy: in, out, forward */ - u_int8_t direction; - - /** reqid of the policy */ - u_int32_t reqid; - - /** parameters of installed policy */ - struct xfrm_selector sel; - - /** associated route installed for this policy */ - route_entry_t *route; - - /** by how many CHILD_SA's this policy is used */ - u_int refcount; -}; - -typedef struct vip_entry_t vip_entry_t; - -/** - * Installed virtual ip - */ -struct vip_entry_t { - /** Index of the interface the ip is bound to */ - u_int8_t if_index; - - /** The ip address */ - host_t *ip; - - /** Number of times this IP is used */ - u_int refcount; -}; - -/** - * destroy a vip_entry_t object - */ -static void vip_entry_destroy(vip_entry_t *this) -{ - this->ip->destroy(this->ip); - free(this); -} - -typedef struct address_entry_t address_entry_t; - -/** - * an address found on the system, containg address and interface info - */ -struct address_entry_t { - - /** address of this entry */ - host_t *host; - - /** interface index */ - int ifindex; - - /** name of the index */ - char ifname[IFNAMSIZ]; -}; - -/** - * destroy an address entry - */ -static void 
address_entry_destroy(address_entry_t *this) -{ - this->host->destroy(this->host); - free(this); -} - -typedef struct private_kernel_interface_t private_kernel_interface_t; - -/** - * Private variables and functions of kernel_interface class. - */ -struct private_kernel_interface_t { - /** - * Public part of the kernel_interface_t object. - */ - kernel_interface_t public; - - /** - * List of installed policies (kernel_entry_t) - */ - linked_list_t *policies; - - /** - * Mutex locks access to policies - */ - pthread_mutex_t policies_mutex; - - /** - * List of installed virtual IPs. (vip_entry_t) - */ - linked_list_t *vips; - - /** - * Mutex to lock access to vips. - */ - pthread_mutex_t vips_mutex; - - /** - * netlink xfrm socket to receive acquire and expire events - */ - int socket_xfrm_events; - - /** - * Netlink xfrm socket (IPsec) - */ - int socket_xfrm; - - /** - * Netlink rt socket (routing) - */ - int socket_rt; - - /** - * Thread receiving events from kernel - */ - pthread_t event_thread; -}; - -/** - * convert a host_t to a struct xfrm_address - */ -static void host2xfrm(host_t *host, xfrm_address_t *xfrm) -{ - chunk_t chunk = host->get_address(host); - memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t))); -} - -/** - * convert a traffic selector address range to subnet and its mask. - */ -static void ts2subnet(traffic_selector_t* ts, - xfrm_address_t *net, u_int8_t *mask) -{ - /* there is no way to do this cleanly, as the address range may - * be anything else but a subnet. We use from_addr as subnet - * and try to calculate a usable subnet mask. - */ - int byte, bit; - bool found = FALSE; - chunk_t from, to; - size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16; - - from = ts->get_from_address(ts); - to = ts->get_to_address(ts); - - *mask = (size * 8); - /* go trough all bits of the addresses, beginning in the front. 
- * as long as they are equal, the subnet gets larger - */ - for (byte = 0; byte < size; byte++) - { - for (bit = 7; bit >= 0; bit--) - { - if ((1<get_from_port(ts); - to = ts->get_to_port(ts); - - if (from == to) - { - *port = htons(from); - *mask = ~0; - } - else - { - *port = 0; - *mask = 0; - } -} - -/** - * convert a pair of traffic_selectors to a xfrm_selector - */ -static struct xfrm_selector ts2selector(traffic_selector_t *src, - traffic_selector_t *dst) -{ - struct xfrm_selector sel; - - memset(&sel, 0, sizeof(sel)); - sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6; - /* src or dest proto may be "any" (0), use more restrictive one */ - sel.proto = max(src->get_protocol(src), dst->get_protocol(dst)); - ts2subnet(dst, &sel.daddr, &sel.prefixlen_d); - ts2subnet(src, &sel.saddr, &sel.prefixlen_s); - ts2ports(dst, &sel.dport, &sel.dport_mask); - ts2ports(src, &sel.sport, &sel.sport_mask); - sel.ifindex = 0; - sel.user = 0; - - return sel; -} - -/** - * Creates an rtattr and adds it to the netlink message - */ -static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, - size_t buflen) -{ - struct rtattr *rta; - - if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen) - { - DBG1(DBG_KNL, "unable to add attribute, buffer too small"); - return; - } - - rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len)); - rta->rta_type = rta_type; - rta->rta_len = RTA_LENGTH(data.len); - memcpy(RTA_DATA(rta), data.ptr, data.len); - hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len; -} - -/** - * Receives events from kernel - */ -static void receive_events(private_kernel_interface_t *this) -{ - while(TRUE) - { - unsigned char response[512]; - struct nlmsghdr *hdr; - struct sockaddr_nl addr; - socklen_t addr_len = sizeof(addr); - int len; - - hdr = (struct nlmsghdr*)response; - len = recvfrom(this->socket_xfrm_events, response, sizeof(response), - 0, (struct sockaddr*)&addr, &addr_len); - if (len < 0) - 
{ - if (errno == EINTR) - { - /* interrupted, try again */ - continue; - } - charon->kill(charon, "unable to receive netlink events"); - } - - if (!NLMSG_OK(hdr, len)) - { - /* bad netlink message */ - continue; - } - - if (addr.nl_pid != 0) - { - /* not from kernel. not interested, try another one */ - continue; - } - - /* we handle ACQUIRE and EXPIRE messages directly */ - if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE) - { - u_int32_t reqid = 0; - job_t *job; - struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire); - size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl); - if (RTA_OK(rtattr, rtsize)) - { - if (rtattr->rta_type == XFRMA_TMPL) - { - struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr); - reqid = tmpl->reqid; - } - } - if (reqid == 0) - { - DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found"); - } - else - { - DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE"); - DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", - reqid); - job = (job_t*)acquire_job_create(reqid); - charon->job_queue->add(charon->job_queue, job); - } - } - else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE) - { - job_t *job; - protocol_id_t protocol; - u_int32_t spi, reqid; - struct xfrm_user_expire *expire; - - expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr); - protocol = expire->state.id.proto == KERNEL_ESP ? - PROTO_ESP : PROTO_AH; - spi = expire->state.id.spi; - reqid = expire->state.reqid; - - DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE"); - DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)", - expire->hard ? 
"delete" : "rekey", protocol_id_names, - protocol, ntohl(spi), reqid); - if (expire->hard) - { - job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi); - } - else - { - job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi); - } - charon->job_queue->add(charon->job_queue, job); - } - } -} - -/** - * send a netlink message and wait for a reply - */ -static status_t netlink_send(int socket, struct nlmsghdr *in, - struct nlmsghdr **out, size_t *out_len) -{ - int len, addr_len; - struct sockaddr_nl addr; - chunk_t result = chunk_empty, tmp; - struct nlmsghdr *msg, peek; - - static int seq = 200; - static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; - - - pthread_mutex_lock(&mutex); - - in->nlmsg_seq = ++seq; - in->nlmsg_pid = getpid(); - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - addr.nl_pid = 0; - addr.nl_groups = 0; - - while (TRUE) - { - len = sendto(socket, in, in->nlmsg_len, 0, - (struct sockaddr*)&addr, sizeof(addr)); - - if (len != in->nlmsg_len) - { - if (errno == EINTR) - { - /* interrupted, try again */ - continue; - } - pthread_mutex_unlock(&mutex); - DBG1(DBG_KNL, "error sending to netlink socket: %m"); - return FAILED; - } - break; - } - - while (TRUE) - { - char buf[1024]; - tmp.len = sizeof(buf); - tmp.ptr = buf; - msg = (struct nlmsghdr*)tmp.ptr; - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - addr.nl_pid = getpid(); - addr.nl_groups = 0; - addr_len = sizeof(addr); - - len = recvfrom(socket, tmp.ptr, tmp.len, 0, - (struct sockaddr*)&addr, &addr_len); - - if (len < 0) - { - if (errno == EINTR) - { - DBG1(DBG_IKE, "got interrupted"); - /* interrupted, try again */ - continue; - } - DBG1(DBG_IKE, "error reading from netlink socket: %m"); - pthread_mutex_unlock(&mutex); - return FAILED; - } - if (!NLMSG_OK(msg, len)) - { - DBG1(DBG_IKE, "received corrupted netlink message"); - pthread_mutex_unlock(&mutex); - return FAILED; - } - if (msg->nlmsg_seq != seq) - { - DBG1(DBG_IKE, "received 
invalid netlink sequence number"); - if (msg->nlmsg_seq < seq) - { - continue; - } - pthread_mutex_unlock(&mutex); - return FAILED; - } - - tmp.len = len; - result = chunk_cata("cc", result, tmp); - - /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence - * numbers to detect multi header messages */ - len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT, - (struct sockaddr*)&addr, &addr_len); - - if (len == sizeof(peek) && peek.nlmsg_seq == seq) - { - /* seems to be multipart */ - continue; - } - break; - } - - *out_len = result.len; - *out = (struct nlmsghdr*)clalloc(result.ptr, result.len); - - pthread_mutex_unlock(&mutex); - - return SUCCESS; -} - -/** - * send a netlink message and wait for its acknowlegde - */ -static status_t netlink_send_ack(int socket, struct nlmsghdr *in) -{ - struct nlmsghdr *out, *hdr; - size_t len; - - if (netlink_send(socket, in, &out, &len) != SUCCESS) - { - return FAILED; - } - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case NLMSG_ERROR: - { - struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr); - - if (err->error) - { - DBG1(DBG_KNL, "received netlink error: %s (%d)", - strerror(-err->error), -err->error); - free(out); - return FAILED; - } - free(out); - return SUCCESS; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - DBG1(DBG_KNL, "netlink request not acknowlegded"); - free(out); - return FAILED; -} - -/** - * Create a list of local addresses. 
- */ -static linked_list_t *create_address_list(private_kernel_interface_t *this) -{ - char request[BUFFER_SIZE]; - struct nlmsghdr *out, *hdr; - struct rtgenmsg *msg; - size_t len; - linked_list_t *list; - - DBG2(DBG_IKE, "getting local address list"); - - list = linked_list_create(); - - memset(&request, 0, sizeof(request)); - - hdr = (struct nlmsghdr*)&request; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)); - hdr->nlmsg_type = RTM_GETADDR; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT; - msg = (struct rtgenmsg*)NLMSG_DATA(hdr); - msg->rtgen_family = AF_UNSPEC; - - if (netlink_send(this->socket_rt, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case RTM_NEWADDR: - { - struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr)); - struct rtattr *rta = IFA_RTA(msg); - size_t rtasize = IFA_PAYLOAD (hdr); - host_t *host = NULL; - char *name = NULL; - chunk_t local = chunk_empty, address = chunk_empty; - - while(RTA_OK(rta, rtasize)) - { - switch (rta->rta_type) - { - case IFA_LOCAL: - local.ptr = RTA_DATA(rta); - local.len = RTA_PAYLOAD(rta); - break; - case IFA_ADDRESS: - address.ptr = RTA_DATA(rta); - address.len = RTA_PAYLOAD(rta); - break; - case IFA_LABEL: - name = RTA_DATA(rta); - break; - } - rta = RTA_NEXT(rta, rtasize); - } - - /* For PPP interfaces, we need the IFA_LOCAL address, - * IFA_ADDRESS is the peers address. But IFA_LOCAL is - * not included in all cases, so fallback to IFA_ADDRESS. 
*/ - if (local.ptr) - { - host = host_create_from_chunk(msg->ifa_family, local, 0); - } - else if (address.ptr) - { - host = host_create_from_chunk(msg->ifa_family, address, 0); - } - - if (host) - { - address_entry_t *entry; - - entry = malloc_thing(address_entry_t); - entry->host = host; - entry->ifindex = msg->ifa_index; - if (name) - { - memcpy(entry->ifname, name, IFNAMSIZ); - } - else - { - strcpy(entry->ifname, "(unknown)"); - } - list->insert_last(list, entry); - } - hdr = NLMSG_NEXT(hdr, len); - continue; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - free(out); - } - else - { - DBG1(DBG_IKE, "unable to get local address list"); - } - - return list; -} - -/** - * Implements kernel_interface_t.create_address_list. - */ -static linked_list_t *create_address_list_public(private_kernel_interface_t *this) -{ - linked_list_t *result, *list; - address_entry_t *entry; - - result = linked_list_create(); - list = create_address_list(this); - while (list->remove_last(list, (void**)&entry) == SUCCESS) - { - result->insert_last(result, entry->host); - free(entry); - } - list->destroy(list); - - return result; -} - -/** - * implementation of kernel_interface_t.get_interface_name - */ -static char *get_interface_name(private_kernel_interface_t *this, host_t* ip) -{ - linked_list_t *list; - address_entry_t *entry; - char *name = NULL; - - DBG2(DBG_IKE, "getting interface name for %H", ip); - - list = create_address_list(this); - while (!name && list->remove_last(list, (void**)&entry) == SUCCESS) - { - if (ip->ip_equals(ip, entry->host)) - { - name = strdup(entry->ifname); - } - address_entry_destroy(entry); - } - list->destroy_function(list, (void*)address_entry_destroy); - - if (name) - { - DBG2(DBG_IKE, "%H is on interface %s", ip, name); - } - else - { - DBG2(DBG_IKE, "%H is not a local address", ip); - } - return name; -} - -/** - * Tries to find an ip address of a local interface that is included in the - * 
supplied traffic selector. - */ -static status_t get_address_by_ts(private_kernel_interface_t *this, - traffic_selector_t *ts, host_t **ip) -{ - address_entry_t *entry; - host_t *host; - int family; - linked_list_t *list; - bool found = FALSE; - - DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts); - - /* if we have a family which includes localhost, we do not - * search for an IP, we use the default */ - family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6; - - if (family == AF_INET) - { - host = host_create_from_string("127.0.0.1", 0); - } - else - { - host = host_create_from_string("::1", 0); - } - - if (ts->includes(ts, host)) - { - *ip = host_create_any(family); - host->destroy(host); - DBG2(DBG_IKE, "using host %H", *ip); - return SUCCESS; - } - host->destroy(host); - - list = create_address_list(this); - while (!found && list->remove_last(list, (void**)&entry) == SUCCESS) - { - if (ts->includes(ts, entry->host)) - { - found = TRUE; - *ip = entry->host->clone(entry->host); - } - address_entry_destroy(entry); - } - list->destroy_function(list, (void*)address_entry_destroy); - - if (!found) - { - DBG1(DBG_IKE, "no local address found in traffic selector %R", ts); - return FAILED; - } - DBG2(DBG_IKE, "using host %H", *ip); - return SUCCESS; -} - -/** - * get the interface of a local address - */ -static int get_interface_index(private_kernel_interface_t *this, host_t* ip) -{ - linked_list_t *list; - address_entry_t *entry; - int ifindex = 0; - - DBG2(DBG_IKE, "getting iface for %H", ip); - - list = create_address_list(this); - while (!ifindex && list->remove_last(list, (void**)&entry) == SUCCESS) - { - if (ip->ip_equals(ip, entry->host)) - { - ifindex = entry->ifindex; - } - address_entry_destroy(entry); - } - list->destroy_function(list, (void*)address_entry_destroy); - - if (ifindex == 0) - { - DBG1(DBG_IKE, "unable to get interface for %H", ip); - } - return ifindex; -} - -/** - * Manages the creation and deletion of ip 
addresses on an interface. - * By setting the appropriate nlmsg_type, the ip will be set or unset. - */ -static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type, - int flags, int if_index, host_t *ip) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *hdr; - struct ifaddrmsg *msg; - chunk_t chunk; - - memset(&request, 0, sizeof(request)); - - chunk = ip->get_address(ip); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; - hdr->nlmsg_type = nlmsg_type; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg)); - - msg = (struct ifaddrmsg*)NLMSG_DATA(hdr); - msg->ifa_family = ip->get_family(ip); - msg->ifa_flags = 0; - msg->ifa_prefixlen = 8 * chunk.len; - msg->ifa_scope = RT_SCOPE_UNIVERSE; - msg->ifa_index = if_index; - - add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request)); - - return netlink_send_ack(this->socket_rt, hdr); -} - -/** - * Manages source routes in the routing table. - * By setting the appropriate nlmsg_type, the route added or r. - */ -static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type, - int flags, route_entry_t *route) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *hdr; - struct rtmsg *msg; - chunk_t chunk; - - /* if route is 0.0.0.0/0, we can't install it, as it would - * overwrite the default route. 
Instead, we add two routes: - * 0.0.0.0/1 and 128.0.0.0/1 - * TODO: use metrics instead */ - if (route->prefixlen == 0) - { - route_entry_t half; - status_t status; - - half.dst_net = chunk_alloca(route->dst_net.len); - memset(half.dst_net.ptr, 0, half.dst_net.len); - half.src_ip = route->src_ip; - half.if_index = route->if_index; - half.prefixlen = 1; - - status = manage_srcroute(this, nlmsg_type, flags, &half); - half.dst_net.ptr[0] |= 0x80; - status = manage_srcroute(this, nlmsg_type, flags, &half); - return status; - } - - memset(&request, 0, sizeof(request)); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; - hdr->nlmsg_type = nlmsg_type; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); - - msg = (struct rtmsg*)NLMSG_DATA(hdr); - msg->rtm_family = route->src_ip->get_family(route->src_ip); - msg->rtm_dst_len = route->prefixlen; - msg->rtm_table = RT_TABLE_MAIN; - msg->rtm_protocol = RTPROT_STATIC; - msg->rtm_type = RTN_UNICAST; - msg->rtm_scope = RT_SCOPE_UNIVERSE; - - add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request)); - chunk = route->src_ip->get_address(route->src_ip); - add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request)); - chunk.ptr = (char*)&route->if_index; - chunk.len = sizeof(route->if_index); - add_attribute(hdr, RTA_OIF, chunk, sizeof(request)); - - return netlink_send_ack(this->socket_rt, hdr); -} - - -/** - * Implementation of kernel_interface_t.add_ip. - */ -static status_t add_ip(private_kernel_interface_t *this, - host_t *virtual_ip, host_t *iface_ip) -{ - int targetif; - vip_entry_t *listed; - iterator_t *iterator; - - DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip); - - targetif = get_interface_index(this, iface_ip); - if (targetif == 0) - { - DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H", - virtual_ip, iface_ip); - return FAILED; - } - - /* beware of deadlocks (e.g. 
send/receive packets while holding the lock) */ - iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex)); - while (iterator->iterate(iterator, (void**)&listed)) - { - if (listed->if_index == targetif && - virtual_ip->ip_equals(virtual_ip, listed->ip)) - { - listed->refcount++; - iterator->destroy(iterator); - DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it", - virtual_ip, targetif); - return SUCCESS; - } - } - iterator->destroy(iterator); - - if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL, - targetif, virtual_ip) == SUCCESS) - { - listed = malloc_thing(vip_entry_t); - listed->ip = virtual_ip->clone(virtual_ip); - listed->if_index = targetif; - listed->refcount = 1; - this->vips->insert_last(this->vips, listed); - DBG2(DBG_KNL, "virtual IP %H added to iface %d", - virtual_ip, targetif); - return SUCCESS; - } - - DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d", - virtual_ip, targetif); - return FAILED; -} - -/** - * Implementation of kernel_interface_t.del_ip. - */ -static status_t del_ip(private_kernel_interface_t *this, - host_t *virtual_ip, host_t *iface_ip) -{ - int targetif; - vip_entry_t *listed; - iterator_t *iterator; - - DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip); - - targetif = get_interface_index(this, iface_ip); - if (targetif == 0) - { - DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H", - virtual_ip, iface_ip); - return FAILED; - } - - /* beware of deadlocks (e.g. 
send/receive packets while holding the lock) */ - iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex)); - while (iterator->iterate(iterator, (void**)&listed)) - { - if (listed->if_index == targetif && - virtual_ip->ip_equals(virtual_ip, listed->ip)) - { - listed->refcount--; - if (listed->refcount == 0) - { - iterator->remove(iterator); - vip_entry_destroy(listed); - iterator->destroy(iterator); - return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip); - } - iterator->destroy(iterator); - DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting", - virtual_ip); - return SUCCESS; - } - } - iterator->destroy(iterator); - - DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip); - return FAILED; -} - -/** - * Implementation of kernel_interface_t.get_spi. - */ -static status_t get_spi(private_kernel_interface_t *this, - host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, - u_int32_t *spi) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *hdr, *out; - struct xfrm_userspi_info *userspi; - u_int32_t received_spi = 0; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "getting SPI for reqid %d", reqid); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_ALLOCSPI; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info)); - - userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr); - host2xfrm(src, &userspi->info.saddr); - host2xfrm(dst, &userspi->info.id.daddr); - userspi->info.id.proto = (protocol == PROTO_ESP) ? 
KERNEL_ESP : KERNEL_AH; - userspi->info.mode = TRUE; /* tunnel mode */ - userspi->info.reqid = reqid; - userspi->info.family = src->get_family(src); - userspi->min = 0xc0000000; - userspi->max = 0xcFFFFFFF; - - if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWSA: - { - struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr); - received_spi = usersa->id.spi; - break; - } - case NLMSG_ERROR: - { - struct nlmsgerr *err = NLMSG_DATA(hdr); - - DBG1(DBG_KNL, "allocating SPI failed: %s (%d)", - strerror(-err->error), -err->error); - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - free(out); - } - - if (received_spi == 0) - { - DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid); - return FAILED; - } - - DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid); - - *spi = received_spi; - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.add_sa. - */ -static status_t add_sa(private_kernel_interface_t *this, - host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, - u_int64_t expire_soft, u_int64_t expire_hard, - algorithm_t *enc_alg, algorithm_t *int_alg, - prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode, - bool replace) -{ - unsigned char request[BUFFER_SIZE]; - char *alg_name; - u_int key_size; - struct nlmsghdr *hdr; - struct xfrm_usersa_info *sa; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); - - sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr); - host2xfrm(src, &sa->saddr); - host2xfrm(dst, &sa->id.daddr); - sa->id.spi = spi; - sa->id.proto = (protocol == PROTO_ESP) ? 
KERNEL_ESP : KERNEL_AH; - sa->family = src->get_family(src); - sa->mode = mode; - sa->replay_window = 32; - sa->reqid = reqid; - /* we currently do not expire SAs by volume/packet count */ - sa->lft.soft_byte_limit = XFRM_INF; - sa->lft.hard_byte_limit = XFRM_INF; - sa->lft.soft_packet_limit = XFRM_INF; - sa->lft.hard_packet_limit = XFRM_INF; - /* we use lifetimes since added, not since used */ - sa->lft.soft_add_expires_seconds = expire_soft; - sa->lft.hard_add_expires_seconds = expire_hard; - sa->lft.soft_use_expires_seconds = 0; - sa->lft.hard_use_expires_seconds = 0; - - struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info); - - if (enc_alg->algorithm != ENCR_UNDEFINED) - { - rthdr->rta_type = XFRMA_ALG_CRYPT; - alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size); - if (alg_name == NULL) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - encryption_algorithm_names, enc_alg->algorithm); - return FAILED; - } - DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", - encryption_algorithm_names, enc_alg->algorithm, key_size); - - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size); - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); - algo->alg_key_len = key_size; - strcpy(algo->alg_name, alg_name); - prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key); - - rthdr = XFRM_RTA_NEXT(rthdr); - } - - if (int_alg->algorithm != AUTH_UNDEFINED) - { - rthdr->rta_type = XFRMA_ALG_AUTH; - alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size); - if (alg_name == NULL) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - integrity_algorithm_names, int_alg->algorithm); - return FAILED; - } - DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", - integrity_algorithm_names, int_alg->algorithm, key_size); - - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size); - 
hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); - algo->alg_key_len = key_size; - strcpy(algo->alg_name, alg_name); - prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key); - - rthdr = XFRM_RTA_NEXT(rthdr); - } - - /* TODO: add IPComp here */ - - if (natt) - { - rthdr->rta_type = XFRMA_ENCAP; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl)); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr); - encap->encap_type = UDP_ENCAP_ESPINUDP; - encap->encap_sport = htons(natt->sport); - encap->encap_dport = htons(natt->dport); - memset(&encap->encap_oa, 0, sizeof (xfrm_address_t)); - /* encap_oa could probably be derived from the - * traffic selectors [rfc4306, p39]. In the netlink kernel implementation - * pluto does the same as we do here but it uses encap_oa in the - * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates - * the kernel ignores it anyway - * -> does that mean that NAT-T encap doesn't work in transport mode? - * No. The reason the kernel ignores NAT-OA is that it recomputes - * (or, rather, just ignores) the checksum. If packets pass - * the IPsec checks it marks them "checksum ok" so OA isn't needed. */ - rthdr = XFRM_RTA_NEXT(rthdr); - } - - if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi); - return FAILED; - } - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.update_sa. 
- */
-static status_t update_sa(private_kernel_interface_t *this,
- host_t *src, host_t *dst,
- host_t *new_src, host_t *new_dst,
- host_diff_t src_changes, host_diff_t dst_changes,
- u_int32_t spi, protocol_id_t protocol)
-{
- unsigned char request[BUFFER_SIZE];
- struct nlmsghdr *hdr, *out = NULL;
- struct xfrm_usersa_id *sa_id;
- struct xfrm_usersa_info *sa = NULL;
- size_t len;
-
- memset(&request, 0, sizeof(request));
-
- DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
-
- hdr = (struct nlmsghdr*)request;
- hdr->nlmsg_flags = NLM_F_REQUEST;
- hdr->nlmsg_type = XFRM_MSG_GETSA;
- hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
- sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
- host2xfrm(dst, &sa_id->daddr);
- sa_id->spi = spi;
- sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
- sa_id->family = dst->get_family(dst);
-
- if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
- {
- hdr = out;
- while (NLMSG_OK(hdr, len))
- {
- switch (hdr->nlmsg_type)
- {
- case XFRM_MSG_NEWSA:
- {
- sa = NLMSG_DATA(hdr);
- break;
- }
- case NLMSG_ERROR:
- {
- struct nlmsgerr *err = NLMSG_DATA(hdr);
- DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
- strerror(-err->error), -err->error);
- break;
- }
- default:
- hdr = NLMSG_NEXT(hdr, len);
- continue;
- case NLMSG_DONE:
- break;
- }
- break;
- }
- }
- if (sa == NULL)
- {
- DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
- free(out);
- return FAILED;
- }
-
- DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi);
-
- hdr = out;
- hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
- hdr->nlmsg_type = XFRM_MSG_UPDSA;
-
- if (src_changes & HOST_DIFF_ADDR)
- {
- host2xfrm(new_src, &sa->saddr);
- }
-
- if (dst_changes & HOST_DIFF_ADDR)
- {
- hdr->nlmsg_type = XFRM_MSG_NEWSA;
- host2xfrm(new_dst, &sa->id.daddr);
- }
-
- if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
- {
- struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
- size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
- while (RTA_OK(rtattr, rtsize))
- {
- if (rtattr->rta_type == XFRMA_ENCAP)
- {
- struct xfrm_encap_tmpl* encap;
- encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
- encap->encap_sport = ntohs(new_src->get_port(new_src));
- encap->encap_dport = ntohs(new_dst->get_port(new_dst));
- break;
- }
- rtattr = RTA_NEXT(rtattr, rtsize);
- }
- }
- if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
- {
- DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
- free(out);
- return FAILED;
- }
- free(out);
-
- if (dst_changes & HOST_DIFF_ADDR)
- {
- return this->public.del_sa(&this->public, dst, spi, protocol);
- }
- return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.query_sa.
- */
-static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
- u_int32_t spi, protocol_id_t protocol,
- u_int32_t *use_time)
-{
- unsigned char request[BUFFER_SIZE];
- struct nlmsghdr *out = NULL, *hdr;
- struct xfrm_usersa_id *sa_id;
- struct xfrm_usersa_info *sa = NULL;
- size_t len;
-
- DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
- memset(&request, 0, sizeof(request));
-
- hdr = (struct nlmsghdr*)request;
- hdr->nlmsg_flags = NLM_F_REQUEST;
- hdr->nlmsg_type = XFRM_MSG_GETSA;
- hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-
- sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
- host2xfrm(dst, &sa_id->daddr);
- sa_id->spi = spi;
- sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
- sa_id->family = dst->get_family(dst);
-
- if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
- {
- hdr = out;
- while (NLMSG_OK(hdr, len))
- {
- switch (hdr->nlmsg_type)
- {
- case XFRM_MSG_NEWSA:
- {
- sa = NLMSG_DATA(hdr);
- break;
- }
- case NLMSG_ERROR:
- {
- struct nlmsgerr *err = NLMSG_DATA(hdr);
- DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
- strerror(-err->error), -err->error);
- break;
- }
- default:
- hdr = NLMSG_NEXT(hdr, len);
- continue;
- case NLMSG_DONE:
- break;
- }
- break;
- }
- }
-
- if (sa == NULL)
- {
- DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
- free(out);
- return FAILED;
- }
-
- *use_time = sa->curlft.use_time;
- free (out);
- return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.del_sa.
- */
-static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
- u_int32_t spi, protocol_id_t protocol)
-{
- unsigned char request[BUFFER_SIZE];
- struct nlmsghdr *hdr;
- struct xfrm_usersa_id *sa_id;
-
- memset(&request, 0, sizeof(request));
-
- DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
-
- hdr = (struct nlmsghdr*)request;
- hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
- hdr->nlmsg_type = XFRM_MSG_DELSA;
- hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-
- sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
- host2xfrm(dst, &sa_id->daddr);
- sa_id->spi = spi;
- sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
- sa_id->family = dst->get_family(dst);
-
- if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
- {
- DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
- return FAILED;
- }
- DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
- return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.add_policy.
- */ -static status_t add_policy(private_kernel_interface_t *this, - host_t *src, host_t *dst, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, protocol_id_t protocol, - u_int32_t reqid, bool high_prio, mode_t mode, - bool update) -{ - iterator_t *iterator; - policy_entry_t *current, *policy; - bool found = FALSE; - unsigned char request[BUFFER_SIZE]; - struct xfrm_userpolicy_info *policy_info; - struct nlmsghdr *hdr; - - /* create a policy */ - policy = malloc_thing(policy_entry_t); - memset(policy, 0, sizeof(policy_entry_t)); - policy->sel = ts2selector(src_ts, dst_ts); - policy->direction = direction; - - /* find the policy, which matches EXACTLY */ - pthread_mutex_lock(&this->policies_mutex); - iterator = this->policies->create_iterator(this->policies, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (memcmp(¤t->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 && - policy->direction == current->direction) - { - /* use existing policy */ - if (!update) - { - current->refcount++; - DBG2(DBG_KNL, "policy %R===%R already exists, increasing ", - "refcount", src_ts, dst_ts); - } - free(policy); - policy = current; - found = TRUE; - break; - } - } - iterator->destroy(iterator); - if (!found) - { /* apply the new one, if we have no such policy */ - this->policies->insert_last(this->policies, policy); - policy->refcount = 1; - } - - DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts); - - memset(&request, 0, sizeof(request)); - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = XFRM_MSG_UPDPOLICY; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)); - - policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); - policy_info->sel = policy->sel; - policy_info->dir = policy->direction; - /* calculate priority based on source selector size, small size = high prio */ - policy_info->priority = high_prio ? 
PRIO_HIGH : PRIO_LOW; - policy_info->priority -= policy->sel.prefixlen_s * 10; - policy_info->priority -= policy->sel.proto ? 2 : 0; - policy_info->priority -= policy->sel.sport_mask ? 1 : 0; - policy_info->action = XFRM_POLICY_ALLOW; - policy_info->share = XFRM_SHARE_ANY; - pthread_mutex_unlock(&this->policies_mutex); - - /* policies don't expire */ - policy_info->lft.soft_byte_limit = XFRM_INF; - policy_info->lft.soft_packet_limit = XFRM_INF; - policy_info->lft.hard_byte_limit = XFRM_INF; - policy_info->lft.hard_packet_limit = XFRM_INF; - policy_info->lft.soft_add_expires_seconds = 0; - policy_info->lft.hard_add_expires_seconds = 0; - policy_info->lft.soft_use_expires_seconds = 0; - policy_info->lft.hard_use_expires_seconds = 0; - - struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info); - rthdr->rta_type = XFRMA_TMPL; - - rthdr->rta_len = sizeof(struct xfrm_user_tmpl); - rthdr->rta_len = RTA_LENGTH(rthdr->rta_len); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr); - tmpl->reqid = reqid; - tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP; - tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode; - tmpl->family = src->get_family(src); - - host2xfrm(src, &tmpl->saddr); - host2xfrm(dst, &tmpl->id.daddr); - - if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts); - return FAILED; - } - - /* install a route, if: - * - we are NOT updating a policy - * - this is a forward policy (to just get one for each child) - * - we are in tunnel mode - * - we are not using IPv6 (does not work correctly yet!) 
- */ - if (policy->route == NULL && direction == POLICY_FWD && - mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6) - { - policy->route = malloc_thing(route_entry_t); - if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS) - { - policy->route->if_index = get_interface_index(this, dst); - policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); - memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len); - policy->route->prefixlen = policy->sel.prefixlen_s; - - if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL, - policy->route) != SUCCESS) - { - DBG1(DBG_KNL, "unable to install source route for %H", - policy->route->src_ip); - route_entry_destroy(policy->route); - policy->route = NULL; - } - } - else - { - free(policy->route); - policy->route = NULL; - } - } - - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.query_policy. - */ -static status_t query_policy(private_kernel_interface_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t *use_time) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *out = NULL, *hdr; - struct xfrm_userpolicy_id *policy_id; - struct xfrm_userpolicy_info *policy = NULL; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_GETPOLICY; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); - - policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); - policy_id->sel = ts2selector(src_ts, dst_ts); - policy_id->dir = direction; - - if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWPOLICY: - { - policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); - break; - } - case NLMSG_ERROR: - { - 
struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying policy failed: %s (%d)", - strerror(-err->error), -err->error); - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - } - - if (policy == NULL) - { - DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts); - free(out); - return FAILED; - } - *use_time = (time_t)policy->curlft.use_time; - - free(out); - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.del_policy. - */ -static status_t del_policy(private_kernel_interface_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction) -{ - policy_entry_t *current, policy, *to_delete = NULL; - route_entry_t *route; - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *hdr; - struct xfrm_userpolicy_id *policy_id; - iterator_t *iterator; - - DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts); - - /* create a policy */ - memset(&policy, 0, sizeof(policy_entry_t)); - policy.sel = ts2selector(src_ts, dst_ts); - policy.direction = direction; - - /* find the policy */ - pthread_mutex_lock(&this->policies_mutex); - iterator = this->policies->create_iterator(this->policies, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (memcmp(¤t->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 && - policy.direction == current->direction) - { - to_delete = current; - if (--to_delete->refcount > 0) - { - /* is used by more SAs, keep in kernel */ - DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); - iterator->destroy(iterator); - pthread_mutex_unlock(&this->policies_mutex); - return SUCCESS; - } - /* remove if last reference */ - iterator->remove(iterator); - break; - } - } - iterator->destroy(iterator); - pthread_mutex_unlock(&this->policies_mutex); - if (!to_delete) - { - DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts); - return NOT_FOUND; - } - - memset(&request, 0, sizeof(request)); - 
- hdr = (struct nlmsghdr*)request;
- hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
- hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
- hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
-
- policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
- policy_id->sel = to_delete->sel;
- policy_id->dir = direction;
-
- route = to_delete->route;
- free(to_delete);
-
- if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
- {
- DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
- return FAILED;
- }
-
- if (route)
- {
- if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
- {
- DBG1(DBG_KNL, "error uninstalling route installed with "
- "policy %R===%R", src_ts, dst_ts);
- }
- route_entry_destroy(route);
- }
- return SUCCESS;
-}
-
-/**
- * Implementation of kernel_interface_t.destroy.
- */
-static void destroy(private_kernel_interface_t *this)
-{
- pthread_cancel(this->event_thread);
- pthread_join(this->event_thread, NULL);
- close(this->socket_xfrm_events);
- close(this->socket_xfrm);
- close(this->socket_rt);
- this->vips->destroy(this->vips);
- this->policies->destroy(this->policies);
- free(this);
-}
-
-/*
- * Described in header.
- */
-kernel_interface_t *kernel_interface_create()
-{
- private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
- struct sockaddr_nl addr;
-
- /* public functions */
- this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
- this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
- this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
- this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
- this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
- this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
- this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
- this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
-
- this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
- this->public.create_address_list = (linked_list_t*(*)(kernel_interface_t*))create_address_list_public;
- this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
- this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
- this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
-
- /* private members */
- this->vips = linked_list_create();
- this->policies = linked_list_create();
- pthread_mutex_init(&this->policies_mutex,NULL);
- pthread_mutex_init(&this->vips_mutex,NULL);
-
- addr.nl_family = AF_NETLINK;
- addr.nl_pid = 0;
- addr.nl_groups = 0;
-
- /* create and bind XFRM socket */
- this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
- if (this->socket_xfrm <= 0)
- {
- charon->kill(charon, "unable to create XFRM netlink socket");
- }
-
- if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
- {
- charon->kill(charon, "unable to bind XFRM netlink socket");
- }
-
- /* create and bind RT socket */
- this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
- if (this->socket_rt <= 0)
- {
- charon->kill(charon, "unable to create RT netlink socket");
- }
-
- if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
- {
- charon->kill(charon, "unable to bind RT netlink socket");
- }
-
- /* create and bind XFRM socket for ACQUIRE & EXPIRE */
- addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
- this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
- if (this->socket_xfrm_events <= 0)
- {
- charon->kill(charon, "unable to create XFRM event socket");
- }
-
- if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
- {
- charon->kill(charon, "unable to bind XFRM event socket");
- }
-
- /* create a thread receiving ACQUIRE & EXPIRE events */
- if (pthread_create(&this->event_thread, NULL,
- (void*(*)(void*))receive_events, this))
- {
- charon->kill(charon, "unable to create xfrm event dispatcher thread");
- }
-
- return &this->public;
-}
-
-/* vim: set ts=4 sw=4 noet: */
diff --git a/src/charon/threads/kernel_interface.h b/src/charon/threads/kernel_interface.h
deleted file mode 100644
index 34b06f594..000000000
--- a/src/charon/threads/kernel_interface.h
+++ /dev/null
@@ -1,331 +0,0 @@ -/** - * @file kernel_interface.h - * - * @brief Interface of kernel_interface_t. - * - */ - -/* - * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef KERNEL_INTERFACE_H_ -#define KERNEL_INTERFACE_H_ - -typedef struct natt_conf_t natt_conf_t; -typedef enum policy_dir_t policy_dir_t; -typedef struct kernel_interface_t kernel_interface_t; - -#include -#include -#include - -/** - * Configuration for NAT-T - */ -struct natt_conf_t { - /** source port to use for UDP-encapsulated packets */ - u_int16_t sport; - /** dest port to use for UDP-encapsulated packets */ - u_int16_t dport; -}; - -/** - * Direction of a policy. These are equal to those - * defined in xfrm.h, but we want to stay implementation - * neutral here. - */ -enum policy_dir_t { - /** Policy for inbound traffic */ - POLICY_IN = 0, - /** Policy for outbound traffic */ - POLICY_OUT = 1, - /** Policy for forwarded traffic */ - POLICY_FWD = 2, -}; - -/** - * @brief Interface to the kernel. - * - * The kernel interface handles the communication with the kernel - * for SA and policy management. It allows setup of these, and provides - * further the handling of kernel events. - * Policy information are cached in the interface. This is necessary to do - * reference counting. 
The Linux kernel does not allow the same policy - * installed twice, but we need this as CHILD_SA exist multiple times - * when rekeying. Thats why we do reference counting of policies. - * - * @b Constructors: - * - kernel_interface_create() - * - * @ingroup threads - */ -struct kernel_interface_t { - - /** - * @brief Get a SPI from the kernel. - * - * @warning get_spi() implicitely creates an SA with - * the allocated SPI, therefore the replace flag - * in add_sa() must be set when installing this SA. - * - * @param this calling object - * @param src source address of SA - * @param dst destination address of SA - * @param protocol protocol for SA (ESP/AH) - * @param reqid unique ID for this SA - * @param[out] spi allocated spi - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi); - - /** - * @brief Add an SA to the SAD. - * - * add_sa() may update an already allocated - * SPI (via get_spi). In this case, the replace - * flag must be set. - * This function does install a single SA for a - * single protocol in one direction. The kernel-interface - * gets the keys itself from the PRF, as we don't know - * his algorithms and key sizes. 
- * - * @param this calling object - * @param src source address for this SA - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @param reqid unique ID for this SA - * @param expire_soft lifetime in seconds before rekeying - * @param expire_hard lieftime in seconds before delete - * @param enc_alg Algorithm to use for encryption (ESP only) - * @param int_alg Algorithm to use for integrity protection - * @param prf_plus PRF to derive keys from - * @param natt NAT-T Configuration, or NULL of no NAT-T used - * @param mode mode of the SA (tunnel, transport) - * @param replace Should an already installed SA be updated? - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*add_sa) (kernel_interface_t *this, - host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, - u_int64_t expire_soft, u_int64_t expire_hard, - algorithm_t *enc_alg, algorithm_t *int_alg, - prf_plus_t *prf_plus, natt_conf_t *natt, - mode_t mode, bool update); - - /** - * @brief Update the hosts on an installed SA. - * - * We cannot directly update the destination address as the kernel - * requires the spi, the protocol AND the destination address (and family) - * to identify SAs. Therefore if the destination address changed we - * create a new SA and delete the old one. 
- * - * @param this calling object - * @param dst destination address for this SA - * @param spi SPI of the SA - * @param protocol protocol for this SA (ESP/AH) - * @param new_src new source address for this SA - * @param new_dst new destination address for this SA - * @param src_changes changes in src - * @param dst_changes changes in dst - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*update_sa)(kernel_interface_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol, - host_t *new_src, host_t *new_dst, - host_diff_t src_changes, host_diff_t dst_changes); - - /** - * @brief Query the use time of an SA. - * - * The use time of an SA is not the time of the last usage, but - * the time of the first usage of the SA. - * - * @param this calling object - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @param[out] use_time the time of this SA's last use - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*query_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t *use_time); - - /** - * @brief Delete a previusly installed SA from the SAD. - * - * @param this calling object - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol); - - /** - * @brief Add a policy to the SPD. - * - * A policy is always associated to an SA. Traffic which matches a - * policy is handled by the SA with the same reqid. - * If the update flag is set, the policy is updated with the new - * src/dst addresses. - * If the update flag is not set, but a such policy is already in the - * kernel, the reference count to this policy is increased. 
- * - * @param this calling object - * @param src source address of SA - * @param dst dest address of SA - * @param src_ts traffic selector to match traffic source - * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD - * @param protocol protocol to use to protect traffic (AH/ESP) - * @param reqid uniqe ID of an SA to use to enforce policy - * @param high_prio if TRUE, uses a higher priority than any with FALSE - * @param mode mode of SA (tunnel, transport) - * @param update update an existing policy, if TRUE - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*add_policy) (kernel_interface_t *this, - host_t *src, host_t *dst, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, protocol_id_t protocol, - u_int32_t reqid, bool high_prio, - mode_t mode, bool update); - - /** - * @brief Query the use time of a policy. - * - * The use time of a policy is the time the policy was used - * for the last time. - * - * @param this calling object - * @param src_ts traffic selector to match traffic source - * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD - * @param[out] use_time the time of this SA's last use - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*query_policy) (kernel_interface_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t *use_time); - - /** - * @brief Remove a policy from the SPD. - * - * The kernel interface implements reference counting for policies. - * If the same policy is installed multiple times (in the case of rekeying), - * the reference counter is increased. del_policy() decreases the ref counter - * and removes the policy only when no more references are available. 
- * - * @param this calling object - * @param src_ts traffic selector to match traffic source - * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*del_policy) (kernel_interface_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction); - - /** - * @brief Get the interface name of a local address. - * - * @param this calling object - * @param host address to get interface name from - * @return allocated interface name, or NULL if not found - */ - char* (*get_interface) (kernel_interface_t *this, host_t *host); - - /** - * @brief Creates a list of all local addresses. - * - * @param this calling object - * @return allocated list with host_t objects - */ - linked_list_t *(*create_address_list) (kernel_interface_t *this); - - /** - * @brief Add a virtual IP to an interface. - * - * Virtual IPs are attached to an interface. If an IP is added multiple - * times, the IP is refcounted and not removed until del_ip() was called - * as many times as add_ip(). - * The virtual IP is attached to the interface where the iface_ip is found. - * - * @param this calling object - * @param virtual_ip virtual ip address to assign - * @param iface_ip IP of an interface to attach virtual IP - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, - host_t *iface_ip); - - /** - * @brief Remove a virtual IP from an interface. - * - * The kernel interface uses refcounting, see add_ip(). 
- * - * @param this calling object - * @param virtual_ip virtual ip address to assign - * @param iface_ip IP of an interface to remove virtual IP from - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip, - host_t *iface_ip); - - /** - * @brief Destroys a kernel_interface object. - * - * @param kernel_interface_t calling object - */ - void (*destroy) (kernel_interface_t *kernel_interface); -}; - -/** - * @brief Creates an object of type kernel_interface_t. - * - * @ingroup threads - */ -kernel_interface_t *kernel_interface_create(void); - -#endif /*KERNEL_INTERFACE_H_*/ diff --git a/src/charon/threads/receiver.c b/src/charon/threads/receiver.c deleted file mode 100644 index 7195c162d..000000000 --- a/src/charon/threads/receiver.c +++ /dev/null 
@@ -1,372 +0,0 @@ -/** - * @file receiver.c - * - * @brief Implementation of receiver_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include - -#include "receiver.h" - -#include -#include -#include -#include -#include -#include - -/** length of the full cookie, including time (u_int32_t + SHA1()) */ -#define COOKIE_LENGTH 24 -/** lifetime of a cookie, in seconds */ -#define COOKIE_LIFETIME 10 -/** how many times to reuse the secret */ -#define COOKIE_REUSE 10000 -/** require cookies after half open IKE_SAs */ -#define COOKIE_TRESHOLD 10 -/** how many half open IKE_SAs per peer before blocking */ -#define BLOCK_TRESHOLD 5 -/** length of the secret to use for cookie calculation */ -#define SECRET_LENGTH 16 - -typedef struct private_receiver_t private_receiver_t; - -/** - * Private data of a receiver_t object. - */ -struct private_receiver_t { - /** - * Public part of a receiver_t object. - */ - receiver_t public; - - /** - * Assigned thread. 
- */ - pthread_t assigned_thread; - - /** - * current secret to use for cookie calculation - */ - char secret[SECRET_LENGTH]; - - /** - * previous secret used to verify older cookies - */ - char secret_old[SECRET_LENGTH]; - - /** - * how many times we have used "secret" so far - */ - u_int32_t secret_used; - - /** - * time we did the cookie switch - */ - u_int32_t secret_switch; - - /** - * time offset to use, hides our system time - */ - u_int32_t secret_offset; - - /** - * the randomizer to use for secret generation - */ - randomizer_t *randomizer; - - /** - * hasher to use for cookie calculation - */ - hasher_t *hasher; -}; - -/** - * send a notify back to the sender - */ -static void send_notify(message_t *request, notify_type_t type, chunk_t data) -{ - if (request->get_request(request) && - request->get_exchange_type(request) == IKE_SA_INIT) - { - message_t *response; - host_t *src, *dst; - packet_t *packet; - ike_sa_id_t *ike_sa_id; - - response = message_create(); - dst = request->get_source(request); - src = request->get_destination(request); - response->set_source(response, src->clone(src)); - response->set_destination(response, dst->clone(dst)); - response->set_exchange_type(response, request->get_exchange_type(request)); - response->set_request(response, FALSE); - response->set_message_id(response, 0); - ike_sa_id = request->get_ike_sa_id(request); - ike_sa_id->switch_initiator(ike_sa_id); - response->set_ike_sa_id(response, ike_sa_id); - response->add_notify(response, FALSE, type, data); - if (response->generate(response, NULL, NULL, &packet) == SUCCESS) - { - charon->sender->send(charon->sender, packet); - response->destroy(response); - } - } -} - -/** - * build a cookie - */ -static chunk_t cookie_build(private_receiver_t *this, message_t *message, - u_int32_t t, chunk_t secret) -{ - u_int64_t spi = message->get_initiator_spi(message); - host_t *ip = message->get_source(message); - chunk_t input, hash = 
chunk_alloca(this->hasher->get_hash_size(this->hasher)); - - /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */ - input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi), - chunk_from_thing(t), secret); - this->hasher->get_hash(this->hasher, input, hash.ptr); - return chunk_cat("cc", chunk_from_thing(t), hash); -} - -/** - * verify a received cookie - */ -static bool cookie_verify(private_receiver_t *this, message_t *message, - chunk_t cookie) -{ - u_int32_t t, now; - chunk_t reference; - chunk_t secret; - - now = time(NULL); - t = *(u_int32_t*)cookie.ptr; - - if (cookie.len != COOKIE_LENGTH || - t < now - this->secret_offset - COOKIE_LIFETIME) - { - DBG2(DBG_NET, "received cookie lifetime expired, rejecting"); - return FALSE; - } - - /* check if cookie is derived from old_secret */ - if (t + this->secret_offset > this->secret_switch) - { - secret = chunk_from_thing(this->secret); - } - else - { - secret = chunk_from_thing(this->secret_old); - } - - /* compare own calculation against received */ - reference = cookie_build(this, message, t, secret); - if (chunk_equals(reference, cookie)) - { - chunk_free(&reference); - return TRUE; - } - chunk_free(&reference); - return FALSE; -} - -/** - * check if cookies are required, and if so, a valid cookie is included - */ -static bool cookie_required(private_receiver_t *this, message_t *message) -{ - bool failed = FALSE; - - if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, - NULL) >= COOKIE_TRESHOLD) - { - /* check for a cookie. We don't use our parser here and do it - * quick and dirty for performance reasons. - * we assume to cookie is the first payload (which is a MUST), and - * the cookies SPI length is zero. 
*/ - packet_t *packet = message->get_packet(message); - chunk_t data = packet->get_data(packet); - if (data.len < - IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + COOKIE_LENGTH || - *(data.ptr + 16) != NOTIFY || - *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE)) - { - /* no cookie found */ - failed = TRUE; - } - else - { - data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH; - data.len = COOKIE_LENGTH; - if (!cookie_verify(this, message, data)) - { - DBG2(DBG_NET, "found cookie, but content invalid"); - failed = TRUE; - } - } - packet->destroy(packet); - } - return failed; -} - -/** - * check if peer has to many half open IKE_SAs - */ -static bool peer_to_aggressive(private_receiver_t *this, message_t *message) -{ - if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, - message->get_source(message)) >= BLOCK_TRESHOLD) - { - return TRUE; - } - return FALSE; -} - -/** - * Implementation of receiver_t.receive_packets. - */ -static void receive_packets(private_receiver_t *this) -{ - packet_t *packet; - message_t *message; - job_t *job; - - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - DBG1(DBG_NET, "receiver thread running, thread_ID: %06u", - (int)pthread_self()); - - while (TRUE) - { - /* read in a packet */ - if (charon->socket->receive(charon->socket, &packet) != SUCCESS) - { - DBG1(DBG_NET, "receiving from socket failed!"); - continue; - } - - /* parse message header */ - message = message_create_from_packet(packet); - if (message->parse_header(message) != SUCCESS) - { - DBG1(DBG_NET, "received invalid IKE header from %H, ignored", - packet->get_source(packet)); - message->destroy(message); - continue; - } - - /* check IKE major version */ - if (message->get_major_version(message) != IKE_MAJOR_VERSION) - { - DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, " - "sending INVALID_MAJOR_VERSION", message->get_major_version(message), - message->get_minor_version(message), 
packet->get_source(packet)); - send_notify(message, INVALID_MAJOR_VERSION, chunk_empty); - message->destroy(message); - continue; - } - - if (message->get_request(message) && - message->get_exchange_type(message) == IKE_SA_INIT) - { - /* check for cookies */ - if (cookie_required(this, message)) - { - u_int32_t now = time(NULL); - chunk_t cookie = cookie_build(this, message, now - this->secret_offset, - chunk_from_thing(this->secret)); - - DBG2(DBG_NET, "received packet from: %#H to %#H", - message->get_source(message), - message->get_destination(message)); - DBG2(DBG_NET, "sending COOKIE notify to %H", - message->get_source(message)); - send_notify(message, COOKIE, cookie); - chunk_free(&cookie); - if (++this->secret_used > COOKIE_REUSE) - { - /* create new cookie */ - DBG1(DBG_NET, "generating new cookie secret after %d uses", - this->secret_used); - memcpy(this->secret_old, this->secret, SECRET_LENGTH); - this->randomizer->get_pseudo_random_bytes(this->randomizer, - SECRET_LENGTH, this->secret); - this->secret_switch = now; - this->secret_used = 0; - } - message->destroy(message); - continue; - } - - /* check if peer has not too many IKE_SAs half open */ - if (peer_to_aggressive(this, message)) - { - DBG1(DBG_NET, "ignoring IKE_SA setup from %H, " - "peer to aggressive", message->get_source(message)); - message->destroy(message); - continue; - } - } - job = (job_t *)process_message_job_create(message); - charon->job_queue->add(charon->job_queue, job); - } -} - -/** - * Implementation of receiver_t.destroy. - */ -static void destroy(private_receiver_t *this) -{ - pthread_cancel(this->assigned_thread); - pthread_join(this->assigned_thread, NULL); - this->randomizer->destroy(this->randomizer); - this->hasher->destroy(this->hasher); - free(this); -} - -/* - * Described in header. 
- */ -receiver_t *receiver_create() -{ - private_receiver_t *this = malloc_thing(private_receiver_t); - u_int32_t now = time(NULL); - - this->public.destroy = (void(*)(receiver_t*)) destroy; - - this->randomizer = randomizer_create(); - this->hasher = hasher_create(HASH_SHA1); - this->secret_switch = now; - this->secret_offset = random() % now; - this->secret_used = 0; - this->randomizer->get_pseudo_random_bytes(this->randomizer, SECRET_LENGTH, - this->secret); - memcpy(this->secret_old, this->secret, SECRET_LENGTH); - - if (pthread_create(&this->assigned_thread, NULL, - (void*)receive_packets, this) != 0) - { - free(this); - charon->kill(charon, "unable to create receiver thread"); - } - - return &this->public; -} diff --git a/src/charon/threads/receiver.h b/src/charon/threads/receiver.h deleted file mode 100644 index 68d9136c0..000000000 --- a/src/charon/threads/receiver.h +++ /dev/null 
@@ -1,81 +0,0 @@ -/** - * @file receiver.h - * - * @brief Interface of receiver_t. - * - */ - -/* - * Copyright (C) 2005-2007 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef RECEIVER_H_ -#define RECEIVER_H_ - -typedef struct receiver_t receiver_t; - -#include -#include - -/** - * @brief Receives packets from the socket and adds them to the job queue. - * - * The receiver starts a thread, wich reads on the blocking socket. A received - * packet is preparsed and a process_message_job is queued in the job queue. - * - * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half - * open. The calculation of cookies is slightly different from the proposed - * method in RFC4306. We do not include a nonce, because we think the advantage - * we gain does not justify the overhead to parse the whole message. - * Instead of VersionIdOfSecret, we include a timestamp. This allows us to - * find out wich key was used for cookie creation. Further, we can set a - * lifetime for the cookie, which allows us to reuse the secret for a longer - * time. - * COOKIE = time | sha1( IPi | SPIi | time | secret ) - * - * The secret is changed after a certain amount of cookies sent. The old - * secret is stored to allow a clean migration between secret changes. - * - * Further, the number of half-initiated IKE_SAs is limited per peer. 
This - * mades it impossible for a peer to flood the server with its real IP address. - * - * @b Constructors: - * - receiver_create() - * - * @ingroup threads - */ -struct receiver_t { - - /** - * @brief Destroys a receiver_t object. - * - * @param receiver receiver object - */ - void (*destroy) (receiver_t *receiver); -}; - -/** - * @brief Create a receiver_t object. - * - * The receiver thread will start working, get data - * from the socket and add those packets to the job queue. - * - * @return receiver_t object - * - * @ingroup threads - */ -receiver_t * receiver_create(void); - -#endif /*RECEIVER_H_*/ diff --git a/src/charon/threads/scheduler.c b/src/charon/threads/scheduler.c deleted file mode 100644 index 74091e3a3..000000000 --- a/src/charon/threads/scheduler.c +++ /dev/null 
@@ -1,102 +0,0 @@ -/** - * @file scheduler.c - * - * @brief Implementation of scheduler_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include - -#include "scheduler.h" - -#include -#include - - -typedef struct private_scheduler_t private_scheduler_t; - -/** - * Private data of a scheduler_t object. - */ -struct private_scheduler_t { - /** - * Public part of a scheduler_t object. - */ - scheduler_t public; - - /** - * Assigned thread. - */ - pthread_t assigned_thread; -}; - -/** - * Implementation of private_scheduler_t.get_events. - */ -static void get_events(private_scheduler_t * this) -{ - job_t *current_job; - - /* cancellation disabled by default */ - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - - DBG1(DBG_JOB, "scheduler thread running, thread_ID: %06u", - (int)pthread_self()); - - while (TRUE) - { - DBG2(DBG_JOB, "waiting for next event..."); - /* get a job, this block until one is available */ - current_job = charon->event_queue->get(charon->event_queue); - /* queue the job in the job queue, workers will eat them */ - DBG2(DBG_JOB, "got event, adding job %N to job-queue", - job_type_names, current_job->get_type(current_job)); - charon->job_queue->add(charon->job_queue, current_job); - } -} - -/** - * Implementation of scheduler_t.destroy. 
- */ -static void destroy(private_scheduler_t *this) -{ - pthread_cancel(this->assigned_thread); - pthread_join(this->assigned_thread, NULL); - free(this); -} - -/* - * Described in header. - */ -scheduler_t * scheduler_create() -{ - private_scheduler_t *this = malloc_thing(private_scheduler_t); - - this->public.destroy = (void(*)(scheduler_t*)) destroy; - - if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))get_events, this) != 0) - { - /* thread could not be created */ - free(this); - charon->kill(charon, "unable to create scheduler thread"); - } - - return &(this->public); -} diff --git a/src/charon/threads/scheduler.h b/src/charon/threads/scheduler.h deleted file mode 100644 index daecce3c6..000000000 --- a/src/charon/threads/scheduler.h +++ /dev/null 
@@ -1,68 +0,0 @@ -/** - * @file scheduler.h - * - * @brief Interface of scheduler_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef SCHEDULER_H_ -#define SCHEDULER_H_ - -typedef struct scheduler_t scheduler_t; - -#include - -/** - * @brief The scheduler thread is responsible for timed events. - * - * The scheduler thread takes out jobs from the event-queue and adds them - * to the job-queue. - * - * Starts a thread which does the work, since event-queue is blocking. - * - * @b Constructors: - * - scheduler_create() - * - * @ingroup threads - */ -struct scheduler_t { - - /** - * @brief Destroys a scheduler object. - * - * @param scheduler calling object - */ - void (*destroy) (scheduler_t *scheduler); -}; - -/** - * @brief Create a scheduler with its associated thread. - * - * The thread will start to get jobs form the event queue - * and adds them to the job queue. - * - * @return - * - scheduler_t object - * - NULL if thread could not be started - * - * @ingroup threads - */ -scheduler_t * scheduler_create(void); - -#endif /*SCHEDULER_H_*/ diff --git a/src/charon/threads/sender.c b/src/charon/threads/sender.c deleted file mode 100644 index c1cd0a68c..000000000 --- a/src/charon/threads/sender.c +++ /dev/null 
@@ -1,149 +0,0 @@ -/** - * @file sender.c - * - * @brief Implementation of sender_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include - -#include "sender.h" - -#include -#include - - -typedef struct private_sender_t private_sender_t; - -/** - * Private data of a sender_t object. - */ -struct private_sender_t { - /** - * Public part of a sender_t object. - */ - sender_t public; - - /** - * Assigned thread. - */ - pthread_t assigned_thread; - - /** - * The packets are stored in a linked list - */ - linked_list_t *list; - - /** - * mutex to synchronize access to list - */ - pthread_mutex_t mutex; - - /** - * condvar to signal for packets in list - */ - pthread_cond_t condvar; -}; - -/** - * implements sender_t.send - */ -static void send_(private_sender_t *this, packet_t *packet) -{ - host_t *src, *dst; - - src = packet->get_source(packet); - dst = packet->get_destination(packet); - DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst); - - pthread_mutex_lock(&this->mutex); - this->list->insert_last(this->list, packet); - pthread_mutex_unlock(&this->mutex); - pthread_cond_signal(&this->condvar); -} - -/** - * Implementation of private_sender_t.send_packets. 
- */ -static void send_packets(private_sender_t * this) -{ - - /* cancellation disabled by default */ - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - DBG1(DBG_NET, "sender thread running, thread_ID: %06u", (int)pthread_self()); - - while (TRUE) - { - packet_t *packet; - int oldstate; - - pthread_mutex_lock(&this->mutex); - /* go to wait while no packets available */ - while (this->list->get_count(this->list) == 0) - { - /* add cleanup handler, wait for packet, remove cleanup handler */ - pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&this->mutex); - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - pthread_cond_wait(&this->condvar, &this->mutex); - - pthread_setcancelstate(oldstate, NULL); - pthread_cleanup_pop(0); - } - this->list->remove_first(this->list, (void**)&packet); - pthread_mutex_unlock(&this->mutex); - - charon->socket->send(charon->socket, packet); - packet->destroy(packet); - } -} - -/** - * Implementation of sender_t.destroy. - */ -static void destroy(private_sender_t *this) -{ - pthread_cancel(this->assigned_thread); - pthread_join(this->assigned_thread, NULL); - this->list->destroy_offset(this->list, offsetof(packet_t, destroy)); - free(this); -} - -/* - * Described in header. - */ -sender_t * sender_create() -{ - private_sender_t *this = malloc_thing(private_sender_t); - - this->public.send = (void(*)(sender_t*,packet_t*))send_; - this->public.destroy = (void(*)(sender_t*)) destroy; - - this->list = linked_list_create(); - pthread_mutex_init(&this->mutex, NULL); - pthread_cond_init(&this->condvar, NULL); - - if (pthread_create(&this->assigned_thread, NULL, - (void*)send_packets, this) != 0) - { - charon->kill(charon, "unable to create sender thread"); - } - - return &(this->public); -} diff --git a/src/charon/threads/sender.h b/src/charon/threads/sender.h deleted file mode 100644 index 4f42f6f9e..000000000 --- a/src/charon/threads/sender.h +++ /dev/null 
@@ -1,74 +0,0 @@ -/** - * @file sender.h - * - * @brief Interface of sender_t. - * - */ - -/* - * Copyright (C) 2005-2007 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef SENDER_H_ -#define SENDER_H_ - -typedef struct sender_t sender_t; - -#include -#include - -/** - * @brief Thread responsible for sending packets over the socket. - * - * @b Constructors: - * - sender_create() - * - * @ingroup threads - */ -struct sender_t { - - /** - * @brief Send a packet over the network. - * - * This function is non blocking and adds the packet to a queue. - * Whenever the sender thread things it's good to send the packet, - * it'll do so. - * - * @param this calling object - * @param packet packet to send - */ - void (*send) (sender_t *this, packet_t *packet); - - /** - * @brief Destroys a sender object. - * - * @param this calling object - */ - void (*destroy) (sender_t *this); -}; - -/** - * @brief Create the sender thread. - * - * The thread will start to work, getting packets - * from its queue and sends them out. - * - * @return created sender object - * - * @ingroup threads - */ -sender_t * sender_create(void); - -#endif /*SENDER_H_*/ diff --git a/src/charon/threads/stroke_interface.c b/src/charon/threads/stroke_interface.c deleted file mode 100755 index a9074debb..000000000 --- a/src/charon/threads/stroke_interface.c +++ /dev/null 
@@ -1,1456 +0,0 @@
-/**
- * @file stroke.c
- *
- * @brief Implementation of stroke_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "stroke_interface.h"
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define IKE_PORT 500
-#define PATH_BUF 256
-
-
-struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
-
-
-typedef struct private_stroke_t private_stroke_t;
-
-/**
- * Private data of an stroke_t object.
- */
-struct private_stroke_t {
-
- /**
- * Public part of stroke_t object.
- */
- stroke_t public;
-
- /**
- * Output stream (stroke console)
- */
- FILE *out;
-
- /**
- * Unix socket to listen for strokes
- */
- int socket;
-
- /**
- * Thread which reads from the Socket
- */
- pthread_t assigned_thread;
-};
-
-/**
- * Helper function which corrects the string pointers
- * in a stroke_msg_t. Strings in a stroke_msg sent over "wire"
- * contains RELATIVE addresses (relative to the beginning of the
- * stroke_msg). They must be corrected if they reach our address
- * space...
- */ -static void pop_string(stroke_msg_t *msg, char **string) -{ - if (*string == NULL) - return; - - /* check for sanity of string pointer and string */ - if (string < (char**)msg - || string > (char**)msg + sizeof(stroke_msg_t) - || (unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg) - || (unsigned long)*string > msg->length) - { - *string = "(invalid pointer in stroke msg)"; - } - else - { - *string = (char*)msg + (unsigned long)*string; - } -} - -/** - * Load end entitity certificate - */ -static x509_t* load_end_certificate(const char *filename, identification_t **idp) -{ - char path[PATH_BUF]; - x509_t *cert; - - if (*filename == '/') - { - /* absolute path name */ - snprintf(path, sizeof(path), "%s", filename); - } - else - { - /* relative path name */ - snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename); - } - - cert = x509_create_from_file(path, "end entity"); - - if (cert) - { - identification_t *id = *idp; - identification_t *subject = cert->get_subject(cert); - - err_t ugh = cert->is_valid(cert, NULL); - - if (ugh != NULL) - { - DBG1(DBG_CFG, "warning: certificate %s", ugh); - } - if (!id->equals(id, subject) && !cert->equals_subjectAltName(cert, id)) - { - id->destroy(id); - id = subject; - *idp = id->clone(id); - } - return charon->credentials->add_end_certificate(charon->credentials, cert); - } - return NULL; -} - -/** - * Load ca certificate - */ -static x509_t* load_ca_certificate(const char *filename) -{ - char path[PATH_BUF]; - x509_t *cert; - - if (*filename == '/') - { - /* absolute path name */ - snprintf(path, sizeof(path), "%s", filename); - } - else - { - /* relative path name */ - snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename); - } - - cert = x509_create_from_file(path, "ca"); - - if (cert) - { - if (cert->is_ca(cert)) - { - return charon->credentials->add_auth_certificate(charon->credentials, cert, AUTH_CA); - } - else - { - DBG1(DBG_CFG, " CA basic constraints flag not set, cert 
discarded"); - cert->destroy(cert); - } - } - return NULL; -} - -/** - * Add a connection to the configuration list - */ -static void stroke_add_conn(stroke_msg_t *msg, FILE *out) -{ - connection_t *connection; - policy_t *policy; - identification_t *my_id, *other_id; - identification_t *my_ca = NULL; - identification_t *other_ca = NULL; - bool my_ca_same = FALSE; - bool other_ca_same =FALSE; - host_t *my_host, *other_host, *my_subnet, *other_subnet; - host_t *my_vip = NULL, *other_vip = NULL; - proposal_t *proposal; - traffic_selector_t *my_ts, *other_ts; - char *interface; - - pop_string(msg, &msg->add_conn.name); - pop_string(msg, &msg->add_conn.me.address); - pop_string(msg, &msg->add_conn.other.address); - pop_string(msg, &msg->add_conn.me.subnet); - pop_string(msg, &msg->add_conn.other.subnet); - pop_string(msg, &msg->add_conn.me.sourceip); - pop_string(msg, &msg->add_conn.other.sourceip); - pop_string(msg, &msg->add_conn.me.id); - pop_string(msg, &msg->add_conn.other.id); - pop_string(msg, &msg->add_conn.me.cert); - pop_string(msg, &msg->add_conn.other.cert); - pop_string(msg, &msg->add_conn.me.ca); - pop_string(msg, &msg->add_conn.other.ca); - pop_string(msg, &msg->add_conn.me.updown); - pop_string(msg, &msg->add_conn.other.updown); - pop_string(msg, &msg->add_conn.algorithms.ike); - pop_string(msg, &msg->add_conn.algorithms.esp); - - DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name); - - DBG2(DBG_CFG, "conn %s", msg->add_conn.name); - DBG2(DBG_CFG, " left=%s", msg->add_conn.me.address); - DBG2(DBG_CFG, " right=%s", msg->add_conn.other.address); - DBG2(DBG_CFG, " leftsubnet=%s", msg->add_conn.me.subnet); - DBG2(DBG_CFG, " rightsubnet=%s", msg->add_conn.other.subnet); - DBG2(DBG_CFG, " leftsourceip=%s", msg->add_conn.me.sourceip); - DBG2(DBG_CFG, " rightsourceip=%s", msg->add_conn.other.sourceip); - DBG2(DBG_CFG, " leftid=%s", msg->add_conn.me.id); - DBG2(DBG_CFG, " rightid=%s", msg->add_conn.other.id); - DBG2(DBG_CFG, " leftcert=%s", 
msg->add_conn.me.cert); - DBG2(DBG_CFG, " rightcert=%s", msg->add_conn.other.cert); - DBG2(DBG_CFG, " leftca=%s", msg->add_conn.me.ca); - DBG2(DBG_CFG, " rightca=%s", msg->add_conn.other.ca); - DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike); - DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp); - - my_host = msg->add_conn.me.address? - host_create_from_string(msg->add_conn.me.address, IKE_PORT) : NULL; - if (my_host == NULL) - { - DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address); - return; - } - - other_host = msg->add_conn.other.address ? - host_create_from_string(msg->add_conn.other.address, IKE_PORT) : NULL; - if (other_host == NULL) - { - DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address); - my_host->destroy(my_host); - return; - } - - interface = charon->kernel_interface->get_interface(charon->kernel_interface, - other_host); - if (interface) - { - stroke_end_t tmp_end; - host_t *tmp_host; - - DBG2(DBG_CFG, "left is other host, swapping ends\n"); - - tmp_host = my_host; - my_host = other_host; - other_host = tmp_host; - - tmp_end = msg->add_conn.me; - msg->add_conn.me = msg->add_conn.other; - msg->add_conn.other = tmp_end; - free(interface); - } - if (!interface) - { - interface = charon->kernel_interface->get_interface( - charon->kernel_interface, my_host); - if (!interface) - { - DBG1(DBG_CFG, "left nor right host is our side, aborting\n"); - goto destroy_hosts; - } - free(interface); - } - - my_id = identification_create_from_string(msg->add_conn.me.id ? - msg->add_conn.me.id : msg->add_conn.me.address); - if (my_id == NULL) - { - DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id); - goto destroy_hosts; - } - - other_id = identification_create_from_string(msg->add_conn.other.id ? 
- msg->add_conn.other.id : msg->add_conn.other.address); - if (other_id == NULL) - { - DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id); - my_id->destroy(my_id); - goto destroy_hosts; - } - - my_subnet = host_create_from_string(msg->add_conn.me.subnet ? - msg->add_conn.me.subnet : msg->add_conn.me.address, IKE_PORT); - if (my_subnet == NULL) - { - DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet); - goto destroy_ids; - } - - other_subnet = host_create_from_string(msg->add_conn.other.subnet ? - msg->add_conn.other.subnet : msg->add_conn.other.address, IKE_PORT); - if (other_subnet == NULL) - { - DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet); - my_subnet->destroy(my_subnet); - goto destroy_ids; - } - - if (msg->add_conn.me.virtual_ip) - { - my_vip = host_create_from_string(msg->add_conn.me.sourceip, 0); - } - other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0); - - if (msg->add_conn.me.tohost) - { - my_ts = traffic_selector_create_dynamic(msg->add_conn.me.protocol, - my_host->get_family(my_host) == AF_INET ? - TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE, - msg->add_conn.me.port ? msg->add_conn.me.port : 0, - msg->add_conn.me.port ? msg->add_conn.me.port : 65535); - } - else - { - my_ts = traffic_selector_create_from_subnet(my_subnet, - msg->add_conn.me.subnet ? msg->add_conn.me.subnet_mask : 0, - msg->add_conn.me.protocol, msg->add_conn.me.port); - } - my_subnet->destroy(my_subnet); - - if (msg->add_conn.other.tohost) - { - other_ts = traffic_selector_create_dynamic(msg->add_conn.other.protocol, - other_host->get_family(other_host) == AF_INET ? - TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE, - msg->add_conn.other.port ? msg->add_conn.other.port : 0, - msg->add_conn.other.port ? msg->add_conn.other.port : 65535); - } - else - { - other_ts = traffic_selector_create_from_subnet(other_subnet, - msg->add_conn.other.subnet ? 
msg->add_conn.other.subnet_mask : 0, - msg->add_conn.other.protocol, msg->add_conn.other.port); - } - other_subnet->destroy(other_subnet); - - if (msg->add_conn.me.ca) - { - if (streq(msg->add_conn.me.ca, "%same")) - { - my_ca_same = TRUE; - } - else - { - my_ca = identification_create_from_string(msg->add_conn.me.ca); - } - } - if (msg->add_conn.other.ca) - { - if (streq(msg->add_conn.other.ca, "%same")) - { - other_ca_same = TRUE; - } - else - { - other_ca = identification_create_from_string(msg->add_conn.other.ca); - } - } - if (msg->add_conn.me.cert) - { - x509_t *cert = load_end_certificate(msg->add_conn.me.cert, &my_id); - - if (my_ca == NULL && !my_ca_same && cert) - { - identification_t *issuer = cert->get_issuer(cert); - - my_ca = issuer->clone(issuer); - } - } - if (msg->add_conn.other.cert) - { - x509_t *cert = load_end_certificate(msg->add_conn.other.cert, &other_id); - - if (other_ca == NULL && !other_ca_same && cert) - { - identification_t *issuer = cert->get_issuer(cert); - - other_ca = issuer->clone(issuer); - } - } - if (other_ca_same && my_ca) - { - other_ca = my_ca->clone(my_ca); - } - else if (my_ca_same && other_ca) - { - my_ca = other_ca->clone(other_ca); - } - if (my_ca == NULL) - { - my_ca = identification_create_from_string("%any"); - } - if (other_ca == NULL) - { - other_ca = identification_create_from_string("%any"); - } - DBG2(DBG_CFG, " my ca: '%D'", my_ca); - DBG2(DBG_CFG, " other ca:'%D'", other_ca); - DBG2(DBG_CFG, " updown: '%s'", msg->add_conn.me.updown); - - connection = connection_create(msg->add_conn.name, - msg->add_conn.ikev2, - msg->add_conn.me.sendcert, - msg->add_conn.other.sendcert, - my_host, other_host, - msg->add_conn.dpd.delay, - msg->add_conn.rekey.reauth, - msg->add_conn.rekey.tries, - msg->add_conn.rekey.ike_lifetime, - msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin, - msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100); - - if (msg->add_conn.algorithms.ike) - { - char *proposal_string; - 
char *strict = msg->add_conn.algorithms.ike + strlen(msg->add_conn.algorithms.ike) - 1; - - if (*strict == '!') - *strict = '\0'; - else - strict = NULL; - - while ((proposal_string = strsep(&msg->add_conn.algorithms.ike, ","))) - { - proposal = proposal_create_from_string(PROTO_IKE, proposal_string); - if (proposal == NULL) - { - DBG1(DBG_CFG, "invalid IKE proposal string: %s", proposal_string); - my_id->destroy(my_id); - other_id->destroy(other_id); - my_ts->destroy(my_ts); - other_ts->destroy(other_ts); - my_ca->destroy(my_ca); - other_ca->destroy(other_ca); - connection->destroy(connection); - return; - } - connection->add_proposal(connection, proposal); - } - if (!strict) - { - proposal = proposal_create_default(PROTO_IKE); - connection->add_proposal(connection, proposal); - } - } - else - { - proposal = proposal_create_default(PROTO_IKE); - connection->add_proposal(connection, proposal); - } - - policy = policy_create(msg->add_conn.name, my_id, other_id, my_vip, other_vip, - msg->add_conn.auth_method, msg->add_conn.eap_type, - msg->add_conn.rekey.ipsec_lifetime, - msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, - msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100, - msg->add_conn.me.updown, msg->add_conn.me.hostaccess, - msg->add_conn.mode, msg->add_conn.dpd.action); - policy->add_my_traffic_selector(policy, my_ts); - policy->add_other_traffic_selector(policy, other_ts); - policy->add_authorities(policy, my_ca, other_ca); - - if (msg->add_conn.algorithms.esp) - { - char *proposal_string; - char *strict = msg->add_conn.algorithms.esp + strlen(msg->add_conn.algorithms.esp) - 1; - - if (*strict == '!') - *strict = '\0'; - else - strict = NULL; - - while ((proposal_string = strsep(&msg->add_conn.algorithms.esp, ","))) - { - proposal = proposal_create_from_string(PROTO_ESP, proposal_string); - if (proposal == NULL) - { - DBG1(DBG_CFG, "invalid ESP proposal string: %s", proposal_string); - policy->destroy(policy); - 
connection->destroy(connection); - return; - } - policy->add_proposal(policy, proposal); - } - if (!strict) - { - proposal = proposal_create_default(PROTO_ESP); - policy->add_proposal(policy, proposal); - } - } - else - { - proposal = proposal_create_default(PROTO_ESP); - policy->add_proposal(policy, proposal); - } - - /* add to global connection list */ - charon->connections->add_connection(charon->connections, connection); - DBG1(DBG_CFG, "added connection '%s': %H[%D]...%H[%D]", - msg->add_conn.name, my_host, my_id, other_host, other_id); - /* add to global policy list */ - charon->policies->add_policy(charon->policies, policy); - - return; - - /* mopping up after parsing errors */ - -destroy_ids: - my_id->destroy(my_id); - other_id->destroy(other_id); - -destroy_hosts: - my_host->destroy(my_host); - other_host->destroy(other_host); -} - -/** - * Delete a connection from the list - */ -static void stroke_del_conn(stroke_msg_t *msg, FILE *out) -{ - status_t status; - - pop_string(msg, &(msg->del_conn.name)); - DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name); - - status = charon->connections->delete_connection(charon->connections, - msg->del_conn.name); - charon->policies->delete_policy(charon->policies, msg->del_conn.name); - if (status == SUCCESS) - { - fprintf(out, "deleted connection '%s'\n", msg->del_conn.name); - } - else - { - fprintf(out, "no connection named '%s'\n", msg->del_conn.name); - } -} - -/** - * initiate a connection by name - */ -static void stroke_initiate(stroke_msg_t *msg, FILE *out) -{ - initiate_job_t *job; - connection_t *connection; - policy_t *policy; - ike_sa_t *init_ike_sa = NULL; - signal_t signal; - - pop_string(msg, &(msg->initiate.name)); - DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name); - - connection = charon->connections->get_connection_by_name(charon->connections, - msg->initiate.name); - if (connection == NULL) - { - if (msg->output_verbosity >= 0) - { - fprintf(out, "no 
connection named '%s'\n", msg->initiate.name); - } - return; - } - if (!connection->is_ikev2(connection)) - { - connection->destroy(connection); - return; - } - - policy = charon->policies->get_policy_by_name(charon->policies, - msg->initiate.name); - if (policy == NULL) - { - if (msg->output_verbosity >= 0) - { - fprintf(out, "no policy named '%s'\n", msg->initiate.name); - } - connection->destroy(connection); - return; - } - - job = initiate_job_create(connection, policy); - charon->bus->set_listen_state(charon->bus, TRUE); - charon->job_queue->add(charon->job_queue, (job_t*)job); - while (TRUE) - { - level_t level; - int thread; - ike_sa_t *ike_sa; - char* format; - va_list args; - - signal = charon->bus->listen(charon->bus, &level, &thread, &ike_sa, &format, &args); - - if ((init_ike_sa == NULL || ike_sa == init_ike_sa) && - level <= msg->output_verbosity) - { - if (vfprintf(out, format, args) < 0 || - fprintf(out, "\n") < 0 || - fflush(out)) - { - charon->bus->set_listen_state(charon->bus, FALSE); - break; - } - } - - switch (signal) - { - case CHILD_UP_SUCCESS: - case CHILD_UP_FAILED: - case IKE_UP_FAILED: - if (ike_sa == init_ike_sa) - { - charon->bus->set_listen_state(charon->bus, FALSE); - return; - } - continue; - case CHILD_UP_START: - case IKE_UP_START: - if (init_ike_sa == NULL) - { - init_ike_sa = ike_sa; - } - continue; - default: - continue; - } - } -} - -/** - * route/unroute a policy (install SPD entries) - */ -static void stroke_route(stroke_msg_t *msg, FILE *out, bool route) -{ - route_job_t *job; - connection_t *connection; - policy_t *policy; - - pop_string(msg, &(msg->route.name)); - DBG1(DBG_CFG, "received stroke: %s '%s'", - route ? "route" : "unroute", msg->route.name); - - /* we wouldn't need a connection, but we only want to route policies - * whose connections are keyexchange=ikev2. 
*/ - connection = charon->connections->get_connection_by_name(charon->connections, - msg->route.name); - if (connection == NULL) - { - fprintf(out, "no connection named '%s'\n", msg->route.name); - return; - } - if (!connection->is_ikev2(connection)) - { - connection->destroy(connection); - return; - } - - policy = charon->policies->get_policy_by_name(charon->policies, - msg->route.name); - if (policy == NULL) - { - fprintf(out, "no policy named '%s'\n", msg->route.name); - connection->destroy(connection); - return; - } - fprintf(out, "%s policy '%s'\n", - route ? "routing" : "unrouting", msg->route.name); - job = route_job_create(connection, policy, route); - charon->job_queue->add(charon->job_queue, (job_t*)job); -} - -/** - * terminate a connection by name - */ -static void stroke_terminate(stroke_msg_t *msg, FILE *out) -{ - char *string, *pos = NULL, *name = NULL; - u_int32_t id = 0; - bool child; - int len; - status_t status = SUCCESS;; - ike_sa_t *ike_sa; - - pop_string(msg, &(msg->terminate.name)); - string = msg->terminate.name; - DBG1(DBG_CFG, "received stroke: terminate '%s'", string); - - len = strlen(string); - if (len < 1) - { - DBG1(DBG_CFG, "error parsing string"); - return; - } - switch (string[len-1]) - { - case '}': - child = TRUE; - pos = strchr(string, '{'); - break; - case ']': - child = FALSE; - pos = strchr(string, '['); - break; - default: - name = string; - child = FALSE; - break; - } - - if (name) - { /* must be a single name */ - DBG1(DBG_CFG, "check out by single name '%s'", name); - ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager, - name, child); - } - else if (pos == string + len - 2) - { /* must be name[] or name{} */ - string[len-2] = '\0'; - DBG1(DBG_CFG, "check out by name '%s'", string); - ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager, - string, child); - } - else - { /* must be name[123] or name{23} */ - string[len-1] = '\0'; - id = atoi(pos + 1); - if (id == 0) - { - 
DBG1(DBG_CFG, "error parsing string"); - return; - } - DBG1(DBG_CFG, "check out by id '%d'", id); - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - id, child); - } - if (ike_sa == NULL) - { - DBG1(DBG_CFG, "no such IKE_SA found"); - return; - } - - if (!child) - { - status = ike_sa->delete(ike_sa); - } - else - { - child_sa_t *child_sa; - iterator_t *iterator = ike_sa->create_child_sa_iterator(ike_sa); - while (iterator->iterate(iterator, (void**)&child_sa)) - { - if ((id && id == child_sa->get_reqid(child_sa)) || - (string && streq(string, child_sa->get_name(child_sa)))) - { - u_int32_t spi = child_sa->get_spi(child_sa, TRUE); - protocol_id_t proto = child_sa->get_protocol(child_sa); - - status = ike_sa->delete_child_sa(ike_sa, proto, spi); - break; - } - } - iterator->destroy(iterator); - } - if (status == DESTROY_ME) - { - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, - ike_sa); - return; - } - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); -} - -/** - * Add a ca information record to the cainfo list - */ -static void stroke_add_ca(stroke_msg_t *msg, FILE *out) -{ - x509_t *cacert; - ca_info_t *ca_info; - - pop_string(msg, &msg->add_ca.name); - pop_string(msg, &msg->add_ca.cacert); - pop_string(msg, &msg->add_ca.crluri); - pop_string(msg, &msg->add_ca.crluri2); - pop_string(msg, &msg->add_ca.ocspuri); - pop_string(msg, &msg->add_ca.ocspuri2); - - DBG1(DBG_CFG, "received stroke: add ca '%s'", msg->add_ca.name); - - DBG2(DBG_CFG, "ca %s", msg->add_ca.name); - DBG2(DBG_CFG, " cacert=%s", msg->add_ca.cacert); - DBG2(DBG_CFG, " crluri=%s", msg->add_ca.crluri); - DBG2(DBG_CFG, " crluri2=%s", msg->add_ca.crluri2); - DBG2(DBG_CFG, " ocspuri=%s", msg->add_ca.ocspuri); - DBG2(DBG_CFG, " ocspuri2=%s", msg->add_ca.ocspuri2); - - if (msg->add_ca.cacert == NULL) - { - DBG1(DBG_CFG, "missing cacert parameter\n"); - return; - } - - cacert = load_ca_certificate(msg->add_ca.cacert); - - if (cacert == NULL) - { - 
return; - } - ca_info = ca_info_create(msg->add_ca.name, cacert); - - if (msg->add_ca.crluri) - { - chunk_t uri = { msg->add_ca.crluri, strlen(msg->add_ca.crluri) }; - - ca_info->add_crluri(ca_info, uri); - } - if (msg->add_ca.crluri2) - { - chunk_t uri = { msg->add_ca.crluri2, strlen(msg->add_ca.crluri2) }; - - ca_info->add_crluri(ca_info, uri); - } - if (msg->add_ca.ocspuri) - { - chunk_t uri = { msg->add_ca.ocspuri, strlen(msg->add_ca.ocspuri) }; - - ca_info->add_ocspuri(ca_info, uri); - } - if (msg->add_ca.ocspuri2) - { - chunk_t uri = { msg->add_ca.ocspuri2, strlen(msg->add_ca.ocspuri2) }; - - ca_info->add_ocspuri(ca_info, uri); - } - charon->credentials->add_ca_info(charon->credentials, ca_info); - DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name); - -} - -/** - * Delete a ca information record from the cainfo list - */ -static void stroke_del_ca(stroke_msg_t *msg, FILE *out) -{ - status_t status; - - pop_string(msg, &(msg->del_ca.name)); - DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name); - - status = charon->credentials->release_ca_info(charon->credentials, - msg->del_ca.name); - - if (status == SUCCESS) - { - fprintf(out, "deleted ca '%s'\n", msg->del_ca.name); - } - else - { - fprintf(out, "no ca named '%s'\n", msg->del_ca.name); - } -} - -/** - * show status of daemon - */ -static void stroke_statusall(stroke_msg_t *msg, FILE *out) -{ - iterator_t *iterator; - linked_list_t *list; - host_t *host; - connection_t *connection; - policy_t *policy; - ike_sa_t *ike_sa; - char *name = NULL; - - leak_detective_status(out); - - fprintf(out, "Performance:\n"); - fprintf(out, " worker threads: %d idle of %d,", - charon->thread_pool->get_idle_threads(charon->thread_pool), - charon->thread_pool->get_pool_size(charon->thread_pool)); - fprintf(out, " job queue load: %d,", - charon->job_queue->get_count(charon->job_queue)); - fprintf(out, " scheduled events: %d\n", - charon->event_queue->get_count(charon->event_queue)); - list = 
charon->kernel_interface->create_address_list(charon->kernel_interface); - - fprintf(out, "Listening on %d IP addresses:\n", list->get_count(list)); - while (list->remove_first(list, (void**)&host) == SUCCESS) - { - fprintf(out, " %H\n", host); - host->destroy(host); - } - list->destroy(list); - - if (msg->status.name) - { - pop_string(msg, &(msg->status.name)); - name = msg->status.name; - } - - iterator = charon->connections->create_iterator(charon->connections); - if (iterator->get_count(iterator) > 0) - { - fprintf(out, "Connections:\n"); - } - while (iterator->iterate(iterator, (void**)&connection)) - { - if (connection->is_ikev2(connection) - && (name == NULL || streq(name, connection->get_name(connection)))) - { - fprintf(out, "%12s: %H...%H\n", - connection->get_name(connection), - connection->get_my_host(connection), - connection->get_other_host(connection)); - } - } - iterator->destroy(iterator); - - iterator = charon->policies->create_iterator(charon->policies); - if (iterator->get_count(iterator) > 0) - { - fprintf(out, "Policies:\n"); - } - while (iterator->iterate(iterator, (void**)&policy)) - { - if (name == NULL || streq(name, policy->get_name(policy))) - { - fprintf(out, "%12s: '%D'...'%D'\n", - policy->get_name(policy), - policy->get_my_id(policy), - policy->get_other_id(policy)); - } - } - iterator->destroy(iterator); - - iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager); - if (iterator->get_count(iterator) > 0) - { - fprintf(out, "Security Associations:\n"); - } - while (iterator->iterate(iterator, (void**)&ike_sa)) - { - bool ike_sa_printed = FALSE; - child_sa_t *child_sa; - iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa); - - /* print IKE_SA */ - if (name == NULL || strncmp(name, ike_sa->get_name(ike_sa), strlen(name)) == 0) - { - fprintf(out, "%#K\n", ike_sa); - ike_sa_printed = TRUE; - } - - while (children->iterate(children, (void**)&child_sa)) - { - bool child_sa_match = name == NULL || - 
strncmp(name, child_sa->get_name(child_sa), strlen(name)) == 0; - - /* print IKE_SA if its name differs from the CHILD_SA's name */ - if (!ike_sa_printed && child_sa_match) - { - fprintf(out, "%#K\n", ike_sa); - ike_sa_printed = TRUE; - } - - /* print CHILD_SA */ - if (child_sa_match) - { - fprintf(out, "%#P\n", child_sa); - } - } - children->destroy(children); - } - iterator->destroy(iterator); -} - -/** - * show status of daemon - */ -static void stroke_status(stroke_msg_t *msg, FILE *out) -{ - iterator_t *iterator; - ike_sa_t *ike_sa; - char *name = NULL; - - if (msg->status.name) - { - pop_string(msg, &(msg->status.name)); - name = msg->status.name; - } - - iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager); - while (iterator->iterate(iterator, (void**)&ike_sa)) - { - bool ike_sa_printed = FALSE; - child_sa_t *child_sa; - iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa); - - /* print IKE_SA */ - if (name == NULL || strncmp(name, ike_sa->get_name(ike_sa), strlen(name)) == 0) - { - fprintf(out, "%K\n", ike_sa); - ike_sa_printed = TRUE; - } - - while (children->iterate(children, (void**)&child_sa)) - { - bool child_sa_match = name == NULL || - strncmp(name, child_sa->get_name(child_sa), strlen(name)) == 0; - - /* print IKE_SA if its name differs from the CHILD_SA's name */ - if (!ike_sa_printed && child_sa_match) - { - fprintf(out, "%K\n", ike_sa); - ike_sa_printed = TRUE; - } - - /* print CHILD_SA */ - if (child_sa_match) - { - fprintf(out, "%P\n", child_sa); - } - } - children->destroy(children); - } - iterator->destroy(iterator); -} - -/** - * list all authority certificates matching a specified flag - */ -static void list_auth_certificates(u_int flag, const char *label, bool utc, FILE *out) -{ - bool first = TRUE; - x509_t *cert; - - iterator_t *iterator = charon->credentials->create_auth_cert_iterator(charon->credentials); - - while (iterator->iterate(iterator, (void**)&cert)) - { - if (cert->has_authority_flag(cert, 
flag)) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 %s Certificates:\n", label); - fprintf(out, "\n"); - first = FALSE; - } - fprintf(out, "%#Q\n", cert, utc); - } - } - iterator->destroy(iterator); -} - -/** - * list various information - */ -static void stroke_list(stroke_msg_t *msg, FILE *out) -{ - iterator_t *iterator; - - if (msg->list.flags & LIST_CERTS) - { - x509_t *cert; - - iterator = charon->credentials->create_cert_iterator(charon->credentials); - if (iterator->get_count(iterator)) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 End Entity Certificates:\n"); - fprintf(out, "\n"); - } - while (iterator->iterate(iterator, (void**)&cert)) - { - fprintf(out, "%#Q", cert, msg->list.utc); - if (charon->credentials->has_rsa_private_key( - charon->credentials, cert->get_public_key(cert))) - { - fprintf(out, ", has private key"); - } - fprintf(out, "\n"); - - } - iterator->destroy(iterator); - } - if (msg->list.flags & LIST_CACERTS) - { - list_auth_certificates(AUTH_CA, "CA", msg->list.utc, out); - } - if (msg->list.flags & LIST_CAINFOS) - { - ca_info_t *ca_info; - - iterator = charon->credentials->create_cainfo_iterator(charon->credentials); - if (iterator->get_count(iterator)) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 CA Information Records:\n"); - fprintf(out, "\n"); - } - while (iterator->iterate(iterator, (void**)&ca_info)) - { - fprintf(out, "%#W", ca_info, msg->list.utc); - } - iterator->destroy(iterator); - } - if (msg->list.flags & LIST_CRLS) - { - ca_info_t *ca_info; - bool first = TRUE; - - iterator = charon->credentials->create_cainfo_iterator(charon->credentials); - - while (iterator->iterate(iterator, (void **)&ca_info)) - { - if (ca_info->has_crl(ca_info)) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 CRLs:\n"); - fprintf(out, "\n"); - first = FALSE; - } - ca_info->list_crl(ca_info, out, msg->list.utc); - } - } - iterator->destroy(iterator); - } - if (msg->list.flags & 
LIST_OCSPCERTS) - { - list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out); - } - if (msg->list.flags & LIST_OCSP) - { - ca_info_t *ca_info; - bool first = TRUE; - - iterator = charon->credentials->create_cainfo_iterator(charon->credentials); - - while (iterator->iterate(iterator, (void **)&ca_info)) - { - if (ca_info->has_certinfos(ca_info)) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of OCSP responses:\n"); - first = FALSE; - } - fprintf(out, "\n"); - ca_info->list_certinfos(ca_info, out, msg->list.utc); - } - } - iterator->destroy(iterator); - } -} - -/** - * reread various information - */ -static void stroke_reread(stroke_msg_t *msg, FILE *out) -{ - if (msg->reread.flags & REREAD_CACERTS) - { - charon->credentials->load_ca_certificates(charon->credentials); - } - if (msg->reread.flags & REREAD_OCSPCERTS) - { - charon->credentials->load_ocsp_certificates(charon->credentials); - } - if (msg->reread.flags & REREAD_CRLS) - { - charon->credentials->load_crls(charon->credentials); - } -} - -/** - * purge various information - */ -static void stroke_purge(stroke_msg_t *msg, FILE *out) -{ - if (msg->purge.flags & PURGE_OCSP) - { - iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials); - ca_info_t *ca_info; - - while (iterator->iterate(iterator, (void**)&ca_info)) - { - ca_info->purge_ocsp(ca_info); - } - iterator->destroy(iterator); - } -} - -signal_t get_signal_from_logtype(char *type) -{ - if (strcasecmp(type, "any") == 0) return SIG_ANY; - else if (strcasecmp(type, "mgr") == 0) return DBG_MGR; - else if (strcasecmp(type, "ike") == 0) return DBG_IKE; - else if (strcasecmp(type, "chd") == 0) return DBG_CHD; - else if (strcasecmp(type, "job") == 0) return DBG_JOB; - else if (strcasecmp(type, "cfg") == 0) return DBG_CFG; - else if (strcasecmp(type, "knl") == 0) return DBG_KNL; - else if (strcasecmp(type, "net") == 0) return DBG_NET; - else if (strcasecmp(type, "enc") == 0) return DBG_ENC; - else if 
(strcasecmp(type, "lib") == 0) return DBG_LIB;
- else return -1;
-}
-
-/**
- * set the verbosity debug output
- */
-static void stroke_loglevel(stroke_msg_t *msg, FILE *out)
-{
- signal_t signal;
-
- pop_string(msg, &(msg->loglevel.type));
- DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
- msg->loglevel.level, msg->loglevel.type);
-
- signal = get_signal_from_logtype(msg->loglevel.type);
- if (signal < 0)
- {
- fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
- return;
- }
-
- charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level);
- charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
-}
-
-/**
- * process a stroke request from the socket pointed by "fd"
- */
-static void stroke_process(int *fd)
-{
- stroke_msg_t *msg;
- u_int16_t msg_length;
- ssize_t bytes_read;
- FILE *out;
- int strokefd = *fd;
-
- /* peek the length */
- bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
- if (bytes_read != sizeof(msg_length))
- {
- DBG1(DBG_CFG, "reading length of stroke message failed");
- close(strokefd);
- return;
- }
-
- /* read message */
- msg = malloc(msg_length);
- bytes_read = recv(strokefd, msg, msg_length, 0);
- if (bytes_read != msg_length)
- {
- DBG1(DBG_CFG, "reading stroke message failed: %m");
- close(strokefd);
- return;
- }
-
- out = fdopen(dup(strokefd), "w");
- if (out == NULL)
- {
- DBG1(DBG_CFG, "opening stroke output channel failed: %m");
- close(strokefd);
- free(msg);
- return;
- }
-
- DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
-
- switch (msg->type)
- {
- case STR_INITIATE:
- stroke_initiate(msg, out);
- break;
- case STR_ROUTE:
- stroke_route(msg, out, TRUE);
- break;
- case STR_UNROUTE:
- stroke_route(msg, out, FALSE);
- break;
- case STR_TERMINATE:
- stroke_terminate(msg, out);
- break;
- case STR_STATUS:
- stroke_status(msg, out);
- break;
- case STR_STATUS_ALL:
- stroke_statusall(msg, out);
- break;
- case STR_ADD_CONN:
- stroke_add_conn(msg, out);
- break;
- case STR_DEL_CONN:
- stroke_del_conn(msg, out);
- break;
- case STR_ADD_CA:
- stroke_add_ca(msg, out);
- break;
- case STR_DEL_CA:
- stroke_del_ca(msg, out);
- break;
- case STR_LOGLEVEL:
- stroke_loglevel(msg, out);
- break;
- case STR_LIST:
- stroke_list(msg, out);
- break;
- case STR_REREAD:
- stroke_reread(msg, out);
- break;
- case STR_PURGE:
- stroke_purge(msg, out);
- break;
- default:
- DBG1(DBG_CFG, "received unknown stroke");
- }
- fclose(out);
- close(strokefd);
- free(msg);
-}
-
-/**
- * Implementation of private_stroke_t.stroke_receive.
- */
-static void stroke_receive(private_stroke_t *this)
-{
- struct sockaddr_un strokeaddr;
- int strokeaddrlen = sizeof(strokeaddr);
- int strokefd;
- int oldstate;
- pthread_t thread;
-
- /* ignore sigpipe. writing over the pipe back to the console
- * only fails if SIGPIPE is ignored. */
- signal(SIGPIPE, SIG_IGN);
-
- /* disable cancellation by default */
- pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
-
- while (TRUE)
- {
- /* wait for connections, but allow thread to terminate */
- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
- strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
- pthread_setcancelstate(oldstate, NULL);
-
- if (strokefd < 0)
- {
- DBG1(DBG_CFG, "accepting stroke connection failed: %m");
- continue;
- }
-
- /* handle request asynchronously */
- if (pthread_create(&thread, NULL, (void*(*)(void*))stroke_process, (void*)&strokefd) != 0)
- {
- DBG1(DBG_CFG, "failed to spawn stroke thread: %m");
- }
- /* detach so the thread terminates cleanly */
- pthread_detach(thread);
- }
-}
-
-/**
- * Implementation of stroke_t.destroy.
- */
-static void destroy(private_stroke_t *this)
-{
- pthread_cancel(this->assigned_thread);
- pthread_join(this->assigned_thread, NULL);
-
- close(this->socket);
- unlink(socket_addr.sun_path);
- free(this);
-}
-
-/*
- * Described in header-file
- */
-stroke_t *stroke_create()
-{
- private_stroke_t *this = malloc_thing(private_stroke_t);
- mode_t old;
-
- /* public functions */
- this->public.destroy = (void (*)(stroke_t*))destroy;
-
- /* set up unix socket */
- this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
- if (this->socket == -1)
- {
- DBG1(DBG_CFG, "could not create whack socket");
- free(this);
- return NULL;
- }
-
- old = umask(~S_IRWXU);
- if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
- {
- DBG1(DBG_CFG, "could not bind stroke socket: %m");
- close(this->socket);
- free(this);
- return NULL;
- }
- umask(old);
-
- if (listen(this->socket, 0) < 0)
- {
- DBG1(DBG_CFG, "could not listen on stroke socket: %m");
- close(this->socket);
- unlink(socket_addr.sun_path);
- free(this);
- return NULL;
- }
-
- /* start a thread reading from the socket */
- if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))stroke_receive, this) != 0)
- {
- DBG1(DBG_CFG, "could not spawn stroke thread");
- close(this->socket);
- unlink(socket_addr.sun_path);
- free(this);
- return NULL;
- }
-
- return (&this->public);
-}
diff --git a/src/charon/threads/stroke_interface.h b/src/charon/threads/stroke_interface.h
deleted file mode 100644
index 0def5167e..000000000
--- a/src/charon/threads/stroke_interface.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
- * @file stroke.h
- *
- * @brief Interface of stroke_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef STROKE_INTERFACE_H_
-#define STROKE_INTERFACE_H_
-
-typedef struct stroke_t stroke_t;
-
-/**
- * @brief Stroke is a configuration and control interface which
- * allows other processes to modify charons behavior.
- *
- * stroke_t allows config manipulation (as whack in pluto).
- * Messages of type stroke_msg_t's are sent over a unix socket
- * (/var/run/charon.ctl).
- *
- * @b Constructors:
- * - stroke_create()
- *
- * @ingroup threads
- */
-struct stroke_t {
-
- /**
- * @brief Destroy a stroke_t instance.
- *
- * @param this stroke_t objec to destroy
- */
- void (*destroy) (stroke_t *this);
-};
-
-
-/**
- * @brief Create the stroke interface and listen on the socket.
- *
- * @return stroke_t object
- *
- * @ingroup threads
- */
-stroke_t *stroke_create(void);
-
-#endif /* STROKE_INTERFACE_H_ */
diff --git a/src/charon/threads/thread_pool.c b/src/charon/threads/thread_pool.c
deleted file mode 100644
index 052b5aab9..000000000
--- a/src/charon/threads/thread_pool.c
+++ /dev/null
@@ -1,181 +0,0 @@
-/**
- * @file thread_pool.c
- *
- * @brief Implementation of thread_pool_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include
-#include
-#include
-#include
-
-#include "thread_pool.h"
-
-#include
-#include
-
-
-typedef struct private_thread_pool_t private_thread_pool_t;
-
-/**
- * @brief Private data of thread_pool_t class.
- */
-struct private_thread_pool_t {
- /**
- * Public thread_pool_t interface.
- */
- thread_pool_t public;
-
- /**
- * Number of running threads.
- */
- u_int pool_size;
-
- /**
- * Number of threads waiting for work
- */
- u_int idle_threads;
-
- /**
- * Array of thread ids.
- */
- pthread_t *threads;
-} ;
-
-/**
- * Implementation of private_thread_pool_t.process_jobs.
- */
-static void process_jobs(private_thread_pool_t *this)
-{
- job_t *job;
- status_t status;
-
- /* cancellation disabled by default */
- pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
-
- DBG1(DBG_JOB, "worker thread running, thread_ID: %06u",
- (int)pthread_self());
-
- while (TRUE)
- {
- /* TODO: should be atomic, but is not mission critical */
- this->idle_threads++;
- job = charon->job_queue->get(charon->job_queue);
- this->idle_threads--;
-
- status = job->execute(job);
-
- if (status == DESTROY_ME)
- {
- job->destroy(job);
- }
- }
-}
-
-/**
- * Implementation of thread_pool_t.get_pool_size.
- */
-static u_int get_pool_size(private_thread_pool_t *this)
-{
- return this->pool_size;
-}
-
-/**
- * Implementation of thread_pool_t.get_idle_threads.
- */
-static u_int get_idle_threads(private_thread_pool_t *this)
-{
- return this->idle_threads;
-}
-
-/**
- * Implementation of thread_pool_t.destroy.
- */
-static void destroy(private_thread_pool_t *this)
-{
- int current;
- /* flag thread for termination */
- for (current = 0; current < this->pool_size; current++)
- {
- DBG1(DBG_JOB, "cancelling worker thread #%d", current+1);
- pthread_cancel(this->threads[current]);
- }
-
- /* wait for all threads */
- for (current = 0; current < this->pool_size; current++) {
- if (pthread_join(this->threads[current], NULL) == 0)
- {
- DBG1(DBG_JOB, "worker thread #%d terminated", current+1);
- }
- else
- {
- DBG1(DBG_JOB, "could not terminate worker thread #%d", current+1);
- }
- }
-
- /* free mem */
- free(this->threads);
- free(this);
-}
-
-/*
- * Described in header.
- */
-thread_pool_t *thread_pool_create(size_t pool_size)
-{
- int current;
- private_thread_pool_t *this = malloc_thing(private_thread_pool_t);
-
- /* fill in public fields */
- this->public.destroy = (void(*)(thread_pool_t*))destroy;
- this->public.get_pool_size = (u_int(*)(thread_pool_t*))get_pool_size;
- this->public.get_idle_threads = (u_int(*)(thread_pool_t*))get_idle_threads;
-
- /* initialize member */
- this->pool_size = pool_size;
- this->idle_threads = 0;
- this->threads = malloc(sizeof(pthread_t) * pool_size);
-
- /* try to create as many threads as possible, up to pool_size */
- for (current = 0; current < pool_size; current++)
- {
- if (pthread_create(&(this->threads[current]), NULL,
- (void*(*)(void*))process_jobs, this) == 0)
- {
- DBG1(DBG_JOB, "created worker thread #%d", current+1);
- }
- else
- {
- /* creation failed, is it the first one?
*/
- if (current == 0)
- {
- free(this->threads);
- free(this);
- charon->kill(charon, "could not create any worker threads");
- }
- /* not all threads could be created, but at least one :-/ */
- DBG1(DBG_JOB, "could only create %d from requested %d threads!",
- current, pool_size);
- this->pool_size = current;
- break;
- }
- }
- return (thread_pool_t*)this;
-}
diff --git a/src/charon/threads/thread_pool.h b/src/charon/threads/thread_pool.h
deleted file mode 100644
index 8e1989bda..000000000
--- a/src/charon/threads/thread_pool.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/**
- * @file thread_pool.h
- *
- * @brief Interface of thread_pool_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef THREAD_POOL_H_
-#define THREAD_POOL_H_
-
-typedef struct thread_pool_t thread_pool_t;
-
-#include
-
-#include
-
-/**
- * @brief A thread_pool consists of a pool of threads processing jobs from the job queue.
- *
- * Current implementation uses as many threads as specified in constructor.
- * A more improved version would dynamically increase thread count if necessary.
- *
- * @b Constructors:
- * - thread_pool_create()
- *
- * @todo Add support for dynamic thread handling
- *
- * @ingroup threads
- */
-struct thread_pool_t {
-
- /**
- * @brief Return currently instanciated thread count.
- *
- * @param thread_pool calling object
- * @return size of thread pool
- */
- u_int (*get_pool_size) (thread_pool_t *thread_pool);
-
- /**
- * @brief Get the number of threads currently waiting for work.
- *
- * @param thread_pool calling object
- * @return number of idle threads
- */
- u_int (*get_idle_threads) (thread_pool_t *thread_pool);
-
- /**
- * @brief Destroy a thread_pool_t object.
- *
- * Sends cancellation request to all threads and AWAITS their termination.
- *
- * @param thread_pool calling object
- */
- void (*destroy) (thread_pool_t *thread_pool);
-};
-
-/**
- * @brief Create the thread pool using using pool_size of threads.
- *
- * @param pool_size desired pool size
- * @return
- * - thread_pool_t object if one ore more threads could be started, or
- * - NULL if no threads could be created
- *
- * @ingroup threads
- */
-thread_pool_t *thread_pool_create(size_t pool_size);
-
-
-#endif /*THREAD_POOL_H_*/
diff --git a/src/include/Makefile.am b/src/include/Makefile.am
new file mode 100644
index 000000000..c7e9ca9ff
--- /dev/null
+++ b/src/include/Makefile.am
@@ -0,0 +1,2 @@
+EXTRA_DIST = linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
+ linux/pfkeyv2.h linux/udp.h linux/xfrm.h
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
new file mode 100644
index 000000000..68477343f
--- /dev/null
+++ b/src/include/Makefile.in
@@ -0,0 +1,358 @@ +# Makefile.in generated by automake 1.9.6 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ +srcdir = @srcdir@ +top_srcdir = @top_srcdir@ +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +top_builddir = ../.. +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +INSTALL = @INSTALL@ +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/include +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +SOURCES = +DIST_SOURCES = +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMDEP_FALSE = @AMDEP_FALSE@ +AMDEP_TRUE = @AMDEP_TRUE@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@ +BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@ +CC = @CC@ 
+CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +RANLIB = @RANLIB@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@ +USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@ +USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ +USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ +USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ +USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ +USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ +USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ +USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ +USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ +USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ +USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@ +USE_VENDORID_FALSE = @USE_VENDORID_FALSE@ +USE_VENDORID_TRUE = @USE_VENDORID_TRUE@ +VERSION = @VERSION@ +YACC = @YACC@ 
+YFLAGS = @YFLAGS@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__fastdepCC_FALSE = @am__fastdepCC_FALSE@ +am__fastdepCC_TRUE = @am__fastdepCC_TRUE@ +am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@ +am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +backenddir = @backenddir@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +confdir = @confdir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ +docdir = @docdir@ +dvidir = @dvidir@ +eapdir = @eapdir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +interfacedir = @interfacedir@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linuxdir = @linuxdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +EXTRA_DIST = linux/ipsec.h linux/netlink.h linux/rtnetlink.h \ + linux/pfkeyv2.h linux/udp.h linux/xfrm.h + +all: all-am + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd 
$(top_srcdir) && $(AUTOMAKE) --gnu src/include/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/include/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +distclean-libtool: + -rm -f libtool +uninstall-info-am: +tags: TAGS +TAGS: + +ctags: CTAGS +CTAGS: + + +distdir: $(DISTFILES) + $(mkdir_p) $(distdir)/linux + @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ + list='$(DISTFILES)'; for file in $$list; do \ + case $$file in \ + $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ + $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ + esac; \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test "$$dir" != "$$file" && test "$$dir" != "."; then \ + dir="/$$dir"; \ + $(mkdir_p) "$(distdir)$$dir"; \ + else \ + dir=''; \ + fi; \ + if test -d $$d/$$file; then \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file 
$(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic distclean-libtool + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: + +install-exec-am: + +install-info: install-info-am + +install-man: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-info-am + +.PHONY: all all-am check check-am clean clean-generic clean-libtool \ + distclean distclean-generic distclean-libtool distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-exec install-exec-am \ + install-info install-info-am install-man install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am 
uninstall uninstall-am \ + uninstall-info-am + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/include/linux/ipsec.h b/src/include/linux/ipsec.h new file mode 100644 index 000000000..81ac63a18 --- /dev/null +++ b/src/include/linux/ipsec.h @@ -0,0 +1,46 @@ +#ifndef _LINUX_IPSEC_H +#define _LINUX_IPSEC_H + +/* The definitions, required to talk to KAME racoon IKE. */ + +#include "pfkeyv2.h" + +#define IPSEC_PORT_ANY 0 +#define IPSEC_ULPROTO_ANY 255 +#define IPSEC_PROTO_ANY 255 + +enum { + IPSEC_MODE_ANY = 0, /* We do not support this for SA */ + IPSEC_MODE_TRANSPORT = 1, + IPSEC_MODE_TUNNEL = 2 +}; + +enum { + IPSEC_DIR_ANY = 0, + IPSEC_DIR_INBOUND = 1, + IPSEC_DIR_OUTBOUND = 2, + IPSEC_DIR_FWD = 3, /* It is our own */ + IPSEC_DIR_MAX = 4, + IPSEC_DIR_INVALID = 5 +}; + +enum { + IPSEC_POLICY_DISCARD = 0, + IPSEC_POLICY_NONE = 1, + IPSEC_POLICY_IPSEC = 2, + IPSEC_POLICY_ENTRUST = 3, + IPSEC_POLICY_BYPASS = 4 +}; + +enum { + IPSEC_LEVEL_DEFAULT = 0, + IPSEC_LEVEL_USE = 1, + IPSEC_LEVEL_REQUIRE = 2, + IPSEC_LEVEL_UNIQUE = 3 +}; + +#define IPSEC_MANUAL_REQID_MAX 0x3fff + +#define IPSEC_REPLAYWSIZE 32 + +#endif /* _LINUX_IPSEC_H */ diff --git a/src/include/linux/netlink.h b/src/include/linux/netlink.h new file mode 100644 index 000000000..af65dc499 --- /dev/null +++ b/src/include/linux/netlink.h 
@@ -0,0 +1,241 @@
+#ifndef __LINUX_NETLINK_H
+#define __LINUX_NETLINK_H
+
+#include /* for sa_family_t */
+#include
+
+#define NETLINK_ROUTE 0 /* Routing/device hook */
+#define NETLINK_W1 1 /* 1-wire subsystem */
+#define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */
+#define NETLINK_FIREWALL 3 /* Firewalling hook */
+#define NETLINK_INET_DIAG 4 /* INET socket monitoring */
+#define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */
+#define NETLINK_XFRM 6 /* ipsec */
+#define NETLINK_SELINUX 7 /* SELinux event notifications */
+#define NETLINK_ISCSI 8 /* Open-iSCSI */
+#define NETLINK_AUDIT 9 /* auditing */
+#define NETLINK_FIB_LOOKUP 10
+#define NETLINK_CONNECTOR 11
+#define NETLINK_NETFILTER 12 /* netfilter subsystem */
+#define NETLINK_IP6_FW 13
+#define NETLINK_DNRTMSG 14 /* DECnet routing messages */
+#define NETLINK_KOBJECT_UEVENT 15 /* Kernel messages to userspace */
+#define NETLINK_GENERIC 16
+
+#define MAX_LINKS 32
+
+struct sockaddr_nl
+{
+ sa_family_t nl_family; /* AF_NETLINK */
+ unsigned short nl_pad; /* zero */
+ __u32 nl_pid; /* process pid */
+ __u32 nl_groups; /* multicast groups mask */
+};
+
+struct nlmsghdr
+{
+ __u32 nlmsg_len; /* Length of message including header */
+ __u16 nlmsg_type; /* Message content */
+ __u16 nlmsg_flags; /* Additional flags */
+ __u32 nlmsg_seq; /* Sequence number */
+ __u32 nlmsg_pid; /* Sending process PID */
+};
+
+/* Flags values */
+
+#define NLM_F_REQUEST 1 /* It is request message.
*/ +#define NLM_F_MULTI 2 /* Multipart message, terminated by NLMSG_DONE */ +#define NLM_F_ACK 4 /* Reply with ack, with zero or error code */ +#define NLM_F_ECHO 8 /* Echo this request */ + +/* Modifiers to GET request */ +#define NLM_F_ROOT 0x100 /* specify tree root */ +#define NLM_F_MATCH 0x200 /* return all matching */ +#define NLM_F_ATOMIC 0x400 /* atomic GET */ +#define NLM_F_DUMP (NLM_F_ROOT|NLM_F_MATCH) + +/* Modifiers to NEW request */ +#define NLM_F_REPLACE 0x100 /* Override existing */ +#define NLM_F_EXCL 0x200 /* Do not touch, if it exists */ +#define NLM_F_CREATE 0x400 /* Create, if it does not exist */ +#define NLM_F_APPEND 0x800 /* Add to end of list */ + +/* + 4.4BSD ADD NLM_F_CREATE|NLM_F_EXCL + 4.4BSD CHANGE NLM_F_REPLACE + + True CHANGE NLM_F_CREATE|NLM_F_REPLACE + Append NLM_F_CREATE + Check NLM_F_EXCL + */ + +#define NLMSG_ALIGNTO 4 +#define NLMSG_ALIGN(len) ( ((len)+NLMSG_ALIGNTO-1) & ~(NLMSG_ALIGNTO-1) ) +#define NLMSG_HDRLEN ((int) NLMSG_ALIGN(sizeof(struct nlmsghdr))) +#define NLMSG_LENGTH(len) ((len)+NLMSG_ALIGN(NLMSG_HDRLEN)) +#define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len)) +#define NLMSG_DATA(nlh) ((void*)(((char*)nlh) + NLMSG_LENGTH(0))) +#define NLMSG_NEXT(nlh,len) ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \ + (struct nlmsghdr*)(((char*)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len))) +#define NLMSG_OK(nlh,len) ((len) >= (int)sizeof(struct nlmsghdr) && \ + (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \ + (nlh)->nlmsg_len <= (len)) +#define NLMSG_PAYLOAD(nlh,len) ((nlh)->nlmsg_len - NLMSG_SPACE((len))) + +#define NLMSG_NOOP 0x1 /* Nothing. 
*/ +#define NLMSG_ERROR 0x2 /* Error */ +#define NLMSG_DONE 0x3 /* End of a dump */ +#define NLMSG_OVERRUN 0x4 /* Data lost */ + +#define NLMSG_MIN_TYPE 0x10 /* < 0x10: reserved control messages */ + +struct nlmsgerr +{ + int error; + struct nlmsghdr msg; +}; + +#define NETLINK_ADD_MEMBERSHIP 1 +#define NETLINK_DROP_MEMBERSHIP 2 +#define NETLINK_PKTINFO 3 + +struct nl_pktinfo +{ + __u32 group; +}; + +#define NET_MAJOR 36 /* Major 36 is reserved for networking */ + +enum { + NETLINK_UNCONNECTED = 0, + NETLINK_CONNECTED, +}; + +/* + * <------- NLA_HDRLEN ------> <-- NLA_ALIGN(payload)--> + * +---------------------+- - -+- - - - - - - - - -+- - -+ + * | Header | Pad | Payload | Pad | + * | (struct nlattr) | ing | | ing | + * +---------------------+- - -+- - - - - - - - - -+- - -+ + * <-------------- nlattr->nla_len --------------> + */ + +struct nlattr +{ + __u16 nla_len; + __u16 nla_type; +}; + +#define NLA_ALIGNTO 4 +#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1)) +#define NLA_HDRLEN ((int) NLA_ALIGN(sizeof(struct nlattr))) + +#ifdef __KERNEL__ + +#include +#include + +struct netlink_skb_parms +{ + struct ucred creds; /* Skb credentials */ + __u32 pid; + __u32 dst_pid; + __u32 dst_group; + kernel_cap_t eff_cap; + __u32 loginuid; /* Login (audit) uid */ + __u32 sid; /* SELinux security id */ +}; + +#define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) +#define NETLINK_CREDS(skb) (&NETLINK_CB((skb)).creds) + + +extern struct sock *netlink_kernel_create(int unit, unsigned int groups, void (*input)(struct sock *sk, int len), struct module *module); +extern void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err); +extern int netlink_has_listeners(struct sock *sk, unsigned int group); +extern int netlink_unicast(struct sock *ssk, struct sk_buff *skb, __u32 pid, int nonblock); +extern int netlink_broadcast(struct sock *ssk, struct sk_buff *skb, __u32 pid, + __u32 group, gfp_t allocation); +extern void 
netlink_set_err(struct sock *ssk, __u32 pid, __u32 group, int code); +extern int netlink_register_notifier(struct notifier_block *nb); +extern int netlink_unregister_notifier(struct notifier_block *nb); + +/* finegrained unicast helpers: */ +struct sock *netlink_getsockbyfilp(struct file *filp); +int netlink_attachskb(struct sock *sk, struct sk_buff *skb, int nonblock, + long timeo, struct sock *ssk); +void netlink_detachskb(struct sock *sk, struct sk_buff *skb); +int netlink_sendskb(struct sock *sk, struct sk_buff *skb, int protocol); + +/* + * skb should fit one page. This choice is good for headerless malloc. + */ +#define NLMSG_GOODORDER 0 +#define NLMSG_GOODSIZE (SKB_MAX_ORDER(0, NLMSG_GOODORDER)) + + +struct netlink_callback +{ + struct sk_buff *skb; + struct nlmsghdr *nlh; + int (*dump)(struct sk_buff * skb, struct netlink_callback *cb); + int (*done)(struct netlink_callback *cb); + int family; + long args[5]; +}; + +struct netlink_notify +{ + int pid; + int protocol; +}; + +static __inline__ struct nlmsghdr * +__nlmsg_put(struct sk_buff *skb, __u32 pid, __u32 seq, int type, int len, int flags) +{ + struct nlmsghdr *nlh; + int size = NLMSG_LENGTH(len); + + nlh = (struct nlmsghdr*)skb_put(skb, NLMSG_ALIGN(size)); + nlh->nlmsg_type = type; + nlh->nlmsg_len = size; + nlh->nlmsg_flags = flags; + nlh->nlmsg_pid = pid; + nlh->nlmsg_seq = seq; + memset(NLMSG_DATA(nlh) + len, 0, NLMSG_ALIGN(size) - size); + return nlh; +} + +#define NLMSG_NEW(skb, pid, seq, type, len, flags) \ +({ if (skb_tailroom(skb) < (int)NLMSG_SPACE(len)) \ + goto nlmsg_failure; \ + __nlmsg_put(skb, pid, seq, type, len, flags); }) + +#define NLMSG_PUT(skb, pid, seq, type, len) \ + NLMSG_NEW(skb, pid, seq, type, len, 0) + +#define NLMSG_NEW_ANSWER(skb, cb, type, len, flags) \ + NLMSG_NEW(skb, NETLINK_CB((cb)->skb).pid, \ + (cb)->nlh->nlmsg_seq, type, len, flags) + +#define NLMSG_END(skb, nlh) \ +({ (nlh)->nlmsg_len = (skb)->tail - (unsigned char *) (nlh); \ + (skb)->len; }) + +#define 
NLMSG_CANCEL(skb, nlh) \
+({ skb_trim(skb, (unsigned char *) (nlh) - (skb)->data); \
+ -1; })
+
+extern int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+ struct nlmsghdr *nlh,
+ int (*dump)(struct sk_buff *skb, struct netlink_callback*),
+ int (*done)(struct netlink_callback*));
+
+
+#define NL_NONROOT_RECV 0x1
+#define NL_NONROOT_SEND 0x2
+extern void netlink_set_nonroot(int protocol, unsigned flag);
+
+#endif /* __KERNEL__ */
+
+#endif /* __LINUX_NETLINK_H */
diff --git a/src/include/linux/pfkeyv2.h b/src/include/linux/pfkeyv2.h
new file mode 100644
index 000000000..bac0fb389
--- /dev/null
+++ b/src/include/linux/pfkeyv2.h
@@ -0,0 +1,348 @@
+/* PF_KEY user interface, this is defined by rfc2367 so
+ * do not make arbitrary modifications or else this header
+ * file will not be compliant.
+ */
+
+#ifndef _LINUX_PFKEY2_H
+#define _LINUX_PFKEY2_H
+
+#include 
+
+#define PF_KEY_V2 2
+#define PFKEYV2_REVISION 199806L
+
+struct sadb_msg {
+ uint8_t sadb_msg_version;
+ uint8_t sadb_msg_type;
+ uint8_t sadb_msg_errno;
+ uint8_t sadb_msg_satype;
+ uint16_t sadb_msg_len;
+ uint16_t sadb_msg_reserved;
+ uint32_t sadb_msg_seq;
+ uint32_t sadb_msg_pid;
+} __attribute__((packed));
+/* sizeof(struct sadb_msg) == 16 */
+
+struct sadb_ext {
+ uint16_t sadb_ext_len;
+ uint16_t sadb_ext_type;
+} __attribute__((packed));
+/* sizeof(struct sadb_ext) == 4 */
+
+struct sadb_sa {
+ uint16_t sadb_sa_len;
+ uint16_t sadb_sa_exttype;
+ uint32_t sadb_sa_spi;
+ uint8_t sadb_sa_replay;
+ uint8_t sadb_sa_state;
+ uint8_t sadb_sa_auth;
+ uint8_t sadb_sa_encrypt;
+ uint32_t sadb_sa_flags;
+} __attribute__((packed));
+/* sizeof(struct sadb_sa) == 16 */
+
+struct sadb_lifetime {
+ uint16_t sadb_lifetime_len;
+ uint16_t sadb_lifetime_exttype;
+ uint32_t sadb_lifetime_allocations;
+ uint64_t sadb_lifetime_bytes;
+ uint64_t sadb_lifetime_addtime;
+ uint64_t sadb_lifetime_usetime;
+} __attribute__((packed));
+/* sizeof(struct sadb_lifetime) == 32 */
+
+struct sadb_address {
+ uint16_t sadb_address_len;
+ uint16_t sadb_address_exttype;
+ uint8_t sadb_address_proto;
+ uint8_t sadb_address_prefixlen;
+ uint16_t sadb_address_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_address) == 8 */
+
+struct sadb_key {
+ uint16_t sadb_key_len;
+ uint16_t sadb_key_exttype;
+ uint16_t sadb_key_bits;
+ uint16_t sadb_key_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_key) == 8 */
+
+struct sadb_ident {
+ uint16_t sadb_ident_len;
+ uint16_t sadb_ident_exttype;
+ uint16_t sadb_ident_type;
+ uint16_t sadb_ident_reserved;
+ uint64_t sadb_ident_id;
+} __attribute__((packed));
+/* sizeof(struct sadb_ident) == 16 */
+
+struct sadb_sens {
+ uint16_t sadb_sens_len;
+ uint16_t sadb_sens_exttype;
+ uint32_t sadb_sens_dpd;
+ uint8_t sadb_sens_sens_level;
+ uint8_t sadb_sens_sens_len;
+ uint8_t sadb_sens_integ_level;
+ uint8_t sadb_sens_integ_len;
+ uint32_t sadb_sens_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_sens) == 16 */
+
+/* followed by:
+ uint64_t sadb_sens_bitmap[sens_len];
+ uint64_t sadb_integ_bitmap[integ_len]; */
+
+struct sadb_prop {
+ uint16_t sadb_prop_len;
+ uint16_t sadb_prop_exttype;
+ uint8_t sadb_prop_replay;
+ uint8_t sadb_prop_reserved[3];
+} __attribute__((packed));
+/* sizeof(struct sadb_prop) == 8 */
+
+/* followed by:
+ struct sadb_comb sadb_combs[(sadb_prop_len +
+ sizeof(uint64_t) - sizeof(struct sadb_prop)) /
+ sizeof(struct sadb_comb)]; */
+
+struct sadb_comb {
+ uint8_t sadb_comb_auth;
+ uint8_t sadb_comb_encrypt;
+ uint16_t sadb_comb_flags;
+ uint16_t sadb_comb_auth_minbits;
+ uint16_t sadb_comb_auth_maxbits;
+ uint16_t sadb_comb_encrypt_minbits;
+ uint16_t sadb_comb_encrypt_maxbits;
+ uint32_t sadb_comb_reserved;
+ uint32_t sadb_comb_soft_allocations;
+ uint32_t sadb_comb_hard_allocations;
+ uint64_t sadb_comb_soft_bytes;
+ uint64_t sadb_comb_hard_bytes;
+ uint64_t sadb_comb_soft_addtime;
+ uint64_t sadb_comb_hard_addtime;
+ uint64_t sadb_comb_soft_usetime;
+ uint64_t sadb_comb_hard_usetime;
+} __attribute__((packed));
+/* sizeof(struct sadb_comb) == 72 */
+
+struct sadb_supported {
+ uint16_t sadb_supported_len;
+ uint16_t sadb_supported_exttype;
+ uint32_t sadb_supported_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_supported) == 8 */
+
+/* followed by:
+ struct sadb_alg sadb_algs[(sadb_supported_len +
+ sizeof(uint64_t) - sizeof(struct sadb_supported)) /
+ sizeof(struct sadb_alg)]; */
+
+struct sadb_alg {
+ uint8_t sadb_alg_id;
+ uint8_t sadb_alg_ivlen;
+ uint16_t sadb_alg_minbits;
+ uint16_t sadb_alg_maxbits;
+ uint16_t sadb_alg_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_alg) == 8 */
+
+struct 
sadb_spirange {
+ uint16_t sadb_spirange_len;
+ uint16_t sadb_spirange_exttype;
+ uint32_t sadb_spirange_min;
+ uint32_t sadb_spirange_max;
+ uint32_t sadb_spirange_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_spirange) == 16 */
+
+struct sadb_x_kmprivate {
+ uint16_t sadb_x_kmprivate_len;
+ uint16_t sadb_x_kmprivate_exttype;
+ u_int32_t sadb_x_kmprivate_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_kmprivate) == 8 */
+
+struct sadb_x_sa2 {
+ uint16_t sadb_x_sa2_len;
+ uint16_t sadb_x_sa2_exttype;
+ uint8_t sadb_x_sa2_mode;
+ uint8_t sadb_x_sa2_reserved1;
+ uint16_t sadb_x_sa2_reserved2;
+ uint32_t sadb_x_sa2_sequence;
+ uint32_t sadb_x_sa2_reqid;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_sa2) == 16 */
+
+struct sadb_x_policy {
+ uint16_t sadb_x_policy_len;
+ uint16_t sadb_x_policy_exttype;
+ uint16_t sadb_x_policy_type;
+ uint8_t sadb_x_policy_dir;
+ uint8_t sadb_x_policy_reserved;
+ uint32_t sadb_x_policy_id;
+ uint32_t sadb_x_policy_priority;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_policy) == 16 */
+
+struct sadb_x_ipsecrequest {
+ uint16_t sadb_x_ipsecrequest_len;
+ uint16_t sadb_x_ipsecrequest_proto;
+ uint8_t sadb_x_ipsecrequest_mode;
+ uint8_t sadb_x_ipsecrequest_level;
+ uint16_t sadb_x_ipsecrequest_reserved1;
+ uint32_t sadb_x_ipsecrequest_reqid;
+ uint32_t sadb_x_ipsecrequest_reserved2;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_ipsecrequest) == 16 */
+
+/* This defines the TYPE of Nat Traversal in use. 
Currently only one
+ * type of NAT-T is supported, draft-ietf-ipsec-udp-encaps-06
+ */
+struct sadb_x_nat_t_type {
+ uint16_t sadb_x_nat_t_type_len;
+ uint16_t sadb_x_nat_t_type_exttype;
+ uint8_t sadb_x_nat_t_type_type;
+ uint8_t sadb_x_nat_t_type_reserved[3];
+} __attribute__((packed));
+/* sizeof(struct sadb_x_nat_t_type) == 8 */
+
+/* Pass a NAT Traversal port (Source or Dest port) */
+struct sadb_x_nat_t_port {
+ uint16_t sadb_x_nat_t_port_len;
+ uint16_t sadb_x_nat_t_port_exttype;
+ uint16_t sadb_x_nat_t_port_port;
+ uint16_t sadb_x_nat_t_port_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_nat_t_port) == 8 */
+
+/* Generic LSM security context */
+struct sadb_x_sec_ctx {
+ uint16_t sadb_x_sec_len;
+ uint16_t sadb_x_sec_exttype;
+ uint8_t sadb_x_ctx_alg; /* LSMs: e.g., selinux == 1 */
+ uint8_t sadb_x_ctx_doi;
+ uint16_t sadb_x_ctx_len;
+} __attribute__((packed));
+/* sizeof(struct sadb_sec_ctx) = 8 */
+
+/* Message types */
+#define SADB_RESERVED 0
+#define SADB_GETSPI 1
+#define SADB_UPDATE 2
+#define SADB_ADD 3
+#define SADB_DELETE 4
+#define SADB_GET 5
+#define SADB_ACQUIRE 6
+#define SADB_REGISTER 7
+#define SADB_EXPIRE 8
+#define SADB_FLUSH 9
+#define SADB_DUMP 10
+#define SADB_X_PROMISC 11
+#define SADB_X_PCHANGE 12
+#define SADB_X_SPDUPDATE 13
+#define SADB_X_SPDADD 14
+#define SADB_X_SPDDELETE 15
+#define SADB_X_SPDGET 16
+#define SADB_X_SPDACQUIRE 17
+#define SADB_X_SPDDUMP 18
+#define SADB_X_SPDFLUSH 19
+#define SADB_X_SPDSETIDX 20
+#define SADB_X_SPDEXPIRE 21
+#define SADB_X_SPDDELETE2 22
+#define SADB_X_NAT_T_NEW_MAPPING 23
+#define SADB_MAX 23
+
+/* Security Association flags */
+#define SADB_SAFLAGS_PFS 1
+#define SADB_SAFLAGS_NOPMTUDISC 0x20000000
+#define SADB_SAFLAGS_DECAP_DSCP 0x40000000
+#define SADB_SAFLAGS_NOECN 0x80000000
+
+/* Security Association states */
+#define SADB_SASTATE_LARVAL 0
+#define SADB_SASTATE_MATURE 1
+#define SADB_SASTATE_DYING 2
+#define SADB_SASTATE_DEAD 3
+#define SADB_SASTATE_MAX 3
+
+/* Security 
Association types */
+#define SADB_SATYPE_UNSPEC 0
+#define SADB_SATYPE_AH 2
+#define SADB_SATYPE_ESP 3
+#define SADB_SATYPE_RSVP 5
+#define SADB_SATYPE_OSPFV2 6
+#define SADB_SATYPE_RIPV2 7
+#define SADB_SATYPE_MIP 8
+#define SADB_X_SATYPE_IPCOMP 9
+#define SADB_SATYPE_MAX 9
+
+/* Authentication algorithms */
+#define SADB_AALG_NONE 0
+#define SADB_AALG_MD5HMAC 2
+#define SADB_AALG_SHA1HMAC 3
+#define SADB_X_AALG_SHA2_256HMAC 5
+#define SADB_X_AALG_SHA2_384HMAC 6
+#define SADB_X_AALG_SHA2_512HMAC 7
+#define SADB_X_AALG_RIPEMD160HMAC 8
+#define SADB_X_AALG_NULL 251 /* kame */
+#define SADB_AALG_MAX 251
+
+/* Encryption algorithms */
+#define SADB_EALG_NONE 0
+#define SADB_EALG_DESCBC 2
+#define SADB_EALG_3DESCBC 3
+#define SADB_X_EALG_CASTCBC 6
+#define SADB_X_EALG_BLOWFISHCBC 7
+#define SADB_EALG_NULL 11
+#define SADB_X_EALG_AESCBC 12
+#define SADB_EALG_MAX 253 /* last EALG */
+/* private allocations should use 249-255 (RFC2407) */
+#define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
+#define SADB_X_EALG_TWOFISHCBC 253 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
+
+/* Compression algorithms */
+#define SADB_X_CALG_NONE 0
+#define SADB_X_CALG_OUI 1
+#define SADB_X_CALG_DEFLATE 2
+#define SADB_X_CALG_LZS 3
+#define SADB_X_CALG_LZJH 4
+#define SADB_X_CALG_MAX 4
+
+/* Extension Header values */
+#define SADB_EXT_RESERVED 0
+#define SADB_EXT_SA 1
+#define SADB_EXT_LIFETIME_CURRENT 2
+#define SADB_EXT_LIFETIME_HARD 3
+#define SADB_EXT_LIFETIME_SOFT 4
+#define SADB_EXT_ADDRESS_SRC 5
+#define SADB_EXT_ADDRESS_DST 6
+#define SADB_EXT_ADDRESS_PROXY 7
+#define SADB_EXT_KEY_AUTH 8
+#define SADB_EXT_KEY_ENCRYPT 9
+#define SADB_EXT_IDENTITY_SRC 10
+#define SADB_EXT_IDENTITY_DST 11
+#define SADB_EXT_SENSITIVITY 12
+#define SADB_EXT_PROPOSAL 13
+#define SADB_EXT_SUPPORTED_AUTH 14
+#define SADB_EXT_SUPPORTED_ENCRYPT 15
+#define SADB_EXT_SPIRANGE 16
+#define SADB_X_EXT_KMPRIVATE 17
+#define SADB_X_EXT_POLICY 18
+#define SADB_X_EXT_SA2 19
+/* The next four entries 
are for setting up NAT Traversal */
+#define SADB_X_EXT_NAT_T_TYPE 20
+#define SADB_X_EXT_NAT_T_SPORT 21
+#define SADB_X_EXT_NAT_T_DPORT 22
+#define SADB_X_EXT_NAT_T_OA 23
+#define SADB_X_EXT_SEC_CTX 24
+#define SADB_EXT_MAX 24
+
+/* Identity Extension values */
+#define SADB_IDENTTYPE_RESERVED 0
+#define SADB_IDENTTYPE_PREFIX 1
+#define SADB_IDENTTYPE_FQDN 2
+#define SADB_IDENTTYPE_USERFQDN 3
+#define SADB_IDENTTYPE_MAX 3
+
+#endif /* !(_LINUX_PFKEY2_H) */
diff --git a/src/include/linux/rtnetlink.h b/src/include/linux/rtnetlink.h
new file mode 100644
index 000000000..56bf7b01c
--- /dev/null
+++ b/src/include/linux/rtnetlink.h
@@ -0,0 +1,1072 @@
+#ifndef __LINUX_RTNETLINK_H
+#define __LINUX_RTNETLINK_H
+
+#include "netlink.h"
+
+/****
+ * Routing/neighbour discovery messages.
+ ****/
+
+/* Types of messages */
+
+enum {
+ RTM_BASE = 16,
+#define RTM_BASE RTM_BASE
+
+ RTM_NEWLINK = 16,
+#define RTM_NEWLINK RTM_NEWLINK
+ RTM_DELLINK,
+#define RTM_DELLINK RTM_DELLINK
+ RTM_GETLINK,
+#define RTM_GETLINK RTM_GETLINK
+ RTM_SETLINK,
+#define RTM_SETLINK RTM_SETLINK
+
+ RTM_NEWADDR = 20,
+#define RTM_NEWADDR RTM_NEWADDR
+ RTM_DELADDR,
+#define RTM_DELADDR RTM_DELADDR
+ RTM_GETADDR,
+#define RTM_GETADDR RTM_GETADDR
+
+ RTM_NEWROUTE = 24,
+#define RTM_NEWROUTE RTM_NEWROUTE
+ RTM_DELROUTE,
+#define RTM_DELROUTE RTM_DELROUTE
+ RTM_GETROUTE,
+#define RTM_GETROUTE RTM_GETROUTE
+
+ RTM_NEWNEIGH = 28,
+#define RTM_NEWNEIGH RTM_NEWNEIGH
+ RTM_DELNEIGH,
+#define RTM_DELNEIGH RTM_DELNEIGH
+ RTM_GETNEIGH,
+#define RTM_GETNEIGH RTM_GETNEIGH
+
+ RTM_NEWRULE = 32,
+#define RTM_NEWRULE RTM_NEWRULE
+ RTM_DELRULE,
+#define RTM_DELRULE RTM_DELRULE
+ RTM_GETRULE,
+#define RTM_GETRULE RTM_GETRULE
+
+ RTM_NEWQDISC = 36,
+#define RTM_NEWQDISC RTM_NEWQDISC
+ RTM_DELQDISC,
+#define RTM_DELQDISC RTM_DELQDISC
+ RTM_GETQDISC,
+#define RTM_GETQDISC RTM_GETQDISC
+
+ RTM_NEWTCLASS = 40,
+#define RTM_NEWTCLASS RTM_NEWTCLASS
+ RTM_DELTCLASS,
+#define RTM_DELTCLASS RTM_DELTCLASS
+ RTM_GETTCLASS,
+#define RTM_GETTCLASS RTM_GETTCLASS
+
+ RTM_NEWTFILTER = 44,
+#define RTM_NEWTFILTER RTM_NEWTFILTER
+ RTM_DELTFILTER,
+#define RTM_DELTFILTER RTM_DELTFILTER
+ RTM_GETTFILTER,
+#define RTM_GETTFILTER RTM_GETTFILTER
+
+ RTM_NEWACTION = 48,
+#define RTM_NEWACTION RTM_NEWACTION
+ RTM_DELACTION,
+#define RTM_DELACTION RTM_DELACTION
+ RTM_GETACTION,
+#define RTM_GETACTION RTM_GETACTION
+
+ RTM_NEWPREFIX = 52,
+#define RTM_NEWPREFIX RTM_NEWPREFIX
+ RTM_GETPREFIX = 54,
+#define RTM_GETPREFIX RTM_GETPREFIX
+
+ RTM_GETMULTICAST = 58,
+#define RTM_GETMULTICAST RTM_GETMULTICAST
+
+ RTM_GETANYCAST = 62,
+#define RTM_GETANYCAST RTM_GETANYCAST
+
+ 
RTM_NEWNEIGHTBL = 64,
+#define RTM_NEWNEIGHTBL RTM_NEWNEIGHTBL
+ RTM_GETNEIGHTBL = 66,
+#define RTM_GETNEIGHTBL RTM_GETNEIGHTBL
+ RTM_SETNEIGHTBL,
+#define RTM_SETNEIGHTBL RTM_SETNEIGHTBL
+
+ __RTM_MAX,
+#define RTM_MAX (((__RTM_MAX + 3) & ~3) - 1)
+};
+
+#define RTM_NR_MSGTYPES (RTM_MAX + 1 - RTM_BASE)
+#define RTM_NR_FAMILIES (RTM_NR_MSGTYPES >> 2)
+#define RTM_FAM(cmd) (((cmd) - RTM_BASE) >> 2)
+
+/*
+ Generic structure for encapsulation of optional route information.
+ It is reminiscent of sockaddr, but with sa_family replaced
+ with attribute type.
+ */
+
+struct rtattr
+{
+ unsigned short rta_len;
+ unsigned short rta_type;
+};
+
+/* Macros to handle rtattributes */
+
+#define RTA_ALIGNTO 4
+#define RTA_ALIGN(len) ( ((len)+RTA_ALIGNTO-1) & ~(RTA_ALIGNTO-1) )
+#define RTA_OK(rta,len) ((len) >= (int)sizeof(struct rtattr) && \
+ (rta)->rta_len >= sizeof(struct rtattr) && \
+ (rta)->rta_len <= (len))
+#define RTA_NEXT(rta,attrlen) ((attrlen) -= RTA_ALIGN((rta)->rta_len), \
+ (struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
+#define RTA_LENGTH(len) (RTA_ALIGN(sizeof(struct rtattr)) + (len))
+#define RTA_SPACE(len) RTA_ALIGN(RTA_LENGTH(len))
+#define RTA_DATA(rta) ((void*)(((char*)(rta)) + RTA_LENGTH(0)))
+#define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0))
+
+
+
+
+/******************************************************************************
+ * Definitions used in routing table administration. 
+ ****/
+
+struct rtmsg
+{
+ unsigned char rtm_family;
+ unsigned char rtm_dst_len;
+ unsigned char rtm_src_len;
+ unsigned char rtm_tos;
+
+ unsigned char rtm_table; /* Routing table id */
+ unsigned char rtm_protocol; /* Routing protocol; see below */
+ unsigned char rtm_scope; /* See below */
+ unsigned char rtm_type; /* See below */
+
+ unsigned rtm_flags;
+};
+
+/* rtm_type */
+
+enum
+{
+ RTN_UNSPEC,
+ RTN_UNICAST, /* Gateway or direct route */
+ RTN_LOCAL, /* Accept locally */
+ RTN_BROADCAST, /* Accept locally as broadcast,
+ send as broadcast */
+ RTN_ANYCAST, /* Accept locally as broadcast,
+ but send as unicast */
+ RTN_MULTICAST, /* Multicast route */
+ RTN_BLACKHOLE, /* Drop */
+ RTN_UNREACHABLE, /* Destination is unreachable */
+ RTN_PROHIBIT, /* Administratively prohibited */
+ RTN_THROW, /* Not in this table */
+ RTN_NAT, /* Translate this address */
+ RTN_XRESOLVE, /* Use external resolver */
+ __RTN_MAX
+};
+
+#define RTN_MAX (__RTN_MAX - 1)
+
+
+/* rtm_protocol */
+
+#define RTPROT_UNSPEC 0
+#define RTPROT_REDIRECT 1 /* Route installed by ICMP redirects;
+ not used by current IPv4 */
+#define RTPROT_KERNEL 2 /* Route installed by kernel */
+#define RTPROT_BOOT 3 /* Route installed during boot */
+#define RTPROT_STATIC 4 /* Route installed by administrator */
+
+/* Values of protocol >= RTPROT_STATIC are not interpreted by kernel;
+ they are just passed from user and back as is.
+ It will be used by hypothetical multiple routing daemons.
+ Note that protocol values should be standardized in order to
+ avoid conflicts. 
+ */
+
+#define RTPROT_GATED 8 /* Apparently, GateD */
+#define RTPROT_RA 9 /* RDISC/ND router advertisements */
+#define RTPROT_MRT 10 /* Merit MRT */
+#define RTPROT_ZEBRA 11 /* Zebra */
+#define RTPROT_BIRD 12 /* BIRD */
+#define RTPROT_DNROUTED 13 /* DECnet routing daemon */
+#define RTPROT_XORP 14 /* XORP */
+#define RTPROT_NTK 15 /* Netsukuku */
+
+/* rtm_scope
+
+ Really it is not scope, but sort of distance to the destination.
+ NOWHERE are reserved for not existing destinations, HOST is our
+ local addresses, LINK are destinations, located on directly attached
+ link and UNIVERSE is everywhere in the Universe.
+
+ Intermediate values are also possible f.e. interior routes
+ could be assigned a value between UNIVERSE and LINK.
+*/
+
+enum rt_scope_t
+{
+ RT_SCOPE_UNIVERSE=0,
+/* User defined values */
+ RT_SCOPE_SITE=200,
+ RT_SCOPE_LINK=253,
+ RT_SCOPE_HOST=254,
+ RT_SCOPE_NOWHERE=255
+};
+
+/* rtm_flags */
+
+#define RTM_F_NOTIFY 0x100 /* Notify user of route change */
+#define RTM_F_CLONED 0x200 /* This route is cloned */
+#define RTM_F_EQUALIZE 0x400 /* Multipath equalizer: NI */
+#define RTM_F_PREFIX 0x800 /* Prefix addresses */
+
+/* Reserved table identifiers */
+
+enum rt_class_t
+{
+ RT_TABLE_UNSPEC=0,
+/* User defined values */
+ RT_TABLE_DEFAULT=253,
+ RT_TABLE_MAIN=254,
+ RT_TABLE_LOCAL=255,
+ __RT_TABLE_MAX
+};
+#define RT_TABLE_MAX (__RT_TABLE_MAX - 1)
+
+
+
+/* Routing message attributes */
+
+enum rtattr_type_t
+{
+ RTA_UNSPEC,
+ RTA_DST,
+ RTA_SRC,
+ RTA_IIF,
+ RTA_OIF,
+ RTA_GATEWAY,
+ RTA_PRIORITY,
+ RTA_PREFSRC,
+ RTA_METRICS,
+ RTA_MULTIPATH,
+ RTA_PROTOINFO,
+ RTA_FLOW,
+ RTA_CACHEINFO,
+ RTA_SESSION,
+ RTA_MP_ALGO,
+ __RTA_MAX
+};
+
+#define RTA_MAX (__RTA_MAX - 1)
+
+#define RTM_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct rtmsg))))
+#define RTM_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct rtmsg))
+
+/* RTM_MULTIPATH --- array of struct rtnexthop. 
+ * + * "struct rtnexthop" describes all necessary nexthop information, + * i.e. parameters of path to a destination via this nexthop. + * + * At the moment it is impossible to set different prefsrc, mtu, window + * and rtt for different paths from multipath. + */ + +struct rtnexthop +{ + unsigned short rtnh_len; + unsigned char rtnh_flags; + unsigned char rtnh_hops; + int rtnh_ifindex; +}; + +/* rtnh_flags */ + +#define RTNH_F_DEAD 1 /* Nexthop is dead (used by multipath) */ +#define RTNH_F_PERVASIVE 2 /* Do recursive gateway lookup */ +#define RTNH_F_ONLINK 4 /* Gateway is forced on link */ + +/* Macros to handle hexthops */ + +#define RTNH_ALIGNTO 4 +#define RTNH_ALIGN(len) ( ((len)+RTNH_ALIGNTO-1) & ~(RTNH_ALIGNTO-1) ) +#define RTNH_OK(rtnh,len) ((rtnh)->rtnh_len >= sizeof(struct rtnexthop) && \ + ((int)(rtnh)->rtnh_len) <= (len)) +#define RTNH_NEXT(rtnh) ((struct rtnexthop*)(((char*)(rtnh)) + RTNH_ALIGN((rtnh)->rtnh_len))) +#define RTNH_LENGTH(len) (RTNH_ALIGN(sizeof(struct rtnexthop)) + (len)) +#define RTNH_SPACE(len) RTNH_ALIGN(RTNH_LENGTH(len)) +#define RTNH_DATA(rtnh) ((struct rtattr*)(((char*)(rtnh)) + RTNH_LENGTH(0))) + +/* RTM_CACHEINFO */ + +struct rta_cacheinfo +{ + __u32 rta_clntref; + __u32 rta_lastuse; + __s32 rta_expires; + __u32 rta_error; + __u32 rta_used; + +#define RTNETLINK_HAVE_PEERINFO 1 + __u32 rta_id; + __u32 rta_ts; + __u32 rta_tsage; +}; + +/* RTM_METRICS --- array of struct rtattr with types of RTAX_* */ + +enum +{ + RTAX_UNSPEC, +#define RTAX_UNSPEC RTAX_UNSPEC + RTAX_LOCK, +#define RTAX_LOCK RTAX_LOCK + RTAX_MTU, +#define RTAX_MTU RTAX_MTU + RTAX_WINDOW, +#define RTAX_WINDOW RTAX_WINDOW + RTAX_RTT, +#define RTAX_RTT RTAX_RTT + RTAX_RTTVAR, +#define RTAX_RTTVAR RTAX_RTTVAR + RTAX_SSTHRESH, +#define RTAX_SSTHRESH RTAX_SSTHRESH + RTAX_CWND, +#define RTAX_CWND RTAX_CWND + RTAX_ADVMSS, +#define RTAX_ADVMSS RTAX_ADVMSS + RTAX_REORDERING, +#define RTAX_REORDERING RTAX_REORDERING + RTAX_HOPLIMIT, +#define RTAX_HOPLIMIT RTAX_HOPLIMIT + 
RTAX_INITCWND,
+#define RTAX_INITCWND RTAX_INITCWND
+ RTAX_FEATURES,
+#define RTAX_FEATURES RTAX_FEATURES
+ __RTAX_MAX
+};
+
+#define RTAX_MAX (__RTAX_MAX - 1)
+
+#define RTAX_FEATURE_ECN 0x00000001
+#define RTAX_FEATURE_SACK 0x00000002
+#define RTAX_FEATURE_TIMESTAMP 0x00000004
+#define RTAX_FEATURE_ALLFRAG 0x00000008
+
+struct rta_session
+{
+ __u8 proto;
+ __u8 pad1;
+ __u16 pad2;
+
+ union {
+ struct {
+ __u16 sport;
+ __u16 dport;
+ } ports;
+
+ struct {
+ __u8 type;
+ __u8 code;
+ __u16 ident;
+ } icmpt;
+
+ __u32 spi;
+ } u;
+};
+
+
+/*********************************************************
+ * Interface address.
+ ****/
+
+struct ifaddrmsg
+{
+ unsigned char ifa_family;
+ unsigned char ifa_prefixlen; /* The prefix length */
+ unsigned char ifa_flags; /* Flags */
+ unsigned char ifa_scope; /* See above */
+ int ifa_index; /* Link index */
+};
+
+enum
+{
+ IFA_UNSPEC,
+ IFA_ADDRESS,
+ IFA_LOCAL,
+ IFA_LABEL,
+ IFA_BROADCAST,
+ IFA_ANYCAST,
+ IFA_CACHEINFO,
+ IFA_MULTICAST,
+ __IFA_MAX
+};
+
+#define IFA_MAX (__IFA_MAX - 1)
+
+/* ifa_flags */
+
+#define IFA_F_SECONDARY 0x01
+#define IFA_F_TEMPORARY IFA_F_SECONDARY
+
+#define IFA_F_DEPRECATED 0x20
+#define IFA_F_TENTATIVE 0x40
+#define IFA_F_PERMANENT 0x80
+
+struct ifa_cacheinfo
+{
+ __u32 ifa_prefered;
+ __u32 ifa_valid;
+ __u32 cstamp; /* created timestamp, hundredths of seconds */
+ __u32 tstamp; /* updated timestamp, hundredths of seconds */
+};
+
+
+#define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg))))
+#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg))
+
+/*
+ Important comment:
+ IFA_ADDRESS is prefix address, rather than local interface address.
+ It makes no difference for normally configured broadcast interfaces,
+ but for point-to-point IFA_ADDRESS is DESTINATION address,
+ local address is supplied in IFA_LOCAL attribute.
+ */
+
+/**************************************************************
+ * Neighbour discovery. 
+ ****/
+
+struct ndmsg
+{
+ unsigned char ndm_family;
+ unsigned char ndm_pad1;
+ unsigned short ndm_pad2;
+ int ndm_ifindex; /* Link index */
+ __u16 ndm_state;
+ __u8 ndm_flags;
+ __u8 ndm_type;
+};
+
+enum
+{
+ NDA_UNSPEC,
+ NDA_DST,
+ NDA_LLADDR,
+ NDA_CACHEINFO,
+ NDA_PROBES,
+ __NDA_MAX
+};
+
+#define NDA_MAX (__NDA_MAX - 1)
+
+#define NDA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg))))
+#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg))
+
+/*
+ * Neighbor Cache Entry Flags
+ */
+
+#define NTF_PROXY 0x08 /* == ATF_PUBL */
+#define NTF_ROUTER 0x80
+
+/*
+ * Neighbor Cache Entry States.
+ */
+
+#define NUD_INCOMPLETE 0x01
+#define NUD_REACHABLE 0x02
+#define NUD_STALE 0x04
+#define NUD_DELAY 0x08
+#define NUD_PROBE 0x10
+#define NUD_FAILED 0x20
+
+/* Dummy states */
+#define NUD_NOARP 0x40
+#define NUD_PERMANENT 0x80
+#define NUD_NONE 0x00
+
+
+struct nda_cacheinfo
+{
+ __u32 ndm_confirmed;
+ __u32 ndm_used;
+ __u32 ndm_updated;
+ __u32 ndm_refcnt;
+};
+
+
+/*****************************************************************
+ * Neighbour tables specific messages.
+ *
+ * To retrieve the neighbour tables send RTM_GETNEIGHTBL with the
+ * NLM_F_DUMP flag set. Every neighbour table configuration is
+ * spread over multiple messages to avoid running into message
+ * size limits on systems with many interfaces. The first message
+ * in the sequence transports all not device specific data such as
+ * statistics, configuration, and the default parameter set.
+ * This message is followed by 0..n messages carrying device
+ * specific parameter sets.
+ * Although the ordering should be sufficient, NDTA_NAME can be
+ * used to identify sequences. The initial message can be identified
+ * by checking for NDTA_CONFIG. The device specific messages do
+ * not contain this TLV but have NDTPA_IFINDEX set to the
+ * corresponding interface index.
+ *
+ * To change neighbour table attributes, send RTM_SETNEIGHTBL
+ * with NDTA_NAME set. 
Changeable attribute include NDTA_THRESH[1-3],
+ * NDTA_GC_INTERVAL, and all TLVs in NDTA_PARMS unless marked
+ * otherwise. Device specific parameter sets can be changed by
+ * setting NDTPA_IFINDEX to the interface index of the corresponding
+ * device.
+ ****/
+
+struct ndt_stats
+{
+ __u64 ndts_allocs;
+ __u64 ndts_destroys;
+ __u64 ndts_hash_grows;
+ __u64 ndts_res_failed;
+ __u64 ndts_lookups;
+ __u64 ndts_hits;
+ __u64 ndts_rcv_probes_mcast;
+ __u64 ndts_rcv_probes_ucast;
+ __u64 ndts_periodic_gc_runs;
+ __u64 ndts_forced_gc_runs;
+};
+
+enum {
+ NDTPA_UNSPEC,
+ NDTPA_IFINDEX, /* __u32, unchangeable */
+ NDTPA_REFCNT, /* __u32, read-only */
+ NDTPA_REACHABLE_TIME, /* __u64, read-only, msecs */
+ NDTPA_BASE_REACHABLE_TIME, /* __u64, msecs */
+ NDTPA_RETRANS_TIME, /* __u64, msecs */
+ NDTPA_GC_STALETIME, /* __u64, msecs */
+ NDTPA_DELAY_PROBE_TIME, /* __u64, msecs */
+ NDTPA_QUEUE_LEN, /* __u32 */
+ NDTPA_APP_PROBES, /* __u32 */
+ NDTPA_UCAST_PROBES, /* __u32 */
+ NDTPA_MCAST_PROBES, /* __u32 */
+ NDTPA_ANYCAST_DELAY, /* __u64, msecs */
+ NDTPA_PROXY_DELAY, /* __u64, msecs */
+ NDTPA_PROXY_QLEN, /* __u32 */
+ NDTPA_LOCKTIME, /* __u64, msecs */
+ __NDTPA_MAX
+};
+#define NDTPA_MAX (__NDTPA_MAX - 1)
+
+struct ndtmsg
+{
+ __u8 ndtm_family;
+ __u8 ndtm_pad1;
+ __u16 ndtm_pad2;
+};
+
+struct ndt_config
+{
+ __u16 ndtc_key_len;
+ __u16 ndtc_entry_size;
+ __u32 ndtc_entries;
+ __u32 ndtc_last_flush; /* delta to now in msecs */
+ __u32 ndtc_last_rand; /* delta to now in msecs */
+ __u32 ndtc_hash_rnd;
+ __u32 ndtc_hash_mask;
+ __u32 ndtc_hash_chain_gc;
+ __u32 ndtc_proxy_qlen;
+};
+
+enum {
+ NDTA_UNSPEC,
+ NDTA_NAME, /* char *, unchangeable */
+ NDTA_THRESH1, /* __u32 */
+ NDTA_THRESH2, /* __u32 */
+ NDTA_THRESH3, /* __u32 */
+ NDTA_CONFIG, /* struct ndt_config, read-only */
+ NDTA_PARMS, /* nested TLV NDTPA_* */
+ NDTA_STATS, /* struct ndt_stats, read-only */
+ NDTA_GC_INTERVAL, /* __u64, msecs */
+ __NDTA_MAX
+};
+#define NDTA_MAX (__NDTA_MAX - 1)
+
+#define 
NDTA_RTA(r) ((struct rtattr*)(((char*)(r)) + \
+ NLMSG_ALIGN(sizeof(struct ndtmsg))))
+#define NDTA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndtmsg))
+
+
+/****
+ * General form of address family dependent message.
+ ****/
+
+struct rtgenmsg
+{
+ unsigned char rtgen_family;
+};
+
+/*****************************************************************
+ * Link layer specific messages.
+ ****/
+
+/* struct ifinfomsg
+ * passes link level specific information, not dependent
+ * on network protocol.
+ */
+
+struct ifinfomsg
+{
+ unsigned char ifi_family;
+ unsigned char __ifi_pad;
+ unsigned short ifi_type; /* ARPHRD_* */
+ int ifi_index; /* Link index */
+ unsigned ifi_flags; /* IFF_* flags */
+ unsigned ifi_change; /* IFF_* change mask */
+};
+
+/********************************************************************
+ * prefix information
+ ****/
+
+struct prefixmsg
+{
+ unsigned char prefix_family;
+ unsigned char prefix_pad1;
+ unsigned short prefix_pad2;
+ int prefix_ifindex;
+ unsigned char prefix_type;
+ unsigned char prefix_len;
+ unsigned char prefix_flags;
+ unsigned char prefix_pad3;
+};
+
+enum
+{
+ PREFIX_UNSPEC,
+ PREFIX_ADDRESS,
+ PREFIX_CACHEINFO,
+ __PREFIX_MAX
+};
+
+#define PREFIX_MAX (__PREFIX_MAX - 1)
+
+struct prefix_cacheinfo
+{
+ __u32 preferred_time;
+ __u32 valid_time;
+};
+
+/* The struct should be in sync with struct net_device_stats */
+struct rtnl_link_stats
+{
+ __u32 rx_packets; /* total packets received */
+ __u32 tx_packets; /* total packets transmitted */
+ __u32 rx_bytes; /* total bytes received */
+ __u32 tx_bytes; /* total bytes transmitted */
+ __u32 rx_errors; /* bad packets received */
+ __u32 tx_errors; /* packet transmit problems */
+ __u32 rx_dropped; /* no space in linux buffers */
+ __u32 tx_dropped; /* no space available in linux */
+ __u32 multicast; /* multicast packets received */
+ __u32 collisions;
+
+ /* detailed rx_errors: */
+ __u32 rx_length_errors;
+ __u32 rx_over_errors; /* receiver ring buff overflow */
+ __u32 
rx_crc_errors; /* recved pkt with crc error */
+ __u32 rx_frame_errors; /* recv'd frame alignment error */
+ __u32 rx_fifo_errors; /* recv'r fifo overrun */
+ __u32 rx_missed_errors; /* receiver missed packet */
+
+ /* detailed tx_errors */
+ __u32 tx_aborted_errors;
+ __u32 tx_carrier_errors;
+ __u32 tx_fifo_errors;
+ __u32 tx_heartbeat_errors;
+ __u32 tx_window_errors;
+
+ /* for cslip etc */
+ __u32 rx_compressed;
+ __u32 tx_compressed;
+};
+
+/* The struct should be in sync with struct ifmap */
+struct rtnl_link_ifmap
+{
+ __u64 mem_start;
+ __u64 mem_end;
+ __u64 base_addr;
+ __u16 irq;
+ __u8 dma;
+ __u8 port;
+};
+
+enum
+{
+ IFLA_UNSPEC,
+ IFLA_ADDRESS,
+ IFLA_BROADCAST,
+ IFLA_IFNAME,
+ IFLA_MTU,
+ IFLA_LINK,
+ IFLA_QDISC,
+ IFLA_STATS,
+ IFLA_COST,
+#define IFLA_COST IFLA_COST
+ IFLA_PRIORITY,
+#define IFLA_PRIORITY IFLA_PRIORITY
+ IFLA_MASTER,
+#define IFLA_MASTER IFLA_MASTER
+ IFLA_WIRELESS, /* Wireless Extension event - see wireless.h */
+#define IFLA_WIRELESS IFLA_WIRELESS
+ IFLA_PROTINFO, /* Protocol specific information for a link */
+#define IFLA_PROTINFO IFLA_PROTINFO
+ IFLA_TXQLEN,
+#define IFLA_TXQLEN IFLA_TXQLEN
+ IFLA_MAP,
+#define IFLA_MAP IFLA_MAP
+ IFLA_WEIGHT,
+#define IFLA_WEIGHT IFLA_WEIGHT
+ IFLA_OPERSTATE,
+ IFLA_LINKMODE,
+ __IFLA_MAX
+};
+
+
+#define IFLA_MAX (__IFLA_MAX - 1)
+
+#define IFLA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg))))
+#define IFLA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg))
+
+/* ifi_flags.
+
+ IFF_* flags.
+
+ The only change is:
+ IFF_LOOPBACK, IFF_BROADCAST and IFF_POINTOPOINT are
+ more not changeable by user. They describe link media
+ characteristics and set by device driver.
+
+ Comments:
+ - Combination IFF_BROADCAST|IFF_POINTOPOINT is invalid
+ - If neither of these three flags are set;
+ the interface is NBMA.
+
+ - IFF_MULTICAST does not mean anything special:
+ multicasts can be used on all not-NBMA links. 
+ IFF_MULTICAST means that this media uses special encapsulation
+ for multicast frames. Apparently, all IFF_POINTOPOINT and
+ IFF_BROADCAST devices are able to use multicasts too.
+ */
+
+/* IFLA_LINK.
+ For usual devices it is equal ifi_index.
+ If it is a "virtual interface" (f.e. tunnel), ifi_link
+ can point to real physical interface (f.e. for bandwidth calculations),
+ or maybe 0, what means, that real media is unknown (usual
+ for IPIP tunnels, when route to endpoint is allowed to change)
+ */
+
+/* Subtype attributes for IFLA_PROTINFO */
+enum
+{
+ IFLA_INET6_UNSPEC,
+ IFLA_INET6_FLAGS, /* link flags */
+ IFLA_INET6_CONF, /* sysctl parameters */
+ IFLA_INET6_STATS, /* statistics */
+ IFLA_INET6_MCAST, /* MC things. What of them? */
+ IFLA_INET6_CACHEINFO, /* time values and max reasm size */
+ __IFLA_INET6_MAX
+};
+
+#define IFLA_INET6_MAX (__IFLA_INET6_MAX - 1)
+
+struct ifla_cacheinfo
+{
+ __u32 max_reasm_len;
+ __u32 tstamp; /* ipv6InterfaceTable updated timestamp */
+ __u32 reachable_time;
+ __u32 retrans_time;
+};
+
+/*****************************************************************
+ * Traffic control messages. 
+ ****/
+
+struct tcmsg
+{
+ unsigned char tcm_family;
+ unsigned char tcm__pad1;
+ unsigned short tcm__pad2;
+ int tcm_ifindex;
+ __u32 tcm_handle;
+ __u32 tcm_parent;
+ __u32 tcm_info;
+};
+
+enum
+{
+ TCA_UNSPEC,
+ TCA_KIND,
+ TCA_OPTIONS,
+ TCA_STATS,
+ TCA_XSTATS,
+ TCA_RATE,
+ TCA_FCNT,
+ TCA_STATS2,
+ __TCA_MAX
+};
+
+#define TCA_MAX (__TCA_MAX - 1)
+
+#define TCA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcmsg))))
+#define TCA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcmsg))
+
+#ifndef __KERNEL__
+/* RTnetlink multicast groups - backwards compatibility for userspace */
+#define RTMGRP_LINK 1
+#define RTMGRP_NOTIFY 2
+#define RTMGRP_NEIGH 4
+#define RTMGRP_TC 8
+
+#define RTMGRP_IPV4_IFADDR 0x10
+#define RTMGRP_IPV4_MROUTE 0x20
+#define RTMGRP_IPV4_ROUTE 0x40
+#define RTMGRP_IPV4_RULE 0x80
+
+#define RTMGRP_IPV6_IFADDR 0x100
+#define RTMGRP_IPV6_MROUTE 0x200
+#define RTMGRP_IPV6_ROUTE 0x400
+#define RTMGRP_IPV6_IFINFO 0x800
+
+#define RTMGRP_DECnet_IFADDR 0x1000
+#define RTMGRP_DECnet_ROUTE 0x4000
+
+#define RTMGRP_IPV6_PREFIX 0x20000
+#endif
+
+/* RTnetlink multicast groups */
+enum rtnetlink_groups {
+ RTNLGRP_NONE,
+#define RTNLGRP_NONE RTNLGRP_NONE
+ RTNLGRP_LINK,
+#define RTNLGRP_LINK RTNLGRP_LINK
+ RTNLGRP_NOTIFY,
+#define RTNLGRP_NOTIFY RTNLGRP_NOTIFY
+ RTNLGRP_NEIGH,
+#define RTNLGRP_NEIGH RTNLGRP_NEIGH
+ RTNLGRP_TC,
+#define RTNLGRP_TC RTNLGRP_TC
+ RTNLGRP_IPV4_IFADDR,
+#define RTNLGRP_IPV4_IFADDR RTNLGRP_IPV4_IFADDR
+ RTNLGRP_IPV4_MROUTE,
+#define RTNLGRP_IPV4_MROUTE RTNLGRP_IPV4_MROUTE
+ RTNLGRP_IPV4_ROUTE,
+#define RTNLGRP_IPV4_ROUTE RTNLGRP_IPV4_ROUTE
+ RTNLGRP_IPV4_RULE,
+#define RTNLGRP_IPV4_RULE RTNLGRP_IPV4_RULE
+ RTNLGRP_IPV6_IFADDR,
+#define RTNLGRP_IPV6_IFADDR RTNLGRP_IPV6_IFADDR
+ RTNLGRP_IPV6_MROUTE,
+#define RTNLGRP_IPV6_MROUTE RTNLGRP_IPV6_MROUTE
+ RTNLGRP_IPV6_ROUTE,
+#define RTNLGRP_IPV6_ROUTE RTNLGRP_IPV6_ROUTE
+ RTNLGRP_IPV6_IFINFO,
+#define RTNLGRP_IPV6_IFINFO RTNLGRP_IPV6_IFINFO
+ RTNLGRP_DECnet_IFADDR, 
+#define RTNLGRP_DECnet_IFADDR RTNLGRP_DECnet_IFADDR
+ RTNLGRP_NOP2,
+ RTNLGRP_DECnet_ROUTE,
+#define RTNLGRP_DECnet_ROUTE RTNLGRP_DECnet_ROUTE
+ RTNLGRP_NOP3,
+ RTNLGRP_NOP4,
+ RTNLGRP_IPV6_PREFIX,
+#define RTNLGRP_IPV6_PREFIX RTNLGRP_IPV6_PREFIX
+ __RTNLGRP_MAX
+};
+#define RTNLGRP_MAX (__RTNLGRP_MAX - 1)
+
+/* TC action piece */
+struct tcamsg
+{
+ unsigned char tca_family;
+ unsigned char tca__pad1;
+ unsigned short tca__pad2;
+};
+#define TA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcamsg))))
+#define TA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcamsg))
+#define TCA_ACT_TAB 1 /* attr type must be >=1 */
+#define TCAA_MAX 1
+
+/* End of information exported to user level */
+
+#ifdef __KERNEL__
+
+#include
+#include
+
+extern size_t rtattr_strlcpy(char *dest, const struct rtattr *rta, size_t size);
+static __inline__ int rtattr_strcmp(const struct rtattr *rta, const char *str)
+{
+ int len = strlen(str) + 1;
+ return len > rta->rta_len || memcmp(RTA_DATA(rta), str, len);
+}
+
+extern int rtattr_parse(struct rtattr *tb[], int maxattr, struct rtattr *rta, int len);
+
+#define rtattr_parse_nested(tb, max, rta) \
+ rtattr_parse((tb), (max), RTA_DATA((rta)), RTA_PAYLOAD((rta)))
+
+extern struct sock *rtnl;
+
+struct rtnetlink_link
+{
+ int (*doit)(struct sk_buff *, struct nlmsghdr*, void *attr);
+ int (*dumpit)(struct sk_buff *, struct netlink_callback *cb);
+};
+
+extern struct rtnetlink_link * rtnetlink_links[NPROTO];
+extern int rtnetlink_send(struct sk_buff *skb, __u32 pid, __u32 group, int echo);
+extern int rtnetlink_put_metrics(struct sk_buff *skb, __u32 *metrics);
+
+extern void __rta_fill(struct sk_buff *skb, int attrtype, int attrlen, const void *data);
+
+#define RTA_PUT(skb, attrtype, attrlen, data) \
+({ if (unlikely(skb_tailroom(skb) < (int)RTA_SPACE(attrlen))) \
+ goto rtattr_failure; \
+ __rta_fill(skb, attrtype, attrlen, data); })
+
+#define RTA_APPEND(skb, attrlen, data) \
+({ if (unlikely(skb_tailroom(skb) <
(int)(attrlen))) \
+ goto rtattr_failure; \
+ memcpy(skb_put(skb, attrlen), data, attrlen); })
+
+#define RTA_PUT_NOHDR(skb, attrlen, data) \
+({ RTA_APPEND(skb, RTA_ALIGN(attrlen), data); \
+ memset(skb->tail - (RTA_ALIGN(attrlen) - attrlen), 0, \
+ RTA_ALIGN(attrlen) - attrlen); })
+
+#define RTA_PUT_U8(skb, attrtype, value) \
+({ __u8 _tmp = (value); \
+ RTA_PUT(skb, attrtype, sizeof(__u8), &_tmp); })
+
+#define RTA_PUT_U16(skb, attrtype, value) \
+({ __u16 _tmp = (value); \
+ RTA_PUT(skb, attrtype, sizeof(__u16), &_tmp); })
+
+#define RTA_PUT_U32(skb, attrtype, value) \
+({ __u32 _tmp = (value); \
+ RTA_PUT(skb, attrtype, sizeof(__u32), &_tmp); })
+
+#define RTA_PUT_U64(skb, attrtype, value) \
+({ __u64 _tmp = (value); \
+ RTA_PUT(skb, attrtype, sizeof(__u64), &_tmp); })
+
+#define RTA_PUT_SECS(skb, attrtype, value) \
+ RTA_PUT_U64(skb, attrtype, (value) / HZ)
+
+#define RTA_PUT_MSECS(skb, attrtype, value) \
+ RTA_PUT_U64(skb, attrtype, jiffies_to_msecs(value))
+
+#define RTA_PUT_STRING(skb, attrtype, value) \
+ RTA_PUT(skb, attrtype, strlen(value) + 1, value)
+
+#define RTA_PUT_FLAG(skb, attrtype) \
+ RTA_PUT(skb, attrtype, 0, NULL);
+
+#define RTA_NEST(skb, type) \
+({ struct rtattr *__start = (struct rtattr *) (skb)->tail; \
+ RTA_PUT(skb, type, 0, NULL); \
+ __start; })
+
+#define RTA_NEST_END(skb, start) \
+({ (start)->rta_len = ((skb)->tail - (unsigned char *) (start)); \
+ (skb)->len; })
+
+#define RTA_NEST_CANCEL(skb, start) \
+({ if (start) \
+ skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
+ -1; })
+
+#define RTA_GET_U8(rta) \
+({ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u8)) \
+ goto rtattr_failure; \
+ *(__u8 *) RTA_DATA(rta); })
+
+#define RTA_GET_U16(rta) \
+({ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u16)) \
+ goto rtattr_failure; \
+ *(__u16 *) RTA_DATA(rta); })
+
+#define RTA_GET_U32(rta) \
+({ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u32)) \
+ goto rtattr_failure; \
+ *(__u32 *) RTA_DATA(rta); })
+
+#define RTA_GET_U64(rta) \
+({ __u64
_tmp; \
+ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u64)) \
+ goto rtattr_failure; \
+ memcpy(&_tmp, RTA_DATA(rta), sizeof(_tmp)); \
+ _tmp; })
+
+#define RTA_GET_FLAG(rta) (!!(rta))
+
+#define RTA_GET_SECS(rta) ((unsigned long) RTA_GET_U64(rta) * HZ)
+#define RTA_GET_MSECS(rta) (msecs_to_jiffies((unsigned long) RTA_GET_U64(rta)))
+
+static __inline__ struct rtattr *
+__rta_reserve(struct sk_buff *skb, int attrtype, int attrlen)
+{
+ struct rtattr *rta;
+ int size = RTA_LENGTH(attrlen);
+
+ rta = (struct rtattr*)skb_put(skb, RTA_ALIGN(size));
+ rta->rta_type = attrtype;
+ rta->rta_len = size;
+ memset(RTA_DATA(rta) + attrlen, 0, RTA_ALIGN(size) - size);
+ return rta;
+}
+
+#define __RTA_PUT(skb, attrtype, attrlen) \
+({ if (unlikely(skb_tailroom(skb) < (int)RTA_SPACE(attrlen))) \
+ goto rtattr_failure; \
+ __rta_reserve(skb, attrtype, attrlen); })
+
+extern void rtmsg_ifinfo(int type, struct net_device *dev, unsigned change);
+
+/* RTNL is used as a global lock for all changes to network configuration */
+extern void rtnl_lock(void);
+extern void rtnl_unlock(void);
+extern int rtnl_trylock(void);
+
+extern void rtnetlink_init(void);
+extern void __rtnl_unlock(void);
+
+#define ASSERT_RTNL() do { \
+ if (unlikely(rtnl_trylock())) { \
+ rtnl_unlock(); \
+ printk(KERN_ERR "RTNL: assertion failed at %s (%d)\n", \
+ __FILE__, __LINE__); \
+ dump_stack(); \
+ } \
+} while(0)
+
+#define BUG_TRAP(x) do { \
+ if (unlikely(!(x))) { \
+ printk(KERN_ERR "KERNEL: assertion (%s) failed at %s (%d)\n", \
+ #x, __FILE__ , __LINE__); \
+ } \
+} while(0)
+
+#endif /* __KERNEL__ */
+
+
+#endif /* __LINUX_RTNETLINK_H */
diff --git a/src/include/linux/udp.h b/src/include/linux/udp.h
new file mode 100644
index 000000000..2ee121bd0
--- /dev/null
+++ b/src/include/linux/udp.h
@@ -0,0 +1,63 @@
+/*
+ * INET An implementation of the TCP/IP protocol suite for the LINUX
+ * operating system. INET is implemented using the BSD Socket
+ * interface as the means of communication with the user level.
+ *
+ * Definitions for the UDP protocol.
+ *
+ * Version: @(#)udp.h 1.0.2 04/28/93
+ *
+ * Author: Fred N. van Kempen,
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+#ifndef _LINUX_UDP_H
+#define _LINUX_UDP_H
+
+#include
+
+struct udphdr {
+ __u16 source;
+ __u16 dest;
+ __u16 len;
+ __u16 check;
+};
+
+/* UDP socket options */
+#define UDP_CORK 1 /* Never send partially complete segments */
+#define UDP_ENCAP 100 /* Set the socket to accept encapsulated packets */
+
+/* UDP encapsulation types */
+#define UDP_ENCAP_ESPINUDP_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01 */
+#define UDP_ENCAP_ESPINUDP 2 /* draft-ietf-ipsec-udp-encaps-06 */
+
+#ifdef __KERNEL__
+#include
+#include
+
+#include
+
+struct udp_sock {
+ /* inet_sock has to be the first member */
+ struct inet_sock inet;
+ int pending; /* Any pending frames ? */
+ unsigned int corkflag; /* Cork is required */
+ __u16 encap_type; /* Is this an Encapsulation socket? */
+ /*
+ * Following member retains the infomation to create a UDP header
+ * when the socket is uncorked.
+ */
+ __u16 len; /* total length of pending frames */
+};
+
+static __inline__ struct udp_sock *udp_sk(const struct sock *sk)
+{
+ return (struct udp_sock *)sk;
+}
+
+#endif
+
+#endif /* _LINUX_UDP_H */
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h
new file mode 100644
index 000000000..6b42cc474
--- /dev/null
+++ b/src/include/linux/xfrm.h
@@ -0,0 +1,343 @@
+#ifndef _LINUX_XFRM_H
+#define _LINUX_XFRM_H
+
+#include
+
+/* All of the structures in this file may not change size as they are
+ * passed into the kernel from userspace via netlink sockets.
+ */
+
+/* Structure to encapsulate addresses. I do not want to use
+ * "standard" structure. My apologies.
+ */
+typedef union
+{
+ __u32 a4;
+ __u32 a6[4];
+} xfrm_address_t;
+
+/* Ident of a specific xfrm_state. It is used on input to lookup
+ * the state by (spi,daddr,ah/esp) or to store information about
+ * spi, protocol and tunnel address on output.
+ */
+struct xfrm_id
+{
+ xfrm_address_t daddr;
+ __u32 spi;
+ __u8 proto;
+};
+
+struct xfrm_sec_ctx {
+ __u8 ctx_doi;
+ __u8 ctx_alg;
+ __u16 ctx_len;
+ __u32 ctx_sid;
+ char ctx_str[0];
+};
+
+/* Security Context Domains of Interpretation */
+#define XFRM_SC_DOI_RESERVED 0
+#define XFRM_SC_DOI_LSM 1
+
+/* Security Context Algorithms */
+#define XFRM_SC_ALG_RESERVED 0
+#define XFRM_SC_ALG_SELINUX 1
+
+/* Selector, used as selector both on policy rules (SPD) and SAs.
*/
+
+struct xfrm_selector
+{
+ xfrm_address_t daddr;
+ xfrm_address_t saddr;
+ __u16 dport;
+ __u16 dport_mask;
+ __u16 sport;
+ __u16 sport_mask;
+ __u16 family;
+ __u8 prefixlen_d;
+ __u8 prefixlen_s;
+ __u8 proto;
+ int ifindex;
+ uid_t user;
+};
+
+#define XFRM_INF (~(__u64)0)
+
+struct xfrm_lifetime_cfg
+{
+ __u64 soft_byte_limit;
+ __u64 hard_byte_limit;
+ __u64 soft_packet_limit;
+ __u64 hard_packet_limit;
+ __u64 soft_add_expires_seconds;
+ __u64 hard_add_expires_seconds;
+ __u64 soft_use_expires_seconds;
+ __u64 hard_use_expires_seconds;
+};
+
+struct xfrm_lifetime_cur
+{
+ __u64 bytes;
+ __u64 packets;
+ __u64 add_time;
+ __u64 use_time;
+};
+
+struct xfrm_replay_state
+{
+ __u32 oseq;
+ __u32 seq;
+ __u32 bitmap;
+};
+
+struct xfrm_algo {
+ char alg_name[64];
+ int alg_key_len; /* in bits */
+ char alg_key[0];
+};
+
+struct xfrm_stats {
+ __u32 replay_window;
+ __u32 replay;
+ __u32 integrity_failed;
+};
+
+enum
+{
+ XFRM_POLICY_IN = 0,
+ XFRM_POLICY_OUT = 1,
+ XFRM_POLICY_FWD = 2,
+ XFRM_POLICY_MAX = 3
+};
+
+enum
+{
+ XFRM_SHARE_ANY, /* No limitations */
+ XFRM_SHARE_SESSION, /* For this session only */
+ XFRM_SHARE_USER, /* For this user only */
+ XFRM_SHARE_UNIQUE /* Use once */
+};
+
+/* Netlink configuration messages.
*/
+enum {
+ XFRM_MSG_BASE = 0x10,
+
+ XFRM_MSG_NEWSA = 0x10,
+#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
+ XFRM_MSG_DELSA,
+#define XFRM_MSG_DELSA XFRM_MSG_DELSA
+ XFRM_MSG_GETSA,
+#define XFRM_MSG_GETSA XFRM_MSG_GETSA
+
+ XFRM_MSG_NEWPOLICY,
+#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
+ XFRM_MSG_DELPOLICY,
+#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
+ XFRM_MSG_GETPOLICY,
+#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
+
+ XFRM_MSG_ALLOCSPI,
+#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
+ XFRM_MSG_ACQUIRE,
+#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
+ XFRM_MSG_EXPIRE,
+#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
+
+ XFRM_MSG_UPDPOLICY,
+#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
+ XFRM_MSG_UPDSA,
+#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
+
+ XFRM_MSG_POLEXPIRE,
+#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
+
+ XFRM_MSG_FLUSHSA,
+#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
+ XFRM_MSG_FLUSHPOLICY,
+#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
+
+ XFRM_MSG_NEWAE,
+#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
+ XFRM_MSG_GETAE,
+#define XFRM_MSG_GETAE XFRM_MSG_GETAE
+ __XFRM_MSG_MAX
+};
+#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
+
+#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
+
+/*
+ * Generic LSM security context for comunicating to user space
+ * NOTE: Same format as sadb_x_sec_ctx
+ */
+struct xfrm_user_sec_ctx {
+ __u16 len;
+ __u16 exttype;
+ __u8 ctx_alg; /* LSMs: e.g., selinux == 1 */
+ __u8 ctx_doi;
+ __u16 ctx_len;
+};
+
+struct xfrm_user_tmpl {
+ struct xfrm_id id;
+ __u16 family;
+ xfrm_address_t saddr;
+ __u32 reqid;
+ __u8 mode;
+ __u8 share;
+ __u8 optional;
+ __u32 aalgos;
+ __u32 ealgos;
+ __u32 calgos;
+};
+
+struct xfrm_encap_tmpl {
+ __u16 encap_type;
+ __u16 encap_sport;
+ __u16 encap_dport;
+ xfrm_address_t encap_oa;
+};
+
+/* AEVENT flags */
+enum xfrm_ae_ftype_t {
+ XFRM_AE_UNSPEC,
+ XFRM_AE_RTHR=1, /* replay threshold*/
+ XFRM_AE_RVAL=2, /* replay value */
+ XFRM_AE_LVAL=4, /* lifetime value */
+ XFRM_AE_ETHR=8, /* expiry timer threshold
*/
+ XFRM_AE_CR=16, /* Event cause is replay update */
+ XFRM_AE_CE=32, /* Event cause is timer expiry */
+ XFRM_AE_CU=64, /* Event cause is policy update */
+ __XFRM_AE_MAX
+
+#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
+};
+
+/* Netlink message attributes. */
+enum xfrm_attr_type_t {
+ XFRMA_UNSPEC,
+ XFRMA_ALG_AUTH, /* struct xfrm_algo */
+ XFRMA_ALG_CRYPT, /* struct xfrm_algo */
+ XFRMA_ALG_COMP, /* struct xfrm_algo */
+ XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */
+ XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
+ XFRMA_SA,
+ XFRMA_POLICY,
+ XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */
+ XFRMA_LTIME_VAL,
+ XFRMA_REPLAY_VAL,
+ XFRMA_REPLAY_THRESH,
+ XFRMA_ETIMER_THRESH,
+ __XFRMA_MAX
+
+#define XFRMA_MAX (__XFRMA_MAX - 1)
+};
+
+struct xfrm_usersa_info {
+ struct xfrm_selector sel;
+ struct xfrm_id id;
+ xfrm_address_t saddr;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ struct xfrm_stats stats;
+ __u32 seq;
+ __u32 reqid;
+ __u16 family;
+ __u8 mode; /* 0=transport,1=tunnel */
+ __u8 replay_window;
+ __u8 flags;
+#define XFRM_STATE_NOECN 1
+#define XFRM_STATE_DECAP_DSCP 2
+#define XFRM_STATE_NOPMTUDISC 4
+};
+
+struct xfrm_usersa_id {
+ xfrm_address_t daddr;
+ __u32 spi;
+ __u16 family;
+ __u8 proto;
+};
+
+struct xfrm_aevent_id {
+ struct xfrm_usersa_id sa_id;
+ __u32 flags;
+};
+
+struct xfrm_userspi_info {
+ struct xfrm_usersa_info info;
+ __u32 min;
+ __u32 max;
+};
+
+struct xfrm_userpolicy_info {
+ struct xfrm_selector sel;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ __u32 priority;
+ __u32 index;
+ __u8 dir;
+ __u8 action;
+#define XFRM_POLICY_ALLOW 0
+#define XFRM_POLICY_BLOCK 1
+ __u8 flags;
+#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
+ __u8 share;
+};
+
+struct xfrm_userpolicy_id {
+ struct xfrm_selector sel;
+ __u32 index;
+ __u8 dir;
+};
+
+struct xfrm_user_acquire {
+ struct xfrm_id id;
+ xfrm_address_t saddr;
+ struct xfrm_selector sel;
+ struct
xfrm_userpolicy_info policy;
+ __u32 aalgos;
+ __u32 ealgos;
+ __u32 calgos;
+ __u32 seq;
+};
+
+struct xfrm_user_expire {
+ struct xfrm_usersa_info state;
+ __u8 hard;
+};
+
+struct xfrm_user_polexpire {
+ struct xfrm_userpolicy_info pol;
+ __u8 hard;
+};
+
+struct xfrm_usersa_flush {
+ __u8 proto;
+};
+
+#ifndef __KERNEL__
+/* backwards compatibility for userspace */
+#define XFRMGRP_ACQUIRE 1
+#define XFRMGRP_EXPIRE 2
+#define XFRMGRP_SA 4
+#define XFRMGRP_POLICY 8
+#endif
+
+enum xfrm_nlgroups {
+ XFRMNLGRP_NONE,
+#define XFRMNLGRP_NONE XFRMNLGRP_NONE
+ XFRMNLGRP_ACQUIRE,
+#define XFRMNLGRP_ACQUIRE XFRMNLGRP_ACQUIRE
+ XFRMNLGRP_EXPIRE,
+#define XFRMNLGRP_EXPIRE XFRMNLGRP_EXPIRE
+ XFRMNLGRP_SA,
+#define XFRMNLGRP_SA XFRMNLGRP_SA
+ XFRMNLGRP_POLICY,
+#define XFRMNLGRP_POLICY XFRMNLGRP_POLICY
+ XFRMNLGRP_AEVENTS,
+#define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS
+ __XFRMNLGRP_MAX
+};
+#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1)
+
+#endif /* _LINUX_XFRM_H */
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index eaf0e9d79..3a12ba5b9 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -98,6 +98,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
@@ -110,6 +111,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -120,8 +122,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
 USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
 USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
 USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
 USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
 USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
 USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
 USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
 USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -143,6 +149,7 @@ am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
+backenddir = @backenddir@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -152,6 +159,8 @@ build_vendor = @build_vendor@
 confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
 docdir = @docdir@
 dvidir = @dvidir@
 eapdir = @eapdir@
@@ -165,9 +174,13 @@ htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+interfacedir = @interfacedir@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
 libdir = @libdir@
 libexecdir = @libexecdir@
+linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
@@ -182,6 +195,8 @@ sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
 sbin_SCRIPTS = ipsec
 CLEANFILES = ipsec
 dist_man8_MANS = ipsec.8
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in
index bd74b6f16..067d24784 100755
--- a/src/ipsec/ipsec.in
+++ b/src/ipsec/ipsec.in
@@ -111,10 +111,8 @@ down)
 fi
 exit 0
 ;;
-listalgs|listpubkeys|listaacerts|\
-listacerts|listgroups|\listcards|\
-rereadsecrets|rereadgroups|\
-rereadaacerts|rereadacerts)
+listalgs|listpubkeys|\listcards|\
+rereadsecrets|rereadgroups)
 op="$1"
 shift
 if test -e $IPSEC_PLUTO_PID
@@ -123,9 +121,11 @@ rereadaacerts|rereadacerts)
 fi
 exit 0
 ;;
-listcerts|listcacerts|listocspcerts|\
+listcerts|listcacerts|listaacerts|\
+listacerts|listgroups|listocspcerts|\
 listcainfos|listcrls|listocsp|listall|\
-rereadcacerts|rereadocspcerts|rereadcrls|\
+rereadcacerts|rereadaacerts|rereadacerts|\
+rereadocspcerts|rereadcrls|\
 rereadall|purgeocsp)
 op="$1"
 shift
diff --git a/src/libcrypto/Makefile.am b/src/libcrypto/Makefile.am
index 23066033d..4416c8daf 100644
--- a/src/libcrypto/Makefile.am
+++ b/src/libcrypto/Makefile.am
@@ -5,7 +5,7 @@ include/md32_common.h include/cbc_generic.h include/hmac_generic.h libblowfish/b
 libblowfish/bf_pi.h libblowfish/bf_locl.h libblowfish/bf_enc.c libsha2/hmac_sha2.c libsha2/sha2.h libsha2/hmac_sha2.h \
 libsha2/sha2.c libserpent/serpent_cbc.c libserpent/serpent_cbc.h libserpent/serpent.c libserpent/serpent.h \
 libtwofish/twofish_cbc.h libtwofish/twofish_cbc.c libtwofish/twofish.c libtwofish/twofish.h libdes/des_enc.c \
-libdes/podd.h libdes/sk.h libdes/set_key.c libdes/speed.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
-libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_opts.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
+libdes/podd.h libdes/sk.h libdes/set_key.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
+libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
 INCLUDES = -I$(top_srcdir)/src/libcrypto/include
diff --git a/src/libcrypto/Makefile.in b/src/libcrypto/Makefile.in
index 63b7d4907..dca1b18e7 100644
--- a/src/libcrypto/Makefile.in
+++ b/src/libcrypto/Makefile.in
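Review bot: The rewritten pattern `listalgs|listpubkeys|\listcards|\` keeps a backslash inside the alternation that was already present on the old line and could have been dropped while the line was being touched; in POSIX sh `\l` only quotes a literal `l`, so `\listcards` still matches `listcards`, but it reads like a misplaced continuation and should be `listalgs|listpubkeys|listcards|\`. The second hunk moves listaacerts, listacerts, listgroups, rereadaacerts and rereadacerts out of the arm guarded by `if test -e $IPSEC_PLUTO_PID` into the next arm, so those commands are now dispatched to a different daemon; the body of that second arm lies outside the hunk, so whether it performs an equivalent pid-file check before forwarding the operation cannot be confirmed here. Both case arms continue past the hunk boundaries.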
@@ -52,9 +52,9 @@ am_libcrypto_a_OBJECTS = aes_xcbc_mac.$(OBJEXT) aes_cbc.$(OBJEXT) \
 aes.$(OBJEXT) bf_skey.$(OBJEXT) bf_enc.$(OBJEXT) \
 hmac_sha2.$(OBJEXT) sha2.$(OBJEXT) serpent_cbc.$(OBJEXT) \
 serpent.$(OBJEXT) twofish_cbc.$(OBJEXT) twofish.$(OBJEXT) \
- des_enc.$(OBJEXT) set_key.$(OBJEXT) speed.$(OBJEXT) \
- fcrypt_b.$(OBJEXT) fcrypt.$(OBJEXT) destest.$(OBJEXT) \
- cbc_enc.$(OBJEXT) ecb_enc.$(OBJEXT) des_opts.$(OBJEXT)
+ des_enc.$(OBJEXT) set_key.$(OBJEXT) fcrypt_b.$(OBJEXT) \
+ fcrypt.$(OBJEXT) destest.$(OBJEXT) cbc_enc.$(OBJEXT) \
+ ecb_enc.$(OBJEXT)
 libcrypto_a_OBJECTS = $(am_libcrypto_a_OBJECTS)
 DEFAULT_INCLUDES = -I. -I$(srcdir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -116,6 +116,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
@@ -128,6 +129,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -138,8 +140,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
 USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
 USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
 USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
 USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
 USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
 USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
 USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
 USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -161,6 +167,7 @@ am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
+backenddir = @backenddir@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -170,6 +177,8 @@ build_vendor = @build_vendor@
 confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
 docdir = @docdir@
 dvidir = @dvidir@
 eapdir = @eapdir@
@@ -183,9 +192,13 @@ htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
+interfacedir = @interfacedir@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
 libdir = @libdir@
 libexecdir = @libexecdir@
+linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
@@ -200,6 +213,8 @@ sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
 noinst_LIBRARIES = libcrypto.a
 libcrypto_a_SOURCES = \
 libaes/aes_xcbc_mac.c libaes/aes_cbc.c libaes/aes_xcbc_mac.h libaes/aes_cbc.h libaes/aes.c libaes/aes.h \
@@ -207,8 +222,8 @@ include/md32_common.h include/cbc_generic.h include/hmac_generic.h libblowfish/b
 libblowfish/bf_pi.h libblowfish/bf_locl.h libblowfish/bf_enc.c libsha2/hmac_sha2.c libsha2/sha2.h libsha2/hmac_sha2.h \
 libsha2/sha2.c libserpent/serpent_cbc.c libserpent/serpent_cbc.h libserpent/serpent.c libserpent/serpent.h \
 libtwofish/twofish_cbc.h libtwofish/twofish_cbc.c libtwofish/twofish.c libtwofish/twofish.h libdes/des_enc.c \
-libdes/podd.h libdes/sk.h libdes/set_key.c libdes/speed.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
-libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_opts.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
+libdes/podd.h libdes/sk.h libdes/set_key.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
+libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
 INCLUDES = -I$(top_srcdir)/src/libcrypto/include
 all: all-am
@@ -265,7 +280,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bf_skey.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cbc_enc.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_enc.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_opts.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/destest.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ecb_enc.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fcrypt.Po@am__quote@
@@ -275,7 +289,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent_cbc.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_key.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/speed.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish_cbc.Po@am__quote@
@@ -482,20 +495,6 @@ set_key.obj: libdes/set_key.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_key.obj `if test -f 'libdes/set_key.c'; then $(CYGPATH_W) 'libdes/set_key.c'; else $(CYGPATH_W) '$(srcdir)/libdes/set_key.c'; fi`
-speed.o: libdes/speed.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT speed.o -MD -MP -MF "$(DEPDIR)/speed.Tpo" -c -o speed.o `test -f 'libdes/speed.c' || echo '$(srcdir)/'`libdes/speed.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/speed.Tpo" "$(DEPDIR)/speed.Po"; else rm -f "$(DEPDIR)/speed.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/speed.c' object='speed.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o speed.o `test -f 'libdes/speed.c' || echo '$(srcdir)/'`libdes/speed.c
-
-speed.obj: libdes/speed.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT speed.obj -MD -MP -MF "$(DEPDIR)/speed.Tpo" -c -o speed.obj `if test -f 'libdes/speed.c'; then $(CYGPATH_W) 'libdes/speed.c'; else $(CYGPATH_W) '$(srcdir)/libdes/speed.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/speed.Tpo" "$(DEPDIR)/speed.Po"; else rm -f "$(DEPDIR)/speed.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/speed.c' object='speed.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o speed.obj `if test -f
'libdes/speed.c'; then $(CYGPATH_W) 'libdes/speed.c'; else $(CYGPATH_W) '$(srcdir)/libdes/speed.c'; fi`
-
 fcrypt_b.o: libdes/fcrypt_b.c
 @am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fcrypt_b.o -MD -MP -MF "$(DEPDIR)/fcrypt_b.Tpo" -c -o fcrypt_b.o `test -f 'libdes/fcrypt_b.c' || echo '$(srcdir)/'`libdes/fcrypt_b.c; \
 @am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/fcrypt_b.Tpo" "$(DEPDIR)/fcrypt_b.Po"; else rm -f "$(DEPDIR)/fcrypt_b.Tpo"; exit 1; fi
@@ -566,20 +565,6 @@ ecb_enc.obj: libdes/ecb_enc.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ecb_enc.obj `if test -f 'libdes/ecb_enc.c'; then $(CYGPATH_W) 'libdes/ecb_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/ecb_enc.c'; fi`
-des_opts.o: libdes/des_opts.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_opts.o -MD -MP -MF "$(DEPDIR)/des_opts.Tpo" -c -o des_opts.o `test -f 'libdes/des_opts.c' || echo '$(srcdir)/'`libdes/des_opts.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/des_opts.Tpo" "$(DEPDIR)/des_opts.Po"; else rm -f "$(DEPDIR)/des_opts.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/des_opts.c' object='des_opts.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_opts.o `test -f 'libdes/des_opts.c' || echo '$(srcdir)/'`libdes/des_opts.c
-
-des_opts.obj: libdes/des_opts.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_opts.obj -MD -MP -MF "$(DEPDIR)/des_opts.Tpo" -c -o des_opts.obj `if test -f 'libdes/des_opts.c'; then $(CYGPATH_W) 'libdes/des_opts.c'; else $(CYGPATH_W) '$(srcdir)/libdes/des_opts.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/des_opts.Tpo" "$(DEPDIR)/des_opts.Po"; else rm -f "$(DEPDIR)/des_opts.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/des_opts.c' object='des_opts.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES)
$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_opts.obj `if test -f 'libdes/des_opts.c'; then $(CYGPATH_W) 'libdes/des_opts.c'; else $(CYGPATH_W) '$(srcdir)/libdes/des_opts.c'; fi`
-
 mostlyclean-libtool:
 -rm -f *.lo
diff --git a/src/libcrypto/libdes/des_opts.c b/src/libcrypto/libdes/des_opts.c
deleted file mode 100644
index b6693c405..000000000
--- a/src/libcrypto/libdes/des_opts.c
+++ /dev/null
@@ -1,620 +0,0 @@ -/* crypto/des/des_opts.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* define PART1, PART2, PART3 or PART4 to build only with a few of the options. - * This is for machines with 64k code segment size restrictions. */ - -#ifndef MSDOS -#define TIMES -#endif - -#include -#ifndef MSDOS -#include -#else -#include -extern void exit(); -#endif -#include -#ifndef VMS -#ifndef _IRIX -#include -#endif -#ifdef TIMES -#include -#include -#endif -#else /* VMS */ -#include -struct tms { - time_t tms_utime; - time_t tms_stime; - time_t tms_uchild; /* I dunno... 
*/ - time_t tms_uchildsys; /* so these names are a guess :-) */ - } -#endif -#ifndef TIMES -#include -#endif - -#ifdef sun -#include -#include -#endif - -#include "des_locl.h" -#include "spr.h" - -#define DES_DEFAULT_OPTIONS - -#if !defined(PART1) && !defined(PART2) && !defined(PART3) && !defined(PART4) -#define PART1 -#define PART2 -#define PART3 -#define PART4 -#endif - -#ifdef PART1 - -#undef DES_UNROLL -#undef DES_RISC1 -#undef DES_RISC2 -#undef DES_PTR -#undef D_ENCRYPT -#define des_encrypt des_encrypt_u4_cisc_idx -#define des_encrypt2 des_encrypt2_u4_cisc_idx -#define des_encrypt3 des_encrypt3_u4_cisc_idx -#define des_decrypt3 des_decrypt3_u4_cisc_idx -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#define DES_UNROLL -#undef DES_RISC1 -#undef DES_RISC2 -#undef DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_idx -#define des_encrypt2 des_encrypt2_u16_cisc_idx -#define des_encrypt3 des_encrypt3_u16_cisc_idx -#define des_decrypt3 des_decrypt3_u16_cisc_idx -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#undef DES_UNROLL -#define DES_RISC1 -#undef DES_RISC2 -#undef DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_idx -#define des_encrypt2 des_encrypt2_u4_risc1_idx -#define des_encrypt3 des_encrypt3_u4_risc1_idx -#define des_decrypt3 des_decrypt3_u4_risc1_idx -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#endif - -#ifdef PART2 - -#undef DES_UNROLL -#undef DES_RISC1 -#define DES_RISC2 -#undef DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_idx -#define des_encrypt2 des_encrypt2_u4_risc2_idx -#define des_encrypt3 des_encrypt3_u4_risc2_idx -#define des_decrypt3 des_decrypt3_u4_risc2_idx -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#define 
DES_UNROLL -#define DES_RISC1 -#undef DES_RISC2 -#undef DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc1_idx -#define des_encrypt2 des_encrypt2_u16_risc1_idx -#define des_encrypt3 des_encrypt3_u16_risc1_idx -#define des_decrypt3 des_decrypt3_u16_risc1_idx -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#define DES_UNROLL -#undef DES_RISC1 -#define DES_RISC2 -#undef DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc2_idx -#define des_encrypt2 des_encrypt2_u16_risc2_idx -#define des_encrypt3 des_encrypt3_u16_risc2_idx -#define des_decrypt3 des_decrypt3_u16_risc2_idx -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#endif - -#ifdef PART3 - -#undef DES_UNROLL -#undef DES_RISC1 -#undef DES_RISC2 -#define DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u4_cisc_ptr -#define des_encrypt2 des_encrypt2_u4_cisc_ptr -#define des_encrypt3 des_encrypt3_u4_cisc_ptr -#define des_decrypt3 des_decrypt3_u4_cisc_ptr -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#define DES_UNROLL -#undef DES_RISC1 -#undef DES_RISC2 -#define DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_ptr -#define des_encrypt2 des_encrypt2_u16_cisc_ptr -#define des_encrypt3 des_encrypt3_u16_cisc_ptr -#define des_decrypt3 des_decrypt3_u16_cisc_ptr -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#undef DES_UNROLL -#define DES_RISC1 -#undef DES_RISC2 -#define DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_ptr -#define des_encrypt2 des_encrypt2_u4_risc1_ptr -#define des_encrypt3 des_encrypt3_u4_risc1_ptr 
-#define des_decrypt3 des_decrypt3_u4_risc1_ptr -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#endif - -#ifdef PART4 - -#undef DES_UNROLL -#undef DES_RISC1 -#define DES_RISC2 -#define DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_ptr -#define des_encrypt2 des_encrypt2_u4_risc2_ptr -#define des_encrypt3 des_encrypt3_u4_risc2_ptr -#define des_decrypt3 des_decrypt3_u4_risc2_ptr -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#define DES_UNROLL -#define DES_RISC1 -#undef DES_RISC2 -#define DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc1_ptr -#define des_encrypt2 des_encrypt2_u16_risc1_ptr -#define des_encrypt3 des_encrypt3_u16_risc1_ptr -#define des_decrypt3 des_decrypt3_u16_risc1_ptr -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#define DES_UNROLL -#undef DES_RISC1 -#define DES_RISC2 -#define DES_PTR -#undef D_ENCRYPT -#undef des_encrypt -#undef des_encrypt2 -#undef des_encrypt3 -#undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc2_ptr -#define des_encrypt2 des_encrypt2_u16_risc2_ptr -#define des_encrypt3 des_encrypt3_u16_risc2_ptr -#define des_decrypt3 des_decrypt3_u16_risc2_ptr -#undef HEADER_DES_LOCL_H -#include "des_enc.c" - -#endif - -/* The following if from times(3) man page. 
It may need to be changed */ -#ifndef HZ -# ifndef CLK_TCK -# ifndef _BSD_CLK_TCK_ /* FreeBSD fix */ -# ifndef VMS -# define HZ 100.0 -# else /* VMS */ -# define HZ 100.0 -# endif -# else /* _BSD_CLK_TCK_ */ -# define HZ ((double)_BSD_CLK_TCK_) -# endif -# else /* CLK_TCK */ -# define HZ ((double)CLK_TCK) -# endif -#endif - -#define BUFSIZE ((long)1024) -long run=0; - -#ifndef NOPROTO -double Time_F(int s); -#else -double Time_F(); -#endif - -#ifdef SIGALRM -#if defined(__STDC__) || defined(sgi) -#define SIGRETTYPE void -#else -#define SIGRETTYPE int -#endif - -#ifndef NOPROTO -SIGRETTYPE sig_done(int sig); -#else -SIGRETTYPE sig_done(); -#endif - -SIGRETTYPE sig_done(sig) -int sig; - { - signal(SIGALRM,sig_done); - run=0; -#ifdef LINT - sig=sig; -#endif - } -#endif - -#define START 0 -#define STOP 1 - -double Time_F(s) -int s; - { - double ret; -#ifdef TIMES - static struct tms tstart,tend; - - if (s == START) - { - times(&tstart); - return(0); - } - else - { - times(&tend); - ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ; - return((ret == 0.0)?1e-6:ret); - } -#else /* !times() */ - static struct timeb tstart,tend; - long i; - - if (s == START) - { - ftime(&tstart); - return(0); - } - else - { - ftime(&tend); - i=(long)tend.millitm-(long)tstart.millitm; - ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; - return((ret == 0.0)?1e-6:ret); - } -#endif - } - -#ifdef SIGALRM -#define print_name(name) fprintf(stderr,"Doing %s's for 10 seconds\n",name); alarm(10); -#else -#define print_name(name) fprintf(stderr,"Doing %s %ld times\n",name,cb); -#endif - -#define time_it(func,name,index) \ - print_name(name); \ - Time_F(START); \ - for (count=0,run=1; COND(cb); count++) \ - { \ - unsigned long d[2]; \ - func(d,&(sch[0]),DES_ENCRYPT); \ - } \ - tm[index]=Time_F(STOP); \ - fprintf(stderr,"%ld %s's in %.2f second\n",count,name,tm[index]); \ - tm[index]=((double)COUNT(cb))/tm[index]; - -#define print_it(name,index) \ - fprintf(stderr,"%s bytes per sec = %12.2f 
(%5.1fuS)\n",name, \ - tm[index]*8,1.0e6/tm[index]); - -int main(argc,argv) -int argc; -char **argv; - { - long count; - static unsigned char buf[BUFSIZE]; - static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0}; - static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12}; - static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34}; - des_key_schedule sch,sch2,sch3; - double d,tm[16],max=0; - int rank[16]; - char *str[16]; - int max_idx=0,i,num=0,j; -#ifndef SIGALARM - long ca,cb,cc,cd,ce; -#endif - - for (i=0; i<12; i++) - { - tm[i]=0.0; - rank[i]=0; - } - -#ifndef TIMES - fprintf(stderr,"To get the most acurate results, try to run this\n"); - fprintf(stderr,"program when this computer is idle.\n"); -#endif - - des_set_key((C_Block *)key,sch); - des_set_key((C_Block *)key2,sch2); - des_set_key((C_Block *)key3,sch3); - -#ifndef SIGALRM - fprintf(stderr,"First we calculate the approximate speed ...\n"); - des_set_key((C_Block *)key,sch); - count=10; - do { - long i; - unsigned long data[2]; - - count*=2; - Time_F(START); - for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); - d=Time_F(STOP); - } while (d < 3.0); - ca=count; - cb=count*3; - cc=count*3*8/BUFSIZE+1; - cd=count*8/BUFSIZE+1; - - ce=count/20+1; -#define COND(d) (count != (d)) -#define COUNT(d) (d) -#else -#define COND(c) (run) -#define COUNT(d) (count) - signal(SIGALRM,sig_done); - alarm(10); -#endif - -#ifdef PART1 - time_it(des_encrypt_u4_cisc_idx, "des_encrypt_u4_cisc_idx ", 0); - time_it(des_encrypt_u16_cisc_idx, "des_encrypt_u16_cisc_idx ", 1); - time_it(des_encrypt_u4_risc1_idx, "des_encrypt_u4_risc1_idx ", 2); - num+=3; -#endif -#ifdef PART2 - time_it(des_encrypt_u16_risc1_idx,"des_encrypt_u16_risc1_idx", 3); - time_it(des_encrypt_u4_risc2_idx, "des_encrypt_u4_risc2_idx ", 4); - time_it(des_encrypt_u16_risc2_idx,"des_encrypt_u16_risc2_idx", 5); - num+=3; -#endif -#ifdef PART3 - time_it(des_encrypt_u4_cisc_ptr, "des_encrypt_u4_cisc_ptr ", 6); - 
time_it(des_encrypt_u16_cisc_ptr, "des_encrypt_u16_cisc_ptr ", 7); - time_it(des_encrypt_u4_risc1_ptr, "des_encrypt_u4_risc1_ptr ", 8); - num+=3; -#endif -#ifdef PART4 - time_it(des_encrypt_u16_risc1_ptr,"des_encrypt_u16_risc1_ptr", 9); - time_it(des_encrypt_u4_risc2_ptr, "des_encrypt_u4_risc2_ptr ",10); - time_it(des_encrypt_u16_risc2_ptr,"des_encrypt_u16_risc2_ptr",11); - num+=3; -#endif - -#ifdef PART1 - str[0]=" 4 c i"; - print_it("des_encrypt_u4_cisc_idx ",0); - max=tm[0]; - max_idx=0; - str[1]="16 c i"; - print_it("des_encrypt_u16_cisc_idx ",1); - if (max < tm[1]) { max=tm[1]; max_idx=1; } - str[2]=" 4 r1 i"; - print_it("des_encrypt_u4_risc1_idx ",2); - if (max < tm[2]) { max=tm[2]; max_idx=2; } -#endif -#ifdef PART2 - str[3]="16 r1 i"; - print_it("des_encrypt_u16_risc1_idx",3); - if (max < tm[3]) { max=tm[3]; max_idx=3; } - str[4]=" 4 r2 i"; - print_it("des_encrypt_u4_risc2_idx ",4); - if (max < tm[4]) { max=tm[4]; max_idx=4; } - str[5]="16 r2 i"; - print_it("des_encrypt_u16_risc2_idx",5); - if (max < tm[5]) { max=tm[5]; max_idx=5; } -#endif -#ifdef PART3 - str[6]=" 4 c p"; - print_it("des_encrypt_u4_cisc_ptr ",6); - if (max < tm[6]) { max=tm[6]; max_idx=6; } - str[7]="16 c p"; - print_it("des_encrypt_u16_cisc_ptr ",7); - if (max < tm[7]) { max=tm[7]; max_idx=7; } - str[8]=" 4 r1 p"; - print_it("des_encrypt_u4_risc1_ptr ",8); - if (max < tm[8]) { max=tm[8]; max_idx=8; } -#endif -#ifdef PART4 - str[9]="16 r1 p"; - print_it("des_encrypt_u16_risc1_ptr",9); - if (max < tm[9]) { max=tm[9]; max_idx=9; } - str[10]=" 4 r2 p"; - print_it("des_encrypt_u4_risc2_ptr ",10); - if (max < tm[10]) { max=tm[10]; max_idx=10; } - str[11]="16 r2 p"; - print_it("des_encrypt_u16_risc2_ptr",11); - if (max < tm[11]) { max=tm[11]; max_idx=11; } -#endif - printf("options des ecb/s\n"); - printf("%s %12.2f 100.0%%\n",str[max_idx],tm[max_idx]); - d=tm[max_idx]; - tm[max_idx]= -2.0; - max= -1.0; - for (;;) - { - for (i=0; i<12; i++) - { - if (max < tm[i]) { max=tm[i]; j=i; } - } - if 
(max < 0.0) break; - printf("%s %12.2f %4.1f%%\n",str[j],tm[j],tm[j]/d*100.0); - tm[j]= -2.0; - max= -1.0; - } - - switch (max_idx) - { - case 0: - printf("-DDES_DEFAULT_OPTIONS\n"); - break; - case 1: - printf("-DDES_UNROLL\n"); - break; - case 2: - printf("-DDES_RISC1\n"); - break; - case 3: - printf("-DDES_UNROLL -DDES_RISC1\n"); - break; - case 4: - printf("-DDES_RISC2\n"); - break; - case 5: - printf("-DDES_UNROLL -DDES_RISC2\n"); - break; - case 6: - printf("-DDES_PTR\n"); - break; - case 7: - printf("-DDES_UNROLL -DDES_PTR\n"); - break; - case 8: - printf("-DDES_RISC1 -DDES_PTR\n"); - break; - case 9: - printf("-DDES_UNROLL -DDES_RISC1 -DDES_PTR\n"); - break; - case 10: - printf("-DDES_RISC2 -DDES_PTR\n"); - break; - case 11: - printf("-DDES_UNROLL -DDES_RISC2 -DDES_PTR\n"); - break; - } - exit(0); -#if defined(LINT) || defined(MSDOS) - return(0); -#endif - } diff --git a/src/libcrypto/libdes/speed.c b/src/libcrypto/libdes/speed.c deleted file mode 100644 index e3d753b2e..000000000 --- a/src/libcrypto/libdes/speed.c +++ /dev/null 
@@ -1,329 +0,0 @@ -/* crypto/des/speed.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* 11-Sep-92 Andrew Daviel Support for Silicon Graphics IRIX added */ -/* 06-Apr-92 Luke Brennan Support for VMS and add extra signal calls */ - -#ifndef MSDOS -#define TIMES -#endif - -#include -#ifndef MSDOS -#include -#else -#include -extern int exit(); -#endif -#include -#ifndef VMS -#ifndef _IRIX -#include -#endif -#ifdef TIMES -#include -#include -#endif -#else /* VMS */ -#include -struct tms { - time_t tms_utime; - time_t tms_stime; - time_t tms_uchild; /* I dunno... */ - time_t tms_uchildsys; /* so these names are a guess :-) */ - } -#endif -#ifndef TIMES -#include -#endif - -#ifdef sun -#include -#include -#endif - -#include "des_locl.h" - -/* The following if from times(3) man page. 
It may need to be changed */ -#ifndef HZ -# ifndef CLK_TCK -# ifndef _BSD_CLK_TCK_ /* FreeBSD fix */ -# ifndef VMS -# define HZ 100.0 -# else /* VMS */ -# define HZ 100.0 -# endif -# else /* _BSD_CLK_TCK_ */ -# define HZ ((double)_BSD_CLK_TCK_) -# endif -# else /* CLK_TCK */ -# define HZ ((double)CLK_TCK) -# endif -#endif - -#define BUFSIZE ((long)1024) -long run=0; - -#ifndef NOPROTO -double Time_F(int s); -#else -double Time_F(); -#endif - -#ifdef SIGALRM -#if defined(__STDC__) || defined(sgi) || defined(_AIX) -#define SIGRETTYPE void -#else -#define SIGRETTYPE int -#endif - -#ifndef NOPROTO -SIGRETTYPE sig_done(int sig); -#else -SIGRETTYPE sig_done(); -#endif - -SIGRETTYPE sig_done(sig) -int sig; - { - signal(SIGALRM,sig_done); - run=0; -#ifdef LINT - sig=sig; -#endif - } -#endif - -#define START 0 -#define STOP 1 - -double Time_F(s) -int s; - { - double ret; -#ifdef TIMES - static struct tms tstart,tend; - - if (s == START) - { - times(&tstart); - return(0); - } - else - { - times(&tend); - ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ; - return((ret == 0.0)?1e-6:ret); - } -#else /* !times() */ - static struct timeb tstart,tend; - long i; - - if (s == START) - { - ftime(&tstart); - return(0); - } - else - { - ftime(&tend); - i=(long)tend.millitm-(long)tstart.millitm; - ret=((double)(tend.time-tstart.time))+((double)i)/1e3; - return((ret == 0.0)?1e-6:ret); - } -#endif - } - -int main(argc,argv) -int argc; -char **argv; - { - long count; - static unsigned char buf[BUFSIZE]; - static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0}; - static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12}; - static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34}; - des_key_schedule sch,sch2,sch3; - double a,b,c,d,e; -#ifndef SIGALRM - long ca,cb,cc,cd,ce; -#endif - -#ifndef TIMES - printf("To get the most acurate results, try to run this\n"); - printf("program when this computer is idle.\n"); -#endif - - des_set_key((C_Block *)key2,sch2); - 
des_set_key((C_Block *)key3,sch3); - -#ifndef SIGALRM - printf("First we calculate the approximate speed ...\n"); - des_set_key((C_Block *)key,sch); - count=10; - do { - long i; - DES_LONG data[2]; - - count*=2; - Time_F(START); - for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); - d=Time_F(STOP); - } while (d < 3.0); - ca=count; - cb=count*3; - cc=count*3*8/BUFSIZE+1; - cd=count*8/BUFSIZE+1; - ce=count/20+1; - printf("Doing set_key %ld times\n",ca); -#define COND(d) (count != (d)) -#define COUNT(d) (d) -#else -#define COND(c) (run) -#define COUNT(d) (count) - signal(SIGALRM,sig_done); - printf("Doing set_key for 10 seconds\n"); - alarm(10); -#endif - - Time_F(START); - for (count=0,run=1; COND(ca); count++) - des_set_key((C_Block *)key,sch); - d=Time_F(STOP); - printf("%ld set_key's in %.2f seconds\n",count,d); - a=((double)COUNT(ca))/d; - -#ifdef SIGALRM - printf("Doing des_encrypt's for 10 seconds\n"); - alarm(10); -#else - printf("Doing des_encrypt %ld times\n",cb); -#endif - Time_F(START); - for (count=0,run=1; COND(cb); count++) - { - DES_LONG data[2]; - - des_encrypt(data,&(sch[0]),DES_ENCRYPT); - } - d=Time_F(STOP); - printf("%ld des_encrypt's in %.2f second\n",count,d); - b=((double)COUNT(cb)*8)/d; - -#ifdef SIGALRM - printf("Doing des_cbc_encrypt on %ld byte blocks for 10 seconds\n", - BUFSIZE); - alarm(10); -#else - printf("Doing des_cbc_encrypt %ld times on %ld byte blocks\n",cc, - BUFSIZE); -#endif - Time_F(START); - for (count=0,run=1; COND(cc); count++) - des_ncbc_encrypt((C_Block *)buf,(C_Block *)buf,BUFSIZE,&(sch[0]), - (C_Block *)&(key[0]),DES_ENCRYPT); - d=Time_F(STOP); - printf("%ld des_cbc_encrypt's of %ld byte blocks in %.2f second\n", - count,BUFSIZE,d); - c=((double)COUNT(cc)*BUFSIZE)/d; - -#ifdef SIGALRM - printf("Doing des_ede_cbc_encrypt on %ld byte blocks for 10 seconds\n", - BUFSIZE); - alarm(10); -#else - printf("Doing des_ede_cbc_encrypt %ld times on %ld byte blocks\n",cd, - BUFSIZE); -#endif - Time_F(START); - for 
(count=0,run=1; COND(cd); count++) - des_ede3_cbc_encrypt((C_Block *)buf,(C_Block *)buf,BUFSIZE, - &(sch[0]), - &(sch2[0]), - &(sch3[0]), - (C_Block *)&(key[0]), - DES_ENCRYPT); - d=Time_F(STOP); - printf("%ld des_ede_cbc_encrypt's of %ld byte blocks in %.2f second\n", - count,BUFSIZE,d); - d=((double)COUNT(cd)*BUFSIZE)/d; - -#ifdef SIGALRM - printf("Doing crypt for 10 seconds\n"); - alarm(10); -#else - printf("Doing crypt %ld times\n",ce); -#endif - Time_F(START); - for (count=0,run=1; COND(ce); count++) - crypt("testing1","ef"); - e=Time_F(STOP); - printf("%ld crypts in %.2f second\n",count,e); - e=((double)COUNT(ce))/e; - - printf("set_key per sec = %12.2f (%9.3fuS)\n",a,1.0e6/a); - printf("DES raw ecb bytes per sec = %12.2f (%9.3fuS)\n",b,8.0e6/b); - printf("DES cbc bytes per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c); - printf("DES ede cbc bytes per sec = %12.2f (%9.3fuS)\n",d,8.0e6/d); - printf("crypt per sec = %12.2f (%9.3fuS)\n",e,1.0e6/e); - exit(0); -#if defined(LINT) || defined(MSDOS) - return(0); -#endif - } diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in index 97b53d7c0..fa57d5aab 100644 --- a/src/libfreeswan/Makefile.in +++ b/src/libfreeswan/Makefile.in @@ -129,6 +129,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -141,6 +142,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ 
@@ -151,8 +153,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -174,6 +180,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -183,6 +190,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -196,9 +205,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -213,6 +226,8 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ noinst_LIBRARIES = libfreeswan.a libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \ atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ diff --git a/src/libfreeswan/ipsec_ah.h b/src/libfreeswan/ipsec_ah.h index e088288d3..7a250248e 100644 --- a/src/libfreeswan/ipsec_ah.h +++ b/src/libfreeswan/ipsec_ah.h 
@@ -109,127 +109,3 @@ struct ahhdr /* Generic AH header */
 extern int debug_ah;
 #endif /* CONFIG_IPSEC_DEBUG */
 #endif /* __KERNEL__ */
-
-/*
- * $Log: ipsec_ah.h,v $
- * Revision 1.2 2004/03/22 21:53:18 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.4.1 2004/03/16 09:48:18 as
- * alg-0.8.1rc12 patch merged
- *
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.20 2003/02/06 02:21:34 rgb
- *
- * Moved "struct auth_alg" from ipsec_rcv.c to ipsec_ah.h .
- * Changed "struct ah" to "struct ahhdr" and "struct esp" to "struct esphdr".
- * Removed "#ifdef INBOUND_POLICY_CHECK_eroute" dead code.
- *
- * Revision 1.19 2002/09/16 21:19:13 mcr
- * fixes for west-ah-icmp-01 - length of AH header must be
- * calculated properly, and next_header field properly copied.
- *
- * Revision 1.18 2002/05/14 02:37:02 rgb
- * Change reference from _TDB to _IPSA.
- *
- * Revision 1.17 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_ah.h,v
- *
- * Revision 1.16 2002/02/20 01:27:06 rgb
- * Ditched a pile of structs only used by the old Netlink interface.
- *
- * Revision 1.15 2001/12/11 02:35:57 rgb
- * Change "struct net_device" to "struct device" for 2.2 compatibility.
- *
- * Revision 1.14 2001/11/26 09:23:47 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.13.2.1 2001/09/25 02:18:24 mcr
- * replace "struct device" with "struct netdevice"
- *
- * Revision 1.13 2001/06/14 19:35:08 rgb
- * Update copyright date.
- *
- * Revision 1.12 2000/09/12 03:21:20 rgb
- * Cleared out unused htonq.
- *
- * Revision 1.11 2000/09/08 19:12:55 rgb
- * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- *
- * Revision 1.10 2000/01/21 06:13:10 rgb
- * Tidied up spacing.
- * Added macros for HMAC padding magic numbers.(kravietz)
- *
- * Revision 1.9 1999/12/07 18:16:23 rgb
- * Fixed comments at end of #endif lines.
- *
- * Revision 1.8 1999/04/11 00:28:56 henry
- * GPL boilerplate
- *
- * Revision 1.7 1999/04/06 04:54:25 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.6 1999/01/26 02:06:01 rgb
- * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
- *
- * Revision 1.5 1999/01/22 06:17:49 rgb
- * Updated macro comments.
- * Added context types to support algorithm switch code.
- * 64-bit clean-up -- converting 'u long long' to __u64.
- *
- * Revision 1.4 1998/07/14 15:54:56 rgb
- * Add #ifdef __KERNEL__ to protect kernel-only structures.
- *
- * Revision 1.3 1998/06/30 18:05:16 rgb
- * Comment out references to htonq.
- *
- * Revision 1.2 1998/06/25 19:33:46 rgb
- * Add prototype for protocol receive function.
- * Rearrange for more logical layout.
- *
- * Revision 1.1 1998/06/18 21:27:43 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.4 1998/05/18 22:28:43 rgb
- * Disable key printing facilities from /proc/net/ipsec_*.
- *
- * Revision 1.3 1998/04/21 21:29:07 rgb
- * Rearrange debug switches to change on the fly debug output from user
- * space. Only kernel changes checked in at this time. radij.c was also
- * changed to temporarily remove buggy debugging code in rj_delete causing
- * an OOPS and hence, netlink device open errors.
- *
- * Revision 1.2 1998/04/12 22:03:17 rgb
- * Updated ESP-3DES-HMAC-MD5-96,
- * ESP-DES-HMAC-MD5-96,
- * AH-HMAC-MD5-96,
- * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
- * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
- *
- * Fixed eroute references in /proc/net/ipsec*.
- *
- * Started to patch module unloading memory leaks in ipsec_netlink and
- * radij tree unloading.
- *
- * Revision 1.1 1998/04/09 03:05:55 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:02 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * Added definitions for new AH transforms.
- *
- * Revision 0.3 1996/11/20 14:35:48 ji
- * Minor Cleanup.
- * Rationalized debugging code.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_encap.h b/src/libfreeswan/ipsec_encap.h
index 17cd69269..f95259466 100644
--- a/src/libfreeswan/ipsec_encap.h
+++ b/src/libfreeswan/ipsec_encap.h
@@ -53,91 +53,3 @@ struct sockaddr_encap
 #define _IPSEC_ENCAP_H_
 #endif /* _IPSEC_ENCAP_H_ */
-
-/*
- * $Log: ipsec_encap.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.17 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_encap.h,v
- *
- * Revision 1.16 2001/11/26 09:23:47 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.15.2.1 2001/09/25 02:18:54 mcr
- * struct eroute moved to ipsec_eroute.h
- *
- * Revision 1.15 2001/09/14 16:58:36 rgb
- * Added support for storing the first and last packets through a HOLD.
- *
- * Revision 1.14 2001/09/08 21:13:31 rgb
- * Added pfkey ident extension support for ISAKMPd. (NetCelo)
- *
- * Revision 1.13 2001/06/14 19:35:08 rgb
- * Update copyright date.
- *
- * Revision 1.12 2001/05/27 06:12:10 rgb
- * Added structures for pid, packet count and last access time to eroute.
- * Added packet count to beginning of /proc/net/ipsec_eroute.
- *
- * Revision 1.11 2000/09/08 19:12:56 rgb
- * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- *
- * Revision 1.10 2000/03/22 16:15:36 rgb
- * Fixed renaming of dev_get (MB).
- *
- * Revision 1.9 2000/01/21 06:13:26 rgb
- * Added a macro for AF_ENCAP
- *
- * Revision 1.8 1999/12/31 14:56:55 rgb
- * MB fix for 2.3 dev-use-count.
- *
- * Revision 1.7 1999/11/18 04:09:18 rgb
- * Replaced all kernel version macros to shorter, readable form.
- *
- * Revision 1.6 1999/09/24 00:34:13 rgb
- * Add Marc Boucher's support for 2.3.xx+.
- *
- * Revision 1.5 1999/04/11 00:28:57 henry
- * GPL boilerplate
- *
- * Revision 1.4 1999/04/06 04:54:25 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.3 1998/10/19 14:44:28 rgb
- * Added inclusion of freeswan.h.
- * sa_id structure implemented and used: now includes protocol.
- *
- * Revision 1.2 1998/07/14 18:19:33 rgb
- * Added #ifdef __KERNEL__ directives to restrict scope of header.
- *
- * Revision 1.1 1998/06/18 21:27:44 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.2 1998/04/21 21:29:10 rgb
- * Rearrange debug switches to change on the fly debug output from user
- * space. Only kernel changes checked in at this time. radij.c was also
- * changed to temporarily remove buggy debugging code in rj_delete causing
- * an OOPS and hence, netlink device open errors.
- *
- * Revision 1.1 1998/04/09 03:05:58 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:02 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * Minor cosmetic changes.
- *
- * Revision 0.3 1996/11/20 14:35:48 ji
- * Minor Cleanup.
- * Rationalized debugging code.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_eroute.h b/src/libfreeswan/ipsec_eroute.h
index 2ee2a10b8..9bba4bfb4 100644
--- a/src/libfreeswan/ipsec_eroute.h
+++ b/src/libfreeswan/ipsec_eroute.h
@@ -80,24 +80,3 @@ struct eroute
 #define _IPSEC_EROUTE_H_
 #endif /* _IPSEC_EROUTE_H_ */
-
-/*
- * $Log: ipsec_eroute.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.3 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_eroute.h,v
- *
- * Revision 1.2 2001/11/26 09:16:13 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.1.2.1 2001/09/25 02:18:54 mcr
- * struct eroute moved to ipsec_eroute.h
- *
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/src/libfreeswan/ipsec_errs.h b/src/libfreeswan/ipsec_errs.h
index f14b5e675..39cfece2b 100644
--- a/src/libfreeswan/ipsec_errs.h
+++ b/src/libfreeswan/ipsec_errs.h
@@ -30,24 +30,3 @@ struct ipsec_errs {
 __u32 ips_encpad_errs; /* # of encryption pad errors*/
 __u32 ips_replaywin_errs; /* # of pkt sequence errors */
 };
-
-/*
- * $Log: ipsec_errs.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.3 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_errs.h,v
- *
- * Revision 1.2 2001/11/26 09:16:13 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.1.2.1 2001/09/25 02:25:57 mcr
- * lifetime structure created and common functions created.
- *
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/src/libfreeswan/ipsec_esp.h b/src/libfreeswan/ipsec_esp.h
index c7d5ea15d..90ef28e9b 100644
--- a/src/libfreeswan/ipsec_esp.h
+++ b/src/libfreeswan/ipsec_esp.h
@@ -78,143 +78,3 @@ struct esphdr extern int debug_esp; #endif /* CONFIG_IPSEC_DEBUG */ #endif /* __KERNEL__ */ - -/* - * $Log: ipsec_esp.h,v $ - * Revision 1.2 2004/03/22 21:53:18 as - * merged alg-0.8.1 branch with HEAD - * - * Revision 1.1.4.1 2004/03/16 09:48:18 as - * alg-0.8.1rc12 patch merged - * - * Revision 1.1 2004/03/15 20:35:25 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.21 2003/02/06 02:21:34 rgb - * - * Moved "struct auth_alg" from ipsec_rcv.c to ipsec_ah.h . - * Changed "struct ah" to "struct ahhdr" and "struct esp" to "struct esphdr". - * Removed "#ifdef INBOUND_POLICY_CHECK_eroute" dead code. - * - * Revision 1.20 2002/05/14 02:37:02 rgb - * Change reference from _TDB to _IPSA. - * - * Revision 1.19 2002/04/24 07:55:32 mcr - * #include patches and Makefiles for post-reorg compilation. - * - * Revision 1.18 2002/04/24 07:36:46 mcr - * Moved from ./klips/net/ipsec/ipsec_esp.h,v - * - * Revision 1.17 2002/02/20 01:27:07 rgb - * Ditched a pile of structs only used by the old Netlink interface. - * - * Revision 1.16 2001/12/11 02:35:57 rgb - * Change "struct net_device" to "struct device" for 2.2 compatibility. - * - * Revision 1.15 2001/11/26 09:23:48 rgb - * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes. - * - * Revision 1.14.2.3 2001/10/23 04:16:42 mcr - * get definition of des_key_schedule from des.h - * - * Revision 1.14.2.2 2001/10/22 20:33:13 mcr - * use "des_key_schedule" structure instead of cooking our own. - * - * Revision 1.14.2.1 2001/09/25 02:18:25 mcr - * replace "struct device" with "struct netdevice" - * - * Revision 1.14 2001/06/14 19:35:08 rgb - * Update copyright date. - * - * Revision 1.13 2000/09/08 19:12:56 rgb - * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG. - * - * Revision 1.12 2000/08/01 14:51:50 rgb - * Removed _all_ remaining traces of DES. - * - * Revision 1.11 2000/01/10 16:36:20 rgb - * Ditch last of EME option flags, including initiator. 
- * - * Revision 1.10 1999/12/07 18:16:22 rgb - * Fixed comments at end of #endif lines. - * - * Revision 1.9 1999/04/11 00:28:57 henry - * GPL boilerplate - * - * Revision 1.8 1999/04/06 04:54:25 rgb - * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes - * patch shell fixes. - * - * Revision 1.7 1999/01/26 02:06:00 rgb - * Removed CONFIG_IPSEC_ALGO_SWITCH macro. - * - * Revision 1.6 1999/01/22 15:22:05 rgb - * Re-enable IV in the espblkrply_edata structure to avoid breaking pluto - * until pluto can be fixed properly. - * - * Revision 1.5 1999/01/22 06:18:16 rgb - * Updated macro comments. - * Added key schedule types to support algorithm switch code. - * - * Revision 1.4 1998/08/12 00:07:32 rgb - * Added data structures for new xforms: null, {,3}dessha1. - * - * Revision 1.3 1998/07/14 15:57:01 rgb - * Add #ifdef __KERNEL__ to protect kernel-only structures. - * - * Revision 1.2 1998/06/25 19:33:46 rgb - * Add prototype for protocol receive function. - * Rearrange for more logical layout. - * - * Revision 1.1 1998/06/18 21:27:45 henry - * move sources from klips/src to klips/net/ipsec, to keep stupid - * kernel-build scripts happier in the presence of symlinks - * - * Revision 1.6 1998/06/05 02:28:08 rgb - * Minor comment fix. - * - * Revision 1.5 1998/05/27 22:34:00 rgb - * Changed structures to accomodate key separation. - * - * Revision 1.4 1998/05/18 22:28:43 rgb - * Disable key printing facilities from /proc/net/ipsec_*. - * - * Revision 1.3 1998/04/21 21:29:07 rgb - * Rearrange debug switches to change on the fly debug output from user - * space. Only kernel changes checked in at this time. radij.c was also - * changed to temporarily remove buggy debugging code in rj_delete causing - * an OOPS and hence, netlink device open errors. 
- * - * Revision 1.2 1998/04/12 22:03:20 rgb - * Updated ESP-3DES-HMAC-MD5-96, - * ESP-DES-HMAC-MD5-96, - * AH-HMAC-MD5-96, - * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository - * from old standards (RFC182[5-9] to new (as of March 1998) drafts. - * - * Fixed eroute references in /proc/net/ipsec*. - * - * Started to patch module unloading memory leaks in ipsec_netlink and - * radij tree unloading. - * - * Revision 1.1 1998/04/09 03:06:00 henry - * sources moved up from linux/net/ipsec - * - * Revision 1.1.1.1 1998/04/08 05:35:02 henry - * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 - * - * Revision 0.5 1997/06/03 04:24:48 ji - * Added ESP-3DES-MD5-96 transform. - * - * Revision 0.4 1997/01/15 01:28:15 ji - * Added definitions for new ESP transforms. - * - * Revision 0.3 1996/11/20 14:35:48 ji - * Minor Cleanup. - * Rationalized debugging code. - * - * Revision 0.2 1996/11/02 00:18:33 ji - * First limited release. - * - * - */ diff --git a/src/libfreeswan/ipsec_ipe4.h b/src/libfreeswan/ipsec_ipe4.h index 73b6ae899..14d1eadee 100644 --- a/src/libfreeswan/ipsec_ipe4.h +++ b/src/libfreeswan/ipsec_ipe4.h 
@@ -25,44 +25,3 @@ struct ipe4_xdata /* transform table data */
 };
 #define EMT_IPE4_ULEN 8 /* coming from user mode */
-
-
-/*
- * $Log: ipsec_ipe4.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.5 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_ipe4.h,v
- *
- * Revision 1.4 2001/06/14 19:35:08 rgb
- * Update copyright date.
- *
- * Revision 1.3 1999/04/11 00:28:57 henry
- * GPL boilerplate
- *
- * Revision 1.2 1999/04/06 04:54:25 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.1 1998/06/18 21:27:47 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.1 1998/04/09 03:06:07 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:03 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * No changes.
- *
- * Revision 0.3 1996/11/20 14:48:53 ji
- * Release update only.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_kversion.h b/src/libfreeswan/ipsec_kversion.h
index 7bf56ac7f..332c21bd5 100644
--- a/src/libfreeswan/ipsec_kversion.h
+++ b/src/libfreeswan/ipsec_kversion.h
@@ -189,39 +189,3 @@
 #endif /* !SPINLOCK_23 */
 #endif /* _FREESWAN_KVERSIONS_H */
-
-/*
- * $Log: ipsec_kversion.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.7 2003/07/31 22:48:08 mcr
- * derive NET25-ness from presence of NETLINK_XFRM macro.
- *
- * Revision 1.6 2003/06/24 20:22:32 mcr
- * added new global: ipsecdevices[] so that we can keep track of
- * the ipsecX devices. They will be referenced with dev_hold(),
- * so 2.2 may need this as well.
- *
- * Revision 1.5 2003/04/03 17:38:09 rgb
- * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
- *
- * Revision 1.4 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_kversion.h,v
- *
- * Revision 1.3 2002/04/12 03:21:17 mcr
- * three parameter version of ip_select_ident appears first
- * in 2.4.2 (RH7.1) not 2.4.4.
- *
- * Revision 1.2 2002/03/08 21:35:22 rgb
- * Defined LINUX_KERNEL_HAS_SNPRINTF to shut up compiler warnings after
- * 2.4.9. (Andreas Piesk).
- *
- * Revision 1.1 2002/01/29 02:11:42 mcr
- * removal of kversions.h - sources that needed it now use ipsec_param.h.
- * updating of IPv6 structures to match latest in6.h version.
- * removed dead code from freeswan.h that also duplicated kversions.h
- * code.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_life.h b/src/libfreeswan/ipsec_life.h
index 4cf270272..598a73665 100644
--- a/src/libfreeswan/ipsec_life.h
+++ b/src/libfreeswan/ipsec_life.h
@@ -88,25 +88,3 @@ enum ipsec_life_type {
 #define _IPSEC_LIFE_H_
 #endif /* _IPSEC_LIFE_H_ */
-
-
-/*
- * $Log: ipsec_life.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.3 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_life.h,v
- *
- * Revision 1.2 2001/11/26 09:16:14 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.1.2.1 2001/09/25 02:25:58 mcr
- * lifetime structure created and common functions created.
- *
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/src/libfreeswan/ipsec_md5h.h b/src/libfreeswan/ipsec_md5h.h
index 3fc54bc82..a79c8256f 100644
--- a/src/libfreeswan/ipsec_md5h.h
+++ b/src/libfreeswan/ipsec_md5h.h
@@ -81,60 +81,3 @@ void MD5Update PROTO_LIST
 void MD5Final PROTO_LIST ((unsigned char [16], void *));
 #endif /* _IPSEC_MD5H_H_ */
-
-/*
- * $Log: ipsec_md5h.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.8 2002/09/10 01:45:09 mcr
- * changed type of MD5_CTX and SHA1_CTX to void * so that
- * the function prototypes would match, and could be placed
- * into a pointer to a function.
- *
- * Revision 1.7 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_md5h.h,v
- *
- * Revision 1.6 1999/12/13 13:59:13 rgb
- * Quick fix to argument size to Update bugs.
- *
- * Revision 1.5 1999/12/07 18:16:23 rgb
- * Fixed comments at end of #endif lines.
- *
- * Revision 1.4 1999/04/06 04:54:26 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.3 1999/01/22 06:19:58 rgb
- * 64-bit clean-up.
- *
- * Revision 1.2 1998/11/30 13:22:54 rgb
- * Rationalised all the klips kernel file headers. They are much shorter
- * now and won't conflict under RH5.2.
- *
- * Revision 1.1 1998/06/18 21:27:48 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.2 1998/04/23 20:54:03 rgb
- * Fixed md5 and sha1 include file nesting issues, to be cleaned up when
- * verified.
- *
- * Revision 1.1 1998/04/09 03:04:21 henry
- * sources moved up from linux/net/ipsec
- * these two include files modified not to include others except in kernel
- *
- * Revision 1.1.1.1 1998/04/08 05:35:03 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * No changes.
- *
- * Revision 0.3 1996/11/20 14:48:53 ji
- * Release update only.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_rcv.h b/src/libfreeswan/ipsec_rcv.h
index 3ae239bf9..063ccf462 100644
--- a/src/libfreeswan/ipsec_rcv.h
+++ b/src/libfreeswan/ipsec_rcv.h
@@ -70,127 +70,3 @@ extern int debug_rcv; #endif /* CONFIG_IPSEC_DEBUG */ extern int sysctl_ipsec_inbound_policy_check; #endif /* __KERNEL__ */ - -/* - * $Log: ipsec_rcv.h,v $ - * Revision 1.1 2004/03/15 20:35:25 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.17 2002/09/03 16:32:32 mcr - * definitions of ipsec_birth_reply. - * - * Revision 1.16 2002/05/14 02:36:00 rgb - * Change references to _TDB to _IPSA. - * - * Revision 1.15 2002/04/24 07:36:47 mcr - * Moved from ./klips/net/ipsec/ipsec_rcv.h,v - * - * Revision 1.14 2001/09/07 22:15:48 rgb - * Fix for removal of transport layer protocol handler arg in 2.4.4. - * - * Revision 1.13 2001/06/14 19:35:09 rgb - * Update copyright date. - * - * Revision 1.12 2001/03/16 07:36:44 rgb - * Fixed #endif comment to sate compiler. - * - * Revision 1.11 2000/09/21 04:34:21 rgb - * Moved declaration of sysctl_ipsec_inbound_policy_check outside - * CONFIG_IPSEC_DEBUG. (MB) - * - * Revision 1.10 2000/09/18 02:36:10 rgb - * Exported sysctl_ipsec_inbound_policy_check for skb_decompress(). - * - * Revision 1.9 2000/09/08 19:12:56 rgb - * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG. - * - * Revision 1.8 1999/11/18 04:09:19 rgb - * Replaced all kernel version macros to shorter, readable form. - * - * Revision 1.7 1999/05/25 01:45:37 rgb - * Fix version macros for 2.0.x as a module. - * - * Revision 1.6 1999/05/08 21:24:27 rgb - * Add includes for 2.2.x include into net/ipv4/protocol.c - * - * Revision 1.5 1999/05/05 22:02:32 rgb - * Add a quick and dirty port to 2.2 kernels by Marc Boucher . - * - * Revision 1.4 1999/04/11 00:28:59 henry - * GPL boilerplate - * - * Revision 1.3 1999/04/06 04:54:27 rgb - * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes - * patch shell fixes. - * - * Revision 1.2 1999/01/22 20:06:59 rgb - * Fixed cut-and-paste error from ipsec_esp.h. - * - * Revision 1.1 1999/01/21 20:29:12 rgb - * Converted from transform switching to algorithm switching. 
- * - * Log: ipsec_esp.h,v - * Revision 1.4 1998/08/12 00:07:32 rgb - * Added data structures for new xforms: null, {,3}dessha1. - * - * Revision 1.3 1998/07/14 15:57:01 rgb - * Add #ifdef __KERNEL__ to protect kernel-only structures. - * - * Revision 1.2 1998/06/25 19:33:46 rgb - * Add prototype for protocol receive function. - * Rearrange for more logical layout. - * - * Revision 1.1 1998/06/18 21:27:45 henry - * move sources from klips/src to klips/net/ipsec, to keep stupid - * kernel-build scripts happier in the presence of symlinks - * - * Revision 1.6 1998/06/05 02:28:08 rgb - * Minor comment fix. - * - * Revision 1.5 1998/05/27 22:34:00 rgb - * Changed structures to accomodate key separation. - * - * Revision 1.4 1998/05/18 22:28:43 rgb - * Disable key printing facilities from /proc/net/ipsec_*. - * - * Revision 1.3 1998/04/21 21:29:07 rgb - * Rearrange debug switches to change on the fly debug output from user - * space. Only kernel changes checked in at this time. radij.c was also - * changed to temporarily remove buggy debugging code in rj_delete causing - * an OOPS and hence, netlink device open errors. - * - * Revision 1.2 1998/04/12 22:03:20 rgb - * Updated ESP-3DES-HMAC-MD5-96, - * ESP-DES-HMAC-MD5-96, - * AH-HMAC-MD5-96, - * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository - * from old standards (RFC182[5-9] to new (as of March 1998) drafts. - * - * Fixed eroute references in /proc/net/ipsec*. - * - * Started to patch module unloading memory leaks in ipsec_netlink and - * radij tree unloading. - * - * Revision 1.1 1998/04/09 03:06:00 henry - * sources moved up from linux/net/ipsec - * - * Revision 1.1.1.1 1998/04/08 05:35:02 henry - * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 - * - * Revision 0.5 1997/06/03 04:24:48 ji - * Added ESP-3DES-MD5-96 transform. - * - * Revision 0.4 1997/01/15 01:28:15 ji - * Added definitions for new ESP transforms. - * - * Revision 0.3 1996/11/20 14:35:48 ji - * Minor Cleanup. - * Rationalized debugging code. 
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
-
-
diff --git a/src/libfreeswan/ipsec_sa.h b/src/libfreeswan/ipsec_sa.h
index 555df42d3..4dd682569 100644
--- a/src/libfreeswan/ipsec_sa.h
+++ b/src/libfreeswan/ipsec_sa.h
@@ -250,89 +250,3 @@ enum ipsec_direction { #define _IPSEC_SA_H_ #endif /* _IPSEC_SA_H_ */ - -/* - * $Log: ipsec_sa.h,v $ - * Revision 1.3 2004/04/28 08:07:11 as - * added dhr's freeswan-2.06 changes - * - * Revision 1.2 2004/03/22 21:53:18 as - * merged alg-0.8.1 branch with HEAD - * - * Revision 1.1.2.1.2.1 2004/03/16 09:48:18 as - * alg-0.8.1rc12 patch merged - * - * Revision 1.1.2.1 2004/03/15 22:30:06 as - * nat-0.6c patch merged - * - * Revision 1.1 2004/03/15 20:35:25 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.15 2003/05/11 00:53:09 mcr - * IPsecSAref_t and macros were moved to freeswan.h. - * - * Revision 1.14 2003/02/12 19:31:55 rgb - * Fixed bug in "file seen" machinery. - * Updated copyright year. - * - * Revision 1.13 2003/01/30 02:31:52 rgb - * - * Re-wrote comments describing SAref system for accuracy. - * Rename SAref table macro names for clarity. - * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug. - * Transmit error code through to caller from callee for better diagnosis of problems. - * Enclose all macro arguments in parens to avoid any possible obscrure bugs. - * - * Revision 1.12 2002/10/07 18:31:19 rgb - * Change comment to reflect the flexible nature of the main and sub-table widths. - * Added a counter for the number of unused entries in each subtable. - * Further break up host field type macro to host field. - * Move field width sanity checks to ipsec_sa.c - * Define a mask for an entire saref. - * - * Revision 1.11 2002/09/20 15:40:33 rgb - * Re-write most of the SAref macros and types to eliminate any pointer references to Entrys. - * Fixed SAref/nfmark macros. - * Rework saref freeslist. - * Place all ipsec sadb globals into one struct. - * Restrict some bits to kernel context for use to klips utils. - * - * Revision 1.10 2002/09/20 05:00:34 rgb - * Update copyright date. 
- * - * Revision 1.9 2002/09/17 17:19:29 mcr - * make it compile even if there is no netfilter - we lost - * functionality, but it works, especially on 2.2. - * - * Revision 1.8 2002/07/28 22:59:53 mcr - * clarified/expanded one comment. - * - * Revision 1.7 2002/07/26 08:48:31 rgb - * Added SA ref table code. - * - * Revision 1.6 2002/05/31 17:27:48 rgb - * Comment fix. - * - * Revision 1.5 2002/05/27 18:55:03 rgb - * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT. - * - * Revision 1.4 2002/05/23 07:13:36 rgb - * Convert "usecount" to "refcount" to remove ambiguity. - * - * Revision 1.3 2002/04/24 07:36:47 mcr - * Moved from ./klips/net/ipsec/ipsec_sa.h,v - * - * Revision 1.2 2001/11/26 09:16:15 rgb - * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes. - * - * Revision 1.1.2.1 2001/09/25 02:24:58 mcr - * struct tdb -> struct ipsec_sa. - * sa(tdb) manipulation functions renamed and moved to ipsec_sa.c - * ipsec_xform.c removed. header file still contains useful things. - * - * - * Local variables: - * c-file-style: "linux" - * End: - * - */ diff --git a/src/libfreeswan/ipsec_sha1.h b/src/libfreeswan/ipsec_sha1.h index 116170e6b..1319081ad 100644 --- a/src/libfreeswan/ipsec_sha1.h +++ b/src/libfreeswan/ipsec_sha1.h 
@@ -30,50 +30,3 @@ void SHA1Final(unsigned char digest[20], void *context); #endif /* _IPSEC_SHA1_H_ */ - -/* - * $Log: ipsec_sha1.h,v $ - * Revision 1.1 2004/03/15 20:35:25 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.7 2002/09/10 01:45:09 mcr - * changed type of MD5_CTX and SHA1_CTX to void * so that - * the function prototypes would match, and could be placed - * into a pointer to a function. - * - * Revision 1.6 2002/04/24 07:36:47 mcr - * Moved from ./klips/net/ipsec/ipsec_sha1.h,v - * - * Revision 1.5 1999/12/13 13:59:13 rgb - * Quick fix to argument size to Update bugs. - * - * Revision 1.4 1999/12/07 18:16:23 rgb - * Fixed comments at end of #endif lines. - * - * Revision 1.3 1999/04/06 04:54:27 rgb - * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes - * patch shell fixes. - * - * Revision 1.2 1998/11/30 13:22:54 rgb - * Rationalised all the klips kernel file headers. They are much shorter - * now and won't conflict under RH5.2. - * - * Revision 1.1 1998/06/18 21:27:50 henry - * move sources from klips/src to klips/net/ipsec, to keep stupid - * kernel-build scripts happier in the presence of symlinks - * - * Revision 1.2 1998/04/23 20:54:05 rgb - * Fixed md5 and sha1 include file nesting issues, to be cleaned up when - * verified. - * - * Revision 1.1 1998/04/09 03:04:21 henry - * sources moved up from linux/net/ipsec - * these two include files modified not to include others except in kernel - * - * Revision 1.1.1.1 1998/04/08 05:35:04 henry - * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 - * - * Revision 0.4 1997/01/15 01:28:15 ji - * New transform - * - */ diff --git a/src/libfreeswan/ipsec_tunnel.h b/src/libfreeswan/ipsec_tunnel.h index 3b25e95e1..672755946 100644 --- a/src/libfreeswan/ipsec_tunnel.h +++ b/src/libfreeswan/ipsec_tunnel.h @@ -16,6 +16,7 @@ * RCSID $Id: ipsec_tunnel.h,v 1.1 2004/03/15 20:35:25 as Exp $ */ +#include #ifdef NET_21 # define DEV_QUEUE_XMIT(skb, device, pri) {\ 
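Review bot: The added `#include` in the ipsec_tunnel.h hunk (`@@ -16,6 +16,7 @@`) carries no header name in this rendering, so a reader of the patch cannot see what is being pulled in; the angle-bracketed name was presumably dropped on extraction, but it should be verified against the applied tree before merging. Its position directly ahead of `#ifdef NET_21` suggests it is meant to supply the kernel-version macros (the `_FREESWAN_KVERSIONS_H` guard is visible in this commit's ipsec_kversion.h hunk); if that is the intent, a one-line comment such as `/* kernel-version macros (NET_21 etc.) must be defined before the DEV_QUEUE_XMIT variants below */` would make the ordering constraint explicit. The hunk also keeps the `RCSID $Id:` line while the commit strips every `$Log:` block; worth deciding whether the `$Id` keywords should go as well for consistency.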
@@ -125,141 +126,3 @@ extern int sysctl_ipsec_debug_verbose; #define DB_TN_OXFS 0x0080 #define DB_TN_REVEC 0x0100 #endif /* CONFIG_IPSEC_DEBUG */ - -/* - * $Log: ipsec_tunnel.h,v $ - * Revision 1.1 2004/03/15 20:35:25 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.28 2003/06/24 20:22:32 mcr - * added new global: ipsecdevices[] so that we can keep track of - * the ipsecX devices. They will be referenced with dev_hold(), - * so 2.2 may need this as well. - * - * Revision 1.27 2003/04/03 17:38:09 rgb - * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}. - * - * Revision 1.26 2003/02/12 19:32:20 rgb - * Updated copyright year. - * - * Revision 1.25 2002/05/27 18:56:07 rgb - * Convert to dynamic ipsec device allocation. - * - * Revision 1.24 2002/04/24 07:36:48 mcr - * Moved from ./klips/net/ipsec/ipsec_tunnel.h,v - * - * Revision 1.23 2001/11/06 19:50:44 rgb - * Moved IP_SEND, ICMP_SEND, DEV_QUEUE_XMIT macros to ipsec_tunnel.h for - * use also by pfkey_v2_parser.c - * - * Revision 1.22 2001/09/15 16:24:05 rgb - * Re-inject first and last HOLD packet when an eroute REPLACE is done. - * - * Revision 1.21 2001/06/14 19:35:10 rgb - * Update copyright date. - * - * Revision 1.20 2000/09/15 11:37:02 rgb - * Merge in heavily modified Svenning Soerensen's - * IPCOMP zlib deflate code. - * - * Revision 1.19 2000/09/08 19:12:56 rgb - * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG. - * - * Revision 1.18 2000/07/28 13:50:54 rgb - * Changed enet_statistics to net_device_stats and added back compatibility - * for pre-2.1.19. - * - * Revision 1.17 1999/11/19 01:12:15 rgb - * Purge unneeded proc_info prototypes, now that static linking uses - * dynamic proc_info registration. - * - * Revision 1.16 1999/11/18 18:51:00 rgb - * Changed all device registrations for static linking to - * dynamic to reduce the number and size of patches. - * - * Revision 1.15 1999/11/18 04:14:21 rgb - * Replaced all kernel version macros to shorter, readable form. 
- * Added CONFIG_PROC_FS compiler directives in case it is shut off. - * Added Marc Boucher's 2.3.25 proc patches. - * - * Revision 1.14 1999/05/25 02:50:10 rgb - * Fix kernel version macros for 2.0.x static linking. - * - * Revision 1.13 1999/05/25 02:41:06 rgb - * Add ipsec_klipsdebug support for static linking. - * - * Revision 1.12 1999/05/05 22:02:32 rgb - * Add a quick and dirty port to 2.2 kernels by Marc Boucher . - * - * Revision 1.11 1999/04/29 15:19:50 rgb - * Add return values to init and cleanup functions. - * - * Revision 1.10 1999/04/16 16:02:39 rgb - * Bump up macro to 4 ipsec I/Fs. - * - * Revision 1.9 1999/04/15 15:37:25 rgb - * Forward check changes from POST1_00 branch. - * - * Revision 1.5.2.1 1999/04/02 04:26:14 rgb - * Backcheck from HEAD, pre1.0. - * - * Revision 1.8 1999/04/11 00:29:01 henry - * GPL boilerplate - * - * Revision 1.7 1999/04/06 04:54:28 rgb - * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes - * patch shell fixes. - * - * Revision 1.6 1999/03/31 05:44:48 rgb - * Keep PMTU reduction private. - * - * Revision 1.5 1999/02/10 22:31:20 rgb - * Change rebuild_header member to reflect generality of link layer. - * - * Revision 1.4 1998/12/01 13:22:04 rgb - * Added support for debug printing of version info. - * - * Revision 1.3 1998/07/29 20:42:46 rgb - * Add a macro for clearing all tunnel devices. - * Rearrange structures and declarations for sharing with userspace. - * - * Revision 1.2 1998/06/25 20:01:45 rgb - * Make prototypes available for ipsec_init and ipsec proc_dir_entries - * for static linking. - * - * Revision 1.1 1998/06/18 21:27:50 henry - * move sources from klips/src to klips/net/ipsec, to keep stupid - * kernel-build scripts happier in the presence of symlinks - * - * Revision 1.3 1998/05/18 21:51:50 rgb - * Added macros for num of I/F's and a procfs debug switch. - * - * Revision 1.2 1998/04/21 21:29:09 rgb - * Rearrange debug switches to change on the fly debug output from user - * space. 
Only kernel changes checked in at this time. radij.c was also - * changed to temporarily remove buggy debugging code in rj_delete causing - * an OOPS and hence, netlink device open errors. - * - * Revision 1.1 1998/04/09 03:06:13 henry - * sources moved up from linux/net/ipsec - * - * Revision 1.1.1.1 1998/04/08 05:35:05 henry - * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 - * - * Revision 0.5 1997/06/03 04:24:48 ji - * Added transport mode. - * Changed the way routing is done. - * Lots of bug fixes. - * - * Revision 0.4 1997/01/15 01:28:15 ji - * No changes. - * - * Revision 0.3 1996/11/20 14:39:04 ji - * Minor cleanups. - * Rationalized debugging code. - * - * Revision 0.2 1996/11/02 00:18:33 ji - * First limited release. - * - * - */ diff --git a/src/libfreeswan/ipsec_xform.h b/src/libfreeswan/ipsec_xform.h index 1dc6b6083..80beb7345 100644 --- a/src/libfreeswan/ipsec_xform.h +++ b/src/libfreeswan/ipsec_xform.h 
@@ -82,193 +82,3 @@ static inline const char *auth_name_id (unsigned id) { #define _IPSEC_XFORM_H_ #endif /* _IPSEC_XFORM_H_ */ - -/* - * $Log: ipsec_xform.h,v $ - * Revision 1.3 2004/09/29 22:26:13 as - * included ipsec_policy.h - * - * Revision 1.2 2004/03/22 21:53:18 as - * merged alg-0.8.1 branch with HEAD - * - * Revision 1.1.4.1 2004/03/16 09:48:18 as - * alg-0.8.1rc12 patch merged - * - * Revision 1.1 2004/03/15 20:35:25 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.36 2002/04/24 07:36:48 mcr - * Moved from ./klips/net/ipsec/ipsec_xform.h,v - * - * Revision 1.35 2001/11/26 09:23:51 rgb - * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes. - * - * Revision 1.33.2.1 2001/09/25 02:24:58 mcr - * struct tdb -> struct ipsec_sa. - * sa(tdb) manipulation functions renamed and moved to ipsec_sa.c - * ipsec_xform.c removed. header file still contains useful things. - * - * Revision 1.34 2001/11/06 19:47:17 rgb - * Changed lifetime_packets to uint32 from uint64. - * - * Revision 1.33 2001/09/08 21:13:34 rgb - * Added pfkey ident extension support for ISAKMPd. (NetCelo) - * - * Revision 1.32 2001/07/06 07:40:01 rgb - * Reformatted for readability. - * Added inbound policy checking fields for use with IPIP SAs. - * - * Revision 1.31 2001/06/14 19:35:11 rgb - * Update copyright date. - * - * Revision 1.30 2001/05/30 08:14:03 rgb - * Removed vestiges of esp-null transforms. - * - * Revision 1.29 2001/01/30 23:42:47 rgb - * Allow pfkey msgs from pid other than user context required for ACQUIRE - * and subsequent ADD or UDATE. - * - * Revision 1.28 2000/11/06 04:30:40 rgb - * Add Svenning's adaptive content compression. - * - * Revision 1.27 2000/09/19 00:38:25 rgb - * Fixed algorithm name bugs introduced for ipcomp. - * - * Revision 1.26 2000/09/17 21:36:48 rgb - * Added proto2txt macro. - * - * Revision 1.25 2000/09/17 18:56:47 rgb - * Added IPCOMP support. 
- * - * Revision 1.24 2000/09/12 19:34:12 rgb - * Defined XF_IP6 from Gerhard for ipv6 tunnel support. - * - * Revision 1.23 2000/09/12 03:23:14 rgb - * Cleaned out now unused tdb_xform and tdb_xdata members of struct tdb. - * - * Revision 1.22 2000/09/08 19:12:56 rgb - * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG. - * - * Revision 1.21 2000/09/01 18:32:43 rgb - * Added (disabled) sensitivity members to tdb struct. - * - * Revision 1.20 2000/08/30 05:31:01 rgb - * Removed all the rest of the references to tdb_spi, tdb_proto, tdb_dst. - * Kill remainder of tdb_xform, tdb_xdata, xformsw. - * - * Revision 1.19 2000/08/01 14:51:52 rgb - * Removed _all_ remaining traces of DES. - * - * Revision 1.18 2000/01/21 06:17:45 rgb - * Tidied up spacing. - * - * Revision 1.17 1999/11/17 15:53:40 rgb - * Changed all occurrences of #include "../../../lib/freeswan.h" - * to #include which works due to -Ilibfreeswan in the - * klips/net/ipsec/Makefile. - * - * Revision 1.16 1999/10/16 04:23:07 rgb - * Add stats for replaywin_errs, replaywin_max_sequence_difference, - * authentication errors, encryption size errors, encryption padding - * errors, and time since last packet. - * - * Revision 1.15 1999/10/16 00:29:11 rgb - * Added SA lifetime packet counting variables. - * - * Revision 1.14 1999/10/01 00:04:14 rgb - * Added tdb structure locking. - * Add function to initialize tdb hash table. - * - * Revision 1.13 1999/04/29 15:20:57 rgb - * dd return values to init and cleanup functions. - * Eliminate unnessessary usage of tdb_xform member to further switch - * away from the transform switch to the algorithm switch. - * Change gettdb parameter to a pointer to reduce stack loading and - * facilitate parameter sanity checking. - * Add a parameter to tdbcleanup to be able to delete a class of SAs. - * - * Revision 1.12 1999/04/15 15:37:25 rgb - * Forward check changes from POST1_00 branch. - * - * Revision 1.9.2.2 1999/04/13 20:35:57 rgb - * Fix spelling mistake in comment. 
- * - * Revision 1.9.2.1 1999/03/30 17:13:52 rgb - * Extend struct tdb to support pfkey. - * - * Revision 1.11 1999/04/11 00:29:01 henry - * GPL boilerplate - * - * Revision 1.10 1999/04/06 04:54:28 rgb - * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes - * patch shell fixes. - * - * Revision 1.9 1999/01/26 02:09:31 rgb - * Removed CONFIG_IPSEC_ALGO_SWITCH macro. - * Removed dead code. - * - * Revision 1.8 1999/01/22 06:29:35 rgb - * Added algorithm switch code. - * Cruft clean-out. - * - * Revision 1.7 1998/11/10 05:37:35 rgb - * Add support for SA direction flag. - * - * Revision 1.6 1998/10/19 14:44:29 rgb - * Added inclusion of freeswan.h. - * sa_id structure implemented and used: now includes protocol. - * - * Revision 1.5 1998/08/12 00:12:30 rgb - * Added macros for new xforms. Added prototypes for new xforms. - * - * Revision 1.4 1998/07/28 00:04:20 rgb - * Add macro for clearing the SA table. - * - * Revision 1.3 1998/07/14 18:06:46 rgb - * Added #ifdef __KERNEL__ directives to restrict scope of header. - * - * Revision 1.2 1998/06/23 03:02:19 rgb - * Created a prototype for ipsec_tdbcleanup when it was moved from - * ipsec_init.c. - * - * Revision 1.1 1998/06/18 21:27:51 henry - * move sources from klips/src to klips/net/ipsec, to keep stupid - * kernel-build scripts happier in the presence of symlinks - * - * Revision 1.4 1998/06/11 05:55:31 rgb - * Added transform version string pointer to xformsw structure definition. - * Added extern declarations for transform version strings. - * - * Revision 1.3 1998/05/18 22:02:54 rgb - * Modify the *_zeroize function prototypes to include one parameter. - * - * Revision 1.2 1998/04/21 21:29:08 rgb - * Rearrange debug switches to change on the fly debug output from user - * space. Only kernel changes checked in at this time. radij.c was also - * changed to temporarily remove buggy debugging code in rj_delete causing - * an OOPS and hence, netlink device open errors. 
- * - * Revision 1.1 1998/04/09 03:06:14 henry - * sources moved up from linux/net/ipsec - * - * Revision 1.1.1.1 1998/04/08 05:35:06 henry - * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 - * - * Revision 0.5 1997/06/03 04:24:48 ji - * Added ESP-3DES-MD5-96 - * - * Revision 0.4 1997/01/15 01:28:15 ji - * Added new transforms. - * - * Revision 0.3 1996/11/20 14:39:04 ji - * Minor cleanups. - * Rationalized debugging code. - * - * Revision 0.2 1996/11/02 00:18:33 ji - * First limited release. - * - * Local variables: - * c-file-style: "linux" - * End: - * - */ diff --git a/src/libfreeswan/pfkey.h b/src/libfreeswan/pfkey.h index afa5ce032..01c404677 100644 --- a/src/libfreeswan/pfkey.h +++ b/src/libfreeswan/pfkey.h 
@@ -324,175 +324,3 @@ pfkey_v2_sadb_type_string(int sadb_type); #endif /* __NET_IPSEC_PF_KEY_H */ - -/* - * $Log: pfkey.h,v $ - * Revision 1.2 2004/03/22 21:53:18 as - * merged alg-0.8.1 branch with HEAD - * - * Revision 1.1.2.1.2.1 2004/03/16 09:48:18 as - * alg-0.8.1rc12 patch merged - * - * Revision 1.1.2.1 2004/03/15 22:30:06 as - * nat-0.6c patch merged - * - * Revision 1.1 2004/03/15 20:35:25 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.42 2003/08/25 22:08:19 mcr - * removed pfkey_proto_init() from pfkey.h for 2.6 support. - * - * Revision 1.41 2003/05/07 17:28:57 mcr - * new function pfkey_debug_func added for us in debugging from - * pfkey library. - * - * Revision 1.40 2003/01/30 02:31:34 rgb - * - * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug. - * - * Revision 1.39 2002/09/20 15:40:21 rgb - * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc(). - * Added ref parameter to pfkey_sa_build(). - * Cleaned out unused cruft. - * - * Revision 1.38 2002/05/14 02:37:24 rgb - * Change all references to tdb, TDB or Tunnel Descriptor Block to ips, - * ipsec_sa or ipsec_sa. - * Added function prototypes for the functions moved to - * pfkey_v2_ext_process.c. - * - * Revision 1.37 2002/04/24 07:36:49 mcr - * Moved from ./lib/pfkey.h,v - * - * Revision 1.36 2002/01/20 20:34:49 mcr - * added pfkey_v2_sadb_type_string to decode sadb_type to string. - * - * Revision 1.35 2001/11/27 05:27:47 mcr - * pfkey parses are now maintained by a structure - * that includes their name for debug purposes. - * - * Revision 1.34 2001/11/26 09:23:53 rgb - * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes. - * - * Revision 1.33 2001/11/06 19:47:47 rgb - * Added packet parameter to lifetime and comb structures. - * - * Revision 1.32 2001/09/08 21:13:34 rgb - * Added pfkey ident extension support for ISAKMPd. (NetCelo) - * - * Revision 1.31 2001/06/14 19:35:16 rgb - * Update copyright date. 
- * - * Revision 1.30 2001/02/27 07:04:52 rgb - * Added satype2name prototype. - * - * Revision 1.29 2001/02/26 19:59:33 rgb - * Ditch unused sadb_satype2proto[], replaced by satype2proto(). - * - * Revision 1.28 2000/10/10 20:10:19 rgb - * Added support for debug_ipcomp and debug_verbose to klipsdebug. - * - * Revision 1.27 2000/09/21 04:20:45 rgb - * Fixed array size off-by-one error. (Thanks Svenning!) - * - * Revision 1.26 2000/09/12 03:26:05 rgb - * Added pfkey_acquire prototype. - * - * Revision 1.25 2000/09/08 19:21:28 rgb - * Fix pfkey_prop_build() parameter to be only single indirection. - * - * Revision 1.24 2000/09/01 18:46:42 rgb - * Added a supported algorithms array lists, one per satype and registered - * existing algorithms. - * Fixed pfkey_list_{insert,remove}_{socket,support}() to allow change to - * list. - * - * Revision 1.23 2000/08/27 01:55:26 rgb - * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code. - * - * Revision 1.22 2000/08/20 21:39:23 rgb - * Added kernel prototypes for kernel funcitions pfkey_upmsg() and - * pfkey_expire(). - * - * Revision 1.21 2000/08/15 17:29:23 rgb - * Fixes from SZI to untested pfkey_prop_build(). - * - * Revision 1.20 2000/05/10 20:14:19 rgb - * Fleshed out sensitivity, proposal and supported extensions. - * - * Revision 1.19 2000/03/16 14:07:23 rgb - * Renamed ALIGN macro to avoid fighting with others in kernel. - * - * Revision 1.18 2000/01/22 23:24:06 rgb - * Added prototypes for proto2satype(), satype2proto() and proto2name(). - * - * Revision 1.17 2000/01/21 06:26:59 rgb - * Converted from double tdb arguments to one structure (extr) - * containing pointers to all temporary information structures. - * Added klipsdebug switching capability. - * Dropped unused argument to pfkey_x_satype_build(). 
- * - * Revision 1.16 1999/12/29 21:17:41 rgb - * Changed pfkey_msg_build() I/F to include a struct sadb_msg** - * parameter for cleaner manipulation of extensions[] and to guard - * against potential memory leaks. - * Changed the I/F to pfkey_msg_free() for the same reason. - * - * Revision 1.15 1999/12/09 23:12:54 rgb - * Added macro for BITS_PER_OCTET. - * Added argument to pfkey_sa_build() to do eroutes. - * - * Revision 1.14 1999/12/08 20:33:25 rgb - * Changed sa_family_t to uint16_t for 2.0.xx compatibility. - * - * Revision 1.13 1999/12/07 19:53:40 rgb - * Removed unused first argument from extension parsers. - * Changed __u* types to uint* to avoid use of asm/types.h and - * sys/types.h in userspace code. - * Added function prototypes for pfkey message and extensions - * initialisation and cleanup. - * - * Revision 1.12 1999/12/01 22:19:38 rgb - * Change pfkey_sa_build to accept an SPI in network byte order. - * - * Revision 1.11 1999/11/27 11:55:26 rgb - * Added extern sadb_satype2proto to enable moving protocol lookup table - * to lib/pfkey_v2_parse.c. - * Delete unused, moved typedefs. - * Add argument to pfkey_msg_parse() for direction. - * Consolidated the 4 1-d extension bitmap arrays into one 4-d array. - * - * Revision 1.10 1999/11/23 22:29:21 rgb - * This file has been moved in the distribution from klips/net/ipsec to - * lib. - * Add macros for dealing with alignment and rounding up more opaquely. - * The uint_t type defines have been moved to freeswan.h to avoid - * chicken-and-egg problems. - * Add macros for dealing with alignment and rounding up more opaque. - * Added prototypes for using extention header bitmaps. - * Added prototypes of all the build functions. - * - * Revision 1.9 1999/11/20 21:59:48 rgb - * Moved socketlist type declarations and prototypes for shared use. - * Slightly modified scope of sockaddr_key declaration. - * - * Revision 1.8 1999/11/17 14:34:25 rgb - * Protect sa_family_t from being used in userspace with GLIBC<2. 
- * - * Revision 1.7 1999/10/27 19:40:35 rgb - * Add a maximum PFKEY packet size macro. - * - * Revision 1.6 1999/10/26 16:58:58 rgb - * Created a sockaddr_key and key_opt socket extension structures. - * - * Revision 1.5 1999/06/10 05:24:41 rgb - * Renamed variables to reduce confusion. - * - * Revision 1.4 1999/04/29 15:21:11 rgb - * Add pfkey support to debugging. - * Add return values to init and cleanup functions. - * - * Revision 1.3 1999/04/15 17:58:07 rgb - * Add RCSID labels. - * - */ diff --git a/src/libfreeswan/pfkey_v2_debug.c b/src/libfreeswan/pfkey_v2_debug.c index 8430766aa..8b4be384f 100644 --- a/src/libfreeswan/pfkey_v2_debug.c +++ b/src/libfreeswan/pfkey_v2_debug.c 
@@ -126,52 +126,3 @@ pfkey_v2_sadb_type_string(int sadb_type) return "unknown-sadb-type"; } } - - - - -/* - * $Log: pfkey_v2_debug.c,v $ - * Revision 1.2 2004/03/22 21:53:18 as - * merged alg-0.8.1 branch with HEAD - * - * Revision 1.1.2.1 2004/03/15 22:30:06 as - * nat-0.6c patch merged - * - * Revision 1.1 2004/03/15 20:35:26 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.7 2002/09/20 05:01:26 rgb - * Fixed limit inclusion error in both type and ext string conversion. - * - * Revision 1.6 2002/04/24 07:55:32 mcr - * #include patches and Makefiles for post-reorg compilation. - * - * Revision 1.5 2002/04/24 07:36:40 mcr - * Moved from ./lib/pfkey_v2_debug.c,v - * - * Revision 1.4 2002/01/29 22:25:36 rgb - * Re-add ipsec_kversion.h to keep MALLOC happy. - * - * Revision 1.3 2002/01/29 01:59:09 mcr - * removal of kversions.h - sources that needed it now use ipsec_param.h. - * updating of IPv6 structures to match latest in6.h version. - * removed dead code from freeswan.h that also duplicated kversions.h - * code. - * - * Revision 1.2 2002/01/20 20:34:50 mcr - * added pfkey_v2_sadb_type_string to decode sadb_type to string. - * - * Revision 1.1 2001/11/27 05:30:06 mcr - * initial set of debug strings for pfkey debugging. - * this will eventually only be included for debug builds. - * - * Revision 1.1 2001/09/21 04:12:03 mcr - * first compilable version. - * - * - * Local variables: - * c-file-style: "linux" - * End: - * - */ diff --git a/src/libfreeswan/pfkey_v2_ext_bits.c b/src/libfreeswan/pfkey_v2_ext_bits.c index b41941848..280438750 100644 --- a/src/libfreeswan/pfkey_v2_ext_bits.c +++ b/src/libfreeswan/pfkey_v2_ext_bits.c 
@@ -722,68 +722,3 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/] } } }; - -/* - * $Log: pfkey_v2_ext_bits.c,v $ - * Revision 1.2 2004/03/22 21:53:18 as - * merged alg-0.8.1 branch with HEAD - * - * Revision 1.1.2.1 2004/03/15 22:30:06 as - * nat-0.6c patch merged - * - * Revision 1.1 2004/03/15 20:35:26 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.15 2002/04/24 07:55:32 mcr - * #include patches and Makefiles for post-reorg compilation. - * - * Revision 1.14 2002/04/24 07:36:40 mcr - * Moved from ./lib/pfkey_v2_ext_bits.c,v - * - * Revision 1.13 2002/01/29 22:25:36 rgb - * Re-add ipsec_kversion.h to keep MALLOC happy. - * - * Revision 1.12 2002/01/29 01:59:10 mcr - * removal of kversions.h - sources that needed it now use ipsec_param.h. - * updating of IPv6 structures to match latest in6.h version. - * removed dead code from freeswan.h that also duplicated kversions.h - * code. - * - * Revision 1.11 2001/10/18 04:45:24 rgb - * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h, - * lib/freeswan.h version macros moved to lib/kversions.h. - * Other compiler directive cleanups. - * - * Revision 1.10 2001/09/08 21:13:35 rgb - * Added pfkey ident extension support for ISAKMPd. (NetCelo) - * - * Revision 1.9 2001/06/14 19:35:16 rgb - * Update copyright date. - * - * Revision 1.8 2001/03/26 23:07:36 rgb - * Remove requirement for auth and enc key from UPDATE. - * - * Revision 1.7 2000/09/12 22:35:37 rgb - * Restructured to remove unused extensions from CLEARFLOW messages. - * - * Revision 1.6 2000/09/09 06:39:01 rgb - * Added comments for clarity. - * - * Revision 1.5 2000/06/02 22:54:14 rgb - * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support. - * - * Revision 1.4 2000/01/21 06:27:56 rgb - * Added address cases for eroute flows. - * Added comments for each message type. - * Added klipsdebug switching capability. - * Fixed GRPSA bitfields. 
- * - * Revision 1.3 1999/12/01 22:20:27 rgb - * Remove requirement for a proxy address in an incoming getspi message. - * - * Revision 1.2 1999/11/27 11:57:06 rgb - * Consolidated the 4 1-d extension bitmap arrays into one 4-d array. - * Add CVS log entry to bottom of file. - * Cleaned out unused bits. - * - */ diff --git a/src/libfreeswan/pfkey_v2_parse.c b/src/libfreeswan/pfkey_v2_parse.c index 440aa8c1d..c19ec1c99 100644 --- a/src/libfreeswan/pfkey_v2_parse.c +++ b/src/libfreeswan/pfkey_v2_parse.c 
@@ -1597,228 +1597,3 @@ errlab: return error; } - -/* - * $Log: pfkey_v2_parse.c,v $ - * Revision 1.4 2004/06/13 20:35:07 as - * removed references to ipsec_netlink.h - * - * Revision 1.3 2004/03/30 10:00:17 as - * 64 bit issues - * - * Revision 1.2 2004/03/22 21:53:18 as - * merged alg-0.8.1 branch with HEAD - * - * Revision 1.1.2.1 2004/03/15 22:30:06 as - * nat-0.6c patch merged - * - * Revision 1.1 2004/03/15 20:35:26 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.53 2003/01/30 02:32:09 rgb - * - * Rename SAref table macro names for clarity. - * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug. - * - * Revision 1.52 2002/12/30 06:53:07 mcr - * deal with short SA structures... #if 0 out for now. Probably - * not quite the right way. - * - * Revision 1.51 2002/12/13 18:16:02 mcr - * restored sa_ref code - * - * Revision 1.50 2002/12/13 18:06:52 mcr - * temporarily removed sadb_x_sa_ref reference for 2.xx - * - * Revision 1.49 2002/10/05 05:02:58 dhr - * - * C labels go on statements - * - * Revision 1.48 2002/09/20 15:40:45 rgb - * Added sadb_x_sa_ref to struct sadb_sa. - * - * Revision 1.47 2002/09/20 05:01:31 rgb - * Fixed usage of pfkey_lib_debug. - * Format for function declaration style consistency. - * Added text labels to elucidate numeric values presented. - * Re-organised debug output to reduce noise in output. - * - * Revision 1.46 2002/07/24 18:44:54 rgb - * Type fiddling to tame ia64 compiler. - * - * Revision 1.45 2002/05/23 07:14:11 rgb - * Cleaned up %p variants to 0p%p for test suite cleanup. - * - * Revision 1.44 2002/04/24 07:55:32 mcr - * #include patches and Makefiles for post-reorg compilation. - * - * Revision 1.43 2002/04/24 07:36:40 mcr - * Moved from ./lib/pfkey_v2_parse.c,v - * - * Revision 1.42 2002/01/29 22:25:36 rgb - * Re-add ipsec_kversion.h to keep MALLOC happy. 
- * - * Revision 1.41 2002/01/29 01:59:10 mcr - * removal of kversions.h - sources that needed it now use ipsec_param.h. - * updating of IPv6 structures to match latest in6.h version. - * removed dead code from freeswan.h that also duplicated kversions.h - * code. - * - * Revision 1.40 2002/01/20 20:34:50 mcr - * added pfkey_v2_sadb_type_string to decode sadb_type to string. - * - * Revision 1.39 2001/11/27 05:29:22 mcr - * pfkey parses are now maintained by a structure - * that includes their name for debug purposes. - * DEBUGGING() macro changed so that it takes a debug - * level so that pf_key() can use this to decode the - * structures without innundanting humans. - * Also uses pfkey_v2_sadb_ext_string() in messages. - * - * Revision 1.38 2001/11/06 19:47:47 rgb - * Added packet parameter to lifetime and comb structures. - * - * Revision 1.37 2001/10/18 04:45:24 rgb - * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h, - * lib/freeswan.h version macros moved to lib/kversions.h. - * Other compiler directive cleanups. - * - * Revision 1.36 2001/06/14 19:35:16 rgb - * Update copyright date. - * - * Revision 1.35 2001/05/03 19:44:51 rgb - * Standardise on SENDERR() macro. - * - * Revision 1.34 2001/03/16 07:41:51 rgb - * Put freeswan.h include before pluto includes. - * - * Revision 1.33 2001/02/27 07:13:51 rgb - * Added satype2name() function. - * Added text to default satype_tbl entry. - * Added satype2name() conversions for most satype debug output. - * - * Revision 1.32 2001/02/26 20:01:09 rgb - * Added internal IP protocol 61 for magic SAs. - * Ditch unused sadb_satype2proto[], replaced by satype2proto(). - * Re-formatted debug output (split lines, consistent spacing). - * Removed acquire, register and expire requirements for a known satype. - * Changed message type checking to a switch structure. - * Verify expected NULL auth for IPCOMP. - * Enforced spi > 0x100 requirement, now that pass uses a magic SA for - * appropriate message types. 
- * - * Revision 1.31 2000/12/01 07:09:00 rgb - * Added ipcomp sanity check to require encalgo is set. - * - * Revision 1.30 2000/11/17 18:10:30 rgb - * Fixed bugs mostly relating to spirange, to treat all spi variables as - * network byte order since this is the way PF_KEYv2 stored spis. - * - * Revision 1.29 2000/10/12 00:02:39 rgb - * Removed 'format, ##' nonsense from debug macros for RH7.0. - * - * Revision 1.28 2000/09/20 16:23:04 rgb - * Remove over-paranoid extension check in the presence of sadb_msg_errno. - * - * Revision 1.27 2000/09/20 04:04:21 rgb - * Changed static functions to DEBUG_NO_STATIC to reveal function names in - * oopsen. - * - * Revision 1.26 2000/09/15 11:37:02 rgb - * Merge in heavily modified Svenning Soerensen's - * IPCOMP zlib deflate code. - * - * Revision 1.25 2000/09/12 22:35:37 rgb - * Restructured to remove unused extensions from CLEARFLOW messages. - * - * Revision 1.24 2000/09/12 18:59:54 rgb - * Added Gerhard's IPv6 support to pfkey parts of libfreeswan. - * - * Revision 1.23 2000/09/12 03:27:00 rgb - * Moved DEBUGGING definition to compile kernel with debug off. - * - * Revision 1.22 2000/09/09 06:39:27 rgb - * Restrict pfkey errno check to downward messages only. - * - * Revision 1.21 2000/09/08 19:22:34 rgb - * Enabled pfkey_sens_parse(). - * Added check for errno on downward acquire messages only. - * - * Revision 1.20 2000/09/01 18:48:23 rgb - * Fixed reserved check bug and added debug output in - * pfkey_supported_parse(). - * Fixed debug output label bug in pfkey_ident_parse(). - * - * Revision 1.19 2000/08/27 01:55:26 rgb - * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code. - * - * Revision 1.18 2000/08/24 17:00:36 rgb - * Ignore unknown extensions instead of failing. - * - * Revision 1.17 2000/06/02 22:54:14 rgb - * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support. - * - * Revision 1.16 2000/05/10 19:25:11 rgb - * Fleshed out proposal and supported extensions. 
- * - * Revision 1.15 2000/01/24 21:15:31 rgb - * Added disabled pluto pfkey lib debug flag. - * Added algo debugging reporting. - * - * Revision 1.14 2000/01/22 23:24:29 rgb - * Added new functions proto2satype() and satype2proto() and lookup - * table satype_tbl. Also added proto2name() since it was easy. - * - * Revision 1.13 2000/01/21 09:43:59 rgb - * Cast ntohl(spi) as (unsigned long int) to shut up compiler. - * - * Revision 1.12 2000/01/21 06:28:19 rgb - * Added address cases for eroute flows. - * Indented compiler directives for readability. - * Added klipsdebug switching capability. - * - * Revision 1.11 1999/12/29 21:14:59 rgb - * Fixed debug text cut and paste typo. - * - * Revision 1.10 1999/12/10 17:45:24 rgb - * Added address debugging. - * - * Revision 1.9 1999/12/09 23:11:42 rgb - * Ditched include since we no longer use memset(). - * Use new pfkey_extensions_init() instead of memset(). - * Added check for SATYPE in pfkey_msg_build(). - * Tidy up comments and debugging comments. - * - * Revision 1.8 1999/12/07 19:55:26 rgb - * Removed unused first argument from extension parsers. - * Removed static pluto debug flag. - * Moved message type and state checking to pfkey_msg_parse(). - * Changed print[fk] type from lx to x to quiet compiler. - * Removed redundant remain check. - * Changed __u* types to uint* to avoid use of asm/types.h and - * sys/types.h in userspace code. - * - * Revision 1.7 1999/12/01 22:20:51 rgb - * Moved pfkey_lib_debug variable into the library. - * Added pfkey version check into header parsing. - * Added check for SATYPE only for those extensions that require a - * non-zero value. - * - * Revision 1.6 1999/11/27 11:58:05 rgb - * Added ipv6 headers. - * Moved sadb_satype2proto protocol lookup table from - * klips/net/ipsec/pfkey_v2_parser.c. - * Enable lifetime_current checking. - * Debugging error messages added. - * Add argument to pfkey_msg_parse() for direction. 
- * Consolidated the 4 1-d extension bitmap arrays into one 4-d array. - * Add CVS log entry to bottom of file. - * Moved auth and enc alg check to pfkey_msg_parse(). - * Enable accidentally disabled spirange parsing. - * Moved protocol/algorithm checks from klips/net/ipsec/pfkey_v2_parser.c - * - * Local variables: - * c-file-style: "linux" - * End: - * - */ diff --git a/src/libfreeswan/radij.h b/src/libfreeswan/radij.h index 2a66093a0..7fe30a6ea 100644 --- a/src/libfreeswan/radij.h +++ b/src/libfreeswan/radij.h 
@@ -199,82 +199,3 @@ extern int maj_keylen; #endif /* __KERNEL__ */ #endif /* _RADIJ_H_ */ - - -/* - * $Log: radij.h,v $ - * Revision 1.1 2004/03/15 20:35:25 as - * added files from freeswan-2.04-x509-1.5.3 - * - * Revision 1.12 2002/04/24 07:36:48 mcr - * Moved from ./klips/net/ipsec/radij.h,v - * - * Revision 1.11 2001/09/20 15:33:00 rgb - * Min/max cleanup. - * - * Revision 1.10 1999/11/18 04:09:20 rgb - * Replaced all kernel version macros to shorter, readable form. - * - * Revision 1.9 1999/05/05 22:02:33 rgb - * Add a quick and dirty port to 2.2 kernels by Marc Boucher . - * - * Revision 1.8 1999/04/29 15:24:58 rgb - * Add check for existence of macros min/max. - * - * Revision 1.7 1999/04/11 00:29:02 henry - * GPL boilerplate - * - * Revision 1.6 1999/04/06 04:54:29 rgb - * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes - * patch shell fixes. - * - * Revision 1.5 1999/01/22 06:30:32 rgb - * 64-bit clean-up. - * - * Revision 1.4 1998/11/30 13:22:55 rgb - * Rationalised all the klips kernel file headers. They are much shorter - * now and won't conflict under RH5.2. - * - * Revision 1.3 1998/10/25 02:43:27 rgb - * Change return type on rj_addroute and rj_delete and add and argument - * to the latter to be able to transmit more infomation about errors. - * - * Revision 1.2 1998/07/14 18:09:51 rgb - * Add a routine to clear eroute table. - * Added #ifdef __KERNEL__ directives to restrict scope of header. - * - * Revision 1.1 1998/06/18 21:30:22 henry - * move sources from klips/src to klips/net/ipsec to keep stupid kernel - * build scripts happier about symlinks - * - * Revision 1.4 1998/05/25 20:34:16 rgb - * Remove temporary ipsec_walk, rj_deltree and rj_delnodes functions. - * - * Rename ipsec_rj_walker (ipsec_walk) to ipsec_rj_walker_procprint and - * add ipsec_rj_walker_delete. - * - * Recover memory for eroute table on unload of module. 
- * - * Revision 1.3 1998/04/22 16:51:37 rgb - * Tidy up radij debug code from recent rash of modifications to debug code. - * - * Revision 1.2 1998/04/14 17:30:38 rgb - * Fix up compiling errors for radij tree memory reclamation. - * - * Revision 1.1 1998/04/09 03:06:16 henry - * sources moved up from linux/net/ipsec - * - * Revision 1.1.1.1 1998/04/08 05:35:04 henry - * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 - * - * Revision 0.4 1997/01/15 01:28:15 ji - * No changes. - * - * Revision 0.3 1996/11/20 14:44:45 ji - * Release update only. - * - * Revision 0.2 1996/11/02 00:18:33 ji - * First limited release. - * - * - */ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index b103be193..292abc0a4 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -11,6 +11,7 @@ asn1/asn1.c asn1/asn1.h \ asn1/oid.c asn1/oid.h \ asn1/pem.c asn1/pem.h \ asn1/ttodata.c asn1/ttodata.h \ +crypto/ac.c crypto/ac.h \ crypto/ca.c crypto/ca.h \ crypto/certinfo.c crypto/certinfo.h \ crypto/crl.c crypto/crl.h \ diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index e5c5c758e..015308449 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -60,7 +60,7 @@ am__DEPENDENCIES_1 = libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ - printf_hook.lo asn1.lo oid.lo pem.lo ttodata.lo ca.lo \ + printf_hook.lo asn1.lo oid.lo pem.lo ttodata.lo ac.lo ca.lo \ certinfo.lo crl.lo crypter.lo aes_cbc_crypter.lo \ des_crypter.lo diffie_hellman.lo hasher.lo sha1_hasher.lo \ sha2_hasher.lo md5_hasher.lo hmac.lo ocsp.lo fips_prf.lo \ @@ -129,6 +129,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ 
@@ -141,6 +142,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -151,8 +153,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -174,6 +180,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -183,6 +190,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -196,9 +205,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -213,6 +226,8 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ lib_LTLIBRARIES = libstrongswan.la libstrongswan_la_SOURCES = \ credential_store.h \ 
@@ -225,6 +240,7 @@ asn1/asn1.c asn1/asn1.h \ asn1/oid.c asn1/oid.h \ asn1/pem.c asn1/pem.h \ asn1/ttodata.c asn1/ttodata.h \ +crypto/ac.c crypto/ac.h \ crypto/ca.c crypto/ca.h \ crypto/certinfo.c crypto/certinfo.h \ crypto/crl.c crypto/crl.h \ @@ -333,6 +349,7 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ac.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_cbc_crypter.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Plo@am__quote@ 
@@ -421,6 +438,13 @@ ttodata.lo: asn1/ttodata.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c +ac.lo: crypto/ac.c +@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ac.lo -MD -MP -MF "$(DEPDIR)/ac.Tpo" -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ac.Tpo" "$(DEPDIR)/ac.Plo"; else rm -f "$(DEPDIR)/ac.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/ac.c' object='ac.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c + ca.lo: crypto/ca.c @am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ca.lo -MD -MP -MF "$(DEPDIR)/ca.Tpo" -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c; \ @am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ca.Tpo" "$(DEPDIR)/ca.Plo"; else rm -f "$(DEPDIR)/ca.Tpo"; exit 1; fi diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index 91a6621d4..2a0aa4ff6 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c 
@@ -731,3 +731,43 @@ chunk_t timetoasn1(const time_t *time, asn1_t type)
 formatted_time.len = strlen(buf);
 return asn1_simple_object(type, formatted_time);
 }
+
+/**
+ * ASN.1 definition of time
+ */
+static const asn1Object_t timeObjects[] = {
+ { 0, "utcTime", ASN1_UTCTIME, ASN1_OPT|ASN1_BODY }, /* 0 */
+ { 0, "end opt", ASN1_EOC, ASN1_END }, /* 1 */
+ { 0, "generalizeTime",ASN1_GENERALIZEDTIME, ASN1_OPT|ASN1_BODY }, /* 2 */
+ { 0, "end opt", ASN1_EOC, ASN1_END } /* 3 */
+};
+#define TIME_UTC 0
+#define TIME_GENERALIZED 2
+#define TIME_ROOF 4
+
+/**
+ * extracts and converts a UTCTIME or GENERALIZEDTIME object
+ */
+time_t parse_time(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < TIME_ROOF)
+ {
+ if (!extract_object(timeObjects, &objectID, &object, &level, &ctx))
+ return 0;
+
+ if (objectID == TIME_UTC || objectID == TIME_GENERALIZED)
+ {
+ return asn1totime(&object, (objectID == TIME_UTC)
+ ? ASN1_UTCTIME : ASN1_GENERALIZEDTIME);
+ }
+ objectID++;
+ }
+ return 0;
+}
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 5ab519ec8..365ccb438 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -124,6 +124,8 @@ extern void asn1_init(asn1_ctx_t *ctx, chunk_t blob, u_int level0, bool implicit
 extern bool extract_object(asn1Object_t const *objects, u_int *objectID, chunk_t *object, u_int *level, asn1_ctx_t *ctx);
 extern bool parse_asn1_simple_object(chunk_t *object, asn1_t type, u_int level, const char* name);
 extern int parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters);
+extern time_t parse_time(chunk_t blob, int level0);
+
 
 extern bool is_asn1(chunk_t blob);
 extern void code_asn1_length(size_t length, chunk_t *code);
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 4b0632de2..48df1b7c4 100644
--- a/src/libstrongswan/asn1/oid.c
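Review bot: parse_time returns 0 both when extract_object fails and when neither optional time object is present, and 0 is also a legitimately decodable epoch value, so a caller cannot tell a malformed time in an untrusted blob from 1970-01-01 (a notBefore that decodes to 0 silently passes a "not yet valid" check, while a notAfter of 0 fails closed). The tree already has an UNDEFINED_TIME sentinel (ac.c's is_valid compares against it); if it is visible from asn1.c, `return UNDEFINED_TIME;` on both failure paths keeps "no time" distinguishable. The prototype added to asn1.h carries no comment, so whichever value is chosen should be stated there: `/* parses a UTCTIME/GENERALIZEDTIME CHOICE; returns 0 if neither is present or parsing fails */`. As a point of style, the `return 0;` after the extract_object check is the only unbraced single-statement body in the function.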
+++ b/src/libstrongswan/asn1/oid.c
@@ -28,7 +28,7 @@ const oid_t oid_names[] = {
 { 0x01, 0, 1, "pilotAttributeType" }, /* 15 */
 { 0x01, 17, 0, "UID" }, /* 16 */
 { 0x19, 0, 0, "DC" }, /* 17 */
- {0x55, 51, 1, "X.500" }, /* 18 */
+ {0x55, 52, 1, "X.500" }, /* 18 */
 { 0x04, 36, 1, "X.509" }, /* 19 */
 { 0x03, 21, 0, "CN" }, /* 20 */
 { 0x04, 22, 0, "S" }, /* 21 */
@@ -54,144 +54,145 @@ const oid_t oid_names[] = {
 { 0x11, 42, 0, "subjectAltName" }, /* 41 */
 { 0x12, 43, 0, "issuerAltName" }, /* 42 */
 { 0x13, 44, 0, "basicConstraints" }, /* 43 */
- { 0x15, 45, 0, "reasonCode" }, /* 44 */
- { 0x1F, 46, 0, "crlDistributionPoints" }, /* 45 */
- { 0x20, 47, 0, "certificatePolicies" }, /* 46 */
- { 0x23, 48, 0, "authorityKeyIdentifier" }, /* 47 */
- { 0x25, 49, 0, "extendedKeyUsage" }, /* 48 */
- { 0x37, 50, 0, "targetInformation" }, /* 49 */
- { 0x38, 0, 0, "noRevAvail" }, /* 50 */
- {0x2A, 88, 1, "" }, /* 51 */
- { 0x86, 0, 1, "" }, /* 52 */
- { 0x48, 0, 1, "" }, /* 53 */
- { 0x86, 0, 1, "" }, /* 54 */
- { 0xF7, 0, 1, "" }, /* 55 */
- { 0x0D, 0, 1, "RSADSI" }, /* 56 */
- { 0x01, 83, 1, "PKCS" }, /* 57 */
- { 0x01, 66, 1, "PKCS-1" }, /* 58 */
- { 0x01, 60, 0, "rsaEncryption" }, /* 59 */
- { 0x02, 61, 0, "md2WithRSAEncryption" }, /* 60 */
- { 0x04, 62, 0, "md5WithRSAEncryption" }, /* 61 */
- { 0x05, 63, 0, "sha-1WithRSAEncryption" }, /* 62 */
- { 0x0B, 64, 0, "sha256WithRSAEncryption"}, /* 63 */
- { 0x0C, 65, 0, "sha384WithRSAEncryption"}, /* 64 */
- { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 65 */
- { 0x07, 73, 1, "PKCS-7" }, /* 66 */
- { 0x01, 68, 0, "data" }, /* 67 */
- { 0x02, 69, 0, "signedData" }, /* 68 */
- { 0x03, 70, 0, "envelopedData" }, /* 69 */
- { 0x04, 71, 0, "signedAndEnvelopedData" }, /* 70 */
- { 0x05, 72, 0, "digestedData" }, /* 71 */
- { 0x06, 0, 0, "encryptedData" }, /* 72 */
- { 0x09, 0, 1, "PKCS-9" }, /* 73 */
- { 0x01, 75, 0, "E" }, /* 74 */
- { 0x02, 76, 0, "unstructuredName" }, /* 75 */
- { 0x03, 77, 0, "contentType" }, /* 76 */
- { 0x04, 78, 0, "messageDigest" }, /* 77 */
- { 0x05, 79, 0, "signingTime" }, /* 78 */
- { 0x06, 80, 0, "counterSignature" }, /* 79 */
- { 0x07, 81, 0, "challengePassword" }, /* 80 */
- { 0x08, 82, 0, "unstructuredAddress" }, /* 81 */
- { 0x0E, 0, 0, "extensionRequest" }, /* 82 */
- { 0x02, 86, 1, "digestAlgorithm" }, /* 83 */
- { 0x02, 85, 0, "md2" }, /* 84 */
- { 0x05, 0, 0, "md5" }, /* 85 */
- { 0x03, 0, 1, "encryptionAlgorithm" }, /* 86 */
- { 0x07, 0, 0, "3des-ede-cbc" }, /* 87 */
- {0x2B, 149, 1, "" }, /* 88 */
- { 0x06, 136, 1, "dod" }, /* 89 */
- { 0x01, 0, 1, "internet" }, /* 90 */
- { 0x04, 105, 1, "private" }, /* 91 */
- { 0x01, 0, 1, "enterprise" }, /* 92 */
- { 0x82, 98, 1, "" }, /* 93 */
- { 0x37, 0, 1, "Microsoft" }, /* 94 */
- { 0x0A, 0, 1, "" }, /* 95 */
- { 0x03, 0, 1, "" }, /* 96 */
- { 0x03, 0, 0, "msSGC" }, /* 97 */
- { 0x89, 0, 1, "" }, /* 98 */
- { 0x31, 0, 1, "" }, /* 99 */
- { 0x01, 0, 1, "" }, /* 100 */
- { 0x01, 0, 1, "" }, /* 101 */
- { 0x02, 0, 1, "" }, /* 102 */
- { 0x02, 104, 0, "" }, /* 103 */
- { 0x4B, 0, 0, "TCGID" }, /* 104 */
- { 0x05, 0, 1, "security" }, /* 105 */
- { 0x05, 0, 1, "mechanisms" }, /* 106 */
- { 0x07, 0, 1, "id-pkix" }, /* 107 */
- { 0x01, 110, 1, "id-pe" }, /* 108 */
- { 0x01, 0, 0, "authorityInfoAccess" }, /* 109 */
- { 0x03, 120, 1, "id-kp" }, /* 110 */
- { 0x01, 112, 0, "serverAuth" }, /* 111 */
- { 0x02, 113, 0, "clientAuth" }, /* 112 */
- { 0x03, 114, 0, "codeSigning" }, /* 113 */
- { 0x04, 115, 0, "emailProtection" }, /* 114 */
- { 0x05, 116, 0, "ipsecEndSystem" }, /* 115 */
- { 0x06, 117, 0, "ipsecTunnel" }, /* 116 */
- { 0x07, 118, 0, "ipsecUser" }, /* 117 */
- { 0x08, 119, 0, "timeStamping" }, /* 118 */
- { 0x09, 0, 0, "ocspSigning" }, /* 119 */
- { 0x08, 122, 1, "id-otherNames" }, /* 120 */
- { 0x05, 0, 0, "xmppAddr" }, /* 121 */
- { 0x0A, 127, 1, "id-aca" }, /* 122 */
- { 0x01, 124, 0, "authenticationInfo" }, /* 123 */
- { 0x02, 125, 0, "accessIdentity" }, /* 124 */
- { 0x03, 126, 0, "chargingIdentity" }, /* 125 */
- { 0x04, 0, 0, "group" }, /* 126 */
- { 0x30, 0, 1, "id-ad" }, /* 127 */
- { 0x01, 0, 1, "ocsp" }, /* 128 */
- { 0x01, 130, 0, "basic" }, /* 129 */
- { 0x02, 131, 0, "nonce" }, /* 130 */
- { 0x03, 132, 0, "crl" }, /* 131 */
- { 0x04, 133, 0, "response" }, /* 132 */
- { 0x05, 134, 0, "noCheck" }, /* 133 */
- { 0x06, 135, 0, "archiveCutoff" }, /* 134 */
- { 0x07, 0, 0, "serviceLocator" }, /* 135 */
- { 0x0E, 142, 1, "oiw" }, /* 136 */
- { 0x03, 0, 1, "secsig" }, /* 137 */
- { 0x02, 0, 1, "algorithms" }, /* 138 */
- { 0x07, 140, 0, "des-cbc" }, /* 139 */
- { 0x1A, 141, 0, "sha-1" }, /* 140 */
- { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 141 */
- { 0x24, 0, 1, "TeleTrusT" }, /* 142 */
- { 0x03, 0, 1, "algorithm" }, /* 143 */
- { 0x03, 0, 1, "signatureAlgorithm" }, /* 144 */
- { 0x01, 0, 1, "rsaSignature" }, /* 145 */
- { 0x02, 147, 0, "rsaSigWithripemd160" }, /* 146 */
- { 0x03, 148, 0, "rsaSigWithripemd128" }, /* 147 */
- { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 148 */
- {0x60, 0, 1, "" }, /* 149 */
- { 0x86, 0, 1, "" }, /* 150 */
- { 0x48, 0, 1, "" }, /* 151 */
- { 0x01, 0, 1, "organization" }, /* 152 */
- { 0x65, 160, 1, "gov" }, /* 153 */
- { 0x03, 0, 1, "csor" }, /* 154 */
- { 0x04, 0, 1, "nistalgorithm" }, /* 155 */
- { 0x02, 0, 1, "hashalgs" }, /* 156 */
- { 0x01, 158, 0, "id-SHA-256" }, /* 157 */
- { 0x02, 159, 0, "id-SHA-384" }, /* 158 */
- { 0x03, 0, 0, "id-SHA-512" }, /* 159 */
- { 0x86, 0, 1, "" }, /* 160 */
- { 0xf8, 0, 1, "" }, /* 161 */
- { 0x42, 174, 1, "netscape" }, /* 162 */
- { 0x01, 169, 1, "" }, /* 163 */
- { 0x01, 165, 0, "nsCertType" }, /* 164 */
- { 0x03, 166, 0, "nsRevocationUrl" }, /* 165 */
- { 0x04, 167, 0, "nsCaRevocationUrl" }, /* 166 */
- { 0x08, 168, 0, "nsCaPolicyUrl" }, /* 167 */
- { 0x0d, 0, 0, "nsComment" }, /* 168 */
- { 0x03, 172, 1, "directory" }, /* 169 */
- { 0x01, 0, 1, "" }, /* 170 */
- { 0x03, 0, 0, "employeeNumber" }, /* 171 */
- { 0x04, 0, 1, "policy" }, /* 172 */
- { 0x01, 0, 0, "nsSGC" }, /* 173 */
- { 0x45, 0, 1, "verisign" }, /* 174 */
- { 0x01, 0, 1, "pki" }, /* 175 */
- { 0x09, 0, 1, "attributes" }, /* 176 */
- { 0x02, 178, 0, "messageType" }, /* 177 */
- { 0x03, 179, 0, "pkiStatus" }, /* 178 */
- { 0x04, 180, 0, "failInfo" }, /* 179 */
- { 0x05, 181, 0, "senderNonce" }, /* 180 */
- { 0x06, 182, 0, "recipientNonce" }, /* 181 */
- { 0x07, 183, 0, "transID" }, /* 182 */
- { 0x08, 0, 0, "extensionReq" } /* 183 */
+ { 0x14, 45, 0, "crlNumber" }, /* 44 */
+ { 0x15, 46, 0, "reasonCode" }, /* 45 */
+ { 0x1F, 47, 0, "crlDistributionPoints" }, /* 46 */
+ { 0x20, 48, 0, "certificatePolicies" }, /* 47 */
+ { 0x23, 49, 0, "authorityKeyIdentifier" }, /* 48 */
+ { 0x25, 50, 0, "extendedKeyUsage" }, /* 49 */
+ { 0x37, 51, 0, "targetInformation" }, /* 50 */
+ { 0x38, 0, 0, "noRevAvail" }, /* 51 */
+ {0x2A, 89, 1, "" }, /* 52 */
+ { 0x86, 0, 1, "" }, /* 53 */
+ { 0x48, 0, 1, "" }, /* 54 */
+ { 0x86, 0, 1, "" }, /* 55 */
+ { 0xF7, 0, 1, "" }, /* 56 */
+ { 0x0D, 0, 1, "RSADSI" }, /* 57 */
+ { 0x01, 84, 1, "PKCS" }, /* 58 */
+ { 0x01, 67, 1, "PKCS-1" }, /* 59 */
+ { 0x01, 61, 0, "rsaEncryption" }, /* 60 */
+ { 0x02, 62, 0, "md2WithRSAEncryption" }, /* 61 */
+ { 0x04, 63, 0, "md5WithRSAEncryption" }, /* 62 */
+ { 0x05, 64, 0, "sha-1WithRSAEncryption" }, /* 63 */
+ { 0x0B, 65, 0, "sha256WithRSAEncryption"}, /* 64 */
+ { 0x0C, 66, 0, "sha384WithRSAEncryption"}, /* 65 */
+ { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 66 */
+ { 0x07, 74, 1, "PKCS-7" }, /* 67 */
+ { 0x01, 69, 0, "data" }, /* 68 */
+ { 0x02, 70, 0, "signedData" }, /* 69 */
+ { 0x03, 71, 0, "envelopedData" }, /* 70 */
+ { 0x04, 72, 0, "signedAndEnvelopedData" }, /* 71 */
+ { 0x05, 73, 0, "digestedData" }, /* 72 */
+ { 0x06, 0, 0, "encryptedData" }, /* 73 */
+ { 0x09, 0, 1, "PKCS-9" }, /* 74 */
+ { 0x01, 76, 0, "E" }, /* 75 */
+ { 0x02, 77, 0, "unstructuredName" }, /* 76 */
+ { 0x03, 78, 0, "contentType" }, /* 77 */
+ { 0x04, 79, 0, "messageDigest" }, /* 78 */
+ { 0x05, 80, 0, "signingTime" }, /* 79 */
+ { 0x06, 81, 0, "counterSignature" }, /* 80 */
+ { 0x07, 82, 0, "challengePassword" }, /* 81 */
+ { 0x08, 83, 0, "unstructuredAddress" }, /* 82 */
+ { 0x0E, 0, 0, "extensionRequest" }, /* 83 */
+ { 0x02, 87, 1, "digestAlgorithm" }, /* 84 */
+ { 0x02, 86, 0, "md2" }, /* 85 */
+ { 0x05, 0, 0, "md5" }, /* 86 */
+ { 0x03, 0, 1, "encryptionAlgorithm" }, /* 87 */
+ { 0x07, 0, 0, "3des-ede-cbc" }, /* 88 */
+ {0x2B, 150, 1, "" }, /* 89 */
+ { 0x06, 137, 1, "dod" }, /* 90 */
+ { 0x01, 0, 1, "internet" }, /* 91 */
+ { 0x04, 106, 1, "private" }, /* 92 */
+ { 0x01, 0, 1, "enterprise" }, /* 93 */
+ { 0x82, 99, 1, "" }, /* 94 */
+ { 0x37, 0, 1, "Microsoft" }, /* 95 */
+ { 0x0A, 0, 1, "" }, /* 96 */
+ { 0x03, 0, 1, "" }, /* 97 */
+ { 0x03, 0, 0, "msSGC" }, /* 98 */
+ { 0x89, 0, 1, "" }, /* 99 */
+ { 0x31, 0, 1, "" }, /* 100 */
+ { 0x01, 0, 1, "" }, /* 101 */
+ { 0x01, 0, 1, "" }, /* 102 */
+ { 0x02, 0, 1, "" }, /* 103 */
+ { 0x02, 105, 0, "" }, /* 104 */
+ { 0x4B, 0, 0, "TCGID" }, /* 105 */
+ { 0x05, 0, 1, "security" }, /* 106 */
+ { 0x05, 0, 1, "mechanisms" }, /* 107 */
+ { 0x07, 0, 1, "id-pkix" }, /* 108 */
+ { 0x01, 111, 1, "id-pe" }, /* 109 */
+ { 0x01, 0, 0, "authorityInfoAccess" }, /* 110 */
+ { 0x03, 121, 1, "id-kp" }, /* 111 */
+ { 0x01, 113, 0, "serverAuth" }, /* 112 */
+ { 0x02, 114, 0, "clientAuth" }, /* 113 */
+ { 0x03, 115, 0, "codeSigning" }, /* 114 */
+ { 0x04, 116, 0, "emailProtection" }, /* 115 */
+ { 0x05, 117, 0, "ipsecEndSystem" }, /* 116 */
+ { 0x06, 118, 0, "ipsecTunnel" }, /* 117 */
+ { 0x07, 119, 0, "ipsecUser" }, /* 118 */
+ { 0x08, 120, 0, "timeStamping" }, /* 119 */
+ { 0x09, 0, 0, "ocspSigning" }, /* 120 */
+ { 0x08, 123, 1, "id-otherNames" }, /* 121 */
+ { 0x05, 0, 0, "xmppAddr" }, /* 122 */
+ { 0x0A, 128, 1, "id-aca" }, /* 123 */
+ { 0x01, 125, 0, "authenticationInfo" }, /* 124 */
+ { 0x02, 126, 0, "accessIdentity" }, /* 125 */
+ { 0x03, 127, 0, "chargingIdentity" }, /* 126 */
+ { 0x04, 0, 0, "group" }, /* 127 */
+ { 0x30, 0, 1, "id-ad" }, /* 128 */
+ { 0x01, 0, 1, "ocsp" }, /* 129 */
+ { 0x01, 131, 0, "basic" }, /* 130 */
+ { 0x02, 132, 0, "nonce" }, /* 131 */
+ { 0x03, 133, 0, "crl" }, /* 132 */
+ { 0x04, 134, 0, "response" }, /* 133 */
+ { 0x05, 135, 0, "noCheck" }, /* 134 */
+ { 0x06, 136, 0, "archiveCutoff" }, /* 135 */
+ { 0x07, 0, 0, "serviceLocator" }, /* 136 */
+ { 0x0E, 143, 1, "oiw" }, /* 137 */
+ { 0x03, 0, 1, "secsig" }, /* 138 */
+ { 0x02, 0, 1, "algorithms" }, /* 139 */
+ { 0x07, 141, 0, "des-cbc" }, /* 140 */
+ { 0x1A, 142, 0, "sha-1" }, /* 141 */
+ { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 142 */
+ { 0x24, 0, 1, "TeleTrusT" }, /* 143 */
+ { 0x03, 0, 1, "algorithm" }, /* 144 */
+ { 0x03, 0, 1, "signatureAlgorithm" }, /* 145 */
+ { 0x01, 0, 1, "rsaSignature" }, /* 146 */
+ { 0x02, 148, 0, "rsaSigWithripemd160" }, /* 147 */
+ { 0x03, 149, 0, "rsaSigWithripemd128" }, /* 148 */
+ { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 149 */
+ {0x60, 0, 1, "" }, /* 150 */
+ { 0x86, 0, 1, "" }, /* 151 */
+ { 0x48, 0, 1, "" }, /* 152 */
+ { 0x01, 0, 1, "organization" }, /* 153 */
+ { 0x65, 161, 1, "gov" }, /* 154 */
+ { 0x03, 0, 1, "csor" }, /* 155 */
+ { 0x04, 0, 1, "nistalgorithm" }, /* 156 */
+ { 0x02, 0, 1, "hashalgs" }, /* 157 */
+ { 0x01, 159, 0, "id-SHA-256" }, /* 158 */
+ { 0x02, 160, 0, "id-SHA-384" }, /* 159 */
+ { 0x03, 0, 0, "id-SHA-512" }, /* 160 */
+ { 0x86, 0, 1, "" }, /* 161 */
+ { 0xf8, 0, 1, "" }, /* 162 */
+ { 0x42, 175, 1, "netscape" }, /* 163 */
+ { 0x01, 170, 1, "" }, /* 164 */
+ { 0x01, 166, 0, "nsCertType" }, /* 165 */
+ { 0x03, 167, 0, "nsRevocationUrl" }, /* 166 */
+ { 0x04, 168, 0, "nsCaRevocationUrl" }, /* 167 */
+ { 0x08, 169, 0, "nsCaPolicyUrl" }, /* 168 */
+ { 0x0d, 0, 0, "nsComment" }, /* 169 */
+ { 0x03, 173, 1, "directory" }, /* 170 */
+ { 0x01, 0, 1, "" }, /* 171 */
+ { 0x03, 0, 0, "employeeNumber" }, /* 172 */
+ { 0x04, 0, 1, "policy" }, /* 173 */
+ { 0x01, 0, 0, "nsSGC" }, /* 174 */
+ { 0x45, 0, 1, "verisign" }, /* 175 */
+ { 0x01, 0, 1, "pki" }, /* 176 */
+ { 0x09, 0, 1, "attributes" }, /* 177 */
+ { 0x02, 179, 0, "messageType" }, /* 178 */
+ { 0x03, 180, 0, "pkiStatus" }, /* 179 */
+ { 0x04, 181, 0, "failInfo" }, /* 180 */
+ { 0x05, 182, 0, "senderNonce" }, /* 181 */
+ { 0x06, 183, 0, "recipientNonce" }, /* 182 */
+ { 0x07, 184, 0, "transID" }, /* 183 */
+ { 0x08, 0, 0, "extensionReq" } /* 184 */
 };
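Review bot: Every entry from index 44 onward is renumbered by hand in this hunk, and nothing in the table enforces that the `next` links and the OID_* constants in oid.h keep pointing at the right rows; I cross-checked the visible chains (52→89→150, 58→84→87, 59→67→74, 90→137→143, 111→121→123→128, 163→175, 164→170→173) and the oid.h values in this commit, and they agree, but the next insertion has the same risk. A header comment on the table, `/* row indices are referenced by the 'next' field and by the OID_* constants in oid.h; both must be renumbered when a row is inserted */`, would at least warn the next editor. Since oid.txt in this commit mirrors the table row for row, it would also be worth a small check that known_oid() of a few well-known encodings (e.g. sha256WithRSAEncryption, authorityKeyIdentifier) still returns the expected constant, so that a skew shows up in a test rather than as a silently different OID match. Any code that compares known_oid() results against numeric literals rather than the macros now matches a neighbouring OID.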
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index f85997159..49260c9f4 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -22,59 +22,63 @@ extern const oid_t oid_names[];
 #define OID_SUBJECT_KEY_ID 38
 #define OID_SUBJECT_ALT_NAME 41
 #define OID_BASIC_CONSTRAINTS 43
-#define OID_CRL_REASON_CODE 44
-#define OID_CRL_DISTRIBUTION_POINTS 45
-#define OID_AUTHORITY_KEY_ID 47
-#define OID_EXTENDED_KEY_USAGE 48
-#define OID_TARGET_INFORMATION 49
-#define OID_NO_REV_AVAIL 50
-#define OID_RSA_ENCRYPTION 59
-#define OID_MD2_WITH_RSA 60
-#define OID_MD5_WITH_RSA 61
-#define OID_SHA1_WITH_RSA 62
-#define OID_SHA256_WITH_RSA 63
-#define OID_SHA384_WITH_RSA 64
-#define OID_SHA512_WITH_RSA 65
-#define OID_PKCS7_DATA 67
-#define OID_PKCS7_SIGNED_DATA 68
-#define OID_PKCS7_ENVELOPED_DATA 69
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA 70
-#define OID_PKCS7_DIGESTED_DATA 71
-#define OID_PKCS7_ENCRYPTED_DATA 72
-#define OID_PKCS9_EMAIL 74
-#define OID_PKCS9_CONTENT_TYPE 76
-#define OID_PKCS9_MESSAGE_DIGEST 77
-#define OID_PKCS9_SIGNING_TIME 78
-#define OID_MD2 84
-#define OID_MD5 85
-#define OID_3DES_EDE_CBC 87
-#define OID_AUTHORITY_INFO_ACCESS 109
-#define OID_OCSP_SIGNING 119
-#define OID_XMPP_ADDR 121
-#define OID_AUTHENTICATION_INFO 123
-#define OID_ACCESS_IDENTITY 124
-#define OID_CHARGING_IDENTITY 125
-#define OID_GROUP 126
-#define OID_OCSP 128
-#define OID_BASIC 129
-#define OID_NONCE 130
-#define OID_CRL 131
-#define OID_RESPONSE 132
-#define OID_NO_CHECK 133
-#define OID_ARCHIVE_CUTOFF 134
-#define OID_SERVICE_LOCATOR 135
-#define OID_DES_CBC 139
-#define OID_SHA1 140
-#define OID_SHA1_WITH_RSA_OIW 141
-#define OID_NS_REVOCATION_URL 165
-#define OID_NS_CA_REVOCATION_URL 166
-#define OID_NS_CA_POLICY_URL 167
-#define OID_NS_COMMENT 168
-#define OID_PKI_MESSAGE_TYPE 177
-#define OID_PKI_STATUS 178
-#define OID_PKI_FAIL_INFO 179
-#define OID_PKI_SENDER_NONCE 180
-#define OID_PKI_RECIPIENT_NONCE 181
-#define OID_PKI_TRANS_ID 182
+#define OID_CRL_NUMBER 44
+#define OID_CRL_REASON_CODE 45
+#define OID_CRL_DISTRIBUTION_POINTS 46
+#define OID_AUTHORITY_KEY_ID 48
+#define OID_EXTENDED_KEY_USAGE 49
+#define OID_TARGET_INFORMATION 50
+#define OID_NO_REV_AVAIL 51
+#define OID_RSA_ENCRYPTION 60
+#define OID_MD2_WITH_RSA 61
+#define OID_MD5_WITH_RSA 62
+#define OID_SHA1_WITH_RSA 63
+#define OID_SHA256_WITH_RSA 64
+#define OID_SHA384_WITH_RSA 65
+#define OID_SHA512_WITH_RSA 66
+#define OID_PKCS7_DATA 68
+#define OID_PKCS7_SIGNED_DATA 69
+#define OID_PKCS7_ENVELOPED_DATA 70
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 71
+#define OID_PKCS7_DIGESTED_DATA 72
+#define OID_PKCS7_ENCRYPTED_DATA 73
+#define OID_PKCS9_EMAIL 75
+#define OID_PKCS9_CONTENT_TYPE 77
+#define OID_PKCS9_MESSAGE_DIGEST 78
+#define OID_PKCS9_SIGNING_TIME 79
+#define OID_MD2 85
+#define OID_MD5 86
+#define OID_3DES_EDE_CBC 88
+#define OID_AUTHORITY_INFO_ACCESS 110
+#define OID_OCSP_SIGNING 120
+#define OID_XMPP_ADDR 122
+#define OID_AUTHENTICATION_INFO 124
+#define OID_ACCESS_IDENTITY 125
+#define OID_CHARGING_IDENTITY 126
+#define OID_GROUP 127
+#define OID_OCSP 129
+#define OID_BASIC 130
+#define OID_NONCE 131
+#define OID_CRL 132
+#define OID_RESPONSE 133
+#define OID_NO_CHECK 134
+#define OID_ARCHIVE_CUTOFF 135
+#define OID_SERVICE_LOCATOR 136
+#define OID_DES_CBC 140
+#define OID_SHA1 141
+#define OID_SHA1_WITH_RSA_OIW 142
+#define OID_SHA256 158
+#define OID_SHA384 159
+#define OID_SHA512 160
+#define OID_NS_REVOCATION_URL 166
+#define OID_NS_CA_REVOCATION_URL 167
+#define OID_NS_CA_POLICY_URL 168
+#define OID_NS_COMMENT 169
+#define OID_PKI_MESSAGE_TYPE 178
+#define OID_PKI_STATUS 179
+#define OID_PKI_FAIL_INFO 180
+#define OID_PKI_SENDER_NONCE 181
+#define OID_PKI_RECIPIENT_NONCE 182
+#define OID_PKI_TRANS_ID 183
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index eed46d59d..2b3c96ae3 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
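Review bot: The new ac.c in this commit switches on OID_ROLE in parse_certificate (next to OID_CHARGING_IDENTITY and OID_GROUP), but this hunk defines no such constant and the visible rows of oid_names have no "role" entry; unless it is defined in a part of oid.h outside the hunk, ac.c will not compile, so confirm that the definition exists and that its value matches the renumbered table. These defines are positional indices into oid_names[] in oid.c, which is why inserting one row shifted more than fifty of them, yet the header never says so; a comment above the block, `/* values are row indices into oid_names[] in oid.c; regenerate or renumber when the table changes */`, would explain the churn to the next reader and discourage use of numeric literals in callers.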
@@ -42,6 +42,7 @@ 0x11 "subjectAltName" OID_SUBJECT_ALT_NAME 0x12 "issuerAltName" 0x13 "basicConstraints" OID_BASIC_CONSTRAINTS + 0x14 "crlNumber" OID_CRL_NUMBER 0x15 "reasonCode" OID_CRL_REASON_CODE 0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS 0x20 "certificatePolicies" @@ -155,9 +156,9 @@ 0x03 "csor" 0x04 "nistalgorithm" 0x02 "hashalgs" - 0x01 "id-SHA-256" - 0x02 "id-SHA-384" - 0x03 "id-SHA-512" + 0x01 "id-SHA-256" OID_SHA256 + 0x02 "id-SHA-384" OID_SHA384 + 0x03 "id-SHA-512" OID_SHA512 0x86 "" 0xf8 "" 0x42 "netscape" diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c index cba823c22..d70e1723f 100644 --- a/src/libstrongswan/chunk.c +++ b/src/libstrongswan/chunk.c @@ -22,6 +22,7 @@ */ #include +#include #include "chunk.h" diff --git a/src/libstrongswan/credential_store.h b/src/libstrongswan/credential_store.h index 5d51981ec..dcbe43f52 100755 --- a/src/libstrongswan/credential_store.h +++ b/src/libstrongswan/credential_store.h @@ -87,15 +87,6 @@ struct credential_store_t { */ rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id); - /** - * @brief Returns the RSA public key of a specific ID if is trusted - * - * @param this calling object - * @param id identification_t object identifiying the key. - * @return public key, or NULL if not found or not trusted - */ - rsa_public_key_t* (*get_trusted_public_key) (credential_store_t *this, identification_t *id); - /** * @brief Returns the RSA private key belonging to an RSA public key * 
@@ -151,16 +142,29 @@ struct credential_store_t { * @param cert certificate for which issuer ca info is required * @return ca info, or NULL if not found */ - ca_info_t* (*get_issuer) (credential_store_t *this, const x509_t* cert); + ca_info_t* (*get_issuer) (credential_store_t *this, x509_t* cert); + /** + * @brief Verify an RSA signature given the ID of the signer + * + * @param this calling object + * @param hash hash value to be verified. + * @param sig signature to be verified. + * @param id identification_t object identifiying the signer. + * @param issuer_p issuer of the signer's certificate (if not self-signed). + * @return status of the verification - SUCCESS if successful + */ + status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id, ca_info_t **issuer_p); + /** * @brief Verify an X.509 certificate up to trust anchor without any status checks * * @param this calling object + * @param label label characterizing the certificate to be verified * @param cert certificate to be verified * @return TRUE if trusted */ - bool (*is_trusted) (credential_store_t *this, x509_t *cert); + bool (*is_trusted) (credential_store_t *this, const char *label, x509_t *cert); /** * @brief Verify an X.509 certificate up to trust anchor including status checks @@ -196,8 +200,9 @@ struct credential_store_t { * * @param this calling object * @param ca_info ca info record to be added + * @return pointer to the added or already existing ca_info_t record */ - void (*add_ca_info) (credential_store_t *this, ca_info_t *ca_info); + ca_info_t* (*add_ca_info) (credential_store_t *this, ca_info_t *ca_info); /** * @brief Release a ca info record with a given name. 
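Review bot: The new `@return pointer to the added or already existing ca_info_t record` on add_ca_info leaves ownership undefined in the "already existing" case: it does not say whether the ca_info passed in is released by the store, remains the caller's to destroy, or must not be touched after the call, and either wrong guess yields a double free or a leak. The comment should state what the implementation actually does, e.g. `@return the stored record; if an equivalent record already existed, the passed ca_info is released by the store and the existing record is returned`. The same applies to verify_signature's issuer_p, documented only as "issuer of the signer's certificate (if not self-signed)": say whether it is an output set only on SUCCESS, whether NULL may be passed, and who owns the ca_info_t it points to, since a caller that destroys a store-owned record corrupts the trust store. The enclosing struct credential_store_t starts and ends outside these hunks.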
@@ -243,6 +248,24 @@ struct credential_store_t { */ void (*load_ca_certificates) (credential_store_t *this); + /** + * @brief Loads authorization authority certificates from a default directory. + * + * Certificates in both DER and PEM format are accepted + * + * @param this calling object + */ + void (*load_aa_certificates) (credential_store_t *this); + + /** + * @brief Loads attribute certificates from a default directory. + * + * Certificates in both DER and PEM format are accepted + * + * @param this calling object + */ + void (*load_attr_certificates) (credential_store_t *this); + /** * @brief Loads ocsp certificates from a default directory. * diff --git a/src/libstrongswan/crypto/ac.c b/src/libstrongswan/crypto/ac.c new file mode 100644 index 000000000..47605e9e1 --- /dev/null +++ b/src/libstrongswan/crypto/ac.c 
@@ -0,0 +1,665 @@ +/** + * @file ac.c + * + * @brief Implementation of x509ac_t. + * + */ + +/* + * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler + * Copyright (C) 2003 Martin Berner, Lukas Suter + * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +#include +#include +#include + +#include "ac.h" + +typedef struct private_x509ac_t private_x509ac_t; + +/** + * Private data of a x509ac_t object. + */ +struct private_x509ac_t { + /** + * Public interface for this attribute certificate. 
+ */ + x509ac_t public; + + /** + * Time when attribute certificate was installed + */ + time_t installed; + + /** + * X.509 attribute certificate in DER format + */ + chunk_t certificate; + + /** + * X.509 attribute certificate body over which signature is computed + */ + chunk_t certificateInfo; + + /** + * Version of the X.509 attribute certificate + */ + u_int version; + + /** + * Serial number of the X.509 attribute certificate + */ + chunk_t serialNumber; + + /** + * ID representing the issuer of the holder certificate + */ + identification_t *holderIssuer; + + /** + * Serial number of the holder certificate + */ + chunk_t holderSerial; + + /** + * ID representing the holder + */ + identification_t *entityName; + + /** + * ID representing the attribute certificate issuer + */ + identification_t *issuerName; + + /** + * Signature algorithm + */ + int sigAlg; + + /** + * Start time of certificate validity + */ + time_t notBefore; + + /** + * End time of certificate validity + */ + time_t notAfter; + + /** + * List of charging attributes + */ + linked_list_t *charging; + + /** + * List of groub attributes + */ + linked_list_t *groups; + + /** + * Authority Key Identifier + */ + chunk_t authKeyID; + + /** + * Authority Key Serial Number + */ + chunk_t authKeySerialNumber; + + /** + * No revocation information available + */ + bool noRevAvail; + + /** + * Signature algorithm (must be identical to sigAlg) + */ + int algorithm; + + /** + * Signature + */ + chunk_t signature; +}; + +/** + * definition of ietfAttribute kinds + */ +typedef enum { + IETF_ATTRIBUTE_OCTETS = 0, + IETF_ATTRIBUTE_OID = 1, + IETF_ATTRIBUTE_STRING = 2 +} ietfAttribute_t; + +/** + * access structure for an ietfAttribute + */ +typedef struct ietfAttr_t ietfAttr_t; + +struct ietfAttr_t { + /** + * IETF attribute kind + */ + ietfAttribute_t kind; + + /** + * IETF attribute valuse + */ + chunk_t value; + + /** + * Destroys the ietfAttr_t object. 
+ * + * @param this ietfAttr_t to destroy + */ + void (*destroy) (ietfAttr_t *this); +}; + +/** + * Destroys an ietfAttr_t object + */ +static void ietfAttr_destroy(ietfAttr_t *this) +{ + free(this->value.ptr); + free(this); +} + +/** + * Creates an ietfAttr_t object. + */ +ietfAttr_t *ietfAttr_create(ietfAttribute_t kind, chunk_t value) +{ + ietfAttr_t *this = malloc_thing(ietfAttr_t); + + /* initialize */ + this->kind = kind; + this->value = chunk_clone(value); + + /* function */ + this->destroy = ietfAttr_destroy; + + return this; +} + +/** + * ASN.1 definition of ietfAttrSyntax + */ +static const asn1Object_t ietfAttrSyntaxObjects[] = +{ + { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT | + ASN1_BODY }, /* 1 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */ + { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */ + { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT | + ASN1_BODY }, /* 4 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */ + { 2, "oid", ASN1_OID, ASN1_OPT | + ASN1_BODY }, /* 6 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ + { 2, "string", ASN1_UTF8STRING, ASN1_OPT | + ASN1_BODY }, /* 8 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */ + { 1, "end loop", ASN1_EOC, ASN1_END } /* 10 */ +}; + +#define IETF_ATTR_OCTETS 4 +#define IETF_ATTR_OID 6 +#define IETF_ATTR_STRING 8 +#define IETF_ATTR_ROOF 11 + +/** + * ASN.1 definition of roleSyntax + */ +static const asn1Object_t roleSyntaxObjects[] = +{ + { 0, "roleSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "roleAuthority", ASN1_CONTEXT_C_0, ASN1_OPT | + ASN1_OBJ }, /* 1 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */ + { 1, "roleName", ASN1_CONTEXT_C_1, ASN1_OBJ } /* 3 */ +}; + +#define ROLE_ROOF 4 + +/** + * ASN.1 definition of an X509 attribute certificate + */ +static const asn1Object_t acObjects[] = +{ + { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ + { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ 
}, /* 1 */ + { 2, "version", ASN1_INTEGER, ASN1_DEF | + ASN1_BODY }, /* 2 */ + { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */ + { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */ + { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */ + { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */ + { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT | + ASN1_BODY }, /* 7 */ + { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ + { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT | + ASN1_OBJ }, /* 10 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ + { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */ + { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13*/ + { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT | + ASN1_BODY }, /* 14 */ + { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15*/ + { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */ + { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */ + { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT | + ASN1_OBJ }, /* 19 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */ + { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */ + { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */ + { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */ + { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */ + { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT | + ASN1_BODY }, /* 25 */ + { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */ + { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */ + { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */ + { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */ + { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT | + ASN1_BODY }, /* 31 */ + { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */ + { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */ + { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */ + { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */ + 
{ 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */ + { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */ + { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */ + { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */ + { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */ + { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */ + { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */ + { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */ + { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */ + { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */ + { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */ + { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */ + { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */ + { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 49 */ + { 4, "critical", ASN1_BOOLEAN, ASN1_DEF | + ASN1_BODY }, /* 50 */ + { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 51 */ + { 2, "end loop", ASN1_EOC, ASN1_END }, /* 52 */ + { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 53 */ + { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 54 */ +}; + +#define AC_OBJ_CERTIFICATE 0 +#define AC_OBJ_CERTIFICATE_INFO 1 +#define AC_OBJ_VERSION 2 +#define AC_OBJ_HOLDER_ISSUER 5 +#define AC_OBJ_HOLDER_SERIAL 6 +#define AC_OBJ_ENTITY_NAME 10 +#define AC_OBJ_ISSUER_NAME 19 +#define AC_OBJ_ISSUER 23 +#define AC_OBJ_SIG_ALG 35 +#define AC_OBJ_SERIAL_NUMBER 36 +#define AC_OBJ_NOT_BEFORE 38 +#define AC_OBJ_NOT_AFTER 39 +#define AC_OBJ_ATTRIBUTE_TYPE 42 +#define AC_OBJ_ATTRIBUTE_VALUE 44 +#define AC_OBJ_EXTN_ID 49 +#define AC_OBJ_CRITICAL 50 +#define AC_OBJ_EXTN_VALUE 51 +#define AC_OBJ_ALGORITHM 53 +#define AC_OBJ_SIGNATURE 54 +#define AC_OBJ_ROOF 55 + +/** + * Implements x509ac_t.is_valid + */ +static err_t is_valid(const private_x509ac_t *this, time_t *until) +{ + time_t current_time = time(NULL); + + DBG2(" not before : %T", &this->notBefore); + DBG2(" current time: %T", ¤t_time); + DBG2(" not after : %T", &this->notAfter); + + if (until != NULL && + 
(*until == UNDEFINED_TIME || this->notAfter < *until)) + { + *until = this->notAfter; + } + if (current_time < this->notBefore) + { + return "is not valid yet"; + } + if (current_time > this->notAfter) + { + return "has expired"; + } + DBG2(" attribute certificate is valid"); + return NULL; +} + +/** + * parses a directoryName + */ +static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name) +{ + bool has_directoryName; + linked_list_t *list = linked_list_create(); + + parse_generalNames(blob, level, implicit, list); + has_directoryName = list->get_count(list) > 0; + + if (has_directoryName) + { + iterator_t *iterator = list->create_iterator(list, TRUE); + identification_t *directoryName; + bool first = TRUE; + + while (iterator->iterate(iterator, (void**)&directoryName)) + { + if (first) + { + *name = directoryName; + first = FALSE; + } + else + { + DBG1("more than one directory name - first selected"); + directoryName->destroy(directoryName); + } + } + iterator->destroy(iterator); + } + else + { + DBG1("no directoryName found"); + } + + list->destroy(list); + return has_directoryName; +} + +/** + * parses ietfAttrSyntax + */ +static void parse_ietfAttrSyntax(chunk_t blob, int level0, linked_list_t *list) +{ + asn1_ctx_t ctx; + chunk_t object; + u_int level; + int objectID = 0; + + asn1_init(&ctx, blob, level0, FALSE, FALSE); + + while (objectID < IETF_ATTR_ROOF) + { + if (!extract_object(ietfAttrSyntaxObjects, &objectID, &object, &level, &ctx)) + { + return; + } + + switch (objectID) + { + case IETF_ATTR_OCTETS: + case IETF_ATTR_OID: + case IETF_ATTR_STRING: + { + ietfAttribute_t kind = (objectID - IETF_ATTR_OCTETS) / 2; + ietfAttr_t *attr = ietfAttr_create(kind, object); + list->insert_last(list, (void *)attr); + } + break; + default: + break; + } + objectID++; + } +} + +/** + * parses roleSyntax + */ +static void parse_roleSyntax(chunk_t blob, int level0) +{ + asn1_ctx_t ctx; + chunk_t object; + u_int level; + int objectID = 
0; + + asn1_init(&ctx, blob, level0, FALSE, FALSE); + while (objectID < ROLE_ROOF) + { + if (!extract_object(roleSyntaxObjects, &objectID, &object, &level, &ctx)) + { + return; + } + + switch (objectID) + { + default: + break; + } + objectID++; + } +} + +/** + * Parses an X.509 attribute certificate + */ +static bool parse_certificate(chunk_t blob, private_x509ac_t *this) +{ + asn1_ctx_t ctx; + bool critical; + chunk_t object; + u_int level; + u_int type = OID_UNKNOWN; + u_int extn_oid = OID_UNKNOWN; + int objectID = 0; + + asn1_init(&ctx, blob, 0, FALSE, FALSE); + while (objectID < AC_OBJ_ROOF) + { + if (!extract_object(acObjects, &objectID, &object, &level, &ctx)) + { + return FALSE; + } + + /* those objects which will parsed further need the next higher level */ + level++; + + switch (objectID) + { + case AC_OBJ_CERTIFICATE: + this->certificate = object; + break; + case AC_OBJ_CERTIFICATE_INFO: + this->certificateInfo = object; + break; + case AC_OBJ_VERSION: + this->version = (object.len) ? 
(1 + (u_int)*object.ptr) : 1; + DBG2(" v%d", this->version); + if (this->version != 2) + { + DBG1("v%d attribute certificates are not supported", this->version); + return FALSE; + } + break; + case AC_OBJ_HOLDER_ISSUER: + if (!parse_directoryName(object, level, FALSE, &this->holderIssuer)) + { + return FALSE; + } + break; + case AC_OBJ_HOLDER_SERIAL: + this->holderSerial = object; + break; + case AC_OBJ_ENTITY_NAME: + if (!parse_directoryName(object, level, TRUE, &this->entityName)) + { + return FALSE; + } + break; + case AC_OBJ_ISSUER_NAME: + if (!parse_directoryName(object, level, FALSE, &this->issuerName)) + { + return FALSE; + } + break; + case AC_OBJ_SIG_ALG: + this->sigAlg = parse_algorithmIdentifier(object, level, NULL); + break; + case AC_OBJ_SERIAL_NUMBER: + this->serialNumber = object; + break; + case AC_OBJ_NOT_BEFORE: + this->notBefore = asn1totime(&object, ASN1_GENERALIZEDTIME); + break; + case AC_OBJ_NOT_AFTER: + this->notAfter = asn1totime(&object, ASN1_GENERALIZEDTIME); + break; + case AC_OBJ_ATTRIBUTE_TYPE: + type = known_oid(object); + break; + case AC_OBJ_ATTRIBUTE_VALUE: + { + switch (type) + { + case OID_AUTHENTICATION_INFO: + DBG2(" need to parse authenticationInfo"); + break; + case OID_ACCESS_IDENTITY: + DBG2(" need to parse accessIdentity"); + break; + case OID_CHARGING_IDENTITY: + parse_ietfAttrSyntax(object, level, this->charging); + break; + case OID_GROUP: + parse_ietfAttrSyntax(object, level, this->groups); + break; + case OID_ROLE: + parse_roleSyntax(object, level); + break; + default: + break; + } + } + break; + case AC_OBJ_EXTN_ID: + extn_oid = known_oid(object); + break; + case AC_OBJ_CRITICAL: + critical = object.len && *object.ptr; + DBG2(" %s",(critical)?"TRUE":"FALSE"); + break; + case AC_OBJ_EXTN_VALUE: + { + switch (extn_oid) + { + case OID_CRL_DISTRIBUTION_POINTS: + DBG2(" need to parse crlDistributionPoints"); + break; + case OID_AUTHORITY_KEY_ID: + parse_authorityKeyIdentifier(object, level, + &this->authKeyID, 
&this->authKeySerialNumber); + break; + case OID_TARGET_INFORMATION: + DBG2(" need to parse targetInformation"); + break; + case OID_NO_REV_AVAIL: + this->noRevAvail = TRUE; + break; + default: + break; + } + } + break; + case AC_OBJ_ALGORITHM: + this->algorithm = parse_algorithmIdentifier(object, level, NULL); + break; + case AC_OBJ_SIGNATURE: + this->signature = object; + break; + default: + break; + } + objectID++; + } + this->installed = time(NULL); + return FALSE; +} + +/** + * Implements x509ac_t.destroy + */ +static void destroy(private_x509ac_t *this) +{ + DESTROY_IF(this->holderIssuer); + DESTROY_IF(this->entityName); + DESTROY_IF(this->issuerName); + this->charging->destroy_offset(this->charging, + offsetof(ietfAttr_t, destroy)); + this->groups->destroy_offset(this->groups, + offsetof(ietfAttr_t, destroy)); + free(this->certificate.ptr); + free(this); +} + +/** + * Described in header. + */ +x509ac_t *x509ac_create_from_chunk(chunk_t chunk) +{ + private_x509ac_t *this = malloc_thing(private_x509ac_t); + + /* initialize */ + this->holderIssuer = NULL; + this->entityName = NULL; + this->issuerName = NULL; + this->charging = linked_list_create(); + this->groups = linked_list_create(); + + /* public functions */ + this->public.is_valid = (err_t (*) (const x509ac_t*,time_t*))is_valid; + this->public.destroy = (void (*) (x509ac_t*))destroy; + + if (!parse_certificate(chunk, this)) + { + destroy(this); + return NULL; + } + return &this->public; +} + +/** + * Described in header. + */ +x509ac_t *x509ac_create_from_file(const char *filename) +{ + bool pgp = FALSE; + chunk_t chunk = chunk_empty; + + if (!pem_asn1_load_file(filename, NULL, "attribute certificate", &chunk, &pgp)) + { + return NULL; + } + return x509ac_create_from_chunk(chunk); +} + diff --git a/src/libstrongswan/crypto/ac.h b/src/libstrongswan/crypto/ac.h new file mode 100644 index 000000000..b7fd26c94 --- /dev/null +++ b/src/libstrongswan/crypto/ac.h 
@@ -0,0 +1,81 @@ +/** + * @file ac.h + * + * @brief Interface of x509ac_t. + * + */ + +/* + * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler + * Copyright (C) 2003 Martin Berner, Lukas Suter + * Copyright (C) 2007 Andreas Steffen + * + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef AC_H_ +#define AC_H_ + +typedef struct x509ac_t x509ac_t; + +/** + * @brief X.509 attribute certificate. + * + * @b Constructors: + * - x509ac_create_from_chunk() + * - x509ac_create_from_file() + * + * @ingroup crypto + */ +struct x509ac_t { + + /** + * @brief Checks the validity interval of the attribute certificate + * + * @param this certificate being examined + * @param until until = min(until, notAfter) + * @return NULL if the certificate is valid + */ + err_t (*is_valid) (const x509ac_t *this, time_t *until); + + /** + * @brief Destroys the attribute certificate. + * + * @param this certificate to destroy + */ + void (*destroy) (x509ac_t *this); +}; + +/** + * @brief Read a x509 attribute certificate from a DER encoded blob. + * + * @param chunk chunk containing DER encoded data + * @return created x509ac_t certificate, or NULL if invalid. + * + * @ingroup crypto + */ +x509ac_t *x509ac_create_from_chunk(chunk_t chunk); + +/** + * @brief Read a x509 attribute certificate from a DER encoded file. + * + * @param filename file containing DER encoded data + * @return created x509ac_t certificate, or NULL if invalid. 
+ * + * @ingroup crypto + */ +x509ac_t *x509ac_create_from_file(const char *filename); + + +#endif /* AC_H_ */ + diff --git a/src/libstrongswan/crypto/ca.c b/src/libstrongswan/crypto/ca.c index 1f566a098..07413e805 100644 --- a/src/libstrongswan/crypto/ca.c +++ b/src/libstrongswan/crypto/ca.c @@ -29,6 +29,7 @@ #include "x509.h" #include "crl.h" #include "ca.h" +#include "ac.h" #include "certinfo.h" #include "ocsp.h" @@ -64,6 +65,11 @@ struct private_ca_info_t { */ x509_t *cacert; + /** + * List of attribute certificates + */ + linked_list_t *attrcerts; + /** * List of crl URIs */ @@ -94,6 +100,7 @@ struct private_ca_info_t { /** * static options set by ca_info_set_options() */ +static strict_t strict_crl_policy = STRICT_NO; static bool cache_crls = FALSE; static u_int crl_check_interval = 0; @@ -150,6 +157,31 @@ static bool is_crl_issuer(private_ca_info_t *this, const crl_t *crl) return crl->is_issuer(crl, this->cacert); } +/** + * Implements ca_info_t.is_ca + */ +static bool is_ca(private_ca_info_t *this) +{ + return this->cacert->is_ca(this->cacert); +} + +/** + * Implements ca_info_t.is_strict + */ +static bool is_strict(private_ca_info_t *this) +{ + bool strict = strict_crl_policy != STRICT_NO; + + if (strict_crl_policy == STRICT_IFURI) + { + pthread_mutex_lock(&(this->mutex)); + strict = this->crluris->get_count(this->crluris) > 0 || + this->ocspuris->get_count(this->ocspuris) > 0; + pthread_mutex_unlock(&(this->mutex)); + } + return strict; +} + /** * Implements ca_info_t.has_crl */ @@ -213,11 +245,9 @@ static void add_crl(private_ca_info_t *this, crl_t *crl) */ static void list_crl(private_ca_info_t *this, FILE *out, bool utc) { - pthread_mutex_lock(&(this->mutex)); - - fprintf(out, "%#U\n", this->crl, utc); - - pthread_mutex_unlock(&(this->mutex)); + pthread_mutex_lock(&this->mutex); + this->crl->list(this->crl, out, utc); + pthread_mutex_unlock(&this->mutex); } /** 
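Review bot: The contract documented here for x509ac_create_from_chunk, "created x509ac_t certificate, or NULL if invalid", is not met by the implementation in this same patch: parse_certificate in ac.c ends with `this->installed = time(NULL); return FALSE;`, so the constructor always takes its `destroy(this); return NULL;` path and no attribute certificate can ever be loaded — the last statement must be `return TRUE;`. The header is also not self-contained: it uses err_t, chunk_t and time_t but contains no #include at all (ca.h in this diff does), so it compiles only after whichever header declares those types; include that header and <time.h> here. The docs should state ownership too, because destroy() does `free(this->certificate.ptr)`: say `@param chunk DER encoded data; ownership passes to the returned object and it is freed on failure as well`, and note that x509ac_create_from_chunk never initialises `certificate`, so a failure on the very first object frees an uninitialised pointer unless the constructor sets it to chunk_empty. Finally, "file containing DER encoded data" for x509ac_create_from_file is misleading since it loads via pem_asn1_load_file, which accepts PEM as well.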
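Review bot: list_crl now dereferences the CRL unconditionally via `this->crl->list(this->crl, out, utc)`, whereas the `%#U` printf handler it replaces returned "(null)" for a NULL argument, so a ca_info record without a CRL (has_crl() false) will now crash in list_crl instead of printing nothing. Guard it while holding the mutex: `if (this->crl) { this->crl->list(this->crl, out, utc); }` — or document in ca.h that callers must check has_crl() first. The same NULL guard is dropped from the crl_t and x509_t list implementations elsewhere in this patch, so every call site of those methods deserves the same check.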
@@ -225,26 +255,42 @@ static void list_crl(private_ca_info_t *this, FILE *out, bool utc) */ static void list_certinfos(private_ca_info_t *this, FILE *out, bool utc) { - pthread_mutex_lock(&(this->mutex)); + iterator_t *iterator; + certinfo_t *certinfo; + chunk_t authkey; + pthread_mutex_lock(&this->mutex); + + authkey = this->cacert->get_subjectKeyID(this->cacert); fprintf(out," authname: '%D'\n", this->cacert->get_subject(this->cacert)); - { - chunk_t authkey = this->cacert->get_subjectKeyID(this->cacert); + fprintf(out," authkey: %#B\n", &authkey); - fprintf(out," authkey: %#B\n", &authkey); - } + iterator = this->certinfos->create_iterator(this->certinfos, TRUE); + while (iterator->iterate(iterator, (void**)&certinfo)) { - iterator_t *iterator = this->certinfos->create_iterator(this->certinfos, TRUE); - certinfo_t *certinfo; - - while (iterator->iterate(iterator, (void**)&certinfo)) + time_t nextUpdate, thisUpdate, now; + chunk_t serial; + + now = time(NULL); + nextUpdate = certinfo->get_nextUpdate(certinfo); + thisUpdate = certinfo->get_thisUpdate(certinfo); + serial = certinfo->get_serialNumber(certinfo); + + fprintf(out, "%#T, until %#T, ", &thisUpdate, utc, &nextUpdate, utc); + if (now > nextUpdate) { - fprintf(out, "%#Y\n", certinfo, utc); + fprintf(out, "expired (%V ago)\n", &now, &nextUpdate); } - iterator->destroy(iterator); + else + { + fprintf(out, "ok (expires in %V)\n", &now, &nextUpdate); + } + fprintf(out, " serial: %#B, %N\n", &serial, + cert_status_names, certinfo->get_status(certinfo)); } + iterator->destroy(iterator); - pthread_mutex_unlock(&(this->mutex)); + pthread_mutex_unlock(&this->mutex); } /** @@ -644,6 +690,8 @@ static void purge_ocsp(private_ca_info_t *this) */ static void destroy(private_ca_info_t *this) { + this->attrcerts->destroy_offset(this->attrcerts, + offsetof(x509ac_t, destroy)); this->crluris->destroy_offset(this->crluris, offsetof(identification_t, destroy)); this->ocspuris->destroy_offset(this->ocspuris, 
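Review bot: `now = time(NULL)` is re-evaluated on every iteration of the certinfos loop, while the mutex is held; taking the timestamp once before the loop is cheaper and keeps all lines of one listing consistent with each other. As a point of style, the formatting removed from certinfo.c's printf handler has been inlined here, whereas crl_t received a `list(crl_t*, FILE*, bool)` method in the same patch; giving certinfo_t the same method (`certinfo->list(certinfo, out, utc)`) would keep the per-type formatting next to the type and spare ca.c the get_nextUpdate/get_thisUpdate/get_serialNumber/get_status accessors it now reaches for.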
@@ -656,92 +704,59 @@ static void destroy(private_ca_info_t *this) } /** - * output handler in printf() + * list the info of this CA */ -static int print(FILE *stream, const struct printf_info *info, - const void *const *args) +static void list(private_ca_info_t* this, FILE* out, bool utc) { - private_ca_info_t *this = *((private_ca_info_t**)(args[0])); - bool utc = TRUE; - int written = 0; - const x509_t *cacert; + chunk_t chunk; + identification_t *uri; + iterator_t *iterator; + bool first; - if (info->alt) - { - utc = *((bool*)args[1]); - } - if (this == NULL) - { - return fprintf(stream, "(null)"); - } - pthread_mutex_lock(&(this->mutex)); - written += fprintf(stream, "%#T", &this->installed, utc); + fprintf(out, "%#T", &this->installed, utc); if (this->name) { - written += fprintf(stream, ", \"%s\"\n", this->name); + fprintf(out, ", \"%s\"\n", this->name); } else { - written += fprintf(stream, "\n"); + fprintf(out, "\n"); } - cacert = this->cacert; - written += fprintf(stream, " authname: '%D'\n", cacert->get_subject(cacert)); - { - chunk_t authkey = cacert->get_subjectKeyID(cacert); - - written += fprintf(stream, " authkey: %#B\n", &authkey); - } + fprintf(out, " authname: '%D'\n", this->cacert->get_subject(this->cacert)); + chunk = this->cacert->get_subjectKeyID(this->cacert); + fprintf(out, " authkey: %#B\n", &chunk); + chunk = this->cacert->get_keyid(this->cacert); + fprintf(out, " keyid: %#B\n", &chunk); + + first = TRUE; + iterator = this->crluris->create_iterator(this->crluris, TRUE); + while (iterator->iterate(iterator, (void**)&uri)) { - chunk_t keyid = cacert->get_keyid(cacert); - - written += fprintf(stream, " keyid: %#B\n", &keyid); - } - { - identification_t *crluri; - iterator_t *iterator = this->crluris->create_iterator(this->crluris, TRUE); - bool first = TRUE; - - while (iterator->iterate(iterator, (void**)&crluri)) - { - written += fprintf(stream, " %s '%D'\n", - first? 
"crluris:":" ", crluri); - first = FALSE; - } - iterator->destroy(iterator); + fprintf(out, " %s '%D'\n", first ? "crluris:":" ", uri); + first = FALSE; } + iterator->destroy(iterator); + + first = TRUE; + iterator = this->ocspuris->create_iterator(this->ocspuris, TRUE); + while (iterator->iterate(iterator, (void**)&uri)) { - identification_t *ocspuri; - iterator_t *iterator = this->ocspuris->create_iterator(this->ocspuris, TRUE); - bool first = TRUE; - - while (iterator->iterate(iterator, (void**)&ocspuri)) - { - written += fprintf(stream, " %s '%D'\n", - first? "ocspuris:":" ", ocspuri); - first = FALSE; - } - iterator->destroy(iterator); + fprintf(out, " %s '%D'\n", first ? "ocspuris:":" ", uri); + first = FALSE; } + iterator->destroy(iterator); pthread_mutex_unlock(&(this->mutex)); - return written; -} - -/** - * register printf() handlers - */ -static void __attribute__ ((constructor))print_register() -{ - register_printf_function(PRINTF_CAINFO, print, arginfo_ptr_alt_ptr_int); } /* * Described in header. */ -void ca_info_set_options(bool cache, u_int interval) +void ca_info_set_options(strict_t strict, bool cache, u_int interval) { + strict_crl_policy = strict; cache_crls = cache; crl_check_interval = interval; } @@ -757,6 +772,7 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert) this->installed = time(NULL); this->name = (name == NULL)? NULL:strdup(name); this->cacert = cacert; + this->attrcerts = linked_list_create(); this->crluris = linked_list_create(); this->ocspuris = linked_list_create(); this->certinfos = linked_list_create(); 
@@ -770,10 +786,13 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert) this->public.equals_name_release_info = (bool (*) (ca_info_t*,const char*))equals_name_release_info; this->public.is_cert_issuer = (bool (*) (ca_info_t*,const x509_t*))is_cert_issuer; this->public.is_crl_issuer = (bool (*) (ca_info_t*,const crl_t*))is_crl_issuer; + this->public.is_ca = (bool (*) (ca_info_t*))is_ca; + this->public.is_strict = (bool (*) (ca_info_t*))is_strict; this->public.add_info = (void (*) (ca_info_t*,const ca_info_t*))add_info; this->public.add_crl = (void (*) (ca_info_t*,crl_t*))add_crl; this->public.has_crl = (bool (*) (ca_info_t*))has_crl; this->public.has_certinfos = (bool (*) (ca_info_t*))has_certinfos; + this->public.list = (void (*) (ca_info_t*,FILE*,bool))list; this->public.list_crl = (void (*) (ca_info_t*,FILE*,bool))list_crl; this->public.list_certinfos = (void (*) (ca_info_t*,FILE*,bool))list_certinfos; this->public.add_crluri = (void (*) (ca_info_t*,chunk_t))add_crluri; diff --git a/src/libstrongswan/crypto/ca.h b/src/libstrongswan/crypto/ca.h index c494a4468..ff6271b15 100644 --- a/src/libstrongswan/crypto/ca.h +++ b/src/libstrongswan/crypto/ca.h @@ -26,13 +26,15 @@ typedef struct ca_info_t ca_info_t; #include -#include - -#include #include "x509.h" #include "crl.h" +#define MAX_CA_PATH_LEN 7 + +/*forward declaration */ +struct credential_store_t; + /** * @brief X.509 certification authority information record * @@ -80,6 +82,22 @@ struct ca_info_t { */ bool (*is_crl_issuer) (ca_info_t *this, const crl_t *crl); + /** + * @brief Checks if the ca certificate has the isCA flag set + * + * @param this ca info object + * @return TRUE if the isCA flag is set + */ + bool (*is_ca) (ca_info_t *this); + + /** + * @brief Checks if the ca enforces a strict crl policy + * + * @param this ca info object + * @return TRUE if the crl policy is strict + */ + bool (*is_strict) (ca_info_t *this); + /** * @brief Merges info from a secondary ca info object * 
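Review bot: `#define MAX_CA_PATH_LEN 7` is introduced without a comment and nothing in this hunk uses it, so its meaning — presumably the maximum number of issuer certificates followed when building a trust path — has to be guessed by the reader. A one-line comment such as `/* maximum length of a trust path in CA certificates; longer chains must fail verification (also stops cycles) */` above it would make the contract explicit. The hunk also drops two `#include` lines from ca.h (their targets were stripped in this rendering) in favour of `struct credential_store_t;`; please verify that every translation unit including ca.h still gets `FILE`, `bool` and `certinfo_t` from the remaining includes, as the header itself now relies on them.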
@@ -112,6 +130,16 @@ struct ca_info_t { */ bool (*has_certinfos) (ca_info_t *this); + /** + * @brief Print the CA info onto the console + * + * @param this ca info object + * @param out output stream + * @param utc TRUE - utc + FALSE - local time + */ + void (*list) (ca_info_t *this, FILE *out, bool utc); + /** * @brief List the CRL onto the console * @@ -174,7 +202,7 @@ struct ca_info_t { * @param credentials credential store needed for trust path verification * @return certificate status */ - cert_status_t (*verify_by_ocsp) (ca_info_t* this, certinfo_t* certinfo, credential_store_t* credentials); + cert_status_t (*verify_by_ocsp) (ca_info_t* this, certinfo_t* certinfo, struct credential_store_t* credentials); /** * @brief Purge the OCSP certinfos of a ca info record @@ -199,7 +227,7 @@ struct ca_info_t { * * @ingroup crypto */ -void ca_info_set_options(bool cache, u_int interval); +void ca_info_set_options(strict_t strict, bool cache, u_int interval); /** * @brief Create a ca info record diff --git a/src/libstrongswan/crypto/certinfo.c b/src/libstrongswan/crypto/certinfo.c index 654e4c2bd..8a125e247 100644 --- a/src/libstrongswan/crypto/certinfo.c +++ b/src/libstrongswan/crypto/certinfo.c 
@@ -221,54 +221,6 @@ static void destroy(private_certinfo_t *this) free(this); } -/** - * output handler in printf() - */ -static int print(FILE *stream, const struct printf_info *info, - const void *const *args) -{ - private_certinfo_t *this = *((private_certinfo_t**)(args[0])); - bool utc = TRUE; - int written = 0; - time_t now; - - if (info->alt) - { - utc = *((bool*)args[1]); - } - - if (this == NULL) - { - return fprintf(stream, "(null)"); - } - - now = time(NULL); - - written += fprintf(stream, "%#T, until %#T, ", - &this->thisUpdate, utc, - &this->nextUpdate, utc); - if (now > this->nextUpdate) - { - written += fprintf(stream, "expired (%V ago)\n", &now, &this->nextUpdate); - } - else - { - written += fprintf(stream, "ok (expires in %V)\n", &now, &this->nextUpdate); - } - written += fprintf(stream, " serial: %#B, %N", - &this->serialNumber, - cert_status_names, this->status); - return written; -} - -/** - * register printf() handlers - */ -static void __attribute__ ((constructor))print_register() -{ - register_printf_function(PRINTF_CERTINFO, print, arginfo_ptr_alt_ptr_int); -} - /* * Described in header. */ diff --git a/src/libstrongswan/crypto/crl.c b/src/libstrongswan/crypto/crl.c index 00d6a3ac3..b4ae37b2e 100755 --- a/src/libstrongswan/crypto/crl.c +++ b/src/libstrongswan/crypto/crl.c @@ -39,10 +39,6 @@ #define CRL_WARNING_INTERVAL 7 /* days */ -extern char* check_expiry(time_t expiration_date, int warning_interval, bool strict); -extern time_t parse_time(chunk_t blob, int level0); -extern void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber); - /* access structure for a revoked certificate */ typedef struct revokedCert_t revokedCert_t; @@ -99,6 +95,11 @@ struct private_crl_t { */ identification_t *issuer; + /** + * CRL number + */ + chunk_t crlNumber; + /** * Time when the crl was generated */ 
@@ -291,6 +292,14 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl) { parse_authorityKeyIdentifier(object, level, &crl->authKeyID, &crl->authKeySerialNumber); } + else if (extn_oid == OID_CRL_NUMBER) + { + if (!parse_asn1_simple_object(&object, ASN1_INTEGER, level, "crlNumber")) + { + return FALSE; + } + crl->crlNumber = object; + } } break; case CRL_OBJ_ALGORITHM: 
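Review bot: A malformed crlNumber extension now makes parse_x509crl `return FALSE`, i.e. the whole CRL is rejected, although the value is only stored and later printed by list(); that is defensible DER strictness but a behaviour change for CRLs that were previously accepted, and it deserves a short comment at the `return FALSE;`. RFC 5280 §5.2.3 bounds the value to a non-negative integer of at most 20 octets; since it is display-only here, at least emit a DBG1 when `object.len == 0 || object.len > 20` rather than silently storing it. Note that `crl->crlNumber = object;` keeps a pointer into the CRL blob, which is only safe as long as the crl_t owns that blob for its whole lifetime (the blob ownership is outside this hunk).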
@@ -416,66 +425,47 @@ static void destroy(private_crl_t *this) } /** - * output handler in printf() + * Implementation of crl_t.list. */ -static int print(FILE *stream, const struct printf_info *info, - const void *const *args) +static void list(private_crl_t *this, FILE* out, bool utc) { - private_crl_t *this = *((private_crl_t**)(args[0])); - bool utc = TRUE; - int written = 0; time_t now; - if (info->alt) - { - utc = *((bool*)args[1]); - } - - if (this == NULL) - { - return fprintf(stream, "(null)"); - } - now = time(NULL); - written += fprintf(stream, "%#T, revoked certs: %d\n", &this->installed, utc, + fprintf(out, "%#T, revoked certs: %d\n", &this->installed, utc, this->revokedCertificates->get_count(this->revokedCertificates)); - written += fprintf(stream, " issuer: '%D'\n", this->issuer); - written += fprintf(stream, " updates: this %#T\n", &this->thisUpdate, utc); - written += fprintf(stream, " next %#T ", &this->nextUpdate, utc); + fprintf(out, " issuer: '%D'\n", this->issuer); + if (this->crlNumber.ptr) + { + fprintf(out, " crlnumber: %#B\n", &this->crlNumber); + } + fprintf(out, " updates: this %#T\n", &this->thisUpdate, utc); + fprintf(out, " next %#T ", &this->nextUpdate, utc); if (this->nextUpdate == UNDEFINED_TIME) { - written += fprintf(stream, "ok (expires never)"); + fprintf(out, "ok (expires never)\n"); } else if (now > this->nextUpdate) { - written += fprintf(stream, "expired (%V ago)", &now, &this->nextUpdate); + fprintf(out, "expired (%V ago)\n", &now, &this->nextUpdate); } else if (now > this->nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24) { - written += fprintf(stream, "ok (expires in %V)", &now, &this->nextUpdate); + fprintf(out, "ok (expires in %V)\n", &now, &this->nextUpdate); } else { - written += fprintf(stream, "ok"); + fprintf(out, "ok\n"); } if (this->authKeyID.ptr) { - written += fprintf(stream, "\n authkey: %#B", &this->authKeyID); + fprintf(out, " authkey: %#B\n", &this->authKeyID); } if (this->authKeySerialNumber.ptr) { - 
written += fprintf(stream, "\n aserial: %#B", &this->authKeySerialNumber); + fprintf(out, " aserial: %#B\n", &this->authKeySerialNumber); } - return written; -} - -/** - * register printf() handlers - */ -static void __attribute__ ((constructor))print_register() -{ - register_printf_function(PRINTF_CRL, print, arginfo_ptr_alt_ptr_int); } /* @@ -489,6 +479,7 @@ crl_t *crl_create_from_chunk(chunk_t chunk) this->crlDistributionPoints = linked_list_create(); this->tbsCertList = chunk_empty; this->issuer = NULL; + this->crlNumber = chunk_empty; this->revokedCertificates = linked_list_create(); this->authKeyID = chunk_empty; this->authKeySerialNumber = chunk_empty; @@ -502,6 +493,7 @@ crl_t *crl_create_from_chunk(chunk_t chunk) this->public.verify = (bool (*) (const crl_t*,const rsa_public_key_t*))verify; this->public.get_status = (void (*) (const crl_t*,certinfo_t*))get_status; this->public.write_to_file = (bool (*) (const crl_t*,const char*,mode_t,bool))write_to_file; + this->public.list = (void(*)(crl_t*, FILE* out, bool utc))list; this->public.destroy = (void (*) (crl_t*))destroy; if (!parse_x509crl(chunk, 0, this)) @@ -520,14 +512,10 @@ crl_t *crl_create_from_file(const char *filename) { bool pgp = FALSE; chunk_t chunk = chunk_empty; - crl_t *crl = NULL; if (!pem_asn1_load_file(filename, NULL, "crl", &chunk, &pgp)) + { return NULL; - - crl = crl_create_from_chunk(chunk); - - if (crl == NULL) - free(chunk.ptr); - return crl; + } + return crl_create_from_chunk(chunk); } diff --git a/src/libstrongswan/crypto/crl.h b/src/libstrongswan/crypto/crl.h index 8a11fc390..a367c3aff 100755 --- a/src/libstrongswan/crypto/crl.h +++ b/src/libstrongswan/crypto/crl.h 
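Review bot: Removing `if (crl == NULL) free(chunk.ptr);` is correct only if crl_create_from_chunk now frees the blob itself when parse_x509crl fails; that failure path (`if (!parse_x509crl(chunk, 0, this))` in the preceding hunk) is cut off in this view, so please confirm destroy() runs there and frees the pointer that came in as `chunk`, otherwise every unparsable CRL file now leaks its contents. Whichever it is, the rule belongs in crl.h next to crl_create_from_chunk: `@param chunk DER encoded CRL; ownership passes to the crl_t and it is freed even when NULL is returned`. x509ac_create_from_file in this patch follows the same pattern, so both loaders should state one documented convention.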
@@ -104,6 +104,15 @@ struct crl_t { * @param certinfo certinfo is updated */ void (*get_status) (const crl_t *this, certinfo_t *certinfo); + + /** + * @brief Log the info of this CRL to out. + * + * @param this calling object + * @param out stream to write to + * @param utc TRUE for UTC, FALSE for local time + */ + void (*list)(crl_t *this, FILE* out, bool utc); /** * @brief Write a der-encoded crl to a file diff --git a/src/libstrongswan/crypto/ocsp.c b/src/libstrongswan/crypto/ocsp.c index 471996c8e..0d8093e4a 100644 --- a/src/libstrongswan/crypto/ocsp.c +++ b/src/libstrongswan/crypto/ocsp.c @@ -770,7 +770,7 @@ static void ocsp_process_response(private_ocsp_t *this, response_t *res, credent if (res->responder_cert->is_ocsp_signer(res->responder_cert)) { DBG2("received certificate is ocsp signer"); - if (credentials->is_trusted(credentials, res->responder_cert)) + if (credentials->is_trusted(credentials, "OCSP signing", res->responder_cert)) { DBG1("received ocsp signer certificate is trusted"); ocsp_cert = credentials->add_auth_certificate(credentials, diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c index 58fcff16d..5bf3f26d7 100755 --- a/src/libstrongswan/crypto/x509.c +++ b/src/libstrongswan/crypto/x509.c @@ -6,7 +6,12 @@ */ /* - * Copyright (C) 2006 Martin Willi + * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann + * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss + * Copyright (C) 2002 Mario Strasser + * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur + * Copyright (C) 2006 Martin Willi, Andreas Steffen + * * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -116,6 +121,11 @@ struct private_x509_t { */ identification_t *issuer; + /** + * link to the info recored of the certificate issuer + */ + ca_info_t *ca_info; + /** * Start time of certificate validity */ 
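Review bot: The new `ca_info_t *ca_info` member is a raw back-pointer with no ownership or lifetime statement, and set_ca_info/get_ca_info merely store and return it; if the ca_info_t is released (the credential store's CA list is outside this diff) while the certificate lives on, get_ca_info() hands out a dangling pointer. Say in the comment who owns it and how long it is valid, e.g. `/* non-owning link to the ca_info_t of the issuer; valid only while the credential store holds that record */`, and fix the typo "recored" → "record". Also make sure the object constructor sets the field to NULL if private_x509_t is allocated without zeroing (the constructor is not in this view).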
@@ -171,6 +181,11 @@ struct private_x509_t { */ chunk_t authKeySerialNumber; + /** + * Indicates if the certificate is self-signed + */ + bool isSelfSigned; + /** * CA basic constraints flag */ @@ -249,19 +264,6 @@ static const asn1Object_t basicConstraintsObjects[] = { #define BASIC_CONSTRAINTS_CA 1 #define BASIC_CONSTRAINTS_ROOF 4 -/** - * ASN.1 definition of time - */ -static const asn1Object_t timeObjects[] = { - { 0, "utcTime", ASN1_UTCTIME, ASN1_OPT|ASN1_BODY }, /* 0 */ - { 0, "end opt", ASN1_EOC, ASN1_END }, /* 1 */ - { 0, "generalizeTime",ASN1_GENERALIZEDTIME, ASN1_OPT|ASN1_BODY }, /* 2 */ - { 0, "end opt", ASN1_EOC, ASN1_END } /* 3 */ -}; -#define TIME_UTC 0 -#define TIME_GENERALIZED 2 -#define TIME_ROOF 4 - /** * ASN.1 definition of a keyIdentifier */ @@ -545,7 +547,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0) /** * extracts one or several GNs and puts them into a chained list */ -static void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list) +void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list) { asn1_ctx_t ctx; chunk_t object; @@ -571,33 +573,6 @@ static void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_l return; } -/** - * extracts and converts a UTCTIME or GENERALIZEDTIME object - */ -time_t parse_time(chunk_t blob, int level0) -{ - asn1_ctx_t ctx; - chunk_t object; - u_int level; - int objectID = 0; - - asn1_init(&ctx, blob, level0, FALSE, FALSE); - - while (objectID < TIME_ROOF) - { - if (!extract_object(timeObjects, &objectID, &object, &level, &ctx)) - return 0; - - if (objectID == TIME_UTC || objectID == TIME_GENERALIZED) - { - return asn1totime(&object, (objectID == TIME_UTC) - ? ASN1_UTCTIME : ASN1_GENERALIZEDTIME); - } - objectID++; - } - return 0; -} - /** * extracts a keyIdentifier */ 
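Review bot: parse_generalNames loses `static` so that ac.c can call it (parse_directoryName does), but no prototype for it is added to x509.h or any other header in this diff, so ac.c either relies on an implicit declaration or on an `extern` in a file not shown here. Put the declaration in the shared header next to parse_authorityKeyIdentifier, with a comment stating that the identification_t objects appended to `list` are owned by the caller — which is exactly what parse_directoryName relies on when it destroys the surplus names. The crl.c hunk in this patch removes ad-hoc `extern` declarations of these helpers, so a header declaration is the consistent choice.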
@@ -624,7 +599,11 @@ void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, u_int level; int objectID = 0; + *authKeyID = chunk_empty; + *authKeySerialNumber = chunk_empty; + asn1_init(&ctx, blob, level0, FALSE, FALSE); + while (objectID < AUTH_KEY_ID_ROOF) { if (!extract_object(authorityKeyIdentifierObjects, &objectID, &object, &level, &ctx)) @@ -763,7 +742,7 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0, linked_list_t /** * Parses an X.509v3 certificate */ -static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert) +static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this) { asn1_ctx_t ctx; bool critical; 
@@ -779,38 +758,41 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert) { return FALSE; } + /* those objects which will parsed further need the next higher level */ level++; - switch (objectID) { + + switch (objectID) + { case X509_OBJ_CERTIFICATE: - cert->certificate = object; + this->certificate = object; break; case X509_OBJ_TBS_CERTIFICATE: - cert->tbsCertificate = object; + this->tbsCertificate = object; break; case X509_OBJ_VERSION: - cert->version = (object.len) ? (1+(u_int)*object.ptr) : 1; - DBG2(" v%d", cert->version); + this->version = (object.len) ? (1+(u_int)*object.ptr) : 1; + DBG2(" v%d", this->version); break; case X509_OBJ_SERIAL_NUMBER: - cert->serialNumber = object; + this->serialNumber = object; break; case X509_OBJ_SIG_ALG: - cert->sigAlg = parse_algorithmIdentifier(object, level, NULL); + this->sigAlg = parse_algorithmIdentifier(object, level, NULL); break; case X509_OBJ_ISSUER: - cert->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); - DBG2(" '%D'", cert->issuer); + this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); + DBG2(" '%D'", this->issuer); break; case X509_OBJ_NOT_BEFORE: - cert->notBefore = parse_time(object, level); + this->notBefore = parse_time(object, level); break; case X509_OBJ_NOT_AFTER: - cert->notAfter = parse_time(object, level); + this->notAfter = parse_time(object, level); break; case X509_OBJ_SUBJECT: - cert->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object); - DBG2(" '%D'", cert->subject); + this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object); + DBG2(" '%D'", this->subject); break; case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM: if (parse_algorithmIdentifier(object, level, NULL) != OID_RSA_ENCRYPTION) 
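Review bot: `this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;` still accepts any version byte, while the attribute-certificate parser added in this same patch rejects everything but v2; rejecting unknown versions here too, `if (this->version > 3) { DBG1("v%d certificates are not supported", this->version); return FALSE; }`, would align both parsers with RFC 5280. Likewise parse_time (whose removed body further up returned 0 on an unrecognised time encoding; its new definition is not in this view) leaves notBefore/notAfter at the epoch instead of failing: a broken notAfter merely reads as "expired", but a broken notBefore silently becomes "valid since 1970", so the NOT_BEFORE/NOT_AFTER cases should return FALSE when parse_time yields 0. parse_certificate's body continues beyond this hunk.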
@@ -832,7 +814,7 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert) } break; case X509_OBJ_RSA_PUBLIC_KEY: - cert->subjectPublicKey = object; + this->subjectPublicKey = object; break; case X509_OBJ_EXTN_ID: extn_oid = known_oid(object); @@ -843,27 +825,28 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert) break; case X509_OBJ_EXTN_VALUE: { - switch (extn_oid) { + switch (extn_oid) + { case OID_SUBJECT_KEY_ID: - cert->subjectKeyID = chunk_clone(parse_keyIdentifier(object, level, FALSE)); + this->subjectKeyID = chunk_clone(parse_keyIdentifier(object, level, FALSE)); break; case OID_SUBJECT_ALT_NAME: - parse_generalNames(object, level, FALSE, cert->subjectAltNames); + parse_generalNames(object, level, FALSE, this->subjectAltNames); break; case OID_BASIC_CONSTRAINTS: - cert->isCA = parse_basicConstraints(object, level); + this->isCA = parse_basicConstraints(object, level); break; case OID_CRL_DISTRIBUTION_POINTS: - parse_crlDistributionPoints(object, level, cert->crlDistributionPoints); + parse_crlDistributionPoints(object, level, this->crlDistributionPoints); break; case OID_AUTHORITY_KEY_ID: - parse_authorityKeyIdentifier(object, level , &cert->authKeyID, &cert->authKeySerialNumber); + parse_authorityKeyIdentifier(object, level , &this->authKeyID, &this->authKeySerialNumber); break; case OID_AUTHORITY_INFO_ACCESS: - parse_authorityInfoAccess(object, level, cert->ocspAccessLocations); + parse_authorityInfoAccess(object, level, this->ocspAccessLocations); break; case OID_EXTENDED_KEY_USAGE: - cert->isOcspSigner = parse_extendedKeyUsage(object, level); + this->isOcspSigner = parse_extendedKeyUsage(object, level); break; case OID_NS_REVOCATION_URL: case OID_NS_CA_REVOCATION_URL: 
@@ -878,10 +861,10 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert) break; } case X509_OBJ_ALGORITHM: - cert->algorithm = parse_algorithmIdentifier(object, level, NULL); + this->algorithm = parse_algorithmIdentifier(object, level, NULL); break; case X509_OBJ_SIGNATURE: - cert->signature = object; + this->signature = object; break; default: break; @@ -889,15 +872,16 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert) objectID++; } - if (cert->subjectKeyID.ptr == NULL) + /* generate the subjectKeyID if it is missing in the certificate */ + if (this->subjectKeyID.ptr == NULL) { hasher_t *hasher = hasher_create(HASH_SHA1); - hasher->allocate_hash(hasher, cert->subjectPublicKey, &cert->subjectKeyID); + hasher->allocate_hash(hasher, this->subjectPublicKey, &this->subjectKeyID); hasher->destroy(hasher); } - time(&cert->installed); + this->installed = time(NULL); return TRUE; } @@ -950,7 +934,7 @@ static bool is_ocsp_signer(const private_x509_t *this) */ static bool is_self_signed(const private_x509_t *this) { - return this->subject->equals(this->subject, this->issuer); + return this->isSelfSigned; } /** @@ -1042,6 +1026,22 @@ static identification_t *get_subject(const private_x509_t *this) return this->subject; } +/** + * Implements x509_t.set_ca_info + */ +static void set_ca_info(private_x509_t *this, ca_info_t *ca_info) +{ + this->ca_info = ca_info; +} + +/** + * Implements x509_t.get_ca_info + */ +static ca_info_t *get_ca_info(const private_x509_t *this) +{ + return this->ca_info; +} + /** * Implements x509_t.set_until */ 
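Review bot: is_self_signed now returns the new `this->isSelfSigned` flag, but no added line in this view assigns it — parse_certificate never sets it and the subject/issuer comparison it replaces is gone — so unless the constructor or the credential store sets it in code outside this diff, the flag is whatever the allocator left in the struct and self-signed detection, which feeds trust decisions, becomes nondeterministic. If the intent is "signature verified with the certificate's own key", compute it where the object is built, e.g. `this->isSelfSigned = this->subject->equals(this->subject, this->issuer) && verify(this, this->public_key);`, and document that meaning on the field. At minimum initialise it to FALSE in the constructor.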
@@ -1121,39 +1121,23 @@ static bool verify(const private_x509_t *this, const rsa_public_key_t *signer) { return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertificate, this->signature) == SUCCESS; } - + /** - * output handler in printf() + * Implementation of x509_t.list. */ -static int print(FILE *stream, const struct printf_info *info, - const void *const *args) +static void list(private_x509_t *this, FILE *out, bool utc) { - private_x509_t *this = *((private_x509_t**)(args[0])); iterator_t *iterator; - bool utc = TRUE; - int written = 0; - - if (info->alt) - { - utc = *((bool*)(args[1])); - } - - if (this == NULL) - { - return fprintf(stream, "(null)"); - } - - /* determine the current time */ time_t now = time(NULL); - written += fprintf(stream, "%#T\n", &this->installed, utc); + fprintf(out, "%#T\n", &this->installed, utc); if (this->subjectAltNames->get_count(this->subjectAltNames)) { identification_t *subjectAltName; bool first = TRUE; - written += fprintf(stream, " altNames: "); + fprintf(out, " altNames: "); iterator = this->subjectAltNames->create_iterator(this->subjectAltNames, TRUE); while (iterator->iterate(iterator, (void**)&subjectAltName)) { 
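Review bot: The new list() drops the `this == NULL` guard that print() had (it wrote "(null)" and returned), so a caller that previously could pass a NULL certificate through the printf hook now dereferences NULL at `&this->installed`. Since this is an exported method on x509_t, either keep the guard, `if (this == NULL) { fprintf(out, "(null)\n"); return; }`, or document in the x509.h declaration that `this` must not be NULL. list() continues past this hunk.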
@@ -1163,71 +1147,71 @@ static int print(FILE *stream, const struct printf_info *info, } else { - written += fprintf(stream, ", "); + fprintf(out, ", "); } - written += fprintf(stream, "'%D'", subjectAltName); + fprintf(out, "'%D'", subjectAltName); } iterator->destroy(iterator); - written += fprintf(stream, "\n"); + fprintf(out, "\n"); } - written += fprintf(stream, " subject: '%D'\n", this->subject); - written += fprintf(stream, " issuer: '%D'\n", this->issuer); - written += fprintf(stream, " serial: %#B\n", &this->serialNumber); - written += fprintf(stream, " validity: not before %#T, ", &this->notBefore, utc); + fprintf(out, " subject: '%D'\n", this->subject); + fprintf(out, " issuer: '%D'\n", this->issuer); + fprintf(out, " serial: %#B\n", &this->serialNumber); + fprintf(out, " validity: not before %#T, ", &this->notBefore, utc); if (now < this->notBefore) { - written += fprintf(stream, "not valid yet (valid in %V)\n", &now, &this->notBefore); + fprintf(out, "not valid yet (valid in %V)\n", &now, &this->notBefore); } else { - written += fprintf(stream, "ok\n"); + fprintf(out, "ok\n"); } - written += fprintf(stream, " not after %#T, ", &this->notAfter, utc); + fprintf(out, " not after %#T, ", &this->notAfter, utc); if (now > this->notAfter) { - written += fprintf(stream, "expired (%V ago)\n", &now, &this->notAfter); + fprintf(out, "expired (%V ago)\n", &now, &this->notAfter); } else { - written += fprintf(stream, "ok"); + fprintf(out, "ok"); if (now > this->notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24) { - written += fprintf(stream, " (expires in %V)", &now, &this->notAfter); + fprintf(out, " (expires in %V)", &now, &this->notAfter); } - written += fprintf(stream, " \n"); + fprintf(out, " \n"); } { chunk_t keyid = this->public_key->get_keyid(this->public_key); - written += fprintf(stream, " keyid: %#B\n", &keyid); + fprintf(out, " keyid: %#B\n", &keyid); } if (this->subjectKeyID.ptr) { - written += fprintf(stream, " subjkey: %#B\n", &this->subjectKeyID); + 
fprintf(out, " subjkey: %#B\n", &this->subjectKeyID); } if (this->authKeyID.ptr) { - written += fprintf(stream, " authkey: %#B\n", &this->authKeyID); + fprintf(out, " authkey: %#B\n", &this->authKeyID); } if (this->authKeySerialNumber.ptr) { - written += fprintf(stream, " aserial: %#B\n", &this->authKeySerialNumber); + fprintf(out, " aserial: %#B\n", &this->authKeySerialNumber); } - written += fprintf(stream, " pubkey: RSA %d bits", BITS_PER_BYTE * - this->public_key->get_keysize(this->public_key)); - written += fprintf(stream, ", status %N", - cert_status_names, this->status); + fprintf(out, " pubkey: RSA %d bits", BITS_PER_BYTE * + this->public_key->get_keysize(this->public_key)); + fprintf(out, ", status %N", + cert_status_names, this->status); switch (this->status) { case CERT_GOOD: - written += fprintf(stream, " until %#T", &this->until, utc); + fprintf(out, " until %#T", &this->until, utc); break; case CERT_REVOKED: - written += fprintf(stream, " on %#T", &this->until, utc); + fprintf(out, " on %#T", &this->until, utc); break; case CERT_UNKNOWN: case CERT_UNDEFINED: @@ -1235,15 +1219,6 @@ static int print(FILE *stream, const struct printf_info *info, default: break; } - return written; -} - -/** - * register printf() handlers - */ -static void __attribute__ ((constructor))print_register() -{ - register_printf_function(PRINTF_X509, print, arginfo_ptr_alt_ptr_int); } /** @@ -1277,6 +1252,7 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level) this->public_key = NULL; this->subject = NULL; this->issuer = NULL; + this->ca_info = NULL; this->subjectAltNames = linked_list_create(); this->crlDistributionPoints = linked_list_create(); this->ocspAccessLocations = linked_list_create(); 
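Review bot: `fprintf(out, " pubkey: RSA %d bits", BITS_PER_BYTE * this->public_key->get_keysize(this->public_key));` passes a product whose type is fixed by get_keysize's return type to a `%d` conversion; if get_keysize returns size_t the argument type does not match the conversion, which -Wformat flags and which is undefined behaviour. Casting makes the intent explicit: `(int)(BITS_PER_BYTE * this->public_key->get_keysize(this->public_key))`. This line is carried over from print() rather than introduced here, but the rewrite is the natural moment to fix it. list() starts in the previous hunk.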
@@ -1284,6 +1260,8 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level) this->authKeyID = chunk_empty; this->authKeySerialNumber = chunk_empty; this->authority_flags = AUTH_NONE; + this->isCA = FALSE; + this->isOcspSigner = FALSE; /* public functions */ this->public.equals = (bool (*) (const x509_t*,const x509_t*))equals; @@ -1300,6 +1278,8 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level) this->public.get_keyid = (chunk_t (*) (const x509_t*))get_keyid; this->public.get_issuer = (identification_t* (*) (const x509_t*))get_issuer; this->public.get_subject = (identification_t* (*) (const x509_t*))get_subject; + this->public.set_ca_info = (void (*) (x509_t*,ca_info_t*))set_ca_info; + this->public.get_ca_info = (ca_info_t* (*) (const x509_t*))get_ca_info; this->public.set_until = (void (*) (x509_t*,time_t))set_until; this->public.get_until = (time_t (*) (const x509_t*))get_until; this->public.set_status = (void (*) (x509_t*,cert_status_t))set_status; @@ -1310,6 +1290,7 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level) this->public.create_crluri_iterator = (iterator_t* (*) (const x509_t*))create_crluri_iterator; this->public.create_ocspuri_iterator = (iterator_t* (*) (const x509_t*))create_ocspuri_iterator; this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify; + this->public.list = (void(*)(x509_t*, FILE *out, bool utc))list; this->public.destroy = (void (*) (x509_t*))destroy; if (!parse_certificate(chunk, level, this)) 
@@ -1325,9 +1306,27 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level) destroy(this); return NULL; } + /* set trusted lifetime of public key to notAfter */ - this->status = is_self_signed(this)? CERT_GOOD:CERT_UNDEFINED; this->until = this->notAfter; + + /* check if the certificate is self-signed */ + this->isSelfSigned = FALSE; + if (this->subject->equals(this->subject, this->issuer)) + { + this->isSelfSigned = this->public_key->verify_emsa_pkcs1_signature(this->public_key, + this->tbsCertificate, this->signature) == SUCCESS; + } + if (this->isSelfSigned) + { + DBG2(" certificate is self-signed"); + this->status = CERT_GOOD; + } + else + { + this->status = CERT_UNDEFINED; + } + return &this->public; } @@ -1338,17 +1337,13 @@ x509_t *x509_create_from_file(const char *filename, const char *label) { bool pgp = FALSE; chunk_t chunk = chunk_empty; - x509_t *cert = NULL; char cert_label[BUF_LEN]; snprintf(cert_label, BUF_LEN, "%s certificate", label); if (!pem_asn1_load_file(filename, NULL, cert_label, &chunk, &pgp)) + { return NULL; - - cert = x509_create_from_chunk(chunk, 0); - - if (cert == NULL) - free(chunk.ptr); - return cert; + } + return x509_create_from_chunk(chunk, 0); } diff --git a/src/libstrongswan/crypto/x509.h b/src/libstrongswan/crypto/x509.h index a949d99d2..c6fe148d4 100755 --- a/src/libstrongswan/crypto/x509.h +++ b/src/libstrongswan/crypto/x509.h @@ -6,7 +6,12 @@ */ /* + * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann + * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss + * Copyright (C) 2002 Mario Strasser + * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur * Copyright (C) 2006 Martin Willi, Andreas Steffen + * * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -28,8 +33,10 @@ typedef struct x509_t x509_t; #include #include #include +#include #include #include +#include /* authority flags */ 
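Review bot: The new self-signed path sets `this->status = CERT_GOOD` and leaves `until = notAfter` without a comment explaining why a certificate that verifies under its own key is treated as having a known-good revocation status, which a later reader will easily mistake for a trust decision. I would add above the `if (this->isSelfSigned)`: `/* a self-signed certificate cannot be revoked through its own issuer, so its revocation status is fixed to GOOD for its whole lifetime; this says nothing about whether it is trusted */`. Note also that `this->public_key` is dereferenced unconditionally here; if parse_certificate can succeed without creating it, the subject/issuer equality branch needs a NULL check before calling verify_emsa_pkcs1_signature.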
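Review bot: x509_create_from_file no longer frees `chunk.ptr` when x509_create_from_chunk returns NULL, so the DER buffer now leaks on every unparsable certificate file unless x509_create_from_chunk takes ownership of the chunk even on failure. The failure path in the previous hunk calls `destroy(this)` after `parse_certificate` fails, and whether destroy() frees the blob is not visible here; either confirm it does and document it at the declaration, `/* takes ownership of chunk, also when NULL is returned */`, or restore the `free(chunk.ptr)` on the NULL return.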
@@ -44,12 +51,8 @@ typedef struct x509_t x509_t; * @b Constructors: * - x509_create_from_chunk() * - x509_create_from_file() - * - * @todo more code cleanup needed! - * @todo fix unimplemented functions... - * @todo handle memory management * - * @ingroup transforms + * @ingroup crypto */ struct x509_t { @@ -151,7 +154,7 @@ struct x509_t { chunk_t (*get_keyid) (const x509_t *this); /** - * @brief Get the certificate issuer's ID. + * @brief Get the issuerDistinguishedName * * The resulting ID is always a identification_t * of type ID_DER_ASN1_DN. @@ -162,7 +165,7 @@ struct x509_t { identification_t *(*get_issuer) (const x509_t *this); /** - * @brief Get the subjectDistinguisheName. + * @brief Get the subjectDistinguishedName. * * The resulting ID is always a identification_t * of type ID_DER_ASN1_DN. @@ -172,6 +175,26 @@ struct x509_t { */ identification_t *(*get_subject) (const x509_t *this); + /** + * @brief Set a link ca info + * + * @param this calling object + * @param ca_info link to the info record of the issuing ca + */ + void (*set_ca_info) (x509_t *this, ca_info_t *ca_info); + + /** + * @brief Get the . + * + * The resulting ID is always a identification_t + * of type ID_DER_ASN1_DN. + * + * @param this calling object + * @return link to the info record of the issuing ca + * or NULL if it does not [yet] exist + */ + ca_info_t *(*get_ca_info) (const x509_t *this); + /** * @brief Create an iterator for the crlDistributionPoints. * @@ -257,7 +280,16 @@ struct x509_t { * @return TRUE if self-signed */ bool (*is_self_signed) (const x509_t *this); - + + /** + * @brief Log the certificate info to out. + * + * @param this calling object + * @param out stream to write to + * @param utc TRUE for UTC times, FALSE for local time + */ + void (*list)(x509_t *this, FILE *out, bool utc); + /** * @brief Destroys the certificate. * 
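Review bot: The doc comment on the new get_ca_info is a copy-paste leftover: `@brief Get the .` has no object, and "The resulting ID is always a identification_t of type ID_DER_ASN1_DN." describes get_subject/get_issuer, not a `ca_info_t *` return. It should read `@brief Get the link to the info record of the issuing CA` and drop the ID_DER_ASN1_DN sentence, keeping the `@return ... or NULL if it does not [yet] exist` line. The matching set_ca_info brief `Set a link ca info` could also be tidied to `Set the link to the info record of the issuing CA`.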
@@ -272,7 +304,7 @@ struct x509_t { * @param chunk chunk containing DER encoded data * @return created x509_t certificate, or NULL if invlid. * - * @ingroup transforms + * @ingroup crypto */ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level); @@ -283,8 +315,32 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level); * @param label label describing kind of certificate * @return created x509_t certificate, or NULL if invalid. * - * @ingroup transforms + * @ingroup crypto */ x509_t *x509_create_from_file(const char *filename, const char *label); +/** + * @brief Parses a DER encoded authorityKeyIdentifier + * + * @param blob blob containing DER encoded data + * @param level0 indicates the current parsing level + * @param authKeyID assigns the authorityKeyIdentifier + * @param authKeySerialNumber assigns the authKeySerialNumber + * + * @ingroup crypto + */ +void parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, chunk_t *authKeySerialNumber); + +/** + * @brief Parses DER encoded generalNames + * + * @param blob blob containing DER encoded data + * @param level0 indicates the current parsing level + * @param implicit implicit coding is used + * @param list linked list of decoded generalNames + * + * @ingroup crypto + */ +void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list); + #endif /* X509_H_ */ diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h index 7c7f087f0..67a05f118 100644 --- a/src/libstrongswan/library.h +++ b/src/libstrongswan/library.h @@ -233,6 +233,15 @@ enum status_t { NEED_MORE, }; +/** + * used by strict_crl_policy + */ +typedef enum { + STRICT_NO, + STRICT_YES, + STRICT_IFURI +} strict_t; + /** * enum_names for type status_t. */ diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h index 45184a8f0..03bcf447d 100644 --- a/src/libstrongswan/printf_hook.h +++ b/src/libstrongswan/printf_hook.h 
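Review bot: parse_authorityKeyIdentifier and parse_generalNames become public API here but their comments do not say whether the chunks written to `authKeyID`/`authKeySerialNumber` and the identifications appended to `list` are freshly allocated or alias the `blob` that was passed in, which is the one thing an external caller must know to avoid a use-after-free or a leak. In x509.c the subjectKeyID path wraps parse_keyIdentifier in chunk_clone while parse_authorityKeyIdentifier is called straight into `this->authKeyID`, so the two helpers evidently differ; the header should state it, e.g. `@param authKeyID receives the keyIdentifier (allocated/aliasing blob — confirm against x509.c) and must be freed by the caller`.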
@@ -38,30 +38,14 @@ #define PRINTF_IDENTIFICATION 'D' /** 1 argumnet: host_t *host; use #-modifier to include port number */ #define PRINTF_HOST 'H' -/** 1 argument: ike_sa_id_t *id */ -#define PRINTF_IKE_SA_ID 'J' /** 1 argument: ike_sa_t *ike_sa */ -#define PRINTF_IKE_SA 'K' -/** 1 argument: message_t *message */ -#define PRINTF_MESSAGE 'M' -/** 2 arguments: enum_name_t *name, long value */ #define PRINTF_ENUM 'N' /** 1 argument: child_sa_t *child_sa */ -#define PRINTF_CHILD_SA 'P' -/** 1 argument: traffic_selector_t *ts */ #define PRINTF_TRAFFIC_SELECTOR 'R' /** 1 argument: time_t *time; with #-modifier 2 arguments: time_t *time, bool utc */ #define PRINTF_TIME 'T' -/** 1 argument: x509_t *cert; with #-modifier 2 arguments: x509_t *cert, bool utc */ -#define PRINTF_X509 'Q' -/** 1 argument: crl_t *crl; with #-modifier 2 arguments: crl_t *crl, bool utc */ -#define PRINTF_CRL 'U' /** 2 arguments: time_t *begin, time_t *end */ #define PRINTF_TIME_DELTA 'V' -/** 1 argument: ca_info_t *ca_info; with #-modifier 2 arguments: ca_info_t *ca_info, bool utc */ -#define PRINTF_CAINFO 'W' -/** 1 argument: certinfo_t *certinfo; with #-modifier 2 arguments: certinfo_t *certinfo, bool utc */ -#define PRINTF_CERTINFO 'Y' /** * Generic arginfo handlers for printf() hooks diff --git a/src/libstrongswan/utils/fetcher.c b/src/libstrongswan/utils/fetcher.c index 6165cc1e1..7a06999aa 100644 --- a/src/libstrongswan/utils/fetcher.c +++ b/src/libstrongswan/utils/fetcher.c @@ -25,6 +25,9 @@ #endif /* LIBCURL */ #ifdef LIBLDAP +#ifndef LDAP_DEPRECATED +#define LDAP_DEPRECATED 1 +#endif #include #endif /* LIBLDAP */ diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c index 8cbfd6ab8..68e9c9500 100644 --- a/src/libstrongswan/utils/host.c +++ b/src/libstrongswan/utils/host.c @@ -325,7 +325,7 @@ static bool equals(private_host_t *this, private_host_t *other) { if (!ip_equals(this, other)) { - return FAILED; + return FALSE; } switch (this->address.sa_family) 
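Review bot: The removals in printf_hook.h deleted the wrong comment lines, so the surviving defines now carry the comments of their deleted neighbours: `/** 1 argument: ike_sa_t *ike_sa */` sits above `#define PRINTF_ENUM 'N'` and `/** 1 argument: child_sa_t *child_sa */` above `#define PRINTF_TRAFFIC_SELECTOR 'R'`, while the correct `/** 2 arguments: enum_name_t *name, long value */` and `/** 1 argument: traffic_selector_t *ts */` were dropped. Restore those two comments in front of their defines and remove the two stale ones; a wrong argument count here is the kind of note that leads someone to pass the wrong arguments to a custom printf specifier, which the compiler cannot check.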
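Review bot: Defining `LDAP_DEPRECATED 1` in fetcher.c silently opts the whole translation unit into OpenLDAP's deprecated interface without saying which call needs it, so nobody will know when it can be dropped. A one-line comment on the define, `/* needed for the deprecated ldap_* calls used below; migrate to the ldap_*_ext API and remove */`, records the debt; which calls those are is not visible in this hunk, so name them once confirmed.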
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 341af39c0..673cbb828 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -738,8 +738,15 @@ static bool contains_wildcards(private_identification_t *this) */ static bool equals_binary(private_identification_t *this, private_identification_t *other) { - return this->type == other->type && - chunk_equals(this->encoded, other->encoded); + if (this->type == other->type) + { + if (this->type == ID_ANY) + { + return TRUE; + } + return chunk_equals(this->encoded, other->encoded); + } + return FALSE; } /** @@ -956,7 +963,10 @@ static identification_t *clone_(private_identification_t *this) private_identification_t *clone = identification_create(); clone->type = this->type; - clone->encoded = chunk_clone(this->encoded); + if (this->encoded.len) + { + clone->encoded = chunk_clone(this->encoded); + } clone->public.equals = this->public.equals; clone->public.matches = this->public.matches; diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index 8a2bee51f..67396085c 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -127,6 +127,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -139,6 +140,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ 
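Review bot: In clone_, `clone->encoded` is now only assigned when `this->encoded.len` is non-zero, so for an empty encoding the clone's `encoded` keeps whatever identification_create() left there; that is only safe if identification_create() initializes it to chunk_empty, which this hunk does not show. Making the other branch explicit removes the dependency: `clone->encoded = this->encoded.len ? chunk_clone(this->encoded) : chunk_empty;`. Note the condition also skips a zero-length chunk with a non-NULL `ptr`, which then is neither cloned nor freed twice, so the clone deliberately does not share the allocation.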
@@ -149,8 +151,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -172,6 +178,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -181,6 +188,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -194,9 +203,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -211,6 +224,8 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ openac_SOURCES = openac.c build.c build.h loglite.c INCLUDES = \ -I$(top_srcdir)/src/libfreeswan \ diff --git a/src/openac/build.c b/src/openac/build.c index bd3df6fee..0c6a2be3b 100644 --- a/src/openac/build.c +++ b/src/openac/build.c 
@@ -31,212 +31,201 @@ #include "build.h" static u_char ASN1_group_oid_str[] = { - 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04 + 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04 }; static const chunk_t ASN1_group_oid = strchunk(ASN1_group_oid_str); static u_char ASN1_authorityKeyIdentifier_oid_str[] = { - 0x06, 0x03, - 0x55, 0x1d, 0x23 + 0x06, 0x03, + 0x55, 0x1d, 0x23 }; static const chunk_t ASN1_authorityKeyIdentifier_oid = strchunk(ASN1_authorityKeyIdentifier_oid_str); static u_char ASN1_noRevAvail_ext_str[] = { - 0x30, 0x09, - 0x06, 0x03, - 0x55, 0x1d, 0x38, - 0x04, 0x02, - 0x05, 0x00 + 0x30, 0x09, + 0x06, 0x03, + 0x55, 0x1d, 0x38, + 0x04, 0x02, + 0x05, 0x00 }; static const chunk_t ASN1_noRevAvail_ext = strchunk(ASN1_noRevAvail_ext_str); -/* +/** * build directoryName */ -static chunk_t -build_directoryName(asn1_t tag, chunk_t name) +static chunk_t build_directoryName(asn1_t tag, chunk_t name) { - return asn1_wrap(tag, "m" - , asn1_simple_object(ASN1_CONTEXT_C_4, name)); + return asn1_wrap(tag, "m", + asn1_simple_object(ASN1_CONTEXT_C_4, name)); } -/* +/** * build holder */ -static chunk_t -build_holder(void) +static chunk_t build_holder(void) { - return asn1_wrap(ASN1_SEQUENCE, "mm" - , asn1_wrap(ASN1_CONTEXT_C_0, "mm" - , build_directoryName(ASN1_SEQUENCE, user->issuer) - , asn1_simple_object(ASN1_INTEGER, user->serialNumber) - ) - , build_directoryName(ASN1_CONTEXT_C_1, user->subject)); + return asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_CONTEXT_C_0, "mm", + build_directoryName(ASN1_SEQUENCE, user->issuer), + asn1_simple_object(ASN1_INTEGER, user->serialNumber) + ), + build_directoryName(ASN1_CONTEXT_C_1, user->subject)); } -/* +/** * build v2Form */ -static chunk_t -build_v2_form(void) +static chunk_t build_v2_form(void) { - return asn1_wrap(ASN1_CONTEXT_C_0, "m" - , build_directoryName(ASN1_SEQUENCE, signer->subject)); + return asn1_wrap(ASN1_CONTEXT_C_0, "m", + build_directoryName(ASN1_SEQUENCE, signer->subject)); } -/* 
+/** * build attrCertValidityPeriod */ -static chunk_t -build_attr_cert_validity(void) +static chunk_t build_attr_cert_validity(void) { - return asn1_wrap(ASN1_SEQUENCE, "mm" - , timetoasn1(¬Before, ASN1_GENERALIZEDTIME) - , timetoasn1(¬After, ASN1_GENERALIZEDTIME)); + return asn1_wrap(ASN1_SEQUENCE, "mm", + timetoasn1(¬Before, ASN1_GENERALIZEDTIME), + timetoasn1(¬After, ASN1_GENERALIZEDTIME)); } -/* +/** * build attributes */ -static chunk_t -build_ietfAttributes(ietfAttrList_t *list) +static chunk_t build_ietfAttributes(ietfAttrList_t *list) { - chunk_t ietfAttributes; - ietfAttrList_t *item = list; - size_t size = 0; - u_char *pos; - - /* precalculate the total size of all values */ - while (item != NULL) - { - size_t len = item->attr->value.len; - - size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len; - item = item->next; - } - pos = build_asn1_object(&ietfAttributes, ASN1_SEQUENCE, size); - - while (list != NULL) - { - ietfAttr_t *attr = list->attr; - asn1_t type = ASN1_NULL; - - switch (attr->kind) + chunk_t ietfAttributes; + ietfAttrList_t *item = list; + size_t size = 0; + u_char *pos; + + /* precalculate the total size of all values */ + while (item != NULL) { - case IETF_ATTRIBUTE_OCTETS: - type = ASN1_OCTET_STRING; - break; - case IETF_ATTRIBUTE_STRING: - type = ASN1_UTF8STRING; - break; - case IETF_ATTRIBUTE_OID: - type = ASN1_OID; - break; + size_t len = item->attr->value.len; + + size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len; + item = item->next; } - mv_chunk(&pos, asn1_simple_object(type, attr->value)); + pos = build_asn1_object(&ietfAttributes, ASN1_SEQUENCE, size); - list = list->next; - } + while (list != NULL) + { + ietfAttr_t *attr = list->attr; + asn1_t type = ASN1_NULL; + + switch (attr->kind) + { + case IETF_ATTRIBUTE_OCTETS: + type = ASN1_OCTET_STRING; + break; + case IETF_ATTRIBUTE_STRING: + type = ASN1_UTF8STRING; + break; + case IETF_ATTRIBUTE_OID: + type = ASN1_OID; + break; + } + 
mv_chunk(&pos, asn1_simple_object(type, attr->value)); + + list = list->next; + } - return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes); + return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes); } -/* +/** * build attribute type */ -static chunk_t -build_attribute_type(const chunk_t type, chunk_t content) +static chunk_t build_attribute_type(const chunk_t type, chunk_t content) { - return asn1_wrap(ASN1_SEQUENCE, "cm" - , type - , asn1_wrap(ASN1_SET, "m", content)); + return asn1_wrap(ASN1_SEQUENCE, "cm", + type, + asn1_wrap(ASN1_SET, "m", content)); } -/* +/** * build attributes */ -static chunk_t -build_attributes(void) +static chunk_t build_attributes(void) { - return asn1_wrap(ASN1_SEQUENCE, "m" - , build_attribute_type(ASN1_group_oid - , build_ietfAttributes(groups))); + return asn1_wrap(ASN1_SEQUENCE, "m", + build_attribute_type(ASN1_group_oid, + build_ietfAttributes(groups))); } -/* +/** * build authorityKeyIdentifier */ -static chunk_t -build_authorityKeyID(x509cert_t *signer) +static chunk_t build_authorityKeyID(x509cert_t *signer) { - chunk_t keyIdentifier = (signer->subjectKeyID.ptr == NULL) - ? empty_chunk - : asn1_simple_object(ASN1_CONTEXT_S_0 - , signer->subjectKeyID); - - chunk_t authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1 - , signer->issuer); - - chunk_t authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2 - , signer->serialNumber); - - return asn1_wrap(ASN1_SEQUENCE, "cm" - , ASN1_authorityKeyIdentifier_oid - , asn1_wrap(ASN1_OCTET_STRING, "m" - , asn1_wrap(ASN1_SEQUENCE, "mmm" - , keyIdentifier - , authorityCertIssuer - , authorityCertSerialNumber - ) - ) - ); + chunk_t keyIdentifier = (signer->subjectKeyID.ptr == NULL) + ? 
empty_chunk + : asn1_simple_object(ASN1_CONTEXT_S_0, + signer->subjectKeyID); + + chunk_t authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1, + signer->issuer); + + chunk_t authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2, + signer->serialNumber); + + return asn1_wrap(ASN1_SEQUENCE, "cm", + ASN1_authorityKeyIdentifier_oid, + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "mmm", + keyIdentifier, + authorityCertIssuer, + authorityCertSerialNumber + ) + ) + ); } -/* +/** * build extensions */ -static chunk_t -build_extensions(void) +static chunk_t build_extensions(void) { - return asn1_wrap(ASN1_SEQUENCE, "mc" - , build_authorityKeyID(signer) - , ASN1_noRevAvail_ext); + return asn1_wrap(ASN1_SEQUENCE, "mc", + build_authorityKeyID(signer), + ASN1_noRevAvail_ext); } -/* +/** * build attributeCertificateInfo */ -static chunk_t -build_attr_cert_info(void) +static chunk_t build_attr_cert_info(void) { - return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm" - , ASN1_INTEGER_1 - , build_holder() - , build_v2_form() - , ASN1_sha1WithRSA_id - , asn1_simple_object(ASN1_INTEGER, serial) - , build_attr_cert_validity() - , build_attributes() - , build_extensions()); + return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm", + ASN1_INTEGER_1, + build_holder(), + build_v2_form(), + ASN1_sha1WithRSA_id, + asn1_simple_object(ASN1_INTEGER, serial), + build_attr_cert_validity(), + build_attributes(), + build_extensions()); } -/* +/** * build an X.509 attribute certificate */ -chunk_t -build_attr_cert(void) +chunk_t build_attr_cert(void) { - chunk_t attributeCertificateInfo = build_attr_cert_info(); - chunk_t signatureValue = pkcs1_build_signature(attributeCertificateInfo - , OID_SHA1, signerkey, TRUE); - - return asn1_wrap(ASN1_SEQUENCE, "mcm" - , attributeCertificateInfo - , ASN1_sha1WithRSA_id - , signatureValue); + chunk_t attributeCertificateInfo = build_attr_cert_info(); + chunk_t signatureValue = pkcs1_build_signature(attributeCertificateInfo, + OID_SHA1, signerkey, 
TRUE); + + return asn1_wrap(ASN1_SEQUENCE, "mcm", + attributeCertificateInfo, + ASN1_sha1WithRSA_id, + signatureValue); } diff --git a/src/openac/openac.c b/src/openac/openac.c index 00f287b3a..e3f92fbd2 100755 --- a/src/openac/openac.c +++ b/src/openac/openac.c 
@@ -57,107 +57,113 @@ bool pkcs11_keep_state = FALSE; static void usage(const char *mess) { - if (mess != NULL && *mess != '\0') - fprintf(stderr, "%s\n", mess); - fprintf(stderr - , "Usage: openac" - " [--help]" - " [--version]" - " [--optionsfrom ]" - " [--quiet]" + if (mess != NULL && *mess != '\0') + { + fprintf(stderr, "%s\n", mess); + } + fprintf(stderr, "Usage: openac" + " [--help]" + " [--version]" + " [--optionsfrom ]" + " [--quiet]" #ifdef DEBUG - " \\\n\t" - " [--debug-all]" - " [--debug-parsing]" - " [--debug-raw]" - " [--debug-private]" + " \\\n\t" + " [--debug-all]" + " [--debug-parsing]" + " [--debug-raw]" + " [--debug-private]" #endif - " \\\n\t" - " [--days ]" - " [--hours ]" - " \\\n\t" - " [--startdate ]" - " [--enddate ]" - " \\\n\t" - " --cert " - " --key " - " [--password ]" - " \\\n\t" - " --usercert " - " --groups " - " --out " - "\n" - ); - exit(mess == NULL? 0 : 1); + " \\\n\t" + " [--days ]" + " [--hours ]" + " \\\n\t" + " [--startdate ]" + " [--enddate ]" + " \\\n\t" + " --cert " + " --key " + " [--password ]" + " \\\n\t" + " --usercert " + " --groups " + " --out " + "\n" + ); + exit(mess == NULL? 
0 : 1); } -/* +/** * read the last serial number from file */ -static chunk_t -read_serial(void) +static chunk_t read_serial(void) { - MP_INT number; + MP_INT number; - char buf[BUF_LEN]; - char bytes[BUF_LEN]; + char buf[BUF_LEN]; + char bytes[BUF_LEN]; - FILE *fd = fopen(OPENAC_SERIAL, "r"); + FILE *fd = fopen(OPENAC_SERIAL, "r"); - /* serial number defaults to 0 */ - size_t len = 1; - bytes[0] = 0x00; + /* serial number defaults to 0 */ + size_t len = 1; + bytes[0] = 0x00; - if (fd) - { - if (fscanf(fd, "%s", buf)) + if (fd) { - err_t ugh = ttodata(buf, 0, 16, bytes, BUF_LEN, &len); - - if (ugh != NULL) - plog(" error reading serial number from %s: %s" - , OPENAC_SERIAL, ugh); + if (fscanf(fd, "%s", buf)) + { + err_t ugh = ttodata(buf, 0, 16, bytes, BUF_LEN, &len); + + if (ugh != NULL) + { + plog(" error reading serial number from %s: %s" + , OPENAC_SERIAL, ugh); + } + } + fclose(fd); } - fclose(fd); - } - else - plog(" file '%s' does not exist yet - serial number set to 01" + else + { + plog(" file '%s' does not exist yet - serial number set to 01" , OPENAC_SERIAL); + } - /* conversion of read serial number to a multiprecision integer - * and incrementing it by one - * and representing it as a two's complement octet string - */ - n_to_mpz(&number, bytes, len); - mpz_add_ui(&number, &number, 0x01); - serial = mpz_to_n(&number, 1 + mpz_sizeinbase(&number, 2)/BITS_PER_BYTE); - mpz_clear(&number); - - return serial; + /** + * conversion of read serial number to a multiprecision integer + * and incrementing it by one + * and representing it as a two's complement octet string + */ + n_to_mpz(&number, bytes, len); + mpz_add_ui(&number, &number, 0x01); + serial = mpz_to_n(&number, 1 + mpz_sizeinbase(&number, 2)/BITS_PER_BYTE); + mpz_clear(&number); + + return serial; } -/* +/** * write back the last serial number to file */ -static void -write_serial(chunk_t serial) +static void write_serial(chunk_t serial) { - char buf[BUF_LEN]; - - FILE *fd = fopen(OPENAC_SERIAL, 
"w"); - - if (fd) - { - datatot(serial.ptr, serial.len, 16, buf, BUF_LEN); - plog(" serial number is %s", buf); - fprintf(fd, "%s\n", buf); - fclose(fd); - } - else - plog(" could not open file '%s' for writing", OPENAC_SERIAL); + char buf[BUF_LEN]; + + FILE *fd = fopen(OPENAC_SERIAL, "w"); + + if (fd) + { + datatot(serial.ptr, serial.len, 16, buf, BUF_LEN); + plog(" serial number is %s", buf); + fprintf(fd, "%s\n", buf); + fclose(fd); + } + else + { + plog(" could not open file '%s' for writing", OPENAC_SERIAL); + } } -/* +/** * global variables accessible by both main() and build.c */ x509cert_t *user = NULL; 
@@ -171,268 +177,264 @@ time_t notAfter = 0; chunk_t serial; - -int -main(int argc, char **argv) +int main(int argc, char **argv) { - char *keyfile = NULL; - char *certfile = NULL; - char *usercertfile = NULL; - char *outfile = NULL; + char *keyfile = NULL; + char *certfile = NULL; + char *usercertfile = NULL; + char *outfile = NULL; - cert_t signercert = empty_cert; - cert_t usercert = empty_cert; + cert_t signercert = empty_cert; + cert_t usercert = empty_cert; - chunk_t attr_cert = empty_chunk; - x509acert_t *ac = NULL; + chunk_t attr_cert = empty_chunk; + x509acert_t *ac = NULL; - const time_t default_validity = 24*3600; /* 24 hours */ - time_t validity = 0; + const time_t default_validity = 24*3600; /* 24 hours */ + time_t validity = 0; - prompt_pass_t pass; + prompt_pass_t pass; - pass.secret[0] = '\0'; - pass.prompt = TRUE; - pass.fd = STDIN_FILENO; + pass.secret[0] = '\0'; + pass.prompt = TRUE; + pass.fd = STDIN_FILENO; - log_to_stderr = TRUE; + log_to_stderr = TRUE; - /* handle arguments */ - for (;;) - { + /* handle arguments */ + for (;;) + { # define DBG_OFFSET 256 - static const struct option long_opts[] = { - /* name, has_arg, flag, val */ - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, 'v' }, - { "optionsfrom", required_argument, NULL, '+' }, - { "quiet", no_argument, NULL, 'q' }, - { "cert", required_argument, NULL, 'c' }, - { "key", required_argument, NULL, 'k' }, - { "password", required_argument, NULL, 'p' }, - { "usercert", required_argument, NULL, 'u' }, - { "groups", required_argument, NULL, 'g' }, - { "days", required_argument, NULL, 'D' }, - { "hours", required_argument, NULL, 'H' }, - { "startdate", required_argument, NULL, 'S' }, - { "enddate", required_argument, NULL, 'E' }, - { "out", required_argument, NULL, 'o' }, + static const struct option long_opts[] = { + /* name, has_arg, flag, val */ + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'v' }, + { "optionsfrom", required_argument, NULL, 
'+' }, + { "quiet", no_argument, NULL, 'q' }, + { "cert", required_argument, NULL, 'c' }, + { "key", required_argument, NULL, 'k' }, + { "password", required_argument, NULL, 'p' }, + { "usercert", required_argument, NULL, 'u' }, + { "groups", required_argument, NULL, 'g' }, + { "days", required_argument, NULL, 'D' }, + { "hours", required_argument, NULL, 'H' }, + { "startdate", required_argument, NULL, 'S' }, + { "enddate", required_argument, NULL, 'E' }, + { "out", required_argument, NULL, 'o' }, #ifdef DEBUG - { "debug-all", no_argument, NULL, 'A' }, - { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET }, - { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET }, - { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET }, + { "debug-all", no_argument, NULL, 'A' }, + { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET }, + { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET }, + { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET }, #endif - { 0,0,0,0 } - }; + { 0,0,0,0 } + }; - int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:", long_opts, NULL); - - /* Note: "breaking" from case terminates loop */ - switch (c) - { - case EOF: /* end of flags */ - break; - - case 0: /* long option already handled */ - continue; - - case ':': /* diagnostic already printed by getopt_long */ - case '?': /* diagnostic already printed by getopt_long */ - usage(NULL); - break; /* not actually reached */ - - case 'h': /* --help */ - usage(NULL); - break; /* not actually reached */ - - case 'v': /* --version */ - printf("%s\n", openac_version); - exit(0); - break; /* not actually reached */ - - case '+': /* --optionsfrom */ - { - char path[BUF_LEN]; - - if (*optarg == '/') /* absolute pathname */ - strncpy(path, optarg, BUF_LEN); - else /* relative pathname */ - snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg); - optionsfrom(path, &argc, &argv, optind, stderr); - /* does not return on error */ - } - continue; - - case 'q': /* 
--quiet */ - log_to_stderr = TRUE; - continue; - - case 'c': /* --cert */ - certfile = optarg; - continue; - - case 'k': /* --key */ - keyfile = optarg; - continue; - - case 'p': /* --key */ - pass.prompt = FALSE; - strncpy(pass.secret, optarg, sizeof(pass.secret)); - continue; - - case 'u': /* --usercert */ - usercertfile = optarg; - continue; - - case 'g': /* --groups */ - decode_groups(optarg, &groups); - continue; - - case 'D': /* --days */ - if (optarg == NULL || !isdigit(optarg[0])) - usage("missing number of days"); - { - char *endptr; - long days = strtol(optarg, &endptr, 0); - - if (*endptr != '\0' || endptr == optarg - || days <= 0) - usage(" must be a positive number"); - validity += 24*3600*days; - } - continue; - - case 'H': /* --hours */ - if (optarg == NULL || !isdigit(optarg[0])) - usage("missing number of hours"); - { - char *endptr; - long hours = strtol(optarg, &endptr, 0); - - if (*endptr != '\0' || endptr == optarg - || hours <= 0) - usage(" must be a positive number"); - validity += 3600*hours; - } - continue; - - case 'S': /* --startdate */ - if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') - usage("date format must be YYYYMMDDHHMMSSZ"); - { - chunk_t date = { optarg, 15 }; - notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME); - } - continue; - - case 'E': /* --enddate */ - if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') - usage("date format must be YYYYMMDDHHMMSSZ"); - { - chunk_t date = { optarg, 15 }; - notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME); - } - continue; - - case 'o': /* --outt */ - outfile = optarg; - continue ; + int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:", long_opts, NULL); + + /* Note: "breaking" from case terminates loop */ + switch (c) + { + case EOF: /* end of flags */ + break; + + case 0: /* long option already handled */ + continue; + + case ':': /* diagnostic already printed by getopt_long */ + case '?': /* diagnostic already printed by getopt_long */ + 
usage(NULL); + break; /* not actually reached */ + + case 'h': /* --help */ + usage(NULL); + break; /* not actually reached */ + + case 'v': /* --version */ + printf("%s\n", openac_version); + exit(0); + break; /* not actually reached */ + + case '+': /* --optionsfrom */ + { + char path[BUF_LEN]; + + if (*optarg == '/') /* absolute pathname */ + strncpy(path, optarg, BUF_LEN); + else /* relative pathname */ + snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg); + optionsfrom(path, &argc, &argv, optind, stderr); + /* does not return on error */ + } + continue; + + case 'q': /* --quiet */ + log_to_stderr = TRUE; + continue; + + case 'c': /* --cert */ + certfile = optarg; + continue; + + case 'k': /* --key */ + keyfile = optarg; + continue; + + case 'p': /* --key */ + pass.prompt = FALSE; + strncpy(pass.secret, optarg, sizeof(pass.secret)); + continue; + + case 'u': /* --usercert */ + usercertfile = optarg; + continue; + + case 'g': /* --groups */ + decode_groups(optarg, &groups); + continue; + + case 'D': /* --days */ + if (optarg == NULL || !isdigit(optarg[0])) + usage("missing number of days"); + { + char *endptr; + long days = strtol(optarg, &endptr, 0); + + if (*endptr != '\0' || endptr == optarg || days <= 0) + usage(" must be a positive number"); + validity += 24*3600*days; + } + continue; + + case 'H': /* --hours */ + if (optarg == NULL || !isdigit(optarg[0])) + usage("missing number of hours"); + { + char *endptr; + long hours = strtol(optarg, &endptr, 0); + + if (*endptr != '\0' || endptr == optarg || hours <= 0) + usage(" must be a positive number"); + validity += 3600*hours; + } + continue; + + case 'S': /* --startdate */ + if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') + usage("date format must be YYYYMMDDHHMMSSZ"); + { + chunk_t date = { optarg, 15 }; + notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME); + } + continue; + + case 'E': /* --enddate */ + if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') + usage("date 
format must be YYYYMMDDHHMMSSZ"); + { + chunk_t date = { optarg, 15 }; + notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME); + } + continue; + + case 'o': /* --outt */ + outfile = optarg; + continue; #ifdef DEBUG - case 'A': /* --debug-all */ - base_debugging = DBG_ALL; - continue; + case 'A': /* --debug-all */ + base_debugging = DBG_ALL; + continue; #endif - default: + default: #ifdef DEBUG - if (c >= DBG_OFFSET) - { - base_debugging |= c - DBG_OFFSET; - continue; - } + if (c >= DBG_OFFSET) + { + base_debugging |= c - DBG_OFFSET; + continue; + } #undef DBG_OFFSET #endif - bad_case(c); + bad_case(c); + } + break; } - break; - } - init_log("openac"); - cur_debugging = base_debugging; + init_log("openac"); + cur_debugging = base_debugging; - if (optind != argc) - usage("unexpected argument"); + if (optind != argc) + usage("unexpected argument"); - /* load the signer's RSA private key */ - if (keyfile != NULL) - { - err_t ugh = NULL; + /* load the signer's RSA private key */ + if (keyfile != NULL) + { + err_t ugh = NULL; + + signerkey = alloc_thing(RSA_private_key_t, "RSA private key"); + ugh = load_rsa_private_key(keyfile, &pass, signerkey); + + if (ugh != NULL) + { + free_RSA_private_content(signerkey); + pfree(signerkey); + plog("%s", ugh); + exit(1); + } + } - signerkey = alloc_thing(RSA_private_key_t, "RSA private key"); - ugh = load_rsa_private_key(keyfile, &pass, signerkey); + /* load the signer's X.509 certificate */ + if (certfile != NULL) + { + if (!load_cert(certfile, "signer cert", &signercert)) + exit(1); + signer = signercert.u.x509; + } - if (ugh != NULL) + /* load the users's X.509 certificate */ + if (usercertfile != NULL) { - free_RSA_private_content(signerkey); - pfree(signerkey); - plog("%s", ugh); - exit(1); + if (!load_cert(usercertfile, "user cert", &usercert)) + exit(1); + user = usercert.u.x509; } - } - - /* load the signer's X.509 certificate */ - if (certfile != NULL) - { - if (!load_cert(certfile, "signer cert", &signercert)) - exit(1); - 
signer = signercert.u.x509; - } - - /* load the users's X.509 certificate */ - if (usercertfile != NULL) - { - if (!load_cert(usercertfile, "user cert", &usercert)) - exit(1); - user = usercert.u.x509; - } - - /* compute validity interval */ - validity = (validity)? validity : default_validity; - notBefore = (notBefore) ? notBefore : time(NULL); - notAfter = (notAfter) ? notAfter : notBefore + validity; - - /* build and parse attribute certificate */ - if (user != NULL && signer != NULL && signerkey != NULL) - { - /* read the serial number and increment it by one */ - serial = read_serial(); - - attr_cert = build_attr_cert(); - ac = alloc_thing(x509acert_t, "x509acert"); - *ac = empty_ac; - parse_ac(attr_cert, ac); + + /* compute validity interval */ + validity = (validity)? validity : default_validity; + notBefore = (notBefore) ? notBefore : time(NULL); + notAfter = (notAfter) ? notAfter : notBefore + validity; + + /* build and parse attribute certificate */ + if (user != NULL && signer != NULL && signerkey != NULL) + { + /* read the serial number and increment it by one */ + serial = read_serial(); + + attr_cert = build_attr_cert(); + ac = alloc_thing(x509acert_t, "x509acert"); + *ac = empty_ac; + parse_ac(attr_cert, ac); - /* write the attribute certificate to file */ - if (write_chunk(outfile, "attribute cert", attr_cert, 0022, TRUE)) - write_serial(serial); - } - - /* delete all dynamic objects */ - if (signerkey != NULL) - { - free_RSA_private_content(signerkey); - pfree(signerkey); - } - free_x509cert(signercert.u.x509); - free_x509cert(usercert.u.x509); - free_ietfAttrList(groups); - free_acert(ac); - pfree(serial.ptr); + /* write the attribute certificate to file */ + if (write_chunk(outfile, "attribute cert", attr_cert, 0022, TRUE)) + write_serial(serial); + } + + /* delete all dynamic objects */ + if (signerkey != NULL) + { + free_RSA_private_content(signerkey); + pfree(signerkey); + } + free_x509cert(signercert.u.x509); + free_x509cert(usercert.u.x509); 
+ free_ietfAttrList(groups); + free_acert(ac); + pfree(serial.ptr); #ifdef LEAK_DETECTIVE - report_leaks(); + report_leaks(); #endif /* LEAK_DETECTIVE */ - close_log(); - exit(0); + close_log(); + exit(0); } diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index b1b848c76..7dd5f422b 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -64,12 +64,12 @@ xauth.c xauth.h \ x509.c x509.h \ alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \ alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \ -linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h _pluto_adns_SOURCES = adns.c adns.h INCLUDES = \ +-I${linuxdir} \ -I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/libcrypto \ -I$(top_srcdir)/src/whack @@ -137,4 +137,5 @@ install-exec-local : mkdir -p -m 755 $(confdir)/ipsec.d/crls mkdir -p -m 755 $(confdir)/ipsec.d/reqs mkdir -p -m 700 $(confdir)/ipsec.d/private + chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 1f996a065..e164717a9 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -164,6 +164,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -176,6 +177,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ 
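Review bot: In `case 'p'` the rewritten `strncpy(pass.secret, optarg, sizeof(pass.secret));` still leaves `pass.secret` without a terminator when the argument fills the buffer, and the short option is spelled `p;` in the getopt string, which — unless the `;` is deliberate — makes `-p` take no argument and hands a NULL `optarg` to that strncpy; I would write `"hv+:qc:k:p:u:g:D:H:S:E:o:"` and add `pass.secret[sizeof(pass.secret) - 1] = '\0';` after the copy. The same unterminated-copy pattern is in `case '+'` (`strncpy(path, optarg, BUF_LEN)`), where an `snprintf(path, BUF_LEN, "%s", optarg)` would be safer. `case 'q'` sets `log_to_stderr = TRUE`, which looks inverted for `--quiet`; if quiet is meant to silence stderr it should be `log_to_stderr = FALSE;`. It is also worth a comment on `--password` that the secret is visible in the process list while openac runs, so the prompt path (default) is preferable on shared hosts. The `--days`/`--hours` and `--startdate`/`--enddate` paths never check that the resulting `notAfter` is later than `notBefore`, so an inverted interval is signed without complaint.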
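Review bot: The added `chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d` recursively reassigns ownership of everything already under the configuration directory on every install, including private keys an administrator placed in `ipsec.d/private` with their own ownership, and it runs even when `ipsecuid`/`ipsecgid` are unset, in which case the command degrades to `chown -R :` with behaviour that depends on the chown implementation. I would guard it and restrict it to the directories this target creates, e.g. `test -z "$(ipsecuid)" || chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d/private`. A short comment stating why the daemon user must own the tree (presumably for a non-root charon/pluto) would help the next maintainer decide whether `-R` is actually required. The `install-exec-local` target starts outside the hunk.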
@@ -186,8 +188,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -209,6 +215,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -218,6 +225,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -231,9 +240,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -248,6 +261,8 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ pluto_SOURCES = \ ac.c ac.h \ alg_info.c alg_info.h \ 
@@ -308,11 +323,11 @@ xauth.c xauth.h \ x509.c x509.h \ alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \ alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \ -linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h _pluto_adns_SOURCES = adns.c adns.h INCLUDES = \ +-I${linuxdir} \ -I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/libcrypto \ -I$(top_srcdir)/src/whack @@ -873,6 +888,7 @@ install-exec-local : mkdir -p -m 755 $(confdir)/ipsec.d/crls mkdir -p -m 755 $(confdir)/ipsec.d/reqs mkdir -p -m 700 $(confdir)/ipsec.d/private + chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/pluto/crl.c b/src/pluto/crl.c index 05e8d1402..dc8932769 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c @@ -121,6 +121,7 @@ const x509crl_t empty_x509crl = { /* extnValue */ { NULL, 0 } , /* authKeyID */ { NULL, 0 } , /* authKeySerialNumber */ + { NULL, 0 } , /* crlNumber */ OID_UNKNOWN , /* algorithm */ { NULL, 0 } /* signature */ }; @@ -491,6 +492,12 @@ parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl) parse_authorityKeyIdentifier(object, level , &crl->authKeyID, &crl->authKeySerialNumber); } + else if (extn_oid == OID_CRL_NUMBER) + { + if (!parse_asn1_simple_object(&object, ASN1_INTEGER, level, "crlNumber")) + return FALSE; + crl->crlNumber = object; + } } break; case CRL_OBJ_ALGORITHM: @@ -735,7 +742,12 @@ list_crls(bool utc, bool strict) timetoa(&crl->installed, utc), revoked); dntoa(buf, BUF_LEN, crl->issuer); whack_log(RC_COMMENT, " issuer: '%s'", buf); - + if (crl->crlNumber.ptr != NULL) + { + datatot(crl->crlNumber.ptr, crl->crlNumber.len, ':' + , buf, BUF_LEN); + whack_log(RC_COMMENT, " crlnumber: %s", buf); + } list_distribution_points(crl->distributionPoints); whack_log(RC_COMMENT, " updates: this %s", 
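Review bot: The new `crl->crlNumber = object;` in `parse_x509crl` stores a chunk that still points into the DER blob being parsed, and the hunk adds no length check, so an INTEGER of arbitrary size is accepted where RFC 5280 §5.2.3 limits the CRL number to 20 octets; I would reject anything longer, e.g. `if (object.len == 0 || object.len > 21) return FALSE;` (21 allowing for a leading zero byte), and document that the chunk aliases the CRL blob rather than owning memory. As written the number is only printed in `list_crls`; if the intent is to stop an older CRL from replacing a newer one, the comparison belongs where a CRL is installed, which is outside this hunk. A one-line comment such as `/* crlNumber points into the CRL blob; valid only while the blob lives */` above the assignment would prevent a later free_crl from trying to release it.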
diff --git a/src/pluto/crl.h b/src/pluto/crl.h index 9f985b6cd..328539770 100644 --- a/src/pluto/crl.h +++ b/src/pluto/crl.h @@ -52,6 +52,7 @@ struct x509crl { /* extnValue */ chunk_t authKeyID; chunk_t authKeySerialNumber; + chunk_t crlNumber; /* signatureAlgorithm */ int algorithm; diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c index e3e56d3a8..8f48152f6 100644 --- a/src/pluto/fetch.c +++ b/src/pluto/fetch.c @@ -32,6 +32,9 @@ #include #ifdef LIBLDAP +#ifndef LDAP_DEPRECATED +#define LDAP_DEPRECATED 1 +#endif #include #endif diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c index 1947ddbac..9b9d7b9ed 100644 --- a/src/pluto/kernel_netlink.c +++ b/src/pluto/kernel_netlink.c @@ -24,10 +24,10 @@ #include #include #include +#include +#include #include "kameipsec.h" -#include "linux26/rtnetlink.h" -#include "linux26/xfrm.h" #include #include diff --git a/src/pluto/keys.c b/src/pluto/keys.c index eed81230f..1efe85228 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -647,7 +647,7 @@ xauth_get_secret(xauth_t *xauth_secret) * find a matching secret */ static bool -xauth_verify_secret(const xauth_t *xauth_secret) +xauth_verify_secret(const char *conn_name, const xauth_t *xauth_secret) { bool found = FALSE; secret_t *s; diff --git a/src/pluto/linux26/netlink.h b/src/pluto/linux26/netlink.h deleted file mode 100644 index 6b0896da6..000000000 --- a/src/pluto/linux26/netlink.h +++ /dev/null 
@@ -1,90 +0,0 @@ -#ifndef __LINUX_NETLINK_H -#define __LINUX_NETLINK_H - -#include -#include /* for sa_family_t */ - -#define NETLINK_ROUTE 0 /* Routing/device hook */ -#define NETLINK_SKIP 1 /* Reserved for ENskip */ -#define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */ -#define NETLINK_FIREWALL 3 /* Firewalling hook */ -#define NETLINK_TCPDIAG 4 /* TCP socket monitoring */ -#define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */ -#define NETLINK_XFRM 6 /* ipsec */ -#define NETLINK_ARPD 8 -#define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */ -#define NETLINK_IP6_FW 13 -#define NETLINK_DNRTMSG 14 /* DECnet routing messages */ -#define NETLINK_TAPBASE 16 /* 16 to 31 are ethertap */ - -#define MAX_LINKS 32 - -struct sockaddr_nl -{ - sa_family_t nl_family; /* AF_NETLINK */ - unsigned short nl_pad; /* zero */ - uint32_t nl_pid; /* process pid */ - uint32_t nl_groups; /* multicast groups mask */ -}; - -struct nlmsghdr -{ - uint32_t nlmsg_len; /* Length of message including header */ - uint16_t nlmsg_type; /* Message content */ - uint16_t nlmsg_flags; /* Additional flags */ - uint32_t nlmsg_seq; /* Sequence number */ - uint32_t nlmsg_pid; /* Sending process PID */ -}; - -/* Flags values */ - -#define NLM_F_REQUEST 1 /* It is request message. 
*/ -#define NLM_F_MULTI 2 /* Multipart message, terminated by NLMSG_DONE */ -#define NLM_F_ACK 4 /* Reply with ack, with zero or error code */ -#define NLM_F_ECHO 8 /* Echo this request */ - -/* Modifiers to GET request */ -#define NLM_F_ROOT 0x100 /* specify tree root */ -#define NLM_F_MATCH 0x200 /* return all matching */ -#define NLM_F_ATOMIC 0x400 /* atomic GET */ -#define NLM_F_DUMP (NLM_F_ROOT|NLM_F_MATCH) - -/* Modifiers to NEW request */ -#define NLM_F_REPLACE 0x100 /* Override existing */ -#define NLM_F_EXCL 0x200 /* Do not touch, if it exists */ -#define NLM_F_CREATE 0x400 /* Create, if it does not exist */ -#define NLM_F_APPEND 0x800 /* Add to end of list */ - -/* - 4.4BSD ADD NLM_F_CREATE|NLM_F_EXCL - 4.4BSD CHANGE NLM_F_REPLACE - - True CHANGE NLM_F_CREATE|NLM_F_REPLACE - Append NLM_F_CREATE - Check NLM_F_EXCL - */ - -#define NLMSG_ALIGNTO 4 -#define NLMSG_ALIGN(len) ( ((len)+NLMSG_ALIGNTO-1) & ~(NLMSG_ALIGNTO-1) ) -#define NLMSG_LENGTH(len) ((len)+NLMSG_ALIGN(sizeof(struct nlmsghdr))) -#define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len)) -#define NLMSG_DATA(nlh) ((void*)(((char*)nlh) + NLMSG_LENGTH(0))) -#define NLMSG_NEXT(nlh,len) ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \ - (struct nlmsghdr*)(((char*)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len))) -#define NLMSG_OK(nlh,len) ((len) > 0 && (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \ - (nlh)->nlmsg_len <= (len)) -#define NLMSG_PAYLOAD(nlh,len) ((nlh)->nlmsg_len - NLMSG_SPACE((len))) - -#define NLMSG_NOOP 0x1 /* Nothing. */ -#define NLMSG_ERROR 0x2 /* Error */ -#define NLMSG_DONE 0x3 /* End of a dump */ -#define NLMSG_OVERRUN 0x4 /* Data lost */ - -struct nlmsgerr -{ - int error; - struct nlmsghdr msg; -}; - -#define NET_MAJOR 36 /* Major 36 is reserved for networking */ -#endif /* __LINUX_NETLINK_H */ diff --git a/src/pluto/linux26/rtnetlink.h b/src/pluto/linux26/rtnetlink.h deleted file mode 100644 index 341bc1f86..000000000 --- a/src/pluto/linux26/rtnetlink.h +++ /dev/null 
@@ -1,562 +0,0 @@ -#ifndef __LINUX_RTNETLINK_H -#define __LINUX_RTNETLINK_H - -#include "netlink.h" -#include - -#define RTNL_DEBUG 1 - - -/**** - * Routing/neighbour discovery messages. - ****/ - -/* Types of messages */ - -#define RTM_BASE 0x10 - -#define RTM_NEWLINK (RTM_BASE+0) -#define RTM_DELLINK (RTM_BASE+1) -#define RTM_GETLINK (RTM_BASE+2) -#define RTM_SETLINK (RTM_BASE+3) - -#define RTM_NEWADDR (RTM_BASE+4) -#define RTM_DELADDR (RTM_BASE+5) -#define RTM_GETADDR (RTM_BASE+6) - -#define RTM_NEWROUTE (RTM_BASE+8) -#define RTM_DELROUTE (RTM_BASE+9) -#define RTM_GETROUTE (RTM_BASE+10) - -#define RTM_NEWNEIGH (RTM_BASE+12) -#define RTM_DELNEIGH (RTM_BASE+13) -#define RTM_GETNEIGH (RTM_BASE+14) - -#define RTM_NEWRULE (RTM_BASE+16) -#define RTM_DELRULE (RTM_BASE+17) -#define RTM_GETRULE (RTM_BASE+18) - -#define RTM_NEWQDISC (RTM_BASE+20) -#define RTM_DELQDISC (RTM_BASE+21) -#define RTM_GETQDISC (RTM_BASE+22) - -#define RTM_NEWTCLASS (RTM_BASE+24) -#define RTM_DELTCLASS (RTM_BASE+25) -#define RTM_GETTCLASS (RTM_BASE+26) - -#define RTM_NEWTFILTER (RTM_BASE+28) -#define RTM_DELTFILTER (RTM_BASE+29) -#define RTM_GETTFILTER (RTM_BASE+30) - -#define RTM_MAX (RTM_BASE+31) - -/* - Generic structure for encapsulation optional route information. - It is reminiscent of sockaddr, but with sa_family replaced - with attribute type. 
- */ - -struct rtattr -{ - unsigned short rta_len; - unsigned short rta_type; -}; - -/* Macros to handle rtattributes */ - -#define RTA_ALIGNTO 4 -#define RTA_ALIGN(len) ( ((len)+RTA_ALIGNTO-1) & ~(RTA_ALIGNTO-1) ) -#define RTA_OK(rta,len) ((len) > 0 && (rta)->rta_len >= sizeof(struct rtattr) && \ - (rta)->rta_len <= (len)) -#define RTA_NEXT(rta,attrlen) ((attrlen) -= RTA_ALIGN((rta)->rta_len), \ - (struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len))) -#define RTA_LENGTH(len) (RTA_ALIGN(sizeof(struct rtattr)) + (len)) -#define RTA_SPACE(len) RTA_ALIGN(RTA_LENGTH(len)) -#define RTA_DATA(rta) ((void*)(((char*)(rta)) + RTA_LENGTH(0))) -#define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0)) - - - - -/****************************************************************************** - * Definitions used in routing table administation. - ****/ - -struct rtmsg -{ - unsigned char rtm_family; - unsigned char rtm_dst_len; - unsigned char rtm_src_len; - unsigned char rtm_tos; - - unsigned char rtm_table; /* Routing table id */ - unsigned char rtm_protocol; /* Routing protocol; see below */ - unsigned char rtm_scope; /* See below */ - unsigned char rtm_type; /* See below */ - - unsigned rtm_flags; -}; - -/* rtm_type */ - -enum -{ - RTN_UNSPEC, - RTN_UNICAST, /* Gateway or direct route */ - RTN_LOCAL, /* Accept locally */ - RTN_BROADCAST, /* Accept locally as broadcast, - send as broadcast */ - RTN_ANYCAST, /* Accept locally as broadcast, - but send as unicast */ - RTN_MULTICAST, /* Multicast route */ - RTN_BLACKHOLE, /* Drop */ - RTN_UNREACHABLE, /* Destination is unreachable */ - RTN_PROHIBIT, /* Administratively prohibited */ - RTN_THROW, /* Not in this table */ - RTN_NAT, /* Translate this address */ - RTN_XRESOLVE, /* Use external resolver */ -}; - -#define RTN_MAX RTN_XRESOLVE - - -/* rtm_protocol */ - -#define RTPROT_UNSPEC 0 -#define RTPROT_REDIRECT 1 /* Route installed by ICMP redirects; - not used by current IPv4 */ -#define RTPROT_KERNEL 2 /* Route 
installed by kernel */ -#define RTPROT_BOOT 3 /* Route installed during boot */ -#define RTPROT_STATIC 4 /* Route installed by administrator */ - -/* Values of protocol >= RTPROT_STATIC are not interpreted by kernel; - they just passed from user and back as is. - It will be used by hypothetical multiple routing daemons. - Note that protocol values should be standardized in order to - avoid conflicts. - */ - -#define RTPROT_GATED 8 /* Apparently, GateD */ -#define RTPROT_RA 9 /* RDISC/ND router advertisments */ -#define RTPROT_MRT 10 /* Merit MRT */ -#define RTPROT_ZEBRA 11 /* Zebra */ -#define RTPROT_BIRD 12 /* BIRD */ -#define RTPROT_DNROUTED 13 /* DECnet routing daemon */ - -/* rtm_scope - - Really it is not scope, but sort of distance to the destination. - NOWHERE are reserved for not existing destinations, HOST is our - local addresses, LINK are destinations, located on directly attached - link and UNIVERSE is everywhere in the Universe. - - Intermediate values are also possible f.e. interior routes - could be assigned a value between UNIVERSE and LINK. 
-*/ - -enum rt_scope_t -{ - RT_SCOPE_UNIVERSE=0, -/* User defined values */ - RT_SCOPE_SITE=200, - RT_SCOPE_LINK=253, - RT_SCOPE_HOST=254, - RT_SCOPE_NOWHERE=255 -}; - -/* rtm_flags */ - -#define RTM_F_NOTIFY 0x100 /* Notify user of route change */ -#define RTM_F_CLONED 0x200 /* This route is cloned */ -#define RTM_F_EQUALIZE 0x400 /* Multipath equalizer: NI */ - -/* Reserved table identifiers */ - -enum rt_class_t -{ - RT_TABLE_UNSPEC=0, -/* User defined values */ - RT_TABLE_DEFAULT=253, - RT_TABLE_MAIN=254, - RT_TABLE_LOCAL=255 -}; -#define RT_TABLE_MAX RT_TABLE_LOCAL - - - -/* Routing message attributes */ - -enum rtattr_type_t -{ - RTA_UNSPEC, - RTA_DST, - RTA_SRC, - RTA_IIF, - RTA_OIF, - RTA_GATEWAY, - RTA_PRIORITY, - RTA_PREFSRC, - RTA_METRICS, - RTA_MULTIPATH, - RTA_PROTOINFO, - RTA_FLOW, - RTA_CACHEINFO, - RTA_SESSION, -}; - -#define RTA_MAX RTA_SESSION - -#define RTM_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct rtmsg)))) -#define RTM_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct rtmsg)) - -/* RTM_MULTIPATH --- array of struct rtnexthop. - * - * "struct rtnexthop" describres all necessary nexthop information, - * i.e. parameters of path to a destination via this nextop. - * - * At the moment it is impossible to set different prefsrc, mtu, window - * and rtt for different paths from multipath. 
- */ - -struct rtnexthop -{ - unsigned short rtnh_len; - unsigned char rtnh_flags; - unsigned char rtnh_hops; - int rtnh_ifindex; -}; - -/* rtnh_flags */ - -#define RTNH_F_DEAD 1 /* Nexthop is dead (used by multipath) */ -#define RTNH_F_PERVASIVE 2 /* Do recursive gateway lookup */ -#define RTNH_F_ONLINK 4 /* Gateway is forced on link */ - -/* Macros to handle hexthops */ - -#define RTNH_ALIGNTO 4 -#define RTNH_ALIGN(len) ( ((len)+RTNH_ALIGNTO-1) & ~(RTNH_ALIGNTO-1) ) -#define RTNH_OK(rtnh,len) ((rtnh)->rtnh_len >= sizeof(struct rtnexthop) && \ - ((int)(rtnh)->rtnh_len) <= (len)) -#define RTNH_NEXT(rtnh) ((struct rtnexthop*)(((char*)(rtnh)) + RTNH_ALIGN((rtnh)->rtnh_len))) -#define RTNH_LENGTH(len) (RTNH_ALIGN(sizeof(struct rtnexthop)) + (len)) -#define RTNH_SPACE(len) RTNH_ALIGN(RTNH_LENGTH(len)) -#define RTNH_DATA(rtnh) ((struct rtattr*)(((char*)(rtnh)) + RTNH_LENGTH(0))) - -/* RTM_CACHEINFO */ - -struct rta_cacheinfo -{ - uint32_t rta_clntref; - uint32_t rta_lastuse; - int32_t rta_expires; - uint32_t rta_error; - uint32_t rta_used; - -#define RTNETLINK_HAVE_PEERINFO 1 - uint32_t rta_id; - uint32_t rta_ts; - uint32_t rta_tsage; -}; - -/* RTM_METRICS --- array of struct rtattr with types of RTAX_* */ - -enum -{ - RTAX_UNSPEC, -#define RTAX_UNSPEC RTAX_UNSPEC - RTAX_LOCK, -#define RTAX_LOCK RTAX_LOCK - RTAX_MTU, -#define RTAX_MTU RTAX_MTU - RTAX_WINDOW, -#define RTAX_WINDOW RTAX_WINDOW - RTAX_RTT, -#define RTAX_RTT RTAX_RTT - RTAX_RTTVAR, -#define RTAX_RTTVAR RTAX_RTTVAR - RTAX_SSTHRESH, -#define RTAX_SSTHRESH RTAX_SSTHRESH - RTAX_CWND, -#define RTAX_CWND RTAX_CWND - RTAX_ADVMSS, -#define RTAX_ADVMSS RTAX_ADVMSS - RTAX_REORDERING, -#define RTAX_REORDERING RTAX_REORDERING -}; - -#define RTAX_MAX RTAX_REORDERING - -struct rta_session -{ - uint8_t proto; - - union { - struct { - uint16_t sport; - uint16_t dport; - } ports; - - struct { - uint8_t type; - uint8_t code; - uint16_t ident; - } icmpt; - - uint32_t spi; - } u; -}; - - 
-/********************************************************* - * Interface address. - ****/ - -struct ifaddrmsg -{ - unsigned char ifa_family; - unsigned char ifa_prefixlen; /* The prefix length */ - unsigned char ifa_flags; /* Flags */ - unsigned char ifa_scope; /* See above */ - int ifa_index; /* Link index */ -}; - -enum -{ - IFA_UNSPEC, - IFA_ADDRESS, - IFA_LOCAL, - IFA_LABEL, - IFA_BROADCAST, - IFA_ANYCAST, - IFA_CACHEINFO -}; - -#define IFA_MAX IFA_CACHEINFO - -/* ifa_flags */ - -#define IFA_F_SECONDARY 0x01 -#define IFA_F_TEMPORARY IFA_F_SECONDARY - -#define IFA_F_DEPRECATED 0x20 -#define IFA_F_TENTATIVE 0x40 -#define IFA_F_PERMANENT 0x80 - -struct ifa_cacheinfo -{ - int32_t ifa_prefered; - int32_t ifa_valid; -}; - - -#define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg)))) -#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg)) - -/* - Important comment: - IFA_ADDRESS is prefix address, rather than local interface address. - It makes no difference for normally configured broadcast interfaces, - but for point-to-point IFA_ADDRESS is DESTINATION address, - local address is supplied in IFA_LOCAL attribute. - */ - -/************************************************************** - * Neighbour discovery. - ****/ - -struct ndmsg -{ - unsigned char ndm_family; - unsigned char ndm_pad1; - unsigned short ndm_pad2; - int ndm_ifindex; /* Link index */ - uint16_t ndm_state; - uint8_t ndm_flags; - uint8_t ndm_type; -}; - -enum -{ - NDA_UNSPEC, - NDA_DST, - NDA_LLADDR, - NDA_CACHEINFO -}; - -#define NDA_MAX NDA_CACHEINFO - -#define NDA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg)))) -#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg)) - -/* - * Neighbor Cache Entry Flags - */ - -#define NTF_PROXY 0x08 /* == ATF_PUBL */ -#define NTF_ROUTER 0x80 - -/* - * Neighbor Cache Entry States. 
- */ - -#define NUD_INCOMPLETE 0x01 -#define NUD_REACHABLE 0x02 -#define NUD_STALE 0x04 -#define NUD_DELAY 0x08 -#define NUD_PROBE 0x10 -#define NUD_FAILED 0x20 - -/* Dummy states */ -#define NUD_NOARP 0x40 -#define NUD_PERMANENT 0x80 -#define NUD_NONE 0x00 - - -struct nda_cacheinfo -{ - uint32_t ndm_confirmed; - uint32_t ndm_used; - uint32_t ndm_updated; - uint32_t ndm_refcnt; -}; - -/**** - * General form of address family dependent message. - ****/ - -struct rtgenmsg -{ - unsigned char rtgen_family; -}; - -/***************************************************************** - * Link layer specific messages. - ****/ - -/* struct ifinfomsg - * passes link level specific information, not dependent - * on network protocol. - */ - -struct ifinfomsg -{ - unsigned char ifi_family; - unsigned char __ifi_pad; - unsigned short ifi_type; /* ARPHRD_* */ - int ifi_index; /* Link index */ - unsigned ifi_flags; /* IFF_* flags */ - unsigned ifi_change; /* IFF_* change mask */ -}; - -enum -{ - IFLA_UNSPEC, - IFLA_ADDRESS, - IFLA_BROADCAST, - IFLA_IFNAME, - IFLA_MTU, - IFLA_LINK, - IFLA_QDISC, - IFLA_STATS, - IFLA_COST, -#define IFLA_COST IFLA_COST - IFLA_PRIORITY, -#define IFLA_PRIORITY IFLA_PRIORITY - IFLA_MASTER, -#define IFLA_MASTER IFLA_MASTER - IFLA_WIRELESS, /* Wireless Extension event - see wireless.h */ -#define IFLA_WIRELESS IFLA_WIRELESS -}; - - -#define IFLA_MAX IFLA_WIRELESS - -#define IFLA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg)))) -#define IFLA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg)) - -/* ifi_flags. - - IFF_* flags. - - The only change is: - IFF_LOOPBACK, IFF_BROADCAST and IFF_POINTOPOINT are - more not changeable by user. They describe link media - characteristics and set by device driver. - - Comments: - - Combination IFF_BROADCAST|IFF_POINTOPOINT is invalid - - If neiher of these three flags are set; - the interface is NBMA. 
- - - IFF_MULTICAST does not mean anything special: - multicasts can be used on all not-NBMA links. - IFF_MULTICAST means that this media uses special encapsulation - for multicast frames. Apparently, all IFF_POINTOPOINT and - IFF_BROADCAST devices are able to use multicasts too. - */ - -/* IFLA_LINK. - For usual devices it is equal ifi_index. - If it is a "virtual interface" (f.e. tunnel), ifi_link - can point to real physical interface (f.e. for bandwidth calculations), - or maybe 0, what means, that real media is unknown (usual - for IPIP tunnels, when route to endpoint is allowed to change) - */ - -/***************************************************************** - * Traffic control messages. - ****/ - -struct tcmsg -{ - unsigned char tcm_family; - unsigned char tcm__pad1; - unsigned short tcm__pad2; - int tcm_ifindex; - uint32_t tcm_handle; - uint32_t tcm_parent; - uint32_t tcm_info; -}; - -enum -{ - TCA_UNSPEC, - TCA_KIND, - TCA_OPTIONS, - TCA_STATS, - TCA_XSTATS, - TCA_RATE, -}; - -#define TCA_MAX TCA_RATE - -#define TCA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcmsg)))) -#define TCA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcmsg)) - - -/* SUMMARY: maximal rtattr understood by kernel */ - -#define RTATTR_MAX RTA_MAX - -/* RTnetlink multicast groups */ - -#define RTMGRP_LINK 1 -#define RTMGRP_NOTIFY 2 -#define RTMGRP_NEIGH 4 -#define RTMGRP_TC 8 - -#define RTMGRP_IPV4_IFADDR 0x10 -#define RTMGRP_IPV4_MROUTE 0x20 -#define RTMGRP_IPV4_ROUTE 0x40 - -#define RTMGRP_IPV6_IFADDR 0x100 -#define RTMGRP_IPV6_MROUTE 0x200 -#define RTMGRP_IPV6_ROUTE 0x400 - -#define RTMGRP_DECnet_IFADDR 0x1000 -#define RTMGRP_DECnet_ROUTE 0x4000 - -/* End of information exported to user level */ - -#endif /* __LINUX_RTNETLINK_H */ diff --git a/src/pluto/linux26/xfrm.h b/src/pluto/linux26/xfrm.h deleted file mode 100644 index 4269ae29b..000000000 --- a/src/pluto/linux26/xfrm.h +++ /dev/null 
@@ -1,233 +0,0 @@ -#ifndef _LINUX_XFRM_H -#define _LINUX_XFRM_H - -#include - -/* All of the structures in this file may not change size as they are - * passed into the kernel from userspace via netlink sockets. - */ - -/* Structure to encapsulate addresses. I do not want to use - * "standard" structure. My apologies. - */ -typedef union -{ - uint32_t a4; - uint32_t a6[4]; -} xfrm_address_t; - -/* Ident of a specific xfrm_state. It is used on input to lookup - * the state by (spi,daddr,ah/esp) or to store information about - * spi, protocol and tunnel address on output. - */ -struct xfrm_id -{ - xfrm_address_t daddr; - uint32_t spi; - uint8_t proto; -}; - -/* Selector, used as selector both on policy rules (SPD) and SAs. */ - -struct xfrm_selector -{ - xfrm_address_t daddr; - xfrm_address_t saddr; - uint16_t dport; - uint16_t dport_mask; - uint16_t sport; - uint16_t sport_mask; - uint16_t family; - uint8_t prefixlen_d; - uint8_t prefixlen_s; - uint8_t proto; - int ifindex; - uid_t user; -}; - -#define XFRM_INF (~(uint64_t)0) - -struct xfrm_lifetime_cfg -{ - uint64_t soft_byte_limit; - uint64_t hard_byte_limit; - uint64_t soft_packet_limit; - uint64_t hard_packet_limit; - uint64_t soft_add_expires_seconds; - uint64_t hard_add_expires_seconds; - uint64_t soft_use_expires_seconds; - uint64_t hard_use_expires_seconds; -}; - -struct xfrm_lifetime_cur -{ - uint64_t bytes; - uint64_t packets; - uint64_t add_time; - uint64_t use_time; -}; - -struct xfrm_replay_state -{ - uint32_t oseq; - uint32_t seq; - uint32_t bitmap; -}; - -struct xfrm_algo { - char alg_name[64]; - int alg_key_len; /* in bits */ - char alg_key[0]; -}; - -struct xfrm_stats { - uint32_t replay_window; - uint32_t replay; - uint32_t integrity_failed; -}; - -enum -{ - XFRM_POLICY_IN = 0, - XFRM_POLICY_OUT = 1, - XFRM_POLICY_FWD = 2, - XFRM_POLICY_MAX = 3 -}; - -enum -{ - XFRM_SHARE_ANY, /* No limitations */ - XFRM_SHARE_SESSION, /* For this session only */ - XFRM_SHARE_USER, /* For this user only */ - 
XFRM_SHARE_UNIQUE /* Use once */ -}; - -/* Netlink configuration messages. */ -#define XFRM_MSG_BASE 0x10 - -#define XFRM_MSG_NEWSA (XFRM_MSG_BASE + 0) -#define XFRM_MSG_DELSA (XFRM_MSG_BASE + 1) -#define XFRM_MSG_GETSA (XFRM_MSG_BASE + 2) - -#define XFRM_MSG_NEWPOLICY (XFRM_MSG_BASE + 3) -#define XFRM_MSG_DELPOLICY (XFRM_MSG_BASE + 4) -#define XFRM_MSG_GETPOLICY (XFRM_MSG_BASE + 5) - -#define XFRM_MSG_ALLOCSPI (XFRM_MSG_BASE + 6) -#define XFRM_MSG_ACQUIRE (XFRM_MSG_BASE + 7) -#define XFRM_MSG_EXPIRE (XFRM_MSG_BASE + 8) - -#define XFRM_MSG_UPDPOLICY (XFRM_MSG_BASE + 9) -#define XFRM_MSG_UPDSA (XFRM_MSG_BASE + 10) - -#define XFRM_MSG_POLEXPIRE (XFRM_MSG_BASE + 11) - -#define XFRM_MSG_MAX (XFRM_MSG_POLEXPIRE+1) - -struct xfrm_user_tmpl { - struct xfrm_id id; - uint16_t family; - xfrm_address_t saddr; - uint32_t reqid; - uint8_t mode; - uint8_t share; - uint8_t optional; - uint32_t aalgos; - uint32_t ealgos; - uint32_t calgos; -}; - -struct xfrm_encap_tmpl { - uint16_t encap_type; - uint16_t encap_sport; - uint16_t encap_dport; - xfrm_address_t encap_oa; -}; - -/* Netlink message attributes. 
*/ -enum xfrm_attr_type_t { - XFRMA_UNSPEC, - XFRMA_ALG_AUTH, /* struct xfrm_algo */ - XFRMA_ALG_CRYPT, /* struct xfrm_algo */ - XFRMA_ALG_COMP, /* struct xfrm_algo */ - XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */ - XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */ - -#define XFRMA_MAX XFRMA_TMPL -}; - -struct xfrm_usersa_info { - struct xfrm_selector sel; - struct xfrm_id id; - xfrm_address_t saddr; - struct xfrm_lifetime_cfg lft; - struct xfrm_lifetime_cur curlft; - struct xfrm_stats stats; - uint32_t seq; - uint32_t reqid; - uint16_t family; - uint8_t mode; /* 0=transport,1=tunnel */ - uint8_t replay_window; - uint8_t flags; -#define XFRM_STATE_NOECN 1 -}; - -struct xfrm_usersa_id { - xfrm_address_t daddr; - uint32_t spi; - uint16_t family; - uint8_t proto; -}; - -struct xfrm_userspi_info { - struct xfrm_usersa_info info; - uint32_t min; - uint32_t max; -}; - -struct xfrm_userpolicy_info { - struct xfrm_selector sel; - struct xfrm_lifetime_cfg lft; - struct xfrm_lifetime_cur curlft; - uint32_t priority; - uint32_t index; - uint8_t dir; - uint8_t action; -#define XFRM_POLICY_ALLOW 0 -#define XFRM_POLICY_BLOCK 1 - uint8_t flags; -#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */ - uint8_t share; -}; - -struct xfrm_userpolicy_id { - struct xfrm_selector sel; - uint32_t index; - uint8_t dir; -}; - -struct xfrm_user_acquire { - struct xfrm_id id; - xfrm_address_t saddr; - struct xfrm_selector sel; - struct xfrm_userpolicy_info policy; - uint32_t aalgos; - uint32_t ealgos; - uint32_t calgos; - uint32_t seq; -}; - -struct xfrm_user_expire { - struct xfrm_usersa_info state; - uint8_t hard; -}; - -struct xfrm_user_polexpire { - struct xfrm_userpolicy_info pol; - uint8_t hard; -}; - -#define XFRMGRP_ACQUIRE 1 -#define XFRMGRP_EXPIRE 2 - -#endif /* _LINUX_XFRM_H */ diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c index ab44a113e..cda6007c7 100644 --- a/src/pluto/modecfg.c +++ b/src/pluto/modecfg.c 
@@ -978,7 +978,8 @@ xauth_inR1(struct msg_digest *md) , ia.xauth_secret.user_password.ptr) ) /* verify the user credentials using a plugn function */ - st->st_xauth.status = xauth_module.verify_secret(&ia.xauth_secret); + st->st_xauth.status = xauth_module.verify_secret(st->st_connection->name + , &ia.xauth_secret); plog("extended authentication %s", st->st_xauth.status? "was successful":"failed"); } diff --git a/src/pluto/oid.c b/src/pluto/oid.c index 4b0632de2..48df1b7c4 100644 --- a/src/pluto/oid.c +++ b/src/pluto/oid.c @@ -28,7 +28,7 @@ const oid_t oid_names[] = { { 0x01, 0, 1, "pilotAttributeType" }, /* 15 */ { 0x01, 17, 0, "UID" }, /* 16 */ { 0x19, 0, 0, "DC" }, /* 17 */ - {0x55, 51, 1, "X.500" }, /* 18 */ + {0x55, 52, 1, "X.500" }, /* 18 */ { 0x04, 36, 1, "X.509" }, /* 19 */ { 0x03, 21, 0, "CN" }, /* 20 */ { 0x04, 22, 0, "S" }, /* 21 */ 
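Review bot: The connection name is now handed to verify_secret, but the plog on the following line still reports only "was successful"/"failed", so the log cannot attribute an XAUTH outcome to a connection; `plog("extended authentication for connection '%s' %s", st->st_connection->name, st->st_xauth.status? "was successful":"failed");` would make the audit trail attributable. The new call also dereferences st->st_connection unconditionally; if a state can reach xauth_inR1 without a connection attached (I cannot tell from this hunk) it needs a guard. xauth_inR1's body begins and ends outside the hunk.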
@@ -54,144 +54,145 @@ const oid_t oid_names[] = { { 0x11, 42, 0, "subjectAltName" }, /* 41 */ { 0x12, 43, 0, "issuerAltName" }, /* 42 */ { 0x13, 44, 0, "basicConstraints" }, /* 43 */ - { 0x15, 45, 0, "reasonCode" }, /* 44 */ - { 0x1F, 46, 0, "crlDistributionPoints" }, /* 45 */ - { 0x20, 47, 0, "certificatePolicies" }, /* 46 */ - { 0x23, 48, 0, "authorityKeyIdentifier" }, /* 47 */ - { 0x25, 49, 0, "extendedKeyUsage" }, /* 48 */ - { 0x37, 50, 0, "targetInformation" }, /* 49 */ - { 0x38, 0, 0, "noRevAvail" }, /* 50 */ - {0x2A, 88, 1, "" }, /* 51 */ - { 0x86, 0, 1, "" }, /* 52 */ - { 0x48, 0, 1, "" }, /* 53 */ - { 0x86, 0, 1, "" }, /* 54 */ - { 0xF7, 0, 1, "" }, /* 55 */ - { 0x0D, 0, 1, "RSADSI" }, /* 56 */ - { 0x01, 83, 1, "PKCS" }, /* 57 */ - { 0x01, 66, 1, "PKCS-1" }, /* 58 */ - { 0x01, 60, 0, "rsaEncryption" }, /* 59 */ - { 0x02, 61, 0, "md2WithRSAEncryption" }, /* 60 */ - { 0x04, 62, 0, "md5WithRSAEncryption" }, /* 61 */ - { 0x05, 63, 0, "sha-1WithRSAEncryption" }, /* 62 */ - { 0x0B, 64, 0, "sha256WithRSAEncryption"}, /* 63 */ - { 0x0C, 65, 0, "sha384WithRSAEncryption"}, /* 64 */ - { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 65 */ - { 0x07, 73, 1, "PKCS-7" }, /* 66 */ - { 0x01, 68, 0, "data" }, /* 67 */ - { 0x02, 69, 0, "signedData" }, /* 68 */ - { 0x03, 70, 0, "envelopedData" }, /* 69 */ - { 0x04, 71, 0, "signedAndEnvelopedData" }, /* 70 */ - { 0x05, 72, 0, "digestedData" }, /* 71 */ - { 0x06, 0, 0, "encryptedData" }, /* 72 */ - { 0x09, 0, 1, "PKCS-9" }, /* 73 */ - { 0x01, 75, 0, "E" }, /* 74 */ - { 0x02, 76, 0, "unstructuredName" }, /* 75 */ - { 0x03, 77, 0, "contentType" }, /* 76 */ - { 0x04, 78, 0, "messageDigest" }, /* 77 */ - { 0x05, 79, 0, "signingTime" }, /* 78 */ - { 0x06, 80, 0, "counterSignature" }, /* 79 */ - { 0x07, 81, 0, "challengePassword" }, /* 80 */ - { 0x08, 82, 0, "unstructuredAddress" }, /* 81 */ - { 0x0E, 0, 0, "extensionRequest" }, /* 82 */ - { 0x02, 86, 1, "digestAlgorithm" }, /* 83 */ - { 0x02, 85, 0, "md2" }, /* 84 */ - { 0x05, 0, 0, 
"md5" }, /* 85 */ - { 0x03, 0, 1, "encryptionAlgorithm" }, /* 86 */ - { 0x07, 0, 0, "3des-ede-cbc" }, /* 87 */ - {0x2B, 149, 1, "" }, /* 88 */ - { 0x06, 136, 1, "dod" }, /* 89 */ - { 0x01, 0, 1, "internet" }, /* 90 */ - { 0x04, 105, 1, "private" }, /* 91 */ - { 0x01, 0, 1, "enterprise" }, /* 92 */ - { 0x82, 98, 1, "" }, /* 93 */ - { 0x37, 0, 1, "Microsoft" }, /* 94 */ - { 0x0A, 0, 1, "" }, /* 95 */ - { 0x03, 0, 1, "" }, /* 96 */ - { 0x03, 0, 0, "msSGC" }, /* 97 */ - { 0x89, 0, 1, "" }, /* 98 */ - { 0x31, 0, 1, "" }, /* 99 */ - { 0x01, 0, 1, "" }, /* 100 */ - { 0x01, 0, 1, "" }, /* 101 */ - { 0x02, 0, 1, "" }, /* 102 */ - { 0x02, 104, 0, "" }, /* 103 */ - { 0x4B, 0, 0, "TCGID" }, /* 104 */ - { 0x05, 0, 1, "security" }, /* 105 */ - { 0x05, 0, 1, "mechanisms" }, /* 106 */ - { 0x07, 0, 1, "id-pkix" }, /* 107 */ - { 0x01, 110, 1, "id-pe" }, /* 108 */ - { 0x01, 0, 0, "authorityInfoAccess" }, /* 109 */ - { 0x03, 120, 1, "id-kp" }, /* 110 */ - { 0x01, 112, 0, "serverAuth" }, /* 111 */ - { 0x02, 113, 0, "clientAuth" }, /* 112 */ - { 0x03, 114, 0, "codeSigning" }, /* 113 */ - { 0x04, 115, 0, "emailProtection" }, /* 114 */ - { 0x05, 116, 0, "ipsecEndSystem" }, /* 115 */ - { 0x06, 117, 0, "ipsecTunnel" }, /* 116 */ - { 0x07, 118, 0, "ipsecUser" }, /* 117 */ - { 0x08, 119, 0, "timeStamping" }, /* 118 */ - { 0x09, 0, 0, "ocspSigning" }, /* 119 */ - { 0x08, 122, 1, "id-otherNames" }, /* 120 */ - { 0x05, 0, 0, "xmppAddr" }, /* 121 */ - { 0x0A, 127, 1, "id-aca" }, /* 122 */ - { 0x01, 124, 0, "authenticationInfo" }, /* 123 */ - { 0x02, 125, 0, "accessIdentity" }, /* 124 */ - { 0x03, 126, 0, "chargingIdentity" }, /* 125 */ - { 0x04, 0, 0, "group" }, /* 126 */ - { 0x30, 0, 1, "id-ad" }, /* 127 */ - { 0x01, 0, 1, "ocsp" }, /* 128 */ - { 0x01, 130, 0, "basic" }, /* 129 */ - { 0x02, 131, 0, "nonce" }, /* 130 */ - { 0x03, 132, 0, "crl" }, /* 131 */ - { 0x04, 133, 0, "response" }, /* 132 */ - { 0x05, 134, 0, "noCheck" }, /* 133 */ - { 0x06, 135, 0, "archiveCutoff" }, /* 134 */ - { 0x07, 0, 
0, "serviceLocator" }, /* 135 */ - { 0x0E, 142, 1, "oiw" }, /* 136 */ - { 0x03, 0, 1, "secsig" }, /* 137 */ - { 0x02, 0, 1, "algorithms" }, /* 138 */ - { 0x07, 140, 0, "des-cbc" }, /* 139 */ - { 0x1A, 141, 0, "sha-1" }, /* 140 */ - { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 141 */ - { 0x24, 0, 1, "TeleTrusT" }, /* 142 */ - { 0x03, 0, 1, "algorithm" }, /* 143 */ - { 0x03, 0, 1, "signatureAlgorithm" }, /* 144 */ - { 0x01, 0, 1, "rsaSignature" }, /* 145 */ - { 0x02, 147, 0, "rsaSigWithripemd160" }, /* 146 */ - { 0x03, 148, 0, "rsaSigWithripemd128" }, /* 147 */ - { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 148 */ - {0x60, 0, 1, "" }, /* 149 */ - { 0x86, 0, 1, "" }, /* 150 */ - { 0x48, 0, 1, "" }, /* 151 */ - { 0x01, 0, 1, "organization" }, /* 152 */ - { 0x65, 160, 1, "gov" }, /* 153 */ - { 0x03, 0, 1, "csor" }, /* 154 */ - { 0x04, 0, 1, "nistalgorithm" }, /* 155 */ - { 0x02, 0, 1, "hashalgs" }, /* 156 */ - { 0x01, 158, 0, "id-SHA-256" }, /* 157 */ - { 0x02, 159, 0, "id-SHA-384" }, /* 158 */ - { 0x03, 0, 0, "id-SHA-512" }, /* 159 */ - { 0x86, 0, 1, "" }, /* 160 */ - { 0xf8, 0, 1, "" }, /* 161 */ - { 0x42, 174, 1, "netscape" }, /* 162 */ - { 0x01, 169, 1, "" }, /* 163 */ - { 0x01, 165, 0, "nsCertType" }, /* 164 */ - { 0x03, 166, 0, "nsRevocationUrl" }, /* 165 */ - { 0x04, 167, 0, "nsCaRevocationUrl" }, /* 166 */ - { 0x08, 168, 0, "nsCaPolicyUrl" }, /* 167 */ - { 0x0d, 0, 0, "nsComment" }, /* 168 */ - { 0x03, 172, 1, "directory" }, /* 169 */ - { 0x01, 0, 1, "" }, /* 170 */ - { 0x03, 0, 0, "employeeNumber" }, /* 171 */ - { 0x04, 0, 1, "policy" }, /* 172 */ - { 0x01, 0, 0, "nsSGC" }, /* 173 */ - { 0x45, 0, 1, "verisign" }, /* 174 */ - { 0x01, 0, 1, "pki" }, /* 175 */ - { 0x09, 0, 1, "attributes" }, /* 176 */ - { 0x02, 178, 0, "messageType" }, /* 177 */ - { 0x03, 179, 0, "pkiStatus" }, /* 178 */ - { 0x04, 180, 0, "failInfo" }, /* 179 */ - { 0x05, 181, 0, "senderNonce" }, /* 180 */ - { 0x06, 182, 0, "recipientNonce" }, /* 181 */ - { 0x07, 183, 0, "transID" }, /* 182 */ - { 
0x08, 0, 0, "extensionReq" } /* 183 */ + { 0x14, 45, 0, "crlNumber" }, /* 44 */ + { 0x15, 46, 0, "reasonCode" }, /* 45 */ + { 0x1F, 47, 0, "crlDistributionPoints" }, /* 46 */ + { 0x20, 48, 0, "certificatePolicies" }, /* 47 */ + { 0x23, 49, 0, "authorityKeyIdentifier" }, /* 48 */ + { 0x25, 50, 0, "extendedKeyUsage" }, /* 49 */ + { 0x37, 51, 0, "targetInformation" }, /* 50 */ + { 0x38, 0, 0, "noRevAvail" }, /* 51 */ + {0x2A, 89, 1, "" }, /* 52 */ + { 0x86, 0, 1, "" }, /* 53 */ + { 0x48, 0, 1, "" }, /* 54 */ + { 0x86, 0, 1, "" }, /* 55 */ + { 0xF7, 0, 1, "" }, /* 56 */ + { 0x0D, 0, 1, "RSADSI" }, /* 57 */ + { 0x01, 84, 1, "PKCS" }, /* 58 */ + { 0x01, 67, 1, "PKCS-1" }, /* 59 */ + { 0x01, 61, 0, "rsaEncryption" }, /* 60 */ + { 0x02, 62, 0, "md2WithRSAEncryption" }, /* 61 */ + { 0x04, 63, 0, "md5WithRSAEncryption" }, /* 62 */ + { 0x05, 64, 0, "sha-1WithRSAEncryption" }, /* 63 */ + { 0x0B, 65, 0, "sha256WithRSAEncryption"}, /* 64 */ + { 0x0C, 66, 0, "sha384WithRSAEncryption"}, /* 65 */ + { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 66 */ + { 0x07, 74, 1, "PKCS-7" }, /* 67 */ + { 0x01, 69, 0, "data" }, /* 68 */ + { 0x02, 70, 0, "signedData" }, /* 69 */ + { 0x03, 71, 0, "envelopedData" }, /* 70 */ + { 0x04, 72, 0, "signedAndEnvelopedData" }, /* 71 */ + { 0x05, 73, 0, "digestedData" }, /* 72 */ + { 0x06, 0, 0, "encryptedData" }, /* 73 */ + { 0x09, 0, 1, "PKCS-9" }, /* 74 */ + { 0x01, 76, 0, "E" }, /* 75 */ + { 0x02, 77, 0, "unstructuredName" }, /* 76 */ + { 0x03, 78, 0, "contentType" }, /* 77 */ + { 0x04, 79, 0, "messageDigest" }, /* 78 */ + { 0x05, 80, 0, "signingTime" }, /* 79 */ + { 0x06, 81, 0, "counterSignature" }, /* 80 */ + { 0x07, 82, 0, "challengePassword" }, /* 81 */ + { 0x08, 83, 0, "unstructuredAddress" }, /* 82 */ + { 0x0E, 0, 0, "extensionRequest" }, /* 83 */ + { 0x02, 87, 1, "digestAlgorithm" }, /* 84 */ + { 0x02, 86, 0, "md2" }, /* 85 */ + { 0x05, 0, 0, "md5" }, /* 86 */ + { 0x03, 0, 1, "encryptionAlgorithm" }, /* 87 */ + { 0x07, 0, 0, "3des-ede-cbc" }, /* 
88 */ + {0x2B, 150, 1, "" }, /* 89 */ + { 0x06, 137, 1, "dod" }, /* 90 */ + { 0x01, 0, 1, "internet" }, /* 91 */ + { 0x04, 106, 1, "private" }, /* 92 */ + { 0x01, 0, 1, "enterprise" }, /* 93 */ + { 0x82, 99, 1, "" }, /* 94 */ + { 0x37, 0, 1, "Microsoft" }, /* 95 */ + { 0x0A, 0, 1, "" }, /* 96 */ + { 0x03, 0, 1, "" }, /* 97 */ + { 0x03, 0, 0, "msSGC" }, /* 98 */ + { 0x89, 0, 1, "" }, /* 99 */ + { 0x31, 0, 1, "" }, /* 100 */ + { 0x01, 0, 1, "" }, /* 101 */ + { 0x01, 0, 1, "" }, /* 102 */ + { 0x02, 0, 1, "" }, /* 103 */ + { 0x02, 105, 0, "" }, /* 104 */ + { 0x4B, 0, 0, "TCGID" }, /* 105 */ + { 0x05, 0, 1, "security" }, /* 106 */ + { 0x05, 0, 1, "mechanisms" }, /* 107 */ + { 0x07, 0, 1, "id-pkix" }, /* 108 */ + { 0x01, 111, 1, "id-pe" }, /* 109 */ + { 0x01, 0, 0, "authorityInfoAccess" }, /* 110 */ + { 0x03, 121, 1, "id-kp" }, /* 111 */ + { 0x01, 113, 0, "serverAuth" }, /* 112 */ + { 0x02, 114, 0, "clientAuth" }, /* 113 */ + { 0x03, 115, 0, "codeSigning" }, /* 114 */ + { 0x04, 116, 0, "emailProtection" }, /* 115 */ + { 0x05, 117, 0, "ipsecEndSystem" }, /* 116 */ + { 0x06, 118, 0, "ipsecTunnel" }, /* 117 */ + { 0x07, 119, 0, "ipsecUser" }, /* 118 */ + { 0x08, 120, 0, "timeStamping" }, /* 119 */ + { 0x09, 0, 0, "ocspSigning" }, /* 120 */ + { 0x08, 123, 1, "id-otherNames" }, /* 121 */ + { 0x05, 0, 0, "xmppAddr" }, /* 122 */ + { 0x0A, 128, 1, "id-aca" }, /* 123 */ + { 0x01, 125, 0, "authenticationInfo" }, /* 124 */ + { 0x02, 126, 0, "accessIdentity" }, /* 125 */ + { 0x03, 127, 0, "chargingIdentity" }, /* 126 */ + { 0x04, 0, 0, "group" }, /* 127 */ + { 0x30, 0, 1, "id-ad" }, /* 128 */ + { 0x01, 0, 1, "ocsp" }, /* 129 */ + { 0x01, 131, 0, "basic" }, /* 130 */ + { 0x02, 132, 0, "nonce" }, /* 131 */ + { 0x03, 133, 0, "crl" }, /* 132 */ + { 0x04, 134, 0, "response" }, /* 133 */ + { 0x05, 135, 0, "noCheck" }, /* 134 */ + { 0x06, 136, 0, "archiveCutoff" }, /* 135 */ + { 0x07, 0, 0, "serviceLocator" }, /* 136 */ + { 0x0E, 143, 1, "oiw" }, /* 137 */ + { 0x03, 0, 1, "secsig" }, /* 
138 */ + { 0x02, 0, 1, "algorithms" }, /* 139 */ + { 0x07, 141, 0, "des-cbc" }, /* 140 */ + { 0x1A, 142, 0, "sha-1" }, /* 141 */ + { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 142 */ + { 0x24, 0, 1, "TeleTrusT" }, /* 143 */ + { 0x03, 0, 1, "algorithm" }, /* 144 */ + { 0x03, 0, 1, "signatureAlgorithm" }, /* 145 */ + { 0x01, 0, 1, "rsaSignature" }, /* 146 */ + { 0x02, 148, 0, "rsaSigWithripemd160" }, /* 147 */ + { 0x03, 149, 0, "rsaSigWithripemd128" }, /* 148 */ + { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 149 */ + {0x60, 0, 1, "" }, /* 150 */ + { 0x86, 0, 1, "" }, /* 151 */ + { 0x48, 0, 1, "" }, /* 152 */ + { 0x01, 0, 1, "organization" }, /* 153 */ + { 0x65, 161, 1, "gov" }, /* 154 */ + { 0x03, 0, 1, "csor" }, /* 155 */ + { 0x04, 0, 1, "nistalgorithm" }, /* 156 */ + { 0x02, 0, 1, "hashalgs" }, /* 157 */ + { 0x01, 159, 0, "id-SHA-256" }, /* 158 */ + { 0x02, 160, 0, "id-SHA-384" }, /* 159 */ + { 0x03, 0, 0, "id-SHA-512" }, /* 160 */ + { 0x86, 0, 1, "" }, /* 161 */ + { 0xf8, 0, 1, "" }, /* 162 */ + { 0x42, 175, 1, "netscape" }, /* 163 */ + { 0x01, 170, 1, "" }, /* 164 */ + { 0x01, 166, 0, "nsCertType" }, /* 165 */ + { 0x03, 167, 0, "nsRevocationUrl" }, /* 166 */ + { 0x04, 168, 0, "nsCaRevocationUrl" }, /* 167 */ + { 0x08, 169, 0, "nsCaPolicyUrl" }, /* 168 */ + { 0x0d, 0, 0, "nsComment" }, /* 169 */ + { 0x03, 173, 1, "directory" }, /* 170 */ + { 0x01, 0, 1, "" }, /* 171 */ + { 0x03, 0, 0, "employeeNumber" }, /* 172 */ + { 0x04, 0, 1, "policy" }, /* 173 */ + { 0x01, 0, 0, "nsSGC" }, /* 174 */ + { 0x45, 0, 1, "verisign" }, /* 175 */ + { 0x01, 0, 1, "pki" }, /* 176 */ + { 0x09, 0, 1, "attributes" }, /* 177 */ + { 0x02, 179, 0, "messageType" }, /* 178 */ + { 0x03, 180, 0, "pkiStatus" }, /* 179 */ + { 0x04, 181, 0, "failInfo" }, /* 180 */ + { 0x05, 182, 0, "senderNonce" }, /* 181 */ + { 0x06, 183, 0, "recipientNonce" }, /* 182 */ + { 0x07, 184, 0, "transID" }, /* 183 */ + { 0x08, 0, 0, "extensionReq" } /* 184 */ }; 
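Review bot: Every sibling-link index from entry 44 onward is renumbered by hand in this hunk, and the matching values in the @@ -28 hunk above (X.500 now linking to 52) and throughout oid.h must agree with it; I spot-checked PKCS (58 linking to 84), the top-level 0x2A/0x2B/0x60 chain (52 to 89 to 150) and crlDistributionPoints (46 linking to 47) against oid.h and they line up, but a single stale link would silently make an OID resolve to a neighbouring name, which for extension OIDs such as reasonCode or crlNumber means a certificate or CRL field being misinterpreted rather than rejected. Since oid.txt is updated in the same commit and reads like the source of truth, regenerating oid.c and oid.h from it (if the tree has a generator for that) instead of hand-editing would remove that risk. A comment at the head of oid_names[] (outside this hunk) stating that the second column is the index of the next sibling and that the table must match oid.txt would help the next editor.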
diff --git a/src/pluto/oid.h b/src/pluto/oid.h
index ccdfb2954..869a87eb0 100644
--- a/src/pluto/oid.h
+++ b/src/pluto/oid.h
@@ -19,60 +19,61 @@ extern const oid_t oid_names[];
 #define OID_SUBJECT_KEY_ID 38
 #define OID_SUBJECT_ALT_NAME 41
 #define OID_BASIC_CONSTRAINTS 43
-#define OID_CRL_REASON_CODE 44
-#define OID_CRL_DISTRIBUTION_POINTS 45
-#define OID_AUTHORITY_KEY_ID 47
-#define OID_EXTENDED_KEY_USAGE 48
-#define OID_TARGET_INFORMATION 49
-#define OID_NO_REV_AVAIL 50
-#define OID_RSA_ENCRYPTION 59
-#define OID_MD2_WITH_RSA 60
-#define OID_MD5_WITH_RSA 61
-#define OID_SHA1_WITH_RSA 62
-#define OID_SHA256_WITH_RSA 63
-#define OID_SHA384_WITH_RSA 64
-#define OID_SHA512_WITH_RSA 65
-#define OID_PKCS7_DATA 67
-#define OID_PKCS7_SIGNED_DATA 68
-#define OID_PKCS7_ENVELOPED_DATA 69
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA 70
-#define OID_PKCS7_DIGESTED_DATA 71
-#define OID_PKCS7_ENCRYPTED_DATA 72
-#define OID_PKCS9_EMAIL 74
-#define OID_PKCS9_CONTENT_TYPE 76
-#define OID_PKCS9_MESSAGE_DIGEST 77
-#define OID_PKCS9_SIGNING_TIME 78
-#define OID_MD2 84
-#define OID_MD5 85
-#define OID_3DES_EDE_CBC 87
-#define OID_AUTHORITY_INFO_ACCESS 109
-#define OID_OCSP_SIGNING 119
-#define OID_XMPP_ADDR 121
-#define OID_AUTHENTICATION_INFO 123
-#define OID_ACCESS_IDENTITY 124
-#define OID_CHARGING_IDENTITY 125
-#define OID_GROUP 126
-#define OID_OCSP 128
-#define OID_BASIC 129
-#define OID_NONCE 130
-#define OID_CRL 131
-#define OID_RESPONSE 132
-#define OID_NO_CHECK 133
-#define OID_ARCHIVE_CUTOFF 134
-#define OID_SERVICE_LOCATOR 135
-#define OID_DES_CBC 139
-#define OID_SHA1 140
-#define OID_SHA1_WITH_RSA_OIW 141
-#define OID_SHA256 157
-#define OID_SHA384 158
-#define OID_SHA512 159
-#define OID_NS_REVOCATION_URL 165
-#define OID_NS_CA_REVOCATION_URL 166
-#define OID_NS_CA_POLICY_URL 167
-#define OID_NS_COMMENT 168
-#define OID_PKI_MESSAGE_TYPE 177
-#define OID_PKI_STATUS 178
-#define OID_PKI_FAIL_INFO 179
-#define OID_PKI_SENDER_NONCE 180
-#define OID_PKI_RECIPIENT_NONCE 181
-#define OID_PKI_TRANS_ID 182
+#define OID_CRL_NUMBER 44
+#define OID_CRL_REASON_CODE 45
+#define OID_CRL_DISTRIBUTION_POINTS 46
+#define OID_AUTHORITY_KEY_ID 48
+#define OID_EXTENDED_KEY_USAGE 49
+#define OID_TARGET_INFORMATION 50
+#define OID_NO_REV_AVAIL 51
+#define OID_RSA_ENCRYPTION 60
+#define OID_MD2_WITH_RSA 61
+#define OID_MD5_WITH_RSA 62
+#define OID_SHA1_WITH_RSA 63
+#define OID_SHA256_WITH_RSA 64
+#define OID_SHA384_WITH_RSA 65
+#define OID_SHA512_WITH_RSA 66
+#define OID_PKCS7_DATA 68
+#define OID_PKCS7_SIGNED_DATA 69
+#define OID_PKCS7_ENVELOPED_DATA 70
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 71
+#define OID_PKCS7_DIGESTED_DATA 72
+#define OID_PKCS7_ENCRYPTED_DATA 73
+#define OID_PKCS9_EMAIL 75
+#define OID_PKCS9_CONTENT_TYPE 77
+#define OID_PKCS9_MESSAGE_DIGEST 78
+#define OID_PKCS9_SIGNING_TIME 79
+#define OID_MD2 85
+#define OID_MD5 86
+#define OID_3DES_EDE_CBC 88
+#define OID_AUTHORITY_INFO_ACCESS 110
+#define OID_OCSP_SIGNING 120
+#define OID_XMPP_ADDR 122
+#define OID_AUTHENTICATION_INFO 124
+#define OID_ACCESS_IDENTITY 125
+#define OID_CHARGING_IDENTITY 126
+#define OID_GROUP 127
+#define OID_OCSP 129
+#define OID_BASIC 130
+#define OID_NONCE 131
+#define OID_CRL 132
+#define OID_RESPONSE 133
+#define OID_NO_CHECK 134
+#define OID_ARCHIVE_CUTOFF 135
+#define OID_SERVICE_LOCATOR 136
+#define OID_DES_CBC 140
+#define OID_SHA1 141
+#define OID_SHA1_WITH_RSA_OIW 142
+#define OID_SHA256 158
+#define OID_SHA384 159
+#define OID_SHA512 160
+#define OID_NS_REVOCATION_URL 166
+#define OID_NS_CA_REVOCATION_URL 167
+#define OID_NS_CA_POLICY_URL 168
+#define OID_NS_COMMENT 169
+#define OID_PKI_MESSAGE_TYPE 178
+#define OID_PKI_STATUS 179
+#define OID_PKI_FAIL_INFO 180
+#define OID_PKI_SENDER_NONCE 181
+#define OID_PKI_RECIPIENT_NONCE 182
+#define OID_PKI_TRANS_ID 183
diff --git a/src/pluto/oid.txt b/src/pluto/oid.txt
index e8750024e..2b3c96ae3 100644
--- a/src/pluto/oid.txt
+++ b/src/pluto/oid.txt
@@ -42,6 +42,7 @@ 0x11 "subjectAltName" OID_SUBJECT_ALT_NAME 0x12 "issuerAltName" 0x13 "basicConstraints" OID_BASIC_CONSTRAINTS + 0x14 "crlNumber" OID_CRL_NUMBER 0x15 "reasonCode" OID_CRL_REASON_CODE 0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS 0x20 "certificatePolicies" diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index e235ff765..d9b2167c8 100644 --- a/src/pluto/plutomain.c +++ b/src/pluto/plutomain.c @@ -29,6 +29,8 @@ #include #include /* missing from on old systems */ #include +#include +#include #include @@ -64,6 +66,11 @@ #include "nat_traversal.h" #include "virtual.h" +/* on some distros, a capset() definition is missing */ +#ifdef NO_CAPSET_DEFINED +extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap); +#endif /* NO_CAPSET_DEFINED */ + static void usage(const char *mess) { @@ -221,6 +228,8 @@ main(int argc, char **argv) bool force_keepalive = FALSE; char *virtual_private = NULL; int lockfd; + struct __user_cap_header_struct hdr; + struct __user_cap_data_struct data; /* handle arguments */ for (;;) @@ -596,6 +605,26 @@ main(int argc, char **argv) init_id(); init_fetch(); + /* drop unneeded capabilities and change UID/GID */ + hdr.version = _LINUX_CAPABILITY_VERSION; + hdr.pid = 0; + data.effective = data.permitted = 1<setup.strictcrlpolicy) { arg[argc++] = "--strictcrlpolicy"; + arg[argc++] = cfg->setup.strictcrlpolicy == STRICT_IFURI ? "2":"1"; } if (cfg->setup.cachecrls) { @@ -122,11 +124,9 @@ starter_start_charon (starter_config_t *cfg, bool debug) } if (cfg->setup.crlcheckinterval > 0) { - char buffer[BUF_LEN]; - - snprintf(buffer, BUF_LEN, "%u", cfg->setup.crlcheckinterval); + snprintf(buffer1, BUF_LEN, "%u", cfg->setup.crlcheckinterval); arg[argc++] = "--crlcheckinterval"; - arg[argc++] = buffer; + arg[argc++] = buffer1; } if (cfg->setup.eapdir) { 
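Review bot: `struct __user_cap_header_struct hdr;` and `struct __user_cap_data_struct data;` are declared uninitialised in main(); the later @@ -596 hunk (truncated in this view) sets hdr.version, hdr.pid, data.effective and data.permitted, and unless it also assigns data.inheritable, capset() receives an indeterminate inheritable set from the stack, which can leave capabilities that survive an exec. Zero-initialising here, `struct __user_cap_header_struct hdr = {0};` and `struct __user_cap_data_struct data = {0};`, makes the drop independent of which fields the later code remembers to set. That later hunk should also check capset()'s return value, since a failed call would silently leave pluto with its full capability set; main() continues well past this hunk.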
@@ -135,7 +135,7 @@ starter_start_charon (starter_config_t *cfg, bool debug) } { /* parse debug string */ - char *pos, *level, *buf_pos, type[4], buffer[BUF_LEN]; + char *pos, *level, *buf_pos, type[4]; pos = cfg->setup.charondebug; buf_pos = buffer; while (pos && sscanf(pos, "%4s %d,", type, &level) == 2) @@ -181,7 +181,11 @@ starter_start_charon (starter_config_t *cfg, bool debug) FILE *f; plog("no %s file, generating RSA key", SECRETS_FILE); + seteuid(IPSEC_UID); + setegid(IPSEC_GID); system("ipsec scepclient --out pkcs1 --out cert-self --quiet"); + seteuid(0); + setegid(0); /* ipsec.secrets is root readable only */ oldmask = umask(0066); @@ -194,6 +198,7 @@ starter_start_charon (starter_config_t *cfg, bool debug) fprintf(f, ": RSA myKey.der\n"); fclose(f); } + chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID); umask(oldmask); } @@ -207,6 +212,8 @@ starter_start_charon (starter_config_t *cfg, bool debug) /* child */ setsid(); sigprocmask(SIG_SETMASK, 0, NULL); + /* disable glibc's malloc checker, conflicts with leak detective */ + setenv("MALLOC_CHECK_", "0", 1); execv(arg[0], arg); plog("can't execv(%s,...): %s", arg[0], strerror(errno)); exit(1); diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c index 1b11b4a10..240d98391 100644 --- a/src/starter/invokepluto.c +++ b/src/starter/invokepluto.c @@ -216,7 +216,11 @@ starter_start_pluto (starter_config_t *cfg, bool debug) FILE *f; plog("no %s file, generating RSA key", SECRETS_FILE); + seteuid(IPSEC_UID); + setegid(IPSEC_GID); system("ipsec scepclient --out pkcs1 --out cert-self --quiet"); + seteuid(0); + setegid(0); /* ipsec.secrets is root readable only */ oldmask = umask(0066); @@ -229,6 +233,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug) fprintf(f, ": RSA myKey.der\n"); fclose(f); } + chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID); umask(oldmask); } diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 index 3e59190e3..c80c5166b 100644 --- a/src/starter/ipsec.conf.5 
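Review bot: The privilege switch around system() in this hunk calls seteuid(IPSEC_UID) before setegid(IPSEC_GID); on Linux, lowering the effective UID from 0 clears the effective capability set, so the following setegid() will typically fail with EPERM and scepclient then runs with effective GID 0. Swapping the order, `setegid(IPSEC_GID); seteuid(IPSEC_UID);` before the call and `seteuid(0); setegid(0);` after it, and checking each return value avoids that, and a failed seteuid(0) on the way back should be treated as fatal because the code immediately afterwards creates the root-only secrets file. Note also that only the effective IDs change: the real UID stays 0, so the shell started by system() and its children can regain root with seteuid(0); if the intent is that key generation runs without root privilege, fork and drop privileges fully (setgid/setuid) in the child before exec. The same sequence appears in invokepluto.c @@ -216.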
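Review bot: `chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID);` ignores its return value; if it fails the freshly written secrets file stays owned by root and a daemon running under IPSEC_UID (which this release apparently does) cannot read its own key, with no diagnostic. Report it the way the surrounding code reports failures, e.g. `if (chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID) != 0) plog("can't chown %s: %s", SECRETS_FILE, strerror(errno));`. Applying the ownership change to the open descriptor (fchown(fileno(f), ...) before the fclose) rather than to the path would also guarantee it acts on the file just written. invokepluto.c @@ -229 has the same unchecked call.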
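Review bot: `setenv("MALLOC_CHECK_", "0", 1);` runs unconditionally in the child before execv, so glibc's heap-consistency checking is switched off for every charon build, not only the leak-detective builds the comment refers to, and because the environment is inherited it is also off for anything charon spawns (updown scripts, for instance). Heap checking is a cheap hardening measure for a daemon that parses network input, so wrap the call in the build's leak-detective conditional (the automake symbol visible on this page is USE_LEAK_DETECTIVE; the C macro it defines is not shown here) so that production builds keep it. starter_start_charon continues outside the hunk.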
+++ b/src/starter/ipsec.conf.5 @@ -600,7 +600,16 @@ value is .B %modeconfig or .B %config, -an address is requested from the peer. +an address is requested from the peer. In IKEv2, a defined address is requested, +but the server may change it. If the server does not support it, the address +is enforced. +.TP +.B rightsourceip +The internal source IP to use in a tunnel for the remote peer. If the +value is +.B %config +on the responder side, the initiator must propose a address which is then echoed +back. .TP .B leftsubnetwithin Not relevant for IKEv2, as subnets are narrowed. @@ -678,13 +687,16 @@ Relevant only locally, other end need not agree on it. .B ike IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g. .B aes128-sha1-modp2048 -(encryption-integrity-dhgroup). +(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals +may be included, such as +.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. .TP .B esp ESP encryption/authentication algorithm to be used for the connection, e.g. .B 3des-md5 -(encryption-integrity). +(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup +and rekeying include a separate diffe hellman exchange (IKEv2 only). .TP .B ah AH authentication algorithm to be used diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index fb8e74b8c..13c2f4326 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -156,6 +156,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->id = push_string(msg, conn_end->id); msg_end->cert = push_string(msg, conn_end->cert); msg_end->ca = push_string(msg, conn_end->ca); + msg_end->groups = push_string(msg, conn_end->groups); msg_end->updown = push_string(msg, conn_end->updown); ip_address2string(&conn_end->addr, buffer, sizeof(buffer)); msg_end->address = push_string(msg, buffer); 
@@ -167,7 +168,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->tohost = !conn_end->has_client; msg_end->protocol = conn_end->protocol; msg_end->port = conn_end->port; - msg_end->virtual_ip = conn_end->modecfg; + msg_end->virtual_ip = conn_end->modecfg || conn_end->has_srcip; ip_address2string(&conn_end->srcip, buffer, sizeof(buffer)); msg_end->sourceip = push_string(msg, buffer); } diff --git a/src/starter/y.tab.c b/src/starter/y.tab.c index 11a0373e9..49da832c0 100644 --- a/src/starter/y.tab.c +++ b/src/starter/y.tab.c @@ -172,7 +172,7 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len); typedef union YYSTYPE #line 56 "parser.y" { char *s; } -/* Line 193 of yacc.c. */ +/* Line 187 of yacc.c. */ #line 177 "y.tab.c" YYSTYPE; # define yystype YYSTYPE /* obsolescent; will be withdrawn */ diff --git a/src/starter/y.tab.h b/src/starter/y.tab.h index 4b55cb005..b4352e6b4 100644 --- a/src/starter/y.tab.h +++ b/src/starter/y.tab.h @@ -70,7 +70,7 @@ typedef union YYSTYPE #line 56 "parser.y" { char *s; } -/* Line 1528 of yacc.c. */ +/* Line 1488 of yacc.c. */ #line 75 "y.tab.h" YYSTYPE; # define yystype YYSTYPE /* obsolescent; will be withdrawn */ diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index 179bca750..a32dc8b90 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -111,6 +111,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -123,6 +124,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ 
@@ -133,8 +135,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -156,6 +162,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -165,6 +172,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -178,9 +187,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -195,6 +208,8 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ stroke_SOURCES = stroke.c stroke.h stroke_keywords.c stroke_keywords.h INCLUDES = -I$(top_srcdir)/src/libstrongswan EXTRA_DIST = stroke_keywords.txt diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index 5d3fd6e77..cd2e85caa 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c 
@@ -218,6 +218,9 @@ static int list_flags[] = { LIST_CERTS, LIST_CACERTS, LIST_OCSPCERTS, + LIST_AACERTS, + LIST_ACERTS, + LIST_GROUPS, LIST_CAINFOS, LIST_CRLS, LIST_OCSP, @@ -238,6 +241,8 @@ static int list(stroke_keyword_t kw, int utc) static int reread_flags[] = { REREAD_CACERTS, REREAD_OCSPCERTS, + REREAD_AACERTS, + REREAD_ACERTS, REREAD_CRLS, REREAD_ALL }; diff --git a/src/stroke/stroke.h b/src/stroke/stroke.h index 2eefb36c4..94e07d465 100644 --- a/src/stroke/stroke.h +++ b/src/stroke/stroke.h @@ -47,14 +47,20 @@ enum list_flag_t { LIST_CACERTS = 0x0002, /** list all ocsp signer certs */ LIST_OCSPCERTS = 0x0004, + /** list all aa certs */ + LIST_AACERTS = 0x0008, + /** list all attribute certs */ + LIST_ACERTS = 0x0010, + /** list all access control groups */ + LIST_GROUPS = 0x0020, /** list all ca information records */ - LIST_CAINFOS = 0x0008, + LIST_CAINFOS = 0x0040, /** list all crls */ - LIST_CRLS = 0x0010, + LIST_CRLS = 0x0080, /** list all ocsp cache entries */ - LIST_OCSP = 0x0020, + LIST_OCSP = 0x0100, /** all list options */ - LIST_ALL = 0x003F, + LIST_ALL = 0x01FF, }; typedef enum reread_flag_t reread_flag_t; @@ -70,10 +76,14 @@ enum reread_flag_t { REREAD_CACERTS = 0x0001, /** reread all ocsp signer certs */ REREAD_OCSPCERTS = 0x0002, + /** reread all aa certs */ + REREAD_AACERTS = 0x0004, + /** reread all attribute certs */ + REREAD_ACERTS = 0x0008, /** reread all crls */ - REREAD_CRLS = 0x0004, + REREAD_CRLS = 0x0010, /** all reread options */ - REREAD_ALL = 0x0007, + REREAD_ALL = 0x001F, }; typedef enum purge_flag_t purge_flag_t; @@ -98,6 +108,7 @@ struct stroke_end_t { char *id; char *cert; char *ca; + char *groups; char *updown; char *address; char *sourceip; diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c index 71d99ecad..11ac592ed 100644 --- a/src/stroke/stroke_keywords.c +++ b/src/stroke/stroke_keywords.c 
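Review bot: Inserting LIST_AACERTS, LIST_ACERTS and LIST_GROUPS in the middle of list_flag_t renumbers the existing LIST_CAINFOS, LIST_CRLS and LIST_OCSP values, and the @@ -70 hunk does the same to reread_flag_t; these values travel in stroke_msg_t between the stroke client and charon, so a client and daemon built from different trees would disagree (an old client's LIST_CAINFOS 0x0008 now reads as LIST_AACERTS). If the two are always built and installed together this is harmless, but appending new flags after the existing ones, or noting in the enum comment that the values are part of the stroke wire format and must stay in sync on both sides, would make the constraint explicit. LIST_ALL 0x01FF and REREAD_ALL 0x001F do cover the new ranges.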
@@ -1,6 +1,6 @@ /* C code produced by gperf version 3.0.1 */ /* Command-line: /usr/bin/gperf -C -G -t */ -/* Computed positions: -k'2,7' */ +/* Computed positions: -k'1,5,7' */ #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \ && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \ @@ -56,12 +56,12 @@ struct stroke_token { stroke_keyword_t kw; }; -#define TOTAL_KEYWORDS 22 +#define TOTAL_KEYWORDS 27 #define MIN_WORD_LENGTH 2 #define MAX_WORD_LENGTH 15 -#define MIN_HASH_VALUE 2 -#define MAX_HASH_VALUE 33 -/* maximum key range = 32, duplicates = 0 */ +#define MIN_HASH_VALUE 3 +#define MAX_HASH_VALUE 40 +/* maximum key range = 38, duplicates = 0 */ #ifdef __GNUC__ __inline 
@@ -77,32 +77,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 0, 34, 0, - 30, 0, 34, 34, 34, 5, 34, 34, 15, 34, - 0, 0, 0, 34, 10, 5, 5, 10, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, - 34, 34, 34, 34, 34, 34 + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 0, 41, 5, + 28, 0, 41, 5, 41, 20, 41, 41, 0, 41, + 41, 15, 0, 41, 10, 10, 0, 10, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 
41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 41, 41, 41, 41, 41, 41 }; register int hval = len; @@ -113,10 +113,13 @@ hash (str, len) /*FALLTHROUGH*/ case 6: case 5: + hval += asso_values[(unsigned char)str[4]]; + /*FALLTHROUGH*/ case 4: case 3: case 2: - hval += asso_values[(unsigned char)str[1]]; + case 1: + hval += asso_values[(unsigned char)str[0]]; break; } return hval; 
@@ -124,35 +127,42 @@ hash (str, len) static const struct stroke_token wordlist[] = { - {""}, {""}, + {""}, {""}, {""}, + {"add", STROKE_ADD}, + {""}, {""}, {""}, + {"listall", STROKE_LIST_ALL}, + {"loglevel", STROKE_LOGLEVEL}, + {""}, + {"listacerts", STROKE_LIST_ACERTS}, + {""}, {"up", STROKE_UP}, - {"del", STROKE_DEL}, - {"down", STROKE_DOWN}, + {"listcrls", STROKE_LIST_CRLS}, + {"purgeocsp", STROKE_PURGE_OCSP}, {"route", STROKE_ROUTE}, - {"delete", STROKE_DELETE}, - {"unroute", STROKE_UNROUTE}, - {"loglevel", STROKE_LOGLEVEL}, + {"listaacerts", STROKE_LIST_AACERTS}, + {""}, {""}, {"rereadall", STROKE_REREAD_ALL}, + {""}, + {"listcacerts", STROKE_LIST_CACERTS}, + {"rereadacerts", STROKE_REREAD_ACERTS,}, + {"rereadaacerts", STROKE_REREAD_AACERTS,}, + {"listcerts", STROKE_LIST_CERTS}, {"rereadcrls", STROKE_REREAD_CRLS}, {"status", STROKE_STATUS}, - {""}, + {"unroute", STROKE_UNROUTE}, {"rereadcacerts", STROKE_REREAD_CACERTS}, {"statusall", STROKE_STATUSALL}, - {"rereadocspcerts", STROKE_REREAD_OCSPCERTS}, - {"listcacerts", STROKE_LIST_CACERTS}, - {""}, + {"listgroups", STROKE_LIST_GROUPS}, + {"del", STROKE_DEL}, + {"down", STROKE_DOWN}, {"listocsp", STROKE_LIST_OCSP}, - {"purgeocsp", STROKE_PURGE_OCSP}, + {"delete", STROKE_DELETE}, {""}, {"listcainfos", STROKE_LIST_CAINFOS}, {""}, {"listocspcerts", STROKE_LIST_OCSPCERTS}, - {"listcerts", STROKE_LIST_CERTS}, - {""}, {""}, - {"listall", STROKE_LIST_ALL}, - {"listcrls", STROKE_LIST_CRLS}, - {""}, {""}, {""}, {""}, - {"add", STROKE_ADD} + {""}, + {"rereadocspcerts", STROKE_REREAD_OCSPCERTS} }; #ifdef __GNUC__ diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h index 2e7d7c385..2b4b40e52 100644 --- a/src/stroke/stroke_keywords.h +++ b/src/stroke/stroke_keywords.h 
@@ -32,12 +32,17 @@ typedef enum {
 STROKE_LIST_CERTS,
 STROKE_LIST_CACERTS,
 STROKE_LIST_OCSPCERTS,
+ STROKE_LIST_AACERTS,
+ STROKE_LIST_ACERTS,
+ STROKE_LIST_GROUPS,
 STROKE_LIST_CAINFOS,
 STROKE_LIST_CRLS,
 STROKE_LIST_OCSP,
 STROKE_LIST_ALL,
 STROKE_REREAD_CACERTS,
 STROKE_REREAD_OCSPCERTS,
+ STROKE_REREAD_AACERTS,
+ STROKE_REREAD_ACERTS,
 STROKE_REREAD_CRLS,
 STROKE_REREAD_ALL,
 STROKE_PURGE_OCSP
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 1e8afe19e..962b4c555 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -39,12 +39,17 @@ statusall, STROKE_STATUSALL
 listcerts, STROKE_LIST_CERTS
 listcacerts, STROKE_LIST_CACERTS
 listocspcerts, STROKE_LIST_OCSPCERTS
+listaacerts, STROKE_LIST_AACERTS
+listacerts, STROKE_LIST_ACERTS
+listgroups, STROKE_LIST_GROUPS
 listcainfos, STROKE_LIST_CAINFOS
 listcrls, STROKE_LIST_CRLS
 listocsp, STROKE_LIST_OCSP
 listall, STROKE_LIST_ALL
 rereadcacerts, STROKE_REREAD_CACERTS
 rereadocspcerts, STROKE_REREAD_OCSPCERTS
+rereadaacerts, STROKE_REREAD_AACERTS,
+rereadacerts, STROKE_REREAD_ACERTS,
 rereadcrls, STROKE_REREAD_CRLS
 rereadall, STROKE_REREAD_ALL
 purgeocsp, STROKE_PURGE_OCSP
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index d14f5e8ed..e9a7af85d 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -111,6 +111,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -123,6 +124,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ 
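Review bot: The two new rereadaacerts and rereadacerts lines in stroke_keywords.txt carry a trailing comma that none of the neighbouring lines have, and gperf copies it verbatim into the generated table, which is why the stroke_keywords.c hunk above now contains `{"rereadacerts", STROKE_REREAD_ACERTS,}` and `{"rereadaacerts", STROKE_REREAD_AACERTS,}`. A trailing comma inside a C initializer list is legal, so this compiles, but it is inconsistent with every other entry and reads like a stray edit to the next maintainer. Drop the commas — `rereadaacerts, STROKE_REREAD_AACERTS` and `rereadacerts, STROKE_REREAD_ACERTS` — and regenerate stroke_keywords.c so the committed table matches its source.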
@@ -133,8 +135,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ @@ -156,6 +162,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -165,6 +172,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -178,9 +187,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -195,6 +208,8 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ whack_SOURCES = whack.c whack.h INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto whack_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a -- cgit v1.2.3