From 5dca9ea0e2931f0e2a056c7964d311bcc30a01b8 Mon Sep 17 00:00:00 2001 
From: Yves-Alexis Perez Date: Thu, 22 Oct 2015 11:43:58 +0200 Subject: Imported Upstream version 5.3.3 --- src/_updown/_updown.in | 10 +- src/charon-cmd/cmd/cmd_connection.c | 2 +- src/charon-tkm/src/tkm/tkm_encoder.c~ | 106 --- src/charon-tkm/tests/tests.c | 4 +- src/conftest/actions.c | 2 +- src/include/Makefile.am | 3 +- src/include/Makefile.in | 3 +- src/include/linux/netlink.h | 212 ++--- src/include/linux/rtnetlink.h | 707 ++++------------- src/include/linux/types.h | 172 ---- src/ipsec/_ipsec.8 | 2 +- src/libcharon/config/ike_cfg.c | 47 ++ src/libcharon/config/ike_cfg.h | 17 +- src/libcharon/control/controller.c | 54 +- src/libcharon/control/controller.h | 5 +- src/libcharon/daemon.c | 4 + src/libcharon/encoding/payloads/fragment_payload.c | 2 +- .../encoding/payloads/proposal_substructure.c | 11 + src/libcharon/network/receiver.c | 16 +- src/libcharon/plugins/eap_radius/eap_radius.c | 13 +- .../plugins/eap_radius/eap_radius_accounting.c | 28 +- src/libcharon/plugins/eap_tnc/eap_tnc.c | 4 + src/libcharon/plugins/eap_ttls/eap_ttls_peer.c | 9 +- .../plugins/error_notify/error_notify_listener.c | 8 +- src/libcharon/plugins/ha/ha_ctl.c | 85 +- src/libcharon/plugins/ha/ha_dispatcher.c | 12 +- src/libcharon/plugins/ha/ha_ike.c | 1 + src/libcharon/plugins/ha/ha_kernel.c | 21 +- src/libcharon/plugins/load_tester/load_tester.c | 1 + .../plugins/load_tester/load_tester_control.c | 2 +- .../plugins/load_tester/load_tester_plugin.c | 2 +- src/libcharon/plugins/medcli/medcli_config.c | 2 +- src/libcharon/plugins/osx_attr/osx_attr_handler.c | 30 +- src/libcharon/plugins/smp/smp.c | 2 +- src/libcharon/plugins/sql/sql_config.c | 11 +- src/libcharon/plugins/sql/sql_logger.c | 1 + src/libcharon/plugins/stroke/stroke_ca.c | 238 +++++- src/libcharon/plugins/stroke/stroke_ca.h | 30 +- src/libcharon/plugins/stroke/stroke_config.c | 83 +- src/libcharon/plugins/stroke/stroke_control.c | 4 +- src/libcharon/plugins/stroke/stroke_cred.c | 257 +++--- 
src/libcharon/plugins/stroke/stroke_cred.h | 15 +- src/libcharon/plugins/stroke/stroke_list.c | 2 +- src/libcharon/plugins/stroke/stroke_socket.c | 4 +- .../tnc_ifmap/tnc_ifmap_renew_session_job.h | 2 +- src/libcharon/plugins/uci/uci_control.c | 2 +- src/libcharon/plugins/updown/updown_listener.c | 18 +- src/libcharon/plugins/vici/Makefile.am | 1 + src/libcharon/plugins/vici/Makefile.in | 4 +- src/libcharon/plugins/vici/README.md | 124 +++ src/libcharon/plugins/vici/python/LICENSE | 2 + .../plugins/vici/python/vici/exception.py | 3 + src/libcharon/plugins/vici/python/vici/session.py | 138 ++-- src/libcharon/plugins/vici/ruby/lib/vici.rb | 6 +- src/libcharon/plugins/vici/suites/test_message.c | 31 + src/libcharon/plugins/vici/vici_authority.c | 750 ++++++++++++++++++ src/libcharon/plugins/vici/vici_authority.h | 62 ++ src/libcharon/plugins/vici/vici_config.c | 67 +- src/libcharon/plugins/vici/vici_config.h | 8 +- src/libcharon/plugins/vici/vici_control.c | 11 +- src/libcharon/plugins/vici/vici_cred.c | 7 + src/libcharon/plugins/vici/vici_cred.h | 8 + src/libcharon/plugins/vici/vici_logger.c | 48 +- src/libcharon/plugins/vici/vici_message.c | 40 + src/libcharon/plugins/vici/vici_message.h | 25 +- src/libcharon/plugins/vici/vici_plugin.c | 16 +- src/libcharon/plugins/vici/vici_query.c | 87 ++- .../plugins/whitelist/whitelist_listener.c | 2 +- .../processing/jobs/initiate_mediation_job.c | 4 +- .../processing/jobs/process_message_job.c | 14 +- src/libcharon/processing/jobs/rekey_child_sa_job.c | 5 +- src/libcharon/processing/jobs/start_action_job.c | 2 +- src/libcharon/sa/child_sa.c | 15 +- src/libcharon/sa/eap/eap_method.c | 3 +- src/libcharon/sa/ike_sa.c | 43 +- src/libcharon/sa/ike_sa_id.c | 4 +- src/libcharon/sa/ike_sa_manager.c | 67 +- src/libcharon/sa/ike_sa_manager.h | 9 +- src/libcharon/sa/ikev1/phase1.c | 2 +- src/libcharon/sa/ikev1/task_manager_v1.c | 35 +- src/libcharon/sa/ikev1/tasks/quick_mode.c | 26 +- src/libcharon/sa/ikev1/tasks/quick_mode.h | 11 + 
.../sa/ikev2/authenticators/eap_authenticator.c | 9 + .../sa/ikev2/authenticators/pubkey_authenticator.c | 2 +- src/libcharon/sa/ikev2/keymat_v2.c | 2 + src/libcharon/sa/ikev2/tasks/child_create.c | 36 +- src/libcharon/sa/ikev2/tasks/child_rekey.c | 18 +- src/libcharon/sa/ikev2/tasks/ike_rekey.c | 34 +- src/libcharon/sa/shunt_manager.c | 71 +- src/libcharon/sa/shunt_manager.h | 6 + src/libcharon/sa/trap_manager.c | 276 +++++-- src/libcharon/tests/Makefile.am | 4 + src/libcharon/tests/Makefile.in | 40 + src/libcharon/tests/libcharon_tests.c | 18 +- src/libcharon/tests/libcharon_tests.h | 2 + src/libcharon/tests/suites/test_ike_cfg.c | 118 +++ src/libcharon/tests/suites/test_message_chapoly.c | 138 ++++ .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 53 +- .../plugins/kernel_netlink/kernel_netlink_net.c | 40 +- .../plugins/kernel_netlink/kernel_netlink_shared.c | 16 +- .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 118 +-- .../plugins/kernel_pfroute/kernel_pfroute_net.c | 17 + src/libhydra/tests/hydra_tests.c | 4 +- src/libimcv/Android.mk | 7 +- src/libimcv/Makefile.am | 15 +- src/libimcv/Makefile.in | 74 +- src/libimcv/generic/generic_attr_bool.c | 248 ++++++ src/libimcv/generic/generic_attr_bool.h | 67 ++ src/libimcv/generic/generic_attr_chunk.c | 182 +++++ src/libimcv/generic/generic_attr_chunk.h | 60 ++ src/libimcv/generic/generic_attr_string.c | 183 +++++ src/libimcv/generic/generic_attr_string.h | 59 ++ src/libimcv/ietf/ietf_attr.c | 13 +- src/libimcv/ietf/ietf_attr_default_pwd_enabled.c | 242 ------ src/libimcv/ietf/ietf_attr_default_pwd_enabled.h | 65 -- src/libimcv/ietf/ietf_attr_fwd_enabled.c | 11 +- src/libimcv/ietf/ietf_attr_fwd_enabled.h | 9 +- src/libimcv/ietf/ietf_attr_port_filter.c | 10 +- src/libimcv/ietf/ietf_attr_port_filter.h | 8 +- src/libimcv/imc/imc_msg.c | 30 +- src/libimcv/imc/imc_os_info.c | 11 +- src/libimcv/imc/imc_os_info.h | 9 +- src/libimcv/imcv.c | 7 +- src/libimcv/imcv.h | 3 + src/libimcv/imv/imv_msg.c | 28 +- 
src/libimcv/ita/ita_attr.c | 5 +- src/libimcv/ita/ita_attr_device_id.c | 163 ---- src/libimcv/ita/ita_attr_device_id.h | 56 -- src/libimcv/pa_tnc/pa_tnc_msg.c | 10 +- src/libimcv/pa_tnc/pa_tnc_msg.h | 9 +- src/libimcv/plugins/imc_hcd/Makefile.am | 16 + src/libimcv/plugins/imc_hcd/Makefile.in | 763 ++++++++++++++++++ src/libimcv/plugins/imc_hcd/imc_hcd.c | 791 +++++++++++++++++++ src/libimcv/plugins/imc_hcd/imc_hcd_state.c | 176 +++++ src/libimcv/plugins/imc_hcd/imc_hcd_state.h | 50 ++ src/libimcv/plugins/imc_os/imc_os.c | 24 +- src/libimcv/plugins/imc_scanner/imc_scanner.c | 7 +- src/libimcv/plugins/imc_swid/imc_swid.c | 6 +- .../imv_attestation/imv_attestation_agent.c | 8 +- src/libimcv/plugins/imv_hcd/Makefile.am | 18 + src/libimcv/plugins/imv_hcd/Makefile.in | 767 ++++++++++++++++++ src/libimcv/plugins/imv_hcd/imv_hcd.c | 24 + src/libimcv/plugins/imv_hcd/imv_hcd_agent.c | 680 ++++++++++++++++ src/libimcv/plugins/imv_hcd/imv_hcd_agent.h | 36 + src/libimcv/plugins/imv_hcd/imv_hcd_state.c | 350 +++++++++ src/libimcv/plugins/imv_hcd/imv_hcd_state.h | 120 +++ src/libimcv/plugins/imv_os/imv_os_agent.c | 19 +- src/libimcv/plugins/imv_os/pacman.c | 21 +- .../plugins/imv_scanner/imv_scanner_agent.c | 4 +- src/libimcv/plugins/imv_swid/imv_swid_agent.c | 6 +- src/libimcv/pwg/pwg_attr.c | 123 +++ src/libimcv/pwg/pwg_attr.h | 75 ++ src/libimcv/pwg/pwg_attr_vendor_smi_code.c | 236 ++++++ src/libimcv/pwg/pwg_attr_vendor_smi_code.h | 65 ++ src/libimcv/seg/seg_contract.c | 6 +- src/libimcv/seg/seg_contract.h | 6 +- src/libimcv/seg/seg_env.c | 15 +- src/libimcv/seg/seg_env.h | 5 +- src/libimcv/suites/test_imcv_seg.c | 15 +- src/libipsec/Makefile.am | 9 +- src/libipsec/Makefile.in | 8 +- src/libipsec/esp_context.c | 1 + src/libipsec/tests/Makefile.am | 21 + src/libipsec/tests/Makefile.in | 870 +++++++++++++++++++++ src/libipsec/tests/ipsec_tests.c | 57 ++ src/libipsec/tests/ipsec_tests.h | 16 + src/libipsec/tests/suites/test_chapoly.c | 136 ++++ src/libpttls/pt_tls_client.c | 1 + 
src/libradius/radius_message.c | 9 +- src/libradius/radius_message.h | 5 + src/libstrongswan/Makefile.am | 9 +- src/libstrongswan/Makefile.in | 65 +- src/libstrongswan/asn1/asn1.c | 2 +- src/libstrongswan/credentials/auth_cfg.c | 39 +- .../credentials/certificates/ocsp_request.h | 2 +- .../credentials/certificates/ocsp_response.h | 2 +- src/libstrongswan/credentials/sets/mem_cred.c | 58 +- src/libstrongswan/credentials/sets/mem_cred.h | 12 +- src/libstrongswan/crypto/crypters/crypter.c | 8 +- src/libstrongswan/crypto/crypters/crypter.h | 1 + src/libstrongswan/crypto/iv/iv_gen.c | 1 + .../crypto/proposal/proposal_keywords_static.c | 295 ++++--- .../crypto/proposal/proposal_keywords_static.txt | 1 + src/libstrongswan/networking/host.c | 4 + src/libstrongswan/pen/pen.c | 6 +- src/libstrongswan/pen/pen.h | 3 +- .../plugins/bliss/bliss_private_key.c | 18 +- src/libstrongswan/plugins/bliss/bliss_public_key.c | 19 +- src/libstrongswan/plugins/bliss/bliss_utils.c | 83 +- src/libstrongswan/plugins/bliss/bliss_utils.h | 10 +- src/libstrongswan/plugins/chapoly/Makefile.am | 29 + src/libstrongswan/plugins/chapoly/Makefile.in | 810 +++++++++++++++++++ src/libstrongswan/plugins/chapoly/chapoly_aead.c | 333 ++++++++ src/libstrongswan/plugins/chapoly/chapoly_aead.h | 52 ++ src/libstrongswan/plugins/chapoly/chapoly_drv.c | 43 + src/libstrongswan/plugins/chapoly/chapoly_drv.h | 113 +++ .../plugins/chapoly/chapoly_drv_portable.c | 454 +++++++++++ .../plugins/chapoly/chapoly_drv_portable.h | 31 + .../plugins/chapoly/chapoly_drv_ssse3.c | 867 ++++++++++++++++++++ .../plugins/chapoly/chapoly_drv_ssse3.h | 31 + src/libstrongswan/plugins/chapoly/chapoly_plugin.c | 75 ++ src/libstrongswan/plugins/chapoly/chapoly_plugin.h | 42 + src/libstrongswan/plugins/des/des_crypter.c | 2 +- .../plugins/padlock/padlock_sha1_hasher.h | 2 +- .../plugins/pkcs11/pkcs11_public_key.c | 11 +- src/libstrongswan/plugins/plugin_feature.c | 18 +- src/libstrongswan/plugins/plugin_feature.h | 10 +- 
src/libstrongswan/plugins/test_vectors/Makefile.am | 1 + src/libstrongswan/plugins/test_vectors/Makefile.in | 14 +- .../plugins/test_vectors/test_vectors.h | 4 + .../test_vectors/test_vectors/chacha20poly1305.c | 107 +++ src/libstrongswan/selectors/traffic_selector.c | 3 +- src/libstrongswan/settings/settings.c | 69 +- src/libstrongswan/settings/settings.h | 54 ++ src/libstrongswan/settings/settings_lexer.c | 233 +++--- src/libstrongswan/settings/settings_lexer.l | 19 +- src/libstrongswan/settings/settings_parser.c | 171 ++-- src/libstrongswan/settings/settings_parser.h | 8 +- src/libstrongswan/settings/settings_parser.y | 39 +- src/libstrongswan/tests/suites/test_chunk.c | 2 +- src/libstrongswan/tests/suites/test_host.c | 6 + .../tests/suites/test_identification.c | 91 ++- src/libstrongswan/tests/suites/test_settings.c | 172 +++- .../tests/suites/test_traffic_selector.c | 594 +++++++++++++- src/libstrongswan/tests/test_runner.c | 2 +- src/libstrongswan/tests/test_suite.c | 2 +- src/libstrongswan/tests/tests.c | 4 +- src/libstrongswan/utils/capabilities.c | 60 +- src/libstrongswan/utils/identification.c | 48 +- src/libstrongswan/utils/identification.h | 15 +- .../utils/printf_hook/printf_hook_builtin.c | 3 +- .../utils/printf_hook/printf_hook_builtin.h | 2 +- .../utils/printf_hook/printf_hook_vstr.h | 2 +- src/libstrongswan/utils/utils.c | 107 ++- src/libstrongswan/utils/utils/string.c | 2 +- src/libtls/tests/tls_tests.c | 4 +- src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c | 8 +- src/libtncif/tncif_pa_subtypes.c | 57 +- src/libtncif/tncif_pa_subtypes.h | 31 +- src/pki/Makefile.am | 9 +- src/pki/Makefile.in | 39 +- src/pki/command.h | 2 +- src/pki/commands/dn.c | 146 ++++ src/pki/commands/issue.c | 35 +- src/pki/man/Makefile.am | 11 +- src/pki/man/Makefile.in | 37 +- src/pki/man/pki---dn.1.in | 56 ++ src/pki/man/pki---issue.1.in | 5 +- src/pki/man/pki.1.in | 6 +- src/starter/netkey.c | 13 - src/starter/netkey.h | 1 - src/starter/parser/conf_parser.h | 2 +- 
src/starter/parser/lexer.c | 266 +++---- src/starter/parser/lexer.l | 11 +- src/starter/parser/parser.c | 62 +- src/starter/parser/parser.h | 6 +- src/starter/parser/parser.y | 2 +- src/starter/starter.c | 1 - src/starter/starterstroke.c | 1 + src/starter/tests/suites/test_parser.c | 3 + src/stroke/stroke.c | 1 + src/swanctl/Makefile.am | 4 +- src/swanctl/Makefile.in | 12 +- src/swanctl/command.c | 2 +- src/swanctl/command.h | 2 +- src/swanctl/commands/list_authorities.c | 169 ++++ src/swanctl/commands/list_certs.c | 5 +- src/swanctl/commands/load_all.c | 8 +- src/swanctl/commands/load_authorities.c | 365 +++++++++ src/swanctl/commands/load_authorities.h | 26 + src/swanctl/swanctl.8.in | 8 +- src/swanctl/swanctl.conf | 25 + src/swanctl/swanctl.conf.5.main | 37 + src/swanctl/swanctl.opt | 38 + 274 files changed, 15974 insertions(+), 3054 deletions(-) delete mode 100644 src/charon-tkm/src/tkm/tkm_encoder.c~ delete mode 100644 src/include/linux/types.h create mode 100644 src/libcharon/plugins/vici/vici_authority.c create mode 100644 src/libcharon/plugins/vici/vici_authority.h create mode 100644 src/libcharon/tests/suites/test_ike_cfg.c create mode 100644 src/libcharon/tests/suites/test_message_chapoly.c create mode 100644 src/libimcv/generic/generic_attr_bool.c create mode 100644 src/libimcv/generic/generic_attr_bool.h create mode 100644 src/libimcv/generic/generic_attr_chunk.c create mode 100644 src/libimcv/generic/generic_attr_chunk.h create mode 100644 src/libimcv/generic/generic_attr_string.c create mode 100644 src/libimcv/generic/generic_attr_string.h delete mode 100644 src/libimcv/ietf/ietf_attr_default_pwd_enabled.c delete mode 100644 src/libimcv/ietf/ietf_attr_default_pwd_enabled.h delete mode 100644 src/libimcv/ita/ita_attr_device_id.c delete mode 100644 src/libimcv/ita/ita_attr_device_id.h create mode 100644 src/libimcv/plugins/imc_hcd/Makefile.am create mode 100644 src/libimcv/plugins/imc_hcd/Makefile.in create mode 100644 
src/libimcv/plugins/imc_hcd/imc_hcd.c create mode 100644 src/libimcv/plugins/imc_hcd/imc_hcd_state.c create mode 100644 src/libimcv/plugins/imc_hcd/imc_hcd_state.h create mode 100644 src/libimcv/plugins/imv_hcd/Makefile.am create mode 100644 src/libimcv/plugins/imv_hcd/Makefile.in create mode 100644 src/libimcv/plugins/imv_hcd/imv_hcd.c create mode 100644 src/libimcv/plugins/imv_hcd/imv_hcd_agent.c create mode 100644 src/libimcv/plugins/imv_hcd/imv_hcd_agent.h create mode 100644 src/libimcv/plugins/imv_hcd/imv_hcd_state.c create mode 100644 src/libimcv/plugins/imv_hcd/imv_hcd_state.h create mode 100644 src/libimcv/pwg/pwg_attr.c create mode 100644 src/libimcv/pwg/pwg_attr.h create mode 100644 src/libimcv/pwg/pwg_attr_vendor_smi_code.c create mode 100644 src/libimcv/pwg/pwg_attr_vendor_smi_code.h create mode 100644 src/libipsec/tests/Makefile.am create mode 100644 src/libipsec/tests/Makefile.in create mode 100644 src/libipsec/tests/ipsec_tests.c create mode 100644 src/libipsec/tests/ipsec_tests.h create mode 100644 src/libipsec/tests/suites/test_chapoly.c create mode 100644 src/libstrongswan/plugins/chapoly/Makefile.am create mode 100644 src/libstrongswan/plugins/chapoly/Makefile.in create mode 100644 src/libstrongswan/plugins/chapoly/chapoly_aead.c create mode 100644 src/libstrongswan/plugins/chapoly/chapoly_aead.h create mode 100644 src/libstrongswan/plugins/chapoly/chapoly_drv.c create mode 100644 src/libstrongswan/plugins/chapoly/chapoly_drv.h create mode 100644 src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c create mode 100644 src/libstrongswan/plugins/chapoly/chapoly_drv_portable.h create mode 100644 src/libstrongswan/plugins/chapoly/chapoly_drv_ssse3.c create mode 100644 src/libstrongswan/plugins/chapoly/chapoly_drv_ssse3.h create mode 100644 src/libstrongswan/plugins/chapoly/chapoly_plugin.c create mode 100644 src/libstrongswan/plugins/chapoly/chapoly_plugin.h create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c 
create mode 100644 src/pki/commands/dn.c
create mode 100644 src/pki/man/pki---dn.1.in
create mode 100644 src/swanctl/commands/list_authorities.c
create mode 100644 src/swanctl/commands/load_authorities.c
create mode 100644 src/swanctl/commands/load_authorities.h
(limited to 'src')
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 4090fe074..6e7abca09 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -71,7 +71,7 @@
 # PLUTO_MY_SOURCEIP6_$i
 # contains IPv4/IPv6 virtual IP received from a responder,
 # $i enumerates from 1 to the number of IP per address family.
-# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
 # virtual IP, IPv4 or IPv6.
 #
 # PLUTO_MY_PROTOCOL
@@ -94,6 +94,14 @@
 # the peer's own IP address / max (where max is 32
 # for IPv4 and 128 for IPv6).
 #
+# PLUTO_PEER_SOURCEIP
+# PLUTO_PEER_SOURCEIP4_$i
+# PLUTO_PEER_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP sent to an initiator,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
+# virtual IP, IPv4 or IPv6.
+#
 # PLUTO_PEER_PROTOCOL
 # is the IP protocol that will be transported.
 #
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 2c0b7b9d5..0c6a504e9 100644
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -434,7 +434,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
 child_cfg = create_child_cfg(this, peer_cfg);
 if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
- controller_cb_empty, NULL, 0) != SUCCESS)
+ controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
 {
 terminate(pid);
 }
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.c~ b/src/charon-tkm/src/tkm/tkm_encoder.c~
deleted file mode 100644
index 145615f14..000000000
--- a/src/charon-tkm/src/tkm/tkm_encoder.c~
+++ /dev/null
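Review bot: The trailing `FALSE` added to the initiate() call is a bare boolean literal, so nothing at this call site says what it switches off; the reader has to open controller.h, which the diffstat shows changes in this same import. A short call-site comment, e.g. `controller_cb_empty, NULL, 0, FALSE /* see initiate() in controller.h */) != SUCCESS)`, keeps the intent visible, and the same bare `FALSE` is added to conftest/actions.c further down. The body of initiate() begins before the hunk; only the failure path calling terminate(pid) is visible here.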
@@ -1,106 +0,0 @@
-/*
- * Copyright (C) 2013 Reto Buerki
- * Copyright (C) 2013 Adrian-Ken Rueegsegger
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include
-#include
-#include
-
-#include "tkm_encoder.h"
-
-/**
- * Build the SHA1 hash of pubkey(info) ASN.1 data.
- */
-static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
-{
- hasher_t *hasher;
-
- hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
- if (!hasher || !hasher->allocate_hash(hasher, pubkey, hash))
- {
- DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
- "fingerprinting failed");
- DESTROY_IF(hasher);
- chunk_free(&pubkey);
- return FALSE;
- }
- hasher->destroy(hasher);
- chunk_free(&pubkey);
- return TRUE;
-}
-
-/**
- * Encode the public key blob into subjectPublicKeyInfo.
- */
-static bool build_pub_info(chunk_t *encoding, va_list args)
-{
- chunk_t blob;
-
- if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
- CRED_PART_END))
- {
- *encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
- asn1_bitstring("c", blob, 0));
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * Build the fingerprint of the subjectPublicKeyInfo object.
- */
-static bool build_info_sha1(chunk_t *encoding, va_list args)
-{
- chunk_t pubkey;
-
- if (build_pub_info(&pubkey, args))
- {
- return hash_pubkey(pubkey, encoding);
- }
- return FALSE;
-}
-
-/**
- * Build the fingerprint of the subjectPublicKey object.
- */
-static bool build_sha1(chunk_t *encoding, va_list args)
-{
- chunk_t blob;
-
- if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
- CRED_PART_END))
- {
- return hash_pubkey(chunk_clone(blob), encoding);
- }
- return FALSE;
-}
-
-/**
- * See header.
- */
-bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
- va_list args)
-{
- switch (type)
- {
- case KEYID_PUBKEY_INFO_SHA1:
- return build_info_sha1(encoding, args);
- case KEYID_PUBKEY_SHA1:
- return build_sha1(encoding, args);
- default:
- return FALSE;
- }
-}
diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c
index 669f4d500..ac152b690 100644
--- a/src/charon-tkm/tests/tests.c
+++ b/src/charon-tkm/tests/tests.c
@@ -36,8 +36,8 @@
 static test_configuration_t tests[] = {
 #define TEST_SUITE(x) \
 { .suite = x, },
-#define TEST_SUITE_DEPEND(x, type, args) \
- { .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#define TEST_SUITE_DEPEND(x, type, ...) \
+ { .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) },
 #include "tests.h"
 { .suite = NULL, }
 };
diff --git a/src/conftest/actions.c b/src/conftest/actions.c
index 474672ca1..256b63d1b 100644
--- a/src/conftest/actions.c
+++ b/src/conftest/actions.c
@@ -65,7 +65,7 @@ static job_requeue_t initiate(char *config)
 {
 DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config);
 charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
- NULL, NULL, 0);
+ NULL, NULL, 0, FALSE);
 }
 else
 {
diff --git a/src/include/Makefile.am b/src/include/Makefile.am
index 5de713143..0284c094a 100644
--- a/src/include/Makefile.am
+++ b/src/include/Makefile.am
@@ -1,3 +1,2 @@
 EXTRA_DIST = linux/if_alg.h linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
- linux/pfkeyv2.h linux/udp.h linux/xfrm.h linux/types.h \
- sys/queue.h
+ linux/pfkeyv2.h linux/udp.h linux/xfrm.h sys/queue.h
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 64be6ac4f..e2c3cd0c3 100644
--- a/src/include/Makefile.in
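Review bot: `PLUGIN_DEPENDS(type, __VA_ARGS__)` leaves a dangling comma, `PLUGIN_DEPENDS(type, )`, for any TEST_SUITE_DEPEND invocation that passes nothing after type, and standard C99 also requires at least one argument for a `...` parameter. Whether that is accepted presumably depends on PLUGIN_DEPENDS being variadic as well (plugin_feature.h is touched in this import according to the diffstat), but that contract is not stated here; a comment above the macro, `/* extra args are passed through to PLUGIN_DEPENDS(), which must accept an empty list */`, records what the entries pulled in from tests.h rely on. The same macro change is presumably mirrored in the other tests.c files listed in the diffstat.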
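Review bot: The status returned by initiate() is still discarded on the new line, so a failed initiation leaves only the 'initiating IKE_SA for CHILD_SA config' message in the log, while cmd_connection.c in this same patch checks the result against SUCCESS and terminates. Comparing the result, `if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, NULL, NULL, 0, FALSE) != SUCCESS)`, and logging a DBG1 naming the config on failure would make the conformance run's log reflect what actually happened; with a NULL callback and a timeout of 0 the call presumably returns once the job is queued, so this only catches immediate failures. The enclosing initiate(char *config) starts before the hunk and its else branch continues past it.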
+++ b/src/include/Makefile.in
@@ -343,8 +343,7 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 EXTRA_DIST = linux/if_alg.h linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
- linux/pfkeyv2.h linux/udp.h linux/xfrm.h linux/types.h \
- sys/queue.h
+ linux/pfkeyv2.h linux/udp.h linux/xfrm.h sys/queue.h
 all: all-am
diff --git a/src/include/linux/netlink.h b/src/include/linux/netlink.h
index 1aeee628b..777a1b7da 100644
--- a/src/include/linux/netlink.h
+++ b/src/include/linux/netlink.h
@@ -1,14 +1,15 @@
-#ifndef __LINUX_NETLINK_H
-#define __LINUX_NETLINK_H
+#ifndef _UAPI__LINUX_NETLINK_H
+#define _UAPI__LINUX_NETLINK_H
-#include /* for sa_family_t */
+#include
+#include /* for __kernel_sa_family_t */
 #include
 #define NETLINK_ROUTE 0 /* Routing/device hook */
-#define NETLINK_W1 1 /* 1-wire subsystem */
+#define NETLINK_UNUSED 1 /* Unused number */
 #define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */
-#define NETLINK_FIREWALL 3 /* Firewalling hook */
+#define NETLINK_FIREWALL 3 /* Unused number, formerly ip_queue */
-#define NETLINK_INET_DIAG 4 /* INET socket monitoring */
+#define NETLINK_SOCK_DIAG 4 /* socket monitoring */
 #define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */
 #define NETLINK_XFRM 6 /* ipsec */
 #define NETLINK_SELINUX 7 /* SELinux event notifications */
@@ -21,24 +22,29 @@ #define NETLINK_DNRTMSG 14 /* DECnet routing messages */ #define NETLINK_KOBJECT_UEVENT 15 /* Kernel messages to userspace */ #define NETLINK_GENERIC 16 +/* leave room for NETLINK_DM (DM Events) */ +#define NETLINK_SCSITRANSPORT 18 /* SCSI Transports */ +#define NETLINK_ECRYPTFS 19 +#define NETLINK_RDMA 20 +#define NETLINK_CRYPTO 21 /* Crypto layer */ + +#define NETLINK_INET_DIAG NETLINK_SOCK_DIAG #define MAX_LINKS 32 -struct sockaddr_nl -{ - sa_family_t nl_family; /* AF_NETLINK */ +struct sockaddr_nl { + __kernel_sa_family_t nl_family; /* AF_NETLINK */ unsigned short nl_pad; /* zero */ - __u32 nl_pid; /* process pid */ + __u32 nl_pid; /* port ID */ __u32 nl_groups; /* multicast groups mask */ }; -struct nlmsghdr -{ +struct nlmsghdr { __u32 nlmsg_len; /* Length of message including header */ __u16 nlmsg_type; /* Message content */ __u16 nlmsg_flags; /* Additional flags */ __u32 nlmsg_seq; /* Sequence number */ - __u32 nlmsg_pid; /* Sending process PID */ + __u32 nlmsg_pid; /* Sending process port ID */ }; /* Flags values */ @@ -47,6 +53,7 @@ struct nlmsghdr #define NLM_F_MULTI 2 /* Multipart message, terminated by NLMSG_DONE */ #define NLM_F_ACK 4 /* Reply with ack, with zero or error code */ #define NLM_F_ECHO 8 /* Echo this request */ +#define NLM_F_DUMP_INTR 16 /* Dump was inconsistent due to sequence change */ /* Modifiers to GET request */ #define NLM_F_ROOT 0x100 /* specify tree root */ @@ -69,10 +76,10 @@ struct nlmsghdr Check NLM_F_EXCL */ -#define NLMSG_ALIGNTO 4 +#define NLMSG_ALIGNTO 4U #define NLMSG_ALIGN(len) ( ((len)+NLMSG_ALIGNTO-1) & ~(NLMSG_ALIGNTO-1) ) #define NLMSG_HDRLEN ((int) NLMSG_ALIGN(sizeof(struct nlmsghdr))) -#define NLMSG_LENGTH(len) ((len)+NLMSG_ALIGN(NLMSG_HDRLEN)) +#define NLMSG_LENGTH(len) ((len) + NLMSG_HDRLEN) #define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len)) #define NLMSG_DATA(nlh) ((void*)(((char*)nlh) + NLMSG_LENGTH(0))) #define NLMSG_NEXT(nlh,len) ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \ 
@@ -89,21 +96,54 @@ struct nlmsghdr #define NLMSG_MIN_TYPE 0x10 /* < 0x10: reserved control messages */ -struct nlmsgerr -{ +struct nlmsgerr { int error; struct nlmsghdr msg; }; -#define NETLINK_ADD_MEMBERSHIP 1 -#define NETLINK_DROP_MEMBERSHIP 2 -#define NETLINK_PKTINFO 3 - -struct nl_pktinfo -{ +#define NETLINK_ADD_MEMBERSHIP 1 +#define NETLINK_DROP_MEMBERSHIP 2 +#define NETLINK_PKTINFO 3 +#define NETLINK_BROADCAST_ERROR 4 +#define NETLINK_NO_ENOBUFS 5 +#define NETLINK_RX_RING 6 +#define NETLINK_TX_RING 7 +#define NETLINK_LISTEN_ALL_NSID 8 +#define NETLINK_LIST_MEMBERSHIPS 9 + +struct nl_pktinfo { __u32 group; }; +struct nl_mmap_req { + unsigned int nm_block_size; + unsigned int nm_block_nr; + unsigned int nm_frame_size; + unsigned int nm_frame_nr; +}; + +struct nl_mmap_hdr { + unsigned int nm_status; + unsigned int nm_len; + __u32 nm_group; + /* credentials */ + __u32 nm_pid; + __u32 nm_uid; + __u32 nm_gid; +}; + +enum nl_mmap_status { + NL_MMAP_STATUS_UNUSED, + NL_MMAP_STATUS_RESERVED, + NL_MMAP_STATUS_VALID, + NL_MMAP_STATUS_COPY, + NL_MMAP_STATUS_SKIP, +}; + +#define NL_MMAP_MSG_ALIGNMENT NLMSG_ALIGNTO +#define NL_MMAP_MSG_ALIGN(sz) __ALIGN_KERNEL(sz, NL_MMAP_MSG_ALIGNMENT) +#define NL_MMAP_HDRLEN NL_MMAP_MSG_ALIGN(sizeof(struct nl_mmap_hdr)) + #define NET_MAJOR 36 /* Major 36 is reserved for networking */ enum { 
@@ -120,122 +160,28 @@ enum { * <-------------- nlattr->nla_len --------------> */ -struct nlattr -{ +struct nlattr { __u16 nla_len; __u16 nla_type; }; -#define NLA_ALIGNTO 4 -#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1)) -#define NLA_HDRLEN ((int) NLA_ALIGN(sizeof(struct nlattr))) - -#ifdef __KERNEL__ - -#include -#include - -struct netlink_skb_parms -{ - struct ucred creds; /* Skb credentials */ - __u32 pid; - __u32 dst_pid; - __u32 dst_group; - kernel_cap_t eff_cap; - __u32 loginuid; /* Login (audit) uid */ - __u32 sid; /* SELinux security id */ -}; - -#define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) -#define NETLINK_CREDS(skb) (&NETLINK_CB((skb)).creds) - - -extern struct sock *netlink_kernel_create(int unit, unsigned int groups, void (*input)(struct sock *sk, int len), struct module *module); -extern void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err); -extern int netlink_has_listeners(struct sock *sk, unsigned int group); -extern int netlink_unicast(struct sock *ssk, struct sk_buff *skb, __u32 pid, int nonblock); -extern int netlink_broadcast(struct sock *ssk, struct sk_buff *skb, __u32 pid, - __u32 group, gfp_t allocation); -extern void netlink_set_err(struct sock *ssk, __u32 pid, __u32 group, int code); -extern int netlink_register_notifier(struct notifier_block *nb); -extern int netlink_unregister_notifier(struct notifier_block *nb); - -/* finegrained unicast helpers: */ -struct sock *netlink_getsockbyfilp(struct file *filp); -int netlink_attachskb(struct sock *sk, struct sk_buff *skb, int nonblock, - long timeo, struct sock *ssk); -void netlink_detachskb(struct sock *sk, struct sk_buff *skb); -int netlink_sendskb(struct sock *sk, struct sk_buff *skb, int protocol); - /* - * skb should fit one page. This choice is good for headerless malloc. 
+ * nla_type (16 bits) + * +---+---+-------------------------------+ + * | N | O | Attribute Type | + * +---+---+-------------------------------+ + * N := Carries nested attributes + * O := Payload stored in network byte order + * + * Note: The N and O flag are mutually exclusive. */ -#define NLMSG_GOODORDER 0 -#define NLMSG_GOODSIZE (SKB_MAX_ORDER(0, NLMSG_GOODORDER)) - - -struct netlink_callback -{ - struct sk_buff *skb; - struct nlmsghdr *nlh; - int (*dump)(struct sk_buff * skb, struct netlink_callback *cb); - int (*done)(struct netlink_callback *cb); - int family; - long args[5]; -}; - -struct netlink_notify -{ - int pid; - int protocol; -}; - -static __inline__ struct nlmsghdr * -__nlmsg_put(struct sk_buff *skb, __u32 pid, __u32 seq, int type, int len, int flags) -{ - struct nlmsghdr *nlh; - int size = NLMSG_LENGTH(len); - - nlh = (struct nlmsghdr*)skb_put(skb, NLMSG_ALIGN(size)); - nlh->nlmsg_type = type; - nlh->nlmsg_len = size; - nlh->nlmsg_flags = flags; - nlh->nlmsg_pid = pid; - nlh->nlmsg_seq = seq; - memset(NLMSG_DATA(nlh) + len, 0, NLMSG_ALIGN(size) - size); - return nlh; -} - -#define NLMSG_NEW(skb, pid, seq, type, len, flags) \ -({ if (skb_tailroom(skb) < (int)NLMSG_SPACE(len)) \ - goto nlmsg_failure; \ - __nlmsg_put(skb, pid, seq, type, len, flags); }) +#define NLA_F_NESTED (1 << 15) +#define NLA_F_NET_BYTEORDER (1 << 14) +#define NLA_TYPE_MASK ~(NLA_F_NESTED | NLA_F_NET_BYTEORDER) -#define NLMSG_PUT(skb, pid, seq, type, len) \ - NLMSG_NEW(skb, pid, seq, type, len, 0) - -#define NLMSG_NEW_ANSWER(skb, cb, type, len, flags) \ - NLMSG_NEW(skb, NETLINK_CB((cb)->skb).pid, \ - (cb)->nlh->nlmsg_seq, type, len, flags) - -#define NLMSG_END(skb, nlh) \ -({ (nlh)->nlmsg_len = (skb)->tail - (unsigned char *) (nlh); \ - (skb)->len; }) - -#define NLMSG_CANCEL(skb, nlh) \ -({ skb_trim(skb, (unsigned char *) (nlh) - (skb)->data); \ - -1; }) - -extern int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, - struct nlmsghdr *nlh, - int (*dump)(struct sk_buff 
*skb, struct netlink_callback*), - int (*done)(struct netlink_callback*)); - - -#define NL_NONROOT_RECV 0x1 -#define NL_NONROOT_SEND 0x2 -extern void netlink_set_nonroot(int protocol, unsigned flag); +#define NLA_ALIGNTO 4 +#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1)) +#define NLA_HDRLEN ((int) NLA_ALIGN(sizeof(struct nlattr))) -#endif /* __KERNEL__ */ -#endif /* __LINUX_NETLINK_H */ +#endif /* _UAPI__LINUX_NETLINK_H */ diff --git a/src/include/linux/rtnetlink.h b/src/include/linux/rtnetlink.h index 56835d8bd..56f36a19c 100644 --- a/src/include/linux/rtnetlink.h +++ b/src/include/linux/rtnetlink.h @@ -1,7 +1,17 @@ -#ifndef __LINUX_RTNETLINK_H -#define __LINUX_RTNETLINK_H +#ifndef _UAPI__LINUX_RTNETLINK_H +#define _UAPI__LINUX_RTNETLINK_H #include "netlink.h" +#include +#include +#include + +/* rtnetlink families. Values up to 127 are reserved for real address + * families, values above 128 may be used arbitrarily. + */ +#define RTNL_FAMILY_IPMR 128 +#define RTNL_FAMILY_IP6MR 129 +#define RTNL_FAMILY_MAX 129 /**** * Routing/neighbour discovery messages. @@ -80,8 +90,6 @@ enum { RTM_NEWPREFIX = 52, #define RTM_NEWPREFIX RTM_NEWPREFIX - RTM_GETPREFIX = 54, -#define RTM_GETPREFIX RTM_GETPREFIX RTM_GETMULTICAST = 58, #define RTM_GETMULTICAST RTM_GETMULTICAST 
@@ -96,6 +104,40 @@ enum { RTM_SETNEIGHTBL, #define RTM_SETNEIGHTBL RTM_SETNEIGHTBL + RTM_NEWNDUSEROPT = 68, +#define RTM_NEWNDUSEROPT RTM_NEWNDUSEROPT + + RTM_NEWADDRLABEL = 72, +#define RTM_NEWADDRLABEL RTM_NEWADDRLABEL + RTM_DELADDRLABEL, +#define RTM_DELADDRLABEL RTM_DELADDRLABEL + RTM_GETADDRLABEL, +#define RTM_GETADDRLABEL RTM_GETADDRLABEL + + RTM_GETDCB = 78, +#define RTM_GETDCB RTM_GETDCB + RTM_SETDCB, +#define RTM_SETDCB RTM_SETDCB + + RTM_NEWNETCONF = 80, +#define RTM_NEWNETCONF RTM_NEWNETCONF + RTM_GETNETCONF = 82, +#define RTM_GETNETCONF RTM_GETNETCONF + + RTM_NEWMDB = 84, +#define RTM_NEWMDB RTM_NEWMDB + RTM_DELMDB = 85, +#define RTM_DELMDB RTM_DELMDB + RTM_GETMDB = 86, +#define RTM_GETMDB RTM_GETMDB + + RTM_NEWNSID = 88, +#define RTM_NEWNSID RTM_NEWNSID + RTM_DELNSID = 89, +#define RTM_DELNSID RTM_DELNSID + RTM_GETNSID = 90, +#define RTM_GETNSID RTM_GETNSID + __RTM_MAX, #define RTM_MAX (((__RTM_MAX + 3) & ~3) - 1) }; @@ -110,8 +152,7 @@ enum { with attribute type. */ -struct rtattr -{ +struct rtattr { unsigned short rta_len; unsigned short rta_type; }; @@ -137,8 +178,7 @@ struct rtattr * Definitions used in routing table administration. ****/ -struct rtmsg -{ +struct rtmsg { unsigned char rtm_family; unsigned char rtm_dst_len; unsigned char rtm_src_len; @@ -154,8 +194,7 @@ struct rtmsg /* rtm_type */ -enum -{ +enum { RTN_UNSPEC, RTN_UNICAST, /* Gateway or direct route */ RTN_LOCAL, /* Accept locally */ @@ -200,6 +239,9 @@ enum #define RTPROT_DNROUTED 13 /* DECnet routing daemon */ #define RTPROT_XORP 14 /* XORP */ #define RTPROT_NTK 15 /* Netsukuku */ +#define RTPROT_DHCP 16 /* DHCP client */ +#define RTPROT_MROUTED 17 /* Multicast daemon */ +#define RTPROT_BABEL 42 /* Babel daemon */ /* rtm_scope @@ -212,8 +254,7 @@ enum could be assigned a value between UNIVERSE and LINK. */ -enum rt_scope_t -{ +enum rt_scope_t { RT_SCOPE_UNIVERSE=0, /* User defined values */ RT_SCOPE_SITE=200, 
@@ -231,23 +272,20 @@ enum rt_scope_t /* Reserved table identifiers */ -enum rt_class_t -{ +enum rt_class_t { RT_TABLE_UNSPEC=0, /* User defined values */ + RT_TABLE_COMPAT=252, RT_TABLE_DEFAULT=253, RT_TABLE_MAIN=254, RT_TABLE_LOCAL=255, - __RT_TABLE_MAX + RT_TABLE_MAX=0xFFFFFFFF }; -#define RT_TABLE_MAX (__RT_TABLE_MAX - 1) - /* Routing message attributes */ -enum rtattr_type_t -{ +enum rtattr_type_t { RTA_UNSPEC, RTA_DST, RTA_SRC, @@ -258,12 +296,17 @@ enum rtattr_type_t RTA_PREFSRC, RTA_METRICS, RTA_MULTIPATH, - RTA_PROTOINFO, + RTA_PROTOINFO, /* no longer used */ RTA_FLOW, RTA_CACHEINFO, - RTA_SESSION, - RTA_MP_ALGO, + RTA_SESSION, /* no longer used */ + RTA_MP_ALGO, /* no longer used */ RTA_TABLE, + RTA_MARK, + RTA_MFC_STATS, + RTA_VIA, + RTA_NEWDST, + RTA_PREF, __RTA_MAX }; @@ -281,8 +324,7 @@ enum rtattr_type_t * and rtt for different paths from multipath. */ -struct rtnexthop -{ +struct rtnexthop { unsigned short rtnh_len; unsigned char rtnh_flags; unsigned char rtnh_hops; @@ -294,6 +336,10 @@ struct rtnexthop #define RTNH_F_DEAD 1 /* Nexthop is dead (used by multipath) */ #define RTNH_F_PERVASIVE 2 /* Do recursive gateway lookup */ #define RTNH_F_ONLINK 4 /* Gateway is forced on link */ +#define RTNH_F_OFFLOAD 8 /* offloaded route */ +#define RTNH_F_LINKDOWN 16 /* carrier-down on nexthop */ + +#define RTNH_COMPARE_MASK (RTNH_F_DEAD | RTNH_F_LINKDOWN) /* Macros to handle hexthops */ @@ -306,10 +352,15 @@ struct rtnexthop #define RTNH_SPACE(len) RTNH_ALIGN(RTNH_LENGTH(len)) #define RTNH_DATA(rtnh) ((struct rtattr*)(((char*)(rtnh)) + RTNH_LENGTH(0))) +/* RTA_VIA */ +struct rtvia { + __kernel_sa_family_t rtvia_family; + __u8 rtvia_addr[0]; +}; + /* RTM_CACHEINFO */ -struct rta_cacheinfo -{ +struct rta_cacheinfo { __u32 rta_clntref; __u32 rta_lastuse; __s32 rta_expires; @@ -324,8 +375,7 @@ struct rta_cacheinfo /* RTM_METRICS --- array of struct rtattr with types of RTAX_* */ -enum -{ +enum { RTAX_UNSPEC, #define RTAX_UNSPEC RTAX_UNSPEC RTAX_LOCK, 
@@ -352,6 +402,14 @@ enum #define RTAX_INITCWND RTAX_INITCWND RTAX_FEATURES, #define RTAX_FEATURES RTAX_FEATURES + RTAX_RTO_MIN, +#define RTAX_RTO_MIN RTAX_RTO_MIN + RTAX_INITRWND, +#define RTAX_INITRWND RTAX_INITRWND + RTAX_QUICKACK, +#define RTAX_QUICKACK RTAX_QUICKACK + RTAX_CC_ALGO, +#define RTAX_CC_ALGO RTAX_CC_ALGO __RTAX_MAX }; @@ -362,8 +420,7 @@ enum #define RTAX_FEATURE_TIMESTAMP 0x00000004 #define RTAX_FEATURE_ALLFRAG 0x00000008 -struct rta_session -{ +struct rta_session { __u8 proto; __u8 pad1; __u16 pad2; 
@@ -384,232 +441,17 @@ struct rta_session } u; }; - -/********************************************************* - * Interface address. - ****/ - -struct ifaddrmsg -{ - unsigned char ifa_family; - unsigned char ifa_prefixlen; /* The prefix length */ - unsigned char ifa_flags; /* Flags */ - unsigned char ifa_scope; /* See above */ - int ifa_index; /* Link index */ -}; - -enum -{ - IFA_UNSPEC, - IFA_ADDRESS, - IFA_LOCAL, - IFA_LABEL, - IFA_BROADCAST, - IFA_ANYCAST, - IFA_CACHEINFO, - IFA_MULTICAST, - __IFA_MAX -}; - -#define IFA_MAX (__IFA_MAX - 1) - -/* ifa_flags */ - -#define IFA_F_SECONDARY 0x01 -#define IFA_F_TEMPORARY IFA_F_SECONDARY - -#define IFA_F_DEPRECATED 0x20 -#define IFA_F_TENTATIVE 0x40 -#define IFA_F_PERMANENT 0x80 - -struct ifa_cacheinfo -{ - __u32 ifa_prefered; - __u32 ifa_valid; - __u32 cstamp; /* created timestamp, hundredths of seconds */ - __u32 tstamp; /* updated timestamp, hundredths of seconds */ -}; - - -#define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg)))) -#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg)) - -/* - Important comment: - IFA_ADDRESS is prefix address, rather than local interface address. - It makes no difference for normally configured broadcast interfaces, - but for point-to-point IFA_ADDRESS is DESTINATION address, - local address is supplied in IFA_LOCAL attribute. - */ - -/************************************************************** - * Neighbour discovery. 
- ****/ - -struct ndmsg -{ - unsigned char ndm_family; - unsigned char ndm_pad1; - unsigned short ndm_pad2; - int ndm_ifindex; /* Link index */ - __u16 ndm_state; - __u8 ndm_flags; - __u8 ndm_type; -}; - -enum -{ - NDA_UNSPEC, - NDA_DST, - NDA_LLADDR, - NDA_CACHEINFO, - NDA_PROBES, - __NDA_MAX -}; - -#define NDA_MAX (__NDA_MAX - 1) - -#define NDA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg)))) -#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg)) - -/* - * Neighbor Cache Entry Flags - */ - -#define NTF_PROXY 0x08 /* == ATF_PUBL */ -#define NTF_ROUTER 0x80 - -/* - * Neighbor Cache Entry States. - */ - -#define NUD_INCOMPLETE 0x01 -#define NUD_REACHABLE 0x02 -#define NUD_STALE 0x04 -#define NUD_DELAY 0x08 -#define NUD_PROBE 0x10 -#define NUD_FAILED 0x20 - -/* Dummy states */ -#define NUD_NOARP 0x40 -#define NUD_PERMANENT 0x80 -#define NUD_NONE 0x00 - - -struct nda_cacheinfo -{ - __u32 ndm_confirmed; - __u32 ndm_used; - __u32 ndm_updated; - __u32 ndm_refcnt; -}; - - -/***************************************************************** - * Neighbour tables specific messages. - * - * To retrieve the neighbour tables send RTM_GETNEIGHTBL with the - * NLM_F_DUMP flag set. Every neighbour table configuration is - * spread over multiple messages to avoid running into message - * size limits on systems with many interfaces. The first message - * in the sequence transports all not device specific data such as - * statistics, configuration, and the default parameter set. - * This message is followed by 0..n messages carrying device - * specific parameter sets. - * Although the ordering should be sufficient, NDTA_NAME can be - * used to identify sequences. The initial message can be identified - * by checking for NDTA_CONFIG. The device specific messages do - * not contain this TLV but have NDTPA_IFINDEX set to the - * corresponding interface index. - * - * To change neighbour table attributes, send RTM_SETNEIGHTBL - * with NDTA_NAME set. 
Changeable attribute include NDTA_THRESH[1-3], - * NDTA_GC_INTERVAL, and all TLVs in NDTA_PARMS unless marked - * otherwise. Device specific parameter sets can be changed by - * setting NDTPA_IFINDEX to the interface index of the corresponding - * device. - ****/ - -struct ndt_stats -{ - __u64 ndts_allocs; - __u64 ndts_destroys; - __u64 ndts_hash_grows; - __u64 ndts_res_failed; - __u64 ndts_lookups; - __u64 ndts_hits; - __u64 ndts_rcv_probes_mcast; - __u64 ndts_rcv_probes_ucast; - __u64 ndts_periodic_gc_runs; - __u64 ndts_forced_gc_runs; -}; - -enum { - NDTPA_UNSPEC, - NDTPA_IFINDEX, /* __u32, unchangeable */ - NDTPA_REFCNT, /* __u32, read-only */ - NDTPA_REACHABLE_TIME, /* __u64, read-only, msecs */ - NDTPA_BASE_REACHABLE_TIME, /* __u64, msecs */ - NDTPA_RETRANS_TIME, /* __u64, msecs */ - NDTPA_GC_STALETIME, /* __u64, msecs */ - NDTPA_DELAY_PROBE_TIME, /* __u64, msecs */ - NDTPA_QUEUE_LEN, /* __u32 */ - NDTPA_APP_PROBES, /* __u32 */ - NDTPA_UCAST_PROBES, /* __u32 */ - NDTPA_MCAST_PROBES, /* __u32 */ - NDTPA_ANYCAST_DELAY, /* __u64, msecs */ - NDTPA_PROXY_DELAY, /* __u64, msecs */ - NDTPA_PROXY_QLEN, /* __u32 */ - NDTPA_LOCKTIME, /* __u64, msecs */ - __NDTPA_MAX -}; -#define NDTPA_MAX (__NDTPA_MAX - 1) - -struct ndtmsg -{ - __u8 ndtm_family; - __u8 ndtm_pad1; - __u16 ndtm_pad2; -}; - -struct ndt_config -{ - __u16 ndtc_key_len; - __u16 ndtc_entry_size; - __u32 ndtc_entries; - __u32 ndtc_last_flush; /* delta to now in msecs */ - __u32 ndtc_last_rand; /* delta to now in msecs */ - __u32 ndtc_hash_rnd; - __u32 ndtc_hash_mask; - __u32 ndtc_hash_chain_gc; - __u32 ndtc_proxy_qlen; -}; - -enum { - NDTA_UNSPEC, - NDTA_NAME, /* char *, unchangeable */ - NDTA_THRESH1, /* __u32 */ - NDTA_THRESH2, /* __u32 */ - NDTA_THRESH3, /* __u32 */ - NDTA_CONFIG, /* struct ndt_config, read-only */ - NDTA_PARMS, /* nested TLV NDTPA_* */ - NDTA_STATS, /* struct ndt_stats, read-only */ - NDTA_GC_INTERVAL, /* __u64, msecs */ - __NDTA_MAX +struct rta_mfc_stats { + __u64 mfcs_packets; + __u64 
mfcs_bytes; + __u64 mfcs_wrong_if; }; -#define NDTA_MAX (__NDTA_MAX - 1) - -#define NDTA_RTA(r) ((struct rtattr*)(((char*)(r)) + \ - NLMSG_ALIGN(sizeof(struct ndtmsg)))) -#define NDTA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndtmsg)) - /**** * General form of address family dependent message. ****/ -struct rtgenmsg -{ +struct rtgenmsg { unsigned char rtgen_family; }; @@ -622,8 +464,7 @@ struct rtgenmsg * on network protocol. */ -struct ifinfomsg -{ +struct ifinfomsg { unsigned char ifi_family; unsigned char __ifi_pad; unsigned short ifi_type; /* ARPHRD_* */ @@ -636,8 +477,7 @@ struct ifinfomsg * prefix information ****/ -struct prefixmsg -{ +struct prefixmsg { unsigned char prefix_family; unsigned char prefix_pad1; unsigned short prefix_pad2; 
@@ -658,151 +498,17 @@ enum #define PREFIX_MAX (__PREFIX_MAX - 1) -struct prefix_cacheinfo -{ +struct prefix_cacheinfo { __u32 preferred_time; __u32 valid_time; }; -/* The struct should be in sync with struct net_device_stats */ -struct rtnl_link_stats -{ - __u32 rx_packets; /* total packets received */ - __u32 tx_packets; /* total packets transmitted */ - __u32 rx_bytes; /* total bytes received */ - __u32 tx_bytes; /* total bytes transmitted */ - __u32 rx_errors; /* bad packets received */ - __u32 tx_errors; /* packet transmit problems */ - __u32 rx_dropped; /* no space in linux buffers */ - __u32 tx_dropped; /* no space available in linux */ - __u32 multicast; /* multicast packets received */ - __u32 collisions; - - /* detailed rx_errors: */ - __u32 rx_length_errors; - __u32 rx_over_errors; /* receiver ring buff overflow */ - __u32 rx_crc_errors; /* recved pkt with crc error */ - __u32 rx_frame_errors; /* recv'd frame alignment error */ - __u32 rx_fifo_errors; /* recv'r fifo overrun */ - __u32 rx_missed_errors; /* receiver missed packet */ - - /* detailed tx_errors */ - __u32 tx_aborted_errors; - __u32 tx_carrier_errors; - __u32 tx_fifo_errors; - __u32 tx_heartbeat_errors; - __u32 tx_window_errors; - - /* for cslip etc */ - __u32 rx_compressed; - __u32 tx_compressed; -}; - -/* The struct should be in sync with struct ifmap */ -struct rtnl_link_ifmap -{ - __u64 mem_start; - __u64 mem_end; - __u64 base_addr; - __u16 irq; - __u8 dma; - __u8 port; -}; - -enum -{ - IFLA_UNSPEC, - IFLA_ADDRESS, - IFLA_BROADCAST, - IFLA_IFNAME, - IFLA_MTU, - IFLA_LINK, - IFLA_QDISC, - IFLA_STATS, - IFLA_COST, -#define IFLA_COST IFLA_COST - IFLA_PRIORITY, -#define IFLA_PRIORITY IFLA_PRIORITY - IFLA_MASTER, -#define IFLA_MASTER IFLA_MASTER - IFLA_WIRELESS, /* Wireless Extension event - see wireless.h */ -#define IFLA_WIRELESS IFLA_WIRELESS - IFLA_PROTINFO, /* Protocol specific information for a link */ -#define IFLA_PROTINFO IFLA_PROTINFO - IFLA_TXQLEN, -#define IFLA_TXQLEN IFLA_TXQLEN - 
IFLA_MAP, -#define IFLA_MAP IFLA_MAP - IFLA_WEIGHT, -#define IFLA_WEIGHT IFLA_WEIGHT - IFLA_OPERSTATE, - IFLA_LINKMODE, - __IFLA_MAX -}; - - -#define IFLA_MAX (__IFLA_MAX - 1) - -#define IFLA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg)))) -#define IFLA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg)) - -/* ifi_flags. - - IFF_* flags. - - The only change is: - IFF_LOOPBACK, IFF_BROADCAST and IFF_POINTOPOINT are - more not changeable by user. They describe link media - characteristics and set by device driver. - - Comments: - - Combination IFF_BROADCAST|IFF_POINTOPOINT is invalid - - If neither of these three flags are set; - the interface is NBMA. - - - IFF_MULTICAST does not mean anything special: - multicasts can be used on all not-NBMA links. - IFF_MULTICAST means that this media uses special encapsulation - for multicast frames. Apparently, all IFF_POINTOPOINT and - IFF_BROADCAST devices are able to use multicasts too. - */ - -/* IFLA_LINK. - For usual devices it is equal ifi_index. - If it is a "virtual interface" (f.e. tunnel), ifi_link - can point to real physical interface (f.e. for bandwidth calculations), - or maybe 0, what means, that real media is unknown (usual - for IPIP tunnels, when route to endpoint is allowed to change) - */ - -/* Subtype attributes for IFLA_PROTINFO */ -enum -{ - IFLA_INET6_UNSPEC, - IFLA_INET6_FLAGS, /* link flags */ - IFLA_INET6_CONF, /* sysctl parameters */ - IFLA_INET6_STATS, /* statistics */ - IFLA_INET6_MCAST, /* MC things. What of them? */ - IFLA_INET6_CACHEINFO, /* time values and max reasm size */ - __IFLA_INET6_MAX -}; - -#define IFLA_INET6_MAX (__IFLA_INET6_MAX - 1) - -struct ifla_cacheinfo -{ - __u32 max_reasm_len; - __u32 tstamp; /* ipv6InterfaceTable updated timestamp */ - __u32 reachable_time; - __u32 retrans_time; -}; /***************************************************************** * Traffic control messages. 
****/ -struct tcmsg -{ +struct tcmsg { unsigned char tcm_family; unsigned char tcm__pad1; unsigned short tcm__pad2; @@ -812,8 +518,7 @@ struct tcmsg __u32 tcm_info; }; -enum -{ +enum { TCA_UNSPEC, TCA_KIND, TCA_OPTIONS, @@ -822,6 +527,7 @@ enum TCA_RATE, TCA_FCNT, TCA_STATS2, + TCA_STAB, __TCA_MAX }; @@ -830,6 +536,30 @@ enum #define TCA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcmsg)))) #define TCA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcmsg)) +/******************************************************************** + * Neighbor Discovery userland options + ****/ + +struct nduseroptmsg { + unsigned char nduseropt_family; + unsigned char nduseropt_pad1; + unsigned short nduseropt_opts_len; /* Total length of options */ + int nduseropt_ifindex; + __u8 nduseropt_icmp_type; + __u8 nduseropt_icmp_code; + unsigned short nduseropt_pad2; + unsigned int nduseropt_pad3; + /* Followed by one or more ND options */ +}; + +enum { + NDUSEROPT_UNSPEC, + NDUSEROPT_SRCADDR, + __NDUSEROPT_MAX +}; + +#define NDUSEROPT_MAX (__NDUSEROPT_MAX - 1) + #ifndef __KERNEL__ /* RTnetlink multicast groups - backwards compatibility for userspace */ #define RTMGRP_LINK 1 
@@ -886,17 +616,37 @@ enum rtnetlink_groups { RTNLGRP_NOP2, RTNLGRP_DECnet_ROUTE, #define RTNLGRP_DECnet_ROUTE RTNLGRP_DECnet_ROUTE - RTNLGRP_NOP3, + RTNLGRP_DECnet_RULE, +#define RTNLGRP_DECnet_RULE RTNLGRP_DECnet_RULE RTNLGRP_NOP4, RTNLGRP_IPV6_PREFIX, #define RTNLGRP_IPV6_PREFIX RTNLGRP_IPV6_PREFIX + RTNLGRP_IPV6_RULE, +#define RTNLGRP_IPV6_RULE RTNLGRP_IPV6_RULE + RTNLGRP_ND_USEROPT, +#define RTNLGRP_ND_USEROPT RTNLGRP_ND_USEROPT + RTNLGRP_PHONET_IFADDR, +#define RTNLGRP_PHONET_IFADDR RTNLGRP_PHONET_IFADDR + RTNLGRP_PHONET_ROUTE, +#define RTNLGRP_PHONET_ROUTE RTNLGRP_PHONET_ROUTE + RTNLGRP_DCB, +#define RTNLGRP_DCB RTNLGRP_DCB + RTNLGRP_IPV4_NETCONF, +#define RTNLGRP_IPV4_NETCONF RTNLGRP_IPV4_NETCONF + RTNLGRP_IPV6_NETCONF, +#define RTNLGRP_IPV6_NETCONF RTNLGRP_IPV6_NETCONF + RTNLGRP_MDB, +#define RTNLGRP_MDB RTNLGRP_MDB + RTNLGRP_MPLS_ROUTE, +#define RTNLGRP_MPLS_ROUTE RTNLGRP_MPLS_ROUTE + RTNLGRP_NSID, +#define RTNLGRP_NSID RTNLGRP_NSID __RTNLGRP_MAX }; #define RTNLGRP_MAX (__RTNLGRP_MAX - 1) /* TC action piece */ -struct tcamsg -{ +struct tcamsg { unsigned char tca_family; unsigned char tca__pad1; unsigned short tca__pad2; 
@@ -906,168 +656,13 @@ struct tcamsg #define TCA_ACT_TAB 1 /* attr type must be >=1 */ #define TCAA_MAX 1 -/* End of information exported to user level */ - -#ifdef __KERNEL__ - -#include -#include - -extern size_t rtattr_strlcpy(char *dest, const struct rtattr *rta, size_t size); -static __inline__ int rtattr_strcmp(const struct rtattr *rta, const char *str) -{ - int len = strlen(str) + 1; - return len > rta->rta_len || memcmp(RTA_DATA(rta), str, len); -} - -extern int rtattr_parse(struct rtattr *tb[], int maxattr, struct rtattr *rta, int len); - -#define rtattr_parse_nested(tb, max, rta) \ - rtattr_parse((tb), (max), RTA_DATA((rta)), RTA_PAYLOAD((rta))) - -extern struct sock *rtnl; - -struct rtnetlink_link -{ - int (*doit)(struct sk_buff *, struct nlmsghdr*, void *attr); - int (*dumpit)(struct sk_buff *, struct netlink_callback *cb); -}; - -extern struct rtnetlink_link * rtnetlink_links[NPROTO]; -extern int rtnetlink_send(struct sk_buff *skb, __u32 pid, __u32 group, int echo); -extern int rtnetlink_put_metrics(struct sk_buff *skb, __u32 *metrics); +/* New extended info filters for IFLA_EXT_MASK */ +#define RTEXT_FILTER_VF (1 << 0) +#define RTEXT_FILTER_BRVLAN (1 << 1) +#define RTEXT_FILTER_BRVLAN_COMPRESSED (1 << 2) -extern void __rta_fill(struct sk_buff *skb, int attrtype, int attrlen, const void *data); - -#define RTA_PUT(skb, attrtype, attrlen, data) \ -({ if (unlikely(skb_tailroom(skb) < (int)RTA_SPACE(attrlen))) \ - goto rtattr_failure; \ - __rta_fill(skb, attrtype, attrlen, data); }) - -#define RTA_APPEND(skb, attrlen, data) \ -({ if (unlikely(skb_tailroom(skb) < (int)(attrlen))) \ - goto rtattr_failure; \ - memcpy(skb_put(skb, attrlen), data, attrlen); }) - -#define RTA_PUT_NOHDR(skb, attrlen, data) \ -({ RTA_APPEND(skb, RTA_ALIGN(attrlen), data); \ - memset(skb->tail - (RTA_ALIGN(attrlen) - attrlen), 0, \ - RTA_ALIGN(attrlen) - attrlen); }) - -#define RTA_PUT_U8(skb, attrtype, value) \ -({ __u8 _tmp = (value); \ - RTA_PUT(skb, attrtype, sizeof(__u8), 
&_tmp); }) - -#define RTA_PUT_U16(skb, attrtype, value) \ -({ __u16 _tmp = (value); \ - RTA_PUT(skb, attrtype, sizeof(__u16), &_tmp); }) - -#define RTA_PUT_U32(skb, attrtype, value) \ -({ __u32 _tmp = (value); \ - RTA_PUT(skb, attrtype, sizeof(__u32), &_tmp); }) - -#define RTA_PUT_U64(skb, attrtype, value) \ -({ __u64 _tmp = (value); \ - RTA_PUT(skb, attrtype, sizeof(__u64), &_tmp); }) - -#define RTA_PUT_SECS(skb, attrtype, value) \ - RTA_PUT_U64(skb, attrtype, (value) / HZ) - -#define RTA_PUT_MSECS(skb, attrtype, value) \ - RTA_PUT_U64(skb, attrtype, jiffies_to_msecs(value)) - -#define RTA_PUT_STRING(skb, attrtype, value) \ - RTA_PUT(skb, attrtype, strlen(value) + 1, value) - -#define RTA_PUT_FLAG(skb, attrtype) \ - RTA_PUT(skb, attrtype, 0, NULL); - -#define RTA_NEST(skb, type) \ -({ struct rtattr *__start = (struct rtattr *) (skb)->tail; \ - RTA_PUT(skb, type, 0, NULL); \ - __start; }) - -#define RTA_NEST_END(skb, start) \ -({ (start)->rta_len = ((skb)->tail - (unsigned char *) (start)); \ - (skb)->len; }) - -#define RTA_NEST_CANCEL(skb, start) \ -({ if (start) \ - skb_trim(skb, (unsigned char *) (start) - (skb)->data); \ - -1; }) - -#define RTA_GET_U8(rta) \ -({ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u8)) \ - goto rtattr_failure; \ - *(__u8 *) RTA_DATA(rta); }) - -#define RTA_GET_U16(rta) \ -({ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u16)) \ - goto rtattr_failure; \ - *(__u16 *) RTA_DATA(rta); }) - -#define RTA_GET_U32(rta) \ -({ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u32)) \ - goto rtattr_failure; \ - *(__u32 *) RTA_DATA(rta); }) - -#define RTA_GET_U64(rta) \ -({ __u64 _tmp; \ - if (!rta || RTA_PAYLOAD(rta) < sizeof(__u64)) \ - goto rtattr_failure; \ - memcpy(&_tmp, RTA_DATA(rta), sizeof(_tmp)); \ - _tmp; }) +/* End of information exported to user level */ -#define RTA_GET_FLAG(rta) (!!(rta)) -#define RTA_GET_SECS(rta) ((unsigned long) RTA_GET_U64(rta) * HZ) -#define RTA_GET_MSECS(rta) (msecs_to_jiffies((unsigned long) RTA_GET_U64(rta))) -static __inline__ 
struct rtattr * -__rta_reserve(struct sk_buff *skb, int attrtype, int attrlen) -{ - struct rtattr *rta; - int size = RTA_LENGTH(attrlen); - - rta = (struct rtattr*)skb_put(skb, RTA_ALIGN(size)); - rta->rta_type = attrtype; - rta->rta_len = size; - memset(RTA_DATA(rta) + attrlen, 0, RTA_ALIGN(size) - size); - return rta; -} - -#define __RTA_PUT(skb, attrtype, attrlen) \ -({ if (unlikely(skb_tailroom(skb) < (int)RTA_SPACE(attrlen))) \ - goto rtattr_failure; \ - __rta_reserve(skb, attrtype, attrlen); }) - -extern void rtmsg_ifinfo(int type, struct net_device *dev, unsigned change); - -/* RTNL is used as a global lock for all changes to network configuration */ -extern void rtnl_lock(void); -extern void rtnl_unlock(void); -extern int rtnl_trylock(void); - -extern void rtnetlink_init(void); -extern void __rtnl_unlock(void); - -#define ASSERT_RTNL() do { \ - if (unlikely(rtnl_trylock())) { \ - rtnl_unlock(); \ - printk(KERN_ERR "RTNL: assertion failed at %s (%d)\n", \ - __FILE__, __LINE__); \ - dump_stack(); \ - } \ -} while(0) - -#define BUG_TRAP(x) do { \ - if (unlikely(!(x))) { \ - printk(KERN_ERR "KERNEL: assertion (%s) failed at %s (%d)\n", \ - #x, __FILE__ , __LINE__); \ - } \ -} while(0) - -#endif /* __KERNEL__ */ - - -#endif /* __LINUX_RTNETLINK_H */ +#endif /* _UAPI__LINUX_RTNETLINK_H */ diff --git a/src/include/linux/types.h b/src/include/linux/types.h deleted file mode 100644 index 22cfdc05e..000000000 --- a/src/include/linux/types.h +++ /dev/null 
@@ -1,172 +0,0 @@ -#ifndef _LINUX_TYPES_H -#define _LINUX_TYPES_H - - -#include -#include - -#ifndef __KERNEL_STRICT_NAMES - -typedef __u32 __kernel_dev_t; - -typedef __kernel_fd_set fd_set; -typedef __kernel_dev_t dev_t; -typedef __kernel_ino_t ino_t; -typedef __kernel_mode_t mode_t; -typedef __kernel_nlink_t nlink_t; -typedef __kernel_off_t off_t; -typedef __kernel_pid_t pid_t; -typedef __kernel_daddr_t daddr_t; -typedef __kernel_key_t key_t; -typedef __kernel_suseconds_t suseconds_t; -typedef __kernel_timer_t timer_t; -typedef __kernel_clockid_t clockid_t; -typedef __kernel_mqd_t mqd_t; - -typedef __kernel_uid_t uid_t; -typedef __kernel_gid_t gid_t; - -#if defined(__GNUC__) && !defined(__STRICT_ANSI__) -typedef __kernel_loff_t loff_t; -#endif - -/* - * The following typedefs are also protected by individual ifdefs for - * historical reasons: - */ -#ifndef _SIZE_T -#define _SIZE_T -typedef __kernel_size_t size_t; -#endif - -#ifndef _SSIZE_T -#define _SSIZE_T -typedef __kernel_ssize_t ssize_t; -#endif - -#ifndef _PTRDIFF_T -#define _PTRDIFF_T -typedef __kernel_ptrdiff_t ptrdiff_t; -#endif - -#ifndef _TIME_T -#define _TIME_T -typedef __kernel_time_t time_t; -#endif - -#ifndef _CLOCK_T -#define _CLOCK_T -typedef __kernel_clock_t clock_t; -#endif - -#ifndef _CADDR_T -#define _CADDR_T -typedef __kernel_caddr_t caddr_t; -#endif - -/* bsd */ -typedef unsigned char u_char; -typedef unsigned short u_short; -typedef unsigned int u_int; -typedef unsigned long u_long; - -/* sysv */ -typedef unsigned char unchar; -typedef unsigned short ushort; -typedef unsigned int uint; -typedef unsigned long ulong; - -#ifndef __BIT_TYPES_DEFINED__ -#define __BIT_TYPES_DEFINED__ - -typedef __u8 u_int8_t; -typedef __s8 int8_t; -typedef __u16 u_int16_t; -typedef __s16 int16_t; -typedef __u32 u_int32_t; -typedef __s32 int32_t; - -#endif /* !(__BIT_TYPES_DEFINED__) */ - -typedef __u8 uint8_t; -typedef __u16 uint16_t; -typedef __u32 uint32_t; - -#if defined(__GNUC__) && !defined(__STRICT_ANSI__) 
-typedef __u64 uint64_t; -typedef __u64 u_int64_t; -typedef __s64 int64_t; -#endif - -/* this is a special 64bit data type that is 8-byte aligned */ -#define aligned_u64 unsigned long long __attribute__((aligned(8))) -#define aligned_be64 __be64 __attribute__((aligned(8))) -#define aligned_le64 __le64 __attribute__((aligned(8))) - -/** - * The type used for indexing onto a disc or disc partition. - * - * Linux always considers sectors to be 512 bytes long independently - * of the devices real block size. - */ -#ifdef CONFIG_LBD -typedef u64 sector_t; -#else -typedef unsigned long sector_t; -#endif - -/* - * The type of the inode's block count. - */ -#ifdef CONFIG_LSF -typedef u64 blkcnt_t; -#else -typedef unsigned long blkcnt_t; -#endif - -/* - * The type of an index into the pagecache. Use a #define so asm/types.h - * can override it. - */ -#ifndef pgoff_t -#define pgoff_t unsigned long -#endif - -#endif /* __KERNEL_STRICT_NAMES */ - -/* - * Below are truly Linux-specific types that should never collide with - * any application/library that wants linux/types.h. - */ - -#ifdef __CHECKER__ -#define __bitwise__ __attribute__((bitwise)) -#else -#define __bitwise__ -#endif -#ifdef __CHECK_ENDIAN__ -#define __bitwise __bitwise__ -#else -#define __bitwise -#endif - -typedef __u16 __bitwise __le16; -typedef __u16 __bitwise __be16; -typedef __u32 __bitwise __le32; -typedef __u32 __bitwise __be32; -#if defined(__GNUC__) && !defined(__STRICT_ANSI__) -typedef __u64 __bitwise __le64; -typedef __u64 __bitwise __be64; -#endif -typedef __u16 __bitwise __sum16; -typedef __u32 __bitwise __wsum; - - -struct ustat { - __kernel_daddr_t f_tfree; - __kernel_ino_t f_tinode; - char f_fname[6]; - char f_fpack[6]; -}; - -#endif /* _LINUX_TYPES_H */ diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index f9c54f8a4..9795451e8 100644 --- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 
@@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.3.1dr1" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.3.3dr5" "strongSwan" . .SH NAME . diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c index 9464ceb5d..dee9e4c29 100644 --- a/src/libcharon/config/ike_cfg.c +++ b/src/libcharon/config/ike_cfg.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012-2015 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -510,6 +511,52 @@ static void parse_addresses(char *str, linked_list_t *hosts, enumerator->destroy(enumerator); } +/** + * Described in header. + */ +int ike_cfg_get_family(ike_cfg_t *cfg, bool local) +{ + private_ike_cfg_t *this = (private_ike_cfg_t*)cfg; + enumerator_t *enumerator; + host_t *host; + char *str; + int family = AF_UNSPEC; + + if (local) + { + enumerator = this->my_hosts->create_enumerator(this->my_hosts); + } + else + { + enumerator = this->other_hosts->create_enumerator(this->other_hosts); + } + while (enumerator->enumerate(enumerator, &str)) + { + if (streq(str, "%any")) + { /* ignore %any as its family is undetermined */ + continue; + } + host = host_create_from_string(str, 0); + if (host) + { + if (family == AF_UNSPEC) + { + family = host->get_family(host); + } + else if (family != host->get_family(host)) + { + /* more than one address family defined */ + family = AF_UNSPEC; + host->destroy(host); + break; + } + } + DESTROY_IF(host); + } + enumerator->destroy(enumerator); + return family; +} + /** * Described in header. */ diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h index adfcabf70..a72960f4f 100644 --- a/src/libcharon/config/ike_cfg.h +++ b/src/libcharon/config/ike_cfg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil 
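Review bot: The two branches that choose the host list in ike_cfg_get_family differ only in which list they enumerate; picking the list first and enumerating once reads more directly, e.g. `linked_list_t *hosts = local ? this->my_hosts : this->other_hosts;` followed by `enumerator = hosts->create_enumerator(hosts);`. Separately, any entry that host_create_from_string() cannot parse (presumably a DNS name) is silently skipped, so a configuration mixing a hostname with one literal reports that literal's family; if that is intended, a comment at the `if (host)` check such as `/* entries that are not literal addresses carry no family, skip them */` would make the contract explicit.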
@@ -160,7 +160,7 @@ struct ike_cfg_t { * * Returned list and its proposals must be destroyed after use. * - * @return list containing all the proposals + * @return list containing all the proposals */ linked_list_t* (*get_proposals) (ike_cfg_t *this); @@ -247,11 +247,22 @@ struct ike_cfg_t { * @param other_port IKE port to use as dest, 500 uses IKEv2 port floating * @param fragmentation use IKEv1 fragmentation * @param dscp DSCP value to send IKE packets with - * @return ike_cfg_t object. + * @return ike_cfg_t object. */ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, char *me, u_int16_t my_port, char *other, u_int16_t other_port, fragmentation_t fragmentation, u_int8_t dscp); +/** + * Determine the address family of the local or remtoe address(es). If multiple + * families are configured AF_UNSPEC is returned. %any is ignored (%any4|6 are + * not though). + * + * @param this ike config to check + * @param local TRUE to check local addresses, FALSE for remote + * @return address family of address(es) if distinct + */ +int ike_cfg_get_family(ike_cfg_t *this, bool local); + #endif /** IKE_CFG_H_ @}*/ diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c index fd8349e2f..6dd54b473 100644 --- a/src/libcharon/control/controller.c +++ b/src/libcharon/control/controller.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2012 Tobias Brunner + * Copyright (C) 2011-2015 Tobias Brunner * Copyright (C) 2007-2011 Martin Willi * Copyright (C) 2011 revosec AG * Hochschule fuer Technik Rapperswil @@ -116,6 +116,11 @@ struct interface_listener_t { * spinlock to update the IKE_SA handle properly */ spinlock_t *lock; + + /** + * whether to check limits + */ + bool limits; }; @@ -358,7 +363,6 @@ METHOD(job_t, initiate_execute, job_requeue_t, listener->child_cfg->destroy(listener->child_cfg); peer_cfg->destroy(peer_cfg); listener->status = FAILED; - /* release listener */ listener_done(listener); return JOB_REQUEUE_NONE; } 
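Review bot: The new doc comment for ike_cfg_get_family has a typo, `remtoe` for `remote`: `* Determine the address family of the local or remtoe address(es). If multiple` should read `* Determine the address family of the local or remote address(es). If multiple`. It would also help callers to state that AF_UNSPEC is returned both when the families are mixed and when no configured address yields a family at all, since a caller comparing against AF_UNSPEC cannot tell the two apart; e.g. `@return address family of address(es) if distinct, AF_UNSPEC otherwise`.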
@@ -372,6 +376,49 @@ METHOD(job_t, initiate_execute, job_requeue_t, } peer_cfg->destroy(peer_cfg); + if (listener->limits && ike_sa->get_state(ike_sa) == IKE_CREATED) + { /* only check if we are not reusing an IKE_SA */ + u_int half_open, limit_half_open, limit_job_load; + + half_open = charon->ike_sa_manager->get_half_open_count( + charon->ike_sa_manager, NULL, FALSE); + limit_half_open = lib->settings->get_int(lib->settings, + "%s.init_limit_half_open", 0, lib->ns); + limit_job_load = lib->settings->get_int(lib->settings, + "%s.init_limit_job_load", 0, lib->ns); + if (limit_half_open && half_open >= limit_half_open) + { + DBG1(DBG_IKE, "abort IKE_SA initiation, half open IKE_SA count of " + "%d exceeds limit of %d", half_open, limit_half_open); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); + listener->child_cfg->destroy(listener->child_cfg); + listener->status = INVALID_STATE; + listener_done(listener); + return JOB_REQUEUE_NONE; + } + if (limit_job_load) + { + u_int jobs = 0, i; + + for (i = 0; i < JOB_PRIO_MAX; i++) + { + jobs += lib->processor->get_job_load(lib->processor, i); + } + if (jobs > limit_job_load) + { + DBG1(DBG_IKE, "abort IKE_SA initiation, job load of %d exceeds " + "limit of %d", jobs, limit_job_load); + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, ike_sa); + listener->child_cfg->destroy(listener->child_cfg); + listener->status = INVALID_STATE; + listener_done(listener); + return JOB_REQUEUE_NONE; + } + } + } + if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS) { if (!listener->logger.callback) @@ -391,7 +438,7 @@ METHOD(job_t, initiate_execute, job_requeue_t, METHOD(controller_t, initiate, status_t, private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, - controller_cb_t callback, void *param, u_int timeout) + controller_cb_t callback, void *param, u_int timeout, bool limits) { interface_job_t *job; status_t status; 
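Review bot: The two limit checks added to initiate_execute repeat the same abort sequence (checkin_and_destroy, child_cfg destroy, INVALID_STATE, listener_done, return), and the comparisons disagree: the half-open check aborts at `half_open >= limit_half_open` while the job-load check aborts only at `jobs > limit_job_load`, yet both log "exceeds limit". Setting a single flag in the checks and running the teardown once keeps the two paths from drifting, and the threshold comparison should be aligned one way or the other (or the first message reworded to "reaches limit"). The settings are re-read on every initiation, which presumably is deliberate so the limits can be changed at runtime; a short comment saying so would prevent a later "optimisation". initiate_execute begins and ends outside this hunk.
```c
	if (listener->limits && ike_sa->get_state(ike_sa) == IKE_CREATED)
	{	/* only check if we are not reusing an IKE_SA */
		bool exceeded = FALSE;
		/* … unchanged: read half_open, limit_half_open, limit_job_load … */
		if (limit_half_open && half_open >= limit_half_open)
		{
			DBG1(DBG_IKE, "abort IKE_SA initiation, half open IKE_SA count of "
				 "%d exceeds limit of %d", half_open, limit_half_open);
			exceeded = TRUE;
		}
		else if (limit_job_load)
		{
			/* … unchanged: declare jobs and sum get_job_load() over JOB_PRIO_MAX … */
			if (jobs > limit_job_load)
			{
				DBG1(DBG_IKE, "abort IKE_SA initiation, job load of %d exceeds "
					 "limit of %d", jobs, limit_job_load);
				exceeded = TRUE;
			}
		}
		if (exceeded)
		{
			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
														ike_sa);
			listener->child_cfg->destroy(listener->child_cfg);
			listener->status = INVALID_STATE;
			listener_done(listener);
			return JOB_REQUEUE_NONE;
		}
	}
```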
@@ -414,6 +461,7 @@ METHOD(controller_t, initiate, status_t, .child_cfg = child_cfg, .peer_cfg = peer_cfg, .lock = spinlock_create(), + .limits = limits, }, .public = { .execute = _initiate_execute, diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h index 02f4ebb2b..5ffeac522 100644 --- a/src/libcharon/control/controller.h +++ b/src/libcharon/control/controller.h @@ -82,15 +82,18 @@ struct controller_t { * @param cb logging callback * @param param parameter to include in each call of cb * @param timeout timeout in ms to wait for callbacks, 0 to disable + * @param limits whether to check limits regarding IKE_SA initiation * @return * - SUCCESS, if CHILD_SA established * - FAILED, if setup failed * - NEED_MORE, if callback returned FALSE * - OUT_OF_RES if timed out + * - INVALID_STATE if limits prevented initiation */ status_t (*initiate)(controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, - controller_cb_t callback, void *param, u_int timeout); + controller_cb_t callback, void *param, u_int timeout, + bool limits); /** * Terminate an IKE_SA and all of its CHILD_SAs. diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index b1b8f57f0..316be7611 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c @@ -462,6 +462,10 @@ static void destroy(private_daemon_t *this) { this->public.traps->flush(this->public.traps); } + if (this->public.shunts) + { + this->public.shunts->flush(this->public.shunts); + } if (this->public.sender) { this->public.sender->flush(this->public.sender); diff --git a/src/libcharon/encoding/payloads/fragment_payload.c b/src/libcharon/encoding/payloads/fragment_payload.c index b861fcc68..7f158f548 100644 --- a/src/libcharon/encoding/payloads/fragment_payload.c +++ b/src/libcharon/encoding/payloads/fragment_payload.c 
@@ -222,4 +222,4 @@ fragment_payload_t *fragment_payload_create_from_data(u_int8_t num, bool last, this->data = chunk_clone(data); this->payload_length = get_header_length(this) + data.len; return &this->public; -} \ No newline at end of file +} diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 48dcfeb24..65ce667c7 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -914,6 +914,11 @@ static void add_to_proposal_v1_ike(proposal_t *proposal, if (encr != ENCR_UNDEFINED) { + if (encr == ENCR_AES_CBC && !key_length) + { /* some implementations don't send a Key Length attribute for + * AES-128, early drafts of RFC 3602 allowed that */ + key_length = 128; + } proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, key_length); } } @@ -962,6 +967,12 @@ static void add_to_proposal_v1(proposal_t *proposal, transform->get_transform_id(transform)); if (encr) { + if (encr == ENCR_AES_CBC && !key_length) + { /* some implementations don't send a Key Length attribute for + * AES-128, early drafts of RFC 3602 allowed that for IKE, some + * also seem to do it for ESP */ + key_length = 128; + } proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, key_length); } diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c index 6902c4847..a2f2016ff 100644 --- a/src/libcharon/network/receiver.c +++ b/src/libcharon/network/receiver.c 
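Review bot: The identical AES-128 fallback `if (encr == ENCR_AES_CBC && !key_length) { key_length = 128; }` now appears in both add_to_proposal_v1_ike and add_to_proposal_v1 with near-duplicate comments; a static helper keeps this interoperability rule in one place so the two copies cannot drift. Because the fallback silently turns an omitted Key Length attribute into a concrete key size, a debug log line when it fires would make interoperability problems easier to diagnose. Both enclosing functions extend beyond their hunks.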
@@ -322,16 +322,18 @@ static bool cookie_required(private_receiver_t *this, */ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message) { - u_int half_open; + u_int half_open, half_open_r; u_int32_t now; now = time_monotonic(NULL); half_open = charon->ike_sa_manager->get_half_open_count( - charon->ike_sa_manager, NULL); + charon->ike_sa_manager, NULL, FALSE); + half_open_r = charon->ike_sa_manager->get_half_open_count( + charon->ike_sa_manager, NULL, TRUE); /* check for cookies in IKEv2 */ if (message->get_major_version(message) == IKEV2_MAJOR_VERSION && - cookie_required(this, half_open, now) && !check_cookie(this, message)) + cookie_required(this, half_open_r, now) && !check_cookie(this, message)) { chunk_t cookie; @@ -372,7 +374,7 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message) /* check if peer has too many IKE_SAs half open */ if (this->block_threshold && charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, - message->get_source(message)) >= this->block_threshold) + message->get_source(message), TRUE) >= this->block_threshold) { DBG1(DBG_NET, "ignoring IKE_SA setup from %H, " "peer too aggressive", message->get_source(message)); @@ -381,7 +383,7 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message) /* check if global half open IKE_SA limit reached */ if (this->init_limit_half_open && - half_open >= this->init_limit_half_open) + half_open >= this->init_limit_half_open) { DBG1(DBG_NET, "ignoring IKE_SA setup from %H, half open IKE_SA " "count of %d exceeds limit of %d", message->get_source(message), 
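Review bot: The new `half_open_r` is explained only by the `TRUE` argument to get_half_open_count, so a reader must consult ike_sa_manager to learn that it counts responder-side SAs while `half_open` still counts all of them; a comment at the declaration such as `/* half_open_r: SAs where we are responder (cookie decision); half_open: all (global limit) */` would make the two thresholds legible. Keeping the all-SA count for init_limit_half_open while cookie_required moves to the responder count looks intentional but is undocumented. The third hunk is a whitespace-only change. drop_ike_sa_init continues past the hunk.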
@@ -542,7 +544,9 @@ static job_requeue_t receive_packets(private_receiver_t *this) if (message->get_request(message) && message->get_exchange_type(message) == IKE_SA_INIT) { - if (this->initiator_only || drop_ike_sa_init(this, message)) + id = message->get_ike_sa_id(message); + if (this->initiator_only || !id->is_initiator(id) || + drop_ike_sa_init(this, message)) { message->destroy(message); return JOB_REQUEUE_DIRECT; diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index 60d12dc1d..237f065fa 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -434,6 +434,9 @@ static void add_nameserver_attribute(eap_radius_provider_t *provider, case 31: /* MS-Secondary-NBNS-Server */ provider->add_attribute(provider, id, INTERNAL_IP4_NBNS, data); break; + case RAT_FRAMED_IPV6_DNS_SERVER: + provider->add_attribute(provider, id, INTERNAL_IP6_DNS, data); + break; } } @@ -515,9 +518,10 @@ static void process_cfg_attributes(radius_message_t *msg) enumerator = msg->create_enumerator(msg); while (enumerator->enumerate(enumerator, &type, &data)) { - if (type == RAT_FRAMED_IP_ADDRESS && data.len == 4) + if ((type == RAT_FRAMED_IP_ADDRESS && data.len == 4) || + (type == RAT_FRAMED_IPV6_ADDRESS && data.len == 16)) { - host = host_create_from_chunk(AF_INET, data, 0); + host = host_create_from_chunk(AF_UNSPEC, data, 0); if (host) { provider->add_framed_ip(provider, @@ -529,6 +533,11 @@ static void process_cfg_attributes(radius_message_t *msg) provider->add_attribute(provider, ike_sa->get_unique_id(ike_sa), INTERNAL_IP4_NETMASK, data); } + else if (type == RAT_FRAMED_IPV6_DNS_SERVER && data.len == 16) + { + add_nameserver_attribute(provider, + ike_sa->get_unique_id(ike_sa), type, data); + } } enumerator->destroy(enumerator); 
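Review bot: An IKE_SA_INIT request whose SPI lacks the initiator flag is now dropped silently at `!id->is_initiator(id)`, unlike the other drop paths in drop_ike_sa_init, which each emit a DBG1 line; a `DBG1(DBG_NET, "ignoring IKE_SA_INIT request from %H without initiator flag", message->get_source(message));` (or a lower level if this is expected noise) helps when correlating dropped traffic in the logs. The declaration of `id` is not in the hunk, so it presumably lives elsewhere in receive_packets. receive_packets starts and ends outside the hunk.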
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index cef19305c..4b7260349 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c @@ -447,10 +447,8 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this, vip->get_address(vip)); break; case AF_INET6: - /* we currently assign /128 prefixes, only (reserved, length) */ - data = chunk_from_chars(0, 128); - data = chunk_cata("cc", data, vip->get_address(vip)); - message->add(message, RAT_FRAMED_IPV6_PREFIX, data); + message->add(message, RAT_FRAMED_IPV6_ADDRESS, + vip->get_address(vip)); break; default: break; @@ -694,6 +692,11 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) entry = get_or_create_entry(this, ike_sa->get_id(ike_sa), ike_sa->get_unique_id(ike_sa)); + if (entry->start_sent) + { + this->mutex->unlock(this->mutex); + return; + } entry->start_sent = TRUE; message = radius_message_create(RMC_ACCOUNTING_REQUEST); @@ -860,11 +863,6 @@ METHOD(listener_t, message_hook, bool, if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && !incoming && !message->get_request(message)) { - if (ike_sa->get_version(ike_sa) == IKEV1 && - message->get_exchange_type(message) == TRANSACTION) - { - send_start(this, ike_sa); - } if (ike_sa->get_version(ike_sa) == IKEV2 && message->get_exchange_type(message) == IKE_AUTH) { @@ -874,6 +872,17 @@ METHOD(listener_t, message_hook, bool, return TRUE; } +METHOD(listener_t, assign_vips, bool, + private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, bool assign) +{ + /* start accounting as soon as the virtual IP is set */ + if (assign && ike_sa->get_version(ike_sa) == IKEV1) + { + send_start(this, ike_sa); + } + return TRUE; +} + METHOD(listener_t, ike_rekey, bool, private_eap_radius_accounting_t *this, ike_sa_t *old, ike_sa_t *new) { 
@@ -1003,6 +1012,7 @@ eap_radius_accounting_t *eap_radius_accounting_create() .ike_updown = _ike_updown, .ike_rekey = _ike_rekey, .message = _message_hook, + .assign_vips = _assign_vips, .child_updown = _child_updown, .child_rekey = _child_rekey, .children_migrate = _children_migrate, diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c index f70f47ef6..350001bb4 100644 --- a/src/libcharon/plugins/eap_tnc/eap_tnc.c +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c @@ -335,6 +335,10 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, free(this); return NULL; } + if (!is_server) + { + tnccs->set_auth_type(tnccs, TNC_AUTH_X509_CERT); + } this->tnccs = tnccs->get_ref(tnccs); this->tls_eap = tls_eap_create(type, &tnccs->tls, EAP_TNC_MAX_MESSAGE_LEN, diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c index 66c9deed8..e0b59a681 100644 --- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c +++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c @@ -112,6 +112,13 @@ METHOD(tls_application_t, process, status_t, eap_data = avp_data; break; } + else if (eap_len > reader->remaining(reader) + avp_data.len) + { + /* rough size check, ignoring AVP headers in remaining data */ + DBG1(DBG_IKE, "EAP packet too large for EAP-TTLS AVP(s)"); + chunk_free(&avp_data); + return FAILED; + } else if (avp_data.len == MAX_RADIUS_ATTRIBUTE_SIZE) { /* non-standard: EAP packet segmented into multiple AVPs */ @@ -128,7 +135,7 @@ METHOD(tls_application_t, process, status_t, if (avp_data.len > eap_data.len - eap_pos) { - DBG1(DBG_IKE, "AVP size to large to fit into EAP packet"); + DBG1(DBG_IKE, "AVP size too large to fit into EAP packet"); chunk_free(&avp_data); chunk_free(&eap_data); return FAILED; diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.c b/src/libcharon/plugins/error_notify/error_notify_listener.c index 13860fe50..f7a1f49ec 100644 
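Review bot: `tnccs->set_auth_type(tnccs, TNC_AUTH_X509_CERT)` hard-codes the reported authentication type for every client-side EAP-TNC instance without a comment on why certificate authentication is guaranteed for all callers; if EAP-TNC can run inside an outer method that was not certificate-authenticated, the TNC server would be told a stronger assurance than it actually got. A one-line comment stating the assumption, e.g. `/* the outer TLS-based EAP method has authenticated the server by certificate */`, or deriving the type from how the outer authentication actually happened, would prevent a misleading value. eap_tnc_create continues outside the hunk.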
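Review bot: The added bound `eap_len > reader->remaining(reader) + avp_data.len` is deliberately rough (AVP headers in the remaining data are not subtracted), so it only rejects the grossly oversized case; the precise guard stays the per-segment check `avp_data.len > eap_data.len - eap_pos` in the next hunk, and the comment should say that this first check exists so that a peer-supplied `eap_len` is sanity-checked before any buffer of that size is reserved. Whether an `eap_len` below the EAP header size is rejected earlier is not visible in the hunk. process starts and ends outside the hunk.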
--- a/src/libcharon/plugins/error_notify/error_notify_listener.c +++ b/src/libcharon/plugins/error_notify/error_notify_listener.c @@ -96,13 +96,13 @@ METHOD(listener_t, alert, bool, case ALERT_PROPOSAL_MISMATCH_IKE: msg.type = htonl(ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE); list = va_arg(args, linked_list_t*); - snprintf(msg.str, sizeof(msg.str), "the received IKE_SA poposals " + snprintf(msg.str, sizeof(msg.str), "the received IKE_SA proposals " "did not match: %#P", list); break; case ALERT_PROPOSAL_MISMATCH_CHILD: msg.type = htonl(ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD); list = va_arg(args, linked_list_t*); - snprintf(msg.str, sizeof(msg.str), "the received CHILD_SA poposals " + snprintf(msg.str, sizeof(msg.str), "the received CHILD_SA proposals " "did not match: %#P", list); break; case ALERT_TS_MISMATCH: @@ -153,14 +153,14 @@ METHOD(listener_t, alert, bool, msg.type = htonl(ERROR_NOTIFY_CERT_EXPIRED); cert = va_arg(args, certificate_t*); cert->get_validity(cert, NULL, ¬_before, ¬_after); - snprintf(msg.str, sizeof(msg.str), "certificiate expired: '%Y' " + snprintf(msg.str, sizeof(msg.str), "certificate expired: '%Y' " "(valid from %T to %T)", cert->get_subject(cert), ¬_before, TRUE, ¬_after, TRUE); break; case ALERT_CERT_REVOKED: msg.type = htonl(ERROR_NOTIFY_CERT_REVOKED); cert = va_arg(args, certificate_t*); - snprintf(msg.str, sizeof(msg.str), "certificiate revoked: '%Y'", + snprintf(msg.str, sizeof(msg.str), "certificate revoked: '%Y'", cert->get_subject(cert)); break; case ALERT_CERT_NO_ISSUER: diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c index a95499742..54302e852 100644 --- a/src/libcharon/plugins/ha/ha_ctl.c +++ b/src/libcharon/plugins/ha/ha_ctl.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * 
@@ -50,6 +51,41 @@ struct private_ha_ctl_t { ha_cache_t *cache; }; +/** + * Change the permissions of the control FIFO, returns TRUE on success + */ +static bool change_fifo_permissions() +{ + if (chown(HA_FIFO, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) + { + DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s", + strerror(errno)); + return FALSE; + } + return TRUE; +} + +/** + * Deletes and creates the control FIFO, returns TRUE on success + */ +static bool recreate_fifo() +{ + mode_t old; + bool success = TRUE; + + unlink(HA_FIFO); + old = umask(S_IRWXO); + if (mkfifo(HA_FIFO, S_IRUSR | S_IWUSR) != 0) + { + DBG1(DBG_CFG, "creating HA FIFO %s failed: %s", HA_FIFO, + strerror(errno)); + success = FALSE; + } + umask(old); + return success && change_fifo_permissions(); +} + /** * FIFO dispatching function */ @@ -59,13 +95,26 @@ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this) bool oldstate; char buf[8]; u_int segment; + struct stat sb; oldstate = thread_cancelability(TRUE); fifo = open(HA_FIFO, O_RDONLY); thread_cancelability(oldstate); - if (fifo == -1) + if (fifo == -1 || fstat(fifo, &sb) != 0 || !S_ISFIFO(sb.st_mode)) { - DBG1(DBG_CFG, "opening HA fifo failed: %s", strerror(errno)); + if (fifo == -1 && errno != ENOENT) + { + DBG1(DBG_CFG, "opening HA FIFO failed: %s", strerror(errno)); + } + else + { + DBG1(DBG_CFG, "%s is not a FIFO, recreate it", HA_FIFO); + recreate_fifo(); + } + if (fifo != -1) + { + close(fifo); + } sleep(1); return JOB_REQUEUE_FAIR; } @@ -100,6 +149,7 @@ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this) METHOD(ha_ctl_t, destroy, void, private_ha_ctl_t *this) { + unlink(HA_FIFO); free(this); } @@ -109,7 +159,7 @@ METHOD(ha_ctl_t, destroy, void, ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache) { private_ha_ctl_t *this; - mode_t old; + struct stat sb; INIT(this, .public = { 
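Review bot: In dispatch_fifo the else branch logs `%s is not a FIFO, recreate it` also when `fifo == -1 && errno == ENOENT`, i.e. when the FIFO is simply missing, which will confuse anyone reading the log; split the cases, e.g. `DBG1(DBG_CFG, "HA FIFO %s does not exist, recreate it", HA_FIFO);` for ENOENT. The boolean result of recreate_fifo() is ignored there, so a persistent failure (permission denied, path occupied by something else) repeats the same message every second with no hint that recovery is not happening. The fstat/S_ISFIFO check on the descriptor is the right way to validate what was opened, but `open(HA_FIFO, O_RDONLY)` still follows a symbolic link placed at that path; adding O_NOFOLLOW costs nothing and is worth a comment either way. dispatch_fifo continues beyond the hunk.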
@@ -119,20 +169,30 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache) .cache = cache, ); - if (access(HA_FIFO, R_OK|W_OK) != 0) + if (stat(HA_FIFO, &sb) == 0) { - old = umask(S_IRWXO); - if (mkfifo(HA_FIFO, S_IRUSR | S_IWUSR) != 0) + if (!S_ISFIFO(sb.st_mode)) { - DBG1(DBG_CFG, "creating HA FIFO %s failed: %s", - HA_FIFO, strerror(errno)); + DBG1(DBG_CFG, "%s is not a FIFO, recreate it", HA_FIFO); + recreate_fifo(); + } + else if (access(HA_FIFO, R_OK|W_OK) != 0) + { + DBG1(DBG_CFG, "accessing HA FIFO %s denied, recreate it", HA_FIFO); + recreate_fifo(); + } + else + { + change_fifo_permissions(); } - umask(old); } - if (chown(HA_FIFO, lib->caps->get_uid(lib->caps), - lib->caps->get_gid(lib->caps)) != 0) + else if (errno == ENOENT) { - DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s", + recreate_fifo(); + } + else + { + DBG1(DBG_CFG, "accessing HA FIFO %s failed: %s", HA_FIFO, strerror(errno)); } @@ -141,4 +201,3 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache) this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); return &this->public; } - diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index 31eeb934e..afa099309 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -135,6 +135,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty; chunk_t secret = chunk_empty, old_skd = chunk_empty; chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty; + host_t *other = NULL; bool ok = FALSE; enumerator = message->create_attribute_enumerator(message); 
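Review bot: All three recreate_fifo() calls in ha_ctl_create discard its result, so a failure to create the FIFO only surfaces later as the dispatcher job failing once per second; log it here at least, or return NULL from ha_ctl_create if the plugin cannot function without the FIFO (whether callers handle NULL is not visible). The stat/access/chown sequence works on the path rather than on a descriptor, so if the directory holding HA_FIFO is writable by unprivileged users the file could be swapped between the check and the chown in change_fifo_permissions; if that directory is root-owned only, the race is moot and a comment saying so is enough. The `else if (errno == ENOENT)` correctly relies on errno from the preceding stat, since no other call intervenes.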
@@ -150,6 +151,9 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message old_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, value.ike_sa_id); break; + case HA_REMOTE_ADDR: + other = value.host->clone(value.host); + break; case HA_IKE_VERSION: version = value.u8; break; @@ -252,6 +256,11 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message charon->ike_sa_manager, old_sa); old_sa = NULL; } + if (other) + { + ike_sa->set_other_host(ike_sa, other); + other = NULL; + } ike_sa->set_state(ike_sa, IKE_CONNECTING); ike_sa->set_proposal(ike_sa, proposal); this->cache->cache(this->cache, ike_sa, message); @@ -270,6 +279,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message { charon->ike_sa_manager->checkin(charon->ike_sa_manager, old_sa); } + DESTROY_IF(other); DESTROY_IF(message); } @@ -637,7 +647,7 @@ static void process_child_add(private_ha_dispatcher_t *this, u_int32_t inbound_spi = 0, outbound_spi = 0; u_int16_t inbound_cpi = 0, outbound_cpi = 0; u_int8_t mode = MODE_TUNNEL, ipcomp = 0; - u_int16_t encr = ENCR_UNDEFINED, integ = AUTH_UNDEFINED, len = 0; + u_int16_t encr = 0, integ = 0, len = 0; u_int16_t esn = NO_EXT_SEQ_NUMBERS; u_int seg_i, seg_o; chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty; diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c index 6b4b53c9c..7492dd06e 100644 --- a/src/libcharon/plugins/ha/ha_ike.c +++ b/src/libcharon/plugins/ha/ha_ike.c @@ -138,6 +138,7 @@ METHOD(listener_t, ike_keys, bool, m->add_attribute(m, HA_PSK, shared->get_key(shared)); } } + m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa)); this->socket->push(this->socket, m); this->cache->cache(this->cache, ike_sa, m); diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c index eed89e0bf..bd43dc351 100644 --- a/src/libcharon/plugins/ha/ha_kernel.c 
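Review bot: In process_ike_add `other = value.host->clone(value.host);` overwrites any earlier clone if the HA message carries HA_REMOTE_ADDR more than once, leaking the first; since messages come from the HA peer, a `DESTROY_IF(other);` before the clone keeps the handler robust against a duplicated attribute. In process_child_add the initial values of `encr`/`integ` change from ENCR_UNDEFINED/AUTH_UNDEFINED to 0 without a comment; if the intent is that an absent algorithm attribute now means "none" rather than "undefined", say so at the declaration, because the consumers of these values are outside the hunk. process_ike_add starts and ends outside the hunks.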
+++ b/src/libcharon/plugins/ha/ha_kernel.c @@ -36,6 +36,8 @@ typedef enum { JHASH_LOOKUP2, /* new variant, http://burtleburtle.net/bob/c/lookup3.c, since 2.6.37 */ JHASH_LOOKUP3, + /* variant with different init values, since 4.1 */ + JHASH_LOOKUP3_1, } jhash_version_t; typedef struct private_ha_kernel_t private_ha_kernel_t; @@ -88,8 +90,15 @@ static jhash_version_t get_jhash_version() } /* FALL */ case 2: - DBG1(DBG_CFG, "detected Linux %d.%d, using new jhash", a, b); - return JHASH_LOOKUP3; + if (a < 4 || (a == 4 && b == 0)) + { + DBG1(DBG_CFG, "detected Linux %d.%d, using new jhash", + a, b); + return JHASH_LOOKUP3; + } + DBG1(DBG_CFG, "detected Linux %d.%d, using new jhash with " + "updated init values", a, b); + return JHASH_LOOKUP3_1; default: break; } @@ -126,6 +135,14 @@ static u_int32_t jhash(jhash_version_t version, u_int32_t a, u_int32_t b) b -= c; b -= a; b ^= (a << 10); c -= a; c -= b; c ^= (b >> 15); break; + case JHASH_LOOKUP3_1: + /* changed with 4.1: # of 32-bit words shifted by 2 and c is + * initialized. we only use the two word variant with SPIs, so it's + * unlikely that b is 0 in that case */ + c += ((b ? 2 : 1) << 2) + 0xdeadbeef; + a += ((b ? 2 : 1) << 2); + b += ((b ? 2 : 1) << 2); + /* FALL */ case JHASH_LOOKUP3: a += 0xdeadbeef; b += 0xdeadbeef; diff --git a/src/libcharon/plugins/load_tester/load_tester.c b/src/libcharon/plugins/load_tester/load_tester.c index b7b971ee8..f5a998ecc 100644 --- a/src/libcharon/plugins/load_tester/load_tester.c +++ b/src/libcharon/plugins/load_tester/load_tester.c @@ -21,6 +21,7 @@ #include #include #include +#include #include /** diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c index 5f089f5db..24076d443 100644 --- a/src/libcharon/plugins/load_tester/load_tester_control.c +++ b/src/libcharon/plugins/load_tester/load_tester_control.c 
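Review bot: The JHASH_LOOKUP3_1 case evaluates `(b ? 2 : 1) << 2` three times and, more importantly, uses the value of `b` to guess whether the kernel hashed one or two words; a two-word hash whose second word happens to be 0 would then be computed with the one-word offset and disagree with the kernel's segment selection. The comment acknowledges this is unlikely for SPIs, but hoisting the term into a named local, `u_int32_t words = (b ? 2 : 1) << 2;`, and stating that the caller always passes two words makes the assumption reviewable. In get_jhash_version the check `a < 4 || (a == 4 && b == 0)` reuses the names a/b for kernel major/minor, which reads oddly next to the hash inputs of the same names. jhash continues outside the hunk.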
@@ -239,7 +239,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io) switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg->get_ref(child_cfg), - (void*)initiate_cb, listener, 0)) + (void*)initiate_cb, listener, 0, FALSE)) { case NEED_MORE: /* Callback returns FALSE once it got track of this IKE_SA. diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c index e684f22ce..c7380b974 100644 --- a/src/libcharon/plugins/load_tester/load_tester_plugin.c +++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c @@ -152,7 +152,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this) charon->controller->initiate(charon->controller, peer_cfg, child_cfg->get_ref(child_cfg), - NULL, NULL, 0); + NULL, NULL, 0, FALSE); if (s) { sleep(s); diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index 1fb57b928..25b138387 100644 --- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -314,7 +314,7 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg) peer_cfg->get_ref(peer_cfg); enumerator->destroy(enumerator); charon->controller->initiate(charon->controller, - peer_cfg, child_cfg, NULL, NULL, 0); + peer_cfg, child_cfg, NULL, NULL, 0, FALSE); } else { diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.c b/src/libcharon/plugins/osx_attr/osx_attr_handler.c index d974b57ce..6baf76d35 100644 --- a/src/libcharon/plugins/osx_attr/osx_attr_handler.c +++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.c @@ -31,6 +31,16 @@ struct private_osx_attr_handler_t { * Public interface */ osx_attr_handler_t public; + + /** + * Backup of original DNS servers, before we mess with it + */ + CFMutableArrayRef original; + + /** + * Append DNS servers to existing entries, instead of replacing + */ + bool append; }; /** 
@@ -110,7 +120,8 @@ static CFMutableArrayRef get_array_from_dict(CFDictionaryRef dict, /** * Add/Remove a DNS server to the configuration */ -static bool manage_dns(int family, chunk_t data, bool add) +static bool manage_dns(private_osx_attr_handler_t *this, + int family, chunk_t data, bool add) { SCDynamicStoreRef store; CFStringRef path, dns; @@ -138,6 +149,11 @@ static bool manage_dns(int family, chunk_t data, bool add) dns = CFStringCreateWithCString(NULL, buf, kCFStringEncodingUTF8); if (add) { + if (!this->append && !this->original) + { /* backup orignal config, start with empty set */ + this->original = arr; + arr = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + } DBG1(DBG_CFG, "installing %s as DNS server", buf); CFArrayInsertValueAtIndex(arr, 0, dns); } @@ -150,6 +166,12 @@ static bool manage_dns(int family, chunk_t data, bool add) DBG1(DBG_CFG, "removing %s from DNS servers (%d)", buf, i); CFArrayRemoveValueAtIndex(arr, i); } + if (!this->append && this->original && CFArrayGetCount(arr) == 0) + { /* restore original config */ + CFRelease(arr); + arr = this->original; + this->original = NULL; + } } CFRelease(dns); CFDictionarySetValue(dict, CFSTR("ServerAddresses"), arr); @@ -175,7 +197,7 @@ METHOD(attribute_handler_t, handle, bool, switch (type) { case INTERNAL_IP4_DNS: - return manage_dns(AF_INET, data, TRUE); + return manage_dns(this, AF_INET, data, TRUE); default: return FALSE; } @@ -188,7 +210,7 @@ METHOD(attribute_handler_t, release, void, switch (type) { case INTERNAL_IP4_DNS: - manage_dns(AF_INET, data, FALSE); + manage_dns(this, AF_INET, data, FALSE); break; default: break; @@ -240,6 +262,8 @@ osx_attr_handler_t *osx_attr_handler_create() }, .destroy = _destroy, }, + .append = lib->settings->get_bool(lib->settings, + "%s.plugins.osx-attr.append", TRUE, lib->ns), ); return &this->public; diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c index 04bf382ed..2aa061fd2 100644 --- a/src/libcharon/plugins/smp/smp.c 
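Review bot: `this->original` is tested and assigned in manage_dns without any lock, so if handle/release are invoked concurrently for two IKE_SAs (the handler object is shared; the calling threads are not visible here) two concurrent adds could both see `!this->original` and the second backup would overwrite and leak the first, while a concurrent release could restore a half-built list; either guard the backup/restore with a mutex or add a comment stating that the handler is driven from a single thread. The comment `backup orignal config` has a typo (`original`). If the handler is destroyed while `this->original` is still held, the backup leaks and the system DNS list stays replaced; destroy is outside the hunk, so worth checking it restores. manage_dns continues outside the hunk.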
+++ b/src/libcharon/plugins/smp/smp.c @@ -488,7 +488,7 @@ static void request_control_initiate(xmlTextReaderPtr reader, { status = charon->controller->initiate(charon->controller, peer, child, (controller_cb_t)xml_callback, - writer, 0); + writer, 0, FALSE); } else { diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index c47c7c0f8..ce24d180a 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c @@ -323,6 +323,14 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id) return peer_cfg; } +/** + * Check if the two IDs match (the first one is optional) + */ +static inline bool id_matches(identification_t *id, identification_t *sql_id) +{ + return !id || id->matches(id, sql_id) || sql_id->matches(sql_id, id); +} + /** * Build a peer config from an SQL query */ @@ -352,8 +360,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, local_id = identification_create_from_encoding(l_type, l_data); remote_id = identification_create_from_encoding(r_type, r_data); - if ((me && !me->matches(me, local_id)) || - (other && !other->matches(other, remote_id))) + if (!id_matches(me, local_id) || !id_matches(other, remote_id)) { local_id->destroy(local_id); remote_id->destroy(remote_id); diff --git a/src/libcharon/plugins/sql/sql_logger.c b/src/libcharon/plugins/sql/sql_logger.c index 9a7a6e0ff..0fa06eac5 100644 --- a/src/libcharon/plugins/sql/sql_logger.c +++ b/src/libcharon/plugins/sql/sql_logger.c @@ -120,6 +120,7 @@ METHOD(logger_t, get_level, level_t, METHOD(sql_logger_t, destroy, void, private_sql_logger_t *this) { + this->recursive->destroy(this->recursive); free(this); } diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c index b470b81c6..13ed41e0e 100644 --- a/src/libcharon/plugins/stroke/stroke_ca.c +++ b/src/libcharon/plugins/stroke/stroke_ca.c 
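Review bot: `id_matches` makes the comparison symmetric by adding `sql_id->matches(sql_id, id)` to the original `id->matches(id, sql_id)`, so the match now succeeds whichever side carries the wildcard; since this decides which peer config is selected for a given local/remote identity, the header comment should state that both directions are intended and which side is expected to hold wildcards. The current comment `the first one is optional` describes only the `!id` short-circuit. build_peer_cfg starts and ends outside the hunk.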
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -24,6 +24,13 @@ #include typedef struct private_stroke_ca_t private_stroke_ca_t; +typedef struct ca_section_t ca_section_t; +typedef struct ca_cert_t ca_cert_t; + +/** + * Provided by stroke_cred.c + */ +certificate_t *stroke_load_ca_cert(char *filename); /** * private data of stroke_ca @@ -41,17 +48,16 @@ struct private_stroke_ca_t { rwlock_t *lock; /** - * list of starters CA sections and its certificates (ca_section_t) + * list of CA sections and their certificates (ca_section_t) */ linked_list_t *sections; /** - * stroke credentials, stores our CA certificates + * list of all loaded CA certificates (ca_cert_t) */ - stroke_cred_t *cred; + linked_list_t *certs; }; -typedef struct ca_section_t ca_section_t; /** * loaded ipsec.conf CA sections @@ -64,7 +70,12 @@ struct ca_section_t { char *name; /** - * reference to cert in trusted_credential_t + * path/name of the certificate + */ + char *path; + + /** + * reference to cert */ certificate_t *cert; @@ -89,17 +100,38 @@ struct ca_section_t { char *certuribase; }; +/** + * loaded CA certificate + */ +struct ca_cert_t { + + /** + * reference to cert + */ + certificate_t *cert; + + /** + * The number of CA sections referring to this certificate + */ + u_int count; + + /** + * TRUE if this certificate was automatically loaded + */ + bool automatic; +}; + /** * create a new CA section */ -static ca_section_t *ca_section_create(char *name, certificate_t *cert) +static ca_section_t *ca_section_create(char *name, char *path) { ca_section_t *ca = malloc_thing(ca_section_t); ca->name = strdup(name); + ca->path = strdup(path); ca->crl = linked_list_create(); ca->ocsp = linked_list_create(); - ca->cert = cert; ca->hashes = linked_list_create(); ca->certuribase = NULL; return ca; 
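Review bot: `certificate_t *stroke_load_ca_cert(char *filename);` is declared by hand in stroke_ca.c with the comment `Provided by stroke_cred.c` rather than exported from the providing unit's header; a local prototype silently diverges if the definition's signature changes, so move the declaration into stroke_cred.h. ca_section_create no longer sets `ca->cert`, leaving the field with whatever malloc_thing returned until the caller assigns it, and ca_section_destroy dereferences it unconditionally; initialize it with `ca->cert = NULL;` in the constructor or note in its comment that the caller must set it before the section is inserted.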
@@ -115,10 +147,20 @@ static void ca_section_destroy(ca_section_t *this) this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy)); this->cert->destroy(this->cert); free(this->certuribase); + free(this->path); free(this->name); free(this); } +/** + * Destroy a ca cert entry + */ +static void ca_cert_destroy(ca_cert_t *this) +{ + this->cert->destroy(this->cert); + free(this); +} + /** * Data for the certificate enumerator */ @@ -141,7 +183,7 @@ static void cert_data_destroy(cert_data_t *data) /** * filter function for certs enumerator */ -static bool certs_filter(cert_data_t *data, ca_section_t **in, +static bool certs_filter(cert_data_t *data, ca_cert_t **in, certificate_t **out) { public_key_t *public; @@ -192,7 +234,7 @@ METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, ); this->lock->read_lock(this->lock); - enumerator = this->sections->create_enumerator(this->sections); + enumerator = this->certs->create_enumerator(this->certs); return enumerator_create_filter(enumerator, (void*)certs_filter, data, (void*)cert_data_destroy); } 
@@ -312,6 +354,81 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, data, (void*)cdp_data_destroy); } +/** + * Compare the given certificate to the ca_cert_t items in the list + */ +static bool match_cert(ca_cert_t *item, certificate_t *cert) +{ + return cert->equals(cert, item->cert); +} + +/** + * Match automatically added certificates and remove/destroy them if they are + * not referenced by CA sections. + */ +static bool remove_auto_certs(ca_cert_t *item, void *not_used) +{ + if (item->automatic) + { + item->automatic = FALSE; + if (!item->count) + { + ca_cert_destroy(item); + return TRUE; + } + } + return FALSE; +} + +/** + * Find the given certificate that was referenced by a section and remove it + * unless it was also loaded automatically or is used by other CA sections. + */ +static bool remove_cert(ca_cert_t *item, certificate_t *cert) +{ + if (item->count && cert->equals(cert, item->cert)) + { + if (--item->count == 0 && !item->automatic) + { + ca_cert_destroy(item); + return TRUE; + } + } + return FALSE; +} + +/** + * Adds a certificate to the certificate store + */ +static certificate_t *add_cert_internal(private_stroke_ca_t *this, + certificate_t *cert, bool automatic) +{ + ca_cert_t *found; + + if (this->certs->find_first(this->certs, (linked_list_match_t)match_cert, + (void**)&found, cert) == SUCCESS) + { + cert->destroy(cert); + cert = found->cert->get_ref(found->cert); + } + else + { + INIT(found, + .cert = cert->get_ref(cert) + ); + this->certs->insert_first(this->certs, found); + } + if (automatic) + { + found->automatic = TRUE; + } + else + { + found->count++; + } + return cert; +} + METHOD(stroke_ca_t, add, void, private_stroke_ca_t *this, stroke_msg_t *msg) { 
@@ -323,10 +440,10 @@ METHOD(stroke_ca_t, add, void, DBG1(DBG_CFG, "missing cacert parameter"); return; } - cert = this->cred->load_ca(this->cred, msg->add_ca.cacert); + cert = stroke_load_ca_cert(msg->add_ca.cacert); if (cert) { - ca = ca_section_create(msg->add_ca.name, cert); + ca = ca_section_create(msg->add_ca.name, msg->add_ca.cacert); if (msg->add_ca.crluri) { ca->crl->insert_last(ca->crl, strdup(msg->add_ca.crluri)); @@ -348,6 +465,7 @@ METHOD(stroke_ca_t, add, void, ca->certuribase = strdup(msg->add_ca.certuribase); } this->lock->write_lock(this->lock); + ca->cert = add_cert_internal(this, cert, FALSE); this->sections->insert_last(this->sections, ca); this->lock->unlock(this->lock); DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name); @@ -372,8 +490,12 @@ METHOD(stroke_ca_t, del, void, ca = NULL; } enumerator->destroy(enumerator); + if (ca) + { + this->certs->remove(this->certs, ca->cert, (void*)remove_cert); + } this->lock->unlock(this->lock); - if (ca == NULL) + if (!ca) { DBG1(DBG_CFG, "no ca named '%s' found\n", msg->del_ca.name); return; 
@@ -383,6 +505,88 @@ METHOD(stroke_ca_t, del, void, lib->credmgr->flush_cache(lib->credmgr, CERT_ANY); } +METHOD(stroke_ca_t, get_cert_ref, certificate_t*, + private_stroke_ca_t *this, certificate_t *cert) +{ + ca_cert_t *found; + + this->lock->read_lock(this->lock); + if (this->certs->find_first(this->certs, (linked_list_match_t)match_cert, + (void**)&found, cert) == SUCCESS) + { + cert->destroy(cert); + cert = found->cert->get_ref(found->cert); + } + this->lock->unlock(this->lock); + return cert; +} + +METHOD(stroke_ca_t, reload_certs, void, + private_stroke_ca_t *this) +{ + enumerator_t *enumerator; + certificate_t *cert; + ca_section_t *ca; + certificate_type_t type = CERT_X509; + + /* holding the write lock while loading/parsing certificates is not optimal, + * however, there usually are not that many ca sections configured */ + this->lock->write_lock(this->lock); + if (this->sections->get_count(this->sections)) + { + DBG1(DBG_CFG, "rereading ca certificates in ca sections"); + } + enumerator = this->sections->create_enumerator(this->sections); + while (enumerator->enumerate(enumerator, &ca)) + { + cert = stroke_load_ca_cert(ca->path); + if (cert) + { + if (cert->equals(cert, ca->cert)) + { + cert->destroy(cert); + } + else + { + this->certs->remove(this->certs, ca->cert, (void*)remove_cert); + ca->cert->destroy(ca->cert); + ca->cert = add_cert_internal(this, cert, FALSE); + } + } + else + { + DBG1(DBG_CFG, "failed to reload certificate '%s', removing ca '%s'", + ca->path, ca->name); + this->sections->remove_at(this->sections, enumerator); + this->certs->remove(this->certs, ca->cert, (void*)remove_cert); + ca_section_destroy(ca); + type = CERT_ANY; + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + lib->credmgr->flush_cache(lib->credmgr, type); +} + +METHOD(stroke_ca_t, replace_certs, void, + private_stroke_ca_t *this, mem_cred_t *certs) +{ + enumerator_t *enumerator; + certificate_t *cert; + + enumerator = 
certs->set.create_cert_enumerator(&certs->set, CERT_X509, + KEY_ANY, NULL, TRUE); + this->lock->write_lock(this->lock); + this->certs->remove(this->certs, NULL, (void*)remove_auto_certs); + while (enumerator->enumerate(enumerator, &cert)) + { + cert = add_cert_internal(this, cert->get_ref(cert), TRUE); + cert->destroy(cert); + } + this->lock->unlock(this->lock); + enumerator->destroy(enumerator); + lib->credmgr->flush_cache(lib->credmgr, CERT_X509); +} /** * list crl or ocsp URIs */ @@ -501,6 +705,7 @@ METHOD(stroke_ca_t, destroy, void, private_stroke_ca_t *this) { this->sections->destroy_function(this->sections, (void*)ca_section_destroy); + this->certs->destroy_function(this->certs, (void*)ca_cert_destroy); this->lock->destroy(this->lock); free(this); } @@ -508,7 +713,7 @@ METHOD(stroke_ca_t, destroy, void, /* * see header file */ -stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) +stroke_ca_t *stroke_ca_create() { private_stroke_ca_t *this; @@ -524,12 +729,15 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) .add = _add, .del = _del, .list = _list, + .get_cert_ref = _get_cert_ref, + .reload_certs = _reload_certs, + .replace_certs = _replace_certs, .check_for_hash_and_url = _check_for_hash_and_url, .destroy = _destroy, }, .sections = linked_list_create(), + .certs = linked_list_create(), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), - .cred = cred, ); return &this->public; diff --git a/src/libcharon/plugins/stroke/stroke_ca.h b/src/libcharon/plugins/stroke/stroke_ca.h index 21af912ea..2740006e2 100644 --- a/src/libcharon/plugins/stroke/stroke_ca.h +++ b/src/libcharon/plugins/stroke/stroke_ca.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -23,8 +23,7 @@ #define STROKE_CA_H_ #include - -#include "stroke_cred.h" +#include typedef struct stroke_ca_t stroke_ca_t; 
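Review bot: In reload_certs a CA section whose certificate file fails to load is removed entirely (`remove_at` plus ca_section_destroy), so a transient problem while the file is being rewritten drops that trust anchor until the section is re-added, with only a DBG1 line; keeping the previous `ca->cert` on load failure and logging that the old certificate remains in use would be the safer failure mode. The widening to `type = CERT_ANY` for the cache flush on that path is reasonable but deserves a one-line comment. In replace_certs the enumerator over `certs` is created before the write lock is taken and destroyed after it is released, which is fine only because the header documents the set as not modified; a comment at the enumerator creation would keep that dependency visible.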
@@ -66,6 +65,29 @@ struct stroke_ca_t { */ void (*check_for_hash_and_url)(stroke_ca_t *this, certificate_t* cert); + /** + * Get a reference to a CA certificate if it is already stored, + * otherwise returns the same certificate. + * + * @param cert certificate to check + * @return reference to stored CA certifiate, or original + */ + certificate_t *(*get_cert_ref)(stroke_ca_t *this, certificate_t *cert); + + /** + * Reload CA certificates referenced in CA sections. Flushes the certificate + * cache. + */ + void (*reload_certs)(stroke_ca_t *this); + + /** + * Replace automatically loaded CA certificates. Flushes the certificate + * cache. + * + * @param certs credential set to take certificates from (not modified) + */ + void (*replace_certs)(stroke_ca_t *this, mem_cred_t *certs); + /** * Destroy a stroke_ca instance. */ @@ -75,6 +97,6 @@ struct stroke_ca_t { /** * Create a stroke_ca instance. */ -stroke_ca_t *stroke_ca_create(stroke_cred_t *cred); +stroke_ca_t *stroke_ca_create(); #endif /** STROKE_CA_H_ @}*/ diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 55ec7cdc9..f71719458 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c 
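Review bot: The get_cert_ref documentation does not say that the passed reference is consumed when a stored certificate is returned (the implementation in stroke_ca.c destroys `cert` in that case), which a caller needs to know to avoid a double destroy or a leak; suggest `@param cert certificate to check (reference is consumed if a stored one is returned)`. The `@return` line also misspells the word: `@return reference to stored CA certificate, or original`.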
@@ -184,19 +184,16 @@ static void add_proposals(private_stroke_config_t *this, char *string, } /** - * Build an IKE config from a stroke message + * Check if any addresses in the given string are local */ -static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg) +static bool is_local(char *address, bool any_allowed) { enumerator_t *enumerator; - stroke_end_t tmp_end; - ike_cfg_t *ike_cfg; host_t *host; - u_int16_t ikeport; - char me[256], other[256], *token; - bool swapped = FALSE;; + char *token; + bool found = FALSE; - enumerator = enumerator_create_token(msg->add_conn.other.address, ",", " "); + enumerator = enumerator_create_token(address, ",", " "); while (enumerator->enumerate(enumerator, &token)) { if (!strchr(token, '/')) 
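Review bot: The new `any_allowed` parameter of is_local is undocumented; the header comment only says "Check if any addresses in the given string are local". Suggest `@param address comma-separated address list to check` and `@param any_allowed whether %any counts as local` (the %any handling itself is in the next hunk). is_local's body continues past the end of this hunk.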
@@ -207,40 +204,60 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg if (hydra->kernel_interface->get_interface( hydra->kernel_interface, host, NULL)) { - DBG2(DBG_CFG, "left is other host, swapping ends"); - tmp_end = msg->add_conn.me; - msg->add_conn.me = msg->add_conn.other; - msg->add_conn.other = tmp_end; - swapped = TRUE; + found = TRUE; + } + else if (any_allowed && host->is_anyaddr(host)) + { + found = TRUE; } host->destroy(host); + if (found) + { + break; + } } } } enumerator->destroy(enumerator); + return found; +} - if (!swapped) +/** + * Swap ends if indicated by left|right + */ +static void swap_ends(stroke_msg_t *msg) +{ + if (!lib->settings->get_bool(lib->settings, "%s.plugins.stroke.allow_swap", + TRUE, lib->ns)) { - enumerator = enumerator_create_token(msg->add_conn.me.address, ",", " "); - while (enumerator->enumerate(enumerator, &token)) - { - if (!strchr(token, '/')) - { - host = host_create_from_dns(token, 0, 0); - if (host) - { - if (!hydra->kernel_interface->get_interface( - hydra->kernel_interface, host, NULL)) - { - DBG1(DBG_CFG, "left nor right host is our side, " - "assuming left=local"); - } - host->destroy(host); - } - } - } - enumerator->destroy(enumerator); + return; + } + + if (is_local(msg->add_conn.other.address, FALSE)) + { + stroke_end_t tmp_end; + + DBG2(DBG_CFG, "left is other host, swapping ends"); + tmp_end = msg->add_conn.me; + msg->add_conn.me = msg->add_conn.other; + msg->add_conn.other = tmp_end; + } + else if (!is_local(msg->add_conn.me.address, TRUE)) + { + DBG1(DBG_CFG, "left nor right host is our side, assuming left=local"); } +} + +/** + * Build an IKE config from a stroke message + */ +static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg) +{ + ike_cfg_t *ike_cfg; + u_int16_t ikeport; + char me[256], other[256]; + + swap_ends(msg); if (msg->add_conn.me.allow_any) { 
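Review bot: swap_ends introduces the `%s.plugins.stroke.allow_swap` setting (default TRUE), but nothing visible here adds a corresponding entry to the strongswan.conf option documentation; if it is not added elsewhere in this import, it should be. Also, `is_local(msg->add_conn.me.address, TRUE)` now counts `%any` on the left as local, so the "left nor right host is our side" message no longer appears for `left=%any`; a one-line comment at that call, e.g. `/* %any on our side is fine, only warn if a concrete address is not local */`, would make the intent explicit.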
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index 0084fbf93..0125d17c6 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -109,7 +109,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg if (msg->output_verbosity < 0) { charon->controller->initiate(charon->controller, peer_cfg, child_cfg, - NULL, NULL, 0); + NULL, NULL, 0, FALSE); } else { @@ -118,7 +118,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg status = charon->controller->initiate(charon->controller, peer_cfg, child_cfg, (controller_cb_t)stroke_log, - &info, this->timeout); + &info, this->timeout, FALSE); switch (status) { case SUCCESS: diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 5e423f1de..42928882a 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2013 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -74,11 +74,6 @@ struct private_stroke_cred_t { */ mem_cred_t *creds; - /** - * CA certificates - */ - mem_cred_t *cacerts; - /** * Attribute Authority certificates */ @@ -94,6 +89,11 @@ struct private_stroke_cred_t { * cache CRLs to disk? */ bool cachecrl; + + /** + * CA certificate store + */ + stroke_ca_t *ca; }; /** Length of smartcard specifier parts (module, keyid) */ 
@@ -182,70 +182,6 @@ static certificate_t *load_from_smartcard(smartcard_format_t format, return cred; } -METHOD(stroke_cred_t, load_ca, certificate_t*, - private_stroke_cred_t *this, char *filename) -{ - certificate_t *cert = NULL; - char path[PATH_MAX]; - - if (strpfx(filename, "%smartcard")) - { - smartcard_format_t format; - char module[SC_PART_LEN], keyid[SC_PART_LEN]; - u_int slot; - - format = parse_smartcard(filename, &slot, module, keyid); - if (format != SC_FORMAT_INVALID) - { - cert = (certificate_t*)load_from_smartcard(format, - slot, module, keyid, CRED_CERTIFICATE, CERT_X509); - } - } - else - { - if (*filename == '/') - { - snprintf(path, sizeof(path), "%s", filename); - } - else - { - snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename); - } - - if (this->force_ca_cert) - { /* we treat this certificate as a CA certificate even if it has no - * CA basic constraint */ - cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, path, BUILD_X509_FLAG, X509_CA, - BUILD_END); - } - else - { - cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, path, - BUILD_END); - } - } - if (cert) - { - x509_t *x509 = (x509_t*)cert; - - if (!(x509->get_flags(x509) & X509_CA)) - { - DBG1(DBG_CFG, " ca certificate \"%Y\" misses ca basic constraint, " - "discarded", cert->get_subject(cert)); - cert->destroy(cert); - return NULL; - } - DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'", - cert->get_subject(cert), filename); - return this->creds->get_cert_ref(this->creds, cert); - } - return NULL; -} - METHOD(stroke_cred_t, load_peer, certificate_t*, private_stroke_cred_t *this, char *filename) { 
@@ -384,22 +320,52 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*, } /** - * Load a CA certificate from disk + * Load a CA certificate, optionally force it to be one */ -static void load_x509_ca(private_stroke_cred_t *this, char *file) +static certificate_t *load_ca_cert(char *filename, bool force_ca_cert) { - certificate_t *cert; + certificate_t *cert = NULL; + char path[PATH_MAX]; + + if (strpfx(filename, "%smartcard")) + { + smartcard_format_t format; + char module[SC_PART_LEN], keyid[SC_PART_LEN]; + u_int slot; - if (this->force_ca_cert) - { /* treat certificate as CA cert even it has no CA basic constraint */ - cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, file, - BUILD_X509_FLAG, X509_CA, BUILD_END); + format = parse_smartcard(filename, &slot, module, keyid); + if (format != SC_FORMAT_INVALID) + { + cert = (certificate_t*)load_from_smartcard(format, + slot, module, keyid, CRED_CERTIFICATE, CERT_X509); + } } else { - cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, file, BUILD_END); + if (*filename == '/') + { + snprintf(path, sizeof(path), "%s", filename); + } + else + { + snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename); + } + + if (force_ca_cert) + { /* we treat this certificate as a CA certificate even if it has no + * CA basic constraint */ + cert = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, path, BUILD_X509_FLAG, X509_CA, + BUILD_END); + } + else + { + cert = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, path, + BUILD_END); + } } if (cert) { 
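Review bot: The header comment of load_ca_cert ("Load a CA certificate, optionally force it to be one") describes neither parameter nor the three filename forms handled below; suggest `@param filename absolute path, path relative to CA_CERTIFICATE_DIR, or %smartcard specifier` and `@param force_ca_cert treat the certificate as CA even without the CA basic constraint`. The function continues in the next hunk, where the basic-constraint check lives.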
@@ -410,13 +376,41 @@ static void load_x509_ca(private_stroke_cred_t *this, char *file) DBG1(DBG_CFG, " ca certificate \"%Y\" lacks ca basic constraint, " "discarded", cert->get_subject(cert)); cert->destroy(cert); + return NULL; } - else - { - DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'", - cert->get_subject(cert), file); - this->cacerts->add_cert(this->cacerts, TRUE, cert); - } + DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'", + cert->get_subject(cert), filename); + return cert; + } + return NULL; +} + +/** + * Used by stroke_ca.c + */ +certificate_t *stroke_load_ca_cert(char *filename) +{ + bool force_ca_cert; + + force_ca_cert = lib->settings->get_bool(lib->settings, + "%s.plugins.stroke.ignore_missing_ca_basic_constraint", + FALSE, lib->ns); + return load_ca_cert(filename, force_ca_cert); +} + +/** + * Load a CA certificate from disk + */ +static void load_x509_ca(private_stroke_cred_t *this, char *file, + mem_cred_t *creds) +{ + certificate_t *cert; + + cert = load_ca_cert(file, this->force_ca_cert); + if (cert) + { + cert = this->ca->get_cert_ref(this->ca, cert); + creds->add_cert(creds, TRUE, cert); } else { @@ -427,7 +421,8 @@ static void load_x509_ca(private_stroke_cred_t *this, char *file) /** * Load AA certificate with flags from disk */ -static void load_x509_aa(private_stroke_cred_t *this, char *file) +static void load_x509_aa(private_stroke_cred_t *this,char *file, + mem_cred_t *creds) { certificate_t *cert; @@ -438,7 +433,7 @@ static void load_x509_aa(private_stroke_cred_t *this, char *file) { DBG1(DBG_CFG, " loaded AA certificate \"%Y\" from '%s'", cert->get_subject(cert), file); - this->aacerts->add_cert(this->aacerts, TRUE, cert); + creds->add_cert(creds, TRUE, cert); } else { 
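Review bot: stroke_load_ca_cert re-reads `%s.plugins.stroke.ignore_missing_ca_basic_constraint` on every call, while load_x509_ca uses `this->force_ca_cert`, which stroke_cred_create reads once at startup (visible further down in this diff); the two paths can disagree if settings are reloaded at runtime, and the policy now lives in two places. If that is intentional, say so on stroke_load_ca_cert, e.g. `/* reads the setting each time, unlike stroke_cred's cached force_ca_cert */`; otherwise route both through one source. The comment `Used by stroke_ca.c` also suggests this non-static function needs a prototype in a shared header; the stroke_cred.h hunk in this diff does not add one, so presumably it is declared elsewhere, which is worth confirming.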
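Review bot: Missing space after the comma in the new signature `static void load_x509_aa(private_stroke_cred_t *this,char *file,`; the sibling loaders changed in the following hunks write `*this, char *file,`.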
@@ -449,7 +444,8 @@ static void load_x509_aa(private_stroke_cred_t *this, char *file) /** * Load a certificate with flags from disk */ -static void load_x509(private_stroke_cred_t *this, char *file, x509_flag_t flag) +static void load_x509(private_stroke_cred_t *this, char *file, x509_flag_t flag, + mem_cred_t *creds) { certificate_t *cert; @@ -461,7 +457,7 @@ static void load_x509(private_stroke_cred_t *this, char *file, x509_flag_t flag) { DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'", cert->get_subject(cert), file); - this->creds->add_cert(this->creds, TRUE, cert); + creds->add_cert(creds, TRUE, cert); } else { @@ -472,7 +468,8 @@ static void load_x509(private_stroke_cred_t *this, char *file, x509_flag_t flag) /** * Load a CRL from a file */ -static void load_x509_crl(private_stroke_cred_t *this, char *file) +static void load_x509_crl(private_stroke_cred_t *this, char *file, + mem_cred_t *creds) { certificate_t *cert; @@ -480,8 +477,8 @@ static void load_x509_crl(private_stroke_cred_t *this, char *file) BUILD_FROM_FILE, file, BUILD_END); if (cert) { - this->creds->add_crl(this->creds, (crl_t*)cert); DBG1(DBG_CFG, " loaded crl from '%s'", file); + creds->add_crl(creds, (crl_t*)cert); } else { @@ -492,7 +489,8 @@ static void load_x509_crl(private_stroke_cred_t *this, char *file) /** * Load an attribute certificate from a file */ -static void load_x509_ac(private_stroke_cred_t *this, char *file) +static void load_x509_ac(private_stroke_cred_t *this, char *file, + mem_cred_t *creds) { certificate_t *cert; @@ -501,7 +499,7 @@ static void load_x509_ac(private_stroke_cred_t *this, char *file) if (cert) { DBG1(DBG_CFG, " loaded attribute certificate from '%s'", file); - this->creds->add_cert(this->creds, FALSE, cert); + creds->add_cert(creds, FALSE, cert); } else { 
@@ -513,7 +511,8 @@ static void load_x509_ac(private_stroke_cred_t *this, char *file) * load trusted certificates from a directory */ static void load_certdir(private_stroke_cred_t *this, char *path, - certificate_type_t type, x509_flag_t flag) + certificate_type_t type, x509_flag_t flag, + mem_cred_t *creds) { enumerator_t *enumerator; struct stat st; @@ -534,22 +533,22 @@ static void load_certdir(private_stroke_cred_t *this, char *path, case CERT_X509: if (flag & X509_CA) { - load_x509_ca(this, file); + load_x509_ca(this, file, creds); } else if (flag & X509_AA) { - load_x509_aa(this, file); + load_x509_aa(this, file, creds); } else { - load_x509(this, file, flag); + load_x509(this, file, flag, creds); } break; case CERT_X509_CRL: - load_x509_crl(this, file); + load_x509_crl(this, file, creds); break; case CERT_X509_AC: - load_x509_ac(this, file); + load_x509_ac(this, file, creds); break; default: break; 
@@ -1348,30 +1347,38 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets, */ static void load_certs(private_stroke_cred_t *this) { + mem_cred_t *creds; + DBG1(DBG_CFG, "loading ca certificates from '%s'", CA_CERTIFICATE_DIR); - load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA); + creds = mem_cred_create(); + load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA, creds); + this->ca->replace_certs(this->ca, creds); + creds->destroy(creds); DBG1(DBG_CFG, "loading aa certificates from '%s'", AA_CERTIFICATE_DIR); - load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA); + load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA, this->aacerts); DBG1(DBG_CFG, "loading ocsp signer certificates from '%s'", OCSP_CERTIFICATE_DIR); - load_certdir(this, OCSP_CERTIFICATE_DIR, CERT_X509, X509_OCSP_SIGNER); + load_certdir(this, OCSP_CERTIFICATE_DIR, CERT_X509, X509_OCSP_SIGNER, + this->creds); DBG1(DBG_CFG, "loading attribute certificates from '%s'", ATTR_CERTIFICATE_DIR); - load_certdir(this, ATTR_CERTIFICATE_DIR, CERT_X509_AC, 0); + load_certdir(this, ATTR_CERTIFICATE_DIR, CERT_X509_AC, 0, this->creds); DBG1(DBG_CFG, "loading crls from '%s'", CRL_DIR); - load_certdir(this, CRL_DIR, CERT_X509_CRL, 0); + load_certdir(this, CRL_DIR, CERT_X509_CRL, 0, this->creds); } METHOD(stroke_cred_t, reread, void, private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt) { + mem_cred_t *creds; + if (msg->reread.flags & REREAD_SECRETS) { DBG1(DBG_CFG, "rereading secrets"); 
@@ -1379,38 +1386,44 @@ METHOD(stroke_cred_t, reread, void, } if (msg->reread.flags & REREAD_CACERTS) { + /* first reload certificates in ca sections, so we can refer to them */ + this->ca->reload_certs(this->ca); + DBG1(DBG_CFG, "rereading ca certificates from '%s'", CA_CERTIFICATE_DIR); - this->cacerts->clear(this->cacerts); + creds = mem_cred_create(); + load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA, creds); + this->ca->replace_certs(this->ca, creds); + creds->destroy(creds); + } + if (msg->reread.flags & REREAD_AACERTS) + { + DBG1(DBG_CFG, "rereading aa certificates from '%s'", + AA_CERTIFICATE_DIR); + creds = mem_cred_create(); + load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA, creds); + this->aacerts->replace_certs(this->aacerts, creds, FALSE); + creds->destroy(creds); lib->credmgr->flush_cache(lib->credmgr, CERT_X509); - load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA); } if (msg->reread.flags & REREAD_OCSPCERTS) { DBG1(DBG_CFG, "rereading ocsp signer certificates from '%s'", OCSP_CERTIFICATE_DIR); load_certdir(this, OCSP_CERTIFICATE_DIR, CERT_X509, - X509_OCSP_SIGNER); - } - if (msg->reread.flags & REREAD_AACERTS) - { - DBG1(DBG_CFG, "rereading aa certificates from '%s'", - AA_CERTIFICATE_DIR); - this->aacerts->clear(this->aacerts); - lib->credmgr->flush_cache(lib->credmgr, CERT_X509); - load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA); + X509_OCSP_SIGNER, this->creds); } if (msg->reread.flags & REREAD_ACERTS) { DBG1(DBG_CFG, "rereading attribute certificates from '%s'", ATTR_CERTIFICATE_DIR); - load_certdir(this, ATTR_CERTIFICATE_DIR, CERT_X509_AC, 0); + load_certdir(this, ATTR_CERTIFICATE_DIR, CERT_X509_AC, 0, this->creds); } if (msg->reread.flags & REREAD_CRLS) { DBG1(DBG_CFG, "rereading crls from '%s'", CRL_DIR); - load_certdir(this, CRL_DIR, CERT_X509_CRL, 0); + load_certdir(this, CRL_DIR, CERT_X509_CRL, 0, this->creds); } } 
@@ -1424,10 +1437,8 @@ METHOD(stroke_cred_t, destroy, void, private_stroke_cred_t *this) { lib->credmgr->remove_set(lib->credmgr, &this->aacerts->set); - lib->credmgr->remove_set(lib->credmgr, &this->cacerts->set); lib->credmgr->remove_set(lib->credmgr, &this->creds->set); this->aacerts->destroy(this->aacerts); - this->cacerts->destroy(this->cacerts); this->creds->destroy(this->creds); free(this); } @@ -1435,7 +1446,7 @@ METHOD(stroke_cred_t, destroy, void, /* * see header file */ -stroke_cred_t *stroke_cred_create() +stroke_cred_t *stroke_cred_create(stroke_ca_t *ca) { private_stroke_cred_t *this; @@ -1449,7 +1460,6 @@ stroke_cred_t *stroke_cred_create() .cache_cert = (void*)_cache_cert, }, .reread = _reread, - .load_ca = _load_ca, .load_peer = _load_peer, .load_pubkey = _load_pubkey, .add_shared = _add_shared, @@ -1460,12 +1470,11 @@ stroke_cred_t *stroke_cred_create() "%s.plugins.stroke.secrets_file", SECRETS_FILE, lib->ns), .creds = mem_cred_create(), - .cacerts = mem_cred_create(), .aacerts = mem_cred_create(), + .ca = ca, ); lib->credmgr->add_set(lib->credmgr, &this->creds->set); - lib->credmgr->add_set(lib->credmgr, &this->cacerts->set); lib->credmgr->add_set(lib->credmgr, &this->aacerts->set); this->force_ca_cert = lib->settings->get_bool(lib->settings, diff --git a/src/libcharon/plugins/stroke/stroke_cred.h b/src/libcharon/plugins/stroke/stroke_cred.h index 9434629ef..33a0e3531 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.h +++ b/src/libcharon/plugins/stroke/stroke_cred.h @@ -29,6 +29,8 @@ #include #include +#include "stroke_ca.h" + typedef struct stroke_cred_t stroke_cred_t; /** 
@@ -49,17 +51,6 @@ struct stroke_cred_t { */ void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt); - /** - * Load a CA certificate. - * - * This method does not add the loaded CA certificate to the internal - * credentail set, but returns it only. - * - * @param filename file to load CA cert from - * @return loaded certificate, or NULL - */ - certificate_t* (*load_ca)(stroke_cred_t *this, char *filename); - /** * Load a peer certificate and serve it through the credential_set. * @@ -103,6 +94,6 @@ struct stroke_cred_t { /** * Create a stroke_cred instance. */ -stroke_cred_t *stroke_cred_create(); +stroke_cred_t *stroke_cred_create(stroke_ca_t *ca); #endif /** STROKE_CRED_H_ @}*/ diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 68b8232bc..c7e4c9c65 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -647,7 +647,7 @@ METHOD(stroke_list_t, status, void, enumerator->destroy(enumerator); half_open = charon->ike_sa_manager->get_half_open_count( - charon->ike_sa_manager, NULL); + charon->ike_sa_manager, NULL, FALSE); fprintf(out, "Security Associations (%u up, %u connecting):\n", charon->ike_sa_manager->get_count(charon->ike_sa_manager) - half_open, half_open); diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index db7e66f14..29563e32f 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c 
@@ -779,10 +779,10 @@ stroke_socket_t *stroke_socket_create() "%s.plugins.stroke.prevent_loglevel_changes", FALSE, lib->ns), ); - this->cred = stroke_cred_create(); + this->ca = stroke_ca_create(); + this->cred = stroke_cred_create(this->ca); this->attribute = stroke_attribute_create(); this->handler = stroke_handler_create(); - this->ca = stroke_ca_create(this->cred); this->config = stroke_config_create(this->ca, this->cred, this->attribute); this->control = stroke_control_create(); this->list = stroke_list_create(this->attribute); diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h index 91e8fe404..f1587a1f6 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.h @@ -15,7 +15,7 @@ /** * @defgroup tnc_ifmap_renew_session_job tnc_ifmap_renew_session_job - * @{ @ingroup cjobs + * @{ @ingroup tnc_ifmap */ #ifndef TNC_IFMAP_RENEW_SESSION_JOB_H_ diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c index cebc389e7..a7d26e67d 100644 --- a/src/libcharon/plugins/uci/uci_control.c +++ b/src/libcharon/plugins/uci/uci_control.c @@ -147,7 +147,7 @@ static void initiate(private_uci_control_t *this, char *name) if (enumerator->enumerate(enumerator, &child_cfg) && charon->controller->initiate(charon->controller, peer_cfg, child_cfg->get_ref(child_cfg), - controller_cb_empty, NULL, 0) == SUCCESS) + controller_cb_empty, NULL, 0, FALSE) == SUCCESS) { write_fifo(this, "connection '%s' established\n", name); } diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c index be65d599f..96282bee0 100644 --- a/src/libcharon/plugins/updown/updown_listener.c +++ b/src/libcharon/plugins/updown/updown_listener.c 
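Review bot: stroke_cred now keeps the `stroke_ca_t` pointer created on the line before it, so the teardown path (not in this hunk) should destroy `this->cred` before `this->ca`; if the destroy order was left as it was for the old creation order, any late use of `this->ca` from cred would be a use-after-free. Please confirm the destroy sequence was updated to mirror the new creation order.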
@@ -169,31 +169,34 @@ static void push_dns_env(private_updown_listener_t *this, ike_sa_t *ike_sa, } /** - * Push variables for local virtual IPs + * Push variables for local/remote virtual IPs */ static void push_vip_env(private_updown_listener_t *this, ike_sa_t *ike_sa, - char *envp[], u_int count) + char *envp[], u_int count, bool local) { enumerator_t *enumerator; host_t *host; int v4 = 0, v6 = 0; bool first = TRUE; - enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE); + enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local); while (enumerator->enumerate(enumerator, &host)) { if (first) { /* legacy variable for first VIP */ first = FALSE; - push_env(envp, count, "PLUTO_MY_SOURCEIP=%H", host); + push_env(envp, count, "PLUTO_%s_SOURCEIP=%H", + local ? "MY" : "PEER", host); } switch (host->get_family(host)) { case AF_INET: - push_env(envp, count, "PLUTO_MY_SOURCEIP4_%d=%H", ++v4, host); + push_env(envp, count, "PLUTO_%s_SOURCEIP4_%d=%H", + local ? "MY" : "PEER", ++v4, host); break; case AF_INET6: - push_env(envp, count, "PLUTO_MY_SOURCEIP6_%d=%H", ++v6, host); + push_env(envp, count, "PLUTO_%s_SOURCEIP6_%d=%H", + local ? "MY" : "PEER", ++v6, host); break; default: continue; @@ -313,7 +316,8 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa, push_env(envp, countof(envp), "PLUTO_XAUTH_ID=%Y", ike_sa->get_other_eap_id(ike_sa)); } - push_vip_env(this, ike_sa, envp, countof(envp)); + push_vip_env(this, ike_sa, envp, countof(envp), TRUE); + push_vip_env(this, ike_sa, envp, countof(envp), FALSE); mark = config->get_mark(config, TRUE); if (mark.value) { diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am index b25396085..c99d23e4e 100644 --- a/src/libcharon/plugins/vici/Makefile.am +++ b/src/libcharon/plugins/vici/Makefile.am 
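Review bot: The comment `/* legacy variable for first VIP */` now also covers the remote side, where `PLUTO_PEER_SOURCEIP` is a new variable rather than a legacy one; suggest `/* unnumbered variable for the first VIP (kept for compatibility on the local side) */`. The new `PLUTO_PEER_SOURCEIP*` variables should also be described wherever the updown script's environment is documented, if that is not already part of this import.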
@@ -23,6 +23,7 @@ libstrongswan_vici_la_SOURCES = \ vici_config.h vici_config.c \ vici_cred.h vici_cred.c \ vici_attribute.h vici_attribute.c \ + vici_authority.h vici_authority.c \ vici_logger.h vici_logger.c \ vici_plugin.h vici_plugin.c diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in index b63226daa..1a7870ae9 100644 --- a/src/libcharon/plugins/vici/Makefile.in +++ b/src/libcharon/plugins/vici/Makefile.in @@ -136,7 +136,7 @@ libstrongswan_vici_la_LIBADD = am_libstrongswan_vici_la_OBJECTS = vici_socket.lo vici_message.lo \ vici_builder.lo vici_dispatcher.lo vici_query.lo \ vici_control.lo vici_config.lo vici_cred.lo vici_attribute.lo \ - vici_logger.lo vici_plugin.lo + vici_authority.lo vici_logger.lo vici_plugin.lo libstrongswan_vici_la_OBJECTS = $(am_libstrongswan_vici_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -543,6 +543,7 @@ libstrongswan_vici_la_SOURCES = \ vici_config.h vici_config.c \ vici_cred.h vici_cred.c \ vici_attribute.h vici_attribute.c \ + vici_authority.h vici_authority.c \ vici_logger.h vici_logger.c \ vici_plugin.h vici_plugin.c @@ -736,6 +737,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libvici.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_attribute.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_authority.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_builder.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_config.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_control.Plo@am__quote@ diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index 0ce4271b0..e20e8ab26 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -259,6 +259,7 @@ Initiates an SA while streaming _control-log_ events. { child = timeout = + init-limits = loglevel = } => { success = 
@@ -366,6 +367,27 @@ over vici. # completes after streaming list-cert events } +### list-authorities() ### + +List currently loaded certification authority information by streaming +_list-authority_ events. + + { + name = + } => { + # completes after streaming list-authority events + } + +### get-authorities() ### + +Return a list of currently loaded certification authority names. + + {} => { + authorities = [ + + ] + } + ### load-conn() ### Load a single connection definition into the daemon. An existing connection @@ -442,6 +464,32 @@ credential cache. errmsg = } +### load-authority() ### + +Load a single certification authority definition into the daemon. An existing +authority with the same name gets replaced. + + { + = { + # certification authority parameters + # refer to swanctl.conf(5) for details. + } => { + success = + errmsg = + } + } + +### unload-authority() ### + +Unload a previously loaded certification authority definition by name. + + { + name = + } => { + success = + errmsg = + } + ### load-pool() ### Load an in-memory virtual IP and configuration attribute pool. Existing 
@@ -673,6 +721,82 @@ _list-certs_ command. data = } +### list-authority ### + +The _list-authority_ event is issued to stream loaded certification authority +information during an active_list-authorities_ command. + + { + = { + cacert = + crl_uris = [ + + ] + ocsp_uris = [ + + ] + cert_uri_base = + } + } + +### ike-updown ### + +The _ike-updown_ event is issued when an IKE_SA is established or terminated. + + { + up = + = { + + } + } + +### ike-rekey ### + +The _ike-rekey_ event is issued when an IKE_SA is rekeyed. + + { + = { + old = { + + } + new = { + + } + } + } + +### child-updown ### + +The _child-updown_ event is issued when a CHILD_SA is established or terminated. + + { + up = + = { + + } + } + +### child-rekey ### + +The _child-rekey_ event is issued when a CHILD_SA is rekeyed. + + { + = { + + child-sas = { + = { + old = { + + } + new = { + + } + } + } + } + } # libvici C client library # diff --git a/src/libcharon/plugins/vici/python/LICENSE b/src/libcharon/plugins/vici/python/LICENSE index 111523ca8..54f2158dc 100644 --- a/src/libcharon/plugins/vici/python/LICENSE +++ b/src/libcharon/plugins/vici/python/LICENSE @@ -1,4 +1,6 @@ Copyright (c) 2015 Björn Schuberg +Copyright (c) 2015 Martin Willi +Copyright (c) 2015 Tobias Brunner Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/src/libcharon/plugins/vici/python/vici/exception.py b/src/libcharon/plugins/vici/python/vici/exception.py index 36384e556..757ac51a9 100644 --- a/src/libcharon/plugins/vici/python/vici/exception.py +++ b/src/libcharon/plugins/vici/python/vici/exception.py @@ -8,3 +8,6 @@ class SessionException(Exception): class CommandException(Exception): """Command result exception.""" + +class EventUnknownException(Exception): + """Event unknown exception.""" 
diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py index dee58699d..283e3d13d 100644 --- a/src/libcharon/plugins/vici/python/vici/session.py +++ b/src/libcharon/plugins/vici/python/vici/session.py @@ -1,7 +1,7 @@ import collections import socket -from .exception import SessionException, CommandException +from .exception import SessionException, CommandException, EventUnknownException from .protocol import Transport, Packet, Message @@ -197,6 +197,16 @@ class Session(object): """ return self.handler.request("get-pools") + def listen(self, event_types): + """Register and listen for the given events. + + :param event_types: event types to register + :type event_types: list + :return: generator for streamed event responses as (event_type, dict) + :rtype: generator + """ + return self.handler.listen(event_types) + class SessionHandler(object): """Handles client command execution requests over vici.""" @@ -215,6 +225,32 @@ class SessionHandler(object): self.transport.send(packet) return Packet.parse(self.transport.receive()) + def _register_unregister(self, event_type, register): + """Register or unregister for the given event. + + :param event_type: event to register + :type event_type: str + :param register: whether to register or unregister + :type register: bool + """ + if register: + packet = Packet.register_event(event_type) + else: + packet = Packet.unregister_event(event_type) + response = self._communicate(packet) + if response.response_type == Packet.EVENT_UNKNOWN: + raise EventUnknownException( + "Unknown event type '{event}'".format(event=event_type) + ) + elif response.response_type != Packet.EVENT_CONFIRM: + raise SessionException( + "Unexpected response type {type}, " + "expected '{confirm}' (EVENT_CONFIRM)".format( + type=response.response_type, + confirm=Packet.EVENT_CONFIRM, + ) + ) + def request(self, command, message=None): """Send request with an optional message. 
@@ -265,57 +301,37 @@ class SessionHandler(object): if message is not None: message = Message.serialize(message) - # subscribe to event stream - packet = Packet.register_event(event_stream_type) - response = self._communicate(packet) - - if response.response_type != Packet.EVENT_CONFIRM: - raise SessionException( - "Unexpected response type {type}, " - "expected '{confirm}' (EVENT_CONFIRM)".format( - type=response.response_type, - confirm=Packet.EVENT_CONFIRM, - ) - ) - - # issue command, and read any event messages - packet = Packet.request(command, message) - self.transport.send(packet) - exited = False - while True: - response = Packet.parse(self.transport.receive()) - if response.response_type == Packet.EVENT: - if not exited: - try: - yield Message.deserialize(response.payload) - except GeneratorExit: - exited = True - pass + self._register_unregister(event_stream_type, True); + + try: + packet = Packet.request(command, message) + self.transport.send(packet) + exited = False + while True: + response = Packet.parse(self.transport.receive()) + if response.response_type == Packet.EVENT: + if not exited: + try: + yield Message.deserialize(response.payload) + except GeneratorExit: + exited = True + pass + else: + break + + if response.response_type == Packet.CMD_RESPONSE: + command_response = Message.deserialize(response.payload) else: - break - - if response.response_type == Packet.CMD_RESPONSE: - command_response = Message.deserialize(response.payload) - else: - raise SessionException( - "Unexpected response type {type}, " - "expected '{response}' (CMD_RESPONSE)".format( - type=response.response_type, - response=Packet.CMD_RESPONSE + raise SessionException( + "Unexpected response type {type}, " + "expected '{response}' (CMD_RESPONSE)".format( + type=response.response_type, + response=Packet.CMD_RESPONSE + ) ) - ) - # unsubscribe from event stream - packet = Packet.unregister_event(event_stream_type) - response = self._communicate(packet) - if 
response.response_type != Packet.EVENT_CONFIRM: - raise SessionException( - "Unexpected response type {type}, " - "expected '{confirm}' (EVENT_CONFIRM)".format( - type=response.response_type, - confirm=Packet.EVENT_CONFIRM, - ) - ) + finally: + self._register_unregister(event_stream_type, False); # evaluate command result, if any if "success" in command_response: @@ -325,3 +341,27 @@ class SessionHandler(object): errmsg=command_response["errmsg"] ) ) + + def listen(self, event_types): + """Register and listen for the given events. + + :param event_types: event types to register + :type event_types: list + :return: generator for streamed event responses as (event_type, dict) + :rtype: generator + """ + for event_type in event_types: + self._register_unregister(event_type, True) + + try: + while True: + response = Packet.parse(self.transport.receive()) + if response.response_type == Packet.EVENT: + try: + yield response.event_type, Message.deserialize(response.payload) + except GeneratorExit: + break + + finally: + for event_type in event_types: + self._register_unregister(event_type, False) diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb index f87e46e69..f8169add0 100644 --- a/src/libcharon/plugins/vici/ruby/lib/vici.rb +++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb @@ -247,7 +247,11 @@ module Vici def recv_all(len) encoding = "" while encoding.length < len do - encoding << @socket.recv(len - encoding.length) + data = @socket.recv(len - encoding.length) + if data.empty? + raise TransportError, "connection closed" + end + encoding << data end encoding end diff --git a/src/libcharon/plugins/vici/suites/test_message.c b/src/libcharon/plugins/vici/suites/test_message.c index e76d27332..045e34fff 100644 --- a/src/libcharon/plugins/vici/suites/test_message.c +++ b/src/libcharon/plugins/vici/suites/test_message.c 
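Review bot: The two new calls `self._register_unregister(event_stream_type, True);` and `self._register_unregister(event_stream_type, False);` end in a stray semicolon, which is legal but not Python style and will be flagged by any linter; drop them. Also, because the unregister now runs in `finally`, a transport error raised while reading the stream is immediately followed by a second exchange on the same broken socket, and the SessionException from that attempt becomes the exception the caller sees (the original is only kept as `__context__` on Python 3 and is lost on Python 2); consider setting a flag once CMD_RESPONSE was read and only unregistering in that case, or catching and discarding errors from the unregister when an exception is already propagating. The function's header is outside the hunk.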
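Review bot: In `listen()` the registration loop runs before the `try`, so if the second or a later `_register_unregister(event_type, True)` raises EventUnknownException the earlier types stay registered on the daemon side and are never unregistered. Move the registrations inside the `try` and unregister only what actually succeeded, e.g. append each type to a local `registered = []` after its confirm and iterate that list in `finally`. The loop also silently ignores any non-EVENT packet (no `else` branch), unlike `streamed_request`, which raises on an unexpected response type; either treat it the same way or state in the docstring that unexpected packets are dropped and that the generator only terminates when the consumer closes it.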
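Review bot: The new EOF check `if data.empty?` assumes `@socket.recv` always returns a String; on some Ruby implementations `recv` has been observed to return `nil` when the peer closes, which would turn the intended TransportError into a NoMethodError. A cheap hardening is `if data.nil? || data.empty?`. The surrounding `recv_all` method otherwise looks correct now that a closed connection no longer spins in the `while` loop.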
@@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * @@ -355,6 +358,33 @@ START_TEST(test_get_int) } END_TEST +START_TEST(test_get_bool) +{ + vici_message_t *m; + + m = build_getter_msg(); + + ck_assert(m->get_bool(m, TRUE, "key1")); + ck_assert(m->get_bool(m, FALSE, "key1")); + + ck_assert(m->get_bool(m, TRUE, "section1.key2")); + ck_assert(m->get_bool(m, TRUE, "section1.section2.key3")); + ck_assert(m->get_bool(m, TRUE, "section1.key4")); + ck_assert(m->get_bool(m, TRUE, "key5")); + ck_assert(m->get_bool(m, TRUE, "nonexistent")); + ck_assert(m->get_bool(m, TRUE, "n.o.n.e.x.i.s.t.e.n.t")); + + ck_assert(!m->get_bool(m, FALSE, "section1.key2")); + ck_assert(!m->get_bool(m, FALSE, "section1.section2.key3")); + ck_assert(!m->get_bool(m, FALSE, "section1.key4")); + ck_assert(!m->get_bool(m, FALSE, "key5")); + ck_assert(!m->get_bool(m, FALSE, "nonexistent")); + ck_assert(!m->get_bool(m, FALSE, "n.o.n.e.x.i.s.t.e.n.t")); + + m->destroy(m); +} +END_TEST + START_TEST(test_get_value) { vici_message_t *m; @@ -400,6 +430,7 @@ Suite *message_suite_create() tc = tcase_create("convenience getters"); tcase_add_test(tc, test_get_str); tcase_add_test(tc, test_get_int); + tcase_add_test(tc, test_get_bool); tcase_add_test(tc, test_get_value); suite_add_tcase(s, tc); diff --git a/src/libcharon/plugins/vici/vici_authority.c b/src/libcharon/plugins/vici/vici_authority.c new file mode 100644 index 000000000..94a7f68f6 --- /dev/null +++ b/src/libcharon/plugins/vici/vici_authority.c 
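Review bot: Every assertion in `test_get_bool` passes a default and then expects exactly that default back — `ck_assert(m->get_bool(m, TRUE, "key1"))` and `ck_assert(!m->get_bool(m, FALSE, "key1"))` for the same key — so the test only shows that non-boolean or missing keys fall through to the default and never exercises a key whose value actually overrides it. A `get_bool` implementation that ignored the message entirely would pass as written. Add at least one key with a boolean value to `build_getter_msg` (defined outside the hunk) and assert both directions, e.g. `ck_assert(m->get_bool(m, FALSE, "bool_yes"))` and `ck_assert(!m->get_bool(m, TRUE, "bool_no"))`, using whichever spellings `get_bool` is meant to accept.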
@@ -0,0 +1,750 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE + +#include "vici_authority.h" +#include "vici_builder.h" + +#include +#include +#include +#include + +#include + +typedef struct private_vici_authority_t private_vici_authority_t; + +/** + * Private data of an vici_authority_t object. + */ +struct private_vici_authority_t { + + /** + * Public vici_authority_t interface. + */ + vici_authority_t public; + + /** + * Dispatcher + */ + vici_dispatcher_t *dispatcher; + + /** + * credential backend managed by VICI used for our ca certificates + */ + vici_cred_t *cred; + + /** + * List of certification authorities + */ + linked_list_t *authorities; + + /** + * rwlock to lock access to certification authorities + */ + rwlock_t *lock; + +}; + +typedef struct authority_t authority_t; + +/** + * loaded certification authorities + */ +struct authority_t { + + /** + * Name of the certification authoritiy + */ + char *name; + + /** + * Reference to CA certificate + */ + certificate_t *cert; + + /** + * CRL URIs + */ + linked_list_t *crl_uris; + + /** + * OCSP URIs + */ + linked_list_t *ocsp_uris; + + /** + * Hashes of certificates issued by this CA + */ + linked_list_t *hashes; + + /** + * Base URI used for certificates from this CA + */ + char *cert_uri_base; +}; + +/** + * create a new certification authority + */ +static authority_t *authority_create(char *name) +{ + authority_t 
*authority; + + INIT(authority, + .name = strdup(name), + .crl_uris = linked_list_create(), + .ocsp_uris = linked_list_create(), + .hashes = linked_list_create(), + ); + + return authority; +} + +/** + * destroy a certification authority + */ +static void authority_destroy(authority_t *this) +{ + this->crl_uris->destroy_function(this->crl_uris, free); + this->ocsp_uris->destroy_function(this->ocsp_uris, free); + this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy)); + DESTROY_IF(this->cert); + free(this->cert_uri_base); + free(this->name); + free(this); +} + + +/** + * Create a (error) reply message + */ +static vici_message_t* create_reply(char *fmt, ...) +{ + vici_builder_t *builder; + va_list args; + + builder = vici_builder_create(); + builder->add_kv(builder, "success", fmt ? "no" : "yes"); + if (fmt) + { + va_start(args, fmt); + builder->vadd_kv(builder, "errmsg", fmt, args); + va_end(args); + } + return builder->finalize(builder); +} + +/** + * A rule to parse a key/value or list item + */ +typedef struct { + /** name of the key/value or list */ + char *name; + /** function to parse value */ + bool (*parse)(void *out, chunk_t value); + /** result, passed to parse() */ + void *out; +} parse_rule_t; + +/** + * Parse key/values using a rule-set + */ +static bool parse_rules(parse_rule_t *rules, int count, char *name, + chunk_t value, vici_message_t **reply) +{ + int i; + + for (i = 0; i < count; i++) + { + if (streq(name, rules[i].name)) + { + if (rules[i].parse(rules[i].out, value)) + { + return TRUE; + } + *reply = create_reply("invalid value for: %s, authority discarded", + name); + return FALSE; + } + } + *reply = create_reply("unknown option: %s, authority discarded", name); + return FALSE; +} + +/** + * Parse callback data, passed to each callback + */ +typedef struct { + private_vici_authority_t *this; + vici_message_t *reply; +} request_data_t; + +/** + * Data associated with an authority load + */ +typedef struct { + 
request_data_t *request; + authority_t *authority; +} load_data_t; + +/** + * Parse a string + */ +CALLBACK(parse_string, bool, + char **str, chunk_t v) +{ + if (!chunk_printable(v, NULL, ' ')) + { + return FALSE; + } + *str = strndup(v.ptr, v.len); + + return TRUE; +} + +/** + * Parse list of URIs + */ +CALLBACK(parse_uris, bool, + linked_list_t *out, chunk_t v) +{ + char *uri; + + if (!chunk_printable(v, NULL, ' ')) + { + return FALSE; + } + uri = strndup(v.ptr, v.len); + out->insert_last(out, uri); + + return TRUE; +} + +/** + * Parse a CA certificate + */ +CALLBACK(parse_cacert, bool, + certificate_t **cacert, chunk_t v) +{ + certificate_t *cert; + x509_t *x509; + + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_PEM, v, BUILD_END); + if (!cert) + { + return create_reply("parsing %N certificate failed", + certificate_type_names, CERT_X509); + } + x509 = (x509_t*)cert; + + if ((x509->get_flags(x509) & X509_CA) != X509_CA) + { + cert->destroy(cert); + return create_reply("certificate without CA flag, rejected"); + } + *cacert = cert; + + return TRUE; +} + +CALLBACK(authority_kv, bool, + load_data_t *data, vici_message_t *message, char *name, chunk_t value) +{ + parse_rule_t rules[] = { + { "cacert", parse_cacert, &data->authority->cert }, + { "cert_uri_base", parse_string, &data->authority->cert_uri_base }, + }; + + return parse_rules(rules, countof(rules), name, value, + &data->request->reply); +} + +CALLBACK(authority_li, bool, + load_data_t *data, vici_message_t *message, char *name, chunk_t value) +{ + parse_rule_t rules[] = { + { "crl_uris", parse_uris, data->authority->crl_uris }, + { "ocsp_uris", parse_uris, data->authority->ocsp_uris }, + }; + + return parse_rules(rules, countof(rules), name, value, + &data->request->reply); +} + +static void log_authority_data(authority_t *authority) +{ + enumerator_t *enumerator; + identification_t *subject; + bool first = TRUE; + char *uri; + + subject = 
authority->cert->get_subject(authority->cert); + DBG2(DBG_CFG, " cacert = %Y", subject); + + enumerator = authority->crl_uris->create_enumerator(authority->crl_uris); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + DBG2(DBG_CFG, " crl_uris = %s", uri); + first = FALSE; + } + else + { + DBG2(DBG_CFG, " %s", uri); + } + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = authority->ocsp_uris->create_enumerator(authority->ocsp_uris); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + DBG2(DBG_CFG, " ocsp_uris = %s", uri); + first = FALSE; + } + else + { + DBG2(DBG_CFG, " %s", uri); + } + } + enumerator->destroy(enumerator); + + if (authority->cert_uri_base) + { + DBG2(DBG_CFG, " cert_uri_base = %s", authority->cert_uri_base); + } +} + +CALLBACK(authority_sn, bool, + request_data_t *request, vici_message_t *message, + vici_parse_context_t *ctx, char *name) +{ + enumerator_t *enumerator; + linked_list_t *authorities; + authority_t *authority; + vici_cred_t *cred; + + load_data_t data = { + .request = request, + .authority = authority_create(name), + }; + + DBG2(DBG_CFG, " authority %s:", name); + + if (!message->parse(message, ctx, NULL, authority_kv, authority_li, &data) || + !data.authority->cert) + { + authority_destroy(data.authority); + return FALSE; + } + log_authority_data(data.authority); + + request->this->lock->write_lock(request->this->lock); + + authorities = request->this->authorities; + enumerator = authorities->create_enumerator(authorities); + while (enumerator->enumerate(enumerator, &authority)) + { + if (streq(authority->name, name)) + { + /* remove the old authority definition */ + authorities->remove_at(authorities, enumerator); + authority_destroy(authority); + break; + } + } + enumerator->destroy(enumerator); + authorities->insert_last(authorities, data.authority); + + cred = request->this->cred; + data.authority->cert = cred->add_cert(cred, data.authority->cert); + + 
request->this->lock->unlock(request->this->lock); + + return TRUE; +} + +CALLBACK(load_authority, vici_message_t*, + private_vici_authority_t *this, char *name, u_int id, vici_message_t *message) +{ + request_data_t request = { + .this = this, + }; + + if (!message->parse(message, NULL, authority_sn, NULL, NULL, &request)) + { + if (request.reply) + { + return request.reply; + } + return create_reply("parsing request failed"); + } + return create_reply(NULL); +} + +CALLBACK(unload_authority, vici_message_t*, + private_vici_authority_t *this, char *name, u_int id, vici_message_t *message) +{ + enumerator_t *enumerator; + authority_t *authority; + char *authority_name; + bool found = FALSE; + + authority_name = message->get_str(message, NULL, "name"); + if (!authority_name) + { + return create_reply("unload: missing authority name"); + } + + this->lock->write_lock(this->lock); + enumerator = this->authorities->create_enumerator(this->authorities); + while (enumerator->enumerate(enumerator, &authority)) + { + if (streq(authority->name, authority_name)) + { + this->authorities->remove_at(this->authorities, enumerator); + authority_destroy(authority); + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + if (!found) + { + return create_reply("unload: authority '%s' not found", authority_name); + } + return create_reply(NULL); +} + +CALLBACK(get_authorities, vici_message_t*, + private_vici_authority_t *this, char *name, u_int id, + vici_message_t *message) +{ + vici_builder_t *builder; + enumerator_t *enumerator; + authority_t *authority; + + builder = vici_builder_create(); + builder->begin_list(builder, "authorities"); + + this->lock->read_lock(this->lock); + enumerator = this->authorities->create_enumerator(this->authorities); + while (enumerator->enumerate(enumerator, &authority)) + { + builder->add_li(builder, "%s", authority->name); + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + 
builder->end_list(builder); + + return builder->finalize(builder); +} + +CALLBACK(list_authorities, vici_message_t*, + private_vici_authority_t *this, char *name, u_int id, vici_message_t *request) +{ + enumerator_t *enumerator, *e; + authority_t *authority; + vici_builder_t *b; + char *str, *uri; + + str = request->get_str(request, NULL, "name"); + + this->lock->read_lock(this->lock); + enumerator = this->authorities->create_enumerator(this->authorities); + while (enumerator->enumerate(enumerator, &authority)) + { + if (str && !streq(str, authority->name)) + { + continue; + } + b = vici_builder_create(); + + /* open authority section */ + b->begin_section(b, authority->name); + + /* subject DN of cacert */ + b->add_kv(b, "cacert", "%Y", + authority->cert->get_subject(authority->cert)); + + /* list of crl_uris */ + b->begin_list(b, "crl_uris"); + e = authority->crl_uris->create_enumerator(authority->crl_uris); + while (e->enumerate(e, &uri)) + { + b->add_li(b, "%s", uri); + } + e->destroy(e); + b->end_list(b); + + /* list of ocsp_uris */ + b->begin_list(b, "ocsp_uris"); + e = authority->ocsp_uris->create_enumerator(authority->ocsp_uris); + while (e->enumerate(e, &uri)) + { + b->add_li(b, "%s", uri); + } + e->destroy(e); + b->end_list(b); + + /* cert_uri_base */ + if (authority->cert_uri_base) + { + b->add_kv(b, "cert_uri_base", "%s", authority->cert_uri_base); + } + + /* close authority and raise event */ + b->end_section(b); + this->dispatcher->raise_event(this->dispatcher, "list-authority", id, + b->finalize(b)); + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + b = vici_builder_create(); + return b->finalize(b); +} + +static void manage_command(private_vici_authority_t *this, + char *name, vici_command_cb_t cb, bool reg) +{ + this->dispatcher->manage_command(this->dispatcher, name, + reg ? 
cb : NULL, this); +} + +/** + * (Un-)register dispatcher functions + */ +static void manage_commands(private_vici_authority_t *this, bool reg) +{ + this->dispatcher->manage_event(this->dispatcher, "list-authority", reg); + + manage_command(this, "load-authority", load_authority, reg); + manage_command(this, "unload-authority", unload_authority, reg); + manage_command(this, "get-authorities", get_authorities, reg); + manage_command(this, "list-authorities", list_authorities, reg); +} + +/** + * data to pass to create_inner_cdp + */ +typedef struct { + private_vici_authority_t *this; + certificate_type_t type; + identification_t *id; +} cdp_data_t; + +/** + * destroy cdp enumerator data and unlock list + */ +static void cdp_data_destroy(cdp_data_t *data) +{ + data->this->lock->unlock(data->this->lock); + free(data); +} + +/** + * inner enumerator constructor for CDP URIs + */ +static enumerator_t *create_inner_cdp(authority_t *authority, cdp_data_t *data) +{ + public_key_t *public; + enumerator_t *enumerator = NULL; + linked_list_t *list; + + if (data->type == CERT_X509_OCSP_RESPONSE) + { + list = authority->ocsp_uris; + } + else + { + list = authority->crl_uris; + } + + public = authority->cert->get_public_key(authority->cert); + if (public) + { + if (!data->id) + { + enumerator = list->create_enumerator(list); + } + else + { + if (public->has_fingerprint(public, data->id->get_encoding(data->id))) + { + enumerator = list->create_enumerator(list); + } + } + public->destroy(public); + } + return enumerator; +} + +/** + * inner enumerator constructor for "Hash and URL" + */ +static enumerator_t *create_inner_cdp_hashandurl(authority_t *authority, + cdp_data_t *data) +{ + enumerator_t *enumerator = NULL, *hash_enum; + identification_t *current; + + if (!data->id || !authority->cert_uri_base) + { + return NULL; + } + + hash_enum = authority->hashes->create_enumerator(authority->hashes); + while (hash_enum->enumerate(hash_enum, ¤t)) + { + if (current->matches(current, 
data->id)) + { + char *url, *hash; + + url = malloc(strlen(authority->cert_uri_base) + 40 + 1); + strcpy(url, authority->cert_uri_base); + hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr; + strncat(url, hash, 40); + free(hash); + + enumerator = enumerator_create_single(url, free); + break; + } + } + hash_enum->destroy(hash_enum); + return enumerator; +} + +METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, + private_vici_authority_t *this, certificate_type_t type, + identification_t *id) +{ + cdp_data_t *data; + + switch (type) + { /* we serve CRLs, OCSP responders and URLs for "Hash and URL" */ + case CERT_X509: + case CERT_X509_CRL: + case CERT_X509_OCSP_RESPONSE: + case CERT_ANY: + break; + default: + return NULL; + } + data = malloc_thing(cdp_data_t); + data->this = this; + data->type = type; + data->id = id; + + this->lock->read_lock(this->lock); + + return enumerator_create_nested( + this->authorities->create_enumerator(this->authorities), + (type == CERT_X509) ? 
(void*)create_inner_cdp_hashandurl : + (void*)create_inner_cdp, data, (void*)cdp_data_destroy); +} + +METHOD(vici_authority_t, check_for_hash_and_url, void, + private_vici_authority_t *this, certificate_t* cert) +{ + authority_t *authority; + enumerator_t *enumerator; + hasher_t *hasher; + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (hasher == NULL) + { + DBG1(DBG_CFG, "unable to use hash-and-url: sha1 not supported"); + return; + } + + this->lock->write_lock(this->lock); + enumerator = this->authorities->create_enumerator(this->authorities); + while (enumerator->enumerate(enumerator, &authority)) + { + if (authority->cert_uri_base && + cert->issued_by(cert, authority->cert, NULL)) + { + chunk_t hash, encoded; + + if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded)) + { + if (hasher->allocate_hash(hasher, encoded, &hash)) + { + authority->hashes->insert_last(authority->hashes, + identification_create_from_encoding(ID_KEY_ID, hash)); + chunk_free(&hash); + } + chunk_free(&encoded); + } + break; + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + hasher->destroy(hasher); +} + +METHOD(vici_authority_t, destroy, void, + private_vici_authority_t *this) +{ + manage_commands(this, FALSE); + + this->authorities->destroy_function(this->authorities, + (void*)authority_destroy); + this->lock->destroy(this->lock); + free(this); +} + +/** + * See header + */ +vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher, + vici_cred_t *cred) +{ + private_vici_authority_t *this; + + INIT(this, + .public = { + .set = { + .create_private_enumerator = (void*)return_null, + .create_cert_enumerator = (void*)return_null, + .create_shared_enumerator = (void*)return_null, + .create_cdp_enumerator = _create_cdp_enumerator, + .cache_cert = (void*)nop, + }, + .check_for_hash_and_url = _check_for_hash_and_url, + .destroy = _destroy, + }, + .dispatcher = dispatcher, + .cred = cred, + .authorities = linked_list_create(), + .lock = 
rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + manage_commands(this, TRUE); + + return &this->public; +} diff --git a/src/libcharon/plugins/vici/vici_authority.h b/src/libcharon/plugins/vici/vici_authority.h new file mode 100644 index 000000000..dbeabae62 --- /dev/null +++ b/src/libcharon/plugins/vici/vici_authority.h @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup vici_authority vici_authority + * @{ @ingroup vici + */ + +#ifndef VICI_AUTHORITY_H_ +#define VICI_AUTHORITY_H_ + +#include "vici_dispatcher.h" +#include "vici_cred.h" + +typedef struct vici_authority_t vici_authority_t; + +/** + * In-memory certification authority backend, managed by VICI. + */ +struct vici_authority_t { + + /** + * Implements credential_set_t + */ + credential_set_t set; + + /** + * Check if a certificate can be made available through hash and URL. + * + * @param cert end entity certificate + */ + void (*check_for_hash_and_url)(vici_authority_t *this, certificate_t* cert); + + /** + * Destroy a vici_authority_t. + */ + void (*destroy)(vici_authority_t *this); +}; + +/** + * Create a vici_authority instance. + * + * @param dispatcher dispatcher to receive requests from + * @param cred in-memory credential backend managed by VICI + * @return authority backend + */ +vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher, + vici_cred_t *cred); + +#endif /** VICI_AUTHORITY_H_ @}*/ 
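Review bot: `parse_cacert` is declared via CALLBACK as returning `bool`, yet both error paths `return create_reply(...)`, a `vici_message_t*`; the non-NULL pointer converts to TRUE, so a PEM blob that fails to parse or a certificate without the CA flag is reported to `parse_rules` as a successful parse (with `*cacert` left NULL) and the reply message is leaked. `authority_sn` then only rejects the authority through its `!data.authority->cert` check, and the operator gets the generic "parsing request failed" instead of the intended reason. Change both to `return FALSE;` so `parse_rules` yields `"invalid value for: cacert, authority discarded"`, and log the CA-flag rejection at DBG1 so a non-CA certificate being offered as a trust anchor is visible in the daemon log. Separately, `unload_authority` removes the list entry and drops its reference, but the certificate handed to `cred->add_cert()` in `authority_sn` appears to stay in the vici credential set, so unloading an authority does not by itself stop the daemon from trusting that CA; if that is intended it should be stated in the command's documentation, since an operator would reasonably expect the opposite.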
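Review bot: The doc comment on `check_for_hash_and_url` ("Check if a certificate can be made available through hash and URL") reads like a pure query, but the implementation has a side effect: when `cert` is issued by a loaded authority with a `cert_uri_base`, it appends the SHA1 hash of the DER encoding to that authority's hash list, which `create_cdp_enumerator` later turns into a URL for CERT_X509 lookups. Say so, e.g. `Record the SHA1 hash of cert if it was issued by a loaded authority that has a cert_uri_base, so a "Hash and URL" can be served for it via create_cdp_enumerator; no-op otherwise.` Within vici_authority.c nothing removes entries from that list, so repeated loading of the same connection appears to append duplicate hashes — worth a note on the method if it is known and accepted.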
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index d23259912..ea6d2958a 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -2,6 +2,9 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -93,6 +96,12 @@ struct private_vici_config_t { * Lock for conns list */ rwlock_t *lock; + + /** + * Auxiliary certification authority information + */ + vici_authority_t *authority; + }; METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, @@ -382,7 +391,7 @@ typedef struct { char* updown; bool hostaccess; bool ipcomp; - bool route; + bool policies; ipsec_mode_t mode; u_int32_t replay_window; action_t dpd_action; @@ -417,6 +426,7 @@ static void log_child_data(child_data_t *data, char *name) DBG2(DBG_CFG, " hostaccess = %u", data->hostaccess); DBG2(DBG_CFG, " ipcomp = %u", data->ipcomp); DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, data->mode); + DBG2(DBG_CFG, " policies = %u", data->policies); if (data->replay_window != REPLAY_UNDEFINED) { DBG2(DBG_CFG, " replay_window = %u", data->replay_window); 
@@ -1040,15 +1050,21 @@ CALLBACK(parse_group, bool, /** * Parse a certificate; add as auth rule to config */ -static bool parse_cert(auth_cfg_t *cfg, auth_rule_t rule, chunk_t v) +static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v) { + vici_authority_t *authority; certificate_t *cert; cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_BLOB_PEM, v, BUILD_END); if (cert) { - cfg->add(cfg, rule, cert); + if (rule == AUTH_RULE_SUBJECT_CERT) + { + authority = auth->request->this->authority; + authority->check_for_hash_and_url(authority, cert); + } + auth->cfg->add(auth->cfg, rule, cert); return TRUE; } return FALSE; @@ -1058,18 +1074,18 @@ static bool parse_cert(auth_cfg_t *cfg, auth_rule_t rule, chunk_t v) * Parse subject certificates */ CALLBACK(parse_certs, bool, - auth_cfg_t *cfg, chunk_t v) + auth_data_t *auth, chunk_t v) { - return parse_cert(cfg, AUTH_RULE_SUBJECT_CERT, v); + return parse_cert(auth, AUTH_RULE_SUBJECT_CERT, v); } /** * Parse CA certificates */ CALLBACK(parse_cacerts, bool, - auth_cfg_t *cfg, chunk_t v) + auth_data_t *auth, chunk_t v) { - return parse_cert(cfg, AUTH_RULE_CA_CERT, v); + return parse_cert(auth, AUTH_RULE_CA_CERT, v); } /** @@ -1234,6 +1250,7 @@ CALLBACK(child_kv, bool, { "updown", parse_string, &child->updown }, { "hostaccess", parse_bool, &child->hostaccess }, { "mode", parse_mode, &child->mode }, + { "policies", parse_bool, &child->policies }, { "replay_window", parse_uint32, &child->replay_window }, { "rekey_time", parse_time, &child->lft.time.rekey }, { "life_time", parse_time, &child->lft.time.life }, @@ -1264,8 +1281,8 @@ CALLBACK(auth_li, bool, { parse_rule_t rules[] = { { "groups", parse_group, auth->cfg }, - { "certs", parse_certs, auth->cfg }, - { "cacerts", parse_cacerts, auth->cfg }, + { "certs", parse_certs, auth }, + { "cacerts", parse_cacerts, auth }, }; return parse_rules(rules, countof(rules), name, value, 
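Review bot: `parse_cert` now calls `authority->check_for_hash_and_url(authority, cert)` for every AUTH_RULE_SUBJECT_CERT without a comment, and from this hunk alone a reader cannot tell that this is a registration with a side effect (the certificate's hash is recorded for "Hash and URL" serving) rather than a validation, nor whether it is intended for the `certs` of the remote auth section as well as the local one (the direction is not visible here). Add `/* register for "Hash and URL" if issued by a loaded authority; harmless for certs that are never sent */` or restrict the call to the local side if only our own certificates should be served. The function also dereferences `auth->request->this->authority` unconditionally, so `vici_config_create` must always receive a non-NULL authority.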
@@ -1341,6 +1358,7 @@ CALLBACK(children_sn, bool, .local_ts = linked_list_create(), .remote_ts = linked_list_create(), .mode = MODE_TUNNEL, + .policies = TRUE, .replay_window = REPLAY_UNDEFINED, .dpd_action = ACTION_NONE, .start_action = ACTION_NONE, @@ -1352,10 +1370,12 @@ CALLBACK(children_sn, bool, .jitter = LFT_UNDEFINED, }, .bytes = { + .rekey = LFT_UNDEFINED, .life = LFT_UNDEFINED, .jitter = LFT_UNDEFINED, }, .packets = { + .rekey = LFT_UNDEFINED, .life = LFT_UNDEFINED, .jitter = LFT_UNDEFINED, }, @@ -1408,6 +1428,15 @@ CALLBACK(children_sn, bool, { child.lft.packets.life = child.lft.packets.rekey * 110 / 100; } + /* if no soft lifetime specified, add one at hard lifetime - 10% */ + if (child.lft.bytes.rekey == LFT_UNDEFINED) + { + child.lft.bytes.rekey = child.lft.bytes.life * 90 / 100; + } + if (child.lft.packets.rekey == LFT_UNDEFINED) + { + child.lft.packets.rekey = child.lft.packets.life * 90 / 100; + } /* if no rand time defined, use difference of hard and soft */ if (child.lft.time.jitter == LFT_UNDEFINED) { @@ -1433,6 +1462,8 @@ CALLBACK(children_sn, bool, child.inactivity, child.reqid, &child.mark_in, &child.mark_out, child.tfc); + cfg->set_mipv6_options(cfg, FALSE, child.policies); + if (child.replay_window != REPLAY_UNDEFINED) { cfg->set_replay_window(cfg, child.replay_window); @@ -1558,7 +1589,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); charon->controller->initiate(charon->controller, peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), - NULL, NULL, 0); + NULL, NULL, 0, FALSE); break; case ACTION_ROUTE: DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg)); 
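Review bot: The new soft-lifetime fallback `child.lft.bytes.rekey = child.lft.bytes.life * 90 / 100;` (and its packets twin) fires whenever rekey is still LFT_UNDEFINED, but if no hard limit was given either, `life` at that point is either still the LFT_UNDEFINED sentinel or a value derived from it by the `life = rekey * 110 / 100` fallback a few lines above, which now also sees an undefined rekey since `.rekey = LFT_UNDEFINED` is the new initializer. Either way the resulting rekey is no longer "undefined", and depending on how LFT_UNDEFINED is defined (outside the hunk) the multiplication may overflow and install an arbitrary byte or packet limit. Guard both fallbacks so a limit is only derived from one that was actually configured, e.g. `if (child.lft.bytes.rekey == LFT_UNDEFINED && child.lft.bytes.life != LFT_UNDEFINED)`, and leave both unset when neither was given.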
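Review bot: `cfg->set_mipv6_options(cfg, FALSE, child.policies);` reuses a setter whose name says nothing about policy installation, and the signature is outside the hunk, so a reader cannot tell that the second argument is the "install policies" flag that `policies = no` in the connection is meant to control. Add `/* proxy_mode = FALSE, install_policy = policies */` on that line, or expose a dedicated `set_install_policy()` on child_cfg_t so the intent is visible at the call site.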
@@ -1958,20 +1989,20 @@ CALLBACK(unload_conn, vici_message_t*, { enumerator_t *enumerator; peer_cfg_t *cfg; + char *conn_name; bool found = FALSE; - char *conn; - conn = message->get_str(message, NULL, "name"); - if (!conn) + conn_name = message->get_str(message, NULL, "name"); + if (!conn_name) { - return create_reply("missing connection name to unload"); + return create_reply("unload: missing connection name"); } this->lock->write_lock(this->lock); enumerator = this->conns->create_enumerator(this->conns); while (enumerator->enumerate(enumerator, &cfg)) { - if (streq(cfg->get_name(cfg), conn)) + if (streq(cfg->get_name(cfg), conn_name)) { this->conns->remove_at(this->conns, enumerator); cfg->destroy(cfg); @@ -1984,7 +2015,7 @@ CALLBACK(unload_conn, vici_message_t*, if (!found) { - return create_reply("connection '%s' not found for unloading", conn); + return create_reply("unload: connection '%s' not found", conn_name); } return create_reply(NULL); } @@ -2042,7 +2073,8 @@ METHOD(vici_config_t, destroy, void, /** * See header */ -vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher) +vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher, + vici_authority_t *authority) { private_vici_config_t *this; @@ -2058,6 +2090,7 @@ vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher) .dispatcher = dispatcher, .conns = linked_list_create(), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .authority = authority, ); manage_commands(this, TRUE); diff --git a/src/libcharon/plugins/vici/vici_config.h b/src/libcharon/plugins/vici/vici_config.h index 820d5f300..c3245bf5c 100644 --- a/src/libcharon/plugins/vici/vici_config.h +++ b/src/libcharon/plugins/vici/vici_config.h 
@@ -2,6 +2,9 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -22,6 +25,7 @@ #define VICI_CONFIG_H_ #include "vici_dispatcher.h" +#include "vici_authority.h" #include @@ -46,8 +50,10 @@ struct vici_config_t { * Create a vici_config instance. * * @param dispatcher dispatcher to receive requests from + * @param authority Auxiliary certification authority information * @return config backend */ -vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher); +vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher, + vici_authority_t *authority); #endif /** VICI_CONFIG_H_ @}*/ diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c index 01d503644..752007c24 100644 --- a/src/libcharon/plugins/vici/vici_control.c +++ b/src/libcharon/plugins/vici/vici_control.c @@ -138,7 +138,7 @@ static child_cfg_t* find_child_cfg(char *name, peer_cfg_t **out) { enumerator_t *enumerator; peer_cfg_t *peer_cfg; - child_cfg_t *child_cfg; + child_cfg_t *child_cfg = NULL; enumerator = charon->backends->create_peer_cfg_enumerator( charon->backends, NULL, NULL, NULL, NULL, IKE_ANY); @@ -163,6 +163,7 @@ CALLBACK(initiate, vici_message_t*, peer_cfg_t *peer_cfg; char *child; u_int timeout; + bool limits; log_info_t log = { .dispatcher = this->dispatcher, .id = id, @@ -170,6 +171,7 @@ CALLBACK(initiate, vici_message_t*, child = request->get_str(request, NULL, "child"); timeout = request->get_int(request, 0, "timeout"); + limits = request->get_bool(request, FALSE, "init-limits"); log.level = request->get_int(request, 1, "loglevel"); if (!child) 
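Review bot: The new `@param authority` text "Auxiliary certification authority information" does not say that the pointer is mandatory, yet vici_config.c stores it unchecked and `parse_cert` dereferences it for every subject certificate. State the contract: `@param authority certification authority backend used to register certificates for "Hash and URL"; must not be NULL and must outlive the returned vici_config_t`.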
@@ -184,14 +186,17 @@ CALLBACK(initiate, vici_message_t*, { return send_reply(this, "CHILD_SA config '%s' not found", child); } - switch (charon->controller->initiate(charon->controller, - peer_cfg, child_cfg, (controller_cb_t)log_vici, &log, timeout)) + switch (charon->controller->initiate(charon->controller, peer_cfg, + child_cfg, (controller_cb_t)log_vici, &log, timeout, limits)) { case SUCCESS: return send_reply(this, NULL); case OUT_OF_RES: return send_reply(this, "CHILD_SA '%s' not established after %dms", child, timeout); + case INVALID_STATE: + return send_reply(this, "establishing CHILD_SA '%s' not possible " + "at the moment due to limits", child); case FAILED: default: return send_reply(this, "establishing CHILD_SA '%s' failed", child); diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c index d4c02de6d..ffdc034ea 100644 --- a/src/libcharon/plugins/vici/vici_cred.c +++ b/src/libcharon/plugins/vici/vici_cred.c @@ -294,6 +294,12 @@ static void manage_commands(private_vici_cred_t *this, bool reg) manage_command(this, "load-shared", load_shared, reg); } +METHOD(vici_cred_t, add_cert, certificate_t*, + private_vici_cred_t *this, certificate_t *cert) +{ + return this->creds->get_cert_ref(this->creds, cert); +} + METHOD(vici_cred_t, destroy, void, private_vici_cred_t *this) { @@ -313,6 +319,7 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher) INIT(this, .public = { + .add_cert = _add_cert, .destroy = _destroy, }, .dispatcher = dispatcher, diff --git a/src/libcharon/plugins/vici/vici_cred.h b/src/libcharon/plugins/vici/vici_cred.h index e109a27da..8359c0e88 100644 --- a/src/libcharon/plugins/vici/vici_cred.h +++ b/src/libcharon/plugins/vici/vici_cred.h 
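Review bot: The ownership of the `cert` reference handed to add_cert is not stated anywhere: `this->creds->get_cert_ref(this->creds, cert)` may hand back a cached copy instead of the object passed in, so a caller that keeps using `cert` afterwards can end up with a stale or consumed reference. Whether mem_cred's get_cert_ref takes over the passed reference is not visible here, but the name suggests it does. Suggest making that explicit in the corresponding vici_cred.h comment, e.g. `@param cert certificate to add; the passed reference is taken over, use the returned one`.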
@@ -30,6 +30,14 @@ typedef struct vici_cred_t vici_cred_t; */ struct vici_cred_t { + /** + * Add a certificate to the certificate store + * + * @param cert certificate to be added to store + * @return reference to certificate or cached copy + */ + certificate_t* (*add_cert)(vici_cred_t *this, certificate_t *cert); + /** * Destroy a vici_cred_t. */ diff --git a/src/libcharon/plugins/vici/vici_logger.c b/src/libcharon/plugins/vici/vici_logger.c index cffd65bad..6d3584ebd 100644 --- a/src/libcharon/plugins/vici/vici_logger.c +++ b/src/libcharon/plugins/vici/vici_logger.c @@ -18,6 +18,7 @@ #include #include +#include typedef struct private_vici_logger_t private_vici_logger_t; @@ -41,12 +42,55 @@ struct private_vici_logger_t { */ int recursive; + /** + * List of messages to raise async events + */ + linked_list_t *queue; + /** * Mutex to synchronize logging */ mutex_t *mutex; }; +/** + * Async callback to raise events for queued messages + */ +static job_requeue_t raise_events(private_vici_logger_t *this) +{ + vici_message_t *message; + u_int count; + + this->mutex->lock(this->mutex); + count = this->queue->get_count(this->queue); + this->queue->remove_first(this->queue, (void**)&message); + this->mutex->unlock(this->mutex); + + if (count > 0) + { + this->dispatcher->raise_event(this->dispatcher, "log", 0, message); + } + if (count > 1) + { + return JOB_REQUEUE_DIRECT; + } + return JOB_REQUEUE_NONE; +} + +/** + * Queue a message for async processing + */ +static void queue_messsage(private_vici_logger_t *this, vici_message_t *message) +{ + this->queue->insert_last(this->queue, message); + if (this->queue->get_count(this->queue) == 1) + { + lib->processor->queue_job(lib->processor, (job_t*) + callback_job_create((callback_job_cb_t)raise_events, + this, NULL, NULL)); + } +} + METHOD(logger_t, log_, void, private_vici_logger_t *this, debug_t group, level_t level, int thread, ike_sa_t* ike_sa, const char *msg) 
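Review bot: `queue_messsage` inserts into and counts `this->queue` without taking `this->mutex`, while `raise_events` locks it; the `get_count(...) == 1` test that decides whether to schedule a job is only race-free if every caller already holds the mutex (log_ appears to, since it maintains `this->recursive`, but that lock is outside this hunk). Suggest stating the precondition in the function comment: `/* Queue a message for async processing; caller must hold this->mutex */`. The name also carries a typo (`messsage`) that the call site in log_ repeats, so renaming to `queue_message` now avoids propagating it. If a callback job can still be pending when destroy runs (not visible here), it would dereference freed memory; worth confirming the processor is drained before the plugin is torn down.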
@@ -75,7 +119,7 @@ METHOD(logger_t, log_, void, message = builder->finalize(builder); if (message) { - this->dispatcher->raise_event(this->dispatcher, "log", 0, message); + queue_messsage(this, message); } } this->recursive--; @@ -101,6 +145,7 @@ METHOD(vici_logger_t, destroy, void, private_vici_logger_t *this) { manage_commands(this, FALSE); + this->queue->destroy_offset(this->queue, offsetof(vici_message_t, destroy)); this->mutex->destroy(this->mutex); free(this); } @@ -121,6 +166,7 @@ vici_logger_t *vici_logger_create(vici_dispatcher_t *dispatcher) .destroy = _destroy, }, .dispatcher = dispatcher, + .queue = linked_list_create(), .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), ); diff --git a/src/libcharon/plugins/vici/vici_message.c b/src/libcharon/plugins/vici/vici_message.c index e79fbc8d3..fb6e8a1ab 100644 --- a/src/libcharon/plugins/vici/vici_message.c +++ b/src/libcharon/plugins/vici/vici_message.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * @@ -385,6 +388,41 @@ METHOD(vici_message_t, get_int, int, return val; } +METHOD(vici_message_t, vget_bool, bool, + private_vici_message_t *this, bool def, char *fmt, va_list args) +{ + chunk_t value; + bool found; + char buf[16]; + + found = find_value(this, &value, fmt, args); + if (found) + { + if (value.len == 0) + { + return def; + } + if (chunk_printable(value, NULL, 0)) + { + snprintf(buf, sizeof(buf), "%.*s", (int)value.len, value.ptr); + return settings_value_as_bool(buf, def); + } + } + return def; +} + +METHOD(vici_message_t, get_bool, bool, + private_vici_message_t *this, bool def, char *fmt, ...) +{ + va_list args; + bool val; + + va_start(args, fmt); + val = vget_bool(this, def, fmt, args); + va_end(args); + return val; +} + METHOD(vici_message_t, vget_value, chunk_t, private_vici_message_t *this, chunk_t def, char *fmt, va_list args) { 
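Review bot: In vget_bool the 16-byte `buf` silently truncates longer values, which is harmless only because no recognized boolean token can survive truncation and the value then maps to `def`; that depends on every token settings_value_as_bool accepts being shorter than the buffer, which is not visible here. Suggest a comment above the snprintf: `/* longer values cannot be valid booleans; truncation just yields def */`. A non-printable or empty value is likewise folded into `def`, so a malformed client request is indistinguishable from an absent key; if any caller needs to tell those apart, a DBG-level log in the printable check's else path would help.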
@@ -633,6 +671,8 @@ vici_message_t *vici_message_create_from_data(chunk_t data, bool cleanup) .vget_str = _vget_str, .get_int = _get_int, .vget_int = _vget_int, + .get_bool = _get_bool, + .vget_bool = _vget_bool, .get_value = _get_value, .vget_value = _vget_value, .get_encoding = _get_encoding, diff --git a/src/libcharon/plugins/vici/vici_message.h b/src/libcharon/plugins/vici/vici_message.h index 1a89cf829..d47e7a0f9 100644 --- a/src/libcharon/plugins/vici/vici_message.h +++ b/src/libcharon/plugins/vici/vici_message.h @@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * @@ -15,7 +18,7 @@ /** * @defgroup vici_message vici_message - * @{ @ingroup vici_dispatcher + * @{ @ingroup vici */ #ifndef VICI_MESSAGE_H_ @@ -137,6 +140,26 @@ struct vici_message_t { */ int (*vget_int)(vici_message_t *this, int def, char *fmt, va_list args); + /** + * Get the value of a key/value pair as boolean. + * + * @param def default value if not found + * @param fmt printf style format string for key, with sections + * @param ... arguments to fmt string + * @return value + */ + bool (*get_bool)(vici_message_t *this, bool def, char *fmt, ...); + + /** + * Get the value of a key/value pair as boolean, va_list variant + * + * @param def default value if not found + * @param fmt printf style format string for key, with sections + * @param args arguments to fmt string + * @return value + */ + bool (*vget_bool)(vici_message_t *this, bool def, char *fmt, va_list args); + /** * Get the raw value of a key/value pair. * diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c index 7ae58a317..53ed8cdfb 100644 --- a/src/libcharon/plugins/vici/vici_plugin.c +++ b/src/libcharon/plugins/vici/vici_plugin.c 
@@ -2,6 +2,9 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -42,6 +45,7 @@ #include "vici_cred.h" #include "vici_config.h" #include "vici_attribute.h" +#include "vici_authority.h" #include "vici_logger.h" #include @@ -79,6 +83,11 @@ struct private_vici_plugin_t { */ vici_cred_t *cred; + /** + * Certification Authority backend + */ + vici_authority_t *authority; + /** * Configuration backend */ @@ -119,7 +128,10 @@ static bool register_vici(private_vici_plugin_t *this, this->query = vici_query_create(this->dispatcher); this->control = vici_control_create(this->dispatcher); this->cred = vici_cred_create(this->dispatcher); - this->config = vici_config_create(this->dispatcher); + this->authority = vici_authority_create(this->dispatcher, + this->cred); + lib->credmgr->add_set(lib->credmgr, &this->authority->set); + this->config = vici_config_create(this->dispatcher, this->authority); this->attrs = vici_attribute_create(this->dispatcher); this->logger = vici_logger_create(this->dispatcher); @@ -145,6 +157,8 @@ static bool register_vici(private_vici_plugin_t *this, this->logger->destroy(this->logger); this->attrs->destroy(this->attrs); this->config->destroy(this->config); + lib->credmgr->remove_set(lib->credmgr, &this->authority->set); + this->authority->destroy(this->authority); this->cred->destroy(this->cred); this->control->destroy(this->control); this->query->destroy(this->query); diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index d94d760b9..98d264fca 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c 
@@ -929,7 +929,7 @@ CALLBACK(stats, vici_message_t*, charon->ike_sa_manager->get_count(charon->ike_sa_manager)); b->add_kv(b, "half-open", "%u", charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, - NULL)); + NULL, FALSE)); b->end_section(b); b->begin_list(b, "plugins"); @@ -1031,7 +1031,9 @@ static void manage_commands(private_vici_query_t *this, bool reg) this->dispatcher->manage_event(this->dispatcher, "list-conn", reg); this->dispatcher->manage_event(this->dispatcher, "list-cert", reg); this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg); + this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg); this->dispatcher->manage_event(this->dispatcher, "child-updown", reg); + this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg); manage_command(this, "list-sas", list_sas, reg); manage_command(this, "list-policies", list_policies, reg); manage_command(this, "list-conns", list_conns, reg); @@ -1054,10 +1056,14 @@ METHOD(listener_t, ike_updown, bool, now = time_monotonic(NULL); b = vici_builder_create(); + + if (up) + { + b->add_kv(b, "up", "yes"); + } + b->begin_section(b, ike_sa->get_name(ike_sa)); list_ike(this, b, ike_sa, now); - b->begin_section(b, "child-sas"); - b->end_section(b); b->end_section(b); this->dispatcher->raise_event(this->dispatcher, 
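Review bot: In ike_updown the `up` key is only emitted when `up` is TRUE, so event consumers must treat its absence as a down event, and the same convention is used in child_updown at L101; nothing in the code says so. Suggest a comment above the new `if (up)`: `/* "up" = "yes" is present only for up events; absence means down */`. Dropping the empty `child-sas` section also changes the event shape for existing clients, which is fine but should be noted wherever the event format is described.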
@@ -1066,6 +1072,35 @@ METHOD(listener_t, ike_updown, bool, return TRUE; } +METHOD(listener_t, ike_rekey, bool, + private_vici_query_t *this, ike_sa_t *old, ike_sa_t *new) +{ + vici_builder_t *b; + time_t now; + + if (!this->dispatcher->has_event_listeners(this->dispatcher, "ike-rekey")) + { + return TRUE; + } + + now = time_monotonic(NULL); + + b = vici_builder_create(); + b->begin_section(b, old->get_name(old)); + b->begin_section(b, "old"); + list_ike(this, b, old, now); + b->end_section(b); + b->begin_section(b, "new"); + list_ike(this, b, new, now); + b->end_section(b); + b->end_section(b); + + this->dispatcher->raise_event(this->dispatcher, + "ike-rekey", 0, b->finalize(b)); + + return TRUE; +} + METHOD(listener_t, child_updown, bool, private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up) { @@ -1080,6 +1115,11 @@ METHOD(listener_t, child_updown, bool, now = time_monotonic(NULL); b = vici_builder_create(); + if (up) + { + b->add_kv(b, "up", "yes"); + } + b->begin_section(b, ike_sa->get_name(ike_sa)); list_ike(this, b, ike_sa, now); b->begin_section(b, "child-sas"); 
@@ -1097,6 +1137,45 @@ METHOD(listener_t, child_updown, bool, return TRUE; } +METHOD(listener_t, child_rekey, bool, + private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *old, + child_sa_t *new) +{ + vici_builder_t *b; + time_t now; + + if (!this->dispatcher->has_event_listeners(this->dispatcher, "child-rekey")) + { + return TRUE; + } + + now = time_monotonic(NULL); + b = vici_builder_create(); + + b->begin_section(b, ike_sa->get_name(ike_sa)); + list_ike(this, b, ike_sa, now); + b->begin_section(b, "child-sas"); + + b->begin_section(b, old->get_name(old)); + + b->begin_section(b, "old"); + list_child(this, b, old, now); + b->end_section(b); + b->begin_section(b, "new"); + list_child(this, b, new, now); + b->end_section(b); + + b->end_section(b); + + b->end_section(b); + b->end_section(b); + + this->dispatcher->raise_event(this->dispatcher, + "child-rekey", 0, b->finalize(b)); + + return TRUE; +} + METHOD(vici_query_t, destroy, void, private_vici_query_t *this) { @@ -1115,7 +1194,9 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher) .public = { .listener = { .ike_updown = _ike_updown, + .ike_rekey = _ike_rekey, .child_updown = _child_updown, + .child_rekey = _child_rekey, }, .destroy = _destroy, }, diff --git a/src/libcharon/plugins/whitelist/whitelist_listener.c b/src/libcharon/plugins/whitelist/whitelist_listener.c index d0357b410..7e5b2f4e0 100644 --- a/src/libcharon/plugins/whitelist/whitelist_listener.c +++ b/src/libcharon/plugins/whitelist/whitelist_listener.c @@ -52,7 +52,7 @@ struct private_whitelist_listener_t { */ static u_int hash(identification_t *key) { - return chunk_hash(key->get_encoding(key)); + return key->hash(key, 0); } /** diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c index 17ab83053..5b5fb9d98 100644 --- a/src/libcharon/processing/jobs/initiate_mediation_job.c +++ b/src/libcharon/processing/jobs/initiate_mediation_job.c 
@@ -119,8 +119,8 @@ METHOD(job_t, initiate, job_requeue_t, /* we need an additional reference because initiate consumes one */ mediation_cfg->get_ref(mediation_cfg); - if (charon->controller->initiate(charon->controller, mediation_cfg, - NULL, (controller_cb_t)initiate_callback, this, 0) != SUCCESS) + if (charon->controller->initiate(charon->controller, mediation_cfg, NULL, + (controller_cb_t)initiate_callback, this, 0, FALSE) != SUCCESS) { mediation_cfg->destroy(mediation_cfg); mediated_cfg->destroy(mediated_cfg); diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c index a6795e766..31f048db6 100644 --- a/src/libcharon/processing/jobs/process_message_job.c +++ b/src/libcharon/processing/jobs/process_message_job.c @@ -91,16 +91,26 @@ METHOD(job_t, get_priority, job_priority_t, { case IKE_AUTH: /* IKE auth is rather expensive and often blocking, low priority */ + case AGGRESSIVE: + case ID_PROT: + /* AM is basically IKE_SA_INIT/IKE_AUTH combined (without EAP/XAuth) + * MM is similar, but stretched out more */ return JOB_PRIO_LOW; case INFORMATIONAL: + case INFORMATIONAL_V1: /* INFORMATIONALs are inexpensive, for DPD we should have low * reaction times */ return JOB_PRIO_HIGH; case IKE_SA_INIT: - case CREATE_CHILD_SA: - default: /* IKE_SA_INIT is expensive, but we will drop them in the receiver * if we are overloaded */ + case CREATE_CHILD_SA: + case QUICK_MODE: + /* these may require DH, but if not they are relatively cheap */ + case TRANSACTION: + /* these are mostly cheap, however, if XAuth via RADIUS is used + * they may block */ + default: return JOB_PRIO_MEDIUM; } } diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c index 8f17d39ab..057876b33 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c 
@@ -67,7 +67,10 @@ METHOD(job_t, execute, job_requeue_t, } else { - ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi); + if (ike_sa->get_state(ike_sa) != IKE_PASSIVE) + { + ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi); + } charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } return JOB_REQUEUE_NONE; diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c index 981473b5c..5e88ac230 100644 --- a/src/libcharon/processing/jobs/start_action_job.c +++ b/src/libcharon/processing/jobs/start_action_job.c @@ -61,7 +61,7 @@ METHOD(job_t, execute, job_requeue_t, charon->controller->initiate(charon->controller, peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), - NULL, NULL, 0); + NULL, NULL, 0, FALSE); break; case ACTION_ROUTE: DBG1(DBG_JOB, "start action: route '%s'", name); diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 94cf07c33..73f2ec9d3 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2011 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter @@ -106,6 +106,11 @@ struct private_child_sa_t { */ bool reqid_allocated; + /** + * Is the reqid statically configured + */ + bool static_reqid; + /* * Unique CHILD_SA identifier */ @@ -698,7 +703,7 @@ METHOD(child_sa_t, install, status_t, this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS, &esn, NULL); - if (!this->reqid_allocated && !this->reqid) + if (!this->reqid_allocated && !this->static_reqid) { status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface, my_ts, other_ts, this->mark_in, this->mark_out, 
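Review bot: In rekey_child_sa_job's execute the rekeying is skipped silently when the IKE_SA is `IKE_PASSIVE` and the job still returns `JOB_REQUEUE_NONE`, so the CHILD_SA is left without a pending rekey if that SA later becomes active; whether the HA takeover path re-schedules it is not visible here. Suggest at least a trace inside the new branch, e.g. `DBG2(DBG_JOB, "not rekeying CHILD_SA of passive IKE_SA");`, so a missing rekey can be diagnosed. The enclosing execute starts before the hunk.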
@@ -826,7 +831,7 @@ METHOD(child_sa_t, add_policies, status_t, traffic_selector_t *my_ts, *other_ts; status_t status = SUCCESS; - if (!this->reqid_allocated && !this->reqid) + if (!this->reqid_allocated && !this->static_reqid) { /* trap policy, get or confirm reqid */ status = hydra->kernel_interface->alloc_reqid( @@ -1305,6 +1310,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->reqid = charon->traps->find_reqid(charon->traps, config); } } + else + { + this->static_reqid = TRUE; + } /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */ if (config->get_mode(config) == MODE_TRANSPORT && diff --git a/src/libcharon/sa/eap/eap_method.c b/src/libcharon/sa/eap/eap_method.c index a05e8c59a..9ce6ecf00 100644 --- a/src/libcharon/sa/eap/eap_method.c +++ b/src/libcharon/sa/eap/eap_method.c @@ -30,7 +30,8 @@ bool eap_method_register(plugin_t *plugin, plugin_feature_t *feature, { if (reg) { - charon->eap->add_method(charon->eap, feature->arg.eap, 0, + charon->eap->add_method(charon->eap, feature->arg.eap.type, + feature->arg.eap.vendor, feature->type == FEATURE_EAP_SERVER ? EAP_SERVER : EAP_PEER, (eap_constructor_t)data); } diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 3aafa4c13..dcf9d5f2c 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2014 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -487,8 +487,9 @@ METHOD(ike_sa_t, send_keepalive, void, send_keepalive_job_t *job; time_t last_out, now, diff; - if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0) - { /* disable keep alives if we are not NATed anymore */ + if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0 || + this->state == IKE_PASSIVE) + { /* disable keep alives if we are not NATed anymore, or we are passive */ return; } 
@@ -651,7 +652,7 @@ METHOD(ike_sa_t, get_state, ike_sa_state_t, METHOD(ike_sa_t, set_state, void, private_ike_sa_t *this, ike_sa_state_t state) { - bool trigger_dpd = FALSE; + bool trigger_dpd = FALSE, keepalives = FALSE; DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N", get_name(this), this->unique_id, @@ -722,6 +723,10 @@ METHOD(ike_sa_t, set_state, void, * so yet, so prevent that. */ this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED]; } + if (this->state == IKE_PASSIVE) + { + keepalives = TRUE; + } } break; } @@ -742,6 +747,10 @@ METHOD(ike_sa_t, set_state, void, DBG1(DBG_IKE, "DPD not supported by peer, disabled"); } } + if (keepalives) + { + send_keepalive(this); + } } METHOD(ike_sa_t, reset, void, @@ -1200,6 +1209,19 @@ static void resolve_hosts(private_ike_sa_t *this) break; } + /* if an IP address is set locally, use the same family to resolve remote */ + if (family == AF_UNSPEC && !this->remote_host) + { + if (this->local_host) + { + family = this->local_host->get_family(this->local_host); + } + else + { + family = ike_cfg_get_family(this->ike_cfg, TRUE); + } + } + if (this->remote_host) { host = this->remote_host->clone(this->remote_host); @@ -1211,7 +1233,18 @@ static void resolve_hosts(private_ike_sa_t *this) } if (host) { - set_other_host(this, host); + if (!host->is_anyaddr(host) || + this->other_host->is_anyaddr(this->other_host)) + { /* don't set to %any if we currently have an address, but the + * address family might have changed */ + set_other_host(this, host); + } + else + { /* reuse the original port as some implementations might not like + * initial IKE messages on other ports */ + this->other_host->set_port(this->other_host, host->get_port(host)); + host->destroy(host); + } } if (this->local_host) diff --git a/src/libcharon/sa/ike_sa_id.c b/src/libcharon/sa/ike_sa_id.c index 0f0f1ab63..e52086483 100644 --- a/src/libcharon/sa/ike_sa_id.c +++ b/src/libcharon/sa/ike_sa_id.c 
@@ -18,7 +18,7 @@ #include "ike_sa_id.h" #include - +#include typedef struct private_ike_sa_id_t private_ike_sa_id_t; @@ -90,6 +90,8 @@ METHOD(ike_sa_id_t, equals, bool, return FALSE; } return this->ike_version == other->ike_version && + (this->ike_version == IKEV1_MAJOR_VERSION || + this->is_initiator_flag == other->is_initiator_flag) && this->initiator_spi == other->initiator_spi && this->responder_spi == other->responder_spi; } diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 938f7848f..37d69874d 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2005-2011 Martin Willi * Copyright (C) 2011 revosec AG - * Copyright (C) 2008-2012 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -157,6 +157,8 @@ static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id) } if ((id->get_responder_spi(id) == 0 || entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) && + (id->get_ike_version(id) == IKEV1_MAJOR_VERSION || + id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id)) && id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id)) { /* this is TRUE for IKE_SAs that we initiated but have not yet received a response */ @@ -204,6 +206,9 @@ struct half_open_t { /** the number of half-open IKE_SAs with that host */ u_int count; + + /** the number of half-open IKE_SAs we responded to with that host */ + u_int count_responder; }; /** @@ -358,6 +363,11 @@ struct private_ike_sa_manager_t { */ refcount_t half_open_count; + /** + * Total number of half-open IKE_SAs as responder. + */ + refcount_t half_open_count_responder; + /** * Hash table with connected_peers_t objects. */ 
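Review bot: The rule "IKEv1 ignores the initiator flag, IKEv2 compares it" is now written out twice, in ike_sa_id.c equals and in ike_sa_manager.c entry_match_by_id, and the two must stay in sync or an ID could match in one place and not the other. Suggest exposing it once on ike_sa_id_t (a small helper both sites call) or at least a cross-reference comment at each site: `/* IKEv1 ignores the initiator flag; keep in sync with ike_sa_id_t.equals */`. The first equality test in entry_match_by_id is outside the hunk.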
@@ -383,6 +393,11 @@ struct private_ike_sa_manager_t { */ rng_t *rng; + /** + * Lock to access the RNG instance + */ + rwlock_t *rng_lock; + /** * reuse existing IKE_SAs in checkout_by_config */ @@ -730,9 +745,11 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) table_item_t *item; u_int row, segment; rwlock_t *lock; + ike_sa_id_t *ike_id; half_open_t *half_open; chunk_t addr; + ike_id = entry->ike_sa_id; addr = entry->other->get_address(entry->other); row = chunk_hash(addr) & this->table_mask; segment = row & this->segment_mask; @@ -745,7 +762,6 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) if (chunk_equals(addr, half_open->other)) { - half_open->count++; break; } item = item->next; @@ -755,7 +771,6 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) { INIT(half_open, .other = chunk_clone(addr), - .count = 1, ); INIT(item, .value = half_open, @@ -763,8 +778,14 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) ); this->half_open_table[row] = item; } - this->half_open_segments[segment].count++; + half_open->count++; ref_get(&this->half_open_count); + if (!ike_id->is_initiator(ike_id)) + { + half_open->count_responder++; + ref_get(&this->half_open_count_responder); + } + this->half_open_segments[segment].count++; lock->unlock(lock); } @@ -776,8 +797,10 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry) table_item_t *item, *prev = NULL; u_int row, segment; rwlock_t *lock; + ike_sa_id_t *ike_id; chunk_t addr; + ike_id = entry->ike_sa_id; addr = entry->other->get_address(entry->other); row = chunk_hash(addr) & this->table_mask; segment = row & this->segment_mask; 
@@ -790,6 +813,12 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry) if (chunk_equals(addr, half_open->other)) { + if (!ike_id->is_initiator(ike_id)) + { + half_open->count_responder--; + ignore_result(ref_put(&this->half_open_count_responder)); + } + ignore_result(ref_put(&this->half_open_count)); if (--half_open->count == 0) { if (prev) @@ -804,7 +833,6 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry) free(item); } this->half_open_segments[segment].count--; - ignore_result(ref_put(&this->half_open_count)); break; } prev = item; @@ -943,12 +971,14 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this) { u_int64_t spi; - if (this->rng && - this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) + this->rng_lock->read_lock(this->rng_lock); + if (!this->rng || + !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) { - return spi; + spi = 0; } - return 0; + this->rng_lock->unlock(this->rng_lock); + return spi; } /** @@ -1563,7 +1593,6 @@ METHOD(ike_sa_manager_t, checkin, void, put_half_open(this, entry); } else if (!entry->half_open && - !entry->ike_sa_id->is_initiator(entry->ike_sa_id) && ike_sa->get_state(ike_sa) == IKE_CONNECTING) { /* this is a new half-open SA */ @@ -1579,6 +1608,12 @@ METHOD(ike_sa_manager_t, checkin, void, entry = entry_create(); entry->ike_sa_id = ike_sa_id->clone(ike_sa_id); entry->ike_sa = ike_sa; + if (ike_sa->get_state(ike_sa) == IKE_CONNECTING) + { + entry->half_open = TRUE; + entry->other = other->clone(other); + put_half_open(this, entry); + } segment = put_entry(this, entry); } @@ -1937,7 +1972,7 @@ METHOD(ike_sa_manager_t, get_count, u_int, } METHOD(ike_sa_manager_t, get_half_open_count, u_int, - private_ike_sa_manager_t *this, host_t *ip) + private_ike_sa_manager_t *this, host_t *ip, bool responder_only) { table_item_t *item; u_int row, segment; 
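Review bot: The read lock added to get_spi only guards the `this->rng` pointer against the `flush` path that destroys it under the write lock; it does not serialize concurrent `get_bytes` calls on the same rng_t, which is unchanged from before and relies on the RNG plugin being thread-safe. Suggest a comment at the lock: `/* read lock protects the pointer against flush(), not the RNG itself */`. Returning `0` as the failure sentinel is kept, so callers must treat a zero SPI as an error; those callers are outside the hunk.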
@@ -1959,7 +1994,8 @@ METHOD(ike_sa_manager_t, get_half_open_count, u_int, if (chunk_equals(addr, half_open->other)) { - count = half_open->count; + count = responder_only ? half_open->count_responder + : half_open->count; break; } item = item->next; @@ -1968,7 +2004,8 @@ METHOD(ike_sa_manager_t, get_half_open_count, u_int, } else { - count = (u_int)ref_cur(&this->half_open_count); + count = responder_only ? (u_int)ref_cur(&this->half_open_count_responder) + : (u_int)ref_cur(&this->half_open_count); } return count; } @@ -2055,8 +2092,10 @@ METHOD(ike_sa_manager_t, flush, void, charon->bus->set_sa(charon->bus, NULL); unlock_all_segments(this); + this->rng_lock->write_lock(this->rng_lock); this->rng->destroy(this->rng); this->rng = NULL; + this->rng_lock->unlock(this->rng_lock); } METHOD(ike_sa_manager_t, destroy, void, @@ -2081,6 +2120,7 @@ METHOD(ike_sa_manager_t, destroy, void, free(this->connected_peers_segments); free(this->init_hashes_segments); + this->rng_lock->destroy(this->rng_lock); free(this); } @@ -2138,6 +2178,7 @@ ike_sa_manager_t *ike_sa_manager_create() free(this); return NULL; } + this->rng_lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->ikesa_limit = lib->settings->get_int(lib->settings, "%s.ikesa_limit", 0, lib->ns); diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index f259d8e56..3ea928ea5 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h 
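Review bot: Callers of get_half_open_count that use the value for flooding or cookie thresholds must now pass `responder_only` TRUE, otherwise their own outgoing connection attempts are counted as well; the only visible caller, the vici `stats` command at L100, passes FALSE, which is right only if that statistic is meant to cover both directions. The receiver and init-limit callers are not in view. Suggest extending the parameter documentation in the header: `TRUE to count only SAs we responded to (use this for DoS/cookie decisions)`.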
@@ -216,14 +216,15 @@ struct ike_sa_manager_t { * To prevent the server from resource exhaustion, cookies and other * mechanisms are used. The number of half open IKE_SAs is a good * indicator to see if a peer is flooding the server. - * If a host is supplied, only the number of half open IKE_SAs initiated - * from this IP are counted. - * Only SAs for which we are the responder are counted. + * If a host is supplied, only the number of half open IKE_SAs with this IP + * are counted. * * @param ip NULL for all, IP for half open IKE_SAs with IP + * @param responder_only TRUE to return only the number of responding SAs * @return number of half open IKE_SAs */ - u_int (*get_half_open_count) (ike_sa_manager_t *this, host_t *ip); + u_int (*get_half_open_count)(ike_sa_manager_t *this, host_t *ip, + bool responder_only); /** * Delete all existing IKE_SAs and destroy them immediately. diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index c968b2a9c..b7047e8fc 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -404,7 +404,7 @@ static auth_method_t get_pubkey_method(private_phase1_t *this, auth_cfg_t *auth) id = (identification_t*)auth->get(auth, AUTH_RULE_IDENTITY); if (id) { - private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, NULL); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth); if (private) { switch (private->get_type(private)) diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index ed547c4c2..678f99df1 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2014 Tobias Brunner + * Copyright (C) 2007-2015 Tobias Brunner * Copyright (C) 2007-2011 Martin Willi * Hochschule fuer Technik Rapperswil * 
@@ -900,6 +900,34 @@ static bool process_dpd(private_task_manager_t *this, message_t *message) return TRUE; } +/** + * Check if we already have a quick mode task queued for the exchange with the + * given message ID + */ +static bool have_quick_mode_task(private_task_manager_t *this, u_int32_t mid) +{ + enumerator_t *enumerator; + quick_mode_t *qm; + task_t *task; + bool found = FALSE; + + enumerator = this->passive_tasks->create_enumerator(this->passive_tasks); + while (enumerator->enumerate(enumerator, &task)) + { + if (task->get_type(task) == TASK_QUICK_MODE) + { + qm = (quick_mode_t*)task; + if (qm->get_mid(qm) == mid) + { + found = TRUE; + break; + } + } + } + enumerator->destroy(enumerator); + return found; +} + /** * handle an incoming request message */ @@ -911,6 +939,7 @@ static status_t process_request(private_task_manager_t *this, bool send_response = FALSE, dpd = FALSE; if (message->get_exchange_type(message) == INFORMATIONAL_V1 || + message->get_exchange_type(message) == QUICK_MODE || this->passive_tasks->get_count(this->passive_tasks) == 0) { /* create tasks depending on request type, if not already some queued */ switch (message->get_exchange_type(message)) @@ -946,6 +975,10 @@ static status_t process_request(private_task_manager_t *this, "unestablished IKE_SA, ignored"); return FAILED; } + if (have_quick_mode_task(this, message->get_message_id(message))) + { + break; + } task = (task_t *)quick_mode_create(this->ike_sa, NULL, NULL, NULL); this->passive_tasks->insert_last(this->passive_tasks, task); diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 96edfd8d8..d6a3f2cd1 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * * Copyright (C) 2011 Martin Willi 
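Review bot: There is no upper bound on the passive quick_mode tasks process_request now creates: since QUICK_MODE is handled even while passive tasks are pending, every QUICK_MODE message with a message ID not yet seen appends another task to `passive_tasks`. The sender is authenticated (the `unestablished IKE_SA, ignored` check precedes this), so this is a misbehaving-peer concern rather than an anonymous one, but a cap or at least a DBG1 when the passive task count grows unusually would make it observable. `have_quick_mode_task` walks `passive_tasks` linearly, which is fine for the expected handful of tasks. process_request continues past the hunk.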
@@ -185,6 +185,11 @@ struct private_quick_mode_t { */ bool udp; + /** + * Message ID of handled quick mode exchange + */ + u_int32_t mid; + /** states of quick mode */ enum { QM_INIT, @@ -1019,6 +1024,11 @@ static void check_for_rekeyed_child(private_quick_mode_t *this) METHOD(task_t, process_r, status_t, private_quick_mode_t *this, message_t *message) { + if (this->mid && this->mid != message->get_message_id(message)) + { /* not responsible for this quick mode exchange */ + return NEED_MORE; + } + switch (this->state) { case QM_INIT: @@ -1188,6 +1198,11 @@ METHOD(task_t, process_r, status_t, METHOD(task_t, build_r, status_t, private_quick_mode_t *this, message_t *message) { + if (this->mid && this->mid != message->get_message_id(message)) + { /* not responsible for this quick mode exchange */ + return NEED_MORE; + } + switch (this->state) { case QM_INIT: @@ -1242,6 +1257,7 @@ METHOD(task_t, build_r, status_t, add_ts(this, message); this->state = QM_NEGOTIATED; + this->mid = message->get_message_id(message); return NEED_MORE; } case QM_NEGOTIATED: @@ -1335,6 +1351,12 @@ METHOD(task_t, get_type, task_type_t, return TASK_QUICK_MODE; } +METHOD(quick_mode_t, get_mid, u_int32_t, + private_quick_mode_t *this) +{ + return this->mid; +} + METHOD(quick_mode_t, use_reqid, void, private_quick_mode_t *this, u_int32_t reqid) { @@ -1368,6 +1390,7 @@ METHOD(task_t, migrate, void, this->ike_sa = ike_sa; this->keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa); this->state = QM_INIT; + this->mid = 0; this->tsi = NULL; this->tsr = NULL; this->proposal = NULL; @@ -1414,6 +1437,7 @@ quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config, .migrate = _migrate, .destroy = _destroy, }, + .get_mid = _get_mid, .use_reqid = _use_reqid, .use_marks = _use_marks, .rekey = _rekey, diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h index ee9b64d13..062d63465 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.h 
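Review bot: The guard `if (this->mid && this->mid != message->get_message_id(message))` in process_r and build_r uses message ID 0 as the "not assigned" sentinel, so a task that negotiated an exchange whose message ID is 0 would keep accepting every quick mode message; if zero phase 2 message IDs are rejected before dispatch elsewhere, state that next to the field (`/* 0 = not assigned; QM messages with mid 0 are never dispatched to this task */`), otherwise a separate assigned flag is safer. The two identical guards would read better as one helper, e.g. `static bool is_our_exchange(private_quick_mode_t *this, message_t *message)`. Since `this->mid` is only recorded in build_r after QM_INIT (hunk at -1242), a task whose first response build fails stays unassigned; presumably it is removed in that case, but worth confirming.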
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h @@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2011 Martin Willi * Copyright (C) 2011 revosec AG * @@ -37,6 +40,14 @@ struct quick_mode_t { */ task_t task; + /** + * Get the message ID of the quick mode exchange handled by this task as + * responder. + * + * @return message ID, or 0 (not defined yet or as initiator) + */ + u_int32_t (*get_mid)(quick_mode_t *this); + /** * Use a specific reqid to install this CHILD_SA. * diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c index f1442096c..91f6187f9 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c @@ -448,6 +448,8 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, identification_t *other_id; auth_cfg_t *auth; keymat_v2_t *keymat; + eap_type_t type; + u_int32_t vendor; auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH); @@ -478,6 +480,13 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, this->auth_complete = TRUE; auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); + + type = this->method->get_type(this->method, &vendor); + auth->add(auth, AUTH_RULE_EAP_TYPE, type); + if (vendor) + { + auth->add(auth, AUTH_RULE_EAP_VENDOR, vendor); + } return TRUE; } diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 151b49718..2284a484d 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c 
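Review bot: The new AUTH_RULE_EAP_TYPE/AUTH_RULE_EAP_VENDOR entries in verify_auth are added without saying why, and the motivation is what a reader needs; suggest `/* record the EAP method actually used so configured eap-<type> constraints are checked against it, not only against AUTH_CLASS_EAP */` above `type = this->method->get_type(this->method, &vendor);` (assuming that is the purpose — confirm). `this->method` is dereferenced unconditionally there; if verify_auth can be reached with no method selected, guard it. verify_auth starts outside the hunk.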
@@ -321,7 +321,7 @@ METHOD(authenticator_t, build, status_t, chunk_t auth_data; status_t status; auth_payload_t *auth_payload; - auth_method_t auth_method; + auth_method_t auth_method = AUTH_NONE; id = this->ike_sa->get_my_id(this->ike_sa); auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index 6fedc8eb5..fce0840e3 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -112,6 +112,7 @@ static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg, case ENCR_AES_GCM_ICV12: case ENCR_AES_GCM_ICV16: /* RFC 4106 */ + case ENCR_CHACHA20_POLY1305: salt_size = 4; break; case ENCR_AES_CCM_ICV8: @@ -527,6 +528,7 @@ METHOD(keymat_v2_t, derive_child_keys, bool, case ENCR_AES_GCM_ICV16: case ENCR_AES_CTR: case ENCR_NULL_AUTH_AES_GMAC: + case ENCR_CHACHA20_POLY1305: enc_size += 4; break; default: diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index e0f930c3c..e08f3dab1 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -144,6 +144,11 @@ struct private_child_create_t { */ ipcomp_transform_t ipcomp_received; + /** + * IPsec protocol + */ + protocol_id_t proto; + /** * Own allocated SPI */ 
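Review bot: The new `case ENCR_CHACHA20_POLY1305:` lines in derive_ike_aead and derive_child_keys carry no reference, unlike the adjacent `/* RFC 4106 */` for AES-GCM; the 4-octet salt comes from RFC 7634 (ChaCha20-Poly1305 for IKEv2 and ESP), so `case ENCR_CHACHA20_POLY1305: /* RFC 7634 */` keeps both switches self-documenting. Both functions continue outside the hunk.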
@@ -260,23 +265,23 @@ static bool allocate_spi(private_child_create_t *this) { enumerator_t *enumerator; proposal_t *proposal; - protocol_id_t proto = PROTO_ESP; if (this->initiator) { + this->proto = PROTO_ESP; /* we just get a SPI for the first protocol. TODO: If we ever support * proposal lists with mixed protocols, we'd need multiple SPIs */ if (this->proposals->get_first(this->proposals, (void**)&proposal) == SUCCESS) { - proto = proposal->get_protocol(proposal); + this->proto = proposal->get_protocol(proposal); } } else { - proto = this->proposal->get_protocol(this->proposal); + this->proto = this->proposal->get_protocol(this->proposal); } - this->my_spi = this->child_sa->alloc_spi(this->child_sa, proto); + this->my_spi = this->child_sa->alloc_spi(this->child_sa, this->proto); if (this->my_spi) { if (this->initiator) @@ -1352,20 +1357,16 @@ METHOD(task_t, build_i_delete, status_t, private_child_create_t *this, message_t *message) { message->set_exchange_type(message, INFORMATIONAL); - if (this->child_sa && this->proposal) + if (this->my_spi && this->proto) { - protocol_id_t proto; delete_payload_t *del; - u_int32_t spi; - proto = this->proposal->get_protocol(this->proposal); - spi = this->child_sa->get_spi(this->child_sa, TRUE); - del = delete_payload_create(PLV2_DELETE, proto); - del->add_spi(del, spi); + del = delete_payload_create(PLV2_DELETE, this->proto); + del->add_spi(del, this->my_spi); message->add_payload(message, (payload_t*)del); DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x", - protocol_id_names, proto, ntohl(spi)); + protocol_id_names, this->proto, ntohl(this->my_spi)); } return NEED_MORE; } 
@@ -1375,9 +1376,13 @@ METHOD(task_t, build_i_delete, status_t, */ static status_t delete_failed_sa(private_child_create_t *this) { - this->public.task.build = _build_i_delete; - this->public.task.process = (void*)return_success; - return NEED_MORE; + if (this->my_spi && this->proto) + { + this->public.task.build = _build_i_delete; + this->public.task.process = (void*)return_success; + return NEED_MORE; + } + return SUCCESS; } METHOD(task_t, process_i, status_t, @@ -1596,6 +1601,7 @@ METHOD(task_t, migrate, void, this->tsi = NULL; this->tsr = NULL; this->dh = NULL; + this->nonceg = NULL; this->child_sa = NULL; this->mode = MODE_TUNNEL; this->ipcomp = IPCOMP_NONE; diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c index c806e19ca..c7a8a1342 100644 --- a/src/libcharon/sa/ikev2/tasks/child_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c @@ -170,13 +170,8 @@ METHOD(task_t, build_i, status_t, } config = this->child_sa->get_config(this->child_sa); - /* we just need the rekey notify ... */ - notify = notify_payload_create_from_protocol_and_type(PLV2_NOTIFY, - this->protocol, REKEY_SA); - notify->set_spi(notify, this->spi); - message->add_payload(message, (payload_t*)notify); - /* ... our CHILD_CREATE task does the hard work for us. */ + /* our CHILD_CREATE task does the hard work for us */ if (!this->child_create) { this->child_create = child_create_create(this->ike_sa, @@ -194,6 +189,14 @@ METHOD(task_t, build_i, status_t, schedule_delayed_rekey(this); return FAILED; } + if (message->get_exchange_type(message) == CREATE_CHILD_SA) + { + /* don't add the notify if the CHILD_CREATE task changed the exchange */ + notify = notify_payload_create_from_protocol_and_type(PLV2_NOTIFY, + this->protocol, REKEY_SA); + notify->set_spi(notify, this->spi); + message->add_payload(message, (payload_t*)notify); + } this->child_sa->set_state(this->child_sa, CHILD_REKEYING); return NEED_MORE; 
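Review bot: delete_failed_sa and build_i_delete now key on `this->my_spi && this->proto`, but the migrate hunk below only shows dh/nonceg/child_sa being reset; unless migrate also zeroes these two fields outside the visible part, a task migrated to a new IKE_SA after a failure could send a DELETE for an SPI that was already released, so add `this->my_spi = 0; this->proto = PROTO_NONE;` there if they are missing. A short comment on the condition would also help, e.g. `/* only delete a CHILD_SA whose SPI we actually allocated */`. Both functions extend outside the hunk.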
@@ -334,8 +337,7 @@ METHOD(task_t, process_i, status_t, if (this->child_create->task.process(&this->child_create->task, message) == NEED_MORE) { - /* bad DH group while rekeying, try again */ - this->child_create->task.migrate(&this->child_create->task, this->ike_sa); + /* bad DH group while rekeying, retry, or failure requiring deletion */ return NEED_MORE; } if (message->get_payload(message, PLV2_SECURITY_ASSOCIATION) == NULL) diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c index 1855517ce..eaba04e3a 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c @@ -116,7 +116,6 @@ static void establish_new(private_ike_rekey_t *this) lib->processor->queue_job(lib->processor, job); } this->new_sa = NULL; - /* set threads active IKE_SA after checkin */ charon->bus->set_sa(charon->bus, this->ike_sa); } } @@ -229,9 +228,10 @@ METHOD(task_t, build_r, status_t, if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED) { + charon->bus->set_sa(charon->bus, this->ike_sa); return SUCCESS; } - + charon->bus->set_sa(charon->bus, this->ike_sa); this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); /* rekeying successful, delete the IKE_SA using a subtask */ @@ -335,15 +335,13 @@ METHOD(task_t, process_i, status_t, { charon->ike_sa_manager->checkin( charon->ike_sa_manager, this->new_sa); - /* set threads active IKE_SA after checkin */ - charon->bus->set_sa(charon->bus, this->ike_sa); } + charon->bus->set_sa(charon->bus, this->ike_sa); this->new_sa = NULL; establish_new(other); return SUCCESS; } } - /* set threads active IKE_SA after checkin */ charon->bus->set_sa(charon->bus, this->ike_sa); } 
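Review bot: In ike_rekey.c build_r the `charon->bus->set_sa(charon->bus, this->ike_sa);` call is now duplicated on both sides of the FAILED check; storing the build result in a local status_t lets it be restored once: `status = this->ike_init->task.build(&this->ike_init->task, message);` / `charon->bus->set_sa(charon->bus, this->ike_sa);` / `if (status == FAILED) { return SUCCESS; }`. A comment saying why the bus SA must be restored here (the sub-task's build presumably switches it to the new SA) would replace the `/* set threads active IKE_SA after checkin */` comments this commit removes. build_r continues outside the hunk.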
@@ -372,9 +370,13 @@ METHOD(ike_rekey_t, collide, void, this->collision = other; } -METHOD(task_t, migrate, void, - private_ike_rekey_t *this, ike_sa_t *ike_sa) +/** + * Cleanup the task + */ +static void cleanup(private_ike_rekey_t *this) { + ike_sa_t *cur_sa; + if (this->ike_init) { this->ike_init->task.destroy(&this->ike_init->task); @@ -383,9 +385,16 @@ METHOD(task_t, migrate, void, { this->ike_delete->task.destroy(&this->ike_delete->task); } + cur_sa = charon->bus->get_sa(charon->bus); DESTROY_IF(this->new_sa); + charon->bus->set_sa(charon->bus, cur_sa); DESTROY_IF(this->collision); +} +METHOD(task_t, migrate, void, + private_ike_rekey_t *this, ike_sa_t *ike_sa) +{ + cleanup(this); this->collision = NULL; this->ike_sa = ike_sa; this->new_sa = NULL; @@ -396,16 +405,7 @@ METHOD(task_t, migrate, void, METHOD(task_t, destroy, void, private_ike_rekey_t *this) { - if (this->ike_init) - { - this->ike_init->task.destroy(&this->ike_init->task); - } - if (this->ike_delete) - { - this->ike_delete->task.destroy(&this->ike_delete->task); - } - DESTROY_IF(this->new_sa); - DESTROY_IF(this->collision); + cleanup(this); free(this); } diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c index 73e1abbf3..1a984435c 100644 --- a/src/libcharon/sa/shunt_manager.c +++ b/src/libcharon/sa/shunt_manager.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2011 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -18,8 +19,10 @@ #include #include #include +#include #include +#define INSTALL_DISABLED ((u_int)~0) typedef struct private_shunt_manager_t private_shunt_manager_t; 
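Review bot: In cleanup() the save/restore of the bus SA around `DESTROY_IF(this->new_sa)` is the non-obvious part and has no comment; presumably destroying the new IKE_SA resets the bus's current SA and the thread must not be left pointing at nothing, so `/* destroying new_sa clears the bus SA; restore it so the caller's IKE_SA stays current */` above `cur_sa = charon->bus->get_sa(charon->bus);` would record that (confirm it is the actual reason). `DESTROY_IF(this->collision)` runs after the restore; if destroying a collision SA resets the bus the same way, the restore is undone, so move that line inside the saved window too.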
@@ -37,6 +40,21 @@ struct private_shunt_manager_t { * Installed shunts, as child_cfg_t */ linked_list_t *shunts; + + /** + * Lock to safely access the list of shunts + */ + rwlock_t *lock; + + /** + * Number of threads currently installing shunts, or INSTALL_DISABLED + */ + u_int installing; + + /** + * Condvar to signal shunt installation + */ + rwlock_condvar_t *condvar; }; /** @@ -117,9 +135,15 @@ METHOD(shunt_manager_t, install, bool, { enumerator_t *enumerator; child_cfg_t *child_cfg; - bool found = FALSE; + bool found = FALSE, success; /* check if not already installed */ + this->lock->write_lock(this->lock); + if (this->installing == INSTALL_DISABLED) + { /* flush() has been called */ + this->lock->unlock(this->lock); + return FALSE; + } enumerator = this->shunts->create_enumerator(this->shunts); while (enumerator->enumerate(enumerator, &child_cfg)) { @@ -130,16 +154,29 @@ METHOD(shunt_manager_t, install, bool, } } enumerator->destroy(enumerator); - if (found) { DBG1(DBG_CFG, "shunt %N policy '%s' already installed", ipsec_mode_names, child->get_mode(child), child->get_name(child)); + this->lock->unlock(this->lock); return TRUE; } this->shunts->insert_last(this->shunts, child->get_ref(child)); + this->installing++; + this->lock->unlock(this->lock); - return install_shunt_policy(child); + success = install_shunt_policy(child); + + this->lock->write_lock(this->lock); + if (!success) + { + this->shunts->remove(this->shunts, child, NULL); + child->destroy(child); + } + this->installing--; + this->condvar->signal(this->condvar); + this->lock->unlock(this->lock); + return success; } /** @@ -215,6 +252,7 @@ METHOD(shunt_manager_t, uninstall, bool, enumerator_t *enumerator; child_cfg_t *child, *found = NULL; + this->lock->write_lock(this->lock); enumerator = this->shunts->create_enumerator(this->shunts); while (enumerator->enumerate(enumerator, &child)) { 
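Review bot: `this->condvar->signal(this->condvar)` at the end of install wakes a single waiter, while flush() in the next hunk loops on `while (this->installing)`; if two threads can call flush() concurrently, the second waiter may not be woken when `installing` reaches 0 and blocks until some later install completes, so prefer `this->condvar->broadcast(this->condvar)` unless a single flusher is guaranteed (a comment stating that guarantee would also do). The same signal/wait pair appears in trap_manager.c install and flush below. On the failure path the entry is removed with `this->shunts->remove(this->shunts, child, NULL)` and the ref from `child->get_ref(child)` dropped, which looks right. install() starts outside the hunk.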
@@ -226,6 +264,7 @@ METHOD(shunt_manager_t, uninstall, bool, } } enumerator->destroy(enumerator); + this->lock->unlock(this->lock); if (!found) { @@ -239,20 +278,37 @@ METHOD(shunt_manager_t, uninstall, bool, METHOD(shunt_manager_t, create_enumerator, enumerator_t*, private_shunt_manager_t *this) { - return this->shunts->create_enumerator(this->shunts); + this->lock->read_lock(this->lock); + return enumerator_create_cleaner( + this->shunts->create_enumerator(this->shunts), + (void*)this->lock->unlock, this->lock); } -METHOD(shunt_manager_t, destroy, void, +METHOD(shunt_manager_t, flush, void, private_shunt_manager_t *this) { child_cfg_t *child; + this->lock->write_lock(this->lock); + while (this->installing) + { + this->condvar->wait(this->condvar, this->lock); + } while (this->shunts->remove_last(this->shunts, (void**)&child) == SUCCESS) { uninstall_shunt_policy(child); child->destroy(child); } - this->shunts->destroy(this->shunts); + this->installing = INSTALL_DISABLED; + this->lock->unlock(this->lock); +} + +METHOD(shunt_manager_t, destroy, void, + private_shunt_manager_t *this) +{ + this->shunts->destroy_offset(this->shunts, offsetof(child_cfg_t, destroy)); + this->lock->destroy(this->lock); + this->condvar->destroy(this->condvar); free(this); } @@ -268,9 +324,12 @@ shunt_manager_t *shunt_manager_create() .install = _install, .uninstall = _uninstall, .create_enumerator = _create_enumerator, + .flush = _flush, .destroy = _destroy, }, .shunts = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .condvar = rwlock_condvar_create(), ); return &this->public; diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h index 28a795dc9..c43f5db3d 100644 --- a/src/libcharon/sa/shunt_manager.h +++ b/src/libcharon/sa/shunt_manager.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2011 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * 
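Review bot: destroy() no longer removes the kernel policies — the old body's `uninstall_shunt_policy(child)` loop now lives only in flush() — so a destroy() without a preceding flush() leaves shunt policies installed; if the daemon guarantees flush() runs first, say so on destroy() (`/* policies must already have been removed via flush() */`), otherwise call `flush(this)` from destroy(). create_enumerator now holds the read lock until the enumerator is destroyed, so a caller that invokes install(), uninstall() or flush() while iterating deadlocks on the rwlock — worth a sentence in shunt_manager.h. uninstall's body extends outside the hunk.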
@@ -55,6 +56,11 @@ struct shunt_manager_t { */ enumerator_t* (*create_enumerator)(shunt_manager_t *this); + /** + * Clear any installed shunt. + */ + void (*flush)(shunt_manager_t *this); + /** * Destroy a shunt_manager_t. */ diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index d6ff3c8c5..63505c960 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Tobias Brunner + * Copyright (C) 2011-2015 Tobias Brunner * Copyright (C) 2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -18,9 +18,12 @@ #include #include +#include #include +#include #include +#define INSTALL_DISABLED ((u_int)~0) typedef struct private_trap_manager_t private_trap_manager_t; typedef struct trap_listener_t trap_listener_t; @@ -66,6 +69,26 @@ struct private_trap_manager_t { */ trap_listener_t listener; + /** + * list of acquires we currently handle + */ + linked_list_t *acquires; + + /** + * mutex for list of acquires + */ + mutex_t *mutex; + + /** + * number of threads currently installing trap policies, or INSTALL_DISABLED + */ + u_int installing; + + /** + * condvar to signal trap policy installation + */ + rwlock_condvar_t *condvar; + /** * Whether to ignore traffic selectors from acquires */ 
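Review bot: The flush() doc `Clear any installed shunt.` omits the side effect visible in shunt_manager.c: after flush() the manager refuses further installs (`installing == INSTALL_DISABLED` makes install() return FALSE), and flush() blocks until in-progress installs finish. Suggest: `Uninstall all shunts, waiting for pending installs to finish; afterwards install() fails.`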
@@ -80,23 +103,58 @@ typedef struct { char *name; /** ref to peer_cfg to initiate */ peer_cfg_t *peer_cfg; - /** ref to instanciated CHILD_SA */ + /** ref to instantiated CHILD_SA (i.e the trap policy) */ child_sa_t *child_sa; - /** TRUE if an acquire is pending */ - bool pending; + /** TRUE in case of wildcard Transport Mode SA */ + bool wildcard; +} entry_t; + +/** + * A handled acquire + */ +typedef struct { /** pending IKE_SA connecting upon acquire */ ike_sa_t *ike_sa; -} entry_t; + /** reqid of pending trap policy */ + u_int32_t reqid; + /** destination address (wildcard case) */ + host_t *dst; +} acquire_t; /** * actually uninstall and destroy an installed entry */ -static void destroy_entry(entry_t *entry) +static void destroy_entry(entry_t *this) +{ + this->child_sa->destroy(this->child_sa); + this->peer_cfg->destroy(this->peer_cfg); + free(this->name); + free(this); +} + +/** + * destroy a cached acquire entry + */ +static void destroy_acquire(acquire_t *this) { - entry->child_sa->destroy(entry->child_sa); - entry->peer_cfg->destroy(entry->peer_cfg); - free(entry->name); - free(entry); + DESTROY_IF(this->dst); + free(this); +} + +/** + * match an acquire entry by reqid + */ +static bool acquire_by_reqid(acquire_t *this, u_int32_t *reqid) +{ + return this->reqid == *reqid; +} + +/** + * match an acquire entry by destination address + */ +static bool acquire_by_dst(acquire_t *this, host_t *dst) +{ + return this->dst && this->dst->ip_equals(this->dst, dst); } METHOD(trap_manager_t, install, u_int32_t, 
@@ -113,32 +171,49 @@ METHOD(trap_manager_t, install, u_int32_t, linked_list_t *proposals; proposal_t *proposal; protocol_id_t proto = PROTO_ESP; + bool wildcard = FALSE; /* try to resolve addresses */ ike_cfg = peer->get_ike_cfg(peer); other = ike_cfg->resolve_other(ike_cfg, AF_UNSPEC); - if (!other || other->is_anyaddr(other)) + if (other && other->is_anyaddr(other) && + child->get_mode(child) == MODE_TRANSPORT) + { + /* allow wildcard for Transport Mode SAs */ + me = host_create_any(other->get_family(other)); + wildcard = TRUE; + } + else if (!other || other->is_anyaddr(other)) { DESTROY_IF(other); DBG1(DBG_CFG, "installing trap failed, remote address unknown"); return 0; } - me = ike_cfg->resolve_me(ike_cfg, other->get_family(other)); - if (!me || me->is_anyaddr(me)) + else { - DESTROY_IF(me); - me = hydra->kernel_interface->get_source_addr( - hydra->kernel_interface, other, NULL); - if (!me) + me = ike_cfg->resolve_me(ike_cfg, other->get_family(other)); + if (!me || me->is_anyaddr(me)) { - DBG1(DBG_CFG, "installing trap failed, local address unknown"); - other->destroy(other); - return 0; + DESTROY_IF(me); + me = hydra->kernel_interface->get_source_addr( + hydra->kernel_interface, other, NULL); + if (!me) + { + DBG1(DBG_CFG, "installing trap failed, local address unknown"); + other->destroy(other); + return 0; + } + me->set_port(me, ike_cfg->get_my_port(ike_cfg)); } - me->set_port(me, ike_cfg->get_my_port(ike_cfg)); } this->lock->write_lock(this->lock); + if (this->installing == INSTALL_DISABLED) + { /* flush() has been called */ + this->lock->unlock(this->lock); + me->destroy(me); + return 0; + } enumerator = this->traps->create_enumerator(this->traps); while (enumerator->enumerate(enumerator, &entry)) { @@ -160,6 +235,7 @@ METHOD(trap_manager_t, install, u_int32_t, { DBG1(DBG_CFG, "CHILD_SA '%s' is already being routed", found->name); this->lock->unlock(this->lock); + me->destroy(me); return 0; } /* config might have changed so update everything */ 
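Review bot: Both early returns in install that now destroy `me` — the `INSTALL_DISABLED` check and the "already being routed" branch — still return without destroying `other`, which `resolve_other` allocated a few lines above; unless `other` is consumed somewhere before these points (not visible here), add `other->destroy(other);` next to each `me->destroy(me);`. In the wildcard branch `me` comes from `host_create_any(other->get_family(other))` with no port, whereas the non-wildcard branch sets the configured IKE port on it; confirm nothing downstream relies on the port. install() continues outside the hunk.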
@@ -170,8 +246,10 @@ METHOD(trap_manager_t, install, u_int32_t, INIT(entry, .name = strdup(child->get_name(child)), .peer_cfg = peer->get_ref(peer), + .wildcard = wildcard, ); this->traps->insert_first(this->traps, entry); + this->installing++; /* don't hold lock while creating CHILD_SA and installing policies */ this->lock->unlock(this->lock); @@ -220,6 +298,11 @@ METHOD(trap_manager_t, install, u_int32_t, { destroy_entry(found); } + this->lock->write_lock(this->lock); + /* do this at the end, so entries created temporarily are also destroyed */ + this->installing--; + this->condvar->signal(this->condvar); + this->lock->unlock(this->lock); return reqid; } @@ -314,9 +397,12 @@ METHOD(trap_manager_t, acquire, void, { enumerator_t *enumerator; entry_t *entry, *found = NULL; + acquire_t *acquire; peer_cfg_t *peer; child_cfg_t *child; ike_sa_t *ike_sa; + host_t *host; + bool wildcard, ignore = FALSE; this->lock->read_lock(this->lock); enumerator = this->traps->create_enumerator(this->traps); 
@@ -333,11 +419,52 @@ METHOD(trap_manager_t, acquire, void, if (!found) { - DBG1(DBG_CFG, "trap not found, unable to acquire reqid %d",reqid); + DBG1(DBG_CFG, "trap not found, unable to acquire reqid %d", reqid); this->lock->unlock(this->lock); return; } - if (!cas_bool(&found->pending, FALSE, TRUE)) + reqid = found->child_sa->get_reqid(found->child_sa); + wildcard = found->wildcard; + + this->mutex->lock(this->mutex); + if (wildcard) + { /* for wildcard acquires we check that we don't have a pending acquire + * with the same peer */ + u_int8_t mask; + + dst->to_subnet(dst, &host, &mask); + if (this->acquires->find_first(this->acquires, (void*)acquire_by_dst, + (void**)&acquire, host) == SUCCESS) + { + host->destroy(host); + ignore = TRUE; + } + else + { + INIT(acquire, + .dst = host, + .reqid = reqid, + ); + this->acquires->insert_last(this->acquires, acquire); + } + } + else + { + if (this->acquires->find_first(this->acquires, (void*)acquire_by_reqid, + (void**)&acquire, &reqid) == SUCCESS) + { + ignore = TRUE; + } + else + { + INIT(acquire, + .reqid = reqid, + ); + this->acquires->insert_last(this->acquires, acquire); + } + } + this->mutex->unlock(this->mutex); + if (ignore) { DBG1(DBG_CFG, "ignoring acquire, connection attempt pending"); this->lock->unlock(this->lock); 
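Review bot: acquire() takes `this->mutex` while still holding `this->lock` for reading, which fixes a lock order (rwlock before mutex) every other path must respect — complete() takes only the mutex and flush() only the write lock, so it holds today, but nothing records it; extend the `mutex` field comment in the struct to `/* mutex for list of acquires; always taken after this->lock, never the reverse */`. In the wildcard branch the `host` from `dst->to_subnet()` is destroyed when a pending acquire is found and otherwise owned by the new acquire_t, which destroy_acquire() frees, so ownership is consistent. acquire() continues outside the hunk.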
@@ -346,12 +473,40 @@ METHOD(trap_manager_t, acquire, void, peer = found->peer_cfg->get_ref(found->peer_cfg); child = found->child_sa->get_config(found->child_sa); child = child->get_ref(child); - reqid = found->child_sa->get_reqid(found->child_sa); /* don't hold the lock while checking out the IKE_SA */ this->lock->unlock(this->lock); - ike_sa = charon->ike_sa_manager->checkout_by_config( + if (wildcard) + { /* the peer config would match IKE_SAs with other peers */ + ike_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, + peer->get_ike_version(peer), TRUE); + if (ike_sa) + { + ike_cfg_t *ike_cfg; + u_int16_t port; + u_int8_t mask; + + ike_sa->set_peer_cfg(ike_sa, peer); + ike_cfg = ike_sa->get_ike_cfg(ike_sa); + + port = ike_cfg->get_other_port(ike_cfg); + dst->to_subnet(dst, &host, &mask); + host->set_port(host, port); + ike_sa->set_other_host(ike_sa, host); + + port = ike_cfg->get_my_port(ike_cfg); + src->to_subnet(src, &host, &mask); + host->set_port(host, port); + ike_sa->set_my_host(ike_sa, host); + + charon->bus->set_sa(charon->bus, ike_sa); + } + } + else + { + ike_sa = charon->ike_sa_manager->checkout_by_config( charon->ike_sa_manager, peer); + } if (ike_sa) { if (ike_sa->get_peer_cfg(ike_sa) == NULL) 
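Review bot: For wildcard traps acquire() always calls `checkout_new` and builds a fresh IKE_SA, so an acquire for a peer that already has an established IKE_SA from an earlier wildcard acquire starts a second IKE_SA instead of adding a CHILD_SA to the existing one; the pending-acquire dedup in the previous hunk only covers acquires still in flight. If that is intended, a comment on the `if (wildcard)` branch should say so; otherwise look up an existing IKE_SA by `dst` before creating one. acquire() continues outside the hunk.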
@@ -363,24 +518,29 @@ METHOD(trap_manager_t, acquire, void, * have a single TS that we can establish in a Quick Mode. */ src = dst = NULL; } + + this->mutex->lock(this->mutex); + acquire->ike_sa = ike_sa; + this->mutex->unlock(this->mutex); + if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME) { - /* make sure the entry is still there */ - this->lock->read_lock(this->lock); - if (this->traps->find_first(this->traps, NULL, - (void**)&found) == SUCCESS) - { - found->ike_sa = ike_sa; - } - this->lock->unlock(this->lock); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } else { - ike_sa->destroy(ike_sa); - charon->bus->set_sa(charon->bus, NULL); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); } } + else + { + this->mutex->lock(this->mutex); + this->acquires->remove(this->acquires, acquire, NULL); + this->mutex->unlock(this->mutex); + destroy_acquire(acquire); + child->destroy(child); + } peer->destroy(peer); } 
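Review bot: On the DESTROY_ME path `checkin_and_destroy` is called but the acquire_t stays in `this->acquires`, unlike the `else` branch below which removes and frees it; this relies on the destroy triggering the listener so that complete() drops the entry, and if that does not happen for an IKE_SA that failed inside initiate(), the entry keeps matching in acquire_by_reqid/acquire_by_dst and every later acquire for that trap is ignored with "connection attempt pending". Either remove the entry here as the `else` branch does, or add a comment naming the listener callback that is relied on. acquire() starts outside the hunk.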
@@ -391,26 +551,33 @@ static void complete(private_trap_manager_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa) { enumerator_t *enumerator; - entry_t *entry; + acquire_t *acquire; - this->lock->read_lock(this->lock); - enumerator = this->traps->create_enumerator(this->traps); - while (enumerator->enumerate(enumerator, &entry)) + this->mutex->lock(this->mutex); + enumerator = this->acquires->create_enumerator(this->acquires); + while (enumerator->enumerate(enumerator, &acquire)) { - if (entry->ike_sa != ike_sa) + if (!acquire->ike_sa || acquire->ike_sa != ike_sa) { continue; } - if (child_sa && child_sa->get_reqid(child_sa) != - entry->child_sa->get_reqid(entry->child_sa)) + if (child_sa) { - continue; + if (acquire->dst) + { + /* since every wildcard acquire results in a separate IKE_SA + * there is no need to compare the destination address */ + } + else if (child_sa->get_reqid(child_sa) != acquire->reqid) + { + continue; + } } - entry->ike_sa = NULL; - entry->pending = FALSE; + this->acquires->remove_at(this->acquires, enumerator); + destroy_acquire(acquire); } enumerator->destroy(enumerator); - this->lock->unlock(this->lock); + this->mutex->unlock(this->mutex); } METHOD(listener_t, ike_state_change, bool, @@ -444,14 +611,15 @@ METHOD(listener_t, child_state_change, bool, METHOD(trap_manager_t, flush, void, private_trap_manager_t *this) { - linked_list_t *traps; - /* since destroying the CHILD_SA results in events which require a read - * lock we cannot destroy the list while holding the write lock */ this->lock->write_lock(this->lock); - traps = this->traps; + while (this->installing) + { + this->condvar->wait(this->condvar, this->lock); + } + this->traps->destroy_function(this->traps, (void*)destroy_entry); this->traps = linked_list_create(); + this->installing = INSTALL_DISABLED; this->lock->unlock(this->lock); - traps->destroy_function(traps, (void*)destroy_entry); } METHOD(trap_manager_t, destroy, void, 
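Review bot: flush() now destroys the trap entries while holding the write lock, which the removed comment said was unsafe because the resulting events needed the read lock; the reason it is safe now (complete() only takes `this->mutex`) is not stated, so add `/* complete() no longer needs the rwlock, so entries can be destroyed under the write lock */` above `this->traps->destroy_function(...)` if that is indeed the reason — otherwise this reintroduces a deadlock. In complete() the empty `if (acquire->dst) { }` branch reads awkwardly; `if (!acquire->dst && child_sa->get_reqid(child_sa) != acquire->reqid) { continue; }` with the comment moved above it says the same in one condition.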
@@ -459,6 +627,9 @@ METHOD(trap_manager_t, destroy, void, { charon->bus->remove_listener(charon->bus, &this->listener.listener); this->traps->destroy_function(this->traps, (void*)destroy_entry); + this->acquires->destroy_function(this->acquires, (void*)destroy_acquire); + this->condvar->destroy(this->condvar); + this->mutex->destroy(this->mutex); this->lock->destroy(this->lock); free(this); } @@ -488,7 +659,10 @@ trap_manager_t *trap_manager_create(void) }, }, .traps = linked_list_create(), + .acquires = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .condvar = rwlock_condvar_create(), .ignore_acquire_ts = lib->settings->get_bool(lib->settings, "%s.ignore_acquire_ts", FALSE, lib->ns), ); diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am index c8be28594..5fd8ca26d 100644 --- a/src/libcharon/tests/Makefile.am +++ b/src/libcharon/tests/Makefile.am @@ -3,7 +3,9 @@ TESTS = libcharon_tests check_PROGRAMS = $(TESTS) libcharon_tests_SOURCES = \ + suites/test_ike_cfg.c \ suites/test_mem_pool.c \ + suites/test_message_chapoly.c \ libcharon_tests.h libcharon_tests.c libcharon_tests_CFLAGS = \ @@ -11,6 +13,8 @@ libcharon_tests_CFLAGS = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS=\""${s_plugins}\"" \ @COVERAGE_CFLAGS@ libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@ diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in index 7f4f4b24e..910aad928 100644 --- a/src/libcharon/tests/Makefile.in +++ b/src/libcharon/tests/Makefile.in 
@@ -102,7 +102,9 @@ CONFIG_CLEAN_VPATH_FILES = am__EXEEXT_1 = libcharon_tests$(EXEEXT) am__dirstamp = $(am__leading_dot)dirstamp am_libcharon_tests_OBJECTS = \ + suites/libcharon_tests-test_ike_cfg.$(OBJEXT) \ suites/libcharon_tests-test_mem_pool.$(OBJEXT) \ + suites/libcharon_tests-test_message_chapoly.$(OBJEXT) \ libcharon_tests-libcharon_tests.$(OBJEXT) libcharon_tests_OBJECTS = $(am_libcharon_tests_OBJECTS) libcharon_tests_DEPENDENCIES = \ @@ -427,7 +429,9 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ libcharon_tests_SOURCES = \ + suites/test_ike_cfg.c \ suites/test_mem_pool.c \ + suites/test_message_chapoly.c \ libcharon_tests.h libcharon_tests.c libcharon_tests_CFLAGS = \ @@ -435,6 +439,8 @@ libcharon_tests_CFLAGS = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libstrongswan/tests \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS=\""${s_plugins}\"" \ @COVERAGE_CFLAGS@ libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@ @@ -493,8 +499,12 @@ suites/$(am__dirstamp): suites/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) suites/$(DEPDIR) @: > suites/$(DEPDIR)/$(am__dirstamp) +suites/libcharon_tests-test_ike_cfg.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) suites/libcharon_tests-test_mem_pool.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libcharon_tests-test_message_chapoly.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) libcharon_tests$(EXEEXT): $(libcharon_tests_OBJECTS) $(libcharon_tests_DEPENDENCIES) $(EXTRA_libcharon_tests_DEPENDENCIES) @rm -f libcharon_tests$(EXEEXT) 
@@ -508,7 +518,9 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcharon_tests-libcharon_tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ 
@@ -534,6 +546,20 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< +suites/libcharon_tests-test_ike_cfg.o: suites/test_ike_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_ike_cfg.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo -c -o suites/libcharon_tests-test_ike_cfg.o `test -f 'suites/test_ike_cfg.c' || echo '$(srcdir)/'`suites/test_ike_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ike_cfg.c' object='suites/libcharon_tests-test_ike_cfg.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_ike_cfg.o `test -f 'suites/test_ike_cfg.c' || echo '$(srcdir)/'`suites/test_ike_cfg.c + +suites/libcharon_tests-test_ike_cfg.obj: suites/test_ike_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_ike_cfg.obj -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo -c -o suites/libcharon_tests-test_ike_cfg.obj `if test -f 'suites/test_ike_cfg.c'; then $(CYGPATH_W) 'suites/test_ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_cfg.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_ike_cfg.c' 
object='suites/libcharon_tests-test_ike_cfg.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_ike_cfg.obj `if test -f 'suites/test_ike_cfg.c'; then $(CYGPATH_W) 'suites/test_ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_cfg.c'; fi` + suites/libcharon_tests-test_mem_pool.o: suites/test_mem_pool.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_mem_pool.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo -c -o suites/libcharon_tests-test_mem_pool.o `test -f 'suites/test_mem_pool.c' || echo '$(srcdir)/'`suites/test_mem_pool.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po 
@@ -548,6 +574,20 @@ suites/libcharon_tests-test_mem_pool.obj: suites/test_mem_pool.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_mem_pool.obj `if test -f 'suites/test_mem_pool.c'; then $(CYGPATH_W) 'suites/test_mem_pool.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mem_pool.c'; fi` +suites/libcharon_tests-test_message_chapoly.o: suites/test_message_chapoly.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_message_chapoly.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Tpo -c -o suites/libcharon_tests-test_message_chapoly.o `test -f 'suites/test_message_chapoly.c' || echo '$(srcdir)/'`suites/test_message_chapoly.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Tpo suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_message_chapoly.c' object='suites/libcharon_tests-test_message_chapoly.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_message_chapoly.o `test -f 'suites/test_message_chapoly.c' || echo '$(srcdir)/'`suites/test_message_chapoly.c + +suites/libcharon_tests-test_message_chapoly.obj: suites/test_message_chapoly.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_message_chapoly.obj -MD -MP 
-MF suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Tpo -c -o suites/libcharon_tests-test_message_chapoly.obj `if test -f 'suites/test_message_chapoly.c'; then $(CYGPATH_W) 'suites/test_message_chapoly.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_message_chapoly.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Tpo suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_message_chapoly.c' object='suites/libcharon_tests-test_message_chapoly.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_message_chapoly.obj `if test -f 'suites/test_message_chapoly.c'; then $(CYGPATH_W) 'suites/test_message_chapoly.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_message_chapoly.c'; fi` + libcharon_tests-libcharon_tests.o: libcharon_tests.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT libcharon_tests-libcharon_tests.o -MD -MP -MF $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo -c -o libcharon_tests-libcharon_tests.o `test -f 'libcharon_tests.c' || echo '$(srcdir)/'`libcharon_tests.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo $(DEPDIR)/libcharon_tests-libcharon_tests.Po diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libcharon/tests/libcharon_tests.c index 1ed0f0c95..ec96de711 100644 --- a/src/libcharon/tests/libcharon_tests.c +++ b/src/libcharon/tests/libcharon_tests.c 
@@ -27,8 +27,8 @@ static test_configuration_t tests[] = {
 #define TEST_SUITE(x) \
 { .suite = x, },
-#define TEST_SUITE_DEPEND(x, type, args) \
- { .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#define TEST_SUITE_DEPEND(x, type, ...) \
+ { .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) },
 #include "libcharon_tests.h"
 { .suite = NULL, }
 };
@@ -37,13 +37,27 @@ static bool test_runner_init(bool init)
 {
 if (init)
 {
+ char *plugins, *plugindir;
+
 libhydra_init();
 libcharon_init();
+
+ plugins = getenv("TESTS_PLUGINS") ?:
+ lib->settings->get_str(lib->settings,
+ "tests.load", PLUGINS);
+ plugindir = lib->settings->get_str(lib->settings,
+ "tests.plugindir", PLUGINDIR);
+ plugin_loader_add_plugindirs(plugindir, plugins);
+ if (!lib->plugins->load(lib->plugins, plugins))
+ {
+ return FALSE;
+ }
 }
 else
 {
 lib->processor->set_threads(lib->processor, 0);
 lib->processor->cancel(lib->processor);
+ lib->plugins->unload(lib->plugins);
 libcharon_deinit();
 libhydra_deinit();
 }
diff --git a/src/libcharon/tests/libcharon_tests.h b/src/libcharon/tests/libcharon_tests.h
index dc9681aeb..fb82baccb 100644
--- a/src/libcharon/tests/libcharon_tests.h
+++ b/src/libcharon/tests/libcharon_tests.h
@@ -13,4 +13,6 @@
 * for more details.
 */
+TEST_SUITE(ike_cfg_suite_create)
 TEST_SUITE(mem_pool_suite_create)
+TEST_SUITE_DEPEND(message_chapoly_suite_create, AEAD, ENCR_CHACHA20_POLY1305, 32)
diff --git a/src/libcharon/tests/suites/test_ike_cfg.c b/src/libcharon/tests/suites/test_ike_cfg.c
new file mode 100644
index 000000000..8062179b9
--- /dev/null
+++ b/src/libcharon/tests/suites/test_ike_cfg.c
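Review bot: In test_runner_init the new `return FALSE;` after a failed `lib->plugins->load()` fires once libhydra_init() and libcharon_init() have already run but before anything is torn down; whether the deinit branch (init == FALSE) is still reached after a failed init depends on the runner, which is outside this hunk, and if it is not, a failed plugin load leaves both libraries initialized. Either unload and deinitialize inline before returning, mirroring the else branch, or document that the runner always calls init(FALSE). The `?:` elvis operator is a GNU extension, and the precedence of the environment variable over the settings file deserves a line, e.g. `/* TESTS_PLUGINS overrides tests.load so a suite can be run with a reduced plugin set */`.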
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include
+
+static void assert_family(int expected, char *addr, bool local)
+{
+ ike_cfg_t *cfg;
+ int family;
+
+ cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local ? addr : "%any", 500,
+ local ? "%any" : addr, 500, FRAGMENTATION_NO, 0);
+ family = ike_cfg_get_family(cfg, local);
+ ck_assert_msg(expected == family, "expected family %d != %d (addr: '%s')",
+ expected, family, addr);
+ cfg->destroy(cfg);
+}
+
+START_TEST(test_get_address_family_empty)
+{
+ assert_family(AF_UNSPEC, "", _i);
+}
+END_TEST
+
+START_TEST(test_get_address_family_addr)
+{
+ assert_family(AF_INET, "192.168.1.1", _i);
+ assert_family(AF_INET6, "fec::1", _i);
+}
+END_TEST
+
+START_TEST(test_get_address_family_multi)
+{
+ assert_family(AF_INET, "192.168.1.1,192.168.2.2", _i);
+ assert_family(AF_INET6, "fec::1,fec::2", _i);
+
+ assert_family(AF_UNSPEC, "192.168.1.1,fec::1", _i);
+ assert_family(AF_UNSPEC, "fec::1,192.168.1.1", _i);
+}
+END_TEST
+
+START_TEST(test_get_address_family_any)
+{
+ assert_family(AF_UNSPEC, "%any", _i);
+
+ assert_family(AF_INET, "%any4", _i);
+ assert_family(AF_INET, "0.0.0.0", _i);
+
+ assert_family(AF_INET6, "%any6", _i);
+ assert_family(AF_INET6, "::", _i);
+
+ assert_family(AF_INET, "192.168.1.1,%any", _i);
+ assert_family(AF_INET, "192.168.1.1,%any4", _i);
+ assert_family(AF_UNSPEC, "192.168.1.1,%any6", _i);
+
assert_family(AF_INET6, "fec::1,%any", _i);
+ assert_family(AF_UNSPEC, "fec::1,%any4", _i);
+ assert_family(AF_INET6, "fec::1,%any6", _i);
+}
+END_TEST
+
+START_TEST(test_get_address_family_other)
+{
+ assert_family(AF_INET, "192.168.1.0", _i);
+ assert_family(AF_UNSPEC, "192.168.1.0/24", _i);
+ assert_family(AF_UNSPEC, "192.168.1.0-192.168.1.10", _i);
+
+ assert_family(AF_INET, "192.168.1.0/24,192.168.2.1", _i);
+ assert_family(AF_INET, "192.168.1.0-192.168.1.10,192.168.2.1", _i);
+ assert_family(AF_INET6, "192.168.1.0/24,fec::1", _i);
+ assert_family(AF_INET6, "192.168.1.0-192.168.1.10,fec::1", _i);
+
+ assert_family(AF_INET6, "fec::", _i);
+ assert_family(AF_UNSPEC, "fec::/64", _i);
+ assert_family(AF_UNSPEC, "fec::1-fec::10", _i);
+
+ assert_family(AF_INET6, "fec::/64,fed::1", _i);
+ assert_family(AF_INET6, "fec::1-fec::10,fec::1", _i);
+ assert_family(AF_INET, "fec::/64,192.168.1.1", _i);
+ assert_family(AF_INET, "fec::1-fec::10,192.168.1.1", _i);
+
+ assert_family(AF_UNSPEC, "strongswan.org", _i);
+ assert_family(AF_INET, "192.168.1.0,strongswan.org", _i);
+ assert_family(AF_INET6, "fec::1,strongswan.org", _i);
+}
+END_TEST
+
+Suite *ike_cfg_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("ike_cfg");
+
+ tc = tcase_create("ike_cfg_get_address_family");
+ tcase_add_loop_test(tc, test_get_address_family_empty, 0, 2);
+ tcase_add_loop_test(tc, test_get_address_family_addr, 0, 2);
+ tcase_add_loop_test(tc, test_get_address_family_multi, 0, 2);
+ tcase_add_loop_test(tc, test_get_address_family_any, 0, 2);
+ tcase_add_loop_test(tc, test_get_address_family_other, 0, 2);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libcharon/tests/suites/test_message_chapoly.c b/src/libcharon/tests/suites/test_message_chapoly.c
new file mode 100644
index 000000000..e871cf6c2
--- /dev/null
+++ b/src/libcharon/tests/suites/test_message_chapoly.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include
+
+static aead_t *aead;
+
+static iv_gen_t *ivgen;
+
+METHOD(keymat_t, get_version, ike_version_t,
+ keymat_t *this)
+{
+ return IKEV2;
+}
+
+METHOD(keymat_t, get_aead, aead_t*,
+ keymat_t *this, bool in)
+{
+ return aead;
+}
+
+METHOD(aead_t, get_iv_gen, iv_gen_t*,
+ aead_t *this)
+{
+ return ivgen;
+}
+
+METHOD(iv_gen_t, get_iv, bool,
+ iv_gen_t *this, u_int64_t seq, size_t size, u_int8_t *buffer)
+{
+ if (size != 8)
+ {
+ return FALSE;
+ }
+ memcpy(buffer, "\x10\x11\x12\x13\x14\x15\x16\x17", 8);
+ return TRUE;
+}
+
+METHOD(iv_gen_t, allocate_iv, bool,
+ iv_gen_t *this, u_int64_t seq, size_t size, chunk_t *chunk)
+{
+ if (size != 8)
+ {
+ return FALSE;
+ }
+ *chunk = chunk_alloc(size);
+ return get_iv(this, seq, chunk->len, chunk->ptr);
+}
+
+/**
+ * Appendix B draft-ietf-ipsecme-chacha20-poly1305-06
+ */
+START_TEST(test_chacha20poly1305)
+{
+ u_int64_t spii, spir;
+ ike_sa_id_t *id;
+ message_t *m;
+ u_int32_t window = htonl(10);
+ chunk_t chunk, exp;
+ keymat_t keymat = {
+ .get_version = _get_version,
+ .create_dh = (void*)return_null,
+ .create_nonce_gen = (void*)return_null,
+ .get_aead = _get_aead,
+ };
+
+ m = message_create(IKEV2, 0);
+ m->set_exchange_type(m, INFORMATIONAL);
+ htoun64(&spii, 0xc0c1c2c3c4c5c6c7);
+ htoun64(&spir, 0xd0d1d2d3d4d5d6d7);
+ id = ike_sa_id_create(IKEV2, spii, spir, FALSE);
+
m->set_ike_sa_id(m, id);
+ id->destroy(id);
+ m->set_source(m, host_create_from_string("1.2.3.4", 4500));
+ m->set_destination(m, host_create_from_string("4.3.2.1", 4500));
+ m->set_message_id(m, 9);
+ m->add_notify(m, TRUE, SET_WINDOW_SIZE, chunk_from_thing(window));
+
+ aead = lib->crypto->create_aead(lib->crypto, ENCR_CHACHA20_POLY1305, 32, 4);
+ ck_assert(aead);
+ ck_assert(aead->set_key(aead, chunk_from_chars(
+ 0x80,0x81,0x82,0x83,0x84,0x85,0x86,0x87,
+ 0x88,0x89,0x8a,0x8b,0x8c,0x8d,0x8e,0x8f,
+ 0x90,0x91,0x92,0x93,0x94,0x95,0x96,0x97,
+ 0x98,0x99,0x9a,0x9b,0x9c,0x9d,0x9e,0x9f,
+ 0xa0,0xa1,0xa2,0xa3)));
+ INIT(ivgen,
+ .get_iv = _get_iv,
+ .allocate_iv = _allocate_iv,
+ .destroy = (void*)free,
+ );
+ aead->get_iv_gen = _get_iv_gen,
+
+ ck_assert(m->generate(m, &keymat, NULL) == SUCCESS);
+ chunk = m->get_packet_data(m);
+ exp = chunk_from_chars(0xc0,0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7,
+ 0xd0,0xd1,0xd2,0xd3,0xd4,0xd5,0xd6,0xd7,
+ 0x2e,0x20,0x25,0x00,0x00,0x00,0x00,0x09,
+ 0x00,0x00,0x00,0x45,0x29,0x00,0x00,0x29,
+ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
+ 0x61,0x03,0x94,0x70,0x1f,0x8d,0x01,0x7f,
+ 0x7c,0x12,0x92,0x48,0x89,0x6b,0x71,0xbf,
+ 0xe2,0x52,0x36,0xef,0xd7,0xcd,0xc6,0x70,
+ 0x66,0x90,0x63,0x15,0xb2);
+ ck_assert_msg(chunk_equals(chunk, exp), "got %B\nexp %B", &chunk, &exp);
+ ivgen->destroy(ivgen);
+ aead->destroy(aead);
+ m->destroy(m);
+}
+END_TEST
+
+Suite *message_chapoly_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("chapoly");
+
+ tc = tcase_create("ChaCha20Poly1305 IKEv2 encryption");
+ tcase_add_test(tc, test_chacha20poly1305);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index f22e07d95..605476ef1 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
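Review bot: `aead->get_iv_gen = _get_iv_gen,` ends with a comma rather than a semicolon, so the `ck_assert(m->generate(m, &keymat, NULL) == SUCCESS)` after the blank line is glued onto it as one comma expression; this only compiles because ck_assert expands to an expression, and it hides the first statement's end from the reader. Change it to `aead->get_iv_gen = _get_iv_gen;`. A short comment on the INIT(ivgen, ...) block would also help, since the fixed 0x10..0x17 bytes that get_iv writes are what make the generated packet reproduce the draft's Appendix B vector byte for byte (they appear verbatim in `exp`), e.g. `/* fixed IV so the output matches the draft's test vector */`. The START_TEST body begins in the previous chunk of this diff.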
@@ -199,6 +199,7 @@ static kernel_algorithm_t encryption_algs[] = {
 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
 {ENCR_SERPENT_CBC, "serpent" },
 {ENCR_TWOFISH_CBC, "twofish" },
+ {ENCR_CHACHA20_POLY1305, "rfc7539esp(chacha20,poly1305)"},
 };
 /**
@@ -734,6 +735,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
 traffic_selector_t *dst)
 {
 struct xfrm_selector sel;
+ u_int16_t port;
 memset(&sel, 0, sizeof(sel));
 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
@@ -746,13 +748,13 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
 if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
 (sel.dport || sel.sport))
 {
- /* the ICMP type is encoded in the most significant 8 bits and the ICMP
- * code in the least significant 8 bits of the port. via XFRM we have
- * to pass the ICMP type and code in the source and destination port
- * fields, respectively. the port is in network byte order. */
- u_int16_t port = max(sel.dport, sel.sport);
- sel.sport = htons(port & 0xff);
- sel.dport = htons(port >> 8);
+ /* the kernel expects the ICMP type and code in the source and
+ * destination port fields, respectively. */
+ port = ntohs(max(sel.dport, sel.sport));
+ sel.sport = htons(traffic_selector_icmp_type(port));
+ sel.sport_mask = sel.sport ? ~0 : 0;
+ sel.dport = htons(traffic_selector_icmp_code(port));
+ sel.dport_mask = sel.dport ? ~0 : 0;
 }
 sel.ifindex = 0;
 sel.user = 0;
@@ -1291,6 +1293,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 case ENCR_AES_GCM_ICV16:
 case ENCR_NULL_AUTH_AES_GMAC:
 case ENCR_CAMELLIA_CCM_ICV16:
+ case ENCR_CHACHA20_POLY1305:
 icv_size += 32;
 /* FALL */
 case ENCR_AES_CCM_ICV12:
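Review bot: In ts2selector the new masks `sel.sport_mask = sel.sport ? ~0 : 0;` and `sel.dport_mask = sel.dport ? ~0 : 0;` derive the wildcard from the value, so an ICMP type or code of 0 (for example echo reply, type 0) cannot be expressed as an exact match and turns into "any"; a policy meant to cover only echo replies would then match every ICMP type. The guard `(sel.dport || sel.sport)` above only establishes that the combined port value was non-zero, not that the extracted type or code is. If traffic_selector_icmp_type() / traffic_selector_icmp_code() can legitimately return 0 for a selector that does carry a type, the mask should come from whether a type is present rather than from its value, or a comment should state that type 0 is intentionally treated as unset. ts2selector's body continues outside the hunk.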
@@ -2022,23 +2025,36 @@ METHOD(kernel_ipsec_t, flush_sas, status_t,
 netlink_buf_t request;
 struct nlmsghdr *hdr;
 struct xfrm_usersa_flush *flush;
+ struct {
+ u_int8_t proto;
+ char *name;
+ } protos[] = {
+ { IPPROTO_AH, "AH" },
+ { IPPROTO_ESP, "ESP" },
+ { IPPROTO_COMP, "IPComp" },
+ };
+ int i;
 memset(&request, 0, sizeof(request));
- DBG2(DBG_KNL, "flushing all SAD entries");
-
 hdr = &request.hdr;
 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
 hdr->nlmsg_type = XFRM_MSG_FLUSHSA;
 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush));
 flush = NLMSG_DATA(hdr);
- flush->proto = IPSEC_PROTO_ANY;
- if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ for (i = 0; i < countof(protos); i++)
 {
- DBG1(DBG_KNL, "unable to flush SAD entries");
- return FAILED;
+ DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
+
+ flush->proto = protos[i].proto;
+
+ if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
+ return FAILED;
+ }
 }
 return SUCCESS;
 }
@@ -2057,6 +2073,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 ipsec_sa_t *ipsec = mapping->sa;
 struct xfrm_userpolicy_info *policy_info;
 struct nlmsghdr *hdr;
+ status_t status;
 int i;
 /* clone the policy so we are able to check it out again later */
@@ -2151,7 +2168,14 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 }
 this->mutex->unlock(this->mutex);
- if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+ if (status == ALREADY_DONE && !update)
+ {
+ DBG1(DBG_KNL, "policy already exists, try to update it");
+ hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
+ status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
+ }
+ if (status != SUCCESS)
 {
 return FAILED;
 }
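Review bot: The per-protocol loop in flush_sas returns FAILED at the first XFRM_MSG_FLUSHSA that is rejected, so a failure on AH leaves every ESP and IPComp SA in the SAD, whereas the replaced single IPSEC_PROTO_ANY flush was all-or-nothing; consider recording the failure and continuing with the remaining protocols, i.e. `status = FAILED;` in place of `return FAILED;` and `return status;` after the loop. The PF_KEY flush_sas later in this diff has the same shape and the same remark applies there. In add_policy_internal the ALREADY_DONE retry silently turns an add into an XFRM_MSG_UPDPOLICY on the same header; a one-line comment on why replacing a policy that is already present (left over or installed elsewhere) is the intended outcome, e.g. `/* a pre-existing policy with identical selectors is replaced rather than treated as an error */`, would help the next reader. add_policy_internal's body runs past the hunk.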
@@ -2560,6 +2584,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 if (!add_mark(hdr, sizeof(request), mark))
 {
+ this->mutex->unlock(this->mutex);
 return FAILED;
 }
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index 1515b01cc..4e5e02d07 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -490,6 +490,16 @@ struct private_kernel_netlink_net_t {
 */
 bool rta_prefsrc_for_ipv6;
+ /**
+ * whether marks can be used in route lookups
+ */
+ bool rta_mark;
+
+ /**
+ * the mark excluded from the routing rule used for virtual IPs
+ */
+ mark_t routing_mark;
+
 /**
 * whether to prefer temporary IPv6 addresses over public ones
 */
@@ -1676,18 +1686,25 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 family = dest->get_family(dest);
 hdr = &request.hdr;
 hdr->nlmsg_flags = NLM_F_REQUEST;
- if (family == AF_INET || this->rta_prefsrc_for_ipv6 ||
- this->routing_table || match_net)
- { /* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
- * as we want to ignore routes with virtual IPs we cannot use DUMP
- * if these routes are not installed in a separate table */
- hdr->nlmsg_flags |= NLM_F_DUMP;
- }
 hdr->nlmsg_type = RTM_GETROUTE;
 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
 msg = NLMSG_DATA(hdr);
 msg->rtm_family = family;
+ if (!match_net && this->rta_mark && this->routing_mark.value)
+ {
+ /* if our routing rule excludes packets with a certain mark we can
+ * get the preferred route without having to dump all routes */
+ chunk = chunk_from_thing(this->routing_mark.value);
+ netlink_add_attribute(hdr, RTA_MARK, chunk, sizeof(request));
+ }
+ else if (family == AF_INET || this->rta_prefsrc_for_ipv6 ||
+ this->routing_table || match_net)
+ { /* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
+ * as we want to ignore routes with virtual IPs we cannot use DUMP
+ * if these routes are not installed in a separate table */
+ hdr->nlmsg_flags |= NLM_F_DUMP;
+ }
 if (candidate)
 {
 chunk = candidate->get_address(candidate);
@@ -2412,6 +2429,10 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
 netlink_add_attribute(hdr, FRA_FWMARK, chunk, sizeof(request));
 chunk = chunk_from_thing(mark.mask);
 netlink_add_attribute(hdr, FRA_FWMASK, chunk, sizeof(request));
+ if (msg->rtm_flags & FIB_RULE_INVERT)
+ {
+ this->routing_mark = mark;
+ }
 }
 #else
 DBG1(DBG_KNL, "setting firewall mark on routing rule is not supported");
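Review bot: manage_rule stores `this->routing_mark = mark;` whenever the rule carries FIB_RULE_INVERT, without looking at `nlmsg_type`, so once the rule is deleted the remembered mark survives and get_route keeps taking the RTA_MARK branch for a rule that no longer exists instead of falling back to the NLM_F_DUMP path; presumably that returns the unfiltered route and can pick a virtual IP as source. Guard the assignment with the operation and clear it on removal, e.g. `if (nlmsg_type == RTM_NEWRULE && (msg->rtm_flags & FIB_RULE_INVERT))` plus a matching reset on RTM_DELRULE, or add a comment explaining why a stale mark is harmless. The field itself would benefit from noting that `routing_mark.value == 0` means "no inverted rule installed", since get_route relies on exactly that. manage_rule's body starts and ends outside the hunk.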
@@ -2435,6 +2456,10 @@ static void check_kernel_features(private_kernel_netlink_net_t *this)
 case 3:
 if (a == 2)
 {
+ if (b == 6 && c >= 36)
+ {
+ this->rta_mark = TRUE;
+ }
 DBG2(DBG_KNL, "detected Linux %d.%d.%d, no support for "
 "RTA_PREFSRC for IPv6 routes", a, b, c);
 break;
@@ -2443,6 +2468,7 @@ static void check_kernel_features(private_kernel_netlink_net_t *this)
 case 2:
 /* only 3.x+ uses two part version numbers */
 this->rta_prefsrc_for_ipv6 = TRUE;
+ this->rta_mark = TRUE;
 break;
 default:
 break;
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
index b0e3103d3..f7ce992a3 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -185,8 +185,8 @@ static ssize_t read_msg(private_netlink_socket_t *this,
 return -1;
 }
 }
- len = recv(this->socket, buf, buflen, block ? 0 : MSG_DONTWAIT);
- if (len == buflen)
+ len = recv(this->socket, buf, buflen, MSG_TRUNC|(block ? 0 : MSG_DONTWAIT));
+ if (len > buflen)
 {
 DBG1(DBG_KNL, "netlink response exceeds buffer size");
 return 0;
@@ -571,7 +571,7 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
 .protocol = protocol,
 .names = names,
 .buflen = lib->settings->get_int(lib->settings,
- "%s.plugins.kernel-netlink.buflen", 4096, lib->ns),
+ "%s.plugins.kernel-netlink.buflen", 0, lib->ns),
 .timeout = lib->settings->get_int(lib->settings,
 "%s.plugins.kernel-netlink.timeout", 0, lib->ns),
 .retries = lib->settings->get_int(lib->settings,
@@ -582,6 +582,16 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
 .parallel = parallel,
 );
+ if (!this->buflen)
+ {
+ long pagesize = sysconf(_SC_PAGESIZE);
+ if (pagesize == -1)
+ {
+ pagesize = 4096;
+ }
+ /* base this on NLMSG_GOODSIZE */
+ this->buflen = min(pagesize, 8192);
+ }
 if (this->socket == -1)
 {
 DBG1(DBG_KNL, "unable to create netlink socket");
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 3b32ba553..5027e1759 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -106,6 +106,12 @@
 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
 #endif
+#if !defined(SADB_X_EALG_AES_GCM_ICV8) && defined(SADB_X_EALG_AESGCM8)
+#define SADB_X_EALG_AES_GCM_ICV8 SADB_X_EALG_AESGCM8
+#define SADB_X_EALG_AES_GCM_ICV12 SADB_X_EALG_AESGCM12
+#define SADB_X_EALG_AES_GCM_ICV16 SADB_X_EALG_AESGCM16
+#endif
+
 #ifndef SOL_IP
 #define SOL_IP IPPROTO_IP
 #define SOL_IPV6 IPPROTO_IPV6
@@ -508,15 +514,30 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
 INIT(policy,
 .direction = dir,
 );
+ u_int16_t port;
+ u_int8_t proto;
 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
 /* src or dest proto may be "any" (0), use more restrictive one */
- policy->src.proto = max(src_ts->get_protocol(src_ts),
- dst_ts->get_protocol(dst_ts));
- policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
- policy->dst.proto = policy->src.proto;
+ proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
+ /* map the ports to ICMP type/code how the Linux kernel expects them, that
+ * is, type in src, code in dst */
+ if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
+ {
+ port = max(policy->src.net->get_port(policy->src.net),
+ policy->dst.net->get_port(policy->dst.net));
+ policy->src.net->set_port(policy->src.net,
+ traffic_selector_icmp_type(port));
+ policy->dst.net->set_port(policy->dst.net,
+ traffic_selector_icmp_code(port));
+ }
+ else if (!proto)
+ {
+ proto = IPSEC_PROTO_ANY;
+ }
+ policy->src.proto = policy->dst.proto = proto;
 return policy;
 }
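Review bot: `u_int16_t port;` and `u_int8_t proto;` are declared after the `INIT(policy, ...)` statement in create_policy_entry; the rest of this file keeps declarations at the top of the function, so move them up with the other locals. The new comment says the ports are mapped "how the Linux kernel expects them", yet this PF_KEY backend is also built for non-Linux kernels; if the type-in-src / code-in-dst encoding is Linux-specific the mapping should be conditional, and if it applies to every PF_KEY kernel the comment should say so instead of naming Linux. create_policy_entry's signature starts outside the hunk.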
@@ -826,9 +847,11 @@ static kernel_algorithm_t encryption_algs[] = {
 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
-/* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
-/* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
-/* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
+#ifdef SADB_X_EALG_AES_GCM_ICV8 /* assume the others are defined too */
+ {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 },
+ {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 },
+ {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 },
+#endif
 {END_OF_LIST, 0 },
 };
@@ -941,28 +964,6 @@ static size_t hostcpy(void *dest, host_t *host, bool include_port)
 return *len;
 }
-/**
- * Copy a host_t as sockaddr_t to the given memory location and map the port to
- * ICMP/ICMPv6 message type/code as the Linux kernel expects it, that is, the
- * type in the source and the code in the destination address.
- * @return the number of bytes copied
- */
-static size_t hostcpy_icmp(void *dest, host_t *host, u_int16_t type)
-{
- size_t len;
-
- len = hostcpy(dest, host, TRUE);
- if (type == SADB_EXT_ADDRESS_SRC)
- {
- set_port(dest, traffic_selector_icmp_type(host->get_port(host)));
- }
- else
- {
- set_port(dest, traffic_selector_icmp_code(host->get_port(host)));
- }
- return len;
-}
-
 /**
 * add a host to the given sadb_msg
 */
@@ -975,14 +976,7 @@ static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
 addr->sadb_address_exttype = type;
 addr->sadb_address_proto = proto;
 addr->sadb_address_prefixlen = prefixlen;
- if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
- {
- len = hostcpy_icmp(addr + 1, host, type);
- }
- else
- {
- len = hostcpy(addr + 1, host, include_port);
- }
+ len = hostcpy(addr + 1, host, include_port);
 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
 PFKEY_EXT_ADD(msg, addr);
 }
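Review bot: add_addr_ext now copies the port only when `include_port` is set, whereas the removed hostcpy_icmp path always copied it (`hostcpy(dest, host, TRUE)`) for ICMP/ICMPv6 hosts, so a caller that passes include_port == FALSE for an ICMP selector now drops the type/code that previously reached the kernel; the callers are outside this hunk, so please confirm that every path carrying ICMP selectors passes TRUE and goes through create_policy_entry, which after this diff is the only place the type/code mapping happens. A one-line comment on add_addr_ext, e.g. `/* ICMP type/code are already mapped into the host ports by create_policy_entry */`, would stop the next reader from re-adding the special case here. add_addr_ext's signature starts outside the hunk.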
@@ -2078,31 +2072,44 @@ METHOD(kernel_ipsec_t, flush_sas, status_t,
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
 struct sadb_msg *msg, *out;
+ struct {
+ u_int8_t proto;
+ char *name;
+ } protos[] = {
+ { SADB_SATYPE_AH, "AH" },
+ { SADB_SATYPE_ESP, "ESP" },
+ { SADB_X_SATYPE_IPCOMP, "IPComp" },
+ };
 size_t len;
+ int i;
 memset(&request, 0, sizeof(request));
- DBG2(DBG_KNL, "flushing all SAD entries");
-
 msg = (struct sadb_msg*)request;
 msg->sadb_msg_version = PF_KEY_V2;
 msg->sadb_msg_type = SADB_FLUSH;
- msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
- if (pfkey_send(this, msg, &out, &len) != SUCCESS)
- {
- DBG1(DBG_KNL, "unable to flush SAD entries");
- return FAILED;
- }
- else if (out->sadb_msg_errno)
+ for (i = 0; i < countof(protos); i++)
 {
- DBG1(DBG_KNL, "unable to flush SAD entries: %s (%d)",
- strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
+
+ msg->sadb_msg_satype = protos[i].proto;
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to flush %s SAD entries: %s (%d)",
+ protos[i].name, strerror(out->sadb_msg_errno),
+ out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
 free(out);
- return FAILED;
 }
- free(out);
 return SUCCESS;
 }
@@ -2357,6 +2364,7 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
 pfkey_msg_t response;
 size_t len;
 ipsec_mode_t proto_mode;
+ status_t status;
 memset(&request, 0, sizeof(request));
@@ -2444,7 +2452,15 @@ static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
 this->mutex->unlock(this->mutex);
- if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ status = pfkey_send(this, msg, &out, &len);
+ if (status == SUCCESS && !update && out->sadb_msg_errno == EEXIST)
+ {
+ DBG1(DBG_KNL, "policy already exists, try to update it");
+ free(out);
+ msg->sadb_msg_type = SADB_X_SPDUPDATE;
+ status = pfkey_send(this, msg, &out, &len);
+ }
+ if (status != SUCCESS)
 {
 return FAILED;
 }
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index 0f7802270..df80c29b8 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -408,6 +408,11 @@ struct private_kernel_pfroute_net_t
 * Time in ms to wait for IP addresses to appear/disappear
 */
 int vip_wait;
+
+ /**
+ * whether to actually install virtual IPs
+ */
+ bool install_virtual_ip;
 };
@@ -1197,6 +1202,11 @@ METHOD(kernel_net_t, add_ip, status_t,
 tun_device_t *tun;
 bool timeout = FALSE;
+ if (!this->install_virtual_ip)
+ { /* disabled by config */
+ return SUCCESS;
+ }
+
 tun = tun_device_create(NULL);
 if (!tun)
 {
@@ -1271,6 +1281,11 @@ METHOD(kernel_net_t, del_ip, status_t,
 host_t *addr;
 bool timeout = FALSE, found = FALSE;
+ if (!this->install_virtual_ip)
+ { /* disabled by config */
+ return SUCCESS;
+ }
+
 this->lock->write_lock(this->lock);
 enumerator = this->tuns->create_enumerator(this->tuns);
 while (enumerator->enumerate(enumerator, &tun))
@@ -1848,6 +1863,8 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 .roam_lock = spinlock_create(),
 .vip_wait = lib->settings->get_int(lib->settings,
 "%s.plugins.kernel-pfroute.vip_wait", 1000, lib->ns),
+ .install_virtual_ip = lib->settings->get_bool(lib->settings,
+ "%s.install_virtual_ip", TRUE, lib->ns),
 );
 timerclear(&this->last_route_reinstall);
 timerclear(&this->next_roam);
diff --git a/src/libhydra/tests/hydra_tests.c b/src/libhydra/tests/hydra_tests.c
index 90abd8369..0d6387be7 100644
--- a/src/libhydra/tests/hydra_tests.c
+++ b/src/libhydra/tests/hydra_tests.c
@@ -26,8 +26,8 @@ static test_configuration_t tests[] = {
 #define TEST_SUITE(x) \
 { .suite = x, },
-#define TEST_SUITE_DEPEND(x, type, args) \
- { .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#define TEST_SUITE_DEPEND(x, type, ...) \
+ { .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) },
 #include "hydra_tests.h"
 { .suite = NULL, }
 };
diff --git a/src/libimcv/Android.mk b/src/libimcv/Android.mk
index 8269d7296..80e2aaadb 100644
--- a/src/libimcv/Android.mk
+++ b/src/libimcv/Android.mk
@@ -18,11 +18,13 @@ libimcv_la_SOURCES := \
 imv/imv_session.h imv/imv_session.c \
 imv/imv_session_manager.h imv/imv_session_manager.c \
 imv/imv_workitem.h imv/imv_workitem.c \
+ generic/generic_attr_bool.h generic/generic_attr_bool.c \
+ generic/generic_attr_chunk.h generic/generic_attr_chunk.c \
+ generic/generic_attr_string.h generic/generic_attr_string.c \
 ietf/ietf_attr.h ietf/ietf_attr.c \
 ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \
 ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \
 ietf/ietf_attr_fwd_enabled.h ietf/ietf_attr_fwd_enabled.c \
- ietf/ietf_attr_default_pwd_enabled.h ietf/ietf_attr_default_pwd_enabled.c \
 ietf/ietf_attr_installed_packages.h ietf/ietf_attr_installed_packages.c \
 ietf/ietf_attr_numeric_version.h ietf/ietf_attr_numeric_version.c \
 ietf/ietf_attr_op_status.h ietf/ietf_attr_op_status.c \
@@ -37,7 +39,6 @@ libimcv_la_SOURCES := \
 ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \
 ita/ita_attr_settings.h ita/ita_attr_settings.c \
 ita/ita_attr_angel.h ita/ita_attr_angel.c \
- ita/ita_attr_device_id.h ita/ita_attr_device_id.c \
 os_info/os_info.h os_info/os_info.c \
 pa_tnc/pa_tnc_attr.h \
 pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
@@ -66,6 +67,8 @@ libimcv_la_SOURCES := \ pts/components/ita/ita_comp_tboot.h pts/components/ita/ita_comp_tboot.c \ pts/components/ita/ita_comp_tgrub.h pts/components/ita/ita_comp_tgrub.c \ pts/components/tcg/tcg_comp_func_name.h pts/components/tcg/tcg_comp_func_name.c \ + pwg/pwg_attr.h pwg/pwg_attr.c \ + pwg/pwg_attr_vendor_smi_code.h pwg/pwg_attr_vendor_smi_code.c \ seg/seg_contract.h seg/seg_contract.c \ seg/seg_contract_manager.h seg/seg_contract_manager.c \ seg/seg_env.h seg/seg_env.c \ diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am index a61382723..7683da3af 100644 --- a/src/libimcv/Makefile.am +++ b/src/libimcv/Makefile.am @@ -36,11 +36,13 @@ libimcv_la_SOURCES = \ imv/imv_session.h imv/imv_session.c \ imv/imv_session_manager.h imv/imv_session_manager.c \ imv/imv_workitem.h imv/imv_workitem.c \ + generic/generic_attr_bool.h generic/generic_attr_bool.c \ + generic/generic_attr_chunk.h generic/generic_attr_chunk.c \ + generic/generic_attr_string.h generic/generic_attr_string.c \ ietf/ietf_attr.h ietf/ietf_attr.c \ ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \ ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \ ietf/ietf_attr_fwd_enabled.h ietf/ietf_attr_fwd_enabled.c \ - ietf/ietf_attr_default_pwd_enabled.h ietf/ietf_attr_default_pwd_enabled.c \ ietf/ietf_attr_installed_packages.h ietf/ietf_attr_installed_packages.c \ ietf/ietf_attr_numeric_version.h ietf/ietf_attr_numeric_version.c \ ietf/ietf_attr_op_status.h ietf/ietf_attr_op_status.c \ @@ -55,7 +57,6 @@ libimcv_la_SOURCES = \ ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \ ita/ita_attr_settings.h ita/ita_attr_settings.c \ ita/ita_attr_angel.h ita/ita_attr_angel.c \ - ita/ita_attr_device_id.h ita/ita_attr_device_id.c \ os_info/os_info.h os_info/os_info.c \ pa_tnc/pa_tnc_attr.h \ pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \ 
@@ -84,6 +85,8 @@ libimcv_la_SOURCES = \ pts/components/ita/ita_comp_tboot.h pts/components/ita/ita_comp_tboot.c \ pts/components/ita/ita_comp_tgrub.h pts/components/ita/ita_comp_tgrub.c \ pts/components/tcg/tcg_comp_func_name.h pts/components/tcg/tcg_comp_func_name.c \ + pwg/pwg_attr.h pwg/pwg_attr.c \ + pwg/pwg_attr_vendor_smi_code.h pwg/pwg_attr_vendor_smi_code.c \ seg/seg_contract.h seg/seg_contract.c \ seg/seg_contract_manager.h seg/seg_contract_manager.c \ seg/seg_env.h seg/seg_env.c \ @@ -173,6 +176,14 @@ if USE_IMV_SWID SUBDIRS += plugins/imv_swid endif +if USE_IMC_HCD + SUBDIRS += plugins/imc_hcd +endif + +if USE_IMV_HCD + SUBDIRS += plugins/imv_hcd +endif + TESTS = imcv_tests check_PROGRAMS = $(TESTS) diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in index 03778a22c..ed2934cfb 100644 --- a/src/libimcv/Makefile.in +++ b/src/libimcv/Makefile.in @@ -94,6 +94,8 @@ ipsec_PROGRAMS = imv_policy_manager$(EXEEXT) @USE_IMV_ATTESTATION_TRUE@am__append_10 = plugins/imv_attestation @USE_IMC_SWID_TRUE@am__append_11 = plugins/imc_swid @USE_IMV_SWID_TRUE@am__append_12 = plugins/imv_swid +@USE_IMC_HCD_TRUE@am__append_13 = plugins/imc_hcd +@USE_IMV_HCD_TRUE@am__append_14 = plugins/imv_hcd TESTS = imcv_tests$(EXEEXT) check_PROGRAMS = $(am__EXEEXT_1) subdir = src/libimcv 
@@ -157,10 +159,10 @@ am_libimcv_la_OBJECTS = imcv.lo imc/imc_agent.lo imc/imc_msg.lo \ imv/imv_msg.lo imv/imv_lang_string.lo imv/imv_os_info.lo \ imv/imv_reason_string.lo imv/imv_remediation_string.lo \ imv/imv_session.lo imv/imv_session_manager.lo \ - imv/imv_workitem.lo ietf/ietf_attr.lo \ - ietf/ietf_attr_assess_result.lo ietf/ietf_attr_attr_request.lo \ - ietf/ietf_attr_fwd_enabled.lo \ - ietf/ietf_attr_default_pwd_enabled.lo \ + imv/imv_workitem.lo generic/generic_attr_bool.lo \ + generic/generic_attr_chunk.lo generic/generic_attr_string.lo \ + ietf/ietf_attr.lo ietf/ietf_attr_assess_result.lo \ + ietf/ietf_attr_attr_request.lo ietf/ietf_attr_fwd_enabled.lo \ ietf/ietf_attr_installed_packages.lo \ ietf/ietf_attr_numeric_version.lo ietf/ietf_attr_op_status.lo \ ietf/ietf_attr_pa_tnc_error.lo ietf/ietf_attr_port_filter.lo \ @@ -169,8 +171,7 @@ am_libimcv_la_OBJECTS = imcv.lo imc/imc_agent.lo imc/imc_msg.lo \ ietf/ietf_attr_string_version.lo ita/ita_attr.lo \ ita/ita_attr_command.lo ita/ita_attr_dummy.lo \ ita/ita_attr_get_settings.lo ita/ita_attr_settings.lo \ - ita/ita_attr_angel.lo ita/ita_attr_device_id.lo \ - os_info/os_info.lo pa_tnc/pa_tnc_msg.lo \ + ita/ita_attr_angel.lo os_info/os_info.lo pa_tnc/pa_tnc_msg.lo \ pa_tnc/pa_tnc_attr_manager.lo pts/pts.lo pts/pts_error.lo \ pts/pts_pcr.lo pts/pts_creds.lo pts/pts_database.lo \ pts/pts_dh_group.lo pts/pts_file_meas.lo pts/pts_file_meta.lo \ @@ -183,7 +184,8 @@ am_libimcv_la_OBJECTS = imcv.lo imc/imc_agent.lo imc/imc_msg.lo \ pts/components/ita/ita_comp_ima.lo \ pts/components/ita/ita_comp_tboot.lo \ pts/components/ita/ita_comp_tgrub.lo \ - pts/components/tcg/tcg_comp_func_name.lo seg/seg_contract.lo \ + pts/components/tcg/tcg_comp_func_name.lo pwg/pwg_attr.lo \ + pwg/pwg_attr_vendor_smi_code.lo seg/seg_contract.lo \ seg/seg_contract_manager.lo seg/seg_env.lo swid/swid_error.lo \ swid/swid_inventory.lo swid/swid_tag.lo swid/swid_tag_id.lo \ tcg/tcg_attr.lo tcg/pts/tcg_pts_attr_proto_caps.lo \ 
@@ -344,7 +346,8 @@ am__tty_colors = { \ DIST_SUBDIRS = . plugins/imc_test plugins/imv_test plugins/imc_scanner \ plugins/imv_scanner plugins/imc_os plugins/imv_os \ plugins/imc_attestation plugins/imv_attestation \ - plugins/imc_swid plugins/imv_swid + plugins/imc_swid plugins/imv_swid plugins/imc_hcd \ + plugins/imv_hcd DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -625,11 +628,13 @@ libimcv_la_SOURCES = \ imv/imv_session.h imv/imv_session.c \ imv/imv_session_manager.h imv/imv_session_manager.c \ imv/imv_workitem.h imv/imv_workitem.c \ + generic/generic_attr_bool.h generic/generic_attr_bool.c \ + generic/generic_attr_chunk.h generic/generic_attr_chunk.c \ + generic/generic_attr_string.h generic/generic_attr_string.c \ ietf/ietf_attr.h ietf/ietf_attr.c \ ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \ ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \ ietf/ietf_attr_fwd_enabled.h ietf/ietf_attr_fwd_enabled.c \ - ietf/ietf_attr_default_pwd_enabled.h ietf/ietf_attr_default_pwd_enabled.c \ ietf/ietf_attr_installed_packages.h ietf/ietf_attr_installed_packages.c \ ietf/ietf_attr_numeric_version.h ietf/ietf_attr_numeric_version.c \ ietf/ietf_attr_op_status.h ietf/ietf_attr_op_status.c \ @@ -644,7 +649,6 @@ libimcv_la_SOURCES = \ ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \ ita/ita_attr_settings.h ita/ita_attr_settings.c \ ita/ita_attr_angel.h ita/ita_attr_angel.c \ - ita/ita_attr_device_id.h ita/ita_attr_device_id.c \ os_info/os_info.h os_info/os_info.c \ pa_tnc/pa_tnc_attr.h \ pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \ 
@@ -673,6 +677,8 @@ libimcv_la_SOURCES = \ pts/components/ita/ita_comp_tboot.h pts/components/ita/ita_comp_tboot.c \ pts/components/ita/ita_comp_tgrub.h pts/components/ita/ita_comp_tgrub.c \ pts/components/tcg/tcg_comp_func_name.h pts/components/tcg/tcg_comp_func_name.c \ + pwg/pwg_attr.h pwg/pwg_attr.c \ + pwg/pwg_attr_vendor_smi_code.h pwg/pwg_attr_vendor_smi_code.c \ seg/seg_contract.h seg/seg_contract.c \ seg/seg_contract_manager.h seg/seg_contract_manager.c \ seg/seg_env.h seg/seg_env.c \ @@ -721,7 +727,7 @@ imv_policy_manager_LDADD = \ SUBDIRS = . $(am__append_3) $(am__append_4) $(am__append_5) \ $(am__append_6) $(am__append_7) $(am__append_8) \ $(am__append_9) $(am__append_10) $(am__append_11) \ - $(am__append_12) + $(am__append_12) $(am__append_13) $(am__append_14) imcv_tests_SOURCES = \ ita/ita_attr_command.c \ pa_tnc/pa_tnc_attr_manager.c \ @@ -842,6 +848,18 @@ imv/imv_session.lo: imv/$(am__dirstamp) imv/$(DEPDIR)/$(am__dirstamp) imv/imv_session_manager.lo: imv/$(am__dirstamp) \ imv/$(DEPDIR)/$(am__dirstamp) imv/imv_workitem.lo: imv/$(am__dirstamp) imv/$(DEPDIR)/$(am__dirstamp) +generic/$(am__dirstamp): + @$(MKDIR_P) generic + @: > generic/$(am__dirstamp) +generic/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) generic/$(DEPDIR) + @: > generic/$(DEPDIR)/$(am__dirstamp) +generic/generic_attr_bool.lo: generic/$(am__dirstamp) \ + generic/$(DEPDIR)/$(am__dirstamp) +generic/generic_attr_chunk.lo: generic/$(am__dirstamp) \ + generic/$(DEPDIR)/$(am__dirstamp) +generic/generic_attr_string.lo: generic/$(am__dirstamp) \ + generic/$(DEPDIR)/$(am__dirstamp) ietf/$(am__dirstamp): @$(MKDIR_P) ietf @: > ietf/$(am__dirstamp) 
@@ -855,8 +873,6 @@ ietf/ietf_attr_attr_request.lo: ietf/$(am__dirstamp) \ ietf/$(DEPDIR)/$(am__dirstamp) ietf/ietf_attr_fwd_enabled.lo: ietf/$(am__dirstamp) \ ietf/$(DEPDIR)/$(am__dirstamp) -ietf/ietf_attr_default_pwd_enabled.lo: ietf/$(am__dirstamp) \ - ietf/$(DEPDIR)/$(am__dirstamp) ietf/ietf_attr_installed_packages.lo: ietf/$(am__dirstamp) \ ietf/$(DEPDIR)/$(am__dirstamp) ietf/ietf_attr_numeric_version.lo: ietf/$(am__dirstamp) \ @@ -890,8 +906,6 @@ ita/ita_attr_settings.lo: ita/$(am__dirstamp) \ ita/$(DEPDIR)/$(am__dirstamp) ita/ita_attr_angel.lo: ita/$(am__dirstamp) \ ita/$(DEPDIR)/$(am__dirstamp) -ita/ita_attr_device_id.lo: ita/$(am__dirstamp) \ - ita/$(DEPDIR)/$(am__dirstamp) os_info/$(am__dirstamp): @$(MKDIR_P) os_info @: > os_info/$(am__dirstamp) @@ -974,6 +988,15 @@ pts/components/tcg/$(DEPDIR)/$(am__dirstamp): pts/components/tcg/tcg_comp_func_name.lo: \ pts/components/tcg/$(am__dirstamp) \ pts/components/tcg/$(DEPDIR)/$(am__dirstamp) +pwg/$(am__dirstamp): + @$(MKDIR_P) pwg + @: > pwg/$(am__dirstamp) +pwg/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) pwg/$(DEPDIR) + @: > pwg/$(DEPDIR)/$(am__dirstamp) +pwg/pwg_attr.lo: pwg/$(am__dirstamp) pwg/$(DEPDIR)/$(am__dirstamp) +pwg/pwg_attr_vendor_smi_code.lo: pwg/$(am__dirstamp) \ + pwg/$(DEPDIR)/$(am__dirstamp) seg/$(am__dirstamp): @$(MKDIR_P) seg @: > seg/$(am__dirstamp) @@ -1201,6 +1224,8 @@ uninstall-ipsecSCRIPTS: mostlyclean-compile: -rm -f *.$(OBJEXT) + -rm -f generic/*.$(OBJEXT) + -rm -f generic/*.lo -rm -f ietf/*.$(OBJEXT) -rm -f ietf/*.lo -rm -f imc/*.$(OBJEXT) @@ -1221,6 +1246,8 @@ mostlyclean-compile: -rm -f pts/components/ita/*.lo -rm -f pts/components/tcg/*.$(OBJEXT) -rm -f pts/components/tcg/*.lo + -rm -f pwg/*.$(OBJEXT) + -rm -f pwg/*.lo -rm -f seg/*.$(OBJEXT) -rm -f seg/*.lo -rm -f suites/*.$(OBJEXT) 
@@ -1241,10 +1268,12 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imcv.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imcv_tests-imcv.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imcv_tests-imcv_tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@generic/$(DEPDIR)/generic_attr_bool.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@generic/$(DEPDIR)/generic_attr_chunk.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@generic/$(DEPDIR)/generic_attr_string.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ietf/$(DEPDIR)/ietf_attr.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ietf/$(DEPDIR)/ietf_attr_assess_result.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ietf/$(DEPDIR)/ietf_attr_attr_request.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ietf/$(DEPDIR)/ietf_attr_default_pwd_enabled.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ietf/$(DEPDIR)/ietf_attr_fwd_enabled.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ietf/$(DEPDIR)/ietf_attr_installed_packages.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ietf/$(DEPDIR)/ietf_attr_numeric_version.Plo@am__quote@ @@ -1274,7 +1303,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@ita/$(DEPDIR)/ita_attr.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ita/$(DEPDIR)/ita_attr_angel.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ita/$(DEPDIR)/ita_attr_command.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ita/$(DEPDIR)/ita_attr_device_id.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ita/$(DEPDIR)/ita_attr_dummy.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ita/$(DEPDIR)/ita_attr_get_settings.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ita/$(DEPDIR)/ita_attr_settings.Plo@am__quote@ 
@@ -1302,6 +1330,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@pts/components/ita/$(DEPDIR)/ita_comp_tboot.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@pts/components/ita/$(DEPDIR)/ita_comp_tgrub.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@pts/components/tcg/$(DEPDIR)/tcg_comp_func_name.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@pwg/$(DEPDIR)/pwg_attr.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@pwg/$(DEPDIR)/pwg_attr_vendor_smi_code.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@seg/$(DEPDIR)/imcv_tests-seg_contract.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@seg/$(DEPDIR)/imcv_tests-seg_contract_manager.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@seg/$(DEPDIR)/imcv_tests-seg_env.Po@am__quote@ @@ -1508,6 +1538,7 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs + -rm -rf generic/.libs generic/_libs -rm -rf ietf/.libs ietf/_libs -rm -rf imc/.libs imc/_libs -rm -rf imv/.libs imv/_libs @@ -1518,6 +1549,7 @@ clean-libtool: -rm -rf pts/components/.libs pts/components/_libs -rm -rf pts/components/ita/.libs pts/components/ita/_libs -rm -rf pts/components/tcg/.libs pts/components/tcg/_libs + -rm -rf pwg/.libs pwg/_libs -rm -rf seg/.libs seg/_libs -rm -rf swid/.libs swid/_libs -rm -rf tcg/.libs tcg/_libs @@ -1829,6 +1861,8 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f generic/$(DEPDIR)/$(am__dirstamp) + -rm -f generic/$(am__dirstamp) -rm -f ietf/$(DEPDIR)/$(am__dirstamp) -rm -f ietf/$(am__dirstamp) -rm -f imc/$(DEPDIR)/$(am__dirstamp) 
@@ -1849,6 +1883,8 @@ distclean-generic: -rm -f pts/components/ita/$(am__dirstamp) -rm -f pts/components/tcg/$(DEPDIR)/$(am__dirstamp) -rm -f pts/components/tcg/$(am__dirstamp) + -rm -f pwg/$(DEPDIR)/$(am__dirstamp) + -rm -f pwg/$(am__dirstamp) -rm -f seg/$(DEPDIR)/$(am__dirstamp) -rm -f seg/$(am__dirstamp) -rm -f suites/$(DEPDIR)/$(am__dirstamp) @@ -1873,7 +1909,7 @@ clean-am: clean-checkPROGRAMS clean-generic clean-ipsecPROGRAMS \ clean-ipseclibLTLIBRARIES clean-libtool mostlyclean-am distclean: distclean-recursive - -rm -rf ./$(DEPDIR) ietf/$(DEPDIR) imc/$(DEPDIR) imv/$(DEPDIR) ita/$(DEPDIR) os_info/$(DEPDIR) pa_tnc/$(DEPDIR) pts/$(DEPDIR) pts/components/$(DEPDIR) pts/components/ita/$(DEPDIR) pts/components/tcg/$(DEPDIR) seg/$(DEPDIR) suites/$(DEPDIR) swid/$(DEPDIR) tcg/$(DEPDIR) tcg/pts/$(DEPDIR) tcg/seg/$(DEPDIR) tcg/swid/$(DEPDIR) + -rm -rf ./$(DEPDIR) generic/$(DEPDIR) ietf/$(DEPDIR) imc/$(DEPDIR) imv/$(DEPDIR) ita/$(DEPDIR) os_info/$(DEPDIR) pa_tnc/$(DEPDIR) pts/$(DEPDIR) pts/components/$(DEPDIR) pts/components/ita/$(DEPDIR) pts/components/tcg/$(DEPDIR) pwg/$(DEPDIR) seg/$(DEPDIR) suites/$(DEPDIR) swid/$(DEPDIR) tcg/$(DEPDIR) tcg/pts/$(DEPDIR) tcg/seg/$(DEPDIR) tcg/swid/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags 
@@ -1920,7 +1956,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive - -rm -rf ./$(DEPDIR) ietf/$(DEPDIR) imc/$(DEPDIR) imv/$(DEPDIR) ita/$(DEPDIR) os_info/$(DEPDIR) pa_tnc/$(DEPDIR) pts/$(DEPDIR) pts/components/$(DEPDIR) pts/components/ita/$(DEPDIR) pts/components/tcg/$(DEPDIR) seg/$(DEPDIR) suites/$(DEPDIR) swid/$(DEPDIR) tcg/$(DEPDIR) tcg/pts/$(DEPDIR) tcg/seg/$(DEPDIR) tcg/swid/$(DEPDIR) + -rm -rf ./$(DEPDIR) generic/$(DEPDIR) ietf/$(DEPDIR) imc/$(DEPDIR) imv/$(DEPDIR) ita/$(DEPDIR) os_info/$(DEPDIR) pa_tnc/$(DEPDIR) pts/$(DEPDIR) pts/components/$(DEPDIR) pts/components/ita/$(DEPDIR) pts/components/tcg/$(DEPDIR) pwg/$(DEPDIR) seg/$(DEPDIR) suites/$(DEPDIR) swid/$(DEPDIR) tcg/$(DEPDIR) tcg/pts/$(DEPDIR) tcg/seg/$(DEPDIR) tcg/swid/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic diff --git a/src/libimcv/generic/generic_attr_bool.c b/src/libimcv/generic/generic_attr_bool.c new file mode 100644 index 000000000..3f570d9f8 --- /dev/null +++ b/src/libimcv/generic/generic_attr_bool.c 
@@ -0,0 +1,248 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "generic_attr_bool.h" + +#include +#include +#include +#include +#include + +typedef struct private_generic_attr_bool_t private_generic_attr_bool_t; + +/** + * Generic PA-TNC attribute containing boolean status value in 32 bit encoding + * + * 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Boolean Value | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define ATTR_BOOL_SIZE 4 + +/** + * Private data of an generic_attr_bool_t object. 
+ */ +struct private_generic_attr_bool_t { + + /** + * Public members of generic_attr_bool_t + */ + generic_attr_bool_t public; + + /** + * Vendor-specific attribute type + */ + pen_type_t type; + + /** + * Length of attribute value + */ + size_t length; + + /** + * Attribute value or segment + */ + chunk_t value; + + /** + * Noskip flag + */ + bool noskip_flag; + + /** + * Boolean status value + */ + bool status; + + /** + * Reference count + */ + refcount_t ref; +}; + +METHOD(pa_tnc_attr_t, get_type, pen_type_t, + private_generic_attr_bool_t *this) +{ + return this->type; +} + +METHOD(pa_tnc_attr_t, get_value, chunk_t, + private_generic_attr_bool_t *this) +{ + return this->value; +} + +METHOD(pa_tnc_attr_t, get_noskip_flag, bool, + private_generic_attr_bool_t *this) +{ + return this->noskip_flag; +} + +METHOD(pa_tnc_attr_t, set_noskip_flag,void, + private_generic_attr_bool_t *this, bool noskip) +{ + this->noskip_flag = noskip; +} + +METHOD(pa_tnc_attr_t, build, void, + private_generic_attr_bool_t *this) +{ + bio_writer_t *writer; + + if (this->value.ptr) + { + return; + } + writer = bio_writer_create(ATTR_BOOL_SIZE); + writer->write_uint32(writer, this->status); + + this->value = writer->extract_buf(writer); + this->length = this->value.len; + writer->destroy(writer); +} + +METHOD(pa_tnc_attr_t, process, status_t, + private_generic_attr_bool_t *this, u_int32_t *offset) +{ + enum_name_t *pa_attr_names; + bio_reader_t *reader; + u_int32_t status; + + *offset = 0; + + if (this->value.len < this->length) + { + return NEED_MORE; + } + pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes, + this->type.vendor_id); + + if (this->value.len != ATTR_BOOL_SIZE) + { + DBG1(DBG_TNC, "incorrect attribute size for %N/%N", + pen_names, this->type.vendor_id, pa_attr_names, this->type.type); + return FAILED; + } + reader = bio_reader_create(this->value); + reader->read_uint32(reader, &status); + reader->destroy(reader); + + if (status > 1) + { + DBG1(DBG_TNC, 
"%N/%N attribute contains invalid non-boolean value %u", + pen_names, this->type.vendor_id, pa_attr_names, this->type.type, + status); + return FAILED; + } + this->status = status; + + return SUCCESS; +} + +METHOD(pa_tnc_attr_t, add_segment, void, + private_generic_attr_bool_t *this, chunk_t segment) +{ + this->value = chunk_cat("mc", this->value, segment); +} + +METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*, + private_generic_attr_bool_t *this) +{ + ref_get(&this->ref); + return &this->public.pa_tnc_attribute; +} + +METHOD(pa_tnc_attr_t, destroy, void, + private_generic_attr_bool_t *this) +{ + if (ref_put(&this->ref)) + { + free(this->value.ptr); + free(this); + } +} + +METHOD(generic_attr_bool_t, get_status, bool, + private_generic_attr_bool_t *this) +{ + return this->status; +} + +/** + * Described in header. + */ +pa_tnc_attr_t *generic_attr_bool_create(bool status, pen_type_t type) +{ + private_generic_attr_bool_t *this; + + INIT(this, + .public = { + .pa_tnc_attribute = { + .get_type = _get_type, + .get_value = _get_value, + .get_noskip_flag = _get_noskip_flag, + .set_noskip_flag = _set_noskip_flag, + .build = _build, + .process = _process, + .add_segment = _add_segment, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_status = _get_status, + }, + .type = type, + .status = status, + .ref = 1, + ); + + return &this->public.pa_tnc_attribute; +} + +/** + * Described in header. 
+ */ +pa_tnc_attr_t *generic_attr_bool_create_from_data(size_t length, chunk_t data, + pen_type_t type) +{ + private_generic_attr_bool_t *this; + + INIT(this, + .public = { + .pa_tnc_attribute = { + .get_type = _get_type, + .get_value = _get_value, + .get_noskip_flag = _get_noskip_flag, + .set_noskip_flag = _set_noskip_flag, + .build = _build, + .process = _process, + .add_segment = _add_segment, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_status = _get_status, + }, + .type = type, + .length = length, + .value = chunk_clone(data), + .ref = 1, + ); + + return &this->public.pa_tnc_attribute; +} + diff --git a/src/libimcv/generic/generic_attr_bool.h b/src/libimcv/generic/generic_attr_bool.h new file mode 100644 index 000000000..93754bf9d --- /dev/null +++ b/src/libimcv/generic/generic_attr_bool.h 
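Review bot: `process()` validates the attribute size only after reassembly (`this->value.len != ATTR_BOOL_SIZE`), while the NEED_MORE test ahead of it trusts the peer-declared `length` passed to `generic_attr_bool_create_from_data`; a peer announcing a large length therefore has its segments accumulated through `add_segment()` before the 4-byte check finally rejects the attribute. Checking the declared length first fails fast: insert `if (this->length != ATTR_BOOL_SIZE) { DBG1(DBG_TNC, "incorrect attribute size for %N/%N", ...); return FAILED; }` before the NEED_MORE return and keep the existing `value.len` check for the reassembled buffer. The segmentation contract layer may already cap this — I cannot see it from here — but the attribute should not depend on it. The `status > 1` rejection is a good strict decode and deserves a comment: `/* only 0 and 1 are valid encodings; anything else is a malformed attribute */`.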
@@ -0,0 +1,67 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup generic_attr_bool generic_attr_bool + * @{ @ingroup generic_attr + */ + +#ifndef GENERIC_ATTR_BOOL_H_ +#define GENERIC_ATTR_BOOL_H_ + +typedef struct generic_attr_bool_t generic_attr_bool_t; + +#include +#include "pa_tnc/pa_tnc_attr.h" + +/** + * Class implementing a generic PA-TNC attribute containing a boolean status + * value encoded as a 32 bit unsigned integer (0,1) in network order + */ +struct generic_attr_bool_t { + + /** + * Public PA-TNC attribute interface + */ + pa_tnc_attr_t pa_tnc_attribute; + + /** + * Gets boolean value + * + * @return Boolean status value + */ + bool (*get_status)(generic_attr_bool_t *this); + +}; + +/** + * Creates a generic_attr_bool_t object + * + * @param status Boolean status value + * @param type Vendor ID / Attribute Type + */ +pa_tnc_attr_t* generic_attr_bool_create(bool status, pen_type_t type); + +/** + * Creates an generic_attr_bool_t object from received data + * + * @param length Total length of attribute value + * @param value Unparsed attribute value (might be a segment) + * @param type Vendor ID / Attribute Type + */ +pa_tnc_attr_t* generic_attr_bool_create_from_data(size_t length, chunk_t value, + pen_type_t type); + +#endif /** GENERIC_ATTR_BOOL_H_ @}*/ 
diff --git a/src/libimcv/generic/generic_attr_chunk.c b/src/libimcv/generic/generic_attr_chunk.c new file mode 100644 index 000000000..98a539987 --- /dev/null +++ b/src/libimcv/generic/generic_attr_chunk.c 
@@ -0,0 +1,182 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "generic_attr_chunk.h" + +#include +#include +#include + +typedef struct private_generic_attr_chunk_t private_generic_attr_chunk_t; + +/** + * Private data of an generic_attr_chunk_t object. + */ +struct private_generic_attr_chunk_t { + + /** + * Public members of generic_attr_chunk_t + */ + generic_attr_chunk_t public; + + /** + * Vendor-specific attribute type + */ + pen_type_t type; + + /** + * Length of attribute value + */ + size_t length; + + /** + * Fixed size of attribute value, set to 0 if dynamic + */ + size_t size; + + /** + * Attribute value or segment + */ + chunk_t value; + + /** + * Noskip flag + */ + bool noskip_flag; + + /** + * Reference count + */ + refcount_t ref; +}; + +METHOD(pa_tnc_attr_t, get_type, pen_type_t, + private_generic_attr_chunk_t *this) +{ + return this->type; +} + +METHOD(pa_tnc_attr_t, get_value, chunk_t, + private_generic_attr_chunk_t *this) +{ + return this->value; +} + +METHOD(pa_tnc_attr_t, get_noskip_flag, bool, + private_generic_attr_chunk_t *this) +{ + return this->noskip_flag; +} + +METHOD(pa_tnc_attr_t, set_noskip_flag,void, + private_generic_attr_chunk_t *this, bool noskip) +{ + this->noskip_flag = noskip; +} + +METHOD(pa_tnc_attr_t, build, void, + private_generic_attr_chunk_t *this) +{ + return; +} + +METHOD(pa_tnc_attr_t, process, status_t, + private_generic_attr_chunk_t *this, u_int32_t 
*offset) +{ + enum_name_t *pa_attr_names; + *offset = 0; + + if (this->value.len < this->length) + { + return NEED_MORE; + } + pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes, + this->type.vendor_id); + + if ((this->size == 0 && this->value.len > this->length) || + (this->size != 0 && this->value.len != this->size)) + { + DBG1(DBG_TNC, "inconsistent length of %N/%N string attribute", + pen_names, this->type.vendor_id, pa_attr_names, this->type.type); + return FAILED; + } + + return SUCCESS; +} + +METHOD(pa_tnc_attr_t, add_segment, void, + private_generic_attr_chunk_t *this, chunk_t segment) +{ + this->value = chunk_cat("mc", this->value, segment); +} + +METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*, + private_generic_attr_chunk_t *this) +{ + ref_get(&this->ref); + return &this->public.pa_tnc_attribute; +} + +METHOD(pa_tnc_attr_t, destroy, void, + private_generic_attr_chunk_t *this) +{ + if (ref_put(&this->ref)) + { + free(this->value.ptr); + free(this); + } +} + +/** + * Described in header. + */ +pa_tnc_attr_t *generic_attr_chunk_create_from_data(size_t length, chunk_t value, + size_t size, pen_type_t type) +{ + private_generic_attr_chunk_t *this; + + INIT(this, + .public = { + .pa_tnc_attribute = { + .get_type = _get_type, + .get_value = _get_value, + .get_noskip_flag = _get_noskip_flag, + .set_noskip_flag = _set_noskip_flag, + .build = _build, + .process = _process, + .add_segment = _add_segment, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .type = type, + .length = length, + .size = size, + .value = chunk_clone(value), + .ref = 1, + ); + + return &this->public.pa_tnc_attribute; +} + +/** + * Described in header. + */ +pa_tnc_attr_t *generic_attr_chunk_create(chunk_t value, pen_type_t type) +{ + return generic_attr_chunk_create_from_data(value.len, value, + value.len, type); +} + diff --git a/src/libimcv/generic/generic_attr_chunk.h b/src/libimcv/generic/generic_attr_chunk.h new file mode 100644 index 000000000..a9b3a62de 
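Review bot: The same ordering issue as in the bool attribute applies to the fixed-size case here: `process()` waits for `value.len >= length` before comparing against `size`, so a declared `length` larger than `size` is accumulated via `add_segment()` and only then rejected; a guard `if (this->size != 0 && this->length != this->size) { ...; return FAILED; }` ahead of the NEED_MORE return rejects it before any segment is buffered. The DBG1 text `"inconsistent length of %N/%N string attribute"` was copied from the string attribute — this is the chunk attribute, so use `"chunk attribute"` to keep the log searchable. `build()` being a no-op is correct because every constructor supplies the value, but that is not obvious to a reader; a one-line comment `/* value is always provided by the constructor, nothing to encode */` would make it so.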
--- /dev/null +++ b/src/libimcv/generic/generic_attr_chunk.h @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup generic_attr_chunk generic_attr_chunk + * @{ @ingroup generic_attr + */ + +#ifndef GENERIC_ATTR_CHUNK_H_ +#define GENERIC_ATTR_CHUNK_H_ + +typedef struct generic_attr_chunk_t generic_attr_chunk_t; + +#include +#include "pa_tnc/pa_tnc_attr.h" + +/** + * Class implementing a generic PA-TNC attribute containing a possibly + * binary string with either a fixed or variable size + */ +struct generic_attr_chunk_t { + + /** + * Public PA-TNC attribute interface + */ + pa_tnc_attr_t pa_tnc_attribute; +}; + +/** + * Creates a generic_attr_chunk_t object + * + * @param string Non-nul terminated string + * @param type Vendor ID / Attribute Type + */ +pa_tnc_attr_t* generic_attr_chunk_create(chunk_t string, pen_type_t type); + +/** + * Creates an generic_attr_chunk_t object from received data + * + * @param length Total length of attribute value + * @param value Unparsed attribute value (might be a segment) + * @param size size in bytes if fixed array or 0 if dynamic size + * @param type Vendor ID / Attribute Type + */ +pa_tnc_attr_t* generic_attr_chunk_create_from_data(size_t length, chunk_t value, + size_t size, pen_type_t type); + +#endif /** GENERIC_ATTR_CHUNK_H_ @}*/ 
diff --git a/src/libimcv/generic/generic_attr_string.c b/src/libimcv/generic/generic_attr_string.c new file mode 100644 index 000000000..e63c0126a --- /dev/null +++ b/src/libimcv/generic/generic_attr_string.c 
@@ -0,0 +1,183 @@ +/* + * Copyright (C) 2013-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "generic_attr_string.h" + +#include +#include +#include + +typedef struct private_generic_attr_string_t private_generic_attr_string_t; + +/** + * Private data of an generic_attr_string_t object. + */ +struct private_generic_attr_string_t { + + /** + * Public members of generic_attr_string_t + */ + generic_attr_string_t public; + + /** + * Vendor-specific attribute type + */ + pen_type_t type; + + /** + * Length of attribute value + */ + size_t length; + + /** + * Attribute value or segment + */ + chunk_t value; + + /** + * Noskip flag + */ + bool noskip_flag; + + /** + * Reference count + */ + refcount_t ref; +}; + +METHOD(pa_tnc_attr_t, get_type, pen_type_t, + private_generic_attr_string_t *this) +{ + return this->type; +} + +METHOD(pa_tnc_attr_t, get_value, chunk_t, + private_generic_attr_string_t *this) +{ + return this->value; +} + +METHOD(pa_tnc_attr_t, get_noskip_flag, bool, + private_generic_attr_string_t *this) +{ + return this->noskip_flag; +} + +METHOD(pa_tnc_attr_t, set_noskip_flag,void, + private_generic_attr_string_t *this, bool noskip) +{ + this->noskip_flag = noskip; +} + +METHOD(pa_tnc_attr_t, build, void, + private_generic_attr_string_t *this) +{ + return; +} + +METHOD(pa_tnc_attr_t, process, status_t, + private_generic_attr_string_t *this, u_int32_t *offset) +{ + enum_name_t *pa_attr_names; + u_char *pos; + *offset 
= 0; + + if (this->value.len < this->length) + { + return NEED_MORE; + } + pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes, + this->type.vendor_id); + if (this->value.len > this->length) + { + DBG1(DBG_TNC, "inconsistent length of %N/%N string attribute", + pen_names, this->type.vendor_id, pa_attr_names, this->type.type); + return FAILED; + } + + pos = memchr(this->value.ptr, '\0', this->value.len); + if (pos) + { + DBG1(DBG_TNC, "nul termination in %N/%N string attribute", + pen_names, this->type.vendor_id, pa_attr_names, this->type.type); + *offset = pos - this->value.ptr; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pa_tnc_attr_t, add_segment, void, + private_generic_attr_string_t *this, chunk_t segment) +{ + this->value = chunk_cat("mc", this->value, segment); +} + +METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*, + private_generic_attr_string_t *this) +{ + ref_get(&this->ref); + return &this->public.pa_tnc_attribute; +} + +METHOD(pa_tnc_attr_t, destroy, void, + private_generic_attr_string_t *this) +{ + if (ref_put(&this->ref)) + { + free(this->value.ptr); + free(this); + } +} + +/** + * Described in header. + */ +pa_tnc_attr_t *generic_attr_string_create_from_data(size_t length, + chunk_t value, pen_type_t type) +{ + private_generic_attr_string_t *this; + + INIT(this, + .public = { + .pa_tnc_attribute = { + .get_type = _get_type, + .get_value = _get_value, + .get_noskip_flag = _get_noskip_flag, + .set_noskip_flag = _set_noskip_flag, + .build = _build, + .process = _process, + .add_segment = _add_segment, + .get_ref = _get_ref, + .destroy = _destroy, + }, + }, + .type = type, + .length = length, + .value = chunk_clone(value), + .ref = 1, + ); + + return &this->public.pa_tnc_attribute; +} + +/** + * Described in header. + */ +pa_tnc_attr_t *generic_attr_string_create(chunk_t value, pen_type_t type) +{ + return generic_attr_string_create_from_data(value.len, value, type); +} + 
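Review bot: process() only rejects an embedded NUL byte, so the "non-nul terminated printable string" promise made in generic_attr_string.h is not actually enforced — control characters and non-UTF-8 bytes pass through to whatever later logs or displays the value. Either validate printability here before returning SUCCESS, or reword the header's class comment to "non-nul terminated string" so consumers do not assume more than the parser guarantees. Separately, `pa_attr_names` comes from imcv_pa_tnc_attributes->get_names() for the attribute's vendor ID and may be NULL for a vendor without registered names; whether the %N printf hook used in the two DBG1 calls tolerates a NULL enum_name_t is not visible here and should be confirmed, since generic_attr_string_create() accepts an arbitrary type from the caller.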
diff --git a/src/libimcv/generic/generic_attr_string.h b/src/libimcv/generic/generic_attr_string.h new file mode 100644 index 000000000..d830ab4aa --- /dev/null +++ b/src/libimcv/generic/generic_attr_string.h @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup generic_attr_string generic_attr_string + * @{ @ingroup generic_attr + */ + +#ifndef GENERIC_ATTR_STRING_H_ +#define GENERIC_ATTR_STRING_H_ + +typedef struct generic_attr_string_t generic_attr_string_t; + +#include +#include "pa_tnc/pa_tnc_attr.h" + +/** + * Class implementing a generic PA-TNC attribute containing a non-nul + * terminated printable string + */ +struct generic_attr_string_t { + + /** + * Public PA-TNC attribute interface + */ + pa_tnc_attr_t pa_tnc_attribute; +}; + +/** + * Creates a generic_attr_string_t object + * + * @param string Non-nul terminated string + * @param type Vendor ID / Attribute Type + */ +pa_tnc_attr_t* generic_attr_string_create(chunk_t string, pen_type_t type); + +/** + * Creates an generic_attr_string_t object from received data + * + * @param length Total length of attribute value + * @param value Unparsed attribute value (might be a segment) + * @param type Vendor ID / Attribute Type + */ +pa_tnc_attr_t* generic_attr_string_create_from_data(size_t length, + chunk_t value, pen_type_t type); + +#endif /** GENERIC_ATTR_STRING_H_ @}*/ 
diff --git a/src/libimcv/ietf/ietf_attr.c b/src/libimcv/ietf/ietf_attr.c index 67269af53..38b777fce 100644 --- a/src/libimcv/ietf/ietf_attr.c +++ b/src/libimcv/ietf/ietf_attr.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -17,7 +17,6 @@ #include "ietf/ietf_attr_assess_result.h" #include "ietf/ietf_attr_attr_request.h" #include "ietf/ietf_attr_fwd_enabled.h" -#include "ietf/ietf_attr_default_pwd_enabled.h" #include "ietf/ietf_attr_installed_packages.h" #include "ietf/ietf_attr_numeric_version.h" #include "ietf/ietf_attr_op_status.h" @@ -26,6 +25,7 @@ #include "ietf/ietf_attr_product_info.h" #include "ietf/ietf_attr_remediation_instr.h" #include "ietf/ietf_attr_string_version.h" +#include "generic/generic_attr_bool.h" ENUM(ietf_attr_names, IETF_ATTR_TESTING, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED, @@ -63,7 +63,8 @@ pa_tnc_attr_t* ietf_attr_create_from_data(u_int32_t type, size_t length, case IETF_ATTR_OPERATIONAL_STATUS: return ietf_attr_op_status_create_from_data(length, value); case IETF_ATTR_PORT_FILTER: - return ietf_attr_port_filter_create_from_data(length, value); + return ietf_attr_port_filter_create_from_data(length, value, + pen_type_create(PEN_IETF, type)); case IETF_ATTR_INSTALLED_PACKAGES: return ietf_attr_installed_packages_create_from_data(length, value); case IETF_ATTR_PA_TNC_ERROR: 
@@ -73,9 +74,11 @@ pa_tnc_attr_t* ietf_attr_create_from_data(u_int32_t type, size_t length,
 case IETF_ATTR_REMEDIATION_INSTRUCTIONS:
 return ietf_attr_remediation_instr_create_from_data(length, value);
 case IETF_ATTR_FORWARDING_ENABLED:
- return ietf_attr_fwd_enabled_create_from_data(length, value);
+ return ietf_attr_fwd_enabled_create_from_data(length, value,
+ pen_type_create(PEN_IETF, type));
 case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED:
- return ietf_attr_default_pwd_enabled_create_from_data(length, value);
+ return generic_attr_bool_create_from_data(length, value,
+ pen_type_create(PEN_IETF, type));
 case IETF_ATTR_TESTING:
 case IETF_ATTR_RESERVED:
 default:
diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
deleted file mode 100644
index ee5864d29..000000000
--- a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
+++ /dev/null
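Review bot: Routing IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED through generic_attr_bool_create_from_data() replaces the attribute-specific parser that, as the deleted ietf_attr_default_pwd_enabled.c below shows, enforced a 4-byte value and rejected any status other than 0 or 1 with a DBG1 message before accepting the field. generic_attr_bool's process() is not part of this diff, so whether both checks survive the move cannot be confirmed from here; if they do not, a peer can send an out-of-range value that is silently coerced to TRUE/FALSE. Worth a one-line note at this case, e.g. `/* size and 0/1 range are validated by generic_attr_bool process() */`, once that has been verified.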
@@ -1,242 +0,0 @@ -/* - * Copyright (C) 2012-2014 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "ietf_attr_default_pwd_enabled.h" - -#include -#include -#include -#include - -typedef struct private_ietf_attr_default_pwd_enabled_t private_ietf_attr_default_pwd_enabled_t; - -/** - * PA-TNC Factory Default Password Enabled type (see section 4.2.12 of RFC 5792) - * - * 1 2 3 - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * | Factory Default Password Enabled | - * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - */ - -#define DEFAULT_PWD_ENABLED_SIZE 4 - -/** - * Private data of an ietf_attr_default_pwd_enabled_t object. 
- */ -struct private_ietf_attr_default_pwd_enabled_t { - - /** - * Public members of ietf_attr_default_pwd_enabled_t - */ - ietf_attr_default_pwd_enabled_t public; - - /** - * Vendor-specific attribute type - */ - pen_type_t type; - - /** - * Length of attribute value - */ - size_t length; - - /** - * Attribute value or segment - */ - chunk_t value; - - /** - * Noskip flag - */ - bool noskip_flag; - - /** - * Factory Default Password Enabled status - */ - bool status; - - /** - * Reference count - */ - refcount_t ref; -}; - -METHOD(pa_tnc_attr_t, get_type, pen_type_t, - private_ietf_attr_default_pwd_enabled_t *this) -{ - return this->type; -} - -METHOD(pa_tnc_attr_t, get_value, chunk_t, - private_ietf_attr_default_pwd_enabled_t *this) -{ - return this->value; -} - -METHOD(pa_tnc_attr_t, get_noskip_flag, bool, - private_ietf_attr_default_pwd_enabled_t *this) -{ - return this->noskip_flag; -} - -METHOD(pa_tnc_attr_t, set_noskip_flag,void, - private_ietf_attr_default_pwd_enabled_t *this, bool noskip) -{ - this->noskip_flag = noskip; -} - -METHOD(pa_tnc_attr_t, build, void, - private_ietf_attr_default_pwd_enabled_t *this) -{ - bio_writer_t *writer; - - if (this->value.ptr) - { - return; - } - writer = bio_writer_create(DEFAULT_PWD_ENABLED_SIZE); - writer->write_uint32(writer, this->status); - - this->value = writer->extract_buf(writer); - this->length = this->value.len; - writer->destroy(writer); -} - -METHOD(pa_tnc_attr_t, process, status_t, - private_ietf_attr_default_pwd_enabled_t *this, u_int32_t *offset) -{ - bio_reader_t *reader; - u_int32_t status; - - *offset = 0; - - if (this->value.len < this->length) - { - return NEED_MORE; - } - if (this->value.len != DEFAULT_PWD_ENABLED_SIZE) - { - DBG1(DBG_TNC, "incorrect size for IETF factory default password " - "enabled attribute"); - return FAILED; - } - reader = bio_reader_create(this->value); - reader->read_uint32(reader, &status); - reader->destroy(reader); - - if (status > TRUE) - { - DBG1(DBG_TNC, "IETF factory 
default password enabled field " - "has unknown value %u", status); - return FAILED; - } - this->status = status; - - return SUCCESS; -} - -METHOD(pa_tnc_attr_t, add_segment, void, - private_ietf_attr_default_pwd_enabled_t *this, chunk_t segment) -{ - this->value = chunk_cat("mc", this->value, segment); -} - -METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*, - private_ietf_attr_default_pwd_enabled_t *this) -{ - ref_get(&this->ref); - return &this->public.pa_tnc_attribute; -} - -METHOD(pa_tnc_attr_t, destroy, void, - private_ietf_attr_default_pwd_enabled_t *this) -{ - if (ref_put(&this->ref)) - { - free(this->value.ptr); - free(this); - } -} - -METHOD(ietf_attr_default_pwd_enabled_t, get_status, bool, - private_ietf_attr_default_pwd_enabled_t *this) -{ - return this->status; -} - -/** - * Described in header. - */ -pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create(bool status) -{ - private_ietf_attr_default_pwd_enabled_t *this; - - INIT(this, - .public = { - .pa_tnc_attribute = { - .get_type = _get_type, - .get_value = _get_value, - .get_noskip_flag = _get_noskip_flag, - .set_noskip_flag = _set_noskip_flag, - .build = _build, - .process = _process, - .add_segment = _add_segment, - .get_ref = _get_ref, - .destroy = _destroy, - }, - .get_status = _get_status, - }, - .type = { PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED }, - .status = status, - .ref = 1, - ); - - return &this->public.pa_tnc_attribute; -} - -/** - * Described in header. 
- */ -pa_tnc_attr_t *ietf_attr_default_pwd_enabled_create_from_data(size_t length, - chunk_t data) -{ - private_ietf_attr_default_pwd_enabled_t *this; - - INIT(this, - .public = { - .pa_tnc_attribute = { - .get_type = _get_type, - .get_value = _get_value, - .get_noskip_flag = _get_noskip_flag, - .set_noskip_flag = _set_noskip_flag, - .build = _build, - .process = _process, - .add_segment = _add_segment, - .get_ref = _get_ref, - .destroy = _destroy, - }, - .get_status = _get_status, - }, - .type = { PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED }, - .length = length, - .value = chunk_clone(data), - .ref = 1, - ); - - return &this->public.pa_tnc_attribute; -} - diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h deleted file mode 100644 index 3999590d4..000000000 --- a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h +++ /dev/null 
@@ -1,65 +0,0 @@ -/* - * Copyright (C) 2012 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup ietf_attr_default_pwd_enabled ietf_attr_default_pwd_enabled - * @{ @ingroup ietf_attr - */ - -#ifndef IETF_ATTR_PWD_ENABLED_H_ -#define IETF_ATTR_PWD_ENABLED_H_ - -typedef struct ietf_attr_default_pwd_enabled_t ietf_attr_default_pwd_enabled_t; - -#include "ietf_attr.h" -#include "pa_tnc/pa_tnc_attr.h" - -/** - * Class implementing the IETF PA-TNC Factory Default Password Enabled attribute. - * - */ -struct ietf_attr_default_pwd_enabled_t { - - /** - * Public PA-TNC attribute interface - */ - pa_tnc_attr_t pa_tnc_attribute; - - /** - * Gets the Factory Default Password Enabled status - * - * @return Factory Default Password Enabled status - */ - bool (*get_status)(ietf_attr_default_pwd_enabled_t *this); - -}; - -/** - * Creates an ietf_attr_default_pwd_enabled_t object - * - * @param status Factory Default Password Enabled status - */ -pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create(bool status); - -/** - * Creates an ietf_attr_default_pwd_enabled_t object from received data - * - * @param length Total length of attribute value - * @param value Unparsed attribute value (might be a segment) - */ -pa_tnc_attr_t* ietf_attr_default_pwd_enabled_create_from_data(size_t length, - chunk_t value); - -#endif /** IETF_ATTR_PWD_ENABLED_H_ @}*/ 
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.c b/src/libimcv/ietf/ietf_attr_fwd_enabled.c index c00a5efc2..876a740c0 100644 --- a/src/libimcv/ietf/ietf_attr_fwd_enabled.c +++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -180,7 +180,8 @@ METHOD(ietf_attr_fwd_enabled_t, get_status, os_fwd_status_t, /** * Described in header. */ -pa_tnc_attr_t *ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status) +pa_tnc_attr_t *ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status, + pen_type_t type) { private_ietf_attr_fwd_enabled_t *this; @@ -199,7 +200,7 @@ pa_tnc_attr_t *ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status) }, .get_status = _get_status, }, - .type = { PEN_IETF, IETF_ATTR_FORWARDING_ENABLED }, + .type = type, .fwd_status = fwd_status, .ref = 1, ); @@ -211,7 +212,7 @@ pa_tnc_attr_t *ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status) * Described in header. */ pa_tnc_attr_t *ietf_attr_fwd_enabled_create_from_data(size_t length, - chunk_t data) + chunk_t data, pen_type_t type) { private_ietf_attr_fwd_enabled_t *this; @@ -230,7 +231,7 @@ pa_tnc_attr_t *ietf_attr_fwd_enabled_create_from_data(size_t length, }, .get_status = _get_status, }, - .type = { PEN_IETF, IETF_ATTR_FORWARDING_ENABLED }, + .type = type, .length = length, .value = chunk_clone(data), .ref = 1, diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.h b/src/libimcv/ietf/ietf_attr_fwd_enabled.h index 3d554369b..39abb0a03 100644 --- a/src/libimcv/ietf/ietf_attr_fwd_enabled.h +++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -51,16 +51,19 @@ struct ietf_attr_fwd_enabled_t { * Creates an ietf_attr_fwd_enabled_t object * * @param fwd_status Forwarding Enabled status + * @param type Vendor ID / Attribute Type */ -pa_tnc_attr_t* ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status); +pa_tnc_attr_t* ietf_attr_fwd_enabled_create(os_fwd_status_t fwd_status, + pen_type_t type); /** * Creates an ietf_attr_fwd_enabled_t object from received data * * @param length Total length of attribute value * @param value Unparsed attribute value (might be a segment) + * @param type Vendor ID / Attribute Type */ pa_tnc_attr_t* ietf_attr_fwd_enabled_create_from_data(size_t length, - chunk_t value); + chunk_t value, pen_type_t type); #endif /** IETF_ATTR_FWD_ENABLED_H_ @}*/ diff --git a/src/libimcv/ietf/ietf_attr_port_filter.c b/src/libimcv/ietf/ietf_attr_port_filter.c index 46824406a..6f7ff54cc 100644 --- a/src/libimcv/ietf/ietf_attr_port_filter.c +++ b/src/libimcv/ietf/ietf_attr_port_filter.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -236,7 +236,7 @@ METHOD(ietf_attr_port_filter_t, create_port_enumerator, enumerator_t*, /** * Described in header. */ -pa_tnc_attr_t *ietf_attr_port_filter_create(void) +pa_tnc_attr_t *ietf_attr_port_filter_create(pen_type_t type) { private_ietf_attr_port_filter_t *this; @@ -256,7 +256,7 @@ pa_tnc_attr_t *ietf_attr_port_filter_create(void) .add_port = _add_port, .create_port_enumerator = _create_port_enumerator, }, - .type = { PEN_IETF, IETF_ATTR_PORT_FILTER }, + .type = type, .ports = linked_list_create(), .ref = 1, ); @@ -268,7 +268,7 @@ pa_tnc_attr_t *ietf_attr_port_filter_create(void) * Described in header. */ pa_tnc_attr_t *ietf_attr_port_filter_create_from_data(size_t length, - chunk_t data) + chunk_t data, pen_type_t type) { private_ietf_attr_port_filter_t *this; 
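Review bot: The new `type` parameter is documented only as "Vendor ID / Attribute Type", but the attribute's build() and process() code (outside these hunks) still encodes and parses the IETF Forwarding Enabled wire format, so the constructor will happily label a value with any type the caller passes. The doc comment should state the constraint, e.g. `@param type Vendor ID / Attribute Type (value uses the IETF Forwarding Enabled encoding)`, on both ietf_attr_fwd_enabled_create and ietf_attr_fwd_enabled_create_from_data. The same applies to ietf_attr_port_filter_create and ietf_attr_port_filter_create_from_data in the next file section.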
@@ -288,7 +288,7 @@ pa_tnc_attr_t *ietf_attr_port_filter_create_from_data(size_t length, .add_port = _add_port, .create_port_enumerator = _create_port_enumerator, }, - .type = {PEN_IETF, IETF_ATTR_PORT_FILTER }, + .type = type, .length = length, .value = chunk_clone(data), .ports = linked_list_create(), diff --git a/src/libimcv/ietf/ietf_attr_port_filter.h b/src/libimcv/ietf/ietf_attr_port_filter.h index d383b19a2..e6c5a3f61 100644 --- a/src/libimcv/ietf/ietf_attr_port_filter.h +++ b/src/libimcv/ietf/ietf_attr_port_filter.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -61,16 +61,18 @@ struct ietf_attr_port_filter_t { /** * Creates an ietf_attr_port_filter_t object * + * @param type Vendor ID / Attribute Type */ -pa_tnc_attr_t* ietf_attr_port_filter_create(void); +pa_tnc_attr_t* ietf_attr_port_filter_create(pen_type_t type); /** * Creates an ietf_attr_port_filter_t object from received data * * @param length Total length of attribute value * @param value Unparsed attribute value (might be a segment) + * @param type Vendor ID / Attribute Type */ pa_tnc_attr_t* ietf_attr_port_filter_create_from_data(size_t length, - chunk_t value); + chunk_t value, pen_type_t type); #endif /** IETF_ATTR_PORT_FILTER_H_ @}*/ diff --git a/src/libimcv/imc/imc_msg.c b/src/libimcv/imc/imc_msg.c index 83337cf7b..9e12e29f1 100644 --- a/src/libimcv/imc/imc_msg.c +++ b/src/libimcv/imc/imc_msg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -108,6 +108,7 @@ METHOD(imc_msg_t, send_, TNC_Result, pa_tnc_attr_t *attr; TNC_UInt32 msg_flags; TNC_MessageType msg_type; + size_t max_msg_len, min_seg_attr_len, space_left; bool attr_added, oversize; chunk_t msg; seg_contract_t *contract; @@ -120,23 +121,37 @@ METHOD(imc_msg_t, send_, TNC_Result, contract = contracts->get_contract(contracts, this->msg_type, FALSE, this->dst_id); + /* Retrieve maximum allowed PA-TNC message size if set */ + max_msg_len = this->state->get_max_msg_len(this->state); + + /* Minimum size needed for Segmentation Envelope Attribute */ + min_seg_attr_len = PA_TNC_ATTR_HEADER_SIZE + TCG_SEG_ATTR_SEG_ENV_HEADER + + PA_TNC_ATTR_HEADER_SIZE; + while (this->attr_list->get_count(this->attr_list)) { - pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state)); + pa_tnc_msg = pa_tnc_msg_create(max_msg_len); attr_added = FALSE; enumerator = this->attr_list->create_enumerator(this->attr_list); while (enumerator->enumerate(enumerator, &attr)) { + space_left = pa_tnc_msg->get_space(pa_tnc_msg); + if (contract && contract->check_size(contract, attr, &oversize)) { if (oversize) { - /* TODO generate SWID error msg */ + /* TODO handle oversized attributes */ + } + else if (max_msg_len == 0 || space_left >= min_seg_attr_len) + { + attr = contract->first_segment(contract, attr, space_left); } else { - attr = contract->first_segment(contract, attr); + /* segment attribute in next iteration */ + break; } } if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr)) @@ -147,11 +162,12 @@ METHOD(imc_msg_t, send_, TNC_Result, { if (attr_added) { + /* there might be space for attribute in next iteration */ break; } else { - DBG1(DBG_IMC, "PA-TNC attribute too large to send, deleted"); + DBG1(DBG_IMV, "PA-TNC attribute too large to send, deleted"); attr->destroy(attr); } } 
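Review bot: The new `break` in the "segment attribute in next iteration" branch does not guarantee progress: when max_msg_len is non-zero but a freshly created pa_tnc_msg already reports space_left below min_seg_attr_len, the inner loop exits before any attribute is added or removed, and as far as this hunk shows the outer `while (this->attr_list->get_count(this->attr_list))` loop then repeats the same state. The remainder of the loop body is outside the hunk, so this is inferred; if nothing there handles `!attr_added` together with an undersized message, the case should fall into the existing "too large to send, deleted" path (log, destroy, remove from the list) rather than break. The identical code is added to imv_msg.c send_ below.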
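Review bot: The debug group on the "PA-TNC attribute too large to send, deleted" line changes from DBG_IMC to DBG_IMV, yet this file is imc_msg.c, the IMC-side message class, so the message would now be governed by the IMV log level and be missing from IMC traces. Unless the change is intentional, keep `DBG1(DBG_IMC, "PA-TNC attribute too large to send, deleted");`.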
@@ -341,9 +357,7 @@ METHOD(imc_msg_t, receive, TNC_Result, my_max_seg_size = this->state->get_max_msg_len(this->state) - PA_TNC_HEADER_SIZE - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_SEG_ENV_HEADER - - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_MAX_SIZE_SIZE; + - TCG_SEG_ATTR_SEG_ENV_HEADER; /* If segmentation is possible select lower segment size */ if (max_seg_size != SEG_CONTRACT_NO_FRAGMENTATION && diff --git a/src/libimcv/imc/imc_os_info.c b/src/libimcv/imc/imc_os_info.c index 47697f1a3..0a094eb23 100644 --- a/src/libimcv/imc/imc_os_info.c +++ b/src/libimcv/imc/imc_os_info.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -90,6 +90,14 @@ METHOD(imc_os_info_t, get_version, chunk_t, return this->version; } +METHOD(imc_os_info_t, get_default_pwd_status, bool, + private_imc_os_info_t *this) +{ + /* As an option the default password status can be configured manually */ + return lib->settings->get_bool(lib->settings, + "%s.imcv.os_info.default_password_enabled", FALSE, lib->ns); +} + #ifdef WIN32 METHOD(imc_os_info_t, get_fwd_status, os_fwd_status_t, @@ -618,6 +626,7 @@ imc_os_info_t *imc_os_info_create(void) .get_numeric_version = _get_numeric_version, .get_version = _get_version, .get_fwd_status = _get_fwd_status, + .get_default_pwd_status = _get_default_pwd_status, .get_uptime = _get_uptime, .get_setting = _get_setting, .create_package_enumerator = _create_package_enumerator, diff --git a/src/libimcv/imc/imc_os_info.h b/src/libimcv/imc/imc_os_info.h index 6bb0e960c..ef7fb6d43 100644 --- a/src/libimcv/imc/imc_os_info.h +++ b/src/libimcv/imc/imc_os_info.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
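Review bot: get_default_pwd_status() in imc_os_info.c performs no detection at all; it returns the `%s.imcv.os_info.default_password_enabled` setting with a default of FALSE, so the Factory Default Password Enabled attribute built from it reflects operator configuration rather than observed device state. The method and its header comment in imc_os_info.h (next section, which only says "TRUE if enabled, FALSE otherwise") should say so, e.g. `/* Not detected: taken from the default_password_enabled setting, FALSE if unset */`, so that an IMV policy author does not treat FALSE as a measured result. If a platform probe is added later, the setting should become an override rather than the sole source.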
@@ -71,6 +71,13 @@ struct imc_os_info_t { */ os_fwd_status_t (*get_fwd_status)(imc_os_info_t *this); + /** + * Get the default password status + * + * @return TRUE if enabled, FALSE otherwise + */ + bool (*get_default_pwd_status)(imc_os_info_t *this); + /** * Get the OS uptime in seconds * diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c index bd4156c19..ec6ea4288 100644 --- a/src/libimcv/imcv.c +++ b/src/libimcv/imcv.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * Copyright (C) 2011-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -15,6 +16,7 @@ #include "imcv.h" #include "ietf/ietf_attr.h" #include "ita/ita_attr.h" +#include "pwg/pwg_attr.h" #include "tcg/tcg_attr.h" #include "pts/components/pts_component.h" #include "pts/components/pts_component_manager.h" @@ -179,6 +181,8 @@ bool libimcv_init(bool is_imv) ietf_attr_create_from_data, ietf_attr_names); imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_ITA, ita_attr_create_from_data, ita_attr_names); + imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_PWG, + pwg_attr_create_from_data, pwg_attr_names); imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_TCG, tcg_attr_create_from_data, tcg_attr_names); @@ -235,6 +239,7 @@ void libimcv_deinit(void) imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_IETF); imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_ITA); + imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_PWG); imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_TCG); DESTROY_IF(imcv_pa_tnc_attributes); imcv_pa_tnc_attributes = NULL; diff --git a/src/libimcv/imcv.h b/src/libimcv/imcv.h index 31536eca5..e260ff8f6 100644 --- a/src/libimcv/imcv.h +++ b/src/libimcv/imcv.h 
@@ -15,6 +15,9 @@ /** * @defgroup libimcv libimcv * + * @defgroup generic_attr generic_attr + * @ingroup libimcv + * * @defgroup libimcv_imc imc * @ingroup libimcv * diff --git a/src/libimcv/imv/imv_msg.c b/src/libimcv/imv/imv_msg.c index fdf63325d..039124c2a 100644 --- a/src/libimcv/imv/imv_msg.c +++ b/src/libimcv/imv/imv_msg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2014 Andreas Steffen + * Copyright (C) 2012-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -125,6 +125,7 @@ METHOD(imv_msg_t, send_, TNC_Result, pa_tnc_attr_t *attr; TNC_UInt32 msg_flags; TNC_MessageType msg_type; + size_t max_msg_len, min_seg_attr_len, space_left; bool attr_added, oversize; chunk_t msg; seg_contract_t *contract; 
@@ -137,23 +138,37 @@ METHOD(imv_msg_t, send_, TNC_Result, contract = contracts->get_contract(contracts, this->msg_type, FALSE, this->dst_id); + /* Retrieve maximum allowed PA-TNC message size if set */ + max_msg_len = this->state->get_max_msg_len(this->state); + + /* Minimum size needed for Segmentation Envelope Attribute */ + min_seg_attr_len = PA_TNC_ATTR_HEADER_SIZE + TCG_SEG_ATTR_SEG_ENV_HEADER + + PA_TNC_ATTR_HEADER_SIZE; + while (this->attr_list->get_count(this->attr_list)) { - pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state)); + pa_tnc_msg = pa_tnc_msg_create(max_msg_len); attr_added = FALSE; enumerator = this->attr_list->create_enumerator(this->attr_list); while (enumerator->enumerate(enumerator, &attr)) { + space_left = pa_tnc_msg->get_space(pa_tnc_msg); + if (contract && contract->check_size(contract, attr, &oversize)) { if (oversize) { - /* TODO generate SWID error msg */ + /* TODO handle oversized attributes */ + } + else if (max_msg_len == 0 || space_left >= min_seg_attr_len) + { + attr = contract->first_segment(contract, attr, space_left); } else { - attr = contract->first_segment(contract, attr); + /* segment attribute in next iteration */ + break; } } if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr)) @@ -164,6 +179,7 @@ METHOD(imv_msg_t, send_, TNC_Result, { if (attr_added) { + /* there might be space for attribute in next iteration */ break; } else @@ -377,9 +393,7 @@ METHOD(imv_msg_t, receive, TNC_Result, my_max_seg_size = this->state->get_max_msg_len(this->state) - PA_TNC_HEADER_SIZE - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_SEG_ENV_HEADER - - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_MAX_SIZE_SIZE; + - TCG_SEG_ATTR_SEG_ENV_HEADER; /* If segmentation is possible select lower segment size */ if (max_seg_size != SEG_CONTRACT_NO_FRAGMENTATION && diff --git a/src/libimcv/ita/ita_attr.c b/src/libimcv/ita/ita_attr.c index 9d7706dba..35c882c37 100644 --- a/src/libimcv/ita/ita_attr.c +++ b/src/libimcv/ita/ita_attr.c 
@@ -19,7 +19,7 @@ #include "ita/ita_attr_get_settings.h" #include "ita/ita_attr_settings.h" #include "ita/ita_attr_angel.h" -#include "ita/ita_attr_device_id.h" +#include "generic/generic_attr_string.h" ENUM(ita_attr_names, ITA_ATTR_COMMAND, ITA_ATTR_DEVICE_ID, "Command", @@ -53,7 +53,8 @@ pa_tnc_attr_t* ita_attr_create_from_data(u_int32_t type, size_t length, case ITA_ATTR_STOP_ANGEL: return ita_attr_angel_create_from_data(FALSE); case ITA_ATTR_DEVICE_ID: - return ita_attr_device_id_create_from_data(length, value); + return generic_attr_string_create_from_data(length, value, + pen_type_create(PEN_ITA, type)); default: return NULL; } diff --git a/src/libimcv/ita/ita_attr_device_id.c b/src/libimcv/ita/ita_attr_device_id.c deleted file mode 100644 index 232842695..000000000 --- a/src/libimcv/ita/ita_attr_device_id.c +++ /dev/null 
@@ -1,163 +0,0 @@ -/* - * Copyright (C) 2013-2014 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "ita_attr.h" -#include "ita_attr_device_id.h" - -#include - -#include - -typedef struct private_ita_attr_device_id_t private_ita_attr_device_id_t; - -/** - * Private data of an ita_attr_device_id_t object. - */ -struct private_ita_attr_device_id_t { - - /** - * Public members of ita_attr_device_id_t - */ - ita_attr_device_id_t public; - - /** - * Vendor-specific attribute type - */ - pen_type_t type; - - /** - * Length of attribute value - */ - size_t length; - - /** - * Attribute value or segment - */ - chunk_t value; - - /** - * Noskip flag - */ - bool noskip_flag; - - /** - * Reference count - */ - refcount_t ref; -}; - -METHOD(pa_tnc_attr_t, get_type, pen_type_t, - private_ita_attr_device_id_t *this) -{ - return this->type; -} - -METHOD(pa_tnc_attr_t, get_value, chunk_t, - private_ita_attr_device_id_t *this) -{ - return this->value; -} - -METHOD(pa_tnc_attr_t, get_noskip_flag, bool, - private_ita_attr_device_id_t *this) -{ - return this->noskip_flag; -} - -METHOD(pa_tnc_attr_t, set_noskip_flag,void, - private_ita_attr_device_id_t *this, bool noskip) -{ - this->noskip_flag = noskip; -} - -METHOD(pa_tnc_attr_t, build, void, - private_ita_attr_device_id_t *this) -{ - return; -} - -METHOD(pa_tnc_attr_t, process, status_t, - private_ita_attr_device_id_t *this, u_int32_t *offset) -{ - *offset = 0; - - if (this->value.len < 
this->length) - { - return NEED_MORE; - } - return SUCCESS; -} - -METHOD(pa_tnc_attr_t, add_segment, void, - private_ita_attr_device_id_t *this, chunk_t segment) -{ - this->value = chunk_cat("mc", this->value, segment); -} - -METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*, - private_ita_attr_device_id_t *this) -{ - ref_get(&this->ref); - return &this->public.pa_tnc_attribute; -} - -METHOD(pa_tnc_attr_t, destroy, void, - private_ita_attr_device_id_t *this) -{ - if (ref_put(&this->ref)) - { - free(this->value.ptr); - free(this); - } -} - -/** - * Described in header. - */ -pa_tnc_attr_t *ita_attr_device_id_create_from_data(size_t length, chunk_t value) -{ - private_ita_attr_device_id_t *this; - - INIT(this, - .public = { - .pa_tnc_attribute = { - .get_type = _get_type, - .get_value = _get_value, - .get_noskip_flag = _get_noskip_flag, - .set_noskip_flag = _set_noskip_flag, - .build = _build, - .process = _process, - .add_segment = _add_segment, - .get_ref = _get_ref, - .destroy = _destroy, - }, - }, - .type = { PEN_ITA, ITA_ATTR_DEVICE_ID }, - .length = length, - .value = chunk_clone(value), - .ref = 1, - ); - - return &this->public.pa_tnc_attribute; -} - -/** - * Described in header. - */ -pa_tnc_attr_t *ita_attr_device_id_create(chunk_t value) -{ - return ita_attr_device_id_create_from_data(value.len, value); -} - diff --git a/src/libimcv/ita/ita_attr_device_id.h b/src/libimcv/ita/ita_attr_device_id.h deleted file mode 100644 index 94bb778c0..000000000 --- a/src/libimcv/ita/ita_attr_device_id.h +++ /dev/null 
@@ -1,56 +0,0 @@ -/* - * Copyright (C) 2013-2014 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup ita_attr_device_id ita_attr_device_id - * @{ @ingroup ita_attr - */ - -#ifndef ITA_ATTR_DEVICE_ID_H_ -#define ITA_ATTR_DEVICE_ID_H_ - -typedef struct ita_attr_device_id_t ita_attr_device_id_t; - -#include "pa_tnc/pa_tnc_attr.h" - -/** - * Class implementing the ITA Device ID PA-TNC attribute. - * - */ -struct ita_attr_device_id_t { - - /** - * Public PA-TNC attribute interface - */ - pa_tnc_attr_t pa_tnc_attribute; - -}; - -/** - * Creates an ita_attr_device_id_t object - * - * @param value ITA Device ID attribute value - */ -pa_tnc_attr_t* ita_attr_device_id_create(chunk_t value); - -/** - * Creates an ita_attr_device_id_t object from received data - * - * @param length Total length of attribute value - * @param value Unparsed attribute value (might be a segment) - */ -pa_tnc_attr_t* ita_attr_device_id_create_from_data(size_t length, chunk_t value); - -#endif /** ITA_ATTR_DEVICE_ID_H_ @}*/ diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c index ea4dee950..17c649dfd 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.c +++ b/src/libimcv/pa_tnc/pa_tnc_msg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -92,6 +92,12 @@ METHOD(pa_tnc_msg_t, get_encoding, chunk_t, return this->encoding; } +METHOD(pa_tnc_msg_t, get_space, size_t, + private_pa_tnc_msg_t *this) +{ + return this->max_msg_len ? this->max_msg_len - this->msg_len : 0; +} + METHOD(pa_tnc_msg_t, add_attribute, bool, private_pa_tnc_msg_t *this, pa_tnc_attr_t *attr) { @@ -389,6 +395,7 @@ pa_tnc_msg_t *pa_tnc_msg_create(size_t max_msg_len) INIT(this, .public = { .get_encoding = _get_encoding, + .get_space = _get_space, .add_attribute = _add_attribute, .build = _build, .process = _process, @@ -416,6 +423,7 @@ pa_tnc_msg_t *pa_tnc_msg_create_from_data(chunk_t data) INIT(this, .public = { .get_encoding = _get_encoding, + .get_space = _get_space, .add_attribute = _add_attribute, .build = _build, .process = _process, diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.h b/src/libimcv/pa_tnc/pa_tnc_msg.h index 57ff1a04c..3be302032 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.h +++ b/src/libimcv/pa_tnc/pa_tnc_msg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -43,6 +43,13 @@ struct pa_tnc_msg_t { */ chunk_t (*get_encoding)(pa_tnc_msg_t *this); + /** + * Get the remaining space in octets left in the PA-TNC message + * + * @return remaining space or 0 if max_msg_len is not set + */ + size_t (*get_space)(pa_tnc_msg_t *this); + /** * Add a PA-TNC attribute * diff --git a/src/libimcv/plugins/imc_hcd/Makefile.am b/src/libimcv/plugins/imc_hcd/Makefile.am new file mode 100644 index 000000000..db25a57de --- /dev/null +++ b/src/libimcv/plugins/imc_hcd/Makefile.am 
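Review bot: get_space() returns `this->max_msg_len - this->msg_len` whenever max_msg_len is non-zero, without checking that msg_len is still below it; the method's return type is size_t, so if the two fields are unsigned (their declarations are outside the hunk) an over-full message yields a wrapped, enormous "remaining space" that the new send_ code in imv_msg compares against `min_seg_attr_len` and would treat as room for a first segment. A defensive form is `return (this->max_msg_len && this->msg_len < this->max_msg_len) ? this->max_msg_len - this->msg_len : 0;`. The 0 return is also ambiguous between "no limit configured" and "message full", which is why send_ has to test max_msg_len separately; the header comment in pa_tnc_msg.h should state that callers must distinguish the two themselves, e.g. `@return remaining space, or 0 if the message is full or no max_msg_len is set (callers must check max_msg_len to tell these apart)`.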
@@ -0,0 +1,16 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libtncif \ + -I$(top_srcdir)/src/libimcv + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +imcv_LTLIBRARIES = imc-hcd.la + +imc_hcd_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la + +imc_hcd_la_SOURCES = imc_hcd.c imc_hcd_state.h imc_hcd_state.c + +imc_hcd_la_LDFLAGS = -module -avoid-version -no-undefined diff --git a/src/libimcv/plugins/imc_hcd/Makefile.in b/src/libimcv/plugins/imc_hcd/Makefile.in new file mode 100644 index 000000000..da7523c33 --- /dev/null +++ b/src/libimcv/plugins/imc_hcd/Makefile.in 
@@ -0,0 +1,763 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = 
$(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libimcv/plugins/imc_hcd +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { 
files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(imcvdir)" +LTLIBRARIES = $(imcv_LTLIBRARIES) +imc_hcd_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la +am_imc_hcd_la_OBJECTS = imc_hcd.lo imc_hcd_state.lo +imc_hcd_la_OBJECTS = $(am_imc_hcd_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +imc_hcd_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(imc_hcd_la_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC 
" $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(imc_hcd_la_SOURCES) +DIST_SOURCES = $(imc_hcd_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ 
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ 
+h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = 
@systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libtncif \ + -I$(top_srcdir)/src/libimcv + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +imcv_LTLIBRARIES = imc-hcd.la +imc_hcd_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la + +imc_hcd_la_SOURCES = imc_hcd.c imc_hcd_state.h imc_hcd_state.c +imc_hcd_la_LDFLAGS = -module -avoid-version -no-undefined +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libimcv/plugins/imc_hcd/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libimcv/plugins/imc_hcd/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \ + } + +uninstall-imcvLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(imcvdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(imcvdir)/$$f"; \ + done + +clean-imcvLTLIBRARIES: + -test -z "$(imcv_LTLIBRARIES)" || rm -f $(imcv_LTLIBRARIES) + @list='$(imcv_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ 
+ } + +imc-hcd.la: $(imc_hcd_la_OBJECTS) $(imc_hcd_la_DEPENDENCIES) $(EXTRA_imc_hcd_la_DEPENDENCIES) + $(AM_V_CCLD)$(imc_hcd_la_LINK) -rpath $(imcvdir) $(imc_hcd_la_OBJECTS) $(imc_hcd_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_hcd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_hcd_state.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + 
+mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d 
$$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(imcvdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-imcvLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-imcvLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-imcvLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-imcvLTLIBRARIES clean-libtool cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am \ + install-imcvLTLIBRARIES install-info install-info-am \ + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-imcvLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libimcv/plugins/imc_hcd/imc_hcd.c b/src/libimcv/plugins/imc_hcd/imc_hcd.c new file mode 100644 index 000000000..b631683ce --- /dev/null +++ b/src/libimcv/plugins/imc_hcd/imc_hcd.c 
@@ -0,0 +1,791 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imc_hcd_state.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include "ietf/ietf_attr_fwd_enabled.h" +#include +#include + +#include + +#include +#include + +/* IMC definitions */ + +static const char imc_name[] = "HCD"; + +static pen_type_t msg_types[] = { + { PEN_PWG, PA_SUBTYPE_PWG_HCD_SYSTEM }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_CONSOLE }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_MARKER }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_FINISHER }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_INTERFACE }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_SCANNER } +}; + +static imc_agent_t *imc_hcd; +static imc_os_info_t *os; + +typedef struct section_subtype_t section_subtype_t; + +struct section_subtype_t { + char *section; + pa_subtype_pwg_t subtype; +}; + +static section_subtype_t section_subtypes[] = { + { "system", PA_SUBTYPE_PWG_HCD_SYSTEM }, + { "console", PA_SUBTYPE_PWG_HCD_CONSOLE }, + { "marker", PA_SUBTYPE_PWG_HCD_MARKER }, + { "finisher", PA_SUBTYPE_PWG_HCD_FINISHER }, + { "interface", PA_SUBTYPE_PWG_HCD_INTERFACE }, + { "scanner" , PA_SUBTYPE_PWG_HCD_SCANNER } +}; + +typedef struct quadruple_t quadruple_t; + +struct quadruple_t { + char *section; + pwg_attr_t name_attr; + pwg_attr_t patches_attr; + pwg_attr_t string_version_attr; + pwg_attr_t version_attr; +}; + +static quadruple_t quadruples[] = { + { "firmware", + PWG_HCD_FIRMWARE_NAME, 
PWG_HCD_FIRMWARE_PATCHES, + PWG_HCD_FIRMWARE_STRING_VERSION, PWG_HCD_FIRMWARE_VERSION }, + { "resident_application", + PWG_HCD_RESIDENT_APP_NAME, PWG_HCD_RESIDENT_APP_PATCHES, + PWG_HCD_RESIDENT_APP_STRING_VERSION, PWG_HCD_RESIDENT_APP_VERSION }, + { "user_application", + PWG_HCD_USER_APP_NAME, PWG_HCD_USER_APP_PATCHES, + PWG_HCD_USER_APP_STRING_VERSION, PWG_HCD_USER_APP_VERSION } +}; + +/** + * see section 3.8.1 of TCG TNC IF-IMC Specification 1.3 + */ +TNC_Result TNC_IMC_API TNC_IMC_Initialize(TNC_IMCID imc_id, + TNC_Version min_version, + TNC_Version max_version, + TNC_Version *actual_version) +{ + if (imc_hcd) + { + DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name); + return TNC_RESULT_ALREADY_INITIALIZED; + } + imc_hcd = imc_agent_create(imc_name, msg_types, countof(msg_types), + imc_id, actual_version); + if (!imc_hcd) + { + return TNC_RESULT_FATAL; + } + + os = imc_os_info_create(); + if (!os) + { + imc_hcd->destroy(imc_hcd); + imc_hcd = NULL; + + return TNC_RESULT_FATAL; + } + + if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1) + { + DBG1(DBG_IMC, "no common IF-IMC version"); + return TNC_RESULT_NO_COMMON_VERSION; + } + return TNC_RESULT_SUCCESS; +} + +/** + * see section 3.8.2 of TCG TNC IF-IMC Specification 1.3 + */ +TNC_Result TNC_IMC_API TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id, + TNC_ConnectionID connection_id, TNC_ConnectionState new_state) +{ + imc_state_t *state; + + if (!imc_hcd) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + switch (new_state) + { + case TNC_CONNECTION_STATE_CREATE: + state = imc_hcd_state_create(connection_id); + return imc_hcd->create_state(imc_hcd, state); + case TNC_CONNECTION_STATE_HANDSHAKE: + if (imc_hcd->change_state(imc_hcd, connection_id, new_state, + &state) != TNC_RESULT_SUCCESS) + { + return TNC_RESULT_FATAL; + } + state->set_result(state, imc_id, + TNC_IMV_EVALUATION_RESULT_DONT_KNOW); + return 
TNC_RESULT_SUCCESS; + case TNC_CONNECTION_STATE_DELETE: + return imc_hcd->delete_state(imc_hcd, connection_id); + default: + return imc_hcd->change_state(imc_hcd, connection_id, + new_state, NULL); + } +} + +/** + * Add AttributesNaturalLanguage attribute to send queue + */ +static void add_attrs_natural_lang(imc_msg_t *msg, char *section) +{ + pa_tnc_attr_t *attr; + char *string; + + string = lib->settings->get_str(lib->settings, + "%s.plugins.imc-hcd.subtypes.%s.attributes_natural_language", + "en", lib->ns, section); + DBG2(DBG_IMC, " %N: %s", pwg_attr_names, PWG_HCD_ATTRS_NATURAL_LANG, + string); + attr = generic_attr_string_create(chunk_from_str(string), + pen_type_create(PEN_PWG, PWG_HCD_ATTRS_NATURAL_LANG)); + msg->add_attribute(msg, attr); +} + +/** + * Add DefaultPasswordEnabled attribute to send queue + */ +static void add_default_pwd_enabled(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + bool status; + + status = os->get_default_pwd_status(os); + DBG2(DBG_IMC, " %N: %s", pwg_attr_names, PWG_HCD_DEFAULT_PWD_ENABLED, + status ? 
"yes" : "no"); + attr = generic_attr_bool_create(status, + pen_type_create(PEN_PWG, PWG_HCD_DEFAULT_PWD_ENABLED)); + msg->add_attribute(msg, attr); +} + +/** + * Add ForwardingEnabled attribute to send queue + */ +static void add_forwarding_enabled(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + os_fwd_status_t fwd_status; + + fwd_status = os->get_fwd_status(os); + DBG2(DBG_IMC, " %N: %N", pwg_attr_names, PWG_HCD_FORWARDING_ENABLED, + os_fwd_status_names, fwd_status); + attr = ietf_attr_fwd_enabled_create(fwd_status, + pen_type_create(PEN_PWG, PWG_HCD_FORWARDING_ENABLED)); + msg->add_attribute(msg, attr); +} + +/** + * Add MachineTypeModel attribute to send queue + */ +static void add_machine_type_model(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + char *string; + + string = lib->settings->get_str(lib->settings, + "%s.plugins.imc-hcd.subtypes.system.machine_type_model", + "", lib->ns); + DBG2(DBG_IMC, " %N: %s", pwg_attr_names, PWG_HCD_MACHINE_TYPE_MODEL, + string); + attr = generic_attr_string_create(chunk_from_str(string), + pen_type_create(PEN_PWG, PWG_HCD_MACHINE_TYPE_MODEL)); + msg->add_attribute(msg, attr); +} + +/** + * Add PSTNFaxEnabled attribute to send queue + */ +static void add_pstn_fax_enabled(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + bool status; + + status = lib->settings->get_bool(lib->settings, + "%s.plugins.imc-hcd.subtypes.system.pstn_fax_enabled", + FALSE, lib->ns); + DBG2(DBG_IMC, " %N: %s", pwg_attr_names, PWG_HCD_PSTN_FAX_ENABLED, + status ? 
"yes" : "no"); + attr = generic_attr_bool_create(status, + pen_type_create(PEN_PWG, PWG_HCD_PSTN_FAX_ENABLED)); + msg->add_attribute(msg, attr); +} + +/** + * Add TimeSource attribute to send queue + */ +static void add_time_source(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + char *string; + + string = lib->settings->get_str(lib->settings, + "%s.plugins.imc-hcd.subtypes.system.time_source", + "", lib->ns); + DBG2(DBG_IMC, " %N: %s", pwg_attr_names, PWG_HCD_TIME_SOURCE, + string); + attr = generic_attr_string_create(chunk_from_str(string), + pen_type_create(PEN_PWG, PWG_HCD_TIME_SOURCE)); + msg->add_attribute(msg, attr); +} + +/** + * Add UserApplicationEnabled attribute to send queue + */ +static void add_user_app_enabled(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + bool status; + + status = lib->settings->get_bool(lib->settings, + "%s.plugins.imc-hcd.subtypes.system.user_application_enabled", + FALSE, lib->ns); + DBG2(DBG_IMC, " %N: %s", pwg_attr_names, PWG_HCD_USER_APP_ENABLED, + status ? "yes" : "no"); + attr = generic_attr_bool_create(status, + pen_type_create(PEN_PWG, PWG_HCD_USER_APP_ENABLED)); + msg->add_attribute(msg, attr); +} + +/** + * Add UserApplicationPersistenceEnabled attribute to send queue + */ +static void add_user_app_persist_enabled(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + bool status; + + status = lib->settings->get_bool(lib->settings, + "%s.plugins.imc-hcd.subtypes.system.user_application_persistence.enabled", + FALSE, lib->ns); + DBG2(DBG_IMC, " %N: %s", pwg_attr_names, PWG_HCD_USER_APP_PERSIST_ENABLED, + status ? 
"yes" : "no"); + attr = generic_attr_bool_create(status, + pen_type_create(PEN_PWG, PWG_HCD_USER_APP_PERSIST_ENABLED)); + msg->add_attribute(msg, attr); +} + +/** + * Add VendorName attribute to send queue + */ +static void add_vendor_name(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + char *string; + + string = lib->settings->get_str(lib->settings, + "%s.plugins.imc-hcd.subtypes.system.vendor_name", + "", lib->ns); + DBG2(DBG_IMC, " %N: %s", pwg_attr_names, PWG_HCD_VENDOR_NAME, + string); + attr = generic_attr_string_create(chunk_from_str(string), + pen_type_create(PEN_PWG, PWG_HCD_VENDOR_NAME)); + msg->add_attribute(msg, attr); +} + +/** + * Add VendorSMICode attribute to send queue + */ +static void add_vendor_smi_code(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + int smi_code; + + smi_code = lib->settings->get_int(lib->settings, + "%s.plugins.imc-hcd.subtypes.system.vendor_smi_code", + 0, lib->ns); + DBG2(DBG_IMC, " %N: 0x%06x (%d)", pwg_attr_names, PWG_HCD_VENDOR_SMI_CODE, + smi_code, smi_code); + attr = pwg_attr_vendor_smi_code_create(smi_code); + msg->add_attribute(msg, attr); +} + +/** + * Add CertificationState attribute to send queue + */ +static void add_certification_state(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + char *hex_string; + chunk_t blob; + + hex_string = lib->settings->get_str(lib->settings, + "%s.plugins.imc-hcd.subtypes.system.certification_state", + NULL, lib->ns); + if (hex_string) + { + blob = chunk_from_hex(chunk_from_str(hex_string), NULL); + + DBG2(DBG_IMC, " %N: %B", pwg_attr_names, PWG_HCD_CERTIFICATION_STATE, + &blob); + attr = generic_attr_chunk_create(blob, + pen_type_create(PEN_PWG, PWG_HCD_CERTIFICATION_STATE)); + msg->add_attribute(msg, attr); + chunk_free(&blob); + } +} + +/** + * Add CertificationState attribute to send queue + */ +static void add_configuration_state(imc_msg_t *msg) +{ + pa_tnc_attr_t *attr; + char *hex_string; + chunk_t blob; + + hex_string = lib->settings->get_str(lib->settings, + 
"%s.plugins.imc-hcd.subtypes.system.configuration_state", + NULL, lib->ns); + if (hex_string) + { + blob = chunk_from_hex(chunk_from_str(hex_string), NULL); + + DBG2(DBG_IMC, " %N: %B", pwg_attr_names, PWG_HCD_CONFIGURATION_STATE, + &blob); + attr = generic_attr_chunk_create(blob, + pen_type_create(PEN_PWG, PWG_HCD_CONFIGURATION_STATE)); + msg->add_attribute(msg, attr); + chunk_free(&blob); + } +} + +/** + * Add Correlated Attributes to send queue + */ +static void add_quadruple(imc_msg_t *msg, char *section, quadruple_t *quad) +{ + pa_tnc_attr_t *attr; + const size_t version_len = 16; + char version[version_len]; + char hex_version_default[] = "00000000000000000000000000000000"; + char *app, *name, *patches, *string_version, *hex_version; + size_t len; + chunk_t num_version; + enumerator_t *enumerator; + + enumerator = lib->settings->create_section_enumerator(lib->settings, + "%s.plugins.imc-hcd.subtypes.%s.%s", + lib->ns, section, quad->section); + while (enumerator->enumerate(enumerator, &app)) + { + name = lib->settings->get_str(lib->settings, + "%s.plugins.imc-hcd.subtypes.%s.%s.%s.name", + "", lib->ns, section, quad->section, app); + patches = lib->settings->get_str(lib->settings, + "%s.plugins.imc-hcd.subtypes.%s.%s.%s.patches", + "", lib->ns, section, quad->section, app); + string_version = lib->settings->get_str(lib->settings, + "%s.plugins.imc-hcd.subtypes.%s.%s.%s.string_version", + "", lib->ns, section, quad->section, app); + hex_version = lib->settings->get_str(lib->settings, + "%s.plugins.imc-hcd.subtypes.%s.%s.%s.version", + hex_version_default, lib->ns, section, quad->section, app); + + /* convert hex string into binary chunk */ + if (strlen(hex_version) > 2 * version_len) + { + hex_version = hex_version_default; + } + num_version = chunk_from_hex(chunk_from_str(hex_version), version); + + DBG2(DBG_IMC, "--- %s ---", app); + + DBG2(DBG_IMC, " %N: %s", pwg_attr_names, quad->name_attr, name); + attr = generic_attr_string_create(chunk_from_str(name), + 
pen_type_create(PEN_PWG, quad->name_attr)); + msg->add_attribute(msg, attr); + + /* remove any trailing LF from patches string for logging */ + len = strlen(patches); + if (len && (patches[len - 1] == '\n')) + { + len--; + } + DBG2(DBG_IMC, " %N:%s%.*s", pwg_attr_names, quad->patches_attr, + len ? "\n" : " ", len, patches); + attr = generic_attr_string_create(chunk_from_str(patches), + pen_type_create(PEN_PWG, quad->patches_attr)); + msg->add_attribute(msg, attr); + + DBG2(DBG_IMC, " %N: %s", pwg_attr_names, quad->string_version_attr, + string_version); + attr = generic_attr_string_create(chunk_from_str(string_version), + pen_type_create(PEN_PWG, quad->string_version_attr)); + msg->add_attribute(msg, attr); + + DBG2(DBG_IMC, " %N: %#B", pwg_attr_names, quad->version_attr, &num_version); + attr = generic_attr_chunk_create(num_version, + pen_type_create(PEN_PWG, quad->version_attr)); + msg->add_attribute(msg, attr); + } + enumerator->destroy(enumerator); +} + +/** + * see section 3.8.3 of TCG TNC IF-IMC Specification 1.3 + */ +TNC_Result TNC_IMC_API TNC_IMC_BeginHandshake(TNC_IMCID imc_id, + TNC_ConnectionID connection_id) +{ + imc_state_t *state; + imc_msg_t *out_msg; + TNC_Result result = TNC_RESULT_SUCCESS; + pa_subtype_pwg_t subtype; + pen_type_t msg_type; + enumerator_t *enumerator; + char *section; + int i; + + if (!imc_hcd) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imc_hcd->get_state(imc_hcd, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + + /* Enumerate over all HCD subtype sections */ + enumerator = lib->settings->create_section_enumerator(lib->settings, + "%s.plugins.imc-hcd.subtypes", lib->ns); + while (enumerator->enumerate(enumerator, §ion) && + result == TNC_RESULT_SUCCESS) + { + subtype = PA_SUBTYPE_PWG_HCD_UNKNOWN; + + for (i = 0; i < countof(section_subtypes); i++) + { + if (streq(section, section_subtypes[i].section)) + { + subtype = section_subtypes[i].subtype; 
+ break; + } + } + if (subtype == PA_SUBTYPE_PWG_HCD_UNKNOWN) + { + DBG1(DBG_IMC, "HCD subtype '%s' not supported", section); + continue; + } + DBG2(DBG_IMC, "retrieving attributes for PA subtype %N/%N", + pen_names, PEN_PWG, pa_subtype_pwg_names, subtype); + + msg_type = pen_type_create(PEN_PWG, subtype); + out_msg = imc_msg_create(imc_hcd, state, connection_id, imc_id, + TNC_IMVID_ANY, msg_type); + + /* mandatory attributes that are always sent without request */ + add_attrs_natural_lang(out_msg, section); + if (subtype == PA_SUBTYPE_PWG_HCD_SYSTEM) + { + add_default_pwd_enabled(out_msg); + add_forwarding_enabled(out_msg); + add_machine_type_model(out_msg); + add_pstn_fax_enabled(out_msg); + add_time_source(out_msg); + add_vendor_name(out_msg); + add_vendor_smi_code(out_msg); + add_user_app_enabled(out_msg); + add_user_app_persist_enabled(out_msg); + } + if (lib->settings->get_bool(lib->settings, + "%s.plugins.imc-hcd.push_info", FALSE, lib->ns)) + { + /* correlated attributes */ + for (i = 0; i < countof(quadruples); i++) + { + add_quadruple(out_msg, section, &quadruples[i]); + } + } + + /* send PA-TNC message with the excl flag not set */ + result = out_msg->send(out_msg, FALSE); + out_msg->destroy(out_msg); + } + enumerator->destroy(enumerator); + + return result; +} + +static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) +{ + imc_msg_t *out_msg; + enumerator_t *enumerator; + pa_tnc_attr_t *attr; + pen_type_t type, msg_type; + TNC_Result result; + char *section = NULL; + int i; + bool fatal_error = FALSE, pushed_info; + + /* generate an outgoing PA-TNC message - we might need it */ + out_msg = imc_msg_create_as_reply(in_msg); + + /* parse received PA-TNC message and handle local and remote errors */ + result = in_msg->receive(in_msg, out_msg, &fatal_error); + if (result != TNC_RESULT_SUCCESS) + { + out_msg->destroy(out_msg); + return result; + } + msg_type = in_msg->get_msg_type(in_msg); + + for (i = 0; i < countof(section_subtypes); i++) + 
{ + if (msg_type.type == section_subtypes[i].subtype) + { + section = section_subtypes[i].section; + break; + } + } + pushed_info = lib->settings->get_bool(lib->settings, + "%s.plugins.imc-hcd.push_info", FALSE, lib->ns); + + /* analyze PA-TNC attributes */ + enumerator = in_msg->create_attribute_enumerator(in_msg); + while (enumerator->enumerate(enumerator, &attr)) + { + type = attr->get_type(attr); + + if (type.vendor_id == PEN_IETF) + { + if (type.type == IETF_ATTR_ATTRIBUTE_REQUEST) + { + ietf_attr_attr_request_t *attr_cast; + pen_type_t *entry; + enumerator_t *e; + + attr_cast = (ietf_attr_attr_request_t*)attr; + + e = attr_cast->create_enumerator(attr_cast); + while (e->enumerate(e, &entry)) + { + if (entry->vendor_id == PEN_PWG) + { + switch (entry->type) + { + case PWG_HCD_ATTRS_NATURAL_LANG: + add_attrs_natural_lang(out_msg, section); + break; + case PWG_HCD_DEFAULT_PWD_ENABLED: + add_default_pwd_enabled(out_msg); + break; + case PWG_HCD_FORWARDING_ENABLED: + add_forwarding_enabled(out_msg); + break; + case PWG_HCD_MACHINE_TYPE_MODEL: + add_machine_type_model(out_msg); + break; + case PWG_HCD_PSTN_FAX_ENABLED: + add_pstn_fax_enabled(out_msg); + break; + case PWG_HCD_TIME_SOURCE: + add_time_source(out_msg); + break; + case PWG_HCD_USER_APP_ENABLED: + add_user_app_enabled(out_msg); + break; + case PWG_HCD_USER_APP_PERSIST_ENABLED: + add_user_app_persist_enabled(out_msg); + break; + case PWG_HCD_VENDOR_NAME: + add_vendor_name(out_msg); + break; + case PWG_HCD_VENDOR_SMI_CODE: + add_vendor_smi_code(out_msg); + break; + case PWG_HCD_CERTIFICATION_STATE: + add_certification_state(out_msg); + break; + case PWG_HCD_CONFIGURATION_STATE: + add_configuration_state(out_msg); + break; + default: + if (pushed_info) + { + continue; + } + } + + /* if not pushed, deliver on request */ + switch (entry->type) + { + case PWG_HCD_FIRMWARE_NAME: + add_quadruple(out_msg, section, &quadruples[0]); + break; + case PWG_HCD_RESIDENT_APP_NAME: + add_quadruple(out_msg, section, 
&quadruples[1]); + break; + case PWG_HCD_USER_APP_NAME: + add_quadruple(out_msg, section, &quadruples[2]); + break; + default: + break; + } + } + } + e->destroy(e); + } + } + } + enumerator->destroy(enumerator); + + if (fatal_error) + { + result = TNC_RESULT_FATAL; + } + else + { + /* send PA-TNC message with the EXCL flag set */ + result = out_msg->send(out_msg, TRUE); + } + out_msg->destroy(out_msg); + + return result; +} + +/** + * see section 3.8.4 of TCG TNC IF-IMC Specification 1.3 + */ +TNC_Result TNC_IMC_API TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, + TNC_ConnectionID connection_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) +{ + imc_state_t *state; + imc_msg_t *in_msg; + TNC_Result result; + + if (!imc_hcd) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imc_hcd->get_state(imc_hcd, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imc_msg_create_from_data(imc_hcd, state, connection_id, msg_type, + chunk_create(msg, msg_len)); + result = receive_message(state, in_msg); + in_msg->destroy(in_msg); + + return result; +} + +/** + * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3 + */ +TNC_Result TNC_IMC_API TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id, + TNC_ConnectionID connection_id, + TNC_UInt32 msg_flags, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_VendorID msg_vid, + TNC_MessageSubtype msg_subtype, + TNC_UInt32 src_imv_id, + TNC_UInt32 dst_imc_id) +{ + imc_state_t *state; + imc_msg_t *in_msg; + TNC_Result result; + + if (!imc_hcd) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imc_hcd->get_state(imc_hcd, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imc_msg_create_from_long_data(imc_hcd, state, connection_id, + src_imv_id, dst_imc_id,msg_vid, msg_subtype, + chunk_create(msg, msg_len)); + result =receive_message(state, in_msg); 
+ in_msg->destroy(in_msg); + + return result; +} + +/** + * see section 3.8.7 of TCG TNC IF-IMC Specification 1.3 + */ +TNC_Result TNC_IMC_API TNC_IMC_BatchEnding(TNC_IMCID imc_id, + TNC_ConnectionID connection_id) +{ + if (!imc_hcd) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + return TNC_RESULT_SUCCESS; +} + +/** + * see section 3.8.8 of TCG TNC IF-IMC Specification 1.3 + */ +TNC_Result TNC_IMC_API TNC_IMC_Terminate(TNC_IMCID imc_id) +{ + if (!imc_hcd) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + imc_hcd->destroy(imc_hcd); + imc_hcd = NULL; + + os->destroy(os); + os = NULL; + + return TNC_RESULT_SUCCESS; +} + +/** + * see section 4.2.8.1 of TCG TNC IF-IMC Specification 1.3 + */ +TNC_Result TNC_IMC_API TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id, + TNC_TNCC_BindFunctionPointer bind_function) +{ + if (!imc_hcd) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + return imc_hcd->bind_functions(imc_hcd, bind_function); +} diff --git a/src/libimcv/plugins/imc_hcd/imc_hcd_state.c b/src/libimcv/plugins/imc_hcd/imc_hcd_state.c new file mode 100644 index 000000000..ce93d7ef7 --- /dev/null +++ b/src/libimcv/plugins/imc_hcd/imc_hcd_state.c 
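Review bot: TNC_IMC_Initialize leaves imc_hcd and os allocated when it returns TNC_RESULT_NO_COMMON_VERSION, whereas the imc_os_info_create() failure branch directly above it tears imc_hcd down again; a later Initialize call then lands in the "already been initialized" branch and the two objects are only released by TNC_IMC_Terminate. Moving the IF-IMC version check ahead of imc_agent_create(), or destroying both objects in that branch, removes the inconsistency. In add_quadruple the patches log line passes `len` (declared size_t) as the `%.*s` precision argument, which is read as int; `(int)len` keeps the call well-defined. In receive_message, `section` stays NULL when msg_type.type matches none of section_subtypes and is then formatted into the settings key by add_attrs_natural_lang; since msg_types registers only PWG subtypes this presumably cannot happen, but a guard or a one-line comment would make that explicit. The comment above TNC_IMC_ReceiveMessageLong cites `IF-IMV Specification`; it should read `IF-IMC` like the neighbouring ones.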
@@ -0,0 +1,176 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imc_hcd_state.h" + +#include + +#include + +typedef struct private_imc_hcd_state_t private_imc_hcd_state_t; + +/** + * Private data of an imc_hcd_state_t object. + */ +struct private_imc_hcd_state_t { + + /** + * Public members of imc_hcd_state_t + */ + imc_hcd_state_t public; + + /** + * TNCCS connection ID + */ + TNC_ConnectionID connection_id; + + /** + * TNCCS connection state + */ + TNC_ConnectionState state; + + /** + * Assessment/Evaluation Result + */ + TNC_IMV_Evaluation_Result result; + + /** + * Does the TNCCS connection support long message types? + */ + bool has_long; + + /** + * Does the TNCCS connection support exclusive delivery? 
+ */ + bool has_excl; + + /** + * Maximum PA-TNC message size for this TNCCS connection + */ + u_int32_t max_msg_len; + + /** + * PA-TNC attribute segmentation contracts associated with TNCCS connection + */ + seg_contract_manager_t *contracts; +}; + +METHOD(imc_state_t, get_connection_id, TNC_ConnectionID, + private_imc_hcd_state_t *this) +{ + return this->connection_id; +} + +METHOD(imc_state_t, has_long, bool, + private_imc_hcd_state_t *this) +{ + return this->has_long; +} + +METHOD(imc_state_t, has_excl, bool, + private_imc_hcd_state_t *this) +{ + return this->has_excl; +} + +METHOD(imc_state_t, set_flags, void, + private_imc_hcd_state_t *this, bool has_long, bool has_excl) +{ + this->has_long = has_long; + this->has_excl = has_excl; +} + +METHOD(imc_state_t, set_max_msg_len, void, + private_imc_hcd_state_t *this, u_int32_t max_msg_len) +{ + this->max_msg_len = max_msg_len; +} + +METHOD(imc_state_t, get_max_msg_len, u_int32_t, + private_imc_hcd_state_t *this) +{ + return this->max_msg_len; +} + +METHOD(imc_state_t, get_contracts, seg_contract_manager_t*, + private_imc_hcd_state_t *this) +{ + return this->contracts; +} + +METHOD(imc_state_t, change_state, void, + private_imc_hcd_state_t *this, TNC_ConnectionState new_state) +{ + this->state = new_state; +} + +METHOD(imc_state_t, set_result, void, + private_imc_hcd_state_t *this, TNC_IMCID id, + TNC_IMV_Evaluation_Result result) +{ + this->result = result; +} + +METHOD(imc_state_t, get_result, bool, + private_imc_hcd_state_t *this, TNC_IMCID id, + TNC_IMV_Evaluation_Result *result) +{ + if (result) + { + *result = this->result; + } + return this->result != TNC_IMV_EVALUATION_RESULT_DONT_KNOW; +} + +METHOD(imc_state_t, destroy, void, + private_imc_hcd_state_t *this) +{ + this->contracts->destroy(this->contracts); + free(this); +} + +/** + * Described in header. 
+ */ +imc_state_t *imc_hcd_state_create(TNC_ConnectionID connection_id) +{ + private_imc_hcd_state_t *this; + + INIT(this, + .public = { + .interface = { + .get_connection_id = _get_connection_id, + .has_long = _has_long, + .has_excl = _has_excl, + .set_flags = _set_flags, + .set_max_msg_len = _set_max_msg_len, + .get_max_msg_len = _get_max_msg_len, + .get_contracts = _get_contracts, + .change_state = _change_state, + .set_result = _set_result, + .get_result = _get_result, + .destroy = _destroy, + }, + }, + .state = TNC_CONNECTION_STATE_CREATE, + .result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW, + .connection_id = connection_id, + .contracts = seg_contract_manager_create(), + ); + + return &this->public.interface; +} + + diff --git a/src/libimcv/plugins/imc_hcd/imc_hcd_state.h b/src/libimcv/plugins/imc_hcd/imc_hcd_state.h new file mode 100644 index 000000000..dbd5ddb4f --- /dev/null +++ b/src/libimcv/plugins/imc_hcd/imc_hcd_state.h 
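Review bot: set_result and get_result take a TNC_IMCID id but never read it, so a comment such as `/* one IMC per state: id is ignored */` on both methods would tell a reader this is deliberate rather than an omission. The has_long, has_excl and max_msg_len members are not set in imc_hcd_state_create and presumably start zero-filled via INIT; stating that initial FALSE/0 value in the struct comments would document the state the IMC is in before set_flags and set_max_msg_len are called.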
@@ -0,0 +1,50 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imc_hcd imc_hcd + * @ingroup libimcv_plugins + * + * @defgroup imc_hcd_state_t imc_hcd_state + * @{ @ingroup imc_hcd + */ + +#ifndef IMC_HCD_STATE_H_ +#define IMC_HCD_STATE_H_ + +#include +#include + +typedef struct imc_hcd_state_t imc_hcd_state_t; + +/** + * Internal state of an imc_hcd_t connection instance + */ +struct imc_hcd_state_t { + + /** + * imc_state_t interface + */ + imc_state_t interface; +}; + +/** + * Create an imc_hcd_state_t instance + * + * @param id connection ID + */ +imc_state_t* imc_hcd_state_create(TNC_ConnectionID id); + +#endif /** IMC_HCD_STATE_H_ @}*/ diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c index 4fe8856e6..af1862ad3 100644 --- a/src/libimcv/plugins/imc_os/imc_os.c +++ b/src/libimcv/plugins/imc_os/imc_os.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -18,10 +18,11 @@ #include #include #include +#include +#include #include #include -#include -#include +#include "ietf/ietf_attr_fwd_enabled.h" #include #include #include @@ -30,7 +31,6 @@ #include #include #include -#include #include 
@@ -212,9 +212,9 @@ static void add_fwd_enabled(imc_msg_t *msg) os_fwd_status_t fwd_status; fwd_status = os->get_fwd_status(os); - DBG1(DBG_IMC, "IPv4 forwarding is %N", - os_fwd_status_names, fwd_status); - attr = ietf_attr_fwd_enabled_create(fwd_status); + DBG1(DBG_IMC, "IPv4 forwarding is %N", os_fwd_status_names, fwd_status); + attr = ietf_attr_fwd_enabled_create(fwd_status, + pen_type_create(PEN_IETF, IETF_ATTR_FORWARDING_ENABLED)); msg->add_attribute(msg, attr); } @@ -224,9 +224,12 @@ static void add_fwd_enabled(imc_msg_t *msg) static void add_default_pwd_enabled(imc_msg_t *msg) { pa_tnc_attr_t *attr; + bool status; - DBG1(DBG_IMC, "factory default password is disabled"); - attr = ietf_attr_default_pwd_enabled_create(FALSE); + status = os->get_default_pwd_status(os); + DBG1(DBG_IMC, "factory default password is %sabled", status ? "en" : "dis"); + attr = generic_attr_bool_create(status, + pen_type_create(PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED)); msg->add_attribute(msg, attr); } @@ -330,7 +333,8 @@ static void add_device_id(imc_msg_t *msg) } DBG1(DBG_IMC, "device ID is %.*s", value.len, value.ptr); - attr = ita_attr_device_id_create(value); + attr = generic_attr_string_create(value, pen_type_create(PEN_ITA, + ITA_ATTR_DEVICE_ID)); msg->add_attribute(msg, attr); free(value.ptr); } diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner.c b/src/libimcv/plugins/imc_scanner/imc_scanner.c index 0478841cb..c67636f8f 100644 --- a/src/libimcv/plugins/imc_scanner/imc_scanner.c +++ b/src/libimcv/plugins/imc_scanner/imc_scanner.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -34,7 +34,7 @@ static const char imc_name[] = "Scanner"; static pen_type_t msg_types[] = { - { PEN_IETF, PA_SUBTYPE_IETF_VPN } + { PEN_IETF, PA_SUBTYPE_IETF_FIREWALL } }; static imc_agent_t *imc_scanner; 
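Review bot: add_default_pwd_enabled now reports whatever os->get_default_pwd_status(os) returns, and the hunk does not show what that call yields when the status cannot be determined on the host; if it falls back to FALSE, the IMV receives a positive "disabled" claim for an unknown state. A comment at the call site naming the fallback, e.g. `/* NOTE: FALSE also covers "status unknown" - confirm in imc_os_info */`, or a distinct log line for the unknown case, would make the attribute's semantics auditable. Whether imc_os_info distinguishes the unknown case is not visible here and should be checked.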
@@ -241,7 +241,8 @@ static TNC_Result add_port_filter(imc_msg_t *msg) pa_tnc_attr_t *attr; ietf_attr_port_filter_t *attr_port_filter; - attr = ietf_attr_port_filter_create(); + attr = ietf_attr_port_filter_create(pen_type_create(PEN_IETF, + IETF_ATTR_PORT_FILTER)); attr->set_noskip_flag(attr, TRUE); attr_port_filter = (ietf_attr_port_filter_t*)attr; if (!do_netstat(attr_port_filter)) diff --git a/src/libimcv/plugins/imc_swid/imc_swid.c b/src/libimcv/plugins/imc_swid/imc_swid.c index 40f352ad9..0dcb9afb6 100644 --- a/src/libimcv/plugins/imc_swid/imc_swid.c +++ b/src/libimcv/plugins/imc_swid/imc_swid.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -134,9 +134,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id, /* Determine maximum PA-TNC attribute segment size */ max_seg_size = state->get_max_msg_len(state) - PA_TNC_HEADER_SIZE - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_SEG_ENV_HEADER - - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_MAX_SIZE_SIZE; + - TCG_SEG_ATTR_SEG_ENV_HEADER; /* Announce support of PA-TNC segmentation to IMV */ contract = seg_contract_create(msg_types[0], max_attr_size, max_seg_size, diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c index 8e3736857..28ebd0069 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2011-2012 Sansar Choinyambuu - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
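Review bot: In imc_swid.c max_seg_size is state->get_max_msg_len(state) minus three header sizes, and with the unsigned max_msg_len the IMC state keeps as u_int32_t, a value smaller than that sum wraps to a huge segment size; whether a zero or small value is rejected before this point lies outside the hunk, as does the start of TNC_IMC_BeginHandshake. A guard along the lines of `if (state->get_max_msg_len(state) <= PA_TNC_HEADER_SIZE + PA_TNC_ATTR_HEADER_SIZE + TCG_SEG_ATTR_SEG_ENV_HEADER)` that skips the contract announcement would close it, unless the caller already guarantees a sufficient value. The same computation appears in imv_attestation_agent.c (batch_ending) further down and has the same consideration.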
@@ -27,13 +27,13 @@ #include #include #include +#include #include #include #include #include #include #include -#include #include #include #include @@ -484,9 +484,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, max_seg_size = state->get_max_msg_len(state) - PA_TNC_HEADER_SIZE - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_SEG_ENV_HEADER - - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_MAX_SIZE_SIZE; + - TCG_SEG_ATTR_SEG_ENV_HEADER; /* Announce support of PA-TNC segmentation to IMC */ contract = seg_contract_create(msg_types[0], max_attr_size, diff --git a/src/libimcv/plugins/imv_hcd/Makefile.am b/src/libimcv/plugins/imv_hcd/Makefile.am new file mode 100644 index 000000000..28926d45e --- /dev/null +++ b/src/libimcv/plugins/imv_hcd/Makefile.am @@ -0,0 +1,18 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libtncif \ + -I$(top_srcdir)/src/libimcv + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +imcv_LTLIBRARIES = imv-hcd.la + +imv_hcd_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la + +imv_hcd_la_SOURCES = \ + imv_hcd.c imv_hcd_state.h imv_hcd_state.c \ + imv_hcd_agent.h imv_hcd_agent.c + +imv_hcd_la_LDFLAGS = -module -avoid-version -no-undefined diff --git a/src/libimcv/plugins/imv_hcd/Makefile.in b/src/libimcv/plugins/imv_hcd/Makefile.in new file mode 100644 index 000000000..ea017646d --- /dev/null +++ b/src/libimcv/plugins/imv_hcd/Makefile.in 
@@ -0,0 +1,767 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = 
$(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libimcv/plugins/imv_hcd +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { 
files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(imcvdir)" +LTLIBRARIES = $(imcv_LTLIBRARIES) +imv_hcd_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la +am_imv_hcd_la_OBJECTS = imv_hcd.lo imv_hcd_state.lo imv_hcd_agent.lo +imv_hcd_la_OBJECTS = $(am_imv_hcd_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +imv_hcd_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(imv_hcd_la_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) 
+am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(imv_hcd_la_SOURCES) +DIST_SOURCES = $(imv_hcd_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ 
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ 
+h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = 
@systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libtncif \ + -I$(top_srcdir)/src/libimcv + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +imcv_LTLIBRARIES = imv-hcd.la +imv_hcd_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la + +imv_hcd_la_SOURCES = \ + imv_hcd.c imv_hcd_state.h imv_hcd_state.c \ + imv_hcd_agent.h imv_hcd_agent.c + +imv_hcd_la_LDFLAGS = -module -avoid-version -no-undefined +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libimcv/plugins/imv_hcd/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libimcv/plugins/imv_hcd/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \ + } + +uninstall-imcvLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(imcvdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(imcvdir)/$$f"; \ + done + +clean-imcvLTLIBRARIES: + -test -z "$(imcv_LTLIBRARIES)" || rm -f $(imcv_LTLIBRARIES) + @list='$(imcv_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ 
+ } + +imv-hcd.la: $(imv_hcd_la_OBJECTS) $(imv_hcd_la_DEPENDENCIES) $(EXTRA_imv_hcd_la_DEPENDENCIES) + $(AM_V_CCLD)$(imv_hcd_la_LINK) -rpath $(imcvdir) $(imv_hcd_la_OBJECTS) $(imv_hcd_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_hcd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_hcd_agent.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_hcd_state.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file 
|| test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(imcvdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-imcvLTLIBRARIES clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-imcvLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-imcvLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-imcvLTLIBRARIES clean-libtool cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am \ + install-imcvLTLIBRARIES install-info install-info-am \ + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-imcvLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libimcv/plugins/imv_hcd/imv_hcd.c b/src/libimcv/plugins/imv_hcd/imv_hcd.c
new file mode 100644
index 000000000..f32095217
--- /dev/null
+++ b/src/libimcv/plugins/imv_hcd/imv_hcd.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_hcd_agent.h"
+
+static const char imv_name[] = "HCD";
+static const imv_agent_create_t imv_agent_create = imv_hcd_agent_create;
+
+/* include generic TGC TNC IF-IMV API code below */
+
+#include
+
diff --git a/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c b/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c
new file mode 100644
index 000000000..e15eeb10a
--- /dev/null
+++ b/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c
@@ -0,0 +1,680 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include + +#include "imv_hcd_agent.h" +#include "imv_hcd_state.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "tcg/seg/tcg_seg_attr_max_size.h" +#include "tcg/seg/tcg_seg_attr_seg_env.h" + +#include +#include + +#include +#include + +#define HCD_MAX_ATTR_SIZE 10000000 + +typedef struct private_imv_hcd_agent_t private_imv_hcd_agent_t; + +/* Subscribed PA-TNC message subtypes */ +static pen_type_t msg_types[] = { + { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_SYSTEM }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_CONSOLE }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_MARKER }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_FINISHER }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_INTERFACE }, + { PEN_PWG, PA_SUBTYPE_PWG_HCD_SCANNER } +}; + +static imv_hcd_attr_t attr_type_to_flag(pwg_attr_t attr_type) +{ + switch (attr_type) + { + case PWG_HCD_DEFAULT_PWD_ENABLED: + return IMV_HCD_ATTR_DEFAULT_PWD_ENABLED; + case PWG_HCD_FIREWALL_SETTING: + return IMV_HCD_ATTR_FIREWALL_SETTING; + case PWG_HCD_FORWARDING_ENABLED: + return IMV_HCD_ATTR_FORWARDING_ENABLED; + case PWG_HCD_MACHINE_TYPE_MODEL: + return IMV_HCD_ATTR_MACHINE_TYPE_MODEL; + case PWG_HCD_PSTN_FAX_ENABLED: + return IMV_HCD_ATTR_PSTN_FAX_ENABLED; + case PWG_HCD_TIME_SOURCE: + return IMV_HCD_ATTR_TIME_SOURCE; + case 
PWG_HCD_USER_APP_ENABLED: + return IMV_HCD_ATTR_USER_APP_ENABLED; + case PWG_HCD_USER_APP_PERSIST_ENABLED: + return IMV_HCD_ATTR_USER_APP_PERSIST_ENABLED; + case PWG_HCD_VENDOR_NAME: + return IMV_HCD_ATTR_VENDOR_NAME; + case PWG_HCD_VENDOR_SMI_CODE: + return IMV_HCD_ATTR_VENDOR_SMI_CODE; + case PWG_HCD_CERTIFICATION_STATE: + return IMV_HCD_ATTR_CERTIFICATION_STATE; + case PWG_HCD_CONFIGURATION_STATE: + return IMV_HCD_ATTR_CONFIGURATION_STATE; + case PWG_HCD_ATTRS_NATURAL_LANG: + return IMV_HCD_ATTR_NATURAL_LANG; + case PWG_HCD_FIRMWARE_NAME: + return IMV_HCD_ATTR_FIRMWARE_NAME; + case PWG_HCD_RESIDENT_APP_NAME: + return IMV_HCD_ATTR_RESIDENT_APP_NAME; + case PWG_HCD_USER_APP_NAME: + return IMV_HCD_ATTR_USER_APP_NAME; + default: + return IMV_HCD_ATTR_NONE; + } +} + +/** + * Private data of an imv_hcd_agent_t object. + */ +struct private_imv_hcd_agent_t { + + /** + * Public members of imv_hcd_agent_t + */ + imv_agent_if_t public; + + /** + * IMV agent responsible for generic functions + */ + imv_agent_t *agent; + +}; + +METHOD(imv_agent_if_t, bind_functions, TNC_Result, + private_imv_hcd_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function) +{ + return this->agent->bind_functions(this->agent, bind_function); +} + +METHOD(imv_agent_if_t, notify_connection_change, TNC_Result, + private_imv_hcd_agent_t *this, TNC_ConnectionID id, + TNC_ConnectionState new_state) +{ + TNC_IMV_Action_Recommendation rec; + imv_state_t *state; + imv_session_t *session; + + switch (new_state) + { + case TNC_CONNECTION_STATE_CREATE: + state = imv_hcd_state_create(id); + return this->agent->create_state(this->agent, state); + case TNC_CONNECTION_STATE_DELETE: + return this->agent->delete_state(this->agent, id); + case TNC_CONNECTION_STATE_ACCESS_ALLOWED: + case TNC_CONNECTION_STATE_ACCESS_ISOLATED: + case TNC_CONNECTION_STATE_ACCESS_NONE: + if (this->agent->get_state(this->agent, id, &state) && imcv_db) + { + session = state->get_session(state); + + if 
(session->get_policy_started(session)) + { + switch (new_state) + { + case TNC_CONNECTION_STATE_ACCESS_ALLOWED: + rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW; + break; + case TNC_CONNECTION_STATE_ACCESS_ISOLATED: + rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE; + break; + case TNC_CONNECTION_STATE_ACCESS_NONE: + default: + rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS; + } + imcv_db->add_recommendation(imcv_db, session, rec); + if (!imcv_db->policy_script(imcv_db, session, FALSE)) + { + DBG1(DBG_IMV, "error in policy script stop"); + } + } + } + /* fall through to default state */ + default: + return this->agent->change_state(this->agent, id, new_state, NULL); + } +} + +/** + * Process a received message + */ +static TNC_Result receive_msg(private_imv_hcd_agent_t *this, imv_state_t *state, + imv_msg_t *in_msg) +{ + imv_msg_t *out_msg; + imv_hcd_state_t *hcd_state; + pa_tnc_attr_t *attr; + enum_name_t *pa_subtype_names; + pen_type_t type, msg_type; + TNC_Result result; + bool fatal_error = FALSE, assessment = FALSE; + enumerator_t *enumerator; + + hcd_state = (imv_hcd_state_t*)state; + + /* generate an outgoing PA-TNC message - we might need it */ + out_msg = imv_msg_create_as_reply(in_msg); + + /* parse received PA-TNC message and handle local and remote errors */ + result = in_msg->receive(in_msg,out_msg, &fatal_error); + if (result != TNC_RESULT_SUCCESS) + { + out_msg->destroy(out_msg); + return result; + } + msg_type = in_msg->get_msg_type(in_msg); + pa_subtype_names = get_pa_subtype_names(msg_type.vendor_id); + DBG2(DBG_IMV, "received attributes for PA subtype %N/%N", + pen_names, msg_type.vendor_id, pa_subtype_names, msg_type.type); + + /* set current subtype */ + if (msg_type.vendor_id == PEN_IETF) + { + hcd_state->set_subtype(hcd_state, PA_SUBTYPE_PWG_HCD_SYSTEM); + } + else + { + hcd_state->set_subtype(hcd_state, msg_type.type); + } + + /* analyze PA-TNC attributes */ + enumerator = in_msg->create_attribute_enumerator(in_msg); + while 
(enumerator->enumerate(enumerator, &attr)) + { + type = attr->get_type(attr); + + if (type.vendor_id == PEN_IETF) + { + switch (type.type) + { + case IETF_ATTR_FORWARDING_ENABLED: + { + ietf_attr_fwd_enabled_t *attr_cast; + os_fwd_status_t fwd_status; + + attr_cast = (ietf_attr_fwd_enabled_t*)attr; + fwd_status = attr_cast->get_status(attr_cast); + DBG2(DBG_IMV, " %N: %N", ietf_attr_names, type.type, + os_fwd_status_names, fwd_status); + state->set_action_flags(state, + IMV_HCD_ATTR_FORWARDING_ENABLED); + break; + } + case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED: + { + generic_attr_bool_t *attr_cast; + bool status; + + attr_cast = (generic_attr_bool_t*)attr; + status = attr_cast->get_status(attr_cast); + DBG2(DBG_IMV, " %N: %s", ietf_attr_names, type.type, + status ? "yes" : "no"); + state->set_action_flags(state, + IMV_HCD_ATTR_DEFAULT_PWD_ENABLED); + break; + } + default: + break; + } + } + else if (type.vendor_id == PEN_PWG) + { + state->set_action_flags(state, attr_type_to_flag(type.type)); + + switch (type.type) + { + case PWG_HCD_ATTRS_NATURAL_LANG: + case PWG_HCD_MACHINE_TYPE_MODEL: + case PWG_HCD_VENDOR_NAME: + case PWG_HCD_TIME_SOURCE: + case PWG_HCD_FIRMWARE_NAME: + case PWG_HCD_FIRMWARE_STRING_VERSION: + case PWG_HCD_RESIDENT_APP_NAME: + case PWG_HCD_RESIDENT_APP_STRING_VERSION: + case PWG_HCD_USER_APP_NAME: + case PWG_HCD_USER_APP_STRING_VERSION: + { + chunk_t value; + + value = attr->get_value(attr); + DBG2(DBG_IMV, " %N: %.*s", pwg_attr_names, type.type, + value.len, value.ptr); + break; + } + case PWG_HCD_FIRMWARE_PATCHES: + case PWG_HCD_RESIDENT_APP_PATCHES: + case PWG_HCD_USER_APP_PATCHES: + { + chunk_t value; + size_t len; + + value = attr->get_value(attr); + len = value.len; + + /* remove any trailing LF from patches string */ + if (len && (value.ptr[len - 1] == '\n')) + { + len--; + } + DBG2(DBG_IMV, " %N:%s%.*s", pwg_attr_names, type.type, + len ? 
"\n" : " ", len, value.ptr); + break; + } + case PWG_HCD_FIRMWARE_VERSION: + case PWG_HCD_RESIDENT_APP_VERSION: + case PWG_HCD_USER_APP_VERSION: + { + chunk_t value; + + value = attr->get_value(attr); + DBG2(DBG_IMV, " %N: %#B", pwg_attr_names, type.type, &value); + break; + } + case PWG_HCD_CERTIFICATION_STATE: + case PWG_HCD_CONFIGURATION_STATE: + { + chunk_t value; + + value = attr->get_value(attr); + DBG2(DBG_IMV, " %N: %B", pwg_attr_names, type.type, &value); + break; + } + case PWG_HCD_DEFAULT_PWD_ENABLED: + case PWG_HCD_PSTN_FAX_ENABLED: + case PWG_HCD_USER_APP_ENABLED: + case PWG_HCD_USER_APP_PERSIST_ENABLED: + { + generic_attr_bool_t *attr_cast; + bool status; + + attr_cast = (generic_attr_bool_t*)attr; + status = attr_cast->get_status(attr_cast); + DBG2(DBG_IMV, " %N: %s", pwg_attr_names, type.type, + status ? "yes" : "no"); + + if (type.type == PWG_HCD_USER_APP_ENABLED && !status) + { + /* do not request user applications */ + hcd_state->set_user_app_disabled(hcd_state); + } + break; + } + case PWG_HCD_FORWARDING_ENABLED: + { + ietf_attr_fwd_enabled_t *attr_cast; + os_fwd_status_t fwd_status; + + attr_cast = (ietf_attr_fwd_enabled_t*)attr; + fwd_status = attr_cast->get_status(attr_cast); + DBG2(DBG_IMV, " %N: %N", pwg_attr_names, type.type, + os_fwd_status_names, fwd_status); + break; + } + + case PWG_HCD_VENDOR_SMI_CODE: + { + pwg_attr_vendor_smi_code_t *attr_cast; + uint32_t smi_code; + + attr_cast = (pwg_attr_vendor_smi_code_t*)attr; + smi_code = attr_cast->get_vendor_smi_code(attr_cast); + DBG2(DBG_IMV, " %N: 0x%06x (%u)", pwg_attr_names, type.type, + smi_code, smi_code); + break; + } + default: + break; + } + } + } + enumerator->destroy(enumerator); + + if (fatal_error) + { + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, + TNC_IMV_EVALUATION_RESULT_ERROR); + assessment = TRUE; + } + + if (assessment) + { + hcd_state->set_handshake_state(hcd_state, IMV_HCD_STATE_END); + result = out_msg->send_assessment(out_msg); 
+ if (result == TNC_RESULT_SUCCESS) + { + result = this->agent->provide_recommendation(this->agent, state); + } + } + else + { + /* send PA-TNC message with the EXCL flag set */ + result = out_msg->send(out_msg, TRUE); + } + out_msg->destroy(out_msg); + + return result; +} + +METHOD(imv_agent_if_t, receive_message, TNC_Result, + private_imv_hcd_agent_t *this, TNC_ConnectionID id, + TNC_MessageType msg_type, chunk_t msg) +{ + imv_state_t *state; + imv_msg_t *in_msg; + TNC_Result result; + + if (!this->agent->get_state(this->agent, id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg); + result = receive_msg(this, state, in_msg); + in_msg->destroy(in_msg); + + return result; +} + +METHOD(imv_agent_if_t, receive_message_long, TNC_Result, + private_imv_hcd_agent_t *this, TNC_ConnectionID id, + TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id, + TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg) +{ + imv_state_t *state; + imv_msg_t *in_msg; + TNC_Result result; + + if (!this->agent->get_state(this->agent, id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imv_msg_create_from_long_data(this->agent, state, id, + src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg); + result = receive_msg(this, state, in_msg); + in_msg->destroy(in_msg); + + return result; + +} + +/** + * Build an IETF Attribute Request attribute for missing attributes + */ +static pa_tnc_attr_t* build_attr_request(uint32_t received) +{ + pa_tnc_attr_t *attr; + ietf_attr_attr_request_t *attr_cast; + + attr = ietf_attr_attr_request_create(PEN_RESERVED, 0); + attr_cast = (ietf_attr_attr_request_t*)attr; + + if (!(received & IMV_HCD_ATTR_NATURAL_LANG)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_ATTRS_NATURAL_LANG); + } + if (!(received & IMV_HCD_ATTR_DEFAULT_PWD_ENABLED)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_DEFAULT_PWD_ENABLED); + } + if (!(received & IMV_HCD_ATTR_FIREWALL_SETTING)) + { + 
attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_FIREWALL_SETTING); + } + if (!(received & IMV_HCD_ATTR_FIRMWARE_NAME)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_FIRMWARE_NAME); + } + if (!(received & IMV_HCD_ATTR_FORWARDING_ENABLED)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_FORWARDING_ENABLED); + } + if (!(received & IMV_HCD_ATTR_MACHINE_TYPE_MODEL)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_MACHINE_TYPE_MODEL); + } + if (!(received & IMV_HCD_ATTR_PSTN_FAX_ENABLED)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_PSTN_FAX_ENABLED); + } + if (!(received & IMV_HCD_ATTR_RESIDENT_APP_NAME)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_RESIDENT_APP_NAME); + } + if (!(received & IMV_HCD_ATTR_TIME_SOURCE)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_TIME_SOURCE); + } + if (!(received & IMV_HCD_ATTR_USER_APP_ENABLED)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_USER_APP_ENABLED); + } + if (!(received & IMV_HCD_ATTR_USER_APP_PERSIST_ENABLED)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_USER_APP_PERSIST_ENABLED); + } + if (!(received & IMV_HCD_ATTR_USER_APP_NAME)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_USER_APP_NAME); + } + if (!(received & IMV_HCD_ATTR_VENDOR_NAME)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_VENDOR_NAME); + } + if (!(received & IMV_HCD_ATTR_VENDOR_SMI_CODE)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_VENDOR_SMI_CODE); + } + if (!(received & IMV_HCD_ATTR_CERTIFICATION_STATE)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_CERTIFICATION_STATE); + } + if (!(received & IMV_HCD_ATTR_CONFIGURATION_STATE)) + { + attr_cast->add(attr_cast, PEN_PWG, PWG_HCD_CONFIGURATION_STATE); + } + return attr; +} + +METHOD(imv_agent_if_t, batch_ending, TNC_Result, + private_imv_hcd_agent_t *this, TNC_ConnectionID id) +{ + imv_msg_t *out_msg; + imv_state_t *state; + imv_hcd_state_t *hcd_state; + imv_hcd_handshake_state_t handshake_state; + pa_tnc_attr_t *attr; + TNC_IMVID imv_id; + TNC_Result result = TNC_RESULT_SUCCESS; 
+ + if (!this->agent->get_state(this->agent, id, &state)) + { + return TNC_RESULT_FATAL; + } + hcd_state = (imv_hcd_state_t*)state; + handshake_state = hcd_state->get_handshake_state(hcd_state); + imv_id = this->agent->get_id(this->agent); + + if (handshake_state == IMV_HCD_STATE_END) + { + return TNC_RESULT_SUCCESS; + } + + if (handshake_state == IMV_HCD_STATE_INIT) + { + size_t max_attr_size = HCD_MAX_ATTR_SIZE; + size_t max_seg_size; + seg_contract_t *contract; + seg_contract_manager_t *contracts; + char buf[BUF_LEN]; + uint32_t received; + int i; + + /* Determine maximum PA-TNC attribute segment size */ + max_seg_size = state->get_max_msg_len(state) + - PA_TNC_HEADER_SIZE + - PA_TNC_ATTR_HEADER_SIZE + - TCG_SEG_ATTR_SEG_ENV_HEADER + - PA_TNC_ATTR_HEADER_SIZE + - TCG_SEG_ATTR_MAX_SIZE_SIZE; + contracts = state->get_contracts(state); + + for (i = 1; i < countof(msg_types); i++) + { + out_msg = imv_msg_create(this->agent, state, id, imv_id, + TNC_IMCID_ANY, msg_types[i]); + + /* Announce support of PA-TNC segmentation to IMC */ + contract = seg_contract_create(msg_types[i], max_attr_size, + max_seg_size, TRUE, imv_id, FALSE); + contract->get_info_string(contract, buf, BUF_LEN, TRUE); + DBG2(DBG_IMV, "%s", buf); + contracts->add_contract(contracts, contract); + attr = tcg_seg_attr_max_size_create(max_attr_size, max_seg_size, + TRUE); + out_msg->add_attribute(out_msg, attr); + + hcd_state->set_subtype(hcd_state, msg_types[i].type); + received = state->get_action_flags(state); + + if ((received & IMV_HCD_ATTR_MUST) != IMV_HCD_ATTR_MUST) + { + /* create attribute request for missing mandatory attributes */ + out_msg->add_attribute(out_msg, build_attr_request(received)); + } + result = out_msg->send(out_msg, FALSE); + out_msg->destroy(out_msg); + + if (result != TNC_RESULT_SUCCESS) + { + break; + } + } + hcd_state->set_handshake_state(hcd_state, IMV_HCD_STATE_ATTR_REQ); + } + + return result; +} + +METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result, + 
private_imv_hcd_agent_t *this, TNC_ConnectionID id) +{ + imv_state_t *state; + imv_hcd_state_t* hcd_state; + imv_hcd_handshake_state_t handshake_state; + enum_name_t *pa_subtype_names; + bool missing = FALSE; + uint32_t received; + int i; + + if (!this->agent->get_state(this->agent, id, &state)) + { + return TNC_RESULT_FATAL; + } + hcd_state = (imv_hcd_state_t*)state; + handshake_state = hcd_state->get_handshake_state(hcd_state); + + if (handshake_state == IMV_HCD_STATE_ATTR_REQ) + { + pa_subtype_names = get_pa_subtype_names(PEN_PWG); + + for (i = 1; i < countof(msg_types); i++) + { + hcd_state->set_subtype(hcd_state, msg_types[i].type); + received = state->get_action_flags(state); + if ((received & IMV_HCD_ATTR_MUST) != IMV_HCD_ATTR_MUST) + { + DBG1(DBG_IMV, "missing attributes for PA subtype %N/%N", + pen_names, PEN_PWG, pa_subtype_names, msg_types[i].type); + missing = TRUE; + } + } + + if (missing) + { + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS , + TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR); + } + else + { + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_ALLOW , + TNC_IMV_EVALUATION_RESULT_COMPLIANT); + } + } + hcd_state->set_handshake_state(hcd_state, IMV_HCD_STATE_END); + + return this->agent->provide_recommendation(this->agent, state); +} + +METHOD(imv_agent_if_t, destroy, void, + private_imv_hcd_agent_t *this) +{ + DESTROY_IF(this->agent); + free(this); +} + +/** + * Described in header. 
+ */ +imv_agent_if_t *imv_hcd_agent_create(const char *name, TNC_IMVID id, + TNC_Version *actual_version) +{ + private_imv_hcd_agent_t *this; + imv_agent_t *agent; + + agent = imv_agent_create(name, msg_types, countof(msg_types), id, + actual_version); + if (!agent) + { + return NULL; + } + + INIT(this, + .public = { + .bind_functions = _bind_functions, + .notify_connection_change = _notify_connection_change, + .receive_message = _receive_message, + .receive_message_long = _receive_message_long, + .batch_ending = _batch_ending, + .solicit_recommendation = _solicit_recommendation, + .destroy = _destroy, + }, + .agent = agent, + ); + + return &this->public; +} + diff --git a/src/libimcv/plugins/imv_hcd/imv_hcd_agent.h b/src/libimcv/plugins/imv_hcd/imv_hcd_agent.h new file mode 100644 index 000000000..d4e2e3f0e --- /dev/null +++ b/src/libimcv/plugins/imv_hcd/imv_hcd_agent.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_hcd_agent_t imv_hcd_agent + * @{ @ingroup imv_hcd + */ + +#ifndef IMV_HCD_AGENT_H_ +#define IMV_HCD_AGENT_H_ + +#include + +/** + * Creates a HCD IMV agent + * + * @param name Name of the IMV + * @param id ID of the IMV + * @param actual_version TNC IF-IMV version + */ +imv_agent_if_t* imv_hcd_agent_create(const char* name, TNC_IMVID id, + TNC_Version *actual_version); + +#endif /** IMV_HCD_AGENT_H_ @}*/ 
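Review bot: The doc comment on `imv_hcd_agent_create` lists the parameters but not the return value, and the implementation earlier in this patch returns NULL when `imv_agent_create` fails, which callers need to know. Add `@return imv_hcd_agent_t instance, or NULL if the underlying IMV agent could not be created` to the comment block. The `@param` descriptions are otherwise fine.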
diff --git a/src/libimcv/plugins/imv_hcd/imv_hcd_state.c b/src/libimcv/plugins/imv_hcd/imv_hcd_state.c new file mode 100644 index 000000000..bfe6dd619 --- /dev/null +++ b/src/libimcv/plugins/imv_hcd/imv_hcd_state.c 
@@ -0,0 +1,350 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_hcd_state.h" +#include "imv/imv_lang_string.h" +#include "imv/imv_reason_string.h" + +#include + +#include + +typedef struct private_imv_hcd_state_t private_imv_hcd_state_t; +typedef struct subtype_action_flags_t subtype_action_flags_t; + +struct subtype_action_flags_t { + pa_subtype_pwg_t subtype; + uint32_t action_flags; +}; + +/** + * Private data of an imv_hcd_state_t object. + */ +struct private_imv_hcd_state_t { + + /** + * Public members of imv_hcd_state_t + */ + imv_hcd_state_t public; + + /** + * TNCCS connection ID + */ + TNC_ConnectionID connection_id; + + /** + * TNCCS connection state + */ + TNC_ConnectionState state; + + /** + * Does the TNCCS connection support long message types? + */ + bool has_long; + + /** + * Does the TNCCS connection support exclusive delivery? 
+ */ + bool has_excl; + + /** + * Maximum PA-TNC message size for this TNCCS connection + */ + uint32_t max_msg_len; + + /** + * Current flags set for completed actions + */ + uint32_t *action_flags; + + /** + * Action flags for all PA subtypes + */ + subtype_action_flags_t subtype_action_flags[6]; + + /** + * IMV database session associated with TNCCS connection + */ + imv_session_t *session; + + /** + * PA-TNC attribute segmentation contracts associated with TNCCS connection + */ + seg_contract_manager_t *contracts; + + /** + * IMV action recommendation + */ + TNC_IMV_Action_Recommendation rec; + + /** + * IMV evaluation result + */ + TNC_IMV_Evaluation_Result eval; + + /** + * IMV OS handshake state + */ + imv_hcd_handshake_state_t handshake_state; + + /** + * TNC Reason String + */ + imv_reason_string_t *reason_string; + +}; + +/** + * Supported languages + */ +static char* languages[] = { "en", "de", "fr", "pl" }; + +/** + * Reason strings for "Port Filter" + */ +static imv_lang_string_t reasons[] = { + { "en", "Mandatory HCD attributes are missing" }, + { "de", "Obligatorische HCD Attribute fehlen" }, + { "fr", "Il manque des attributes HCD obligatoires" }, + { "pl", "Brakuje atrybutów obowiązkowych" }, + { NULL, NULL } +}; + +METHOD(imv_state_t, get_connection_id, TNC_ConnectionID, + private_imv_hcd_state_t *this) +{ + return this->connection_id; +} + +METHOD(imv_state_t, has_long, bool, + private_imv_hcd_state_t *this) +{ + return this->has_long; +} + +METHOD(imv_state_t, has_excl, bool, + private_imv_hcd_state_t *this) +{ + return this->has_excl; +} + +METHOD(imv_state_t, set_flags, void, + private_imv_hcd_state_t *this, bool has_long, bool has_excl) +{ + this->has_long = has_long; + this->has_excl = has_excl; +} + +METHOD(imv_state_t, set_max_msg_len, void, + private_imv_hcd_state_t *this, uint32_t max_msg_len) +{ + this->max_msg_len = max_msg_len; +} + +METHOD(imv_state_t, get_max_msg_len, uint32_t, + private_imv_hcd_state_t *this) +{ + return 
this->max_msg_len; +} + +METHOD(imv_state_t, set_action_flags, void, + private_imv_hcd_state_t *this, uint32_t flags) +{ + *this->action_flags |= flags; +} + +METHOD(imv_state_t, get_action_flags, uint32_t, + private_imv_hcd_state_t *this) +{ + return *this->action_flags; +} + +METHOD(imv_state_t, set_session, void, + private_imv_hcd_state_t *this, imv_session_t *session) +{ + this->session = session; +} + +METHOD(imv_state_t, get_session, imv_session_t*, + private_imv_hcd_state_t *this) +{ + return this->session; +} + +METHOD(imv_state_t, get_contracts, seg_contract_manager_t*, + private_imv_hcd_state_t *this) +{ + return this->contracts; +} + +METHOD(imv_state_t, get_recommendation, void, + private_imv_hcd_state_t *this, TNC_IMV_Action_Recommendation *rec, + TNC_IMV_Evaluation_Result *eval) +{ + *rec = this->rec; + *eval = this->eval; +} + +METHOD(imv_state_t, set_recommendation, void, + private_imv_hcd_state_t *this, TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval) +{ + this->rec = rec; + this->eval = eval; +} + +METHOD(imv_state_t, update_recommendation, void, + private_imv_hcd_state_t *this, TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval) +{ + this->rec = tncif_policy_update_recommendation(this->rec, rec); + this->eval = tncif_policy_update_evaluation(this->eval, eval); +} + +METHOD(imv_state_t, change_state, void, + private_imv_hcd_state_t *this, TNC_ConnectionState new_state) +{ + this->state = new_state; +} + +METHOD(imv_state_t, get_reason_string, bool, + private_imv_hcd_state_t *this, enumerator_t *language_enumerator, + chunk_t *reason_string, char **reason_language) +{ + if (this->rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION) + { + return FALSE; + } + *reason_language = imv_lang_string_select_lang(language_enumerator, + languages, countof(languages)); + + /* Instantiate a TNC Reason String object */ + DESTROY_IF(this->reason_string); + this->reason_string = imv_reason_string_create(*reason_language, 
"\n"); + this->reason_string->add_reason(this->reason_string, reasons); + *reason_string = this->reason_string->get_encoding(this->reason_string); + + return TRUE; +} + +METHOD(imv_state_t, get_remediation_instructions, bool, + private_imv_hcd_state_t *this, enumerator_t *language_enumerator, + chunk_t *string, char **lang_code, char **uri) +{ + return FALSE; +} + +METHOD(imv_state_t, destroy, void, + private_imv_hcd_state_t *this) +{ + DESTROY_IF(this->session); + DESTROY_IF(this->reason_string); + this->contracts->destroy(this->contracts); + free(this); +} + +METHOD(imv_hcd_state_t, set_handshake_state, void, + private_imv_hcd_state_t *this, imv_hcd_handshake_state_t new_state) +{ + this->handshake_state = new_state; +} + +METHOD(imv_hcd_state_t, get_handshake_state, imv_hcd_handshake_state_t, + private_imv_hcd_state_t *this) +{ + return this->handshake_state; +} + +METHOD(imv_hcd_state_t, set_subtype, void, + private_imv_hcd_state_t *this, pa_subtype_pwg_t subtype) +{ + int i; + + for (i = 0; i < countof(this->subtype_action_flags); i++) + { + if (subtype == this->subtype_action_flags[i].subtype) + { + this->action_flags = &this->subtype_action_flags[i].action_flags; + break; + } + } +} + +METHOD(imv_hcd_state_t, set_user_app_disabled, void, + private_imv_hcd_state_t *this) +{ + int i; + + for (i = 0; i < countof(this->subtype_action_flags); i++) + { + this->subtype_action_flags[i].action_flags |= IMV_HCD_ATTR_USER_APP_NAME; + } +} + +/** + * Described in header. 
+ */ +imv_state_t *imv_hcd_state_create(TNC_ConnectionID connection_id) +{ + private_imv_hcd_state_t *this; + + INIT(this, + .public = { + .interface = { + .get_connection_id = _get_connection_id, + .has_long = _has_long, + .has_excl = _has_excl, + .set_flags = _set_flags, + .set_max_msg_len = _set_max_msg_len, + .get_max_msg_len = _get_max_msg_len, + .set_action_flags = _set_action_flags, + .get_action_flags = _get_action_flags, + .set_session = _set_session, + .get_session = _get_session, + .get_contracts = _get_contracts, + .change_state = _change_state, + .get_recommendation = _get_recommendation, + .set_recommendation = _set_recommendation, + .update_recommendation = _update_recommendation, + .get_reason_string = _get_reason_string, + .get_remediation_instructions = _get_remediation_instructions, + .destroy = _destroy, + }, + .set_handshake_state = _set_handshake_state, + .get_handshake_state = _get_handshake_state, + .set_subtype = _set_subtype, + .set_user_app_disabled = _set_user_app_disabled, + }, + .state = TNC_CONNECTION_STATE_CREATE, + .rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, + .eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW, + .connection_id = connection_id, + .contracts = seg_contract_manager_create(), + .subtype_action_flags = { + { PA_SUBTYPE_PWG_HCD_SYSTEM, IMV_HCD_ATTR_NONE }, + { PA_SUBTYPE_PWG_HCD_CONSOLE, IMV_HCD_ATTR_SYSTEM_ONLY }, + { PA_SUBTYPE_PWG_HCD_MARKER, IMV_HCD_ATTR_SYSTEM_ONLY }, + { PA_SUBTYPE_PWG_HCD_FINISHER, IMV_HCD_ATTR_SYSTEM_ONLY }, + { PA_SUBTYPE_PWG_HCD_INTERFACE, IMV_HCD_ATTR_SYSTEM_ONLY }, + { PA_SUBTYPE_PWG_HCD_SCANNER, IMV_HCD_ATTR_SYSTEM_ONLY }, + } + ); + + this->action_flags = &this->subtype_action_flags[0].action_flags; + + return &this->public.interface; +} + + diff --git a/src/libimcv/plugins/imv_hcd/imv_hcd_state.h b/src/libimcv/plugins/imv_hcd/imv_hcd_state.h new file mode 100644 index 000000000..dce9b3098 --- /dev/null +++ b/src/libimcv/plugins/imv_hcd/imv_hcd_state.h 
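Review bot: `set_subtype` silently keeps `this->action_flags` pointing at the previously selected entry when the subtype is not one of the six in `subtype_action_flags`, and the agent calls it with the subtype taken from any non-IETF received message, so attributes of an unrecognized subtype would be credited to another subtype's mandatory-attribute bookkeeping. After the loop add `DBG1(DBG_IMV, "unknown PWG HCD PA subtype %d, keeping previous action flags", subtype);` or reset the pointer to the `PA_SUBTYPE_PWG_HCD_SYSTEM` entry, whichever matches the intended policy. Separately, the comments `IMV OS handshake state` and `Reason strings for "Port Filter"` look carried over from another IMV; they should read `IMV HCD handshake state` and `Reason strings for missing mandatory HCD attributes`. The fixed `[6]` array size could also be derived from the initializer to avoid the two drifting apart.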
@@ -0,0 +1,120 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_hcd imv_hcd + * @ingroup libimcv_plugins + * + * @defgroup imv_hcd_state_t imv_hcd_state + * @{ @ingroup imv_hcd + */ + +#ifndef IMV_HCD_STATE_H_ +#define IMV_HCD_STATE_H_ + +#include +#include + +#include + +typedef struct imv_hcd_state_t imv_hcd_state_t; +typedef enum imv_hcd_attr_t imv_hcd_attr_t; +typedef enum imv_hcd_handshake_state_t imv_hcd_handshake_state_t; +typedef enum os_settings_t os_settings_t; + +/** + * Flag set when corresponding attribute has been received + */ +enum imv_hcd_attr_t { + IMV_HCD_ATTR_NONE = 0, + IMV_HCD_ATTR_DEFAULT_PWD_ENABLED = (1<<0), + IMV_HCD_ATTR_FIREWALL_SETTING = (1<<1), + IMV_HCD_ATTR_FORWARDING_ENABLED = (1<<2), + IMV_HCD_ATTR_MACHINE_TYPE_MODEL = (1<<3), + IMV_HCD_ATTR_PSTN_FAX_ENABLED = (1<<4), + IMV_HCD_ATTR_TIME_SOURCE = (1<<5), + IMV_HCD_ATTR_USER_APP_ENABLED = (1<<6), + IMV_HCD_ATTR_USER_APP_PERSIST_ENABLED = (1<<7), + IMV_HCD_ATTR_VENDOR_NAME = (1<<8), + IMV_HCD_ATTR_VENDOR_SMI_CODE = (1<<9), + IMV_HCD_ATTR_CERTIFICATION_STATE = (1<<10), + IMV_HCD_ATTR_CONFIGURATION_STATE = (1<<11), + + IMV_HCD_ATTR_SYSTEM_ONLY = (1<<12)-1, + + IMV_HCD_ATTR_NATURAL_LANG = (1<<12), + IMV_HCD_ATTR_FIRMWARE_NAME = (1<<13), + IMV_HCD_ATTR_RESIDENT_APP_NAME = (1<<14), + IMV_HCD_ATTR_USER_APP_NAME = (1<<15), + + IMV_HCD_ATTR_MUST = (1<<16)-1 +}; + +/** + * IMV OS Handshake States (state machine) + 
*/ +enum imv_hcd_handshake_state_t { + IMV_HCD_STATE_INIT, + IMV_HCD_STATE_ATTR_REQ, + IMV_HCD_STATE_END +}; + +/** + * Internal state of an imv_hcd_t connection instance + */ +struct imv_hcd_state_t { + + /** + * imv_state_t interface + */ + imv_state_t interface; + + /** + * Set state of the handshake + * + * @param new_state the handshake state of IMV + */ + void (*set_handshake_state)(imv_hcd_state_t *this, + imv_hcd_handshake_state_t new_state); + + /** + * Get state of the handshake + * + * @return the handshake state of IMV + */ + imv_hcd_handshake_state_t (*get_handshake_state)(imv_hcd_state_t *this); + + /** + * Set the PWG HCD PA subtype currently being handled + * + * @param subtype PWG HCD PA subtype + */ + void (*set_subtype)(imv_hcd_state_t *this, pa_subtype_pwg_t subtype); + + /** + * Set User Application Disabled + */ + void (*set_user_app_disabled)(imv_hcd_state_t *this); + +}; + +/** + * Create an imv_hcd_state_t instance + * + * @param id connection ID + */ +imv_state_t* imv_hcd_state_create(TNC_ConnectionID id); + +#endif /** IMV_HCD_STATE_H_ @}*/ diff --git a/src/libimcv/plugins/imv_os/imv_os_agent.c b/src/libimcv/plugins/imv_os/imv_os_agent.c index f0b1936ab..4bf6c7e21 100644 --- a/src/libimcv/plugins/imv_os/imv_os_agent.c +++ b/src/libimcv/plugins/imv_os/imv_os_agent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -23,10 +23,10 @@ #include #include #include +#include +#include #include #include -#include -#include #include #include #include @@ -37,7 +37,6 @@ #include #include #include -#include #include "tcg/seg/tcg_seg_attr_max_size.h" #include "tcg/seg/tcg_seg_attr_seg_env.h" 
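Review bot: `typedef enum os_settings_t os_settings_t;` has no matching enum anywhere in this header and nothing in the HCD state implementation uses it, so it looks like a leftover from the OS IMV header and should be removed. The comment `IMV OS Handshake States (state machine)` should likewise say `IMV HCD Handshake States`. The doc for `set_user_app_disabled` only repeats its name; based on the implementation, which marks `IMV_HCD_ATTR_USER_APP_NAME` as received for every subtype, a comment such as `Mark user application attributes as received for all PA subtypes so they are not requested` would explain the intent. `imv_hcd_state_create` also lacks an `@return imv_hcd_state_t instance` line.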
@@ -270,12 +269,12 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state, } case IETF_ATTR_FORWARDING_ENABLED: { - ietf_attr_fwd_enabled_t *attr_cast; + generic_attr_bool_t *attr_cast; os_fwd_status_t fwd_status; state->set_action_flags(state, IMV_OS_ATTR_FORWARDING_ENABLED); - attr_cast = (ietf_attr_fwd_enabled_t*)attr; + attr_cast = (generic_attr_bool_t*)attr; fwd_status = attr_cast->get_status(attr_cast); DBG1(DBG_IMV, "IPv4 forwarding is %N", os_fwd_status_names, fwd_status); @@ -288,12 +287,12 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state, } case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED: { - ietf_attr_default_pwd_enabled_t *attr_cast; + generic_attr_bool_t *attr_cast; bool default_pwd_status; state->set_action_flags(state, IMV_OS_ATTR_FACTORY_DEFAULT_PWD_ENABLED); - attr_cast = (ietf_attr_default_pwd_enabled_t*)attr; + attr_cast = (generic_attr_bool_t*)attr; default_pwd_status = attr_cast->get_status(attr_cast); DBG1(DBG_IMV, "factory default password is %sabled", default_pwd_status ? "en":"dis"); @@ -542,9 +541,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, max_seg_size = state->get_max_msg_len(state) - PA_TNC_HEADER_SIZE - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_SEG_ENV_HEADER - - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_MAX_SIZE_SIZE; + - TCG_SEG_ATTR_SEG_ENV_HEADER; /* Announce support of PA-TNC segmentation to IMC */ contract = seg_contract_create(msg_types[0], max_attr_size, diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/libimcv/plugins/imv_os/pacman.c index 019e2adb8..fbcab5eba 100644 --- a/src/libimcv/plugins/imv_os/pacman.c +++ b/src/libimcv/plugins/imv_os/pacman.c 
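Review bot: The `IETF_ATTR_FORWARDING_ENABLED` case now casts to `generic_attr_bool_t`, whose `get_status` result is stored into a `bool` elsewhere in this patch, yet here it is assigned to an `os_fwd_status_t` and printed via `os_fwd_status_names`; if that enum has more than two values, the extra state can no longer be represented. The new HCD agent in this same patch handles the identical IETF attribute with `ietf_attr_fwd_enabled_t`, so the two agents disagree on the attribute's type; one of them should change so that `fwd_status = attr_cast->get_status(attr_cast);` has the same meaning in both. `receive_msg` continues outside the hunk.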
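Review bot: The `max_seg_size` computation drops the `PA_TNC_ATTR_HEADER_SIZE` and `TCG_SEG_ATTR_MAX_SIZE_SIZE` terms here and in the matching `imv_swid_agent.c` hunk, but the `batch_ending` of the new `imv_hcd_agent.c` in this same patch still subtracts all five terms. Whichever formula is right, the three agents should agree, since a segment size that is off by those header bytes either wastes space or overruns the negotiated message length; a one-line comment next to the expression stating what the remaining subtrahends account for would also stop the next copy from drifting. `batch_ending` continues outside the hunk.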
@@ -104,8 +104,14 @@ static void cleanup(void) static void usage(void) { - printf("Usage:\n" - "ipsec pacman --product --file [--update]\n"); + printf("Parses package information files from Debian/Ubuntu repositories and\n"); + printf("stores the extracted information in the database used by the OS IMV.\n\n"); + printf("ipsec pacman --product --file [--security]\n\n"); + printf(" --help print usage information\n"); + printf(" --product name of the Debian/Ubuntu release, as stored in the DB\n"); + printf(" --file package information file to parse\n"); + printf(" --security set this when parsing a file with security updates\n"); + printf("\n"); } /** @@ -396,6 +402,17 @@ static void process_packages(char *filename, char *product, bool security) pacman_state = PACMAN_STATE_BEGIN_PACKAGE; } } + switch (pacman_state) + { + case PACMAN_STATE_END_PACKAGE: + free(version); + /* fall-through */ + case PACMAN_STATE_VERSION: + free(package); + break; + default: + break; + } fclose(file); db->destroy(db); diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c index cbabc80bf..acef11cad 100644 --- a/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c +++ b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -35,7 +35,7 @@ typedef struct private_imv_scanner_agent_t private_imv_scanner_agent_t; /* Subscribed PA-TNC message subtypes */ static pen_type_t msg_types[] = { - { PEN_IETF, PA_SUBTYPE_IETF_VPN } + { PEN_IETF, PA_SUBTYPE_IETF_FIREWALL } }; /** diff --git a/src/libimcv/plugins/imv_swid/imv_swid_agent.c b/src/libimcv/plugins/imv_swid/imv_swid_agent.c index 5bebf32c0..6d327830f 100644 --- a/src/libimcv/plugins/imv_swid/imv_swid_agent.c +++ b/src/libimcv/plugins/imv_swid/imv_swid_agent.c 
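Review bot: The rewritten usage text no longer mentions `--update` while the option list now documents `--security`; whether `--update` is still parsed cannot be seen from this hunk, so the option parser should be checked against the new text. As rendered here the placeholders after `--product` and `--file` are empty; if the source really has none, the synopsis line should name the arguments, e.g. `ipsec pacman --product <name> --file <file> [--security]`.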
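Review bot: The added switch frees `version` and `package` according to the parser state at loop exit but leaves both pointers dangling; if `cleanup()` (named in the hunk header) or a later path in `process_packages` also releases them, that is a double free, which cannot be confirmed from this hunk. Writing `free(version); version = NULL;` and `free(package); package = NULL;` makes the teardown idempotent at no cost. A comment above the switch explaining that `package` and `version` are the only heap objects still owned when input ends mid-record would also help the next reader. `process_packages` continues outside the hunk.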
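Review bot: Changing the subscribed subtype from `PA_SUBTYPE_IETF_VPN` to `PA_SUBTYPE_IETF_FIREWALL` alters which PA-TNC messages reach the scanner IMV, and the matching IMC must announce the same subtype or the IMV silently stops receiving its data; the IMC side is not part of what is visible here. A short comment above `msg_types`, e.g. `/* scanner IMC/IMV exchange port-filter data under the IETF firewall subtype */`, would record why this subtype was chosen.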
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -446,9 +446,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, max_seg_size = state->get_max_msg_len(state) - PA_TNC_HEADER_SIZE - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_SEG_ENV_HEADER - - PA_TNC_ATTR_HEADER_SIZE - - TCG_SEG_ATTR_MAX_SIZE_SIZE; + - TCG_SEG_ATTR_SEG_ENV_HEADER; /* Announce support of PA-TNC segmentation to IMC */ contract = seg_contract_create(msg_types[0], max_attr_size, diff --git a/src/libimcv/pwg/pwg_attr.c b/src/libimcv/pwg/pwg_attr.c new file mode 100644 index 000000000..8a2eb2828 --- /dev/null +++ b/src/libimcv/pwg/pwg_attr.c 
@@ -0,0 +1,123 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pwg_attr.h" + +#include "generic/generic_attr_bool.h" +#include "generic/generic_attr_chunk.h" +#include "generic/generic_attr_string.h" +#include "ietf/ietf_attr_fwd_enabled.h" +#include "ietf/ietf_attr_port_filter.h" +#include "pwg/pwg_attr_vendor_smi_code.h" + +ENUM_BEGIN(pwg_attr_names, PWG_HCD_ATTRS_NATURAL_LANG, + PWG_HCD_VENDOR_SMI_CODE, + "HCD AttributesNaturalLanguage", + "HCD MachineTypeModel", + "HCD VendorName", + "HCD VendorSMICode"); +ENUM_NEXT(pwg_attr_names, PWG_HCD_DEFAULT_PWD_ENABLED, + PWG_HCD_FORWARDING_ENABLED, + PWG_HCD_VENDOR_SMI_CODE, + "HCD DefaultPasswordEnabled", + "HCD FirewallSetting", + "HCD ForwardingEnabled"); +ENUM_NEXT(pwg_attr_names, PWG_HCD_PSTN_FAX_ENABLED, + PWG_HCD_PSTN_FAX_ENABLED, + PWG_HCD_FORWARDING_ENABLED, + "HCD PSTNFaxEnabled"); +ENUM_NEXT(pwg_attr_names, PWG_HCD_TIME_SOURCE, + PWG_HCD_TIME_SOURCE, + PWG_HCD_PSTN_FAX_ENABLED, + "HCD TimeSource"); +ENUM_NEXT(pwg_attr_names, PWG_HCD_FIRMWARE_NAME, + PWG_HCD_FIRMWARE_VERSION, + PWG_HCD_TIME_SOURCE, + "HCD FirmwareName", + "HCD FirmwarePatches", + "HCD FirmwareStringVersion", + "HCD FirmwareVersion"); +ENUM_NEXT(pwg_attr_names, PWG_HCD_RESIDENT_APP_NAME, + PWG_HCD_RESIDENT_APP_VERSION, + PWG_HCD_FIRMWARE_VERSION, + "HCD ResidentApplicationName", + "HCD ResidentApplicationPatches", + "HCD ResidentApplicationStringVersion", + "HCD 
ResidentApplicationVersion"); +ENUM_NEXT(pwg_attr_names, PWG_HCD_USER_APP_NAME, + PWG_HCD_USER_APP_PERSIST_ENABLED, + PWG_HCD_RESIDENT_APP_VERSION, + "HCD UserApplicationName", + "HCD UserApplicationPatches", + "HCD UserApplicationStringVersion", + "HCD UserApplicationVersion", + "HCD UserApplicationEnabled", + "HCD UserApplicationPersistenceEnabled"); +ENUM_NEXT(pwg_attr_names, PWG_HCD_CERTIFICATION_STATE, + PWG_HCD_CONFIGURATION_STATE, + PWG_HCD_USER_APP_PERSIST_ENABLED, + "HCD CertificationState", + "HCD ConfigurationState"); +ENUM_END(pwg_attr_names, PWG_HCD_CONFIGURATION_STATE); + +/** + * See header + */ +pa_tnc_attr_t* pwg_attr_create_from_data(u_int32_t type, size_t length, chunk_t value) +{ + switch (type) + { + case PWG_HCD_DEFAULT_PWD_ENABLED: + case PWG_HCD_USER_APP_ENABLED: + case PWG_HCD_USER_APP_PERSIST_ENABLED: + case PWG_HCD_PSTN_FAX_ENABLED: + return generic_attr_bool_create_from_data(length, value, + pen_type_create(PEN_PWG, type)); + case PWG_HCD_ATTRS_NATURAL_LANG: + case PWG_HCD_MACHINE_TYPE_MODEL: + case PWG_HCD_VENDOR_NAME: + case PWG_HCD_FIRMWARE_NAME: + case PWG_HCD_FIRMWARE_PATCHES: + case PWG_HCD_FIRMWARE_STRING_VERSION: + case PWG_HCD_TIME_SOURCE: + case PWG_HCD_USER_APP_NAME: + case PWG_HCD_USER_APP_PATCHES: + case PWG_HCD_USER_APP_STRING_VERSION: + case PWG_HCD_RESIDENT_APP_NAME: + case PWG_HCD_RESIDENT_APP_PATCHES: + case PWG_HCD_RESIDENT_APP_STRING_VERSION: + return generic_attr_string_create_from_data(length, value, + pen_type_create(PEN_PWG, type)); + case PWG_HCD_FIRMWARE_VERSION: + case PWG_HCD_RESIDENT_APP_VERSION: + case PWG_HCD_USER_APP_VERSION: + return generic_attr_chunk_create_from_data(length, value, 16, + pen_type_create(PEN_PWG, type)); + case PWG_HCD_CERTIFICATION_STATE: + case PWG_HCD_CONFIGURATION_STATE: + return generic_attr_chunk_create_from_data(length, value, 0, + pen_type_create(PEN_PWG, type)); + case PWG_HCD_VENDOR_SMI_CODE: + return pwg_attr_vendor_smi_code_create_from_data(length, value); + case 
PWG_HCD_FORWARDING_ENABLED: + return ietf_attr_fwd_enabled_create_from_data(length, value, + pen_type_create(PEN_PWG, type)); + case PWG_HCD_FIREWALL_SETTING: + return ietf_attr_port_filter_create_from_data(length, value, + pen_type_create(PEN_PWG, type)); + default: + return NULL; + } +} diff --git a/src/libimcv/pwg/pwg_attr.h b/src/libimcv/pwg/pwg_attr.h new file mode 100644 index 000000000..01db42cd2 --- /dev/null +++ b/src/libimcv/pwg/pwg_attr.h 
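Review bot: `pwg_attr_create_from_data` takes `u_int32_t type` whereas the rest of this patch uses the standard `uint32_t` (for instance `uint32_t received` and `uint32_t smi_code` in the HCD agent); the signature here and in `pwg_attr.h` should use `uint32_t` for consistency and portability. The literal third arguments `16` and `0` passed to `generic_attr_chunk_create_from_data` are unexplained; they presumably give the expected value length, so a comment such as `/* the *Version attributes carry a fixed 16-octet value; the *State attributes are variable-length — confirm against the HCD binding */` above those cases would make the intent reviewable.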
@@ -0,0 +1,75 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pwg_attr pwg_attr + * @{ @ingroup libimcv + */ + +#ifndef PWG_ATTR_H_ +#define PWG_ATTR_H_ + +#include +#include + +typedef enum pwg_attr_t pwg_attr_t; + +/** + * PWG HCD IF-M Attributes (Hardcopy Device Health Assessment TNC Binding) + */ +enum pwg_attr_t { + PWG_HCD_ATTRS_NATURAL_LANG = 0x00000001, /* 1 */ + PWG_HCD_MACHINE_TYPE_MODEL = 0x00000002, /* 2 */ + PWG_HCD_VENDOR_NAME = 0x00000003, /* 3 */ + PWG_HCD_VENDOR_SMI_CODE = 0x00000004, /* 4 */ + PWG_HCD_DEFAULT_PWD_ENABLED = 0x00000014, /* 20 */ + PWG_HCD_FIREWALL_SETTING = 0x00000015, /* 21 */ + PWG_HCD_FORWARDING_ENABLED = 0x00000016, /* 22 */ + PWG_HCD_PSTN_FAX_ENABLED = 0x00000028, /* 40 */ + PWG_HCD_TIME_SOURCE = 0x00000032, /* 50 ??? 
*/ + PWG_HCD_FIRMWARE_NAME = 0x0000003C, /* 60 */ + PWG_HCD_FIRMWARE_PATCHES = 0x0000003D, /* 61 */ + PWG_HCD_FIRMWARE_STRING_VERSION = 0x0000003E, /* 62 */ + PWG_HCD_FIRMWARE_VERSION = 0x0000003F, /* 63 */ + PWG_HCD_RESIDENT_APP_NAME = 0x00000050, /* 80 */ + PWG_HCD_RESIDENT_APP_PATCHES = 0x00000051, /* 81 */ + PWG_HCD_RESIDENT_APP_STRING_VERSION = 0x00000052, /* 82 */ + PWG_HCD_RESIDENT_APP_VERSION = 0x00000053, /* 83 */ + PWG_HCD_USER_APP_NAME = 0x00000064, /* 100 */ + PWG_HCD_USER_APP_PATCHES = 0x00000065, /* 101 */ + PWG_HCD_USER_APP_STRING_VERSION = 0x00000066, /* 102 */ + PWG_HCD_USER_APP_VERSION = 0x00000067, /* 103 */ + PWG_HCD_USER_APP_ENABLED = 0x00000068, /* 104 */ + PWG_HCD_USER_APP_PERSIST_ENABLED = 0x00000069, /* 105 */ + PWG_HCD_CERTIFICATION_STATE = 0x000000C8, /* 200 */ + PWG_HCD_CONFIGURATION_STATE = 0x000000C9, /* 201 */ +}; + +/** + * enum name for pwg_attr_t. + */ +extern enum_name_t *pwg_attr_names; + +/** + * Create a TCG PA-TNC attribute from data + * + * @param type attribute type + * @param length attribute length + * @param value attribute value or segment + */ +pa_tnc_attr_t* pwg_attr_create_from_data(u_int32_t type, size_t length, + chunk_t value); + +#endif /** PWG_ATTR_H_ @}*/ diff --git a/src/libimcv/pwg/pwg_attr_vendor_smi_code.c b/src/libimcv/pwg/pwg_attr_vendor_smi_code.c new file mode 100644 index 000000000..7931259aa --- /dev/null +++ b/src/libimcv/pwg/pwg_attr_vendor_smi_code.c 
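Review bot: The `/* 50 ??? */` comment on `PWG_HCD_TIME_SOURCE` ships an unresolved doubt about a wire-protocol type value in a public header, while every neighbouring enumerator carries a definite decimal, so a reader cannot tell whether 0x32 was checked against the PWG HCD binding or guessed. Either confirm the value and change the comment to `/* 50 */`, or keep the doubt explicit as `/* 50 - TODO: verify against the PWG HCD binding */` so it is not read as settled. The `pwg_attr_create_from_data` prototype also documents its parameters but not its result; the switch in pwg_attr.c at the top of this page returns NULL for unknown types, so `@return PA-TNC attribute or NULL if the type is not supported` would tell callers what to check.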
@@ -0,0 +1,236 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pwg_attr_vendor_smi_code.h" + +#include +#include +#include +#include + +typedef struct private_pwg_attr_vendor_smi_code_t private_pwg_attr_vendor_smi_code_t; + +/** + * PWG HCD PA-TNC Vendor SMI Code + * + * 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Reserved | Vendor SMI Code | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define VENDOR_SMI_CODE_SIZE 4 + +/** + * Private data of an pwg_attr_vendor_smi_code_t object. 
+ */ +struct private_pwg_attr_vendor_smi_code_t { + + /** + * Public members of pwg_attr_vendor_smi_code_t + */ + pwg_attr_vendor_smi_code_t public; + + /** + * Vendor-specific attribute type + */ + pen_type_t type; + + /** + * Length of attribute value + */ + size_t length; + + /** + * Attribute value or segment + */ + chunk_t value; + + /** + * Noskip flag + */ + bool noskip_flag; + + /** + * Vendor SMI code + */ + pen_t vendor_smi_code; + + /** + * Reference count + */ + refcount_t ref; +}; + +METHOD(pa_tnc_attr_t, get_type, pen_type_t, + private_pwg_attr_vendor_smi_code_t *this) +{ + return this->type; +} + +METHOD(pa_tnc_attr_t, get_value, chunk_t, + private_pwg_attr_vendor_smi_code_t *this) +{ + return this->value; +} + +METHOD(pa_tnc_attr_t, get_noskip_flag, bool, + private_pwg_attr_vendor_smi_code_t *this) +{ + return this->noskip_flag; +} + +METHOD(pa_tnc_attr_t, set_noskip_flag,void, + private_pwg_attr_vendor_smi_code_t *this, bool noskip) +{ + this->noskip_flag = noskip; +} + +METHOD(pa_tnc_attr_t, build, void, + private_pwg_attr_vendor_smi_code_t *this) +{ + bio_writer_t *writer; + + if (this->value.ptr) + { + return; + } + writer = bio_writer_create(VENDOR_SMI_CODE_SIZE); + writer->write_uint32(writer, this->vendor_smi_code); + + this->value = writer->extract_buf(writer); + this->length = this->value.len; + writer->destroy(writer); +} + +METHOD(pa_tnc_attr_t, process, status_t, + private_pwg_attr_vendor_smi_code_t *this, u_int32_t *offset) +{ + bio_reader_t *reader; + uint32_t vendor_smi_code; + uint8_t reserved; + + *offset = 0; + + if (this->value.len < this->length) + { + return NEED_MORE; + } + if (this->value.len != VENDOR_SMI_CODE_SIZE) + { + DBG1(DBG_TNC, "incorrect attribute length for PWG HCD Vendor SMI Code"); + return FAILED; + } + reader = bio_reader_create(this->value); + reader->read_uint8 (reader, &reserved); + reader->read_uint24(reader, &vendor_smi_code); + reader->destroy(reader); + this->vendor_smi_code = vendor_smi_code; + + return 
SUCCESS; +} + +METHOD(pa_tnc_attr_t, add_segment, void, + private_pwg_attr_vendor_smi_code_t *this, chunk_t segment) +{ + this->value = chunk_cat("mc", this->value, segment); +} + +METHOD(pa_tnc_attr_t, get_ref, pa_tnc_attr_t*, + private_pwg_attr_vendor_smi_code_t *this) +{ + ref_get(&this->ref); + return &this->public.pa_tnc_attribute; +} + +METHOD(pa_tnc_attr_t, destroy, void, + private_pwg_attr_vendor_smi_code_t *this) +{ + if (ref_put(&this->ref)) + { + free(this->value.ptr); + free(this); + } +} + +METHOD(pwg_attr_vendor_smi_code_t, get_vendor_smi_code, pen_t, + private_pwg_attr_vendor_smi_code_t *this) +{ + return this->vendor_smi_code; +} + +/** + * Described in header. + */ +pa_tnc_attr_t *pwg_attr_vendor_smi_code_create(pen_t vendor_smi_code) +{ + private_pwg_attr_vendor_smi_code_t *this; + + INIT(this, + .public = { + .pa_tnc_attribute = { + .get_type = _get_type, + .get_value = _get_value, + .get_noskip_flag = _get_noskip_flag, + .set_noskip_flag = _set_noskip_flag, + .build = _build, + .process = _process, + .add_segment = _add_segment, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_vendor_smi_code = _get_vendor_smi_code, + }, + .type = { PEN_PWG, PWG_HCD_VENDOR_SMI_CODE }, + .vendor_smi_code = vendor_smi_code, + .ref = 1, + ); + + return &this->public.pa_tnc_attribute; +} + +/** + * Described in header. 
+ */ +pa_tnc_attr_t *pwg_attr_vendor_smi_code_create_from_data(size_t length, + chunk_t data) +{ + private_pwg_attr_vendor_smi_code_t *this; + + INIT(this, + .public = { + .pa_tnc_attribute = { + .get_type = _get_type, + .get_value = _get_value, + .get_noskip_flag = _get_noskip_flag, + .set_noskip_flag = _set_noskip_flag, + .build = _build, + .process = _process, + .add_segment = _add_segment, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_vendor_smi_code = _get_vendor_smi_code, + }, + .type = { PEN_PWG, PWG_HCD_VENDOR_SMI_CODE }, + .length = length, + .value = chunk_clone(data), + .ref = 1, + ); + + return &this->public.pa_tnc_attribute; +} + diff --git a/src/libimcv/pwg/pwg_attr_vendor_smi_code.h b/src/libimcv/pwg/pwg_attr_vendor_smi_code.h new file mode 100644 index 000000000..31255b43f --- /dev/null +++ b/src/libimcv/pwg/pwg_attr_vendor_smi_code.h 
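Review bot: `build()` encodes `this->vendor_smi_code` with a single `write_uint32`, so a `pen_t` value with any bit above the low 24 set would spill into the Reserved octet, whereas the format comment and `process()` (`read_uint8` for reserved, `read_uint24` for the code) treat that octet as a separate field; the encoder and decoder should agree. Writing the fields the way they are read keeps them consistent: `writer->write_uint8(writer, 0);` followed by `writer->write_uint24(writer, this->vendor_smi_code);`. `process()` reads `reserved` and then silently drops it; if the binding requires the octet to be zero on receipt a check belongs here, otherwise a `/* reserved octet is ignored on receipt */` comment would make the choice visible.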
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pwg_attr_vendor_smi_codet pwg_attr_vendor_smi_code
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef PWG_ATTR_VENDOR_SMI_CODE_H_
+#define PWG_ATTR_VENDOR_SMI_CODE_H_
+
+typedef struct pwg_attr_vendor_smi_code_t pwg_attr_vendor_smi_code_t;
+
+#include "pwg_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * Class implementing the PWG HCD PA-TNC Vendor SMI Code attribute.
+ *
+ */
+struct pwg_attr_vendor_smi_code_t {
+
+ /**
+ * Public PA-TNC attribute interface
+ */
+ pa_tnc_attr_t pa_tnc_attribute;
+
+ /**
+ * Gets the Vendor SMI Code
+ *
+ * @return Vendor SMI Code
+ */
+ pen_t (*get_vendor_smi_code)(pwg_attr_vendor_smi_code_t *this);
+
+};
+
+/**
+ * Creates an pwg_attr_vendor_smi_code_t object
+ *
+ */
+pa_tnc_attr_t* pwg_attr_vendor_smi_code_create(pen_t vendor_smi_code);
+
+/**
+ * Creates an pwg_attr_vendor_smi_code_t object from received data
+ *
+ * @param length Total length of attribute value
+ * @param value Unparsed attribute value (might be a segment)
+ */
+pa_tnc_attr_t* pwg_attr_vendor_smi_code_create_from_data(size_t length,
+ chunk_t value);
+
+#endif /** PWG_ATTR_VENDOR_SMI_CODE_H_ @}*/
diff --git a/src/libimcv/seg/seg_contract.c b/src/libimcv/seg/seg_contract.c
index 7db702a08..41aed583a 100644
--- a/src/libimcv/seg/seg_contract.c
+++ b/src/libimcv/seg/seg_contract.c
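Review bot: The Doxygen header of this new file looks copied from an IETF attribute header: the group is tagged `@ingroup ietf_attr` although the companion pwg_attr.h on this page places its group under `libimcv`, and the group name `pwg_attr_vendor_smi_codet` carries a stray trailing `t`. `@defgroup pwg_attr_vendor_smi_code pwg_attr_vendor_smi_code` with `@{ @ingroup pwg_attr` would file it where a reader of pwg_attr.h expects. The `pwg_attr_vendor_smi_code_create` docstring has an empty `*` line where a parameter line belongs; `@param vendor_smi_code	Vendor SMI Code to encode in the attribute` completes it.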
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -148,7 +148,7 @@ METHOD(seg_contract_t, check_size, bool, } METHOD(seg_contract_t, first_segment, pa_tnc_attr_t*, - private_seg_contract_t *this, pa_tnc_attr_t *attr) + private_seg_contract_t *this, pa_tnc_attr_t *attr, size_t max_attr_len) { seg_env_t *seg_env; @@ -160,7 +160,7 @@ METHOD(seg_contract_t, first_segment, pa_tnc_attr_t*, } this->seg_envs->insert_last(this->seg_envs, seg_env); - return seg_env->first_segment(seg_env); + return seg_env->first_segment(seg_env, max_attr_len); } METHOD(seg_contract_t, next_segment, pa_tnc_attr_t*, diff --git a/src/libimcv/seg/seg_contract.h b/src/libimcv/seg/seg_contract.h index 23676a9f4..afbf30934 100644 --- a/src/libimcv/seg/seg_contract.h +++ b/src/libimcv/seg/seg_contract.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -78,9 +78,11 @@ struct seg_contract_t { * Generate first segment of a PA-TNC attribute according to the contract * * @param attr PA-TNC attribute to be segmented + * @param max_attr_len Maximum size of first segment envelope attribute * @return First segment envelope attribute */ - pa_tnc_attr_t* (*first_segment)(seg_contract_t *this, pa_tnc_attr_t *attr); + pa_tnc_attr_t* (*first_segment)(seg_contract_t *this, pa_tnc_attr_t *attr, + size_t max_attr_len); /** * Generate next segment of a PA-TNC attribute according to the contract diff --git a/src/libimcv/seg/seg_env.c b/src/libimcv/seg/seg_env.c index f38419248..8d0f76007 100644 --- a/src/libimcv/seg/seg_env.c +++ b/src/libimcv/seg/seg_env.c 
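Review bot: The new `@param max_attr_len` in seg_contract.h (and the matching one in the seg_env.h hunk further down) says only "Maximum size of first segment envelope attribute", but the seg_env.c implementation on this page treats 0 specially by falling back to `this->max_seg_size`, and the updated tests rely on that by passing 0. A caller reading the header cannot discover that convention; suggest `@param max_attr_len	Maximum size of first segment envelope attribute, 0 to apply max_seg_size only` in both headers. The seg_contract.c hunk is a plain pass-through of the new argument and needs nothing beyond that.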
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -89,14 +89,21 @@ METHOD(seg_env_t, get_base_attr_info, chunk_t, } METHOD(seg_env_t, first_segment, pa_tnc_attr_t*, - private_seg_env_t *this) + private_seg_env_t *this, size_t max_attr_len) { pa_tnc_attr_t *seg_env_attr; bio_writer_t *writer; pen_type_t type; chunk_t segment_data, value; + size_t seg_size; uint8_t flags, seg_env_flags; + /* compute size of first segment */ + seg_size = max_attr_len ? min(this->max_seg_size, + max_attr_len - PA_TNC_ATTR_HEADER_SIZE + - TCG_SEG_ATTR_SEG_ENV_HEADER) + : this->max_seg_size; + /* get components of base attribute header and data */ flags = this->base_attr->get_noskip_flag(this->base_attr) ? PA_TNC_ATTR_FLAG_NOSKIP : PA_TNC_ATTR_FLAG_NONE; @@ -104,7 +111,7 @@ METHOD(seg_env_t, first_segment, pa_tnc_attr_t*, /* attribute data going into the first segment */ segment_data = this->data; - segment_data.len = this->max_seg_size - PA_TNC_ATTR_HEADER_SIZE; + segment_data.len = seg_size - PA_TNC_ATTR_HEADER_SIZE; /* build encoding of the base attribute header and first segment data */ writer = bio_writer_create(this->max_seg_size); @@ -118,7 +125,7 @@ METHOD(seg_env_t, first_segment, pa_tnc_attr_t*, this->data = chunk_skip(this->data, segment_data.len); DBG2(DBG_TNC, "creating first segment for base attribute ID %d (%d bytes)", - this->base_attr_id, this->max_seg_size); + this->base_attr_id, seg_size); seg_env_flags = SEG_ENV_FLAG_START | SEG_ENV_FLAG_MORE; seg_env_attr = tcg_seg_attr_seg_env_create(value, seg_env_flags, diff --git a/src/libimcv/seg/seg_env.h b/src/libimcv/seg/seg_env.h index 611f9a98a..5f21236f0 100644 --- a/src/libimcv/seg/seg_env.h +++ b/src/libimcv/seg/seg_env.h 
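Review bot: The new `seg_size` computation in `first_segment` has no lower bound on a non-zero `max_attr_len`: a value below `PA_TNC_ATTR_HEADER_SIZE + TCG_SEG_ATTR_SEG_ENV_HEADER` wraps the `size_t` subtraction (which `min()` happens to mask), but a value only slightly above that sum yields a `seg_size` smaller than `PA_TNC_ATTR_HEADER_SIZE`, and the second hunk's `segment_data.len = seg_size - PA_TNC_ATTR_HEADER_SIZE;` then wraps to a huge length that is encoded into the segment and handed to `chunk_skip()`. Where `max_attr_len` comes from is not visible here; if it can be derived from a peer-announced maximum message size it should be validated at that boundary, and this method should still refuse the degenerate case, e.g. `if (max_attr_len && max_attr_len <= 2 * PA_TNC_ATTR_HEADER_SIZE + TCG_SEG_ATTR_SEG_ENV_HEADER) { return NULL; }` placed before the computation — assuming callers already handle a NULL first segment, which the hunk does not show. The body of `first_segment` continues past the last hunk of this file.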
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -66,9 +66,10 @@ struct seg_env_t { /** * Generate the first segment envelope of the base attribute * + * @param max_attr_len Maximum size of first attribute segment envelope * @return First attribute segment envelope */ - pa_tnc_attr_t* (*first_segment)(seg_env_t *this); + pa_tnc_attr_t* (*first_segment)(seg_env_t *this, size_t max_attr_len); /** * Generate the next segment envelope of the base attribute diff --git a/src/libimcv/suites/test_imcv_seg.c b/src/libimcv/suites/test_imcv_seg.c index 8b51eda05..5245be9fa 100644 --- a/src/libimcv/suites/test_imcv_seg.c +++ b/src/libimcv/suites/test_imcv_seg.c @@ -42,7 +42,7 @@ static struct { { 24, 1, 24 }, { 25, 1, 23 }, { 47, 1, 1 }, - { 48, 0, 0 }, + { 48, 0, 0 }, }; static char command[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; @@ -87,7 +87,7 @@ START_TEST(test_imcv_seg_env) if (n == 0) { /* create first segment */ - attr = seg_env->first_segment(seg_env); + attr = seg_env->first_segment(seg_env, 0); seg_env_attr = (tcg_seg_attr_seg_env_t*)attr; segment = seg_env_attr->get_segment(seg_env_attr, &flags); @@ -168,8 +168,9 @@ START_TEST(test_imcv_seg_env_special) pen_type_t type; seg_env_t *seg_env; chunk_t segment, value; + uint32_t max_attr_len = 60; uint32_t max_seg_size = 47; - uint32_t last_seg_size = 1; + uint32_t last_seg_size = 4; uint32_t offset = 12; base_attr = ita_attr_command_create(command); @@ -179,7 +180,7 @@ START_TEST(test_imcv_seg_env_special) base_attr->set_noskip_flag(base_attr, TRUE); seg_env = seg_env_create(id, base_attr, max_seg_size); - attr = seg_env->first_segment(seg_env); + attr = seg_env->first_segment(seg_env, max_attr_len); attr->destroy(attr); /* don't return last segment indicator */ 
@@ -306,7 +307,7 @@ START_TEST(test_imcv_seg_contract) contract_r = seg_contract_create(msg_type, max_attr_size, max_seg_size, FALSE, issuer_id, TRUE); attr = contract_r->first_segment(contract_r, - base_attr_r->get_ref(base_attr_r)); + base_attr_r->get_ref(base_attr_r), 0); if (seg_env_tests[_i].next_segs == 0) { @@ -422,8 +423,8 @@ START_TEST(test_imcv_seg_contract_special) ck_assert(!oversize); /* get first segment of each base attribute */ - attr1_f = contract_r->first_segment(contract_r, base_attr1_r->get_ref(base_attr1_r)); - attr2_f = contract_r->first_segment(contract_r, base_attr2_r->get_ref(base_attr2_r)); + attr1_f = contract_r->first_segment(contract_r, base_attr1_r->get_ref(base_attr1_r), 0); + attr2_f = contract_r->first_segment(contract_r, base_attr2_r->get_ref(base_attr2_r), 0); ck_assert(attr1_f); ck_assert(attr2_f); seg_env_attr1 = (tcg_seg_attr_seg_env_t*)attr1_f; diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am index 41f5ae937..90b456114 100644 --- a/src/libipsec/Makefile.am +++ b/src/libipsec/Makefile.am @@ -24,11 +24,4 @@ AM_LDFLAGS = \ EXTRA_DIST = Android.mk -# build optional plugins -######################## - -if MONOLITHIC -SUBDIRS = -else -SUBDIRS = . -endif +SUBDIRS = . tests diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in index a80d28ac6..aa793441b 100644 --- a/src/libipsec/Makefile.in +++ b/src/libipsec/Makefile.in @@ -214,7 +214,7 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . +DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -490,11 +490,7 @@ AM_LDFLAGS = \ -no-undefined EXTRA_DIST = Android.mk -@MONOLITHIC_FALSE@SUBDIRS = . - -# build optional plugins -######################## -@MONOLITHIC_TRUE@SUBDIRS = +SUBDIRS = . tests all: all-recursive .SUFFIXES: diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c index a2307e048..b742d1576 100644 
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -215,6 +215,7 @@ static bool create_aead(private_esp_context_t *this, int alg,
 case ENCR_AES_GCM_ICV8:
 case ENCR_AES_GCM_ICV12:
 case ENCR_AES_GCM_ICV16:
+ case ENCR_CHACHA20_POLY1305:
 /* the key includes a 4 byte salt */
 this->aead = lib->crypto->create_aead(lib->crypto, alg,
 key.len - 4, 4);
diff --git a/src/libipsec/tests/Makefile.am b/src/libipsec/tests/Makefile.am
new file mode 100644
index 000000000..6138833e7
--- /dev/null
+++ b/src/libipsec/tests/Makefile.am
@@ -0,0 +1,21 @@
+TESTS = ipsec_tests
+
+check_PROGRAMS = $(TESTS)
+
+ipsec_tests_SOURCES = \
+ suites/test_chapoly.c \
+ ipsec_tests.h ipsec_tests.c
+
+ipsec_tests_CFLAGS = \
+ -I$(top_srcdir)/src/libipsec \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
+ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
+ -DPLUGINS=\""${s_plugins}\"" \
+ @COVERAGE_CFLAGS@
+
+ipsec_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+ipsec_tests_LDADD = \
+ $(top_builddir)/src/libipsec/libipsec.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libipsec/tests/Makefile.in b/src/libipsec/tests/Makefile.in
new file mode 100644
index 000000000..9a9bb3142
--- /dev/null
+++ b/src/libipsec/tests/Makefile.in
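Review bot: The new `ENCR_CHACHA20_POLY1305` case reuses `key.len - 4` and, within this hunk, nothing establishes that `key.len` is at least 4 before the subtraction, so a too-short key wraps the `size_t` and a huge key length reaches `create_aead()`. RFC 7634 fixes the ESP keying material for this algorithm at a 32-byte key plus the 4-byte salt; unless `lib->crypto->create_aead()` is known to reject odd lengths, a guard such as `if (key.len <= 4) { return FALSE; }` ahead of the subtraction would fail closed. Extending the comment to `/* the key includes a 4 byte salt (32+4 bytes for ChaCha20-Poly1305, RFC 7634) */` would also record why the salt split applies to a non-GCM cipher. The enclosing `create_aead` starts and ends outside the hunk.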
@@ -0,0 +1,870 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = 
$(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +TESTS = ipsec_tests$(EXEEXT) +check_PROGRAMS = $(am__EXEEXT_1) +subdir = src/libipsec/tests +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__EXEEXT_1 = ipsec_tests$(EXEEXT) +am__dirstamp = $(am__leading_dot)dirstamp +am_ipsec_tests_OBJECTS = suites/ipsec_tests-test_chapoly.$(OBJEXT) \ + ipsec_tests-ipsec_tests.$(OBJEXT) +ipsec_tests_OBJECTS = $(am_ipsec_tests_OBJECTS) +ipsec_tests_DEPENDENCIES = $(top_builddir)/src/libipsec/libipsec.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +ipsec_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(ipsec_tests_CFLAGS) \ + $(CFLAGS) $(ipsec_tests_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(ipsec_tests_SOURCES) +DIST_SOURCES = $(ipsec_tests_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. 
This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red=''; \ + grn=''; \ + lgn=''; \ + blu=''; \ + mgn=''; \ + brg=''; \ + std=''; \ + fi; \ +} +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = 
@LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = 
@attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = 
@pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +ipsec_tests_SOURCES = \ + suites/test_chapoly.c \ + ipsec_tests.h ipsec_tests.c + +ipsec_tests_CFLAGS = \ + -I$(top_srcdir)/src/libipsec \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS=\""${s_plugins}\"" \ + @COVERAGE_CFLAGS@ + +ipsec_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +ipsec_tests_LDADD = \ + $(top_builddir)/src/libipsec/libipsec.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && 
$(AUTOMAKE) --gnu src/libipsec/tests/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libipsec/tests/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +suites/$(am__dirstamp): + @$(MKDIR_P) suites + @: > suites/$(am__dirstamp) +suites/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) suites/$(DEPDIR) + @: > suites/$(DEPDIR)/$(am__dirstamp) +suites/ipsec_tests-test_chapoly.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) + +ipsec_tests$(EXEEXT): $(ipsec_tests_OBJECTS) $(ipsec_tests_DEPENDENCIES) $(EXTRA_ipsec_tests_DEPENDENCIES) + @rm -f ipsec_tests$(EXEEXT) + $(AM_V_CCLD)$(ipsec_tests_LINK) $(ipsec_tests_OBJECTS) $(ipsec_tests_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + -rm -f suites/*.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_tests-ipsec_tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/ipsec_tests-test_chapoly.Po@am__quote@ + 
+.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +suites/ipsec_tests-test_chapoly.o: suites/test_chapoly.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipsec_tests_CFLAGS) $(CFLAGS) -MT suites/ipsec_tests-test_chapoly.o -MD -MP -MF suites/$(DEPDIR)/ipsec_tests-test_chapoly.Tpo -c -o suites/ipsec_tests-test_chapoly.o `test -f 'suites/test_chapoly.c' || echo '$(srcdir)/'`suites/test_chapoly.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
suites/$(DEPDIR)/ipsec_tests-test_chapoly.Tpo suites/$(DEPDIR)/ipsec_tests-test_chapoly.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chapoly.c' object='suites/ipsec_tests-test_chapoly.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipsec_tests_CFLAGS) $(CFLAGS) -c -o suites/ipsec_tests-test_chapoly.o `test -f 'suites/test_chapoly.c' || echo '$(srcdir)/'`suites/test_chapoly.c + +suites/ipsec_tests-test_chapoly.obj: suites/test_chapoly.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipsec_tests_CFLAGS) $(CFLAGS) -MT suites/ipsec_tests-test_chapoly.obj -MD -MP -MF suites/$(DEPDIR)/ipsec_tests-test_chapoly.Tpo -c -o suites/ipsec_tests-test_chapoly.obj `if test -f 'suites/test_chapoly.c'; then $(CYGPATH_W) 'suites/test_chapoly.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chapoly.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/ipsec_tests-test_chapoly.Tpo suites/$(DEPDIR)/ipsec_tests-test_chapoly.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_chapoly.c' object='suites/ipsec_tests-test_chapoly.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipsec_tests_CFLAGS) $(CFLAGS) -c -o suites/ipsec_tests-test_chapoly.obj `if test -f 'suites/test_chapoly.c'; then $(CYGPATH_W) 'suites/test_chapoly.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_chapoly.c'; fi` + +ipsec_tests-ipsec_tests.o: ipsec_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipsec_tests_CFLAGS) $(CFLAGS) -MT ipsec_tests-ipsec_tests.o -MD -MP -MF 
$(DEPDIR)/ipsec_tests-ipsec_tests.Tpo -c -o ipsec_tests-ipsec_tests.o `test -f 'ipsec_tests.c' || echo '$(srcdir)/'`ipsec_tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipsec_tests-ipsec_tests.Tpo $(DEPDIR)/ipsec_tests-ipsec_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipsec_tests.c' object='ipsec_tests-ipsec_tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipsec_tests_CFLAGS) $(CFLAGS) -c -o ipsec_tests-ipsec_tests.o `test -f 'ipsec_tests.c' || echo '$(srcdir)/'`ipsec_tests.c + +ipsec_tests-ipsec_tests.obj: ipsec_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipsec_tests_CFLAGS) $(CFLAGS) -MT ipsec_tests-ipsec_tests.obj -MD -MP -MF $(DEPDIR)/ipsec_tests-ipsec_tests.Tpo -c -o ipsec_tests-ipsec_tests.obj `if test -f 'ipsec_tests.c'; then $(CYGPATH_W) 'ipsec_tests.c'; else $(CYGPATH_W) '$(srcdir)/ipsec_tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/ipsec_tests-ipsec_tests.Tpo $(DEPDIR)/ipsec_tests-ipsec_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipsec_tests.c' object='ipsec_tests-ipsec_tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipsec_tests_CFLAGS) $(CFLAGS) -c -o ipsec_tests-ipsec_tests.obj `if test -f 'ipsec_tests.c'; then $(CYGPATH_W) 'ipsec_tests.c'; else $(CYGPATH_W) '$(srcdir)/ipsec_tests.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) 
$(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + $(am__tty_colors); \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + col=$$red; res=XPASS; \ + ;; \ + *) \ + col=$$grn; res=PASS; \ + ;; \ + esac; \ + elif test $$? 
-ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + col=$$lgn; res=XFAIL; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + col=$$red; res=FAIL; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + col=$$blu; res=SKIP; \ + fi; \ + echo "$${col}$$res$${std}: $$tst"; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + if test "$$failed" -eq 0; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + fi; \ + echo "$${col}$$dashes$${std}"; \ + echo "$${col}$$banner$${std}"; \ + test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ + test -z "$$report" || echo "$${col}$$report$${std}"; \ + echo "$${col}$$dashes$${std}"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: 
$(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: 
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f suites/$(DEPDIR)/$(am__dirstamp) + -rm -f suites/$(am__dirstamp) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ + clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip 
installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libipsec/tests/ipsec_tests.c b/src/libipsec/tests/ipsec_tests.c new file mode 100644 index 000000000..d5e905304 --- /dev/null +++ b/src/libipsec/tests/ipsec_tests.c 
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include 
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "ipsec_tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+ { .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, ...) \
+ { .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) },
+#include "ipsec_tests.h"
+ { .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+ if (init)
+ {
+ plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+ if (!lib->plugins->load(lib->plugins, PLUGINS))
+ {
+ return FALSE;
+ }
+ }
+ else
+ {
+ lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
+ lib->processor->set_threads(lib->processor, 0);
+ lib->processor->cancel(lib->processor);
+ lib->plugins->unload(lib->plugins);
+ }
+ return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+ return test_runner_run("libipsec", tests, test_runner_init);
+}
diff --git a/src/libipsec/tests/ipsec_tests.h b/src/libipsec/tests/ipsec_tests.h
new file mode 100644
index 000000000..1b591f9d0
--- /dev/null
+++ b/src/libipsec/tests/ipsec_tests.h
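Review bot: `#define TEST_SUITE(x) test_suite_t* x();` declares every suite constructor with an empty parameter list, which in C is an unprototyped declaration rather than a prototype, so a call with stray arguments would go undiagnosed; `#define TEST_SUITE(x) test_suite_t* x(void);` makes it a real prototype, and the matching definition `Suite *chapoly_suite_create()` in the test_chapoly.c hunk should take `(void)` for the same reason. That declaration names the return type `test_suite_t*` while the definition returns `Suite *`; presumably one is a typedef of the other in the test framework header, but that is not visible here and is worth confirming. The `else` branch of test_runner_init flushes the credential cache before tearing down threads and plugins without saying why; a short `/* drop cached certs before the plugins that provided them are unloaded */` would help, if that is the reason.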
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE_DEPEND(chapoly_suite_create, AEAD, ENCR_CHACHA20_POLY1305, 32)
diff --git a/src/libipsec/tests/suites/test_chapoly.c b/src/libipsec/tests/suites/test_chapoly.c
new file mode 100644
index 000000000..31dc2ac7b
--- /dev/null
+++ b/src/libipsec/tests/suites/test_chapoly.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include 
+
+#include 
+#include 
+
+static iv_gen_t *ivgen;
+
+METHOD(aead_t, get_iv_gen, iv_gen_t*,
+ aead_t *this)
+{
+ return ivgen;
+}
+
+METHOD(iv_gen_t, get_iv, bool,
+ iv_gen_t *this, u_int64_t seq, size_t size, u_int8_t *buffer)
+{
+ if (size != 8)
+ {
+ return FALSE;
+ }
+ memcpy(buffer, "\x10\x11\x12\x13\x14\x15\x16\x17", 8);
+ return TRUE;
+}
+
+METHOD(iv_gen_t, allocate_iv, bool,
+ iv_gen_t *this, u_int64_t seq, size_t size, chunk_t *chunk)
+{
+ if (size != 8)
+ {
+ return FALSE;
+ }
+ *chunk = chunk_alloc(size);
+ return get_iv(this, seq, chunk->len, chunk->ptr);
+}
+
+/**
+ * Appendix A draft-ietf-ipsecme-chacha20-poly1305-06
+ */
+START_TEST(test_chapoly)
+{
+ host_t *src, *dst;
+ ip_packet_t *icmp;
+ esp_packet_t *esp;
+ esp_context_t *ctx;
+ chunk_t data, exp;
+ u_int32_t seq = 0;
+
+ icmp = ip_packet_create(chunk_clone(chunk_from_chars(
+ 0x45,0x00,0x00,0x54,0xa6,0xf2,0x00,0x00,
+ 0x40,0x01,0xe7,0x78,0xc6,0x33,0x64,0x05,
+ 0xc0,0x00,0x02,0x05,0x08,0x00,0x5b,0x7a,
+ 0x3a,0x08,0x00,0x00,0x55,0x3b,0xec,0x10,
+ 0x00,0x07,0x36,0x27,0x08,0x09,0x0a,0x0b,
+ 0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,
+ 0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,
+ 0x1c,0x1d,0x1e,0x1f,0x20,0x21,0x22,0x23,
+ 0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,
+ 0x2c,0x2d,0x2e,0x2f,0x30,0x31,0x32,0x33,
+ 0x34,0x35,0x36,0x37)));
+ ck_assert(icmp);
+
+ src = 
host_create_from_string("203.0.113.153", 0);
+ dst = host_create_from_string("203.0.113.5", 0);
+ esp = esp_packet_create_from_payload(src, dst, icmp);
+
+ ctx = esp_context_create(ENCR_CHACHA20_POLY1305, chunk_from_chars(
+ 0x80,0x81,0x82,0x83,0x84,0x85,0x86,0x87,
+ 0x88,0x89,0x8a,0x8b,0x8c,0x8d,0x8e,0x8f,
+ 0x90,0x91,0x92,0x93,0x94,0x95,0x96,0x97,
+ 0x98,0x99,0x9a,0x9b,0x9c,0x9d,0x9e,0x9f,
+ 0xa0,0xa1,0xa2,0xa3),
+ AUTH_UNDEFINED, chunk_empty, FALSE);
+ while (seq != 4)
+ {
+ ck_assert(ctx->next_seqno(ctx, &seq));
+ }
+ INIT(ivgen,
+ .get_iv = _get_iv,
+ .allocate_iv = _allocate_iv,
+ .destroy = (void*)free,
+ );
+ ctx->get_aead(ctx)->get_iv_gen = _get_iv_gen;
+ ck_assert(esp->encrypt(esp, ctx, htonl(0x01020304)) == SUCCESS);
+
+ data = esp->packet.get_data(&esp->packet);
+ exp = chunk_from_chars(0x01,0x02,0x03,0x04,0x00,0x00,0x00,0x05,
+ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
+ 0x24,0x03,0x94,0x28,0xb9,0x7f,0x41,0x7e,
+ 0x3c,0x13,0x75,0x3a,0x4f,0x05,0x08,0x7b,
+ 0x67,0xc3,0x52,0xe6,0xa7,0xfa,0xb1,0xb9,
+ 0x82,0xd4,0x66,0xef,0x40,0x7a,0xe5,0xc6,
+ 0x14,0xee,0x80,0x99,0xd5,0x28,0x44,0xeb,
+ 0x61,0xaa,0x95,0xdf,0xab,0x4c,0x02,0xf7,
+ 0x2a,0xa7,0x1e,0x7c,0x4c,0x4f,0x64,0xc9,
+ 0xbe,0xfe,0x2f,0xac,0xc6,0x38,0xe8,0xf3,
+ 0xcb,0xec,0x16,0x3f,0xac,0x46,0x9b,0x50,
+ 0x27,0x73,0xf6,0xfb,0x94,0xe6,0x64,0xda,
+ 0x91,0x65,0xb8,0x28,0x29,0xf6,0x41,0xe0,
+ 0x76,0xAA,0xA8,0x26,0x6B,0x7F,0xB0,0xF7,
+ 0xB1,0x1B,0x36,0x99,0x07,0xE1,0xAD,0x43);
+ ck_assert_msg(chunk_equals(data, exp), "got %B\nexp %B", &data, &exp);
+
+ esp->destroy(esp);
+ ctx->destroy(ctx);
+ ivgen->destroy(ivgen);
+}
+END_TEST
+
+Suite *chapoly_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("chapoly");
+
+ tc = tcase_create("ChaCha20Poly1305 ESP encryption");
+ tcase_add_test(tc, test_chapoly);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
index 315129d7e..bd5b96f70 100644
--- a/src/libpttls/pt_tls_client.c
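Review bot: `ctx` and `esp` are dereferenced (`ctx->next_seqno`, `esp->encrypt`) without the null check that `icmp` gets, so if esp_context_create() or esp_packet_create_from_payload() fails the test crashes instead of reporting a failure; add `ck_assert(esp);` after the esp line and `ck_assert(ctx);` before the `while` loop. The stubbed `get_iv`/`allocate_iv` return a constant nonce and ignore `seq`, and `ctx->get_aead(ctx)->get_iv_gen = _get_iv_gen;` swaps that generator into the live AEAD's method table, yet nothing in the file records that this is intentional. A comment above `get_iv` such as `/* test-only iv_gen_t: returns the fixed nonce of the draft's test vector so the known-answer check is deterministic; a repeated nonce under one key defeats the AEAD, so this must never serve as a real IV generator */` would make the intent explicit.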
+++ b/src/libpttls/pt_tls_client.c @@ -450,6 +450,7 @@ METHOD(pt_tls_client_t, run_assessment, status_t, { return FAILED; } + tnccs->set_auth_type(tnccs, TNC_AUTH_X509_CERT); DBG1(DBG_TNC, "entering PT-TLS data transport phase"); if (!assess(this, (tls_t*)tnccs)) diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c index e6abfe2c2..01c829841 100644 --- a/src/libradius/radius_message.c +++ b/src/libradius/radius_message.c @@ -97,7 +97,7 @@ ENUM_NEXT(radius_message_code_names, RMC_DISCONNECT_REQUEST, RMC_COA_NAK, RMC_AC "CoA-NAK"); ENUM_END(radius_message_code_names, RMC_COA_NAK); -ENUM(radius_attribute_type_names, RAT_USER_NAME, RAT_MIP6_HOME_LINK_PREFIX, +ENUM_BEGIN(radius_attribute_type_names, RAT_USER_NAME, RAT_MIP6_HOME_LINK_PREFIX, "User-Name", "User-Password", "CHAP-Password", @@ -223,6 +223,13 @@ ENUM(radius_attribute_type_names, RAT_USER_NAME, RAT_MIP6_HOME_LINK_PREFIX, "Delegated-IPv6-Prefix", "MIP6-Feature-Vector", "MIP6-Home-Link-Prefix"); +ENUM_NEXT(radius_attribute_type_names, RAT_FRAMED_IPV6_ADDRESS, RAT_STATEFUL_IPV6_ADDRESS_POOL, RAT_MIP6_HOME_LINK_PREFIX, + "Framed-IPv6-Address", + "DNS-Server-IPv6-Address", + "Route-IPv6-Information", + "Delegated-IPv6-Prefix-Pool", + "Stateful-IPv6-Address-Pool"); +ENUM_END(radius_attribute_type_names, RAT_STATEFUL_IPV6_ADDRESS_POOL); /** * Attribute enumerator implementation diff --git a/src/libradius/radius_message.h b/src/libradius/radius_message.h index 4ce03a44e..e6cb40b18 100644 --- a/src/libradius/radius_message.h +++ b/src/libradius/radius_message.h @@ -186,6 +186,11 @@ enum radius_attribute_type_t { RAT_DELEGATED_IPV6_PREFIX = 123, RAT_MIP6_FEATURE_VECTOR = 124, RAT_MIP6_HOME_LINK_PREFIX = 125, + RAT_FRAMED_IPV6_ADDRESS = 168, + RAT_FRAMED_IPV6_DNS_SERVER = 169, + RAT_ROUTE_IPV6_INFORMATION = 170, + RAT_DELEGATED_IPV6_PREFIX_POOL = 171, + RAT_STATEFUL_IPV6_ADDRESS_POOL = 172, }; /** 
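Review bot: The added `tnccs->set_auth_type(tnccs, TNC_AUTH_X509_CERT);` fixes the authentication type unconditionally, and nothing in the hunk says why no other type can apply on this path. If the rationale is that the PT-TLS server always authenticates to the client with its TLS certificate, a one-line comment such as `/* the PT-TLS server is authenticated by its TLS certificate, so report X.509 to the TNC layer */` would record it; if this point can also be reached after a SASL-only exchange, the value should be chosen accordingly. run_assessment's body starts and ends outside the hunk.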
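Review bot: In the `@@ -223,6` hunk of radius_message.c the new name string `"DNS-Server-IPv6-Address"` (attribute 169) does not match its identifier `RAT_FRAMED_IPV6_DNS_SERVER` added in the radius_message.h hunk, whereas the other four new identifiers mirror their strings; `RAT_DNS_SERVER_IPV6_ADDRESS = 169,` would keep the pair consistent, and since the identifier is new in this commit nothing else depends on it yet. The five attributes are also added without a note on their origin; a comment like `/* RFC 6911 IPv6 access attributes 168-172 */` above the new enum values would save the next reader a lookup.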
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index b3636cfb8..adf3687ae 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -100,7 +100,7 @@ resolver/rr.h resolver/resolver_manager.h \ plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \ processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \ processing/scheduler.h processing/watcher.h selectors/traffic_selector.h \ -settings/settings.h threading/thread_value.h \ +settings/settings.h settings/settings_parser.h threading/thread_value.h \ threading/thread.h threading/windows/thread.h \ threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \ threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \ @@ -540,6 +540,13 @@ if MONOLITHIC endif endif +if USE_CHAPOLY + SUBDIRS += plugins/chapoly +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/chapoly/libstrongswan-chapoly.la +endif +endif + if USE_CTR SUBDIRS += plugins/ctr if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 5b20f6ea6..9598c8b51 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in 
@@ -203,19 +203,21 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_105 = plugins/keychain/libstrongswan-keychain.la @USE_PKCS11_TRUE@am__append_106 = plugins/pkcs11 @MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_107 = plugins/pkcs11/libstrongswan-pkcs11.la -@USE_CTR_TRUE@am__append_108 = plugins/ctr -@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_109 = plugins/ctr/libstrongswan-ctr.la -@USE_CCM_TRUE@am__append_110 = plugins/ccm -@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_111 = plugins/ccm/libstrongswan-ccm.la -@USE_GCM_TRUE@am__append_112 = plugins/gcm -@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_113 = plugins/gcm/libstrongswan-gcm.la -@USE_NTRU_TRUE@am__append_114 = plugins/ntru -@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_115 = plugins/ntru/libstrongswan-ntru.la -@USE_BLISS_TRUE@am__append_116 = plugins/bliss -@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_117 = plugins/bliss/libstrongswan-bliss.la -@USE_TEST_VECTORS_TRUE@am__append_118 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_119 = plugins/test_vectors/libstrongswan-test-vectors.la -@USE_BLISS_TRUE@am__append_120 = plugins/bliss/tests +@USE_CHAPOLY_TRUE@am__append_108 = plugins/chapoly +@MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE@am__append_109 = plugins/chapoly/libstrongswan-chapoly.la +@USE_CTR_TRUE@am__append_110 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_111 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_112 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_113 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_114 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_115 = plugins/gcm/libstrongswan-gcm.la +@USE_NTRU_TRUE@am__append_116 = plugins/ntru +@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_117 = plugins/ntru/libstrongswan-ntru.la +@USE_BLISS_TRUE@am__append_118 = plugins/bliss +@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_119 = plugins/bliss/libstrongswan-bliss.la +@USE_TEST_VECTORS_TRUE@am__append_120 = 
plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_121 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_BLISS_TRUE@am__append_122 = plugins/bliss/tests subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ settings/settings_parser.h settings/settings_parser.c \ @@ -295,7 +297,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_101) $(am__append_103) $(am__append_105) \ $(am__append_107) $(am__append_109) $(am__append_111) \ $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) + $(am__append_119) $(am__append_121) am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \ bio/bio_writer.c collections/blocking_queue.c \ 
@@ -558,15 +560,16 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ processing/jobs/job.h processing/jobs/callback_job.h \ processing/processor.h processing/scheduler.h \ processing/watcher.h selectors/traffic_selector.h \ - settings/settings.h threading/thread_value.h \ - threading/thread.h threading/windows/thread.h \ - threading/mutex.h threading/condvar.h threading/spinlock.h \ - threading/semaphore.h threading/rwlock.h \ - threading/rwlock_condvar.h threading/lock_profiler.h \ - utils/utils.h utils/chunk.h utils/debug.h utils/enum.h \ - utils/identification.h utils/lexparser.h utils/optionsfrom.h \ - utils/capabilities.h utils/backtrace.h utils/cpu_feature.h \ - utils/leak_detective.h utils/printf_hook/printf_hook.h \ + settings/settings.h settings/settings_parser.h \ + threading/thread_value.h threading/thread.h \ + threading/windows/thread.h threading/mutex.h \ + threading/condvar.h threading/spinlock.h threading/semaphore.h \ + threading/rwlock.h threading/rwlock_condvar.h \ + threading/lock_profiler.h utils/utils.h utils/chunk.h \ + utils/debug.h utils/enum.h utils/identification.h \ + utils/lexparser.h utils/optionsfrom.h utils/capabilities.h \ + utils/backtrace.h utils/cpu_feature.h utils/leak_detective.h \ + utils/printf_hook/printf_hook.h \ utils/printf_hook/printf_hook_vstr.h \ utils/printf_hook/printf_hook_builtin.h utils/parser_helper.h \ utils/test.h utils/integrity_checker.h utils/process.h \ 
@@ -615,9 +618,9 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \ plugins/files plugins/winhttp plugins/unbound plugins/soup \ plugins/ldap plugins/mysql plugins/sqlite plugins/padlock \ plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \ - plugins/keychain plugins/pkcs11 plugins/ctr plugins/ccm \ - plugins/gcm plugins/ntru plugins/bliss plugins/test_vectors \ - tests plugins/bliss/tests + plugins/keychain plugins/pkcs11 plugins/chapoly plugins/ctr \ + plugins/ccm plugins/gcm plugins/ntru plugins/bliss \ + plugins/test_vectors tests plugins/bliss/tests DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -970,7 +973,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \ @USE_DEV_HEADERS_TRUE@processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \ @USE_DEV_HEADERS_TRUE@processing/scheduler.h processing/watcher.h selectors/traffic_selector.h \ -@USE_DEV_HEADERS_TRUE@settings/settings.h threading/thread_value.h \ +@USE_DEV_HEADERS_TRUE@settings/settings.h settings/settings_parser.h threading/thread_value.h \ @USE_DEV_HEADERS_TRUE@threading/thread.h threading/windows/thread.h \ @USE_DEV_HEADERS_TRUE@threading/mutex.h threading/condvar.h threading/spinlock.h threading/semaphore.h \ @USE_DEV_HEADERS_TRUE@threading/rwlock.h threading/rwlock_condvar.h threading/lock_profiler.h \ @@ -1004,7 +1007,7 @@ libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \ $(am__append_101) $(am__append_103) $(am__append_105) \ $(am__append_107) $(am__append_109) $(am__append_111) \ $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) + $(am__append_119) $(am__append_121) AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \ -DPLUGINDIR=\"${plugindir}\" \ 
@@ -1056,7 +1059,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_FALSE@ $(am__append_106) $(am__append_108) \ @MONOLITHIC_FALSE@ $(am__append_110) $(am__append_112) \ @MONOLITHIC_FALSE@ $(am__append_114) $(am__append_116) \ -@MONOLITHIC_FALSE@ $(am__append_118) tests $(am__append_120) +@MONOLITHIC_FALSE@ $(am__append_118) $(am__append_120) tests \ +@MONOLITHIC_FALSE@ $(am__append_122) # build plugins with their own Makefile ####################################### @@ -1085,7 +1089,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_TRUE@ $(am__append_106) $(am__append_108) \ @MONOLITHIC_TRUE@ $(am__append_110) $(am__append_112) \ @MONOLITHIC_TRUE@ $(am__append_114) $(am__append_116) \ -@MONOLITHIC_TRUE@ $(am__append_118) . tests $(am__append_120) +@MONOLITHIC_TRUE@ $(am__append_118) $(am__append_120) . tests \ +@MONOLITHIC_TRUE@ $(am__append_122) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index 37b89c61b..628bb99e6 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -340,7 +340,7 @@ static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 33 static const int tm_leap_1970 = 477; /** - * Converts ASN.1 UTCTIME or GENERALIZEDTIME into calender time + * Converts ASN.1 UTCTIME or GENERALIZEDTIME into calendar time */ time_t asn1_to_time(const chunk_t *utctime, asn1_t type) { diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 0ca45a15b..1e93f021a 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c 
@@ -514,9 +514,10 @@ METHOD(auth_cfg_t, complies, bool,
 private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
 {
 enumerator_t *e1, *e2;
- bool success = TRUE, group_match = FALSE, cert_match = FALSE;
+ bool success = TRUE, group_match = FALSE;
+ bool ca_match = FALSE, cert_match = FALSE;
 identification_t *require_group = NULL;
- certificate_t *require_cert = NULL;
+ certificate_t *require_ca = NULL, *require_cert = NULL;
 signature_scheme_t scheme = SIGN_UNKNOWN;
 u_int strength = 0;
 auth_rule_t t1, t2;
@@ -531,26 +532,21 @@ METHOD(auth_cfg_t, complies, bool,
 case AUTH_RULE_CA_CERT:
 case AUTH_RULE_IM_CERT:
 {
- certificate_t *c1, *c2;
+ certificate_t *cert;
- c1 = (certificate_t*)value;
+ /* for CA certs, a match of a single cert is sufficient */
+ require_ca = (certificate_t*)value;
- success = FALSE;
 e2 = create_enumerator(this);
- while (e2->enumerate(e2, &t2, &c2))
+ while (e2->enumerate(e2, &t2, &cert))
 {
 if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
- c1->equals(c1, c2))
+ cert->equals(cert, require_ca))
 {
- success = TRUE;
+ ca_match = TRUE;
 }
 }
 e2->destroy(e2);
- if (!success && log_error)
- {
- DBG1(DBG_CFG, "constraint check failed: peer not "
- "authenticated by CA '%Y'.", c1->get_subject(c1));
- }
 break;
 }
 case AUTH_RULE_SUBJECT_CERT:
@@ -665,7 +661,9 @@ METHOD(auth_cfg_t, complies, bool,
 }
 case AUTH_RULE_EAP_TYPE:
 {
- if ((uintptr_t)value != (uintptr_t)get(this, t1))
+ if ((uintptr_t)value != (uintptr_t)get(this, t1) &&
+ (uintptr_t)value != EAP_DYNAMIC &&
+ (uintptr_t)value != EAP_RADIUS)
 {
 success = FALSE;
 if (log_error)
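Review bot: The per-constraint `success = FALSE` that made every AUTH_RULE_CA_CERT / AUTH_RULE_IM_CERT constraint mandatory is gone, and the replacement `ca_match` is only ever set to TRUE and never cleared, so with several CA constraints in `constraints` one matching certificate now appears to satisfy all of them (AND became OR). The comment `/* for CA certs, a match of a single cert is sufficient */` says this is intended, but it is a relaxation of the configured trust policy and should be spelled out in the configuration documentation for multiple CA constraints rather than only in a code comment. `require_ca` is also overwritten on every constraint visited, so only the last one survives for the later diagnostic. The `complies` method starts before this hunk and continues after it.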
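Review bot: The relaxed EAP_TYPE condition treats a configured EAP_DYNAMIC or EAP_RADIUS constraint as a wildcard for whatever `get(this, t1)` returns, including whatever it returns when no EAP type was recorded in this auth config at all; if that is 0/NULL, a peer that never completed an EAP round would satisfy an `eap-dynamic`/`eap-radius` constraint. Unless the caller guarantees this rule is only evaluated after EAP, the wildcard should still require a recorded type, e.g. `uintptr_t actual = (uintptr_t)get(this, t1); if (value != actual && (actual == 0 || (value != EAP_DYNAMIC && value != EAP_RADIUS)))` (with `value` cast once). I cannot see what `get()` returns for an absent rule from this hunk, so please confirm. The enclosing `complies` method begins and ends outside the hunk.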
@@ -853,13 +851,22 @@ METHOD(auth_cfg_t, complies, bool,
 }
 return FALSE;
 }
-
+ if (require_ca && !ca_match)
+ {
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: peer not "
+ "authenticated by CA '%Y'",
+ require_ca->get_subject(require_ca));
+ }
+ return FALSE;
+ }
 if (require_cert && !cert_match)
 {
 if (log_error)
 {
 DBG1(DBG_CFG, "constraint check failed: peer not "
- "authenticated with peer cert '%Y'.",
+ "authenticated with peer cert '%Y'",
 require_cert->get_subject(require_cert));
 }
 return FALSE;
diff --git a/src/libstrongswan/credentials/certificates/ocsp_request.h b/src/libstrongswan/credentials/certificates/ocsp_request.h
index 0b1871309..730d95d70 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_request.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_request.h
@@ -31,7 +31,7 @@ typedef struct ocsp_request_t ocsp_request_t;
 struct ocsp_request_t {
 /**
- * Implements certificiate_t interface
+ * Implements certificate_t interface
 */
 certificate_t interface;
 };
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h
index 157577458..9c5637b9f 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_response.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.h
@@ -50,7 +50,7 @@ extern enum_name_t *ocsp_status_names;
 struct ocsp_response_t {
 /**
- * Implements certificiate_t interface
+ * Implements certificate_t interface
 */
 certificate_t certificate;
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index 7ad011b5e..4884c4bfa 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Tobias Brunner
+ * Copyright (C) 2010-2015 Tobias Brunner
 * Hochschule fuer Technik Rapperwsil
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
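Review bot: The new failure message names `require_ca->get_subject()` as the CA the peer was not authenticated by, but `require_ca` is assigned for both AUTH_RULE_CA_CERT and AUTH_RULE_IM_CERT constraints (the @@ -531 hunk of this same function) and, with several such constraints, holds only the last one visited, so the log can name an intermediate certificate or omit the CAs that were actually acceptable. Since this message is what an operator will grep for when a peer is rejected, either collect the constraint subjects while enumerating or make the wording honest, e.g. `"constraint check failed: peer not authenticated by any configured CA/IM cert (last checked '%Y')"`. The `complies` method begins and ends outside this hunk.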
@@ -197,7 +197,7 @@ METHOD(mem_cred_t, get_cert_ref, certificate_t*,
 {
 certificate_t *cached;
- this->lock->write_lock(this->lock);
+ this->lock->read_lock(this->lock);
 if (this->untrusted->find_first(this->untrusted,
 (linked_list_match_t)certificate_equals,
 (void**)&cached, cert) == SUCCESS)
@@ -643,6 +643,49 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
 }
+static void reset_certs(private_mem_cred_t *this)
+{
+ this->trusted->destroy_offset(this->trusted,
+ offsetof(certificate_t, destroy));
+ this->untrusted->destroy_offset(this->untrusted,
+ offsetof(certificate_t, destroy));
+ this->trusted = linked_list_create();
+ this->untrusted = linked_list_create();
+}
+
+static void copy_certs(linked_list_t *dst, linked_list_t *src, bool clone)
+{
+ enumerator_t *enumerator;
+ certificate_t *cert;
+
+ enumerator = src->create_enumerator(src);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ if (clone)
+ {
+ cert = cert->get_ref(cert);
+ }
+ else
+ {
+ src->remove_at(src, enumerator);
+ }
+ dst->insert_last(dst, cert);
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(mem_cred_t, replace_certs, void,
+ private_mem_cred_t *this, mem_cred_t *other_set, bool clone)
+{
+ private_mem_cred_t *other = (private_mem_cred_t*)other_set;
+
+ this->lock->write_lock(this->lock);
+ reset_certs(this);
+ copy_certs(this->untrusted, other->untrusted, clone);
+ copy_certs(this->trusted, other->trusted, clone);
+ this->lock->unlock(this->lock);
+}
+
 static void reset_secrets(private_mem_cred_t *this)
 {
 this->keys->destroy_offset(this->keys,
 offsetof(private_key_t, destroy));
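Review bot: Switching `get_cert_ref` from `write_lock` to `read_lock` is only correct if the remainder of the function, which continues past this hunk, never mutates `this->untrusted` (or `this->trusted`) under that lock; the visible part only performs a `find_first` lookup, which is fine, but if the not-cached branch inserts `cert` into the list it now does so under a shared lock and races with other readers and writers. Please confirm the tail of the function, and record the assumption at the lock site: `/* read lock: lookup and get_ref only, no list mutation below */`.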
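Review bot: `replace_certs` takes `this->lock` but enumerates `other->untrusted` and `other->trusted` and, with `clone == FALSE`, removes entries from them through `src->remove_at` without ever acquiring `other->lock`, so if the other set is reachable from another thread (for example a staging set filled during a reload) this is a data race on its lists. Either document that `other_set` must be private to the caller, or lock it around the two `copy_certs` calls (`other->lock->write_lock(other->lock)` / `unlock`, a read lock suffices when cloning), minding lock ordering and the `other == this` case, where `reset_certs(this)` swaps in fresh empty lists before they are copied and the set silently ends up empty. A guard such as `if (other == this) { return; }` before the lock would make that case explicit.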
@@ -710,17 +753,11 @@ METHOD(mem_cred_t, clear_, void,
 private_mem_cred_t *this)
 {
 this->lock->write_lock(this->lock);
- this->trusted->destroy_offset(this->trusted,
- offsetof(certificate_t, destroy));
- this->untrusted->destroy_offset(this->untrusted,
- offsetof(certificate_t, destroy));
 this->cdps->destroy_function(this->cdps, (void*)cdp_destroy);
- this->trusted = linked_list_create();
- this->untrusted = linked_list_create();
 this->cdps = linked_list_create();
+ reset_certs(this);
+ reset_secrets(this);
 this->lock->unlock(this->lock);
-
- clear_secrets(this);
 }
 METHOD(mem_cred_t, destroy, void,
@@ -760,6 +797,7 @@ mem_cred_t *mem_cred_create()
 .add_shared = _add_shared,
 .add_shared_list = _add_shared_list,
 .add_cdp = _add_cdp,
+ .replace_certs = _replace_certs,
 .replace_secrets = _replace_secrets,
 .clear = _clear_,
 .clear_secrets = _clear_secrets,
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index 3ce815abc..51f0b8c30 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Tobias Brunner
+ * Copyright (C) 2010-2015 Tobias Brunner
 * Hochschule fuer Technik Rapperswil
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
@@ -102,6 +102,7 @@ struct mem_cred_t {
 */
 void (*add_shared_list)(mem_cred_t *this, shared_key_t *shared,
 linked_list_t *owners);
+
 /**
 * Add a certificate distribution point to the set.
 *
@@ -112,6 +113,15 @@ struct mem_cred_t {
 void (*add_cdp)(mem_cred_t *this, certificate_type_t type,
 identification_t *id, char *uri);
+ /**
+ * Replace all certificates in this credential set with those of another.
+ *
+ * @param other credential set to get certificates from
+ * @param clone TRUE to clone certs, FALSE to adopt them (they
+ * get removed from the other set)
+ */
+ void (*replace_certs)(mem_cred_t *this, mem_cred_t *other, bool clone);
+
 /**
 * Replace all secrets (private and shared keys) in this credential set
 * with those of another.
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index 1e73baa4e..3e33765b1 100644
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -40,13 +40,14 @@ ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_NULL_AUTH_AES_GMAC
 "AES_GCM_12",
 "AES_GCM_16",
 "NULL_AES_GMAC");
-ENUM_NEXT(encryption_algorithm_names, ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CCM_ICV16, ENCR_NULL_AUTH_AES_GMAC,
+ENUM_NEXT(encryption_algorithm_names, ENCR_CAMELLIA_CBC, ENCR_CHACHA20_POLY1305, ENCR_NULL_AUTH_AES_GMAC,
 "CAMELLIA_CBC",
 "CAMELLIA_CTR",
 "CAMELLIA_CCM_8",
 "CAMELLIA_CCM_12",
- "CAMELLIA_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_RC2_CBC, ENCR_CAMELLIA_CCM_ICV16,
+ "CAMELLIA_CCM_16",
+ "CHACHA20_POLY1305");
+ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_RC2_CBC, ENCR_CHACHA20_POLY1305,
 "UNDEFINED",
 "DES_ECB",
 "SERPENT_CBC",
@@ -184,6 +185,7 @@ bool encryption_algorithm_is_aead(encryption_algorithm_t alg)
 case ENCR_CAMELLIA_CCM_ICV8:
 case ENCR_CAMELLIA_CCM_ICV12:
 case ENCR_CAMELLIA_CCM_ICV16:
+ case ENCR_CHACHA20_POLY1305:
 return TRUE;
 default:
 return FALSE;
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index 849aea500..19ba55d83 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
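Review bot: The new `replace_certs` documentation omits the locking and aliasing contract that the implementation in this patch relies on: only this set's lock is taken, the other set's lists are read and (when adopting) modified without its lock, and passing the set itself is not handled. Callers of a "replace" API typically use it during a reload from a freshly built set, so this is worth stating in the header; suggested addition after the `@param clone` line: ` * @note the other set is not locked and must not be accessed concurrently; it must not be this set.`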
@@ -57,6 +57,7 @@ enum encryption_algorithm_t { ENCR_CAMELLIA_CCM_ICV8 = 25, ENCR_CAMELLIA_CCM_ICV12 = 26, ENCR_CAMELLIA_CCM_ICV16 = 27, + ENCR_CHACHA20_POLY1305 = 28, ENCR_UNDEFINED = 1024, ENCR_DES_ECB = 1025, ENCR_SERPENT_CBC = 1026, diff --git a/src/libstrongswan/crypto/iv/iv_gen.c b/src/libstrongswan/crypto/iv/iv_gen.c index e18843210..7d6570a74 100644 --- a/src/libstrongswan/crypto/iv/iv_gen.c +++ b/src/libstrongswan/crypto/iv/iv_gen.c @@ -48,6 +48,7 @@ iv_gen_t* iv_gen_create_for_alg(encryption_algorithm_t alg) case ENCR_CAMELLIA_CCM_ICV8: case ENCR_CAMELLIA_CCM_ICV12: case ENCR_CAMELLIA_CCM_ICV16: + case ENCR_CHACHA20_POLY1305: case ENCR_NULL_AUTH_AES_GMAC: return iv_gen_seq_create(); case ENCR_NULL: diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c index 1da1421f4..51b9d782d 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c +++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c @@ -59,12 +59,12 @@ struct proposal_token { u_int16_t keysize; }; -#define TOTAL_KEYWORDS 138 +#define TOTAL_KEYWORDS 139 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 20 -#define MAX_HASH_VALUE 295 -/* maximum key range = 276, duplicates = 0 */ +#define MIN_HASH_VALUE 18 +#define MAX_HASH_VALUE 276 +/* maximum key range = 259, duplicates = 0 */ #ifdef __GNUC__ __inline 
@@ -80,32 +80,32 @@ hash (str, len) { static const unsigned short asso_values[] = { - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 47, 6, - 15, 8, 64, 24, 12, 14, 7, 5, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 120, 296, 9, 5, 22, - 48, 114, 28, 76, 6, 5, 296, 296, 5, 20, - 7, 14, 82, 7, 81, 98, 10, 86, 296, 296, - 5, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296, 296, 296, 296, - 296, 296, 296, 296, 296, 296, 296 + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 66, 6, + 18, 39, 81, 30, 9, 27, 3, 0, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 105, 277, 33, 0, 6, + 57, 60, 15, 96, 3, 0, 277, 277, 0, 0, + 0, 18, 126, 30, 111, 24, 36, 159, 277, 277, + 9, 277, 277, 277, 277, 277, 
277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277, 277, 277, 277, + 277, 277, 277, 277, 277, 277, 277 }; register int hval = len; 
@@ -144,178 +144,177 @@ hash (str, len) static const struct proposal_token wordlist[] = { - {"sha1", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, - {"sha", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, + {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0}, {"null", ENCRYPTION_ALGORITHM, ENCR_NULL, 0}, {"noesn", EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0}, - {"md5", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0}, - {"esn", EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS, 0}, + {"aesxcbc", INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0}, + {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128}, {"aes128", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128}, - {"prfsha1", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0}, - {"aes192", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192}, + {"md5", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0}, {"modp8192", DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0}, {"md5_128", INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_128, 0}, - {"sha512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0}, - {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0}, - {"ntru128", DIFFIE_HELLMAN_GROUP, NTRU_128_BIT, 0}, - {"prfsha256", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0}, - {"aes256", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256}, - {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0}, - {"ntru192", DIFFIE_HELLMAN_GROUP, NTRU_192_BIT, 0}, - {"ntru112", DIFFIE_HELLMAN_GROUP, NTRU_112_BIT, 0}, - {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0}, - {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0}, - {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0}, - {"prfsha512", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0}, {"aes192ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192}, - {"aes192ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192}, + {"aes192", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192}, {"aes128ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128}, - {"aes128ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128}, {"aes192ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192}, - {"aes192ccm16", 
ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192}, + {"aes192ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192}, + {"sha1", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, {"aes128ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128}, + {"aes128ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128}, + {"modp768", DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0}, + {"aes192ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192}, + {"ecp521", DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0}, + {"aescmac", INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0}, {"aes128ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128}, + {"aes256", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256}, + {"ntru128", DIFFIE_HELLMAN_GROUP, NTRU_128_BIT, 0}, + {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, + {"ecp192", DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0}, {"aes192ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192}, - {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, - {"aes128ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128}, - {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0}, - {"aesxcbc", INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0}, - {"ntru256", DIFFIE_HELLMAN_GROUP, NTRU_256_BIT, 0}, - {"aescmac", INTEGRITY_ALGORITHM, AUTH_AES_CMAC_96, 0}, {"aes256ccm8", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, - {"aes256ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256}, - {"cast128", ENCRYPTION_ALGORITHM, ENCR_CAST, 128}, + {"aes128ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128}, {"aes256ccm96", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256}, + {"aes256ccm128", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256}, + {"ntru192", DIFFIE_HELLMAN_GROUP, NTRU_192_BIT, 0}, + {"ecp256", DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0}, {"aes256ccm16", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256}, - {"camellia192", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192}, - {"aes256ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256}, - {"camellia128", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, + {"sha", 
INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0}, + {"ntru112", DIFFIE_HELLMAN_GROUP, NTRU_112_BIT, 0}, + {"blowfish192", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192}, + {"blowfish128", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, {"camellia192ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192}, - {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192}, - {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0}, + {"aes256ccm12", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256}, + {"camelliaxcbc", INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0}, {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192}, + {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192}, + {"sha512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0}, + {"prfsha1", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0}, + {"camellia192", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192}, + {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0}, {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192}, - {"prfsha384", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0}, - {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192}, - {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128}, + {"camellia128", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, + {"sha256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0}, + {"ntru256", DIFFIE_HELLMAN_GROUP, NTRU_256_BIT, 0}, + {"modp1536", DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0}, + {"cast128", ENCRYPTION_ALGORITHM, ENCR_CAST, 128}, + {"blowfish256", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256}, {"camellia128ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128}, - {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128}, - {"prfmd5", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0}, - {"camellia256", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256}, + {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192}, + {"camellia", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128}, {"camellia128ccm96", 
ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128}, + {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128}, + {"prfsha256", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0}, {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128}, - {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128}, + {"camellia256", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256}, {"camellia256ccm8", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256}, - {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256}, - {"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0}, - {"camelliaxcbc", INTEGRITY_ALGORITHM, AUTH_CAMELLIA_XCBC_96, 0}, + {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0}, {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256}, + {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256}, + {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128}, {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256}, + {"prfsha512", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0}, + {"aes192ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192}, {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256}, + {"aes128ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128}, {"aes192gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192}, - {"aes192gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192}, {"aes128gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128}, - {"aes128gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128}, {"aes192gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192}, - {"aes192gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192}, + {"aes192gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192}, + {"aes192gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192}, {"aes128gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128}, + {"aes128gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128}, + {"aes128gmac", ENCRYPTION_ALGORITHM, 
ENCR_NULL_AUTH_AES_GMAC, 128}, + {"aes192gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192}, + {"prfaescmac", PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC, 0}, {"aes128gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128}, - {"aes192gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192}, - {"aes192ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192}, - {"aes128gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128}, - {"aes128ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128}, {"aes192ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192}, + {"prfaesxcbc", PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0}, + {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, {"aes128ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128}, - {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0}, + {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128}, + {"aes192gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192}, + {"prfcamelliaxcbc", PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC, 0}, {"aes256gcm8", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256}, - {"aes256gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256}, - {"modp4096", DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0}, - {"ecp512bp", DIFFIE_HELLMAN_GROUP, ECP_512_BP, 0}, + {"aes128gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128}, + {"prfmd5", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0}, {"aes256gcm96", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256}, + {"aes256gcm128", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256}, + {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256}, + {"modp3072", DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0}, + {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256}, {"aes256gcm16", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256}, - {"modp1024", DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0}, - {"modp2048", DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0}, - {"aes256gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256}, - {"aes256ccm64", ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256}, - {"sha384", 
INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}, + {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192}, + {"modp4096", DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0}, {"aes256ctr", ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256}, - {"aes192gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192}, - {"aes128gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128}, + {"modpnull", DIFFIE_HELLMAN_GROUP, MODP_NULL, 0}, + {"aes256gcm12", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256}, + {"ecp512bp", DIFFIE_HELLMAN_GROUP, ECP_512_BP, 0}, + {"modp1024s160", DIFFIE_HELLMAN_GROUP, MODP_1024_160, 0}, {"serpent", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128}, - {"ecp256bp", DIFFIE_HELLMAN_GROUP, ECP_256_BP, 0}, - {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 192}, - {"modp6144", DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0}, + {"modp2048", DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0}, + {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192}, + {"modp1024", DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0}, + {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128}, {"camellia192ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 192}, - {"serpent128", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128}, - {"3des", ENCRYPTION_ALGORITHM, ENCR_3DES, 0}, - {"blowfish", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, + {"modp6144", DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0}, {"ecp384", DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0}, - {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 128}, - {"aes256gmac", ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256}, - {"modp2048s256", DIFFIE_HELLMAN_GROUP, MODP_2048_256, 0}, + {"ecp256bp", DIFFIE_HELLMAN_GROUP, ECP_256_BP, 0}, + {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256}, + {"prfsha384", PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0}, + {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, + {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0}, {"camellia128ctr", 
ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 128}, - {"serpent256", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256}, {"ecp224", DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0}, - {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8, 256}, - {"serpent192", ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192}, - {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256}, + {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, {"sha2_512", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0}, - {"blowfish192", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192}, - {"blowfish128", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128}, - {"sha256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0}, - {"aes192gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192}, + {"modp2048s256", DIFFIE_HELLMAN_GROUP, MODP_2048_256, 0}, {"sha2_256", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0}, - {"aes128gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128}, - {"ecp384bp", DIFFIE_HELLMAN_GROUP, ECP_384_BP, 0}, + {"sha384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}, {"sha2_256_96", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0}, - {"blowfish256", ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256}, - {"ecp224bp", DIFFIE_HELLMAN_GROUP, ECP_224_BP, 0}, + {"camellia256ctr", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR, 256}, + {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256}, + {"aes192gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192}, + {"aes128gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128}, {"sha1_160", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_160, 0}, + {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192}, + {"ecp384bp", DIFFIE_HELLMAN_GROUP, ECP_384_BP, 0}, {"aes256gcm64", ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256}, - {"twofish", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, - {"prfcamelliaxcbc", PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC, 0}, - {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0}, + {"chacha20poly1305", ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305, 256}, + {"ecp224bp", 
DIFFIE_HELLMAN_GROUP, ECP_224_BP, 0}, {"sha2_384", INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0}, - {"twofish128", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128}, - {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0}, - {"twofish256", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256}, - {"twofish192", ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192}, - {"prfaesxcbc", PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0}, - {"prfaescmac", PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC, 0} + {"modp2048s224", DIFFIE_HELLMAN_GROUP, MODP_2048_224, 0} }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, 0, -1, + -1, -1, 1, 2, -1, 3, -1, 4, -1, -1, + 5, -1, -1, 6, -1, 7, -1, 8, -1, -1, + 9, -1, 10, 11, 12, 13, 14, 15, 16, 17, + 18, 19, 20, 21, 22, 23, 24, 25, -1, 26, + -1, 27, 28, -1, -1, 29, 30, 31, -1, 32, + -1, 33, 34, 35, 36, -1, -1, 37, 38, -1, + 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, + 49, 50, 51, -1, 52, 53, 54, 55, 56, -1, + 57, 58, 59, -1, -1, -1, 60, 61, 62, 63, + -1, -1, 64, 65, -1, 66, -1, -1, 67, -1, + -1, -1, -1, 68, -1, 69, -1, 70, 71, -1, + 72, -1, -1, 73, 74, 75, 76, 77, 78, 79, + 80, -1, 81, 82, 83, 84, 85, 86, 87, 88, + 89, 90, 91, 92, -1, 93, 94, 95, 96, -1, + 97, 98, -1, 99, 100, 101, -1, 102, -1, -1, + 103, -1, -1, 104, 105, 106, 107, -1, 108, 109, + -1, 110, 111, -1, -1, 112, 113, -1, 114, -1, + -1, -1, -1, 115, -1, 116, 117, -1, 118, -1, + 119, 120, 121, 122, 123, -1, 124, 125, -1, 126, + -1, -1, 127, -1, 128, 129, -1, -1, 130, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - 0, -1, 1, 2, -1, -1, -1, -1, -1, -1, - -1, -1, -1, 3, 4, -1, -1, -1, 5, -1, - 6, 7, -1, -1, -1, -1, 8, -1, 9, 10, - -1, -1, 11, -1, 12, -1, 13, -1, 14, 15, - -1, 16, 17, 18, 19, 20, -1, -1, -1, 21, - 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, - 32, 33, 34, 35, 36, 37, -1, 38, 39, -1, - 40, 41, 42, -1, 43, 44, 45, 46, 47, 48, - -1, 49, 50, 51, -1, 52, 53, 54, 55, 56, - 57, 58, 59, -1, -1, 60, 61, 62, 63, 64, - 65, 66, -1, -1, 67, 68, 69, 70, 71, 
72, - 73, 74, 75, 76, 77, 78, 79, 80, -1, 81, - 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, - 92, 93, -1, 94, -1, 95, -1, 96, 97, 98, - 99, 100, -1, 101, -1, 102, 103, 104, -1, 105, - 106, 107, 108, 109, -1, 110, -1, 111, -1, 112, - -1, 113, 114, 115, 116, -1, 117, 118, 119, 120, - 121, -1, -1, -1, 122, -1, -1, 123, -1, -1, - 124, -1, 125, 126, 127, -1, -1, -1, 128, -1, - -1, -1, -1, -1, 129, 130, -1, 131, -1, 132, - -1, -1, -1, -1, 133, -1, -1, -1, -1, 134, - -1, -1, -1, -1, -1, 135, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + 131, -1, 132, 133, -1, -1, 134, -1, -1, -1, + -1, 135, -1, -1, -1, -1, -1, -1, 136, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, 136, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, 137 + -1, -1, 137, -1, -1, -1, 138 }; #ifdef __GNUC__ diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt index 70e79157a..da92409ca 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt +++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt @@ -78,6 +78,7 @@ aes256gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256 aes128gmac, ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128 aes192gmac, ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192 aes256gmac, ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256 +chacha20poly1305, ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305, 256 blowfish, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128 blowfish128, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128 blowfish192, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192 diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c index 07da3ef3b..2e464b0ad 100644 --- a/src/libstrongswan/networking/host.c +++ b/src/libstrongswan/networking/host.c 
@@ -354,6 +354,10 @@ host_t *host_create_from_string_and_family(char *string, int family, struct sockaddr_in6 v6; } addr; + if (!string) + { + return NULL; + } if (streq(string, "%any")) { return host_create_any_port(family ? family : AF_INET, port); diff --git a/src/libstrongswan/pen/pen.c b/src/libstrongswan/pen/pen.c index 474a7a876..9fe47547e 100644 --- a/src/libstrongswan/pen/pen.c +++ b/src/libstrongswan/pen/pen.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -23,7 +23,9 @@ ENUM_NEXT(pen_names, PEN_MICROSOFT, PEN_MICROSOFT, PEN_IBM, "Microsoft"); ENUM_NEXT(pen_names, PEN_REDHAT, PEN_REDHAT, PEN_MICROSOFT, "Redhat"); -ENUM_NEXT(pen_names, PEN_ALTIGA, PEN_ALTIGA, PEN_REDHAT, +ENUM_NEXT(pen_names, PEN_PWG, PEN_PWG, PEN_REDHAT, + "PWG"); +ENUM_NEXT(pen_names, PEN_ALTIGA, PEN_ALTIGA, PEN_PWG, "Altiga"); ENUM_NEXT(pen_names, PEN_OSC, PEN_OSC, PEN_ALTIGA, "OSC"); diff --git a/src/libstrongswan/pen/pen.h b/src/libstrongswan/pen/pen.h index 1760a0578..2c5592330 100644 --- a/src/libstrongswan/pen/pen.h +++ b/src/libstrongswan/pen/pen.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2012 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -39,6 +39,7 @@ enum pen_t { PEN_IBM = 0x000002, /* 2 */ PEN_MICROSOFT = 0x000137, /* 311 */ PEN_REDHAT = 0x000908, /* 2312 */ + PEN_PWG = 0x000A8B, /* 2699 */ PEN_ALTIGA = 0x000c04, /* 3076 */ PEN_OSC = 0x002358, /* 9048 */ PEN_DEBIAN = 0x002572, /* 9586 */ diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c index e1064d2f2..1386eeb2d 100644 --- a/src/libstrongswan/plugins/bliss/bliss_private_key.c +++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c 
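Review bot: The new `if (!string) { return NULL; }` guard in host_create_from_string_and_family returns silently, so a caller that passes a NULL string gets the same result as an unparsable address and nothing in the log distinguishes the two. A one-line comment stating the intent, `/* a NULL string is treated like an unparsable address */`, would document that this is deliberate rather than a missed error report. The rest of the function, including how the later parse failures are reported, lies outside the hunk, so whether a DBG1 line is consistent with the existing failure paths cannot be judged from here.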
@@ -168,7 +168,7 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg, bliss_sampler_t *sampler = NULL; rng_t *rng; hasher_t *hasher; - hash_algorithm_t mgf1_alg; + hash_algorithm_t mgf1_alg, oracle_alg; size_t mgf1_seed_len; uint8_t mgf1_seed_buf[HASH_SIZE_SHA512], data_hash_buf[HASH_SIZE_SHA512]; chunk_t mgf1_seed, data_hash; @@ -185,7 +185,7 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg, /* Initialize signature */ *signature = chunk_empty; - /* Create data hash */ + /* Create data hash using configurable hash algorithm */ hasher = lib->crypto->create_hasher(lib->crypto, alg); if (!hasher) { @@ -200,13 +200,6 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg, } hasher->destroy(hasher); - /* Create SHA512 hasher for c_indices oracle */ - hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512); - if (!hasher) - { - return FALSE; - } - /* Set MGF1 hash algorithm and seed length based on security strength */ if (this->set->strength > 160) { @@ -223,10 +216,12 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg, rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); if (!rng) { - hasher->destroy(hasher); return FALSE; } + /* MGF1 hash algorithm to be used for random oracle */ + oracle_alg = HASH_SHA512; + /* Initialize a couple of needed variables */ n = this->set->n; q = this->set->q; @@ -360,7 +355,7 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg, DBG3(DBG_LIB, "%3d %6d %4d", i, u[i], ud[i]); } - if (!bliss_utils_generate_c(hasher, data_hash, ud, n, this->set->kappa, + if (!bliss_utils_generate_c(oracle_alg, data_hash, ud, this->set, c_indices)) { goto end; @@ -495,7 +490,6 @@ static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg, end: /* cleanup */ DESTROY_IF(sampler); - hasher->destroy(hasher); sig->destroy(sig); fft->destroy(fft); rng->destroy(rng); 
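Review bot: `oracle_alg = HASH_SHA512;` in the `@@ -223,10 +216,12 @@` hunk hard-codes the random-oracle hash as a local literal, and the same literal is repeated in verify_bliss in bliss_public_key.c (the next file section); a signature only verifies when both sides agree, so a single shared definition, for example a `BLISS_ORACLE_HASH` macro in bliss_utils.h or a field of bliss_param_set_t, would keep signer and verifier in lockstep. The comment `/* MGF1 hash algorithm to be used for random oracle */` would also benefit from noting that changing the value invalidates every previously issued signature. The body of sign_bliss continues outside each of these hunks.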
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c index 0175b0f8e..2b305f6c2 100644 --- a/src/libstrongswan/plugins/bliss/bliss_public_key.c +++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c @@ -70,11 +70,12 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg, uint8_t data_hash_buf[HASH_SIZE_SHA512]; chunk_t data_hash; hasher_t *hasher; + hash_algorithm_t oracle_alg; bliss_fft_t *fft; bliss_signature_t *sig; bool success = FALSE; - /* Create data hash */ + /* Create data hash using configurable hash algorithm */ hasher = lib->crypto->create_hasher(lib->crypto, alg); if (!hasher ) { @@ -89,28 +90,22 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg, } hasher->destroy(hasher); - /* Create SHA512 hasher for c_indices oracle */ - hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512); - if (!hasher) - { - return FALSE; - } - sig = bliss_signature_create_from_data(this->set, signature); if (!sig) { - hasher->destroy(hasher); return FALSE; } sig->get_parameters(sig, &z1, &z2d, &c_indices); if (!bliss_utils_check_norms(this->set, z1, z2d)) { - hasher->destroy(hasher); sig->destroy(sig); return FALSE; } + /* MGF1 hash algorithm to be used for random oracle */ + oracle_alg = HASH_SHA512; + /* Initialize a couple of needed variables */ n = this->set->n; q = this->set->q; @@ -165,8 +160,7 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg, DBG3(DBG_LIB, "%3d %6d %4d %4d", i, u[i], ud[i], z2d[i]); } - if (!bliss_utils_generate_c(hasher, data_hash, ud, n, this->set->kappa, - indices)) + if (!bliss_utils_generate_c(oracle_alg, data_hash, ud, this->set, indices)) { goto end; } @@ -183,7 +177,6 @@ static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg, end: /* cleanup */ - hasher->destroy(hasher); sig->destroy(sig); fft->destroy(fft); free(az); 
diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.c b/src/libstrongswan/plugins/bliss/bliss_utils.c index 5a069989c..5e313ff26 100644 --- a/src/libstrongswan/plugins/bliss/bliss_utils.c +++ b/src/libstrongswan/plugins/bliss/bliss_utils.c @@ -17,6 +17,7 @@ #include #include +#include #include /** 
@@ -54,55 +55,63 @@ void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd) /** * See header. */ -bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud, - int n, uint16_t kappa, uint16_t *c_indices) +bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash, + uint16_t *ud, bliss_param_set_t *set, + uint16_t *c_indices) { - int i, j; - uint64_t extra_bits; - uint16_t index, rounds = 0; - uint8_t hash[HASH_SIZE_SHA512], un16_buf[2]; - chunk_t un16 = { un16_buf, 2 }; - bool index_taken[n]; - - while (TRUE) + int i, index_trials = 0, index_found = 0; + bool index_taken[set->n]; + uint32_t index; + uint8_t *seed_pos; + chunk_t seed; + mgf1_bitspender_t *bitspender; + + seed = chunk_alloca(data_hash.len + set->n * sizeof(uint16_t)); + + /* the data hash makes up the first part of the oracle seed */ + memcpy(seed.ptr, data_hash.ptr, data_hash.len); + seed_pos = seed.ptr + data_hash.len; + + /* followed by the n elements of the ud vector in network order */ + for (i = 0; i < set->n; i++) { - if (!hasher->get_hash(hasher, data_hash, NULL)) - { - return FALSE; - } + htoun16(seed_pos, ud[i]); + seed_pos += sizeof(uint16_t); + } - for (i = 0; i < n; i++) - { - htoun16(un16_buf, ud[i]); - if (!hasher->get_hash(hasher, un16, NULL)) - { - return FALSE; - } - index_taken[i] = FALSE; - } + bitspender = mgf1_bitspender_create(alg, seed, FALSE); + if (!bitspender) + { + return NULL; + } - htoun16(un16_buf, rounds++); - if (!hasher->get_hash(hasher, un16, hash)) - { - return FALSE; - } + for (i = 0; i < set->n; i++) + { + index_taken[i] = FALSE; + } - extra_bits = untoh64(hash + sizeof(hash) - sizeof(uint64_t)); + DBG3(DBG_LIB, " i c_index[i]"); + while (bitspender->get_bits(bitspender, set->n_bits, &index)) + { + index_trials++; - for (i = 0, j = 0; j < sizeof(hash); j++) + if (!index_taken[index]) { - index = 2 * (uint16_t)hash[i] + (extra_bits & 1); - if (!index_taken[index]) - { - c_indices[i++] = index; - 
index_taken[index] = TRUE; - } - if (i == kappa) + DBG3(DBG_LIB, "%2u %8u", index_found, index); + c_indices[index_found++] = index; + index_taken[index] = TRUE; + + if (index_found == set->kappa) { + DBG3(DBG_LIB, "%2d index trials", index_trials); + bitspender->destroy(bitspender); return TRUE; } } } + + bitspender->destroy(bitspender); + return FALSE; } /** diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.h b/src/libstrongswan/plugins/bliss/bliss_utils.h index 063fd91c8..156968dd7 100644 --- a/src/libstrongswan/plugins/bliss/bliss_utils.h +++ b/src/libstrongswan/plugins/bliss/bliss_utils.h @@ -47,15 +47,15 @@ void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd) /** * Generate the binary challenge vector c as an array of kappa indices * - * @param hasher hasher used as an oracle + * @param alg hash algorithm to be used for the internal oracle * @param data_hash hash of the data to be signed * @param ud input vector ud of size n - * @param n size of input vector ud - * @param kappa parameter kappa + * @param set BLISS parameter set to be used (n, n_bits, kappa) * @param c_indices indexes of non-zero challenge coefficients */ -bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud, - int n, uint16_t kappa, uint16_t *c_indices); +bool bliss_utils_generate_c(hash_algorithm_t alg, chunk_t data_hash, + uint16_t *ud, bliss_param_set_t *set, + uint16_t *c_indices); /** * Check the infinity and l2 norms of the vectors z1 and z2d << d diff --git a/src/libstrongswan/plugins/chapoly/Makefile.am b/src/libstrongswan/plugins/chapoly/Makefile.am new file mode 100644 index 000000000..1753de0c7 --- /dev/null +++ b/src/libstrongswan/plugins/chapoly/Makefile.am 
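Review bot: `return NULL;` on the `!bitspender` path of bliss_utils_generate_c returns a pointer constant from a function declared `bool`; every other failure path in the hunk uses `return FALSE;`, and this one should read `return FALSE;` as well. Separately, the value filled by `get_bits(bitspender, set->n_bits, &index)` indexes `index_taken[set->n]` without a range check, which is only safe if 2^n_bits equals n for every parameter set — if bliss_param_set_t does not guarantee that invariant, a guard such as `if (index >= set->n) { continue; }` before the lookup keeps the stack array in bounds. The seed layout (data hash followed by the ud vector in network byte order) is part of the oracle input that signer and verifier must share, so it is worth stating in the function's header comment rather than only in the inline comments.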
@@ -0,0 +1,29 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +noinst_LTLIBRARIES = +if MONOLITHIC +noinst_LTLIBRARIES += libstrongswan-chapoly.la +else +plugin_LTLIBRARIES = libstrongswan-chapoly.la +endif + +libstrongswan_chapoly_la_SOURCES = \ + chapoly_plugin.h chapoly_plugin.c \ + chapoly_drv.h chapoly_drv.c \ + chapoly_drv_portable.h chapoly_drv_portable.c \ + chapoly_aead.h chapoly_aead.c + +noinst_LTLIBRARIES += libchapoly-drv-ssse3.la +libchapoly_drv_ssse3_la_SOURCES = chapoly_drv_ssse3.h chapoly_drv_ssse3.c +if USE_X86X64 + libchapoly_drv_ssse3_la_CFLAGS = $(PLUGIN_CFLAGS) -mssse3 +endif + +libstrongswan_chapoly_la_LIBADD = \ + libchapoly-drv-ssse3.la + +libstrongswan_chapoly_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/chapoly/Makefile.in b/src/libstrongswan/plugins/chapoly/Makefile.in new file mode 100644 index 000000000..98e1f4d9e --- /dev/null +++ b/src/libstrongswan/plugins/chapoly/Makefile.in 
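Review bot: `noinst_LTLIBRARIES += libchapoly-drv-ssse3.la` builds the SSSE3 driver unconditionally, while only its `-mssse3` flag is guarded by `if USE_X86X64`; on non-x86 hosts chapoly_drv_ssse3.c is therefore still compiled without the flag and must not contain unguarded SSSE3 intrinsics — presumably it is wrapped in a preprocessor conditional, but that source is not in this hunk. A short comment above the `noinst_LTLIBRARIES +=` line, such as `# driver is always built; the ssse3 source falls back to a stub when USE_X86X64 is unset`, would document the intended arrangement. Since the SSSE3 path is selected at runtime, the plugin's CPU-feature detection also deserves a mention in the plugin's own documentation, which is outside this file.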
@@ -0,0 +1,810 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = 
$(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@MONOLITHIC_TRUE@am__append_1 = libstrongswan-chapoly.la +subdir = src/libstrongswan/plugins/chapoly +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / 
.*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libchapoly_drv_ssse3_la_LIBADD = +am_libchapoly_drv_ssse3_la_OBJECTS = \ + libchapoly_drv_ssse3_la-chapoly_drv_ssse3.lo +libchapoly_drv_ssse3_la_OBJECTS = \ + $(am_libchapoly_drv_ssse3_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libchapoly_drv_ssse3_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libchapoly_drv_ssse3_la_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +libstrongswan_chapoly_la_DEPENDENCIES = libchapoly-drv-ssse3.la +am_libstrongswan_chapoly_la_OBJECTS = chapoly_plugin.lo chapoly_drv.lo \ + chapoly_drv_portable.lo chapoly_aead.lo +libstrongswan_chapoly_la_OBJECTS = \ + $(am_libstrongswan_chapoly_la_OBJECTS) +libstrongswan_chapoly_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_chapoly_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_chapoly_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_chapoly_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = 
$(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libchapoly_drv_ssse3_la_SOURCES) \ + $(libstrongswan_chapoly_la_SOURCES) +DIST_SOURCES = $(libchapoly_drv_ssse3_la_SOURCES) \ + $(libstrongswan_chapoly_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ 
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ 
+h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = 
@systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +noinst_LTLIBRARIES = $(am__append_1) libchapoly-drv-ssse3.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-chapoly.la +libstrongswan_chapoly_la_SOURCES = \ + chapoly_plugin.h chapoly_plugin.c \ + chapoly_drv.h chapoly_drv.c \ + chapoly_drv_portable.h chapoly_drv_portable.c \ + chapoly_aead.h chapoly_aead.c + +libchapoly_drv_ssse3_la_SOURCES = chapoly_drv_ssse3.h chapoly_drv_ssse3.c +@USE_X86X64_TRUE@libchapoly_drv_ssse3_la_CFLAGS = $(PLUGIN_CFLAGS) -mssse3 +libstrongswan_chapoly_la_LIBADD = \ + libchapoly-drv-ssse3.la + +libstrongswan_chapoly_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/chapoly/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/chapoly/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f 
"$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libchapoly-drv-ssse3.la: $(libchapoly_drv_ssse3_la_OBJECTS) $(libchapoly_drv_ssse3_la_DEPENDENCIES) $(EXTRA_libchapoly_drv_ssse3_la_DEPENDENCIES) + $(AM_V_CCLD)$(libchapoly_drv_ssse3_la_LINK) $(libchapoly_drv_ssse3_la_OBJECTS) $(libchapoly_drv_ssse3_la_LIBADD) $(LIBS) + +libstrongswan-chapoly.la: $(libstrongswan_chapoly_la_OBJECTS) $(libstrongswan_chapoly_la_DEPENDENCIES) $(EXTRA_libstrongswan_chapoly_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_chapoly_la_LINK) $(am_libstrongswan_chapoly_la_rpath) $(libstrongswan_chapoly_la_OBJECTS) $(libstrongswan_chapoly_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chapoly_aead.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chapoly_drv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chapoly_drv_portable.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chapoly_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libchapoly_drv_ssse3_la-chapoly_drv_ssse3.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ 
$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +libchapoly_drv_ssse3_la-chapoly_drv_ssse3.lo: chapoly_drv_ssse3.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libchapoly_drv_ssse3_la_CFLAGS) $(CFLAGS) -MT libchapoly_drv_ssse3_la-chapoly_drv_ssse3.lo -MD -MP -MF $(DEPDIR)/libchapoly_drv_ssse3_la-chapoly_drv_ssse3.Tpo -c -o libchapoly_drv_ssse3_la-chapoly_drv_ssse3.lo `test -f 'chapoly_drv_ssse3.c' || echo '$(srcdir)/'`chapoly_drv_ssse3.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libchapoly_drv_ssse3_la-chapoly_drv_ssse3.Tpo $(DEPDIR)/libchapoly_drv_ssse3_la-chapoly_drv_ssse3.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='chapoly_drv_ssse3.c' object='libchapoly_drv_ssse3_la-chapoly_drv_ssse3.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libchapoly_drv_ssse3_la_CFLAGS) $(CFLAGS) -c -o libchapoly_drv_ssse3_la-chapoly_drv_ssse3.lo `test -f 'chapoly_drv_ssse3.c' || echo '$(srcdir)/'`chapoly_drv_ssse3.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e 
"s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean 
maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/chapoly/chapoly_aead.c b/src/libstrongswan/plugins/chapoly/chapoly_aead.c new file mode 100644 index 000000000..50ad84b21 --- /dev/null +++ b/src/libstrongswan/plugins/chapoly/chapoly_aead.c 
@@ -0,0 +1,333 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "chapoly_aead.h" +#include "chapoly_drv.h" + +#include + +/* maximum plain message size */ +#define P_MAX 247877906880 + +typedef struct private_chapoly_aead_t private_chapoly_aead_t; + +/** + * Private data of an chapoly_aead_t object. + */ +struct private_chapoly_aead_t { + + /** + * Public chapoly_aead_t interface. + */ + chapoly_aead_t public; + + /** + * IV generator. 
+ */ + iv_gen_t *iv_gen; + + /** + * Driver backend + */ + chapoly_drv_t *drv; +}; + +/** + * Include a partial block to ICV by padding it with zero bytes + */ +static bool poly_update_padded(private_chapoly_aead_t *this, + u_char *in, size_t len) +{ + u_char b[POLY_BLOCK_SIZE]; + + memset(b, 0, sizeof(b)); + memcpy(b, in, len); + + return this->drv->poly(this->drv, b, 1); +} + +/** + * Include associated data with padding to ICV + */ +static bool poly_head(private_chapoly_aead_t *this, u_char *assoc, size_t len) +{ + u_int blocks, rem; + + blocks = len / POLY_BLOCK_SIZE; + rem = len % POLY_BLOCK_SIZE; + if (!this->drv->poly(this->drv, assoc, blocks)) + { + return FALSE; + } + if (rem) + { + return poly_update_padded(this, assoc + blocks * POLY_BLOCK_SIZE, rem); + } + return TRUE; +} + +/** + * Include length fields to ICV + */ +static bool poly_tail(private_chapoly_aead_t *this, size_t alen, size_t clen) +{ + struct { + u_int64_t alen; + u_int64_t clen; + } b; + + b.alen = htole64(alen); + b.clen = htole64(clen); + + return this->drv->poly(this->drv, (u_char*)&b, 1); +} + +/** + * Perform ChaCha20 encryption inline and generate an ICV tag + */ +static bool do_encrypt(private_chapoly_aead_t *this, size_t len, u_char *data, + u_char *iv, size_t alen, u_char *assoc, u_char *icv) +{ + u_int blocks, rem, prem; + + if (!this->drv->init(this->drv, iv) || + !poly_head(this, assoc, alen)) + { + return FALSE; + } + blocks = len / CHACHA_BLOCK_SIZE; + if (!this->drv->encrypt(this->drv, data, blocks)) + { + return FALSE; + } + rem = len % CHACHA_BLOCK_SIZE; + if (rem) + { + u_char stream[CHACHA_BLOCK_SIZE]; + + data += blocks * CHACHA_BLOCK_SIZE; + if (!this->drv->chacha(this->drv, stream)) + { + return FALSE; + } + memxor(data, stream, rem); + + blocks = rem / POLY_BLOCK_SIZE; + if (!this->drv->poly(this->drv, data, blocks)) + { + return FALSE; + } + prem = rem % POLY_BLOCK_SIZE; + if (prem) + { + poly_update_padded(this, data + blocks * POLY_BLOCK_SIZE, prem); + } + } + 
return poly_tail(this, alen, len) && + this->drv->finish(this->drv, icv); +} + +/** + * Perform ChaCha20 decryption inline and generate an ICV tag + */ +static bool do_decrypt(private_chapoly_aead_t *this, size_t len, u_char *data, + u_char *iv, size_t alen, u_char *assoc, u_char *icv) +{ + u_int blocks, rem, prem; + + if (!this->drv->init(this->drv, iv) || + !poly_head(this, assoc, alen)) + { + return FALSE; + } + blocks = len / CHACHA_BLOCK_SIZE; + if (!this->drv->decrypt(this->drv, data, blocks)) + { + return FALSE; + } + rem = len % CHACHA_BLOCK_SIZE; + if (rem) + { + u_char stream[CHACHA_BLOCK_SIZE]; + + data += blocks * CHACHA_BLOCK_SIZE; + + blocks = rem / POLY_BLOCK_SIZE; + if (!this->drv->poly(this->drv, data, blocks)) + { + return FALSE; + } + prem = rem % POLY_BLOCK_SIZE; + if (prem) + { + poly_update_padded(this, data + blocks * POLY_BLOCK_SIZE, prem); + } + if (!this->drv->chacha(this->drv, stream)) + { + return FALSE; + } + memxor(data, stream, rem); + } + return poly_tail(this, alen, len) && + this->drv->finish(this->drv, icv); +} + +METHOD(aead_t, encrypt, bool, + private_chapoly_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, + chunk_t *encr) +{ + u_char *out; + + if (sizeof(plain.len) > sizeof(u_int32_t) && plain.len > P_MAX) + { + return FALSE; + } + if (iv.len != CHACHA_IV_SIZE) + { + return FALSE; + } + out = plain.ptr; + if (encr) + { + *encr = chunk_alloc(plain.len + POLY_ICV_SIZE); + out = encr->ptr; + memcpy(out, plain.ptr, plain.len); + } + do_encrypt(this, plain.len, out, iv.ptr, assoc.len, assoc.ptr, + out + plain.len); + return TRUE; +} + +METHOD(aead_t, decrypt, bool, + private_chapoly_aead_t *this, chunk_t encr, chunk_t assoc, chunk_t iv, + chunk_t *plain) +{ + u_char *out, icv[POLY_ICV_SIZE]; + if (iv.len != CHACHA_IV_SIZE || encr.len < POLY_ICV_SIZE) + { + return FALSE; + } + encr.len -= POLY_ICV_SIZE; + if (sizeof(encr.len) > sizeof(u_int32_t) && encr.len > P_MAX) + { + return FALSE; + } + out = encr.ptr; + if (plain) + { + 
*plain = chunk_alloc(encr.len); + out = plain->ptr; + memcpy(out, encr.ptr, encr.len); + } + do_decrypt(this, encr.len, out, iv.ptr, assoc.len, assoc.ptr, icv); + return memeq_const(icv, encr.ptr + encr.len, POLY_ICV_SIZE); +} + +METHOD(aead_t, get_block_size, size_t, + private_chapoly_aead_t *this) +{ + return 1; +} + +METHOD(aead_t, get_icv_size, size_t, + private_chapoly_aead_t *this) +{ + return POLY_ICV_SIZE; +} + +METHOD(aead_t, get_iv_size, size_t, + private_chapoly_aead_t *this) +{ + return CHACHA_IV_SIZE; +} + +METHOD(aead_t, get_iv_gen, iv_gen_t*, + private_chapoly_aead_t *this) +{ + return this->iv_gen; +} + +METHOD(aead_t, get_key_size, size_t, + private_chapoly_aead_t *this) +{ + return CHACHA_KEY_SIZE + CHACHA_SALT_SIZE; +} + +METHOD(aead_t, set_key, bool, + private_chapoly_aead_t *this, chunk_t key) +{ + if (key.len != CHACHA_KEY_SIZE + CHACHA_SALT_SIZE) + { + return FALSE; + } + return this->drv->set_key(this->drv, "expand 32-byte k", + key.ptr, key.ptr + CHACHA_KEY_SIZE); +} + +METHOD(aead_t, destroy, void, + private_chapoly_aead_t *this) +{ + this->drv->destroy(this->drv); + this->iv_gen->destroy(this->iv_gen); + free(this); +} + +/** + * See header + */ +chapoly_aead_t *chapoly_aead_create(encryption_algorithm_t algo, + size_t key_size, size_t salt_size) +{ + private_chapoly_aead_t *this; + chapoly_drv_t *drv; + + if (algo != ENCR_CHACHA20_POLY1305) + { + return NULL; + } + if (key_size && key_size != CHACHA_KEY_SIZE) + { + return NULL; + } + if (salt_size && salt_size != CHACHA_SALT_SIZE) + { + return NULL; + } + drv = chapoly_drv_probe(); + if (!drv) + { + return NULL; + } + + INIT(this, + .public = { + .aead = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_icv_size = _get_icv_size, + .get_iv_size = _get_iv_size, + .get_iv_gen = _get_iv_gen, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .iv_gen = iv_gen_seq_create(), + .drv = drv, + ); + + return 
&this->public;
+}
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_aead.h b/src/libstrongswan/plugins/chapoly/chapoly_aead.h
new file mode 100644
index 000000000..e090541dd
--- /dev/null
+++ b/src/libstrongswan/plugins/chapoly/chapoly_aead.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup chapoly_aead chapoly_aead
+ * @{ @ingroup chapoly
+ */
+
+#ifndef CHAPOLY_AEAD_H_
+#define CHAPOLY_AEAD_H_
+
+#include 
+
+typedef struct chapoly_aead_t chapoly_aead_t;
+
+/**
+ * ChaCha20/Poly1305 AEAD implementation.
+ *
+ * TODO-Chapoly: draft-ietf-ipsecme-chacha20-poly1305-05
+ */
+struct chapoly_aead_t {
+
+ /**
+ * Implements aead_t interface.
+ */
+ aead_t aead;
+};
+
+/**
+ * Create a chapoly_aead instance.
+ *
+ * @param algo algorithm to implement, ENCR_CHACHA20_POLY1305
+ * @param key_size key size in bytes, 32
+ * @param salt_size size of implicit salt length, 0
+ * @return AEAD, NULL if not supported
+ */
+chapoly_aead_t *chapoly_aead_create(encryption_algorithm_t algo,
+ size_t key_size, size_t salt_size);
+
+#endif /** CHAPOLY_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_drv.c b/src/libstrongswan/plugins/chapoly/chapoly_drv.c
new file mode 100644
index 000000000..ca5e2be08
--- /dev/null
+++ b/src/libstrongswan/plugins/chapoly/chapoly_drv.c
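Review bot: The encrypt and decrypt methods discard the result of do_encrypt()/do_decrypt(): encrypt returns TRUE even when the driver reported a failure, and decrypt then compares a possibly never-written `icv` against the received tag, so a backend error surfaces only as a (likely) MAC mismatch rather than as an explicit failure. Propagate the result instead, `return do_encrypt(this, plain.len, out, iv.ptr, assoc.len, assoc.ptr, out + plain.len);` and `return do_decrypt(this, encr.len, out, iv.ptr, assoc.len, assoc.ptr, icv) && memeq_const(icv, encr.ptr + encr.len, POLY_ICV_SIZE);`. One level down, do_encrypt() and do_decrypt() ignore the return value of poly_update_padded() for the trailing partial block while checking every other driver call; `return poly_update_padded(...)` style handling would keep them consistent. The constant `P_MAX 247877906880` looks like a digit transposition of 2^38 = 274877906880 (2^32 64-byte blocks, the range of a 32-bit block counter); as written it is smaller, so it only rejects some legitimate sizes, but it is worth confirming against the spec the header refers to.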
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "chapoly_drv.h"
+#include "chapoly_drv_portable.h"
+#include "chapoly_drv_ssse3.h"
+
+typedef chapoly_drv_t*(*chapoly_drv_create)();
+
+/**
+ * See header.
+ */
+chapoly_drv_t *chapoly_drv_probe()
+{
+ chapoly_drv_create drivers[] = {
+ chapoly_drv_ssse3_create,
+ chapoly_drv_portable_create,
+ };
+ chapoly_drv_t *driver;
+ int i;
+
+ for (i = 0; i < countof(drivers); i++)
+ {
+ driver = drivers[i]();
+ if (driver)
+ {
+ return driver;
+ }
+ }
+ return NULL;
+}
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_drv.h b/src/libstrongswan/plugins/chapoly/chapoly_drv.h
new file mode 100644
index 000000000..bffc43447
--- /dev/null
+++ b/src/libstrongswan/plugins/chapoly/chapoly_drv.h
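Review bot: The `chapoly_drv_create` function-pointer typedef and `chapoly_drv_probe()` are declared with empty parentheses, which in C is an unprototyped declaration rather than "takes no arguments"; the prototype form is `typedef chapoly_drv_t*(*chapoly_drv_create)(void);` and `chapoly_drv_t *chapoly_drv_probe(void)`, with the declaration in chapoly_drv.h changed to match. The loop index `i` is a signed `int` compared against `countof(drivers)`, which is presumably a sizeof-based (unsigned) expression; a `u_int` index avoids the sign-compare warning.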
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup chapoly_drv chapoly_drv
+ * @{ @ingroup chapoly
+ */
+
+#ifndef CHAPOLY_DRV_H_
+#define CHAPOLY_DRV_H_
+
+#include 
+
+#define CHACHA_BLOCK_SIZE 64
+#define CHACHA_IV_SIZE 8
+#define CHACHA_SALT_SIZE 4
+#define CHACHA_KEY_SIZE 32
+#define POLY_BLOCK_SIZE 16
+#define POLY_ICV_SIZE 16
+
+typedef struct chapoly_drv_t chapoly_drv_t;
+
+/**
+ * ChaCha20/Poly1305 backend implementation.
+ */
+struct chapoly_drv_t {
+
+ /**
+ * Set the ChaCha20 encryption key.
+ *
+ * @param constant 16 byte key constant to use
+ * @param key 32 byte encryption key
+ * @param salt 4 byte nonce salt
+ * @return TRUE if key set
+ */
+ bool (*set_key)(chapoly_drv_t *this, u_char *constant, u_char *key,
+ u_char *salt);
+
+ /**
+ * Start an AEAD en/decryption session, reset state.
+ *
+ * @param iv 8 byte initialization vector for nonce
+ * @return TRUE if initialized
+ */
+ bool (*init)(chapoly_drv_t *this, u_char *iv);
+
+ /**
+ * Poly1305 update multiple blocks.
+ *
+ * @param data data to update Poly1305 for
+ * @param blocks number of 16-byte blocks to process
+ * @return TRUE if updated
+ */
+ bool (*poly)(chapoly_drv_t *this, u_char *data, u_int blocks);
+
+ /**
+ * Create a single ChaCha20 keystream block.
+ *
+ * @param stream 64-byte block to write key stream data to
+ * @return TRUE if keystream returned
+ */
+ bool (*chacha)(chapoly_drv_t *this, u_char *stream);
+
+ /**
+ * Encrypt multiple blocks of data inline, update Poly1305.
+ *
+ * @param data data to process
+ * @param blocks number of 64-byte blocks to process
+ * @return TRUE if encrypted
+ */
+ bool (*encrypt)(chapoly_drv_t *this, u_char *data, u_int blocks);
+
+ /**
+ * Decrypt multiple blocks of data inline, update Poly1305.
+ *
+ * @param data data to process
+ * @param blocks number of 64-byte blocks to process
+ * @return TRUE if decrypted
+ */
+ bool (*decrypt)(chapoly_drv_t *this, u_char *data, u_int blocks);
+
+ /**
+ * End a AEAD encryption session, return MAC.
+ *
+ * @param mac 16-byte block to write MAC to
+ * @return TRUE if MAC returned
+ */
+ bool (*finish)(chapoly_drv_t *this, u_char *mac);
+
+ /**
+ * Destroy a chapoly_drv_t.
+ */
+ void (*destroy)(chapoly_drv_t *this);
+};
+
+/**
+ * Create a chapoly_drv instance.
+ */
+chapoly_drv_t *chapoly_drv_probe();
+
+#endif /** CHAPOLY_DRV_H_ @}*/
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c b/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c
new file mode 100644
index 000000000..54e934e6a
--- /dev/null
+++ b/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c
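Review bot: The read-only inputs of the driver interface — `constant`, `key` and `salt` in set_key, `iv` in init, and `data` in poly — are declared as plain `u_char *` although no driver needs to write through them; the only caller of set_key in chapoly_aead.c passes the string literal `"expand 32-byte k"` as `constant`, a `char *` to `u_char *` conversion that -Wpointer-sign reports. Declaring them `const u_char *` (or `const char *constant`) documents the contract and removes that warning; `data` in encrypt/decrypt stays non-const since those update in place. It would also help the `poly` documentation to say that the caller must zero-pad a trailing partial block, which is what poly_update_padded() in chapoly_aead.c does.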
@@ -0,0 +1,454 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * Based on public domain code by Andrew Moon and Daniel J. Bernstein. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "chapoly_drv_portable.h" + +#define CHACHA_DOUBLEROUNDS 10 +/* index of some state fields */ +#define CHACHA_BLOCKCOUNT 12 +#define CHACHA_NONCE1 13 +#define CHACHA_NONCE2 14 +#define CHACHA_NONCE3 15 + +typedef struct private_chapoly_drv_portable_t private_chapoly_drv_portable_t; + +/** + * Private data of an chapoly_drv_portable_t object. + */ +struct private_chapoly_drv_portable_t { + + /** + * Public chapoly_drv_portable_t interface. 
+ */ + chapoly_drv_t public; + + /** + * ChaCha20 state matrix + */ + u_int32_t m[16]; + + /** + * Poly1305 update key + */ + u_int32_t r[5]; + + /** + * Poly1305 state + */ + u_int32_t h[5]; + + /** + * Poly1305 finalize key + */ + u_int32_t s[4]; +}; + +/** + * Convert unaligned little endian to host byte order + */ +static inline u_int32_t uletoh32(void *p) +{ + u_int32_t ret; + + memcpy(&ret, p, sizeof(ret)); + ret = le32toh(ret); + return ret; +} + +/** + * Convert host byte order to unaligned little endian + */ +static inline void htoule32(void *p, u_int32_t v) +{ + v = htole32(v); + memcpy(p, &v, sizeof(v)); +} + +/** + * XOR a 32-bit integer into an unaligned destination + */ +static inline void xor32u(void *p, u_int32_t x) +{ + u_int32_t y; + + memcpy(&y, p, sizeof(y)); + y ^= x; + memcpy(p, &y, sizeof(y)); +} + +/** + * Multiply two 64-bit words + */ +static inline u_int64_t mlt(u_int64_t a, u_int64_t b) +{ + return a * b; +} + +/** + * Shift a 64-bit unsigned integer v right by n bits, clamp to 32 bit +*/ +static inline u_int32_t sr(u_int64_t v, u_char n) +{ + return v >> n; +} + +/** + * Circular left shift by n bits + */ +static inline u_int32_t rotl32(u_int32_t v, u_char n) +{ + return (v << n) | (v >> (sizeof(v) * 8 - n)); +} + +/** + * AND two values, using a native integer size >= sizeof(u_int32_t) + */ +static inline u_long and(u_long v, u_long mask) +{ + return v & mask; +} + +/** + * XOR a Chacha20 keystream block into data, increment counter + */ +static void chacha_block_xor(private_chapoly_drv_portable_t *this, void *data) +{ + u_int32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, xa, xb, xc, xd, xe, xf; + u_int32_t *out = data; + u_int i; + + x0 = this->m[ 0]; + x1 = this->m[ 1]; + x2 = this->m[ 2]; + x3 = this->m[ 3]; + x4 = this->m[ 4]; + x5 = this->m[ 5]; + x6 = this->m[ 6]; + x7 = this->m[ 7]; + x8 = this->m[ 8]; + x9 = this->m[ 9]; + xa = this->m[10]; + xb = this->m[11]; + xc = this->m[12]; + xd = this->m[13]; + xe = this->m[14]; + xf = 
this->m[15]; + + for (i = 0; i < CHACHA_DOUBLEROUNDS; i++) + { + x0 += x4; xc = rotl32(xc ^ x0, 16); + x1 += x5; xd = rotl32(xd ^ x1, 16); + x2 += x6; xe = rotl32(xe ^ x2, 16); + x3 += x7; xf = rotl32(xf ^ x3, 16); + + x8 += xc; x4 = rotl32(x4 ^ x8, 12); + x9 += xd; x5 = rotl32(x5 ^ x9, 12); + xa += xe; x6 = rotl32(x6 ^ xa, 12); + xb += xf; x7 = rotl32(x7 ^ xb, 12); + + x0 += x4; xc = rotl32(xc ^ x0, 8); + x1 += x5; xd = rotl32(xd ^ x1, 8); + x2 += x6; xe = rotl32(xe ^ x2, 8); + x3 += x7; xf = rotl32(xf ^ x3, 8); + + x8 += xc; x4 = rotl32(x4 ^ x8, 7); + x9 += xd; x5 = rotl32(x5 ^ x9, 7); + xa += xe; x6 = rotl32(x6 ^ xa, 7); + xb += xf; x7 = rotl32(x7 ^ xb, 7); + + x0 += x5; xf = rotl32(xf ^ x0, 16); + x1 += x6; xc = rotl32(xc ^ x1, 16); + x2 += x7; xd = rotl32(xd ^ x2, 16); + x3 += x4; xe = rotl32(xe ^ x3, 16); + + xa += xf; x5 = rotl32(x5 ^ xa, 12); + xb += xc; x6 = rotl32(x6 ^ xb, 12); + x8 += xd; x7 = rotl32(x7 ^ x8, 12); + x9 += xe; x4 = rotl32(x4 ^ x9, 12); + + x0 += x5; xf = rotl32(xf ^ x0, 8); + x1 += x6; xc = rotl32(xc ^ x1, 8); + x2 += x7; xd = rotl32(xd ^ x2, 8); + x3 += x4; xe = rotl32(xe ^ x3, 8); + + xa += xf; x5 = rotl32(x5 ^ xa, 7); + xb += xc; x6 = rotl32(x6 ^ xb, 7); + x8 += xd; x7 = rotl32(x7 ^ x8, 7); + x9 += xe; x4 = rotl32(x4 ^ x9, 7); + } + + xor32u(out + 0, le32toh(x0 + this->m[ 0])); + xor32u(out + 1, le32toh(x1 + this->m[ 1])); + xor32u(out + 2, le32toh(x2 + this->m[ 2])); + xor32u(out + 3, le32toh(x3 + this->m[ 3])); + xor32u(out + 4, le32toh(x4 + this->m[ 4])); + xor32u(out + 5, le32toh(x5 + this->m[ 5])); + xor32u(out + 6, le32toh(x6 + this->m[ 6])); + xor32u(out + 7, le32toh(x7 + this->m[ 7])); + xor32u(out + 8, le32toh(x8 + this->m[ 8])); + xor32u(out + 9, le32toh(x9 + this->m[ 9])); + xor32u(out + 10, le32toh(xa + this->m[10])); + xor32u(out + 11, le32toh(xb + this->m[11])); + xor32u(out + 12, le32toh(xc + this->m[12])); + xor32u(out + 13, le32toh(xd + this->m[13])); + xor32u(out + 14, le32toh(xe + this->m[14])); + xor32u(out + 15, 
le32toh(xf + this->m[15])); + + this->m[CHACHA_BLOCKCOUNT]++; +} + +METHOD(chapoly_drv_t, set_key, bool, + private_chapoly_drv_portable_t *this, u_char *constant, u_char *key, + u_char *salt) +{ + this->m[ 0] = uletoh32(constant + 0); + this->m[ 1] = uletoh32(constant + 4); + this->m[ 2] = uletoh32(constant + 8); + this->m[ 3] = uletoh32(constant + 12); + + this->m[ 4] = uletoh32(key + 0); + this->m[ 5] = uletoh32(key + 4); + this->m[ 6] = uletoh32(key + 8); + this->m[ 7] = uletoh32(key + 12); + this->m[ 8] = uletoh32(key + 16); + this->m[ 9] = uletoh32(key + 20); + this->m[10] = uletoh32(key + 24); + this->m[11] = uletoh32(key + 28); + + this->m[CHACHA_NONCE1] = uletoh32(salt); + + return TRUE; +} + +METHOD(chapoly_drv_t, init, bool, + private_chapoly_drv_portable_t *this, u_char *iv) +{ + u_char key[CHACHA_BLOCK_SIZE]; + + this->m[CHACHA_BLOCKCOUNT] = 0; + this->m[CHACHA_NONCE2] = uletoh32(iv + 0); + this->m[CHACHA_NONCE3] = uletoh32(iv + 4); + + memset(key, 0, CHACHA_BLOCK_SIZE); + chacha_block_xor(this, key); + + /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ + this->r[0] = (uletoh32(key + 0) >> 0) & 0x3ffffff; + this->r[1] = (uletoh32(key + 3) >> 2) & 0x3ffff03; + this->r[2] = (uletoh32(key + 6) >> 4) & 0x3ffc0ff; + this->r[3] = (uletoh32(key + 9) >> 6) & 0x3f03fff; + this->r[4] = (uletoh32(key + 12) >> 8) & 0x00fffff; + + /* h = 0 */ + memwipe(this->h, sizeof(this->h)); + + this->s[0] = uletoh32(key + 16); + this->s[1] = uletoh32(key + 20); + this->s[2] = uletoh32(key + 24); + this->s[3] = uletoh32(key + 28); + + return TRUE; +} + +METHOD(chapoly_drv_t, poly, bool, + private_chapoly_drv_portable_t *this, u_char *data, u_int blocks) +{ + u_int32_t r0, r1, r2, r3, r4; + u_int32_t s1, s2, s3, s4; + u_int32_t h0, h1, h2, h3, h4; + u_int64_t d0, d1, d2, d3, d4; + u_int i; + + r0 = this->r[0]; + r1 = this->r[1]; + r2 = this->r[2]; + r3 = this->r[3]; + r4 = this->r[4]; + + s1 = r1 * 5; + s2 = r2 * 5; + s3 = r3 * 5; + s4 = r4 * 5; + + h0 = this->h[0]; + h1 = 
this->h[1]; + h2 = this->h[2]; + h3 = this->h[3]; + h4 = this->h[4]; + + for (i = 0; i < blocks; i++) + { + /* h += m[i] */ + h0 += (uletoh32(data + 0) >> 0) & 0x3ffffff; + h1 += (uletoh32(data + 3) >> 2) & 0x3ffffff; + h2 += (uletoh32(data + 6) >> 4) & 0x3ffffff; + h3 += (uletoh32(data + 9) >> 6) & 0x3ffffff; + h4 += (uletoh32(data + 12) >> 8) | (1 << 24); + + /* h *= r */ + d0 = mlt(h0, r0) + mlt(h1, s4) + mlt(h2, s3) + mlt(h3, s2) + mlt(h4, s1); + d1 = mlt(h0, r1) + mlt(h1, r0) + mlt(h2, s4) + mlt(h3, s3) + mlt(h4, s2); + d2 = mlt(h0, r2) + mlt(h1, r1) + mlt(h2, r0) + mlt(h3, s4) + mlt(h4, s3); + d3 = mlt(h0, r3) + mlt(h1, r2) + mlt(h2, r1) + mlt(h3, r0) + mlt(h4, s4); + d4 = mlt(h0, r4) + mlt(h1, r3) + mlt(h2, r2) + mlt(h3, r1) + mlt(h4, r0); + + /* (partial) h %= p */ + d1 += sr(d0, 26); h0 = and(d0, 0x3ffffff); + d2 += sr(d1, 26); h1 = and(d1, 0x3ffffff); + d3 += sr(d2, 26); h2 = and(d2, 0x3ffffff); + d4 += sr(d3, 26); h3 = and(d3, 0x3ffffff); + h0 += sr(d4, 26) * 5; h4 = and(d4, 0x3ffffff); + h1 += h0 >> 26; h0 = h0 & 0x3ffffff; + + data += POLY_BLOCK_SIZE; + } + + this->h[0] = h0; + this->h[1] = h1; + this->h[2] = h2; + this->h[3] = h3; + this->h[4] = h4; + + return TRUE; +} + +METHOD(chapoly_drv_t, chacha, bool, + private_chapoly_drv_portable_t *this, u_char *stream) +{ + memset(stream, 0, CHACHA_BLOCK_SIZE); + chacha_block_xor(this, stream); + + return TRUE; +} + +METHOD(chapoly_drv_t, encrypt, bool, + private_chapoly_drv_portable_t *this, u_char *data, u_int blocks) +{ + u_int i; + + for (i = 0; i < blocks; i++) + { + chacha_block_xor(this, data); + poly(this, data, 4); + data += CHACHA_BLOCK_SIZE; + } + return TRUE; +} + +METHOD(chapoly_drv_t, decrypt, bool, + private_chapoly_drv_portable_t *this, u_char *data, u_int blocks) +{ + u_int i; + + for (i = 0; i < blocks; i++) + { + poly(this, data, 4); + chacha_block_xor(this, data); + data += CHACHA_BLOCK_SIZE; + } + return TRUE; +} + +METHOD(chapoly_drv_t, finish, bool, + private_chapoly_drv_portable_t 
*this, u_char *mac) +{ + u_int32_t h0, h1, h2, h3, h4; + u_int32_t g0, g1, g2, g3, g4; + u_int32_t mask; + u_int64_t f = 0; + + /* fully carry h */ + h0 = this->h[0]; + h1 = this->h[1]; + h2 = this->h[2]; + h3 = this->h[3]; + h4 = this->h[4]; + + h2 += (h1 >> 26); h1 = h1 & 0x3ffffff; + h3 += (h2 >> 26); h2 = h2 & 0x3ffffff; + h4 += (h3 >> 26); h3 = h3 & 0x3ffffff; + h0 += (h4 >> 26) * 5; h4 = h4 & 0x3ffffff; + h1 += (h0 >> 26); h0 = h0 & 0x3ffffff; + + /* compute h + -p */ + g0 = h0 + 5; + g1 = h1 + (g0 >> 26); g0 &= 0x3ffffff; + g2 = h2 + (g1 >> 26); g1 &= 0x3ffffff; + g3 = h3 + (g2 >> 26); g2 &= 0x3ffffff; + g4 = h4 + (g3 >> 26) - (1 << 26); g3 &= 0x3ffffff; + + /* select h if h < p, or h + -p if h >= p */ + mask = (g4 >> ((sizeof(u_int32_t) * 8) - 1)) - 1; + g0 &= mask; + g1 &= mask; + g2 &= mask; + g3 &= mask; + g4 &= mask; + mask = ~mask; + h0 = (h0 & mask) | g0; + h1 = (h1 & mask) | g1; + h2 = (h2 & mask) | g2; + h3 = (h3 & mask) | g3; + h4 = (h4 & mask) | g4; + + /* h = h % (2^128) */ + h0 = (h0 >> 0) | (h1 << 26); + h1 = (h1 >> 6) | (h2 << 20); + h2 = (h2 >> 12) | (h3 << 14); + h3 = (h3 >> 18) | (h4 << 8); + + /* mac = (h + s) % (2^128) */ + f = (f >> 32) + h0 + this->s[0]; htoule32(mac + 0, f); + f = (f >> 32) + h1 + this->s[1]; htoule32(mac + 4, f); + f = (f >> 32) + h2 + this->s[2]; htoule32(mac + 8, f); + f = (f >> 32) + h3 + this->s[3]; htoule32(mac + 12, f); + + return TRUE; +} + +METHOD(chapoly_drv_t, destroy, void, + private_chapoly_drv_portable_t *this) +{ + memwipe(this->m, sizeof(this->m)); + memwipe(this->h, sizeof(this->h)); + memwipe(this->r, sizeof(this->r)); + memwipe(this->s, sizeof(this->s)); + free(this); +} + +/** + * See header + */ +chapoly_drv_t *chapoly_drv_portable_create() +{ + private_chapoly_drv_portable_t *this; + + INIT(this, + .public = { + .set_key = _set_key, + .init = _init, + .poly = _poly, + .chacha = _chacha, + .encrypt = _encrypt, + .decrypt = _decrypt, + .finish = _finish, + .destroy = _destroy, + }, + ); + + return 
&this->public;
+}
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.h b/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.h
new file mode 100644
index 000000000..a320b2d41
--- /dev/null
+++ b/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup chapoly_drv_portable chapoly_drv_portable
+ * @{ @ingroup chapoly
+ */
+
+#include "chapoly_drv.h"
+
+#ifndef CHAPOLY_DRV_PORTABLE_H_
+#define CHAPOLY_DRV_PORTABLE_H_
+
+/**
+ * Create a chapoly_drv_portable instance.
+ */
+chapoly_drv_t *chapoly_drv_portable_create();
+
+#endif /** CHAPOLY_drv_PORTABLE_H_ @}*/
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_drv_ssse3.c b/src/libstrongswan/plugins/chapoly/chapoly_drv_ssse3.c
new file mode 100644
index 000000000..df88e7d77
--- /dev/null
+++ b/src/libstrongswan/plugins/chapoly/chapoly_drv_ssse3.c
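Review bot: init() generates the Poly1305 one-time key into the stack buffer `key` (a full 64-byte keystream block) and leaves it there after `r` and `s` have been extracted, while destroy() carefully memwipe()s every key-bearing field of the state; for consistency add `memwipe(key, sizeof(key));` before the `return TRUE;` in init(). The block counter `this->m[CHACHA_BLOCKCOUNT]` is incremented in chacha_block_xor() without any bound, so the driver relies entirely on the P_MAX check in chapoly_aead.c to stay within the 32-bit counter; a one-line comment at the increment stating that reliance would help the next reader.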
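Review bot: `#include "chapoly_drv.h"` sits outside the include guard, and the closing comment `/** CHAPOLY_drv_PORTABLE_H_ @}*/` does not match the guard macro `CHAPOLY_DRV_PORTABLE_H_`. Move the include below `#define CHAPOLY_DRV_PORTABLE_H_` and end the file with `#endif /** CHAPOLY_DRV_PORTABLE_H_ @}*/`; chapoly_drv.h carries its own guard, so this is cosmetic rather than a build problem.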
@@ -0,0 +1,867 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * Based on public domain code by Andrew Moon and Daniel J. Bernstein. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "chapoly_drv_ssse3.h" + +#ifdef __SSSE3__ + +#include + +#include + +#define CHACHA_DOUBLEROUNDS 10 + +typedef struct private_chapoly_drv_ssse3_t private_chapoly_drv_ssse3_t; + +/** + * Private data of an chapoly_drv_ssse3_t object. + */ +struct private_chapoly_drv_ssse3_t { + + /** + * Public chapoly_drv_ssse3_t interface. 
+ */ + chapoly_drv_t public; + + /** + * ChaCha20 state matrix, as 128-bit vectors + */ + __m128i m[4]; + + /** + * Poly1305 update key + */ + u_int32_t r[5]; + + /** + * Poly1305 update key r^2 + */ + u_int32_t u[5]; + + /** + * Poly1305 state + */ + u_int32_t h[5]; + + /** + * Poly1305 finalize key + */ + u_int32_t s[4]; +}; + +/** + * Read a 32-bit integer from an unaligned address + */ +static inline u_int32_t ru32(void *p) +{ + u_int32_t ret; + + memcpy(&ret, p, sizeof(ret)); + return ret; +} + +/** + * Write a 32-bit word to an unaligned address + */ +static inline void wu32(void *p, u_int32_t v) +{ + memcpy(p, &v, sizeof(v)); +} + +/** + * Shift a 64-bit unsigned integer v right by n bits, clamp to 32 bit +*/ +static inline u_int32_t sr(u_int64_t v, u_char n) +{ + return v >> n; +} + +/** + * AND two values, using a native integer size >= sizeof(u_int32_t) + */ +static inline u_long and(u_long v, u_long mask) +{ + return v & mask; +} + +/** + * r = shuffle(a ^ b, s) + */ +static inline __m128i sfflxor32(__m128i a, __m128i b, __m128i s) +{ + return _mm_shuffle_epi8(_mm_xor_si128(a, b), s); +} + +/** + * r = rotl32(a ^ b, r) + */ +static inline __m128i rotlxor32(__m128i a, __m128i b, u_char r) +{ + a = _mm_xor_si128(a, b); + return _mm_or_si128(_mm_slli_epi32(a, r), _mm_srli_epi32(a, 32 - r)); +} + +/** + * XOR a Chacha20 keystream block into data, increment counter + */ +static void chacha_block_xor(private_chapoly_drv_ssse3_t *this, void *data) +{ + __m128i x0, x1, x2, x3, r8, r16, *out = data; + u_int i; + + r8 = _mm_set_epi8(14, 13, 12, 15, 10, 9, 8, 11, 6, 5, 4, 7, 2, 1, 0, 3); + r16 = _mm_set_epi8(13, 12, 15, 14, 9, 8, 11, 10, 5, 4, 7, 6, 1, 0, 3, 2); + + x0 = this->m[0]; + x1 = this->m[1]; + x2 = this->m[2]; + x3 = this->m[3]; + + for (i = 0 ; i < CHACHA_DOUBLEROUNDS; i++) + { + x0 = _mm_add_epi32(x0, x1); + x3 = sfflxor32(x3, x0, r16); + + x2 = _mm_add_epi32(x2, x3); + x1 = rotlxor32(x1, x2, 12); + + x0 = _mm_add_epi32(x0, x1); + x3 = sfflxor32(x3, x0, 
r8); + + x2 = _mm_add_epi32(x2, x3); + x1 = rotlxor32(x1, x2, 7); + + x1 = _mm_shuffle_epi32(x1, _MM_SHUFFLE(0, 3, 2, 1)); + x2 = _mm_shuffle_epi32(x2, _MM_SHUFFLE(1, 0, 3, 2)); + x3 = _mm_shuffle_epi32(x3, _MM_SHUFFLE(2, 1, 0, 3)); + + x0 = _mm_add_epi32(x0, x1); + x3 = sfflxor32(x3, x0, r16); + + x2 = _mm_add_epi32(x2, x3); + x1 = rotlxor32(x1, x2, 12); + + x0 = _mm_add_epi32(x0, x1); + x3 = sfflxor32(x3, x0, r8); + + x2 = _mm_add_epi32(x2, x3); + x1 = rotlxor32(x1, x2, 7); + + x1 = _mm_shuffle_epi32(x1, _MM_SHUFFLE(2, 1, 0, 3)); + x2 = _mm_shuffle_epi32(x2, _MM_SHUFFLE(1, 0, 3, 2)); + x3 = _mm_shuffle_epi32(x3, _MM_SHUFFLE(0, 3, 2, 1)); + } + + x0 = _mm_add_epi32(x0, this->m[0]); + x1 = _mm_add_epi32(x1, this->m[1]); + x2 = _mm_add_epi32(x2, this->m[2]); + x3 = _mm_add_epi32(x3, this->m[3]); + x0 = _mm_xor_si128(x0, _mm_loadu_si128(out + 0)); + x1 = _mm_xor_si128(x1, _mm_loadu_si128(out + 1)); + x2 = _mm_xor_si128(x2, _mm_loadu_si128(out + 2)); + x3 = _mm_xor_si128(x3, _mm_loadu_si128(out + 3)); + _mm_storeu_si128(out + 0, x0); + _mm_storeu_si128(out + 1, x1); + _mm_storeu_si128(out + 2, x2); + _mm_storeu_si128(out + 3, x3); + + this->m[3] = _mm_add_epi32(this->m[3], _mm_set_epi32(0, 0, 0, 1)); +} + +/** + * XOR four Chacha20 keystream blocks into data, increment counter + */ +static void chacha_4block_xor(private_chapoly_drv_ssse3_t *this, void *data) +{ + __m128i x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, xa, xb, xc, xd, xe, xf; + __m128i r8, r16, ctrinc, t, *out = data; + u_int32_t *m = (u_int32_t*)this->m; + u_int i; + + r8 = _mm_set_epi8(14, 13, 12, 15, 10, 9, 8, 11, 6, 5, 4, 7, 2, 1, 0, 3); + r16 = _mm_set_epi8(13, 12, 15, 14, 9, 8, 11, 10, 5, 4, 7, 6, 1, 0, 3, 2); + ctrinc = _mm_set_epi32(3, 2, 1, 0); + + x0 = _mm_set1_epi32(m[ 0]); + x1 = _mm_set1_epi32(m[ 1]); + x2 = _mm_set1_epi32(m[ 2]); + x3 = _mm_set1_epi32(m[ 3]); + x4 = _mm_set1_epi32(m[ 4]); + x5 = _mm_set1_epi32(m[ 5]); + x6 = _mm_set1_epi32(m[ 6]); + x7 = _mm_set1_epi32(m[ 7]); + x8 = 
_mm_set1_epi32(m[ 8]); + x9 = _mm_set1_epi32(m[ 9]); + xa = _mm_set1_epi32(m[10]); + xb = _mm_set1_epi32(m[11]); + xc = _mm_set1_epi32(m[12]); + xd = _mm_set1_epi32(m[13]); + xe = _mm_set1_epi32(m[14]); + xf = _mm_set1_epi32(m[15]); + + xc = _mm_add_epi32(xc, ctrinc); + + for (i = 0 ; i < CHACHA_DOUBLEROUNDS; i++) + { + x0 = _mm_add_epi32(x0, x4); xc = sfflxor32(xc, x0, r16); + x1 = _mm_add_epi32(x1, x5); xd = sfflxor32(xd, x1, r16); + x2 = _mm_add_epi32(x2, x6); xe = sfflxor32(xe, x2, r16); + x3 = _mm_add_epi32(x3, x7); xf = sfflxor32(xf, x3, r16); + + x8 = _mm_add_epi32(x8, xc); x4 = rotlxor32(x4, x8, 12); + x9 = _mm_add_epi32(x9, xd); x5 = rotlxor32(x5, x9, 12); + xa = _mm_add_epi32(xa, xe); x6 = rotlxor32(x6, xa, 12); + xb = _mm_add_epi32(xb, xf); x7 = rotlxor32(x7, xb, 12); + + x0 = _mm_add_epi32(x0, x4); xc = sfflxor32(xc, x0, r8); + x1 = _mm_add_epi32(x1, x5); xd = sfflxor32(xd, x1, r8); + x2 = _mm_add_epi32(x2, x6); xe = sfflxor32(xe, x2, r8); + x3 = _mm_add_epi32(x3, x7); xf = sfflxor32(xf, x3, r8); + + x8 = _mm_add_epi32(x8, xc); x4 = rotlxor32(x4, x8, 7); + x9 = _mm_add_epi32(x9, xd); x5 = rotlxor32(x5, x9, 7); + xa = _mm_add_epi32(xa, xe); x6 = rotlxor32(x6, xa, 7); + xb = _mm_add_epi32(xb, xf); x7 = rotlxor32(x7, xb, 7); + + x0 = _mm_add_epi32(x0, x5); xf = sfflxor32(xf, x0, r16); + x1 = _mm_add_epi32(x1, x6); xc = sfflxor32(xc, x1, r16); + x2 = _mm_add_epi32(x2, x7); xd = sfflxor32(xd, x2, r16); + x3 = _mm_add_epi32(x3, x4); xe = sfflxor32(xe, x3, r16); + + xa = _mm_add_epi32(xa, xf); x5 = rotlxor32(x5, xa, 12); + xb = _mm_add_epi32(xb, xc); x6 = rotlxor32(x6, xb, 12); + x8 = _mm_add_epi32(x8, xd); x7 = rotlxor32(x7, x8, 12); + x9 = _mm_add_epi32(x9, xe); x4 = rotlxor32(x4, x9, 12); + + x0 = _mm_add_epi32(x0, x5); xf = sfflxor32(xf, x0, r8); + x1 = _mm_add_epi32(x1, x6); xc = sfflxor32(xc, x1, r8); + x2 = _mm_add_epi32(x2, x7); xd = sfflxor32(xd, x2, r8); + x3 = _mm_add_epi32(x3, x4); xe = sfflxor32(xe, x3, r8); + + xa = _mm_add_epi32(xa, xf); x5 = 
rotlxor32(x5, xa, 7); + xb = _mm_add_epi32(xb, xc); x6 = rotlxor32(x6, xb, 7); + x8 = _mm_add_epi32(x8, xd); x7 = rotlxor32(x7, x8, 7); + x9 = _mm_add_epi32(x9, xe); x4 = rotlxor32(x4, x9, 7); + } + + x0 = _mm_add_epi32(x0, _mm_set1_epi32(m[ 0])); + x1 = _mm_add_epi32(x1, _mm_set1_epi32(m[ 1])); + x2 = _mm_add_epi32(x2, _mm_set1_epi32(m[ 2])); + x3 = _mm_add_epi32(x3, _mm_set1_epi32(m[ 3])); + x4 = _mm_add_epi32(x4, _mm_set1_epi32(m[ 4])); + x5 = _mm_add_epi32(x5, _mm_set1_epi32(m[ 5])); + x6 = _mm_add_epi32(x6, _mm_set1_epi32(m[ 6])); + x7 = _mm_add_epi32(x7, _mm_set1_epi32(m[ 7])); + x8 = _mm_add_epi32(x8, _mm_set1_epi32(m[ 8])); + x9 = _mm_add_epi32(x9, _mm_set1_epi32(m[ 9])); + xa = _mm_add_epi32(xa, _mm_set1_epi32(m[10])); + xb = _mm_add_epi32(xb, _mm_set1_epi32(m[11])); + xc = _mm_add_epi32(xc, _mm_set1_epi32(m[12])); + xd = _mm_add_epi32(xd, _mm_set1_epi32(m[13])); + xe = _mm_add_epi32(xe, _mm_set1_epi32(m[14])); + xf = _mm_add_epi32(xf, _mm_set1_epi32(m[15])); + + xc = _mm_add_epi32(xc, ctrinc); + + /* transpose state matrix by interleaving 32-, then 64-bit words */ + t = x0; x0 = _mm_unpacklo_epi32(t, x1); + x1 = _mm_unpackhi_epi32(t, x1); + t = x2; x2 = _mm_unpacklo_epi32(t, x3); + x3 = _mm_unpackhi_epi32(t, x3); + t = x4; x4 = _mm_unpacklo_epi32(t, x5); + x5 = _mm_unpackhi_epi32(t, x5); + t = x6; x6 = _mm_unpacklo_epi32(t, x7); + x7 = _mm_unpackhi_epi32(t, x7); + t = x8; x8 = _mm_unpacklo_epi32(t, x9); + x9 = _mm_unpackhi_epi32(t, x9); + t = xa; xa = _mm_unpacklo_epi32(t, xb); + xb = _mm_unpackhi_epi32(t, xb); + t = xc; xc = _mm_unpacklo_epi32(t, xd); + xd = _mm_unpackhi_epi32(t, xd); + t = xe; xe = _mm_unpacklo_epi32(t, xf); + xf = _mm_unpackhi_epi32(t, xf); + + t = x0; x0 = _mm_unpacklo_epi64(t, x2); + x2 = _mm_unpackhi_epi64(t, x2); + t = x1; x1 = _mm_unpacklo_epi64(t, x3); + x3 = _mm_unpackhi_epi64(t, x3); + t = x4; x4 = _mm_unpacklo_epi64(t, x6); + x6 = _mm_unpackhi_epi64(t, x6); + t = x5; x5 = _mm_unpacklo_epi64(t, x7); + x7 = _mm_unpackhi_epi64(t, 
x7); + t = x8; x8 = _mm_unpacklo_epi64(t, xa); + xa = _mm_unpackhi_epi64(t, xa); + t = x9; x9 = _mm_unpacklo_epi64(t, xb); + xb = _mm_unpackhi_epi64(t, xb); + t = xc; xc = _mm_unpacklo_epi64(t, xe); + xe = _mm_unpackhi_epi64(t, xe); + t = xd; xd = _mm_unpacklo_epi64(t, xf); + xf = _mm_unpackhi_epi64(t, xf); + + x0 = _mm_xor_si128(_mm_loadu_si128(out + 0), x0); + x1 = _mm_xor_si128(_mm_loadu_si128(out + 8), x1); + x2 = _mm_xor_si128(_mm_loadu_si128(out + 4), x2); + x3 = _mm_xor_si128(_mm_loadu_si128(out + 12), x3); + x4 = _mm_xor_si128(_mm_loadu_si128(out + 1), x4); + x5 = _mm_xor_si128(_mm_loadu_si128(out + 9), x5); + x6 = _mm_xor_si128(_mm_loadu_si128(out + 5), x6); + x7 = _mm_xor_si128(_mm_loadu_si128(out + 13), x7); + x8 = _mm_xor_si128(_mm_loadu_si128(out + 2), x8); + x9 = _mm_xor_si128(_mm_loadu_si128(out + 10), x9); + xa = _mm_xor_si128(_mm_loadu_si128(out + 6), xa); + xb = _mm_xor_si128(_mm_loadu_si128(out + 14), xb); + xc = _mm_xor_si128(_mm_loadu_si128(out + 3), xc); + xd = _mm_xor_si128(_mm_loadu_si128(out + 11), xd); + xe = _mm_xor_si128(_mm_loadu_si128(out + 7), xe); + xf = _mm_xor_si128(_mm_loadu_si128(out + 15), xf); + + _mm_storeu_si128(out + 0, x0); + _mm_storeu_si128(out + 8, x1); + _mm_storeu_si128(out + 4, x2); + _mm_storeu_si128(out + 12, x3); + _mm_storeu_si128(out + 1, x4); + _mm_storeu_si128(out + 9, x5); + _mm_storeu_si128(out + 5, x6); + _mm_storeu_si128(out + 13, x7); + _mm_storeu_si128(out + 2, x8); + _mm_storeu_si128(out + 10, x9); + _mm_storeu_si128(out + 6, xa); + _mm_storeu_si128(out + 14, xb); + _mm_storeu_si128(out + 3, xc); + _mm_storeu_si128(out + 11, xd); + _mm_storeu_si128(out + 7, xe); + _mm_storeu_si128(out + 15, xf); + + this->m[3] = _mm_add_epi32(this->m[3], _mm_set_epi32(0, 0, 0, 4)); +} + +METHOD(chapoly_drv_t, set_key, bool, + private_chapoly_drv_ssse3_t *this, u_char *constant, u_char *key, + u_char *salt) +{ + this->m[0] = _mm_loadu_si128((__m128i*)constant); + this->m[1] = _mm_loadu_si128((__m128i*)key + 0); + 
this->m[2] = _mm_loadu_si128((__m128i*)key + 1); + this->m[3] = _mm_set_epi32(0, 0, ru32(salt), 0); + + return TRUE; +} + +/** + * r[127:64] = h[95:64] * a, r[63:0] = h[31:0] * b + */ +static inline __m128i mul2(__m128i h, u_int32_t a, u_int32_t b) +{ + return _mm_mul_epu32(h, _mm_set_epi32(0, a, 0, b)); +} + +/** + * c = a[127:64] + a[63:0] + b[127:64] + b[63:0] + * z = x[127:64] + x[63:0] + y[127:64] + y[63:0] + */ +static inline void sum2(__m128i a, __m128i b, __m128i x, __m128i y, + u_int64_t *c, u_int64_t *z) +{ + __m128i r, s; + + a = _mm_add_epi64(a, b); + x = _mm_add_epi64(x, y); + r = _mm_unpacklo_epi64(x, a); + s = _mm_unpackhi_epi64(x, a); + r = _mm_add_epi64(r, s); + + _mm_storel_epi64((__m128i*)z, r); + _mm_storel_epi64((__m128i*)c, _mm_srli_si128(r, 8)); +} + +/** + * r = a[127:64] + b[127:64] + c[127:64] + d[127:64] + e[127:64] + * + a[63:0] + b[63:0] + c[63:0] + d[63:0] + e[63:0] + */ +static inline u_int64_t sum5(__m128i a, __m128i b, __m128i c, + __m128i d, __m128i e) +{ + u_int64_t r; + + a = _mm_add_epi64(a, b); + c = _mm_add_epi64(c, d); + a = _mm_add_epi64(a, e); + a = _mm_add_epi64(a, c); + + a = _mm_add_epi64(a, _mm_srli_si128(a, 8)); + _mm_storel_epi64((__m128i*)&r, a); + + return r; +} + +/** + * Make second Poly1305 key u = r^2 + */ +static void make_u(private_chapoly_drv_ssse3_t *this) +{ + __m128i r01, r23, r44, x0, x1, y0, y1, z0; + u_int32_t r0, r1, r2, r3, r4; + u_int32_t u0, u1, u2, u3, u4; + u_int32_t s1, s2, s3, s4; + u_int64_t d0, d1, d2, d3, d4; + + r0 = this->r[0]; + r1 = this->r[1]; + r2 = this->r[2]; + r3 = this->r[3]; + r4 = this->r[4]; + + s1 = r1 * 5; + s2 = r2 * 5; + s3 = r3 * 5; + s4 = r4 * 5; + + r01 = _mm_set_epi32(0, r0, 0, r1); + r23 = _mm_set_epi32(0, r2, 0, r3); + r44 = _mm_set_epi32(0, r4, 0, r4); + + /* u = r^2 */ + x0 = mul2(r01, r0, s4); + x1 = mul2(r01, r1, r0); + y0 = mul2(r23, s3, s2); + y1 = mul2(r23, s4, s3); + z0 = mul2(r44, s1, s2); + y0 = _mm_add_epi64(y0, _mm_srli_si128(z0, 8)); + y1 = 
_mm_add_epi64(y1, _mm_slli_si128(z0, 8)); + sum2(x0, y0, x1, y1, &d0, &d1); + + x0 = mul2(r01, r2, r1); + x1 = mul2(r01, r3, r2); + y0 = mul2(r23, r0, s4); + y1 = mul2(r23, r1, r0); + z0 = mul2(r44, s3, s4); + y0 = _mm_add_epi64(y0, _mm_srli_si128(z0, 8)); + y1 = _mm_add_epi64(y1, _mm_slli_si128(z0, 8)); + sum2(x0, y0, x1, y1, &d2, &d3); + + x0 = mul2(r01, r4, r3); + y0 = mul2(r23, r2, r1); + z0 = mul2(r44, r0, 0); + y0 = _mm_add_epi64(y0, z0); + x0 = _mm_add_epi64(x0, y0); + x0 = _mm_add_epi64(x0, _mm_srli_si128(x0, 8)); + _mm_storel_epi64((__m128i*)&d4, x0); + + /* (partial) r %= p */ + d1 += sr(d0, 26); u0 = and(d0, 0x3ffffff); + d2 += sr(d1, 26); u1 = and(d1, 0x3ffffff); + d3 += sr(d2, 26); u2 = and(d2, 0x3ffffff); + d4 += sr(d3, 26); u3 = and(d3, 0x3ffffff); + u0 += sr(d4, 26) * 5; u4 = and(d4, 0x3ffffff); + u1 += u0 >> 26; u0 &= 0x3ffffff; + + this->u[0] = u0; + this->u[1] = u1; + this->u[2] = u2; + this->u[3] = u3; + this->u[4] = u4; +} + +METHOD(chapoly_drv_t, init, bool, + private_chapoly_drv_ssse3_t *this, u_char *iv) +{ + u_char key[CHACHA_BLOCK_SIZE]; + + this->m[3] = _mm_or_si128( + _mm_set_epi32(ru32(iv + 4), ru32(iv + 0), 0, 0), + _mm_and_si128(this->m[3], _mm_set_epi32(0, 0, ~0, 0))); + + memset(key, 0, CHACHA_BLOCK_SIZE); + chacha_block_xor(this, key); + + /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ + this->r[0] = (ru32(key + 0) >> 0) & 0x3ffffff; + this->r[1] = (ru32(key + 3) >> 2) & 0x3ffff03; + this->r[2] = (ru32(key + 6) >> 4) & 0x3ffc0ff; + this->r[3] = (ru32(key + 9) >> 6) & 0x3f03fff; + this->r[4] = (ru32(key + 12) >> 8) & 0x00fffff; + + make_u(this); + + /* h = 0 */ + memwipe(this->h, sizeof(this->h)); + + this->s[0] = ru32(key + 16); + this->s[1] = ru32(key + 20); + this->s[2] = ru32(key + 24); + this->s[3] = ru32(key + 28); + + return TRUE; +} + +/** + * Update Poly1305 for a multiple of two blocks + */ +static void poly2(private_chapoly_drv_ssse3_t *this, u_char *data, u_int dblks) +{ + u_int32_t r0, r1, r2, r3, r4, u0, u1, u2, u3, u4; 
+ u_int32_t s1, s2, s3, s4, v1, v2, v3, v4; + __m128i hc0, hc1, hc2, hc3, hc4; + u_int32_t h0, h1, h2, h3, h4; + u_int32_t c0, c1, c2, c3, c4; + u_int64_t d0, d1, d2, d3, d4; + u_int i; + + r0 = this->r[0]; + r1 = this->r[1]; + r2 = this->r[2]; + r3 = this->r[3]; + r4 = this->r[4]; + + s1 = r1 * 5; + s2 = r2 * 5; + s3 = r3 * 5; + s4 = r4 * 5; + + u0 = this->u[0]; + u1 = this->u[1]; + u2 = this->u[2]; + u3 = this->u[3]; + u4 = this->u[4]; + + v1 = u1 * 5; + v2 = u2 * 5; + v3 = u3 * 5; + v4 = u4 * 5; + + h0 = this->h[0]; + h1 = this->h[1]; + h2 = this->h[2]; + h3 = this->h[3]; + h4 = this->h[4]; + + /* h = (h + c1) * r^2 + c2 * r */ + for (i = 0; i < dblks; i++) + { + /* h += m[i] */ + h0 += (ru32(data + 0) >> 0) & 0x3ffffff; + h1 += (ru32(data + 3) >> 2) & 0x3ffffff; + h2 += (ru32(data + 6) >> 4) & 0x3ffffff; + h3 += (ru32(data + 9) >> 6) & 0x3ffffff; + h4 += (ru32(data + 12) >> 8) | (1 << 24); + data += POLY_BLOCK_SIZE; + + /* c = m[i + 1] */ + c0 = (ru32(data + 0) >> 0) & 0x3ffffff; + c1 = (ru32(data + 3) >> 2) & 0x3ffffff; + c2 = (ru32(data + 6) >> 4) & 0x3ffffff; + c3 = (ru32(data + 9) >> 6) & 0x3ffffff; + c4 = (ru32(data + 12) >> 8) | (1 << 24); + data += POLY_BLOCK_SIZE; + + hc0 = _mm_set_epi32(0, h0, 0, c0); + hc1 = _mm_set_epi32(0, h1, 0, c1); + hc2 = _mm_set_epi32(0, h2, 0, c2); + hc3 = _mm_set_epi32(0, h3, 0, c3); + hc4 = _mm_set_epi32(0, h4, 0, c4); + + /* h = h * r^2 + c * r */ + d0 = sum5(mul2(hc0, u0, r0), + mul2(hc1, v4, s4), + mul2(hc2, v3, s3), + mul2(hc3, v2, s2), + mul2(hc4, v1, s1)); + d1 = sum5(mul2(hc0, u1, r1), + mul2(hc1, u0, r0), + mul2(hc2, v4, s4), + mul2(hc3, v3, s3), + mul2(hc4, v2, s2)); + d2 = sum5(mul2(hc0, u2, r2), + mul2(hc1, u1, r1), + mul2(hc2, u0, r0), + mul2(hc3, v4, s4), + mul2(hc4, v3, s3)); + d3 = sum5(mul2(hc0, u3, r3), + mul2(hc1, u2, r2), + mul2(hc2, u1, r1), + mul2(hc3, u0, r0), + mul2(hc4, v4, s4)); + d4 = sum5(mul2(hc0, u4, r4), + mul2(hc1, u3, r3), + mul2(hc2, u2, r2), + mul2(hc3, u1, r1), + mul2(hc4, u0, r0)); + + /* 
(partial) h %= p */ + d1 += sr(d0, 26); h0 = and(d0, 0x3ffffff); + d2 += sr(d1, 26); h1 = and(d1, 0x3ffffff); + d3 += sr(d2, 26); h2 = and(d2, 0x3ffffff); + d4 += sr(d3, 26); h3 = and(d3, 0x3ffffff); + h0 += sr(d4, 26) * 5; h4 = and(d4, 0x3ffffff); + h1 += h0 >> 26; h0 = h0 & 0x3ffffff; + } + + this->h[0] = h0; + this->h[1] = h1; + this->h[2] = h2; + this->h[3] = h3; + this->h[4] = h4; +} + +/** + * Update Poly1305 for a single block + */ +static void poly1(private_chapoly_drv_ssse3_t *this, u_char *data) +{ + u_int32_t r0, r1, r2, r3, r4; + u_int32_t s1, s2, s3, s4; + u_int32_t h0, h1, h2, h3, h4; + u_int64_t d0, d1, d2, d3, d4; + __m128i h01, h23, h44; + __m128i x0, x1, y0, y1, z0; + u_int32_t t0, t1; + + r0 = this->r[0]; + r1 = this->r[1]; + r2 = this->r[2]; + r3 = this->r[3]; + r4 = this->r[4]; + + s1 = r1 * 5; + s2 = r2 * 5; + s3 = r3 * 5; + s4 = r4 * 5; + + h0 = this->h[0]; + h1 = this->h[1]; + h2 = this->h[2]; + h3 = this->h[3]; + h4 = this->h[4]; + + h01 = _mm_set_epi32(0, h0, 0, h1); + h23 = _mm_set_epi32(0, h2, 0, h3); + h44 = _mm_set_epi32(0, h4, 0, h4); + + /* h += m[i] */ + t0 = (ru32(data + 0) >> 0) & 0x3ffffff; + t1 = (ru32(data + 3) >> 2) & 0x3ffffff; + h01 = _mm_add_epi32(h01, _mm_set_epi32(0, t0, 0, t1)); + t0 = (ru32(data + 6) >> 4) & 0x3ffffff; + t1 = (ru32(data + 9) >> 6) & 0x3ffffff; + h23 = _mm_add_epi32(h23, _mm_set_epi32(0, t0, 0, t1)); + t0 = (ru32(data + 12) >> 8) | (1 << 24); + h44 = _mm_add_epi32(h44, _mm_set_epi32(0, t0, 0, t0)); + + /* h *= r */ + x0 = mul2(h01, r0, s4); + x1 = mul2(h01, r1, r0); + y0 = mul2(h23, s3, s2); + y1 = mul2(h23, s4, s3); + z0 = mul2(h44, s1, s2); + y0 = _mm_add_epi64(y0, _mm_srli_si128(z0, 8)); + y1 = _mm_add_epi64(y1, _mm_slli_si128(z0, 8)); + sum2(x0, y0, x1, y1, &d0, &d1); + + x0 = mul2(h01, r2, r1); + x1 = mul2(h01, r3, r2); + y0 = mul2(h23, r0, s4); + y1 = mul2(h23, r1, r0); + z0 = mul2(h44, s3, s4); + y0 = _mm_add_epi64(y0, _mm_srli_si128(z0, 8)); + y1 = _mm_add_epi64(y1, _mm_slli_si128(z0, 8)); + 
sum2(x0, y0, x1, y1, &d2, &d3); + + x0 = mul2(h01, r4, r3); + y0 = mul2(h23, r2, r1); + z0 = mul2(h44, r0, 0); + y0 = _mm_add_epi64(y0, z0); + x0 = _mm_add_epi64(x0, y0); + x0 = _mm_add_epi64(x0, _mm_srli_si128(x0, 8)); + _mm_storel_epi64((__m128i*)&d4, x0); + + /* (partial) h %= p */ + d1 += sr(d0, 26); h0 = and(d0, 0x3ffffff); + d2 += sr(d1, 26); h1 = and(d1, 0x3ffffff); + d3 += sr(d2, 26); h2 = and(d2, 0x3ffffff); + d4 += sr(d3, 26); h3 = and(d3, 0x3ffffff); + h0 += sr(d4, 26) * 5; h4 = and(d4, 0x3ffffff); + h1 += h0 >> 26; h0 = h0 & 0x3ffffff; + + this->h[0] = h0; + this->h[1] = h1; + this->h[2] = h2; + this->h[3] = h3; + this->h[4] = h4; +} + +METHOD(chapoly_drv_t, poly, bool, + private_chapoly_drv_ssse3_t *this, u_char *data, u_int blocks) +{ + poly2(this, data, blocks / 2); + if (blocks-- % 2) + { + poly1(this, data + POLY_BLOCK_SIZE * blocks); + } + return TRUE; +} + +METHOD(chapoly_drv_t, chacha, bool, + private_chapoly_drv_ssse3_t *this, u_char *stream) +{ + memset(stream, 0, CHACHA_BLOCK_SIZE); + chacha_block_xor(this, stream); + + return TRUE; +} + +METHOD(chapoly_drv_t, encrypt, bool, + private_chapoly_drv_ssse3_t *this, u_char *data, u_int blocks) +{ + while (blocks >= 4) + { + chacha_4block_xor(this, data); + poly2(this, data, 8); + data += CHACHA_BLOCK_SIZE * 4; + blocks -= 4; + } + while (blocks--) + { + chacha_block_xor(this, data); + poly2(this, data, 2); + data += CHACHA_BLOCK_SIZE; + } + return TRUE; +} + +METHOD(chapoly_drv_t, decrypt, bool, + private_chapoly_drv_ssse3_t *this, u_char *data, u_int blocks) +{ + while (blocks >= 4) + { + poly2(this, data, 8); + chacha_4block_xor(this, data); + data += CHACHA_BLOCK_SIZE * 4; + blocks -= 4; + } + while (blocks--) + { + poly2(this, data, 2); + chacha_block_xor(this, data); + data += CHACHA_BLOCK_SIZE; + } + return TRUE; +} + +METHOD(chapoly_drv_t, finish, bool, + private_chapoly_drv_ssse3_t *this, u_char *mac) +{ + u_int32_t h0, h1, h2, h3, h4; + u_int32_t g0, g1, g2, g3, g4; + u_int32_t mask; + 
u_int64_t f = 0; + + /* fully carry h */ + h0 = this->h[0]; + h1 = this->h[1]; + h2 = this->h[2]; + h3 = this->h[3]; + h4 = this->h[4]; + + h2 += (h1 >> 26); h1 = h1 & 0x3ffffff; + h3 += (h2 >> 26); h2 = h2 & 0x3ffffff; + h4 += (h3 >> 26); h3 = h3 & 0x3ffffff; + h0 += (h4 >> 26) * 5; h4 = h4 & 0x3ffffff; + h1 += (h0 >> 26); h0 = h0 & 0x3ffffff; + + /* compute h + -p */ + g0 = h0 + 5; + g1 = h1 + (g0 >> 26); g0 &= 0x3ffffff; + g2 = h2 + (g1 >> 26); g1 &= 0x3ffffff; + g3 = h3 + (g2 >> 26); g2 &= 0x3ffffff; + g4 = h4 + (g3 >> 26) - (1 << 26); g3 &= 0x3ffffff; + + /* select h if h < p, or h + -p if h >= p */ + mask = (g4 >> ((sizeof(u_int32_t) * 8) - 1)) - 1; + g0 &= mask; + g1 &= mask; + g2 &= mask; + g3 &= mask; + g4 &= mask; + mask = ~mask; + h0 = (h0 & mask) | g0; + h1 = (h1 & mask) | g1; + h2 = (h2 & mask) | g2; + h3 = (h3 & mask) | g3; + h4 = (h4 & mask) | g4; + + /* h = h % (2^128) */ + h0 = (h0 >> 0) | (h1 << 26); + h1 = (h1 >> 6) | (h2 << 20); + h2 = (h2 >> 12) | (h3 << 14); + h3 = (h3 >> 18) | (h4 << 8); + + /* mac = (h + s) % (2^128) */ + f = (f >> 32) + h0 + this->s[0]; wu32(mac + 0, f); + f = (f >> 32) + h1 + this->s[1]; wu32(mac + 4, f); + f = (f >> 32) + h2 + this->s[2]; wu32(mac + 8, f); + f = (f >> 32) + h3 + this->s[3]; wu32(mac + 12, f); + + return TRUE; +} + +METHOD(chapoly_drv_t, destroy, void, + private_chapoly_drv_ssse3_t *this) +{ + memwipe(this->m, sizeof(this->m)); + memwipe(this->h, sizeof(this->h)); + memwipe(this->r, sizeof(this->r)); + memwipe(this->u, sizeof(this->u)); + memwipe(this->s, sizeof(this->s)); + free_align(this); +} + +/** + * See header + */ +chapoly_drv_t *chapoly_drv_ssse3_create() +{ + private_chapoly_drv_ssse3_t *this; + + if (!cpu_feature_available(CPU_FEATURE_SSSE3)) + { + return FALSE; + } + + INIT_ALIGN(this, sizeof(__m128i), + .public = { + .set_key = _set_key, + .init = _init, + .poly = _poly, + .chacha = _chacha, + .encrypt = _encrypt, + .decrypt = _decrypt, + .finish = _finish, + .destroy = _destroy, + }, + ); + + 
return &this->public; +} + +#else /* !__SSSE3__ */ + +chapoly_drv_t *chapoly_drv_ssse3_create() +{ + return NULL; +} + +#endif /* !__SSSE3__ */ diff --git a/src/libstrongswan/plugins/chapoly/chapoly_drv_ssse3.h b/src/libstrongswan/plugins/chapoly/chapoly_drv_ssse3.h new file mode 100644 index 000000000..7e0e8084c --- /dev/null +++ b/src/libstrongswan/plugins/chapoly/chapoly_drv_ssse3.h @@ -0,0 +1,31 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup chapoly_drv_ssse3 chapoly_drv_ssse3 + * @{ @ingroup chapoly + */ + +#include "chapoly_drv.h" + +#ifndef CHAPOLY_DRV_SSSE3_H_ +#define CHAPOLY_DRV_SSSE3_H_ + +/** + * Create a chapoly_drv_ssse3 instance. + */ +chapoly_drv_t *chapoly_drv_ssse3_create(); + +#endif /** CHAPOLY_DRV_SSSE3_H_ @}*/ diff --git a/src/libstrongswan/plugins/chapoly/chapoly_plugin.c b/src/libstrongswan/plugins/chapoly/chapoly_plugin.c new file mode 100644 index 000000000..02e7121d6 --- /dev/null +++ b/src/libstrongswan/plugins/chapoly/chapoly_plugin.c 
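Review bot: `init` derives the Poly1305 one-time key into the stack buffer `key`, copies r and s out of it, and returns without clearing it, so the per-packet MAC key material stays on the stack after the call; since `destroy` already wipes h, r, u and s, `init` should do the same for its temporary with `memwipe(key, sizeof(key));` immediately before `return TRUE;`. Separately, `chapoly_drv_ssse3_create` returns `FALSE` when `cpu_feature_available(CPU_FEATURE_SSSE3)` fails, although its return type is `chapoly_drv_t*`; that happens to be a null pointer constant, but the `#else` stub in the same file returns `NULL` and the runtime-detection path should read `return NULL;` as well. Both are one-line changes inside this hunk.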
@@ -0,0 +1,75 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "chapoly_plugin.h" +#include "chapoly_aead.h" + +#include + +typedef struct private_chapoly_plugin_t private_chapoly_plugin_t; + +/** + * Private data of chapoly_plugin + */ +struct private_chapoly_plugin_t { + + /** + * Public functions + */ + chapoly_plugin_t public; +}; + +METHOD(plugin_t, get_name, char*, + private_chapoly_plugin_t *this) +{ + return "chapoly"; +} + +METHOD(plugin_t, get_features, int, + private_chapoly_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_REGISTER(AEAD, chapoly_aead_create), + PLUGIN_PROVIDE(AEAD, ENCR_CHACHA20_POLY1305, 32), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_chapoly_plugin_t *this) +{ + free(this); +} + +/* + * see header file + */ +plugin_t *chapoly_plugin_create() +{ + private_chapoly_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + ); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/chapoly/chapoly_plugin.h b/src/libstrongswan/plugins/chapoly/chapoly_plugin.h new file mode 100644 index 000000000..f2b62e73c --- /dev/null +++ b/src/libstrongswan/plugins/chapoly/chapoly_plugin.h 
@@ -0,0 +1,42 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup chapoly chapoly + * @ingroup plugins + * + * @defgroup chapoly_plugin chapoly_plugin + * @{ @ingroup chapoly + */ + +#ifndef CHAPOLY_PLUGIN_H_ +#define CHAPOLY_PLUGIN_H_ + +#include + +typedef struct chapoly_plugin_t chapoly_plugin_t; + +/** + * Plugin providing a ChaCha20/Poly1305 AEAD. + */ +struct chapoly_plugin_t { + + /** + * Implements plugin interface. + */ + plugin_t plugin; +}; + +#endif /** CHAPOLY_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c index c81318b19..6010f9d8b 100644 --- a/src/libstrongswan/plugins/des/des_crypter.c +++ b/src/libstrongswan/plugins/des/des_crypter.c @@ -112,7 +112,7 @@ struct private_des_crypter_t { #endif /* This helps C compiler generate the correct code for multiple functional - * units. It reduces register dependancies at the expense of 2 more + * units. It reduces register dependencies at the expense of 2 more * registers */ #ifndef DES_RISC1 #define DES_RISC1 diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h index 2d2b2b45d..bb45d7b4f 100644 --- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h +++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h 
@@ -15,7 +15,7 @@ */ /** - * @defgroup sha1_hasher sha1_hasher + * @defgroup padlock_sha1_hasher padlock_sha1_hasher * @{ @ingroup padlock_p */ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c index 6d5211657..384777610 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c @@ -439,12 +439,17 @@ static bool encode_rsa(private_pkcs11_public_key_t *this, attr[0].ulValueLen > 0 && attr[1].ulValueLen > 0) { chunk_t n, e; - n = chunk_create(attr[0].pValue, attr[0].ulValueLen); + /* some tokens/libraries add unnecessary 0x00 prefixes */ + n = chunk_skip_zero(chunk_create(attr[0].pValue, attr[0].ulValueLen)); if (n.ptr[0] & 0x80) - { /* add leading 0x00, encoders expect it already like this */ + { /* add leading 0x00, encoders might expect it in two's complement */ n = chunk_cata("cc", chunk_from_chars(0x00), n); } - e = chunk_create(attr[1].pValue, attr[1].ulValueLen); + e = chunk_skip_zero(chunk_create(attr[1].pValue, attr[1].ulValueLen)); + if (e.ptr[0] & 0x80) + { + e = chunk_cata("cc", chunk_from_chars(0x00), e); + } success = lib->encoding->encode(lib->encoding, type, cache, encoding, CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); } diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c index 2d0ce8a4c..0ea5eeaf8 100644 --- a/src/libstrongswan/plugins/plugin_feature.c +++ b/src/libstrongswan/plugins/plugin_feature.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2013 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * * Copyright (C) 2011 Martin Willi @@ -59,7 +59,7 @@ ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM, */ u_int32_t plugin_feature_hash(plugin_feature_t *feature) { - chunk_t data; + chunk_t data = chunk_empty; switch (feature->type) { 
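Review bot: In encode_rsa the new code dereferences `n.ptr[0]` and `e.ptr[0]` right after `chunk_skip_zero` with no length check; the `ulValueLen > 0` conditions above guarantee the chunks were non-empty before the skip, so this is only safe if chunk_skip_zero never consumes the last byte of an all-zero value, which this hunk does not show. A guard such as `if (n.len && (n.ptr[0] & 0x80))` and `if (e.len && (e.ptr[0] & 0x80))` makes the invariant local at no cost, or alternatively a comment on the `n =` line stating that chunk_skip_zero leaves at least one byte. The exponent branch also lacks the explanatory comment the modulus branch carries; reusing `/* add leading 0x00, encoders might expect it in two's complement */` on the new `{` for `e` would keep the two paths readable side by side. encode_rsa continues beyond both edges of this hunk.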
@@ -185,7 +185,8 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b) return a->arg.container == b->arg.container; case FEATURE_EAP_SERVER: case FEATURE_EAP_PEER: - return a->arg.eap == b->arg.eap; + return a->arg.eap.vendor == b->arg.eap.vendor && + a->arg.eap.type == b->arg.eap.type; case FEATURE_DATABASE: return a->arg.database == DB_ANY || a->arg.database == b->arg.database; @@ -368,8 +369,15 @@ char* plugin_feature_get_string(plugin_feature_t *feature) break; case FEATURE_EAP_SERVER: case FEATURE_EAP_PEER: - if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type, - eap_type_short_names, feature->arg.eap) > 0) + if (feature->arg.eap.vendor && + asprintf(&str, "%N:%d-%d", plugin_feature_names, feature->type, + feature->arg.eap.type, feature->arg.eap.vendor) > 0) + { + return str; + } + else if (!feature->arg.eap.vendor && + asprintf(&str, "%N:%N", plugin_feature_names, feature->type, + eap_type_short_names, feature->arg.eap.type) > 0) { return str; } diff --git a/src/libstrongswan/plugins/plugin_feature.h b/src/libstrongswan/plugins/plugin_feature.h index ea23f766c..03f1ba8cc 100644 --- a/src/libstrongswan/plugins/plugin_feature.h +++ b/src/libstrongswan/plugins/plugin_feature.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2013 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * * Copyright (C) 2011 Martin Willi @@ -196,7 +196,7 @@ struct plugin_feature_t { /** FEATURE_CONTAINER_DECODE/ENCODE */ container_type_t container; /** FEATURE_EAP_SERVER/CLIENT */ - eap_type_t eap; + eap_vendor_type_t eap; /** FEATURE_DATABASE */ db_driver_t database; /** FEATURE_FETCHER */ 
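Review bot: In plugin_feature_get_string the vendor test is folded into two `if`/`else if` conditions together with the `asprintf` calls, so `feature->arg.eap.vendor` is evaluated twice and a failed `asprintf` in the vendor branch drops into the second condition, which then fails on `!feature->arg.eap.vendor`, before continuing past the hunk; the function's tail is outside this hunk, so I cannot see what that fall-through does. Choosing the format first and checking the result once keeps the success test in one place and makes the failure path explicit. This needs an `int ret;` declared next to `str` at the top of the function, outside the hunk.
```c
		case FEATURE_EAP_SERVER:
		case FEATURE_EAP_PEER:
			if (feature->arg.eap.vendor)
			{
				ret = asprintf(&str, "%N:%d-%d", plugin_feature_names, feature->type,
							   feature->arg.eap.type, feature->arg.eap.vendor);
			}
			else
			{
				ret = asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
							   eap_type_short_names, feature->arg.eap.type);
			}
			if (ret > 0)
			{
				return str;
			}
			/* … unchanged: remainder of the switch … */
```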
@@ -292,8 +292,10 @@ struct plugin_feature_t { #define _PLUGIN_FEATURE_CERT_ENCODE(kind, type) __PLUGIN_FEATURE(kind, CERT_ENCODE, .cert = type) #define _PLUGIN_FEATURE_CONTAINER_DECODE(kind, type) __PLUGIN_FEATURE(kind, CONTAINER_DECODE, .container = type) #define _PLUGIN_FEATURE_CONTAINER_ENCODE(kind, type) __PLUGIN_FEATURE(kind, CONTAINER_ENCODE, .container = type) -#define _PLUGIN_FEATURE_EAP_SERVER(kind, type) __PLUGIN_FEATURE(kind, EAP_SERVER, .eap = type) -#define _PLUGIN_FEATURE_EAP_PEER(kind, type) __PLUGIN_FEATURE(kind, EAP_PEER, .eap = type) +#define _PLUGIN_FEATURE_EAP_SERVER(kind, type) _PLUGIN_FEATURE_EAP_SERVER_VENDOR(kind, type, 0) +#define _PLUGIN_FEATURE_EAP_PEER(kind, type) _PLUGIN_FEATURE_EAP_PEER_VENDOR(kind, type, 0) +#define _PLUGIN_FEATURE_EAP_SERVER_VENDOR(kind, type, vendor)__PLUGIN_FEATURE(kind, EAP_SERVER, .eap = { type, vendor }) +#define _PLUGIN_FEATURE_EAP_PEER_VENDOR(kind, type, vendor) __PLUGIN_FEATURE(kind, EAP_PEER, .eap = { type, vendor }) #define _PLUGIN_FEATURE_DATABASE(kind, type) __PLUGIN_FEATURE(kind, DATABASE, .database = type) #define _PLUGIN_FEATURE_FETCHER(kind, type) __PLUGIN_FEATURE(kind, FETCHER, .fetcher = type) #define _PLUGIN_FEATURE_RESOLVER(kind, ...) __PLUGIN_FEATURE(kind, RESOLVER, .custom = NULL) diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am index bde27b873..72ba4ceef 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.am +++ b/src/libstrongswan/plugins/test_vectors/Makefile.am @@ -19,6 +19,7 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/aes_cmac.c \ test_vectors/aes_ccm.c \ test_vectors/aes_gcm.c \ + test_vectors/chacha20poly1305.c \ test_vectors/blowfish.c \ test_vectors/camellia_cbc.c \ test_vectors/camellia_ctr.c \ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index e98119b85..fa7c3cb82 100644 
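Review bot: `_PLUGIN_FEATURE_EAP_SERVER_VENDOR` and `_PLUGIN_FEATURE_EAP_PEER_VENDOR` initialise the new `eap` member positionally, `.eap = { type, vendor }`, so every plugin's feature table silently depends on `type` preceding `vendor` in `eap_vendor_type_t`, a struct defined elsewhere; designated initialisers, `.eap = { .type = type, .vendor = vendor }`, remove that coupling at no cost, and the macros already use designated syntax for `.eap` itself. Also, the `..._SERVER_VENDOR` definition has no whitespace between its parameter list and the replacement `__PLUGIN_FEATURE(` — legal for the preprocessor, but it reads as a typo next to the aligned lines around it.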
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -133,11 +133,11 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \ test_vectors/3des_cbc.lo test_vectors/aes_cbc.lo \ test_vectors/aes_ctr.lo test_vectors/aes_xcbc.lo \ test_vectors/aes_cmac.lo test_vectors/aes_ccm.lo \ - test_vectors/aes_gcm.lo test_vectors/blowfish.lo \ - test_vectors/camellia_cbc.lo test_vectors/camellia_ctr.lo \ - test_vectors/camellia_xcbc.lo test_vectors/cast.lo \ - test_vectors/des.lo test_vectors/idea.lo test_vectors/null.lo \ - test_vectors/rc2.lo test_vectors/rc5.lo \ + test_vectors/aes_gcm.lo test_vectors/chacha20poly1305.lo \ + test_vectors/blowfish.lo test_vectors/camellia_cbc.lo \ + test_vectors/camellia_ctr.lo test_vectors/camellia_xcbc.lo \ + test_vectors/cast.lo test_vectors/des.lo test_vectors/idea.lo \ + test_vectors/null.lo test_vectors/rc2.lo test_vectors/rc5.lo \ test_vectors/serpent_cbc.lo test_vectors/twofish_cbc.lo \ test_vectors/md2.lo test_vectors/md4.lo test_vectors/md5.lo \ test_vectors/md5_hmac.lo test_vectors/sha1.lo \ @@ -461,6 +461,7 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/aes_cmac.c \ test_vectors/aes_ccm.c \ test_vectors/aes_gcm.c \ + test_vectors/chacha20poly1305.c \ test_vectors/blowfish.c \ test_vectors/camellia_cbc.c \ test_vectors/camellia_ctr.c \ @@ -589,6 +590,8 @@ test_vectors/aes_ccm.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/aes_gcm.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) +test_vectors/chacha20poly1305.lo: test_vectors/$(am__dirstamp) \ + test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/blowfish.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/camellia_cbc.lo: test_vectors/$(am__dirstamp) \ 
@@ -666,6 +669,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/camellia_ctr.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/camellia_xcbc.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/cast.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/chacha20poly1305.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/des.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/ecp.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/ecpbp.Plo@am__quote@ diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h index f7450aa9e..57c218c16 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors.h +++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h @@ -113,6 +113,10 @@ TEST_VECTOR_AEAD(aes_gcm21) TEST_VECTOR_AEAD(aes_gcm22) TEST_VECTOR_AEAD(aes_gcm23) +TEST_VECTOR_AEAD(chacha20poly1305_1) +TEST_VECTOR_AEAD(chacha20poly1305_2) +TEST_VECTOR_AEAD(chacha20poly1305_3) + TEST_VECTOR_SIGNER(aes_xcbc_s1) TEST_VECTOR_SIGNER(aes_xcbc_s2) TEST_VECTOR_SIGNER(aes_xcbc_s3) diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c b/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c new file mode 100644 index 000000000..21726cbbb --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/chacha20poly1305.c 
@@ -0,0 +1,107 @@ +/* + * Copyright (C) 2015 Martin Willi + * Copyright (C) 2015 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +/** + * From draft-irtf-cfrg-chacha20-poly1305 + */ +aead_test_vector_t chacha20poly1305_1 = { + .alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4, + .len = 265, .alen = 12, + .key = "\x1c\x92\x40\xa5\xeb\x55\xd3\x8a\xf3\x33\x88\x86\x04\xf6\xb5\xf0" + "\x47\x39\x17\xc1\x40\x2b\x80\x09\x9d\xca\x5c\xbc\x20\x70\x75\xc0" + "\x00\x00\x00\x00", + .iv = "\x01\x02\x03\x04\x05\x06\x07\x08", + .adata = "\xf3\x33\x88\x86\x00\x00\x00\x00\x00\x00\x4e\x91", + .plain = "\x49\x6e\x74\x65\x72\x6e\x65\x74\x2d\x44\x72\x61\x66\x74\x73\x20" + "\x61\x72\x65\x20\x64\x72\x61\x66\x74\x20\x64\x6f\x63\x75\x6d\x65" + "\x6e\x74\x73\x20\x76\x61\x6c\x69\x64\x20\x66\x6f\x72\x20\x61\x20" + "\x6d\x61\x78\x69\x6d\x75\x6d\x20\x6f\x66\x20\x73\x69\x78\x20\x6d" + "\x6f\x6e\x74\x68\x73\x20\x61\x6e\x64\x20\x6d\x61\x79\x20\x62\x65" + "\x20\x75\x70\x64\x61\x74\x65\x64\x2c\x20\x72\x65\x70\x6c\x61\x63" + "\x65\x64\x2c\x20\x6f\x72\x20\x6f\x62\x73\x6f\x6c\x65\x74\x65\x64" + "\x20\x62\x79\x20\x6f\x74\x68\x65\x72\x20\x64\x6f\x63\x75\x6d\x65" + "\x6e\x74\x73\x20\x61\x74\x20\x61\x6e\x79\x20\x74\x69\x6d\x65\x2e" + "\x20\x49\x74\x20\x69\x73\x20\x69\x6e\x61\x70\x70\x72\x6f\x70\x72" + "\x69\x61\x74\x65\x20\x74\x6f\x20\x75\x73\x65\x20\x49\x6e\x74\x65" + "\x72\x6e\x65\x74\x2d\x44\x72\x61\x66\x74\x73\x20\x61\x73\x20\x72" + "\x65\x66\x65\x72\x65\x6e\x63\x65\x20\x6d\x61\x74\x65\x72\x69\x61" + 
"\x6c\x20\x6f\x72\x20\x74\x6f\x20\x63\x69\x74\x65\x20\x74\x68\x65" + "\x6d\x20\x6f\x74\x68\x65\x72\x20\x74\x68\x61\x6e\x20\x61\x73\x20" + "\x2f\xe2\x80\x9c\x77\x6f\x72\x6b\x20\x69\x6e\x20\x70\x72\x6f\x67" + "\x72\x65\x73\x73\x2e\x2f\xe2\x80\x9d", + .cipher = "\x64\xa0\x86\x15\x75\x86\x1a\xf4\x60\xf0\x62\xc7\x9b\xe6\x43\xbd" + "\x5e\x80\x5c\xfd\x34\x5c\xf3\x89\xf1\x08\x67\x0a\xc7\x6c\x8c\xb2" + "\x4c\x6c\xfc\x18\x75\x5d\x43\xee\xa0\x9e\xe9\x4e\x38\x2d\x26\xb0" + "\xbd\xb7\xb7\x3c\x32\x1b\x01\x00\xd4\xf0\x3b\x7f\x35\x58\x94\xcf" + "\x33\x2f\x83\x0e\x71\x0b\x97\xce\x98\xc8\xa8\x4a\xbd\x0b\x94\x81" + "\x14\xad\x17\x6e\x00\x8d\x33\xbd\x60\xf9\x82\xb1\xff\x37\xc8\x55" + "\x97\x97\xa0\x6e\xf4\xf0\xef\x61\xc1\x86\x32\x4e\x2b\x35\x06\x38" + "\x36\x06\x90\x7b\x6a\x7c\x02\xb0\xf9\xf6\x15\x7b\x53\xc8\x67\xe4" + "\xb9\x16\x6c\x76\x7b\x80\x4d\x46\xa5\x9b\x52\x16\xcd\xe7\xa4\xe9" + "\x90\x40\xc5\xa4\x04\x33\x22\x5e\xe2\x82\xa1\xb0\xa0\x6c\x52\x3e" + "\xaf\x45\x34\xd7\xf8\x3f\xa1\x15\x5b\x00\x47\x71\x8c\xbc\x54\x6a" + "\x0d\x07\x2b\x04\xb3\x56\x4e\xea\x1b\x42\x22\x73\xf5\x48\x27\x1a" + "\x0b\xb2\x31\x60\x53\xfa\x76\x99\x19\x55\xeb\xd6\x31\x59\x43\x4e" + "\xce\xbb\x4e\x46\x6d\xae\x5a\x10\x73\xa6\x72\x76\x27\x09\x7a\x10" + "\x49\xe6\x17\xd9\x1d\x36\x10\x94\xfa\x68\xf0\xff\x77\x98\x71\x30" + "\x30\x5b\xea\xba\x2e\xda\x04\xdf\x99\x7b\x71\x4d\x6c\x6f\x2c\x29" + "\xa6\xad\x5c\xb4\x02\x2b\x02\x70\x9b\xee\xad\x9d\x67\x89\x0c\xbb" + "\x22\x39\x23\x36\xfe\xa1\x85\x1f\x38", +}; + +/** + * ESP example from draft-ietf-ipsecme-chacha20-poly1305-06 + */ +aead_test_vector_t chacha20poly1305_2 = { + .alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4, + .len = 88, .alen = 8, + .key = "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f" + "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" + "\xa0\xa1\xa2\xa3", + .iv = "\x10\x11\x12\x13\x14\x15\x16\x17", + .adata = "\x01\x02\x03\x04\x00\x00\x00\x05", + .plain = 
"\x45\x00\x00\x54\xa6\xf2\x00\x00\x40\x01\xe7\x78\xc6\x33\x64\x05" + "\xc0\x00\x02\x05\x08\x00\x5b\x7a\x3a\x08\x00\x00\x55\x3b\xec\x10" + "\x00\x07\x36\x27\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13" + "\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23" + "\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33" + "\x34\x35\x36\x37\x01\x02\x02\x04", + .cipher = "\x24\x03\x94\x28\xb9\x7f\x41\x7e\x3c\x13\x75\x3a\x4f\x05\x08\x7b" + "\x67\xc3\x52\xe6\xa7\xfa\xb1\xb9\x82\xd4\x66\xef\x40\x7a\xe5\xc6" + "\x14\xee\x80\x99\xd5\x28\x44\xeb\x61\xaa\x95\xdf\xab\x4c\x02\xf7" + "\x2a\xa7\x1e\x7c\x4c\x4f\x64\xc9\xbe\xfe\x2f\xac\xc6\x38\xe8\xf3" + "\xcb\xec\x16\x3f\xac\x46\x9b\x50\x27\x73\xf6\xfb\x94\xe6\x64\xda" + "\x91\x65\xb8\x28\x29\xf6\x41\xe0\x76\xaa\xa8\x26\x6b\x7f\xb0\xf7" + "\xb1\x1b\x36\x99\x07\xe1\xad\x43", +}; + +/** + * IKEv2 example from draft-ietf-ipsecme-chacha20-poly1305-06 + */ +aead_test_vector_t chacha20poly1305_3 = { + .alg = ENCR_CHACHA20_POLY1305, .key_size = 32, .salt_size = 4, + .len = 13, .alen = 32, + .key = "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f" + "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" + "\xa0\xa1\xa2\xa3", + .iv = "\x10\x11\x12\x13\x14\x15\x16\x17", + .adata = "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7" + "\x2e\x20\x25\x00\x00\x00\x00\x09\x00\x00\x00\x45\x29\x00\x00\x29", + .plain = "\x00\x00\x00\x0c\x00\x00\x40\x01\x00\x00\x00\x0a\x00", + .cipher = "\x61\x03\x94\x70\x1f\x8d\x01\x7f\x7c\x12\x92\x48\x89\x6b\x71\xbf" + "\xe2\x52\x36\xef\xd7\xcd\xc6\x70\x66\x90\x63\x15\xb2", +}; diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c index 3b7f8c5a0..668632459 100644 --- a/src/libstrongswan/selectors/traffic_selector.c +++ b/src/libstrongswan/selectors/traffic_selector.c 
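Review bot: The vector comments cite Internet-Drafts (`draft-irtf-cfrg-chacha20-poly1305`, `draft-ietf-ipsecme-chacha20-poly1305-06`) that, as far as I know, had already been published as RFC 7539 (Appendix A.5) and RFC 7634 before this import; citing the RFCs, e.g. `/* From RFC 7539, Appendix A.5 (AEAD_CHACHA20_POLY1305) */`, makes the vectors easier to re-verify. The first vector's 36-byte `.key` with `.salt_size = 4` plus the 8-byte `.iv` encode the RFC's 12-byte nonce as salt||IV, the IPsec layout; a one-line comment saying so would save the next reader from working it out. All three are positive known-answer vectors; whether the test-vector harness also checks that a corrupted tag is rejected is not visible in this file. The `#include` on the first code line has no header name as rendered here, presumably lost in extraction.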
@@ -849,8 +849,7 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type, memcpy(this->to, to.ptr+1, to.len-1); this->to[to.len-2] |= mask; } - this->netbits = chunk_equals(from, to) ? (from.len-1)*8 - from.ptr[0] - : NON_SUBNET_ADDRESS_RANGE; + calc_netbits(this); return (&this->public); } diff --git a/src/libstrongswan/settings/settings.c b/src/libstrongswan/settings/settings.c index acf9160d2..305ebe620 100644 --- a/src/libstrongswan/settings/settings.c +++ b/src/libstrongswan/settings/settings.c @@ -37,9 +37,10 @@ typedef struct private_settings_t private_settings_t; /** - * Parse function provided by the generated parser. + * Parse functions provided by the generated parser. */ bool settings_parser_parse_file(section_t *root, char *name); +bool settings_parser_parse_string(section_t *root, char *settings); /** * Private data of settings @@ -843,16 +844,17 @@ METHOD(settings_t, add_fallback, void, } /** - * Load settings from files matching the given file pattern. + * Load settings from files matching the given file pattern or from a string. * All sections and values are added relative to "parent". * All files (even included ones) have to be loaded successfully. * If merge is FALSE the contents of parent are replaced with the parsed * contents, otherwise they are merged together. */ -static bool load_files_internal(private_settings_t *this, section_t *parent, - char *pattern, bool merge) +static bool load_internal(private_settings_t *this, section_t *parent, + char *pattern, bool merge, bool string) { section_t *section; + bool loaded; if (pattern == NULL || !pattern[0]) { /* TODO: Clear parent if merge is FALSE? */ 
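Review bot: The replaced expression derived the prefix length from `from.ptr[0]`, the RFC 3779 "unused bits" octet taken straight from the certificate, whereas `calc_netbits()` (not in this hunk) presumably recomputes it from the expanded `this->from`/`this->to`; that is the safer choice, because a malformed unused-bits value no longer feeds `netbits` directly, and a short comment at the call site, `/* derive netbits from the expanded addresses, not from the encoded unused-bits octet */`, would record why the inline computation went away. The function and its length checks on `from`/`to` begin outside this hunk.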
@@ -860,7 +862,9 @@ static bool load_files_internal(private_settings_t *this, section_t *parent, } section = settings_section_create(NULL); - if (!settings_parser_parse_file(section, pattern)) + loaded = string ? settings_parser_parse_string(section, pattern) : + settings_parser_parse_file(section, pattern); + if (!loaded) { settings_section_destroy(section, NULL); return FALSE; @@ -877,7 +881,7 @@ static bool load_files_internal(private_settings_t *this, section_t *parent, METHOD(settings_t, load_files, bool, private_settings_t *this, char *pattern, bool merge) { - return load_files_internal(this, this->top, pattern, merge); + return load_internal(this, this->top, pattern, merge, FALSE); } METHOD(settings_t, load_files_section, bool, @@ -894,7 +898,30 @@ METHOD(settings_t, load_files_section, bool, { return FALSE; } - return load_files_internal(this, section, pattern, merge); + return load_internal(this, section, pattern, merge, FALSE); +} + +METHOD(settings_t, load_string, bool, + private_settings_t *this, char *settings, bool merge) +{ + return load_internal(this, this->top, settings, merge, TRUE); +} + +METHOD(settings_t, load_string_section, bool, + private_settings_t *this, char *settings, bool merge, char *key, ...) +{ + section_t *section; + va_list args; + + va_start(args, key); + section = ensure_section(this, this->top, key, args); + va_end(args); + + if (!section) + { + return FALSE; + } + return load_internal(this, section, settings, merge, TRUE); } METHOD(settings_t, destroy, void, @@ -906,10 +933,7 @@ METHOD(settings_t, destroy, void, free(this); } -/* - * see header file - */ -settings_t *settings_create(char *file) +static private_settings_t *settings_create_base() { private_settings_t *this; 
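Review bot: `settings_create_base()` is declared with an empty parameter list, which in C is an old-style declaration that leaves the arguments unchecked; for a new `static` helper it should read `static private_settings_t *settings_create_base(void)`. A one-line comment above it, `/* allocate a settings_t with an empty top section; callers load the contents */`, would also document why `settings_create()` and `settings_create_string()` share it. The function body continues past the end of the hunk.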
@@ -931,14 +955,37 @@ settings_t *settings_create(char *file) .add_fallback = _add_fallback, .load_files = _load_files, .load_files_section = _load_files_section, + .load_string = _load_string, + .load_string_section = _load_string_section, .destroy = _destroy, }, .top = settings_section_create(NULL), .contents = array_create(0, 0), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ); + return this; +} + +/* + * see header file + */ +settings_t *settings_create(char *file) +{ + private_settings_t *this = settings_create_base(); load_files(this, file, FALSE); return &this->public; } + +/* + * see header file + */ +settings_t *settings_create_string(char *settings) +{ + private_settings_t *this = settings_create_base(); + + load_string(this, settings, FALSE); + + return &this->public; +} diff --git a/src/libstrongswan/settings/settings.h b/src/libstrongswan/settings/settings.h index 3b87c8feb..4ef80d0f6 100644 --- a/src/libstrongswan/settings/settings.h +++ b/src/libstrongswan/settings/settings.h 
@@ -334,6 +334,50 @@ struct settings_t { bool (*load_files_section)(settings_t *this, char *pattern, bool merge, char *section, ...); + /** + * Load settings from the given string. + * + * If merge is TRUE, existing sections are extended, existing values + * replaced, by those found in the string. If it is FALSE, existing + * sections are purged before reading the new config. + * + * @note If the string contains _include_ statements they should be + * absolute paths. + * + * @note If any failures occur, no settings are added at all. So, it's all + * or nothing. + * + * @param settings string to parse + * @param merge TRUE to merge config with existing values + * @return TRUE, if settings were loaded successfully + */ + bool (*load_string)(settings_t *this, char *settings, bool merge); + + /** + * Load settings from the given string. + * + * If merge is TRUE, existing sections are extended, existing values + * replaced, by those found in the string. If it is FALSE, existing + * sections are purged before reading the new config. + * + * All settings are loaded relative to the given section. The section is + * created, if it does not yet exist. + * + * @note If the string contains _include_ statements they should be + * absolute paths. + * + * @note If any failures occur, no settings are added at all. So, it's all + * or nothing. + * + * @param settings string to parse + * @param merge TRUE to merge config with existing values + * @param section section name of parent section, printf style + * @param ... argument list for section + * @return TRUE, if settings were loaded successfully + */ + bool (*load_string_section)(settings_t *this, char *settings, bool merge, + char *section, ...); + /** * Destroy a settings instance. */ 
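Review bot: The new `load_string`/`load_string_section` comments say `include` statements inside the string should be absolute paths, which confirms that `include` is honoured while parsing a string; the security consequence should be spelled out: a settings string must come from a trusted source, since an attacker-controlled string can pull arbitrary readable files into the configuration via `include`, and a relative path is presumably resolved against the process's working directory because there is no containing file. Suggested addition to both @note blocks: `@note Only pass trusted input: include statements are honoured and read files with the daemon's privileges.` The struct continues outside this hunk.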
@@ -350,4 +394,14 @@ struct settings_t { */ settings_t *settings_create(char *file); +/** + * Load settings from a string. + * + * @note If parsing the file fails the object is still created. + * + * @param settings string to read settings from + * @return settings object, or NULL + */ +settings_t *settings_create_string(char *settings); + #endif /** SETTINGS_H_ @}*/ diff --git a/src/libstrongswan/settings/settings_lexer.c b/src/libstrongswan/settings/settings_lexer.c index 0d71a1d01..6e64e15a6 100644 --- a/src/libstrongswan/settings/settings_lexer.c +++ b/src/libstrongswan/settings/settings_lexer.c @@ -456,8 +456,8 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner ); yyg->yy_c_buf_p = yy_cp; /* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */ -#define YY_NUM_RULES 26 -#define YY_END_OF_BUFFER 27 +#define YY_NUM_RULES 23 +#define YY_END_OF_BUFFER 24 /* This struct is not used in this scanner, but its presence is necessary. */ struct yy_trans_info @@ -465,14 +465,13 @@ struct yy_trans_info flex_int32_t yy_verify; flex_int32_t yy_nxt; }; -static yyconst flex_int16_t yy_accept[52] = +static yyconst flex_int16_t yy_accept[49] = { 0, - 0, 0, 0, 0, 0, 0, 27, 9, 2, 3, + 0, 0, 0, 0, 0, 0, 24, 9, 2, 3, 8, 1, 6, 9, 4, 5, 14, 10, 11, 12, - 25, 16, 15, 17, 9, 2, 1, 1, 3, 9, - 14, 13, 25, 24, 23, 24, 21, 22, 18, 19, - 20, 1, 9, 9, 9, 9, 9, 0, 7, 7, - 0 + 22, 15, 16, 9, 2, 1, 1, 3, 9, 14, + 13, 22, 21, 20, 21, 17, 18, 19, 1, 9, + 9, 9, 9, 9, 0, 7, 7, 0 } ; static yyconst flex_int32_t yy_ec[256] = 
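Review bot: The new comment for `settings_create_string()` says "If parsing the file fails the object is still created" and "@return settings object, or NULL", but the function parses a string, and its definition in settings.c always returns `&this->public` after ignoring `load_string()`'s result, so it never returns NULL. Suggest `@note If parsing the string fails the object is still created (with no settings loaded).` and `@return settings object`; if a NULL return on parse failure is what was intended, the definition needs to check `load_string()` and destroy the object instead.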
@@ -486,11 +485,11 @@ static yyconst flex_int32_t yy_ec[256] = 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 9, 1, 1, 1, 1, 1, 10, 11, 12, + 1, 9, 1, 1, 1, 1, 1, 1, 10, 11, - 13, 14, 1, 1, 15, 1, 1, 16, 1, 17, - 1, 1, 1, 18, 1, 19, 20, 1, 1, 1, - 1, 1, 21, 1, 22, 1, 1, 1, 1, 1, + 12, 1, 1, 1, 13, 1, 1, 14, 1, 15, + 1, 1, 1, 16, 1, 17, 18, 1, 1, 1, + 1, 1, 19, 1, 20, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 
@@ -507,92 +506,91 @@ static yyconst flex_int32_t yy_ec[256] = 1, 1, 1, 1, 1 } ; -static yyconst flex_int32_t yy_meta[23] = +static yyconst flex_int32_t yy_meta[21] = { 0, 1, 2, 3, 1, 4, 5, 4, 6, 7, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 8, 4 + 1, 1, 1, 1, 1, 1, 1, 1, 8, 9 } ; -static yyconst flex_int16_t yy_base[62] = +static yyconst flex_int16_t yy_base[60] = { 0, - 0, 0, 21, 42, 26, 28, 63, 0, 31, 155, - 155, 59, 155, 44, 155, 155, 0, 155, 155, 0, - 0, 155, 155, 62, 0, 48, 0, 57, 155, 47, - 0, 155, 0, 155, 155, 49, 155, 155, 155, 155, - 155, 0, 30, 21, 28, 12, 37, 52, 155, 54, - 155, 81, 89, 97, 104, 112, 117, 122, 130, 138, - 146 + 0, 0, 19, 38, 21, 23, 55, 0, 47, 161, + 161, 50, 161, 37, 161, 161, 0, 161, 161, 0, + 0, 161, 56, 0, 44, 0, 47, 161, 39, 0, + 161, 0, 161, 161, 45, 161, 161, 161, 0, 32, + 24, 26, 11, 29, 31, 161, 33, 161, 73, 82, + 91, 97, 101, 110, 115, 124, 133, 142, 151 } ; -static yyconst flex_int16_t yy_def[62] = +static yyconst flex_int16_t yy_def[60] = { 0, - 51, 1, 52, 52, 53, 53, 51, 54, 51, 51, - 51, 55, 51, 54, 51, 51, 56, 51, 51, 57, - 58, 51, 51, 59, 54, 51, 60, 55, 51, 54, - 56, 51, 58, 51, 51, 51, 51, 51, 51, 51, - 51, 60, 54, 54, 54, 54, 54, 61, 51, 61, - 0, 51, 51, 51, 51, 51, 51, 51, 51, 51, - 51 + 48, 1, 49, 49, 50, 50, 48, 51, 52, 48, + 48, 53, 48, 51, 48, 48, 54, 48, 48, 55, + 56, 48, 57, 51, 52, 58, 53, 48, 51, 54, + 48, 56, 48, 48, 48, 48, 48, 48, 58, 51, + 51, 51, 51, 51, 59, 48, 59, 0, 48, 48, + 48, 48, 48, 48, 48, 48, 48, 48, 48 } ; -static yyconst flex_int16_t yy_nxt[178] = +static yyconst flex_int16_t yy_nxt[182] = { 0, 8, 9, 10, 8, 9, 11, 12, 13, 8, 8, - 8, 8, 8, 8, 14, 8, 8, 8, 8, 8, - 15, 16, 18, 18, 47, 18, 19, 18, 22, 20, - 22, 23, 26, 23, 24, 26, 24, 27, 48, 46, - 45, 48, 18, 18, 18, 44, 18, 19, 18, 26, - 20, 35, 26, 50, 27, 50, 50, 43, 50, 29, - 30, 29, 51, 18, 35, 36, 51, 51, 51, 51, - 51, 37, 51, 51, 51, 38, 51, 51, 39, 40, - 41, 17, 17, 17, 17, 17, 17, 17, 17, 21, - 21, 21, 21, 21, 21, 21, 21, 25, 51, 51, - - 51, 
51, 51, 25, 28, 28, 28, 28, 28, 28, - 28, 28, 31, 51, 51, 51, 51, 31, 51, 31, - 32, 32, 33, 33, 51, 33, 51, 33, 51, 33, - 34, 34, 34, 34, 34, 34, 34, 34, 42, 42, - 51, 42, 42, 42, 42, 42, 49, 49, 49, 49, - 49, 51, 49, 49, 7, 51, 51, 51, 51, 51, - 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, - 51, 51, 51, 51, 51, 51, 51 + 8, 8, 14, 8, 8, 8, 8, 8, 15, 16, + 18, 18, 44, 18, 19, 18, 22, 20, 22, 23, + 45, 23, 47, 45, 47, 47, 43, 47, 18, 18, + 18, 42, 18, 19, 18, 41, 20, 34, 40, 28, + 26, 29, 28, 26, 48, 48, 48, 18, 34, 35, + 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, + 36, 37, 38, 17, 17, 17, 17, 17, 17, 17, + 17, 17, 21, 21, 21, 21, 21, 21, 21, 21, + 21, 24, 48, 48, 48, 48, 48, 24, 25, 48, + + 25, 27, 27, 27, 27, 27, 27, 27, 27, 27, + 30, 48, 48, 48, 48, 30, 48, 30, 31, 31, + 48, 48, 48, 31, 32, 32, 32, 32, 48, 32, + 48, 32, 32, 33, 33, 33, 33, 33, 33, 33, + 33, 33, 39, 39, 48, 39, 39, 39, 39, 39, + 39, 46, 46, 46, 46, 46, 48, 46, 46, 46, + 7, 48, 48, 48, 48, 48, 48, 48, 48, 48, + 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, + 48 } ; -static yyconst flex_int16_t yy_chk[178] = +static yyconst flex_int16_t yy_chk[182] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 3, 3, 46, 3, 3, 3, 5, 3, - 6, 5, 9, 6, 5, 9, 6, 9, 47, 45, - 44, 47, 3, 4, 4, 43, 4, 4, 4, 26, - 4, 36, 26, 48, 26, 50, 48, 30, 50, 28, - 14, 12, 7, 4, 24, 24, 0, 0, 0, 0, - 0, 24, 0, 0, 0, 24, 0, 0, 24, 24, - 24, 52, 52, 52, 52, 52, 52, 52, 52, 53, - 53, 53, 53, 53, 53, 53, 53, 54, 0, 0, - - 0, 0, 0, 54, 55, 55, 55, 55, 55, 55, - 55, 55, 56, 0, 0, 0, 0, 56, 0, 56, - 57, 57, 58, 58, 0, 58, 0, 58, 0, 58, - 59, 59, 59, 59, 59, 59, 59, 59, 60, 60, - 0, 60, 60, 60, 60, 60, 61, 61, 61, 61, - 61, 0, 61, 61, 51, 51, 51, 51, 51, 51, - 51, 51, 51, 51, 51, 51, 51, 51, 51, 51, - 51, 51, 51, 51, 51, 51, 51 + 3, 3, 43, 3, 3, 3, 5, 3, 6, 5, + 44, 6, 45, 44, 47, 45, 42, 47, 3, 4, + 4, 41, 4, 4, 4, 40, 4, 35, 29, 27, + 25, 14, 12, 9, 7, 0, 0, 4, 23, 23, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 23, 23, 23, 49, 49, 49, 
49, 49, 49, 49, + 49, 49, 50, 50, 50, 50, 50, 50, 50, 50, + 50, 51, 0, 0, 0, 0, 0, 51, 52, 0, + + 52, 53, 53, 53, 53, 53, 53, 53, 53, 53, + 54, 0, 0, 0, 0, 54, 0, 54, 55, 55, + 0, 0, 0, 55, 56, 56, 56, 56, 0, 56, + 0, 56, 56, 57, 57, 57, 57, 57, 57, 57, + 57, 57, 58, 58, 0, 58, 58, 58, 58, 58, + 58, 59, 59, 59, 59, 59, 0, 59, 59, 59, + 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, + 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, + 48 } ; /* Table of booleans, true if rule could match eol. */ -static yyconst flex_int32_t yy_rule_can_match_eol[27] = +static yyconst flex_int32_t yy_rule_can_match_eol[24] = { 0, -0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, - 0, 0, 0, 1, 0, 0, 0, }; +0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 1, 0, 1, 0, }; -static yyconst flex_int16_t yy_rule_linenum[26] = +static yyconst flex_int16_t yy_rule_linenum[23] = { 0, 59, 60, 61, 63, 64, 65, 67, 72, 77, 85, - 105, 108, 111, 114, 120, 122, 123, 146, 147, 148, - 149, 150, 151, 152, 153 + 105, 108, 111, 114, 120, 122, 141, 142, 143, 144, + 145, 146 } ; /* The intent behind this definition is that it'll catch @@ -640,7 +638,7 @@ static void include_files(parser_helper_t *ctx); /* state used to scan quoted strings */ -#line 644 "settings/settings_lexer.c" +#line 642 "settings/settings_lexer.c" #define INITIAL 0 #define inc 1 @@ -952,7 +950,7 @@ YY_DECL #line 57 "settings/settings_lexer.l" -#line 956 "settings/settings_lexer.c" +#line 954 "settings/settings_lexer.c" yylval = yylval_param; 
@@ -1017,13 +1015,13 @@ yy_match: while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 52 ) + if ( yy_current_state >= 49 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; ++yy_cp; } - while ( yy_base[yy_current_state] != 155 ); + while ( yy_base[yy_current_state] != 161 ); yy_find_action: /* %% [10.0] code to find the action number goes here */ @@ -1058,13 +1056,13 @@ do_action: /* This label is used only to access EOF actions. */ { if ( yy_act == 0 ) fprintf( stderr, "--scanner backing up\n" ); - else if ( yy_act < 26 ) + else if ( yy_act < 23 ) fprintf( stderr, "--accepting rule at line %ld (\"%s\")\n", (long)yy_rule_linenum[yy_act], yytext ); - else if ( yy_act == 26 ) + else if ( yy_act == 23 ) fprintf( stderr, "--accepting default rule (\"%s\")\n", yytext ); - else if ( yy_act == 27 ) + else if ( yy_act == 24 ) fprintf( stderr, "--(end of buffer or a NUL)\n" ); else fprintf( stderr, "--EOF (start condition %d)\n", YY_START ); @@ -1197,21 +1195,13 @@ case 15: case YY_STATE_EOF(str): #line 121 "settings/settings_lexer.l" case 16: -/* rule 16 can match eol */ -#line 123 "settings/settings_lexer.l" -case 17: -/* rule 17 can match eol */ YY_RULE_SETUP -#line 123 "settings/settings_lexer.l" +#line 122 "settings/settings_lexer.l" { if (!streq(yytext, "\"")) { - if (streq(yytext, "\n")) - { /* put the newline back to fix the line numbers */ - unput('\n'); - yy_set_bol(0); - } PARSER_DBG1(yyextra, "unterminated string detected"); + return STRING_ERROR; } if (yy_top_state(yyscanner) == inc) { /* string include */ 
@@ -1227,52 +1217,43 @@ YY_RULE_SETUP } } YY_BREAK -case 18: +case 17: YY_RULE_SETUP -#line 146 "settings/settings_lexer.l" +#line 141 "settings/settings_lexer.l" yyextra->string_add(yyextra, "\n"); YY_BREAK -case 19: +case 18: YY_RULE_SETUP -#line 147 "settings/settings_lexer.l" +#line 142 "settings/settings_lexer.l" yyextra->string_add(yyextra, "\r"); YY_BREAK -case 20: +case 19: YY_RULE_SETUP -#line 148 "settings/settings_lexer.l" +#line 143 "settings/settings_lexer.l" yyextra->string_add(yyextra, "\t"); YY_BREAK -case 21: -YY_RULE_SETUP -#line 149 "settings/settings_lexer.l" -yyextra->string_add(yyextra, "\b"); - YY_BREAK -case 22: -YY_RULE_SETUP -#line 150 "settings/settings_lexer.l" -yyextra->string_add(yyextra, "\f"); - YY_BREAK -case 23: -/* rule 23 can match eol */ +case 20: +/* rule 20 can match eol */ YY_RULE_SETUP -#line 151 "settings/settings_lexer.l" +#line 144 "settings/settings_lexer.l" /* merge lines that end with EOL characters */ YY_BREAK -case 24: +case 21: YY_RULE_SETUP -#line 152 "settings/settings_lexer.l" +#line 145 "settings/settings_lexer.l" yyextra->string_add(yyextra, yytext+1); YY_BREAK -case 25: +case 22: +/* rule 22 can match eol */ YY_RULE_SETUP -#line 153 "settings/settings_lexer.l" +#line 146 "settings/settings_lexer.l" { yyextra->string_add(yyextra, yytext); } YY_BREAK case YY_STATE_EOF(INITIAL): -#line 158 "settings/settings_lexer.l" +#line 151 "settings/settings_lexer.l" { settings_parser_pop_buffer_state(yyscanner); if (!settings_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER) @@ -1281,12 +1262,12 @@ case YY_STATE_EOF(INITIAL): } } YY_BREAK -case 26: +case 23: YY_RULE_SETUP -#line 166 "settings/settings_lexer.l" +#line 159 "settings/settings_lexer.l" YY_FATAL_ERROR( "flex scanner jammed" ); YY_BREAK -#line 1290 "settings/settings_lexer.c" +#line 1271 "settings/settings_lexer.c" case YY_END_OF_BUFFER: { 
@@ -1599,7 +1580,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 52 ) + if ( yy_current_state >= 49 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; @@ -1633,11 +1614,11 @@ static int yy_get_next_buffer (yyscan_t yyscanner) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 52 ) + if ( yy_current_state >= 49 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; - yy_is_jam = (yy_current_state == 51); + yy_is_jam = (yy_current_state == 48); return yy_is_jam ? 0 : yy_current_state; } @@ -2654,7 +2635,7 @@ void settings_parser_free (void * ptr , yyscan_t yyscanner) /* %ok-for-header */ -#line 166 "settings/settings_lexer.l" +#line 159 "settings/settings_lexer.l" @@ -2692,3 +2673,11 @@ static void include_files(parser_helper_t *ctx) settings_parser_open_next_file(ctx); } +/** + * Load the given string to be parsed next + */ +void settings_parser_load_string(parser_helper_t *ctx, const char *content) +{ + settings_parser__scan_string(content, ctx->scanner); +} + diff --git a/src/libstrongswan/settings/settings_lexer.l b/src/libstrongswan/settings/settings_lexer.l index 176387f1f..ce9d4eedc 100644 --- a/src/libstrongswan/settings/settings_lexer.l +++ b/src/libstrongswan/settings/settings_lexer.l @@ -119,16 +119,11 @@ static void include_files(parser_helper_t *ctx); { "\"" | <> | - \n | \\ { if (!streq(yytext, "\"")) { - if (streq(yytext, "\n")) - { /* put the newline back to fix the line numbers */ - unput('\n'); - yy_set_bol(0); - } PARSER_DBG1(yyextra, "unterminated string detected"); + return STRING_ERROR; } if (yy_top_state(yyscanner) == inc) { /* string include */ 
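Review bot: With `\n` removed from the terminator alternatives a string literal now runs across line breaks, so a missing closing quote is only detected at the next `"`, a trailing backslash at end of input, or EOF, and `PARSER_DBG1` then reports that position rather than the line where the quote was opened. A comment above the rule, `/* strings may span lines; an unterminated string is reported where the scan stopped, not where it began */`, would make the diagnostic easier to interpret, and returning `STRING_ERROR` (rather than carrying on as before) is the right call since the parser can now abort instead of accepting a truncated value. The enclosing start condition opens before this hunk.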
@@ -146,11 +141,9 @@ static void include_files(parser_helper_t *ctx); \\n yyextra->string_add(yyextra, "\n"); \\r yyextra->string_add(yyextra, "\r"); \\t yyextra->string_add(yyextra, "\t"); - \\b yyextra->string_add(yyextra, "\b"); - \\f yyextra->string_add(yyextra, "\f"); \\\r?\n /* merge lines that end with EOL characters */ \\. yyextra->string_add(yyextra, yytext+1); - [^\\\n"]+ { + [^\\"]+ { yyextra->string_add(yyextra, yytext); } } @@ -198,3 +191,11 @@ static void include_files(parser_helper_t *ctx) settings_parser_open_next_file(ctx); } + +/** + * Load the given string to be parsed next + */ +void settings_parser_load_string(parser_helper_t *ctx, const char *content) +{ + settings_parser__scan_string(content, ctx->scanner); +} diff --git a/src/libstrongswan/settings/settings_parser.c b/src/libstrongswan/settings/settings_parser.c index be805efc9..6cd3b177a 100644 --- a/src/libstrongswan/settings/settings_parser.c +++ b/src/libstrongswan/settings/settings_parser.c @@ -110,6 +110,7 @@ int settings_parser_get_leng(void *scanner); int settings_parser_get_lineno(void *scanner); /* Custom functions in lexer */ bool settings_parser_open_next_file(parser_helper_t *ctx); +bool settings_parser_load_string(parser_helper_t *ctx, const char *content); /** * Forward declarations @@ -130,7 +131,7 @@ static int yylex(YYSTYPE *lvalp, parser_helper_t *ctx) } -#line 134 "settings/settings_parser.c" /* yacc.c:339 */ +#line 135 "settings/settings_parser.c" /* yacc.c:339 */ # ifndef YY_NULLPTR # if defined __cplusplus && 201103L <= __cplusplus 
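Review bot: With the `\\b` and `\\f` rules removed, those escapes now fall through to the generic `\\.` rule directly below and are silently turned into the letters `b` and `f`, so an existing config containing `"\b"` changes meaning without any warning. If dropping the escapes is intentional, document it in a comment above the remaining rules, `/* only \n, \r and \t are interpreted; any other \x yields x */`, and in the user-facing format description; otherwise keep the two rules.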
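Review bot: `settings_parser.c` declares `bool settings_parser_load_string(parser_helper_t *ctx, const char *content);`, while the definition added to `settings_lexer.l` is `void settings_parser_load_string(...)`; the two translation units now disagree on the return type, which is undefined behaviour if the parser ever reads the result and is not caught by the compiler because each file sees only its own prototype. Align them, preferably by having the lexer return `bool` — `return settings_parser__scan_string(content, ctx->scanner) != NULL;` if the flex API returns a buffer state — and by fixing the declaration in `settings_parser.y`, from which this file is generated, so the two cannot drift again.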
@@ -167,26 +168,28 @@ extern int settings_parser_debug; { NAME = 258, STRING = 259, - NEWLINE = 260 + NEWLINE = 260, + STRING_ERROR = 261 }; #endif /* Tokens. */ #define NAME 258 #define STRING 259 #define NEWLINE 260 +#define STRING_ERROR 261 /* Value type. */ #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED typedef union YYSTYPE YYSTYPE; union YYSTYPE { -#line 76 "settings/settings_parser.y" /* yacc.c:355 */ +#line 77 "settings/settings_parser.y" /* yacc.c:355 */ char *s; struct section_t *sec; struct kv_t *kv; -#line 190 "settings/settings_parser.c" /* yacc.c:355 */ +#line 193 "settings/settings_parser.c" /* yacc.c:355 */ }; # define YYSTYPE_IS_TRIVIAL 1 # define YYSTYPE_IS_DECLARED 1 @@ -200,7 +203,7 @@ int settings_parser_parse (parser_helper_t *ctx); /* Copy the second part of user declarations. */ -#line 204 "settings/settings_parser.c" /* yacc.c:358 */ +#line 207 "settings/settings_parser.c" /* yacc.c:358 */ #ifdef short # undef short @@ -445,7 +448,7 @@ union yyalloc #define YYLAST 13 /* YYNTOKENS -- Number of terminals. */ -#define YYNTOKENS 9 +#define YYNTOKENS 10 /* YYNNTS -- Number of nonterminals. */ #define YYNNTS 8 /* YYNRULES -- Number of rules. */ @@ -456,7 +459,7 @@ union yyalloc /* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned by yylex, with out-of-bounds checking. */ #define YYUNDEFTOK 2 -#define YYMAXUTOK 260 +#define YYMAXUTOK 261 #define YYTRANSLATE(YYX) \ ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK) 
@@ -471,13 +474,13 @@ static const yytype_uint8 yytranslate[] = 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 8, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 9, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 7, 2, 6, 2, 2, 2, 2, + 2, 2, 2, 8, 2, 7, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, @@ -491,15 +494,15 @@ static const yytype_uint8 yytranslate[] = 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 2, 3, 4, - 5 + 5, 6 }; #if YYDEBUG /* YYRLINE[YYN] -- Source line where rule number YYN was defined. */ static const yytype_uint8 yyrline[] = { - 0, 104, 104, 106, 107, 111, 115, 122, 130, 135, - 142, 147, 154, 155, 169, 170 + 0, 105, 105, 107, 108, 112, 116, 123, 131, 136, + 143, 148, 155, 156, 170, 171 }; #endif @@ -508,9 +511,9 @@ static const yytype_uint8 yyrline[] = First, the terminals, then, starting at YYNTOKENS, nonterminals. */ static const char *const yytname[] = { - "$end", "error", "$undefined", "NAME", "STRING", "NEWLINE", "'}'", - "'{'", "'='", "$accept", "statements", "statement", "section", - "section_start", "setting", "value", "valuepart", YY_NULLPTR + "$end", "error", "$undefined", "NAME", "STRING", "NEWLINE", + "STRING_ERROR", "'}'", "'{'", "'='", "$accept", "statements", + "statement", "section", "section_start", "setting", "value", "valuepart", YY_NULLPTR }; #endif 
@@ -519,14 +522,14 @@ static const char *const yytname[] = (internal) symbol number NUM (which must be that of a token). */ static const yytype_uint16 yytoknum[] = { - 0, 256, 257, 258, 259, 260, 125, 123, 61 + 0, 256, 257, 258, 259, 260, 261, 125, 123, 61 }; # endif -#define YYPACT_NINF -5 +#define YYPACT_NINF -11 #define yypact_value_is_default(Yystate) \ - (!!((Yystate) == (-5))) + (!!((Yystate) == (-11))) #define YYTABLE_NINF -1 @@ -537,8 +540,8 @@ static const yytype_uint16 yytoknum[] = STATE-NUM. */ static const yytype_int8 yypact[] = { - -5, 0, -5, -1, -5, -5, -5, -5, -5, 2, - -5, -2, 5, -5, -5, -5, -2, -5, -5, -5 + -11, 0, -11, -1, -11, -11, -11, -11, -11, 2, + -11, -2, 6, -11, -11, -11, -2, -11, -11, -11 }; /* YYDEFACT[STATE-NUM] -- Default reduction number in state STATE-NUM. @@ -553,7 +556,7 @@ static const yytype_uint8 yydefact[] = /* YYPGOTO[NTERM-NUM]. */ static const yytype_int8 yypgoto[] = { - -5, 6, -5, -5, -5, -5, -5, -4 + -11, 5, -11, -11, -11, -11, -11, -10 }; /* YYDEFGOTO[NTERM-NUM]. */ 
@@ -567,29 +570,29 @@ static const yytype_int8 yydefgoto[] = number is the opposite. If YYTABLE_NINF, syntax error. */ static const yytype_uint8 yytable[] = { - 2, 14, 15, 3, 9, 4, 10, 11, 3, 13, - 4, 18, 19, 12 + 2, 14, 15, 3, 9, 4, 19, 10, 11, 3, + 13, 4, 12, 18 }; static const yytype_uint8 yycheck[] = { - 0, 3, 4, 3, 5, 5, 7, 8, 3, 7, - 5, 6, 16, 7 + 0, 3, 4, 3, 5, 5, 16, 8, 9, 3, + 8, 5, 7, 7 }; /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing symbol of state STATE-NUM. */ static const yytype_uint8 yystos[] = { - 0, 10, 0, 3, 5, 11, 12, 13, 14, 5, - 7, 8, 10, 7, 3, 4, 15, 16, 6, 16 + 0, 11, 0, 3, 5, 12, 13, 14, 15, 5, + 8, 9, 11, 8, 3, 4, 16, 17, 7, 17 }; /* YYR1[YYN] -- Symbol number of symbol that rule YYN derives. */ static const yytype_uint8 yyr1[] = { - 0, 9, 10, 10, 10, 11, 11, 12, 13, 13, - 14, 14, 15, 15, 16, 16 + 0, 10, 11, 11, 11, 12, 12, 13, 14, 14, + 15, 15, 16, 16, 17, 17 }; /* YYR2[YYN] -- Number of symbols on the right hand side of rule YYN. */ 
@@ -1022,45 +1025,45 @@ yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep, parser_helper_t *c switch (yytype) { case 3: /* NAME */ -#line 90 "settings/settings_parser.y" /* yacc.c:1257 */ +#line 91 "settings/settings_parser.y" /* yacc.c:1257 */ { free(((*yyvaluep).s)); } -#line 1028 "settings/settings_parser.c" /* yacc.c:1257 */ +#line 1031 "settings/settings_parser.c" /* yacc.c:1257 */ break; case 4: /* STRING */ -#line 90 "settings/settings_parser.y" /* yacc.c:1257 */ +#line 91 "settings/settings_parser.y" /* yacc.c:1257 */ { free(((*yyvaluep).s)); } -#line 1034 "settings/settings_parser.c" /* yacc.c:1257 */ +#line 1037 "settings/settings_parser.c" /* yacc.c:1257 */ break; - case 12: /* section */ -#line 92 "settings/settings_parser.y" /* yacc.c:1257 */ + case 13: /* section */ +#line 93 "settings/settings_parser.y" /* yacc.c:1257 */ { pop_section(ctx); settings_section_destroy(((*yyvaluep).sec), NULL); } -#line 1040 "settings/settings_parser.c" /* yacc.c:1257 */ +#line 1043 "settings/settings_parser.c" /* yacc.c:1257 */ break; - case 13: /* section_start */ -#line 92 "settings/settings_parser.y" /* yacc.c:1257 */ + case 14: /* section_start */ +#line 93 "settings/settings_parser.y" /* yacc.c:1257 */ { pop_section(ctx); settings_section_destroy(((*yyvaluep).sec), NULL); } -#line 1046 "settings/settings_parser.c" /* yacc.c:1257 */ +#line 1049 "settings/settings_parser.c" /* yacc.c:1257 */ break; - case 14: /* setting */ -#line 93 "settings/settings_parser.y" /* yacc.c:1257 */ + case 15: /* setting */ +#line 94 "settings/settings_parser.y" /* yacc.c:1257 */ { settings_kv_destroy(((*yyvaluep).kv), NULL); } -#line 1052 "settings/settings_parser.c" /* yacc.c:1257 */ +#line 1055 "settings/settings_parser.c" /* yacc.c:1257 */ break; - case 15: /* value */ -#line 90 "settings/settings_parser.y" /* yacc.c:1257 */ + case 16: /* value */ +#line 91 "settings/settings_parser.y" /* yacc.c:1257 */ { free(((*yyvaluep).s)); } -#line 1058 "settings/settings_parser.c" /* 
yacc.c:1257 */ +#line 1061 "settings/settings_parser.c" /* yacc.c:1257 */ break; - case 16: /* valuepart */ -#line 90 "settings/settings_parser.y" /* yacc.c:1257 */ + case 17: /* valuepart */ +#line 91 "settings/settings_parser.y" /* yacc.c:1257 */ { free(((*yyvaluep).s)); } -#line 1064 "settings/settings_parser.c" /* yacc.c:1257 */ +#line 1067 "settings/settings_parser.c" /* yacc.c:1257 */ break; 
@@ -1326,64 +1329,64 @@ yyreduce: switch (yyn) { case 5: -#line 112 "settings/settings_parser.y" /* yacc.c:1646 */ +#line 113 "settings/settings_parser.y" /* yacc.c:1646 */ { add_section(ctx, (yyvsp[0].sec)); } -#line 1334 "settings/settings_parser.c" /* yacc.c:1646 */ +#line 1337 "settings/settings_parser.c" /* yacc.c:1646 */ break; case 6: -#line 116 "settings/settings_parser.y" /* yacc.c:1646 */ +#line 117 "settings/settings_parser.y" /* yacc.c:1646 */ { add_setting(ctx, (yyvsp[0].kv)); } -#line 1342 "settings/settings_parser.c" /* yacc.c:1646 */ +#line 1345 "settings/settings_parser.c" /* yacc.c:1646 */ break; case 7: -#line 123 "settings/settings_parser.y" /* yacc.c:1646 */ +#line 124 "settings/settings_parser.y" /* yacc.c:1646 */ { pop_section(ctx); (yyval.sec) = (yyvsp[-2].sec); } -#line 1351 "settings/settings_parser.c" /* yacc.c:1646 */ +#line 1354 "settings/settings_parser.c" /* yacc.c:1646 */ break; case 8: -#line 131 "settings/settings_parser.y" /* yacc.c:1646 */ +#line 132 "settings/settings_parser.y" /* yacc.c:1646 */ { (yyval.sec) = push_section(ctx, (yyvsp[-1].s)); } -#line 1359 "settings/settings_parser.c" /* yacc.c:1646 */ +#line 1362 "settings/settings_parser.c" /* yacc.c:1646 */ break; case 9: -#line 136 "settings/settings_parser.y" /* yacc.c:1646 */ +#line 137 "settings/settings_parser.y" /* yacc.c:1646 */ { (yyval.sec) = push_section(ctx, (yyvsp[-2].s)); } -#line 1367 "settings/settings_parser.c" /* yacc.c:1646 */ +#line 1370 "settings/settings_parser.c" /* yacc.c:1646 */ break; case 10: -#line 143 "settings/settings_parser.y" /* yacc.c:1646 */ +#line 144 "settings/settings_parser.y" /* yacc.c:1646 */ { (yyval.kv) = settings_kv_create((yyvsp[-2].s), (yyvsp[0].s)); } -#line 1375 "settings/settings_parser.c" /* yacc.c:1646 */ +#line 1378 "settings/settings_parser.c" /* yacc.c:1646 */ break; case 11: -#line 148 "settings/settings_parser.y" /* yacc.c:1646 */ +#line 149 "settings/settings_parser.y" /* yacc.c:1646 */ { (yyval.kv) = 
settings_kv_create((yyvsp[-1].s), NULL); } -#line 1383 "settings/settings_parser.c" /* yacc.c:1646 */ +#line 1386 "settings/settings_parser.c" /* yacc.c:1646 */ break; case 13: -#line 156 "settings/settings_parser.y" /* yacc.c:1646 */ +#line 157 "settings/settings_parser.y" /* yacc.c:1646 */ { /* just put a single space between them, use strings for more */ if (asprintf(&(yyval.s), "%s %s", (yyvsp[-1].s), (yyvsp[0].s)) < 0) { @@ -1394,11 +1397,11 @@ yyreduce: free((yyvsp[-1].s)); free((yyvsp[0].s)); } -#line 1398 "settings/settings_parser.c" /* yacc.c:1646 */ +#line 1401 "settings/settings_parser.c" /* yacc.c:1646 */ break; -#line 1402 "settings/settings_parser.c" /* yacc.c:1646 */ +#line 1405 "settings/settings_parser.c" /* yacc.c:1646 */ default: break; } /* User semantic actions sometimes alter yychar, and that requires @@ -1626,7 +1629,7 @@ yyreturn: #endif return yyresult; } -#line 173 "settings/settings_parser.y" /* yacc.c:1906 */ +#line 174 "settings/settings_parser.y" /* yacc.c:1906 */ /** 
@@ -1743,3 +1746,39 @@ bool settings_parser_parse_file(section_t *root, char *name) helper->destroy(helper); return success; } + +/** + * Parse the given string and add all sections and key/value pairs to the + * given section. + */ +bool settings_parser_parse_string(section_t *root, char *settings) +{ + parser_helper_t *helper; + array_t *sections = NULL; + bool success = FALSE; + + array_insert_create(§ions, ARRAY_TAIL, root); + helper = parser_helper_create(sections); + helper->get_lineno = settings_parser_get_lineno; + if (settings_parser_lex_init_extra(helper, &helper->scanner) != 0) + { + helper->destroy(helper); + array_destroy(sections); + return FALSE; + } + settings_parser_load_string(helper, settings); + if (getenv("DEBUG_SETTINGS_PARSER")) + { + yydebug = 1; + settings_parser_set_debug(1, helper->scanner); + } + success = yyparse(helper) == 0; + if (!success) + { + DBG1(DBG_CFG, "failed to parse settings '%s'", settings); + } + array_destroy(sections); + settings_parser_lex_destroy(helper->scanner); + helper->destroy(helper); + return success; +} diff --git a/src/libstrongswan/settings/settings_parser.h b/src/libstrongswan/settings/settings_parser.h index 9d56465ef..d887777a2 100644 --- a/src/libstrongswan/settings/settings_parser.h +++ b/src/libstrongswan/settings/settings_parser.h 
@@ -47,26 +47,28 @@ extern int settings_parser_debug; { NAME = 258, STRING = 259, - NEWLINE = 260 + NEWLINE = 260, + STRING_ERROR = 261 }; #endif /* Tokens. */ #define NAME 258 #define STRING 259 #define NEWLINE 260 +#define STRING_ERROR 261 /* Value type. */ #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED typedef union YYSTYPE YYSTYPE; union YYSTYPE { -#line 76 "settings/settings_parser.y" /* yacc.c:1909 */ +#line 77 "settings/settings_parser.y" /* yacc.c:1909 */ char *s; struct section_t *sec; struct kv_t *kv; -#line 70 "settings/settings_parser.h" /* yacc.c:1909 */ +#line 72 "settings/settings_parser.h" /* yacc.c:1909 */ }; # define YYSTYPE_IS_TRIVIAL 1 # define YYSTYPE_IS_DECLARED 1 diff --git a/src/libstrongswan/settings/settings_parser.y b/src/libstrongswan/settings/settings_parser.y index d95a24b2a..96ab36faf 100644 --- a/src/libstrongswan/settings/settings_parser.y +++ b/src/libstrongswan/settings/settings_parser.y @@ -39,6 +39,7 @@ int settings_parser_get_leng(void *scanner); int settings_parser_get_lineno(void *scanner); /* Custom functions in lexer */ bool settings_parser_open_next_file(parser_helper_t *ctx); +bool settings_parser_load_string(parser_helper_t *ctx, const char *content); /** * Forward declarations @@ -79,7 +80,7 @@ static int yylex(YYSTYPE *lvalp, parser_helper_t *ctx) struct kv_t *kv; } %token NAME STRING -%token NEWLINE +%token NEWLINE STRING_ERROR /* ...and other symbols */ %type value valuepart 
@@ -286,3 +287,39 @@ bool settings_parser_parse_file(section_t *root, char *name) helper->destroy(helper); return success; } + +/** + * Parse the given string and add all sections and key/value pairs to the + * given section. + */ +bool settings_parser_parse_string(section_t *root, char *settings) +{ + parser_helper_t *helper; + array_t *sections = NULL; + bool success = FALSE; + + array_insert_create(§ions, ARRAY_TAIL, root); + helper = parser_helper_create(sections); + helper->get_lineno = settings_parser_get_lineno; + if (settings_parser_lex_init_extra(helper, &helper->scanner) != 0) + { + helper->destroy(helper); + array_destroy(sections); + return FALSE; + } + settings_parser_load_string(helper, settings); + if (getenv("DEBUG_SETTINGS_PARSER")) + { + yydebug = 1; + settings_parser_set_debug(1, helper->scanner); + } + success = yyparse(helper) == 0; + if (!success) + { + DBG1(DBG_CFG, "failed to parse settings '%s'", settings); + } + array_destroy(sections); + settings_parser_lex_destroy(helper->scanner); + helper->destroy(helper); + return success; +} diff --git a/src/libstrongswan/tests/suites/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c index 312a187ac..6272ca795 100644 --- a/src/libstrongswan/tests/suites/test_chunk.c +++ b/src/libstrongswan/tests/suites/test_chunk.c @@ -1020,7 +1020,7 @@ START_TEST(test_printf_hook) int len; /* %B should be the same as %b, which is what we check, comparing the - * acutal result could be tricky as %b prints the chunk's memory address */ + * actual result could be tricky as %b prints the chunk's memory address */ len = snprintf(buf, sizeof(buf), "%B", &printf_hook_data[_i].in); ck_assert(len >= 0 && len < sizeof(buf)); len = snprintf(mem, sizeof(mem), "%b", printf_hook_data[_i].in.ptr, diff --git a/src/libstrongswan/tests/suites/test_host.c b/src/libstrongswan/tests/suites/test_host.c index 7161b2c5b..5cb8013ff 100644 --- a/src/libstrongswan/tests/suites/test_host.c 
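Review bot: In `settings_parser_parse_string`, the failure path `DBG1(DBG_CFG, "failed to parse settings '%s'", settings);` writes the entire unparsed string to the log at level 1; strings fed through `load_string` can carry the same credentials and secrets a settings file does (the test suite passes whole config fragments this way), so a single parse error would copy them into syslog or the daemon log. Reporting the position is enough for diagnosis, e.g. `DBG1(DBG_CFG, "failed to parse settings string at line %d", settings_parser_get_lineno(helper->scanner));`, which is still valid at that point because the scanner is destroyed only afterwards. The same function is emitted verbatim in the generated settings_parser.c hunk at `@@ -1743,3 +1746,39 @@` and should follow. Separately, `settings` is handed straight to `settings_parser_load_string` without a NULL check while the tests expect NULL and "" to succeed through `load_string_section`, so presumably the caller filters them first; the header comment should state that `settings` must be non-NULL, or the function should return TRUE early for NULL itself.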
+++ b/src/libstrongswan/tests/suites/test_host.c
@@ -104,6 +104,9 @@ START_TEST(test_create_from_string_v4)
 {
 host_t *host;

+ host = host_create_from_string(NULL, 500);
+ ck_assert(!host);
+
 host = host_create_from_string("%any", 500);
 verify_any(host, AF_INET, 500);
 host->destroy(host);
@@ -196,6 +199,7 @@ static void test_create_from_string_and_family_addr(char *string, chunk_t addr,

 START_TEST(test_create_from_string_and_family_v4)
 {
+ test_create_from_string_and_family_any(NULL, AF_INET, AF_UNSPEC);
 test_create_from_string_and_family_any("%any", AF_INET, AF_INET);
 test_create_from_string_and_family_any("%any4", AF_INET, AF_INET);
 test_create_from_string_and_family_any("0.0.0.0", AF_INET, AF_INET);
@@ -210,6 +214,7 @@ END_TEST

 START_TEST(test_create_from_string_and_family_v6)
 {
+ test_create_from_string_and_family_any(NULL, AF_INET6, AF_UNSPEC);
 test_create_from_string_and_family_any("%any", AF_INET6, AF_INET6);
 test_create_from_string_and_family_any("%any6", AF_INET6, AF_INET6);
 test_create_from_string_and_family_any("::", AF_INET6, AF_INET6);
@@ -224,6 +229,7 @@ END_TEST

 START_TEST(test_create_from_string_and_family_other)
 {
+ test_create_from_string_and_family_any(NULL, AF_UNSPEC, AF_UNSPEC);
 test_create_from_string_and_family_any("%any", AF_UNSPEC, AF_INET);
 test_create_from_string_and_family_any("%any4", AF_UNSPEC, AF_INET);
 test_create_from_string_and_family_any("0.0.0.0", AF_UNSPEC, AF_INET);
diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
index de00e4afd..ff14ba897 100644
--- a/src/libstrongswan/tests/suites/test_identification.c
+++ b/src/libstrongswan/tests/suites/test_identification.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2015 Tobias Brunner
 * Copyright (C) 2009 Martin Willi
 * Hochschule fuer Technik Rapperswil
 *
@@ -726,6 +726,88 @@ START_TEST(test_matches_empty_reverse) } END_TEST +/******************************************************************************* + * identification hashing + */ + +static bool id_hash_equals(char *str, char *b_str) +{ + identification_t *a, *b; + bool success = FALSE; + + a = identification_create_from_string(str); + b = identification_create_from_string(b_str ?: str); + success = a->hash(a, 0) == b->hash(b, 0); + a->destroy(a); + b->destroy(b); + return success; +} + +START_TEST(test_hash) +{ + ck_assert(id_hash_equals("moon@strongswan.org", NULL)); + ck_assert(id_hash_equals("vpn.strongswan.org", NULL)); + ck_assert(id_hash_equals("192.168.1.1", NULL)); + ck_assert(id_hash_equals("C=CH", NULL)); + + ck_assert(!id_hash_equals("moon@strongswan.org", "sun@strongswan.org")); + ck_assert(!id_hash_equals("vpn.strongswan.org", "*.strongswan.org")); + ck_assert(!id_hash_equals("192.168.1.1", "192.168.1.2")); + ck_assert(!id_hash_equals("C=CH", "C=DE")); + ck_assert(!id_hash_equals("fqdn:strongswan.org", "keyid:strongswan.org")); +} +END_TEST + +START_TEST(test_hash_any) +{ + ck_assert(id_hash_equals("%any", NULL)); + ck_assert(id_hash_equals("%any", "0.0.0.0")); + ck_assert(id_hash_equals("%any", "*")); + ck_assert(id_hash_equals("%any", "")); + + ck_assert(!id_hash_equals("%any", "any")); +} +END_TEST + +START_TEST(test_hash_dn) +{ + identification_t *a, *b; + + /* same DN (C=CH, O=strongSwan), different RDN type (PRINTABLESTRING vs. 
+ * UTF8STRING) */ + a = identification_create_from_data(chunk_from_chars( + 0x30, 0x22, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x13, 0x0a, 0x73, 0x74, 0x72, 0x6f, 0x6e, 0x67, + 0x53, 0x77, 0x61, 0x6e)); + b = identification_create_from_data(chunk_from_chars( + 0x30, 0x22, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x0c, 0x02, 0x43, 0x48, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x0c, 0x0a, 0x73, 0x74, 0x72, 0x6f, 0x6e, 0x67, + 0x53, 0x77, 0x61, 0x6e)); + ck_assert_int_eq(a->hash(a, 0), b->hash(b, 0)); + ck_assert(a->equals(a, b)); + a->destroy(a); + b->destroy(b); +} +END_TEST + +START_TEST(test_hash_inc) +{ + identification_t *a; + + a = identification_create_from_string("vpn.strongswan.org"); + ck_assert(a->hash(a, 0) != a->hash(a, 1)); + a->destroy(a); + + a = identification_create_from_string("C=CH, O=strongSwan"); + ck_assert(a->hash(a, 0) != a->hash(a, 1)); + a->destroy(a); +} +END_TEST + /******************************************************************************* * identification part enumeration */ @@ -851,6 +933,13 @@ Suite *identification_suite_create() tcase_add_loop_test(tc, test_matches_empty_reverse, ID_ANY, ID_KEY_ID + 1); suite_add_tcase(s, tc); + tc = tcase_create("hash"); + tcase_add_test(tc, test_hash); + tcase_add_test(tc, test_hash_any); + tcase_add_test(tc, test_hash_dn); + tcase_add_test(tc, test_hash_inc); + suite_add_tcase(s, tc); + tc = tcase_create("part enumeration"); tcase_add_test(tc, test_parts); suite_add_tcase(s, tc); diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c index 9601a34a9..bead9d795 100644 --- a/src/libstrongswan/tests/suites/test_settings.c +++ b/src/libstrongswan/tests/suites/test_settings.c 
@@ -58,6 +58,10 @@ START_SETUP(setup_base_config) " }\n" " key2 = with space\n" " key3 = \"string with\\nnewline\"\n" + " key4 = \"multi line\n" + "string\"\n" + " key5 = \"escaped \\\n" + "newline\"\n" "}\n" "out = side\n" "other {\n" @@ -88,6 +92,8 @@ START_TEST(test_get_str) verify_string("", "main.empty"); verify_string("with space", "main.key2"); verify_string("string with\nnewline", "main.key3"); + verify_string("multi line\nstring", "main.key4"); + verify_string("escaped newline", "main.key5"); verify_string("value", "main.sub1.key"); verify_string("value2", "main.sub1.key2"); verify_string("bar", "main.sub1.subsub.foo"); @@ -97,7 +103,7 @@ START_TEST(test_get_str) verify_string("other val", "other.key1"); verify_null("main.none"); - verify_null("main.key4"); + verify_null("main.key6"); verify_null("other.sub"); } END_TEST @@ -131,7 +137,7 @@ START_TEST(test_get_str_printf) * probably document it at least */ verify_null("main.%s%u.key%d", "sub", 1, 2); - verify_null("%s.%s%d", "main", "key", 4); + verify_null("%s.%s%d", "main", "key", 6); } END_TEST @@ -529,9 +535,7 @@ END_TEST # define include2 "/tmp/strongswan-settings-test-include2" #endif -START_SETUP(setup_include_config) -{ - chunk_t inc1 = chunk_from_str( +static char *include_content1 = "main {\n" " key1 = n1\n" " key2 = n2\n" @@ -544,14 +548,17 @@ START_SETUP(setup_include_config) " sub3 = val3\n" " }\n" " include " include2 "\n" - "}"); - chunk_t inc2 = chunk_from_str( + "}"; +static char *include_content2 = "key2 = v2\n" "sub1 {\n" " key = val\n" - "}"); - ck_assert(chunk_write(inc1, include1, 0022, TRUE)); - ck_assert(chunk_write(inc2, include2, 0022, TRUE)); + "}"; + +START_SETUP(setup_include_config) +{ + ck_assert(chunk_write(chunk_from_str(include_content1), include1, 0022, TRUE)); + ck_assert(chunk_write(chunk_from_str(include_content2), include2, 0022, TRUE)); } END_SETUP 
@@ -600,6 +607,27 @@ START_TEST(test_include) } END_TEST +START_TEST(test_include_string) +{ + chunk_t contents = chunk_from_str( + "main {\n" + " key1 = val1\n" + " key2 = val2\n" + " none = x\n" + " sub1 {\n" + " include this/does/not/exist.conf\n" + " include = value\n" + " key2 = value2\n" + " include \"" include2 "\"\n" + " }\n" + "}\n" + "include \"" include1 "\""); + + create_settings(contents); + verify_include(); +} +END_TEST + START_TEST(test_load_files) { chunk_t contents = chunk_from_str( 
@@ -784,6 +812,104 @@ START_TEST(test_order_section) } END_TEST + +START_TEST(test_load_string) +{ + char *content = + "main {\n" + " key1 = val1\n" + " key2 = val2\n" + " key3 = val3\n" + " none = x\n" + " sub1 {\n" + " include = value\n" + " key2 = v2\n" + " sub1 {\n" + " key = val\n" + " }\n" + " }\n" + "}"; + char *val1, *val2, *val3; + + settings = settings_create_string(content); + + val1 = settings->get_str(settings, "main.key1", NULL); + val2 = settings->get_str(settings, "main.sub1.key2", NULL); + /* loading the same content twice should not change anything, with... */ + ck_assert(settings->load_string(settings, content, TRUE)); + ck_assert(val1 == settings->get_str(settings, "main.key1", NULL)); + ck_assert(val2 == settings->get_str(settings, "main.sub1.key2", NULL)); + /* ...or without merging */ + ck_assert(settings->load_string(settings, content, FALSE)); + ck_assert(val1 == settings->get_str(settings, "main.key1", NULL)); + ck_assert(val2 == settings->get_str(settings, "main.sub1.key2", NULL)); + + val1 = settings->get_str(settings, "main.key2", NULL); + val2 = settings->get_str(settings, "main.key3", NULL); + val3 = settings->get_str(settings, "main.none", NULL); + /* only pointers for modified settings should change, but still be valid */ + ck_assert(settings->load_string(settings, include_content1, FALSE)); + ck_assert(val1 != settings->get_str(settings, "main.key2", NULL)); + ck_assert_str_eq(val1, "val2"); + ck_assert(val2 == settings->get_str(settings, "main.key3", NULL)); + ck_assert(val3 != settings->get_str(settings, "main.none", NULL)); + ck_assert_str_eq(val3, "x"); + + settings->destroy(settings); + settings = settings_create_string(content); + ck_assert(settings); + + ck_assert(settings->load_string(settings, include_content1, TRUE)); + verify_include(); + + ck_assert(settings->load_string(settings, include_content2, FALSE)); + verify_null("main.key1"); + verify_string("v2", "key2"); + verify_string("val", "sub1.key"); + 
verify_null("main.sub1.key3"); +} +END_TEST + + +START_TEST(test_load_string_section) +{ + char *content = + "main {\n" + " key1 = val1\n" + " key2 = val2\n" + " none = x\n" + " sub1 {\n" + " include = value\n" + " key2 = value2\n" + " }\n" + "}"; + + settings = settings_create_string(content); + + ck_assert(settings->load_string_section(settings, include_content1, TRUE, "")); + ck_assert(settings->load_string_section(settings, include_content2, TRUE, "main.sub1")); + verify_include(); + + /* invalid strings are a failure */ + ck_assert(!settings->load_string_section(settings, "conf {", TRUE, "")); + /* NULL or empty strings are OK though */ + ck_assert(settings->load_string_section(settings, "", TRUE, "")); + ck_assert(settings->load_string_section(settings, NULL, TRUE, "")); + verify_include(); + + ck_assert(settings->load_string_section(settings, include_content2, FALSE, "main")); + verify_null("main.key1"); + verify_string("v2", "main.key2"); + verify_string("val", "main.sub1.key"); + verify_null("main.sub1.key3"); + verify_null("main.sub2.sub3"); + + ck_assert(settings->load_string_section(settings, include_content2, TRUE, "main.sub2")); + verify_string("v2", "main.sub2.key2"); + verify_string("val", "main.sub2.sub1.key"); +} +END_TEST + START_SETUP(setup_fallback_config) { create_settings(chunk_from_str( @@ -904,11 +1030,10 @@ END_TEST START_SETUP(setup_string_config) { create_settings(chunk_from_str( - "string = \" with accurate\twhitespace\"\n" + "string = \" with accurate\twhite\\tspace\"\n" "special = \"all { special } characters # can be used.\"\n" - "unterminated = \"is fine\n" - "but = produces a warning\n" - "newlines = \"can either be encoded\\nor \\\n" + "newlines = \"can be encoded explicitly\\nor implicitly\n" + "or \\\n" "escaped\"\n" "quotes = \"\\\"and\\\" slashes \\\\ can \\\\ be\" # escaped too\n" "multiple = \"strings\" are \"combined\"\n" 
@@ -918,11 +1043,9 @@ END_SETUP START_TEST(test_strings) { - verify_string(" with accurate\twhitespace", "string"); + verify_string(" with accurate\twhite\tspace", "string"); verify_string("all { special } characters # can be used.", "special"); - verify_string("is fine", "unterminated"); - verify_string("produces a warning", "but"); - verify_string("can either be encoded\nor escaped", "newlines"); + verify_string("can be encoded explicitly\nor implicitly\nor escaped", "newlines"); verify_string("\"and\" slashes \\ can \\ be", "quotes"); verify_string("strings are combined", "multiple"); } @@ -989,6 +1112,12 @@ START_TEST(test_invalid) ck_assert(chunk_write(contents, path, 0022, TRUE)); ck_assert(!settings->load_files(settings, path, FALSE)); + contents = chunk_from_str( + "unterminated {\n" + " strings = \"are invalid\n"); + ck_assert(chunk_write(contents, path, 0022, TRUE)); + ck_assert(!settings->load_files(settings, path, FALSE)); + contents = chunk_from_str( "spaces in name {}"); ck_assert(chunk_write(contents, path, 0022, TRUE)); @@ -1054,12 +1183,19 @@ Suite *settings_suite_create() tc = tcase_create("include/load_files[_section]"); tcase_add_checked_fixture(tc, setup_include_config, teardown_include_config); tcase_add_test(tc, test_include); + tcase_add_test(tc, test_include_string); tcase_add_test(tc, test_load_files); tcase_add_test(tc, test_load_files_section); tcase_add_test(tc, test_order_kv); tcase_add_test(tc, test_order_section); suite_add_tcase(s, tc); + tc = tcase_create("load_string[_section]"); + tcase_add_checked_fixture(tc, setup_include_config, teardown_config); + tcase_add_test(tc, test_load_string); + tcase_add_test(tc, test_load_string_section); + suite_add_tcase(s, tc); + tc = tcase_create("fallback"); tcase_add_checked_fixture(tc, setup_fallback_config, teardown_config); tcase_add_test(tc, test_add_fallback); 
diff --git a/src/libstrongswan/tests/suites/test_traffic_selector.c b/src/libstrongswan/tests/suites/test_traffic_selector.c index 4312c6ce1..bec32d2d8 100644 --- a/src/libstrongswan/tests/suites/test_traffic_selector.c +++ b/src/libstrongswan/tests/suites/test_traffic_selector.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2015 Martin Willi * Copyright (C) 2015 revosec AG * @@ -22,10 +25,9 @@ static void verify(const char *str, const char *alt, traffic_selector_t *ts) { char buf[512]; - ck_assert(ts != NULL); snprintf(buf, sizeof(buf), "%R", ts); - ts->destroy(ts); - if (!streq(buf, str) && !streq(buf, alt)) + DESTROY_IF(ts); + if (!streq(buf, str) && (!alt || !streq(buf, alt))) { fail("%s != %s or %s", buf, str, alt); } @@ -43,6 +45,16 @@ START_TEST(test_create_from_string) verify("fec1::/64", NULL, traffic_selector_create_from_string(0, TS_IPV6_ADDR_RANGE, "fec1::", 0, "fec1::ffff:ffff:ffff:ffff", 65535)); + verify("fec1::1..fec1::ffff:ffff:ffff:ffff", NULL, + traffic_selector_create_from_string(0, TS_IPV6_ADDR_RANGE, + "fec1::1", 0, "fec1::ffff:ffff:ffff:ffff", 65535)); + + ck_assert(!traffic_selector_create_from_string(IPPROTO_TCP, 0, + "10.1.0.0", 80, "10.1.255.255", 80)); + ck_assert(!traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, + "a.b.c.d", 80, "10.1.255.255", 80)); + ck_assert(!traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE, + "10.1.0.0", 80, "a.b.c.d", 80)); } END_TEST @@ -53,6 +65,10 @@ START_TEST(test_create_from_cidr) verify("10.1.0.1/32[udp/1234-1235]", "10.1.0.1/32[17/1234-1235]", traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP, 1234, 1235)); + verify("10.1.0.0/16[OPAQUE]", NULL, + traffic_selector_create_from_cidr("10.1.0.0/16", 0, 65535, 0)); + + ck_assert(!traffic_selector_create_from_cidr("a.b.c.d/16", 0, 0, 65535)); } END_TEST 
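Review bot: `verify()` in the `@@ -22,10 +25,9 @@` hunk drops `ck_assert(ts != NULL)` and switches to `DESTROY_IF(ts)`, so a constructor that returns NULL now reaches `snprintf(buf, sizeof(buf), "%R", ts)` with a NULL pointer. Whether that is safe depends on the `%R` printf hook tolerating NULL, which this page does not show: if it does, a regression shows up as a readable "(null) != expected" failure; if it does not, it takes down the whole suite with a crash instead of one failing assertion. The reason for the looser check deserves a comment on the function, e.g. `/* ts may be NULL: the %R hook prints it and the mismatch is reported by fail() */`. None of the new verify() calls in this file expect NULL; the negative cases all use `ck_assert(!...)` directly, so restoring the assert would cost nothing.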
@@ -62,6 +78,16 @@ START_TEST(test_create_from_bytes)
 traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE,
 chunk_from_chars(0x0a,0x01,0x00,0x00), 0,
 chunk_from_chars(0x0a,0x01,0xff,0xff), 65535));
+
+ ck_assert(!traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE,
+ chunk_empty, 0,
+ chunk_empty, 65535));
+ ck_assert(!traffic_selector_create_from_bytes(0, TS_IPV6_ADDR_RANGE,
+ chunk_from_chars(0x0a,0x01,0x00,0x00), 0,
+ chunk_from_chars(0x0a,0x01,0xff,0xff), 65535));
+ ck_assert(!traffic_selector_create_from_bytes(0, 0,
+ chunk_from_chars(0x0a,0x01,0x00,0x00), 0,
+ chunk_from_chars(0x0a,0x01,0xff,0xff), 65535));
 }
 END_TEST

@@ -73,6 +99,175 @@ START_TEST(test_create_from_subnet) } END_TEST +struct { + char *net; + ts_type_t type; + chunk_t enc; +} rfc3779_prefix_tests[] = { + /* some examples from RFC 3779, for addressPrefix elements we pass the same + * value twice to the constructor */ + { "10.0.0.0/8", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x00,0x0a), }, + { "10.0.32.0/20", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x04,0x0a,0x00,0x20), }, + { "10.0.64.0/24", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x00,0x0a,0x00,0x40), }, + { "10.1.0.0/16", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x00,0x0a,0x01), }, + { "10.5.0.1/32", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x00,0x0a,0x05,0x00,0x01), }, + { "10.5.0.0/23", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x01,0x0a,0x05,0x00), }, + { "10.64.0.0/12", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x04,0x0a,0x40), }, + { "10.64.0.0/20", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x04,0x0a,0x40,0x00), }, + { "128.0.0.0/4", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x04,0x80), }, + { "172.16.0.0/12", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x04,0xac,0x10), }, + { "0.0.0.0/0", TS_IPV4_ADDR_RANGE, chunk_from_chars(0x00), }, + /* FIXME: not a correct encoding, so we might want to fail here */ + { "0.0.0.0/0", TS_IPV4_ADDR_RANGE, {NULL, 0}, }, + { "2001:0:2::/48", TS_IPV6_ADDR_RANGE, chunk_from_chars(0x00,0x20,0x01,0x00,0x00,0x00,0x02),}, + { "2001:0:200::/39",TS_IPV6_ADDR_RANGE, chunk_from_chars(0x01,0x20,0x01,0x00,0x00,0x02),}, + { "::/0", TS_IPV6_ADDR_RANGE, chunk_from_chars(0x00), }, + /* FIXME: not a correct encoding, so we might want to fail here */ + { "::/0", TS_IPV6_ADDR_RANGE, {NULL, 0}, }, +}; + +START_TEST(test_create_from_rfc3779_format_prefix) +{ + verify(rfc3779_prefix_tests[_i].net, NULL, + traffic_selector_create_from_rfc3779_format(rfc3779_prefix_tests[_i].type, + rfc3779_prefix_tests[_i].enc, rfc3779_prefix_tests[_i].enc)); +} +END_TEST + +START_TEST(test_create_from_rfc3779_format_range) +{ + /* addressRange elements encode a from and to address, which may still + * 
represent prefixes */ + verify("10.5.0.0/23", NULL, + traffic_selector_create_from_rfc3779_format(TS_IPV4_ADDR_RANGE, + chunk_from_chars(0x00,0x0a,0x05), + chunk_from_chars(0x01,0x0a,0x05,0x00))); + verify("2001:0:200::/39", NULL, + traffic_selector_create_from_rfc3779_format(TS_IPV6_ADDR_RANGE, + chunk_from_chars(0x01,0x20,0x01,0x00,0x00,0x02), + chunk_from_chars(0x02,0x20,0x01,0x00,0x00,0x00))); + verify("10.2.48.0..10.2.64.255", NULL, + traffic_selector_create_from_rfc3779_format(TS_IPV4_ADDR_RANGE, + chunk_from_chars(0x04,0x0a,0x02,0x30), + chunk_from_chars(0x00,0x0a,0x02,0x40))); + verify("129.64.0.0..143.255.255.255", NULL, + traffic_selector_create_from_rfc3779_format(TS_IPV4_ADDR_RANGE, + chunk_from_chars(0x06,0x81,0x40), + chunk_from_chars(0x04,0x80))); +} +END_TEST + + +static void verify_address(char *addr_from, char *addr_to, traffic_selector_t *ts) +{ + host_t *from, *to; + + from = host_create_from_string(addr_from, 0); + to = host_create_from_string(addr_to, 0); + + ck_assert_chunk_eq(from->get_address(from), ts->get_from_address(ts)); + ck_assert_chunk_eq(to->get_address(to), ts->get_to_address(ts)); + from->destroy(from); + to->destroy(to); + ts->destroy(ts); +} + +START_TEST(test_get_address_range) +{ + verify_address("10.1.0.1", "10.1.0.10", + traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, + "10.1.0.1", 0, "10.1.0.10", 65535)); + /* currently not reordered */ + verify_address("10.1.0.10", "10.1.0.1", + traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, + "10.1.0.10", 0, "10.1.0.1", 65535)); +} +END_TEST + +START_TEST(test_get_address_cidr) +{ + verify_address("10.1.0.0", "10.1.255.255", + traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535)); + verify_address("fec1::", "fec1::ffff:ffff:ffff:ffff", + traffic_selector_create_from_cidr("fec1::/64", 0, 0, 65535)); +} +END_TEST + +struct { + ts_type_t type; + char *from; + char *to; + char *net; + u_int8_t mask; + bool exact; +} to_subnet_tests[] = { + { 
TS_IPV4_ADDR_RANGE, "10.0.0.1", "10.0.0.1", "10.0.0.1", 32, TRUE }, + { TS_IPV4_ADDR_RANGE, "10.0.0.0", "10.255.255.255", "10.0.0.0", 8, TRUE }, + { TS_IPV4_ADDR_RANGE, "10.0.0.1", "10.0.0.255", "10.0.0.0", 24, FALSE }, + { TS_IPV4_ADDR_RANGE, "10.0.0.0", "10.0.0.15", "10.0.0.0", 28, TRUE }, + { TS_IPV4_ADDR_RANGE, "10.0.0.1", "10.0.0.15", "10.0.0.0", 28, FALSE }, + { TS_IPV4_ADDR_RANGE, "10.0.0.1", "10.0.0.16", "10.0.0.0", 27, FALSE }, + { TS_IPV6_ADDR_RANGE, "fec1::1", "fec1::1", "fec1::1", 128, TRUE }, + { TS_IPV6_ADDR_RANGE, "fec1::0", "fec1::ffff:ffff:ffff:ffff", "fec1::", 64, TRUE }, + { TS_IPV6_ADDR_RANGE, "fec1::1", "fec1::ffff:ffff:ffff:ffff", "fec1::", 64, FALSE }, + { TS_IPV6_ADDR_RANGE, "fec1::1", "fec1::7fff", "fec1::", 113, FALSE }, + { TS_IPV6_ADDR_RANGE, "fec1::1", "fec1::efff", "fec1::", 112, FALSE }, +}; + +START_TEST(test_to_subnet) +{ + traffic_selector_t *ts; + host_t *net, *exp_net; + u_int8_t mask; + + ts = traffic_selector_create_from_string(0, to_subnet_tests[_i].type, + to_subnet_tests[_i].from, 0, to_subnet_tests[_i].to, 0); + ck_assert(ts->to_subnet(ts, &net, &mask) == to_subnet_tests[_i].exact); + exp_net = host_create_from_string(to_subnet_tests[_i].net, 0); + ck_assert(exp_net->ip_equals(exp_net, net)); + ck_assert_int_eq(to_subnet_tests[_i].mask, mask); + exp_net->destroy(exp_net); + net->destroy(net); + ts->destroy(ts); +} +END_TEST + +struct { + char *cidr; + u_int16_t from_port; + u_int16_t to_port; + u_int16_t port; +} to_subnet_port_tests[] = { + { "10.0.0.0/8", 0, 0, 0 }, + { "10.0.0.1/32", 80, 80, 80 }, + { "10.0.0.1/32", 123, 465, 0 }, + { "0.0.0.0/0", 0, 65535, 0 }, + { "fec1::/64", 0, 0, 0 }, + { "fec1::1/128", 80, 80, 80 }, + { "fec1::1/128", 123, 465, 0 }, + { "::/0", 0, 65535, 0 }, +}; + +START_TEST(test_to_subnet_port) +{ + traffic_selector_t *ts; + host_t *net, *exp_net; + u_int8_t mask; + int exp_mask; + + ts = traffic_selector_create_from_cidr(to_subnet_port_tests[_i].cidr, 0, + to_subnet_port_tests[_i].from_port, + 
to_subnet_port_tests[_i].to_port); + ck_assert(ts->to_subnet(ts, &net, &mask)); + exp_net = host_create_from_subnet(to_subnet_port_tests[_i].cidr, &exp_mask); + ck_assert(exp_net->ip_equals(exp_net, net)); + ck_assert_int_eq(exp_mask, mask); + ck_assert_int_eq(to_subnet_port_tests[_i].port, net->get_port(net)); + exp_net->destroy(exp_net); + net->destroy(net); + ts->destroy(ts); +} +END_TEST START_TEST(test_subset) { @@ -81,6 +276,14 @@ START_TEST(test_subset) a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535); b = traffic_selector_create_from_cidr("10.1.5.0/24", 0, 0, 65535); verify("10.1.5.0/24", NULL, a->get_subset(a, b)); + verify("10.1.5.0/24", NULL, b->get_subset(b, a)); + a->destroy(a); + b->destroy(b); + + a = traffic_selector_create_from_cidr("fec1::/64", 0, 0, 65535); + b = traffic_selector_create_from_cidr("fec1::1/128", 0, 0, 65535); + verify("fec1::1/128", NULL, a->get_subset(a, b)); + verify("fec1::1/128", NULL, b->get_subset(b, a)); a->destroy(a); b->destroy(b); } @@ -117,7 +320,7 @@ START_TEST(test_subset_nonet) a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535); b = traffic_selector_create_from_cidr("10.2.0.0/16", 0, 0, 65535); - ck_assert(a->get_subset(a, b) == NULL); + ck_assert(!a->get_subset(a, b)); a->destroy(a); b->destroy(b); } @@ -129,7 +332,7 @@ START_TEST(test_subset_noport) a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 9999); b = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 10000, 65535); - ck_assert(a->get_subset(a, b) == NULL); + ck_assert(!a->get_subset(a, b)); a->destroy(a); b->destroy(b); } @@ -141,7 +344,7 @@ START_TEST(test_subset_noproto) a = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_TCP, 0, 65535); b = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_UDP, 0, 65535); - ck_assert(a->get_subset(a, b) == NULL); + ck_assert(!a->get_subset(a, b)); a->destroy(a); b->destroy(b); } 
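Review bot: The two `{NULL, 0}` rows in rfc3779_prefix_tests pin down that an empty addressPrefix is accepted as `0.0.0.0/0` / `::/0`, even though the FIXME on the row says the encoding is invalid (an RFC 3779 IPAddress BIT STRING always carries the unused-bits octet, so a zero-length value should be rejected). These encodings come from certificate extensions, so codifying lenient parsing in a test makes it harder to tighten later; I would drop the two rows or turn them into `ck_assert(!traffic_selector_create_from_rfc3779_format(type, chunk_empty, chunk_empty))`. The table also has no malformed cases at all: an unused-bits octet above 7 (`chunk_from_chars(0x08,0x0a)`) and a value longer than the address family (six bytes for IPv4) are the inputs where a parser can over-read or mis-shift, and whether the constructor rejects them is not visible here.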
@@ -153,7 +356,43 @@ START_TEST(test_subset_nofamily) a = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535); b = traffic_selector_create_from_cidr("::/0", 0, 0, 65535); - ck_assert(a->get_subset(a, b) == NULL); + ck_assert(!a->get_subset(a, b)); + a->destroy(a); + b->destroy(b); +} +END_TEST + +START_TEST(test_subset_dynamic) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_dynamic(0, 0, 65535); + b = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535); + ck_assert(!a->get_subset(a, b)); + ck_assert(!b->get_subset(b, a)); + a->destroy(a); + b->destroy(b); +} +END_TEST + +START_TEST(test_subset_opaque) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_from_cidr("10.0.0.0/8", 0, 65535, 0); + b = traffic_selector_create_from_cidr("10.2.7.16/30", IPPROTO_TCP, 80, 80); + ck_assert(!a->get_subset(a, b)); + ck_assert(!b->get_subset(b, a)); + b->destroy(b); + + b = traffic_selector_create_from_cidr("10.2.7.16/30", IPPROTO_TCP, 65535, 0); + verify("10.2.7.16/30[tcp/OPAQUE]", "10.2.7.16/30[6/OPAQUE]", a->get_subset(a, b)); + verify("10.2.7.16/30[tcp/OPAQUE]", "10.2.7.16/30[6/OPAQUE]", b->get_subset(b, a)); + b->destroy(b); + + b = traffic_selector_create_from_cidr("10.2.7.16/30", IPPROTO_TCP, 0, 65535); + verify("10.2.7.16/30[tcp/OPAQUE]", "10.2.7.16/30[6/OPAQUE]", a->get_subset(a, b)); + verify("10.2.7.16/30[tcp/OPAQUE]", "10.2.7.16/30[6/OPAQUE]", b->get_subset(b, a)); a->destroy(a); b->destroy(b); } 
@@ -188,6 +427,130 @@ START_TEST(test_includes) } END_TEST +struct { + bool contained; + struct { + char *net; + u_int8_t proto; + u_int16_t from_port; + u_int16_t to_port; + } a, b; +} is_contained_in_tests[] = { + { TRUE, { "10.0.0.0/16", 0, 0, 65535 }, { "10.0.0.0/16", 0, 0, 65535 }, }, + { TRUE, { "10.0.1.0/24", 0, 0, 65535 }, { "10.0.0.0/16", 0, 0, 65535 }, }, + { TRUE, { "10.0.1.0/24", 17, 123, 456 }, { "10.0.0.0/16", 0, 0, 65535 }, }, + { TRUE, { "10.0.1.0/24", 17, 123, 456 }, { "10.0.0.0/16", 17, 123, 456 },}, + { FALSE, { "10.0.0.0/8", 0, 0, 65535 }, { "10.0.0.0/16", 0, 0, 65535 }, }, + { FALSE, { "10.0.1.0/24", 17, 0, 65535 }, { "10.0.0.0/16", 17, 123, 456 },}, + { FALSE, { "fec2::/64", 0, 0, 65535 }, { "10.0.0.0/16", 17, 123, 456 },}, +}; + +START_TEST(test_is_contained_in) +{ + traffic_selector_t *a, *b; + + a = traffic_selector_create_from_cidr( + is_contained_in_tests[_i].a.net, is_contained_in_tests[_i].a.proto, + is_contained_in_tests[_i].a.from_port, is_contained_in_tests[_i].a.to_port); + b = traffic_selector_create_from_cidr( + is_contained_in_tests[_i].b.net, is_contained_in_tests[_i].b.proto, + is_contained_in_tests[_i].b.from_port, is_contained_in_tests[_i].b.to_port); + ck_assert(a->is_contained_in(a, b) == is_contained_in_tests[_i].contained); + a->destroy(a); + b->destroy(b); +} +END_TEST + +struct { + char *net; + char *host; + bool is_host; + bool when_null; +} is_host_tests[] = { + { "0.0.0.0/0", "192.168.1.2", FALSE, FALSE }, + { "::/0", "fec2::1", FALSE, FALSE }, + { "192.168.1.2/32", "192.168.1.2", TRUE, TRUE }, + { "192.168.1.2/32", "192.168.1.1", FALSE, TRUE }, + { "192.168.1.2/32", "fec2::1", FALSE, TRUE }, + { "fec2::1/128", "fec2::1", TRUE, TRUE }, + { "fec2::1/128", "fec2::2", FALSE, TRUE }, + { "fec2::1/128", "192.168.1.2", FALSE, TRUE }, +}; + +START_TEST(test_is_host) +{ + traffic_selector_t *ts; + host_t *h; + + ts = traffic_selector_create_from_cidr(is_host_tests[_i].net, 0, 0, 65535); + h = 
host_create_from_string(is_host_tests[_i].host, 0); + ck_assert(ts->is_host(ts, h) == is_host_tests[_i].is_host); + ck_assert(ts->is_host(ts, NULL) == is_host_tests[_i].when_null); + ts->destroy(ts); + h->destroy(h); +} +END_TEST + +START_TEST(test_is_host_dynamic) +{ + traffic_selector_t *ts; + host_t *h; + + ts = traffic_selector_create_dynamic(0, 0, 65535); + h = host_create_from_string(is_host_tests[_i].host, 0); + ck_assert(!ts->is_host(ts, h)); + ck_assert(ts->is_host(ts, NULL)); + ts->destroy(ts); + h->destroy(h); +} +END_TEST + + +struct { + char *orig; + char *host; + char *after; +} set_address_tests[] = { + { "0.0.0.0/0", "192.168.1.2", "0.0.0.0/0" }, + { "::/0", "fec2::1", "::/0" }, + { "192.168.1.2/32", "192.168.1.1", "192.168.1.1/32" }, + { "192.168.1.2/32", "fec2::1", "fec2::1/128" }, + { "192.168.1.2/32", "%any", "0.0.0.0/0" }, + { "192.168.1.2/32", "%any6", "::/0" }, + { "fec2::1/128", "192.168.1.1", "192.168.1.1/32" }, + { "fec2::1/128", "fec2::2", "fec2::2/128" }, + { "fec2::1/128", "%any", "0.0.0.0/0" }, + { "fec2::1/128", "%any6", "::/0" }, + { NULL, "192.168.1.1", "192.168.1.1/32" }, + { NULL, "fec2::1", "fec2::1/128" }, + { NULL, "%any", "0.0.0.0/0" }, + { NULL, "%any6", "::/0" }, +}; + +START_TEST(test_set_address) +{ + traffic_selector_t *ts; + host_t *h; + + if (set_address_tests[_i].orig) + { + ts = traffic_selector_create_from_cidr(set_address_tests[_i].orig, 0, 0, 65535); + ck_assert(!ts->is_dynamic(ts)); + } + else + { + ts = traffic_selector_create_dynamic(0, 0, 65535); + ck_assert(ts->is_dynamic(ts)); + } + h = host_create_from_string(set_address_tests[_i].host, 0); + ts->set_address(ts, h); + ck_assert(!ts->is_dynamic(ts)); + verify(set_address_tests[_i].after, NULL, ts); + h->destroy(h); +} +END_TEST + + struct { int res; struct { 
@@ -206,6 +569,10 @@ struct { { 1, { "2.0.0.0/8", 0, 0, 65535 }, { "1.0.0.0/8", 0, 0, 65535 }, }, { -1, { "1.0.0.0/8", 0, 0, 65535 }, { "1.0.0.0/16", 0, 0, 65535 }, }, { 1, { "1.0.0.0/16", 0, 0, 65535 }, { "1.0.0.0/8", 0, 0, 65535 }, }, + { -1, { "fec1::/64", 0, 0, 65535 }, { "fec2::/64", 0, 0, 65535 }, }, + { 1, { "fec2::/64", 0, 0, 65535 }, { "fec1::/64", 0, 0, 65535 }, }, + { -1, { "fec1::/48", 0, 0, 65535 }, { "fec1::/64", 0, 0, 65535 }, }, + { 1, { "fec1::/64", 0, 0, 65535 }, { "fec1::/48", 0, 0, 65535 }, }, { -1, { "10.0.0.0/8", 0, 0, 65535 }, { "fec2::/64", 0, 0, 65535 }, }, { 1, { "fec2::/64", 0, 0, 65535 }, { "10.0.0.0/8", 0, 0, 65535 }, }, @@ -235,12 +602,15 @@ START_TEST(test_cmp) { case 0: ck_assert(traffic_selector_cmp(a, b, NULL) == 0); + ck_assert(a->equals(a, b)); break; case 1: ck_assert(traffic_selector_cmp(a, b, NULL) > 0); + ck_assert(!a->equals(a, b)); break; case -1: ck_assert(traffic_selector_cmp(a, b, NULL) < 0); + ck_assert(!a->equals(a, b)); break; } a->destroy(a); 
@@ -248,6 +618,172 @@ START_TEST(test_cmp) } END_TEST +static void verify_clone(traffic_selector_t *ts) +{ + traffic_selector_t *clone; + + clone = ts->clone(ts); + if (!ts->equals(ts, clone)) + { + fail("%R != %R", ts, clone); + } + /* equals() already compares most of these but not all */ + ck_assert(ts->get_type(ts) == clone->get_type(clone)); + ck_assert(ts->get_protocol(ts) == clone->get_protocol(clone)); + ck_assert(ts->get_from_port(ts) == clone->get_from_port(clone)); + ck_assert(ts->get_to_port(ts) == clone->get_to_port(clone)); + ck_assert_chunk_eq(ts->get_from_address(ts), clone->get_from_address(clone)); + ck_assert_chunk_eq(ts->get_to_address(ts), clone->get_to_address(clone)); + ck_assert(ts->is_host(ts, NULL) == clone->is_host(clone, NULL)); + ck_assert(ts->is_dynamic(ts) == clone->is_dynamic(clone)); + clone->destroy(clone); + ts->destroy(ts); +} + +START_TEST(test_clone) +{ + traffic_selector_t *ts; + host_t *h; + + ts = traffic_selector_create_dynamic(0, 0, 0); + verify_clone(ts); + ts = traffic_selector_create_dynamic(IPPROTO_UDP, 123, 456); + verify_clone(ts); + ts = traffic_selector_create_dynamic(IPPROTO_UDP, 0, 65535); + verify_clone(ts); + + h = host_create_from_string("192.168.1.1", 0); + ts = traffic_selector_create_dynamic(0, 0, 0); + ts->set_address(ts, h); + verify_clone(ts); + ts = traffic_selector_create_dynamic(IPPROTO_UDP, 123, 456); + ts->set_address(ts, h); + verify_clone(ts); + h->destroy(h); + + ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "10.0.0.1", 0, "10.0.0.16", 65535); + verify_clone(ts); + ts = traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV6_ADDR_RANGE, "fec1::1", 80, "fec1::1:0000", 80); + verify_clone(ts); + ts = traffic_selector_create_from_cidr("10.0.0.0/8", 0, 0, 65535); + verify_clone(ts); + ts = traffic_selector_create_from_cidr("fec1::/64", 0, 0, 65535); + verify_clone(ts); +} +END_TEST + +START_TEST(test_hash) +{ + traffic_selector_t *a, *b; + host_t *h; + + a = 
traffic_selector_create_dynamic(0, 0, 0); + b = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 0); + ck_assert(a->hash(a, 0) != a->hash(a, 1)); + ck_assert_int_eq(a->hash(a, 0), b->hash(b, 0)); + ck_assert_int_eq(a->hash(a, 1), b->hash(b, 1)); + + h = host_create_from_string("192.168.1.1", 0); + a->set_address(a, h); + ck_assert(a->hash(a, 0) != b->hash(b, 0)); + h->destroy(h); + + a->destroy(a); + a = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "192.168.0.0", 0, "192.168.0.255", 65535); + ck_assert(a->hash(a, 0) != b->hash(b, 0)); + b->destroy(b); + b = traffic_selector_create_from_cidr("192.168.0.0/24", 0, 0, 65535); + ck_assert_int_eq(a->hash(a, 0), b->hash(b, 0)); + b->destroy(b); + b = traffic_selector_create_from_cidr("192.168.0.0/24", IPPROTO_TCP, 0, 65535); + ck_assert(a->hash(a, 0) != b->hash(b, 0)); + b->destroy(b); + b = traffic_selector_create_from_cidr("192.168.0.0/24", 0, 123, 456); + ck_assert(a->hash(a, 0) != b->hash(b, 0)); + b->destroy(b); + a->destroy(a); +} +END_TEST + +struct { + u_int8_t proto; + u_int16_t from_port; + u_int16_t to_port; + u_int8_t from_type; + u_int8_t from_code; + u_int8_t to_type; + u_int8_t to_code; + char *str; + char *str_alt; +} icmp_tests[] = { + { IPPROTO_ICMP, 0, 0, 0, 0, 0, 0, "dynamic[icmp/0]", "dynamic[1/0]" }, + { IPPROTO_ICMP, 3, 3, 3, 0, 3, 0, "dynamic[icmp/3]", "dynamic[1/3]" }, + { IPPROTO_ICMP, 0x0307, 0x0307, 3, 7, 3, 7, "dynamic[icmp/3(7)]", "dynamic[1/3(7)]" }, + { IPPROTO_ICMP, 0x0300, 0x040f, 3, 0, 4, 15, "dynamic[icmp/3-4(15)]", "dynamic[1/3-4(15)]" }, + { IPPROTO_ICMP, 0x0301, 0x040f, 3, 1, 4, 15, "dynamic[icmp/3(1)-4(15)]", "dynamic[1/3(1)-4(15)]" }, + { IPPROTO_ICMPV6, 0, 0, 0, 0, 0, 0, "dynamic[ipv6-icmp/0]", "dynamic[58/0]" }, + { IPPROTO_ICMPV6, 1, 1, 1, 0, 1, 0, "dynamic[ipv6-icmp/1]", "dynamic[58/1]" }, + { IPPROTO_ICMPV6, 0x0104, 0x0104, 1, 4, 1, 4, "dynamic[ipv6-icmp/1(4)]", "dynamic[58/1(4)]" }, + { IPPROTO_ICMPV6, 0x0100, 0x040f, 1, 0, 4, 15, 
"dynamic[ipv6-icmp/1-4(15)]", "dynamic[58/1-4(15)]" }, + { IPPROTO_ICMPV6, 0x0101, 0x040f, 1, 1, 4, 15, "dynamic[ipv6-icmp/1(1)-4(15)]", "dynamic[58/1(1)-4(15)]" }, +}; + +START_TEST(test_icmp) +{ + traffic_selector_t *ts; + u_int16_t from, to; + + ts = traffic_selector_create_dynamic(icmp_tests[_i].proto, + icmp_tests[_i].from_port, icmp_tests[_i].to_port); + from = ts->get_from_port(ts); + to = ts->get_to_port(ts); + ck_assert_int_eq(icmp_tests[_i].from_type, traffic_selector_icmp_type(from)); + ck_assert_int_eq(icmp_tests[_i].from_code, traffic_selector_icmp_code(from)); + ck_assert_int_eq(icmp_tests[_i].to_type, traffic_selector_icmp_type(to)); + ck_assert_int_eq(icmp_tests[_i].to_code, traffic_selector_icmp_code(to)); + verify(icmp_tests[_i].str, icmp_tests[_i].str_alt, ts); +} +END_TEST + +static void verify_list(const char *str, const char *alt, linked_list_t *list) +{ + char buf[512]; + + snprintf(buf, sizeof(buf), "%#R", list); + list->destroy_offset(list, offsetof(traffic_selector_t, destroy)); + if (!streq(buf, str) && !streq(buf, alt)) + { + fail("%s != %s or %s", buf, str, alt); + } +} + +START_TEST(test_printf_hook_null) +{ + verify("(null)", NULL, NULL); +} +END_TEST + +START_TEST(test_printf_hook_hash) +{ + linked_list_t *list; + + list = linked_list_create_with_items( + traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535), + NULL); + verify_list("10.1.0.0/16 ", NULL, list); + list = linked_list_create_with_items( + traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535), + traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP, 1234, 1235), + NULL); + verify_list("10.1.0.0/16 10.1.0.1/32[udp/1234-1235] ", "10.1.0.0/16 10.1.0.1/32[17/1234-1235] ", list); + list = linked_list_create_with_items( + traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535), + traffic_selector_create_from_string(IPPROTO_UDP, TS_IPV4_ADDR_RANGE, "10.1.0.1", 1234, "10.1.0.99", 1235), + NULL); + verify_list("10.1.0.0/16 
10.1.0.1..10.1.0.99[udp/1234-1235] ", "10.1.0.0/16 10.1.0.1..10.1.0.99[17/1234-1235] ", list); +} +END_TEST + Suite *traffic_selector_suite_create() { Suite *s; @@ -260,6 +796,18 @@ Suite *traffic_selector_suite_create() tcase_add_test(tc, test_create_from_cidr); tcase_add_test(tc, test_create_from_bytes); tcase_add_test(tc, test_create_from_subnet); + tcase_add_loop_test(tc, test_create_from_rfc3779_format_prefix, 0, countof(rfc3779_prefix_tests)); + tcase_add_test(tc, test_create_from_rfc3779_format_range); + suite_add_tcase(s, tc); + + tc = tcase_create("addresses"); + tcase_add_test(tc, test_get_address_range); + tcase_add_test(tc, test_get_address_cidr); + suite_add_tcase(s, tc); + + tc = tcase_create("to_subnet"); + tcase_add_loop_test(tc, test_to_subnet, 0, countof(to_subnet_tests)); + tcase_add_loop_test(tc, test_to_subnet_port, 0, countof(to_subnet_port_tests)); suite_add_tcase(s, tc); tc = tcase_create("subset"); 
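Review bot: verify_list() does not get the NULL guard that verify() received in this same commit: `if (!streq(buf, str) && !streq(buf, alt))` evaluates `streq(buf, NULL)` whenever the first comparison fails, and the first two callers in test_printf_hook_hash pass `NULL` as `alt`. Assuming streq() wraps strcmp(), a mismatch there crashes the test process instead of reporting the bad string. The condition should read `if (!streq(buf, str) && (!alt || !streq(buf, alt)))`, and the following `fail()` has the same NULL-to-`%s` issue as verify().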
@@ -270,15 +818,47 @@ Suite *traffic_selector_suite_create() tcase_add_test(tc, test_subset_noport); tcase_add_test(tc, test_subset_noproto); tcase_add_test(tc, test_subset_nofamily); + tcase_add_test(tc, test_subset_dynamic); + tcase_add_test(tc, test_subset_opaque); suite_add_tcase(s, tc); tc = tcase_create("includes"); tcase_add_loop_test(tc, test_includes, 0, countof(include_tests)); suite_add_tcase(s, tc); + tc = tcase_create("is_contained_in"); + tcase_add_loop_test(tc, test_is_contained_in, 0, countof(is_contained_in_tests)); + suite_add_tcase(s, tc); + + tc = tcase_create("is_host"); + tcase_add_loop_test(tc, test_is_host, 0, countof(is_host_tests)); + tcase_add_loop_test(tc, test_is_host_dynamic, 0, countof(is_host_tests)); + suite_add_tcase(s, tc); + + tc = tcase_create("set_address"); + tcase_add_loop_test(tc, test_set_address, 0, countof(is_host_tests)); + suite_add_tcase(s, tc); + tc = tcase_create("cmp"); tcase_add_loop_test(tc, test_cmp, 0, countof(cmp_tests)); suite_add_tcase(s, tc); + tc = tcase_create("clone"); + tcase_add_test(tc, test_clone); + suite_add_tcase(s, tc); + + tc = tcase_create("hash"); + tcase_add_test(tc, test_hash); + suite_add_tcase(s, tc); + + tc = tcase_create("icmp"); + tcase_add_loop_test(tc, test_icmp, 0, countof(icmp_tests)); + suite_add_tcase(s, tc); + + tc = tcase_create("printf hook"); + tcase_add_test(tc, test_printf_hook_null); + tcase_add_test(tc, test_printf_hook_hash); + suite_add_tcase(s, tc); + return s; } diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c index 0bae9c8cd..66d0e612d 100644 --- a/src/libstrongswan/tests/test_runner.c +++ b/src/libstrongswan/tests/test_runner.c @@ -265,7 +265,7 @@ static bool pre_test(test_runner_init_t init, char *cfg) */ typedef struct { char *name; - char msg[512 - sizeof(char*) - 2 * sizeof(int)]; + char msg[4096 - sizeof(char*) - 2 * sizeof(int)]; const char *file; int line; int i; 
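Review bot: test_set_address is registered with the wrong bound: `tcase_add_loop_test(tc, test_set_address, 0, countof(is_host_tests));` uses the 8-entry is_host_tests table, while set_address_tests has 14 rows, so the last six cases, including all four that start from a dynamic selector (`NULL` orig), never execute. The line should be `tcase_add_loop_test(tc, test_set_address, 0, countof(set_address_tests));`.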
diff --git a/src/libstrongswan/tests/test_suite.c b/src/libstrongswan/tests/test_suite.c index 00ac31830..0af34c847 100644 --- a/src/libstrongswan/tests/test_suite.c +++ b/src/libstrongswan/tests/test_suite.c @@ -27,7 +27,7 @@ /** * Failure message buf */ -static char failure_buf[512]; +static char failure_buf[4096]; /** * Source file failure occurred diff --git a/src/libstrongswan/tests/tests.c b/src/libstrongswan/tests/tests.c index aed600fbc..0fdfac52d 100644 --- a/src/libstrongswan/tests/tests.c +++ b/src/libstrongswan/tests/tests.c @@ -25,8 +25,8 @@ static test_configuration_t tests[] = { #define TEST_SUITE(x) \ { .suite = x, }, -#define TEST_SUITE_DEPEND(x, type, args) \ - { .suite = x, .feature = PLUGIN_DEPENDS(type, args) }, +#define TEST_SUITE_DEPEND(x, type, ...) \ + { .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) }, #include "tests.h" { .suite = NULL, } }; diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c index 923b7d4db..ce5f550b5 100644 --- a/src/libstrongswan/utils/capabilities.c +++ b/src/libstrongswan/utils/capabilities.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2013 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG @@ -288,13 +288,25 @@ METHOD(capabilities_t, resolve_uid, bool, #ifdef HAVE_GETPWNAM_R struct passwd passwd; - char buf[1024]; + size_t buflen = 1024; + char *buf = NULL; - err = getpwnam_r(username, &passwd, buf, sizeof(buf), &pwp); - if (pwp) + while (TRUE) { - this->uid = pwp->pw_uid; + buf = realloc(buf, buflen); + err = getpwnam_r(username, &passwd, buf, buflen, &pwp); + if (err == ERANGE) + { + buflen *= 2; + continue; + } + if (pwp) + { + this->uid = pwp->pw_uid; + } + break; } + free(buf); #else /* HAVE GETPWNAM_R */ this->mutex->lock(this->mutex); pwp = getpwnam(username); 
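Review bot: The new retry loop in resolve_uid() assigns `buf = realloc(buf, buflen)` without checking the result, and nothing bounds `buflen`: if allocation fails the old buffer leaks and a NULL `buf` is passed to getpwnam_r(), and an NSS backend that keeps answering ERANGE doubles the size until that happens. This is the path that resolves the user whose identity the daemon drops privileges to, so failing cleanly matters more than usual; assign through a temporary, stop on NULL, and cap the size. `pwp` must be initialised to NULL before the loop for the early break to be safe; its declaration is outside the hunk, as is the return that follows.
```c
	while (TRUE)
	{
		char *grown;

		/* an NSS backend that never stops returning ERANGE must not grow
		 * the buffer without bound; any sane passwd entry fits well below this */
		if (buflen > (1 << 20))
		{
			break;
		}
		grown = realloc(buf, buflen);
		if (!grown)
		{	/* keep buf so the free() below still releases it */
			break;
		}
		buf = grown;
		err = getpwnam_r(username, &passwd, buf, buflen, &pwp);
		/* … unchanged: ERANGE retry, pw_uid assignment, break … */
	}
	free(buf);
```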
@@ -324,13 +336,25 @@ METHOD(capabilities_t, resolve_gid, bool, #ifdef HAVE_GETGRNAM_R struct group group; - char buf[1024]; + size_t buflen = 1024; + char *buf = NULL; - err = getgrnam_r(groupname, &group, buf, sizeof(buf), &grp); - if (grp) + while (TRUE) { - this->gid = grp->gr_gid; + buf = realloc(buf, buflen); + err = getgrnam_r(groupname, &group, buf, buflen, &grp); + if (err == ERANGE) + { + buflen *= 2; + continue; + } + if (grp) + { + this->gid = grp->gr_gid; + } + break; } + free(buf); #else /* HAVE_GETGRNAM_R */ this->mutex->lock(this->mutex); grp = getgrnam(groupname); @@ -362,12 +386,24 @@ static bool init_supplementary_groups(private_capabilities_t *this) #ifdef HAVE_GETPWUID_R struct passwd pwd; - char buf[1024]; + size_t buflen = 1024; + char *buf = NULL; - if (getpwuid_r(this->uid, &pwd, buf, sizeof(buf), &pwp) == 0 && pwp) + while (TRUE) { - res = initgroups(pwp->pw_name, this->gid); + buf = realloc(buf, buflen); + if (getpwuid_r(this->uid, &pwd, buf, buflen, &pwp) == ERANGE) + { + buflen *= 2; + continue; + } + if (pwp) + { + res = initgroups(pwp->pw_name, this->gid); + } + break; } + free(buf); #else /* HAVE_GETPWUID_R */ this->mutex->lock(this->mutex); pwp = getpwuid(this->uid); diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index b69adf399..da23d143c 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009-2012 Tobias Brunner + * Copyright (C) 2009-2015 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil 
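Review bot: resolve_gid() has the same unchecked `buf = realloc(buf, buflen)` and unbounded doubling as resolve_uid(); on allocation failure the previous buffer leaks and getgrnam_r() is called with a NULL buffer. Apply the same fix here: realloc into a temporary, `if (!tmp) { break; }` before calling getgrnam_r(), and bound `buflen`. `grp` must start out NULL for that break to be safe; its declaration and the function's return are outside the hunk.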
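Review bot: init_supplementary_groups() repeats the unchecked `buf = realloc(buf, buflen)` pattern; a failed realloc leaks the old buffer and hands NULL to getpwuid_r(). Since `res` is presumably what this function returns (it is declared outside the hunk), a realloc failure must also leave `res` FALSE so the caller does not proceed with an incomplete supplementary group list; check the realloc result through a temporary and break out of the loop on NULL. A single static helper that grows the buffer for all three lookups would avoid fixing the same defect three times.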
@@ -47,10 +47,9 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID, "ID_DER_ASN1_DN", "ID_DER_ASN1_GN", "ID_KEY_ID"); -ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_USER_ID, ID_KEY_ID, - "ID_DER_ASN1_GN_URI", - "ID_USER_ID"); -ENUM_END(id_type_names, ID_USER_ID); +ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_DER_ASN1_GN_URI, ID_KEY_ID, + "ID_DER_ASN1_GN_URI"); +ENUM_END(id_type_names, ID_DER_ASN1_GN_URI); /** * coding of X.501 distinguished name @@ -478,7 +477,7 @@ static status_t atodn(char *src, chunk_t *dn) name.len -= whitespace; rdn_type = (x501rdns[i].type == ASN1_PRINTABLESTRING && !asn1_is_printablestring(name)) - ? ASN1_T61STRING : x501rdns[i].type; + ? ASN1_UTF8STRING : x501rdns[i].type; if (rdn_count < RDN_MAX) { @@ -579,6 +578,19 @@ METHOD(identification_t, contains_wildcards_memchr, bool, return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL; } +METHOD(identification_t, hash_binary, u_int, + private_identification_t *this, u_int inc) +{ + u_int hash; + + hash = chunk_hash_inc(chunk_from_thing(this->type), inc); + if (this->type != ID_ANY) + { + hash = chunk_hash_inc(this->encoded, hash); + } + return hash; +} + METHOD(identification_t, equals_binary, bool, private_identification_t *this, identification_t *other) { @@ -687,6 +699,24 @@ METHOD(identification_t, equals_dn, bool, return compare_dn(this->encoded, other->get_encoding(other), NULL); } +METHOD(identification_t, hash_dn, u_int, + private_identification_t *this, u_int inc) +{ + enumerator_t *rdns; + chunk_t oid, data; + u_char type; + u_int hash; + + hash = chunk_hash_inc(chunk_from_thing(this->type), inc); + rdns = create_rdn_enumerator(this->encoded); + while (rdns->enumerate(rdns, &oid, &type, &data)) + { + hash = chunk_hash_inc(data, chunk_hash_inc(oid, hash)); + } + rdns->destroy(rdns); + return hash; +} + METHOD(identification_t, equals_strcasecmp, bool, private_identification_t *this, identification_t *other) { 
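Review bot: atodn() now tags any non-PrintableString RDN value as UTF8String, but the bytes in `name` appear to be taken from the input string as-is; if the caller hands over a non-UTF-8 byte sequence (a Latin-1 configuration file, say) the resulting DER claims UTF8String for invalid UTF-8, which a strict peer may reject. A short comment stating that the input is expected to be UTF-8, or a validity check before choosing ASN1_UTF8STRING, would make the assumption explicit. The surrounding loop is outside the hunk.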
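Review bot: hash_dn() folds the raw `oid` and `data` bytes of every RDN but skips `type`, which is only consistent with equals_dn() if compare_dn() also ignores the string type; compare_dn() is not visible here. More importantly, if compare_dn() matches PrintableString or IA5String values case-insensitively (strongSwan does for emailAddress, if memory serves), two DNs that compare equal will hash differently, breaking any hashtable keyed on identification_t. Please confirm against compare_dn() and, where it folds case, hash a lower-cased copy of `data` (e.g. `tolower()` per byte into chunk_hash_inc()) instead of the raw bytes.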
@@ -828,7 +858,6 @@ int identification_printf_hook(printf_hook_data_t *data, case ID_FQDN: case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: - case ID_USER_ID: chunk_printable(this->encoded, &proper, '?'); snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr); chunk_free(&proper); @@ -903,23 +932,26 @@ static private_identification_t *identification_create(id_type_t type) switch (type) { case ID_ANY: + this->public.hash = _hash_binary; this->public.matches = _matches_any; this->public.equals = _equals_binary; this->public.contains_wildcards = return_true; break; case ID_FQDN: case ID_RFC822_ADDR: - case ID_USER_ID: + this->public.hash = _hash_binary; this->public.matches = _matches_string; this->public.equals = _equals_strcasecmp; this->public.contains_wildcards = _contains_wildcards_memchr; break; case ID_DER_ASN1_DN: + this->public.hash = _hash_dn; this->public.equals = _equals_dn; this->public.matches = _matches_dn; this->public.contains_wildcards = _contains_wildcards_dn; break; default: + this->public.hash = _hash_binary; this->public.equals = _equals_binary; this->public.matches = _matches_binary; this->public.contains_wildcards = return_false; diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h index e6a9fe1c6..5f27ba112 100644 --- a/src/libstrongswan/utils/identification.h +++ b/src/libstrongswan/utils/identification.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009 Tobias Brunner + * Copyright (C) 2009-2015 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -129,11 +129,6 @@ enum id_type_t { * Private ID type which represents a GeneralName of type URI */ ID_DER_ASN1_GN_URI = 201, - - /** - * Private ID type which represents a user ID - */ - ID_USER_ID = 202 }; /** 
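Review bot: For ID_FQDN and ID_RFC822_ADDR the new table pairs `this->public.hash = _hash_binary` with `this->public.equals = _equals_strcasecmp`: the hash covers the raw `encoded` bytes, while equals, by its name, compares case-insensitively, so `alice@example.org` and `Alice@Example.org` are equal but hash differently. Any hashtable keyed on identification_t, which is presumably what the new hash() method exists for, then misses or duplicates entries. Add a case-folding hash for these two types; sketch below (needs `<ctype.h>` for tolower()).
```c
METHOD(identification_t, hash_strcasecmp, u_int,
	private_identification_t *this, u_int inc)
{
	u_int hash;
	u_char c;
	size_t i;

	hash = chunk_hash_inc(chunk_from_thing(this->type), inc);
	/* fold case so the hash agrees with equals_strcasecmp() */
	for (i = 0; i < this->encoded.len; i++)
	{
		c = tolower(this->encoded.ptr[i]);
		hash = chunk_hash_inc(chunk_from_thing(c), hash);
	}
	return hash;
}

/* … unchanged: identification_create() up to the type switch … */
		case ID_FQDN:
		case ID_RFC822_ADDR:
			this->public.hash = _hash_strcasecmp;
			/* … unchanged: matches/equals/contains_wildcards assignments … */
```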
@@ -218,6 +213,14 @@ struct identification_t { */ id_type_t (*get_type) (identification_t *this); + /** + * Create a hash value for this identification_t object. + * + * @param inc optional value for incremental hashing + * @return hash value + */ + u_int (*hash) (identification_t *this, u_int inc); + /** * Check if two identification_t objects are equal. * diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c index 466c673d9..af5494052 100644 --- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c +++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c @@ -843,7 +843,8 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap) /* String */ sarg = va_arg(ap, const char *); sarg = sarg ? sarg : "(null)"; - slen = strlen(sarg); + slen = prec != -1 ? strnlen(sarg, prec) + : strlen(sarg); goto is_string; } case 'm': diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.h b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.h index 409b5bf3d..efbacff6f 100644 --- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.h +++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.h @@ -15,7 +15,7 @@ /** * @defgroup printf_hook_builtin printf_hook_builtin - * @{ @ingroup utils + * @{ @ingroup printf_hook */ #ifndef PRINTF_HOOK_BUILTIN_H_ diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_vstr.h b/src/libstrongswan/utils/printf_hook/printf_hook_vstr.h index 2f9ee5983..7c24b05e2 100644 --- a/src/libstrongswan/utils/printf_hook/printf_hook_vstr.h +++ b/src/libstrongswan/utils/printf_hook/printf_hook_vstr.h @@ -16,7 +16,7 @@ /** * @defgroup printf_hook_vstr printf_hook_vstr - * @{ @ingroup utils + * @{ @ingroup printf_hook */ #ifndef PRINTF_HOOK_VSTR_H_ diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c index 9b516accd..b4a4db802 100644 --- a/src/libstrongswan/utils/utils.c 
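Review bot: The precision guard in builtin_vsnprintf() tests `prec != -1`, so any other negative precision would be passed to strnlen() as a huge size_t; whether the precision parser can yield one (C treats a negative `*` argument as if the precision were omitted) is outside this hunk, so the safer spelling is `slen = prec >= 0 ? strnlen(sarg, prec) : strlen(sarg);`. This line is what keeps `%.*s` from reading past a buffer that is not NUL-terminated, which callers printing chunk_t contents depend on, so a comment such as `/* honour the precision so %.*s never reads past a non-terminated buffer */` would make that contract explicit. builtin_vsnprintf()'s body lies outside the hunk.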
+++ b/src/libstrongswan/utils/utils.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -16,15 +16,38 @@ #include "utils.h" +#include #include #include +#include #ifndef WIN32 # include #endif +#ifndef HAVE_CLOSEFROM +#if defined(__linux__) && defined(HAVE_SYS_SYSCALL_H) +# include +# include +# include +/* This is from the kernel sources. We limit the length of directory names to + * 256 as we only use it to enumerate FDs. */ +struct linux_dirent64 { + u_int64_t d_ino; + int64_t d_off; + unsigned short d_reclen; + unsigned char d_type; + char d_name[256]; +}; +#else /* !defined(__linux__) || !defined(HAVE_SYS_SYSCALL_H) */ +# include +#endif /* defined(__linux__) && defined(HAVE_SYS_SYSCALL_H) */ +#endif + #include #include +#define FD_DIR "/proc/self/fd" + #ifdef WIN32 #include 
@@ -110,43 +133,89 @@ void wait_sigint() /** * Described in header. */ -void closefrom(int lowfd) +void closefrom(int low_fd) { - char fd_dir[PATH_MAX]; - int maxfd, fd, len; + int max_fd, dir_fd, fd; /* try to close only open file descriptors on Linux... */ - len = snprintf(fd_dir, sizeof(fd_dir), "/proc/%u/fd", getpid()); - if (len > 0 && len < sizeof(fd_dir) && access(fd_dir, F_OK) == 0) +#if defined(__linux__) && defined(HAVE_SYS_SYSCALL_H) + /* By directly using a syscall we avoid any calls that might be unsafe after + * fork() (e.g. malloc()). */ + char buffer[sizeof(struct linux_dirent64)]; + struct linux_dirent64 *entry; + int offset, len; + + dir_fd = open("/proc/self/fd", O_RDONLY); + if (dir_fd != -1) { - enumerator_t *enumerator = enumerator_create_directory(fd_dir); - if (enumerator) + while ((len = syscall(SYS_getdents64, dir_fd, buffer, + sizeof(buffer))) > 0) { - char *rel; - while (enumerator->enumerate(enumerator, &rel, NULL, NULL)) + for (offset = 0; offset < len; offset += entry->d_reclen) { - fd = atoi(rel); - if (fd >= lowfd) + entry = (struct linux_dirent64*)(buffer + offset); + if (!isdigit(entry->d_name[0])) + { + continue; + } + fd = atoi(entry->d_name); + if (fd != dir_fd && fd >= low_fd) { close(fd); } } - enumerator->destroy(enumerator); - return; } + close(dir_fd); + return; + } +#else /* !defined(__linux__) || !defined(HAVE_SYS_SYSCALL_H) */ + /* This is potentially unsafe when called after fork() in multi-threaded + * applications. In particular opendir() will require an allocation. + * Depends on how the malloc() implementation handles such situations. 
*/ + DIR *dir; + struct dirent *entry; + +#ifndef HAVE_DIRFD + /* if we don't have dirfd() lets close the lowest FD and hope it gets reused + * by opendir() */ + close(low_fd); + dir_fd = low_fd++; +#endif + + dir = opendir(FD_DIR); + if (dir) + { +#ifdef HAVE_DIRFD + dir_fd = dirfd(dir); +#endif + while ((entry = readdir(dir))) + { + if (!isdigit(entry->d_name[0])) + { + continue; + } + fd = atoi(entry->d_name); + if (fd != dir_fd && fd >= low_fd) + { + close(fd); + } + } + closedir(dir); + return; } +#endif /* defined(__linux__) && defined(HAVE_SYS_SYSCALL_H) */ /* ...fall back to closing all fds otherwise */ #ifdef WIN32 - maxfd = _getmaxstdio(); + max_fd = _getmaxstdio(); #else - maxfd = (int)sysconf(_SC_OPEN_MAX); + max_fd = (int)sysconf(_SC_OPEN_MAX); #endif - if (maxfd < 0) + if (max_fd < 0) { - maxfd = 256; + max_fd = 256; } - for (fd = lowfd; fd < maxfd; fd++) + for (fd = low_fd; fd < max_fd; fd++) { close(fd); } diff --git a/src/libstrongswan/utils/utils/string.c b/src/libstrongswan/utils/utils/string.c index 14087e765..56910ed79 100644 --- a/src/libstrongswan/utils/utils/string.c +++ b/src/libstrongswan/utils/utils/string.c @@ -44,7 +44,7 @@ char* translate(char *str, const char *from, const char *to) char* strreplace(const char *str, const char *search, const char *replace) { size_t len, slen, rlen, count = 0; - char *res, *pos, *found, *dst; + char *res, *pos, *found = NULL, *dst; if (!str || !*str || !search || !*search || !replace) { diff --git a/src/libtls/tests/tls_tests.c b/src/libtls/tests/tls_tests.c index 2c2c5bacc..3f22f9c82 100644 --- a/src/libtls/tests/tls_tests.c +++ b/src/libtls/tests/tls_tests.c 
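Review bot: In the Linux branch of closefrom(), a failing getdents64() (len < 0, for instance EINVAL when an entry does not fit the single-entry-sized buffer) leaves the while loop silently and the function returns right after `close(dir_fd);` having closed nothing, without reaching the brute-force fallback below; only a clean end of directory should return early, e.g. `if (len == 0) { close(dir_fd); return; }` followed by a plain `close(dir_fd);` so a failed read falls through to the sysconf(_SC_OPEN_MAX) loop. The opendir() branch has the same shape, since readdir() returns NULL both at end of stream and on error unless errno is checked. The Linux branch also opens the literal "/proc/self/fd" while the other branch uses the FD_DIR macro introduced for it in the include hunk above; using the macro in both keeps them from drifting apart. closefrom()'s closing brace lies outside the hunk.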
@@ -25,8 +25,8 @@ static test_configuration_t tests[] = { #define TEST_SUITE(x) \ { .suite = x, }, -#define TEST_SUITE_DEPEND(x, type, args) \ - { .suite = x, .feature = PLUGIN_DEPENDS(type, args) }, +#define TEST_SUITE_DEPEND(x, type, ...) \ + { .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) }, #include "tls_tests.h" { .suite = NULL, } }; diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c index 30e505246..67c33ee63 100644 --- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c +++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c @@ -729,7 +729,9 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, list = linked_list_create(); tnccs = entry->tnccs; - peer_id = tnccs->tls.get_peer_id(&tnccs->tls); + peer_id = tnccs->tls.is_server(&tnccs->tls) ? + tnccs->tls.get_peer_id(&tnccs->tls) : + tnccs->tls.get_server_id(&tnccs->tls); if (peer_id) { switch (peer_id->get_type(peer_id)) @@ -771,7 +773,9 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, } } - peer_ip = tnccs->get_peer_ip(tnccs); + peer_ip = tnccs->tls.is_server(&tnccs->tls) ? + tnccs->get_peer_ip(tnccs) : + tnccs->get_server_ip(tnccs); if (peer_ip) { switch (peer_ip->get_family(peer_ip)) diff --git a/src/libtncif/tncif_pa_subtypes.c b/src/libtncif/tncif_pa_subtypes.c index bf1e999b3..d83c3255d 100644 --- a/src/libtncif/tncif_pa_subtypes.c +++ b/src/libtncif/tncif_pa_subtypes.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2011 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * * HSR Hochschule fuer Technik Rapperswil * @@ -16,6 +16,7 @@ #include "tncif_pa_subtypes.h" +/* IETF PA Subtype names */ ENUM_BEGIN(pa_subtype_ietf_names, PA_SUBTYPE_IETF_TESTING, PA_SUBTYPE_IETF_NEA_CLIENT, "Testing", "Operating System", 
@@ -33,6 +34,7 @@ ENUM_NEXT(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY, PA_SUBTYPE_IETF_ANY, ); ENUM_END(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY); +/* TCG PA Subtype names */ ENUM_BEGIN(pa_subtype_tcg_names, PA_SUBTYPE_TCG_PTS, PA_SUBTYPE_TCG_SWID, "PTS", "SCAP", @@ -44,6 +46,56 @@ ENUM_NEXT(pa_subtype_tcg_names, PA_SUBTYPE_TCG_ANY, PA_SUBTYPE_TCG_ANY, ); ENUM_END(pa_subtype_tcg_names, PA_SUBTYPE_TCG_ANY); +/* PWG PA Subtype names */ +ENUM_BEGIN(pa_subtype_pwg_names, PA_SUBTYPE_PWG_HCD_TESTING, + PA_SUBTYPE_PWG_HCD_UNKNOWN, + "HCD Testing", + "HCD Other", + "HCD Unknown" +); +ENUM_NEXT(pa_subtype_pwg_names, PA_SUBTYPE_PWG_HCD_CONSOLE, + PA_SUBTYPE_PWG_HCD_COVER, + PA_SUBTYPE_PWG_HCD_UNKNOWN, + "HCD Console", + "HCD System", + "HCD Cover" +); +ENUM_NEXT(pa_subtype_pwg_names, PA_SUBTYPE_PWG_HCD_INPUT_TRAY, + PA_SUBTYPE_PWG_HCD_MARKER, + PA_SUBTYPE_PWG_HCD_COVER, + "HCD Input Tray", + "HCD Output Tray", + "HCD Marker" +); +ENUM_NEXT(pa_subtype_pwg_names, PA_SUBTYPE_PWG_HCD_MEDIA_PATH, + PA_SUBTYPE_PWG_HCD_INTERPRETER, + PA_SUBTYPE_PWG_HCD_MARKER, + "HCD Media Path", + "HCD Channel", + "HCD Interpreter" +); +ENUM_NEXT(pa_subtype_pwg_names, PA_SUBTYPE_PWG_HCD_FINISHER, + PA_SUBTYPE_PWG_HCD_FINISHER, + PA_SUBTYPE_PWG_HCD_INTERPRETER, + "HCD Finisher" +); +ENUM_NEXT(pa_subtype_pwg_names, PA_SUBTYPE_PWG_HCD_INTERFACE, + PA_SUBTYPE_PWG_HCD_INTERFACE, + PA_SUBTYPE_PWG_HCD_FINISHER, + "HCD Interface" +); +ENUM_NEXT(pa_subtype_pwg_names, PA_SUBTYPE_PWG_HCD_SCANNER, + PA_SUBTYPE_PWG_HCD_SCANNER, + PA_SUBTYPE_PWG_HCD_INTERFACE, + "HCD Scanner" +); +ENUM_NEXT(pa_subtype_pwg_names, PA_SUBTYPE_PWG_ANY, PA_SUBTYPE_PWG_ANY, + PA_SUBTYPE_PWG_HCD_SCANNER, + "ANY" +); +ENUM_END(pa_subtype_pwg_names, PA_SUBTYPE_PWG_ANY); + +/* FHH PA Subtype names */ ENUM_BEGIN(pa_subtype_fhh_names, PA_SUBTYPE_FHH_HOSTSCANNER, PA_SUBTYPE_FHH_DUMMY, "HostScanner", "Dummy" 
@@ -63,6 +115,7 @@ ENUM_NEXT(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY, PA_SUBTYPE_FHH_ANY, ); ENUM_END(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY); +/* ITA-HSR PA Subtype names */ ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_ECHO, "Test", "Echo" @@ -84,6 +137,8 @@ enum_name_t* get_pa_subtype_names(pen_t pen) return pa_subtype_ietf_names; case PEN_TCG: return pa_subtype_tcg_names; + case PEN_PWG: + return pa_subtype_pwg_names; case PEN_FHH: return pa_subtype_fhh_names; case PEN_ITA: diff --git a/src/libtncif/tncif_pa_subtypes.h b/src/libtncif/tncif_pa_subtypes.h index 0855d1df3..d6dcad025 100644 --- a/src/libtncif/tncif_pa_subtypes.h +++ b/src/libtncif/tncif_pa_subtypes.h @@ -1,5 +1,6 @@ /* - * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * Copyright (C) 2011-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -22,6 +23,7 @@ typedef enum pa_subtype_ietf_t pa_subtype_ietf_t; typedef enum pa_subtype_tcg_t pa_subtype_tcg_t; +typedef enum pa_subtype_pwg_t pa_subtype_pwg_t; typedef enum pa_subtype_fhh_t pa_subtype_fhh_t; typedef enum pa_subtype_ita_t pa_subtype_ita_t; 
@@ -64,6 +66,33 @@ extern enum_name_t *pa_subtype_ietf_names; */ extern enum_name_t *pa_subtype_tcg_names; +/** + * PA-TNC PWG Subtypes + */ + enum pa_subtype_pwg_t { + PA_SUBTYPE_PWG_HCD_TESTING = 0x00, + PA_SUBTYPE_PWG_HCD_OTHER = 0x01, + PA_SUBTYPE_PWG_HCD_UNKNOWN = 0x02, + PA_SUBTYPE_PWG_HCD_CONSOLE = 0x04, + PA_SUBTYPE_PWG_HCD_SYSTEM = 0x05, + PA_SUBTYPE_PWG_HCD_COVER = 0x06, + PA_SUBTYPE_PWG_HCD_INPUT_TRAY = 0x08, + PA_SUBTYPE_PWG_HCD_OUTPUT_TRAY = 0x09, + PA_SUBTYPE_PWG_HCD_MARKER = 0x0a, + PA_SUBTYPE_PWG_HCD_MEDIA_PATH = 0x0d, + PA_SUBTYPE_PWG_HCD_CHANNEL = 0x0e, + PA_SUBTYPE_PWG_HCD_INTERPRETER = 0x0f, + PA_SUBTYPE_PWG_HCD_FINISHER = 0x1e, + PA_SUBTYPE_PWG_HCD_INTERFACE = 0x28, + PA_SUBTYPE_PWG_HCD_SCANNER = 0x32, + PA_SUBTYPE_PWG_ANY = 0xff +}; + +/** + * enum name for pa_subtype_pwg_t. + */ +extern enum_name_t *pa_subtype_pwg_names; + /** * PA-TNC FHH Subtypes */ diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am index ab407e021..a3da0ab04 100644 --- a/src/pki/Makefile.am +++ b/src/pki/Makefile.am @@ -3,17 +3,18 @@ SUBDIRS = man bin_PROGRAMS = pki pki_SOURCES = pki.c pki.h command.c command.h \ + commands/acert.c \ + commands/dn.c \ commands/gen.c \ commands/issue.c \ commands/keyid.c \ + commands/pkcs12.c \ + commands/pkcs7.c \ + commands/print.c \ commands/pub.c \ commands/req.c \ commands/self.c \ - commands/print.c \ commands/signcrl.c \ - commands/acert.c \ - commands/pkcs7.c \ - commands/pkcs12.c \ commands/verify.c pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 4205469fc..b4829f777 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in 
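Review bot: The opening line of the new enum, ` enum pa_subtype_pwg_t {`, carries a leading space that the typedef lines and the other declarations in this header do not; drop it for consistency. The values are non-contiguous (0x02 to 0x04, 0x0a to 0x0d, 0x0f to 0x1e, 0x1e to 0x28, 0x28 to 0x32, 0x32 to 0xff), which is why the name table in tncif_pa_subtypes.c needs eight ENUM_BEGIN/ENUM_NEXT segments; a comment above the enum such as `/* values are not contiguous, see the segmented ENUM_NEXT table in tncif_pa_subtypes.c */` would spare the next maintainer from re-deriving that. The doc block "PA-TNC PWG Subtypes" could also name the PWG document the values are taken from, if the author has it at hand.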
@@ -103,12 +103,13 @@ am__installdirs = "$(DESTDIR)$(bindir)" PROGRAMS = $(bin_PROGRAMS) am__dirstamp = $(am__leading_dot)dirstamp am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \ + commands/acert.$(OBJEXT) commands/dn.$(OBJEXT) \ commands/gen.$(OBJEXT) commands/issue.$(OBJEXT) \ - commands/keyid.$(OBJEXT) commands/pub.$(OBJEXT) \ - commands/req.$(OBJEXT) commands/self.$(OBJEXT) \ - commands/print.$(OBJEXT) commands/signcrl.$(OBJEXT) \ - commands/acert.$(OBJEXT) commands/pkcs7.$(OBJEXT) \ - commands/pkcs12.$(OBJEXT) commands/verify.$(OBJEXT) + commands/keyid.$(OBJEXT) commands/pkcs12.$(OBJEXT) \ + commands/pkcs7.$(OBJEXT) commands/print.$(OBJEXT) \ + commands/pub.$(OBJEXT) commands/req.$(OBJEXT) \ + commands/self.$(OBJEXT) commands/signcrl.$(OBJEXT) \ + commands/verify.$(OBJEXT) pki_OBJECTS = $(am_pki_OBJECTS) pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la AM_V_lt = $(am__v_lt_@AM_V@) @@ -445,17 +446,18 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ SUBDIRS = man pki_SOURCES = pki.c pki.h command.c command.h \ + commands/acert.c \ + commands/dn.c \ commands/gen.c \ commands/issue.c \ commands/keyid.c \ + commands/pkcs12.c \ + commands/pkcs7.c \ + commands/print.c \ commands/pub.c \ commands/req.c \ commands/self.c \ - commands/print.c \ commands/signcrl.c \ - commands/acert.c \ - commands/pkcs7.c \ - commands/pkcs12.c \ commands/verify.c pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la 
@@ -552,27 +554,29 @@ commands/$(am__dirstamp): commands/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) commands/$(DEPDIR) @: > commands/$(DEPDIR)/$(am__dirstamp) +commands/acert.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) +commands/dn.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/gen.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/issue.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/keyid.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) -commands/pub.$(OBJEXT): commands/$(am__dirstamp) \ - commands/$(DEPDIR)/$(am__dirstamp) -commands/req.$(OBJEXT): commands/$(am__dirstamp) \ +commands/pkcs12.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) -commands/self.$(OBJEXT): commands/$(am__dirstamp) \ +commands/pkcs7.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/print.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) -commands/signcrl.$(OBJEXT): commands/$(am__dirstamp) \ +commands/pub.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) -commands/acert.$(OBJEXT): commands/$(am__dirstamp) \ +commands/req.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) -commands/pkcs7.$(OBJEXT): commands/$(am__dirstamp) \ +commands/self.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) -commands/pkcs12.$(OBJEXT): commands/$(am__dirstamp) \ +commands/signcrl.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/verify.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) 
@@ -591,6 +595,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/command.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/acert.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/dn.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/gen.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/issue.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/keyid.Po@am__quote@
diff --git a/src/pki/command.h b/src/pki/command.h
index d49adda09..e55c579e4 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -24,7 +24,7 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 13
+#define MAX_COMMANDS 14
 
 /**
  * Maximum number of options in a command (+3)
diff --git a/src/pki/commands/dn.c b/src/pki/commands/dn.c
new file mode 100644
index 000000000..75585fc16
--- /dev/null
+++ b/src/pki/commands/dn.c
@@ -0,0 +1,146 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pki.h" + +#include + +#include + +/** + * Extract subject DN + */ +static int dn() +{ + identification_t *id; + certificate_t *cert; + chunk_t chunk; + enum { + FORMAT_CONFIG, + FORMAT_HEX, + FORMAT_BASE64, + FORMAT_BINARY, + } format = FORMAT_CONFIG; + char *arg, *file = NULL, *fmt; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 'f': + if (streq(arg, "hex")) + { + format = FORMAT_HEX; + } + else if (streq(arg, "base64")) + { + format = FORMAT_BASE64; + } + else if (streq(arg, "bin")) + { + format = FORMAT_BINARY; + } + else if (!streq(arg, "config")) + { + return command_usage( "invalid output format"); + } + continue; + case 'i': + file = arg; + continue; + case EOF: + break; + default: + return command_usage("invalid --print option"); + } + break; + } + if (file) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, BUILD_END); + } + else + { + chunk_t chunk; + + set_file_mode(stdin, CERT_ASN1_DER); + if (!chunk_from_fd(0, &chunk)) + { + fprintf(stderr, "reading input failed: %s\n", strerror(errno)); + return 1; + } + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB, chunk, BUILD_END); + free(chunk.ptr); + } + if (!cert) + { + fprintf(stderr, "parsing input failed\n"); + return 1; + } + id = 
cert->get_subject(cert); + if (!id) + { + fprintf(stderr, "failed to get certificate's subject DN\n"); + cert->destroy(cert); + return 1; + } + fmt = "%.*s\n"; + switch (format) + { + case FORMAT_CONFIG: + fmt = "\"asn1dn:#%.*s\"\n"; + /* fall-through */ + case FORMAT_HEX: + chunk = chunk_to_hex(id->get_encoding(id), NULL, FALSE); + printf(fmt, (int)chunk.len, chunk.ptr); + chunk_free(&chunk); + break; + case FORMAT_BASE64: + chunk = chunk_to_base64(id->get_encoding(id), NULL); + printf(fmt, (int)chunk.len, chunk.ptr); + chunk_free(&chunk); + break; + case FORMAT_BINARY: + chunk = id->get_encoding(id); + if (fwrite(chunk.ptr, chunk.len, 1, stdout) != 1) + { + fprintf(stderr, "writing subject DN failed\n"); + } + break; + } + cert->destroy(cert); + return 0; +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) + { dn, 'd', "dn", + "extract the subject DN of an X.509 certificate", + {"[--in file] [--format config|hex|base64|bin]"}, + { + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "input file, default: stdin"}, + {"format", 'f', 1, "output format, default: config"}, + } + }); +} diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 6a2d09d78..2dc9fcce3 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -64,6 +64,8 @@ static int issue() certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL; private_key_t *private = NULL; public_key_t *public = NULL; + credential_type_t type = CRED_PUBLIC_KEY; + key_type_t subtype = KEY_ANY; bool pkcs10 = FALSE; char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL; char *error = NULL, *keyid = NULL; 
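Review bot: In dn(), the FORMAT_BINARY branch reports a failed fwrite() to stderr but still falls through to `return 0;`, so a truncated write of the DN exits successfully; add `cert->destroy(cert); return 1;` inside that `if`. The default branch of the option switch reports `"invalid --print option"`, copied from the print command, and should read `return command_usage("invalid --dn option");`. The inner `chunk_t chunk;` in the stdin branch shadows the function-level variable of the same name; one of the two should go. The man page added in this commit (pki---dn.1.in) documents the short form of --format as `-t`, while the command registers it as `{"format", 'f', 1, ...}`; the two need to agree.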
@@ -100,6 +102,21 @@ static int issue() { pkcs10 = TRUE; } + else if (streq(arg, "rsa")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_RSA; + } + else if (streq(arg, "ecdsa")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ECDSA; + } + else if (streq(arg, "bliss")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_BLISS; + } else if (!streq(arg, "pub")) { error = "invalid input type"; @@ -447,10 +464,10 @@ static int issue() } else { - DBG2(DBG_LIB, "Reading public key:"); + DBG2(DBG_LIB, "Reading key:"); if (file) { - public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + public = lib->creds->create(lib->creds, type, subtype, BUILD_FROM_FILE, file, BUILD_END); } else @@ -460,13 +477,19 @@ static int issue() if (!chunk_from_fd(0, &chunk)) { fprintf(stderr, "%s: ", strerror(errno)); - error = "reading public key failed"; + error = "reading key failed"; goto end; } - public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + public = lib->creds->create(lib->creds, type, subtype, BUILD_BLOB, chunk, BUILD_END); free(chunk.ptr); } + if (public && type == CRED_PRIVATE_KEY) + { + private_key_t *priv = (private_key_t*)public; + public = priv->get_public_key(priv); + priv->destroy(priv); + } } if (!public) { @@ -557,7 +580,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { issue, 'i', "issue", "issue a certificate using a CA certificate and key", - {"[--in file] [--type pub|pkcs10] --cakey file|--cakeyid hex", + {"[--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex", " --cacert file [--dn subject-dn] [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--pathlen len]", "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+", 
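Review bot: The private-key handling added after the key is read stores a private_key_t returned by lib->creds->create() in `public` (declared public_key_t *) and then casts it back with `private_key_t *priv = (private_key_t*)public;`; reading into a separate `private_key_t *priv` local when type is CRED_PRIVATE_KEY and assigning `public` only from `priv->get_public_key(priv)` avoids the type pun and makes the ownership hand-off obvious. The usage string and the --type parsing in the first hunk accept `bliss`, but the pki---issue.1.in hunk in this commit lists only pub, rsa, ecdsa and pkcs10; add bliss there. issue()'s body extends beyond these hunks.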
@@ -568,7 +591,7 @@ static void __attribute__ ((constructor))reg() "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, - {"in", 'i', 1, "public key/request file to issue, default: stdin"}, + {"in", 'i', 1, "key/request file to issue, default: stdin"}, {"type", 't', 1, "type of input, default: pub"}, {"cacert", 'c', 1, "CA certificate file"}, {"cakey", 'k', 1, "CA private key file"}, diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am index 4c901ae3c..fc9440031 100644 --- a/src/pki/man/Makefile.am +++ b/src/pki/man/Makefile.am @@ -1,15 +1,16 @@ man1_MANS = \ pki.1 \ + pki---acert.1 \ + pki---dn.1 \ pki---gen.1 \ - pki---self.1 \ pki---issue.1 \ - pki---signcrl.1 \ - pki---acert.1 \ - pki---req.1 \ - pki---pkcs7.1 \ pki---keyid.1 \ + pki---pkcs7.1 \ pki---print.1 \ pki---pub.1 \ + pki---req.1 \ + pki---self.1 \ + pki---signcrl.1 \ pki---verify.1 CLEANFILES = $(man1_MANS) diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in index 45355bacd..62942d108 100644 --- a/src/pki/man/Makefile.in +++ b/src/pki/man/Makefile.in @@ -79,13 +79,13 @@ build_triplet = @build@ host_triplet = @host@ subdir = src/pki/man DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/pki.1.in $(srcdir)/pki---gen.1.in \ + $(srcdir)/pki.1.in $(srcdir)/pki---acert.1.in \ + $(srcdir)/pki---dn.1.in $(srcdir)/pki---gen.1.in \ $(srcdir)/pki---issue.1.in $(srcdir)/pki---keyid.1.in \ - $(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---pkcs12.1.in \ + $(srcdir)/pki---pkcs12.1.in $(srcdir)/pki---pkcs7.1.in \ $(srcdir)/pki---print.1.in $(srcdir)/pki---pub.1.in \ $(srcdir)/pki---req.1.in $(srcdir)/pki---self.1.in \ - $(srcdir)/pki---signcrl.1.in $(srcdir)/pki---acert.1.in \ - $(srcdir)/pki---verify.1.in + $(srcdir)/pki---signcrl.1.in $(srcdir)/pki---verify.1.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -101,10 +101,10 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = pki.1 pki---gen.1 pki---issue.1 pki---keyid.1 \ - pki---pkcs7.1 pki---pkcs12.1 pki---print.1 pki---pub.1 \ - pki---req.1 pki---self.1 pki---signcrl.1 pki---acert.1 \ - pki---verify.1 +CONFIG_CLEAN_FILES = pki.1 pki---acert.1 pki---dn.1 pki---gen.1 \ + pki---issue.1 pki---keyid.1 pki---pkcs12.1 pki---pkcs7.1 \ + pki---print.1 pki---pub.1 pki---req.1 pki---self.1 \ + pki---signcrl.1 pki---verify.1 CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) @@ -385,16 +385,17 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ man1_MANS = \ pki.1 \ + pki---acert.1 \ + pki---dn.1 \ pki---gen.1 \ - pki---self.1 \ pki---issue.1 \ - pki---signcrl.1 \ - pki---acert.1 \ - pki---req.1 \ - pki---pkcs7.1 \ pki---keyid.1 \ + pki---pkcs7.1 \ pki---print.1 \ pki---pub.1 \ + pki---req.1 \ + pki---self.1 \ + pki---signcrl.1 \ pki---verify.1 CLEANFILES = $(man1_MANS) 
@@ -433,16 +434,20 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) $(am__aclocal_m4_deps): pki.1: $(top_builddir)/config.status $(srcdir)/pki.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +pki---acert.1: $(top_builddir)/config.status $(srcdir)/pki---acert.1.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +pki---dn.1: $(top_builddir)/config.status $(srcdir)/pki---dn.1.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---gen.1: $(top_builddir)/config.status $(srcdir)/pki---gen.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---issue.1: $(top_builddir)/config.status $(srcdir)/pki---issue.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---keyid.1: $(top_builddir)/config.status $(srcdir)/pki---keyid.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ -pki---pkcs7.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs7.1.in - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---pkcs12.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs12.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +pki---pkcs7.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs7.1.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---print.1: $(top_builddir)/config.status $(srcdir)/pki---print.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---pub.1: $(top_builddir)/config.status $(srcdir)/pki---pub.1.in 
@@ -453,8 +458,6 @@ pki---self.1: $(top_builddir)/config.status $(srcdir)/pki---self.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---signcrl.1: $(top_builddir)/config.status $(srcdir)/pki---signcrl.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ -pki---acert.1: $(top_builddir)/config.status $(srcdir)/pki---acert.1.in - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---verify.1: $(top_builddir)/config.status $(srcdir)/pki---verify.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ diff --git a/src/pki/man/pki---dn.1.in b/src/pki/man/pki---dn.1.in new file mode 100644 index 000000000..ce1210fdb --- /dev/null +++ b/src/pki/man/pki---dn.1.in 
@@ -0,0 +1,56 @@ +.TH "PKI \-\-DN" 1 "2015-08-06" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-dn \- Extract the subject DN of an X.509 certificate +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-dn +.OP \-\-in file +.OP \-\-format format +.OP \-\-debug level +.YS +. +.SY pki\ \-\-dn +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-dn" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +extracts the ASN.1-encoded subject DistinguishedName (DN) of an X.509 +certificate and exports it in different formats. This may be useful when +strongSwan's identity parser is unable to produce the correct binary encoding +from a string. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-i, \-\-in " file +Input file. If not given the input is read from \fISTDIN\fR. +.TP +.BI "\-t, \-\-format " format +Output format. One of \fIconfig\fR (strongSwan configuration compatible), +\fIhex\fR (hexadecimal encoding, no prefix), \fIbase64\fR (Base64 encoding, +no prefix), \fIbin\fR (raw binary data), defaults to \fIconfig\fR. +. +.SH "SEE ALSO" +. +.BR pki (1) diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in index 3a89059c8..20238b73d 100644 --- a/src/pki/man/pki---issue.1.in +++ b/src/pki/man/pki---issue.1.in 
@@ -67,8 +67,9 @@ Public key or PKCS#10 certificate request file to issue. If not given the key/request is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of the input. Either \fIpub\fR for a public key, or \fIpkcs10\fR for a -PKCS#10 certificate request, defaults to \fIpub\fR. +Type of the input. One of \fIpub\fR (public key), \fIrsa\fR (RSA private key), +\fIecdsa\fR (ECDSA private key), or \fIpkcs10\fR (PKCS#10 certificate request), +defaults to \fIpub\fR. .TP .BI "\-k, \-\-cakey " file CA private key file. Either this or diff --git a/src/pki/man/pki.1.in b/src/pki/man/pki.1.in index f347031b4..f1a2ae2c0 100644 --- a/src/pki/man/pki.1.in +++ b/src/pki/man/pki.1.in @@ -1,4 +1,4 @@ -.TH PKI 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +.TH PKI 1 "2015-08-06" "@PACKAGE_VERSION@" "strongSwan" . .SH "NAME" . @@ -64,6 +64,9 @@ Calculate key identifiers of a key or certificate. .B "\-a, \-\-print" Print a credential (key, certificate etc.) in human readable form. .TP +.B "\-d, \-\-dn" +Extract the subject DN of an X.509 certificate. +.TP .B "\-p, \-\-pub" Extract a public key from a private key or certificate. .TP @@ -156,5 +159,6 @@ certificates with the \-\-crl option. .BR pki\ \-\-pkcs7 (1), .BR pki\ \-\-keyid (1), .BR pki\ \-\-print (1), +.BR pki\ \-\-dn (1), .BR pki\ \-\-pub (1), .BR pki\ \-\-verify (1) diff --git a/src/starter/netkey.c b/src/starter/netkey.c index 2b500bab4..3eb6973a1 100644 --- a/src/starter/netkey.c +++ b/src/starter/netkey.c @@ -55,16 +55,3 @@ bool starter_netkey_init(void) DBG2(DBG_APP, "found netkey IPsec stack"); return TRUE; } - -void starter_netkey_cleanup(void) -{ - if (!lib->plugins->load(lib->plugins, - lib->settings->get_str(lib->settings, "starter.load", PLUGINS))) - { - DBG1(DBG_APP, "unable to load kernel plugins"); - return; - } - hydra->kernel_interface->flush_sas(hydra->kernel_interface); - hydra->kernel_interface->flush_policies(hydra->kernel_interface); - lib->plugins->unload(lib->plugins); -} 
diff --git a/src/starter/netkey.h b/src/starter/netkey.h index c12924174..bc71af2ed 100644 --- a/src/starter/netkey.h +++ b/src/starter/netkey.h @@ -16,7 +16,6 @@ #define _STARTER_NETKEY_H_ extern bool starter_netkey_init (void); -extern void starter_netkey_cleanup (void); #endif /* _STARTER_NETKEY_H_ */ diff --git a/src/starter/parser/conf_parser.h b/src/starter/parser/conf_parser.h index 20938201a..49131a0db 100644 --- a/src/starter/parser/conf_parser.h +++ b/src/starter/parser/conf_parser.h @@ -119,4 +119,4 @@ struct conf_parser_t { */ conf_parser_t *conf_parser_create(const char *file); -#endif /** CONF_PARSER_H_ @}*/ \ No newline at end of file +#endif /** CONF_PARSER_H_ @}*/ diff --git a/src/starter/parser/lexer.c b/src/starter/parser/lexer.c index cebf5a06c..a0937710e 100644 --- a/src/starter/parser/lexer.c +++ b/src/starter/parser/lexer.c @@ -456,8 +456,8 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner ); yyg->yy_c_buf_p = yy_cp; /* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */ -#define YY_NUM_RULES 29 -#define YY_END_OF_BUFFER 30 +#define YY_NUM_RULES 26 +#define YY_END_OF_BUFFER 27 /* This struct is not used in this scanner, but its presence is necessary. */ struct yy_trans_info 
@@ -465,17 +465,16 @@ struct yy_trans_info flex_int32_t yy_verify; flex_int32_t yy_nxt; }; -static yyconst flex_int16_t yy_accept[83] = +static yyconst flex_int16_t yy_accept[80] = { 0, - 0, 0, 0, 0, 0, 0, 30, 12, 3, 5, + 0, 0, 0, 0, 0, 0, 27, 12, 3, 5, 11, 4, 6, 12, 12, 2, 12, 12, 17, 13, - 14, 15, 28, 19, 18, 20, 12, 3, 4, 4, - 0, 12, 2, 0, 9, 12, 12, 17, 16, 28, - 27, 26, 27, 24, 25, 21, 22, 23, 12, 0, - 12, 12, 12, 0, 12, 8, 12, 12, 0, 12, - 12, 12, 0, 12, 12, 12, 0, 0, 12, 0, - 0, 0, 12, 0, 1, 10, 10, 0, 0, 0, - 7, 0 + 14, 15, 25, 18, 19, 12, 3, 4, 4, 0, + 12, 2, 0, 9, 12, 12, 17, 16, 25, 24, + 23, 24, 20, 21, 22, 12, 0, 12, 12, 12, + 0, 12, 8, 12, 12, 0, 12, 12, 12, 0, + 12, 12, 12, 0, 0, 12, 0, 0, 0, 12, + 0, 1, 10, 10, 0, 0, 0, 7, 0 } ; static yyconst flex_int32_t yy_ec[256] = @@ -489,11 +488,11 @@ static yyconst flex_int32_t yy_ec[256] = 8, 1, 1, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 10, 1, 1, 1, 1, 11, 12, 13, 14, + 1, 10, 1, 1, 1, 1, 11, 1, 12, 13, - 15, 16, 17, 1, 18, 1, 1, 19, 1, 20, - 21, 22, 1, 23, 24, 25, 26, 27, 1, 1, - 1, 1, 1, 1, 28, 1, 1, 1, 1, 1, + 14, 15, 16, 1, 17, 1, 1, 18, 1, 19, + 20, 21, 1, 22, 23, 24, 25, 26, 1, 1, + 1, 1, 1, 1, 27, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 
@@ -510,110 +509,106 @@ static yyconst flex_int32_t yy_ec[256] = 1, 1, 1, 1, 1 } ; -static yyconst flex_int32_t yy_meta[29] = +static yyconst flex_int32_t yy_meta[28] = { 0, 1, 2, 3, 1, 2, 4, 2, 5, 1, 6, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1 + 1, 1, 1, 1, 1, 1, 1 } ; -static yyconst flex_int16_t yy_base[94] = +static yyconst flex_int16_t yy_base[91] = { 0, - 0, 17, 43, 52, 7, 26, 102, 0, 9, 189, - 189, 0, 189, 93, 79, 36, 10, 83, 0, 189, - 189, 59, 0, 189, 189, 85, 0, 32, 0, 0, - 0, 83, 65, 80, 0, 74, 70, 0, 189, 0, - 189, 189, 88, 189, 189, 189, 189, 189, 71, 63, - 31, 61, 58, 59, 64, 0, 63, 66, 61, 61, - 56, 60, 53, 64, 41, 10, 40, 32, 109, 66, - 49, 27, 116, 37, 189, 189, 71, 8, 2, 5, - 189, 189, 124, 130, 136, 142, 148, 154, 159, 164, - 170, 176, 182 - + 0, 16, 41, 50, 4, 5, 101, 0, 24, 184, + 184, 0, 184, 92, 79, 32, 16, 83, 0, 184, + 184, 56, 0, 184, 81, 0, 33, 0, 0, 0, + 84, 62, 81, 0, 75, 71, 0, 184, 0, 184, + 184, 89, 184, 184, 184, 73, 68, 1, 66, 62, + 63, 65, 0, 64, 67, 62, 62, 57, 62, 55, + 67, 47, 63, 40, 31, 104, 68, 47, 35, 111, + 42, 184, 184, 69, 17, 7, 9, 184, 184, 119, + 125, 131, 137, 143, 149, 154, 159, 165, 171, 177 } ; -static yyconst flex_int16_t yy_def[94] = +static yyconst flex_int16_t yy_def[91] = { 0, - 83, 83, 84, 84, 85, 85, 82, 86, 82, 82, - 82, 87, 82, 86, 86, 82, 86, 86, 88, 82, - 82, 82, 89, 82, 82, 90, 86, 82, 87, 87, - 86, 86, 82, 82, 86, 86, 86, 88, 82, 89, - 82, 82, 82, 82, 82, 82, 82, 82, 86, 82, - 86, 86, 86, 82, 86, 86, 86, 86, 82, 86, - 86, 86, 82, 86, 86, 86, 82, 82, 91, 92, - 93, 82, 91, 93, 82, 82, 92, 82, 82, 82, - 82, 0, 82, 82, 82, 82, 82, 82, 82, 82, - 82, 82, 82 - + 80, 80, 81, 81, 82, 82, 79, 83, 79, 79, + 79, 84, 79, 83, 83, 79, 83, 83, 85, 79, + 79, 79, 86, 79, 87, 83, 79, 84, 84, 83, + 83, 79, 79, 83, 83, 83, 85, 79, 86, 79, + 79, 79, 79, 79, 79, 83, 79, 83, 83, 83, + 79, 83, 83, 83, 83, 79, 83, 83, 83, 79, + 83, 83, 83, 79, 79, 88, 89, 90, 79, 88, + 90, 79, 79, 89, 79, 79, 79, 79, 0, 79, + 79, 
79, 79, 79, 79, 79, 79, 79, 79, 79 } ; -static yyconst flex_int16_t yy_nxt[218] = +static yyconst flex_int16_t yy_nxt[212] = { 0, - 82, 9, 10, 82, 9, 11, 12, 13, 14, 24, - 28, 70, 25, 28, 70, 29, 26, 15, 16, 10, - 35, 16, 11, 12, 13, 14, 81, 80, 24, 17, - 36, 25, 79, 28, 15, 26, 28, 33, 29, 75, - 33, 78, 29, 18, 20, 20, 55, 20, 21, 20, - 56, 75, 22, 20, 20, 72, 20, 21, 20, 71, - 69, 22, 34, 39, 39, 39, 33, 77, 68, 33, - 77, 29, 77, 67, 66, 77, 65, 64, 63, 62, - 61, 60, 59, 58, 57, 54, 39, 42, 43, 53, - 42, 34, 52, 51, 50, 49, 44, 37, 32, 31, - - 45, 82, 82, 82, 46, 82, 82, 47, 82, 48, - 74, 75, 82, 74, 74, 74, 74, 74, 75, 82, - 74, 74, 74, 74, 8, 8, 8, 8, 8, 8, - 19, 19, 19, 19, 19, 19, 23, 23, 23, 23, - 23, 23, 27, 82, 82, 82, 82, 27, 30, 30, - 82, 30, 30, 30, 38, 82, 82, 82, 38, 40, - 40, 82, 82, 40, 41, 41, 41, 41, 41, 41, - 73, 73, 73, 73, 73, 73, 76, 76, 76, 76, - 82, 76, 74, 74, 74, 74, 74, 74, 7, 82, - 82, 82, 82, 82, 82, 82, 82, 82, 82, 82, - - 82, 82, 82, 82, 82, 82, 82, 82, 82, 82, - 82, 82, 82, 82, 82, 82, 82 + 79, 9, 10, 79, 9, 11, 12, 13, 14, 24, + 24, 79, 79, 25, 25, 52, 15, 16, 10, 53, + 16, 11, 12, 13, 14, 27, 34, 17, 27, 78, + 28, 77, 15, 32, 27, 35, 32, 27, 28, 28, + 76, 18, 20, 20, 72, 20, 21, 20, 75, 72, + 22, 20, 20, 69, 20, 21, 20, 33, 68, 22, + 38, 38, 38, 32, 67, 66, 32, 67, 28, 74, + 74, 65, 74, 74, 64, 63, 62, 61, 60, 59, + 58, 57, 38, 41, 42, 56, 55, 33, 54, 51, + 50, 41, 49, 48, 47, 46, 36, 31, 30, 43, + + 79, 79, 44, 79, 45, 71, 72, 79, 71, 71, + 71, 71, 71, 72, 79, 71, 71, 71, 71, 8, + 8, 8, 8, 8, 8, 19, 19, 19, 19, 19, + 19, 23, 23, 23, 23, 23, 23, 26, 79, 79, + 79, 79, 26, 29, 29, 79, 29, 29, 29, 37, + 79, 79, 79, 37, 39, 39, 39, 79, 39, 40, + 40, 40, 40, 40, 40, 70, 70, 70, 70, 70, + 70, 73, 73, 73, 73, 79, 73, 71, 71, 71, + 71, 71, 71, 7, 79, 79, 79, 79, 79, 79, + 79, 79, 79, 79, 79, 79, 79, 79, 79, 79, + + 79, 79, 79, 79, 79, 79, 79, 79, 79, 79, + 79 } ; -static yyconst flex_int16_t yy_chk[218] = +static yyconst flex_int16_t 
yy_chk[212] = { 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 5, - 9, 66, 5, 9, 66, 9, 5, 1, 2, 2, - 17, 2, 2, 2, 2, 2, 80, 79, 6, 2, - 17, 6, 78, 28, 2, 6, 28, 16, 28, 74, - 16, 72, 16, 2, 3, 3, 51, 3, 3, 3, - 51, 71, 3, 4, 4, 68, 4, 4, 4, 67, - 65, 4, 16, 22, 22, 22, 33, 70, 64, 33, - 70, 33, 77, 63, 62, 77, 61, 60, 59, 58, - 57, 55, 54, 53, 52, 50, 22, 26, 26, 49, - 43, 33, 37, 36, 34, 32, 26, 18, 15, 14, - - 26, 7, 0, 0, 26, 0, 0, 26, 0, 26, - 69, 69, 0, 69, 69, 69, 69, 73, 73, 0, - 73, 73, 73, 73, 83, 83, 83, 83, 83, 83, - 84, 84, 84, 84, 84, 84, 85, 85, 85, 85, - 85, 85, 86, 0, 0, 0, 0, 86, 87, 87, - 0, 87, 87, 87, 88, 0, 0, 0, 88, 89, - 89, 0, 0, 89, 90, 90, 90, 90, 90, 90, - 91, 91, 91, 91, 91, 91, 92, 92, 92, 92, - 0, 92, 93, 93, 93, 93, 93, 93, 82, 82, - 82, 82, 82, 82, 82, 82, 82, 82, 82, 82, - - 82, 82, 82, 82, 82, 82, 82, 82, 82, 82, - 82, 82, 82, 82, 82, 82, 82 + 6, 0, 0, 5, 6, 48, 1, 2, 2, 48, + 2, 2, 2, 2, 2, 9, 17, 2, 9, 77, + 9, 76, 2, 16, 27, 17, 16, 27, 16, 27, + 75, 2, 3, 3, 71, 3, 3, 3, 69, 68, + 3, 4, 4, 65, 4, 4, 4, 16, 64, 4, + 22, 22, 22, 32, 63, 62, 32, 63, 32, 67, + 74, 61, 67, 74, 60, 59, 58, 57, 56, 55, + 54, 52, 22, 25, 25, 51, 50, 32, 49, 47, + 46, 42, 36, 35, 33, 31, 18, 15, 14, 25, + + 7, 0, 25, 0, 25, 66, 66, 0, 66, 66, + 66, 66, 70, 70, 0, 70, 70, 70, 70, 80, + 80, 80, 80, 80, 80, 81, 81, 81, 81, 81, + 81, 82, 82, 82, 82, 82, 82, 83, 0, 0, + 0, 0, 83, 84, 84, 0, 84, 84, 84, 85, + 0, 0, 0, 85, 86, 86, 86, 0, 86, 87, + 87, 87, 87, 87, 87, 88, 88, 88, 88, 88, + 88, 89, 89, 89, 89, 0, 89, 90, 90, 90, + 90, 90, 90, 79, 79, 79, 79, 79, 79, 79, + 79, 79, 79, 79, 79, 79, 79, 79, 79, 79, + + 79, 79, 79, 79, 79, 79, 79, 79, 79, 79, + 79 } ; /* Table of booleans, true if rule could match eol. 
*/ -static yyconst flex_int32_t yy_rule_can_match_eol[30] = +static yyconst flex_int32_t yy_rule_can_match_eol[27] = { 0, -0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, - 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, }; +0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 1, 0, 1, 0, }; -static yyconst flex_int16_t yy_rule_linenum[29] = +static yyconst flex_int16_t yy_rule_linenum[26] = { 0, 60, 61, 62, 63, 65, 67, 68, 69, 70, 72, - 77, 82, 90, 109, 112, 115, 118, 124, 126, 127, - 150, 151, 152, 153, 154, 155, 156, 157 + 77, 82, 90, 109, 112, 115, 118, 124, 126, 145, + 146, 147, 148, 149, 150 } ; /* The intent behind this definition is that it'll catch @@ -662,7 +657,7 @@ static void include_files(parser_helper_t *ctx); /* state used to scan quoted strings */ -#line 666 "parser/lexer.c" +#line 661 "parser/lexer.c" #define INITIAL 0 #define inc 1 @@ -977,7 +972,7 @@ YY_DECL #line 58 "parser/lexer.l" -#line 981 "parser/lexer.c" +#line 976 "parser/lexer.c" yylval = yylval_param; @@ -1043,13 +1038,13 @@ yy_match: while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 83 ) + if ( yy_current_state >= 80 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; ++yy_cp; } - while ( yy_base[yy_current_state] != 189 ); + while ( yy_base[yy_current_state] != 184 ); yy_find_action: /* %% [10.0] code to find the action number goes here */ 
@@ -1084,13 +1079,13 @@ do_action: /* This label is used only to access EOF actions. */ { if ( yy_act == 0 ) fprintf( stderr, "--scanner backing up\n" ); - else if ( yy_act < 29 ) + else if ( yy_act < 26 ) fprintf( stderr, "--accepting rule at line %ld (\"%s\")\n", (long)yy_rule_linenum[yy_act], yytext ); - else if ( yy_act == 29 ) + else if ( yy_act == 26 ) fprintf( stderr, "--accepting default rule (\"%s\")\n", yytext ); - else if ( yy_act == 30 ) + else if ( yy_act == 27 ) fprintf( stderr, "--(end of buffer or a NUL)\n" ); else fprintf( stderr, "--EOF (start condition %d)\n", YY_START ); @@ -1246,21 +1241,13 @@ case 18: case YY_STATE_EOF(str): #line 125 "parser/lexer.l" case 19: -/* rule 19 can match eol */ -#line 127 "parser/lexer.l" -case 20: -/* rule 20 can match eol */ YY_RULE_SETUP -#line 127 "parser/lexer.l" +#line 126 "parser/lexer.l" { if (!streq(yytext, "\"")) { - if (streq(yytext, "\n")) - { /* put the newline back to fix the line numbers */ - unput('\n'); - yy_set_bol(0); - } PARSER_DBG1(yyextra, "unterminated string detected"); + return STRING_ERROR; } if (yy_top_state(yyscanner) == inc) { /* string include */ 
@@ -1276,52 +1263,43 @@ YY_RULE_SETUP } } YY_BREAK -case 21: +case 20: YY_RULE_SETUP -#line 150 "parser/lexer.l" +#line 145 "parser/lexer.l" yyextra->string_add(yyextra, "\n"); YY_BREAK -case 22: +case 21: YY_RULE_SETUP -#line 151 "parser/lexer.l" +#line 146 "parser/lexer.l" yyextra->string_add(yyextra, "\r"); YY_BREAK -case 23: +case 22: YY_RULE_SETUP -#line 152 "parser/lexer.l" +#line 147 "parser/lexer.l" yyextra->string_add(yyextra, "\t"); YY_BREAK -case 24: -YY_RULE_SETUP -#line 153 "parser/lexer.l" -yyextra->string_add(yyextra, "\b"); - YY_BREAK -case 25: -YY_RULE_SETUP -#line 154 "parser/lexer.l" -yyextra->string_add(yyextra, "\f"); - YY_BREAK -case 26: -/* rule 26 can match eol */ +case 23: +/* rule 23 can match eol */ YY_RULE_SETUP -#line 155 "parser/lexer.l" +#line 148 "parser/lexer.l" /* merge lines that end with EOL characters */ YY_BREAK -case 27: +case 24: YY_RULE_SETUP -#line 156 "parser/lexer.l" +#line 149 "parser/lexer.l" yyextra->string_add(yyextra, yytext+1); YY_BREAK -case 28: +case 25: +/* rule 25 can match eol */ YY_RULE_SETUP -#line 157 "parser/lexer.l" +#line 150 "parser/lexer.l" { yyextra->string_add(yyextra, yytext); } YY_BREAK case YY_STATE_EOF(INITIAL): -#line 162 "parser/lexer.l" +#line 155 "parser/lexer.l" { conf_parser_pop_buffer_state(yyscanner); if (!conf_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER) @@ -1330,12 +1308,12 @@ case YY_STATE_EOF(INITIAL): } } YY_BREAK -case 29: +case 26: YY_RULE_SETUP -#line 170 "parser/lexer.l" +#line 163 "parser/lexer.l" YY_FATAL_ERROR( "flex scanner jammed" ); YY_BREAK -#line 1339 "parser/lexer.c" +#line 1317 "parser/lexer.c" case YY_END_OF_BUFFER: { 
@@ -1649,7 +1627,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 83 ) + if ( yy_current_state >= 80 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; @@ -1683,11 +1661,11 @@ static int yy_get_next_buffer (yyscan_t yyscanner) while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state ) { yy_current_state = (int) yy_def[yy_current_state]; - if ( yy_current_state >= 83 ) + if ( yy_current_state >= 80 ) yy_c = yy_meta[(unsigned int) yy_c]; } yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c]; - yy_is_jam = (yy_current_state == 82); + yy_is_jam = (yy_current_state == 79); return yy_is_jam ? 0 : yy_current_state; } @@ -2705,7 +2683,7 @@ void conf_parser_free (void * ptr , yyscan_t yyscanner) /* %ok-for-header */ -#line 170 "parser/lexer.l" +#line 163 "parser/lexer.l" diff --git a/src/starter/parser/lexer.l b/src/starter/parser/lexer.l index d967e745b..f70658e68 100644 --- a/src/starter/parser/lexer.l +++ b/src/starter/parser/lexer.l @@ -123,16 +123,11 @@ static void include_files(parser_helper_t *ctx); { "\"" | <> | - \n | \\ { if (!streq(yytext, "\"")) { - if (streq(yytext, "\n")) - { /* put the newline back to fix the line numbers */ - unput('\n'); - yy_set_bol(0); - } PARSER_DBG1(yyextra, "unterminated string detected"); + return STRING_ERROR; } if (yy_top_state(yyscanner) == inc) { /* string include */ 
@@ -150,11 +145,9 @@ static void include_files(parser_helper_t *ctx); \\n yyextra->string_add(yyextra, "\n"); \\r yyextra->string_add(yyextra, "\r"); \\t yyextra->string_add(yyextra, "\t"); - \\b yyextra->string_add(yyextra, "\b"); - \\f yyextra->string_add(yyextra, "\f"); \\\r?\n /* merge lines that end with EOL characters */ \\. yyextra->string_add(yyextra, yytext+1); - [^\\\n"]+ { + [^\\"]+ { yyextra->string_add(yyextra, yytext); } } diff --git a/src/starter/parser/parser.c b/src/starter/parser/parser.c index 8cf3fe19e..41ab515cb 100644 --- a/src/starter/parser/parser.c +++ b/src/starter/parser/parser.c @@ -166,7 +166,8 @@ extern int conf_parser_debug; NEWLINE = 261, CONFIG_SETUP = 262, CONN = 263, - CA = 264 + CA = 264, + STRING_ERROR = 265 }; #endif /* Tokens. */ @@ -177,6 +178,7 @@ extern int conf_parser_debug; #define CONFIG_SETUP 262 #define CONN 263 #define CA 264 +#define STRING_ERROR 265 /* Value type. */ #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED @@ -188,7 +190,7 @@ union YYSTYPE char *s; conf_parser_section_t t; -#line 192 "parser/parser.c" /* yacc.c:355 */ +#line 194 "parser/parser.c" /* yacc.c:355 */ }; # define YYSTYPE_IS_TRIVIAL 1 # define YYSTYPE_IS_DECLARED 1 @@ -202,7 +204,7 @@ int conf_parser_parse (parser_helper_t *ctx); /* Copy the second part of user declarations. */ -#line 206 "parser/parser.c" /* yacc.c:358 */ +#line 208 "parser/parser.c" /* yacc.c:358 */ #ifdef short # undef short @@ -447,7 +449,7 @@ union yyalloc #define YYLAST 11 /* YYNTOKENS -- Number of terminals. */ -#define YYNTOKENS 10 +#define YYNTOKENS 11 /* YYNNTS -- Number of nonterminals. */ #define YYNNTS 8 /* YYNRULES -- Number of rules. */ @@ -458,7 +460,7 @@ union yyalloc /* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned by yylex, with out-of-bounds checking. */ #define YYUNDEFTOK 2 -#define YYMAXUTOK 264 +#define YYMAXUTOK 265 #define YYTRANSLATE(YYX) \ ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK) 
@@ -493,7 +495,7 @@ static const yytype_uint8 yytranslate[] = 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 2, 3, 4, - 5, 6, 7, 8, 9 + 5, 6, 7, 8, 9, 10 }; #if YYDEBUG @@ -511,8 +513,9 @@ static const yytype_uint8 yyrline[] = static const char *const yytname[] = { "$end", "error", "$undefined", "STRING", "EQ", "SPACES", "NEWLINE", - "CONFIG_SETUP", "CONN", "CA", "$accept", "statements", "statement", - "section", "section_type", "section_name", "setting", "value", YY_NULLPTR + "CONFIG_SETUP", "CONN", "CA", "STRING_ERROR", "$accept", "statements", + "statement", "section", "section_type", "section_name", "setting", + "value", YY_NULLPTR }; #endif @@ -521,7 +524,8 @@ static const char *const yytname[] = (internal) symbol number NUM (which must be that of a token). */ static const yytype_uint16 yytoknum[] = { - 0, 256, 257, 258, 259, 260, 261, 262, 263, 264 + 0, 256, 257, 258, 259, 260, 261, 262, 263, 264, + 265 }; # endif @@ -583,15 +587,15 @@ static const yytype_int8 yycheck[] = symbol of state STATE-NUM. */ static const yytype_uint8 yystos[] = { - 0, 11, 0, 5, 6, 7, 8, 9, 12, 13, - 14, 3, 16, 3, 15, 4, 3, 17, 3 + 0, 12, 0, 5, 6, 7, 8, 9, 13, 14, + 15, 3, 17, 3, 16, 4, 3, 18, 3 }; /* YYR1[YYN] -- Symbol number of symbol that rule YYN derives. */ static const yytype_uint8 yyr1[] = { - 0, 10, 11, 11, 11, 12, 12, 13, 14, 14, - 14, 15, 15, 16, 16, 16, 16, 17, 17 + 0, 11, 12, 12, 12, 13, 13, 14, 15, 15, + 15, 16, 16, 17, 17, 17, 17, 18, 18 }; /* YYR2[YYN] -- Number of symbols on the right hand side of rule YYN. */ 
@@ -1026,19 +1030,19 @@ yydestruct (const char *yymsg, int yytype, YYSTYPE *yyvaluep, parser_helper_t *c case 3: /* STRING */ #line 86 "parser/parser.y" /* yacc.c:1257 */ { free(((*yyvaluep).s)); } -#line 1030 "parser/parser.c" /* yacc.c:1257 */ +#line 1034 "parser/parser.c" /* yacc.c:1257 */ break; - case 15: /* section_name */ + case 16: /* section_name */ #line 86 "parser/parser.y" /* yacc.c:1257 */ { free(((*yyvaluep).s)); } -#line 1036 "parser/parser.c" /* yacc.c:1257 */ +#line 1040 "parser/parser.c" /* yacc.c:1257 */ break; - case 17: /* value */ + case 18: /* value */ #line 86 "parser/parser.y" /* yacc.c:1257 */ { free(((*yyvaluep).s)); } -#line 1042 "parser/parser.c" /* yacc.c:1257 */ +#line 1046 "parser/parser.c" /* yacc.c:1257 */ break; @@ -1315,7 +1319,7 @@ yyreduce: conf_parser_t *parser = (conf_parser_t*)ctx->context; parser->add_section(parser, (yyvsp[-1].t), (yyvsp[0].s)); } -#line 1319 "parser/parser.c" /* yacc.c:1646 */ +#line 1323 "parser/parser.c" /* yacc.c:1646 */ break; case 8: @@ -1323,7 +1327,7 @@ yyreduce: { (yyval.t) = CONF_PARSER_CONFIG_SETUP; } -#line 1327 "parser/parser.c" /* yacc.c:1646 */ +#line 1331 "parser/parser.c" /* yacc.c:1646 */ break; case 9: @@ -1331,7 +1335,7 @@ yyreduce: { (yyval.t) = CONF_PARSER_CONN; } -#line 1335 "parser/parser.c" /* yacc.c:1646 */ +#line 1339 "parser/parser.c" /* yacc.c:1646 */ break; case 10: @@ -1339,7 +1343,7 @@ yyreduce: { (yyval.t) = CONF_PARSER_CA; } -#line 1343 "parser/parser.c" /* yacc.c:1646 */ +#line 1347 "parser/parser.c" /* yacc.c:1646 */ break; case 11: @@ -1347,7 +1351,7 @@ yyreduce: { (yyval.s) = NULL; } -#line 1351 "parser/parser.c" /* yacc.c:1646 */ +#line 1355 "parser/parser.c" /* yacc.c:1646 */ break; case 12: @@ -1355,7 +1359,7 @@ yyreduce: { (yyval.s) = (yyvsp[0].s); } -#line 1359 "parser/parser.c" /* yacc.c:1646 */ +#line 1363 "parser/parser.c" /* yacc.c:1646 */ break; case 14: 
@@ -1371,7 +1375,7 @@ yyreduce: conf_parser_t *parser = (conf_parser_t*)ctx->context; parser->add_setting(parser, (yyvsp[-2].s), (yyvsp[0].s)); } -#line 1375 "parser/parser.c" /* yacc.c:1646 */ +#line 1379 "parser/parser.c" /* yacc.c:1646 */ break; case 15: @@ -1386,7 +1390,7 @@ yyreduce: conf_parser_t *parser = (conf_parser_t*)ctx->context; parser->add_setting(parser, (yyvsp[-1].s), NULL); } -#line 1390 "parser/parser.c" /* yacc.c:1646 */ +#line 1394 "parser/parser.c" /* yacc.c:1646 */ break; case 16: @@ -1396,7 +1400,7 @@ yyreduce: free((yyvsp[0].s)); YYERROR; } -#line 1400 "parser/parser.c" /* yacc.c:1646 */ +#line 1404 "parser/parser.c" /* yacc.c:1646 */ break; case 18: @@ -1411,11 +1415,11 @@ yyreduce: free((yyvsp[-1].s)); free((yyvsp[0].s)); } -#line 1415 "parser/parser.c" /* yacc.c:1646 */ +#line 1419 "parser/parser.c" /* yacc.c:1646 */ break; -#line 1419 "parser/parser.c" /* yacc.c:1646 */ +#line 1423 "parser/parser.c" /* yacc.c:1646 */ default: break; } /* User semantic actions sometimes alter yychar, and that requires diff --git a/src/starter/parser/parser.h b/src/starter/parser/parser.h index c10547be8..ed6ed2bf5 100644 --- a/src/starter/parser/parser.h +++ b/src/starter/parser/parser.h @@ -51,7 +51,8 @@ extern int conf_parser_debug; NEWLINE = 261, CONFIG_SETUP = 262, CONN = 263, - CA = 264 + CA = 264, + STRING_ERROR = 265 }; #endif /* Tokens. */ @@ -62,6 +63,7 @@ extern int conf_parser_debug; #define CONFIG_SETUP 262 #define CONN 263 #define CA 264 +#define STRING_ERROR 265 /* Value type. */ #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED @@ -73,7 +75,7 @@ union YYSTYPE char *s; conf_parser_section_t t; -#line 77 "parser/parser.h" /* yacc.c:1909 */ +#line 79 "parser/parser.h" /* yacc.c:1909 */ }; # define YYSTYPE_IS_TRIVIAL 1 # define YYSTYPE_IS_DECLARED 1 diff --git a/src/starter/parser/parser.y b/src/starter/parser/parser.y index 54dedc12b..0b2b3b09f 100644 --- a/src/starter/parser/parser.y +++ b/src/starter/parser/parser.y 
@@ -73,7 +73,7 @@ static int yylex(YYSTYPE *lvalp, parser_helper_t *ctx) conf_parser_section_t t; } %token STRING -%token EQ SPACES NEWLINE CONFIG_SETUP CONN CA +%token EQ SPACES NEWLINE CONFIG_SETUP CONN CA STRING_ERROR /* ...and other symbols */ %type section_type diff --git a/src/starter/starter.c b/src/starter/starter.c index a19298923..ab1ebdd5d 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -703,7 +703,6 @@ int main (int argc, char **argv) { starter_stop_charon(); } - starter_netkey_cleanup(); confread_free(cfg); unlink(starter_pid_file); cleanup(); diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 79a92cdad..b92c00c87 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -16,6 +16,7 @@ #include #include +#include #include #include diff --git a/src/starter/tests/suites/test_parser.c b/src/starter/tests/suites/test_parser.c index 26a41ba55..4ae7b22fa 100644 --- a/src/starter/tests/suites/test_parser.c +++ b/src/starter/tests/suites/test_parser.c @@ -328,6 +328,9 @@ static struct { { TRUE, "conn foo\n\tkey=val ue", "foo", "val ue" }, { TRUE, "conn foo\n\tkey=\"val ue\"", "foo", "val ue" }, { TRUE, "conn foo\n\tkey=\"val\\nue\"", "foo", "val\nue" }, + { TRUE, "conn foo\n\tkey=\"val\nue\"", "foo", "val\nue" }, + { TRUE, "conn foo\n\tkey=\"val\\\nue\"", "foo", "value" }, + { FALSE, "conn foo\n\tkey=\"unterminated", "foo", NULL }, }; START_TEST(test_strings) diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index 07911d2d2..2dfb66d7c 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index f4f9fdf7e..703e5746a 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am 
@@ -7,10 +7,12 @@ swanctl_SOURCES = \ commands/install.c \ commands/list_sas.c \ commands/list_pols.c \ + commands/list_authorities.c \ commands/list_conns.c \ commands/list_certs.c \ commands/list_pools.c \ commands/load_all.c \ + commands/load_authorities.h commands/load_authorities.c \ commands/load_conns.c commands/load_conns.h \ commands/load_creds.c commands/load_creds.h \ commands/load_pools.c commands/load_pools.h \ @@ -46,7 +48,7 @@ CLEANFILES = $(man_MANS) swanctl.conf.5.main: swanctl.opt $(AM_V_GEN) \ - $(PYTHON) $(top_srcdir)/conf/format-options.py -n -f man swanctl.opt > $(srcdir)/$@ + cd $(srcdir) && $(PYTHON) $(abs_top_srcdir)/conf/format-options.py -n -f man swanctl.opt > $@ swanctl.conf.5: swanctl.conf.5.head swanctl.conf.5.main swanctl.conf.5.tail $(AM_V_GEN) \ diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index f981bb1f3..a4d853cb1 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -107,8 +107,10 @@ am__dirstamp = $(am__leading_dot)dirstamp am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \ commands/terminate.$(OBJEXT) commands/install.$(OBJEXT) \ commands/list_sas.$(OBJEXT) commands/list_pols.$(OBJEXT) \ + commands/list_authorities.$(OBJEXT) \ commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \ commands/list_pools.$(OBJEXT) commands/load_all.$(OBJEXT) \ + commands/load_authorities.$(OBJEXT) \ commands/load_conns.$(OBJEXT) commands/load_creds.$(OBJEXT) \ commands/load_pools.$(OBJEXT) commands/log.$(OBJEXT) \ commands/version.$(OBJEXT) commands/stats.$(OBJEXT) \ 
@@ -445,10 +447,12 @@ swanctl_SOURCES = \ commands/install.c \ commands/list_sas.c \ commands/list_pols.c \ + commands/list_authorities.c \ commands/list_conns.c \ commands/list_certs.c \ commands/list_pools.c \ commands/load_all.c \ + commands/load_authorities.h commands/load_authorities.c \ commands/load_conns.c commands/load_conns.h \ commands/load_creds.c commands/load_creds.h \ commands/load_pools.c commands/load_pools.h \ @@ -581,6 +585,8 @@ commands/list_sas.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/list_pols.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) +commands/list_authorities.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/list_conns.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/list_certs.$(OBJEXT): commands/$(am__dirstamp) \ @@ -589,6 +595,8 @@ commands/list_pools.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/load_all.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) +commands/load_authorities.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/load_conns.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/load_creds.$(OBJEXT): commands/$(am__dirstamp) \ 
@@ -619,12 +627,14 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/swanctl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/initiate.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/install.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_authorities.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_certs.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_conns.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_pols.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_pools.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_sas.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_all.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_authorities.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_conns.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_creds.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_pools.Po@am__quote@ @@ -977,7 +987,7 @@ swanctl.o : $(top_builddir)/config.status swanctl.conf.5.main: swanctl.opt $(AM_V_GEN) \ - $(PYTHON) $(top_srcdir)/conf/format-options.py -n -f man swanctl.opt > $(srcdir)/$@ + cd $(srcdir) && $(PYTHON) $(abs_top_srcdir)/conf/format-options.py -n -f man swanctl.opt > $@ swanctl.conf.5: swanctl.conf.5.head swanctl.conf.5.main swanctl.conf.5.tail $(AM_V_GEN) \ diff --git a/src/swanctl/command.c b/src/swanctl/command.c index 03cd8b959..26c41346c 100644 --- a/src/swanctl/command.c +++ b/src/swanctl/command.c @@ -211,7 +211,7 @@ int command_usage(char *error, ...) { for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++) { - fprintf(out, " swanctl --%-15s (-%c) %s\n", + fprintf(out, " swanctl --%-16s (-%c) %s\n", cmds[i].cmd, cmds[i].op, cmds[i].description); } } 
diff --git a/src/swanctl/command.h b/src/swanctl/command.h index ffc319085..0760d1384 100644 --- a/src/swanctl/command.h +++ b/src/swanctl/command.h @@ -27,7 +27,7 @@ /** * Maximum number of commands (+1). */ -#define MAX_COMMANDS 19 +#define MAX_COMMANDS 21 /** * Maximum number of options in a command (+3) diff --git a/src/swanctl/commands/list_authorities.c b/src/swanctl/commands/list_authorities.c new file mode 100644 index 000000000..8bff6f95d --- /dev/null +++ b/src/swanctl/commands/list_authorities.c 
@@ -0,0 +1,169 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include
+#include
+
+#include "command.h"
+
+#define LABELED_CRL_URI (1 << 0)
+#define LABELED_OCSP_URI (1 << 1)
+
+CALLBACK(authority_kv, int,
+ void *null, vici_res_t *res, char *name, void *value, int len)
+{
+ chunk_t chunk;
+
+ chunk = chunk_create(value, len);
+ if (chunk_printable(chunk, NULL, ' '))
+ {
+ printf(" %s: %.*s\n", name, len, value);
+ }
+
+ return 0;
+}
+
+
+CALLBACK(authority_list, int,
+ int *labeled, vici_res_t *res, char *name, void *value, int len)
+{
+ chunk_t chunk;
+
+ chunk = chunk_create(value, len);
+ if (chunk_printable(chunk, NULL, ' '))
+ {
+ if (streq(name, "crl_uris"))
+ {
+ printf(" %s %.*s\n",
+ (*labeled & LABELED_CRL_URI) ? " " : "crl_uris: ",
+ len, value);
+ *labeled |= LABELED_CRL_URI;
+ }
+ if (streq(name, "ocsp_uris"))
+ {
+ printf(" %s %.*s\n",
+ (*labeled & LABELED_OCSP_URI) ? 
" " : "ocsp_uris:", + len, value); + *labeled %= LABELED_OCSP_URI; + } + } + return 0; +} + +CALLBACK(authorities, int, + void *null, vici_res_t *res, char *name) +{ + int labeled = 0; + + printf("%s:\n", name); + + return vici_parse_cb(res, NULL, authority_kv, authority_list, &labeled); +} + +CALLBACK(list_cb, void, + command_format_options_t *format, char *name, vici_res_t *res) +{ + if (*format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "list-authorities event", *format & COMMAND_FORMAT_PRETTY, + stdout); + } + else + { + if (vici_parse_cb(res, authorities, NULL, NULL, NULL) != 0) + { + fprintf(stderr, "parsing authority event failed: %s\n", + strerror(errno)); + } + } +} + +static int list_authorities(vici_conn_t *conn) +{ + vici_req_t *req; + vici_res_t *res; + command_format_options_t format = COMMAND_FORMAT_NONE; + char *arg, *ca_name = NULL;; + int ret = 0; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 'n': + ca_name = arg; + continue; + case 'P': + format |= COMMAND_FORMAT_PRETTY; + /* fall through to raw */ + case 'r': + format |= COMMAND_FORMAT_RAW; + continue; + case EOF: + break; + default: + return command_usage("invalid --list-authorities option"); + } + break; + } + if (vici_register(conn, "list-authority", list_cb, &format) != 0) + { + ret = errno; + fprintf(stderr, "registering for authorities failed: %s\n", + strerror(errno)); + return ret; + } + + req = vici_begin("list-authorities"); + if (ca_name) + { + vici_add_key_valuef(req, "name", "%s", ca_name); + } + res = vici_submit(req, conn); + if (!res) + { + ret = errno; + fprintf(stderr, "list-authorities request failed: %s\n", strerror(errno)); + return ret; + } + if (format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "list-authorities reply", format & COMMAND_FORMAT_PRETTY, + stdout); + } + vici_free_res(res); + return 0; +} + +/** + * Register the command. 
+ */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + list_authorities, 'B', "list-authorities", + "list loaded authority configurations", + {"[--raw|--pretty]"}, + { + {"help", 'h', 0, "show usage information"}, + {"name", 'n', 1, "filter by authority name"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, + } + }); +} diff --git a/src/swanctl/commands/list_certs.c b/src/swanctl/commands/list_certs.c index ecb65289a..167f8d848 100644 --- a/src/swanctl/commands/list_certs.c +++ b/src/swanctl/commands/list_certs.c @@ -2,6 +2,9 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -388,7 +391,7 @@ static void print_crl(crl_t *crl) chunk = chunk_skip_zero(chunk); localtime_r(&ts, &tm); strftime(buf, sizeof(buf), "%F %T", &tm); - printf(" %#B %N %s\n", &chunk, crl_reason_names, reason, buf); + printf(" %#B: %s, %N\n", &chunk, buf, crl_reason_names, reason); count++; } enumerator->destroy(enumerator); diff --git a/src/swanctl/commands/load_all.c b/src/swanctl/commands/load_all.c index f47fee5b4..0010ce140 100644 --- a/src/swanctl/commands/load_all.c +++ b/src/swanctl/commands/load_all.c @@ -22,6 +22,7 @@ #include "command.h" #include "swanctl.h" #include "load_creds.h" +#include "load_authorities.h" #include "load_pools.h" #include "load_conns.h" @@ -71,6 +72,10 @@ static int load_all(vici_conn_t *conn) ret = load_creds_cfg(conn, format, cfg, clear, noprompt); } if (ret == 0) + { + ret = load_authorities_cfg(conn, format, cfg); + } + if (ret == 0) { ret = load_pools_cfg(conn, format, cfg); } 
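Review bot: `*labeled %= LABELED_OCSP_URI;` in authority_list is a typo for `*labeled |= LABELED_OCSP_URI;`: a modulo never sets the OCSP bit, so every ocsp_uris entry is printed with the `ocsp_uris:` label repeated instead of indented like the crl_uris branch directly above it, which correctly uses `|=`. Minor: `char *arg, *ca_name = NULL;;` in list_authorities has a stray semicolon, and the label strings `"crl_uris: "` and `"ocsp_uris:"` differ in trailing whitespace, so the two URI lists will not line up in the output.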
@@ -90,7 +95,8 @@ static int load_all(vici_conn_t *conn) static void __attribute__ ((constructor))reg() { command_register((command_t) { - load_all, 'q', "load-all", "load credentials, pools and connections", + load_all, 'q', "load-all", + "load credentials, authorities, pools and connections", {"[--raw|--pretty] [--clear] [--noprompt]"}, { {"help", 'h', 0, "show usage information"}, diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c new file mode 100644 index 000000000..88dde6aaf --- /dev/null +++ b/src/swanctl/commands/load_authorities.c 
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include
+#include
+#include
+
+#include "command.h"
+#include "swanctl.h"
+#include "load_authorities.h"
+
+/**
+ * Add a vici list from a comma separated string value
+ */
+static void add_list_key(vici_req_t *req, char *key, char *value)
+{
+ enumerator_t *enumerator;
+ char *token;
+
+ vici_begin_list(req, key);
+ enumerator = enumerator_create_token(value, ",", " ");
+ while (enumerator->enumerate(enumerator, &token))
+ {
+ vici_add_list_itemf(req, "%s", token);
+ }
+ enumerator->destroy(enumerator);
+ vici_end_list(req);
+}
+
+/**
+ * Add a vici certificate blob value given by its file patch
+ */
+static bool add_file_key_value(vici_req_t *req, char *key, char *value)
+{
+ chunk_t *map;
+ char *path, buf[PATH_MAX];
+
+ if (path_absolute(value))
+ {
+ path = value;
+ }
+ else
+ {
+ path = buf;
+ snprintf(path, PATH_MAX, "%s%s%s",
+ SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, value);
+ }
+ map = chunk_map(path, FALSE);
+
+ if (map)
+ {
+ vici_add_key_value(req, key, map->ptr, map->len);
+ chunk_unmap(map);
+ return TRUE;
+ }
+ else
+ {
+ fprintf(stderr, "loading ca certificate '%s' failed: %s\n",
+ path, strerror(errno));
+ return FALSE;
+ }
+}
+
+/**
+ * Translate sletting key/values from a section into vici key-values/lists
+ */
+static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section)
+{
+ enumerator_t
*enumerator;
+ char *key, *value;
+ bool ret = TRUE;
+
+ enumerator = cfg->create_key_value_enumerator(cfg, section);
+ while (enumerator->enumerate(enumerator, &key, &value))
+ {
+ /* pool subnet is encoded as key/value, all other attributes as list */
+ if (streq(key, "cacert"))
+ {
+ ret = add_file_key_value(req, key, value);
+ }
+ else if (streq(key, "cert_uri_base"))
+ {
+ vici_add_key_valuef(req, key, "%s", value);
+ }
+ else
+ {
+ add_list_key(req, key, value);
+ }
+ if (!ret)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return ret;
+}
+
+/**
+ * Load an authority configuration
+ */
+static bool load_authority(vici_conn_t *conn, settings_t *cfg,
+ char *section, command_format_options_t format)
+{
+ vici_req_t *req;
+ vici_res_t *res;
+ bool ret = TRUE;
+ char buf[128];
+
+ snprintf(buf, sizeof(buf), "%s.%s", "authorities", section);
+
+ req = vici_begin("load-authority");
+
+ vici_begin_section(req, section);
+ if (!add_key_values(req, cfg, buf))
+ {
+ vici_free_req(req);
+ return FALSE;
+ }
+ vici_end_section(req);
+
+ res = vici_submit(req, conn);
+ if (!res)
+ {
+ fprintf(stderr, "load-authority request failed: %s\n", strerror(errno));
+ return FALSE;
+ }
+ if (format & COMMAND_FORMAT_RAW)
+ {
+ vici_dump(res, "load-authority reply", format & COMMAND_FORMAT_PRETTY,
+ stdout);
+ }
+ else if (!streq(vici_find_str(res, "no", "success"), "yes"))
+ {
+ fprintf(stderr, "loading authority '%s' failed: %s\n",
+ section, vici_find_str(res, "", "errmsg"));
+ ret = FALSE;
+ }
+ else
+ {
+ printf("loaded authority '%s'\n", section);
+ }
+ vici_free_res(res);
+ return ret;
+}
+
+CALLBACK(list_authority, int,
+ linked_list_t *list, vici_res_t *res, char *name, void *value, int len)
+{
+ if (streq(name, "authorities"))
+ {
+ char *str;
+
+ if (asprintf(&str, "%.*s", len, value) != -1)
+ {
+ list->insert_last(list, str);
+ }
+ }
+ return 0;
+}
+
+/**
+ * Create a list of currently loaded authorities
+ */
+static linked_list_t* list_authorities(vici_conn_t
*conn,
+ command_format_options_t format)
+{
+ linked_list_t *list;
+ vici_res_t *res;
+
+ list = linked_list_create();
+
+ res = vici_submit(vici_begin("get-authorities"), conn);
+ if (res)
+ {
+ if (format & COMMAND_FORMAT_RAW)
+ {
+ vici_dump(res, "get-authorities reply", format & COMMAND_FORMAT_PRETTY,
+ stdout);
+ }
+ vici_parse_cb(res, NULL, NULL, list_authority, list);
+ vici_free_res(res);
+ }
+ return list;
+}
+
+/**
+ * Remove and free a string from a list
+ */
+static void remove_from_list(linked_list_t *list, char *str)
+{
+ enumerator_t *enumerator;
+ char *current;
+
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, ¤t))
+ {
+ if (streq(current, str))
+ {
+ list->remove_at(list, enumerator);
+ free(current);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * Unload a authority by name
+ */
+static bool unload_authority(vici_conn_t *conn, char *name,
+ command_format_options_t format)
+{
+ vici_req_t *req;
+ vici_res_t *res;
+ bool ret = TRUE;
+
+ req = vici_begin("unload-authority");
+ vici_add_key_valuef(req, "name", "%s", name);
+ res = vici_submit(req, conn);
+ if (!res)
+ {
+ fprintf(stderr, "unload-authority request failed: %s\n", strerror(errno));
+ return FALSE;
+ }
+ if (format & COMMAND_FORMAT_RAW)
+ {
+ vici_dump(res, "unload-authority reply", format & COMMAND_FORMAT_PRETTY,
+ stdout);
+ }
+ else if (!streq(vici_find_str(res, "no", "success"), "yes"))
+ {
+ fprintf(stderr, "unloading authority '%s' failed: %s\n",
+ name, vici_find_str(res, "", "errmsg"));
+ ret = FALSE;
+ }
+ vici_free_res(res);
+ return ret;
+}
+
+/**
+ * See header.
+ */
+int load_authorities_cfg(vici_conn_t *conn, command_format_options_t format,
+ settings_t *cfg)
+{
+ u_int found = 0, loaded = 0, unloaded = 0;
+ char *section;
+ enumerator_t *enumerator;
+ linked_list_t *authorities;
+
+ authorities = list_authorities(conn, format);
+
+ enumerator = cfg->create_section_enumerator(cfg, "authorities");
+ while (enumerator->enumerate(enumerator, §ion))
+ {
+ remove_from_list(authorities, section);
+ found++;
+ if (load_authority(conn, cfg, section, format))
+ {
+ loaded++;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* unload all authorities in daemon, but not in file */
+ while (authorities->remove_first(authorities, (void**)§ion) == SUCCESS)
+ {
+ if (unload_authority(conn, section, format))
+ {
+ unloaded++;
+ }
+ free(section);
+ }
+ authorities->destroy(authorities);
+
+ if (format & COMMAND_FORMAT_RAW)
+ {
+ return 0;
+ }
+ if (found == 0)
+ {
+ printf("no authorities found, %u unloaded\n", unloaded);
+ return 0;
+ }
+ if (loaded == found)
+ {
+ printf("successfully loaded %u authorities, %u unloaded\n",
+ loaded, unloaded);
+ return 0;
+ }
+ fprintf(stderr, "loaded %u of %u authorities, %u failed to load, "
+ "%u unloaded\n", loaded, found, found - loaded, unloaded);
+ return EINVAL;
+}
+
+static int load_authorities(vici_conn_t *conn)
+{
+ command_format_options_t format = COMMAND_FORMAT_NONE;
+ settings_t *cfg;
+ char *arg;
+ int ret;
+
+ while (TRUE)
+ {
+ switch (command_getopt(&arg))
+ {
+ case 'h':
+ return command_usage(NULL);
+ case 'P':
+ format |= COMMAND_FORMAT_PRETTY;
+ /* fall through to raw */
+ case 'r':
+ format |= COMMAND_FORMAT_RAW;
+ continue;
+ case EOF:
+ break;
+ default:
+ return command_usage("invalid --load-authorities option");
+ }
+ break;
+ }
+
+ cfg = settings_create(SWANCTL_CONF);
+ if (!cfg)
+ {
+ fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ return EINVAL;
+ }
+
+ ret = load_authorities_cfg(conn, format, cfg);
+
+ cfg->destroy(cfg);
+
+ return ret;
+}
+
+/**
+ * Register
the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+ command_register((command_t) {
+ load_authorities, 'b',
+ "load-authorities", "(re-)load authority configuration",
+ {"[--raw|--pretty]"},
+ {
+ {"help", 'h', 0, "show usage information"},
+ {"raw", 'r', 0, "dump raw response message"},
+ {"pretty", 'P', 0, "dump raw response message in pretty print"},
+ }
+ });
+}
diff --git a/src/swanctl/commands/load_authorities.h b/src/swanctl/commands/load_authorities.h
new file mode 100644
index 000000000..d4be214fb
--- /dev/null
+++ b/src/swanctl/commands/load_authorities.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2015 Andreas Stefffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "command.h"
+
+/**
+ * Load all certification authority definitions from configuration file
+ *
+ * @param conn vici connection to load to
+ * @param format output format
+ * @param cfg configuration to load from
+ */
+int load_authorities_cfg(vici_conn_t *conn, command_format_options_t format,
+ settings_t *cfg);
diff --git a/src/swanctl/swanctl.8.in b/src/swanctl/swanctl.8.in
index 543c10a67..cd033f91e 100644
--- a/src/swanctl/swanctl.8.in
+++ b/src/swanctl/swanctl.8.in
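Review bot: load_authority builds the settings section name into `char buf[128]` with an unchecked snprintf(), so an authority name longer than the buffer is silently truncated, add_key_values then enumerates a section that does not exist, and the daemon receives a `load-authority` request for the full name with no cacert, crl_uris or ocsp_uris attached. Check the result and refuse the entry instead: `if (snprintf(buf, sizeof(buf), "%s.%s", "authorities", section) >= sizeof(buf)) { fprintf(stderr, "authority name '%s' too long\n", section); return FALSE; }`, and the snprintf() into `buf[PATH_MAX]` in add_file_key_value wants the same check so that a truncated path is not reported as a missing certificate file. list_authorities() drops a failed `get-authorities` submit without any diagnostic, which leaves the later unload pass with an empty list and nothing to say; the other submit paths in this file print strerror(errno) and this one should too. The comment in add_key_values, `/* pool subnet is encoded as key/value, all other attributes as list */`, was carried over from the pools loader and does not describe this function; suggest `/* cacert is sent as a file blob, cert_uri_base as a plain value, all other attributes as lists */`. The doc comments on add_file_key_value and add_key_values read "file patch" and "sletting" where "file path" and "settings" are meant.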
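Review bot: The doc comment on load_authorities_cfg omits the return value, which the implementation defines as 0 on success (also in raw mode or when no authorities section exists) and EINVAL when at least one authority failed to load; add `@return 0 on success, EINVAL if any authority failed to load` to the comment. The copyright line reads "Andreas Stefffen" where the accompanying .c file has "Andreas Steffen".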
@@ -53,9 +53,15 @@ list currently active IKE_SAs .B "\-P, \-\-list\-pols" list currently installed policies .TP +.B "\-b, \-\-load\-authorities" +(re\-)load certification authorities information +.TP .B "\-L, \-\-list\-conns" list loaded configurations .TP +.B "\-B, \-\-list\-authorities" +list loaded certification authorities information +.TP .B "\-x, \-\-list\-certs" list stored certificates .TP @@ -63,7 +69,7 @@ list stored certificates list loaded pool configurations .TP .B "\-q, \-\-load\-all" -(re\-)load credentials, pools and connections +(re\-)load credentials, pools, authorities and connections .TP .B "\-c, \-\-load\-conns" (re\-)load connection configuration diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index faafecc44..c480ce174 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -180,6 +180,9 @@ # drop). # mode = tunnel + # Whether to install IPsec policies or not. + # policies = yes + # Action to perform on DPD timeout (clear, trap or restart). # dpd_action = clear @@ -316,3 +319,25 @@ # } +# Section defining attributes of certification authorities. +# authorities { + + # Section defining a certification authority with a unique name. + # { + + # CA certificate belonging to the certification authority. + # cacert = + + # Comma-separated list of CRL distribution points + # crl_uris = + + # Comma-separated list of OCSP URIs + # ocsp_uris = + + # Defines the base URI for the Hash and URL feature supported by IKEv2. + # cert_uri_base = + + # } + +# } + diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index a770b28b1..6e3842d8a 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main 
@@ -725,6 +725,11 @@ and are used to install shunt policies, which explicitly bypass the defined traffic from IPsec processing, or drop it, respectively. +.TP +.BR connections..children..policies " [yes]" +Whether to install IPsec policies or not. Disabling this can be useful in some +scenarios e.g. MIPv6, where policies are not managed by the IKE daemon. + .TP .BR connections..children..dpd_action " [clear]" Action to perform for this CHILD_SA on DPD timeout. The default @@ -1022,3 +1027,35 @@ corresponding attribute types. Alternatively, can be a numerical identifier, for which string attribute values are accepted as well. +.TP +.B authorities +.br +Section defining attributes of certification authorities. + +.TP +.B authorities. +.br +Section defining a certification authority with a unique name. + +.TP +.BR authorities..cacert " []" +The certificates may use a relative path from the +.RB "" "swanctl" "" +.RI "" "x509ca" "" +directory, or an absolute path. + +.TP +.BR authorities..crl_uris " []" +Comma\-separated list of CRL distribution points (ldap, http, or file URI) + +.TP +.BR authorities..ocsp_uris " []" +Comma\-separated list of OCSP URIs + +.TP +.BR authorities..cert_uri_base " []" +Defines the base URI for the Hash and URL feature supported by IKEv2. Instead of +exchanging complete certificates, IKEv2 allows one to send an URI that resolves +to the DER encoded certificate. The certificate URIs are built by appending the +SHA1 hash of the DER encoded certificates to this base URI. + diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index b6ef17546..ef38d5d86 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt 
@@ -589,6 +589,12 @@ connections..children..mode = tunnel _pass_ and _drop_ are used to install shunt policies, which explicitly bypass the defined traffic from IPsec processing, or drop it, respectively. +connections..children..policies = yes + Whether to install IPsec policies or not. + + Whether to install IPsec policies or not. Disabling this can be useful in + some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon. + connections..children..dpd_action = clear Action to perform on DPD timeout (_clear_, _trap_ or _restart_). @@ -810,3 +816,35 @@ pools.. = subnets for the corresponding attribute types. Alternatively, **** can be a numerical identifier, for which string attribute values are accepted as well. + +authorities { # } + Section defining attributes of certification authorities. + +authorities. { # } + Section defining a certification authority with a unique name. + +authorities..cacert = + CA certificate belonging to the certification authority. + + The certificates may use a relative path from the **swanctl** _x509ca_ + directory, or an absolute path. + +authorities..crl_uris = + Comma-separated list of CRL distribution points + + Comma-separated list of CRL distribution points (ldap, http, or file URI) + +authorities..ocsp_uris = + Comma-separated list of OCSP URIs + + Comma-separated list of OCSP URIs + +authorities..cert_uri_base = + Defines the base URI for the Hash and URL feature supported by IKEv2. + + Defines the base URI for the Hash and URL feature supported by IKEv2. + Instead of exchanging complete certificates, IKEv2 allows one to send an + URI that resolves to the DER encoded certificate. The certificate URIs are + built by appending the SHA1 hash of the DER encoded certificates to this + base URI. + -- cgit v1.2.3 From 1e980d6be0ef0e243c6fe82b5e855454b97e24a4 Mon Sep 17 00:00:00 2001 
From: Yves-Alexis Perez Date: Wed, 18 Nov 2015 14:49:27 +0100 Subject: Imported Upstream version 5.3.4 --- Android.common.mk | 2 +- NEWS | 16 +- conf/options/charon-logging.conf | 5 + conf/options/charon-logging.opt | 4 + conf/options/charon.conf | 8 + conf/options/charon.opt | 8 + conf/strongswan.conf.5.main | 17 + config.h.in | 3 + configure | 75 +- configure.ac | 16 +- init/systemd/strongswan.service.in | 2 +- src/_updown/_updown.in | 31 + src/charon-cmd/charon-cmd.c | 12 +- src/charon-nm/charon-nm.c | 10 +- src/charon-systemd/charon-systemd.c | 10 +- src/charon-tkm/src/charon-tkm.c | 14 +- src/charon-tkm/src/tkm/tkm_kernel_ipsec.c | 7 +- src/charon-tkm/src/tkm/tkm_spi_generator.c | 98 +++ src/charon-tkm/src/tkm/tkm_spi_generator.h | 36 + src/charon/charon.c | 11 +- src/conftest/conftest.c | 10 +- src/include/Makefile.am | 2 +- src/include/Makefile.in | 2 +- src/include/linux/socket.h | 21 + src/ipsec/_ipsec.8 | 2 +- src/ipsec/_ipsec.in | 4 +- src/libcharon/Android.mk | 1 - src/libcharon/bus/listeners/file_logger.c | 32 +- src/libcharon/bus/listeners/file_logger.h | 7 +- src/libcharon/config/peer_cfg.c | 2 +- src/libcharon/daemon.c | 46 +- src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 115 ++- .../plugins/eap_radius/eap_radius_provider.c | 32 +- .../plugins/error_notify/error_notify_listener.c | 2 +- src/libcharon/plugins/ha/ha_child.c | 2 +- src/libcharon/plugins/ha/ha_dispatcher.c | 2 +- .../kernel_libipsec/kernel_libipsec_ipsec.c | 7 +- .../plugins/kernel_wfp/kernel_wfp_ipsec.c | 9 +- .../plugins/load_tester/load_tester_ipsec.c | 5 +- .../plugins/socket_default/socket_default_socket.c | 281 +++++--- .../plugins/socket_dynamic/socket_dynamic_socket.c | 94 ++- src/libcharon/plugins/stroke/stroke_config.c | 6 +- src/libcharon/plugins/stroke/stroke_control.c | 71 +- src/libcharon/plugins/stroke/stroke_list.c | 6 +- src/libcharon/plugins/vici/README.md | 21 +- src/libcharon/plugins/vici/vici_attribute.c | 28 +- src/libcharon/plugins/vici/vici_cred.c | 12 +- 
src/libcharon/plugins/vici/vici_query.c | 47 ++ .../processing/jobs/initiate_mediation_job.c | 4 + src/libcharon/sa/child_sa.c | 178 ++--- src/libcharon/sa/ike_sa_manager.c | 84 ++- src/libcharon/sa/ike_sa_manager.h | 21 +- src/libcharon/sa/ikev1/keymat_v1.c | 20 +- src/libcharon/sa/ikev1/task_manager_v1.c | 110 ++- src/libcharon/sa/ikev1/tasks/mode_config.c | 4 +- src/libcharon/sa/ikev1/tasks/quick_delete.c | 4 +- src/libcharon/sa/ikev1/tasks/quick_mode.c | 6 +- src/libcharon/sa/ikev1/tasks/xauth.c | 10 +- src/libcharon/sa/ikev2/keymat_v2.c | 1 + src/libcharon/sa/ikev2/tasks/child_create.c | 4 +- src/libcharon/sa/ikev2/tasks/child_delete.c | 4 +- src/libcharon/sa/ikev2/tasks/ike_mobike.c | 6 +- src/libcharon/sa/ikev2/tasks/ike_natd.c | 28 +- src/libcharon/sa/shunt_manager.c | 66 +- src/libcharon/sa/trap_manager.c | 2 + src/libfast/fast_dispatcher.c | 3 +- src/libhydra/Android.mk | 1 - src/libhydra/kernel/kernel_interface.c | 27 +- src/libhydra/kernel/kernel_interface.h | 53 +- src/libhydra/kernel/kernel_ipsec.c | 7 +- src/libhydra/kernel/kernel_ipsec.h | 23 +- src/libhydra/kernel/kernel_net.c | 7 +- .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 81 +-- .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 19 +- src/libimcv/imv/data.sql | 48 ++ src/libipsec/Android.mk | 1 - src/libipsec/esp_context.c | 14 +- src/libstrongswan/Android.mk | 4 +- src/libstrongswan/AndroidConfigLocal.h | 22 - src/libstrongswan/Makefile.am | 14 +- src/libstrongswan/Makefile.in | 257 +++---- src/libstrongswan/asn1/oid.c | 511 +++++++------- src/libstrongswan/asn1/oid.h | 201 +++--- src/libstrongswan/asn1/oid.txt | 17 +- src/libstrongswan/credentials/auth_cfg.c | 6 +- src/libstrongswan/credentials/keys/public_key.c | 64 +- src/libstrongswan/credentials/keys/public_key.h | 20 +- src/libstrongswan/crypto/hashers/hasher.c | 75 +- src/libstrongswan/crypto/hashers/hasher.h | 4 + src/libstrongswan/crypto/iv/iv_gen.c | 5 + src/libstrongswan/crypto/iv/iv_gen_null.c | 63 ++ 
src/libstrongswan/crypto/iv/iv_gen_null.h | 32 + src/libstrongswan/plugins/bliss/bliss_plugin.c | 24 +- .../plugins/bliss/bliss_private_key.c | 12 +- src/libstrongswan/plugins/bliss/bliss_public_key.c | 12 +- .../plugins/bliss/tests/suites/test_bliss_sign.c | 10 +- src/libstrongswan/plugins/curl/curl_fetcher.c | 6 +- .../plugins/openssl/openssl_diffie_hellman.c | 1 + .../plugins/openssl/openssl_ec_diffie_hellman.c | 1 + .../plugins/openssl/openssl_rsa_private_key.c | 1 + .../plugins/openssl/openssl_rsa_public_key.c | 1 + src/libstrongswan/plugins/openssl/openssl_util.c | 1 + src/libstrongswan/plugins/plugin_loader.c | 17 +- src/libstrongswan/plugins/random/random_rng.c | 1 + .../plugins/revocation/revocation_validator.c | 2 +- src/libstrongswan/plugins/sha3/Makefile.am | 16 + src/libstrongswan/plugins/sha3/Makefile.in | 774 +++++++++++++++++++++ src/libstrongswan/plugins/sha3/sha3_hasher.c | 527 ++++++++++++++ src/libstrongswan/plugins/sha3/sha3_hasher.h | 48 ++ src/libstrongswan/plugins/sha3/sha3_plugin.c | 79 +++ src/libstrongswan/plugins/sha3/sha3_plugin.h | 42 ++ src/libstrongswan/plugins/test_vectors/Makefile.am | 1 + src/libstrongswan/plugins/test_vectors/Makefile.in | 11 +- .../plugins/test_vectors/test_vectors.h | 24 + .../plugins/test_vectors/test_vectors/sha3.c | 328 +++++++++ src/libstrongswan/plugins/x509/x509_ocsp_request.c | 4 +- src/libstrongswan/selectors/traffic_selector.c | 9 +- src/libstrongswan/settings/settings.c | 25 + src/libstrongswan/settings/settings.h | 9 + src/libstrongswan/tests/suites/test_hasher.c | 137 +++- .../tests/suites/test_identification.c | 1 + src/libstrongswan/tests/suites/test_settings.c | 24 + .../tests/suites/test_traffic_selector.c | 6 +- src/libstrongswan/tests/suites/test_utils.c | 6 +- src/libstrongswan/utils/compat/android.h | 31 + src/libstrongswan/utils/compat/windows.h | 5 + src/libstrongswan/utils/utils.c | 25 +- src/libstrongswan/utils/utils.h | 19 +- src/libtnccs/plugins/tnc_imc/tnc_imc.c | 8 +- 
src/libtnccs/plugins/tnc_imv/tnc_imv.c | 8 +- src/medsrv/Makefile.am | 4 +- src/medsrv/Makefile.in | 4 +- src/medsrv/templates/peer/add.cs | 2 +- src/medsrv/templates/peer/edit.cs | 2 +- src/medsrv/templates/static/mootools.js | 341 --------- src/medsrv/templates/static/script.js | 13 - src/medsrv/templates/static/style.css | 28 +- src/medsrv/templates/user/add.cs | 2 +- src/medsrv/templates/user/login.cs | 2 +- src/pki/commands/acert.c | 3 +- src/pki/commands/issue.c | 3 +- src/pki/commands/req.c | 3 +- src/pki/commands/self.c | 3 +- src/pki/commands/signcrl.c | 2 +- src/scepclient/scepclient.8 | 9 - src/swanctl/commands/list_pools.c | 32 +- src/swanctl/commands/list_sas.c | 12 +- testing/do-tests | 79 ++- testing/hosts/default/etc/strongswan.conf.testing | 7 + testing/hosts/winnetou/etc/openssl/generate-crl | 2 +- testing/scripts/build-strongswan | 14 + testing/scripts/recipes/010_tkm.mk | 2 +- testing/scripts/recipes/013_strongswan.mk | 5 +- testing/tests/af-alg/alg-camellia/pretest.dat | 3 +- testing/tests/af-alg/rw-cert/pretest.dat | 6 +- testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat | 2 +- testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat | 2 +- .../tests/gcrypt-ikev2/alg-camellia/pretest.dat | 3 +- testing/tests/gcrypt-ikev2/rw-cert/pretest.dat | 3 +- testing/tests/ha/active-passive/evaltest.dat | 2 +- testing/tests/ha/active-passive/pretest.dat | 5 +- testing/tests/ha/both-active/pretest.dat | 3 +- testing/tests/ike/rw-cert/pretest.dat | 4 +- testing/tests/ike/rw_v1-net_v2/pretest.dat | 4 +- testing/tests/ikev1/alg-3des-md5/pretest.dat | 2 +- testing/tests/ikev1/alg-blowfish/pretest.dat | 3 +- testing/tests/ikev1/alg-modp-subgroup/pretest.dat | 3 +- testing/tests/ikev1/alg-sha256/pretest.dat | 2 +- testing/tests/ikev1/alg-sha384/pretest.dat | 2 +- testing/tests/ikev1/alg-sha512/pretest.dat | 2 +- testing/tests/ikev1/compress/pretest.dat | 2 +- .../tests/ikev1/config-payload-push/pretest.dat | 4 +- testing/tests/ikev1/config-payload/pretest.dat | 4 +- 
testing/tests/ikev1/double-nat-net/pretest.dat | 3 +- testing/tests/ikev1/double-nat/pretest.dat | 3 +- testing/tests/ikev1/dpd-clear/description.txt | 2 +- testing/tests/ikev1/dpd-clear/evaltest.dat | 4 +- .../ikev1/dpd-clear/hosts/moon/etc/ipsec.conf | 4 +- testing/tests/ikev1/dpd-clear/pretest.dat | 2 +- testing/tests/ikev1/dpd-restart/description.txt | 6 +- testing/tests/ikev1/dpd-restart/evaltest.dat | 4 +- .../ikev1/dpd-restart/hosts/carol/etc/ipsec.conf | 4 +- testing/tests/ikev1/dpd-restart/pretest.dat | 2 +- testing/tests/ikev1/dynamic-initiator/posttest.dat | 1 - testing/tests/ikev1/dynamic-initiator/pretest.dat | 5 +- testing/tests/ikev1/dynamic-responder/posttest.dat | 1 - testing/tests/ikev1/dynamic-responder/pretest.dat | 7 +- testing/tests/ikev1/dynamic-two-peers/posttest.dat | 1 - testing/tests/ikev1/dynamic-two-peers/pretest.dat | 4 +- testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat | 2 +- testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat | 2 +- testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat | 2 +- testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat | 2 +- testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat | 2 +- testing/tests/ikev1/esp-alg-null/pretest.dat | 3 +- testing/tests/ikev1/host2host-ah/pretest.dat | 2 +- testing/tests/ikev1/host2host-cert/pretest.dat | 2 +- .../tests/ikev1/host2host-transport/pretest.dat | 2 +- .../ip-pool-db/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev1/ip-pool-db/posttest.dat | 1 - testing/tests/ikev1/ip-pool-db/pretest.dat | 10 +- testing/tests/ikev1/ip-pool-db/test.conf | 4 + testing/tests/ikev1/ip-pool/pretest.dat | 4 +- .../tests/ikev1/multi-level-ca-cr-init/pretest.dat | 3 +- .../tests/ikev1/multi-level-ca-cr-resp/pretest.dat | 3 +- testing/tests/ikev1/multi-level-ca/pretest.dat | 5 +- testing/tests/ikev1/nat-rw/pretest.dat | 5 +- testing/tests/ikev1/nat-virtual-ip/pretest.dat | 3 +- testing/tests/ikev1/net2net-ah/pretest.dat | 4 +- testing/tests/ikev1/net2net-cert/pretest.dat | 4 +- 
.../tests/ikev1/net2net-fragmentation/pretest.dat | 4 +- testing/tests/ikev1/net2net-ntru-cert/pretest.dat | 2 +- testing/tests/ikev1/net2net-psk-fail/pretest.dat | 4 +- testing/tests/ikev1/net2net-psk/pretest.dat | 4 +- testing/tests/ikev1/protoport-dual/pretest.dat | 3 +- testing/tests/ikev1/rw-cert-aggressive/pretest.dat | 3 +- testing/tests/ikev1/rw-cert-unity/pretest.dat | 2 +- testing/tests/ikev1/rw-cert/pretest.dat | 4 +- .../hosts/dave/etc/strongswan.conf | 4 - testing/tests/ikev1/rw-initiator-only/pretest.dat | 3 +- testing/tests/ikev1/rw-ntru-psk/pretest.dat | 4 +- testing/tests/ikev1/rw-psk-aggressive/pretest.dat | 5 +- testing/tests/ikev1/rw-psk-fqdn/pretest.dat | 5 +- testing/tests/ikev1/rw-psk-ipv4/pretest.dat | 5 +- testing/tests/ikev1/virtual-ip/pretest.dat | 3 +- .../tests/ikev1/xauth-id-psk-config/pretest.dat | 3 +- .../ikev1/xauth-id-rsa-aggressive/pretest.dat | 3 +- .../tests/ikev1/xauth-id-rsa-config/pretest.dat | 3 +- .../tests/ikev1/xauth-id-rsa-hybrid/pretest.dat | 3 +- testing/tests/ikev1/xauth-psk/pretest.dat | 3 +- .../ikev1/xauth-rsa-eap-md5-radius/pretest.dat | 3 +- testing/tests/ikev1/xauth-rsa-radius/pretest.dat | 3 +- testing/tests/ikev1/xauth-rsa/pretest.dat | 3 +- testing/tests/ikev2/acert-cached/evaltest.dat | 2 +- testing/tests/ikev2/acert-cached/pretest.dat | 3 +- testing/tests/ikev2/acert-fallback/evaltest.dat | 2 +- testing/tests/ikev2/acert-fallback/pretest.dat | 2 +- testing/tests/ikev2/acert-inline/evaltest.dat | 2 +- testing/tests/ikev2/acert-inline/pretest.dat | 3 +- testing/tests/ikev2/after-2038-certs/pretest.dat | 2 +- testing/tests/ikev2/alg-3des-md5/pretest.dat | 2 +- testing/tests/ikev2/alg-aes-ccm/pretest.dat | 2 +- testing/tests/ikev2/alg-aes-ctr/pretest.dat | 2 +- testing/tests/ikev2/alg-aes-gcm/pretest.dat | 2 +- testing/tests/ikev2/alg-aes-xcbc/pretest.dat | 2 +- testing/tests/ikev2/alg-blowfish/pretest.dat | 3 +- .../tests/ikev2/alg-chacha20poly1305/pretest.dat | 2 +- 
testing/tests/ikev2/alg-modp-subgroup/pretest.dat | 3 +- testing/tests/ikev2/alg-sha256-96/pretest.dat | 2 +- testing/tests/ikev2/alg-sha256/pretest.dat | 2 +- testing/tests/ikev2/alg-sha384/pretest.dat | 2 +- testing/tests/ikev2/alg-sha512/pretest.dat | 2 +- testing/tests/ikev2/any-interface/pretest.dat | 9 +- testing/tests/ikev2/compress/pretest.dat | 2 +- .../tests/ikev2/config-payload-swapped/pretest.dat | 4 +- testing/tests/ikev2/config-payload/pretest.dat | 4 +- testing/tests/ikev2/critical-extension/pretest.dat | 2 +- testing/tests/ikev2/crl-from-cache/pretest.dat | 2 +- testing/tests/ikev2/crl-ldap/pretest.dat | 3 +- testing/tests/ikev2/crl-revoked/pretest.dat | 2 +- testing/tests/ikev2/crl-to-cache/pretest.dat | 2 +- testing/tests/ikev2/default-keys/pretest.dat | 4 +- testing/tests/ikev2/dhcp-dynamic/pretest.dat | 4 +- .../tests/ikev2/dhcp-static-client-id/pretest.dat | 4 +- testing/tests/ikev2/dhcp-static-mac/pretest.dat | 4 +- testing/tests/ikev2/double-nat-net/pretest.dat | 3 +- testing/tests/ikev2/double-nat/pretest.dat | 3 +- testing/tests/ikev2/dpd-clear/description.txt | 2 +- testing/tests/ikev2/dpd-clear/evaltest.dat | 4 +- testing/tests/ikev2/dpd-clear/pretest.dat | 2 +- testing/tests/ikev2/dpd-hold/evaltest.dat | 8 +- testing/tests/ikev2/dpd-hold/pretest.dat | 2 +- testing/tests/ikev2/dpd-restart/evaltest.dat | 6 +- testing/tests/ikev2/dpd-restart/pretest.dat | 2 +- .../tests/ikev2/dynamic-initiator/description.txt | 6 +- testing/tests/ikev2/dynamic-initiator/posttest.dat | 1 - testing/tests/ikev2/dynamic-initiator/pretest.dat | 5 +- testing/tests/ikev2/dynamic-two-peers/posttest.dat | 1 - testing/tests/ikev2/dynamic-two-peers/pretest.dat | 4 +- testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat | 2 +- testing/tests/ikev2/esp-alg-md5-128/pretest.dat | 3 +- testing/tests/ikev2/esp-alg-null/pretest.dat | 3 +- testing/tests/ikev2/esp-alg-sha1-160/pretest.dat | 3 +- testing/tests/ikev2/farp/pretest.dat | 4 +- 
testing/tests/ikev2/force-udp-encaps/pretest.dat | 4 +- testing/tests/ikev2/forecast/pretest.dat | 4 +- testing/tests/ikev2/host2host-ah/pretest.dat | 2 +- testing/tests/ikev2/host2host-cert/pretest.dat | 2 +- testing/tests/ikev2/host2host-swapped/pretest.dat | 2 +- .../tests/ikev2/host2host-transport/pretest.dat | 2 +- .../tests/ikev2/inactivity-timeout/evaltest.dat | 4 +- testing/tests/ikev2/inactivity-timeout/pretest.dat | 3 +- .../ip-pool-db/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/ip-pool-db/posttest.dat | 1 - testing/tests/ikev2/ip-pool-db/pretest.dat | 10 +- testing/tests/ikev2/ip-pool-db/test.conf | 4 + testing/tests/ikev2/ip-pool-wish/pretest.dat | 4 +- testing/tests/ikev2/ip-pool/pretest.dat | 4 +- .../hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/ip-split-pools-db/posttest.dat | 1 - testing/tests/ikev2/ip-split-pools-db/pretest.dat | 8 +- testing/tests/ikev2/ip-split-pools-db/test.conf | 4 + .../ip-two-pools-db/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/ip-two-pools-db/posttest.dat | 1 - testing/tests/ikev2/ip-two-pools-db/pretest.dat | 12 +- testing/tests/ikev2/ip-two-pools-db/test.conf | 4 + .../hosts/moon/etc/strongswan.conf | 2 +- .../tests/ikev2/ip-two-pools-mixed/posttest.dat | 1 - testing/tests/ikev2/ip-two-pools-mixed/pretest.dat | 10 +- testing/tests/ikev2/ip-two-pools-mixed/test.conf | 4 + .../hosts/moon/etc/strongswan.conf | 2 +- .../tests/ikev2/ip-two-pools-v4v6-db/posttest.dat | 1 - .../tests/ikev2/ip-two-pools-v4v6-db/pretest.dat | 6 +- testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf | 4 + testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat | 2 +- testing/tests/ikev2/ip-two-pools/posttest.dat | 1 - testing/tests/ikev2/ip-two-pools/pretest.dat | 4 +- testing/tests/ikev2/lookip/pretest.dat | 4 +- .../mobike-nat/hosts/alice/etc/iptables.rules | 6 +- testing/tests/ikev2/mobike-nat/pretest.dat | 3 +- .../hosts/alice/etc/iptables.rules | 4 + testing/tests/ikev2/mobike-virtual-ip/pretest.dat | 3 +- 
.../ikev2/mobike/hosts/alice/etc/iptables.rules | 4 + testing/tests/ikev2/mobike/pretest.dat | 3 +- .../ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat | 2 +- .../ikev2/mult-auth-rsa-eap-sim-id/pretest.dat | 4 +- .../tests/ikev2/multi-level-ca-cr-init/pretest.dat | 3 +- .../tests/ikev2/multi-level-ca-cr-resp/pretest.dat | 3 +- .../tests/ikev2/multi-level-ca-ldap/pretest.dat | 7 +- .../tests/ikev2/multi-level-ca-loop/pretest.dat | 2 +- .../tests/ikev2/multi-level-ca-pathlen/pretest.dat | 4 +- .../tests/ikev2/multi-level-ca-revoked/pretest.dat | 2 +- .../tests/ikev2/multi-level-ca-strict/pretest.dat | 5 +- testing/tests/ikev2/multi-level-ca/posttest.dat | 1 - testing/tests/ikev2/multi-level-ca/pretest.dat | 5 +- testing/tests/ikev2/nat-rw-mark/pretest.dat | 5 +- testing/tests/ikev2/nat-rw-psk/pretest.dat | 5 +- testing/tests/ikev2/nat-rw/pretest.dat | 5 +- testing/tests/ikev2/nat-virtual-ip/pretest.dat | 3 +- testing/tests/ikev2/net2net-ah/pretest.dat | 2 +- testing/tests/ikev2/net2net-cert-sha2/pretest.dat | 2 +- testing/tests/ikev2/net2net-cert/pretest.dat | 2 +- testing/tests/ikev2/net2net-dnscert/pretest.dat | 2 +- testing/tests/ikev2/net2net-dnssec/pretest.dat | 2 +- testing/tests/ikev2/net2net-esn/pretest.dat | 2 +- .../tests/ikev2/net2net-ntru-bandwidth/pretest.dat | 2 +- testing/tests/ikev2/net2net-ntru-cert/pretest.dat | 2 +- testing/tests/ikev2/net2net-pgp-v3/pretest.dat | 2 +- testing/tests/ikev2/net2net-pgp-v4/pretest.dat | 2 +- testing/tests/ikev2/net2net-pkcs12/pretest.dat | 2 +- testing/tests/ikev2/net2net-psk-dscp/pretest.dat | 5 +- testing/tests/ikev2/net2net-psk-fail/pretest.dat | 2 +- testing/tests/ikev2/net2net-psk/pretest.dat | 2 +- testing/tests/ikev2/net2net-rfc3779/pretest.dat | 3 +- testing/tests/ikev2/net2net-route/pretest.dat | 4 +- testing/tests/ikev2/net2net-rsa/pretest.dat | 2 +- testing/tests/ikev2/net2net-same-nets/pretest.dat | 2 +- testing/tests/ikev2/net2net-start/pretest.dat | 3 +- testing/tests/ikev2/ocsp-local-cert/pretest.dat | 2 +- 
testing/tests/ikev2/ocsp-multi-level/pretest.dat | 3 +- .../tests/ikev2/ocsp-no-signer-cert/pretest.dat | 4 +- testing/tests/ikev2/ocsp-revoked/pretest.dat | 2 +- testing/tests/ikev2/ocsp-root-cert/pretest.dat | 2 +- testing/tests/ikev2/ocsp-signer-cert/pretest.dat | 2 +- testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat | 2 +- testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat | 3 +- .../tests/ikev2/ocsp-timeouts-good/description.txt | 2 +- .../tests/ikev2/ocsp-timeouts-good/evaltest.dat | 4 +- .../hosts/winnetou/etc/openssl/ocsp/ocsp.cgi | 2 +- testing/tests/ikev2/ocsp-timeouts-good/pretest.dat | 2 +- .../tests/ikev2/ocsp-timeouts-unknown/evaltest.dat | 2 +- .../tests/ikev2/ocsp-timeouts-unknown/pretest.dat | 6 +- .../tests/ikev2/ocsp-untrusted-cert/pretest.dat | 4 +- testing/tests/ikev2/protoport-dual/pretest.dat | 3 +- testing/tests/ikev2/protoport-route/pretest.dat | 6 +- testing/tests/ikev2/reauth-early/pretest.dat | 2 +- testing/tests/ikev2/reauth-late/pretest.dat | 2 +- .../tests/ikev2/reauth-mbb-virtual-ip/pretest.dat | 2 +- testing/tests/ikev2/reauth-mbb/pretest.dat | 2 +- .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/rw-cert/pretest.dat | 4 +- testing/tests/ikev2/rw-dnssec/pretest.dat | 4 +- testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-dynamic/pretest.dat | 4 +- .../ikev2/rw-eap-framed-ip-radius/pretest.dat | 8 +- .../ikev2/rw-eap-md5-class-radius/pretest.dat | 6 +- .../tests/ikev2/rw-eap-md5-id-prompt/pretest.dat | 3 +- .../tests/ikev2/rw-eap-md5-id-radius/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-md5-radius/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat | 3 +- .../tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-peap-md5/pretest.dat | 4 +- 
.../tests/ikev2/rw-eap-peap-mschapv2/pretest.dat | 4 +- testing/tests/ikev2/rw-eap-peap-radius/pretest.dat | 4 +- .../tests/ikev2/rw-eap-sim-id-radius/pretest.dat | 3 +- .../ikev2/rw-eap-sim-only-radius/evaltest.dat | 2 +- .../tests/ikev2/rw-eap-sim-only-radius/pretest.dat | 4 +- testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat | 2 +- testing/tests/ikev2/rw-eap-sim-radius/pretest.dat | 4 +- testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat | 3 +- .../tests/ikev2/rw-eap-tls-fragments/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-tls-only/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-tls-radius/pretest.dat | 3 +- testing/tests/ikev2/rw-eap-ttls-only/pretest.dat | 4 +- .../ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat | 4 +- testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat | 4 +- testing/tests/ikev2/rw-hash-and-url/pretest.dat | 3 +- .../hosts/dave/etc/strongswan.conf | 4 - testing/tests/ikev2/rw-initiator-only/pretest.dat | 3 +- testing/tests/ikev2/rw-mark-in-out/pretest.dat | 11 +- testing/tests/ikev2/rw-ntru-bliss/evaltest.dat | 8 +- .../ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf | 1 + .../rw-ntru-bliss/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf | 1 + .../rw-ntru-bliss/hosts/dave/etc/strongswan.conf | 2 +- .../ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf | 1 + .../rw-ntru-bliss/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/rw-ntru-bliss/pretest.dat | 4 +- testing/tests/ikev2/rw-ntru-psk/pretest.dat | 4 +- testing/tests/ikev2/rw-pkcs8/pretest.dat | 3 +- testing/tests/ikev2/rw-psk-fqdn/pretest.dat | 3 +- testing/tests/ikev2/rw-psk-ipv4/pretest.dat | 3 +- testing/tests/ikev2/rw-psk-no-idr/pretest.dat | 3 +- testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat | 3 +- testing/tests/ikev2/rw-psk-rsa-split/pretest.dat | 3 +- .../tests/ikev2/rw-radius-accounting/pretest.dat | 3 +- testing/tests/ikev2/rw-sig-auth/pretest.dat | 6 +- testing/tests/ikev2/rw-whitelist/evaltest.dat | 2 +- 
testing/tests/ikev2/strong-keys-certs/pretest.dat | 4 +- testing/tests/ikev2/trap-any/evaltest.dat | 10 +- testing/tests/ikev2/two-certs/pretest.dat | 4 +- .../tests/ikev2/virtual-ip-override/pretest.dat | 3 +- testing/tests/ikev2/virtual-ip/pretest.dat | 3 +- testing/tests/ikev2/wildcards/pretest.dat | 5 +- .../hosts/sun/etc/ipsec.conf | 2 +- .../hosts/sun/etc/ipsec.conf | 2 +- testing/tests/ipv6/rw-compress-ikev2/evaltest.dat | 3 +- testing/tests/libipsec/host2host-cert/pretest.dat | 2 +- testing/tests/libipsec/net2net-3des/pretest.dat | 2 +- testing/tests/libipsec/net2net-cert/pretest.dat | 2 +- .../tests/libipsec/net2net-null/description.txt | 11 + testing/tests/libipsec/net2net-null/evaltest.dat | 11 + .../net2net-null/hosts/moon/etc/ipsec.conf | 24 + .../net2net-null/hosts/moon/etc/strongswan.conf | 6 + .../libipsec/net2net-null/hosts/moon/etc/updown | 566 +++++++++++++++ .../libipsec/net2net-null/hosts/sun/etc/ipsec.conf | 24 + .../net2net-null/hosts/sun/etc/strongswan.conf | 6 + .../libipsec/net2net-null/hosts/sun/etc/updown | 566 +++++++++++++++ testing/tests/libipsec/net2net-null/posttest.dat | 4 + testing/tests/libipsec/net2net-null/pretest.dat | 6 + testing/tests/libipsec/net2net-null/test.conf | 21 + testing/tests/libipsec/rw-suite-b/pretest.dat | 4 +- .../tests/openssl-ikev1/alg-camellia/pretest.dat | 3 +- .../tests/openssl-ikev1/alg-ecp-high/pretest.dat | 3 +- .../tests/openssl-ikev1/alg-ecp-low/pretest.dat | 3 +- .../tests/openssl-ikev1/ecdsa-certs/pretest.dat | 3 +- .../tests/openssl-ikev2/alg-aes-gcm/pretest.dat | 3 +- .../tests/openssl-ikev2/alg-blowfish/pretest.dat | 3 +- .../tests/openssl-ikev2/alg-camellia/pretest.dat | 3 +- .../alg-ecp-brainpool-high/pretest.dat | 3 +- .../alg-ecp-brainpool-low/pretest.dat | 3 +- .../tests/openssl-ikev2/alg-ecp-high/pretest.dat | 3 +- .../tests/openssl-ikev2/alg-ecp-low/pretest.dat | 3 +- .../openssl-ikev2/critical-extension/pretest.dat | 2 +- .../tests/openssl-ikev2/ecdsa-certs/pretest.dat | 3 +- 
.../tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat | 3 +- .../tests/openssl-ikev2/net2net-pgp-v3/pretest.dat | 2 +- .../tests/openssl-ikev2/net2net-pkcs12/pretest.dat | 2 +- testing/tests/openssl-ikev2/rw-cert/pretest.dat | 5 +- .../openssl-ikev2/rw-eap-tls-only/pretest.dat | 3 +- .../rw-suite-b-128/hosts/dave/etc/strongswan.conf | 3 - .../tests/openssl-ikev2/rw-suite-b-128/pretest.dat | 4 +- .../rw-suite-b-192/hosts/dave/etc/strongswan.conf | 3 - .../tests/openssl-ikev2/rw-suite-b-192/pretest.dat | 4 +- testing/tests/p2pnat/behind-same-nat/pretest.dat | 4 +- testing/tests/p2pnat/medsrv-psk/pretest.dat | 4 +- testing/tests/pfkey/alg-aes-xcbc/pretest.dat | 2 +- testing/tests/pfkey/alg-sha384/pretest.dat | 2 +- testing/tests/pfkey/alg-sha512/pretest.dat | 2 +- testing/tests/pfkey/compress/pretest.dat | 2 +- testing/tests/pfkey/esp-alg-null/pretest.dat | 2 +- .../tests/pfkey/host2host-transport/pretest.dat | 2 +- testing/tests/pfkey/nat-rw/pretest.dat | 5 +- testing/tests/pfkey/net2net-route/pretest.dat | 4 +- testing/tests/pfkey/protoport-dual/pretest.dat | 3 +- testing/tests/pfkey/protoport-route/pretest.dat | 6 +- testing/tests/pfkey/rw-cert/pretest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 4 +- testing/tests/sql/ip-pool-db-expired/posttest.dat | 4 - testing/tests/sql/ip-pool-db-expired/pretest.dat | 15 +- testing/tests/sql/ip-pool-db-expired/test.conf | 4 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 4 +- testing/tests/sql/ip-pool-db-restart/posttest.dat | 4 - testing/tests/sql/ip-pool-db-restart/pretest.dat | 16 +- testing/tests/sql/ip-pool-db-restart/test.conf | 4 + .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf | 2 +- .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf | 2 +- .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf | 4 +- testing/tests/sql/ip-pool-db/posttest.dat | 7 +- 
testing/tests/sql/ip-pool-db/pretest.dat | 16 +- testing/tests/sql/ip-pool-db/test.conf | 4 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 4 +- .../sql/ip-split-pools-db-restart/posttest.dat | 4 - .../sql/ip-split-pools-db-restart/pretest.dat | 16 +- .../tests/sql/ip-split-pools-db-restart/test.conf | 4 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 4 +- testing/tests/sql/ip-split-pools-db/posttest.dat | 4 - testing/tests/sql/ip-split-pools-db/pretest.dat | 16 +- testing/tests/sql/ip-split-pools-db/test.conf | 4 + .../multi-level-ca/hosts/carol/etc/strongswan.conf | 2 +- .../multi-level-ca/hosts/dave/etc/strongswan.conf | 2 +- .../multi-level-ca/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/multi-level-ca/posttest.dat | 4 - testing/tests/sql/multi-level-ca/pretest.dat | 15 +- testing/tests/sql/multi-level-ca/test.conf | 4 + .../net2net-cert/hosts/moon/etc/strongswan.conf | 2 +- .../sql/net2net-cert/hosts/sun/etc/strongswan.conf | 2 +- testing/tests/sql/net2net-cert/posttest.dat | 2 - testing/tests/sql/net2net-cert/pretest.dat | 10 +- testing/tests/sql/net2net-cert/test.conf | 6 +- .../sql/net2net-psk/hosts/moon/etc/strongswan.conf | 2 +- .../sql/net2net-psk/hosts/sun/etc/strongswan.conf | 2 +- testing/tests/sql/net2net-psk/posttest.dat | 2 - testing/tests/sql/net2net-psk/pretest.dat | 10 +- testing/tests/sql/net2net-psk/test.conf | 6 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 2 +- testing/tests/sql/net2net-route-pem/posttest.dat | 2 - testing/tests/sql/net2net-route-pem/pretest.dat | 14 +- testing/tests/sql/net2net-route-pem/test.conf | 6 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 2 +- testing/tests/sql/net2net-start-pem/posttest.dat | 2 - testing/tests/sql/net2net-start-pem/pretest.dat | 10 +- 
testing/tests/sql/net2net-start-pem/test.conf | 6 +- .../sql/rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../sql/rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../sql/rw-cert/hosts/moon/etc/strongswan.conf | 5 +- testing/tests/sql/rw-cert/posttest.dat | 4 - testing/tests/sql/rw-cert/pretest.dat | 15 +- testing/tests/sql/rw-cert/test.conf | 4 + .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf | 2 +- .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-eap-aka-rsa/posttest.dat | 3 - testing/tests/sql/rw-eap-aka-rsa/pretest.dat | 10 +- testing/tests/sql/rw-eap-aka-rsa/test.conf | 4 + .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf | 2 +- .../sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf | 2 +- .../sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-psk-ipv4/posttest.dat | 4 - testing/tests/sql/rw-psk-ipv4/pretest.dat | 15 +- testing/tests/sql/rw-psk-ipv4/test.conf | 4 + .../rw-psk-ipv6/hosts/carol/etc/strongswan.conf | 2 +- .../sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf | 2 +- .../sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-psk-ipv6/posttest.dat | 3 - testing/tests/sql/rw-psk-ipv6/pretest.dat | 15 +- testing/tests/sql/rw-psk-ipv6/test.conf | 4 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-psk-rsa-split/posttest.dat | 4 - testing/tests/sql/rw-psk-rsa-split/pretest.dat | 15 +- testing/tests/sql/rw-psk-rsa-split/test.conf | 4 + .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf | 2 +- .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf | 2 +- .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-rsa-keyid/posttest.dat | 4 - testing/tests/sql/rw-rsa-keyid/pretest.dat | 15 +- testing/tests/sql/rw-rsa-keyid/test.conf | 4 + .../sql/rw-rsa/hosts/carol/etc/strongswan.conf | 2 +- .../sql/rw-rsa/hosts/dave/etc/strongswan.conf | 2 +- 
.../sql/rw-rsa/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/sql/rw-rsa/posttest.dat | 4 - testing/tests/sql/rw-rsa/pretest.dat | 15 +- testing/tests/sql/rw-rsa/test.conf | 4 + .../hosts/alice/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 4 +- .../hosts/venus/etc/strongswan.conf | 2 +- .../tests/sql/shunt-policies-nat-rw/posttest.dat | 3 - .../tests/sql/shunt-policies-nat-rw/pretest.dat | 12 +- testing/tests/sql/shunt-policies-nat-rw/test.conf | 4 + .../ip-pool-db/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/swanctl/ip-pool-db/pretest.dat | 4 +- testing/tests/swanctl/ip-pool-db/test.conf | 4 + testing/tests/swanctl/ip-pool/evaltest.dat | 2 + testing/tests/tnc/tnccs-11-fhh/evaltest.dat | 4 +- testing/tests/tnc/tnccs-11-fhh/pretest.dat | 5 +- .../tests/tnc/tnccs-11-radius-block/evaltest.dat | 2 +- .../tests/tnc/tnccs-11-radius-block/pretest.dat | 4 +- testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat | 4 +- .../hosts/alice/etc/strongswan.conf | 4 +- .../hosts/dave/etc/strongswan.conf | 2 + testing/tests/tnc/tnccs-11-radius-pts/posttest.dat | 1 - testing/tests/tnc/tnccs-11-radius-pts/pretest.dat | 6 +- testing/tests/tnc/tnccs-11-radius-pts/test.conf | 3 + testing/tests/tnc/tnccs-11-radius/evaltest.dat | 4 +- testing/tests/tnc/tnccs-11-radius/pretest.dat | 4 +- testing/tests/tnc/tnccs-11-supplicant/pretest.dat | 2 +- testing/tests/tnc/tnccs-11/evaltest.dat | 4 +- testing/tests/tnc/tnccs-11/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-block/evaltest.dat | 2 +- testing/tests/tnc/tnccs-20-block/pretest.dat | 4 +- .../tests/tnc/tnccs-20-client-retry/evaltest.dat | 4 +- .../tests/tnc/tnccs-20-client-retry/pretest.dat | 8 +- testing/tests/tnc/tnccs-20-fail-init/pretest.dat | 5 +- testing/tests/tnc/tnccs-20-fail-resp/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-fhh/evaltest.dat | 4 +- testing/tests/tnc/tnccs-20-fhh/pretest.dat | 9 +- .../alice/etc/apache2/sites-available/default | 26 - .../tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql | 61 -- 
.../hosts/alice/etc/strongTNC/settings.ini | 19 - .../hosts/alice/etc/strongswan.conf | 9 +- testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat | 2 +- .../tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat | 4 +- testing/tests/tnc/tnccs-20-os-pts/evaltest.dat | 4 +- .../tnccs-20-os-pts/hosts/dave/etc/strongswan.conf | 2 + .../tnccs-20-os-pts/hosts/moon/etc/strongswan.conf | 4 +- testing/tests/tnc/tnccs-20-os-pts/posttest.dat | 1 - testing/tests/tnc/tnccs-20-os-pts/pretest.dat | 6 +- testing/tests/tnc/tnccs-20-os-pts/test.conf | 5 +- testing/tests/tnc/tnccs-20-os/evaltest.dat | 4 +- .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf | 4 +- testing/tests/tnc/tnccs-20-os/posttest.dat | 1 - testing/tests/tnc/tnccs-20-os/pretest.dat | 2 +- testing/tests/tnc/tnccs-20-os/test.conf | 5 +- testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat | 4 +- .../hosts/alice/etc/strongTNC/settings.ini | 2 +- .../hosts/alice/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 + .../hosts/dave/etc/strongswan.conf | 4 +- testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat | 1 - testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat | 7 +- testing/tests/tnc/tnccs-20-pdp-eap/test.conf | 4 +- .../hosts/alice/etc/strongTNC/settings.ini | 2 +- .../hosts/alice/etc/strongswan.conf | 2 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat | 1 - testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat | 7 +- testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf | 5 +- testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat | 4 +- .../hosts/dave/etc/strongswan.conf | 2 + .../hosts/moon/etc/strongswan.conf | 4 +- testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat | 1 - testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat | 6 +- testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf | 4 +- testing/tests/tnc/tnccs-20-pts/evaltest.dat | 4 +- .../tnccs-20-pts/hosts/dave/etc/strongswan.conf | 2 + .../tnccs-20-pts/hosts/moon/etc/strongswan.conf | 6 +- 
testing/tests/tnc/tnccs-20-pts/posttest.dat | 1 - testing/tests/tnc/tnccs-20-pts/pretest.dat | 6 +- testing/tests/tnc/tnccs-20-pts/test.conf | 4 +- .../tests/tnc/tnccs-20-server-retry/evaltest.dat | 4 +- .../tests/tnc/tnccs-20-server-retry/pretest.dat | 8 +- testing/tests/tnc/tnccs-20-tls/evaltest.dat | 4 +- testing/tests/tnc/tnccs-20-tls/pretest.dat | 4 +- testing/tests/tnc/tnccs-20/evaltest.dat | 4 +- testing/tests/tnc/tnccs-20/pretest.dat | 8 +- testing/tests/tnc/tnccs-dynamic/evaltest.dat | 4 +- testing/tests/tnc/tnccs-dynamic/pretest.dat | 4 +- 671 files changed, 6798 insertions(+), 2616 deletions(-) create mode 100644 src/charon-tkm/src/tkm/tkm_spi_generator.c create mode 100644 src/charon-tkm/src/tkm/tkm_spi_generator.h create mode 100644 src/include/linux/socket.h delete mode 100644 src/libstrongswan/AndroidConfigLocal.h create mode 100644 src/libstrongswan/crypto/iv/iv_gen_null.c create mode 100644 src/libstrongswan/crypto/iv/iv_gen_null.h create mode 100644 src/libstrongswan/plugins/sha3/Makefile.am create mode 100644 src/libstrongswan/plugins/sha3/Makefile.in create mode 100644 src/libstrongswan/plugins/sha3/sha3_hasher.c create mode 100644 src/libstrongswan/plugins/sha3/sha3_hasher.h create mode 100644 src/libstrongswan/plugins/sha3/sha3_plugin.c create mode 100644 src/libstrongswan/plugins/sha3/sha3_plugin.h create mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c create mode 100644 src/libstrongswan/utils/compat/android.h delete mode 100644 src/medsrv/templates/static/mootools.js delete mode 100644 src/medsrv/templates/static/script.js create mode 100644 testing/hosts/default/etc/strongswan.conf.testing create mode 100644 testing/tests/libipsec/net2net-null/description.txt create mode 100644 testing/tests/libipsec/net2net-null/evaltest.dat create mode 100644 testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf create mode 100755 
testing/tests/libipsec/net2net-null/hosts/moon/etc/updown create mode 100644 testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/libipsec/net2net-null/hosts/sun/etc/updown create mode 100644 testing/tests/libipsec/net2net-null/posttest.dat create mode 100644 testing/tests/libipsec/net2net-null/pretest.dat create mode 100644 testing/tests/libipsec/net2net-null/test.conf delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql delete mode 100644 testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini (limited to 'src')
diff --git a/Android.common.mk b/Android.common.mk
index 33b993e8e..baeeb36e1 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
 )
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.3.3"
+strongswan_VERSION := "5.3.4"
diff --git a/NEWS b/NEWS
index 0940dff9c..4674e52e6 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,17 @@
+strongswan-5.3.4
+----------------
+
+- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
+ was caused by insufficient verification of the internal state when handling
+ MSCHAPv2 Success messages received by the client.
+ This vulnerability has been registered as CVE-2015-8023.
+
+- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family.
+ Within the strongSwan framework SHA3 is currently used for BLISS signatures
+ only because the OIDs for other signature algorithms haven't been defined
+ yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
+
 strongswan-5.3.3
 ----------------
@@ -37,7 +51,7 @@ strongswan-5.3.3 since 5.0.0) and packets that have the flag set incorrectly are again ignored. - Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy - Device Health Assessment Trusted Network Connect Binding" (HCD-TNC) + Device Health Assessment Trusted Network Connect Binding" (HCD-TNC) document drafted by the IEEE Printer Working Group (PWG). - Fixed IF-M segmentation which failed in the presence of multiple small diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf index c91421dea..454405985 100644 --- a/conf/options/charon-logging.conf +++ b/conf/options/charon-logging.conf @@ -25,6 +25,11 @@ charon { # numerical identifier for each IKE_SA. # ike_name = no + # Adds the milliseconds within the current second after the + # timestamp (separated by a dot, so time_format should end with %S + # or %T). + # time_add_ms = no + # Prefix each log entry with a timestamp. The option accepts a # format string as passed to strftime(3). # time_format = diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt index b437a9cc3..2bbb5dce4 100644 --- a/conf/options/charon-logging.opt +++ b/conf/options/charon-logging.opt @@ -28,6 +28,10 @@ charon.filelog..time_format Prefix each log entry with a timestamp. The option accepts a format string as passed to **strftime**(3). +charon.filelog..time_add_ms = no + Adds the milliseconds within the current second after the timestamp + (separated by a dot, so _time_format_ should end with %S or %T). + charon.syslog {} Section to define syslog loggers, see LOGGER CONFIGURATION in **strongswan.conf**(5). diff --git a/conf/options/charon.conf b/conf/options/charon.conf index 5f27b08e3..b55d429a7 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf 
@@ -24,6 +24,10 @@ charon {
 # strength.
 # dh_exponent_ansi_x9_42 = yes
+ # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
+ # missing symbols immediately.
+ # dlopen_use_rtld_now = no
+
 # DNS server assigned to peer via configuration payload (CP).
 # dns1 =
@@ -123,6 +127,10 @@ charon {
 # Initiate IKEv2 reauthentication with a make-before-break scheme.
 # make_before_break = no
+ # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
+ # and track concurrently.
+ # max_ikev1_exchanges = 3
+
 # Maximum packet size accepted by charon.
 # max_packet = 10000
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 5d137aee8..816f3250c 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -65,6 +65,10 @@ charon.dh_exponent_ansi_x9_42 = yes
 Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength.
+charon.dlopen_use_rtld_now = no
+ Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing
+ symbols immediately.
+
 charon.dns1
 DNS server assigned to peer via configuration payload (CP).
@@ -204,6 +208,10 @@ charon.load_modular = no
 plugin list is preserved. Enabled plugins not found in that list are ordered alphabetically before other plugins with the same priority.
+charon.max_ikev1_exchanges = 3
+ Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and
+ track concurrently.
+
 charon.max_packet = 10000
 Maximum packet size accepted by charon.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 559efcb4c..7fc421c60 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
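Review bot: The `charon.max_ikev1_exchanges = 3` entry in the second charon.opt hunk gives the cap but not what happens when an IKE_SA already has three phase 2 exchanges tracked and a further one starts, which is what an operator needs in order to judge whether 3 fits their peers; the same wording is repeated in the charon.conf and strongswan.conf.5.main hunks. I would add one sentence to the .opt description along the lines of `Once the limit is reached, additional exchanges are <BEHAVIOUR — confirm against the implementation>.` and let the generated .conf and man page pick it up. Since the text describes a bound on the exchange state kept per IKE_SA, it is also worth stating that this is a resource limit rather than a protocol requirement, so readers do not raise it without a concrete need.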
@@ -101,6 +101,11 @@ Whether to test RNG with TRUE quality; requires a lot of entropy. Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength.
+.TP
+.BR charon.dlopen_use_rtld_now " [no]"
+Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing
+symbols immediately.
+
 .TP
 .BR charon.dns1 " []"
 DNS server assigned to peer via configuration payload (CP).
@@ -151,6 +156,13 @@ Enabling this option disables block buffering and enables line buffering. Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA.
+.TP
+.BR charon.filelog..time_add_ms " [no]"
+Adds the milliseconds within the current second after the timestamp (separated
+by a dot, so
+.RI "" "time_format" ""
+should end with %S or %T).
+
 .TP
 .BR charon.filelog..time_format " []"
 Prefix each log entry with a timestamp. The option accepts a format string as
@@ -343,6 +355,11 @@ ones. This behavior can be beneficial to avoid connectivity gaps during reauthentication, but requires support for overlapping SAs by the peer. strongSwan can handle such overlapping SAs since version 5.3.0.
+.TP
+.BR charon.max_ikev1_exchanges " [3]"
+Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and
+track concurrently.
+
 .TP
 .BR charon.max_packet " [10000]"
 Maximum packet size accepted by charon.
diff --git a/config.h.in b/config.h.in
index 729ddf009..b95e01843 100644
--- a/config.h.in
+++ b/config.h.in
@@ -205,6 +205,9 @@
 /* Define to 1 if you have the `setlinebuf' function. */
 #undef HAVE_SETLINEBUF
+/* Define to 1 if you have the `sigwaitinfo' function. */
+#undef HAVE_SIGWAITINFO
+
 /* have sqlite3_prepare_v2() */
 #undef HAVE_SQLITE3_PREPARE_V2
diff --git a/configure b/configure
index 59a74ccc2..c810ffd91 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.3.3. +# Generated by GNU Autoconf 2.69 for strongSwan 5.3.4. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.3.3' -PACKAGE_STRING='strongSwan 5.3.3' +PACKAGE_VERSION='5.3.4' +PACKAGE_STRING='strongSwan 5.3.4' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -977,6 +977,8 @@ USE_GMP_FALSE USE_GMP_TRUE USE_FIPS_PRF_FALSE USE_FIPS_PRF_TRUE +USE_SHA3_FALSE +USE_SHA3_TRUE USE_SHA2_FALSE USE_SHA2_TRUE USE_SHA1_FALSE @@ -1299,6 +1301,7 @@ enable_rdrand enable_aesni enable_sha1 enable_sha2 +enable_sha3 enable_xcbc enable_dnskey enable_pem @@ -2029,7 +2032,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.3.3 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.3.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2099,7 +2102,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.3.3:";; + short | recursive ) echo "Configuration of strongSwan 5.3.4:";; esac cat <<\_ACEOF @@ -2137,6 +2140,8 @@ Optional Features: --disable-sha1 disable SHA1 software implementation plugin. --disable-sha2 disable SHA256/SHA384/SHA512 software implementation plugin. + --enable-sha3 enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software + implementation plugin. --disable-xcbc disable xcbc crypto implementation plugin. --disable-dnskey disable DNS RR key decoding plugin. --disable-pem disable PEM decoding plugin. 
@@ -2540,7 +2545,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.3.3 +strongSwan configure 5.3.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3062,7 +3067,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.3.3, which was +It was created by strongSwan $as_me 5.3.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3925,7 +3930,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.3.3' + VERSION='5.3.4' cat >>confdefs.h <<_ACEOF @@ -5194,6 +5199,22 @@ fi enabled_by_default=${enabled_by_default}" sha2" +# Check whether --enable-sha3 was given. +if test "${enable_sha3+set}" = set; then : + enableval=$enable_sha3; sha3_given=true + if test x$enableval = xyes; then + sha3=true + else + sha3=false + fi +else + sha3=false + sha3_given=false + +fi + + disabled_by_default=${disabled_by_default}" sha3" + # Check whether --enable-xcbc was given. if test "${enable_xcbc+set}" = set; then : enableval=$enable_xcbc; xcbc_given=true @@ -18269,7 +18290,7 @@ _ACEOF fi done -for ac_func in fmemopen funopen mmap memrchr setlinebuf strptime dirfd +for ac_func in fmemopen funopen mmap memrchr setlinebuf strptime dirfd sigwaitinfo do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -21969,6 +21990,7 @@ if test x$sha1 = xtrue; then scepclient_plugins=${scepclient_plugins}" sha1" pki_plugins=${pki_plugins}" sha1" scripts_plugins=${scripts_plugins}" sha1" + manager_plugins=${manager_plugins}" sha1" medsrv_plugins=${medsrv_plugins}" sha1" attest_plugins=${attest_plugins}" sha1" nm_plugins=${nm_plugins}" sha1" 
@@ -21991,10 +22013,23 @@ if test x$sha2 = xtrue; then fi +if test x$sha3 = xtrue; then + s_plugins=${s_plugins}" sha3" + charon_plugins=${charon_plugins}" sha3" + scepclient_plugins=${scepclient_plugins}" sha3" + pki_plugins=${pki_plugins}" sha3" + scripts_plugins=${scripts_plugins}" sha3" + medsrv_plugins=${medsrv_plugins}" sha3" + attest_plugins=${attest_plugins}" sha3" + nm_plugins=${nm_plugins}" sha3" + cmd_plugins=${cmd_plugins}" sha3" + aikgen_plugins=${aikgen_plugins}" sha3" + + fi + if test x$md4 = xtrue; then s_plugins=${s_plugins}" md4" charon_plugins=${charon_plugins}" md4" - manager_plugins=${manager_plugins}" md4" scepclient_plugins=${scepclient_plugins}" md4" pki_plugins=${pki_plugins}" md4" nm_plugins=${nm_plugins}" md4" @@ -22035,6 +22070,7 @@ if test x$random = xtrue; then scepclient_plugins=${scepclient_plugins}" random" pki_plugins=${pki_plugins}" random" scripts_plugins=${scripts_plugins}" random" + manager_plugins=${manager_plugins}" random" medsrv_plugins=${medsrv_plugins}" random" attest_plugins=${attest_plugins}" random" nm_plugins=${nm_plugins}" random" @@ -23031,6 +23067,14 @@ else USE_SHA2_FALSE= fi + if test x$sha3 = xtrue; then + USE_SHA3_TRUE= + USE_SHA3_FALSE='#' +else + USE_SHA3_TRUE='#' + USE_SHA3_FALSE= +fi + if test x$fips_prf = xtrue; then USE_FIPS_PRF_TRUE= USE_FIPS_PRF_FALSE='#' 
@@ -24499,7 +24543,7 @@ fi # build Makefiles # ================= -ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile 
src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile 
src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile 
src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile 
src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile 
src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile 
src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile 
src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" # ================= @@ -24727,6 +24771,10 @@ if test -z "${USE_SHA2_TRUE}" && test -z "${USE_SHA2_FALSE}"; then as_fn_error $? "conditional \"USE_SHA2\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_SHA3_TRUE}" && test -z "${USE_SHA3_FALSE}"; then + as_fn_error $? "conditional \"USE_SHA3\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_FIPS_PRF_TRUE}" && test -z "${USE_FIPS_PRF_FALSE}"; then as_fn_error $? "conditional \"USE_FIPS_PRF\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -25812,7 +25860,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.3.3, which was +This file was extended by strongSwan $as_me 5.3.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -25878,7 +25926,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.3.3 +strongSwan config.status 5.3.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
@@ -26305,6 +26353,7 @@ do "src/libstrongswan/plugins/md5/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/md5/Makefile" ;; "src/libstrongswan/plugins/sha1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha1/Makefile" ;; "src/libstrongswan/plugins/sha2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha2/Makefile" ;; + "src/libstrongswan/plugins/sha3/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sha3/Makefile" ;; "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;; "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;; "src/libstrongswan/plugins/rdrand/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rdrand/Makefile" ;; diff --git a/configure.ac b/configure.ac index ffd092939..c073c70b8 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,6 @@ # # Copyright (C) 2007-2015 Tobias Brunner -# Copyright (C) 2006-2014 Andreas Steffen +# Copyright (C) 2006-2015 Andreas Steffen # Copyright (C) 2006-2014 Martin Willi # Hochschule fuer Technik Rapperswil # @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.3.3]) +AC_INIT([strongSwan],[5.3.4]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects @@ -148,6 +148,7 @@ ARG_ENABL_SET([rdrand], [enable Intel RDRAND random generator plugin.]) ARG_ENABL_SET([aesni], [enable Intel AES-NI crypto plugin.]) ARG_DISBL_SET([sha1], [disable SHA1 software implementation plugin.]) ARG_DISBL_SET([sha2], [disable SHA256/SHA384/SHA512 software implementation plugin.]) +ARG_ENABL_SET([sha3], [enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software implementation plugin.]) ARG_DISBL_SET([xcbc], [disable xcbc crypto implementation plugin.]) # encoding/decoding plugins ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.]) 
@@ -585,7 +586,7 @@ AC_CHECK_FUNC( ) AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r) -AC_CHECK_FUNCS(fmemopen funopen mmap memrchr setlinebuf strptime dirfd) +AC_CHECK_FUNCS(fmemopen funopen mmap memrchr setlinebuf strptime dirfd sigwaitinfo) AC_CHECK_FUNC([syslog], [ AC_DEFINE([HAVE_SYSLOG], [], [have syslog(3) and friends]) @@ -1282,12 +1283,13 @@ ADD_PLUGIN([aes], [s charon scepclient pki scripts nm cmd]) ADD_PLUGIN([des], [s charon scepclient pki scripts nm cmd]) ADD_PLUGIN([blowfish], [s charon scepclient pki scripts nm cmd]) ADD_PLUGIN([rc2], [s charon scepclient pki scripts nm cmd]) -ADD_PLUGIN([sha1], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) +ADD_PLUGIN([sha1], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) ADD_PLUGIN([sha2], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) -ADD_PLUGIN([md4], [s charon manager scepclient pki nm cmd]) +ADD_PLUGIN([sha3], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) +ADD_PLUGIN([md4], [s charon scepclient pki nm cmd]) ADD_PLUGIN([md5], [s charon scepclient pki scripts attest nm cmd aikgen]) ADD_PLUGIN([rdrand], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) -ADD_PLUGIN([random], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) +ADD_PLUGIN([random], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) ADD_PLUGIN([nonce], [s charon nm cmd aikgen]) ADD_PLUGIN([x509], [s charon scepclient pki scripts attest nm cmd aikgen]) ADD_PLUGIN([revocation], [s charon pki nm cmd]) @@ -1439,6 +1441,7 @@ AM_CONDITIONAL(USE_MD4, test x$md4 = xtrue) AM_CONDITIONAL(USE_MD5, test x$md5 = xtrue) AM_CONDITIONAL(USE_SHA1, test x$sha1 = xtrue) AM_CONDITIONAL(USE_SHA2, test x$sha2 = xtrue) +AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue) AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue) AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue) 
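Review bot: The new `AC_CHECK_FUNCS(... sigwaitinfo)` result is not consumed by any hunk in this patch — charon-cmd.c, charon-nm.c, charon-systemd.c, charon-tkm.c, charon.c and conftest.c all call `sigwaitinfo()` unconditionally, so the check documents the dependency without guarding it. Presumably a compat implementation is provided elsewhere when `HAVE_SIGWAITINFO` is undefined; if so, a comment next to the check naming that shim, e.g. `# sigwaitinfo: falls back to the compat implementation when missing`, would save the next reader the search, and if not, platforms that fail the check will fail at link time rather than at configure time.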
@@ -1686,6 +1689,7 @@ AC_CONFIG_FILES([ src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile + src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile diff --git a/init/systemd/strongswan.service.in b/init/systemd/strongswan.service.in index 608078b1e..49c1cd0bf 100644 --- a/init/systemd/strongswan.service.in +++ b/init/systemd/strongswan.service.in @@ -1,6 +1,6 @@ [Unit] Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf -After=syslog.target +After=syslog.target network.target [Service] ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in index 6e7abca09..e549e9597 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in @@ -427,6 +427,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -451,6 +459,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then 
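Review bot: The IPv6-in-IPv6 exception inserted before `# log IPsec host connection setup` is repeated verbatim in four branches (`up-host-v6`, `down-host-v6`, and the `up-client-v6`/`down-client-v6` hunks that follow), differing only in `-I INPUT 1` versus `-D INPUT`; a small helper such as `ipcomp_v6_rule() { ip6tables "$@" -i $PLUTO_INTERFACE -p 41 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT; }` called with `-I INPUT 1` or `-D INPUT` would keep insert and delete from drifting apart. The literal `41` deserves a word in the comment, e.g. `# protocol 41 = IPv6 encapsulated in IPv6`, since the existing comment only explains why the rule is needed. It is also worth stating in the comment that `$IPSEC_POLICY_IN` is what confines the accept to packets that left the IPsec SA, so a future edit does not drop it and accept unprotected tunnelled traffic — assuming that is what the variable expands to, which is defined outside this hunk. The enclosing `case` branches start outside the hunks.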
@@ -490,6 +505,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -533,6 +557,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c index 6f2b6f178..b8f943f51 100644 --- a/src/charon-cmd/charon-cmd.c +++ b/src/charon-cmd/charon-cmd.c @@ -17,14 +17,13 @@ */ #include -#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */ #include -#undef _POSIX_PTHREAD_SEMANTICS #include #include #include #include #include +#include #include #include @@ -112,12 +111,11 @@ static int run() while (TRUE) { int sig; - int error; - error = sigwait(&set, &sig); - if (error) + sig = sigwaitinfo(&set, NULL); + if (sig == -1) { - DBG1(DBG_DMN, "error %d while waiting for a signal", error); + DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return 1; } switch (sig) @@ -382,7 +380,7 @@ int main(int argc, char *argv[]) lib->plugins->status(lib->plugins, LEVEL_CTRL); /* add handler for SEGV and ILL, - * INT, TERM and HUP are handled by sigwait() in run() */ + * INT, TERM and HUP are handled by sigwaitinfo() in run() */ action.sa_handler = segv_handler; action.sa_flags = 0; sigemptyset(&action.sa_mask); 
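Review bot: The replacement `sig = sigwaitinfo(&set, NULL); if (sig == -1)` in run() treats every failure as fatal, but unlike sigwait(), sigwaitinfo() also returns -1 with `errno == EINTR` when the calling thread is interrupted by a handler for a signal outside `set` — and main() installs handlers for SEGV and ILL, so such an interruption is at least possible; an `if (errno == EINTR) { continue; }` before the DBG1 would keep the daemon from exiting on a retryable error. The same pattern is introduced in charon-nm.c, charon-systemd.c, charon-tkm.c and charon.c, and conftest.c's `while ((sig = sigwaitinfo(&set, NULL)) != -1)` loop has the same property. The body of run() starts outside the hunk.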
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c index 80551f853..1773e7c39 100644 --- a/src/charon-nm/charon-nm.c +++ b/src/charon-nm/charon-nm.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -80,12 +81,11 @@ static void run() while (TRUE) { int sig; - int error; - error = sigwait(&set, &sig); - if (error) + sig = sigwaitinfo(&set, NULL); + if (sig == -1) { - DBG1(DBG_DMN, "error %d while waiting for a signal", error); + DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return; } switch (sig) @@ -237,7 +237,7 @@ int main(int argc, char *argv[]) } /* add handler for SEGV and ILL, - * INT and TERM are handled by sigwait() in run() */ + * INT and TERM are handled by sigwaitinfo() in run() */ action.sa_handler = segv_handler; action.sa_flags = 0; sigemptyset(&action.sa_mask); diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c index e391a5397..f302d4527 100644 --- a/src/charon-systemd/charon-systemd.c +++ b/src/charon-systemd/charon-systemd.c @@ -249,12 +249,12 @@ static int run() while (TRUE) { - int sig, error; + int sig; - error = sigwait(&set, &sig); - if (error) + sig = sigwaitinfo(&set, NULL); + if (sig == -1) { - DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(error)); + DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return SS_RC_INITIALIZATION_FAILED; } switch (sig) @@ -393,7 +393,7 @@ int main(int argc, char *argv[]) } /* add handler for SEGV and ILL, - * INT, TERM and HUP are handled by sigwait() in run() */ + * INT, TERM and HUP are handled by sigwaitinfo() in run() */ action.sa_handler = segv_handler; action.sa_flags = 0; sigemptyset(&action.sa_mask); diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c index 7c60f0ca8..52d82f3ad 100644 --- a/src/charon-tkm/src/charon-tkm.c +++ b/src/charon-tkm/src/charon-tkm.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include 
@@ -42,6 +43,7 @@ #include "tkm_public_key.h" #include "tkm_cred.h" #include "tkm_encoder.h" +#include "tkm_spi_generator.h" /** * TKM bus listener for IKE authorize events. @@ -98,12 +100,11 @@ static void run() while (TRUE) { int sig; - int error; - error = sigwait(&set, &sig); - if (error) + sig = sigwaitinfo(&set, NULL); + if (sig == -1) { - DBG1(DBG_DMN, "error %d while waiting for a signal", error); + DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return; } switch (sig) @@ -298,6 +299,9 @@ int main(int argc, char *argv[]) PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256), PLUGIN_CALLBACK(kernel_ipsec_register, tkm_kernel_ipsec_create), PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"), + PLUGIN_CALLBACK(tkm_spi_generator_register, NULL), + PLUGIN_PROVIDE(CUSTOM, "tkm-spi-generator"), + PLUGIN_DEPENDS(CUSTOM, "libcharon-sa-managers"), }; lib->plugins->add_static_features(lib->plugins, "tkm-backend", features, countof(features), TRUE, NULL, NULL); @@ -358,7 +362,7 @@ int main(int argc, char *argv[]) lib->encoding->add_encoder(lib->encoding, tkm_encoder_encode); /* add handler for SEGV and ILL, - * INT and TERM are handled by sigwait() in run() */ + * INT and TERM are handled by sigwaitinfo() in run() */ action.sa_handler = segv_handler; action.sa_flags = 0; sigemptyset(&action.sa_mask); diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c index 7a0672aa8..2d22fbdc3 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c +++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c 
@@ -281,9 +281,10 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_tkm_kernel_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, - mark_t mark, policy_priority_t prio) + private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, + mark_t mark, policy_priority_t priority) { return SUCCESS; } diff --git a/src/charon-tkm/src/tkm/tkm_spi_generator.c b/src/charon-tkm/src/tkm/tkm_spi_generator.c new file mode 100644 index 000000000..eff0ca91e --- /dev/null +++ b/src/charon-tkm/src/tkm/tkm_spi_generator.c 
@@ -0,0 +1,98 @@ +/* + * Copyright (C) 2015 Reto Buerki + * Copyright (C) 2015 Adrian-Ken Rueegsegger + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include + +#include "tkm_spi_generator.h" + +/** + * Get SPI callback arguments + */ +typedef struct { + rng_t *rng; + u_int64_t spi_mask; + u_int64_t spi_label; +} get_spi_args_t; + +static get_spi_args_t *spi_args; + +/** + * Callback called to generate an IKE SPI. + * + * @param this Callback args containing rng_t and spi mask & label + * @return labeled SPI + */ +CALLBACK(tkm_get_spi, u_int64_t, + const get_spi_args_t const *this) +{ + u_int64_t spi; + + if (!this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) + { + return 0; + } + + return (spi & ~this->spi_mask) | this->spi_label; +} + +bool tkm_spi_generator_register(plugin_t *plugin, + plugin_feature_t *feature, + bool reg, void *cb_data) +{ + u_int64_t spi_mask, spi_label; + char *spi_val; + rng_t *rng; + + if (reg) + { + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!rng) + { + return FALSE; + } + + spi_val = lib->settings->get_str(lib->settings, "%s.spi_mask", NULL, + lib->ns); + spi_mask = settings_value_as_uint64(spi_val, 0); + + spi_val = lib->settings->get_str(lib->settings, "%s.spi_label", NULL, + lib->ns); + spi_label = settings_value_as_uint64(spi_val, 0); + + INIT(spi_args, + .rng = rng, + .spi_mask = spi_mask, + .spi_label = spi_label, + ); + + 
charon->ike_sa_manager->set_spi_cb(charon->ike_sa_manager, + tkm_get_spi, spi_args); + DBG1(DBG_IKE, "using SPI label 0x%.16"PRIx64" and mask 0x%.16"PRIx64, + spi_label, spi_mask); + } + else + { + if (spi_args) + { + DESTROY_IF(spi_args->rng); + free(spi_args); + } + } + + return TRUE; +} diff --git a/src/charon-tkm/src/tkm/tkm_spi_generator.h b/src/charon-tkm/src/tkm/tkm_spi_generator.h new file mode 100644 index 000000000..5f9ff03c6 --- /dev/null +++ b/src/charon-tkm/src/tkm/tkm_spi_generator.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2015 Reto Buerki + * Copyright (C) 2015 Adrian-Ken Rueegsegger + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tkm-spi-generator spi generator + * @{ @ingroup tkm + */ + +#ifndef TKM_SPI_GENERATOR_H_ +#define TKM_SPI_GENERATOR_H_ + +#include + +/** + * Register the TKM SPI generator callback. + * + * @return TRUE on success + */ +bool tkm_spi_generator_register(plugin_t *plugin, + plugin_feature_t *feature, + bool reg, void *cb_data); + +#endif /** TKM_SPI_GENERATOR_H_ @}*/ diff --git a/src/charon/charon.c b/src/charon/charon.c index 081e49490..f03b6e1ba 100644 --- a/src/charon/charon.c +++ b/src/charon/charon.c @@ -17,9 +17,7 @@ */ #include -#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */ #include -#undef _POSIX_PTHREAD_SEMANTICS #include #include #include 
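Review bot: `spi_args` is freed in the unregister branch of tkm_spi_generator_register but the static pointer is not reset, so a second unregister (or a later re-register that reads it) operates on a dangling pointer; add `spi_args = NULL;` after `free(spi_args);`. The CALLBACK parameter `const get_spi_args_t const *this` carries a duplicate `const` qualifier that gcc and clang warn about; `const get_spi_args_t *this` is what is meant. Nothing checks that `spi_label` lies inside `spi_mask`, so label bits outside the mask silently overwrite random SPI bits; a one-time warning when `spi_label & ~spi_mask` is non-zero would make a misconfiguration visible. The `return 0;` on RNG failure and the choice of `RNG_WEAK` deserve a comment stating the intended contract — presumably the SA manager treats a zero SPI as failure and uniqueness rather than unpredictability is the requirement, which should be confirmed against ike_sa_manager.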
@@ -110,12 +108,11 @@ static void run() while (TRUE) { int sig; - int error; - error = sigwait(&set, &sig); - if (error) + sig = sigwaitinfo(&set, NULL); + if (sig == -1) { - DBG1(DBG_DMN, "error %d while waiting for a signal", error); + DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return; } switch (sig) @@ -434,7 +431,7 @@ int main(int argc, char *argv[]) } /* add handler for SEGV and ILL, - * INT, TERM and HUP are handled by sigwait() in run() */ + * INT, TERM and HUP are handled by sigwaitinfo() in run() */ action.sa_handler = segv_handler; action.sa_flags = 0; sigemptyset(&action.sa_mask); diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c index 584a2698a..9348b64e1 100644 --- a/src/conftest/conftest.c +++ b/src/conftest/conftest.c @@ -382,15 +382,17 @@ static void load_log_levels(file_logger_t *logger, char *section) */ static void load_logger_options(file_logger_t *logger, char *section) { - bool ike_name; char *time_format; + bool add_ms, ike_name; time_format = conftest->test->get_str(conftest->test, "log.%s.time_format", NULL, section); + add_ms = conftest->test->get_bool(conftest->test, + "log.%s.time_add_ms", FALSE, section); ike_name = conftest->test->get_bool(conftest->test, "log.%s.ike_name", FALSE, section); - logger->set_options(logger, time_format, ike_name); + logger->set_options(logger, time_format, add_ms, ike_name); } /** @@ -463,7 +465,7 @@ int main(int argc, char *argv[]) lib->credmgr->add_set(lib->credmgr, &conftest->creds->set); logger = file_logger_create("stdout"); - logger->set_options(logger, NULL, FALSE); + logger->set_options(logger, NULL, FALSE, FALSE); logger->open(logger, FALSE, FALSE); logger->set_level(logger, DBG_ANY, LEVEL_CTRL); charon->bus->add_logger(charon->bus, &logger->logger); @@ -563,7 +565,7 @@ int main(int argc, char *argv[]) sigaddset(&set, SIGTERM); sigprocmask(SIG_BLOCK, &set, NULL); - while (sigwait(&set, &sig) == 0) + while ((sig = sigwaitinfo(&set, NULL)) != -1) { switch (sig) { 
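Review bot: sigwaitinfo() may fail with EINTR when an unblocked, caught signal arrives, a case the replaced sigwait() is not allowed to report, so the new `if (sig == -1)` branch now ends run() — and with it the daemon — on an incidental interrupt; retry in that case, `if (sig == -1) { if (errno == EINTR) { continue; } DBG1(DBG_DMN, "waiting for signal failed: %s", strerror(errno)); return; }`. Which signals have handlers installed is only partly visible (the later hunk's comment mentions the SEGV/ILL handler), so how often this is reachable is inferred. The `#include` names in the preceding hunk are not legible in this rendering, so I cannot confirm that `errno`/`strerror` have their header included. run() continues outside the hunk.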
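Review bot: conftest's new `while ((sig = sigwaitinfo(&set, NULL)) != -1)` loop leaves silently on any error, including an EINTR caused by an unblocked caught signal, and unlike the charon.c change it does not log `strerror(errno)`, so a test run that stops early gives no hint why. Treat EINTR as a retry and log other errors before leaving the loop, e.g. turn the condition into a `while (TRUE)` with `sig = sigwaitinfo(&set, NULL); if (sig == -1) { if (errno == EINTR) continue; /* log strerror(errno) */ break; }` at the top. main() continues outside the hunk.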
diff --git a/src/include/Makefile.am b/src/include/Makefile.am index 0284c094a..8e6db88a4 100644 --- a/src/include/Makefile.am +++ b/src/include/Makefile.am @@ -1,2 +1,2 @@ EXTRA_DIST = linux/if_alg.h linux/ipsec.h linux/netlink.h linux/rtnetlink.h \ - linux/pfkeyv2.h linux/udp.h linux/xfrm.h sys/queue.h + linux/pfkeyv2.h linux/udp.h linux/socket.h linux/xfrm.h sys/queue.h diff --git a/src/include/Makefile.in b/src/include/Makefile.in index e2c3cd0c3..5740544ca 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -343,7 +343,7 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ EXTRA_DIST = linux/if_alg.h linux/ipsec.h linux/netlink.h linux/rtnetlink.h \ - linux/pfkeyv2.h linux/udp.h linux/xfrm.h sys/queue.h + linux/pfkeyv2.h linux/udp.h linux/socket.h linux/xfrm.h sys/queue.h all: all-am diff --git a/src/include/linux/socket.h b/src/include/linux/socket.h new file mode 100644 index 000000000..76ab0c685 --- /dev/null +++ b/src/include/linux/socket.h @@ -0,0 +1,21 @@ +#ifndef _UAPI_LINUX_SOCKET_H +#define _UAPI_LINUX_SOCKET_H + +/* + * Desired design of maximum size and alignment (see RFC2553) + */ +#define _K_SS_MAXSIZE 128 /* Implementation specific max size */ +#define _K_SS_ALIGNSIZE (__alignof__ (struct sockaddr *)) + /* Implementation specific desired alignment */ + +typedef unsigned short __kernel_sa_family_t; + +struct __kernel_sockaddr_storage { + __kernel_sa_family_t ss_family; /* address family */ + /* Following field(s) are implementation specific */ + char __data[_K_SS_MAXSIZE - sizeof(unsigned short)]; + /* space to achieve desired size, */ + /* _SS_MAXSIZE value minus size of ss_family */ +} __attribute__ ((aligned(_K_SS_ALIGNSIZE))); /* force desired alignment */ + +#endif /* _UAPI_LINUX_SOCKET_H */ diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index 9795451e8..bc7b633b0 100644 --- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 
@@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.3.3dr5" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.3.4dr1" "strongSwan" . .SH NAME . diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in index 0798830cf..89c7ef753 100644 --- a/src/ipsec/_ipsec.in +++ b/src/ipsec/_ipsec.in @@ -256,10 +256,10 @@ stop) if [ -n "$spid" ] then kill $spid 2>/dev/null - loop=11 + loop=110 while [ $loop -gt 0 ] ; do kill -0 $spid 2>/dev/null || break - sleep 1 + sleep 0.1 loop=$(($loop - 1)) done if [ $loop -eq 0 ] diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk index 5eef6fdc6..10085794b 100644 --- a/src/libcharon/Android.mk +++ b/src/libcharon/Android.mk @@ -228,7 +228,6 @@ endif # build libcharon -------------------------------------------------------------- LOCAL_C_INCLUDES += \ - $(strongswan_PATH)/src/include \ $(strongswan_PATH)/src/libhydra \ $(strongswan_PATH)/src/libstrongswan diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c index e3661bde6..7a53e9338 100644 --- a/src/libcharon/bus/listeners/file_logger.c +++ b/src/libcharon/bus/listeners/file_logger.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -64,6 +64,11 @@ struct private_file_logger_t { */ char *time_format; + /** + * Add milliseconds after the time string + */ + bool add_ms; + /** * Print the name/# of the IKE_SA? */ @@ -87,7 +92,9 @@ METHOD(logger_t, log_, void, char timestr[128], namestr[128] = ""; const char *current = message, *next; struct tm tm; - time_t t; + timeval_t tv; + time_t s; + u_int ms = 0; this->lock->read_lock(this->lock); if (!this->out) 
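Review bot: `sleep 0.1` in the stop loop is not POSIX sleep(1), which takes an integer, so on a system whose sleep rejects fractions every iteration fails immediately and the 110 `kill -0 $spid` probes complete in a fraction of a second, after which the `[ $loop -eq 0 ]` branch (outside the hunk) presumably escalates against a daemon that has not been given time to exit cleanly. `sleep 0.1 2>/dev/null || sleep 1` keeps the finer granularity where it works and falls back to the previous one-second wait elsewhere. This is a portability caveat for non-GNU `/bin/sh` environments rather than a defect on the platforms the script is usually run on.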
@@ -97,8 +104,10 @@ METHOD(logger_t, log_, void, } if (this->time_format) { - t = time(NULL); - localtime_r(&t, &tm); + gettimeofday(&tv, NULL); + s = tv.tv_sec; + ms = tv.tv_usec / 1000; + localtime_r(&s, &tm); strftime(timestr, sizeof(timestr), this->time_format, &tm); } if (this->ike_name && ike_sa) @@ -126,8 +135,16 @@ METHOD(logger_t, log_, void, next = strchr(current, '\n'); if (this->time_format) { - fprintf(this->out, "%s %.2d[%N]%s ", - timestr, thread, debug_names, group, namestr); + if (this->add_ms) + { + fprintf(this->out, "%s.%03u %.2d[%N]%s ", + timestr, ms, thread, debug_names, group, namestr); + } + else + { + fprintf(this->out, "%s %.2d[%N]%s ", + timestr, thread, debug_names, group, namestr); + } } else { @@ -182,11 +199,12 @@ METHOD(file_logger_t, set_level, void, } METHOD(file_logger_t, set_options, void, - private_file_logger_t *this, char *time_format, bool ike_name) + private_file_logger_t *this, char *time_format, bool add_ms, bool ike_name) { this->lock->write_lock(this->lock); free(this->time_format); this->time_format = strdupnull(time_format); + this->add_ms = add_ms; this->ike_name = ike_name; this->lock->unlock(this->lock); } diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h index 9e5aed50b..1bcfec150 100644 --- a/src/libcharon/bus/listeners/file_logger.h +++ b/src/libcharon/bus/listeners/file_logger.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2015 Tobias Brunner * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * 
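Review bot: `timestr` is declared without an initializer (`char timestr[128], namestr[128] = "";` in the previous hunk) and the unchecked `strftime(timestr, sizeof(timestr), this->time_format, &tm);` leaves its contents indeterminate when the formatted string does not fit, so the new `fprintf(this->out, "%s.%03u ...` paths print uninitialized stack in that case; either initialize with `char timestr[128] = "", namestr[128] = "";` or check `if (!strftime(timestr, sizeof(timestr), this->time_format, &tm)) { timestr[0] = '\0'; }`. The format comes from the logger configuration, so this is operator-triggered, not remote. `gettimeofday()` is adequate for a wall-clock prefix but is obsolescent in POSIX; `clock_gettime(CLOCK_REALTIME, &ts)` with `ts.tv_nsec / 1000000` gives the same millisecond value. log_() continues outside the hunk.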
@@ -48,9 +48,12 @@ struct file_logger_t { * Set options used by this logger * * @param time_format format of timestamp prefix, as in strftime(), cloned + * @param add_ms TRUE to add the number of milliseconds within the + * current second after the timestamp * @param ike_name TRUE to prefix the name of the IKE_SA */ - void (*set_options) (file_logger_t *this, char *time_format, bool ike_name); + void (*set_options) (file_logger_t *this, char *time_format, bool add_ms, + bool ike_name); /** * Open (or reopen) the log file according to the given parameters diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c index ce9301006..aa2a39ce5 100644 --- a/src/libcharon/config/peer_cfg.c +++ b/src/libcharon/config/peer_cfg.c @@ -302,7 +302,7 @@ METHOD(peer_cfg_t, select_child_cfg, child_cfg_t*, enumerator_t *enumerator; int best = 0; - DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts); + DBG2(DBG_CFG, "looking for a child config for %#R === %#R", my_ts, other_ts); enumerator = create_child_cfg_enumerator(this); while (enumerator->enumerate(enumerator, ¤t)) { diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index 316be7611..dce2a7144 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2012 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter 
@@ -324,11 +324,13 @@ static void load_file_logger(private_daemon_t *this, char *filename, file_logger_t *file_logger; debug_t group; level_t def; - bool ike_name, flush_line, append; + bool add_ms, ike_name, flush_line, append; char *time_format; time_format = lib->settings->get_str(lib->settings, "%s.filelog.%s.time_format", NULL, lib->ns, filename); + add_ms = lib->settings->get_bool(lib->settings, + "%s.filelog.%s.time_add_ms", FALSE, lib->ns, filename); ike_name = lib->settings->get_bool(lib->settings, "%s.filelog.%s.ike_name", FALSE, lib->ns, filename); flush_line = lib->settings->get_bool(lib->settings, @@ -337,7 +339,7 @@ static void load_file_logger(private_daemon_t *this, char *filename, "%s.filelog.%s.append", TRUE, lib->ns, filename); file_logger = add_file_logger(this, filename, current_loggers); - file_logger->set_options(file_logger, time_format, ike_name); + file_logger->set_options(file_logger, time_format, add_ms, ike_name); file_logger->open(file_logger, flush_line, append); def = lib->settings->get_int(lib->settings, "%s.filelog.%s.default", 1, @@ -486,8 +488,6 @@ static void destroy(private_daemon_t *this) DESTROY_IF(this->kernel_handler); DESTROY_IF(this->public.traps); DESTROY_IF(this->public.shunts); - DESTROY_IF(this->public.child_sa_manager); - DESTROY_IF(this->public.ike_sa_manager); DESTROY_IF(this->public.controller); DESTROY_IF(this->public.eap); DESTROY_IF(this->public.xauth); @@ -560,7 +560,6 @@ METHOD(daemon_t, start, void, run_scripts(this, "start"); } - /** * Initialize/deinitialize sender and receiver */ 
@@ -584,12 +583,36 @@ static bool sender_receiver_cb(void *plugin, plugin_feature_t *feature, return TRUE; } +/** + * Initialize/deinitialize IKE_SA/CHILD_SA managers + */ +static bool sa_managers_cb(void *plugin, plugin_feature_t *feature, + bool reg, private_daemon_t *this) +{ + if (reg) + { + this->public.ike_sa_manager = ike_sa_manager_create(); + if (!this->public.ike_sa_manager) + { + return FALSE; + } + this->public.child_sa_manager = child_sa_manager_create(); + } + else + { + DESTROY_IF(this->public.ike_sa_manager); + DESTROY_IF(this->public.child_sa_manager); + } + return TRUE; +} + METHOD(daemon_t, initialize, bool, private_daemon_t *this, char *plugins) { plugin_feature_t features[] = { PLUGIN_PROVIDE(CUSTOM, "libcharon"), PLUGIN_DEPENDS(NONCE_GEN), + PLUGIN_DEPENDS(CUSTOM, "libcharon-sa-managers"), PLUGIN_DEPENDS(CUSTOM, "libcharon-receiver"), PLUGIN_DEPENDS(CUSTOM, "kernel-ipsec"), PLUGIN_DEPENDS(CUSTOM, "kernel-net"), @@ -598,6 +621,10 @@ METHOD(daemon_t, initialize, bool, PLUGIN_DEPENDS(HASHER, HASH_SHA1), PLUGIN_DEPENDS(RNG, RNG_STRONG), PLUGIN_DEPENDS(CUSTOM, "socket"), + PLUGIN_CALLBACK((plugin_feature_callback_t)sa_managers_cb, this), + PLUGIN_PROVIDE(CUSTOM, "libcharon-sa-managers"), + PLUGIN_DEPENDS(HASHER, HASH_SHA1), + PLUGIN_DEPENDS(RNG, RNG_WEAK), }; lib->plugins->add_static_features(lib->plugins, lib->ns, features, countof(features), TRUE, NULL, NULL); @@ -608,13 +635,6 @@ METHOD(daemon_t, initialize, bool, return FALSE; } - this->public.ike_sa_manager = ike_sa_manager_create(); - if (this->public.ike_sa_manager == NULL) - { - return FALSE; - } - this->public.child_sa_manager = child_sa_manager_create(); - /* Queue start_action job */ lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create()); diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index f7f39f984..16978f486 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c 
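Review bot: sa_managers_cb() destroys both managers on unregistration but leaves `this->public.ike_sa_manager` and `this->public.child_sa_manager` pointing at freed objects, and the matching `DESTROY_IF` calls were removed from destroy() in the previous hunk, so anything that still consults those pointers after the feature is unloaded (listeners torn down later, a repeated register/unregister) now dereferences freed memory instead of seeing NULL. Assign `this->public.ike_sa_manager = NULL;` and `this->public.child_sa_manager = NULL;` after the respective `DESTROY_IF`. The teardown order (IKE_SA manager before CHILD_SA manager) is presumably what IKE_SA cleanup requires; on the creation side `child_sa_manager_create()` is not checked for NULL, which is only fine if that constructor cannot fail — not visible here.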
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009 Tobias Brunner + * Copyright (C) 2009-2015 Tobias Brunner * Copyright (C) 2010 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -81,6 +81,21 @@ struct private_eap_mschapv2_t * Number of retries */ int retries; + + /** + * Provide EAP-Identity + */ + auth_cfg_t *auth; + + /** + * Current state + */ + enum { + S_EXPECT_CHALLENGE, + S_EXPECT_RESPONSE, + S_EXPECT_SUCCESS, + S_DONE, + } state; }; /** @@ -628,6 +643,7 @@ METHOD(eap_method_t, initiate_server, status_t, memcpy(cha->name, name, sizeof(MSCHAPV2_HOST_NAME) - 1); *out = eap_payload_create_data(chunk_create((void*) eap, len)); + this->state = S_EXPECT_RESPONSE; return NEED_MORE; } @@ -747,6 +763,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this, memcpy(res->name, userid.ptr, userid.len); *out = eap_payload_create_data(chunk_create((void*) eap, len)); + this->state = S_EXPECT_SUCCESS; return NEED_MORE; } @@ -829,6 +846,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this, *out = eap_payload_create_data(chunk_create((void*) eap, len)); status = NEED_MORE; + this->state = S_DONE; error: chunk_free(&auth_string); @@ -922,6 +940,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, */ status = FAILED; + this->state = S_DONE; error: chunk_free(&challenge); 
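Review bot: The new `state` member is documented only as "Current state", yet its values are shared by two roles with different paths: the peer moves S_EXPECT_CHALLENGE → S_EXPECT_SUCCESS → S_DONE, the server S_EXPECT_CHALLENGE (initial, from the constructor hunk) → S_EXPECT_RESPONSE (initiate_server) → S_EXPECT_SUCCESS, as the transitions added in the following hunks show. A comment next to the enum listing these transitions per role would let the later `switch (this->state)` blocks be reviewed without tracing every hunk; e.g. `/** Current state; peer: CHALLENGE -> SUCCESS -> DONE, server: (initiate) RESPONSE -> SUCCESS. S_EXPECT_CHALLENGE is the initial value for both roles. */`. The struct continues outside the hunk.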
@@ -946,26 +965,38 @@ METHOD(eap_method_t, process_peer, status_t, eap = (eap_mschapv2_header_t*)data.ptr; + switch (this->state) + { + case S_EXPECT_CHALLENGE: + if (eap->opcode == MSCHAPV2_CHALLENGE) + { + return process_peer_challenge(this, in, out); + } + break; + case S_EXPECT_SUCCESS: + switch (eap->opcode) + { + case MSCHAPV2_SUCCESS: + return process_peer_success(this, in, out); + case MSCHAPV2_FAILURE: + return process_peer_failure(this, in, out); + } + break; + default: + break; + } switch (eap->opcode) { case MSCHAPV2_CHALLENGE: - { - return process_peer_challenge(this, in, out); - } case MSCHAPV2_SUCCESS: - { - return process_peer_success(this, in, out); - } case MSCHAPV2_FAILURE: - { - return process_peer_failure(this, in, out); - } + DBG1(DBG_IKE, "received unexpected EAP-MS-CHAPv2 message with " + "OpCode (%N)!", mschapv2_opcode_names, eap->opcode); + break; default: - { DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported " "OpCode (%N)!", mschapv2_opcode_names, eap->opcode); break; - } } return FAILED; } @@ -1027,6 +1058,8 @@ static status_t process_server_retry(private_eap_mschapv2_t *this, /* delay the response for some time to make brute-force attacks harder */ sleep(RETRY_DELAY); + /* since the error is retryable the state does not change, we still + * expect an MSCHAPV2_RESPONSE from the peer */ return NEED_MORE; } @@ -1058,7 +1091,10 @@ static status_t process_server_response(private_eap_mschapv2_t *this, name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255); snprintf(buf, sizeof(buf), "%.*s", name_len, res->name); userid = identification_create_from_string(buf); - DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid); + if (!userid->equals(userid, this->peer)) + { + DBG1(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid); + } /* userid can only be destroyed after the last use of username */ username = extract_username(userid->get_encoding(userid)); 
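Review bot: In process_server_response() the identity is parsed from the peer-supplied `res->name` via `identification_create_from_string(buf)`, whose identity type is inferred from the string's syntax (a name written as a DN or an address literal presumably yields that type), and from this commit on that identity is retained as AUTH_RULE_EAP_IDENTITY (next hunk) rather than only used for the secret lookup; any authorization rule that later matches the EAP identity should be checked for whether a peer can choose a syntax that matches a different rule than intended. Logging at DBG1 only when it differs from `this->peer` is sensible, but consider including the identity type in that message so such cases are visible. process_server_response() continues outside the hunk.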
@@ -1084,7 +1120,6 @@ static status_t process_server_response(private_eap_mschapv2_t *this, chunk_clear(&nt_hash); return FAILED; } - userid->destroy(userid); chunk_clear(&nt_hash); if (memeq_const(res->response.nt_response, this->nt_response.ptr, @@ -1109,9 +1144,12 @@ static status_t process_server_response(private_eap_mschapv2_t *this, chunk_free(&hex); memcpy(eap->data, msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)); *out = eap_payload_create_data(chunk_create((void*) eap, len)); + + this->auth->add(this->auth, AUTH_RULE_EAP_IDENTITY, userid); + this->state = S_EXPECT_SUCCESS; return NEED_MORE; } - + userid->destroy(userid); return process_server_retry(this, out); } @@ -1137,26 +1175,39 @@ METHOD(eap_method_t, process_server, status_t, eap = (eap_mschapv2_header_t*)data.ptr; + switch (this->state) + { + case S_EXPECT_RESPONSE: + if (eap->opcode == MSCHAPV2_RESPONSE) + { + return process_server_response(this, in, out); + } + break; + case S_EXPECT_SUCCESS: + if (eap->opcode == MSCHAPV2_SUCCESS && + this->msk.ptr) + { + return SUCCESS; + } + break; + default: + break; + } switch (eap->opcode) { - case MSCHAPV2_RESPONSE: - { - return process_server_response(this, in, out); - } - case MSCHAPV2_SUCCESS: - { - return SUCCESS; - } case MSCHAPV2_FAILURE: - { + /* the client may abort the authentication by sending us a failure + * in any state */ return FAILED; - } + case MSCHAPV2_RESPONSE: + case MSCHAPV2_SUCCESS: + DBG1(DBG_IKE, "received unexpected EAP-MS-CHAPv2 message with " + "OpCode (%N)!", mschapv2_opcode_names, eap->opcode); + break; default: - { DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported " "OpCode (%N)!", mschapv2_opcode_names, eap->opcode); break; - } } return FAILED; } 
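Review bot: In process_server() the S_EXPECT_SUCCESS branch returns SUCCESS without moving to S_DONE, unlike the peer side, so a repeated MSCHAPV2_SUCCESS from the client is accepted again instead of being logged as unexpected; add `this->state = S_DONE;` before `return SUCCESS;`. The `this->msk.ptr` gate is the right check, since `this->auth->add(this->auth, AUTH_RULE_EAP_IDENTITY, userid)` and the transition to S_EXPECT_SUCCESS happen only on the verified path of the previous hunk; `this->msk.len` would be marginally stricter if a chunk can carry a non-NULL pointer with zero length. Leaving MSCHAPV2_FAILURE reachable in every state is fine as it only aborts. process_server() continues outside the hunk.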
@@ -1197,11 +1248,18 @@ METHOD(eap_method_t, is_mutual, bool, return FALSE; } +METHOD(eap_method_t, get_auth, auth_cfg_t*, + private_eap_mschapv2_t *this) +{ + return this->auth; +} + METHOD(eap_method_t, destroy, void, private_eap_mschapv2_t *this) { this->peer->destroy(this->peer); this->server->destroy(this->server); + this->auth->destroy(this->auth); chunk_free(&this->challenge); chunk_free(&this->nt_response); chunk_free(&this->auth_response); @@ -1224,11 +1282,14 @@ static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *ser .get_msk = _get_msk, .get_identifier = _get_identifier, .set_identifier = _set_identifier, + .get_auth = _get_auth, .destroy = _destroy, }, }, .peer = peer->clone(peer), .server = server->clone(server), + .auth = auth_cfg_create(), + .state = S_EXPECT_CHALLENGE, ); return this; diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c index 0cf723711..0f207fbe6 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c 
@@ -178,18 +178,38 @@ static void add_addr(private_eap_radius_provider_t *this, * Remove the next address from the locked hashtable stored for given id */ static host_t* remove_addr(private_eap_radius_provider_t *this, - hashtable_t *hashtable, uintptr_t id) + hashtable_t *hashtable, uintptr_t id, host_t *addr) { + enumerator_t *enumerator; entry_t *entry; - host_t *addr = NULL; + host_t *found = NULL, *current; entry = hashtable->remove(hashtable, (void*)id); if (entry) { - entry->addrs->remove_first(entry->addrs, (void**)&addr); + enumerator = entry->addrs->create_enumerator(entry->addrs); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (addr->ip_equals(addr, current)) + { /* prefer an exact match */ + entry->addrs->remove_at(entry->addrs, enumerator); + enumerator->destroy(enumerator); + put_or_destroy_entry(hashtable, entry); + return current; + } + if (!found && addr->get_family(addr) == current->get_family(current)) + { /* fallback to the first IP with a matching address family */ + found = current; + } + } + enumerator->destroy(enumerator); + if (found) + { + entry->addrs->remove(entry->addrs, found, NULL); + } put_or_destroy_entry(hashtable, entry); } - return addr; + return found; } /** @@ -326,7 +346,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*, if (streq(name, "radius")) { this->listener.mutex->lock(this->listener.mutex); - addr = remove_addr(this, this->listener.unclaimed, sa); + addr = remove_addr(this, this->listener.unclaimed, sa, requested); if (addr) { add_addr(this, this->listener.claimed, sa, addr->clone(addr)); @@ -357,7 +377,7 @@ METHOD(attribute_provider_t, release_address, bool, if (streq(name, "radius")) { this->listener.mutex->lock(this->listener.mutex); - found = remove_addr(this, this->listener.claimed, sa); + found = remove_addr(this, this->listener.claimed, sa, address); this->listener.mutex->unlock(this->listener.mutex); break; } 
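Review bot: The address-family fallback in remove_addr() is applied from both callers, and for release_address() (`remove_addr(this, this->listener.claimed, sa, address)`) it changes semantics: if `address` itself is not in the claimed list, the first claimed address of the same family is removed instead, so releasing one address can detach a different lease of the same SA. Restrict the fallback to acquire_address(), e.g. with an extra `bool exact` parameter and `if (!exact && !found && addr->get_family(addr) == current->get_family(current))`, passing TRUE from release_address(). `addr` is dereferenced unconditionally in `addr->ip_equals(addr, current)`; whether callers can pass a NULL `requested`/`address` is not visible here, so a `!addr` guard may be warranted.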
diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.c b/src/libcharon/plugins/error_notify/error_notify_listener.c index f7a1f49ec..ce577c62c 100644 --- a/src/libcharon/plugins/error_notify/error_notify_listener.c +++ b/src/libcharon/plugins/error_notify/error_notify_listener.c @@ -110,7 +110,7 @@ METHOD(listener_t, alert, bool, list = va_arg(args, linked_list_t*); list2 = va_arg(args, linked_list_t*); snprintf(msg.str, sizeof(msg.str), "the received traffic selectors " - "did not match: %#R=== %#R", list, list2); + "did not match: %#R === %#R", list, list2); break; case ALERT_INSTALL_CHILD_SA_FAILED: msg.type = htonl(ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED); diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c index 17f2d50d1..dbb6adc8f 100644 --- a/src/libcharon/plugins/ha/ha_child.c +++ b/src/libcharon/plugins/ha/ha_child.c @@ -126,7 +126,7 @@ METHOD(listener_t, child_keys, bool, ike_sa->get_my_host(ike_sa), child_sa->get_spi(child_sa, TRUE)); seg_o = this->kernel->get_segment_spi(this->kernel, ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE)); - DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R=== %#R " + DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R === %#R " "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), local_ts, remote_ts, seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index afa099309..07ef607c6 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c 
@@ -848,7 +848,7 @@ static void process_child_add(private_ha_dispatcher_t *this, seg_o = this->kernel->get_segment_spi(this->kernel, ike_sa->get_other_host(ike_sa), outbound_spi); - DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R=== %#R " + DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R === %#R " "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), local_ts, remote_ts, seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c index 6246dc505..d738e6d13 100644 --- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c +++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c @@ -563,15 +563,16 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_libipsec_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, + private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, policy_priority_t priority) { policy_entry_t *policy, *found = NULL; status_t status; status = ipsec->policies->del_policy(ipsec->policies, src_ts, dst_ts, - direction, reqid, mark, priority); + direction, sa->reqid, mark, priority); policy = create_policy_entry(src_ts, dst_ts, direction); diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c index b38ded846..95f79f168 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c 
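Review bot: del_policy() now reads `sa->reqid` from the new `ipsec_sa_cfg_t *sa` argument without a NULL check, where the old signature carried the reqid by value; if the kernel_ipsec_t interface permits callers to pass `sa == NULL` for policies without an SA (not visible here), this crashes, so either `if (!sa) { return FAILED; }` or a statement in the interface that `sa` is mandatory is needed. The new `type`, `src` and `dst` parameters are ignored, so a PASS or DROP policy is deleted exactly like an IPsec one; that matches the `ipsec->policies->del_policy` call, which has no type argument, but deserves a comment. The kernel_wfp and load_tester hunks that follow have the same shape.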
@@ -2456,15 +2456,16 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_kernel_wfp_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, + private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, policy_priority_t priority) { if (direction == POLICY_OUT && priority == POLICY_PRIORITY_ROUTED) { - if (remove_trap(this, reqid, FALSE, src_ts, dst_ts)) + if (remove_trap(this, sa->reqid, FALSE, src_ts, dst_ts)) { - remove_trap(this, reqid, TRUE, src_ts, dst_ts); + remove_trap(this, sa->reqid, TRUE, src_ts, dst_ts); return SUCCESS; } return NOT_FOUND; diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c index 62d43e302..6a86bb899 100644 --- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c +++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c @@ -103,8 +103,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t, } METHOD(kernel_ipsec_t, del_policy, status_t, - private_load_tester_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, + private_load_tester_ipsec_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, policy_priority_t priority) { return SUCCESS; diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c index dbfddbb81..13bf3e775 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.c +++ b/src/libcharon/plugins/socket_default/socket_default_socket.c 
@@ -148,6 +148,91 @@ struct private_socket_default_socket_t { u_int rr_counter; }; +/** + * Get the destination IPv4 address of a received packet, depending on the + * available mechanism. + */ +#ifdef IP_PKTINFO + +static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) +{ + struct sockaddr_in dst = { + .sin_family = AF_INET, + .sin_port = htons(port), + }; + struct in_pktinfo *pktinfo; + struct in_addr *addr; + + if (cmsgptr->cmsg_type == IP_PKTINFO) + { + pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr); + addr = &pktinfo->ipi_addr; + memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr)); + return host_create_from_sockaddr((sockaddr_t*)&dst); + } + return NULL; +} + +#elif defined(IP_RECVDSTADDR) + +static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) +{ + struct sockaddr_in dst = { + .sin_family = AF_INET, + .sin_port = htons(port), + }; + struct in_addr *addr; + + if (cmsgptr->cmsg_type == IP_RECVDSTADDR) + { + addr = (struct in_addr*)CMSG_DATA(cmsgptr); + memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr)); + return host_create_from_sockaddr((sockaddr_t*)&dst); + } + return NULL; +} + +#else /* IP_PKTINFO || IP_RECVDSTADDR */ + +static host_t *get_dst_v4(struct cmsghdr *cmsgptr, u_int16_t port) +{ + return NULL; +} + +#endif /* IP_PKTINFO || IP_RECVDSTADDR */ + +/** + * Get the destination IPv6 address of a received packet, depending on the + * available mechanism. 
+ */ +#ifdef HAVE_IN6_PKTINFO + +static host_t *get_dst_v6(struct cmsghdr *cmsgptr, u_int16_t port) +{ + struct in6_pktinfo *pktinfo; + struct sockaddr_in6 dst = { + .sin6_family = AF_INET6, + .sin6_port = htons(port), + }; + + if (cmsgptr->cmsg_type == IPV6_PKTINFO) + { + pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr); + memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr)); + return host_create_from_sockaddr((sockaddr_t*)&dst); + } + return NULL; +} + +#else /* HAVE_IN6_PKTINFO */ + +static host_t *get_dst_v6(struct cmsghdr *cmsgptr, u_int16_t port) +{ + return NULL; +} + +#endif /* HAVE_IN6_PKTINFO */ + METHOD(socket_t, receiver, status_t, private_socket_default_socket_t *this, packet_t **packet) { 
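Review bot: The get_dst_* helpers cast `CMSG_DATA(cmsgptr)` to `struct in_pktinfo`, `struct in6_pktinfo` or `struct in_addr` without verifying that the control message is large enough, so a short cmsg would be read past its payload; a `if (cmsgptr->cmsg_len < CMSG_LEN(sizeof(*pktinfo))) { return NULL; }` after the type check costs nothing and makes the helpers safe to reuse. The ancillary data is produced by the kernel for recvmsg(), so as far as visible this is hardening rather than a reachable bug. On the IPv6 side `ipi6_ifindex` is discarded, so `dst` for a link-local destination has no scope; if such destinations are possible, `dst.sin6_scope_id = pktinfo->ipi6_ifindex;` preserves it. receiver() starts at the end of the hunk and continues outside it.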
@@ -233,48 +318,13 @@ METHOD(socket_t, receiver, status_t, DBG1(DBG_NET, "error reading ancillary data"); return FAILED; } - -#ifdef HAVE_IN6_PKTINFO - if (cmsgptr->cmsg_level == SOL_IPV6 && - cmsgptr->cmsg_type == IPV6_PKTINFO) + if (cmsgptr->cmsg_level == SOL_IP) { - struct in6_pktinfo *pktinfo; - pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr); - struct sockaddr_in6 dst; - - memset(&dst, 0, sizeof(dst)); - memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr)); - dst.sin6_family = AF_INET6; - dst.sin6_port = htons(port); - dest = host_create_from_sockaddr((sockaddr_t*)&dst); + dest = get_dst_v4(cmsgptr, port); } -#endif /* HAVE_IN6_PKTINFO */ - if (cmsgptr->cmsg_level == SOL_IP && -#ifdef IP_PKTINFO - cmsgptr->cmsg_type == IP_PKTINFO -#elif defined(IP_RECVDSTADDR) - cmsgptr->cmsg_type == IP_RECVDSTADDR -#else - FALSE -#endif - ) + else if (cmsgptr->cmsg_level == SOL_IPV6) { - struct in_addr *addr; - struct sockaddr_in dst; - -#ifdef IP_PKTINFO - struct in_pktinfo *pktinfo; - pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr); - addr = &pktinfo->ipi_addr; -#elif defined(IP_RECVDSTADDR) - addr = (struct in_addr*)CMSG_DATA(cmsgptr); -#endif - memset(&dst, 0, sizeof(dst)); - memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr)); - - dst.sin_family = AF_INET; - dst.sin_port = htons(port); - dest = host_create_from_sockaddr((sockaddr_t*)&dst); + dest = get_dst_v6(cmsgptr, port); } if (dest) { 
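Review bot: `dest = get_dst_v4(cmsgptr, port);` now runs for every SOL_IP control message, not only the PKTINFO/RECVDSTADDR one as before, and the helper returns NULL for any other type; unless the `if (dest)` block that follows leaves the loop at once (its body is outside the hunk), a SOL_IP cmsg of another type after the destination one — IP_TOS or IP_TTL, should those options ever be enabled on the socket — overwrites an already-found `dest` with NULL and leaks the host. Assigning only on success keeps the previous semantics: `host_t *found = get_dst_v4(cmsgptr, port); if (found) { dest = found; }`, and likewise for the IPv6 branch. receiver() starts and ends outside the hunk.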
@@ -305,6 +355,107 @@ METHOD(socket_t, receiver, status_t, return SUCCESS; } +/** + * Generic function to send a message. + */ +static ssize_t send_msg_generic(int skt, struct msghdr *msg) +{ + return sendmsg(skt, msg, 0); +} + +/** + * Send a message with the IPv4 source address set, if possible. + */ +#ifdef IP_PKTINFO + +static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src) +{ + char buf[CMSG_SPACE(sizeof(struct in_pktinfo))] = {}; + struct cmsghdr *cmsg; + struct in_addr *addr; + struct in_pktinfo *pktinfo; + struct sockaddr_in *sin; + + msg->msg_control = buf; + msg->msg_controllen = sizeof(buf); + cmsg = CMSG_FIRSTHDR(msg); + cmsg->cmsg_level = SOL_IP; + cmsg->cmsg_type = IP_PKTINFO; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); + + pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); + addr = &pktinfo->ipi_spec_dst; + + sin = (struct sockaddr_in*)src->get_sockaddr(src); + memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); + return send_msg_generic(skt, msg); +} + +#elif defined(IP_SENDSRCADDR) + +static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src) +{ + char buf[CMSG_SPACE(sizeof(struct in_addr))] = {}; + struct cmsghdr *cmsg; + struct in_addr *addr; + struct sockaddr_in *sin; + + msg->msg_control = buf; + msg->msg_controllen = sizeof(buf); + cmsg = CMSG_FIRSTHDR(msg); + cmsg->cmsg_level = SOL_IP; + cmsg->cmsg_type = IP_SENDSRCADDR; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); + + addr = (struct in_addr*)CMSG_DATA(cmsg); + + sin = (struct sockaddr_in*)src->get_sockaddr(src); + memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); + return send_msg_generic(skt, msg); +} + +#else /* IP_PKTINFO || IP_RECVDSTADDR */ + +static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src) +{ + return send_msg_generic(skt, msg); +} + +#endif /* IP_PKTINFO || IP_RECVDSTADDR */ + +/** + * Send a message with the IPv6 source address set, if possible. 
+ */ +#ifdef HAVE_IN6_PKTINFO + +static ssize_t send_msg_v6(int skt, struct msghdr *msg, host_t *src) +{ + char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))] = {}; + struct cmsghdr *cmsg; + struct in6_pktinfo *pktinfo; + struct sockaddr_in6 *sin; + + msg->msg_control = buf; + msg->msg_controllen = sizeof(buf); + cmsg = CMSG_FIRSTHDR(msg); + cmsg->cmsg_level = SOL_IPV6; + cmsg->cmsg_type = IPV6_PKTINFO; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); + pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); + sin = (struct sockaddr_in6*)src->get_sockaddr(src); + memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr)); + return send_msg_generic(skt, msg); +} + +#else /* HAVE_IN6_PKTINFO */ + +static ssize_t send_msg_v6(int skt, struct msghdr *msg, host_t *src) +{ + return send_msg_generic(skt, msg); +} + +#endif /* HAVE_IN6_PKTINFO */ + METHOD(socket_t, sender, status_t, private_socket_default_socket_t *this, packet_t *packet) { @@ -313,7 +464,6 @@ METHOD(socket_t, sender, status_t, chunk_t data; host_t *src, *dst; struct msghdr msg; - struct cmsghdr *cmsg; struct iovec iov; u_int8_t *dscp; 
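Review bot: send_msg_v4()/send_msg_v6() point `msg->msg_control` at a stack-local `buf` and return with `msg` still referring to it, so the caller's `struct msghdr` carries a dangling control pointer after the call; sender() only inspects `bytes_sent` afterwards (next hunk), but any later reuse of `msg`, such as a retry on EINTR/EAGAIN, would hand freed stack to sendmsg(). Store the result, then clear `msg->msg_control = NULL; msg->msg_controllen = 0;` before returning. `char buf[...] = {};` relies on a GNU/C23 empty initializer where the removed code used `memset(buf, 0, sizeof(buf))`; `= {0}` is the portable spelling. The `#else`/`#endif` comments of the v4 sender say `IP_PKTINFO || IP_RECVDSTADDR` while the condition tested is `IP_SENDSRCADDR`.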
@@ -415,56 +565,17 @@ METHOD(socket_t, sender, status_t, { if (family == AF_INET) { -#if defined(IP_PKTINFO) || defined(IP_SENDSRCADDR) - struct in_addr *addr; - struct sockaddr_in *sin; -#ifdef IP_PKTINFO - char buf[CMSG_SPACE(sizeof(struct in_pktinfo))]; - struct in_pktinfo *pktinfo; -#elif defined(IP_SENDSRCADDR) - char buf[CMSG_SPACE(sizeof(struct in_addr))]; -#endif - memset(buf, 0, sizeof(buf)); - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_IP; -#ifdef IP_PKTINFO - cmsg->cmsg_type = IP_PKTINFO; - cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); - pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); - addr = &pktinfo->ipi_spec_dst; -#elif defined(IP_SENDSRCADDR) - cmsg->cmsg_type = IP_SENDSRCADDR; - cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); - addr = (struct in_addr*)CMSG_DATA(cmsg); -#endif - sin = (struct sockaddr_in*)src->get_sockaddr(src); - memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); -#endif /* IP_PKTINFO || IP_SENDSRCADDR */ + bytes_sent = send_msg_v4(skt, &msg, src); } -#ifdef HAVE_IN6_PKTINFO else { - char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))]; - struct in6_pktinfo *pktinfo; - struct sockaddr_in6 *sin; - - memset(buf, 0, sizeof(buf)); - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_IPV6; - cmsg->cmsg_type = IPV6_PKTINFO; - cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); - pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); - sin = (struct sockaddr_in6*)src->get_sockaddr(src); - memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr)); + bytes_sent = send_msg_v6(skt, &msg, src); } -#endif /* HAVE_IN6_PKTINFO */ } - - bytes_sent = sendmsg(skt, &msg, 0); + else + { + bytes_sent = send_msg_generic(skt, &msg); + } if (bytes_sent != data.len) { 
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c index b82a69e1b..a032134c3 100644 --- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c +++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c 
@@ -527,6 +527,62 @@ static dynsock_t *find_socket(private_socket_dynamic_socket_t *this, return skt; } +/** + * Generic function to send a message. + */ +static ssize_t send_msg_generic(int skt, struct msghdr *msg) +{ + return sendmsg(skt, msg, 0); +} + +/** + * Send a message with the IPv4 source address set. + */ +static ssize_t send_msg_v4(int skt, struct msghdr *msg, host_t *src) +{ + char buf[CMSG_SPACE(sizeof(struct in_pktinfo))] = {}; + struct cmsghdr *cmsg; + struct in_addr *addr; + struct in_pktinfo *pktinfo; + struct sockaddr_in *sin; + + msg->msg_control = buf; + msg->msg_controllen = sizeof(buf); + cmsg = CMSG_FIRSTHDR(msg); + cmsg->cmsg_level = SOL_IP; + cmsg->cmsg_type = IP_PKTINFO; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); + + pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); + addr = &pktinfo->ipi_spec_dst; + + sin = (struct sockaddr_in*)src->get_sockaddr(src); + memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); + return send_msg_generic(skt, msg); +} + +/** + * Send a message with the IPv6 source address set. + */ +static ssize_t send_msg_v6(int skt, struct msghdr *msg, host_t *src) +{ + char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))] = {}; + struct cmsghdr *cmsg; + struct in6_pktinfo *pktinfo; + struct sockaddr_in6 *sin; + + msg->msg_control = buf; + msg->msg_controllen = sizeof(buf); + cmsg = CMSG_FIRSTHDR(msg); + cmsg->cmsg_level = SOL_IPV6; + cmsg->cmsg_type = IPV6_PKTINFO; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); + pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); + sin = (struct sockaddr_in6*)src->get_sockaddr(src); + memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr)); + return send_msg_generic(skt, msg); +} + METHOD(socket_t, sender, status_t, private_socket_dynamic_socket_t *this, packet_t *packet) { @@ -536,7 +592,6 @@ METHOD(socket_t, sender, status_t, ssize_t len; chunk_t data; struct msghdr msg; - struct cmsghdr *cmsg; struct iovec iov; src = packet->get_source(packet); 
@@ -564,43 +619,18 @@ METHOD(socket_t, sender, status_t, { if (family == AF_INET) { - struct in_addr *addr; - struct sockaddr_in *sin; - char buf[CMSG_SPACE(sizeof(struct in_pktinfo))]; - struct in_pktinfo *pktinfo; - - memset(buf, 0, sizeof(buf)); - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_IP; - cmsg->cmsg_type = IP_PKTINFO; - cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); - pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); - addr = &pktinfo->ipi_spec_dst; - sin = (struct sockaddr_in*)src->get_sockaddr(src); - memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); + len = send_msg_v4(skt->fd, &msg, src); } else { - char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))]; - struct in6_pktinfo *pktinfo; - struct sockaddr_in6 *sin; - - memset(buf, 0, sizeof(buf)); - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_IPV6; - cmsg->cmsg_type = IPV6_PKTINFO; - cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); - pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); - sin = (struct sockaddr_in6*)src->get_sockaddr(src); - memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr)); + len = send_msg_v6(skt->fd, &msg, src); } } + else + { + len = send_msg_generic(skt->fd, &msg); + } - len = sendmsg(skt->fd, &msg, 0); if (len != data.len) { DBG1(DBG_NET, "error writing to socket: %s", strerror(errno)); diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index f71719458..68cf83089 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c 
@@ -346,9 +346,9 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg) { "sha256", SIGN_ECDSA_256, KEY_ECDSA, }, { "sha384", SIGN_ECDSA_384, KEY_ECDSA, }, { "sha512", SIGN_ECDSA_521, KEY_ECDSA, }, - { "sha256", SIGN_BLISS_WITH_SHA256, KEY_BLISS, }, - { "sha384", SIGN_BLISS_WITH_SHA384, KEY_BLISS, }, - { "sha512", SIGN_BLISS_WITH_SHA512, KEY_BLISS, }, + { "sha256", SIGN_BLISS_WITH_SHA2_256, KEY_BLISS, }, + { "sha384", SIGN_BLISS_WITH_SHA2_384, KEY_BLISS, }, + { "sha512", SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, }, }; if (rsa_len || ecdsa_len || bliss_strength) diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index 0125d17c6..5a1a5074d 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Tobias Brunner + * Copyright (C) 2013-2015 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * 
@@ -298,6 +298,41 @@ static void report_terminate_status(private_stroke_control_t *this, } } +/** + * Call the charon controller to terminate a CHILD_SA + */ +static void charon_terminate(private_stroke_control_t *this, u_int32_t id, + stroke_msg_t *msg, FILE *out, bool child) +{ + if (msg->output_verbosity >= 0) + { + stroke_log_info_t info = { msg->output_verbosity, out }; + status_t status; + + if (child) + { + status = charon->controller->terminate_child(charon->controller, id, + (controller_cb_t)stroke_log, &info, this->timeout); + } + else + { + status = charon->controller->terminate_ike(charon->controller, id, + (controller_cb_t)stroke_log, &info, this->timeout); + } + report_terminate_status(this, status, out, id, child); + } + else if (child) + { + charon->controller->terminate_child(charon->controller, id, + NULL, NULL, 0); + } + else + { + charon->controller->terminate_ike(charon->controller, id, + NULL, NULL, 0); + } +} + METHOD(stroke_control_t, terminate, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { @@ -307,9 +342,7 @@ METHOD(stroke_control_t, terminate, void, ike_sa_t *ike_sa; enumerator_t *enumerator; linked_list_t *ike_list, *child_list; - stroke_log_info_t info; uintptr_t del; - status_t status; if (!parse_specifier(msg->terminate.name, &id, &name, &child, &all)) { @@ -317,22 +350,9 @@ METHOD(stroke_control_t, terminate, void, return; } - info.out = out; - info.level = msg->output_verbosity; - if (id) { - if (child) - { - status = charon->controller->terminate_child(charon->controller, id, - (controller_cb_t)stroke_log, &info, this->timeout); - } - else - { - status = charon->controller->terminate_ike(charon->controller, id, - (controller_cb_t)stroke_log, &info, this->timeout); - } - return report_terminate_status(this, status, out, id, child); + return charon_terminate(this, id, msg, out, child); } ike_list = linked_list_create(); 
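Review bot: The header comment on charon_terminate says it terminates a CHILD_SA, but with `child == FALSE` it calls `terminate_ike`; a more accurate comment is `/** Terminate the CHILD_SA (child == TRUE) or IKE_SA with the given unique ID, logging via stroke_log when msg->output_verbosity >= 0 */`. Note also that the quiet path (`output_verbosity < 0`) now passes `NULL, NULL, 0` where the removed code always passed a stroke_log callback and `this->timeout`, so if the controller treats a zero timeout as "do not wait", termination becomes non-blocking for callers that suppress output and report_terminate_status is skipped on that path; probably intended, but worth a sentence in the comment.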
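Review bot: `return charon_terminate(this, id, msg, out, child);` returns a void expression from a function returning void, which ISO C does not permit (GCC only diagnoses it under -pedantic); the line it replaced had the same shape with report_terminate_status, so this is inherited style, but `charon_terminate(this, id, msg, out, child); return;` is portable and equally clear. The terminate method continues outside this hunk.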
@@ -380,18 +400,14 @@ METHOD(stroke_control_t, terminate, void, enumerator = child_list->create_enumerator(child_list); while (enumerator->enumerate(enumerator, &del)) { - status = charon->controller->terminate_child(charon->controller, del, - (controller_cb_t)stroke_log, &info, this->timeout); - report_terminate_status(this, status, out, del, TRUE); + charon_terminate(this, del, msg, out, TRUE); } enumerator->destroy(enumerator); enumerator = ike_list->create_enumerator(ike_list); while (enumerator->enumerate(enumerator, &del)) { - status = charon->controller->terminate_ike(charon->controller, del, - (controller_cb_t)stroke_log, &info, this->timeout); - report_terminate_status(this, status, out, del, FALSE); + charon_terminate(this, del, msg, out, FALSE); } enumerator->destroy(enumerator); @@ -548,11 +564,6 @@ METHOD(stroke_control_t, purge_ike, void, child_sa_t *child_sa; linked_list_t *list; uintptr_t del; - stroke_log_info_t info; - status_t status; - - info.out = out; - info.level = msg->output_verbosity; list = linked_list_create(); enumerator = charon->controller->create_ike_sa_enumerator( @@ -572,9 +583,7 @@ METHOD(stroke_control_t, purge_ike, void, enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &del)) { - status = charon->controller->terminate_ike(charon->controller, del, - (controller_cb_t)stroke_log, &info, this->timeout); - report_terminate_status(this, status, out, del, TRUE); + charon_terminate(this, del, msg, out, FALSE); } enumerator->destroy(enumerator); list->destroy(list); diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index c7e4c9c65..c0192b5c0 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c 
@@ -334,7 +334,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) child_sa->create_ts_enumerator(child_sa, TRUE)); other_ts = linked_list_create_from_enumerator( child_sa->create_ts_enumerator(child_sa, FALSE)); - fprintf(out, "\n%12s{%d}: %#R=== %#R\n", + fprintf(out, "\n%12s{%d}: %#R === %#R\n", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), my_ts, other_ts); my_ts->destroy(my_ts); @@ -586,7 +586,7 @@ METHOD(stroke_list_t, status, void, { my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL); - fprintf(out, "%12s: child: %#R=== %#R%N", + fprintf(out, "%12s: child: %#R === %#R %N", child_cfg->get_name(child_cfg), my_ts, other_ts, ipsec_mode_names, child_cfg->get_mode(child_cfg)); my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); @@ -620,7 +620,7 @@ METHOD(stroke_list_t, status, void, } my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL); - fprintf(out, "%12s: %#R=== %#R%N\n", + fprintf(out, "%12s: %#R === %#R %N\n", child_cfg->get_name(child_cfg), my_ts, other_ts, ipsec_mode_names, child_cfg->get_mode(child_cfg)); my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index e20e8ab26..b9531d8a5 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -526,12 +526,21 @@ Unloading fails for pools with leases currently online. List the currently loaded pools. - {} => { + { + leases = + } => { * = { base = size = online = offline = + leases = { + * = { + address = + identity = + status = + } + } } } @@ -587,6 +596,10 @@ command. initiator = initiator-spi = responder-spi = + nat-local = + nat-remote = + nat-fake = + nat-any = encr-alg = encr-keysize = integ-alg = 
@@ -596,6 +609,12 @@ command. established = rekey-time = reauth-time = + local-vips = [ + + ] + remote-vips = [ + + ] tasks-queued = [ ] diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c index f04bae774..9064d3d8c 100644 --- a/src/libcharon/plugins/vici/vici_attribute.c +++ b/src/libcharon/plugins/vici/vici_attribute.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Tobias Brunner + * Copyright (C) 2014-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * * Copyright (C) 2014 Martin Willi @@ -662,9 +662,16 @@ CALLBACK(get_pools, vici_message_t*, vici_message_t *message) { vici_builder_t *builder; - enumerator_t *enumerator; + enumerator_t *enumerator, *leases; mem_pool_t *vips; pool_t *pool; + identification_t *uid; + host_t *lease; + bool list_leases, on; + char buf[32]; + int i; + + list_leases = message->get_bool(message, FALSE, "leases"); builder = vici_builder_create(); @@ -681,6 +688,23 @@ CALLBACK(get_pools, vici_message_t*, builder->add_kv(builder, "online", "%u", vips->get_online(vips)); builder->add_kv(builder, "offline", "%u", vips->get_offline(vips)); + if (list_leases) + { + i = 0; + builder->begin_section(builder, "leases"); + leases = vips->create_lease_enumerator(vips); + while (leases && leases->enumerate(leases, &uid, &lease, &on)) + { + snprintf(buf, sizeof(buf), "%d", i++); + builder->begin_section(builder, buf); + builder->add_kv(builder, "address", "%H", lease); + builder->add_kv(builder, "identity", "%Y", uid); + builder->add_kv(builder, "status", on ? "online" : "offline"); + builder->end_section(builder); + } + leases->destroy(leases); + builder->end_section(builder); + } builder->end_section(builder); } enumerator->destroy(enumerator); diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c index ffdc034ea..6631184b5 100644 --- a/src/libcharon/plugins/vici/vici_cred.c +++ b/src/libcharon/plugins/vici/vici_cred.c 
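Review bot: The lease loop guards against a NULL enumerator with `while (leases && leases->enumerate(...))`, but the following `leases->destroy(leases);` is unconditional, so a NULL return from create_lease_enumerator would dereference NULL immediately after the loop. Either the guard in the loop condition is unnecessary and should go, or the destroy should become `DESTROY_IF(leases);`, which this commit already uses in child_sa.c; a guard that covers only half of the uses suggests the NULL case was not decided. The get_pools callback starts in the previous hunk.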
@@ -71,6 +71,7 @@ CALLBACK(load_cert, vici_message_t*, certificate_t *cert; x509_t *x509; chunk_t data; + bool trusted = TRUE; char *str; str = message->get_str(message, NULL, "type"); @@ -99,6 +100,7 @@ CALLBACK(load_cert, vici_message_t*, else if (strcaseeq(str, "x509ac")) { type = CERT_X509_AC; + trusted = FALSE; } else { @@ -131,8 +133,14 @@ CALLBACK(load_cert, vici_message_t*, DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert)); - this->creds->add_cert(this->creds, TRUE, cert); - + if (type == CERT_X509_CRL) + { + this->creds->add_crl(this->creds, (crl_t*)cert); + } + else + { + this->creds->add_cert(this->creds, trusted, cert); + } return create_reply(NULL); } diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 98d264fca..9a3d832da 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -221,6 +221,45 @@ static void list_task_queue(private_vici_query_t *this, vici_builder_t *b, } } +/** + * Add an IKE_SA condition to the given builder + */ +static void add_condition(vici_builder_t *b, ike_sa_t *ike_sa, + char *key, ike_condition_t cond) +{ + if (ike_sa->has_condition(ike_sa, cond)) + { + b->add_kv(b, key, "yes"); + } +} + +/** + * List virtual IPs + */ +static void list_vips(private_vici_query_t *this, vici_builder_t *b, + ike_sa_t *ike_sa, bool local, char *name) +{ + enumerator_t *enumerator; + bool has = FALSE; + host_t *vip; + + enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local); + while (enumerator->enumerate(enumerator, &vip)) + { + if (!has) + { + b->begin_list(b, name); + has = TRUE; + } + b->add_li(b, "%H", vip); + } + enumerator->destroy(enumerator); + if (has) + { + b->end_list(b); + } +} + /** * List details of an IKE_SA */ 
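Review bot: `trusted` stays TRUE for every type except x509ac and the new CRL branch ignores it entirely, but nothing in load_cert says why; a comment at the declaration, e.g. `bool trusted = TRUE; /* only attribute certificates are stored untrusted; CRLs go through add_crl() */`, would make the trust decision visible to whoever adds the next type. If the second argument of `add_cert` marks the certificate as trusted without building a chain to a CA (it reads that way, but the credential set is outside this diff), the comment should say so, since that is the property every certificate loaded through this command then has. The `(crl_t*)cert` cast presumably relies on CERT_X509_CRL parsing to produce a crl_t; stating that next to the cast would help too. load_cert begins outside this hunk.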
@@ -265,6 +304,11 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, b->add_kv(b, "initiator-spi", "%.16"PRIx64, id->get_initiator_spi(id)); b->add_kv(b, "responder-spi", "%.16"PRIx64, id->get_responder_spi(id)); + add_condition(b, ike_sa, "nat-local", COND_NAT_HERE); + add_condition(b, ike_sa, "nat-remote", COND_NAT_THERE); + add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE); + add_condition(b, ike_sa, "nat-any", COND_NAT_ANY); + proposal = ike_sa->get_proposal(ike_sa); if (proposal) { @@ -310,6 +354,9 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, } } + list_vips(this, b, ike_sa, TRUE, "local-vips"); + list_vips(this, b, ike_sa, FALSE, "remote-vips"); + list_task_queue(this, b, ike_sa, TASK_QUEUE_QUEUED, "tasks-queued"); list_task_queue(this, b, ike_sa, TASK_QUEUE_ACTIVE, "tasks-active"); list_task_queue(this, b, ike_sa, TASK_QUEUE_PASSIVE, "tasks-passive"); diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c index 5b5fb9d98..6c01ffe95 100644 --- a/src/libcharon/processing/jobs/initiate_mediation_job.c +++ b/src/libcharon/processing/jobs/initiate_mediation_job.c @@ -161,6 +161,10 @@ METHOD(job_t, initiate, job_requeue_t, } mediated_cfg->destroy(mediated_cfg); } + else + { /* newly created IKE_SA is not checked in yet, try again */ + return JOB_RESCHEDULE_MS(100); + } return JOB_REQUEUE_NONE; } diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 73f2ec9d3..b0f163c83 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -413,8 +413,14 @@ METHOD(enumerator_t, policy_enumerate, bool, { /* protocol mismatch */ continue; } - *my_out = this->ts; - *other_out = other_ts; + if (my_out) + { + *my_out = this->ts; + } + if (other_out) + { + *other_out = other_ts; + } return TRUE; } return FALSE; 
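Review bot: The new `else` branch in initiate_mediation_job reschedules the job every 100 ms with no upper bound, so if the IKE_SA it waits for never gets checked in (destroyed before the first attempt, or the lookup above failing for another reason) the job is requeued forever. A retry counter or a total deadline would bound it, e.g. `if (++this->retries > MAX_RETRIES) { return JOB_REQUEUE_NONE; }` with `retries` and the limit added to the job (placeholder names); failing that, the comment should state what guarantees eventual success, e.g. `/* newly created IKE_SA is not checked in yet, try again; checkin follows shortly after the job is queued */`. The initiate method and the job struct are outside this hunk.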
@@ -774,6 +780,50 @@ static bool require_policy_update() return !(f & KERNEL_NO_POLICY_UPDATES); } +/** + * Prepare SA config to install/delete policies + */ +static void prepare_sa_cfg(private_child_sa_t *this, ipsec_sa_cfg_t *my_sa, + ipsec_sa_cfg_t *other_sa) +{ + enumerator_t *enumerator; + + *my_sa = (ipsec_sa_cfg_t){ + .mode = this->mode, + .reqid = this->reqid, + .ipcomp = { + .transform = this->ipcomp, + }, + }; + *other_sa = *my_sa; + + my_sa->ipcomp.cpi = this->my_cpi; + other_sa->ipcomp.cpi = this->other_cpi; + + if (this->protocol == PROTO_ESP) + { + my_sa->esp.use = TRUE; + my_sa->esp.spi = this->my_spi; + other_sa->esp.use = TRUE; + other_sa->esp.spi = this->other_spi; + } + else + { + my_sa->ah.use = TRUE; + my_sa->ah.spi = this->my_spi; + other_sa->ah.use = TRUE; + other_sa->ah.spi = this->other_spi; + } + + enumerator = create_policy_enumerator(this); + while (enumerator->enumerate(enumerator, NULL, NULL)) + { + my_sa->policy_count++; + other_sa->policy_count++; + } + enumerator->destroy(enumerator); +} + /** * Install 3 policies: out, in and forward */ 
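Review bot: The counting loop `enumerator->enumerate(enumerator, NULL, NULL)` depends on policy_enumerate accepting NULL out-pointers, which this same commit adds in the earlier child_sa.c hunk; a one-line comment, `/* NULL out-pointers: only counting pairs, see policy_enumerate() */`, records that dependency so the NULL guards are not removed later as dead code. The header comment could also state the contract for the out-parameters, namely that both structs are fully overwritten and `policy_count` ends up as the number of traffic-selector pairs.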
@@ -806,20 +856,22 @@ static status_t install_policies_internal(private_child_sa_t *this, * Delete 3 policies: out, in and forward */ static void del_policies_internal(private_child_sa_t *this, - traffic_selector_t *my_ts, traffic_selector_t *other_ts, - policy_priority_t priority) + host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts, + traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa, + ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority) { + hydra->kernel_interface->del_policy(hydra->kernel_interface, - my_ts, other_ts, POLICY_OUT, this->reqid, - this->mark_out, priority); + my_addr, other_addr, my_ts, other_ts, POLICY_OUT, type, + other_sa, this->mark_out, priority); hydra->kernel_interface->del_policy(hydra->kernel_interface, - other_ts, my_ts, POLICY_IN, this->reqid, - this->mark_in, priority); + other_addr, my_addr, other_ts, my_ts, POLICY_IN, + type, my_sa, this->mark_in, priority); if (this->mode != MODE_TRANSPORT) { hydra->kernel_interface->del_policy(hydra->kernel_interface, - other_ts, my_ts, POLICY_FWD, this->reqid, - this->mark_in, priority); + other_addr, my_addr, other_ts, my_ts, POLICY_FWD, + type, my_sa, this->mark_in, priority); } } 
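Review bot: A stray blank line is added right after the opening brace of del_policies_internal (the lone `+` line before the first `del_policy` call); drop it, as the surrounding functions start their bodies without one. The six new parameters would also benefit from a short `@param` list in the header comment, in the doxygen style ike_sa_manager.h uses in this diff, at least noting that `type` selects between POLICY_IPSEC and POLICY_DROP as the callers in the update and destroy hunks show.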
@@ -864,31 +916,9 @@ METHOD(child_sa_t, add_policies, status_t, if (this->config->install_policy(this->config)) { policy_priority_t priority; - ipsec_sa_cfg_t my_sa = { - .mode = this->mode, - .reqid = this->reqid, - .ipcomp = { - .transform = this->ipcomp, - }, - }, other_sa = my_sa; - - my_sa.ipcomp.cpi = this->my_cpi; - other_sa.ipcomp.cpi = this->other_cpi; - - if (this->protocol == PROTO_ESP) - { - my_sa.esp.use = TRUE; - my_sa.esp.spi = this->my_spi; - other_sa.esp.use = TRUE; - other_sa.esp.spi = this->other_spi; - } - else - { - my_sa.ah.use = TRUE; - my_sa.ah.spi = this->my_spi; - other_sa.ah.use = TRUE; - other_sa.ah.spi = this->other_spi; - } + ipsec_sa_cfg_t my_sa, other_sa; + + prepare_sa_cfg(this, &my_sa, &other_sa); /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD * entry) we install a trap policy */ @@ -896,14 +926,6 @@ METHOD(child_sa_t, add_policies, status_t, priority = this->trap ? POLICY_PRIORITY_ROUTED : POLICY_PRIORITY_DEFAULT; - enumerator = create_policy_enumerator(this); - while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) - { - my_sa.policy_count++; - other_sa.policy_count++; - } - enumerator->destroy(enumerator); - /* enumerate pairs of traffic selectors */ enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) 
@@ -1006,47 +1028,24 @@ METHOD(child_sa_t, update, status_t, if (this->config->install_policy(this->config) && require_policy_update()) { - ipsec_sa_cfg_t my_sa = { - .mode = this->mode, - .reqid = this->reqid, - .ipcomp = { - .transform = this->ipcomp, - }, - }, other_sa = my_sa; - - my_sa.ipcomp.cpi = this->my_cpi; - other_sa.ipcomp.cpi = this->other_cpi; - - if (this->protocol == PROTO_ESP) - { - my_sa.esp.use = TRUE; - my_sa.esp.spi = this->my_spi; - other_sa.esp.use = TRUE; - other_sa.esp.spi = this->other_spi; - } - else - { - my_sa.ah.use = TRUE; - my_sa.ah.spi = this->my_spi; - other_sa.ah.use = TRUE; - other_sa.ah.spi = this->other_spi; - } - - /* update policies */ if (!me->ip_equals(me, this->my_addr) || !other->ip_equals(other, this->other_addr)) { + ipsec_sa_cfg_t my_sa, other_sa; enumerator_t *enumerator; traffic_selector_t *my_ts, *other_ts; + prepare_sa_cfg(this, &my_sa, &other_sa); + /* always use high priorities, as hosts getting updated are INSTALLED */ enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL; /* remove old policies first */ - del_policies_internal(this, my_ts, other_ts, - POLICY_PRIORITY_DEFAULT); + del_policies_internal(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, + POLICY_IPSEC, POLICY_PRIORITY_DEFAULT); /* check if we have to update a "dynamic" traffic selector */ if (!me->ip_equals(me, this->my_addr) && 
@@ -1068,21 +1067,20 @@ METHOD(child_sa_t, update, status_t, /* reinstall updated policies */ install_policies_internal(this, me, other, my_ts, other_ts, - &my_sa, &other_sa, POLICY_IPSEC, - POLICY_PRIORITY_DEFAULT); + &my_sa, &other_sa, POLICY_IPSEC, + POLICY_PRIORITY_DEFAULT); /* update fallback policies after the new policy is in place */ - if (old_my_ts || old_other_ts) - { - del_policies_internal(this, old_my_ts ?: my_ts, - old_other_ts ?: other_ts, + del_policies_internal(this, this->my_addr, this->other_addr, + old_my_ts ?: my_ts, + old_other_ts ?: other_ts, + &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_FALLBACK); + install_policies_internal(this, me, other, my_ts, other_ts, + &my_sa, &other_sa, POLICY_DROP, POLICY_PRIORITY_FALLBACK); - install_policies_internal(this, me, other, my_ts, other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK); - DESTROY_IF(old_my_ts); - DESTROY_IF(old_other_ts); - } + DESTROY_IF(old_my_ts); + DESTROY_IF(old_other_ts); } enumerator->destroy(enumerator); } @@ -1122,15 +1120,21 @@ METHOD(child_sa_t, destroy, void, if (this->config->install_policy(this->config)) { + ipsec_sa_cfg_t my_sa, other_sa; + + prepare_sa_cfg(this, &my_sa, &other_sa); + /* delete all policies in the kernel */ enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - del_policies_internal(this, my_ts, other_ts, priority); + del_policies_internal(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, priority); if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update()) { - del_policies_internal(this, my_ts, other_ts, - POLICY_PRIORITY_FALLBACK); + del_policies_internal(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_FALLBACK); } } enumerator->destroy(enumerator); diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 37d69874d..4625df5b8 100644 
--- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -394,9 +394,17 @@ struct private_ike_sa_manager_t { rng_t *rng; /** - * Lock to access the RNG instance + * Registered callback for IKE SPIs */ - rwlock_t *rng_lock; + struct { + spi_cb_t cb; + void *data; + } spi_cb; + + /** + * Lock to access the RNG instance and the callback + */ + rwlock_t *spi_lock; /** * reuse existing IKE_SAs in checkout_by_config @@ -971,13 +979,17 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this) { u_int64_t spi; - this->rng_lock->read_lock(this->rng_lock); - if (!this->rng || - !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) + this->spi_lock->read_lock(this->spi_lock); + if (this->spi_cb.cb) + { + spi = this->spi_cb.cb(this->spi_cb.data); + } + else if (!this->rng || + !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) { spi = 0; } - this->rng_lock->unlock(this->rng_lock); + this->spi_lock->unlock(this->spi_lock); return spi; } @@ -1188,11 +1200,15 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, */ static u_int32_t get_message_id_or_hash(message_t *message) { - /* Use the message ID, or the message hash in IKEv1 Main/Aggressive mode */ - if (message->get_major_version(message) == IKEV1_MAJOR_VERSION && - message->get_message_id(message) == 0) + if (message->get_major_version(message) == IKEV1_MAJOR_VERSION) { - return chunk_hash(message->get_packet_data(message)); + /* Use a hash for IKEv1 Phase 1, where we don't have a MID, and Quick + * Mode, where all three messages use the same message ID */ + if (message->get_message_id(message) == 0 || + message->get_exchange_type(message) == QUICK_MODE) + { + return chunk_hash(message->get_packet_data(message)); + } } return message->get_message_id(message); } 
@@ -1384,7 +1400,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, continue; } if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING) - { /* skip IKE_SAs which are not usable */ + { /* skip IKE_SAs which are not usable, wake other waiting threads */ + entry->condvar->signal(entry->condvar); continue; } @@ -1402,6 +1419,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, break; } } + /* other threads might be waiting for this entry */ + entry->condvar->signal(entry->condvar); } enumerator->destroy(enumerator); @@ -1434,6 +1453,8 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*, entry->checked_out = TRUE; break; } + /* other threads might be waiting for this entry */ + entry->condvar->signal(entry->condvar); } } enumerator->destroy(enumerator); @@ -1490,6 +1511,8 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*, ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); break; } + /* other threads might be waiting for this entry */ + entry->condvar->signal(entry->condvar); } } enumerator->destroy(enumerator); 
@@ -1628,8 +1651,27 @@ METHOD(ike_sa_manager_t, checkin, void, * delete any existing IKE_SAs with that peer. */ if (ike_sa->has_condition(ike_sa, COND_INIT_CONTACT_SEEN)) { + /* We can't hold the segment locked while checking the + * uniqueness as this could lead to deadlocks. We mark the + * entry as checked out while we release the lock so no other + * thread can acquire it. Since it is not yet in the list of + * connected peers that will not cause a deadlock as no other + * caller of check_unqiueness() will try to check out this SA */ + entry->checked_out = TRUE; + unlock_single_segment(this, segment); + this->public.check_uniqueness(&this->public, ike_sa, TRUE); ike_sa->set_condition(ike_sa, COND_INIT_CONTACT_SEEN, FALSE); + + /* The entry could have been modified in the mean time, e.g. + * because another SA was added/removed next to it or another + * thread is waiting, but it should still exist, so there is no + * need for a lookup via get_entry_by... */ + lock_single_segment(this, segment); + entry->checked_out = FALSE; + /* We already signaled waiting threads above, we have to do that + * again after checking the SA out and back in again. */ + entry->condvar->signal(entry->condvar); } } @@ -2010,6 +2052,15 @@ METHOD(ike_sa_manager_t, get_half_open_count, u_int, return count; } +METHOD(ike_sa_manager_t, set_spi_cb, void, + private_ike_sa_manager_t *this, spi_cb_t callback, void *data) +{ + this->spi_lock->write_lock(this->spi_lock); + this->spi_cb.cb = callback; + this->spi_cb.data = data; + this->spi_lock->unlock(this->spi_lock); +} + METHOD(ike_sa_manager_t, flush, void, private_ike_sa_manager_t *this) { 
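Review bot: The added comment has a typo, `check_unqiueness()` should read `check_uniqueness()`. More importantly the comment asserts the entry "should still exist" after the segment lock is dropped and reacquired; that holds only if every path that removes entries honours `checked_out` (waits for it to become FALSE), otherwise `entry->checked_out = FALSE` after `lock_single_segment(this, segment)` writes to freed memory. Worth naming the invariant explicitly, e.g. `/* safe because entry removal waits for checked_out == FALSE */`, if that is indeed what the removal paths do (they are outside this hunk).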
@@ -2092,10 +2143,12 @@ METHOD(ike_sa_manager_t, flush, void, charon->bus->set_sa(charon->bus, NULL); unlock_all_segments(this); - this->rng_lock->write_lock(this->rng_lock); + this->spi_lock->write_lock(this->spi_lock); this->rng->destroy(this->rng); this->rng = NULL; - this->rng_lock->unlock(this->rng_lock); + this->spi_cb.cb = NULL; + this->spi_cb.data = NULL; + this->spi_lock->unlock(this->spi_lock); } METHOD(ike_sa_manager_t, destroy, void, @@ -2120,7 +2173,7 @@ METHOD(ike_sa_manager_t, destroy, void, free(this->connected_peers_segments); free(this->init_hashes_segments); - this->rng_lock->destroy(this->rng_lock); + this->spi_lock->destroy(this->spi_lock); free(this); } @@ -2167,6 +2220,7 @@ ike_sa_manager_t *ike_sa_manager_create() .get_count = _get_count, .get_half_open_count = _get_half_open_count, .flush = _flush, + .set_spi_cb = _set_spi_cb, .destroy = _destroy, }, ); @@ -2178,7 +2232,7 @@ ike_sa_manager_t *ike_sa_manager_create() free(this); return NULL; } - this->rng_lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + this->spi_lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->ikesa_limit = lib->settings->get_int(lib->settings, "%s.ikesa_limit", 0, lib->ns); diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index 3ea928ea5..f1b7c2579 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil 
@@ -30,6 +30,16 @@ typedef struct ike_sa_manager_t ike_sa_manager_t; #include #include +/** + * Callback called to generate an IKE SPI. + * + * This may be called from multiple threads concurrently. + * + * @param data data supplied during registration of the callback + * @return allocated SPI, 0 on failure + */ +typedef u_int64_t (*spi_cb_t)(void *data); + /** * Manages and synchronizes access to all IKE_SAs. * @@ -226,6 +236,15 @@ struct ike_sa_manager_t { u_int (*get_half_open_count)(ike_sa_manager_t *this, host_t *ip, bool responder_only); + /** + * Set the callback to generate IKE SPIs + * + * @param callback callback to register + * @param data data provided to callback + */ + void (*set_spi_cb)(ike_sa_manager_t *this, spi_cb_t callback, + void *data); + /** * Delete all existing IKE_SAs and destroy them immediately. * diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index f5a91dbeb..e428966ad 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -23,14 +23,9 @@ typedef struct private_keymat_v1_t private_keymat_v1_t; /** - * Max. number of IVs to track. + * Max. number of IVs/QMs to track. */ -#define MAX_IV 3 - -/** - * Max. number of Quick Modes to track. - */ -#define MAX_QM 2 +#define MAX_EXCHANGES_DEFAULT 3 /** * Data stored for IVs @@ -110,6 +105,11 @@ struct private_keymat_v1_t { * of QMs are tracked at the same time. Stores qm_data_t objects. */ linked_list_t *qms; + + /** + * Max. number of IVs/Quick Modes to track. + */ + int max_exchanges; }; @@ -874,7 +874,7 @@ static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, u_int32_t mid) } this->qms->insert_first(this->qms, found); /* remove least recently used state if maximum reached */ - if (this->qms->get_count(this->qms) > MAX_QM && + if (this->qms->get_count(this->qms) > this->max_exchanges && this->qms->remove_last(this->qms, (void**)&qm) == SUCCESS) { qm_data_destroy(qm); 
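Review bot: The spi_cb_t documentation says what the callback returns but not what properties the value must have; since get_spi() in the ike_sa_manager.c hunk uses the callback result in place of the RNG output, the SPIs are only as unpredictable as the registered generator, and the `@return` line should state the requirement, e.g. `@return allocated SPI, 0 on failure; must be as unpredictable as RNG output (SPIs identify IKE_SAs on the wire)`. It would also help to document that a registered callback fully replaces the RNG path rather than supplementing it, and that flush() clears the registration, both visible in the ike_sa_manager.c hunks.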
@@ -1048,7 +1048,7 @@ static iv_data_t *lookup_iv(private_keymat_v1_t *this, u_int32_t mid) } this->ivs->insert_first(this->ivs, found); /* remove least recently used IV if maximum reached */ - if (this->ivs->get_count(this->ivs) > MAX_IV && + if (this->ivs->get_count(this->ivs) > this->max_exchanges && this->ivs->remove_last(this->ivs, (void**)&iv) == SUCCESS) { iv_data_destroy(iv); @@ -1163,6 +1163,8 @@ keymat_v1_t *keymat_v1_create(bool initiator) .ivs = linked_list_create(), .qms = linked_list_create(), .initiator = initiator, + .max_exchanges = lib->settings->get_int(lib->settings, + "%s.max_ikev1_exchanges", MAX_EXCHANGES_DEFAULT, lib->ns), ); return &this->public; diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 678f99df1..3c601a4fa 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -752,6 +752,12 @@ static status_t build_response(private_task_manager_t *this, message_t *request) case ALREADY_DONE: cancelled = TRUE; break; + case INVALID_ARG: + if (task->get_type(task) == TASK_QUICK_MODE) + { /* not responsible for this exchange */ + continue; + } + /* FALL */ case FAILED: default: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); @@ -928,6 +934,28 @@ static bool have_quick_mode_task(private_task_manager_t *this, u_int32_t mid) return found; } +/** + * Check if we still have an aggressive mode task queued + */ +static bool have_aggressive_mode_task(private_task_manager_t *this) +{ + enumerator_t *enumerator; + task_t *task; + bool found = FALSE; + + enumerator = this->passive_tasks->create_enumerator(this->passive_tasks); + while (enumerator->enumerate(enumerator, &task)) + { + if (task->get_type(task) == TASK_AGGRESSIVE_MODE) + { + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + return found; +} + /** * handle an incoming request message */ 
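Review bot: `max_exchanges` is taken straight from `get_int()` in keymat_v1_create with no lower bound, while lookup_quick_mode and lookup_iv (the earlier hunks) do `insert_first()` and then `remove_last()` whenever `get_count() > this->max_exchanges`. If `max_ikev1_exchanges` is configured as 0 or a negative value, a list holding only the freshly inserted entry already exceeds the limit, so the entry about to be handed back is the one destroyed, a use-after-free assuming the lookups still return `found` after pruning as the pre-change code did. Clamp at creation: `.max_exchanges = max(1, lib->settings->get_int(lib->settings, "%s.max_ikev1_exchanges", MAX_EXCHANGES_DEFAULT, lib->ns)),`. The rest of keymat_v1_create is outside the hunk.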
@@ -1034,6 +1062,12 @@ static status_t process_request(private_task_manager_t *this, case ALREADY_DONE: send_response = FALSE; break; + case INVALID_ARG: + if (task->get_type(task) == TASK_QUICK_MODE) + { /* not responsible for this exchange */ + continue; + } + /* FALL */ case FAILED: default: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); @@ -1061,6 +1095,22 @@ static status_t process_request(private_task_manager_t *this, * the same message again. */ clear_packets(this->responding.packets); } + if (this->queued && + this->queued->get_exchange_type(this->queued) == INFORMATIONAL_V1) + { + message_t *queued; + status_t status; + + queued = this->queued; + this->queued = NULL; + status = this->public.task_manager.process_message( + &this->public.task_manager, queued); + queued->destroy(queued); + if (status == DESTROY_ME) + { + return status; + } + } if (this->passive_tasks->get_count(this->passive_tasks) == 0 && this->queued_tasks->get_count(this->queued_tasks) > 0) { @@ -1133,7 +1183,8 @@ static status_t process_response(private_task_manager_t *this, this->initiating.type = EXCHANGE_TYPE_UNDEFINED; clear_packets(this->initiating.packets); - if (this->queued && this->active_tasks->get_count(this->active_tasks) == 0) + if (this->queued && !this->active_tasks->get_count(this->active_tasks) && + this->queued->get_exchange_type(this->queued) == TRANSACTION) { queued = this->queued; this->queued = NULL; 
@@ -1228,6 +1279,29 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg) return status; } +/** + * Queue the given message if possible + */ +static status_t queue_message(private_task_manager_t *this, message_t *msg) +{ + if (this->queued) + { + DBG1(DBG_IKE, "ignoring %N request, queue full", + exchange_type_names, msg->get_exchange_type(msg)); + return FAILED; + } + this->queued = message_create_from_packet(msg->get_packet(msg)); + if (this->queued->parse_header(this->queued) != SUCCESS) + { + this->queued->destroy(this->queued); + this->queued = NULL; + return FAILED; + } + DBG1(DBG_IKE, "queueing %N request as tasks still active", + exchange_type_names, msg->get_exchange_type(msg)); + return SUCCESS; +} + METHOD(task_manager_t, process_message, status_t, private_task_manager_t *this, message_t *msg) { 
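Review bot: queue_message claims the single queue slot on the strength of a parsed header alone, so the `if (this->queued)` branch drops a legitimate INFORMATIONAL or TRANSACTION request as `queue full` whenever a spoofed packet carrying the right SPIs arrived first; nothing in the hunk verifies the queued packet before it takes the slot, and it appears to run before decryption and hash checking in process_message. Note also that the replaced code in the next hunk returned SUCCESS for the full-queue case and this helper returns FAILED, which any caller distinguishing the two will see. Whether `get_packet()` yields a clone or the live packet is not visible here. I would at least record the trade-off above the first `if`: `/* the slot is claimed before the message is authenticated, so a spoofed packet can make us ignore the next legitimate request */`.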
@@ -1328,25 +1402,29 @@ METHOD(task_manager_t, process_message, status_t, } } - if (msg->get_exchange_type(msg) == TRANSACTION && - this->active_tasks->get_count(this->active_tasks)) - { /* main mode not yet complete, queue XAuth/Mode config tasks */ - if (this->queued) + /* drop XAuth/Mode Config/Quick Mode messages until we received the last + * Aggressive Mode message. since Informational messages are not + * retransmitted we queue them. */ + if (have_aggressive_mode_task(this)) + { + if (msg->get_exchange_type(msg) == INFORMATIONAL_V1) { - DBG1(DBG_IKE, "ignoring additional %N request, queue full", - exchange_type_names, TRANSACTION); - return SUCCESS; + return queue_message(this, msg); } - this->queued = message_create_from_packet(msg->get_packet(msg)); - if (this->queued->parse_header(this->queued) != SUCCESS) + else if (msg->get_exchange_type(msg) != AGGRESSIVE) { - this->queued->destroy(this->queued); - this->queued = NULL; + DBG1(DBG_IKE, "ignoring %N request while phase 1 is incomplete", + exchange_type_names, msg->get_exchange_type(msg)); return FAILED; } - DBG1(DBG_IKE, "queueing %N request as tasks still active", - exchange_type_names, TRANSACTION); - return SUCCESS; + } + + /* queue XAuth/Mode Config messages unless the Main Mode exchange we + * initiated is complete */ + if (msg->get_exchange_type(msg) == TRANSACTION && + this->active_tasks->get_count(this->active_tasks)) + { + return queue_message(this, msg); } msg->set_request(msg, TRUE); @@ -1724,6 +1802,8 @@ METHOD(task_manager_t, queue_dpd, void, pow(this->retransmit_base, retransmit)); } } + /* compensate for the already elapsed dpd delay */ + t -= 1000 * peer_cfg->get_dpd(peer_cfg); /* schedule DPD timeout job */ lib->scheduler->schedule_job_ms(lib->scheduler, diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index d0994a961..a03477e18 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c 
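Review bot: `t -= 1000 * peer_cfg->get_dpd(peer_cfg);` in queue_dpd has no guard for a computed timeout smaller than the DPD delay; if `t` is the unsigned millisecond value the surrounding arithmetic suggests, a dpd_timeout configured shorter than dpd_delay wraps to a value near 2^32 ms and the timeout job is scheduled so far out that dead-peer detection is silently disabled. Guard it, e.g. `delay = 1000 * peer_cfg->get_dpd(peer_cfg); t = t > delay ? t - delay : 0;` with a local `u_int32_t delay`. The declaration of `t` and the rest of queue_dpd are outside the hunk, so the unsigned assumption needs confirming.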
@@ -482,7 +482,9 @@ static host_t *assign_migrated_vip(linked_list_t *migrated, host_t *requested) enumerator = migrated->create_enumerator(migrated); while (enumerator->enumerate(enumerator, &vip)) { - if (vip->ip_equals(vip, requested)) + if (vip->ip_equals(vip, requested) || + (requested->is_anyaddr(requested) && + requested->get_family(requested) == vip->get_family(vip))) { migrated->remove_at(migrated, enumerator); found = vip; diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c index 1b95a8b11..ade59a2dd 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_delete.c +++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c @@ -115,7 +115,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol, if (this->expired) { DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} " - "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + "with SPIs %.8x_i %.8x_o and TS %#R === %#R", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts); @@ -126,7 +126,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol, child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL); DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs " - "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R", + "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R === %#R", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in, ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out, diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index d6a3f2cd1..e7d26443b 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c 
@@ -388,7 +388,7 @@ static bool install(private_quick_mode_t *this) this->child_sa->create_ts_enumerator(this->child_sa, FALSE)); DBG0(DBG_IKE, "CHILD_SA %s{%d} established " - "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + "with SPIs %.8x_i %.8x_o and TS %#R === %#R", this->child_sa->get_name(this->child_sa), this->child_sa->get_unique_id(this->child_sa), ntohl(this->child_sa->get_spi(this->child_sa, TRUE)), @@ -1026,7 +1026,7 @@ METHOD(task_t, process_r, status_t, { if (this->mid && this->mid != message->get_message_id(message)) { /* not responsible for this quick mode exchange */ - return NEED_MORE; + return INVALID_ARG; } switch (this->state) @@ -1200,7 +1200,7 @@ METHOD(task_t, build_r, status_t, { if (this->mid && this->mid != message->get_message_id(message)) { /* not responsible for this quick mode exchange */ - return NEED_MORE; + return INVALID_ARG; } switch (this->state) diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c index a770e90ff..c0c91574c 100644 --- a/src/libcharon/sa/ikev1/tasks/xauth.c +++ b/src/libcharon/sa/ikev1/tasks/xauth.c @@ -271,7 +271,10 @@ static bool add_auth_cfg(private_xauth_t *this, identification_t *id, bool local auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_XAUTH); - auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id)); + if (id) + { + auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id)); + } auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), FALSE); this->ike_sa->add_auth_cfg(this->ike_sa, local, auth); @@ -342,7 +345,10 @@ METHOD(task_t, build_i, status_t, break; case SUCCESS: DESTROY_IF(cp); - this->status = XAUTH_OK; + if (add_auth_cfg(this, NULL, FALSE) && allowed(this)) + { + this->status = XAUTH_OK; + } this->public.task.process = _process_i_status; return build_i_status(this, message); default: diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index fce0840e3..55cb5dd9c 100644 
--- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -527,6 +527,7 @@ METHOD(keymat_v2_t, derive_child_keys, bool, case ENCR_AES_GCM_ICV12: case ENCR_AES_GCM_ICV16: case ENCR_AES_CTR: + case ENCR_CAMELLIA_CTR: case ENCR_NULL_AUTH_AES_GMAC: case ENCR_CHACHA20_POLY1305: enc_size += 4; diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index e08f3dab1..97f73d851 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -712,7 +712,7 @@ static status_t select_and_install(private_child_create_t *this, this->child_sa->create_ts_enumerator(this->child_sa, FALSE)); DBG0(DBG_IKE, "CHILD_SA %s{%d} established " - "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + "with SPIs %.8x_i %.8x_o and TS %#R === %#R", this->child_sa->get_name(this->child_sa), this->child_sa->get_unique_id(this->child_sa), ntohl(this->child_sa->get_spi(this->child_sa, TRUE)), @@ -1245,7 +1245,7 @@ METHOD(task_t, build_r, status_t, } if (this->config == NULL) { - DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable", + DBG1(DBG_IKE, "traffic selectors %#R === %#R inacceptable", this->tsr, this->tsi); charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr); message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty); diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index f0b11e291..877ae0531 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c 
@@ -266,7 +266,7 @@ static void log_children(private_child_delete_t *this) if (this->expired) { DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} " - "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + "with SPIs %.8x_i %.8x_o and TS %#R === %#R", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts); @@ -277,7 +277,7 @@ static void log_children(private_child_delete_t *this) child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL); DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs %.8x_i " - "(%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R", + "(%llu bytes) %.8x_o (%llu bytes) and TS %#R === %#R", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in, ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out, diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c index 11b0bb281..cbdc5e797 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c @@ -339,7 +339,11 @@ METHOD(ike_mobike_t, transmit, bool, { if (me->ip_equals(me, me_old)) { - charon->sender->send(charon->sender, packet->clone(packet)); + copy = packet->clone(packet); + /* hosts might have been updated by a peer's MOBIKE exchange */ + copy->set_source(copy, me_old->clone(me_old)); + copy->set_destination(copy, other_old->clone(other_old)); + charon->sender->send(charon->sender, copy); me->destroy(me); return TRUE; } diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c index 9e0eb68ce..dd34c1234 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_natd.c +++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c 
@@ -128,25 +128,6 @@ static chunk_t generate_natd_hash(private_ike_natd_t *this, return natd_hash; } -/** - * build a faked NATD payload to enforce UDP encap - */ -static chunk_t generate_natd_hash_faked(private_ike_natd_t *this) -{ - rng_t *rng; - chunk_t chunk; - - rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (!rng || !rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk)) - { - DBG1(DBG_IKE, "unable to get random bytes for NATD fake"); - DESTROY_IF(rng); - return chunk_empty; - } - rng->destroy(rng); - return chunk; -} - /** * Build a NAT detection notify payload. */ @@ -162,7 +143,14 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this, config = this->ike_sa->get_ike_cfg(this->ike_sa); if (force_encap(config) && type == NAT_DETECTION_SOURCE_IP) { - hash = generate_natd_hash_faked(this); + u_int32_t addr; + + /* chunk_hash() is randomly keyed so this produces a random IPv4 address + * that changes with every restart but otherwise stays the same */ + addr = chunk_hash(chunk_from_chars(0x00, 0x00, 0x00, 0x00)); + host = host_create_from_chunk(AF_INET, chunk_from_thing(addr), 0); + hash = generate_natd_hash(this, ike_sa_id, host); + host->destroy(host); } else { diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c index 1a984435c..5231994c8 100644 --- a/src/libcharon/sa/shunt_manager.c +++ b/src/libcharon/sa/shunt_manager.c @@ -63,9 +63,9 @@ struct private_shunt_manager_t { static bool install_shunt_policy(child_cfg_t *child) { enumerator_t *e_my_ts, *e_other_ts; - linked_list_t *my_ts_list, *other_ts_list; + linked_list_t *my_ts_list, *other_ts_list, *hosts; traffic_selector_t *my_ts, *other_ts; - host_t *host_any; + host_t *host_any, *host_any6; policy_type_t policy_type; policy_priority_t policy_prio; status_t status = SUCCESS; 
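Review bot: The fake NAT_DETECTION_SOURCE_IP hash in build_natd_payload now derives from one 32-bit `addr` fixed for the life of the process, and the comment only says it is random per restart; it should also state what the value does and does not provide. Its job is merely to differ from the hash of the real source address so the peer assumes a NAT, which `chunk_hash()` achieves except for a 2^-32 accidental match; it is not a secret, since an observer who already sees the SPIs and port in the clear can brute-force the 32-bit input of the SHA-1 and thereby recognise this daemon instance across all of its SAs. I would extend the comment with `/* the value only has to differ from our real address; it is recoverable from the hash and must not be relied on to hide anything */`. generate_natd_hash and the enclosing if/else are partly outside the hunk.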
@@ -85,9 +85,13 @@ static bool install_shunt_policy(child_cfg_t *child) return FALSE; } - my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL); - other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL); host_any = host_create_any(AF_INET); + host_any6 = host_create_any(AF_INET6); + + hosts = linked_list_create_with_items(host_any, host_any6, NULL); + my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, hosts); + other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts); + hosts->destroy(hosts); /* enumerate pairs of traffic selectors */ e_my_ts = my_ts_list->create_enumerator(my_ts_list); @@ -96,6 +100,16 @@ static bool install_shunt_policy(child_cfg_t *child) e_other_ts = other_ts_list->create_enumerator(other_ts_list); while (e_other_ts->enumerate(e_other_ts, &other_ts)) { + if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts)) + { + continue; + } + if (my_ts->get_protocol(my_ts) && + other_ts->get_protocol(other_ts) && + my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts)) + { + continue; + } /* install out policy */ status |= hydra->kernel_interface->add_policy( hydra->kernel_interface, host_any, host_any, @@ -125,6 +139,7 @@ static bool install_shunt_policy(child_cfg_t *child) offsetof(traffic_selector_t, destroy)); other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy)); + host_any6->destroy(host_any6); host_any->destroy(host_any); return status == SUCCESS; 
@@ -185,25 +200,35 @@ METHOD(shunt_manager_t, install, bool, static void uninstall_shunt_policy(child_cfg_t *child) { enumerator_t *e_my_ts, *e_other_ts; - linked_list_t *my_ts_list, *other_ts_list; + linked_list_t *my_ts_list, *other_ts_list, *hosts; traffic_selector_t *my_ts, *other_ts; + host_t *host_any, *host_any6; + policy_type_t policy_type; policy_priority_t policy_prio; status_t status = SUCCESS; + ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT }; switch (child->get_mode(child)) { case MODE_PASS: + policy_type = POLICY_PASS; policy_prio = POLICY_PRIORITY_PASS; break; case MODE_DROP: + policy_type = POLICY_DROP; policy_prio = POLICY_PRIORITY_FALLBACK; break; default: return; } - my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL); - other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL); + host_any = host_create_any(AF_INET); + host_any6 = host_create_any(AF_INET6); + + hosts = linked_list_create_with_items(host_any, host_any6, NULL); + my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, hosts); + other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, hosts); + hosts->destroy(hosts); /* enumerate pairs of traffic selectors */ e_my_ts = my_ts_list->create_enumerator(my_ts_list); 
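Review bot: `ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT };` and `policy_type` in uninstall_shunt_policy are built by hand and must match exactly what install_shunt_policy passed to add_policy, because the kernel_netlink del_policy later in this diff locates the mapping via `ipsec_sa_equals()` and `type == mapping->type` instead of by reqid; install's `sa` initializer is not in this diff, so I cannot confirm the two agree. Any drift (an extra field set on one side, or a different `host_any` family) leaves the pass/drop policy orphaned in the SPD after the shunt is removed, which for a DROP shunt is a lasting blackhole and for a PASS shunt a lasting IPsec bypass. A small static helper that both functions call to fill `policy_type`, `policy_prio` and `sa` from `child->get_mode(child)` would remove the duplication. The remainder of uninstall_shunt_policy is in the next hunk.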
@@ -212,22 +237,35 @@ static void uninstall_shunt_policy(child_cfg_t *child) e_other_ts = other_ts_list->create_enumerator(other_ts_list); while (e_other_ts->enumerate(e_other_ts, &other_ts)) { + if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts)) + { + continue; + } + if (my_ts->get_protocol(my_ts) && + other_ts->get_protocol(other_ts) && + my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts)) + { + continue; + } /* uninstall out policy */ status |= hydra->kernel_interface->del_policy( - hydra->kernel_interface, my_ts, other_ts, - POLICY_OUT, 0, child->get_mark(child, FALSE), + hydra->kernel_interface, host_any, host_any, + my_ts, other_ts, POLICY_OUT, policy_type, + &sa, child->get_mark(child, FALSE), policy_prio); /* uninstall in policy */ status |= hydra->kernel_interface->del_policy( - hydra->kernel_interface, other_ts, my_ts, - POLICY_IN, 0, child->get_mark(child, TRUE), + hydra->kernel_interface, host_any, host_any, + other_ts, my_ts, POLICY_IN, policy_type, + &sa, child->get_mark(child, TRUE), policy_prio); /* uninstall forward policy */ status |= hydra->kernel_interface->del_policy( - hydra->kernel_interface, other_ts, my_ts, - POLICY_FWD, 0, child->get_mark(child, TRUE), + hydra->kernel_interface, host_any, host_any, + other_ts, my_ts, POLICY_FWD, policy_type, + &sa, child->get_mark(child, TRUE), policy_prio); } e_other_ts->destroy(e_other_ts); @@ -238,6 +276,8 @@ static void uninstall_shunt_policy(child_cfg_t *child) offsetof(traffic_selector_t, destroy)); other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy)); + host_any6->destroy(host_any6); + host_any->destroy(host_any); if (status != SUCCESS) { diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 63505c960..90ad7e40e 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c 
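Review bot: The family/protocol pair filter at the top of the inner loop in uninstall_shunt_policy is a verbatim copy of the one added to install_shunt_policy in the earlier hunk; if either copy is later tightened without the other, install and uninstall disagree on which pairs exist and policies are leaked in the SPD. Factor it into one static predicate that both loops call, as sketched below. The `del_policy` calls themselves are unchanged apart from the new arguments.
```c
/* pair only traffic selectors of the same family and compatible protocol */
static bool shunt_ts_compatible(traffic_selector_t *my_ts,
								traffic_selector_t *other_ts)
{
	if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts))
	{
		return FALSE;
	}
	return !my_ts->get_protocol(my_ts) || !other_ts->get_protocol(other_ts) ||
		   my_ts->get_protocol(my_ts) == other_ts->get_protocol(other_ts);
}

/* … unchanged: uninstall_shunt_policy up to the inner loop … */
		while (e_other_ts->enumerate(e_other_ts, &other_ts))
		{
			if (!shunt_ts_compatible(my_ts, other_ts))
			{
				continue;
			}
			/* … unchanged: del_policy calls for OUT, IN and FWD … */
```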
@@ -211,6 +211,7 @@ METHOD(trap_manager_t, install, u_int32_t, if (this->installing == INSTALL_DISABLED) { /* flush() has been called */ this->lock->unlock(this->lock); + other->destroy(other); me->destroy(me); return 0; } @@ -235,6 +236,7 @@ METHOD(trap_manager_t, install, u_int32_t, { DBG1(DBG_CFG, "CHILD_SA '%s' is already being routed", found->name); this->lock->unlock(this->lock); + other->destroy(other); me->destroy(me); return 0; } diff --git a/src/libfast/fast_dispatcher.c b/src/libfast/fast_dispatcher.c index 4daf91905..b4c6ce3a6 100644 --- a/src/libfast/fast_dispatcher.c +++ b/src/libfast/fast_dispatcher.c @@ -383,14 +383,13 @@ METHOD(fast_dispatcher_t, waitsignal, void, private_fast_dispatcher_t *this) { sigset_t set; - int sig; sigemptyset(&set); sigaddset(&set, SIGINT); sigaddset(&set, SIGTERM); sigaddset(&set, SIGHUP); sigprocmask(SIG_BLOCK, &set, NULL); - sigwait(&set, &sig); + sigwaitinfo(&set, NULL); } METHOD(fast_dispatcher_t, destroy, void, diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk index af39f04ec..7b62e9529 100644 --- a/src/libhydra/Android.mk +++ b/src/libhydra/Android.mk @@ -20,7 +20,6 @@ LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink) # build libhydra --------------------------------------------------------------- LOCAL_C_INCLUDES += \ - $(strongswan_PATH)/src/include \ $(strongswan_PATH)/src/libstrongswan LOCAL_CFLAGS := $(strongswan_CFLAGS) diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c index ce31bd410..89e95ade9 100644 --- a/src/libhydra/kernel/kernel_interface.c +++ b/src/libhydra/kernel/kernel_interface.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2013 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG 
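Review bot: Swapping `sigwait()` for `sigwaitinfo(&set, NULL)` in waitsignal adds an early-return path the old code lacked: sigwaitinfo returns -1 with errno EINTR when a handler for a signal outside `set` interrupts it, whereas sigwait restarts internally and reports no such failure, so a stray signal now makes waitsignal return and the dispatcher shuts down as if SIGTERM had arrived. Loop on it: `while (sigwaitinfo(&set, NULL) == -1 && errno == EINTR);` (with `<errno.h>` included). I believe sigwaitinfo is also unavailable on some non-Linux targets the project builds for, which deserves a portability check, though this diff does not show the build matrix.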
@@ -509,16 +509,17 @@ METHOD(kernel_interface_t, query_policy, status_t, } METHOD(kernel_interface_t, del_policy, status_t, - private_kernel_interface_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid, + private_kernel_interface_t *this, host_t *src, host_t *dst, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, + policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark, policy_priority_t priority) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts, - direction, reqid, mark, priority); + return this->ipsec->del_policy(this->ipsec, src, dst, src_ts, dst_ts, + direction, type, sa, mark, priority); } METHOD(kernel_interface_t, flush_policies, status_t, 
@@ -738,44 +739,52 @@ METHOD(kernel_interface_t, get_address_by_ts, status_t, } -METHOD(kernel_interface_t, add_ipsec_interface, void, +METHOD(kernel_interface_t, add_ipsec_interface, bool, private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor) { if (!this->ipsec) { this->ipsec_constructor = constructor; this->ipsec = constructor(); + return this->ipsec != NULL; } + return FALSE; } -METHOD(kernel_interface_t, remove_ipsec_interface, void, +METHOD(kernel_interface_t, remove_ipsec_interface, bool, private_kernel_interface_t *this, kernel_ipsec_constructor_t constructor) { if (constructor == this->ipsec_constructor && this->ipsec) { this->ipsec->destroy(this->ipsec); this->ipsec = NULL; + return TRUE; } + return FALSE; } -METHOD(kernel_interface_t, add_net_interface, void, +METHOD(kernel_interface_t, add_net_interface, bool, private_kernel_interface_t *this, kernel_net_constructor_t constructor) { if (!this->net) { this->net_constructor = constructor; this->net = constructor(); + return this->net != NULL; } + return FALSE; } -METHOD(kernel_interface_t, remove_net_interface, void, +METHOD(kernel_interface_t, remove_net_interface, bool, private_kernel_interface_t *this, kernel_net_constructor_t constructor) { if (constructor == this->net_constructor && this->net) { this->net->destroy(this->net); this->net = NULL; + return TRUE; } + return FALSE; } METHOD(kernel_interface_t, add_listener, void, diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h index 96ce9e26d..45efe8946 100644 --- a/src/libhydra/kernel/kernel_interface.h +++ b/src/libhydra/kernel/kernel_interface.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2013 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter 
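Review bot: add_ipsec_interface and add_net_interface store the constructor pointer before running it but do not clear it when `constructor()` returns NULL, so after a failed registration `this->ipsec_constructor` names a constructor whose interface never existed while `this->ipsec` is NULL. Nothing in this hunk dereferences the stale pointer and remove_ipsec_interface guards on `this->ipsec`, so this is hygiene rather than a crash, but the manager's state should reflect that nothing is registered. Reset it on failure: `this->ipsec = constructor(); if (!this->ipsec) { this->ipsec_constructor = NULL; } return this->ipsec != NULL;` and likewise for `net_constructor` in add_net_interface.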
@@ -265,9 +265,6 @@ struct kernel_interface_t { /** * Add a policy to the SPD. * - * A policy is always associated to an SA. Traffic which matches a - * policy is handled by the SA with the same reqid. - * * @param src source address of SA * @param dst dest address of SA * @param src_ts traffic selector to match traffic source @@ -309,24 +306,24 @@ struct kernel_interface_t { /** * Remove a policy from the SPD. * - * The kernel interface implements reference counting for policies. - * If the same policy is installed multiple times (in the case of rekeying), - * the reference counter is increased. del_policy() decreases the ref counter - * and removes the policy only when no more references are available. - * + * @param src source address of SA + * @param dst dest address of SA * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_(IN|OUT|FWD) - * @param reqid unique ID of the associated SA - * @param mark optional mark + * @param type type of policy, POLICY_(IPSEC|PASS|DROP) + * @param sa details about the SA(s) tied to this policy + * @param mark mark for this policy * @param priority priority of the policy * @return SUCCESS if operation completed */ status_t (*del_policy) (kernel_interface_t *this, + host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t reqid, - mark_t mark, policy_priority_t priority); + policy_dir_t direction, policy_type_t type, + ipsec_sa_cfg_t *sa, mark_t mark, + policy_priority_t priority); /** * Flush all policies from the SPD. 
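Review bot: The new `@param sa details about the SA(s) tied to this policy` on kernel_interface_t.del_policy omits the two facts callers now depend on after the reqid parameter went away: that `src`, `dst`, `type` and `sa` are the lookup key and must equal what was passed to add_policy for the mapping to be found, and that `sa` must not be NULL, since the netlink implementation later in this diff copies `*sa` into a local without a check. Suggested wording: `@param sa details about the SA(s) tied to this policy; must not be NULL and must match the values given to add_policy() for the policy to be found`. The same sentence belongs on kernel_ipsec_t.del_policy, whose documentation is changed identically further down.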
@@ -502,39 +499,49 @@ struct kernel_interface_t { /** * Register an ipsec kernel interface constructor on the manager. * - * @param create constructor to register + * @param create constructor to register + * @return TRUE if the ipsec kernel interface was registered + * successfully, FALSE if an interface was already + * registered or the registration failed */ - void (*add_ipsec_interface)(kernel_interface_t *this, + bool (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create); /** * Unregister an ipsec kernel interface constructor. * - * @param create constructor to unregister + * @param create constructor to unregister + * @return TRUE if the ipsec kernel interface was unregistered + * successfully, FALSE otherwise */ - void (*remove_ipsec_interface)(kernel_interface_t *this, + bool (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create); /** * Register a network kernel interface constructor on the manager. * - * @param create constructor to register + * @param create constructor to register + * @return TRUE if the kernel net interface was registered + * successfully, FALSE if an interface was already + * registered or the registration failed */ - void (*add_net_interface)(kernel_interface_t *this, + bool (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create); /** * Unregister a network kernel interface constructor. * - * @param create constructor to unregister + * @param create constructor to unregister + * @return TRUE if the kernel net interface was unregistered + * successfully, FALSE otherwise */ - void (*remove_net_interface)(kernel_interface_t *this, + bool (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create); /** * Add a listener to the kernel interface. * - * @param listener listener to add + * @param listener listener to add */ void (*add_listener)(kernel_interface_t *this, kernel_listener_t *listener); 
@@ -542,7 +549,7 @@ struct kernel_interface_t { /** * Remove a listener from the kernel interface. * - * @param listener listener to remove + * @param listener listener to remove */ void (*remove_listener)(kernel_interface_t *this, kernel_listener_t *listener); diff --git a/src/libhydra/kernel/kernel_ipsec.c b/src/libhydra/kernel/kernel_ipsec.c index 1a32ab4e7..697b1b33d 100644 --- a/src/libhydra/kernel/kernel_ipsec.c +++ b/src/libhydra/kernel/kernel_ipsec.c @@ -25,13 +25,14 @@ bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature, { if (reg) { - hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, + return hydra->kernel_interface->add_ipsec_interface( + hydra->kernel_interface, (kernel_ipsec_constructor_t)data); } else { - hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, + return hydra->kernel_interface->remove_ipsec_interface( + hydra->kernel_interface, (kernel_ipsec_constructor_t)data); } - return TRUE; } diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index 19caaa400..2458db5b9 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2012 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -186,9 +186,6 @@ struct kernel_ipsec_t { /** * Add a policy to the SPD. * - * A policy is always associated to an SA. Traffic which matches a - * policy is handled by the SA with the same reqid. - * * @param src source address of SA * @param dst dest address of SA * @param src_ts traffic selector to match traffic source 
@@ -231,24 +228,24 @@ struct kernel_ipsec_t { /** * Remove a policy from the SPD. * - * The kernel interface implements reference counting for policies. - * If the same policy is installed multiple times (in the case of rekeying), - * the reference counter is increased. del_policy() decreases the ref counter - * and removes the policy only when no more references are available. - * + * @param src source address of SA + * @param dst dest address of SA * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_(IN|OUT|FWD) - * @param reqid unique ID of the associated SA - * @param mark optional mark + * @param type type of policy, POLICY_(IPSEC|PASS|DROP) + * @param sa details about the SA(s) tied to this policy + * @param mark mark for this policy * @param priority priority of the policy * @return SUCCESS if operation completed */ status_t (*del_policy) (kernel_ipsec_t *this, + host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t reqid, - mark_t mark, policy_priority_t priority); + policy_dir_t direction, policy_type_t type, + ipsec_sa_cfg_t *sa, mark_t mark, + policy_priority_t priority); /** * Flush all policies from the SPD. diff --git a/src/libhydra/kernel/kernel_net.c b/src/libhydra/kernel/kernel_net.c index 0841ed803..07d8b2999 100644 --- a/src/libhydra/kernel/kernel_net.c +++ b/src/libhydra/kernel/kernel_net.c 
@@ -25,13 +25,14 @@ bool kernel_net_register(plugin_t *plugin, plugin_feature_t *feature, { if (reg) { - hydra->kernel_interface->add_net_interface(hydra->kernel_interface, + return hydra->kernel_interface->add_net_interface( + hydra->kernel_interface, (kernel_net_constructor_t)data); } else { - hydra->kernel_interface->remove_net_interface(hydra->kernel_interface, + return hydra->kernel_interface->remove_net_interface( + hydra->kernel_interface, (kernel_net_constructor_t)data); } - return TRUE; } diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 605476ef1..8c506d9f4 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2013 Tobias Brunner + * Copyright (C) 2006-2015 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2008 Andreas Steffen * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser @@ -317,11 +317,6 @@ struct private_kernel_netlink_ipsec_t { */ bool proto_port_transport; - /** - * Whether to track the history of a policy - */ - bool policy_history; - /** * Whether to always use UPDATE to install policies */ @@ -2140,7 +2135,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, { continue; } - tmpl->reqid = policy->reqid; + tmpl->reqid = ipsec->cfg.reqid; tmpl->id.proto = protos[i].proto; tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; tmpl->mode = mode2kernel(proto_mode); @@ -2322,7 +2317,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, current = this->policies->get(this->policies, policy); if (current) { - if (current->reqid != sa->reqid) + if (current->reqid && sa->reqid && current->reqid != sa->reqid) { DBG1(DBG_CFG, "unable to install policy %R === %R %N (mark " "%u/0x%08x) for reqid %u, the same policy for reqid %u exists", 
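Review bot: The relaxed conflict check `if (current->reqid && sa->reqid && current->reqid != sa->reqid)` in add_policy lets an entry created with reqid 0 (a shunt, judging by the shunt_manager changes in this diff) be shared by an IPsec SA with a real reqid, but the hunk does not show `current->reqid` being updated to that reqid afterwards. If it stays 0, a further SA with a different reqid for the same selectors also passes the check and the `the same policy for reqid %u exists` diagnostic never fires for that entry, so the reqid-conflict protection is lost once a shunt owned the policy first. If the update happens further down in add_policy it is outside this hunk; otherwise `if (!current->reqid) { current->reqid = sa->reqid; }` after the check restores the guarantee. The body of add_policy continues outside the hunk.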
@@ -2352,26 +2347,19 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 dst_ts, mark, sa);
 assigned_sa->priority = get_priority(policy, priority);

- if (this->policy_history)
- { /* insert the SA according to its priority */
- enumerator = policy->used_by->create_enumerator(policy->used_by);
- while (enumerator->enumerate(enumerator, (void**)¤t_sa))
+ /* insert the SA according to its priority */
+ enumerator = policy->used_by->create_enumerator(policy->used_by);
+ while (enumerator->enumerate(enumerator, (void**)¤t_sa))
+ {
+ if (current_sa->priority >= assigned_sa->priority)
 {
- if (current_sa->priority >= assigned_sa->priority)
- {
- break;
- }
- update = FALSE;
+ break;
 }
- policy->used_by->insert_before(policy->used_by, enumerator,
- assigned_sa);
- enumerator->destroy(enumerator);
- }
- else
- { /* simply insert it last and only update if it is not installed yet */
- policy->used_by->insert_last(policy->used_by, assigned_sa);
- update = !found;
+ update = FALSE;
 }
+ policy->used_by->insert_before(policy->used_by, enumerator,
+ assigned_sa);
+ enumerator->destroy(enumerator);

 if (!update)
 { /* we don't update the policy if the priority is lower than that of
@@ -2482,8 +2470,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 }

 METHOD(kernel_ipsec_t, del_policy, status_t,
- private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+ private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+ policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
 mark_t mark, policy_priority_t prio)
 {
 policy_entry_t *current, policy;
@@ -2494,6 +2483,12 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 struct xfrm_userpolicy_id *policy_id;
 bool is_installed = TRUE;
 u_int32_t priority;
+ ipsec_sa_t assigned_sa = {
+ .src = src,
+ .dst = dst,
+ .mark = mark,
+ .cfg = *sa,
+ };

 DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%08x)",
 src_ts, dst_ts, policy_dir_names, direction,
@@ -2508,7 +2503,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 /* find the policy */
 this->mutex->lock(this->mutex);
 current = this->policies->get(this->policies, &policy);
- if (!current || current->reqid != reqid)
+ if (!current)
 {
 if (mark.value)
 {
@@ -2525,28 +2520,21 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 return NOT_FOUND;
 }

- if (this->policy_history)
- { /* remove mapping to SA by reqid and priority */
- priority = get_priority(current, prio);
- enumerator = current->used_by->create_enumerator(current->used_by);
- while (enumerator->enumerate(enumerator, (void**)&mapping))
+ /* remove mapping to SA by reqid and priority */
+ priority = get_priority(current, prio);
+ enumerator = current->used_by->create_enumerator(current->used_by);
+ while (enumerator->enumerate(enumerator, (void**)&mapping))
+ {
+ if (priority == mapping->priority && type == mapping->type &&
+ ipsec_sa_equals(mapping->sa, &assigned_sa))
 {
- if (priority == mapping->priority)
- {
- current->used_by->remove_at(current->used_by, enumerator);
- policy_sa_destroy(mapping, &direction, this);
- break;
- }
- is_installed = FALSE;
+ current->used_by->remove_at(current->used_by, enumerator);
+ policy_sa_destroy(mapping, &direction, this);
+ break;
 }
- enumerator->destroy(enumerator);
- }
- else
- { /* remove one of the SAs but don't update the policy */
- current->used_by->remove_last(current->used_by, (void**)&mapping);
- policy_sa_destroy(mapping, &direction, this);
 is_installed = FALSE;
 }
+ enumerator->destroy(enumerator);

 if (current->used_by->get_count(current->used_by) > 0)
 { /* policy is used by more SAs, keep in kernel */
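Review bot: `.cfg = *sa` in the new `assigned_sa` initializer dereferences `sa` before the policy lookup, so a NULL argument crashes del_policy instead of letting it return an error status; the pfkey del_policy on the next hunk line has the same initializer. If NULL is never legitimate, a guard such as `if (!sa) { return NOT_FOUND; }` ahead of the initializer (or a non-NULL statement in the kernel_ipsec.h contract) makes that explicit rather than implicit. The retained comment `/* remove mapping to SA by reqid and priority */` is now stale, since the loop matches on `priority`, `type` and `ipsec_sa_equals(mapping->sa, &assigned_sa)`; suggest `/* remove mapping to SA by type, priority and SA identity */`. del_policy starts and ends outside these hunks.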
@@ -2915,7 +2903,6 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 (hashtable_equals_t)ipsec_sa_equals, 32),
 .bypass = array_create(sizeof(bypass_t), 0),
 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
- .policy_history = TRUE,
 .policy_update = lib->settings->get_bool(lib->settings,
 "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns),
 .install_routes = lib->settings->get_bool(lib->settings,
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 5027e1759..c67366b86 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
 * Copyright (C) 2008 Andreas Steffen
 * Hochschule fuer Technik Rapperswil
 *
@@ -843,7 +843,9 @@ static kernel_algorithm_t encryption_algs[] = {
 /* {ENCR_DES_IV32, 0 }, */
 {ENCR_NULL, SADB_EALG_NULL },
 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
-/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
+#ifdef SADB_X_EALG_AESCTR
+ {ENCR_AES_CTR, SADB_X_EALG_AESCTR },
+#endif
 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
@@ -2689,8 +2691,9 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 }

 METHOD(kernel_ipsec_t, del_policy, status_t,
- private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
+ private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+ policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
 mark_t mark, policy_priority_t prio)
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
@@ -2702,6 +2705,11 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 bool first = TRUE, is_installed = TRUE;
 u_int32_t priority;
 size_t len;
+ ipsec_sa_t assigned_sa = {
+ .src = src,
+ .dst = dst,
+ .cfg = *sa,
+ };

 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
 { /* FWD policies are not supported on all platforms */
@@ -2735,7 +2743,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 enumerator = policy->used_by->create_enumerator(policy->used_by);
 while (enumerator->enumerate(enumerator, (void**)&mapping))
 {
- if (reqid == mapping->sa->cfg.reqid && priority == mapping->priority)
+ if (priority == mapping->priority &&
+ ipsec_sa_equals(mapping->sa, &assigned_sa))
 {
 to_remove = mapping;
 is_installed = first;
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index ff6191117..9162e3f87 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -388,6 +388,30 @@ INSERT INTO products ( /* 65 */
 'Debian 7.8 armv7l'
 );

+INSERT INTO products ( /* 66 */
+ name
+) VALUES (
+ 'Debian 7.9 i686'
+);
+
+INSERT INTO products ( /* 67 */
+ name
+) VALUES (
+ 'Debian 7.9 x86_64'
+);
+
+INSERT INTO products ( /* 68 */
+ name
+) VALUES (
+ 'Debian 7.9 armv6l'
+);
+
+INSERT INTO products ( /* 69 */
+ name
+) VALUES (
+ 'Debian 7.9 armv7l'
+);
+
 /* Directories */

 INSERT INTO directories ( /* 1 */
@@ -886,6 +910,12 @@ INSERT INTO groups_product_defaults (
 4, 58
 );

+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 4, 66
+);
+
 INSERT INTO groups_product_defaults (
 group_id, product_id
 ) VALUES (
@@ -952,6 +982,12 @@ INSERT INTO groups_product_defaults (
 5, 59
 );

+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 5, 67
+);
+
 INSERT INTO groups_product_defaults (
 group_id, product_id
 ) VALUES (
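Review bot: The pfkey match `priority == mapping->priority && ipsec_sa_equals(mapping->sa, &assigned_sa)` omits the `type == mapping->type` test that the netlink del_policy in this same commit adds, so on PF_KEY a non-IPSEC policy and an IPSEC policy with identical selectors, priority and SA details would be indistinguishable at removal time; if the pfkey mapping structure carries no type field this may be deliberate, but that cannot be seen from the hunk. The initializer also leaves `.mark` unset whereas netlink sets `.mark = mark`; presumably PF_KEY has no mark support, in which case a one-line comment `/* PF_KEY has no mark support, mark stays zero */` above `ipsec_sa_t assigned_sa = {` would pre-empt the question. del_policy starts and ends outside these hunks.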
@@ -1198,12 +1234,24 @@ INSERT INTO groups_product_defaults (
 14, 60
 );

+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 14, 68
+);
+
 INSERT INTO groups_product_defaults (
 group_id, product_id
 ) VALUES (
 15, 65
 );

+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 15, 69
+);
+
 /* Policies */

 INSERT INTO policies ( /* 1 */
diff --git a/src/libipsec/Android.mk b/src/libipsec/Android.mk
index c5d987977..dffed94f0 100644
--- a/src/libipsec/Android.mk
+++ b/src/libipsec/Android.mk
@@ -20,7 +20,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(libipsec_la_SOURCES))
 # build libipsec ---------------------------------------------------------------

 LOCAL_C_INCLUDES += \
- $(strongswan_PATH)/src/include \
 $(strongswan_PATH)/src/libstrongswan

 LOCAL_CFLAGS := $(strongswan_CFLAGS)
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index b742d1576..2b003e390 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -247,7 +247,19 @@ static bool create_traditional(private_esp_context_t *this, int enc_alg,
 signer_t *signer = NULL;
 iv_gen_t *ivg;

- crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_key.len);
+ switch (enc_alg)
+ {
+ case ENCR_AES_CTR:
+ case ENCR_CAMELLIA_CTR:
+ /* the key includes a 4 byte salt */
+ crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
+ enc_key.len - 4);
+ break;
+ default:
+ crypter = lib->crypto->create_crypter(lib->crypto, enc_alg,
+ enc_key.len);
+ break;
+ }
 if (!crypter)
 {
 DBG1(DBG_ESP, "failed to create ESP context: unsupported encryption "
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index d019d96e1..db3da8e15 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
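Review bot: `enc_key.len - 4` in the new CTR branch of create_traditional is an unsigned subtraction with no lower bound on the key length, so a key shorter than four bytes wraps to a huge size instead of failing on its own terms; create_crypter would most likely reject such a size, but the intent is clearer with an explicit check before the switch, e.g. `if (enc_key.len < 4) { return FALSE; }` with a DBG1 in the same style as the `if (!crypter)` failure path below. The comment `/* the key includes a 4 byte salt */` would also help readers if it said where the trailing salt bytes are consumed, since that happens past the end of the hunk. create_traditional continues outside the hunk.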
@@ -15,6 +15,7 @@ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \ crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \ crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \ +crypto/iv/iv_gen_null.c \ crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ @@ -116,8 +117,7 @@ LOCAL_SRC_FILES += $(call add_plugin, xcbc) # build libstrongswan ---------------------------------------------------------- -LOCAL_CFLAGS := $(strongswan_CFLAGS) \ - -include $(LOCAL_PATH)/AndroidConfigLocal.h +LOCAL_CFLAGS := $(strongswan_CFLAGS) LOCAL_MODULE := libstrongswan diff --git a/src/libstrongswan/AndroidConfigLocal.h b/src/libstrongswan/AndroidConfigLocal.h deleted file mode 100644 index ae0e60633..000000000 --- a/src/libstrongswan/AndroidConfigLocal.h +++ /dev/null @@ -1,22 +0,0 @@ -/* - * Copyright (C) 2010 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/* stuff defined in AndroidConfig.h, which is included using the -include - * command-line option, thus cannot be undefined using -U CFLAGS options. - * the reason we have to undefine these flags in the first place, is that - * AndroidConfig.h defines them as 0, which in turn means that they are - * actually defined. */ - -#undef HAVE_BACKTRACE 
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index adf3687ae..ed3b85dd4 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -13,6 +13,7 @@ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \ crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \ crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \ +crypto/iv/iv_gen_null.c \ crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ @@ -72,7 +73,7 @@ crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \ crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \ crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \ -crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \ +crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/iv/iv_gen_null.h \ crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \ credentials/credential_factory.h credentials/builder.h \ credentials/cred_encoding.h credentials/keys/private_key.h \ @@ -109,7 +110,7 @@ utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \ utils/cpu_feature.h utils/leak_detective.h utils/printf_hook/printf_hook.h \ utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \ utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \ -utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h \ +utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h utils/compat/android.h \ utils/utils/atomics.h utils/utils/types.h utils/utils/byteorder.h \ utils/utils/string.h utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \ utils/utils/status.h utils/utils/object.h utils/utils/time.h utils/utils/align.h 
@@ -190,7 +191,7 @@ endif EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords_static.txt \ -Android.mk AndroidConfigLocal.h +Android.mk BUILT_SOURCES = \ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ @@ -288,6 +289,13 @@ if MONOLITHIC endif endif +if USE_SHA3 + SUBDIRS += plugins/sha3 +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/sha3/libstrongswan-sha3.la +endif +endif + if USE_GMP SUBDIRS += plugins/gmp if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 9598c8b51..284960f5c 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in 
@@ -131,93 +131,95 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_33 = plugins/sha1/libstrongswan-sha1.la @USE_SHA2_TRUE@am__append_34 = plugins/sha2 @MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_35 = plugins/sha2/libstrongswan-sha2.la -@USE_GMP_TRUE@am__append_36 = plugins/gmp -@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_37 = plugins/gmp/libstrongswan-gmp.la -@USE_RDRAND_TRUE@am__append_38 = plugins/rdrand -@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_39 = plugins/rdrand/libstrongswan-rdrand.la -@USE_AESNI_TRUE@am__append_40 = plugins/aesni -@MONOLITHIC_TRUE@@USE_AESNI_TRUE@am__append_41 = plugins/aesni/libstrongswan-aesni.la -@USE_RANDOM_TRUE@am__append_42 = plugins/random -@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_43 = plugins/random/libstrongswan-random.la -@USE_NONCE_TRUE@am__append_44 = plugins/nonce -@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_45 = plugins/nonce/libstrongswan-nonce.la -@USE_HMAC_TRUE@am__append_46 = plugins/hmac -@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_47 = plugins/hmac/libstrongswan-hmac.la -@USE_CMAC_TRUE@am__append_48 = plugins/cmac -@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_49 = plugins/cmac/libstrongswan-cmac.la -@USE_XCBC_TRUE@am__append_50 = plugins/xcbc -@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_51 = plugins/xcbc/libstrongswan-xcbc.la -@USE_X509_TRUE@am__append_52 = plugins/x509 -@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_53 = plugins/x509/libstrongswan-x509.la -@USE_REVOCATION_TRUE@am__append_54 = plugins/revocation -@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_55 = plugins/revocation/libstrongswan-revocation.la -@USE_CONSTRAINTS_TRUE@am__append_56 = plugins/constraints -@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_57 = plugins/constraints/libstrongswan-constraints.la -@USE_ACERT_TRUE@am__append_58 = plugins/acert -@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_59 = plugins/acert/libstrongswan-acert.la -@USE_PUBKEY_TRUE@am__append_60 = plugins/pubkey -@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_61 = 
plugins/pubkey/libstrongswan-pubkey.la -@USE_PKCS1_TRUE@am__append_62 = plugins/pkcs1 -@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_63 = plugins/pkcs1/libstrongswan-pkcs1.la -@USE_PKCS7_TRUE@am__append_64 = plugins/pkcs7 -@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_65 = plugins/pkcs7/libstrongswan-pkcs7.la -@USE_PKCS8_TRUE@am__append_66 = plugins/pkcs8 -@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_67 = plugins/pkcs8/libstrongswan-pkcs8.la -@USE_PKCS12_TRUE@am__append_68 = plugins/pkcs12 -@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_69 = plugins/pkcs12/libstrongswan-pkcs12.la -@USE_PGP_TRUE@am__append_70 = plugins/pgp -@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_71 = plugins/pgp/libstrongswan-pgp.la -@USE_DNSKEY_TRUE@am__append_72 = plugins/dnskey -@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_73 = plugins/dnskey/libstrongswan-dnskey.la -@USE_SSHKEY_TRUE@am__append_74 = plugins/sshkey -@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_75 = plugins/sshkey/libstrongswan-sshkey.la -@USE_PEM_TRUE@am__append_76 = plugins/pem -@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_77 = plugins/pem/libstrongswan-pem.la -@USE_CURL_TRUE@am__append_78 = plugins/curl -@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_79 = plugins/curl/libstrongswan-curl.la -@USE_FILES_TRUE@am__append_80 = plugins/files -@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_81 = plugins/files/libstrongswan-files.la -@USE_WINHTTP_TRUE@am__append_82 = plugins/winhttp -@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_83 = plugins/winhttp/libstrongswan-winhttp.la -@USE_UNBOUND_TRUE@am__append_84 = plugins/unbound -@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_85 = plugins/unbound/libstrongswan-unbound.la -@USE_SOUP_TRUE@am__append_86 = plugins/soup -@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_87 = plugins/soup/libstrongswan-soup.la -@USE_LDAP_TRUE@am__append_88 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_89 = plugins/ldap/libstrongswan-ldap.la -@USE_MYSQL_TRUE@am__append_90 = plugins/mysql 
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_91 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_92 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_93 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_94 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_95 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_96 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_97 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_98 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_99 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_100 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_101 = plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_102 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_103 = plugins/agent/libstrongswan-agent.la -@USE_KEYCHAIN_TRUE@am__append_104 = plugins/keychain -@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_105 = plugins/keychain/libstrongswan-keychain.la -@USE_PKCS11_TRUE@am__append_106 = plugins/pkcs11 -@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_107 = plugins/pkcs11/libstrongswan-pkcs11.la -@USE_CHAPOLY_TRUE@am__append_108 = plugins/chapoly -@MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE@am__append_109 = plugins/chapoly/libstrongswan-chapoly.la -@USE_CTR_TRUE@am__append_110 = plugins/ctr -@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_111 = plugins/ctr/libstrongswan-ctr.la -@USE_CCM_TRUE@am__append_112 = plugins/ccm -@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_113 = plugins/ccm/libstrongswan-ccm.la -@USE_GCM_TRUE@am__append_114 = plugins/gcm -@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_115 = plugins/gcm/libstrongswan-gcm.la -@USE_NTRU_TRUE@am__append_116 = plugins/ntru -@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_117 = plugins/ntru/libstrongswan-ntru.la -@USE_BLISS_TRUE@am__append_118 = plugins/bliss -@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_119 = 
plugins/bliss/libstrongswan-bliss.la -@USE_TEST_VECTORS_TRUE@am__append_120 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_121 = plugins/test_vectors/libstrongswan-test-vectors.la -@USE_BLISS_TRUE@am__append_122 = plugins/bliss/tests +@USE_SHA3_TRUE@am__append_36 = plugins/sha3 +@MONOLITHIC_TRUE@@USE_SHA3_TRUE@am__append_37 = plugins/sha3/libstrongswan-sha3.la +@USE_GMP_TRUE@am__append_38 = plugins/gmp +@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_39 = plugins/gmp/libstrongswan-gmp.la +@USE_RDRAND_TRUE@am__append_40 = plugins/rdrand +@MONOLITHIC_TRUE@@USE_RDRAND_TRUE@am__append_41 = plugins/rdrand/libstrongswan-rdrand.la +@USE_AESNI_TRUE@am__append_42 = plugins/aesni +@MONOLITHIC_TRUE@@USE_AESNI_TRUE@am__append_43 = plugins/aesni/libstrongswan-aesni.la +@USE_RANDOM_TRUE@am__append_44 = plugins/random +@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_45 = plugins/random/libstrongswan-random.la +@USE_NONCE_TRUE@am__append_46 = plugins/nonce +@MONOLITHIC_TRUE@@USE_NONCE_TRUE@am__append_47 = plugins/nonce/libstrongswan-nonce.la +@USE_HMAC_TRUE@am__append_48 = plugins/hmac +@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_49 = plugins/hmac/libstrongswan-hmac.la +@USE_CMAC_TRUE@am__append_50 = plugins/cmac +@MONOLITHIC_TRUE@@USE_CMAC_TRUE@am__append_51 = plugins/cmac/libstrongswan-cmac.la +@USE_XCBC_TRUE@am__append_52 = plugins/xcbc +@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_53 = plugins/xcbc/libstrongswan-xcbc.la +@USE_X509_TRUE@am__append_54 = plugins/x509 +@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_55 = plugins/x509/libstrongswan-x509.la +@USE_REVOCATION_TRUE@am__append_56 = plugins/revocation +@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_57 = plugins/revocation/libstrongswan-revocation.la +@USE_CONSTRAINTS_TRUE@am__append_58 = plugins/constraints +@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_59 = plugins/constraints/libstrongswan-constraints.la +@USE_ACERT_TRUE@am__append_60 = plugins/acert +@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_61 = 
plugins/acert/libstrongswan-acert.la +@USE_PUBKEY_TRUE@am__append_62 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_63 = plugins/pubkey/libstrongswan-pubkey.la +@USE_PKCS1_TRUE@am__append_64 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_65 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PKCS7_TRUE@am__append_66 = plugins/pkcs7 +@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_67 = plugins/pkcs7/libstrongswan-pkcs7.la +@USE_PKCS8_TRUE@am__append_68 = plugins/pkcs8 +@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_69 = plugins/pkcs8/libstrongswan-pkcs8.la +@USE_PKCS12_TRUE@am__append_70 = plugins/pkcs12 +@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_71 = plugins/pkcs12/libstrongswan-pkcs12.la +@USE_PGP_TRUE@am__append_72 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_73 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_74 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_75 = plugins/dnskey/libstrongswan-dnskey.la +@USE_SSHKEY_TRUE@am__append_76 = plugins/sshkey +@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_77 = plugins/sshkey/libstrongswan-sshkey.la +@USE_PEM_TRUE@am__append_78 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_79 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_80 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_81 = plugins/curl/libstrongswan-curl.la +@USE_FILES_TRUE@am__append_82 = plugins/files +@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_83 = plugins/files/libstrongswan-files.la +@USE_WINHTTP_TRUE@am__append_84 = plugins/winhttp +@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_85 = plugins/winhttp/libstrongswan-winhttp.la +@USE_UNBOUND_TRUE@am__append_86 = plugins/unbound +@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_87 = plugins/unbound/libstrongswan-unbound.la +@USE_SOUP_TRUE@am__append_88 = plugins/soup +@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_89 = plugins/soup/libstrongswan-soup.la +@USE_LDAP_TRUE@am__append_90 = plugins/ldap 
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_91 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_92 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_93 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_94 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_95 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_96 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_97 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_98 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_99 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_100 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_101 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_102 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_103 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_104 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_105 = plugins/agent/libstrongswan-agent.la +@USE_KEYCHAIN_TRUE@am__append_106 = plugins/keychain +@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_107 = plugins/keychain/libstrongswan-keychain.la +@USE_PKCS11_TRUE@am__append_108 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_109 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CHAPOLY_TRUE@am__append_110 = plugins/chapoly +@MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE@am__append_111 = plugins/chapoly/libstrongswan-chapoly.la +@USE_CTR_TRUE@am__append_112 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_113 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_114 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_115 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_116 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_117 = plugins/gcm/libstrongswan-gcm.la +@USE_NTRU_TRUE@am__append_118 = plugins/ntru +@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_119 = 
plugins/ntru/libstrongswan-ntru.la +@USE_BLISS_TRUE@am__append_120 = plugins/bliss +@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_121 = plugins/bliss/libstrongswan-bliss.la +@USE_TEST_VECTORS_TRUE@am__append_122 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_123 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_BLISS_TRUE@am__append_124 = plugins/bliss/tests subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ settings/settings_parser.h settings/settings_parser.c \ @@ -297,7 +299,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_101) $(am__append_103) $(am__append_105) \ $(am__append_107) $(am__append_109) $(am__append_111) \ $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) $(am__append_121) + $(am__append_119) $(am__append_121) $(am__append_123) am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \ bio/bio_writer.c collections/blocking_queue.c \ @@ -312,11 +314,11 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c \ crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \ crypto/transform.c crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c \ - crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \ - crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \ - credentials/builder.c credentials/cred_encoding.c \ - credentials/keys/private_key.c credentials/keys/public_key.c \ - credentials/keys/shared_key.c \ + crypto/iv/iv_gen_seq.c crypto/iv/iv_gen_null.c \ + crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ + credentials/credential_factory.c credentials/builder.c \ + credentials/cred_encoding.c credentials/keys/private_key.c \ + credentials/keys/public_key.c credentials/keys/shared_key.c \ credentials/certificates/certificate.c \ credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ 
@@ -397,7 +399,8 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ crypto/crypto_tester.lo crypto/diffie_hellman.lo \ crypto/aead.lo crypto/transform.lo crypto/iv/iv_gen.lo \ crypto/iv/iv_gen_rand.lo crypto/iv/iv_gen_seq.lo \ - crypto/mgf1/mgf1.lo crypto/mgf1/mgf1_bitspender.lo \ + crypto/iv/iv_gen_null.lo crypto/mgf1/mgf1.lo \ + crypto/mgf1/mgf1_bitspender.lo \ credentials/credential_factory.lo credentials/builder.lo \ credentials/cred_encoding.lo credentials/keys/private_key.lo \ credentials/keys/public_key.lo credentials/keys/shared_key.lo \ @@ -524,10 +527,11 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ crypto/crypto_tester.h crypto/diffie_hellman.h crypto/aead.h \ crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \ crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \ - crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \ - credentials/credential_factory.h credentials/builder.h \ - credentials/cred_encoding.h credentials/keys/private_key.h \ - credentials/keys/public_key.h credentials/keys/shared_key.h \ + crypto/iv/iv_gen_null.h crypto/mgf1/mgf1.h \ + crypto/mgf1/mgf1_bitspender.h credentials/credential_factory.h \ + credentials/builder.h credentials/cred_encoding.h \ + credentials/keys/private_key.h credentials/keys/public_key.h \ + credentials/keys/shared_key.h \ credentials/certificates/certificate.h \ credentials/certificates/x509.h credentials/certificates/ac.h \ credentials/certificates/crl.h \ 
@@ -574,7 +578,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ utils/printf_hook/printf_hook_builtin.h utils/parser_helper.h \ utils/test.h utils/integrity_checker.h utils/process.h \ utils/utils/strerror.h utils/compat/windows.h \ - utils/compat/apple.h utils/utils/atomics.h utils/utils/types.h \ + utils/compat/apple.h utils/compat/android.h \ + utils/utils/atomics.h utils/utils/types.h \ utils/utils/byteorder.h utils/utils/string.h \ utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \ utils/utils/status.h utils/utils/object.h utils/utils/time.h \ 
@@ -609,18 +614,19 @@ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \ plugins/blowfish plugins/rc2 plugins/md4 plugins/md5 \ - plugins/sha1 plugins/sha2 plugins/gmp plugins/rdrand \ - plugins/aesni plugins/random plugins/nonce plugins/hmac \ - plugins/cmac plugins/xcbc plugins/x509 plugins/revocation \ - plugins/constraints plugins/acert plugins/pubkey plugins/pkcs1 \ - plugins/pkcs7 plugins/pkcs8 plugins/pkcs12 plugins/pgp \ - plugins/dnskey plugins/sshkey plugins/pem plugins/curl \ - plugins/files plugins/winhttp plugins/unbound plugins/soup \ - plugins/ldap plugins/mysql plugins/sqlite plugins/padlock \ - plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \ - plugins/keychain plugins/pkcs11 plugins/chapoly plugins/ctr \ - plugins/ccm plugins/gcm plugins/ntru plugins/bliss \ - plugins/test_vectors tests plugins/bliss/tests + plugins/sha1 plugins/sha2 plugins/sha3 plugins/gmp \ + plugins/rdrand plugins/aesni plugins/random plugins/nonce \ + plugins/hmac plugins/cmac plugins/xcbc plugins/x509 \ + plugins/revocation plugins/constraints plugins/acert \ + plugins/pubkey plugins/pkcs1 plugins/pkcs7 plugins/pkcs8 \ + plugins/pkcs12 plugins/pgp plugins/dnskey plugins/sshkey \ + plugins/pem plugins/curl plugins/files plugins/winhttp \ + plugins/unbound plugins/soup plugins/ldap plugins/mysql \ + plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \ + plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \ + plugins/chapoly plugins/ctr plugins/ccm plugins/gcm \ + plugins/ntru plugins/bliss plugins/test_vectors tests \ + plugins/bliss/tests DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ 
@@ -886,11 +892,11 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ crypto/signers/mac_signer.c crypto/crypto_factory.c \ crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \ crypto/transform.c crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c \ - crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \ - crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \ - credentials/builder.c credentials/cred_encoding.c \ - credentials/keys/private_key.c credentials/keys/public_key.c \ - credentials/keys/shared_key.c \ + crypto/iv/iv_gen_seq.c crypto/iv/iv_gen_null.c \ + crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \ + credentials/credential_factory.c credentials/builder.c \ + credentials/cred_encoding.c credentials/keys/private_key.c \ + credentials/keys/public_key.c credentials/keys/shared_key.c \ credentials/certificates/certificate.c \ credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ @@ -945,7 +951,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \ @USE_DEV_HEADERS_TRUE@crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \ @USE_DEV_HEADERS_TRUE@crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \ -@USE_DEV_HEADERS_TRUE@crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \ +@USE_DEV_HEADERS_TRUE@crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/iv/iv_gen_null.h \ @USE_DEV_HEADERS_TRUE@crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \ @USE_DEV_HEADERS_TRUE@credentials/credential_factory.h credentials/builder.h \ @USE_DEV_HEADERS_TRUE@credentials/cred_encoding.h credentials/keys/private_key.h \ 
@@ -982,7 +988,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@utils/cpu_feature.h utils/leak_detective.h utils/printf_hook/printf_hook.h \ @USE_DEV_HEADERS_TRUE@utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \ @USE_DEV_HEADERS_TRUE@utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \ -@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h \ +@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h utils/compat/android.h \ @USE_DEV_HEADERS_TRUE@utils/utils/atomics.h utils/utils/types.h utils/utils/byteorder.h \ @USE_DEV_HEADERS_TRUE@utils/utils/string.h utils/utils/memory.h utils/utils/tty.h utils/utils/path.h \ @USE_DEV_HEADERS_TRUE@utils/utils/status.h utils/utils/object.h utils/utils/time.h utils/utils/align.h @@ -1007,7 +1013,7 @@ libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \ $(am__append_101) $(am__append_103) $(am__append_105) \ $(am__append_107) $(am__append_109) $(am__append_111) \ $(am__append_113) $(am__append_115) $(am__append_117) \ - $(am__append_119) $(am__append_121) + $(am__append_119) $(am__append_121) $(am__append_123) AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \ -DPLUGINDIR=\"${plugindir}\" \ @@ -1023,7 +1029,7 @@ AM_YFLAGS = -v -d EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords_static.txt \ -Android.mk AndroidConfigLocal.h +Android.mk BUILT_SOURCES = \ $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h \ 
@@ -1059,8 +1065,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_FALSE@ $(am__append_106) $(am__append_108) \ @MONOLITHIC_FALSE@ $(am__append_110) $(am__append_112) \ @MONOLITHIC_FALSE@ $(am__append_114) $(am__append_116) \ -@MONOLITHIC_FALSE@ $(am__append_118) $(am__append_120) tests \ -@MONOLITHIC_FALSE@ $(am__append_122) +@MONOLITHIC_FALSE@ $(am__append_118) $(am__append_120) \ +@MONOLITHIC_FALSE@ $(am__append_122) tests $(am__append_124) # build plugins with their own Makefile ####################################### @@ -1089,8 +1095,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_TRUE@ $(am__append_106) $(am__append_108) \ @MONOLITHIC_TRUE@ $(am__append_110) $(am__append_112) \ @MONOLITHIC_TRUE@ $(am__append_114) $(am__append_116) \ -@MONOLITHIC_TRUE@ $(am__append_118) $(am__append_120) . tests \ -@MONOLITHIC_TRUE@ $(am__append_122) +@MONOLITHIC_TRUE@ $(am__append_118) $(am__append_120) \ +@MONOLITHIC_TRUE@ $(am__append_122) . tests $(am__append_124) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -1284,6 +1290,8 @@ crypto/iv/iv_gen_rand.lo: crypto/iv/$(am__dirstamp) \ crypto/iv/$(DEPDIR)/$(am__dirstamp) crypto/iv/iv_gen_seq.lo: crypto/iv/$(am__dirstamp) \ crypto/iv/$(DEPDIR)/$(am__dirstamp) +crypto/iv/iv_gen_null.lo: crypto/iv/$(am__dirstamp) \ + crypto/iv/$(DEPDIR)/$(am__dirstamp) crypto/mgf1/$(am__dirstamp): @$(MKDIR_P) crypto/mgf1 @: > crypto/mgf1/$(am__dirstamp) 
@@ -1750,6 +1758,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hash_algorithm_set.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hasher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_null.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_rand.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_seq.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/mgf1/$(DEPDIR)/mgf1.Plo@am__quote@ diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index a750f7fcb..a088b0527 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -199,12 +199,12 @@ const oid_t oid_names[] = { { 0x02, 187, 0, 7, "ecdsa-with-SHA256" }, /* 186 */ { 0x03, 188, 0, 7, "ecdsa-with-SHA384" }, /* 187 */ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 188 */ - {0x2B, 413, 1, 0, "" }, /* 189 */ - { 0x06, 327, 1, 1, "dod" }, /* 190 */ + {0x2B, 416, 1, 0, "" }, /* 189 */ + { 0x06, 330, 1, 1, "dod" }, /* 190 */ { 0x01, 0, 1, 2, "internet" }, /* 191 */ - { 0x04, 278, 1, 3, "private" }, /* 192 */ + { 0x04, 281, 1, 3, "private" }, /* 192 */ { 0x01, 0, 1, 4, "enterprise" }, /* 193 */ - { 0x82, 228, 1, 5, "" }, /* 194 */ + { 0x82, 231, 1, 5, "" }, /* 194 */ { 0x37, 207, 1, 6, "Microsoft" }, /* 195 */ { 0x0A, 200, 1, 7, "" }, /* 196 */ { 0x03, 0, 1, 8, "" }, /* 197 */ 
@@ -235,254 +235,257 @@ const oid_t oid_names[] = { { 0x07, 223, 0, 10, "BLISS-B-III" }, /* 222 */ { 0x08, 0, 0, 10, "BLISS-B-IV" }, /* 223 */ { 0x03, 0, 1, 9, "blissSigType" }, /* 224 */ - { 0x01, 226, 0, 10, "BLISS-with-SHA512" }, /* 225 */ - { 0x02, 227, 0, 10, "BLISS-with-SHA384" }, /* 226 */ - { 0x03, 0, 0, 10, "BLISS-with-SHA256" }, /* 227 */ - { 0x89, 235, 1, 5, "" }, /* 228 */ - { 0x31, 0, 1, 6, "" }, /* 229 */ - { 0x01, 0, 1, 7, "" }, /* 230 */ - { 0x01, 0, 1, 8, "" }, /* 231 */ - { 0x02, 0, 1, 9, "" }, /* 232 */ - { 0x02, 0, 1, 10, "" }, /* 233 */ - { 0x4B, 0, 0, 11, "TCGID" }, /* 234 */ - { 0x97, 239, 1, 5, "" }, /* 235 */ - { 0x55, 0, 1, 6, "" }, /* 236 */ - { 0x01, 0, 1, 7, "" }, /* 237 */ - { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 238 */ - { 0xC1, 0, 1, 5, "" }, /* 239 */ - { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 240 */ - { 0x01, 0, 1, 7, "eess" }, /* 241 */ - { 0x01, 0, 1, 8, "eess1" }, /* 242 */ - { 0x01, 247, 1, 9, "eess1-algs" }, /* 243 */ - { 0x01, 245, 0, 10, "ntru-EESS1v1-SVES" }, /* 244 */ - { 0x02, 246, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 245 */ - { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 246 */ - { 0x02, 277, 1, 9, "eess1-params" }, /* 247 */ - { 0x01, 249, 0, 10, "ees251ep1" }, /* 248 */ - { 0x02, 250, 0, 10, "ees347ep1" }, /* 249 */ - { 0x03, 251, 0, 10, "ees503ep1" }, /* 250 */ - { 0x07, 252, 0, 10, "ees251sp2" }, /* 251 */ - { 0x0C, 253, 0, 10, "ees251ep4" }, /* 252 */ - { 0x0D, 254, 0, 10, "ees251ep5" }, /* 253 */ - { 0x0E, 255, 0, 10, "ees251sp3" }, /* 254 */ - { 0x0F, 256, 0, 10, "ees251sp4" }, /* 255 */ - { 0x10, 257, 0, 10, "ees251sp5" }, /* 256 */ - { 0x11, 258, 0, 10, "ees251sp6" }, /* 257 */ - { 0x12, 259, 0, 10, "ees251sp7" }, /* 258 */ - { 0x13, 260, 0, 10, "ees251sp8" }, /* 259 */ - { 0x14, 261, 0, 10, "ees251sp9" }, /* 260 */ - { 0x22, 262, 0, 10, "ees401ep1" }, /* 261 */ - { 0x23, 263, 0, 10, "ees449ep1" }, /* 262 */ - { 0x24, 264, 0, 10, "ees677ep1" }, /* 263 */ - { 0x25, 265, 0, 10, "ees1087ep2" }, /* 264 */ - { 0x26, 
266, 0, 10, "ees541ep1" }, /* 265 */ - { 0x27, 267, 0, 10, "ees613ep1" }, /* 266 */ - { 0x28, 268, 0, 10, "ees887ep1" }, /* 267 */ - { 0x29, 269, 0, 10, "ees1171ep1" }, /* 268 */ - { 0x2A, 270, 0, 10, "ees659ep1" }, /* 269 */ - { 0x2B, 271, 0, 10, "ees761ep1" }, /* 270 */ - { 0x2C, 272, 0, 10, "ees1087ep1" }, /* 271 */ - { 0x2D, 273, 0, 10, "ees1499ep1" }, /* 272 */ - { 0x2E, 274, 0, 10, "ees401ep2" }, /* 273 */ - { 0x2F, 275, 0, 10, "ees439ep1" }, /* 274 */ - { 0x30, 276, 0, 10, "ees593ep1" }, /* 275 */ - { 0x31, 0, 0, 10, "ees743ep1" }, /* 276 */ - { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 277 */ - { 0x05, 0, 1, 3, "security" }, /* 278 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 279 */ - { 0x07, 324, 1, 5, "id-pkix" }, /* 280 */ - { 0x01, 285, 1, 6, "id-pe" }, /* 281 */ - { 0x01, 283, 0, 7, "authorityInfoAccess" }, /* 282 */ - { 0x03, 284, 0, 7, "qcStatements" }, /* 283 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 284 */ - { 0x02, 288, 1, 6, "id-qt" }, /* 285 */ - { 0x01, 287, 0, 7, "cps" }, /* 286 */ - { 0x02, 0, 0, 7, "unotice" }, /* 287 */ - { 0x03, 298, 1, 6, "id-kp" }, /* 288 */ - { 0x01, 290, 0, 7, "serverAuth" }, /* 289 */ - { 0x02, 291, 0, 7, "clientAuth" }, /* 290 */ - { 0x03, 292, 0, 7, "codeSigning" }, /* 291 */ - { 0x04, 293, 0, 7, "emailProtection" }, /* 292 */ - { 0x05, 294, 0, 7, "ipsecEndSystem" }, /* 293 */ - { 0x06, 295, 0, 7, "ipsecTunnel" }, /* 294 */ - { 0x07, 296, 0, 7, "ipsecUser" }, /* 295 */ - { 0x08, 297, 0, 7, "timeStamping" }, /* 296 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 297 */ - { 0x08, 306, 1, 6, "id-otherNames" }, /* 298 */ - { 0x01, 300, 0, 7, "personalData" }, /* 299 */ - { 0x02, 301, 0, 7, "userGroup" }, /* 300 */ - { 0x03, 302, 0, 7, "id-on-permanentIdentifier" }, /* 301 */ - { 0x04, 303, 0, 7, "id-on-hardwareModuleName" }, /* 302 */ - { 0x05, 304, 0, 7, "xmppAddr" }, /* 303 */ - { 0x06, 305, 0, 7, "id-on-SIM" }, /* 304 */ - { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 305 */ - { 0x0A, 311, 1, 6, "id-aca" }, /* 306 */ - { 0x01, 
308, 0, 7, "authenticationInfo" }, /* 307 */ - { 0x02, 309, 0, 7, "accessIdentity" }, /* 308 */ - { 0x03, 310, 0, 7, "chargingIdentity" }, /* 309 */ - { 0x04, 0, 0, 7, "group" }, /* 310 */ - { 0x0B, 312, 0, 6, "subjectInfoAccess" }, /* 311 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 312 */ - { 0x01, 321, 1, 7, "ocsp" }, /* 313 */ - { 0x01, 315, 0, 8, "basic" }, /* 314 */ - { 0x02, 316, 0, 8, "nonce" }, /* 315 */ - { 0x03, 317, 0, 8, "crl" }, /* 316 */ - { 0x04, 318, 0, 8, "response" }, /* 317 */ - { 0x05, 319, 0, 8, "noCheck" }, /* 318 */ - { 0x06, 320, 0, 8, "archiveCutoff" }, /* 319 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 320 */ - { 0x02, 322, 0, 7, "caIssuers" }, /* 321 */ - { 0x03, 323, 0, 7, "timeStamping" }, /* 322 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 323 */ - { 0x08, 0, 1, 5, "ipsec" }, /* 324 */ - { 0x02, 0, 1, 6, "certificate" }, /* 325 */ - { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 326 */ - { 0x0E, 333, 1, 1, "oiw" }, /* 327 */ - { 0x03, 0, 1, 2, "secsig" }, /* 328 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 329 */ - { 0x07, 331, 0, 4, "des-cbc" }, /* 330 */ - { 0x1A, 332, 0, 4, "sha-1" }, /* 331 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 332 */ - { 0x24, 379, 1, 1, "TeleTrusT" }, /* 333 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 334 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 335 */ - { 0x01, 340, 1, 4, "rsaSignature" }, /* 336 */ - { 0x02, 338, 0, 5, "rsaSigWithripemd160" }, /* 337 */ - { 0x03, 339, 0, 5, "rsaSigWithripemd128" }, /* 338 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 339 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 340 */ - { 0x01, 342, 0, 5, "ecSignWithsha1" }, /* 341 */ - { 0x02, 343, 0, 5, "ecSignWithripemd160" }, /* 342 */ - { 0x03, 344, 0, 5, "ecSignWithmd2" }, /* 343 */ - { 0x04, 345, 0, 5, "ecSignWithmd5" }, /* 344 */ - { 0x05, 362, 1, 5, "ttt-ecg" }, /* 345 */ - { 0x01, 350, 1, 6, "fieldType" }, /* 346 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 347 */ - { 0x01, 0, 1, 8, "basisType" }, /* 348 */ - { 0x01, 0, 0, 9, 
"ipBasis" }, /* 349 */ - { 0x02, 352, 1, 6, "keyType" }, /* 350 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 351 */ - { 0x03, 353, 0, 6, "curve" }, /* 352 */ - { 0x04, 360, 1, 6, "signatures" }, /* 353 */ - { 0x01, 355, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 354 */ - { 0x02, 356, 0, 7, "ecgdsa-with-SHA1" }, /* 355 */ - { 0x03, 357, 0, 7, "ecgdsa-with-SHA224" }, /* 356 */ - { 0x04, 358, 0, 7, "ecgdsa-with-SHA256" }, /* 357 */ - { 0x05, 359, 0, 7, "ecgdsa-with-SHA384" }, /* 358 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 359 */ - { 0x05, 0, 1, 6, "module" }, /* 360 */ - { 0x01, 0, 0, 7, "1" }, /* 361 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 362 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 363 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 364 */ - { 0x01, 366, 0, 8, "brainpoolP160r1" }, /* 365 */ - { 0x02, 367, 0, 8, "brainpoolP160t1" }, /* 366 */ - { 0x03, 368, 0, 8, "brainpoolP192r1" }, /* 367 */ - { 0x04, 369, 0, 8, "brainpoolP192t1" }, /* 368 */ - { 0x05, 370, 0, 8, "brainpoolP224r1" }, /* 369 */ - { 0x06, 371, 0, 8, "brainpoolP224t1" }, /* 370 */ - { 0x07, 372, 0, 8, "brainpoolP256r1" }, /* 371 */ - { 0x08, 373, 0, 8, "brainpoolP256t1" }, /* 372 */ - { 0x09, 374, 0, 8, "brainpoolP320r1" }, /* 373 */ - { 0x0A, 375, 0, 8, "brainpoolP320t1" }, /* 374 */ - { 0x0B, 376, 0, 8, "brainpoolP384r1" }, /* 375 */ - { 0x0C, 377, 0, 8, "brainpoolP384t1" }, /* 376 */ - { 0x0D, 378, 0, 8, "brainpoolP512r1" }, /* 377 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 378 */ - { 0x81, 0, 1, 1, "" }, /* 379 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 380 */ - { 0x00, 0, 1, 3, "curve" }, /* 381 */ - { 0x01, 383, 0, 4, "sect163k1" }, /* 382 */ - { 0x02, 384, 0, 4, "sect163r1" }, /* 383 */ - { 0x03, 385, 0, 4, "sect239k1" }, /* 384 */ - { 0x04, 386, 0, 4, "sect113r1" }, /* 385 */ - { 0x05, 387, 0, 4, "sect113r2" }, /* 386 */ - { 0x06, 388, 0, 4, "secp112r1" }, /* 387 */ - { 0x07, 389, 0, 4, "secp112r2" }, /* 388 */ - { 0x08, 390, 0, 4, "secp160r1" }, /* 389 */ - { 0x09, 391, 0, 4, 
"secp160k1" }, /* 390 */ - { 0x0A, 392, 0, 4, "secp256k1" }, /* 391 */ - { 0x0F, 393, 0, 4, "sect163r2" }, /* 392 */ - { 0x10, 394, 0, 4, "sect283k1" }, /* 393 */ - { 0x11, 395, 0, 4, "sect283r1" }, /* 394 */ - { 0x16, 396, 0, 4, "sect131r1" }, /* 395 */ - { 0x17, 397, 0, 4, "sect131r2" }, /* 396 */ - { 0x18, 398, 0, 4, "sect193r1" }, /* 397 */ - { 0x19, 399, 0, 4, "sect193r2" }, /* 398 */ - { 0x1A, 400, 0, 4, "sect233k1" }, /* 399 */ - { 0x1B, 401, 0, 4, "sect233r1" }, /* 400 */ - { 0x1C, 402, 0, 4, "secp128r1" }, /* 401 */ - { 0x1D, 403, 0, 4, "secp128r2" }, /* 402 */ - { 0x1E, 404, 0, 4, "secp160r2" }, /* 403 */ - { 0x1F, 405, 0, 4, "secp192k1" }, /* 404 */ - { 0x20, 406, 0, 4, "secp224k1" }, /* 405 */ - { 0x21, 407, 0, 4, "secp224r1" }, /* 406 */ - { 0x22, 408, 0, 4, "secp384r1" }, /* 407 */ - { 0x23, 409, 0, 4, "secp521r1" }, /* 408 */ - { 0x24, 410, 0, 4, "sect409k1" }, /* 409 */ - { 0x25, 411, 0, 4, "sect409r1" }, /* 410 */ - { 0x26, 412, 0, 4, "sect571k1" }, /* 411 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 412 */ - {0x60, 467, 1, 0, "" }, /* 413 */ - { 0x86, 0, 1, 1, "" }, /* 414 */ - { 0x48, 0, 1, 2, "" }, /* 415 */ - { 0x01, 0, 1, 3, "organization" }, /* 416 */ - { 0x65, 443, 1, 4, "gov" }, /* 417 */ - { 0x03, 0, 1, 5, "csor" }, /* 418 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 419 */ - { 0x01, 430, 1, 7, "aes" }, /* 420 */ - { 0x02, 422, 0, 8, "id-aes128-CBC" }, /* 421 */ - { 0x06, 423, 0, 8, "id-aes128-GCM" }, /* 422 */ - { 0x07, 424, 0, 8, "id-aes128-CCM" }, /* 423 */ - { 0x16, 425, 0, 8, "id-aes192-CBC" }, /* 424 */ - { 0x1A, 426, 0, 8, "id-aes192-GCM" }, /* 425 */ - { 0x1B, 427, 0, 8, "id-aes192-CCM" }, /* 426 */ - { 0x2A, 428, 0, 8, "id-aes256-CBC" }, /* 427 */ - { 0x2E, 429, 0, 8, "id-aes256-GCM" }, /* 428 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 429 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 430 */ - { 0x01, 432, 0, 8, "id-sha256" }, /* 431 */ - { 0x02, 433, 0, 8, "id-sha384" }, /* 432 */ - { 0x03, 434, 0, 8, "id-sha512" }, /* 433 */ - { 0x04, 435, 
0, 8, "id-sha224" }, /* 434 */ - { 0x05, 436, 0, 8, "id-sha512-224" }, /* 435 */ - { 0x06, 437, 0, 8, "id-sha512-256" }, /* 436 */ - { 0x07, 438, 0, 8, "id-sha3-224" }, /* 437 */ - { 0x08, 439, 0, 8, "id-sha3-256" }, /* 438 */ - { 0x09, 440, 0, 8, "id-sha3-384" }, /* 439 */ - { 0x0A, 441, 0, 8, "id-sha3-512" }, /* 440 */ - { 0x0B, 442, 0, 8, "id-shake128" }, /* 441 */ - { 0x0C, 0, 0, 8, "id-shake256" }, /* 442 */ - { 0x86, 0, 1, 4, "" }, /* 443 */ - { 0xf8, 0, 1, 5, "" }, /* 444 */ - { 0x42, 457, 1, 6, "netscape" }, /* 445 */ - { 0x01, 452, 1, 7, "" }, /* 446 */ - { 0x01, 448, 0, 8, "nsCertType" }, /* 447 */ - { 0x03, 449, 0, 8, "nsRevocationUrl" }, /* 448 */ - { 0x04, 450, 0, 8, "nsCaRevocationUrl" }, /* 449 */ - { 0x08, 451, 0, 8, "nsCaPolicyUrl" }, /* 450 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 451 */ - { 0x03, 455, 1, 7, "directory" }, /* 452 */ - { 0x01, 0, 1, 8, "" }, /* 453 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 454 */ - { 0x04, 0, 1, 7, "policy" }, /* 455 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 456 */ - { 0x45, 0, 1, 6, "verisign" }, /* 457 */ - { 0x01, 0, 1, 7, "pki" }, /* 458 */ - { 0x09, 0, 1, 8, "attributes" }, /* 459 */ - { 0x02, 461, 0, 9, "messageType" }, /* 460 */ - { 0x03, 462, 0, 9, "pkiStatus" }, /* 461 */ - { 0x04, 463, 0, 9, "failInfo" }, /* 462 */ - { 0x05, 464, 0, 9, "senderNonce" }, /* 463 */ - { 0x06, 465, 0, 9, "recipientNonce" }, /* 464 */ - { 0x07, 466, 0, 9, "transID" }, /* 465 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 466 */ - {0x67, 0, 1, 0, "" }, /* 467 */ - { 0x81, 0, 1, 1, "" }, /* 468 */ - { 0x05, 0, 1, 2, "" }, /* 469 */ - { 0x02, 0, 1, 3, "tcg-attribute" }, /* 470 */ - { 0x01, 472, 0, 4, "tcg-at-tpmManufacturer" }, /* 471 */ - { 0x02, 473, 0, 4, "tcg-at-tpmModel" }, /* 472 */ - { 0x03, 474, 0, 4, "tcg-at-tpmVersion" }, /* 473 */ - { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 474 */ + { 0x01, 226, 0, 10, "BLISS-with-SHA2-512" }, /* 225 */ + { 0x02, 227, 0, 10, "BLISS-with-SHA2-384" }, /* 226 */ + { 0x03, 228, 0, 10, 
"BLISS-with-SHA2-256" }, /* 227 */ + { 0x04, 229, 0, 10, "BLISS-with-SHA3-512" }, /* 228 */ + { 0x05, 230, 0, 10, "BLISS-with-SHA3-384" }, /* 229 */ + { 0x06, 0, 0, 10, "BLISS-with-SHA3-256" }, /* 230 */ + { 0x89, 238, 1, 5, "" }, /* 231 */ + { 0x31, 0, 1, 6, "" }, /* 232 */ + { 0x01, 0, 1, 7, "" }, /* 233 */ + { 0x01, 0, 1, 8, "" }, /* 234 */ + { 0x02, 0, 1, 9, "" }, /* 235 */ + { 0x02, 0, 1, 10, "" }, /* 236 */ + { 0x4B, 0, 0, 11, "TCGID" }, /* 237 */ + { 0x97, 242, 1, 5, "" }, /* 238 */ + { 0x55, 0, 1, 6, "" }, /* 239 */ + { 0x01, 0, 1, 7, "" }, /* 240 */ + { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 241 */ + { 0xC1, 0, 1, 5, "" }, /* 242 */ + { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 243 */ + { 0x01, 0, 1, 7, "eess" }, /* 244 */ + { 0x01, 0, 1, 8, "eess1" }, /* 245 */ + { 0x01, 250, 1, 9, "eess1-algs" }, /* 246 */ + { 0x01, 248, 0, 10, "ntru-EESS1v1-SVES" }, /* 247 */ + { 0x02, 249, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 248 */ + { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 249 */ + { 0x02, 280, 1, 9, "eess1-params" }, /* 250 */ + { 0x01, 252, 0, 10, "ees251ep1" }, /* 251 */ + { 0x02, 253, 0, 10, "ees347ep1" }, /* 252 */ + { 0x03, 254, 0, 10, "ees503ep1" }, /* 253 */ + { 0x07, 255, 0, 10, "ees251sp2" }, /* 254 */ + { 0x0C, 256, 0, 10, "ees251ep4" }, /* 255 */ + { 0x0D, 257, 0, 10, "ees251ep5" }, /* 256 */ + { 0x0E, 258, 0, 10, "ees251sp3" }, /* 257 */ + { 0x0F, 259, 0, 10, "ees251sp4" }, /* 258 */ + { 0x10, 260, 0, 10, "ees251sp5" }, /* 259 */ + { 0x11, 261, 0, 10, "ees251sp6" }, /* 260 */ + { 0x12, 262, 0, 10, "ees251sp7" }, /* 261 */ + { 0x13, 263, 0, 10, "ees251sp8" }, /* 262 */ + { 0x14, 264, 0, 10, "ees251sp9" }, /* 263 */ + { 0x22, 265, 0, 10, "ees401ep1" }, /* 264 */ + { 0x23, 266, 0, 10, "ees449ep1" }, /* 265 */ + { 0x24, 267, 0, 10, "ees677ep1" }, /* 266 */ + { 0x25, 268, 0, 10, "ees1087ep2" }, /* 267 */ + { 0x26, 269, 0, 10, "ees541ep1" }, /* 268 */ + { 0x27, 270, 0, 10, "ees613ep1" }, /* 269 */ + { 0x28, 271, 0, 10, "ees887ep1" }, /* 270 */ + { 0x29, 272, 
0, 10, "ees1171ep1" }, /* 271 */ + { 0x2A, 273, 0, 10, "ees659ep1" }, /* 272 */ + { 0x2B, 274, 0, 10, "ees761ep1" }, /* 273 */ + { 0x2C, 275, 0, 10, "ees1087ep1" }, /* 274 */ + { 0x2D, 276, 0, 10, "ees1499ep1" }, /* 275 */ + { 0x2E, 277, 0, 10, "ees401ep2" }, /* 276 */ + { 0x2F, 278, 0, 10, "ees439ep1" }, /* 277 */ + { 0x30, 279, 0, 10, "ees593ep1" }, /* 278 */ + { 0x31, 0, 0, 10, "ees743ep1" }, /* 279 */ + { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 280 */ + { 0x05, 0, 1, 3, "security" }, /* 281 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 282 */ + { 0x07, 327, 1, 5, "id-pkix" }, /* 283 */ + { 0x01, 288, 1, 6, "id-pe" }, /* 284 */ + { 0x01, 286, 0, 7, "authorityInfoAccess" }, /* 285 */ + { 0x03, 287, 0, 7, "qcStatements" }, /* 286 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 287 */ + { 0x02, 291, 1, 6, "id-qt" }, /* 288 */ + { 0x01, 290, 0, 7, "cps" }, /* 289 */ + { 0x02, 0, 0, 7, "unotice" }, /* 290 */ + { 0x03, 301, 1, 6, "id-kp" }, /* 291 */ + { 0x01, 293, 0, 7, "serverAuth" }, /* 292 */ + { 0x02, 294, 0, 7, "clientAuth" }, /* 293 */ + { 0x03, 295, 0, 7, "codeSigning" }, /* 294 */ + { 0x04, 296, 0, 7, "emailProtection" }, /* 295 */ + { 0x05, 297, 0, 7, "ipsecEndSystem" }, /* 296 */ + { 0x06, 298, 0, 7, "ipsecTunnel" }, /* 297 */ + { 0x07, 299, 0, 7, "ipsecUser" }, /* 298 */ + { 0x08, 300, 0, 7, "timeStamping" }, /* 299 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 300 */ + { 0x08, 309, 1, 6, "id-otherNames" }, /* 301 */ + { 0x01, 303, 0, 7, "personalData" }, /* 302 */ + { 0x02, 304, 0, 7, "userGroup" }, /* 303 */ + { 0x03, 305, 0, 7, "id-on-permanentIdentifier" }, /* 304 */ + { 0x04, 306, 0, 7, "id-on-hardwareModuleName" }, /* 305 */ + { 0x05, 307, 0, 7, "xmppAddr" }, /* 306 */ + { 0x06, 308, 0, 7, "id-on-SIM" }, /* 307 */ + { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 308 */ + { 0x0A, 314, 1, 6, "id-aca" }, /* 309 */ + { 0x01, 311, 0, 7, "authenticationInfo" }, /* 310 */ + { 0x02, 312, 0, 7, "accessIdentity" }, /* 311 */ + { 0x03, 313, 0, 7, "chargingIdentity" }, /* 312 */ 
+ { 0x04, 0, 0, 7, "group" }, /* 313 */ + { 0x0B, 315, 0, 6, "subjectInfoAccess" }, /* 314 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 315 */ + { 0x01, 324, 1, 7, "ocsp" }, /* 316 */ + { 0x01, 318, 0, 8, "basic" }, /* 317 */ + { 0x02, 319, 0, 8, "nonce" }, /* 318 */ + { 0x03, 320, 0, 8, "crl" }, /* 319 */ + { 0x04, 321, 0, 8, "response" }, /* 320 */ + { 0x05, 322, 0, 8, "noCheck" }, /* 321 */ + { 0x06, 323, 0, 8, "archiveCutoff" }, /* 322 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 323 */ + { 0x02, 325, 0, 7, "caIssuers" }, /* 324 */ + { 0x03, 326, 0, 7, "timeStamping" }, /* 325 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 326 */ + { 0x08, 0, 1, 5, "ipsec" }, /* 327 */ + { 0x02, 0, 1, 6, "certificate" }, /* 328 */ + { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 329 */ + { 0x0E, 336, 1, 1, "oiw" }, /* 330 */ + { 0x03, 0, 1, 2, "secsig" }, /* 331 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 332 */ + { 0x07, 334, 0, 4, "des-cbc" }, /* 333 */ + { 0x1A, 335, 0, 4, "sha-1" }, /* 334 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 335 */ + { 0x24, 382, 1, 1, "TeleTrusT" }, /* 336 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 337 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 338 */ + { 0x01, 343, 1, 4, "rsaSignature" }, /* 339 */ + { 0x02, 341, 0, 5, "rsaSigWithripemd160" }, /* 340 */ + { 0x03, 342, 0, 5, "rsaSigWithripemd128" }, /* 341 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 342 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 343 */ + { 0x01, 345, 0, 5, "ecSignWithsha1" }, /* 344 */ + { 0x02, 346, 0, 5, "ecSignWithripemd160" }, /* 345 */ + { 0x03, 347, 0, 5, "ecSignWithmd2" }, /* 346 */ + { 0x04, 348, 0, 5, "ecSignWithmd5" }, /* 347 */ + { 0x05, 365, 1, 5, "ttt-ecg" }, /* 348 */ + { 0x01, 353, 1, 6, "fieldType" }, /* 349 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 350 */ + { 0x01, 0, 1, 8, "basisType" }, /* 351 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 352 */ + { 0x02, 355, 1, 6, "keyType" }, /* 353 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 354 */ + { 0x03, 356, 0, 6, "curve" }, /* 
355 */ + { 0x04, 363, 1, 6, "signatures" }, /* 356 */ + { 0x01, 358, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 357 */ + { 0x02, 359, 0, 7, "ecgdsa-with-SHA1" }, /* 358 */ + { 0x03, 360, 0, 7, "ecgdsa-with-SHA224" }, /* 359 */ + { 0x04, 361, 0, 7, "ecgdsa-with-SHA256" }, /* 360 */ + { 0x05, 362, 0, 7, "ecgdsa-with-SHA384" }, /* 361 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 362 */ + { 0x05, 0, 1, 6, "module" }, /* 363 */ + { 0x01, 0, 0, 7, "1" }, /* 364 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 365 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 366 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 367 */ + { 0x01, 369, 0, 8, "brainpoolP160r1" }, /* 368 */ + { 0x02, 370, 0, 8, "brainpoolP160t1" }, /* 369 */ + { 0x03, 371, 0, 8, "brainpoolP192r1" }, /* 370 */ + { 0x04, 372, 0, 8, "brainpoolP192t1" }, /* 371 */ + { 0x05, 373, 0, 8, "brainpoolP224r1" }, /* 372 */ + { 0x06, 374, 0, 8, "brainpoolP224t1" }, /* 373 */ + { 0x07, 375, 0, 8, "brainpoolP256r1" }, /* 374 */ + { 0x08, 376, 0, 8, "brainpoolP256t1" }, /* 375 */ + { 0x09, 377, 0, 8, "brainpoolP320r1" }, /* 376 */ + { 0x0A, 378, 0, 8, "brainpoolP320t1" }, /* 377 */ + { 0x0B, 379, 0, 8, "brainpoolP384r1" }, /* 378 */ + { 0x0C, 380, 0, 8, "brainpoolP384t1" }, /* 379 */ + { 0x0D, 381, 0, 8, "brainpoolP512r1" }, /* 380 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 381 */ + { 0x81, 0, 1, 1, "" }, /* 382 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 383 */ + { 0x00, 0, 1, 3, "curve" }, /* 384 */ + { 0x01, 386, 0, 4, "sect163k1" }, /* 385 */ + { 0x02, 387, 0, 4, "sect163r1" }, /* 386 */ + { 0x03, 388, 0, 4, "sect239k1" }, /* 387 */ + { 0x04, 389, 0, 4, "sect113r1" }, /* 388 */ + { 0x05, 390, 0, 4, "sect113r2" }, /* 389 */ + { 0x06, 391, 0, 4, "secp112r1" }, /* 390 */ + { 0x07, 392, 0, 4, "secp112r2" }, /* 391 */ + { 0x08, 393, 0, 4, "secp160r1" }, /* 392 */ + { 0x09, 394, 0, 4, "secp160k1" }, /* 393 */ + { 0x0A, 395, 0, 4, "secp256k1" }, /* 394 */ + { 0x0F, 396, 0, 4, "sect163r2" }, /* 395 */ + { 0x10, 397, 0, 4, "sect283k1" }, 
/* 396 */ + { 0x11, 398, 0, 4, "sect283r1" }, /* 397 */ + { 0x16, 399, 0, 4, "sect131r1" }, /* 398 */ + { 0x17, 400, 0, 4, "sect131r2" }, /* 399 */ + { 0x18, 401, 0, 4, "sect193r1" }, /* 400 */ + { 0x19, 402, 0, 4, "sect193r2" }, /* 401 */ + { 0x1A, 403, 0, 4, "sect233k1" }, /* 402 */ + { 0x1B, 404, 0, 4, "sect233r1" }, /* 403 */ + { 0x1C, 405, 0, 4, "secp128r1" }, /* 404 */ + { 0x1D, 406, 0, 4, "secp128r2" }, /* 405 */ + { 0x1E, 407, 0, 4, "secp160r2" }, /* 406 */ + { 0x1F, 408, 0, 4, "secp192k1" }, /* 407 */ + { 0x20, 409, 0, 4, "secp224k1" }, /* 408 */ + { 0x21, 410, 0, 4, "secp224r1" }, /* 409 */ + { 0x22, 411, 0, 4, "secp384r1" }, /* 410 */ + { 0x23, 412, 0, 4, "secp521r1" }, /* 411 */ + { 0x24, 413, 0, 4, "sect409k1" }, /* 412 */ + { 0x25, 414, 0, 4, "sect409r1" }, /* 413 */ + { 0x26, 415, 0, 4, "sect571k1" }, /* 414 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 415 */ + {0x60, 470, 1, 0, "" }, /* 416 */ + { 0x86, 0, 1, 1, "" }, /* 417 */ + { 0x48, 0, 1, 2, "" }, /* 418 */ + { 0x01, 0, 1, 3, "organization" }, /* 419 */ + { 0x65, 446, 1, 4, "gov" }, /* 420 */ + { 0x03, 0, 1, 5, "csor" }, /* 421 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 422 */ + { 0x01, 433, 1, 7, "aes" }, /* 423 */ + { 0x02, 425, 0, 8, "id-aes128-CBC" }, /* 424 */ + { 0x06, 426, 0, 8, "id-aes128-GCM" }, /* 425 */ + { 0x07, 427, 0, 8, "id-aes128-CCM" }, /* 426 */ + { 0x16, 428, 0, 8, "id-aes192-CBC" }, /* 427 */ + { 0x1A, 429, 0, 8, "id-aes192-GCM" }, /* 428 */ + { 0x1B, 430, 0, 8, "id-aes192-CCM" }, /* 429 */ + { 0x2A, 431, 0, 8, "id-aes256-CBC" }, /* 430 */ + { 0x2E, 432, 0, 8, "id-aes256-GCM" }, /* 431 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 432 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 433 */ + { 0x01, 435, 0, 8, "id-sha256" }, /* 434 */ + { 0x02, 436, 0, 8, "id-sha384" }, /* 435 */ + { 0x03, 437, 0, 8, "id-sha512" }, /* 436 */ + { 0x04, 438, 0, 8, "id-sha224" }, /* 437 */ + { 0x05, 439, 0, 8, "id-sha512-224" }, /* 438 */ + { 0x06, 440, 0, 8, "id-sha512-256" }, /* 439 */ + { 0x07, 441, 0, 8, 
"id-sha3-224" }, /* 440 */ + { 0x08, 442, 0, 8, "id-sha3-256" }, /* 441 */ + { 0x09, 443, 0, 8, "id-sha3-384" }, /* 442 */ + { 0x0A, 444, 0, 8, "id-sha3-512" }, /* 443 */ + { 0x0B, 445, 0, 8, "id-shake128" }, /* 444 */ + { 0x0C, 0, 0, 8, "id-shake256" }, /* 445 */ + { 0x86, 0, 1, 4, "" }, /* 446 */ + { 0xf8, 0, 1, 5, "" }, /* 447 */ + { 0x42, 460, 1, 6, "netscape" }, /* 448 */ + { 0x01, 455, 1, 7, "" }, /* 449 */ + { 0x01, 451, 0, 8, "nsCertType" }, /* 450 */ + { 0x03, 452, 0, 8, "nsRevocationUrl" }, /* 451 */ + { 0x04, 453, 0, 8, "nsCaRevocationUrl" }, /* 452 */ + { 0x08, 454, 0, 8, "nsCaPolicyUrl" }, /* 453 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 454 */ + { 0x03, 458, 1, 7, "directory" }, /* 455 */ + { 0x01, 0, 1, 8, "" }, /* 456 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 457 */ + { 0x04, 0, 1, 7, "policy" }, /* 458 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 459 */ + { 0x45, 0, 1, 6, "verisign" }, /* 460 */ + { 0x01, 0, 1, 7, "pki" }, /* 461 */ + { 0x09, 0, 1, 8, "attributes" }, /* 462 */ + { 0x02, 464, 0, 9, "messageType" }, /* 463 */ + { 0x03, 465, 0, 9, "pkiStatus" }, /* 464 */ + { 0x04, 466, 0, 9, "failInfo" }, /* 465 */ + { 0x05, 467, 0, 9, "senderNonce" }, /* 466 */ + { 0x06, 468, 0, 9, "recipientNonce" }, /* 467 */ + { 0x07, 469, 0, 9, "transID" }, /* 468 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 469 */ + {0x67, 0, 1, 0, "" }, /* 470 */ + { 0x81, 0, 1, 1, "" }, /* 471 */ + { 0x05, 0, 1, 2, "" }, /* 472 */ + { 0x02, 0, 1, 3, "tcg-attribute" }, /* 473 */ + { 0x01, 475, 0, 4, "tcg-at-tpmManufacturer" }, /* 474 */ + { 0x02, 476, 0, 4, "tcg-at-tpmModel" }, /* 475 */ + { 0x03, 477, 0, 4, "tcg-at-tpmVersion" }, /* 476 */ + { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 477 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 0f7c5d644..b9ed08d2e 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h 
@@ -150,103 +150,110 @@ extern const oid_t oid_names[]; #define OID_BLISS_B_II 221 #define OID_BLISS_B_III 222 #define OID_BLISS_B_IV 223 -#define OID_BLISS_WITH_SHA512 225 -#define OID_BLISS_WITH_SHA384 226 -#define OID_BLISS_WITH_SHA256 227 -#define OID_TCGID 234 -#define OID_BLOWFISH_CBC 238 -#define OID_AUTHORITY_INFO_ACCESS 282 -#define OID_IP_ADDR_BLOCKS 284 -#define OID_POLICY_QUALIFIER_CPS 286 -#define OID_POLICY_QUALIFIER_UNOTICE 287 -#define OID_SERVER_AUTH 289 -#define OID_CLIENT_AUTH 290 -#define OID_OCSP_SIGNING 297 -#define OID_XMPP_ADDR 303 -#define OID_AUTHENTICATION_INFO 307 -#define OID_ACCESS_IDENTITY 308 -#define OID_CHARGING_IDENTITY 309 -#define OID_GROUP 310 -#define OID_OCSP 313 -#define OID_BASIC 314 -#define OID_NONCE 315 -#define OID_CRL 316 -#define OID_RESPONSE 317 -#define OID_NO_CHECK 318 -#define OID_ARCHIVE_CUTOFF 319 -#define OID_SERVICE_LOCATOR 320 -#define OID_CA_ISSUERS 321 -#define OID_IKE_INTERMEDIATE 326 -#define OID_DES_CBC 330 -#define OID_SHA1 331 -#define OID_SHA1_WITH_RSA_OIW 332 -#define OID_ECGDSA_PUBKEY 351 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 354 -#define OID_ECGDSA_SIG_WITH_SHA1 355 -#define OID_ECGDSA_SIG_WITH_SHA224 356 -#define OID_ECGDSA_SIG_WITH_SHA256 357 -#define OID_ECGDSA_SIG_WITH_SHA384 358 -#define OID_ECGDSA_SIG_WITH_SHA512 359 -#define OID_SECT163K1 382 -#define OID_SECT163R1 383 -#define OID_SECT239K1 384 -#define OID_SECT113R1 385 -#define OID_SECT113R2 386 -#define OID_SECT112R1 387 -#define OID_SECT112R2 388 -#define OID_SECT160R1 389 -#define OID_SECT160K1 390 -#define OID_SECT256K1 391 -#define OID_SECT163R2 392 -#define OID_SECT283K1 393 -#define OID_SECT283R1 394 -#define OID_SECT131R1 395 -#define OID_SECT131R2 396 -#define OID_SECT193R1 397 -#define OID_SECT193R2 398 -#define OID_SECT233K1 399 -#define OID_SECT233R1 400 -#define OID_SECT128R1 401 -#define OID_SECT128R2 402 -#define OID_SECT160R2 403 -#define OID_SECT192K1 404 -#define OID_SECT224K1 405 -#define OID_SECT224R1 406 -#define 
OID_SECT384R1 407 -#define OID_SECT521R1 408 -#define OID_SECT409K1 409 -#define OID_SECT409R1 410 -#define OID_SECT571K1 411 -#define OID_SECT571R1 412 -#define OID_AES128_CBC 421 -#define OID_AES128_GCM 422 -#define OID_AES128_CCM 423 -#define OID_AES192_CBC 424 -#define OID_AES192_GCM 425 -#define OID_AES192_CCM 426 -#define OID_AES256_CBC 427 -#define OID_AES256_GCM 428 -#define OID_AES256_CCM 429 -#define OID_SHA256 431 -#define OID_SHA384 432 -#define OID_SHA512 433 -#define OID_SHA224 434 -#define OID_NS_REVOCATION_URL 448 -#define OID_NS_CA_REVOCATION_URL 449 -#define OID_NS_CA_POLICY_URL 450 -#define OID_NS_COMMENT 451 -#define OID_EMPLOYEE_NUMBER 454 -#define OID_PKI_MESSAGE_TYPE 460 -#define OID_PKI_STATUS 461 -#define OID_PKI_FAIL_INFO 462 -#define OID_PKI_SENDER_NONCE 463 -#define OID_PKI_RECIPIENT_NONCE 464 -#define OID_PKI_TRANS_ID 465 -#define OID_TPM_MANUFACTURER 471 -#define OID_TPM_MODEL 472 -#define OID_TPM_VERSION 473 -#define OID_TPM_ID_LABEL 474 +#define OID_BLISS_WITH_SHA2_512 225 +#define OID_BLISS_WITH_SHA2_384 226 +#define OID_BLISS_WITH_SHA2_256 227 +#define OID_BLISS_WITH_SHA3_512 228 +#define OID_BLISS_WITH_SHA3_384 229 +#define OID_BLISS_WITH_SHA3_256 230 +#define OID_TCGID 237 +#define OID_BLOWFISH_CBC 241 +#define OID_AUTHORITY_INFO_ACCESS 285 +#define OID_IP_ADDR_BLOCKS 287 +#define OID_POLICY_QUALIFIER_CPS 289 +#define OID_POLICY_QUALIFIER_UNOTICE 290 +#define OID_SERVER_AUTH 292 +#define OID_CLIENT_AUTH 293 +#define OID_OCSP_SIGNING 300 +#define OID_XMPP_ADDR 306 +#define OID_AUTHENTICATION_INFO 310 +#define OID_ACCESS_IDENTITY 311 +#define OID_CHARGING_IDENTITY 312 +#define OID_GROUP 313 +#define OID_OCSP 316 +#define OID_BASIC 317 +#define OID_NONCE 318 +#define OID_CRL 319 +#define OID_RESPONSE 320 +#define OID_NO_CHECK 321 +#define OID_ARCHIVE_CUTOFF 322 +#define OID_SERVICE_LOCATOR 323 +#define OID_CA_ISSUERS 324 +#define OID_IKE_INTERMEDIATE 329 +#define OID_DES_CBC 333 +#define OID_SHA1 334 +#define OID_SHA1_WITH_RSA_OIW 
335 +#define OID_ECGDSA_PUBKEY 354 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 357 +#define OID_ECGDSA_SIG_WITH_SHA1 358 +#define OID_ECGDSA_SIG_WITH_SHA224 359 +#define OID_ECGDSA_SIG_WITH_SHA256 360 +#define OID_ECGDSA_SIG_WITH_SHA384 361 +#define OID_ECGDSA_SIG_WITH_SHA512 362 +#define OID_SECT163K1 385 +#define OID_SECT163R1 386 +#define OID_SECT239K1 387 +#define OID_SECT113R1 388 +#define OID_SECT113R2 389 +#define OID_SECT112R1 390 +#define OID_SECT112R2 391 +#define OID_SECT160R1 392 +#define OID_SECT160K1 393 +#define OID_SECT256K1 394 +#define OID_SECT163R2 395 +#define OID_SECT283K1 396 +#define OID_SECT283R1 397 +#define OID_SECT131R1 398 +#define OID_SECT131R2 399 +#define OID_SECT193R1 400 +#define OID_SECT193R2 401 +#define OID_SECT233K1 402 +#define OID_SECT233R1 403 +#define OID_SECT128R1 404 +#define OID_SECT128R2 405 +#define OID_SECT160R2 406 +#define OID_SECT192K1 407 +#define OID_SECT224K1 408 +#define OID_SECT224R1 409 +#define OID_SECT384R1 410 +#define OID_SECT521R1 411 +#define OID_SECT409K1 412 +#define OID_SECT409R1 413 +#define OID_SECT571K1 414 +#define OID_SECT571R1 415 +#define OID_AES128_CBC 424 +#define OID_AES128_GCM 425 +#define OID_AES128_CCM 426 +#define OID_AES192_CBC 427 +#define OID_AES192_GCM 428 +#define OID_AES192_CCM 429 +#define OID_AES256_CBC 430 +#define OID_AES256_GCM 431 +#define OID_AES256_CCM 432 +#define OID_SHA256 434 +#define OID_SHA384 435 +#define OID_SHA512 436 +#define OID_SHA224 437 +#define OID_SHA3_224 440 +#define OID_SHA3_256 441 +#define OID_SHA3_384 442 +#define OID_SHA3_512 443 +#define OID_NS_REVOCATION_URL 451 +#define OID_NS_CA_REVOCATION_URL 452 +#define OID_NS_CA_POLICY_URL 453 +#define OID_NS_COMMENT 454 +#define OID_EMPLOYEE_NUMBER 457 +#define OID_PKI_MESSAGE_TYPE 463 +#define OID_PKI_STATUS 464 +#define OID_PKI_FAIL_INFO 465 +#define OID_PKI_SENDER_NONCE 466 +#define OID_PKI_RECIPIENT_NONCE 467 +#define OID_PKI_TRANS_ID 468 +#define OID_TPM_MANUFACTURER 474 +#define OID_TPM_MODEL 475 +#define 
OID_TPM_VERSION 476 +#define OID_TPM_ID_LABEL 477 -#define OID_MAX 475 +#define OID_MAX 478 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 919d24c43..64dedcb33 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -223,9 +223,12 @@ 0x07 "BLISS-B-III" OID_BLISS_B_III 0x08 "BLISS-B-IV" OID_BLISS_B_IV 0x03 "blissSigType" - 0x01 "BLISS-with-SHA512" OID_BLISS_WITH_SHA512 - 0x02 "BLISS-with-SHA384" OID_BLISS_WITH_SHA384 - 0x03 "BLISS-with-SHA256" OID_BLISS_WITH_SHA256 + 0x01 "BLISS-with-SHA2-512" OID_BLISS_WITH_SHA2_512 + 0x02 "BLISS-with-SHA2-384" OID_BLISS_WITH_SHA2_384 + 0x03 "BLISS-with-SHA2-256" OID_BLISS_WITH_SHA2_256 + 0x04 "BLISS-with-SHA3-512" OID_BLISS_WITH_SHA3_512 + 0x05 "BLISS-with-SHA3-384" OID_BLISS_WITH_SHA3_384 + 0x06 "BLISS-with-SHA3-256" OID_BLISS_WITH_SHA3_256 0x89 "" 0x31 "" 0x01 "" @@ -435,10 +438,10 @@ 0x04 "id-sha224" OID_SHA224 0x05 "id-sha512-224" 0x06 "id-sha512-256" - 0x07 "id-sha3-224" - 0x08 "id-sha3-256" - 0x09 "id-sha3-384" - 0x0A "id-sha3-512" + 0x07 "id-sha3-224" OID_SHA3_224 + 0x08 "id-sha3-256" OID_SHA3_256 + 0x09 "id-sha3-384" OID_SHA3_384 + 0x0A "id-sha3-512" OID_SHA3_512 0x0B "id-shake128" 0x0C "id-shake256" 0x86 "" diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 1e93f021a..9988d8021 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -951,9 +951,9 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy { entry_t entry; - while (array_remove(other->entries, ARRAY_HEAD, &entry)) - { - array_insert(this->entries, ARRAY_TAIL, &entry); + while (array_remove(other->entries, ARRAY_TAIL, &entry)) + { /* keep order but prefer new values (esp. for single valued ones) */ + array_insert(this->entries, ARRAY_HEAD, &entry); } array_compress(other->entries); } 
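Review bot: Every OID_* value from OID_BLISS_WITH_SHA2_512 onward shifts by three because these constants are indices into oid_names[], so anything compiled against the previous oid.h would silently resolve to different table rows; the values are only meaningful together with the matching oid.c. If the header does not already say so above this hunk, a comment such as `/* OID_* values are indices into oid_names[] in oid.c; regenerate both from oid.txt rather than editing by hand */` would make that coupling explicit. The new `OID_MAX 478` agrees with the last table entry (index 477) in the oid.c hunk above.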
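Review bot: The loop now pops from the tail of other->entries and pushes to the head of this->entries, which inverts the precedence between the two configs; the inline comment gives the reason, but the effect only holds if lookups return the first matching entry, and that is decided outside this hunk. merge()'s header comment (above the hunk) should state that rules from other take precedence over existing single-valued rules, and the copy branch of merge(), which is not visible here, should apply the same ordering so the result does not depend on the copy flag. The function starts before the hunk.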
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index bd5915e60..d6f211a34 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ ENUM(key_type_names, KEY_ANY, KEY_BLISS, "BLISS" ); -ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512, +ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA3_512, "UNKNOWN", "RSA_EMSA_PKCS1_NULL", "RSA_EMSA_PKCS1_MD5", @@ -44,9 +44,12 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512, "ECDSA-256", "ECDSA-384", "ECDSA-521", - "BLISS_WITH_SHA256", - "BLISS_WITH_SHA384", - "BLISS_WITH_SHA512", + "BLISS_WITH_SHA2_256", + "BLISS_WITH_SHA2_384", + "BLISS_WITH_SHA2_512", + "BLISS_WITH_SHA3_256", + "BLISS_WITH_SHA3_384", + "BLISS_WITH_SHA3_512", ); ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512, 
@@ -137,12 +140,18 @@ signature_scheme_t signature_scheme_from_oid(int oid) case OID_ECDSA_WITH_SHA512: return SIGN_ECDSA_WITH_SHA512_DER; case OID_BLISS_PUBLICKEY: - case OID_BLISS_WITH_SHA512: - return SIGN_BLISS_WITH_SHA512; - case OID_BLISS_WITH_SHA256: - return SIGN_BLISS_WITH_SHA256; - case OID_BLISS_WITH_SHA384: - return SIGN_BLISS_WITH_SHA384; + case OID_BLISS_WITH_SHA2_512: + return SIGN_BLISS_WITH_SHA2_512; + case OID_BLISS_WITH_SHA2_384: + return SIGN_BLISS_WITH_SHA2_384; + case OID_BLISS_WITH_SHA2_256: + return SIGN_BLISS_WITH_SHA2_256; + case OID_BLISS_WITH_SHA3_512: + return SIGN_BLISS_WITH_SHA3_512; + case OID_BLISS_WITH_SHA3_384: + return SIGN_BLISS_WITH_SHA3_384; + case OID_BLISS_WITH_SHA3_256: + return SIGN_BLISS_WITH_SHA3_256; } return SIGN_UNKNOWN; } @@ -181,12 +190,18 @@ int signature_scheme_to_oid(signature_scheme_t scheme) return OID_ECDSA_WITH_SHA384; case SIGN_ECDSA_WITH_SHA512_DER: return OID_ECDSA_WITH_SHA512; - case SIGN_BLISS_WITH_SHA256: - return OID_BLISS_WITH_SHA256; - case SIGN_BLISS_WITH_SHA384: - return OID_BLISS_WITH_SHA384; - case SIGN_BLISS_WITH_SHA512: - return OID_BLISS_WITH_SHA512; + case SIGN_BLISS_WITH_SHA2_256: + return OID_BLISS_WITH_SHA2_256; + case SIGN_BLISS_WITH_SHA2_384: + return OID_BLISS_WITH_SHA2_384; + case SIGN_BLISS_WITH_SHA2_512: + return OID_BLISS_WITH_SHA2_512; + case SIGN_BLISS_WITH_SHA3_256: + return OID_BLISS_WITH_SHA3_256; + case SIGN_BLISS_WITH_SHA3_384: + return OID_BLISS_WITH_SHA3_384; + case SIGN_BLISS_WITH_SHA3_512: + return OID_BLISS_WITH_SHA3_512; } return OID_UNKNOWN; } 
@@ -207,9 +222,9 @@ static struct { { SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 }, { SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 }, { SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 }, - { SIGN_BLISS_WITH_SHA256, KEY_BLISS, 128 }, - { SIGN_BLISS_WITH_SHA384, KEY_BLISS, 192 }, - { SIGN_BLISS_WITH_SHA512, KEY_BLISS, 0 }, + { SIGN_BLISS_WITH_SHA2_256, KEY_BLISS, 128 }, + { SIGN_BLISS_WITH_SHA2_384, KEY_BLISS, 192 }, + { SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, 0 } }; /** @@ -284,9 +299,12 @@ key_type_t key_type_from_signature_scheme(signature_scheme_t scheme) case SIGN_ECDSA_384: case SIGN_ECDSA_521: return KEY_ECDSA; - case SIGN_BLISS_WITH_SHA256: - case SIGN_BLISS_WITH_SHA384: - case SIGN_BLISS_WITH_SHA512: + case SIGN_BLISS_WITH_SHA2_256: + case SIGN_BLISS_WITH_SHA2_384: + case SIGN_BLISS_WITH_SHA2_512: + case SIGN_BLISS_WITH_SHA3_256: + case SIGN_BLISS_WITH_SHA3_384: + case SIGN_BLISS_WITH_SHA3_512: return KEY_BLISS; } return KEY_ANY; diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index 66e98b294..ce48f9b7e 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -1,7 +1,7 @@ /* * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
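Review bot: The trailing comma after the last initializer `{ SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, 0 }` was dropped, so the next addition becomes a two-line diff; keep it as `{ SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, 0 },`. The same applies to `HASH_SHA3_512 = 1032` at the end of hash_algorithm_t in hasher.h later in this patch. The SHA-3 schemes are deliberately absent from this table while key_type_from_signature_scheme below accepts them; since the table appears to drive default scheme selection for a key strength (its consumer is outside the hunk), a one-line comment noting that SHA-3 schemes are never chosen as the default for a BLISS key would save the next reader the question.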
@@ -94,12 +94,18 @@ enum signature_scheme_t { SIGN_ECDSA_384, /** ECDSA on the P-521 curve with SHA-512 as in RFC 4754 */ SIGN_ECDSA_521, - /** BLISS with SHA-256 */ - SIGN_BLISS_WITH_SHA256, - /** BLISS with SHA-384 */ - SIGN_BLISS_WITH_SHA384, - /** BLISS with SHA-512 */ - SIGN_BLISS_WITH_SHA512, + /** BLISS with SHA-2_256 */ + SIGN_BLISS_WITH_SHA2_256, + /** BLISS with SHA-2_384 */ + SIGN_BLISS_WITH_SHA2_384, + /** BLISS with SHA-2_512 */ + SIGN_BLISS_WITH_SHA2_512, + /** BLISS with SHA-3_256 */ + SIGN_BLISS_WITH_SHA3_256, + /** BLISS with SHA-3_384 */ + SIGN_BLISS_WITH_SHA3_384, + /** BLISS with SHA-3_512 */ + SIGN_BLISS_WITH_SHA3_512, }; /** diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index 38eebea9c..e220593d4 100644 --- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c @@ -1,8 +1,9 @@ /* * Copyright (C) 2012-2015 Tobias Brunner + * Copyright (C) 2015 Andreas Steffen * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
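Review bot: The new doc comments read `/** BLISS with SHA-2_256 */`, which is not a hash name; `/** BLISS with SHA-256 (SHA-2) */` and `/** BLISS with SHA3-256 */` match FIPS naming and the enum identifiers. Appending the six values at the end of signature_scheme_t keeps the existing numeric values stable, which is the right choice given the renames.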
@@ -24,26 +25,34 @@ ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_SHA512, "HASH_SHA256", "HASH_SHA384", "HASH_SHA512"); -ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512, +ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512, "HASH_UNKNOWN", "HASH_MD2", "HASH_MD4", "HASH_MD5", - "HASH_SHA224"); -ENUM_END(hash_algorithm_names, HASH_SHA224); + "HASH_SHA224", + "HASH_SHA3_224", + "HASH_SHA3_256", + "HASH_SHA3_384", + "HASH_SHA3_512"); +ENUM_END(hash_algorithm_names, HASH_SHA3_512); ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_SHA512, "sha1", "sha256", "sha384", "sha512"); -ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512, +ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512, "unknown", "md2", "md4", "md5", - "sha224"); -ENUM_END(hash_algorithm_short_names, HASH_SHA224); + "sha224", + "sha3_224", + "sha3_256", + "sha3_384", + "sha3_512"); +ENUM_END(hash_algorithm_short_names, HASH_SHA3_512); /* * Described in header. @@ -73,6 +82,14 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid) case OID_SHA512: case OID_SHA512_WITH_RSA: return HASH_SHA512; + case OID_SHA3_224: + return HASH_SHA3_224; + case OID_SHA3_256: + return HASH_SHA3_256; + case OID_SHA3_384: + return HASH_SHA3_384; + case OID_SHA3_512: + return HASH_SHA3_512; default: return HASH_UNKNOWN; } @@ -242,6 +259,10 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg, case HASH_MD2: case HASH_MD4: case HASH_SHA224: + case HASH_SHA3_224: + case HASH_SHA3_256: + case HASH_SHA3_384: + case HASH_SHA3_512: case HASH_UNKNOWN: break; } @@ -265,6 +286,10 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg) case HASH_MD4: case HASH_MD5: case HASH_SHA224: + case HASH_SHA3_224: + case HASH_SHA3_256: + case HASH_SHA3_384: + case HASH_SHA3_512: break; } return FALSE; 
@@ -300,6 +325,18 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg) case HASH_SHA512: oid = OID_SHA512; break; + case HASH_SHA3_224: + oid = OID_SHA3_224; + break; + case HASH_SHA3_256: + oid = OID_SHA3_256; + break; + case HASH_SHA3_384: + oid = OID_SHA3_384; + break; + case HASH_SHA3_512: + oid = OID_SHA3_512; + break; default: oid = OID_UNKNOWN; } @@ -351,11 +388,17 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key) switch (alg) { case HASH_SHA256: - return OID_BLISS_WITH_SHA256; + return OID_BLISS_WITH_SHA2_256; case HASH_SHA384: - return OID_BLISS_WITH_SHA384; + return OID_BLISS_WITH_SHA2_384; case HASH_SHA512: - return OID_BLISS_WITH_SHA512; + return OID_BLISS_WITH_SHA2_512; + case HASH_SHA3_256: + return OID_BLISS_WITH_SHA3_256; + case HASH_SHA3_384: + return OID_BLISS_WITH_SHA3_384; + case HASH_SHA3_512: + return OID_BLISS_WITH_SHA3_512; default: return OID_UNKNOWN; } @@ -385,18 +428,24 @@ hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme) case SIGN_RSA_EMSA_PKCS1_SHA256: case SIGN_ECDSA_WITH_SHA256_DER: case SIGN_ECDSA_256: - case SIGN_BLISS_WITH_SHA256: + case SIGN_BLISS_WITH_SHA2_256: return HASH_SHA256; case SIGN_RSA_EMSA_PKCS1_SHA384: case SIGN_ECDSA_WITH_SHA384_DER: case SIGN_ECDSA_384: - case SIGN_BLISS_WITH_SHA384: + case SIGN_BLISS_WITH_SHA2_384: return HASH_SHA384; case SIGN_RSA_EMSA_PKCS1_SHA512: case SIGN_ECDSA_WITH_SHA512_DER: case SIGN_ECDSA_521: - case SIGN_BLISS_WITH_SHA512: + case SIGN_BLISS_WITH_SHA2_512: return HASH_SHA512; + case SIGN_BLISS_WITH_SHA3_256: + return HASH_SHA3_256; + case SIGN_BLISS_WITH_SHA3_384: + return HASH_SHA3_384; + case SIGN_BLISS_WITH_SHA3_512: + return HASH_SHA3_512; } return HASH_UNKNOWN; } diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index 772586308..272502cf0 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h 
@@ -45,6 +45,10 @@ enum hash_algorithm_t { HASH_MD4 = 1026, HASH_MD5 = 1027, HASH_SHA224 = 1028, + HASH_SHA3_224 = 1029, + HASH_SHA3_256 = 1030, + HASH_SHA3_384 = 1031, + HASH_SHA3_512 = 1032 }; #define HASH_SIZE_MD2 16 diff --git a/src/libstrongswan/crypto/iv/iv_gen.c b/src/libstrongswan/crypto/iv/iv_gen.c index 7d6570a74..c70627723 100644 --- a/src/libstrongswan/crypto/iv/iv_gen.c +++ b/src/libstrongswan/crypto/iv/iv_gen.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2015 Martin Willi * Copyright (C) 2015 revosec AG * @@ -16,6 +19,7 @@ #include "iv_gen.h" #include "iv_gen_rand.h" #include "iv_gen_seq.h" +#include "iv_gen_null.h" /** * See header. @@ -52,6 +56,7 @@ iv_gen_t* iv_gen_create_for_alg(encryption_algorithm_t alg) case ENCR_NULL_AUTH_AES_GMAC: return iv_gen_seq_create(); case ENCR_NULL: + return iv_gen_null_create(); case ENCR_UNDEFINED: case ENCR_DES_ECB: case ENCR_DES_IV32: diff --git a/src/libstrongswan/crypto/iv/iv_gen_null.c b/src/libstrongswan/crypto/iv/iv_gen_null.c new file mode 100644 index 000000000..b13de0674 --- /dev/null +++ b/src/libstrongswan/crypto/iv/iv_gen_null.c 
@@ -0,0 +1,63 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "iv_gen_null.h" + +typedef struct private_iv_gen_t private_iv_gen_t; + +/** + * Private data of an iv_gen_t object. + */ +struct private_iv_gen_t { + + /** + * Public iv_gen_t interface. + */ + iv_gen_t public; +}; + +METHOD(iv_gen_t, get_iv, bool, + private_iv_gen_t *this, u_int64_t seq, size_t size, u_int8_t *buffer) +{ + return size == 0; +} + +METHOD(iv_gen_t, allocate_iv, bool, + private_iv_gen_t *this, u_int64_t seq, size_t size, chunk_t *chunk) +{ + *chunk = chunk_empty; + return size == 0; +} + +METHOD(iv_gen_t, destroy, void, + private_iv_gen_t *this) +{ + free(this); +} + +iv_gen_t *iv_gen_null_create() +{ + private_iv_gen_t *this; + + INIT(this, + .public = { + .get_iv = _get_iv, + .allocate_iv = _allocate_iv, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libstrongswan/crypto/iv/iv_gen_null.h b/src/libstrongswan/crypto/iv/iv_gen_null.h new file mode 100644 index 000000000..b63f0c3e9 --- /dev/null +++ b/src/libstrongswan/crypto/iv/iv_gen_null.h 
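Review bot: `iv_gen_t *iv_gen_null_create()` declares an unprototyped function in C; write `iv_gen_t *iv_gen_null_create(void)` here and in the iv_gen_null.h declaration in the next hunk so the compiler checks call sites. The header's comment should also spell out the contract visible in get_iv and allocate_iv — both return TRUE only when size is 0 and never write IV bytes — for example `@return IV generator that succeeds only for zero-length IVs`, so a caller that wires it to a cipher needing a real IV fails loudly instead of receiving predictable IV material.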
@@ -0,0 +1,32 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @{ @ingroup iv + */ + +#ifndef IV_GEN_NULL_H_ +#define IV_GEN_NULL_H_ + +#include + +/** + * Create an IV generator that does not actually generate an IV. + * + * @return IV generator + */ +iv_gen_t *iv_gen_null_create(); + +#endif /** IV_GEN_NULL_H_ @}*/ diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.c b/src/libstrongswan/plugins/bliss/bliss_plugin.c index 07597c318..4adcf1e76 100644 --- a/src/libstrongswan/plugins/bliss/bliss_plugin.c +++ b/src/libstrongswan/plugins/bliss/bliss_plugin.c 
@@ -55,19 +55,31 @@ METHOD(plugin_t, get_features, int, PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE), PLUGIN_PROVIDE(PUBKEY, KEY_ANY), /* signature schemes, private */ - PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA256), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_256), PLUGIN_DEPENDS(HASHER, HASH_SHA256), - PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA384), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_384), PLUGIN_DEPENDS(HASHER, HASH_SHA384), - PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA2_512), PLUGIN_DEPENDS(HASHER, HASH_SHA512), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_256), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_256), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_384), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_384), + PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA3_512), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_512), /* signature verification schemes */ - PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA256), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_256), PLUGIN_DEPENDS(HASHER, HASH_SHA256), - PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA384), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_384), PLUGIN_DEPENDS(HASHER, HASH_SHA384), - PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA512), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA2_512), PLUGIN_DEPENDS(HASHER, HASH_SHA512), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_256), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_256), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_384), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_384), + PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA3_512), + PLUGIN_DEPENDS(HASHER, HASH_SHA3_512), }; *features = f; diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c index 1386eeb2d..20bbc6ac5 100644 --- a/src/libstrongswan/plugins/bliss/bliss_private_key.c 
+++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c @@ -511,12 +511,18 @@ METHOD(private_key_t, sign, bool, { switch (scheme) { - case SIGN_BLISS_WITH_SHA256: + case SIGN_BLISS_WITH_SHA2_256: return sign_bliss(this, HASH_SHA256, data, signature); - case SIGN_BLISS_WITH_SHA384: + case SIGN_BLISS_WITH_SHA2_384: return sign_bliss(this, HASH_SHA384, data, signature); - case SIGN_BLISS_WITH_SHA512: + case SIGN_BLISS_WITH_SHA2_512: return sign_bliss(this, HASH_SHA512, data, signature); + case SIGN_BLISS_WITH_SHA3_256: + return sign_bliss(this, HASH_SHA3_256, data, signature); + case SIGN_BLISS_WITH_SHA3_384: + return sign_bliss(this, HASH_SHA3_384, data, signature); + case SIGN_BLISS_WITH_SHA3_512: + return sign_bliss(this, HASH_SHA3_512, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported with BLISS", signature_scheme_names, scheme); diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c index 2b305f6c2..93d1165eb 100644 --- a/src/libstrongswan/plugins/bliss/bliss_public_key.c +++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c @@ -193,12 +193,18 @@ METHOD(public_key_t, verify, bool, { switch (scheme) { - case SIGN_BLISS_WITH_SHA256: + case SIGN_BLISS_WITH_SHA2_256: return verify_bliss(this, HASH_SHA256, data, signature); - case SIGN_BLISS_WITH_SHA384: + case SIGN_BLISS_WITH_SHA2_384: return verify_bliss(this, HASH_SHA384, data, signature); - case SIGN_BLISS_WITH_SHA512: + case SIGN_BLISS_WITH_SHA2_512: return verify_bliss(this, HASH_SHA512, data, signature); + case SIGN_BLISS_WITH_SHA3_256: + return verify_bliss(this, HASH_SHA3_256, data, signature); + case SIGN_BLISS_WITH_SHA3_384: + return verify_bliss(this, HASH_SHA3_384, data, signature); + case SIGN_BLISS_WITH_SHA3_512: + return verify_bliss(this, HASH_SHA3_512, data, signature); default: DBG1(DBG_LIB, "signature scheme %N not supported by BLISS", signature_scheme_names, scheme); 
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c index 8b4e9cbf0..a3e4420a9 100644 --- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c +++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c @@ -36,13 +36,13 @@ START_TEST(test_bliss_sign_all) switch (k) { case 1: - signature_scheme = SIGN_BLISS_WITH_SHA256; + signature_scheme = SIGN_BLISS_WITH_SHA2_256; break; case 2: - signature_scheme = SIGN_BLISS_WITH_SHA384; + signature_scheme = SIGN_BLISS_WITH_SHA2_384; break; default: - signature_scheme = SIGN_BLISS_WITH_SHA512; + signature_scheme = SIGN_BLISS_WITH_SHA2_512; } /* enforce BLISS-B key for k = 2, 3 */ @@ -176,14 +176,14 @@ START_TEST(test_bliss_sign_fail) /* generate valid signature */ msg = chunk_from_str("Hello Dolly!"); - ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA512, msg, &signature)); + ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA2_512, msg, &signature)); /* verify with invalid signature scheme */ ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, msg, signature)); /* corrupt signature */ signature.ptr[signature.len - 1] ^= 0x80; - ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA512, msg, signature)); + ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA2_512, msg, signature)); free(signature.ptr); privkey->destroy(privkey); diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c index 7653c1986..9207f11b6 100644 --- a/src/libstrongswan/plugins/curl/curl_fetcher.c +++ b/src/libstrongswan/plugins/curl/curl_fetcher.c @@ -123,7 +123,7 @@ METHOD(fetcher_t, fetch, status_t, curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers); } - DBG2(DBG_LIB, " sending http request to '%s'...", uri); + DBG2(DBG_LIB, " sending request to '%s'...", uri); curl_status = curl_easy_perform(this->curl); switch (curl_status) { 
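Review bot: test_bliss_sign_all still only cycles through the three SHA-2 schemes (k = 1, 2, default), so the new SIGN_BLISS_WITH_SHA3_* paths added in bliss_private_key.c and bliss_public_key.c get no sign/verify coverage. Extending the switch with SHA-3 cases, e.g. `case 4: signature_scheme = SIGN_BLISS_WITH_SHA3_256; break;`, and enlarging the k loop, plus a corrupted-signature check for one SHA-3 scheme in test_bliss_sign_fail, would exercise the new hasher dependency. The loop bounds are outside the hunk, so the iteration range is inferred from the switch.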
@@ -137,10 +137,10 @@ METHOD(fetcher_t, fetch, status_t, { *this->result = result; } - status = (result >= 200 && result < 300) ? SUCCESS : FAILED; + status = (result < 400) ? SUCCESS : FAILED; break; default: - DBG1(DBG_LIB, "libcurl http request failed [%d]: %s", curl_status, + DBG1(DBG_LIB, "libcurl request failed [%d]: %s", curl_status, error); status = FAILED; break; diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index cac442fc0..49ec48804 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c @@ -18,6 +18,7 @@ #ifndef OPENSSL_NO_DH +#include #include #include "openssl_diffie_hellman.h" diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index a1af500e2..11d6e8ec5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -17,6 +17,7 @@ #ifndef OPENSSL_NO_EC +#include #include #include #include diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index 10a35c1fd..de02f302d 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -23,6 +23,7 @@ #include +#include #include #include #ifndef OPENSSL_NO_ENGINE diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index aa54d3bbd..db928569f 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -23,6 +23,7 @@ #include +#include #include #include #include 
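Review bot: `status = (result < 400) ? SUCCESS : FAILED;` now treats 1xx and 3xx HTTP replies as success alongside the 0 that non-HTTP schemes report; unless CURLOPT_FOLLOWLOCATION is set elsewhere in this fetcher (not visible here), a redirect hands its HTML body to the caller as if it were the requested CRL or OCSP response. Keeping the HTTP range explicit while allowing the non-HTTP case, `status = (result == 0 || (result >= 200 && result < 300)) ? SUCCESS : FAILED;`, preserves the previous check for HTTP. The fetch method starts before the hunk.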
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c index 0e61086b1..2f9813701 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.c +++ b/src/libstrongswan/plugins/openssl/openssl_util.c @@ -18,6 +18,7 @@ #include +#include #include #include diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index f7ac347d2..01d0495be 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -356,6 +356,7 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name, { plugin_entry_t *entry; void *handle; + int flag = RTLD_LAZY; switch (create_plugin(this, RTLD_DEFAULT, name, FALSE, critical, &entry)) { @@ -380,15 +381,19 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name, return NULL; } } - handle = dlopen(file, RTLD_LAZY + if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", + lib->ns, FALSE)) + { + flag = RTLD_NOW; + } #ifdef RTLD_NODELETE - /* if supported, do not unload library when unloading a plugin. It really - * doesn't matter in productive systems, but causes many (dependency) - * library reloads during unit tests. Some libraries can't handle that, + /* If supported, do not unload the library when unloading a plugin. It + * really doesn't matter in productive systems, but causes many (dependency) + * library reloads during unit tests. Some libraries can't handle that, e.g. * GnuTLS leaks file descriptors in its library load/unload functions. */ - | RTLD_NODELETE + flag |= RTLD_NODELETE; #endif - ); + handle = dlopen(file, flag); if (handle == NULL) { DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror()); diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c index 36d5446b8..177b3c2e5 100644 --- a/src/libstrongswan/plugins/random/random_rng.c 
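Review bot: The new `%s.dlopen_use_rtld_now` setting is read here but nothing in this patch documents it; the strongswan.conf option should be described (default FALSE; effect: resolve all plugin symbols at load time so a missing symbol fails the plugin load rather than aborting on first use). A comment above the get_bool call, `/* RTLD_NOW surfaces unresolved symbols at load time instead of on first use */`, would also explain why the flag exists. load_plugin starts before the hunk.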
+++ b/src/libstrongswan/plugins/random/random_rng.c @@ -56,6 +56,7 @@ METHOD(rng_t, get_bytes, bool, DBG1(DBG_LIB, "reading from random FD %d failed: %s, retrying...", this->fd, strerror(errno)); sleep(1); + continue; } done += got; } diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index 9fd5b2a22..fdcb9902b 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -367,7 +367,7 @@ static certificate_t* fetch_crl(char *url) return NULL; } crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, - BUILD_BLOB_ASN1_DER, chunk, BUILD_END); + BUILD_BLOB_PEM, chunk, BUILD_END); chunk_free(&chunk); if (!crl) { diff --git a/src/libstrongswan/plugins/sha3/Makefile.am b/src/libstrongswan/plugins/sha3/Makefile.am new file mode 100644 index 000000000..7ccf58ce6 --- /dev/null +++ b/src/libstrongswan/plugins/sha3/Makefile.am @@ -0,0 +1,16 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-sha3.la +else +plugin_LTLIBRARIES = libstrongswan-sha3.la +endif + +libstrongswan_sha3_la_SOURCES = \ + sha3_plugin.h sha3_plugin.c sha3_hasher.c sha3_hasher.h + +libstrongswan_sha3_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/sha3/Makefile.in b/src/libstrongswan/plugins/sha3/Makefile.in new file mode 100644 index 000000000..3034ea537 --- /dev/null +++ b/src/libstrongswan/plugins/sha3/Makefile.in 
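Review bot: The added `continue;` stops a failed read from being added to done, but the retry is still unbounded: a persistent error (for example a descriptor closed underneath the daemon) keeps get_bytes looping with one-second sleeps and a DBG1 line per pass, so it never returns FALSE. A bounded retry — count attempts and return FALSE after a few — lets callers fail closed rather than hang. The condition guarding this branch is above the hunk, so whether a zero-byte read is also treated as an error cannot be told from here; the method starts before the hunk.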
@@ -0,0 +1,774 @@ +# Makefile.in generated by automake 1.14.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = 
$(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/sha3 +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { 
files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_sha3_la_LIBADD = +am_libstrongswan_sha3_la_OBJECTS = sha3_plugin.lo sha3_hasher.lo +libstrongswan_sha3_la_OBJECTS = $(am_libstrongswan_sha3_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_sha3_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_sha3_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_sha3_la_rpath = -rpath $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_sha3_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
\ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_sha3_la_SOURCES) +DIST_SOURCES = $(libstrongswan_sha3_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ 
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ 
+h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = 
@systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sha3.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sha3.la +libstrongswan_sha3_la_SOURCES = \ + sha3_plugin.h sha3_plugin.c sha3_hasher.c sha3_hasher.h + +libstrongswan_sha3_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/sha3/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/sha3/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f 
"$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-sha3.la: $(libstrongswan_sha3_la_OBJECTS) $(libstrongswan_sha3_la_DEPENDENCIES) $(EXTRA_libstrongswan_sha3_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_sha3_la_LINK) $(am_libstrongswan_sha3_la_rpath) $(libstrongswan_sha3_la_OBJECTS) $(libstrongswan_sha3_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha3_hasher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha3_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 
's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 
's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean 
maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/sha3/sha3_hasher.c b/src/libstrongswan/plugins/sha3/sha3_hasher.c new file mode 100644 index 000000000..b34a02594 --- /dev/null +++ b/src/libstrongswan/plugins/sha3/sha3_hasher.c 
@@ -0,0 +1,527 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Based on the implementation by the Keccak, Keyak and Ketje Teams, namely, + * Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche and + * Ronny Van Keer, hereby denoted as "the implementer". + * + * To the extent possible under law, the implementer has waived all copyright + * and related or neighboring rights to the source code in this file. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +#include + +#include "sha3_hasher.h" + +typedef struct private_sha3_hasher_t private_sha3_hasher_t; + +#define KECCAK_STATE_SIZE 200 /* bytes */ +#define KECCAK_MAX_RATE 144 /* bytes */ +#define DELIMITED_SUFFIX 0x06 + +static const uint64_t round_constants[] = { + 0x0000000000000001ULL, + 0x0000000000008082ULL, + 0x800000000000808aULL, + 0x8000000080008000ULL, + 0x000000000000808bULL, + 0x0000000080000001ULL, + 0x8000000080008081ULL, + 0x8000000000008009ULL, + 0x000000000000008aULL, + 0x0000000000000088ULL, + 0x0000000080008009ULL, + 0x000000008000000aULL, + 0x000000008000808bULL, + 0x800000000000008bULL, + 0x8000000000008089ULL, + 0x8000000000008003ULL, + 0x8000000000008002ULL, + 0x8000000000000080ULL, + 0x000000000000800aULL, + 0x800000008000000aULL, + 0x8000000080008081ULL, + 0x8000000000008080ULL, + 0x0000000080000001ULL, + 0x8000000080008008ULL +}; + +/** + * Private data structure with hashing context for SHA-3 + */ +struct private_sha3_hasher_t { + + /** + * Public interface for this hasher. 
+ */ + sha3_hasher_t public; + + /** + * SHA-3 algorithm to be used + */ + hash_algorithm_t algorithm; + + /** + * Internal state of 1600 bits as defined by FIPS-202 + */ + uint8_t state[KECCAK_STATE_SIZE]; + + /** + * Rate in bytes + */ + u_int rate; + + /** + * Rate input buffer + */ + uint8_t rate_buffer[KECCAK_MAX_RATE]; + + /** + * Index pointing to the current position in the rate buffer + */ + u_int rate_index; + +}; + +#if BYTE_ORDER != LITTLE_ENDIAN +/** + * Function to load a 64-bit value using the little-endian (LE) convention. + * On a LE platform, this could be greatly simplified using a cast. + */ +static uint64_t load64(const uint8_t *x) +{ + int i; + uint64_t u = 0; + + for (i = 7; i >= 0; --i) + { + u <<= 8; + u |= x[i]; + } + return u; +} + +/** + * Function to store a 64-bit value using the little-endian (LE) convention. + * On a LE platform, this could be greatly simplified using a cast. + */ +static void store64(uint8_t *x, uint64_t u) +{ + u_int i; + + for (i = 0; i < 8; ++i) + { + x[i] = u; + u >>= 8; + } +} + +/** + * Function to XOR into a 64-bit value using the little-endian (LE) convention. + * On a LE platform, this could be greatly simplified using a cast. + */ +static void xor64(uint8_t *x, uint64_t u) +{ + u_int i; + + for (i = 0; i < 8; ++i) + { + x[i] ^= u; + u >>= 8; + } +} +#endif + +/** + * Some macros used by the Keccak-f[1600] permutation. 
+ */ +#define ROL64(a, offset) ((((uint64_t)a) << offset) ^ (((uint64_t)a) >> (64-offset))) + +#if BYTE_ORDER == LITTLE_ENDIAN + #define readLane(i) (((uint64_t*)state)[i]) + #define writeLane(i, lane) (((uint64_t*)state)[i]) = (lane) + #define XORLane(i, lane) (((uint64_t*)state)[i]) ^= (lane) +#elif BYTE_ORDER == BIG_ENDIAN + #define readLane(i) load64((uint8_t*)state+sizeof(uint64_t)*i)) + #define writeLane(i, lane) store64((uint8_t*)state+sizeof(uint64_t)*i, lane) + #define XORLane(i, lane) xor64((uint8_t*)state+sizeof(uint64_t)*i, lane) +#endif + +/** + * Function that computes the Keccak-f[1600] permutation on the given state. + */ +static void keccak_f1600_state_permute(void *state) +{ + int round; + + for (round = 0; round < 24; round++) + { + { /* θ step (see [Keccak Reference, Section 2.3.2]) */ + + uint64_t C[5], D; + + /* Compute the parity of the columns */ + C[0] = readLane(0) ^ readLane( 5) ^ readLane(10) + ^ readLane(15) ^ readLane(20); + C[1] = readLane(1) ^ readLane( 6) ^ readLane(11) + ^ readLane(16) ^ readLane(21); + C[2] = readLane(2) ^ readLane( 7) ^ readLane(12) + ^ readLane(17) ^ readLane(22); + C[3] = readLane(3) ^ readLane( 8) ^ readLane(13) + ^ readLane(18) ^ readLane(23); + C[4] = readLane(4) ^ readLane( 9) ^ readLane(14) + ^ readLane(19) ^ readLane(24); + + /* Compute and add the θ effect to the whole column */ + D = C[4] ^ ROL64(C[1], 1); + XORLane( 0, D); + XORLane( 5, D); + XORLane(10, D); + XORLane(15, D); + XORLane(20, D); + + D = C[0] ^ ROL64(C[2], 1); + XORLane( 1, D); + XORLane( 6, D); + XORLane(11, D); + XORLane(16, D); + XORLane(21, D); + + D = C[1] ^ ROL64(C[3], 1); + XORLane( 2, D); + XORLane( 7, D); + XORLane(12, D); + XORLane(17, D); + XORLane(22, D); + + D = C[2] ^ ROL64(C[4], 1); + XORLane( 3, D); + XORLane( 8, D); + XORLane(13, D); + XORLane(18, D); + XORLane(23, D); + + D = C[3] ^ ROL64(C[0], 1); + XORLane( 4, D); + XORLane( 9, D); + XORLane(14, D); + XORLane(19, D); + XORLane(24, D); + } + + { /* ρ and π steps (see 
[Keccak Reference, Sections 2.3.3 and 2.3.4]) */ + + uint64_t t1, t2; + + t1 = readLane( 1); + + t2 = readLane(10); + writeLane(10, ROL64(t1, 1)); + + t1 = readLane( 7); + writeLane( 7, ROL64(t2, 3)); + + t2 = readLane(11); + writeLane(11, ROL64(t1, 6)); + + t1 = readLane(17); + writeLane(17, ROL64(t2, 10)); + + t2 = readLane(18); + writeLane(18, ROL64(t1, 15)); + + t1 = readLane( 3); + writeLane( 3, ROL64(t2, 21)); + + t2 = readLane( 5); + writeLane( 5, ROL64(t1, 28)); + + t1 = readLane(16); + writeLane(16, ROL64(t2, 36)); + + t2 = readLane( 8); + writeLane( 8, ROL64(t1, 45)); + + t1 = readLane(21); + writeLane(21, ROL64(t2, 55)); + + t2 = readLane(24); + writeLane(24, ROL64(t1, 2)); + + t1 = readLane( 4); + writeLane( 4, ROL64(t2, 14)); + + t2 = readLane(15); + writeLane(15, ROL64(t1, 27)); + + t1 = readLane(23); + writeLane(23, ROL64(t2, 41)); + + t2 = readLane(19); + writeLane(19, ROL64(t1, 56)); + + t1 = readLane(13); + writeLane(13, ROL64(t2, 8)); + + t2 = readLane(12); + writeLane(12, ROL64(t1, 25)); + + t1 = readLane( 2); + writeLane( 2, ROL64(t2, 43)); + + t2 = readLane(20); + writeLane(20, ROL64(t1, 62)); + + t1 = readLane(14); + writeLane(14, ROL64(t2, 18)); + + t2 = readLane(22); + writeLane(22, ROL64(t1, 39)); + + t1 = readLane( 9); + writeLane( 9, ROL64(t2, 61)); + + t2 = readLane( 6); + writeLane( 6, ROL64(t1, 20)); + + writeLane( 1, ROL64(t2, 44)); + } + + { /* χ step (see [Keccak Reference, Section 2.3.1]) */ + + uint64_t t[5]; + + t[0] = readLane(0); + t[1] = readLane(1); + t[2] = readLane(2); + t[3] = readLane(3); + t[4] = readLane(4); + + writeLane(0, t[0] ^ ((~t[1]) & t[2])); + writeLane(1, t[1] ^ ((~t[2]) & t[3])); + writeLane(2, t[2] ^ ((~t[3]) & t[4])); + writeLane(3, t[3] ^ ((~t[4]) & t[0])); + writeLane(4, t[4] ^ ((~t[0]) & t[1])); + + t[0] = readLane(5); + t[1] = readLane(6); + t[2] = readLane(7); + t[3] = readLane(8); + t[4] = readLane(9); + + writeLane(5, t[0] ^ ((~t[1]) & t[2])); + writeLane(6, t[1] ^ ((~t[2]) & t[3])); + writeLane(7, 
t[2] ^ ((~t[3]) & t[4])); + writeLane(8, t[3] ^ ((~t[4]) & t[0])); + writeLane(9, t[4] ^ ((~t[0]) & t[1])); + + t[0] = readLane(10); + t[1] = readLane(11); + t[2] = readLane(12); + t[3] = readLane(13); + t[4] = readLane(14); + + writeLane(10, t[0] ^ ((~t[1]) & t[2])); + writeLane(11, t[1] ^ ((~t[2]) & t[3])); + writeLane(12, t[2] ^ ((~t[3]) & t[4])); + writeLane(13, t[3] ^ ((~t[4]) & t[0])); + writeLane(14, t[4] ^ ((~t[0]) & t[1])); + + t[0] = readLane(15); + t[1] = readLane(16); + t[2] = readLane(17); + t[3] = readLane(18); + t[4] = readLane(19); + + writeLane(15, t[0] ^ ((~t[1]) & t[2])); + writeLane(16, t[1] ^ ((~t[2]) & t[3])); + writeLane(17, t[2] ^ ((~t[3]) & t[4])); + writeLane(18, t[3] ^ ((~t[4]) & t[0])); + writeLane(19, t[4] ^ ((~t[0]) & t[1])); + + t[0] = readLane(20); + t[1] = readLane(21); + t[2] = readLane(22); + t[3] = readLane(23); + t[4] = readLane(24); + + writeLane(20, t[0] ^ ((~t[1]) & t[2])); + writeLane(21, t[1] ^ ((~t[2]) & t[3])); + writeLane(22, t[2] ^ ((~t[3]) & t[4])); + writeLane(23, t[3] ^ ((~t[4]) & t[0])); + writeLane(24, t[4] ^ ((~t[0]) & t[1])); + } + + { /* ι step (see [Keccak Reference, Section 2.3.5]) */ + + XORLane(0, round_constants[round]); + } + } +} + +METHOD(hasher_t, reset, bool, + private_sha3_hasher_t *this) +{ + memset(this->state, 0x00, KECCAK_STATE_SIZE); + this->rate_index = 0; + + return TRUE; +} + +METHOD(hasher_t, get_hash_size, size_t, + private_sha3_hasher_t *this) +{ + switch (this->algorithm) + { + case HASH_SHA3_224: + return HASH_SIZE_SHA224; + case HASH_SHA3_256: + return HASH_SIZE_SHA256; + case HASH_SHA3_384: + return HASH_SIZE_SHA384; + case HASH_SHA3_512: + return HASH_SIZE_SHA512; + default: + return 0; + } +} + +static void sha3_absorb(private_sha3_hasher_t *this, chunk_t data) +{ + uint64_t *buffer_lanes, *state_lanes; + size_t len, rate_lanes; + int i; + + buffer_lanes = (uint64_t*)this->rate_buffer; + state_lanes = (uint64_t*)this->state; + rate_lanes = this->rate / sizeof(uint64_t); + + while 
(data.len) + { + len = min(data.len, this->rate - this->rate_index); + memcpy(this->rate_buffer + this->rate_index, data.ptr, len); + this->rate_index += len; + data.ptr += len; + data.len -= len; + + if (this->rate_index == this->rate) + { + for (i = 0; i < rate_lanes; i++) + { + state_lanes[i] ^= buffer_lanes[i]; + } + this->rate_index = 0; + + keccak_f1600_state_permute(this->state); + } + } +} + +static void sha3_final(private_sha3_hasher_t *this) +{ + uint64_t *buffer_lanes, *state_lanes; + size_t rate_lanes, remainder; + int i; + + /* Add the delimitedSuffix as the first bit of padding */ + this->rate_buffer[this->rate_index++] = DELIMITED_SUFFIX; + + buffer_lanes = (uint64_t*)this->rate_buffer; + state_lanes = (uint64_t*)this->state; + rate_lanes = this->rate_index / sizeof(uint64_t); + + remainder = this->rate_index - rate_lanes * sizeof(uint64_t); + if (remainder) + { + memset(this->rate_buffer + this->rate_index, 0x00, + sizeof(uint64_t) - remainder); + rate_lanes++; + } + for (i = 0; i < rate_lanes; i++) + { + state_lanes[i] ^= buffer_lanes[i]; + } + + /* Add the second bit of padding */ + this->state[this->rate - 1] ^= 0x80; + + /* Switch to the squeezing phase */ + keccak_f1600_state_permute(this->state); +} + +METHOD(hasher_t, get_hash, bool, + private_sha3_hasher_t *this, chunk_t chunk, uint8_t *buffer) +{ + sha3_absorb(this, chunk); + + if (buffer != NULL) + { + sha3_final(this); + memcpy(buffer, this->state, get_hash_size(this)); + reset(this); + } + return TRUE; +} + +METHOD(hasher_t, allocate_hash, bool, + private_sha3_hasher_t *this, chunk_t chunk, chunk_t *hash) +{ + chunk_t allocated_hash; + + sha3_absorb(this, chunk); + + if (hash != NULL) + { + sha3_final(this); + allocated_hash = chunk_alloc(get_hash_size(this)); + memcpy(allocated_hash.ptr, this->state, allocated_hash.len); + reset(this); + *hash = allocated_hash; + } + return TRUE; +} + +METHOD(hasher_t, destroy, void, + sha3_hasher_t *this) +{ + free(this); +} + +/* + * Described in 
header. + */ +sha3_hasher_t *sha3_hasher_create(hash_algorithm_t algorithm) +{ + private_sha3_hasher_t *this; + + switch (algorithm) + { + case HASH_SHA3_224: + case HASH_SHA3_256: + case HASH_SHA3_384: + case HASH_SHA3_512: + break; + default: + return NULL; + } + + INIT(this, + .public = { + .hasher_interface = { + .reset = _reset, + .get_hash_size = _get_hash_size, + .get_hash = _get_hash, + .allocate_hash = _allocate_hash, + .destroy = _destroy, + }, + }, + .algorithm = algorithm, + ); + + this->rate = KECCAK_STATE_SIZE - 2*get_hash_size(this); + reset(this); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/sha3/sha3_hasher.h b/src/libstrongswan/plugins/sha3/sha3_hasher.h new file mode 100644 index 000000000..2f18d35b0 --- /dev/null +++ b/src/libstrongswan/plugins/sha3/sha3_hasher.h 
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sha3_hasher sha3_hasher
+ * @{ @ingroup sha3_p
+ */
+
+#ifndef SHA3_HASHER_H_
+#define SHA3_HASHER_H_
+
+typedef struct sha3_hasher_t sha3_hasher_t;
+
+#include 
+
+/**
+ * Implementation of hasher_t interface using the SHA-3 algorithm family
+ * SHA3_224, SHA3_256, SHA3_384 and SHA3_512 as defined by FIPS-202.
+ */
+struct sha3_hasher_t {
+
+	/**
+	 * Generic hasher_t interface for this hasher.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Creates a new sha3_hasher_t.
+ *
+ * @param algorithm HASH3_224, HASH_SHA3_256, HASH_SHA3_384 or HASH_SHA3_512
+ * @return sha3_hasher_t object, NULL if not supported
+ */
+sha3_hasher_t *sha3_hasher_create(hash_algorithm_t algorithm);
+
+#endif /** SHA3_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/sha3/sha3_plugin.c b/src/libstrongswan/plugins/sha3/sha3_plugin.c
new file mode 100644
index 000000000..28068f38e
--- /dev/null
+++ b/src/libstrongswan/plugins/sha3/sha3_plugin.c
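Review bot: The `@param algorithm` line in the doc comment of `sha3_hasher_create()` names `HASH3_224`, which is not a value of `hash_algorithm_t`; the other three entries are spelled `HASH_SHA3_*`, and the constructor's switch accepts `HASH_SHA3_224`. Change the line to `@param algorithm HASH_SHA3_224, HASH_SHA3_256, HASH_SHA3_384 or HASH_SHA3_512` so the header matches the enum a caller has to pass. The `@return` line could also spell out the failure mode the implementation actually has, e.g. `@return sha3_hasher_t object, NULL if algorithm is not one of the four SHA-3 sizes`.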
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "sha3_plugin.h"
+
+#include 
+#include "sha3_hasher.h"
+
+typedef struct private_sha3_plugin_t private_sha3_plugin_t;
+
+/**
+ * private data of sha3_plugin
+ */
+struct private_sha3_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	sha3_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_sha3_plugin_t *this)
+{
+	return "sha3";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_sha3_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(HASHER, sha3_hasher_create),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_224),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_256),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_384),
+			PLUGIN_PROVIDE(HASHER, HASH_SHA3_512),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_sha3_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *sha3_plugin_create()
+{
+	private_sha3_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libstrongswan/plugins/sha3/sha3_plugin.h b/src/libstrongswan/plugins/sha3/sha3_plugin.h
new file mode 100644
index 000000000..09c8e5d81
--- /dev/null
+++ b/src/libstrongswan/plugins/sha3/sha3_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sha3_p sha3
+ * @ingroup plugins
+ *
+ * @defgroup sha3_plugin sha3_plugin
+ * @{ @ingroup sha3_p
+ */
+
+#ifndef SHA3_PLUGIN_H_
+#define SHA3_PLUGIN_H_
+
+#include 
+
+typedef struct sha3_plugin_t sha3_plugin_t;
+
+/**
+ * Plugin implementing the SHA356, SHA384 and SHA512 algorithms in software.
+ */
+struct sha3_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** SHA3_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 72ba4ceef..ab540e78e 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -40,6 +40,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/sha1_hmac.c \
 	test_vectors/sha2.c \
 	test_vectors/sha2_hmac.c \
+	test_vectors/sha3.c \
 	test_vectors/fips_prf.c \
 	test_vectors/modp.c \
 	test_vectors/modpsub.c \
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index fa7c3cb82..100f3b15a 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
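Review bot: The doc comment on `struct sha3_plugin_t` says the plugin implements "the SHA356, SHA384 and SHA512 algorithms", which does not describe this plugin: `get_features()` in sha3_plugin.c registers `HASH_SHA3_224`, `HASH_SHA3_256`, `HASH_SHA3_384` and `HASH_SHA3_512`, and "SHA356" is not an algorithm at all (this looks copied from a SHA-2 plugin header). Replace the line with ` * Plugin implementing the SHA3-224, SHA3-256, SHA3-384 and SHA3-512 hash algorithms in software.` so the Doxygen group page for `sha3_p` states what is actually provided.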
@@ -142,9 +142,10 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \ test_vectors/md2.lo test_vectors/md4.lo test_vectors/md5.lo \ test_vectors/md5_hmac.lo test_vectors/sha1.lo \ test_vectors/sha1_hmac.lo test_vectors/sha2.lo \ - test_vectors/sha2_hmac.lo test_vectors/fips_prf.lo \ - test_vectors/modp.lo test_vectors/modpsub.lo \ - test_vectors/ecp.lo test_vectors/ecpbp.lo test_vectors/rng.lo + test_vectors/sha2_hmac.lo test_vectors/sha3.lo \ + test_vectors/fips_prf.lo test_vectors/modp.lo \ + test_vectors/modpsub.lo test_vectors/ecp.lo \ + test_vectors/ecpbp.lo test_vectors/rng.lo libstrongswan_test_vectors_la_OBJECTS = \ $(am_libstrongswan_test_vectors_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) @@ -482,6 +483,7 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/sha1_hmac.c \ test_vectors/sha2.c \ test_vectors/sha2_hmac.c \ + test_vectors/sha3.c \ test_vectors/fips_prf.c \ test_vectors/modp.c \ test_vectors/modpsub.c \ @@ -632,6 +634,8 @@ test_vectors/sha2.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/sha2_hmac.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) +test_vectors/sha3.lo: test_vectors/$(am__dirstamp) \ + test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/fips_prf.lo: test_vectors/$(am__dirstamp) \ test_vectors/$(DEPDIR)/$(am__dirstamp) test_vectors/modp.lo: test_vectors/$(am__dirstamp) \ @@ -690,6 +694,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/sha1_hmac.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/sha2.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/sha2_hmac.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/sha3.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@test_vectors/$(DEPDIR)/twofish_cbc.Plo@am__quote@ .c.o: 
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h index 57c218c16..3ff211da8 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors.h +++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h @@ -184,6 +184,30 @@ TEST_VECTOR_HASHER(sha384_3) TEST_VECTOR_HASHER(sha512_1) TEST_VECTOR_HASHER(sha512_2) TEST_VECTOR_HASHER(sha512_3) +TEST_VECTOR_HASHER(sha3_224_0) +TEST_VECTOR_HASHER(sha3_256_0) +TEST_VECTOR_HASHER(sha3_384_0) +TEST_VECTOR_HASHER(sha3_512_0) +TEST_VECTOR_HASHER(sha3_224_1) +TEST_VECTOR_HASHER(sha3_256_1) +TEST_VECTOR_HASHER(sha3_384_1) +TEST_VECTOR_HASHER(sha3_512_1) +TEST_VECTOR_HASHER(sha3_224_2) +TEST_VECTOR_HASHER(sha3_256_2) +TEST_VECTOR_HASHER(sha3_384_2) +TEST_VECTOR_HASHER(sha3_512_2) +TEST_VECTOR_HASHER(sha3_224_143) +TEST_VECTOR_HASHER(sha3_256_135) +TEST_VECTOR_HASHER(sha3_384_103) +TEST_VECTOR_HASHER(sha3_512_71) +TEST_VECTOR_HASHER(sha3_224_144) +TEST_VECTOR_HASHER(sha3_256_136) +TEST_VECTOR_HASHER(sha3_384_104) +TEST_VECTOR_HASHER(sha3_512_72) +TEST_VECTOR_HASHER(sha3_224_255) +TEST_VECTOR_HASHER(sha3_256_255) +TEST_VECTOR_HASHER(sha3_384_255) +TEST_VECTOR_HASHER(sha3_512_255) TEST_VECTOR_PRF(aes_xcbc_p1) TEST_VECTOR_PRF(aes_xcbc_p2) diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c new file mode 100644 index 000000000..e659f66f4 --- /dev/null +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha3.c 
@@ -0,0 +1,328 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the Licenseor (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be usefulbut + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +/** + * SHA-3_224 vectors from "https://github.com/gvanas/KeccakCodePackage/" + */ +hasher_test_vector_t sha3_224_0 = { + .alg = HASH_SHA3_224, .len = 0, + .data = "", + .hash = "\x6B\x4E\x03\x42\x36\x67\xDB\xB7\x3B\x6E\x15\x45\x4F\x0E\xB1\xAB" + "\xD4\x59\x7F\x9A\x1B\x07\x8E\x3F\x5B\x5A\x6B\xC7" + +}; + +hasher_test_vector_t sha3_224_1 = { + .alg = HASH_SHA3_224, .len = 1, + .data = "\xCC", + .hash = "\xDF\x70\xAD\xC4\x9B\x2E\x76\xEE\xE3\xA6\x93\x1B\x93\xFA\x41\x84" + "\x1C\x3A\xF2\xCD\xF5\xB3\x2A\x18\xB5\x47\x8C\x39" +}; + +hasher_test_vector_t sha3_224_2 = { + .alg = HASH_SHA3_224, .len = 2, + .data = "\x41\xFB", + .hash = "\xBF\xF2\x95\x86\x1D\xAE\xDF\x33\xE7\x05\x19\xB1\xE2\xBC\xB4\xC2" + "\xE9\xFE\x33\x64\xD7\x89\xBC\x3B\x17\x30\x1C\x15" +}; + +hasher_test_vector_t sha3_224_143 = { + .alg = HASH_SHA3_224, .len = 143, + .data = "\xEA\x40\xE8\x3C\xB1\x8B\x3A\x24\x2C\x1E\xCC\x6C\xCD\x0B\x78\x53" + "\xA4\x39\xDA\xB2\xC5\x69\xCF\xC6\xDC\x38\xA1\x9F\x5C\x90\xAC\xBF" + "\x76\xAE\xF9\xEA\x37\x42\xFF\x3B\x54\xEF\x7D\x36\xEB\x7C\xE4\xFF" + "\x1C\x9A\xB3\xBC\x11\x9C\xFF\x6B\xE9\x3C\x03\xE2\x08\x78\x33\x35" + "\xC0\xAB\x81\x37\xBE\x5B\x10\xCD\xC6\x6F\xF3\xF8\x9A\x1B\xDD\xC6" + "\xA1\xEE\xD7\x4F\x50\x4C\xBE\x72\x90\x69\x0B\xB2\x95\xA8\x72\xB9" + "\xE3\xFE\x2C\xEE\x9E\x6C\x67\xC4\x1D\xB8\xEF\xD7\xD8\x63\xCF\x10" + 
"\xF8\x40\xFE\x61\x8E\x79\x36\xDA\x3D\xCA\x5C\xA6\xDF\x93\x3F\x24" + "\xF6\x95\x4B\xA0\x80\x1A\x12\x94\xCD\x8D\x7E\x66\xDF\xAF\xEC", + .hash = "\xAB\x0F\xD3\x08\x59\x05\x74\xD6\xF6\x13\x02\x32\xD9\xFA\xFA\x9F" + "\xFC\xFE\xA7\x85\x79\xA6\xA8\xF6\x7C\x59\x04\x20" +}; + +hasher_test_vector_t sha3_224_144 = { + .alg = HASH_SHA3_224, .len = 144, + .data = "\x15\x7D\x5B\x7E\x45\x07\xF6\x6D\x9A\x26\x74\x76\xD3\x38\x31\xE7" + "\xBB\x76\x8D\x4D\x04\xCC\x34\x38\xDA\x12\xF9\x01\x02\x63\xEA\x5F" + "\xCA\xFB\xDE\x25\x79\xDB\x2F\x6B\x58\xF9\x11\xD5\x93\xD5\xF7\x9F" + "\xB0\x5F\xE3\x59\x6E\x3F\xA8\x0F\xF2\xF7\x61\xD1\xB0\xE5\x70\x80" + "\x05\x5C\x11\x8C\x53\xE5\x3C\xDB\x63\x05\x52\x61\xD7\xC9\xB2\xB3" + "\x9B\xD9\x0A\xCC\x32\x52\x0C\xBB\xDB\xDA\x2C\x4F\xD8\x85\x6D\xBC" + "\xEE\x17\x31\x32\xA2\x67\x91\x98\xDA\xF8\x30\x07\xA9\xB5\xC5\x15" + "\x11\xAE\x49\x76\x6C\x79\x2A\x29\x52\x03\x88\x44\x4E\xBE\xFE\x28" + "\x25\x6F\xB3\x3D\x42\x60\x43\x9C\xBA\x73\xA9\x47\x9E\xE0\x0C\x63", + .hash = "\xD5\x13\x42\x00\xDC\x98\xF4\xCA\x48\x0C\xD2\x4D\x24\x49\x77\x37" + "\x25\x2B\x55\x97\x7A\xE5\xA8\x69\xBA\x27\x08\x9D" +}; + +hasher_test_vector_t sha3_224_255 = { + .alg = HASH_SHA3_224, .len = 255, + .data = "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B" + "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5" + "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A" + "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A" + "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD" + "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0" + "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE" + "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64" + "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5" + "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43" + "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4" + 
"\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D" + "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4" + "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08" + "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7" + "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1", + .hash = "\x94\x68\x9E\xA9\xF3\x47\xDD\xA8\xDD\x79\x8A\x85\x86\x05\x86\x87" + "\x43\xC6\xBD\x03\xA6\xA6\x5C\x60\x85\xD5\x2B\xED" +}; + +/** + * SHA-3_256 vectors from "https://github.com/gvanas/KeccakCodePackage/" + */ +hasher_test_vector_t sha3_256_0 = { + .alg = HASH_SHA3_256, .len = 0, + .data = "", + .hash = "\xA7\xFF\xC6\xF8\xBF\x1E\xD7\x66\x51\xC1\x47\x56\xA0\x61\xD6\x62" + "\xF5\x80\xFF\x4D\xE4\x3B\x49\xFA\x82\xD8\x0A\x4B\x80\xF8\x43\x4A" +}; + +hasher_test_vector_t sha3_256_1 = { + .alg = HASH_SHA3_256, .len = 1, + .data = "\xCC", + .hash = "\x67\x70\x35\x39\x1C\xD3\x70\x12\x93\xD3\x85\xF0\x37\xBA\x32\x79" + "\x62\x52\xBB\x7C\xE1\x80\xB0\x0B\x58\x2D\xD9\xB2\x0A\xAA\xD7\xF0" +}; + +hasher_test_vector_t sha3_256_2 = { + .alg = HASH_SHA3_256, .len = 2, + .data = "\x41\xFB", + .hash = "\x39\xF3\x1B\x6E\x65\x3D\xFC\xD9\xCA\xED\x26\x02\xFD\x87\xF6\x1B" + "\x62\x54\xF5\x81\x31\x2F\xB6\xEE\xEC\x4D\x71\x48\xFA\x2E\x72\xAA" +}; + +hasher_test_vector_t sha3_256_135 = { + .alg = HASH_SHA3_256, .len = 135, + .data = "\xB7\x71\xD5\xCE\xF5\xD1\xA4\x1A\x93\xD1\x56\x43\xD7\x18\x1D\x2A" + "\x2E\xF0\xA8\xE8\x4D\x91\x81\x2F\x20\xED\x21\xF1\x47\xBE\xF7\x32" + "\xBF\x3A\x60\xEF\x40\x67\xC3\x73\x4B\x85\xBC\x8C\xD4\x71\x78\x0F" + "\x10\xDC\x9E\x82\x91\xB5\x83\x39\xA6\x77\xB9\x60\x21\x8F\x71\xE7" + "\x93\xF2\x79\x7A\xEA\x34\x94\x06\x51\x28\x29\x06\x5D\x37\xBB\x55" + "\xEA\x79\x6F\xA4\xF5\x6F\xD8\x89\x6B\x49\xB2\xCD\x19\xB4\x32\x15" + "\xAD\x96\x7C\x71\x2B\x24\xE5\x03\x2D\x06\x52\x32\xE0\x2C\x12\x74" + "\x09\xD2\xED\x41\x46\xB9\xD7\x5D\x76\x3D\x52\xDB\x98\xD9\x49\xD3" + "\xB0\xFE\xD6\xA8\x05\x2F\xBB", + .hash = 
"\xA1\x9E\xEE\x92\xBB\x20\x97\xB6\x4E\x82\x3D\x59\x77\x98\xAA\x18" + "\xBE\x9B\x7C\x73\x6B\x80\x59\xAB\xFD\x67\x79\xAC\x35\xAC\x81\xB5" +}; + +hasher_test_vector_t sha3_256_136 = { + .alg = HASH_SHA3_256, .len = 136, + .data = "\xB3\x2D\x95\xB0\xB9\xAA\xD2\xA8\x81\x6D\xE6\xD0\x6D\x1F\x86\x00" + "\x85\x05\xBD\x8C\x14\x12\x4F\x6E\x9A\x16\x3B\x5A\x2A\xDE\x55\xF8" + "\x35\xD0\xEC\x38\x80\xEF\x50\x70\x0D\x3B\x25\xE4\x2C\xC0\xAF\x05" + "\x0C\xCD\x1B\xE5\xE5\x55\xB2\x30\x87\xE0\x4D\x7B\xF9\x81\x36\x22" + "\x78\x0C\x73\x13\xA1\x95\x4F\x87\x40\xB6\xEE\x2D\x3F\x71\xF7\x68" + "\xDD\x41\x7F\x52\x04\x82\xBD\x3A\x08\xD4\xF2\x22\xB4\xEE\x9D\xBD" + "\x01\x54\x47\xB3\x35\x07\xDD\x50\xF3\xAB\x42\x47\xC5\xDE\x9A\x8A" + "\xBD\x62\xA8\xDE\xCE\xA0\x1E\x3B\x87\xC8\xB9\x27\xF5\xB0\x8B\xEB" + "\x37\x67\x4C\x6F\x8E\x38\x0C\x04", + .hash = "\xDF\x67\x3F\x41\x05\x37\x9F\xF6\xB7\x55\xEE\xAB\x20\xCE\xB0\xDC" + "\x77\xB5\x28\x63\x64\xFE\x16\xC5\x9C\xC8\xA9\x07\xAF\xF0\x77\x32" +}; + +hasher_test_vector_t sha3_256_255 = { + .alg = HASH_SHA3_256, .len = 255, + .data = "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B" + "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5" + "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A" + "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A" + "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD" + "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0" + "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE" + "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64" + "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5" + "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43" + "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4" + "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D" + "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4" + 
"\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08" + "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7" + "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1", + .hash = "\xC1\x1F\x35\x22\xA8\xFB\x7B\x35\x32\xD8\x0B\x6D\x40\x02\x3A\x92" + "\xB4\x89\xAD\xDA\xD9\x3B\xF5\xD6\x4B\x23\xF3\x5E\x96\x63\x52\x1C" +}; + +/** + * SHA-3_384 vectors from "https://github.com/gvanas/KeccakCodePackage/" + */ +hasher_test_vector_t sha3_384_0 = { + .alg = HASH_SHA3_384, .len = 0, + .data = "", + .hash = "\x0C\x63\xA7\x5B\x84\x5E\x4F\x7D\x01\x10\x7D\x85\x2E\x4C\x24\x85" + "\xC5\x1A\x50\xAA\xAA\x94\xFC\x61\x99\x5E\x71\xBB\xEE\x98\x3A\x2A" + "\xC3\x71\x38\x31\x26\x4A\xDB\x47\xFB\x6B\xD1\xE0\x58\xD5\xF0\x04" +}; + +hasher_test_vector_t sha3_384_1 = { + .alg = HASH_SHA3_384, .len = 1, + .data = "\xCC", + .hash = "\x5E\xE7\xF3\x74\x97\x3C\xD4\xBB\x3D\xC4\x1E\x30\x81\x34\x67\x98" + "\x49\x7F\xF6\xE3\x6C\xB9\x35\x22\x81\xDF\xE0\x7D\x07\xFC\x53\x0C" + "\xA9\xAD\x8E\xF7\xAA\xD5\x6E\xF5\xD4\x1B\xE8\x3D\x5E\x54\x38\x07" +}; + +hasher_test_vector_t sha3_384_2 = { + .alg = HASH_SHA3_384, .len = 2, + .data = "\x41\xFB", + .hash = "\x1D\xD8\x16\x09\xDC\xC2\x90\xEF\xFD\x7A\xC0\xA9\x5D\x4A\x20\x82" + "\x15\x80\xE5\x6B\xD5\x0D\xBD\x84\x39\x20\x65\x0B\xE7\xA8\x0A\x17" + "\x19\x57\x7D\xA3\x37\xCF\xDF\x86\xE5\x1C\x76\x4C\xAA\x2E\x10\xBD" +}; + +hasher_test_vector_t sha3_384_103 = { + .alg = HASH_SHA3_384, .len = 103, + .data = "\xF1\x3C\x97\x2C\x52\xCB\x3C\xC4\xA4\xDF\x28\xC9\x7F\x2D\xF1\x1C" + "\xE0\x89\xB8\x15\x46\x6B\xE8\x88\x63\x24\x3E\xB3\x18\xC2\xAD\xB1" + "\xA4\x17\xCB\x10\x41\x30\x85\x98\x54\x17\x20\x19\x7B\x9B\x1C\xB5" + "\xBA\x23\x18\xBD\x55\x74\xD1\xDF\x21\x74\xAF\x14\x88\x41\x49\xBA" + "\x9B\x2F\x44\x6D\x60\x9D\xF2\x40\xCE\x33\x55\x99\x95\x7B\x8E\xC8" + "\x08\x76\xD9\xA0\x85\xAE\x08\x49\x07\xBC\x59\x61\xB2\x0B\xF5\xF6" + "\xCA\x58\xD5\xDA\xB3\x8A\xDB", + .hash = "\x0A\x83\x4E\x11\x1B\x4E\x84\x0E\x78\x7C\x19\x74\x84\x65\xA4\x7D" + 
"\x88\xB3\xF0\xF3\xDA\xAF\x15\xDB\x25\x53\x6B\xDC\x60\x78\xFA\x9C" + "\x05\xE6\xC9\x53\x83\x02\x74\x22\x39\x68\x84\x7D\xA8\xBF\xD2\x0D" +}; + +hasher_test_vector_t sha3_384_104 = { + .alg = HASH_SHA3_384, .len = 104, + .data = "\xE3\x57\x80\xEB\x97\x99\xAD\x4C\x77\x53\x5D\x4D\xDB\x68\x3C\xF3" + "\x3E\xF3\x67\x71\x53\x27\xCF\x4C\x4A\x58\xED\x9C\xBD\xCD\xD4\x86" + "\xF6\x69\xF8\x01\x89\xD5\x49\xA9\x36\x4F\xA8\x2A\x51\xA5\x26\x54" + "\xEC\x72\x1B\xB3\xAA\xB9\x5D\xCE\xB4\xA8\x6A\x6A\xFA\x93\x82\x6D" + "\xB9\x23\x51\x7E\x92\x8F\x33\xE3\xFB\xA8\x50\xD4\x56\x60\xEF\x83" + "\xB9\x87\x6A\xCC\xAF\xA2\xA9\x98\x7A\x25\x4B\x13\x7C\x6E\x14\x0A" + "\x21\x69\x1E\x10\x69\x41\x38\x48", + .hash = "\xD1\xC0\xFA\x85\xC8\xD1\x83\xBE\xFF\x99\xAD\x9D\x75\x2B\x26\x3E" + "\x28\x6B\x47\x7F\x79\xF0\x71\x0B\x01\x03\x17\x01\x73\x97\x81\x33" + "\x44\xB9\x9D\xAF\x3B\xB7\xB1\xBC\x5E\x8D\x72\x2B\xAC\x85\x94\x3A" +}; + +hasher_test_vector_t sha3_384_255 = { + .alg = HASH_SHA3_384, .len = 255, + .data = "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B" + "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5" + "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A" + "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A" + "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD" + "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0" + "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE" + "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64" + "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5" + "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43" + "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4" + "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D" + "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4" + "\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08" + 
"\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7" + "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1", + .hash = "\x12\x8D\xC6\x11\x76\x2B\xE9\xB1\x35\xB3\x73\x94\x84\xCF\xAA\xDC" + "\xA7\x48\x1D\x68\x51\x4F\x3D\xFD\x6F\x5D\x78\xBB\x18\x63\xAE\x68" + "\x13\x08\x35\xCD\xC7\x06\x1A\x7E\xD9\x64\xB3\x2F\x1D\xB7\x5E\xE1" +}; + +/** + * SHA-3_512 vectors from "https://github.com/gvanas/KeccakCodePackage/" + */ +hasher_test_vector_t sha3_512_0 = { + .alg = HASH_SHA3_512, .len = 0, + .data = "", + .hash = "\xA6\x9F\x73\xCC\xA2\x3A\x9A\xC5\xC8\xB5\x67\xDC\x18\x5A\x75\x6E" + "\x97\xC9\x82\x16\x4F\xE2\x58\x59\xE0\xD1\xDC\xC1\x47\x5C\x80\xA6" + "\x15\xB2\x12\x3A\xF1\xF5\xF9\x4C\x11\xE3\xE9\x40\x2C\x3A\xC5\x58" + "\xF5\x00\x19\x9D\x95\xB6\xD3\xE3\x01\x75\x85\x86\x28\x1D\xCD\x26" +}; + +hasher_test_vector_t sha3_512_1 = { + .alg = HASH_SHA3_512, .len = 1, + .data = "\xCC", + .hash = "\x39\x39\xFC\xC8\xB5\x7B\x63\x61\x25\x42\xDA\x31\xA8\x34\xE5\xDC" + "\xC3\x6E\x2E\xE0\xF6\x52\xAC\x72\xE0\x26\x24\xFA\x2E\x5A\xDE\xEC" + "\xC7\xDD\x6B\xB3\x58\x02\x24\xB4\xD6\x13\x87\x06\xFC\x6E\x80\x59" + "\x7B\x52\x80\x51\x23\x0B\x00\x62\x1C\xC2\xB2\x29\x99\xEA\xA2\x05" +}; + +hasher_test_vector_t sha3_512_2 = { + .alg = HASH_SHA3_512, .len = 2, + .data = "\x41\xFB", + .hash = "\xAA\x09\x28\x65\xA4\x06\x94\xD9\x17\x54\xDB\xC7\x67\xB5\x20\x2C" + "\x54\x6E\x22\x68\x77\x14\x7A\x95\xCB\x8B\x4C\x8F\x87\x09\xFE\x8C" + "\xD6\x90\x52\x56\xB0\x89\xDA\x37\x89\x6E\xA5\xCA\x19\xD2\xCD\x9A" + "\xB9\x4C\x71\x92\xFC\x39\xF7\xCD\x4D\x59\x89\x75\xA3\x01\x3C\x69" +}; + +hasher_test_vector_t sha3_512_71 = { + .alg = HASH_SHA3_512, .len = 71, + .data = "\x13\xBD\x28\x11\xF6\xED\x2B\x6F\x04\xFF\x38\x95\xAC\xEE\xD7\xBE" + "\xF8\xDC\xD4\x5E\xB1\x21\x79\x1B\xC1\x94\xA0\xF8\x06\x20\x6B\xFF" + "\xC3\xB9\x28\x1C\x2B\x30\x8B\x1A\x72\x9C\xE0\x08\x11\x9D\xD3\x06" + "\x6E\x93\x78\xAC\xDC\xC5\x0A\x98\xA8\x2E\x20\x73\x88\x00\xB6\xCD" + "\xDB\xE5\xFE\x96\x94\xAD\x6D", + .hash = 
"\xDE\xF4\xAB\x6C\xDA\x88\x39\x72\x9A\x03\xE0\x00\x84\x66\x04\xB1" + "\x7F\x03\xC5\xD5\xD7\xEC\x23\xC4\x83\x67\x0A\x13\xE1\x15\x73\xC1" + "\xE9\x34\x7A\x63\xEC\x69\xA5\xAB\xB2\x13\x05\xF9\x38\x2E\xCD\xAA" + "\xAB\xC6\x85\x0F\x92\x84\x0E\x86\xF8\x8F\x4D\xAB\xFC\xD9\x3C\xC0" +}; + +hasher_test_vector_t sha3_512_72 = { + .alg = HASH_SHA3_512, .len = 72, + .data = "\x1E\xED\x9C\xBA\x17\x9A\x00\x9E\xC2\xEC\x55\x08\x77\x3D\xD3\x05" + "\x47\x7C\xA1\x17\xE6\xD5\x69\xE6\x6B\x5F\x64\xC6\xBC\x64\x80\x1C" + "\xE2\x5A\x84\x24\xCE\x4A\x26\xD5\x75\xB8\xA6\xFB\x10\xEA\xD3\xFD" + "\x19\x92\xED\xDD\xEE\xC2\xEB\xE7\x15\x0D\xC9\x8F\x63\xAD\xC3\x23" + "\x7E\xF5\x7B\x91\x39\x7A\xA8\xA7", + .hash = "\xA3\xE1\x68\xB0\xD6\xC1\x43\xEE\x9E\x17\xEA\xE9\x29\x30\xB9\x7E" + "\x66\x00\x35\x6B\x73\xAE\xBB\x5D\x68\x00\x5D\xD1\xD0\x74\x94\x45" + "\x1A\x37\x05\x2F\x7B\x39\xFF\x03\x0C\x1A\xE1\xD7\xEF\xC4\xE0\xC3" + "\x66\x7E\xB7\xA7\x6C\x62\x7E\xC1\x43\x54\xC4\xF6\xA7\x96\xE2\xC6" +}; + +hasher_test_vector_t sha3_512_255 = { + .alg = HASH_SHA3_512, .len = 255, + .data = "\x3A\x3A\x81\x9C\x48\xEF\xDE\x2A\xD9\x14\xFB\xF0\x0E\x18\xAB\x6B" + "\xC4\xF1\x45\x13\xAB\x27\xD0\xC1\x78\xA1\x88\xB6\x14\x31\xE7\xF5" + "\x62\x3C\xB6\x6B\x23\x34\x67\x75\xD3\x86\xB5\x0E\x98\x2C\x49\x3A" + "\xDB\xBF\xC5\x4B\x9A\x3C\xD3\x83\x38\x23\x36\xA1\xA0\xB2\x15\x0A" + "\x15\x35\x8F\x33\x6D\x03\xAE\x18\xF6\x66\xC7\x57\x3D\x55\xC4\xFD" + "\x18\x1C\x29\xE6\xCC\xFD\xE6\x3E\xA3\x5F\x0A\xDF\x58\x85\xCF\xC0" + "\xA3\xD8\x4A\x2B\x2E\x4D\xD2\x44\x96\xDB\x78\x9E\x66\x31\x70\xCE" + "\xF7\x47\x98\xAA\x1B\xBC\xD4\x57\x4E\xA0\xBB\xA4\x04\x89\xD7\x64" + "\xB2\xF8\x3A\xAD\xC6\x6B\x14\x8B\x4A\x0C\xD9\x52\x46\xC1\x27\xD5" + "\x87\x1C\x4F\x11\x41\x86\x90\xA5\xDD\xF0\x12\x46\xA0\xC8\x0A\x43" + "\xC7\x00\x88\xB6\x18\x36\x39\xDC\xFD\xA4\x12\x5B\xD1\x13\xA8\xF4" + "\x9E\xE2\x3E\xD3\x06\xFA\xAC\x57\x6C\x3F\xB0\xC1\xE2\x56\x67\x1D" + "\x81\x7F\xC2\x53\x4A\x52\xF5\xB4\x39\xF7\x2E\x42\x4D\xE3\x76\xF4" + 
"\xC5\x65\xCC\xA8\x23\x07\xDD\x9E\xF7\x6D\xA5\xB7\xC4\xEB\x7E\x08" + "\x51\x72\xE3\x28\x80\x7C\x02\xD0\x11\xFF\xBF\x33\x78\x53\x78\xD7" + "\x9D\xC2\x66\xF6\xA5\xBE\x6B\xB0\xE4\xA9\x2E\xCE\xEB\xAE\xB1", + .hash = "\x6E\x8B\x8B\xD1\x95\xBD\xD5\x60\x68\x9A\xF2\x34\x8B\xDC\x74\xAB" + "\x7C\xD0\x5E\xD8\xB9\xA5\x77\x11\xE9\xBE\x71\xE9\x72\x6F\xDA\x45" + "\x91\xFE\xE1\x22\x05\xED\xAC\xAF\x82\xFF\xBB\xAF\x16\xDF\xF9\xE7" + "\x02\xA7\x08\x86\x20\x80\x16\x6C\x2F\xF6\xBA\x37\x9B\xC7\xFF\xC2" +}; + diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index eb5b01986..e32f8eefe 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -266,8 +266,8 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, scheme = SIGN_ECDSA_WITH_SHA1_DER; break; case KEY_BLISS: - oid = OID_BLISS_WITH_SHA512; - scheme = SIGN_BLISS_WITH_SHA512; + oid = OID_BLISS_WITH_SHA2_512; + scheme = SIGN_BLISS_WITH_SHA2_512; break; default: DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not " diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c index 668632459..a6298b394 100644 --- a/src/libstrongswan/selectors/traffic_selector.c +++ b/src/libstrongswan/selectors/traffic_selector.c @@ -219,9 +219,8 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, enumerator_t *enumerator; char from_str[INET6_ADDRSTRLEN] = ""; char to_str[INET6_ADDRSTRLEN] = ""; - char *serv_proto = NULL; - bool has_proto; - bool has_ports; + char *serv_proto = NULL, *sep = ""; + bool has_proto, has_ports; size_t written = 0; u_int32_t from[4], to[4]; 
@@ -235,8 +234,8 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 enumerator = list->create_enumerator(list);
 while (enumerator->enumerate(enumerator, (void**)&this))
 {
- /* call recursivly */
- written += print_in_hook(data, "%R ", this);
+ written += print_in_hook(data, "%s%R", sep, this);
+ sep = " ";
 }
 enumerator->destroy(enumerator);
 return written;
diff --git a/src/libstrongswan/settings/settings.c b/src/libstrongswan/settings/settings.c
index 305ebe620..56cc2f19b 100644
--- a/src/libstrongswan/settings/settings.c
+++ b/src/libstrongswan/settings/settings.c
@@ -537,6 +537,31 @@ METHOD(settings_t, get_int, int,
 return settings_value_as_int(value, def);
 }
 
+/**
+ * Described in header
+ */
+inline u_int64_t settings_value_as_uint64(char *value, u_int64_t def)
+{
+ u_int64_t intval;
+ char *end;
+ int base = 10;
+
+ if (value)
+ {
+ errno = 0;
+ if (value[0] == '0' && value[1] == 'x')
+ { /* manually detect 0x prefix as we want to avoid octal encoding */
+ base = 16;
+ }
+ intval = strtoull(value, &end, base);
+ if (errno == 0 && *end == 0 && end != value)
+ {
+ return intval;
+ }
+ }
+ return def;
+}
+
 /**
 * Described in header
 */
diff --git a/src/libstrongswan/settings/settings.h b/src/libstrongswan/settings/settings.h
index 4ef80d0f6..a133a3681 100644
--- a/src/libstrongswan/settings/settings.h
+++ b/src/libstrongswan/settings/settings.h
@@ -50,6 +50,15 @@ bool settings_value_as_bool(char *value, bool def);
 */
 int settings_value_as_int(char *value, int def);
 
+/**
+ * Convert a string value returned by a key/value enumerator to an u_int64_t.
+ *
+ * @see settings_t.create_key_value_enumerator()
+ * @param value the string value
+ * @param def the default value, if value is NULL or invalid
+ */
+u_int64_t settings_value_as_uint64(char *value, u_int64_t def);
+
 /**
 * Convert a string value returned by a key/value enumerator to a double.
 *
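Review bot: `settings_value_as_uint64` accepts negative input: `strtoull` consumes a leading `-` and negates the result in the unsigned type without setting errno, so `settings_value_as_uint64("-1", 0)` returns 18446744073709551615 instead of the default, and the `errno == 0 && *end == 0 && end != value` guard does not catch it. Rejecting a sign explicitly, e.g. `if (value && value[0] != '-')` in place of `if (value)`, would make such input fall through to `def`; since `strtoull` also skips leading whitespace and accepts `+`, applying the same check to the first non-space character would cover `" -1"` as well. A configuration value silently turning into the largest possible 64-bit number is the kind of limit a caller would not expect, so this deserves a case in the new test in test_settings.c too.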
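Review bot: The new doc comment for `settings_value_as_uint64()` does not say which formats are accepted or what is returned on success; the implementation in settings.c parses decimal, or hexadecimal when the string starts with `0x`, and deliberately does not treat a leading `0` as octal (`"010"` is 10, as the test in test_settings.c asserts). Suggest adding `@return the parsed value, or def if value is NULL or invalid` and a line `accepts decimal or 0x-prefixed hexadecimal, a leading 0 is not octal`, in the style of the surrounding declarations.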
diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
index 14cc32122..067abf0d9 100644
--- a/src/libstrongswan/tests/suites/test_hasher.c
+++ b/src/libstrongswan/tests/suites/test_hasher.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -28,30 +28,38 @@ typedef struct {
 }hasher_oid_t;
 
 static hasher_oid_t oids[] = {
- { OID_MD2, HASH_MD2, KEY_ANY },
- { OID_MD5, HASH_MD5, KEY_ANY },
- { OID_SHA1, HASH_SHA1, KEY_ANY },
- { OID_SHA224, HASH_SHA224, KEY_ANY },
- { OID_SHA256, HASH_SHA256, KEY_ANY },
- { OID_SHA384, HASH_SHA384, KEY_ANY },
- { OID_SHA512, HASH_SHA512, KEY_ANY },
- { OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },
- { OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA },
- { OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },
- { OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },
- { OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },
- { OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },
- { OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },
- { OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },
- { OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },
- { OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },
- { OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },
- { OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },
- { OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },
- { OID_BLISS_WITH_SHA256, HASH_SHA256, KEY_BLISS },
- { OID_BLISS_WITH_SHA384, HASH_SHA384, KEY_BLISS },
- { OID_BLISS_WITH_SHA512, HASH_SHA512, KEY_BLISS },
- { OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }
+ { OID_MD2, HASH_MD2, KEY_ANY }, /* 0 */
+ { OID_MD5, HASH_MD5, KEY_ANY }, /* 1 */
+ { OID_SHA1, HASH_SHA1, KEY_ANY }, /* 2 */
+ { OID_SHA224, HASH_SHA224, KEY_ANY }, /* 3 */
+ { OID_SHA256, HASH_SHA256, KEY_ANY }, /* 4 */
+ { OID_SHA384, HASH_SHA384, KEY_ANY }, /* 5 */
+ { OID_SHA512, HASH_SHA512, KEY_ANY }, /* 6 */
+ { OID_SHA3_224, HASH_SHA3_224, KEY_ANY }, /* 7 */
+ { OID_SHA3_256, HASH_SHA3_256, KEY_ANY }, /* 8 */
+ { OID_SHA3_384, HASH_SHA3_384, KEY_ANY }, /* 9 */
+ { OID_SHA3_512, HASH_SHA3_512, KEY_ANY }, /* 10 */
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY }, /* 11 */
+ { OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA }, /* 12 */
+ { OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA }, /* 13 */
+ { OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA }, /* 14 */
+ { OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA }, /* 15 */
+ { OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA }, /* 16 */
+ { OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA }, /* 17 */
+ { OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA }, /* 18 */
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA }, /* 19 */
+ { OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA }, /* 20 */
+ { OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA }, /* 21 */
+ { OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA }, /* 22 */
+ { OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA }, /* 23 */
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }, /* 24 */
+ { OID_BLISS_WITH_SHA2_256, HASH_SHA256, KEY_BLISS }, /* 25 */
+ { OID_BLISS_WITH_SHA2_384, HASH_SHA384, KEY_BLISS }, /* 26 */
+ { OID_BLISS_WITH_SHA2_512, HASH_SHA512, KEY_BLISS }, /* 27 */
+ { OID_BLISS_WITH_SHA3_256, HASH_SHA3_256, KEY_BLISS }, /* 28 */
+ { OID_BLISS_WITH_SHA3_384, HASH_SHA3_384, KEY_BLISS }, /* 29 */
+ { OID_BLISS_WITH_SHA3_512, HASH_SHA3_512, KEY_BLISS }, /* 30 */
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_BLISS } /* 31 */
 };
 
 START_TEST(test_hasher_from_oid)
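Review bot: The `/* N */` index comments added to `oids[]` exist only to keep the literal loop bounds in `hasher_suite_create()` (`0, 12` for "to_oid" and `11, countof(oids)` for "sig_to_oid" in the `@@ -169` hunk) aligned with the table; the next insertion into the KEY_ANY group means renumbering 30 comments and editing both bounds by hand, and a mismatch silently shifts the tested range rather than failing. A named constant next to the table, e.g. `#define OIDS_FIRST_WITH_KEY 11 /* index of { OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY } */`, used in both `tcase_add_loop_test` calls would give the split a single point of maintenance and make the comments unnecessary. The meaning of the two ranges (plain digest OIDs vs. signature OIDs) is also worth one comment above the table, since it is only implied by the bounds.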
@@ -73,6 +81,44 @@ START_TEST(test_hasher_sig_to_oid)
 }
 END_TEST
 
+typedef struct {
+ signature_scheme_t scheme;
+ hash_algorithm_t alg;
+}hasher_sig_scheme_t;
+
+static hasher_sig_scheme_t sig_schemes[] = {
+ { SIGN_UNKNOWN, HASH_UNKNOWN },
+ { SIGN_RSA_EMSA_PKCS1_NULL, HASH_UNKNOWN },
+ { SIGN_RSA_EMSA_PKCS1_MD5, HASH_MD5 },
+ { SIGN_RSA_EMSA_PKCS1_SHA1, HASH_SHA1 },
+ { SIGN_RSA_EMSA_PKCS1_SHA224, HASH_SHA224 },
+ { SIGN_RSA_EMSA_PKCS1_SHA256, HASH_SHA256 },
+ { SIGN_RSA_EMSA_PKCS1_SHA384, HASH_SHA384 },
+ { SIGN_RSA_EMSA_PKCS1_SHA512, HASH_SHA512 },
+ { SIGN_ECDSA_WITH_SHA1_DER, HASH_SHA1 },
+ { SIGN_ECDSA_WITH_SHA256_DER, HASH_SHA256 },
+ { SIGN_ECDSA_WITH_SHA384_DER, HASH_SHA384 },
+ { SIGN_ECDSA_WITH_SHA512_DER, HASH_SHA512 },
+ { SIGN_ECDSA_WITH_NULL, HASH_UNKNOWN },
+ { SIGN_ECDSA_256, HASH_SHA256 },
+ { SIGN_ECDSA_384, HASH_SHA384 },
+ { SIGN_ECDSA_521, HASH_SHA512 },
+ { SIGN_BLISS_WITH_SHA2_256, HASH_SHA256 },
+ { SIGN_BLISS_WITH_SHA2_384, HASH_SHA384 },
+ { SIGN_BLISS_WITH_SHA2_512, HASH_SHA512 },
+ { SIGN_BLISS_WITH_SHA3_256, HASH_SHA3_256 },
+ { SIGN_BLISS_WITH_SHA3_384, HASH_SHA3_384 },
+ { SIGN_BLISS_WITH_SHA3_512, HASH_SHA3_512 },
+ { 30, HASH_UNKNOWN }
+};
+
+START_TEST(test_hasher_from_sig_scheme)
+{
+ ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme) ==
+ sig_schemes[_i].alg);
+}
+END_TEST
+
 typedef struct {
 pseudo_random_function_t prf;
 hash_algorithm_t alg;
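Review bot: The last row `{ 30, HASH_UNKNOWN }` passes a bare integer as a `signature_scheme_t` with no comment that it is intended to lie outside the enum and check the fallback of `hasher_from_signature_scheme()`; if the enum ever grows to 30 values the row silently becomes a test of a real scheme with a wrong expectation. A comment such as `{ 30, HASH_UNKNOWN } /* out-of-range value, must map to HASH_UNKNOWN */`, or a value derived from the last enumerator (e.g. `SIGN_BLISS_WITH_SHA3_512 + 1`), would make the intent explicit and robust. The same applies to `{ 30, FALSE }` in the `ikev2[]` table of the `@@ -157` hunk.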
@@ -157,6 +203,35 @@ START_TEST(test_hasher_to_integrity)
 }
 END_TEST
 
+
+typedef struct {
+ hash_algorithm_t alg;
+ bool ikev2;
+}hasher_ikev2_t;
+
+static hasher_ikev2_t ikev2[] = {
+ { HASH_SHA1, TRUE },
+ { HASH_SHA256, TRUE },
+ { HASH_SHA384, TRUE },
+ { HASH_SHA512, TRUE },
+ { HASH_UNKNOWN, FALSE },
+ { HASH_MD2, FALSE },
+ { HASH_MD4, FALSE },
+ { HASH_MD5, FALSE },
+ { HASH_SHA224, FALSE },
+ { HASH_SHA3_224, FALSE },
+ { HASH_SHA3_256, FALSE },
+ { HASH_SHA3_384, FALSE },
+ { HASH_SHA3_512, FALSE },
+ { 30, FALSE }
+};
+
+START_TEST(test_hasher_for_ikev2)
+{
+ ck_assert(hasher_algorithm_for_ikev2(ikev2[_i].alg) == ikev2[_i].ikev2);
+}
+END_TEST
+
 Suite *hasher_suite_create()
 {
 Suite *s;
@@ -169,11 +244,15 @@ Suite *hasher_suite_create()
 suite_add_tcase(s, tc);
 
 tc = tcase_create("to_oid");
- tcase_add_loop_test(tc, test_hasher_to_oid, 0, 8);
+ tcase_add_loop_test(tc, test_hasher_to_oid, 0, 12);
 suite_add_tcase(s, tc);
 
 tc = tcase_create("sig_to_oid");
- tcase_add_loop_test(tc, test_hasher_sig_to_oid, 7, countof(oids));
+ tcase_add_loop_test(tc, test_hasher_sig_to_oid, 11, countof(oids));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("from_sig_scheme");
+ tcase_add_loop_test(tc, test_hasher_from_sig_scheme, 0, countof(sig_schemes));
 suite_add_tcase(s, tc);
 
 tc = tcase_create("from_prf");
@@ -188,5 +267,9 @@ Suite *hasher_suite_create()
 tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 17);
 suite_add_tcase(s, tc);
 
+ tc = tcase_create("for_ikev2");
+ tcase_add_loop_test(tc, test_hasher_for_ikev2, 0, countof(ikev2));
+ suite_add_tcase(s, tc);
+
 return s;
 }
diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
index ff14ba897..9554d2919 100644
--- a/src/libstrongswan/tests/suites/test_identification.c
+++ b/src/libstrongswan/tests/suites/test_identification.c
@@ -550,6 +550,7 @@ START_TEST(test_matches) a = identification_create_from_string("C=CH, E=moon@strongswan.org, CN=moon"); ck_assert(id_matches(a, "C=CH, E=moon@strongswan.org, CN=moon", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "C=CH, E=*@strongswan.org, CN=moon", ID_MATCH_NONE)); ck_assert(id_matches(a, "C=CH, E=*, CN=moon", ID_MATCH_ONE_WILDCARD)); ck_assert(id_matches(a, "C=CH, E=*, CN=*", ID_MATCH_ONE_WILDCARD - 1)); ck_assert(id_matches(a, "C=*, E=*, CN=*", ID_MATCH_ONE_WILDCARD - 2)); diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c index bead9d795..5ddd0bb9a 100644 --- a/src/libstrongswan/tests/suites/test_settings.c +++ b/src/libstrongswan/tests/suites/test_settings.c @@ -317,6 +317,26 @@ START_TEST(test_set_int) } END_TEST +START_TEST(test_value_as_unit64) +{ + test_int_eq(1, settings_value_as_uint64(NULL, 1)); + test_int_eq(1, settings_value_as_uint64("", 1)); + test_int_eq(1, settings_value_as_uint64("2a", 1)); + test_int_eq(1, settings_value_as_uint64("a2", 1)); + test_int_eq(1, settings_value_as_uint64("2.0", 1)); + + test_int_eq(10, settings_value_as_uint64("10", 0)); + test_int_eq(10, settings_value_as_uint64("010", 0)); + test_int_eq(16, settings_value_as_uint64("0x010", 0)); + test_int_eq(0x2a, settings_value_as_uint64("0x2a", 0)); + + test_int_eq(0xffffffffffffffffLL, settings_value_as_uint64("0xffffffffffffffff", 0)); + test_int_eq(0xffffffff00000000LL, settings_value_as_uint64("0xffffffff00000000", 0)); + test_int_eq(0xffffffff00000000LL, settings_value_as_uint64("18446744069414584320", 0)); + test_int_eq(0xffffffff00000001LL, settings_value_as_uint64("18446744069414584321", 0)); +} +END_TEST + START_SETUP(setup_double_config) { create_settings(chunk_from_str( 
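Review bot: The new test is named `test_value_as_unit64` (and registered under that name in the `@@ -1158` hunk of the same file) while the function under test is `settings_value_as_uint64`; renaming it `test_value_as_uint64` keeps failure output searchable. The cases also leave the sign handling of `strtoull` unexercised: `"-1"` is consumed and negated in the unsigned type without an error, so `settings_value_as_uint64("-1", 1)` currently yields 18446744073709551615, and a `test_int_eq(1, settings_value_as_uint64("-1", 1));` (plus a `" 10"` / `"+10"` variant) would pin whichever behaviour is intended. The `0xffffffffffffffffLL` literals carry a signed suffix for values above `LLONG_MAX` and only get `unsigned long long` through the rule for oversized hexadecimal constants; `ULL` says what is meant directly.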
@@ -1158,6 +1178,10 @@ Suite *settings_suite_create() tcase_add_test(tc, test_set_int); suite_add_tcase(s, tc); + tc = tcase_create("settings_value_as_uint64"); + tcase_add_test(tc, test_value_as_unit64); + suite_add_tcase(s, tc); + tc = tcase_create("get/set_double"); tcase_add_checked_fixture(tc, setup_double_config, teardown_config); tcase_add_test(tc, test_get_double); diff --git a/src/libstrongswan/tests/suites/test_traffic_selector.c b/src/libstrongswan/tests/suites/test_traffic_selector.c index bec32d2d8..5c0fb754d 100644 --- a/src/libstrongswan/tests/suites/test_traffic_selector.c +++ b/src/libstrongswan/tests/suites/test_traffic_selector.c @@ -770,17 +770,17 @@ START_TEST(test_printf_hook_hash) list = linked_list_create_with_items( traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535), NULL); - verify_list("10.1.0.0/16 ", NULL, list); + verify_list("10.1.0.0/16", NULL, list); list = linked_list_create_with_items( traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535), traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP, 1234, 1235), NULL); - verify_list("10.1.0.0/16 10.1.0.1/32[udp/1234-1235] ", "10.1.0.0/16 10.1.0.1/32[17/1234-1235] ", list); + verify_list("10.1.0.0/16 10.1.0.1/32[udp/1234-1235]", "10.1.0.0/16 10.1.0.1/32[17/1234-1235]", list); list = linked_list_create_with_items( traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535), traffic_selector_create_from_string(IPPROTO_UDP, TS_IPV4_ADDR_RANGE, "10.1.0.1", 1234, "10.1.0.99", 1235), NULL); - verify_list("10.1.0.0/16 10.1.0.1..10.1.0.99[udp/1234-1235] ", "10.1.0.0/16 10.1.0.1..10.1.0.99[17/1234-1235] ", list); + verify_list("10.1.0.0/16 10.1.0.1..10.1.0.99[udp/1234-1235]", "10.1.0.0/16 10.1.0.1..10.1.0.99[17/1234-1235]", list); } END_TEST diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c index b38f2cb52..104b0b2c0 100644 --- a/src/libstrongswan/tests/suites/test_utils.c 
+++ b/src/libstrongswan/tests/suites/test_utils.c
@@ -789,9 +789,9 @@ static struct {
 {KEY_ECDSA, 256, { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
 {KEY_ECDSA, 384, { SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
 {KEY_ECDSA, 512, { SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
- {KEY_BLISS, 128, { SIGN_BLISS_WITH_SHA256, SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
- {KEY_BLISS, 192, { SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
- {KEY_BLISS, 256, { SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
+ {KEY_BLISS, 128, { SIGN_BLISS_WITH_SHA2_256, SIGN_BLISS_WITH_SHA2_384, SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }},
+ {KEY_BLISS, 192, { SIGN_BLISS_WITH_SHA2_384, SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }},
+ {KEY_BLISS, 256, { SIGN_BLISS_WITH_SHA2_512, SIGN_UNKNOWN }},
 };
 
 START_TEST(test_signature_schemes_for_key)
diff --git a/src/libstrongswan/utils/compat/android.h b/src/libstrongswan/utils/compat/android.h
new file mode 100644
index 000000000..b3ea9c475
--- /dev/null
+++ b/src/libstrongswan/utils/compat/android.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2010-2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android android
+ * @{ @ingroup compat
+ */
+
+#ifndef ANDROID_H_
+#define ANDROID_H_
+
+/* stuff defined in AndroidConfig.h, which is included using the -include
+ * command-line option, thus cannot be undefined using -U CFLAGS options.
+ * the reason we have to undefine these flags in the first place, is that
+ * AndroidConfig.h defines them as 0, which in turn means that they are
+ * actually defined. */
+#undef HAVE_BACKTRACE
+
+#endif /** ANDROID_H_ @}*/
diff --git a/src/libstrongswan/utils/compat/windows.h b/src/libstrongswan/utils/compat/windows.h
index fd4f1f196..f7e6207a5 100644
--- a/src/libstrongswan/utils/compat/windows.h
+++ b/src/libstrongswan/utils/compat/windows.h
@@ -220,6 +220,11 @@ static inline int setenv(const char *name, const char *value, int overwrite)
 */
 #define RTLD_LAZY 1
 
+/**
+ * Immediate binding, ignored on Windows
+ */
+#define RTLD_NOW 2
+
 /**
 * Default handle targeting .exe
 */
diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c
index b4a4db802..47d72ee98 100644
--- a/src/libstrongswan/utils/utils.c
+++ b/src/libstrongswan/utils/utils.c
@@ -20,6 +20,7 @@
 #include
 #include
 #include
+#include
 #ifndef WIN32
 # include
 #endif
@@ -117,17 +118,35 @@ void wait_sigint() void wait_sigint() { sigset_t set; - int sig; sigemptyset(&set); sigaddset(&set, SIGINT); sigaddset(&set, SIGTERM); sigprocmask(SIG_BLOCK, &set, NULL); - sigwait(&set, &sig); + sigwaitinfo(&set, NULL); } -#endif +#ifndef HAVE_SIGWAITINFO +int sigwaitinfo(const sigset_t *set, void *info) +{ + int sig, err; + + if (info) + { /* we don't replicate siginfo_t, fail if anybody tries to use it */ + errno = EINVAL; + return -1; + } + err = sigwait(set, &sig); + if (err != 0) + { + errno = err; + sig = -1; + } + return sig; +} +#endif /* HAVE_SIGWAITINFO */ +#endif /* WIN32 */ #ifndef HAVE_CLOSEFROM /** diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h index acc15c42a..18b17b120 100644 --- a/src/libstrongswan/utils/utils.h +++ b/src/libstrongswan/utils/utils.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2014 Tobias Brunner + * Copyright (C) 2008-2015 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -38,6 +38,7 @@ # include # include # include +# include #endif #include "utils/types.h" @@ -56,6 +57,9 @@ #ifdef __APPLE__ # include "compat/apple.h" #endif +#ifdef __ANDROID__ +# include "compat/android.h" +#endif /** * Initialize utility functions @@ -148,6 +152,19 @@ void utils_deinit(); */ #define ignore_result(call) { if(call){}; } +#if !defined(HAVE_SIGWAITINFO) && !defined(WIN32) +/** + * Block and wait for a set of signals + * + * We don't replicate the functionality of siginfo_t. If info is not NULL + * -1 is returend and errno is set to EINVAL. + * + * @param set set of signals to wait for + * @param info must be NULL + */ +int sigwaitinfo(const sigset_t *set, void *info); +#endif + /** * Portable function to wait for SIGINT/SIGTERM (or equivalent). */ diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc.c b/src/libtnccs/plugins/tnc_imc/tnc_imc.c index 623da7f62..822df3f27 100644 --- a/src/libtnccs/plugins/tnc_imc/tnc_imc.c 
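Review bot: `wait_sigint()` discards the return value of `sigwaitinfo()`, which may fail with `EINTR` when a signal outside the set is delivered to a handler in this thread, whereas the replaced `sigwait()` did not return on interruption; the function would then return before SIGINT/SIGTERM has arrived and the caller would start its shutdown early. A retry loop, `while (sigwaitinfo(&set, NULL) == -1 && errno == EINTR);`, keeps the previous blocking semantics, and it also works with the fallback `sigwaitinfo()` added in the same hunk, which maps `sigwait` failures to `-1` with `errno` set. The fallback's `info` rejection is clearly commented; a matching one-line comment on the `sigwaitinfo(&set, NULL);` call (`/* sigwaitinfo over sigwait: ... */`) saying why the switch was made would help, since the hunk does not state the reason.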
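Review bot: In the doc comment of the new `sigwaitinfo()` prototype in utils.h (`@@ -148` hunk), `returend` should read `returned`, and the comment covers only the failure path. The shim in utils.c returns the number of the signal it received, so a `@return number of the signal caught, -1 on error with errno set` tag in the style of the neighbouring declarations would complete it.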
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc.c @@ -349,10 +349,16 @@ static private_tnc_imc_t* tnc_imc_create_empty(char *name) imc_t* tnc_imc_create(char *name, char *path) { private_tnc_imc_t *this; + int flag = RTLD_LAZY; this = tnc_imc_create_empty(name); - this->handle = dlopen(path, RTLD_LAZY); + if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", + lib->ns, FALSE)) + { + flag = RTLD_NOW; + } + this->handle = dlopen(path, flag); if (!this->handle) { DBG1(DBG_TNC, "IMC \"%s\" failed to load: %s", name, dlerror()); diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv.c b/src/libtnccs/plugins/tnc_imv/tnc_imv.c index 039f1fcf1..9a0304172 100644 --- a/src/libtnccs/plugins/tnc_imv/tnc_imv.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.c @@ -345,10 +345,16 @@ static private_tnc_imv_t* tnc_imv_create_empty(char *name) imv_t* tnc_imv_create(char *name, char *path) { private_tnc_imv_t *this; + int flag = RTLD_LAZY; this = tnc_imv_create_empty(name); - this->handle = dlopen(path, RTLD_LAZY); + if (lib->settings->get_bool(lib->settings, "%s.dlopen_use_rtld_now", + lib->ns, FALSE)) + { + flag = RTLD_NOW; + } + this->handle = dlopen(path, flag); if (!this->handle) { DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror()); diff --git a/src/medsrv/Makefile.am b/src/medsrv/Makefile.am index 94ab0cf67..bee7ae1f0 100644 --- a/src/medsrv/Makefile.am +++ b/src/medsrv/Makefile.am 
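Review bot: The `dlopen_use_rtld_now` lookup and the `flag` selection are pasted verbatim into `tnc_imc_create()` and `tnc_imv_create()` (second hunk on this line); a small shared helper returning the dlopen flags, or reading the setting once at plugin load, would keep the two copies from drifting and avoid a settings lookup for every module loaded. The option also gets no comment: what it buys is that `RTLD_NOW` resolves all symbols at load time, so a module with unresolved symbols fails in `dlopen()` and is reported by the existing `DBG1` line instead of failing later on first use, which is the safer default for externally supplied IMC/IMV modules; and on Windows `RTLD_NOW` is defined as a no-op in compat/windows.h (`@@ -220` hunk), so the setting has no effect there if this code is built for that platform. Both functions continue beyond the hunk.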
@@ -35,11 +35,11 @@ templates/peer/list.cs medsrv_templates_staticdir = ${medsrv_templatesdir}/static medsrv_templates_static_DATA = templates/header.cs templates/footer.cs \ templates/static/style.css templates/static/strongswan.png \ -templates/static/favicon.ico templates/static/mootools.js templates/static/script.js +templates/static/favicon.ico EXTRA_DIST = templates/header.cs templates/footer.cs \ templates/static/style.css templates/static/strongswan.png \ -templates/static/favicon.ico templates/static/mootools.js templates/static/script.js \ +templates/static/favicon.ico \ templates/peer/add.cs templates/peer/edit.cs templates/peer/list.cs \ templates/user/login.cs templates/user/add.cs templates/user/edit.cs \ templates/user/help.cs diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 7265457f1..42830e186 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -466,11 +466,11 @@ templates/peer/list.cs medsrv_templates_staticdir = ${medsrv_templatesdir}/static medsrv_templates_static_DATA = templates/header.cs templates/footer.cs \ templates/static/style.css templates/static/strongswan.png \ -templates/static/favicon.ico templates/static/mootools.js templates/static/script.js +templates/static/favicon.ico EXTRA_DIST = templates/header.cs templates/footer.cs \ templates/static/style.css templates/static/strongswan.png \ -templates/static/favicon.ico templates/static/mootools.js templates/static/script.js \ +templates/static/favicon.ico \ templates/peer/add.cs templates/peer/edit.cs templates/peer/list.cs \ templates/user/login.cs templates/user/add.cs templates/user/edit.cs \ templates/user/help.cs diff --git a/src/medsrv/templates/peer/add.cs b/src/medsrv/templates/peer/add.cs index 28a994f7f..27fdf0685 100644 --- a/src/medsrv/templates/peer/add.cs +++ b/src/medsrv/templates/peer/add.cs @@ -6,7 +6,7 @@ - + diff --git a/src/medsrv/templates/peer/edit.cs b/src/medsrv/templates/peer/edit.cs index 76fb9dafc..942762b49 100644 
--- a/src/medsrv/templates/peer/edit.cs +++ b/src/medsrv/templates/peer/edit.cs @@ -6,7 +6,7 @@
- + diff --git a/src/medsrv/templates/static/mootools.js b/src/medsrv/templates/static/mootools.js deleted file mode 100644 index d953a1c06..000000000 --- a/src/medsrv/templates/static/mootools.js +++ /dev/null 
@@ -1,341 +0,0 @@ -//MooTools, , My Object Oriented (JavaScript) Tools. Copyright (c) 2006-2008 Valerio Proietti, , MIT Style License. - -var MooTools={version:"1.2dev",build:""};var Native=function(J){J=J||{};var F=J.afterImplement||function(){};var G=J.generics;G=(G!==false);var H=J.legacy; -var E=J.initialize;var B=J.protect;var A=J.name;var C=E||H;C.constructor=Native;C.$family={name:"native"};if(H&&E){C.prototype=H.prototype;}C.prototype.constructor=C; -if(A){var D=A.toLowerCase();C.prototype.$family={name:D};Native.typize(C,D);}var I=function(M,K,N,L){if(!B||L||!M.prototype[K]){M.prototype[K]=N;}if(G){Native.genericize(M,K,B); -}F.call(M,K,N);return M;};C.implement=function(L,K,N){if(typeof L=="string"){return I(this,L,K,N);}for(var M in L){I(this,M,L[M],K);}return this;};C.alias=function(M,K,N){if(typeof M=="string"){M=this.prototype[M]; -if(M){I(this,K,M,N);}}else{for(var L in M){this.alias(L,M[L],K);}}return this;};return C;};Native.implement=function(D,C){for(var B=0,A=D.length;B-1:this.indexOf(A)>-1;},trim:function(){return this.replace(/^\s+|\s+$/g,"");},clean:function(){return this.replace(/\s+/g," ").trim(); -},camelCase:function(){return this.replace(/-\D/g,function(A){return A.charAt(1).toUpperCase();});},hyphenate:function(){return this.replace(/[A-Z]/g,function(A){return("-"+A.charAt(0).toLowerCase()); -});},capitalize:function(){return this.replace(/\b[a-z]/g,function(A){return A.toUpperCase();});},escapeRegExp:function(){return this.replace(/([-.*+?^${}()|[\]\/\\])/g,"\\$1"); -},toInt:function(A){return parseInt(this,A||10);},toFloat:function(){return parseFloat(this);},hexToRgb:function(B){var A=this.match(/^#?(\w{1,2})(\w{1,2})(\w{1,2})$/); -return(A)?A.slice(1).hexToRgb(B):null;},rgbToHex:function(B){var A=this.match(/\d{1,3}/g);return(A)?A.rgbToHex(B):null;},stripScripts:function(B){var A=""; -var 
C=this.replace(/]*>([\s\S]*?)<\/script>/gi,function(){A+=arguments[1]+"\n";return"";});if(B===true){$exec(A);}else{if($type(B)=="function"){B(A,C); -}}return C;},substitute:function(A,B){return this.replace(B||(/\\?\{([^}]+)\}/g),function(D,C){if(D.charAt(0)=="\\"){return D.slice(1);}return(A[C]!=undefined)?A[C]:""; -});}});Hash.implement({has:Object.prototype.hasOwnProperty,keyOf:function(B){for(var A in this){if(this.hasOwnProperty(A)&&this[A]===B){return A;}}return null; -},hasValue:function(A){return(Hash.keyOf(this,A)!==null);},extend:function(A){Hash.each(A,function(C,B){Hash.set(this,B,C);},this);return this;},combine:function(A){Hash.each(A,function(C,B){Hash.include(this,B,C); -},this);return this;},erase:function(A){if(this.hasOwnProperty(A)){delete this[A];}return this;},get:function(A){return(this.hasOwnProperty(A))?this[A]:null; -},set:function(A,B){if(!this[A]||this.hasOwnProperty(A)){this[A]=B;}return this;},empty:function(){Hash.each(this,function(B,A){delete this[A];},this); -return this;},include:function(B,C){var A=this[B];if(A==undefined){this[B]=C;}return this;},map:function(B,C){var A=new Hash;Hash.each(this,function(E,D){A.set(D,B.call(C,E,D,this)); -},this);return A;},filter:function(B,C){var A=new Hash;Hash.each(this,function(E,D){if(B.call(C,E,D,this)){A.set(D,E);}},this);return A;},every:function(B,C){for(var A in this){if(this.hasOwnProperty(A)&&!B.call(C,this[A],A)){return false; -}}return true;},some:function(B,C){for(var A in this){if(this.hasOwnProperty(A)&&B.call(C,this[A],A)){return true;}}return false;},getKeys:function(){var A=[]; -Hash.each(this,function(C,B){A.push(B);});return A;},getValues:function(){var A=[];Hash.each(this,function(B){A.push(B);});return A;},toQueryString:function(A){var B=[]; -Hash.each(this,function(F,E){if(A){E=A+"["+E+"]";}var D;switch($type(F)){case"object":D=Hash.toQueryString(F,E);break;case"array":var C={};F.each(function(H,G){C[G]=H; 
-});D=Hash.toQueryString(C,E);break;default:D=E+"="+encodeURIComponent(F);}if(F!=undefined){B.push(D);}});return B.join("&");}});Hash.alias({keyOf:"indexOf",hasValue:"contains"}); -var Event=new Native({name:"Event",initialize:function(A,F){F=F||window;var K=F.document;A=A||F.event;if(A.$extended){return A;}this.$extended=true;var J=A.type; -var G=A.target||A.srcElement;while(G&&G.nodeType==3){G=G.parentNode;}if(J.test(/key/)){var B=A.which||A.keyCode;var M=Event.Keys.keyOf(B);if(J=="keydown"){var D=B-111; -if(D>0&&D<13){M="f"+D;}}M=M||String.fromCharCode(B).toLowerCase();}else{if(J.match(/(click|mouse|menu)/i)){K=(!K.compatMode||K.compatMode=="CSS1Compat")?K.html:K.body; -var I={x:A.pageX||A.clientX+K.scrollLeft,y:A.pageY||A.clientY+K.scrollTop};var C={x:(A.pageX)?A.pageX-F.pageXOffset:A.clientX,y:(A.pageY)?A.pageY-F.pageYOffset:A.clientY}; -if(J.match(/DOMMouseScroll|mousewheel/)){var H=(A.wheelDelta)?A.wheelDelta/120:-(A.detail||0)/3;}var E=(A.which==3)||(A.button==2);var L=null;if(J.match(/over|out/)){switch(J){case"mouseover":L=A.relatedTarget||A.fromElement; -break;case"mouseout":L=A.relatedTarget||A.toElement;}if(!(function(){while(L&&L.nodeType==3){L=L.parentNode;}return true;}).create({attempt:Browser.Engine.gecko})()){L=false; -}}}}return $extend(this,{event:A,type:J,page:I,client:C,rightClick:E,wheel:H,relatedTarget:L,target:G,code:B,key:M,shift:A.shiftKey,control:A.ctrlKey,alt:A.altKey,meta:A.metaKey}); -}});Event.Keys=new Hash({enter:13,up:38,down:40,left:37,right:39,esc:27,space:32,backspace:8,tab:9,"delete":46});Event.implement({stop:function(){return this.stopPropagation().preventDefault(); -},stopPropagation:function(){if(this.event.stopPropagation){this.event.stopPropagation();}else{this.event.cancelBubble=true;}return this;},preventDefault:function(){if(this.event.preventDefault){this.event.preventDefault(); -}else{this.event.returnValue=false;}return this;}});var Class=new Native({name:"Class",initialize:function(B){B=B||{};var 
A=function(E){for(var D in this){this[D]=$unlink(this[D]); -}for(var F in Class.Mutators){if(!this[F]){continue;}Class.Mutators[F](this,this[F]);delete this[F];}this.constructor=A;if(E===$empty){return this;}var C=(this.initialize)?this.initialize.apply(this,arguments):this; -if(this.options&&this.options.initialize){this.options.initialize.call(this);}return C;};$extend(A,this);A.constructor=Class;A.prototype=B;return A;}}); -Class.implement({implement:function(){Class.Mutators.Implements(this.prototype,Array.slice(arguments));return this;}});Class.Mutators={Implements:function(A,B){$splat(B).each(function(C){$extend(A,($type(C)=="class")?new C($empty):C); -});},Extends:function(self,klass){var instance=new klass($empty);delete instance.parent;delete instance.parentOf;for(var key in instance){var current=self[key],previous=instance[key]; -if(current==undefined){self[key]=previous;continue;}var ctype=$type(current),ptype=$type(previous);if(ctype!=ptype){continue;}switch(ctype){case"function":if(!arguments.callee.caller){self[key]=eval("("+String(current).replace(/\bthis\.parent\(\s*(\))?/g,function(full,close){return"arguments.callee._parent_.call(this"+(close||", "); -})+")");}self[key]._parent_=previous;break;case"object":self[key]=$merge(previous,current);}}self.parent=function(){return arguments.callee.caller._parent_.apply(this,arguments); -};self.parentOf=function(descendant){return descendant._parent_.apply(this,Array.slice(arguments,1));};}};var Chain=new Class({chain:function(){this.$chain=(this.$chain||[]).extend(arguments); -return this;},callChain:function(){return(this.$chain&&this.$chain.length)?this.$chain.shift().apply(this,arguments):false;},clearChain:function(){if(this.$chain){this.$chain.empty(); -}return this;}});var Events=new Class({addEvent:function(C,B,A){C=Events.removeOn(C);if(B!=$empty){this.$events=this.$events||{};this.$events[C]=this.$events[C]||[]; -this.$events[C].include(B);if(A){B.internal=true;}}return 
this;},addEvents:function(A){for(var B in A){this.addEvent(B,A[B]);}return this;},fireEvent:function(C,B,A){C=Events.removeOn(C); -if(!this.$events||!this.$events[C]){return this;}this.$events[C].each(function(D){D.create({bind:this,delay:A,"arguments":B})();},this);return this;},removeEvent:function(B,A){B=Events.removeOn(B); -if(!this.$events||!this.$events[B]){return this;}if(!A.internal){this.$events[B].erase(A);}return this;},removeEvents:function(C){for(var D in this.$events){if(C&&C!=D){continue; -}var B=this.$events[D];for(var A=B.length;A--;A){this.removeEvent(D,B[A]);}}return this;}});Events.removeOn=function(A){return A.replace(/^on([A-Z])/,function(B,C){return C.toLowerCase(); -});};var Options=new Class({setOptions:function(){this.options=$merge.run([this.options].extend(arguments));if(!this.addEvent){return this;}for(var A in this.options){if($type(this.options[A])!="function"||!(/^on[A-Z]/).test(A)){continue; -}this.addEvent(A,this.options[A]);delete this.options[A];}return this;}});Document.implement({newElement:function(A,B){if(Browser.Engine.trident&&B){["name","type","checked"].each(function(C){if(!B[C]){return ; -}A+=" "+C+'="'+B[C]+'"';if(C!="checked"){delete B[C];}});A="<"+A+">";}return $.element(this.createElement(A)).set(B);},newTextNode:function(A){return this.createTextNode(A); -},getDocument:function(){return this;},getWindow:function(){return this.defaultView||this.parentWindow;},purge:function(){var C=this.getElementsByTagName("*"); -for(var B=0,A=C.length;B1);A.each(function(E){var F=this.getElementsByTagName(E.trim());(B)?C.extend(F):C=F;},this);return new Elements(C,{ddup:B,cash:!D}); -}});Element.Storage={get:function(A){return(this[A]||(this[A]={}));}};Element.Inserters=new Hash({before:function(B,A){if(A.parentNode){A.parentNode.insertBefore(B,A); -}},after:function(B,A){if(!A.parentNode){return ;}var C=A.nextSibling;(C)?A.parentNode.insertBefore(B,C):A.parentNode.appendChild(B);},bottom:function(B,A){A.appendChild(B); 
-},top:function(B,A){var C=A.firstChild;(C)?A.insertBefore(B,C):A.appendChild(B);}});Element.Inserters.inside=Element.Inserters.bottom;Element.Inserters.each(function(C,B){var A=B.capitalize(); -Element.implement("inject"+A,function(D){C(this,$(D,true));return this;});Element.implement("grab"+A,function(D){C($(D,true),this);return this;});});Element.implement({getDocument:function(){return this.ownerDocument; -},getWindow:function(){return this.ownerDocument.getWindow();},getElementById:function(D,C){var B=this.ownerDocument.getElementById(D);if(!B){return null; -}for(var A=B.parentNode;A!=this;A=A.parentNode){if(!A){return null;}}return $.element(B,C);},set:function(D,B){switch($type(D)){case"object":for(var C in D){this.set(C,D[C]); -}break;case"string":var A=Element.Properties.get(D);(A&&A.set)?A.set.apply(this,Array.slice(arguments,1)):this.setProperty(D,B);}return this;},get:function(B){var A=Element.Properties.get(B); -return(A&&A.get)?A.get.apply(this,Array.slice(arguments,1)):this.getProperty(B);},erase:function(B){var A=Element.Properties.get(B);(A&&A.erase)?A.erase.apply(this,Array.slice(arguments,1)):this.removeProperty(B); -return this;},match:function(A){return(!A||Element.get(this,"tag")==A);},inject:function(B,A){Element.Inserters.get(A||"bottom")(this,$(B,true));return this; -},wraps:function(B,A){B=$(B,true);return this.replaces(B).grab(B,A);},grab:function(B,A){Element.Inserters.get(A||"bottom")($(B,true),this);return this; -},appendText:function(B,A){return this.grab(this.getDocument().newTextNode(B),A);},adopt:function(){Array.flatten(arguments).each(function(A){A=$(A,true); -if(A){this.appendChild(A);}},this);return this;},dispose:function(){return(this.parentNode)?this.parentNode.removeChild(this):this;},clone:function(D,C){switch($type(this)){case"element":var H={}; -for(var G=0,E=this.attributes.length;G1),cash:!G});}});Element.implement({match:function(B){if(!B){return true;}var D=Selectors.Utils.parseTagAndID(B); -var 
A=D[0],E=D[1];if(!Selectors.Filters.byID(this,E)||!Selectors.Filters.byTag(this,A)){return false;}var C=Selectors.Utils.parseSelector(B);return(C)?Selectors.Utils.filter(this,C,{}):true; -}});var Selectors={Cache:{nth:{},parsed:{}}};Selectors.RegExps={id:(/#([\w-]+)/),tag:(/^(\w+|\*)/),quick:(/^(\w+|\*)$/),splitter:(/\s*([+>~\s])\s*([a-zA-Z#.*:\[])/g),combined:(/\.([\w-]+)|\[(\w+)(?:([!*^$~|]?=)["']?(.*?)["']?)?\]|:([\w-]+)(?:\(["']?(.*?)?["']?\)|$)/g)}; -Selectors.Utils={chk:function(B,C){if(!C){return true;}var A=$uid(B);if(!C[A]){return C[A]=true;}return false;},parseNthArgument:function(F){if(Selectors.Cache.nth[F]){return Selectors.Cache.nth[F]; -}var C=F.match(/^([+-]?\d*)?([a-z]+)?([+-]?\d*)?$/);if(!C){return false;}var E=parseInt(C[1]);var B=(E||E===0)?E:1;var D=C[2]||false;var A=parseInt(C[3])||0; -if(B!=0){A--;while(A<1){A+=B;}while(A>=B){A-=B;}}else{B=A;D="index";}switch(D){case"n":C={a:B,b:A,special:"n"};break;case"odd":C={a:2,b:0,special:"n"}; -break;case"even":C={a:2,b:1,special:"n"};break;case"first":C={a:0,special:"index"};break;case"last":C={special:"last-child"};break;case"only":C={special:"only-child"}; -break;default:C={a:(B-1),special:"index"};}return Selectors.Cache.nth[F]=C;},parseSelector:function(E){if(Selectors.Cache.parsed[E]){return Selectors.Cache.parsed[E]; -}var D,H={classes:[],pseudos:[],attributes:[]};while((D=Selectors.RegExps.combined.exec(E))){var I=D[1],G=D[2],F=D[3],B=D[4],C=D[5],J=D[6];if(I){H.classes.push(I); -}else{if(C){var A=Selectors.Pseudo.get(C);if(A){H.pseudos.push({parser:A,argument:J});}else{H.attributes.push({name:C,operator:"=",value:J});}}else{if(G){H.attributes.push({name:G,operator:F,value:B}); -}}}}if(!H.classes.length){delete H.classes;}if(!H.attributes.length){delete H.attributes;}if(!H.pseudos.length){delete H.pseudos;}if(!H.classes&&!H.attributes&&!H.pseudos){H=null; -}return Selectors.Cache.parsed[E]=H;},parseTagAndID:function(B){var A=B.match(Selectors.RegExps.tag);var 
C=B.match(Selectors.RegExps.id);return[(A)?A[1]:"*",(C)?C[1]:false]; -},filter:function(F,C,E){var D;if(C.classes){for(D=C.classes.length;D--;D){var G=C.classes[D];if(!Selectors.Filters.byClass(F,G)){return false;}}}if(C.attributes){for(D=C.attributes.length; -D--;D){var B=C.attributes[D];if(!Selectors.Filters.byAttribute(F,B.name,B.operator,B.value)){return false;}}}if(C.pseudos){for(D=C.pseudos.length;D--;D){var A=C.pseudos[D]; -if(!Selectors.Filters.byPseudo(F,A.parser,A.argument,E)){return false;}}}return true;},getByTagAndID:function(B,A,D){if(D){var C=(B.getElementById)?B.getElementById(D,true):Element.getElementById(B,D,true); -return(C&&Selectors.Filters.byTag(C,A))?[C]:[];}else{return B.getElementsByTagName(A);}},search:function(J,I,O){var B=[];var C=I.trim().replace(Selectors.RegExps.splitter,function(Z,Y,X){B.push(Y); -return":)"+X;}).split(":)");var K,F,E,V;for(var U=0,Q=C.length;U":function(H,G,I,A,F){var C=Selectors.Utils.getByTagAndID(G,I,A);for(var E=0,D=C.length;EA){return false; -}}return(C==A);},even:function(B,A){return Selectors.Pseudo["nth-child"].call(this,"2n+1",A);},odd:function(B,A){return Selectors.Pseudo["nth-child"].call(this,"2n",A); -}});Element.Events.domready={onAdd:function(A){if(Browser.loaded){A.call(this);}}};(function(){var B=function(){if(Browser.loaded){return ;}Browser.loaded=true; -window.fireEvent("domready");document.fireEvent("domready");};switch(Browser.Engine.name){case"webkit":(function(){(["loaded","complete"].contains(document.readyState))?B():arguments.callee.delay(50); -})();break;case"trident":var A=document.createElement("div");(function(){($try(function(){A.doScroll("left");return $(A).inject(document.body).set("html","temp").dispose(); -}))?B():arguments.callee.delay(50);})();break;default:window.addEvent("load",B);document.addEvent("DOMContentLoaded",B);}})();var JSON=new Hash({encode:function(B){switch($type(B)){case"string":return'"'+B.replace(/[\x00-\x1f\\"]/g,JSON.$replaceChars)+'"'; 
-case"array":return"["+String(B.map(JSON.encode).filter($defined))+"]";case"object":case"hash":var A=[];Hash.each(B,function(E,D){var C=JSON.encode(E);if(C){A.push(JSON.encode(D)+":"+C); -}});return"{"+A+"}";case"number":case"boolean":return String(B);case false:return"null";}return null;},$specialChars:{"\b":"\\b","\t":"\\t","\n":"\\n","\f":"\\f","\r":"\\r",'"':'\\"',"\\":"\\\\"},$replaceChars:function(A){return JSON.$specialChars[A]||"\\u00"+Math.floor(A.charCodeAt()/16).toString(16)+(A.charCodeAt()%16).toString(16); -},decode:function(string,secure){if($type(string)!="string"||!string.length){return null;}if(secure&&!(/^[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]*$/).test(string.replace(/\\./g,"@").replace(/"[^"\\\n\r]*"/g,""))){return null; -}return eval("("+string+")");}});Native.implement([Hash,Array,String,Number],{toJSON:function(){return JSON.encode(this);}});var Cookie=new Class({Implements:Options,options:{path:false,domain:false,duration:false,secure:false,document:document},initialize:function(B,A){this.key=B; -this.setOptions(A);},write:function(B){B=encodeURIComponent(B);if(this.options.domain){B+="; domain="+this.options.domain;}if(this.options.path){B+="; path="+this.options.path; -}if(this.options.duration){var A=new Date();A.setTime(A.getTime()+this.options.duration*24*60*60*1000);B+="; expires="+A.toGMTString();}if(this.options.secure){B+="; secure"; -}this.options.document.cookie=this.key+"="+B;return this;},read:function(){var A=this.options.document.cookie.match("(?:^|;)\\s*"+this.key.escapeRegExp()+"=([^;]*)"); -return(A)?decodeURIComponent(A[1]):null;},dispose:function(){new Cookie(this.key,$merge(this.options,{duration:-1})).write("");return this;}});Cookie.write=function(B,C,A){return new Cookie(B,A).write(C); -};Cookie.read=function(A){return new Cookie(A).read();};Cookie.dispose=function(B,A){return new Cookie(B,A).dispose();};var Swiff=new 
Class({Implements:[Options],options:{id:null,height:1,width:1,container:null,properties:{},params:{quality:"high",allowScriptAccess:"always",wMode:"transparent",swLiveConnect:true},callBacks:{},vars:{}},toElement:function(){return this.object; -},initialize:function(L,M){this.instance="Swiff_"+$time();this.setOptions(M);M=this.options;var B=this.id=M.id||this.instance;var A=$(M.container);Swiff.CallBacks[this.instance]={}; -var E=M.params,G=M.vars,F=M.callBacks;var H=$extend({height:M.height,width:M.width},M.properties);var K=this;for(var D in F){Swiff.CallBacks[this.instance][D]=(function(N){return function(){return N.apply(K.object,arguments); -};})(F[D]);G[D]="Swiff.CallBacks."+this.instance+"."+D;}E.flashVars=Hash.toQueryString(G);if(Browser.Engine.trident){H.classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"; -E.movie=L;}else{H.type="application/x-shockwave-flash";H.data=L;}var J=''; -}}J+="";this.object=((A)?A.empty():new Element("div")).set("html",J).firstChild;},replaces:function(A){A=$(A,true);A.parentNode.replaceChild(this.toElement(),A); -return this;},inject:function(A){$(A,true).appendChild(this.toElement());return this;},remote:function(){return Swiff.remote.apply(Swiff,[this.toElement()].extend(arguments)); -}});Swiff.CallBacks={};Swiff.remote=function(obj,fn){var rs=obj.CallFunction(''+__flash__argumentsToXML(arguments,2)+""); -return eval(rs);};var Fx=new Class({Implements:[Chain,Events,Options],options:{fps:50,unit:false,duration:500,link:"ignore",transition:function(A){return -(Math.cos(Math.PI*A)-1)/2; -}},initialize:function(A){this.subject=this.subject||this;this.setOptions(A);this.options.duration=Fx.Durations[this.options.duration]||this.options.duration.toInt(); -var B=this.options.wait;if(B===false){this.options.link="cancel";}},step:function(){var A=$time();if(A=(7-4*B)/11){C=-Math.pow((11-6*B-11*D)/4,2)+A*A; -break;}}return C;},Elastic:function(B,A){return 
Math.pow(2,10*--B)*Math.cos(20*B*Math.PI*(A[0]||1)/3);}});["Quad","Cubic","Quart","Quint"].each(function(B,A){Fx.Transitions[B]=new Fx.Transition(function(C){return Math.pow(C,[A+2]); -});});var Request=new Class({Implements:[Chain,Events,Options],options:{url:"",data:"",headers:{"X-Requested-With":"XMLHttpRequest",Accept:"text/javascript, text/html, application/xml, text/xml, */*"},async:true,format:false,method:"post",link:"ignore",isSuccess:null,emulation:true,urlEncoded:true,encoding:"utf-8",evalScripts:false,evalResponse:false},initialize:function(A){this.xhr=new Browser.Request(); -this.setOptions(A);this.options.isSuccess=this.options.isSuccess||this.isSuccess;this.headers=new Hash(this.options.headers);},onStateChange:function(){if(this.xhr.readyState!=4||!this.running){return ; -}this.running=false;this.status=0;$try(function(){this.status=this.xhr.status;}.bind(this));if(this.options.isSuccess.call(this,this.status)){this.response={text:this.xhr.responseText,xml:this.xhr.responseXML}; -this.success(this.response.text,this.response.xml);}else{this.response={text:null,xml:null};this.failure();}this.xhr.onreadystatechange=$empty;},isSuccess:function(){return((this.status>=200)&&(this.status<300)); -},processScripts:function(A){if(this.options.evalResponse||(/(ecma|java)script/).test(this.getHeader("Content-type"))){return $exec(A);}return A.stripScripts(this.options.evalScripts); -},success:function(B,A){this.onSuccess(this.processScripts(B),A);},onSuccess:function(){this.fireEvent("complete",arguments).fireEvent("success",arguments).callChain(); -},failure:function(){this.onFailure();},onFailure:function(){this.fireEvent("complete").fireEvent("failure",this.xhr);},setHeader:function(A,B){this.headers.set(A,B); -return this;},getHeader:function(A){return $try(function(){return this.xhr.getResponseHeader(A);}.bind(this));},check:function(A){if(!this.running){return true; -}switch(this.options.link){case"cancel":this.cancel();return 
true;case"chain":this.chain(A.bind(this,Array.slice(arguments,1)));return false;}return false; -},send:function(I){if(!this.check(arguments.callee,I)){return this;}this.running=true;var G=$type(I);if(G=="string"||G=="element"){I={data:I};}var D=this.options; -I=$extend({data:D.data,url:D.url,method:D.method},I);var E=I.data,B=I.url,A=I.method;switch($type(E)){case"element":E=$(E).toQueryString();break;case"object":case"hash":E=Hash.toQueryString(E); -}if(this.options.format){var H="format="+this.options.format;E=(E)?H+"&"+E:H;}if(this.options.emulation&&["put","delete"].contains(A)){var F="_method="+A; -E=(E)?F+"&"+E:F;A="post";}if(this.options.urlEncoded&&A=="post"){var C=(this.options.encoding)?"; charset="+this.options.encoding:"";this.headers.set("Content-type","application/x-www-form-urlencoded"+C); -}if(E&&A=="get"){B=B+(B.contains("?")?"&":"?")+E;E=null;}this.xhr.open(A.toUpperCase(),B,this.options.async);this.xhr.onreadystatechange=this.onStateChange.bind(this); -this.headers.each(function(K,J){if(!$try(function(){this.xhr.setRequestHeader(J,K);return true;}.bind(this))){this.fireEvent("exception",[J,K]);}},this); -this.fireEvent("request");this.xhr.send(E);if(!this.options.async){this.onStateChange();}return this;},cancel:function(){if(!this.running){return this; -}this.running=false;this.xhr.abort();this.xhr.onreadystatechange=$empty;this.xhr=new Browser.Request();this.fireEvent("cancel");return this;}});(function(){var A={}; -["get","post","put","delete","GET","POST","PUT","DELETE"].each(function(B){A[B]=function(){var C=Array.link(arguments,{url:String.type,data:$defined}); -return this.send($extend(C,{method:B.toLowerCase()}));};});Request.implement(A);})();Element.Properties.send={set:function(A){var B=this.retrieve("send"); -if(B){B.cancel();}return this.eliminate("send").store("send:options",$extend({data:this,link:"cancel",method:this.get("method")||"post",url:this.get("action")},A)); 
-},get:function(A){if(A||!this.retrieve("send")){if(A||!this.retrieve("send:options")){this.set("send",A);}this.store("send",new Request(this.retrieve("send:options"))); -}return this.retrieve("send");}};Element.implement({send:function(A){var B=this.get("send");B.send({data:this,url:A||B.options.url});return this;}});Request.HTML=new Class({Extends:Request,options:{update:false,evalScripts:true,filter:false},processHTML:function(C){var B=C.match(/]*>([\s\S]*?)<\/body>/i); -C=(B)?B[1]:C;var A=new Element("div");return $try(function(){var D=""+C+"",G;if(Browser.Engine.trident){G=new ActiveXObject("Microsoft.XMLDOM"); -G.async=false;G.loadXML(D);}else{G=new DOMParser().parseFromString(D,"text/xml");}D=G.getElementsByTagName("root")[0];for(var F=0,E=D.childNodes.length; -F - + diff --git a/src/medsrv/templates/user/login.cs b/src/medsrv/templates/user/login.cs index 1d6eadbbc..fbf5b8bd7 100644 --- a/src/medsrv/templates/user/login.cs +++ b/src/medsrv/templates/user/login.cs @@ -6,7 +6,7 @@
- + diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c index 7099977f2..4f850d6d1 100644 --- a/src/pki/commands/acert.c +++ b/src/pki/commands/acert.c @@ -278,7 +278,8 @@ static void __attribute__ ((constructor))reg() {"[--in file] [--group name]* --issuerkey file|--issuerkeyid hex", " --issuercert file [--serial hex] [--lifetime hours]", " [--not-before datetime] [--not-after datetime] [--dateform form]", - "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "holder certificate, default: stdin"}, diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 2dc9fcce3..fdc43d705 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -588,7 +588,8 @@ static void __attribute__ ((constructor))reg() "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]", "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", - "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "key/request file to issue, default: stdin"}, diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index da991b505..68d611250 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c 
@@ -196,7 +196,8 @@ static void __attribute__ ((constructor))reg()
 "create a PKCS#10 certificate request",
 {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
 "[--san subjectAltName]+ [--password challengePassword]",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+ "[--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "private key input file, default: stdin"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index a785c2a0c..f4e83c76c 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -425,7 +425,8 @@ static void __attribute__ ((constructor))reg()
 "[--policy-map issuer-oid:subject-oid]",
 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
 "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
+ "[--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "private key input file, default: stdin"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 720dfd8a9..6c27289f9 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -451,7 +451,7 @@ static void __attribute__ ((constructor))reg()
 " [[--reason key-compromise|ca-compromise|affiliation-changed|",
 " superseded|cessation-of-operation|certificate-hold]",
 " [--date timestamp] --cert file|--serial hex]*",
- " [--digest md5|sha1|sha224|sha256|sha384|sha512]",
+ " [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
 " [--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index bf71bf85c..78ce5c628 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -289,14 +289,5 @@ The challenge password is '5xH2pnT7wq'. The encryption and signature check has t
 caCert.der.
 .RE
-
 .SH "BUGS"
 \fB\-\-optionsfrom\fP seems to have parsing problems reading option files containing strings in quotation marks.
-.SH "COPYRIGHT"
-Copyright (C) 2005 Jan Hutter, Martin Willi
-.br
-Hochschule fuer Technik Rapperswil
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See .
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
diff --git a/src/swanctl/commands/list_pools.c b/src/swanctl/commands/list_pools.c
index 155771657..429107e17 100644
--- a/src/swanctl/commands/list_pools.c
+++ b/src/swanctl/commands/list_pools.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
 * Copyright (C) 2014 Martin Willi
 * Copyright (C) 2014 revosec AG
 *
@@ -19,8 +22,22 @@
 #include "command.h"
+CALLBACK(list_leases, int,
+ char *pool, vici_res_t *res, char *name)
+{
+ if (streq(name, "leases"))
+ {
+ return vici_parse_cb(res, list_leases, NULL, NULL, pool);
+ }
+ printf(" %-30s %-8s '%s'\n",
+ vici_find_str(res, "", "%s.leases.%s.address", pool, name),
+ vici_find_str(res, "", "%s.leases.%s.status", pool, name),
+ vici_find_str(res, "", "%s.leases.%s.identity", pool, name));
+ return 0;
+}
+
 CALLBACK(list_pool, int,
- linked_list_t *list, vici_res_t *res, char *name)
+ void *not_used, vici_res_t *res, char *name)
 {
 char pool[64], leases[32];
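Review bot: `list_leases` treats every subsection it receives that is not named `leases` as a lease entry, so if the `get-pools` response ever nested another section under a pool (or under `leases`) it would be printed as a lease whose address, status and identity are all empty, because `vici_find_str(res, "", ...)` yields `""` for an absent key. If only `leases` can appear at that level, which I infer from the format strings rather than from anything visible here, a comment on the callback would make the `streq` branch self-explanatory, e.g. `/* a pool section nests only "leases"; its children are the individual leases */`. The body of `list_pool` continues outside the hunk.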
@@ -33,7 +50,7 @@ CALLBACK(list_pool, int,
 printf("%-20s %-30s %16s\n", name, vici_find_str(res, "", "%s.base", name), leases);
- return 0;
+ return vici_parse_cb(res, list_leases, NULL, NULL, name);
 }
 static int list_pools(vici_conn_t *conn)
@@ -43,6 +60,7 @@ static int list_pools(vici_conn_t *conn)
 command_format_options_t format = COMMAND_FORMAT_NONE;
 char *arg;
 int ret = 0;
+ bool leases = FALSE;
 while (TRUE)
 {
@@ -56,6 +74,9 @@ static int list_pools(vici_conn_t *conn)
 case 'r':
 format |= COMMAND_FORMAT_RAW;
 continue;
+ case 'l':
+ leases = TRUE;
+ continue;
 case EOF:
 break;
 default:
@@ -65,6 +86,10 @@ static int list_pools(vici_conn_t *conn)
 }
 req = vici_begin("get-pools");
+ if (leases)
+ {
+ vici_add_key_valuef(req, "leases", "yes");
+ }
 res = vici_submit(req, conn);
 if (!res)
 {
@@ -92,11 +117,12 @@ static void __attribute__ ((constructor))reg()
 {
 command_register((command_t) {
 list_pools, 'A', "list-pools", "list loaded pool configurations",
- {"[--raw|--pretty]"},
+ {"[--leases] [--raw|--pretty]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"raw", 'r', 0, "dump raw response message"},
 {"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"leases", 'l', 0, "list leases of each pool"},
 }
 });
 }
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index 1aca6d212..93dd7ed85 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -198,8 +198,14 @@ CALLBACK(ike_sa, int,
 ike->get(ike, "state"), ike->get(ike, "version"), ike->get(ike, "initiator-spi"), ike->get(ike, "responder-spi"));
- printf(" local '%s' @ %s\n",
+ printf(" local '%s' @ %s",
 ike->get(ike, "local-id"), ike->get(ike, "local-host"));
+ if (ike->get(ike, "local-vips"))
+ {
+ printf(" [%s]", ike->get(ike, "local-vips"));
+ }
+ printf("\n");
+ printf(" remote '%s' @ %s",
 ike->get(ike, "remote-id"), ike->get(ike, "remote-host"));
 if (ike->get(ike, "remote-eap-id"))
@@ -210,6 +216,10 @@ CALLBACK(ike_sa, int, { printf(" XAuth: '%s'", ike->get(ike, "remote-xauth-id")); } + if (ike->get(ike, "remote-vips")) + { + printf(" [%s]", ike->get(ike, "remote-vips")); + } printf("\n"); if (ike->get(ike, "encr-alg")) diff --git a/testing/do-tests b/testing/do-tests index c01152c7b..c87ba05a7 100755 --- a/testing/do-tests +++ b/testing/do-tests @@ -47,7 +47,6 @@ testnumber="0" failed_cnt="0" passed_cnt="0" - ############################################################################## # copy default tests to $BUILDDIR # @@ -105,6 +104,12 @@ do do_on_exit kill `eval echo \\\$ssh_pid_$host` done +############################################################################## +# determine actual software versions +# + +[ -f $SHAREDDIR/.strongswan-version ] && SWANVERSION=`cat $SHAREDDIR/.strongswan-version` +KERNELVERSION=`ssh $SSHCONF root@\$ipv4_winnetou uname -r 2>/dev/null` ############################################################################## # create header for the results html file @@ -131,7 +136,7 @@ ENVIRONMENT_HEADER=$(cat <<@EOF - + @EOF @@ -159,7 +164,8 @@ cat > $TESTRESULTSHTML <<@EOF - + + @EOF @@ -249,6 +255,8 @@ do testname=$SUBDIR/$name log_action " $testnumber $testname:" + teststart=$(date +%s) + if [ ! -d $DEFAULTTESTSDIR/${testname} ] then echo "is missing..skipped" @@ -329,8 +337,11 @@ do # copy test specific configurations to uml hosts and clear auth.log files # + DBDIR=/etc/db.d + $DIR/scripts/load-testconfig $testname unset RADIUSHOSTS + unset DBHOSTS unset IPV6 unset SWANCTL source $TESTDIR/test.conf 
@@ -355,6 +366,17 @@ do
 done
 fi
+ ##########################################################################
+ # create database directory in RAM
+ #
+
+ for host in $DBHOSTS
+ do
+ eval HOSTLOGIN=root@\$ipv4_${host}
+ ssh $SSHCONF $HOSTLOGIN "mkdir -p $DBDIR; mount -t ramfs -o size=5m ramfs $DBDIR" >/dev/null 2>&1
+ ssh $SSHCONF $HOSTLOGIN "chgrp www-data $DBDIR; chmod g+w $DBDIR" >/dev/null 2>&1
+ done
+
 ##########################################################################
 # flush conntrack table on all hosts
 #
@@ -504,32 +526,20 @@ do
 scp $SSHCONF $HOSTLOGIN:/etc/strongswan.conf \
 $TESTRESULTDIR/${host}.strongswan.conf > /dev/null 2>&1
-
 if [ -n "$SWANCTL" ]
 then
 scp $SSHCONF $HOSTLOGIN:/etc/swanctl/swanctl.conf \
 $TESTRESULTDIR/${host}.swanctl.conf > /dev/null 2>&1
- ssh $SSHCONF $HOSTLOGIN swanctl --list-conns \
- > $TESTRESULTDIR/${host}.swanctl.conns 2>/dev/null
+ for subsys in conns certs pools authorities sas pols
+ do
+ ssh $SSHCONF $HOSTLOGIN swanctl --list-$subsys \
+ > $TESTRESULTDIR/${host}.swanctl.$subsys 2>/dev/null
+ done
- ssh $SSHCONF $HOSTLOGIN swanctl --list-certs \
- > $TESTRESULTDIR/${host}.swanctl.certs 2>/dev/null
-
- ssh $SSHCONF $HOSTLOGIN swanctl --list-pools \
- > $TESTRESULTDIR/${host}.swanctl.pools 2>/dev/null
-
- ssh $SSHCONF $HOSTLOGIN swanctl --list-authorities \
- > $TESTRESULTDIR/${host}.swanctl.authorities 2>/dev/null
-
- ssh $SSHCONF $HOSTLOGIN swanctl --list-sas \
- > $TESTRESULTDIR/${host}.swanctl.sas 2>/dev/null
-
- ssh $SSHCONF $HOSTLOGIN swanctl --list-pols \
- > $TESTRESULTDIR/${host}.swanctl.pols 2>/dev/null
-
- ssh $SSHCONF $HOSTLOGIN swanctl --stats \
- > $TESTRESULTDIR/${host}.swanctl.stats 2>/dev/null
+ # this is quite slow due to allocation stats via leak-detective
+ ssh $SSHCONF $HOSTLOGIN swanctl --stats \
+ > $TESTRESULTDIR/${host}.swanctl.stats 2>/dev/null
 else
 for file in ipsec.conf ipsec.secrets
 do
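Review bot: The `mount -t ramfs -o size=5m ramfs $DBDIR` line in the new DBHOSTS loop does not get the 5 MB bound it appears to ask for, because ramfs ignores `size=` and grows without limit; tmpfs honours it: `mount -t tmpfs -o size=5m tmpfs $DBDIR`. The `>/dev/null 2>&1` on the same line also hides a failed mount, in which case the test silently writes its database into the on-disk `$DBDIR` and the `umount` at teardown fails just as silently; checking the ssh exit status, or at least keeping stderr, would make that visible. The enclosing per-test loop starts and ends outside the hunk.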
@@ -752,7 +762,7 @@ do for host in $IPSECHOSTS do eval HOSTLOGIN=root@\$ipv4_${host} - ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv|pt-tls-client' \ + ssh $SSHCONF $HOSTLOGIN "grep -s -E 'charon|last message repeated|imcv|pt-tls-client' \ /var/log/auth.log" >> $TESTRESULTDIR/${host}.auth.log done @@ -764,7 +774,7 @@ do for host in $IPSECHOSTS do eval HOSTLOGIN=root@\$ipv4_${host} - ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv' \ + ssh $SSHCONF $HOSTLOGIN "grep -s -E 'charon|last message repeated|imcv' \ /var/log/daemon.log" >> $TESTRESULTDIR/${host}.daemon.log done @@ -783,6 +793,15 @@ do fi done + ########################################################################## + # remove database directory if needed + # + + for host in $DBHOSTS + do + eval HOSTLOGIN=root@\$ipv4_${host} + ssh $SSHCONF $HOSTLOGIN "umount $DBDIR; rm -r $DBDIR" > /dev/null 2>&1 + done ########################################################################## # copy default host config back if necessary @@ -794,6 +813,9 @@ do ########################################################################## # write test status to html file # + testend=$(date +%s) + let "testend -= teststart" + let "timetotal += testend" if [ $STATUS = "passed" ] then @@ -808,8 +830,8 @@ do + - @EOF cat >> $SUBTESTSINDEX << @EOF @@ -851,6 +873,9 @@ cat >> $TESTRESULTSHTML << @EOF + + +
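Review bot: In the `@@ -794,6 +813,9 @@` hunk `testend` is first the end timestamp and then overwritten with the elapsed seconds by `let "testend -= teststart"`, so every later `$testend` reads as a timestamp but holds a duration; a separate name is clearer and POSIX rather than bash-only: `testtime=$((testend - teststart))` and `timetotal=$((timetotal + testtime))`, with the html line that prints it updated to match. `timetotal` is not initialised anywhere in this diff; `let` treats an unset variable as 0, but an explicit `timetotal="0"` next to the existing `testnumber="0"` would follow the file's own style. The enclosing loop starts and ends outside the hunk.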
       
Number TestResultTime [s]Result
$testnumber $testname$testend $STATUS 
Failed$failed_cnt  
Time [s]$timetotal  
@@ -895,6 +920,6 @@ echo
 echo "The results are available in $TODAYDIR"
 echo "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
-ENDDATE=`date +%Y%m%d-%H%M`
+ENDDATE=`date +%Y%m%d-%H%M-%S`
 echo
 echo "Finished : $ENDDATE"
diff --git a/testing/hosts/default/etc/strongswan.conf.testing b/testing/hosts/default/etc/strongswan.conf.testing
new file mode 100644
index 000000000..55efbe7d1
--- /dev/null
+++ b/testing/hosts/default/etc/strongswan.conf.testing
@@ -0,0 +1,7 @@
+charon {
+ retransmit_tries = 2
+ retransmit_timeout = 1.0
+ retransmit_base = 1
+}
+
+include strongswan.conf
\ No newline at end of file
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index f064bdb0b..842c3a1b2 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -45,5 +45,5 @@ openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl
 openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl
 cp strongswan_rfc3779.crl ${ROOT}
 cd /etc/openssl/bliss
-pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha512 > strongswan_bliss.crl
+pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha3_512 > strongswan_bliss.crl
 cp strongswan_bliss.crl ${ROOT}
diff --git a/testing/scripts/build-strongswan b/testing/scripts/build-strongswan
index c52dddda8..8c6ecaafd 100755
--- a/testing/scripts/build-strongswan
+++ b/testing/scripts/build-strongswan
@@ -49,7 +49,21 @@ log_action "Mounting $SWANDIR as /root/strongswan"
 execute "bindfs -u $SRCUID -g $SRCGID $SWANDIR $LOOPDIR/root/strongswan"
 do_on_exit umount $LOOPDIR/root/strongswan
+log_action "Remove SWID tags of previous versions"
+execute_chroot 'find /usr/local/share/regid.2004-03.org.strongswan -name *.swidtag -delete'
+
 echo "Building and installing strongSwan"
+
+log_action "Determine strongSwan version"
+desc=`git -C $SWANDIR describe --dirty`
+if [ $? -eq 0 ]; then
+ SWANVERSION="$desc (`git -C $SWANDIR rev-parse --abbrev-ref HEAD`)"
+else
+ SWANVERSION="`cat $SWANDIR/configure.ac | sed -n '/^AC_INIT/{ s/.*,\[\(.*\)\])$/\1/p }'`"
+fi
+echo "$SWANVERSION" > $SHAREDDIR/.strongswan-version
+log_status 0
+
 log_action "Preparing source tree"
 execute_chroot 'autoreconf -i /root/strongswan'
diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk
index 5abd2178b..8799d424d 100644
--- a/testing/scripts/recipes/010_tkm.mk
+++ b/testing/scripts/recipes/010_tkm.mk
@@ -2,7 +2,7 @@ PKG = tkm
 SRC = http://git.codelabs.ch/git/$(PKG).git
-REV = v0.1.2
+REV = v0.1.3
 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 404c6c6bf..994acaa28 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -18,6 +18,7 @@ NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
 CONFIG_OPTS = \
 --sysconfdir=/etc \
+ --with-strongswan-conf=/etc/strongswan.conf.testing \
 --with-random-device=/dev/urandom \
 --disable-load-warning \
 --enable-curl \
@@ -98,7 +99,8 @@ CONFIG_OPTS = \
 --enable-ntru \
 --enable-lookip \
 --enable-swanctl \
- --enable-bliss
+ --enable-bliss \
+ --enable-sha3
 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
@@ -109,6 +111,7 @@ $(TAR):
 $(PKG): $(TAR)
 tar xfj $(TAR)
+ echo "$(SWANVERSION)" > /root/shared/.strongswan-version
 configure: $(BUILDDIR)
 cd $(BUILDDIR) && $(DIR)/configure $(CONFIG_OPTS)
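Review bot: The `*.swidtag` argument to `find -name` in the new `execute_chroot 'find ... -name *.swidtag -delete'` line is an unquoted glob inside the chroot command, so if the directory in which `execute_chroot` evaluates the string contains matching files the shell expands it before `find` sees it and `find` receives the wrong pattern or several of them; quoting it avoids that: `execute_chroot 'find /usr/local/share/regid.2004-03.org.strongswan -name "*.swidtag" -delete'`. Whether the expansion can actually happen depends on how `execute_chroot`, defined outside this hunk, runs its argument. The `cat $SWANDIR/configure.ac | sed -n ...` fallback can read the file directly, `sed -n '/^AC_INIT/{ s/.*,\[\(.*\)\])$/\1/p }' $SWANDIR/configure.ac`, which also makes a missing configure.ac fail the substitution instead of producing an empty version.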
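Review bot: `echo "$(SWANVERSION)" > /root/shared/.strongswan-version` in the `$(PKG)` rule of 013_strongswan.mk depends on a make variable that is neither defined in this file nor, as far as this diff shows, exported from the shell that sets `SWANVERSION` in `testing/scripts/build-strongswan`; if it is empty at make time the recipe overwrites the version file that `build-strongswan` writes with an empty line. Skipping the write when the variable is unset keeps the earlier value and does not fail the rule: `[ -z "$(SWANVERSION)" ] || echo "$(SWANVERSION)" > /root/shared/.strongswan-version`. Confirming where the variable enters make's environment would settle whether this can occur.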
diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat
index 886fdf55c..de4acbbf0 100644
--- a/testing/tests/af-alg/alg-camellia/pretest.dat
+++ b/testing/tests/af-alg/alg-camellia/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat
index c582e030d..855c273cc 100644
--- a/testing/tests/af-alg/rw-cert/pretest.dat
+++ b/testing/tests/af-alg/rw-cert/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
-dave::ipsec up home
+dave::ipsec up home
\ No newline at end of file
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
index 1b8fc3b79..8230de058 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
@@ -1,4 +1,4 @@
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
index 1b8fc3b79..8230de058 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
@@ -1,4 +1,4 @@
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
index 886fdf55c..de4acbbf0 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
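Review bot: The last hunk of `testing/tests/af-alg/rw-cert/pretest.dat` replaces `dave::ipsec up home` with the identical line minus its trailing newline (`\ No newline at end of file`), which looks accidental rather than intended; restoring the newline keeps the file consistent with the sibling pretest.dat files in this commit, all of which end with one.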
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
index c582e030d..f1a4b964c 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ha/active-passive/evaltest.dat b/testing/tests/ha/active-passive/evaltest.dat
index 448f283f1..9af5c4c02 100644
--- a/testing/tests/ha/active-passive/evaltest.dat
+++ b/testing/tests/ha/active-passive/evaltest.dat
@@ -16,7 +16,7 @@ dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 alice::ip xfrm policy flush::no output expected::NO
 alice::ip xfrm state flush::no output expected::NO
 alice::killall -9 starter charon::no output expected::NO
-carol::sleep 3::no output expected::NO
+carol::sleep 2::no output expected::NO
 moon:: cat /var/log/daemon.log::no heartbeat received, taking all segments::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ha/active-passive/pretest.dat b/testing/tests/ha/active-passive/pretest.dat
index d0efb76f7..2bdab2839 100644
--- a/testing/tests/ha/active-passive/pretest.dat
+++ b/testing/tests/ha/active-passive/pretest.dat
@@ -12,10 +12,11 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 alice::ipsec start
 moon::ipsec start
-moon::sleep 2
+moon::sleep 2
 alice::echo "+1" > /var/run/charon.ha
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat
index 5ffc38766..f48873f62 100644
--- a/testing/tests/ha/both-active/pretest.dat
+++ b/testing/tests/ha/both-active/pretest.dat
@@ -14,6 +14,7 @@ alice::ipsec start
 alice::sleep 1
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ike/rw-cert/pretest.dat b/testing/tests/ike/rw-cert/pretest.dat
index e50793830..f1af9ede5 100644
--- a/testing/tests/ike/rw-cert/pretest.dat
+++ b/testing/tests/ike/rw-cert/pretest.dat
@@ -1,7 +1,7 @@
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ike/rw_v1-net_v2/pretest.dat b/testing/tests/ike/rw_v1-net_v2/pretest.dat
index f61a4cb51..072d9ddeb 100644
--- a/testing/tests/ike/rw_v1-net_v2/pretest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/pretest.dat
@@ -1,7 +1,7 @@
 moon::ipsec start
 sun::ipsec start
 carol::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
+carol::expect-connection home
 moon::ipsec up net-net
 carol::ipsec up home
-moon::sleep 1
diff --git a/testing/tests/ikev1/alg-3des-md5/pretest.dat b/testing/tests/ikev1/alg-3des-md5/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev1/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev1/alg-3des-md5/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat
index 8bbea1412..f1a4b964c 100644
--- a/testing/tests/ikev1/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev1/alg-blowfish/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
index 8bbea1412..f1a4b964c 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev1/alg-sha256/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev1/alg-sha256/pretest.dat
+++ b/testing/tests/ikev1/alg-sha256/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev1/alg-sha384/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev1/alg-sha384/pretest.dat
+++ b/testing/tests/ikev1/alg-sha384/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev1/alg-sha512/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev1/alg-sha512/pretest.dat
+++ b/testing/tests/ikev1/alg-sha512/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat
index f5aa989fe..8230de058 100644
--- a/testing/tests/ikev1/compress/pretest.dat
+++ b/testing/tests/ikev1/compress/pretest.dat
@@ -1,4 +1,4 @@
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/config-payload-push/pretest.dat b/testing/tests/ikev1/config-payload-push/pretest.dat
index 3864bdac3..c0ec6a7a4 100644
--- a/testing/tests/ikev1/config-payload-push/pretest.dat
+++ b/testing/tests/ikev1/config-payload-push/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/config-payload/pretest.dat b/testing/tests/ikev1/config-payload/pretest.dat
index 3864bdac3..c0ec6a7a4 100644
--- a/testing/tests/ikev1/config-payload/pretest.dat
+++ b/testing/tests/ikev1/config-payload/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat
index 17a4fe5eb..d300a276f 100644
--- a/testing/tests/ikev1/double-nat-net/pretest.dat
+++ b/testing/tests/ikev1/double-nat-net/pretest.dat
@@ -7,6 +7,5 @@ sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-des
 sun::ip route add 10.1.0.0/16 via PH_IP_BOB
 alice::ipsec start
 bob::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-alice::sleep 1
diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat
index 65f18b756..6a861d29f 100644
--- a/testing/tests/ikev1/double-nat/pretest.dat
+++ b/testing/tests/ikev1/double-nat/pretest.dat
@@ -6,6 +6,5 @@ sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-s
 sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
 alice::ipsec start
 bob::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-alice::sleep 1
diff --git a/testing/tests/ikev1/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt
index 7f62dc576..0fb2f1064 100644
--- a/testing/tests/ikev1/dpd-clear/description.txt
+++ b/testing/tests/ikev1/dpd-clear/description.txt
@@ -1,5 +1,5 @@
 The roadwarrior carol sets up an IPsec tunnel connection to the gateway moon which in turn activates Dead Peer Detection (DPD) with a polling interval of 10 s. When the network connectivity between carol and moon is forcefully disrupted,
-moon clears the connection after 4 unsuccessful retransmits.
+moon clears the connection after a number of unsuccessful retransmits.
diff --git a/testing/tests/ikev1/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat
index f6f18212c..8d4fa03a8 100644
--- a/testing/tests/ikev1/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev1/dpd-clear/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon:: sleep 60::no output expected::NO
+moon:: sleep 16::no output expected::NO
 moon:: cat /var/log/daemon.log::sending DPD request::YES
-moon::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
+moon:: cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
index 83f2849a4..9219e7028 100644
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -9,8 +9,8 @@ conn %default
 keyingtries=1
 keyexchange=ikev1
 dpdaction=clear
- dpddelay=10
- dpdtimeout=45
+ dpddelay=5
+ dpdtimeout=15
 
 conn rw
 left=PH_IP_MOON
diff --git a/testing/tests/ikev1/dpd-clear/pretest.dat b/testing/tests/ikev1/dpd-clear/pretest.dat
index 14ed95322..3a1982f8a 100644
--- a/testing/tests/ikev1/dpd-clear/pretest.dat
+++ b/testing/tests/ikev1/dpd-clear/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt
index 410d3d636..6f4af9439 100644
--- a/testing/tests/ikev1/dpd-restart/description.txt
+++ b/testing/tests/ikev1/dpd-restart/description.txt
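Review bot: The new `moon:: sleep 16::no output expected::NO` in dpd-clear/evaltest.dat leaves only one second of headroom over the `dpdtimeout=15` set in the moon ipsec.conf hunk further down before the log is grepped for "DPD check timed out, enforcing DPD action", so on a loaded test host the evaluation can run before the timeout has actually fired and the test turns flaky rather than failing for a real reason. The same one-second margin appears in the dpd-restart/evaltest.dat hunk (`carol::sleep 16`), which additionally gives the reconnect only `carol::sleep 2` before asserting INSTALLED, TUNNEL on both ends. A small buffer keeps the speed-up while making the check deterministic, e.g. `moon:: sleep 20::no output expected::NO` here and the corresponding 20/4 values in dpd-restart. If the test framework retries evaltest lines on a mismatch, that would remove the concern, but nothing on this page shows it.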
@@ -1,7 +1,7 @@
 The roadwarrior carol sets up an IPsec tunnel connection to the gateway moon. Both end points activate Dead Peer Detection (DPD) with a
-polling interval of 10 s. When the network connectivity between carol
-and moon is forcefully disrupted for a duration of 100 s, moon
-clears the connection after 4 unsuccessful retransmits whereas carol
+polling interval of 10s. When the network connectivity between carol
+and moon is forcefully disrupted for a duration of 100s, moon
+clears the connection after a number of unsuccessful retransmits whereas carol
 also takes down the connection but immediately tries to reconnect which succeeds as soon as the connection becomes available again.
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
index 6a749b826..a685ce166 100644
--- a/testing/tests/ikev1/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -2,12 +2,12 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 60::no output expected::NO
+carol::sleep 16::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
 carol::cat /var/log/daemon.log::restarting CHILD_SA home::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::sleep 10::no output expected::NO
+carol::sleep 2::no output expected::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
index d3c105c31..4e142d699 100644
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -9,8 +9,8 @@ conn %default
 keyingtries=1
 keyexchange=ikev1
 dpdaction=restart
- dpddelay=10
- dpdtimeout=45
+ dpddelay=5
+ dpdtimeout=15
 
 conn home
 left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat
index 32ac12ddc..6898bd567 100644
--- a/testing/tests/ikev1/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat
@@ -1,6 +1,5 @@
 dave::ipsec stop
 carol::ipsec stop
-dave::sleep 1
 moon::ipsec stop
 carol::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
index 9aadb2a4c..7e6ad46df 100644
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -2,10 +2,9 @@ carol::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection moon
 carol::ipsec up moon
-carol::sleep 1
 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::expect-connection moon
 dave::ipsec up moon
-dave::sleep 2
diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat
index 32ac12ddc..6898bd567 100644
--- a/testing/tests/ikev1/dynamic-responder/posttest.dat
+++ b/testing/tests/ikev1/dynamic-responder/posttest.dat
@@ -1,6 +1,5 @@
 dave::ipsec stop
 carol::ipsec stop
-dave::sleep 1
 moon::ipsec stop
 carol::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
index 8dc744f9a..0c423aeec 100644
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -2,10 +2,11 @@ carol::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-moon::sleep 2
+moon::expect-connection carol
 moon::ipsec up carol
-moon::sleep 1
+moon::sleep 0.5
 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::expect-connection moon
 dave::ipsec up moon
-dave::sleep 2
+moon::sleep 0.5
diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
index 7b2609846..119c8e45a 100644
--- a/testing/tests/ikev1/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
@@ -1,6 +1,5 @@
 carol::ipsec stop
 dave::ipsec stop
-moon::sleep 1
 moon::ipsec stop
 moon::mv /etc/hosts.ori /etc/hosts
 moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
index 4bb2a4686..c19b38fcd 100644
--- a/testing/tests/ikev1/dynamic-two-peers/pretest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
@@ -6,7 +6,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection moon
+dave::expect-connection moon
 carol::ipsec up moon
 dave::ipsec up moon
-carol::sleep 1
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
index f5aa989fe..8230de058 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
@@ -1,4 +1,4 @@
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat
index 886fdf55c..de4acbbf0 100644
--- a/testing/tests/ikev1/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-null/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/host2host-ah/pretest.dat b/testing/tests/ikev1/host2host-ah/pretest.dat
index 99789b90f..997a48167 100644
--- a/testing/tests/ikev1/host2host-ah/pretest.dat
+++ b/testing/tests/ikev1/host2host-ah/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat
index 3bce9f6e5..997a48167 100644
--- a/testing/tests/ikev1/host2host-cert/pretest.dat
+++ b/testing/tests/ikev1/host2host-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat
index 99789b90f..997a48167 100644
--- a/testing/tests/ikev1/host2host-transport/pretest.dat
+++ b/testing/tests/ikev1/host2host-transport/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
index a4542db77..6c22fd548 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
 plugins {
 attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 }
diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat
index c99f347e3..37436a3d9 100644
--- a/testing/tests/ikev1/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev1/ip-pool-db/posttest.dat
@@ -7,4 +7,3 @@ dave::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del bigpool 2> /dev/null
 moon::ipsec pool --del dns 2> /dev/null
 moon::ipsec pool --del nbns 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
index 2327eb983..337ccb297 100644
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
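Review bot: Dropping `moon::rm /etc/ipsec.d/ipsec.*` from ip-pool-db/posttest.dat without adding the equivalent for the new location leaves `/etc/db.d/ipsec.sql` and `/etc/db.d/ipsec.db`, which the ip-pool-db/pretest.dat hunk that follows now creates, on the moon guest after the run. A stale pool database carried into a later test would make its `ipsec pool --add` and the attribute lookups depend on leftover state, which is exactly the kind of cross-test contamination the old cleanup line prevented. If the new `DBHOSTS="moon"` entry in test.conf means the framework now provisions and wipes /etc/db.d per test, this is fine, but nothing on this page shows that; otherwise the deleted line should become `moon::rm /etc/db.d/ipsec.*` rather than disappear.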
@@ -1,5 +1,5 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
 moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
@@ -7,10 +7,10 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf
index 164b07ff9..31820ea1a 100644
--- a/testing/tests/ikev1/ip-pool-db/test.conf
+++ b/testing/tests/ikev1/ip-pool-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat
index 3864bdac3..2d09e88ce 100644
--- a/testing/tests/ikev1/ip-pool/pretest.dat
+++ b/testing/tests/ikev1/ip-pool/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
index 2eebc0f84..bee9bc792 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-moon::sleep 2
+moon::expect-connection alice
+moon::expect-connection venus
 moon::ipsec up alice
 moon::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
index 86dd31e83..be0051e0b 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
 carol::ipsec up alice
+dave::expect-connection venus
 dave::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat
index 755564cbc..2134d6bea 100644
--- a/testing/tests/ikev1/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca/pretest.dat
@@ -1,8 +1,11 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up venus
 dave::ipsec up alice
diff --git a/testing/tests/ikev1/nat-rw/pretest.dat b/testing/tests/ikev1/nat-rw/pretest.dat
index d701a1d61..e3d9fc858 100644
--- a/testing/tests/ikev1/nat-rw/pretest.dat
+++ b/testing/tests/ikev1/nat-rw/pretest.dat
@@ -6,8 +6,7 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-venus::sleep 2
+venus::expect-connection nat-t
 venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
index 8945d87b9..1732d6efa 100644
--- a/testing/tests/ikev1/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ikev1/net2net-ah/pretest.dat b/testing/tests/ikev1/net2net-ah/pretest.dat
index 81a98fa41..25e393c8e 100644
--- a/testing/tests/ikev1/net2net-ah/pretest.dat
+++ b/testing/tests/ikev1/net2net-ah/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::ipsec start
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat
index c724e5df8..25e393c8e 100644
--- a/testing/tests/ikev1/net2net-cert/pretest.dat
+++ b/testing/tests/ikev1/net2net-cert/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::ipsec start
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-fragmentation/pretest.dat b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
index c724e5df8..25e393c8e 100644
--- a/testing/tests/ikev1/net2net-fragmentation/pretest.dat
+++ b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::ipsec start
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-ntru-cert/pretest.dat b/testing/tests/ikev1/net2net-ntru-cert/pretest.dat
index c724e5df8..1732d6efa 100644
--- a/testing/tests/ikev1/net2net-ntru-cert/pretest.dat
+++ b/testing/tests/ikev1/net2net-ntru-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
index 0f4ae0f4f..fe4223a44 100644
--- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
@@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::ipsec start
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat
index 0f4ae0f4f..fe4223a44 100644
--- a/testing/tests/ikev1/net2net-psk/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk/pretest.dat
@@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::ipsec start
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat
index efb2e5712..4759fdb7b 100644
--- a/testing/tests/ikev1/protoport-dual/pretest.dat
+++ b/testing/tests/ikev1/protoport-dual/pretest.dat
@@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home-icmp
+carol::expect-connection home-ssh
 carol::ipsec up home-icmp
 carol::ipsec up home-ssh
diff --git a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
+++ b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-cert-unity/pretest.dat b/testing/tests/ikev1/rw-cert-unity/pretest.dat
index 4fbe475bf..3a1982f8a 100644
--- a/testing/tests/ikev1/rw-cert-unity/pretest.dat
+++ b/testing/tests/ikev1/rw-cert-unity/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-cert/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat
index 8bbea1412..e87a8ee47 100644
--- a/testing/tests/ikev1/rw-cert/pretest.dat
+++ b/testing/tests/ikev1/rw-cert/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
index 2b80853c6..094e0effa 100644
--- a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,4 @@
 
 charon {
 load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-
- retransmit_timeout = 2
- retransmit_base = 1.5
- retransmit_tries = 3
 }
diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat
index fc7173430..5a972079b 100644
--- a/testing/tests/ikev1/rw-initiator-only/pretest.dat
+++ b/testing/tests/ikev1/rw-initiator-only/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+dave::expect-connection peer
 dave::ipsec up peer
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-ntru-psk/pretest.dat b/testing/tests/ikev1/rw-ntru-psk/pretest.dat
index 40eaede87..e827687f8 100644
--- a/testing/tests/ikev1/rw-ntru-psk/pretest.dat
+++ b/testing/tests/ikev1/rw-ntru-psk/pretest.dat
@@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
index 44f41f995..ab5e18da2 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
@@ -4,9 +4,10 @@ dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
index 44f41f995..ab5e18da2 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
@@ -4,9 +4,10 @@ dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
index 44f41f995..ab5e18da2 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
@@ -4,9 +4,10 @@ dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/virtual-ip/pretest.dat b/testing/tests/ikev1/virtual-ip/pretest.dat
index 1765a83cd..2d09e88ce 100644
--- a/testing/tests/ikev1/virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/virtual-ip/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
index 88a91ae86..ab5e18da2 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
@@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
index e5a06d44c..a55cf37b2 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
index e5a06d44c..a55cf37b2 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
index e5a06d44c..a55cf37b2 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat
index 88a91ae86..ab5e18da2 100644
--- a/testing/tests/ikev1/xauth-psk/pretest.dat
+++ b/testing/tests/ikev1/xauth-psk/pretest.dat
@@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
index 9adc43d3e..c65fbda83 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
index 9adc43d3e..c65fbda83 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat
index e5a06d44c..a55cf37b2 100644
--- a/testing/tests/ikev1/xauth-rsa/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/acert-cached/evaltest.dat b/testing/tests/ikev2/acert-cached/evaltest.dat
index 682c55ce2..c0bb035a1 100644
--- a/testing/tests/ikev2/acert-cached/evaltest.dat
+++ b/testing/tests/ikev2/acert-cached/evaltest.dat
@@ -5,7 +5,7 @@ moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave
 moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES
 dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/acert-cached/pretest.dat b/testing/tests/ikev2/acert-cached/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/ikev2/acert-cached/pretest.dat
+++ b/testing/tests/ikev2/acert-cached/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/acert-fallback/evaltest.dat b/testing/tests/ikev2/acert-fallback/evaltest.dat
index 985f3208e..17d83d182 100644
--- a/testing/tests/ikev2/acert-fallback/evaltest.dat
+++ b/testing/tests/ikev2/acert-fallback/evaltest.dat
@@ -2,7 +2,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/acert-fallback/pretest.dat b/testing/tests/ikev2/acert-fallback/pretest.dat
index baacc1605..de4acbbf0 100644
--- a/testing/tests/ikev2/acert-fallback/pretest.dat
+++ b/testing/tests/ikev2/acert-fallback/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/acert-inline/evaltest.dat b/testing/tests/ikev2/acert-inline/evaltest.dat
index ba448f81b..98128e715 100644
--- a/testing/tests/ikev2/acert-inline/evaltest.dat
+++ b/testing/tests/ikev2/acert-inline/evaltest.dat
@@ -8,7 +8,7 @@ dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O
 dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=expired AA\"::YES
 dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/acert-inline/pretest.dat b/testing/tests/ikev2/acert-inline/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/ikev2/acert-inline/pretest.dat
+++ b/testing/tests/ikev2/acert-inline/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat
index baacc1605..de4acbbf0 100644
--- a/testing/tests/ikev2/after-2038-certs/pretest.dat
+++ b/testing/tests/ikev2/after-2038-certs/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev2/alg-blowfish/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat b/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat
+++ b/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/alg-sha256-96/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/alg-sha256/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/alg-sha384/pretest.dat
+++ b/testing/tests/ikev2/alg-sha384/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/alg-sha512/pretest.dat
+++ b/testing/tests/ikev2/alg-sha512/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2/any-interface/pretest.dat
index 0a6ce8be4..2f27224d2 100644
--- a/testing/tests/ikev2/any-interface/pretest.dat
+++ b/testing/tests/ikev2/any-interface/pretest.dat
@@ -4,7 +4,8 @@ alice::ipsec start
 moon::ipsec start
 sun::ipsec start
 bob::ipsec start
-moon::sleep 2
-moon::ping -n -c 3 -s 8184 -p deadbeef PH_IP_ALICE
-moon::ping -n -c 3 -s 8184 -p deadbeef PH_IP_SUN
-bob::ping -n -c 3 -s 8184 -p deadbeef PH_IP_SUN1
+moon::expect-connection alice
+moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_ALICE
+moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN
+bob::expect-connection sun
+bob::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN1
diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat
index 29a90355f..1fd37b6a8 100644
--- a/testing/tests/ikev2/compress/pretest.dat
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -2,5 +2,5 @@ carol::iptables-restore < /etc/iptables.rules
 moon::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/config-payload-swapped/pretest.dat b/testing/tests/ikev2/config-payload-swapped/pretest.dat
index 3864bdac3..2d09e88ce 100644
--- a/testing/tests/ikev2/config-payload-swapped/pretest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat
index 3864bdac3..2d09e88ce 100644
--- a/testing/tests/ikev2/config-payload/pretest.dat
+++ b/testing/tests/ikev2/config-payload/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
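Review bot: In any-interface/pretest.dat both of moon's pings are gated only by `+moon::expect-connection alice`, yet the second one targets PH_IP_SUN. If moon's configuration (not in view) carries a separate connection for the sun leg, nothing waits for that connection to be loaded before the `-W 1 -i 0.2` ping fires, which is precisely the start-up race the removed `moon::sleep 2` papered over; if a single connection covers both legs this is fine. In the former case add `moon::expect-connection <sun-connection-name>` ahead of the PH_IP_SUN ping, mirroring how bob gates its ping with `bob::expect-connection sun`.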
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat
index c724e5df8..1732d6efa 100644
--- a/testing/tests/ikev2/critical-extension/pretest.dat
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/crl-from-cache/pretest.dat b/testing/tests/ikev2/crl-from-cache/pretest.dat
index acdb265ed..d4141a30c 100644
--- a/testing/tests/ikev2/crl-from-cache/pretest.dat
+++ b/testing/tests/ikev2/crl-from-cache/pretest.dat
@@ -4,5 +4,5 @@ carol::wget -q http://crl.strongswan.org/strongswan.crl
 carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat
index 8ffa9d3ed..4eed5e073 100644
--- a/testing/tests/ikev2/crl-ldap/pretest.dat
+++ b/testing/tests/ikev2/crl-ldap/pretest.dat
@@ -3,6 +3,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 3
diff --git a/testing/tests/ikev2/crl-revoked/pretest.dat b/testing/tests/ikev2/crl-revoked/pretest.dat
index 8984dcbcf..3a1982f8a 100644
--- a/testing/tests/ikev2/crl-revoked/pretest.dat
+++ b/testing/tests/ikev2/crl-revoked/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/crl-to-cache/pretest.dat b/testing/tests/ikev2/crl-to-cache/pretest.dat
index d92333d86..3a1982f8a 100644
--- a/testing/tests/ikev2/crl-to-cache/pretest.dat
+++ b/testing/tests/ikev2/crl-to-cache/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
index ef5f67097..9e291d291 100644
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -10,10 +10,10 @@ moon::rm /etc/ipsec.d/private/*
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
-moon::sleep 5
+moon::expect-connection carol
 moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
 moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
 moon::ipsec reload
 carol::ipsec reload
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
index 5670a2e89..3b22f29f2 100644
--- a/testing/tests/ikev2/dhcp-dynamic/pretest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
@@ -6,7 +6,7 @@ venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
index 5670a2e89..8eafe1a9e 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
@@ -6,7 +6,7 @@ venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+carol::expect-connection home
 dave::ipsec up home
-carol::sleep 1
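Review bot: In dhcp-static-client-id/pretest.dat the gate placed before `dave::ipsec up home` runs on the wrong host: `+carol::expect-connection home` waits on carol, which has already passed its own expect-connection, so dave's `ipsec up` is effectively ungated and the daemon start-up race that the removed `sleep` lines covered is reintroduced on dave. The parallel hunks for dhcp-dynamic (just above) and dhcp-static-mac (next) both use `+dave::expect-connection home`, and the different post-image blob id in this file's index line is consistent with it being the only one of the three that diverges. Change the line to `+dave::expect-connection home`.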
diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
index 5670a2e89..3b22f29f2 100644
--- a/testing/tests/ikev2/dhcp-static-mac/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
@@ -6,7 +6,7 @@ venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat
index 17a4fe5eb..d300a276f 100644
--- a/testing/tests/ikev2/double-nat-net/pretest.dat
+++ b/testing/tests/ikev2/double-nat-net/pretest.dat
@@ -7,6 +7,5 @@ sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-des
 sun::ip route add 10.1.0.0/16 via PH_IP_BOB
 alice::ipsec start
 bob::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-alice::sleep 1
diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat
index 65f18b756..6a861d29f 100644
--- a/testing/tests/ikev2/double-nat/pretest.dat
+++ b/testing/tests/ikev2/double-nat/pretest.dat
@@ -6,6 +6,5 @@ sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-s
 sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
 alice::ipsec start
 bob::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-alice::sleep 1
diff --git a/testing/tests/ikev2/dpd-clear/description.txt b/testing/tests/ikev2/dpd-clear/description.txt
index 7f62dc576..0fb2f1064 100644
--- a/testing/tests/ikev2/dpd-clear/description.txt
+++ b/testing/tests/ikev2/dpd-clear/description.txt
@@ -1,5 +1,5 @@ The roadwarrior carol sets up an IPsec tunnel connection to the gateway moon which in turn activates Dead Peer Detection (DPD) with a polling interval of 10 s. When the network connectivity between carol and moon is forcefully disrupted,
-moon clears the connection after 4 unsuccessful retransmits.
+moon clears the connection after a number of unsuccessful retransmits.
diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat
index c1a271903..2071e8fc8 100644
--- a/testing/tests/ikev2/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev2/dpd-clear/evaltest.dat
@@ -1,8 +1,8 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon:: sleep 180::no output expected::NO
+moon:: sleep 13::no output expected::NO
 moon:: cat /var/log/daemon.log::sending DPD request::YES
 moon:: cat /var/log/daemon.log::retransmit.*of request::YES
-moon:: cat /var/log/daemon.log::giving up after 5 retransmits::YES
+moon:: cat /var/log/daemon.log::giving up after.*retransmits::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
diff --git a/testing/tests/ikev2/dpd-clear/pretest.dat b/testing/tests/ikev2/dpd-clear/pretest.dat
index 14ed95322..3a1982f8a 100644
--- a/testing/tests/ikev2/dpd-clear/pretest.dat
+++ b/testing/tests/ikev2/dpd-clear/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2/dpd-hold/evaltest.dat
index 4c035a6e9..9ce76f976 100644
--- a/testing/tests/ikev2/dpd-hold/evaltest.dat
+++ b/testing/tests/ikev2/dpd-hold/evaltest.dat
@@ -2,13 +2,13 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 180::no output expected::NO
+carol::sleep 13::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::ping -c 1 PH_IP_ALICE::trigger route::NO
-carol::sleep 2::no output expected::NO
+carol::ping -c 1 -W 1 PH_IP_ALICE::trigger route::NO
+carol::sleep 1::no output expected::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dpd-hold/pretest.dat b/testing/tests/ikev2/dpd-hold/pretest.dat
index 14ed95322..3a1982f8a 100644
--- a/testing/tests/ikev2/dpd-hold/pretest.dat
+++ b/testing/tests/ikev2/dpd-hold/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat
index 962bd0636..25c54df95 100644
--- a/testing/tests/ikev2/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev2/dpd-restart/evaltest.dat
@@ -2,12 +2,12 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 180::no output expected::NO
+carol::sleep 13::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::sleep 10::no output expected::NO
+carol::sleep 2::no output expected::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dpd-restart/pretest.dat b/testing/tests/ikev2/dpd-restart/pretest.dat
index 14ed95322..3a1982f8a 100644
--- a/testing/tests/ikev2/dpd-restart/pretest.dat
+++ b/testing/tests/ikev2/dpd-restart/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt
index e74ee1569..3e441b2fe 100644
--- a/testing/tests/ikev2/dynamic-initiator/description.txt
+++ b/testing/tests/ikev2/dynamic-initiator/description.txt
@@ -1,12 +1,12 @@ The peers carol and moon both have dynamic IP addresses, so that the remote end -is defined symbolically by right=<hostname>. The ipsec starter resolves the +is defined symbolically by right=<hostname>. The IKE daemon resolves the fully-qualified hostname into the current IP address via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are expected to change over time, the option -rightallowany=yes will allow an IKE_SA rekeying to arrive from an arbitrary +% prefix in the right option will allow an IKE_SA rekeying to arrive from an arbitrary IP address under the condition that the peer identity remains unchanged. When this happens the old tunnel is replaced by an IPsec connection to the new origin.

In this scenario carol first initiates a tunnel to moon. After some time carol suddenly changes her IP address and restarts the connection to moon without deleting the old tunnel first (simulated by iptables blocking IKE packets to and from
-carol and starting the connection from host dave using carol's identity).
+carol and starting the connection from host dave using carol's identity).
diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat
index 83063a23f..715bb9482 100644
--- a/testing/tests/ikev2/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat
@@ -1,6 +1,5 @@
 dave::ipsec stop
 carol::ipsec stop
-dave::sleep 1
 moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat
index 3e1cfce77..f354efe51 100644
--- a/testing/tests/ikev2/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat
@@ -4,10 +4,9 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection moon
 carol::ipsec up moon
-carol::sleep 1
 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::expect-connection moon
 dave::ipsec up moon
-dave::sleep 2
diff --git a/testing/tests/ikev2/dynamic-two-peers/posttest.dat b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
index 7b2609846..119c8e45a 100644
--- a/testing/tests/ikev2/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
@@ -1,6 +1,5 @@
 carol::ipsec stop
 dave::ipsec stop
-moon::sleep 1
 moon::ipsec stop
 moon::mv /etc/hosts.ori /etc/hosts
 moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/dynamic-two-peers/pretest.dat b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
index 4bb2a4686..ee0b156dd 100644
--- a/testing/tests/ikev2/dynamic-two-peers/pretest.dat
+++ b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
@@ -6,7 +6,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection moon
 carol::ipsec up moon
+dave::expect-connection moon
 dave::ipsec up moon
-carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
index 886fdf55c..de4acbbf0 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat
index 886fdf55c..de4acbbf0 100644
--- a/testing/tests/ikev2/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-null/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
index 886fdf55c..de4acbbf0 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2/farp/pretest.dat
index f0254da6c..1a982288d 100644
--- a/testing/tests/ikev2/farp/pretest.dat
+++ b/testing/tests/ikev2/farp/pretest.dat
@@ -6,7 +6,7 @@ alice::arp -d 10.1.0.40
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/force-udp-encaps/pretest.dat b/testing/tests/ikev2/force-udp-encaps/pretest.dat
index 7be66867a..87a7764cf 100644
--- a/testing/tests/ikev2/force-udp-encaps/pretest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/pretest.dat
@@ -4,7 +4,5 @@ sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
 alice::ipsec start
 sun::ipsec start
-alice::sleep 4
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-alice::sleep 1
-
diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2/forecast/pretest.dat
index 206bf5b64..68a0c2cda 100644
--- a/testing/tests/ikev2/forecast/pretest.dat
+++ b/testing/tests/ikev2/forecast/pretest.dat
@@ -1,7 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/host2host-ah/pretest.dat b/testing/tests/ikev2/host2host-ah/pretest.dat
index 99789b90f..997a48167 100644
--- a/testing/tests/ikev2/host2host-ah/pretest.dat
+++ b/testing/tests/ikev2/host2host-ah/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat
index 3bce9f6e5..997a48167 100644
--- a/testing/tests/ikev2/host2host-cert/pretest.dat
+++ b/testing/tests/ikev2/host2host-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat
index 3bce9f6e5..997a48167 100644
--- a/testing/tests/ikev2/host2host-swapped/pretest.dat
+++ b/testing/tests/ikev2/host2host-swapped/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat
index 99789b90f..997a48167 100644
--- a/testing/tests/ikev2/host2host-transport/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
index 221c59318..76b45c280 100644
--- a/testing/tests/ikev2/inactivity-timeout/evaltest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
@@ -1,8 +1,8 @@
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::sleep 15::NO
+carol::sleep 11::NO
 carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
 carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2/inactivity-timeout/pretest.dat
index b949aaeaf..ac7b8d978 100644
--- a/testing/tests/ikev2/inactivity-timeout/pretest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/pretest.dat
@@ -1,6 +1,5 @@
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index a4542db77..6c22fd548 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
 plugins {
 attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 }
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index c99f347e3..37436a3d9 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
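Review bot: `carol::sleep 11::NO` leaves only about one second between the 10-second inactivity timeout and the `carol::cat /var/log/daemon.log` check on the next line, so the "deleting CHILD_SA after 10 seconds of inactivity" message has to be logged within that window or the test fails intermittently; the replaced `sleep 15` had five seconds of slack. Unless the test framework adds a delay of its own between evaltest lines, which this diff does not show, `carol::sleep 12::NO` or `carol::sleep 13::NO` would keep most of the speed-up while tolerating a late timer. The `-W 1` added to the final negative ping is a good change, since it bounds the wait on a probe that is expected to fail.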
@@ -7,4 +7,3 @@ dave::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del bigpool 2> /dev/null
 moon::ipsec pool --del dns 2> /dev/null
 moon::ipsec pool --del nbns 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index 2327eb983..337ccb297 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -1,5 +1,5 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
 moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
@@ -7,10 +7,10 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf
index 164b07ff9..31820ea1a 100644
--- a/testing/tests/ikev2/ip-pool-db/test.conf
+++ b/testing/tests/ikev2/ip-pool-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat
index 1466fd2f2..2d09e88ce 100644
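Review bot: The removed `moon::rm /etc/ipsec.d/ipsec.*` has no counterpart for the `/etc/db.d/ipsec.sql` and `/etc/db.d/ipsec.db` files that the reworked pretest.dat in this same file section now creates, so the sqlite database outlives the test unless the `DBHOSTS="moon"` setting added to test.conf makes the framework reset `/etc/db.d` between runs; that mechanism is not visible in this diff. If it does not, a stale ipsec.db with leftover pool rows is reused by the next run's `ipsec pool --add`, and the `2> /dev/null` on those lines would hide the resulting error. The same line is dropped without replacement in the ip-split-pools-db, ip-two-pools-db, ip-two-pools-mixed, ip-two-pools-v4v6-db and ip-two-pools posttest hunks; if the cleanup is intended to live in the framework, a one-line comment in posttest.dat such as `# database files under /etc/db.d are removed by the framework (DBHOSTS)` would make that explicit.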
--- a/testing/tests/ikev2/ip-pool-wish/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat
index 3864bdac3..2d09e88ce 100644
--- a/testing/tests/ikev2/ip-pool/pretest.dat
+++ b/testing/tests/ikev2/ip-pool/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index a4542db77..6c22fd548 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
 plugins {
 attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
index 9d88281ad..6066d464a 100644
--- a/testing/tests/ikev2/ip-split-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
@@ -3,4 +3,3 @@ dave::ipsec stop
 moon::ipsec stop
 moon::ipsec pool --del pool0 2> /dev/null
 moon::ipsec pool --del pool1 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-split-pools-db/pretest.dat b/testing/tests/ikev2/ip-split-pools-db/pretest.dat
index c5af81b38..f74576382 100644
--- a/testing/tests/ikev2/ip-split-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/pretest.dat
@@ -1,12 +1,12 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add pool0 --start 10.3.0.1 --end 10.3.0.1 --timeout 48 2> /dev/null
 moon::ipsec pool --add pool1 --start 10.3.1.1 --end 10.3.1.1 --timeout 48 2> /dev/null
 moon::ipsec pool --status 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf
index 164b07ff9..31820ea1a 100644
--- a/testing/tests/ikev2/ip-split-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon alice"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index fe6cdde42..cf3b0d81b 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
 plugins {
 attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 150690e3c..dd4abebad 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -15,4 +15,3 @@ moon::ipsec pool --del intpool 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
 moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
index bb36a2630..2d8b28cd9 100644
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -1,5 +1,5 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
 moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
 moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
@@ -13,14 +13,16 @@ venus::iptables-restore < /etc/iptables.rules
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
 alice::ipsec start
 venus::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
+alice::expect-connection home
 alice::ipsec up home
+venus::expect-connection home
 venus::ipsec up home
-alice::sleep 1
diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf
index c88e11d28..167c75d9d 100644
--- a/testing/tests/ikev2/ip-two-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice venus carol dave"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index fe6cdde42..cf3b0d81b 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
 plugins {
 attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
index 57449be25..0c3cd2648 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
@@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 alice::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del intpool 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
index 8ebfdc740..5b3274131 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
@@ -1,13 +1,13 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 alice::iptables-restore < /etc/iptables.rules
-carol::ipsec start
 moon::ipsec start
+carol::ipsec start
 alice::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+alice::expect-connection home
 alice::ipsec up home
-alice::sleep 1
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
index 1ed3473ab..0c1b38d49 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice carol"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
index c7e9a44c1..5176e2a4d 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
@@ -7,7 +7,7 @@ charon {
 libhydra {
 plugins {
 attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 }
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
index 2e78893e3..e46195cd3 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
@@ -1,4 +1,3 @@
 alice::ip -6 route del default via fec1:\:1
 carol::ipsec stop
 moon::ipsec stop
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
index 466a5eaec..60af3bce9 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
@@ -1,9 +1,9 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
 moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout 48 2> /dev/null
 alice::ip -6 route add default via fec1:\:1
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
index cd03759f0..60819189c 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="carol"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
index 04139badf..7eb81b60c 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
@@ -1,5 +1,5 @@
 alice::ip -6 route add default via fec1:\:1
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index 7de2bc9be..e4b043696 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -4,4 +4,3 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 alice::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat
index 4e8b639f4..56c1785cc 100644
--- a/testing/tests/ikev2/ip-two-pools/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools/pretest.dat
@@ -4,7 +4,7 @@ alice::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
 alice::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+alice::expect-connection home
 alice::ipsec up home
-alice::sleep 1
diff --git a/testing/tests/ikev2/lookip/pretest.dat b/testing/tests/ikev2/lookip/pretest.dat
index 3864bdac3..2d09e88ce 100644
--- a/testing/tests/ikev2/lookip/pretest.dat
+++ b/testing/tests/ikev2/lookip/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
index 6dd261f20..450e7cef6 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
@@ -5,11 +5,15 @@ -P OUTPUT DROP -P FORWARD DROP +# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953 +-A OUTPUT -o lo -j ACCEPT +-A INPUT -i lo -j ACCEPT + # allow IPsec tunnel traffic -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT -# allow ESP +# allow ESP -A INPUT -i eth0 -p 50 -j ACCEPT -A INPUT -i eth1 -p 50 -j ACCEPT -A OUTPUT -o eth0 -p 50 -j ACCEPT diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat index fde195daa..68df1b533 100644 --- a/testing/tests/ikev2/mobike-nat/pretest.dat +++ b/testing/tests/ikev2/mobike-nat/pretest.dat @@ -5,6 +5,5 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to- moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 alice::ipsec start sun::ipsec start -alice::sleep 2 +alice::expect-connection mobike alice::ipsec up mobike -alice::sleep 1 diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules index a238c8d19..450e7cef6 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules @@ -5,6 +5,10 @@ -P OUTPUT DROP -P FORWARD DROP +# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953 +-A OUTPUT -o lo -j ACCEPT +-A INPUT -i lo -j ACCEPT + # allow IPsec tunnel traffic -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat index 067c1a1ec..8197296ee 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat +++ b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat 
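Review bot: The new comment justifies the loopback rules with rndc on TCP 953, but `-A OUTPUT -o lo -j ACCEPT` and `-A INPUT -i lo -j ACCEPT` open all loopback traffic in both directions on a host whose default policies are DROP, which is broader than the stated reason. Accepting everything on lo is a common and usually harmless choice, so the simplest fix is to make the comment match the rule, e.g. `# allow all traffic on lo (ifup/ifdown call bind's rndc, which connects to TCP 953)`; if the intent really is to keep alice's ruleset minimal, the rules could instead be limited to `-p tcp --dport 953` and the matching reply direction. The identical block is added to the mobike-virtual-ip iptables.rules in this same line and to the mobike iptables.rules that follows.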
@@ -4,6 +4,5 @@ sun::iptables-restore < /etc/iptables.rules sun::ip route add 10.1.0.0/16 via PH_IP_MOON alice::ipsec start sun::ipsec start -alice::sleep 2 +alice::expect-connection mobike alice::ipsec up mobike -alice::sleep 1 diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules index a238c8d19..450e7cef6 100644 --- a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules +++ b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules @@ -5,6 +5,10 @@ -P OUTPUT DROP -P FORWARD DROP +# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953 +-A OUTPUT -o lo -j ACCEPT +-A INPUT -i lo -j ACCEPT + # allow IPsec tunnel traffic -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2/mobike/pretest.dat index 067c1a1ec..8197296ee 100644 --- a/testing/tests/ikev2/mobike/pretest.dat +++ b/testing/tests/ikev2/mobike/pretest.dat @@ -4,6 +4,5 @@ sun::iptables-restore < /etc/iptables.rules sun::ip route add 10.1.0.0/16 via PH_IP_MOON alice::ipsec start sun::ipsec start -alice::sleep 2 +alice::expect-connection mobike alice::ipsec up mobike -alice::sleep 1 diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat index 8457ae0dd..eb20c7f0b 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat 
@@ -18,4 +18,4 @@ moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 22806012345600
 moon::ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index eb69d2e45..07ffe10fa 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -8,7 +8,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
index 2eebc0f84..bee9bc792 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-moon::sleep 2
+moon::expect-connection alice
+moon::expect-connection venus
 moon::ipsec up alice
 moon::ipsec up venus
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
index 86dd31e83..be0051e0b 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
 carol::ipsec up alice
+dave::expect-connection venus
 dave::ipsec up venus
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
index 41319ae4d..d9ed52718 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
@@ -1,10 +1,13 @@
 winnetou::/etc/init.d/slapd start
 moon::iptables-restore < /etc/iptables.rules
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up venus
 dave::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
index bb538c160..3407743b3 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
@@ -1,5 +1,5 @@
 moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
 carol::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
index e209e60ff..8230de058 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
@@ -1,4 +1,4 @@
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat
index d92333d86..3a1982f8a 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
index 755564cbc..2134d6bea 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
@@ -1,8 +1,11 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up venus
 dave::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca/posttest.dat b/testing/tests/ikev2/multi-level-ca/posttest.dat
index 1646d5ed2..0f3f1ff89 100644
--- a/testing/tests/ikev2/multi-level-ca/posttest.dat
+++ b/testing/tests/ikev2/multi-level-ca/posttest.dat
@@ -2,4 +2,3 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat
index 755564cbc..2134d6bea 100644
--- a/testing/tests/ikev2/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca/pretest.dat
@@ -1,8 +1,11 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up venus
 dave::ipsec up alice
diff --git a/testing/tests/ikev2/nat-rw-mark/pretest.dat b/testing/tests/ikev2/nat-rw-mark/pretest.dat
index 6cddfd4fe..9d68e3c6e 100644
--- a/testing/tests/ikev2/nat-rw-mark/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/pretest.dat
@@ -13,8 +13,7 @@ sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20
 sun::ipsec start
 alice::ipsec start
 venus::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-venus::sleep 2
+venus::expect-connection nat-t
 venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev2/nat-rw-psk/pretest.dat b/testing/tests/ikev2/nat-rw-psk/pretest.dat
index c5d091f32..e52bc9d9c 100644
--- a/testing/tests/ikev2/nat-rw-psk/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/pretest.dat
@@ -9,8 +9,7 @@ sun::rm /etc/ipsec.d/cacerts/*
 sun::ipsec start
 alice::ipsec start
 venus::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-venus::sleep 2
+venus::expect-connection nat-t
 venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat
index 12676f7ac..e3d9fc858 100644
--- a/testing/tests/ikev2/nat-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-rw/pretest.dat
@@ -6,8 +6,7 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-venus::sleep 2
+venus::expect-connection nat-t
 venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
index 8945d87b9..1732d6efa 100644
--- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-ah/pretest.dat b/testing/tests/ikev2/net2net-ah/pretest.dat
index 81a98fa41..1732d6efa 100644
--- a/testing/tests/ikev2/net2net-ah/pretest.dat
+++ b/testing/tests/ikev2/net2net-ah/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
index 81a98fa41..1732d6efa 100644
--- a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat
index c724e5df8..1732d6efa 100644
--- a/testing/tests/ikev2/net2net-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-dnscert/pretest.dat b/testing/tests/ikev2/net2net-dnscert/pretest.dat
index 0f4ae0f4f..f2cbf6a0c 100644
--- a/testing/tests/ikev2/net2net-dnscert/pretest.dat
+++ b/testing/tests/ikev2/net2net-dnscert/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-dnssec/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat
index 0f4ae0f4f..f2cbf6a0c 100644
--- a/testing/tests/ikev2/net2net-dnssec/pretest.dat
+++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat
index c724e5df8..1732d6efa 100644
--- a/testing/tests/ikev2/net2net-esn/pretest.dat
+++ b/testing/tests/ikev2/net2net-esn/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
index c724e5df8..1732d6efa 100644
--- a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat b/testing/tests/ikev2/net2net-ntru-cert/pretest.dat
index c724e5df8..1732d6efa 100644
--- a/testing/tests/ikev2/net2net-ntru-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-ntru-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
index 0f4ae0f4f..f2cbf6a0c 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
index 0f4ae0f4f..f2cbf6a0c 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pkcs12/pretest.dat b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
index 3492238f0..fd1ce379f 100644
--- a/testing/tests/ikev2/net2net-pkcs12/pretest.dat
+++ b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
@@ -6,5 +6,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
index 0495890dd..ef3eb9e06 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
@@ -9,9 +9,10 @@ moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mar
 bob::iptables -t mangle -A OUTPUT -d PH_IP_ALICE -p icmp -j DSCP --set-dscp-class BE
 bob::iptables -t mangle -A OUTPUT -d PH_IP_VENUS -p icmp -j DSCP --set-dscp-class EF
 sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20
+sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection dscp-be
+moon::expect-connection dscp-ef
 moon::ipsec up dscp-be
 moon::ipsec up dscp-ef
diff --git a/testing/tests/ikev2/net2net-psk-fail/pretest.dat b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
index cb9282595..f2cbf6a0c 100644
--- a/testing/tests/ikev2/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat
index cb9282595..f2cbf6a0c 100644
--- a/testing/tests/ikev2/net2net-psk/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
index 9fe2860b9..1732d6efa 100644
--- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat
index e4ee3fac2..a1c567079 100644
--- a/testing/tests/ikev2/net2net-route/pretest.dat
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
-alice::ping -c 10 PH_IP_BOB
+moon::expect-connection net-net
+alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-rsa/pretest.dat
index 0f4ae0f4f..f2cbf6a0c 100644
--- a/testing/tests/ikev2/net2net-rsa/pretest.dat
+++ b/testing/tests/ikev2/net2net-rsa/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat
index c724e5df8..1732d6efa 100644
--- a/testing/tests/ikev2/net2net-same-nets/pretest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat
index 9d23c553e..b3f371041 100644
--- a/testing/tests/ikev2/net2net-start/pretest.dat
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
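Review bot: The new `alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB` in net2net-route/pretest.dat gives the trap-triggered tunnel only about 1.5 s to come up before the pretest moves on, where the old `-c 10` allowed roughly ten seconds; if the acquire-driven negotiation on moon takes longer, the three probes are simply exhausted and the evaltest runs against a tunnel that is still negotiating. As far as the hunk shows there is no readiness wait after the ping, so this swaps a fixed sleep for a possible race rather than an explicit check. A slightly larger count, e.g. `alice::ping -c 5 -W 1 -i 0.2 PH_IP_BOB`, or a follow-up wait on moon's ESTABLISHED state would keep the speed-up without the flakiness risk.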
@@ -1,6 +1,5 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
-sun::sleep 2
 moon::ipsec start
-moon::sleep 3
+moon::sleep 1
diff --git a/testing/tests/ikev2/ocsp-local-cert/pretest.dat b/testing/tests/ikev2/ocsp-local-cert/pretest.dat
index d92333d86..3a1982f8a 100644
--- a/testing/tests/ikev2/ocsp-local-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
index 86dd31e83..be0051e0b 100644
--- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
 carol::ipsec up alice
+dave::expect-connection venus
 dave::ipsec up venus
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
index afb64c3ed..6296b4e06 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-revoked/pretest.dat b/testing/tests/ikev2/ocsp-revoked/pretest.dat
index d92333d86..3a1982f8a 100644
--- a/testing/tests/ikev2/ocsp-revoked/pretest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
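Review bot: Switching moon's rule for PH_IP_WINNETOU from `-j DROP` to `-j REJECT --reject-with tcp-reset` in ocsp-no-signer-cert/pretest.dat makes the OCSP fetch fail at connect time instead of hanging until the fetcher's timeout, so the timeout path of the revocation check is no longer what the test exercises; the same substitution appears in ocsp-timeouts-unknown/pretest.dat and ocsp-untrusted-cert/pretest.dat below. For the two tests whose subject is the response validation that is a fair speed-up, but ocsp-timeouts-unknown is named for the timeout behaviour and, as far as its hunk shows, now only covers a refused connection, which is the easier failure mode for a hard-fail revocation policy; an unreachable, silently dropping responder is the case that policy most needs coverage for. Either keep DROP in that one test or record the change in its description.txt, e.g. `The OCSP responder is unreachable (connection reset), so the request fails fast instead of timing out.`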
diff --git a/testing/tests/ikev2/ocsp-root-cert/pretest.dat b/testing/tests/ikev2/ocsp-root-cert/pretest.dat
index d92333d86..3a1982f8a 100644
--- a/testing/tests/ikev2/ocsp-root-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
index d92333d86..3a1982f8a 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index c31e05ef5..934df4e5b 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,5 +1,5 @@
 moon:: cat /var/log/daemon.log::authentication of.*carol.*successful::YES
-moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::libcurl request failed::YES
 moon:: cat /var/log/daemon.log::certificate status is not available::YES
 moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
 moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
index 86dd31e83..be0051e0b 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
@@ -1,6 +1,7 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection alice
 carol::ipsec up alice
+dave::expect-connection venus
 dave::ipsec up venus
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/description.txt b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
index 9ee5db95b..ad7de9ecc 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/description.txt
+++ b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
@@ -6,5 +6,5 @@ OCSP server is listening. Thanks to timeouts the connection can nevertheless be established successfully by contacting a valid OCSP URI contained in carol's certificate.

-As an additional test the OCSP response is delayed by 5 seconds in order to check
+As an additional test the OCSP response is delayed by a few seconds in order to check
 the correct handling of retransmitted IKE_AUTH messages.
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
index f50d5e88c..d4e41dbb8 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
@@ -1,9 +1,9 @@
-moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::libcurl request failed::YES
 moon:: cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES
 moon:: cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
 moon:: cat /var/log/daemon.log::ocsp response is valid::YES
 moon:: cat /var/log/daemon.log::certificate status is good::YES
-carol::cat /var/log/daemon.log::libcurl http request failed::YES
+carol::cat /var/log/daemon.log::libcurl request failed::YES
 carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES
 carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index aa70321d5..46a716f83 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -6,7 +6,7 @@ echo "Content-type: application/ocsp-response" echo "" # simulate a delayed response -sleep 5 +sleep 2 cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ -rkey ocspKey.pem -rsigner ocspCert.pem \
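Review bot: Cutting the simulated responder delay to `sleep 2` in ocsp.cgi may stop this test from exercising what its description claims, the handling of a retransmitted IKE_AUTH: with strongSwan's default retransmit_timeout of 4 s, a 2 s stall in moon's OCSP lookup completes before carol retransmits, so no retransmission is provoked unless carol's strongswan.conf in this test lowers retransmit_timeout below 2 s, which the diff does not show. Please confirm that setting exists or keep the delay above the initiator's first retransmit interval, and record the dependency in the script, e.g. `# delay must exceed the initiator's retransmit_timeout to provoke an IKE_AUTH retransmit`. The remainder of the CGI script, including the rest of the openssl invocation, lies outside the hunk.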
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
index d92333d86..3a1982f8a 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
@@ -1,4 +1,4 @@
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
index 7c0a9a5a4..cb7997f72 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -1,4 +1,4 @@
-moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::libcurl request failed::YES
 moon:: cat /var/log/daemon.log::certificate status is not available::YES
 moon:: cat /var/log/daemon.log::constraint check failed::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
index 7d9d600ff..a43ba3550 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
@@ -1,6 +1,6 @@
-moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
-carol::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
+carol::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
index afb64c3ed..6296b4e06 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j REJECT --reject-with tcp-reset
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat
index efb2e5712..4759fdb7b 100644
--- a/testing/tests/ikev2/protoport-dual/pretest.dat
+++ b/testing/tests/ikev2/protoport-dual/pretest.dat
@@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home-icmp
+carol::expect-connection home-ssh
 carol::ipsec up home-icmp
 carol::ipsec up home-ssh
diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2/protoport-route/pretest.dat
index 5a15574d6..433d0cf98 100644
--- a/testing/tests/ikev2/protoport-route/pretest.dat
+++ b/testing/tests/ikev2/protoport-route/pretest.dat
@@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home-icmp
+carol::expect-connection home-ssh
 carol::ssh PH_IP_ALICE hostname
-carol::ping -c 1 PH_IP_ALICE > /dev/null
-carol::sleep 2
+carol::ping -W 1 -c 1 PH_IP_ALICE > /dev/null
diff --git a/testing/tests/ikev2/reauth-early/pretest.dat b/testing/tests/ikev2/reauth-early/pretest.dat
index 153ea7c43..d3ce70e80 100644
--- a/testing/tests/ikev2/reauth-early/pretest.dat
+++ b/testing/tests/ikev2/reauth-early/pretest.dat
@@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
 carol::sleep 30
diff --git a/testing/tests/ikev2/reauth-late/pretest.dat b/testing/tests/ikev2/reauth-late/pretest.dat
index 153ea7c43..d3ce70e80 100644
--- a/testing/tests/ikev2/reauth-late/pretest.dat
+++ b/testing/tests/ikev2/reauth-late/pretest.dat
@@ -2,6 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
 carol::sleep 30
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
index baacc1605..de4acbbf0 100644
--- a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat
index baacc1605..de4acbbf0 100644
--- a/testing/tests/ikev2/reauth-mbb/pretest.dat
+++ b/testing/tests/ikev2/reauth-mbb/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index d1eb77041..646bcee1a 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+ load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 integrity_test = yes
 crypto_test {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index d1eb77041..646bcee1a 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+ load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 integrity_test = yes
 crypto_test {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index d1eb77041..646bcee1a 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+ load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 integrity_test = yes
 crypto_test {
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat
index c582e030d..e87a8ee47 100644
--- a/testing/tests/ikev2/rw-cert/pretest.dat
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+moon::expect-connection rw
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat
index 40eaede87..e827687f8 100644
--- a/testing/tests/ikev2/rw-dnssec/pretest.dat
+++ b/testing/tests/ikev2/rw-dnssec/pretest.dat
@@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
index 388339fb8..de4acbbf0 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
index 388339fb8..de4acbbf0 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
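Review bot: rw-cert/pretest.dat now waits for the responder as well (`moon::expect-connection rw`) before carol initiates, but the sibling rw-* hunks that follow (rw-dnssec on this line and the rw-eap-* pretest files below) only add `carol::expect-connection home` / `dave::expect-connection home` on the initiator side; in rw-dnssec moon's `ipsec start` is even the last one issued. If `ipsec start` returns before moon has loaded its responder connection, carol's first IKE_SA_INIT reaches a responder with no matching config and the run fails in exactly the way the removed sleeps were masking. I'd add the corresponding responder wait (named `rw` in rw-cert; the connection name in the other tests is not visible here) to those files, or document why only rw-cert needs it.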
diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
index 17f1b5f2b..a55cf37b2 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
index 698a719f7..98bf0b15a 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
@@ -5,7 +5,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
+carol::expect-connection home
+carol::ipsec up home
+dave::expect-connection home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
index a2704e833..8893e0169 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
@@ -5,9 +5,11 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up alice
 dave::ipsec up venus
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
index 180537f5f..d44910db8 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
@@ -2,7 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec stroke user-creds home carol "Ar3etTnp"
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index 9adc43d3e..c65fbda83 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index 9adc43d3e..c65fbda83 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
index 388339fb8..de4acbbf0 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
index 388339fb8..de4acbbf0 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
index 17f1b5f2b..a55cf37b2 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
index 17f1b5f2b..a55cf37b2 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
index 3e7fc0bb1..98bf0b15a 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -5,7 +5,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index f8a9cc852..fa1164713 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -5,6 +5,5 @@ carol::cat /etc/ipsec.d/triplets.dat
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
index f434ddfc6..4f8f7285b 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -12,4 +12,4 @@ moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongsw
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 0e9e46bfd..a204f88a1 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -11,7 +11,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index a514f48b7..01aed2492 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -12,4 +12,4 @@ moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongsw
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index 57c9f11a8..fdb50fcfb 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -11,7 +11,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
index ae464b51c..3e05e4ed7 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
@@ -4,6 +4,5 @@ moon::cat /etc/ipsec.d/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
index 3d680ab78..7ed202116 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
@@ -4,6 +4,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
index 388339fb8..de4acbbf0 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
index 9adc43d3e..c65fbda83 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -3,6 +3,5 @@ carol::iptables-restore < /etc/iptables.rules
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
index 589d478e7..a55cf37b2 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 2
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
index 17f1b5f2b..a55cf37b2 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
index 3e7fc0bb1..98bf0b15a 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -5,7 +5,7 @@ alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/ikev2/rw-hash-and-url/pretest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
index 2b80853c6..094e0effa 100644
--- a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -2,8 +2,4 @@ charon {
 load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-
- retransmit_timeout = 2
- retransmit_base = 1.5
- retransmit_tries = 3
 }
diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat
index fc7173430..4660c29d6 100644
--- a/testing/tests/ikev2/rw-initiator-only/pretest.dat
+++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection peer
 dave::ipsec up peer
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
index 8e9dd2f51..728831472 100644
--- a/testing/tests/ikev2/rw-mark-in-out/pretest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
@@ -1,8 +1,8 @@
 alice::iptables-restore < /etc/iptables.rules
 venus::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
-sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
 sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
 sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 11
@@ -10,8 +10,7 @@ sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 21
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 2
-alice::ipsec up home
-venus::sleep 2
+alice::expect-connection home
+alice::ipsec up home
+venus::expect-connection home
 venus::ipsec up home
-venus::sleep 2
diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
index 5a88b6641..72f3a0e69 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
+++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
@@ -1,15 +1,15 @@
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
 dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
 dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA256 successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA384 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES
 moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
 moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
 moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf index f13e47a71..647a47f2f 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + strictcrlpolicy=yes conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf index ab824c993..c47ca8027 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf index 5f605a43d..e7786040c 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + strictcrlpolicy=yes conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf index ab824c993..c47ca8027 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf 
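Review bot: `strictcrlpolicy=yes` is added to carol's (and dave's) `config setup`, but nothing in this test asserts that a CRL was actually fetched and consulted; the evaltest in the preceding hunk only checks the BLISS signature log line and the ESTABLISHED/INSTALLED states, which a connection that authenticated against a cached or never-consulted CRL would satisfy just as well. Since `revocation` and `curl` are loaded in the strongswan.conf hunks here, I would pin the intended behaviour with an evaltest line along the lines of `carol::cat /var/log/daemon.log::crl correctly signed by.*::YES` (and the equivalents for dave and moon), adjusted to the exact text charon logs. As written, the new setting is exercised only by the absence of a failure.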
@@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf index 2a9b33aae..e5c2bf8b6 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + strictcrlpolicy=yes conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf index ab824c993..c47ca8027 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat index 24249435e..c0f963d4c 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat +++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat 
@@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-ntru-psk/pretest.dat b/testing/tests/ikev2/rw-ntru-psk/pretest.dat
index 40eaede87..e827687f8 100644
--- a/testing/tests/ikev2/rw-ntru-psk/pretest.dat
+++ b/testing/tests/ikev2/rw-ntru-psk/pretest.dat
@@ -7,7 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/ikev2/rw-pkcs8/pretest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
index 64ce593fb..ab5e18da2 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
@@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
index 64ce593fb..ab5e18da2 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
@@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
index 64ce593fb..ab5e18da2 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
@@ -7,6 +7,7 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
index 446f81426..08b891aa5 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
@@ -5,6 +5,7 @@ carol::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
index 9f437fe85..d26229602 100644
--- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -4,6 +4,5 @@ alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2/rw-sig-auth/pretest.dat
index bec31cc68..9c26ea122 100644
--- a/testing/tests/ikev2/rw-sig-auth/pretest.dat
+++ b/testing/tests/ikev2/rw-sig-auth/pretest.dat
@@ -4,9 +4,11 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up alice
 dave::ipsec up venus
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
index 3522c3d79..a9917bcf1 100644
--- a/testing/tests/ikev2/rw-whitelist/evaltest.dat
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -6,7 +6,7 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
 dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat
index dea5fc162..a55cf37b2 100644
--- a/testing/tests/ikev2/strong-keys-certs/pretest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat
@@ -4,7 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2/trap-any/evaltest.dat
index bcba9ef08..b62e890c0 100644
--- a/testing/tests/ikev2/trap-any/evaltest.dat
+++ b/testing/tests/ikev2/trap-any/evaltest.dat
@@ -1,8 +1,8 @@
-moon::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
-moon::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
-sun::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
-dave::ping -c 2 -W 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
-dave::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+moon::ping -c 2 -W 1 -i 0.2 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+moon::ping -c 2 -W 1 -i 0.2 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+sun::ping -c 2 -W 1 -i 0.2 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+dave::ping -c 2 -W 1 -i 0.2 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
+dave::ping -c 2 -W 1 -i 0.2 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
 dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES
 moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES
 moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat
index fe2aaec19..5936eda68 100644
--- a/testing/tests/ikev2/two-certs/pretest.dat
+++ b/testing/tests/ikev2/two-certs/pretest.dat
@@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
-carol::sleep 1
diff --git a/testing/tests/ikev2/virtual-ip-override/pretest.dat b/testing/tests/ikev2/virtual-ip-override/pretest.dat
index 1765a83cd..2d09e88ce 100644
--- a/testing/tests/ikev2/virtual-ip-override/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2/virtual-ip/pretest.dat
index 1765a83cd..2d09e88ce 100644
--- a/testing/tests/ikev2/virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2/wildcards/pretest.dat
index 3c4832e5e..2134d6bea 100644
--- a/testing/tests/ikev2/wildcards/pretest.dat
+++ b/testing/tests/ikev2/wildcards/pretest.dat
@@ -1,8 +1,11 @@
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 1
+carol::expect-connection alice
+carol::expect-connection venus
 carol::ipsec up alice
 carol::ipsec up venus
+dave::expect-connection alice
+dave::expect-connection venus
 dave::ipsec up venus
 dave::ipsec up alice
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
index 8e6478c51..f64bc2342 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf @@ -5,7 +5,7 @@ config setup ca strongswan cacert=strongswanCert.pem certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.org/strongswan.crl + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl auto=add conn %default diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf index a880b12a1..e739fc8ea 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf @@ -5,7 +5,7 @@ config setup ca strongswan cacert=strongswanCert.pem certuribase=http://ip6-winnetou.strongswan.org/certs/ - crluri=http://ip6-winnetou.org/strongswan.crl + crluri=http://ip6-winnetou.strongswan.org/strongswan.crl auto=add conn %default diff --git a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat index 0a0b1a78f..8229b6254 100644 --- a/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-compress-ikev2/evaltest.dat @@ -8,6 +8,7 @@ moon:: ip xfrm state::proto comp spi::YES carol::ip xfrm state::proto comp spi::YES # send two pings because the first is lost due to Path MTU Discovery between alice and moon carol::ping6 -c 2 -W 1 -s 8184 -p deadbeef ip6-alice.strongswan.org::8192 bytes from ip6-alice.strongswan.org::YES -carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org::YES +# reduce the size as the default is already larger than the threshold of 90 bytes +carol::ping6 -c 1 -s 40 ip6-alice.strongswan.org::48 bytes from ip6-alice.strongswan.org::YES moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES 
diff --git a/testing/tests/libipsec/host2host-cert/pretest.dat b/testing/tests/libipsec/host2host-cert/pretest.dat
index d8d30af02..b095bf5c4 100644
--- a/testing/tests/libipsec/host2host-cert/pretest.dat
+++ b/testing/tests/libipsec/host2host-cert/pretest.dat
@@ -4,5 +4,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/libipsec/net2net-3des/pretest.dat b/testing/tests/libipsec/net2net-3des/pretest.dat
index c724e5df8..1732d6efa 100644
--- a/testing/tests/libipsec/net2net-3des/pretest.dat
+++ b/testing/tests/libipsec/net2net-3des/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat
index c724e5df8..1732d6efa 100644
--- a/testing/tests/libipsec/net2net-cert/pretest.dat
+++ b/testing/tests/libipsec/net2net-cert/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/libipsec/net2net-null/description.txt b/testing/tests/libipsec/net2net-null/description.txt
new file mode 100644
index 000000000..d8f019d36
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/description.txt
@@ -0,0 +1,11 @@
+A connection between the subnets behind the gateways moon and sun is set up.
+The authentication is based on X.509 certificates and the kernel-libipsec
+plugin is used for userland IPsec ESP encryption. The negotiated encryption and authentication
+algorithms are NULL and SHA-256, respectively.
+Just by way of example, NULL encryption is also configured for the IKEv2 connection,
+using the NULL-crypter provided by the OpenSSL library.
+

+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+ipsec0 tun interface. In order to test both tunnel and firewall, client alice
+behind gateway moon pings client bob located behind gateway sun.
diff --git a/testing/tests/libipsec/net2net-null/evaltest.dat b/testing/tests/libipsec/net2net-null/evaltest.dat
new file mode 100644
index 000000000..e455a3650
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
+sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
+sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..4ecfb0e92
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=null-sha256-modp2048!
+ esp=null-sha256-modp2048!
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftupdown=/etc/updown
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c283474db
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = pem pkcs1 random nonce revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown
new file mode 100755
index 000000000..61f65311c
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown
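Review bot: `ike=null-sha256-modp2048!` in `conn %default` negotiates ENCR_NULL for the IKE_SA itself, so the IKE_AUTH and CREATE_CHILD_SA payloads (peer identities, certificates, traffic selectors) are integrity-protected but sent in the clear, and the `!` makes this the only acceptable proposal; the description only calls it "by way of example". As far as I recall the IANA IKEv2 Transform Type 1 registry marks ENCR_NULL as not allowed for IKE, so this line deserves an explicit marker so it is not copied into a production ipsec.conf from the test tree. I would put directly above it: `# TEST ONLY: NULL encryption on the IKE_SA leaks IDs/certs/TS - never use outside this test`. The ESP side (`esp=null-sha256-modp2048!`) is the purpose of the test and is fine as is.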
@@ -0,0 +1,566 @@ +#!/bin/sh +# default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. 
+# +# PLUTO_REQID +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_SOURCEIP +# PLUTO_PEER_SOURCEIP4_$i +# PLUTO_PEER_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP sent to an initiator, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. 
+# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# comment to disable logging VPN connections to syslog +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older release?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete release?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? 
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+case "$PLUTO_VERB:$1" in
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+up-host:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+#
+# IPv6
+#
+up-host-v6:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host-v6:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..95ea20d3c
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=null-sha256-modp2048!
+ esp=null-sha256-modp2048!
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftupdown=/etc/updown
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..c283474db
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = pem pkcs1 random nonce revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown
new file mode 100755
index 000000000..61f65311c
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown
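Review bot: The `ike=null-sha256-modp2048!` and `esp=null-sha256-modp2048!` lines in `conn %default` select NULL encryption for both the IKE and the ESP SA, and nothing in the file says that this is the point of the fixture rather than an oversight. The directory name carries that information but the file does not, and `conn %default` is exactly the kind of stanza that gets copied between hosts and tests. A one-line comment above the two proposals would make it explicit, e.g. `# NULL encryption is intentional: this fixture exercises the libipsec null-cipher path (integrity only)`. The moon-side ipsec.conf for this test is outside this chunk, so I cannot tell whether it carries such a comment already.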
@@ -0,0 +1,566 @@
+#!/bin/sh
+# default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_SOURCEIP
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
+# virtual IP, IPv4 or IPv6.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_SOURCEIP
+# PLUTO_PEER_SOURCEIP4_$i
+# PLUTO_PEER_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP sent to an initiator,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
+# virtual IP, IPv4 or IPv6.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# comment to disable logging VPN connections to syslog
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice -/var/log/vpn
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete release?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+case "$PLUTO_VERB:$1" in
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+up-host:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+#
+# IPv6
+#
+up-host-v6:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host-v6:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
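Review bot: The two lines under `# resolve octal escape sequences`, `PLUTO_MY_ID=\`printf "$PLUTO_MY_ID"\`` and `PLUTO_PEER_ID=\`printf "$PLUTO_PEER_ID"\``, pass the identities as the printf format string, so any `%` in a peer-chosen identity (an e-mail or DN ID can legitimately contain one) is interpreted as a conversion and the value later written to syslog by the `logger` calls no longer matches the identity the daemon authenticated. Escaping `%` before resolving the backslash escapes keeps the logged value faithful: `PLUTO_PEER_ID=\`printf "$(printf '%s' "$PLUTO_PEER_ID" | sed 's/%/%%/g')"\`` and the same for `PLUTO_MY_ID`; `printf '%b' "$PLUTO_PEER_ID"` would be simpler if the daemon's octal encoding is the form `%b` accepts, which I cannot confirm from this chunk. The first updown hunk on this page (the other host's copy, ending at the `esac` just before the sun `ipsec.conf` section) has the identical two lines and needs the same change. Unrelated to correctness, the two 566-line scripts appear byte-identical; one shared fixture would avoid the copies drifting.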
diff --git a/testing/tests/libipsec/net2net-null/posttest.dat b/testing/tests/libipsec/net2net-null/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/net2net-null/pretest.dat b/testing/tests/libipsec/net2net-null/pretest.dat
new file mode 100644
index 000000000..1732d6efa
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::expect-connection net-net
+moon::ipsec up net-net
diff --git a/testing/tests/libipsec/net2net-null/test.conf b/testing/tests/libipsec/net2net-null/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/libipsec/net2net-null/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat
index 8bbea1412..e87a8ee47 100644
--- a/testing/tests/libipsec/rw-suite-b/pretest.dat
+++ b/testing/tests/libipsec/rw-suite-b/pretest.dat
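Review bot: In the new `net2net-null/pretest.dat` only the initiator waits for its connection to be loaded (`moon::expect-connection net-net`) before `moon::ipsec up net-net`; nothing waits for sun, the responder, even though `sun::ipsec start` is issued on the line just before. The other pretest hunks on this page guard both ends, e.g. the rw-suite-b change adds `moon::expect-connection rw` for the responder alongside the initiator's `expect-connection`, so this fixture is left with the start-up race those changes remove. Adding `sun::expect-connection net-net` between `sun::ipsec start` and the `moon::ipsec up net-net` line would make it consistent, assuming the harness accepts the directive on the responder as it does for moon in rw-suite-b.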
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
index 388339fb8..de4acbbf0 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
index 972d93053..a55cf37b2 100644
--- a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
index 886fdf55c..de4acbbf0 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index c724e5df8..1732d6efa 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
index 8bbea1412..a55cf37b2 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
index 0f4ae0f4f..f2cbf6a0c 100644
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
@@ -4,5 +4,5 @@ moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
index 3492238f0..fd1ce379f 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
@@ -6,5 +6,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 1
+moon::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
index c582e030d..974c22530 100644
--- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -4,6 +4,9 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 3
+# moon runs crypto tests, so make sure it is ready
+moon::expect-connection rw
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
index 388339fb8..de4acbbf0 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
@@ -2,6 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
index 7f06388b8..d117a3001 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
@@ -3,9 +3,6 @@ charon { load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - retransmit_timeout = 2 - retransmit_base = 1.5 - retransmit_tries = 3 initiator_only = yes integrity_test = yes diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat index b9393944a..290f57e69 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +moon::expect-connection rw +dave::expect-connection peer dave::ipsec up peer +carol::expect-connection home carol::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf index 7f06388b8..d117a3001 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf @@ -3,9 +3,6 @@ charon { load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default - retransmit_timeout = 2 - retransmit_base = 1.5 - retransmit_tries = 3 initiator_only = yes integrity_test = yes diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat index b9393944a..290f57e69 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +moon::expect-connection rw +dave::expect-connection peer dave::ipsec up peer +carol::expect-connection home carol::ipsec up home 
diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat
index eb1d67fa2..6d9217066 100644
--- a/testing/tests/p2pnat/behind-same-nat/pretest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat
@@ -7,8 +7,8 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
 moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection medsrv
 alice::ipsec start
 alice::sleep 1
 venus::ipsec start
-venus::sleep 4
+venus::sleep 2
diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat
index 09b658318..950520006 100644
--- a/testing/tests/p2pnat/medsrv-psk/pretest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat
@@ -12,8 +12,8 @@ sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-s
 sun::iptables -A FORWARD -i eth1 -o eth0 -s 10.2.0.0/16 -j ACCEPT
 sun::iptables -A FORWARD -i eth0 -o eth1 -d 10.2.0.0/16 -j ACCEPT
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection medsrv
 bob::ipsec start
 bob::sleep 1
 alice::ipsec start
-alice::sleep 4
+alice::sleep 2
diff --git a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/pfkey/alg-sha384/pretest.dat b/testing/tests/pfkey/alg-sha384/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/pfkey/alg-sha384/pretest.dat
+++ b/testing/tests/pfkey/alg-sha384/pretest.dat
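Review bot: The behind-same-nat pretest still relies on fixed waits after the conversion: `alice::sleep 1` stays and `venus::sleep 4` only shrinks to `venus::sleep 2`, so the step that was presumably the slow one (venus establishing through the mediation server) is now gated by a shorter timer rather than by a readiness check like the new `carol::expect-connection medsrv` above it. Halving a timing margin without replacing it with a condition makes the test more likely, not less, to fail on a loaded build host. If alice and venus bring their connections up automatically and there is no `ipsec up` to hang an `expect-connection` on, a one-line comment such as `# alice/venus connect on their own; no command to wait on, so allow them time to finish` would keep the next person from reading the sleep as leftover cruft. The medsrv-psk hunk on this same line has the identical pattern with `bob::sleep 1` and `alice::sleep 2`.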
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/pfkey/alg-sha512/pretest.dat b/testing/tests/pfkey/alg-sha512/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/pfkey/alg-sha512/pretest.dat
+++ b/testing/tests/pfkey/alg-sha512/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/pfkey/compress/pretest.dat b/testing/tests/pfkey/compress/pretest.dat
index 29a90355f..1fd37b6a8 100644
--- a/testing/tests/pfkey/compress/pretest.dat
+++ b/testing/tests/pfkey/compress/pretest.dat
@@ -2,5 +2,5 @@ carol::iptables-restore < /etc/iptables.rules
 moon::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/pfkey/esp-alg-null/pretest.dat b/testing/tests/pfkey/esp-alg-null/pretest.dat
index 4fc25772b..de4acbbf0 100644
--- a/testing/tests/pfkey/esp-alg-null/pretest.dat
+++ b/testing/tests/pfkey/esp-alg-null/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/pfkey/host2host-transport/pretest.dat b/testing/tests/pfkey/host2host-transport/pretest.dat
index 99789b90f..997a48167 100644
--- a/testing/tests/pfkey/host2host-transport/pretest.dat
+++ b/testing/tests/pfkey/host2host-transport/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/pfkey/nat-rw/pretest.dat b/testing/tests/pfkey/nat-rw/pretest.dat
index d701a1d61..e3d9fc858 100644
--- a/testing/tests/pfkey/nat-rw/pretest.dat
+++ b/testing/tests/pfkey/nat-rw/pretest.dat
@@ -6,8 +6,7 @@ moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 2
+alice::expect-connection nat-t
 alice::ipsec up nat-t
-venus::sleep 2
+venus::expect-connection nat-t
 venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/pfkey/net2net-route/pretest.dat b/testing/tests/pfkey/net2net-route/pretest.dat
index e4ee3fac2..a1c567079 100644
--- a/testing/tests/pfkey/net2net-route/pretest.dat
+++ b/testing/tests/pfkey/net2net-route/pretest.dat
@@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
-alice::ping -c 10 PH_IP_BOB
+moon::expect-connection net-net
+alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff --git a/testing/tests/pfkey/protoport-dual/pretest.dat b/testing/tests/pfkey/protoport-dual/pretest.dat
index efb2e5712..12112b194 100644
--- a/testing/tests/pfkey/protoport-dual/pretest.dat
+++ b/testing/tests/pfkey/protoport-dual/pretest.dat
@@ -2,6 +2,7 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 2
+carol::expect-connection home-icmp
 carol::ipsec up home-icmp
+carol::expect-connection home-ssh
 carol::ipsec up home-ssh
diff --git a/testing/tests/pfkey/protoport-route/pretest.dat b/testing/tests/pfkey/protoport-route/pretest.dat
index 5a15574d6..b1bf23870 100644
--- a/testing/tests/pfkey/protoport-route/pretest.dat
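Review bot: In the net2net-route hunk the probe that has to trigger the trap policy on moon is now `alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB`, i.e. three packets spread over about 0.4 s with a 1 s reply timeout each, so the entire window in which an acquire can be raised and answered is well under two seconds, down from ten packets before. `moon::expect-connection net-net` presumably only waits for the connection to be loaded, not for the CHILD_SA to come up, and nothing after the ping waits for the SA either, so if the acquire-driven IKE exchange between moon and sun takes longer than the probe window the test reaches its evaluation with no SA and no successful reply. Whether that is tolerated depends on evaltest.dat, which is not in this diff; if the evaluation expects the ping to succeed, a follow-up wait on the SA (or a larger `-c`/`-W`) would make the outcome deterministic instead of timing-dependent.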
+++ b/testing/tests/pfkey/protoport-route/pretest.dat @@ -2,7 +2,7 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::expect-connection home-icmp +carol::expect-connection home-ssh carol::ssh PH_IP_ALICE hostname -carol::ping -c 1 PH_IP_ALICE > /dev/null -carol::sleep 2 +carol::ping -c 1 -W 1 PH_IP_ALICE > /dev/null diff --git a/testing/tests/pfkey/rw-cert/pretest.dat b/testing/tests/pfkey/rw-cert/pretest.dat index c582e030d..e87a8ee47 100644 --- a/testing/tests/pfkey/rw-cert/pretest.dat +++ b/testing/tests/pfkey/rw-cert/pretest.dat @@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +moon::expect-connection rw +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf 
@@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf index 3b720bff2..64e7cc722 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql @@ -12,7 +12,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat index 1b963fcec..b757d8b15 100644 --- a/testing/tests/sql/ip-pool-db-expired/posttest.dat +++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat @@ -4,7 +4,3 @@ moon::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat index 10a51bc37..3e1b762d7 100644 --- a/testing/tests/sql/ip-pool-db-expired/pretest.dat +++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat 
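Review bot: The ip-pool-db-expired posttest.dat hunk removes the three `rm /etc/ipsec.d/ipsec.*` cleanup lines but adds nothing in their place, so the database the pretest now builds at `/etc/db.d/ipsec.db` (and the generated `ipsec.sql` next to it) stays on moon, carol and dave after the run; the ip-pool-db posttest in this same commit instead replaces those lines with `moon::dbdir-remove`, `carol::dbdir-remove`, `dave::dbdir-remove`. Unless the harness tears the directory down itself via the new `DBHOSTS` entry in test.conf, the next pretest pipes `sqlite.sql` and `data.sql` into an existing database, which repeats the CREATE TABLE statements and seeds the rows a second time, and whatever credentials `data.sql` contains remain on the guests between tests. Making the cleanup explicit here, mirroring ip-pool-db, costs three lines and does not depend on what the harness does with `DBHOSTS`.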
@@ -1,12 +1,12 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
@@ -14,6 +14,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf
index 9b1ec0b54..450100fbe 100644
--- a/testing/tests/sql/ip-pool-db-expired/test.conf
+++ b/testing/tests/sql/ip-pool-db-expired/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf index 3b720bff2..64e7cc722 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql 
@@ -12,7 +12,7 @@ charon {
 libhydra {
 plugins {
 attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index 1b963fcec..b757d8b15 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -4,7 +4,3 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index 639cfd99f..4976693ec 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
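Review bot: The ip-pool-db-restart posttest.dat hunk drops the `rm /etc/ipsec.d/ipsec.*` lines on moon, carol and dave without a replacement, leaving `/etc/db.d/ipsec.db` and `ipsec.sql` on the guests after the test; this test's own pretest repopulates that path with `cat ... | sqlite3 /etc/db.d/ipsec.db`, which on an already-populated file re-runs the CREATE TABLE statements and inserts the seed rows again, and the data in it sits on the guests until something else removes it. The commit handles the sibling ip-pool-db test differently, with explicit `dbdir-remove` lines on all three hosts; unless the harness is known to clean `DBHOSTS` directories itself, the same three lines belong here: `moon::dbdir-remove`, `carol::dbdir-remove`, `dave::dbdir-remove`.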
@@ -1,12 +1,12 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
@@ -14,7 +14,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+dave::expect-connection home
 dave::ipsec up home
+carol::expect-connection home
 carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf
index 9b1ec0b54..450100fbe 100644
--- a/testing/tests/sql/ip-pool-db-restart/test.conf
+++ b/testing/tests/sql/ip-pool-db-restart/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf index 62d9edbd8..4346eca40 100644 --- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf index 62d9edbd8..4346eca40 100644 --- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf index 3b720bff2..64e7cc722 100644 --- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql 
@@ -12,7 +12,7 @@ charon {
 libhydra {
 plugins {
 attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 }
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index 1b963fcec..47061432a 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -4,7 +4,6 @@ moon::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
+moon::dbdir-remove
+carol::dbdir-remove
+dave::dbdir-remove
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
index 46f33324c..0cea9d816 100644
--- a/testing/tests/sql/ip-pool-db/pretest.dat
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -1,19 +1,19 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf index 9b1ec0b54..450100fbe 100644 --- a/testing/tests/sql/ip-pool-db/test.conf +++ b/testing/tests/sql/ip-pool-db/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" 
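Review bot: The rewritten import lines still stage the concatenated SQL in an intermediate file and then feed it to sqlite3 through a pipe, `moon::cat ... /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql` followed by `moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db`. Since only the path changed, each pair could be collapsed into `moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql | sqlite3 /etc/db.d/ipsec.db`, which removes the useless-cat pipe and leaves no extra plaintext dump of the test data (which includes the credentials from data.sql) lying in /etc/db.d. The same pattern appears in the pretest.dat hunks of ip-split-pools-db-restart, ip-split-pools-db, multi-level-ca, net2net-cert, net2net-psk, net2net-route-pem, net2net-start-pem and rw-cert. Both forms assume /etc/db.d already exists on the guest; nothing in these hunks creates it, so presumably the harness does so for the hosts in DBHOSTS, which is worth confirming before merging.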
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf index 3b720bff2..64e7cc722 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql 
@@ -12,7 +12,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat index 0fce500bf..a851d0924 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat @@ -1,7 +1,3 @@ carol::ipsec stop dave::ipsec stop moon::ipsec stop -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat index ba3f4d1cb..706cb3205 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat 
@@ -1,18 +1,18 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --status 2> /dev/null moon::ipsec pool --leases 2> /dev/null moon::ipsec start dave::ipsec start carol::ipsec start -dave::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf index 9b1ec0b54..450100fbe 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/test.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" 
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf index 3b720bff2..64e7cc722 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql @@ -12,7 +12,7 @@ charon { libhydra { plugins { attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } } 
diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat index 0fce500bf..a851d0924 100644 --- a/testing/tests/sql/ip-split-pools-db/posttest.dat +++ b/testing/tests/sql/ip-split-pools-db/posttest.dat @@ -1,7 +1,3 @@ carol::ipsec stop dave::ipsec stop moon::ipsec stop -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat index 6c7633811..e820c81a2 100644 --- a/testing/tests/sql/ip-split-pools-db/pretest.dat +++ b/testing/tests/sql/ip-split-pools-db/pretest.dat 
@@ -1,17 +1,17 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::ipsec pool --status 2> /dev/null moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf index 9b1ec0b54..450100fbe 100644 --- a/testing/tests/sql/ip-split-pools-db/test.conf +++ b/testing/tests/sql/ip-split-pools-db/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" 
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat index e9ad4bea6..1865a1c60 100644 --- a/testing/tests/sql/multi-level-ca/posttest.dat 
+++ b/testing/tests/sql/multi-level-ca/posttest.dat @@ -4,7 +4,3 @@ dave::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat index 6d56ede09..0cea9d816 100644 --- a/testing/tests/sql/multi-level-ca/pretest.dat +++ b/testing/tests/sql/multi-level-ca/pretest.dat 
@@ -1,18 +1,19 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf index f29298850..f6fb44f5f 100644 --- a/testing/tests/sql/multi-level-ca/test.conf +++ b/testing/tests/sql/multi-level-ca/test.conf @@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" 
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat index 329a572b2..1f7aa73a1 100644 --- a/testing/tests/sql/net2net-cert/posttest.dat +++ b/testing/tests/sql/net2net-cert/posttest.dat @@ -2,5 +2,3 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat index b62da613c..05fe277ce 100644 --- a/testing/tests/sql/net2net-cert/pretest.dat +++ b/testing/tests/sql/net2net-cert/pretest.dat 
@@ -1,12 +1,12 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/sql/net2net-cert/test.conf index 646b8b3e6..1b7e280e8 100644 --- a/testing/tests/sql/net2net-cert/test.conf +++ b/testing/tests/sql/net2net-cert/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf index 5e4eb1246..e20fecca5 100644 --- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf 
@@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf index 5e4eb1246..e20fecca5 100644 --- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat index 329a572b2..1f7aa73a1 100644 --- a/testing/tests/sql/net2net-psk/posttest.dat +++ b/testing/tests/sql/net2net-psk/posttest.dat @@ -2,5 +2,3 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat index b62da613c..05fe277ce 100644 --- a/testing/tests/sql/net2net-psk/pretest.dat +++ b/testing/tests/sql/net2net-psk/pretest.dat 
@@ -1,12 +1,12 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf index 646b8b3e6..1b7e280e8 100644 --- a/testing/tests/sql/net2net-psk/test.conf +++ b/testing/tests/sql/net2net-psk/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf 
@@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat index 329a572b2..1f7aa73a1 100644 --- a/testing/tests/sql/net2net-route-pem/posttest.dat +++ b/testing/tests/sql/net2net-route-pem/posttest.dat @@ -2,5 +2,3 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat index 537aa630b..cef74e474 100644 --- a/testing/tests/sql/net2net-route-pem/pretest.dat +++ b/testing/tests/sql/net2net-route-pem/pretest.dat 
@@ -1,13 +1,13 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules sun::ipsec start moon::ipsec start -moon::sleep 1 -alice::ping -c 1 PH_IP_BOB -bob::ping -c 1 PH_IP_VENUS +moon::expect-connection net-net +alice::ping -c 1 -W 1 PH_IP_BOB +bob::ping -c 1 -W 1 PH_IP_VENUS diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf index 10c582c9b..ee97968ab 100644 --- a/testing/tests/sql/net2net-route-pem/test.conf +++ b/testing/tests/sql/net2net-route-pem/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice venus moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-v-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf 
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf index 174f8c29e..8b25be7aa 100644 --- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat index 329a572b2..1f7aa73a1 100644 --- a/testing/tests/sql/net2net-start-pem/posttest.dat +++ b/testing/tests/sql/net2net-start-pem/posttest.dat @@ -2,5 +2,3 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat index 7307aca81..f260b396c 100644 --- a/testing/tests/sql/net2net-start-pem/pretest.dat +++ b/testing/tests/sql/net2net-start-pem/pretest.dat 
@@ -1,11 +1,11 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules sun::ipsec start moon::ipsec start -moon::sleep 3 +moon::sleep 1 diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf index 10c582c9b..ee97968ab 100644 --- a/testing/tests/sql/net2net-start-pem/test.conf +++ b/testing/tests/sql/net2net-start-pem/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice venus moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-v-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" @@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun" # Used for IPsec logging purposes # IPSECHOSTS="moon sun" + +# Guest instances on which databases are used +# +DBHOSTS="$IPSECHOSTS" diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf index 7e8023fcc..4946b1520 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf 
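Review bot: net2net-start-pem's pretest.dat still synchronises on a fixed timer, `moon::sleep 1` (down from 3), whereas every sibling pretest in this commit replaced its sleep with `expect-connection`. Presumably the connection here is brought up by charon itself so there is no `ipsec up` to gate on, but shortening the timer makes the test more, not less, sensitive to a slow guest. If the harness offers a wait for an established SA, prefer it here; otherwise a comment on the line such as `# connection is started by charon itself; no explicit up to wait for` would explain why this test differs from the others.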
@@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf index 7e8023fcc..4946b1520 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf @@ -3,7 +3,7 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf index 7e8023fcc..7fed45bed 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf @@ -3,13 +3,10 @@ charon { plugins { sql { - database = sqlite:///etc/ipsec.d/ipsec.db + database = sqlite:///etc/db.d/ipsec.db } } load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql integrity_test = yes - crypto_test { - on_add = yes - } } diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat index e9ad4bea6..1865a1c60 100644 --- a/testing/tests/sql/rw-cert/posttest.dat +++ b/testing/tests/sql/rw-cert/posttest.dat @@ -4,7 +4,3 @@ dave::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush -moon::rm /etc/ipsec.d/ipsec.* -carol::rm /etc/ipsec.d/ipsec.* -dave::rm /etc/ipsec.d/ipsec.* -~ 
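Review bot: moon's strongswan.conf for rw-cert drops the `crypto_test { on_add = yes }` block while keeping `integrity_test = yes` and `test-vectors` in the load list, and that removal is unrelated to the database path move the rest of the commit makes. As far as I can tell, without `crypto_test.on_add` the test-vectors plugin is loaded but algorithms are no longer checked against the vectors when they are registered, so the rw-cert scenario quietly stops exercising that self-test on moon. If the self-test is meant to stay, keep the block; if it was removed deliberately, drop `test-vectors` from `load` as well and note the reason in the commit message.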
diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat index 7958f0928..0cea9d816 100644 --- a/testing/tests/sql/rw-cert/pretest.dat +++ b/testing/tests/sql/rw-cert/pretest.dat @@ -1,18 +1,19 @@ moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql +moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db +dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 3 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf index f29298850..f6fb44f5f 100644 --- a/testing/tests/sql/rw-cert/test.conf +++ b/testing/tests/sql/rw-cert/test.conf 
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index ec5899c84..2fba94535 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index 41951083c..b06c611b7 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
index 584356d8e..046d4cfdc 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
@@ -2,6 +2,3 @@ moon::ipsec stop
 carol::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
index 2a8e460e7..a6cbee7a9 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
@@ -1,12 +1,12 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/sql/rw-eap-aka-rsa/test.conf b/testing/tests/sql/rw-eap-aka-rsa/test.conf
index 4a5fc470f..81b1d3bdb 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 5e4eb1246..e20fecca5 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 5e4eb1246..e20fecca5 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 5e4eb1246..e20fecca5 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat
index e9ad4bea6..1865a1c60 100644
--- a/testing/tests/sql/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat
@@ -4,7 +4,3 @@ dave::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat
index 6d56ede09..0cea9d816 100644
--- a/testing/tests/sql/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat
@@ -1,18 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf
index f29298850..f6fb44f5f 100644
--- a/testing/tests/sql/rw-psk-ipv4/test.conf
+++ b/testing/tests/sql/rw-psk-ipv4/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
index 5e4eb1246..e20fecca5 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
index 5e4eb1246..e20fecca5 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
index 5e4eb1246..e20fecca5 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat
index ab753507f..4e59395e3 100644
--- a/testing/tests/sql/rw-psk-ipv6/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat
@@ -10,6 +10,3 @@ dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat
index fdb5f1970..894689648 100644
--- a/testing/tests/sql/rw-psk-ipv6/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat
@@ -1,12 +1,12 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
@@ -19,6 +19,7 @@ dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf
index 05bb8ab6d..024105ebb 100644
--- a/testing/tests/sql/rw-psk-ipv6/test.conf
+++ b/testing/tests/sql/rw-psk-ipv6/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index 174f8c29e..8b25be7aa 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index 174f8c29e..8b25be7aa 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index 174f8c29e..8b25be7aa 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
index e9ad4bea6..1865a1c60 100644
--- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
@@ -4,7 +4,3 @@ dave::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.*
-carol::rm /etc/ipsec.d/ipsec.*
-dave::rm /etc/ipsec.d/ipsec.*
-~
diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
index 6d56ede09..0cea9d816 100644
--- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
@@ -1,18 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf
index f29298850..f6fb44f5f 100644
--- a/testing/tests/sql/rw-psk-rsa-split/test.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index 4c06ca4dc..75a2b0624 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index 4c06ca4dc..75a2b0624 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index 4c06ca4dc..75a2b0624 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat
index 892650ccb..1865a1c60 100644
--- a/testing/tests/sql/rw-rsa-keyid/posttest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat
@@ -4,7 +4,3 @@ dave::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.db
-carol::rm /etc/ipsec.d/ipsec.db
-dave::rm /etc/ipsec.d/ipsec.db
-~
diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat
index 6d56ede09..0cea9d816 100644
--- a/testing/tests/sql/rw-rsa-keyid/pretest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat
@@ -1,18 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-rsa-keyid/test.conf b/testing/tests/sql/rw-rsa-keyid/test.conf
index f29298850..f6fb44f5f 100644
--- a/testing/tests/sql/rw-rsa-keyid/test.conf
+++ b/testing/tests/sql/rw-rsa-keyid/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index 4c06ca4dc..75a2b0624 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index 4c06ca4dc..75a2b0624 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index 4c06ca4dc..75a2b0624 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat
index 892650ccb..1865a1c60 100644
--- a/testing/tests/sql/rw-rsa/posttest.dat
+++ b/testing/tests/sql/rw-rsa/posttest.dat
@@ -4,7 +4,3 @@ dave::ipsec stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::rm /etc/ipsec.d/ipsec.db
-carol::rm /etc/ipsec.d/ipsec.db
-dave::rm /etc/ipsec.d/ipsec.db
-~
diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat
index 6d56ede09..0cea9d816 100644
--- a/testing/tests/sql/rw-rsa/pretest.dat
+++ b/testing/tests/sql/rw-rsa/pretest.dat
@@ -1,18 +1,19 @@
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/sql/rw-rsa/test.conf b/testing/tests/sql/rw-rsa/test.conf
index f29298850..f6fb44f5f 100644
--- a/testing/tests/sql/rw-rsa/test.conf
+++ b/testing/tests/sql/rw-rsa/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="$IPSECHOSTS"
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
index 7f02ba120..f4dd8f199 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
index 6a89855a9..6210c21cc 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -3,10 +3,10 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
index 7f02ba120..f4dd8f199 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -3,7 +3,7 @@ charon {
 plugins {
 sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
index f410dd776..e772be6af 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
+++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
@@ -2,7 +2,4 @@ sun::ipsec stop
 alice::ipsec stop
 venus::ipsec stop
 sun::iptables-restore < /etc/iptables.flush
-alice::rm /etc/ipsec.d/ipsec.*
-venus::rm /etc/ipsec.d/ipsec.*
-sun::rm /etc/ipsec.d/ipsec.*
 moon::iptables -t nat -F
\ No newline at end of file
diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
index 0314e7ad1..c23c09981 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
+++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
@@ -1,12 +1,12 @@
 alice::rm /etc/ipsec.d/cacerts/*
 venus::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
-alice::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-venus::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
+alice::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+venus::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
+sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
diff --git a/testing/tests/sql/shunt-policies-nat-rw/test.conf b/testing/tests/sql/shunt-policies-nat-rw/test.conf
index bd82f03ad..d797acb06 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/test.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="alice moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="alice venus sun"
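Review bot: `DBHOSTS="alice venus sun"` at the end of this test.conf hunk repeats the host list that `IPSECHOSTS` already holds two lines above, whereas every other sql test.conf in this change writes `DBHOSTS="$IPSECHOSTS"`; using the same form here, `DBHOSTS="$IPSECHOSTS"`, keeps the two lists from drifting if a host is added to one of them later. The ip-pool-db test.conf legitimately narrows the list to `"moon"`, so that one is not affected.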
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
index c5ddd386a..1eab75a03 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -14,7 +14,7 @@ charon {
 plugins {
 attr-sql {
- database = sqlite:///etc/ipsec.d/ipsec.db
+ database = sqlite:///etc/db.d/ipsec.db
 }
 }
 }
diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/swanctl/ip-pool-db/pretest.dat
index 4b88a6f4a..91380e6f9 100755
--- a/testing/tests/swanctl/ip-pool-db/pretest.dat
+++ b/testing/tests/swanctl/ip-pool-db/pretest.dat
@@ -1,5 +1,5 @@
-moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql > /etc/db.d/ipsec.sql
+moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --add big_pool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
 moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool-db/test.conf b/testing/tests/swanctl/ip-pool-db/test.conf
index 1227b9d1c..5554b4669 100755
--- a/testing/tests/swanctl/ip-pool-db/test.conf
+++ b/testing/tests/swanctl/ip-pool-db/test.conf
@@ -20,6 +20,10 @@ TCPDUMPHOSTS="moon"
 #
 IPSECHOSTS="moon carol dave"
+# Guest instances on which databases are used
+#
+DBHOSTS="moon"
+
 # charon controlled by swanctl
 #
 SWANCTL=1
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat
index a16ed01a6..a0891c358 100755
--- a/testing/tests/swanctl/ip-pool/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool/evaltest.dat
@@ -3,6 +3,8 @@ dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
 moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
 moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
index 6b7c713ef..3478c07df 100644
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
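Review bot: The two new lease assertions match only `address=... identity=... status=online` and, unlike the `--list-pools` check right above them that anchors on `rw_pool.*`, would also accept a lease handed out by any other configured pool. Prefixing the pattern with the pool name, e.g. `moon:: swanctl --list-pools --raw --leases 2> /dev/null::rw_pool.*address=10.3.0.1 identity=carol@strongswan.org status=online::YES` (and the same for the dave line), keeps the assertion tied to the pool under test. Whether the raw `--leases` output prints the pool name ahead of each lease is not visible here, so confirm the format before anchoring.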
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
index 8fab1fb6c..d181aab9f 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
@@ -9,7 +9,8 @@ dave::cat /etc/tnc/dummyimc.file
 moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
 carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
 dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::sleep 1
+moon::expect-connection rw-allow
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index b9eee4f57..3f3aa9f64 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
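Review bot: The tnccs-11-fhh pretest waits for the responder's connection to be loaded (`moon::expect-connection rw-allow`) before carol runs `ipsec up home`, but the sibling pretests rewritten the same way in this commit — tnccs-11-radius-block, tnccs-11, tnccs-20-block, tnccs-20-client-retry, tnccs-20-fail-init and tnccs-20-fail-resp — only wait on the initiator side. If `expect-connection` on the client does not imply that moon has finished loading its configuration, those tests keep the start-up race that the removed `sleep 1` was covering; adding the matching `moon::expect-connection <responder-connection-name>` line there would make them consistent with tnccs-11-fhh and tnccs-20-fhh. Whether the harness guarantees that ordering is not visible from these hunks, so this is worth confirming rather than assumed.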
@@ -10,5 +10,5 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EA
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
index 96163aa36..d2bb94583 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
@@ -8,7 +8,7 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
index 224807860..955584ba3 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf index 23f840f69..45845710b 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf @@ -3,11 +3,11 @@ libimcv { load = random nonce openssl pubkey sqlite debug_level = 3 - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager assessment_result = no } attest { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db } diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf index b8488fef8..e8706082e 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf @@ -5,6 +5,8 @@ charon { multiple_authentication=no + retransmit_tries = 5 + plugins { eap-tnc { protocol = tnccs-1.1 diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat index dc8507d26..18e03746b 100644 
--- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat @@ -3,7 +3,6 @@ carol::ipsec stop dave::ipsec stop alice::killall radiusd alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second -alice::rm /etc/pts/config.db carol::echo 1 > /proc/sys/net/ipv4/ip_forward moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat index 03b24747e..31ee7d1c7 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat @@ -6,7 +6,7 @@ dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd alice::cat /etc/tnc_config carol::cat /etc/tnc_config @@ -14,9 +14,9 @@ dave::cat /etc/tnc_config moon::ipsec start dave::ipsec start carol::ipsec start -dave::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 alice::ipsec attest --sessions alice::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf index f23a19329..318dfdfcb 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/test.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/test.conf 
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave" # RADIUSHOSTS="alice" +# Guest instances on which databases are used +# +DBHOSTS="alice" diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat index 224807860..955584ba3 100644 --- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat @@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat index 71dff71b7..fcfb1451c 100644 --- a/testing/tests/tnc/tnccs-11-radius/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat @@ -10,7 +10,7 @@ dave::cat /etc/tnc_config moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat index ac03fedbb..4dbff64a3 100644 --- a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat +++ b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat 
@@ -6,6 +6,6 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::hostapd -B /etc/hostapd/hostapd.conf
 carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
-carol::sleep 4
+carol::sleep 4
 dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0
 dave::sleep 4
diff --git a/testing/tests/tnc/tnccs-11/evaltest.dat b/testing/tests/tnc/tnccs-11/evaltest.dat
index 6b7c713ef..3478c07df 100644
--- a/testing/tests/tnc/tnccs-11/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat
index cac1cfafc..85622034d 100644
--- a/testing/tests/tnc/tnccs-11/pretest.dat
+++ b/testing/tests/tnc/tnccs-11/pretest.dat
@@ -7,7 +7,7 @@ dave::cat /etc/tnc_config
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-block/evaltest.dat b/testing/tests/tnc/tnccs-20-block/evaltest.dat
index 03b576efa..e0f3d9357 100644
--- a/testing/tests/tnc/tnccs-20-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat
@@ -9,4 +9,4 @@ moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat
index f5b3b2e8c..c66a2e1ec 100644
--- a/testing/tests/tnc/tnccs-20-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-block/pretest.dat
@@ -8,7 +8,7 @@ dave::cat /etc/tnc_config
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
index bac7294b2..c69940c4b 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
index b2b243ba3..85622034d 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
@@ -5,9 +5,9 @@ moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
+carol::ipsec start
+dave::ipsec start
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
index 38c651328..85622034d 100644
--- a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
@@ -5,8 +5,9 @@ moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
-carol::ipsec start
+carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::expect-connection home
 carol::ipsec up home
+dave::expect-connection home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
index 6947c4bdf..e5c202947 100644
--- a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
@@ -3,6 +3,6 @@ carol::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 moon::ipsec start
-carol::ipsec start
-carol::sleep 1
+carol::ipsec start
+carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
index bac7294b2..c69940c4b 100644
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
index 72c9b1665..39b0e03eb 100644
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
@@ -8,9 +8,10 @@ carol::cat /etc/tnc/dummyimc.file dave::cat /etc/tnc/dummyimc.file moon::cat /etc/tnc/dummyimv.policy moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -carol::sleep 1 +carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +moon::expect-connection rw-allow +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default deleted file mode 100644 index 626000612..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default +++ /dev/null @@ -1,26 +0,0 @@ -WSGIPythonPath /var/www/tnc - - - ServerName tnc.strongswan.org - ServerAlias tnc - ServerAdmin webmaster@localhost - - DocumentRoot /var/www/tnc - - - - Order deny,allow - Allow from all - - - - WSGIScriptAlias / /var/www/tnc/config/wsgi.py - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - - Alias /static/ /var/www/tnc/static/ - - ErrorLog ${APACHE_LOG_DIR}/tnc/error.log - LogLevel warn - CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined - diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql deleted file mode 100644 index d6a547bd1..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql +++ /dev/null 
@@ -1,61 +0,0 @@ -/* Devices */ - -INSERT INTO devices ( /* 1 */ - value, product, created -) -SELECT 'aabbccddeeff11223344556677889900', id, 1372330615 -FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64'; - -/* Groups Members */ - -INSERT INTO groups_members ( - group_id, device_id -) VALUES ( - 10, 1 -); - -/* Identities */ - -INSERT INTO identities ( - type, value -) VALUES ( /* dave@strongswan.org */ - 5, X'64617665' -); - -/* Sessions */ - -INSERT INTO sessions ( - time, connection, identity, device, product, rec -) -SELECT NOW, 1, 1, 1, id, 0 -FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64'; - -/* Results */ - -INSERT INTO results ( - session, policy, rec, result -) VALUES ( - 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' -); - -/* Enforcements */ - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 10, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 17, 2, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 18, 10, 86400 -); - -DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini deleted file mode 100644 index 5e7b7b556..000000000 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini +++ /dev/null @@ -1,19 +0,0 @@ -[debug] -DEBUG=0 -TEMPLATE_DEBUG=0 -DEBUG_TOOLBAR=0 - -[db] -DJANGO_DB_URL=sqlite:////var/www/tnc/django.db -STRONGTNC_DB_URL = sqlite:////etc/pts/config.db - -[localization] -LANGUAGE_CODE=en-us -TIME_ZONE=Europe/Zurich - -[admins] -Your Name: alice@strongswan.org - -[security] -SECRET_KEY=strongSwan -ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc 
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf index d22a7e978..1ecf6f883 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf @@ -23,13 +23,6 @@ charon { } libimcv { - debug_level = 3 - database = sqlite:///etc/pts/config.db + debug_level = 3 policy_script = ipsec imv_policy_manager - - plugins { - imv-swid { - rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ - } - } } diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat index 913dd2190..0978d1252 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat @@ -11,7 +11,7 @@ alice::ipsec start moon::ipsec start carol::ipsec start dave::ipsec start -dave::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat index 3bce9f6e5..997a48167 100644 --- a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat @@ -2,5 +2,5 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat index fab55d11a..07b17600d 100644 --- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat 
@@ -1,4 +1,4 @@ sun::ipsec start moon::cat /etc/pts/options -moon::sleep 1 -moon::ipsec pt-tls-client --optionsfrom /etc/pts/options +sun::expect-connection pdp +moon::ipsec pt-tls-client --optionsfrom /etc/pts/options diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat index 14c2aaf6c..8c9e59a56 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat @@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf index 228441289..156a2e4c4 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf @@ -5,6 +5,8 @@ charon { multiple_authentication = no + retransmit_tries = 5 + plugins { tnc-imc { preferred_language = de diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf index 88a4ad36e..c8992bdad 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf 
@@ -15,7 +15,7 @@ charon { } libimcv { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager plugins { imv-attestation { @@ -26,5 +26,5 @@ libimcv { attest { load = random nonce openssl sqlite - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db } diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat index 48514d6e0..74b902c69 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat @@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush carol::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat index 7a562eec5..345f54816 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat @@ -4,16 +4,16 @@ dave::iptables-restore < /etc/iptables.rules carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start dave::ipsec start carol::ipsec start -dave::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 moon::ipsec attest --sessions moon::ipsec attest --devices 
diff --git a/testing/tests/tnc/tnccs-20-os-pts/test.conf b/testing/tests/tnc/tnccs-20-os-pts/test.conf index a8a05af19..4b1c410ff 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/test.conf +++ b/testing/tests/tnc/tnccs-20-os-pts/test.conf @@ -20,7 +20,6 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= - +DBHOSTS="moon" diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat index 1cf7ed69a..292116309 100644 --- a/testing/tests/tnc/tnccs-20-os/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat @@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf index baa7dbbc8..43cf395d9 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf @@ -15,11 +15,11 @@ charon { } libimcv { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager } attest { load = random nonce openssl sqlite - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db } 
diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat index 48514d6e0..74b902c69 100644 --- a/testing/tests/tnc/tnccs-20-os/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os/posttest.dat @@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush carol::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index fc102ec12..3c5cd328e 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -5,7 +5,7 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id moon::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config diff --git a/testing/tests/tnc/tnccs-20-os/test.conf b/testing/tests/tnc/tnccs-20-os/test.conf index a8a05af19..f4fd4dc16 100644 --- a/testing/tests/tnc/tnccs-20-os/test.conf +++ b/testing/tests/tnc/tnccs-20-os/test.conf @@ -20,7 +20,6 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= - +DBHOSTS="moon" \ No newline at end of file diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat index f744453e6..d373eb39b 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat 
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat @@ -24,6 +24,6 @@ moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP succe moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini index 5e7b7b556..ea9cbbee4 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini @@ -5,7 +5,7 @@ DEBUG_TOOLBAR=0 [db] DJANGO_DB_URL=sqlite:////var/www/tnc/django.db -STRONGTNC_DB_URL = sqlite:////etc/pts/config.db +STRONGTNC_DB_URL = sqlite:////etc/db.d/config.db [localization] LANGUAGE_CODE=en-us diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf index 1c34f51f8..48d5d70f0 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf @@ -24,7 +24,7 @@ charon { libimcv { debug_level = 3 - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager plugins { 
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf index ee16a4cad..8aa2ab97e 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + retransmit_timeout = + plugins { eap-ttls { max_message_count = 0 diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf index dd7d16076..aea7a71f9 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf @@ -3,7 +3,9 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - plugins { + retransmit_timeout = + + plugins { eap-ttls { max_message_count = 0 } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat index 1e5c3f8cd..fe9f59e44 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat @@ -3,7 +3,6 @@ carol::ipsec stop dave::ipsec stop alice::ipsec stop alice::service apache2 stop -alice::rm /etc/pts/config.db moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat index ca3c559d1..4b8d3f024 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat 
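Review bot: `retransmit_timeout =` is added to carol's and dave's strongswan.conf with nothing after the `=`. If a number was intended it is missing, and if the line is meant to keep the default it is dead configuration; either give it a value or drop the line, and in any case a comment such as `# retransmit_timeout: <intended value and why>` would record the intent, since dave's config in tnccs-11-radius-pts and tnccs-20-os-pts sets `retransmit_tries = 5` with an explicit value. It is possible the value was lost when this page was rendered, in which case only the comment suggestion applies. Both hunks are complete in this chunk.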
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat @@ -8,15 +8,16 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db -alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db +alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan alice::service apache2 start alice::ipsec start moon::ipsec start dave::ipsec start carol::ipsec start -carol::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home carol::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf index c4ca1a19f..345e91150 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf @@ -20,7 +20,7 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave alice" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= +DBHOSTS="alice" diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini index 5e7b7b556..ea9cbbee4 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini 
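Review bot: `chgrp -R` and `chmod -R` on `/etc/db.d/config.db` operate on a single regular file, so the added `-R` changes nothing; and if the goal is to let the www-data strongTNC process write the database, SQLite normally also needs write permission on the containing directory for its journal or WAL files, which this line does not grant — consider `alice::chgrp www-data /etc/db.d /etc/db.d/config.db; chmod g+w /etc/db.d /etc/db.d/config.db`. The same line appears in the tnccs-20-pdp-pt-tls pretest below. The preceding line pipes the SQL into `/etc/db.d/config.db` without removing a previous file, and the posttest's `rm` of the old path was dropped elsewhere in this commit, so this presumably relies on the DBHOSTS harness provisioning a fresh `/etc/db.d` per run — worth confirming, because sqlite3 would otherwise apply the INSERTs on top of the previous run's rows. The trailing `carol::sleep 1` after `carol::ipsec up home` also survives although the sleeps before the `up` calls were replaced by `expect-connection`.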
@@ -5,7 +5,7 @@ DEBUG_TOOLBAR=0 [db] DJANGO_DB_URL=sqlite:////var/www/tnc/django.db -STRONGTNC_DB_URL = sqlite:////etc/pts/config.db +STRONGTNC_DB_URL = sqlite:////etc/db.d/config.db [localization] LANGUAGE_CODE=en-us diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf index 857e6d6d6..5fa49e7a7 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -18,7 +18,7 @@ libtls { } libimcv { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager plugins { diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat index b7da857a7..2f45a149d 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat @@ -3,7 +3,6 @@ dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 alice::ipsec stop alice::service apache2 stop -alice::rm /etc/pts/config.db alice::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat index eed7967ee..e14ba8902 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat 
@@ -8,12 +8,12 @@ dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id dave::cat /etc/tnc_config alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db -alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db +alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan alice::service apache2 start alice::ipsec start -alice::sleep 1 +alice::expect-connection aaa winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 dave::ip route add 10.1.0.0/16 via 192.168.0.1 dave::cat /etc/pts/options @@ -21,4 +21,3 @@ dave::ipsec pt-tls-client --optionsfrom /etc/pts/options carol::ip route add 10.1.0.0/16 via 192.168.0.1 carol::cat /etc/pts/options carol::ipsec pt-tls-client --optionsfrom /etc/pts/options -carol::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf index 5f4f8e725..baeceb92b 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf @@ -20,7 +20,6 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="carol moon dave alice" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= - +DBHOSTS="alice" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat index 14c2aaf6c..8c9e59a56 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat 
@@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf index e67223b45..c69f9454d 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + retransmit_timeout = + multiple_authentication = no plugins { diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf index e72ab0920..38b2e2ec2 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf @@ -15,7 +15,7 @@ charon { } libimcv { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager plugins { imv-attestation { 
@@ -28,5 +28,5 @@ libimcv { attest { load = random nonce openssl sqlite - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db } diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat index 48514d6e0..74b902c69 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat @@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush carol::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat index 7a562eec5..345f54816 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat @@ -4,16 +4,16 @@ dave::iptables-restore < /etc/iptables.rules carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start dave::ipsec start carol::ipsec start -dave::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf index a8a05af19..2fd3139f5 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf 
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf @@ -20,7 +20,7 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= +DBHOSTS="moon" diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat index 0bf4f2b9b..d67756349 100644 --- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat @@ -15,6 +15,6 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf index 3c41f154a..b6c9ab661 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + retransmit_timeout = + multiple_authentication = no plugins { tnc-imc { diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf index 88a4ad36e..d9d0624f5 100644 
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf @@ -3,6 +3,8 @@ charon { load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite + retransmit_timeout = + multiple_authentication = no plugins { @@ -15,7 +17,7 @@ charon { } libimcv { - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db policy_script = ipsec imv_policy_manager plugins { imv-attestation { @@ -26,5 +28,5 @@ libimcv { attest { load = random nonce openssl sqlite - database = sqlite:///etc/pts/config.db + database = sqlite:///etc/db.d/config.db } diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat index 48514d6e0..74b902c69 100644 --- a/testing/tests/tnc/tnccs-20-pts/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat @@ -5,4 +5,3 @@ moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush carol::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat index 7a562eec5..345f54816 100644 --- a/testing/tests/tnc/tnccs-20-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat 
@@ -4,16 +4,16 @@ dave::iptables-restore < /etc/iptables.rules carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id moon::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql -moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start dave::ipsec start carol::ipsec start -dave::sleep 1 +dave::expect-connection home dave::ipsec up home +carol::expect-connection home carol::ipsec up home -carol::sleep 1 moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pts/test.conf b/testing/tests/tnc/tnccs-20-pts/test.conf index a8a05af19..2fd3139f5 100644 --- a/testing/tests/tnc/tnccs-20-pts/test.conf +++ b/testing/tests/tnc/tnccs-20-pts/test.conf @@ -20,7 +20,7 @@ TCPDUMPHOSTS="moon" # IPSECHOSTS="moon carol dave" -# Guest instances on which FreeRadius is started +# Guest instances on which databases are used # -RADIUSHOSTS= +DBHOSTS="moon" diff --git a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat index bac7294b2..c69940c4b 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat 
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat index b2b243ba3..85622034d 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat +++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat @@ -5,9 +5,9 @@ moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 +carol::ipsec start +dave::ipsec start +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat index 40d5e24d5..fe1becb97 100644 --- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat 
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU= moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat index cac1cfafc..85622034d 100644 --- a/testing/tests/tnc/tnccs-20-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat @@ -7,7 +7,7 @@ dave::cat /etc/tnc_config moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20/evaltest.dat b/testing/tests/tnc/tnccs-20/evaltest.dat index bac7294b2..c69940c4b 100644 --- a/testing/tests/tnc/tnccs-20/evaltest.dat +++ b/testing/tests/tnc/tnccs-20/evaltest.dat 
@@ -13,7 +13,7 @@ moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat index b2b243ba3..85622034d 100644 --- a/testing/tests/tnc/tnccs-20/pretest.dat +++ b/testing/tests/tnc/tnccs-20/pretest.dat @@ -5,9 +5,9 @@ moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 +carol::ipsec start +dave::ipsec start +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-dynamic/evaltest.dat b/testing/tests/tnc/tnccs-dynamic/evaltest.dat index 405298381..3d0c55449 100644 --- a/testing/tests/tnc/tnccs-dynamic/evaltest.dat +++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat 
@@ -21,7 +21,7 @@ moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat index 60775a11e..927b89d06 100644 --- a/testing/tests/tnc/tnccs-dynamic/pretest.dat +++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat @@ -7,7 +7,7 @@ dave::cat /etc/tnc_config moon::LEAK_DETECTIVE_DISABLE=1 ipsec start carol::LEAK_DETECTIVE_DISABLE=1 ipsec start dave::ipsec start -carol::sleep 1 +carol::expect-connection home carol::ipsec up home +dave::expect-connection home dave::ipsec up home -dave::sleep 1 -- cgit v1.2.3