merging changes from portability branch back to trunk
authorTobias Brunner <tobias@strongswan.org>
Thu, 30 Apr 2009 11:37:54 +0000 (11:37 -0000)
committerTobias Brunner <tobias@strongswan.org>
Thu, 30 Apr 2009 11:37:54 +0000 (11:37 -0000)
important change for developers: %Y replaces %D to print identities!

120 files changed:
src/_updown/Makefile.am
src/charon/Makefile.am
src/charon/config/auth_cfg.c
src/charon/config/backend_manager.c
src/charon/credentials/credential_manager.c
src/charon/credentials/sets/auth_cfg_wrapper.c
src/charon/daemon.c
src/charon/kernel/kernel_interface.c
src/charon/kernel/kernel_interface.h
src/charon/kernel/kernel_ipsec.h
src/charon/network/socket.c
src/charon/plugins/eap_aka/eap_aka.c
src/charon/plugins/eap_gtc/eap_gtc.c
src/charon/plugins/eap_md5/eap_md5.c
src/charon/plugins/eap_mschapv2/eap_mschapv2.c
src/charon/plugins/eap_sim/eap_sim.c
src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/charon/plugins/kernel_netlink/kernel_netlink_net.c
src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
src/charon/plugins/kernel_pfroute/Makefile.am [new file with mode: 0644]
src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c [new file with mode: 0644]
src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h [new file with mode: 0644]
src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c [new file with mode: 0644]
src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h [new file with mode: 0644]
src/charon/plugins/load_tester/load_tester_ipsec.c
src/charon/plugins/medcli/medcli_creds.c
src/charon/plugins/resolv_conf/resolv_conf_handler.c
src/charon/plugins/smp/smp.c
src/charon/plugins/sql/pool.c
src/charon/plugins/stroke/stroke_attribute.c
src/charon/plugins/stroke/stroke_ca.c
src/charon/plugins/stroke/stroke_config.c
src/charon/plugins/stroke/stroke_control.c
src/charon/plugins/stroke/stroke_list.c
src/charon/plugins/stroke/stroke_socket.c
src/charon/plugins/updown/updown_listener.c
src/charon/processing/jobs/mediation_job.c
src/charon/sa/authenticators/eap_authenticator.c
src/charon/sa/authenticators/psk_authenticator.c
src/charon/sa/authenticators/pubkey_authenticator.c
src/charon/sa/child_sa.c
src/charon/sa/connect_manager.c
src/charon/sa/ike_sa_manager.c
src/charon/sa/mediation_manager.c
src/charon/sa/tasks/ike_auth.c
src/charon/sa/tasks/ike_cert_post.c
src/charon/sa/tasks/ike_cert_pre.c
src/charon/sa/tasks/ike_delete.c
src/charon/sa/tasks/ike_me.c
src/charon/sa/tasks/ike_rekey.c
src/ipsec/Makefile.am
src/libfreeswan/Makefile.am
src/libfreeswan/addrtot.c
src/libfreeswan/addrtypeof.c
src/libfreeswan/anyaddr.c
src/libfreeswan/freeswan.h
src/libfreeswan/initaddr.c
src/libfreeswan/internal.h
src/libfreeswan/ipcomp.h [deleted file]
src/libfreeswan/ipsec_ah.h [deleted file]
src/libfreeswan/ipsec_alg.h [deleted file]
src/libfreeswan/ipsec_encap.h [deleted file]
src/libfreeswan/ipsec_eroute.h [deleted file]
src/libfreeswan/ipsec_errs.h [deleted file]
src/libfreeswan/ipsec_esp.h [deleted file]
src/libfreeswan/ipsec_ipe4.h [deleted file]
src/libfreeswan/ipsec_kversion.h [deleted file]
src/libfreeswan/ipsec_life.h [deleted file]
src/libfreeswan/ipsec_md5h.h [deleted file]
src/libfreeswan/ipsec_param.h
src/libfreeswan/ipsec_proto.h [deleted file]
src/libfreeswan/ipsec_radij.h [deleted file]
src/libfreeswan/ipsec_rcv.h [deleted file]
src/libfreeswan/ipsec_sa.h [deleted file]
src/libfreeswan/ipsec_sha1.h [deleted file]
src/libfreeswan/ipsec_stats.h [deleted file]
src/libfreeswan/ipsec_tunnel.h [deleted file]
src/libfreeswan/ipsec_xform.h [deleted file]
src/libfreeswan/ipsec_xmit.h [deleted file]
src/libfreeswan/pfkey.h
src/libfreeswan/pfkey_v2_build.c
src/libfreeswan/pfkey_v2_debug.c
src/libfreeswan/pfkey_v2_ext_bits.c
src/libfreeswan/pfkey_v2_parse.c
src/libfreeswan/portof.c
src/libfreeswan/radij.h [deleted file]
src/libfreeswan/satot.c
src/libfreeswan/ttoaddr.c
src/libfreeswan/ttosa.c
src/libfreeswan/ttosubnet.c
src/libfreeswan/version.c
src/libstrongswan/Makefile.am
src/libstrongswan/asn1/asn1.c
src/libstrongswan/asn1/oid.pl
src/libstrongswan/crypto/pkcs7.c
src/libstrongswan/library.c
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/libstrongswan/plugins/x509/x509_ocsp_response.c
src/libstrongswan/printf_hook.c
src/libstrongswan/printf_hook.h
src/libstrongswan/utils.c
src/libstrongswan/utils/enumerator.c
src/medsrv/controller/peer_controller.c
src/pluto/Makefile.am
src/scepclient/Makefile.am
src/starter/Makefile.am
src/starter/interfaces.c
src/starter/interfaces.h
src/starter/parser.l
src/starter/starter.c
src/starter/starterstroke.c
src/starter/starterwhack.c
src/stroke/Makefile.am
src/stroke/stroke.c

index 9fd592797f56542d90cae197dd9eb5343ad9809b..5fc04ab885206ab9f6b50f3b54df91c969747e9c 100644 (file)
@@ -8,5 +8,5 @@ _updown : _updown.in
        -e "s:@IPSEC_SBINDIR@:$(sbindir):" \
        -e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \
        -e "s:\@IPSEC_ROUTING_TABLE_PRIO\@:$(IPSEC_ROUTING_TABLE_PRIO):" \
-       $< > $@
+       $(srcdir)/$@.in > $@
        chmod +x $@
index 7c5e139e47db9f0f03314319a6544f429c7362eb..1d27d13cdc1853564462e8699685741af626d190 100644 (file)
@@ -106,13 +106,14 @@ AM_CFLAGS = -rdynamic \
   -DIPSEC_PIDDIR=\"${piddir}\" \
   -DIPSEC_PLUGINDIR=\"${plugindir}\" \
   -DSTRONGSWAN_CONF=\"${strongswan_conf}\"
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm -ldl
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB)
 
 EXTRA_DIST = config/proposal_keywords.txt
-MAINTAINERCLEANFILES = config/proposal_keywords.c
+BUILT_SOURCES = $(srcdir)/config/proposal_keywords.c
+MAINTAINERCLEANFILES = $(srcdir)/config/proposal_keywords.c
 
-config/proposal_keywords.c:    config/proposal_keywords.txt config/proposal_keywords.h
-               (cd `dirname $<` && $(GPERF) -C -G -c -t < `basename $<` > `basename $@` )
+$(srcdir)/config/proposal_keywords.c:  $(srcdir)/config/proposal_keywords.txt $(srcdir)/config/proposal_keywords.h
+               $(GPERF) -C -G -c -t -D < $(srcdir)/config/proposal_keywords.txt > $@
 
 # compile options
 #################
@@ -162,6 +163,11 @@ if USE_KERNEL_PFKEY
   PLUGINS += kernel-pfkey
 endif
 
+if USE_KERNEL_PFROUTE
+  SUBDIRS += plugins/kernel_pfroute
+  PLUGINS += kernel-pfroute
+endif
+
 if USE_KERNEL_KLIPS
   SUBDIRS += plugins/kernel_klips
   PLUGINS += kernel-klips
index 87aca3813672c95230f7c9f10d7558417408eb4d..c8566087c3d950d5016be537e11bb391f968e7d8 100644 (file)
@@ -340,7 +340,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                                if (!success && log_error)
                                {
                                        DBG1(DBG_CFG, "constraint check failed: peer not "
-                                                "authenticated by CA '%D'.", c1->get_subject(c1));
+                                                "authenticated by CA '%Y'.", c1->get_subject(c1));
                                }
                                break;
                        }
@@ -356,7 +356,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                                        if (log_error)
                                        {
                                                DBG1(DBG_CFG, "constraint check failed: peer not "
-                                                        "authenticated with peer cert '%D'.",
+                                                        "authenticated with peer cert '%Y'.",
                                                         c1->get_subject(c1));
                                        }
                                }
@@ -411,7 +411,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                                        success = FALSE;
                                        if (log_error)
                                        {
-                                               DBG1(DBG_CFG, "constraint check failed: %sidentity '%D'"
+                                               DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'"
                                                         " required ", t1 == AUTH_RULE_IDENTITY ? "" :
                                                         "EAP ", id1);
                                        }
index 28e50ef0a1c0c8b3e1592233d770dfdafec370e7..43d9594fed58a890da773d0d7bfbca77034b0dc1 100644 (file)
@@ -339,7 +339,7 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
                return enumerator;
        }
        
-       DBG1(DBG_CFG, "looking for peer configs matching %H[%D]...%H[%D]",
+       DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
                 me, my_id, other, other_id);
        
        configs = linked_list_create();
index 3cd4e35ed1a3d5a4f9fa9823843fc01b34b4fe47..69502244841390ad302536b9413ee3f116b93950 100644 (file)
@@ -530,7 +530,7 @@ static bool verify_ocsp(private_credential_manager_t *this,
        {
                if (this->cache->issued_by(this->cache, subject, issuer))
                {
-                       DBG1(DBG_CFG, "  ocsp response correctly signed by \"%D\"",
+                       DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
                                                     issuer->get_subject(issuer));
                        verified = TRUE;
                        break;
@@ -756,7 +756,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
        {
                if (this->cache->issued_by(this->cache, crl, issuer))
                {
-                       DBG1(DBG_CFG, "  crl correctly signed by \"%D\"",
+                       DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
                                                   issuer->get_subject(issuer));
                        verified = TRUE;
                        break;
@@ -966,7 +966,7 @@ static bool check_certificate(private_credential_manager_t *this,
        {
                if (ocsp || crl)
                {
-                       DBG1(DBG_CFG, "checking certificate status of \"%D\"",
+                       DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
                                                   subject->get_subject(subject));
                }
                if (ocsp)
@@ -1082,7 +1082,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                        if (this->cache->issued_by(this->cache, issuer, issuer))
                        {
                                auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
-                               DBG1(DBG_CFG, "  using trusted ca certificate \"%D\"",
+                               DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
                                         issuer->get_subject(issuer));
                                trusted = TRUE;
                        }
@@ -1090,7 +1090,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                        {
                                auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
                                DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
-                                        "\"%D\"", issuer->get_subject(issuer));
+                                        "\"%Y\"", issuer->get_subject(issuer));
                        }
                }
                else
@@ -1100,18 +1100,18 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                        {
                                if (current->equals(current, issuer))
                                {
-                                       DBG1(DBG_CFG, "  self-signed certificate \"%D\" is not trusted",
+                                       DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
                                                 current->get_subject(current));
                                        issuer->destroy(issuer);
                                        break;
                                }
                                auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
                                DBG1(DBG_CFG, "  using untrusted intermediate certificate "
-                                        "\"%D\"", issuer->get_subject(issuer));
+                                        "\"%Y\"", issuer->get_subject(issuer));
                        }
                        else
                        {
-                               DBG1(DBG_CFG, "no issuer certificate found for \"%D\"", 
+                               DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", 
                                         current->get_subject(current));
                                break;
                        }
@@ -1197,7 +1197,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
                        {
                                this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
                                                                this->pretrusted->get_ref(this->pretrusted));
-                               DBG1(DBG_CFG, "  using trusted certificate \"%D\"",
+                               DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
                                         this->pretrusted->get_subject(this->pretrusted));
                                *cert = this->pretrusted;
                                if (auth)
@@ -1217,7 +1217,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
                        continue;
                }
        
-               DBG1(DBG_CFG, "  using certificate \"%D\"",
+               DBG1(DBG_CFG, "  using certificate \"%Y\"",
                         current->get_subject(current));
                if (verify_trust_chain(this->this, current, this->auth, FALSE,
                                                           this->crl, this->ocsp))
index 2e93cc53a60bfd05b0d123f053d41189fe76c8d8..55f265513a63f8de648fb07f16824189f20d8ea3 100644 (file)
@@ -96,7 +96,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
                return FALSE;
        }
        
-       DBG1(DBG_CFG, "  fetched certificate \"%D\"", cert->get_subject(cert));
+       DBG1(DBG_CFG, "  fetched certificate \"%Y\"", cert->get_subject(cert));
        charon->credentials->cache_cert(charon->credentials, cert);
        
        if (*rule == AUTH_HELPER_IM_HASH_URL)
index 6dcb39a89384b95758889674585c91a91627d865..339846a856061ef7b72c9c93467c13de86a46dd8 100644 (file)
@@ -17,7 +17,9 @@
  */
 
 #include <stdio.h>
+#ifdef HAVE_PRCTL
 #include <sys/prctl.h>
+#endif
 #include <signal.h>
 #include <pthread.h>
 #include <sys/stat.h>
@@ -240,8 +242,10 @@ static void kill_daemon(private_daemon_t *this, char *reason)
  * drop daemon capabilities
  */
 static void drop_capabilities(private_daemon_t *this)
-{      
+{
+#ifdef HAVE_PRCTL
        prctl(PR_SET_KEEPCAPS, 1);
+#endif
 
        if (setgid(charon->gid) != 0)
        {
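Review bot: The return value of `prctl(PR_SET_KEEPCAPS, 1)` is still discarded, so if the call fails the setgid()/setuid() that follow drop every capability and the daemon carries on in a state the code never checked for; kill_daemon(this, reason) is visible just above the hunk, so `if (prctl(PR_SET_KEEPCAPS, 1) != 0) { kill_daemon(this, "unable to keep capabilities across uid change"); }` is the consistent fix. The new `#ifdef HAVE_PRCTL` guard also means that on platforms without prctl() nothing preserves capabilities across the uid switch; whether the rest of drop_capabilities, which continues outside this hunk, is conditional in the same way cannot be seen here, so the skipped path should say what is expected, e.g. `/* no prctl(): capabilities do not survive setuid(); the code below must not assume they do */`.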
index fca1496131e16bdd277dae0c2f197091ad3f25fb..159831667f18f6d7b5d1c890dec57faae145b7fc 100644 (file)
@@ -109,10 +109,10 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
 /**
  * Implementation of kernel_interface_t.del_sa
  */
-static status_t del_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi,
-                               protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
+                               u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
 {
-       return this->ipsec->del_sa(this->ipsec, dst, spi, protocol, cpi);
+       return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi);
 }
 
 /**
@@ -373,7 +373,7 @@ kernel_interface_t *kernel_interface_create()
        this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+       this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
        this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
index 85ba881cfc671fb2c34f96e19379cb0b63e0482f..e1089a0de2caaa077d11f60958f12750ea53b048 100644 (file)
@@ -145,14 +145,15 @@ struct kernel_interface_t {
        /**
         * Delete a previously installed SA from the SAD.
         * 
+        * @param src                   source address for this SA
         * @param dst                   destination address for this SA
         * @param spi                   SPI allocated by us or remote peer
         * @param protocol              protocol for this SA (ESP/AH)
         * @param cpi                   CPI for IPComp or 0
         * @return                              SUCCESS if operation completed
         */
-       status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
-                                               protocol_id_t protocol, u_int16_t cpi);
+       status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+                                               u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
        
        /**
         * Add a policy to the SPD.
index 6360e5fd9652d25fa4a95d87dcc3d53e9c88b85f..d0b15a4adbb83018605e65fd2b2c134d7b0fd76d 100644 (file)
@@ -35,17 +35,15 @@ typedef struct kernel_ipsec_t kernel_ipsec_t;
 #include <encoding/payloads/proposal_substructure.h>
 
 /**
- * Mode of an CHILD_SA.
- *
- * These are equal to those defined in XFRM, so don't change.
+ * Mode of a CHILD_SA.
  */
 enum ipsec_mode_t {
        /** transport mode, no inner address */
-       MODE_TRANSPORT = 0,
+       MODE_TRANSPORT = 1,
        /** tunnel mode, inner and outer addresses */
-       MODE_TUNNEL = 1,
+       MODE_TUNNEL,
        /** BEET mode, tunnel mode but fixed, bound inner addresses */
-       MODE_BEET = 4,
+       MODE_BEET,
 };
 
 /**
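Review bot: Removing the "equal to those defined in XFRM" note and renumbering MODE_TRANSPORT/MODE_TUNNEL/MODE_BEET to 1/2/3 means the values no longer coincide with the XFRM constants the old enum mirrored (0, 1 and 4), so any backend that still hands an ipsec_mode_t to the kernel unchanged would now silently install the wrong mode — transport would become tunnel, tunnel an unrelated mode — which is a security failure rather than a compile error. kernel_netlink_ipsec.c is in the changed-file list, so presumably a translation was added there, but that cannot be seen from this hunk. The enum should state the contract explicitly: `/* internal to charon, deliberately starting at 1; kernel backends must translate these to their native mode constants (e.g. XFRM_MODE_*) and must never pass them through */`.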
@@ -177,14 +175,15 @@ struct kernel_ipsec_t {
        /**
         * Delete a previusly installed SA from the SAD.
         * 
+        * @param src                   source address for this SA
         * @param dst                   destination address for this SA
         * @param spi                   SPI allocated by us or remote peer
         * @param protocol              protocol for this SA (ESP/AH)
         * @param cpi                   CPI for IPComp or 0
         * @return                              SUCCESS if operation completed
         */
-       status_t (*del_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi,
-                                               protocol_id_t protocol, u_int16_t cpi);
+       status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+                                               u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
        
        /**
         * Add a policy to the SPD.
index c43ba020749a3e120540748f0180d2b09cec2282..d93a8d520aabe98a8f38410181160b538fa6f224 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
 #include <stdlib.h>
 #include <fcntl.h>
 #include <sys/ioctl.h>
+#include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/udp.h>
-#include <linux/types.h>
-#include <linux/filter.h>
 #include <net/if.h>
 
 #include "socket.h"
 #define UDP_ENCAP_ESPINUDP 2
 #endif /*UDP_ENCAP_ESPINUDP*/
 
-/* needed for older kernel headers */
-#ifndef IPV6_2292PKTINFO
-#define IPV6_2292PKTINFO 2
-#endif /*IPV6_2292PKTINFO*/
+/* these are not defined on some platforms */
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#define SOL_UDP IPPROTO_UDP
+#endif
 
 typedef struct private_socket_t private_socket_t;
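Review bot: The fallback defines SOL_IPV6 and SOL_UDP under the single `#ifndef SOL_IP` guard, so a platform that provides SOL_IP but not one of the other two gets no fallback, and one that lacks SOL_IP but provides SOL_IPV6 gets a macro redefinition; each name should carry its own guard, `#ifndef SOL_IPV6` / `#define SOL_IPV6 IPPROTO_IPV6` / `#endif`, and likewise for SOL_UDP. With the old IPV6_2292PKTINFO fallback gone, the IPv6 paths below now depend on the headers supplying IPV6_PKTINFO and IPV6_RECVPKTINFO; a `#ifndef IPV6_RECVPKTINFO` followed by `#error` would turn a missing definition into a clear build failure instead of an implicit-declaration surprise.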
 
@@ -201,7 +202,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                        }
                        
                        if (cmsgptr->cmsg_level == SOL_IPV6 &&
-                               cmsgptr->cmsg_type == IPV6_2292PKTINFO)
+                               cmsgptr->cmsg_type == IPV6_PKTINFO)
                        {
                                struct in6_pktinfo *pktinfo;
                                pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
@@ -214,14 +215,26 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                                dest = host_create_from_sockaddr((sockaddr_t*)&dst);
                        }
                        if (cmsgptr->cmsg_level == SOL_IP &&
-                               cmsgptr->cmsg_type == IP_PKTINFO)
-                       {                       
+#ifdef IP_RECVDSTADDR
+                               cmsgptr->cmsg_type == IP_RECVDSTADDR
+#else
+                               cmsgptr->cmsg_type == IP_PKTINFO
+#endif
+                               )
+                       {
+                               struct in_addr *addr;
+                               struct sockaddr_in dst; 
+
+#ifdef IP_RECVDSTADDR
+                               addr = (struct in_addr*)CMSG_DATA(cmsgptr);
+#else
                                struct in_pktinfo *pktinfo;
                                pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
-                               struct sockaddr_in dst;
-                               
+                               addr = &pktinfo->ipi_addr;
+#endif
                                memset(&dst, 0, sizeof(dst));
-                               memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr));
+                               memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
+                               
                                dst.sin_family = AF_INET;
                                dst.sin_port = htons(port);
                                dest = host_create_from_sockaddr((sockaddr_t*)&dst);
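Review bot: The IPv4 branch copies `sizeof(dst.sin_addr)` bytes from `CMSG_DATA(cmsgptr)` without checking that the control message is that long; the payload is a bare `struct in_addr` under IP_RECVDSTADDR and a `struct in_pktinfo` under IP_PKTINFO, and a short or foreign cmsg would be read past its end. A defensive guard before the copy, `if (cmsgptr->cmsg_len < CMSG_LEN(sizeof(struct in_addr))) { continue; }` (with `sizeof(struct in_pktinfo)` on the IP_PKTINFO side), keeps the parse bounded; this assumes the enclosing loop advances with CMSG_NXTHDR, which is outside the hunk. Well-behaved kernels produce correctly sized messages, so this is hardening rather than a known fault.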
@@ -340,24 +353,35 @@ status_t sender(private_socket_t *this, packet_t *packet)
        msg.msg_iovlen = 1;
        msg.msg_flags = 0;
        
-       if (!dst->is_anyaddr(dst))
+       if (!src->is_anyaddr(src))
        {
                if (family == AF_INET)
                {
+                       struct in_addr *addr;
+                       struct sockaddr_in *sin;
+#ifdef IP_SENDSRCADDR
+                       char buf[CMSG_SPACE(sizeof(struct in_addr))];
+#else
                        char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
                        struct in_pktinfo *pktinfo;
-                       struct sockaddr_in *sin;
-                       
+#endif
                        msg.msg_control = buf;
                        msg.msg_controllen = sizeof(buf);
                        cmsg = CMSG_FIRSTHDR(&msg);
                        cmsg->cmsg_level = SOL_IP;
+#ifdef IP_SENDSRCADDR
+                       cmsg->cmsg_type = IP_SENDSRCADDR;
+                       cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
+                       addr = (struct in_addr*)CMSG_DATA(cmsg);
+#else
                        cmsg->cmsg_type = IP_PKTINFO;
                        cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
                        pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
                        memset(pktinfo, 0, sizeof(struct in_pktinfo));
+                       addr = &pktinfo->ipi_spec_dst;
+#endif
                        sin = (struct sockaddr_in*)src->get_sockaddr(src);
-                       memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
+                       memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
                }
                else
                {
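Review bot: `msg.msg_control` is pointed at `buf`, an array declared inside the `if (family == AF_INET)` block (and, in the IP_SENDSRCADDR variant, now a smaller array than before), so the pointer outlives the object as soon as the block closes; the sendmsg() that consumes `msg` is outside this hunk, and if it is issued after the if/else, as the setup suggests, it reads a dead automatic. Hoisting one `char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];` to function scope and setting `msg.msg_controllen = CMSG_SPACE(sizeof(struct in_addr));` or the in_pktinfo/in6_pktinfo size per branch removes the hazard; the IPv6 branch's buffer below has the same lifetime. The enclosing sender() continues outside the hunk.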
@@ -369,7 +393,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
                        msg.msg_controllen = sizeof(buf);
                        cmsg = CMSG_FIRSTHDR(&msg);
                        cmsg->cmsg_level = SOL_IPV6;
-                       cmsg->cmsg_type = IPV6_2292PKTINFO;
+                       cmsg->cmsg_type = IPV6_PKTINFO;
                        cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
                        pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
                        memset(pktinfo, 0, sizeof(struct in6_pktinfo));
@@ -389,13 +413,14 @@ status_t sender(private_socket_t *this, packet_t *packet)
 }
 
 /**
- * open a socket to send packets
+ * open a socket to send and receive packets
  */
 static int open_socket(private_socket_t *this, int family, u_int16_t port)
 {
        int on = TRUE;
        int type = UDP_ENCAP_ESPINUDP;
        struct sockaddr_storage addr;
+       socklen_t addrlen;
        u_int sol, pktinfo;
        int skt;
        
@@ -409,8 +434,13 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
                        sin->sin_family = AF_INET;
                        sin->sin_addr.s_addr = INADDR_ANY;
                        sin->sin_port = htons(port);
+                       addrlen = sizeof(struct sockaddr_in);
                        sol = SOL_IP;
+#ifdef IP_RECVDSTADDR
+                       pktinfo = IP_RECVDSTADDR;
+#else
                        pktinfo = IP_PKTINFO;
+#endif
                        break;
                }
                case AF_INET6:
@@ -419,8 +449,9 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
                        sin6->sin6_family = AF_INET6;
                        memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
                        sin6->sin6_port = htons(port);
+                       addrlen = sizeof(struct sockaddr_in6);
                        sol = SOL_IPV6;
-                       pktinfo = IPV6_2292PKTINFO;
+                       pktinfo = IPV6_RECVPKTINFO;
                        break;
                }
                default:
@@ -440,8 +471,8 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
                return 0;
        }
        
-       /* bind the send socket */
-       if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+       /* bind the socket */
+       if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
        {
                DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
                close(skt);
index da06d8059709f77892fddd6ab1ae6e5aab3e1ac1..da2adeb8a05b735844b7a90184e15de1b04d2eb8 100644 (file)
@@ -880,7 +880,7 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
        /* Get the shared key K: */
        if (load_key(this->server, this->peer, &this->k) != SUCCESS)
        {
-               DBG1(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+               DBG1(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
                                "with EAP-AKA", this->server, this->peer);
                return FAILED;
        }
@@ -1202,7 +1202,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
        {
                *out = build_aka_payload(this, EAP_RESPONSE, identifier,
                                                                 AKA_AUTHENTICATION_REJECT, AT_END);
-               DBG3(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+               DBG3(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
                         "with EAP-AKA, sending %N", this->peer, this->server,
                         aka_subtype_names, AKA_AUTHENTICATION_REJECT);
                return NEED_MORE;
index 0a93a90f6fb763895f90ba51d34088b610173833..9bcdbd686b7329a94a889cafbff0ec1947fff5ac 100644 (file)
@@ -174,7 +174,7 @@ static status_t process_peer(private_eap_gtc_t *this,
                                                                                         this->peer, this->server);
        if (shared == NULL)
        {
-               DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'",
+               DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",
                         this->peer, this->server);
                return FAILED;
        }
index 53394800079171af67a2558b8a944c6f6d324dca..47494388b6ce04361313cf8f67be8bae715f572d 100644 (file)
@@ -90,7 +90,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response)
                                                                                         this->server, this->peer);
        if (shared == NULL)
        {
-               DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+               DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
                         this->server, this->peer);
                return NOT_FOUND;
        }
index 9bbff817ab3149dcf39401a3e2095037f02cf761..ef142c1cd49930208342964ee87182ff6555920b 100644 (file)
@@ -667,7 +667,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
                                                                                SHARED_EAP, this->peer, this->server);
        if (shared == NULL)
        {
-               DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+               DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
                         this->server, this->peer);
                return NOT_FOUND;
        }
@@ -1019,14 +1019,14 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
        name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
        snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
        userid = identification_create_from_string(buf);
-       DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%D'", userid);
+       DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
        username = extract_username(userid);
        
        shared = charon->credentials->get_shared(charon->credentials,
                                                                                         SHARED_EAP, this->server, userid);
        if (shared == NULL)
        {
-               DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+               DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
                                          this->server, userid);
                /* FIXME: windows 7 always sends the username that is first entered in
                 * the username box, even, if the user changes it during retries (probably
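Review bot: `name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255)` wraps when `data.len` is smaller than RESPONSE_PAYLOAD_LEN and the operands are unsigned, in which case min() yields 255 and the `%.*s` reads up to 255 bytes beyond an attacker-supplied EAP response. process_server_response starts above the hunk, so an earlier length check may already reject such packets; if there is none, add `if (data.len < RESPONSE_PAYLOAD_LEN) { return FAILED; }` before the subtraction, using whatever status the function's other early exits return. The `%D` to `%Y` change itself is fine.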
index c2902b54b037c41bcbf44bc66e268757c65a9834..fc33d6c93252d1f63f804f2d4c1ffed61410c3e1 100644 (file)
@@ -571,7 +571,7 @@ static bool get_card_triplet(private_eap_sim_t *this,
        enumerator->destroy(enumerator);
        if (!card)
        {
-               DBG1(DBG_IKE, "no SIM card found matching '%D'", this->peer);
+               DBG1(DBG_IKE, "no SIM card found matching '%Y'", this->peer);
        }
        return success;
 }
@@ -775,7 +775,7 @@ static bool get_provider_triplet(private_eap_sim_t *this,
                tried++;
        }
        enumerator->destroy(enumerator);
-       DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%D'",
+       DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
                 tried, this->peer);
        return FALSE;
 }
index e130c0526388c9b9fdeb627b205521b0a2b1292a..627857f3d0d0a118655fcd4e201c741e14ba40c8 100644 (file)
@@ -220,7 +220,7 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
                        continue;
                }
                
-               DBG2(DBG_CFG, "triplet: imsi %D\nrand %b\nsres %b\nkc %b",
+               DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b",
                         triplet->imsi, triplet->rand, RAND_LEN,
                         triplet->sres, SRES_LEN, triplet->kc, KC_LEN);
                         
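Review bot: The DBG2 line on the new side still writes the triplet's rand, sres and kc to the log, and kc/sres are the SIM session secret for that IMSI, so ordinary level-2 debug output now carries key material. Since the format string is being touched anyway, this is the moment to move the line to the sensitive-data level or drop the secret fields, e.g. `DBG4(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b",` with the argument lines unchanged. read_triplets continues outside the hunk.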
index 3d84805c8c3d6c6e70020ce20643bc53453a5d89..1751ee8076a8a178b9c08c121484d2398ee20b15 100644 (file)
@@ -1938,8 +1938,9 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *dst,
-                                          u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
+                                          host_t *dst, u_int32_t spi, protocol_id_t protocol,
+                                          u_int16_t cpi)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -2610,7 +2611,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
        this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
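Review bot: The rewritten del_sa cast had to be updated by hand to track the new parameter list, and the compiler verifies nothing here: a cast to a function-pointer type accepts any target, so a backend whose del_sa was not changed in step would still compile and be called through kernel_ipsec_t with a mismatched argument list, which is undefined behaviour. The same cast is rewritten in the kernel_netlink_ipsec_create hunk below. A cheap guard is to declare each implementation with the interface's own parameter types (`kernel_ipsec_t *this`, casting to the private type inside the body) and assign the function without a cast, so any future signature drift becomes a compile error instead of a silent ABI mismatch.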
index e3b683474cb6a93a394a7f972dab33b711496cbf..9777406635781d00633ce0cead31c9b2caee6ec7 100644 (file)
@@ -374,6 +374,24 @@ static protocol_id_t proto_kernel2ike(u_int8_t proto)
        }
 }
 
+/**
+ * convert the general ipsec mode to the one defined in xfrm.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+       switch (mode)
+       {
+               case MODE_TRANSPORT:
+                       return XFRM_MODE_TRANSPORT;
+               case MODE_TUNNEL:
+                       return XFRM_MODE_TUNNEL;
+               case MODE_BEET:
+                       return XFRM_MODE_BEET;
+               default:
+                       return mode;
+       }
+}
+
 /**
  * convert a host_t to a struct xfrm_address
  */
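Review bot: mode2kernel's default branch returns the unmapped ipsec_mode_t value unchanged, so an unknown or newly added mode is written into the XFRM SA and policy templates as if it were a valid kernel mode instead of being rejected. The same pattern appears in the kernel_pfkey_ipsec hunks for mode2kernel and dir2kernel, where MODE_BEET and POLICY_FWD are now compiled out on platforms lacking IPSEC_MODE_BEET/IPSEC_DIR_FWD and therefore fall into that passthrough default silently. At minimum the default case should say so, `DBG1(DBG_KNL, "unsupported IPsec mode %N", ipsec_mode_names, mode);`, and the add_sa/add_policy callers could treat an unsupported mode as a failure rather than installing an SA the platform cannot honour.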
@@ -803,7 +821,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
        host2xfrm(src, &userspi->info.saddr);
        host2xfrm(dst, &userspi->info.id.daddr);
        userspi->info.id.proto = proto;
-       userspi->info.mode = TRUE; /* tunnel mode */
+       userspi->info.mode = XFRM_MODE_TUNNEL;
        userspi->info.reqid = reqid;
        userspi->info.family = src->get_family(src);
        userspi->min = min;
@@ -941,7 +959,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
        sa->id.spi = spi;
        sa->id.proto = proto_ike2kernel(protocol);
        sa->family = src->get_family(src);
-       sa->mode = mode;
+       sa->mode = mode2kernel(mode);
        if (mode == MODE_TUNNEL)
        {
                sa->flags |= XFRM_STATE_AF_UNSPEC;
@@ -1216,8 +1234,9 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
-                                          u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
+                                          host_t *dst, u_int32_t spi, protocol_id_t protocol,
+                                          u_int16_t cpi)
 {
        netlink_buf_t request;
        struct nlmsghdr *hdr;
@@ -1226,7 +1245,7 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
        /* if IPComp was used, we first delete the additional IPComp SA */
        if (cpi)
        {
-               del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
+               del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
        }
        
        memset(&request, 0, sizeof(request));
@@ -1339,7 +1358,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
        }
        
        /* delete the old SA (without affecting the IPComp SA) */
-       if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
+       if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
                free(out);
@@ -1526,7 +1545,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
                tmpl->reqid = reqid;
                tmpl->id.proto = IPPROTO_COMP;
                tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-               tmpl->mode = mode;
+               tmpl->mode = mode2kernel(mode);
                tmpl->optional = direction != POLICY_OUT;
                tmpl->family = src->get_family(src);
                
@@ -1547,7 +1566,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
        tmpl->reqid = reqid;
        tmpl->id.proto = proto_ike2kernel(protocol);
        tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-       tmpl->mode = mode;
+       tmpl->mode = mode2kernel(mode);
        tmpl->family = src->get_family(src);
        
        host2xfrm(src, &tmpl->saddr);
@@ -1871,7 +1890,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
        this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
index f18a5359c44c406988c5938fc536f430dcfb2e25..9090e32157c333a7ae659751d06e91e716fd4780 100644 (file)
@@ -1175,7 +1175,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
 /**
  * Implementation of kernel_net_t.add_route.
  */
-status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
                u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
        return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
@@ -1185,7 +1185,7 @@ status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
 /**
  * Implementation of kernel_net_t.del_route.
  */
-status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
                u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
        return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
index 6ef5b52a2faf7a55f989ec3e764393ee4c758ff5..95932eb9c1cb0c7e38657b8543bcc825a9f4ea0d 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
 
 #include <sys/types.h>
 #include <sys/socket.h>
+
+#ifdef HAVE_NET_PFKEYV2_H
+#include <net/pfkeyv2.h>
+#else
 #include <stdint.h>
-#include <linux/ipsec.h>
 #include <linux/pfkeyv2.h>
+#endif
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+#define HAVE_NATT
+#endif
+
+#ifdef HAVE_NETIPSEC_IPSEC_H
+#include <netipsec/ipsec.h>
+#else
+#include <linux/ipsec.h>
+#endif
+
+#ifdef HAVE_NATT
+#ifdef HAVE_NETINET_UDP_H
+#include <netinet/udp.h>
+#else
 #include <linux/udp.h>
+#endif /*HAVE_NETINET_UDP_H*/
+#endif /*HAVE_NATT*/
+
 #include <unistd.h>
 #include <pthread.h>
 #include <errno.h>
 #include <processing/jobs/delete_child_sa_job.h>
 #include <processing/jobs/update_sa_job.h>
 
+/** non linux specific */
+#ifndef IPPROTO_COMP
+#define IPPROTO_COMP IPPROTO_IPCOMP
+#endif
+
+#ifndef SADB_X_AALG_SHA2_256HMAC
+#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
+#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
+#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
+#endif
+
+#ifndef SADB_X_EALG_AESCBC
+#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+#endif
+
+#ifndef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
+#endif
+
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+
 /** from linux/in.h */
 #ifndef IP_IPSEC_POLICY
 #define IP_IPSEC_POLICY 16
@@ -46,7 +92,7 @@
 /* missing on uclibc */
 #ifndef IPV6_IPSEC_POLICY
 #define IPV6_IPSEC_POLICY 34
-#endif /*IPV6_IPSEC_POLICY*/
+#endif
 
 /** default priority of installed policies */
 #define PRIO_LOW 3000
@@ -160,8 +206,8 @@ struct route_entry_t {
 static void route_entry_destroy(route_entry_t *this)
 {
        free(this->if_name);
-       this->src_ip->destroy(this->src_ip);
-       this->gateway->destroy(this->gateway);
+       DESTROY_IF(this->src_ip);
+       DESTROY_IF(this->gateway);
        chunk_free(&this->dst_net);
        free(this);
 }
@@ -217,7 +263,7 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
        
        /* src or dest proto may be "any" (0), use more restrictive one */
        policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
-       policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; 
+       policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
        policy->dst.proto = policy->src.proto;
        
        return policy;
@@ -268,7 +314,6 @@ struct pfkey_msg_t
         */
        struct sadb_msg *msg;
        
-       
        /**
         * PF_KEY message extensions
         */
@@ -305,7 +350,7 @@ struct pfkey_msg_t
        };
 };
 
-ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
+ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
        "SADB_EXT_RESERVED",
        "SADB_EXT_SA",
        "SADB_EXT_LIFETIME_CURRENT",
@@ -333,6 +378,7 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
        "SADB_X_EXT_SEC_CTX",
        "SADB_X_EXT_KMADDRESS"
 );
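Review bot: The ENUM's upper bound is now the platform's SADB_EXT_MAX, but the string table that follows still lists the Linux extension names ending at "SADB_X_EXT_KMADDRESS", so range and table only agree where SADB_EXT_MAX happens to equal that constant. On a platform whose pfkeyv2.h numbers the SADB_X_* extensions differently or defines a larger SADB_EXT_MAX, a `%N` lookup through sadb_ext_type_names prints a misleading name or, if the ENUM macro does not check the count (I cannot see it from here), indexes past the table. A comment above the table noting that the names are the Linux numbering, plus a build-time check that the number of strings equals `SADB_EXT_MAX + 1`, would make the mismatch visible at compile time.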
+
 /**
  * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
  */
@@ -396,8 +442,10 @@ static u_int8_t mode2kernel(ipsec_mode_t mode)
                        return IPSEC_MODE_TRANSPORT;
                case MODE_TUNNEL:
                        return IPSEC_MODE_TUNNEL;
+#ifdef IPSEC_MODE_BEET
                case MODE_BEET:
                        return IPSEC_MODE_BEET;
+#endif
                default:
                        return mode;
        }
@@ -414,13 +462,16 @@ static u_int8_t dir2kernel(policy_dir_t dir)
                        return IPSEC_DIR_INBOUND;
                case POLICY_OUT:
                        return IPSEC_DIR_OUTBOUND;
+#ifdef IPSEC_DIR_FWD
                case POLICY_FWD:
                        return IPSEC_DIR_FWD;
+#endif
                default:
                        return dir;
        }
 }
 
+#ifdef SADB_X_MIGRATE
 /**
  * convert the policy direction in ipsec.h to the general one.
  */
@@ -432,12 +483,16 @@ static policy_dir_t kernel2dir(u_int8_t  dir)
                        return POLICY_IN;
                case IPSEC_DIR_OUTBOUND:
                        return POLICY_OUT;
+#ifdef IPSEC_DIR_FWD
                case IPSEC_DIR_FWD:
                        return POLICY_FWD;
+#endif
                default:
                        return dir;
        }
 }
+#endif /*SADB_X_MIGRATE*/
+
 typedef struct kernel_algorithm_t kernel_algorithm_t;
 
 /**
@@ -461,32 +516,32 @@ struct kernel_algorithm_t {
  * Algorithms for encryption
  */
 static kernel_algorithm_t encryption_algs[] = {
-/*     {ENCR_DES_IV64,                         0                                                       }, */
-       {ENCR_DES,                                      SADB_EALG_DESCBC                        },
-       {ENCR_3DES,                             SADB_EALG_3DESCBC                       },
-/*     {ENCR_RC5,                                      0                                                       }, */
-/*     {ENCR_IDEA,                             0                                                       }, */
-       {ENCR_CAST,                             SADB_X_EALG_CASTCBC                     },
-       {ENCR_BLOWFISH,                         SADB_X_EALG_BLOWFISHCBC         },
-/*     {ENCR_3IDEA,                            0                                                       }, */
-/*     {ENCR_DES_IV32,                         0                                                       }, */
-       {ENCR_NULL,                             SADB_EALG_NULL                          },
-       {ENCR_AES_CBC,                          SADB_X_EALG_AESCBC                      },
-/*     {ENCR_AES_CTR,                          SADB_X_EALG_AESCTR                      }, */
+/*     {ENCR_DES_IV64,                         0                                                       }, */
+       {ENCR_DES,                                      SADB_EALG_DESCBC                        },
+       {ENCR_3DES,                                     SADB_EALG_3DESCBC                       },
+/*     {ENCR_RC5,                                      0                                                       }, */
+/*     {ENCR_IDEA,                                     0                                                       }, */
+       {ENCR_CAST,                                     SADB_X_EALG_CASTCBC                     },
+       {ENCR_BLOWFISH,                         SADB_X_EALG_BLOWFISHCBC         },
+/*     {ENCR_3IDEA,                            0                                                       }, */
+/*     {ENCR_DES_IV32,                         0                                                       }, */
+       {ENCR_NULL,                                     SADB_EALG_NULL                          },
+       {ENCR_AES_CBC,                          SADB_X_EALG_AESCBC                      },
+/*     {ENCR_AES_CTR,                          SADB_X_EALG_AESCTR                      }, */
 /*  {ENCR_AES_CCM_ICV8,                        SADB_X_EALG_AES_CCM_ICV8        }, */
 /*     {ENCR_AES_CCM_ICV12,            SADB_X_EALG_AES_CCM_ICV12       }, */
 /*     {ENCR_AES_CCM_ICV16,            SADB_X_EALG_AES_CCM_ICV16       }, */
 /*     {ENCR_AES_GCM_ICV8,                     SADB_X_EALG_AES_GCM_ICV8        }, */
 /*     {ENCR_AES_GCM_ICV12,            SADB_X_EALG_AES_GCM_ICV12       }, */
 /*     {ENCR_AES_GCM_ICV16,            SADB_X_EALG_AES_GCM_ICV16       }, */
-       {END_OF_LIST,                           0                                                       },
+       {END_OF_LIST,                           0                                                       },
 };
 
 /**
  * Algorithms for integrity protection
  */
 static kernel_algorithm_t integrity_algs[] = {
-       {AUTH_HMAC_MD5_96,                      SADB_AALG_MD5HMAC                       },
+       {AUTH_HMAC_MD5_96,                      SADB_AALG_MD5HMAC                       },
        {AUTH_HMAC_SHA1_96,                     SADB_AALG_SHA1HMAC                      },
        {AUTH_HMAC_SHA2_256_128,        SADB_X_AALG_SHA2_256HMAC        },
        {AUTH_HMAC_SHA2_384_192,        SADB_X_AALG_SHA2_384HMAC        },
@@ -494,7 +549,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /*     {AUTH_DES_MAC,                          0,                                                      }, */
 /*     {AUTH_KPDK_MD5,                         0,                                                      }, */
        {AUTH_AES_XCBC_96,                      SADB_X_AALG_AES_XCBC_MAC,       },
-       {END_OF_LIST,                           0,                                                      },
+       {END_OF_LIST,                           0,                                                      },
 };
 
 #if 0
@@ -502,11 +557,11 @@ static kernel_algorithm_t integrity_algs[] = {
  * Algorithms for IPComp, unused yet
  */
 static kernel_algorithm_t compression_algs[] = {
-/*     {IPCOMP_OUI,                            0                                                       }, */
+/*     {IPCOMP_OUI,                            0                                                       }, */
        {IPCOMP_DEFLATE,                        SADB_X_CALG_DEFLATE                     },
        {IPCOMP_LZS,                            SADB_X_CALG_LZS                         },
        {IPCOMP_LZJH,                           SADB_X_CALG_LZJH                        },
-       {END_OF_LIST,                           0                                                       },
+       {END_OF_LIST,                           0                                                       },
 };
 #endif
 
@@ -533,8 +588,11 @@ static void host2ext(host_t *host, struct sadb_address *ext)
 {
        sockaddr_t *host_addr = host->get_sockaddr(host);
        socklen_t *len = host->get_sockaddr_len(host);
-       memcpy((char*)(ext + 1), host_addr, *len);
-       ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+       host_addr->sa_len = *len;
+#endif
+       memcpy((char*)(ext + 1), host_addr, *len);
+       ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
 }
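Review bot: The new `host_addr->sa_len = *len;` writes through the pointer that host->get_sockaddr() returned, and since `len` is likewise a pointer into the host this looks like the host_t's internal sockaddr, so a conversion helper now mutates the host object as a side effect of building a PF_KEY extension. It is harmless if sa_len always equals the stored length, but it is easy to miss from the call sites; either document it, `/* NOTE: sets sa_len on the host's own sockaddr, not on a copy */`, or set it on the copy after the memcpy, `((sockaddr_t*)(ext + 1))->sa_len = *len;`, which leaves the host untouched.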
 
 /**
@@ -562,10 +620,14 @@ static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
        addr->sadb_address_exttype = type;
        sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
        saddr->sa_family = family;
-       addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+       saddr->sa_len = len;
+#endif
+       addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
        PFKEY_EXT_ADD(msg, addr);
 }
 
+#ifdef HAVE_NATT
 /**
  * add udp encap extensions to a sadb_msg
  */
@@ -592,6 +654,7 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
        nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
        PFKEY_EXT_ADD(msg, nat_port);
 }
+#endif /*HAVE_NATT*/
 
 /**
  * Convert a sadb_address to a traffic_selector
@@ -606,7 +669,7 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
      */
        host = host_create_from_sockaddr((sockaddr_t*)&address[1])      ;
        ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
-                               address->sadb_address_proto, host->get_port(host));
+                               address->sadb_address_proto, host->get_port(host));
        return ts;
 }
 
@@ -645,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
                
                if (out->ext[ext->sadb_ext_type])
                {
-                       DBG1(DBG_KNL, "duplicate %N extension",                 
+                       DBG1(DBG_KNL, "duplicate %N extension",
                                                   sadb_ext_type_names, ext->sadb_ext_type);
                        break;
                }
@@ -699,7 +762,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
        }
        
        while (TRUE)
-       {       
+       {
                msg = (struct sadb_msg*)buf;
                
                len = recv(socket, buf, sizeof(buf), 0);
@@ -757,7 +820,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
        *out_len = len;
        *out = (struct sadb_msg*)malloc(len);
        memcpy(*out, buf, len);
-               
+       
        this->mutex_pfkey->unlock(this->mutex_pfkey);
        
        return SUCCESS;
@@ -868,8 +931,9 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        charon->processor->queue_job(charon->processor, job);
 }
 
+#ifdef SADB_X_MIGRATE
 /**
- * Process a SADB_MIGRATE message from the kernel
+ * Process a SADB_X_MIGRATE message from the kernel
  */
 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
 {
@@ -893,7 +957,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
                                         policy_dir_names, dir);
        
-       /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */   
+       /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
        if (response.x_kmaddress)
        {
                sockaddr_t *local_addr, *remote_addr;
@@ -924,7 +988,9 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
                DESTROY_IF(remote);
        }
 }
+#endif /*SADB_X_MIGRATE*/
 
+#ifdef HAVE_NATT
 /**
  * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
  */
@@ -980,6 +1046,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
                }
        }
 }
+#endif /*HAVE_NATT*/
 
 /**
  * Receives events from kernel
@@ -991,7 +1058,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
        int len, oldstate;
        
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-       len = recv(this->socket_events, buf, sizeof(buf), 0);
+       len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
        pthread_setcancelstate(oldstate, NULL);
        
        if (len < 0)
@@ -1035,12 +1102,16 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
                case SADB_EXPIRE:
                        process_expire(this, msg);
                        break;
+#ifdef SADB_X_MIGRATE
                case SADB_X_MIGRATE:
                        process_migrate(this, msg);
                        break;
+#endif /*SADB_X_MIGRATE*/
+#ifdef HAVE_NATT
                case SADB_X_NAT_T_NEW_MAPPING:
                        process_mapping(this, msg);
                        break;
+#endif /*HAVE_NATT*/
                default:
                        break;
        }
@@ -1051,8 +1122,8 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 /**
  * Implementation of kernel_interface_t.get_spi.
  */
-static status_t get_spi(private_kernel_pfkey_ipsec_t *this, 
-                                               host_t *src, host_t *dst, 
+static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
+                                               host_t *src, host_t *dst,
                                                protocol_id_t protocol, u_int32_t reqid,
                                                u_int32_t *spi)
 {
@@ -1099,7 +1170,7 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
                {
                        received_spi = response.sa->sadb_sa_spi;
                }
-               free(out);      
+               free(out);
        }
        
        if (received_spi == 0)
@@ -1114,8 +1185,8 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.get_cpi.
  */
-static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, 
-                                               host_t *src, host_t *dst, 
+static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
+                                               host_t *src, host_t *dst,
                                                u_int32_t reqid, u_int16_t *cpi)
 {
        return FAILED;
@@ -1226,11 +1297,13 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
        {
                /*TODO*/
        }
-       
+
+#ifdef HAVE_NATT
        if (encap)
        {
                add_encap_ext(msg, src, dst);
        }
+#endif /*HAVE_NATT*/
        
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
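Review bot: When HAVE_NATT is not defined, an `encap` request in add_sa is compiled away and the SA is installed without UDP encapsulation, with no error and no log line, so a CHILD_SA negotiated behind NAT would likely be installed in a form that cannot pass the NAT; the update_sa hunk below does the same with new_encap. Rather than dropping the request silently, an `#else` branch should report it, e.g. `#else`, `if (encap) { DBG1(DBG_KNL, "UDP encapsulation not supported by this platform's PF_KEY"); return FAILED; }`, `#endif`, or at least emit the DBG1 line. add_sa starts and ends outside the hunk.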
@@ -1346,11 +1419,13 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
        {
                PFKEY_EXT_COPY(msg, response.key_auth);
        }
-       
+
+#ifdef HAVE_NATT
        if (new_encap)
        {
                add_encap_ext(msg, new_src, new_dst);
        }
+#endif /*HAVE_NATT*/
        
        free(out);
        
@@ -1374,8 +1449,9 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
-                                          u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
+                                          host_t *dst, u_int32_t spi, protocol_id_t protocol,
+                                          u_int16_t cpi)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -1398,9 +1474,8 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
        sa->sadb_sa_spi = spi;
        PFKEY_EXT_ADD(msg, sa);
        
-       /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
-        * it is not used for anything. */
-       add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+       /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */
+       add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
        
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
@@ -1424,7 +1499,7 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
 /**
  * Implementation of kernel_interface_t.add_policy.
  */
-static status_t add_policy(private_kernel_pfkey_ipsec_t *this, 
+static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                                                   host_t *src, host_t *dst,
                                                   traffic_selector_t *src_ts,
                                                   traffic_selector_t *dst_ts,
@@ -1463,7 +1538,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                this->policies->insert_last(this->policies, policy);
                policy->refcount = 1;
        }
-               
+       
        memset(&request, 0, sizeof(request));
        
        DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
@@ -1480,12 +1555,14 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
        pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
        pol->sadb_x_policy_id = 0;
        pol->sadb_x_policy_dir = dir2kernel(direction);
+       pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
        /* calculate priority based on source selector size, small size = high prio */
        pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
        pol->sadb_x_policy_priority -= policy->src.mask * 10;
        pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
        pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
-       pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#endif
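Review bot: Under the new HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY guard, the `routed` argument and the selector-size ranking no longer affect anything on platforms without the priority field, so which of two overlapping policies (a routed one and a negotiated one) wins is left to that platform's kernel, with no hint in the code that the PRIO_LOW/PRIO_HIGH scheme is absent there. That may be unavoidable, but it deserves an `#else` comment so the difference is documented, e.g. `/* no policy priority on this platform: the routed/selector-size ranking above is unavailable */`. add_policy continues outside the hunk.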
        
        /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
        req = (struct sadb_x_ipsecrequest*)(pol + 1);
@@ -1599,9 +1676,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                {
                        free(route);
                }
-       }       
+       }
        
-       this->mutex->unlock(this->mutex);       
+       this->mutex->unlock(this->mutex);
        
        return SUCCESS;
 }
@@ -1610,7 +1687,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
  * Implementation of kernel_interface_t.query_policy.
  */
 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
-                                                        traffic_selector_t *src_ts, 
+                                                        traffic_selector_t *src_ts,
                                                         traffic_selector_t *dst_ts,
                                                         policy_dir_t direction, u_int32_t *use_time)
 {
@@ -1689,7 +1766,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
        *use_time = response.lft_current->sadb_lifetime_usetime;
        
        free(out);
-                       
+       
        return SUCCESS;
 }
 
@@ -1697,7 +1774,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
  * Implementation of kernel_interface_t.del_policy.
  */
 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
-                                                  traffic_selector_t *src_ts, 
+                                                  traffic_selector_t *src_ts,
                                                   traffic_selector_t *dst_ts,
                                                   policy_dir_t direction, bool unrouted)
 {
@@ -1722,7 +1799,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                if (--found->refcount > 0)
                {
                        /* is used by more SAs, keep in kernel */
-                       DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");    
+                       DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
                        policy_entry_destroy(policy);
                        this->mutex->unlock(this->mutex);
                        return SUCCESS;
@@ -1741,7 +1818,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                return NOT_FOUND;
        }
        this->mutex->unlock(this->mutex);
-               
+       
        memset(&request, 0, sizeof(request));
        
        msg = (struct sadb_msg*)request;
@@ -1791,7 +1868,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                        DBG1(DBG_KNL, "error uninstalling route installed with "
                                                  "policy %R === %R %N", src_ts, dst_ts,
                                                   policy_dir_names, direction);
-               }               
+               }
                route_entry_destroy(route);
        }
        
@@ -1863,22 +1940,26 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
                switch (family)
                {
                        case AF_INET:
+                       {
                                sol = SOL_IP;
                                ipsec_policy = IP_IPSEC_POLICY;
                                break;
+                       }
                        case AF_INET6:
                        {
                                sol = SOL_IPV6;
                                ipsec_policy = IPV6_IPSEC_POLICY;
                                break;
                        }
+                       default:
+                               continue;
                }
                
                memset(&policy, 0, sizeof(policy));
                policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
                policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
                policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-       
+               
                policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
                if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
                {
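Review bot: The new `default: continue;` in `switch (family)` continues the enclosing loop rather than the switch, which is presumably the intent (skip address families the bypass code does not handle), but whether anything acquired earlier in the loop body — the `fd` the two `setsockopt` calls use, if this function opens it per iteration — is then left open cannot be seen from the hunk, since the loop header and the start of add_bypass_policies are outside it. If `fd` is opened per iteration the default branch needs to close it before continuing; if it comes from an enumerator, a comment such as `/* skips this loop iteration, not just the switch */` on the `continue` would spare the next reader the same question.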
@@ -1890,7 +1971,7 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
                policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
                if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
                {
-                       DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", 
+                       DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
                                 strerror(errno));
                        status = FALSE;
                        break;
@@ -1912,7 +1993,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
        this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
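Review bot: The updated cast on `this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;` adds the second host_t* to match the changed kernel_ipsec_t.del_sa signature, but because every assignment here goes through an explicit function-pointer cast the compiler will not report it if this file's own del_sa definition (outside the hunk) was not given the new `src` parameter, and calls through the interface would then silently pass shifted arguments. Worth confirming that the pfkey del_sa definition was updated in the same commit, as the load_tester del_sa visibly was; kernel_pfkey_ipsec_create starts before this hunk.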
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am
new file mode 100644 (file)
index 0000000..3ad445c
--- /dev/null
@@ -0,0 +1,10 @@
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+
+libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+       kernel_pfroute_net.h kernel_pfroute_net.c
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
new file mode 100644 (file)
index 0000000..7805b63
--- /dev/null
@@ -0,0 +1,715 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <ifaddrs.h>
+#include <net/route.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <errno.h>
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <utils/mutex.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/roam_job.h>
+
+#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
+#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
+#endif
+
+/** delay before firing roam jobs (ms) */
+#define ROAM_DELAY 100
+
+/** buffer size for PF_ROUTE messages */
+#define PFROUTE_BUFFER_SIZE 4096
+
+typedef struct addr_entry_t addr_entry_t;
+
+/**
+ * IP address in an inface_entry_t
+ */
+struct addr_entry_t {
+       
+       /** The ip address */
+       host_t *ip;
+       
+       /** virtual IP managed by us */
+       bool virtual;
+       
+       /** Number of times this IP is used, if virtual */
+       u_int refcount;
+};
+
+/**
+ * destroy a addr_entry_t object
+ */
+static void addr_entry_destroy(addr_entry_t *this)
+{
+       this->ip->destroy(this->ip);
+       free(this);
+}
+
+typedef struct iface_entry_t iface_entry_t;
+
+/**
+ * A network interface on this system, containing addr_entry_t's
+ */
+struct iface_entry_t {
+       
+       /** interface index */
+       int ifindex;
+       
+       /** name of the interface */
+       char ifname[IFNAMSIZ];
+       
+       /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+       u_int flags;
+       
+       /** list of addresses as host_t */
+       linked_list_t *addrs;
+};
+
+/**
+ * destroy an interface entry
+ */
+static void iface_entry_destroy(iface_entry_t *this)
+{
+       this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
+       free(this);
+}
+
+
+typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
+
+/**
+ * Private variables and functions of kernel_pfroute class.
+ */
+struct private_kernel_pfroute_net_t
+{
+       /**
+        * Public part of the kernel_pfroute_t object.
+        */
+       kernel_pfroute_net_t public;
+       
+       /**
+        * mutex to lock access to various lists
+        */
+       mutex_t *mutex;
+       
+       /**
+        * Cached list of interfaces and their addresses (iface_entry_t)
+        */
+       linked_list_t *ifaces;
+       
+       /**
+        * job receiving PF_ROUTE events
+        */
+       callback_job_t *job;
+       
+       /**
+        * mutex to lock access to the PF_ROUTE socket
+        */
+       mutex_t *mutex_pfroute;
+       
+       /**
+        * PF_ROUTE socket to communicate with the kernel
+        */
+       int socket;
+       
+       /**
+        * PF_ROUTE socket to receive events
+        */
+       int socket_events;
+       
+       /**
+        * sequence number for messages sent to the kernel
+        */
+       int seq;
+       
+       /**
+        * time of last roam job
+        */
+       struct timeval last_roam;
+};
+
+/**
+ * Start a roaming job. We delay it a bit and fire only one job
+ * for multiple events. Otherwise we would create too many jobs.
+ */
+static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
+{
+       struct timeval now;
+       
+       if (gettimeofday(&now, NULL) == 0)
+       {
+               if (timercmp(&now, &this->last_roam, >))
+               {
+                       now.tv_usec += ROAM_DELAY * 1000;
+                       while (now.tv_usec > 1000000)
+                       {
+                               now.tv_sec++;
+                               now.tv_usec -= 1000000;
+                       }
+                       this->last_roam = now;
+                       charon->scheduler->schedule_job_ms(charon->scheduler,
+                               (job_t*)roam_job_create(address), ROAM_DELAY);
+               }
+       }
+}
+
+/**
+ * Process an RTM_*ADDR message from the kernel
+ */
+static void process_addr(private_kernel_pfroute_net_t *this,
+                                                struct rt_msghdr *msg)
+{
+       struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
+       sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
+       host_t *host = NULL;
+       enumerator_t *ifaces, *addrs;
+       iface_entry_t *iface;
+       addr_entry_t *addr;
+       bool found = FALSE, changed = FALSE, roam = FALSE;
+       int i;
+       
+       for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
+       {
+               if (ifa->ifam_addrs & i)
+               {
+                       if (RTA_IFA & i)
+                       {
+                               host = host_create_from_sockaddr(sockaddr);
+                               break;
+                       }
+                       sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
+               }
+       }
+       
+       if (!host)
+       {
+               return;
+       }
+       
+       this->mutex->lock(this->mutex);
+       ifaces = this->ifaces->create_enumerator(this->ifaces);
+       while (ifaces->enumerate(ifaces, &iface))
+       {
+               if (iface->ifindex == ifa->ifam_index)
+               {
+                       addrs = iface->addrs->create_enumerator(iface->addrs);
+                       while (addrs->enumerate(addrs, &addr))
+                       {
+                               if (host->ip_equals(host, addr->ip))
+                               {
+                                       found = TRUE;
+                                       if (ifa->ifam_type == RTM_DELADDR)
+                                       {
+                                               iface->addrs->remove_at(iface->addrs, addrs);
+                                               if (!addr->virtual)
+                                               {
+                                                       changed = TRUE;
+                                                       DBG1(DBG_KNL, "%H disappeared from %s",
+                                                                host, iface->ifname);
+                                               }
+                                               addr_entry_destroy(addr);
+                                       }
+                                       else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
+                                       {
+                                               addr->refcount = 1;
+                                       }
+                               }
+                       }
+                       addrs->destroy(addrs);
+                       
+                       if (!found && ifa->ifam_type == RTM_NEWADDR)
+                       {
+                               changed = TRUE;
+                               addr = malloc_thing(addr_entry_t);
+                               addr->ip = host->clone(host);
+                               addr->virtual = FALSE;
+                               addr->refcount = 1;
+                               iface->addrs->insert_last(iface->addrs, addr);
+                               DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+                       }
+                       
+                       if (changed && (iface->flags & IFF_UP))
+                       {
+                               roam = TRUE;
+                       }
+                       break;
+               }
+       }
+       ifaces->destroy(ifaces);
+       this->mutex->unlock(this->mutex);
+       host->destroy(host);
+       
+       if (roam)
+       {
+               fire_roam_job(this, TRUE);
+       }
+}
+
+/**
+ * Process an RTM_IFINFO message from the kernel
+ */
+static void process_link(private_kernel_pfroute_net_t *this,
+                                                struct rt_msghdr *hdr)
+{
+       struct if_msghdr *msg = (struct if_msghdr*)hdr;
+       enumerator_t *enumerator;
+       iface_entry_t *iface;
+       bool roam = FALSE;
+       
+       if (msg->ifm_flags & IFF_LOOPBACK)
+       {       /* ignore loopback interfaces */
+               return;
+       }
+       
+       this->mutex->lock(this->mutex);
+       enumerator = this->ifaces->create_enumerator(this->ifaces);
+       while (enumerator->enumerate(enumerator, &iface))
+       {
+               if (iface->ifindex == msg->ifm_index)
+               {
+                       if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
+                       {
+                               roam = TRUE;
+                               DBG1(DBG_KNL, "interface %s activated", iface->ifname);
+                       }
+                       else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
+                       {
+                               roam = TRUE;
+                               DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
+                       }
+                       iface->flags = msg->ifm_flags;
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->mutex->unlock(this->mutex);
+       
+       if (roam)
+       {
+               fire_roam_job(this, TRUE);
+       }
+}
+
+/**
+ * Process an RTM_*ROUTE message from the kernel
+ */
+static void process_route(private_kernel_pfroute_net_t *this,
+                                                 struct rt_msghdr *msg)
+{
+
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
+{
+       unsigned char buf[PFROUTE_BUFFER_SIZE];
+       struct rt_msghdr *msg = (struct rt_msghdr*)buf;
+       int len, oldstate;
+       
+       pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+       len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
+       pthread_setcancelstate(oldstate, NULL);
+       
+       if (len < 0)
+       {
+               switch (errno)
+               {
+                       case EINTR:
+                               /* interrupted, try again */
+                               return JOB_REQUEUE_DIRECT;
+                       case EAGAIN:
+                               /* no data ready, select again */
+                               return JOB_REQUEUE_DIRECT;
+                       default:
+                               DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
+                               sleep(1);
+                               return JOB_REQUEUE_FAIR;
+               }
+       }
+       
+       if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
+               msg->rtm_version != RTM_VERSION)
+       {
+               DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
+               return JOB_REQUEUE_DIRECT;
+       }
+       
+       switch (msg->rtm_type)
+       {
+               case RTM_NEWADDR:
+               case RTM_DELADDR:
+                       process_addr(this, msg);
+                       break;
+               case RTM_IFINFO:
+               /*case RTM_IFANNOUNCE <- what about this*/
+                       process_link(this, msg);
+                       break;
+               case RTM_ADD:
+               case RTM_DELETE:
+                       process_route(this, msg);
+               default:
+                       break;
+       }
+       
+       return JOB_REQUEUE_DIRECT;
+}
+
+
+/** enumerator over addresses */
+typedef struct {
+       private_kernel_pfroute_net_t* this;
+       /** whether to enumerate down interfaces */
+       bool include_down_ifaces;
+       /** whether to enumerate virtual ip addresses */
+       bool include_virtual_ips;
+} address_enumerator_t;
+
+/**
+ * cleanup function for address enumerator
+ */
+static void address_enumerator_destroy(address_enumerator_t *data)
+{
+       data->this->mutex->unlock(data->this->mutex);
+       free(data);
+}
+
+/**
+ * filter for addresses
+ */
+static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+{
+       host_t *ip;
+       if (!data->include_virtual_ips && (*in)->virtual)
+       {   /* skip virtual interfaces added by us */
+               return FALSE;
+       }
+       ip = (*in)->ip;
+       if (ip->get_family(ip) == AF_INET6)
+       {
+               struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip);
+               if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+               {   /* skip addresses with a unusable scope */
+                       return FALSE;
+               }
+       }
+       *out = ip;
+       return TRUE;
+}
+
+/**
+ * enumerator constructor for interfaces
+ */
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+{
+       return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+                                                                       (void*)filter_addresses, data, NULL);
+}
+
+/**
+ * filter for interfaces
+ */
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+{
+       if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+       {   /* skip interfaces not up */
+               return FALSE;
+       }
+       *out = *in;
+       return TRUE;
+}
+
+/**
+ * implementation of kernel_net_t.create_address_enumerator
+ */
+static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this,
+               bool include_down_ifaces, bool include_virtual_ips)
+{
+       address_enumerator_t *data = malloc_thing(address_enumerator_t);
+       data->this = this;
+       data->include_down_ifaces = include_down_ifaces;
+       data->include_virtual_ips = include_virtual_ips;
+
+       this->mutex->lock(this->mutex);
+       return enumerator_create_nested(
+                               enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
+                                               (void*)filter_interfaces, data, NULL),
+                               (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+}
+
+/**
+ * implementation of kernel_net_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
+{
+       enumerator_t *ifaces, *addrs;
+       iface_entry_t *iface;
+       addr_entry_t *addr;
+       char *name = NULL;
+
+       DBG2(DBG_KNL, "getting interface name for %H", ip);
+
+       this->mutex->lock(this->mutex);
+       ifaces = this->ifaces->create_enumerator(this->ifaces);
+       while (ifaces->enumerate(ifaces, &iface))
+       {
+               addrs = iface->addrs->create_enumerator(iface->addrs);
+               while (addrs->enumerate(addrs, &addr))
+               {
+                       if (ip->ip_equals(ip, addr->ip))
+                       {
+                               name = strdup(iface->ifname);
+                               break;
+                       }
+               }
+               addrs->destroy(addrs);
+               if (name)
+               {
+                       break;
+               }
+       }
+       ifaces->destroy(ifaces);
+       this->mutex->unlock(this->mutex);
+       
+       if (name)
+       {
+               DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+       }
+       else
+       {
+               DBG2(DBG_KNL, "%H is not a local address", ip);
+       }
+       return name;
+}
+
+/**
+ * Implementation of kernel_net_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_pfroute_net_t *this,
+                                                          host_t *dest, host_t *src)
+{
+       return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.get_nexthop.
+ */
+static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest)
+{
+       return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.add_ip.
+ */
+static status_t add_ip(private_kernel_pfroute_net_t *this,
+                                               host_t *virtual_ip, host_t *iface_ip)
+{
+       return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_ip.
+ */
+static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+{
+       return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.add_route.
+ */
+static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+               u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+       return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_route.
+ */
+static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+               u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+       return FAILED;
+}
+
+/**
+ * Initialize a list of local addresses.
+ */
+static status_t init_address_list(private_kernel_pfroute_net_t *this)
+{
+       struct ifaddrs *ifap, *ifa;
+       iface_entry_t *iface, *current;
+       addr_entry_t *addr;
+       enumerator_t *ifaces, *addrs;
+       
+       DBG1(DBG_KNL, "listening on interfaces:");
+       
+       if (getifaddrs(&ifap) < 0)
+       {
+               DBG1(DBG_KNL, "  failed to get interfaces!");
+               return FAILED;
+       }
+       
+       for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
+       {
+               if (ifa->ifa_addr == NULL)
+               {
+                       continue;
+               }
+               switch(ifa->ifa_addr->sa_family)
+               {
+                       case AF_LINK:
+                       case AF_INET:
+                       case AF_INET6:
+                       {
+                               if (ifa->ifa_flags & IFF_LOOPBACK)
+                               {       /* ignore loopback interfaces */
+                                       continue;
+                               }
+                               
+                               iface = NULL;
+                               ifaces = this->ifaces->create_enumerator(this->ifaces);
+                               while (ifaces->enumerate(ifaces, &current))
+                               {
+                                       if (streq(current->ifname, ifa->ifa_name))
+                                       {
+                                               iface = current;
+                                               break;
+                                       }
+                               }
+                               ifaces->destroy(ifaces);
+                               
+                               if (!iface)
+                               {
+                                       iface = malloc_thing(iface_entry_t);
+                                       memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
+                                       iface->ifindex = if_nametoindex(ifa->ifa_name);
+                                       iface->flags = ifa->ifa_flags;
+                                       iface->addrs = linked_list_create();
+                                       this->ifaces->insert_last(this->ifaces, iface);
+                               }
+                               
+                               if (ifa->ifa_addr->sa_family != AF_LINK)
+                               {
+                                       addr = malloc_thing(addr_entry_t);
+                                       addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
+                                       addr->virtual = FALSE;
+                                       addr->refcount = 1;
+                                       iface->addrs->insert_last(iface->addrs, addr);
+                               }
+                       }
+               }
+       }
+       freeifaddrs(ifap);
+       
+       ifaces = this->ifaces->create_enumerator(this->ifaces);
+       while (ifaces->enumerate(ifaces, &iface))
+       {
+               if (iface->flags & IFF_UP)
+               {
+                       DBG1(DBG_KNL, "  %s", iface->ifname);
+                       addrs = iface->addrs->create_enumerator(iface->addrs);
+                       while (addrs->enumerate(addrs, (void**)&addr))
+                       {
+                               DBG1(DBG_KNL, "    %H", addr->ip);
+                       }
+                       addrs->destroy(addrs);
+               }
+       }
+       ifaces->destroy(ifaces);
+       
+       return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_netlink_net_t.destroy.
+ */
+static void destroy(private_kernel_pfroute_net_t *this)
+{
+       this->job->cancel(this->job);
+       close(this->socket);
+       close(this->socket_events);
+       this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+       this->mutex->destroy(this->mutex);
+       this->mutex_pfroute->destroy(this->mutex_pfroute);
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create()
+{
+       private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
+       
+       /* public functions */
+       this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
+       this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
+       this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
+       this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
+       this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
+       this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
+       this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+       this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
+       
+       this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
+       
+       /* private members */
+       this->ifaces = linked_list_create();
+       this->mutex = mutex_create(MUTEX_DEFAULT);
+       this->mutex_pfroute = mutex_create(MUTEX_DEFAULT);
+       
+       this->seq = 0;
+       
+       /* create a PF_ROUTE socket to communicate with the kernel */
+       this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+       if (this->socket <= 0)
+       {
+               charon->kill(charon, "unable to create PF_ROUTE socket");
+       }
+       
+       /* create a PF_ROUTE socket to receive events */
+       this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+       if (this->socket_events <= 0)
+       {
+               charon->kill(charon, "unable to create PF_ROUTE event socket");
+       }
+       
+       this->job = callback_job_create((callback_job_cb_t)receive_events,
+                                                                       this, NULL, NULL);
+       charon->processor->queue_job(charon->processor, (job_t*)this->job);
+       
+       if (init_address_list(this) != SUCCESS)
+       {
+               charon->kill(charon, "unable to get interface list");
+       }
+       
+       return &this->public;
+}
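Review bot: process_addr walks the sockaddrs that follow the `ifa_msghdr` using only each `sockaddr->sa_len` as the stride, and the only length validation is receive_events' `len < msg->rtm_msglen` and version check, so a message whose `rtm_msglen` is smaller than `sizeof(struct ifa_msghdr)` or whose sa_len values run past it is parsed from stale bytes of `buf` instead of being rejected; bounding the walk by `rtm_msglen` (below) and treating `msg->rtm_msglen < sizeof(struct ifa_msghdr)` as corrupted in receive_events keeps the parser inside the data actually received. Whether the platform pads each sockaddr to an alignment boundary after `sa_len` is not visible here and should be confirmed against route(4), since an unpadded stride would land between entries. Separately, `memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);` in init_address_list reads `IFNAMSIZ` bytes from a string getifaddrs allocated at its own length, so it over-reads whenever the name is shorter; `snprintf(iface->ifname, sizeof(iface->ifname), "%s", ifa->ifa_name);` copies only the string and guarantees termination. In kernel_pfroute_net_create, `if (this->socket <= 0)` (and the same test on `socket_events`) treats descriptor 0 as a failure although socket() signals failure with -1, so `< 0` is the intended test.
```c
static void process_addr(private_kernel_pfroute_net_t *this,
						 struct rt_msghdr *msg)
{
	struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
	sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
	char *end = (char*)msg + msg->rtm_msglen;
	/* … unchanged: remaining local declarations … */

	for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
	{
		if (ifa->ifam_addrs & i)
		{
			/* never read a sockaddr, or its sa_len, beyond the received message */
			if ((char*)sockaddr + sizeof(sockaddr->sa_len) > end ||
				(char*)sockaddr + sockaddr->sa_len > end)
			{
				DBG2(DBG_KNL, "ignoring truncated RTM_*ADDR message");
				return;
			}
			if (RTA_IFA & i)
			{
				host = host_create_from_sockaddr(sockaddr);
				break;
			}
			sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
		}
	}
	/* … unchanged: interface lookup, address bookkeeping and roam handling … */
```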
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
new file mode 100644 (file)
index 0000000..9138bef
--- /dev/null
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup kernel_pfroute_net_i kernel_pfroute_net
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_NET_H_
+#define KERNEL_PFROUTE_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_pfroute_net_t kernel_pfroute_net_t;
+
+/**
+ * Implementation of the kernel net interface using PF_ROUTE.
+ */
+struct kernel_pfroute_net_t {
+
+       /**
+        * Implements kernel_net_t interface
+        */
+       kernel_net_t interface;
+};
+
+/**
+ * Create a PF_ROUTE kernel net interface instance.
+ *
+ * @return                     kernel_pfroute_net_t instance
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create();
+
+#endif /** KERNEL_PFROUTE_NET_H_ @}*/
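Review bot: `kernel_pfroute_net_t *kernel_pfroute_net_create();` declares the function without a prototype, so a caller passing arguments gets no diagnostic; in C an empty parameter list should be spelled `(void)`: `kernel_pfroute_net_t *kernel_pfroute_net_create(void);`. The same applies to `plugin_t *plugin_create();` in kernel_pfroute_plugin.h and to the two definitions in the matching .c files. The existing pfkey plugin in this commit uses the same `()` form, so this may be a project-wide convention rather than something to change in this commit alone.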
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
new file mode 100644 (file)
index 0000000..a6d9528
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+
+#include "kernel_pfroute_plugin.h"
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
+
+/**
+ * private data of kernel PF_ROUTE plugin
+ */
+struct private_kernel_pfroute_plugin_t {
+       /**
+        * implements plugin interface
+        */
+       kernel_pfroute_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfroute_plugin_t *this)
+{
+       charon->kernel_interface->remove_net_interface(charon->kernel_interface,
+                                               (kernel_net_constructor_t)kernel_pfroute_net_create);
+       free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+       private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
+       
+       this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+       
+       charon->kernel_interface->add_net_interface(charon->kernel_interface,
+                                               (kernel_net_constructor_t)kernel_pfroute_net_create);
+       
+       return &this->public.plugin;
+}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
new file mode 100644 (file)
index 0000000..f8ae1a9
--- /dev/null
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup kernel_pfroute kernel_pfroute
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_PLUGIN_H_
+#define KERNEL_PFROUTE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t;
+
+/**
+ * PF_ROUTE kernel interface plugin
+ */
+struct kernel_pfroute_plugin_t {
+
+       /**
+        * implements plugin interface
+        */
+       plugin_t plugin;
+};
+
+/**
+ * Create a kernel_pfroute_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/
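Review bot: `plugin_t *plugin_create();` declares a function with an unspecified parameter list, so the compiler performs no argument checking at call sites; as the function takes no arguments, `plugin_t *plugin_create(void);` is the precise prototype. The definition in kernel_pfroute_plugin.c, visible near the top of this page in a hunk whose start is outside the view, uses the same empty list and should be changed to match.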
index 9abd65195c2adb47dcc54746d0a8518322d94855..66ebd07c49c1db6ed2b48dac5bad97fc96e2f2da 100644 (file)
@@ -88,8 +88,9 @@ static status_t update_sa(private_load_tester_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_load_tester_ipsec_t *this, host_t *dst,
-                                          u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src,
+                                          host_t *dst, u_int32_t spi, protocol_id_t protocol,
+                                          u_int16_t cpi)
 {
        return SUCCESS;
 }
@@ -152,7 +153,7 @@ load_tester_ipsec_t *load_tester_ipsec_create()
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
        this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
index 1e99f6990b6350eb8b8b18d3cc5fb3b7c37af740..2a49720469ab9b7a82c73502e480964ad99d7fa2 100644 (file)
@@ -96,7 +96,7 @@ static enumerator_t* create_private_enumerator(private_medcli_creds_t *this,
        if ((type != KEY_RSA && type != KEY_ANY) ||
                id == NULL || id->get_type(id) != ID_KEY_ID)
        {
-               DBG1(DBG_CFG, "%N - %D", key_type_names, type, id);
+               DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id);
                return NULL;
        }
        
index c76222f28b1e3dee2aaa531e7ebe5d20cee0700a..1eab8f2c0ff519b4409f6af3f0a777dafffd2e0e 100644 (file)
@@ -79,7 +79,7 @@ static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
        if (out)
        {
                addr = host_create_from_chunk(family, data, 0);
-               fprintf(out, "nameserver %H   # by strongSwan, from %D\n",
+               fprintf(out, "nameserver %H   # by strongSwan, from %Y\n",
                                addr, ike_sa->get_other_id(ike_sa));
                DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
                addr->destroy(addr);
@@ -140,7 +140,7 @@ static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
                {
                        addr = host_create_from_chunk(family, data, 0);
                        snprintf(matcher, sizeof(matcher),
-                                        "nameserver %H   # by strongSwan, from %D\n",
+                                        "nameserver %H   # by strongSwan, from %Y\n",
                                         addr, ike_sa->get_other_id(ike_sa));
                        
                        /* copy all, but matching line */
index 33a2bb4910a5ae957619e83400ce236fc721aed6..40eeefc745834921803824699ba1934c601f25ba 100644 (file)
@@ -109,7 +109,7 @@ static void write_id(xmlTextWriterPtr writer, char *element, identification_t *i
                                        break;
                        }
                        xmlTextWriterWriteAttribute(writer, "type", type);
-                       xmlTextWriterWriteFormatString(writer, "%D", id);
+                       xmlTextWriterWriteFormatString(writer, "%Y", id);
                        break;
                }
                default:
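Review bot: `%Y` is a strongSwan-private conversion specifier, and `xmlTextWriterWriteFormatString` formats its arguments inside libxml2 rather than through charon's own printf wrappers, so whether the `%Y` hook is honoured here depends on the printf-hook backend in use; it presumably works only when the hook is registered with the C library's printf, which the portability work no longer seems to assume. The safer form renders the identity with strongSwan's formatter first and hands libxml2 a finished string, e.g. `snprintf(buf, sizeof(buf), "%Y", id);` followed by `xmlTextWriterWriteString(writer, buf);`. The replaced `%D` line had the same dependency, so this is not a regression of the rename, only a point it makes worth re-checking. write_id's body continues outside the hunk.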
index a1c67c69192cd73094b3a6d7c8985ef0cfb626e0..28cd038c948ea9e7e8e0c7845f91216b7c95f785 100644 (file)
@@ -562,7 +562,7 @@ static void leases(char *filter, bool utc)
                                printf("    ");
                        }
                }
-               printf("%D\n", identity);
+               printf("%Y\n", identity);
                DESTROY_IF(address);
                identity->destroy(identity);
        }
index a3beb3a6248a7ab78992b07bae46d401d8e71930..56237694e1a19df57ea81a19e30c9ea965977727 100644 (file)
@@ -223,7 +223,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                        id = pool->ids->get(pool->ids, id);
                        if (id)
                        {
-                               DBG1(DBG_CFG, "reassigning offline lease to %D", id);
+                               DBG1(DBG_CFG, "reassigning offline lease to %Y", id);
                                pool->online->put(pool->online, id, (void*)offset);
                                break;
                        }
@@ -233,7 +233,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                offset = (uintptr_t)pool->online->get(pool->online, id);
                if (offset && offset == host2offset(pool, requested))
                {
-                       DBG1(DBG_CFG, "reassigning online lease to %D", id);
+                       DBG1(DBG_CFG, "reassigning online lease to %Y", id);
                        break;
                }
                
@@ -245,7 +245,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                        id = id->clone(id);
                        pool->ids->put(pool->ids, id, id);
                        pool->online->put(pool->online, id, (void*)offset);
-                       DBG1(DBG_CFG, "assigning new lease to %D", id);
+                       DBG1(DBG_CFG, "assigning new lease to %Y", id);
                        break;
                }
                /* no more addresses, replace the first found offline lease */
@@ -257,7 +257,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                        {
                                /* destroy reference to old ID */
                                old_id = pool->ids->remove(pool->ids, old_id);
-                               DBG1(DBG_CFG, "reassigning existing offline lease of %D to %D",
+                               DBG1(DBG_CFG, "reassigning existing offline lease of %Y to %Y",
                                         old_id, id);
                                if (old_id)
                                {
@@ -305,7 +305,7 @@ static bool release_address(private_stroke_attribute_t *this,
                                id = pool->ids->get(pool->ids, id);
                                if (id)
                                {
-                                       DBG1(DBG_CFG, "lease %H of %D went offline", address, id);
+                                       DBG1(DBG_CFG, "lease %H of %Y went offline", address, id);
                                        pool->offline->put(pool->offline, id, (void*)offset);
                                        found = TRUE;
                                }
index 54356436fbd05a169b85c40a4909417c71f7f707..dffa8e235d819a147cc38e8886b66b09ccf46412 100644 (file)
@@ -398,14 +398,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
                        first = FALSE;
                }
                fprintf(out, "\n");
-               fprintf(out, "  authname:    \"%D\"\n", cert->get_subject(cert));
+               fprintf(out, "  authname:    \"%Y\"\n", cert->get_subject(cert));
 
                /* list authkey and keyid */
                if (public)
                {
-                       fprintf(out, "  authkey:      %D\n",
+                       fprintf(out, "  authkey:      %Y\n",
                                        public->get_id(public, ID_PUBKEY_SHA1));
-                       fprintf(out, "  keyid:        %D\n",
+                       fprintf(out, "  keyid:        %Y\n",
                                        public->get_id(public, ID_PUBKEY_INFO_SHA1));
                        public->destroy(public);
                }
index 4a0b1ff428fa37f95be55e85088d7a2307ddd4fd..21e2fd2f2e9ae820be612ad5bdffc6f4fec3ce38 100644 (file)
@@ -386,8 +386,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                        if (identity->get_type(identity) == ID_ANY ||
                                !certificate->has_subject(certificate, identity))
                        {
-                               DBG1(DBG_CFG, "  peerid %D not confirmed by certificate, "
-                                        "defaulting to subject DN: %D", identity,
+                               DBG1(DBG_CFG, "  peerid %Y not confirmed by certificate, "
+                                        "defaulting to subject DN: %Y", identity,
                                         certificate->get_subject(certificate));
                                identity->destroy(identity);
                                identity = certificate->get_subject(certificate);
index 08d50519cf1a91abf768c3387e8edb08e4534bec..634a89d1d5cb6ea4303af5670c387cfbfa2e9e52 100644 (file)
@@ -249,7 +249,7 @@ static void terminate_srcip(private_stroke_control_t *this,
        enumerator_t *enumerator;
        ike_sa_t *ike_sa;
        host_t *start = NULL, *end = NULL, *vip;
-       chunk_t chunk_start, chunk_end, chunk_vip;
+       chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
        
        if (msg->terminate_srcip.start)
        {
index 066591c9d4cc8f70a12c755913a56fd4d3a031cb..689e463b4126c486006ccd1ffa66a465957cb31f 100644 (file)
@@ -74,7 +74,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
                fprintf(out, " %V ago", &now, &established);
        }
        
-       fprintf(out, ", %H[%D]...%H[%D]\n",
+       fprintf(out, ", %H[%Y]...%H[%Y]\n",
                        ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
                        ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
        
@@ -266,7 +266,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
        enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
        while (enumerator->enumerate(enumerator, &auth))
        {
-               fprintf(out, "%12s:   %s [%D] uses ", name,     local ? "local: " : "remote:",
+               fprintf(out, "%12s:   %s [%Y] uses ", name,     local ? "local: " : "remote:",
                                auth->get(auth, AUTH_RULE_IDENTITY));
 
                auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
@@ -297,7 +297,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
                        id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
                        if (id)
                        {
-                               fprintf(out, " with EAP identity '%D'", id);
+                               fprintf(out, " with EAP identity '%Y'", id);
                        }
                        fprintf(out, "\n");
                }
@@ -305,19 +305,19 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
                cert = auth->get(auth, AUTH_RULE_CA_CERT);
                if (cert)
                {
-                       fprintf(out, "%12s:    ca:    \"%D\"\n", name, cert->get_subject(cert));
+                       fprintf(out, "%12s:    ca:    \"%Y\"\n", name, cert->get_subject(cert));
                }
 
                cert = auth->get(auth, AUTH_RULE_IM_CERT);
                if (cert)
                {
-                       fprintf(out, "%12s:    im-ca: \"%D\"\n", name, cert->get_subject(cert));
+                       fprintf(out, "%12s:    im-ca: \"%Y\"\n", name, cert->get_subject(cert));
                }
 
                cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
                if (cert)
                {
-                       fprintf(out, "%12s:    cert:  \"%D\"\n", name,
+                       fprintf(out, "%12s:    cert:  \"%Y\"\n", name,
                                        cert->get_subject(cert));
                }
 
@@ -340,7 +340,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
                {
                        if (rule == AUTH_RULE_AC_GROUP)
                        {
-                               fprintf(out, "%12s:    group: %D\n", name, id);
+                               fprintf(out, "%12s:    group: %Y\n", name, id);
                        }
                }
                rules->destroy(rules);
@@ -593,8 +593,8 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
                                        key_type_names, public->get_type(public),
                                        public->get_keysize(public) * 8,
                                        private ? ", has private key" : "");
-                       fprintf(out, "  keyid:     %D\n", keyid);
-                       fprintf(out, "  subjkey:   %D\n", id);
+                       fprintf(out, "  keyid:     %Y\n", keyid);
+                       fprintf(out, "  subjkey:   %Y\n", id);
                        DESTROY_IF(private);
                        public->destroy(public);
                }
@@ -650,7 +650,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                                {
                                        fprintf(out, ", ");
                                }
-                               fprintf(out, "%D", altName);
+                               fprintf(out, "%Y", altName);
                        }
                        if (!first_altName)
                        {
@@ -658,8 +658,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                        }
                        enumerator->destroy(enumerator);
 
-                       fprintf(out, "  subject:  \"%D\"\n", cert->get_subject(cert));
-                       fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+                       fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
+                       fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
                        fprintf(out, "  serial:    %#B\n", &serial);
 
                        /* list validity */
@@ -704,8 +704,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                                                key_type_names, public->get_type(public),
                                                public->get_keysize(public) * 8,
                                                private ? ", has private key" : "");
-                               fprintf(out, "  keyid:     %D\n", keyid);
-                               fprintf(out, "  subjkey:   %D\n", id);
+                               fprintf(out, "  keyid:     %Y\n", keyid);
+                               fprintf(out, "  subjkey:   %Y\n", id);
                                DESTROY_IF(private);
                                public->destroy(public);
                        }
@@ -713,7 +713,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                        /* list optional authorityKeyIdentifier */
                        if (authkey)
                        {
-                               fprintf(out, "  authkey:   %D\n", authkey);
+                               fprintf(out, "  authkey:   %Y\n", authkey);
                        }
                }
        }
@@ -749,17 +749,17 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 
                if (entityName)
                {
-                       fprintf(out, "  holder:   \"%D\"\n", entityName);
+                       fprintf(out, "  holder:   \"%Y\"\n", entityName);
                }
                if (holderIssuer)
                {
-                       fprintf(out, "  hissuer:  \"%D\"\n", holderIssuer);
+                       fprintf(out, "  hissuer:  \"%Y\"\n", holderIssuer);
                }
                if (holderSerial.ptr)
                {
                        fprintf(out, "  hserial:   %#B\n", &holderSerial);
                }
-               fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+               fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
                fprintf(out, "  serial:    %#B\n", &serial);
 
                /* list validity */
@@ -783,7 +783,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
                /* list optional authorityKeyIdentifier */
                if (authkey)
                {
-                       fprintf(out, "  authkey:   %D\n", authkey);
+                       fprintf(out, "  authkey:   %Y\n", authkey);
                }
        }
        enumerator->destroy(enumerator);
@@ -813,7 +813,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
                }
                fprintf(out, "\n");
 
-               fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+               fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 
                /* list optional crlNumber */
                if (serial.ptr)
@@ -856,7 +856,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
                /* list optional authorityKeyIdentifier */
                if (authkey)
                {
-                       fprintf(out, "  authkey:   %D\n", authkey);
+                       fprintf(out, "  authkey:   %Y\n", authkey);
                }
        }
        enumerator->destroy(enumerator);
@@ -881,7 +881,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
                        first = FALSE;
                }
 
-               fprintf(out, "  signer:   \"%D\"\n", cert->get_issuer(cert));
+               fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
        }
        enumerator->destroy(enumerator);
 }
@@ -1024,7 +1024,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
        {
                if (!address || address->ip_equals(address, lease))
                {
-                       fprintf(out, "  %15H   %s   '%D'\n",
+                       fprintf(out, "  %15H   %s   '%Y'\n",
                                        lease, on ? "online" : "offline", id);
                        found++;
                }
index d8cc69c2030b077f1db211a6ea3df1d0b642205b..e1c3e58ab9b50e08cd51719582796baabfd27fb8 100644 (file)
@@ -571,8 +571,11 @@ static job_requeue_t receive(private_stroke_socket_t *this)
  */
 static bool open_socket(private_stroke_socket_t *this)
 {
-       struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
+       struct sockaddr_un socket_addr;
        mode_t old;
+
+       socket_addr.sun_family = AF_UNIX;
+       strcpy(socket_addr.sun_path, STROKE_SOCKET);
        
        /* set up unix socket */
        this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
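Review bot: Dropping the aggregate initializer leaves every member of `socket_addr` other than `sun_family` and the copied path uninitialized, and the `strcpy` into `sun_path` is unbounded; the old `{ AF_UNIX, STROKE_SOCKET }` zero-filled the rest of the struct, so any extra field a platform's `sockaddr_un` carries (presumably the portability reason for this rewrite) now holds stack garbage. STROKE_SOCKET is a build-time constant, so the copy is unlikely to overflow today, but a bounded copy makes that explicit at no cost. Suggest `memset(&socket_addr, 0, sizeof(socket_addr));` before the `sun_family` assignment and `snprintf(socket_addr.sun_path, sizeof(socket_addr.sun_path), "%s", STROKE_SOCKET);` in place of the `strcpy`. open_socket's body continues past the hunk, so the code that consumes the struct is not visible here.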
index 7dfb874cb034f1d8db5e7ca92cdadf83f34c0690..4feffd9c4238ce5c28bfa28f987a4fca36f83f4f 100644 (file)
@@ -188,14 +188,14 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
                                "PLUTO_INTERFACE='%s' "
                                "PLUTO_REQID='%u' "
                                "PLUTO_ME='%H' "
-                               "PLUTO_MY_ID='%D' "
+                               "PLUTO_MY_ID='%Y' "
                                "PLUTO_MY_CLIENT='%s/%s' "
                                "PLUTO_MY_CLIENT_NET='%s' "
                                "PLUTO_MY_CLIENT_MASK='%s' "
                                "PLUTO_MY_PORT='%u' "
                                "PLUTO_MY_PROTOCOL='%u' "
                                "PLUTO_PEER='%H' "
-                               "PLUTO_PEER_ID='%D' "
+                               "PLUTO_PEER_ID='%Y' "
                                "PLUTO_PEER_CLIENT='%s/%s' "
                                "PLUTO_PEER_CLIENT_NET='%s' "
                                "PLUTO_PEER_CLIENT_MASK='%s' "
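Review bot: The identity rendered by `%Y` into `PLUTO_PEER_ID='%Y'` is chosen by the remote peer and is embedded inside single quotes in what looks like an environment/command string; if the rendering can ever contain a `'`, the quoting ends early. How much that matters depends on how the buffer is consumed, which is outside the hunk (the string building also starts before it), so it is worth confirming either that the `%Y` hook never emits a single quote for any identity type or that the buffer is not interpreted by a shell. This is pre-existing behaviour; the `%D` to `%Y` rename does not change it.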
index 5894b6aab68fe8642648e2588d4ad545d63b1ad3..607286b017deb2cf9ec65512cb020beb40340908 100644 (file)
@@ -101,7 +101,7 @@ static void execute(private_mediation_job_t *this)
                                /* send callback to a peer */
                                if (target_sa->callback(target_sa, this->source) != SUCCESS)
                                {
-                                       DBG1(DBG_JOB, "callback for '%D' to '%D' failed",
+                                       DBG1(DBG_JOB, "callback for '%Y' to '%Y' failed",
                                                        this->source, this->target);
                                        charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
                                        destroy(this);
@@ -114,7 +114,7 @@ static void execute(private_mediation_job_t *this)
                                if (target_sa->relay(target_sa, this->source, this->connect_id,
                                                this->connect_key, this->endpoints, this->response) != SUCCESS)
                                {
-                                       DBG1(DBG_JOB, "mediation between '%D' and '%D' failed",
+                                       DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed",
                                                        this->source, this->target);
                                        charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
                                        /* FIXME: notify the initiator */
@@ -127,13 +127,13 @@ static void execute(private_mediation_job_t *this)
                }
                else
                {
-                       DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: "
+                       DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
                                        "SA not found", this->source, this->target);
                }
        }
        else
        {
-               DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: "
+               DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
                                "peer is not online anymore", this->source, this->target);
        }
        destroy(this);
index 876cb7b74070c52553306b23a3fc02287332a439..27cec2d72f8222395a610af7ab6e71ed474938a8 100644 (file)
@@ -217,7 +217,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
                                {
                                        snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
                                        this->eap_identity = identification_create_from_string(buf);
-                                       DBG1(DBG_IKE, "received EAP identity '%D'",
+                                       DBG1(DBG_IKE, "received EAP identity '%Y'",
                                                 this->eap_identity);
                                }
                                /* restart EAP exchange, but with real method */
@@ -254,12 +254,12 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
                        if (vendor)
                        {
                                DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
-                                        "peer %D", type, vendor, 
+                                        "peer %Y", type, vendor, 
                                         this->ike_sa->get_other_id(this->ike_sa));
                        }
                        else
                        {
-                               DBG1(DBG_IKE, "EAP method %N failed for peer %D",
+                               DBG1(DBG_IKE, "EAP method %N failed for peer %Y",
                                         eap_type_names, type,
                                         this->ike_sa->get_other_id(this->ike_sa));
                        }
@@ -290,7 +290,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
                {
                        id = this->ike_sa->get_my_id(this->ike_sa);
                }
-               DBG1(DBG_IKE, "server requested %N, sending '%D'",
+               DBG1(DBG_IKE, "server requested %N, sending '%Y'",
                         eap_type_names, type, id);
                this->eap_identity = id->clone(id);
                
@@ -380,7 +380,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
        }
        chunk_free(&auth_data);
        
-       DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
                 other_id, auth_class_names, AUTH_CLASS_EAP);
        this->auth_complete = TRUE;
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
@@ -401,7 +401,7 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message)
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        keymat = this->ike_sa->get_keymat(this->ike_sa);
        
-       DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
+       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
                 my_id, auth_class_names, AUTH_CLASS_EAP);
        
        auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
index 45baa8e9c14b6dee082dc92ab66657e8e7473629..5ce91935588edade51cb8da1a120dd984165bfa4 100644 (file)
@@ -63,13 +63,13 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
        keymat = this->ike_sa->get_keymat(this->ike_sa);
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        other_id = this->ike_sa->get_other_id(this->ike_sa);
-       DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
+       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
                 my_id, auth_method_names, AUTH_PSK);
        key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
                                                                                  my_id, other_id);
        if (key == NULL)
        {
-               DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+               DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
                return NOT_FOUND;
        }
        auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
@@ -119,7 +119,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
                                                                        this->nonce, key->get_key(key), other_id);
                if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
                {
-                       DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
                                 other_id, auth_method_names, AUTH_PSK);
                        authenticated = TRUE;
                }
@@ -131,10 +131,10 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
        {
                if (keys_found == 0)
                {
-                       DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+                       DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
                        return NOT_FOUND;
                }
-               DBG1(DBG_IKE, "tried %d shared key%s for '%D' - '%D', but MAC mismatched",
+               DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched",
                         keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
                return FAILED;
        }
index 482d6b91d0e7d7e346f0807bc434621bda9a5380..b8335a69dce27209c15835abd7e79ae4a9c6318a 100644 (file)
@@ -71,7 +71,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
                                                                                           id, auth);
        if (private == NULL)
        {
-               DBG1(DBG_IKE, "no private key found for '%D'", id);
+               DBG1(DBG_IKE, "no private key found for '%Y'", id);
                return NOT_FOUND;
        }
        
@@ -122,7 +122,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
                message->add_payload(message, (payload_t*)auth_payload);
                status = SUCCESS;
        }
-       DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id,
+       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
                 auth_method_names, auth_method, 
                 (status == SUCCESS)? "successful":"failed");
        chunk_free(&octets);
@@ -186,7 +186,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
        {
                if (public->verify(public, scheme, octets, auth_data))
                {
-                       DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
                                                   id, auth_method_names, auth_method);
                        status = SUCCESS;
                        auth->merge(auth, current_auth, FALSE);
@@ -203,7 +203,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
        chunk_free(&octets);
        if (status == NOT_FOUND)
        {
-               DBG1(DBG_IKE, "no trusted %N public key found for '%D'",
+               DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
                         key_type_names, key_type, id);
        }
        return status;
index 092210bb24a4f77b1a4b949ee2a37c9f2c59eb70..1ea9539b077e5cf34888e0a8ad4e2bc3c7fd0dd1 100644 (file)
@@ -724,14 +724,14 @@ static void destroy(private_child_sa_t *this)
        if (this->my_spi)
        {
                charon->kernel_interface->del_sa(charon->kernel_interface,
-                                       this->my_addr, this->my_spi, this->protocol,
-                                       this->my_cpi);
+                                       this->other_addr, this->my_addr, this->my_spi,
+                                       this->protocol, this->my_cpi);
        }
        if (this->other_spi)
        {
                charon->kernel_interface->del_sa(charon->kernel_interface,
-                                       this->other_addr, this->other_spi, this->protocol,
-                                       this->other_cpi);
+                                       this->my_addr, this->other_addr, this->other_spi,
+                                       this->protocol, this->other_cpi);
        }
        
        if (this->config->install_policy(this->config))
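Review bot: Both del_sa() calls in destroy() still discard the return value, so a kernel SA that could not be removed is neither logged nor retried, and the hunk leaves no trace of which direction each new (src, dst) pair denotes. The two leading host_t arguments differ only in order between the calls — `this->other_addr, this->my_addr` for the SA keyed by my_spi, `this->my_addr, this->other_addr` for the one keyed by other_spi — so a swap would compile cleanly. A one-line comment above each call such as `/* inbound SA: source is the peer, destination is us */`, plus a DBG1 when del_sa does not return SUCCESS (assuming it reports a status_t like the other kernel_interface methods), would make leftover kernel state visible in the logs. destroy() begins before this hunk and continues after it.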
index 4574ea3a9bfcd070bf3139c9d5bc4c7f635d95d0..89d8882bf2b1846488fdd3bb83901e09f3e3480f 100644 (file)
@@ -1196,8 +1196,8 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
                }
                else
                {
-                       DBG1(DBG_IKE, "there is no mediated connection waiting between '%D' "
-                                       "and '%D'", checklist->initiator.id, checklist->responder.id);
+                       DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y' "
+                                       "and '%Y'", checklist->initiator.id, checklist->responder.id);
                }
        }
 }
@@ -1396,7 +1396,7 @@ static bool check_and_register(private_connect_manager_t *this,
 
        if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
        {
-               DBG2(DBG_IKE, "registered waiting mediated connection with '%D'", peer_id);
+               DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'", peer_id);
                initiated = initiated_create(id, peer_id);
                this->initiated->insert_last(this->initiated, initiated);
                already_there = FALSE;
@@ -1425,7 +1425,7 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med
 
        if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
        {
-               DBG2(DBG_IKE, "no waiting mediated connections with '%D'", peer_id);
+               DBG2(DBG_IKE, "no waiting mediated connections with '%Y'", peer_id);
                this->mutex->unlock(this->mutex);
                return;
        }
index f6abb0c35abafbe1d70292649294ca7a62f14fd1..311b18c8ca1786dfd5fbb3825f0d476bfab42a62 100644 (file)
@@ -1436,7 +1436,7 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
                                        {
                                                case UNIQUE_REPLACE:
                                                        DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
-                                                                       "'%D' due to uniqueness policy", other);
+                                                                       "'%Y' due to uniqueness policy", other);
                                                        status = duplicate->delete(duplicate);
                                                        break;
                                                case UNIQUE_KEEP:
index fbdf3ad589af86a10486941c885bf69d6af65b6b..b652c29e6598f22ab4c05c9a2283339baed09b56 100644 (file)
@@ -227,12 +227,12 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
        
        if (!found)
        {
-               DBG2(DBG_IKE, "adding peer '%D'", peer_id);
+               DBG2(DBG_IKE, "adding peer '%Y'", peer_id);
                peer = peer_create(peer_id, NULL);
                this->peers->insert_last(this->peers, peer);
        }
 
-       DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%D'", peer_id);                   
+       DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);                   
        peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
        
        /* send callbacks to registered peers */
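Review bot: The rewritten line `DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);` carries over the trailing whitespace of the line it replaces; since the line is being touched anyway, trim it so the next diff of update_sa_id() is not noisy. update_sa_id() starts before this hunk.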
@@ -284,7 +284,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 
        if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
        {
-               DBG2(DBG_IKE, "adding peer %D", peer_id);
+               DBG2(DBG_IKE, "adding peer %Y", peer_id);
                peer = peer_create(peer_id, NULL);
                this->peers->insert_last(this->peers, peer);
        }
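Review bot: The new message in check_and_register() reads `"adding peer %Y"` while the same event in update_sa_id() a few lines earlier in this file is logged as `"adding peer '%Y'"`; writing it as `DBG2(DBG_IKE, "adding peer '%Y'", peer_id);` keeps the two log lines uniform, which matters for anyone parsing the log since an identity may itself contain spaces. check_and_register() continues outside this hunk.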
@@ -292,7 +292,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
        if (!peer->ike_sa_id)
        {
                /* the peer is not online */
-               DBG2(DBG_IKE, "requested peer '%D' is offline, registering peer '%D'", peer_id, requester);
+               DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'", peer_id, requester);
                register_peer(peer, requester);
                this->mutex->unlock(this->mutex);
                return NULL;
index d594e3baa3d17bb0102fcb0ed040f968791a3ef9..b5ef17ab8a6943f1f0fe7dc8cab5daaac0285c0b 100644 (file)
@@ -642,7 +642,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                {       /* IDr received, check if it matches configuration */
                        if (id_cfg && !id->matches(id, id_cfg))
                        {
-                               DBG1(DBG_CFG, "received IDr %D, but require %D", id, id_cfg);
+                               DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
                                message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
                                                                        chunk_empty);
                                return FAILED;
@@ -730,7 +730,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                        return FAILED;
                }
                this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-               DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+               DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                         this->ike_sa->get_name(this->ike_sa),
                         this->ike_sa->get_unique_id(this->ike_sa),
                         this->ike_sa->get_my_host(this->ike_sa),
@@ -907,7 +907,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                        return FAILED;
                }
                this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-               DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+               DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                         this->ike_sa->get_name(this->ike_sa),
                         this->ike_sa->get_unique_id(this->ike_sa),
                         this->ike_sa->get_my_host(this->ike_sa),
index da3ee4dce7dc706e66eac61757acd4e549489c0c..3ef1cafc42a2024c2820d1eb1eb388cac9bff2b4 100644 (file)
@@ -140,7 +140,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
                        {
                                break;
                        }
-                       DBG1(DBG_IKE, "sending end entity cert \"%D\"",
+                       DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
                                 cert->get_subject(cert));
                        message->add_payload(message, (payload_t*)payload);
                        
@@ -152,7 +152,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
                                        payload = cert_payload_create_from_cert(cert);
                                        if (payload)
                                        {
-                                               DBG1(DBG_IKE, "sending issuer cert \"%D\"",
+                                               DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
                                                         cert->get_subject(cert));
                                                message->add_payload(message, (payload_t*)payload);
                                        }
index 0ec7004c2e1d142b8f5590f0563561ddb5177f14..db9e7bcc636e00edc58eb71c02a4dc9ff29f146d 100644 (file)
@@ -95,14 +95,14 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
                                                                                        CERT_X509, KEY_ANY, id, TRUE);
                                        if (cert)
                                        {
-                                               DBG1(DBG_IKE, "received cert request for \"%D\"",
+                                               DBG1(DBG_IKE, "received cert request for \"%Y\"",
                                                         cert->get_subject(cert));
                                                auth->add(auth, AUTH_RULE_CA_CERT, cert);
                                        }
                                        else
                                        {
                                                DBG1(DBG_IKE, "received cert request for unknown ca "
-                                                                         "with keyid %D", id);
+                                                                         "with keyid %Y", id);
                                        }
                                        id->destroy(id);
                                }
@@ -211,14 +211,14 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
                                        {
                                                if (first)
                                                {       /* the first is an end entity certificate */
-                                                       DBG1(DBG_IKE, "received end entity cert \"%D\"",
+                                                       DBG1(DBG_IKE, "received end entity cert \"%Y\"",
                                                                 cert->get_subject(cert));
                                                        auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
                                                        first = FALSE;
                                                }
                                                else
                                                {
-                                                       DBG1(DBG_IKE, "received issuer cert \"%D\"",
+                                                       DBG1(DBG_IKE, "received issuer cert \"%Y\"",
                                                                 cert->get_subject(cert));
                                                        auth->add(auth, AUTH_HELPER_IM_CERT, cert);
                                                }
@@ -300,7 +300,7 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert)
                        keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
                        (*req)->add_keyid(*req, keyid->get_encoding(keyid));
                        public->destroy(public);
-                       DBG1(DBG_IKE, "sending cert request for \"%D\"",
+                       DBG1(DBG_IKE, "sending cert request for \"%Y\"",
                                 cert->get_subject(cert));
                        break;
                }
index 7ff969044896ba60604c18d3c2bb8f233cf0c4bf..185010040ac02f93f954d31fe8abaaed2558b109 100644 (file)
@@ -56,7 +56,7 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
 {
        delete_payload_t *delete_payload;
 
-       DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+       DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa),
                 this->ike_sa->get_my_host(this->ike_sa),
@@ -95,7 +95,7 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
        DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa));
-       DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+       DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa),
                 this->ike_sa->get_my_host(this->ike_sa),
index 07dfb20a516f900d617eb84af36200ef3e264824..bb6f4f41eb06a3c098ff36b4fa623017fbd435ec 100644 (file)
@@ -339,7 +339,7 @@ static status_t process_r(private_ike_me_t *this, message_t *message)
                        
                        if (this->callback)
                        {
-                               DBG1(DBG_IKE, "received ME_CALLBACK for '%D'", this->peer_id);
+                               DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id);
                                break;
                        }                       
                        
@@ -471,7 +471,7 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
                        
                        if (this->failed)
                        {
-                               DBG1(DBG_IKE, "peer '%D' is not online", this->peer_id);
+                               DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id);
                                /* FIXME: notify the mediated connection (job?) */
                        }
                        else
index ef6e4721a2272fb87656872373550c4224317995..f564012e70169269dab9d82128fef199ef4633ff 100644 (file)
@@ -177,7 +177,7 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
        
        this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
        this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                 this->new_sa->get_name(this->new_sa),
                 this->new_sa->get_unique_id(this->new_sa),
                 this->ike_sa->get_my_host(this->ike_sa),
@@ -246,7 +246,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
        }
        
        this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                 this->new_sa->get_name(this->new_sa),
                 this->new_sa->get_unique_id(this->new_sa),
                 this->ike_sa->get_my_host(this->ike_sa),
index 44964e041cea06ee3583f370b6c969d6fba58cb3..f3ca1ca0699c891c90b39a6cec32f2597852df14 100644 (file)
@@ -12,5 +12,5 @@ ipsec : ipsec.in
        -e "s:@IPSEC_SBINDIR@:$(sbindir):" \
        -e "s:@IPSEC_CONFDIR@:$(confdir):" \
        -e "s:@IPSEC_PIDDIR@:$(piddir):" \
-       $< > $@
+       $(srcdir)/$@.in > $@
        chmod +x $@
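Review bot: The recipe now hard-codes `$(srcdir)/$@.in` while the rule's prerequisite is still spelled `ipsec.in`, so the input name lives in two places that can drift apart, and nothing says why `$<` was dropped. Presumably the motive is that `$<` is only portable inside suffix rules on non-GNU make; a comment above the rule such as `# $< is not portable in explicit rules, so name the input via $(srcdir) for VPATH builds` would record that for the next person who tries to "simplify" it back.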
index 190a8c892f223dee17e5ac8c53632cab331e9f5c..c0744418479ca8abdfd15739157bfc5ccfa1c0c6 100644 (file)
@@ -1,13 +1,10 @@
 noinst_LIBRARIES = libfreeswan.a
 libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
                        atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
-                       goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipcomp.h \
-                       ipsec_ah.h ipsec_alg.h ipsec_encap.h ipsec_eroute.h ipsec_errs.h \
-                       ipsec_esp.h ipsec_ipe4.h ipsec_kversion.h ipsec_life.h ipsec_md5h.h \
-                       ipsec_param.h ipsec_policy.h ipsec_proto.h ipsec_radij.h ipsec_rcv.h \
-                       ipsec_sa.h ipsec_sha1.h ipsec_stats.h ipsec_tunnel.h ipsec_xform.h \
-                       ipsec_xmit.h  keyblobtoid.c optionsfrom.c pfkey_v2_build.c pfkey_v2_debug.c \
-                       pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c radij.h rangetoa.c \
+                       goodmask.c initaddr.c initsaid.c initsubnet.c internal.h \
+                       ipsec_param.h ipsec_policy.h \
+                       keyblobtoid.c optionsfrom.c pfkey_v2_build.c pfkey_v2_debug.c \
+                       pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \
                        pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \
                        satot.c subnetof.c subnettoa.c subnettot.c \
                        subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
index 51ab76839ac518e896d552fa4f081cd1ce6a5d1f..d92745a9547703a4e86aae9148131e6bacd6ba32 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index ab303cce36bbecac3ae041346a26e777af6e66c9..c55f7ab8349c20f2fc66b0a0651d3a36669ab5d5 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index 473fc5d11180a3c9d409e44a80f4091a1837901c..d55ceea6cafb6635dd5c9b15711032cefaea7c11 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index 56b9893b0478d86a99cd1288d735f35230caa2dd..09af2c24a7bdaabdc0dce6958eb6bc1caef8f2a9 100644 (file)
  */
 #define        _FREESWAN_H     /* seen it, no need to see it again */
 
-
-
-/*
- * We've just got to have some datatypes defined...  And annoyingly, just
- * where we get them depends on whether we're in userland or not.
- */
-#ifdef __KERNEL__
-
-#  include <linux/types.h>
-#  include <linux/in.h>
-
-#else /* __KERNEL__ */
-
+#  include <sys/types.h>
 #  include <stdio.h>
 #  include <netinet/in.h>
 
 
 #  define DEBUG_NO_STATIC static
 
-#endif /* __KERNEL__ */
-
 #include <ipsec_param.h>
 #include <utils.h>
 
 /*
- * Grab the kernel version to see if we have NET_21, and therefore 
- * IPv6. Some of this is repeated from ipsec_kversions.h. Of course, 
- * we aren't really testing if the kernel has IPv6, but rather if the
- * the include files do.
+ * We assume header files have IPv6 (i.e. kernel version >= 2.1.0)
  */
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
 #define NET_21
-#endif
 
 #ifndef IPPROTO_COMP
 #  define IPPROTO_COMP 108
  * use their definitions directly, they are subject to change!
  */
 
-/* first, some quick fakes in case we're on an old system with no IPv6 */
-#ifndef s6_addr16
-struct in6_addr {
-       union 
-       {
-               __u8            u6_addr8[16];
-               __u16           u6_addr16[8];
-               __u32           u6_addr32[4];
-       } in6_u;
-#define s6_addr                        in6_u.u6_addr8
-#define s6_addr16              in6_u.u6_addr16
-#define s6_addr32              in6_u.u6_addr32
-};
-struct sockaddr_in6 {
-       unsigned short int      sin6_family;    /* AF_INET6 */
-       __u16                   sin6_port;      /* Transport layer port # */
-       __u32                   sin6_flowinfo;  /* IPv6 flow information */
-       struct in6_addr         sin6_addr;      /* IPv6 address */
-       __u32                   sin6_scope_id;  /* scope id (new in RFC2553) */
-};
-#endif /* !s6_addr16 */
-
 /* then the main types */
 typedef struct {
        union {
@@ -119,11 +73,7 @@ typedef struct {
 } ip_subnet;
 
 /* and the SA ID stuff */
-#ifdef __KERNEL__
-typedef __u32 ipsec_spi_t;
-#else
 typedef u_int32_t ipsec_spi_t;
-#endif
 typedef struct {               /* to identify an SA, we need: */
         ip_address dst;                /* A. destination host */
         ipsec_spi_t spi;       /* B. 32-bit SPI, assigned by dest. host */
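Review bot: `typedef u_int32_t ipsec_spi_t;` is now the only definition, and u_int32_t is a BSD/glibc name supplied by <sys/types.h> rather than a C99 type, whereas the same header already uses the standard spelling in `typedef uint32_t IPsecSAref_t;` a few lines further down. `typedef uint32_t ipsec_spi_t;` would make the two consistent and remove the remaining dependency on the extension that the portability work is trying to shed. This is a file-scope typedef, not part of any function.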
@@ -159,6 +109,8 @@ struct prng {                       /* pseudo-random-number-generator guts */
  */
 typedef uint32_t IPsecSAref_t;
 
+#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)
+
 #define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
 
 #define IPsecSAref2NFmark(x) ((x) << (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
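Review bot: The new `IPSEC_SA_REF_TABLE_NUM_ENTRIES` shifts a signed `1` by `IPSEC_SA_REF_TABLE_IDX_WIDTH` without parenthesising the operand, so if that width is ever defined as an expression the precedence changes silently, and for widths of 31 or more the signed shift is undefined behaviour. `#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1u << (IPSEC_SA_REF_TABLE_IDX_WIDTH))` avoids both and matches the unsigned `IPsecSAref_t` that indexes the table; if callers compare the count against signed loop counters, check the promotions when making that change.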
@@ -441,11 +393,9 @@ bitstomask(
  * general utilities
  */
 
-#ifndef __KERNEL__
-/* option pickup from files (userland only because of use of FILE) */
+/* option pickup from files */
 const char *optionsfrom(const char *filename, int *argcp, char ***argvp,
                                                int optind, FILE *errorreport);
-#endif
 
 /*
  * Debugging levels for pfkey_lib_debug
index b8427c6533b9bb673f541ea374b5b1a602be9ee1..51f7f6f45f3cec111b6af454022254087bac987c 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index c18db31f520b66b60fafa3631d666fb8668d035c..a97cce905d6ce2340b227dbcdd573aa105f652d1 100644 (file)
 #define        PASSTHROUGHDST  0
 #endif
 
-/*
- * Headers, greatly complicated by stupid and unnecessary inconsistencies
- * between the user environment and the kernel environment.  These are done
- * here so that this mess need exist in only one place.
- *
- * It may seem like a -I or two could avoid most of this, but on closer
- * inspection it is not quite that easy.
- */
-
-/* things that need to come from one place or the other, depending */
-#ifdef __KERNEL__
-#include <linux/types.h>
-#include <linux/socket.h>
-#include <linux/in.h>
-#include <linux/string.h>
-#include <linux/ctype.h>
-#define        assert(foo)     /* nothing */
-#else
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <string.h>
 #include <ctype.h>
 #include <assert.h>
-#endif
-
-/* things that exist only in userland */
-#ifndef __KERNEL__
-
-/* You'd think this would be okay in the kernel too -- it's just a */
-/* bunch of constants -- but no, in RH5.1 it screws up other things. */
-/* (Credit:  Mike Warfield tracked this problem down.  Thanks Mike!) */
-/* Fortunately, we don't need it in the kernel subset of the library. */
 #include <limits.h>
-
-/* header files for things that should never be called in kernel */
 #include <netdb.h>
-
-/* memory allocation, currently user-only, macro-ized just in case */
 #include <stdlib.h>
 #define        MALLOC(n)       malloc(n)
 #define        FREE(p)         free(p)
 
-#endif /* __KERNEL__ */
-
diff --git a/src/libfreeswan/ipcomp.h b/src/libfreeswan/ipcomp.h
deleted file mode 100644 (file)
index fd8e35d..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * IPCOMP zlib interface code.
- * Copyright (C) 2000  Svenning Soerensen <svenning@post5.tele.dk>
- * Copyright (C) 2000, 2001  Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
-
- RCSID $Id$
-
- */
-
-/* SSS */
-
-#ifndef _IPCOMP_H
-#define _IPCOMP_H
-
-/* Prefix all global deflate symbols with "ipcomp_" to avoid collisions with ppp_deflate & ext2comp */
-#ifndef IPCOMP_PREFIX
-#define IPCOMP_PREFIX
-#endif /* IPCOMP_PREFIX */
-
-#ifndef IPPROTO_COMP
-#define IPPROTO_COMP 108
-#endif /* IPPROTO_COMP */
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int sysctl_ipsec_debug_ipcomp;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-struct ipcomphdr {                     /* IPCOMP header */
-    __u8    ipcomp_nh;         /* Next header (protocol) */
-    __u8    ipcomp_flags;      /* Reserved, must be 0 */
-    __u16   ipcomp_cpi;                /* Compression Parameter Index */
-};
-
-extern struct inet_protocol comp_protocol;
-extern int sysctl_ipsec_debug_ipcomp;
-
-#define IPCOMP_UNCOMPRESSABLE     0x000000001
-#define IPCOMP_COMPRESSIONERROR   0x000000002
-#define IPCOMP_PARMERROR          0x000000004
-#define IPCOMP_DECOMPRESSIONERROR 0x000000008
-
-#define IPCOMP_ADAPT_INITIAL_TRIES     8
-#define IPCOMP_ADAPT_INITIAL_SKIP      4
-#define IPCOMP_ADAPT_SUBSEQ_TRIES      2
-#define IPCOMP_ADAPT_SUBSEQ_SKIP       8
-
-/* Function prototypes */
-struct sk_buff *skb_compress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags);
-struct sk_buff *skb_decompress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags);
-
-#endif /* _IPCOMP_H */
diff --git a/src/libfreeswan/ipsec_ah.h b/src/libfreeswan/ipsec_ah.h
deleted file mode 100644 (file)
index ccf40b6..0000000
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Authentication Header declarations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#include "ipsec_md5h.h"
-#include "ipsec_sha1.h"
-
-#ifndef IPPROTO_AH
-#define IPPROTO_AH 51
-#endif /* IPPROTO_AH */
-
-#define AH_FLENGTH             12              /* size of fixed part */
-#define AHMD5_KMAX             64              /* MD5 max 512 bits key */
-#define AHMD5_AMAX             12              /* MD5 96 bits of authenticator */
-
-#define AHMD596_KLEN           16              /* MD5 128 bits key */
-#define AHSHA196_KLEN          20              /* SHA1 160 bits key */
-
-#define AHMD596_ALEN           16              /* MD5 128 bits authentication length */
-#define AHSHA196_ALEN          20              /* SHA1 160 bits authentication length */
-
-#define AHMD596_BLKLEN         64              /* MD5 block length */
-#define AHSHA196_BLKLEN        64              /* SHA1 block length */
-#define AHSHA2_256_BLKLEN      64              /* SHA2-256 block length */
-#define AHSHA2_384_BLKLEN      128             /* SHA2-384 block length (?) */
-#define AHSHA2_512_BLKLEN      128             /* SHA2-512 block length */
-
-#define AH_BLKLEN_MAX          128             /* keep up to date! */
-
-#define AH_AMAX                AHSHA196_ALEN   /* keep up to date! */
-#define AHHMAC_HASHLEN         12              /* authenticator length of 96bits */
-#define AHHMAC_RPLLEN          4               /* 32 bit replay counter */
-
-#define DB_AH_PKTRX            0x0001
-#define DB_AH_PKTRX2           0x0002
-#define DB_AH_DMP              0x0004
-#define DB_AH_IPSA             0x0010
-#define DB_AH_XF               0x0020
-#define DB_AH_INAU             0x0040
-#define DB_AH_REPLAY           0x0100
-
-#ifdef __KERNEL__
-
-/* General HMAC algorithm is described in RFC 2104 */
-
-#define                HMAC_IPAD       0x36
-#define                HMAC_OPAD       0x5C
-
-struct md5_ctx {
-       MD5_CTX ictx;           /* context after H(K XOR ipad) */
-       MD5_CTX octx;           /* context after H(K XOR opad) */
-};
-
-struct sha1_ctx {
-       SHA1_CTX ictx;          /* context after H(K XOR ipad) */
-       SHA1_CTX octx;          /* context after H(K XOR opad) */
-};
-
-struct auth_alg {
-       void (*init)(void *ctx);
-       void (*update)(void *ctx, unsigned char *bytes, __u32 len);
-       void (*final)(unsigned char *hash, void *ctx);
-       int hashlen;
-};
-
-extern struct inet_protocol ah_protocol;
-
-struct options;
-
-extern int 
-ah_rcv(struct sk_buff *skb,
-       struct device *dev,
-       struct options *opt, 
-       __u32 daddr,
-       unsigned short len,
-       __u32 saddr,
-       int redo,
-       struct inet_protocol *protocol);
-
-struct ahhdr                           /* Generic AH header */
-{
-       __u8    ah_nh;                  /* Next header (protocol) */
-       __u8    ah_hl;                  /* AH length, in 32-bit words */
-       __u16   ah_rv;                  /* reserved, must be 0 */
-       __u32   ah_spi;                 /* Security Parameters Index */
-        __u32   ah_rpl;                 /* Replay prevention */
-       __u8    ah_data[AHHMAC_HASHLEN];/* Authentication hash */
-};
-#define AH_BASIC_LEN 8      /* basic AH header is 8 bytes, nh,hl,rv,spi
-                            * and the ah_hl, says how many bytes after that
-                            * to cover. */
-
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_ah;
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* __KERNEL__ */
diff --git a/src/libfreeswan/ipsec_alg.h b/src/libfreeswan/ipsec_alg.h
deleted file mode 100644 (file)
index 920e921..0000000
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * Modular extensions service and registration functions interface
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * $Id$
- *
- */
-/*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- */
-#ifndef IPSEC_ALG_H
-#define IPSEC_ALG_H
-
-/* 
- *   gcc >= 3.2 has removed __FUNCTION__, replaced by C99 __func__
- *   *BUT* its a compiler variable.
- */
-#if (__GNUC__ >= 3)
-#ifndef __FUNCTION__
-#define __FUNCTION__ __func__
-#endif
-#endif
-
-/*     Version 0.8.1-0 */
-#define IPSEC_ALG_VERSION      0x00080100
-
-#include <linux/types.h>
-#include <linux/list.h>
-#include <asm/atomic.h>
-/*     
- *     The following structs are used via pointers in ipsec_alg object to
- *     avoid ipsec_alg.h coupling with freeswan headers, thus simplifying
- *     module development
- */
-struct ipsec_sa;
-struct esp;
-
-/**************************************
- *
- *     Main registration object 
- *
- *************************************/
-#define IPSEC_ALG_VERSION_QUAD(v)      \
-       (v>>24),((v>>16)&0xff),((v>>8)&0xff),(v&0xff)
-/*     
- *     Main ipsec_alg objects: "OOPrograming wannabe"
- *     Hierachy (carefully handled with _minimal_ cast'ing):
- *
- *      ipsec_alg+
- *              +->ipsec_alg_enc  (ixt_alg_type=SADB_EXT_SUPPORTED_ENCRYPT)
- *              +->ipsec_alg_auth (ixt_alg_type=SADB_EXT_SUPPORTED_AUTH)
- */
-
-/***************************************************************
- *
- *     INTERFACE object: struct ipsec_alg
- *
- ***************************************************************/
-
-/* 
- *     common part for every struct ipsec_alg_*        
- *     (sortof poor's man OOP)
- */
-#define IPSEC_ALG_STRUCT_COMMON \
-       unsigned ixt_version;   /* only allow this version (or 'near')*/ \
-       struct list_head ixt_list;      /* dlinked list */ \
-       struct module *ixt_module;      /* THIS_MODULE */ \
-       unsigned ixt_state;             /* state flags */ \
-       atomic_t ixt_refcnt;    /* ref. count when pointed from ipsec_sa */ \
-       char ixt_name[16];      /* descriptive short name, eg. "3des" */ \
-       void *ixt_data;         /* private for algo implementation */ \
-       uint8_t  ixt_blocksize; /* blocksize in bytes */ \
-       \
-       /* THIS IS A COPY of struct supported (lib/pfkey.h)        \
-        * please keep in sync until we migrate 'supported' stuff  \
-        * to ipsec_alg \
-        */ \
-       uint16_t ixt_alg_type;  /* correspond to IPSEC_ALG_{ENCRYPT,AUTH} */ \
-       uint8_t  ixt_alg_id;    /* enc. alg. number, eg. ESP_3DES */ \
-       uint8_t  ixt_ivlen;     /* ivlen in bits, expected to be multiple of 8! */ \
-       uint16_t ixt_keyminbits;/* min. keybits (of entropy) */ \
-       uint16_t ixt_keymaxbits;/* max. keybits (of entropy) */
-
-#define ixt_support ixt_alg_type
-       
-#define IPSEC_ALG_ST_SUPP      0x01
-#define IPSEC_ALG_ST_REGISTERED 0x02
-#define IPSEC_ALG_ST_EXCL      0x04
-struct ipsec_alg {
-       IPSEC_ALG_STRUCT_COMMON
-};
-/* 
- *     Note the const in cbc_encrypt IV arg:
- *     some ciphers like to toast passed IV (eg. 3DES): make a local IV copy
- */
-struct ipsec_alg_enc {
-       IPSEC_ALG_STRUCT_COMMON
-       unsigned ixt_e_keylen;          /* raw key length in bytes          */
-       unsigned ixt_e_ctx_size;        /* sa_p->key_e_size */
-       int (*ixt_e_set_key)(struct ipsec_alg_enc *alg, __u8 *key_e, const __u8 *key, size_t keysize);
-       __u8 *(*ixt_e_new_key)(struct ipsec_alg_enc *alg, const __u8 *key, size_t keysize);
-       void (*ixt_e_destroy_key)(struct ipsec_alg_enc *alg, __u8 *key_e);
-       int (*ixt_e_cbc_encrypt)(struct ipsec_alg_enc *alg, __u8 *key_e, __u8 *in, int ilen, const __u8 *iv, int encrypt);
-};
-struct ipsec_alg_auth {
-       IPSEC_ALG_STRUCT_COMMON
-       unsigned ixt_a_keylen;          /* raw key length in bytes          */
-       unsigned ixt_a_ctx_size;        /* sa_p->key_a_size */
-       unsigned ixt_a_authlen;         /* 'natural' auth. hash len (bytes) */
-       int (*ixt_a_hmac_set_key)(struct ipsec_alg_auth *alg, __u8 *key_a, const __u8 *key, int keylen);
-       int (*ixt_a_hmac_hash)(struct ipsec_alg_auth *alg, __u8 *key_a, const __u8 *dat, int len, __u8 *hash, int hashlen);
-};
-/*     
- *     These are _copies_ of SADB_EXT_SUPPORTED_{AUTH,ENCRYPT}, 
- *     to avoid header coupling for true constants
- *     about headers ... "cp is your friend" --Linus
- */
-#define IPSEC_ALG_TYPE_AUTH    14
-#define IPSEC_ALG_TYPE_ENCRYPT 15
-
-/***************************************************************
- *
- *     INTERFACE for module loading,testing, and unloading
- *
- ***************************************************************/
-/*     -  registration calls   */
-int register_ipsec_alg(struct ipsec_alg *);
-int unregister_ipsec_alg(struct ipsec_alg *);
-/*     -  optional (simple test) for algos     */
-int ipsec_alg_test(unsigned alg_type, unsigned alg_id, int testparm);
-/*     inline wrappers (usefull for type validation */
-static inline int register_ipsec_alg_enc(struct ipsec_alg_enc *ixt) {
-       return register_ipsec_alg((struct ipsec_alg*)ixt);
-}
-static inline int unregister_ipsec_alg_enc(struct ipsec_alg_enc *ixt) {
-       return unregister_ipsec_alg((struct ipsec_alg*)ixt);
-}
-static inline int register_ipsec_alg_auth(struct ipsec_alg_auth *ixt) {
-       return register_ipsec_alg((struct ipsec_alg*)ixt);
-}
-static inline int unregister_ipsec_alg_auth(struct ipsec_alg_auth *ixt) {
-       return unregister_ipsec_alg((struct ipsec_alg*)ixt);
-}
-
-/*****************************************************************
- *
- *     INTERFACE for ENC services: key creation, encrypt function
- *
- *****************************************************************/
-
-#define IPSEC_ALG_ENCRYPT 1
-#define IPSEC_ALG_DECRYPT 0
-
-/*     encryption key context creation function */
-int ipsec_alg_enc_key_create(struct ipsec_sa *sa_p);
-/* 
- *     ipsec_alg_esp_encrypt(): encrypt ilen bytes in idat returns
- *     0 or ERR<0
- */
-int ipsec_alg_esp_encrypt(struct ipsec_sa *sa_p, __u8 *idat, int ilen, const __u8 *iv, int action);
-
-/***************************************************************
- *
- *     INTERFACE for AUTH services: key creation, hash functions
- *
- ***************************************************************/
-int ipsec_alg_auth_key_create(struct ipsec_sa *sa_p);
-int ipsec_alg_sa_esp_hash(const struct ipsec_sa *sa_p, const __u8 *espp, int len, __u8 *hash, int hashlen) ;
-#define ipsec_alg_sa_esp_update(c,k,l) ipsec_alg_sa_esp_hash(c,k,l,NULL,0)
-
-/* only called from ipsec_init.c */
-int ipsec_alg_init(void);
-
-/* algo module glue for static algos */
-void ipsec_alg_static_init(void);
-typedef int (*ipsec_alg_init_func_t) (void);
-
-/**********************************************
- *
- *     INTERFACE for ipsec_sa init and wipe
- *
- **********************************************/
-
-/* returns true if ipsec_sa has ipsec_alg obj attached */
-/* 
- * Initializes ipsec_sa's ipsec_alg object, using already loaded
- * proto, authalg, encalg.; links ipsec_alg objects (enc, auth)
- */
-int ipsec_alg_sa_init(struct ipsec_sa *sa_p);
-/* 
- * Destroys ipsec_sa's ipsec_alg object
- * unlinking ipsec_alg objects
- */
-int ipsec_alg_sa_wipe(struct ipsec_sa *sa_p);
-
-/**********************************************
- *
- *     2.2 backport for some 2.4 useful module stuff
- *
- **********************************************/
-#ifdef MODULE
-#ifndef THIS_MODULE
-#define THIS_MODULE          (&__this_module)
-#endif
-#ifndef module_init
-typedef int (*__init_module_func_t)(void);
-typedef void (*__cleanup_module_func_t)(void);
-
-#define module_init(x) \
-        int init_module(void) __attribute__((alias(#x))); \
-        static inline __init_module_func_t __init_module_inline(void) \
-        { return x; }
-#define module_exit(x) \
-        void cleanup_module(void) __attribute__((alias(#x))); \
-        static inline __cleanup_module_func_t __cleanup_module_inline(void) \
-        { return x; }
-#endif
-
-#define IPSEC_ALG_MODULE_INIT( func_name )     \
-       static int func_name(void);             \
-       module_init(func_name);                 \
-       static int __init func_name(void)
-#define IPSEC_ALG_MODULE_EXIT( func_name )     \
-       static void func_name(void);            \
-       module_exit(func_name);                 \
-       static void __exit func_name(void)
-#else  /* not MODULE */
-#ifndef THIS_MODULE
-#define THIS_MODULE          NULL
-#endif
-/*     
- *     I only want module_init() magic 
- *     when algo.c file *is THE MODULE*, in all other
- *     cases, initialization is called explicitely from ipsec_alg_init()
- */
-#define IPSEC_ALG_MODULE_INIT( func_name )     \
-       extern int func_name(void);             \
-       int func_name(void)
-#define IPSEC_ALG_MODULE_EXIT( func_name )     \
-       extern void func_name(void);            \
-       void func_name(void)
-#endif
-
-#endif /* IPSEC_ALG_H */
diff --git a/src/libfreeswan/ipsec_encap.h b/src/libfreeswan/ipsec_encap.h
deleted file mode 100644 (file)
index 69b2ca3..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * declarations relevant to encapsulation-like operations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#ifndef _IPSEC_ENCAP_H_
-
-#define SENT_IP4       16      /* data is two struct in_addr + proto + ports*/
-                       /* (2 * sizeof(struct in_addr)) */
-                       /* sizeof(struct sockaddr_encap)
-                          - offsetof(struct sockaddr_encap, Sen.Sip4.Src) */
-
-struct sockaddr_encap
-{
-       __u8    sen_len;                /* length */
-       __u8    sen_family;             /* AF_ENCAP */
-       __u16   sen_type;               /* see SENT_* */
-       union
-       {
-               struct                  /* SENT_IP4 */
-               {
-                       struct in_addr Src;
-                       struct in_addr Dst;
-                       __u8 Proto;
-                       __u16 Sport;
-                       __u16 Dport;
-               } Sip4;
-       } Sen;
-};
-
-#define sen_ip_src     Sen.Sip4.Src
-#define sen_ip_dst     Sen.Sip4.Dst
-#define sen_proto       Sen.Sip4.Proto
-#define sen_sport       Sen.Sip4.Sport
-#define sen_dport       Sen.Sip4.Dport
-
-#ifndef AF_ENCAP
-#define AF_ENCAP 26
-#endif /* AF_ENCAP */
-
-#define _IPSEC_ENCAP_H_
-#endif /* _IPSEC_ENCAP_H_ */
diff --git a/src/libfreeswan/ipsec_eroute.h b/src/libfreeswan/ipsec_eroute.h
deleted file mode 100644 (file)
index 0afabf0..0000000
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * @(#) declarations of eroute structures
- *
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs <rgb@freeswan.org>
- * Copyright (C) 2001                    Michael Richardson <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- * derived from ipsec_encap.h 1.15 on 2001/9/18 by mcr.
- *
- */
-
-#ifndef _IPSEC_EROUTE_H_
-
-#include "radij.h"
-#include "ipsec_encap.h"
-#include "ipsec_radij.h"
-
-/*
- * The "type" is really part of the address as far as the routing
- * system is concerned. By using only one bit in the type field
- * for each type, we sort-of make sure that different types of
- * encapsulation addresses won't be matched against the wrong type.
- */
-
-/*
- * An entry in the radix tree 
- */
-
-struct rjtentry
-{
-       struct  radij_node rd_nodes[2]; /* tree glue, and other values */
-#define        rd_key(r)       ((struct sockaddr_encap *)((r)->rd_nodes->rj_key))
-#define        rd_mask(r)      ((struct sockaddr_encap *)((r)->rd_nodes->rj_mask))
-       short   rd_flags;
-       short   rd_count;
-};
-
-struct ident
-{
-       __u16   type;   /* identity type */
-       __u64   id;     /* identity id */
-       __u8    len;    /* identity len */
-       caddr_t data;   /* identity data */
-};
-
-/*
- * An encapsulation route consists of a pointer to a 
- * radix tree entry and a SAID (a destination_address/SPI/protocol triple).
- */
-
-struct eroute
-{
-       struct rjtentry er_rjt;
-       struct sa_id er_said;
-       uint32_t er_pid;
-       uint32_t er_count;
-       uint64_t er_lasttime;
-       struct sockaddr_encap er_eaddr; /* MCR get rid of _encap, it is silly*/
-       struct sockaddr_encap er_emask;
-        struct ident er_ident_s;
-        struct ident er_ident_d;
-       struct sk_buff* er_first;
-       struct sk_buff* er_last;
-};
-
-#define er_dst er_said.dst
-#define er_spi er_said.spi
-
-#define _IPSEC_EROUTE_H_
-#endif /* _IPSEC_EROUTE_H_ */
diff --git a/src/libfreeswan/ipsec_errs.h b/src/libfreeswan/ipsec_errs.h
deleted file mode 100644 (file)
index cfd5498..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * @(#) definition of ipsec_errs structure
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- */
-
-/* 
- * This file describes the errors/statistics that FreeSWAN collects.
- *
- */
-
-struct ipsec_errs {
-       __u32           ips_alg_errs;          /* number of algorithm errors */
-       __u32           ips_auth_errs;         /* # of authentication errors */
-       __u32           ips_encsize_errs;      /* # of encryption size errors*/
-       __u32           ips_encpad_errs;       /* # of encryption pad  errors*/
-       __u32           ips_replaywin_errs;    /* # of pkt sequence errors */
-};
diff --git a/src/libfreeswan/ipsec_esp.h b/src/libfreeswan/ipsec_esp.h
deleted file mode 100644 (file)
index 2bd9f3c..0000000
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#include "freeswan/ipsec_md5h.h"
-#include "freeswan/ipsec_sha1.h"
-
-#include "crypto/des.h"
-
-#ifndef IPPROTO_ESP
-#define IPPROTO_ESP 50
-#endif /* IPPROTO_ESP */
-
-#define ESP_HEADER_LEN         8       /* 64 bits header (spi+rpl)*/
-
-#define EMT_ESPDESCBC_ULEN     20      /* coming from user mode */
-#define EMT_ESPDES_KMAX                64      /* 512 bit secret key enough? */
-#define EMT_ESPDES_KEY_SZ      8       /* 56 bit secret key with parity = 64 bits */
-#define EMT_ESP3DES_KEY_SZ     24      /* 168 bit secret key with parity = 192 bits */
-#define EMT_ESPDES_IV_SZ       8       /* IV size */
-#define ESP_DESCBC_BLKLEN       8       /* DES-CBC block size */
-
-#define ESP_IV_MAXSZ           16      /* This is _critical_ */
-#define ESP_IV_MAXSZ_INT       (ESP_IV_MAXSZ/sizeof(int))
-
-#define DB_ES_PKTRX    0x0001
-#define DB_ES_PKTRX2   0x0002
-#define DB_ES_IPSA     0x0010
-#define DB_ES_XF       0x0020
-#define DB_ES_IPAD     0x0040
-#define DB_ES_INAU     0x0080
-#define DB_ES_OINFO    0x0100
-#define DB_ES_OINFO2   0x0200
-#define DB_ES_OH       0x0400
-#define DB_ES_REPLAY   0x0800
-
-#ifdef __KERNEL__
-struct des_eks {
-       des_key_schedule ks;
-};
-
-extern struct inet_protocol esp_protocol;
-
-struct options;
-
-extern int
-esp_rcv(struct sk_buff *skb,
-       struct device *dev,
-       struct options *opt, 
-       __u32 daddr,
-       unsigned short len,
-       __u32 saddr,
-       int redo,
-       struct inet_protocol *protocol);
-
-/* Only for 64 bits IVs, eg. ESP_3DES :P */
-struct esphdr
-{
-       __u32   esp_spi;                /* Security Parameters Index */
-        __u32   esp_rpl;                /* Replay counter */
-       __u8    esp_iv[8];              /* iv */
-};
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_esp;
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* __KERNEL__ */
diff --git a/src/libfreeswan/ipsec_ipe4.h b/src/libfreeswan/ipsec_ipe4.h
deleted file mode 100644 (file)
index 698bf55..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * IP-in-IP Header declarations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-/* The packet header is an IP header! */
-
-struct ipe4_xdata                      /* transform table data */
-{
-       struct in_addr  i4_src;
-       struct in_addr  i4_dst;
-};
-
-#define EMT_IPE4_ULEN  8       /* coming from user mode */
diff --git a/src/libfreeswan/ipsec_kversion.h b/src/libfreeswan/ipsec_kversion.h
deleted file mode 100644 (file)
index a7741b8..0000000
+++ /dev/null
@@ -1,191 +0,0 @@
-#ifndef _FREESWAN_KVERSIONS_H
-/*
- * header file for FreeS/WAN library functions
- * Copyright (C) 1998, 1999, 2000  Henry Spencer.
- * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs
- * 
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- *
- * RCSID $Id$
- */
-#define        _FREESWAN_KVERSIONS_H   /* seen it, no need to see it again */
-
-/*
- * this file contains a series of atomic defines that depend upon
- * kernel version numbers. The kernel versions are arranged
- * in version-order number (which is often not chronological)
- * and each clause enables or disables a feature.
- */
-
-/*
- * First, assorted kernel-version-dependent trickery.
- */
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,0)
-#define HEADER_CACHE_BIND_21
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
-#define SPINLOCK
-#define PROC_FS_21
-#define NETLINK_SOCK
-#define NET_21
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,19)
-#define net_device_stats enet_statistics
-#endif                                                                         
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
-#define SPINLOCK_23
-#define NETDEV_23
-#  ifndef CONFIG_IP_ALIAS
-#  define CONFIG_IP_ALIAS
-#  endif
-#include <linux/socket.h>
-#include <linux/skbuff.h>
-#include <linux/netlink.h>
-#  ifdef NETLINK_XFRM
-#  define NETDEV_25
-#  endif
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,25)
-#define PROC_FS_2325
-#undef  PROC_FS_21
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,30)
-#define PROC_NO_DUMMY
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,35)
-#define SKB_COPY_EXPAND
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,37)
-#define IP_SELECT_IDENT
-#endif
-
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,50)) && defined(CONFIG_NETFILTER)
-#define SKB_RESET_NFCT
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,2)
-#define IP_SELECT_IDENT_NEW
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4)
-#define IPH_is_SKB_PULLED
-#define SKB_COW_NEW
-#define PROTO_HANDLER_SINGLE_PARM
-#define IP_FRAGMENT_LINEARIZE 1
-#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
-#  ifdef REDHAT_BOGOSITY
-#  define IP_SELECT_IDENT_NEW
-#  define IPH_is_SKB_PULLED
-#  define SKB_COW_NEW
-#  define PROTO_HANDLER_SINGLE_PARM
-#  endif /* REDHAT_BOGOSITY */
-#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
-#define MALLOC_SLAB
-#define LINUX_KERNEL_HAS_SNPRINTF
-#endif                                                                         
-
-#ifdef NET_21
-#  include <linux/in6.h>
-#else
-     /* old kernel in.h has some IPv6 stuff, but not quite enough */
-#  define      s6_addr16       s6_addr
-#  define      AF_INET6        10
-#  define uint8_t __u8
-#  define uint16_t __u16 
-#  define uint32_t __u32 
-#  define uint64_t __u64 
-#endif
-
-#ifdef NET_21
-# define ipsec_kfree_skb(a) kfree_skb(a)
-#else /* NET_21 */
-# define ipsec_kfree_skb(a) kfree_skb(a, FREE_WRITE)
-#endif /* NET_21 */
-
-#ifdef NETDEV_23
-# define device net_device
-# define ipsec_dev_get dev_get_by_name
-# define __ipsec_dev_get __dev_get_by_name
-# define ipsec_dev_put(x) dev_put(x)
-# define __ipsec_dev_put(x) __dev_put(x)
-# define ipsec_dev_hold(x) dev_hold(x)
-#else /* NETDEV_23 */
-# define ipsec_dev_get dev_get
-# define __ipsec_dev_put(x) 
-# define ipsec_dev_put(x)
-# define ipsec_dev_hold(x) 
-#endif /* NETDEV_23 */
-
-#ifndef SPINLOCK
-#  include <linux/bios32.h>
-     /* simulate spin locks and read/write locks */
-     typedef struct {
-       volatile char lock;
-     } spinlock_t;
-
-     typedef struct {
-       volatile unsigned int lock;
-     } rwlock_t;                                                                     
-
-#  define spin_lock_init(x) { (x)->lock = 0;}
-#  define rw_lock_init(x) { (x)->lock = 0; }
-
-#  define spin_lock(x) { while ((x)->lock) barrier(); (x)->lock=1;}
-#  define spin_lock_irq(x) { cli(); spin_lock(x);}
-#  define spin_lock_irqsave(x,flags) { save_flags(flags); spin_lock_irq(x);}
-
-#  define spin_unlock(x) { (x)->lock=0;}
-#  define spin_unlock_irq(x) { spin_unlock(x); sti();}
-#  define spin_unlock_irqrestore(x,flags) { spin_unlock(x); restore_flags(flags);}
-
-#  define read_lock(x) spin_lock(x)
-#  define read_lock_irq(x) spin_lock_irq(x)
-#  define read_lock_irqsave(x,flags) spin_lock_irqsave(x,flags)
-
-#  define read_unlock(x) spin_unlock(x)
-#  define read_unlock_irq(x) spin_unlock_irq(x)
-#  define read_unlock_irqrestore(x,flags) spin_unlock_irqrestore(x,flags)
-
-#  define write_lock(x) spin_lock(x)
-#  define write_lock_irq(x) spin_lock_irq(x)
-#  define write_lock_irqsave(x,flags) spin_lock_irqsave(x,flags)
-
-#  define write_unlock(x) spin_unlock(x)
-#  define write_unlock_irq(x) spin_unlock_irq(x)
-#  define write_unlock_irqrestore(x,flags) spin_unlock_irqrestore(x,flags)
-#endif /* !SPINLOCK */
-
-#ifndef SPINLOCK_23
-#  define spin_lock_bh(x)  spin_lock_irq(x)
-#  define spin_unlock_bh(x)  spin_unlock_irq(x)
-
-#  define read_lock_bh(x)  read_lock_irq(x)
-#  define read_unlock_bh(x)  read_unlock_irq(x)
-
-#  define write_lock_bh(x)  write_lock_irq(x)
-#  define write_unlock_bh(x)  write_unlock_irq(x)
-#endif /* !SPINLOCK_23 */
-
-#endif /* _FREESWAN_KVERSIONS_H */
diff --git a/src/libfreeswan/ipsec_life.h b/src/libfreeswan/ipsec_life.h
deleted file mode 100644 (file)
index 817d273..0000000
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Definitions relevant to IPSEC lifetimes
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- * This file derived from ipsec_xform.h on 2001/9/18 by mcr.
- *
- */
-
-/* 
- * This file describes the book keeping fields for the 
- *   IPsec Security Association Structure. ("ipsec_sa")
- *
- * This structure is never allocated directly by kernel code,
- * (it is always a static/auto or is part of a structure)
- * so it does not have a reference count.
- *
- */
-
-#ifndef _IPSEC_LIFE_H_
-
-/*
- *  _count is total count.
- *  _hard is hard limit (kill SA after this number)
- *  _soft is soft limit (try to renew SA after this number)
- *  _last is used in some special cases.
- *
- */
-
-struct ipsec_lifetime64
-{
-       __u64           ipl_count;
-       __u64           ipl_soft;
-       __u64           ipl_hard;
-       __u64           ipl_last;  
-};
-
-struct ipsec_lifetimes
-{
-       /* number of bytes processed */
-       struct ipsec_lifetime64 ipl_bytes;
-
-       /* number of packets processed */
-       struct ipsec_lifetime64 ipl_packets;
-
-       /* time since SA was added */
-       struct ipsec_lifetime64 ipl_addtime;
-
-       /* time since SA was first used */
-       struct ipsec_lifetime64 ipl_usetime;
-
-       /* from rfc2367:  
-         *         For CURRENT, the number of different connections,
-         *         endpoints, or flows that the association has been
-         *          allocated towards. For HARD and SOFT, the number of
-         *          these the association may be allocated towards
-         *          before it expires. The concept of a connection,
-         *          flow, or endpoint is system specific.
-        *
-        * mcr(2001-9-18) it is unclear what purpose these serve for FreeSWAN.
-        *          They are maintained for PF_KEY compatibility. 
-        */
-       struct ipsec_lifetime64 ipl_allocations;
-};
-
-enum ipsec_life_alive {
-       ipsec_life_harddied = -1,
-       ipsec_life_softdied = 0,
-       ipsec_life_okay     = 1
-};
-
-enum ipsec_life_type {
-       ipsec_life_timebased = 1,
-       ipsec_life_countbased= 0
-};
-
-#define _IPSEC_LIFE_H_
-#endif /* _IPSEC_LIFE_H_ */
diff --git a/src/libfreeswan/ipsec_md5h.h b/src/libfreeswan/ipsec_md5h.h
deleted file mode 100644 (file)
index 0bc73b6..0000000
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * RCSID $Id$
- */
-
-/*
- * The rest of this file is Copyright RSA DSI. See the following comments
- * for the full Copyright notice.
- */
-
-#ifndef _IPSEC_MD5H_H_
-#define _IPSEC_MD5H_H_
-
-/* GLOBAL.H - RSAREF types and constants
- */
-
-/* PROTOTYPES should be set to one if and only if the compiler supports
-     function argument prototyping.
-   The following makes PROTOTYPES default to 0 if it has not already
-     been defined with C compiler flags.
- */
-#ifndef PROTOTYPES
-#define PROTOTYPES 1
-#endif /* !PROTOTYPES */
-
-/* POINTER defines a generic pointer type */
-typedef __u8 *POINTER;
-
-/* UINT2 defines a two byte word */
-typedef __u16 UINT2;
-
-/* UINT4 defines a four byte word */
-typedef __u32 UINT4;
-
-/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
-   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
-     returns an empty list.
- */
-
-#if PROTOTYPES
-#define PROTO_LIST(list) list
-#else /* PROTOTYPES */
-#define PROTO_LIST(list) ()
-#endif /* PROTOTYPES */
-
-
-/* MD5.H - header file for MD5C.C
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-rights reserved.
-
-License to copy and use this software is granted provided that it
-is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-Algorithm" in all material mentioning or referencing this software
-or this function.
-
-License is also granted to make and use derivative works provided
-that such works are identified as "derived from the RSA Data
-Security, Inc. MD5 Message-Digest Algorithm" in all material
-mentioning or referencing the derived work.
-
-RSA Data Security, Inc. makes no representations concerning either
-the merchantability of this software or the suitability of this
-software for any particular purpose. It is provided "as is"
-without express or implied warranty of any kind.
-
-These notices must be retained in any copies of any part of this
-documentation and/or software.
- */
-
-/* MD5 context. */
-typedef struct {
-  UINT4 state[4];                                   /* state (ABCD) */
-  UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
-  unsigned char buffer[64];                         /* input buffer */
-} MD5_CTX;
-
-void MD5Init PROTO_LIST ((void *));
-void MD5Update PROTO_LIST
-  ((void *, unsigned char *, __u32));
-void MD5Final PROTO_LIST ((unsigned char [16], void *));
-#endif /* _IPSEC_MD5H_H_ */
index 63309ca34352755e2b3d13102c4469bbfcc392cd..98ba48cadbfa4d59e3c53b8f9cc10facac87fc89 100644 (file)
 
 #ifndef _IPSEC_PARAM_H_
 
-#ifdef __KERNEL__
-#include "ipsec_kversion.h"
-
-/* Set number of ipsecX virtual devices here. */
-/* This must be < exp(field width of IPSEC_DEV_FORMAT) */
-/* It must also be reasonable so as not to overload the memory and CPU */
-/* constraints of the host. */
-#define IPSEC_NUM_IF   4
-/* The field width must be < IF_NAM_SIZ - strlen("ipsec") - 1. */
-/* With "ipsec" being 5 characters, that means 10 is the max field width */
-/* but machine memory and CPU constraints are not likely to tollerate */
-/* more than 3 digits.  The default is one digit. */
-/* Update: userland scripts get upset if they can't find "ipsec0", so */
-/* for now, no "0"-padding should be used (which would have been helpful */
-/* to make text-searches work */
-#define IPSEC_DEV_FORMAT "ipsec%d"
-/* For, say, 500 virtual ipsec devices, I would recommend: */
-/* #define IPSEC_NUM_IF        500 */
-/* #define IPSEC_DEV_FORMAT "ipsec%03d" */
-/* Note that the "interfaces=" line in /etc/ipsec.conf would be, um, challenging. */
-
-/* use dynamic ipsecX device allocation */
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif /* CONFIG_IPSEC_DYNDEV */
-
-
-#ifdef CONFIG_IPSEC_BIGGATE
-# define SADB_HASHMOD   8069
-#else /* CONFIG_IPSEC_BIGGATE */
-# define SADB_HASHMOD  257
-#endif /* CONFIG_IPSEC_BIGGATE */
-#endif /* __KERNEL__ */
-
 /*
  * This is for the SA reference table. This number is related to the
  * maximum number of SAs that KLIPS can concurrently deal with, plus enough
 # define IPSEC_SA_REF_CODE 1 
 #endif
 
-#ifdef __KERNEL__
-/* This is defined for 2.4, but not 2.2.... */
-#ifndef ARPHRD_VOID
-# define ARPHRD_VOID 0xFFFF
-#endif
-
-/*
- * Worry about PROC_FS stuff
- */
-#if defined(PROC_FS_2325)
-/* kernel 2.4 */
-# define IPSEC_PROC_LAST_ARG ,int *eof,void *data
-# define IPSEC_PROCFS_DEBUG_NO_STATIC
-# define IPSEC_PROC_SUBDIRS
-#else
-/* kernel <2.4 */
-# define IPSEC_PROCFS_DEBUG_NO_STATIC DEBUG_NO_STATIC
-
-# ifndef PROC_NO_DUMMY
-#  define IPSEC_PROC_LAST_ARG , int dummy
-# else
-#  define IPSEC_PROC_LAST_ARG
-# endif /* !PROC_NO_DUMMY */
-#endif /* PROC_FS_2325 */
-
-#if !defined(LINUX_KERNEL_HAS_SNPRINTF)
-/* GNU CPP specific! */
-# define snprintf(buf, len, fmt...) sprintf(buf, ##fmt)
-#endif /* !LINUX_KERNEL_HAS_SNPRINTF */
-
-#ifdef SPINLOCK
-# ifdef SPINLOCK_23
-#  include <linux/spinlock.h> /* *lock* */
-# else /* SPINLOCK_23 */
-#  include <asm/spinlock.h> /* *lock* */
-# endif /* SPINLOCK_23 */
-#endif /* SPINLOCK */
-
-#ifndef KLIPS_FIXES_DES_PARITY
-# define KLIPS_FIXES_DES_PARITY 1
-#endif /* !KLIPS_FIXES_DES_PARITY */
-
-/* we don't really want to print these unless there are really big problems */
-#ifndef KLIPS_DIVULGE_CYPHER_KEY
-# define KLIPS_DIVULGE_CYPHER_KEY 0
-#endif /* !KLIPS_DIVULGE_CYPHER_KEY */
-
-#ifndef KLIPS_DIVULGE_HMAC_KEY
-# define KLIPS_DIVULGE_HMAC_KEY 0
-#endif /* !KLIPS_DIVULGE_HMAC_KEY */
-
-#ifndef IPSEC_DISALLOW_IPOPTIONS
-# define IPSEC_DISALLOW_IPOPTIONS 1
-#endif /* !KLIPS_DIVULGE_HMAC_KEY */
-
-/* extra toggles for regression testing */
-#ifdef CONFIG_IPSEC_REGRESS
-
-/* 
- * should pfkey_acquire() become 100% lossy?
- *
- */
-extern int sysctl_ipsec_regress_pfkey_lossage;
-#ifndef KLIPS_PFKEY_ACQUIRE_LOSSAGE
-# ifdef CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE
-#  define KLIPS_PFKEY_ACQUIRE_LOSSAGE 100
-# else /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */
-/* not by default! */
-#  define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0
-# endif /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */
-#endif /* KLIPS_PFKEY_ACQUIRE_LOSSAGE */
-
-#endif /* CONFIG_IPSEC_REGRESS */
-
-/*
- * debugging routines.
- */
-#ifdef CONFIG_IPSEC_DEBUG
-extern void ipsec_print_ip(struct iphdr *ip);
-
-       #define KLIPS_PRINT(flag, format, args...) \
-               ((flag) ? printk(KERN_INFO format , ## args) : 0)
-       #define KLIPS_PRINTMORE(flag, format, args...) \
-               ((flag) ? printk(format , ## args) : 0)
-       #define KLIPS_IP_PRINT(flag, ip) \
-               ((flag) ? ipsec_print_ip(ip) : 0)
-#else /* CONFIG_IPSEC_DEBUG */
-       #define KLIPS_PRINT(flag, format, args...) do ; while(0)
-       #define KLIPS_PRINTMORE(flag, format, args...) do ; while(0)
-       #define KLIPS_IP_PRINT(flag, ip) do ; while(0)
-#endif /* CONFIG_IPSEC_DEBUG */
-
-
-/* 
- * Stupid kernel API differences in APIs. Not only do some
- * kernels not have ip_select_ident, but some have differing APIs,
- * and SuSE has one with one parameter, but no way of checking to
- * see what is really what.
- */
-
-#ifdef SUSE_LINUX_2_4_19_IS_STUPID
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph)
-#else
-
-/* simplest case, nothing */
-#if !defined(IP_SELECT_IDENT)
-#define KLIPS_IP_SELECT_IDENT(iph, skb)  do { iph->id = htons(ip_id_count++); } while(0)
-#endif
-
-/* kernels > 2.3.37-ish */
-#if defined(IP_SELECT_IDENT) && !defined(IP_SELECT_IDENT_NEW)
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst)
-#endif
-
-/* kernels > 2.4.2 */
-#if defined(IP_SELECT_IDENT) && defined(IP_SELECT_IDENT_NEW)
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst, NULL)
-#endif
-
-#endif /* SUSE_LINUX_2_4_19_IS_STUPID */
-
-/*
- * make klips fail test:east-espiv-01.
- * exploit is at testing/attacks/espiv
- *
- */
-#define KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK 0
-
-
-/* IP_FRAGMENT_LINEARIZE is set in freeswan.h if Kernel > 2.4.4 */
-#ifndef IP_FRAGMENT_LINEARIZE
-# define IP_FRAGMENT_LINEARIZE 0
-#endif /* IP_FRAGMENT_LINEARIZE */
-#endif /* __KERNEL__ */
-
 #define _IPSEC_PARAM_H_
 #endif /* _IPSEC_PARAM_H_ */
diff --git a/src/libfreeswan/ipsec_proto.h b/src/libfreeswan/ipsec_proto.h
deleted file mode 100644 (file)
index 8c7495e..0000000
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * @(#) prototypes for FreeSWAN functions 
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- */
-
-#ifndef _IPSEC_PROTO_H_
-
-#include "ipsec_param.h"
-
-/*
- * This file is a kernel only file that declares prototypes for
- * all intra-module function calls and global data structures.
- *
- * Include this file last.
- *
- */
-
-/* ipsec_init.c */
-extern struct prng ipsec_prng;
-
-/* ipsec_sa.c */
-extern struct ipsec_sa *ipsec_sadb_hash[SADB_HASHMOD];
-extern spinlock_t       tdb_lock;
-extern int ipsec_sadb_init(void);
-
-extern struct ipsec_sa *ipsec_sa_getbyid(struct sa_id*);
-extern int ipsec_sa_put(struct ipsec_sa *);
-extern /* void */ int ipsec_sa_del(struct ipsec_sa *);
-extern /* void */ int ipsec_sa_delchain(struct ipsec_sa *);
-extern /* void */ int ipsec_sa_add(struct ipsec_sa *);
-
-extern int ipsec_sadb_cleanup(__u8);
-extern int ipsec_sa_wipe(struct ipsec_sa *);
-
-/* debug declarations */
-
-/* ipsec_proc.c */
-extern int  ipsec_proc_init(void);
-extern void ipsec_proc_cleanup(void);
-
-/* ipsec_radij.c */
-extern int ipsec_makeroute(struct sockaddr_encap *ea,
-                          struct sockaddr_encap *em,
-                          struct sa_id said,
-                          uint32_t pid,
-                          struct sk_buff *skb,
-                          struct ident *ident_s,
-                          struct ident *ident_d);
-
-extern int ipsec_breakroute(struct sockaddr_encap *ea,
-                           struct sockaddr_encap *em,
-                           struct sk_buff **first,
-                           struct sk_buff **last);
-
-int ipsec_radijinit(void);
-int ipsec_cleareroutes(void);
-int ipsec_radijcleanup(void);
-
-/* ipsec_life.c */
-extern enum ipsec_life_alive ipsec_lifetime_check(struct ipsec_lifetime64 *il64,
-                                                 const char *lifename,
-                                                 const char *saname,
-                                                 enum ipsec_life_type ilt,
-                                                 enum ipsec_direction idir,
-                                                 struct ipsec_sa *ips);
-
-
-extern int ipsec_lifetime_format(char *buffer,
-                                int   buflen,
-                                char *lifename,
-                                enum ipsec_life_type timebaselife,
-                                struct ipsec_lifetime64 *lifetime);
-
-extern void ipsec_lifetime_update_hard(struct ipsec_lifetime64 *lifetime,
-                                      __u64 newvalue);
-
-extern void ipsec_lifetime_update_soft(struct ipsec_lifetime64 *lifetime,
-                                      __u64 newvalue);
-
-
-
-
-#ifdef CONFIG_IPSEC_DEBUG
-
-extern int debug_xform;
-extern int debug_eroute;
-extern int debug_spi;
-extern int debug_netlink;
-
-#endif /* CONFIG_IPSEC_DEBUG */
-
-
-
-
-#define _IPSEC_PROTO_H
-#endif /* _IPSEC_PROTO_H_ */
diff --git a/src/libfreeswan/ipsec_radij.h b/src/libfreeswan/ipsec_radij.h
deleted file mode 100644 (file)
index 7b45f18..0000000
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * @(#) Definitions relevant to the IPSEC <> radij tree interfacing
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#ifndef _IPSEC_RADIJ_H
-
-#include <freeswan.h>
-
-int ipsec_walk(char *);
-
-int ipsec_rj_walker_procprint(struct radij_node *, void *);
-int ipsec_rj_walker_delete(struct radij_node *, void *);
-
-/* This structure is used to pass information between
- * ipsec_eroute_get_info and ipsec_rj_walker_procprint
- * (through rj_walktree) and between calls of ipsec_rj_walker_procprint.
- */
-struct wsbuf
-{
-       /* from caller of ipsec_eroute_get_info: */
-       char *const buffer;     /* start of buffer provided */
-       const int length;       /* length of buffer provided */
-       const off_t offset;     /* file position of first character of interest */
-       /* accumulated by ipsec_rj_walker_procprint: */
-       int len;                /* number of character filled into buffer */
-       off_t begin;            /* file position contained in buffer[0] (<=offset) */
-};
-
-
-extern struct radij_node_head *rnh;
-extern spinlock_t eroute_lock;
-
-struct eroute * ipsec_findroute(struct sockaddr_encap *);
-
-#define O1(x) (int)(((x)>>24)&0xff)
-#define O2(x) (int)(((x)>>16)&0xff)
-#define O3(x) (int)(((x)>>8)&0xff)
-#define O4(x) (int)(((x))&0xff)
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_radij;
-void rj_dumptrees(void);
-
-#define DB_RJ_DUMPTREES        0x0001
-#define DB_RJ_FINDROUTE 0x0002
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#define _IPSEC_RADIJ_H
-#endif
diff --git a/src/libfreeswan/ipsec_rcv.h b/src/libfreeswan/ipsec_rcv.h
deleted file mode 100644 (file)
index c8ed8f5..0000000
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * 
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#define DB_RX_PKTRX    0x0001
-#define DB_RX_PKTRX2   0x0002
-#define DB_RX_DMP      0x0004
-#define DB_RX_IPSA     0x0010
-#define DB_RX_XF       0x0020
-#define DB_RX_IPAD     0x0040
-#define DB_RX_INAU     0x0080
-#define DB_RX_OINFO    0x0100
-#define DB_RX_OINFO2   0x0200
-#define DB_RX_OH       0x0400
-#define DB_RX_REPLAY   0x0800
-
-#ifdef __KERNEL__
-/* struct options; */
-
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/config.h>      /* for CONFIG_IP_FORWARD */
-#include <linux/version.h>
-#include <freeswan.h>
-
-#define IPSEC_BIRTH_TEMPLATE_MAXLEN 256
-
-struct ipsec_birth_reply {
-  int            packet_template_len;
-  unsigned char  packet_template[IPSEC_BIRTH_TEMPLATE_MAXLEN];
-};
-
-extern struct ipsec_birth_reply ipsec_ipv4_birth_packet;
-extern struct ipsec_birth_reply ipsec_ipv6_birth_packet;
-
-extern int
-#ifdef PROTO_HANDLER_SINGLE_PARM
-ipsec_rcv(struct sk_buff *skb);
-#else /* PROTO_HANDLER_SINGLE_PARM */
-ipsec_rcv(struct sk_buff *skb,
-#ifdef NET_21
-         unsigned short xlen);
-#else /* NET_21 */
-         struct device *dev,
-         struct options *opt, 
-         __u32 daddr,
-         unsigned short len,
-         __u32 saddr,
-         int redo,
-         struct inet_protocol *protocol);
-#endif /* NET_21 */
-#endif /* PROTO_HANDLER_SINGLE_PARM */
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_rcv;
-#endif /* CONFIG_IPSEC_DEBUG */
-extern int sysctl_ipsec_inbound_policy_check;
-#endif /* __KERNEL__ */
diff --git a/src/libfreeswan/ipsec_sa.h b/src/libfreeswan/ipsec_sa.h
deleted file mode 100644 (file)
index 7b1e5f0..0000000
+++ /dev/null
@@ -1,252 +0,0 @@
-/*
- * @(#) Definitions of IPsec Security Association (ipsec_sa)
- *
- * Copyright (C) 2001, 2002, 2003
- *                      Richard Guy Briggs  <rgb@freeswan.org>
- *                  and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- * This file derived from ipsec_xform.h on 2001/9/18 by mcr.
- *
- */
-
-/* 
- * This file describes the IPsec Security Association Structure.
- *
- * This structure keeps track of a single transform that may be done
- * to a set of packets. It can describe applying the transform or
- * apply the reverse. (e.g. compression vs expansion). However, it
- * only describes one at a time. To describe both, two structures would
- * be used, but since the sides of the transform are performed 
- * on different machines typically it is usual to have only one side
- * of each association.
- * 
- */
-
-#ifndef _IPSEC_SA_H_
-
-#ifdef __KERNEL__
-#include "ipsec_stats.h"
-#include "ipsec_life.h"
-#include "ipsec_eroute.h"
-#endif /* __KERNEL__ */
-#include "ipsec_param.h"
-
-
-/* SAs are held in a table.
- * Entries in this table are referenced by IPsecSAref_t values.
- * IPsecSAref_t values are conceptually subscripts.  Because
- * we want to allocate the table piece-meal, the subscripting
- * is implemented with two levels, a bit like paged virtual memory.
- * This representation mechanism is known as an Iliffe Vector.
- *
- * The Main table (AKA the refTable) consists of 2^IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
- * pointers to subtables.
- * Each subtable has 2^IPSEC_SA_REF_SUBTABLE_IDX_WIDTH entries, each of which
- * is a pointer to an SA.
- *
- * An IPsecSAref_t contains either an exceptional value (signified by the
- * high-order bit being on) or a reference to a table entry.  A table entry
- * reference has the subtable subscript in the low-order
- * IPSEC_SA_REF_SUBTABLE_IDX_WIDTH bits and the Main table subscript
- * in the next lowest IPSEC_SA_REF_MAINTABLE_IDX_WIDTH bits.
- *
- * The Maintable entry for an IPsecSAref_t x, a pointer to its subtable, is
- * IPsecSAref2table(x).  It is of type struct IPsecSArefSubTable *.
- *
- * The pointer to the SA for x is IPsecSAref2SA(x).  It is of type
- * struct ipsec_sa*.  The macro definition clearly shows the two-level
- * access needed to find the SA pointer.
- *
- * The Maintable is allocated when IPsec is initialized.
- * Each subtable is allocated when needed, but the first is allocated
- * when IPsec is initialized.
- *
- * IPsecSAref_t is designed to be smaller than an NFmark so that
- * they can be stored in NFmarks and still leave a few bits for other
- * purposes.  The spare bits are in the low order of the NFmark
- * but in the high order of the IPsecSAref_t, so conversion is required.
- * We pick the upper bits of NFmark on the theory that they are less likely to
- * interfere with more pedestrian uses of nfmark.
- */
-
-
-typedef unsigned short int IPsecRefTableUnusedCount;
-
-#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)
-
-#ifdef __KERNEL__
-#if ((IPSEC_SA_REF_TABLE_IDX_WIDTH - (1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) < 0)
-#error "IPSEC_SA_REF_TABLE_IDX_WIDTH("IPSEC_SA_REF_TABLE_IDX_WIDTH") MUST be < 1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH("IPSEC_SA_REF_MAINTABLE_IDX_WIDTH")"
-#endif
-
-#define IPSEC_SA_REF_SUBTABLE_IDX_WIDTH (IPSEC_SA_REF_TABLE_IDX_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
-
-#define IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
-#define IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
-
-#ifdef CONFIG_NETFILTER
-#define IPSEC_SA_REF_HOST_FIELD(x) ((struct sk_buff*)(x))->nfmark
-#define IPSEC_SA_REF_HOST_FIELD_TYPE typeof(IPSEC_SA_REF_HOST_FIELD(NULL))
-#else /* CONFIG_NETFILTER */
-/* just make it work for now, it doesn't matter, since there is no nfmark */
-#define IPSEC_SA_REF_HOST_FIELD_TYPE unsigned long
-#endif /* CONFIG_NETFILTER */
-#define IPSEC_SA_REF_HOST_FIELD_WIDTH (8 * sizeof(IPSEC_SA_REF_HOST_FIELD_TYPE))
-#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
-
-#define IPSEC_SA_REF_MASK        (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
-#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
-#define IPSEC_SA_REF_ENTRY_MASK  (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH))
-
-#define IPsecSAref2table(x) (((x) & IPSEC_SA_REF_TABLE_MASK) >> IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
-#define IPsecSAref2entry(x) ((x) & IPSEC_SA_REF_ENTRY_MASK)
-#define IPsecSArefBuild(x,y) (((x) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) + (y))
-
-#define IPsecSAref2SA(x) (ipsec_sadb.refTable[IPsecSAref2table(x)]->entry[IPsecSAref2entry(x)])
-#define IPsecSA2SAref(x) ((x)->ips_ref)
-
-#define EMT_INBOUND    0x01    /* SA direction, 1=inbound */
-
-/* 'struct ipsec_sa' should be 64bit aligned when allocated. */
-struct ipsec_sa                                
-{
-       IPsecSAref_t    ips_ref;                /* reference table entry number */
-       atomic_t        ips_refcount;           /* reference count for this struct */
-       struct ipsec_sa *ips_hnext;             /* next in hash chain */
-       struct ipsec_sa *ips_inext;             /* pointer to next xform */
-       struct ipsec_sa *ips_onext;             /* pointer to prev xform */
-
-       struct ifnet    *ips_rcvif;             /* related rcv encap interface */
-
-       struct sa_id    ips_said;               /* SA ID */
-
-       __u32           ips_seq;                /* seq num of msg that initiated this SA */
-       __u32           ips_pid;                /* PID of process that initiated this SA */
-       __u8            ips_authalg;            /* auth algorithm for this SA */
-       __u8            ips_encalg;             /* enc algorithm for this SA */
-
-       struct ipsec_stats ips_errs;
-
-       __u8            ips_replaywin;          /* replay window size */
-       __u8            ips_state;              /* state of SA */
-       __u32           ips_replaywin_lastseq;  /* last pkt sequence num */
-       __u64           ips_replaywin_bitmap;   /* bitmap of received pkts */
-       __u32           ips_replaywin_maxdiff;  /* max pkt sequence difference */
-
-       __u32           ips_flags;              /* generic xform flags */
-
-
-       struct ipsec_lifetimes ips_life;        /* lifetime records */
-
-       /* selector information */
-       struct sockaddr*ips_addr_s;             /* src sockaddr */
-       struct sockaddr*ips_addr_d;             /* dst sockaddr */
-       struct sockaddr*ips_addr_p;             /* proxy sockaddr */
-       __u16           ips_addr_s_size;
-       __u16           ips_addr_d_size;
-       __u16           ips_addr_p_size;
-       ip_address      ips_flow_s;
-       ip_address      ips_flow_d;
-       ip_address      ips_mask_s;
-       ip_address      ips_mask_d;
-
-       __u16           ips_key_bits_a;         /* size of authkey in bits */
-       __u16           ips_auth_bits;          /* size of authenticator in bits */
-       __u16           ips_key_bits_e;         /* size of enckey in bits */
-       __u16           ips_iv_bits;            /* size of IV in bits */
-       __u8            ips_iv_size;
-       __u16           ips_key_a_size;
-       __u16           ips_key_e_size;
-
-       caddr_t         ips_key_a;              /* authentication key */
-       caddr_t         ips_key_e;              /* encryption key */
-       caddr_t         ips_iv;                 /* Initialisation Vector */
-
-       struct ident    ips_ident_s;            /* identity src */
-       struct ident    ips_ident_d;            /* identity dst */
-
-#ifdef CONFIG_IPSEC_IPCOMP
-       __u16           ips_comp_adapt_tries;   /* ipcomp self-adaption tries */
-       __u16           ips_comp_adapt_skip;    /* ipcomp self-adaption to-skip */
-       __u64           ips_comp_ratio_cbytes;  /* compressed bytes */
-       __u64           ips_comp_ratio_dbytes;  /* decompressed (or uncompressed) bytes */
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-       __u8            ips_natt_type;
-       __u8            ips_natt_reserved[3];
-       __u16           ips_natt_sport;
-       __u16           ips_natt_dport;
-
-       struct sockaddr *ips_natt_oa;
-       __u16           ips_natt_oa_size;
-       __u16           ips_natt_reserved2;
-#endif
-
-#if 0
-       __u32           ips_sens_dpd;
-       __u8            ips_sens_sens_level;
-       __u8            ips_sens_sens_len;
-       __u64*          ips_sens_sens_bitmap;
-       __u8            ips_sens_integ_level;
-       __u8            ips_sens_integ_len;
-       __u64*          ips_sens_integ_bitmap;
-#endif
-       struct ipsec_alg_enc *ips_alg_enc;
-       struct ipsec_alg_auth *ips_alg_auth;
-       IPsecSAref_t    ips_ref_rel;
-};
-
-struct IPsecSArefSubTable
-{
-       struct ipsec_sa* entry[IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES];
-};
-
-struct ipsec_sadb {
-       struct IPsecSArefSubTable* refTable[IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES];
-       IPsecSAref_t refFreeList[IPSEC_SA_REF_FREELIST_NUM_ENTRIES];
-       int refFreeListHead;
-       int refFreeListTail;
-       IPsecSAref_t refFreeListCont;
-       IPsecSAref_t said_hash[SADB_HASHMOD];
-       spinlock_t sadb_lock;
-};
-
-extern struct ipsec_sadb ipsec_sadb;
-
-extern int ipsec_SAref_recycle(void);
-extern int ipsec_SArefSubTable_alloc(unsigned table);
-extern int ipsec_saref_freelist_init(void);
-extern int ipsec_sadb_init(void);
-extern struct ipsec_sa *ipsec_sa_alloc(int*error); /* pass in error var by pointer */
-extern IPsecSAref_t ipsec_SAref_alloc(int*erorr); /* pass in error var by pointer */
-extern int ipsec_sa_free(struct ipsec_sa* ips);
-extern struct ipsec_sa *ipsec_sa_getbyid(struct sa_id *said);
-extern int ipsec_sa_put(struct ipsec_sa *ips);
-extern int ipsec_sa_add(struct ipsec_sa *ips);
-extern int ipsec_sa_del(struct ipsec_sa *ips);
-extern int ipsec_sa_delchain(struct ipsec_sa *ips);
-extern int ipsec_sadb_cleanup(__u8 proto);
-extern int ipsec_sadb_free(void);
-extern int ipsec_sa_wipe(struct ipsec_sa *ips);
-#endif /* __KERNEL__ */
-
-enum ipsec_direction {
-       ipsec_incoming = 1,
-       ipsec_outgoing = 2
-};
-
-#define _IPSEC_SA_H_
-#endif /* _IPSEC_SA_H_ */
diff --git a/src/libfreeswan/ipsec_sha1.h b/src/libfreeswan/ipsec_sha1.h
deleted file mode 100644 (file)
index a0fcd90..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * RCSID $Id$
- */
-
-/*
- * Here is the original comment from the distribution:
-
-SHA-1 in C
-By Steve Reid <steve@edmweb.com>
-100% Public Domain
-
- * Adapted for use by the IPSEC code by John Ioannidis
- */
-
-
-#ifndef _IPSEC_SHA1_H_
-#define _IPSEC_SHA1_H_
-
-typedef struct
-{
-       __u32   state[5];
-       __u32   count[2];
-       __u8    buffer[64];
-} SHA1_CTX;
-
-void SHA1Transform(__u32 state[5], __u8 buffer[64]);
-void SHA1Init(void *context);
-void SHA1Update(void *context, unsigned char *data, __u32 len);
-void SHA1Final(unsigned char digest[20], void *context);
-
-#endif /* _IPSEC_SHA1_H_ */
diff --git a/src/libfreeswan/ipsec_stats.h b/src/libfreeswan/ipsec_stats.h
deleted file mode 100644 (file)
index 41b3044..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * @(#) definition of ipsec_stats structure
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- */
-
-/* 
- * This file describes the errors/statistics that FreeSWAN collects.
- */
-
-#ifndef _IPSEC_STATS_H_
-
-struct ipsec_stats {
-       __u32           ips_alg_errs;          /* number of algorithm errors */
-       __u32           ips_auth_errs;         /* # of authentication errors */
-       __u32           ips_encsize_errs;      /* # of encryption size errors*/
-       __u32           ips_encpad_errs;       /* # of encryption pad  errors*/
-       __u32           ips_replaywin_errs;    /* # of pkt sequence errors */
-};
-
-extern int ipsec_snprintf(char * buf, ssize_t size, const char *fmt, ...);
-
-#define _IPSEC_STATS_H_
-#endif /* _IPSEC_STATS_H_ */
diff --git a/src/libfreeswan/ipsec_tunnel.h b/src/libfreeswan/ipsec_tunnel.h
deleted file mode 100644 (file)
index d3b688e..0000000
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * IPSEC tunneling code
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#include <linux/types.h>
-
-#ifdef NET_21
-# define DEV_QUEUE_XMIT(skb, device, pri) {\
-       skb->dev = device; \
-       neigh_compat_output(skb); \
-       /* skb->dst->output(skb); */ \
- }
-# define ICMP_SEND(skb_in, type, code, info, dev) \
-       icmp_send(skb_in, type, code, htonl(info))
-# define IP_SEND(skb, dev) \
-       ip_send(skb);
-#else /* NET_21 */
-# define DEV_QUEUE_XMIT(skb, device, pri) {\
-       dev_queue_xmit(skb, device, pri); \
- }
-# define ICMP_SEND(skb_in, type, code, info, dev) \
-       icmp_send(skb_in, type, code, info, dev)
-# define IP_SEND(skb, dev) \
-       if(ntohs(iph->tot_len) > physmtu) { \
-               ip_fragment(NULL, skb, dev, 0); \
-               ipsec_kfree_skb(skb); \
-       } else { \
-               dev_queue_xmit(skb, dev, SOPRI_NORMAL); \
-       }
-#endif /* NET_21 */
-
-
-/*
- * Heavily based on drivers/net/new_tunnel.c.  Lots
- * of ideas also taken from the 2.1.x version of drivers/net/shaper.c
- */
-
-struct ipsectunnelconf
-{
-       __u32   cf_cmd;
-       union
-       {
-               char    cfu_name[12];
-       } cf_u;
-#define cf_name cf_u.cfu_name
-};
-
-#define IPSEC_SET_DEV  (SIOCDEVPRIVATE)
-#define IPSEC_DEL_DEV  (SIOCDEVPRIVATE + 1)
-#define IPSEC_CLR_DEV  (SIOCDEVPRIVATE + 2)
-
-#ifdef __KERNEL__
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#  define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
-#endif
-struct ipsecpriv
-{
-       struct sk_buff_head sendq;
-       struct device *dev;
-       struct wait_queue *wait_queue;
-       char locked;
-       int  (*hard_start_xmit) (struct sk_buff *skb,
-               struct device *dev);
-       int  (*hard_header) (struct sk_buff *skb,
-               struct device *dev,
-               unsigned short type,
-               void *daddr,
-               void *saddr,
-               unsigned len);
-#ifdef NET_21
-       int  (*rebuild_header)(struct sk_buff *skb);
-#else /* NET_21 */
-       int  (*rebuild_header)(void *buff, struct device *dev,
-                       unsigned long raddr, struct sk_buff *skb);
-#endif /* NET_21 */
-       int  (*set_mac_address)(struct device *dev, void *addr);
-#ifndef NET_21
-       void (*header_cache_bind)(struct hh_cache **hhp, struct device *dev,
-                                unsigned short htype, __u32 daddr);
-#endif /* !NET_21 */
-       void (*header_cache_update)(struct hh_cache *hh, struct device *dev, unsigned char *  haddr);
-       struct net_device_stats *(*get_stats)(struct device *dev);
-       struct net_device_stats mystats;
-       int mtu;        /* What is the desired MTU? */
-};
-
-extern char ipsec_tunnel_c_version[];
-
-extern struct device *ipsecdevices[IPSEC_NUM_IF];
-
-int ipsec_tunnel_init_devices(void);
-
-/* void */ int ipsec_tunnel_cleanup_devices(void);
-
-extern /* void */ int ipsec_init(void);
-
-extern int ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev);
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_tunnel;
-extern int sysctl_ipsec_debug_verbose;
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* __KERNEL__ */
-
-#ifdef CONFIG_IPSEC_DEBUG
-#define DB_TN_INIT     0x0001
-#define DB_TN_PROCFS   0x0002
-#define DB_TN_XMIT     0x0010
-#define DB_TN_OHDR     0x0020
-#define DB_TN_CROUT    0x0040
-#define DB_TN_OXFS     0x0080
-#define DB_TN_REVEC    0x0100
-#endif /* CONFIG_IPSEC_DEBUG */
diff --git a/src/libfreeswan/ipsec_xform.h b/src/libfreeswan/ipsec_xform.h
deleted file mode 100644 (file)
index d06d968..0000000
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Definitions relevant to IPSEC transformations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#ifndef _IPSEC_XFORM_H_
-
-#include <freeswan.h>
-#include "ipsec_policy.h"
-
-#define XF_NONE                        0       /* No transform set */
-#define XF_IP4                 1       /* IPv4 inside IPv4 */
-#define XF_AHMD5               2       /* AH MD5 */
-#define XF_AHSHA               3       /* AH SHA */
-#define XF_ESP3DES             5       /* ESP DES3-CBC */
-#define XF_AHHMACMD5           6       /* AH-HMAC-MD5 with opt replay prot */
-#define XF_AHHMACSHA1          7       /* AH-HMAC-SHA1 with opt replay prot */
-#define XF_ESP3DESMD5          9       /* triple DES, HMAC-MD-5, 128-bits of authentication */
-#define        XF_ESP3DESMD596         10      /* triple DES, HMAC-MD-5, 96-bits of authentication */
-#define        XF_ESPNULLMD596         12      /* NULL, HMAC-MD-5 with 96-bits of authentication */
-#define        XF_ESPNULLSHA196        13      /* NULL, HMAC-SHA-1 with 96-bits of authentication */
-#define        XF_ESP3DESSHA196        14      /* triple DES, HMAC-SHA-1, 96-bits of authentication */
-#define XF_IP6                 15      /* IPv6 inside IPv6 */
-#define XF_COMPDEFLATE         16      /* IPCOMP deflate */
-
-#define XF_CLR                 126     /* Clear SA table */
-#define XF_DEL                 127     /* Delete SA */
-
-#define XFT_AUTH               0x0001
-#define XFT_CONF               0x0100
-
-/* available if CONFIG_IPSEC_DEBUG is defined */
-#define DB_XF_INIT             0x0001
-
-#define PROTO2TXT(x) \
-       (x) == IPPROTO_AH ? "AH" : \
-       (x) == IPPROTO_ESP ? "ESP" : \
-       (x) == IPPROTO_IPIP ? "IPIP" : \
-       (x) == IPPROTO_COMP ? "COMP" : \
-       "UNKNOWN_proto"
-static inline const char *enc_name_id (unsigned id) {
-       static char buf[16];
-       snprintf(buf, sizeof(buf), "_ID%d", id);
-       return buf;
-}
-static inline const char *auth_name_id (unsigned id) {
-       static char buf[16];
-       snprintf(buf, sizeof(buf), "_ID%d", id);
-       return buf;
-}
-#define IPS_XFORM_NAME(x) \
-       PROTO2TXT((x)->ips_said.proto), \
-       (x)->ips_said.proto == IPPROTO_COMP ? \
-               ((x)->ips_encalg == SADB_X_CALG_DEFLATE ? \
-                "_DEFLATE" : "_UNKNOWN_comp") : \
-       (x)->ips_encalg == ESP_NONE ? "" : \
-       (x)->ips_encalg == ESP_3DES ? "_3DES" : \
-       (x)->ips_encalg == ESP_AES ? "_AES" : \
-       (x)->ips_encalg == ESP_SERPENT ? "_SERPENT" : \
-       (x)->ips_encalg == ESP_TWOFISH ? "_TWOFISH" : \
-       enc_name_id(x->ips_encalg)/* "_UNKNOWN_encr" */, \
-       (x)->ips_authalg == AH_NONE ? "" : \
-       (x)->ips_authalg == AH_MD5 ? "_HMAC_MD5" : \
-       (x)->ips_authalg == AH_SHA ? "_HMAC_SHA1" : \
-       (x)->ips_authalg == AH_SHA2_256 ? "_HMAC_SHA2_256" : \
-       (x)->ips_authalg == AH_SHA2_384 ? "_HMAC_SHA2_384" : \
-       (x)->ips_authalg == AH_SHA2_512 ? "_HMAC_SHA2_512" : \
-       auth_name_id(x->ips_authalg) /* "_UNKNOWN_auth" */ \
-
-#define _IPSEC_XFORM_H_
-#endif /* _IPSEC_XFORM_H_ */
diff --git a/src/libfreeswan/ipsec_xmit.h b/src/libfreeswan/ipsec_xmit.h
deleted file mode 100644 (file)
index 886e84a..0000000
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * IPSEC tunneling code
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#include "freeswan/ipsec_sa.h"
-
-enum ipsec_xmit_value
-{
-       IPSEC_XMIT_STOLEN=2,
-       IPSEC_XMIT_PASS=1,
-       IPSEC_XMIT_OK=0,
-       IPSEC_XMIT_ERRMEMALLOC=-1,
-       IPSEC_XMIT_ESP_BADALG=-2,
-       IPSEC_XMIT_BADPROTO=-3,
-       IPSEC_XMIT_ESP_PUSHPULLERR=-4,
-       IPSEC_XMIT_BADLEN=-5,
-       IPSEC_XMIT_AH_BADALG=-6,
-       IPSEC_XMIT_SAIDNOTFOUND=-7,
-       IPSEC_XMIT_SAIDNOTLIVE=-8,
-       IPSEC_XMIT_REPLAYROLLED=-9,
-       IPSEC_XMIT_LIFETIMEFAILED=-10,
-       IPSEC_XMIT_CANNOTFRAG=-11,
-       IPSEC_XMIT_MSSERR=-12,
-       IPSEC_XMIT_ERRSKBALLOC=-13,
-       IPSEC_XMIT_ENCAPFAIL=-14,
-       IPSEC_XMIT_NODEV=-15,
-       IPSEC_XMIT_NOPRIVDEV=-16,
-       IPSEC_XMIT_NOPHYSDEV=-17,
-       IPSEC_XMIT_NOSKB=-18,
-       IPSEC_XMIT_NOIPV6=-19,
-       IPSEC_XMIT_NOIPOPTIONS=-20,
-       IPSEC_XMIT_TTLEXPIRED=-21,
-       IPSEC_XMIT_BADHHLEN=-22,
-       IPSEC_XMIT_PUSHPULLERR=-23,
-       IPSEC_XMIT_ROUTEERR=-24,
-       IPSEC_XMIT_RECURSDETECT=-25,
-       IPSEC_XMIT_IPSENDFAILURE=-26,
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-       IPSEC_XMIT_ESPUDP=-27,
-#endif 
-};
-
-struct ipsec_xmit_state
-{
-       struct sk_buff *skb;            /* working skb pointer */
-       struct device *dev;             /* working dev pointer */
-       struct ipsecpriv *prv;          /* Our device' private space */
-       struct sk_buff *oskb;           /* Original skb pointer */
-       struct net_device_stats *stats; /* This device's statistics */
-       struct iphdr  *iph;             /* Our new IP header */
-       __u32   newdst;                 /* The other SG's IP address */
-       __u32   orgdst;                 /* Original IP destination address */
-       __u32   orgedst;                /* 1st SG's IP address */
-       __u32   newsrc;                 /* The new source SG's IP address */
-       __u32   orgsrc;                 /* Original IP source address */
-       __u32   innersrc;               /* Innermost IP source address */
-       int     iphlen;                 /* IP header length */
-       int     pyldsz;                 /* upper protocol payload size */
-       int     headroom;
-       int     tailroom;
-       int     max_headroom;           /* The extra header space needed */
-       int     max_tailroom;           /* The extra stuffing needed */
-       int     ll_headroom;            /* The extra link layer hard_header space needed */
-       int     tot_headroom;           /* The total header space needed */
-       int     tot_tailroom;           /* The totalstuffing needed */
-       __u8    *saved_header;          /* saved copy of the hard header */
-       unsigned short   sport, dport;
-
-       struct sockaddr_encap matcher;  /* eroute search key */
-       struct eroute *eroute;
-       struct ipsec_sa *ipsp, *ipsq;   /* ipsec_sa pointers */
-       char sa_txt[SATOA_BUF];
-       size_t sa_len;
-       int hard_header_stripped;       /* has the hard header been removed yet? */
-       int hard_header_len;
-       struct device *physdev;
-/*     struct device *virtdev; */
-       short physmtu;
-       short mtudiff;
-#ifdef NET_21
-       struct rtable *route;
-#endif /* NET_21 */
-       struct sa_id outgoing_said;
-#ifdef NET_21
-       int pass;
-#endif /* NET_21 */
-       int error;
-       uint32_t eroute_pid;
-       struct ipsec_sa ips;
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL      
-       uint8_t natt_type;
-       uint8_t natt_head;
-       uint16_t natt_sport;
-       uint16_t natt_dport;
-#endif         
-};
-
-#if 0 /* save for alg refactorisation */
-struct xform_functions
-{
-       enum ipsec_xmit_value (*checks)(struct ipsec_xmit_state *ixs,
-                                      struct sk_buff *skb);
-        enum ipsec_xmit_value (*encrypt)(struct ipsec_xmit_state *ixs);
-
-       enum ipsec_xmit_value (*setup_auth)(struct ipsec_xmit_state *ixs,
-                                          struct sk_buff *skb,
-                                          __u32          *replay,
-                                          unsigned char **authenticator);
-       enum ipsec_xmit_value (*calc_auth)(struct ipsec_xmit_state *ixs,
-                                       struct sk_buff *skb);
-};
-#endif
-
-enum ipsec_xmit_value
-ipsec_xmit_sanity_check_dev(struct ipsec_xmit_state *ixs);
-
-enum ipsec_xmit_value
-ipsec_xmit_sanity_check_skb(struct ipsec_xmit_state *ixs);
-
-enum ipsec_xmit_value
-ipsec_xmit_encap_bundle(struct ipsec_xmit_state *ixs);
-
-extern int ipsec_xmit_trap_count;
-extern int ipsec_xmit_trap_sendcount;
-
-extern void ipsec_extract_ports(struct iphdr * iph, struct sockaddr_encap * er);
index 25c4f93ddd6c965afb66496e16ab42535ef5bcf3..b3793b093a9b7a6c2d06c9f991a2bc1d1ecafc3f 100644 (file)
 
 #ifndef __NET_IPSEC_PF_KEY_H
 #define __NET_IPSEC_PF_KEY_H
-#ifdef __KERNEL__
-extern struct proto_ops pfkey_proto_ops;
-typedef struct sock pfkey_sock;
-extern int debug_pfkey;
-
-extern /* void */ int pfkey_init(void);
-extern /* void */ int pfkey_cleanup(void);
-
-extern struct sock *pfkey_sock_list;
-struct socket_list
-{
-       struct socket *socketp;
-       struct socket_list *next;
-};
-extern int pfkey_list_insert_socket(struct socket*, struct socket_list**);
-extern int pfkey_list_remove_socket(struct socket*, struct socket_list**);
-extern struct socket_list *pfkey_open_sockets;
-extern struct socket_list *pfkey_registered_sockets[SADB_SATYPE_MAX+1];
-
-/* 
- *     There is a field-by-field copy in klips/net/ipsec/ipsec_alg.h
- *     please keep in sync until we migrate all support stuff
- *     to ipsec_alg objects
- */
-struct supported
-{
-       uint16_t supported_alg_exttype;
-       uint8_t supported_alg_id;
-       uint8_t supported_alg_ivlen;
-       uint16_t supported_alg_minbits;
-       uint16_t supported_alg_maxbits;
-};
-extern struct supported_list *pfkey_supported_list[SADB_SATYPE_MAX+1];
-struct supported_list
-{
-       struct supported *supportedp;
-       struct supported_list *next;
-};
-extern int pfkey_list_insert_supported(struct supported*, struct supported_list**);
-extern int pfkey_list_remove_supported(struct supported*, struct supported_list**);
-
-struct sockaddr_key
-{
-       uint16_t        key_family;     /* PF_KEY */
-       uint16_t        key_pad;        /* not used */
-       uint32_t        key_pid;        /* process ID */
-};
-
-struct pfkey_extracted_data
-{
-       struct ipsec_sa* ips;
-       struct ipsec_sa* ips2;
-       struct eroute *eroute;
-};
-
-extern int
-pfkey_alloc_eroute(struct eroute** eroute);
-
-extern int
-pfkey_sa_process(struct sadb_ext *pfkey_ext,
-                struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_lifetime_process(struct sadb_ext *pfkey_ext,
-                      struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_address_process(struct sadb_ext *pfkey_ext,
-                     struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_key_process(struct sadb_ext *pfkey_ext,
-                 struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_ident_process(struct sadb_ext *pfkey_ext,
-                   struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_sens_process(struct sadb_ext *pfkey_ext,
-                  struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_prop_process(struct sadb_ext *pfkey_ext,
-                  struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_supported_process(struct sadb_ext *pfkey_ext,
-                       struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_spirange_process(struct sadb_ext *pfkey_ext,
-                      struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_x_kmprivate_process(struct sadb_ext *pfkey_ext,
-                         struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_x_satype_process(struct sadb_ext *pfkey_ext,
-                      struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_x_debug_process(struct sadb_ext *pfkey_ext,
-                     struct pfkey_extracted_data* extr);
-
-extern int pfkey_register_reply(int satype, struct sadb_msg *);
-extern int pfkey_upmsg(struct socket *, struct sadb_msg *);
-extern int pfkey_expire(struct ipsec_sa *, int);
-extern int pfkey_acquire(struct ipsec_sa *);
-#else /* ! __KERNEL__ */
 
 extern void (*pfkey_debug_func)(const char *message, ...);
 
-#endif /* __KERNEL__ */
-
 extern uint8_t satype2proto(uint8_t satype);
 extern uint8_t proto2satype(uint8_t proto);
 extern char* satype2name(uint8_t satype);
@@ -242,12 +129,6 @@ pfkey_ident_build(struct sadb_ext**        pfkey_ext,
                  uint8_t               ident_len,
                  char*                 ident_string);
 
-#ifdef __KERNEL__
-extern int pfkey_nat_t_new_mapping(struct ipsec_sa *, struct sockaddr *, __u16);
-extern int pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr);
-extern int pfkey_x_nat_t_port_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr);
-#endif /* __KERNEL__ */
-
 int
 pfkey_x_nat_t_type_build(struct sadb_ext**  pfkey_ext,
             uint8_t         type);
index 312edbcf56ac43f049e0034c866bd6a78ee66fbc..12ef26fd2f350595a654efb17e3c2831fdd93376 100644 (file)
 
 char pfkey_v2_build_c_version[] = "$Id$";
 
-/*
- * Some ugly stuff to allow consistent debugging code for use in the
- * kernel and in user space
-*/
-
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-# include "freeswan/ipsec_kversion.h" /* for malloc switch */
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-# include <linux/ip.h>          /* struct iphdr */ 
-# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-#  include <linux/ipv6.h>        /* struct ipv6hdr */
-# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
-
-# define MALLOC(size) kmalloc(size, GFP_ATOMIC)
-# define FREE(obj) kfree(obj)
-# include <freeswan.h>
-#else /* __KERNEL__ */
-
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
-# include <malloc.h>
+# include <sys/socket.h>
+# include <stdlib.h>
+# include <errno.h>
 # include <string.h> /* memset */
 
 # include <freeswan.h>
@@ -63,8 +32,6 @@ unsigned int pfkey_lib_debug = 0;
 
 void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
 
-/* #define PLUTO */
-
 #define DEBUGGING(args...)  if(pfkey_lib_debug) { \
                               if(pfkey_debug_func != NULL) { \
                                 (*pfkey_debug_func)("pfkey_lib_debug:" args); \
@@ -73,22 +40,10 @@ void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
                               } }
 # define MALLOC(size) malloc(size)
 # define FREE(obj) free(obj)
-#endif /* __KERNEL__ */
 
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
-#ifdef __KERNEL__
-
-#include "freeswan/radij.h"  /* rd_nodes */
-#include "freeswan/ipsec_encap.h"  /* sockaddr_encap */
-
-# define DEBUGGING(args...) \
-         KLIPS_PRINT(debug_pfkey, "klips_debug:" args)
-#endif /* __KERNEL__ */
-
-#include "ipsec_sa.h"  /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
-
 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
 
 void
@@ -483,14 +438,14 @@ pfkey_address_build(struct sadb_ext**     pfkey_ext,
                        "found address family AF_INET6.\n");
                saddr_len = sizeof(struct sockaddr_in6);
                sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x-%x"
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[0])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[1])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[2])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[3])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[4])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[5])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[6])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[7])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[0])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[1])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[2])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[3])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[4])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[5])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[6])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[7])
                        , ntohs(((struct sockaddr_in6*)address)->sin6_port));
                break;
        default:
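Review bot: Replacing `s6_addr16[i]` with `s6_addr[i]` in pfkey_address_build changes what gets printed rather than just the portability: `s6_addr` is the 16-byte form of the address, so indices 0–7 cover only the first 64 bits, and `ntohs()` applied to a single byte moves it into the high half of the 16-bit value on little-endian hosts, so the text written to ipaddr_txt no longer corresponds to the address. The same substitution appears in pfkey_address_parse in pfkey_v2_parse.c and has the same effect there. Assembling each 16-bit group from two bytes keeps the output correct without depending on the non-portable `s6_addr16` member, as sketched below. pfkey_address_build continues outside the hunk and the declaration of ipaddr_txt is not visible here, so the unbounded `sprintf` is left as is; `snprintf` with the buffer size would be preferable if ipaddr_txt is an array.
```c
		saddr_len = sizeof(struct sockaddr_in6);
		{
			const unsigned char *a6 = ((struct sockaddr_in6*)address)->sin6_addr.s6_addr;
			sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x-%x"
				, (a6[0] << 8) | a6[1]
				, (a6[2] << 8) | a6[3]
				, (a6[4] << 8) | a6[5]
				, (a6[6] << 8) | a6[7]
				, (a6[8] << 8) | a6[9]
				, (a6[10] << 8) | a6[11]
				, (a6[12] << 8) | a6[13]
				, (a6[14] << 8) | a6[15]
				, ntohs(((struct sockaddr_in6*)address)->sin6_port));
		}
		break;
```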
index e50a6510e3e4241721c7fd49244b9237dec2abc4..eca568dc4b0136ead3a122b4f6c65fc049407d5e 100644 (file)
  *
  */
 
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-# include "freeswan/ipsec_kversion.h" /* for malloc switch */
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-extern int debug_pfkey;
-
-#else /* __KERNEL__ */
-
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
-
-#endif /* __KERNEL__ */
+# include <errno.h>
 
 #include "freeswan.h"
 #include "pfkeyv2.h"
index 7264ac46fab3f76be39d51f4f5626aa62204a76d..4daf0cd84f902fc4d7b2a877b8f6869a5583bf6c 100644 (file)
 
 char pfkey_v2_ext_bits_c_version[] = "$Id$";
 
-/*
- * Some ugly stuff to allow consistent debugging code for use in the
- * kernel and in user space
-*/
-
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-# include "freeswan/ipsec_kversion.h" /* for malloc switch */
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-# include <linux/ip.h>          /* struct iphdr */ 
-# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-#  include <linux/ipv6.h>
-# endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
-
-#else /* __KERNEL__ */
-
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
-#endif
+# include <errno.h>
 
 #include <freeswan.h>
 #include <pfkeyv2.h>
index 7032bd87d5a77efbfc4f9e514bf822b77af3dff6..d1bbbcd83511723965f6502d832d2ae3eadb92c7 100644 (file)
 
 char pfkey_v2_parse_c_version[] = "$Id$";
 
-/*
- * Some ugly stuff to allow consistent debugging code for use in the
- * kernel and in user space
-*/
-
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-#include "freeswan/ipsec_kversion.h" /* for malloc switch */
-
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-# include <linux/ip.h>          /* struct iphdr */ 
-# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-#  include <linux/ipv6.h>        /* struct ipv6hdr */
-# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
-extern int debug_pfkey;
-
-#include "freeswan.h"
-
-#include "ipsec_encap.h"
-
-#else /* __KERNEL__ */
-
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
+# include <sys/socket.h>
+# include <errno.h>
 
 # include <freeswan.h>
 # include <constants.h>
 # include <defs.h>  /* for PRINTF_LIKE */
 # include <log.h>  /* for debugging and DBG_log */
 
-/* #define PLUTO */
-
 # ifdef PLUTO
 #  define DEBUGGING(level, args...)  { DBG_log("pfkey_lib_debug:" args);  }
 # else
 #  define DEBUGGING(level, args...)  if(pfkey_lib_debug & level) { printf("pfkey_lib_debug:" args); } else { ; }
 # endif
 
-#endif /* __KERNEL__ */
-
-
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
-#ifdef __KERNEL__
-extern int sysctl_ipsec_debug_verbose;
-# define DEBUGGING(level, args...) \
-         KLIPS_PRINT( \
-               ((debug_pfkey & level & (PF_KEY_DEBUG_PARSE_STRUCT | PF_KEY_DEBUG_PARSE_PROBLEM)) \
-                || (sysctl_ipsec_debug_verbose && (debug_pfkey & level & PF_KEY_DEBUG_PARSE_FLOW))) \
-               , "klips_debug:" args)
-#endif /* __KERNEL__ */
-#include "ipsec_sa.h"  /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
-
 
 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
 
@@ -96,21 +47,11 @@ struct satype_tbl {
        uint8_t satype;
        char* name;
 } static satype_tbl[] = {
-#ifdef __KERNEL__
-       { IPPROTO_ESP,  SADB_SATYPE_ESP,        "ESP"  },
-       { IPPROTO_AH,   SADB_SATYPE_AH,         "AH"   },
-       { IPPROTO_IPIP, SADB_X_SATYPE_IPIP,     "IPIP" },
-#ifdef CONFIG_IPSEC_IPCOMP
-       { IPPROTO_COMP, SADB_X_SATYPE_COMP,     "COMP" },
-#endif /* CONFIG_IPSEC_IPCOMP */
-       { IPPROTO_INT,  SADB_X_SATYPE_INT,      "INT" },
-#else /* __KERNEL__ */
        { SA_ESP,       SADB_SATYPE_ESP,        "ESP"  },
        { SA_AH,        SADB_SATYPE_AH,         "AH"   },
        { SA_IPIP,      SADB_X_SATYPE_IPIP,     "IPIP" },
        { SA_COMP,      SADB_X_SATYPE_COMP,     "COMP" },
        { SA_INT,       SADB_X_SATYPE_INT,      "INT" },
-#endif /* __KERNEL__ */
        { 0,            0,                      "UNKNOWN" }
 };
 
@@ -418,14 +359,14 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
        case AF_INET6:
                saddr_len = sizeof(struct sockaddr_in6);
                sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x"
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[0])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[1])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[2])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[3])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[4])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[5])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[6])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[7]));
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[0])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[1])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[2])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[3])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[4])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[5])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[6])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[7]));
                DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
                          "pfkey_address_parse: "
                          "found exttype=%u(%s) family=%d(AF_INET6) address=%s proto=%u port=%u.\n",
index 2669ee6c4eba52e50510af8219ea908c3f00d416..6a5127c10cc838b17624a17c24511da91ff366d7 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/radij.h b/src/libfreeswan/radij.h
deleted file mode 100644 (file)
index c6a2fc0..0000000
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * RCSID $Id$
- */
-
-/*
- * This file is defived from ${SRC}/sys/net/radix.h of BSD 4.4lite
- *
- * Variable and procedure names have been modified so that they don't
- * conflict with the original BSD code, as a small number of modifications
- * have been introduced and we may want to reuse this code in BSD.
- * 
- * The `j' in `radij' is pronounced as a voiceless guttural (like a Greek
- * chi or a German ch sound (as `doch', not as in `milch'), or even a 
- * spanish j as in Juan.  It is not as far back in the throat like
- * the corresponding Hebrew sound, nor is it a soft breath like the English h.
- * It has nothing to do with the Dutch ij sound.
- * 
- * Here is the appropriate copyright notice:
- */
-
-/*
- * Copyright (c) 1988, 1989, 1993
- *     The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *     This product includes software developed by the University of
- *     California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *     @(#)radix.h     8.1 (Berkeley) 6/10/93
- */
-
-#ifndef _RADIJ_H_
-#define        _RADIJ_H_
-
-/* 
-#define RJ_DEBUG
-*/
-
-#ifdef __KERNEL__
-
-#ifndef __P
-#ifdef __STDC__
-#define __P(x)  x
-#else
-#define __P(x)  ()
-#endif
-#endif
-
-/*
- * Radix search tree node layout.
- */
-
-struct radij_node
-{
-       struct  radij_mask *rj_mklist;  /* list of masks contained in subtree */
-       struct  radij_node *rj_p;       /* parent */
-       short   rj_b;                   /* bit offset; -1-index(netmask) */
-       char    rj_bmask;               /* node: mask for bit test*/
-       u_char  rj_flags;               /* enumerated next */
-#define RJF_NORMAL     1               /* leaf contains normal route */
-#define RJF_ROOT       2               /* leaf is root leaf for tree */
-#define RJF_ACTIVE     4               /* This node is alive (for rtfree) */
-       union {
-               struct {                        /* leaf only data: */
-                       caddr_t rj_Key; /* object of search */
-                       caddr_t rj_Mask;        /* netmask, if present */
-                       struct  radij_node *rj_Dupedkey;
-               } rj_leaf;
-               struct {                        /* node only data: */
-                       int     rj_Off;         /* where to start compare */
-                       struct  radij_node *rj_L;/* progeny */
-                       struct  radij_node *rj_R;/* progeny */
-               }rj_node;
-       }               rj_u;
-#ifdef RJ_DEBUG
-       int rj_info;
-       struct radij_node *rj_twin;
-       struct radij_node *rj_ybro;
-#endif
-};
-
-#define rj_dupedkey rj_u.rj_leaf.rj_Dupedkey
-#define rj_key rj_u.rj_leaf.rj_Key
-#define rj_mask rj_u.rj_leaf.rj_Mask
-#define rj_off rj_u.rj_node.rj_Off
-#define rj_l rj_u.rj_node.rj_L
-#define rj_r rj_u.rj_node.rj_R
-
-/*
- * Annotations to tree concerning potential routes applying to subtrees.
- */
-
-extern struct radij_mask {
-       short   rm_b;                   /* bit offset; -1-index(netmask) */
-       char    rm_unused;              /* cf. rj_bmask */
-       u_char  rm_flags;               /* cf. rj_flags */
-       struct  radij_mask *rm_mklist;  /* more masks to try */
-       caddr_t rm_mask;                /* the mask */
-       int     rm_refs;                /* # of references to this struct */
-} *rj_mkfreelist;
-
-#define MKGet(m) {\
-       if (rj_mkfreelist) {\
-               m = rj_mkfreelist; \
-               rj_mkfreelist = (m)->rm_mklist; \
-       } else \
-               R_Malloc(m, struct radij_mask *, sizeof (*(m))); }\
-
-#define MKFree(m) { (m)->rm_mklist = rj_mkfreelist; rj_mkfreelist = (m);}
-
-struct radij_node_head {
-       struct  radij_node *rnh_treetop;
-       int     rnh_addrsize;           /* permit, but not require fixed keys */
-       int     rnh_pktsize;            /* permit, but not require fixed keys */
-#if 0
-       struct  radij_node *(*rnh_addaddr)      /* add based on sockaddr */
-               __P((void *v, void *mask,
-                    struct radij_node_head *head, struct radij_node nodes[]));
-#endif
-       int (*rnh_addaddr)      /* add based on sockaddr */
-               __P((void *v, void *mask,
-                    struct radij_node_head *head, struct radij_node nodes[]));
-       struct  radij_node *(*rnh_addpkt)       /* add based on packet hdr */
-               __P((void *v, void *mask,
-                    struct radij_node_head *head, struct radij_node nodes[]));
-#if 0
-       struct  radij_node *(*rnh_deladdr)      /* remove based on sockaddr */
-               __P((void *v, void *mask, struct radij_node_head *head));
-#endif
-       int (*rnh_deladdr)      /* remove based on sockaddr */
-               __P((void *v, void *mask, struct radij_node_head *head, struct radij_node **node));
-       struct  radij_node *(*rnh_delpkt)       /* remove based on packet hdr */
-               __P((void *v, void *mask, struct radij_node_head *head));
-       struct  radij_node *(*rnh_matchaddr)    /* locate based on sockaddr */
-               __P((void *v, struct radij_node_head *head));
-       struct  radij_node *(*rnh_matchpkt)     /* locate based on packet hdr */
-               __P((void *v, struct radij_node_head *head));
-       int     (*rnh_walktree)                 /* traverse tree */
-               __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w));
-       struct  radij_node rnh_nodes[3];        /* empty tree for common case */
-};
-
-
-#define Bcmp(a, b, n) memcmp(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
-#define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
-#define Bzero(p, n) memset((caddr_t)(p), 0, (unsigned)(n))
-#define R_Malloc(p, t, n) ((p = (t) kmalloc((size_t)(n), GFP_ATOMIC)), Bzero((p),(n)))
-#define Free(p) kfree((caddr_t)p);
-
-void    rj_init __P((void));
-int     rj_inithead __P((void **, int));
-int     rj_refines __P((void *, void *));
-int     rj_walktree __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w));
-struct radij_node
-        *rj_addmask __P((void *, int, int)) /* , rgb */ ;
-int /* * */ rj_addroute __P((void *, void *, struct radij_node_head *,
-                       struct radij_node [2])) /* , rgb */ ;
-int /* * */ rj_delete __P((void *, void *, struct radij_node_head *, struct radij_node **)) /* , rgb */ ;
-struct radij_node /* rgb */
-        *rj_insert __P((void *, struct radij_node_head *, int *,
-                       struct radij_node [2])),
-        *rj_match __P((void *, struct radij_node_head *)),
-        *rj_newpair __P((void *, int, struct radij_node[2])),
-        *rj_search __P((void *, struct radij_node *)),
-        *rj_search_m __P((void *, struct radij_node *, void *));
-
-void rj_deltree(struct radij_node_head *);
-void rj_delnodes(struct radij_node *);
-void rj_free_mkfreelist(void);
-int radijcleartree(void);
-int radijcleanup(void);
-
-extern struct radij_node_head *mask_rjhead;
-extern int maj_keylen;
-#endif /* __KERNEL__ */
-
-#endif /* _RADIJ_H_ */
index 6e4bcca2baa4cecd2b63f50a198647dcdc6270b3..72e8c09ebc1f95a3e391226d541c3f47c9ecae2d 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index c228f5a4c853589e19d19eaf75240c12f458bd1a..70107a2f9b6a4d783e5a80900ed7fb851096cbaf 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index c9df7bbe2e6c60298bc1063382cb380738a0780e..b8b160f6b43043eb487675e06a3ef9675d4b868a 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index 47379dcff6fd42e4925c85c8782a2865c2f9cf6a..9d8de5cf4ea85f6224994d072267c44c0c4ce722 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index 8f87f639c406cda7d380c4344586fcf79c34c978..ba6b35d26b7ef2705782f87f15fe4c9454a6abdb 100644 (file)
  * RCSID $Id$
  */
 
-#ifdef __KERNEL__
-#include <linux/netdevice.h>
-#endif
-
 #include "freeswan.h"
 
 static const char strongswan_number[] = VERSION;
index acce5702be680a90c1426b98f8cd8c021c64cd48..369ade43b682b24fbd638fe885a961c3545fd794 100644 (file)
@@ -54,7 +54,7 @@ utils/mutex.c utils/mutex.h \
 utils/backtrace.c utils/backtrace.h \
 plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
 
-libstrongswan_la_LIBADD = -lpthread -ldl
+libstrongswan_la_LIBADD = -lpthread $(DLLIB)
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
@@ -81,14 +81,14 @@ if USE_VSTR
 endif
 
 EXTRA_DIST = asn1/oid.txt asn1/oid.pl
-BUILT_SOURCES = asn1/oid.c asn1/oid.h
-MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
+BUILT_SOURCES = $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h
+MAINTAINERCLEANFILES = $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h
 
-asn1/oid.c :   asn1/oid.pl asn1/oid.txt
-               (cd `dirname $<` && $(PERL) `basename $<`)
+$(srcdir)/asn1/oid.c : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+               (cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
-asn1/oid.h :   asn1/oid.pl asn1/oid.txt
-               (cd `dirname $<` && $(PERL) `basename $<`)
+$(srcdir)/asn1/oid.h : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
+               (cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
 
 # build plugins with their own Makefile
index de8c5ea4ce27b53e14b3ad000ede42438cc02fb1..1700952711189a7d959662550def0b3cb579db84 100644 (file)
@@ -307,8 +307,8 @@ u_int asn1_length(chunk_t *blob)
  */
 time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 {
-       struct tm t;
-       time_t tc, tz_offset;
+       struct tm t, local;
+       time_t tc, tz_offset, now;
        u_char *eot = NULL;
        
        if ((eot = memchr(utctime->ptr, 'Z', utctime->len)) != NULL)
@@ -375,9 +375,16 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
        
        /* convert to time_t */
        tc = mktime(&t);
+       
+       if (tc == -1)
+       {
+               return TIME_MAX;
+       }
 
        /* if no conversion overflow occurred, compensate timezone */
-       return (tc == -1) ? TIME_MAX : (tc - timezone - tz_offset);
+       now = time(NULL);
+       localtime_r(&now, &local);
+       return tc - local.tm_gmtoff - tz_offset;
 }
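Review bot: `localtime_r(&now, &local)` two lines above the return is unchecked, so on failure `local.tm_gmtoff` is read from an uninitialised struct, and even on success it is the UTC offset in effect at the moment of the call, not at the instant `t` describes, so a time parsed while the host is on the other side of a DST switch comes out one hour off — this function feeds notBefore/notAfter and OCSP timestamps, so that shifts validity decisions at the window edges. Since `tc` was just produced by `mktime(&t)`, the offset that belongs to it is the one mktime is expected to write back into `t` on the platforms that have `tm_gmtoff`, so `return tc - t.tm_gmtoff - tz_offset;` drops both the extra `time()` call and the mismatch (this assumes `tm_isdst` is set sensibly before mktime; that part of asn1_to_time is outside the hunk). If the localtime_r round trip is kept, guard it: `if (localtime_r(&now, &local) == NULL) return TIME_MAX;`. Note also that `tm_gmtoff` is a glibc/BSD extension rather than POSIX, which is worth a one-line comment given this is the portability merge.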
 
 /**
index 027a850fde282745133eb1345d68039191bdf9d3..ed26febc9bbc4af19ec67ffb5cc561be7103739b 100644 (file)
@@ -32,6 +32,7 @@ print OID_H "/* Object identifiers (OIDs) used by strongSwan\n",
            " * ", $automatic, "\n",
            " * ", $warning, "\n",
            " */\n\n",
+           "#include <sys/types.h>\n\n",
            "#ifndef OID_H_\n",
            "#define OID_H_\n\n",
            "typedef struct {\n",
index 61a02701454a068197c4a3715646f9f2e432a86c..2375ad65c7dad0db134ca0537272892a9ba18dc7 100644 (file)
@@ -334,7 +334,7 @@ static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert)
                                identification_t *issuer;
 
                                issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-                               DBG2("  '%D'", issuer);
+                               DBG2("  '%Y'", issuer);
                                issuer->destroy(issuer);
                                break;
                        }
@@ -522,7 +522,7 @@ static bool parse_envelopedData(private_pkcs7_t *this, chunk_t serialNumber,
                                        identification_t *issuer;
 
                                        issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-                                       DBG2("  '%D'", issuer);
+                                       DBG2("  '%Y'", issuer);
                                        issuer->destroy(issuer);
                                }
                                break;
index da7b0fca7194f55dd63defef272ce336eaa9f1f0..583865a0a9b278da467f4513fc97bd3fec6b7675 100644 (file)
@@ -101,8 +101,6 @@ void library_init(char *settings)
                                         PRINTF_HOOK_ARGTYPE_END);
        pfh->add_handler(pfh, 'B', chunk_printf_hook,
                                         PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
-       pfh->add_handler(pfh, 'D', identification_printf_hook,
-                                        PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
        pfh->add_handler(pfh, 'H', host_printf_hook,
                                         PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
        pfh->add_handler(pfh, 'N', enum_printf_hook,
@@ -114,6 +112,8 @@ void library_init(char *settings)
        pfh->add_handler(pfh, 'V', time_delta_printf_hook,
                                         PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_POINTER,
                                         PRINTF_HOOK_ARGTYPE_END);
+       pfh->add_handler(pfh, 'Y', identification_printf_hook,
+                                        PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
        
        this->public.crypto = crypto_factory_create();
        this->public.creds = credential_factory_create();
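Review bot: moving the identification hook from 'D' to 'Y' leaves any format string that still says `%D` compiling without complaint: on glibc `%D` is accepted as a legacy alias for `%ld`, so a caller this commit missed now logs the identification_t pointer as a decimal number instead of the identity, and the Vstr-backed build presumably handles the stray spec differently again. Nothing in the registration records why 'D' was given up, so a comment on the new add_handler call such as `/* 'D' collides with the legacy %D (%ld) conversion of some libcs; identities use 'Y' */` plus a tree-wide search for `%D` before merging would turn a silent mis-print into a one-time cleanup. The rest of library_init is outside the hunk.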
index c5f8244a7edeaa59c069b17d49015a1234e6660e..ab52c3c970bd0cad3359263ef7a26a487c20076c 100644 (file)
@@ -311,7 +311,7 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
 /**
  * Implementation of public_key_t.get_keysize.
  */
-static bool encrypt(private_gmp_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain)
+static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain)
 {
        DBG1("RSA public key encryption not implemented");
        return FALSE;
@@ -385,7 +385,7 @@ static private_gmp_rsa_public_key_t *gmp_rsa_public_key_create_empty()
        
        this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
        this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-       this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt;
+       this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
        this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
        this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
        this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
index ae5ede28d009692735157665b68d27ff13363c26..2502216931ad10678d24b9ed6d412e8686ba5cb9 100644 (file)
@@ -178,7 +178,7 @@ static bool verify(private_openssl_ec_public_key_t *this, signature_scheme_t sch
 /**
  * Implementation of public_key_t.get_keysize.
  */
-static bool encrypt(private_openssl_ec_public_key_t *this, chunk_t crypto, chunk_t *plain)
+static bool encrypt_(private_openssl_ec_public_key_t *this, chunk_t crypto, chunk_t *plain)
 {
        DBG1("EC public key encryption not implemented");
        return FALSE;
@@ -279,7 +279,7 @@ static private_openssl_ec_public_key_t *openssl_ec_public_key_create_empty()
        
        this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
        this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-       this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt;
+       this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
        this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
        this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
        this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
index eb051b7ab867d18c80f9a52f731ded96d0ee8d49..e35d334e32075d6f7f5c5ed70deae7886058a52d 100644 (file)
@@ -147,7 +147,7 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 /**
  * Implementation of public_key_t.get_keysize.
  */
-static bool encrypt(private_openssl_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain)
+static bool encrypt_(private_openssl_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain)
 {
        DBG1("RSA public key encryption not implemented");
        return FALSE;
@@ -263,7 +263,7 @@ static private_openssl_rsa_public_key_t *openssl_rsa_public_key_create_empty()
        
        this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
        this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-       this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt;
+       this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
        this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
        this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id;
        this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding;
index b09f446b2cb43e9010871a23a199b1803d897c99..ca03f735d5f99171c930f147ab7dc3b22425d290 100644 (file)
@@ -353,7 +353,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
                if (id_type != ID_ANY)
                {
                        gn = identification_create_from_encoding(id_type, object);
-                       DBG2("  '%D'", gn);
+                       DBG2("  '%Y'", gn);
                        goto end;
                }
        }
@@ -510,9 +510,9 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
                                                                /* parsing went wrong - abort */
                                                                goto end;
                                                        }
-                                                       DBG2("  '%D'", id);
+                                                       DBG2("  '%Y'", id);
                                                        if (accessMethod == OID_OCSP &&
-                                                               asprintf(&uri, "%D", id) > 0)
+                                                               asprintf(&uri, "%Y", id) > 0)
                                                        {
                                                                this->ocsp_uris->insert_last(this->ocsp_uris, uri);
                                                        }
@@ -619,7 +619,7 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
                        {
                                char *uri;
                                
-                               if (asprintf(&uri, "%D", id) > 0)
+                               if (asprintf(&uri, "%Y", id) > 0)
                                {
                                        this->crl_uris->insert_last(this->crl_uris, uri);
                                }
@@ -714,7 +714,7 @@ static bool parse_certificate(private_x509_cert_t *this)
                                break;
                        case X509_OBJ_ISSUER:
                                this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-                               DBG2("  '%D'", this->issuer);
+                               DBG2("  '%Y'", this->issuer);
                                break;
                        case X509_OBJ_NOT_BEFORE:
                                this->notBefore = asn1_parse_time(object, level);
@@ -724,7 +724,7 @@ static bool parse_certificate(private_x509_cert_t *this)
                                break;
                        case X509_OBJ_SUBJECT:
                                this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-                               DBG2("  '%D'", this->subject);
+                               DBG2("  '%Y'", this->subject);
                                break;
                        case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO:
                                this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
index 3bb097c4d768db42c4b47412d941350f270ca72c..b6639e47672a235ebe6d7e4bb9179548eb46f867 100644 (file)
@@ -226,7 +226,7 @@ static bool parse(private_x509_crl_t *this)
                                break;
                        case CRL_OBJ_ISSUER:
                                this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
-                               DBG2("  '%D'", this->issuer);
+                               DBG2("  '%Y'", this->issuer);
                                break;
                        case CRL_OBJ_THIS_UPDATE:
                                this->thisUpdate = asn1_parse_time(object, level);
index 257ae75972f70a98b7bd8d578c83981b787e24b1..65978b8ebf065dbab0430a1f6649eee6762848b0 100644 (file)
@@ -523,12 +523,12 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
                        case BASIC_RESPONSE_ID_BY_NAME:
                                this->responderId = identification_create_from_encoding(
                                                                                                        ID_DER_ASN1_DN, object);
-                               DBG2("  '%D'", this->responderId);
+                               DBG2("  '%Y'", this->responderId);
                                break;
                        case BASIC_RESPONSE_ID_BY_KEY:
                                this->responderId = identification_create_from_encoding(
                                                                                                        ID_PUBKEY_INFO_SHA1, object);
-                               DBG2("  '%D'", this->responderId);
+                               DBG2("  '%Y'", this->responderId);
                                break;
                        case BASIC_RESPONSE_PRODUCED_AT:
                                this->producedAt = asn1_to_time(&object, ASN1_GENERALIZEDTIME);
index f46718953296b3d9f08d2ba6c906b5d8a7641e61..ab7bd77ef827c87fb0d405d91b73ee925cb843ee 100644 (file)
@@ -165,7 +165,7 @@ static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
 }
 
 /**
- * Add a custom format handler to the given Vstr_conf object 
+ * Add a custom format handler to the given Vstr_conf object
  */
 static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler)
 {
@@ -340,7 +340,7 @@ static void add_handler(private_printf_hook_t *this, char spec,
                return;
        }
        
-       handler = malloc_thing(printf_hook_handler_t); 
+       handler = malloc_thing(printf_hook_handler_t);
        handler->hook = hook;
        
        va_start(args, hook);
index a1773fd26bffc149484ced554a4d29de10831170..1906d0159bc08b71a932311a96968b58760d45aa 100644 (file)
@@ -30,10 +30,11 @@ typedef enum printf_hook_argtype_t printf_hook_argtype_t;
 
 #ifdef HAVE_PRINTF_HOOKS
 
+#include <stdio.h>
 #include <printf.h>
 
 enum printf_hook_argtype_t {
-       PRINTF_HOOK_ARGTYPE_END = PA_LAST,
+       PRINTF_HOOK_ARGTYPE_END = -1,
        PRINTF_HOOK_ARGTYPE_INT = PA_INT,
        PRINTF_HOOK_ARGTYPE_POINTER = PA_POINTER,
 };
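Review bot: `PRINTF_HOOK_ARGTYPE_END = -1` is the sentinel that terminates the argtype list passed to add_handler, and the reason for abandoning `PA_LAST` is not recorded, so a reader on glibc will wonder why the enum stopped using the printf.h constant. Apparently not every printf.h defines PA_LAST; a short comment would capture that: `/* terminates the argtype list; -1 rather than PA_LAST because not every printf.h defines it, and it cannot collide with a PA_* value */`. The negative member makes the enum's underlying type signed, which is fine as long as the consumer reads it with `va_arg(args, int)`; that loop is outside this hunk.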
index 75b02a865b6fc3dcef4d80c72bca2835daeac78e..ab717fd14d1fac3ecbc9e531f3993a1ead8fd382 100644 (file)
@@ -22,6 +22,7 @@
 #include <string.h>
 #include <stdio.h>
 #include <unistd.h>
+#include <limits.h>
 #include <dirent.h>
 #include <time.h>
 
index 48c0b5484cd3bff451f0045b4c5462d4f070bcc7..0435fb4faee93531b34901a3a35e94e22369e8db 100644 (file)
@@ -21,6 +21,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include <limits.h>
 #include <stdio.h>
 #include <dirent.h>
 #include <errno.h>
index 22fc6df2f2009ab59b93209ac0e8fab5f56f9725..6ce63f78818667f2895b049e2dc93b975087ce82 100755 (executable)
@@ -72,7 +72,7 @@ static void list(private_peer_controller_t *this, request_t *request)
                {
                        request->setf(request, "peers.%d.alias=%s", id, alias);
                        identifier = identification_create_from_encoding(ID_KEY_ID, keyid);
-                       request->setf(request, "peers.%d.identifier=%D", id, identifier);
+                       request->setf(request, "peers.%d.identifier=%Y", id, identifier);
                        identifier->destroy(identifier);
                }
                query->destroy(query);
index a6c60b56daa0e55a575e4e72c01f946cef50caca..7f295f00ff95ff8d5723c32b1f89bbbcbca31b5b 100644 (file)
@@ -92,11 +92,11 @@ pluto_LDADD = \
 $(LIBSTRONGSWANDIR)/libstrongswan.la \
 $(LIBFREESWANDIR)/libfreeswan.a \
 $(LIBCRYPTODIR)/libcrypto.a \
--lgmp -lresolv -lpthread -ldl
+-lgmp -lresolv -lpthread $(DLLIB)
 
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
--lresolv -ldl
+-lresolv $(DLLIB)
 
 dist_man_MANS = pluto.8 ipsec.secrets.5
 
index f12e6e0f2ee12ee4b1f5a6d16bd012b13cdcffbb..1596e44b1cfd77f49ad03e90c6537f4d75fbb94f 100644 (file)
@@ -38,7 +38,7 @@ $(LIBCRYPTOBUILDDIR)/libcrypto.a \
 # This compile option activates smartcard support
 if USE_SMARTCARD
   AM_CFLAGS += -DSMARTCARD
-  scepclient_LDADD += -ldl
+  scepclient_LDADD += $(DLLIB)
 endif
 
 dist_man_MANS = scepclient.8
index e9c707c2b1045b6f6712d926a7c80e52b9c4221d..57205665f736dc80539f91e9dff6e7e6fb2fd58f 100644 (file)
@@ -30,20 +30,20 @@ if USE_CHARON
   AM_CFLAGS += -DSTART_CHARON
 endif
 
-lex.yy.c:      parser.l parser.y parser.h y.tab.c
-               $(LEX) --nounput $< 
+lex.yy.c:      $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h
+               $(LEX) $(srcdir)/parser.l 
 
-y.tab.c:       parser.y parser.l parser.h
-               $(YACC) -v -d $<
+y.tab.c:       $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
+               $(YACC) -v -d $(srcdir)/parser.y
 
-y.tab.h:       parser.y parser.l parser.h
-               $(YACC) -v -d $<
+y.tab.h:       $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
+               $(YACC) -v -d $(srcdir)/parser.y
 
-keywords.c:    keywords.txt keywords.h
-               $(GPERF) -C -G -t < $< > $@
+keywords.c:    $(srcdir)/keywords.txt $(srcdir)/keywords.h
+               $(GPERF) -C -G -D -t < $(srcdir)/keywords.txt > $@
 
 defs.o:                $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
-               $(COMPILE) -c -o $@ $<
+               $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
 
 install-exec-local :   
                test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
index 04cfc9f771fa6da8db4bf803e5f0c8c06e9be5fb..f28aca33e458566d1b9d7087723c4d9c44a3bf8c 100644 (file)
 
 #include <sys/socket.h>
 #include <sys/ioctl.h>
-#include <linux/if.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <errno.h>
 
 #include <freeswan.h>
-#include <ipsec_tunnel.h>
 
 #include <constants.h>
 #include <defs.h>
index 324b0cc2f5cf6822d93fc0f6e65af99e05569131..08257f73a6de745dd2a124426892914e5f984460 100644 (file)
@@ -17,7 +17,9 @@
 #ifndef _STARTER_INTERFACES_H_
 #define _STARTER_INTERFACES_H_
 
-#include <linux/if.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
 
 #include "../pluto/constants.h"
 
index 7b93e53b7a2cba7da21010479d028c2c00823e73..582371e4f7217434a7cca2b6388b162526ed06c2 100644 (file)
@@ -1,3 +1,5 @@
+%option noinput
+%option nounput
 %{
 /* FreeS/WAN config file parser (parser.l)
  * Copyright (C) 2001 Mathieu Lafon - Arkoon Network Security
@@ -23,8 +25,6 @@
 
 #define MAX_INCLUDE_DEPTH  20
 
-#define YY_NO_INPUT
-#define YY_NO_UNPUT
 extern void yyerror(const char *);
 extern int yylex (void);
 
index db4756e9edd13226b8467be77f5a984e60800a8d..b66ebdefb48649a4a1a4beaf59174c15c9646f11 100644 (file)
@@ -328,11 +328,11 @@ int main (int argc, char **argv)
        /* determine if we have a native netkey IPsec stack */
        if (!starter_netkey_init())
        {
-               plog("no netkey IPSec stack detected");
+               plog("no netkey IPsec stack detected");
                if (!starter_klips_init())
                {
-                       plog("no KLIPS IPSec stack detected");
-                       exit(LSB_RC_FAILURE);
+                       plog("no KLIPS IPsec stack detected");
+                       plog("no known IPsec stack detected, ignoring!");
                }
        }
 
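Review bot: dropping `exit(LSB_RC_FAILURE)` turns the absence of any detected IPsec stack into a log line, so on a Linux host with neither netkey nor KLIPS the starter now goes on to launch the daemons, and the new "ignoring!" message does not say what that means for the user (these backends cannot install any kernel policy, so failures surface later at SA setup instead of here). If the intent is that other kernel-interface backends of this merge may still be usable, state it next to the new plog, e.g. `/* no Linux stack found; a non-Linux kernel backend may still be usable, so do not abort */`, and consider keeping the hard failure when the build contains only the netkey/KLIPS backends. The remainder of main() is outside the hunk.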
index a695feb46335d4ac5c75caebb0e6036978859fbf..c36afe64b8be7e102eb8311b81f9eb06d066aa17 100644 (file)
 #include <stddef.h>
 #include <unistd.h>
 #include <stdlib.h>
+#include <string.h>
 #include <errno.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
-#include <linux/xfrm.h>
 
 #include <freeswan.h>
 
 #define IPV4_LEN        4
 #define IPV6_LEN       16
 
+/**
+ * Mode of an IPsec SA, must be the same as in charons kernel_ipsec.h
+ */
+enum ipsec_mode_t {
+       MODE_TRANSPORT = 1,
+       MODE_TUNNEL,
+       MODE_BEET
+};
+
 /**
  * Authentication methods, must be the same as in charons authenticator.h
  */
@@ -68,9 +77,12 @@ static char* push_string(stroke_msg_t *msg, char *string)
 
 static int send_stroke_msg (stroke_msg_t *msg)
 {
-       struct sockaddr_un ctl_addr = { AF_UNIX, CHARON_CTL_FILE };
+       struct sockaddr_un ctl_addr;
        int byte_count;
        char buffer[64];
+
+       ctl_addr.sun_family = AF_UNIX;
+       strcpy(ctl_addr.sun_path, CHARON_CTL_FILE);
        
        /* starter is not called from commandline, and therefore absolutely silent */
        msg->output_verbosity = -1;
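Review bot: `ctl_addr` is no longer initialised as a whole, so every byte of the `struct sockaddr_un` outside `sun_family` and the copied path — including the leading `sun_len` member on the BSDs this rewrite appears to target — reaches the kernel uninitialised, and `strcpy` into the fixed-size `sun_path` has no bound, so a long configured socket path becomes a stack overflow at build-configuration time rather than a reported error. Zero the struct and bound the copy: `memset(&ctl_addr, 0, sizeof(ctl_addr));` / `ctl_addr.sun_family = AF_UNIX;` / `snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path), "%s", CHARON_CTL_FILE);`, and return an error when snprintf reports truncation. The same pattern is introduced in the send_whack_msg hunk (PLUTO_CTL_FILE) and in the second send_stroke_msg hunk at the end of this chunk (STROKE_SOCKET). The connect/write part of send_stroke_msg continues outside the hunk.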
@@ -247,20 +259,20 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        
        if (conn->policy & POLICY_TUNNEL)
        {
-               msg.add_conn.mode = XFRM_MODE_TUNNEL;
+               msg.add_conn.mode = MODE_TUNNEL;
        }
        else if (conn->policy & POLICY_BEET)
        {
-               msg.add_conn.mode = XFRM_MODE_BEET;
+               msg.add_conn.mode = MODE_BEET;
        }
        else if (conn->policy & POLICY_PROXY)
        {
-               msg.add_conn.mode = XFRM_MODE_TRANSPORT;
+               msg.add_conn.mode = MODE_TRANSPORT;
                msg.add_conn.proxy_mode = TRUE;
        } 
        else
        {
-               msg.add_conn.mode = XFRM_MODE_TRANSPORT;
+               msg.add_conn.mode = MODE_TRANSPORT;
        }
 
        if (!(conn->policy & POLICY_DONT_REKEY))
index 0588cf35b72b94c2d89a7cfed823946d39664928..4bc76de01957d844141c7d5275491b6d19adc872 100644 (file)
@@ -19,6 +19,7 @@
 #include <sys/un.h>
 #include <stddef.h>
 #include <unistd.h>
+#include <string.h>
 #include <errno.h>
 
 #include <freeswan.h>
@@ -56,11 +57,14 @@ pack_str (char **p, char **next, char **roof)
 static int
 send_whack_msg (whack_message_t *msg)
 {
-       struct sockaddr_un ctl_addr = { AF_UNIX, PLUTO_CTL_FILE };
+       struct sockaddr_un ctl_addr;
        int sock;
        ssize_t len;
        char *str_next, *str_roof;
 
+       ctl_addr.sun_family = AF_UNIX;
+       strcpy(ctl_addr.sun_path, PLUTO_CTL_FILE);
+
        /* pack strings */
        str_next = (char *)msg->string;
        str_roof = (char *)&msg->string[sizeof(msg->string)];
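Review bot: The same unbounded copy appears here: `strcpy(ctl_addr.sun_path, PLUTO_CTL_FILE)` writes a piddir-derived path into the fixed-size `sun_path` with no length check, and the struct is no longer zero-filled now that the aggregate initializer is gone, so padding and (on BSD) `sun_len` hold stack garbage. I would put `memset(&ctl_addr, 0, sizeof(ctl_addr));` ahead of the `sun_family` assignment and reject the path before copying, e.g. `if (strlen(PLUTO_CTL_FILE) >= sizeof(ctl_addr.sun_path)) { /* too long for sun_path */ }`, returning through whatever failure path send_whack_msg uses further down (the function continues past the hunk). The string packing that follows already checks bounds via `str_roof`, so the control-socket path is now the only unchecked copy in this function.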
index df20252e2e4d0593a4778f8a0e7899a78d451841..22f317f8f90f9357958c8a774721b5a8b85aa7b4 100644 (file)
@@ -3,8 +3,9 @@ ipsec_PROGRAMS = stroke
 stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 EXTRA_DIST = stroke_keywords.txt
+BUILT_SOURCES = stroke_keywords.c
 MAINTAINERCLEANFILES = stroke_keywords.c
 AM_CFLAGS = -DIPSEC_PIDDIR=\"${piddir}\"
 
-stroke_keywords.c:     stroke_keywords.txt stroke_keywords.h
-               $(GPERF) -C -G -t < $< > $@
+stroke_keywords.c:     $(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h
+               $(GPERF) -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@
index 66028900de5644f11fda3dc962f9971f266231e5..a8b705697c4f22d965c4f0ee0a8f494cde4a8721 100644 (file)
@@ -27,6 +27,7 @@
 #include <errno.h>
 #include <stdio.h>
 #include <stddef.h>
+#include <string.h>
 
 #include "stroke_msg.h"
 #include "stroke_keywords.h"
@@ -54,10 +55,13 @@ static char* push_string(stroke_msg_t *msg, char *string)
 
 static int send_stroke_msg (stroke_msg_t *msg)
 {
-       struct sockaddr_un ctl_addr = { AF_UNIX, STROKE_SOCKET };
+       struct sockaddr_un ctl_addr;
        int sock;
        char buffer[64];
        int byte_count;
+
+       ctl_addr.sun_family = AF_UNIX;
+       strcpy(ctl_addr.sun_path, STROKE_SOCKET);
        
        msg->output_verbosity = 1; /* CONTROL */
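Review bot: `strcpy(ctl_addr.sun_path, STROKE_SOCKET)` copies a build-configured path into the fixed-size `sun_path` without checking that it fits, and unlike the removed aggregate initializer it does not zero the rest of `ctl_addr`, so struct padding and the BSD `sun_len` field are uninitialized when the address is passed to the kernel. I would add `memset(&ctl_addr, 0, sizeof(ctl_addr));` before `ctl_addr.sun_family = AF_UNIX;` and guard the copy with `if (strlen(STROKE_SOCKET) >= sizeof(ctl_addr.sun_path)) { /* socket path too long */ }` before the `strcpy`, returning the error the rest of send_stroke_msg uses; the function body continues outside the hunk so I cannot see that convention here. Since `stroke` is a setuid-less CLI the impact is a crash rather than privilege gain as far as this hunk shows, but the overflow is still undefined behavior triggered purely by a long `--with-piddir`.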