+strongswan-5.0.3
+----------------
+
+- The new ipseckey plugin enables authentication based on trustworthy public
+ keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
+ To do so it uses a DNSSEC enabled resolver, like the one provided by the new
+ unbound plugin, which is based on libldns and libunbound. Both plugins were
+ created by Reto Guadagnini.
+
+- Implemented the TCG TNC IF-IMV 1.4 draft making access
+ requestor identities available to an IMV.
+
+
strongswan-5.0.2
----------------
-dnl configure.in for linux strongSwan
-dnl Copyright (C) 2006 Martin Willi
-dnl Hochschule fuer Technik Rapperswil
-dnl
-dnl This program is free software; you can redistribute it and/or modify it
-dnl under the terms of the GNU General Public License as published by the
-dnl Free Software Foundation; either version 2 of the License, or (at your
-dnl option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-dnl
-dnl This program is distributed in the hope that it will be useful, but
-dnl WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-dnl or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-dnl for more details.
-
-dnl ===========================
-dnl initialize & set some vars
-dnl ===========================
-
-AC_INIT(strongSwan,5.0.2)
+#
+# Copyright (C) 2007-2013 Tobias Brunner
+# Copyright (C) 2006-2013 Andreas Steffen
+# Copyright (C) 2006-2013 Martin Willi
+# Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+
+# ============================
+# initialize & set some vars
+# ============================
+
+AC_INIT([strongSwan],[5.0.3dr2])
AM_INIT_AUTOMAKE(tar-ustar)
AC_CONFIG_MACRO_DIR([m4/config])
AC_CONFIG_HEADERS([config.h])
AC_DEFINE([CONFIG_H_INCLUDED], [], [defined if config.h included])
PKG_PROG_PKG_CONFIG
-dnl =================================
-dnl check --enable-xxx & --with-xxx
-dnl =================================
+# =================================
+# check --enable-xxx & --with-xxx
+# =================================
m4_include(m4/macros/with.m4)
m4_include(m4/macros/enable-disable.m4)
ARG_ENABL_SET([curl], [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([unbound], [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
ARG_ENABL_SET([soup], [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
ARG_ENABL_SET([ldap], [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
ARG_DISBL_SET([aes], [disable AES software implementation plugin.])
ARG_DISBL_SET([pkcs8], [disable PKCS8 private key decoding plugin.])
ARG_DISBL_SET([pgp], [disable PGP key decoding plugin.])
ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.])
+ARG_ENABL_SET([ipseckey], [enable IPSECKEY authentication plugin.])
ARG_DISBL_SET([pem], [disable PEM decoding plugin.])
ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.])
ARG_DISBL_SET([cmac], [disable CMAC crypto implementation plugin.])
ARG_ENABL_SET([monolithic], [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
-dnl =========================
-dnl set up compiler and flags
-dnl =========================
+# ===================================
+# option to disable default options
+# ===================================
+
+ARG_DISBL_SET([defaults], [disable all default plugins (they can be enabled with their respective --enable options)])
+
+if test x$defaults = xfalse; then
+ for option in $enabled_by_default; do
+ eval test x\${${option}_given} = xtrue && continue
+ let $option=false
+ done
+fi
+
+# ===========================
+# set up compiler and flags
+# ===========================
if test -z "$CFLAGS"; then
CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
AC_LIB_PREFIX
AC_C_BIGENDIAN
-dnl =========================
-dnl check required programs
-dnl =========================
+# =========================
+# check required programs
+# =========================
+LT_INIT
AC_PROG_INSTALL
-AC_PROG_LIBTOOL
AC_PROG_EGREP
AC_PROG_AWK
AC_PROG_LEX
AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
-dnl because gperf is not needed by end-users we just report it but do not abort on failure
+# because gperf is not needed by end-users we just report it but do not abort on failure
AC_MSG_CHECKING([gperf version >= 3.0.0])
if test -x "$GPERF"; then
if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then
AC_MSG_RESULT([not found])
fi
-dnl =========================
-dnl dependency calculation
-dnl =========================
+# ========================
+# dependency calculation
+# ========================
if test x$xauth_generic_given = xfalse -a x$ikev1 = xfalse; then
xauth_generic=false;
mediation=true
fi
-dnl ===========================================
-dnl check required libraries and header files
-dnl ===========================================
+# ===========================================
+# check required libraries and header files
+# ===========================================
AC_HEADER_STDBOOL
AC_FUNC_ALLOCA
AC_FUNC_STRERROR_R
-dnl libraries needed on some platforms but not on others
-dnl ====================================================
+# libraries needed on some platforms but not on others
+# ------------------------------------------------------
saved_LIBS=$LIBS
-dnl FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
+# FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
LIBS=""
AC_SEARCH_LIBS(dlopen, dl, [DLLIB=$LIBS])
AC_SUBST(DLLIB)
-dnl glibc's backtrace() can be replicated on FreeBSD with libexecinfo
+# glibc's backtrace() can be replicated on FreeBSD with libexecinfo
LIBS=""
AC_SEARCH_LIBS(backtrace, execinfo, [BTLIB=$LIBS])
AC_CHECK_FUNCS(backtrace)
AC_SUBST(BTLIB)
-dnl OpenSolaris needs libsocket and libnsl for socket()
+# OpenSolaris needs libsocket and libnsl for socket()
LIBS=""
AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS],
[AC_CHECK_LIB(nsl, socket, [SOCKLIB="-lsocket -lnsl"], [], [-lsocket])]
)
AC_SUBST(SOCKLIB)
-dnl FreeBSD has clock_gettime in libc, Linux needs librt
+# FreeBSD has clock_gettime in libc, Linux needs librt
LIBS=""
AC_SEARCH_LIBS(clock_gettime, rt, [RTLIB=$LIBS])
AC_CHECK_FUNCS(clock_gettime)
AC_SUBST(RTLIB)
-dnl Android has pthread_* functions in bionic (libc), others need libpthread
+# Android has pthread_* functions in bionic (libc), others need libpthread
LIBS=""
AC_SEARCH_LIBS(pthread_create, pthread, [PTHREADLIB=$LIBS])
AC_SUBST(PTHREADLIB)
LIBS=$saved_LIBS
-dnl ======================
+# ------------------------------------------------------
AC_MSG_CHECKING(for dladdr)
-AC_TRY_COMPILE(
- [#define _GNU_SOURCE
- #include <dlfcn.h>],
- [Dl_info* info = 0;
- dladdr(0, info);],
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#define _GNU_SOURCE
+ #include <dlfcn.h>]],
+ [[Dl_info* info = 0;
+ dladdr(0, info);]])],
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_DLADDR], [], [have dladdr()])],
[AC_MSG_RESULT([no])]
)
-dnl check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
+# check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
saved_LIBS=$LIBS
LIBS=$PTHREADLIB
AC_MSG_CHECKING([for pthread_condattr_setclock(CLOCK_MONOTONE)])
-AC_TRY_RUN(
- [#include <pthread.h>
- int main() { pthread_condattr_t attr;
- pthread_condattr_init(&attr);
- return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}],
+AC_RUN_IFELSE(
+ [AC_LANG_SOURCE(
+ [[#include <pthread.h>
+ int main() { pthread_condattr_t attr;
+ pthread_condattr_init(&attr);
+ return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}]])],
[AC_MSG_RESULT([yes]);
AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
[pthread_condattr_setclock supports CLOCK_MONOTONIC])],
[AC_MSG_RESULT([no])],
- dnl Check existence of pthread_condattr_setclock if cross-compiling
+ # Check existence of pthread_condattr_setclock if cross-compiling
[AC_MSG_RESULT([unknown]);
AC_CHECK_FUNCS(pthread_condattr_setclock,
[AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
[have pthread_condattr_setclock()])]
)]
)
-dnl check if we actually are able to configure attributes on cond vars
+# check if we actually are able to configure attributes on cond vars
AC_CHECK_FUNCS(pthread_condattr_init)
-dnl instead of pthread_condattr_setclock Android has this function
+# instead of pthread_condattr_setclock Android has this function
AC_CHECK_FUNCS(pthread_cond_timedwait_monotonic)
-dnl check if we can cancel threads
+# check if we can cancel threads
AC_CHECK_FUNCS(pthread_cancel)
-dnl check if native rwlocks are available
+# check if native rwlocks are available
AC_CHECK_FUNCS(pthread_rwlock_init)
-dnl check if pthread spinlocks are available
+# check if pthread spinlocks are available
AC_CHECK_FUNCS(pthread_spin_init)
-dnl check if we have POSIX semaphore functions, including timed-wait
+# check if we have POSIX semaphore functions, including timed-wait
AC_CHECK_FUNCS(sem_timedwait)
LIBS=$saved_LIBS
[gettid],
[AC_DEFINE([HAVE_GETTID], [], [have gettid()])],
[AC_MSG_CHECKING([for SYS_gettid])
- AC_TRY_COMPILE(
- [#define _GNU_SOURCE
- #include <unistd.h>
- #include <sys/syscall.h>],
- [int main() {
- return syscall(SYS_gettid);}],
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#define _GNU_SOURCE
+ #include <unistd.h>
+ #include <sys/syscall.h>]],
+ [[int main() {
+ return syscall(SYS_gettid);}]])],
[AC_MSG_RESULT([yes]);
AC_DEFINE([HAVE_GETTID], [], [have gettid()])
AC_DEFINE([HAVE_SYS_GETTID], [], [have syscall(SYS_gettid)])],
])
AC_MSG_CHECKING([for in6addr_any])
-AC_TRY_COMPILE(
- [#include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>],
- [struct in6_addr in6;
- in6 = in6addr_any;],
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <sys/types.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>]],
+ [[struct in6_addr in6;
+ in6 = in6addr_any;]])],
[AC_MSG_RESULT([yes]);
AC_DEFINE([HAVE_IN6ADDR_ANY], [], [have struct in6_addr in6addr_any])],
[AC_MSG_RESULT([no])]
)
AC_MSG_CHECKING([for in6_pktinfo])
-AC_TRY_COMPILE(
- [#define _GNU_SOURCE
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>],
- [struct in6_pktinfo pi;
- if (pi.ipi6_ifindex)
- {
- return 0;
- }],
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#define _GNU_SOURCE
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>]],
+ [[struct in6_pktinfo pi;
+ if (pi.ipi6_ifindex)
+ {
+ return 0;
+ }]])],
[AC_MSG_RESULT([yes]);
AC_DEFINE([HAVE_IN6_PKTINFO], [], [have struct in6_pktinfo.ipi6_ifindex])],
[AC_MSG_RESULT([no])]
)
AC_MSG_CHECKING([for IPSEC_MODE_BEET])
-AC_TRY_COMPILE(
- [#include <sys/types.h>
- #ifdef HAVE_NETIPSEC_IPSEC_H
- #include <netipsec/ipsec.h>
- #elif defined(HAVE_NETINET6_IPSEC_H)
- #include <netinet6/ipsec.h>
- #else
- #include <stdint.h>
- #include <linux/ipsec.h>
- #endif],
- [int mode = IPSEC_MODE_BEET;
- return mode;],
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <sys/types.h>
+ #ifdef HAVE_NETIPSEC_IPSEC_H
+ #include <netipsec/ipsec.h>
+ #elif defined(HAVE_NETINET6_IPSEC_H)
+ #include <netinet6/ipsec.h>
+ #else
+ #include <stdint.h>
+ #include <linux/ipsec.h>
+ #endif]],
+ [[int mode = IPSEC_MODE_BEET;
+ return mode;]])],
[AC_MSG_RESULT([yes]);
AC_DEFINE([HAVE_IPSEC_MODE_BEET], [], [have IPSEC_MODE_BEET defined])],
[AC_MSG_RESULT([no])]
)
AC_MSG_CHECKING([for IPSEC_DIR_FWD])
-AC_TRY_COMPILE(
- [#include <sys/types.h>
- #ifdef HAVE_NETIPSEC_IPSEC_H
- #include <netipsec/ipsec.h>
- #elif defined(HAVE_NETINET6_IPSEC_H)
- #include <netinet6/ipsec.h>
- #else
- #include <stdint.h>
- #include <linux/ipsec.h>
- #endif],
- [int dir = IPSEC_DIR_FWD;
- return dir;],
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <sys/types.h>
+ #ifdef HAVE_NETIPSEC_IPSEC_H
+ #include <netipsec/ipsec.h>
+ #elif defined(HAVE_NETINET6_IPSEC_H)
+ #include <netinet6/ipsec.h>
+ #else
+ #include <stdint.h>
+ #include <linux/ipsec.h>
+ #endif]],
+ [[int dir = IPSEC_DIR_FWD;
+ return dir;]])],
[AC_MSG_RESULT([yes]);
AC_DEFINE([HAVE_IPSEC_DIR_FWD], [], [have IPSEC_DIR_FWD defined])],
[AC_MSG_RESULT([no])]
)
AC_MSG_CHECKING([for RTA_TABLE])
-AC_TRY_COMPILE(
- [#include <sys/socket.h>
- #include <linux/netlink.h>
- #include <linux/rtnetlink.h>],
- [int rta_type = RTA_TABLE;
- return rta_type;],
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <sys/socket.h>
+ #include <linux/netlink.h>
+ #include <linux/rtnetlink.h>]],
+ [[int rta_type = RTA_TABLE;
+ return rta_type;]])],
[AC_MSG_RESULT([yes]);
AC_DEFINE([HAVE_RTA_TABLE], [], [have netlink RTA_TABLE defined])],
[AC_MSG_RESULT([no])]
)
AC_MSG_CHECKING([for gcc atomic operations])
-AC_TRY_RUN(
-[
- int main() {
- volatile int ref = 1;
- __sync_fetch_and_add (&ref, 1);
- __sync_sub_and_fetch (&ref, 1);
- /* Make sure test fails if operations are not supported */
- __sync_val_compare_and_swap(&ref, 1, 0);
- return ref;
- }
-],
-[AC_MSG_RESULT([yes]);
- AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
+AC_RUN_IFELSE([AC_LANG_SOURCE(
+ [[
+ int main() {
+ volatile int ref = 1;
+ __sync_fetch_and_add (&ref, 1);
+ __sync_sub_and_fetch (&ref, 1);
+ /* Make sure test fails if operations are not supported */
+ __sync_val_compare_and_swap(&ref, 1, 0);
+ return ref;
+ }
+ ]])],
+ [AC_MSG_RESULT([yes]);
+ AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
[have GCC __sync_* atomic operations])],
-[AC_MSG_RESULT([no])],
-[AC_MSG_RESULT([no])])
+ [AC_MSG_RESULT([no])],
+ [AC_MSG_RESULT([no])]
+)
-dnl check for the new register_printf_specifier function with len argument,
-dnl or the deprecated register_printf_function without
+# check for the new register_printf_specifier function with len argument,
+# or the deprecated register_printf_function without
AC_CHECK_FUNC(
[register_printf_specifier],
[AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])],
)
if test x$vstr = xtrue; then
- AC_HAVE_LIBRARY([vstr],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])])
+ AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
AC_DEFINE([USE_VSTR], [], [use vstring library for printf hooks])
fi
if test x$gmp = xtrue; then
saved_LIBS=$LIBS
- AC_HAVE_LIBRARY([gmp],,[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
+ AC_CHECK_LIB([gmp],[main],[],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])],[])
AC_MSG_CHECKING([mpz_powm_sec])
if test x$mpz_powm_sec = xyes; then
- AC_TRY_COMPILE(
- [#include "gmp.h"],
- [
- void *x = mpz_powm_sec;
- ],
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include "gmp.h"]],
+ [[void *x = mpz_powm_sec;]])],
[AC_MSG_RESULT([yes]);
AC_DEFINE([HAVE_MPZ_POWM_SEC], [], [have mpz_mown_sec()])],
[AC_MSG_RESULT([no])]
fi
LIBS=$saved_LIBS
AC_MSG_CHECKING([gmp.h version >= 4.1.4])
- AC_TRY_COMPILE(
- [#include "gmp.h"],
- [
- #if (__GNU_MP_VERSION*100 + __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
- #error bad gmp
- #endif
- ],
- [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include "gmp.h"]],
+ [[
+ #if (__GNU_MP_VERSION*100 + __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
+ #error bad gmp
+ #endif]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
)
fi
if test x$ldap = xtrue; then
- AC_HAVE_LIBRARY([ldap],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])])
- AC_HAVE_LIBRARY([lber],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])])
+ AC_CHECK_LIB([ldap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])],[])
+ AC_CHECK_LIB([lber],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])],[])
AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP header ldap.h not found!])])
fi
if test x$curl = xtrue; then
- AC_HAVE_LIBRARY([curl],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])])
+ AC_CHECK_LIB([curl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])],[])
AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])])
fi
+if test x$unbound = xtrue; then
+ AC_HAVE_LIBRARY([ldns],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])])
+ AC_CHECK_HEADER([ldns/ldns.h],,[AC_MSG_ERROR([UNBOUND header ldns/ldns.h not found!])])
+ AC_HAVE_LIBRARY([unbound],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])])
+ AC_CHECK_HEADER([unbound.h],,[AC_MSG_ERROR([UNBOUND header unbound.h not found!])])
+fi
+
if test x$soup = xtrue; then
PKG_CHECK_MODULES(soup, [libsoup-2.4])
AC_SUBST(soup_CFLAGS)
fi
if test x$tss = xtrousers; then
- AC_HAVE_LIBRARY([tspi],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])])
+ AC_CHECK_LIB([tspi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi as TSS implementation])
fi
fi
if test x$fast = xtrue; then
- AC_HAVE_LIBRARY([neo_cgi],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])])
- AC_HAVE_LIBRARY([neo_utl],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])])
+ AC_CHECK_LIB([neo_cgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])],[])
+ AC_CHECK_LIB([neo_utl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])],[])
AC_MSG_CHECKING([ClearSilver requires zlib])
saved_CFLAGS=$CFLAGS
saved_LIBS=$LIBS
LIBS="-lneo_cgi -lneo_cs -lneo_utl"
CFLAGS="-I/usr/include/ClearSilver"
- AC_TRY_LINK(
- [#include <ClearSilver.h>],
- [
- NEOERR *err = cgi_display(NULL, NULL);
- ],
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <ClearSilver.h>]],
+ [[NEOERR *err = cgi_display(NULL, NULL);]])],
[AC_MSG_RESULT([no]); clearsilver_LIBS="$LIBS"],
[AC_MSG_RESULT([yes]); clearsilver_LIBS="$LIBS -lz"]
)
AC_SUBST(clearsilver_LIBS)
LIBS=$saved_LIBS
CFLAGS=$saved_CFLAGS
-dnl autoconf does not like CamelCase!? How to fix this?
-dnl AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
+# autoconf does not like CamelCase!? How to fix this?
+# AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
- AC_HAVE_LIBRARY([fcgi],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])])
+ AC_CHECK_LIB([fcgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])],[])
AC_CHECK_HEADER([fcgiapp.h],,[AC_MSG_ERROR([FastCGI header file fcgiapp.h not found!])])
fi
fi
if test x$sqlite = xtrue; then
- AC_HAVE_LIBRARY([sqlite3],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])])
+ AC_CHECK_LIB([sqlite3],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])],[])
AC_CHECK_HEADER([sqlite3.h],,[AC_MSG_ERROR([SQLite header sqlite3.h not found!])])
AC_MSG_CHECKING([sqlite3_prepare_v2])
- AC_TRY_COMPILE(
- [#include <sqlite3.h>],
- [
- void *test = sqlite3_prepare_v2;
- ],
- [AC_MSG_RESULT([yes])];
- AC_DEFINE([HAVE_SQLITE3_PREPARE_V2], [], [have sqlite3_prepare_v2()]),
- [AC_MSG_RESULT([no])])
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <sqlite3.h>]],
+ [[void *test = sqlite3_prepare_v2;]])],
+ [AC_MSG_RESULT([yes]);
+ AC_DEFINE([HAVE_SQLITE3_PREPARE_V2], [], [have sqlite3_prepare_v2()])],
+ [AC_MSG_RESULT([no])]
+ )
AC_MSG_CHECKING([sqlite3.h version >= 3.3.1])
- AC_TRY_COMPILE(
- [#include <sqlite3.h>],
- [
- #if SQLITE_VERSION_NUMBER < 3003001
- #error bad sqlite
- #endif
- ],
- [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])])
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <sqlite3.h>]],
+ [[
+ #if SQLITE_VERSION_NUMBER < 3003001
+ #error bad sqlite
+ #endif]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])]
+ )
fi
if test x$openssl = xtrue; then
- AC_HAVE_LIBRARY([crypto],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])])
+ AC_CHECK_LIB([crypto],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])],[])
AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
fi
if test x$gcrypt = xtrue; then
- AC_HAVE_LIBRARY([gcrypt],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
+ AC_CHECK_LIB([gcrypt],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
- AC_TRY_COMPILE(
- [#include <gcrypt.h>],
- [enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;],
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <gcrypt.h>]],
+ [[enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;]])],
[AC_MSG_RESULT([yes]);
AC_DEFINE([HAVE_GCRY_CIPHER_CAMELLIA], [], [have GCRY_CIPHER_CAMELLIA128])],
[AC_MSG_RESULT([no])]
fi
if test x$uci = xtrue; then
- AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])])
+ AC_CHECK_LIB([uci],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
fi
if test x$android = xtrue; then
- AC_HAVE_LIBRARY([cutils],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])])
+ AC_CHECK_LIB([cutils],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
- dnl we have to force the use of libdl here because the autodetection
- dnl above does not work correctly when cross-compiling for android.
+ # we have to force the use of libdl here because the autodetection
+ # above does not work correctly when cross-compiling for android.
DLLIB="-ldl"
AC_SUBST(DLLIB)
fi
fi
if test x$xauth_pam = xtrue; then
- AC_HAVE_LIBRARY([pam],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])])
+ AC_CHECK_LIB([pam],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])],[])
AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
fi
if test x$capabilities = xnative; then
AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead])
- dnl Linux requires the following for capset(), Android does not have it,
- dnl but defines capset() in unistd.h instead.
+ # Linux requires the following for capset(), Android does not have it,
+ # but defines capset() in unistd.h instead.
AC_CHECK_HEADERS([sys/capability.h])
AC_CHECK_FUNC(capset,,[AC_MSG_ERROR([capset() not found!])])
AC_DEFINE([CAPABILITIES_NATIVE], [], [have native linux capset()])
fi
if test x$capabilities = xlibcap; then
- AC_HAVE_LIBRARY([cap],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])])
+ AC_CHECK_LIB([cap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])],[])
AC_CHECK_HEADER([sys/capability.h],
[AC_DEFINE([HAVE_SYS_CAPABILITY_H], [], [have sys/capability.h])],
[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
if test x$integrity_test = xtrue; then
AC_MSG_CHECKING([for dladdr()])
- AC_TRY_COMPILE(
- [#define _GNU_SOURCE
- #include <dlfcn.h>],
- [Dl_info info; dladdr(main, &info);],
- [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#define _GNU_SOURCE
+ #include <dlfcn.h>]],
+ [[Dl_info info; dladdr(main, &info);]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no]);
AC_MSG_ERROR([dladdr() not supported, required by integrity-test!])]
)
AC_MSG_CHECKING([for dl_iterate_phdr()])
- AC_TRY_COMPILE(
- [#define _GNU_SOURCE
- #include <link.h>],
- [dl_iterate_phdr((void*)0, (void*)0);],
- [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#define _GNU_SOURCE
+ #include <link.h>]],
+ [[dl_iterate_phdr((void*)0, (void*)0);]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no]);
AC_MSG_ERROR([dl_iterate_phdr() not supported, required by integrity-test!])]
)
fi
if test x$bfd_backtraces = xtrue; then
- AC_HAVE_LIBRARY([bfd],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])])
+ AC_CHECK_LIB([bfd],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])],[])
AC_CHECK_HEADER([bfd.h],[AC_DEFINE([HAVE_BFD_H],,[have binutils bfd.h])],
[AC_MSG_ERROR([binutils bfd.h header not found!])])
BFDLIB="-lbfd"
CFLAGS="$CFLAGS -include `pwd`/config.h"
-dnl ==============================================
-dnl collect plugin list for strongSwan components
-dnl ==============================================
+# ===============================================
+# collect plugin list for strongSwan components
+# ===============================================
m4_include(m4/macros/add-plugin.m4)
ADD_PLUGIN([test-vectors], [s charon openac scepclient pki])
ADD_PLUGIN([curl], [s charon scepclient scripts nm])
ADD_PLUGIN([soup], [s charon scripts nm])
+ADD_PLUGIN([unbound], [s charon scripts])
ADD_PLUGIN([ldap], [s charon scepclient scripts nm])
ADD_PLUGIN([mysql], [s charon pool manager medsrv attest])
ADD_PLUGIN([sqlite], [s charon pool manager medsrv attest])
ADD_PLUGIN([pkcs8], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([pgp], [s charon])
ADD_PLUGIN([dnskey], [s charon])
+ADD_PLUGIN([ipseckey], [c charon])
ADD_PLUGIN([pem], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([padlock], [s charon])
ADD_PLUGIN([openssl], [s charon openac scepclient pki scripts manager medsrv attest nm])
AC_SUBST(nm_plugins)
AC_SUBST(c_plugins)
-AC_SUBST(p_plugins)
AC_SUBST(h_plugins)
AC_SUBST(s_plugins)
-dnl =========================
-dnl set Makefile.am vars
-dnl =========================
+# ======================
+# set Makefile.am vars
+# ======================
-dnl libstrongswan plugins
-dnl =====================
+# libstrongswan plugins
+# -----------------------
AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
+AM_CONDITIONAL(USE_UNBOUND, test x$unbound = xtrue)
AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
-dnl charon plugins
-dnl ==============
+# charon plugins
+# ----------------
AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
+AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue)
AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
-dnl hydra plugins
-dnl =============
+# hydra plugins
+# ---------------
AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue)
AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
-dnl other options
-dnl =============
+# other options
+# ---------------
AM_CONDITIONAL(USE_LEAK_DETECTIVE, test x$leak_detective = xtrue)
AM_CONDITIONAL(USE_LOCK_PROFILER, test x$lock_profiler = xtrue)
AM_CONDITIONAL(USE_DUMM, test x$dumm = xtrue)
AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
+AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers)
AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
-dnl ==============================
-dnl set global definitions
-dnl ==============================
+# ========================
+# set global definitions
+# ========================
if test x$mediation = xtrue; then
AC_DEFINE([ME], [], [mediation extension support])
AC_DEFINE([USE_IKEV2], [], [support for IKEv2 protocol])
fi
-dnl ==============================
-dnl build Makefiles
-dnl ==============================
+# =================
+# build Makefiles
+# =================
-AC_OUTPUT(
+AC_CONFIG_FILES([
Makefile
man/Makefile
init/Makefile
src/libstrongswan/plugins/dnskey/Makefile
src/libstrongswan/plugins/pem/Makefile
src/libstrongswan/plugins/curl/Makefile
+ src/libstrongswan/plugins/unbound/Makefile
src/libstrongswan/plugins/soup/Makefile
src/libstrongswan/plugins/ldap/Makefile
src/libstrongswan/plugins/mysql/Makefile
src/libradius/Makefile
src/libtncif/Makefile
src/libtnccs/Makefile
+ src/libpttls/Makefile
src/libpts/Makefile
src/libpts/plugins/imc_attestation/Makefile
src/libpts/plugins/imv_attestation/Makefile
src/libcharon/plugins/farp/Makefile
src/libcharon/plugins/smp/Makefile
src/libcharon/plugins/sql/Makefile
+ src/libcharon/plugins/ipseckey/Makefile
src/libcharon/plugins/medsrv/Makefile
src/libcharon/plugins/medcli/Makefile
src/libcharon/plugins/addrblock/Makefile
src/conftest/Makefile
scripts/Makefile
testing/Makefile
-)
+])
+AC_OUTPUT
+
+# ========================
+# report enabled plugins
+# ========================
+
+AC_MSG_RESULT([])
+AC_MSG_RESULT([ strongSwan will be built with the following plugins])
+AC_MSG_RESULT([-----------------------------------------------------])
+
+AC_MSG_RESULT([libstrongswan:$s_plugins])
+AC_MSG_RESULT([libcharon: $c_plugins])
+AC_MSG_RESULT([libhydra: $h_plugins])
+AC_MSG_RESULT([])
# ARG_DISBL_SET(option, help)
# ---------------------------
# Create a --disable-$1 option with helptext, set a variable $1 to true/false
+# All $1 are collected in the variable $enabled_by_default
AC_DEFUN([ARG_DISBL_SET],
[AC_ARG_ENABLE(
[$1],
fi],
[patsubst([$1], [-], [_])=true
patsubst([$1], [-], [_])_given=false]
- )]
+ )
+ enabled_by_default=${enabled_by_default}" patsubst([$1], [-], [_])"]
)
exclamation mark) can be used, e.g:
.BR aes256-sha512-modp4096!
.TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)
should last before being renegotiated. Also see EXPIRY/REKEY below.
.TP
.BR charon.plugins.ha.segment_count " [1]"
+.TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs from the DNS
.TP
.BR charon.plugins.led.activity_led
.TP
.BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
.SS libtnccs section
.TP
.BR libtnccs.tnc_config " [/etc/tnc_config]"
Initiator ID used in load test
.TP
.BR charon.plugins.load-tester.initiator_match
-Initiator ID to to match against as responder
+Initiator ID to match against as responder
.TP
.BR charon.plugins.load-tester.initiator_tsi
Traffic selector on initiator side, as proposed by initiator
hash_burn
tls_test
fetch
+dnssec
-DPLUGINS="\"${scripts_plugins}\""
noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \
- thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch
+ thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \
+ dnssec
if USE_TLS
noinst_PROGRAMS += tls_test
crypt_burn_SOURCES = crypt_burn.c
hash_burn_SOURCES = hash_burn.c
fetch_SOURCES = fetch.c
+dnssec_SOURCES = dnssec.c
id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
hash_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
key2keyid.o : $(top_builddir)/config.status
--- /dev/null
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+#include <library.h>
+
+int main(int argc, char *argv[])
+{
+ resolver_t *resolver;
+ resolver_response_t *response;
+ enumerator_t *enumerator;
+ rr_set_t *rrset;
+ rr_t *rr;
+ chunk_t chunk;
+
+ library_init(NULL);
+ atexit(library_deinit);
+ if (!lib->plugins->load(lib->plugins, NULL, PLUGINS))
+ {
+ return 1;
+ }
+ if (argc != 2)
+ {
+ fprintf(stderr, "usage: %s <name>\n", argv[0]);
+ return 1;
+ }
+
+ resolver = lib->resolver->create(lib->resolver);
+ if (!resolver)
+ {
+ printf("failed to create a resolver!\n");
+ return 1;
+ }
+
+ response = resolver->query(resolver, argv[1], RR_CLASS_IN, RR_TYPE_A);
+ if (!response)
+ {
+ printf("no response received!\n");
+ resolver->destroy(resolver);
+ return 1;
+ }
+
+ printf("DNS response:\n");
+ if (!response->has_data(response) || !response->query_name_exist(response))
+ {
+ if (!response->has_data(response))
+ {
+ printf(" no data in the response\n");
+ }
+ if (!response->query_name_exist(response))
+ {
+ printf(" query name does not exist\n");
+ }
+ response->destroy(response);
+ resolver->destroy(resolver);
+ return 1;
+ }
+
+ printf(" RRs in the response:\n");
+ rrset = response->get_rr_set(response);
+ if (!rrset)
+ {
+ printf(" response contains no RRset!\n");
+ response->destroy(response);
+ resolver->destroy(resolver);
+ return 1;
+ }
+
+ enumerator = rrset->create_rr_enumerator(rrset);
+ while (enumerator->enumerate(enumerator, &rr))
+ {
+ printf(" name: ");
+ printf(rr->get_name(rr));
+ printf("\n");
+ }
+
+ enumerator = rrset->create_rrsig_enumerator(rrset);
+ if (enumerator)
+ {
+ printf(" RRSIGs for the RRset:\n");
+ while (enumerator->enumerate(enumerator, &rr))
+ {
+ printf(" name: ");
+ printf(rr->get_name(rr));
+ printf("\n RDATA: ");
+ chunk = rr->get_rdata(rr);
+ chunk = chunk_to_hex(chunk, NULL, TRUE);
+ printf(chunk.ptr);
+ printf("\n");
+ }
+ }
+
+ printf(" security status of the response: ");
+ switch (response->get_security_state(response))
+ {
+ case SECURE:
+ printf("SECURE\n\n");
+ break;
+ case INSECURE:
+ printf("INSECURE\n\n");
+ break;
+ case BOGUS:
+ printf("BOGUS\n\n");
+ break;
+ case INDETERMINATE:
+ printf("INDETERMINATE\n\n");
+ break;
+ }
+ response->destroy(response);
+ resolver->destroy(resolver);
+ return 0;
+}
SUBDIRS += libtnccs
endif
+if USE_LIBPTTLS
+ SUBDIRS += libpttls
+endif
+
if USE_IMCV
SUBDIRS += libimcv
endif
ike_cfg = ike_cfg_create(IKEV2, TRUE, encap, "0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
(char*)address, FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create(priv->name, ike_cfg,
CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
}
return plugin;
}
-
settings->get_int(settings, "configs.%s.lport", 500, config),
settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE,
settings->get_int(settings, "configs.%s.rport", 500, config),
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
if (token)
{
ike_cfg = ike_cfg_create(IKEV2, TRUE, TRUE, "0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
this->gateway, FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
processing/jobs/roam_job.c processing/jobs/roam_job.h \
processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/eap/eap_method.c sa/eap/eap_method.h \
+sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
sa/eap/eap_manager.c sa/eap/eap_manager.h \
sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
processing/jobs/roam_job.c processing/jobs/roam_job.h \
processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/eap/eap_method.c sa/eap/eap_method.h \
+sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
sa/eap/eap_manager.c sa/eap/eap_manager.h \
sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
endif
endif
+if USE_IPSECKEY
+ SUBDIRS += plugins/ipseckey
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/ipseckey/libstrongswan-ipseckey.la
+endif
+endif
+
if USE_UPDOWN
SUBDIRS += plugins/updown
if MONOLITHIC
*/
fragmentation_t fragmentation;
+ /**
+ * DSCP value to use on sent IKE packets
+ */
+ u_int8_t dscp;
+
/**
* List of proposals to use
*/
return this->other_port;
}
+METHOD(ike_cfg_t, get_dscp, u_int8_t,
+ private_ike_cfg_t *this)
+{
+ return this->dscp;
+}
+
METHOD(ike_cfg_t, add_proposal, void,
private_ike_cfg_t *this, proposal_t *proposal)
{
ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
char *me, bool my_allow_any, u_int16_t my_port,
char *other, bool other_allow_any, u_int16_t other_port,
- fragmentation_t fragmentation)
+ fragmentation_t fragmentation, u_int8_t dscp)
{
private_ike_cfg_t *this;
.get_other_addr = _get_other_addr,
.get_my_port = _get_my_port,
.get_other_port = _get_other_port,
+ .get_dscp = _get_dscp,
.add_proposal = _add_proposal,
.get_proposals = _get_proposals,
.select_proposal = _select_proposal,
.other_allow_any = other_allow_any,
.my_port = my_port,
.other_port = other_port,
+ .dscp = dscp,
.proposals = linked_list_create(),
);
*/
u_int16_t (*get_other_port)(ike_cfg_t *this);
+ /**
+ * Get the DSCP value to use for IKE packets send from connections.
+ *
+ * @return DSCP value
+ */
+ u_int8_t (*get_dscp)(ike_cfg_t *this);
+
/**
* Adds a proposal to the list.
*
* @param other_allow_any allow override of remote address by any address
* @param other_port IKE port to use as dest, 500 uses IKEv2 port floating
* @param fragmentation use IKEv1 fragmentation
+ * @param dscp DSCP value to send IKE packets with
* @return ike_cfg_t object.
*/
ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
char *me, bool my_allow_any, u_int16_t my_port,
char *other, bool other_allow_any, u_int16_t other_port,
- fragmentation_t fragmentation);
+ fragmentation_t fragmentation, u_int8_t dscp);
#endif /** IKE_CFG_H_ @}*/
{SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
{KEY_EXCHANGE, 1, 1, FALSE, FALSE},
{NONCE, 1, 1, FALSE, FALSE},
- {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
+ {CERTIFICATE_REQUEST, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
{VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
};
{AUTHENTICATION, 0, 1, TRUE, TRUE},
{ID_INITIATOR, 0, 1, TRUE, FALSE},
{CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
- {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
+ {CERTIFICATE_REQUEST, 0, MAX_CERTREQ_PAYLOADS, TRUE, FALSE},
{ID_RESPONDER, 0, 1, TRUE, FALSE},
#ifdef ME
{SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
- hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
+ hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO,
+ 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
return &this->public;
}
-
/*
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
#include <utils/debug.h>
#include <daemon.h>
+#include <tncifimv.h>
+
/**
* Maximum size of an EAP-TNC message
*/
*/
eap_tnc_t public;
+ /**
+ * Outer EAP authentication type
+ */
+ eap_type_t auth_type;
+
/**
* TLS stack, wrapped by EAP helper
*/
tls_eap_t *tls_eap;
+
+ /**
+ * TNCCS instance running over EAP-TNC
+ */
+ tnccs_t *tnccs;
+
};
METHOD(eap_method_t, initiate, status_t,
private_eap_tnc_t *this, eap_payload_t **out)
{
chunk_t data;
+ u_int32_t auth_type;
+
+ /* Determine TNC Client Authentication Type */
+ switch (this->auth_type)
+ {
+ case EAP_TLS:
+ case EAP_TTLS:
+ case EAP_PEAP:
+ auth_type = TNC_AUTH_CERT;
+ break;
+ case EAP_MD5:
+ case EAP_MSCHAPV2:
+ case EAP_GTC:
+ case EAP_OTP:
+ auth_type = TNC_AUTH_PASSWORD;
+ break;
+ case EAP_SIM:
+ case EAP_AKA:
+ auth_type = TNC_AUTH_SIM;
+ break;
+ default:
+ auth_type = TNC_AUTH_UNKNOWN;
+ }
+ this->tnccs->set_auth_type(this->tnccs, auth_type);
if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
{
free(this);
}
+METHOD(eap_inner_method_t, get_auth_type, eap_type_t,
+ private_eap_tnc_t *this)
+{
+ return this->auth_type;
+}
+
+METHOD(eap_inner_method_t, set_auth_type, void,
+ private_eap_tnc_t *this, eap_type_t type)
+{
+ this->auth_type = type;
+}
+
/**
* Generic private constructor
*/
int max_msg_count;
char* protocol;
tnccs_type_t type;
- tnccs_t *tnccs;
INIT(this,
.public = {
- .eap_method = {
- .initiate = _initiate,
- .process = _process,
- .get_type = _get_type,
- .is_mutual = _is_mutual,
- .get_msk = _get_msk,
- .get_identifier = _get_identifier,
- .set_identifier = _set_identifier,
- .destroy = _destroy,
+ .eap_inner_method = {
+ .eap_method = {
+ .initiate = _initiate,
+ .process = _process,
+ .get_type = _get_type,
+ .is_mutual = _is_mutual,
+ .get_msk = _get_msk,
+ .get_identifier = _get_identifier,
+ .set_identifier = _set_identifier,
+ .destroy = _destroy,
+ },
+ .get_auth_type = _get_auth_type,
+ .set_auth_type = _set_auth_type,
},
},
);
free(this);
return NULL;
}
- tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server);
- this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs,
- EAP_TNC_MAX_MESSAGE_LEN,
- max_msg_count, FALSE);
+ this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
+ server, peer, TNC_IFT_EAP_1_1);
+ this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
+ EAP_TNC_MAX_MESSAGE_LEN,
+ max_msg_count, FALSE);
if (!this->tls_eap)
{
free(this);
typedef struct eap_tnc_t eap_tnc_t;
-#include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
/**
* Implementation of the eap_method_t interface using EAP-TNC.
struct eap_tnc_t {
/**
- * Implemented eap_method_t interface.
+ * Implemented eap_inner_method_t interface.
*/
- eap_method_t eap_method;
+ eap_inner_method_t eap_inner_method;
};
/**
#include <daemon.h>
#include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
/**
* If configured, start EAP-TNC protocol
*/
-static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
+static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
+ eap_type_t auth_type)
{
+ eap_inner_method_t *inner_method;
+
if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
"%s.plugins.eap-ttls.phase2_tnc", FALSE, charon->name))
{
DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
return FAILED;
}
+ inner_method = (eap_inner_method_t *)this->method;
+ inner_method->set_auth_type(inner_method, auth_type);
+
this->start_phase2_tnc = FALSE;
if (this->method->initiate(this->method, &this->out) == NEED_MORE)
{
if (lib->settings->get_bool(lib->settings,
"%s.plugins.eap-ttls.request_peer_auth", FALSE, charon->name))
{
- return start_phase2_tnc(this);
+ return start_phase2_tnc(this, EAP_TLS);
}
else
{
this->method = NULL;
/* continue phase2 with EAP-TNC? */
- return start_phase2_tnc(this);
+ return start_phase2_tnc(this, type);
case NEED_MORE:
break;
case FAILED:
/* create config and backend */
ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE, local, FALSE,
charon->socket->get_port(charon->socket, FALSE),
- remote, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
+ remote, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND,
UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, 30,
return &this->public;
}
-
--- /dev/null
+
+INCLUDES = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ipseckey.la
+else
+plugin_LTLIBRARIES = libstrongswan-ipseckey.la
+endif
+
+libstrongswan_ipseckey_la_SOURCES = \
+ ipseckey_plugin.h ipseckey_plugin.c \
+ ipseckey_cred.h ipseckey_cred.c \
+ ipseckey.h ipseckey.c
+
+libstrongswan_ipseckey_la_LDFLAGS = -module -avoid-version
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipseckey.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <bio/bio_reader.h>
+
+typedef struct private_ipseckey_t private_ipseckey_t;
+
+/**
+* private data of the ipseckey
+*/
+struct private_ipseckey_t {
+
+ /**
+ * public functions
+ */
+ ipseckey_t public;
+
+ /**
+ * Precedence
+ */
+ u_int8_t precedence;
+
+ /**
+ * Gateway type
+ */
+ u_int8_t gateway_type;
+
+ /**
+ * Algorithm
+ */
+ u_int8_t algorithm;
+
+ /**
+ * Gateway
+ */
+ chunk_t gateway;
+
+ /**
+ * Public key
+ */
+ chunk_t public_key;
+};
+
+METHOD(ipseckey_t, get_precedence, u_int8_t,
+ private_ipseckey_t *this)
+{
+ return this->precedence;
+}
+
+METHOD(ipseckey_t, get_gateway_type, ipseckey_gw_type_t,
+ private_ipseckey_t *this)
+{
+ return this->gateway_type;
+}
+
+METHOD(ipseckey_t, get_algorithm, ipseckey_algorithm_t,
+ private_ipseckey_t *this)
+{
+ return this->algorithm;
+}
+
+METHOD(ipseckey_t, get_gateway, chunk_t,
+ private_ipseckey_t *this)
+{
+ return this->gateway;
+}
+
+METHOD(ipseckey_t, get_public_key, chunk_t,
+ private_ipseckey_t *this)
+{
+ return this->public_key;
+}
+
+METHOD(ipseckey_t, destroy, void,
+ private_ipseckey_t *this)
+{
+ chunk_free(&this->gateway);
+ chunk_free(&this->public_key);
+ free(this);
+}
+
+/*
+ * See header
+ */
+ipseckey_t *ipseckey_create_frm_rr(rr_t *rr)
+{
+ private_ipseckey_t *this;
+ bio_reader_t *reader = NULL;
+ u_int8_t label;
+ chunk_t tmp;
+
+ INIT(this,
+ .public = {
+ .get_precedence = _get_precedence,
+ .get_gateway_type = _get_gateway_type,
+ .get_algorithm = _get_algorithm,
+ .get_gateway = _get_gateway,
+ .get_public_key = _get_public_key,
+ .destroy = _destroy,
+ },
+ );
+
+ if (rr->get_type(rr) != RR_TYPE_IPSECKEY)
+ {
+ DBG1(DBG_CFG, "unable to create an ipseckey out of an RR "
+ "whose type is not IPSECKEY");
+ free(this);
+ return NULL;
+ }
+
+ /** Parse the content (RDATA field) of the RR */
+ reader = bio_reader_create(rr->get_rdata(rr));
+ if (!reader->read_uint8(reader, &this->precedence) ||
+ !reader->read_uint8(reader, &this->gateway_type) ||
+ !reader->read_uint8(reader, &this->algorithm))
+ {
+ DBG1(DBG_CFG, "ipseckey RR has a wrong format");
+ reader->destroy(reader);
+ free(this);
+ }
+
+ switch (this->gateway_type)
+ {
+ case IPSECKEY_GW_TP_NOT_PRESENT:
+ break;
+
+ case IPSECKEY_GW_TP_IPV4:
+ if (!reader->read_data(reader, 4, &this->gateway))
+ {
+ DBG1(DBG_CFG, "ipseckey gateway field does not contain an "
+ "IPv4 address as expected");
+ reader->destroy(reader);
+ free(this);
+ return NULL;
+ }
+ this->gateway = chunk_clone(this->gateway);
+ break;
+
+ case IPSECKEY_GW_TP_IPV6:
+ if (!reader->read_data(reader, 16, &this->gateway))
+ {
+ DBG1(DBG_CFG, "ipseckey gateway field does not contain an "
+ "IPv6 address as expected");
+ reader->destroy(reader);
+ free(this);
+ return NULL;
+ }
+ this->gateway = chunk_clone(this->gateway);
+ break;
+
+ case IPSECKEY_GW_TP_WR_ENC_DNAME:
+ /**
+ * Uncompressed domain name as defined in RFC 1035 chapter 3.
+ *
+ * TODO: Currently we ignore wire encoded domain names.
+ *
+ */
+ while (reader->read_uint8(reader, &label) &&
+ label != 0 && label < 192)
+ {
+ if (!reader->read_data(reader, label, &tmp))
+ {
+ DBG1(DBG_CFG, "wrong wire encoded domain name format "
+ "in ipseckey gateway field");
+ reader->destroy(reader);
+ free(this);
+ return NULL;
+ }
+ }
+ break;
+
+ default:
+ DBG1(DBG_CFG, "unable to parse ipseckey gateway field");
+ reader->destroy(reader);
+ free(this);
+ return NULL;
+ }
+
+ if (!reader->read_data(reader, reader->remaining(reader),
+ &this->public_key))
+ {
+ DBG1(DBG_CFG, "failed to read ipseckey public key field");
+ reader->destroy(reader);
+ chunk_free(&this->gateway);
+ free(this);
+ return NULL;
+ }
+ this->public_key = chunk_clone(this->public_key);
+ reader->destroy(reader);
+ return &this->public;
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey_cred_i ipseckey
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_H_
+#define IPSECKEY_H_
+
+typedef struct ipseckey_t ipseckey_t;
+typedef enum ipseckey_algorithm_t ipseckey_algorithm_t;
+typedef enum ipseckey_gw_type_t ipseckey_gw_type_t;
+
+#include <library.h>
+
+/**
+ * IPSECKEY gateway types as defined in RFC 4025.
+ */
+enum ipseckey_gw_type_t {
+ /** No gateway is present */
+ IPSECKEY_GW_TP_NOT_PRESENT = 0,
+ /** A 4-byte IPv4 address is present */
+ IPSECKEY_GW_TP_IPV4 = 1,
+ /** A 16-byte IPv6 address is present */
+ IPSECKEY_GW_TP_IPV6 = 2,
+ /** A wire-encoded domain name is present */
+ IPSECKEY_GW_TP_WR_ENC_DNAME = 3,
+};
+
+/**
+ * IPSECKEY algorithms as defined in RFC 4025.
+ */
+enum ipseckey_algorithm_t {
+ /** No key present */
+ IPSECKEY_ALGORITHM_NONE = 0,
+ /** DSA key */
+ IPSECKEY_ALGORITHM_DSA = 1,
+ /** RSA key */
+ IPSECKEY_ALGORITHM_RSA = 2,
+};
+
+/**
+ * An IPSECKEY.
+ *
+ * Represents an IPSECKEY as defined in RFC 4025:
+ *
+ * 0 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | precedence | gateway type | algorithm | gateway |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+ +
+ * ~ gateway ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | /
+ * / public key /
+ * / /
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ *
+ *
+ * Note: RFC 4025 defines that the algorithm field has a length of 7 bits.
+ * We use 8 bits instead, because the use of 7 bits is very uncommon
+ * in internet protocols and might be an error in RFC 4025
+ * (also the BIND DNS server uses 8 bits for the algorithm field of the
+ * IPSECKEY resource records).
+ *
+ */
+struct ipseckey_t {
+
+ /**
+ * Get the precedence of the IPSECKEY.
+ *
+ * @return precedence
+ */
+ u_int8_t (*get_precedence)(ipseckey_t *this);
+
+ /**
+ * Get the type of the gateway.
+ *
+ * The "gateway type" determines the format of the gateway field
+ * of the IPSECKEY.
+ *
+ * @return gateway type
+ */
+ ipseckey_gw_type_t (*get_gateway_type)(ipseckey_t *this);
+
+ /**
+ * Get the algorithm.
+ *
+ * The "algorithm" determines the format of the public key field
+ * of the IPSECKEY.
+ *
+ * @return algorithm
+ */
+ ipseckey_algorithm_t (*get_algorithm)(ipseckey_t *this);
+
+ /**
+ * Get the content of the gateway field as chunk.
+ *
+ * The content is in network byte order and its format depends on the
+ * gateway type.
+ *
+ * The data pointed by the chunk is still owned by the IPSECKEY.
+ * Clone it if necessary.
+ *
+ * @return gateway field as chunk
+ */
+ chunk_t (*get_gateway)(ipseckey_t *this);
+
+ /**
+ * Get the content of the public key field as chunk.
+ *
+ * The format of the public key depends on the algorithm type.
+ *
+ * The data pointed by the chunk is still owned by the IPSECKEY.
+ * Clone it if necessary.
+ *
+ * @return public key field as chunk
+ */
+ chunk_t (*get_public_key)(ipseckey_t *this);
+
+ /**
+ * Destroy the IPSECKEY.
+ */
+ void (*destroy) (ipseckey_t *this);
+};
+
+/**
+ * Create an ipseckey instance out of a resource record.
+ *
+ * @param rr resource record which contains an IPSECKEY
+ * @return ipseckey, NULL on failure
+ */
+ipseckey_t *ipseckey_create_frm_rr(rr_t *rr);
+
+#endif /** IPSECKEY_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+
+#include "ipseckey_cred.h"
+#include "ipseckey.h"
+
+#include <bio/bio_reader.h>
+#include <daemon.h>
+
+typedef struct private_ipseckey_cred_t private_ipseckey_cred_t;
+
+/**
+ * Private data of an ipseckey_cred_t object
+ */
+struct private_ipseckey_cred_t {
+
+ /**
+ * Public part
+ */
+ ipseckey_cred_t public;
+
+ /**
+ * DNS resolver
+ */
+ resolver_t *res;
+};
+
+/**
+ * enumerator over certificates
+ */
+typedef struct {
+ /** implements enumerator interface */
+ enumerator_t public;
+ /** inner enumerator (enumerates IPSECKEY resource records) */
+ enumerator_t *inner;
+ /** response of the DNS resolver which contains the IPSECKEYs */
+ resolver_response_t *response;
+ /* IPSECKEYs are not valid before this point in time */
+ time_t notBefore;
+ /* IPSECKEYs are not valid after this point in time */
+ time_t notAfter;
+ /* identity to which the IPSECKEY belongs */
+ identification_t *identity;
+} cert_enumerator_t;
+
+METHOD(enumerator_t, cert_enumerator_enumerate, bool,
+ cert_enumerator_t *this, certificate_t **cert)
+{
+ rr_t *cur_rr = NULL;
+ ipseckey_t *cur_ipseckey = NULL;
+ chunk_t pub_key;
+ public_key_t * key = NULL;
+ bool supported_ipseckey_found = FALSE;
+
+ /* Get the next supported IPSECKEY using the inner enumerator. */
+ while (this->inner->enumerate(this->inner, &cur_rr) &&
+ !supported_ipseckey_found)
+ {
+ supported_ipseckey_found = TRUE;
+
+ cur_ipseckey = ipseckey_create_frm_rr(cur_rr);
+
+ if (!cur_ipseckey)
+ {
+ DBG1(DBG_CFG, "failed to parse ipseckey - skipping this key");
+ supported_ipseckey_found = FALSE;
+ }
+
+ if (cur_ipseckey &&
+ cur_ipseckey->get_algorithm(cur_ipseckey) != IPSECKEY_ALGORITHM_RSA)
+ {
+ DBG1(DBG_CFG, "unsupported ipseckey algorithm -skipping this key");
+ cur_ipseckey->destroy(cur_ipseckey);
+ supported_ipseckey_found = FALSE;
+ }
+ }
+
+ if (supported_ipseckey_found)
+ {
+ /*
+ * Wrap the key of the IPSECKEY in a certificate and return this
+ * certificate.
+ */
+ pub_key = cur_ipseckey->get_public_key(cur_ipseckey);
+
+ key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+ BUILD_BLOB_DNSKEY, pub_key,
+ BUILD_END);
+
+ if (!key)
+ {
+ DBG1(DBG_CFG, "failed to create public key from ipseckey");
+ cur_ipseckey->destroy(cur_ipseckey);
+ return FALSE;
+ }
+
+ *cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_TRUSTED_PUBKEY,
+ BUILD_PUBLIC_KEY, key,
+ BUILD_SUBJECT, this->identity,
+ BUILD_NOT_BEFORE_TIME, this->notBefore,
+ BUILD_NOT_AFTER_TIME, this->notAfter,
+ BUILD_END);
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+METHOD(enumerator_t, cert_enumerator_destroy, void,
+ cert_enumerator_t *this)
+{
+ this->inner->destroy(this->inner);
+ this->response->destroy(this->response);
+ free(this);
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+ private_ipseckey_cred_t *this, certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted)
+{
+ char *fqdn = NULL;
+ resolver_response_t *response = NULL;
+ rr_set_t *rrset = NULL;
+ enumerator_t *rrsig_enum = NULL;
+ rr_t *rrsig = NULL;
+ bio_reader_t *reader = NULL;
+ chunk_t ignore;
+ u_int32_t nBefore, nAfter;
+ cert_enumerator_t *e;
+
+ if (id && id->get_type(id) == ID_FQDN)
+ {
+ /** Query the DNS for the required IPSECKEY RRs */
+
+ if (0 >= asprintf(&fqdn, "%Y", id))
+ {
+ DBG1(DBG_CFG, "empty FQDN string");
+ return enumerator_create_empty();
+ }
+
+ DBG1(DBG_CFG, "performing a DNS query for IPSECKEY RRs of '%s'",
+ fqdn);
+ response = this->res->query(this->res, fqdn, RR_CLASS_IN,
+ RR_TYPE_IPSECKEY);
+ if (!response)
+ {
+ DBG1(DBG_CFG, " query for IPSECKEY RRs failed");
+ free(fqdn);
+ return enumerator_create_empty();
+ }
+
+ if (!response->has_data(response) ||
+ !response->query_name_exist(response))
+ {
+ DBG1(DBG_CFG, " unable to retrieve IPSECKEY RRs from the DNS");
+ response->destroy(response);
+ free(fqdn);
+ return enumerator_create_empty();
+ }
+
+ if (!(response->get_security_state(response) == SECURE))
+ {
+ DBG1(DBG_CFG, " DNSSEC state of IPSECKEY RRs is not secure");
+ response->destroy(response);
+ free(fqdn);
+ return enumerator_create_empty();
+ }
+
+ free(fqdn);
+
+ /** Determine the validity period of the retrieved IPSECKEYs
+ *
+ * We use the "Signature Inception" and "Signature Expiration" field
+ * of the first RRSIG RR to determine the validity period of the
+ * IPSECKEY RRs. TODO: Take multiple RRSIGs into account.
+ */
+ rrset = response->get_rr_set(response);
+ rrsig_enum = rrset->create_rrsig_enumerator(rrset);
+ if (!rrsig_enum || !rrsig_enum->enumerate(rrsig_enum, &rrsig))
+ {
+ DBG1(DBG_CFG, " unable to determine the validity period of "
+ "IPSECKEY RRs because no RRSIGs are present");
+ DESTROY_IF(rrsig_enum);
+ response->destroy(response);
+ return enumerator_create_empty();
+ }
+
+ /**
+ * Parse the RRSIG for its validity period (RFC 4034)
+ */
+ reader = bio_reader_create(rrsig->get_rdata(rrsig));
+ reader->read_data(reader, 8, &ignore);
+ reader->read_uint32(reader, &nAfter);
+ reader->read_uint32(reader, &nBefore);
+ reader->destroy(reader);
+
+ /*Create and return an iterator over the retrieved IPSECKEYs */
+ INIT(e,
+ .public = {
+ .enumerate = (void*)_cert_enumerator_enumerate,
+ .destroy = _cert_enumerator_destroy,
+ },
+ .inner = response->get_rr_set(response)->create_rr_enumerator(
+ response->get_rr_set(response)),
+ .response = response,
+ .notBefore = nBefore,
+ .notAfter = nAfter,
+ .identity = id,
+ );
+
+ return &e->public;
+ }
+
+
+ return enumerator_create_empty();
+}
+
+METHOD(ipseckey_cred_t, destroy, void,
+ private_ipseckey_cred_t *this)
+{
+ this->res->destroy(this->res);
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipseckey_cred_t *ipseckey_cred_create(resolver_t *res)
+{
+ private_ipseckey_cred_t *this;
+
+ INIT(this,
+ .public = {
+ .set = {
+ .create_private_enumerator = (void*)return_null,
+ .create_cert_enumerator = _create_cert_enumerator,
+ .create_shared_enumerator = (void*)return_null,
+ .create_cdp_enumerator = (void*)return_null,
+ .cache_cert = (void*)nop,
+ },
+ .destroy = _destroy,
+ },
+ .res = res,
+ );
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey_cred_i ipseckey_cred
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_CRED_H_
+#define IPSECKEY_CRED_H_
+
+#include <credentials/credential_set.h>
+#include <resolver/resolver.h>
+
+typedef struct ipseckey_cred_t ipseckey_cred_t;
+
+/**
+ * IPSECKEY credential set.
+ *
+ * The ipseckey credential set contains IPSECKEYs as certificates of type
+ * pubkey_cert_t.
+ */
+struct ipseckey_cred_t {
+
+ /**
+ * Implements credential_set_t interface
+ */
+ credential_set_t set;
+
+ /**
+ * Destroy the ipseckey_cred.
+ */
+ void (*destroy)(ipseckey_cred_t *this);
+};
+
+/**
+ * Create an ipseckey_cred instance which uses the given resolver
+ * to query the DNS for IPSECKEY resource records.
+ *
+ * @param res resolver to use
+ * @return credential set
+ */
+ipseckey_cred_t *ipseckey_cred_create(resolver_t *res);
+
+#endif /** IPSECKEY_CRED_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipseckey_plugin.h"
+
+#include <daemon.h>
+#include "ipseckey_cred.h"
+
+typedef struct private_ipseckey_plugin_t private_ipseckey_plugin_t;
+
+
+/**
+ * private data of the ipseckey plugin
+ */
+struct private_ipseckey_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ ipseckey_plugin_t public;
+
+ /**
+ * DNS resolver instance
+ */
+ resolver_t *res;
+
+ /**
+ * credential set
+ */
+ ipseckey_cred_t *cred;
+
+ /**
+ * IPSECKEY based authentication enabled
+ */
+ bool enabled;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_ipseckey_plugin_t *this)
+{
+ return "ipseckey";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_ipseckey_plugin_t *this)
+{
+ if (this->enabled)
+ {
+ lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
+ }
+ this->res->destroy(this->res);
+ DESTROY_IF(this->cred);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ipseckey_plugin_create()
+{
+ private_ipseckey_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .res = lib->resolver->create(lib->resolver),
+ .enabled = lib->settings->get_bool(lib->settings,
+ "charon.plugins.ipseckey.enable", FALSE),
+ );
+
+ if (!this->res)
+ {
+ DBG1(DBG_CFG, "ipseckey_plugin: Failed to create"
+ "a DNS resolver instance");
+ destroy(this);
+ return NULL;
+ }
+
+ if (this->enabled)
+ {
+ this->cred = ipseckey_cred_create(this->res);
+ lib->credmgr->add_set(lib->credmgr, &this->cred->set);
+ }
+
+ return &this->public.plugin;
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey ipseckey
+ * @ingroup cplugins
+ *
+ * @defgroup ipseckey_plugin ipseckey_plugin
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_PLUGIN_H_
+#define IPSECKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ipseckey_plugin_t ipseckey_plugin_t;
+
+/**
+ * IPSECKEY plugin
+ *
+ * The IPSECKEY plugin registers a credential set for IPSECKEYs.
+ *
+ * With this credential set it is possible to authenticate tunnel endpoints
+ * using IPSECKEY resource records which are retrieved from the DNS in a secure
+ * way (DNSSEC).
+ */
+struct ipseckey_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** IPSECKEY_PLUGIN_H_ @}*/
ike_cfg = ike_cfg_create(this->version, TRUE, FALSE,
local, FALSE, this->port + num - 1,
remote, FALSE, IKEV2_NATT_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
}
else
{
local, FALSE,
charon->socket->get_port(charon->socket, FALSE),
remote, FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
}
ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
peer_cfg = peer_cfg_create("load-test", ike_cfg,
ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
- hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
+ hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO,
+ 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create(this->current, ike_cfg,
return &this->public;
}
-
ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
"0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
- address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
+ address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
med_cfg = peer_cfg_create(
"mediation", ike_cfg,
"0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
"0.0.0.0", FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO),
+ FRAGMENTATION_NO, 0),
);
this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
return &this->public;
}
-
"0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
"0.0.0.0", FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO),
+ FRAGMENTATION_NO, 0),
);
this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
return &this->public;
}
-
#ifndef SOL_IPV6
#define SOL_IPV6 IPPROTO_IPV6
#endif
+#ifndef IPV6_TCLASS
+#define IPV6_TCLASS 67
+#endif
/* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
* previously defined IPV6_PKTINFO */
*/
int ipv6_natt;
+ /**
+ * DSCP value set on IPv4 socket
+ */
+ u_int8_t dscp4;
+
+ /**
+ * DSCP value set on IPv4 socket for NAT-T (4500 or natt)
+ */
+ u_int8_t dscp4_natt;
+
+ /**
+ * DSCP value set on IPv6 socket (500 or port)
+ */
+ u_int8_t dscp6;
+
+ /**
+ * DSCP value set on IPv6 socket for NAT-T (4500 or natt)
+ */
+ u_int8_t dscp6_natt;
+
/**
* Maximum packet size to receive
*/
struct msghdr msg;
struct cmsghdr *cmsg;
struct iovec iov;
+ u_int8_t *dscp;
src = packet->get_source(packet);
dst = packet->get_destination(packet);
family = dst->get_family(dst);
if (sport == 0 || sport == this->port)
{
- if (family == AF_INET)
- {
- skt = this->ipv4;
- }
- else
+ switch (family)
{
- skt = this->ipv6;
+ case AF_INET:
+ skt = this->ipv4;
+ dscp = &this->dscp4;
+ break;
+ case AF_INET6:
+ skt = this->ipv6;
+ dscp = &this->dscp6;
+ break;
+ default:
+ return FAILED;
}
}
else if (sport == this->natt)
{
- if (family == AF_INET)
- {
- skt = this->ipv4_natt;
- }
- else
+ switch (family)
{
- skt = this->ipv6_natt;
+ case AF_INET:
+ skt = this->ipv4_natt;
+ dscp = &this->dscp4_natt;
+ break;
+ case AF_INET6:
+ skt = this->ipv6_natt;
+ dscp = &this->dscp6_natt;
+ break;
+ default:
+ return FAILED;
}
}
else
return FAILED;
}
+ /* setting DSCP values per-packet in a cmsg seems not to be supported
+ * on Linux. We instead setsockopt() before sending it, this should be
+ * safe as only a single thread calls send(). */
+ if (*dscp != packet->get_dscp(packet))
+ {
+ if (family == AF_INET)
+ {
+ u_int8_t ds4;
+
+ ds4 = packet->get_dscp(packet) << 2;
+ if (setsockopt(skt, SOL_IP, IP_TOS, &ds4, sizeof(ds4)) == 0)
+ {
+ *dscp = packet->get_dscp(packet);
+ }
+ else
+ {
+ DBG1(DBG_NET, "unable to set IP_TOS on socket: %s",
+ strerror(errno));
+ }
+ }
+ else
+ {
+ u_int ds6;
+
+ ds6 = packet->get_dscp(packet) << 2;
+ if (setsockopt(skt, SOL_IPV6, IPV6_TCLASS, &ds6, sizeof(ds6)) == 0)
+ {
+ *dscp = packet->get_dscp(packet);
+ }
+ else
+ {
+ DBG1(DBG_NET, "unable to set IPV6_TCLASS on socket: %s",
+ strerror(errno));
+ }
+ }
+ }
+
memset(&msg, 0, sizeof(struct msghdr));
msg.msg_name = dst->get_sockaddr(dst);;
msg.msg_namelen = *dst->get_sockaddr_len(dst);
int family, u_int16_t *port)
{
int on = TRUE;
- struct sockaddr_storage addr;
+ union {
+ struct sockaddr sockaddr;
+ struct sockaddr_in sin;
+ struct sockaddr_in6 sin6;
+ } addr;
socklen_t addrlen;
u_int sol, pktinfo = 0;
int skt;
memset(&addr, 0, sizeof(addr));
- addr.ss_family = family;
+ addr.sockaddr.sa_family = family;
/* precalculate constants depending on address family */
switch (family)
{
case AF_INET:
- {
- struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
- htoun32(&sin->sin_addr.s_addr, INADDR_ANY);
- htoun16(&sin->sin_port, *port);
- addrlen = sizeof(struct sockaddr_in);
+ addr.sin.sin_addr.s_addr = htonl(INADDR_ANY);
+ addr.sin.sin_port = htons(*port);
+ addrlen = sizeof(addr.sin);
sol = SOL_IP;
#ifdef IP_PKTINFO
pktinfo = IP_PKTINFO;
pktinfo = IP_RECVDSTADDR;
#endif
break;
- }
case AF_INET6:
- {
- struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
- memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
- htoun16(&sin6->sin6_port, *port);
- addrlen = sizeof(struct sockaddr_in6);
+ memcpy(&addr.sin6.sin6_addr, &in6addr_any, sizeof(in6addr_any));
+ addr.sin6.sin6_port = htons(*port);
+ addrlen = sizeof(addr.sin6);
sol = SOL_IPV6;
pktinfo = IPV6_RECVPKTINFO;
break;
- }
default:
return 0;
}
}
/* bind the socket */
- if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
+ if (bind(skt, &addr.sockaddr, addrlen) < 0)
{
DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
close(skt);
/* retrieve randomly allocated port if needed */
if (*port == 0)
{
- if (getsockname(skt, (struct sockaddr *)&addr, &addrlen) < 0)
+ if (getsockname(skt, &addr.sockaddr, &addrlen) < 0)
{
DBG1(DBG_NET, "unable to determine port: %s", strerror(errno));
close(skt);
switch (family)
{
case AF_INET:
- {
- struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
- *port = untoh16(&sin->sin_port);
+ *port = ntohs(addr.sin.sin_port);
break;
- }
case AF_INET6:
- {
- struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
- *port = untoh16(&sin6->sin6_port);
+ *port = ntohs(addr.sin6.sin6_port);
break;
- }
}
}
return &this->public;
}
-
local, FALSE,
charon->socket->get_port(charon->socket, FALSE),
remote, FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
add_ike_proposals(this, ike_cfg, id);
return ike_cfg;
}
return &this->public;
}
-
msg->add_conn.other.address,
msg->add_conn.other.allow_any,
msg->add_conn.other.ikeport,
- msg->add_conn.fragmentation);
+ msg->add_conn.fragmentation,
+ msg->add_conn.ikedscp);
add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
return ike_cfg;
}
DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
msg->loglevel.level, msg->loglevel.type);
- group = enum_from_name(debug_names, msg->loglevel.type);
- if ((int)group < 0)
+ if (strcaseeq(msg->loglevel.type, "any"))
{
- fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
- return;
+ group = DBG_ANY;
+ }
+ else
+ {
+ group = enum_from_name(debug_names, msg->loglevel.type);
+ if ((int)group < 0)
+ {
+ fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
+ return;
+ }
}
charon->set_level(charon, group, msg->loglevel.level);
}
-I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/libcharon \
-I$(top_srcdir)/src/libtncif \
- -I$(top_srcdir)/src/libtnccs
+ -I$(top_srcdir)/src/libtnccs \
+ -I$(top_srcdir)/src/libtls
AM_CFLAGS = -rdynamic
-I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/libcharon \
-I$(top_srcdir)/src/libtncif \
- -I$(top_srcdir)/src/libtnccs
+ -I$(top_srcdir)/src/libtnccs \
+ -I$(top_srcdir)/src/libtls
AM_CFLAGS = -rdynamic
}
this->connections->add(this->connections, nas_id, user_name, peer,
method);
- method->initiate(method, &out);
+ if (method->initiate(method, &out) == NEED_MORE)
+ {
+ send_response(this, request, code, out, group, msk, source);
+ }
}
else
{
in->get_identifier(in));
}
charon->bus->set_sa(charon->bus, NULL);
+ send_response(this, request, code, out, group, msk, source);
+ this->connections->unlock(this->connections);
}
- send_response(this, request, code, out, group, msk, source);
- out->destroy(out);
-
if (code == RMC_ACCESS_ACCEPT || code == RMC_ACCESS_REJECT)
{
this->connections->remove(this->connections, nas_id, user_name);
}
+ out->destroy(out);
end:
free(message.ptr);
in->destroy(in);
return &this->public;
}
-
#include <collections/linked_list.h>
#include <utils/debug.h>
+#include <threading/rwlock.h>
+#include <processing/jobs/callback_job.h>
+
+#include <daemon.h>
+
+/**
+ * Default PDP connection timeout, in s
+ */
+#define DEFAULT_TIMEOUT 30
typedef struct private_tnc_pdp_connections_t private_tnc_pdp_connections_t;
typedef struct entry_t entry_t;
tnc_pdp_connections_t public;
/**
- * List of TNC PEP RADIUS Connections
+ * TNC PEP RADIUS Connections
*/
linked_list_t *list;
+
+ /**
+ * Lock to access PEP connection list
+ */
+ rwlock_t *lock;
+
+ /**
+ * Connection timeout before we kill non-completed connections, in s
+ */
+ int timeout;
};
/**
* IKE SA used for bus communication
*/
ike_sa_t *ike_sa;
+
+ /**
+ * Timestamp this entry has been created
+ */
+ time_t created;
};
/**
}
}
+/**
+ * Check if any connection has timed out
+ */
+static job_requeue_t check_timeouts(private_tnc_pdp_connections_t *this)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+ time_t now;
+
+ now = time_monotonic(NULL);
+
+ this->lock->write_lock(this->lock);
+ enumerator = this->list->create_enumerator(this->list);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->created + this->timeout <= now)
+ {
+ DBG1(DBG_CFG, "RADIUS connection timed out after %d seconds",
+ this->timeout);
+ this->list->remove_at(this->list, enumerator);
+ free_entry(entry);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
+ return JOB_REQUEUE_NONE;
+}
+
METHOD(tnc_pdp_connections_t, add, void,
private_tnc_pdp_connections_t *this, chunk_t nas_id, chunk_t user_name,
identification_t *peer, eap_method_t *method)
ike_sa_id->destroy(ike_sa_id);
ike_sa->set_other_id(ike_sa, peer);
+ this->lock->read_lock(this->lock);
enumerator = this->list->create_enumerator(this->list);
while (enumerator->enumerate(enumerator, &entry))
{
DBG1(DBG_CFG, "removed stale RADIUS connection");
entry->method = method;
entry->ike_sa = ike_sa;
+ entry->created = time_monotonic(NULL);
break;
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
if (!found)
{
- entry = malloc_thing(entry_t);
- entry->nas_id = chunk_clone(nas_id);
- entry->user_name = chunk_clone(user_name);
- entry->method = method;
- entry->ike_sa = ike_sa;
+ INIT(entry,
+ .nas_id = chunk_clone(nas_id),
+ .user_name = chunk_clone(user_name),
+ .method = method,
+ .ike_sa = ike_sa,
+ .created = time_monotonic(NULL),
+ );
+ this->lock->write_lock(this->lock);
this->list->insert_last(this->list, entry);
+ this->lock->unlock(this->lock);
}
+
+ /* schedule timeout checking */
+ lib->scheduler->schedule_job_ms(lib->scheduler,
+ (job_t*)callback_job_create((callback_job_cb_t)check_timeouts,
+ this, NULL, (callback_job_cancel_t)return_false),
+ this->timeout * 1000);
+
dbg_nas_user(nas_id, user_name, FALSE, "created");
}
enumerator_t *enumerator;
entry_t *entry;
+ this->lock->write_lock(this->lock);
enumerator = this->list->create_enumerator(this->list);
while (enumerator->enumerate(enumerator, &entry))
{
}
}
enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
METHOD(tnc_pdp_connections_t, get_state, eap_method_t*,
entry_t *entry;
eap_method_t *found = NULL;
+ this->lock->read_lock(this->lock);
enumerator = this->list->create_enumerator(this->list);
while (enumerator->enumerate(enumerator, &entry))
{
}
}
enumerator->destroy(enumerator);
+ if (!found)
+ {
+ this->lock->unlock(this->lock);
+ }
dbg_nas_user(nas_id, user_name, !found, "found");
return found;
}
+METHOD(tnc_pdp_connections_t, unlock, void,
+ private_tnc_pdp_connections_t *this)
+{
+ this->lock->unlock(this->lock);
+}
+
METHOD(tnc_pdp_connections_t, destroy, void,
private_tnc_pdp_connections_t *this)
{
+ this->lock->destroy(this->lock);
this->list->destroy_function(this->list, (void*)free_entry);
free(this);
}
.add = _add,
.remove = _remove_,
.get_state = _get_state,
+ .unlock = _unlock,
.destroy = _destroy,
},
.list = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .timeout = lib->settings->get_int(lib->settings,
+ "%s.plugins.tnc-pdp.timeout", DEFAULT_TIMEOUT, charon->name),
);
return &this->public;
}
-
chunk_t user_name);
/**
- * Get the EAP method and IKE_SA of a registered TNC PEP RADIUS Connection
+ * Get the EAP method and IKE_SA of a registered TNC PEP RADIUS Connection.
+ *
+ * If this call succeeds, the connection manager is locked. Call unlock
+ * after using the return objects.
*
* @param nas_id NAS identifier of Policy Enforcement Point
* @param user_name User name of TNC Client
eap_method_t* (*get_state)(tnc_pdp_connections_t *this, chunk_t nas_id,
chunk_t user_name, ike_sa_t **ike_sa);
+ /**
+ * Unlock connections after successfully calling get_state().
+ */
+ void (*unlock)(tnc_pdp_connections_t *this);
+
/**
* Destroys a tnc_pdp_connections_t object.
*/
INCLUDES = \
-I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libtls \
-I$(top_srcdir)/src/libtncif \
-I$(top_srcdir)/src/libtnccs
/*
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
#include <tnc/imc/imc_manager.h>
#include <tnc/imv/imv_manager.h>
+#include <tncif_identity.h>
+
+#include <tls.h>
+
#include <utils/debug.h>
+#include <pen/pen.h>
+#include <bio/bio_writer.h>
#include <collections/linked_list.h>
#include <threading/rwlock.h>
}
METHOD(tnccs_manager_t, create_instance, tnccs_t*,
- private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server)
+ private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server,
+ identification_t *server, identification_t *peer,
+ tnc_ift_type_t transport)
{
enumerator_t *enumerator;
tnccs_entry_t *entry;
{
if (type == entry->type)
{
- protocol = entry->constructor(is_server);
+ protocol = entry->constructor(is_server, server, peer, transport);
if (protocol)
{
break;
}
}
+/**
+ * Write the value of a TNC identity list into the buffer
+ */
+static TNC_Result identity_attribute(TNC_UInt32 buffer_len,
+ TNC_BufferReference buffer,
+ TNC_UInt32 *value_len,
+ linked_list_t *list)
+{
+ bio_writer_t *writer;
+ enumerator_t *enumerator;
+ u_int32_t count;
+ chunk_t value;
+ tncif_identity_t *tnc_id;
+ TNC_Result result = TNC_RESULT_INVALID_PARAMETER;
+
+ count = list->get_count(list);
+ writer = bio_writer_create(4 + TNCIF_IDENTITY_MIN_SIZE * count);
+ writer->write_uint32(writer, count);
+
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &tnc_id))
+ {
+ tnc_id->build(tnc_id, writer);
+ }
+ enumerator->destroy(enumerator);
+
+ value = writer->get_buf(writer);
+ *value_len = value.len;
+ if (buffer && buffer_len >= value.len)
+ {
+ memcpy(buffer, value.ptr, value.len);
+ result = TNC_RESULT_SUCCESS;
+ }
+ writer->destroy(writer);
+
+ return result;
+}
+
METHOD(tnccs_manager_t, get_attribute, TNC_Result,
private_tnc_tnccs_manager_t *this, bool is_imc,
TNC_UInt32 imcv_id,
/* these attributes are supported */
case TNC_ATTRIBUTEID_PRIMARY_IMV_ID:
+ case TNC_ATTRIBUTEID_AR_IDENTITIES:
attribute_match = TRUE;
break;
version = "1.0";
break;
default:
- return TNC_RESULT_INVALID_PARAMETER;
+ return TNC_RESULT_INVALID_PARAMETER;
}
return str_attribute(buffer_len, buffer, value_len, version);
}
case TNC_ATTRIBUTEID_IFT_PROTOCOL:
- return str_attribute(buffer_len, buffer, value_len,
- "IF-T for Tunneled EAP");
+ {
+ char *protocol;
+
+ switch (entry->tnccs->get_transport(entry->tnccs))
+ {
+ case TNC_IFT_EAP_1_0:
+ case TNC_IFT_EAP_1_1:
+ case TNC_IFT_EAP_2_0:
+ protocol = "IF-T for Tunneled EAP";
+ break;
+ case TNC_IFT_TLS_1_0:
+ case TNC_IFT_TLS_2_0:
+ protocol = "IF-T for TLS";
+ break;
+ default:
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return str_attribute(buffer_len, buffer, value_len, protocol);
+ }
case TNC_ATTRIBUTEID_IFT_VERSION:
- return str_attribute(buffer_len, buffer, value_len, "1.1");
+ {
+ char *version;
+
+ switch (entry->tnccs->get_transport(entry->tnccs))
+ {
+ case TNC_IFT_EAP_1_0:
+ case TNC_IFT_TLS_1_0:
+ version = "1.0";
+ break;
+ case TNC_IFT_EAP_1_1:
+ version = "1.1";
+ break;
+ case TNC_IFT_EAP_2_0:
+ case TNC_IFT_TLS_2_0:
+ version = "2.0";
+ break;
+ default:
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return str_attribute(buffer_len, buffer, value_len, version);
+ }
+ case TNC_ATTRIBUTEID_AR_IDENTITIES:
+ {
+ linked_list_t *list;
+ identification_t *peer;
+ tnccs_t *tnccs;
+ tncif_identity_t *tnc_id;
+ u_int32_t id_type, subject_type;
+ TNC_Result result;
+
+ list = linked_list_create();
+ tnccs = entry->tnccs;
+ peer = tnccs->tls.get_peer_id(&tnccs->tls);
+ if (peer)
+ {
+ switch (peer->get_type(peer))
+ {
+ case ID_IPV4_ADDR:
+ id_type = TNC_ID_IPV4_ADDR;
+ subject_type = TNC_SUBJECT_MACHINE;
+ break;
+ case ID_IPV6_ADDR:
+ id_type = TNC_ID_IPV6_ADDR;
+ subject_type = TNC_SUBJECT_MACHINE;
+ break;
+ case ID_FQDN:
+ id_type = TNC_ID_USER_NAME;
+ subject_type = TNC_SUBJECT_USER;
+ break;
+ case ID_RFC822_ADDR:
+ id_type = TNC_ID_RFC822_ADDR;
+ subject_type = TNC_SUBJECT_USER;
+ break;
+ case ID_DER_ASN1_DN:
+ id_type = TNC_ID_DER_ASN1_DN;
+ subject_type = TNC_SUBJECT_USER;
+ break;
+ case ID_DER_ASN1_GN:
+ id_type = TNC_ID_DER_ASN1_GN;
+ subject_type = TNC_SUBJECT_UNKNOWN;
+ break;
+ default:
+ id_type = TNC_ID_UNKNOWN;
+ subject_type = TNC_SUBJECT_UNKNOWN;
+ }
+ if (id_type != TNC_ID_UNKNOWN)
+ {
+ tnc_id = tncif_identity_create(
+ pen_type_create(PEN_TCG, id_type),
+ peer->get_encoding(peer),
+ pen_type_create(PEN_TCG, subject_type),
+ pen_type_create(PEN_TCG,
+ tnccs->get_auth_type(tnccs)));
+ list->insert_last(list, tnc_id);
+ }
+ }
+ result = identity_attribute(buffer_len, buffer, value_len, list);
+ list->destroy_offset(list, offsetof(tncif_identity_t, destroy));
+ return result;
+ }
default:
return TNC_RESULT_INVALID_PARAMETER;
}
/*
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
struct private_tnccs_11_t {
/**
- * Public tls_t interface.
+ * Public tnccs_t interface.
*/
- tls_t public;
+ tnccs_t public;
/**
* TNCC if TRUE, TNCS if FALSE
*/
bool is_server;
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Client identity
+ */
+ identification_t *peer;
+
+ /**
+ * Underlying TNC IF-T transport protocol
+ */
+ tnc_ift_type_t transport;
+
+ /**
+ * Type of TNC client authentication
+ */
+ u_int32_t auth_type;
+
/**
* Connection ID assigned to this TNCCS connection
*/
return this->is_server;
}
+METHOD(tls_t, get_server_id, identification_t*,
+ private_tnccs_11_t *this)
+{
+ return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+ private_tnccs_11_t *this)
+{
+ return this->peer;
+}
+
METHOD(tls_t, get_purpose, tls_purpose_t,
private_tnccs_11_t *this)
{
{
tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
this->is_server);
+ this->server->destroy(this->server);
+ this->peer->destroy(this->peer);
this->mutex->destroy(this->mutex);
DESTROY_IF(this->batch);
free(this);
}
+METHOD(tnccs_t, get_transport, tnc_ift_type_t,
+ private_tnccs_11_t *this)
+{
+ return this->transport;
+}
+
+METHOD(tnccs_t, set_transport, void,
+ private_tnccs_11_t *this, tnc_ift_type_t transport)
+{
+ this->transport = transport;
+}
+
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+ private_tnccs_11_t *this)
+{
+ return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+ private_tnccs_11_t *this, u_int32_t auth_type)
+{
+ this->auth_type = auth_type;
+}
+
/**
* See header
*/
-tls_t *tnccs_11_create(bool is_server)
+tnccs_t* tnccs_11_create(bool is_server,
+ identification_t *server,
+ identification_t *peer,
+ tnc_ift_type_t transport)
{
private_tnccs_11_t *this;
INIT(this,
.public = {
- .process = _process,
- .build = _build,
- .is_server = _is_server,
- .get_purpose = _get_purpose,
- .is_complete = _is_complete,
- .get_eap_msk = _get_eap_msk,
- .destroy = _destroy,
+ .tls = {
+ .process = _process,
+ .build = _build,
+ .is_server = _is_server,
+ .get_server_id = _get_server_id,
+ .get_peer_id = _get_peer_id,
+ .get_purpose = _get_purpose,
+ .is_complete = _is_complete,
+ .get_eap_msk = _get_eap_msk,
+ .destroy = _destroy,
+ },
+ .get_transport = _get_transport,
+ .set_transport = _set_transport,
+ .get_auth_type = _get_auth_type,
+ .set_auth_type = _set_auth_type,
},
.is_server = is_server,
+ .server = server->clone(server),
+ .peer = peer->clone(peer),
+ .transport = transport,
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.max_msg_len = lib->settings->get_int(lib->settings,
"%s.plugins.tnccs-11.max_message_size", 45000,
/*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
#include <library.h>
-#include <tls.h>
+#include <tnc/tnccs/tnccs.h>
/**
* Create an instance of the TNC IF-TNCCS 1.1 protocol handler.
*
- * @param is_server TRUE to act as TNC Server, FALSE for TNC Client
- * @return TNC_IF_TNCCS 1.1 protocol stack
+ * @param is_server TRUE to act as TNC Server, FALSE for TNC Client
+ * @param server Server identity
+ * @param peer Client identity
+ * @param transport Underlying IF-T transport protocol
+ * @return TNC_IF_TNCCS 1.1 protocol stack
*/
-tls_t *tnccs_11_create(bool is_server);
+tnccs_t* tnccs_11_create(bool is_server,
+ identification_t *server,
+ identification_t *peer,
+ tnc_ift_type_t transport);
#endif /** TNCCS_11_H_ @}*/
static plugin_feature_t f[] = {
PLUGIN_CALLBACK(tnccs_method_register, tnccs_11_create),
PLUGIN_PROVIDE(CUSTOM, "tnccs-1.1"),
- PLUGIN_DEPENDS(EAP_SERVER, EAP_TNC),
- PLUGIN_DEPENDS(EAP_PEER, EAP_TNC),
PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
};
*features = f;
return &this->plugin;
}
-
}
else
{
+ if (msg_type == PB_MSG_EXPERIMENTAL && noskip_flag)
+ {
+ DBG1(DBG_TNC, "reject PB-Experimental message with NOSKIP flag set");
+ msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF,
+ PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset);
+ goto fatal;
+ }
if (pb_tnc_msg_infos[msg_type].has_noskip_flag != TRUE_OR_FALSE &&
pb_tnc_msg_infos[msg_type].has_noskip_flag != noskip_flag)
{
{
DBG1(DBG_TNC, "PA Subtype 0x%08x is reserved", PA_RESERVED_SUBTYPE);
*offset = 4;
+ return FAILED;
}
return SUCCESS;
pb_tnc_msg_type_t type;
/**
- * Remediation Parameters Vendor ID
+ * Remediation Parameters Type
*/
- u_int32_t vendor_id;
+ pen_type_t parameters_type;
/**
- * Remediation Parameters Type
+ * Remediation Parameters
*/
- u_int32_t parameters_type;
+ chunk_t parameters;
/**
- * Remediation Parameters string
+ * Remediation String
*/
- chunk_t remediation_string;
+ chunk_t string;
/**
- * Language code
+ * Remediation Language Code
*/
- chunk_t language_code;
+ chunk_t lang_code;
/**
* Encoded message
return;
}
writer = bio_writer_create(64);
- writer->write_uint32(writer, this->vendor_id);
- writer->write_uint32(writer, this->parameters_type);
- writer->write_data32(writer, this->remediation_string);
- writer->write_data8 (writer, this->language_code);
+ writer->write_uint32(writer, this->parameters_type.vendor_id);
+ writer->write_uint32(writer, this->parameters_type.type);
+ writer->write_data32(writer, this->parameters);
this->encoding = writer->get_buf(writer);
this->encoding = chunk_clone(this->encoding);
private_pb_remediation_parameters_msg_t *this, u_int32_t *offset)
{
bio_reader_t *reader;
+ u_int8_t reserved;
+ status_t status = SUCCESS;
+ u_char *pos;
+
+ *offset = 0;
/* process message */
reader = bio_reader_create(this->encoding);
- reader->read_uint32(reader, &this->vendor_id);
- reader->read_uint32(reader, &this->parameters_type);
+ reader->read_uint8 (reader, &reserved);
+ reader->read_uint24(reader, &this->parameters_type.vendor_id);
+ reader->read_uint32(reader, &this->parameters_type.type);
+ reader->read_data (reader, reader->remaining(reader), &this->parameters);
- if (!reader->read_data32(reader, &this->remediation_string))
+ this->parameters = chunk_clone(this->parameters);
+ reader->destroy(reader);
+
+ if (this->parameters_type.vendor_id == PEN_IETF &&
+ this->parameters_type.type == PB_REMEDIATION_STRING)
{
- DBG1(DBG_TNC, "could not parse remediation string");
- reader->destroy(reader);
+ reader = bio_reader_create(this->parameters);
+ status = FAILED;
*offset = 8;
- return FAILED;
- };
- this->remediation_string = chunk_clone(this->remediation_string);
- if (this->remediation_string.len &&
- this->remediation_string.ptr[this->remediation_string.len-1] == '\0')
- {
- DBG1(DBG_TNC, "remediation string must not be null terminated");
+ if (!reader->read_data32(reader, &this->string))
+ {
+ DBG1(DBG_TNC, "insufficient data for remediation string");
+ goto end;
+ };
+ *offset += 4;
+
+ pos = memchr(this->string.ptr, '\0', this->string.len);
+ if (pos)
+ {
+ DBG1(DBG_TNC, "nul termination in remediation string");
+ *offset += (pos - this->string.ptr);
+ goto end;
+ }
+ *offset += this->string.len;
+
+ if (!reader->read_data8(reader, &this->lang_code))
+ {
+ DBG1(DBG_TNC, "insufficient data for remediation string lang code");
+ goto end;
+ };
+ *offset += 1;
+
+ pos = memchr(this->lang_code.ptr, '\0', this->lang_code.len);
+
+ if (pos)
+ {
+ DBG1(DBG_TNC, "nul termination in remediation string lang code");
+ *offset += (pos - this->lang_code.ptr);
+ goto end;
+ }
+ status = SUCCESS;
+
+end:
reader->destroy(reader);
- *offset = 11 + this->remediation_string.len;
- return FAILED;
}
-
- if (!reader->read_data8(reader, &this->language_code))
- {
- DBG1(DBG_TNC, "could not parse language code");
- reader->destroy(reader);
- *offset = 12 + this->remediation_string.len;
- return FAILED;
- };
- this->language_code = chunk_clone(this->language_code);
- reader->destroy(reader);
-
- if (this->language_code.len &&
- this->language_code.ptr[this->language_code.len-1] == '\0')
- {
- DBG1(DBG_TNC, "language code must not be null terminated");
- *offset = 12 + this->remediation_string.len + this->language_code.len;
- return FAILED;
- }
-
- return SUCCESS;
+ return status;
}
METHOD(pb_tnc_msg_t, destroy, void,
private_pb_remediation_parameters_msg_t *this)
{
free(this->encoding.ptr);
- free(this->remediation_string.ptr);
- free(this->language_code.ptr);
+ free(this->parameters.ptr);
free(this);
}
-METHOD(pb_remediation_parameters_msg_t, get_vendor_id, u_int32_t,
- private_pb_remediation_parameters_msg_t *this, u_int32_t *type)
+METHOD(pb_remediation_parameters_msg_t, get_parameters_type, pen_type_t,
+ private_pb_remediation_parameters_msg_t *this)
{
- *type = this->parameters_type;
- return this->vendor_id;
+ return this->parameters_type;
}
-METHOD(pb_remediation_parameters_msg_t, get_remediation_string, chunk_t,
+METHOD(pb_remediation_parameters_msg_t, get_parameters, chunk_t,
private_pb_remediation_parameters_msg_t *this)
{
- return this->remediation_string;
+ return this->parameters;
}
-METHOD(pb_remediation_parameters_msg_t, get_language_code, chunk_t,
- private_pb_remediation_parameters_msg_t *this)
+METHOD(pb_remediation_parameters_msg_t, get_string, chunk_t,
+ private_pb_remediation_parameters_msg_t *this, chunk_t *lang_code)
{
- return this->language_code;
+ if (lang_code)
+ {
+ *lang_code = this->lang_code;
+ }
+ return this->string;
}
/**
* See header
*/
-pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data)
+pb_tnc_msg_t* pb_remediation_parameters_msg_create(pen_type_t parameters_type,
+ chunk_t parameters)
{
private_pb_remediation_parameters_msg_t *this;
.process = _process,
.destroy = _destroy,
},
- .get_vendor_id = _get_vendor_id,
- .get_remediation_string = _get_remediation_string,
- .get_language_code = _get_language_code,
+ .get_parameters_type = _get_parameters_type,
+ .get_parameters = _get_parameters,
+ .get_uri = _get_parameters,
+ .get_string = _get_string,
},
- .type = PB_MSG_REASON_STRING,
- .encoding = chunk_clone(data),
+ .type = PB_MSG_REMEDIATION_PARAMETERS,
+ .parameters_type = parameters_type,
+ .parameters = chunk_clone(parameters),
);
return &this->public.pb_interface;
}
+/**
+ * Described in header.
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_uri(chunk_t uri)
+{
+ pen_type_t type = { PEN_IETF, PB_REMEDIATION_URI };
+
+ return pb_remediation_parameters_msg_create(type, uri);
+}
+
+/**
+ * Described in header.
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_string(chunk_t string,
+ chunk_t lang_code)
+{
+ pb_tnc_msg_t *msg;
+ bio_writer_t *writer;
+ pen_type_t type = { PEN_IETF, PB_REMEDIATION_STRING };
+
+ /* limit language code to 255 octets */
+ lang_code.len = min(255, lang_code.len);
+
+ writer = bio_writer_create(4 + string.len + 1 + lang_code.len);
+ writer->write_data32(writer, string);
+ writer->write_data8 (writer, lang_code);
+
+ msg = pb_remediation_parameters_msg_create(type, writer->get_buf(writer));
+ writer->destroy(writer);
+
+ return msg;
+}
+
/**
* See header
*/
-pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id,
- u_int32_t type,
- chunk_t remediation_string,
- chunk_t language_code)
+pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data)
{
private_pb_remediation_parameters_msg_t *this;
.process = _process,
.destroy = _destroy,
},
- .get_vendor_id = _get_vendor_id,
- .get_remediation_string = _get_remediation_string,
- .get_language_code = _get_language_code,
+ .get_parameters_type = _get_parameters_type,
+ .get_parameters = _get_parameters,
+ .get_uri = _get_parameters,
+ .get_string = _get_string,
},
- .type = PB_MSG_REASON_STRING,
- .vendor_id = vendor_id,
- .parameters_type = type,
- .remediation_string = chunk_clone(remediation_string),
- .language_code = chunk_clone(language_code),
+ .type = PB_MSG_REMEDIATION_PARAMETERS,
+ .encoding = chunk_clone(data),
);
return &this->public.pb_interface;
}
+
/*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
#include "pb_tnc_msg.h"
+#include <pen/pen.h>
+
/**
* PB-TNC Remediation Parameter Types as defined in section 4.8.1 of RFC 5793
*/
pb_tnc_msg_t pb_interface;
/**
- * Get Remediation Parameters Vendor ID and Type
+ * Get the Remediation Parameters Type (Vendor ID and Type)
*
- * @param type Remediation Parameters Type
- * @return Remediation Parameters Vendor ID
+ * @return Remediation Parameters Type
*/
- u_int32_t (*get_vendor_id)(pb_remediation_parameters_msg_t *this,
- u_int32_t *type);
+ pen_type_t (*get_parameters_type)(pb_remediation_parameters_msg_t *this);
/**
- * Get Remediation String
+ * Get the Remediation Parameters
*
- * @return Remediation String
+ * @return Remediation Parameters
*/
- chunk_t (*get_remediation_string)(pb_remediation_parameters_msg_t *this);
+ chunk_t (*get_parameters)(pb_remediation_parameters_msg_t *this);
/**
- * Get Reason String Language Code
+ * Get the Remediation URI
*
- * @return Language Code
+ * @return Remediation URI
*/
- chunk_t (*get_language_code)(pb_remediation_parameters_msg_t *this);
+ chunk_t (*get_uri)(pb_remediation_parameters_msg_t *this);
+
+ /**
+ * Get the Remediation String
+ *
+ * @param lang_code Optional Language Code
+ * @return Remediation String
+ */
+ chunk_t (*get_string)(pb_remediation_parameters_msg_t *this,
+ chunk_t *lang_code);
+
};
/**
- * Create a PB-Remediation-Parameters message from parameters
+ * Create a general PB-Remediation-Parameters message
+ *
+ * @param parameters_type Remediation Parameters Type
+ * @param parameters Remediation Parameters
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create(pen_type_t parameters_type,
+ chunk_t parameters);
+
+/**
+ * Create a PB-Remediation-Parameters message of IETF Type Remediation URI
+ *
+ * @param uri Remediation URI
+ */
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_uri(chunk_t uri);
+
+/**
+ * Create a PB-Remediation-Parameters message of IETF Type Remediation String
*
- * @param vendor_id Remediation Parameters Vendor ID
- * @param type Remediation Parameters Type
- * @param remediation_string Remediation String
- * @param language_code Language Code
+ * @param string Remediation String
+ * @param lang_code Remediation String Language Code
*/
-pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id,
- u_int32_t type,
- chunk_t remediation_string,
- chunk_t language_code);
+pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_string(chunk_t string,
+ chunk_t lang_code);
/**
* Create an unprocessed PB-Remediation-Parameters message from raw data
/*
* Copyright (C) 2010 Sansar Choinyanbuu
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
struct private_tnccs_20_t {
/**
- * Public tls_t interface.
+ * Public tnccs_t interface.
*/
- tls_t public;
+ tnccs_t public;
/**
* TNCC if TRUE, TNCS if FALSE
*/
bool is_server;
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Client identity
+ */
+ identification_t *peer;
+
+ /**
+ * Underlying TNC IF-T transport protocol
+ */
+ tnc_ift_type_t transport;
+
+ /**
+ * Type of TNC client authentication
+ */
+ u_int32_t auth_type;
+
/**
* PB-TNC State Machine
*/
}
case PB_MSG_REMEDIATION_PARAMETERS:
{
- /* TODO : Remediation parameters message processing */
+ pb_remediation_parameters_msg_t *rem_msg;
+ pen_type_t parameters_type;
+ chunk_t parameters, string, lang_code;
+
+ rem_msg = (pb_remediation_parameters_msg_t*)msg;
+ parameters_type = rem_msg->get_parameters_type(rem_msg);
+ parameters = rem_msg->get_parameters(rem_msg);
+
+ if (parameters_type.vendor_id == PEN_IETF)
+ {
+ switch (parameters_type.type)
+ {
+ case PB_REMEDIATION_URI:
+ DBG1(DBG_TNC, "remediation uri: %.*s",
+ parameters.len, parameters.ptr);
+ break;
+ case PB_REMEDIATION_STRING:
+ string = rem_msg->get_string(rem_msg, &lang_code);
+ DBG1(DBG_TNC, "remediation string: [%.*s]\n%.*s",
+ lang_code.len, lang_code.ptr,
+ string.len, string.ptr);
+ break;
+ default:
+ DBG1(DBG_TNC, "remediation parameters: %B", ¶meters);
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, "remediation parameters: %B", ¶meters);
+ }
break;
}
case PB_MSG_ERROR:
lang_msg = (pb_language_preference_msg_t*)msg;
lang = lang_msg->get_language_preference(lang_msg);
- DBG2(DBG_TNC, "setting language preference to '%.*s'",
- (int)lang.len, lang.ptr);
- this->recs->set_preferred_language(this->recs, lang);
+ if (this->recs)
+ {
+ DBG2(DBG_TNC, "setting language preference to '%.*s'",
+ (int)lang.len, lang.ptr);
+ this->recs->set_preferred_language(this->recs, lang);
+ }
break;
}
case PB_MSG_REASON_STRING:
return this->is_server;
}
+METHOD(tls_t, get_server_id, identification_t*,
+ private_tnccs_20_t *this)
+{
+ return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+ private_tnccs_20_t *this)
+{
+ return this->peer;
+}
+
METHOD(tls_t, get_purpose, tls_purpose_t,
private_tnccs_20_t *this)
{
{
tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
this->is_server);
+ this->server->destroy(this->server);
+ this->peer->destroy(this->peer);
this->state_machine->destroy(this->state_machine);
this->mutex->destroy(this->mutex);
this->messages->destroy_offset(this->messages,
free(this);
}
+METHOD(tnccs_t, get_transport, tnc_ift_type_t,
+ private_tnccs_20_t *this)
+{
+ return this->transport;
+}
+
+METHOD(tnccs_t, set_transport, void,
+ private_tnccs_20_t *this, tnc_ift_type_t transport)
+{
+ this->transport = transport;
+}
+
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+ private_tnccs_20_t *this)
+{
+ return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+ private_tnccs_20_t *this, u_int32_t auth_type)
+{
+ this->auth_type = auth_type;
+}
+
/**
* See header
*/
-tls_t *tnccs_20_create(bool is_server)
+tnccs_t* tnccs_20_create(bool is_server,
+ identification_t *server,
+ identification_t *peer,
+ tnc_ift_type_t transport)
{
private_tnccs_20_t *this;
INIT(this,
.public = {
- .process = _process,
- .build = _build,
- .is_server = _is_server,
- .get_purpose = _get_purpose,
- .is_complete = _is_complete,
- .get_eap_msk = _get_eap_msk,
- .destroy = _destroy,
+ .tls = {
+ .process = _process,
+ .build = _build,
+ .is_server = _is_server,
+ .get_server_id = _get_server_id,
+ .get_peer_id = _get_peer_id,
+ .get_purpose = _get_purpose,
+ .is_complete = _is_complete,
+ .get_eap_msk = _get_eap_msk,
+ .destroy = _destroy,
+ },
+ .get_transport = _get_transport,
+ .set_transport = _set_transport,
+ .get_auth_type = _get_auth_type,
+ .set_auth_type = _set_auth_type,
},
.is_server = is_server,
+ .server = server->clone(server),
+ .peer = peer->clone(peer),
+ .transport = transport,
.state_machine = pb_tnc_state_machine_create(is_server),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.messages = linked_list_create(),
/*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
#include <library.h>
-#include <tls.h>
+#include <tnc/tnccs/tnccs.h>
/**
* Create an instance of the TNC IF-TNCCS 2.0 protocol handler.
*
- * @param is_server TRUE to act as TNC Server, FALSE for TNC Client
- * @return TNC_IF_TNCCS 2.0 protocol stack
+ * @param is_server TRUE to act as TNC Server, FALSE for TNC Client
+ * @param server Server identity
+ * @param peer Client identity
+ * @param transport Underlying IF-T transport protocol
+ * @return TNC_IF_TNCCS 2.0 protocol stack
*/
-tls_t *tnccs_20_create(bool is_server);
+tnccs_t* tnccs_20_create(bool is_server,
+ identification_t *server,
+ identification_t *peer,
+ tnc_ift_type_t transport);
#endif /** TNCCS_20_H_ @}*/
static plugin_feature_t f[] = {
PLUGIN_CALLBACK(tnccs_method_register, tnccs_20_create),
PLUGIN_PROVIDE(CUSTOM, "tnccs-2.0"),
- PLUGIN_DEPENDS(EAP_SERVER, EAP_TNC),
- PLUGIN_DEPENDS(EAP_PEER, EAP_TNC),
PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
};
*features = f;
return &this->plugin;
}
-
/*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
struct private_tnccs_dynamic_t {
/**
- * Public tls_t interface.
+ * Public tnccs_t interface.
*/
- tls_t public;
+ tnccs_t public;
+
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Client identity
+ */
+ identification_t *peer;
/**
* Detected TNC IF-TNCCS stack
*/
tls_t *tls;
+
+ /**
+ * Underlying TNC IF-T transport protocol
+ */
+ tnc_ift_type_t transport;
+
+ /**
+ * Type of TNC client authentication
+ */
+ u_int32_t auth_type;
+
};
/**
private_tnccs_dynamic_t *this, void *buf, size_t buflen)
{
tnccs_type_t type;
+ tnccs_t *tnccs;
if (!this->tls)
{
type = determine_tnccs_protocol(*(char*)buf);
DBG1(DBG_TNC, "%N protocol detected dynamically",
tnccs_type_names, type);
- this->tls = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, type, TRUE);
- if (!this->tls)
+ tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
+ this->server, this->peer, this->transport);
+ if (!tnccs)
{
DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
return FAILED;
}
+ tnccs->set_auth_type(tnccs, this->auth_type);
+ this->tls = &tnccs->tls;
}
return this->tls->process(this->tls, buf, buflen);
}
return TRUE;
}
+METHOD(tls_t, get_server_id, identification_t*,
+ private_tnccs_dynamic_t *this)
+{
+ return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+ private_tnccs_dynamic_t *this)
+{
+ return this->peer;
+}
+
METHOD(tls_t, get_purpose, tls_purpose_t,
private_tnccs_dynamic_t *this)
{
private_tnccs_dynamic_t *this)
{
DESTROY_IF(this->tls);
+ this->server->destroy(this->server);
+ this->peer->destroy(this->peer);
free(this);
}
+METHOD(tnccs_t, get_transport, tnc_ift_type_t,
+ private_tnccs_dynamic_t *this)
+{
+ return this->transport;
+}
+
+METHOD(tnccs_t, set_transport, void,
+ private_tnccs_dynamic_t *this, tnc_ift_type_t transport)
+{
+ this->transport = transport;
+}
+
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+ private_tnccs_dynamic_t *this)
+{
+ return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+ private_tnccs_dynamic_t *this, u_int32_t auth_type)
+{
+ this->auth_type = auth_type;
+}
+
/**
* See header
*/
-tls_t *tnccs_dynamic_create(bool is_server)
+tnccs_t* tnccs_dynamic_create(bool is_server,
+ identification_t *server,
+ identification_t *peer,
+ tnc_ift_type_t transport)
{
private_tnccs_dynamic_t *this;
INIT(this,
.public = {
- .process = _process,
- .build = _build,
- .is_server = _is_server,
- .get_purpose = _get_purpose,
- .is_complete = _is_complete,
- .get_eap_msk = _get_eap_msk,
- .destroy = _destroy,
+ .tls = {
+ .process = _process,
+ .build = _build,
+ .is_server = _is_server,
+ .get_server_id = _get_server_id,
+ .get_peer_id = _get_peer_id,
+ .get_purpose = _get_purpose,
+ .is_complete = _is_complete,
+ .get_eap_msk = _get_eap_msk,
+ .destroy = _destroy,
+ },
+ .get_transport = _get_transport,
+ .set_transport = _set_transport,
+ .get_auth_type = _get_auth_type,
+ .set_auth_type = _set_auth_type,
},
+ .server = server->clone(server),
+ .peer = peer->clone(peer),
+ .transport = transport,
);
return &this->public;
/*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
#include <library.h>
-#include <tls.h>
+#include <tnc/tnccs/tnccs.h>
/**
* Create an instance of a dynamic TNC IF-TNCCS protocol handler.
*
- * @param is_server TRUE to act as TNC Server, FALSE for TNC Client
- * @return dynamic TNC IF-TNCCS protocol stack
+ * @param is_server TRUE to act as TNC Server, FALSE for TNC Client
+ * @param server Server identity
+ * @param peer Client identity
+ * @param transport Underlying IF-T transport protocol
+ * @return dynamic TNC IF-TNCCS protocol stack
*/
-tls_t *tnccs_dynamic_create(bool is_server);
+tnccs_t* tnccs_dynamic_create(bool is_server,
+ identification_t *server,
+ identification_t *peer,
+ tnc_ift_type_t transport);
#endif /** TNCCS_DYNAMIC_H_ @}*/
PLUGIN_PROVIDE(CUSTOM, "tnccs-dynamic"),
PLUGIN_DEPENDS(CUSTOM, "tnccs-1.1"),
PLUGIN_DEPENDS(CUSTOM, "tnccs-2.0"),
- PLUGIN_DEPENDS(EAP_SERVER, EAP_TNC),
- PLUGIN_DEPENDS(EAP_PEER, EAP_TNC),
};
*features = f;
return countof(f);
return &this->plugin;
}
-
local_addr, FALSE,
charon->socket->get_port(charon->socket, FALSE),
remote_addr, FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
this->peer_cfg = peer_cfg_create(
name, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
local_addr, FALSE,
charon->socket->get_port(charon->socket, FALSE),
remote_addr, FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
this->ike_cfg->add_proposal(this->ike_cfg,
create_proposal(ike_proposal, PROTO_IKE));
return &this->public;
}
-
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_inner_method eap_inner_method
+ * @{ @ingroup eap
+ */
+
+#ifndef EAP_INNER_METHOD_H_
+#define EAP_INNER_METHOD_H_
+
+typedef struct eap_inner_method_t eap_inner_method_t;
+
+#include <library.h>
+
+#include "eap_method.h"
+
+/**
+ * Interface of a weak inner EAP method like EAP-TNC or PT-EAP
+ * that must be encapsulated in a strong TLS-based EAP method
+ */
+struct eap_inner_method_t {
+
+ /*
+ * Public EAP method interface
+ */
+ eap_method_t eap_method;
+
+ /*
+ * Get type of outer EAP authentication method
+ *
+ * @return outer EAP authentication type
+ */
+ eap_type_t (*get_auth_type)(eap_inner_method_t *this);
+
+ /*
+ * Set type of outer EAP Client/Server authentication
+ *
+ * @param type outer EAP authentication type
+ */
+ void (*set_auth_type)(eap_inner_method_t *this, eap_type_t type);
+
+};
+
+#endif /** EAP_INNER_METHOD_H_ @}*/
}
}
+/**
+ * Set configured DSCP value on packet
+ */
+static void set_dscp(private_ike_sa_t *this, packet_t *packet)
+{
+ ike_cfg_t *ike_cfg;
+
+ /* prefer IKE config on peer_cfg, as its selection is more accurate
+ * then the initial IKE config */
+ if (this->peer_cfg)
+ {
+ ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
+ }
+ else
+ {
+ ike_cfg = this->ike_cfg;
+ }
+ if (ike_cfg)
+ {
+ packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
+ }
+}
+
METHOD(ike_sa_t, generate_message, status_t,
private_ike_sa_t *this, message_t *message, packet_t **packet)
{
status_t status;
if (message->is_encoded(message))
- { /* already done */
+ { /* already encoded in task, but set DSCP value */
*packet = message->get_packet(message);
+ set_dscp(this, *packet);
return SUCCESS;
}
this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
status = message->generate(message, this->keymat, packet);
if (status == SUCCESS)
{
+ set_dscp(this, *packet);
charon->bus->message(charon->bus, message, FALSE, FALSE);
}
return status;
{
DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', "
"received INITIAL_CONTACT", other);
+ charon->bus->ike_updown(charon->bus, duplicate, FALSE);
checkin_and_destroy(this, duplicate);
continue;
}
return NEED_MORE;
}
-METHOD(task_t, return_success, status_t,
- private_ike_dpd_t *this, message_t *message)
-{
- return SUCCESS;
-}
-
METHOD(task_t, get_type, task_type_t,
private_ike_dpd_t *this)
{
if (initiator)
{
this->public.task.build = _return_need_more;
- this->public.task.process = _return_success;
+ this->public.task.process = (void*)return_success;
}
else
{
- this->public.task.build = _return_success;
+ this->public.task.build = (void*)return_success;
this->public.task.process = _return_need_more;
}
}
/**
- * Described in header.
+ * Generic constructor
*/
-pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_type_t error_code,
- chunk_t msg_info)
+static private_ietf_attr_pa_tnc_error_t* create_generic()
{
private_ietf_attr_pa_tnc_error_t *this;
- if (error_code.vendor_id == PEN_IETF)
- {
- msg_info.len = PA_ERROR_MSG_INFO_SIZE;
- }
- else if (msg_info.len > PA_ERROR_MSG_INFO_MAX_SIZE)
- {
- msg_info.len = PA_ERROR_MSG_INFO_MAX_SIZE;
- }
-
INIT(this,
.public = {
.pa_tnc_attribute = {
.get_offset = _get_offset,
},
.type = { PEN_IETF, IETF_ATTR_PA_TNC_ERROR },
- .error_code = error_code,
- .msg_info = chunk_clone(msg_info),
.ref = 1,
);
+ return this;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_type_t error_code,
+ chunk_t msg_info)
+{
+ private_ietf_attr_pa_tnc_error_t *this;
+
+ if (error_code.vendor_id == PEN_IETF)
+ {
+ msg_info.len = PA_ERROR_MSG_INFO_SIZE;
+ }
+ else if (msg_info.len > PA_ERROR_MSG_INFO_MAX_SIZE)
+ {
+ msg_info.len = PA_ERROR_MSG_INFO_MAX_SIZE;
+ }
+
+ this = create_generic();
+ this->error_code = error_code;
+ this->msg_info = chunk_clone(msg_info);
+
return &this->public.pa_tnc_attribute;
}
/* the first 8 bytes of the erroneous PA-TNC message are sent back */
msg_info.len = PA_ERROR_MSG_INFO_SIZE;
- INIT(this,
- .public = {
- .pa_tnc_attribute = {
- .get_type = _get_type,
- .get_value = _get_value,
- .get_noskip_flag = _get_noskip_flag,
- .set_noskip_flag = _set_noskip_flag,
- .build = _build,
- .process = _process,
- .get_ref = _get_ref,
- .destroy = _destroy,
- },
- .get_error_code = _get_error_code,
- .get_msg_info = _get_msg_info,
- .get_attr_info = _get_attr_info,
- .set_attr_info = _set_attr_info,
- .get_offset = _get_offset,
- },
- .type = { PEN_IETF, IETF_ATTR_PA_TNC_ERROR },
- .error_code = error_code,
- .msg_info = chunk_clone(msg_info),
- .error_offset = error_offset,
- .ref = 1,
- );
+ this = create_generic();
+ this->error_code = error_code;
+ this->msg_info = chunk_clone(msg_info);
+ this->error_offset = error_offset;
return &this->public.pa_tnc_attribute;
}
{
private_ietf_attr_pa_tnc_error_t *this;
- INIT(this,
- .public = {
- .pa_tnc_attribute = {
- .get_type = _get_type,
- .get_value = _get_value,
- .get_noskip_flag = _get_noskip_flag,
- .set_noskip_flag = _set_noskip_flag,
- .build = _build,
- .process = _process,
- .get_ref = _get_ref,
- .destroy = _destroy,
- },
- .get_error_code = _get_error_code,
- .get_msg_info = _get_msg_info,
- .get_attr_info = _get_attr_info,
- .set_attr_info = _set_attr_info,
- .get_offset = _get_offset,
- },
- .type = { PEN_IETF, IETF_ATTR_PA_TNC_ERROR },
- .value = chunk_clone(data),
- .ref = 1,
- );
+ this = create_generic();
+ this->value = chunk_clone(data);
return &this->public.pa_tnc_attribute;
}
-
-
DBG1(DBG_TNC, "insufficient data for IETF remediation string");
goto end;
}
+ *offset += 4;
+
pos = memchr(this->string.ptr, '\0', this->string.len);
if (pos)
{
DBG1(DBG_TNC, "nul termination in IETF remediation string");
- *offset += 1 + (pos - this->string.ptr);
+ *offset += (pos - this->string.ptr);
goto end;
}
- *offset += 4 + this->string.len;
+ *offset += this->string.len;
if (!reader->read_data8(reader, &this->lang_code))
{
return this->parameters;
}
-METHOD(ietf_attr_remediation_instr_t, get_uri, chunk_t,
- private_ietf_attr_remediation_instr_t *this)
-{
- return this->parameters;
-}
-
METHOD(ietf_attr_remediation_instr_t, get_string, chunk_t,
private_ietf_attr_remediation_instr_t *this, chunk_t *lang_code)
{
},
.get_parameters_type = _get_parameters_type,
.get_parameters = _get_parameters,
- .get_uri = _get_uri,
+ .get_uri = _get_parameters,
.get_string = _get_string,
},
.type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
},
.get_parameters_type = _get_parameters_type,
.get_parameters = _get_parameters,
- .get_uri = _get_uri,
+ .get_uri = _get_parameters,
.get_string = _get_string,
},
.type = { PEN_IETF, IETF_ATTR_REMEDIATION_INSTRUCTIONS },
{
this->reserve_additional_id = NULL;
}
- DBG2(DBG_IMC, "IMC %u \"%s\" provided with bind function",
- this->id, this->name);
if (this->report_message_types_long)
{
return this->dst_id;
}
+METHOD(imc_msg_t, get_msg_type, pen_type_t,
+ private_imc_msg_t *this)
+{
+ return this->msg_type;
+}
+
METHOD(imc_msg_t, send_, TNC_Result,
private_imc_msg_t *this, bool excl)
{
.public = {
.get_src_id = _get_src_id,
.get_dst_id = _get_dst_id,
+ .get_msg_type = _get_msg_type,
.send = _send_,
.receive = _receive,
.add_attribute = _add_attribute,
return &this->public;
}
-
*/
TNC_UInt32 (*get_dst_id)(imc_msg_t *this);
+ /**
+ * Get the PA-TNC message type.
+ *
+ * @return message type
+ */
+ pen_type_t (*get_msg_type)(imc_msg_t *this);
+
/**
* Sends one or multiple PA-TNC messages
*
#include "ietf/ietf_attr_assess_result.h"
#include <tncif_names.h>
+#include <tncif_identity.h>
#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <bio/bio_reader.h>
#include <threading/rwlock.h>
typedef struct private_imv_agent_t private_imv_agent_t;
{
this->reserve_additional_id = NULL;
}
- DBG2(DBG_IMV, "IMV %u \"%s\" provided with bind function",
- this->id, this->name);
if (this->report_message_types_long)
{
return 0;
}
+/**
+ * Read a TNC identity attribute
+ */
+static linked_list_t* get_identity_attribute(private_imv_agent_t *this,
+ TNC_ConnectionID id,
+ TNC_AttributeID attribute_id)
+{
+ TNC_UInt32 len;
+ char buf[2048];
+ u_int32_t count;
+ tncif_identity_t *tnc_id;
+ bio_reader_t *reader;
+ linked_list_t *list;
+
+ list = linked_list_create();
+
+ if (!this->get_attribute ||
+ this->get_attribute(this->id, id, attribute_id, sizeof(buf), buf, &len)
+ != TNC_RESULT_SUCCESS || len > sizeof(buf))
+ {
+ return list;
+ }
+
+ reader = bio_reader_create(chunk_create(buf, len));
+ if (!reader->read_uint32(reader, &count))
+ {
+ goto end;
+ }
+ while (count--)
+ {
+ tnc_id = tncif_identity_create_empty();
+ if (!tnc_id->process(tnc_id, reader))
+ {
+ tnc_id->destroy(tnc_id);
+ goto end;
+ }
+ list->insert_last(list, tnc_id);
+ }
+
+end:
+ reader->destroy(reader);
+ return list;
+ }
+
METHOD(imv_agent_t, create_state, TNC_Result,
private_imv_agent_t *this, imv_state_t *state)
{
TNC_ConnectionID conn_id;
char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL;
bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE;
+ linked_list_t *ar_identities;
+ enumerator_t *enumerator;
+ tncif_identity_t *tnc_id;
u_int32_t max_msg_len;
conn_id = state->get_connection_id(state);
t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL);
t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION);
max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
+ ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES);
state->set_flags(state, has_long, has_excl);
state->set_max_msg_len(state, max_msg_len);
DBG2(DBG_IMV, " over %s %s with maximum PA-TNC message size of %u bytes",
t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
+ enumerator = ar_identities->create_enumerator(ar_identities);
+ while (enumerator->enumerate(enumerator, &tnc_id))
+ {
+ pen_type_t id_type, subject_type, auth_type;
+ int tcg_id_type, tcg_subject_type, tcg_auth_type;
+ chunk_t id_value;
+ id_type_t ike_type;
+ identification_t *id;
+
+ id_type = tnc_id->get_identity_type(tnc_id);
+ id_value = tnc_id->get_identity_value(tnc_id);
+ subject_type = tnc_id->get_subject_type(tnc_id);
+ auth_type = tnc_id->get_auth_type(tnc_id);
+
+ tcg_id_type = (id_type.vendor_id == PEN_TCG) ?
+ id_type.type : TNC_ID_UNKNOWN;
+ tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ?
+ subject_type.type : TNC_SUBJECT_UNKNOWN;
+ tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ?
+ auth_type.type : TNC_AUTH_UNKNOWN;
+
+ switch (tcg_id_type)
+ {
+ case TNC_ID_IPV4_ADDR:
+ ike_type = ID_IPV4_ADDR;
+ break;
+ case TNC_ID_IPV6_ADDR:
+ ike_type = ID_IPV6_ADDR;
+ break;
+ case TNC_ID_FQDN:
+ case TNC_ID_USER_NAME:
+ ike_type = ID_FQDN;
+ break;
+ case TNC_ID_RFC822_ADDR:
+ ike_type = ID_RFC822_ADDR;
+ break;
+ case TNC_ID_DER_ASN1_DN:
+ ike_type = ID_DER_ASN1_DN;
+ break;
+ case TNC_ID_DER_ASN1_GN:
+ ike_type = ID_IPV4_ADDR;
+ break;
+ case TNC_ID_UNKNOWN:
+ default:
+ ike_type = ID_KEY_ID;
+ break;
+ }
+
+ id = identification_create_from_encoding(ike_type, id_value);
+ DBG2(DBG_IMV, "%N identity '%Y' authenticated by %N",
+ TNC_Subject_names, tcg_subject_type, id,
+ TNC_Authentication_names, tcg_auth_type);
+ id->destroy(id);
+ }
+ enumerator->destroy(enumerator);
+
+ ar_identities->destroy_offset(ar_identities,
+ offsetof(tncif_identity_t, destroy));
free(tnccs_p);
free(tnccs_v);
free(t_p);
}
}
+METHOD(imv_msg_t, get_msg_type, pen_type_t,
+ private_imv_msg_t *this)
+{
+ return this->msg_type;
+}
+
METHOD(imv_msg_t, add_attribute, void,
private_imv_msg_t *this, pa_tnc_attr_t *attr)
{
.get_src_id = _get_src_id,
.get_dst_id = _get_dst_id,
.set_msg_type = _set_msg_type,
+ .get_msg_type = _get_msg_type,
.send = _send_,
.send_assessment = _send_assessment,
.receive = _receive,
*/
void (*set_msg_type)(imv_msg_t *this, pen_type_t msg_type);
+ /**
+ * Get the type of a PA-TNC message.
+ *
+ * @return message type
+ */
+ pen_type_t (*get_msg_type)(imv_msg_t *this);
+
/**
* Sends one or multiple PA-TNC messages
*
{
const char proc_uptime[] = "/proc/uptime";
FILE *file;
- time_t uptime;
+ u_int uptime;
file = fopen(proc_uptime, "r");
if (!file)
}
DBG3(DBG_TNC, "%B", &value);
+ if (vendor_id == PEN_RESERVED)
+ {
+ error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
+ this->encoding, offset + 1);
+ goto err;
+ }
+ if (type == IETF_ATTR_RESERVED)
+ {
+ error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
+ this->encoding, offset + 4);
+ goto err;
+ }
attr = imcv_pa_tnc_attributes->create(imcv_pa_tnc_attributes,
vendor_id, type, value);
if (!attr)
out_msg->add_attribute(out_msg, attr);
}
- if (fatal_error)
+ if (fatal_error ||
+ (os_state->get_attribute_request(os_state) &&
+ os_state->get_info(os_state, NULL, NULL, NULL) == NULL))
{
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
/* If all Installed Packages attributes were received, go to assessment */
if (!assessment &&
!os_state->get_package_request(os_state) &&
- !os_state->get_angel_count(os_state))
+ !os_state->get_angel_count(os_state) &&
+ os_state->get_info(os_state, NULL, NULL, NULL))
{
int device_id, count, count_update, count_blacklist, count_ok;
u_int os_settings;
{
imv_state_t *state;
imv_os_state_t *os_state;
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
TNC_Result result = TNC_RESULT_SUCCESS;
if (!imv_os)
}
os_state = (imv_os_state_t*)state;
+ state->get_recommendation(state, &rec, &eval);
+
+ /*
+ * Don't send an attribute request if an evaluation is available
+ * or if an attribute request has already been sent
+ */
+ if (eval != TNC_IMV_EVALUATION_RESULT_DONT_KNOW ||
+ os_state->get_attribute_request(os_state))
+ {
+ return TNC_RESULT_SUCCESS;
+ }
+
if (os_state->get_info(os_state, NULL, NULL, NULL) == NULL)
{
imv_msg_t *out_msg;
attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FORWARDING_ENABLED);
attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED);
out_msg->add_attribute(out_msg, attr);
+ os_state->set_attribute_request(os_state, TRUE);
/* send PA-TNC message with excl flag not set */
result = out_msg->send(out_msg, FALSE);
*/
int count_ok;
+ /**
+ * Attribute request sent - mandatory response expected
+ */
+ bool attribute_request;
+
/**
* OS Installed Package request sent - mandatory response expected
*/
}
}
+METHOD(imv_os_state_t, set_attribute_request, void,
+ private_imv_os_state_t *this, bool set)
+{
+ this->attribute_request = set;
+}
+
+METHOD(imv_os_state_t, get_attribute_request, bool,
+ private_imv_os_state_t *this)
+{
+ return this->attribute_request;
+}
+
METHOD(imv_os_state_t, set_package_request, void,
private_imv_os_state_t *this, bool set)
{
.get_info = _get_info,
.set_count = _set_count,
.get_count = _get_count,
+ .set_attribute_request = _set_attribute_request,
+ .get_attribute_request = _get_attribute_request,
.set_package_request = _set_package_request,
.get_package_request = _get_package_request,
.set_device_id = _set_device_id,
*/
void (*get_count)(imv_os_state_t *this, int *count, int *count_update,
int *count_blacklist, int *count_ok);
+
+ /**
+ * Set/reset attribute request status
+ *
+ * @param set TRUE to set, FALSE to clear
+ */
+ void (*set_attribute_request)(imv_os_state_t *this, bool set);
+
+ /**
+ * Get attribute request status
+ *
+ * @return TRUE if set, FALSE if unset
+ */
+ bool (*get_attribute_request)(imv_os_state_t *this);
+
/**
* Set/reset OS Installed Packages request status
*
return this->packet->set_data(this->packet, data);
}
+METHOD(packet_t, get_dscp, u_int8_t,
+ private_esp_packet_t *this)
+{
+ return this->packet->get_dscp(this->packet);
+}
+
+METHOD(packet_t, set_dscp, void,
+ private_esp_packet_t *this, u_int8_t value)
+{
+ this->packet->set_dscp(this->packet, value);
+}
+
METHOD(packet_t, skip_bytes, void,
private_esp_packet_t *this, size_t bytes)
{
.get_destination = _get_destination,
.get_data = _get_data,
.set_data = _set_data,
+ .get_dscp = _get_dscp,
+ .set_dscp = _set_dscp,
.skip_bytes = _skip_bytes,
.clone = _clone,
.destroy = _destroy,
--- /dev/null
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \
+ -I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs
+
+ipseclib_LTLIBRARIES = libpttls.la
+libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libpttls_la_SOURCES = pt_tls.c pt_tls.h \
+ pt_tls_client.c pt_tls_client.h \
+ pt_tls_server.c pt_tls_server.h \
+ pt_tls_dispatcher.c pt_tls_dispatcher.h
--- /dev/null
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls.h"
+
+#include <utils/debug.h>
+
+/*
+ * PT-TNC Message format:
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Reserved | Message Type Vendor ID |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Message Type |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Message Length |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Message Identifier |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Message Value (e.g. PB-TNC Batch) . . . |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Read a chunk of data from TLS, returning a reader for it
+ */
+static bio_reader_t* read_tls(tls_socket_t *tls, size_t len)
+{
+ ssize_t got, total = 0;
+ char *buf;
+
+ buf = malloc(len);
+ while (total < len)
+ {
+ got = tls->read(tls, buf + total, len - total, TRUE);
+ if (got <= 0)
+ {
+ free(buf);
+ return NULL;
+ }
+ total += got;
+ }
+ return bio_reader_create_own(chunk_create(buf, len));
+}
+
+/**
+ * Read a PT-TLS message, return header data
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+ u_int32_t *type, u_int32_t *identifier)
+{
+ bio_reader_t *reader;
+ u_int32_t len;
+ u_int8_t reserved;
+
+ reader = read_tls(tls, PT_TLS_HEADER_LEN);
+ if (!reader)
+ {
+ return NULL;
+ }
+ if (!reader->read_uint8(reader, &reserved) ||
+ !reader->read_uint24(reader, vendor) ||
+ !reader->read_uint32(reader, type) ||
+ !reader->read_uint32(reader, &len) ||
+ !reader->read_uint32(reader, identifier))
+ {
+ reader->destroy(reader);
+ return NULL;
+ }
+ reader->destroy(reader);
+
+ if (len < PT_TLS_HEADER_LEN)
+ {
+ DBG1(DBG_TNC, "received short PT-TLS header (%d bytes)", len);
+ return NULL;
+ }
+ return read_tls(tls, len - PT_TLS_HEADER_LEN);
+}
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+ pt_tls_message_type_t type, u_int32_t identifier)
+{
+ bio_writer_t *header;
+ ssize_t len;
+ chunk_t data;
+
+ data = writer->get_buf(writer);
+ len = PT_TLS_HEADER_LEN + data.len;
+ header = bio_writer_create(len);
+ header->write_uint8(header, 0);
+ header->write_uint24(header, 0);
+ header->write_uint32(header, type);
+ header->write_uint32(header, len);
+ header->write_uint32(header, identifier);
+
+ header->write_data(header, data);
+ writer->destroy(writer);
+
+ data = header->get_buf(header);
+ len = tls->write(tls, data.ptr, data.len);
+ header->destroy(header);
+
+ return len == data.len;
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls pt_tls
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_H_
+#define PT_TLS_H_
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <tls_socket.h>
+
+/**
+ * PT-TLS version we support
+ */
+#define PT_TLS_VERSION 1
+
+/**
+ * Length of a PT-TLS header
+ */
+#define PT_TLS_HEADER_LEN 16
+
+typedef enum pt_tls_message_type_t pt_tls_message_type_t;
+
+/**
+ * Message types, as defined by NEA PT-TLS
+ */
+enum pt_tls_message_type_t {
+ PT_TLS_EXPERIMENTAL = 0,
+ PT_TLS_VERSION_REQUEST = 1,
+ PT_TLS_VERSION_RESPONSE = 2,
+ PT_TLS_SASL_MECHS = 3,
+ PT_TLS_SASL_MECH_SELECTION = 4,
+ PT_TLS_SASL_AUTH_DATA = 5,
+ PT_TLS_SASL_RESULT = 6,
+ PT_TLS_PB_TNC_BATCH = 7,
+ PT_TLS_ERROR = 8,
+};
+
+/**
+ * Read a PT-TLS message, create reader over Message Value.
+ *
+ * @param tls TLS socket to read from
+ * @param vendor receives Message Type Vendor ID from header
+ * @param type receives Message Type from header
+ * @param identifier receives Message Identifer
+ * @return reader over message value, NULL on error
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+ u_int32_t *type, u_int32_t *identifier);
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer.
+ *
+ * @param tls TLS socket to write to
+ * @param writer prepared Message value to write
+ * @param type Message Type to write
+ * @param identifier Message Identifier to write
+ * @return TRUE if data written successfully
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+ pt_tls_message_type_t type, u_int32_t identifier);
+
+#endif /** PT_TLS_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_client.h"
+#include "pt_tls.h"
+
+#include <tls_socket.h>
+#include <utils/debug.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+
+typedef struct private_pt_tls_client_t private_pt_tls_client_t;
+
+/**
+ * Private data of an pt_tls_client_t object.
+ */
+struct private_pt_tls_client_t {
+
+ /**
+ * Public pt_tls_client_t interface.
+ */
+ pt_tls_client_t public;
+
+ /**
+ * TLS secured socket used by PT-TLS
+ */
+ tls_socket_t *tls;
+
+ /**
+ * Server address/port
+ */
+ host_t *address;
+
+ /**
+ * Server identity
+ */
+ identification_t *id;
+
+ /**
+ * Current PT-TLS message identifier
+ */
+ u_int32_t identifier;
+};
+
+/**
+ * Establish TLS secured TCP connection to TNC server
+ */
+static bool make_connection(private_pt_tls_client_t *this)
+{
+ int fd;
+
+ fd = socket(this->address->get_family(this->address), SOCK_STREAM, 0);
+ if (fd == -1)
+ {
+ DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno));
+ return FALSE;
+ }
+ if (connect(fd, this->address->get_sockaddr(this->address),
+ *this->address->get_sockaddr_len(this->address)) == -1)
+ {
+ DBG1(DBG_TNC, "connecting to PT-TLS server failed: %s", strerror(errno));
+ close(fd);
+ return FALSE;
+ }
+
+ this->tls = tls_socket_create(FALSE, this->id, NULL, fd, NULL);
+ if (!this->tls)
+ {
+ close(fd);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Negotiate PT-TLS version
+ */
+static bool negotiate_version(private_pt_tls_client_t *this)
+{
+ bio_writer_t *writer;
+ bio_reader_t *reader;
+ u_int32_t type, vendor, identifier, reserved;
+ u_int8_t version;
+
+ DBG1(DBG_TNC, "sending offer for PT-TLS version %d", PT_TLS_VERSION);
+
+ writer = bio_writer_create(4);
+ writer->write_uint8(writer, 0);
+ writer->write_uint8(writer, PT_TLS_VERSION);
+ writer->write_uint8(writer, PT_TLS_VERSION);
+ writer->write_uint8(writer, PT_TLS_VERSION);
+ if (!pt_tls_write(this->tls, writer, PT_TLS_VERSION_REQUEST,
+ this->identifier++))
+ {
+ return FALSE;
+ }
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FALSE;
+ }
+ if (vendor != 0 || type != PT_TLS_VERSION_RESPONSE ||
+ !reader->read_uint24(reader, &reserved) ||
+ !reader->read_uint8(reader, &version) ||
+ version != PT_TLS_VERSION)
+ {
+ DBG1(DBG_TNC, "PT-TLS version negotiation failed");
+ reader->destroy(reader);
+ return FALSE;
+ }
+ reader->destroy(reader);
+ return TRUE;
+}
+
+/**
+ * Authenticate session using SASL
+ */
+static bool authenticate(private_pt_tls_client_t *this)
+{
+ bio_reader_t *reader;
+ u_int32_t type, vendor, identifier;
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FALSE;
+ }
+ if (vendor != 0 || type != PT_TLS_SASL_MECHS)
+ {
+ DBG1(DBG_TNC, "PT-TLS authentication failed");
+ reader->destroy(reader);
+ return FALSE;
+ }
+
+ if (reader->remaining(reader))
+ { /* mechanism list not empty, FAIL until we support it */
+ reader->destroy(reader);
+ return FALSE;
+ }
+ DBG1(DBG_TNC, "PT-TLS authentication complete");
+ reader->destroy(reader);
+ return TRUE;
+}
+
+/**
+ * Perform assessment
+ */
+static bool assess(private_pt_tls_client_t *this, tls_t *tnccs)
+{
+ while (TRUE)
+ {
+ bio_writer_t *writer;
+ bio_reader_t *reader;
+ u_int32_t vendor, type, identifier;
+ chunk_t data;
+
+ writer = bio_writer_create(32);
+ while (TRUE)
+ {
+ char buf[2048];
+ size_t buflen, msglen;
+
+ buflen = sizeof(buf);
+ switch (tnccs->build(tnccs, buf, &buflen, &msglen))
+ {
+ case SUCCESS:
+ writer->destroy(writer);
+ return tnccs->is_complete(tnccs);
+ case FAILED:
+ default:
+ writer->destroy(writer);
+ return FALSE;
+ case INVALID_STATE:
+ writer->destroy(writer);
+ break;
+ case NEED_MORE:
+ writer->write_data(writer, chunk_create(buf, buflen));
+ continue;
+ case ALREADY_DONE:
+ writer->write_data(writer, chunk_create(buf, buflen));
+ if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
+ this->identifier++))
+ {
+ return FALSE;
+ }
+ writer = bio_writer_create(32);
+ continue;
+ }
+ break;
+ }
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FALSE;
+ }
+ if (vendor == 0)
+ {
+ if (type == PT_TLS_ERROR)
+ {
+ DBG1(DBG_TNC, "received PT-TLS error");
+ reader->destroy(reader);
+ return FALSE;
+ }
+ if (type != PT_TLS_PB_TNC_BATCH)
+ {
+ DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+ reader->destroy(reader);
+ return FALSE;
+ }
+ data = reader->peek(reader);
+ switch (tnccs->process(tnccs, data.ptr, data.len))
+ {
+ case SUCCESS:
+ reader->destroy(reader);
+ return tnccs->is_complete(tnccs);
+ case FAILED:
+ default:
+ reader->destroy(reader);
+ return FALSE;
+ case NEED_MORE:
+ break;
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+ }
+ reader->destroy(reader);
+ }
+}
+
+METHOD(pt_tls_client_t, run_assessment, status_t,
+ private_pt_tls_client_t *this, tnccs_t *tnccs)
+{
+ if (!this->tls)
+ {
+ if (!make_connection(this))
+ {
+ return FAILED;
+ }
+ }
+ if (!negotiate_version(this))
+ {
+ return FAILED;
+ }
+ if (!authenticate(this))
+ {
+ return FAILED;
+ }
+ if (!assess(this, (tls_t*)tnccs))
+ {
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+
+METHOD(pt_tls_client_t, destroy, void,
+ private_pt_tls_client_t *this)
+{
+ if (this->tls)
+ {
+ close(this->tls->get_fd(this->tls));
+ this->tls->destroy(this->tls);
+ }
+ this->address->destroy(this->address);
+ this->id->destroy(this->id);
+ free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *id)
+{
+ private_pt_tls_client_t *this;
+
+ INIT(this,
+ .public = {
+ .run_assessment = _run_assessment,
+ .destroy = _destroy,
+ },
+ .address = address,
+ .id = id,
+ );
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_client pt_tls_client
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_CLIENT_H_
+#define PT_TLS_CLIENT_H_
+
+#include <networking/host.h>
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+typedef struct pt_tls_client_t pt_tls_client_t;
+
+/**
+ * IF-T for TLS aka PT-TLS transport client.
+ */
+struct pt_tls_client_t {
+
+ /**
+ * Perform an assessment.
+ *
+ * @param tnccs upper layer TNC client used for assessment
+ * @return status of assessment
+ */
+ status_t (*run_assessment)(pt_tls_client_t *this, tnccs_t *tnccs);
+
+ /**
+ * Destroy a pt_tls_client_t.
+ */
+ void (*destroy)(pt_tls_client_t *this);
+};
+
+/**
+ * Create a pt_tls_client instance.
+ *
+ * @param address address/port to run assessments against, gets owned
+ * @param id server identity to use for authentication, gets owned
+ * @return PT-TLS context
+ */
+pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *id);
+
+#endif /** PT_TLS_CLIENT_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_dispatcher.h"
+#include "pt_tls_server.h"
+
+#include <threading/thread.h>
+#include <utils/debug.h>
+#include <processing/jobs/callback_job.h>
+
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+typedef struct private_pt_tls_dispatcher_t private_pt_tls_dispatcher_t;
+
+/**
+ * Private data of an pt_tls_dispatcher_t object.
+ */
+struct private_pt_tls_dispatcher_t {
+
+ /**
+ * Public pt_tls_dispatcher_t interface.
+ */
+ pt_tls_dispatcher_t public;
+
+ /**
+ * Listening socket
+ */
+ int fd;
+
+ /**
+ * Server identity
+ */
+ identification_t *server;
+
+ /**
+ * Peer identity
+ */
+ identification_t *peer;
+
+ /**
+ * TNCCS protocol handler constructor
+ */
+ pt_tls_tnccs_constructor_t *create;
+};
+
+/**
+ * Open listening server socket
+ */
+static bool open_socket(private_pt_tls_dispatcher_t *this, host_t *host)
+{
+ this->fd = socket(AF_INET, SOCK_STREAM, 0);
+ if (this->fd == -1)
+ {
+ DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno));
+ return FALSE;
+ }
+ if (bind(this->fd, host->get_sockaddr(host),
+ *host->get_sockaddr_len(host)) == -1)
+ {
+ DBG1(DBG_TNC, "binding to PT-TLS socket failed: %s", strerror(errno));
+ return FALSE;
+ }
+ if (listen(this->fd, 5) == -1)
+ {
+ DBG1(DBG_TNC, "listen on PT-TLS socket failed: %s", strerror(errno));
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Handle a single PT-TLS client connection
+ */
+static job_requeue_t handle(pt_tls_server_t *connection)
+{
+ while (TRUE)
+ {
+ switch (connection->handle(connection))
+ {
+ case NEED_MORE:
+ continue;
+ case FAILED:
+ case SUCCESS:
+ default:
+ break;
+ }
+ break;
+ }
+ return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Clean up connection state
+ */
+static void cleanup(pt_tls_server_t *connection)
+{
+ int fd;
+
+ fd = connection->get_fd(connection);
+ connection->destroy(connection);
+ close(fd);
+}
+
+METHOD(pt_tls_dispatcher_t, dispatch, void,
+ private_pt_tls_dispatcher_t *this,
+ pt_tls_tnccs_constructor_t *create)
+{
+ while (TRUE)
+ {
+ pt_tls_server_t *connection;
+ tnccs_t *tnccs;
+ bool old;
+ int fd;
+
+ old = thread_cancelability(TRUE);
+ fd = accept(this->fd, NULL, NULL);
+ thread_cancelability(old);
+ if (fd == -1)
+ {
+ DBG1(DBG_TNC, "accepting PT-TLS failed: %s", strerror(errno));
+ continue;
+ }
+
+ tnccs = create(this->server, this->peer);
+ if (!tnccs)
+ {
+ close(fd);
+ continue;
+ }
+ connection = pt_tls_server_create(this->server, fd, tnccs);
+ if (!connection)
+ {
+ close(fd);
+ continue;
+ }
+ lib->processor->queue_job(lib->processor,
+ (job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
+ connection, (void*)cleanup,
+ (callback_job_cancel_t)return_false,
+ JOB_PRIO_CRITICAL));
+ }
+}
+
+METHOD(pt_tls_dispatcher_t, destroy, void,
+ private_pt_tls_dispatcher_t *this)
+{
+ if (this->fd != -1)
+ {
+ close(this->fd);
+ }
+ this->server->destroy(this->server);
+ this->peer->destroy(this->peer);
+ free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
+ identification_t *id)
+{
+ private_pt_tls_dispatcher_t *this;
+
+ INIT(this,
+ .public = {
+ .dispatch = _dispatch,
+ .destroy = _destroy,
+ },
+ .server = id,
+ /* we currently don't authenticate the peer, use %any identity */
+ .peer = identification_create_from_encoding(ID_ANY, chunk_empty),
+ .fd = -1,
+ );
+
+ if (!open_socket(this, address))
+ {
+ address->destroy(address);
+ destroy(this);
+ return NULL;
+ }
+ address->destroy(address);
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_dispatcher pt_tls_dispatcher
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_DISPATCHER_H_
+#define PT_TLS_DISPATCHER_H_
+
+#include <networking/host.h>
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+typedef struct pt_tls_dispatcher_t pt_tls_dispatcher_t;
+
+/**
+ * Constructor callback to create TNCCS to use within PT-TLS.
+ *
+ * @param server server identity
+ * @param peer peer identity
+ */
+typedef tnccs_t* (pt_tls_tnccs_constructor_t)(identification_t *server,
+ identification_t *peer);
+
+/**
+ * PT-TLS dispatcher service, handles PT-TLS connections as a server.
+ */
+struct pt_tls_dispatcher_t {
+
+ /**
+ * Dispatch and handle PT-TLS connections.
+ *
+ * This call is blocking and a thread cancellation point. The passed
+ * constructor gets called for each dispatched connection.
+ *
+ * @param create TNCCS constructor function to use
+ */
+ void (*dispatch)(pt_tls_dispatcher_t *this,
+ pt_tls_tnccs_constructor_t *create);
+
+ /**
+ * Destroy a pt_tls_dispatcher_t.
+ */
+ void (*destroy)(pt_tls_dispatcher_t *this);
+};
+
+/**
+ * Create a pt_tls_dispatcher instance.
+ *
+ * @param address server address with port to listen on, gets owned
+ * @param id TLS server identity, gets owned
+ * @return dispatcher service
+ */
+pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
+ identification_t *id);
+
+#endif /** PT_TLS_DISPATCHER_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_server.h"
+#include "pt_tls.h"
+
+#include <utils/debug.h>
+
+typedef struct private_pt_tls_server_t private_pt_tls_server_t;
+
+/**
+ * Private data of an pt_tls_server_t object.
+ */
+struct private_pt_tls_server_t {
+
+ /**
+ * Public pt_tls_server_t interface.
+ */
+ pt_tls_server_t public;
+
+ /**
+ * TLS protected socket
+ */
+ tls_socket_t *tls;
+
+ enum {
+ /* expecting version negotiation */
+ PT_TLS_SERVER_VERSION,
+ /* expecting an SASL exchange */
+ PT_TLS_SERVER_AUTH,
+ /* expecting TNCCS exchange */
+ PT_TLS_SERVER_TNCCS,
+ /* terminating state */
+ PT_TLS_SERVER_END,
+ } state;
+
+ /**
+ * Message Identifier
+ */
+ u_int32_t identifier;
+
+ /**
+ * TNCCS protocol handler, implemented as tls_t
+ */
+ tls_t *tnccs;
+};
+
+/**
+ * Negotiate PT-TLS version
+ */
+static bool negotiate_version(private_pt_tls_server_t *this)
+{
+ bio_reader_t *reader;
+ bio_writer_t *writer;
+ u_int32_t vendor, type, identifier;
+ u_int8_t reserved, vmin, vmax, vpref;
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FALSE;
+ }
+ if (vendor != 0 || type != PT_TLS_VERSION_REQUEST ||
+ !reader->read_uint8(reader, &reserved) ||
+ !reader->read_uint8(reader, &vmin) ||
+ !reader->read_uint8(reader, &vmax) ||
+ !reader->read_uint8(reader, &vpref))
+ {
+ DBG1(DBG_TNC, "PT-TLS version negotiation failed");
+ reader->destroy(reader);
+ return FALSE;
+ }
+ reader->destroy(reader);
+
+ if (vmin > PT_TLS_VERSION || vmax < PT_TLS_VERSION)
+ {
+ /* TODO: send error */
+ return FALSE;
+ }
+
+ writer = bio_writer_create(4);
+ writer->write_uint24(writer, 0);
+ writer->write_uint8(writer, PT_TLS_VERSION);
+
+ return pt_tls_write(this->tls, writer, PT_TLS_VERSION_RESPONSE,
+ this->identifier++);
+}
+
+/**
+ * Authenticated PT-TLS session with SASL
+ */
+static bool authenticate(private_pt_tls_server_t *this)
+{
+ bio_writer_t *writer;
+
+ /* send empty SASL mechanims list to skip authentication */
+ writer = bio_writer_create(0);
+ return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
+ this->identifier++);
+}
+
+/**
+ * Perform assessment
+ */
+static bool assess(private_pt_tls_server_t *this, tls_t *tnccs)
+{
+ while (TRUE)
+ {
+ bio_writer_t *writer;
+ bio_reader_t *reader;
+ u_int32_t vendor, type, identifier;
+ chunk_t data;
+
+ writer = bio_writer_create(32);
+ while (TRUE)
+ {
+ char buf[2048];
+ size_t buflen, msglen;
+
+ buflen = sizeof(buf);
+ switch (tnccs->build(tnccs, buf, &buflen, &msglen))
+ {
+ case SUCCESS:
+ writer->destroy(writer);
+ return tnccs->is_complete(tnccs);
+ case FAILED:
+ default:
+ writer->destroy(writer);
+ return FALSE;
+ case INVALID_STATE:
+ writer->destroy(writer);
+ break;
+ case NEED_MORE:
+ writer->write_data(writer, chunk_create(buf, buflen));
+ continue;
+ case ALREADY_DONE:
+ writer->write_data(writer, chunk_create(buf, buflen));
+ if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
+ this->identifier++))
+ {
+ return FALSE;
+ }
+ writer = bio_writer_create(32);
+ continue;
+ }
+ break;
+ }
+
+ reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+ if (!reader)
+ {
+ return FALSE;
+ }
+ if (vendor == 0)
+ {
+ if (type == PT_TLS_ERROR)
+ {
+ DBG1(DBG_TNC, "received PT-TLS error");
+ reader->destroy(reader);
+ return FALSE;
+ }
+ if (type != PT_TLS_PB_TNC_BATCH)
+ {
+ DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+ reader->destroy(reader);
+ return FALSE;
+ }
+ data = reader->peek(reader);
+ switch (tnccs->process(tnccs, data.ptr, data.len))
+ {
+ case SUCCESS:
+ reader->destroy(reader);
+ return tnccs->is_complete(tnccs);
+ case FAILED:
+ default:
+ reader->destroy(reader);
+ return FALSE;
+ case NEED_MORE:
+ break;
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+ }
+ reader->destroy(reader);
+ }
+}
+
+METHOD(pt_tls_server_t, handle, status_t,
+ private_pt_tls_server_t *this)
+{
+ switch (this->state)
+ {
+ case PT_TLS_SERVER_VERSION:
+ if (!negotiate_version(this))
+ {
+ return FAILED;
+ }
+ DBG1(DBG_TNC, "negotiated PT-TLS version %d", PT_TLS_VERSION);
+ this->state = PT_TLS_SERVER_AUTH;
+ break;
+ case PT_TLS_SERVER_AUTH:
+ DBG1(DBG_TNC, "sending empty mechanism list to skip SASL");
+ if (!authenticate(this))
+ {
+ return FAILED;
+ }
+ this->state = PT_TLS_SERVER_TNCCS;
+ break;
+ case PT_TLS_SERVER_TNCCS:
+ if (!assess(this, (tls_t*)this->tnccs))
+ {
+ return FAILED;
+ }
+ this->state = PT_TLS_SERVER_END;
+ return SUCCESS;
+ default:
+ return FAILED;
+ }
+ return NEED_MORE;
+}
+
+METHOD(pt_tls_server_t, get_fd, int,
+ private_pt_tls_server_t *this)
+{
+ return this->tls->get_fd(this->tls);
+}
+
+METHOD(pt_tls_server_t, destroy, void,
+ private_pt_tls_server_t *this)
+{
+ this->tnccs->destroy(this->tnccs);
+ this->tls->destroy(this->tls);
+ free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
+ tnccs_t *tnccs)
+{
+ private_pt_tls_server_t *this;
+
+ INIT(this,
+ .public = {
+ .handle = _handle,
+ .get_fd = _get_fd,
+ .destroy = _destroy,
+ },
+ .state = PT_TLS_SERVER_VERSION,
+ .tls = tls_socket_create(TRUE, server, NULL, fd, NULL),
+ .tnccs = (tls_t*)tnccs,
+ );
+
+ if (!this->tls)
+ {
+ this->tnccs->destroy(this->tnccs);
+ free(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_server pt_tls_server
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_SERVER_H_
+#define PT_TLS_SERVER_H_
+
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+typedef struct pt_tls_server_t pt_tls_server_t;
+
+/**
+ * IF-T for TLS aka PT-TLS transport server.
+ */
+struct pt_tls_server_t {
+
+ /**
+ * Handle assessment data read from socket.
+ *
+ * @return
+ * - NEED_MORE if more exchanges required,
+ * - SUCCESS if assessment complete
+ * - FAILED if assessment failed
+ */
+ status_t (*handle)(pt_tls_server_t *this);
+
+ /**
+ * Get the underlying client connection socket.
+ *
+ * @return socket fd, suitable to select()
+ */
+ int (*get_fd)(pt_tls_server_t *this);
+
+ /**
+ * Destroy a pt_tls_server_t.
+ */
+ void (*destroy)(pt_tls_server_t *this);
+};
+
+/**
+ * Create a pt_tls_server connection instance.
+ *
+ * @param server TLS server identity
+ * @param fd client connection socket
+ * @param tnccs inner TNCCS protocol handler to use for this connection
+ * @return PT-TLS server
+ */
+pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
+ tnccs_t *tnccs);
+
+#endif /** PT_TLS_SERVER_H_ @}*/
networking/tun_device.c \
pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
+resolver/resolver_manager.c resolver/rr_set.c \
selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
networking/tun_device.c \
pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
+resolver/resolver_manager.c resolver/rr_set.c \
selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
fetcher/fetcher_manager.h eap/eap.h pen/pen.h ipsec/ipsec_types.h \
networking/host.h networking/host_resolver.h networking/packet.h \
networking/tun_device.h \
+resolver/resolver.h resolver/resolver_response.h resolver/rr_set.h \
+resolver/rr.h resolver/resolver_manager.h \
plugins/plugin_loader.h plugins/plugin.h plugins/plugin_feature.h \
processing/jobs/job.h processing/jobs/callback_job.h processing/processor.h \
processing/scheduler.h selectors/traffic_selector.h \
endif
endif
+if USE_UNBOUND
+ SUBDIRS += plugins/unbound
+if MONOLITHIC
+ libstrongswan_la_LIBADD += plugins/unbound/libstrongswan-unbound.la
+endif
+endif
+
if USE_SOUP
SUBDIRS += plugins/soup
if MONOLITHIC
* Remaining data to process
*/
chunk_t buf;
+
+ /**
+ * Optional data to free during destruction
+ */
+ chunk_t cleanup;
};
METHOD(bio_reader_t, remaining, u_int32_t,
METHOD(bio_reader_t, destroy, void,
private_bio_reader_t *this)
{
+ free(this->cleanup.ptr);
free(this);
}
return &this->public;
}
+
+/**
+ * See header
+ */
+bio_reader_t *bio_reader_create_own(chunk_t data)
+{
+ private_bio_reader_t *this;
+
+ this = (private_bio_reader_t*)bio_reader_create(data);
+
+ this->cleanup = data;
+
+ return &this->public;
+}
/**
* Create a bio_reader instance.
+ *
+ * @param data data buffer, must survive lifetime of reader
+ * @return reader
*/
bio_reader_t *bio_reader_create(chunk_t data);
-#endif /** bio_reader_H_ @}*/
+/**
+ * Create a bio_reader instance owning buffer.
+ *
+ * @param data data buffer, gets freed with destroy()
+ * @return reader
+ */
+bio_reader_t *bio_reader_create_own(chunk_t data);
+
+#endif /** BIO_READER_H_ @}*/
{
enumerator_t *enumerator;
auth_cfg_t *clone;
- entry_t *entry;
+ auth_rule_t type;
+ void *value;
clone = auth_cfg_create();
/* this enumerator skips duplicates for rules we expect only once */
- enumerator = this->entries->create_enumerator(this->entries);
- while (enumerator->enumerate(enumerator, &entry))
+ enumerator = create_enumerator(this);
+ while (enumerator->enumerate(enumerator, &type, &value))
{
- switch (entry->type)
+ switch (type)
{
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_GROUP:
case AUTH_RULE_XAUTH_IDENTITY:
{
- identification_t *id = (identification_t*)entry->value;
- clone->add(clone, entry->type, id->clone(id));
+ identification_t *id = (identification_t*)value;
+ clone->add(clone, type, id->clone(id));
break;
}
case AUTH_RULE_CA_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_REVOCATION_CERT:
{
- certificate_t *cert = (certificate_t*)entry->value;
- clone->add(clone, entry->type, cert->get_ref(cert));
+ certificate_t *cert = (certificate_t*)value;
+ clone->add(clone, type, cert->get_ref(cert));
break;
}
case AUTH_RULE_XAUTH_BACKEND:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
- clone->add(clone, entry->type, strdup(entry->value));
+ clone->add(clone, type, strdup(value));
break;
}
case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
case AUTH_RULE_SIGNATURE_SCHEME:
- clone->add(clone, entry->type, (uintptr_t)entry->value);
+ clone->add(clone, type, (uintptr_t)value);
break;
case AUTH_RULE_MAX:
break;
/** PGP key encoding */
PUBKEY_PGP,
PRIVKEY_PGP,
+ /** DNSKEY encoding */
+ PUBKEY_DNSKEY,
/** ASN.1 DER encoded certificate */
CERT_ASN1_DER,
failure:
aead->destroy(aead);
chunk_free(&cipher);
- chunk_free(&plain);
+ if (plain.ptr != vector->plain)
+ {
+ chunk_free(&plain);
+ }
if (failed)
{
DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
this->public.crypto->destroy(this->public.crypto);
this->public.proposal->destroy(this->public.proposal);
this->public.fetcher->destroy(this->public.fetcher);
+ this->public.resolver->destroy(this->public.resolver);
this->public.db->destroy(this->public.db);
this->public.printf_hook->destroy(this->public.printf_hook);
this->objects->destroy(this->objects);
this->public.credmgr = credential_manager_create();
this->public.encoding = cred_encoding_create();
this->public.fetcher = fetcher_manager_create();
+ this->public.resolver = resolver_manager_create();
this->public.db = database_factory_create();
this->public.processor = processor_create();
this->public.scheduler = scheduler_create();
* @defgroup fetcher fetcher
* @ingroup libstrongswan
*
+ * @defgroup resolver resolver
+ * @ingroup libstrongswan
+ *
* @defgroup ipsec ipsec
* @ingroup libstrongswan
*
#include "crypto/crypto_factory.h"
#include "crypto/proposal/proposal_keywords.h"
#include "fetcher/fetcher_manager.h"
+#include "resolver/resolver_manager.h"
#include "database/database_factory.h"
#include "credentials/credential_factory.h"
#include "credentials/credential_manager.h"
*/
fetcher_manager_t *fetcher;
+ /**
+ * Manager for DNS resolvers
+ */
+ resolver_manager_t *resolver;
+
/**
* database construction factory
*/
*/
host_t *destination;
+ /**
+ * DSCP value on packet
+ */
+ u_int8_t dscp;
+
/**
* message data
*/
this->adjusted_data = this->data = data;
}
+METHOD(packet_t, get_dscp, u_int8_t,
+ private_packet_t *this)
+{
+ return this->dscp;
+}
+METHOD(packet_t, set_dscp, void,
+ private_packet_t *this, u_int8_t value)
+{
+ this->dscp = value;
+}
+
METHOD(packet_t, skip_bytes, void,
private_packet_t *this, size_t bytes)
{
{
other->set_data(other, chunk_clone(this->adjusted_data));
}
+ other->set_dscp(other, this->dscp);
return other;
}
.get_source = _get_source,
.set_destination = _set_destination,
.get_destination = _get_destination,
+ .get_dscp = _get_dscp,
+ .set_dscp = _set_dscp,
.skip_bytes = _skip_bytes,
.clone = _clone_,
.destroy = _destroy,
*/
void (*set_data)(packet_t *packet, chunk_t data);
+ /**
+ * Get the DiffServ Code Point set on this packet.
+ *
+ * @return DSCP value
+ */
+ u_int8_t (*get_dscp)(packet_t *this);
+
+ /**
+ * Set the DiffServ Code Point to use on this packet.
+ *
+ * @param value DSCP value
+ */
+ void (*set_dscp)(packet_t *this, u_int8_t value);
+
/**
* Increase the offset where the actual packet data starts.
*
case AF_INET:
{
struct sockaddr_in *addr = (struct sockaddr_in*)&ifr->ifr_addr;
- addr->sin_family = AF_INET;
target = (char*)&addr->sin_addr;
len = 4;
break;
case AF_INET6:
{
struct sockaddr_in6 *addr = (struct sockaddr_in6*)&ifr->ifr_addr;
- addr->sin6_family = AF_INET6;
target = (char*)&addr->sin6_addr;
len = 16;
break;
return;
}
+ ifr->ifr_addr.sa_family = family;
+
bytes = (netmask + 7) / 8;
bits = (bytes * 8) - netmask;
ENUM_NEXT(pen_names, PEN_MICROSOFT, PEN_MICROSOFT, PEN_IBM,
"Microsoft");
ENUM_NEXT(pen_names, PEN_REDHAT, PEN_REDHAT, PEN_MICROSOFT,
- "Redhat");
+ "Redhat");
ENUM_NEXT(pen_names, PEN_OSC, PEN_OSC, PEN_REDHAT,
"OSC");
ENUM_NEXT(pen_names, PEN_DEBIAN, PEN_DEBIAN, PEN_OSC,
ENUM_NEXT(pen_names, PEN_TCG, PEN_TCG, PEN_GOOGLE,
"TCG");
ENUM_NEXT(pen_names, PEN_CANONICAL, PEN_CANONICAL, PEN_TCG,
- "Canonical");
+ "Canonical");
ENUM_NEXT(pen_names, PEN_FEDORA, PEN_FEDORA, PEN_CANONICAL,
"Fedora Project");
ENUM_NEXT(pen_names, PEN_FHH, PEN_FHH, PEN_FEDORA,
"ITA-HSR");
ENUM_NEXT(pen_names, PEN_OPENPTS, PEN_OPENPTS, PEN_ITA,
"OpenPTS");
-ENUM_NEXT(pen_names, PEN_RESERVED, PEN_RESERVED, PEN_OPENPTS,
+ENUM_NEXT(pen_names, PEN_UNASSIGNED, PEN_RESERVED, PEN_OPENPTS,
+ "Unassigned",
"Reserved");
ENUM_END(pen_names, PEN_RESERVED);
-
typedef enum pen_t pen_t;
typedef struct pen_type_t pen_type_t;
+/**
+ * Private enterprise numbers allocated by IANA.
+ *
+ * http://www.iana.org/assignments/enterprise-numbers
+ */
enum pen_t {
- PEN_IETF = 0x000000, /* 0 */
- PEN_IBM = 0x000002, /* 2 */
- PEN_MICROSOFT = 0x000137, /* 311 */
- PEN_REDHAT = 0x000908, /* 2312 */
- PEN_OSC = 0x002358, /* 9048 */
- PEN_DEBIAN = 0x002572, /* 9586 */
- PEN_GOOGLE = 0x002B79, /* 11129 */
- PEN_TCG = 0x005597, /* 21911 */
- PEN_CANONICAL = 0x007132, /* 28978 */
- PEN_FEDORA = 0x0076C1, /* 30401 */
- PEN_FHH = 0x0080ab, /* 32939 */
- PEN_ITA = 0x00902a, /* 36906 */
- PEN_OPENPTS = 0x00950e, /* 38158 */
- PEN_RESERVED = 0xffffff, /* 16777215 */
+ PEN_IETF = 0x000000, /* 0 */
+ PEN_IBM = 0x000002, /* 2 */
+ PEN_MICROSOFT = 0x000137, /* 311 */
+ PEN_REDHAT = 0x000908, /* 2312 */
+ PEN_OSC = 0x002358, /* 9048 */
+ PEN_DEBIAN = 0x002572, /* 9586 */
+ PEN_GOOGLE = 0x002B79, /* 11129 */
+ PEN_TCG = 0x005597, /* 21911 */
+ PEN_CANONICAL = 0x007132, /* 28978 */
+ PEN_FEDORA = 0x0076C1, /* 30401 */
+ PEN_FHH = 0x0080ab, /* 32939 */
+ PEN_ITA = 0x00902a, /* 36906 */
+ PEN_OPENPTS = 0x00950e, /* 38158 */
+ PEN_UNASSIGNED = 0xfffffe, /* 16777214 */
+ PEN_RESERVED = 0xffffff, /* 16777215 */
};
/**
- * Vendor specific type
+ * Vendor specific type in vendor specific namespace.
*/
struct pen_type_t {
pen_t vendor_id;
/**
* Create a pen_type_t struct
+ *
+ * @param vendor_id vendor ID to create a pen_type_t
+ * @param type type to create a pen_type_t
+ * @return created pen_type_t
*/
static inline pen_type_t pen_type_create(pen_t vendor_id, u_int32_t type)
{
- pen_type_t pen_type = {vendor_id, type};
+ pen_type_t pen_type = { vendor_id, type };
return pen_type;
}
+/**
+ * Check two pen_type_t for equality.
+ *
+ * @param a first pen_type_t to compare
+ * @param b second pen_type_t to compare
+ * @return TRUE if a == b
+ */
+static inline bool pen_type_equals(pen_type_t a, pen_type_t b)
+{
+ return a.vendor_id == b.vendor_id && a.type == b.type;
+}
+
+/**
+ * Check if a pen_type_t matches vendor and type.
+ *
+ * @param pen_type pen_type_t to compare
+ * @param vendor_id vendor to check in pen_type
+ * @param type type to check in pen_type
+ * @return TRUE if vendor_id and type matches pen_type
+ */
+static inline bool pen_type_is(pen_type_t pen_type,
+ pen_t vendor_id, u_int32_t type)
+{
+ return pen_type.vendor_id == vendor_id && pen_type.type == type;
+}
+
/**
* enum names for pen_t.
*/
/**
* Create a ccm_aead instance.
*
- * @param key_size key size in bytes
* @param algo algorithm to implement, a CCM mode
+ * @param key_size key size in bytes
* @return aead, NULL if not supported
*/
ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
#include "curl_fetcher.h"
-#define DEFAULT_TIMEOUT 10
+#define CONNECT_TIMEOUT 10
typedef struct private_curl_fetcher_t private_curl_fetcher_t;
* Callback function
*/
fetcher_callback_t cb;
+
+ /**
+ * Timeout for a transfer
+ */
+ long timeout;
};
/**
curl_easy_setopt(this->curl, CURLOPT_ERRORBUFFER, error);
curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
curl_easy_setopt(this->curl, CURLOPT_NOSIGNAL, TRUE);
- curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, DEFAULT_TIMEOUT);
+ if (this->timeout)
+ {
+ curl_easy_setopt(this->curl, CURLOPT_TIMEOUT, this->timeout);
+ }
+ curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, CONNECT_TIMEOUT);
curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, (void*)curl_cb);
curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, &data);
if (this->headers)
}
case FETCH_TIMEOUT:
{
- curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT,
- va_arg(args, u_int));
+ this->timeout = va_arg(args, u_int);
break;
}
case FETCH_CALLBACK:
}
return &this->public;
}
-
libstrongswan_dnskey_la_SOURCES = \
dnskey_plugin.h dnskey_plugin.c \
- dnskey_builder.h dnskey_builder.c
+ dnskey_builder.h dnskey_builder.c \
+ dnskey_encoder.h dnskey_encoder.c
libstrongswan_dnskey_la_LDFLAGS = -module -avoid-version
DNSKEY_ALG_RSA_MD5 = 1,
DNSKEY_ALG_DH = 2,
DNSKEY_ALG_DSA = 3,
- DNSKEY_ALG_ECC = 4,
DNSKEY_ALG_RSA_SHA1 = 5,
+ DNSKEY_ALG_DSA_NSEC3_SHA1 = 6,
+ DNSKEY_ALG_RSA_SHA1_NSEC3_SHA1 = 7,
+ DNSKEY_ALG_RSA_SHA256 = 8,
+ DNSKEY_ALG_RSA_SHA512 = 10,
+ DNSKEY_ALG_ECC_GOST = 12,
+ DNSKEY_ALG_ECDSA_P256_SHA256 = 13,
+ DNSKEY_ALG_ECDSA_P384_SHA384 = 14
};
/**
switch (rr->algorithm)
{
+ case DNSKEY_ALG_RSA_MD5:
case DNSKEY_ALG_RSA_SHA1:
+ case DNSKEY_ALG_RSA_SHA1_NSEC3_SHA1:
+ case DNSKEY_ALG_RSA_SHA256:
+ case DNSKEY_ALG_RSA_SHA512:
return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
BUILD_BLOB_DNSKEY, blob, BUILD_END);
default:
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "dnskey_encoder.h"
+
+#include <utils/debug.h>
+
+/**
+ * Encode an RSA public key in DNSKEY format (RFC 3110)
+ */
+bool build_pub(chunk_t *encoding, va_list args)
+{
+ chunk_t n, e, pubkey;
+ size_t exp_len;
+ u_char *pos;
+
+ if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n,
+ CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END))
+ {
+ /* remove leading zeros in exponent and modulus */
+ while (*e.ptr == 0)
+ {
+ e = chunk_skip(e, 1);
+ }
+ while (*n.ptr == 0)
+ {
+ n = chunk_skip(n, 1);
+ }
+
+ if (e.len < 256)
+ {
+ /* exponent length fits into a single octet */
+ exp_len = 1;
+ pubkey = chunk_alloc(exp_len + e.len + n.len);
+ pubkey.ptr[0] = (char)e.len;
+ }
+ else if (e.len < 65536)
+ {
+ /* exponent length fits into two octets preceded by zero octet */
+ exp_len = 3;
+ pubkey = chunk_alloc(exp_len + e.len + n.len);
+ pubkey.ptr[0] = 0x00;
+ htoun16(pubkey.ptr + 1, e.len);
+ }
+ else
+ {
+ /* exponent length is too large */
+ return FALSE;
+ }
+
+ /* copy exponent and modulus and convert to base64 format */
+ pos = pubkey.ptr + exp_len;
+ memcpy(pos, e.ptr, e.len);
+ pos += e.len;
+ memcpy(pos, n.ptr, n.len);
+ *encoding = chunk_to_base64(pubkey, NULL);
+ chunk_free(&pubkey);
+
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool dnskey_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+ va_list args)
+{
+ switch (type)
+ {
+ case PUBKEY_DNSKEY:
+ return build_pub(encoding, args);
+ default:
+ return FALSE;
+ }
+}
+
+
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup dnskey_encoder dnskey_encoder
+ * @{ @ingroup dnskey
+ */
+
+#ifndef DNSKEY_ENCODER_H_
+#define DNSKEY_ENCODER_H_
+
+#include <credentials/cred_encoding.h>
+
+/**
+ * Encoding function for DNSKEY (RFC 3110) public key format.
+ */
+bool dnskey_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+ va_list args);
+
+#endif /** DNSKEY_ENCODER_H_ @}*/
#include <library.h>
#include "dnskey_builder.h"
+#include "dnskey_encoder.h"
typedef struct private_dnskey_plugin_t private_dnskey_plugin_t;
METHOD(plugin_t, destroy, void,
private_dnskey_plugin_t *this)
{
+ lib->encoding->remove_encoder(lib->encoding, dnskey_encoder_encode);
+
free(this);
}
},
);
+ lib->encoding->add_encoder(lib->encoding, dnskey_encoder_encode);
+
return &this->public.plugin;
}
/**
* Create a gcm_aead instance.
*
- * @param key_size key size in bytes
* @param algo algorithm to implement, a gcm mode
+ * @param key_size key size in bytes
* @return aead, NULL if not supported
*/
gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
openssl_crl.c openssl_crl.h \
openssl_pkcs7.c openssl_pkcs7.h \
openssl_rng.c openssl_rng.h \
- openssl_hmac.c openssl_hmac.h
+ openssl_hmac.c openssl_hmac.h \
+ openssl_gcm.c openssl_gcm.h
libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
libstrongswan_openssl_la_LIBADD = -lcrypto
* for more details.
*/
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_DH
+
#include <openssl/dh.h>
#include "openssl_diffie_hellman.h"
return &this->public;
}
+
+#endif /* OPENSSL_NO_DH */
#include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDSA
#include "openssl_ec_private_key.h"
#include "openssl_ec_public_key.h"
destroy(this);
return NULL;
}
-#endif /* OPENSSL_NO_EC */
-
+#endif /* OPENSSL_NO_ECDSA */
#include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDSA
#include "openssl_ec_public_key.h"
#include "openssl_util.h"
}
return &this->public;
}
-#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_ECDSA */
--- /dev/null
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "openssl_gcm.h"
+
+#include <openssl/evp.h>
+
+/** as defined in RFC 4106 */
+#define IV_LEN 8
+#define SALT_LEN 4
+#define NONCE_LEN (IV_LEN + SALT_LEN)
+
+typedef struct private_aead_t private_aead_t;
+
+/**
+ * Private data of aead_t
+ */
+struct private_aead_t {
+
+ /**
+ * Public interface
+ */
+ aead_t public;
+
+ /**
+ * The encryption key
+ */
+ chunk_t key;
+
+ /**
+ * Salt value
+ */
+ char salt[SALT_LEN];
+
+ /**
+ * Size of the integrity check value
+ */
+ size_t icv_size;
+
+ /**
+ * The cipher to use
+ */
+ const EVP_CIPHER *cipher;
+};
+
+/**
+ * Do the actual en/decryption in an EVP context
+ */
+static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv,
+ u_char *out, int enc)
+{
+ EVP_CIPHER_CTX ctx;
+ u_char nonce[NONCE_LEN];
+ bool success = FALSE;
+ int len;
+
+ memcpy(nonce, this->salt, SALT_LEN);
+ memcpy(nonce + SALT_LEN, iv.ptr, IV_LEN);
+
+ EVP_CIPHER_CTX_init(&ctx);
+ EVP_CIPHER_CTX_set_padding(&ctx, 0);
+ if (!EVP_CipherInit_ex(&ctx, this->cipher, NULL, NULL, NULL, enc) ||
+ !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, NONCE_LEN, NULL) ||
+ !EVP_CipherInit_ex(&ctx, NULL, NULL, this->key.ptr, nonce, enc))
+ {
+ goto done;
+ }
+ if (!enc && !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, this->icv_size,
+ data.ptr + data.len))
+ { /* set ICV for verification on decryption */
+ goto done;
+ }
+ if (assoc.len && !EVP_CipherUpdate(&ctx, NULL, &len, assoc.ptr, assoc.len))
+ { /* set AAD if specified */
+ goto done;
+ }
+ if (!EVP_CipherUpdate(&ctx, out, &len, data.ptr, data.len) ||
+ !EVP_CipherFinal_ex(&ctx, out + len, &len))
+ { /* EVP_CipherFinal_ex fails if ICV is incorrect on decryption */
+ goto done;
+ }
+ if (enc && !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, this->icv_size,
+ out + data.len))
+ { /* copy back the ICV when encrypting */
+ goto done;
+ }
+ success = TRUE;
+
+done:
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ return success;
+}
+
+METHOD(aead_t, encrypt, bool,
+ private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+ chunk_t *encrypted)
+{
+ u_char *out;
+
+ out = plain.ptr;
+ if (encrypted)
+ {
+ *encrypted = chunk_alloc(plain.len + this->icv_size);
+ out = encrypted->ptr;
+ }
+ return crypt(this, plain, assoc, iv, out, 1);
+}
+
+METHOD(aead_t, decrypt, bool,
+ private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+ chunk_t *plain)
+{
+ u_char *out;
+
+ if (encrypted.len < this->icv_size)
+ {
+ return FALSE;
+ }
+ encrypted.len -= this->icv_size;
+
+ out = encrypted.ptr;
+ if (plain)
+ {
+ *plain = chunk_alloc(encrypted.len);
+ out = plain->ptr;
+ }
+ return crypt(this, encrypted, assoc, iv, out, 0);
+}
+
+METHOD(aead_t, get_block_size, size_t,
+ private_aead_t *this)
+{
+ return this->cipher->block_size;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+ private_aead_t *this)
+{
+ return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+ private_aead_t *this)
+{
+ return IV_LEN;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+ private_aead_t *this)
+{
+ return this->key.len + SALT_LEN;
+}
+
+METHOD(aead_t, set_key, bool,
+ private_aead_t *this, chunk_t key)
+{
+ if (key.len != get_key_size(this))
+ {
+ return FALSE;
+ }
+ memcpy(this->salt, key.ptr + key.len - SALT_LEN, SALT_LEN);
+ memcpy(this->key.ptr, key.ptr, this->key.len);
+ return TRUE;
+}
+
+METHOD(aead_t, destroy, void,
+ private_aead_t *this)
+{
+ chunk_clear(&this->key);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size)
+{
+ private_aead_t *this;
+
+ INIT(this,
+ .public = {
+ .encrypt = _encrypt,
+ .decrypt = _decrypt,
+ .get_block_size = _get_block_size,
+ .get_icv_size = _get_icv_size,
+ .get_iv_size = _get_iv_size,
+ .get_key_size = _get_key_size,
+ .set_key = _set_key,
+ .destroy = _destroy,
+ },
+ );
+
+ switch (algo)
+ {
+ case ENCR_AES_GCM_ICV8:
+ this->icv_size = 8;
+ break;
+ case ENCR_AES_GCM_ICV12:
+ this->icv_size = 12;
+ break;
+ case ENCR_AES_GCM_ICV16:
+ this->icv_size = 16;
+ break;
+ default:
+ free(this);
+ return NULL;
+ }
+
+ switch (algo)
+ {
+ case ENCR_AES_GCM_ICV8:
+ case ENCR_AES_GCM_ICV12:
+ case ENCR_AES_GCM_ICV16:
+ switch (key_size)
+ {
+ case 0:
+ key_size = 16;
+ /* FALL */
+ case 16:
+ this->cipher = EVP_get_cipherbyname("aes-128-gcm");
+ break;
+ case 24:
+ this->cipher = EVP_get_cipherbyname("aes-192-gcm");
+ break;
+ case 32:
+ this->cipher = EVP_get_cipherbyname("aes-256-gcm");
+ break;
+ default:
+ free(this);
+ return NULL;
+ }
+ break;
+ default:
+ free(this);
+ return NULL;
+ }
+
+ if (!this->cipher)
+ {
+ free(this);
+ return NULL;
+ }
+
+ this->key = chunk_alloc(key_size);
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Implements the aead_t interface using OpenSSL in GCM mode.
+ *
+ * @defgroup openssl_gcm openssl_gcm
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_GCM_H_
+#define OPENSSL_GCM_H_
+
+#include <crypto/aead.h>
+
+/**
+ * Constructor to create aead_t implementation.
+ *
+ * @param algo algorithm to implement
+ * @param key_size key size in bytes
+ * @return aead_t object, NULL if not supported
+ */
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** OPENSSL_GCM_H_ @}*/
* THE SOFTWARE.
*/
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_HMAC
+
#include <openssl/evp.h>
#include <openssl/hmac.h>
return NULL;
}
+#endif /* OPENSSL_NO_HMAC */
* for more details.
*/
+#include <openssl/opensslv.h>
#include <openssl/opensslconf.h>
+#if OPENSSL_VERSION_NUMBER >= 0x0090807fL
#ifndef OPENSSL_NO_CMS
#include "openssl_pkcs7.h"
}
#endif /* OPENSSL_NO_CMS */
+#endif /* OPENSSL_VERSION_NUMBER */
#include "openssl_pkcs7.h"
#include "openssl_rng.h"
#include "openssl_hmac.h"
+#include "openssl_gcm.h"
typedef struct private_openssl_plugin_t private_openssl_plugin_t;
PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
#endif
#endif /* OPENSSL_NO_HMAC */
+#ifndef OPENSSL_NO_AES
+ /* AES GCM */
+ PLUGIN_REGISTER(AEAD, openssl_gcm_create),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
+ PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
+#endif /* OPENSSL_NO_AES */
#ifndef OPENSSL_NO_DH
/* MODP DH groups */
PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
+#if OPENSSL_VERSION_NUMBER >= 0x0090807fL
#ifndef OPENSSL_NO_CMS
PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
#endif /* OPENSSL_NO_CMS */
+#endif /* OPENSSL_VERSION_NUMBER */
#ifndef OPENSSL_NO_ECDH
/* EC DH groups */
PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
return &this->public.plugin;
}
-
* for more details.
*/
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_RSA
+
#include "openssl_rsa_private_key.h"
#include "openssl_rsa_public_key.h"
#endif /* OPENSSL_NO_ENGINE */
}
+#endif /* OPENSSL_NO_RSA */
* for more details.
*/
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_RSA
+
#include "openssl_rsa_public_key.h"
#include <utils/debug.h>
destroy(this);
return NULL;
}
+
+#endif /* OPENSSL_NO_RSA */
* for more details.
*/
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_SHA1
+
#include "openssl_sha1_prf.h"
#include <openssl/sha.h>
return &this->public;
}
+#endif /* OPENSSL_NO_SHA1 */
/**
* @defgroup rdrand_rng rdrand_rng
- * @{ @ingroup rdrand
+ * @{ @ingroup rdrand_p
*/
#ifndef RDRAND_RNG_H_
--- /dev/null
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\"
+
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-unbound.la
+else
+plugin_LTLIBRARIES = libstrongswan-unbound.la
+endif
+
+libstrongswan_unbound_la_SOURCES = \
+ unbound_plugin.h unbound_plugin.c \
+ unbound_resolver.c unbound_resolver.h \
+ unbound_rr.h unbound_rr.c \
+ unbound_response.h unbound_response.c
+
+libstrongswan_unbound_la_LDFLAGS = -module -avoid-version
+libstrongswan_unbound_la_LIBADD = -lunbound -lldns
--- /dev/null
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "unbound_plugin.h"
+
+#include <library.h>
+#include "unbound_resolver.h"
+
+typedef struct private_unbound_plugin_t private_unbound_plugin_t;
+
+/**
+ * private data of unbound_plugin
+ */
+struct private_unbound_plugin_t {
+
+ /**
+ * public functions
+ */
+ unbound_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_unbound_plugin_t *this)
+{
+ return "unbound";
+}
+
+METHOD(plugin_t, destroy, void,
+ private_unbound_plugin_t *this)
+{
+ lib->resolver->remove_resolver(lib->resolver, unbound_resolver_create);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *unbound_plugin_create()
+{
+ private_unbound_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ lib->resolver->add_resolver(lib->resolver, unbound_resolver_create);
+
+ return &this->public.plugin;
+}
--- /dev/null
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_p unbound
+ * @ingroup plugins
+ *
+ * @defgroup unbound_plugin unbound_plugin
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef unbound_PLUGIN_H_
+#define unbound_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct unbound_plugin_t unbound_plugin_t;
+
+/**
+ * Plugin implementing the resolver interface using the libunbound DNS library.
+ */
+struct unbound_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** unbound_PLUGIN_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <unbound.h>
+#include <errno.h>
+#include <ldns/ldns.h>
+#include <string.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include "unbound_resolver.h"
+#include "unbound_response.h"
+
+/* DNS resolver configuration and DNSSEC trust anchors */
+#define RESOLV_CONF_FILE "/etc/resolv.conf"
+#define TRUST_ANCHOR_FILE IPSEC_CONFDIR "/ipsec.d/dnssec.keys"
+
+typedef struct private_resolver_t private_resolver_t;
+
+/**
+ * private data of a unbound_resolver_t object.
+ */
+struct private_resolver_t {
+
+ /**
+ * Public data
+ */
+ resolver_t public;
+
+ /**
+ * private unbound resolver handle (unbound context)
+ */
+ struct ub_ctx *ctx;
+};
+
+/**
+ * query method implementation
+ */
+METHOD(resolver_t, query, resolver_response_t*,
+ private_resolver_t *this, char *domain, rr_class_t rr_class,
+ rr_type_t rr_type)
+{
+ unbound_response_t *response = NULL;
+ struct ub_result *result = NULL;
+ int ub_retval;
+
+ ub_retval = ub_resolve(this->ctx, domain, rr_type, rr_class, &result);
+ if (ub_retval)
+ {
+ DBG1(DBG_LIB, "unbound resolver error: %s", ub_strerror(ub_retval));
+ ub_resolve_free(result);
+ return NULL;
+ }
+
+ response = unbound_response_create_frm_libub_response(result);
+ if (!response)
+ {
+ DBG1(DBG_LIB, "unbound resolver failed to create response");
+ ub_resolve_free(result);
+ return NULL;
+ }
+ ub_resolve_free(result);
+
+ return (resolver_response_t*)response;
+}
+
+/**
+ * destroy method implementation
+ */
+METHOD(resolver_t, destroy, void,
+ private_resolver_t *this)
+{
+ ub_ctx_delete(this->ctx);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+resolver_t *unbound_resolver_create(void)
+{
+ private_resolver_t *this;
+ int ub_retval = 0;
+ char *resolv_conf_file;
+ char *trust_anchor_file;
+
+ resolv_conf_file = lib->settings->get_str(lib->settings,
+ "libstrongswan.plugins.unbound.resolv_conf",
+ RESOLV_CONF_FILE);
+
+ trust_anchor_file = lib->settings->get_str(lib->settings,
+ "libstrongswan.plugins.unbound.trust_anchors",
+ TRUST_ANCHOR_FILE);
+
+ INIT(this,
+ .public = {
+ .query = _query,
+ .destroy = _destroy,
+ },
+ );
+
+ this->ctx = ub_ctx_create();
+ if (!this->ctx)
+ {
+ DBG1(DBG_LIB, "failed to create unbound resolver context");
+ destroy(this);
+ return NULL;
+ }
+
+ DBG1(DBG_CFG, "loading unbound resolver config from '%s'", resolv_conf_file);
+ ub_retval = ub_ctx_resolvconf(this->ctx, resolv_conf_file);
+ if (ub_retval)
+ {
+ DBG1(DBG_CFG, "failed to read the resolver config: %s (%s)",
+ ub_strerror(ub_retval), strerror(errno));
+ destroy(this);
+ return NULL;
+ }
+
+ DBG1(DBG_CFG, "loading unbound trust anchors from '%s'", trust_anchor_file);
+ ub_retval = ub_ctx_add_ta_file(this->ctx, trust_anchor_file);
+ if (ub_retval)
+ {
+ DBG1(DBG_CFG, "failed to load trust anchors: %s (%s)",
+ ub_strerror(ub_retval), strerror(errno));
+ }
+
+ return &this->public;
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_resolver unbound_resolver
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef unbound_RESOLVER_H_
+#define unbound_RESOLVER_H_
+
+/**
+ * Create a resolver_t instance.
+ */
+resolver_t *unbound_resolver_create(void);
+
+#endif /** LIBunbound_RESOLVER_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <resolver/resolver_response.h>
+#include <resolver/rr.h>
+#include "unbound_rr.h"
+#include "unbound_response.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <unbound.h>
+#include <ldns/ldns.h>
+
+typedef struct private_unbound_response_t private_unbound_response_t;
+
+/**
+ * private data of an unbound_response_t object.
+ */
+struct private_unbound_response_t {
+
+ /**
+ * Public data
+ */
+ unbound_response_t public;
+
+ /**
+ * Original question string
+ */
+ char* query_name;
+
+ /**
+ * Canonical name of the response
+ */
+ char* canon_name;
+
+ /**
+ * Are the some RRs in the RRset of this response?
+ */
+ bool has_data;
+
+ /*
+ * Does the queried name exist?
+ */
+ bool query_name_exist;
+
+ /**
+ * DNSSEC security state
+ */
+ dnssec_status_t security_state;
+
+ /**
+ * RRset
+ */
+ rr_set_t *rr_set;
+};
+
+METHOD(resolver_response_t, get_query_name, char*,
+ private_unbound_response_t *this)
+{
+ return this->query_name;
+}
+
+METHOD(resolver_response_t, get_canon_name, char*,
+ private_unbound_response_t *this)
+{
+ return this->canon_name;
+}
+
+METHOD(resolver_response_t, has_data, bool,
+ private_unbound_response_t *this)
+{
+ return this->has_data;
+}
+
+METHOD(resolver_response_t, query_name_exist, bool,
+ private_unbound_response_t *this)
+{
+ return this->query_name_exist;
+}
+
+METHOD(resolver_response_t, get_security_state, dnssec_status_t,
+ private_unbound_response_t *this)
+{
+ return this->security_state;
+}
+
+METHOD(resolver_response_t, get_rr_set, rr_set_t*,
+ private_unbound_response_t *this)
+{
+ return this->rr_set;
+}
+
+METHOD(resolver_response_t, destroy, void,
+ private_unbound_response_t *this)
+{
+ free(this->query_name);
+ free(this->canon_name);
+ DESTROY_IF(this->rr_set);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+unbound_response_t *unbound_response_create_frm_libub_response(
+ struct ub_result *libub_response)
+{
+ private_unbound_response_t *this = NULL;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .get_query_name = _get_query_name,
+ .get_canon_name = _get_canon_name,
+ .has_data = _has_data,
+ .query_name_exist = _query_name_exist,
+ .get_security_state = _get_security_state,
+ .get_rr_set = _get_rr_set,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ this->query_name = strdup(libub_response->qname);
+
+ if (libub_response->canonname)
+ {
+ this->canon_name = strdup(libub_response->canonname);
+ }
+
+ this->has_data = libub_response->havedata;
+
+ this->query_name_exist = !(libub_response->nxdomain);
+
+ if (libub_response->secure)
+ {
+ this->security_state = SECURE;
+ }
+ else if (libub_response->bogus)
+ {
+ this->security_state = BOGUS;
+ }
+ else
+ {
+ this->security_state = INDETERMINATE;
+ }
+
+ /**
+ * Create RRset
+ */
+ if (this->query_name_exist && this->has_data)
+ {
+ ldns_pkt *dns_pkt = NULL;
+ ldns_rr_list *orig_rr_list = NULL;
+ size_t orig_rr_count;
+ ldns_rr *orig_rr = NULL;
+ ldns_rdf *orig_rdf = NULL;
+ ldns_status status;
+ linked_list_t *rr_list = NULL, *rrsig_list = NULL;
+ unbound_rr_t *rr = NULL;
+ int i;
+
+ /**Parse the received DNS packet using the ldns library */
+ status = ldns_wire2pkt(&dns_pkt, libub_response->answer_packet,
+ libub_response->answer_len);
+
+ if (status != LDNS_STATUS_OK)
+ {
+ DBG1(DBG_LIB, "failed to parse DNS packet");
+ destroy(this);
+ return NULL;
+ }
+
+ /* Create a list with the queried RRs. If there are corresponding RRSIGs
+ * create also a list with these.
+ */
+ rr_list = linked_list_create();
+
+ orig_rr_list = ldns_pkt_get_section_clone(dns_pkt, LDNS_SECTION_ANSWER);
+ orig_rr_count = ldns_rr_list_rr_count(orig_rr_list);
+
+ for (i = 0; i < orig_rr_count; i++)
+ {
+ orig_rr = ldns_rr_list_rr(orig_rr_list, i);
+
+ if (ldns_rr_get_type(orig_rr) == libub_response->qtype &&
+ ldns_rr_get_class(orig_rr) == libub_response->qclass)
+ {
+ /* RR is part of the queried RRset.
+ * => add it to the list of Resource Records.
+ */
+ rr = unbound_rr_create_frm_ldns_rr(orig_rr);
+ if (rr)
+ {
+ rr_list->insert_last(rr_list, rr);
+ }
+ else
+ {
+ DBG1(DBG_LIB, "failed to create RR");
+ }
+ }
+
+ if (ldns_rr_get_type(orig_rr) == LDNS_RR_TYPE_RRSIG)
+ {
+ orig_rdf = ldns_rr_rrsig_typecovered(orig_rr);
+ if (!orig_rdf)
+ {
+ DBG1(DBG_LIB, "failed to get the type covered by an RRSIG");
+ }
+ else if (ldns_rdf2native_int16(orig_rdf) == libub_response->qtype)
+ {
+ /* The current RR represent a signature (RRSIG)
+ * which belongs to the queried RRset.
+ * => add it to the list of signatures.
+ */
+ rr = unbound_rr_create_frm_ldns_rr(orig_rr);
+ if (rr)
+ {
+ if (!rrsig_list)
+ {
+ rrsig_list = linked_list_create();
+ }
+ rrsig_list->insert_last(rrsig_list, rr);
+ }
+ else
+ {
+ DBG1(DBG_LIB, "failed to create RRSIG");
+ }
+ }
+ else
+ {
+ DBG1(DBG_LIB, "failed to determine the RR type "
+ "covered by RRSIG RR");
+ }
+ }
+ }
+ /**
+ * Create the RRset for which the query was performed.
+ */
+ this->rr_set = rr_set_create(rr_list, rrsig_list);
+
+ ldns_pkt_free(dns_pkt);
+ ldns_rr_list_free(orig_rr_list);
+ }
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_response unbound_response
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef UNBOUND_RESPONSE_H_
+#define UNBOUND_RESPONSE_H_
+
+#include <resolver/resolver_response.h>
+#include <unbound.h>
+
+typedef struct unbound_response_t unbound_response_t;
+
+/**
+ * Implementation of the resolver_response interface using libunbound.
+ *
+ */
+struct unbound_response_t {
+
+ /**
+ * Implements the resolver_response interface
+ */
+ resolver_response_t interface;
+};
+
+/**
+ * Create an unbound_response instance from a response of the unbound library.
+ *
+ * @param a response of the unbound library
+ * @return an unbound_response conforming to the resolver_response
+ * interface, or NULL on failure
+ */
+unbound_response_t *unbound_response_create_frm_libub_response(
+ struct ub_result *libub_response);
+
+#endif /** UNBOUND_RESPONSE_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <resolver/rr.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "unbound_rr.h"
+
+typedef struct private_unbound_rr_t private_unbound_rr_t;
+
+/**
+ * private data of an unbound_rr_t object.
+ */
+struct private_unbound_rr_t {
+
+ /**
+ * Public data
+ */
+ unbound_rr_t public;
+
+ /**
+ * Owner name
+ */
+ char* name;
+
+ /**
+ * Type
+ */
+ rr_type_t type;
+
+ /**
+ * Class
+ */
+ rr_class_t class;
+
+ /**
+ * TTL
+ */
+ uint32_t ttl;
+
+ /**
+ * Size of the rdata field in octets
+ */
+ uint16_t size;
+
+ /**
+ * RDATA field (array of bytes in network order)
+ */
+ u_char *rdata;
+};
+
+METHOD(rr_t, get_name, char *,
+ private_unbound_rr_t *this)
+{
+ return this->name;
+}
+
+METHOD(rr_t, get_type, rr_type_t,
+ private_unbound_rr_t *this)
+{
+ return this->type;
+}
+
+METHOD(rr_t, get_class, rr_class_t,
+ private_unbound_rr_t *this)
+{
+ return this->class;
+}
+
+METHOD(rr_t, get_ttl, uint32_t,
+ private_unbound_rr_t *this)
+{
+ return this->ttl;
+}
+
+METHOD(rr_t, get_rdata, chunk_t,
+ private_unbound_rr_t *this)
+{
+ return chunk_create(this->rdata, this->size);
+}
+
+METHOD(rr_t, destroy, void,
+ private_unbound_rr_t *this)
+{
+ free(this->name);
+ free(this->rdata);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+unbound_rr_t *unbound_rr_create_frm_ldns_rr(ldns_rr *rr)
+{
+ private_unbound_rr_t *this;
+ ldns_status status;
+ ldns_buffer *buf;
+ int i;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .get_name = _get_name,
+ .get_type = _get_type,
+ .get_class = _get_class,
+ .get_ttl = _get_ttl,
+ .get_rdata = _get_rdata,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ this->name = ldns_rdf2str(ldns_rr_owner(rr));
+ if (!this->name)
+ {
+ DBG1(DBG_LIB, "failed to parse the owner name of a DNS RR");
+ _destroy(this);
+ return NULL;
+ }
+
+ this->type = ldns_rr_get_type(rr);
+ this->class = ldns_rr_get_class(rr);
+ this->ttl = ldns_rr_ttl(rr);
+ for(i = 0; i < ldns_rr_rd_count(rr); i++)
+ {
+ this->size += ldns_rdf_size(ldns_rr_rdf(rr, i));
+ }
+
+ /**
+ * The ldns library splits the RDATA field of a RR in various rdf.
+ * Here we reassemble these rdf to get the RDATA field of the RR.
+ */
+ buf = ldns_buffer_new(LDNS_MIN_BUFLEN);
+ /* The buffer will be resized automatically by ldns_rr_rdata2buffer_wire() */
+ status = ldns_rr_rdata2buffer_wire(buf, rr);
+
+ if (status != LDNS_STATUS_OK)
+ {
+ DBG1(DBG_LIB, "failed to get the RDATA field of a DNS RR");
+ _destroy(this);
+ return NULL;
+ }
+
+ this->rdata = ldns_buffer_export(buf);
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup unbound_rr unbound_rr
+ * @{ @ingroup unbound_p
+ */
+
+#ifndef UNBOUND_RR_H_
+#define UNBOUND_RR_H_
+
+#include <resolver/rr.h>
+#include <ldns/ldns.h>
+
+typedef struct unbound_rr_t unbound_rr_t;
+
+/**
+ * Implementation of the Resource Record interface using libunbound and libldns.
+ */
+struct unbound_rr_t {
+
+ /**
+ * Implements the Resource Record interface
+ */
+ rr_t interface;
+};
+
+/**
+ * Create an unbound_rr instance from a Resource Record given by
+ * a ldns_struct_rr from the ldns library.
+ *
+ * @return Resource Record, NULL on error
+ */
+unbound_rr_t *unbound_rr_create_frm_ldns_rr(ldns_rr *rr);
+
+#endif /** UNBOUND_RR_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolveri resolver
+ * @{ @ingroup resolver
+ */
+
+#ifndef RESOLVER_H_
+#define RESOLVER_H_
+
+typedef struct resolver_t resolver_t;
+
+/**
+ * Constructor function which creates DNS resolver instances.
+ */
+typedef resolver_t* (*resolver_constructor_t)(void);
+
+#include <resolver/resolver_response.h>
+#include <resolver/rr_set.h>
+#include <resolver/rr.h>
+
+/**
+ * Interface of a security-aware DNS resolver.
+ *
+ */
+struct resolver_t {
+
+ /**
+ * Perform a DNS query.
+ *
+ * @param domain domain (FQDN) to query
+ * @param rr_class class of the desired RRs
+ * @param rr_type type of the desired RRs
+ * @return response to the query, NULL on failure
+ */
+ resolver_response_t *(*query)(resolver_t *this, char *domain,
+ rr_class_t rr_class, rr_type_t rr_type);
+
+ /**
+ * Destroy the resolver instance.
+ */
+ void (*destroy)(resolver_t *this);
+};
+
+#endif /** RESOLVER_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolver_manager.h"
+
+#include <utils/debug.h>
+
+typedef struct private_resolver_manager_t private_resolver_manager_t;
+
+/**
+ * private data of resolver_manager
+ */
+struct private_resolver_manager_t {
+
+ /**
+ * public functions
+ */
+ resolver_manager_t public;
+
+ /**
+ * constructor function to create resolver instances
+ */
+ resolver_constructor_t constructor;
+};
+
+METHOD(resolver_manager_t, add_resolver, void,
+ private_resolver_manager_t *this, resolver_constructor_t constructor)
+{
+ if (!this->constructor)
+ {
+ this->constructor = constructor;
+ }
+}
+
+METHOD(resolver_manager_t, remove_resolver, void,
+ private_resolver_manager_t *this, resolver_constructor_t constructor)
+{
+ if (this->constructor == constructor)
+ {
+ this->constructor = NULL;
+ }
+}
+
+METHOD(resolver_manager_t, create, resolver_t*,
+ private_resolver_manager_t *this)
+{
+ return this->constructor();
+}
+
+METHOD(resolver_manager_t, destroy, void,
+ private_resolver_manager_t *this)
+{
+ free(this);
+}
+
+/*
+ * See header
+ */
+resolver_manager_t *resolver_manager_create()
+{
+ private_resolver_manager_t *this;
+
+ INIT(this,
+ .public = {
+ .add_resolver = _add_resolver,
+ .remove_resolver = _remove_resolver,
+ .create = _create,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+* @defgroup resolver_manager resolver_manager
+* @{ @ingroup resolver
+*/
+
+#ifndef RESOLVER_MANAGER_H_
+#define RESOLVER_MANAGER_H_
+
+typedef struct resolver_manager_t resolver_manager_t;
+
+#include <resolver/resolver.h>
+
+/**
+ * The resolver_manager manages the resolver implementations and
+ * creates instances of them.
+ *
+ * A resolver plugin is registered by providing its constructor function
+ * to the manager. The manager creates instances of the resolver plugin
+ * using the registered constructor function.
+ */
+struct resolver_manager_t {
+
+ /**
+ * Register a resolver implementation.
+ *
+ * @param constructor resolver constructor function
+ */
+ void (*add_resolver)(resolver_manager_t *this,
+ resolver_constructor_t constructor);
+
+ /**
+ * Unregister a previously registered resolver implementation.
+ *
+ * @param constructor resolver constructor function to unregister
+ */
+ void (*remove_resolver)(resolver_manager_t *this,
+ resolver_constructor_t constructor);
+
+ /**
+ * Get a new resolver instance.
+ *
+ * @return resolver instance.
+ */
+ resolver_t* (*create)(resolver_manager_t *this);
+
+ /**
+ * Destroy a resolver_manager instance.
+ */
+ void (*destroy)(resolver_manager_t *this);
+};
+
+/**
+ * Create a resolver_manager instance.
+ */
+resolver_manager_t *resolver_manager_create();
+
+#endif /** RESOLVER_MANAGER_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rsolver_response resolver_response
+ * @{ @ingroup resolver
+ */
+
+#ifndef RESOLVER_RESPONSE_H_
+#define RESOLVER_RESPONSE_H_
+
+typedef struct resolver_response_t resolver_response_t;
+typedef enum dnssec_status_t dnssec_status_t;
+
+#include <library.h>
+#include <resolver/rr_set.h>
+
+/**
+ * DNSSEC security state.
+ *
+ * DNSSEC security state, which a security aware resolver is able determine
+ * according to RFC 4033.
+ */
+enum dnssec_status_t {
+ /**
+ * The validating resolver has a trust anchor, has a chain of
+ * trust, and is able to verify all the signatures in the response.
+ * [RFC4033]
+ */
+ SECURE,
+ /**
+ * The validating resolver has a trust anchor, a chain of
+ * trust, and, at some delegation point, signed proof of the
+ * non-existence of a DS record. This indicates that subsequent
+ * branches in the tree are provably insecure. A validating resolver
+ * may have a local policy to mark parts of the domain space as
+ * insecure. [RFC4033]
+ */
+ INSECURE,
+ /**
+ * The validating resolver has a trust anchor and a secure
+ * delegation indicating that subsidiary data is signed, but the
+ * response fails to validate for some reason: missing signatures,
+ * expired signatures, signatures with unsupported algorithms, data
+ * missing that the relevant NSEC RR says should be present, and so
+ * forth. [RFC4033]
+ */
+ BOGUS,
+ /**
+ * There is no trust anchor that would indicate that a
+ * specific portion of the tree is secure. This is the default
+ * operation mode. [RFC4033]
+ */
+ INDETERMINATE,
+};
+
+
+/**
+ * A response of the DNS resolver to a DNS query.
+ *
+ * A response represents the answer of the Domain Name System to a query.
+ * It contains the RRset with the queried Resource Records and additional
+ * information.
+ */
+struct resolver_response_t {
+
+ /**
+ * Get the original question string.
+ *
+ * The string to which the returned pointer points, is still owned
+ * by the resolver_response. Clone it if necessary.
+ *
+ * @return the queried name
+ */
+ char *(*get_query_name)(resolver_response_t *this);
+
+ /**
+ * Get the canonical name of the result.
+ *
+ * The string to which the returned pointer points, is still owned
+ * by the resolver_response. Clone it if necessary.
+ *
+ * @return - canonical name of result
+ * - NULL, if result has no canonical name
+ */
+ char *(*get_canon_name)(resolver_response_t *this);
+
+ /**
+ * Does the RRset of this response contain some Resource Records?
+ *
+ * Returns TRUE if the RRset of this response contains some RRs
+ * (RRSIG Resource Records are ignored).
+ *
+ * @return
+ * - TRUE, if there are some RRs in the RRset
+ * - FALSE, otherwise
+ */
+ bool (*has_data)(resolver_response_t *this);
+
+ /**
+ * Does the queried name exist?
+ *
+ * @return
+ * - TRUE, if the queried name exists
+ * - FALSE, otherwise
+ */
+ bool (*query_name_exist)(resolver_response_t *this);
+
+ /**
+ * Get the DNSSEC security state of the response.
+ *
+ * @return DNSSEC security state
+ */
+ dnssec_status_t (*get_security_state)(resolver_response_t *this);
+
+ /**
+ * Get the RRset with all Resource Records of this response.
+ *
+ * @return - RRset
+ * - NULL if there is no data or the query name
+ * does not exist
+ */
+ rr_set_t *(*get_rr_set)(resolver_response_t *this);
+
+ /**
+ * Destroy this response.
+ */
+ void (*destroy) (resolver_response_t *this);
+};
+
+#endif /** RR_SET_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rr rr
+ * @{ @ingroup resolver
+ */
+
+#ifndef RR_H_
+#define RR_H_
+
+typedef struct rr_t rr_t;
+typedef enum rr_type_t rr_type_t;
+typedef enum rr_class_t rr_class_t;
+
+#include <library.h>
+
+/**
+ * Resource Record types.
+ *
+ * According to www.iana.org/assignments/dns-parameters (version 2012-03-13).
+ */
+enum rr_type_t {
+ /** a host address */
+ RR_TYPE_A = 1,
+ /** an authoritative name server */
+ RR_TYPE_NS = 2,
+ //** a mail destination (OBSOLETE - use MX */
+ RR_TYPE_MD = 3,
+ /** a mail forwarder (OBSOLETE - use MX) */
+ RR_TYPE_MF = 4,
+ /** the canonical name for an alias */
+ RR_TYPE_CNAME = 5,
+ /** marks the start of a zone of authority */
+ RR_TYPE_SOA = 6,
+ /** a mailbox domain name (EXPERIMENTAL) */
+ RR_TYPE_MB = 7,
+ /** a mail group member (EXPERIMENTAL) */
+ RR_TYPE_MG = 8,
+ /** a mail rename domain name (EXPERIMENTAL) */
+ RR_TYPE_MR = 9,
+ /** a null RR (EXPERIMENTAL) */
+ RR_TYPE_NULL = 10,
+ /** a well known service description */
+ RR_TYPE_WKS = 11,
+ /** a domain name pointer */
+ RR_TYPE_PTR = 12,
+ /** host information */
+ RR_TYPE_HINFO = 13,
+ /** mailbox or mail list information */
+ RR_TYPE_MINFO = 14,
+ /** mail exchange */
+ RR_TYPE_MX = 15,
+ /** text strings */
+ RR_TYPE_TXT = 16,
+ /** for Responsible Person */
+ RR_TYPE_RP = 17,
+ /** for AFS Data Base location */
+ RR_TYPE_AFSDB = 18,
+ /** for X.25 PSDN address */
+ RR_TYPE_X25 = 19,
+ /** for ISDN address */
+ RR_TYPE_ISDN = 20,
+ /** for Route Through */
+ RR_TYPE_RT = 21,
+ /** for NSAP address, NSAP style A record */
+ RR_TYPE_NSAP = 22,
+ /** for domain name pointer, NSAP style */
+ RR_TYPE_NSAP_PTR = 23,
+ /** for security signature */
+ RR_TYPE_SIG = 24,
+ /** for security key */
+ RR_TYPE_KEY = 25,
+ /** X.400 mail mapping information */
+ RR_TYPE_PX = 26,
+ /** Geographical Position */
+ RR_TYPE_GPOS = 27,
+ /** ipv6 address */
+ RR_TYPE_AAAA = 28,
+ /** Location Information */
+ RR_TYPE_LOC = 29,
+ /** Next Domain (OBSOLETE) */
+ RR_TYPE_NXT = 30,
+ /** Endpoint Identifier */
+ RR_TYPE_EID = 31,
+ /** Nimrod Locator */
+ RR_TYPE_NIMLOC = 32,
+ /** Server Selection */
+ RR_TYPE_SRV = 33,
+ /** ATM Address */
+ RR_TYPE_ATMA = 34,
+ /** Naming Authority Pointer */
+ RR_TYPE_NAPTR = 35,
+ /** Key Exchanger */
+ RR_TYPE_KX = 36,
+ /** CERT */
+ RR_TYPE_CERT = 37,
+ /** A6 (OBSOLETE - use AAAA) */
+ RR_TYPE_A6 = 38,
+ /** DNAME */
+ RR_TYPE_DNAME = 39,
+ /** SINK */
+ RR_TYPE_SINK = 40,
+ /** OPT */
+ RR_TYPE_OPT = 41,
+ /** APL */
+ RR_TYPE_APL = 42,
+ /** Delegation Signer */
+ RR_TYPE_DS = 43,
+ /** SSH Key Fingerprint */
+ RR_TYPE_SSHFP = 44,
+ /** IPSECKEY */
+ RR_TYPE_IPSECKEY = 45,
+ /** RRSIG */
+ RR_TYPE_RRSIG = 46,
+ /** NSEC */
+ RR_TYPE_NSEC = 47,
+ /** DNSKEY */
+ RR_TYPE_DNSKEY = 48,
+ /** DHCID */
+ RR_TYPE_DHCID = 49,
+ /** NSEC3 */
+ RR_TYPE_NSEC3 = 50,
+ /** NSEC3PARAM */
+ RR_TYPE_NSEC3PARAM = 51,
+
+ /** Unassigned 52-54 */
+
+ /** Host Identity Protocol */
+ RR_TYPE_HIP = 55,
+ /** NINFO */
+ RR_TYPE_NINFO = 56,
+ /** RKEY */
+ RR_TYPE_RKEY = 57,
+ /** Trust Anchor LINK */
+ RR_TYPE_TALINK = 58,
+ /** Child DS */
+ RR_TYPE_CDS = 59,
+
+ /** Unassigned 60-98 */
+
+ /** SPF */
+ RR_TYPE_SPF = 99,
+ /** UINFO */
+ RR_TYPE_UINFO = 100,
+ /** UID */
+ RR_TYPE_UID = 101,
+ /** GID */
+ RR_TYPE_GID = 102,
+ /** UNSPEC */
+ RR_TYPE_UNSPEC = 103,
+
+ /** Unassigned 104-248 */
+
+ /** Transaction Key */
+ RR_TYPE_TKEY = 249,
+ /** Transaction Signature */
+ RR_TYPE_TSIG = 250,
+ /** incremental transfer */
+ RR_TYPE_IXFR = 251,
+ /** transfer of an entire zone */
+ RR_TYPE_AXFR = 252,
+ /** mailbox-related RRs (MB, MG or MR) */
+ RR_TYPE_MAILB = 253,
+ /** mail agent RRs (OBSOLETE - see MX) */
+ RR_TYPE_MAILA = 254,
+ /** A request for all records */
+ RR_TYPE_ANY = 255,
+ /** URI */
+ RR_TYPE_URI = 256,
+ /** Certification Authority Authorization */
+ RR_TYPE_CAA = 257,
+
+ /** Unassigned 258-32767 */
+
+ /** DNSSEC Trust Authorities */
+ RR_TYPE_TA = 32768,
+ /** DNSSEC Lookaside Validation */
+ RR_TYPE_DLV = 32769,
+
+ /** Unassigned 32770-65279 */
+
+ /** Private use 65280-65534 */
+
+ /** Reserved 65535 */
+};
+
+
+/**
+ * Resource Record CLASSes
+ */
+enum rr_class_t {
+ /** Internet */
+ RR_CLASS_IN = 1,
+ /** Chaos */
+ RR_CLASS_CH = 3,
+ /** Hesiod */
+ RR_CLASS_HS = 4,
+ /** further CLASSes: http://wwwiana.org/assignments/dns-parameters */
+};
+
+
+/**
+ * A DNS Resource Record.
+ *
+ * Represents a Resource Record of the Domain Name System
+ * as defined in RFC 1035.
+ *
+ */
+struct rr_t {
+
+ /**
+ * Get the NAME of the owner of this RR.
+ *
+ * @return owner name as string
+ */
+ char *(*get_name)(rr_t *this);
+
+ /**
+ * Get the type of this RR.
+ *
+ * @return RR type
+ */
+ rr_type_t (*get_type)(rr_t *this);
+
+ /**
+ * Get the class of this RR.
+ *
+ * @return RR class
+ */
+ rr_class_t (*get_class)(rr_t *this);
+
+ /**
+ * Get the Time to Live (TTL) of this RR.
+ *
+ * @return Time to Live
+ */
+ uint32_t (*get_ttl)(rr_t *this);
+
+ /**
+ * Get the content of the RDATA field as chunk.
+ *
+ * The data pointed by the chunk is still owned by the RR.
+ * Clone it if needed.
+ *
+ * @return RDATA field as chunk
+ */
+ chunk_t (*get_rdata)(rr_t *this);
+
+ /**
+ * Destroy the Resource Record.
+ */
+ void (*destroy) (rr_t *this);
+};
+
+#endif /** RR_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "rr_set.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef struct private_rr_set_t private_rr_set_t;
+
+/**
+* private data of the rr_set
+*/
+struct private_rr_set_t {
+
+ /**
+ * public functions
+ */
+ rr_set_t public;
+
+ /**
+ * List of Resource Records which form the RRset
+ */
+ linked_list_t *rr_list;
+
+ /**
+ * List of the signatures (RRSIGs) of the Resource Records contained in
+ * this set
+ */
+ linked_list_t *rrsig_list;
+};
+
+METHOD(rr_set_t, create_rr_enumerator, enumerator_t*,
+ private_rr_set_t *this)
+{
+ return this->rr_list->create_enumerator(this->rr_list);
+}
+
+METHOD(rr_set_t, create_rrsig_enumerator, enumerator_t*,
+ private_rr_set_t *this)
+{
+ if (this->rrsig_list)
+ {
+ return this->rrsig_list->create_enumerator(this->rrsig_list);
+ }
+ return NULL;
+}
+
+METHOD(rr_set_t, destroy, void,
+ private_rr_set_t *this)
+{
+ this->rr_list->destroy_offset(this->rr_list,
+ offsetof(rr_t, destroy));
+ if (this->rrsig_list)
+ {
+ this->rrsig_list->destroy_offset(this->rrsig_list,
+ offsetof(rr_t, destroy));
+ }
+ free(this);
+}
+
+/*
+ * see header
+ */
+rr_set_t *rr_set_create(linked_list_t *list_of_rr, linked_list_t *list_of_rrsig)
+{
+ private_rr_set_t *this;
+
+ INIT(this,
+ .public = {
+ .create_rr_enumerator = _create_rr_enumerator,
+ .create_rrsig_enumerator = _create_rrsig_enumerator,
+ .destroy = _destroy,
+ },
+ );
+
+ if (list_of_rr == NULL)
+ {
+ DBG1(DBG_LIB, "could not create a rr_set without a list_of_rr");
+ _destroy(this);
+ return NULL;
+ }
+ this->rr_list = list_of_rr;
+ this->rrsig_list = list_of_rrsig;
+
+ return &this->public;
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup rr_set rr_set
+ * @{ @ingroup resolver
+ */
+
+#ifndef RR_SET_H_
+#define RR_SET_H_
+
+typedef struct rr_set_t rr_set_t;
+
+#include <library.h>
+#include <collections/enumerator.h>
+#include <collections/linked_list.h>
+
+/**
+ * A set of DNS Resource Records.
+ *
+ * Represents a RRset as defined in RFC 2181. This RRset consists of a set of
+ * Resource Records with the same label, class and type but different data.
+ *
+ * The DNSSEC signature Resource Records (RRSIGs) which sign the RRs of this set
+ * are also part of an object of this type.
+ */
+struct rr_set_t {
+
+ /**
+ * Create an enumerator over all Resource Records of this RRset.
+ *
+ * @note The enumerator's position is invalid before the first call
+ * to enumerate().
+ *
+ * @return enumerator over Resource Records
+ */
+ enumerator_t *(*create_rr_enumerator)(rr_set_t *this);
+
+ /**
+ * Create an enumerator over all RRSIGs of this RRset
+ *
+ * @note The enumerator's position is invalid before the first call
+ * to enumerate().
+ *
+ * @return enumerator over RRSIG Resource Records,
+ * NULL if there are no RRSIGs for this RRset
+ */
+ enumerator_t *(*create_rrsig_enumerator)(rr_set_t *this);
+
+ /**
+ * Destroy this RRset with all its Resource Records.
+ */
+ void (*destroy) (rr_set_t *this);
+};
+
+/**
+ * Create an rr_set instance.
+ *
+ * @param list_of_rr list of Resource Records which form this RRset
+ * @param list_of_rrsig list of the signatures (RRSIGs) of the
+ * Resource Records of this set
+ * @return Resource Record set, NULL on failure
+ */
+rr_set_t *rr_set_create(linked_list_t *list_of_rr,
+ linked_list_t *list_of_rrsig);
+
+#endif /** RR_SET_H_ @}*/
#ifndef HAVE_PTHREAD_CANCEL
/* if pthread_cancel is not available, we emulate it using a signal */
+#ifdef ANDROID
+#define SIG_CANCEL SIGUSR2
+#else
#define SIG_CANCEL (SIGRTMIN+7)
+#endif
/* the signal handler for SIG_CANCEL uses pthread_exit to terminate the
* "cancelled" thread */
*/
#define chunk_from_thing(thing) chunk_create((char*)&(thing), sizeof(thing))
+/**
+ * Initialize a chunk from a static string, not containing 0-terminator
+ */
+#define chunk_from_str(str) chunk_create(str, strlen(str))
+
/**
* Allocate a chunk on the heap
*/
return FAILED;
}
+/**
+ * returns SUCCESS
+ */
+status_t return_success()
+{
+ return SUCCESS;
+}
+
/**
* nop operation
*/
bool utc = *((bool*)(args[1]));;
struct tm t;
- if (time == UNDEFINED_TIME)
+ if (*time == UNDEFINED_TIME)
{
return print_in_hook(data, "--- -- --:--:--%s----",
utc ? " UTC " : " ");
*/
status_t return_failed();
+/**
+ * returns SUCCESS
+ */
+status_t return_success();
+
/**
* Write a 16-bit host order value in network order to an unaligned address.
*
return this->is_server;
}
+METHOD(tls_t, get_server_id, identification_t*,
+ private_tls_t *this)
+{
+ return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+ private_tls_t *this)
+{
+ return this->peer;
+}
+
METHOD(tls_t, get_version, tls_version_t,
private_tls_t *this)
{
.process = _process,
.build = _build,
.is_server = _is_server,
+ .get_server_id = _get_server_id,
+ .get_peer_id = _get_peer_id,
.get_version = _get_version,
.set_version = _set_version,
.get_purpose = _get_purpose,
*/
bool (*is_server)(tls_t *this);
+ /**
+ * Return the server identity
+ *
+ * @return Server identity
+ */
+ identification_t* (*get_server_id)(tls_t *this);
+
+ /**
+ * Return the peer identity
+ *
+ * @return Peer identity
+ */
+ identification_t* (*get_peer_id)(tls_t *this);
+
/**
* Get the negotiated TLS/SSL version.
*
continue;
case SUCCESS:
this->application_finished = TRUE;
- return SUCCESS;
+ /* FALL */
case FAILED:
default:
this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY);
break;
case SUCCESS:
this->application_finished = TRUE;
- break;
+ /* FALL */
case FAILED:
default:
this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY);
this->state = ALERT_SENT;
return INVALID_STATE;
case ALERT_SENT:
+ if (this->application_finished)
+ {
+ return SUCCESS;
+ }
return FAILED;
case ALERT_NONE:
break;
tls_application_t application;
/**
- * Chunk of data to send
+ * Output buffer to write to
*/
chunk_t out;
/**
- * Chunk of data received
+ * Number of bytes written to out
+ */
+ size_t out_done;
+
+ /**
+ * Input buffer to read to
*/
chunk_t in;
+
+ /**
+ * Number of bytes read to in
+ */
+ size_t in_done;
+
+ /**
+ * Cached input data
+ */
+ chunk_t cache;
+
+ /**
+ * Bytes cosnumed in cache
+ */
+ size_t cache_done;
+
+ /**
+ * Close TLS connection?
+ */
+ bool close;
};
/**
private_tls_application_t *this, bio_reader_t *reader)
{
chunk_t data;
+ size_t len;
- if (!reader->read_data(reader, reader->remaining(reader), &data))
+ if (this->close)
{
- return FAILED;
+ return SUCCESS;
+ }
+ len = min(reader->remaining(reader), this->in.len - this->in_done);
+ if (len)
+ { /* copy to read buffer as much as fits in */
+ if (!reader->read_data(reader, len, &data))
+ {
+ return FAILED;
+ }
+ memcpy(this->in.ptr + this->in_done, data.ptr, data.len);
+ this->in_done += data.len;
+ }
+ else
+ { /* read buffer is full, cache for next read */
+ if (!reader->read_data(reader, reader->remaining(reader), &data))
+ {
+ return FAILED;
+ }
+ this->cache = chunk_cat("mc", this->cache, data);
}
- this->in = chunk_cat("mc", this->in, data);
return NEED_MORE;
}
METHOD(tls_application_t, build, status_t,
private_tls_application_t *this, bio_writer_t *writer)
{
- if (this->out.len)
+ if (this->close)
+ {
+ return SUCCESS;
+ }
+ if (this->out.len > this->out_done)
{
writer->write_data(writer, this->out);
- this->out = chunk_empty;
+ this->out_done = this->out.len;
return NEED_MORE;
}
return INVALID_STATE;
/**
* TLS data exchange loop
*/
-static bool exchange(private_tls_socket_t *this, bool wr)
+static bool exchange(private_tls_socket_t *this, bool wr, bool block)
{
char buf[CRYPTO_BUF_SIZE], *pos;
ssize_t len, out;
- int round = 0;
+ int round = 0, flags;
for (round = 0; TRUE; round++)
{
continue;
case INVALID_STATE:
break;
+ case SUCCESS:
+ return TRUE;
default:
return FALSE;
}
}
if (wr)
{
- if (this->app.out.len == 0)
+ if (this->app.out_done == this->app.out.len)
{ /* all data written */
return TRUE;
}
}
else
{
- if (this->app.in.len)
- { /* some data received */
+ if (this->app.in_done == this->app.in.len)
+ { /* buffer fully received */
return TRUE;
}
- if (round > 0)
- { /* did some handshaking, return empty chunk to not block */
- return TRUE;
+ }
+
+ flags = 0;
+ if (this->app.out_done == this->app.out.len)
+ {
+ if (!block || this->app.in_done)
+ {
+ flags |= MSG_DONTWAIT;
}
}
- len = read(this->fd, buf, sizeof(buf));
- if (len <= 0)
+ len = recv(this->fd, buf, sizeof(buf), flags);
+ if (len < 0)
{
+ if (errno == EAGAIN || errno == EWOULDBLOCK)
+ {
+ if (this->app.in_done == 0)
+ {
+ /* reading, nothing got yet, and call would block */
+ errno = EWOULDBLOCK;
+ this->app.in_done = -1;
+ }
+ return TRUE;
+ }
return FALSE;
}
- if (this->tls->process(this->tls, buf, len) != NEED_MORE)
+ if (len == 0)
+ { /* EOF */
+ return TRUE;
+ }
+ switch (this->tls->process(this->tls, buf, len))
{
- return FALSE;
+ case NEED_MORE:
+ break;
+ case SUCCESS:
+ return TRUE;
+ default:
+ return FALSE;
}
}
}
-METHOD(tls_socket_t, read_, bool,
- private_tls_socket_t *this, chunk_t *buf)
+METHOD(tls_socket_t, read_, ssize_t,
+ private_tls_socket_t *this, void *buf, size_t len, bool block)
{
- if (exchange(this, FALSE))
+ if (this->app.cache.len)
+ {
+ size_t cache;
+
+ cache = min(len, this->app.cache.len - this->app.cache_done);
+ memcpy(buf, this->app.cache.ptr + this->app.cache_done, cache);
+
+ this->app.cache_done += cache;
+ if (this->app.cache_done == this->app.cache.len)
+ {
+ chunk_free(&this->app.cache);
+ this->app.cache_done = 0;
+ }
+ return cache;
+ }
+ this->app.in.ptr = buf;
+ this->app.in.len = len;
+ this->app.in_done = 0;
+ if (exchange(this, FALSE, block))
{
- *buf = this->app.in;
- this->app.in = chunk_empty;
- return TRUE;
+ return this->app.in_done;
}
- return FALSE;
+ return -1;
}
-METHOD(tls_socket_t, write_, bool,
- private_tls_socket_t *this, chunk_t buf)
+METHOD(tls_socket_t, write_, ssize_t,
+ private_tls_socket_t *this, void *buf, size_t len)
{
- this->app.out = buf;
- if (exchange(this, TRUE))
+ this->app.out.ptr = buf;
+ this->app.out.len = len;
+ this->app.out_done = 0;
+ if (exchange(this, TRUE, FALSE))
{
- return TRUE;
+ return this->app.out_done;
}
- return FALSE;
+ return -1;
}
METHOD(tls_socket_t, splice, bool,
{
char buf[PLAIN_BUF_SIZE], *pos;
fd_set set;
- chunk_t data;
- ssize_t len;
- bool old;
+ ssize_t in, out;
+ bool old, plain_eof = FALSE, crypto_eof = FALSE;
- while (TRUE)
+ while (!plain_eof && !crypto_eof)
{
FD_ZERO(&set);
FD_SET(rfd, &set);
FD_SET(this->fd, &set);
old = thread_cancelability(TRUE);
- len = select(max(rfd, this->fd) + 1, &set, NULL, NULL, NULL);
+ in = select(max(rfd, this->fd) + 1, &set, NULL, NULL, NULL);
thread_cancelability(old);
- if (len == -1)
+ if (in == -1)
{
DBG1(DBG_TLS, "TLS select error: %s", strerror(errno));
return FALSE;
}
- if (FD_ISSET(this->fd, &set))
+ while (!plain_eof && FD_ISSET(this->fd, &set))
{
- if (!read_(this, &data))
- {
- DBG2(DBG_TLS, "TLS read error/disconnect");
- return TRUE;
- }
- pos = data.ptr;
- while (data.len)
+ in = read_(this, buf, sizeof(buf), FALSE);
+ switch (in)
{
- len = write(wfd, pos, data.len);
- if (len == -1)
- {
- free(data.ptr);
- DBG1(DBG_TLS, "TLS plain write error: %s", strerror(errno));
- return FALSE;
- }
- data.len -= len;
- pos += len;
+ case 0:
+ plain_eof = TRUE;
+ break;
+ case -1:
+ if (errno != EWOULDBLOCK)
+ {
+ DBG1(DBG_TLS, "TLS read error: %s", strerror(errno));
+ return FALSE;
+ }
+ break;
+ default:
+ pos = buf;
+ while (in)
+ {
+ out = write(wfd, pos, in);
+ if (out == -1)
+ {
+ DBG1(DBG_TLS, "TLS plain write error: %s",
+ strerror(errno));
+ return FALSE;
+ }
+ in -= out;
+ pos += out;
+ }
+ continue;
}
- free(data.ptr);
+ break;
}
- if (FD_ISSET(rfd, &set))
+ if (!crypto_eof && FD_ISSET(rfd, &set))
{
- len = read(rfd, buf, sizeof(buf));
- if (len > 0)
+ in = read(rfd, buf, sizeof(buf));
+ switch (in)
{
- if (!write_(this, chunk_create(buf, len)))
- {
- DBG1(DBG_TLS, "TLS write error");
- return FALSE;
- }
- }
- else
- {
- if (len < 0)
- {
+ case 0:
+ crypto_eof = TRUE;
+ break;
+ case -1:
DBG1(DBG_TLS, "TLS plain read error: %s", strerror(errno));
return FALSE;
- }
- return TRUE;
+ default:
+ pos = buf;
+ while (in)
+ {
+ out = write_(this, pos, in);
+ if (out == -1)
+ {
+ DBG1(DBG_TLS, "TLS write error");
+ return FALSE;
+ }
+ in -= out;
+ pos += out;
+ }
+ break;
}
}
}
+ return TRUE;
}
METHOD(tls_socket_t, get_fd, int,
METHOD(tls_socket_t, destroy, void,
private_tls_socket_t *this)
{
+ /* send a TLS close notify if not done yet */
+ this->app.close = TRUE;
+ write_(this, NULL, 0);
+ free(this->app.cache.ptr);
this->tls->destroy(this->tls);
- free(this->app.in.ptr);
free(this);
}
struct tls_socket_t {
/**
- * Read data from secured socket, return allocated chunk.
+ * Read data from secured socket.
*
* This call is blocking, you may use select() on the underlying socket to
- * wait for data. If the there was non-application data available, the
- * read function can return an empty chunk.
+ * wait for data. If "block" is FALSE and no application data is available,
+ * the function returns -1 and sets errno to EWOULDBLOCK.
*
- * @param data pointer to allocate received data
- * @return TRUE if data received successfully
+ * @param buf buffer to write received data to
+ * @param len size of buffer
+ * @param block TRUE to block this call, FALSE to fail if it would block
+ * @return number of bytes read, 0 on EOF, -1 on error
*/
- bool (*read)(tls_socket_t *this, chunk_t *data);
+ ssize_t (*read)(tls_socket_t *this, void *buf, size_t len, bool block);
/**
- * Write a chunk of data over the secured socket.
+ * Write data over the secured socket.
*
- * @param data data to send
- * @return TRUE if data sent successfully
+ * @param buf data to send
+ * @param len number of bytes to write from buf
+ * @return number of bytes written, -1 on error
*/
- bool (*write)(tls_socket_t *this, chunk_t data);
+ ssize_t (*write)(tls_socket_t *this, void *buf, size_t len);
/**
* Read/write plain data from file descriptor.
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif
+INCLUDES = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libtncif \
+ -I$(top_srcdir)/src/libtls
ipseclib_LTLIBRARIES = libtnccs.la
/*
- * Copyright (C) 2010-2011 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
typedef struct tnccs_t tnccs_t;
typedef enum tnccs_type_t tnccs_type_t;
+typedef enum tnc_ift_type_t tnc_ift_type_t;
#include <tncif.h>
#include <tncifimc.h>
#include <library.h>
#include <plugins/plugin.h>
+#include <tls.h>
+
/**
* Type of TNC Client/Server protocol
*/
TNCCS_DYNAMIC
};
+/**
+ * Type of TNC Transport protocol
+ */
+enum tnc_ift_type_t {
+ TNC_IFT_UNKNOWN,
+ TNC_IFT_EAP_1_0,
+ TNC_IFT_EAP_1_1,
+ TNC_IFT_EAP_2_0,
+ TNC_IFT_TLS_1_0,
+ TNC_IFT_TLS_2_0
+};
+
/**
* enum names for tnccs_type_t.
*/
extern enum_name_t *tnccs_type_names;
+/**
+ * TNCCS public interface
+ */
+struct tnccs_t {
+
+ /**
+ * Implements tls_t
+ */
+ tls_t tls;
+
+ /**
+ * Get underlying TNC IF-T transport protocol
+ *
+ * @return TNC IF-T transport protocol
+ */
+ tnc_ift_type_t (*get_transport)(tnccs_t *this);
+
+ /**
+ * Set underlying TNC IF-T transport protocol
+ *
+ * @param transport TNC IF-T transport protocol
+ */
+ void (*set_transport)(tnccs_t *this, tnc_ift_type_t transport);
+
+ /**
+ * Get type of TNC Client authentication
+ *
+ * @return TNC Client authentication type
+ */
+ u_int32_t (*get_auth_type)(tnccs_t *this);
+
+ /**
+ * Set type of TNC Client authentication
+ *
+ * @param auth_type TNC Client authentication type
+ */
+ void (*set_auth_type)(tnccs_t *this, u_int32_t auth_type);
+
+};
+
/**
* Constructor definition for a pluggable TNCCS protocol implementation.
*
* @param is_server TRUE if TNC Server, FALSE if TNC Client
+ * @param server Server identity
+ * @param peer Client identity
+ * @param transport Underlying TNC IF-T transport protocol used
* @return implementation of the tnccs_t interface
*/
-typedef tnccs_t *(*tnccs_constructor_t)(bool is_server);
+typedef tnccs_t *(*tnccs_constructor_t)(bool is_server,
+ identification_t *server,
+ identification_t *peer,
+ tnc_ift_type_t transport);
/**
* Callback function adding a message to a TNCCS batch
/*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
*
* @param type type of the TNCCS protocol
* @param is_server TRUE if TNC Server, FALSE if TNC Client
+ * @param server Server identity
+ * @param peer Client identity
+ * @param transport Underlying TNC IF-T transport protocol used
* @return TNCCS protocol instance, NULL if no constructor found
*/
tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
- bool is_server);
+ bool is_server, identification_t *server,
+ identification_t *peer,
+ tnc_ift_type_t transport);
/**
* Create a TNCCS connection and assign a unique connection ID as well a
# copy-n-paste from Makefile.am
LOCAL_SRC_FILES := \
tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
+tncif_identity.h tncif_identity.c \
tncif_pa_subtypes.h tncif_pa_subtypes.c
# build libtncif ---------------------------------------------------------------
libtncif_la_SOURCES = \
tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
+tncif_identity.h tncif_identity.c \
tncif_pa_subtypes.h tncif_pa_subtypes.c
EXTRA_DIST = Android.mk
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tncif_identity.h"
+
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_tncif_identity_t private_tncif_identity_t;
+
+/**
+ * TNC Identity List Attribute Format (TCG TNC IF-IMV 1.4 Draft)
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Identity Count |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | RESERVED | Identity Type Vendor ID |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Identity Type |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Identity Value Length |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | |
+ * ~ Identity Value ~
+ * | |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | RESERVED | Subject Type Vendor ID |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Subject Type |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | RESERVED | Authentication Method Vendor ID |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Authentication Method |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Private data of a tncif_identity_t object.
+ *
+ */
+struct private_tncif_identity_t {
+
+ /**
+ * Public tncif_identity_t interface.
+ */
+ tncif_identity_t public;
+
+ /**
+ * Identity Type
+ */
+ pen_type_t identity_type;
+
+ /**
+ * Identity Value
+ */
+ chunk_t identity_value;
+
+ /**
+ * Subject Type
+ */
+ pen_type_t subject_type;
+
+ /**
+ * Authentication Type
+ */
+ pen_type_t auth_type;
+};
+
+METHOD(tncif_identity_t, get_identity_type, pen_type_t,
+ private_tncif_identity_t *this)
+{
+ return this->identity_type;
+}
+
+METHOD(tncif_identity_t, get_identity_value, chunk_t,
+ private_tncif_identity_t *this)
+{
+ return this->identity_value;
+}
+
+METHOD(tncif_identity_t, get_subject_type, pen_type_t,
+ private_tncif_identity_t *this)
+{
+ return this->subject_type;
+}
+
+METHOD(tncif_identity_t, get_auth_type, pen_type_t,
+ private_tncif_identity_t *this)
+{
+ return this->auth_type;
+}
+
+METHOD(tncif_identity_t, build, void,
+ private_tncif_identity_t *this, bio_writer_t *writer)
+{
+ writer->write_uint32(writer, this->identity_type.vendor_id);
+ writer->write_uint32(writer, this->identity_type.type);
+ writer->write_data32(writer, this->identity_value);
+ writer->write_uint32(writer, this->subject_type.vendor_id);
+ writer->write_uint32(writer, this->subject_type.type);
+ writer->write_uint32(writer, this->auth_type.vendor_id);
+ writer->write_uint32(writer, this->auth_type.type);
+}
+
+METHOD(tncif_identity_t, process, bool,
+ private_tncif_identity_t *this, bio_reader_t *reader)
+{
+ u_int8_t reserved;
+ u_int32_t vendor_id, type;
+ chunk_t identity_value;
+
+ if (reader->remaining(reader) < TNCIF_IDENTITY_MIN_SIZE)
+ {
+ return FALSE;
+ }
+ reader->read_uint8 (reader, &reserved);
+ reader->read_uint24(reader, &vendor_id);
+ reader->read_uint32(reader, &type);
+ this->identity_type = pen_type_create(vendor_id, type);
+
+ if (!reader->read_data32(reader, &identity_value) ||
+ reader->remaining(reader) < 16)
+ {
+ return FALSE;
+ }
+ this->identity_value = chunk_clone(identity_value);
+
+ reader->read_uint8 (reader, &reserved);
+ reader->read_uint24(reader, &vendor_id);
+ reader->read_uint32(reader, &type);
+ this->subject_type = pen_type_create(vendor_id, type);
+
+ reader->read_uint8 (reader, &reserved);
+ reader->read_uint24(reader, &vendor_id);
+ reader->read_uint32(reader, &type);
+ this->auth_type = pen_type_create(vendor_id, type);
+
+ return TRUE;
+}
+
+METHOD(tncif_identity_t, destroy, void,
+ private_tncif_identity_t *this)
+{
+ free(this->identity_value.ptr);
+ free(this);
+}
+
+
+/**
+ * See header
+ */
+tncif_identity_t *tncif_identity_create_empty(void)
+{
+ private_tncif_identity_t *this;
+
+ INIT(this,
+ .public = {
+ .get_identity_type = _get_identity_type,
+ .get_identity_value = _get_identity_value,
+ .get_subject_type = _get_subject_type,
+ .get_auth_type = _get_auth_type,
+ .build = _build,
+ .process = _process,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
+
+/**
+ * See header
+ */
+tncif_identity_t *tncif_identity_create(pen_type_t identity_type,
+ chunk_t identity_value,
+ pen_type_t subject_type,
+ pen_type_t auth_type)
+{
+ private_tncif_identity_t *this;
+
+ this = (private_tncif_identity_t*)tncif_identity_create_empty();
+ this->identity_type = identity_type;
+ this->identity_value = chunk_clone(identity_value);
+ this->subject_type = subject_type;
+ this->auth_type = auth_type;
+
+ return &this->public;
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libtncif libtncif
+ *
+ * @addtogroup libtncif
+ * TNC interface definitions
+ *
+ * @defgroup tnc_identities tnc_identities
+ * @{ @ingroup libtncif
+ */
+
+#ifndef TNCIF_IDENTITY_H_
+#define TNCIF_IDENTITY_H_
+
+#include <library.h>
+
+#include <pen/pen.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+
+#define TNCIF_IDENTITY_MIN_SIZE 28
+
+typedef struct tncif_identity_t tncif_identity_t;
+
+/**
+ * Public interface of a TNC Identity object
+ */
+struct tncif_identity_t {
+
+ /**
+ * Get the TNC Identity Type
+ *
+ * @return TNC Identity Type
+ */
+ pen_type_t (*get_identity_type)(tncif_identity_t *this);
+
+ /**
+ * Get the TNC Identity Value
+ *
+ * @return TNC Identity Value
+ */
+ chunk_t (*get_identity_value)(tncif_identity_t *this);
+
+ /**
+ * Get the TNC Subject Type
+ *
+ * @return TNC Subject Type
+ */
+ pen_type_t (*get_subject_type)(tncif_identity_t *this);
+
+ /**
+ * Get the TNC Authentication Type
+ *
+ * @return TNC Authentication Type
+ */
+ pen_type_t (*get_auth_type)(tncif_identity_t *this);
+
+ /**
+ * Build the IF-IMV TNC Identity attribute encoding
+ *
+ * @param writer writer to write encoded data to
+ */
+ void (*build)(tncif_identity_t *this, bio_writer_t *writer);
+
+ /**
+ * Process the IF-IMV TNC Identity attribute encoding
+ *
+ * @param reader reader to read encoded data from
+ * @return TRUE if successful
+ */
+ bool (*process)(tncif_identity_t *this, bio_reader_t *reader);
+
+ /**
+ * Destroys a tncif_identity_t object.
+ */
+ void (*destroy)(tncif_identity_t *this);
+
+};
+
+/**
+ * Create an empty TNC Identity object
+ */
+tncif_identity_t* tncif_identity_create_empty(void);
+
+/**
+ * Create an TNC Identity object from its components
+ *
+ * @param identity_type TNC Identity Type
+ * @param identity_value TNC Identity Value
+ * @param subject_type TNC Subject Type
+ * @param auth_type TNC Authentication Type
+ */
+tncif_identity_t* tncif_identity_create(pen_type_t identity_type,
+ chunk_t identity_value,
+ pen_type_t subject_type,
+ pen_type_t auth_type);
+
+#endif /** TNCIF_IDENTITY_H_ @}*/
"error",
"don't know"
);
+
+ENUM(TNC_Subject_names,
+ TNC_SUBJECT_UNKNOWN,
+ TNC_SUBJECT_USER,
+ "unknown",
+ "machine",
+ "user"
+);
+
+ENUM(TNC_Authentication_names,
+ TNC_AUTH_UNKNOWN,
+ TNC_AUTH_SIM,
+ "unknown method",
+ "certificate",
+ "password",
+ "SIM card"
+);
extern enum_name_t *TNC_Connection_State_names;
extern enum_name_t *TNC_IMV_Action_Recommendation_names;
extern enum_name_t *TNC_IMV_Evaluation_Result_names;
+extern enum_name_t *TNC_Subject_names;
+extern enum_name_t *TNC_Authentication_names;
#endif /** TNCIF_NAME_H_ @}*/
#define TNC_ATTRIBUTEID_SOH ((TNC_AttributeID) 0x00559706)
#define TNC_ATTRIBUTEID_SSOH ((TNC_AttributeID) 0x00559707)
#define TNC_ATTRIBUTEID_PRIMARY_IMV_ID ((TNC_AttributeID) 0x00559710)
+#define TNC_ATTRIBUTEID_AR_IDENTITIES ((TNC_AttributeID) 0x00559712)
+
+/* TNC Identity Types */
+
+#define TNC_ID_UNKNOWN 0
+#define TNC_ID_IPV4_ADDR 1
+#define TNC_ID_IPV6_ADDR 2
+#define TNC_ID_FQDN 3
+#define TNC_ID_RFC822_ADDR 4
+#define TNC_ID_USER_NAME 5
+#define TNC_ID_DER_ASN1_DN 6
+#define TNC_ID_DER_ASN1_GN 7
+
+/* TNC Subject Types */
+
+#define TNC_SUBJECT_UNKNOWN 0
+#define TNC_SUBJECT_MACHINE 1
+#define TNC_SUBJECT_USER 2
+
+/* TNC Authentication Types */
+
+#define TNC_AUTH_UNKNOWN 0
+#define TNC_AUTH_CERT 1
+#define TNC_AUTH_PASSWORD 2
+#define TNC_AUTH_SIM 3
/* IMV Functions */
pub, 'p', "pub",
"extract the public key from a private key/certificate",
{"[--in file|--keyid hex] [--type rsa|ecdsa|pkcs10|x509]",
- "[--outform der|pem|pgp]"},
+ "[--outform der|pem|pgp|dnskey]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
return FALSE;
}
}
+ else if (streq(form, "dnskey"))
+ {
+ switch (type)
+ {
+ case CRED_PUBLIC_KEY:
+ *enc =PUBKEY_DNSKEY;
+ return TRUE;
+ default:
+ return FALSE;
+ }
+ }
return FALSE;
}
chunk_t digest = chunk_alloca(HASH_SIZE_MD5);
chunk_t keyEncoding = chunk_empty, keyInfo;
hasher_t *hasher;
- bool msb_set;
- u_char *pos;
+ int zeros = 0, msb_set = 0;
key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding);
DESTROY_IF(hasher);
free(keyInfo.ptr);
- /* is the most significant bit of the digest set? */
- msb_set = (*digest.ptr & 0x80) == 0x80;
-
- /* allocate space for the serialNumber */
- serialNumber->len = msb_set + digest.len;
- serialNumber->ptr = malloc(serialNumber->len);
-
- /* the serial number as the two's complement of the digest */
- pos = serialNumber->ptr;
+ /* the serialNumber should be valid ASN1 integer content:
+ * remove leading zeros, add one if MSB is set (two's complement) */
+ while (zeros < digest.len)
+ {
+ if (digest.ptr[zeros])
+ {
+ if (digest.ptr[zeros] & 0x80)
+ {
+ msb_set = 1;
+ }
+ break;
+ }
+ zeros++;
+ }
+ *serialNumber = chunk_alloc(digest.len - zeros + msb_set);
if (msb_set)
{
- *pos++ = 0x00;
+ serialNumber->ptr[0] = 0x00;
}
- memcpy(pos, digest.ptr, digest.len);
+ memcpy(serialNumber->ptr + msb_set, digest.ptr + zeros,
+ digest.len - zeros);
/* the transaction id is the serial number in hex format */
*transID = chunk_to_hex(digest, NULL, TRUE);
* Send a SCEP request via HTTP and wait for a response
*/
bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
- bool http_get_request, chunk_t *response)
+ bool http_get_request, u_int timeout, chunk_t *response)
{
int len;
status_t status;
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
FETCH_HTTP_VERSION_1_0,
+ FETCH_TIMEOUT, timeout,
FETCH_REQUEST_HEADER, "Pragma:",
FETCH_REQUEST_HEADER, "Host:",
FETCH_REQUEST_HEADER, "Accept:",
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
FETCH_HTTP_VERSION_1_0,
+ FETCH_TIMEOUT, timeout,
FETCH_REQUEST_DATA, msg,
FETCH_REQUEST_TYPE, "",
FETCH_REQUEST_HEADER, "Expect:",
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
FETCH_HTTP_VERSION_1_0,
+ FETCH_TIMEOUT, timeout,
FETCH_END);
}
size_t key_size, certificate_t *signer_cert,
hash_algorithm_t digest_alg, private_key_t *private_key);
bool scep_http_request(const char *url, chunk_t message, scep_op_t op,
- bool http_get_request, chunk_t *response);
+ bool http_get_request, u_int timeout, chunk_t *response);
err_t scep_parse_response(chunk_t response, chunk_t transID,
container_t **out, scep_attributes_t *attrs);
/* by default pluto logs out after every smartcard use */
bool pkcs11_keep_state = FALSE;
+/* by default HTTP fetch timeout is 30s */
+static u_int http_timeout = 30;
+
/* options read by optionsfrom */
options_t *options;
" - if no filename is given, default is used\n"
" --optionsfrom (-+) <filename> reads additional options from given file\n"
" --force (-f) force existing file(s)\n"
+ " --httptimeout (-T) timeout for HTTP operations (default: 30s)\n"
"\n"
"Options for key generation (pkcs1):\n"
" --keylength (-k) <bits> key length for RSA key generation\n"
{ "in", required_argument, NULL, 'i' },
{ "out", required_argument, NULL, 'o' },
{ "force", no_argument, NULL, 'f' },
+ { "httptimeout", required_argument, NULL, 'T' },
{ "keylength", required_argument, NULL, 'k' },
{ "dn", required_argument, NULL, 'd' },
{ "days", required_argument, NULL, 'D' },
force = TRUE;
continue;
+ case 'T': /* --httptimeout */
+ http_timeout = atoi(optarg);
+ if (http_timeout <= 0)
+ {
+ usage("invalid httptimeout specified");
+ }
+ continue;
+
case '+': /* --optionsfrom <filename> */
if (!options->from(options, optarg, &argc, &argv, optind))
{
pkcs7_t *pkcs7;
if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
- SCEP_GET_CA_CERT, http_get_request, &scep_response))
+ SCEP_GET_CA_CERT, http_get_request,
+ http_timeout, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
- http_get_request, &scep_response))
+ http_get_request, http_timeout, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
poll_start = time_monotonic(NULL);
issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
issuer->get_encoding(issuer),
- subject);
+ subject->get_encoding(subject));
}
while (attrs.pkiStatus == SCEP_PENDING)
{
exit_scepclient("failed to build scep request");
}
if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
- http_get_request, &scep_response))
+ http_get_request, http_timeout, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
exit_scepclient(NULL);
return -1; /* should never be reached */
}
-
-
ARG_TIME,
ARG_ULNG,
ARG_ULLI,
+ ARG_UBIN,
ARG_PCNT,
ARG_STR,
ARG_LST,
{ ARG_MISC, 0, NULL /* KW_MOBIKE */ },
{ ARG_MISC, 0, NULL /* KW_FORCEENCAPS */ },
{ ARG_ENUM, offsetof(starter_conn_t, fragmentation), LST_fragmentation },
+ { ARG_UBIN, offsetof(starter_conn_t, ikedscp), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL },
}
}
break;
+ case ARG_UBIN:
+ {
+ char *endptr;
+ u_int *u = (u_int *)p;
+
+ *u = strtoul(kw->value, &endptr, 2);
+
+ if (*endptr != '\0')
+ {
+ DBG1(DBG_APP, "# bad binary value: %s=%s", kw->entry->name,
+ kw->value);
+ return FALSE;
+ }
+ }
+ break;
case ARG_TIME:
{
char *endptr;
ipsec_mode_t mode;
bool proxy_mode;
fragmentation_t fragmentation;
+ u_int ikedscp;
sa_option_t options;
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
extern void confread_free(starter_config_t *cfg);
#endif /* _IPSEC_CONFREAD_H_ */
-
KW_MOBIKE,
KW_FORCEENCAPS,
KW_FRAGMENTATION,
+ KW_IKEDSCP,
KW_IKELIFETIME,
KW_KEYLIFE,
KW_REKEYMARGIN,
} kw_token_t;
#endif /* _KEYWORDS_H_ */
-
mobike, KW_MOBIKE
forceencaps, KW_FORCEENCAPS
fragmentation, KW_FRAGMENTATION
+ikedscp, KW_IKEDSCP,
ikelifetime, KW_IKELIFETIME
lifetime, KW_KEYLIFE
keylife, KW_KEYLIFE
msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
msg.add_conn.fragmentation = conn->fragmentation;
+ msg.add_conn.ikedscp = conn->ikedscp;
msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
msg.add_conn.install_policy = conn->install_policy;
msg.add_conn.aggressive = conn->aggressive;
}
return 0;
}
-
int close_action;
u_int32_t reqid;
u_int32_t tfc;
+ u_int8_t ikedscp;
crl_policy_t crl_policy;
int unique;
--- /dev/null
+; This is a key-signing key, keyid 32329, for .
+; Created: 20130213194956 (Wed Feb 13 20:49:56 2013)
+; Publish: 20130213194956 (Wed Feb 13 20:49:56 2013)
+; Activate: 20130213194956 (Wed Feb 13 20:49:56 2013)
+. IN DNSKEY 257 3 8 AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO O9fOgGnjzAk=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: tyyRqtq0WC+C9eXRs2rgjjdkHN32Nieg+qwhwDRqGpeVRNRr5zZfM3aZLsMZwjhnkaf7y/8iHiVAlCuV/0j9zYeOigICwrVsDlxFLYOJT5svoZ7Scu2805/gLQwcYutZwM42DlCgvQ5wW8xe5S068OSggx218NgNJzET29KiRz3xLHnnf8xPGmyxd4z2L45q4aqiEhlT4xVF1bC8k+J4IvsxrhsC22Ab4pJtDLvH+pc8hKirPAZC8LGwv3d+8P9ymn4rOKoDSgf4N+vK9zmdZ0J2triBjPtYIUXBxjU9bo9svmJ7iOeOXdZbGim7NPjocpE7EOET4U47186AaePMCQ==
+PublicExponent: AQAB
+PrivateExponent: cOOQ6uFa4DZ32aBHuvGVb1CH7JqHER0fQx4utswW0Ei3f/IChj6mMYtYIM+w4lfszIHg1vpoRnfi8u5hxTFw6egvWrKejO1OqRMIt2Inj94uXscJIDeQdkRD3r9mBzjQ2di8y9m5For9iDXODiPv/WKJ4gS/iq08ffjrKkEILirduFpG+EcopBy4MJeAMAkATkRsATEHgEbyqulP7gMwAnQ6vXFbTybfZQWWSgANabGikKMmGroJMChBGJ2Q9c7mHVpXu2IhMqYRKHWmBA5v/OrEc21dNxRGXsZuq+iu3P8o5MLHgX6YDB9nB3OVb47Prg/BxHYdQid2PwX0A0qZeQ==
+Prime1: 2ovikMXe1sTJ2xYPHgofDMmDXUwgpHu/nsCbdDHhyHIMllLXWsefuAFGQug/DDDg69oZGhNkah53uU9XAEyy6uiFJKgnzBTqCg+QmuZnuiuiQ4QjZ/g2x6R2MvzTZLOAQOaOLA3GVsgOh5msyO1kaatES4m2Pbp3xF6CYkhVRlc=
+Prime2: 1pDSXUoE/dwWCebwJHyKLQ3RSGn1o3EHeKZKnqZpABMSPs7imeoVQVZomidjUjHxkB9jbE8nqN15U/Ui4WuZKM+LPbiknaC+h2Y8v6p3u5XQSR0l1cWwdo7BZtdUkcuqSwpL0mnwnmLc6ZQrr13GXnk3qm1ymXST3MFWCWjyRJ8=
+Exponent1: 02q1b8XrT6qpd2a8kxvJc85RZWTqwxPviDzdZaeHuygRYy6apHgu24toE/umWj3CqIag9+fAoSP+P+cvy9tmzfbILnD5puSoj7kE88RmnePuIhBnTAIDxFgl/Cc2vNkk/iPLb3SX5YW9AJK6Ytm75LlI5SZAhTCpAe9HhJpi3Bs=
+Exponent2: deHfEY3nLCnMmegdK46Yw6QBxU0hvYgN2MVT3dIDghz4OzWi3Xjz8I+urHLTaIcz9kCoeQsL+QSk8fGOFlbtMLTGBUT6e/eidfU/jvXzDkaCxoiTDt2r05cevoezWN6SUuP3QEUgA4TBZjsXvSNCJwlmAeZbvd+ElRZLVKQp5nU=
+Coefficient: mtSrbS9kgU1yoTaaY4C6jTnfa43wvHi9pGHW5TUSjRQ9YnCsxy6GiuhmCcKB4iDUzWvIHehfGF5A8UaIF4GvIWcSj1FYO1uBrre5mKMxk89Y7oGtwF2qVbpPHAL4GKHPOUzmfr0vR+nT1PFs1Gr1BF+hkYgluh05KEu0flOZoAk=
+Created: 20130213194956
+Publish: 20130213194956
+Activate: 20130213194956
--- /dev/null
+; This is a zone-signing key, keyid 43749, for .
+; Created: 20130213194939 (Wed Feb 13 20:49:39 2013)
+; Publish: 20130213194939 (Wed Feb 13 20:49:39 2013)
+; Activate: 20130213194939 (Wed Feb 13 20:49:39 2013)
+. IN DNSKEY 256 3 8 AwEAAdMS+CyW9m8yB6rwrqsdfMW41AWim1T/ehg4Un/9qADFEZN9T7NK 9PI+DD3Dr72Z2ZO4hrKXB2Xe0nlvsCUjTfCwdGqgz9YLv2WfXzqRksxF gQXmzAdG7JGH+7YmXq7AAF3246caa+wMXAGRdUUCiQf87CnAaZXJ1kUz wHw3Arp5
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 0xL4LJb2bzIHqvCuqx18xbjUBaKbVP96GDhSf/2oAMURk31Ps0r08j4MPcOvvZnZk7iGspcHZd7SeW+wJSNN8LB0aqDP1gu/ZZ9fOpGSzEWBBebMB0bskYf7tiZersAAXfbjpxpr7AxcAZF1RQKJB/zsKcBplcnWRTPAfDcCunk=
+PublicExponent: AQAB
+PrivateExponent: MWEqtiPLG1B1AsSz2ExZuFf5IihcdpIeGjRy+IZ7G1L/PaX/U06h51okuv5gytaHVEvDF1zF2ks6qjY62zVbMhr69/a6XjP6QWtiDmJgAnOjRqnKs8ZfEE3rsdauDtPPUIclNr9LnJtOz32oVlvxQXn/zVCE421eKlIKZIS0AEE=
+Prime1: 8iaE9VEf9lmYEBM7m5Z/maTvP+RjYvmVx7gdnBDzHkw1ZZkc/27sSI1bvgPZ55ZSiH+324OHwQp3A5m2P9th1Q==
+Prime2: 3yVw5TpfBOSteVUMtkvUqI7o0TnUoMeGuKZyXUo8GfQz8oGKoZgmdBJTETmmV4gXPtaEMFUxD4PhJw5ralrkFQ==
+Exponent1: QPWeY2Tw6xhb16whKHr2HhSF7iDpnIqR6LL2loBhh/YvuOKbSdbK4iexvcawtRS5bU691tBxIZMaHEgnAPhsRQ==
+Exponent2: iw5B9BcT73CxydJ+QXuv4fpsizWGk0rDYX4X9pq0KVhMpuqjAWBXVi21Jh7O0e00zyvO5G+ySwDb5gLOXVCWoQ==
+Coefficient: b46+74v/ETHVVKxqdXZWf9r5RL/08AyxScYrT5qDXhJ+QeGZa1jRxrWp469FWltzliP68jLh2om6F4IjAK5o0g==
+Created: 20130213194939
+Publish: 20130213194939
+Activate: 20130213194939
--- /dev/null
+; This is a zone-signing key, keyid 24285, for org.
+; Created: 20130213191908 (Wed Feb 13 20:19:08 2013)
+; Publish: 20130213191908 (Wed Feb 13 20:19:08 2013)
+; Activate: 20130213191908 (Wed Feb 13 20:19:08 2013)
+org. IN DNSKEY 256 3 8 AwEAAa6IO30MFlgyj0hJLe0vqvHLr1/4kRCNl/Biz7VYwgzRkiYxHxLJ U+i8/r9rEWU85Q6WEt77xQ+HyxzwmoXpSaMtymYifNFZnvwl31CbkzIB FTtBUQ3BCKZjv0WgpLExDqAKgclCWBZ1PrHvDn1HTl6mMgCpiWothzkn zoNbB0g9
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: rog7fQwWWDKPSEkt7S+q8cuvX/iREI2X8GLPtVjCDNGSJjEfEslT6Lz+v2sRZTzlDpYS3vvFD4fLHPCahelJoy3KZiJ80Vme/CXfUJuTMgEVO0FRDcEIpmO/RaCksTEOoAqByUJYFnU+se8OfUdOXqYyAKmJai2HOSfOg1sHSD0=
+PublicExponent: AQAB
+PrivateExponent: Enac/HSL5Jasq7P6JM5XIi8vBVMRXZPtD+QUHxYdqSd+c4XcyKr9snBT7sIP3AreHHXp1ycBSMxPw2b8oc/1Fx5UcCdfL2Sygw2l9oDG2nVWX5taLZgNe1t+Bbsf7fqUxBu0fYHx42xvRHPNwV+8VsDa2TDGRImH8MlPuVbHt2E=
+Prime1: 375Bu+m6egBN6k2P82oE8mUuLVYnJDOQ90ipG6Vcfxy7HTzObX+Ismw171oMASLrwMV8UWohp8cbFiira/4ruQ==
+Prime2: x7G7d58Pycz+Wox3ez8/livTQ4wXYb/ykUzgycOVJaPPRX9siz10rVfl5Y3sXQlsR4xFSl6GKFAc11MbmS7qpQ==
+Exponent1: aPk+pgd28h6Kb8+MJkwrnf5St/qfyqBW924jyVDAIPM95u3MfBtF61BRzcaVs0LLEVqWhSwiNjF4R+E07CoIIQ==
+Exponent2: T3kaZJb3D5b3u02f13rqcXdrkrxUKeDcRptT8rhVyS8SNFRr/FYu8zXCFsOOx9ASOb9HbDuGJNENSVyX5TTYyQ==
+Coefficient: GsFR4s38eNTqazXvDLcSG+166dSIRRWUrIMR85veIchQY7lsFTRFEmwKX43OsXvSZUMIE2svwIgclhP/FefcUw==
+Created: 20130213191908
+Publish: 20130213191908
+Activate: 20130213191908
--- /dev/null
+; This is a key-signing key, keyid 51859, for org.
+; Created: 20130213191920 (Wed Feb 13 20:19:20 2013)
+; Publish: 20130213191920 (Wed Feb 13 20:19:20 2013)
+; Activate: 20130213191920 (Wed Feb 13 20:19:20 2013)
+org. IN DNSKEY 257 3 8 AwEAAfAyiINF1/fIyebiAZhG3kFxv1+j3D3TxNBPccbiVUgYSnse95mb mn40KgguCljoi6kDu10Qo+XUwpR78dGJiqvKfej7cz6wbIr5qu9Kv7f8 lJPRQ2igxZ/0ZCLXGbozRuQGy39klQeG98fwxNkzHqXRxkhyAgpY8E2B umRsi2Cca/vKF+6OpNx9b8RXIBcUTdhx0Vjg+3gYhSRR1rPB160sbaL+ v3Fxv9ZzOIY9ekforNxuqV9/U0DCiOhgpZC7H+5ShPb0VNzYvv0IwIAG VPVEJdh5SNPQ0LclPXcR3av+DpjvdY5oAOn/mLPCHjxBnzOl7Q3P43dL DtYdKb9mGnk=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 8DKIg0XX98jJ5uIBmEbeQXG/X6PcPdPE0E9xxuJVSBhKex73mZuafjQqCC4KWOiLqQO7XRCj5dTClHvx0YmKq8p96PtzPrBsivmq70q/t/yUk9FDaKDFn/RkItcZujNG5AbLf2SVB4b3x/DE2TMepdHGSHICCljwTYG6ZGyLYJxr+8oX7o6k3H1vxFcgFxRN2HHRWOD7eBiFJFHWs8HXrSxtov6/cXG/1nM4hj16R+is3G6pX39TQMKI6GClkLsf7lKE9vRU3Ni+/QjAgAZU9UQl2HlI09DQtyU9dxHdq/4OmO91jmgA6f+Ys8IePEGfM6XtDc/jd0sO1h0pv2YaeQ==
+PublicExponent: AQAB
+PrivateExponent: pJ69mNqhbZ0bYzW6Shcn9Ep1EqNHKsictvf7zocIU+TyBvfuUkSm2Z/+vqRvSwf1z9xS6TGiYr4yrXlU/nr5o0ugh7DuByT6/zSlxmLAiuR9H+HoBSlKyJnCl248n7TM/TL6/VB+Iy6JW2rUPtgeRR9EehpI87aI21Xx3SnXTFoUTP7Z9HwoWEPOaU1SfYvBDLjZ0GTtMJ4i/LRB/rC6sbetqru4MTCAhsr8VrcH6YsFu5JrlmG+/dTEi005DrZPUOnKaDf4w3TbgSeTfbFJmvpfOoJObGm+Pc1PtxgfVUVdDWGK/LSNbTdqPQkPGlOI1sUETFNMKOY0S66H5q44QQ==
+Prime1: /y8kGw8mAtAuvISUtlUao7srcSphvvMLpxvgOB22u2wgzD51VdPRr2Inv1SJN7SGoJ9ERNLnfBnc1KFBOqtvf5uOwHD4++U80H+qWS+1aNgmMEa+IQ5WamQSPvUWFkhF6TjJnwY4rATfK2FGh00n6O3IOMjDxYyDs/M/j62/VQ0=
+Prime2: 8PcgSGgYGveDwkocfVkF0uuWRMVtfY3O/tiYSuCfkFP/++7eKMXQekmBay+5a5YUSZ6UwDFqduC/tYIuvGBi0rv+lzZJ8ydz/sdmQ+aqS3/g6oerGaTUjRV560OKWCwiMIfwQqaN+ivXdBFgGCJnaah65wiQ9W0xeTJqORQxWB0=
+Exponent1: dL3+SJrPiu3u07PbzOZ2P317TFRVT2QlapfoJgQB+xBmmMniKBe1kATZpkBoXiGqjYUPWGUcHbw/OM9k5hBT/A8QaZ3FaoffIIunRRH8bjCkl+VlSf4jLp0Fc+Pv7NW3lhCyvJu+BYRdDJ1+BJwZrAhMVx4R4ih8gDDCXVrhc2k=
+Exponent2: QQvEuCb5UtY7yAevdxq/2rbjon7U1o6gMOUQ/y1xhUlXkY9igwkbBNewytlgKS2jHlhjeRodzidPONUCfrFaG97Jk9IA1lVxF3aGIZAzqhvEACtNQafgBJGmjp51yuVm+UjIz4UcUErjZx6FnR40Yi4rtw/16XpnX3r/d5b+1vU=
+Coefficient: hAE0/Fdc6enFMymrfGW8o4lDauKQj7yQ16hw3IoOlrRLUpXqLiEnk+J6kzkSqgiW+ZC2v5Qq8mTC/3Q//ddWgaLX/LlbItitTlhQCS7hlV33ZkyvLBBjonYztnI+LHnIkj/omjumEzeQGR40TAh4FAgByRNXG2IOrLavfR/iPC8=
+Created: 20130213191920
+Publish: 20130213191920
+Activate: 20130213191920
--- /dev/null
+; This is a key-signing key, keyid 481, for strongswan.org.
+; Created: 20130213175556 (Wed Feb 13 18:55:56 2013)
+; Publish: 20130213175556 (Wed Feb 13 18:55:56 2013)
+; Activate: 20130213175556 (Wed Feb 13 18:55:56 2013)
+strongswan.org. IN DNSKEY 257 3 8 AwEAAcXfcWvCGzQq80q9JX1Wvz0lwA/fi1XZmega350wGR8WdFCklvmK fAzNaf1CrvN3bH9Gl2VEEhkYMF6h6kVFTU7taspq5t0bLwgCK/nS8QzK TLWvzWdyVayiHfij1PPwnQV5FADBTE5mMEkmn82+PKg6jaKs3ANsc0BP bGSsGIxhUKliLxJEd+6KSl/+ouQD9RfCD5sz9NIF+IXv1ZGp2Rjf+6vK bPO8f0hmttwE/OzKyBgysLBbd6fw2pKOBhunVFmUYPaHM9zLTydzuSIA X9iSeM6HtAvlKgK0JGgPEFrX+jPG6wDvJfzzakx85rMkRGc31NFiFLqM ooWxy1674/U=
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: xd9xa8IbNCrzSr0lfVa/PSXAD9+LVdmZ6BrfnTAZHxZ0UKSW+Yp8DM1p/UKu83dsf0aXZUQSGRgwXqHqRUVNTu1qymrm3RsvCAIr+dLxDMpMta/NZ3JVrKId+KPU8/CdBXkUAMFMTmYwSSafzb48qDqNoqzcA2xzQE9sZKwYjGFQqWIvEkR37opKX/6i5AP1F8IPmzP00gX4he/VkanZGN/7q8ps87x/SGa23AT87MrIGDKwsFt3p/Dako4GG6dUWZRg9ocz3MtPJ3O5IgBf2JJ4zoe0C+UqArQkaA8QWtf6M8brAO8l/PNqTHzmsyREZzfU0WIUuoyihbHLXrvj9Q==
+PublicExponent: AQAB
+PrivateExponent: SIEdgEy5xx3N1B8Gs6yrmm5QuABDgAuh94iRU3miWt/RcxM8NuflmJNUOPbMQG4MFX76TqLotsVERAi0XPmN4FPig5U0TuR9EUQqdPo0VWlzPkfSzgr5Fa65qLfvegs6nhzFlZk+qqOLIeLDP5Jri4EZEPiiDacZfAEeSK0+uYDxxNCSShcYFqd9kIcqFS9pk0tcqVOZY55xjEHlk35+N08TvC+H6OnFyppz24TAuU9vqxtdGYEt6+BXnwG8MI6hCv16PkHJKeJVeC3tIl+cO+TYMMaWeI+8MXX+GIfyAOaAGj0pi3BnpUOiiLtwO0P3mi7mxB2/0Jzx2c8lLvLqaQ==
+Prime1: 8UFH1F2bt+1B2ssTHiPq+nqw/VYMTVUw+Hju79hVg2TugP0OEat00BqmZU4+bI1YscpwmWHZAU8wHvhMyjomol4+KplqxALXes3WMTijs9qXZIAX48yuakWyOrPLgUdNYwnvtcrC0vxJXk9G1lhOXDzHxmLD+HVd37SlUGvFvy8=
+Prime2: 0fdlpeBJzmDDLYz7GP2oCLhuxvUXl4xFKDDJMAikdjgpZI8wTHAyNOY9BQMZGDUkrozrxWzYpcDLyEuhVfQFl7fvlOy6c8cnHPar6JPLFhcV1g2tSiXGnUVfusVytwtDdApAPKVtFeaC3HX+jil0SmO4uqw6wXtkwwsH7aeMZhs=
+Exponent1: Utd/usSJ/BZUTrT805Sx02Dd9Z/eiY9/SVL9eQ5oDr5Rx6kdc6PUcME18gN0HAJNOn+xOnoG8hQnCftpIufk7ExAPJCBwNzY8SpNKomwbMnawn/ZtDdMjOFx2gZzEulRAXkf/uSpEZnf96pxQJkCD1ovn0e600459d8qBPt847E=
+Exponent2: Y+w99rwPw+Su3j2qvhDxZ/0F0y+O47OAsgjNpktmoVBG+rFeRfJbImuz/G+mAKxB4cP07IbJb9CZ6p97j2FLTBHgNdqXPUQ47ALEezHiw4eG/9CQeKoTpIMAdO1Ek7ILjuzV90au7G5ANtT8qQE3c7OTlVsjtzKXGG9mfYZwPaM=
+Coefficient: zqyn6OSkR2j10qY+a+Yma8kiOnUdcqvk1TW8CpG9+ch9T0mlCSiB7wPkWiIqkK8fP0qVkuurIvsxEARa0FFDTZDM5g5nJ8G26LsoNj1LA8hp0xH/UB/2pSXzo1Coc3f2VAuZEunFoNxEq0XBaZm4XLbPc3cOvVeL8WmSrf2K6lU=
+Created: 20130213175556
+Publish: 20130213175556
+Activate: 20130213175556
--- /dev/null
+; This is a zone-signing key, keyid 9396, for strongswan.org.
+; Created: 20130213175239 (Wed Feb 13 18:52:39 2013)
+; Publish: 20130213175239 (Wed Feb 13 18:52:39 2013)
+; Activate: 20130213175239 (Wed Feb 13 18:52:39 2013)
+strongswan.org. IN DNSKEY 256 3 8 AwEAAa5Lb6qTxuy4ZJBDoDStnmstIU5nAsliu6UKZ6imLEg2ufAXfz7f fOtIh2/QECp80GgUDBStMvVJfRjXeJUgavM8d0Ob/rJfl1uH/buyO7Yj D+64n9t29pEuFKSAR+tYyUYk5iTidqE/CNltNkps9wc1wBAxK8ouSVXd bNvV9pvZ
--- /dev/null
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: rktvqpPG7LhkkEOgNK2eay0hTmcCyWK7pQpnqKYsSDa58Bd/Pt9860iHb9AQKnzQaBQMFK0y9Ul9GNd4lSBq8zx3Q5v+sl+XW4f9u7I7tiMP7rif23b2kS4UpIBH61jJRiTmJOJ2oT8I2W02Smz3BzXAEDEryi5JVd1s29X2m9k=
+PublicExponent: AQAB
+PrivateExponent: rT8wnPZNGgnjc/60ZQha2p++ZodAHtt0N4XTKbEbfSBgzEUe52kQa3LppPvExebQ5VNf+sF6UJSesy2in2DczIqBOo2iftjKHXXWlnZN6ApN0v+oVmWxbvsEzODbeMOYklAzZd/QHvcNJCVHr+6WzxFlu5vnRwwF3vAEbFw+hIE=
+Prime1: 59ugOWNLFlyOP/m7iYkr3vrei7vhT0c1IvIlBYiDSX6Ns98reI21KFXHjAl7jfx0DjJXZBK4VYCfFm7/nFS7KQ==
+Prime2: wHFpgOLWd6AQfDscdkE7+rCHiaYKBADAUZ7smJni1rWFfQix+wm4qZRyrFjgT3mIZdWICJiFjh0qdrM9SvqhMQ==
+Exponent1: ndmuiaOKGV1GE1QoU4ip75MINEXjLSAjkvkcL1ozV7PrMUx8wgRoE1/jDPnfvljjgk7PpHgCO2Pn61QCfiJJkQ==
+Exponent2: vUKMdQIh1DIqJFNqEW7kkw5rrdcKwJcQjPUUUJv/OBP7fVVA3NfZsYVaJd+ecureVvBiwblml7ZdXbG3VPcZ8Q==
+Coefficient: D6wuDQKGBlZjXQov//tXMrwhWMFhNzXfBbZCSz7td3RLspi7TJkDBFIXmJolXCLpB+Y5TNOa/3FDA8rWEIQm9w==
+Created: 20130213175239
+Publish: 20130213175239
+Activate: 20130213175239
--- /dev/null
+/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9. As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options. To use the built-in DLV key, set
+# "dnssec-lookaside auto;". Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of January 2011. If any key fails to
+# initialize correctly, it may have expired. In that event you should
+# replace this file with a current version. The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+ # ISC DLV: See https://www.isc.org/solutions/dlv for details.
+ # NOTE: This key is activated by setting "dnssec-lookaside auto;"
+ # in named.conf.
+ dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+ TDN0YUuWrBNh";
+
+ # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
+ # for current trust anchor information.
+ # NOTE: This key is activated by setting "dnssec-validation auto;"
+ # in named.conf.
+ . initial-key 257 3 8 "AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+ XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+ L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+ E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+ AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+ nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+ O9fOgGnjzAk=";
+};
--- /dev/null
+;
+; Zonefile for the org zone
+;
+$TTL 604800
+@ IN SOA ns1.org. root.org. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS ns1.org.
+ns1 IN A 192.168.0.150
+ns1 IN AAAA fe80::fcfd:c0ff:fea8:96
+;
+strongswan IN NS ns1.strongswan.org.
+ns1.strongswan IN A 192.168.0.150
+ns1.strongswan IN AAAA fe80::fcfd:c0ff:fea8:96
+;
+strongswan.org. IN DS 481 8 1 5B239B124E38890C1853F5ECF299DEDEB5537E55
+strongswan.org. IN DS 481 8 2 FEE6842CA2322347D818318D278A929E0B9FD82353B84AE94A6A4C7B 1DFB4FEE
+;
+; This is a zone-signing key, keyid 24285, for org.
+org. IN DNSKEY 256 3 8 (
+ AwEAAa6IO30MFlgyj0hJLe0vqvHLr1/4kRCNl/Biz7VYwgzRkiYxHxLJ
+ U+i8/r9rEWU85Q6WEt77xQ+HyxzwmoXpSaMtymYifNFZnvwl31CbkzIB
+ FTtBUQ3BCKZjv0WgpLExDqAKgclCWBZ1PrHvDn1HTl6mMgCpiWothzkn
+ zoNbB0g9
+ )
+;
+; This is a key-signing key, keyid 51859, for org.
+org. IN DNSKEY 257 3 8 (
+ AwEAAfAyiINF1/fIyebiAZhG3kFxv1+j3D3TxNBPccbiVUgYSnse95mb
+ mn40KgguCljoi6kDu10Qo+XUwpR78dGJiqvKfej7cz6wbIr5qu9Kv7f8
+ lJPRQ2igxZ/0ZCLXGbozRuQGy39klQeG98fwxNkzHqXRxkhyAgpY8E2B
+ umRsi2Cca/vKF+6OpNx9b8RXIBcUTdhx0Vjg+3gYhSRR1rPB160sbaL+
+ v3Fxv9ZzOIY9ekforNxuqV9/U0DCiOhgpZC7H+5ShPb0VNzYvv0IwIAG
+ VPVEJdh5SNPQ0LclPXcR3av+DpjvdY5oAOn/mLPCHjxBnzOl7Q3P43dL
+ DtYdKb9mGnk=
+ )
--- /dev/null
+;
+; Zonefile for the root zone
+;
+$TTL 604800
+@ IN SOA ns1. root. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS ns1.
+ns1 IN A 192.168.0.150
+ns1 IN AAAA fe80::fcfd:c0ff:fea8:96
+;
+org IN NS ns1.org.
+ns1.org IN A 192.168.0.150
+ns1.org IN AAAA fe80::fcfd:c0ff:fea8:96
+;
+org. IN DS 51859 8 1 5075E7B1185CFCC744364EC45D2E03CBA6178929
+org. IN DS 51859 8 2 9122D2557F70A8CE5CB14E85BF5D966848FC7016A0E2E021012F33B8 398770A9
+;
+; This is a zone-signing key, keyid 43749, for .
+. IN DNSKEY 256 3 8 (
+ AwEAAdMS+CyW9m8yB6rwrqsdfMW41AWim1T/ehg4Un/9qADFEZN9T7NK
+ 9PI+DD3Dr72Z2ZO4hrKXB2Xe0nlvsCUjTfCwdGqgz9YLv2WfXzqRksxF
+ gQXmzAdG7JGH+7YmXq7AAF3246caa+wMXAGRdUUCiQf87CnAaZXJ1kUz
+ wHw3Arp5
+ )
+;
+; This is a key-signing key, keyid 32329, for .
+. IN DNSKEY 257 3 8 (
+ AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+ XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+ L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+ E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+ AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+ nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+ O9fOgGnjzAk=
+ )
--- /dev/null
+;
+; Zonefile for the strongswan.org zone
+;
+$TTL 604800
+@ IN SOA ns1.strongswan.org. root.strongswan.org. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS ns1.strongswan.org.
+ns1 IN A 192.168.0.150
+ns1 IN AAAA fe80::fcfd:c0ff:fea8:96
+;
+moon IN A 192.168.0.1
+sun IN A 192.168.0.2
+mars IN A 192.168.0.5
+alice1 IN A 192.168.0.50
+carol IN A 192.168.0.100
+winnetou IN A 192.168.0.150
+dave IN A 192.168.0.200
+;
+ip6-moon IN AAAA fe80::fcfd:c0ff:fea8:01
+ip6-sun IN AAAA fe80::fcfd:c0ff:fea8:02
+ip6-carol IN AAAA fe80::fcfd:c0ff:fea8:64
+ip6-winnetou IN AAAA fe80::fcfd:c0ff:fea8:96
+ip6-dave IN AAAA fe80::fcfd:c0ff:fea8:c8
+;
+crl IN CNAME winnetou.strongswan.org.
+ldap IN CNAME winnetou.strongswan.org.
+ocsp IN CNAME winnetou.strongswan.org.
+;
+moon IN IPSECKEY ( 10 1 2 192.168.0.1
+ AwEAAcovYz3Uu7oFhiFbFaAxL3P1MxJPCzObmuE7tkiwK0xGjg8B5jD7
+ 75IZe3cI9dv/6n5JYoaWbXWs8TvV5Dd6GCHYLeEC6t+ZY7SJBBoLD592
+ t54hUKo5Ag4/pSpnfbuHnJhikeTxVC/i8ElOnFyVTU+qdaF6p7VmUvGx
+ bvvctGaX99C39SC8mQIFNlk40s0x8r7tMOdhpWwC2dyC8M3vydQ0R7ap
+ j3YortKsEnpKlQSDj2bnUX5eCwZyyBZUdLzmifc6b8bjxyssRUmN27w
+ LF7BJFWBv6U8lbMd3xCxTRWD/u+WqzdlEzI200quviilK9VsDpqAaVNe
+ EMKt4OJdTwoc=
+ )
+sun IN IPSECKEY ( 10 1 2 192.168.0.2
+ AwEAAd+VVIpn6Q5jaU//EN6p6A5cSfUfhBK0mFa2laFFZh/Y0h66AXqq
+ rQ3X917h7YNsSk68oowY9h9I3gOx7hNVBsJr2VjdYC+b0q5NTha09/A5
+ mimv/prYj6o0yawxoPjoDs9Yh7D7Kf+F8fkgk0stlHJZX66J7dNrFXbg
+ 1xBld+Ep5Or2FbEZ9QWUpRQTuhdpNt/49YuxQ59DemY9IRbwsrKCHH0m
+ GrJsDdqeb0ap+8QvSXHjCt1fr9MNKWaAFAQLKQI4e0da1ntPCEQLeE83
+ 3+NNRBgGufk0KqGT3eAXqrxa9AEIUJnVcPexQdqUMjcUpXFb8WNzRWB8
+ Egh3BDK6FsE=
+ )
+carol IN IPSECKEY ( 10 1 2 192.168.0.100
+ AwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuukt
+ gXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo
+ 5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6
+ q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF
+ 5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5P
+ UdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3
+ WEKTAmsZrVE=
+ )
+dave IN IPSECKEY ( 10 1 2 192.168.0.200
+ AwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO0
+ 4jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4b
+ V2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH
+ 10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GK
+ qmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3
+ Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K
+ 0J4a81Paq3U=
+ )
+;
+; This is a zone-signing key, keyid 9396, for strongswan.org.
+strongswan.org. IN DNSKEY 256 3 8 (
+ AwEAAa5Lb6qTxuy4ZJBDoDStnmstIU5nAsliu6UKZ6imLEg2ufAXfz7f
+ fOtIh2/QECp80GgUDBStMvVJfRjXeJUgavM8d0Ob/rJfl1uH/buyO7Yj
+ D+64n9t29pEuFKSAR+tYyUYk5iTidqE/CNltNkps9wc1wBAxK8ouSVXd
+ bNvV9pvZ
+ )
+;
+; This is a key-signing key, keyid 481, for strongswan.org.
+strongswan.org. IN DNSKEY 257 3 8 (
+ AwEAAcXfcWvCGzQq80q9JX1Wvz0lwA/fi1XZmega350wGR8WdFCklvmK
+ fAzNaf1CrvN3bH9Gl2VEEhkYMF6h6kVFTU7taspq5t0bLwgCK/nS8QzK
+ TLWvzWdyVayiHfij1PPwnQV5FADBTE5mMEkmn82+PKg6jaKs3ANsc0BP
+ bGSsGIxhUKliLxJEd+6KSl/+ouQD9RfCD5sz9NIF+IXv1ZGp2Rjf+6vK
+ bPO8f0hmttwE/OzKyBgysLBbd6fw2pKOBhunVFmUYPaHM9zLTydzuSIA
+ X9iSeM6HtAvlKgK0JGgPEFrX+jPG6wDvJfzzakx85rMkRGc31NFiFLqM
+ ooWxy1674/U=
+ )
--- /dev/null
+. IN DS 32329 8 1 39BE767A8E8BCD4D7AF698144FF41701FEDC3BA1
+. IN DS 32329 8 2 36B3DE82C971DF2A99AF3B00923A67A1DC956218E95A39335AF9768C 057FBBE0
--- /dev/null
+org. IN DS 51859 8 1 5075E7B1185CFCC744364EC45D2E03CBA6178929
+org. IN DS 51859 8 2 9122D2557F70A8CE5CB14E85BF5D966848FC7016A0E2E021012F33B8 398770A9
--- /dev/null
+strongswan.org. IN DS 481 8 1 5B239B124E38890C1853F5ECF299DEDEB5537E55
+strongswan.org. IN DS 481 8 2 FEE6842CA2322347D818318D278A929E0B9FD82353B84AE94A6A4C7B 1DFB4FEE
--- /dev/null
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+ type master;
+ file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.255";
+};
+
--- /dev/null
+//
+// Do any local configuration here
+//
+
+zone "." {
+ type master;
+ file "/etc/bind/db.root.signed";
+};
+
+zone "org" {
+ type master;
+ file "/etc/bind/db.org.signed";
+};
+
+zone "strongswan.org" {
+ type master;
+ file "/etc/bind/db.strongswan.org.signed";
+};
INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc
INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev
INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core
-INC=$INC,less,acpid,acpi-support-base
-SERVICES="apache2 dbus isc-dhcp-server slapd"
+INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils
+SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
INC=$INC,${SERVICES// /,}
EXC=iptables
log_action "Running debootstrap ($BASEIMGSUITE, $BASEIMGARCH)"
execute "debootstrap --arch=$BASEIMGARCH --include=$INC --exclude $EXC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR"
+execute "mount -t proc none $LOOPDIR/proc"
+do_on_exit graceful_umount $LOOPDIR/proc
+
for service in $SERVICES
do
log_action "Stopping service $service"
execute_chroot "rm -rf /var/lib/ldap/*" 0
execute_chroot "slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf" 0
execute_chroot "chown -R openldap:openldap /var/lib/ldap" 0
+ execute_chroot "dnssec-signzone -K /etc/bind -o strongswan.org. /etc/bind/db.strongswan.org" 0
+ execute_chroot "dnssec-signzone -K /etc/bind -o org. /etc/bind/db.org" 0
+ execute_chroot "dnssec-signzone -K /etc/bind -o . /etc/bind/db.root" 0
+ execute_chroot "update-rc.d bind9 defaults" 0
fi
sync
execute "umount $LOOPDIR" 0
--enable-xauth-generic \
--enable-xauth-eap \
--enable-pkcs8 \
- --enable-unity
+ --enable-unity \
+ --enable-unbound \
+ --enable-ipseckey
all: install
--- /dev/null
+#!/bin/bash
+
+DIR=$(dirname `readlink -f $0`)
+. $DIR/testing.conf
+
+if [ $# == 0 ]
+then
+ echo "$0 <host>"
+ exit 1
+fi
+
+host=$1
+ip="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+if [ -z $ip ]
+then
+ echo "Host '$host' unknown"
+ exit 1
+fi
+
+exec ssh $SSHCONF -q root@$ip
[ `id -u` -eq 0 ] || die "You must be root to run $0"
-check_commands virsh
+check_commands kvm virsh
log_action "Deploying kernel $KERNEL"
execute "ln -fs $KNLSRC $KNLTARGET"
--- /dev/null
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. The proprietary IKEv1 fragmentation
+protocol prevents the IP fragmentation of the IKEv1 messages carrying the large X.509
+certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
--- /dev/null
+moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
+sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
+moon::cat /var/log/daemon.log::sending IKE message with length of 1468 bytes in 2 fragments::YES
+sun::cat /var/log/daemon.log::sending IKE message with length of 1388 bytes in 2 fragments::YES
+moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+sun::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ fragmentation=yes
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+ fragment_size = 1024
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+ fragmentation=yes
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+ fragment_size = 1024
+}
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
--- /dev/null
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
--- /dev/null
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
+resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
--- /dev/null
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*sun.strongswan.org::YES
+sun:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftid=moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftrsasigkey=moonPub.der
+ leftauth=pubkey
+ leftfirewall=yes
+ right=sun.strongswan.org
+ rightid=sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ rightauth=pubkey
+ auto=add
--- /dev/null
+; This is a key-signing key, keyid 32329, for .
+. IN DNSKEY 257 3 8 (
+ AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+ XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+ L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+ E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+ AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+ nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+ O9fOgGnjzAk=
+ )
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
--- /dev/null
+nameserver PH_IP_WINNETOU
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown
+
+ plugins {
+ ipseckey {
+ enable = yes
+ }
+ }
+}
+
+libstrongswan {
+ plugins {
+ unbound {
+ # trust_anchors = /etc/ipsec.d/dnssec.keys
+ # resolv_conf = /etc/resolv.conf
+ }
+ }
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftid=sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftrsasigkey=sunPub.der
+ leftauth=pubkey
+ leftfirewall=yes
+ right=moon.strongswan.org
+ rightid=moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ auto=add
--- /dev/null
+; This is a key-signing key, keyid 32329, for .
+. IN DNSKEY 257 3 8 (
+ AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+ XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+ L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+ E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+ AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+ nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+ O9fOgGnjzAk=
+ )
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
--- /dev/null
+nameserver PH_IP_WINNETOU
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown
+
+ plugins {
+ ipseckey {
+ enable = yes
+ }
+ }
+}
+
+libstrongswan {
+ plugins {
+ unbound {
+ # trust_anchors = /etc/ipsec.d/dnssec.keys
+ # resolv_conf = /etc/resolv.conf
+ }
+ }
+}
--- /dev/null
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/resolv.conf
+sun::rm /etc/resolv.conf
+moon::rm /etc/ipsec.d/dnssec.keys
+sun::rm /etc/ipsec.d/dnssec.keys
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
--- /dev/null
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
+resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
+</p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
+and <b>dave1</b>, respectively.
--- /dev/null
+carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave.strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=%any
+ leftsourceip=%config
+ leftid=carol.strongswan.org
+ leftrsasigkey="0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
+ leftauth=pubkey
+ leftfirewall=yes
+ right=moon.strongswan.org
+ rightid=moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ auto=add
--- /dev/null
+; This is a key-signing key, keyid 32329, for .
+. IN DNSKEY 257 3 8 (
+ AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+ XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+ L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+ E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+ AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+ nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+ O9fOgGnjzAk=
+ )
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
--- /dev/null
+nameserver PH_IP_WINNETOU
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+
+ plugins {
+ ipseckey {
+ enable = yes
+ }
+ }
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=%any
+ leftsourceip=%config
+ leftid=dave.strongswan.org
+ leftrsasigkey="0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
+ leftauth=pubkey
+ leftfirewall=yes
+ right=moon.strongswan.org
+ rightid=moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ auto=add
--- /dev/null
+; This is a key-signing key, keyid 32329, for .
+. IN DNSKEY 257 3 8 (
+ AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+ XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+ L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+ E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+ AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+ nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+ O9fOgGnjzAk=
+ )
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
--- /dev/null
+nameserver PH_IP_WINNETOU
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+
+ plugins {
+ ipseckey {
+ enable = yes
+ }
+ }
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftid=moon.strongswan.org
+ leftauth=pubkey
+ leftrsasigkey=moonPub.der
+ leftfirewall=yes
+ right=%any
+ rightauth=pubkey
+ rightsourceip=10.3.0.0/24
+ auto=add
--- /dev/null
+; This is a key-signing key, keyid 32329, for .
+. IN DNSKEY 257 3 8 (
+ AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+ XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+ L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+ E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+ AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+ nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+ O9fOgGnjzAk=
+ )
--- /dev/null
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
--- /dev/null
+nameserver PH_IP_WINNETOU
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 dnskey pubkey unbound ipseckey gmp random nonce hmac stroke kernel-netlink socket-default updown attr
+
+ dns1 = PH_IP_WINNETOU
+ dns2 = PH_IP_VENUS
+
+ plugins {
+ ipseckey {
+ enable = yes
+ }
+ }
+}
--- /dev/null
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon:rm /etc/resolv.conf
+carol:rm /etc/resolv.conf
+dave:rm /etc/resolv.conf
+moon:rm /etc/ipsec.d/dnssec.key
+carol:rm /etc/ipsec.d/dnssec.key
+dave:rm /etc/ipse.cd/dnssec.key
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
: RSA aaaKey.pem
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
+carol : EAP "Ar3etTnp"
+dave : EAP "W7R0g3do"
conn home
left=PH_IP_CAROL
- leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
+ eap_identity=carol
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
auto=add
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-carol@strongswan.org : EAP "Ar3etTnp"
+carol : EAP "Ar3etTnp"
conn home
left=PH_IP_DAVE
- leftid=dave@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
rightauth=pubkey
+ eap_identity=dave
aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
auto=add
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-dave@strongswan.org : EAP "W7R0g3do"
+dave : EAP "W7R0g3do"
leftauth=pubkey
leftfirewall=yes
rightauth=eap-radius
- rightid=*@strongswan.org
rightsendcert=never
right=%any
+ eap_identity=%any
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
multiple_authentication=no
plugins {
eap-radius {