removed trailing spaces ([[:space:]]+$)
authorMartin Willi <martin@strongswan.org>
Fri, 4 Sep 2009 11:46:09 +0000 (13:46 +0200)
committerMartin Willi <martin@strongswan.org>
Fri, 4 Sep 2009 11:46:09 +0000 (13:46 +0200)
703 files changed:
scripts/bin2array.c
scripts/bin2sql.c
scripts/dh_speed.c
scripts/id2sql.c
scripts/key2keyid.c
scripts/keyid2sql.c
scripts/pubkey_speed.c
scripts/thread_analysis.c
src/_copyright/_copyright.c
src/charon/bus/bus.c
src/charon/bus/bus.h
src/charon/bus/listeners/file_logger.c
src/charon/bus/listeners/file_logger.h
src/charon/bus/listeners/listener.h
src/charon/bus/listeners/sys_logger.c
src/charon/bus/listeners/sys_logger.h
src/charon/config/attributes/attribute_handler.h
src/charon/config/attributes/attribute_manager.c
src/charon/config/attributes/attribute_manager.h
src/charon/config/attributes/attribute_provider.h
src/charon/config/auth_cfg.c
src/charon/config/auth_cfg.h
src/charon/config/backend_manager.c
src/charon/config/backend_manager.h
src/charon/config/child_cfg.c
src/charon/config/child_cfg.h
src/charon/config/ike_cfg.c
src/charon/config/ike_cfg.h
src/charon/config/peer_cfg.c
src/charon/config/peer_cfg.h
src/charon/config/proposal.c
src/charon/config/proposal.h
src/charon/config/traffic_selector.c
src/charon/config/traffic_selector.h
src/charon/control/controller.c
src/charon/control/controller.h
src/charon/credentials/credential_manager.c
src/charon/credentials/credential_manager.h
src/charon/credentials/credential_set.h
src/charon/credentials/sets/auth_cfg_wrapper.c
src/charon/credentials/sets/auth_cfg_wrapper.h
src/charon/credentials/sets/cert_cache.c
src/charon/credentials/sets/cert_cache.h
src/charon/credentials/sets/ocsp_response_wrapper.c
src/charon/credentials/sets/ocsp_response_wrapper.h
src/charon/daemon.c
src/charon/daemon.h
src/charon/encoding/generator.c
src/charon/encoding/generator.h
src/charon/encoding/message.c
src/charon/encoding/message.h
src/charon/encoding/parser.c
src/charon/encoding/parser.h
src/charon/encoding/payloads/auth_payload.c
src/charon/encoding/payloads/auth_payload.h
src/charon/encoding/payloads/cert_payload.c
src/charon/encoding/payloads/cert_payload.h
src/charon/encoding/payloads/certreq_payload.c
src/charon/encoding/payloads/certreq_payload.h
src/charon/encoding/payloads/configuration_attribute.c
src/charon/encoding/payloads/configuration_attribute.h
src/charon/encoding/payloads/cp_payload.c
src/charon/encoding/payloads/cp_payload.h
src/charon/encoding/payloads/delete_payload.c
src/charon/encoding/payloads/delete_payload.h
src/charon/encoding/payloads/eap_payload.c
src/charon/encoding/payloads/eap_payload.h
src/charon/encoding/payloads/encodings.h
src/charon/encoding/payloads/encryption_payload.c
src/charon/encoding/payloads/encryption_payload.h
src/charon/encoding/payloads/endpoint_notify.c
src/charon/encoding/payloads/endpoint_notify.h
src/charon/encoding/payloads/id_payload.c
src/charon/encoding/payloads/id_payload.h
src/charon/encoding/payloads/ike_header.c
src/charon/encoding/payloads/ike_header.h
src/charon/encoding/payloads/ke_payload.c
src/charon/encoding/payloads/ke_payload.h
src/charon/encoding/payloads/nonce_payload.c
src/charon/encoding/payloads/nonce_payload.h
src/charon/encoding/payloads/notify_payload.c
src/charon/encoding/payloads/notify_payload.h
src/charon/encoding/payloads/payload.h
src/charon/encoding/payloads/proposal_substructure.c
src/charon/encoding/payloads/proposal_substructure.h
src/charon/encoding/payloads/sa_payload.c
src/charon/encoding/payloads/sa_payload.h
src/charon/encoding/payloads/traffic_selector_substructure.c
src/charon/encoding/payloads/traffic_selector_substructure.h
src/charon/encoding/payloads/transform_attribute.c
src/charon/encoding/payloads/transform_attribute.h
src/charon/encoding/payloads/transform_substructure.c
src/charon/encoding/payloads/transform_substructure.h
src/charon/encoding/payloads/ts_payload.c
src/charon/encoding/payloads/ts_payload.h
src/charon/encoding/payloads/unknown_payload.c
src/charon/encoding/payloads/unknown_payload.h
src/charon/encoding/payloads/vendor_id_payload.c
src/charon/encoding/payloads/vendor_id_payload.h
src/charon/kernel/kernel_interface.c
src/charon/kernel/kernel_interface.h
src/charon/kernel/kernel_ipsec.h
src/charon/kernel/kernel_net.h
src/charon/network/packet.c
src/charon/network/packet.h
src/charon/network/receiver.c
src/charon/network/receiver.h
src/charon/network/sender.c
src/charon/network/sender.h
src/charon/network/socket-raw.c
src/charon/network/socket.c
src/charon/network/socket.h
src/charon/plugins/attr/attr_plugin.c
src/charon/plugins/attr/attr_plugin.h
src/charon/plugins/attr/attr_provider.c
src/charon/plugins/attr/attr_provider.h
src/charon/plugins/eap_aka/eap_aka.c
src/charon/plugins/eap_aka/eap_aka_plugin.c
src/charon/plugins/eap_gtc/eap_gtc.c
src/charon/plugins/eap_gtc/eap_gtc_plugin.c
src/charon/plugins/eap_identity/eap_identity.c
src/charon/plugins/eap_identity/eap_identity_plugin.c
src/charon/plugins/eap_md5/eap_md5.c
src/charon/plugins/eap_md5/eap_md5_plugin.c
src/charon/plugins/eap_mschapv2/eap_mschapv2.c
src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
src/charon/plugins/eap_radius/eap_radius.c
src/charon/plugins/eap_radius/eap_radius_plugin.c
src/charon/plugins/eap_radius/radius_client.c
src/charon/plugins/eap_radius/radius_client.h
src/charon/plugins/eap_radius/radius_message.c
src/charon/plugins/eap_radius/radius_message.h
src/charon/plugins/eap_sim/eap_sim.c
src/charon/plugins/eap_sim/eap_sim_plugin.c
src/charon/plugins/eap_sim_file/eap_sim_file_card.c
src/charon/plugins/eap_sim_file/eap_sim_file_card.h
src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
src/charon/plugins/kernel_klips/kernel_klips_plugin.c
src/charon/plugins/kernel_klips/pfkeyv2.h
src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/charon/plugins/kernel_netlink/kernel_netlink_net.c
src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
src/charon/plugins/load_tester/load_tester_config.c
src/charon/plugins/load_tester/load_tester_config.h
src/charon/plugins/load_tester/load_tester_creds.c
src/charon/plugins/load_tester/load_tester_creds.h
src/charon/plugins/load_tester/load_tester_diffie_hellman.c
src/charon/plugins/load_tester/load_tester_diffie_hellman.h
src/charon/plugins/load_tester/load_tester_ipsec.c
src/charon/plugins/load_tester/load_tester_listener.c
src/charon/plugins/load_tester/load_tester_listener.h
src/charon/plugins/load_tester/load_tester_plugin.c
src/charon/plugins/load_tester/load_tester_plugin.h
src/charon/plugins/medcli/medcli_config.c
src/charon/plugins/medcli/medcli_config.h
src/charon/plugins/medcli/medcli_creds.c
src/charon/plugins/medcli/medcli_creds.h
src/charon/plugins/medcli/medcli_listener.c
src/charon/plugins/medcli/medcli_listener.h
src/charon/plugins/medcli/medcli_plugin.c
src/charon/plugins/medsrv/medsrv_config.c
src/charon/plugins/medsrv/medsrv_config.h
src/charon/plugins/medsrv/medsrv_creds.c
src/charon/plugins/medsrv/medsrv_creds.h
src/charon/plugins/medsrv/medsrv_plugin.c
src/charon/plugins/nm/gnome/auth-dialog/main.c
src/charon/plugins/nm/gnome/properties/nm-strongswan.c
src/charon/plugins/nm/gnome/properties/nm-strongswan.h
src/charon/plugins/nm/nm_creds.c
src/charon/plugins/nm/nm_creds.h
src/charon/plugins/nm/nm_handler.c
src/charon/plugins/nm/nm_handler.h
src/charon/plugins/nm/nm_plugin.c
src/charon/plugins/nm/nm_service.c
src/charon/plugins/resolv_conf/resolv_conf_handler.c
src/charon/plugins/resolv_conf/resolv_conf_handler.h
src/charon/plugins/resolv_conf/resolv_conf_plugin.c
src/charon/plugins/resolv_conf/resolv_conf_plugin.h
src/charon/plugins/smp/smp.c
src/charon/plugins/sql/pool.c
src/charon/plugins/sql/sql_attribute.c
src/charon/plugins/sql/sql_attribute.h
src/charon/plugins/sql/sql_config.c
src/charon/plugins/sql/sql_config.h
src/charon/plugins/sql/sql_cred.c
src/charon/plugins/sql/sql_cred.h
src/charon/plugins/sql/sql_logger.c
src/charon/plugins/sql/sql_logger.h
src/charon/plugins/sql/sql_plugin.c
src/charon/plugins/stroke/stroke_attribute.c
src/charon/plugins/stroke/stroke_attribute.h
src/charon/plugins/stroke/stroke_ca.c
src/charon/plugins/stroke/stroke_ca.h
src/charon/plugins/stroke/stroke_config.c
src/charon/plugins/stroke/stroke_config.h
src/charon/plugins/stroke/stroke_control.c
src/charon/plugins/stroke/stroke_control.h
src/charon/plugins/stroke/stroke_cred.c
src/charon/plugins/stroke/stroke_cred.h
src/charon/plugins/stroke/stroke_list.c
src/charon/plugins/stroke/stroke_list.h
src/charon/plugins/stroke/stroke_plugin.c
src/charon/plugins/stroke/stroke_plugin.h
src/charon/plugins/stroke/stroke_shared_key.c
src/charon/plugins/stroke/stroke_shared_key.h
src/charon/plugins/stroke/stroke_socket.c
src/charon/plugins/stroke/stroke_socket.h
src/charon/plugins/uci/uci_config.c
src/charon/plugins/uci/uci_config.h
src/charon/plugins/uci/uci_control.c
src/charon/plugins/uci/uci_control.h
src/charon/plugins/uci/uci_creds.c
src/charon/plugins/uci/uci_creds.h
src/charon/plugins/uci/uci_parser.c
src/charon/plugins/uci/uci_parser.h
src/charon/plugins/uci/uci_plugin.c
src/charon/plugins/unit_tester/tests.h
src/charon/plugins/unit_tester/tests/test_agent.c
src/charon/plugins/unit_tester/tests/test_auth_info.c
src/charon/plugins/unit_tester/tests/test_cert.c
src/charon/plugins/unit_tester/tests/test_chunk.c
src/charon/plugins/unit_tester/tests/test_curl.c
src/charon/plugins/unit_tester/tests/test_enumerator.c
src/charon/plugins/unit_tester/tests/test_id.c
src/charon/plugins/unit_tester/tests/test_med_db.c
src/charon/plugins/unit_tester/tests/test_mutex.c
src/charon/plugins/unit_tester/tests/test_mysql.c
src/charon/plugins/unit_tester/tests/test_pool.c
src/charon/plugins/unit_tester/tests/test_rsa_gen.c
src/charon/plugins/unit_tester/tests/test_sqlite.c
src/charon/plugins/unit_tester/unit_tester.c
src/charon/plugins/unit_tester/unit_tester.h
src/charon/plugins/updown/updown_listener.c
src/charon/plugins/updown/updown_listener.h
src/charon/plugins/updown/updown_plugin.c
src/charon/processing/jobs/acquire_job.c
src/charon/processing/jobs/acquire_job.h
src/charon/processing/jobs/callback_job.c
src/charon/processing/jobs/callback_job.h
src/charon/processing/jobs/delete_child_sa_job.c
src/charon/processing/jobs/delete_child_sa_job.h
src/charon/processing/jobs/delete_ike_sa_job.c
src/charon/processing/jobs/delete_ike_sa_job.h
src/charon/processing/jobs/initiate_mediation_job.c
src/charon/processing/jobs/initiate_mediation_job.h
src/charon/processing/jobs/job.h
src/charon/processing/jobs/mediation_job.c
src/charon/processing/jobs/mediation_job.h
src/charon/processing/jobs/migrate_job.c
src/charon/processing/jobs/migrate_job.h
src/charon/processing/jobs/process_message_job.c
src/charon/processing/jobs/process_message_job.h
src/charon/processing/jobs/rekey_child_sa_job.c
src/charon/processing/jobs/rekey_child_sa_job.h
src/charon/processing/jobs/rekey_ike_sa_job.c
src/charon/processing/jobs/rekey_ike_sa_job.h
src/charon/processing/jobs/retransmit_job.c
src/charon/processing/jobs/retransmit_job.h
src/charon/processing/jobs/roam_job.c
src/charon/processing/jobs/roam_job.h
src/charon/processing/jobs/send_dpd_job.c
src/charon/processing/jobs/send_dpd_job.h
src/charon/processing/jobs/send_keepalive_job.c
src/charon/processing/jobs/send_keepalive_job.h
src/charon/processing/jobs/update_sa_job.c
src/charon/processing/jobs/update_sa_job.h
src/charon/processing/processor.c
src/charon/processing/processor.h
src/charon/processing/scheduler.c
src/charon/processing/scheduler.h
src/charon/sa/authenticators/authenticator.c
src/charon/sa/authenticators/authenticator.h
src/charon/sa/authenticators/eap/eap_manager.c
src/charon/sa/authenticators/eap/eap_manager.h
src/charon/sa/authenticators/eap/eap_method.c
src/charon/sa/authenticators/eap/eap_method.h
src/charon/sa/authenticators/eap/sim_manager.c
src/charon/sa/authenticators/eap/sim_manager.h
src/charon/sa/authenticators/eap_authenticator.c
src/charon/sa/authenticators/eap_authenticator.h
src/charon/sa/authenticators/psk_authenticator.c
src/charon/sa/authenticators/psk_authenticator.h
src/charon/sa/authenticators/pubkey_authenticator.c
src/charon/sa/authenticators/pubkey_authenticator.h
src/charon/sa/child_sa.c
src/charon/sa/child_sa.h
src/charon/sa/connect_manager.c
src/charon/sa/connect_manager.h
src/charon/sa/ike_sa.c
src/charon/sa/ike_sa.h
src/charon/sa/ike_sa_id.h
src/charon/sa/ike_sa_manager.c
src/charon/sa/ike_sa_manager.h
src/charon/sa/keymat.c
src/charon/sa/keymat.h
src/charon/sa/mediation_manager.c
src/charon/sa/mediation_manager.h
src/charon/sa/task_manager.c
src/charon/sa/task_manager.h
src/charon/sa/tasks/child_create.c
src/charon/sa/tasks/child_create.h
src/charon/sa/tasks/child_delete.c
src/charon/sa/tasks/child_delete.h
src/charon/sa/tasks/child_rekey.c
src/charon/sa/tasks/child_rekey.h
src/charon/sa/tasks/ike_auth.c
src/charon/sa/tasks/ike_auth_lifetime.c
src/charon/sa/tasks/ike_auth_lifetime.h
src/charon/sa/tasks/ike_cert_post.c
src/charon/sa/tasks/ike_cert_pre.c
src/charon/sa/tasks/ike_config.c
src/charon/sa/tasks/ike_delete.c
src/charon/sa/tasks/ike_dpd.c
src/charon/sa/tasks/ike_init.c
src/charon/sa/tasks/ike_init.h
src/charon/sa/tasks/ike_me.c
src/charon/sa/tasks/ike_me.h
src/charon/sa/tasks/ike_mobike.c
src/charon/sa/tasks/ike_mobike.h
src/charon/sa/tasks/ike_natd.c
src/charon/sa/tasks/ike_natd.h
src/charon/sa/tasks/ike_reauth.c
src/charon/sa/tasks/ike_rekey.c
src/charon/sa/tasks/ike_rekey.h
src/charon/sa/tasks/task.h
src/charon/sa/trap_manager.c
src/charon/sa/trap_manager.h
src/checksum/checksum_builder.c
src/dumm/bridge.c
src/dumm/bridge.h
src/dumm/cowfs.c
src/dumm/cowfs.h
src/dumm/dumm.c
src/dumm/dumm.h
src/dumm/ext/dumm.c
src/dumm/guest.c
src/dumm/guest.h
src/dumm/iface.c
src/dumm/iface.h
src/dumm/irdumm.c
src/dumm/main.c
src/dumm/mconsole.c
src/dumm/mconsole.h
src/include/linux/netlink.h
src/include/linux/rtnetlink.h
src/libfast/context.h
src/libfast/controller.h
src/libfast/dispatcher.c
src/libfast/dispatcher.h
src/libfast/filter.h
src/libfast/request.c
src/libfast/request.h
src/libfast/session.c
src/libfast/session.h
src/libfreeswan/addrtoa.c
src/libfreeswan/addrtot.c
src/libfreeswan/addrtypeof.c
src/libfreeswan/anyaddr.c
src/libfreeswan/atoaddr.c
src/libfreeswan/atoasr.c
src/libfreeswan/atosa.c
src/libfreeswan/atosubnet.c
src/libfreeswan/atoul.c
src/libfreeswan/datatot.c
src/libfreeswan/freeswan.h
src/libfreeswan/goodmask.c
src/libfreeswan/initaddr.c
src/libfreeswan/initsaid.c
src/libfreeswan/initsubnet.c
src/libfreeswan/internal.h
src/libfreeswan/ipsec_param.h
src/libfreeswan/keyblobtoid.c
src/libfreeswan/pfkey.h
src/libfreeswan/pfkey_v2_build.c
src/libfreeswan/pfkey_v2_debug.c
src/libfreeswan/pfkey_v2_ext_bits.c
src/libfreeswan/pfkey_v2_parse.c
src/libfreeswan/pfkeyv2.h
src/libfreeswan/portof.c
src/libfreeswan/prng.c
src/libfreeswan/rangetoa.c
src/libfreeswan/rangetosubnet.c
src/libfreeswan/sameaddr.c
src/libfreeswan/satoa.c
src/libfreeswan/satot.c
src/libfreeswan/subnetof.c
src/libfreeswan/subnettoa.c
src/libfreeswan/subnettot.c
src/libfreeswan/subnettypeof.c
src/libfreeswan/ttoaddr.c
src/libfreeswan/ttodata.c
src/libfreeswan/ttoprotoport.c
src/libfreeswan/ttosa.c
src/libfreeswan/ttosubnet.c
src/libfreeswan/ttoul.c
src/libfreeswan/ultoa.c
src/libfreeswan/ultot.c
src/libstrongswan/asn1/asn1.c
src/libstrongswan/asn1/asn1.h
src/libstrongswan/asn1/asn1_parser.c
src/libstrongswan/asn1/asn1_parser.h
src/libstrongswan/chunk.c
src/libstrongswan/chunk.h
src/libstrongswan/credentials/builder.h
src/libstrongswan/credentials/certificates/ac.h
src/libstrongswan/credentials/certificates/certificate.h
src/libstrongswan/credentials/certificates/crl.h
src/libstrongswan/credentials/certificates/ocsp_response.h
src/libstrongswan/credentials/certificates/x509.h
src/libstrongswan/credentials/credential_factory.c
src/libstrongswan/credentials/credential_factory.h
src/libstrongswan/credentials/keys/key_encoding.c
src/libstrongswan/credentials/keys/key_encoding.h
src/libstrongswan/credentials/keys/private_key.c
src/libstrongswan/credentials/keys/private_key.h
src/libstrongswan/credentials/keys/public_key.c
src/libstrongswan/credentials/keys/public_key.h
src/libstrongswan/credentials/keys/shared_key.c
src/libstrongswan/credentials/keys/shared_key.h
src/libstrongswan/crypto/crypters/crypter.h
src/libstrongswan/crypto/crypto_factory.c
src/libstrongswan/crypto/crypto_factory.h
src/libstrongswan/crypto/crypto_tester.c
src/libstrongswan/crypto/crypto_tester.h
src/libstrongswan/crypto/diffie_hellman.h
src/libstrongswan/crypto/hashers/hasher.h
src/libstrongswan/crypto/pkcs7.c
src/libstrongswan/crypto/pkcs7.h
src/libstrongswan/crypto/pkcs9.c
src/libstrongswan/crypto/pkcs9.h
src/libstrongswan/crypto/prf_plus.c
src/libstrongswan/crypto/prf_plus.h
src/libstrongswan/crypto/prfs/prf.h
src/libstrongswan/crypto/proposal/proposal_keywords.h
src/libstrongswan/crypto/rngs/rng.h
src/libstrongswan/crypto/signers/signer.h
src/libstrongswan/database/database.h
src/libstrongswan/database/database_factory.c
src/libstrongswan/database/database_factory.h
src/libstrongswan/debug.c
src/libstrongswan/debug.h
src/libstrongswan/enum.h
src/libstrongswan/fetcher/fetcher.h
src/libstrongswan/fetcher/fetcher_manager.c
src/libstrongswan/fetcher/fetcher_manager.h
src/libstrongswan/integrity_checker.c
src/libstrongswan/integrity_checker.h
src/libstrongswan/library.c
src/libstrongswan/library.h
src/libstrongswan/plugins/aes/aes_crypter.c
src/libstrongswan/plugins/aes/aes_crypter.h
src/libstrongswan/plugins/aes/aes_plugin.c
src/libstrongswan/plugins/agent/agent_plugin.c
src/libstrongswan/plugins/agent/agent_plugin.h
src/libstrongswan/plugins/agent/agent_private_key.c
src/libstrongswan/plugins/blowfish/bf_enc.c
src/libstrongswan/plugins/blowfish/bf_locl.h
src/libstrongswan/plugins/blowfish/bf_pi.h
src/libstrongswan/plugins/blowfish/bf_skey.c
src/libstrongswan/plugins/blowfish/blowfish.h
src/libstrongswan/plugins/blowfish/blowfish_crypter.c
src/libstrongswan/plugins/blowfish/blowfish_crypter.h
src/libstrongswan/plugins/blowfish/blowfish_plugin.c
src/libstrongswan/plugins/curl/curl_fetcher.c
src/libstrongswan/plugins/curl/curl_fetcher.h
src/libstrongswan/plugins/curl/curl_plugin.c
src/libstrongswan/plugins/des/des_crypter.c
src/libstrongswan/plugins/des/des_crypter.h
src/libstrongswan/plugins/des/des_plugin.c
src/libstrongswan/plugins/dnskey/dnskey_builder.c
src/libstrongswan/plugins/dnskey/dnskey_plugin.c
src/libstrongswan/plugins/fips_prf/fips_prf.c
src/libstrongswan/plugins/fips_prf/fips_prf.h
src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c
src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
src/libstrongswan/plugins/gcrypt/gcrypt_rng.h
src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
src/libstrongswan/plugins/gmp/gmp_plugin.c
src/libstrongswan/plugins/gmp/gmp_plugin.h
src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
src/libstrongswan/plugins/hmac/hmac.c
src/libstrongswan/plugins/hmac/hmac.h
src/libstrongswan/plugins/hmac/hmac_plugin.c
src/libstrongswan/plugins/hmac/hmac_prf.c
src/libstrongswan/plugins/hmac/hmac_prf.h
src/libstrongswan/plugins/hmac/hmac_signer.c
src/libstrongswan/plugins/hmac/hmac_signer.h
src/libstrongswan/plugins/ldap/ldap_fetcher.c
src/libstrongswan/plugins/ldap/ldap_plugin.c
src/libstrongswan/plugins/md4/md4_hasher.c
src/libstrongswan/plugins/md4/md4_hasher.h
src/libstrongswan/plugins/md4/md4_plugin.c
src/libstrongswan/plugins/md5/md5_hasher.c
src/libstrongswan/plugins/md5/md5_hasher.h
src/libstrongswan/plugins/md5/md5_plugin.c
src/libstrongswan/plugins/mysql/mysql_database.c
src/libstrongswan/plugins/mysql/mysql_plugin.c
src/libstrongswan/plugins/openssl/openssl_crypter.c
src/libstrongswan/plugins/openssl/openssl_crypter.h
src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.h
src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
src/libstrongswan/plugins/openssl/openssl_hasher.c
src/libstrongswan/plugins/openssl/openssl_hasher.h
src/libstrongswan/plugins/openssl/openssl_plugin.c
src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
src/libstrongswan/plugins/openssl/openssl_util.c
src/libstrongswan/plugins/openssl/openssl_util.h
src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
src/libstrongswan/plugins/padlock/padlock_plugin.c
src/libstrongswan/plugins/padlock/padlock_rng.c
src/libstrongswan/plugins/padlock/padlock_rng.h
src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
src/libstrongswan/plugins/pem/pem_builder.c
src/libstrongswan/plugins/pem/pem_plugin.c
src/libstrongswan/plugins/pem/pem_plugin.h
src/libstrongswan/plugins/pgp/pgp_builder.c
src/libstrongswan/plugins/pgp/pgp_encoder.c
src/libstrongswan/plugins/pgp/pgp_plugin.c
src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c
src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
src/libstrongswan/plugins/plugin.h
src/libstrongswan/plugins/plugin_loader.c
src/libstrongswan/plugins/plugin_loader.h
src/libstrongswan/plugins/pubkey/pubkey_cert.c
src/libstrongswan/plugins/pubkey/pubkey_plugin.c
src/libstrongswan/plugins/random/random_plugin.c
src/libstrongswan/plugins/random/random_plugin.h
src/libstrongswan/plugins/random/random_rng.c
src/libstrongswan/plugins/random/random_rng.h
src/libstrongswan/plugins/sha1/sha1_hasher.c
src/libstrongswan/plugins/sha1/sha1_hasher.h
src/libstrongswan/plugins/sha1/sha1_plugin.c
src/libstrongswan/plugins/sha1/sha1_prf.c
src/libstrongswan/plugins/sha1/sha1_prf.h
src/libstrongswan/plugins/sha2/sha2_hasher.c
src/libstrongswan/plugins/sha2/sha2_hasher.h
src/libstrongswan/plugins/sha2/sha2_plugin.c
src/libstrongswan/plugins/sqlite/sqlite_database.c
src/libstrongswan/plugins/sqlite/sqlite_plugin.c
src/libstrongswan/plugins/test_vectors/test_vectors/blowfish.c
src/libstrongswan/plugins/test_vectors/test_vectors/rng.c
src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
src/libstrongswan/plugins/x509/ietf_attr_list.c
src/libstrongswan/plugins/x509/ietf_attr_list.h
src/libstrongswan/plugins/x509/x509_ac.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/libstrongswan/plugins/x509/x509_ocsp_request.c
src/libstrongswan/plugins/x509/x509_ocsp_response.c
src/libstrongswan/plugins/x509/x509_plugin.c
src/libstrongswan/plugins/xcbc/xcbc.c
src/libstrongswan/plugins/xcbc/xcbc.h
src/libstrongswan/plugins/xcbc/xcbc_plugin.c
src/libstrongswan/plugins/xcbc/xcbc_prf.c
src/libstrongswan/plugins/xcbc/xcbc_prf.h
src/libstrongswan/plugins/xcbc/xcbc_signer.c
src/libstrongswan/plugins/xcbc/xcbc_signer.h
src/libstrongswan/printf_hook.c
src/libstrongswan/printf_hook.h
src/libstrongswan/settings.c
src/libstrongswan/settings.h
src/libstrongswan/utils.c
src/libstrongswan/utils.h
src/libstrongswan/utils/backtrace.c
src/libstrongswan/utils/backtrace.h
src/libstrongswan/utils/enumerator.c
src/libstrongswan/utils/enumerator.h
src/libstrongswan/utils/hashtable.c
src/libstrongswan/utils/hashtable.h
src/libstrongswan/utils/host.c
src/libstrongswan/utils/host.h
src/libstrongswan/utils/identification.c
src/libstrongswan/utils/identification.h
src/libstrongswan/utils/iterator.h
src/libstrongswan/utils/leak_detective.c
src/libstrongswan/utils/leak_detective.h
src/libstrongswan/utils/lexparser.c
src/libstrongswan/utils/lexparser.h
src/libstrongswan/utils/linked_list.c
src/libstrongswan/utils/linked_list.h
src/libstrongswan/utils/mutex.c
src/libstrongswan/utils/mutex.h
src/libstrongswan/utils/optionsfrom.c
src/libstrongswan/utils/optionsfrom.h
src/manager/controller/auth_controller.c
src/manager/controller/config_controller.c
src/manager/controller/control_controller.c
src/manager/controller/gateway_controller.c
src/manager/controller/ikesa_controller.c
src/manager/gateway.c
src/manager/gateway.h
src/manager/main.c
src/manager/manager.c
src/manager/manager.h
src/manager/storage.c
src/manager/storage.h
src/manager/xml.c
src/manager/xml.h
src/medsrv/controller/peer_controller.c
src/medsrv/controller/user_controller.c
src/medsrv/filter/auth_filter.c
src/medsrv/main.c
src/medsrv/user.h
src/openac/openac.c
src/pki/pki.c
src/pluto/ac.c
src/pluto/alg_info.c
src/pluto/alg_info.h
src/pluto/builder.c
src/pluto/ca.c
src/pluto/certs.c
src/pluto/connections.c
src/pluto/connections.h
src/pluto/constants.c
src/pluto/constants.h
src/pluto/crl.c
src/pluto/crl.h
src/pluto/crypto.c
src/pluto/db_ops.c
src/pluto/demux.c
src/pluto/dnskey.c
src/pluto/fetch.c
src/pluto/ike_alg.c
src/pluto/ipsec_doi.c
src/pluto/kernel.c
src/pluto/kernel_alg.c
src/pluto/kernel_netlink.c
src/pluto/kernel_noklips.c
src/pluto/kernel_pfkey.c
src/pluto/keys.c
src/pluto/log.c
src/pluto/modecfg.c
src/pluto/modecfg.h
src/pluto/nat_traversal.c
src/pluto/ocsp.c
src/pluto/packet.c
src/pluto/pgpcert.c
src/pluto/pkcs7.c
src/pluto/plutomain.c
src/pluto/rcv_whack.c
src/pluto/rsaref/pkcs11.h
src/pluto/rsaref/pkcs11f.h
src/pluto/smartcard.c
src/pluto/spdb.c
src/pluto/state.c
src/pluto/timer.c
src/pluto/vendor.c
src/pluto/virtual.c
src/pluto/x509.c
src/pluto/x509.h
src/pluto/xauth.c
src/pluto/xauth.h
src/scepclient/loglite.c
src/scepclient/pkcs10.c
src/scepclient/pkcs10.h
src/scepclient/scep.c
src/scepclient/scep.h
src/scepclient/scepclient.c
src/starter/args.c
src/starter/confread.c
src/starter/confread.h
src/starter/invokecharon.c
src/starter/invokepluto.c
src/starter/klips.c
src/starter/klips.h
src/starter/netkey.h
src/starter/starter.c
src/starter/starterstroke.c
src/starter/starterwhack.c
src/stroke/stroke.c
src/stroke/stroke_msg.h
src/whack/whack.c
src/whack/whack.h

index 4778b446afd7f4056e84ca62e451c878a03d005d..5e0ad7c7453f7b4a8e7d864c790bc6721b34de93 100644 (file)
@@ -27,7 +27,7 @@ int main(int argc, char *argv[])
                {
                        break;
                }
-       }       
+       }
        printf("};\n");
        return 0;
 }
index 4f83dd3f2f4a4147543d1ef0320b317a364b2a75..8bc72f842ed138a6e25059c7f56eea6de28bdb87 100644 (file)
@@ -18,7 +18,7 @@ int main(int argc, char *argv[])
                        break;
                }
                printf("%02x", (unsigned int)byte);
-       }       
+       }
        printf("'\n");
        return 0;
 }
index 76dafe7524513d83b62aa8a5e8a2486ef37ad231..5a57badb676307219b9e3ac83b2f5d999419f072 100644 (file)
@@ -38,7 +38,7 @@ static void start_timing(struct timespec *start)
 static double end_timing(struct timespec *start)
 {
        struct timespec end;
-       
+
        clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
        return (end.tv_nsec - start->tv_nsec) / 1000000000.0 +
                        (end.tv_sec - start->tv_sec) * 1.0;
@@ -50,7 +50,7 @@ static void run_test(diffie_hellman_group_t group, int rounds)
        chunk_t chunk;
        struct timespec timing;
        int round;
-       
+
        r = lib->crypto->create_dh(lib->crypto, group);
        if (!r)
        {
@@ -58,24 +58,24 @@ static void run_test(diffie_hellman_group_t group, int rounds)
                                diffie_hellman_group_names, group);
                return;
        }
-       
+
        printf("%N:\t",
                        diffie_hellman_group_names, group);
-       
+
        start_timing(&timing);
        for (round = 0; round < rounds; round++)
        {
                l[round] = lib->crypto->create_dh(lib->crypto, group);
        }
        printf("A = g^a/s: %8.1f", rounds / end_timing(&timing));
-       
+
        for (round = 0; round < rounds; round++)
        {
                l[round]->get_my_public_value(l[round], &chunk);
                r->set_other_public_value(r, chunk);
                chunk_free(&chunk);
        }
-       
+
        r->get_my_public_value(r, &chunk);
        start_timing(&timing);
        for (round = 0; round < rounds; round++)
@@ -84,7 +84,7 @@ static void run_test(diffie_hellman_group_t group, int rounds)
        }
        printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing));
        chunk_free(&chunk);
-       
+
        for (round = 0; round < rounds; round++)
        {
                l[round]->destroy(l[round]);
@@ -95,22 +95,22 @@ static void run_test(diffie_hellman_group_t group, int rounds)
 int main(int argc, char *argv[])
 {
        int rounds, i, j;
-       
+
        if (argc < 4)
        {
                usage();
        }
-       
+
        library_init(STRONGSWAN_CONF);
        lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, argv[1]);
        atexit(library_deinit);
-       
+
        rounds = atoi(argv[2]);
-       
+
        for (i = 3; i < argc; i++)
        {
                bool found = FALSE;
-               
+
                for (j = 0; j < countof(groups); j++)
                {
                        if (streq(groups[j].name, argv[i]))
index 5b0bd1d7db3644ecc7bd84f5bc60cd3dcea8efc6..5bc94f5b6f4b7e6f527401e5d78e40323fa9c7ec 100644 (file)
@@ -10,7 +10,7 @@ int main(int argc, char *argv[])
        identification_t *id;
        chunk_t enc;
        int i;
-       
+
        if (argc < 2)
        {
                return -1;
@@ -29,7 +29,7 @@ int main(int argc, char *argv[])
        for (i = 0; i < enc.len; i++)
        {
                printf("%02x", (unsigned int)enc.ptr[i]);
-       }       
+       }
        printf("'\n");
        return 0;
 }
index e32c2baf34b2ad64ef7a7bc940d216fdb449c461..cc3e0b18b442d252ae5555043c748575b6bac829 100644 (file)
@@ -15,7 +15,7 @@ int main(int argc, char *argv[])
        chunk_t chunk;
        char buf[8096];
        int read;
-       
+
        library_init(NULL);
        lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, PLUGINS);
        atexit(library_deinit);
@@ -26,9 +26,9 @@ int main(int argc, char *argv[])
                fprintf(stderr, "reading key failed.\n");
                return -1;
        }
-       
+
        chunk = chunk_create(buf, read);
-       
+
        private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                                 BUILD_BLOB_PEM, chunk_clone(chunk),
                                                                 BUILD_END);
@@ -52,7 +52,7 @@ int main(int argc, char *argv[])
                private->destroy(private);
                return 0;
        }
-       
+
        public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
                                                                BUILD_BLOB_PEM, chunk_clone(chunk),
                                                                BUILD_END);
@@ -82,7 +82,7 @@ int main(int argc, char *argv[])
                public->destroy(public);
                return 0;
        }
-       
+
        fprintf(stderr, "unable to parse input key.\n");
        return -1;
 }
index 2ec011950e6724d6f6d68c789267a05466adf3ec..bf952170d6e7fc4f8cfafd22294dcabf1b338205 100644 (file)
@@ -15,7 +15,7 @@ int main(int argc, char *argv[])
        chunk_t chunk;
        char buf[8096];
        int read, n;
-       
+
        library_init(NULL);
        lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, PLUGINS);
        atexit(library_deinit);
@@ -26,9 +26,9 @@ int main(int argc, char *argv[])
                fprintf(stderr, "reading key failed.\n");
                return -1;
        }
-       
+
        chunk = chunk_create(buf, read);
-       
+
        private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                                 BUILD_BLOB_PEM, chunk_clone(chunk),
                                                                 BUILD_END);
@@ -46,7 +46,7 @@ int main(int argc, char *argv[])
                private->destroy(private);
                return 0;
        }
-       
+
        public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
                                                                BUILD_BLOB_PEM, chunk_clone(chunk),
                                                                BUILD_END);
@@ -70,7 +70,7 @@ int main(int argc, char *argv[])
                public->destroy(public);
                return 0;
        }
-       
+
        fprintf(stderr, "unable to parse input key.\n");
        return -1;
 }
index 120ca858cde1f4ca13b50b776ea5a83b69397896..99075d2519e1331c1569d44d3997b07351d3a6e0 100644 (file)
@@ -13,7 +13,7 @@ void start_timing(struct timespec *start)
 double end_timing(struct timespec *start)
 {
        struct timespec end;
-       
+
        clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
        return (end.tv_nsec - start->tv_nsec) / 1000000000.0 +
                        (end.tv_sec - start->tv_sec) * 1.0;
@@ -37,14 +37,14 @@ int main(int argc, char *argv[])
        key_type_t type = KEY_ANY;
        signature_scheme_t scheme = SIGN_UNKNOWN;
        chunk_t keydata, *sigs, data = chunk_from_buf(data_buf);
-       
+
        if (argc < 4)
        {
                usage();
        }
-       
+
        rounds = atoi(argv[3]);
-       
+
        if (streq(argv[2], "rsa"))
        {
                type = KEY_RSA;
@@ -58,18 +58,18 @@ int main(int argc, char *argv[])
        {
                usage();
        }
-       
+
        library_init(STRONGSWAN_CONF);
        lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, argv[1]);
        atexit(library_deinit);
-       
+
        keydata = chunk_create(buf, 0);
        while ((read = fread(pos, 1, sizeof(buf) - (pos - buf), stdin)))
        {
                pos += read;
                keydata.len += read;
        }
-       
+
        private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
                                                                 BUILD_BLOB_PEM, keydata, BUILD_END);
        if (!private)
@@ -82,7 +82,7 @@ int main(int argc, char *argv[])
                switch (private->get_keysize(private))
                {
                        case 32:
-                               scheme = SIGN_ECDSA_256; 
+                               scheme = SIGN_ECDSA_256;
                                break;
                        case 48:
                                scheme = SIGN_ECDSA_384;
@@ -96,12 +96,12 @@ int main(int argc, char *argv[])
                                exit(1);
                }
        }
-       
+
        printf("%4d bit %N: ", private->get_keysize(private)*8,
                key_type_names, type);
-       
+
        sigs = malloc(sizeof(chunk_t) * rounds);
-       
+
        start_timing(&timing);
        for (round = 0; round < rounds; round++)
        {
@@ -112,7 +112,7 @@ int main(int argc, char *argv[])
                }
        };
        printf("sign()/s: %8.1f   ", rounds / end_timing(&timing));
-       
+
        public = private->get_public_key(private);
        if (!public)
        {
@@ -131,7 +131,7 @@ int main(int argc, char *argv[])
        printf("verify()/s: %8.1f\n", rounds / end_timing(&timing));
        public->destroy(public);
        private->destroy(private);
-       
+
        for (round = 0; round < rounds; round++)
        {
                free(sigs[round].ptr);
index 53cd043590e7ffb6d534a4a4639ae06e83ba40f2..7670ce1f808e07c17d288c7de609cf7cab58d6c3 100644 (file)
@@ -1,5 +1,5 @@
 /* Analyzes the concurrent use of charon's threads
- * 
+ *
  * Copyright (C) 2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
@@ -52,7 +52,7 @@ static int readline(FILE *fd, char *line)
                        *line = '\0';
                        return 1;
                }
-               line++;         
+               line++;
        }
        *line = '\0';
        return 0;
@@ -69,14 +69,14 @@ static void printline(state_t *state, char *timestamp)
        for (th = 1; th <= THREADS; th++)
        {
                states[state[th]]++;
-               printf("<td class=\"%s\"></td>", state_names[state[th]]);       
+               printf("<td class=\"%s\"></td>", state_names[state[th]]);
        }
        total = states[STATE_INIT] + states[STATE_AUTH] + states[STATE_BUSY] + states[STATE_RETRY];
        printf("<td class=\"init\">%d</td><td class=\"auth\">%d</td><td class=\"busy\">%d</td>",
                        states[STATE_INIT], states[STATE_AUTH], total);
        for (th = 10; th <= (THREADS + 2); th += 5)
        {
-               printf("<td class=\"%s\"></td>", (th <= total + 2)? "busy":"idle");     
+               printf("<td class=\"%s\"></td>", (th <= total + 2)? "busy":"idle");
        }
        printf("\n");
        printf("    </tr>\n");
@@ -91,13 +91,13 @@ int main(int argc, char *argv[])
        FILE *fd;
 
        state_t state[THREADS + 1];
-       
+
        /* threads 1..5 and 9 are always busy */
        for (th = 1; th <= THREADS; th++)
        {
                state[th] = (th <= 7 && th != 3)? STATE_BUSY : STATE_IDLE;
        }
-  
+
        /* open the log file */
        fd = fopen(LOGFILE, "r");
        if (!fd)
@@ -135,16 +135,16 @@ int main(int argc, char *argv[])
        printf("      <td class=\"log\">Timestamp</td>");
        for (th = 1 ; th <= THREADS; th++)
        {
-               printf("<td>%02d</td>", th);    
+               printf("<td>%02d</td>", th);
        }
        printf("<td class=\"init\">I</td><td class=\"auth\">A</td><td class=\"busy\">B</td>");
        for (th = 10; th <= (THREADS + 2); th += 5)
        {
-               printf("<td class=\"busy\">%d</td>", (th == 100)? 99:th);       
+               printf("<td class=\"busy\">%d</td>", (th == 100)? 99:th);
        }
        printf("\n");
        printf("    </tr>\n");
-       
+
        while (readline(fd, line))
        {
                char *p_section, *p_charon, *p_thread, *p_log;
@@ -170,7 +170,7 @@ int main(int argc, char *argv[])
                {
                        continue;
                }
-               
+
                /* determine thread */
                p_thread = p_charon + 8;
                th = atol(p_thread);
@@ -268,6 +268,6 @@ int main(int argc, char *argv[])
        printf("</body>\n");
        printf("</html>\n");
 
-       fclose(fd);     
+       fclose(fd);
        return 0;
 }
index 5abefd4f15ab6f028c40984732caef2c024a9f13..9f0ad978553ed452b90159a17b5d83e7f8915710 100644 (file)
@@ -2,12 +2,12 @@
  * copyright reporter
  * (just avoids having the info in more than one place in the source)
  * Copyright (C) 2001  Henry Spencer.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
index 2671f848ee88b4d5dd3e3cf7d5f3f6edcd0857fd..7075586e16e86a9c2b5c64e563423ce4ae408fff 100644 (file)
@@ -57,22 +57,22 @@ struct private_bus_t {
         * Public part of a bus_t object.
         */
        bus_t public;
-       
+
        /**
         * List of registered listeners as entry_t's
         */
        linked_list_t *listeners;
-       
+
        /**
         * mutex to synchronize active listeners, recursively
         */
        mutex_t *mutex;
-       
+
        /**
         * Thread local storage for a unique, simple thread ID
         */
        pthread_key_t thread_id;
-       
+
        /**
         * Thread local storage the threads IKE_SA
         */
@@ -90,17 +90,17 @@ struct entry_t {
         * registered listener interface
         */
        listener_t *listener;
-       
+
        /**
         * is this a active listen() call with a blocking thread
         */
        bool blocker;
-       
+
        /**
         * are we currently calling this listener
         */
        int calling;
-       
+
        /**
         * condvar where active listeners wait
         */
@@ -113,12 +113,12 @@ struct entry_t {
 static entry_t *entry_create(listener_t *listener, bool blocker)
 {
        entry_t *this = malloc_thing(entry_t);
-       
+
        this->listener = listener;
        this->blocker = blocker;
        this->calling = 0;
        this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-       
+
        return this;
 }
 
@@ -140,7 +140,7 @@ static u_int get_thread_number(private_bus_t *this)
 {
        static uintptr_t current_num = 0;
        uintptr_t stored_num;
-       
+
        stored_num = (uintptr_t)pthread_getspecific(this->thread_id);
        if (stored_num == 0)
        {       /* first call of current thread */
@@ -214,7 +214,7 @@ static void listen_(private_bus_t *this, listener_t *listener, job_t *job)
 {
        int old;
        cleanup_data_t data;
-       
+
        data.this = this;
        data.entry = entry_create(listener, TRUE);
 
@@ -302,20 +302,20 @@ static void vlog(private_bus_t *this, debug_t group, level_t level,
                                 char* format, va_list args)
 {
        log_data_t data;
-       
+
        data.ike_sa = pthread_getspecific(this->thread_sa);
        data.thread = get_thread_number(this);
        data.group = group;
        data.level = level;
        data.format = format;
        va_copy(data.args, args);
-       
+
        this->mutex->lock(this->mutex);
        /* We use the remove() method to invoke all listeners. This is cheap and
         * does not require an allocation for this performance critical function. */
        this->listeners->remove(this->listeners, &data, (void*)log_cb);
        this->mutex->unlock(this->mutex);
-       
+
        va_end(data.args);
 }
 
@@ -326,7 +326,7 @@ static void log_(private_bus_t *this, debug_t group, level_t level,
                                 char* format, ...)
 {
        va_list args;
-       
+
        va_start(args, format);
        vlog(this, group, level, format, args);
        va_end(args);
@@ -360,9 +360,9 @@ static void alert(private_bus_t *this, alert_t alert, ...)
        entry_t *entry;
        va_list args;
        bool keep;
-       
+
        ike_sa = pthread_getspecific(this->thread_sa);
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -394,7 +394,7 @@ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
        enumerator_t *enumerator;
        entry_t *entry;
        bool keep;
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -425,9 +425,9 @@ static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
        ike_sa_t *ike_sa;
        entry_t *entry;
        bool keep;
-       
+
        ike_sa = pthread_getspecific(this->thread_sa);
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -458,9 +458,9 @@ static void message(private_bus_t *this, message_t *message, bool incoming)
        ike_sa_t *ike_sa;
        entry_t *entry;
        bool keep;
-       
+
        ike_sa = pthread_getspecific(this->thread_sa);
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -492,7 +492,7 @@ static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
        enumerator_t *enumerator;
        entry_t *entry;
        bool keep;
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -524,9 +524,9 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
        ike_sa_t *ike_sa;
        entry_t *entry;
        bool keep;
-       
+
        ike_sa = pthread_getspecific(this->thread_sa);
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -557,9 +557,9 @@ static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up)
        ike_sa_t *ike_sa;
        entry_t *entry;
        bool keep;
-       
+
        ike_sa = pthread_getspecific(this->thread_sa);
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -590,9 +590,9 @@ static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new)
        ike_sa_t *ike_sa;
        entry_t *entry;
        bool keep;
-       
+
        ike_sa = pthread_getspecific(this->thread_sa);
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -621,7 +621,7 @@ static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
        enumerator_t *enumerator;
        entry_t *entry;
        bool keep;
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -640,13 +640,13 @@ static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
        }
        enumerator->destroy(enumerator);
        this->mutex->unlock(this->mutex);
-       
+
        /* a down event for IKE_SA implicitly downs all CHILD_SAs */
        if (!up)
        {
                iterator_t *iterator;
                child_sa_t *child_sa;
-               
+
                iterator = ike_sa->create_child_sa_iterator(ike_sa);
                while (iterator->iterate(iterator, (void**)&child_sa))
                {
@@ -664,7 +664,7 @@ static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
        enumerator_t *enumerator;
        entry_t *entry;
        bool keep;
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -694,9 +694,9 @@ static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
        ike_sa_t *ike_sa;
        entry_t *entry;
        bool keep, success = TRUE;
-       
+
        ike_sa = pthread_getspecific(this->thread_sa);
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->listeners->create_enumerator(this->listeners);
        while (enumerator->enumerate(enumerator, &entry))
@@ -739,7 +739,7 @@ static void destroy(private_bus_t *this)
 bus_t *bus_create()
 {
        private_bus_t *this = malloc_thing(private_bus_t);
-       
+
        this->public.add_listener = (void(*)(bus_t*,listener_t*))add_listener;
        this->public.remove_listener = (void(*)(bus_t*,listener_t*))remove_listener;
        this->public.listen = (void(*)(bus_t*, listener_t *listener, job_t *job))listen_;
@@ -758,12 +758,12 @@ bus_t *bus_create()
        this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey;
        this->public.authorize = (bool(*)(bus_t*, linked_list_t *auth, bool final))authorize;
        this->public.destroy = (void(*)(bus_t*)) destroy;
-       
+
        this->listeners = linked_list_create();
        this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
        pthread_key_create(&this->thread_id, NULL);
        pthread_key_create(&this->thread_sa, NULL);
-       
+
        return &this->public;
 }
 
index 9c90db6f912c7e2c544acad32ffec96bbd1ee801..9a4492ffc3c40895603a6c65eddffa08b3736f63 100644 (file)
@@ -142,7 +142,7 @@ enum alert_t {
  * may wait actively to events using the blocking listen() call.
  */
 struct bus_t {
-       
+
        /**
         * Register a listener to the bus.
         *
@@ -153,14 +153,14 @@ struct bus_t {
         * @param listener      listener to register.
         */
        void (*add_listener) (bus_t *this, listener_t *listener);
-       
+
        /**
         * Unregister a listener from the bus.
         *
         * @param listener      listener to unregister.
         */
        void (*remove_listener) (bus_t *this, listener_t *listener);
-       
+
        /**
         * Register a listener and block the calling thread.
         *
@@ -174,20 +174,20 @@ struct bus_t {
         * @param job           job to execute asynchronously when registered, or NULL
         */
        void (*listen)(bus_t *this, listener_t *listener, job_t *job);
-       
+
        /**
         * Set the IKE_SA the calling thread is using.
         *
         * To associate an received log message to an IKE_SA without passing it as
         * parameter each time, the thread registers the currenlty used IKE_SA
-        * during check-out. Before check-in, the thread unregisters the IKE_SA. 
+        * during check-out. Before check-in, the thread unregisters the IKE_SA.
         * This IKE_SA is stored per-thread, so each thread has its own IKE_SA
         * registered.
-        * 
+        *
         * @param ike_sa        ike_sa to register, or NULL to unregister
         */
        void (*set_sa) (bus_t *this, ike_sa_t *ike_sa);
-       
+
        /**
         * Send a log message to the bus.
         *
@@ -202,7 +202,7 @@ struct bus_t {
         * @param ...           printf() style argument list
         */
        void (*log)(bus_t *this, debug_t group, level_t level, char* format, ...);
-       
+
        /**
         * Send a log message to the bus using va_list arguments.
         *
@@ -215,7 +215,7 @@ struct bus_t {
         */
        void (*vlog)(bus_t *this, debug_t group, level_t level,
                                 char* format, va_list args);
-       
+
        /**
         * Raise an alert over the bus.
         *
@@ -223,7 +223,7 @@ struct bus_t {
         * @param ...           alert specific attributes
         */
        void (*alert)(bus_t *this, alert_t alert, ...);
-       
+
        /**
         * Send a IKE_SA state change event to the bus.
         *
@@ -247,7 +247,7 @@ struct bus_t {
         * @param incoming      TRUE for incoming messages, FALSE for outgoing
         */
        void (*message)(bus_t *this, message_t *message, bool incoming);
-       
+
        /**
         * IKE_SA authorization hook.
         *
@@ -256,7 +256,7 @@ struct bus_t {
         * @return                      TRUE to establish IKE_SA, FALSE to send AUTH_FAILED
         */
        bool (*authorize)(bus_t *this, linked_list_t *auth, bool final);
-       
+
        /**
         * IKE_SA keymat hook.
         *
@@ -278,7 +278,7 @@ struct bus_t {
         */
        void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
                                           chunk_t nonce_i, chunk_t nonce_r);
-       
+
        /**
         * IKE_SA up/down hook.
         *
@@ -286,7 +286,7 @@ struct bus_t {
         * @param up            TRUE for an up event, FALSE for a down event
         */
        void (*ike_updown)(bus_t *this, ike_sa_t *ike_sa, bool up);
-       
+
        /**
         * IKE_SA rekeying hook.
         *
@@ -294,7 +294,7 @@ struct bus_t {
         * @param new           new IKE_SA replacing old
         */
        void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
-       
+
        /**
         * CHILD_SA up/down hook.
         *
@@ -302,7 +302,7 @@ struct bus_t {
         * @param up            TRUE for an up event, FALSE for a down event
         */
        void (*child_updown)(bus_t *this, child_sa_t *child_sa, bool up);
-       
+
        /**
         * CHILD_SA rekeying hook.
         *
@@ -310,7 +310,7 @@ struct bus_t {
         * @param new           new CHILD_SA replacing old
         */
        void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new);
-       
+
        /**
         * Destroy the event bus.
         */
index c3213f5f86540ea03fdc6ffb2505baa6ab5bff7c..12587deafdff9be7d9eb3e88f8c9796ffbd05750 100644 (file)
@@ -25,17 +25,17 @@ typedef struct private_file_logger_t private_file_logger_t;
  * Private data of a file_logger_t object
  */
 struct private_file_logger_t {
-       
+
        /**
         * Public data.
         */
        file_logger_t public;
-       
+
        /**
         * output file
         */
        FILE *out;
-       
+
        /**
         * Maximum level to log, for each group
         */
@@ -52,10 +52,10 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
        {
                char buffer[8192];
                char *current = buffer, *next;
-               
+
                /* write in memory buffer first */
                vsnprintf(buffer, sizeof(buffer), format, args);
-               
+
                /* prepend a prefix in front of every line */
                while (current)
                {
@@ -109,17 +109,17 @@ static void destroy(private_file_logger_t *this)
 file_logger_t *file_logger_create(FILE *out)
 {
        private_file_logger_t *this = malloc_thing(private_file_logger_t);
-       
+
        /* public functions */
        memset(&this->public.listener, 0, sizeof(listener_t));
        this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
        this->public.set_level = (void(*)(file_logger_t*,debug_t,level_t))set_level;
        this->public.destroy = (void(*)(file_logger_t*))destroy;
-       
+
        /* private variables */
        this->out = out;
        set_level(this, DBG_ANY, LEVEL_SILENT);
-       
+
        return &this->public;
 }
 
index a69374f23b92df7e0c8d0912287f680e8b1d1990..bd443fdb83194df9851df71376cc7c1795ba6320 100644 (file)
@@ -29,12 +29,12 @@ typedef struct file_logger_t file_logger_t;
  * Logger to files which implements listener_t.
  */
 struct file_logger_t {
-       
+
        /**
         * Implements the listener_t interface.
         */
        listener_t listener;
-       
+
        /**
         * Set the loglevel for a debug group.
         *
@@ -42,7 +42,7 @@ struct file_logger_t {
         * @param level         max level to log (0..4)
         */
        void (*set_level) (file_logger_t *this, debug_t group, level_t level);
-       
+
        /**
         * Destroys a file_logger_t object.
         */
index 578f08ebe90cfb47894b2c0830b47c78ec75f962..4cd14e2d7f0d157fd593a6f328b8749a2077cf5f 100644 (file)
@@ -29,7 +29,7 @@ typedef struct listener_t listener_t;
  * Listener interface, listens to events if registered to the bus.
  */
 struct listener_t {
-       
+
        /**
         * Log a debugging message.
         *
@@ -48,7 +48,7 @@ struct listener_t {
         */
        bool (*log)(listener_t *this, debug_t group, level_t level, int thread,
                                ike_sa_t *ike_sa, char* format, va_list args);
-       
+
        /**
         * Hook called if a critical alert is risen.
         *
@@ -59,7 +59,7 @@ struct listener_t {
         */
        bool (*alert)(listener_t *this, ike_sa_t *ike_sa,
                                  alert_t alert, va_list args);
-       
+
        /**
         * Handle state changes in an IKE_SA.
         *
@@ -69,7 +69,7 @@ struct listener_t {
         */
        bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa,
                                                         ike_sa_state_t state);
-       
+
        /**
         * Handle state changes in a CHILD_SA.
         *
@@ -80,7 +80,7 @@ struct listener_t {
         */
        bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa,
                                                           child_sa_t *child_sa, child_sa_state_t state);
-       
+
        /**
         * Hook called for received/sent messages of an IKE_SA.
         *
@@ -91,7 +91,7 @@ struct listener_t {
         */
        bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
                                        bool incoming);
-       
+
        /**
         * Hook called with IKE_SA key material.
         *
@@ -104,7 +104,7 @@ struct listener_t {
         */
        bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
                                         chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
-       
+
        /**
         * Hook called with CHILD_SA key material.
         *
@@ -117,7 +117,7 @@ struct listener_t {
         */
        bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
                                           diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
-       
+
        /**
         * Hook called if an IKE_SA gets up or down.
         *
@@ -126,7 +126,7 @@ struct listener_t {
         * @return                      TRUE to stay registered, FALSE to unregister
         */
        bool (*ike_updown)(listener_t *this, ike_sa_t *ike_sa, bool up);
-       
+
        /**
         * Hook called when an IKE_SA gets rekeyed.
         *
@@ -135,7 +135,7 @@ struct listener_t {
         * @return                      TRUE to stay registered, FALSE to unregister
         */
        bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
-       
+
        /**
         * Hook called when a CHILD_SA gets up or down.
         *
@@ -146,7 +146,7 @@ struct listener_t {
         */
        bool (*child_updown)(listener_t *this, ike_sa_t *ike_sa,
                                                 child_sa_t *child_sa, bool up);
-       
+
        /**
         * Hook called when an CHILD_SA gets rekeyed.
         *
@@ -157,7 +157,7 @@ struct listener_t {
         */
        bool (*child_rekey)(listener_t *this, ike_sa_t *ike_sa,
                                                child_sa_t *old, child_sa_t *new);
-       
+
        /**
         * Hook called to invoke additional authorization rules.
         *
index 0b579ce9246647526dc24d84154ff812b076270b..11421ad05ad6bb122eaad87ca5be270b59e56576 100644 (file)
@@ -25,17 +25,17 @@ typedef struct private_sys_logger_t private_sys_logger_t;
  * Private data of a sys_logger_t object
  */
 struct private_sys_logger_t {
-       
+
        /**
         * Public data.
         */
        sys_logger_t public;
-       
+
        /**
         * syslog facility to use
         */
        int facility;
-       
+
        /**
         * Maximum level to log, for each group
         */
@@ -52,10 +52,10 @@ static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
        {
                char buffer[8192];
                char *current = buffer, *next;
-               
+
                /* write in memory buffer first */
                vsnprintf(buffer, sizeof(buffer), format, args);
-               
+
                /* do a syslog with every line */
                while (current)
                {
@@ -106,16 +106,16 @@ static void destroy(private_sys_logger_t *this)
 sys_logger_t *sys_logger_create(int facility)
 {
        private_sys_logger_t *this = malloc_thing(private_sys_logger_t);
-       
+
        /* public functions */
        memset(&this->public.listener, 0, sizeof(listener_t));
        this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
        this->public.set_level = (void(*)(sys_logger_t*,debug_t,level_t))set_level;
        this->public.destroy = (void(*)(sys_logger_t*))destroy;
-       
+
        /* private variables */
        this->facility = facility;
        set_level(this, DBG_ANY, LEVEL_SILENT);
-       
+
        return &this->public;
 }
index 3ed0f02fab575d58ef984142672663018f00ec01..730890d689c22299d4fa0f538f2c3904a758d7e5 100644 (file)
@@ -31,12 +31,12 @@ typedef struct sys_logger_t sys_logger_t;
  * Logger for syslog which implements listener_t.
  */
 struct sys_logger_t {
-       
+
        /**
         * Implements the listener_t interface.
         */
        listener_t listener;
-       
+
        /**
         * Set the loglevel for a debug group.
         *
@@ -44,7 +44,7 @@ struct sys_logger_t {
         * @param level         max level to log (0..4)
         */
        void (*set_level) (sys_logger_t *this, debug_t group, level_t level);
-       
+
        /**
         * Destroys a sys_logger_t object.
         */
index de1c4414d8f66616e5d069262270456c86adb681..d752d512e636192b1244b02754c42d55d2435b3a 100644 (file)
@@ -30,7 +30,7 @@ typedef struct attribute_handler_t attribute_handler_t;
  * Interface to handle configuration payload attributes.
  */
 struct attribute_handler_t {
-       
+
        /**
         * Handle a configuration attribute.
         *
@@ -43,7 +43,7 @@ struct attribute_handler_t {
         */
        bool (*handle)(attribute_handler_t *this, ike_sa_t *ike_sa,
                                   configuration_attribute_type_t type, chunk_t data);
-       
+
        /**
         * Release an attribute handled during handle().
         *
index bf45fdb42b9a59ddaf7f52198d139396b1e53d46..86d7d0759bf553e655d9c9edf07cad942cb37ae6 100644 (file)
@@ -30,17 +30,17 @@ struct private_attribute_manager_t {
         * public functions
         */
        attribute_manager_t public;
-       
+
        /**
         * list of registered providers
         */
        linked_list_t *providers;
-       
+
        /**
         * list of registered handlers
         */
        linked_list_t *handlers;
-       
+
        /**
         * rwlock provider list
         */
@@ -57,7 +57,7 @@ static host_t* acquire_address(private_attribute_manager_t *this,
        enumerator_t *enumerator;
        attribute_provider_t *current;
        host_t *host = NULL;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->providers->create_enumerator(this->providers);
        while (enumerator->enumerate(enumerator, &current))
@@ -70,7 +70,7 @@ static host_t* acquire_address(private_attribute_manager_t *this,
        }
        enumerator->destroy(enumerator);
        this->lock->unlock(this->lock);
-       
+
        if (!host)
        {
                DBG1(DBG_CFG, "acquiring address from pool '%s' failed", pool);
@@ -87,7 +87,7 @@ static void release_address(private_attribute_manager_t *this,
        enumerator_t *enumerator;
        attribute_provider_t *current;
        bool found = FALSE;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->providers->create_enumerator(this->providers);
        while (enumerator->enumerate(enumerator, &current))
@@ -100,7 +100,7 @@ static void release_address(private_attribute_manager_t *this,
        }
        enumerator->destroy(enumerator);
        this->lock->unlock(this->lock);
-       
+
        if (!found)
        {
                DBG1(DBG_CFG, "releasing address to pool '%s' failed", pool);
@@ -161,7 +161,7 @@ static attribute_handler_t* handle(private_attribute_manager_t *this,
 {
        enumerator_t *enumerator;
        attribute_handler_t *current, *handled = NULL;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->handlers->create_enumerator(this->handlers);
        while (enumerator->enumerate(enumerator, &current))
@@ -174,7 +174,7 @@ static attribute_handler_t* handle(private_attribute_manager_t *this,
        }
        enumerator->destroy(enumerator);
        this->lock->unlock(this->lock);
-       
+
        if (!handled)
        {
                DBG1(DBG_CFG, "handling %N attribute failed",
@@ -192,7 +192,7 @@ static void release(private_attribute_manager_t *this,
 {
        enumerator_t *enumerator;
        attribute_handler_t *current;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->handlers->create_enumerator(this->handlers);
        while (enumerator->enumerate(enumerator, &current))
@@ -246,7 +246,7 @@ static void destroy(private_attribute_manager_t *this)
 attribute_manager_t *attribute_manager_create()
 {
        private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t);
-       
+
        this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address;
        this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address;
        this->public.create_attribute_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t *id))create_attribute_enumerator;
@@ -257,11 +257,11 @@ attribute_manager_t *attribute_manager_create()
        this->public.add_handler = (void(*)(attribute_manager_t*, attribute_handler_t *handler))add_handler;
        this->public.remove_handler = (void(*)(attribute_manager_t*, attribute_handler_t *handler))remove_handler;
        this->public.destroy = (void(*)(attribute_manager_t*))destroy;
-       
+
        this->providers = linked_list_create();
        this->handlers = linked_list_create();
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-       
+
        return &this->public;
 }
 
index ceea06581c4afe3357dd296285033bcc00351728..68eb8b1bf66a28796dcde8fd99c783a88adb4085 100644 (file)
@@ -35,7 +35,7 @@ typedef struct attribute_manager_t attribute_manager_t;
  * are received on the requesting peer.
  */
 struct attribute_manager_t {
-       
+
        /**
         * Acquire a virtual IP address to assign to a peer.
         *
@@ -47,7 +47,7 @@ struct attribute_manager_t {
        host_t* (*acquire_address)(attribute_manager_t *this,
                                                           char *pool, identification_t *id,
                                                           host_t *requested);
-       
+
        /**
         * Release a previously acquired address.
         *
@@ -57,7 +57,7 @@ struct attribute_manager_t {
         */
        void (*release_address)(attribute_manager_t *this,
                                                        char *pool, host_t *address, identification_t *id);
-       
+
        /**
         * Create an enumerator over attributes to hand out to a peer.
         *
@@ -66,7 +66,7 @@ struct attribute_manager_t {
         */
        enumerator_t* (*create_attribute_enumerator)(attribute_manager_t *this,
                                                                                                 identification_t *id);
-       
+
        /**
         * Register an attribute provider to the manager.
         *
@@ -81,7 +81,7 @@ struct attribute_manager_t {
         */
        void (*remove_provider)(attribute_manager_t *this,
                                                        attribute_provider_t *provider);
-       
+
        /**
         * Handle a configuration attribute by passing them to the handlers.
         *
@@ -92,7 +92,7 @@ struct attribute_manager_t {
         */
        attribute_handler_t* (*handle)(attribute_manager_t *this, ike_sa_t *ike_sa,
                                                        configuration_attribute_type_t type, chunk_t data);
-       
+
        /**
         * Release an attribute previously handle()d by a handler.
         *
@@ -104,7 +104,7 @@ struct attribute_manager_t {
        void (*release)(attribute_manager_t *this, attribute_handler_t *handler,
                                                ike_sa_t *ike_sa, configuration_attribute_type_t type,
                                                chunk_t data);
-       
+
        /**
         * Register an attribute handler to the manager.
         *
@@ -112,7 +112,7 @@ struct attribute_manager_t {
         */
        void (*add_handler)(attribute_manager_t *this,
                                                attribute_handler_t *handler);
-       
+
        /**
         * Unregister an attribute handler from the manager.
         *
@@ -120,7 +120,7 @@ struct attribute_manager_t {
         */
        void (*remove_handler)(attribute_manager_t *this,
                                                   attribute_handler_t *handler);
-       
+
        /**
         * Destroy a attribute_manager instance.
         */
index 0f1057af412d7534342dcff304d4190b56741568..b8825723d8022bc9500f7bc5fefac2d3403861bb 100644 (file)
@@ -41,7 +41,7 @@ struct attribute_provider_t {
         * @return                              allocated address, NULL to serve none
         */
        host_t* (*acquire_address)(attribute_provider_t *this,
-                                                          char *pool, identification_t *id, 
+                                                          char *pool, identification_t *id,
                                                           host_t *requested);
        /**
         * Release a previously acquired address.
@@ -53,7 +53,7 @@ struct attribute_provider_t {
         */
        bool (*release_address)(attribute_provider_t *this,
                                                        char *pool, host_t *address, identification_t *id);
-       
+
        /**
         * Create an enumerator over attributes to hand out to a peer.
         *
index e4501bc93fc2039c09062a0be83fb610efbc0cb3..94362c756099f9149ed8f01291dc66d40d6e1f02 100644 (file)
@@ -45,12 +45,12 @@ typedef struct private_auth_cfg_t private_auth_cfg_t;
  * private data of item_set
  */
 struct private_auth_cfg_t {
-       
+
        /**
         * public functions
         */
        auth_cfg_t public;
-       
+
        /**
         * list of entry_t
         */
@@ -84,7 +84,7 @@ typedef struct {
 static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value)
 {
        entry_t *entry;
-       
+
        if (this->inner->enumerate(this->inner, &entry))
        {
                this->current = entry;
@@ -110,7 +110,7 @@ static void entry_enumerator_destroy(entry_enumerator_t *this)
 static enumerator_t* create_enumerator(private_auth_cfg_t *this)
 {
        entry_enumerator_t *enumerator;
-       
+
        enumerator = malloc_thing(entry_enumerator_t);
        enumerator->inner = this->entries->create_enumerator(this->entries);
        enumerator->public.enumerate = (void*)enumerate;
@@ -168,9 +168,9 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
        if (enumerator->current)
        {
                va_list args;
-               
+
                va_start(args, type);
-               
+
                destroy_entry_value(enumerator->current);
                enumerator->current->type = type;
                switch (type)
@@ -210,7 +210,7 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
        void *current_value, *best_value = NULL;
        auth_rule_t current_type;
        bool found = FALSE;
-       
+
        enumerator = create_enumerator(this);
        while (enumerator->enumerate(enumerator, &current_type, &current_value))
        {
@@ -270,7 +270,7 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 {
        entry_t *entry = malloc_thing(entry_t);
        va_list args;
-       
+
        va_start(args, type);
        entry->type = type;
        switch (type)
@@ -311,7 +311,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
        bool success = TRUE;
        auth_rule_t t1, t2;
        void *value;
-       
+
        e1 = constraints->create_enumerator(constraints);
        while (e1->enumerate(e1, &t1, &value))
        {
@@ -321,9 +321,9 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                        case AUTH_RULE_IM_CERT:
                        {
                                certificate_t *c1, *c2;
-                               
+
                                c1 = (certificate_t*)value;
-                               
+
                                success = FALSE;
                                e2 = create_enumerator(this);
                                while (e2->enumerate(e2, &t2, &c2))
@@ -345,7 +345,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                        case AUTH_RULE_SUBJECT_CERT:
                        {
                                certificate_t *c1, *c2;
-                               
+
                                c1 = (certificate_t*)value;
                                c2 = get(this, AUTH_RULE_SUBJECT_CERT);
                                if (!c2 || !c1->equals(c1, c2))
@@ -364,7 +364,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                        case AUTH_RULE_OCSP_VALIDATION:
                        {
                                cert_validation_t validated, required;
-                               
+
                                required = (uintptr_t)value;
                                validated = (uintptr_t)get(this, t1);
                                switch (required)
@@ -401,7 +401,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                        case AUTH_RULE_EAP_IDENTITY:
                        {
                                identification_t *id1, *id2;
-                               
+
                                id1 = (identification_t*)value;
                                id2 = get(this, t1);
                                if (!id2 || !id2->matches(id2, id1))
@@ -499,7 +499,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
                enumerator_t *enumerator;
                auth_rule_t type;
                void *value;
-               
+
                enumerator = create_enumerator(other);
                while (enumerator->enumerate(enumerator, &type, &value))
                {
@@ -512,7 +512,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
                                case AUTH_HELPER_SUBJECT_CERT:
                                {
                                        certificate_t *cert = (certificate_t*)value;
-                                       
+
                                        add(this, type, cert->get_ref(cert));
                                        break;
                                }
@@ -530,7 +530,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
                                case AUTH_RULE_AC_GROUP:
                                {
                                        identification_t *id = (identification_t*)value;
-                                       
+
                                        add(this, type, id->clone(id));
                                        break;
                                }
@@ -547,7 +547,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
        else
        {
                entry_t *entry;
-               
+
                while (other->entries->remove_first(other->entries,
                                                                                        (void**)&entry) == SUCCESS)
                {
@@ -564,7 +564,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
        enumerator_t *e1, *e2;
        entry_t *i1, *i2;
        bool equal = TRUE, found;
-       
+
        if (this->entries->get_count(this->entries) !=
                other->entries->get_count(other->entries))
        {
@@ -601,10 +601,10 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
                                        case AUTH_HELPER_SUBJECT_CERT:
                                        {
                                                certificate_t *c1, *c2;
-                                               
+
                                                c1 = (certificate_t*)i1->value;
                                                c2 = (certificate_t*)i2->value;
-                                               
+
                                                if (c1->equals(c1, c2))
                                                {
                                                        found = TRUE;
@@ -617,10 +617,10 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
                                        case AUTH_RULE_AC_GROUP:
                                        {
                                                identification_t *id1, *id2;
-                                               
+
                                                id1 = (identification_t*)i1->value;
                                                id2 = (identification_t*)i2->value;
-                                               
+
                                                if (id1->equals(id1, id2))
                                                {
                                                        found = TRUE;
@@ -660,7 +660,7 @@ static void purge(private_auth_cfg_t *this, bool keep_ca)
 {
        entry_t *entry;
        linked_list_t *cas;
-       
+
        cas = linked_list_create();
        while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
        {
@@ -689,7 +689,7 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
        enumerator_t *enumerator;
        auth_cfg_t *clone;
        entry_t *entry;
-       
+
        clone = auth_cfg_create();
        enumerator = this->entries->create_enumerator(this->entries);
        while (enumerator->enumerate(enumerator, &entry))
@@ -749,7 +749,7 @@ static void destroy(private_auth_cfg_t *this)
 auth_cfg_t *auth_cfg_create()
 {
        private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t);
-       
+
        this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add;
        this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get;
        this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator;
@@ -760,9 +760,9 @@ auth_cfg_t *auth_cfg_create()
        this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals;
        this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_;
        this->public.destroy = (void(*)(auth_cfg_t*))destroy;
-       
+
        this->entries = linked_list_create();
-       
+
        return &this->public;
 }
 
index c6bc1959ba3b95c80c9169a86f3a2d18a2f8b2e5..5e6215a4ab66e17b06f1e168719909a5c78149de 100644 (file)
@@ -41,7 +41,7 @@ typedef enum auth_rule_t auth_rule_t;
  * to transport credentials during the authentication process.
  */
 enum auth_rule_t {
-       
+
        /** identity to use for IKEv2 authentication exchange, identification_t* */
        AUTH_RULE_IDENTITY,
        /** authentication class, auth_class_t */
@@ -64,7 +64,7 @@ enum auth_rule_t {
        AUTH_RULE_OCSP_VALIDATION,
        /** subject is in attribute certificate group, identification_t* */
        AUTH_RULE_AC_GROUP,
-       
+
        /** intermediate certificate, certificate_t* */
        AUTH_HELPER_IM_CERT,
        /** subject certificate, certificate_t* */
@@ -86,7 +86,7 @@ extern enum_name_t *auth_rule_names;
  * RFC4739 defines multiple authentication rounds. This class defines such
  * a round from a configuration perspective, either for the local or the remote
  * peer. Local config are called "rulesets", as they define how we authenticate.
- * Remote peer configs are called "constraits", they define what is needed to 
+ * Remote peer configs are called "constraits", they define what is needed to
  * complete the authentication round successfully.
  *
  * @verbatim
@@ -122,7 +122,7 @@ struct auth_cfg_t {
         * @param ...           associated value to rule
         */
        void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
-       
+
        /**
         * Get an rule value.
         *
@@ -130,14 +130,14 @@ struct auth_cfg_t {
         * @return                      bool if item has been found
         */
        void* (*get)(auth_cfg_t *this, auth_rule_t rule);
-       
+
        /**
         * Create an enumerator over added rules.
         *
         * @return                      enumerator over (auth_rule_t, union{void*,uintpr_t})
         */
        enumerator_t* (*create_enumerator)(auth_cfg_t *this);
-       
+
        /**
         * Replace an rule at enumerator position.
         *
@@ -147,7 +147,7 @@ struct auth_cfg_t {
         */
        void (*replace)(auth_cfg_t *this, enumerator_t *pos,
                                        auth_rule_t rule, ...);
-       
+
        /**
         * Check if a used config fulfills a set of configured constraints.
         *
@@ -156,7 +156,7 @@ struct auth_cfg_t {
         * @return                              TRUE if this complies with constraints
         */
        bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
-       
+
        /**
         * Merge items from other into this.
         *
@@ -164,14 +164,14 @@ struct auth_cfg_t {
         * @param copy          TRUE to copy items, FALSE to move them
         */
        void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
-       
+
        /**
         * Purge all rules in a config.
         *
         * @param keep_ca       wheter to keep AUTH_RULE_CA_CERT entries
         */
        void (*purge)(auth_cfg_t *this, bool keep_ca);
-       
+
        /**
         * Check two configs for equality.
         *
@@ -179,14 +179,14 @@ struct auth_cfg_t {
         * @return                      TRUE if auth infos identical
         */
        bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
-       
+
        /**
         * Clone a authentication config, including all rules.
         *
         * @return                      cloned configuration
         */
        auth_cfg_t* (*clone)(auth_cfg_t *this);
-       
+
        /**
         * Destroy a config with all associated rules/values.
         */
index cfd611858ec5b5387eaf617a6619d2fb6f39dfbc..f6cbff4bee89565c42644a34f983472484ab6e68 100644 (file)
@@ -34,12 +34,12 @@ struct private_backend_manager_t {
         * Public part of backend_manager_t object.
         */
        backend_manager_t public;
-       
+
        /**
         * list of registered backends
         */
        linked_list_t *backends;
-       
+
        /**
         * rwlock for backends
         */
@@ -80,7 +80,7 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 {
        host_t *me_cand, *other_cand;
        ike_cfg_match_t match = MATCH_NONE;
-       
+
        if (me)
        {
                me_cand = host_create_from_dns(cand->get_my_addr(cand),
@@ -103,7 +103,7 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
        {
                match += MATCH_ANY;
        }
-       
+
        if (other)
        {
                other_cand = host_create_from_dns(cand->get_other_addr(cand),
@@ -132,21 +132,21 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 /**
  * implements backend_manager_t.get_ike_cfg.
  */
-static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, 
+static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
                                                          host_t *me, host_t *other)
 {
        ike_cfg_t *current, *found = NULL;
        enumerator_t *enumerator;
        ike_cfg_match_t match, best = MATCH_ANY;
        ike_data_t *data;
-       
+
        data = malloc_thing(ike_data_t);
        data->this = this;
        data->me = me;
        data->other = other;
-       
+
        DBG2(DBG_CFG, "looking for an ike config for %H...%H", me, other);
-       
+
        this->lock->read_lock(this->lock);
        enumerator = enumerator_create_nested(
                                                this->backends->create_enumerator(this->backends),
@@ -154,11 +154,11 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
        while (enumerator->enumerate(enumerator, (void**)&current))
        {
                match = get_ike_match(current, me, other);
-               
+
                if (match)
                {
-                       DBG2(DBG_CFG, "  candidate: %s...%s, prio %d", 
-                                current->get_my_addr(current), 
+                       DBG2(DBG_CFG, "  candidate: %s...%s, prio %d",
+                                current->get_my_addr(current),
                                 current->get_other_addr(current), match);
                        if (match > best)
                        {
@@ -173,7 +173,7 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
        this->lock->unlock(this->lock);
        if (found)
        {
-               DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d", 
+               DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d",
                         found->get_my_addr(found), found->get_other_addr(found), best);
        }
        return found;
@@ -189,12 +189,12 @@ static id_match_t get_peer_match(identification_t *id,
        auth_cfg_t *auth;
        identification_t *candidate;
        id_match_t match = ID_MATCH_NONE;
-       
+
        if (!id)
        {
                return ID_MATCH_ANY;
        }
-       
+
        /* compare first auth config only */
        enumerator = cfg->create_auth_cfg_enumerator(cfg, local);
        if (enumerator->enumerate(enumerator, &auth))
@@ -269,7 +269,7 @@ static bool peer_enum_filter(linked_list_t *configs,
 static void peer_enum_filter_destroy(linked_list_t *configs)
 {
        match_entry_t *entry;
-       
+
        while (configs->remove_last(configs, (void**)&entry) == SUCCESS)
        {
                entry->cfg->destroy(entry->cfg);
@@ -285,7 +285,7 @@ static void insert_sorted(match_entry_t *entry, linked_list_t *list,
                                                  linked_list_t *helper)
 {
        match_entry_t *current;
-       
+
        while (list->remove_first(list, (void**)&current) == SUCCESS)
        {
                helper->insert_last(helper, current);
@@ -311,7 +311,7 @@ static void insert_sorted(match_entry_t *entry, linked_list_t *list,
 
 /**
  * Implements backend_manager_t.create_peer_cfg_enumerator.
- */                    
+ */
 static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
                                                        host_t *me, host_t *other, identification_t *my_id,
                                                        identification_t *other_id)
@@ -320,26 +320,26 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
        peer_data_t *data;
        peer_cfg_t *cfg;
        linked_list_t *configs, *helper;
-       
+
        data = malloc_thing(peer_data_t);
        data->lock = this->lock;
        data->me = my_id;
        data->other = other_id;
-       
+
        /* create a sorted list with all matches */
        this->lock->read_lock(this->lock);
        enumerator = enumerator_create_nested(
                                        this->backends->create_enumerator(this->backends),
                                        (void*)peer_enum_create, data, (void*)peer_enum_destroy);
-       
+
        if (!me && !other && !my_id && !other_id)
        {       /* shortcut if we are doing a "listall" */
                return enumerator;
        }
-       
+
        DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
                 me, my_id, other, other_id);
-       
+
        configs = linked_list_create();
        /* only once allocated helper list for sorting */
        helper = linked_list_create();
@@ -348,16 +348,16 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
                id_match_t match_peer_me, match_peer_other;
                ike_cfg_match_t match_ike;
                match_entry_t *entry;
-               
+
                match_peer_me = get_peer_match(my_id, cfg, TRUE);
                match_peer_other = get_peer_match(other_id, cfg, FALSE);
                match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other);
-               
+
                if (match_peer_me && match_peer_other && match_ike)
                {
                        DBG2(DBG_CFG, "  candidate \"%s\", match: %d/%d/%d (me/other/ike)",
                                 cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
-                       
+
                        entry = malloc_thing(match_entry_t);
                        entry->match_peer = match_peer_me + match_peer_other;
                        entry->match_ike = match_ike;
@@ -367,7 +367,7 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
        }
        enumerator->destroy(enumerator);
        helper->destroy(helper);
-       
+
        return enumerator_create_filter(configs->create_enumerator(configs),
                                                                        (void*)peer_enum_filter, configs,
                                                                        (void*)peer_enum_filter_destroy);
@@ -375,13 +375,13 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
 
 /**
  * implements backend_manager_t.get_peer_cfg_by_name.
- */                    
+ */
 static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *name)
 {
        backend_t *backend;
        peer_cfg_t *config = NULL;
        enumerator_t *enumerator;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->backends->create_enumerator(this->backends);
        while (config == NULL && enumerator->enumerate(enumerator, (void**)&backend))
@@ -429,17 +429,17 @@ static void destroy(private_backend_manager_t *this)
 backend_manager_t *backend_manager_create()
 {
        private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
-       
+
        this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
        this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name;
        this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator;
        this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend;
        this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend;
        this->public.destroy = (void (*)(backend_manager_t*))destroy;
-       
+
        this->backends = linked_list_create();
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-       
+
        return &this->public;
 }
 
index 0b7d7d0f86798612e8521ef0a895504930afe54d..5b394f79140ecd5175588f79ef826e5069604451 100644 (file)
@@ -46,11 +46,11 @@ typedef struct backend_manager_t backend_manager_t;
    |         |----->|           |     +--------------+         |
    |         |      |           |                              |
    +---------+      +-----------+                              |
-   
+
    @endverbatim
  */
 struct backend_manager_t {
-       
+
        /**
         * Get an ike_config identified by two hosts.
         *
@@ -58,9 +58,9 @@ struct backend_manager_t {
         * @param other_host            address of remote host
         * @return                                      matching ike_config, or NULL if none found
         */
-       ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this, 
+       ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this,
                                                          host_t *my_host, host_t *other_host);
-       
+
        /**
         * Get a peer_config identified by it's name.
         *
@@ -68,7 +68,7 @@ struct backend_manager_t {
         * @return                                      matching peer_config, or NULL if none found
         */
        peer_cfg_t* (*get_peer_cfg_by_name)(backend_manager_t *this, char *name);
-       
+
        /**
         * Create an enumerator over all matching peer configs.
         *
@@ -90,14 +90,14 @@ struct backend_manager_t {
         * @param backend                       backend to register
         */
        void (*add_backend)(backend_manager_t *this, backend_t *backend);
-       
+
        /**
         * Unregister a backend.
         *
         * @param backend                       backend to unregister
         */
        void (*remove_backend)(backend_manager_t *this, backend_t *backend);
-       
+
        /**
         * Destroys a backend_manager_t object.
         */
index 05c47f747b03b232c462899e8f871b754a85dd7a..036a25007336a1b0373459fad2e8992820b2ed76 100644 (file)
@@ -25,7 +25,7 @@ ENUM(action_names, ACTION_NONE, ACTION_RESTART,
        "restart",
 );
 
-ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE, 
+ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE,
        "IPCOMP_NONE");
 ENUM_NEXT(ipcomp_transform_names, IPCOMP_OUI, IPCOMP_LZJH, IPCOMP_NONE,
        "IPCOMP_OUI",
@@ -45,62 +45,62 @@ struct private_child_cfg_t {
         * Public part
         */
        child_cfg_t public;
-       
+
        /**
         * Number of references hold by others to this child_cfg
         */
        refcount_t refcount;
-       
+
        /**
         * Name of the child_cfg, used to query it
         */
        char *name;
-       
+
        /**
         * list for all proposals
         */
        linked_list_t *proposals;
-       
+
        /**
         * list for traffic selectors for my site
         */
        linked_list_t *my_ts;
-       
+
        /**
         * list for traffic selectors for others site
         */
        linked_list_t *other_ts;
-       
+
        /**
         * updown script
         */
        char *updown;
-       
+
        /**
         * allow host access
         */
        bool hostaccess;
-       
+
        /**
         * Mode to propose for a initiated CHILD: tunnel/transport
         */
        ipsec_mode_t mode;
-       
+
        /**
         * action to take on DPD
         */
        action_t dpd_action;
-       
+
        /**
         * action to take on CHILD_SA close
         */
        action_t close_action;
-       
+
        /**
         * CHILD_SA lifetime config
         */
        lifetime_cfg_t lifetime;
-       
+
        /**
         * enable IPComp
         */
@@ -141,7 +141,7 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
        enumerator_t *enumerator;
        proposal_t *current;
        linked_list_t *proposals = linked_list_create();
-       
+
        enumerator = this->proposals->create_enumerator(this->proposals);
        while (enumerator->enumerate(enumerator, &current))
        {
@@ -153,7 +153,7 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
                proposals->insert_last(proposals, current);
        }
        enumerator->destroy(enumerator);
-       
+
        return proposals;
 }
 
@@ -165,10 +165,10 @@ static proposal_t* select_proposal(private_child_cfg_t*this,
 {
        enumerator_t *stored_enum, *supplied_enum;
        proposal_t *stored, *supplied, *selected = NULL;
-       
+
        stored_enum = this->proposals->create_enumerator(this->proposals);
        supplied_enum = proposals->create_enumerator(proposals);
-       
+
        /* compare all stored proposals with all supplied. Stored ones are preferred. */
        while (stored_enum->enumerate(stored_enum, &stored))
        {
@@ -194,7 +194,7 @@ static proposal_t* select_proposal(private_child_cfg_t*this,
                        break;
                }
                supplied_enum->destroy(supplied_enum);
-               supplied_enum = proposals->create_enumerator(proposals);        
+               supplied_enum = proposals->create_enumerator(proposals);
        }
        stored_enum->destroy(stored_enum);
        supplied_enum->destroy(supplied_enum);
@@ -232,7 +232,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
        enumerator_t *e1, *e2;
        traffic_selector_t *ts1, *ts2, *selected;
        linked_list_t *result = linked_list_create();
-       
+
        if (local)
        {
                e1 = this->my_ts->create_enumerator(this->my_ts);
@@ -241,11 +241,11 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
        {
                e1 = this->other_ts->create_enumerator(this->other_ts);
        }
-       
+
        /* no list supplied, just fetch the stored traffic selectors */
        if (supplied == NULL)
        {
-               DBG2(DBG_CFG, "proposing traffic selectors for %s:", 
+               DBG2(DBG_CFG, "proposing traffic selectors for %s:",
                         local ? "us" : "other");
                while (e1->enumerate(e1, &ts1))
                {
@@ -262,7 +262,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
        }
        else
        {
-               DBG2(DBG_CFG, "selecting traffic selectors for %s:", 
+               DBG2(DBG_CFG, "selecting traffic selectors for %s:",
                         local ? "us" : "other");
                e2 = supplied->create_enumerator(supplied);
                /* iterate over all stored selectors */
@@ -274,7 +274,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
                        {
                                ts1->set_address(ts1, host);
                        }
-                       
+
                        /* iterate over all supplied traffic selectors */
                        while (e2->enumerate(e2, &ts2))
                        {
@@ -298,7 +298,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
                e1->destroy(e1);
                e2->destroy(e2);
        }
-       
+
        /* remove any redundant traffic selectors in the list */
        e1 = result->create_enumerator(result);
        e2 = result->create_enumerator(result);
@@ -329,7 +329,7 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
        }
        e1->destroy(e1);
        e2->destroy(e2);
-       
+
        return result;
 }
 
@@ -410,7 +410,7 @@ static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this)
        enumerator_t *enumerator;
        proposal_t *proposal;
        u_int16_t dh_group = MODP_NONE;
-       
+
        enumerator = this->proposals->create_enumerator(this->proposals);
        while (enumerator->enumerate(enumerator, &proposal))
        {
@@ -514,16 +514,16 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
        this->public.install_policy = (bool (*) (child_cfg_t *))install_policy;
        this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref;
        this->public.destroy = (void (*) (child_cfg_t*))destroy;
-       
+
        this->name = strdup(name);
        this->updown = updown ? strdup(updown) : NULL;
        this->hostaccess = hostaccess;
        this->mode = mode;
        this->dpd_action = dpd_action;
        this->close_action = close_action;
-       this->use_ipcomp = ipcomp; 
+       this->use_ipcomp = ipcomp;
        this->proxy_mode = FALSE;
-       this->install_policy = TRUE; 
+       this->install_policy = TRUE;
        this->refcount = 1;
        this->proposals = linked_list_create();
        this->my_ts = linked_list_create();
index 492514eae82e760d63df76230e344c75f548eb60..becee8107d0a143da2df51ea6191f9988c30f85a 100644 (file)
@@ -88,68 +88,68 @@ struct lifetime_cfg_t {
  * After creation, proposals and traffic selectors may be added to the config.
  * A child_cfg object is referenced multiple times, and is not thread save.
  * Reading from the object is save, adding things is not allowed while other
- * threads may access the object. 
+ * threads may access the object.
  * A reference counter handles the number of references hold to this config.
  *
  * @see peer_cfg_t to get an overview over the configurations.
  */
 struct child_cfg_t {
-       
+
        /**
         * Get the name of the child_cfg.
-        * 
+        *
         * @return                              child_cfg's name
         */
        char *(*get_name) (child_cfg_t *this);
-       
+
        /**
-        * Add a proposal to the list. 
-        * 
+        * Add a proposal to the list.
+        *
         * The proposals are stored by priority, first added
         * is the most prefered.
         * After add, proposal is owned by child_cfg.
-        * 
+        *
         * @param proposal              proposal to add
         */
        void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
-       
+
        /**
         * Get the list of proposals for the CHILD_SA.
         *
         * Resulting list and all of its proposals must be freed after use.
-        * 
+        *
         * @param strip_dh              TRUE strip out diffie hellman groups
         * @return                              list of proposals
         */
        linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
-       
+
        /**
         * Select a proposal from a supplied list.
         *
         * Returned propsal is newly created and must be destroyed after usage.
-        * 
+        *
         * @param proposals             list from from wich proposals are selected
         * @param strip_dh              TRUE strip out diffie hellman groups
         * @return                              selected proposal, or NULL if nothing matches
         */
        proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
                                                                   bool strip_dh);
-       
+
        /**
         * Add a traffic selector to the config.
-        * 
+        *
         * Use the "local" parameter to add it for the local or the remote side.
         * After add, traffic selector is owned by child_cfg.
-        * 
+        *
         * @param local                 TRUE for local side, FALSE for remote
         * @param ts                    traffic_selector to add
         */
        void (*add_traffic_selector)(child_cfg_t *this, bool local,
                                                                 traffic_selector_t *ts);
-       
+
        /**
         * Get a list of traffic selectors to use for the CHILD_SA.
-        * 
+        *
         * The config contains two set of traffic selectors, one for the local
         * side, one for the remote side.
         * If a list with traffic selectors is supplied, these are used to narrow
@@ -158,7 +158,7 @@ struct child_cfg_t {
         * to a specific address (host-to-host or virtual-IP setups). Use
         * the "host" parameter to narrow such traffic selectors to that address.
         * Resulted list and its traffic selectors must be destroyed after use.
-        * 
+        *
         * @param local                 TRUE for TS on local side, FALSE for remote
         * @param supplied              list with TS to select from, or NULL
         * @param host                  address to use for narrowing "dynamic" TS', or NULL
@@ -169,14 +169,14 @@ struct child_cfg_t {
                                                                                        host_t *host);
        /**
         * Get the updown script to run for the CHILD_SA.
-        * 
+        *
         * @return                              path to updown script
         */
        char* (*get_updown)(child_cfg_t *this);
-       
+
        /**
         * Should we allow access to the local host (gateway)?
-        * 
+        *
         * @return                              value of hostaccess flag
         */
        bool (*get_hostaccess) (child_cfg_t *this);
@@ -190,41 +190,41 @@ struct child_cfg_t {
         * @return                              lifetime_cfg_t (has to be freed)
         */
        lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
-       
+
        /**
         * Get the mode to use for the CHILD_SA.
         *
         * The mode is either tunnel, transport or BEET. The peer must agree
         * on the method, fallback is tunnel mode.
-        * 
+        *
         * @return                              ipsec mode
         */
        ipsec_mode_t (*get_mode) (child_cfg_t *this);
-       
+
        /**
         * Action to take on DPD.
         *
         * @return                              DPD action
-        */     
+        */
        action_t (*get_dpd_action) (child_cfg_t *this);
-       
+
        /**
         * Action to take if CHILD_SA gets closed.
         *
         * @return                              close action
-        */     
+        */
        action_t (*get_close_action) (child_cfg_t *this);
-       
+
        /**
         * Get the DH group to use for CHILD_SA setup.
-        * 
+        *
         * @return                              dh group to use
         */
        diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
-       
+
        /**
         * Check whether IPComp should be used, if the other peer supports it.
-        * 
+        *
         * @return                              TRUE, if IPComp should be used
         *                                              FALSE, otherwise
         */
@@ -232,7 +232,7 @@ struct child_cfg_t {
 
        /**
         * Sets two options needed for Mobile IPv6 interoperability
-        * 
+        *
         * @param proxy_mode    use IPsec transport proxy mode (default FALSE)
         * @param install_policy install IPsec kernel policies (default TRUE)
         */
@@ -241,27 +241,27 @@ struct child_cfg_t {
 
        /**
         * Check whether IPsec transport SA should be set up in proxy mode
-        * 
+        *
         * @return                              TRUE, if proxy mode should be used
         *                                              FALSE, otherwise
         */
        bool (*use_proxy_mode)(child_cfg_t *this);
-       
+
        /**
         * Check whether IPsec policies should be installed in the kernel
-        * 
+        *
         * @return                              TRUE, if IPsec kernel policies should be installed
         *                                              FALSE, otherwise
         */
        bool (*install_policy)(child_cfg_t *this);
-       
+
        /**
         * Increase the reference count.
         *
         * @return                              reference to this
         */
        child_cfg_t* (*get_ref) (child_cfg_t *this);
-       
+
        /**
         * Destroys the child_cfg object.
         *
@@ -273,7 +273,7 @@ struct child_cfg_t {
 
 /**
  * Create a configuration template for CHILD_SA setup.
- * 
+ *
  * The "name" string gets cloned.
  *
  * The lifetime_cfg_t object gets cloned.
@@ -281,7 +281,7 @@ struct child_cfg_t {
  * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
  *
  * After a call to create, a reference is obtained (refcount = 1).
- * 
+ *
  * @param name                         name of the child_cfg
  * @param lifetime                     lifetime_cfg_t for this child_cfg
  * @param updown                       updown script to execute on up/down event
index e80ab577eb7fa0b39da86d73dadcb976e9d4a07a..c2ebf648b12b28bacd239aafad5600876a1ebeac 100644 (file)
@@ -32,7 +32,7 @@ struct private_ike_cfg_t {
         * Public part
         */
        ike_cfg_t public;
-       
+
        /**
         * Number of references hold by others to this ike_cfg
         */
@@ -45,19 +45,19 @@ struct private_ike_cfg_t {
 
        /**
         * Address of remote host
-        */     
+        */
        char *other;
-       
+
        /**
         * should we send a certificate request?
         */
        bool certreq;
-       
+
        /**
         * enforce UDP encapsulation
         */
        bool force_encap;
-       
+
        /**
         * List of proposals to use
         */
@@ -71,7 +71,7 @@ static bool send_certreq(private_ike_cfg_t *this)
 {
        return this->certreq;
 }
-       
+
 /**
  * Implementation of ike_cfg_t.force_encap.
  */
@@ -112,7 +112,7 @@ static linked_list_t* get_proposals(private_ike_cfg_t *this)
        iterator_t *iterator;
        proposal_t *current;
        linked_list_t *proposals = linked_list_create();
-       
+
        iterator = this->proposals->create_iterator(this->proposals, TRUE);
        while (iterator->iterate(iterator, (void**)&current))
        {
@@ -120,10 +120,10 @@ static linked_list_t* get_proposals(private_ike_cfg_t *this)
                proposals->insert_last(proposals, (void*)current);
        }
        iterator->destroy(iterator);
-       
+
        return proposals;
 }
-       
+
 /**
  * Implementation of ike_cfg_t.select_proposal.
  */
@@ -132,16 +132,16 @@ static proposal_t *select_proposal(private_ike_cfg_t *this,
 {
        iterator_t *stored_iter, *supplied_iter;
        proposal_t *stored, *supplied, *selected;
-       
+
        stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
        supplied_iter = proposals->create_iterator(proposals, TRUE);
-       
-       
+
+
        /* compare all stored proposals with all supplied. Stored ones are preferred.*/
        while (stored_iter->iterate(stored_iter, (void**)&stored))
        {
                supplied_iter->reset(supplied_iter);
-               
+
                while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
                {
                        selected = stored->select(stored, supplied);
@@ -162,7 +162,7 @@ static proposal_t *select_proposal(private_ike_cfg_t *this,
        supplied_iter->destroy(supplied_iter);
        DBG1(DBG_CFG, "received proposals: %#P", proposals);
        DBG1(DBG_CFG, "configured proposals: %#P", this->proposals);
-       
+
        return NULL;
 }
 
@@ -174,7 +174,7 @@ static diffie_hellman_group_t get_dh_group(private_ike_cfg_t *this)
        enumerator_t *enumerator;
        proposal_t *proposal;
        u_int16_t dh_group = MODP_NONE;
-       
+
        enumerator = this->proposals->create_enumerator(this->proposals);
        while (enumerator->enumerate(enumerator, &proposal))
        {
@@ -195,7 +195,7 @@ static bool equals(private_ike_cfg_t *this, private_ike_cfg_t *other)
        enumerator_t *e1, *e2;
        proposal_t *p1, *p2;
        bool eq = TRUE;
-       
+
        if (this == other)
        {
                return TRUE;
@@ -260,7 +260,7 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
                                                  char *me, char *other)
 {
        private_ike_cfg_t *this = malloc_thing(private_ike_cfg_t);
-       
+
        /* public functions */
        this->public.send_certreq = (bool(*)(ike_cfg_t*))send_certreq;
        this->public.force_encap = (bool (*) (ike_cfg_t *))force_encap_meth;
@@ -273,7 +273,7 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
        this->public.equals = (bool(*)(ike_cfg_t*,ike_cfg_t*)) equals;
        this->public.get_ref = (ike_cfg_t*(*)(ike_cfg_t*))get_ref;
        this->public.destroy = (void(*)(ike_cfg_t*))destroy;
-       
+
        /* private variables */
        this->refcount = 1;
        this->certreq = certreq;
@@ -281,6 +281,6 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
        this->me = strdup(me);
        this->other = strdup(other);
        this->proposals = linked_list_create();
-       
+
        return &this->public;
 }
index 064906423e1b378d549fa84c9a06a6ecf44e17a2..8b68af3e9d8b6c83981ffd223c40ca1eeecc3e58 100644 (file)
@@ -37,71 +37,71 @@ typedef struct ike_cfg_t ike_cfg_t;
  * @see peer_cfg_t to get an overview over the configurations.
  */
 struct ike_cfg_t {
-       
+
        /**
         * Get own address.
-        * 
+        *
         * @return              string of address/DNS name
         */
        char* (*get_my_addr) (ike_cfg_t *this);
 
        /**
         * Get peers address.
-        * 
+        *
         * @return              string of address/DNS name
         */
        char* (*get_other_addr) (ike_cfg_t *this);
-       
+
        /**
         * Adds a proposal to the list.
-        * 
+        *
         * The first added proposal has the highest priority, the last
         * added the lowest.
-        * 
+        *
         * @param proposal      proposal to add
         */
        void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);
-       
+
        /**
         * Returns a list of all supported proposals.
-        * 
+        *
         * Returned list and its proposals must be destroyed after use.
-        * 
+        *
         * @return                      list containing all the proposals
         */
        linked_list_t* (*get_proposals) (ike_cfg_t *this);
-       
+
        /**
         * Select a proposed from suggested proposals.
-        * 
+        *
         * Returned proposal must be destroyed after use.
-        * 
+        *
         * @param proposals     list of proposals to select from
         * @return                      selected proposal, or NULL if none matches.
         */
        proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals);
-       
+
        /**
         * Should we send a certificate request in IKE_SA_INIT?
         *
         * @return                      certificate request sending policy
         */
        bool (*send_certreq) (ike_cfg_t *this);
-       
+
        /**
         * Enforce UDP encapsulation by faking NATD notifies?
-        * 
+        *
         * @return                      TRUE to enfoce UDP encapsulation
         */
        bool (*force_encap) (ike_cfg_t *this);
-       
+
        /**
         * Get the DH group to use for IKE_SA setup.
-        * 
+        *
         * @return                      dh group to use for initialization
         */
        diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);
-       
+
        /**
         * Check if two IKE configs are equal.
         *
@@ -109,17 +109,17 @@ struct ike_cfg_t {
         * @return                      TRUE if other equal to this
         */
        bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);
-       
+
        /**
         * Increase reference count.
         *
         * @return                      reference to this
         */
        ike_cfg_t* (*get_ref) (ike_cfg_t *this);
-       
+
        /**
         * Destroys a ike_cfg_t object.
-        * 
+        *
         * Decrements the internal reference counter and
         * destroys the ike_cfg when it reaches zero.
         */
@@ -137,7 +137,7 @@ struct ike_cfg_t {
  * @param other                        address/DNS name of remote peer
  * @return                             ike_cfg_t object.
  */
-ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap, 
+ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
                                                  char *me, char *other);
 
 #endif /** IKE_CFG_H_ @}*/
index b2d29919dd7da631b4581d93e59659c32694c222..df946b73a0acb22107d5823e92467e7a2022e89c 100644 (file)
@@ -48,113 +48,113 @@ struct private_peer_cfg_t {
         * Public part
         */
        peer_cfg_t public;
-       
+
        /**
         * Number of references hold by others to this peer_cfg
         */
        refcount_t refcount;
-       
+
        /**
         * Name of the peer_cfg, used to query it
         */
        char *name;
-       
+
        /**
         * IKE version to use for initiation
         */
        u_int ike_version;
-       
+
        /**
         * IKE config associated to this peer config
         */
        ike_cfg_t *ike_cfg;
-       
+
        /**
         * list of child configs associated to this peer config
         */
        linked_list_t *child_cfgs;
-       
+
        /**
         * mutex to lock access to list of child_cfgs
         */
        mutex_t *mutex;
-       
+
        /**
         * should we send a certificate
         */
        cert_policy_t cert_policy;
-       
+
        /**
         * uniqueness of an IKE_SA
         */
        unique_policy_t unique;
-       
+
        /**
         * number of tries after giving up if peer does not respond
         */
        u_int32_t keyingtries;
-       
+
        /**
         * enable support for MOBIKE
         */
        bool use_mobike;
-       
+
        /**
         * Time before starting rekeying
         */
        u_int32_t rekey_time;
-       
+
        /**
         * Time before starting reauthentication
         */
        u_int32_t reauth_time;
-       
+
        /**
         * Time, which specifies the range of a random value substracted from above.
         */
        u_int32_t jitter_time;
-       
+
        /**
         * Delay before deleting a rekeying/reauthenticating SA
         */
        u_int32_t over_time;
-       
+
        /**
         * DPD check intervall
         */
        u_int32_t dpd;
-       
+
        /**
         * virtual IP to use locally
         */
        host_t *virtual_ip;
-       
+
        /**
         * pool to acquire configuration attributes from
         */
        char *pool;
-       
+
        /**
         * local authentication configs (rulesets)
         */
        linked_list_t *local_auth;
-       
+
        /**
         * remote authentication configs (constraints)
         */
        linked_list_t *remote_auth;
-       
+
 #ifdef ME
        /**
         * Is this a mediation connection?
         */
        bool mediation;
-       
+
        /**
         * Name of the mediation connection to mediate through
         */
        peer_cfg_t *mediated_by;
-       
+
        /**
         * ID of our peer at the mediation server (= leftid of the peer's conn with
         * the mediation server)
@@ -239,12 +239,12 @@ static bool child_cfg_enumerate(child_cfg_enumerator_t *this, child_cfg_t **chd)
 static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this)
 {
        child_cfg_enumerator_t *enumerator = malloc_thing(child_cfg_enumerator_t);
-       
+
        enumerator->public.enumerate = (void*)child_cfg_enumerate;
        enumerator->public.destroy = (void*)child_cfg_enumerator_destroy;
        enumerator->mutex = this->mutex;
        enumerator->wrapped = this->child_cfgs->create_enumerator(this->child_cfgs);
-       
+
        this->mutex->lock(this->mutex);
        return &enumerator->public;
 }
@@ -259,13 +259,13 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
        enumerator_t *sup_enum, *cfg_enum;
        traffic_selector_t *sup_ts, *cfg_ts;
        int match = 0, round;
-       
+
        /* fetch configured TS list, narrowing dynamic TS */
        cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host);
-       
+
        /* use a round counter to rate leading TS with higher priority */
        round = sup_list->get_count(sup_list);
-       
+
        sup_enum = sup_list->create_enumerator(sup_list);
        while (sup_enum->enumerate(sup_enum, &sup_ts))
        {
@@ -286,9 +286,9 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
                round--;
        }
        sup_enum->destroy(sup_enum);
-       
+
        cfg_list->destroy_offset(cfg_list, offsetof(traffic_selector_t, destroy));
-       
+
        return match;
 }
 
@@ -303,16 +303,16 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
        child_cfg_t *current, *found = NULL;
        enumerator_t *enumerator;
        int best = 0;
-       
+
        DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);
        enumerator = create_child_cfg_enumerator(this);
        while (enumerator->enumerate(enumerator, &current))
        {
                int my_prio, other_prio;
-               
+
                my_prio = get_ts_match(current, TRUE, my_ts, my_host);
                other_prio = get_ts_match(current, FALSE, other_ts, other_host);
-               
+
                if (my_prio && other_prio)
                {
                        DBG2(DBG_CFG, "  candidate \"%s\" with prio %d+%d",
@@ -421,7 +421,7 @@ static host_t* get_virtual_ip(private_peer_cfg_t *this)
 {
        return this->virtual_ip;
 }
-       
+
 /**
  * Implementation of peer_cfg_t.get_pool.
  */
@@ -493,7 +493,7 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
        enumerator_t *e1, *e2;
        auth_cfg_t *cfg1, *cfg2;
        bool equal = TRUE;
-       
+
        if (this->local_auth->get_count(this->local_auth) !=
                other->local_auth->get_count(other->local_auth))
        {
@@ -504,7 +504,7 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
        {
                return FALSE;
        }
-       
+
        e1 = this->local_auth->create_enumerator(this->local_auth);
        e2 = other->local_auth->create_enumerator(other->local_auth);
        while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
@@ -517,12 +517,12 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
        }
        e1->destroy(e1);
        e2->destroy(e2);
-       
+
        if (!equal)
        {
                return FALSE;
        }
-       
+
        e1 = this->remote_auth->create_enumerator(this->remote_auth);
        e2 = other->remote_auth->create_enumerator(other->remote_auth);
        while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
@@ -535,7 +535,7 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
        }
        e1->destroy(e1);
        e2->destroy(e2);
-       
+
        return equal;
 }
 
@@ -552,7 +552,7 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
        {
                return FALSE;
        }
-       
+
        return (
                this->ike_version == other->ike_version &&
                this->cert_policy == other->cert_policy &&
@@ -657,7 +657,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
        this->public.get_mediated_by = (peer_cfg_t* (*) (peer_cfg_t *))get_mediated_by;
        this->public.get_peer_id = (identification_t* (*) (peer_cfg_t *))get_peer_id;
 #endif /* ME */
-       
+
        /* apply init values */
        this->name = strdup(name);
        this->ike_version = ike_version;
index e6f0db4436cae244757ced10cc19e74dd0def81b..00c8a0cad8524d3b8b18a6b089c8b9a44b76dd79 100644 (file)
@@ -114,7 +114,7 @@ extern enum_name_t *unique_policy_names;
  * to gain access to the configuration.
  */
 struct peer_cfg_t {
-       
+
        /**
         * Get the name of the peer_cfg.
         *
@@ -123,42 +123,42 @@ struct peer_cfg_t {
         * @return                              peer_cfg's name
         */
        char* (*get_name) (peer_cfg_t *this);
-       
+
        /**
         * Get the IKE version to use for initiating.
         *
         * @return                              IKE major version
         */
        u_int (*get_ike_version)(peer_cfg_t *this);
-       
+
        /**
         * Get the IKE config to use for initiaton.
         *
         * @return                              the IKE config to use
         */
        ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
-       
+
        /**
         * Attach a CHILD config.
         *
         * @param child_cfg             CHILD config to add
         */
        void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
-       
+
        /**
         * Detach a CHILD config, pointed to by an enumerator.
         *
         * @param enumerator    enumerator indicating element position
         */
        void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
-       
+
        /**
         * Create an enumerator for all attached CHILD configs.
         *
         * @return                              an enumerator over all CHILD configs.
         */
        enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
-       
+
        /**
         * Select a CHILD config from traffic selectors.
         *
@@ -171,7 +171,7 @@ struct peer_cfg_t {
        child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
                                                                          linked_list_t *other_ts, host_t *my_host,
                                                                          host_t *other_host);
-       
+
        /**
         * Add an authentication config to the peer configuration.
         *
@@ -179,7 +179,7 @@ struct peer_cfg_t {
         * @param local                 TRUE for local rules, FALSE for remote constraints
         */
        void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
-       
+
        /**
         * Create an enumerator over registered authentication configs.
         *
@@ -201,49 +201,49 @@ struct peer_cfg_t {
         * @return                      unique policy
         */
        unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
-       
+
        /**
         * Get the max number of retries after timeout.
         *
         * @return                      max number retries
         */
        u_int32_t (*get_keyingtries) (peer_cfg_t *this);
-       
+
        /**
         * Get a time to start rekeying (is randomized with jitter).
         *
         * @return                      time in s when to start rekeying, 0 disables rekeying
         */
        u_int32_t (*get_rekey_time)(peer_cfg_t *this);
-       
+
        /**
         * Get a time to start reauthentication (is randomized with jitter).
         *
         * @return                      time in s when to start reauthentication, 0 disables it
         */
        u_int32_t (*get_reauth_time)(peer_cfg_t *this);
-       
+
        /**
         * Get the timeout of a rekeying/reauthenticating SA.
         *
         * @return                      timeout in s
         */
        u_int32_t (*get_over_time)(peer_cfg_t *this);
-       
+
        /**
         * Use MOBIKE (RFC4555) if peer supports it?
         *
         * @return                      TRUE to enable MOBIKE support
         */
        bool (*use_mobike) (peer_cfg_t *this);
-       
+
        /**
         * Get the DPD check interval.
         *
         * @return                      dpd_delay in seconds
         */
        u_int32_t (*get_dpd) (peer_cfg_t *this);
-       
+
        /**
         * Get a virtual IP for the local peer.
         *
@@ -255,14 +255,14 @@ struct peer_cfg_t {
         * @return                              virtual IP, %any or NULL
         */
        host_t* (*get_virtual_ip) (peer_cfg_t *this);
-       
+
        /**
         * Get the name of the pool to acquire configuration attributes from.
         *
         * @return                              pool name, NULL if none defined
         */
        char* (*get_pool)(peer_cfg_t *this);
-       
+
 #ifdef ME
        /**
         * Is this a mediation connection?
@@ -270,14 +270,14 @@ struct peer_cfg_t {
         * @return                              TRUE, if this is a mediation connection
         */
        bool (*is_mediation) (peer_cfg_t *this);
-       
+
        /**
         * Get peer_cfg of the connection this one is mediated through.
         *
         * @return                              the peer_cfg of the mediation connection
         */
        peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
-       
+
        /**
         * Get the id of the other peer at the mediation server.
         *
@@ -300,14 +300,14 @@ struct peer_cfg_t {
         * @return                              TRUE if peer_cfg and ike_cfg are equal
         */
        bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
-       
+
        /**
         * Increase reference count.
         *
         * @return                              reference to this
         */
        peer_cfg_t* (*get_ref) (peer_cfg_t *this);
-       
+
        /**
         * Destroys the peer_cfg object.
         *
index cf7e19605774312ce1e018eecddfcac55e071bbc..66a0a3bf8e0cc5db044bebb47201995dccd90f6e 100644 (file)
@@ -52,52 +52,52 @@ struct private_proposal_t {
         * Public part
         */
        proposal_t public;
-       
+
        /**
         * protocol (ESP or AH)
         */
        protocol_id_t protocol;
-       
+
        /**
         * priority ordered list of encryption algorithms
         */
        linked_list_t *encryption_algos;
-       
+
        /**
         * priority ordered list of integrity algorithms
         */
        linked_list_t *integrity_algos;
-       
+
        /**
         * priority ordered list of pseudo random functions
         */
        linked_list_t *prf_algos;
-       
+
        /**
         * priority ordered list of dh groups
         */
        linked_list_t *dh_groups;
-       
+
        /**
         * priority ordered list of extended sequence number flags
         */
        linked_list_t *esns;
-       
-       /** 
+
+       /**
         * senders SPI
         */
        u_int64_t spi;
 };
 
 /**
- * Struct used to store different kinds of algorithms. 
+ * Struct used to store different kinds of algorithms.
  */
 struct algorithm_t {
        /**
         * Value from an encryption_algorithm_t/integrity_algorithm_t/...
         */
        u_int16_t algorithm;
-       
+
        /**
         * the associated key size in bits, or zero if not needed
         */
@@ -110,7 +110,7 @@ struct algorithm_t {
 static void add_algo(linked_list_t *list, u_int16_t algo, u_int16_t key_size)
 {
        algorithm_t *algo_key;
-       
+
        algo_key = malloc_thing(algorithm_t);
        algo_key->algorithm = algo;
        algo_key->key_size = key_size;
@@ -200,7 +200,7 @@ static bool get_algorithm(private_proposal_t *this, transform_type_t type,
 {
        enumerator_t *enumerator;
        bool found = FALSE;
-       
+
        enumerator = create_enumerator(this, type);
        if (enumerator->enumerate(enumerator, alg, key_size))
        {
@@ -216,12 +216,12 @@ static bool get_algorithm(private_proposal_t *this, transform_type_t type,
 static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
 {
        bool result = FALSE;
-       
+
        if (this->dh_groups->get_count(this->dh_groups))
        {
                algorithm_t *current;
                enumerator_t *enumerator;
-               
+
                enumerator = this->dh_groups->create_enumerator(this->dh_groups);
                while (enumerator->enumerate(enumerator, (void**)&current))
                {
@@ -246,7 +246,7 @@ static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
 static void strip_dh(private_proposal_t *this)
 {
        algorithm_t *alg;
-       
+
        while (this->dh_groups->remove_last(this->dh_groups, (void**)&alg) == SUCCESS)
        {
                free(alg);
@@ -282,14 +282,14 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add,
 {
        enumerator_t *e1, *e2;
        algorithm_t *alg1, *alg2;
-       
+
        /* if in both are zero algorithms specified, we HAVE a match */
        if (first->get_count(first) == 0 && second->get_count(second) == 0)
        {
                *add = FALSE;
                return TRUE;
        }
-       
+
        e1 = first->create_enumerator(first);
        e2 = second->create_enumerator(second);
        /* compare algs, order of algs in "first" is preferred */
@@ -327,18 +327,18 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
        u_int16_t algo;
        size_t key_size;
        bool add;
-       
+
        DBG2(DBG_CFG, "selecting proposal:");
-       
+
        /* check protocol */
        if (this->protocol != other->protocol)
        {
                DBG2(DBG_CFG, "  protocol mismatch, skipping");
                return NULL;
        }
-       
+
        selected = proposal_create(this->protocol);
-       
+
        /* select encryption algorithm */
        if (select_algo(this->encryption_algos, other->encryption_algos,
                                        &add, &algo, &key_size))
@@ -359,7 +359,7 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
        /* select integrity algorithm */
        if (!is_authenticated_encryption(algo))
        {
-               if (select_algo(this->integrity_algos, other->integrity_algos,  
+               if (select_algo(this->integrity_algos, other->integrity_algos,
                                                &add, &algo, &key_size))
                {
                        if (add)
@@ -424,10 +424,10 @@ static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t
                return NULL;
        }
        DBG2(DBG_CFG, "  proposal matches");
-       
+
        /* apply SPI from "other" */
        selected->set_spi(selected, other->spi);
-       
+
        /* everything matched, return new proposal */
        return selected;
 }
@@ -463,7 +463,7 @@ static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
 {
        algorithm_t *algo, *clone_algo;
        enumerator_t *enumerator;
-       
+
        enumerator = list->create_enumerator(list);
        while (enumerator->enumerate(enumerator, &algo))
        {
@@ -482,12 +482,12 @@ static bool algo_list_equals(linked_list_t *l1, linked_list_t *l2)
        enumerator_t *e1, *e2;
        algorithm_t *alg1, *alg2;
        bool equals = TRUE;
-       
+
        if (l1->get_count(l1) != l2->get_count(l2))
        {
                return FALSE;
        }
-       
+
        e1 = l1->create_enumerator(l1);
        e2 = l2->create_enumerator(l2);
        while (e1->enumerate(e1, &alg1) && e2->enumerate(e2, &alg2))
@@ -531,15 +531,15 @@ static bool equals(private_proposal_t *this, private_proposal_t *other)
 static proposal_t *clone_(private_proposal_t *this)
 {
        private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol);
-       
+
        clone_algo_list(this->encryption_algos, clone->encryption_algos);
        clone_algo_list(this->integrity_algos, clone->integrity_algos);
        clone_algo_list(this->prf_algos, clone->prf_algos);
        clone_algo_list(this->dh_groups, clone->dh_groups);
        clone_algo_list(this->esns, clone->esns);
-       
+
        clone->spi = this->spi;
-       
+
        return &clone->public;
 }
 
@@ -551,7 +551,7 @@ static void check_proposal(private_proposal_t *this)
        enumerator_t *e;
        algorithm_t *alg;
        bool all_aead = TRUE;
-       
+
        e = this->encryption_algos->create_enumerator(this->encryption_algos);
        while (e->enumerate(e, &alg))
        {
@@ -562,7 +562,7 @@ static void check_proposal(private_proposal_t *this)
                }
        }
        e->destroy(e);
-       
+
        if (all_aead)
        {
                /* if all encryption algorithms in the proposal are authenticated encryption
@@ -613,7 +613,7 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
                        case AUTH_AES_XCBC_96:
                                prf = PRF_AES128_XCBC;
                                break;
-                       default: 
+                       default:
                                prf = PRF_UNDEFINED;
                }
                if (prf != PRF_UNDEFINED)
@@ -633,7 +633,7 @@ static int print_alg(private_proposal_t *this, char **dst, size_t *len,
        enumerator_t *enumerator;
        size_t written = 0;
        u_int16_t alg, size;
-       
+
        enumerator = create_enumerator(this, kind);
        while (enumerator->enumerate(enumerator, &alg, &size))
        {
@@ -666,12 +666,12 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
        enumerator_t *enumerator;
        size_t written = 0;
        bool first = TRUE;
-       
+
        if (this == NULL)
        {
                return print_in_hook(dst, len, "(null)");
        }
-       
+
        if (spec->hash)
        {
                enumerator = list->create_enumerator(list);
@@ -690,7 +690,7 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
                enumerator->destroy(enumerator);
                return written;
        }
-       
+
        written = print_in_hook(dst, len, "%N:", protocol_id_names, this->protocol);
        written += print_alg(this, &dst, &len, ENCRYPTION_ALGORITHM,
                                                 encryption_algorithm_names, &first);
@@ -724,7 +724,7 @@ static void destroy(private_proposal_t *this)
 proposal_t *proposal_create(protocol_id_t protocol)
 {
        private_proposal_t *this = malloc_thing(private_proposal_t);
-       
+
        this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,u_int16_t))add_algorithm;
        this->public.create_enumerator = (enumerator_t* (*)(proposal_t*,transform_type_t))create_enumerator;
        this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm;
@@ -737,16 +737,16 @@ proposal_t *proposal_create(protocol_id_t protocol)
        this->public.equals = (bool(*)(proposal_t*, proposal_t *other))equals;
        this->public.clone = (proposal_t*(*)(proposal_t*))clone_;
        this->public.destroy = (void(*)(proposal_t*))destroy;
-       
+
        this->spi = 0;
        this->protocol = protocol;
-       
+
        this->encryption_algos = linked_list_create();
        this->integrity_algos = linked_list_create();
        this->prf_algos = linked_list_create();
        this->dh_groups = linked_list_create();
        this->esns = linked_list_create();
-       
+
        return &this->public;
 }
 
@@ -760,7 +760,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
        integrity_algorithm_t integrity;
        pseudo_random_function_t prf;
        diffie_hellman_group_t group;
-       
+
        enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
        while (enumerator->enumerate(enumerator, &encryption))
        {
@@ -787,10 +787,10 @@ static void proposal_add_supported_ike(private_proposal_t *this)
                                break;
                        default:
                                break;
-               }       
+               }
        }
        enumerator->destroy(enumerator);
-       
+
        enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
        while (enumerator->enumerate(enumerator, &integrity))
        {
@@ -806,10 +806,10 @@ static void proposal_add_supported_ike(private_proposal_t *this)
                                break;
                        default:
                                break;
-               }       
+               }
        }
        enumerator->destroy(enumerator);
-       
+
        enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
        while (enumerator->enumerate(enumerator, &prf))
        {
@@ -828,7 +828,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
        while (enumerator->enumerate(enumerator, &group))
        {
@@ -865,7 +865,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 proposal_t *proposal_create_default(protocol_id_t protocol)
 {
        private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
-       
+
        switch (protocol)
        {
                case PROTO_IKE:
@@ -903,14 +903,14 @@ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs
        chunk_t string = {(void*)algs, strlen(algs)};
        chunk_t alg;
        status_t status = SUCCESS;
-       
+
        eat_whitespace(&string);
        if (string.len < 1)
        {
                destroy(this);
                return NULL;
        }
-       
+
        /* get all tokens, separated by '-' */
        while (extract_token(&alg, '-', &string))
        {
@@ -925,9 +925,9 @@ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs
                destroy(this);
                return NULL;
        }
-       
+
        check_proposal(this);
-       
+
        if (protocol == PROTO_AH || protocol == PROTO_ESP)
        {
                add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
index bc7a8c5e73132ee78e07acdc3e7b7bc12bd61eae..f3857cbd2cf26fbe97dcd9f8e91454b2ff9a4d2e 100644 (file)
@@ -65,17 +65,17 @@ extern enum_name_t *extended_sequence_numbers_names;
 
 /**
  * Stores a set of algorithms used for an SA.
- * 
- * A proposal stores algorithms for a specific 
+ *
+ * A proposal stores algorithms for a specific
  * protocol. It can store algorithms for one protocol.
  * Proposals with multiple protocols are not supported,
  * as it's not specified in RFC4301 anymore.
  */
 struct proposal_t {
-       
+
        /**
         * Add an algorithm to the proposal.
-        * 
+        *
         * The algorithms are stored by priority, first added
         * is the most preferred.
         * Key size is only needed for encryption algorithms
@@ -84,27 +84,27 @@ struct proposal_t {
         * The alg parameter accepts encryption_algorithm_t,
         * integrity_algorithm_t, dh_group_number_t and
         * extended_sequence_numbers_t.
-        * 
+        *
         * @param type                  kind of algorithm
         * @param alg                   identifier for algorithm
         * @param key_size              key size to use
         */
        void (*add_algorithm) (proposal_t *this, transform_type_t type,
                                                   u_int16_t alg, u_int16_t key_size);
-       
+
        /**
         * Get an enumerator over algorithms for a specifc algo type.
-        * 
+        *
         * @param type                  kind of algorithm
         * @return                              enumerator over u_int16_t alg, u_int16_t key_size
         */
        enumerator_t *(*create_enumerator) (proposal_t *this, transform_type_t type);
-       
+
        /**
         * Get the algorithm for a type to use.
-        * 
+        *
         * If there are multiple algorithms, only the first is returned.
-        * 
+        *
         * @param type                  kind of algorithm
         * @param alg                   pointer which receives algorithm
         * @param key_size              pointer which receives the key size
@@ -112,53 +112,53 @@ struct proposal_t {
         */
        bool (*get_algorithm) (proposal_t *this, transform_type_t type,
                                                   u_int16_t *alg, u_int16_t *key_size);
-       
+
        /**
         * Check if the proposal has a specific DH group.
-        * 
+        *
         * @param group                 group to check for
         * @return                              TRUE if algorithm included
         */
        bool (*has_dh_group) (proposal_t *this, diffie_hellman_group_t group);
-       
+
        /**
         * Strip DH groups from proposal to use it without PFS.
         */
-       void (*strip_dh)(proposal_t *this);     
+       void (*strip_dh)(proposal_t *this);
 
        /**
         * Compare two proposal, and select a matching subset.
-        * 
+        *
         * If the proposals are for the same protocols (AH/ESP), they are
         * compared. If they have at least one algorithm of each type
         * in common, a resulting proposal of this kind is created.
-        * 
+        *
         * @param other                 proposal to compair agains
         * @return                              selected proposal, NULL if proposals don't match
         */
        proposal_t *(*select) (proposal_t *this, proposal_t *other);
-       
+
        /**
         * Get the protocol ID of the proposal.
         *
         * @return                              protocol of the proposal
         */
        protocol_id_t (*get_protocol) (proposal_t *this);
-       
+
        /**
         * Get the SPI of the proposal.
-        * 
+        *
         * @return                              spi for proto
         */
        u_int64_t (*get_spi) (proposal_t *this);
-       
+
        /**
         * Set the SPI of the proposal.
-        * 
+        *
         * @param spi                   spi to set for proto
         */
        void (*set_spi) (proposal_t *this, u_int64_t spi);
-       
+
        /**
         * Check for the eqality of two proposals.
         *
@@ -166,14 +166,14 @@ struct proposal_t {
         * @return                              TRUE if other equal to this
         */
        bool (*equals)(proposal_t *this, proposal_t *other);
-       
+
        /**
         * Clone a proposal.
-        * 
+        *
         * @return                              clone of proposal
         */
        proposal_t *(*clone) (proposal_t *this);
-       
+
        /**
         * Destroys the proposal object.
         */
@@ -214,7 +214,7 @@ proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs
 /**
  * printf hook function for proposal_t.
  *
- * Arguments are: 
+ * Arguments are:
  *    proposal_t *proposal
  * With the #-specifier, arguments are:
  *    linked_list_t *list containing proposal_t*
index a8ea100082a25d072047389c1e7ed935c78a5d56..0168acc0ee85aecf376a7ec579cd181970074636 100644 (file)
@@ -42,24 +42,24 @@ struct private_traffic_selector_t {
         * Public part
         */
        traffic_selector_t public;
-       
+
        /**
         * Type of address
         */
        ts_type_t type;
-       
+
        /**
         * IP protocol (UDP, TCP, ICMP, ...)
         */
        u_int8_t protocol;
-       
+
        /**
         * narrow this traffic selector to hosts external ip
         * if set, from and to have no meaning until set_address() is called
         */
        bool dynamic;
-       
-       /** 
+
+       /**
         * begin of address range, network order
         */
        union {
@@ -70,7 +70,7 @@ struct private_traffic_selector_t {
                /** IPv6 address */
                u_int32_t from6[4];
        };
-       
+
        /**
         * end of address range, network order
         */
@@ -82,14 +82,14 @@ struct private_traffic_selector_t {
                /** IPv6 address */
                u_int32_t to6[4];
        };
-       
+
        /**
-        * begin of port range 
+        * begin of port range
         */
        u_int16_t from_port;
-       
+
        /**
-        * end of port range 
+        * end of port range
         */
        u_int16_t to_port;
 };
@@ -101,7 +101,7 @@ static void calc_range(private_traffic_selector_t *this, u_int8_t netbits)
 {
        int byte;
        size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-       
+
        /* go through the from address, starting at the tail. While we
         * have not processed the bits belonging to the host, set them to 1 on
         * the to address. If we reach the bits for the net, copy them from "from". */
@@ -109,7 +109,7 @@ static void calc_range(private_traffic_selector_t *this, u_int8_t netbits)
        {
                u_char mask = 0x00;
                int shift;
-               
+
                shift = (byte+1) * 8 - netbits;
                if (shift > 0)
                {
@@ -130,7 +130,7 @@ static u_int8_t calc_netbits(private_traffic_selector_t *this)
 {
        int byte, bit;
        size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-       
+
        /* go trough all bits of the addresses, beginning in the front.
         * as long as they are equal, the subnet gets larger
         */
@@ -169,12 +169,12 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
        bool has_ports;
        size_t written = 0;
        u_int32_t from[4], to[4];
-       
+
        if (this == NULL)
        {
                return print_in_hook(dst, len, "(null)");
        }
-       
+
        if (spec->hash)
        {
                iterator = list->create_iterator(list, TRUE);
@@ -186,11 +186,11 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
                iterator->destroy(iterator);
                return written;
        }
-       
+
        memset(from, 0, sizeof(from));
        memset(to, 0xFF, sizeof(to));
        if (this->dynamic &&
-               memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) && 
+               memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) &&
                memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
        {
                written += print_in_hook(dst, len, "dynamic");
@@ -208,7 +208,7 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
                mask = calc_netbits(this);
                written += print_in_hook(dst, len, "%s/%d", addr_str, mask);
        }
-       
+
        /* check if we have protocol and/or port selectors */
        has_proto = this->protocol != 0;
        has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF);
@@ -235,7 +235,7 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
                        written += print_in_hook(dst, len, "%d", this->protocol);
                }
        }
-       
+
        if (has_proto && has_ports)
        {
                written += print_in_hook(dst, len, "/");
@@ -262,7 +262,7 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
                        written += print_in_hook(dst, len, "%d-%d", this->from_port, this->to_port);
                }
        }
-       
+
        written += print_in_hook(dst, len, "]");
 
        return written;
@@ -281,7 +281,7 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
                u_int8_t protocol;
                size_t size;
                private_traffic_selector_t *new_ts;
-               
+
                /* calculate the maximum port range allowed for both */
                from_port = max(this->from_port, other->from_port);
                to_port = min(this->to_port, other->to_port);
@@ -291,7 +291,7 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
                }
                /* select protocol, which is not zero */
                protocol = max(this->protocol, other->protocol);
-               
+
                switch (this->type)
                {
                        case TS_IPV4_ADDR_RANGE:
@@ -303,7 +303,7 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
                        default:
                                return NULL;
                }
-               
+
                /* get higher from-address */
                if (memcmp(this->from, other->from, size) > 0)
                {
@@ -327,14 +327,14 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
                {
                        return NULL;
                }
-               
+
                /* we have a match in protocol, port, and address: return it... */
                new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
                new_ts->type = this->type;
                new_ts->dynamic = this->dynamic || other->dynamic;
                memcpy(new_ts->from, from, size);
                memcpy(new_ts->to, to, size);
-               
+
                return &new_ts->public;
        }
        return NULL;
@@ -390,7 +390,7 @@ static chunk_t get_from_address(private_traffic_selector_t *this)
                        return chunk_empty;
        }
 }
-       
+
 /**
  * Implements traffic_selector_t.get_to_address.
  */
@@ -406,7 +406,7 @@ static chunk_t get_to_address(private_traffic_selector_t *this)
                        return chunk_empty;
        }
 }
-       
+
 /**
  * Implements traffic_selector_t.get_from_port.
  */
@@ -414,7 +414,7 @@ static u_int16_t get_from_port(private_traffic_selector_t *this)
 {
        return this->from_port;
 }
-       
+
 /**
  * Implements traffic_selector_t.get_to_port.
  */
@@ -448,7 +448,7 @@ static bool is_host(private_traffic_selector_t *this, host_t *host)
        {
                chunk_t addr;
                int family = host->get_family(host);
-               
+
                if ((family == AF_INET && this->type == TS_IPV4_ADDR_RANGE) ||
                        (family == AF_INET6 && this->type == TS_IPV6_ADDR_RANGE))
                {
@@ -463,12 +463,12 @@ static bool is_host(private_traffic_selector_t *this, host_t *host)
        else
        {
                size_t length = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-               
+
                if (this->dynamic)
                {
                        return TRUE;
                }
-               
+
                if (memeq(this->from, this->to, length))
                {
                        return TRUE;
@@ -494,7 +494,7 @@ static void set_address(private_traffic_selector_t *this, host_t *host)
        {
                this->type = host->get_family(host) == AF_INET ?
                                TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
-               
+
                if (host->is_anyaddr(host))
                {
                        memset(this->from6, 0x00, sizeof(this->from6));
@@ -517,9 +517,9 @@ static bool is_contained_in(private_traffic_selector_t *this,
 {
        private_traffic_selector_t *subset;
        bool contained_in = FALSE;
-       
+
        subset = (private_traffic_selector_t*)get_subset(this, other);
-       
+
        if (subset)
        {
                if (equals(subset, this))
@@ -528,7 +528,7 @@ static bool is_contained_in(private_traffic_selector_t *this,
                }
                free(subset);
        }
-       return contained_in;    
+       return contained_in;
 }
 
 /**
@@ -543,12 +543,12 @@ static bool includes(private_traffic_selector_t *this, host_t *host)
                (family == AF_INET6 && this->type == TS_IPV6_ADDR_RANGE))
        {
                addr = host->get_address(host);
-               
+
                return memcmp(this->from, addr.ptr, addr.len) <= 0 &&
                                memcmp(this->to, addr.ptr, addr.len) >= 0;
        }
 
-       return FALSE;   
+       return FALSE;
 }
 
 /**
@@ -557,15 +557,15 @@ static bool includes(private_traffic_selector_t *this, host_t *host)
 static void to_subnet(private_traffic_selector_t *this, host_t **net, u_int8_t *mask)
 {
        /* there is no way to do this cleanly, as the address range may
-        * be anything else but a subnet. We use from_addr as subnet 
+        * be anything else but a subnet. We use from_addr as subnet
         * and try to calculate a usable subnet mask.
         */
        int family, byte;
        u_int16_t port = 0;
        chunk_t net_chunk;
-       
+
        *mask = calc_netbits(this);
-       
+
        switch (this->type)
        {
                case TS_IPV4_ADDR_RANGE:
@@ -586,22 +586,22 @@ static void to_subnet(private_traffic_selector_t *this, host_t **net, u_int8_t *
                        return;
                }
        }
-       
+
        net_chunk.ptr = malloc(net_chunk.len);
        memcpy(net_chunk.ptr, this->from, net_chunk.len);
-       
+
        for (byte = net_chunk.len - 1; byte >= (*mask / 8); --byte)
        {
                int shift = (byte + 1) * 8 - *mask;
                net_chunk.ptr[byte] = net_chunk.ptr[byte] & (0xFF << shift);
        }
-       
+
        if (this->to_port == this->from_port)
        {
                port = this->to_port;
        }
-       
-       *net = host_create_from_chunk(family, net_chunk, port); 
+
+       *net = host_create_from_chunk(family, net_chunk, port);
        chunk_free(&net_chunk);
 }
 
@@ -611,10 +611,10 @@ static void to_subnet(private_traffic_selector_t *this, host_t **net, u_int8_t *
 static traffic_selector_t *clone_(private_traffic_selector_t *this)
 {
        private_traffic_selector_t *clone;
-       
-       clone = traffic_selector_create(this->protocol, this->type, 
+
+       clone = traffic_selector_create(this->protocol, this->type,
                                                                        this->from_port, this->to_port);
-       
+
        clone->dynamic = this->dynamic;
        switch (clone->type)
        {
@@ -650,13 +650,13 @@ static void destroy(private_traffic_selector_t *this)
  * see header
  */
 traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol,
-                                                                                               ts_type_t type, 
-                                                                                               chunk_t from, u_int16_t from_port, 
+                                                                                               ts_type_t type,
+                                                                                               chunk_t from, u_int16_t from_port,
                                                                                                chunk_t to, u_int16_t to_port)
 {
        private_traffic_selector_t *this = traffic_selector_create(protocol, type,
                                                                                                                        from_port, to_port);
-       
+
        switch (type)
        {
                case TS_IPV4_ADDR_RANGE:
@@ -684,7 +684,7 @@ traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol,
                default:
                {
                        free(this);
-                       return NULL;    
+                       return NULL;
                }
        }
        return (&this->public);
@@ -693,7 +693,7 @@ traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol,
 /*
  * see header
  */
-traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, 
+traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
                                                        u_int8_t netbits, u_int8_t protocol, u_int16_t port)
 {
        private_traffic_selector_t *this = traffic_selector_create(protocol, 0, 0, 65535);
@@ -703,7 +703,7 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
                case AF_INET:
                {
                        chunk_t from;
-                       
+
                        this->type = TS_IPV4_ADDR_RANGE;
                        from = net->get_address(net);
                        memcpy(this->from4, from.ptr, from.len);
@@ -721,7 +721,7 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
                case AF_INET6:
                {
                        chunk_t from;
-                       
+
                        this->type = TS_IPV6_ADDR_RANGE;
                        from = net->get_address(net);
                        memcpy(this->from6, from.ptr, from.len);
@@ -782,7 +782,7 @@ traffic_selector_t *traffic_selector_create_from_string(
                                free(this);
                                return NULL;
                        }
-                       break;  
+                       break;
                }
                case TS_IPV6_ADDR_RANGE:
                {
@@ -805,17 +805,17 @@ traffic_selector_t *traffic_selector_create_from_string(
 /*
  * see header
  */
-traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol, 
+traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
                                                                        u_int16_t from_port, u_int16_t to_port)
 {
        private_traffic_selector_t *this = traffic_selector_create(
                                                        protocol, TS_IPV4_ADDR_RANGE, from_port, to_port);
-       
+
        memset(this->from6, 0, sizeof(this->from6));
        memset(this->to6, 0xFF, sizeof(this->to6));
-       
+
        this->dynamic = TRUE;
-       
+
        return &this->public;
 }
 
@@ -833,7 +833,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
        this->public.get_from_address = (chunk_t(*)(traffic_selector_t*))get_from_address;
        this->public.get_to_address = (chunk_t(*)(traffic_selector_t*))get_to_address;
        this->public.get_from_port = (u_int16_t(*)(traffic_selector_t*))get_from_port;
-       this->public.get_to_port = (u_int16_t(*)(traffic_selector_t*))get_to_port;      
+       this->public.get_to_port = (u_int16_t(*)(traffic_selector_t*))get_to_port;
        this->public.get_type = (ts_type_t(*)(traffic_selector_t*))get_type;
        this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol;
        this->public.is_host = (bool(*)(traffic_selector_t*,host_t*))is_host;
@@ -844,13 +844,13 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
        this->public.to_subnet = (void(*)(traffic_selector_t*,host_t**,u_int8_t*))to_subnet;
        this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone_;
        this->public.destroy = (void(*)(traffic_selector_t*))destroy;
-       
+
        this->from_port = from_port;
        this->to_port = to_port;
        this->protocol = protocol;
        this->type = type;
        this->dynamic = FALSE;
-       
+
        return this;
 }
 
index a57da43a8b692af66b76146b3085be2377cad37b..e71a03119aba05e7c441289fdf12e233cbe00c8a 100644 (file)
@@ -33,7 +33,7 @@ typedef struct traffic_selector_t traffic_selector_t;
  * Traffic selector types.
  */
 enum ts_type_t {
-       
+
        /**
         * A range of IPv4 addresses, represented by two four (4) octet
      * values.  The first value is the beginning IPv4 address
@@ -42,7 +42,7 @@ enum ts_type_t {
      * addresses are considered to be within the list.
      */
        TS_IPV4_ADDR_RANGE = 7,
-       
+
        /**
         * A range of IPv6 addresses, represented by two sixteen (16)
      * octet values.  The first value is the beginning IPv6 address
@@ -65,7 +65,7 @@ extern enum_name_t *ts_type_name;
  * and a range of ports. IPv6 is not fully supported yet.
  */
 struct traffic_selector_t {
-       
+
        /**
         * Compare two traffic selectors, and create a new one
         * which is the largest subset of both (subnet & port).
@@ -77,16 +77,16 @@ struct traffic_selector_t {
         *                                      - created subset of them
         *                                      - or NULL if no match between this and other
         */
-       traffic_selector_t *(*get_subset)  (traffic_selector_t *this, 
+       traffic_selector_t *(*get_subset)  (traffic_selector_t *this,
                                                                                traffic_selector_t *other);
-       
+
        /**
         * Clone a traffic selector.
         *
         * @return                      clone of it
         */
        traffic_selector_t *(*clone) (traffic_selector_t *this);
-       
+
        /**
         * Get starting address of this ts as a chunk.
         *
@@ -95,7 +95,7 @@ struct traffic_selector_t {
         * @return                      chunk containing the address
         */
        chunk_t (*get_from_address) (traffic_selector_t *this);
-       
+
        /**
         * Get ending address of this ts as a chunk.
         *
@@ -104,17 +104,17 @@ struct traffic_selector_t {
         * @return                      chunk containing the address
         */
        chunk_t (*get_to_address) (traffic_selector_t *this);
-       
+
        /**
         * Get starting port of this ts.
-        * 
+        *
         * Port is in host order, since the parser converts it.
         * Size depends on protocol.
-        *  
+        *
         * @return                      port
         */
        u_int16_t (*get_from_port) (traffic_selector_t *this);
-       
+
        /**
         * Get ending port of this ts.
         *
@@ -124,21 +124,21 @@ struct traffic_selector_t {
         * @return                      port
         */
        u_int16_t (*get_to_port) (traffic_selector_t *this);
-       
+
        /**
         * Get the type of the traffic selector.
         *
         * @return                      ts_type_t specifying the type
         */
        ts_type_t (*get_type) (traffic_selector_t *this);
-       
+
        /**
         * Get the protocol id of this ts.
         *
         * @return                      protocol id
         */
        u_int8_t (*get_protocol) (traffic_selector_t *this);
-       
+
        /**
         * Check if the traffic selector is for a single host.
         *
@@ -151,14 +151,14 @@ struct traffic_selector_t {
         * @param host          host_t specifying the address range
         */
        bool (*is_host) (traffic_selector_t *this, host_t* host);
-       
+
        /**
         * Check if a traffic selector has been created by create_dynamic().
         *
         * @return                      TRUE if TS is dynamic
         */
        bool (*is_dynamic)(traffic_selector_t *this);
-       
+
        /**
         * Update the address of a traffic selector.
         *
@@ -168,15 +168,15 @@ struct traffic_selector_t {
         * @param host          host_t specifying the address
         */
        void (*set_address) (traffic_selector_t *this, host_t* host);
-       
+
        /**
         * Compare two traffic selectors for equality.
-        * 
+        *
         * @param other         ts to compare with this
         * @return                      TRUE if equal, FALSE otherwise
         */
        bool (*equals) (traffic_selector_t *this, traffic_selector_t *other);
-       
+
        /**
         * Check if a traffic selector is contained completly in another.
         *
@@ -188,24 +188,24 @@ struct traffic_selector_t {
        bool (*is_contained_in) (traffic_selector_t *this, traffic_selector_t *other);
 
        /**
-        * Check if a specific host is included in the address range of 
+        * Check if a specific host is included in the address range of
         * this traffic selector.
         *
         * @param host          the host to check
         */
        bool (*includes) (traffic_selector_t *this, host_t *host);
-       
+
        /**
         * Convert a traffic selector address range to a subnet
         * and its net mask.
         * If from and to ports of this traffic selector are equal,
         * the port of the returned host_t is set to that port.
-        * 
+        *
         * @param net           converted subnet (has to be freed)
         * @param mask          converted net mask
         */
        void (*to_subnet) (traffic_selector_t *this, host_t **net, u_int8_t *mask);
-       
+
        /**
         * Destroys the ts object
         */
@@ -214,7 +214,7 @@ struct traffic_selector_t {
 
 /**
  * Create a new traffic selector using human readable params.
- * 
+ *
  * @param protocol             protocol for this ts, such as TCP or UDP
  * @param type                 type of following addresses, such as TS_IPV4_ADDR_RANGE
  * @param from_addr            start of address range as string
@@ -232,11 +232,11 @@ traffic_selector_t *traffic_selector_create_from_string(
 
 /**
  * Create a new traffic selector using data read from the net.
- * 
+ *
  * There exists a mix of network and host order in the params.
  * But the parser gives us this data in this format, so we
  * don't have to convert twice.
- * 
+ *
  * @param protocol             protocol for this ts, such as TCP or UDP
  * @param type                 type of following addresses, such as TS_IPV4_ADDR_RANGE
  * @param from_address start of address range, network order
@@ -252,14 +252,14 @@ traffic_selector_t *traffic_selector_create_from_bytes(
 
 /**
  * Create a new traffic selector defining a whole subnet.
- * 
+ *
  * In most cases, definition of a traffic selector for full subnets
  * is sufficient. This constructor creates a traffic selector for
  * all protocols, all ports and the address range specified by the
  * subnet.
  * Additionally, a protocol and a port may be specified. Port ranges
  * are not supported via this constructor.
- * 
+ *
  * @param net                  subnet to use
  * @param netbits              size of the subnet, as used in e.g. 192.168.0.0/24 notation
  * @param protocol             protocol for this ts, such as TCP or UDP
@@ -269,17 +269,17 @@ traffic_selector_t *traffic_selector_create_from_bytes(
  *                                             - NULL if address family of net not supported
  */
 traffic_selector_t *traffic_selector_create_from_subnet(
-                                                                       host_t *net, u_int8_t netbits, 
+                                                                       host_t *net, u_int8_t netbits,
                                                                        u_int8_t protocol, u_int16_t port);
 
 /**
  * Create a traffic selector for host-to-host cases.
- * 
+ *
  * For host2host or virtual IP setups, the traffic selectors gets
  * created at runtime using the external/virtual IP. Using this constructor,
  * a call to set_address() sets this traffic selector to the supplied host.
- * 
- * 
+ *
+ *
  * @param protocol             upper layer protocl to allow
  * @param from_port            start of allowed port range
  * @param to_port              end of range
@@ -293,7 +293,7 @@ traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
 /**
  * printf hook function for traffic_selector_t.
  *
- * Arguments are: 
+ * Arguments are:
  *    traffic_selector_t *ts
  * With the #-specifier, arguments are:
  *    linked_list_t *list containing traffic_selector_t*
index 97d7e33ea0c4cd4e3320f6bf3346d0ac9bac751e..94c64028c26249de0f193d70cd13ada5629d4d5f 100644 (file)
@@ -47,42 +47,42 @@ struct interface_listener_t {
         * public bus listener interface
         */
        listener_t public;
-       
+
        /**
         * status of the operation, return to method callers
         */
        status_t status;
-       
+
        /**
         *  interface callback (listener gets redirected to here)
         */
        controller_cb_t callback;
-       
+
        /**
         * user parameter to pass to callback
         */
        void *param;
-       
+
        /**
         * child configuration, used for initiate
         */
        child_cfg_t *child_cfg;
-       
+
        /**
         * peer configuration, used for initiate
         */
        peer_cfg_t *peer_cfg;
-       
+
        /**
         * IKE_SA to handle
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * CHILD_SA to handle
         */
        child_sa_t *child_sa;
-       
+
        /**
         * unique ID, used for various methods
         */
@@ -100,7 +100,7 @@ struct interface_job_t {
         * job interface
         */
        job_t public;
-       
+
        /**
         * associated listener
         */
@@ -138,7 +138,7 @@ static bool listener_ike_state(interface_listener_t *this, ike_sa_t *ike_sa,
                        case IKE_ESTABLISHED:
                        {       /* mediation connections are complete without CHILD_SA */
                                peer_cfg_t *peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-                               
+
                                if (peer_cfg->is_mediation(peer_cfg))
                                {
                                        this->status = SUCCESS;
@@ -219,17 +219,17 @@ static status_t initiate_execute(interface_job_t *job)
        ike_sa_t *ike_sa;
        interface_listener_t *listener = &job->listener;
        peer_cfg_t *peer_cfg = listener->peer_cfg;
-       
+
        ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
                                                                                                                peer_cfg);
        listener->ike_sa = ike_sa;
-       
+
        if (ike_sa->get_peer_cfg(ike_sa) == NULL)
        {
                ike_sa->set_peer_cfg(ike_sa, peer_cfg);
        }
        peer_cfg->destroy(peer_cfg);
-       
+
        if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS)
        {
                charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
@@ -279,9 +279,9 @@ static status_t terminate_ike_execute(interface_job_t *job)
 {
        interface_listener_t *listener = &job->listener;
        ike_sa_t *ike_sa = listener->ike_sa;
-       
+
        charon->bus->set_sa(charon->bus, ike_sa);
-       
+
        if (ike_sa->delete(ike_sa) != DESTROY_ME)
        {
                charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
@@ -316,7 +316,7 @@ static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
                        .destroy = (void*)recheckin,
                },
        };
-       
+
        ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
                                                                                                        unique_id, FALSE);
        if (ike_sa == NULL)
@@ -325,7 +325,7 @@ static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
                return NOT_FOUND;
        }
        job.listener.ike_sa = ike_sa;
-       
+
        if (callback == NULL)
        {
                return terminate_ike_execute(&job);
@@ -342,7 +342,7 @@ static status_t terminate_child_execute(interface_job_t *job)
        interface_listener_t *listener = &job->listener;
        ike_sa_t *ike_sa = listener->ike_sa;
        child_sa_t *child_sa = listener->child_sa;
-       
+
        charon->bus->set_sa(charon->bus, ike_sa);
        if (ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa),
                                                                child_sa->get_spi(child_sa, TRUE)) != DESTROY_ME)
@@ -380,7 +380,7 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid,
                        .destroy = (void*)recheckin,
                },
        };
-       
+
        ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
                                                                                                        reqid, TRUE);
        if (ike_sa == NULL)
@@ -390,7 +390,7 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid,
                return NOT_FOUND;
        }
        job.listener.ike_sa = ike_sa;
-       
+
        iterator = ike_sa->create_child_sa_iterator(ike_sa);
        while (iterator->iterate(iterator, (void**)&child_sa))
        {
@@ -402,7 +402,7 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid,
                child_sa = NULL;
        }
        iterator->destroy(iterator);
-       
+
        if (child_sa == NULL)
        {
                DBG1(DBG_IKE, "unable to terminate, established "
@@ -443,13 +443,13 @@ static void destroy(private_controller_t *this)
 controller_t *controller_create(void)
 {
        private_controller_t *this = malloc_thing(private_controller_t);
-       
+
        this->public.create_ike_sa_enumerator = (enumerator_t*(*)(controller_t*))create_ike_sa_enumerator;
        this->public.initiate = (status_t(*)(controller_t*,peer_cfg_t*,child_cfg_t*,controller_cb_t,void*))initiate;
        this->public.terminate_ike = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void*))terminate_ike;
        this->public.terminate_child = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void *param))terminate_child;
        this->public.destroy = (void (*)(controller_t*))destroy;
-       
+
        return &this->public;
 }
 
index 3c928d2eae6008861c6864d66f04a425f1112a3e..31b69c78cceb374a628b6db5105eb5284c7948d0 100644 (file)
@@ -95,7 +95,7 @@ struct controller_t {
         * Terminate an IKE_SA and all of its CHILD_SAs.
         *
         * The terminate() function is synchronous and thus blocks until the
-        * IKE_SA is properly deleted, or the delete timed out. 
+        * IKE_SA is properly deleted, or the delete timed out.
         * The terminate() function contains a thread cancellation point.
         *
         * @param unique_id             unique id of the IKE_SA to terminate.
@@ -106,9 +106,9 @@ struct controller_t {
         *                                              - NOT_FOUND, if no such CHILD_SA found
         *                                              - NEED_MORE, if callback returned FALSE
         */
-       status_t (*terminate_ike)(controller_t *this, u_int32_t unique_id, 
+       status_t (*terminate_ike)(controller_t *this, u_int32_t unique_id,
                                                          controller_cb_t callback, void *param);
-       
+
        /**
         * Terminate a CHILD_SA.
         *
@@ -120,9 +120,9 @@ struct controller_t {
         *                                              - NOT_FOUND, if no such CHILD_SA found
         *                                              - NEED_MORE, if callback returned FALSE
         */
-       status_t (*terminate_child)(controller_t *this, u_int32_t reqid, 
+       status_t (*terminate_child)(controller_t *this, u_int32_t reqid,
                                                                controller_cb_t callback, void *param);
-       
+
        /**
         * Destroy a controller_t instance.
         */
@@ -132,7 +132,7 @@ struct controller_t {
 
 /**
  * Creates a controller instance.
- * 
+ *
  * @return                     controller_t object
  */
 controller_t *controller_create(void);
index 78b0922ec5a2873fe0c02354a0924b696a722374..636d83bf18fbaced21db64d797e3bdc2de80e7e7 100644 (file)
@@ -41,27 +41,27 @@ struct private_credential_manager_t {
         * public functions
         */
        credential_manager_t public;
-       
+
        /**
         * list of credential sets
         */
        linked_list_t *sets;
-       
+
        /**
         * thread local set of credentials, linked_list_t with credential_set_t's
         */
        pthread_key_t local_sets;
-       
+
        /**
         * trust relationship and certificate cache
         */
        cert_cache_t *cache;
-       
+
        /**
         * certificates queued for persistent caching
         */
        linked_list_t *cache_queue;
-       
+
        /**
         * read-write lock to sets list
         */
@@ -149,7 +149,7 @@ static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
 {
        linked_list_t *local;
        sets_enumerator_t *enumerator = malloc_thing(sets_enumerator_t);
-       
+
        enumerator->public.enumerate = (void*)sets_enumerator_enumerate;
        enumerator->public.destroy = (void*)sets_enumerator_destroy;
        enumerator->global = this->sets->create_enumerator(this->sets);
@@ -176,7 +176,7 @@ static void destroy_cert_data(cert_data_t *data)
  */
 static enumerator_t *create_cert(credential_set_t *set, cert_data_t *data)
 {
-       return set->create_cert_enumerator(set, data->cert, data->key, 
+       return set->create_cert_enumerator(set, data->cert, data->key,
                                                                           data->id, data->trusted);
 }
 
@@ -193,7 +193,7 @@ static enumerator_t *create_cert_enumerator(private_credential_manager_t *this,
        data->key = key;
        data->id = id;
        data->trusted = trusted;
-       
+
        this->lock->read_lock(this->lock);
        return enumerator_create_nested(create_sets_enumerator(this),
                                                                        (void*)create_cert, data,
@@ -209,7 +209,7 @@ static certificate_t *get_cert(private_credential_manager_t *this,
 {
        certificate_t *current, *found = NULL;
        enumerator_t *enumerator;
-       
+
        enumerator = create_cert_enumerator(this, cert, key, id, trusted);
        if (enumerator->enumerate(enumerator, &current))
        {
@@ -247,7 +247,7 @@ static enumerator_t * create_cdp_enumerator(private_credential_manager_t *this,
        data->this = this;
        data->type = type;
        data->id = id;
-       
+
        this->lock->read_lock(this->lock);
        return enumerator_create_nested(create_sets_enumerator(this),
                                                                        (void*)create_cdp, data,
@@ -279,7 +279,7 @@ static enumerator_t* create_private_enumerator(
                                                                    key_type_t key, identification_t *keyid)
 {
        private_data_t *data;
-       
+
        data = malloc_thing(private_data_t);
        data->this = this;
        data->type = key;
@@ -292,13 +292,13 @@ static enumerator_t* create_private_enumerator(
 
 /**
  * Implementation of credential_manager_t.get_private_by_keyid.
- */   
+ */
 static private_key_t *get_private_by_keyid(private_credential_manager_t *this,
                                                                                key_type_t key, identification_t *keyid)
 {
        private_key_t *found = NULL;
        enumerator_t *enumerator;
-       
+
        enumerator = create_private_enumerator(this, key, keyid);
        if (enumerator->enumerate(enumerator, &found))
        {
@@ -328,7 +328,7 @@ static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data)
 /**
  * Implementation of credential_manager_t.create_shared_enumerator.
  */
-static enumerator_t *create_shared_enumerator(private_credential_manager_t *this, 
+static enumerator_t *create_shared_enumerator(private_credential_manager_t *this,
                                                shared_key_type_t type,
                                                identification_t *me, identification_t *other)
 {
@@ -337,16 +337,16 @@ static enumerator_t *create_shared_enumerator(private_credential_manager_t *this
        data->type = type;
        data->me = me;
        data->other = other;
-       
+
        this->lock->read_lock(this->lock);
        return enumerator_create_nested(create_sets_enumerator(this),
-                                                                       (void*)create_shared, data, 
+                                                                       (void*)create_shared, data,
                                                                        (void*)destroy_shared_data);
 }
 
 /**
  * Implementation of credential_manager_t.get_shared.
- */   
+ */
 static shared_key_t *get_shared(private_credential_manager_t *this,
                                                                shared_key_type_t type, identification_t *me,
                                                                identification_t *other)
@@ -355,7 +355,7 @@ static shared_key_t *get_shared(private_credential_manager_t *this,
        id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
        id_match_t *match_me, *match_other;
        enumerator_t *enumerator;
-       
+
        enumerator = create_shared_enumerator(this, type, me, other);
        while (enumerator->enumerate(enumerator, &current, &match_me, &match_other))
        {
@@ -396,7 +396,7 @@ static void remove_local_set(private_credential_manager_t *this,
                                                         credential_set_t *set)
 {
        linked_list_t *sets;
-       
+
        sets = pthread_getspecific(this->local_sets);
        sets->remove(sets, set, NULL);
 }
@@ -408,7 +408,7 @@ static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
 {
        credential_set_t *set;
        enumerator_t *enumerator;
-       
+
        if (this->lock->try_write_lock(this->lock))
        {
                enumerator = this->sets->create_enumerator(this->sets);
@@ -434,7 +434,7 @@ static void cache_queue(private_credential_manager_t *this)
        credential_set_t *set;
        certificate_t *cert;
        enumerator_t *enumerator;
-       
+
        if (this->cache_queue->get_count(this->cache_queue) > 0 &&
                this->lock->try_write_lock(this->lock))
        {
@@ -454,7 +454,7 @@ static void cache_queue(private_credential_manager_t *this)
 }
 
 /**
- * forward declaration 
+ * forward declaration
  */
 static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
                                        key_type_t type, identification_t *id, bool crl, bool ocsp);
@@ -467,7 +467,7 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
 {
        certificate_t *request, *response;
        chunk_t send, receive;
-       
+
        /* TODO: requestor name, signature */
        request = lib->creds->create(lib->creds,
                                                CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
@@ -478,12 +478,12 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
                DBG1(DBG_CFG, "generating ocsp request failed");
                return NULL;
        }
-       
+
        send = request->get_encoding(request);
        request->destroy(request);
 
        DBG1(DBG_CFG, "  requesting ocsp status from '%s' ...", url);
-       if (lib->fetcher->fetch(lib->fetcher, url, &receive, 
+       if (lib->fetcher->fetch(lib->fetcher, url, &receive,
                                                        FETCH_REQUEST_DATA, send,
                                                        FETCH_REQUEST_TYPE, "application/ocsp-request",
                                                        FETCH_END) != SUCCESS)
@@ -493,7 +493,7 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
                return NULL;
        }
        chunk_free(&send);
-       
+
        response = lib->creds->create(lib->creds,
                                                                  CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
                                                                  BUILD_BLOB_ASN1_DER, receive, BUILD_END);
@@ -507,9 +507,9 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
 }
 
 /**
- * check the signature of an OCSP response 
+ * check the signature of an OCSP response
  */
-static bool verify_ocsp(private_credential_manager_t *this, 
+static bool verify_ocsp(private_credential_manager_t *this,
                                                ocsp_response_t *response)
 {
        certificate_t *issuer, *subject;
@@ -520,7 +520,7 @@ static bool verify_ocsp(private_credential_manager_t *this,
 
        wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
        add_local_set(this, &wrapper->set);
-       
+
        subject = &response->certificate;
        responder = subject->get_issuer(subject);
        enumerator = create_trusted_enumerator(this, KEY_ANY, responder, FALSE, FALSE);
@@ -535,7 +535,7 @@ static bool verify_ocsp(private_credential_manager_t *this,
                }
        }
        enumerator->destroy(enumerator);
-       
+
        remove_local_set(this, &wrapper->set);
        wrapper->destroy(wrapper);
        return verified;
@@ -553,7 +553,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
        time_t revocation, this_update, next_update, valid_until;
        crl_reason_t reason;
        bool revoked = FALSE;
-       
+
        response = (ocsp_response_t*)cand;
 
        /* check ocsp signature */
@@ -622,7 +622,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
  * validate a x509 certificate using OCSP
  */
 static cert_validation_t check_ocsp(private_credential_manager_t *this,
-                                                                   x509_t *subject, x509_t *issuer, 
+                                                                   x509_t *subject, x509_t *issuer,
                                                                    auth_cfg_t *auth)
 {
        enumerator_t *enumerator;
@@ -632,7 +632,7 @@ static cert_validation_t check_ocsp(private_credential_manager_t *this,
        public_key_t *public;
        chunk_t chunk;
        char *uri = NULL;
-       
+
        /** lookup cache for valid OCSP responses */
        enumerator = create_cert_enumerator(this, CERT_X509_OCSP_RESPONSE,
                                                                                KEY_ANY, NULL, FALSE);
@@ -648,7 +648,7 @@ static cert_validation_t check_ocsp(private_credential_manager_t *this,
                }
        }
        enumerator->destroy(enumerator);
-       
+
        /* derive the authorityKeyIdentifier from the issuer's public key */
        current = &issuer->interface;
        public = current->get_public_key(current);
@@ -723,7 +723,7 @@ static certificate_t* fetch_crl(private_credential_manager_t *this, char *url)
 {
        certificate_t *crl;
        chunk_t chunk;
-       
+
        DBG1(DBG_CFG, "  fetching crl from '%s' ...", url);
        if (lib->fetcher->fetch(lib->fetcher, url, &chunk, FETCH_END) != SUCCESS)
        {
@@ -749,7 +749,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
        certificate_t *issuer;
        enumerator_t *enumerator;
        bool verified = FALSE;
-       
+
        enumerator = create_trusted_enumerator(this, KEY_ANY, crl->get_issuer(crl),
                                                                                   FALSE, FALSE);
        while (enumerator->enumerate(enumerator, &issuer, NULL))
@@ -763,7 +763,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        return verified;
 }
 
@@ -788,7 +788,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
                cand->destroy(cand);
                return best;
        }
-       
+
        crl = (crl_t*)cand;
        enumerator = crl->create_enumerator(crl);
        while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
@@ -837,7 +837,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
  * validate a x509 certificate using CRL
  */
 static cert_validation_t check_crl(private_credential_manager_t *this,
-                                                                  x509_t *subject, x509_t *issuer, 
+                                                                  x509_t *subject, x509_t *issuer,
                                                                   auth_cfg_t *auth)
 {
        cert_validation_t valid = VALIDATION_SKIPPED;
@@ -848,16 +848,16 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
        enumerator_t *enumerator;
        chunk_t chunk;
        char *uri = NULL;
-       
+
        /* derive the authorityKeyIdentifier from the issuer's public key */
        current = &issuer->interface;
        public = current->get_public_key(current);
        if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
        {
                keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
-               
+
                /* find a cached crl by authorityKeyIdentifier */
-               enumerator = create_cert_enumerator(this, CERT_X509_CRL, KEY_ANY, 
+               enumerator = create_cert_enumerator(this, CERT_X509_CRL, KEY_ANY,
                                                                                        keyid, FALSE);
                while (enumerator->enumerate(enumerator, &current))
                {
@@ -871,12 +871,12 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
                        }
                }
                enumerator->destroy(enumerator);
-               
+
                /* fallback to fetching crls from credential sets cdps */
                if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
                {
                        enumerator = create_cdp_enumerator(this, CERT_X509_CRL, keyid);
-                       
+
                        while (enumerator->enumerate(enumerator, &uri))
                        {
                                current = fetch_crl(this, uri);
@@ -895,12 +895,12 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
                keyid->destroy(keyid);
        }
        DESTROY_IF(public);
-       
+
        /* fallback to fetching crls from cdps from subject's certificate */
        if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED)
        {
                enumerator = subject->create_crl_uri_enumerator(subject);
-               
+
                while (enumerator->enumerate(enumerator, &uri))
                {
                        current = fetch_crl(this, uri);
@@ -916,7 +916,7 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
                }
                enumerator->destroy(enumerator);
        }
-       
+
        /* an uri was found, but no result. switch validation state to failed */
        if (valid == VALIDATION_SKIPPED && uri)
        {
@@ -947,7 +947,7 @@ static bool check_certificate(private_credential_manager_t *this,
                                                          bool crl, bool ocsp, auth_cfg_t *auth)
 {
        time_t not_before, not_after;
-       
+
        if (!subject->get_validity(subject, NULL, &not_before, &not_after))
        {
                DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
@@ -1020,7 +1020,7 @@ static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
 {
        certificate_t *subject;
        public_key_t *public;
-       
+
        subject = get_cert(this, CERT_ANY, type, id, TRUE);
        if (!subject)
        {
@@ -1044,8 +1044,8 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
 {
        enumerator_t *enumerator;
        certificate_t *issuer = NULL, *candidate;
-       
-       enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY, 
+
+       enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY,
                                                                                subject->get_issuer(subject), trusted);
        while (enumerator->enumerate(enumerator, &candidate))
        {
@@ -1069,7 +1069,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
        certificate_t *current, *issuer;
        auth_cfg_t *auth;
        u_int level = 0;
-       
+
        auth = auth_cfg_create();
        current = subject->get_ref(subject);
        while (level++ < MAX_CA_LEVELS)
@@ -1110,7 +1110,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                        }
                        else
                        {
-                               DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", 
+                               DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
                                         current->get_subject(current));
                                break;
                        }
@@ -1173,10 +1173,10 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
                                                          certificate_t **cert, auth_cfg_t **auth)
 {
        certificate_t *current;
-       
+
        DESTROY_IF(this->auth);
        this->auth = auth_cfg_create();
-       
+
        if (!this->candidates)
        {
                /* first invocation, build enumerator for next one */
@@ -1187,7 +1187,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
                if (this->pretrusted)
                {
                        /* if we find a trusted self signed certificate, we just accept it.
-                        * However, in order to fulfill authorization rules, we try to build 
+                        * However, in order to fulfill authorization rules, we try to build
                         * the trust chain if it is not self signed */
                        if (this->this->cache->issued_by(this->this->cache,
                                                                   this->pretrusted, this->pretrusted) ||
@@ -1215,7 +1215,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
                {       /* skip pretrusted certificate we already served */
                        continue;
                }
-       
+
                DBG1(DBG_CFG, "  using certificate \"%Y\"",
                         current->get_subject(current));
                if (verify_trust_chain(this->this, current, this->auth, FALSE,
@@ -1250,10 +1250,10 @@ static enumerator_t *create_trusted_enumerator(private_credential_manager_t *thi
                                        key_type_t type, identification_t *id, bool crl, bool ocsp)
 {
        trusted_enumerator_t *enumerator = malloc_thing(trusted_enumerator_t);
-       
+
        enumerator->public.enumerate = (void*)trusted_enumerate;
        enumerator->public.destroy = (void*)trusted_destroy;
-       
+
        enumerator->candidates = NULL;
        enumerator->this = this;
        enumerator->type = type;
@@ -1262,7 +1262,7 @@ static enumerator_t *create_trusted_enumerator(private_credential_manager_t *thi
        enumerator->ocsp = ocsp;
        enumerator->pretrusted = NULL;
        enumerator->auth = NULL;
-       
+
        return &enumerator->public;
 }
 
@@ -1289,7 +1289,7 @@ static bool public_enumerate(public_enumerator_t *this,
                                                         public_key_t **key, auth_cfg_t **auth)
 {
        certificate_t *cert;
-       
+
        while (this->inner->enumerate(this->inner, &cert, auth))
        {
                DESTROY_IF(this->current);
@@ -1316,7 +1316,7 @@ static void public_destroy(public_enumerator_t *this)
                this->wrapper->destroy(this->wrapper);
        }
        this->this->lock->unlock(this->this->lock);
-       
+
        /* check for delayed certificate cache queue */
        cache_queue(this->this);
        free(this);
@@ -1329,7 +1329,7 @@ static enumerator_t* create_public_enumerator(private_credential_manager_t *this
                                                key_type_t type, identification_t *id, auth_cfg_t *auth)
 {
        public_enumerator_t *enumerator = malloc_thing(public_enumerator_t);
-       
+
        enumerator->public.enumerate = (void*)public_enumerate;
        enumerator->public.destroy = (void*)public_destroy;
        enumerator->inner = create_trusted_enumerator(this, type, id, TRUE, TRUE);
@@ -1374,13 +1374,13 @@ static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
  */
 static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
                                                                         certificate_t *subject, auth_cfg_t *auth)
-{      
+{
        certificate_t *issuer, *current;
        auth_cfg_t *trustchain;
        u_int level = 0;
-       
+
        trustchain = auth_cfg_create();
-       
+
        current = auth->get(auth, AUTH_RULE_CA_CERT);
        if (!current)
        {
@@ -1428,7 +1428,7 @@ static private_key_t *get_private_by_cert(private_credential_manager_t *this,
        identification_t *keyid;
        chunk_t chunk;
        public_key_t *public;
-       
+
        public = cert->get_public_key(cert);
        if (public)
        {
@@ -1454,13 +1454,13 @@ static private_key_t *get_private(private_credential_manager_t *this,
        certificate_t *cert;
        private_key_t *private = NULL;
        auth_cfg_t *trustchain;
-       
+
        /* check if this is a lookup by key ID, and do it if so */
        if (id && id->get_type(id) == ID_KEY_ID)
        {
                return get_private_by_keyid(this, type, id);
        }
-       
+
        /* if a specific certificate is preferred, check for a matching key */
        cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
        if (cert)
@@ -1477,7 +1477,7 @@ static private_key_t *get_private(private_credential_manager_t *this,
                        return private;
                }
        }
-       
+
        /* try to build a trust chain for each certificate found */
        enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
        while (enumerator->enumerate(enumerator, &cert))
@@ -1497,7 +1497,7 @@ static private_key_t *get_private(private_credential_manager_t *this,
                }
        }
        enumerator->destroy(enumerator);
-       
+
        /* if no valid trustchain was found, fall back to the first usable cert */
        if (!private)
        {
@@ -1567,7 +1567,7 @@ static void destroy(private_credential_manager_t *this)
 credential_manager_t *credential_manager_create()
 {
        private_credential_manager_t *this = malloc_thing(private_credential_manager_t);
-       
+
        this->public.create_cert_enumerator = (enumerator_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *id,bool))create_cert_enumerator;
        this->public.create_shared_enumerator = (enumerator_t *(*)(credential_manager_t *this, shared_key_type_t type,identification_t *me, identification_t *other))create_shared_enumerator;
        this->public.create_cdp_enumerator = (enumerator_t *(*)(credential_manager_t*, certificate_type_t type, identification_t *id))create_cdp_enumerator;
@@ -1580,14 +1580,14 @@ credential_manager_t *credential_manager_create()
        this->public.add_set = (void(*)(credential_manager_t*, credential_set_t *set))add_set;
        this->public.remove_set = (void(*)(credential_manager_t*, credential_set_t *set))remove_set;
        this->public.destroy = (void(*)(credential_manager_t*))destroy;
-       
+
        this->sets = linked_list_create();
        pthread_key_create(&this->local_sets, (void*)this->sets->destroy);
        this->cache = cert_cache_create();
        this->cache_queue = linked_list_create();
        this->sets->insert_first(this->sets, this->cache);
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-       
+
        return &this->public;
 }
 
index 0af54c0b1590e78b3eb20eeb8b95b7136ba76838..192b348716d3518d52fce1cc262465a08e5f4690 100644 (file)
@@ -36,11 +36,11 @@ typedef struct credential_manager_t credential_manager_t;
  *
  * The credential manager is the entry point of the credential framework. It
  * uses so called "sets" to access credentials in a modular fashion, these
- * are implemented through the credential_set_t interface. 
+ * are implemented through the credential_set_t interface.
  * The manager additionally does trust chain verification and trust status
  * chaching. A set may call the managers methods if it needs credentials itself,
  * the manager uses recursive locking.
- * 
+ *
  * @verbatim
 
   +-------+        +----------------+
@@ -58,14 +58,14 @@ typedef struct credential_manager_t credential_manager_t;
   |   o   |                    may be recursive
   |   r   |
   +-------+
-    
-   @endverbatim                                       
+
+   @endverbatim
  *
  * The credential manager uses rwlocks for performance reasons, credential
  * sets must be fully thread save.
  */
 struct credential_manager_t {
-       
+
        /**
         * Create an enumerator over all certificates.
         *
@@ -90,7 +90,7 @@ struct credential_manager_t {
         * @param second        second subject between key is shared
         * @return                      enumerator over shared keys
         */
-       enumerator_t *(*create_shared_enumerator)(credential_manager_t *this, 
+       enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
                                                                shared_key_type_t type,
                                                                identification_t *first, identification_t *second);
        /**
@@ -121,14 +121,14 @@ struct credential_manager_t {
         * @param me            own identity
         * @param other         peers identity
         * @return                      shared_key_t, NULL if none found
-        */                        
+        */
        shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
                                                                identification_t *me, identification_t *other);
        /**
         * Get a private key to create a signature.
         *
         * The get_private() method gets a secret private key identified by either
-        * the keyid itself or an id the key belongs to. 
+        * the keyid itself or an id the key belongs to.
         * The auth parameter contains additional information, such as receipients
         * trusted CA certs. Auth gets filled with subject and CA certificates
         * needed to validate a created signature.
@@ -140,12 +140,12 @@ struct credential_manager_t {
         */
        private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
                                                                  identification_t *id, auth_cfg_t *auth);
-       
+
        /**
         * Create an enumerator over trusted public keys.
         *
         * This method gets a an enumerator over trusted public keys to verify a
-        * signature created by id. The auth parameter contains additional 
+        * signature created by id. The auth parameter contains additional
         * authentication infos, e.g. peer and intermediate certificates.
         * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
         * where the auth config helper contains rules for constraint checks.
@@ -157,14 +157,14 @@ struct credential_manager_t {
         */
        enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
                                        key_type_t type, identification_t *id, auth_cfg_t *auth);
-       
+
        /**
         * Cache a certificate by invoking cache_cert() on all registerd sets.
         *
         * @param cert          certificate to cache
         */
        void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
-       
+
        /**
         * Flush the certificate cache.
         *
@@ -174,21 +174,21 @@ struct credential_manager_t {
         * @param type          type of certificate to flush, or CERT_ANY
         */
        void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
-               
+
        /**
         * Register a credential set to the manager.
         *
         * @param set           set to register
         */
        void (*add_set)(credential_manager_t *this, credential_set_t *set);
-       
+
        /**
         * Unregister a credential set from the manager.
         *
         * @param set           set to unregister
         */
        void (*remove_set)(credential_manager_t *this, credential_set_t *set);
-       
+
        /**
      * Destroy a credential_manager instance.
      */
index e9ad99bfdc656d87b4bb6eaff329828f8776b19f..274eb3feb56fef50b0273a81d8c5d0274c791702 100644 (file)
@@ -43,12 +43,12 @@ typedef struct credential_set_t credential_set_t;
  * enumerator is alive, so it is save to use a write lock there.
  */
 struct credential_set_t {
-       
+
        /**
         * Create an enumerator over private keys (private_key_t).
         *
         * The id is either a key identifier of the requested key, or an identity
-        * of the key owner. 
+        * of the key owner.
         *
         * @param type          type of requested private key
         * @param id            key identifier/owner
@@ -80,10 +80,10 @@ struct credential_set_t {
         * @param other         other identity who owns that secret
         * @return                      enumerator as described above
         */
-       enumerator_t *(*create_shared_enumerator)(credential_set_t *this, 
+       enumerator_t *(*create_shared_enumerator)(credential_set_t *this,
                                                shared_key_type_t type,
                                                identification_t *me, identification_t *other);
-       
+
        /**
         * Create an enumerator over certificate distribution points.
         *
@@ -93,7 +93,7 @@ struct credential_set_t {
         */
        enumerator_t *(*create_cdp_enumerator)(credential_set_t *this,
                                                certificate_type_t type, identification_t *id);
-       
+
        /**
         * Cache a certificate in the credential set.
         *
@@ -102,7 +102,7 @@ struct credential_set_t {
         *
         * @param cert          certificate to cache
         */
-       void (*cache_cert)(credential_set_t *this, certificate_t *cert);        
+       void (*cache_cert)(credential_set_t *this, certificate_t *cert);
 };
 
 #endif /** CREDENTIAL_SET_H_ @}*/
index b2cf5d9602e9180d23af3d7307f4660b7905b294..82e33d283e535ab6a6428b8c046aef0a53c1d69c 100644 (file)
@@ -29,7 +29,7 @@ struct private_auth_cfg_wrapper_t {
         * public functions
         */
        auth_cfg_wrapper_t public;
-       
+
        /**
         * wrapped auth info
         */
@@ -67,10 +67,10 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
                /* fetching the certificate previously failed */
                return FALSE;
        }
-       
+
        chunk_t data;
        certificate_t *cert;
-       
+
        DBG1(DBG_CFG, "  fetching certificate from '%s' ...", url);
        if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
        {
@@ -80,11 +80,11 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
                                                                  *rule, NULL);
                return FALSE;
        }
-       
+
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                          BUILD_BLOB_ASN1_DER, data, BUILD_END);
        free(data.ptr);
-       
+
        if (!cert)
        {
                DBG1(DBG_CFG, "  parsing fetched certificate failed");
@@ -93,10 +93,10 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
                                                                  *rule, NULL);
                return FALSE;
        }
-       
+
        DBG1(DBG_CFG, "  fetched certificate \"%Y\"", cert->get_subject(cert));
        charon->credentials->cache_cert(charon->credentials, cert);
-       
+
        if (*rule == AUTH_HELPER_IM_HASH_URL)
        {
                *rule = AUTH_HELPER_IM_CERT;
@@ -174,11 +174,11 @@ static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
  * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator
  */
 static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
-                                                                          certificate_type_t cert, key_type_t key, 
+                                                                          certificate_type_t cert, key_type_t key,
                                                                           identification_t *id, bool trusted)
 {
        wrapper_enumerator_t *enumerator;
-       
+
        if (trusted)
        {
                return NULL;
@@ -208,16 +208,16 @@ static void destroy(private_auth_cfg_wrapper_t *this)
 auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth)
 {
        private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t);
-       
+
        this->public.set.create_private_enumerator = (void*)return_null;
        this->public.set.create_cert_enumerator = (void*)create_enumerator;
        this->public.set.create_shared_enumerator = (void*)return_null;
        this->public.set.create_cdp_enumerator = (void*)return_null;
        this->public.set.cache_cert = (void*)nop;
        this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy;
-       
+
        this->auth = auth;
-       
+
        return &this->public;
 }
 
index dd5e0fff672489d89640a660c108170812fb17c3..1d9824182d4467f037b1ffcdcf85f4384f8c0a1f 100644 (file)
@@ -35,7 +35,7 @@ struct auth_cfg_wrapper_t {
         * implements credential_set_t
         */
        credential_set_t set;
-               
+
        /**
      * Destroy a auth_cfg_wrapper instance.
      */
index dee0463e681370dde9d47111ec29dcbc23ae4b61..de8994b8286aee964b9bca5acf94974c07da9de9 100644 (file)
@@ -35,22 +35,22 @@ typedef struct relation_t relation_t;
  * A trusted relation between subject and issuer
  */
 struct relation_t {
-       
+
        /**
         * subject of this relation
         */
        certificate_t *subject;
-       
+
        /**
         * issuer of this relation
         */
        certificate_t *issuer;
-       
+
        /**
         * Cache hits
         */
        u_int hits;
-       
+
        /**
         * Lock for this relation
         */
@@ -61,12 +61,12 @@ struct relation_t {
  * private data of cert_cache
  */
 struct private_cert_cache_t {
-       
+
        /**
         * public functions
         */
        cert_cache_t public;
-       
+
        /**
         * array of trusted subject-issuer relations
         */
@@ -82,12 +82,12 @@ static void cache(private_cert_cache_t *this,
        relation_t *rel;
        int i, offset, try;
        u_int total_hits = 0;
-       
+
        /* check for a unused relation slot first */
        for (i = 0; i < CACHE_SIZE; i++)
        {
                rel = &this->relations[i];
-               
+
                if (!rel->subject && rel->lock->try_write_lock(rel->lock))
                {
                        /* double-check having lock */
@@ -109,7 +109,7 @@ static void cache(private_cert_cache_t *this,
                for (i = 0; i < CACHE_SIZE; i++)
                {
                        rel = &this->relations[(i + offset) % CACHE_SIZE];
-                       
+
                        if (rel->hits > total_hits / CACHE_SIZE)
                        {       /* skip often used slots */
                                continue;
@@ -140,11 +140,11 @@ static bool issued_by(private_cert_cache_t *this,
 {
        relation_t *found = NULL, *current;
        int i;
-       
+
        for (i = 0; i < CACHE_SIZE; i++)
        {
                current = &this->relations[i];
-               
+
                current->lock->read_lock(current->lock);
                if (current->subject)
                {
@@ -203,14 +203,14 @@ static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
 {
        public_key_t *public;
        relation_t *rel;
-       
+
        if (this->locked >= 0)
        {
                rel = &this->relations[this->locked];
                rel->lock->unlock(rel->lock);
                this->locked = -1;
        }
-       
+
        while (++this->index < CACHE_SIZE)
        {
                rel = &this->relations[this->index];
@@ -219,7 +219,7 @@ static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
                if (rel->subject)
                {
                        /* CRL lookup is done using issuer/authkeyidentifier */
-                       if (this->key == KEY_ANY && this->id && 
+                       if (this->key == KEY_ANY && this->id &&
                                (this->cert == CERT_ANY || this->cert == CERT_X509_CRL) &&
                                rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
                                rel->subject->has_issuer(rel->subject, this->id))
@@ -261,7 +261,7 @@ static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
 static void cert_enumerator_destroy(cert_enumerator_t *this)
 {
        relation_t *rel;
-       
+
        if (this->locked >= 0)
        {
                rel = &this->relations[this->locked];
@@ -274,11 +274,11 @@ static void cert_enumerator_destroy(cert_enumerator_t *this)
  * implementation of credential_set_t.create_cert_enumerator
  */
 static enumerator_t *create_enumerator(private_cert_cache_t *this,
-                                                                          certificate_type_t cert, key_type_t key, 
+                                                                          certificate_type_t cert, key_type_t key,
                                                                           identification_t *id, bool trusted)
 {
        cert_enumerator_t *enumerator;
-       
+
        if (trusted)
        {
                return NULL;
@@ -292,7 +292,7 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this,
        enumerator->relations = this->relations;
        enumerator->index = -1;
        enumerator->locked = -1;
-       
+
        return &enumerator->public;
 }
 
@@ -303,7 +303,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 {
        relation_t *rel;
        int i;
-       
+
        for (i = 0; i < CACHE_SIZE; i++)
        {
                rel = &this->relations[i];
@@ -346,7 +346,7 @@ static void destroy(private_cert_cache_t *this)
 {
        relation_t *rel;
        int i;
-       
+
        for (i = 0; i < CACHE_SIZE; i++)
        {
                rel = &this->relations[i];
@@ -367,7 +367,7 @@ cert_cache_t *cert_cache_create()
 {
        private_cert_cache_t *this;
        int i;
-       
+
        this = malloc_thing(private_cert_cache_t);
        this->public.set.create_private_enumerator = (void*)return_null;
        this->public.set.create_cert_enumerator = (void*)create_enumerator;
@@ -377,7 +377,7 @@ cert_cache_t *cert_cache_create()
        this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
        this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
        this->public.destroy = (void(*)(cert_cache_t*))destroy;
-       
+
        for (i = 0; i < CACHE_SIZE; i++)
        {
                this->relations[i].subject = NULL;
index a2cae367c89ac9d9d3ed0681efcff5e623ebb6c6..d2721866e59f7b2d913294a47a503ee882aa5973 100644 (file)
@@ -39,7 +39,7 @@ struct cert_cache_t {
         * Implements credential_set_t.
         */
        credential_set_t set;
-       
+
        /**
         * Caching wrapper around certificate_t.issued_by.
         *
@@ -49,14 +49,14 @@ struct cert_cache_t {
         */
        bool (*issued_by)(cert_cache_t *this,
                                          certificate_t *subject, certificate_t *issuer);
-       
+
        /**
         * Flush the certificate cache.
         *
         * @param type                  type of certificate to flush, or CERT_ANY
         */
        void (*flush)(cert_cache_t *this, certificate_type_t type);
-               
+
        /**
         * Destroy a cert_cache instance.
         */
index e9faec4725007492366c7d3a4876d59233289b07..82079209a8630740632f2136571bb7b0c0bdf6b9 100644 (file)
@@ -26,7 +26,7 @@ struct private_ocsp_response_wrapper_t {
         * public functions
         */
        ocsp_response_wrapper_t public;
-       
+
        /**
         * wrapped OCSP response
         */
@@ -98,16 +98,16 @@ static void enumerator_destroy(wrapper_enumerator_t *this)
  * implementation of ocsp_response_wrapper_t.set.create_cert_enumerator
  */
 static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this,
-                                                                          certificate_type_t cert, key_type_t key, 
+                                                                          certificate_type_t cert, key_type_t key,
                                                                           identification_t *id, bool trusted)
 {
        wrapper_enumerator_t *enumerator;
-       
+
        if (trusted)
        {
                return NULL;
        }
-       
+
        enumerator = malloc_thing(wrapper_enumerator_t);
        enumerator->cert = cert;
        enumerator->key = key;
@@ -132,16 +132,16 @@ static void destroy(private_ocsp_response_wrapper_t *this)
 ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response)
 {
        private_ocsp_response_wrapper_t *this = malloc_thing(private_ocsp_response_wrapper_t);
-       
+
        this->public.set.create_private_enumerator = (void*)return_null;
        this->public.set.create_cert_enumerator = (void*)create_enumerator;
        this->public.set.create_shared_enumerator = (void*)return_null;
        this->public.set.create_cdp_enumerator = (void*)return_null;
        this->public.set.cache_cert = (void*)nop;
        this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy;
-       
+
        this->response = response;
-       
+
        return &this->public;
 }
 
index 8f141f7a1c9b08ea3b1fccdd128cdd05d3a441c3..bf746320a9ff294471e4945b85675a0b20756c13 100644 (file)
@@ -35,7 +35,7 @@ struct ocsp_response_wrapper_t {
         * implements credential_set_t
         */
        credential_set_t set;
-               
+
        /**
      * Destroy a ocsp_response_wrapper instance.
      */
index 26858af6c7e12c0a67537c1fc500ef58763b1750..aa8a6a0b8a4030f24f4bb29c42d1512d047be1fc 100644 (file)
@@ -58,7 +58,7 @@ struct private_daemon_t {
         * Public members of daemon_t.
         */
        daemon_t public;
-       
+
        /**
         * Signal set used for signal handling.
         */
@@ -88,7 +88,7 @@ extern void (*dbg) (int level, char *fmt, ...);
 static void dbg_bus(int level, char *fmt, ...)
 {
        va_list args;
-       
+
        va_start(args, fmt);
        charon->bus->vlog(charon->bus, DBG_LIB, level, fmt, args);
        va_end(args);
@@ -100,7 +100,7 @@ static void dbg_bus(int level, char *fmt, ...)
 static void dbg_stderr(int level, char *fmt, ...)
 {
        va_list args;
-       
+
        if (level <= 1)
        {
                va_start(args, fmt);
@@ -117,18 +117,18 @@ static void dbg_stderr(int level, char *fmt, ...)
 static void run(private_daemon_t *this)
 {
        sigset_t set;
-       
+
        /* handle SIGINT, SIGHUP ans SIGTERM in this handler */
        sigemptyset(&set);
        sigaddset(&set, SIGINT);
        sigaddset(&set, SIGHUP);
        sigaddset(&set, SIGTERM);
-       
+
        while (TRUE)
        {
                int sig;
                int error;
-               
+
                error = sigwait(&set, &sig);
                if (error)
                {
@@ -200,7 +200,7 @@ static void destroy(private_daemon_t *this)
        DESTROY_IF(this->public.socket);
        /* wait until all threads are gone */
        DESTROY_IF(this->public.processor);
-       
+
        /* rehook library logging, shutdown logging */
        dbg = dbg_stderr;
        DESTROY_IF(this->public.bus);
@@ -257,7 +257,7 @@ static void drop_capabilities(private_daemon_t *this)
        {
                kill_daemon(this, "change to unprivileged user failed");
        }
-       
+
 #ifdef CAPABILITIES
        if (cap_set_proc(this->caps) != 0)
        {
@@ -287,7 +287,7 @@ static void lookup_uid_gid(private_daemon_t *this)
        {
                char buf[1024];
                struct passwd passwd, *pwp;
-       
+
                if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
                        pwp == NULL)
                {
@@ -300,7 +300,7 @@ static void lookup_uid_gid(private_daemon_t *this)
        {
                char buf[1024];
                struct group group, *grp;
-       
+
                if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
                        grp == NULL)
                {
@@ -319,7 +319,7 @@ static void print_plugins()
        char buf[512], *plugin;
        int len = 0;
        enumerator_t *enumerator;
-       
+
        buf[0] = '\0';
        enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
        while (len < sizeof(buf) && enumerator->enumerate(enumerator, &plugin))
@@ -345,7 +345,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
        level_t  def;
        bool append;
        FILE *file;
-       
+
        /* setup sysloggers */
        enumerator = lib->settings->create_section_enumerator(lib->settings,
                                                                                                                  "charon.syslog");
@@ -378,7 +378,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
                this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
        }
        enumerator->destroy(enumerator);
-       
+
        /* and file loggers */
        enumerator = lib->settings->create_section_enumerator(lib->settings,
                                                                                                                  "charon.filelog");
@@ -418,10 +418,10 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
                this->public.file_loggers->insert_last(this->public.file_loggers,
                                                                                           file_logger);
                this->public.bus->add_listener(this->public.bus, &file_logger->listener);
-       
+
        }
        enumerator->destroy(enumerator);
-       
+
        /* set up legacy style default loggers provided via command-line */
        if (!loggers_defined)
        {
@@ -443,7 +443,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
                                file_logger->set_level(file_logger, group, levels[group]);
                        }
                }
-               
+
                /* set up default auth sys_logger */
                sys_logger = sys_logger_create(LOG_AUTHPRIV);
                this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
@@ -460,14 +460,14 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 {
        /* for uncritical pseudo random numbers */
        srandom(time(NULL) + getpid());
-       
+
        /* setup bus and it's listeners first to enable log output */
        this->public.bus = bus_create();
        /* set up hook to log dbg message in library via charons message bus */
        dbg = dbg_bus;
-       
+
        initialize_loggers(this, !syslog, levels);
-       
+
        DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")");
 
        if (lib->integrity)
@@ -489,14 +489,14 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
        this->public.kernel_interface = kernel_interface_create();
        this->public.socket = socket_create();
        this->public.traps = trap_manager_create();
-       
+
        /* load plugins, further infrastructure may need it */
        if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
                        lib->settings->get_str(lib->settings, "charon.load", PLUGINS)))
        {
                return FALSE;
        }
-       
+
        print_plugins();
 
        this->public.ike_sa_manager = ike_sa_manager_create();
@@ -510,7 +510,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
        {
                return FALSE;
        }
-       
+
 #ifdef ME
        this->public.connect_manager = connect_manager_create();
        if (this->public.connect_manager == NULL)
@@ -519,7 +519,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
        }
        this->public.mediation_manager = mediation_manager_create();
 #endif /* ME */
-       
+
        return TRUE;
 }
 
@@ -529,12 +529,12 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 static void segv_handler(int signal)
 {
        backtrace_t *backtrace;
-       
+
        DBG1(DBG_DMN, "thread %u received %d", pthread_self(), signal);
        backtrace = backtrace_create(2);
        backtrace->log(backtrace, stderr);
        backtrace->destroy(backtrace);
-       
+
        DBG1(DBG_DMN, "killing ourself, received critical signal");
        raise(SIGKILL);
 }
@@ -546,11 +546,11 @@ private_daemon_t *daemon_create(void)
 {
        struct sigaction action;
        private_daemon_t *this = malloc_thing(private_daemon_t);
-               
+
        /* assign methods */
        this->public.kill = (void (*) (daemon_t*,char*))kill_daemon;
        this->public.keep_cap = (void(*)(daemon_t*, u_int cap))keep_cap;
-       
+
        /* NULL members for clean destruction */
        this->public.socket = NULL;
        this->public.ike_sa_manager = NULL;
@@ -575,7 +575,7 @@ private_daemon_t *daemon_create(void)
 #endif /* ME */
        this->public.uid = 0;
        this->public.gid = 0;
-       
+
        this->public.main_thread_id = pthread_self();
 #ifdef CAPABILITIES
        this->caps = cap_init();
@@ -585,7 +585,7 @@ private_daemon_t *daemon_create(void)
                keep_cap(this, CAP_SYS_NICE);
        }
 #endif /* CAPABILITIES */
-       
+
        /* add handler for SEGV and ILL,
         * add handler for USR1 (cancellation).
         * INT, TERM and HUP are handled by sigwait() in run() */
@@ -600,9 +600,9 @@ private_daemon_t *daemon_create(void)
        sigaction(SIGBUS, &action, NULL);
        action.sa_handler = SIG_IGN;
        sigaction(SIGPIPE, &action, NULL);
-       
+
        pthread_sigmask(SIG_SETMASK, &action.sa_mask, 0);
-       
+
        return this;
 }
 
@@ -613,7 +613,7 @@ static bool check_pidfile()
 {
        struct stat stb;
        FILE *file;
-       
+
        if (stat(PID_FILE, &stb) == 0)
        {
                file = fopen(PID_FILE, "r");
@@ -621,7 +621,7 @@ static bool check_pidfile()
                {
                        char buf[64];
                        pid_t pid = 0;
-                       
+
                        memset(buf, 0, sizeof(buf));
                        if (fread(buf, 1, sizeof(buf), file))
                        {
@@ -636,7 +636,7 @@ static bool check_pidfile()
                DBG1(DBG_DMN, "removing pidfile '"PID_FILE"', process not running");
                unlink(PID_FILE);
        }
-       
+
        /* create new pidfile */
        file = fopen(PID_FILE, "w");
        if (file)
@@ -679,17 +679,17 @@ int main(int argc, char *argv[])
        private_daemon_t *private_charon;
        level_t levels[DBG_MAX];
        int group;
-       
+
        /* logging for library during initialization, as we have no bus yet */
        dbg = dbg_stderr;
-       
+
        /* initialize library */
        if (!library_init(STRONGSWAN_CONF))
        {
                library_deinit();
                exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
        }
-       
+
        if (lib->integrity &&
                !lib->integrity->check_file(lib->integrity, "charon", argv[0]))
        {
@@ -697,7 +697,7 @@ int main(int argc, char *argv[])
                library_deinit();
                exit(SS_RC_DAEMON_INTEGRITY);
        }
-       
+
        lib->printf_hook->add_handler(lib->printf_hook, 'R',
                                                                  traffic_selector_printf_hook,
                                                                  PRINTF_HOOK_ARGTYPE_POINTER,
@@ -708,15 +708,15 @@ int main(int argc, char *argv[])
                                                                  PRINTF_HOOK_ARGTYPE_END);
        private_charon = daemon_create();
        charon = (daemon_t*)private_charon;
-       
+
        lookup_uid_gid(private_charon);
-       
+
        /* use CTRL loglevel for default */
        for (group = 0; group < DBG_MAX; group++)
        {
                levels[group] = LEVEL_CTRL;
        }
-       
+
        /* handle arguments */
        for (;;)
        {
@@ -737,7 +737,7 @@ int main(int argc, char *argv[])
                        { "debug-lib", required_argument, &group, DBG_LIB },
                        { 0,0,0,0 }
                };
-               
+
                int c = getopt_long(argc, argv, "", long_opts, NULL);
                switch (c)
                {
@@ -762,7 +762,7 @@ int main(int argc, char *argv[])
                }
                break;
        }
-       
+
        /* initialize daemon */
        if (!initialize(private_charon, use_syslog, levels))
        {
@@ -770,31 +770,31 @@ int main(int argc, char *argv[])
                destroy(private_charon);
                exit(SS_RC_INITIALIZATION_FAILED);
        }
-       
+
        if (check_pidfile())
        {
                DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
                destroy(private_charon);
                exit(-1);
        }
-       
+
        /* drop the capabilities we won't need */
        drop_capabilities(private_charon);
-       
+
        /* start the engine, go multithreaded */
        charon->processor->set_threads(charon->processor,
                                                lib->settings->get_int(lib->settings, "charon.threads",
                                                                                           DEFAULT_THREADS));
-       
+
        /* run daemon */
        run(private_charon);
-       
+
        /* normal termination, cleanup and exit */
        destroy(private_charon);
        unlink(PID_FILE);
-       
+
        library_deinit();
-       
+
        return 0;
 }
 
index 430654c8ea7325efe64a26232fe8e872d08a3349..e00a1afba06acab67da3f83755405e8fb6b87092 100644 (file)
@@ -199,104 +199,104 @@ typedef struct daemon_t daemon_t;
  * Main class of daemon, contains some globals.
  */
 struct daemon_t {
-       
+
        /**
         * A socket_t instance.
         */
        socket_t *socket;
-       
+
        /**
         * A ike_sa_manager_t instance.
         */
        ike_sa_manager_t *ike_sa_manager;
-       
+
        /**
         * Manager for triggering policies, called traps
         */
        trap_manager_t *traps;
-       
+
        /**
         * Manager for the different configuration backends.
         */
        backend_manager_t *backends;
-       
+
        /**
         * Manager for IKEv2 cfg payload attributes
         */
        attribute_manager_t *attributes;
-       
+
        /**
         * Manager for the credential backends
         */
        credential_manager_t *credentials;
-       
+
        /**
         * The Sender-Thread.
         */
        sender_t *sender;
-       
+
        /**
         * The Receiver-Thread.
         */
        receiver_t *receiver;
-       
+
        /**
         * The Scheduler-Thread.
         */
        scheduler_t *scheduler;
-       
+
        /**
         * Job processing using a thread pool.
         */
        processor_t *processor;
-       
+
        /**
         * The signaling bus.
         */
        bus_t *bus;
-       
+
        /**
         * A list of installed file_logger_t's
         */
        linked_list_t *file_loggers;
-       
+
        /**
         * A list of installed sys_logger_t's
         */
        linked_list_t *sys_loggers;
-       
+
        /**
         * Kernel Interface to communicate with kernel
         */
        kernel_interface_t *kernel_interface;
-       
+
        /**
         * Controller to control the daemon
         */
        controller_t *controller;
-       
+
        /**
         * EAP manager to maintain registered EAP methods
         */
        eap_manager_t *eap;
-       
+
        /**
         * SIM manager to maintain SIM cards/providers
         */
        sim_manager_t *sim;
-       
+
 #ifdef ME
        /**
         * Connect manager
         */
        connect_manager_t *connect_manager;
-       
+
        /**
         * Mediation manager
         */
        mediation_manager_t *mediation_manager;
 #endif /* ME */
-       
+
        /**
         * User ID the daemon will user after initialization
         */
@@ -306,12 +306,12 @@ struct daemon_t {
         * Group ID the daemon will use after initialization
         */
        gid_t gid;
-       
+
        /**
         * The thread_id of main-thread.
         */
        pthread_t main_thread_id;
-       
+
        /**
         * Do not drop a given capability after initialization.
         *
@@ -320,7 +320,7 @@ struct daemon_t {
         * drop these.
         */
        void (*keep_cap)(daemon_t *this, u_int cap);
-       
+
        /**
         * Shut down the daemon.
         *
index 406cfc6888e911cf159f6a2794307cd23838ee88..e8db55a7f3eaacf55947f7ef26af7bc21320cc8c 100644 (file)
@@ -53,55 +53,55 @@ struct private_generator_t {
         * Public part of a generator_t object.
         */
         generator_t public;
-       
+
        /**
         * Buffer used to generate the data into.
         */
        u_int8_t *buffer;
-       
+
        /**
         * Current write position in buffer (one byte aligned).
         */
        u_int8_t *out_position;
-       
+
        /**
         * Position of last byte in buffer.
         */
        u_int8_t *roof_position;
-       
+
        /**
         * Current bit writing to in current byte (between 0 and 7).
         */
        u_int8_t current_bit;
-       
+
        /**
         * Associated data struct to read informations from.
         */
        void *data_struct;
-       
+
        /*
         * Last payload length position offset in the buffer.
         */
        u_int32_t last_payload_length_position_offset;
-       
+
        /**
         * Offset of the header length field in the buffer.
         */
        u_int32_t header_length_position_offset;
-       
+
        /**
         * Last SPI size.
         */
        u_int8_t last_spi_size;
-       
+
        /**
         * Attribute format of the last generated transform attribute.
         *
-        * Used to check if a variable value field is used or not for 
+        * Used to check if a variable value field is used or not for
         * the transform attribute value.
         */
        bool attribute_format;
-       
+
        /**
         * Depending on the value of attribute_format this field is used
         * to hold the length of the transform attribute in bytes.
@@ -149,14 +149,14 @@ static void make_space_available(private_generator_t *this, int bits)
        while ((get_space(this) * 8 - this->current_bit) < bits)
        {
                int old_buffer_size, new_buffer_size, out_position_offset;
-               
+
                old_buffer_size = get_size(this);
                new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
                out_position_offset = this->out_position - this->buffer;
-               
-               DBG2(DBG_ENC, "increasing gen buffer from %d to %d byte", 
+
+               DBG2(DBG_ENC, "increasing gen buffer from %d to %d byte",
                         old_buffer_size, new_buffer_size);
-               
+
                this->buffer = realloc(this->buffer,new_buffer_size);
                this->out_position = (this->buffer + out_position_offset);
                this->roof_position = (this->buffer + new_buffer_size);
@@ -171,9 +171,9 @@ static void write_bytes_to_buffer(private_generator_t *this, void *bytes,
 {
        int i;
        u_int8_t *read_position = (u_int8_t *)bytes;
-       
+
        make_space_available(this, number_of_bytes * 8);
-       
+
        for (i = 0; i < number_of_bytes; i++)
        {
                *(this->out_position) = *(read_position);
@@ -192,14 +192,14 @@ static void write_bytes_to_buffer_at_offset(private_generator_t *this,
        u_int8_t *read_position = (u_int8_t *)bytes;
        u_int8_t *write_position;
        u_int32_t free_space_after_offset = get_size(this) - offset;
-       
-       /* check first if enough space for new data is available */     
+
+       /* check first if enough space for new data is available */
        if (number_of_bytes > free_space_after_offset)
        {
-               make_space_available(this, 
+               make_space_available(this,
                                                         (number_of_bytes - free_space_after_offset) * 8);
        }
-       
+
        write_position = this->buffer + offset;
        for (i = 0; i < number_of_bytes; i++)
        {
@@ -216,7 +216,7 @@ static void generate_u_int_type(private_generator_t *this,
                                                                encoding_type_t int_type,u_int32_t offset)
 {
        int number_of_bits = 0;
-       
+
        /* find out number of bits of each U_INT type to check for enough space */
        switch (int_type)
        {
@@ -251,14 +251,14 @@ static void generate_u_int_type(private_generator_t *this,
                         encoding_type_names, int_type);
                return;
        }
-       
+
        make_space_available(this, number_of_bits);
        switch (int_type)
        {
                case U_INT_4:
                {
                        u_int8_t high, low;
-                       
+
                        if (this->current_bit == 0)
                        {
                                /* high of current byte in buffer has to be set to the new value*/
@@ -303,7 +303,7 @@ static void generate_u_int_type(private_generator_t *this,
                {
                        u_int8_t attribute_format_flag;
                        u_int16_t val;
-                       
+
                        /* attribute type must not change first bit of current byte */
                        if (this->current_bit != 1)
                        {
@@ -325,7 +325,7 @@ static void generate_u_int_type(private_generator_t *this,
                        write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
                        this->current_bit = 0;
                        break;
-                       
+
                }
                case U_INT_16:
                case CONFIGURATION_ATTRIBUTE_LENGTH:
@@ -372,11 +372,11 @@ static void generate_reserved_field(private_generator_t *this, int bits)
                return ;
        }
        make_space_available(this, bits);
-       
+
        if (bits == 1)
        {
                u_int8_t reserved_bit = ~(1 << (7 - this->current_bit));
-               
+
                *(this->out_position) = *(this->out_position) & reserved_bit;
                if (this->current_bit == 0)
                {
@@ -410,11 +410,11 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
 {
        u_int8_t flag_value;
        u_int8_t flag;
-       
+
        flag_value = (*((bool *) (this->data_struct + offset))) ? 1 : 0;
        /* get flag position */
        flag = (flag_value << (7 - this->current_bit));
-       
+
        /* make sure one bit is available in buffer */
        make_space_available(this, 1);
        if (this->current_bit == 0)
@@ -422,10 +422,10 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
                /* memory must be zero */
                *(this->out_position) = 0x00;
        }
-       
+
        *(this->out_position) = *(this->out_position) | flag;
        DBG3(DBG_ENC, "   => %d", *this->out_position);
-       
+
        this->current_bit++;
        if (this->current_bit >= 8)
        {
@@ -440,16 +440,16 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
 static void generate_from_chunk(private_generator_t *this, u_int32_t offset)
 {
        chunk_t *value;
-       
+
        if (this->current_bit != 0)
        {
                DBG1(DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit);
                return ;
        }
-       
+
        value = (chunk_t *)(this->data_struct + offset);
        DBG3(DBG_ENC, "   => %B", value);
-       
+
        write_bytes_to_buffer(this, value->ptr, value->len);
 }
 
@@ -460,7 +460,7 @@ static void write_to_chunk(private_generator_t *this,chunk_t *data)
 {
        int data_length = get_length(this);
        u_int32_t header_length_field = data_length;
-       
+
        /* write length into header length field */
        if (this->header_length_position_offset > 0)
        {
@@ -468,14 +468,14 @@ static void write_to_chunk(private_generator_t *this,chunk_t *data)
                write_bytes_to_buffer_at_offset(this, &val, sizeof(u_int32_t),
                                                                                this->header_length_position_offset);
        }
-       
+
        if (this->current_bit > 0)
        {
                data_length++;
        }
        *data = chunk_alloc(data_length);
        memcpy(data->ptr, this->buffer, data_length);
-       
+
        DBG3(DBG_ENC, "generated data of this generator %B", data);
 }
 
@@ -488,20 +488,20 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
        size_t rule_count;
        encoding_rule_t *rules;
        payload_type_t payload_type;
-       
+
        this->data_struct = payload;
        payload_type = payload->get_type(payload);
        /* spi size has to get reseted */
        this->last_spi_size = 0;
-       
+
        offset_start = this->out_position - this->buffer;
-       
+
        DBG2(DBG_ENC, "generating payload of type %N",
                 payload_type_names, payload_type);
-       
+
        /* each payload has its own encoding rules */
        payload->get_encoding_rules(payload, &rules, &rule_count);
-       
+
        for (i = 0; i < rule_count;i++)
        {
                DBG2(DBG_ENC, "  generating rule %d %N",
@@ -529,7 +529,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                        {
                                generate_reserved_field(this, 8);
                                break;
-                       } 
+                       }
                        case FLAG:
                        {
                                generate_flag(this, rules[i].offset);
@@ -578,7 +578,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                                u_int16_t length_of_payload;
                                u_int16_t header_length = 0;
                                u_int16_t length_in_network_order;
-                               
+
                                switch(rules[i].type)
                                {
                                        case KEY_EXCHANGE_DATA:
@@ -619,13 +619,13 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                                                break;
                                }
                                generate_from_chunk(this, rules[i].offset);
-                               
+
                                payload_length_position_offset =
                                                                        this->last_payload_length_position_offset;
-                               
-                               length_of_payload = header_length + 
+
+                               length_of_payload = header_length +
                                                ((chunk_t *)(this->data_struct + rules[i].offset))->len;
-                               
+
                                length_in_network_order = htons(length_of_payload);
                                write_bytes_to_buffer_at_offset(this, &length_in_network_order,
                                                        sizeof(u_int16_t), payload_length_position_offset);
@@ -633,7 +633,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                        }
                        case PROPOSALS:
                        {
-                               u_int32_t payload_length_position_offset = 
+                               u_int32_t payload_length_position_offset =
                                                                        this->last_payload_length_position_offset;
                                /* Length of SA_PAYLOAD is calculated */
                                u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH;
@@ -642,13 +642,13 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                                                                                (this->data_struct + rules[i].offset));
                                iterator_t *iterator;
                                payload_t *current_proposal;
-                               
+
                                iterator = proposals->create_iterator(proposals,TRUE);
                                while (iterator->iterate(iterator, (void**)&current_proposal))
                                {
                                        u_int32_t before_generate_position_offset;
                                        u_int32_t after_generate_position_offset;
-                                       
+
                                        before_generate_position_offset = get_offset(this);
                                        generate_payload(this, current_proposal);
                                        after_generate_position_offset = get_offset(this);
@@ -656,7 +656,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                                                                                         before_generate_position_offset);
                                }
                                iterator->destroy(iterator);
-                               
+
                                int16_val = htons(length_of_sa_payload);
                                write_bytes_to_buffer_at_offset(this, &int16_val,
                                                        sizeof(u_int16_t),payload_length_position_offset);
@@ -664,36 +664,36 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                        }
                        case TRANSFORMS:
                        {
-                               u_int32_t payload_length_position_offset = 
+                               u_int32_t payload_length_position_offset =
                                                                        this->last_payload_length_position_offset;
-                               u_int16_t length_of_proposal = 
+                               u_int16_t length_of_proposal =
                                        PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size;
                                u_int16_t int16_val;
                                linked_list_t *transforms = *((linked_list_t **)
                                                                                (this->data_struct + rules[i].offset));
                                iterator_t *iterator;
                                payload_t *current_transform;
-                               
+
                                iterator = transforms->create_iterator(transforms,TRUE);
                                while (iterator->iterate(iterator, (void**)&current_transform))
                                {
                                        u_int32_t before_generate_position_offset;
                                        u_int32_t after_generate_position_offset;
-                                       
+
                                        before_generate_position_offset = get_offset(this);
                                        generate_payload(this, current_transform);
                                        after_generate_position_offset = get_offset(this);
-                                       
+
                                        length_of_proposal += (after_generate_position_offset -
                                                                                   before_generate_position_offset);
                                }
                                iterator->destroy(iterator);
-                               
+
                                int16_val = htons(length_of_proposal);
                                write_bytes_to_buffer_at_offset(this, &int16_val,
                                                        sizeof(u_int16_t), payload_length_position_offset);
                                break;
-                       }       
+                       }
                        case TRANSFORM_ATTRIBUTES:
                        {
                                u_int32_t transform_length_position_offset =
@@ -705,32 +705,32 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                                                                        (this->data_struct + rules[i].offset));
                                iterator_t *iterator;
                                payload_t *current_attribute;
-                               
+
                                iterator = transform_attributes->create_iterator(
                                                                                                        transform_attributes, TRUE);
                                while (iterator->iterate(iterator, (void**)&current_attribute))
                                {
                                        u_int32_t before_generate_position_offset;
                                        u_int32_t after_generate_position_offset;
-                                       
+
                                        before_generate_position_offset = get_offset(this);
                                        generate_payload(this, current_attribute);
                                        after_generate_position_offset = get_offset(this);
-                                       
+
                                        length_of_transform += (after_generate_position_offset -
                                                                                        before_generate_position_offset);
                                }
-                               
+
                                iterator->destroy(iterator);
-                               
+
                                int16_val = htons(length_of_transform);
-                               write_bytes_to_buffer_at_offset(this, &int16_val, 
+                               write_bytes_to_buffer_at_offset(this, &int16_val,
                                                        sizeof(u_int16_t),transform_length_position_offset);
                                break;
                        }
                        case CONFIGURATION_ATTRIBUTES:
                        {
-                               u_int32_t configurations_length_position_offset = 
+                               u_int32_t configurations_length_position_offset =
                                                                        this->last_payload_length_position_offset;
                                u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH;
                                u_int16_t int16_val;
@@ -738,29 +738,29 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                                                                                (this->data_struct + rules[i].offset));
                                iterator_t *iterator;
                                payload_t *current_attribute;
-                               
+
                                iterator = configuration_attributes->create_iterator(
                                                                                                configuration_attributes,TRUE);
                                while (iterator->iterate(iterator, (void**)&current_attribute))
                                {
                                        u_int32_t before_generate_position_offset;
                                        u_int32_t after_generate_position_offset;
-                                       
+
                                        before_generate_position_offset = get_offset(this);
                                        generate_payload(this, current_attribute);
                                        after_generate_position_offset = get_offset(this);
-                                       
+
                                        length_of_configurations += after_generate_position_offset -
                                                                                        before_generate_position_offset;
                                }
-                               
+
                                iterator->destroy(iterator);
-                               
+
                                int16_val = htons(length_of_configurations);
-                               write_bytes_to_buffer_at_offset(this, &int16_val, 
+                               write_bytes_to_buffer_at_offset(this, &int16_val,
                                         sizeof(u_int16_t),configurations_length_position_offset);
                                break;
-                       }       
+                       }
                        case ATTRIBUTE_FORMAT:
                        {
                                generate_flag(this, rules[i].offset);
@@ -768,7 +768,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                                this->attribute_format =
                                                        *((bool *)(this->data_struct + rules[i].offset));
                                break;
-                       }       
+                       }
 
                        case ATTRIBUTE_LENGTH_OR_VALUE:
                        {
@@ -797,7 +797,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                        }
                        case TRAFFIC_SELECTORS:
                        {
-                               u_int32_t payload_length_position_offset = 
+                               u_int32_t payload_length_position_offset =
                                                                        this->last_payload_length_position_offset;
                                u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH;
                                u_int16_t int16_val;
@@ -805,29 +805,29 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                                                                                (this->data_struct + rules[i].offset));
                                iterator_t *iterator;
                                payload_t *current_tss;
-                               
+
                                iterator = traffic_selectors->create_iterator(
                                                                                                        traffic_selectors,TRUE);
                                while (iterator->iterate(iterator, (void **)&current_tss))
                                {
                                        u_int32_t before_generate_position_offset;
                                        u_int32_t after_generate_position_offset;
-                                       
+
                                        before_generate_position_offset = get_offset(this);
                                        generate_payload(this, current_tss);
                                        after_generate_position_offset = get_offset(this);
-                                       
+
                                        length_of_ts_payload += (after_generate_position_offset -
                                                                                         before_generate_position_offset);
                                }
                                iterator->destroy(iterator);
-                               
+
                                int16_val = htons(length_of_ts_payload);
                                write_bytes_to_buffer_at_offset(this, &int16_val,
                                                        sizeof(u_int16_t),payload_length_position_offset);
                                break;
-                       }       
-                       
+                       }
+
                        case ENCRYPTED_DATA:
                        {
                                generate_from_chunk(this, rules[i].offset);
@@ -869,10 +869,10 @@ generator_t *generator_create()
        this->public.generate_payload = (void(*)(generator_t*, payload_t *))generate_payload;
        this->public.destroy = (void(*)(generator_t*)) destroy;
        this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *))write_to_chunk;
-       
+
        /* allocate memory for buffer */
        this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE);
-       
+
        /* initiate private variables */
        this->out_position = this->buffer;
        this->roof_position = this->buffer + GENERATOR_DATA_BUFFER_SIZE;
@@ -880,7 +880,7 @@ generator_t *generator_create()
        this->current_bit = 0;
        this->last_payload_length_position_offset = 0;
        this->header_length_position_offset = 0;
-       
+
        return &(this->public);
 }
 
index f6fb8981cef546c90fb15dcc630ce0e9dd8e63e9..2221c84af18f5f2484534140fad1b351b92eebe7 100644 (file)
@@ -44,7 +44,7 @@ typedef struct generator_t generator_t;
  * A generator_t class used to generate IKEv2 payloads.
  *
  * After creation, multiple payloads can be generated with the generate_payload
- * method. The generated bytes are appended. After all payloads are added, 
+ * method. The generated bytes are appended. After all payloads are added,
  * the write_to_chunk method writes out all generated data since
  * the creation of the generator. After that, the generator must be destroyed.
  * The generater uses a set of encoding rules, which it can get from
@@ -52,7 +52,7 @@ typedef struct generator_t generator_t;
  * the payload and all substructures automatically.
  */
 struct generator_t {
-       
+
        /**
         * Generates a specific payload from given payload object.
         *
@@ -61,14 +61,14 @@ struct generator_t {
         * @param payload               interface payload_t implementing object
         */
        void (*generate_payload) (generator_t *this,payload_t *payload);
-       
+
        /**
         * Writes all generated data of the generator to a chunk.
         *
         * @param data          chunk to write the data to
         */
        void (*write_to_chunk) (generator_t *this,chunk_t *data);
-       
+
        /**
         * Destroys a generator_t object.
         */
@@ -77,7 +77,7 @@ struct generator_t {
 
 /**
  * Constructor to create a generator.
- * 
+ *
  * @return generator_t object.
  */
 generator_t *generator_create(void);
index ff82a57c7b6b5dd8f9a88e21ec9a689b8144f831..5fe840604758aeb7fedbc932e447612e12dbbf61 100644 (file)
@@ -56,7 +56,7 @@ struct payload_rule_t {
         * Payload type.
         */
         payload_type_t payload_type;
-        
+
         /**
          * Minimal occurence of this payload.
          */
@@ -66,12 +66,12 @@ struct payload_rule_t {
          * Max occurence of this payload.
          */
         size_t max_occurence;
-        
+
         /**
          * TRUE if payload must be encrypted
          */
         bool encrypted;
-        
+
         /**
          * If this payload occurs, the message rule is
          * fullfilled in any case. This applies e.g. to
@@ -91,7 +91,7 @@ struct payload_order_t {
         * payload type
         */
        payload_type_t type;
-       
+
        /**
         * notify type, if payload == NOTIFY
         */
@@ -111,7 +111,7 @@ struct message_rule_t {
         * Type of message.
         */
        exchange_type_t exchange_type;
-       
+
        /**
         * Is message a request or response.
         */
@@ -121,22 +121,22 @@ struct message_rule_t {
         * Message contains encrypted content.
         */
        bool encrypted_content;
-       
+
        /**
         * Number of payload rules which will follow
         */
        int payload_rule_count;
-        
+
        /**
         * Pointer to first payload rule
         */
        payload_rule_t *payload_rules;
-       
+
        /**
         * Number of payload order rules
         */
        int payload_order_count;
-       
+
        /**
         * payload ordering rules
         */
@@ -536,12 +536,12 @@ struct private_message_t {
         * Minor version of message.
         */
        u_int8_t major_version;
-       
+
        /**
         * Major version of message.
         */
        u_int8_t minor_version;
-       
+
        /**
         * First Payload in message.
         */
@@ -556,32 +556,32 @@ struct private_message_t {
         * TRUE if message is a request, FALSE if a reply.
         */
        bool is_request;
-       
+
        /**
         * Message ID of this message.
         */
        u_int32_t message_id;
-       
+
        /**
         * ID of assigned IKE_SA.
         */
        ike_sa_id_t *ike_sa_id;
-       
+
        /**
         * Assigned UDP packet, stores incoming packet or last generated one.
         */
        packet_t *packet;
-        
+
        /**
         * Linked List where payload data are stored in.
         */
        linked_list_t *payloads;
-       
+
         /**
          * Assigned parser to parse Header and Body of this message.
          */
        parser_t *parser;
-       
+
        /**
         * The message rule for this message instance
         */
@@ -594,7 +594,7 @@ struct private_message_t {
 static  status_t set_message_rule(private_message_t *this)
 {
        int i;
-               
+
        for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
        {
                if ((this->exchange_type == message_rules[i].exchange_type) &&
@@ -615,7 +615,7 @@ static  status_t set_message_rule(private_message_t *this)
 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
 {
        int i;
-       
+
        for (i = 0; i < this->message_rule->payload_rule_count;i++)
        {
                if (this->message_rule->payload_rules[i].payload_type == payload_type)
@@ -624,7 +624,7 @@ static status_t get_payload_rule(private_message_t *this, payload_type_t payload
                        return SUCCESS;
                }
        }
-       
+
        *payload_rule = NULL;
        return NOT_FOUND;
 }
@@ -757,7 +757,7 @@ static exchange_type_t get_request (private_message_t *this)
 static bool is_encoded(private_message_t *this)
 {
        chunk_t data = this->packet->get_data(this->packet);
-       
+
        if (data.ptr == NULL)
        {
                return FALSE;
@@ -796,7 +796,7 @@ static void add_notify(private_message_t *this, bool flush, notify_type_t type,
 {
        notify_payload_t *notify;
        payload_t *payload;
-       
+
        if (flush)
        {
                while (this->payloads->remove_last(this->payloads,
@@ -858,7 +858,7 @@ static payload_t *get_payload(private_message_t *this, payload_type_t type)
 {
        payload_t *current, *found = NULL;
        enumerator_t *enumerator;
-       
+
        enumerator = create_payload_enumerator(this);
        while (enumerator->enumerate(enumerator, &current))
        {
@@ -880,7 +880,7 @@ static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
        enumerator_t *enumerator;
        notify_payload_t *notify = NULL;
        payload_t *payload;
-       
+
        enumerator = create_payload_enumerator(this);
        while (enumerator->enumerate(enumerator, &payload))
        {
@@ -907,10 +907,10 @@ static char* get_string(private_message_t *this, char *buf, int len)
        payload_t *payload;
        int written;
        char *pos = buf;
-       
+
        memset(buf, 0, len);
        len--;
-       
+
        written = snprintf(pos, len, "%N %s %d [",
                                           exchange_type_names, this->exchange_type,
                                           this->is_request ? "request" : "response",
@@ -921,7 +921,7 @@ static char* get_string(private_message_t *this, char *buf, int len)
        }
        pos += written;
        len -= written;
-       
+
        enumerator = create_payload_enumerator(this);
        while (enumerator->enumerate(enumerator, &payload))
        {
@@ -947,7 +947,7 @@ static char* get_string(private_message_t *this, char *buf, int len)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        /* remove last space */
        snprintf(pos, len, " ]");
        return buf;
@@ -961,7 +961,7 @@ static void order_payloads(private_message_t *this)
        linked_list_t *list;
        payload_t *payload;
        int i;
-       
+
        /* move to temp list */
        list = linked_list_create();
        while (this->payloads->remove_last(this->payloads,
@@ -975,7 +975,7 @@ static void order_payloads(private_message_t *this)
                enumerator_t *enumerator;
                notify_payload_t *notify;
                payload_order_t order = this->message_rule->payload_order[i];
-               
+
                /* ... find all payload ... */
                enumerator = list->create_enumerator(list);
                while (enumerator->enumerate(enumerator, &payload))
@@ -984,7 +984,7 @@ static void order_payloads(private_message_t *this)
                        if (payload->get_type(payload) == order.type)
                        {
                                notify = (notify_payload_t*)payload;
-                       
+
                                /**... and check notify for type. */
                                if (order.type != NOTIFY || order.notify == 0 ||
                                        order.notify == notify->get_notify_type(notify))
@@ -1017,24 +1017,24 @@ static status_t encrypt_payloads(private_message_t *this,
        encryption_payload_t *encryption_payload = NULL;
        status_t status;
        linked_list_t *all_payloads;
-       
+
        if (!this->message_rule->encrypted_content)
        {
                DBG2(DBG_ENC, "message doesn't have to be encrypted");
                /* message contains no content to encrypt */
                return SUCCESS;
        }
-       
+
        if (!crypter || !signer)
        {
                DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
                /* message contains no content to encrypt */
                return SUCCESS;
        }
-       
+
        DBG2(DBG_ENC, "copy all payloads to a temporary list");
        all_payloads = linked_list_create();
-       
+
        /* first copy all payloads in a temporary list */
        while (this->payloads->get_count(this->payloads) > 0)
        {
@@ -1042,7 +1042,7 @@ static status_t encrypt_payloads(private_message_t *this,
                this->payloads->remove_first(this->payloads,&current_payload);
                all_payloads->insert_last(all_payloads,current_payload);
        }
-       
+
        encryption_payload = encryption_payload_create();
 
        DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
@@ -1051,9 +1051,9 @@ static status_t encrypt_payloads(private_message_t *this,
                payload_rule_t *payload_rule;
                payload_t *current_payload;
                bool to_encrypt = FALSE;
-               
+
                all_payloads->remove_first(all_payloads,(void **)&current_payload);
-               
+
                status = get_payload_rule(this,
                                        current_payload->get_type(current_payload),&payload_rule);
                /* for payload types which are not found in supported payload list,
@@ -1064,7 +1064,7 @@ static status_t encrypt_payloads(private_message_t *this,
                                 payload_type_names, current_payload->get_type(current_payload));
                        to_encrypt = TRUE;
                }
-               
+
                if (to_encrypt)
                {
                        DBG2(DBG_ENC, "insert payload %N to encryption payload",
@@ -1085,9 +1085,9 @@ static status_t encrypt_payloads(private_message_t *this,
        status = encryption_payload->encrypt(encryption_payload);
        DBG2(DBG_ENC, "add encrypted payload to payload list");
        add_payload(this, (payload_t*)encryption_payload);
-       
+
        all_payloads->destroy(all_payloads);
-       
+
        return status;
 }
 
@@ -1104,20 +1104,20 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
        status_t status;
        chunk_t packet_data;
        char str[256];
-       
+
        if (is_encoded(this))
        {
                /* already generated, return a new packet clone */
                *packet = this->packet->clone(this->packet);
                return SUCCESS;
        }
-       
+
        if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
        {
                DBG1(DBG_ENC, "exchange type is not defined");
                return INVALID_STATE;
        }
-       
+
        if (this->packet->get_source(this->packet) == NULL ||
                this->packet->get_destination(this->packet) == NULL)
        {
@@ -1125,7 +1125,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
                         !this->packet->get_source(this->packet) ? "source" : "destination");
                return INVALID_STATE;
        }
-       
+
        /* set the rules for this messge */
        status = set_message_rule(this);
        if (status != SUCCESS)
@@ -1133,11 +1133,11 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
                DBG1(DBG_ENC, "no message rules specified for this message type");
                return NOT_SUPPORTED;
        }
-       
+
        order_payloads(this);
-       
+
        DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
-       
+
        /* going to encrypt all content which have to be encrypted */
        status = encrypt_payloads(this, crypter, signer);
        if (status != SUCCESS)
@@ -1145,21 +1145,21 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
                DBG1(DBG_ENC, "payload encryption failed");
                return status;
        }
-       
+
        /* build ike header */
        ike_header = ike_header_create();
-       
+
        ike_header->set_exchange_type(ike_header, this->exchange_type);
        ike_header->set_message_id(ike_header, this->message_id);
        ike_header->set_response_flag(ike_header, !this->is_request);
        ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
        ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
        ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
-       
+
        generator = generator_create();
-       
+
        payload = (payload_t*)ike_header;
-       
+
        /* generate every payload expect last one, this is done later*/
        enumerator = create_payload_enumerator(this);
        while (enumerator->enumerate(enumerator, &next_payload))
@@ -1169,18 +1169,18 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
                payload = next_payload;
        }
        enumerator->destroy(enumerator);
-       
+
        /* last payload has no next payload*/
        payload->set_next_type(payload, NO_PAYLOAD);
 
        generator->generate_payload(generator, payload);
 
        ike_header->destroy(ike_header);
-               
+
        /* build packet */
        generator->write_to_chunk(generator, &packet_data);
        generator->destroy(generator);
-       
+
        /* if last payload is of type encrypted, integrity checksum if necessary */
        if (payload->get_type(payload) == ENCRYPTED)
        {
@@ -1192,12 +1192,12 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
                        return status;
                }
        }
-       
+
        this->packet->set_data(this->packet, packet_data);
-       
+
        /* clone packet for caller */
        *packet = this->packet->clone(this->packet);
-       
+
        DBG2(DBG_ENC, "message generated successfully");
        return SUCCESS;
 }
@@ -1233,18 +1233,18 @@ static status_t parse_header(private_message_t *this)
 {
        ike_header_t *ike_header;
        status_t status;
-       
+
        DBG2(DBG_ENC, "parsing header of message");
-       
+
        this->parser->reset_context(this->parser);
        status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
        if (status != SUCCESS)
        {
                DBG1(DBG_ENC, "header could not be parsed");
                return status;
-               
+
        }
-       
+
        /* verify payload */
        status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
        if (status != SUCCESS)
@@ -1253,12 +1253,12 @@ static status_t parse_header(private_message_t *this)
                ike_header->destroy(ike_header);
                return status;
        }
-       
+
        if (this->ike_sa_id != NULL)
        {
                this->ike_sa_id->destroy(this->ike_sa_id);
        }
-       
+
        this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
                                                                           ike_header->get_responder_spi(ike_header),
                                                                           ike_header->get_initiator_flag(ike_header));
@@ -1269,12 +1269,12 @@ static status_t parse_header(private_message_t *this)
        this->major_version = ike_header->get_maj_version(ike_header);
        this->minor_version = ike_header->get_min_version(ike_header);
        this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
-       
+
        DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
                 this->is_request ? "request" : "response");
-       
+
        ike_header->destroy(ike_header);
-       
+
        /* get the rules for this messge */
        status = set_message_rule(this);
        if (status != SUCCESS)
@@ -1283,7 +1283,7 @@ static status_t parse_header(private_message_t *this)
                         exchange_type_names, this->exchange_type,
                         this->is_request ? "request" : "response");
        }
-       
+
        return status;
 }
 
@@ -1306,20 +1306,20 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
        {
                payload_rule_t *payload_rule;
                payload_type_t current_payload_type;
-               
+
                /* needed to check */
                current_payload_type = current_payload->get_type(current_payload);
-               
+
                DBG2(DBG_ENC, "process payload of type %N",
                         payload_type_names, current_payload_type);
-               
+
                if (current_payload_type == ENCRYPTED)
                {
                        encryption_payload_t *encryption_payload;
                        payload_t *current_encrypted_payload;
-                       
+
                        encryption_payload = (encryption_payload_t*)current_payload;
-                       
+
                        DBG2(DBG_ENC, "found an encryption payload");
 
                        if (payload_number != this->payloads->get_count(this->payloads))
@@ -1348,10 +1348,10 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
                                iterator->destroy(iterator);
                                return PARSE_ERROR;
                        }
-                       
+
                        /* needed later to find out if a payload was encrypted */
                        current_payload_was_encrypted = TRUE;
-                       
+
                        /* check if there are payloads contained in the encryption payload */
                        if (encryption_payload->get_payload_count(encryption_payload) == 0)
                        {
@@ -1368,7 +1368,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
                                iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
                                current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
                        }
-                       
+
                        /* is the current paylad the first in the message? */
                        if (previous_payload == NULL)
                        {
@@ -1380,7 +1380,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
                                /* no, set the next_type of the previous payload to the current type */
                                previous_payload->set_next_type(previous_payload, current_payload_type);
                        }
-                       
+
                        /* all encrypted payloads are added to the payload list */
                        while (encryption_payload->get_payload_count(encryption_payload) > 0)
                        {
@@ -1389,7 +1389,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
                                         payload_type_names, current_encrypted_payload->get_type(current_encrypted_payload));
                                this->payloads->insert_last(this->payloads,current_encrypted_payload);
                        }
-                       
+
                        /* encryption payload is processed, payloads are moved. Destroy it. */
                        encryption_payload->destroy(encryption_payload);
                }
@@ -1407,7 +1407,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
                                iterator->destroy(iterator);
                                return VERIFY_ERROR;
                        }
-                       
+
                        /* check if the payload was encrypted, and if it should been have encrypted */
                        if (payload_rule->encrypted != current_payload_was_encrypted)
                        {
@@ -1437,24 +1437,24 @@ static status_t verify(private_message_t *this)
        enumerator_t *enumerator;
        payload_t *current_payload;
        size_t total_found_payloads = 0;
-       
+
        DBG2(DBG_ENC, "verifying message structure");
-       
+
        /* check for payloads with wrong count*/
        for (i = 0; i < this->message_rule->payload_rule_count; i++)
        {
                size_t found_payloads = 0;
                payload_rule_t *rule;
-               
+
                rule = &this->message_rule->payload_rules[i];
                enumerator = create_payload_enumerator(this);
-               
+
                /* check all payloads for specific rule */
                while (enumerator->enumerate(enumerator, &current_payload))
                {
                        payload_type_t current_payload_type;
                        unknown_payload_t *unknown_payload;
-                       
+
                        current_payload_type = current_payload->get_type(current_payload);
                        if (current_payload_type == UNKNOWN_PAYLOAD)
                        {
@@ -1474,7 +1474,7 @@ static status_t verify(private_message_t *this)
                                total_found_payloads++;
                                DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
                                         rule->payload_type);
-                               
+
                                /* as soon as ohe payload occures more then specified,
                                 * the verification fails */
                                if (found_payloads >
@@ -1489,7 +1489,7 @@ static status_t verify(private_message_t *this)
                                }
                        }
                }
-               
+
                if (found_payloads < rule->min_occurence)
                {
                        DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
@@ -1517,9 +1517,9 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
        status_t status = SUCCESS;
        payload_type_t current_payload_type;
        char str[256];
-               
+
        current_payload_type = this->first_payload;
-               
+
        DBG2(DBG_ENC, "parsing body of message, first payload is %N",
                 payload_type_names, current_payload_type);
 
@@ -1527,13 +1527,13 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
        while ((current_payload_type != NO_PAYLOAD))
        {
                payload_t *current_payload;
-               
+
                DBG2(DBG_ENC, "starting parsing a %N payload",
                         payload_type_names, current_payload_type);
-               
+
                /* parse current payload */
                status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
-               
+
                if (status != SUCCESS)
                {
                        DBG1(DBG_ENC, "payload type %N could not be parsed",
@@ -1543,7 +1543,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
 
                DBG2(DBG_ENC, "verifying payload of type %N",
                         payload_type_names, current_payload_type);
-               
+
                /* verify it, stop parsig if its invalid */
                status = current_payload->verify(current_payload);
                if (status != SUCCESS)
@@ -1553,11 +1553,11 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
                        current_payload->destroy(current_payload);
                        return VERIFY_ERROR;
                }
-               
+
                DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
                         payload_type_names, current_payload_type);
                this->payloads->insert_last(this->payloads,current_payload);
-               
+
                /* an encryption payload is the last one, so STOP here. decryption is done later */
                if (current_payload_type == ENCRYPTED)
                {
@@ -1565,7 +1565,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
                                 payload_type_names, current_payload_type);
                        break;
                }
-               
+
                /* get next payload type */
                current_payload_type = current_payload->get_next_type(current_payload);
        }
@@ -1579,15 +1579,15 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
                        return status;
                }
        }
-       
+
        status = verify(this);
        if (status != SUCCESS)
        {
                return status;
        }
-       
+
        DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
-       
+
        return SUCCESS;
 }
 
@@ -1641,14 +1641,14 @@ message_t *message_create_from_packet(packet_t *packet)
        this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
        this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
        this->public.destroy = (void(*)(message_t*))destroy;
-               
+
        /* private values */
        this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
        this->is_request = TRUE;
        this->ike_sa_id = NULL;
        this->first_payload = NO_PAYLOAD;
        this->message_id = 0;
-       
+
        /* private values */
        if (packet == NULL)
        {
@@ -1657,10 +1657,10 @@ message_t *message_create_from_packet(packet_t *packet)
        this->message_rule = NULL;
        this->packet = packet;
        this->payloads = linked_list_create();
-       
+
        /* parser is created from data of packet */
        this->parser = parser_create(this->packet->get_data(this->packet));
-       
+
        return (&this->public);
 }
 
index 1db3ea0cc5b899955205ce3c4d0d1bf3b29e3242..2c7718f49d212fc8795b7103579f0f707b50ce47 100644 (file)
@@ -58,7 +58,7 @@ struct message_t {
         * @return                              major version of the message
         */
        u_int8_t (*get_major_version) (message_t *this);
-       
+
        /**
         * Sets the IKE minor version of the message.
         *
@@ -86,7 +86,7 @@ struct message_t {
         * @return                              message_id type of the message
         */
        u_int32_t (*get_message_id) (message_t *this);
-       
+
        /**
         * Gets the initiator SPI of the message.
         *
@@ -103,7 +103,7 @@ struct message_t {
 
        /**
         * Sets the IKE_SA ID of the message.
-        * 
+        *
         * ike_sa_id gets cloned.
         *
         * @param ike_sa_id             ike_sa_id to set
@@ -132,10 +132,10 @@ struct message_t {
         * @return                              exchange type of the message
         */
        exchange_type_t (*get_exchange_type) (message_t *this);
-       
+
        /**
         * Gets the payload type of the first payload.
-        * 
+        *
         * @return                              payload type of the first payload
         */
        payload_type_t (*get_first_payload_type) (message_t *this);
@@ -156,20 +156,20 @@ struct message_t {
 
        /**
         * Append a payload to the message.
-        * 
+        *
         * If the payload must be encrypted is not specified here. Encryption
         * of payloads is evaluated via internal rules for the messages and
         * is done before generation. The order of payloads may change, since
-        * all payloads to encrypt are added to the encryption payload, which is 
+        * all payloads to encrypt are added to the encryption payload, which is
         * always the last one.
         *
         * @param payload               payload to append
-        */     
+        */
        void (*add_payload) (message_t *this, payload_t *payload);
 
        /**
         * Build a notify payload and add it to the message.
-        * 
+        *
         * This is a helper method to create notify messages or add
         * notify payload to messages. The flush parameter specifies if existing
         * payloads should get removed before appending the notify.
@@ -177,13 +177,13 @@ struct message_t {
         * @param flush                 TRUE to remove existing payloads
         * @param type                  type of the notify
         * @param data                  a chunk of data to add to the notify, gets cloned
-        */     
-       void (*add_notify) (message_t *this, bool flush, notify_type_t type, 
+        */
+       void (*add_notify) (message_t *this, bool flush, notify_type_t type,
                                                chunk_t data);
 
        /**
         * Parses header of message.
-        * 
+        *
         * Begins parisng of a message created via message_create_from_packet().
         * The parsing context is stored, so a subsequent call to parse_body()
         * will continue the parsing process.
@@ -194,17 +194,17 @@ struct message_t {
         *                                      - FAILED if consistence check of header failed
         */
        status_t (*parse_header) (message_t *this);
-       
+
        /**
         * Parses body of message.
-        * 
-        * The body gets not only parsed, but rather it gets verified. 
-        * All payloads are verified if they are allowed to exist in the message 
-        * of this type and if their own structure is ok. 
-        * If there are encrypted payloads, they get decrypted via the supplied 
+        *
+        * The body gets not only parsed, but rather it gets verified.
+        * All payloads are verified if they are allowed to exist in the message
+        * of this type and if their own structure is ok.
+        * If there are encrypted payloads, they get decrypted via the supplied
         * crypter. Also the message integrity gets verified with the supplied
         * signer.
-        * Crypter/signer can be omitted (by passing NULL) when no encryption 
+        * Crypter/signer can be omitted (by passing NULL) when no encryption
         * payload is expected.
         *
         * @param crypter       crypter to decrypt encryption payloads
@@ -222,13 +222,13 @@ struct message_t {
 
        /**
         * Generates the UDP packet of specific message.
-        * 
+        *
         * Payloads which must be encrypted are generated first and added to
-        * an encryption payload. This encryption payload will get encrypted via 
+        * an encryption payload. This encryption payload will get encrypted via
         * the supplied crypter. Then all other payloads and the header get generated.
-        * After that, the checksum is added to the encryption payload over the full 
+        * After that, the checksum is added to the encryption payload over the full
         * message.
-        * Crypter/signer can be omitted (by passing NULL) when no encryption 
+        * Crypter/signer can be omitted (by passing NULL) when no encryption
         * payload is expected.
         * Generation is only done once, multiple calls will just return a packet copy.
         *
@@ -240,66 +240,66 @@ struct message_t {
         *                                      - INVALID_STATE if exchange type is currently not set
         *                                      - NOT_FOUND if no rules found for message generation
         *                                      - INVALID_STATE if crypter/signer not supplied but needed.
-        */     
+        */
        status_t (*generate) (message_t *this, crypter_t *crypter, signer_t *signer, packet_t **packet);
 
        /**
-        * Gets the source host informations. 
-        * 
-        * @warning Returned host_t object is not getting cloned, 
+        * Gets the source host informations.
+        *
+        * @warning Returned host_t object is not getting cloned,
         * do not destroy nor modify.
         *
         * @return                      host_t object representing source host
-        */     
+        */
        host_t * (*get_source) (message_t *this);
-       
+
        /**
-        * Sets the source host informations. 
-        * 
+        * Sets the source host informations.
+        *
         * @warning host_t object is not getting cloned and gets destroyed by
         *                      message_t.destroy or next call of message_t.set_source.
         *
         * @param host          host_t object representing source host
-        */     
+        */
        void (*set_source) (message_t *this, host_t *host);
 
        /**
-        * Gets the destination host informations. 
-        * 
-        * @warning Returned host_t object is not getting cloned, 
+        * Gets the destination host informations.
+        *
+        * @warning Returned host_t object is not getting cloned,
         * do not destroy nor modify.
         *
         * @return                      host_t object representing destination host
-        */     
+        */
        host_t * (*get_destination) (message_t *this);
 
        /**
-        * Sets the destination host informations. 
-        * 
+        * Sets the destination host informations.
+        *
         * @warning host_t object is not getting cloned and gets destroyed by
         *                      message_t.destroy or next call of message_t.set_destination.
         *
         * @param host          host_t object representing destination host
-        */     
+        */
        void (*set_destination) (message_t *this, host_t *host);
-       
+
        /**
         * Create an enumerator over all payloads.
         *
         * @return                      enumerator over payload_t
-        */     
+        */
        enumerator_t * (*create_payload_enumerator) (message_t *this);
-       
+
        /**
         * Find a payload of a specific type.
-        * 
-        * Returns the first occurance. 
+        *
+        * Returns the first occurance.
         *
         * @param type          type of the payload to find
         * @return                      payload, or NULL if no such payload found
-        */     
+        */
        payload_t* (*get_payload) (message_t *this, payload_type_t type);
-       
+
        /**
         * Get the first notify payload of a specific type.
         *
@@ -307,21 +307,21 @@ struct message_t {
         * @return                      notify payload, NULL if no such notify found
         */
        notify_payload_t* (*get_notify)(message_t *this, notify_type_t type);
-       
+
        /**
         * Returns a clone of the internal stored packet_t object.
         *
         * @return                      packet_t object as clone of internal one
-        */     
+        */
        packet_t * (*get_packet) (message_t *this);
-       
+
        /**
         * Returns a clone of the internal stored packet_t data.
         *
         * @return                      clone of the internal stored packet_t data.
-        */     
+        */
        chunk_t (*get_packet_data) (message_t *this);
-       
+
        /**
         * Destroys a message and all including objects.
         */
@@ -330,16 +330,16 @@ struct message_t {
 
 /**
  * Creates an message_t object from a incoming UDP Packet.
- * 
- * @warning the given packet_t object is not copied and gets 
+ *
+ * @warning the given packet_t object is not copied and gets
  *                     destroyed in message_t's destroy call.
- * 
+ *
  * - exchange_type is set to NOT_SET
  * - original_initiator is set to TRUE
  * - is_request is set to TRUE
  * Call message_t.parse_header afterwards.
- * 
- * @param packet               packet_t object which is assigned to message    
+ *
+ * @param packet               packet_t object which is assigned to message
  * @return                             message_t object
  */
 message_t * message_create_from_packet(packet_t *packet);
@@ -351,7 +351,7 @@ message_t * message_create_from_packet(packet_t *packet);
  * - exchange_type is set to NOT_SET
  * - original_initiator is set to TRUE
  * - is_request is set to TRUE
- * 
+ *
  * @return message_t object
  */
 message_t * message_create(void);
index ac2b78c286177a5205d6560b3efee0903c457b0c..9aa34b1bc86c4a94d84c014a684932622abe77c3 100644 (file)
@@ -50,7 +50,7 @@ typedef struct private_parser_t private_parser_t;
 
 /**
  * Private data stored in a context.
- * 
+ *
  * Contains pointers and counters to store current state.
  */
 struct private_parser_t {
@@ -58,27 +58,27 @@ struct private_parser_t {
         * Public members, see parser_t.
         */
        parser_t public;
-       
+
        /**
         * Current bit for reading in input data.
         */
        u_int8_t bit_pos;
-       
+
        /**
         * Current byte for reading in input data.
         */
        u_int8_t *byte_pos;
-       
+
        /**
         * Input data to parse.
         */
        u_int8_t *input;
-       
+
        /**
         * Roof of input, used for length-checking.
         */
        u_int8_t *input_roof;
-       
+
        /**
         * Set of encoding rules for this parsing session.
         */
@@ -277,11 +277,11 @@ static bool parse_bit(private_parser_t *this, int rule_number,
                return short_input(this, rule_number);
        }
        if (output_pos)
-       {       
+       {
                u_int8_t mask;
                mask = 0x01 << (7 - this->bit_pos);
                *output_pos = *this->byte_pos & mask;
-               
+
                if (*output_pos)
                {       /* set to a "clean", comparable true */
                        *output_pos = TRUE;
@@ -303,7 +303,7 @@ static bool parse_list(private_parser_t *this, int rule_number,
                        linked_list_t **output_pos, payload_type_t payload_type, int length)
 {
        linked_list_t *list = *output_pos;
-       
+
        if (length < 0)
        {
                return short_input(this, rule_number);
@@ -316,10 +316,10 @@ static bool parse_list(private_parser_t *this, int rule_number,
        {
                u_int8_t *pos_before = this->byte_pos;
                payload_t *payload;
-               
+
                DBG2(DBG_ENC, "  %d bytes left, parsing recursively %N",
                         length, payload_type_names, payload_type);
-               
+
                if (parse_payload(this, payload_type, &payload) != SUCCESS)
                {
                        DBG1(DBG_ENC, "  parsing of a %N substructure failed",
@@ -377,25 +377,25 @@ static status_t parse_payload(private_parser_t *this,
        bool attribute_format = FALSE;
        int rule_number;
        encoding_rule_t *rule;
-       
+
        /* create instance of the payload to parse */
        pld = payload_create(payload_type);
-       
+
        DBG2(DBG_ENC, "parsing %N payload, %d bytes left",
                 payload_type_names, payload_type, this->input_roof - this->byte_pos);
-       
+
        DBG3(DBG_ENC, "parsing payload from %b",
                 this->byte_pos, this->input_roof - this->byte_pos);
-       
+
        if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
        {
                DBG1(DBG_ENC, "  payload type %d is unknown, handling as %N",
                         payload_type, payload_type_names, UNKNOWN_PAYLOAD);
        }
-       
+
        /* base pointer for output, avoids casting in every rule */
        output = pld;
-       
+
        /* parse the payload with its own rulse */
        pld->get_encoding_rules(pld, &this->rules, &rule_count);
        for (rule_number = 0; rule_number < rule_count; rule_number++)
@@ -765,7 +765,7 @@ static status_t parse_payload(private_parser_t *this,
                        case ADDRESS:
                        {
                                int address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
-                               
+
                                if (!parse_chunk(this, rule_number, output + rule->offset,
                                                                 address_length))
                                {
@@ -808,7 +808,7 @@ static status_t parse_payload(private_parser_t *this,
                /* process next rulue */
                rule++;
        }
-       
+
        *payload = pld;
        DBG2(DBG_ENC, "parsing %N payload finished",
                 payload_type_names, payload_type);
@@ -846,17 +846,17 @@ static void destroy(private_parser_t *this)
 parser_t *parser_create(chunk_t data)
 {
        private_parser_t *this = malloc_thing(private_parser_t);
-       
+
        this->public.parse_payload = (status_t(*)(parser_t*,payload_type_t,payload_t**))parse_payload;
        this->public.reset_context = (void(*)(parser_t*)) reset_context;
        this->public.get_remaining_byte_count = (int (*) (parser_t *))get_remaining_byte_count;
        this->public.destroy = (void(*)(parser_t*)) destroy;
-       
+
        this->input = data.ptr;
        this->byte_pos = data.ptr;
        this->bit_pos = 0;
        this->input_roof = data.ptr + data.len;
-       
+
        return &this->public;
 }
 
index 23049243846d05ccf73815e07f7cbf23dc7cf5ae..27c5f03fed254decbd72babf3cd9aec1f68619c1 100644 (file)
@@ -36,32 +36,32 @@ typedef struct parser_t parser_t;
  * The parser remains the state until destroyed.
  */
 struct parser_t {
-       
+
        /**
         * Parses the next payload.
-        * 
+        *
         * @warning Caller is responsible for freeing allocated payload.
-        * 
+        *
         * Rules for parsing are described in the payload definition.
         *
         * @param payload_type  payload type to parse
         * @param payload               pointer where parsed payload was allocated
-        * @return                      
+        * @return
         *                                              - SUCCESSFUL if succeeded,
         *                                              - PARSE_ERROR if corrupted/invalid data found
         */
        status_t (*parse_payload) (parser_t *this, payload_type_t payload_type, payload_t **payload);
-       
+
        /**
         * Gets the remaining byte count which is not currently parsed.
         */
        int (*get_remaining_byte_count) (parser_t *this);
-       
+
        /**
         * Resets the current parser context.
         */
        void (*reset_context) (parser_t *this);
-       
+
        /**
         * Destroys a parser_t object.
         */
@@ -70,7 +70,7 @@ struct parser_t {
 
 /**
  * Constructor to create a parser_t object.
- * 
+ *
  * @param data         chunk of data to parse with this parser_t object
  * @return                     parser_t object
  */
index 53406f564f9eed0a1922b46f952d125db7a6d863..308af9bda50baaec383dfb648f2e68f6e072e3d8 100644 (file)
@@ -23,15 +23,15 @@ typedef struct private_auth_payload_t private_auth_payload_t;
 
 /**
  * Private data of an auth_payload_t object.
- * 
+ *
  */
 struct private_auth_payload_t {
-       
+
        /**
         * Public auth_payload_t interface.
         */
        auth_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -41,17 +41,17 @@ struct private_auth_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * Method of the AUTH Data.
         */
        u_int8_t auth_method;
-       
+
        /**
         * The contained auth data value.
         */
@@ -60,8 +60,8 @@ struct private_auth_payload_t {
 
 /**
  * Encoding rules to parse or generate a AUTH payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_auth_payload_t.
  */
 encoding_rule_t auth_payload_encodings[] = {
@@ -221,8 +221,8 @@ static void destroy(private_auth_payload_t *this)
        {
                chunk_free(&(this->auth_data));
        }
-       
-       free(this);     
+
+       free(this);
 }
 
 /*
@@ -240,7 +240,7 @@ auth_payload_t *auth_payload_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.destroy = (void (*) (auth_payload_t *)) destroy;
        this->public.set_auth_method = (void (*) (auth_payload_t *,auth_method_t)) set_auth_method;
@@ -248,7 +248,7 @@ auth_payload_t *auth_payload_create()
        this->public.set_data = (void (*) (auth_payload_t *,chunk_t)) set_data;
        this->public.get_data_clone = (chunk_t (*) (auth_payload_t *)) get_data_clone;
        this->public.get_data = (chunk_t (*) (auth_payload_t *)) get_data;
-       
+
        /* private variables */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
index 4287f14d9b10f74439010e40970e4224e17d0b49..37ee149db58f376ee3a3dbadf63220dfd4ce48d1 100644 (file)
@@ -39,7 +39,7 @@ typedef struct auth_payload_t auth_payload_t;
  * The AUTH payload format is described in RFC section 3.8.
  */
 struct auth_payload_t {
-       
+
        /**
         * The payload_t interface.
         */
@@ -51,41 +51,41 @@ struct auth_payload_t {
         * @param method                auth_method_t to use
         */
        void (*set_auth_method) (auth_payload_t *this, auth_method_t method);
-       
+
        /**
         * Get the AUTH method.
         *
         * @return                              auth_method_t used
         */
        auth_method_t (*get_auth_method) (auth_payload_t *this);
-       
+
        /**
         * Set the AUTH data.
-        * 
+        *
         * Data gets cloned.
         *
         * @param data                  AUTH data as chunk_t
         */
        void (*set_data) (auth_payload_t *this, chunk_t data);
-       
+
        /**
         * Get the AUTH data.
-        * 
+        *
         * Returned data are a copy of the internal one.
         *
         * @return                              AUTH data as chunk_t
         */
        chunk_t (*get_data_clone) (auth_payload_t *this);
-       
+
        /**
         * Get the AUTH data.
-        * 
+        *
         * Returned data are NOT copied
         *
         * @return                              AUTH data as chunk_t
         */
        chunk_t (*get_data) (auth_payload_t *this);
-       
+
        /**
         * Destroys an auth_payload_t object.
         */
@@ -94,7 +94,7 @@ struct auth_payload_t {
 
 /**
  * Creates an empty auth_payload_t object.
- * 
+ *
  * @return auth_payload_t object
  */
 auth_payload_t *auth_payload_create(void);
index 54a8c1392c57d6b7bb733af3c1dff1912d66fff1..36a3bfb6b5f4426201c4f7dfe764de787e7ee1a8 100644 (file)
@@ -43,14 +43,14 @@ typedef struct private_cert_payload_t private_cert_payload_t;
 
 /**
  * Private data of an cert_payload_t object.
- * 
+ *
  */
 struct private_cert_payload_t {
        /**
         * Public cert_payload_t interface.
         */
        cert_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -60,22 +60,22 @@ struct private_cert_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * Encoding of the CERT Data.
         */
        u_int8_t encoding;
-       
+
        /**
         * The contained cert data value.
         */
        chunk_t data;
-       
+
        /**
         * TRUE if the "Hash and URL" data is invalid
         */
@@ -84,10 +84,10 @@ struct private_cert_payload_t {
 
 /**
  * Encoding rules to parse or generate a CERT payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_cert_payload_t.
- * 
+ *
  */
 encoding_rule_t cert_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
@@ -139,7 +139,7 @@ static status_t verify(private_cert_payload_t *this)
                        this->invalid_hash_and_url = TRUE;
                        return SUCCESS;
                }
-               
+
                int i = 20; /* skipping the hash */
                for (; i < this->data.len; ++i)
                {
@@ -156,7 +156,7 @@ static status_t verify(private_cert_payload_t *this)
                                return SUCCESS;
                        }
                }
-               
+
                /* URL is not null terminated, correct that */
                chunk_t data = chunk_alloc(this->data.len + 1);
                memcpy(data.ptr, this->data.ptr, this->data.len);
@@ -268,7 +268,7 @@ static char *get_url(private_cert_payload_t *this)
 static void destroy(private_cert_payload_t *this)
 {
        chunk_free(&this->data);
-       free(this);     
+       free(this);
 }
 
 /*
@@ -285,13 +285,13 @@ cert_payload_t *cert_payload_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
        this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
-       
+
        this->public.destroy = (void (*) (cert_payload_t*))destroy;
        this->public.get_cert = (certificate_t* (*) (cert_payload_t*))get_cert;
        this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t*))get_cert_encoding;
        this->public.get_hash = (chunk_t (*) (cert_payload_t*))get_hash;
        this->public.get_url = (char* (*) (cert_payload_t*))get_url;
-       
+
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
        this->payload_length = CERT_PAYLOAD_HEADER_LENGTH;
@@ -332,12 +332,12 @@ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url)
 {
        private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
        chunk_t url_chunk;
-       
+
        this->encoding = ENC_X509_HASH_AND_URL;
-       
+
        url_chunk.ptr = url;
        url_chunk.len = strlen(url) + 1;
-       
+
        this->data = chunk_cat("cc", hash, url_chunk);
        this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
        return &this->public;
index fba404ee275f37f789393f9e0eb209b2af6d75a0..aa1c7bf5aa7f9e2fecdc1d237cf5346aadc78b7d 100644 (file)
@@ -65,45 +65,45 @@ extern enum_name_t *cert_encoding_names;
  * The CERT payload format is described in RFC section 3.6.
  */
 struct cert_payload_t {
-       
+
        /**
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Get the playoads encoded certifcate.
         *
         * @return                              certifcate copy
         */
        certificate_t *(*get_cert)(cert_payload_t *this);
-       
+
        /**
         * Get the encoding of the certificate.
-        * 
+        *
         * @return                              encoding
         */
        cert_encoding_t (*get_cert_encoding)(cert_payload_t *this);
-       
+
        /**
         * Get the hash if this is a hash and URL encoded certificate.
-        * 
+        *
         * This function returns internal data, do not free.
-        * 
+        *
         * @return                              hash
         */
        chunk_t (*get_hash)(cert_payload_t *this);
-       
+
        /**
         * Get the URL if this is a hash and URL encoded certificate.
-        * 
+        *
         * This function returns internal data, do not free.
-        * 
+        *
         * @return                              url
         */
        char *(*get_url)(cert_payload_t *this);
-       
-       
+
+
        /**
         * Destroys the cert_payload object.
         */
@@ -112,14 +112,14 @@ struct cert_payload_t {
 
 /**
  * Creates an empty certificate payload.
- * 
+ *
  * @return                                     cert_payload_t object
  */
 cert_payload_t *cert_payload_create(void);
 
 /**
  * Creates a certificate payload with an embedded certificate.
- * 
+ *
  * @param cert                         certificate to embed
  * @return                                     cert_payload_t object
  */
@@ -127,7 +127,7 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert);
 
 /**
  * Creates a certificate payload with hash and URL encoding of a certificate.
- * 
+ *
  * @param hash                         hash of the DER encoded certificate (get's cloned)
  * @param url                          the URL to locate the certificate (get's cloned)
  * @return                                     cert_payload_t object
index 50adedb283b50cd8e1ed62af1cae8d9e3da40953..9ff0bdde0af465666016d343f95958d1b51c33af 100644 (file)
@@ -27,14 +27,14 @@ typedef struct private_certreq_payload_t private_certreq_payload_t;
 
 /**
  * Private data of an certreq_payload_t object.
- * 
+ *
  */
 struct private_certreq_payload_t {
        /**
         * Public certreq_payload_t interface.
         */
        certreq_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -44,17 +44,17 @@ struct private_certreq_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * Encoding of the CERT Data.
         */
        u_int8_t encoding;
-       
+
        /**
         * The contained certreq data value.
         */
@@ -63,10 +63,10 @@ struct private_certreq_payload_t {
 
 /**
  * Encoding rules to parse or generate a CERTREQ payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_certreq_payload_t.
- * 
+ *
  */
 encoding_rule_t certreq_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
@@ -160,7 +160,7 @@ static size_t get_length(private_certreq_payload_t *this)
 {
        return this->payload_length;
 }
-       
+
 /**
  * Implementation of certreq_payload_t.add_keyid.
  */
@@ -240,7 +240,7 @@ static certificate_type_t get_cert_type(private_certreq_payload_t *this)
 static void destroy(private_certreq_payload_t *this)
 {
        chunk_free(&this->data);
-       free(this);     
+       free(this);
 }
 
 /*
@@ -258,13 +258,13 @@ certreq_payload_t *certreq_payload_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
        this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
-       
+
        /* public functions */
        this->public.destroy = (void (*) (certreq_payload_t*)) destroy;
        this->public.create_keyid_enumerator = (enumerator_t*(*)(certreq_payload_t*))create_keyid_enumerator;
                this->public.get_cert_type = (certificate_type_t(*)(certreq_payload_t*))get_cert_type;
        this->public.add_keyid = (void(*)(certreq_payload_t*, chunk_t keyid))add_keyid;
-       
+
        /* private variables */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
@@ -281,7 +281,7 @@ certreq_payload_t *certreq_payload_create()
 certreq_payload_t *certreq_payload_create_type(certificate_type_t type)
 {
        private_certreq_payload_t *this = (private_certreq_payload_t*)certreq_payload_create();
-       
+
        switch (type)
        {
                case CERT_X509:
index ff9814f8ac128138f183484339015368b4b5dced..914063628fdbd2971c36c4bf15a413bc9d5d28a8 100644 (file)
@@ -50,14 +50,14 @@ struct certreq_payload_t {
         * @return                      enumerator over chunk_t's.
         */
        enumerator_t* (*create_keyid_enumerator)(certreq_payload_t *this);
-       
+
        /**
         * Get the type of contained certificate keyids.
         *
         * @return                      certificate keyid type
         */
        certificate_type_t (*get_cert_type)(certreq_payload_t *this);
-       
+
        /**
         * Add a certificates keyid to the payload.
         *
@@ -65,7 +65,7 @@ struct certreq_payload_t {
         * @return
         */
        void (*add_keyid)(certreq_payload_t *this, chunk_t keyid);
-       
+
        /**
         * Destroys an certreq_payload_t object.
         */
@@ -74,14 +74,14 @@ struct certreq_payload_t {
 
 /**
  * Creates an empty certreq_payload_t object.
- * 
+ *
  * @return                             certreq payload
  */
 certreq_payload_t *certreq_payload_create(void);
 
 /**
  * Creates an empty certreq_payload_t for a kind of certificates.
- * 
+ *
  * @param type                 type of the added keyids
  * @return                             certreq payload
  */
index 674feedddf7e3c305f8dec331ae5910f46c4afeb..fb433666323ce0b4cdf46c1f6c533661150f057c 100644 (file)
@@ -27,19 +27,19 @@ typedef struct private_configuration_attribute_t private_configuration_attribute
 
 /**
  * Private data of an configuration_attribute_t object.
- * 
+ *
  */
 struct private_configuration_attribute_t {
        /**
         * Public configuration_attribute_t interface.
         */
        configuration_attribute_t public;
-       
+
        /**
         * Type of the attribute.
         */
        u_int16_t attribute_type;
-       
+
        /**
         * Length of the attribute.
         */
@@ -74,16 +74,16 @@ ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SERVER);
 
 /**
  * Encoding rules to parse or generate a configuration attribute.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_configuration_attribute_t.
- * 
+ *
  */
 encoding_rule_t configuration_attribute_encodings[] = {
 
        { RESERVED_BIT, 0                                                                                                                                                                       },
        /* type of the attribute as 15 bit unsigned integer */
-       { ATTRIBUTE_TYPE,                       offsetof(private_configuration_attribute_t, attribute_type)                             },      
+       { ATTRIBUTE_TYPE,                       offsetof(private_configuration_attribute_t, attribute_type)                             },
        /* Length of attribute value */
        { CONFIGURATION_ATTRIBUTE_LENGTH,               offsetof(private_configuration_attribute_t, attribute_length)},
        /* Value of attribute if attribute format flag is zero */
@@ -159,11 +159,11 @@ static status_t verify(private_configuration_attribute_t *this)
                        /* any length acceptable */
                        break;
                 default:
-                       DBG1(DBG_ENC, "unknown attribute type %N", 
+                       DBG1(DBG_ENC, "unknown attribute type %N",
                                 configuration_attribute_type_names, this->attribute_type);
                        break;
        }
-       
+
        if (failed)
        {
                DBG1(DBG_ENC, "invalid attribute length %d for %N",
@@ -222,12 +222,12 @@ static void set_value(private_configuration_attribute_t *this, chunk_t value)
        if (this->attribute_value.ptr != NULL)
        {
                /* free existing value */
-               chunk_free(&(this->attribute_value));           
+               chunk_free(&(this->attribute_value));
        }
-       
+
        this->attribute_value.ptr = clalloc(value.ptr,value.len);
        this->attribute_value.len = value.len;
-       
+
        this->attribute_length = this->attribute_value.len;
 }
 
@@ -272,7 +272,7 @@ static void destroy(private_configuration_attribute_t *this)
        if (this->attribute_value.ptr != NULL)
        {
                free(this->attribute_value.ptr);
-       }       
+       }
        free(this);
 }
 
@@ -291,7 +291,7 @@ configuration_attribute_t *configuration_attribute_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.set_value = (void (*) (configuration_attribute_t *,chunk_t)) set_value;
        this->public.get_value = (chunk_t (*) (configuration_attribute_t *)) get_value;
@@ -299,7 +299,7 @@ configuration_attribute_t *configuration_attribute_create()
        this->public.get_type = (u_int16_t (*) (configuration_attribute_t *)) get_attribute_type;
        this->public.get_length = (u_int16_t (*) (configuration_attribute_t *)) get_attribute_length;
        this->public.destroy = (void (*) (configuration_attribute_t *)) destroy;
-       
+
        /* set default values of the fields */
        this->attribute_type = 0;
        this->attribute_value = chunk_empty;
index 40413011427e88f331d6181b86ae73bbd82ed90a..376fb4be62725d82b6fccae52ee1ec291a7379d3 100644 (file)
@@ -57,14 +57,14 @@ enum configuration_attribute_type_t {
        INTERNAL_IP6_SERVER = 23457
 };
 
-/** 
+/**
  * enum names for configuration_attribute_type_t.
  */
 extern enum_name_t *configuration_attribute_type_names;
 
 /**
  * Class representing an IKEv2-CONFIGURATION Attribute.
- * 
+ *
  * The CONFIGURATION ATTRIBUTE format is described in RFC section 3.15.1.
  */
 struct configuration_attribute_t {
@@ -75,43 +75,43 @@ struct configuration_attribute_t {
 
        /**
         * Returns the currently set value of the attribute.
-        *      
+        *
         * @warning Returned data are not copied.
-        * 
+        *
         * @return              chunk_t pointing to the value
         */
        chunk_t (*get_value) (configuration_attribute_t *this);
-       
+
        /**
         * Sets the value of the attribute.
-        *      
+        *
         * Value is getting copied.
-        * 
+        *
         * @param value chunk_t pointing to the value to set
         */
        void (*set_value) (configuration_attribute_t *this, chunk_t value);
 
        /**
         * Sets the type of the attribute.
-        *      
+        *
         * @param type  type to set (most significant bit is set to zero)
         */
        void (*set_type) (configuration_attribute_t *this, u_int16_t type);
-       
+
        /**
         * get the type of the attribute.
-        *      
+        *
         * @return              type of the value
         */
        u_int16_t (*get_type) (configuration_attribute_t *this);
-       
+
        /**
         * get the length of an attribute.
-        *      
+        *
         * @return              type of the value
         */
        u_int16_t (*get_length) (configuration_attribute_t *this);
-       
+
        /**
         * Destroys an configuration_attribute_t object.
         */
@@ -120,7 +120,7 @@ struct configuration_attribute_t {
 
 /**
  * Creates an empty configuration_attribute_t object.
- * 
+ *
  * @return                     created configuration_attribute_t object
  */
 configuration_attribute_t *configuration_attribute_create(void);
index b5f1b35c73b15748e1c260835b4efd3964031de2..6086ad102a155104c78e4445d6e899aa152843a0 100644 (file)
@@ -32,14 +32,14 @@ typedef struct private_cp_payload_t private_cp_payload_t;
 
 /**
  * Private data of an cp_payload_t object.
- * 
+ *
  */
 struct private_cp_payload_t {
        /**
         * Public cp_payload_t interface.
         */
        cp_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -49,17 +49,17 @@ struct private_cp_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * Configuration Attributes in this payload are stored in a linked_list_t.
         */
        linked_list_t * attributes;
-       
+
        /**
         * Config Type.
         */
@@ -68,32 +68,32 @@ struct private_cp_payload_t {
 
 /**
  * Encoding rules to parse or generate a IKEv2-CP Payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_cp_payload_t.
- * 
+ *
  */
 encoding_rule_t cp_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
        { U_INT_8,              offsetof(private_cp_payload_t, next_payload)                    },
        /* the critical bit */
-       { FLAG,                 offsetof(private_cp_payload_t, critical)                                },      
+       { FLAG,                 offsetof(private_cp_payload_t, critical)                                },
        /* 7 Bit reserved bits, nowhere stored */
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
        /* Length of the whole CP payload*/
-       { PAYLOAD_LENGTH,               offsetof(private_cp_payload_t, payload_length)  },      
-       /* Proposals are stored in a proposal substructure, 
+       { PAYLOAD_LENGTH,               offsetof(private_cp_payload_t, payload_length)  },
+       /* Proposals are stored in a proposal substructure,
           offset points to a linked_list_t pointer */
        { U_INT_8,              offsetof(private_cp_payload_t, config_type)                             },
-       { RESERVED_BYTE,0                                                                                                               }, 
-       { RESERVED_BYTE,0                                                                                                               }, 
-       { RESERVED_BYTE,0                                                                                                               },      
+       { RESERVED_BYTE,0                                                                                                               },
+       { RESERVED_BYTE,0                                                                                                               },
+       { RESERVED_BYTE,0                                                                                                               },
        { CONFIGURATION_ATTRIBUTES,     offsetof(private_cp_payload_t, attributes)      }
 };
 
@@ -119,7 +119,7 @@ static status_t verify(private_cp_payload_t *this)
        status_t status = SUCCESS;
        iterator_t *iterator;
        configuration_attribute_t *attribute;
-       
+
        iterator = this->attributes->create_iterator(this->attributes,TRUE);
        while(iterator->iterate(iterator, (void**)&attribute))
        {
@@ -174,14 +174,14 @@ static void compute_length(private_cp_payload_t *this)
        iterator_t *iterator;
        payload_t *current_attribute;
        size_t length = CP_PAYLOAD_HEADER_LENGTH;
-       
+
        iterator = this->attributes->create_iterator(this->attributes,TRUE);
        while (iterator->iterate(iterator, (void**)&current_attribute))
        {
                length += current_attribute->get_length(current_attribute);
        }
        iterator->destroy(iterator);
-       
+
        this->payload_length = length;
 }
 
@@ -243,7 +243,7 @@ static void destroy(private_cp_payload_t *this)
 cp_payload_t *cp_payload_create()
 {
        private_cp_payload_t *this = malloc_thing(private_cp_payload_t);
-       
+
        /* public interface */
        this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
        this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
@@ -252,14 +252,14 @@ cp_payload_t *cp_payload_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.create_attribute_iterator = (iterator_t* (*) (cp_payload_t *)) create_attribute_iterator;
        this->public.add_configuration_attribute = (void (*) (cp_payload_t *,configuration_attribute_t *)) add_configuration_attribute;
        this->public.set_config_type = (void (*) (cp_payload_t *, config_type_t)) set_config_type;
        this->public.get_config_type = (config_type_t (*) (cp_payload_t *)) get_config_type;
        this->public.destroy = (void (*) (cp_payload_t *)) destroy;
-       
+
        /* set default values of the fields */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
index 6ffcca7082bc4589de9add065ebfc1b14d582067..11f5061b9f7d0a3a2b72ca73329db6dff042fcdf 100644 (file)
@@ -52,7 +52,7 @@ extern enum_name_t *config_type_names;
 
 /**
  * Class representing an IKEv2-CP Payload.
- * 
+ *
  * The CP Payload format is described in RFC section 3.15.
  */
 struct cp_payload_t {
@@ -60,41 +60,41 @@ struct cp_payload_t {
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Creates an iterator of stored configuration_attribute_t objects.
-        * 
+        *
         * When deleting an attribute using this iterator, the length of this
         * configuration_attribute_t has to be refreshed by calling get_length()!
         *
         * @return                              created iterator_t object
         */
        iterator_t *(*create_attribute_iterator) (cp_payload_t *this);
-       
+
        /**
         * Adds a configuration_attribute_t object to this object.
-        * 
+        *
         * The added configuration_attribute_t object is getting destroyed in
         * destroy function of cp_payload_t.
         *
         * @param attribute             configuration_attribute_t object to add
         */
        void (*add_configuration_attribute) (cp_payload_t *this, configuration_attribute_t *attribute);
-       
+
        /**
         * Set the config type.
         *
         * @param config_type   config_type_t to set
         */
        void (*set_config_type) (cp_payload_t *this,config_type_t config_type);
-       
+
        /**
         * Get the config type.
         *
         * @return                              config_type_t
         */
        config_type_t (*get_config_type) (cp_payload_t *this);
-       
+
        /**
         * Destroys an cp_payload_t object.
         */
@@ -103,7 +103,7 @@ struct cp_payload_t {
 
 /**
  * Creates an empty cp_payload_t object
- * 
+ *
  * @return cp_payload_t object
  */
 cp_payload_t *cp_payload_create(void);
index c2be1e8b5eb5370df8457401feb37d0e7a62ab33..c4fa0f8ae253ff15c1d227f2179e3115ac57f859 100644 (file)
@@ -23,14 +23,14 @@ typedef struct private_delete_payload_t private_delete_payload_t;
 
 /**
  * Private data of an delete_payload_t object.
- * 
+ *
  */
 struct private_delete_payload_t {
        /**
         * Public delete_payload_t interface.
         */
        delete_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -40,12 +40,12 @@ struct private_delete_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * Protocol ID.
         */
@@ -55,29 +55,29 @@ struct private_delete_payload_t {
         * SPI Size.
         */
        u_int8_t spi_size;
-       
+
        /**
         * Number of SPI's.
         */
        u_int16_t spi_count;
-       
+
        /**
         * The contained SPI's.
         */
        chunk_t spis;
-       
+
        /**
-        * List containing u_int32_t spis 
+        * List containing u_int32_t spis
         */
        linked_list_t *spi_list;
 };
 
 /**
  * Encoding rules to parse or generate a DELETE payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_delete_payload_t.
- * 
+ *
  */
 encoding_rule_t delete_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
@@ -223,7 +223,7 @@ static void add_spi(private_delete_payload_t *this, u_int32_t spi)
 static iterator_t* create_spi_iterator(private_delete_payload_t *this)
 {
        int i;
-       
+
        if (this->spi_list == NULL)
        {
                this->spi_list = linked_list_create();
@@ -253,7 +253,7 @@ static void destroy(private_delete_payload_t *this)
        {
                this->spi_list->destroy(this->spi_list);
        }
-       free(this);     
+       free(this);
 }
 
 /*
@@ -271,13 +271,13 @@ delete_payload_t *delete_payload_create(protocol_id_t protocol_id)
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.destroy = (void (*) (delete_payload_t *)) destroy;
        this->public.get_protocol_id = (protocol_id_t (*) (delete_payload_t *)) get_protocol_id;
        this->public.add_spi = (void (*) (delete_payload_t *,u_int32_t))add_spi;
        this->public.create_spi_iterator = (iterator_t* (*) (delete_payload_t *)) create_spi_iterator;
-       
+
        /* private variables */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
index 58840741af9dcaae269d1077e45abee7e94a1978..3b62c1af1fa26a2ae439a1a9d297b4ed28a11a78 100644 (file)
@@ -43,21 +43,21 @@ struct delete_payload_t {
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Get the protocol ID.
         *
         * @return                              protocol ID
         */
        protocol_id_t (*get_protocol_id) (delete_payload_t *this);
-       
+
        /**
         * Add an SPI to the list of deleted SAs.
         *
         * @param spi                   spi to add
         */
        void (*add_spi) (delete_payload_t *this, u_int32_t spi);
-       
+
        /**
         * Get an iterator over the SPIs.
         *
@@ -66,7 +66,7 @@ struct delete_payload_t {
         * @return                              iterator over SPIs
         */
        iterator_t *(*create_spi_iterator) (delete_payload_t *this);
-       
+
        /**
         * Destroys an delete_payload_t object.
         */
@@ -75,7 +75,7 @@ struct delete_payload_t {
 
 /**
  * Creates an empty delete_payload_t object.
- * 
+ *
  * @param protocol_id  protocol, such as AH|ESP
  * @return                             delete_payload_t object
  */
index 1199bac45276bf4e4a1da7f61bb1e8f325c19823..562faa22142f2866b8a2ddb4fb845b1d25221a74 100644 (file)
@@ -24,14 +24,14 @@ typedef struct private_eap_payload_t private_eap_payload_t;
 
 /**
  * Private data of an eap_payload_t object.
- * 
+ *
  */
 struct private_eap_payload_t {
        /**
         * Public eap_payload_t interface.
         */
        eap_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -41,12 +41,12 @@ struct private_eap_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * EAP message data, if available
         */
@@ -55,10 +55,10 @@ struct private_eap_payload_t {
 
 /**
  * Encoding rules to parse or generate a EAP payload.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_eap_payload_t.
- * 
+ *
  */
 encoding_rule_t eap_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
@@ -98,7 +98,7 @@ static status_t verify(private_eap_payload_t *this)
 {
        u_int16_t length;
        u_int8_t code;
-       
+
        if (this->data.len < 4)
        {
                DBG1(DBG_ENC, "EAP payloads EAP message too short (%d)", this->data.len);
@@ -264,7 +264,7 @@ static void destroy(private_eap_payload_t *this)
 eap_payload_t *eap_payload_create()
 {
        private_eap_payload_t *this = malloc_thing(private_eap_payload_t);
-       
+
        /* interface functions */
        this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
        this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
@@ -273,7 +273,7 @@ eap_payload_t *eap_payload_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.destroy = (void (*) (eap_payload_t *)) destroy;
        this->public.get_data = (chunk_t (*) (eap_payload_t*))get_data;
@@ -281,13 +281,13 @@ eap_payload_t *eap_payload_create()
        this->public.get_code = (eap_code_t (*) (eap_payload_t*))get_code;
        this->public.get_identifier = (u_int8_t (*) (eap_payload_t*))get_identifier;
        this->public.get_type = (eap_type_t (*) (eap_payload_t*,u_int32_t*))get_type;
-       
+
        /* private variables */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
        this->payload_length = EAP_PAYLOAD_HEADER_LENGTH;
        this->data = chunk_empty;
-       
+
        return &(this->public);
 }
 
@@ -297,7 +297,7 @@ eap_payload_t *eap_payload_create()
 eap_payload_t *eap_payload_create_data(chunk_t data)
 {
        eap_payload_t *this = eap_payload_create();
-       
+
        this->set_data(this, data);
        return this;
 }
@@ -309,11 +309,11 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier)
 {
        eap_payload_t *this = eap_payload_create();
        chunk_t data = chunk_alloca(4);
-       
+
        *(data.ptr + 0) = code;
        *(data.ptr + 1) = identifier;
        *(u_int16_t*)(data.ptr + 2) = htons(data.len);
-       
+
        this->set_data(this, data);
        return this;
 }
@@ -325,12 +325,12 @@ eap_payload_t *eap_payload_create_nak(u_int8_t identifier)
 {
        eap_payload_t *this = eap_payload_create();
        chunk_t data = chunk_alloca(5);
-       
+
        *(data.ptr + 0) = EAP_RESPONSE;
        *(data.ptr + 1) = identifier;
        *(u_int16_t*)(data.ptr + 2) = htons(data.len);
        *(data.ptr + 4) = EAP_NAK;
-       
+
        this->set_data(this, data);
        return this;
 }
index a4d8a38c6672481b07461ef762638f82aca650c2..0bde4b15e18c4c47572381d075b293ec4f764353 100644 (file)
@@ -39,12 +39,12 @@ typedef struct eap_payload_t eap_payload_t;
  * The EAP payload format is described in RFC section 3.16.
  */
 struct eap_payload_t {
-       
+
        /**
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Set the contained EAP data.
         *
@@ -54,7 +54,7 @@ struct eap_payload_t {
         * @param message       EAP data
         */
        void (*set_data) (eap_payload_t *this, chunk_t data);
-       
+
        /**
         * Get the contained EAP data.
         *
@@ -63,21 +63,21 @@ struct eap_payload_t {
         * @return                      EAP data (pointer to internal data)
         */
        chunk_t (*get_data) (eap_payload_t *this);
-       
+
        /**
         * Get the EAP code.
         *
         * @return                      EAP message as chunk_t
         */
        eap_code_t (*get_code) (eap_payload_t *this);
-       
+
        /**
         * Get the EAP identifier.
         *
         * @return                      unique identifier
         */
        u_int8_t (*get_identifier) (eap_payload_t *this);
-       
+
        /**
         * Get the EAP method type.
         *
@@ -85,7 +85,7 @@ struct eap_payload_t {
         * @return                      EAP method type, vendor specific if vendor != 0
         */
        eap_type_t (*get_type) (eap_payload_t *this, u_int32_t *vendor);
-       
+
        /**
         * Destroys an eap_payload_t object.
         */
@@ -109,7 +109,7 @@ eap_payload_t *eap_payload_create_data(chunk_t data);
 /**
  * Creates an eap_payload_t object with a code.
  *
- * Could should be either EAP_SUCCESS/EAP_FAILURE, use 
+ * Could should be either EAP_SUCCESS/EAP_FAILURE, use
  * constructor above otherwise.
  *
  * @param code                 EAP status code
index 03554f0afab7b9ed5a8112600e66ec0f619c3f23..23389481c31a03cbf95fc27b87a6e06122cba3fc 100644 (file)
@@ -28,266 +28,266 @@ typedef struct encoding_rule_t encoding_rule_t;
 #include <library.h>
 
 /**
- * All different kinds of encoding types. 
+ * All different kinds of encoding types.
  *
- * Each field of an IKEv2-Message (in header or payload) 
+ * Each field of an IKEv2-Message (in header or payload)
  * which has to be parsed or generated differently has its own
  * type defined here.
  *
- * Header is parsed like a payload and gets its one payload_id 
- * from PRIVATE USE space. Also the substructures 
- * of specific payload types get their own payload_id 
+ * Header is parsed like a payload and gets its one payload_id
+ * from PRIVATE USE space. Also the substructures
+ * of specific payload types get their own payload_id
  * from PRIVATE_USE space. See IKEv2-Draft for more informations.
  */
 enum encoding_type_t {
-       
+
        /**
         * Representing a 4 Bit unsigned int value.
-        * 
-        * 
+        *
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 4 bit forward afterwards.
-        * 
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 4 bit forward afterwards.
         */
        U_INT_4,
-       
+
        /**
         * Representing a 8 Bit unsigned int value.
-        * 
-        * 
+        *
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 8 bit forward afterwards.
-        *  
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 8 bit forward afterwards.
         */
        U_INT_8,
-       
+
        /**
         * Representing a 16 Bit unsigned int value.
-        * 
-        * 
+        *
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 16 bit forward afterwards.
-        * 
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 16 bit forward afterwards.
         */
        U_INT_16,
-       
+
        /**
         * Representing a 32 Bit unsigned int value.
-        * 
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 32 bit forward afterwards.
-        * 
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 32 bit forward afterwards.
         */
        U_INT_32,
-       
+
        /**
         * represents a RESERVED_BIT used in FLAG-Bytes.
-        * 
-        * When generating, the next bit is set to zero and the current write 
+        *
+        * When generating, the next bit is set to zero and the current write
         * position is moved one bit forward.
         * No value is read from the associated data struct.
         * The current write position is moved 1 bit forward afterwards.
-        * 
+        *
         * When parsing, the current read pointer is moved one bit forward.
         * No value is written to the associated data struct.
         * The current read pointer is moved 1 bit forward afterwards.
         */
        RESERVED_BIT,
-       
+
        /**
         * represents a RESERVED_BYTE.
-        * 
-        * When generating, the next byte is set to zero and the current write 
+        *
+        * When generating, the next byte is set to zero and the current write
         * position is moved one byte forward.
         * No value is read from the associated data struct.
         * The current write position is moved 1 byte forward afterwards.
-        * 
+        *
         * When parsing, the current read pointer is moved one byte forward.
         * No value is written to the associated data struct.
         * The current read pointer is moved 1 byte forward afterwards.
         */
        RESERVED_BYTE,
-       
+
        /**
         * Representing a 1 Bit flag.
-        * 
-        * When generation, the next bit is set to 1 if the associated value 
-        * in the data struct is TRUE, 0 otherwise. The current write position 
+        *
+        * When generation, the next bit is set to 1 if the associated value
+        * in the data struct is TRUE, 0 otherwise. The current write position
         * is moved 1 bit forward afterwards.
         *
-        * When parsing, the next bit is read and stored in the associated data 
-        * struct. 0 means FALSE, 1 means TRUE, The current read pointer 
+        * When parsing, the next bit is read and stored in the associated data
+        * struct. 0 means FALSE, 1 means TRUE, The current read pointer
         * is moved 1 bit forward afterwards
         */
        FLAG,
-       
+
        /**
         * Representating a length field of a payload.
-        * 
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 16 bit forward afterwards.
-        * 
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 16 bit forward afterwards.
         */
        PAYLOAD_LENGTH,
-       
+
        /**
         * Representating a length field of a header.
-        * 
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 32 bit forward afterwards.
-        * 
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 32 bit forward afterwards.
         */
        HEADER_LENGTH,
-       
+
        /**
         * Representating a spi size field.
-        * 
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 8 bit forward afterwards.
-        * 
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 8 bit forward afterwards.
         */
        SPI_SIZE,
-       
+
        /**
         * Representating a spi field.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
         */
        SPI,
-       
+
        /**
         * Representating a Key Exchange Data field.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
         */
        KEY_EXCHANGE_DATA,
-       
+
        /**
         * Representating a Notification field.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - spi size - 8) bytes are read and written into the chunk pointing to.
         */
        NOTIFICATION_DATA,
-       
+
        /**
         * Representating one or more proposal substructures.
-        * 
+        *
         * The offset points to a linked_list_t pointer.
-        * 
-        * When generating the proposal_substructure_t objects are stored 
+        *
+        * When generating the proposal_substructure_t objects are stored
         * in the pointed linked_list.
-        * 
-        * When parsing the parsed proposal_substructure_t objects have 
+        *
+        * When parsing the parsed proposal_substructure_t objects have
         * to be stored in the pointed linked_list.
-        */     
+        */
        PROPOSALS,
-       
+
        /**
         * Representating one or more transform substructures.
-        * 
+        *
         * The offset points to a linked_list_t pointer.
-        * 
-        * When generating the transform_substructure_t objects are stored 
+        *
+        * When generating the transform_substructure_t objects are stored
         * in the pointed linked_list.
-        * 
-        * When parsing the parsed transform_substructure_t objects have 
+        *
+        * When parsing the parsed transform_substructure_t objects have
         * to be stored in the pointed linked_list.
-        */     
+        */
        TRANSFORMS,
-       
+
        /**
         * Representating one or more Attributes of a transform substructure.
-        * 
+        *
         * The offset points to a linked_list_t pointer.
-        * 
-        * When generating the transform_attribute_t objects are stored 
+        *
+        * When generating the transform_attribute_t objects are stored
         * in the pointed linked_list.
-        * 
-        * When parsing the parsed transform_attribute_t objects have 
+        *
+        * When parsing the parsed transform_attribute_t objects have
         * to be stored in the pointed linked_list.
-        */     
+        */
        TRANSFORM_ATTRIBUTES,
 
        /**
         * Representating one or more Attributes of a configuration payload.
-        * 
+        *
         * The offset points to a linked_list_t pointer.
-        * 
-        * When generating the configuration_attribute_t objects are stored 
+        *
+        * When generating the configuration_attribute_t objects are stored
         * in the pointed linked_list.
-        * 
-        * When parsing the parsed configuration_attribute_t objects have 
+        *
+        * When parsing the parsed configuration_attribute_t objects have
         * to be stored in the pointed linked_list.
-        */             
+        */
        CONFIGURATION_ATTRIBUTES,
-       
+
        /**
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
         */
        CONFIGURATION_ATTRIBUTE_VALUE,
-       
+
        /**
         * Representing a 1 Bit flag specifying the format of a transform attribute.
-        * 
-        * When generation, the next bit is set to 1 if the associated value 
-        * in the data struct is TRUE, 0 otherwise. The current write position 
+        *
+        * When generation, the next bit is set to 1 if the associated value
+        * in the data struct is TRUE, 0 otherwise. The current write position
         * is moved 1 bit forward afterwards.
         *
-        * When parsing, the next bit is read and stored in the associated data 
-        * struct. 0 means FALSE, 1 means TRUE, The current read pointer 
+        * When parsing, the next bit is read and stored in the associated data
+        * struct. 0 means FALSE, 1 means TRUE, The current read pointer
         * is moved 1 bit forward afterwards.
         */
        ATTRIBUTE_FORMAT,
        /**
-        * Representing a 15 Bit unsigned int value used as attribute type 
+        * Representing a 15 Bit unsigned int value used as attribute type
         * in an attribute transform.
-        * 
-        * 
+        *
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 15 bit forward afterwards.
-        * 
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 15 bit forward afterwards.
@@ -298,11 +298,11 @@ enum encoding_type_t {
         * Depending on the field of type ATTRIBUTE_FORMAT
         * this field contains the length or the value of an transform attribute.
         * Its stored in a 16 unsigned integer field.
-        * 
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 16 bit forward afterwards.
-        * 
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 16 bit forward afterwards.
@@ -312,11 +312,11 @@ enum encoding_type_t {
        /**
         * This field contains the length or the value of an configuration attribute.
         * Its stored in a 16 unsigned integer field.
-        * 
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 16 bit forward afterwards.
-        * 
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 16 bit forward afterwards.
@@ -325,155 +325,155 @@ enum encoding_type_t {
 
        /**
         * Depending on the field of type ATTRIBUTE_FORMAT
-        * this field is available or missing and so parsed/generated 
+        * this field is available or missing and so parsed/generated
         * or not parsed/not generated.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
         */
        ATTRIBUTE_VALUE,
-       
+
        /**
         * Representating one or more Traffic selectors of a TS payload.
-        * 
+        *
         * The offset points to a linked_list_t pointer.
-        * 
-        * When generating the traffic_selector_substructure_t objects are stored 
+        *
+        * When generating the traffic_selector_substructure_t objects are stored
         * in the pointed linked_list.
-        * 
-        * When parsing the parsed traffic_selector_substructure_t objects have 
+        *
+        * When parsing the parsed traffic_selector_substructure_t objects have
         * to be stored in the pointed linked_list.
-        */     
+        */
        TRAFFIC_SELECTORS,
-       
+
        /**
         * Representating a Traffic selector type field.
-        * 
+        *
         * When generating it must be changed from host to network order.
         * The value is read from the associated data struct.
         * The current write position is moved 16 bit forward afterwards.
-        * 
+        *
         * When parsing it must be changed from network to host order.
         * The value is written to the associated data struct.
         * The current read pointer is moved 16 bit forward afterwards.
         */
        TS_TYPE,
-       
+
        /**
         * Representating an address field in a traffic selector.
-        * 
+        *
         * Depending on the last field of type TS_TYPE
         * this field is either 4 or 16 byte long.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing 4 or 16 bytes are read and written into the chunk pointing to.
         */
        ADDRESS,
 
        /**
         * Representating a Nonce Data field.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
         */
        NONCE_DATA,
-       
+
        /**
         * Representating a ID Data field.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
         */
        ID_DATA,
-       
+
        /**
         * Representating a AUTH Data field.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
         */
        AUTH_DATA,
-       
+
        /**
         * Representating a CERT Data field.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
         */
        CERT_DATA,
 
        /**
         * Representating a CERTREQ Data field.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
         */
        CERTREQ_DATA,
-       
+
        /**
         * Representating an EAP message field.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
         */
        EAP_DATA,
-       
+
        /**
         * Representating the SPIS field in a DELETE payload.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
         */
        SPIS,
-       
+
        /**
         * Representating the VID DATA field in a VENDOR ID payload.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
         */
        VID_DATA,
-       
+
        /**
         * Representating the DATA of an unknown payload.
-        * 
-        * When generating the content of the chunkt pointing to 
+        *
+        * When generating the content of the chunkt pointing to
         * is written.
-        * 
+        *
         * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
         */
        UNKNOWN_DATA,
-       
+
        /**
         * Representating an IKE_SPI field in an IKEv2 Header.
-        * 
-        * When generating the value of the u_int64_t pointing to 
+        *
+        * When generating the value of the u_int64_t pointing to
         * is written (host and networ order is not changed).
-        * 
+        *
         * When parsing 8 bytes are read and written into the u_int64_t pointing to.
         */
        IKE_SPI,
-       
+
        /**
         * Representing the encrypted data body of a encryption payload.
         */
@@ -488,25 +488,25 @@ extern enum_name_t *encoding_type_names;
 /**
  * Rule how to en-/decode a payload field.
  *
- * An encoding rule is a mapping of a specific encoding type to 
+ * An encoding rule is a mapping of a specific encoding type to
  * a location in the data struct where the current field is stored to
  * or read from.
  * This rules are used by parser and generator.
  */
 struct encoding_rule_t {
-       
+
        /**
         * Encoding type.
         */
        encoding_type_t type;
-       
+
        /**
         * Offset in the data struct.
-        * 
-        * When parsing, data are written to this offset of the 
+        *
+        * When parsing, data are written to this offset of the
         * data struct.
-        * 
-        * When generating, data are read from this offset in the 
+        *
+        * When generating, data are read from this offset in the
         * data struct.
         */
        u_int32_t offset;
index 55a37bb252176f9094e5f651c6bf2bf797c61475..389ab09d75fadfd344942371befe837614b5e21e 100644 (file)
@@ -32,19 +32,19 @@ typedef struct private_encryption_payload_t private_encryption_payload_t;
 
 /**
  * Private data of an encryption_payload_t' Object.
- * 
+ *
  */
 struct private_encryption_payload_t {
-       
+
        /**
         * Public encryption_payload_t interface.
         */
        encryption_payload_t public;
-       
+
        /**
-        * There is no next payload for an encryption payload, 
+        * There is no next payload for an encryption payload,
         * since encryption payload MUST be the last one.
-        * next_payload means here the first payload of the 
+        * next_payload means here the first payload of the
         * contained, encrypted payload.
         */
        u_int8_t next_payload;
@@ -53,33 +53,33 @@ struct private_encryption_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload
         */
        u_int16_t payload_length;
-       
+
        /**
         * Chunk containing the iv, data, padding,
         * and (an eventually not calculated) signature.
         */
        chunk_t encrypted;
-       
+
        /**
         * Chunk containing the data in decrypted (unpadded) form.
         */
        chunk_t decrypted;
-       
+
        /**
         * Signer set by set_signer.
         */
        signer_t *signer;
-       
+
        /**
         * Crypter, supplied by encrypt/decrypt
         */
        crypter_t *crypter;
-       
+
        /**
         * Contained payloads of this encrpytion_payload.
         */
@@ -88,10 +88,10 @@ struct private_encryption_payload_t {
 
 /**
  * Encoding rules to parse or generate a IKEv2-Encryption Payload.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_encryption_payload_t.
- * 
+ *
  */
 encoding_rule_t encryption_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
@@ -170,7 +170,7 @@ static payload_type_t get_next_type(private_encryption_payload_t *this)
  */
 static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
 {
-       /* set next type is not allowed, since this payload MUST be the last one 
+       /* set next type is not allowed, since this payload MUST be the last one
         * and so nothing is done in here*/
 }
 
@@ -190,7 +190,7 @@ static void compute_length(private_encryption_payload_t *this)
                length += current_payload->get_length(current_payload);
        }
        iterator->destroy(iterator);
-       
+
        if (this->crypter && this->signer)
        {
                /* append one byte for padding length */
@@ -268,13 +268,13 @@ static void generate(private_encryption_payload_t *this)
        payload_t *current_payload, *next_payload;
        generator_t *generator;
        iterator_t *iterator;
-       
+
        /* recalculate length before generating */
        compute_length(this);
-       
+
        /* create iterator */
        iterator = this->payloads->create_iterator(this->payloads, TRUE);
-       
+
        /* get first payload */
        if (iterator->iterate(iterator, (void**)&current_payload))
        {
@@ -289,9 +289,9 @@ static void generate(private_encryption_payload_t *this)
                iterator->destroy(iterator);
                return;
        }
-       
+
        generator = generator_create();
-       
+
        /* build all payload, except last */
        while(iterator->iterate(iterator, (void**)&next_payload))
        {
@@ -300,14 +300,14 @@ static void generate(private_encryption_payload_t *this)
                current_payload = next_payload;
        }
        iterator->destroy(iterator);
-       
+
        /* build last payload */
        current_payload->set_next_type(current_payload, NO_PAYLOAD);
        generator->generate_payload(generator, current_payload);
-       
+
        /* free already generated data */
        free(this->decrypted.ptr);
-       
+
        generator->write_to_chunk(generator, &(this->decrypted));
        generator->destroy(generator);
        DBG2(DBG_ENC, "successfully generated content in encryption payload");
@@ -321,13 +321,13 @@ static status_t encrypt(private_encryption_payload_t *this)
        chunk_t iv, padding, to_crypt, result;
        rng_t *rng;
        size_t block_size;
-       
+
        if (this->signer == NULL || this->crypter == NULL)
        {
                DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
                return INVALID_STATE;
        }
-       
+
        /* for random data in iv and padding */
        rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
        if (!rng)
@@ -337,15 +337,15 @@ static status_t encrypt(private_encryption_payload_t *this)
        }
        /* build payload chunk */
        generate(this);
-       
+
        DBG2(DBG_ENC, "encrypting payloads");
        DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
-       
+
        /* build padding */
        block_size = this->crypter->get_block_size(this->crypter);
        padding.len = block_size - ((this->decrypted.len + 1) %  block_size);
        rng->allocate_bytes(rng, padding.len, &padding);
-       
+
        /* concatenate payload data, padding, padding len */
        to_crypt.len = this->decrypted.len + padding.len + 1;
        to_crypt.ptr = malloc(to_crypt.len);
@@ -353,36 +353,36 @@ static status_t encrypt(private_encryption_payload_t *this)
        memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
        memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
        *(to_crypt.ptr + to_crypt.len - 1) = padding.len;
-               
+
        /* build iv */
        iv.len = block_size;
        rng->allocate_bytes(rng, iv.len, &iv);
        rng->destroy(rng);
-       
+
        DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
-       
+
        /* encrypt to_crypt chunk */
        free(this->encrypted.ptr);
        this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
        free(padding.ptr);
        free(to_crypt.ptr);
-       
+
        DBG3(DBG_ENC, "data after encryption %B", &result);
-       
+
        /* build encrypted result with iv and signature */
        this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
        free(this->encrypted.ptr);
        this->encrypted.ptr = malloc(this->encrypted.len);
-       
+
        /* fill in result, signature is left out */
        memcpy(this->encrypted.ptr, iv.ptr, iv.len);
        memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
-       
+
        free(result.ptr);
        free(iv.ptr);
        DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
                 &this->encrypted);
-       
+
        return SUCCESS;
 }
 
@@ -394,16 +394,16 @@ static status_t parse(private_encryption_payload_t *this)
        parser_t *parser;
        status_t status;
        payload_type_t current_payload_type;
-       
+
        /* build a parser on the decrypted data */
        parser = parser_create(this->decrypted);
-       
+
        current_payload_type = this->next_payload;
        /* parse all payloads */
        while (current_payload_type != NO_PAYLOAD)
        {
-               payload_t *current_payload;     
-               
+               payload_t *current_payload;
+
                status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
                if (status != SUCCESS)
                {
@@ -423,7 +423,7 @@ static status_t parse(private_encryption_payload_t *this)
 
                /* get next payload type */
                current_payload_type = current_payload->get_next_type(current_payload);
-               
+
                this->payloads->insert_last(this->payloads,current_payload);
        }
        parser->destroy(parser);
@@ -438,50 +438,50 @@ static status_t decrypt(private_encryption_payload_t *this)
 {
        chunk_t iv, concatenated;
        u_int8_t padding_length;
-       
+
        DBG2(DBG_ENC, "decrypting encryption payload");
        DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
                 &this->encrypted);
-       
+
        if (this->signer == NULL || this->crypter == NULL)
        {
                DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
                return INVALID_STATE;
        }
-       
+
        /* get IV */
        iv.len = this->crypter->get_block_size(this->crypter);
-       
+
        iv.ptr = this->encrypted.ptr;
-       
+
        /* point concatenated to data + padding + padding_length*/
        concatenated.ptr = this->encrypted.ptr + iv.len;
        concatenated.len = this->encrypted.len - iv.len -
                                                                this->signer->get_block_size(this->signer);
-               
+
        /* concatenated must be a multiple of block_size of crypter */
        if (concatenated.len < iv.len || concatenated.len % iv.len)
        {
                DBG1(DBG_ENC, "could not decrypt, invalid input");
                return FAILED;
        }
-       
+
        /* free previus data, if any */
        free(this->decrypted.ptr);
-       
+
        DBG3(DBG_ENC, "data before decryption %B", &concatenated);
-       
+
        this->crypter->decrypt(this->crypter, concatenated, iv, &this->decrypted);
 
        DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
-       
+
        /* get padding length, sits just bevore signature */
        padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
-       /* add one byte to the padding length, since the padding_length field is 
+       /* add one byte to the padding length, since the padding_length field is
         * not included */
        padding_length++;
        this->decrypted.len -= padding_length;
-       
+
        /* check size again */
        if (padding_length > concatenated.len || this->decrypted.len < 0)
        {
@@ -489,7 +489,7 @@ static status_t decrypt(private_encryption_payload_t *this)
                /* decryption failed :-/ */
                return FAILED;
        }
-       
+
        /* free padding */
        this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
        DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
@@ -513,13 +513,13 @@ static status_t build_signature(private_encryption_payload_t *this, chunk_t data
 {
        chunk_t data_without_sig = data;
        chunk_t sig;
-       
+
        if (this->signer == NULL)
        {
                DBG1(DBG_ENC, "unable to build signature, no signer set");
                return INVALID_STATE;
        }
-       
+
        sig.len = this->signer->get_block_size(this->signer);
        data_without_sig.len -= sig.len;
        sig.ptr = data.ptr + data_without_sig.len;
@@ -535,7 +535,7 @@ static status_t verify_signature(private_encryption_payload_t *this, chunk_t dat
 {
        chunk_t sig, data_without_sig;
        bool valid;
-       
+
        if (this->signer == NULL)
        {
                DBG1(DBG_ENC, "unable to verify signature, no signer set");
@@ -549,18 +549,18 @@ static status_t verify_signature(private_encryption_payload_t *this, chunk_t dat
                return FAILED;
        }
        sig.ptr = data.ptr + data.len - sig.len;
-       
+
        /* verify it */
        data_without_sig.len = data.len - sig.len;
        data_without_sig.ptr = data.ptr;
        valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
-       
+
        if (!valid)
        {
                DBG1(DBG_ENC, "signature verification failed");
                return FAILED;
        }
-       
+
        DBG2(DBG_ENC, "signature verification successful");
        return SUCCESS;
 }
@@ -582,7 +582,7 @@ static void destroy(private_encryption_payload_t *this)
 encryption_payload_t *encryption_payload_create()
 {
        private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
-       
+
        /* payload_t interface functions */
        this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
        this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
@@ -591,20 +591,20 @@ encryption_payload_t *encryption_payload_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
        this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
        this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
        this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
-       
+
        this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
        this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
        this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
        this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
        this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
        this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
-       
+
        /* set default values of the fields */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
@@ -614,6 +614,6 @@ encryption_payload_t *encryption_payload_create()
        this->signer = NULL;
        this->crypter = NULL;
        this->payloads = linked_list_create();
-       
+
        return (&(this->public));
 }
index 3b94587ec4917e30d76b8820f070166151bf365d..ac5326b87163fbe6595f73e93b9c5c45e1ea718f 100644 (file)
@@ -39,7 +39,7 @@ typedef struct encryption_payload_t encryption_payload_t;
 /**
  * The encryption payload as described in RFC section 3.14.
  *
- * Before any crypt/decrypt/sign/verify operation can occur, 
+ * Before any crypt/decrypt/sign/verify operation can occur,
  * the transforms must be set. After that, a parsed encryption payload
  * can be decrypted, which also will parse the contained payloads.
  * Encryption is done the same way, added payloads will get generated
@@ -54,24 +54,24 @@ struct encryption_payload_t {
         * Implements payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Creates an iterator for all contained payloads.
-        * 
+        *
         * iterator_t object has to get destroyed by the caller.
         *
         * @param forward               iterator direction (TRUE: front to end)
         * return                               created iterator_t object
         */
         iterator_t *(*create_payload_iterator) (encryption_payload_t *this, bool forward);
-       
+
        /**
         * Adds a payload to this encryption payload.
         *
         * @param payload               payload_t object to add
         */
        void (*add_payload) (encryption_payload_t *this, payload_t *payload);
-       
+
        /**
         * Reove the last payload in the contained payload list.
         *
@@ -81,20 +81,20 @@ struct encryption_payload_t {
         *                                              - NOT_FOUND if list empty
         */
        status_t (*remove_first_payload) (encryption_payload_t *this, payload_t **payload);
-       
+
        /**
         * Get the number of payloads.
         *
         * @return                              number of contained payloads
         */
        size_t (*get_payload_count) (encryption_payload_t *this);
-       
+
        /**
         * Set transforms to use.
-        * 
+        *
         * To decryption, encryption, signature building and verifying,
         * the payload needs a crypter and a signer object.
-        * 
+        *
         * @warning Do NOT call this function again after encryption, since
         * the signer must be the same while encrypting and signature building!
         *
@@ -102,10 +102,10 @@ struct encryption_payload_t {
         * @param signer                signer_t to use for data signing/verifying
         */
        void (*set_transforms) (encryption_payload_t *this, crypter_t *crypter, signer_t *signer);
-       
+
        /**
         * Generate and encrypt contained payloads.
-        * 
+        *
         * This function generates the content for added payloads
         * and encrypts them. Signature is not built, since we need
         * additional data (the full message).
@@ -113,11 +113,11 @@ struct encryption_payload_t {
         * @return                              SUCCESS, or INVALID_STATE if transforms not set
         */
        status_t (*encrypt) (encryption_payload_t *this);
-       
+
        /**
         * Decrypt and parse contained payloads.
-        * 
-        * This function decrypts the contained data. After, 
+        *
+        * This function decrypts the contained data. After,
         * the payloads are parsed internally and are accessible
         * via the iterator.
         *
@@ -127,29 +127,29 @@ struct encryption_payload_t {
         *                                              - FAILED if data is invalid
         */
        status_t (*decrypt) (encryption_payload_t *this);
-       
+
        /**
         * Build the signature.
-        * 
+        *
         * The signature is built over the FULL message, so the header
         * and every payload (inclusive this one) must already be generated.
         * The generated message is supplied via the data paramater.
-        * 
+        *
         * @param data                  chunk contains the already generated message
         * @return
         *                                              - SUCCESS, or
         *                                              - INVALID_STATE if transforms not set
         */
        status_t (*build_signature) (encryption_payload_t *this, chunk_t data);
-               
+
        /**
         * Verify the signature.
-        * 
+        *
         * Since the signature is built over the full message, we need
         * this data to do the verification. The message data
         * is supplied via the data argument.
-        * 
-        * @param data                  chunk contains the message 
+        *
+        * @param data                  chunk contains the message
         * @return
         *                                              - SUCCESS, or
         *                                              - FAILED if signature invalid, or
@@ -165,7 +165,7 @@ struct encryption_payload_t {
 
 /**
  * Creates an empty encryption_payload_t object.
- * 
+ *
  * @return encryption_payload_t object
  */
 encryption_payload_t *encryption_payload_create(void);
index c30d2994248c6d58cad98ee12fddd3b2e6c00c5b..5b8848f11555dd6937b10d24375d0d386d8ff9fb 100644 (file)
@@ -23,34 +23,34 @@ typedef struct private_endpoint_notify_t private_endpoint_notify_t;
 
 /**
  * Private data of an notify_payload_t object.
- * 
+ *
  */
 struct private_endpoint_notify_t {
        /**
         * Public endpoint_notify_t interface.
         */
        endpoint_notify_t public;
-       
+
        /**
         * Priority
         */
        u_int32_t priority;
-       
+
        /**
         * Family
         */
        me_endpoint_family_t family;
-               
+
        /**
         * Endpoint type
         */
        me_endpoint_type_t type;
-       
+
        /**
         * Endpoint
         */
        host_t *endpoint;
-       
+
        /**
         * Base (used for server reflexive endpoints)
         */
@@ -65,7 +65,7 @@ struct private_endpoint_notify_t {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       !     Family    !      Type     !              Port             !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      !                       IP Address (variable)                   
+      !                       IP Address (variable)
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
@@ -122,9 +122,9 @@ static status_t parse_notification_data(private_endpoint_notify_t *this, chunk_t
        chunk_t addr;
        u_int8_t *cur = data.ptr;
        u_int8_t *top = data.ptr + data.len;
-       
+
        DBG3(DBG_IKE, "me_endpoint_data %B", &data);
-       
+
        if (parse_uint32(&cur, top, &this->priority) != SUCCESS)
        {
                DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid priority");
@@ -136,20 +136,20 @@ static status_t parse_notification_data(private_endpoint_notify_t *this, chunk_t
                DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid family");
                return FAILED;
        }
-       
+
        this->family = (me_endpoint_family_t)family;
-       
+
        if (parse_uint8(&cur, top, &type) != SUCCESS || type >= MAX_TYPE)
        {
                DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid type");
                return FAILED;
        }
-       
+
        this->type = (me_endpoint_type_t)type;
-       
+
        addr_family = AF_INET;
        addr.len = 4;
-       
+
        switch(this->family)
        {
                case IPv6:
@@ -160,24 +160,24 @@ static status_t parse_notification_data(private_endpoint_notify_t *this, chunk_t
                        if (parse_uint16(&cur, top, &port) != SUCCESS)
                        {
                                DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid port");
-                               return FAILED;  
+                               return FAILED;
                        }
-                       
+
                        if (cur + addr.len > top)
                        {
                                DBG1(DBG_IKE, "failed to parse ME_ENDPOINT: invalid IP address");
                                return FAILED;
                        }
-                       
+
                        addr.ptr = cur;
-                       
+
                        this->endpoint = host_create_from_chunk(addr_family, addr, port);
                        break;
                case NO_FAMILY:
                default:
                        this->endpoint = NULL;
                        break;
-       }       
+       }
        return SUCCESS;
 }
 
@@ -192,14 +192,14 @@ static chunk_t build_notification_data(private_endpoint_notify_t *this)
        u_int32_t prio;
        u_int16_t port;
        u_int8_t family, type;
-       
+
        prio = htonl(this->priority);
        prio_chunk = chunk_from_thing(prio);
        family = this->family;
        family_chunk = chunk_from_thing(family);
        type = this->type;
        type_chunk = chunk_from_thing(type);
-       
+
        if (this->endpoint)
        {
                port = htons(this->endpoint->get_port(this->endpoint));
@@ -208,15 +208,15 @@ static chunk_t build_notification_data(private_endpoint_notify_t *this)
        else
        {
                port = 0;
-               addr_chunk = chunk_empty; 
+               addr_chunk = chunk_empty;
        }
        port_chunk = chunk_from_thing(port);
-       
+
        /* data = prio | family | type | port | addr */
        data = chunk_cat("ccccc", prio_chunk, family_chunk, type_chunk,
                        port_chunk, addr_chunk);
        DBG3(DBG_IKE, "me_endpoint_data %B", &data);
-       
+
        return data;
 }
 
@@ -226,14 +226,14 @@ static chunk_t build_notification_data(private_endpoint_notify_t *this)
 static notify_payload_t *build_notify(private_endpoint_notify_t *this)
 {
        chunk_t data;
-       notify_payload_t *notify;       
-       
+       notify_payload_t *notify;
+
        notify = notify_payload_create();
        notify->set_notify_type(notify, ME_ENDPOINT);
        data = build_notification_data(this);
        notify->set_notification_data(notify, data);
        chunk_free(&data);
-       
+
        return notify;
 }
 
@@ -291,7 +291,7 @@ static host_t *get_base(private_endpoint_notify_t *this)
 static endpoint_notify_t *_clone(private_endpoint_notify_t *this)
 {
        private_endpoint_notify_t *clone = (private_endpoint_notify_t*)endpoint_notify_create();
-       
+
        clone->priority = this->priority;
        clone->type = this->type;
        clone->family = this->family;
@@ -299,12 +299,12 @@ static endpoint_notify_t *_clone(private_endpoint_notify_t *this)
        {
                clone->endpoint = this->endpoint->clone(this->endpoint);
        }
-       
+
        if (this->base)
        {
                clone->base = this->base->clone(this->base);
        }
-       
+
        return &clone->public;
 }
 
@@ -336,14 +336,14 @@ endpoint_notify_t *endpoint_notify_create()
        this->public.build_notify = (notify_payload_t *(*) (endpoint_notify_t *)) build_notify;
        this->public.clone = (endpoint_notify_t *(*) (endpoint_notify_t *)) _clone;
        this->public.destroy = (void (*) (endpoint_notify_t *)) destroy;
-       
+
        /* set default values of the fields */
        this->priority = 0;
        this->family = NO_FAMILY;
        this->type = NO_TYPE;
        this->endpoint = NULL;
        this->base = NULL;
-       
+
        return &this->public;
 }
 
@@ -353,34 +353,34 @@ endpoint_notify_t *endpoint_notify_create()
 endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type, host_t *host, host_t *base)
 {
        private_endpoint_notify_t *this = (private_endpoint_notify_t*)endpoint_notify_create();
-       
+
        this->type = type;
-       
+
        switch(type)
        {
                case HOST:
-                       this->priority = pow(2, 16) * ME_PRIO_HOST; 
+                       this->priority = pow(2, 16) * ME_PRIO_HOST;
                        break;
                case PEER_REFLEXIVE:
-                       this->priority = pow(2, 16) * ME_PRIO_PEER; 
+                       this->priority = pow(2, 16) * ME_PRIO_PEER;
                        break;
                case SERVER_REFLEXIVE:
-                       this->priority = pow(2, 16) * ME_PRIO_SERVER; 
+                       this->priority = pow(2, 16) * ME_PRIO_SERVER;
                        break;
                case RELAYED:
                default:
-                       this->priority = pow(2, 16) * ME_PRIO_RELAY; 
+                       this->priority = pow(2, 16) * ME_PRIO_RELAY;
                        break;
        }
-       
+
        /* FIXME: if there is more than one ip address we should vary this priority */
        this->priority += 65535;
-       
+
        if (!host)
        {
                return &this->public;
        }
-       
+
        switch(host->get_family(host))
        {
                case AF_INET:
@@ -394,14 +394,14 @@ endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type, hos
                         * (family is set to NO_FAMILY) */
                        return &this->public;
        }
-       
+
        this->endpoint = host->clone(host);
-       
+
        if (base)
        {
                this->base = base->clone(base);
        }
-       
+
        return &this->public;
 }
 
@@ -414,7 +414,7 @@ endpoint_notify_t *endpoint_notify_create_from_payload(notify_payload_t *notify)
        {
                return NULL;
        }
-       
+
        private_endpoint_notify_t *this = (private_endpoint_notify_t*)endpoint_notify_create();
        chunk_t data = notify->get_notification_data(notify);
        if (parse_notification_data(this, data) != SUCCESS)
index 66aabc68396ecac609af34c43bf198e03de8f8e0..120eef49a279529a68d7ff1db68071f8418de57e 100644 (file)
@@ -36,34 +36,34 @@ typedef struct endpoint_notify_t endpoint_notify_t;
  * ME endpoint families.
  */
 enum me_endpoint_family_t {
-       
+
        NO_FAMILY = 0,
-       
+
        IPv4 = 1,
-       
+
        IPv6 = 2,
-       
+
        MAX_FAMILY = 3
-       
+
 };
 
 /**
  * ME endpoint types.
  */
 enum me_endpoint_type_t {
-       
+
        NO_TYPE = 0,
-       
+
        HOST = 1,
-       
+
        PEER_REFLEXIVE = 2,
-       
+
        SERVER_REFLEXIVE = 3,
-       
+
        RELAYED = 4,
-       
+
        MAX_TYPE = 5
-       
+
 };
 
 /**
@@ -79,52 +79,52 @@ extern enum_name_t *me_endpoint_type_names;
 struct endpoint_notify_t {
        /**
         * Returns the priority of this endpoint.
-        * 
+        *
         * @return                      priority
         */
        u_int32_t (*get_priority) (endpoint_notify_t *this);
-       
+
        /**
         * Sets the priority of this endpoint.
-        * 
+        *
         * @param priority      priority
         */
        void (*set_priority) (endpoint_notify_t *this, u_int32_t priority);
-       
+
        /**
         * Returns the endpoint type of this endpoint.
-        * 
+        *
         * @return                      endpoint type
         */
        me_endpoint_type_t (*get_type) (endpoint_notify_t *this);
-       
+
        /**
         * Returns the endpoint family of this endpoint.
-        * 
+        *
         * @return                      endpoint family
         */
        me_endpoint_family_t (*get_family) (endpoint_notify_t *this);
-       
+
        /**
         * Returns the host of this endpoint.
-        * 
+        *
         * @return                      host
         */
        host_t *(*get_host) (endpoint_notify_t *this);
-       
+
        /**
         * Returns the base of this endpoint.
-        * 
+        *
         * If this is not a SERVER_REFLEXIVE endpoint, the returned host is the same
         * as the one returned by get_host.
-        * 
+        *
         * @return                      host
         */
        host_t *(*get_base) (endpoint_notify_t *this);
-       
+
        /**
-        * Generates a notification payload from this endpoint. 
-        *      
+        * Generates a notification payload from this endpoint.
+        *
         * @return                      built notify_payload_t
         */
        notify_payload_t *(*build_notify) (endpoint_notify_t *this);
@@ -135,7 +135,7 @@ struct endpoint_notify_t {
         * @return                      cloned object
         */
        endpoint_notify_t *(*clone) (endpoint_notify_t *this);
-       
+
        /**
         * Destroys an endpoint_notify_t object.
         */
@@ -144,7 +144,7 @@ struct endpoint_notify_t {
 
 /**
  * Creates an empty endpoint_notify_t object.
- * 
+ *
  * @return                     created endpoint_notify_t object
  */
 endpoint_notify_t *endpoint_notify_create(void);
@@ -152,7 +152,7 @@ endpoint_notify_t *endpoint_notify_create(void);
 
 /**
  * Creates an endpoint_notify_t object from a host.
- * 
+ *
  * @param type         the endpoint type
  * @param host         host to base the notify on (gets cloned)
  * @param base         base of the endpoint, applies only to reflexive endpoints (gets cloned)
@@ -163,7 +163,7 @@ endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type,
 
 /**
  * Creates an endpoint_notify_t object from a notify payload.
- * 
+ *
  * @param notify       the notify payload
  * @return                     - created endpoint_notify_t object
  *                                     - NULL if invalid payload
index 4a527cb24ff1985fcdc664959845c0c43d99a2c6..801f720b9395c95bf9e8f71e385888218c816987 100644 (file)
@@ -27,19 +27,19 @@ typedef struct private_id_payload_t private_id_payload_t;
 
 /**
  * Private data of an id_payload_t object.
- * 
+ *
  */
 struct private_id_payload_t {
        /**
         * Public id_payload_t interface.
         */
        id_payload_t public;
-       
+
        /**
         * one of ID_INITIATOR, ID_RESPONDER
         */
        payload_type_t payload_type;
-       
+
        /**
         * Next payload type.
         */
@@ -49,17 +49,17 @@ struct private_id_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * Type of the ID Data.
         */
        u_int8_t id_type;
-       
+
        /**
         * The contained id data value.
         */
@@ -68,10 +68,10 @@ struct private_id_payload_t {
 
 /**
  * Encoding rules to parse or generate a ID payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_id_payload_t.
- * 
+ *
  */
 encoding_rule_t id_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
@@ -126,7 +126,7 @@ static status_t verify(private_id_payload_t *this)
                DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
                return FAILED;
        }
-               
+
        return SUCCESS;
 }
 
@@ -242,7 +242,7 @@ static void destroy(private_id_payload_t *this)
        {
                chunk_free(&(this->id_data));
        }
-       free(this);     
+       free(this);
 }
 
 /*
@@ -260,7 +260,7 @@ id_payload_t *id_payload_create(payload_type_t payload_type)
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.destroy = (void (*) (id_payload_t *)) destroy;
        this->public.set_id_type = (void (*) (id_payload_t *,id_type_t)) set_id_type;
@@ -268,7 +268,7 @@ id_payload_t *id_payload_create(payload_type_t payload_type)
        this->public.set_data = (void (*) (id_payload_t *,chunk_t)) set_data;
        this->public.get_data = (chunk_t (*) (id_payload_t *)) get_data;
        this->public.get_data_clone = (chunk_t (*) (id_payload_t *)) get_data_clone;
-       
+
        this->public.get_identification = (identification_t * (*) (id_payload_t *this)) get_identification;
 
        /* private variables */
index 555b1324b6305943475835de6d9d4024134f9e1c..5502dc9615451305fd43d809cd23605fab29bb11 100644 (file)
@@ -51,35 +51,35 @@ struct id_payload_t {
         * @param type                  Type of ID
         */
        void (*set_id_type) (id_payload_t *this, id_type_t type);
-       
+
        /**
         * Get the ID type.
         *
-        * @return                              type of the ID 
+        * @return                              type of the ID
         */
        id_type_t (*get_id_type) (id_payload_t *this);
-       
+
        /**
         * Set the ID data.
-        * 
+        *
         * Data are getting cloned.
         *
         * @param data                  ID data as chunk_t
         */
        void (*set_data) (id_payload_t *this, chunk_t data);
-       
+
        /**
         * Get the ID data.
-        * 
+        *
         * Returned data are a copy of the internal one
         *
         * @return                              ID data as chunk_t
         */
        chunk_t (*get_data_clone) (id_payload_t *this);
-       
+
        /**
         * Get the ID data.
-        * 
+        *
         * Returned data are NOT copied.
         *
         * @return                              ID data as chunk_t
@@ -88,13 +88,13 @@ struct id_payload_t {
 
        /**
         * Creates an identification object of this id payload.
-        * 
+        *
         * Returned object has to get destroyed by the caller.
         *
-        * @return                              identification_t object 
+        * @return                              identification_t object
         */
        identification_t *(*get_identification) (id_payload_t *this);
-       
+
        /**
         * Destroys an id_payload_t object.
         */
@@ -103,7 +103,7 @@ struct id_payload_t {
 
 /**
  * Creates an empty id_payload_t object.
- * 
+ *
  * @param payload_type one of ID_INITIATOR, ID_RESPONDER
  * @return                             id_payload_t object
  */
@@ -111,7 +111,7 @@ id_payload_t *id_payload_create(payload_type_t payload_type);
 
 /**
  * Creates an id_payload_t from an existing identification_t object.
- * 
+ *
  * @param payload_type         one of ID_INITIATOR, ID_RESPONDER
  * @param identification       identification_t object
  * @return                                     id_payload_t object
index 614919fac9755738c5497b6257d386de8f6eb906..0ce1ca6b22c3a1cd18bf01766032340a1ba003b7 100644 (file)
@@ -33,7 +33,7 @@ struct private_ike_header_t {
         * Public interface.
         */
        ike_header_t public;
-       
+
        /**
         * SPI of the initiator.
         */
@@ -62,7 +62,7 @@ struct private_ike_header_t {
         * Exchange type .
         */
        u_int8_t  exchange_type;
-       
+
        /**
         * Flags of the Message.
         */
@@ -87,7 +87,7 @@ struct private_ike_header_t {
         * Associated Message-ID.
         */
        u_int32_t message_id;
-       
+
        /**
         * Length of the whole IKEv2-Message (header and all payloads).
         */
@@ -111,7 +111,7 @@ ENUM_END(exchange_type_names, INFORMATIONAL);
 
 /**
  * Encoding rules to parse or generate a IKEv2-Header.
- * 
+ *
  * The defined offsets are the positions in a object of type
  * ike_header_t.
  */
@@ -191,9 +191,9 @@ static status_t verify(private_ike_header_t *this)
                /* initiator spi not set */
                return FAILED;
        }
-       
+
        /* verification of version is not done in here */
-       
+
        return SUCCESS;
 }
 
@@ -372,7 +372,7 @@ static size_t get_length(payload_t *this)
 ike_header_t *ike_header_create()
 {
        private_ike_header_t *this = malloc_thing(private_ike_header_t);
-       
+
        this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
        this->public.payload_interface.get_encoding_rules = get_encoding_rules;
        this->public.payload_interface.get_length = get_length;
@@ -381,7 +381,7 @@ ike_header_t *ike_header_create()
        this->public.payload_interface.get_type = get_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
        this->public.destroy = destroy;
-       
+
        this->public.get_initiator_spi = (u_int64_t (*) (ike_header_t*))get_initiator_spi;
        this->public.set_initiator_spi = (void (*) (ike_header_t*,u_int64_t))set_initiator_spi;
        this->public.get_responder_spi = (u_int64_t (*) (ike_header_t*))get_responder_spi;
@@ -397,7 +397,7 @@ ike_header_t *ike_header_create()
        this->public.set_exchange_type = (void (*) (ike_header_t*,u_int8_t))set_exchange_type;
        this->public.get_message_id = (u_int32_t (*) (ike_header_t*))get_message_id;
        this->public.set_message_id = (void (*) (ike_header_t*,u_int32_t))set_message_id;
-       
+
        /* set default values of the fields */
        this->initiator_spi = 0;
        this->responder_spi = 0;
@@ -410,6 +410,6 @@ ike_header_t *ike_header_create()
        this->flags.response = FALSE;
        this->message_id = 0;
        this->length = IKE_HEADER_LENGTH;
-       
+
        return (ike_header_t*)this;
 }
index 4514c23b736d3313431ec4fa4f3bb22782214392..e63e8bf06ad5789497cd5e483b95b20778e10416 100644 (file)
@@ -60,7 +60,7 @@ enum exchange_type_t{
         * EXCHANGE_TYPE_UNDEFINED. In private space, since not a official message type.
         */
        EXCHANGE_TYPE_UNDEFINED = 255,
-       
+
        /**
         * IKE_SA_INIT.
         */
@@ -106,56 +106,56 @@ struct ike_header_t {
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Get the initiator spi.
         *
         * @return                              initiator_spi
         */
        u_int64_t (*get_initiator_spi) (ike_header_t *this);
-       
+
        /**
         * Set the initiator spi.
         *
         * @param initiator_spi initiator_spi
         */
        void (*set_initiator_spi) (ike_header_t *this, u_int64_t initiator_spi);
-       
+
        /**
         * Get the responder spi.
         *
         * @return                              responder_spi
         */
        u_int64_t (*get_responder_spi) (ike_header_t *this);
-       
+
        /**
         * Set the responder spi.
         *
         * @param responder_spi responder_spi
         */
        void (*set_responder_spi) (ike_header_t *this, u_int64_t responder_spi);
-       
+
        /**
         * Get the major version.
         *
         * @return                              major version
         */
        u_int8_t (*get_maj_version) (ike_header_t *this);
-       
+
        /**
         * Get the minor version.
         *
         * @return                              minor version
         */
        u_int8_t (*get_min_version) (ike_header_t *this);
-       
+
        /**
         * Get the response flag.
         *
         * @return                              response flag
         */
        bool (*get_response_flag) (ike_header_t *this);
-       
+
        /**
         * Set the response flag-
         *
@@ -168,14 +168,14 @@ struct ike_header_t {
         * @return                              version flag
         */
        bool (*get_version_flag) (ike_header_t *this);
-       
+
        /**
         * Get the initiator flag.
         *
         * @return                              initiator flag
         */
        bool (*get_initiator_flag) (ike_header_t *this);
-       
+
        /**
         * Set the initiator flag.
         *
@@ -189,28 +189,28 @@ struct ike_header_t {
         * @return                              exchange type
         */
        u_int8_t (*get_exchange_type) (ike_header_t *this);
-       
+
        /**
         * Set the  exchange type.
         *
         * @param exchange_type exchange type
         */
        void (*set_exchange_type) (ike_header_t *this, u_int8_t exchange_type);
-       
+
        /**
         * Get the message id.
         *
         * @return                              message id
         */
        u_int32_t (*get_message_id) (ike_header_t *this);
-       
+
        /**
         * Set the message id.
         *
         * @param initiator_spi message id
         */
        void (*set_message_id) (ike_header_t *this, u_int32_t message_id);
-       
+
        /**
         * Destroys a ike_header_t object.
         */
index aa3e075cab1bfc6eedc1614978fac8bf0bb7b2a1..343a50d2c22e78710e2be74c4dfe09cdf69fb5d3 100644 (file)
@@ -25,14 +25,14 @@ typedef struct private_ke_payload_t private_ke_payload_t;
 
 /**
  * Private data of an ke_payload_t object.
- * 
+ *
  */
 struct private_ke_payload_t {
        /**
         * Public ke_payload_t interface.
         */
        ke_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -42,17 +42,17 @@ struct private_ke_payload_t {
         * Critical flag.
         */
        bool critical;
-               
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * DH Group Number.
         */
        u_int16_t dh_group_number;
-       
+
        /**
         * Key Exchange Data of this KE payload.
         */
@@ -61,30 +61,30 @@ struct private_ke_payload_t {
 
 /**
  * Encoding rules to parse or generate a IKEv2-KE Payload.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_ke_payload_t.
- * 
+ *
  */
 encoding_rule_t ke_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
        { U_INT_8,                      offsetof(private_ke_payload_t, next_payload)            },
        /* the critical bit */
-       { FLAG,                         offsetof(private_ke_payload_t, critical)                        },      
+       { FLAG,                         offsetof(private_ke_payload_t, critical)                        },
        /* 7 Bit reserved bits, nowhere stored */
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
        /* Length of the whole payload*/
-       { PAYLOAD_LENGTH,       offsetof(private_ke_payload_t, payload_length)          },      
+       { PAYLOAD_LENGTH,       offsetof(private_ke_payload_t, payload_length)          },
        /* DH Group number as 16 bit field*/
        { U_INT_16,                     offsetof(private_ke_payload_t, dh_group_number)         },
-       { RESERVED_BYTE,        0                                                                                                       }, 
-       { RESERVED_BYTE,        0                                                                                                       }, 
+       { RESERVED_BYTE,        0                                                                                                       },
+       { RESERVED_BYTE,        0                                                                                                       },
        /* Key Exchange Data is from variable size */
        { KEY_EXCHANGE_DATA,    offsetof(private_ke_payload_t, key_exchange_data)}
 };
@@ -166,7 +166,7 @@ static void compute_length(private_ke_payload_t *this)
        if (this->key_exchange_data.ptr != NULL)
        {
                length += this->key_exchange_data.len;
-       }       
+       }
        this->payload_length = length;
 }
 
@@ -199,9 +199,9 @@ static void set_key_exchange_data(private_ke_payload_t *this, chunk_t key_exchan
                free(this->key_exchange_data.ptr);
                this->key_exchange_data.ptr = NULL;
                this->key_exchange_data.len = 0;
-               
+
        }
-       
+
        this->key_exchange_data = chunk_clone(key_exchange_data);
        compute_length(this);
 }
@@ -244,7 +244,7 @@ ke_payload_t *ke_payload_create()
        this->public.get_dh_group_number = (diffie_hellman_group_t (*) (ke_payload_t *)) get_dh_group_number;
        this->public.set_dh_group_number =(void (*) (ke_payload_t *,diffie_hellman_group_t)) set_dh_group_number;
        this->public.destroy = (void (*) (ke_payload_t *)) destroy;
-       
+
        /* set default values of the fields */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
@@ -261,10 +261,10 @@ ke_payload_t *ke_payload_create()
 ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *dh)
 {
        private_ke_payload_t *this = (private_ke_payload_t*)ke_payload_create();
-       
+
        dh->get_my_public_value(dh, &this->key_exchange_data);
        this->dh_group_number = dh->get_dh_group(dh);
        compute_length(this);
-       
+
        return &this->public;
 }
index 7e182d97008896b173a570409221fa731c342050..3ca05009eba5f4f958330103d3dfed0aa6a956e5 100644 (file)
@@ -45,38 +45,38 @@ struct ke_payload_t {
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Returns the currently set key exchange data of this KE payload.
-        *      
+        *
         * @warning Returned data are not copied.
-        * 
+        *
         * @return              chunk_t pointing to the value
         */
        chunk_t (*get_key_exchange_data) (ke_payload_t *this);
-       
+
        /**
         * Sets the key exchange data of this KE payload.
-        *      
+        *
         * Value is getting copied.
-        * 
+        *
         * @param key_exchange_data chunk_t pointing to the value to set
         */
        void (*set_key_exchange_data) (ke_payload_t *this, chunk_t key_exchange_data);
 
        /**
         * Gets the Diffie-Hellman Group Number of this KE payload.
-        *      
+        *
         * @return                                      DH Group Number of this payload
         */
        diffie_hellman_group_t (*get_dh_group_number) (ke_payload_t *this);
 
        /**
         * Sets the Diffie-Hellman Group Number of this KE payload.
-        *      
+        *
         * @param dh_group_number       DH Group to set
         */
-       void (*set_dh_group_number) (ke_payload_t *this, 
+       void (*set_dh_group_number) (ke_payload_t *this,
                                                                 diffie_hellman_group_t dh_group_number);
 
        /**
@@ -87,14 +87,14 @@ struct ke_payload_t {
 
 /**
  * Creates an empty ke_payload_t object
- * 
+ *
  * @return ke_payload_t object
  */
 ke_payload_t *ke_payload_create(void);
 
 /**
  * Creates a ke_payload_t from a diffie_hellman_t
- * 
+ *
  * @param diffie_hellman       diffie hellman object containing group and key
  * @return                                     ke_payload_t object
  */
index f9e075380f249b30e2ba7d1adb1069530eb0dfed..3de889ec3a8b177e69da94597eb12aa4106d2abb 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /* offsetof macro */
 #include <stddef.h>
 
@@ -26,14 +26,14 @@ typedef struct private_nonce_payload_t private_nonce_payload_t;
 
 /**
  * Private data of an nonce_payload_t object.
- * 
+ *
  */
 struct private_nonce_payload_t {
        /**
         * Public nonce_payload_t interface.
         */
        nonce_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -43,12 +43,12 @@ struct private_nonce_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * The contained nonce value.
         */
@@ -57,26 +57,26 @@ struct private_nonce_payload_t {
 
 /**
  * Encoding rules to parse or generate a nonce payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_nonce_payload_t.
- * 
+ *
  */
 encoding_rule_t nonce_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
        { U_INT_8,                      offsetof(private_nonce_payload_t, next_payload)         },
        /* the critical bit */
-       { FLAG,                         offsetof(private_nonce_payload_t, critical)             },      
+       { FLAG,                         offsetof(private_nonce_payload_t, critical)             },
        /* 7 Bit reserved bits, nowhere stored */
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
        /* Length of the whole nonce payload*/
-       { PAYLOAD_LENGTH,       offsetof(private_nonce_payload_t, payload_length)       },      
+       { PAYLOAD_LENGTH,       offsetof(private_nonce_payload_t, payload_length)       },
        /* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */
        { NONCE_DATA,                   offsetof(private_nonce_payload_t, nonce)                }
 };
@@ -102,7 +102,7 @@ static status_t verify(private_nonce_payload_t *this)
                /* nonce length is wrong */
                return FAILED;
        }
-       
+
        return SUCCESS;
 }
 
@@ -187,8 +187,8 @@ static void destroy(private_nonce_payload_t *this)
        {
                free(this->nonce.ptr);
        }
-       
-       free(this);     
+
+       free(this);
 }
 
 /*
@@ -206,12 +206,12 @@ nonce_payload_t *nonce_payload_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.destroy = (void (*) (nonce_payload_t *)) destroy;
        this->public.set_nonce = (void (*) (nonce_payload_t *,chunk_t)) set_nonce;
        this->public.get_nonce = (chunk_t (*) (nonce_payload_t *)) get_nonce;
-       
+
        /* private variables */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
index 4adaba481762f6d39edcd4da358d7bcae5465ac9..025d7752448b856a54a602446c94fcd36c091f34 100644 (file)
@@ -39,7 +39,7 @@ typedef struct nonce_payload_t nonce_payload_t;
 
 /**
  * Object representing an IKEv2 Nonce payload.
- * 
+ *
  * The Nonce payload format is described in RFC section 3.3.
  */
 struct nonce_payload_t {
@@ -54,14 +54,14 @@ struct nonce_payload_t {
         * @param nonce                 chunk containing the nonce, will be cloned
         */
        void (*set_nonce) (nonce_payload_t *this, chunk_t nonce);
-       
+
        /**
         * Get the nonce value.
         *
         * @return                              a chunk containing the cloned nonce
         */
        chunk_t (*get_nonce) (nonce_payload_t *this);
-       
+
        /**
         * Destroys an nonce_payload_t object.
         */
@@ -70,7 +70,7 @@ struct nonce_payload_t {
 
 /**
  * Creates an empty nonce_payload_t object
- * 
+ *
  * @return nonce_payload_t object
  */
 nonce_payload_t *nonce_payload_create(void);
index d2a995ace0be20d0bedaeb276448ca95fb9ab123..838fae0cc780ccfdac2a6a7b280dc2401ebba3fd 100644 (file)
@@ -160,14 +160,14 @@ typedef struct private_notify_payload_t private_notify_payload_t;
 
 /**
  * Private data of an notify_payload_t object.
- * 
+ *
  */
 struct private_notify_payload_t {
        /**
         * Public notify_payload_t interface.
         */
        notify_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -177,27 +177,27 @@ struct private_notify_payload_t {
         * Critical flag.
         */
        bool critical;
-               
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-               
+
        /**
         * Protocol id.
         */
        u_int8_t protocol_id;
-       
+
        /**
         * Spi size.
         */
        u_int8_t spi_size;
-       
+
        /**
         * Notify message type.
         */
        u_int16_t notify_type;
-       
+
        /**
         * Security parameter index (spi).
         */
@@ -211,26 +211,26 @@ struct private_notify_payload_t {
 
 /**
  * Encoding rules to parse or generate a IKEv2-Notify Payload.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_notify_payload_t.
- * 
+ *
  */
 encoding_rule_t notify_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
        { U_INT_8,                      offsetof(private_notify_payload_t, next_payload)                },
        /* the critical bit */
-       { FLAG,                         offsetof(private_notify_payload_t, critical)                    },      
+       { FLAG,                         offsetof(private_notify_payload_t, critical)                    },
        /* 7 Bit reserved bits, nowhere stored */
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
        /* Length of the whole payload*/
-       { PAYLOAD_LENGTH,       offsetof(private_notify_payload_t, payload_length)              },      
+       { PAYLOAD_LENGTH,       offsetof(private_notify_payload_t, payload_length)              },
        /* Protocol ID as 8 bit field*/
        { U_INT_8,                      offsetof(private_notify_payload_t, protocol_id)                         },
        /* SPI Size as 8 bit field*/
@@ -279,7 +279,7 @@ static status_t verify(private_notify_payload_t *this)
                        DBG1(DBG_ENC, "Unknown protocol (%d)", this->protocol_id);
                        return FAILED;
        }
-       
+
        switch (this->notify_type)
        {
                case INVALID_KE_PAYLOAD:
@@ -567,7 +567,7 @@ notify_payload_t *notify_payload_create()
        this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data;
        this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data;
        this->public.destroy = (void (*) (notify_payload_t *)) destroy;
-       
+
        /* set default values of the fields */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
@@ -579,7 +579,7 @@ notify_payload_t *notify_payload_create()
        this->spi_size = 0;
        this->notification_data.ptr = NULL;
        this->notification_data.len = 0;
-       
+
        return &this->public;
 }
 
@@ -592,6 +592,6 @@ notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t pro
 
        notify->set_notify_type(notify,notify_type);
        notify->set_protocol_id(notify,protocol_id);
-       
+
        return notify;
 }
index a5f501dcabdf0c56997f1b5f411ce4c51ad73344..c8dbd91714078e66a3596c3ae78fc485dd5d940c 100644 (file)
@@ -63,7 +63,7 @@ enum notify_type_t {
        UNEXPECTED_NAT_DETECTED = 41,
        /* IKE-ME, private use */
        ME_CONNECT_FAILED = 8192,
-       
+
        /* notify status messages */
        INITIAL_CONTACT = 16384,
        SET_WINDOW_SIZE = 16385,
@@ -116,7 +116,7 @@ extern enum_name_t *notify_type_short_names;
 
 /**
  * Class representing an IKEv2-Notify Payload.
- * 
+ *
  * The Notify Payload format is described in Draft section 3.10.
  */
 struct notify_payload_t {
@@ -124,67 +124,67 @@ struct notify_payload_t {
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Gets the protocol id of this payload.
-        *      
+        *
         * @return                      protocol id of this payload
         */
        u_int8_t (*get_protocol_id) (notify_payload_t *this);
 
        /**
         * Sets the protocol id of this payload.
-        *      
+        *
         * @param protocol_id   protocol id to set
         */
        void (*set_protocol_id) (notify_payload_t *this, u_int8_t protocol_id);
 
        /**
         * Gets the notify message type of this payload.
-        *      
+        *
         * @return                      notify message type of this payload
         */
        notify_type_t (*get_notify_type) (notify_payload_t *this);
 
        /**
         * Sets notify message type of this payload.
-        *      
+        *
         * @param type          notify message type to set
         */
        void (*set_notify_type) (notify_payload_t *this, notify_type_t type);
 
        /**
         * Returns the currently set spi of this payload.
-        * 
+        *
         * This is only valid for notifys with protocol AH|ESP
         *
         * @return              SPI value
         */
        u_int32_t (*get_spi) (notify_payload_t *this);
-       
+
        /**
         * Sets the spi of this payload.
-        * 
+        *
         * This is only valid for notifys with protocol AH|ESP
-        * 
+        *
         * @param spi   SPI value
         */
        void (*set_spi) (notify_payload_t *this, u_int32_t spi);
 
        /**
         * Returns the currently set notification data of payload.
-        *      
+        *
         * Returned data are not copied.
-        * 
+        *
         * @return              chunk_t pointing to the value
         */
        chunk_t (*get_notification_data) (notify_payload_t *this);
-       
+
        /**
         * Sets the notification data of this payload.
-        *      
+        *
         * @warning Value is getting copied.
-        * 
+        *
         * @param notification_data     chunk_t pointing to the value to set
         */
        void (*set_notification_data) (notify_payload_t *this,
@@ -198,14 +198,14 @@ struct notify_payload_t {
 
 /**
  * Creates an empty notify_payload_t object
- * 
+ *
  * @return                     created notify_payload_t object
  */
 notify_payload_t *notify_payload_create(void);
 
 /**
  * Creates an notify_payload_t object of specific type for specific protocol id.
- * 
+ *
  * @param protocol_id                  protocol id (IKE, AH or ESP)
  * @param type                                 notify type (see notify_type_t)
  * @return                                             notify_payload_t object
index 95e702ff82ce09e89b8a1647da43c39af4349f69..2e783cb30938d3efa24dbf771fcefd66fe9ae9ba 100644 (file)
@@ -42,7 +42,7 @@ enum payload_type_t{
         * End of payload list in next_payload
         */
        NO_PAYLOAD = 0,
-       
+
        /**
         * The security association (SA) payload containing proposals.
         */
@@ -122,7 +122,7 @@ enum payload_type_t{
         * Extensible authentication payload (EAP).
         */
        EXTENSIBLE_AUTHENTICATION = 48,
-       
+
 #ifdef ME
        /**
         * Identification payload for peers has a value from
@@ -130,7 +130,7 @@ enum payload_type_t{
         */
        ID_PEER = 128,
 #endif /* ME */
-       
+
        /**
         * Header has a value of PRIVATE USE space.
         *
@@ -138,7 +138,7 @@ enum payload_type_t{
         * used internally to handle IKEv2-Header like a payload.
         */
        HEADER = 140,
-       
+
        /**
         * PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space.
         *
@@ -154,7 +154,7 @@ enum payload_type_t{
         * used internally to handle a transform substructure like a payload.
         */
        TRANSFORM_SUBSTRUCTURE = 142,
-       
+
        /**
         * TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space.
         *
@@ -170,7 +170,7 @@ enum payload_type_t{
         * used internally to handle a transform selector like a payload.
         */
        TRAFFIC_SELECTOR_SUBSTRUCTURE = 144,
-       
+
        /**
         * CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space.
         *
@@ -178,7 +178,7 @@ enum payload_type_t{
         * used internally to handle a transform attribute like a payload.
         */
        CONFIGURATION_ATTRIBUTE = 145,
-       
+
        /**
         * A unknown payload has a value of PRIVATE USE space.
         *
@@ -207,7 +207,7 @@ extern enum_name_t *payload_type_short_names;
  * handling of all payloads.
  */
 struct payload_t {
-       
+
        /**
         * Get encoding rules for this payload.
         *
@@ -229,7 +229,7 @@ struct payload_t {
         * @return                              type of next payload
         */
        payload_type_t (*get_next_type) (payload_t *this);
-       
+
        /**
         * Set type of next payload.
         *
@@ -243,14 +243,14 @@ struct payload_t {
         * @return                              length of this payload
         */
        size_t (*get_length) (payload_t *this);
-       
+
        /**
         * Verifies payload structure and makes consistence check.
         *
         * @return                              SUCCESS,  FAILED if consistence not given
         */
        status_t (*verify) (payload_t *this);
-       
+
        /**
         * Destroys a payload and all included substructures.
         */
index a8166023c1358e324e676859e05722b610abf86b..15630e7edff9a68748ff656572a9dc17db77c101 100644 (file)
@@ -35,14 +35,14 @@ typedef struct private_proposal_substructure_t private_proposal_substructure_t;
 
 /**
  * Private data of an proposal_substructure_t object.
- * 
+ *
  */
 struct private_proposal_substructure_t {
        /**
         * Public proposal_substructure_t interface.
         */
        proposal_substructure_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -52,12 +52,12 @@ struct private_proposal_substructure_t {
         * Length of this payload.
         */
        u_int16_t proposal_length;
-       
+
        /**
         * Proposal number.
         */
        u_int8_t proposal_number;
-       
+
        /**
         * Protocol ID.
         */
@@ -72,12 +72,12 @@ struct private_proposal_substructure_t {
         * Number of transforms.
         */
        u_int8_t  transforms_count;
-       
+
        /**
         * SPI is stored as chunk.
         */
        chunk_t spi;
-       
+
        /**
         * Transforms are stored in a linked_list_t.
         */
@@ -87,7 +87,7 @@ struct private_proposal_substructure_t {
 /**
  * Encoding rules to parse or generate a Proposal substructure.
  *
- * The defined offsets are the positions in a object of type 
+ * The defined offsets are the positions in a object of type
  * private_proposal_substructure_t.
  */
 encoding_rule_t proposal_substructure_encodings[] = {
@@ -107,7 +107,7 @@ encoding_rule_t proposal_substructure_encodings[] = {
        { U_INT_8,                              offsetof(private_proposal_substructure_t, transforms_count)     },
        /* SPI is a chunk of variable size*/
        { SPI,                                  offsetof(private_proposal_substructure_t, spi)                          },
-       /* Transforms are stored in a transform substructure, 
+       /* Transforms are stored in a transform substructure,
           offset points to a linked_list_t pointer */
        { TRANSFORMS,                   offsetof(private_proposal_substructure_t, transforms)           }
 };
@@ -136,7 +136,7 @@ static status_t verify(private_proposal_substructure_t *this)
        status_t status = SUCCESS;
        iterator_t *iterator;
        payload_t *current_transform;
-       
+
        if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 2))
        {
                /* must be 0 or 2 */
@@ -178,7 +178,7 @@ static status_t verify(private_proposal_substructure_t *this)
                DBG1(DBG_ENC, "invalid protocol");
                return FAILED;
        }
-       
+
        iterator = this->transforms->create_iterator(this->transforms,TRUE);
        while(iterator->iterate(iterator, (void**)&current_transform))
        {
@@ -190,8 +190,8 @@ static status_t verify(private_proposal_substructure_t *this)
                }
        }
        iterator->destroy(iterator);
-       
-       /* proposal number is checked in SA payload */  
+
+       /* proposal number is checked in SA payload */
        return status;
 }
 
@@ -236,7 +236,7 @@ static void compute_length(private_proposal_substructure_t *this)
        payload_t *current_transform;
        size_t transforms_count = 0;
        size_t length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH;
-       
+
        iterator = this->transforms->create_iterator(this->transforms,TRUE);
        while (iterator->iterate(iterator, (void**)&current_transform))
        {
@@ -244,7 +244,7 @@ static void compute_length(private_proposal_substructure_t *this)
                transforms_count++;
        }
        iterator->destroy(iterator);
-       
+
        length += this->spi.len;
        this->transforms_count = transforms_count;
        this->proposal_length = length;
@@ -282,7 +282,7 @@ static void add_transform_substructure (private_proposal_substructure_t *this,tr
 
        }
        transform->set_is_last_transform(transform,TRUE);
-       
+
        this->transforms->insert_last(this->transforms,(void *) transform);
        compute_length(this);
 }
@@ -340,7 +340,7 @@ static void set_spi(private_proposal_substructure_t *this, chunk_t spi)
                this->spi.len = 0;
                compute_length(this);
        }
-       
+
        this->spi.ptr = clalloc(spi.ptr,spi.len);
        this->spi.len = spi.len;
        this->spi_size = spi.len;
@@ -355,7 +355,7 @@ static chunk_t get_spi(private_proposal_substructure_t *this)
        chunk_t spi;
        spi.ptr = this->spi.ptr;
        spi.len = this->spi.len;
-       
+
        return spi;
 }
 
@@ -384,24 +384,24 @@ proposal_t* get_proposal(private_proposal_substructure_t *this)
        transform_substructure_t *transform;
        proposal_t *proposal;
        u_int64_t spi;
-       
+
        proposal = proposal_create(this->protocol_id);
-       
+
        iterator = this->transforms->create_iterator(this->transforms, TRUE);
        while (iterator->iterate(iterator, (void**)&transform))
        {
                transform_type_t transform_type;
                u_int16_t transform_id;
                u_int16_t key_length = 0;
-               
+
                transform_type = transform->get_transform_type(transform);
                transform_id = transform->get_transform_id(transform);
                transform->get_key_length(transform, &key_length);
-               
+
                proposal->add_algorithm(proposal, transform_type, transform_id, key_length);
        }
        iterator->destroy(iterator);
-       
+
        switch (this->spi.len)
        {
                case 4:
@@ -414,7 +414,7 @@ proposal_t* get_proposal(private_proposal_substructure_t *this)
                        spi = 0;
        }
        proposal->set_spi(proposal, spi);
-       
+
        return proposal;
 }
 
@@ -426,7 +426,7 @@ static private_proposal_substructure_t* clone_(private_proposal_substructure_t *
        private_proposal_substructure_t *clone;
        iterator_t *transforms;
        transform_substructure_t *current_transform;
-       
+
        clone = (private_proposal_substructure_t *) proposal_substructure_create();
        clone->next_payload = this->next_payload;
        clone->proposal_number = this->proposal_number;
@@ -444,8 +444,8 @@ static private_proposal_substructure_t* clone_(private_proposal_substructure_t *
                current_transform = current_transform->clone(current_transform);
                clone->public.add_transform_substructure(&clone->public, current_transform);
        }
-       transforms->destroy(transforms);        
-       
+       transforms->destroy(transforms);
+
        return clone;
 }
 
@@ -468,16 +468,16 @@ proposal_substructure_t *proposal_substructure_create()
 {
        private_proposal_substructure_t *this = malloc_thing(private_proposal_substructure_t);
 
-       /* interface functions */       
+       /* interface functions */
        this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
        this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
        this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
        this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-       this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;   
+       this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
-       
+
+
        /* public functions */
        this->public.create_transform_substructure_iterator = (iterator_t* (*) (proposal_substructure_t *,bool)) create_transform_substructure_iterator;
        this->public.add_transform_substructure = (void (*) (proposal_substructure_t *,transform_substructure_t *)) add_transform_substructure;
@@ -490,10 +490,10 @@ proposal_substructure_t *proposal_substructure_create()
        this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
        this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
        this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count;
-       this->public.get_spi_size = (size_t (*) (proposal_substructure_t *)) get_spi_size;      
+       this->public.get_spi_size = (size_t (*) (proposal_substructure_t *)) get_spi_size;
        this->public.clone = (proposal_substructure_t * (*) (proposal_substructure_t *)) clone_;
        this->public.destroy = (void (*) (proposal_substructure_t *)) destroy;
-       
+
        /* set default values of the fields */
        this->next_payload = NO_PAYLOAD;
        this->proposal_length = 0;
@@ -503,9 +503,9 @@ proposal_substructure_t *proposal_substructure_create()
        this->spi_size = 0;
        this->spi.ptr = NULL;
        this->spi.len = 0;
-       
+
        this->transforms = linked_list_create();
-       
+
        return (&(this->public));
 }
 
@@ -518,9 +518,9 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
        private_proposal_substructure_t *this;
        u_int16_t alg, key_size;
        enumerator_t *enumerator;
-       
+
        this = (private_proposal_substructure_t*)proposal_substructure_create();
-       
+
        /* encryption algorithm is only availble in ESP */
        enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
        while (enumerator->enumerate(enumerator, &alg, &key_size))
@@ -530,7 +530,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
                add_transform_substructure(this, transform);
        }
        enumerator->destroy(enumerator);
-       
+
        /* integrity algorithms */
        enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
        while (enumerator->enumerate(enumerator, &alg, &key_size))
@@ -540,7 +540,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
                add_transform_substructure(this, transform);
        }
        enumerator->destroy(enumerator);
-       
+
        /* prf algorithms */
        enumerator = proposal->create_enumerator(proposal, PSEUDO_RANDOM_FUNCTION);
        while (enumerator->enumerate(enumerator, &alg, &key_size))
@@ -550,17 +550,17 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
                add_transform_substructure(this, transform);
        }
        enumerator->destroy(enumerator);
-       
+
        /* dh groups */
        enumerator = proposal->create_enumerator(proposal, DIFFIE_HELLMAN_GROUP);
        while (enumerator->enumerate(enumerator, &alg, NULL))
        {
-               transform = transform_substructure_create_type(DIFFIE_HELLMAN_GROUP, 
+               transform = transform_substructure_create_type(DIFFIE_HELLMAN_GROUP,
                                                                                                           alg, 0);
                add_transform_substructure(this, transform);
        }
        enumerator->destroy(enumerator);
-       
+
        /* extended sequence numbers */
        enumerator = proposal->create_enumerator(proposal, EXTENDED_SEQUENCE_NUMBERS);
        while (enumerator->enumerate(enumerator, &alg, NULL))
@@ -570,7 +570,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
                add_transform_substructure(this, transform);
        }
        enumerator->destroy(enumerator);
-       
+
        /* add SPI, if necessary */
        switch (proposal->get_protocol(proposal))
        {
@@ -593,6 +593,6 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
        }
        this->proposal_number = 0;
        this->protocol_id = proposal->get_protocol(proposal);
-       
+
        return &this->public;
 }
index 8ccb917d6bf1e2f057ff4825d20280df6dad0b06..4934802af213c96609ad39ba5f1da4aa530c7701 100644 (file)
@@ -38,7 +38,7 @@ typedef struct proposal_substructure_t proposal_substructure_t;
 
 /**
  * Class representing an IKEv2-PROPOSAL SUBSTRUCTURE.
- * 
+ *
  * The PROPOSAL SUBSTRUCTURE format is described in RFC section 3.3.1.
  */
 struct proposal_substructure_t {
@@ -55,7 +55,7 @@ struct proposal_substructure_t {
         */
        iterator_t *(*create_transform_substructure_iterator) (
                                                                proposal_substructure_t *this, bool forward);
-       
+
        /**
         * Adds a transform_substructure_t object to this object.
         *
@@ -63,7 +63,7 @@ struct proposal_substructure_t {
         */
        void (*add_transform_substructure) (proposal_substructure_t *this,
                                                                                transform_substructure_t *transform);
-       
+
        /**
         * Sets the proposal number of current proposal.
         *
@@ -71,24 +71,24 @@ struct proposal_substructure_t {
         */
        void (*set_proposal_number) (proposal_substructure_t *this,
                                                                 u_int8_t proposal_number);
-       
+
        /**
         * get proposal number of current proposal.
-        * 
+        *
         * @return                      proposal number of current proposal substructure.
         */
        u_int8_t (*get_proposal_number) (proposal_substructure_t *this);
 
        /**
         * get the number of transforms in current proposal.
-        * 
+        *
         * @return                      transform count in current proposal
         */
        size_t (*get_transform_count) (proposal_substructure_t *this);
 
        /**
         * get size of the set spi in bytes.
-        * 
+        *
         * @return                      size of the spi in bytes
         */
        size_t (*get_spi_size) (proposal_substructure_t *this);
@@ -100,43 +100,43 @@ struct proposal_substructure_t {
         */
        void (*set_protocol_id) (proposal_substructure_t *this,
                                                         u_int8_t protocol_id);
-       
+
        /**
         * get protocol id of current proposal.
-        * 
+        *
         * @return                      protocol id of current proposal substructure.
         */
        u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
-       
+
        /**
         * Sets the next_payload field of this substructure
-        * 
+        *
         * If this is the last proposal, next payload field is set to 0,
         * otherwise to 2
         *
         * @param is_last       When TRUE, next payload field is set to 0, otherwise to 2
         */
        void (*set_is_last_proposal) (proposal_substructure_t *this, bool is_last);
-       
+
        /**
         * Returns the currently set SPI of this proposal.
         *
         * @return                      chunk_t pointing to the value
         */
        chunk_t (*get_spi) (proposal_substructure_t *this);
-       
+
        /**
         * Sets the SPI of the current proposal.
-        *      
+        *
         * @warning SPI is getting copied
-        * 
+        *
         * @param spi           chunk_t pointing to the value to set
         */
        void (*set_spi) (proposal_substructure_t *this, chunk_t spi);
-       
+
        /**
         * Get a proposal_t from the propsal_substructure_t.
-        * 
+        *
         * @return                      proposal_t
         */
        proposal_t * (*get_proposal) (proposal_substructure_t *this);
@@ -156,7 +156,7 @@ struct proposal_substructure_t {
 
 /**
  * Creates an empty proposal_substructure_t object
- * 
+ *
  * @return proposal_substructure_t object
  */
 proposal_substructure_t *proposal_substructure_create(void);
index 3ca2f08c8ccdc2fda21db4c02dbe3b3ab3bc49af..6a9aac64511e388a530d3fc5f6df1a138eb61398 100644 (file)
@@ -27,14 +27,14 @@ typedef struct private_sa_payload_t private_sa_payload_t;
 
 /**
  * Private data of an sa_payload_t object.
- * 
+ *
  */
 struct private_sa_payload_t {
        /**
         * Public sa_payload_t interface.
         */
        sa_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -44,12 +44,12 @@ struct private_sa_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * Proposals in this payload are stored in a linked_list_t.
         */
@@ -58,27 +58,27 @@ struct private_sa_payload_t {
 
 /**
  * Encoding rules to parse or generate a IKEv2-SA Payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_sa_payload_t.
- * 
+ *
  */
 encoding_rule_t sa_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
        { U_INT_8,              offsetof(private_sa_payload_t, next_payload)                    },
        /* the critical bit */
-       { FLAG,                 offsetof(private_sa_payload_t, critical)                                },      
+       { FLAG,                 offsetof(private_sa_payload_t, critical)                                },
        /* 7 Bit reserved bits, nowhere stored */
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
-       { RESERVED_BIT, 0                                                                                                               }, 
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
+       { RESERVED_BIT, 0                                                                                                               },
        /* Length of the whole SA payload*/
-       { PAYLOAD_LENGTH,               offsetof(private_sa_payload_t, payload_length)  },      
-       /* Proposals are stored in a proposal substructure, 
+       { PAYLOAD_LENGTH,               offsetof(private_sa_payload_t, payload_length)  },
+       /* Proposals are stored in a proposal substructure,
           offset points to a linked_list_t pointer */
        { PROPOSALS,            offsetof(private_sa_payload_t, proposals)                               }
 };
@@ -108,12 +108,12 @@ static status_t verify(private_sa_payload_t *this)
 
        /* check proposal numbering */
        iterator = this->proposals->create_iterator(this->proposals,TRUE);
-       
+
        while(iterator->iterate(iterator, (void**)&current_proposal))
        {
                current_number = current_proposal->get_proposal_number(current_proposal);
                if (current_number < expected_number)
-               {                       
+               {
                        if (current_number != (expected_number + 1))
                        {
                                DBG1(DBG_ENC, "proposal number is %d, expected %d or %d",
@@ -129,7 +129,7 @@ static status_t verify(private_sa_payload_t *this)
                        status = FAILED;
                        break;
                }
-               
+
                status = current_proposal->payload_interface.verify(&(current_proposal->payload_interface));
                if (status != SUCCESS)
                {
@@ -139,7 +139,7 @@ static status_t verify(private_sa_payload_t *this)
                first = FALSE;
                expected_number = current_number;
        }
-       
+
        iterator->destroy(iterator);
        return status;
 }
@@ -197,14 +197,14 @@ static void compute_length (private_sa_payload_t *this)
        iterator_t *iterator;
        payload_t *current_proposal;
        size_t length = SA_PAYLOAD_HEADER_LENGTH;
-       
+
        iterator = this->proposals->create_iterator(this->proposals,TRUE);
        while (iterator->iterate(iterator, (void **)&current_proposal))
        {
                length += current_proposal->get_length(current_proposal);
        }
        iterator->destroy(iterator);
-       
+
        this->payload_length = length;
 }
 
@@ -232,7 +232,7 @@ static void add_proposal_substructure(private_sa_payload_t *this,proposal_substr
 {
        status_t status;
        u_int proposal_count = this->proposals->get_count(this->proposals);
-       
+
        if (proposal_count > 0)
        {
                proposal_substructure_t *last_proposal;
@@ -252,7 +252,7 @@ static void add_proposal_substructure(private_sa_payload_t *this,proposal_substr
 static void add_proposal(private_sa_payload_t *this, proposal_t *proposal)
 {
        proposal_substructure_t *substructure;
-       
+
        substructure = proposal_substructure_create_from_proposal(proposal);
        add_proposal_substructure(this, substructure);
 }
@@ -267,10 +267,10 @@ static linked_list_t *get_proposals(private_sa_payload_t *this)
        iterator_t *iterator;
        proposal_substructure_t *proposal_struct;
        linked_list_t *proposal_list;
-       
+
        /* this list will hold our proposals */
        proposal_list = linked_list_create();
-       
+
        /* we do not support proposals split up to two proposal substructures, as
         * AH+ESP bundles are not supported in RFC4301 anymore.
         * To handle such structures safely, we just skip proposals with multiple
@@ -280,7 +280,7 @@ static linked_list_t *get_proposals(private_sa_payload_t *this)
        while (iterator->iterate(iterator, (void **)&proposal_struct))
        {
                proposal_t *proposal;
-               
+
                /* check if a proposal has a single protocol */
                if (proposal_struct->get_proposal_number(proposal_struct) == struct_number)
                {
@@ -310,7 +310,7 @@ static linked_list_t *get_proposals(private_sa_payload_t *this)
 sa_payload_t *sa_payload_create()
 {
        private_sa_payload_t *this = malloc_thing(private_sa_payload_t);
-       
+
        /* public interface */
        this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
        this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
@@ -319,14 +319,14 @@ sa_payload_t *sa_payload_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.create_proposal_substructure_iterator = (iterator_t* (*) (sa_payload_t *,bool)) create_proposal_substructure_iterator;
        this->public.add_proposal_substructure = (void (*) (sa_payload_t *,proposal_substructure_t *)) add_proposal_substructure;
        this->public.add_proposal = (void (*) (sa_payload_t*,proposal_t*))add_proposal;
        this->public.get_proposals = (linked_list_t* (*) (sa_payload_t *)) get_proposals;
        this->public.destroy = (void (*) (sa_payload_t *)) destroy;
-       
+
        /* set default values of the fields */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
@@ -343,7 +343,7 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
        iterator_t *iterator;
        proposal_t *proposal;
        sa_payload_t *sa_payload = sa_payload_create();
-       
+
        /* add every payload from the list */
        iterator = proposals->create_iterator(proposals, TRUE);
        while (iterator->iterate(iterator, (void**)&proposal))
@@ -351,7 +351,7 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
                add_proposal((private_sa_payload_t*)sa_payload, proposal);
        }
        iterator->destroy(iterator);
-       
+
        return sa_payload;
 }
 
@@ -361,8 +361,8 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
 sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal)
 {
        sa_payload_t *sa_payload = sa_payload_create();
-       
+
        add_proposal((private_sa_payload_t*)sa_payload, proposal);
-       
+
        return sa_payload;
 }
index 58ae725446e59212a790360d4498cb92ec2a33bb..25f5a24075e4506e3ad4882b99355b4e554a1aac 100644 (file)
@@ -44,12 +44,12 @@ struct sa_payload_t {
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Creates an iterator of stored proposal_substructure_t objects.
-        * 
-        * When deleting an proposal using this iterator, 
-        * the length of this transform substructure has to be refreshed 
+        *
+        * When deleting an proposal using this iterator,
+        * the length of this transform substructure has to be refreshed
         * by calling get_length()!
         *
         * @param forward               iterator direction (TRUE: front to end)
@@ -57,7 +57,7 @@ struct sa_payload_t {
         */
        iterator_t *(*create_proposal_substructure_iterator) (sa_payload_t *this,
                                                                                                                  bool forward);
-       
+
        /**
         * Adds a proposal_substructure_t object to this object.
         *
@@ -68,18 +68,18 @@ struct sa_payload_t {
 
        /**
         * Gets the proposals in this payload as a list.
-        * 
+        *
         * @return                                      a list containing proposal_t s
         */
        linked_list_t *(*get_proposals) (sa_payload_t *this);
-       
+
        /**
         * Add a child proposal (AH/ESP) to the payload.
-        * 
+        *
         * @param proposal                      child proposal to add to the payload
         */
        void (*add_proposal) (sa_payload_t *this, proposal_t *proposal);
-       
+
        /**
         * Destroys an sa_payload_t object.
         */
@@ -88,14 +88,14 @@ struct sa_payload_t {
 
 /**
  * Creates an empty sa_payload_t object
- * 
+ *
  * @return                                     created sa_payload_t object
  */
 sa_payload_t *sa_payload_create(void);
 
 /**
  * Creates a sa_payload_t object from a list of proposals.
- * 
+ *
  * @param proposals                    list of proposals to build the payload from
  * @return                                     sa_payload_t object
  */
@@ -103,10 +103,10 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals);
 
 /**
  * Creates a sa_payload_t object from a single proposal.
- * 
+ *
  * This is only for convenience. Use sa_payload_create_from_proposal_list
  * if you want to add more than one proposal.
- * 
+ *
  * @param proposal                     proposal from which the payload should be built.
  * @return                                     sa_payload_t object
  */
index 7dcdce6aa306543d536628241273ac42c4967a45..a034adee276c0ea9aa9c1f0f2f6bba73fa422e91 100644 (file)
@@ -24,19 +24,19 @@ typedef struct private_traffic_selector_substructure_t private_traffic_selector_
 
 /**
  * Private data of an traffic_selector_substructure_t object.
- * 
+ *
  */
 struct private_traffic_selector_substructure_t {
        /**
         * Public traffic_selector_substructure_t interface.
         */
        traffic_selector_substructure_t public;
-       
+
        /**
         * Type of traffic selector.
         */
        u_int8_t ts_type;
-       
+
        /**
         * IP Protocol ID.
         */
@@ -46,7 +46,7 @@ struct private_traffic_selector_substructure_t {
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * Start port number.
         */
@@ -56,7 +56,7 @@ struct private_traffic_selector_substructure_t {
         * End port number.
         */
        u_int16_t end_port;
-       
+
        /**
         * Starting address.
         */
@@ -70,17 +70,17 @@ struct private_traffic_selector_substructure_t {
 
 /**
  * Encoding rules to parse or generate a TS payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_traffic_selector_substructure_t.
- * 
+ *
  */
 encoding_rule_t traffic_selector_substructure_encodings[] = {
        /* 1 Byte next ts type*/
        { TS_TYPE,                      offsetof(private_traffic_selector_substructure_t, ts_type)                      },
        /* 1 Byte IP protocol id*/
        { U_INT_8,                      offsetof(private_traffic_selector_substructure_t, ip_protocol_id)       },
-       /* Length of the whole payload*/        
+       /* Length of the whole payload*/
        { PAYLOAD_LENGTH,       offsetof(private_traffic_selector_substructure_t, payload_length)               },
        /* 2 Byte start port*/
        { U_INT_16,             offsetof(private_traffic_selector_substructure_t, start_port)                   },
@@ -124,7 +124,7 @@ static status_t verify(private_traffic_selector_substructure_t *this)
        {
                case TS_IPV4_ADDR_RANGE:
                {
-                       if ((this->starting_address.len != 4) || 
+                       if ((this->starting_address.len != 4) ||
                                (this->ending_address.len != 4))
                        {
                                /* ipv4 address must be 4 bytes long */
@@ -148,7 +148,7 @@ static status_t verify(private_traffic_selector_substructure_t *this)
                        return FAILED;
                }
        }
-       
+
        return SUCCESS;
 }
 
@@ -182,7 +182,7 @@ static payload_type_t get_next_type(private_traffic_selector_substructure_t *thi
  */
 static void set_next_type(private_traffic_selector_substructure_t *this,payload_type_t type)
 {
-       
+
 }
 
 /**
@@ -199,8 +199,8 @@ static size_t get_length(private_traffic_selector_substructure_t *this)
 static traffic_selector_t *get_traffic_selector(private_traffic_selector_substructure_t *this)
 {
        traffic_selector_t *ts;
-       ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type, 
-                                                                                       this->starting_address, this->start_port, 
+       ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type,
+                                                                                       this->starting_address, this->start_port,
                                                                                        this->ending_address, this->end_port);
        return ts;
 }
@@ -221,7 +221,7 @@ static void destroy(private_traffic_selector_substructure_t *this)
 {
        free(this->starting_address.ptr);
        free(this->ending_address.ptr);
-       free(this);     
+       free(this);
 }
 
 /*
@@ -239,11 +239,11 @@ traffic_selector_substructure_t *traffic_selector_substructure_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.get_traffic_selector = (traffic_selector_t* (*)(traffic_selector_substructure_t*))get_traffic_selector;
        this->public.destroy = (void (*) (traffic_selector_substructure_t *)) destroy;
-       
+
        /* private variables */
        this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH;
        this->start_port = 0;
@@ -269,8 +269,8 @@ traffic_selector_substructure_t *traffic_selector_substructure_create_from_traff
        this->end_port = traffic_selector->get_to_port(traffic_selector);
        this->starting_address = chunk_clone(traffic_selector->get_from_address(traffic_selector));
        this->ending_address = chunk_clone(traffic_selector->get_to_address(traffic_selector));
-       
+
        compute_length(this);
-       
+
        return &(this->public);
 }
index ee3e204a05b3570c84b1a9bc9bdea7ba4404260e..da4c9a4b2d0bf14ca015a530689316924835b9f2 100644 (file)
@@ -36,7 +36,7 @@ typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
 
 /**
  * Class representing an IKEv2 TRAFFIC SELECTOR.
- * 
+ *
  * The TRAFFIC SELECTOR format is described in RFC section 3.13.1.
  */
 struct traffic_selector_substructure_t {
@@ -44,49 +44,49 @@ struct traffic_selector_substructure_t {
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Get the type of Traffic selector.
         *
         * @return                      type of traffic selector
-        *  
+        *
         */
        ts_type_t (*get_ts_type) (traffic_selector_substructure_t *this);
-       
+
        /**
         * Set the type of Traffic selector.
         *
-        * @param ts_type       type of traffic selector        
+        * @param ts_type       type of traffic selector
         */
        void (*set_ts_type) (traffic_selector_substructure_t *this,
                                                 ts_type_t ts_type);
-       
+
        /**
         * Get the IP protocol ID of Traffic selector.
         *
         * @return                      type of traffic selector
-        *  
+        *
         */
        u_int8_t (*get_protocol_id) (traffic_selector_substructure_t *this);
-       
+
        /**
         * Set the IP protocol ID of Traffic selector
         *
-        * @param protocol_id   protocol ID of traffic selector 
+        * @param protocol_id   protocol ID of traffic selector
         */
        void (*set_protocol_id) (traffic_selector_substructure_t *this,
                                                          u_int8_t protocol_id);
-       
+
        /**
         * Get the start port and address as host_t object.
         *
         * Returned host_t object has to get destroyed by the caller.
-        * 
+        *
         * @return                      start host as host_t object
-        *  
+        *
         */
        host_t *(*get_start_host) (traffic_selector_substructure_t *this);
-       
+
        /**
         * Set the start port and address as host_t object.
         *
@@ -94,17 +94,17 @@ struct traffic_selector_substructure_t {
         */
        void (*set_start_host) (traffic_selector_substructure_t *this,
                                                        host_t *start_host);
-       
+
        /**
         * Get the end port and address as host_t object.
         *
         * Returned host_t object has to get destroyed by the caller.
-        * 
+        *
         * @return                      end host as host_t object
-        *  
+        *
         */
        host_t *(*get_end_host) (traffic_selector_substructure_t *this);
-       
+
        /**
         * Set the end port and address as host_t object.
         *
@@ -112,17 +112,17 @@ struct traffic_selector_substructure_t {
         */
        void (*set_end_host) (traffic_selector_substructure_t *this,
                                                  host_t *end_host);
-       
+
        /**
         * Get a traffic_selector_t from this substructure.
         *
         * @warning traffic_selector_t must be destroyed after usage.
-        * 
+        *
         * @return                      contained traffic_selector_t
         */
        traffic_selector_t *(*get_traffic_selector) (
                                                                                traffic_selector_substructure_t *this);
-       
+
        /**
         * Destroys an traffic_selector_substructure_t object.
         */
@@ -133,7 +133,7 @@ struct traffic_selector_substructure_t {
  * Creates an empty traffic_selector_substructure_t object.
  *
  * TS type is set to default TS_IPV4_ADDR_RANGE!
- *  
+ *
  * @return                                     traffic_selector_substructure_t object
  */
 traffic_selector_substructure_t *traffic_selector_substructure_create(void);
@@ -141,7 +141,7 @@ traffic_selector_substructure_t *traffic_selector_substructure_create(void);
 /**
  * Creates an initialized traffif selector substructure using
  * the values from a traffic_selector_t.
- * 
+ *
  * @param traffic_selector     traffic_selector_t to use for initialization
  * @return                                     traffic_selector_substructure_t object
  */
index 507d04a34c0fd1aa8c9f7e5661dc4b2c33724145..8bf2ddef44449839f4f2c81798ef811679b886f0 100644 (file)
@@ -26,32 +26,32 @@ typedef struct private_transform_attribute_t private_transform_attribute_t;
 
 /**
  * Private data of an transform_attribute_t object.
- * 
+ *
  */
 struct private_transform_attribute_t {
        /**
         * Public transform_attribute_t interface.
         */
        transform_attribute_t public;
-       
+
        /**
         * Attribute Format Flag.
-        * 
+        *
         * - TRUE means value is stored in attribute_length_or_value
         * - FALSE means value is stored in attribute_value
         */
        bool attribute_format;
-       
+
        /**
         * Type of the attribute.
         */
        u_int16_t attribute_type;
-       
+
        /**
         * Attribute Length if attribute_format is 0, attribute Value otherwise.
         */
        u_int16_t attribute_length_or_value;
-       
+
        /**
         * Attribute value as chunk if attribute_format is 0 (FALSE).
         */
@@ -67,16 +67,16 @@ ENUM_END(transform_attribute_type_name, KEY_LENGTH);
 
 /**
  * Encoding rules to parse or generate a Transform attribute.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_transform_attribute_t.
- * 
+ *
  */
 encoding_rule_t transform_attribute_encodings[] = {
        /* Flag defining the format of this payload */
        { ATTRIBUTE_FORMAT,                     offsetof(private_transform_attribute_t, attribute_format)                       },
        /* type of the attribute as 15 bit unsigned integer */
-       { ATTRIBUTE_TYPE,                       offsetof(private_transform_attribute_t, attribute_type)                         },      
+       { ATTRIBUTE_TYPE,                       offsetof(private_transform_attribute_t, attribute_type)                         },
        /* Length or value, depending on the attribute format flag */
        { ATTRIBUTE_LENGTH_OR_VALUE,    offsetof(private_transform_attribute_t, attribute_length_or_value)      },
        /* Value of attribute if attribute format flag is zero */
@@ -104,7 +104,7 @@ static status_t verify(private_transform_attribute_t *this)
        {
                return FAILED;
        }
-       
+
        return SUCCESS;
 }
 
@@ -164,16 +164,16 @@ static void set_value_chunk(private_transform_attribute_t *this, chunk_t value)
                free(this->attribute_value.ptr);
                this->attribute_value.ptr = NULL;
                this->attribute_value.len = 0;
-               
+
        }
-       
+
        if (value.len > 2)
        {
                this->attribute_value.ptr = clalloc(value.ptr,value.len);
                this->attribute_value.len = value.len;
                this->attribute_length_or_value = value.len;
                /* attribute has not a fixed length */
-               this->attribute_format = FALSE;         
+               this->attribute_format = FALSE;
        }
        else
        {
@@ -192,7 +192,7 @@ static void set_value(private_transform_attribute_t *this, u_int16_t value)
                free(this->attribute_value.ptr);
                this->attribute_value.ptr = NULL;
                this->attribute_value.len = 0;
-               
+
        }
        this->attribute_length_or_value = value;
 }
@@ -207,14 +207,14 @@ static chunk_t get_value_chunk (private_transform_attribute_t *this)
        if (this->attribute_format == FALSE)
        {
                value.ptr = this->attribute_value.ptr;
-               value.len = this->attribute_value.len;          
+               value.len = this->attribute_value.len;
        }
        else
        {
                value.ptr = (void *) &(this->attribute_length_or_value);
                value.len = 2;
        }
-       
+
        return value;
 }
 
@@ -249,19 +249,19 @@ static u_int16_t get_attribute_type (private_transform_attribute_t *this)
 static transform_attribute_t * _clone(private_transform_attribute_t *this)
 {
        private_transform_attribute_t *new_clone;
-       
+
        new_clone = (private_transform_attribute_t *) transform_attribute_create();
-       
+
        new_clone->attribute_format = this->attribute_format;
        new_clone->attribute_type = this->attribute_type;
        new_clone->attribute_length_or_value = this->attribute_length_or_value;
-       
+
        if (!new_clone->attribute_format)
        {
-               new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len);          
+               new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len);
                new_clone->attribute_value.len = this->attribute_value.len;
        }
-       
+
        return (transform_attribute_t *) new_clone;
 }
 
@@ -273,7 +273,7 @@ static void destroy(private_transform_attribute_t *this)
        if (this->attribute_value.ptr != NULL)
        {
                free(this->attribute_value.ptr);
-       }       
+       }
        free(this);
 }
 
@@ -292,7 +292,7 @@ transform_attribute_t *transform_attribute_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.set_value_chunk = (void (*) (transform_attribute_t *,chunk_t)) set_value_chunk;
        this->public.set_value = (void (*) (transform_attribute_t *,u_int16_t)) set_value;
@@ -302,7 +302,7 @@ transform_attribute_t *transform_attribute_create()
        this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type;
        this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) _clone;
        this->public.destroy = (void (*) (transform_attribute_t *)) destroy;
-       
+
        /* set default values of the fields */
        this->attribute_format = TRUE;
        this->attribute_type = 0;
index f7d71a9df2c13534b7ad6cec27fe0867e46b87dd..a5fe0154bc897525f24116ddc1e264a0b4c6a7e1 100644 (file)
@@ -37,14 +37,14 @@ enum transform_attribute_type_t {
        KEY_LENGTH = 14
 };
 
-/** 
+/**
  * enum name for transform_attribute_type_t.
  */
 extern enum_name_t *transform_attribute_type_names;
 
 /**
  * Class representing an IKEv2- TRANSFORM Attribute.
- * 
+ *
  * The TRANSFORM ATTRIBUTE format is described in RFC section 3.3.5.
  */
 struct transform_attribute_t {
@@ -55,52 +55,52 @@ struct transform_attribute_t {
 
        /**
         * Returns the currently set value of the attribute.
-        *      
+        *
         * Returned data are not copied.
-        * 
+        *
         * @return              chunk_t pointing to the value
         */
        chunk_t (*get_value_chunk) (transform_attribute_t *this);
-       
+
        /**
         * Returns the currently set value of the attribute.
-        *      
+        *
         * Returned data are not copied.
-        * 
+        *
         * @return              value
         */
        u_int16_t (*get_value) (transform_attribute_t *this);
-       
+
        /**
         * Sets the value of the attribute.
-        *      
+        *
         * Value is getting copied.
-        * 
+        *
         * @param value chunk_t pointing to the value to set
         */
        void (*set_value_chunk) (transform_attribute_t *this, chunk_t value);
 
        /**
         * Sets the value of the attribute.
-        * 
+        *
         * @param value value to set
         */
        void (*set_value) (transform_attribute_t *this, u_int16_t value);
 
        /**
         * Sets the type of the attribute.
-        *      
+        *
         * @param type  type to set (most significant bit is set to zero)
         */
        void (*set_attribute_type) (transform_attribute_t *this, u_int16_t type);
-       
+
        /**
         * get the type of the attribute.
-        *      
+        *
         * @return              type of the value
         */
        u_int16_t (*get_attribute_type) (transform_attribute_t *this);
-       
+
        /**
         * Clones an transform_attribute_t object.
         *
@@ -116,14 +116,14 @@ struct transform_attribute_t {
 
 /**
  * Creates an empty transform_attribute_t object.
- * 
+ *
  * @return                             transform_attribute_t object
  */
 transform_attribute_t *transform_attribute_create(void);
 
 /**
  * Creates an transform_attribute_t of type KEY_LENGTH.
- * 
+ *
  * @param key_length   key length in bytes
  * @return                             transform_attribute_t object
  */
index 497bd53b2013eeb89280f0902f4f4d99275b4db4..16156b7c634ce04521be94a0c5fea57670f30e38 100644 (file)
@@ -29,36 +29,36 @@ typedef struct private_transform_substructure_t private_transform_substructure_t
 
 /**
  * Private data of an transform_substructure_t object.
- * 
+ *
  */
 struct private_transform_substructure_t {
        /**
         * Public transform_substructure_t interface.
         */
        transform_substructure_t public;
-       
+
        /**
         * Next payload type.
         */
        u_int8_t  next_payload;
 
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t transform_length;
-       
-       
+
+
        /**
         * Type of the transform.
         */
        u_int8_t transform_type;
-       
+
        /**
         * Transform ID.
         */
        u_int16_t transform_id;
-       
+
        /**
         * Transforms Attributes are stored in a linked_list_t.
         */
@@ -68,25 +68,25 @@ struct private_transform_substructure_t {
 
 /**
  * Encoding rules to parse or generate a Transform substructure.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_transform_substructure_t.
- * 
+ *
  */
 encoding_rule_t transform_substructure_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
        { U_INT_8,                      offsetof(private_transform_substructure_t, next_payload)                },
        /* Reserved Byte is skipped */
-       { RESERVED_BYTE,                0                                                                                                                               },      
+       { RESERVED_BYTE,                0                                                                                                                               },
        /* Length of the whole transform substructure*/
-       { PAYLOAD_LENGTH,               offsetof(private_transform_substructure_t, transform_length)    },      
+       { PAYLOAD_LENGTH,               offsetof(private_transform_substructure_t, transform_length)    },
        /* transform type is a number of 8 bit */
-       { U_INT_8,                              offsetof(private_transform_substructure_t, transform_type)      },      
+       { U_INT_8,                              offsetof(private_transform_substructure_t, transform_type)      },
        /* Reserved Byte is skipped */
-       { RESERVED_BYTE,                0                                                                                                                               },      
+       { RESERVED_BYTE,                0                                                                                                                               },
        /* tranform ID is a number of 8 bit */
-       { U_INT_16,                             offsetof(private_transform_substructure_t, transform_id)                },      
-       /* Attributes are stored in a transform attribute, 
+       { U_INT_16,                             offsetof(private_transform_substructure_t, transform_id)                },
+       /* Attributes are stored in a transform attribute,
           offset points to a linked_list_t pointer */
        { TRANSFORM_ATTRIBUTES, offsetof(private_transform_substructure_t, attributes)          }
 };
@@ -114,7 +114,7 @@ static status_t verify(private_transform_substructure_t *this)
        status_t status = SUCCESS;
        iterator_t *iterator;
        payload_t *current_attributes;
-       
+
        if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3))
        {
                /* must be 0 or 3 */
@@ -139,7 +139,7 @@ static status_t verify(private_transform_substructure_t *this)
                }
        }
        iterator = this->attributes->create_iterator(this->attributes,TRUE);
-       
+
        while(iterator->iterate(iterator, (void**)&current_attributes))
        {
                status = current_attributes->verify(current_attributes);
@@ -149,8 +149,8 @@ static status_t verify(private_transform_substructure_t *this)
                }
        }
        iterator->destroy(iterator);
-       
-       /* proposal number is checked in SA payload */  
+
+       /* proposal number is checked in SA payload */
        return status;
 }
 
@@ -187,14 +187,14 @@ static void compute_length (private_transform_substructure_t *this)
        iterator_t *iterator;
        payload_t *current_attribute;
        size_t length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
-       
+
        iterator = this->attributes->create_iterator(this->attributes,TRUE);
        while (iterator->iterate(iterator, (void**)&current_attribute))
        {
                length += current_attribute->get_length(current_attribute);
        }
        iterator->destroy(iterator);
-       
+
        this->transform_length = length;
 }
 
@@ -254,7 +254,7 @@ static void set_transform_type (private_transform_substructure_t *this,u_int8_t
 {
        this->transform_type = type;
 }
-       
+
 /**
  * Implementation of transform_substructure_t.get_transform_type.
  */
@@ -270,7 +270,7 @@ static void set_transform_id (private_transform_substructure_t *this,u_int16_t i
 {
        this->transform_id = id;
 }
-       
+
 /**
  * Implementation of transform_substructure_t.get_transform_id.
  */
@@ -287,20 +287,20 @@ static transform_substructure_t *clone_(private_transform_substructure_t *this)
        private_transform_substructure_t *clone;
        iterator_t *attributes;
        transform_attribute_t *current_attribute;
-       
+
        clone = (private_transform_substructure_t *) transform_substructure_create();
        clone->next_payload = this->next_payload;
        clone->transform_type = this->transform_type;
        clone->transform_id = this->transform_id;
-       
+
        attributes = this->attributes->create_iterator(this->attributes, FALSE);
        while (attributes->iterate(attributes, (void**)&current_attribute))
        {
                current_attribute = current_attribute->clone(current_attribute);
                clone->public.add_transform_attribute(&clone->public, current_attribute);
        }
-       attributes->destroy(attributes);        
-       
+       attributes->destroy(attributes);
+
        return &clone->public;
 }
 
@@ -312,14 +312,14 @@ static status_t get_key_length(private_transform_substructure_t *this, u_int16_t
 {
        iterator_t *attributes;
        transform_attribute_t *current_attribute;
-       
+
        attributes = this->attributes->create_iterator(this->attributes, TRUE);
        while (attributes->iterate(attributes, (void**)&current_attribute))
        {
                if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH)
                {
                        *key_length = current_attribute->get_value(current_attribute);
-                       attributes->destroy(attributes);        
+                       attributes->destroy(attributes);
                        return SUCCESS;
                }
        }
@@ -350,10 +350,10 @@ transform_substructure_t *transform_substructure_create()
        this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
        this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
        this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-       this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;   
+       this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.create_transform_attribute_iterator = (iterator_t * (*) (transform_substructure_t *,bool)) create_transform_attribute_iterator;
        this->public.add_transform_attribute = (void (*) (transform_substructure_t *,transform_attribute_t *)) add_transform_attribute;
@@ -366,14 +366,14 @@ transform_substructure_t *transform_substructure_create()
        this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length;
        this->public.clone = (transform_substructure_t* (*) (transform_substructure_t *)) clone_;
        this->public.destroy = (void (*) (transform_substructure_t *)) destroy;
-       
+
        /* set default values of the fields */
        this->next_payload = NO_PAYLOAD;
        this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
        this->transform_id = 0;
        this->transform_type = 0;
        this->attributes = linked_list_create();
-       
+
        return (&(this->public));
 }
 
@@ -385,17 +385,17 @@ transform_substructure_t *transform_substructure_create_type(
                                                                u_int16_t transform_id, u_int16_t key_length)
 {
        transform_substructure_t *transform = transform_substructure_create();
-       
+
        transform->set_transform_type(transform,transform_type);
        transform->set_transform_id(transform,transform_id);
-       
+
        if (key_length)
        {
                transform_attribute_t *attribute;
-               
+
                attribute = transform_attribute_create_key_length(key_length);
                transform->add_transform_attribute(transform, attribute);
-       
+
        }
        return transform;
 }
index b02a94a6ccd6960f138d803fe394ec552837f314..5d31f8c0a07c311122a3fb3499f5a58fd606ea85 100644 (file)
@@ -48,7 +48,7 @@ typedef struct transform_substructure_t transform_substructure_t;
 
 /**
  * Class representing an IKEv2- TRANSFORM SUBSTRUCTURE.
- * 
+ *
  * The TRANSFORM SUBSTRUCTURE format is described in RFC section 3.3.2.
  */
 struct transform_substructure_t {
@@ -56,12 +56,12 @@ struct transform_substructure_t {
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Creates an iterator of stored transform_attribute_t objects.
-        * 
-        * When deleting an transform attribute using this iterator, 
-        * the length of this transform substructure has to be refreshed 
+        *
+        * When deleting an transform attribute using this iterator,
+        * the length of this transform substructure has to be refreshed
         * by calling get_length().
         *
         * @param forward               iterator direction (TRUE: front to end)
@@ -69,7 +69,7 @@ struct transform_substructure_t {
         */
        iterator_t * (*create_transform_attribute_iterator) (
                                                                transform_substructure_t *this, bool forward);
-       
+
        /**
         * Adds a transform_attribute_t object to this object.
         *
@@ -77,59 +77,59 @@ struct transform_substructure_t {
         */
        void (*add_transform_attribute) (transform_substructure_t *this,
                                                                         transform_attribute_t *attribute);
-       
+
        /**
         * Sets the next_payload field of this substructure
-        * 
+        *
         * If this is the last transform, next payload field is set to 0,
         * otherwise to 3
         *
         * @param is_last       When TRUE, next payload field is set to 0, otherwise to 3
         */
        void (*set_is_last_transform) (transform_substructure_t *this, bool is_last);
-       
+
        /**
         * Checks if this is the last transform.
-        * 
+        *
         * @return                      TRUE if this is the last Transform, FALSE otherwise
         */
        bool (*get_is_last_transform) (transform_substructure_t *this);
-       
+
        /**
         * Sets transform type of the current transform substructure.
         *
         * @param type          type value to set
         */
        void (*set_transform_type) (transform_substructure_t *this, u_int8_t type);
-       
+
        /**
         * get transform type of the current transform.
-        * 
+        *
         * @return                      Transform type of current transform substructure.
         */
        u_int8_t (*get_transform_type) (transform_substructure_t *this);
-       
+
        /**
         * Sets transform id of the current transform substructure.
         *
         * @param id            transform id to set
         */
        void (*set_transform_id) (transform_substructure_t *this, u_int16_t id);
-       
+
        /**
         * get transform id of the current transform.
-        * 
+        *
         * @return                      Transform id of current transform substructure.
         */
        u_int16_t (*get_transform_id) (transform_substructure_t *this);
-       
+
        /**
         * get transform id of the current transform.
-        * 
-        * @param key_length    The key length is written to this location      
-        * @return                      
+        *
+        * @param key_length    The key length is written to this location
+        * @return
         *                                              - SUCCESS if a key length attribute is contained
-        *                                              - FAILED if no key length attribute is part of this 
+        *                                              - FAILED if no key length attribute is part of this
         *                                                transform or key length uses more then 16 bit!
         */
        status_t (*get_key_length) (transform_substructure_t *this,
@@ -150,18 +150,18 @@ struct transform_substructure_t {
 
 /**
  * Creates an empty transform_substructure_t object.
- * 
+ *
  * @return                     created transform_substructure_t object
  */
 transform_substructure_t *transform_substructure_create(void);
 
 /**
  * Creates an empty transform_substructure_t object.
- * 
+ *
  * The key length is used for the transport types ENCRYPTION_ALGORITHM,
- * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all 
+ * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all
  * other transport types the key_length parameter is not used
- * 
+ *
  * @param transform_type       type of transform to create
  * @param transform_id         transform id specifying the specific algorithm of a transform type
  * @param key_length           Key length for key lenght attribute
index 92ddc380fb033c503ac0807111e9c25efabc93c0..64891913795493a02908dccd8cfec129588ddb55 100644 (file)
@@ -25,19 +25,19 @@ typedef struct private_ts_payload_t private_ts_payload_t;
 
 /**
  * Private data of an ts_payload_t object.
- * 
+ *
  */
 struct private_ts_payload_t {
        /**
         * Public ts_payload_t interface.
         */
        ts_payload_t public;
-       
+
        /**
         * TRUE if this TS payload is of type TSi, FALSE for TSr.
         */
        bool is_initiator;
-       
+
        /**
         * Next payload type.
         */
@@ -47,17 +47,17 @@ struct private_ts_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * Number of traffic selectors
         */
        u_int8_t number_of_traffic_selectors;
-       
+
        /**
         * Contains the traffic selectors of type traffic_selector_substructure_t.
         */
@@ -66,10 +66,10 @@ struct private_ts_payload_t {
 
 /**
  * Encoding rules to parse or generate a TS payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_ts_payload_t.
- * 
+ *
  */
 encoding_rule_t ts_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
@@ -84,7 +84,7 @@ encoding_rule_t ts_payload_encodings[] = {
        { RESERVED_BIT, 0                                                                                                                               },
        { RESERVED_BIT, 0                                                                                                                               },
        { RESERVED_BIT, 0                                                                                                                               },
-       /* Length of the whole payload*/        
+       /* Length of the whole payload*/
        { PAYLOAD_LENGTH,       offsetof(private_ts_payload_t, payload_length)},
        /* 1 Byte TS type*/
        { U_INT_8,                      offsetof(private_ts_payload_t, number_of_traffic_selectors)     },
@@ -118,13 +118,13 @@ static status_t verify(private_ts_payload_t *this)
        iterator_t *iterator;
        payload_t *current_traffic_selector;
        status_t status = SUCCESS;
-       
+
        if (this->number_of_traffic_selectors != (this->traffic_selectors->get_count(this->traffic_selectors)))
        {
                /* must be the same */
                return FAILED;
        }
-       
+
        iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
        while(iterator->iterate(iterator, (void**)&current_traffic_selector))
        {
@@ -135,7 +135,7 @@ static status_t verify(private_ts_payload_t *this)
                }
        }
        iterator->destroy(iterator);
-       
+
        return status;
 }
 
@@ -188,7 +188,7 @@ static void compute_length (private_ts_payload_t *this)
        size_t ts_count = 0;
        size_t length = TS_PAYLOAD_HEADER_LENGTH;
        payload_t *current_traffic_selector;
-       
+
        iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
        while (iterator->iterate(iterator, (void**)&current_traffic_selector))
        {
@@ -196,9 +196,9 @@ static void compute_length (private_ts_payload_t *this)
                ts_count++;
        }
        iterator->destroy(iterator);
-       
+
        this->number_of_traffic_selectors= ts_count;
-       this->payload_length = length;  
+       this->payload_length = length;
 }
 
 /**
@@ -252,7 +252,7 @@ static linked_list_t *get_traffic_selectors(private_ts_payload_t *this)
        iterator_t *iterator;
        traffic_selector_substructure_t *ts_substructure;
        linked_list_t *ts_list = linked_list_create();
-       
+
        iterator = this->traffic_selectors->create_iterator(this->traffic_selectors, TRUE);
        while (iterator->iterate(iterator, (void**)&ts_substructure))
        {
@@ -260,7 +260,7 @@ static linked_list_t *get_traffic_selectors(private_ts_payload_t *this)
                ts_list->insert_last(ts_list, (void*)ts);
        }
        iterator->destroy(iterator);
-       
+
        return ts_list;
 }
 
@@ -289,7 +289,7 @@ ts_payload_t *ts_payload_create(bool is_initiator)
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.destroy = (void (*) (ts_payload_t *)) destroy;
        this->public.get_initiator = (bool (*) (ts_payload_t *)) get_initiator;
@@ -297,14 +297,14 @@ ts_payload_t *ts_payload_create(bool is_initiator)
        this->public.add_traffic_selector_substructure = (void (*) (ts_payload_t *,traffic_selector_substructure_t *)) add_traffic_selector_substructure;
        this->public.create_traffic_selector_substructure_iterator = (iterator_t* (*) (ts_payload_t *,bool)) create_traffic_selector_substructure_iterator;
        this->public.get_traffic_selectors = (linked_list_t *(*) (ts_payload_t *)) get_traffic_selectors;
-       
+
        /* private variables */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
        this->payload_length =TS_PAYLOAD_HEADER_LENGTH;
        this->is_initiator = is_initiator;
        this->number_of_traffic_selectors = 0;
-       this->traffic_selectors = linked_list_create();  
+       this->traffic_selectors = linked_list_create();
 
        return &(this->public);
 }
@@ -318,9 +318,9 @@ ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked
        traffic_selector_t *ts;
        traffic_selector_substructure_t *ts_substructure;
        private_ts_payload_t *this;
-       
+
        this = (private_ts_payload_t*)ts_payload_create(is_initiator);
-       
+
        iterator = traffic_selectors->create_iterator(traffic_selectors, TRUE);
        while (iterator->iterate(iterator, (void**)&ts))
        {
@@ -328,7 +328,7 @@ ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked
                this->public.add_traffic_selector_substructure(&(this->public), ts_substructure);
        }
        iterator->destroy(iterator);
-       
+
        return &(this->public);
 }
 
index 3c8a6d595626dba33917037df6250d044e7339a8..1d198a6fa6ec54eba245d820b202689234edc537 100644 (file)
@@ -47,7 +47,7 @@ struct ts_payload_t {
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
         * Get the type of TSpayload (TSi or TSr).
         *
@@ -56,16 +56,16 @@ struct ts_payload_t {
         *                                              - FALSE if this payload is of type TSr
         */
        bool (*get_initiator) (ts_payload_t *this);
-       
+
        /**
         * Set the type of TS payload (TSi or TSr).
         *
-        * @param is_initiator  
+        * @param is_initiator
         *                                              - TRUE if this payload is of type TSi
         *                                              - FALSE if this payload is of type TSr
         */
        void (*set_initiator) (ts_payload_t *this,bool is_initiator);
-       
+
        /**
         * Adds a traffic_selector_substructure_t object to this object.
         *
@@ -73,12 +73,12 @@ struct ts_payload_t {
         */
        void (*add_traffic_selector_substructure) (ts_payload_t *this,
                                                        traffic_selector_substructure_t *traffic_selector);
-       
+
        /**
         * Creates an iterator of stored traffic_selector_substructure_t objects.
-        * 
-        * When removing an traffic_selector_substructure_t object 
-        * using this iterator, the length of this payload 
+        *
+        * When removing an traffic_selector_substructure_t object
+        * using this iterator, the length of this payload
         * has to get refreshed by calling payload_t.get_length!
         *
         * @param forward               iterator direction (TRUE: front to end)
@@ -86,10 +86,10 @@ struct ts_payload_t {
         */
        iterator_t *(*create_traffic_selector_substructure_iterator) (
                                                                                        ts_payload_t *this, bool forward);
-       
+
        /**
         * Get a list of nested traffic selectors as traffic_selector_t.
-        * 
+        *
         * Resulting list and its traffic selectors must be destroyed after usage
         *
         * @return                              list of traffic selectors
@@ -104,8 +104,8 @@ struct ts_payload_t {
 
 /**
  * Creates an empty ts_payload_t object.
- * 
- * @param is_initiator 
+ *
+ * @param is_initiator
  *                                             - TRUE if this payload is of type TSi
  *                                             - FALSE if this payload is of type TSr
  * @return                             ts_payload_t object
@@ -114,14 +114,14 @@ ts_payload_t *ts_payload_create(bool is_initiator);
 
 /**
  * Creates ts_payload with a list of traffic_selector_t
- * 
- * @param is_initiator 
+ *
+ * @param is_initiator
  *                                                     - TRUE if this payload is of type TSi
  *                                                     - FALSE if this payload is of type TSr
  * @param traffic_selectors    list of traffic selectors to include
  * @return                                     ts_payload_t object
  */
-ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, 
+ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator,
                                                                                        linked_list_t *traffic_selectors);
 
 #endif /** TS_PAYLOAD_H_ @}*/
index 309663233c6da773d4c1bfca1f0a45edbe6402b5..3c31ab1a2198cc345ed28c2d7b931a6792716965 100644 (file)
@@ -26,12 +26,12 @@ typedef struct private_unknown_payload_t private_unknown_payload_t;
  * Private data of an unknown_payload_t object.
  */
 struct private_unknown_payload_t {
-       
+
        /**
         * Public unknown_payload_t interface.
         */
        unknown_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -41,12 +41,12 @@ struct private_unknown_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * The contained data.
         */
@@ -55,10 +55,10 @@ struct private_unknown_payload_t {
 
 /**
  * Encoding rules to parse an payload which is not further specified.
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_unknown_payload_t.
- * 
+ *
  */
 encoding_rule_t unknown_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
@@ -146,7 +146,7 @@ static size_t get_length(private_unknown_payload_t *this)
  */
 static bool is_critical(private_unknown_payload_t *this)
 {
-       return this->critical;  
+       return this->critical;
 }
 
 /**
@@ -166,8 +166,8 @@ static void destroy(private_unknown_payload_t *this)
        {
                chunk_free(&(this->data));
        }
-       
-       free(this);     
+
+       free(this);
 }
 
 /*
@@ -185,12 +185,12 @@ unknown_payload_t *unknown_payload_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.destroy = (void (*) (unknown_payload_t *)) destroy;
        this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical;
        this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data;
-       
+
        /* private variables */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
index 44b6e1a717952537e79f23cc339dc6f1500a1190..c761ed2b6ca9825fe085de3f3fcf713a48d7d9ff 100644 (file)
@@ -40,29 +40,29 @@ typedef struct unknown_payload_t unknown_payload_t;
  * a check for the critical bit in the header.
  */
 struct unknown_payload_t {
-       
+
        /**
         * The payload_t interface.
         */
        payload_t payload_interface;
-       
+
        /**
-        * Get the raw data of this payload, without 
+        * Get the raw data of this payload, without
         * the generic payload header.
-        * 
+        *
         * Returned data are NOT copied and must not be freed.
         *
         * @return                              data as chunk_t
         */
        chunk_t (*get_data) (unknown_payload_t *this);
-       
+
        /**
         * Get the critical flag.
         *
         * @return                              TRUE if payload is critical, FALSE if not
         */
        bool (*is_critical) (unknown_payload_t *this);
-       
+
        /**
         * Destroys an unknown_payload_t object.
         */
@@ -71,7 +71,7 @@ struct unknown_payload_t {
 
 /**
  * Creates an empty unknown_payload_t object.
- * 
+ *
  * @return unknown_payload_t object
  */
 unknown_payload_t *unknown_payload_create(void);
index 52d9e12a5c0752b9f2253167cb4ddbe7df1984ff..dc16763e003769e97a6c68358ddb1640cc0b5727 100644 (file)
@@ -23,14 +23,14 @@ typedef struct private_vendor_id_payload_t private_vendor_id_payload_t;
 
 /**
  * Private data of an vendor_id_payload_t object.
- * 
+ *
  */
 struct private_vendor_id_payload_t {
        /**
         * Public vendor_id_payload_t interface.
         */
        vendor_id_payload_t public;
-       
+
        /**
         * Next payload type.
         */
@@ -40,12 +40,12 @@ struct private_vendor_id_payload_t {
         * Critical flag.
         */
        bool critical;
-       
+
        /**
         * Length of this payload.
         */
        u_int16_t payload_length;
-       
+
        /**
         * The contained vendor_id data value.
         */
@@ -54,10 +54,10 @@ struct private_vendor_id_payload_t {
 
 /**
  * Encoding rules to parse or generate a VENDOR ID payload
- * 
- * The defined offsets are the positions in a object of type 
+ *
+ * The defined offsets are the positions in a object of type
  * private_vendor_id_payload_t.
- * 
+ *
  */
 encoding_rule_t vendor_id_payload_encodings[] = {
        /* 1 Byte next payload type, stored in the field next_payload */
@@ -185,7 +185,7 @@ static void destroy(private_vendor_id_payload_t *this)
        {
                chunk_free(&(this->vendor_id_data));
        }
-       free(this);     
+       free(this);
 }
 
 /*
@@ -203,13 +203,13 @@ vendor_id_payload_t *vendor_id_payload_create()
        this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
        this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
        this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-       
+
        /* public functions */
        this->public.destroy = (void (*) (vendor_id_payload_t *)) destroy;
        this->public.set_data = (void (*) (vendor_id_payload_t *,chunk_t)) set_data;
        this->public.get_data_clone = (chunk_t (*) (vendor_id_payload_t *)) get_data_clone;
        this->public.get_data = (chunk_t (*) (vendor_id_payload_t *)) get_data;
-       
+
        /* private variables */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
index 9ee9ea1d416d643e4e7fcd849e928db12ccd8f1c..76d422e0ac86e9bffe590184ef074ec06bd58772 100644 (file)
@@ -46,31 +46,31 @@ struct vendor_id_payload_t {
 
        /**
         * Set the VID data.
-        * 
+        *
         * Data are getting cloned.
         *
         * @param data                  VID data as chunk_t
         */
        void (*set_data) (vendor_id_payload_t *this, chunk_t data);
-       
+
        /**
         * Get the VID data.
-        * 
+        *
         * Returned data are a copy of the internal one.
         *
         * @return                              VID data as chunk_t
         */
        chunk_t (*get_data_clone) (vendor_id_payload_t *this);
-       
+
        /**
         * Get the VID data.
-        * 
+        *
         * Returned data are NOT copied.
         *
         * @return                              VID data as chunk_t
         */
        chunk_t (*get_data) (vendor_id_payload_t *this);
-       
+
        /**
         * Destroys an vendor_id_payload_t object.
         */
@@ -79,7 +79,7 @@ struct vendor_id_payload_t {
 
 /**
  * Creates an empty vendor_id_payload_t object.
- * 
+ *
  * @return vendor_id_payload_t object
  */
 vendor_id_payload_t *vendor_id_payload_create(void);
index f3345138331edc20a42a6327c5bb425aa9526e3e..b1a1d703fea85dfae9bde712074bc61bcb03fb7b 100644 (file)
@@ -30,12 +30,12 @@ struct private_kernel_interface_t {
         * Public part of kernel_interface_t object.
         */
        kernel_interface_t public;
-       
+
        /**
         * ipsec interface
         */
        kernel_ipsec_t *ipsec;
-       
+
        /**
         * network interface
         */
@@ -45,7 +45,7 @@ struct private_kernel_interface_t {
 /**
  * Implementation of kernel_interface_t.get_spi
  */
-static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *dst, 
+static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *dst,
                                 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
        if (!this->ipsec)
@@ -58,7 +58,7 @@ static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *d
 /**
  * Implementation of kernel_interface_t.get_cpi
  */
-static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *dst, 
+static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *dst,
                                        u_int32_t reqid, u_int16_t *cpi)
 {
        if (!this->ipsec)
@@ -92,7 +92,7 @@ static status_t add_sa(private_kernel_interface_t *this, host_t *src, host_t *ds
  * Implementation of kernel_interface_t.update_sa
  */
 static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
-                                  protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, 
+                                  protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst,
                                   host_t *new_src, host_t *new_dst, bool encap, bool new_encap)
 {
        if (!this->ipsec)
@@ -289,13 +289,13 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
        host_t *host;
        int family;
        bool found = FALSE;
-       
+
        DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
-       
+
        /* if we have a family which includes localhost, we do not
         * search for an IP, we use the default */
        family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
-       
+
        if (family == AF_INET)
        {
                host = host_create_from_string("127.0.0.1", 0);
@@ -304,7 +304,7 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
        {
                host = host_create_from_string("::1", 0);
        }
-       
+
        if (ts->includes(ts, host))
        {
                *ip = host_create_any(family);
@@ -313,7 +313,7 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
                return SUCCESS;
        }
        host->destroy(host);
-       
+
        addrs = create_address_enumerator(this, TRUE, TRUE);
        while (addrs->enumerate(addrs, (void**)&host))
        {
@@ -325,13 +325,13 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
                }
        }
        addrs->destroy(addrs);
-       
+
        if (!found)
        {
                DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
                return FAILED;
        }
-       
+
        DBG2(DBG_KNL, "using host %H", *ip);
        return SUCCESS;
 }
@@ -395,7 +395,7 @@ static void destroy(private_kernel_interface_t *this)
 kernel_interface_t *kernel_interface_create()
 {
        private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
-       
+
        this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
        this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
@@ -405,7 +405,7 @@ kernel_interface_t *kernel_interface_create()
        this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-       
+
        this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest, host_t *src))get_source_addr;
        this->public.get_nexthop = (host_t*(*)(kernel_interface_t*, host_t *dest))get_nexthop;
        this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface;
@@ -414,18 +414,18 @@ kernel_interface_t *kernel_interface_create()
        this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
        this->public.add_route = (status_t(*)(kernel_interface_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
        this->public.del_route = (status_t(*)(kernel_interface_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-       
+
        this->public.get_address_by_ts = (status_t(*)(kernel_interface_t*,traffic_selector_t*,host_t**))get_address_by_ts;
-       
+
        this->public.add_ipsec_interface = (void(*)(kernel_interface_t*, kernel_ipsec_constructor_t))add_ipsec_interface;
        this->public.remove_ipsec_interface = (void(*)(kernel_interface_t*, kernel_ipsec_constructor_t))remove_ipsec_interface;
        this->public.add_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))add_net_interface;
        this->public.remove_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))remove_net_interface;
-       
+
        this->public.destroy = (void (*)(kernel_interface_t*))destroy;
-       
+
        this->ipsec = NULL;
        this->net = NULL;
-       
+
        return &this->public;
 }
index f4247a260607777b1242d70dd0f88d0621f89f98..505fb1f5675fe6cde63328e620a7eba712ba5b56 100644 (file)
@@ -45,7 +45,7 @@ typedef kernel_net_t* (*kernel_net_constructor_t)(void);
 
 /**
  * Manager and wrapper for different kernel interfaces.
- * 
+ *
  * The kernel interface handles the communication with the kernel
  * for SA and policy management and interface and IP address management.
  */
@@ -61,21 +61,21 @@ struct kernel_interface_t {
         * @param spi           allocated spi
         * @return                              SUCCESS if operation completed
         */
-       status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst, 
+       status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
                                                protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
-       
+
        /**
         * Get a Compression Parameter Index (CPI) from the kernel.
-        * 
+        *
         * @param src           source address of SA
         * @param dst           destination address of SA
         * @param reqid         unique ID for the corresponding SA
         * @param cpi           allocated cpi
         * @return                              SUCCESS if operation completed
         */
-       status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst, 
+       status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
                                                u_int32_t reqid, u_int16_t *cpi);
-       
+
        /**
         * Add an SA to the SAD.
         *
@@ -110,7 +110,7 @@ struct kernel_interface_t {
                                                u_int16_t int_alg, chunk_t int_key,
                                                ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
                                                bool encap, bool inbound);
-       
+
        /**
         * Update the hosts on an installed SA.
         *
@@ -133,13 +133,13 @@ struct kernel_interface_t {
         */
        status_t (*update_sa)(kernel_interface_t *this,
                                                  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-                                                 host_t *src, host_t *dst, 
+                                                 host_t *src, host_t *dst,
                                                  host_t *new_src, host_t *new_dst,
                                                  bool encap, bool new_encap);
-       
+
        /**
         * Query the number of bytes processed by an SA from the SAD.
-        * 
+        *
         * @param src                   source address for this SA
         * @param dst                   destination address for this SA
         * @param spi                   SPI allocated by us or remote peer
@@ -149,10 +149,10 @@ struct kernel_interface_t {
         */
        status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
                                                  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
-       
+
        /**
         * Delete a previously installed SA from the SAD.
-        * 
+        *
         * @param src                   source address for this SA
         * @param dst                   destination address for this SA
         * @param spi                   SPI allocated by us or remote peer
@@ -162,13 +162,13 @@ struct kernel_interface_t {
         */
        status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
                                                u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
-       
+
        /**
         * Add a policy to the SPD.
-        * 
+        *
         * A policy is always associated to an SA. Traffic which matches a
         * policy is handled by the SA with the same reqid.
-        * 
+        *
         * @param src                   source address of SA
         * @param dst                   dest address of SA
         * @param src_ts                traffic selector to match traffic source
@@ -191,13 +191,13 @@ struct kernel_interface_t {
                                                        protocol_id_t protocol, u_int32_t reqid,
                                                        ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
                                                        bool routed);
-       
+
        /**
         * Query the use time of a policy.
         *
         * The use time of a policy is the time the policy was used
         * for the last time.
-        * 
+        *
         * @param src_ts                traffic selector to match traffic source
         * @param dst_ts                traffic selector to match traffic dest
         * @param direction             direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
@@ -205,10 +205,10 @@ struct kernel_interface_t {
         * @return                              SUCCESS if operation completed
         */
        status_t (*query_policy) (kernel_interface_t *this,
-                                                         traffic_selector_t *src_ts, 
+                                                         traffic_selector_t *src_ts,
                                                          traffic_selector_t *dst_ts,
                                                          policy_dir_t direction, u_int32_t *use_time);
-       
+
        /**
         * Remove a policy from the SPD.
         *
@@ -224,11 +224,11 @@ struct kernel_interface_t {
         * @return                              SUCCESS if operation completed
         */
        status_t (*del_policy) (kernel_interface_t *this,
-                                                       traffic_selector_t *src_ts, 
+                                                       traffic_selector_t *src_ts,
                                                        traffic_selector_t *dst_ts,
                                                        policy_dir_t direction,
                                                        bool unrouted);
-       
+
        /**
         * Get our outgoing source address for a destination.
         *
@@ -243,7 +243,7 @@ struct kernel_interface_t {
         */
        host_t* (*get_source_addr)(kernel_interface_t *this,
                                                           host_t *dest, host_t *src);
-       
+
        /**
         * Get the next hop for a destination.
         *
@@ -254,7 +254,7 @@ struct kernel_interface_t {
         * @return                              next hop address, NULL if unreachable
         */
        host_t* (*get_nexthop)(kernel_interface_t *this, host_t *dest);
-       
+
        /**
         * Get the interface name of a local address.
         *
@@ -262,21 +262,21 @@ struct kernel_interface_t {
         * @return                              allocated interface name, or NULL if not found
         */
        char* (*get_interface) (kernel_interface_t *this, host_t *host);
-       
+
        /**
         * Creates an enumerator over all local addresses.
-        * 
+        *
         * This function blocks an internal cached address list until the
         * enumerator gets destroyed.
         * The hosts are read-only, do not modify of free.
-        * 
+        *
         * @param include_down_ifaces   TRUE to enumerate addresses from down interfaces
         * @param include_virtual_ips   TRUE to enumerate virtual ip addresses
         * @return                                              enumerator over host_t's
         */
        enumerator_t *(*create_address_enumerator) (kernel_interface_t *this,
                                                bool include_down_ifaces, bool include_virtual_ips);
-       
+
        /**
         * Add a virtual IP to an interface.
         *
@@ -291,7 +291,7 @@ struct kernel_interface_t {
         */
        status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
                                                host_t *iface_ip);
-       
+
        /**
         * Remove a virtual IP from an interface.
         *
@@ -301,10 +301,10 @@ struct kernel_interface_t {
         * @return                              SUCCESS if operation completed
         */
        status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
-       
+
        /**
         * Add a route.
-        * 
+        *
         * @param dst_net               destination net
         * @param prefixlen             destination net prefix length
         * @param gateway               gateway for this route
@@ -315,10 +315,10 @@ struct kernel_interface_t {
         */
        status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
                                                                host_t *gateway, host_t *src_ip, char *if_name);
-       
+
        /**
         * Delete a route.
-        * 
+        *
         * @param dst_net               destination net
         * @param prefixlen             destination net prefix length
         * @param gateway               gateway for this route
@@ -328,50 +328,50 @@ struct kernel_interface_t {
         */
        status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
                                                                host_t *gateway, host_t *src_ip, char *if_name);
-       
+
        /**
         * manager methods
         */
-       
+
        /**
         * Tries to find an ip address of a local interface that is included in the
         * supplied traffic selector.
-        * 
+        *
         * @param ts                    traffic selector
         * @param ip                    returned ip (has to be destroyed)
         * @return                              SUCCESS if address found
         */
        status_t (*get_address_by_ts) (kernel_interface_t *this,
                                                                                traffic_selector_t *ts, host_t **ip);
-       
+
        /**
         * Register an ipsec kernel interface constructor on the manager.
         *
         * @param create                        constructor to register
         */
        void (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
-       
+
        /**
         * Unregister an ipsec kernel interface constructor.
         *
         * @param create                        constructor to unregister
         */
        void (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
-       
+
        /**
         * Register a network kernel interface constructor on the manager.
         *
         * @param create                        constructor to register
         */
        void (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
-       
+
        /**
         * Unregister a network kernel interface constructor.
         *
         * @param create                        constructor to unregister
         */
        void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
-       
+
        /**
         * Destroys a kernel_interface_manager_t object.
         */
index b21be849d8037616629cba3459c36a2b1c7cf99f..fdcc5f40a4c5bec4c9d2a449734dd9139b4f6300 100644 (file)
@@ -71,9 +71,9 @@ extern enum_name_t *policy_dir_names;
 
 /**
  * Interface to the ipsec subsystem of the kernel.
- * 
+ *
  * The kernel ipsec interface handles the communication with the kernel
- * for SA and policy management. It allows setup of these, and provides 
+ * for SA and policy management. It allows setup of these, and provides
  * further the handling of kernel events.
  * Policy information are cached in the interface. This is necessary to do
  * reference counting. The Linux kernel does not allow the same policy
@@ -81,7 +81,7 @@ extern enum_name_t *policy_dir_names;
  * when rekeying. Thats why we do reference counting of policies.
  */
 struct kernel_ipsec_t {
-       
+
        /**
         * Get a SPI from the kernel.
         *
@@ -92,21 +92,21 @@ struct kernel_ipsec_t {
         * @param spi           allocated spi
         * @return                              SUCCESS if operation completed
         */
-       status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst, 
+       status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
                                                protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
-       
+
        /**
         * Get a Compression Parameter Index (CPI) from the kernel.
-        * 
+        *
         * @param src           source address of SA
         * @param dst           destination address of SA
         * @param reqid         unique ID for the corresponding SA
         * @param cpi           allocated cpi
         * @return                              SUCCESS if operation completed
         */
-       status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst, 
+       status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
                                                u_int32_t reqid, u_int16_t *cpi);
-       
+
        /**
         * Add an SA to the SAD.
         *
@@ -141,7 +141,7 @@ struct kernel_ipsec_t {
                                                u_int16_t int_alg, chunk_t int_key,
                                                ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
                                                bool encap, bool inbound);
-       
+
        /**
         * Update the hosts on an installed SA.
         *
@@ -164,13 +164,13 @@ struct kernel_ipsec_t {
         */
        status_t (*update_sa)(kernel_ipsec_t *this,
                                                  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
-                                                 host_t *src, host_t *dst, 
+                                                 host_t *src, host_t *dst,
                                                  host_t *new_src, host_t *new_dst,
                                                  bool encap, bool new_encap);
-       
+
        /**
         * Query the number of bytes processed by an SA from the SAD.
-        * 
+        *
         * @param src                   source address for this SA
         * @param dst                   destination address for this SA
         * @param spi                   SPI allocated by us or remote peer
@@ -180,10 +180,10 @@ struct kernel_ipsec_t {
         */
        status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
                                                  u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
-       
+
        /**
         * Delete a previusly installed SA from the SAD.
-        * 
+        *
         * @param src                   source address for this SA
         * @param dst                   destination address for this SA
         * @param spi                   SPI allocated by us or remote peer
@@ -193,13 +193,13 @@ struct kernel_ipsec_t {
         */
        status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
                                                u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
-       
+
        /**
         * Add a policy to the SPD.
-        * 
+        *
         * A policy is always associated to an SA. Traffic which matches a
         * policy is handled by the SA with the same reqid.
-        * 
+        *
         * @param src                   source address of SA
         * @param dst                   dest address of SA
         * @param src_ts                traffic selector to match traffic source
@@ -222,14 +222,14 @@ struct kernel_ipsec_t {
                                                        protocol_id_t protocol, u_int32_t reqid,
                                                        ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
                                                        bool routed);
-       
+
        /**
         * Query the use time of a policy.
         *
         * The use time of a policy is the time the policy was used for the last
         * time. It is not the system time, but a monotonic timestamp as returned
         * by time_monotonic.
-        * 
+        *
         * @param src_ts                traffic selector to match traffic source
         * @param dst_ts                traffic selector to match traffic dest
         * @param direction             direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
@@ -237,10 +237,10 @@ struct kernel_ipsec_t {
         * @return                              SUCCESS if operation completed
         */
        status_t (*query_policy) (kernel_ipsec_t *this,
-                                                         traffic_selector_t *src_ts, 
+                                                         traffic_selector_t *src_ts,
                                                          traffic_selector_t *dst_ts,
                                                          policy_dir_t direction, u_int32_t *use_time);
-       
+
        /**
         * Remove a policy from the SPD.
         *
@@ -256,11 +256,11 @@ struct kernel_ipsec_t {
         * @return                              SUCCESS if operation completed
         */
        status_t (*del_policy) (kernel_ipsec_t *this,
-                                                       traffic_selector_t *src_ts, 
+                                                       traffic_selector_t *src_ts,
                                                        traffic_selector_t *dst_ts,
                                                        policy_dir_t direction,
                                                        bool unrouted);
-       
+
        /**
         * Destroy the implementation.
         */
index 02242f3a8364d88affd8c5d0481965cce646734f..efb221f88853d439a51e675acb1233f50f422e86 100644 (file)
@@ -29,7 +29,7 @@ typedef struct kernel_net_t kernel_net_t;
 
 /**
  * Interface to the network subsystem of the kernel.
- * 
+ *
  * The kernel network interface handles the communication with the kernel
  * for interface and IP address management.
  */
@@ -48,7 +48,7 @@ struct kernel_net_t {
         * @return                              outgoing source address, NULL if unreachable
         */
        host_t* (*get_source_addr)(kernel_net_t *this, host_t *dest, host_t *src);
-       
+
        /**
         * Get the next hop for a destination.
         *
@@ -59,7 +59,7 @@ struct kernel_net_t {
         * @return                              next hop address, NULL if unreachable
         */
        host_t* (*get_nexthop)(kernel_net_t *this, host_t *dest);
-       
+
        /**
         * Get the interface name of a local address.
         *
@@ -67,21 +67,21 @@ struct kernel_net_t {
         * @return                              allocated interface name, or NULL if not found
         */
        char* (*get_interface) (kernel_net_t *this, host_t *host);
-       
+
        /**
         * Creates an enumerator over all local addresses.
-        * 
+        *
         * This function blocks an internal cached address list until the
         * enumerator gets destroyed.
         * The hosts are read-only, do not modify of free.
-        * 
+        *
         * @param include_down_ifaces   TRUE to enumerate addresses from down interfaces
         * @param include_virtual_ips   TRUE to enumerate virtual ip addresses
         * @return                                              enumerator over host_t's
         */
        enumerator_t *(*create_address_enumerator) (kernel_net_t *this,
                                                bool include_down_ifaces, bool include_virtual_ips);
-       
+
        /**
         * Add a virtual IP to an interface.
         *
@@ -96,7 +96,7 @@ struct kernel_net_t {
         */
        status_t (*add_ip) (kernel_net_t *this, host_t *virtual_ip,
                                                host_t *iface_ip);
-       
+
        /**
         * Remove a virtual IP from an interface.
         *
@@ -106,10 +106,10 @@ struct kernel_net_t {
         * @return                              SUCCESS if operation completed
         */
        status_t (*del_ip) (kernel_net_t *this, host_t *virtual_ip);
-       
+
        /**
         * Add a route.
-        * 
+        *
         * @param dst_net               destination net
         * @param prefixlen             destination net prefix length
         * @param gateway               gateway for this route
@@ -120,10 +120,10 @@ struct kernel_net_t {
         */
        status_t (*add_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
                                                                host_t *gateway, host_t *src_ip, char *if_name);
-       
+
        /**
         * Delete a route.
-        * 
+        *
         * @param dst_net               destination net
         * @param prefixlen             destination net prefix length
         * @param gateway               gateway for this route
@@ -133,7 +133,7 @@ struct kernel_net_t {
         */
        status_t (*del_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
                                                                host_t *gateway, host_t *src_ip, char *if_name);
-       
+
        /**
         * Destroy the implementation.
         */
index fd3a274bdc70dfbef6293baf57a5af8f139edfbd..19a62603dbdbed2da27b591f46926139d34dfbfb 100644 (file)
@@ -27,17 +27,17 @@ struct private_packet_t {
         * Public part of a packet_t object.
         */
        packet_t public;
-       
+
        /**
         * source address
         */
        host_t *source;
-               
+
        /**
         * destination address
         */
        host_t *destination;
-        
+
         /**
          * message data
          */
@@ -77,7 +77,7 @@ static host_t *get_destination(private_packet_t *this)
 {
        return this->destination;
 }
-       
+
 /**
  * Implements packet_t.get_data
  */
@@ -103,7 +103,7 @@ static void destroy(private_packet_t *this)
        if (this->source != NULL)
        {
                this->source->destroy(this->source);
-       }       
+       }
        if (this->destination != NULL)
        {
                this->destination->destroy(this->destination);
@@ -118,7 +118,7 @@ static void destroy(private_packet_t *this)
 static packet_t *clone_(private_packet_t *this)
 {
        private_packet_t *other = (private_packet_t*)packet_create();
-       
+
        if (this->destination != NULL)
        {
                other->destination = this->destination->clone(this->destination);
@@ -150,10 +150,10 @@ packet_t *packet_create(void)
        this->public.get_destination = (host_t*(*) (packet_t *)) get_destination;
        this->public.clone = (packet_t*(*) (packet_t *))clone_;
        this->public.destroy = (void(*) (packet_t *)) destroy;
-       
+
        this->destination = NULL;
        this->source = NULL;
        this->data = chunk_empty;
-       
+
        return &(this->public);
 }
index aacb203e943f5dd39acba763479cf16acc1702d6..18d82c6fcc0a8b1c76e0c33ba97cf71690484068 100644 (file)
@@ -34,71 +34,71 @@ struct packet_t {
 
        /**
         * Set the source address.
-        * 
+        *
         * Set host_t is now owned by packet_t, it will destroy
         * it if necessary.
-        * 
+        *
         * @param source        address to set as source
         */
        void (*set_source) (packet_t *packet, host_t *source);
-       
+
        /**
         * Set the destination address.
-        * 
+        *
         * Set host_t is now owned by packet_t, it will destroy
         * it if necessary.
-        * 
+        *
         * @param source        address to set as destination
         */
        void (*set_destination) (packet_t *packet, host_t *destination);
-       
+
        /**
         * Get the source address.
-        * 
+        *
         * Set host_t is still owned by packet_t, clone it
         * if needed.
-        * 
+        *
         * @return                      source address
         */
        host_t *(*get_source) (packet_t *packet);
-       
+
        /**
         * Get the destination address.
-        * 
+        *
         * Set host_t is still owned by packet_t, clone it
         * if needed.
-        * 
+        *
         * @return                      destination address
         */
        host_t *(*get_destination) (packet_t *packet);
-       
+
        /**
         * Get the data from the packet.
-        * 
-        * The data pointed by the chunk is still owned 
+        *
+        * The data pointed by the chunk is still owned
         * by the packet. Clone it if needed.
-        * 
+        *
         * @return                      chunk containing the data
         */
        chunk_t (*get_data) (packet_t *packet);
-       
+
        /**
         * Set the data in the packet.
-        * 
-        * Supplied chunk data is now owned by the 
+        *
+        * Supplied chunk data is now owned by the
         * packet. It will free it.
-        * 
+        *
         * @param data          chunk with data to set
         */
        void (*set_data) (packet_t *packet, chunk_t data);
-       
+
        /**
         * Clones a packet_t object.
-        *  
+        *
         * @param clone         clone of the packet
         */
        packet_t* (*clone) (packet_t *packet);
-       
+
        /**
         * Destroy the packet, freeing contained data.
         */
@@ -107,7 +107,7 @@ struct packet_t {
 
 /**
  * create an empty packet
- *  
+ *
  * @return packet_t object
  */
 packet_t *packet_create(void);
index 5c24a62700ae6b5fd50d247edb6d3b11838e0909..1a33251b6afcaab9d8ef0f87bffef525c471c1c4 100644 (file)
@@ -50,57 +50,57 @@ struct private_receiver_t {
         * Public part of a receiver_t object.
         */
        receiver_t public;
-        
+
        /**
         * Threads job receiving packets
         */
        callback_job_t *job;
-       
+
        /**
         * Assigned thread.
         */
        pthread_t assigned_thread;
-        
+
        /**
         * current secret to use for cookie calculation
         */
        char secret[SECRET_LENGTH];
-       
+
        /**
         * previous secret used to verify older cookies
         */
        char secret_old[SECRET_LENGTH];
-       
+
        /**
         * how many times we have used "secret" so far
         */
        u_int32_t secret_used;
-       
+
        /**
         * time we did the cookie switch
         */
        u_int32_t secret_switch;
-       
+
        /**
         * time offset to use, hides our system time
         */
        u_int32_t secret_offset;
-       
+
        /**
         * the RNG to use for secret generation
         */
        rng_t *rng;
-       
+
        /**
         * hasher to use for cookie calculation
         */
        hasher_t *hasher;
-       
+
        /**
         * require cookies after this many half open IKE_SAs
         */
        u_int32_t cookie_threshold;
-       
+
        /**
         * how many half open IKE_SAs per peer before blocking
         */
@@ -119,7 +119,7 @@ static void send_notify(message_t *request, notify_type_t type, chunk_t data)
                host_t *src, *dst;
                packet_t *packet;
                ike_sa_id_t *ike_sa_id;
-               
+
                response = message_create();
                dst = request->get_source(request);
                src = request->get_destination(request);
@@ -149,7 +149,7 @@ static chunk_t cookie_build(private_receiver_t *this, message_t *message,
        u_int64_t spi = message->get_initiator_spi(message);
        host_t *ip = message->get_source(message);
        chunk_t input, hash;
-       
+
        /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
        input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
                                          chunk_from_thing(t), secret);
@@ -167,18 +167,18 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
        u_int32_t t, now;
        chunk_t reference;
        chunk_t secret;
-       
+
        now = time_monotonic(NULL);
        t = *(u_int32_t*)cookie.ptr;
-       
+
        if (cookie.len != sizeof(u_int32_t) +
-                       this->hasher->get_hash_size(this->hasher) || 
+                       this->hasher->get_hash_size(this->hasher) ||
                t < now - this->secret_offset - COOKIE_LIFETIME)
        {
                DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
-               return FALSE;   
+               return FALSE;
        }
-       
+
        /* check if cookie is derived from old_secret */
        if (t + this->secret_offset > this->secret_switch)
        {
@@ -188,7 +188,7 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
        {
                secret = chunk_from_thing(this->secret_old);
        }
-       
+
        /* compare own calculation against received */
        reference = cookie_build(this, message, t, secret);
        if (chunk_equals(reference, cookie))
@@ -206,20 +206,20 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
 static bool cookie_required(private_receiver_t *this, message_t *message)
 {
        bool failed = FALSE;
-               
+
        if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
                                                                                                NULL) >= this->cookie_threshold)
        {
                /* check for a cookie. We don't use our parser here and do it
-                * quick and dirty for performance reasons. 
-                * we assume the cookie is the first payload (which is a MUST), and 
+                * quick and dirty for performance reasons.
+                * we assume the cookie is the first payload (which is a MUST), and
                 * the cookie's SPI length is zero. */
                packet_t *packet = message->get_packet(message);
                chunk_t data = packet->get_data(packet);
-               if (data.len < 
+               if (data.len <
                         IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
                         sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
-                       *(data.ptr + 16) != NOTIFY || 
+                       *(data.ptr + 16) != NOTIFY ||
                        *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
                {
                        /* no cookie found */
@@ -261,14 +261,14 @@ static job_requeue_t receive_packets(private_receiver_t *this)
        packet_t *packet;
        message_t *message;
        job_t *job;
-       
+
        /* read in a packet */
        if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
        {
                DBG2(DBG_NET, "receiving from socket failed!");
                return JOB_REQUEUE_FAIR;
        }
-       
+
        /* parse message header */
        message = message_create_from_packet(packet);
        if (message->parse_header(message) != SUCCESS)
@@ -278,18 +278,18 @@ static job_requeue_t receive_packets(private_receiver_t *this)
                message->destroy(message);
                return JOB_REQUEUE_DIRECT;
        }
-       
+
        /* check IKE major version */
        if (message->get_major_version(message) != IKE_MAJOR_VERSION)
        {
                DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
-                        "sending INVALID_MAJOR_VERSION", message->get_major_version(message), 
+                        "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
                         message->get_minor_version(message), packet->get_source(packet));
                send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
                message->destroy(message);
                return JOB_REQUEUE_DIRECT;
        }
-       
+
        if (message->get_request(message) &&
                message->get_exchange_type(message) == IKE_SA_INIT)
        {
@@ -299,7 +299,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
                        u_int32_t now = time_monotonic(NULL);
                        chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
                                                                                  chunk_from_thing(this->secret));
-                       
+
                        DBG2(DBG_NET, "received packet from: %#H to %#H",
                                 message->get_source(message),
                                 message->get_destination(message));
@@ -312,7 +312,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
                                /* create new cookie */
                                DBG1(DBG_NET, "generating new cookie secret after %d uses",
                                         this->secret_used);
-                               memcpy(this->secret_old, this->secret, SECRET_LENGTH);  
+                               memcpy(this->secret_old, this->secret, SECRET_LENGTH);
                                this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
                                this->secret_switch = now;
                                this->secret_used = 0;
@@ -320,7 +320,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
                        message->destroy(message);
                        return JOB_REQUEUE_DIRECT;
                }
-               
+
                /* check if peer has not too many IKE_SAs half open */
                if (this->block_threshold && peer_to_aggressive(this, message))
                {
@@ -353,9 +353,9 @@ receiver_t *receiver_create()
 {
        private_receiver_t *this = malloc_thing(private_receiver_t);
        u_int32_t now = time_monotonic(NULL);
-       
+
        this->public.destroy = (void(*)(receiver_t*)) destroy;
-       
+
        this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
        if (this->hasher == NULL)
        {
@@ -385,11 +385,11 @@ receiver_t *receiver_create()
                this->cookie_threshold = 0;
                this->block_threshold = 0;
        }
-       
+
        this->job = callback_job_create((callback_job_cb_t)receive_packets,
                                                                        this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        return &this->public;
 }
 
index 87797634e64468c96e89e8ac66694a5d963ab85f..d4187cc66c6bf2aa0eaf005c10f66c1c46e40076 100644 (file)
@@ -29,7 +29,7 @@ typedef struct receiver_t receiver_t;
 
 /**
  * Receives packets from the socket and adds them to the job queue.
- * 
+ *
  * The receiver starts a thread, wich reads on the blocking socket. A received
  * packet is preparsed and a process_message_job is queued in the job queue.
  *
@@ -45,12 +45,12 @@ typedef struct receiver_t receiver_t;
  *
  * The secret is changed after a certain amount of cookies sent. The old
  * secret is stored to allow a clean migration between secret changes.
- * 
+ *
  * Further, the number of half-initiated IKE_SAs is limited per peer. This
  * mades it impossible for a peer to flood the server with its real IP address.
  */
 struct receiver_t {
-       
+
        /**
         * Destroys a receiver_t object.
         */
@@ -59,10 +59,10 @@ struct receiver_t {
 
 /**
  * Create a receiver_t object.
- * 
+ *
  * The receiver thread will start working, get data
  * from the socket and add those packets to the job queue.
- * 
+ *
  * @return     receiver_t object, NULL if initialization fails
  */
 receiver_t * receiver_create(void);
index 19f589115e6a97d9a458850c457ff7ef8f693897..402773f8906aa9dfea605c03f777a3cee812bbe6 100644 (file)
@@ -40,7 +40,7 @@ struct private_sender_t {
         * Sender threads job.
         */
        callback_job_t *job;
-        
+
        /**
         * The packets are stored in a linked list
         */
@@ -55,7 +55,7 @@ struct private_sender_t {
         * condvar to signal for packets added to list
         */
        condvar_t *got;
-       
+
        /**
         * condvar to signal for packets sent
         */
@@ -68,11 +68,11 @@ struct private_sender_t {
 static void send_(private_sender_t *this, packet_t *packet)
 {
        host_t *src, *dst;
-       
+
        src = packet->get_source(packet);
        dst = packet->get_destination(packet);
        DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
-       
+
        this->mutex->lock(this->mutex);
        this->list->insert_last(this->list, packet);
        this->got->signal(this->got);
@@ -86,23 +86,23 @@ static job_requeue_t send_packets(private_sender_t * this)
 {
        packet_t *packet;
        int oldstate;
-       
+
        this->mutex->lock(this->mutex);
        while (this->list->get_count(this->list) == 0)
        {
                /* add cleanup handler, wait for packet, remove cleanup handler */
                pthread_cleanup_push((void(*)(void*))this->mutex->unlock, this->mutex);
                pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-               
+
                this->got->wait(this->got, this->mutex);
-               
+
                pthread_setcancelstate(oldstate, NULL);
                pthread_cleanup_pop(0);
        }
        this->list->remove_first(this->list, (void**)&packet);
        this->sent->signal(this->sent);
        this->mutex->unlock(this->mutex);
-       
+
        charon->socket->send(charon->socket, packet);
        packet->destroy(packet);
        return JOB_REQUEUE_DIRECT;
@@ -134,19 +134,19 @@ static void destroy(private_sender_t *this)
 sender_t * sender_create()
 {
        private_sender_t *this = malloc_thing(private_sender_t);
-       
+
        this->public.send = (void(*)(sender_t*,packet_t*))send_;
        this->public.destroy = (void(*)(sender_t*)) destroy;
-       
+
        this->list = linked_list_create();
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
        this->got = condvar_create(CONDVAR_TYPE_DEFAULT);
        this->sent = condvar_create(CONDVAR_TYPE_DEFAULT);
-       
+
        this->job = callback_job_create((callback_job_cb_t)send_packets,
                                                                        this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        return &this->public;
 }
 
index 55f67af707b0a5d5693dfc5014c1f59665ecf114..0ac7755207346afda2e619c4caf2b8e1ad378044 100644 (file)
@@ -31,7 +31,7 @@ typedef struct sender_t sender_t;
  * Thread responsible for sending packets over the socket.
  */
 struct sender_t {
-       
+
        /**
         * Send a packet over the network.
         *
@@ -42,7 +42,7 @@ struct sender_t {
         * @param packet        packet to send
         */
        void (*send) (sender_t *this, packet_t *packet);
-       
+
        /**
         * Destroys a sender object.
         */
@@ -51,10 +51,10 @@ struct sender_t {
 
 /**
  * Create the sender thread.
- * 
+ *
  * The thread will start to work, getting packets
  * from its queue and sends them out.
- * 
+ *
  * @return             created sender object
  */
 sender_t * sender_create(void);
index 148be486c7a1b87cb99584dbfb3c4fcafdff58d1..18b31d637c9fa82372eccf741c0eb96c7b9d8c6c 100644 (file)
@@ -85,12 +85,12 @@ struct private_socket_t{
          * port used for nat-t
          */
         int natt_port;
-        
+
         /**
          * raw receiver socket for IPv4
          */
         int recv4;
-        
+
         /**
          * raw receiver socket for IPv6
          */
@@ -132,7 +132,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
        fd_set rfds;
 
        FD_ZERO(&rfds);
-       
+
        if (this->recv4)
        {
                FD_SET(this->recv4, &rfds);
@@ -141,9 +141,9 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
        {
                FD_SET(this->recv6, &rfds);
        }
-       
+
        DBG2(DBG_NET, "waiting for data on raw sockets");
-       
+
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
        if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0)
        {
@@ -151,14 +151,14 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                return FAILED;
        }
        pthread_setcancelstate(oldstate, NULL);
-       
+
        if (this->recv4 && FD_ISSET(this->recv4, &rfds))
        {
                /* IPv4 raw sockets return the IP header. We read src/dest
                 * information directly from the raw header */
                struct iphdr *ip;
                struct sockaddr_in src, dst;
-               
+
                bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
                if (bytes_read < 0)
                {
@@ -166,7 +166,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                        return FAILED;
                }
                DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
-               
+
                /* read source/dest from raw IP/UDP header */
                if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
                {
@@ -184,13 +184,13 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                dst.sin_port = udp->dest;
                source = host_create_from_sockaddr((sockaddr_t*)&src);
                dest = host_create_from_sockaddr((sockaddr_t*)&dst);
-               
+
                pkt = packet_create();
                pkt->set_source(pkt, source);
                pkt->set_destination(pkt, dest);
                DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
                data_offset = IP_LEN + UDP_LEN;
-               /* remove non esp marker */     
+               /* remove non esp marker */
                if (dest->get_port(dest) == IKEV2_NATT_PORT)
                {
                        data_offset += MARKER_LEN;
@@ -210,7 +210,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                struct sockaddr_in6 src, dst;
                struct iovec iov;
                char ancillary[64];
-               
+
                msg.msg_name = &src;
                msg.msg_namelen = sizeof(src);
                iov.iov_base = buffer;
@@ -220,7 +220,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                msg.msg_control = ancillary;
                msg.msg_controllen = sizeof(ancillary);
                msg.msg_flags = 0;
-               
+
                bytes_read = recvmsg(this->recv6, &msg, 0);
                if (bytes_read < 0)
                {
@@ -228,14 +228,14 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                        return FAILED;
                }
                DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
-               
+
                if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
                {
                        DBG3(DBG_NET, "received IPv6 packet too short (%d bytes)",
                                 bytes_read);
                        return FAILED;
                }
-               
+
                /* read ancillary data to get destination address */
                for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
                         cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
@@ -244,13 +244,13 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                        {
                                DBG1(DBG_NET, "error reading IPv6 ancillary data");
                                return FAILED;
-                       }       
+                       }
                        if (cmsgptr->cmsg_level == SOL_IPV6 &&
                                cmsgptr->cmsg_type == IPV6_2292PKTINFO)
                        {
                                struct in6_pktinfo *pktinfo;
                                pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
-                               
+
                                memset(&dst, 0, sizeof(dst));
                                memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
                                dst.sin6_family = AF_INET6;
@@ -266,15 +266,15 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                        DBG1(DBG_NET, "error reading IPv6 packet header");
                        return FAILED;
                }
-               
+
                source = host_create_from_sockaddr((sockaddr_t*)&src);
-               
+
                pkt = packet_create();
                pkt->set_source(pkt, source);
                pkt->set_destination(pkt, dest);
                DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
                data_offset = UDP_LEN;
-               /* remove non esp marker */     
+               /* remove non esp marker */
                if (dest->get_port(dest) == IKEV2_NATT_PORT)
                {
                        data_offset += MARKER_LEN;
@@ -290,7 +290,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                /* oops, shouldn't happen */
                return FAILED;
        }
-       
+
        /* return packet */
        *packet = pkt;
        return SUCCESS;
@@ -308,13 +308,13 @@ status_t sender(private_socket_t *this, packet_t *packet)
        struct msghdr msg;
        struct cmsghdr *cmsg;
        struct iovec iov;
-       
+
        src = packet->get_source(packet);
        dst = packet->get_destination(packet);
        data = packet->get_data(packet);
 
        DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
-       
+
        /* send data */
        sport = src->get_port(src);
        family = dst->get_family(dst);
@@ -362,7 +362,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
                DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
                return FAILED;
        }
-       
+
        memset(&msg, 0, sizeof(struct msghdr));
        msg.msg_name = dst->get_sockaddr(dst);;
        msg.msg_namelen = *dst->get_sockaddr_len(dst);
@@ -371,7 +371,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
        msg.msg_iov = &iov;
        msg.msg_iovlen = 1;
        msg.msg_flags = 0;
-       
+
        if (!src->is_anyaddr(src))
        {
                if (family == AF_INET)
@@ -379,7 +379,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
                        char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
                        struct in_pktinfo *pktinfo;
                        struct sockaddr_in *sin;
-                       
+
                        msg.msg_control = buf;
                        msg.msg_controllen = sizeof(buf);
                        cmsg = CMSG_FIRSTHDR(&msg);
@@ -396,7 +396,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
                        char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
                        struct in6_pktinfo *pktinfo;
                        struct sockaddr_in6 *sin;
-                       
+
                        msg.msg_control = buf;
                        msg.msg_controllen = sizeof(buf);
                        cmsg = CMSG_FIRSTHDR(&msg);
@@ -409,7 +409,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
                        memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
                }
        }
-       
+
        bytes_sent = sendmsg(skt, &msg, 0);
 
        if (bytes_sent != data.len)
@@ -430,7 +430,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
        struct sockaddr_storage addr;
        u_int sol;
        int skt;
-       
+
        memset(&addr, 0, sizeof(addr));
        /* precalculate constants depending on address family */
        switch (family)
@@ -456,14 +456,14 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
                default:
                        return 0;
        }
-       
+
        skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
        if (skt < 0)
        {
                DBG1(DBG_NET, "could not open send socket: %s", strerror(errno));
                return 0;
        }
-       
+
        if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
        {
                DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %s",
@@ -471,7 +471,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
                close(skt);
                return 0;
        }
-       
+
        /* bind the send socket */
        if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        {
@@ -480,7 +480,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
                close(skt);
                return 0;
        }
-       
+
        if (family == AF_INET)
        {
                /* enable UDP decapsulation globally, only for one socket needed */
@@ -490,7 +490,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
                                 strerror(errno));
                }
        }
-       
+
        return skt;
 }
 
@@ -502,7 +502,7 @@ static int open_recv_socket(private_socket_t *this, int family)
        int skt;
        int on = TRUE;
        u_int proto_offset, ip_len, sol, udp_header, ike_header;
-       
+
        /* precalculate constants depending on address family */
        switch (family)
        {
@@ -521,7 +521,7 @@ static int open_recv_socket(private_socket_t *this, int family)
        }
        udp_header = ip_len;
        ike_header = ip_len + UDP_LEN;
-       
+
        /* This filter code filters out all non-IKEv2 traffic on
         * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
         * IKE versions is done in pluto.
@@ -560,7 +560,7 @@ static int open_recv_socket(private_socket_t *this, int family)
                sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
                ikev2_filter_code
        };
-       
+
        /* set up a raw socket */
        skt = socket(family, SOCK_RAW, IPPROTO_UDP);
        if (skt < 0)
@@ -568,7 +568,7 @@ static int open_recv_socket(private_socket_t *this, int family)
                DBG1(DBG_NET, "unable to create raw socket: %s", strerror(errno));
                return 0;
        }
-       
+
        if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
                                   &ikev2_filter, sizeof(ikev2_filter)) < 0)
        {
@@ -577,7 +577,7 @@ static int open_recv_socket(private_socket_t *this, int family)
                close(skt);
                return 0;
        }
-       
+
        if (family == AF_INET6 &&
                /* we use IPV6_2292PKTINFO, as IPV6_PKTINFO is defined as
                 * 2 or 50 depending on kernel header version */
@@ -588,7 +588,7 @@ static int open_recv_socket(private_socket_t *this, int family)
                close(skt);
                return 0;
        }
-       
+
        return skt;
 }
 
@@ -621,7 +621,7 @@ static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port
                { offsetof(private_socket_t, send4_natt), AF_INET, IKEV2_NATT_PORT },
                { offsetof(private_socket_t, send6_natt), AF_INET6, IKEV2_NATT_PORT }
        };
-       
+
        while(++this->index < countof(sockets))
        {
                int sock = *(int*)((char*)this->socket + sockets[this->index].fd_offset);
@@ -643,7 +643,7 @@ static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port
 static enumerator_t *create_enumerator(private_socket_t *this)
 {
        socket_enumerator_t *enumerator;
-       
+
        enumerator = malloc_thing(socket_enumerator_t);
        enumerator->index = -1;
        enumerator->socket = this;
@@ -690,20 +690,20 @@ static void destroy(private_socket_t *this)
 socket_t *socket_create()
 {
        private_socket_t *this = malloc_thing(private_socket_t);
-       
+
        /* public functions */
        this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
        this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
        this->public.create_enumerator = (enumerator_t*(*)(socket_t*))create_enumerator;
        this->public.destroy = (void(*)(socket_t*)) destroy;
-       
+
        this->recv4 = 0;
        this->recv6 = 0;
        this->send4 = 0;
        this->send6 = 0;
        this->send4_natt = 0;
        this->send6_natt = 0;
-       
+
        this->recv4 = open_recv_socket(this, AF_INET);
        if (this->recv4 == 0)
        {
@@ -726,7 +726,7 @@ socket_t *socket_create()
                        }
                }
        }
-       
+
        this->recv6 = open_recv_socket(this, AF_INET6);
        if (this->recv6 == 0)
        {
@@ -749,13 +749,13 @@ socket_t *socket_create()
                        }
                }
        }
-       
+
        if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6))
        {
                DBG1(DBG_NET, "could not create any sockets");
                destroy(this);
                charon->kill(charon, "socket initialization failed");
        }
-       
+
        return (socket_t*)this;
 }
index 97c88be790a08a9baa049c1bf98c6671d24243fe..ab276aedc51e58eaf93e5da6d2ccb1f5b7754562 100644 (file)
@@ -86,22 +86,22 @@ struct private_socket_t {
         * public functions
         */
        socket_t public;
-       
+
        /**
         * IPv4 socket (500)
         */
        int ipv4;
-        
+
        /**
         * IPv4 socket for NATT (4500)
         */
        int ipv4_natt;
-       
+
        /**
         * IPv6 socket (500)
         */
        int ipv6;
-       
+
        /**
         * IPv6 socket for NATT (4500)
         */
@@ -122,9 +122,9 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
        fd_set rfds;
        int max_fd = 0, selected = 0;
        u_int16_t port = 0;
-       
+
        FD_ZERO(&rfds);
-       
+
        if (this->ipv4)
        {
                FD_SET(this->ipv4, &rfds);
@@ -142,7 +142,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                FD_SET(this->ipv6_natt, &rfds);
        }
        max_fd = max(max(this->ipv4, this->ipv4_natt), max(this->ipv6, this->ipv6_natt));
-       
+
        DBG2(DBG_NET, "waiting for data on sockets");
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
        if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
@@ -151,7 +151,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                return FAILED;
        }
        pthread_setcancelstate(oldstate, NULL);
-       
+
        if (FD_ISSET(this->ipv4, &rfds))
        {
                port = IKEV2_UDP_PORT;
@@ -182,7 +182,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                        struct sockaddr_in in4;
                        struct sockaddr_in6 in6;
                } src;
-               
+
                msg.msg_name = &src;
                msg.msg_namelen = sizeof(src);
                iov.iov_base = buffer;
@@ -199,14 +199,14 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                        return FAILED;
                }
                DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
-               
+
                if (bytes_read < MARKER_LEN)
                {
                        DBG3(DBG_NET, "received packet too short (%d bytes)",
                                 bytes_read);
                        return FAILED;
                }
-               
+
                /* read ancillary data to get destination address */
                for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
                         cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
@@ -216,14 +216,14 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                                DBG1(DBG_NET, "error reading ancillary data");
                                return FAILED;
                        }
-                       
+
                        if (cmsgptr->cmsg_level == SOL_IPV6 &&
                                cmsgptr->cmsg_type == IPV6_PKTINFO)
                        {
                                struct in6_pktinfo *pktinfo;
                                pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
                                struct sockaddr_in6 dst;
-                               
+
                                memset(&dst, 0, sizeof(dst));
                                memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
                                dst.sin6_family = AF_INET6;
@@ -252,7 +252,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
 #endif
                                memset(&dst, 0, sizeof(dst));
                                memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
-                               
+
                                dst.sin_family = AF_INET;
                                dst.sin_port = htons(port);
                                dest = host_create_from_sockaddr((sockaddr_t*)&dst);
@@ -268,13 +268,13 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                        return FAILED;
                }
                source = host_create_from_sockaddr((sockaddr_t*)&src);
-               
+
                pkt = packet_create();
                pkt->set_source(pkt, source);
                pkt->set_destination(pkt, dest);
                DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
                data_offset = 0;
-               /* remove non esp marker */     
+               /* remove non esp marker */
                if (dest->get_port(dest) == IKEV2_NATT_PORT)
                {
                        data_offset += MARKER_LEN;
@@ -307,13 +307,13 @@ status_t sender(private_socket_t *this, packet_t *packet)
        struct msghdr msg;
        struct cmsghdr *cmsg;
        struct iovec iov;
-       
+
        src = packet->get_source(packet);
        dst = packet->get_destination(packet);
        data = packet->get_data(packet);
 
        DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
-       
+
        /* send data */
        sport = src->get_port(src);
        family = dst->get_family(dst);
@@ -361,7 +361,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
                DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
                return FAILED;
        }
-       
+
        memset(&msg, 0, sizeof(struct msghdr));
        msg.msg_name = dst->get_sockaddr(dst);;
        msg.msg_namelen = *dst->get_sockaddr_len(dst);
@@ -370,7 +370,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
        msg.msg_iov = &iov;
        msg.msg_iovlen = 1;
        msg.msg_flags = 0;
-       
+
        if (!src->is_anyaddr(src))
        {
                if (family == AF_INET)
@@ -408,7 +408,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
                        char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
                        struct in6_pktinfo *pktinfo;
                        struct sockaddr_in6 *sin;
-                       
+
                        msg.msg_control = buf;
                        msg.msg_controllen = sizeof(buf);
                        cmsg = CMSG_FIRSTHDR(&msg);
@@ -421,7 +421,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
                        memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
                }
        }
-       
+
        bytes_sent = sendmsg(skt, &msg, 0);
 
        if (bytes_sent != data.len)
@@ -442,7 +442,7 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
        socklen_t addrlen;
        u_int sol, pktinfo = 0;
        int skt;
-       
+
        memset(&addr, 0, sizeof(addr));
        /* precalculate constants depending on address family */
        switch (family)
@@ -476,7 +476,7 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
                default:
                        return 0;
        }
-       
+
        skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
        if (skt < 0)
        {
@@ -489,7 +489,7 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
                close(skt);
                return 0;
        }
-       
+
        /* bind the socket */
        if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
        {
@@ -497,7 +497,7 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
                close(skt);
                return 0;
        }
-       
+
        /* get additional packet info on receive */
        if (pktinfo > 0)
        {
@@ -550,7 +550,7 @@ static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port
                { offsetof(private_socket_t, ipv4_natt), AF_INET, IKEV2_NATT_PORT },
                { offsetof(private_socket_t, ipv6_natt), AF_INET6, IKEV2_NATT_PORT }
        };
-       
+
        while(++this->index < countof(sockets))
        {
                int sock = *(int*)((char*)this->socket + sockets[this->index].fd_offset);
@@ -572,7 +572,7 @@ static bool enumerate(socket_enumerator_t *this, int *fd, int *family, int *port
 static enumerator_t *create_enumerator(private_socket_t *this)
 {
        socket_enumerator_t *enumerator;
-       
+
        enumerator = malloc_thing(socket_enumerator_t);
        enumerator->index = -1;
        enumerator->socket = this;
@@ -617,7 +617,7 @@ socket_t *socket_create()
        this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
        this->public.create_enumerator = (enumerator_t*(*)(socket_t*))create_enumerator;
        this->public.destroy = (void(*)(socket_t*)) destroy;
-       
+
        this->ipv4 = 0;
        this->ipv6 = 0;
        this->ipv4_natt = 0;
@@ -634,7 +634,7 @@ socket_t *socket_create()
                }
        }
 #endif
-       
+
        this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
        if (this->ipv4 == 0)
        {
@@ -648,7 +648,7 @@ socket_t *socket_create()
                        DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
                }
        }
-       
+
        this->ipv6 = open_socket(this, AF_INET6, IKEV2_UDP_PORT);
        if (this->ipv6 == 0)
        {
@@ -662,13 +662,13 @@ socket_t *socket_create()
                        DBG1(DBG_NET, "could not open IPv6 NAT-T socket");
                }
        }
-       
+
        if (!this->ipv4 && !this->ipv6)
        {
                DBG1(DBG_NET, "could not create any sockets");
                destroy(this);
                charon->kill(charon, "socket initialization failed");
-       }       
+       }
        return (socket_t*)this;
 }
 
index 81f2ec5fe56f43714803da0e7965f9220d789141..83bb9d4c94695bc867540f5b487c51d695554ec2 100644 (file)
@@ -44,48 +44,48 @@ typedef struct socket_t socket_t;
  * All available sockets are bound and the receive function
  * reads from them. There are actually two implementations:
  * The first uses raw sockets to allow binding of other daemons (pluto) to
- * UDP/500. An installed "Linux socket filter" filters out all non-IKEv2 
- * traffic and handles just IKEv2 messages. An other daemon (pluto) must 
- * handle all traffic separately, e.g. ignore IKEv2 traffic, since charon 
+ * UDP/500. An installed "Linux socket filter" filters out all non-IKEv2
+ * traffic and handles just IKEv2 messages. An other daemon (pluto) must
+ * handle all traffic separately, e.g. ignore IKEv2 traffic, since charon
  * handles that.
  * The other implementation uses normal sockets and is built if
  * --disable-pluto is given to the configure script.
  */
 struct socket_t {
-       
+
        /**
         * Receive a packet.
-        * 
+        *
         * Reads a packet from the socket and sets source/dest
         * appropriately.
-        * 
+        *
         * @param packet                pinter gets address from allocated packet_t
-        * @return                              
+        * @return
         *                                              - SUCCESS when packet successfully received
         *                                              - FAILED when unable to receive
         */
        status_t (*receive) (socket_t *this, packet_t **packet);
-       
+
        /**
         * Send a packet.
-        * 
+        *
         * Sends a packet to the net using source and destination addresses of
         * the packet.
-        * 
+        *
         * @param packet                packet_t to send
-        * @return                              
+        * @return
         *                                              - SUCCESS when packet successfully sent
         *                                              - FAILED when unable to send
         */
        status_t (*send) (socket_t *this, packet_t *packet);
-       
+
        /**
         * Enumerate all underlying socket file descriptors.
-        * 
+        *
         * @return                              enumerator over (int fd, int family, int port)
         */
        enumerator_t *(*create_enumerator) (socket_t *this);
-       
+
        /**
         * Destroy socket.
         */
index 9d553231063c3a25a444bb4ae86b88bd57b4d567..a3e83fe61bca6b5dcbc9a1be8f2aff6d475a3b15 100644 (file)
@@ -24,12 +24,12 @@ typedef struct private_attr_plugin_t private_attr_plugin_t;
  * private data of attr plugin
  */
 struct private_attr_plugin_t {
-       
+
        /**
         * implements plugin interface
         */
        attr_plugin_t public;
-       
+
        /**
         * CFG attributes provider
         */
@@ -52,12 +52,12 @@ static void destroy(private_attr_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        this->provider = attr_provider_create();
        charon->attributes->add_provider(charon->attributes, &this->provider->provider);
-       
+
        return &this->public.plugin;
 }
 
index 9cbbd8bf563f7b218cbe3413c62109a67bc4e35f..9f31b60e18ad0fdc21e263310dbc22e2fa73658c 100644 (file)
@@ -32,7 +32,7 @@ typedef struct attr_plugin_t attr_plugin_t;
  * Plugin providing configuration attribute through strongswan.conf.
  */
 struct attr_plugin_t {
-       
+
        /**
         * implements plugin interface
         */
index 02fa11327c96cf786972d678a96d41cd97c8c732..88c5ed4c02666a13cf29dea512cddc15342bf09d 100644 (file)
@@ -28,12 +28,12 @@ typedef struct attribute_entry_t attribute_entry_t;
  * private data of attr_provider
  */
 struct private_attr_provider_t {
-       
+
        /**
         * public functions
         */
        attr_provider_t public;
-       
+
        /**
         * List of attributes, attribute_entry_t
         */
@@ -75,7 +75,7 @@ static enumerator_t* create_attribute_enumerator(
 static void destroy(private_attr_provider_t *this)
 {
        attribute_entry_t *entry;
-       
+
        while (this->attributes->remove_last(this->attributes,
                                                                                 (void**)&entry) == SUCCESS)
        {
@@ -95,7 +95,7 @@ static void add_entry(private_attr_provider_t *this, char *key, int nr,
        attribute_entry_t *entry;
        host_t *host;
        char *str;
-       
+
        str = lib->settings->get_str(lib->settings, "charon.%s%d", NULL, key, nr);
        if (str)
        {
@@ -103,7 +103,7 @@ static void add_entry(private_attr_provider_t *this, char *key, int nr,
                if (host)
                {
                        entry = malloc_thing(attribute_entry_t);
-                       
+
                        if (host->get_family(host) == AF_INET6)
                        {
                                switch (type)
@@ -133,22 +133,22 @@ attr_provider_t *attr_provider_create(database_t *db)
 {
        private_attr_provider_t *this;
        int i;
-       
+
        this = malloc_thing(private_attr_provider_t);
-       
+
        this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null;
        this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false;
        this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))create_attribute_enumerator;
        this->public.destroy = (void(*)(attr_provider_t*))destroy;
-       
+
        this->attributes = linked_list_create();
-       
+
        for (i = 1; i <= SERVER_MAX; i++)
        {
                add_entry(this, "dns", i, INTERNAL_IP4_DNS);
                add_entry(this, "nbns", i, INTERNAL_IP4_NBNS);
        }
-       
+
        return &this->public;
 }
 
index 03cbadb4e2310c0ea54ddbff8defba5bac173211..e867f2b20bb1354588059e2ed17479bec8b2d387 100644 (file)
@@ -29,12 +29,12 @@ typedef struct attr_provider_t attr_provider_t;
  * Provide configuration attributes through static strongswan.conf definition.
  */
 struct attr_provider_t {
-       
+
        /**
         * Implements attribute provider interface
         */
        attribute_provider_t provider;
-       
+
        /**
         * Destroy a attr_provider instance.
         */
index ebef744049f91d16f179b0f3ce6a9f0d197298be..0b85428f978d792a76308f1e9fbbad8c445038a5 100644 (file)
@@ -178,72 +178,72 @@ typedef struct private_eap_aka_t private_eap_aka_t;
  * Private data of an eap_aka_t object.
  */
 struct private_eap_aka_t {
-       
+
        /**
         * Public authenticator_t interface.
         */
        eap_aka_t public;
-       
+
        /**
         * ID of the server
         */
        identification_t *server;
-       
+
        /**
         * ID of the peer
         */
        identification_t *peer;
-       
+
        /**
         * SHA11 hasher
         */
        hasher_t *sha1;
-       
+
        /**
         * MAC function used in EAP-AKA
         */
        signer_t *signer;
-       
+
        /**
         * pseudo random function used in EAP-aka
         */
        prf_t *prf;
-       
+
        /**
         * Special keyed SHA1 hasher used in EAP-AKA, implemented as PRF
         */
        prf_t *keyed_prf;
-       
+
        /**
         * Key for EAP MAC
         */
        chunk_t k_auth;
-       
+
        /**
         * Key for EAP encryption
         */
        chunk_t k_encr;
-       
+
        /**
         * MSK
         */
        chunk_t msk;
-       
+
        /**
         * Extendend MSK
         */
        chunk_t emsk;
-       
+
        /**
         * Expected result from client XRES
         */
        chunk_t xres;
-       
+
        /**
         * Shared secret K from ipsec.conf (padded)
         */
        chunk_t k;
-       
+
        /**
         * random value RAND generated by server
         */
@@ -270,7 +270,7 @@ static chunk_t peer_sqn = chunk_from_buf(peer_sqn_buf);
 static void update_sqn(u_int8_t *sqn, time_t offset)
 {
        timeval_t time;
-       
+
        time_monotonic(&time);
        /* set sqb_sqn to an integer containing seconds followed by most
         * significant useconds */
@@ -322,7 +322,7 @@ static void mpz_mul_poly(mpz_t r, mpz_t a, mpz_t b)
 {
        mpz_t bm, rm;
        int current = 0, shifted = 0, shift;
-       
+
        mpz_init_set(bm, b);
        mpz_init_set_ui(rm, 0);
        /* scan through a, for each found bit: */
@@ -335,7 +335,7 @@ static void mpz_mul_poly(mpz_t r, mpz_t a, mpz_t b)
                mpz_xor(rm, rm, bm);
                current++;
        }
-       
+
        mpz_swap(r, rm);
        mpz_clear(rm);
        mpz_clear(bm);
@@ -361,13 +361,13 @@ static void mpz_mod_poly(mpz_t r, mpz_t a, mpz_t b)
         */
        int a_bit, b_bit, diff;
        mpz_t bm, am;
-       
+
        mpz_init_set(am, a);
        mpz_init(bm);
-       
+
        a_bit = mpz_sizeinbase(a, 2);
        b_bit = mpz_sizeinbase(b, 2);
-       
+
        /* don't do anything if b > a */
        if (a_bit >= b_bit)
        {
@@ -397,7 +397,7 @@ static void mpz_mod_poly(mpz_t r, mpz_t a, mpz_t b)
         * a = 00000010
         * which is the polynomial modulo
         */
-       
+
        mpz_swap(r, am);
        mpz_clear(am);
        mpz_clear(bm);
@@ -410,12 +410,12 @@ static void mpz_mod_poly(mpz_t r, mpz_t a, mpz_t b)
 static void step4(private_eap_aka_t *this, u_int8_t x[])
 {
        mpz_t xm, am, bm, gm;
-       
+
        mpz_init(xm);
        mpz_init(am);
        mpz_init(bm);
        mpz_init(gm);
-       
+
        mpz_import(xm, HASH_SIZE_SHA1, 1, 1, 1, 0, x);
        mpz_import(am, sizeof(a), 1, 1, 1, 0, a);
        mpz_import(bm, sizeof(b), 1, 1, 1, 0, b);
@@ -424,9 +424,9 @@ static void step4(private_eap_aka_t *this, u_int8_t x[])
        mpz_mul_poly(xm, am, xm);
        mpz_add_poly(xm, bm, xm);
        mpz_mod_poly(xm, xm, gm);
-       
+
        mpz_export(x, NULL, 1, HASH_SIZE_SHA1, 1, 0, xm);
-       
+
        mpz_clear(xm);
        mpz_clear(am);
        mpz_clear(bm);
@@ -441,7 +441,7 @@ static void step3(private_eap_aka_t *this,
                                  chunk_t k, chunk_t payload, u_int8_t h[])
 {
        u_int8_t buf[64];
-       
+
        if (payload.len < sizeof(buf))
        {
                /* pad c with zeros */
@@ -455,7 +455,7 @@ static void step3(private_eap_aka_t *this,
                /* not more than 512 bits can be G()-ed */
                payload.len = sizeof(buf);
        }
-       
+
        /* use the keyed hasher to build the hash */
        this->keyed_prf->set_key(this->keyed_prf, k);
        this->keyed_prf->get_bytes(this->keyed_prf, payload, h);
@@ -470,19 +470,19 @@ static void fx(private_eap_aka_t *this,
        chunk_t payload = chunk_alloca(PAYLOAD_LENGTH);
        u_int8_t h[HASH_SIZE_SHA1];
        u_int8_t i;
-       
+
        for (i = 0; i < 2; i++)
        {
                memset(payload.ptr, 0x5c, payload.len);
                payload.ptr[11] ^= f;
                memxor(payload.ptr + 12, fmk.ptr, fmk.len);
                memxor(payload.ptr + 24, rand.ptr, rand.len);
-               
+
                payload.ptr[3]  ^= i;
                payload.ptr[19] ^= i;
                payload.ptr[35] ^= i;
                payload.ptr[51] ^= i;
-               
+
                step3(this, k, payload, h);
                step4(this, h);
                memcpy(out + i * 8, h, 8);
@@ -502,14 +502,14 @@ static void f1x(private_eap_aka_t *this,
         */
        chunk_t payload = chunk_alloca(PAYLOAD_LENGTH);
        u_int8_t h[HASH_SIZE_SHA1];
-       
+
        memset(payload.ptr, 0x5c, PAYLOAD_LENGTH);
        payload.ptr[11] ^= f;
        memxor(payload.ptr + 12, fmk.ptr, fmk.len);
        memxor(payload.ptr + 16, rand.ptr, rand.len);
        memxor(payload.ptr + 34, sqn.ptr, sqn.len);
        memxor(payload.ptr + 42, amf.ptr, amf.len);
-       
+
        step3(this, k, payload, h);
        step4(this, h);
        memcpy(mac, h, MAC_LENGTH);
@@ -518,17 +518,17 @@ static void f1x(private_eap_aka_t *this,
 /**
  * Calculation function of f5() and f5star()
  */
-static void f5x(private_eap_aka_t *this, 
+static void f5x(private_eap_aka_t *this,
                                u_int8_t f, chunk_t k, chunk_t rand, u_int8_t ak[])
 {
        chunk_t payload = chunk_alloca(PAYLOAD_LENGTH);
        u_int8_t h[HASH_SIZE_SHA1];
-       
+
        memset(payload.ptr, 0x5c, payload.len);
        payload.ptr[11] ^= f;
        memxor(payload.ptr + 12, fmk.ptr, fmk.len);
        memxor(payload.ptr + 16, rand.ptr, rand.len);
-       
+
        step3(this, k, payload, h);
        step4(this, h);
        memcpy(ak, h, AK_LENGTH);
@@ -605,12 +605,12 @@ static void f5star(private_eap_aka_t *this, chunk_t k, chunk_t rand, u_int8_t ak
 static bool derive_keys(private_eap_aka_t *this, identification_t *id)
 {
        chunk_t ck, ik, mk, identity, tmp;
-       
+
        ck = chunk_alloca(CK_LENGTH);
        ik = chunk_alloca(IK_LENGTH);
        mk = chunk_alloca(MK_LENGTH);
        identity = id->get_encoding(id);
-       
+
        /* MK = SHA1( Identity | IK | CK ) */
        f3(this, this->k, this->rand, ck.ptr);
        f4(this, this->k, this->rand, ik.ptr);
@@ -618,7 +618,7 @@ static bool derive_keys(private_eap_aka_t *this, identification_t *id)
        tmp = chunk_cata("ccc", identity, ik, ck);
        DBG3(DBG_IKE, "Identity|IK|CK %B", &tmp);
        this->sha1->get_hash(this->sha1, tmp, mk.ptr);
-       
+
        /* K_encr | K_auth | MSK | EMSK = prf(0) | prf(0)
         * FIPS PRF has 320 bit block size, we need 160 byte for keys
         *  => run prf four times */
@@ -694,9 +694,9 @@ static aka_attribute_t read_attribute(chunk_t *data, chunk_t *attr_data)
 {
        aka_attribute_t attribute;
        size_t length;
-       
+
        DBG3(DBG_IKE, "reading attribute from %B", data);
-       
+
        if (data->len < 2)
        {
                return AT_END;
@@ -733,7 +733,7 @@ static eap_payload_t *build_aka_payload(private_eap_aka_t *this, eap_code_t code
        va_list args;
        aka_attribute_t attr;
        u_int8_t *mac_pos = NULL;
-       
+
        /* write EAP header, skip length bytes */
        *pos.ptr++ = code;
        *pos.ptr++ = identifier;
@@ -745,18 +745,18 @@ static eap_payload_t *build_aka_payload(private_eap_aka_t *this, eap_code_t code
        *pos.ptr++ = 0;
        *pos.ptr++ = 0;
        pos.len -= 4;
-       
+
        va_start(args, type);
        while ((attr = va_arg(args, aka_attribute_t)) != AT_END)
        {
                chunk_t data = va_arg(args, chunk_t);
-               
+
                DBG3(DBG_IKE, "building %N %B", aka_attribute_names, attr, &data);
-               
+
                /* write attribute header */
                *pos.ptr++ = attr;
                pos.len--;
-               
+
                switch (attr)
                {
                        case AT_RES:
@@ -804,11 +804,11 @@ static eap_payload_t *build_aka_payload(private_eap_aka_t *this, eap_code_t code
                }
        }
        va_end(args);
-       
+
        /* calculate message length, write into header */
        message.len = pos.ptr - message.ptr;
        *(u_int16_t*)(message.ptr + 2) = htons(message.len);
-       
+
        /* create MAC if AT_MAC attribte was included */
        if (mac_pos)
        {
@@ -818,10 +818,10 @@ static eap_payload_t *build_aka_payload(private_eap_aka_t *this, eap_code_t code
                this->signer->get_signature(this->signer, message, mac_pos);
                DBG3(DBG_IKE, "is %b", mac_pos, AT_MAC_LENGTH);
        }
-       
+
        /* payload constructor takes data with some bytes skipped */
        payload = eap_payload_create_data(message);
-       
+
        DBG3(DBG_IKE, "created EAP message %B", &message);
        return payload;
 }
@@ -832,7 +832,7 @@ static eap_payload_t *build_aka_payload(private_eap_aka_t *this, eap_code_t code
 static u_char get_identifier()
 {
        u_char id;
-       
+
        do {
                id = random();
        } while (!id);
@@ -847,12 +847,12 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
 {
        rng_t *rng;
        chunk_t mac, ak, autn;
-       
+
        mac = chunk_alloca(MAC_LENGTH);
        ak = chunk_alloca(AK_LENGTH);
        chunk_free(&this->rand);
        chunk_free(&this->xres);
-       
+
        /* generate RAND:
         * we use a registered RNG, not f0() proposed in S.S0055
         */
@@ -864,16 +864,16 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
        }
        rng->allocate_bytes(rng, RAND_LENGTH, &this->rand);
        rng->destroy(rng);
-       
+
 #      ifdef TEST_VECTORS
        /* Test vector for RAND */
        u_int8_t test_rand[] = {
                0x4b,0x05,0x2b,0x20,0xe2,0xa0,0x6c,0x8f,
                0xf7,0x00,0xda,0x51,0x2b,0x4e,0x11,0x1e,
        };
-       memcpy(this->rand.ptr, test_rand, this->rand.len); 
+       memcpy(this->rand.ptr, test_rand, this->rand.len);
 #      endif /* TEST_VECTORS */
-       
+
        /* Get the shared key K: */
        if (load_key(this->server, this->peer, &this->k) != SUCCESS)
        {
@@ -881,7 +881,7 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
                                "with EAP-AKA", this->server, this->peer);
                return FAILED;
        }
-       
+
 #      ifdef TEST_VECTORS
        /* Test vector for K */
        u_int8_t test_k[] = {
@@ -890,26 +890,26 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
        };
        memcpy(this->k.ptr, test_k, this->k.len);
 #      endif /* TEST_VECTORS */
-       
+
        /* generate MAC */
        f1(this, this->k, this->rand, sqn, amf, mac.ptr);
-       
+
        /* generate AK */
        f5(this, this->k, this->rand, ak.ptr);
-       
+
        /* precalculate XRES as expected from client */
        this->xres = chunk_alloc(RES_LENGTH);
        f2(this, this->k, this->rand, this->xres.ptr);
-       
+
        /* calculate AUTN = (SQN xor AK) || AMF || MAC */
        autn = chunk_cata("ccc", sqn, amf, mac);
        memxor(autn.ptr, ak.ptr, ak.len);
        DBG3(DBG_IKE, "AUTN %B", &autn);
-       
-       
+
+
        /* derive K_encr, K_auth, MSK, EMSK  */
        derive_keys(this, this->peer);
-       
+
        /* build payload */
        *out = build_aka_payload(this, EAP_REQUEST, get_identifier(), AKA_CHALLENGE,
                                                         AT_RAND, this->rand, AT_AUTN, autn, AT_MAC,
@@ -923,17 +923,17 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
 static status_t server_initiate(private_eap_aka_t *this, eap_payload_t **out)
 {
        chunk_t sqn = chunk_alloca(SQN_LENGTH);
-       
+
        /* we use an offset of 3 minutes to tolerate clock inaccuracy
         * without the need to synchronize sequence numbers */
        update_sqn(sqn.ptr, 180);
-       
+
 #      ifdef TEST_VECTORS
        /* Test vector for SQN */
        u_int8_t test_sqn[] = {0x00,0x00,0x00,0x00,0x00,0x01};
-       memcpy(sqn.ptr, test_sqn, sqn.len); 
+       memcpy(sqn.ptr, test_sqn, sqn.len);
 #      endif /* TEST_VECTORS */
-       
+
        return server_initiate_challenge(this, sqn, out);
 }
 
@@ -942,11 +942,11 @@ static status_t server_process_synchronize(private_eap_aka_t *this,
 {
        chunk_t attr, auts = chunk_empty, pos, message, macs, xmacs, sqn, aks, amf;
        u_int i;
-       
+
        message = in->get_data(in);
        pos = message;
        read_header(&pos);
-       
+
        /* iterate over attributes */
        while (TRUE)
        {
@@ -971,19 +971,19 @@ static status_t server_process_synchronize(private_eap_aka_t *this,
                }
                break;
        }
-       
+
        if (auts.len != AUTS_LENGTH)
        {
                DBG1(DBG_IKE, "synchronization request didn't contain useable AUTS");
                return FAILED;
        }
-       
+
        chunk_split(auts, "mm", SQN_LENGTH, &sqn, MAC_LENGTH, &macs);
        aks = chunk_alloca(AK_LENGTH);
        f5star(this, this->k, this->rand, aks.ptr);
        /* decrypt serial number by XORing AKS */
        memxor(sqn.ptr, aks.ptr, aks.len);
-       
+
        /* verify MACS */
        xmacs = chunk_alloca(MAC_LENGTH);
        amf = chunk_alloca(AMF_LENGTH);
@@ -996,7 +996,7 @@ static status_t server_process_synchronize(private_eap_aka_t *this,
                DBG3(DBG_IKE, "MACS %B XMACS %B", &macs, &xmacs);
                return FAILED;
        }
-       
+
        /* retry the challenge with the received SQN + 1*/
        for (i = SQN_LENGTH - 1; i >= 0; i--)
        {
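Review bot: The loop header `for (i = SQN_LENGTH - 1; i >= 0; i--)` can never fail its condition, because `i` is declared `u_int` at the top of server_process_synchronize, so `i >= 0` is always true. The loop body lies outside this hunk; if it stops at the first byte that does not carry, most values end the loop normally, but an SQN whose bytes are all 0xff would let `i` wrap to a very large value and index outside the SQN_LENGTH-byte chunk. That SQN is taken from the peer's AUTS, after the MACS check above. Declaring the index signed, `int i;`, or counting down as `for (i = SQN_LENGTH; i-- > 0; )`, keeps the increment inside the buffer.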
@@ -1014,11 +1014,11 @@ static status_t server_process_synchronize(private_eap_aka_t *this,
 static status_t server_process_challenge(private_eap_aka_t *this, eap_payload_t *in)
 {
        chunk_t attr, res = chunk_empty, at_mac = chunk_empty, pos, message;
-       
+
        message = in->get_data(in);
        pos = message;
        read_header(&pos);
-       
+
        /* iterate over attributes */
        while (TRUE)
        {
@@ -1055,7 +1055,7 @@ static status_t server_process_challenge(private_eap_aka_t *this, eap_payload_t
                }
                break;
        }
-       
+
        /* verify EAP message MAC AT_MAC */
        {
                this->signer->set_key(this->signer, this->k_auth);
@@ -1067,7 +1067,7 @@ static status_t server_process_challenge(private_eap_aka_t *this, eap_payload_t
                        return FAILED;
                }
        }
-       
+
        /* compare received RES against stored precalculated XRES */
        if (!chunk_equals(res, this->xres))
        {
@@ -1086,12 +1086,12 @@ static status_t server_process(private_eap_aka_t *this,
 {
        chunk_t message;
        aka_subtype_t type;
-       
+
        message = in->get_data(in);
        type = read_header(&message);
-       
+
        DBG3(DBG_IKE, "received EAP message %B",  &message);
-       
+
        switch (type)
        {
                case AKA_CHALLENGE:
@@ -1128,19 +1128,19 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
        chunk_t autn = chunk_empty, at_mac = chunk_empty;
        chunk_t ak, sqn, sqn_ak, mac, xmac, res, amf, message, pos;
        u_int8_t identifier;
-       
+
        ak = chunk_alloca(AK_LENGTH);
        xmac = chunk_alloca(MAC_LENGTH);
        res = chunk_alloca(RES_LENGTH);
        chunk_free(&this->rand);
-       
+
        message = in->get_data(in);
        pos = message;
        read_header(&pos);
        identifier = in->get_identifier(in);
-       
+
        DBG3(DBG_IKE, "reading attributes from %B", &pos);
-       
+
        /* iterate over attributes */
        while (TRUE)
        {
@@ -1178,7 +1178,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
                }
                break;
        }
-       
+
        if (this->rand.len != RAND_LENGTH || autn.len != AUTN_LENGTH)
        {
                /* required attributes wrong/not found, abort */
@@ -1188,11 +1188,11 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
                         aka_attribute_names, AT_CLIENT_ERROR_CODE, 0);
                return NEED_MORE;
        }
-       
+
        DBG3(DBG_IKE, "using autn %B", &autn);
        /* split up AUTN = SQN xor AK | AMF | MAC */
        chunk_split(autn, "mmm", SQN_LENGTH, &sqn_ak, AMF_LENGTH, &amf, MAC_LENGTH, &mac);
-       
+
        /* Get the shared key K: */
        chunk_free(&this->k);
        if (load_key(this->peer, this->server, &this->k) != SUCCESS)
@@ -1213,19 +1213,19 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
        };
        memcpy(this->k.ptr, test_k, this->k.len);
 #      endif /* TEST_VECTORS */
-       
+
        /* calculate anonymity key AK */
        f5(this, this->k, this->rand, ak.ptr);
        DBG3(DBG_IKE, "using rand %B", &this->rand);
        DBG3(DBG_IKE, "using ak %B", &ak);
        /* XOR AK into SQN to decrypt it */
-       
+
        sqn = chunk_clonea(sqn_ak);
-       
+
        DBG3(DBG_IKE, "using ak xor sqn %B", &sqn_ak);
        memxor(sqn.ptr, ak.ptr, sqn.len);
        DBG3(DBG_IKE, "using sqn %B", &sqn);
-       
+
        /* calculate expected MAC and compare against received one */
        f1(this, this->k, this->rand, sqn, amf, xmac.ptr);
        if (!chunk_equals(mac, xmac))
@@ -1243,13 +1243,13 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
        {
                /* sequence number invalid. send AUTS */
                chunk_t auts, macs, aks, amf;
-               
+
                macs = chunk_alloca(MAC_LENGTH);
                aks = chunk_alloca(AK_LENGTH);
                amf = chunk_alloca(AMF_LENGTH);
-               
+
                /* AMF is set to zero in AKA_SYNCHRONIZATION_FAILURE */
-               memset(amf.ptr, 0, amf.len);            
+               memset(amf.ptr, 0, amf.len);
                /* AKS = f5*(RAND) */
                f5star(this, this->k, this->rand, aks.ptr);
                /* MACS = f1*(RAND) */
@@ -1257,7 +1257,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
                /* AUTS = SQN xor AKS | MACS */
                memxor(aks.ptr, peer_sqn.ptr, aks.len);
                auts = chunk_cata("cc", aks, macs);
-               
+
                *out = build_aka_payload(this, EAP_RESPONSE, identifier,
                                                                 AKA_SYNCHRONIZATION_FAILURE,
                                                                 AT_AUTS, auts, AT_END);
@@ -1270,7 +1270,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
 
        /* derive K_encr, K_auth, MSK, EMSK  */
        derive_keys(this, this->peer);
-       
+
        /* verify EAP message MAC AT_MAC */
        DBG3(DBG_IKE, "verifying AT_MAC signature of %B", &message);
        DBG3(DBG_IKE, "using key %B", &this->k_auth);
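Review bot: `DBG3(DBG_IKE, "using key %B", &this->k_auth);` writes the derived K_auth to the log at the raw-dump level, so anyone who can read the daemon's debug output can compute AT_MAC values for this exchange. The hunk at -1213,19 does the same for AK and the decrypted SQN in peer_process_challenge. Key material is better kept out of level-3 output, for example by moving these statements to the private level: `DBG4(DBG_IKE, "using key %B", &this->k_auth);`. The function continues outside this hunk.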
@@ -1284,13 +1284,13 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
                         AT_CLIENT_ERROR_CODE, 0);
                return NEED_MORE;
        }
-       
+
        /* update stored SQN to the received one */
        memcpy(peer_sqn.ptr, sqn.ptr, sqn.len);
-       
+
        /* calculate RES */
        f2(this, this->k, this->rand, res.ptr);
-       
+
        /* build response */
        *out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CHALLENGE,
                                                         AT_RES, res, AT_MAC, chunk_empty, AT_END);
@@ -1305,14 +1305,14 @@ static status_t peer_process_notification(private_eap_aka_t *this,
 {
        chunk_t message, pos, attr;
        u_int8_t identifier;
-       
+
        message = in->get_data(in);
        pos = message;
        read_header(&pos);
        identifier = in->get_identifier(in);
-       
+
        DBG3(DBG_IKE, "reading attributes from %B", &pos);
-       
+
        /* iterate over attributes */
        while (TRUE)
        {
@@ -1324,7 +1324,7 @@ static status_t peer_process_notification(private_eap_aka_t *this,
                        case AT_NOTIFICATION:
                        {
                                u_int16_t code;
-                       
+
                                if (attr.len != 2)
                                {
                                        DBG1(DBG_IKE, "received invalid AKA notification, ignored");
@@ -1333,7 +1333,7 @@ static status_t peer_process_notification(private_eap_aka_t *this,
                                code = ntohs(*(u_int16_t*)attr.ptr);
                                switch (code)
                                {
-                                       case 0: 
+                                       case 0:
                                                DBG1(DBG_IKE, "received AKA notification 'general "
                                                         "failure after authentication' (%d)", code);
                                                return FAILED;
@@ -1387,13 +1387,13 @@ static status_t peer_process(private_eap_aka_t *this,
        aka_subtype_t type;
        chunk_t message;
        u_int8_t identifier;
-       
+
        message = in->get_data(in);
        type = read_header(&message);
        identifier = in->get_identifier(in);
-       
+
        DBG3(DBG_IKE, "received EAP message %B",  &message);
-       
+
        switch (type)
        {
                case AKA_CHALLENGE:
@@ -1483,14 +1483,14 @@ static private_eap_aka_t *eap_aka_create_generic(identification_t *server,
                                                                                                 identification_t *peer)
 {
        private_eap_aka_t *this = malloc_thing(private_eap_aka_t);
-       
+
        this->public.eap_method_interface.initiate = NULL;
        this->public.eap_method_interface.process = NULL;
        this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
        this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
        this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
        this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-       
+
        /* private data */
        this->server = server->clone(server);
        this->peer = peer->clone(peer);
@@ -1501,7 +1501,7 @@ static private_eap_aka_t *eap_aka_create_generic(identification_t *server,
        this->xres = chunk_empty;
        this->k = chunk_empty;
        this->rand = chunk_empty;
-       
+
        this->sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
        this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);
@@ -1526,7 +1526,7 @@ static private_eap_aka_t *eap_aka_create_generic(identification_t *server,
 eap_aka_t *eap_aka_create_server(identification_t *server, identification_t *peer)
 {
        private_eap_aka_t *this = eap_aka_create_generic(server, peer);
-       
+
        if (this)
        {
                this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))server_initiate;
@@ -1541,12 +1541,12 @@ eap_aka_t *eap_aka_create_server(identification_t *server, identification_t *pee
 eap_aka_t *eap_aka_create_peer(identification_t *server, identification_t *peer)
 {
        private_eap_aka_t *this = eap_aka_create_generic(server, peer);
-       
+
        if (this)
        {
                this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))peer_initiate;
                this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))peer_process;
        }
-       return (eap_aka_t*)this;                        
+       return (eap_aka_t*)this;
 }
 
index e4a5326fe5d5648dbb5c97d9664048bf62faae4c..20c249d6b5150dab8e56efe62d9b73a8d8ebe04d 100644 (file)
@@ -37,14 +37,14 @@ static void destroy(eap_aka_plugin_t *this)
 plugin_t *plugin_create()
 {
        eap_aka_plugin_t *this = malloc_thing(eap_aka_plugin_t);
-       
+
        this->plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_SERVER,
                                                        (eap_constructor_t)eap_aka_create_server);
        charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_PEER,
                                                        (eap_constructor_t)eap_aka_create_peer);
-       
+
        return &this->plugin;
 }
 
index cb4ab2e593fa678952daa49943b59a57b788389f..f5e08bb6b67afa62f3ad5899239cf5446ca1a2d6 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include "eap_gtc.h"
 
 #include <daemon.h>
@@ -30,22 +30,22 @@ typedef struct private_eap_gtc_t private_eap_gtc_t;
  * Private data of an eap_gtc_t object.
  */
 struct private_eap_gtc_t {
-       
+
        /**
         * Public authenticator_t interface.
         */
        eap_gtc_t public;
-       
+
        /**
         * ID of the server
         */
        identification_t *server;
-       
+
        /**
         * ID of the peer
         */
        identification_t *peer;
-       
+
        /**
         * EAP message identififier
         */
@@ -86,7 +86,7 @@ static int auth_conv(int num_msg, const struct pam_message **msg,
                         struct pam_response **resp, char *password)
 {
        struct pam_response *response;
-       
+
        if (num_msg != 1)
        {
                return PAM_CONV_ERR;
@@ -106,10 +106,10 @@ static bool authenticate(char *service, char *user, char *password)
     pam_handle_t *pamh = NULL;
        static struct pam_conv conv;
     int ret;
-       
+
        conv.conv = (void*)auth_conv;
        conv.appdata_ptr = password;
-       
+
        ret = pam_start(service, user, &conv, &pamh);
        if (ret != PAM_SUCCESS)
        {
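Review bot: `static struct pam_conv conv;` in authenticate() is shared by every caller, and `conv.appdata_ptr = password;` stores a per-call pointer into it just before `pam_start()`. If two EAP-GTC exchanges are processed on different threads (the threading model is not visible here), one call can overwrite the other's password pointer between the assignment and `pam_start()`. A user could then be checked against another session's password, or against a pointer into a stack frame that has already returned. A function-local `struct pam_conv conv = { .conv = (void*)auth_conv, .appdata_ptr = password };` avoids the shared state, provided the PAM handle is ended before authenticate() returns; the rest of the function is outside this hunk.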
@@ -143,7 +143,7 @@ static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out)
 {
        eap_gtc_header_t *req;
        size_t len;
-       
+
        len = strlen(GTC_REQUEST_MSG);
        req = alloca(sizeof(eap_gtc_header_t) + len);
        req->length = htons(sizeof(eap_gtc_header_t) + len);
@@ -151,7 +151,7 @@ static status_t initiate_server(private_eap_gtc_t *this, eap_payload_t **out)
        req->identifier = this->identifier;
        req->type = EAP_GTC;
        memcpy(req->data, GTC_REQUEST_MSG, len);
-       
+
        *out = eap_payload_create_data(chunk_create((void*)req,
                                                                   sizeof(eap_gtc_header_t) + len));
        return NEED_MORE;
@@ -178,7 +178,7 @@ static status_t process_peer(private_eap_gtc_t *this,
        }
        key = shared->get_key(shared);
        len = key.len;
-       
+
        /* TODO: According to the draft we should "SASLprep" password, RFC4013. */
 
        res = alloca(sizeof(eap_gtc_header_t) + len);
@@ -187,9 +187,9 @@ static status_t process_peer(private_eap_gtc_t *this,
        res->identifier = in->get_identifier(in);
        res->type = EAP_GTC;
        memcpy(res->data, key.ptr, len);
-       
+
        shared->destroy(shared);
-       
+
        *out = eap_payload_create_data(chunk_create((void*)res,
                                                                   sizeof(eap_gtc_header_t) + len));
        return NEED_MORE;
@@ -203,14 +203,14 @@ static status_t process_server(private_eap_gtc_t *this,
 {
        chunk_t data, encoding;
        char *user, *password, *service, *pos;
-       
+
        data = chunk_skip(in->get_data(in), 5);
        if (this->identifier != in->get_identifier(in) || !data.len)
        {
                DBG1(DBG_IKE, "received invalid EAP-GTC message");
                return FAILED;
        }
-       
+
        encoding = this->peer->get_encoding(this->peer);
        /* if a RFC822_ADDR id is provided, we use the username part only */
        pos = memchr(encoding.ptr, '@', encoding.len);
@@ -221,14 +221,14 @@ static status_t process_server(private_eap_gtc_t *this,
        user = alloca(encoding.len + 1);
        memcpy(user, encoding.ptr, encoding.len);
        user[encoding.len] = '\0';
-       
+
        password = alloca(data.len + 1);
        memcpy(password, data.ptr, data.len);
        password[data.len] = '\0';
-       
+
        service = lib->settings->get_str(lib->settings,
                                                "charon.plugins.eap_gtc.pam_service", GTC_PAM_SERVICE);
-       
+
        if (!authenticate(service, user, password))
        {
                return FAILED;
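Review bot: `password = alloca(data.len + 1);` sizes a stack allocation from the length of the received EAP-GTC message, and the cleartext password copied into it is not cleared in the lines shown. The size is bounded only by whatever the EAP/IKE layers allow, so a length check before the copy would make the stack use explicit, e.g. `if (data.len > GTC_MAX_PASSWORD /* placeholder limit */) return FAILED;`. Clearing the buffer once authenticate() returns limits how long the password stays in memory; a plain `memset` may be optimised out, so it needs a clearing routine the compiler cannot drop. process_server continues after this hunk, so any later cleanup is not visible here.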
@@ -278,19 +278,19 @@ static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server,
                                                                                                 identification_t *peer)
 {
        private_eap_gtc_t *this = malloc_thing(private_eap_gtc_t);
-       
+
        this->public.eap_method_interface.initiate = NULL;
        this->public.eap_method_interface.process = NULL;
        this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
        this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
        this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
        this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-       
+
        /* private data */
        this->peer = peer->clone(peer);
        this->server = server->clone(server);
        this->identifier = 0;
-       
+
        return this;
 }
 
@@ -300,7 +300,7 @@ static private_eap_gtc_t *eap_gtc_create_generic(identification_t *server,
 eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *peer)
 {
        private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
-       
+
        this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
        this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
 
@@ -318,7 +318,7 @@ eap_gtc_t *eap_gtc_create_server(identification_t *server, identification_t *pee
 eap_gtc_t *eap_gtc_create_peer(identification_t *server, identification_t *peer)
 {
        private_eap_gtc_t *this = eap_gtc_create_generic(server, peer);
-       
+
        this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
        this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
 
index fda6c744a7eb94774784f2b6feecd3a7861845de..8550c254c2d36a06b1e61b3cc8e1c4fa291266c8 100644 (file)
@@ -40,17 +40,17 @@ static void destroy(eap_gtc_plugin_t *this)
 plugin_t *plugin_create()
 {
        eap_gtc_plugin_t *this = malloc_thing(eap_gtc_plugin_t);
-       
+
        this->plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        /* required for PAM authentication */
        charon->keep_cap(charon, CAP_AUDIT_WRITE);
-       
+
        charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_SERVER,
                                                        (eap_constructor_t)eap_gtc_create_server);
        charon->eap->add_method(charon->eap, EAP_GTC, 0, EAP_PEER,
                                                        (eap_constructor_t)eap_gtc_create_peer);
-       
+
        return &this->plugin;
 }
 
index e43c50c506515f6579b4f65910d45b8b822d03ae..ab082a955d7bdb3ebdcc919b141844129f4e6043 100644 (file)
@@ -24,17 +24,17 @@ typedef struct private_eap_identity_t private_eap_identity_t;
  * Private data of an eap_identity_t object.
  */
 struct private_eap_identity_t {
-       
+
        /**
         * Public authenticator_t interface.
         */
        eap_identity_t public;
-       
+
        /**
         * ID of the peer
         */
        identification_t *peer;
-       
+
        /**
         * received identity chunk
         */
@@ -68,17 +68,17 @@ static status_t process_peer(private_eap_identity_t *this,
        chunk_t id;
        eap_identity_header_t *hdr;
        size_t len;
-       
+
        id = this->peer->get_encoding(this->peer);
        len = sizeof(eap_identity_header_t) + id.len;
-       
+
        hdr = alloca(len);
        hdr->code = EAP_RESPONSE;
        hdr->identifier = in->get_identifier(in);
        hdr->length = htons(len);
        hdr->type = EAP_IDENTITY;
        memcpy(hdr->data, id.ptr, id.len);
-       
+
        *out = eap_payload_create_data(chunk_create((u_char*)hdr, len));
        return SUCCESS;
 }
@@ -99,7 +99,7 @@ static status_t process_server(private_eap_identity_t *this,
                                                           eap_payload_t *in, eap_payload_t **out)
 {
        chunk_t data;
-       
+
        data = chunk_skip(in->get_data(in), 5);
        if (data.len)
        {
@@ -114,12 +114,12 @@ static status_t process_server(private_eap_identity_t *this,
 static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **out)
 {
        eap_identity_header_t hdr;
-       
+
        hdr.code = EAP_REQUEST;
        hdr.identifier = 0;
        hdr.length = htons(sizeof(eap_identity_header_t));
        hdr.type = EAP_IDENTITY;
-       
+
        *out = eap_payload_create_data(chunk_create((u_char*)&hdr,
                                                                                                sizeof(eap_identity_header_t)));
        return NEED_MORE;
@@ -172,17 +172,17 @@ static private_eap_identity_t *eap_identity_create(identification_t *server,
                                                                                                   identification_t *peer)
 {
        private_eap_identity_t *this = malloc_thing(private_eap_identity_t);
-       
+
        this->public.eap_method_interface.initiate = NULL;
        this->public.eap_method_interface.process = NULL;
        this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
        this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
        this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
        this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-       
+
        this->peer = peer->clone(peer);
        this->identity = chunk_empty;
-       
+
        return this;
 }
 
@@ -193,11 +193,11 @@ eap_identity_t *eap_identity_create_peer(identification_t *server,
                                                                                 identification_t *peer)
 {
        private_eap_identity_t *this = eap_identity_create(server, peer);
-       
+
        /* public functions */
        this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
        this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
-       
+
        return &this->public;
 }
 
@@ -208,11 +208,11 @@ eap_identity_t *eap_identity_create_server(identification_t *server,
                                                                                   identification_t *peer)
 {
        private_eap_identity_t *this = eap_identity_create(server, peer);
-       
+
        /* public functions */
        this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
        this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
-       
+
        return &this->public;
 }
 
index 809254ccbb2874784d68a940840dbe81532279f8..a623e195175ef0b741215e6793d521191514bf57 100644 (file)
@@ -37,14 +37,14 @@ static void destroy(eap_identity_plugin_t *this)
 plugin_t *plugin_create()
 {
        eap_identity_plugin_t *this = malloc_thing(eap_identity_plugin_t);
-       
+
        this->plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_SERVER,
                                                        (eap_constructor_t)eap_identity_create_server);
        charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_PEER,
                                                        (eap_constructor_t)eap_identity_create_peer);
-       
+
        return &this->plugin;
 }
 
index 36d72694757ce4e487805223472e3646739466c1..27c20489d48a417b969e2df217475bcef4d2ecbc 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include "eap_md5.h"
 
 #include <daemon.h>
@@ -25,27 +25,27 @@ typedef struct private_eap_md5_t private_eap_md5_t;
  * Private data of an eap_md5_t object.
  */
 struct private_eap_md5_t {
-       
+
        /**
         * Public authenticator_t interface.
         */
        eap_md5_t public;
-       
+
        /**
         * ID of the server
         */
        identification_t *server;
-       
+
        /**
         * ID of the peer
         */
        identification_t *peer;
-       
+
        /**
         * challenge sent by the server
         */
        chunk_t challenge;
-       
+
        /**
         * EAP message identififier
         */
@@ -79,7 +79,7 @@ struct eap_md5_header_t {
  * Hash the challenge string, create response
  */
 static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response)
-{      
+{
        shared_key_t *shared;
        chunk_t concat;
        hasher_t *hasher;
@@ -92,7 +92,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response)
                         this->server, this->peer);
                return NOT_FOUND;
        }
-       concat = chunk_cata("ccc", chunk_from_thing(this->identifier),  
+       concat = chunk_cata("ccc", chunk_from_thing(this->identifier),
                                                shared->get_key(shared), this->challenge);
        shared->destroy(shared);
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
@@ -122,7 +122,7 @@ static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
 {
        rng_t *rng;
        eap_md5_header_t *req;
-       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
        if (!rng)
        {
@@ -130,7 +130,7 @@ static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
        }
        rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
        rng->destroy(rng);
-       
+
        req = alloca(PAYLOAD_LEN);
        req->length = htons(PAYLOAD_LEN);
        req->code = EAP_REQUEST;
@@ -138,7 +138,7 @@ static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
        req->type = EAP_MD5;
        req->value_size = this->challenge.len;
        memcpy(req->value, this->challenge.ptr, this->challenge.len);
-       
+
        *out = eap_payload_create_data(chunk_create((void*)req, PAYLOAD_LEN));
        return NEED_MORE;
 }
@@ -152,7 +152,7 @@ static status_t process_peer(private_eap_md5_t *this,
        chunk_t response;
        chunk_t data;
        eap_md5_header_t *req;
-       
+
        this->identifier = in->get_identifier(in);
        data = in->get_data(in);
        this->challenge = chunk_clone(chunk_skip(data, 6));
@@ -173,7 +173,7 @@ static status_t process_peer(private_eap_md5_t *this,
        req->value_size = response.len;
        memcpy(req->value, response.ptr, response.len);
        chunk_free(&response);
-       
+
        *out = eap_payload_create_data(chunk_create((void*)req, PAYLOAD_LEN));
        return NEED_MORE;
 }
@@ -186,7 +186,7 @@ static status_t process_server(private_eap_md5_t *this,
 {
        chunk_t response, expected;
        chunk_t data;
-       
+
        if (this->identifier != in->get_identifier(in))
        {
                DBG1(DBG_IKE, "received invalid EAP-MD5 message");
@@ -198,7 +198,7 @@ static status_t process_server(private_eap_md5_t *this,
        }
        data = in->get_data(in);
        response = chunk_skip(data, 6);
-       
+
        if (response.len < expected.len ||
                !memeq(response.ptr, expected.ptr, expected.len))
        {
@@ -253,20 +253,20 @@ static private_eap_md5_t *eap_md5_create_generic(identification_t *server,
                                                                                                 identification_t *peer)
 {
        private_eap_md5_t *this = malloc_thing(private_eap_md5_t);
-       
+
        this->public.eap_method_interface.initiate = NULL;
        this->public.eap_method_interface.process = NULL;
        this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
        this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
        this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
        this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-       
+
        /* private data */
        this->peer = peer->clone(peer);
        this->server = server->clone(server);
        this->challenge = chunk_empty;
        this->identifier = 0;
-       
+
        return this;
 }
 
@@ -276,7 +276,7 @@ static private_eap_md5_t *eap_md5_create_generic(identification_t *server,
 eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *peer)
 {
        private_eap_md5_t *this = eap_md5_create_generic(server, peer);
-       
+
        this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
        this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
 
@@ -294,7 +294,7 @@ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *pee
 eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer)
 {
        private_eap_md5_t *this = eap_md5_create_generic(server, peer);
-       
+
        this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
        this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
 
index e30152fc580ec66d00e63190c58fb1bfdf220ac4..629255ebf73d26094594c0a6970e06b9c6392c29 100644 (file)
@@ -37,14 +37,14 @@ static void destroy(eap_md5_plugin_t *this)
 plugin_t *plugin_create()
 {
        eap_md5_plugin_t *this = malloc_thing(eap_md5_plugin_t);
-       
+
        this->plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_SERVER,
                                                        (eap_constructor_t)eap_md5_create_server);
        charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_PEER,
                                                        (eap_constructor_t)eap_md5_create_peer);
-       
+
        return &this->plugin;
 }
 
index 0e3fac780564f9ce3af75e70cd5cc8464617c475..26c6ffcb2c95ae4d15a700f029217f1ccdc6c290 100644 (file)
@@ -35,47 +35,47 @@ struct private_eap_mschapv2_t
         * Public authenticator_t interface.
         */
        eap_mschapv2_t public;
-       
+
        /**
         * ID of the server
         */
        identification_t *server;
-       
+
        /**
         * ID of the peer
         */
        identification_t *peer;
-       
+
        /**
         * challenge sent by the server
         */
        chunk_t challenge;
-       
+
        /**
         * generated NT-Response
         */
        chunk_t nt_response;
-       
+
        /**
         * generated Authenticator Response
         */
        chunk_t auth_response;
-       
+
        /**
         * generated MSK
         */
        chunk_t msk;
-       
+
        /**
         * EAP message identifier
         */
        u_int8_t identifier;
-       
+
        /**
         * MS-CHAPv2-ID (session ID, increases with each retry)
         */
        u_int8_t mschapv2id;
-       
+
        /**
         * Number of retries
         */
@@ -248,7 +248,7 @@ static chunk_t ExpandDESKey(chunk_t key)
        int i;
        u_char carry = 0;
        chunk_t expanded;
-       
+
        /* expand the 7 octets to 8 octets */
        expanded = chunk_alloc(8);
        for (i = 0; i < 7; i++)
@@ -257,7 +257,7 @@ static chunk_t ExpandDESKey(chunk_t key)
                carry = key.ptr[i] & ~bitmask[i];
        }
        expanded.ptr[7] = carry << 1;
-       
+
        /* add parity bits to each octet */
        for (i = 0; i < 8; i++)
        {
@@ -269,7 +269,7 @@ static chunk_t ExpandDESKey(chunk_t key)
 }
 
 /**
- * Calculate the NT password hash (i.e. hash the (unicode) password with MD4) 
+ * Calculate the NT password hash (i.e. hash the (unicode) password with MD4)
  */
 static status_t NtPasswordHash(chunk_t password, chunk_t *password_hash)
 {
@@ -287,7 +287,7 @@ static status_t NtPasswordHash(chunk_t password, chunk_t *password_hash)
 
 /**
  * Calculate the challenge hash (i.e. hash [peer_challenge | server_challenge |
- * username (without domain part)] with SHA1) 
+ * username (without domain part)] with SHA1)
  */
 static status_t ChallengeHash(chunk_t peer_challenge, chunk_t server_challenge,
                                                          chunk_t username, chunk_t *challenge_hash)
@@ -331,7 +331,7 @@ static status_t ChallengeResponse(chunk_t challenge_hash, chunk_t password_hash,
        memset(z_password_hash.ptr, 0, z_password_hash.len);
        memcpy(z_password_hash.ptr, password_hash.ptr, password_hash.len);
        chunk_split(z_password_hash, "mmm", 7, &keys[0], 7, &keys[1], 7, &keys[2]);
-       
+
        *response = chunk_alloc(24);
        for (i = 0; i < 3; i++)
        {
@@ -366,22 +366,22 @@ static status_t AuthenticatorResponse(chunk_t password_hash_hash,
                                  0x6E };
        static const chunk_t magic1 = chunk_from_buf(magic1_data);
        static const chunk_t magic2 = chunk_from_buf(magic2_data);
-       
+
        chunk_t digest = chunk_empty, concat;
        hasher_t *hasher;
-       
+
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (hasher == NULL)
        {
                DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
                return FAILED;
        }
-       
+
        concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
        hasher->allocate_hash(hasher, concat, &digest);
        concat = chunk_cata("ccc", digest, challenge_hash, magic2);
        hasher->allocate_hash(hasher, concat, response);
-       
+
        hasher->destroy(hasher);
        chunk_free(&digest);
        return SUCCESS;
@@ -433,31 +433,31 @@ static status_t GenerateMSK(chunk_t password_hash_hash,
        static const chunk_t shapad1 = chunk_from_buf(shapad1_data);
        static const chunk_t shapad2 = chunk_from_buf(shapad2_data);
        static const chunk_t keypad = { shapad1_data, 16 };
-       
+
        chunk_t concat, master_key, master_receive_key, master_send_key;
        hasher_t *hasher;
-       
+
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (hasher == NULL)
        {
                DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed, SHA1 not supported");
                return FAILED;
        }
-       
+
        concat = chunk_cata("ccc", password_hash_hash, nt_response, magic1);
        hasher->allocate_hash(hasher, concat, &master_key);
        master_key.len = 16;
-       
+
        concat = chunk_cata("cccc", master_key, shapad1, magic2, shapad2);
        hasher->allocate_hash(hasher, concat, &master_receive_key);
        master_receive_key.len = 16;
-       
+
        concat = chunk_cata("cccc", master_key, shapad1, magic3, shapad2);
        hasher->allocate_hash(hasher, concat, &master_send_key);
        master_send_key.len = 16;
-       
+
        *msk = chunk_cat("cccc", master_receive_key, master_send_key, keypad, keypad);
-       
+
        hasher->destroy(hasher);
        chunk_free(&master_key);
        chunk_free(&master_receive_key);
@@ -472,7 +472,7 @@ static status_t GenerateStuff(private_eap_mschapv2_t *this,
        status_t status = FAILED;
        chunk_t password_hash = chunk_empty, password_hash_hash = chunk_empty,
                        challenge_hash = chunk_empty;
-       
+
        if (NtPasswordHash(password, &password_hash) != SUCCESS)
        {
                goto error;
@@ -486,7 +486,7 @@ static status_t GenerateStuff(private_eap_mschapv2_t *this,
        {
                goto error;
        }
-       
+
        if (ChallengeResponse(challenge_hash, password_hash,
                                                  &this->nt_response) != SUCCESS)
        {
@@ -501,9 +501,9 @@ static status_t GenerateStuff(private_eap_mschapv2_t *this,
        {
                goto error;
        }
-       
+
        status = SUCCESS;
-       
+
 error:
        chunk_free(&password_hash);
        chunk_free(&password_hash_hash);
@@ -532,7 +532,7 @@ static chunk_t ascii_to_unicode(chunk_t ascii)
 static char* sanitize(char *str)
 {
        char *pos = str;
-       
+
        while (pos && *pos)
        {
                if (!isprint(*pos))
@@ -592,7 +592,7 @@ static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **ou
        eap_mschapv2_challenge_t *cha;
        const char *name = MSCHAPV2_HOST_NAME;
        u_int16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1;
-       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
        if (!rng)
        {
@@ -601,7 +601,7 @@ static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **ou
        }
        rng->allocate_bytes(rng, CHALLENGE_LEN, &this->challenge);
        rng->destroy(rng);
-       
+
        eap = alloca(len);
        eap->code = EAP_REQUEST;
        eap->identifier = this->identifier;
@@ -610,12 +610,12 @@ static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **ou
        eap->opcode = MSCHAPV2_CHALLENGE;
        eap->ms_chapv2_id = this->mschapv2id;
        set_ms_length(eap, len);
-       
+
        cha = (eap_mschapv2_challenge_t*)eap->data;
        cha->value_size = CHALLENGE_LEN;
        memcpy(cha->challenge, this->challenge.ptr, this->challenge.len);
        memcpy(cha->name, name, sizeof(MSCHAPV2_HOST_NAME) - 1);
-       
+
        *out = eap_payload_create_data(chunk_create((void*) eap, len));
        return NEED_MORE;
 }
@@ -634,29 +634,29 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
        shared_key_t *shared;
        chunk_t data, peer_challenge, username, password;
        u_int16_t len = RESPONSE_PAYLOAD_LEN;
-       
+
        data = in->get_data(in);
        eap = (eap_mschapv2_header_t*)data.ptr;
-       
+
        /* the name MUST be at least one octet long */
        if (data.len < CHALLENGE_PAYLOAD_LEN + 1)
        {
                DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
                return FAILED;
        }
-       
+
        cha = (eap_mschapv2_challenge_t*)eap->data;
-                       
+
        if (cha->value_size != CHALLENGE_LEN)
        {
                DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
                         "invalid challenge size");
                return FAILED;
        }
-                       
+
        this->mschapv2id = eap->ms_chapv2_id;
        this->challenge = chunk_clone(chunk_create(cha->challenge, CHALLENGE_LEN));
-                       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
        if (!rng)
        {
@@ -666,7 +666,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
        peer_challenge = chunk_alloca(CHALLENGE_LEN);
        rng->get_bytes(rng, CHALLENGE_LEN, peer_challenge.ptr);
        rng->destroy(rng);
-                       
+
        shared = charon->credentials->get_shared(charon->credentials,
                                                                                SHARED_EAP, this->peer, this->server);
        if (shared == NULL)
@@ -675,13 +675,13 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
                         this->server, this->peer);
                return NOT_FOUND;
        }
-       
+
        password = ascii_to_unicode(shared->get_key(shared));
        shared->destroy(shared);
-       
+
        username = extract_username(this->peer);
        len += username.len;
-                       
+
        if (GenerateStuff(this, this->challenge, peer_challenge, username, password) != SUCCESS)
        {
                DBG1(DBG_IKE, "EAP-MS-CHAPv2 generating NT-Response failed");
@@ -689,7 +689,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
                return FAILED;
        }
        chunk_clear(&password);
-                       
+
        eap = alloca(len);
        eap->code = EAP_RESPONSE;
        eap->identifier = this->identifier;
@@ -698,16 +698,16 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
        eap->opcode = MSCHAPV2_RESPONSE;
        eap->ms_chapv2_id = this->mschapv2id;
        set_ms_length(eap, len);
-       
+
        res = (eap_mschapv2_response_t*)eap->data;
        res->value_size = RESPONSE_LEN;
        memset(&res->response, 0, RESPONSE_LEN);
        memcpy(res->response.peer_challenge, peer_challenge.ptr, peer_challenge.len);
        memcpy(res->response.nt_response, this->nt_response.ptr, this->nt_response.len);
-       
+
        username = this->peer->get_encoding(this->peer);
        memcpy(res->name, username.ptr, username.len);
-       
+
        *out = eap_payload_create_data(chunk_create((void*) eap, len));
        return NEED_MORE;
 }
@@ -725,21 +725,21 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
        char *message, *token, *msg = NULL;
        int message_len;
        u_int16_t len = SHORT_HEADER_LEN;
-       
+
        data = in->get_data(in);
        eap = (eap_mschapv2_header_t*)data.ptr;
-       
+
        if (data.len < AUTH_RESPONSE_LEN)
        {
                DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
                return FAILED;
        }
-       
+
        message_len = data.len - HEADER_LEN;
        message = malloc(message_len + 1);
        memcpy(message, eap->data, message_len);
        message[message_len] = '\0';
-       
+
        /* S=<auth_string> M=<msg> */
        enumerator = enumerator_create_token(message, " ", " ");
        while (enumerator->enumerate(enumerator, &token))
@@ -764,32 +764,32 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
                }
        }
        enumerator->destroy(enumerator);
-                       
-       if (auth_string.ptr == NULL)    
+
+       if (auth_string.ptr == NULL)
        {
                DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
                         "auth string missing");
                goto error;
        }
-       
+
        if (!chunk_equals(this->auth_response, auth_string))
        {
                DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
                goto error;
        }
-       
+
        DBG1(DBG_IKE, "EAP-MS-CHAPv2 succeeded: '%s'", sanitize(msg));
-       
+
        eap = alloca(len);
        eap->code = EAP_RESPONSE;
        eap->identifier = this->identifier;
        eap->length = htons(len);
        eap->type = EAP_MSCHAPV2;
        eap->opcode = MSCHAPV2_SUCCESS;
-       
+
        *out = eap_payload_create_data(chunk_create((void*) eap, len));
        status = NEED_MORE;
-       
+
 error:
        chunk_free(&auth_string);
        free(message);
@@ -807,21 +807,21 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
        char *message, *token, *msg = NULL;
        int message_len, error, retryable;
        chunk_t challenge = chunk_empty;
-       
+
        data = in->get_data(in);
        eap = (eap_mschapv2_header_t*)data.ptr;
-       
+
        if (data.len < 3) /* we want at least an error code: E=e */
        {
                DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
                return FAILED;
        }
-       
+
        message_len = data.len - HEADER_LEN;
        message = malloc(message_len + 1);
        memcpy(message, eap->data, message_len);
        message[message_len] = '\0';
-                       
+
        /* E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg> */
        enumerator = enumerator_create_token(message, " ", " ");
        while (enumerator->enumerate(enumerator, &token))
@@ -862,28 +862,28 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
                }
        }
        enumerator->destroy(enumerator);
-                       
+
        DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed with error %N: '%s'",
                 mschapv2_error_names, error, sanitize(msg));
-                       
+
        /**
         * at this point, if the error is retryable, we MAY retry the authentication
         * or MAY send a Change Password packet.
-        * 
+        *
         * if the error is not retryable (or if we do neither of the above), we
         * SHOULD send a Failure Response packet.
         * windows clients don't do that, and since windows server 2008 r2 behaves
         * pretty odd if we do send a Failure Response, we just don't send one
         * either. windows 7 actually sends a delete notify (which, according to the
-        * logs, results in an error on windows server 2008 r2). 
-        * 
+        * logs, results in an error on windows server 2008 r2).
+        *
         * btw, windows server 2008 r2 does not send non-retryable errors for e.g.
         * a disabled account but returns the windows error code in a notify payload
         * of type 12345.
         */
-       
+
        status = FAILED;
-       
+
 error:
        chunk_free(&challenge);
        free(message);
@@ -899,7 +899,7 @@ static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in,
 {
        chunk_t data;
        eap_mschapv2_header_t *eap;
-       
+
        this->identifier = in->get_identifier(in);
        data = in->get_data(in);
        if (data.len < SHORT_HEADER_LEN)
@@ -907,9 +907,9 @@ static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in,
                DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message");
                return FAILED;
        }
-       
+
        eap = (eap_mschapv2_header_t*)data.ptr;
-               
+
        switch (eap->opcode)
        {
                case MSCHAPV2_CHALLENGE:
@@ -945,7 +945,7 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
        chunk_t hex;
        char msg[FAILURE_MESSAGE_LEN];
        u_int16_t len = HEADER_LEN + FAILURE_MESSAGE_LEN - 1; /* no null byte */
-       
+
        if (++this->retries > MAX_RETRIES)
        {
                /* we MAY send a Failure Request with R=0, but windows 7 does not
@@ -957,9 +957,9 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
                         "maximum number of retries reached");
                return FAILED;
        }
-       
+
        DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed, retry (%d)", this->retries);
-       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
        if (!rng)
        {
@@ -968,11 +968,11 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
        }
        rng->get_bytes(rng, CHALLENGE_LEN, this->challenge.ptr);
        rng->destroy(rng);
-       
+
        chunk_free(&this->nt_response);
        chunk_free(&this->auth_response);
        chunk_free(&this->msk);
-       
+
        eap = alloca(len);
        eap->code = EAP_REQUEST;
        eap->identifier = ++this->identifier;
@@ -981,16 +981,16 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
        eap->opcode = MSCHAPV2_FAILURE;
        eap->ms_chapv2_id = this->mschapv2id++; /* increase for each retry */
        set_ms_length(eap, len);
-       
+
        hex = chunk_to_hex(this->challenge, NULL, TRUE);
        snprintf(msg, FAILURE_MESSAGE_LEN, "%s%s", FAILURE_MESSAGE, hex.ptr);
        chunk_free(&hex);
        memcpy(eap->data, msg, FAILURE_MESSAGE_LEN - 1); /* no null byte */
        *out = eap_payload_create_data(chunk_create((void*) eap, len));
-       
+
        /* delay the response for some time to make brute-force attacks harder */
        sleep(RETRY_DELAY);
-       
+
        return NEED_MORE;
 }
 
@@ -1007,25 +1007,25 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
        shared_key_t *shared;
        int name_len;
        char buf[256];
-       
+
        data = in->get_data(in);
        eap = (eap_mschapv2_header_t*)data.ptr;
-       
+
        if (data.len < RESPONSE_PAYLOAD_LEN)
        {
                DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
                return FAILED;
        }
-       
+
        res = (eap_mschapv2_response_t*)eap->data;
        peer_challenge = chunk_create(res->response.peer_challenge, CHALLENGE_LEN);
-       
+
        name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
        snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
        userid = identification_create_from_string(buf);
        DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
        username = extract_username(userid);
-       
+
        shared = charon->credentials->get_shared(charon->credentials,
                                                                                         SHARED_EAP, this->server, userid);
        if (shared == NULL)
@@ -1041,27 +1041,27 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
                userid->destroy(userid);
                return process_server_retry(this, out);
        }
-       
+
        password = ascii_to_unicode(shared->get_key(shared));
        shared->destroy(shared);
-       
+
        if (GenerateStuff(this, this->challenge, peer_challenge,
                                          username, password) != SUCCESS)
        {
-               DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");     
+               DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
                userid->destroy(userid);
                chunk_clear(&password);
                return FAILED;
        }
        userid->destroy(userid);
        chunk_clear(&password);
-       
+
        if (memeq(res->response.nt_response, this->nt_response.ptr, this->nt_response.len))
        {
                chunk_t hex;
                char msg[AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE)];
                u_int16_t len = HEADER_LEN + AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE);
-               
+
                eap = alloca(len);
                eap->code = EAP_REQUEST;
                eap->identifier = ++this->identifier;
@@ -1070,7 +1070,7 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
                eap->opcode = MSCHAPV2_SUCCESS;
                eap->ms_chapv2_id = this->mschapv2id;
                set_ms_length(eap, len);
-               
+
                hex = chunk_to_hex(this->auth_response, NULL, TRUE);
                snprintf(msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE),
                                          "S=%s%s", hex.ptr, SUCCESS_MESSAGE);
@@ -1091,23 +1091,23 @@ static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
 {
        eap_mschapv2_header_t *eap;
        chunk_t data;
-       
+
        if (this->identifier != in->get_identifier(in))
        {
                DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
                         "unexpected identifier");
                return FAILED;
        }
-       
+
        data = in->get_data(in);
        if (data.len < SHORT_HEADER_LEN)
        {
                DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
                return FAILED;
        }
-       
+
        eap = (eap_mschapv2_header_t*)data.ptr;
-       
+
        switch (eap->opcode)
        {
                case MSCHAPV2_RESPONSE:
@@ -1182,14 +1182,14 @@ static void destroy(private_eap_mschapv2_t *this)
 static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *server, identification_t *peer)
 {
        private_eap_mschapv2_t *this = malloc_thing(private_eap_mschapv2_t);
-       
+
        this->public.eap_method_interface.initiate = NULL;
        this->public.eap_method_interface.process = NULL;
        this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
        this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
        this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
        this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-       
+
        /* private data */
        this->peer = peer->clone(peer);
        this->server = server->clone(server);
@@ -1200,7 +1200,7 @@ static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *ser
        this->identifier = 0;
        this->mschapv2id = 0;
        this->retries = 0;
-       
+
        return this;
 }
 
@@ -1210,7 +1210,7 @@ static private_eap_mschapv2_t *eap_mschapv2_create_generic(identification_t *ser
 eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identification_t *peer)
 {
        private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
-       
+
        this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
        this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_server;
 
@@ -1219,9 +1219,9 @@ eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identificat
        {
                this->identifier = random();
        } while (!this->identifier);
-       
+
        this->mschapv2id = this->identifier;
-       
+
        return &this->public;
 }
 
@@ -1231,10 +1231,10 @@ eap_mschapv2_t *eap_mschapv2_create_server(identification_t *server, identificat
 eap_mschapv2_t *eap_mschapv2_create_peer(identification_t *server, identification_t *peer)
 {
        private_eap_mschapv2_t *this = eap_mschapv2_create_generic(server, peer);
-       
+
        this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
        this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*, eap_payload_t**))process_peer;
-       
+
        return &this->public;
 }
 
index d0995c477eac17c4b621f5bc765b05831e384d88..404cecb2074f160fbabf58ef18b6cf7d357d73e0 100644 (file)
@@ -37,14 +37,14 @@ static void destroy(eap_mschapv2_plugin_t *this)
 plugin_t *plugin_create()
 {
        eap_mschapv2_plugin_t *this = malloc_thing(eap_mschapv2_plugin_t);
-       
+
        this->plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_SERVER,
                                                        (eap_constructor_t)eap_mschapv2_create_server);
        charon->eap->add_method(charon->eap, EAP_MSCHAPV2, 0, EAP_PEER,
                                                        (eap_constructor_t)eap_mschapv2_create_peer);
-       
+
        return &this->plugin;
 }
 
index deb3b648bd45dc87e2a4343b07d7bc8b2dfb0676..f21d6b8595571196847e91554a34fffc8f4451f3 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include "eap_radius.h"
 
 #include "radius_message.h"
@@ -26,47 +26,47 @@ typedef struct private_eap_radius_t private_eap_radius_t;
  * Private data of an eap_radius_t object.
  */
 struct private_eap_radius_t {
-       
+
        /**
         * Public authenticator_t interface.
         */
        eap_radius_t public;
-       
+
        /**
         * ID of the server
         */
        identification_t *server;
-       
+
        /**
         * ID of the peer
         */
        identification_t *peer;
-       
+
        /**
         * EAP method type we are proxying
         */
        eap_type_t type;
-       
+
        /**
         * EAP vendor, if any
         */
        u_int32_t vendor;
-       
+
        /**
         * EAP MSK, if method established one
         */
        chunk_t msk;
-       
+
        /**
         * RADIUS client instance
         */
        radius_client_t *client;
-       
+
        /**
         * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
         */
        bool eap_start;
-       
+
        /**
         * Prefix to prepend to EAP identity
         */
@@ -93,11 +93,11 @@ static void add_eap_identity(private_eap_radius_t *this,
        } __attribute__((__packed__)) *hdr;
        chunk_t id, prefix;
        size_t len;
-       
+
        id = this->peer->get_encoding(this->peer);
        prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
        len = sizeof(*hdr) + prefix.len + id.len;
-       
+
        hdr = alloca(len);
        hdr->code = EAP_RESPONSE;
        hdr->identifier = 0;
@@ -105,7 +105,7 @@ static void add_eap_identity(private_eap_radius_t *this,
        hdr->type = EAP_IDENTITY;
        memcpy(hdr->data, prefix.ptr, prefix.len);
        memcpy(hdr->data + prefix.len, id.ptr, id.len);
-       
+
        request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len));
 }
 
@@ -119,7 +119,7 @@ static bool radius2ike(private_eap_radius_t *this,
        eap_payload_t *payload;
        chunk_t data;
        int type;
-       
+
        enumerator = msg->create_enumerator(msg);
        while (enumerator->enumerate(enumerator, &type, &data))
        {
@@ -144,12 +144,12 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
        radius_message_t *request, *response;
        status_t status = FAILED;
        chunk_t username;
-       
+
        request = radius_message_create_request();
        username = chunk_create(this->id_prefix, strlen(this->id_prefix));
        username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
        request->add(request, RAT_USER_NAME, username);
-       
+
        if (this->eap_start)
        {
                request->add(request, RAT_EAP_MESSAGE, chunk_empty);
@@ -158,7 +158,7 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
        {
                add_eap_identity(this, request);
        }
-       
+
        response = this->client->request(this->client, request);
        if (response)
        {
@@ -180,11 +180,11 @@ static status_t process(private_eap_radius_t *this,
 {
        radius_message_t *request, *response;
        status_t status = FAILED;
-       
+
        request = radius_message_create_request();
        request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
        request->add(request, RAT_EAP_MESSAGE, in->get_data(in));
-       
+
        response = this->client->request(this->client, request);
        if (response)
        {
@@ -271,14 +271,14 @@ static void destroy(private_eap_radius_t *this)
 eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer)
 {
        private_eap_radius_t *this = malloc_thing(private_eap_radius_t);
-       
+
        this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
        this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
        this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
        this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
        this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
        this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-       
+
        this->client = radius_client_create();
        if (!this->client)
        {
@@ -291,7 +291,7 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
        this->type = EAP_RADIUS;
        this->vendor = 0;
        this->msk = chunk_empty;
-       this->eap_start = lib->settings->get_bool(lib->settings, 
+       this->eap_start = lib->settings->get_bool(lib->settings,
                                                                "charon.plugins.eap_radius.eap_start", FALSE);
        this->id_prefix = lib->settings->get_str(lib->settings,
                                                                "charon.plugins.eap_radius.id_prefix", "");
index 7c6a3c9ffbff695cb563ca75a557bef6943a4c51..51e6a69c85571dbba4e9d1dd3b6fc65c01b1268f 100644 (file)
@@ -36,19 +36,19 @@ static void destroy(eap_radius_plugin_t *this)
 plugin_t *plugin_create()
 {
        eap_radius_plugin_t *this;
-       
+
        if (!radius_client_init())
        {
                DBG1(DBG_CFG, "RADIUS plugin initialization failed");
                return NULL;
        }
-       
+
        this = malloc_thing(eap_radius_plugin_t);
        this->plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        charon->eap->add_method(charon->eap, EAP_RADIUS, 0,
                                                        EAP_SERVER, (eap_constructor_t)eap_radius_create);
-       
+
        return &this->plugin;
 }
 
index de1bafc6d770b8fcfbae0a53a83b0d2b4ace1dfd..1b35cd2d69b88f21f96a572d5a7c240c4bb5fda6 100644 (file)
@@ -63,12 +63,12 @@ struct entry_t {
  * Private data of an radius_client_t object.
  */
 struct private_radius_client_t {
-       
+
        /**
         * Public radius_client_t interface.
         */
        radius_client_t public;
-       
+
        /**
         * RADIUS servers State attribute
         */
@@ -106,7 +106,7 @@ static chunk_t nas_identifier;
 void radius_client_cleanup()
 {
        entry_t *entry;
-       
+
        mutex->destroy(mutex);
        condvar->destroy(condvar);
        while (sockets->remove_last(sockets, (void**)&entry) == SUCCESS)
@@ -130,11 +130,11 @@ bool radius_client_init()
        entry_t *entry;
        host_t *host;
        char *server;
-       
+
        nas_identifier.ptr = lib->settings->get_str(lib->settings,
                                        "charon.plugins.eap_radius.nas_identifier", "strongSwan");
        nas_identifier.len = strlen(nas_identifier.ptr);
-       
+
        secret.ptr = lib->settings->get_str(lib->settings,
                                        "charon.plugins.eap_radius.secret", NULL);
        if (!secret.ptr)
@@ -159,7 +159,7 @@ bool radius_client_init()
        }
        count = lib->settings->get_int(lib->settings,
                                        "charon.plugins.eap_radius.sockets", 1);
-       
+
        sockets = linked_list_create();
        mutex = mutex_create(MUTEX_TYPE_DEFAULT);
        condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
@@ -214,7 +214,7 @@ bool radius_client_init()
 static entry_t* get_socket()
 {
        entry_t *entry;
-       
+
        mutex->lock(mutex);
        while (sockets->remove_first(sockets, (void**)&entry) != SUCCESS)
        {
@@ -243,7 +243,7 @@ static void save_state(private_radius_client_t *this, radius_message_t *msg)
        enumerator_t *enumerator;
        int type;
        chunk_t data;
-       
+
        enumerator = msg->create_enumerator(msg);
        while (enumerator->enumerate(enumerator, &type, &data))
        {
@@ -270,9 +270,9 @@ static radius_message_t* request(private_radius_client_t *this,
        entry_t *socket;
        chunk_t data;
        int i;
-       
+
        socket = get_socket();
-       
+
        /* set Message Identifier */
        req->set_identifier(req, socket->identifier++);
        /* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */
@@ -286,7 +286,7 @@ static radius_message_t* request(private_radius_client_t *this,
        }
        /* sign the request */
        req->sign(req, socket->rng, socket->signer);
-       
+
        data = req->get_encoding(req);
        /* timeout after 2, 3, 4, 5 seconds */
        for (i = 2; i <= 5; i++)
@@ -297,7 +297,7 @@ static radius_message_t* request(private_radius_client_t *this,
                char buf[1024];
                fd_set fds;
                int res;
-               
+
                if (send(socket->fd, data.ptr, data.len, 0) != data.len)
                {
                        DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
@@ -306,7 +306,7 @@ static radius_message_t* request(private_radius_client_t *this,
                }
                tv.tv_sec = i;
                tv.tv_usec = 0;
-               
+
                while (TRUE)
                {
                        FD_ZERO(&fds);
@@ -334,7 +334,7 @@ static radius_message_t* request(private_radius_client_t *this,
                        }
                        response = radius_message_parse_response(chunk_create(buf, res));
                        if (response)
-                       {       
+                       {
                                if (response->verify(response, req->get_authenticator(req),
                                                        secret, socket->hasher, socket->signer))
                                {
@@ -366,7 +366,7 @@ static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt,
        chunk_t A, R, P, seed;
        u_char *c, *p;
        hasher_t *hasher;
-       
+
        /**
         * From RFC2548 (encryption):
         * b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)   C = c(1)
@@ -374,42 +374,42 @@ static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt,
         *      . . .
         * b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)   C = C + c(i)
         */
-       
+
        if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5)
        {
                return chunk_empty;
        }
-       
+
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
        if (!hasher)
        {
                return chunk_empty;
        }
-       
+
        A = chunk_create((u_char*)&salt, sizeof(salt));
        R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5);
        P = chunk_alloca(C.len);
        p = P.ptr;
        c = C.ptr;
-       
+
        seed = chunk_cata("cc", R, A);
-       
+
        while (c < C.ptr + C.len)
        {
                /* b(i) = MD5(S + c(i-1)) */
                hasher->get_hash(hasher, secret, NULL);
                hasher->get_hash(hasher, seed, p);
-               
+
                /* p(i) = b(i) xor c(1) */
                memxor(p, c, HASH_SIZE_MD5);
-               
+
                /* prepare next round */
                seed = chunk_create(c, HASH_SIZE_MD5);
                c += HASH_SIZE_MD5;
                p += HASH_SIZE_MD5;
        }
        hasher->destroy(hasher);
-       
+
        /* remove truncation, first byte is key length */
        if (*P.ptr >= P.len)
        {       /* decryption failed? */
@@ -434,7 +434,7 @@ static chunk_t decrypt_msk(private_radius_client_t *this,
        enumerator_t *enumerator;
        chunk_t data, send = chunk_empty, recv = chunk_empty;
        int type;
-       
+
        enumerator = response->create_enumerator(response);
        while (enumerator->enumerate(enumerator, &type, &data))
        {
@@ -482,13 +482,13 @@ static void destroy(private_radius_client_t *this)
 radius_client_t *radius_client_create()
 {
        private_radius_client_t *this = malloc_thing(private_radius_client_t);
-       
+
        this->public.request = (radius_message_t*(*)(radius_client_t*, radius_message_t *msg))request;
        this->public.decrypt_msk = (chunk_t(*)(radius_client_t*, radius_message_t *, radius_message_t *))decrypt_msk;
        this->public.destroy = (void(*)(radius_client_t*))destroy;
-       
+
        this->state = chunk_empty;
-       
+
        return &this->public;
 }
 
index 889861a161f259f31480ce13a6148521be01a8dd..77ba94807ff5f9e1634c159142252190172b7f66 100644 (file)
@@ -33,11 +33,11 @@ typedef struct radius_client_t radius_client_t;
  * a socket during request() and releases it afterwards.
  */
 struct radius_client_t {
-       
+
        /**
         * Send a RADIUS request and wait for the response.
         *
-        * The client fills in RADIUS Message identifier, NAS-Identifier, 
+        * The client fills in RADIUS Message identifier, NAS-Identifier,
         * NAS-Port-Type, builds a Request-Authenticator and calculates the
         * Message-Authenticator attribute.
         * The received response gets verified using the Response-Identifier
@@ -47,7 +47,7 @@ struct radius_client_t {
         * @return                              response, NULL if timed out/verification failed
         */
        radius_message_t* (*request)(radius_client_t *this, radius_message_t *msg);
-       
+
        /**
         * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key.
         *
@@ -57,7 +57,7 @@ struct radius_client_t {
         */
        chunk_t (*decrypt_msk)(radius_client_t *this, radius_message_t *response,
                                                   radius_message_t *request);
-       
+
        /**
         * Destroy the client, release the socket.
         */
index 59a639f31e01aede7beefd3c10f7616392b58107..8b7ef12d4fe46e158a3629c26a4ab6d8e79d0dc5 100644 (file)
@@ -54,12 +54,12 @@ struct rattr_t {
  * Private data of an radius_message_t object.
  */
 struct private_radius_message_t {
-       
+
        /**
         * Public radius_message_t interface.
         */
        radius_message_t public;
-       
+
        /**
         * message data, allocated
         */
@@ -247,12 +247,12 @@ static bool attribute_enumerate(attribute_enumerator_t *this,
 static enumerator_t* create_enumerator(private_radius_message_t *this)
 {
        attribute_enumerator_t *e;
-       
+
        if (ntohs(this->msg->length) < sizeof(rmsg_t) + sizeof(rattr_t))
        {
                return enumerator_create_empty();
        }
-       
+
        e = malloc_thing(attribute_enumerator_t);
        e->public.enumerate = (void*)attribute_enumerate;
        e->public.destroy = (void*)free;
@@ -268,7 +268,7 @@ static void add(private_radius_message_t *this, radius_attribute_type_t type,
                                chunk_t data)
 {
        rattr_t *attribute;
-       
+
        this->msg = realloc(this->msg,
                                                ntohs(this->msg->length) + sizeof(rattr_t) + data.len);
        attribute = ((void*)this->msg) + ntohs(this->msg->length);
@@ -284,10 +284,10 @@ static void add(private_radius_message_t *this, radius_attribute_type_t type,
 static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer)
 {
        char buf[HASH_SIZE_MD5];
-       
+
        /* build Request-Authenticator */
        rng->get_bytes(rng, HASH_SIZE_MD5, this->msg->authenticator);
-       
+
        /* build Message-Authenticator attribute, using 16 null bytes */
        memset(buf, 0, sizeof(buf));
        add(this, RAT_MESSAGE_AUTHENTICATOR, chunk_create(buf, sizeof(buf)));
@@ -307,12 +307,12 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
        int type;
        chunk_t data, msg;
        bool has_eap = FALSE, has_auth = FALSE;
-       
+
        /* replace Response by Request Authenticator for verification */
        memcpy(res_auth, this->msg->authenticator, HASH_SIZE_MD5);
        memcpy(this->msg->authenticator, req_auth, HASH_SIZE_MD5);
        msg = chunk_create((u_char*)this->msg, ntohs(this->msg->length));
-       
+
        /* verify Response-Authenticator */
        hasher->get_hash(hasher, msg, NULL);
        hasher->get_hash(hasher, secret, buf);
@@ -321,7 +321,7 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
                DBG1(DBG_CFG, "RADIUS Response-Authenticator verification failed");
                return FALSE;
        }
-       
+
        /* verify Message-Authenticator attribute */
        enumerator = create_enumerator(this);
        while (enumerator->enumerate(enumerator, &type, &data))
@@ -359,7 +359,7 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth,
        enumerator->destroy(enumerator);
        /* restore Response-Authenticator */
        memcpy(this->msg->authenticator, res_auth, HASH_SIZE_MD5);
-       
+
        if (has_eap && !has_auth)
        {       /* Message-Authenticator is required if we have an EAP-Message */
                DBG1(DBG_CFG, "RADIUS Message-Authenticator attribute missing");
@@ -424,7 +424,7 @@ static void destroy(private_radius_message_t *this)
 static private_radius_message_t *radius_message_create()
 {
        private_radius_message_t *this = malloc_thing(private_radius_message_t);
-       
+
        this->public.create_enumerator = (enumerator_t*(*)(radius_message_t*))create_enumerator;
        this->public.add = (void(*)(radius_message_t*, radius_attribute_type_t,chunk_t))add;
        this->public.get_code = (radius_message_code_t(*)(radius_message_t*))get_code;
@@ -435,7 +435,7 @@ static private_radius_message_t *radius_message_create()
        this->public.sign = (void(*)(radius_message_t*, rng_t *rng, signer_t *signer))sign;
        this->public.verify = (bool(*)(radius_message_t*, u_int8_t *req_auth, chunk_t secret, hasher_t *hasher, signer_t *signer))verify;
        this->public.destroy = (void(*)(radius_message_t*))destroy;
-       
+
        return this;
 }
 
@@ -445,12 +445,12 @@ static private_radius_message_t *radius_message_create()
 radius_message_t *radius_message_create_request()
 {
        private_radius_message_t *this = radius_message_create();
-       
+
        this->msg = malloc_thing(rmsg_t);
        this->msg->code = RMC_ACCESS_REQUEST;
        this->msg->identifier = 0;
        this->msg->length = htons(sizeof(rmsg_t));
-       
+
        return &this->public;
 }
 
@@ -460,7 +460,7 @@ radius_message_t *radius_message_create_request()
 radius_message_t *radius_message_parse_response(chunk_t data)
 {
        private_radius_message_t *this = radius_message_create();
-       
+
        this->msg = malloc(data.len);
        memcpy(this->msg, data.ptr, data.len);
        if (data.len < sizeof(rmsg_t) ||
index d4eec8590bb2b46deb5bd994d16d12beaebf07b7..266839d3b0be16d991d8468950e6bdc9775ed58a 100644 (file)
@@ -181,14 +181,14 @@ extern enum_name_t *radius_attribute_type_names;
  * A RADIUS message, contains attributes.
  */
 struct radius_message_t {
-       
+
        /**
         * Create an enumerator over contained RADIUS attributes.
         *
         * @return                              enumerator over (int type, chunk_t data)
         */
        enumerator_t* (*create_enumerator)(radius_message_t *this);
-       
+
        /**
         * Add a RADIUS attribute to the message.
         *
@@ -197,42 +197,42 @@ struct radius_message_t {
         */
        void (*add)(radius_message_t *this, radius_attribute_type_t type,
                                chunk_t data);
-       
+
        /**
         * Get the message type (code).
         *
         * @return                              message code
         */
        radius_message_code_t (*get_code)(radius_message_t *this);
-       
+
        /**
         * Get the message identifier.
         *
         * @return                              message identifier
         */
        u_int8_t (*get_identifier)(radius_message_t *this);
-       
+
        /**
         * Set the message identifier.
         *
         * @param identifier    message identifier
         */
        void (*set_identifier)(radius_message_t *this, u_int8_t identifier);
-       
+
        /**
         * Get the 16 byte authenticator.
         *
         * @return                              pointer to the Authenticator field
         */
        u_int8_t* (*get_authenticator)(radius_message_t *this);
-       
+
        /**
         * Get the RADIUS message in its encoded form.
         *
         * @return                              chunk pointing to internal RADIUS message.
         */
        chunk_t (*get_encoding)(radius_message_t *this);
-       
+
        /**
         * Calculate and add the Message-Authenticator attribute to the message.
         *
@@ -240,7 +240,7 @@ struct radius_message_t {
         * @param signer                HMAC-MD5 signer with secret set
         */
        void (*sign)(radius_message_t *this, rng_t *rng, signer_t *signer);
-       
+
        /**
         * Verify the integrity of a received RADIUS response.
         *
@@ -251,7 +251,7 @@ struct radius_message_t {
         */
        bool (*verify)(radius_message_t *this, u_int8_t *req_auth, chunk_t secret,
                                   hasher_t *hasher, signer_t *signer);
-       
+
        /**
         * Destroy the message.
         */
index 2dd6e534b4ba335fd53f2c03f6afdcb9ae153987..f439bd2481fb7f50782aa10cab84095c9b94459f 100644 (file)
@@ -121,82 +121,82 @@ typedef struct private_eap_sim_t private_eap_sim_t;
  * Private data of an eap_sim_t object.
  */
 struct private_eap_sim_t {
-       
+
        /**
         * Public authenticator_t interface.
         */
        eap_sim_t public;
-       
+
        /**
         * ID of ourself
         */
        identification_t *peer;
-       
+
        /**
         * hashing function
         */
        hasher_t *hasher;
-       
+
        /**
         * prf
         */
        prf_t *prf;
-       
+
        /**
         * MAC function
         */
        signer_t *signer;
-       
+
        /**
         * how many times we try to authenticate
         */
        int tries;
-       
+
        /**
         * unique EAP identifier
         */
        u_int8_t identifier;
-       
+
        /**
         * EAP message type this role sends
         */
        u_int8_t type;
-       
+
        /**
         * version this implementation uses
         */
        chunk_t version;
-       
+
        /**
         * version list received from server
         */
        chunk_t version_list;
-       
+
        /**
         * Nonce value used in AT_NONCE_MT
         */
        chunk_t nonce;
-       
+
        /**
         * concatenated SRES values
         */
        chunk_t sreses;
-       
+
        /**
         * k_encr key derived from MK
         */
        chunk_t k_encr;
-       
+
        /**
         * k_auth key derived from MK, used for AT_MAC verification
         */
        chunk_t k_auth;
-       
+
        /**
         * MSK, used for EAP-SIM based IKEv2 authentication
         */
        chunk_t msk;
-       
+
        /**
         * EMSK, extended MSK for further uses
         */
@@ -257,9 +257,9 @@ static sim_attribute_t read_attribute(chunk_t *message, chunk_t *data)
 {
        sim_attribute_t attribute;
        size_t length;
-       
+
        DBG3(DBG_IKE, "reading attribute from %B", message);
-       
+
        if (message->len < 2)
        {
                return AT_END;
@@ -294,7 +294,7 @@ static eap_payload_t *build_payload(private_eap_sim_t *this, u_int8_t identifier
        sim_attribute_t attr;
        u_int8_t *mac_pos = NULL;
        chunk_t mac_data = chunk_empty;
-       
+
        /* write EAP header, skip length bytes */
        *pos.ptr++ = this->type;
        *pos.ptr++ = identifier;
@@ -306,18 +306,18 @@ static eap_payload_t *build_payload(private_eap_sim_t *this, u_int8_t identifier
        *pos.ptr++ = 0;
        *pos.ptr++ = 0;
        pos.len -= 4;
-       
+
        va_start(args, type);
        while ((attr = va_arg(args, sim_attribute_t)) != AT_END)
        {
                chunk_t data = va_arg(args, chunk_t);
-               
+
                DBG3(DBG_IKE, "building %N %B", sim_attribute_names, attr, &data);
-               
+
                /* write attribute header */
                *pos.ptr++ = attr;
                pos.len--;
-               
+
                switch (attr)
                {
                        case AT_CLIENT_ERROR_CODE:
@@ -387,11 +387,11 @@ static eap_payload_t *build_payload(private_eap_sim_t *this, u_int8_t identifier
                }
        }
        va_end(args);
-       
+
        /* calculate message length, write into header */
        message.len = pos.ptr - message.ptr;
        *(u_int16_t*)(message.ptr + 2) = htons(message.len);
-       
+
        /* create MAC if AT_MAC attribte was included. Append supplied va_arg
         * chunk mac_data to "to-sign" chunk */
        if (mac_pos)
@@ -402,9 +402,9 @@ static eap_payload_t *build_payload(private_eap_sim_t *this, u_int8_t identifier
                DBG3(DBG_IKE, "AT_MAC signature of %B\n is %b",
                         &mac_data, mac_pos, MAC_LEN);
        }
-       
+
        payload = eap_payload_create_data(message);
-       
+
        DBG3(DBG_IKE, "created EAP message %B", &message);
        return payload;
 }
@@ -495,7 +495,7 @@ static status_t peer_process_start(private_eap_sim_t *this, eap_payload_t *in,
                                break;
                }
        }
-       
+
        /* build payload. If "include_id" is AT_END, AT_IDENTITY is ommited */
        *out = build_payload(this, identifier, SIM_START,
                                                 AT_SELECTED_VERSION, this->version,
@@ -519,7 +519,7 @@ static void derive_keys(private_eap_sim_t *this, chunk_t kcs)
        mk = chunk_alloca(this->hasher->get_hash_size(this->hasher));
        this->hasher->get_hash(this->hasher, tmp, mk.ptr);
        DBG3(DBG_IKE, "MK = SHA1(%B\n) = %B", &tmp, &mk);
-       
+
        /* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf()
         * FIPS PRF has 320 bit block size, we need 160 byte for keys
         *  => run prf four times */
@@ -549,7 +549,7 @@ static bool get_card_triplet(private_eap_sim_t *this,
        sim_card_t *card = NULL, *current;
        id_match_t match, best = ID_MATCH_NONE;
        bool success = FALSE;
-       
+
        /* find the best matching SIM */
        enumerator = charon->sim->create_card_enumerator(charon->sim);
        while (enumerator->enumerate(enumerator, &current))
@@ -584,7 +584,7 @@ static status_t peer_process_challenge(private_eap_sim_t *this,
        sim_attribute_t attribute;
        u_int8_t identifier;
        chunk_t mac = chunk_empty, rands = chunk_empty;
-       
+
        if (this->tries-- <= 0)
        {
                /* give up without notification. This hack is required as some buggy
@@ -643,7 +643,7 @@ static status_t peer_process_challenge(private_eap_sim_t *this,
                                break;
                }
        }
-       
+
        /* excepting two or three RAND, each 16 bytes. We require two valid
         * and different RANDs */
        if ((rands.len != 2 * RAND_LEN && rands.len != 3 * RAND_LEN) ||
@@ -663,12 +663,12 @@ static status_t peer_process_challenge(private_eap_sim_t *this,
                                                         AT_END);
                return NEED_MORE;
        }
-       
+
        /* get two or three KCs/SRESes from SIM using RANDs */
        kcs = kc = chunk_alloca(rands.len / 2);
        sreses = sres = chunk_alloca(rands.len / 4);
        while (rands.len >= RAND_LEN)
-       {               
+       {
                if (!get_card_triplet(this, rands.ptr, sres.ptr, kc.ptr))
                {
                        DBG1(DBG_IKE, "unable to get EAP-SIM triplet");
@@ -683,9 +683,9 @@ static status_t peer_process_challenge(private_eap_sim_t *this,
                sres = chunk_skip(sres, SRES_LEN);
                rands = chunk_skip(rands, RAND_LEN);
        }
-       
+
        derive_keys(this, kcs);
-       
+
        /* verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT"  */
        this->signer->set_key(this->signer, this->k_auth);
        tmp = chunk_cata("cc", in->get_data(in), this->nonce);
@@ -697,7 +697,7 @@ static status_t peer_process_challenge(private_eap_sim_t *this,
                                                         AT_END);
                return NEED_MORE;
        }
-       
+
        /* build response, AT_MAC is built over "EAP packet | n*SRES" */
        *out = build_payload(this, identifier, SIM_CHALLENGE,
                                                 AT_MAC, sreses,
@@ -714,7 +714,7 @@ static status_t server_process_challenge(private_eap_sim_t *this,
        chunk_t message, data;
        sim_attribute_t attribute;
        chunk_t mac = chunk_empty, tmp;
-       
+
        message = in->get_data(in);
        read_header(&message);
 
@@ -761,7 +761,7 @@ static bool get_provider_triplet(private_eap_sim_t *this,
        enumerator_t *enumerator;
        sim_provider_t *provider;
        int tried = 0;
-       
+
        enumerator = charon->sim->create_provider_enumerator(charon->sim);
        while (enumerator->enumerate(enumerator, &provider))
        {
@@ -789,7 +789,7 @@ static status_t server_process_start(private_eap_sim_t *this,
        bool supported = FALSE;
        chunk_t rands, rand, kcs, kc, sreses, sres;
        int i;
-               
+
        message = in->get_data(in);
        read_header(&message);
 
@@ -820,7 +820,7 @@ static status_t server_process_start(private_eap_sim_t *this,
                DBG1(DBG_IKE, "received incomplete EAP-SIM/Response/Start");
                return FAILED;
        }
-       
+
        /* read triplets from provider */
        rand = rands = chunk_alloca(RAND_LEN * TRIPLET_COUNT);
        kc = kcs = chunk_alloca(KC_LEN * TRIPLET_COUNT);
@@ -843,7 +843,7 @@ static status_t server_process_start(private_eap_sim_t *this,
                kc = chunk_skip(kc, KC_LEN);
        }
        derive_keys(this, kcs);
-       
+
        /* build MAC over "EAP packet | NONCE_MT" */
        *out = build_payload(this, this->identifier++, SIM_CHALLENGE, AT_RAND,
                                                 rands, AT_MAC, this->nonce, AT_END);
@@ -859,7 +859,7 @@ static status_t peer_process_notification(private_eap_sim_t *this,
 {
        chunk_t message, data;
        sim_attribute_t attribute;
-       
+
        message = in->get_data(in);
        read_header(&message);
 
@@ -910,7 +910,7 @@ static status_t server_process_client_error(private_eap_sim_t *this,
 {
        chunk_t message, data;
        sim_attribute_t attribute;
-       
+
        message = in->get_data(in);
        read_header(&message);
 
@@ -943,10 +943,10 @@ static status_t peer_process(private_eap_sim_t *this,
 {
        sim_subtype_t type;
        chunk_t message;
-       
+
        message = in->get_data(in);
        type = read_header(&message);
-       
+
        switch (type)
        {
                case SIM_START:
@@ -972,10 +972,10 @@ static status_t server_process(private_eap_sim_t *this,
 {
        sim_subtype_t type;
        chunk_t message;
-       
+
        message = in->get_data(in);
        type = read_header(&message);
-       
+
        switch (type)
        {
                case SIM_START:
@@ -1070,7 +1070,7 @@ eap_sim_t *eap_sim_create_generic(eap_role_t role, identification_t *server,
 {
        private_eap_sim_t *this = malloc_thing(private_eap_sim_t);
        rng_t *rng;
-       
+
        this->nonce = chunk_empty;
        this->sreses = chunk_empty;
        this->peer = peer->clone(peer);
@@ -1086,7 +1086,7 @@ eap_sim_t *eap_sim_create_generic(eap_role_t role, identification_t *server,
        do {
                this->identifier = random();
        } while (!this->identifier);
-       
+
        switch (role)
        {
                case EAP_SERVER:
@@ -1116,7 +1116,7 @@ eap_sim_t *eap_sim_create_generic(eap_role_t role, identification_t *server,
        this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
        this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
        this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-       
+
        this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);
        this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
@@ -1146,4 +1146,4 @@ eap_sim_t *eap_sim_create_peer(identification_t *server,
 {
        return eap_sim_create_generic(EAP_PEER, server, peer);
 }
-                                                                
+
index cf18007c0c77732f8144730bfbbc7d96a59da61d..6a6878303fc2fe895ab5d2f164bb2ec4a9723acf 100644 (file)
@@ -37,14 +37,14 @@ static void destroy(eap_sim_plugin_t *this)
 plugin_t *plugin_create()
 {
        eap_sim_plugin_t *this = malloc_thing(eap_sim_plugin_t);
-       
+
        this->plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        charon->eap->add_method(charon->eap, EAP_SIM, 0, EAP_SERVER,
                                                        (eap_constructor_t)eap_sim_create_server);
        charon->eap->add_method(charon->eap, EAP_SIM, 0, EAP_PEER,
                                                        (eap_constructor_t)eap_sim_create_peer);
-       
+
        return &this->plugin;
 }
 
index 7d441ffb29fffd8511eff6042116e4d54498c15b..2a854d367212b7229434f63b4405dce1b965c468 100644 (file)
@@ -21,17 +21,17 @@ typedef struct private_eap_sim_file_card_t private_eap_sim_file_card_t;
  * Private data of an eap_sim_file_card_t object.
  */
 struct private_eap_sim_file_card_t {
-       
+
        /**
         * Public eap_sim_file_card_t interface.
         */
        eap_sim_file_card_t public;
-       
+
        /**
         * IMSI, is ID_ANY for file implementation
         */
        identification_t *imsi;
-       
+
        /**
         * source of triplets
         */
@@ -49,9 +49,9 @@ static bool get_triplet(private_eap_sim_file_card_t *this,
        enumerator_t *enumerator;
        identification_t *id;
        char *c_rand, *c_sres, *c_kc;
-       
+
        DBG2(DBG_CFG, "looking for rand: %b", rand, RAND_LEN);
-       
+
        enumerator = this->triplets->create_enumerator(this->triplets);
        while (enumerator->enumerate(enumerator, &id, &c_rand, &c_sres, &c_kc))
        {
@@ -92,15 +92,15 @@ static void destroy(private_eap_sim_file_card_t *this)
 eap_sim_file_card_t *eap_sim_file_card_create(eap_sim_file_triplets_t *triplets)
 {
        private_eap_sim_file_card_t *this = malloc_thing(private_eap_sim_file_card_t);
-       
+
        this->public.card.get_triplet = (bool(*)(sim_card_t*, char *rand, char *sres, char *kc))get_triplet;
        this->public.card.get_imsi = (identification_t*(*)(sim_card_t*))get_imsi;
        this->public.destroy = (void(*)(eap_sim_file_card_t*))destroy;
-       
+
        /* this SIM card implementation does not have an ID, serve ID_ANY */
        this->imsi = identification_create_from_encoding(ID_ANY, chunk_empty);
        this->triplets = triplets;
-       
+
        return &this->public;
 }
 
index e7160a33b3517c29db0e3a27bf96e3c53807f32c..405fbcea612429622d507689f41ee943263ebcd0 100644 (file)
@@ -36,7 +36,7 @@ struct eap_sim_file_card_t {
         * Implements sim_card_t interface
         */
        sim_card_t card;
-       
+
        /**
         * Destroy a eap_sim_file_card_t.
         */
index eb6fb4c9cba1f586e75f091c1060dd6fc817d1c0..eedaa306072805c565800cdc423357f683bfb2a4 100644 (file)
@@ -28,22 +28,22 @@ typedef struct private_eap_sim_file_t private_eap_sim_file_t;
  * Private data of an eap_sim_file_t object.
  */
 struct private_eap_sim_file_t {
-       
+
        /**
         * Public eap_sim_file_plugin_t interface.
         */
        eap_sim_file_plugin_t public;
-       
+
        /**
         * SIM card
         */
        eap_sim_file_card_t *card;
-       
+
        /**
         * SIM provider
         */
        eap_sim_file_provider_t *provider;
-       
+
        /**
         * Triplet source
         */
@@ -69,16 +69,16 @@ static void destroy(private_eap_sim_file_t *this)
 plugin_t *plugin_create()
 {
        private_eap_sim_file_t *this = malloc_thing(private_eap_sim_file_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        this->triplets = eap_sim_file_triplets_create(TRIPLET_FILE);
        this->card = eap_sim_file_card_create(this->triplets);
        this->provider = eap_sim_file_provider_create(this->triplets);
-       
+
        charon->sim->add_card(charon->sim, &this->card->card);
        charon->sim->add_provider(charon->sim, &this->provider->provider);
-       
+
        return &this->public.plugin;
 }
 
index 89866ade6708424c5a9b80f662286ec44e99f81c..dc55911b8fc1c99dab3228d109d34f20a4271975 100644 (file)
@@ -21,12 +21,12 @@ typedef struct private_eap_sim_file_provider_t private_eap_sim_file_provider_t;
  * Private data of an eap_sim_file_provider_t object.
  */
 struct private_eap_sim_file_provider_t {
-       
+
        /**
         * Public eap_sim_file_provider_t interface.
         */
        eap_sim_file_provider_t public;
-       
+
        /**
         * source of triplets
         */
@@ -43,7 +43,7 @@ static bool get_triplet(private_eap_sim_file_provider_t *this,
        enumerator_t *enumerator;
        identification_t *id;
        char *c_rand, *c_sres, *c_kc;
-       
+
        enumerator = this->triplets->create_enumerator(this->triplets);
        while (enumerator->enumerate(enumerator, &id, &c_rand, &c_sres, &c_kc))
        {
@@ -75,12 +75,12 @@ eap_sim_file_provider_t *eap_sim_file_provider_create(
                                                                                        eap_sim_file_triplets_t *triplets)
 {
        private_eap_sim_file_provider_t *this = malloc_thing(private_eap_sim_file_provider_t);
-       
+
        this->public.provider.get_triplet = (bool(*)(sim_provider_t*, identification_t *imsi, char rand[16], char sres[4], char kc[8]))get_triplet;
        this->public.destroy = (void(*)(eap_sim_file_provider_t*))destroy;
-       
+
        this->triplets = triplets;
-       
+
        return &this->public;
 }
 
index ec3bfb46950aa4f0e0bae3690736b2c5c7f2b1a1..72f29d51f9879c7149a516c391c3f4326d274b9a 100644 (file)
@@ -36,7 +36,7 @@ struct eap_sim_file_provider_t {
         * Implements sim_provider_t interface.
         */
        sim_provider_t provider;
-       
+
        /**
         * Destroy a eap_sim_file_provider_t.
         */
index e27ed68605f5559b1b61ee282300d8b2d52f9a53..b4686bf8f52d9c671a0ef13c4e4f9b666ae0159b 100644 (file)
@@ -28,17 +28,17 @@ typedef struct private_eap_sim_file_triplets_t private_eap_sim_file_triplets_t;
  * Private data of an eap_sim_file_triplets_t object.
  */
 struct private_eap_sim_file_triplets_t {
-       
+
        /**
         * Public eap_sim_file_triplets_t interface.
         */
        eap_sim_file_triplets_t public;
-       
+
        /**
         * List of triplets, as triplet_t
         */
        linked_list_t *triplets;
-       
+
        /**
         * mutex to lock triplets list
         */
@@ -103,7 +103,7 @@ static bool enumerator_enumerate(triplet_enumerator_t *e, identification_t **ims
                                                                 char **rand, char **sres, char **kc)
 {
        triplet_t *triplet;
-       
+
        if (e->inner->enumerate(e->inner, &triplet))
        {
                e->current = triplet;
@@ -123,14 +123,14 @@ static bool enumerator_enumerate(triplet_enumerator_t *e, identification_t **ims
 static enumerator_t* create_enumerator(private_eap_sim_file_triplets_t *this)
 {
        triplet_enumerator_t *enumerator = malloc_thing(triplet_enumerator_t);
-       
+
        this->mutex->lock(this->mutex);
        enumerator->public.enumerate = (void*)enumerator_enumerate;
        enumerator->public.destroy = (void*)enumerator_destroy;
        enumerator->inner = this->triplets->create_enumerator(this->triplets);
        enumerator->current = NULL;
        enumerator->this = this;
-       
+
        return &enumerator->public;
 }
 
@@ -140,7 +140,7 @@ static enumerator_t* create_enumerator(private_eap_sim_file_triplets_t *this)
 static void parse_token(char *to, char *from, size_t len)
 {
        chunk_t chunk;
-       
+
        chunk = chunk_create(from, min(strlen(from), len * 2));
        chunk = chunk_from_hex(chunk, NULL);
        memset(to, 0, len);
@@ -156,22 +156,22 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
        char line[512];
        FILE *file;
        int i, nr = 0;
-       
+
        file = fopen(path, "r");
        if (file == NULL)
        {
-               DBG1(DBG_CFG, "opening triplet file %s failed: %s", 
+               DBG1(DBG_CFG, "opening triplet file %s failed: %s",
                         path, strerror(errno));
                return;
        }
-       
+
        /* read line by line */
        while (fgets(line, sizeof(line), file))
        {
                triplet_t *triplet;
                enumerator_t *enumerator;
                char *token;
-               
+
                nr++;
                /* skip comments, empty lines */
                switch (line[0])
@@ -186,7 +186,7 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
                }
                triplet = malloc_thing(triplet_t);
                memset(triplet, 0, sizeof(triplet_t));
-               
+
                i = 0;
                enumerator = enumerator_create_token(line, ",", " \n\r#");
                while (enumerator->enumerate(enumerator, &token))
@@ -217,15 +217,15 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
                        triplet_destroy(triplet);
                        continue;
                }
-               
+
                DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b",
                         triplet->imsi, triplet->rand, RAND_LEN,
                         triplet->sres, SRES_LEN, triplet->kc, KC_LEN);
-                        
+
                this->triplets->insert_last(this->triplets, triplet);
        }
        fclose(file);
-       
+
        DBG1(DBG_CFG, "read %d triplets from %s",
                 this->triplets->get_count(this->triplets), path);
 }
@@ -246,15 +246,15 @@ static void destroy(private_eap_sim_file_triplets_t *this)
 eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file)
 {
        private_eap_sim_file_triplets_t *this = malloc_thing(private_eap_sim_file_triplets_t);
-       
+
        this->public.create_enumerator = (enumerator_t*(*)(eap_sim_file_triplets_t*))create_enumerator;
        this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy;
-       
+
        this->triplets = linked_list_create();
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-       
+
        read_triplets(this, file);
-       
+
        return &this->public;
 }
 
index f0362c1a4ce374d4b9b3b5e69ca7a60be0d65cfa..0ae0beaef97e09058ad8ce85f916bb9d53e8c741 100644 (file)
@@ -78,7 +78,7 @@
 /** the prefix of the name of KLIPS ipsec devices */
 #define IPSEC_DEV_PREFIX "ipsec"
 /** this is the default number of ipsec devices */
-#define DEFAULT_IPSEC_DEV_COUNT 4 
+#define DEFAULT_IPSEC_DEV_COUNT 4
 /** TRUE if the given name matches an ipsec device */
 #define IS_IPSEC_DEV(name) (strneq((name), IPSEC_DEV_PREFIX, sizeof(IPSEC_DEV_PREFIX) - 1))
 
@@ -108,62 +108,62 @@ struct private_kernel_klips_ipsec_t
         * Public part of the kernel_klips_t object.
         */
        kernel_klips_ipsec_t public;
-       
+
        /**
         * mutex to lock access to various lists
         */
        mutex_t *mutex;
-       
+
        /**
         * List of installed policies (policy_entry_t)
         */
        linked_list_t *policies;
-       
+
        /**
         * List of allocated SPIs without installed SA (sa_entry_t)
         */
        linked_list_t *allocated_spis;
-       
+
        /**
         * List of installed SAs (sa_entry_t)
         */
        linked_list_t *installed_sas;
-       
+
        /**
         * whether to install routes along policies
         */
        bool install_routes;
-       
+
        /**
         * List of ipsec devices (ipsec_dev_t)
         */
        linked_list_t *ipsec_devices;
-       
+
        /**
         * job receiving PF_KEY events
         */
        callback_job_t *job;
-       
+
        /**
         * mutex to lock access to the PF_KEY socket
         */
        mutex_t *mutex_pfkey;
-       
+
        /**
         * PF_KEY socket to communicate with the kernel
         */
        int socket;
-       
+
        /**
         * PF_KEY socket to receive acquire and expire events
         */
        int socket_events;
-       
+
        /**
         * sequence number for messages sent to the kernel
         */
        int seq;
-       
+
 };
 
 
@@ -175,10 +175,10 @@ typedef struct ipsec_dev_t ipsec_dev_t;
 struct ipsec_dev_t {
        /** name of the virtual ipsec interface */
        char name[IFNAMSIZ];
-       
+
        /** name of the physical interface */
        char phys_name[IFNAMSIZ];
-       
+
        /** by how many CHILD_SA's this ipsec device is used */
        u_int refcount;
 };
@@ -229,14 +229,14 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
        struct ipsectunnelconf *itc = (struct ipsectunnelconf*)&req.ifr_data;
        short phys_flags;
        int mtu;
-       
+
        DBG2(DBG_KNL, "attaching virtual interface %s to %s", name, phys_name);
-       
+
        if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
        {
                return FAILED;
        }
-       
+
        strncpy(req.ifr_name, phys_name, IFNAMSIZ);
        if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
        {
@@ -251,18 +251,18 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
                close(sock);
                return FAILED;
        }
-       
+
        if (req.ifr_flags & IFF_UP)
        {
                /* if it's already up, it is already attached, detach it first */
                ioctl(sock, IPSEC_DEL_DEV, &req);
        }
-       
+
        /* attach it */
        strncpy(req.ifr_name, name, IFNAMSIZ);
        strncpy(itc->cf_name, phys_name, sizeof(itc->cf_name));
        ioctl(sock, IPSEC_SET_DEV, &req);
-       
+
        /* copy address from physical to virtual */
        strncpy(req.ifr_name, phys_name, IFNAMSIZ);
        if (ioctl(sock, SIOCGIFADDR, &req) == 0)
@@ -270,7 +270,7 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
                strncpy(req.ifr_name, name, IFNAMSIZ);
                ioctl(sock, SIOCSIFADDR, &req);
        }
-       
+
        /* copy net mask from physical to virtual */
        strncpy(req.ifr_name, phys_name, IFNAMSIZ);
        if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
@@ -278,7 +278,7 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
                strncpy(req.ifr_name, name, IFNAMSIZ);
                ioctl(sock, SIOCSIFNETMASK, &req);
        }
-       
+
        /* copy other flags and addresses */
        strncpy(req.ifr_name, name, IFNAMSIZ);
        if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
@@ -288,7 +288,7 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
                        req.ifr_flags |= IFF_POINTOPOINT;
                        req.ifr_flags &= ~IFF_BROADCAST;
                        ioctl(sock, SIOCSIFFLAGS, &req);
-                       
+
                        strncpy(req.ifr_name, phys_name, IFNAMSIZ);
                        if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0)
                        {
@@ -301,7 +301,7 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
                        req.ifr_flags &= ~IFF_POINTOPOINT;
                        req.ifr_flags |= IFF_BROADCAST;
                        ioctl(sock, SIOCSIFFLAGS, &req);
-                       
+
                        strncpy(req.ifr_name, phys_name, IFNAMSIZ);
                        if (ioctl(sock, SIOCGIFBRDADDR, &req)==0)
                        {
@@ -324,7 +324,7 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
                /* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
                 * ESP overhead      : 73 bytes
                 * NAT-T overhead    :  8 bytes ==> 81 bytes
-                * 
+                *
                 * assuming tunnel mode with AES encryption and integrity
                 * outer IP header  : 20 bytes
                 * (NAT-T UDP header:  8 bytes)
@@ -338,19 +338,19 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
                ioctl(sock, SIOCGIFMTU, &req);
                mtu = req.ifr_mtu - 81;
        }
-       
+
        /* set MTU */
        strncpy(req.ifr_name, name, IFNAMSIZ);
        req.ifr_mtu = mtu;
        ioctl(sock, SIOCSIFMTU, &req);
-       
+
        /* bring ipsec device UP */
        if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
        {
                req.ifr_flags |= IFF_UP;
                ioctl(sock, SIOCSIFFLAGS, &req);
        }
-       
+
        close(sock);
        return SUCCESS;
 }
@@ -362,37 +362,37 @@ static status_t detach_ipsec_dev(char* name, char *phys_name)
 {
        int sock;
        struct ifreq req;
-       
+
        DBG2(DBG_KNL, "detaching virtual interface %s from %s", name,
                        strlen(phys_name) ? phys_name : "any physical interface");
-       
+
        if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) <= 0)
        {
                return FAILED;
        }
-       
+
        strncpy(req.ifr_name, name, IFNAMSIZ);
        if (ioctl(sock, SIOCGIFFLAGS, &req) < 0)
        {
                close(sock);
                return FAILED;
        }
-       
+
        /* shutting interface down */
        if (req.ifr_flags & IFF_UP)
        {
                req.ifr_flags &= ~IFF_UP;
                ioctl(sock, SIOCSIFFLAGS, &req);
        }
-       
+
        /* unset address */
        memset(&req.ifr_addr, 0, sizeof(req.ifr_addr));
        req.ifr_addr.sa_family = AF_INET;
        ioctl(sock, SIOCSIFADDR, &req);
-       
+
        /* detach interface */
        ioctl(sock, IPSEC_DEL_DEV, &req);
-       
+
        close(sock);
        return SUCCESS;
 }
@@ -415,10 +415,10 @@ typedef struct route_entry_t route_entry_t;
 struct route_entry_t {
        /** Name of the interface the route is bound to */
        char *if_name;
-       
+
        /** Source ip of the route */
        host_t *src_ip;
-       
+
        /** Gateway for this route */
        host_t *gateway;
 
@@ -447,13 +447,13 @@ typedef struct policy_entry_t policy_entry_t;
  * installed kernel policy.
  */
 struct policy_entry_t {
-       
+
        /** reqid of this policy, if setup as trap */
        u_int32_t reqid;
-       
+
        /** direction of this policy: in, out, forward */
        u_int8_t direction;
-       
+
        /** parameters of installed policy */
        struct {
                /** subnet and port */
@@ -463,13 +463,13 @@ struct policy_entry_t {
                /** protocol */
                u_int8_t proto;
        } src, dst;
-       
+
        /** associated route installed for this policy */
        route_entry_t *route;
-       
+
        /** by how many CHILD_SA's this policy is actively used */
        u_int activecount;
-       
+
        /** by how many CHILD_SA's this policy is trapped */
        u_int trapcount;
 };
@@ -499,22 +499,22 @@ static bool is_host_in_net(host_t *host, host_t *net, u_int8_t mask)
        static const u_char bitmask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
        chunk_t host_chunk, net_chunk;
        int bytes = mask / 8, bits = mask % 8;
-       
+
        host_chunk = host->get_address(host);
        net_chunk = net->get_address(net);
-       
+
        if (host_chunk.len != net_chunk.len)
        {
                return FALSE;
        }
-       
+
        if (memeq(host_chunk.ptr, net_chunk.ptr, bytes))
        {
                return (bits == 0) ||
-                          (host_chunk.ptr[bytes] & bitmask[bits]) == 
+                          (host_chunk.ptr[bytes] & bitmask[bits]) ==
                                   (net_chunk.ptr[bytes] & bitmask[bits]);
        }
-       
+
        return FALSE;
 }
 
@@ -530,15 +530,15 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
        policy->route = NULL;
        policy->activecount = 0;
        policy->trapcount = 0;
-       
+
        src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
        dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
-       
+
        /* src or dest proto may be "any" (0), use more restrictive one */
        policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
-       policy->src.proto = policy->src.proto ? policy->src.proto : 0; 
+       policy->src.proto = policy->src.proto ? policy->src.proto : 0;
        policy->dst.proto = policy->src.proto;
-       
+
        return policy;
 }
 
@@ -585,25 +585,25 @@ typedef struct sa_entry_t sa_entry_t;
  * - installed inbound SAs with enabled UDP encapsulation
  */
 struct sa_entry_t {
-       
+
        /** protocol of this SA */
        protocol_id_t protocol;
-       
+
        /** reqid of this SA */
        u_int32_t reqid;
-       
+
        /** SPI of this SA */
        u_int32_t spi;
-       
+
        /** src address of this SA */
        host_t *src;
-       
+
        /** dst address of this SA */
        host_t *dst;
-       
+
        /** TRUE if this SA uses UDP encapsulation */
        bool encap;
-       
+
        /** TRUE if this SA is inbound */
        bool inbound;
 };
@@ -672,8 +672,8 @@ struct pfkey_msg_t
         * PF_KEY message base
         */
        struct sadb_msg *msg;
-       
-       
+
+
        /**
         * PF_KEY message extensions
         */
@@ -761,7 +761,7 @@ struct kernel_algorithm_t {
         * Identifier specified in IKEv2
         */
        int ikev2;
-       
+
        /**
         * Identifier as defined in pfkeyv2.h
         */
@@ -884,7 +884,7 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst,
 {
        struct sadb_x_nat_t_type* nat_type;
        struct sadb_x_nat_t_port* nat_port;
-       
+
        if (!ports_only)
        {
                nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
@@ -893,13 +893,13 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst,
                nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
                PFKEY_EXT_ADD(msg, nat_type);
        }
-       
+
        nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
        nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
        nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
        nat_port->sadb_x_nat_t_port_port = src->get_port(src);
        PFKEY_EXT_ADD(msg, nat_port);
-       
+
        nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
        nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
        nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
@@ -917,19 +917,19 @@ static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
        struct sadb_sa *sa;
        struct sadb_protocol *proto;
        host_t *host;
-       
+
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_X_ADDFLOW;
        msg->sadb_msg_satype = satype;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_spi = spi;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_flags = replace ? SADB_X_SAFLAGS_REPLACEFLOW : 0;
        PFKEY_EXT_ADD(msg, sa);
-       
+
        if (!src)
        {
                add_anyaddr_ext(msg, src_net->get_family(src_net), SADB_EXT_ADDRESS_SRC);
@@ -938,7 +938,7 @@ static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
        {
                add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
        }
-       
+
        if (!dst)
        {
                add_anyaddr_ext(msg, dst_net->get_family(dst_net), SADB_EXT_ADDRESS_DST);
@@ -947,18 +947,18 @@ static void build_addflow(struct sadb_msg *msg, u_int8_t satype, u_int32_t spi,
        {
                add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
        }
-       
+
        add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
        add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
-       
+
        host = mask2host(src_net->get_family(src_net), src_mask);
        add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
        host->destroy(host);
-       
+
        host = mask2host(dst_net->get_family(dst_net), dst_mask);
        add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
        host->destroy(host);
-       
+
        proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
        proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
        proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
@@ -975,25 +975,25 @@ static void build_delflow(struct sadb_msg *msg, u_int8_t satype,
 {
        struct sadb_protocol *proto;
        host_t *host;
-       
+
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_X_DELFLOW;
        msg->sadb_msg_satype = satype;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        add_addr_ext(msg, src_net, SADB_X_EXT_ADDRESS_SRC_FLOW);
        add_addr_ext(msg, dst_net, SADB_X_EXT_ADDRESS_DST_FLOW);
-       
+
        host = mask2host(src_net->get_family(src_net),
                                         src_mask);
        add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_SRC_MASK);
        host->destroy(host);
-       
+
        host = mask2host(dst_net->get_family(dst_net),
                                         dst_mask);
        add_addr_ext(msg, host, SADB_X_EXT_ADDRESS_DST_MASK);
        host->destroy(host);
-       
+
        proto = (struct sadb_protocol*)PFKEY_EXT_ADD_NEXT(msg);
        proto->sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
        proto->sadb_protocol_len = PFKEY_LEN(sizeof(struct sadb_protocol));
@@ -1008,15 +1008,15 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 {
        struct sadb_ext* ext;
        size_t len;
-       
+
        memset(out, 0, sizeof(pfkey_msg_t));
        out->msg = msg;
-       
+
        len = msg->sadb_msg_len;
        len -= PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
-       
+
        while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
        {
                if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
@@ -1025,19 +1025,19 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
                        DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
                        break;
                }
-               
+
                if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
                {
                        DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
                        break;
                }
-               
+
                if (out->ext[ext->sadb_ext_type])
                {
-                       DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);                   
+                       DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);
                        break;
                }
-               
+
                out->ext[ext->sadb_ext_type] = ext;
                ext = PFKEY_EXT_NEXT_LEN(ext, len);
        }
@@ -1047,7 +1047,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
                DBG1(DBG_KNL, "PF_KEY message length is invalid");
                return FAILED;
        }
-       
+
        return SUCCESS;
 }
 
@@ -1060,7 +1060,7 @@ static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket
        unsigned char buf[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg;
        int in_len, len;
-       
+
        this->mutex_pfkey->lock(this->mutex_pfkey);
 
        in->sadb_msg_seq = ++this->seq;
@@ -1093,13 +1093,13 @@ static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket
                }
                break;
        }
-       
+
        while (TRUE)
-       {       
+       {
                msg = (struct sadb_msg*)buf;
-               
+
                len = recv(socket, buf, sizeof(buf), 0);
-               
+
                if (len < 0)
                {
                        if (errno == EINTR)
@@ -1149,13 +1149,13 @@ static status_t pfkey_send_socket(private_kernel_klips_ipsec_t *this, int socket
                }
                break;
        }
-       
+
        *out_len = len;
        *out = (struct sadb_msg*)malloc(len);
        memcpy(*out, buf, len);
-               
+
        this->mutex_pfkey->unlock(this->mutex_pfkey);
-       
+
        return SUCCESS;
 }
 
@@ -1175,7 +1175,7 @@ static status_t pfkey_send_ack(private_kernel_klips_ipsec_t *this, struct sadb_m
 {
        struct sadb_msg *out;
        size_t len;
-       
+
        if (pfkey_send(this, in, &out, &len) != SUCCESS)
        {
                return FAILED;
@@ -1200,12 +1200,12 @@ static status_t add_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg = (struct sadb_msg*)request;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        build_addflow(msg, satype, spi, src, dst, src_net, src_mask,
                        dst_net, dst_mask, protocol, replace);
-       
+
        return pfkey_send_ack(this, msg);
 }
 
@@ -1218,11 +1218,11 @@ static status_t del_eroute(private_kernel_klips_ipsec_t *this, u_int8_t satype,
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg = (struct sadb_msg*)request;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        build_delflow(msg, satype, src_net, src_mask, dst_net, dst_mask, protocol);
-       
+
        return pfkey_send_ack(this, msg);
 }
 
@@ -1237,7 +1237,7 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg*
        u_int8_t proto;
        policy_entry_t *policy;
        job_t *job;
-       
+
        switch (msg->sadb_msg_satype)
        {
                case SADB_SATYPE_UNSPEC:
@@ -1248,13 +1248,13 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg*
                        /* acquire for AH/ESP only */
                        return;
        }
-       
+
        if (parse_pfkey_message(msg, &response) != SUCCESS)
        {
                DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
                return;
        }
-       
+
        /* KLIPS provides us only with the source and destination address,
         * and the transport protocol of the packet that triggered the policy.
         * we use this information to find a matching policy in our cache.
@@ -1269,7 +1269,7 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg*
                DBG1(DBG_KNL, "received an SADB_ACQUIRE with invalid hosts");
                return;
        }
-       
+
        DBG2(DBG_KNL, "received an SADB_ACQUIRE for %H == %H : %d", src, dst, proto);
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -1286,17 +1286,17 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg*
                DBG1(DBG_KNL, "received an SADB_ACQUIRE, but policy is not routed anymore");
                return;
        }
-       
+
        /* add a broad %hold eroute that replaces the %trap eroute */
        add_eroute(this, SADB_X_SATYPE_INT, htonl(SPI_HOLD), NULL, NULL,
                        policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
                        policy->src.proto, TRUE);
-       
+
        /* remove the narrow %hold eroute installed by KLIPS */
        del_eroute(this, SADB_X_SATYPE_INT, src, 32, dst, 32, proto);
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        DBG2(DBG_KNL, "received an SADB_ACQUIRE");
        DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
        job = (job_t*)acquire_job_create(reqid, NULL, NULL);
@@ -1312,23 +1312,23 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg*
        u_int32_t spi, reqid;
        host_t *old_src, *new_src;
        job_t *job;
-       
+
        DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
-       
+
        if (parse_pfkey_message(msg, &response) != SUCCESS)
        {
                DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
                return;
        }
-       
+
        spi = response.sa->sadb_sa_spi;
-       
+
        if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
        {
                sa_entry_t *sa;
                sockaddr_t *addr = (sockaddr_t*)(response.src + 1);
                old_src = host_create_from_sockaddr(addr);
-               
+
                this->mutex->lock(this->mutex);
                if (!old_src || this->installed_sas->find_first(this->installed_sas,
                                (linked_list_match_t)sa_entry_match_encapbysrc,
@@ -1340,7 +1340,7 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg*
                }
                reqid = sa->reqid;
                this->mutex->unlock(this->mutex);
-               
+
                addr = (sockaddr_t*)(response.dst + 1);
                switch (addr->sa_family)
                {
@@ -1352,7 +1352,7 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg*
                        case AF_INET6:
                        {
                                struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr;
-                               sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);                         
+                               sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
                        }
                        default:
                                break;
@@ -1376,11 +1376,11 @@ static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
        unsigned char buf[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg = (struct sadb_msg*)buf;
        int len, oldstate;
-       
+
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
        len = recv(this->socket_events, buf, sizeof(buf), 0);
        pthread_setcancelstate(oldstate, NULL);
-       
+
        if (len < 0)
        {
                switch (errno)
@@ -1397,7 +1397,7 @@ static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
                                return JOB_REQUEUE_FAIR;
                }
        }
-       
+
        if (len < sizeof(struct sadb_msg) ||
                msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
        {
@@ -1413,7 +1413,7 @@ static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
                DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
                return JOB_REQUEUE_DIRECT;
        }
-       
+
        switch (msg->sadb_msg_type)
        {
                case SADB_ACQUIRE:
@@ -1433,7 +1433,7 @@ static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
                default:
                        break;
        }
-       
+
        return JOB_REQUEUE_DIRECT;
 }
 
@@ -1473,11 +1473,11 @@ static job_requeue_t sa_expires(sa_expire_t *expire)
        sa_entry_t *cached_sa;
        linked_list_t *list;
        job_t *job;
-       
+
        /* for an expired SPI we first check whether the CHILD_SA got installed
         * in the meantime, for expired SAs we check whether they are still installed */
        list = expire->type == EXPIRE_TYPE_SPI ? this->allocated_spis : this->installed_sas;
-       
+
        this->mutex->lock(this->mutex);
        if (list->find_first(list, (linked_list_match_t)sa_entry_match_byid,
                        (void**)&cached_sa, &protocol, &spi, &reqid) != SUCCESS)
@@ -1494,10 +1494,10 @@ static job_requeue_t sa_expires(sa_expire_t *expire)
                sa_entry_destroy(cached_sa);
        }
        this->mutex->unlock(this->mutex);
-       
+
        DBG2(DBG_KNL, "%N CHILD_SA with SPI %.8x and reqid {%d} expired",
                        protocol_id_names, protocol, ntohl(spi), reqid);
-       
+
        DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
                 hard ? "delete" : "rekey",  protocol_id_names,
                 protocol, ntohl(spi), reqid);
@@ -1514,7 +1514,7 @@ static job_requeue_t sa_expires(sa_expire_t *expire)
 }
 
 /**
- * Schedule an expire job for an SA. Time is in seconds. 
+ * Schedule an expire job for an SA. Time is in seconds.
  */
 static void schedule_expire(private_kernel_klips_ipsec_t *this,
                                                        protocol_id_t protocol, u_int32_t spi,
@@ -1534,8 +1534,8 @@ static void schedule_expire(private_kernel_klips_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.get_spi.
  */
-static status_t get_spi(private_kernel_klips_ipsec_t *this, 
-                                               host_t *src, host_t *dst, 
+static status_t get_spi(private_kernel_klips_ipsec_t *this,
+                                               host_t *src, host_t *dst,
                                                protocol_id_t protocol, u_int32_t reqid,
                                                u_int32_t *spi)
 {
@@ -1545,7 +1545,7 @@ static status_t get_spi(private_kernel_klips_ipsec_t *this,
         */
        rng_t *rng;
        u_int32_t spi_gen;
-       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
        if (!rng)
        {
@@ -1554,29 +1554,29 @@ static status_t get_spi(private_kernel_klips_ipsec_t *this,
        }
        rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen);
        rng->destroy(rng);
-       
+
        /* charon's SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
        spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF);
-       
+
        DBG2(DBG_KNL, "allocated SPI %.8x for %N SA between %#H..%#H",
                        spi_gen, protocol_id_names, protocol, src, dst);
-       
+
        *spi = htonl(spi_gen);
-       
+
        this->mutex->lock(this->mutex);
        this->allocated_spis->insert_last(this->allocated_spis,
                        create_sa_entry(protocol, *spi, reqid, NULL, NULL, FALSE, TRUE));
        this->mutex->unlock(this->mutex);
        schedule_expire(this, protocol, *spi, reqid, EXPIRE_TYPE_SPI, SPI_TIMEOUT);
-       
+
        return SUCCESS;
 }
 
 /**
  * Implementation of kernel_interface_t.get_cpi.
  */
-static status_t get_cpi(private_kernel_klips_ipsec_t *this, 
-                                               host_t *src, host_t *dst, 
+static status_t get_cpi(private_kernel_klips_ipsec_t *this,
+                                               host_t *src, host_t *dst,
                                                u_int32_t reqid, u_int16_t *cpi)
 {
        return FAILED;
@@ -1592,27 +1592,27 @@ static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
        struct sadb_msg *msg, *out;
        struct sadb_sa *sa;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "adding pseudo IPIP SA with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_ADD;
        msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_spi = spi;
        sa->sadb_sa_state = SADB_SASTATE_MATURE;
        PFKEY_EXT_ADD(msg, sa);
-       
+
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to add pseudo IPIP SA with SPI %.8x", ntohl(spi));
@@ -1625,7 +1625,7 @@ static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        free(out);
        return SUCCESS;
 }
@@ -1642,41 +1642,41 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
        struct sadb_sa *sa;
        struct sadb_x_satype *satype;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "grouping SAs with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_X_GRPSA;
        msg->sadb_msg_satype = SADB_X_SATYPE_IPIP;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_spi = spi;
        sa->sadb_sa_state = SADB_SASTATE_MATURE;
        PFKEY_EXT_ADD(msg, sa);
-       
+
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-       
+
        satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg);
        satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
        satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype));
        satype->sadb_x_satype_satype = proto_ike2satype(protocol);
        PFKEY_EXT_ADD(msg, satype);
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_X_EXT_SA2;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_spi = spi;
        sa->sadb_sa_state = SADB_SASTATE_MATURE;
        PFKEY_EXT_ADD(msg, sa);
-       
+
        add_addr_ext(msg, dst, SADB_X_EXT_ADDRESS_DST2);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to group SAs with SPI %.8x", ntohl(spi));
@@ -1689,7 +1689,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        free(out);
        return SUCCESS;
 }
@@ -1711,7 +1711,7 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
        struct sadb_sa *sa;
        struct sadb_key *key;
        size_t len;
-       
+
        if (inbound)
        {
                /* for inbound SAs we allocated an SPI via get_spi, so we first check
@@ -1733,17 +1733,17 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
                }
                this->mutex->unlock(this->mutex);
        }
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_ADD;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
@@ -1753,10 +1753,10 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
        sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
        sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
        PFKEY_EXT_ADD(msg, sa);
-       
+
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-       
+
        if (enc_alg != ENCR_UNDEFINED)
        {
                if (!sa->sadb_sa_encrypt)
@@ -1767,16 +1767,16 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
                }
                DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
                         encryption_algorithm_names, enc_alg, enc_key.len * 8);
-               
+
                key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
                key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
                key->sadb_key_bits = enc_key.len * 8;
                key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
                memcpy(key + 1, enc_key.ptr, enc_key.len);
-               
+
                PFKEY_EXT_ADD(msg, key);
        }
-       
+
        if (int_alg != AUTH_UNDEFINED)
        {
                if (!sa->sadb_sa_auth)
@@ -1787,26 +1787,26 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
                }
                DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
                         integrity_algorithm_names, int_alg, int_key.len * 8);
-               
+
                key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
                key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
                key->sadb_key_bits = int_key.len * 8;
                key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
                memcpy(key + 1, int_key.ptr, int_key.len);
-               
+
                PFKEY_EXT_ADD(msg, key);
        }
-       
+
        if (ipcomp != IPCOMP_NONE)
        {
                /*TODO*/
        }
-       
+
        if (encap)
        {
                add_encap_ext(msg, src, dst, FALSE);
        }
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
@@ -1820,7 +1820,7 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
                return FAILED;
        }
        free(out);
-       
+
        /* for tunnel mode SAs we have to install an additional IPIP SA and
         * group the two SAs together */
        if (mode == MODE_TUNNEL)
@@ -1832,7 +1832,7 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
                        return FAILED;
                }
        }
-       
+
        this->mutex->lock(this->mutex);
        /* we cache this SA for two reasons:
         * - in case an SADB_X_NAT_T_MAPPING_NEW event occurs (we need to find the reqid then)
@@ -1840,7 +1840,7 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
        this->installed_sas->insert_last(this->installed_sas,
                                create_sa_entry(protocol, spi, reqid, src, dst, encap, inbound));
        this->mutex->unlock(this->mutex);
-       
+
        /* Although KLIPS supports SADB_EXT_LIFETIME_SOFT/HARD, we handle the lifetime
         * of SAs manually in the plugin. Refer to the comments in receive_events()
         * for details. */
@@ -1848,12 +1848,12 @@ static status_t add_sa(private_kernel_klips_ipsec_t *this,
        {
                schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_SOFT, lifetime->time.rekey);
        }
-       
+
        if (lifetime->time.life)
        {
                schedule_expire(this, protocol, spi, reqid, EXPIRE_TYPE_HARD, lifetime->time.life);
        }
-               
+
        return SUCCESS;
 }
 
@@ -1870,7 +1870,7 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
        struct sadb_msg *msg, *out;
        struct sadb_sa *sa;
        size_t len;
-       
+
        /* we can't update the SA if any of the ip addresses have changed.
         * that's because we can't use SADB_UPDATE and by deleting and readding the
         * SA the sequence numbers would get lost */
@@ -1881,7 +1881,7 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
                                " are not supported", ntohl(spi));
                return NOT_SUPPORTED;
        }
-       
+
        /* because KLIPS does not allow us to change the NAT-T type in an SADB_UPDATE,
         * we can't update the SA if the encap flag has changed since installing it */
        if (encap != new_encap)
@@ -1890,18 +1890,18 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
                                " encapsulation is not supported", ntohl(spi));
                return NOT_SUPPORTED;
        }
-       
+
        DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
                 ntohl(spi), src, dst, new_src, new_dst);
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_UPDATE;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
@@ -1910,12 +1910,12 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
        sa->sadb_sa_auth = SADB_AALG_SHA1HMAC; /* ignored */
        sa->sadb_sa_state = SADB_SASTATE_MATURE;
        PFKEY_EXT_ADD(msg, sa);
-       
+
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-                       
+
        add_encap_ext(msg, new_src, new_dst, TRUE);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
@@ -1929,7 +1929,7 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
                return FAILED;
        }
        free(out);
-       
+
        return SUCCESS;
 }
 
@@ -1955,13 +1955,13 @@ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
        struct sadb_sa *sa;
        sa_entry_t *cached_sa;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        /* all grouped SAs are automatically deleted by KLIPS as soon as
         * one of them is deleted, therefore we delete only the main one */
        DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-       
+
        this->mutex->lock(this->mutex);
        /* this should not fail, but we don't care if it does, let the kernel decide
         * whether this SA exists or not */
@@ -1973,24 +1973,24 @@ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
                sa_entry_destroy(cached_sa);
        }
        this->mutex->unlock(this->mutex);
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_DELETE;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_spi = spi;
        PFKEY_EXT_ADD(msg, sa);
-       
+
        /* the kernel wants an SADB_EXT_ADDRESS_SRC to be present even though
         * it is not used for anything. */
        add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
@@ -2003,7 +2003,7 @@ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
                free(out);
                return FAILED;
        }
-       
+
        DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
        free(out);
        return SUCCESS;
@@ -2012,7 +2012,7 @@ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
 /**
  * Implementation of kernel_interface_t.add_policy.
  */
-static status_t add_policy(private_kernel_klips_ipsec_t *this, 
+static status_t add_policy(private_kernel_klips_ipsec_t *this,
                                                   host_t *src, host_t *dst,
                                                   traffic_selector_t *src_ts,
                                                   traffic_selector_t *dst_ts,
@@ -2025,21 +2025,21 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
        struct sadb_msg *msg, *out;
        policy_entry_t *policy, *found = NULL;
        u_int8_t satype;
-       size_t len;     
-       
+       size_t len;
+
        if (direction == POLICY_FWD)
        {
                /* no forward policies for KLIPS */
                return SUCCESS;
        }
-       
+
        /* tunnel mode policies direct the packets into the pseudo IPIP SA */
        satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
                                                                         proto_ike2satype(protocol);
-       
+
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction);
-       
+
        /* find a matching policy */
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -2057,21 +2057,21 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
                /* apply the new one, if we have no such policy */
                this->policies->insert_last(this->policies, policy);
        }
-               
+
        if (routed)
        {
                /* we install this as a %trap eroute in the kernel, later to be
                 * triggered by packets matching the policy (-> ACQUIRE). */
                spi = htonl(SPI_TRAP);
                satype = SADB_X_SATYPE_INT;
-               
+
                /* the reqid is always set to the latest child SA that trapped this
                 * policy. we will need this reqid upon receiving an acquire. */
                policy->reqid = reqid;
-               
+
                /* increase the trap counter */
                policy->trapcount++;
-               
+
                if (policy->activecount)
                {
                        /* we do not replace the current policy in the kernel while a
@@ -2085,21 +2085,21 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
                /* increase the reference counter */
                policy->activecount++;
        }
-       
+
        DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
-       
+
        /* FIXME: SADB_X_SAFLAGS_INFLOW may be required, if we add an inbound policy for an IPIP SA */
        build_addflow(msg, satype, spi, routed ? NULL : src, routed ? NULL : dst,
                        policy->src.net, policy->src.mask, policy->dst.net, policy->dst.mask,
                        policy->src.proto, found != NULL);
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
@@ -2115,9 +2115,9 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
                return FAILED;
        }
        free(out);
-       
+
        this->mutex->lock(this->mutex);
-       
+
        /* we try to find the policy again and install the route if needed */
        if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
        {
@@ -2126,7 +2126,7 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
                                src_ts, dst_ts, policy_dir_names, direction);
                return SUCCESS;
        }
-       
+
        /* KLIPS requires a special route that directs traffic that matches this
         * policy to one of the virtual ipsec interfaces. The virtual interface
         * has to be attached to the physical one the traffic runs over.
@@ -2144,19 +2144,19 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
                ipsec_dev_t *dev;
                route_entry_t *route = malloc_thing(route_entry_t);
                route->src_ip = NULL;
-               
+
                if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
                        this->install_routes)
                {
                        charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
                                                src_ts, &route->src_ip);
                }
-               
+
                if (!route->src_ip)
                {
                        route->src_ip = host_create_any(src->get_family(src));
                }
-               
+
                /* find the virtual interface */
                iface = charon->kernel_interface->get_interface(charon->kernel_interface,
                                                                                                                src);
@@ -2203,13 +2203,13 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
                }
                free(iface);
                route->if_name = strdup(dev->name);
-               
+
                /* get the nexthop to dst */
                route->gateway = charon->kernel_interface->get_nexthop(
                                                                                charon->kernel_interface, dst);
                route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net));
                route->prefixlen = policy->dst.mask;
-               
+
                switch (charon->kernel_interface->add_route(charon->kernel_interface,
                                route->dst_net, route->prefixlen, route->gateway,
                                route->src_ip, route->if_name))
@@ -2227,10 +2227,10 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
                                policy->route = route;
                                break;
                }
-       }       
-       
-       this->mutex->unlock(this->mutex);       
-       
+       }
+
+       this->mutex->unlock(this->mutex);
+
        return SUCCESS;
 }
 
@@ -2238,7 +2238,7 @@ static status_t add_policy(private_kernel_klips_ipsec_t *this,
  * Implementation of kernel_interface_t.query_policy.
  */
 static status_t query_policy(private_kernel_klips_ipsec_t *this,
-                                                        traffic_selector_t *src_ts, 
+                                                        traffic_selector_t *src_ts,
                                                         traffic_selector_t *dst_ts,
                                                         policy_dir_t direction, u_int32_t *use_time)
 {
@@ -2250,19 +2250,19 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
        char *said = NULL, *pos;
        policy_entry_t *policy, *found = NULL;
        status_t status = FAILED;
-       
+
        if (direction == POLICY_FWD)
        {
                /* we do not install forward policies */
                return FAILED;
        }
-       
+
        DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
-       
+
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction);
-       
+
        /* find a matching policy */
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -2276,7 +2276,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
        }
        policy_entry_destroy(policy);
        policy = found;
-       
+
        /* src and dst selectors in KLIPS are of the form NET_ADDR/NETBITS:PROTO */
        snprintf(src, sizeof(src), "%H/%d:%d", policy->src.net, policy->src.mask,
                        policy->src.proto);
@@ -2284,9 +2284,9 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
        snprintf(dst, sizeof(dst), "%H/%d:%d", policy->dst.net, policy->dst.mask,
                        policy->dst.proto);
        dst[sizeof(dst) - 1] = '\0';
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        /* we try to find the matching eroute first */
        file = fopen(path_eroute, "r");
        if (file == NULL)
@@ -2295,7 +2295,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
                                dst_ts, policy_dir_names, direction, strerror(errno), errno);
                return FAILED;
        }
-       
+
        /* read line by line where each line looks like:
         * packets  src  ->  dst  =>  said */
        while (fgets(line, sizeof(line), file))
@@ -2303,7 +2303,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
                enumerator_t *enumerator;
                char *token;
                int i = 0;
-               
+
                enumerator = enumerator_create_token(line, " \t", " \t\n");
                while (enumerator->enumerate(enumerator, &token))
                {
@@ -2334,7 +2334,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
                        break;
                }
                enumerator->destroy(enumerator);
-               
+
                if (i == 5)
                {
                        /* eroute matched */
@@ -2342,19 +2342,19 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
                }
        }
        fclose(file);
-       
+
        if (said == NULL)
        {
                DBG1(DBG_KNL, "unable to query policy %R === %R %N: found no matching"
                                " eroute", src_ts, dst_ts, policy_dir_names, direction);
                return FAILED;
        }
-       
+
        /* compared with the one in the spi entry the SA ID from the eroute entry
         * has an additional ":PROTO" appended, which we need to cut off */
        pos = strrchr(said, ':');
        *pos = '\0';
-       
+
        /* now we try to find the matching spi entry */
        file = fopen(path_spi, "r");
        if (file == NULL)
@@ -2363,7 +2363,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
                                dst_ts, policy_dir_names, direction, strerror(errno), errno);
                return FAILED;
        }
-       
+
        while (fgets(line, sizeof(line), file))
        {
                if (strneq(line, said, strlen(said)))
@@ -2381,7 +2381,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
                                /* idle time not valid */
                                break;
                        }
-                       
+
                        *use_time = time_monotonic(NULL) - idle_time;
                        status = SUCCESS;
                        break;
@@ -2389,7 +2389,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
        }
        fclose(file);
        free(said);
-       
+
        return status;
 }
 
@@ -2397,7 +2397,7 @@ static status_t query_policy(private_kernel_klips_ipsec_t *this,
  * Implementation of kernel_interface_t.del_policy.
  */
 static status_t del_policy(private_kernel_klips_ipsec_t *this,
-                                                  traffic_selector_t *src_ts, 
+                                                  traffic_selector_t *src_ts,
                                                   traffic_selector_t *dst_ts,
                                                   policy_dir_t direction, bool unrouted)
 {
@@ -2406,19 +2406,19 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
        policy_entry_t *policy, *found = NULL;
        route_entry_t *route;
        size_t len;
-       
+
        if (direction == POLICY_FWD)
        {
                /* no forward policies for KLIPS */
                return SUCCESS;
        }
-       
+
        DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
-       
+
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction);
-       
+
        /* find a matching policy */
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -2431,10 +2431,10 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
                return NOT_FOUND;
        }
        policy_entry_destroy(policy);
-       
+
        /* decrease appropriate counter */
        unrouted ? found->trapcount-- : found->activecount--;
-       
+
        if (found->trapcount == 0)
        {
                /* if this policy is finally unrouted, we reset the reqid because it
@@ -2442,7 +2442,7 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
                 * this policy. */
                found->reqid = 0;
        }
-       
+
        if (found->activecount > 0)
        {
                /* is still used by SAs, keep in kernel */
@@ -2462,22 +2462,22 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
                this->mutex->unlock(this->mutex);
                return pfkey_send_ack(this, msg);
        }
-       
+
        /* remove if last reference */
        this->policies->remove(this->policies, found, NULL);
        policy = found;
-       
+
        this->mutex->unlock(this->mutex);
-               
+
        memset(&request, 0, sizeof(request));
-       
+
        build_delflow(msg, 0, policy->src.net, policy->src.mask, policy->dst.net,
                        policy->dst.mask, policy->src.proto);
-       
+
        route = policy->route;
        policy->route = NULL;
        policy_entry_destroy(policy);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
@@ -2493,11 +2493,11 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
                return FAILED;
        }
        free(out);
-       
+
        if (route)
        {
                ipsec_dev_t *dev;
-               
+
                if (charon->kernel_interface->del_route(charon->kernel_interface,
                                route->dst_net, route->prefixlen, route->gateway,
                                route->src_ip, route->if_name) != SUCCESS)
@@ -2506,11 +2506,11 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
                                                  " policy %R === %R %N", src_ts, dst_ts,
                                                   policy_dir_names, direction);
                }
-               
+
                /* we have to detach the ipsec interface from the physical one over which
                 * this SA ran (if it is not used by any other) */
                this->mutex->lock(this->mutex);
-               
+
                if (find_ipsec_dev(this, route->if_name, &dev) == SUCCESS)
                {
                        /* fine, we found a matching device object, let's check if we have
@@ -2525,12 +2525,12 @@ static status_t del_policy(private_kernel_klips_ipsec_t *this,
                                dev->phys_name[0] = '\0';
                        }
                }
-               
+
                this->mutex->unlock(this->mutex);
-               
+
                route_entry_destroy(route);
        }
-       
+
        return SUCCESS;
 }
 
@@ -2542,7 +2542,7 @@ static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
        int i, count = lib->settings->get_int(lib->settings,
                                                "charon.plugins.kernel_klips.ipsec_dev_count",
                                                DEFAULT_IPSEC_DEV_COUNT);
-       
+
        for (i = 0; i < count; ++i)
        {
                ipsec_dev_t *dev = malloc_thing(ipsec_dev_t);
@@ -2551,7 +2551,7 @@ static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
                dev->phys_name[0] = '\0';
                dev->refcount = 0;
                this->ipsec_devices->insert_last(this->ipsec_devices, dev);
-               
+
                /* detach any previously attached ipsec device */
                detach_ipsec_dev(dev->name, dev->phys_name);
        }
@@ -2565,15 +2565,15 @@ static status_t register_pfkey_socket(private_kernel_klips_ipsec_t *this, u_int8
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_REGISTER;
        msg->sadb_msg_satype = satype;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to register PF_KEY socket");
@@ -2613,7 +2613,7 @@ static void destroy(private_kernel_klips_ipsec_t *this)
 kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 {
        private_kernel_klips_ipsec_t *this = malloc_thing(private_kernel_klips_ipsec_t);
-       
+
        /* public functions */
        this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
@@ -2624,7 +2624,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
        this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-       
+
        this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
 
        /* private members */
@@ -2636,34 +2636,34 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
        this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
        this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
        this->seq = 0;
-       
+
        /* initialize ipsec devices */
        init_ipsec_devices(this);
-       
+
        /* create a PF_KEY socket to communicate with the kernel */
        this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
        if (this->socket <= 0)
        {
                charon->kill(charon, "unable to create PF_KEY socket");
        }
-       
+
        /* create a PF_KEY socket for ACQUIRE & EXPIRE */
        this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
        if (this->socket_events <= 0)
        {
                charon->kill(charon, "unable to create PF_KEY event socket");
        }
-       
+
        /* register the event socket */
        if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
                register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
        {
                charon->kill(charon, "unable to register PF_KEY event socket");
        }
-       
+
        this->job = callback_job_create((callback_job_cb_t)receive_events,
                                                                        this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        return &this->public;
 }
index d153ea8afea1628bcde16c4165fd4d805c88d4a2..b0117c10c3cd398a527ba7979ce7beb60b3db11d 100644 (file)
@@ -47,10 +47,10 @@ static void destroy(private_kernel_klips_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
-       
+
        return &this->public.plugin;
 }
index 78d3dfa917d4878ccf15073cfadc613f9cf2b1b9..20d1c298d4fbd0774c77b7a854c5e32d6197d493 100644 (file)
@@ -169,7 +169,7 @@ struct sadb_x_satype {
   uint8_t sadb_x_satype_satype;
   uint8_t sadb_x_satype_reserved[3];
 };
-  
+
 struct sadb_x_debug {
   uint16_t sadb_x_debug_len;
   uint16_t sadb_x_debug_exttype;
@@ -200,7 +200,7 @@ struct sadb_x_nat_t_port {
   uint16_t sadb_x_nat_t_port_port;
   uint16_t sadb_x_nat_t_port_reserved;
 };
-  
+
 /*
  * A protocol structure for passing through the transport level
  * protocol.  It contains more fields than are actually used/needed
index cdd2436c5a9e4d2b8db61a59b0a6af89326ab897..bce6016c57f7d37c903109ef66574edeeaf1c166 100644 (file)
@@ -75,8 +75,8 @@
 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
 
 /**
- * returns a pointer to the first rtattr following the nlmsghdr *nlh and the 
- * 'usual' netlink data x like 'struct xfrm_usersa_info' 
+ * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
+ * 'usual' netlink data x like 'struct xfrm_usersa_info'
  */
 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
 /**
@@ -85,8 +85,8 @@
  */
 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
 /**
- * returns the total size of attached rta data 
- * (after 'usual' netlink data x like 'struct xfrm_usersa_info') 
+ * returns the total size of attached rta data
+ * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
  */
 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
 
@@ -100,7 +100,7 @@ struct kernel_algorithm_t {
         * Identifier specified in IKEv2
         */
        int ikev2;
-               
+
        /**
         * Name of the algorithm in linux crypto API
         */
@@ -239,10 +239,10 @@ typedef struct route_entry_t route_entry_t;
 struct route_entry_t {
        /** Name of the interface the route is bound to */
        char *if_name;
-       
+
        /** Source ip of the route */
        host_t *src_ip;
-       
+
        /** gateway for this route */
        host_t *gateway;
 
@@ -271,16 +271,16 @@ typedef struct policy_entry_t policy_entry_t;
  * installed kernel policy.
  */
 struct policy_entry_t {
-       
+
        /** direction of this policy: in, out, forward */
        u_int8_t direction;
-       
+
        /** parameters of installed policy */
        struct xfrm_selector sel;
-       
+
        /** associated route installed for this policy */
        route_entry_t *route;
-       
+
        /** by how many CHILD_SA's this policy is used */
        u_int refcount;
 };
@@ -313,32 +313,32 @@ struct private_kernel_netlink_ipsec_t {
         * Public part of the kernel_netlink_t object.
         */
        kernel_netlink_ipsec_t public;
-       
+
        /**
         * mutex to lock access to various lists
         */
        mutex_t *mutex;
-       
+
        /**
         * Hash table of installed policies (policy_entry_t)
         */
        hashtable_t *policies;
-                
+
        /**
         * job receiving netlink events
         */
        callback_job_t *job;
-       
+
        /**
         * Netlink xfrm socket (IPsec)
         */
        netlink_socket_t *socket_xfrm;
-       
+
        /**
         * netlink xfrm socket to receive acquire and expire events
         */
        int socket_xfrm_events;
-       
+
        /**
         * whether to install routes along policies
         */
@@ -401,7 +401,7 @@ static u_int8_t mode2kernel(ipsec_mode_t mode)
 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
 {
        chunk_t chunk = host->get_address(host);
-       memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));        
+       memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
 }
 
 /**
@@ -410,7 +410,7 @@ static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
 {
        chunk_t chunk;
-       
+
        switch (family)
        {
                case AF_INET:
@@ -428,12 +428,12 @@ static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
 /**
  * convert a traffic selector address range to subnet and its mask.
  */
-static void ts2subnet(traffic_selector_t* ts, 
+static void ts2subnet(traffic_selector_t* ts,
                                          xfrm_address_t *net, u_int8_t *mask)
 {
        host_t *net_host;
        chunk_t net_chunk;
-       
+
        ts->to_subnet(ts, &net_host, mask);
        net_chunk = net_host->get_address(net_host);
        memcpy(net, net_chunk.ptr, net_chunk.len);
@@ -443,7 +443,7 @@ static void ts2subnet(traffic_selector_t* ts,
 /**
  * convert a traffic selector port range to port/portmask
  */
-static void ts2ports(traffic_selector_t* ts, 
+static void ts2ports(traffic_selector_t* ts,
                                         u_int16_t *port, u_int16_t *mask)
 {
        /* linux does not seem to accept complex portmasks. Only
@@ -451,10 +451,10 @@ static void ts2ports(traffic_selector_t* ts,
         * a port range, or to a specific, if we have one port only.
         */
        u_int16_t from, to;
-       
+
        from = ts->get_from_port(ts);
        to = ts->get_to_port(ts);
-       
+
        if (from == to)
        {
                *port = htons(from);
@@ -470,7 +470,7 @@ static void ts2ports(traffic_selector_t* ts,
 /**
  * convert a pair of traffic_selectors to a xfrm_selector
  */
-static struct xfrm_selector ts2selector(traffic_selector_t *src, 
+static struct xfrm_selector ts2selector(traffic_selector_t *src,
                                                                                traffic_selector_t *dst)
 {
        struct xfrm_selector sel;
@@ -485,12 +485,12 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
        ts2ports(src, &sel.sport, &sel.sport_mask);
        sel.ifindex = 0;
        sel.user = 0;
-       
+
        return sel;
 }
 
 /**
- * convert a xfrm_selector to a src|dst traffic_selector 
+ * convert a xfrm_selector to a src|dst traffic_selector
  */
 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
 {
@@ -498,7 +498,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
        u_int8_t prefixlen;
        u_int16_t port = 0;
        host_t *host = NULL;
-       
+
        if (src)
        {
                addr = (u_char*)&sel->saddr;
@@ -517,9 +517,9 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
                        port = htons(sel->dport);
                }
        }
-       
+
        /* The Linux 2.6 kernel does not set the selector's family field,
-        * so as a kludge we additionally test the prefix length. 
+        * so as a kludge we additionally test the prefix length.
         */
        if (sel->family == AF_INET || sel->prefixlen_s == 32)
        {
@@ -529,7 +529,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
        {
                host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
        }
-       
+
        if (host)
        {
                return traffic_selector_create_from_subnet(host, prefixlen,
@@ -550,7 +550,7 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd
        struct rtattr *rta;
        size_t rtasize;
        job_t *job;
-       
+
        acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
        rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
        rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
@@ -598,21 +598,21 @@ static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr
        protocol_id_t protocol;
        u_int32_t spi, reqid;
        struct xfrm_user_expire *expire;
-       
+
        expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
        protocol = proto_kernel2ike(expire->state.id.proto);
        spi = expire->state.id.spi;
        reqid = expire->state.reqid;
-       
+
        DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
-       
+
        if (protocol != PROTO_ESP && protocol != PROTO_AH)
        {
                DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
                                          "which is not a CHILD_SA", ntohl(spi), reqid);
                return;
        }
-       
+
        DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
                 expire->hard ? "delete" : "rekey",  protocol_id_names,
                 protocol, ntohl(spi), reqid);
@@ -648,7 +648,7 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd
        rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
 
        DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
-       
+
        src_ts = selector2ts(&policy_id->sel, TRUE);
        dst_ts = selector2ts(&policy_id->sel, FALSE);
        dir = (policy_dir_t)policy_id->dir;
@@ -717,13 +717,13 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
        u_int32_t spi, reqid;
        struct xfrm_user_mapping *mapping;
        host_t *host;
-       
+
        mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
        spi = mapping->id.spi;
        reqid = mapping->reqid;
-       
+
        DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
-       
+
        if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
        {
                host = xfrm2host(mapping->id.family, &mapping->new_saddr,
@@ -753,7 +753,7 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
        len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
                                   (struct sockaddr*)&addr, &addr_len);
        pthread_setcancelstate(oldstate, NULL);
-       
+
        if (len < 0)
        {
                switch (errno)
@@ -770,12 +770,12 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
                                return JOB_REQUEUE_FAIR;
                }
        }
-       
+
        if (addr.nl_pid != 0)
        {       /* not from kernel. not interested, try another one */
                return JOB_REQUEUE_DIRECT;
        }
-       
+
        while (NLMSG_OK(hdr, len))
        {
                switch (hdr->nlmsg_type)
@@ -813,9 +813,9 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
        struct xfrm_userspi_info *userspi;
        u_int32_t received_spi = 0;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        hdr = (struct nlmsghdr*)request;
        hdr->nlmsg_flags = NLM_F_REQUEST;
        hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
@@ -830,7 +830,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
        userspi->info.family = src->get_family(src);
        userspi->min = min;
        userspi->max = max;
-       
+
        if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
        {
                hdr = out;
@@ -847,7 +847,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
                                case NLMSG_ERROR:
                                {
                                        struct nlmsgerr *err = NLMSG_DATA(hdr);
-                                       
+
                                        DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
                                                 strerror(-err->error), -err->error);
                                        break;
@@ -862,12 +862,12 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
                }
                free(out);
        }
-       
+
        if (received_spi == 0)
        {
                return FAILED;
        }
-       
+
        *spi = received_spi;
        return SUCCESS;
 }
@@ -875,47 +875,47 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.get_spi.
  */
-static status_t get_spi(private_kernel_netlink_ipsec_t *this, 
-                                               host_t *src, host_t *dst, 
+static status_t get_spi(private_kernel_netlink_ipsec_t *this,
+                                               host_t *src, host_t *dst,
                                                protocol_id_t protocol, u_int32_t reqid,
                                                u_int32_t *spi)
 {
        DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-       
+
        if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
                        0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
                return FAILED;
        }
-       
+
        DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
-       
+
        return SUCCESS;
 }
 
 /**
  * Implementation of kernel_interface_t.get_cpi.
  */
-static status_t get_cpi(private_kernel_netlink_ipsec_t *this, 
-                                               host_t *src, host_t *dst, 
+static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
+                                               host_t *src, host_t *dst,
                                                u_int32_t reqid, u_int16_t *cpi)
 {
        u_int32_t received_spi = 0;
 
        DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
-       
+
        if (get_spi_internal(this, src, dst,
                        IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
                return FAILED;
        }
-       
+
        *cpi = htons((u_int16_t)ntohl(received_spi));
-       
+
        DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
-       
+
        return SUCCESS;
 }
 
@@ -935,8 +935,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
        char *alg_name;
        struct nlmsghdr *hdr;
        struct xfrm_usersa_info *sa;
-       u_int16_t icv_size = 64;        
-       
+       u_int16_t icv_size = 64;
+
        /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
         * we are in the recursive call below */
        if (ipcomp != IPCOMP_NONE && cpi != 0)
@@ -947,17 +947,17 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
                           mode, ipcomp, 0, FALSE, inbound);
                ipcomp = IPCOMP_NONE;
        }
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
                 ntohl(spi), reqid);
-       
+
        hdr = (struct nlmsghdr*)request;
        hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
        hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
        hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
-       
+
        sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
        host2xfrm(src, &sa->saddr);
        host2xfrm(dst, &sa->id.daddr);
@@ -980,9 +980,9 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
        sa->lft.hard_add_expires_seconds = lifetime->time.life;
        sa->lft.soft_use_expires_seconds = 0;
        sa->lft.hard_use_expires_seconds = 0;
-       
+
        struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
-       
+
        switch (enc_alg)
        {
                case ENCR_UNDEFINED:
@@ -1013,7 +1013,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
                        }
                        DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
                                 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-                       
+
                        rthdr->rta_type = XFRMA_ALG_AEAD;
                        rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
                        hdr->nlmsg_len += rthdr->rta_len;
@@ -1021,13 +1021,13 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
                        {
                                return FAILED;
                        }
-                       
+
                        algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
                        algo->alg_key_len = enc_key.len * 8;
                        algo->alg_icv_len = icv_size;
                        strcpy(algo->alg_name, alg_name);
                        memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-                       
+
                        rthdr = XFRM_RTA_NEXT(rthdr);
                        break;
                }
@@ -1044,7 +1044,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
                        }
                        DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
                                 encryption_algorithm_names, enc_alg, enc_key.len * 8);
-                       
+
                        rthdr->rta_type = XFRMA_ALG_CRYPT;
                        rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
                        hdr->nlmsg_len += rthdr->rta_len;
@@ -1052,71 +1052,71 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
                        {
                                return FAILED;
                        }
-                       
+
                        algo = (struct xfrm_algo*)RTA_DATA(rthdr);
                        algo->alg_key_len = enc_key.len * 8;
                        strcpy(algo->alg_name, alg_name);
                        memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
-                       
+
                        rthdr = XFRM_RTA_NEXT(rthdr);
                }
        }
-               
+
        if (int_alg  != AUTH_UNDEFINED)
        {
                rthdr->rta_type = XFRMA_ALG_AUTH;
                alg_name = lookup_algorithm(integrity_algs, int_alg);
                if (alg_name == NULL)
                {
-                       DBG1(DBG_KNL, "algorithm %N not supported by kernel!", 
+                       DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
                                 integrity_algorithm_names, int_alg);
                        return FAILED;
                }
                DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
                         integrity_algorithm_names, int_alg, int_key.len * 8);
-               
+
                rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
                hdr->nlmsg_len += rthdr->rta_len;
                if (hdr->nlmsg_len > sizeof(request))
                {
                        return FAILED;
                }
-               
+
                struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
                algo->alg_key_len = int_key.len * 8;
                strcpy(algo->alg_name, alg_name);
                memcpy(algo->alg_key, int_key.ptr, int_key.len);
-               
+
                rthdr = XFRM_RTA_NEXT(rthdr);
        }
-       
+
        if (ipcomp != IPCOMP_NONE)
        {
                rthdr->rta_type = XFRMA_ALG_COMP;
                alg_name = lookup_algorithm(compression_algs, ipcomp);
                if (alg_name == NULL)
                {
-                       DBG1(DBG_KNL, "algorithm %N not supported by kernel!", 
+                       DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
                                 ipcomp_transform_names, ipcomp);
                        return FAILED;
                }
                DBG2(DBG_KNL, "  using compression algorithm %N",
                         ipcomp_transform_names, ipcomp);
-               
+
                rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
                hdr->nlmsg_len += rthdr->rta_len;
                if (hdr->nlmsg_len > sizeof(request))
                {
                        return FAILED;
                }
-               
+
                struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
                algo->alg_key_len = 0;
                strcpy(algo->alg_name, alg_name);
-               
+
                rthdr = XFRM_RTA_NEXT(rthdr);
        }
-       
+
        if (encap)
        {
                rthdr->rta_type = XFRMA_ENCAP;
@@ -1133,13 +1133,13 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
                tmpl->encap_sport = htons(src->get_port(src));
                tmpl->encap_dport = htons(dst->get_port(dst));
                memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-               /* encap_oa could probably be derived from the 
-                * traffic selectors [rfc4306, p39]. In the netlink kernel implementation 
-                * pluto does the same as we do here but it uses encap_oa in the 
-                * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates 
+               /* encap_oa could probably be derived from the
+                * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
+                * pluto does the same as we do here but it uses encap_oa in the
+                * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
                 * the kernel ignores it anyway
                 *   -> does that mean that NAT-T encap doesn't work in transport mode?
-                * No. The reason the kernel ignores NAT-OA is that it recomputes 
+                * No. The reason the kernel ignores NAT-OA is that it recomputes
                 * (or, rather, just ignores) the checksum. If packets pass
                 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
                rthdr = XFRM_RTA_NEXT(rthdr);
@@ -1166,24 +1166,24 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
        size_t len;
        struct rtattr *rta;
        size_t rtasize;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
 
        hdr = (struct nlmsghdr*)request;
        hdr->nlmsg_flags = NLM_F_REQUEST;
        hdr->nlmsg_type = XFRM_MSG_GETAE;
        hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
-       
+
        aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
        aevent_id->flags = XFRM_AE_RVAL;
-       
+
        host2xfrm(dst, &aevent_id->sa_id.daddr);
        aevent_id->sa_id.spi = spi;
        aevent_id->sa_id.proto = proto_ike2kernel(protocol);
        aevent_id->sa_id.family = dst->get_family(dst);
-       
+
        if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
        {
                hdr = out;
@@ -1212,7 +1212,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
                        break;
                }
        }
-       
+
        if (out_aevent == NULL)
        {
                DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
@@ -1220,7 +1220,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        rta = XFRM_RTA(out, struct xfrm_aevent_id);
        rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
        while(RTA_OK(rta, rtasize))
@@ -1234,7 +1234,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
                }
                rta = RTA_NEXT(rta, rtasize);
        }
-       
+
        DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
                                  ntohl(spi));
        free(out);
@@ -1253,7 +1253,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
        struct xfrm_usersa_id *sa_id;
        struct xfrm_usersa_info *sa = NULL;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
 
        DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
@@ -1268,7 +1268,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
        sa_id->spi = spi;
        sa_id->proto = proto_ike2kernel(protocol);
        sa_id->family = dst->get_family(dst);
-       
+
        if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
        {
                hdr = out;
@@ -1297,7 +1297,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
                        break;
                }
        }
-       
+
        if (sa == NULL)
        {
                DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
@@ -1305,7 +1305,7 @@ static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
                return FAILED;
        }
        *bytes = sa->curlft.bytes;
-       
+
        free(out);
        return SUCCESS;
 }
@@ -1319,28 +1319,28 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
        netlink_buf_t request;
        struct nlmsghdr *hdr;
        struct xfrm_usersa_id *sa_id;
-       
+
        /* if IPComp was used, we first delete the additional IPComp SA */
        if (cpi)
        {
                del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
        }
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-       
+
        hdr = (struct nlmsghdr*)request;
        hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
        hdr->nlmsg_type = XFRM_MSG_DELSA;
        hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-       
+
        sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
        host2xfrm(dst, &sa_id->daddr);
        sa_id->spi = spi;
        sa_id->proto = proto_ike2kernel(protocol);
        sa_id->family = dst->get_family(dst);
-       
+
        if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
@@ -1370,30 +1370,30 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
        struct xfrm_encap_tmpl* tmpl = NULL;
        bool got_replay_state = FALSE;
        struct xfrm_replay_state replay;
-       
+
        /* if IPComp is used, we first update the IPComp SA */
        if (cpi)
        {
                update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
                                  src, dst, new_src, new_dst, FALSE, FALSE);
        }
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
-       
+
        /* query the existing SA first */
        hdr = (struct nlmsghdr*)request;
        hdr->nlmsg_flags = NLM_F_REQUEST;
        hdr->nlmsg_type = XFRM_MSG_GETSA;
        hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
-       
+
        sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
        host2xfrm(dst, &sa_id->daddr);
        sa_id->spi = spi;
        sa_id->proto = proto_ike2kernel(protocol);
        sa_id->family = dst->get_family(dst);
-       
+
        if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
        {
                hdr = out;
@@ -1428,13 +1428,13 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        /* try to get the replay state */
        if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
        {
                got_replay_state = TRUE;
        }
-       
+
        /* delete the old SA (without affecting the IPComp SA) */
        if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
        {
@@ -1442,18 +1442,18 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
                 ntohl(spi), src, dst, new_src, new_dst);
        /* copy over the SA from out to request */
        hdr = (struct nlmsghdr*)request;
        memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
-       hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;   
+       hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
        hdr->nlmsg_type = XFRM_MSG_NEWSA;
        hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
        sa = NLMSG_DATA(hdr);
        sa->family = new_dst->get_family(new_dst);
-       
+
        if (!src->ip_equals(src, new_src))
        {
                host2xfrm(new_src, &sa->saddr);
@@ -1462,7 +1462,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
        {
                host2xfrm(new_dst, &sa->id.daddr);
        }
-       
+
        rta = XFRM_RTA(out, struct xfrm_usersa_info);
        rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
        pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
@@ -1476,47 +1476,47 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
                                tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
                                tmpl->encap_sport = ntohs(new_src->get_port(new_src));
                                tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
-                       }       
+                       }
                        memcpy(pos, rta, rta->rta_len);
                        pos += RTA_ALIGN(rta->rta_len);
                        hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
                }
                rta = RTA_NEXT(rta, rtasize);
        }
-       
+
        rta = (struct rtattr*)pos;
        if (tmpl == NULL && new_encap)
        {       /* add tmpl if we are enabling it */
                rta->rta_type = XFRMA_ENCAP;
                rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
-               
+
                hdr->nlmsg_len += rta->rta_len;
                if (hdr->nlmsg_len > sizeof(request))
                {
                        return FAILED;
                }
-               
+
                tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
                tmpl->encap_type = UDP_ENCAP_ESPINUDP;
                tmpl->encap_sport = ntohs(new_src->get_port(new_src));
                tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
                memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
-               
+
                rta = XFRM_RTA_NEXT(rta);
        }
-       
+
        if (got_replay_state)
        {       /* copy the replay data if available */
                rta->rta_type = XFRMA_REPLAY_VAL;
                rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
-               
+
                hdr->nlmsg_len += rta->rta_len;
                if (hdr->nlmsg_len > sizeof(request))
                {
                        return FAILED;
                }
                memcpy(RTA_DATA(rta), &replay, sizeof(replay));
-               
+
                rta = XFRM_RTA_NEXT(rta);
        }
 
@@ -1527,14 +1527,14 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
                return FAILED;
        }
        free(out);
-       
+
        return SUCCESS;
 }
 
 /**
  * Implementation of kernel_interface_t.add_policy.
  */
-static status_t add_policy(private_kernel_netlink_ipsec_t *this, 
+static status_t add_policy(private_kernel_netlink_ipsec_t *this,
                                                   host_t *src, host_t *dst,
                                                   traffic_selector_t *src_ts,
                                                   traffic_selector_t *dst_ts,
@@ -1548,13 +1548,13 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
        netlink_buf_t request;
        struct xfrm_userpolicy_info *policy_info;
        struct nlmsghdr *hdr;
-       
+
        /* create a policy */
        policy = malloc_thing(policy_entry_t);
        memset(policy, 0, sizeof(policy_entry_t));
        policy->sel = ts2selector(src_ts, dst_ts);
        policy->direction = direction;
-       
+
        /* find the policy, which matches EXACTLY */
        this->mutex->lock(this->mutex);
        current = this->policies->get(this->policies, policy);
@@ -1574,10 +1574,10 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
                this->policies->put(this->policies, policy, policy);
                policy->refcount = 1;
        }
-       
+
        DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
-       
+
        memset(&request, 0, sizeof(request));
        hdr = (struct nlmsghdr*)request;
        hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
@@ -1595,7 +1595,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
        policy_info->action = XFRM_POLICY_ALLOW;
        policy_info->share = XFRM_SHARE_ANY;
        this->mutex->unlock(this->mutex);
-       
+
        /* policies don't expire */
        policy_info->lft.soft_byte_limit = XFRM_INF;
        policy_info->lft.soft_packet_limit = XFRM_INF;
@@ -1605,19 +1605,19 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
        policy_info->lft.hard_add_expires_seconds = 0;
        policy_info->lft.soft_use_expires_seconds = 0;
        policy_info->lft.hard_use_expires_seconds = 0;
-       
+
        struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
        rthdr->rta_type = XFRMA_TMPL;
        rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-       
+
        hdr->nlmsg_len += rthdr->rta_len;
        if (hdr->nlmsg_len > sizeof(request))
        {
                return FAILED;
        }
-       
+
        struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
-       
+
        if (ipcomp != IPCOMP_NONE)
        {
                tmpl->reqid = reqid;
@@ -1626,10 +1626,10 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
                tmpl->mode = mode2kernel(mode);
                tmpl->optional = direction != POLICY_OUT;
                tmpl->family = src->get_family(src);
-               
+
                host2xfrm(src, &tmpl->saddr);
                host2xfrm(dst, &tmpl->id.daddr);
-               
+
                /* add an additional xfrm_user_tmpl */
                rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
                hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
@@ -1637,26 +1637,26 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
                {
                        return FAILED;
                }
-               
+
                tmpl++;
        }
-       
+
        tmpl->reqid = reqid;
        tmpl->id.proto = proto_ike2kernel(protocol);
        tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
        tmpl->mode = mode2kernel(mode);
        tmpl->family = src->get_family(src);
-       
+
        host2xfrm(src, &tmpl->saddr);
        host2xfrm(dst, &tmpl->id.daddr);
-       
+
        if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
                                           policy_dir_names, direction);
                return FAILED;
        }
-       
+
        /* install a route, if:
         * - we are NOT updating a policy
         * - this is a forward policy (to just get one for each child)
@@ -1669,7 +1669,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
                this->install_routes)
        {
                route_entry_t *route = malloc_thing(route_entry_t);
-               
+
                if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
                                dst_ts, &route->src_ip) == SUCCESS)
                {
@@ -1681,9 +1681,9 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
                        route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
                        memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
                        route->prefixlen = policy->sel.prefixlen_s;
-                       
+
                        if (route->if_name)
-                       {                       
+                       {
                                switch (charon->kernel_interface->add_route(
                                                                        charon->kernel_interface, route->dst_net,
                                                                        route->prefixlen, route->gateway,
@@ -1720,7 +1720,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
  * Implementation of kernel_interface_t.query_policy.
  */
 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
-                                                        traffic_selector_t *src_ts, 
+                                                        traffic_selector_t *src_ts,
                                                         traffic_selector_t *dst_ts,
                                                         policy_dir_t direction, u_int32_t *use_time)
 {
@@ -1729,9 +1729,9 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
        struct xfrm_userpolicy_id *policy_id;
        struct xfrm_userpolicy_info *policy = NULL;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
 
@@ -1743,7 +1743,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
        policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
        policy_id->sel = ts2selector(src_ts, dst_ts);
        policy_id->dir = direction;
-       
+
        if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
        {
                hdr = out;
@@ -1772,7 +1772,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
                        break;
                }
        }
-       
+
        if (policy == NULL)
        {
                DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
@@ -1780,7 +1780,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        if (policy->curlft.use_time)
        {
                /* we need the monotonic time, but the kernel returns system time. */
@@ -1790,7 +1790,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
        {
                *use_time = 0;
        }
-       
+
        free(out);
        return SUCCESS;
 }
@@ -1799,7 +1799,7 @@ static status_t query_policy(private_kernel_netlink_ipsec_t *this,
  * Implementation of kernel_interface_t.del_policy.
  */
 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
-                                                  traffic_selector_t *src_ts, 
+                                                  traffic_selector_t *src_ts,
                                                   traffic_selector_t *dst_ts,
                                                   policy_dir_t direction, bool unrouted)
 {
@@ -1808,15 +1808,15 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
        netlink_buf_t request;
        struct nlmsghdr *hdr;
        struct xfrm_userpolicy_id *policy_id;
-       
+
        DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
-       
+
        /* create a policy */
        memset(&policy, 0, sizeof(policy_entry_t));
        policy.sel = ts2selector(src_ts, dst_ts);
        policy.direction = direction;
-       
+
        /* find the policy */
        this->mutex->lock(this->mutex);
        current = this->policies->get(this->policies, &policy);
@@ -1840,9 +1840,9 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
                                           dst_ts, policy_dir_names, direction);
                return NOT_FOUND;
        }
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        hdr = (struct nlmsghdr*)request;
        hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
        hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
@@ -1851,10 +1851,10 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
        policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
        policy_id->sel = to_delete->sel;
        policy_id->dir = direction;
-       
+
        route = to_delete->route;
        free(to_delete);
-       
+
        if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
@@ -1871,7 +1871,7 @@ static status_t del_policy(private_kernel_netlink_ipsec_t *this,
                        DBG1(DBG_KNL, "error uninstalling route installed with "
                                                  "policy %R === %R %N", src_ts, dst_ts,
                                                   policy_dir_names, direction);
-               }               
+               }
                route_entry_destroy(route);
        }
        return SUCCESS;
@@ -1884,7 +1884,7 @@ static void destroy(private_kernel_netlink_ipsec_t *this)
 {
        enumerator_t *enumerator;
        policy_entry_t *policy;
-       
+
        this->job->cancel(this->job);
        close(this->socket_xfrm_events);
        this->socket_xfrm->destroy(this->socket_xfrm);
@@ -1907,7 +1907,7 @@ static bool add_bypass_policies()
        int fd, family, port;
        enumerator_t *sockets;
        bool status = TRUE;
-       
+
        /* we open an AF_KEY socket to autoload the af_key module. Otherwise
         * setsockopt(IPSEC_POLICY) won't work. */
        fd = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
@@ -1917,13 +1917,13 @@ static bool add_bypass_policies()
                return FALSE;
        }
        close(fd);
-       
+
        sockets = charon->socket->create_enumerator(charon->socket);
        while (sockets->enumerate(sockets, &fd, &family, &port))
        {
                struct sadb_x_policy policy;
                u_int sol, ipsec_policy;
-               
+
                switch (family)
                {
                        case AF_INET:
@@ -1937,12 +1937,12 @@ static bool add_bypass_policies()
                        default:
                                continue;
                }
-               
+
                memset(&policy, 0, sizeof(policy));
                policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
                policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
                policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-       
+
                policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
                if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
                {
@@ -1954,7 +1954,7 @@ static bool add_bypass_policies()
                policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
                if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
                {
-                       DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", 
+                       DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
                                 strerror(errno));
                        status = FALSE;
                        break;
@@ -1972,7 +1972,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
        private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
        struct sockaddr_nl addr;
        int fd;
-       
+
        /* public functions */
        this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
@@ -1991,7 +1991,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
        this->install_routes = lib->settings->get_bool(lib->settings,
                                        "charon.install_routes", TRUE);
-       
+
        /* disable lifetimes for allocated SPIs in kernel */
        fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
        if (fd)
@@ -1999,18 +1999,18 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
                ignore_result(write(fd, "0", 1));
                close(fd);
        }
-       
+
        /* add bypass policies on the sockets used by charon */
        if (!add_bypass_policies())
        {
                charon->kill(charon, "unable to add bypass policies on sockets");
        }
-       
+
        this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
-       
+
        memset(&addr, 0, sizeof(addr));
        addr.nl_family = AF_NETLINK;
-       
+
        /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
        this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
        if (this->socket_xfrm_events <= 0)
@@ -2023,10 +2023,10 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
        {
                charon->kill(charon, "unable to bind XFRM event socket");
        }
-       
+
        this->job = callback_job_create((callback_job_cb_t)receive_events,
                                                                        this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        return &this->public;
 }
index 0688607972168f48481431e1d97b65eba8fface5..4b2a05f8fe1f7ac5bfd4ad54534914dca382166b 100644 (file)
@@ -48,16 +48,16 @@ typedef struct addr_entry_t addr_entry_t;
  * IP address in an inface_entry_t
  */
 struct addr_entry_t {
-       
+
        /** The ip address */
        host_t *ip;
-       
+
        /** virtual IP managed by us */
        bool virtual;
-       
+
        /** scope of the address */
        u_char scope;
-       
+
        /** Number of times this IP is used, if virtual */
        u_int refcount;
 };
@@ -77,16 +77,16 @@ typedef struct iface_entry_t iface_entry_t;
  * A network interface on this system, containing addr_entry_t's
  */
 struct iface_entry_t {
-       
+
        /** interface index */
        int ifindex;
-       
+
        /** name of the interface */
        char ifname[IFNAMSIZ];
-       
+
        /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
        u_int flags;
-       
+
        /** list of addresses as host_t */
        linked_list_t *addrs;
 };
@@ -110,57 +110,57 @@ struct private_kernel_netlink_net_t {
         * Public part of the kernel_netlink_net_t object.
         */
        kernel_netlink_net_t public;
-       
+
        /**
         * mutex to lock access to various lists
         */
        mutex_t *mutex;
-       
+
        /**
         * condition variable to signal virtual IP add/removal
         */
        condvar_t *condvar;
-       
+
        /**
         * Cached list of interfaces and its addresses (iface_entry_t)
         */
        linked_list_t *ifaces;
-        
+
        /**
         * job receiving netlink events
         */
        callback_job_t *job;
-       
+
        /**
         * netlink rt socket (routing)
         */
        netlink_socket_t *socket;
-       
+
        /**
         * Netlink rt socket to receive address change events
         */
        int socket_events;
-       
+
        /**
         * time of the last roam_job
         */
        timeval_t last_roam;
-       
+
        /**
         * routing table to install routes
         */
        int routing_table;
-       
+
        /**
         * priority of used routing table
         */
        int routing_table_prio;
-       
+
        /**
         * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
         */
        bool process_route;
-       
+
        /**
         * whether to actually install virtual IPs
         */
@@ -176,7 +176,7 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
        iface_entry_t *iface;
        addr_entry_t *addr;
        int refcount = 0;
-       
+
        ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
        while (ifaces->iterate(ifaces, (void**)&iface))
        {
@@ -197,7 +197,7 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
                }
        }
        ifaces->destroy(ifaces);
-       
+
        return refcount;
 }
 
@@ -208,7 +208,7 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
 static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
 {
        timeval_t now;
-       
+
        time_monotonic(&now);
        if (timercmp(&now, &this->last_roam, >))
        {
@@ -237,7 +237,7 @@ static void process_link(private_kernel_netlink_net_t *this,
        iface_entry_t *current, *entry = NULL;
        char *name = NULL;
        bool update = FALSE;
-       
+
        while(RTA_OK(rta, rtasize))
        {
                switch (rta->rta_type)
@@ -252,7 +252,7 @@ static void process_link(private_kernel_netlink_net_t *this,
        {
                name = "(unknown)";
        }
-       
+
        this->mutex->lock(this->mutex);
        switch (hdr->nlmsg_type)
        {
@@ -305,7 +305,7 @@ static void process_link(private_kernel_netlink_net_t *this,
                        {
                                if (current->ifindex == msg->ifi_index)
                                {
-                                       /* we do not remove it, as an address may be added to a 
+                                       /* we do not remove it, as an address may be added to a
                                         * "down" interface and we wan't to know that. */
                                        current->flags = msg->ifi_flags;
                                        break;
@@ -316,7 +316,7 @@ static void process_link(private_kernel_netlink_net_t *this,
                }
        }
        this->mutex->unlock(this->mutex);
-       
+
        /* send an update to all IKE_SAs */
        if (update && event)
        {
@@ -339,7 +339,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
        addr_entry_t *addr;
        chunk_t local = chunk_empty, address = chunk_empty;
        bool update = FALSE, found = FALSE, changed = FALSE;
-       
+
        while(RTA_OK(rta, rtasize))
        {
                switch (rta->rta_type)
@@ -355,7 +355,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
                }
                rta = RTA_NEXT(rta, rtasize);
        }
-       
+
        /* For PPP interfaces, we need the IFA_LOCAL address,
         * IFA_ADDRESS is the peers address. But IFA_LOCAL is
         * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
@@ -367,12 +367,12 @@ static void process_addr(private_kernel_netlink_net_t *this,
        {
                host = host_create_from_chunk(msg->ifa_family, address, 0);
        }
-       
+
        if (host == NULL)
        {       /* bad family? */
                return;
        }
-       
+
        this->mutex->lock(this->mutex);
        ifaces = this->ifaces->create_enumerator(this->ifaces);
        while (ifaces->enumerate(ifaces, &iface))
@@ -403,7 +403,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
                                }
                        }
                        addrs->destroy(addrs);
-               
+
                        if (hdr->nlmsg_type == RTM_NEWADDR)
                        {
                                if (!found)
@@ -415,7 +415,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
                                        addr->virtual = FALSE;
                                        addr->refcount = 1;
                                        addr->scope = msg->ifa_scope;
-                                       
+
                                        iface->addrs->insert_last(iface->addrs, addr);
                                        if (event)
                                        {
@@ -433,7 +433,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
        ifaces->destroy(ifaces);
        this->mutex->unlock(this->mutex);
        host->destroy(host);
-       
+
        /* send an update to all IKE_SAs */
        if (update && event && changed)
        {
@@ -450,13 +450,13 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
        struct rtattr *rta = RTM_RTA(msg);
        size_t rtasize = RTM_PAYLOAD(hdr);
        host_t *host = NULL;
-       
+
        /* ignore routes added by us */
        if (msg->rtm_table && msg->rtm_table == this->routing_table)
        {
                return;
        }
-       
+
        while (RTA_OK(rta, rtasize))
        {
                switch (rta->rta_type)
@@ -491,11 +491,11 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
        socklen_t addr_len = sizeof(addr);
        int len, oldstate;
 
-       pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);       
+       pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
        len = recvfrom(this->socket_events, response, sizeof(response), 0,
                                   (struct sockaddr*)&addr, &addr_len);
        pthread_setcancelstate(oldstate, NULL);
-       
+
        if (len < 0)
        {
                switch (errno)
@@ -512,12 +512,12 @@ static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
                                return JOB_REQUEUE_FAIR;
                }
        }
-       
+
        if (addr.nl_pid != 0)
        {       /* not from kernel. not interested, try another one */
                return JOB_REQUEUE_DIRECT;
        }
-       
+
        while (NLMSG_OK(hdr, len))
        {
                /* looks good so far, dispatch netlink message */
@@ -553,7 +553,7 @@ typedef struct {
        private_kernel_netlink_net_t* this;
        /** whether to enumerate down interfaces */
        bool include_down_ifaces;
-       /** whether to enumerate virtual ip addresses */ 
+       /** whether to enumerate virtual ip addresses */
        bool include_virtual_ips;
 } address_enumerator_t;
 
@@ -615,7 +615,7 @@ static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *thi
        data->this = this;
        data->include_down_ifaces = include_down_ifaces;
        data->include_virtual_ips = include_virtual_ips;
-       
+
        this->mutex->lock(this->mutex);
        return enumerator_create_nested(
                                enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
@@ -632,9 +632,9 @@ static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
        iface_entry_t *iface;
        addr_entry_t *addr;
        char *name = NULL;
-       
+
        DBG2(DBG_KNL, "getting interface name for %H", ip);
-       
+
        this->mutex->lock(this->mutex);
        ifaces = this->ifaces->create_enumerator(this->ifaces);
        while (ifaces->enumerate(ifaces, &iface))
@@ -656,7 +656,7 @@ static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip)
        }
        ifaces->destroy(ifaces);
        this->mutex->unlock(this->mutex);
-       
+
        if (name)
        {
                DBG2(DBG_KNL, "%H is on interface %s", ip, name);
@@ -676,9 +676,9 @@ static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
        enumerator_t *ifaces;
        iface_entry_t *iface;
        int ifindex = 0;
-       
+
        DBG2(DBG_KNL, "getting iface index for %s", name);
-       
+
        this->mutex->lock(this->mutex);
        ifaces = this->ifaces->create_enumerator(this->ifaces);
        while (ifaces->enumerate(ifaces, &iface))
@@ -708,7 +708,7 @@ static bool is_interface_up(private_kernel_netlink_net_t *this, int index)
        iface_entry_t *iface;
        /* default to TRUE for interface we do not monitor (e.g. lo) */
        bool up = TRUE;
-       
+
        ifaces = this->ifaces->create_enumerator(this->ifaces);
        while (ifaces->enumerate(ifaces, &iface))
        {
@@ -729,7 +729,7 @@ static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
 {
        static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
        int byte = 0;
-       
+
        if (net_len == 0)
        {       /* any address matches a /0 network */
                return TRUE;
@@ -771,9 +771,9 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
        size_t len;
        int best = -1;
        host_t *src = NULL, *gtw = NULL;
-       
+
        DBG2(DBG_KNL, "getting address to reach %H", dest);
-       
+
        memset(&request, 0, sizeof(request));
 
        hdr = (struct nlmsghdr*)request;
@@ -790,7 +790,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
        }
        chunk = dest->get_address(dest);
        netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
-       
+
        if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "getting address to %H failed", dest);
@@ -811,7 +811,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
                                chunk_t rta_gtw, rta_src, rta_dst;
                                u_int32_t rta_oif = 0;
                                host_t *new_src, *new_gtw;
-                               
+
                                rta_gtw = rta_src = rta_dst = chunk_empty;
                                msg = (struct rtmsg*)(NLMSG_DATA(current));
                                rta = RTM_RTA(msg);
@@ -855,7 +855,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
                                {       /* route destination does not contain dest */
                                        goto next;
                                }
-                               
+
                                if (nexthop)
                                {
                                        /* nexthop lookup, return gateway */
@@ -907,7 +907,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
        }
        free(out);
        this->mutex->unlock(this->mutex);
-       
+
        if (nexthop)
        {
                if (gtw)
@@ -947,23 +947,23 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
        struct nlmsghdr *hdr;
        struct ifaddrmsg *msg;
        chunk_t chunk;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        chunk = ip->get_address(ip);
-    
+
     hdr = (struct nlmsghdr*)request;
        hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
-       hdr->nlmsg_type = nlmsg_type; 
+       hdr->nlmsg_type = nlmsg_type;
        hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
-       
+
        msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
     msg->ifa_family = ip->get_family(ip);
     msg->ifa_flags = 0;
     msg->ifa_prefixlen = 8 * chunk.len;
     msg->ifa_scope = RT_SCOPE_UNIVERSE;
     msg->ifa_index = if_index;
-       
+
        netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
 
        return this->socket->send_ack(this->socket, hdr);
@@ -972,27 +972,27 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
 /**
  * Implementation of kernel_net_t.add_ip.
  */
-static status_t add_ip(private_kernel_netlink_net_t *this, 
+static status_t add_ip(private_kernel_netlink_net_t *this,
                                                host_t *virtual_ip, host_t *iface_ip)
 {
        iface_entry_t *iface;
        addr_entry_t *addr;
        enumerator_t *addrs, *ifaces;
        int ifindex;
-       
+
        if (!this->install_virtual_ip)
        {       /* disabled by config */
                return SUCCESS;
        }
-       
+
        DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
-       
+
        this->mutex->lock(this->mutex);
        ifaces = this->ifaces->create_enumerator(this->ifaces);
        while (ifaces->enumerate(ifaces, &iface))
        {
                bool iface_found = FALSE;
-       
+
                addrs = iface->addrs->create_enumerator(iface->addrs);
                while (addrs->enumerate(addrs, &addr))
                {
@@ -1012,7 +1012,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
                        }
                }
                addrs->destroy(addrs);
-               
+
                if (iface_found)
                {
                        ifindex = iface->ifindex;
@@ -1022,7 +1022,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
                        addr->virtual = TRUE;
                        addr->scope = RT_SCOPE_UNIVERSE;
                        iface->addrs->insert_last(iface->addrs, addr);
-                       
+
                        if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
                                                          ifindex, virtual_ip) == SUCCESS)
                        {
@@ -1042,7 +1042,7 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
        }
        ifaces->destroy(ifaces);
        this->mutex->unlock(this->mutex);
-       
+
        DBG1(DBG_KNL, "interface address %H not found, unable to install"
                 "virtual IP %H", iface_ip, virtual_ip);
        return FAILED;
@@ -1058,14 +1058,14 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
        enumerator_t *addrs, *ifaces;
        status_t status;
        int ifindex;
-       
+
        if (!this->install_virtual_ip)
        {       /* disabled by config */
                return SUCCESS;
        }
-       
+
        DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
-       
+
        this->mutex->lock(this->mutex);
        ifaces = this->ifaces->create_enumerator(this->ifaces);
        while (ifaces->enumerate(ifaces, &iface))
@@ -1108,7 +1108,7 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
        }
        ifaces->destroy(ifaces);
        this->mutex->unlock(this->mutex);
-       
+
        DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
        return FAILED;
 }
@@ -1135,11 +1135,11 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
                chunk_t half_net;
                u_int8_t half_prefixlen;
                status_t status;
-               
+
                half_net = chunk_alloca(dst_net.len);
                memset(half_net.ptr, 0, half_net.len);
                half_prefixlen = 1;
-               
+
                status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
                                        gateway, src_ip, if_name);
                half_net.ptr[0] |= 0x80;
@@ -1147,7 +1147,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
                                        gateway, src_ip, if_name);
                return status;
        }
-       
+
        memset(&request, 0, sizeof(request));
 
        hdr = (struct nlmsghdr*)request;
@@ -1162,7 +1162,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
        msg->rtm_protocol = RTPROT_STATIC;
        msg->rtm_type = RTN_UNICAST;
        msg->rtm_scope = RT_SCOPE_UNIVERSE;
-       
+
        netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request));
        chunk = src_ip->get_address(src_ip);
        netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
@@ -1185,7 +1185,7 @@ static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
        return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
                                dst_net, prefixlen, gateway, src_ip, if_name);
 }
-       
+
 /**
  * Implementation of kernel_net_t.del_route.
  */
@@ -1208,9 +1208,9 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
        enumerator_t *ifaces, *addrs;
        iface_entry_t *iface;
        addr_entry_t *addr;
-       
+
        DBG1(DBG_KNL, "listening on interfaces:");
-       
+
        memset(&request, 0, sizeof(request));
 
        in = (struct nlmsghdr*)&request;
@@ -1218,7 +1218,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
        in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
        msg = (struct rtgenmsg*)NLMSG_DATA(in);
        msg->rtgen_family = AF_UNSPEC;
-       
+
        /* get all links */
        in->nlmsg_type = RTM_GETLINK;
        if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
@@ -1242,7 +1242,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
                break;
        }
        free(out);
-       
+
        /* get all interface addresses */
        in->nlmsg_type = RTM_GETADDR;
        if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
@@ -1266,7 +1266,7 @@ static status_t init_address_list(private_kernel_netlink_net_t *this)
                break;
        }
        free(out);
-       
+
        this->mutex->lock(this->mutex);
        ifaces = this->ifaces->create_enumerator(this->ifaces);
        while (ifaces->enumerate(ifaces, &iface))
@@ -1298,10 +1298,10 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
        struct rtmsg *msg;
        chunk_t chunk;
 
-       memset(&request, 0, sizeof(request));    
+       memset(&request, 0, sizeof(request));
        hdr = (struct nlmsghdr*)request;
        hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-       hdr->nlmsg_type = nlmsg_type; 
+       hdr->nlmsg_type = nlmsg_type;
        if (nlmsg_type == RTM_NEWRULE)
        {
                hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
@@ -1348,7 +1348,7 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 {
        private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t);
        struct sockaddr_nl addr;
-       
+
        /* public functions */
        this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
        this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
@@ -1373,34 +1373,34 @@ kernel_netlink_net_t *kernel_netlink_net_create()
                                        "charon.process_route", TRUE);
        this->install_virtual_ip = lib->settings->get_bool(lib->settings,
                                        "charon.install_virtual_ip", TRUE);
-       
+
        this->socket = netlink_socket_create(NETLINK_ROUTE);
-       
+
        memset(&addr, 0, sizeof(addr));
        addr.nl_family = AF_NETLINK;
-       
+
        /* create and bind RT socket for events (address/interface/route changes) */
        this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
        if (this->socket_events <= 0)
        {
                charon->kill(charon, "unable to create RT event socket");
        }
-       addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | 
+       addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
                                         RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
        if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
        {
                charon->kill(charon, "unable to bind RT event socket");
        }
-       
+
        this->job = callback_job_create((callback_job_cb_t)receive_events,
                                                                        this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        if (init_address_list(this) != SUCCESS)
        {
                charon->kill(charon, "unable to get interface list");
        }
-       
+
        if (this->routing_table)
        {
                if (manage_rule(this, RTM_NEWRULE, this->routing_table,
@@ -1409,6 +1409,6 @@ kernel_netlink_net_t *kernel_netlink_net_create()
                        DBG1(DBG_KNL, "unable to create routing table rule");
                }
        }
-       
+
        return &this->public;
 }
index 77005e8716cde0aa36503a1a837bfd2da579a1d6..cdf20f14a5db2bd1335011f1bee021bd11f39058 100644 (file)
@@ -49,11 +49,11 @@ static void destroy(private_kernel_netlink_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
        charon->kernel_interface->add_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
-       
+
        return &this->public.plugin;
 }
index ec11870830b46e1e6ce08bfe6e48d2f435df146b..3d8ca880701893a4733ebb6078d28d7588eec72f 100644 (file)
@@ -34,7 +34,7 @@ struct private_netlink_socket_t {
         * public part of the netlink_socket_t object.
         */
        netlink_socket_t public;
-       
+
        /**
         * mutex to lock access to netlink socket
         */
@@ -46,12 +46,12 @@ struct private_netlink_socket_t {
        int seq;
 
        /**
-        * netlink socket protocol 
+        * netlink socket protocol
         */
        int protocol;
 
        /**
-        * netlink socket 
+        * netlink socket
         */
        int socket;
 };
@@ -71,12 +71,12 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
        struct sockaddr_nl addr;
        chunk_t result = chunk_empty, tmp;
        struct nlmsghdr *msg, peek;
-       
+
        this->mutex->lock(this->mutex);
-       
+
        in->nlmsg_seq = ++this->seq;
        in->nlmsg_pid = getpid();
-       
+
        memset(&addr, 0, sizeof(addr));
        addr.nl_family = AF_NETLINK;
        addr.nl_pid = 0;
@@ -91,11 +91,11 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
 
        while (TRUE)
        {
-               len = sendto(this->socket, in, in->nlmsg_len, 0, 
+               len = sendto(this->socket, in, in->nlmsg_len, 0,
                                         (struct sockaddr*)&addr, sizeof(addr));
-               
+
                if (len != in->nlmsg_len)
-               {       
+               {
                        if (errno == EINTR)
                        {
                                /* interrupted, try again */
@@ -107,23 +107,23 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
                }
                break;
        }
-       
+
        while (TRUE)
-       {       
+       {
                char buf[4096];
                tmp.len = sizeof(buf);
                tmp.ptr = buf;
                msg = (struct nlmsghdr*)tmp.ptr;
-               
+
                memset(&addr, 0, sizeof(addr));
                addr.nl_family = AF_NETLINK;
                addr.nl_pid = getpid();
                addr.nl_groups = 0;
                addr_len = sizeof(addr);
-               
+
                len = recvfrom(this->socket, tmp.ptr, tmp.len, 0,
                                           (struct sockaddr*)&addr, &addr_len);
-               
+
                if (len < 0)
                {
                        if (errno == EINTR)
@@ -155,17 +155,17 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
                        free(result.ptr);
                        return FAILED;
                }
-               
+
                tmp.len = len;
                result.ptr = realloc(result.ptr, result.len + tmp.len);
                memcpy(result.ptr + result.len, tmp.ptr, tmp.len);
                result.len += tmp.len;
-               
+
                /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
                 * numbers to detect multi header messages */
                len = recvfrom(this->socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
                                           (struct sockaddr*)&addr, &addr_len);
-               
+
                if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
                {
                        /* seems to be multipart */
@@ -173,12 +173,12 @@ static status_t netlink_send(private_netlink_socket_t *this, struct nlmsghdr *in
                }
                break;
        }
-       
+
        *out_len = result.len;
        *out = (struct nlmsghdr*)result.ptr;
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        return SUCCESS;
 }
 
@@ -202,7 +202,7 @@ static status_t netlink_send_ack(private_netlink_socket_t *this, struct nlmsghdr
                        case NLMSG_ERROR:
                        {
                                struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
-                               
+
                                if (err->error)
                                {
                                        if (-err->error == EEXIST)
@@ -247,7 +247,7 @@ static void destroy(private_netlink_socket_t *this)
 netlink_socket_t *netlink_socket_create(int protocol) {
        private_netlink_socket_t *this = malloc_thing(private_netlink_socket_t);
        struct sockaddr_nl addr;
-       
+
        /* public functions */
        this->public.send = (status_t(*)(netlink_socket_t*,struct nlmsghdr*, struct nlmsghdr**, size_t*))netlink_send;
        this->public.send_ack = (status_t(*)(netlink_socket_t*,struct nlmsghdr*))netlink_send_ack;
@@ -256,23 +256,23 @@ netlink_socket_t *netlink_socket_create(int protocol) {
        /* private members */
        this->seq = 200;
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-       
+
        memset(&addr, 0, sizeof(addr));
        addr.nl_family = AF_NETLINK;
-       
+
        this->protocol = protocol;
        this->socket = socket(AF_NETLINK, SOCK_RAW, protocol);
        if (this->socket <= 0)
        {
                charon->kill(charon, "unable to create netlink socket");
        }
-       
+
        addr.nl_groups = 0;
        if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)))
        {
                charon->kill(charon, "unable to bind netlink socket");
        }
-       
+
        return &this->public;
 }
 
@@ -283,13 +283,13 @@ void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
                                                  size_t buflen)
 {
        struct rtattr *rta;
-       
+
        if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
        {
                DBG1(DBG_KNL, "unable to add attribute, buffer too small");
                return;
        }
-       
+
        rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
        rta->rta_type = rta_type;
        rta->rta_len = RTA_LENGTH(data.len);
index 5a70e4d9b60665d2b130e3d979b305301deb14c3..dfd27a21a74ec587335efcc8cd3a8df01a501077 100644 (file)
@@ -37,20 +37,20 @@ struct netlink_socket_t {
 
        /**
         * Send a netlink message and wait for a reply.
-        * 
+        *
         * @param       in              netlink message to send
         * @param       out     received netlink message
         * @param       out_len length of the received message
         */
        status_t (*send)(netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out, size_t *out_len);
-       
+
        /**
         * Send a netlink message and wait for its acknowledge.
-        * 
+        *
         * @param       in              netlink message to send
         */
        status_t (*send_ack)(netlink_socket_t *this, struct nlmsghdr *in);
-       
+
        /**
         * Destroy the socket.
         */
@@ -59,14 +59,14 @@ struct netlink_socket_t {
 
 /**
  * Create a netlink_socket_t object.
- * 
+ *
  * @param      protocol        protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
  */
 netlink_socket_t *netlink_socket_create(int protocol);
 
 /**
  * Creates an rtattr and adds it to the given netlink message.
- * 
+ *
  * @param      hdr                     netlink message
  * @param      rta_type        type of the rtattr
  * @param      data            data to add to the rtattr
index 002e1bee8fd6680b146384a60ffc54a75c1edaec..57e3a92e3b14330849807c5bf1aa30a8f84645af 100644 (file)
@@ -151,42 +151,42 @@ struct private_kernel_pfkey_ipsec_t
         * Public part of the kernel_pfkey_t object.
         */
        kernel_pfkey_ipsec_t public;
-       
+
        /**
         * mutex to lock access to various lists
         */
        mutex_t *mutex;
-       
+
        /**
         * List of installed policies (policy_entry_t)
         */
        linked_list_t *policies;
-       
+
        /**
         * whether to install routes along policies
         */
        bool install_routes;
-       
+
        /**
         * job receiving PF_KEY events
         */
        callback_job_t *job;
-       
+
        /**
         * mutex to lock access to the PF_KEY socket
         */
        mutex_t *mutex_pfkey;
-       
+
        /**
         * PF_KEY socket to communicate with the kernel
         */
        int socket;
-       
+
        /**
         * PF_KEY socket to receive acquire and expire events
         */
        int socket_events;
-       
+
        /**
         * sequence number for messages sent to the kernel
         */
@@ -201,10 +201,10 @@ typedef struct route_entry_t route_entry_t;
 struct route_entry_t {
        /** Name of the interface the route is bound to */
        char *if_name;
-       
+
        /** Source ip of the route */
        host_t *src_ip;
-       
+
        /** gateway for this route */
        host_t *gateway;
 
@@ -233,16 +233,16 @@ typedef struct policy_entry_t policy_entry_t;
  * installed kernel policy.
  */
 struct policy_entry_t {
-       
+
        /** reqid of this policy */
        u_int32_t reqid;
-       
+
        /** index assigned by the kernel */
        u_int32_t index;
-       
+
        /** direction of this policy: in, out, forward */
        u_int8_t direction;
-       
+
        /** parameters of installed policy */
        struct {
                /** subnet and port */
@@ -252,10 +252,10 @@ struct policy_entry_t {
                /** protocol */
                u_int8_t proto;
        } src, dst;
-       
+
        /** associated route installed for this policy */
        route_entry_t *route;
-       
+
        /** by how many CHILD_SA's this policy is used */
        u_int refcount;
 };
@@ -272,15 +272,15 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
        policy->direction = dir;
        policy->route = NULL;
        policy->refcount = 0;
-       
+
        src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
        dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
-       
+
        /* src or dest proto may be "any" (0), use more restrictive one */
        policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
        policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
        policy->dst.proto = policy->src.proto;
-       
+
        return policy;
 }
 
@@ -328,7 +328,7 @@ struct pfkey_msg_t
         * PF_KEY message base
         */
        struct sadb_msg *msg;
-       
+
        /**
         * PF_KEY message extensions
         */
@@ -518,7 +518,7 @@ struct kernel_algorithm_t {
         * Identifier specified in IKEv2
         */
        int ikev2;
-       
+
        /**
         * Identifier as defined in pfkeyv2.h
         */
@@ -652,19 +652,19 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
 {
        struct sadb_x_nat_t_type* nat_type;
        struct sadb_x_nat_t_port* nat_port;
-       
+
        nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
        nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
        nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
        nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
        PFKEY_EXT_ADD(msg, nat_type);
-       
+
        nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
        nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
        nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
        nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
        PFKEY_EXT_ADD(msg, nat_port);
-       
+
        nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
        nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
        nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
@@ -697,15 +697,15 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
 {
        struct sadb_ext* ext;
        size_t len;
-       
+
        memset(out, 0, sizeof(pfkey_msg_t));
        out->msg = msg;
-       
+
        len = msg->sadb_msg_len;
        len -= PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
-       
+
        while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
        {
                DBG3(DBG_KNL, "  %N", sadb_ext_type_names, ext->sadb_ext_type);
@@ -716,20 +716,20 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
                                                   sadb_ext_type_names, ext->sadb_ext_type);
                        break;
                }
-               
+
                if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
                {
                        DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
                        break;
                }
-               
+
                if (out->ext[ext->sadb_ext_type])
                {
                        DBG1(DBG_KNL, "duplicate %N extension",
                                                   sadb_ext_type_names, ext->sadb_ext_type);
                        break;
                }
-               
+
                out->ext[ext->sadb_ext_type] = ext;
                ext = PFKEY_EXT_NEXT_LEN(ext, len);
        }
@@ -739,7 +739,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
                DBG1(DBG_KNL, "PF_KEY message length is invalid");
                return FAILED;
        }
-       
+
        return SUCCESS;
 }
 
@@ -752,7 +752,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
        unsigned char buf[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg;
        int in_len, len;
-       
+
        this->mutex_pfkey->lock(this->mutex_pfkey);
 
        /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
@@ -779,13 +779,13 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
                }
                break;
        }
-       
+
        while (TRUE)
        {
                msg = (struct sadb_msg*)buf;
-               
+
                len = recv(socket, buf, sizeof(buf), 0);
-               
+
                if (len < 0)
                {
                        if (errno == EINTR)
@@ -844,13 +844,13 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
                }
                break;
        }
-       
+
        *out_len = len;
        *out = (struct sadb_msg*)malloc(len);
        memcpy(*out, buf, len);
-       
+
        this->mutex_pfkey->unlock(this->mutex_pfkey);
-       
+
        return SUCCESS;
 }
 
@@ -873,7 +873,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        traffic_selector_t *src_ts, *dst_ts;
        policy_entry_t *policy;
        job_t *job;
-       
+
        switch (msg->sadb_msg_satype)
        {
                case SADB_SATYPE_UNSPEC:
@@ -885,13 +885,13 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
                        return;
        }
        DBG2(DBG_KNL, "received an SADB_ACQUIRE");
-       
+
        if (parse_pfkey_message(msg, &response) != SUCCESS)
        {
                DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
                return;
        }
-       
+
        index = response.x_policy->sadb_x_policy_id;
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -907,7 +907,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        src_ts = sadb_address2ts(response.src);
        dst_ts = sadb_address2ts(response.dst);
        this->mutex->unlock(this->mutex);
-       
+
        DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
                                   src_ts, dst_ts, reqid);
        job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
@@ -924,27 +924,27 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        u_int32_t spi, reqid;
        bool hard;
        job_t *job;
-       
+
        DBG2(DBG_KNL, "received an SADB_EXPIRE");
-       
+
        if (parse_pfkey_message(msg, &response) != SUCCESS)
        {
                DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
                return;
        }
-       
+
        protocol = proto_satype2ike(msg->sadb_msg_satype);
        spi = response.sa->sadb_sa_spi;
        reqid = response.x_sa2->sadb_x_sa2_reqid;
        hard = response.lft_hard != NULL;
-       
+
        if (protocol != PROTO_ESP && protocol != PROTO_AH)
        {
                DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
                                          "which is not a CHILD_SA", ntohl(spi), reqid);
                return;
        }
-       
+
        DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
                 hard ? "delete" : "rekey",  protocol_id_names,
                 protocol, ntohl(spi), reqid);
@@ -984,7 +984,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
        DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
                                         policy_dir_names, dir);
-       
+
        /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
        if (response.x_kmaddress)
        {
@@ -999,7 +999,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
                remote = host_create_from_sockaddr(remote_addr);
                DBG2(DBG_KNL, "  kmaddress: %H...%H", local, remote);
        }
-       
+
        if (src_ts && dst_ts && local && remote)
        {
                DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
@@ -1028,24 +1028,24 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        u_int32_t spi, reqid;
        host_t *host;
        job_t *job;
-       
+
        DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
-       
+
        if (parse_pfkey_message(msg, &response) != SUCCESS)
        {
                DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
                return;
        }
-       
+
        if (!response.x_sa2)
        {
                DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
                return;
        }
-       
+
        spi = response.sa->sadb_sa_spi;
        reqid = response.x_sa2->sadb_x_sa2_reqid;
-       
+
        if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
        {
                sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
@@ -1084,11 +1084,11 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
        unsigned char buf[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg = (struct sadb_msg*)buf;
        int len, oldstate;
-       
+
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
        len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
        pthread_setcancelstate(oldstate, NULL);
-       
+
        if (len < 0)
        {
                switch (errno)
@@ -1105,7 +1105,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
                                return JOB_REQUEUE_FAIR;
                }
        }
-       
+
        if (len < sizeof(struct sadb_msg) ||
                msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
        {
@@ -1121,7 +1121,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
                DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
                return JOB_REQUEUE_DIRECT;
        }
-       
+
        switch (msg->sadb_msg_type)
        {
                case SADB_ACQUIRE:
@@ -1143,7 +1143,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
                default:
                        break;
        }
-       
+
        return JOB_REQUEUE_DIRECT;
 }
 
@@ -1162,31 +1162,31 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
        pfkey_msg_t response;
        u_int32_t received_spi = 0;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_GETSPI;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
        sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
        sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
        sa2->sadb_x_sa2_reqid = reqid;
        PFKEY_EXT_ADD(msg, sa2);
-       
+
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-       
+
        range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
        range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
        range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
        range->sadb_spirange_min = 0xc0000000;
        range->sadb_spirange_max = 0xcFFFFFFF;
        PFKEY_EXT_ADD(msg, range);
-       
+
        if (pfkey_send(this, msg, &out, &len) == SUCCESS)
        {
                if (out->sadb_msg_errno)
@@ -1200,12 +1200,12 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
                }
                free(out);
        }
-       
+
        if (received_spi == 0)
        {
                return FAILED;
        }
-       
+
        *spi = received_spi;
        return SUCCESS;
 }
@@ -1239,11 +1239,11 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
        struct sadb_lifetime *lft;
        struct sadb_key *key;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
@@ -1273,17 +1273,17 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
        sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
        sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
        PFKEY_EXT_ADD(msg, sa);
-       
+
        sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
        sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
        sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
        sa2->sadb_x_sa2_mode = mode2kernel(mode);
        sa2->sadb_x_sa2_reqid = reqid;
        PFKEY_EXT_ADD(msg, sa2);
-       
+
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-       
+
        lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
        lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
        lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
@@ -1292,7 +1292,7 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
        lft->sadb_lifetime_addtime = lifetime->time.rekey;
        lft->sadb_lifetime_usetime = 0; /* we only use addtime */
        PFKEY_EXT_ADD(msg, lft);
-       
+
        lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
        lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
        lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
@@ -1301,7 +1301,7 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
        lft->sadb_lifetime_addtime = lifetime->time.life;
        lft->sadb_lifetime_usetime = 0; /* we only use addtime */
        PFKEY_EXT_ADD(msg, lft);
-       
+
        if (enc_alg != ENCR_UNDEFINED)
        {
                if (!sa->sadb_sa_encrypt)
@@ -1312,16 +1312,16 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
                }
                DBG2(DBG_KNL, "  using encryption algorithm %N with key size %d",
                         encryption_algorithm_names, enc_alg, enc_key.len * 8);
-               
+
                key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
                key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
                key->sadb_key_bits = enc_key.len * 8;
                key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
                memcpy(key + 1, enc_key.ptr, enc_key.len);
-               
+
                PFKEY_EXT_ADD(msg, key);
        }
-       
+
        if (int_alg != AUTH_UNDEFINED)
        {
                if (!sa->sadb_sa_auth)
@@ -1332,16 +1332,16 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
                }
                DBG2(DBG_KNL, "  using integrity algorithm %N with key size %d",
                         integrity_algorithm_names, int_alg, int_key.len * 8);
-               
+
                key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
                key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
                key->sadb_key_bits = int_key.len * 8;
                key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
                memcpy(key + 1, int_key.ptr, int_key.len);
-               
+
                PFKEY_EXT_ADD(msg, key);
        }
-       
+
        if (ipcomp != IPCOMP_NONE)
        {
                /*TODO*/
@@ -1353,7 +1353,7 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
                add_encap_ext(msg, src, dst);
        }
 #endif /*HAVE_NATT*/
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
@@ -1366,7 +1366,7 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        free(out);
        return SUCCESS;
 }
@@ -1385,7 +1385,7 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
        struct sadb_sa *sa;
        pfkey_msg_t response;
        size_t len;
-       
+
        /* we can't update the SA if any of the ip addresses have changed.
         * that's because we can't use SADB_UPDATE and by deleting and readding the
         * SA the sequence numbers would get lost */
@@ -1396,28 +1396,28 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
                                " are not supported", ntohl(spi));
                return NOT_SUPPORTED;
        }
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_GET;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_spi = spi;
        PFKEY_EXT_ADD(msg, sa);
-       
+
        /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
         * it is not used for anything. */
        add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
@@ -1438,18 +1438,18 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
                 ntohl(spi), src, dst, new_src, new_dst);
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_UPDATE;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
 #ifdef __APPLE__
        {
                struct sadb_sa_2 *sa_2;
@@ -1466,32 +1466,32 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
        PFKEY_EXT_COPY(msg, response.sa);
 #endif
        PFKEY_EXT_COPY(msg, response.x_sa2);
-       
+
        PFKEY_EXT_COPY(msg, response.src);
        PFKEY_EXT_COPY(msg, response.dst);
-       
+
        PFKEY_EXT_COPY(msg, response.lft_soft);
        PFKEY_EXT_COPY(msg, response.lft_hard);
-       
+
        if (response.key_encr)
        {
                PFKEY_EXT_COPY(msg, response.key_encr);
        }
-       
+
        if (response.key_auth)
        {
                PFKEY_EXT_COPY(msg, response.key_auth);
        }
-       
+
 #ifdef HAVE_NATT
        if (new_encap)
        {
                add_encap_ext(msg, new_src, new_dst);
        }
 #endif /*HAVE_NATT*/
-       
+
        free(out);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
@@ -1505,7 +1505,7 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
                return FAILED;
        }
        free(out);
-       
+
        return SUCCESS;
 }
 
@@ -1521,29 +1521,29 @@ static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
        struct sadb_sa *sa;
        pfkey_msg_t response;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_GET;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_spi = spi;
        PFKEY_EXT_ADD(msg, sa);
-       
+
        /* the Linux Kernel doesn't care for the src address, but other systems do
         * (e.g. FreeBSD)
         */
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
@@ -1579,29 +1579,29 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
        struct sadb_msg *msg, *out;
        struct sadb_sa *sa;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_DELETE;
        msg->sadb_msg_satype = proto_ike2satype(protocol);
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
        sa->sadb_sa_exttype = SADB_EXT_SA;
        sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
        sa->sadb_sa_spi = spi;
        PFKEY_EXT_ADD(msg, sa);
-       
+
        /* the Linux Kernel doesn't care for the src address, but other systems do
         * (e.g. FreeBSD)
         */
        add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
@@ -1614,7 +1614,7 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
                free(out);
                return FAILED;
        }
-       
+
        DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
        free(out);
        return SUCCESS;
@@ -1639,16 +1639,16 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
        policy_entry_t *policy, *found = NULL;
        pfkey_msg_t response;
        size_t len;
-       
+
        if (dir2kernel(direction) == IPSEC_DIR_INVALID)
        {
                /* FWD policies are not supported on all platforms */
                return SUCCESS;
        }
-       
+
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
-       
+
        /* find a matching policy */
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -1668,18 +1668,18 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                this->policies->insert_last(this->policies, policy);
                policy->refcount = 1;
        }
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
        msg->sadb_msg_satype = 0;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
        pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
        pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
@@ -1693,7 +1693,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
        pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
        pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
 #endif
-       
+
        /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
        req = (struct sadb_x_ipsecrequest*)(pol + 1);
        req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
@@ -1713,15 +1713,15 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
                req->sadb_x_ipsecrequest_len += sl * 2;
        }
-       
+
        pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
        PFKEY_EXT_ADD(msg, pol);
-       
+
        add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
                                 policy->src.mask);
        add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
                                 policy->dst.mask);
-       
+
 #ifdef __FreeBSD__
        {       /* on FreeBSD a lifetime has to be defined to be able to later query
                 * the current use time. */
@@ -1733,9 +1733,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                PFKEY_EXT_ADD(msg, lft);
        }
 #endif
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
@@ -1757,9 +1757,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                free(out);
                return FAILED;
        }
-       
+
        this->mutex->lock(this->mutex);
-       
+
        /* we try to find the policy again and update the kernel index */
        if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
        {
@@ -1771,7 +1771,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
        }
        policy->index = response.x_policy->sadb_x_policy_id;
        free(out);
-       
+
        /* install a route, if:
         * - we are NOT updating a policy
         * - this is a forward policy (to just get one for each child)
@@ -1784,7 +1784,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                this->install_routes)
        {
                route_entry_t *route = malloc_thing(route_entry_t);
-               
+
                if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
                                dst_ts, &route->src_ip) == SUCCESS)
                {
@@ -1795,7 +1795,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                                                                        charon->kernel_interface, dst);
                        route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
                        route->prefixlen = policy->src.mask;
-                       
+
                        switch (charon->kernel_interface->add_route(charon->kernel_interface,
                                        route->dst_net, route->prefixlen, route->gateway,
                                        route->src_ip, route->if_name))
@@ -1819,9 +1819,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                        free(route);
                }
        }
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        return SUCCESS;
 }
 
@@ -1839,19 +1839,19 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
        policy_entry_t *policy, *found = NULL;
        pfkey_msg_t response;
        size_t len;
-       
+
        if (dir2kernel(direction) == IPSEC_DIR_INVALID)
        {
                /* FWD policies are not supported on all platforms */
                return NOT_FOUND;
        }
-       
+
        DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
 
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction, 0);
-       
+
        /* find a matching policy */
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -1865,15 +1865,15 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
        }
        policy_entry_destroy(policy);
        policy = found;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_X_SPDGET;
        msg->sadb_msg_satype = 0;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
        pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
        pol->sadb_x_policy_id = policy->index;
@@ -1881,14 +1881,14 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
        pol->sadb_x_policy_dir = dir2kernel(direction);
        pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
        PFKEY_EXT_ADD(msg, pol);
-       
+
        add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
                                 policy->src.mask);
        add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
                                 policy->dst.mask);
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
@@ -1928,7 +1928,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
                *use_time = 0;
        }
        free(out);
-       
+
        return SUCCESS;
 }
 
@@ -1946,19 +1946,19 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
        policy_entry_t *policy, *found = NULL;
        route_entry_t *route;
        size_t len;
-       
+
        if (dir2kernel(direction) == IPSEC_DIR_INVALID)
        {
                /* FWD policies are not supported on all platforms */
                return SUCCESS;
        }
-       
+
        DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
                                   policy_dir_names, direction);
-       
+
        /* create a policy */
        policy = create_policy_entry(src_ts, dst_ts, direction, 0);
-       
+
        /* find a matching policy */
        this->mutex->lock(this->mutex);
        if (this->policies->find_first(this->policies,
@@ -1986,31 +1986,31 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                return NOT_FOUND;
        }
        this->mutex->unlock(this->mutex);
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_X_SPDDELETE;
        msg->sadb_msg_satype = 0;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
        pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
        pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
        pol->sadb_x_policy_dir = dir2kernel(direction);
        pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
        PFKEY_EXT_ADD(msg, pol);
-       
+
        add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
                                 policy->src.mask);
        add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
                                 policy->dst.mask);
-       
+
        route = policy->route;
        policy->route = NULL;
        policy_entry_destroy(policy);
-       
+
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
@@ -2026,7 +2026,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                return FAILED;
        }
        free(out);
-       
+
        if (route)
        {
                if (charon->kernel_interface->del_route(charon->kernel_interface,
@@ -2039,7 +2039,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                }
                route_entry_destroy(route);
        }
-       
+
        return SUCCESS;
 }
 
@@ -2051,15 +2051,15 @@ static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
        size_t len;
-       
+
        memset(&request, 0, sizeof(request));
-       
+
        msg = (struct sadb_msg*)request;
        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_REGISTER;
        msg->sadb_msg_satype = satype;
        msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-       
+
        if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to register PF_KEY socket");
@@ -2098,13 +2098,13 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
        int fd, family, port;
        enumerator_t *sockets;
        bool status = TRUE;
-       
+
        sockets = charon->socket->create_enumerator(charon->socket);
        while (sockets->enumerate(sockets, &fd, &family, &port))
        {
                struct sadb_x_policy policy;
                u_int sol, ipsec_policy;
-               
+
                switch (family)
                {
                        case AF_INET:
@@ -2122,12 +2122,12 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
                        default:
                                continue;
                }
-               
+
                memset(&policy, 0, sizeof(policy));
                policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
                policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
                policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-               
+
                policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
                if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
                {
@@ -2155,7 +2155,7 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 {
        private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
-       
+
        /* public functions */
        this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
@@ -2166,7 +2166,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
        this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
-       
+
        this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
 
        /* private members */
@@ -2176,37 +2176,37 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
        this->install_routes = lib->settings->get_bool(lib->settings,
                                                                                                "charon.install_routes", TRUE);
        this->seq = 0;
-       
+
        /* create a PF_KEY socket to communicate with the kernel */
        this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
        if (this->socket <= 0)
        {
                charon->kill(charon, "unable to create PF_KEY socket");
        }
-       
+
        /* create a PF_KEY socket for ACQUIRE & EXPIRE */
        this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
        if (this->socket_events <= 0)
        {
                charon->kill(charon, "unable to create PF_KEY event socket");
        }
-       
+
        /* add bypass policies on the sockets used by charon */
        if (!add_bypass_policies(this))
        {
                charon->kill(charon, "unable to add bypass policies on sockets");
        }
-       
+
        /* register the event socket */
        if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
                register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
        {
                charon->kill(charon, "unable to register PF_KEY event socket");
        }
-       
+
        this->job = callback_job_create((callback_job_cb_t)receive_events,
                                                                        this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        return &this->public;
 }
index 09dc4780d49bdbf03132d8fbcb520804f272adce..3380c328c375532700865cdd70976d262b1801ae 100644 (file)
@@ -47,10 +47,10 @@ static void destroy(private_kernel_pfkey_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
-       
+
        return &this->public.plugin;
 }
index da97fcd83469e5736fc8886c1a3e7b28b9f35540..768810411032e3cc50a75b6e66a66504fe740157 100644 (file)
@@ -47,13 +47,13 @@ typedef struct addr_entry_t addr_entry_t;
  * IP address in an inface_entry_t
  */
 struct addr_entry_t {
-       
+
        /** The ip address */
        host_t *ip;
-       
+
        /** virtual IP managed by us */
        bool virtual;
-       
+
        /** Number of times this IP is used, if virtual */
        u_int refcount;
 };
@@ -73,16 +73,16 @@ typedef struct iface_entry_t iface_entry_t;
  * A network interface on this system, containing addr_entry_t's
  */
 struct iface_entry_t {
-       
+
        /** interface index */
        int ifindex;
-       
+
        /** name of the interface */
        char ifname[IFNAMSIZ];
-       
+
        /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
        u_int flags;
-       
+
        /** list of addresses as host_t */
        linked_list_t *addrs;
 };
@@ -108,42 +108,42 @@ struct private_kernel_pfroute_net_t
         * Public part of the kernel_pfroute_t object.
         */
        kernel_pfroute_net_t public;
-       
+
        /**
         * mutex to lock access to various lists
         */
        mutex_t *mutex;
-       
+
        /**
         * Cached list of interfaces and their addresses (iface_entry_t)
         */
        linked_list_t *ifaces;
-       
+
        /**
         * job receiving PF_ROUTE events
         */
        callback_job_t *job;
-       
+
        /**
         * mutex to lock access to the PF_ROUTE socket
         */
        mutex_t *mutex_pfroute;
-       
+
        /**
         * PF_ROUTE socket to communicate with the kernel
         */
        int socket;
-       
+
        /**
         * PF_ROUTE socket to receive events
         */
        int socket_events;
-       
+
        /**
         * sequence number for messages sent to the kernel
         */
        int seq;
-       
+
        /**
         * time of last roam job
         */
@@ -157,7 +157,7 @@ struct private_kernel_pfroute_net_t
 static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
 {
        timeval_t now;
-       
+
        time_monotonic(&now);
        if (timercmp(&now, &this->last_roam, >))
        {
@@ -187,7 +187,7 @@ static void process_addr(private_kernel_pfroute_net_t *this,
        addr_entry_t *addr;
        bool found = FALSE, changed = FALSE, roam = FALSE;
        int i;
-       
+
        for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
        {
                if (ifa->ifam_addrs & i)
@@ -200,12 +200,12 @@ static void process_addr(private_kernel_pfroute_net_t *this,
                        sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
                }
        }
-       
+
        if (!host)
        {
                return;
        }
-       
+
        this->mutex->lock(this->mutex);
        ifaces = this->ifaces->create_enumerator(this->ifaces);
        while (ifaces->enumerate(ifaces, &iface))
@@ -236,7 +236,7 @@ static void process_addr(private_kernel_pfroute_net_t *this,
                                }
                        }
                        addrs->destroy(addrs);
-                       
+
                        if (!found && ifa->ifam_type == RTM_NEWADDR)
                        {
                                changed = TRUE;
@@ -247,7 +247,7 @@ static void process_addr(private_kernel_pfroute_net_t *this,
                                iface->addrs->insert_last(iface->addrs, addr);
                                DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
                        }
-                       
+
                        if (changed && (iface->flags & IFF_UP))
                        {
                                roam = TRUE;
@@ -258,7 +258,7 @@ static void process_addr(private_kernel_pfroute_net_t *this,
        ifaces->destroy(ifaces);
        this->mutex->unlock(this->mutex);
        host->destroy(host);
-       
+
        if (roam)
        {
                fire_roam_job(this, TRUE);
@@ -275,12 +275,12 @@ static void process_link(private_kernel_pfroute_net_t *this,
        enumerator_t *enumerator;
        iface_entry_t *iface;
        bool roam = FALSE;
-       
+
        if (msg->ifm_flags & IFF_LOOPBACK)
        {       /* ignore loopback interfaces */
                return;
        }
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->ifaces->create_enumerator(this->ifaces);
        while (enumerator->enumerate(enumerator, &iface))
@@ -303,7 +303,7 @@ static void process_link(private_kernel_pfroute_net_t *this,
        }
        enumerator->destroy(enumerator);
        this->mutex->unlock(this->mutex);
-       
+
        if (roam)
        {
                fire_roam_job(this, TRUE);
@@ -327,11 +327,11 @@ static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
        unsigned char buf[PFROUTE_BUFFER_SIZE];
        struct rt_msghdr *msg = (struct rt_msghdr*)buf;
        int len, oldstate;
-       
+
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
        len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
        pthread_setcancelstate(oldstate, NULL);
-       
+
        if (len < 0)
        {
                switch (errno)
@@ -348,14 +348,14 @@ static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
                                return JOB_REQUEUE_FAIR;
                }
        }
-       
+
        if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
                msg->rtm_version != RTM_VERSION)
        {
                DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
                return JOB_REQUEUE_DIRECT;
        }
-       
+
        switch (msg->rtm_type)
        {
                case RTM_NEWADDR:
@@ -372,7 +372,7 @@ static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
                default:
                        break;
        }
-       
+
        return JOB_REQUEUE_DIRECT;
 }
 
@@ -491,7 +491,7 @@ static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
        }
        ifaces->destroy(ifaces);
        this->mutex->unlock(this->mutex);
-       
+
        if (name)
        {
                DBG2(DBG_KNL, "%H is on interface %s", ip, name);
@@ -564,15 +564,15 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
        iface_entry_t *iface, *current;
        addr_entry_t *addr;
        enumerator_t *ifaces, *addrs;
-       
+
        DBG1(DBG_KNL, "listening on interfaces:");
-       
+
        if (getifaddrs(&ifap) < 0)
        {
                DBG1(DBG_KNL, "  failed to get interfaces!");
                return FAILED;
        }
-       
+
        for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
        {
                if (ifa->ifa_addr == NULL)
@@ -589,7 +589,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
                                {       /* ignore loopback interfaces */
                                        continue;
                                }
-                               
+
                                iface = NULL;
                                ifaces = this->ifaces->create_enumerator(this->ifaces);
                                while (ifaces->enumerate(ifaces, &current))
@@ -601,7 +601,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
                                        }
                                }
                                ifaces->destroy(ifaces);
-                               
+
                                if (!iface)
                                {
                                        iface = malloc_thing(iface_entry_t);
@@ -611,7 +611,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
                                        iface->addrs = linked_list_create();
                                        this->ifaces->insert_last(this->ifaces, iface);
                                }
-                               
+
                                if (ifa->ifa_addr->sa_family != AF_LINK)
                                {
                                        addr = malloc_thing(addr_entry_t);
@@ -624,7 +624,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
                }
        }
        freeifaddrs(ifap);
-       
+
        ifaces = this->ifaces->create_enumerator(this->ifaces);
        while (ifaces->enumerate(ifaces, &iface))
        {
@@ -640,7 +640,7 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
                }
        }
        ifaces->destroy(ifaces);
-       
+
        return SUCCESS;
 }
 
@@ -664,7 +664,7 @@ static void destroy(private_kernel_pfroute_net_t *this)
 kernel_pfroute_net_t *kernel_pfroute_net_create()
 {
        private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
-       
+
        /* public functions */
        this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
        this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
@@ -674,38 +674,38 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
        this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
        this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
        this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-       
+
        this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
-       
+
        /* private members */
        this->ifaces = linked_list_create();
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
        this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT);
-       
+
        this->seq = 0;
-       
+
        /* create a PF_ROUTE socket to communicate with the kernel */
        this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
        if (this->socket <= 0)
        {
                charon->kill(charon, "unable to create PF_ROUTE socket");
        }
-       
+
        /* create a PF_ROUTE socket to receive events */
        this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
        if (this->socket_events <= 0)
        {
                charon->kill(charon, "unable to create PF_ROUTE event socket");
        }
-       
+
        this->job = callback_job_create((callback_job_cb_t)receive_events,
                                                                        this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        if (init_address_list(this) != SUCCESS)
        {
                charon->kill(charon, "unable to get interface list");
        }
-       
+
        return &this->public;
 }
index 767049bb019f022766cddb86dc5ba36fd5b7cd44..e73cbeafb5341caaa8c501f3332aa8357a36ad18 100644 (file)
@@ -48,11 +48,11 @@ static void destroy(private_kernel_pfroute_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        charon->kernel_interface->add_net_interface(charon->kernel_interface,
                                                (kernel_net_constructor_t)kernel_pfroute_net_create);
-       
+
        return &this->public.plugin;
 }
index aecaf624f5830c017d8031bb7e23838b6a427188..74a62f667b730817d9238669c2c8bbf0453dc80d 100644 (file)
@@ -28,52 +28,52 @@ struct private_load_tester_config_t {
         * Public part
         */
        load_tester_config_t public;
-       
+
        /**
         * peer config
         */
        peer_cfg_t *peer_cfg;
-       
+
        /**
         * virtual IP, if any
         */
        host_t *vip;
-       
+
        /**
         * Remote address
         */
        char *remote;
-       
+
        /**
         * IP address pool
         */
        char *pool;
-       
+
        /**
         * IKE proposal
         */
        proposal_t *proposal;
-       
+
        /**
         * Authentication method(s) to use/expect from initiator
         */
        char *initiator_auth;
-       
+
        /**
         * Authentication method(s) use/expected from responder
         */
        char *responder_auth;
-       
+
        /**
         * IKE_SA rekeying delay
         */
        u_int ike_rekey;
-       
+
        /**
         * CHILD_SA rekeying delay
         */
        u_int child_rekey;
-       
+
        /**
         * incremental numbering of generated configs
         */
@@ -93,13 +93,13 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
        eap_type_t type;
        char buf[128];
        int rnd = 0;
-       
+
        enumerator = enumerator_create_token(str, "|", " ");
        while (enumerator->enumerate(enumerator, &str))
        {
                auth = auth_cfg_create();
                rnd++;
-               
+
                if (streq(str, "psk"))
                {       /* PSK authentication, use FQDNs */
                        class = AUTH_CLASS_PSK;
@@ -188,7 +188,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
                        .jitter = 0
                }
        };
-       
+
        ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", this->remote);
        ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
        peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
@@ -208,7 +208,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
                generate_auth_cfg(this, this->responder_auth, peer_cfg, TRUE, num);
                generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
        }
-       
+
        child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
                                                                 MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
        proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
@@ -225,7 +225,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
  * Implementation of backend_t.create_peer_cfg_enumerator.
  */
 static enumerator_t* create_peer_cfg_enumerator(private_load_tester_config_t *this,
-                                                                                               identification_t *me, 
+                                                                                               identification_t *me,
                                                                                                identification_t *other)
 {
        return enumerator_create_single(this->peer_cfg, NULL);
@@ -273,12 +273,12 @@ static void destroy(private_load_tester_config_t *this)
 load_tester_config_t *load_tester_config_create()
 {
        private_load_tester_config_t *this = malloc_thing(private_load_tester_config_t);
-       
+
        this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
        this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
        this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
        this->public.destroy = (void(*)(load_tester_config_t*))destroy;
-       
+
        this->vip = NULL;
        if (lib->settings->get_bool(lib->settings,
                                "charon.plugins.load_tester.request_virtual_ip", FALSE))
@@ -287,9 +287,9 @@ load_tester_config_t *load_tester_config_create()
        }
        this->pool = lib->settings->get_str(lib->settings,
                                "charon.plugins.load_tester.pool", NULL);
-       this->remote = lib->settings->get_str(lib->settings, 
+       this->remote = lib->settings->get_str(lib->settings,
                                "charon.plugins.load_tester.remote", "127.0.0.1");
-                               
+
        this->proposal = proposal_create_from_string(PROTO_IKE,
                        lib->settings->get_str(lib->settings,
                                "charon.plugins.load_tester.proposal", "aes128-sha1-modp768"));
@@ -302,15 +302,15 @@ load_tester_config_t *load_tester_config_create()
                                "charon.plugins.load_tester.ike_rekey", 0);
        this->child_rekey = lib->settings->get_int(lib->settings,
                                "charon.plugins.load_tester.child_rekey", 600);
-       
+
        this->initiator_auth = lib->settings->get_str(lib->settings,
                                "charon.plugins.load_tester.initiator_auth", "pubkey");
        this->responder_auth = lib->settings->get_str(lib->settings,
                                "charon.plugins.load_tester.responder_auth", "pubkey");
-       
+
        this->num = 1;
        this->peer_cfg = generate_config(this, 0);
-       
+
        return &this->public;
 }
 
index f09a3f8328feb8340df7ddad505ab7de7d74ae97..c22387743f83db85b88a330dd6c2445ac076a3c8 100644 (file)
@@ -34,11 +34,11 @@ struct load_tester_config_t {
         * Implements backend_t interface
         */
        backend_t backend;
-       
+
        /**
         * Destroy the backend.
         */
-       void (*destroy)(load_tester_config_t *this);    
+       void (*destroy)(load_tester_config_t *this);
 };
 
 /**
index b32380d306c8af1ea3f000cec9f8b181b76198ad..ec3606c0b509284bace9c77e19d12b2f2a9cbf7d 100644 (file)
@@ -32,27 +32,27 @@ struct private_load_tester_creds_t {
         * Public part
         */
        load_tester_creds_t public;
-       
+
        /**
         * Private key to create signatures
         */
        private_key_t *private;
-       
+
        /**
         * CA certificate, to issue/verify peer certificates
         */
        certificate_t *ca;
-       
+
        /**
         * serial number to issue certificates
         */
        u_int32_t serial;
-       
+
        /**
         * Preshared key
         */
        shared_key_t *shared;
-       
+
        /**
         * Identification for shared key
         */
@@ -196,7 +196,7 @@ static enumerator_t* create_private_enumerator(private_load_tester_creds_t *this
        if (id)
        {
                chunk_t keyid;
-               
+
                if (!this->private->get_fingerprint(this->private,
                                                                                        KEY_ID_PUBKEY_SHA1, &keyid) ||
                        !chunk_equals(keyid, id->get_encoding(id)))
@@ -219,7 +219,7 @@ static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
        u_int32_t serial;
        time_t now;
        chunk_t keyid;
-       
+
        if (this->ca == NULL)
        {
                return NULL;
@@ -278,7 +278,7 @@ static enumerator_t* create_cert_enumerator(private_load_tester_creds_t *this,
 /**
  * Implements credential_set_t.create_shared_enumerator
  */
-static enumerator_t* create_shared_enumerator(private_load_tester_creds_t *this, 
+static enumerator_t* create_shared_enumerator(private_load_tester_creds_t *this,
                                                        shared_key_type_t type, identification_t *me,
                                                        identification_t *other)
 {
@@ -319,17 +319,17 @@ load_tester_creds_t *load_tester_creds_create()
        this->public.credential_set.create_cdp_enumerator  = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
        this->public.credential_set.cache_cert = (void (*)(credential_set_t *, certificate_t *))nop;
        this->public.destroy = (void(*) (load_tester_creds_t*))destroy;
-       
+
        this->private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                BUILD_BLOB_ASN1_DER, chunk_create(private, sizeof(private)),
                                BUILD_END);
-       
+
        this->ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                BUILD_BLOB_ASN1_DER, chunk_create(cert, sizeof(cert)),
                                BUILD_X509_FLAG, X509_CA,
                                BUILD_END);
-       
-       this->shared = shared_key_create(SHARED_IKE, 
+
+       this->shared = shared_key_create(SHARED_IKE,
                                                                         chunk_clone(chunk_create(psk, sizeof(psk))));
        this->id = identification_create_from_string("CN=*, OU=load-test, O=strongSwan");
        this->serial = 0;
index 60cf67795d16bb1f687fbea336804d0ab3597495..fb3541164b98ca259eb834d83c61f4941a4a7e35 100644 (file)
@@ -34,11 +34,11 @@ struct load_tester_creds_t {
         * Implements credential set interface.
         */
        credential_set_t credential_set;
-       
+
        /**
         * Destroy the backend.
         */
-       void (*destroy)(load_tester_creds_t *this);     
+       void (*destroy)(load_tester_creds_t *this);
 };
 
 /**
index 87d9ef42bbfd7ce01dec03b593c8949a6f5bebf1..d5ec3599b8511bddfabeb4f8a20c7bf782777e83 100644 (file)
@@ -49,19 +49,19 @@ load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
                                                                                                diffie_hellman_group_t group)
 {
        load_tester_diffie_hellman_t *this;
-       
+
        if (group != MODP_NULL)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(load_tester_diffie_hellman_t);
-       
+
        this->dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *))get_shared_secret;
        this->dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t ))nop;
        this->dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *))get_my_public_value;
        this->dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *))get_dh_group;
        this->dh.destroy = (void (*)(diffie_hellman_t *))free;
-       
+
        return this;
 }
index 045c4bb4a8898a083be973e7a5332af1f1c0f39e..1014429a96aa27a12fb120458767ee4f1490c1e5 100644 (file)
@@ -29,7 +29,7 @@ typedef struct load_tester_diffie_hellman_t load_tester_diffie_hellman_t;
  * A NULL Diffie Hellman implementation to avoid calculation overhead in tests.
  */
 struct load_tester_diffie_hellman_t {
-       
+
        /**
         * Implements diffie_hellman_t interface.
         */
@@ -38,7 +38,7 @@ struct load_tester_diffie_hellman_t {
 
 /**
  * Creates a new gmp_diffie_hellman_t object.
- * 
+ *
  * @param group                        Diffie Hellman group, supports MODP_NULL only
  * @return                             gmp_diffie_hellman_t object
  */
index 76460c3e1d42a624ed94932b9e629d3b1ed64398..b6c9f6bbfd9b8afd5290499538f7ccc9756aa1e4 100644 (file)
@@ -27,7 +27,7 @@ struct private_load_tester_ipsec_t {
         * Public interface.
         */
        load_tester_ipsec_t public;
-       
+
        /**
         * faked SPI counter
         */
@@ -37,8 +37,8 @@ struct private_load_tester_ipsec_t {
 /**
  * Implementation of kernel_interface_t.get_spi.
  */
-static status_t get_spi(private_load_tester_ipsec_t *this, 
-                                               host_t *src, host_t *dst, 
+static status_t get_spi(private_load_tester_ipsec_t *this,
+                                               host_t *src, host_t *dst,
                                                protocol_id_t protocol, u_int32_t reqid,
                                                u_int32_t *spi)
 {
@@ -49,8 +49,8 @@ static status_t get_spi(private_load_tester_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.get_cpi.
  */
-static status_t get_cpi(private_load_tester_ipsec_t *this, 
-                                               host_t *src, host_t *dst, 
+static status_t get_cpi(private_load_tester_ipsec_t *this,
+                                               host_t *src, host_t *dst,
                                                u_int32_t reqid, u_int16_t *cpi)
 {
        return FAILED;
@@ -122,7 +122,7 @@ static status_t add_policy(private_load_tester_ipsec_t *this,
  * Implementation of kernel_interface_t.query_policy.
  */
 static status_t query_policy(private_load_tester_ipsec_t *this,
-                                                        traffic_selector_t *src_ts, 
+                                                        traffic_selector_t *src_ts,
                                                         traffic_selector_t *dst_ts,
                                                         policy_dir_t direction, u_int32_t *use_time)
 {
@@ -134,7 +134,7 @@ static status_t query_policy(private_load_tester_ipsec_t *this,
  * Implementation of kernel_interface_t.del_policy.
  */
 static status_t del_policy(private_load_tester_ipsec_t *this,
-                                                  traffic_selector_t *src_ts, 
+                                                  traffic_selector_t *src_ts,
                                                   traffic_selector_t *dst_ts,
                                                   policy_dir_t direction, bool unrouted)
 {
@@ -155,7 +155,7 @@ static void destroy(private_load_tester_ipsec_t *this)
 load_tester_ipsec_t *load_tester_ipsec_create()
 {
        private_load_tester_ipsec_t *this = malloc_thing(private_load_tester_ipsec_t);
-       
+
        /* public functions */
        this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
@@ -167,9 +167,9 @@ load_tester_ipsec_t *load_tester_ipsec_create()
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
        this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
-       
+
        this->spi = 0;
-       
+
        return &this->public;
 }
 
index fe9a90aed87d6387311e96fad5506b0b602f7d43..0708b35b672c3549220885a1b842c9f5f8d75d3f 100644 (file)
@@ -30,7 +30,7 @@ struct private_load_tester_listener_t {
         * Public part
         */
        load_tester_listener_t public;
-       
+
        /**
         * Delete IKE_SA after it has been established
         */
@@ -40,7 +40,7 @@ struct private_load_tester_listener_t {
         * Number of established SAs
         */
        u_int established;
-       
+
        /**
         * Shutdown the daemon if we have established this SA count
         */
@@ -56,13 +56,13 @@ static bool ike_state_change(private_load_tester_listener_t *this,
        if (state == IKE_ESTABLISHED)
        {
                ike_sa_id_t *id = ike_sa->get_id(ike_sa);
-       
+
                if (this->delete_after_established)
                {
                        charon->processor->queue_job(charon->processor,
                                                                        (job_t*)delete_ike_sa_job_create(id, TRUE));
                }
-               
+
                if (id->is_initiator(id))
                {
                        if (this->shutdown_on == ++this->established)
@@ -86,17 +86,17 @@ static void destroy(private_load_tester_listener_t *this)
 load_tester_listener_t *load_tester_listener_create(u_int shutdown_on)
 {
        private_load_tester_listener_t *this = malloc_thing(private_load_tester_listener_t);
-       
+
        memset(&this->public.listener, 0, sizeof(listener_t));
        this->public.listener.ike_state_change = (void*)ike_state_change;
        this->public.destroy = (void(*) (load_tester_listener_t*))destroy;
-       
+
        this->delete_after_established = lib->settings->get_bool(lib->settings,
                                "charon.plugins.load_tester.delete_after_established", FALSE);
-       
+
        this->shutdown_on = shutdown_on;
        this->established = 0;
-       
+
        return &this->public;
 }
 
index 6842b35326125745ea3617fdfe092db3fcc3e5f0..b9599294cdec303be5533f6d5c08d7eabdf43970 100644 (file)
@@ -34,11 +34,11 @@ struct load_tester_listener_t {
         * Implements listener set interface.
         */
        listener_t listener;
-       
+
        /**
         * Destroy the backend.
         */
-       void (*destroy)(load_tester_listener_t *this);  
+       void (*destroy)(load_tester_listener_t *this);
 };
 
 /**
index 93ed2e3c5927d5c98f247ecaddd7f43a6f1c6de0..d857a460273c87fcb6527b5511915ad6c14773f7 100644 (file)
@@ -37,47 +37,47 @@ struct private_load_tester_plugin_t {
         * implements plugin interface
         */
        load_tester_plugin_t public;
-       
+
        /**
         * load_tester configuration backend
         */
        load_tester_config_t *config;
-       
+
        /**
         * load_tester credential set implementation
         */
        load_tester_creds_t *creds;
-       
+
        /**
         * event handler, listens on bus
         */
        load_tester_listener_t *listener;
-       
+
        /**
         * number of iterations per thread
         */
        int iterations;
-       
+
        /**
         * number desired initiator threads
         */
        int initiators;
-       
+
        /**
         * currenly running initiators
         */
        int running;
-       
+
        /**
         * delay between initiations, in ms
         */
        int delay;
-       
+
        /**
         * mutex to lock running field
         */
        mutex_t *mutex;
-       
+
        /**
         * condvar to wait for initiators
         */
@@ -90,7 +90,7 @@ struct private_load_tester_plugin_t {
 static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
 {
        int i, s = 0, ms = 0;
-       
+
        this->mutex->lock(this->mutex);
        if (!this->running)
        {
@@ -102,13 +102,13 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
                s = this->delay / 1000;
                ms = this->delay % 1000;
        }
-       
+
        for (i = 0; this->iterations == 0 || i < this->iterations; i++)
        {
                peer_cfg_t *peer_cfg;
                child_cfg_t *child_cfg = NULL;
                enumerator_t *enumerator;
-       
+
                peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
                                                                                                                  "load-test");
                if (!peer_cfg)
@@ -122,7 +122,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
                        break;
                }
                enumerator->destroy(enumerator);
-               
+
                charon->controller->initiate(charon->controller,
                                        peer_cfg, child_cfg->get_ref(child_cfg),
                                        NULL, NULL);
@@ -176,20 +176,20 @@ plugin_t *plugin_create()
 {
        private_load_tester_plugin_t *this;
        u_int i, shutdown_on = 0;
-       
+
        if (!lib->settings->get_bool(lib->settings,
                                                                 "charon.plugins.load_tester.enable", FALSE))
        {
                DBG1(DBG_CFG, "disabling load-tester plugin, not configured");
                return NULL;
        }
-       
+
        this = malloc_thing(private_load_tester_plugin_t);
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
-       lib->crypto->add_dh(lib->crypto, MODP_NULL, 
+
+       lib->crypto->add_dh(lib->crypto, MODP_NULL,
                                                (dh_constructor_t)load_tester_diffie_hellman_create);
-       
+
        this->delay = lib->settings->get_int(lib->settings,
                                        "charon.plugins.load_tester.delay", 0);
        this->iterations = lib->settings->get_int(lib->settings,
@@ -201,7 +201,7 @@ plugin_t *plugin_create()
        {
                shutdown_on = this->iterations * this->initiators;
        }
-       
+
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
        this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
        this->config = load_tester_config_create();
@@ -210,17 +210,17 @@ plugin_t *plugin_create()
        charon->backends->add_backend(charon->backends, &this->config->backend);
        charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
        charon->bus->add_listener(charon->bus, &this->listener->listener);
-       
+
        if (lib->settings->get_bool(lib->settings,
                                        "charon.plugins.load_tester.fake_kernel", FALSE))
        {
-               charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, 
+               charon->kernel_interface->add_ipsec_interface(charon->kernel_interface,
                                                (kernel_ipsec_constructor_t)load_tester_ipsec_create);
        }
        this->running = 0;
        for (i = 0; i < this->initiators; i++)
        {
-               charon->processor->queue_job(charon->processor, 
+               charon->processor->queue_job(charon->processor,
                                        (job_t*)callback_job_create((callback_job_cb_t)do_load_test,
                                                                                                this, NULL, NULL));
        }
index 87e8914e09c1b580130c88b9b92c695b746515c5..e33f06ac73b91a31ce393b54e73eedd816376a16 100644 (file)
@@ -31,7 +31,7 @@ typedef struct load_tester_plugin_t load_tester_plugin_t;
 /**
  * Load tester plugin to inspect system core under high load.
  *
- * This plugin 
+ * This plugin
  */
 struct load_tester_plugin_t {
 
index 9d3998757c72b93d3d41605c122404c8fab9af1c..505e744e1486e7f32530d349ff4e0d3f1b3d133e 100644 (file)
@@ -32,22 +32,22 @@ struct private_medcli_config_t {
         * Public part
         */
        medcli_config_t public;
-       
+
        /**
         * database connection
         */
        database_t *db;
-       
+
        /**
         * rekey time
         */
        int rekey;
-       
+
        /**
         * dpd delay
         */
        int dpd;
-       
+
        /**
         * default ike config
         */
@@ -64,7 +64,7 @@ static traffic_selector_t *ts_from_string(char *str)
                int netbits = 32;
                host_t *net;
                char *pos;
-               
+
                str = strdupa(str);
                pos = strchr(str, '/');
                if (pos)
@@ -107,9 +107,9 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
                        .jitter = this->rekey
                }
        };
-       
+
        /* query mediation server config:
-        * - build ike_cfg/peer_cfg for mediation connection on-the-fly 
+        * - build ike_cfg/peer_cfg for mediation connection on-the-fly
         */
        e = this->db->query(this->db,
                        "SELECT Address, ClientConfig.KeyId, MediationServerConfig.KeyId "
@@ -124,14 +124,14 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
        ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
        med_cfg = peer_cfg_create(
                "mediation", 2, ike_cfg,
-               CERT_NEVER_SEND, UNIQUE_REPLACE, 
+               CERT_NEVER_SEND, UNIQUE_REPLACE,
                1, this->rekey*60, 0,                   /* keytries, rekey, reauth */
                this->rekey*5, this->rekey*3,   /* jitter, overtime */
                TRUE, this->dpd,                                /* mobike, dpddelay */
                NULL, NULL,                                     /* vip, pool */
                TRUE, NULL, NULL);                              /* mediation, med by, peer id */
        e->destroy(e);
-       
+
        auth = auth_cfg_create();
        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
        auth->add(auth, AUTH_RULE_IDENTITY,
@@ -142,7 +142,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
        auth->add(auth, AUTH_RULE_IDENTITY,
                          identification_create_from_encoding(ID_KEY_ID, other));
        med_cfg->add_auth_cfg(med_cfg, auth, FALSE);
-       
+
        /* query mediated config:
         * - use any-any ike_cfg
         * - build peer_cfg on-the-fly using med_cfg
@@ -161,14 +161,14 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
        }
        peer_cfg = peer_cfg_create(
                name, 2, this->ike->get_ref(this->ike),
-               CERT_NEVER_SEND, UNIQUE_REPLACE, 
+               CERT_NEVER_SEND, UNIQUE_REPLACE,
                1, this->rekey*60, 0,                   /* keytries, rekey, reauth */
                this->rekey*5, this->rekey*3,   /* jitter, overtime */
                TRUE, this->dpd,                                /* mobike, dpddelay */
                NULL, NULL,                                     /* vip, pool */
                FALSE, med_cfg,                                 /* mediation, med by */
                identification_create_from_encoding(ID_KEY_ID, other));
-       
+
        auth = auth_cfg_create();
        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
        auth->add(auth, AUTH_RULE_IDENTITY,
@@ -179,7 +179,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
        auth->add(auth, AUTH_RULE_IDENTITY,
                          identification_create_from_encoding(ID_KEY_ID, other));
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-       
+
        child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE,
                                                          MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
@@ -240,13 +240,13 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
        }
        this->current = peer_cfg_create(
                                name, 2, this->ike->get_ref(this->ike),
-                               CERT_NEVER_SEND, UNIQUE_REPLACE, 
+                               CERT_NEVER_SEND, UNIQUE_REPLACE,
                                1, this->rekey*60, 0,                   /* keytries, rekey, reauth */
                                this->rekey*5, this->rekey*3,   /* jitter, overtime */
                                TRUE, this->dpd,                                /* mobike, dpddelay */
                                NULL, NULL,                                     /* vip, pool */
                                FALSE, NULL, NULL);                     /* mediation, med by, peer id */
-       
+
        auth = auth_cfg_create();
        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
        auth->add(auth, AUTH_RULE_IDENTITY,
@@ -257,7 +257,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
        auth->add(auth, AUTH_RULE_IDENTITY,
                          identification_create_from_encoding(ID_KEY_ID, other));
        this->current->add_auth_cfg(this->current, auth, FALSE);
-       
+
        child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
                                                                 ACTION_NONE, ACTION_NONE, FALSE);
        child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
@@ -286,7 +286,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medcli_config_t *this,
                                                                                                identification_t *other)
 {
        peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
-       
+
        e->current = NULL;
        e->ike = this->ike;
        e->rekey = this->rekey;
@@ -300,12 +300,12 @@ static enumerator_t* create_peer_cfg_enumerator(private_medcli_config_t *this,
                        "Connection.LocalSubnet, Connection.RemoteSubnet "
                        "FROM ClientConfig JOIN Connection "
                        "WHERE Active AND "
-                       "(? OR ClientConfig.KeyId = ?) AND (? OR Connection.KeyId = ?)", 
-                       DB_INT, me == NULL || me->get_type(me) == ID_ANY, 
-                       DB_BLOB, me && me->get_type(me) == ID_KEY_ID ? 
+                       "(? OR ClientConfig.KeyId = ?) AND (? OR Connection.KeyId = ?)",
+                       DB_INT, me == NULL || me->get_type(me) == ID_ANY,
+                       DB_BLOB, me && me->get_type(me) == ID_KEY_ID ?
                                me->get_encoding(me) : chunk_empty,
-                       DB_INT, other == NULL || other->get_type(other) == ID_ANY, 
-                       DB_BLOB, other && other->get_type(other) == ID_KEY_ID ? 
+                       DB_INT, other == NULL || other->get_type(other) == ID_ANY,
+                       DB_BLOB, other && other->get_type(other) == ID_KEY_ID ?
                                other->get_encoding(other) : chunk_empty,
                        DB_TEXT, DB_BLOB, DB_BLOB, DB_TEXT, DB_TEXT);
        if (!e->inner)
@@ -323,7 +323,7 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
 {
        enumerator_t *enumerator;
        child_cfg_t *child_cfg = NULL;;
-       
+
        enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
        enumerator->enumerate(enumerator, &child_cfg);
        if (child_cfg)
@@ -348,7 +348,7 @@ static void schedule_autoinit(private_medcli_config_t *this)
 {
        enumerator_t *e;
        char *name;
-       
+
        e = this->db->query(this->db, "SELECT Alias FROM Connection WHERE Active",
                                                DB_TEXT);
        if (e)
@@ -356,7 +356,7 @@ static void schedule_autoinit(private_medcli_config_t *this)
                while (e->enumerate(e, &name))
                {
                        peer_cfg_t *peer_cfg;
-                       
+
                        peer_cfg = get_peer_cfg_by_name(this, name);
                        if (peer_cfg)
                        {
@@ -391,15 +391,15 @@ medcli_config_t *medcli_config_create(database_t *db)
        this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
        this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
        this->public.destroy = (void(*)(medcli_config_t*))destroy;
-       
+
        this->db = db;
        this->rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200);
        this->dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300);
        this->ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", "0.0.0.0");
        this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
-       
+
        schedule_autoinit(this);
-       
+
        return &this->public;
 }
 
index a37280bd0c4b1a2745890687c19763a0c057b42e..36c20adf7bb2549295a89a4ce15c3d99cade0e64 100644 (file)
@@ -35,11 +35,11 @@ struct medcli_config_t {
         * Implements backend_t interface
         */
        backend_t backend;
-       
+
        /**
         * Destroy the backend.
         */
-       void (*destroy)(medcli_config_t *this); 
+       void (*destroy)(medcli_config_t *this);
 };
 
 /**
index d3c66ae3559ff67bb2f78907067e0f6ac8165ac3..77791362845ee11cabd0f27f50fa3e3b7bf63b3a 100644 (file)
@@ -30,7 +30,7 @@ struct private_medcli_creds_t {
         * Public part
         */
        medcli_creds_t public;
-       
+
        /**
         * underlying database handle
         */
@@ -90,21 +90,21 @@ static enumerator_t* create_private_enumerator(private_medcli_creds_t *this,
                                                                                key_type_t type, identification_t *id)
 {
        private_enumerator_t *e;
-       
+
        if ((type != KEY_RSA && type != KEY_ANY) ||
                id == NULL || id->get_type(id) != ID_KEY_ID)
        {
                DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id);
                return NULL;
        }
-       
+
        e = malloc_thing(private_enumerator_t);
        e->current = NULL;
        e->public.enumerate = (void*)private_enumerator_enumerate;
        e->public.destroy = (void*)private_enumerator_destroy;
        e->inner = this->db->query(this->db,
                                                "SELECT PrivateKey FROM ClientConfig WHERE KeyId = ?",
-                                               DB_BLOB, id->get_encoding(id), 
+                                               DB_BLOB, id->get_encoding(id),
                                                DB_BLOB);
        if (!e->inner)
        {
@@ -185,13 +185,13 @@ static enumerator_t* create_cert_enumerator(private_medcli_creds_t *this,
                                                                                identification_t *id, bool trusted)
 {
        cert_enumerator_t *e;
-       
+
        if ((cert != CERT_TRUSTED_PUBKEY && cert != CERT_ANY) ||
                id == NULL || id->get_type(id) != ID_KEY_ID)
        {
                return NULL;
        }
-       
+
        e = malloc_thing(cert_enumerator_t);
        e->current = NULL;
        e->type = key;
@@ -235,9 +235,9 @@ medcli_creds_t *medcli_creds_create(database_t *db)
        this->public.set.cache_cert = (void*)nop;
 
        this->public.destroy = (void (*)(medcli_creds_t*))destroy;
-       
+
        this->db = db;
-       
+
        return &this->public;
 }
 
index 97bf1c226773be0cc706df52d4745ce60f837003..4b5402653835e11d088dd98badfe7bd685beb3f8 100644 (file)
@@ -35,11 +35,11 @@ struct medcli_creds_t {
         * Implements credential_set_t interface
         */
        credential_set_t set;
-       
+
        /**
         * Destroy the credentials databse.
         */
-       void (*destroy)(medcli_creds_t *this);  
+       void (*destroy)(medcli_creds_t *this);
 };
 
 /**
index 4d058c0cdb6d6400f213a3c0d255255577cfb5be..142f02e6cf5c4ecab0552da5fe62e15119d3b36e 100644 (file)
@@ -39,7 +39,7 @@ struct private_medcli_listener_t {
         * Public part
         */
        medcli_listener_t public;
-       
+
        /**
         * underlying database handle
         */
@@ -117,17 +117,17 @@ static void destroy(private_medcli_listener_t *this)
 medcli_listener_t *medcli_listener_create(database_t *db)
 {
        private_medcli_listener_t *this = malloc_thing(private_medcli_listener_t);
-       
+
        memset(&this->public.listener, 0, sizeof(listener_t));
-       
+
        this->public.listener.ike_state_change = (void*)ike_state_change;
        this->public.listener.child_state_change = (void*)child_state_change;
        this->public.destroy = (void (*)(medcli_listener_t*))destroy;
-       
+
        this->db = db;
        db->execute(db, NULL, "UPDATE Connection SET Status = ?",
                                DB_UINT, STATE_DOWN);
-       
+
        return &this->public;
 }
 
index c6881f88ab90b37fb235a3830744b875bcfc9ff8..4768beccd06e15c6209808f699e2ddbd49fc6490 100644 (file)
@@ -35,11 +35,11 @@ struct medcli_listener_t {
         * Implements bus_listener_t interface
         */
        listener_t listener;
-       
+
        /**
         * Destroy the credentials databse.
         */
-       void (*destroy)(medcli_listener_t *this);       
+       void (*destroy)(medcli_listener_t *this);
 };
 
 /**
index 908b144f097282b4e2a7f01b595097251827cd0f..148eded618fbe9b73be6f7ff5e1672589eb7acf2 100644 (file)
@@ -32,22 +32,22 @@ struct private_medcli_plugin_t {
         * implements plugin interface
         */
        medcli_plugin_t public;
-       
+
        /**
         * database connection instance
         */
        database_t *db;
-       
+
        /**
         * medcli credential set instance
         */
        medcli_creds_t *creds;
-       
+
        /**
         * medcli config database
         */
        medcli_config_t *config;
-       
+
        /**
         * Listener to update database connection state
         */
@@ -76,9 +76,9 @@ plugin_t *plugin_create()
 {
        char *uri;
        private_medcli_plugin_t *this = malloc_thing(private_medcli_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        uri = lib->settings->get_str(lib->settings,
                                                                 "medcli.database", NULL);
        if (!uri)
@@ -87,7 +87,7 @@ plugin_t *plugin_create()
                free(this);
                return NULL;
        }
-       
+
        this->db = lib->db->create(lib->db, uri);
        if (this->db == NULL)
        {
@@ -95,15 +95,15 @@ plugin_t *plugin_create()
                free(this);
                return NULL;
        }
-       
+
        this->creds = medcli_creds_create(this->db);
        this->config = medcli_config_create(this->db);
        this->listener = medcli_listener_create(this->db);
-       
+
        charon->credentials->add_set(charon->credentials, &this->creds->set);
        charon->backends->add_backend(charon->backends, &this->config->backend);
        charon->bus->add_listener(charon->bus, &this->listener->listener);
-       
+
        return &this->public.plugin;
 }
 
index 1ab7f386421a2af8a2ff4ce7a00bb9d32f6e1eb5..3df7209675009b666b4b26737fde4c079204528f 100644 (file)
@@ -30,22 +30,22 @@ struct private_medsrv_config_t {
         * Public part
         */
        medsrv_config_t public;
-       
+
        /**
         * database connection
         */
        database_t *db;
-       
+
        /**
         * rekey time
         */
        int rekey;
-       
+
        /**
         * dpd delay
         */
        int dpd;
-       
+
        /**
         * default ike config
         */
@@ -77,7 +77,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
                                                                                                identification_t *other)
 {
        enumerator_t *e;
-       
+
        if (!me || !other || other->get_type(other) != ID_KEY_ID)
        {
                return NULL;
@@ -92,7 +92,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
                peer_cfg_t *peer_cfg;
                auth_cfg_t *auth;
                char *name;
-               
+
                if (e->enumerate(e, &name))
                {
                        peer_cfg = peer_cfg_create(
@@ -104,7 +104,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
                                NULL, NULL,                                     /* vip, pool */
                                TRUE, NULL, NULL);                              /* mediation, med by, peer id */
                        e->destroy(e);
-                       
+
                        auth = auth_cfg_create();
                        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
                        auth->add(auth, AUTH_RULE_IDENTITY, me->clone(me));
@@ -113,7 +113,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
                        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
                        auth->add(auth, AUTH_RULE_IDENTITY, other->clone(other));
                        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-                       
+
                        return enumerator_create_single(peer_cfg, (void*)peer_cfg->destroy);
                }
                e->destroy(e);
@@ -141,13 +141,13 @@ medsrv_config_t *medsrv_config_create(database_t *db)
        this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
        this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
        this->public.destroy = (void(*)(medsrv_config_t*))destroy;
-       
+
        this->db = db;
        this->rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200);
        this->dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300);
        this->ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", "0.0.0.0");
        this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
-       
+
        return &this->public;
 }
 
index 2ed63bca706d89f7d240ede8cedd798fff3999f0..fc8b0e972ec682f00713615256e6157bfaa3af59 100644 (file)
@@ -35,11 +35,11 @@ struct medsrv_config_t {
         * Implements backend_t interface
         */
        backend_t backend;
-       
+
        /**
         * Destroy the backend.
         */
-       void (*destroy)(medsrv_config_t *this); 
+       void (*destroy)(medsrv_config_t *this);
 };
 
 /**
index 7dac37f1ffa2854955d7ddedac820ebe466696d9..2127f56602e72b0e96f7a3404eb97723804c05df 100644 (file)
@@ -30,7 +30,7 @@ struct private_medsrv_creds_t {
         * Public part
         */
        medsrv_creds_t public;
-       
+
        /**
         * underlying database handle
         */
@@ -109,13 +109,13 @@ static enumerator_t* create_cert_enumerator(private_medsrv_creds_t *this,
                                                                                identification_t *id, bool trusted)
 {
        cert_enumerator_t *e;
-       
+
        if ((cert != CERT_TRUSTED_PUBKEY && cert != CERT_ANY) ||
                id == NULL || id->get_type(id) != ID_KEY_ID)
        {
                return NULL;
        }
-       
+
        e = malloc_thing(cert_enumerator_t);
        e->current = NULL;
        e->type = key;
@@ -155,9 +155,9 @@ medsrv_creds_t *medsrv_creds_create(database_t *db)
        this->public.set.cache_cert = (void*)nop;
 
        this->public.destroy = (void (*)(medsrv_creds_t*))destroy;
-       
+
        this->db = db;
-       
+
        return &this->public;
 }
 
index da23220c2e01fd474ddfc7fbeb0ae3a0287ac847..d08adf3bfc308be7624caf0271253e117c1c578e 100644 (file)
@@ -35,11 +35,11 @@ struct medsrv_creds_t {
         * Implements credential_set_t interface
         */
        credential_set_t set;
-       
+
        /**
         * Destroy the credentials databse.
         */
-       void (*destroy)(medsrv_creds_t *this);  
+       void (*destroy)(medsrv_creds_t *this);
 };
 
 /**
index 4340d79917172bcffd71f25e0cea84dc2168e03c..7c533f10e64f4a793b196c04e9ce198d582e33c3 100644 (file)
@@ -31,17 +31,17 @@ struct private_medsrv_plugin_t {
         * implements plugin interface
         */
        medsrv_plugin_t public;
-       
+
        /**
         * database connection instance
         */
        database_t *db;
-       
+
        /**
         * medsrv credential set instance
         */
        medsrv_creds_t *creds;
-       
+
        /**
         * medsrv config database
         */
@@ -68,9 +68,9 @@ plugin_t *plugin_create()
 {
        char *uri;
        private_medsrv_plugin_t *this = malloc_thing(private_medsrv_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        uri = lib->settings->get_str(lib->settings,
                                                                 "medsrv.database", NULL);
        if (!uri)
@@ -79,7 +79,7 @@ plugin_t *plugin_create()
                free(this);
                return NULL;
        }
-       
+
        this->db = lib->db->create(lib->db, uri);
        if (this->db == NULL)
        {
@@ -87,13 +87,13 @@ plugin_t *plugin_create()
                free(this);
                return NULL;
        }
-       
+
        this->creds = medsrv_creds_create(this->db);
        this->config = medsrv_config_create(this->db);
-       
+
        charon->credentials->add_set(charon->credentials, &this->creds->set);
        charon->backends->add_backend(charon->backends, &this->config->backend);
-       
+
        return &this->public.plugin;
 }
 
index 84b3387e17a43bac949bad21f2cf8b6bc34bb3ef..4ff926b22365cb15671cfa7441f927efdb25ba6d 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
- * Copyright (C) 2004 Dan Williams 
+ * Copyright (C) 2004 Dan Williams
  * Red Hat, Inc.
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -49,7 +49,7 @@ static char *lookup_password(char *name, char *service)
        for (iter = list; iter; iter = iter->next)
        {
                GnomeKeyringNetworkPasswordData *data = iter->data;
-               
+
                if (strcmp(data->object, "password") == 0 && data->password)
                {
                        pass = g_strdup(data->password);
@@ -97,7 +97,7 @@ static char* get_connection_type(char *uuid)
        }
        g_slist_foreach(list, (GFunc)g_free, NULL);
        g_slist_free(list);
-       
+
        if (found)
        {
                key = g_strdup_printf ("%s/%s/%s", found,
@@ -139,14 +139,14 @@ int main (int argc, char *argv[])
                                                                argc, argv,
                                                                GNOME_PARAM_GOPTION_CONTEXT, context,
                                                                GNOME_PARAM_NONE);
-       
+
        if (uuid == NULL || name == NULL || service == NULL)
        {
                fprintf (stderr, "Have to supply UUID, name, and service\n");
                g_object_unref (program);
                return 1;
        }
-       
+
        if (strcmp(service, NM_DBUS_SERVICE_STRONGSWAN) != 0)
        {
                fprintf(stderr, "This dialog only works with the '%s' service\n",
@@ -154,7 +154,7 @@ int main (int argc, char *argv[])
                g_object_unref (program);
                return 1;
        }
-       
+
        type = get_connection_type(uuid);
        if (!type)
        {
@@ -221,7 +221,7 @@ int main (int argc, char *argv[])
                else
                {
                        dialog = gtk_message_dialog_new(NULL, 0, GTK_MESSAGE_ERROR,
-                                                 GTK_BUTTONS_OK, 
+                                                 GTK_BUTTONS_OK,
                                                  _("Configuration uses ssh-agent for authentication, "
                                                  "but ssh-agent is not running!"));
                        gtk_dialog_run (GTK_DIALOG (dialog));
index 18bf097ea3198790966e7b2bc3379949113c9996..0c55d3abcb687826cb3f990d541f671731764d4f 100644 (file)
@@ -158,7 +158,7 @@ settings_changed_cb (GtkWidget *widget, gpointer user_data)
 {
        StrongswanPluginUiWidget *self = STRONGSWAN_PLUGIN_UI_WIDGET (user_data);
        StrongswanPluginUiWidgetPrivate *priv = STRONGSWAN_PLUGIN_UI_WIDGET_GET_PRIVATE (self);
-       
+
        if (widget == glade_xml_get_widget (priv->xml, "method-combo"))
        {
                update_layout(glade_xml_get_widget (priv->xml, "method-combo"), priv);
@@ -173,7 +173,7 @@ init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError
        NMSettingVPN *settings;
        GtkWidget *widget;
        const char *value;
-       
+
        settings = NM_SETTING_VPN(nm_connection_get_setting(connection, NM_TYPE_SETTING_VPN));
        widget = glade_xml_get_widget (priv->xml, "address-entry");
        value = nm_setting_vpn_get_data_item (settings, "address");
@@ -218,7 +218,7 @@ init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError
        }
        update_layout (widget, priv);
        g_signal_connect (G_OBJECT (widget), "changed", G_CALLBACK (settings_changed_cb), self);
-       
+
        widget = glade_xml_get_widget (priv->xml, "usercert-label");
        gtk_widget_set_no_show_all (widget, TRUE);
        widget = glade_xml_get_widget (priv->xml, "usercert-button");
@@ -227,7 +227,7 @@ init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError
        if (value)
                gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), value);
        g_signal_connect (G_OBJECT (widget), "selection-changed", G_CALLBACK (settings_changed_cb), self);
-       
+
        widget = glade_xml_get_widget (priv->xml, "userkey-label");
        gtk_widget_set_no_show_all (widget, TRUE);
        widget = glade_xml_get_widget (priv->xml, "userkey-button");
@@ -236,7 +236,7 @@ init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError
        if (value)
                gtk_file_chooser_set_filename (GTK_FILE_CHOOSER (widget), value);
        g_signal_connect (G_OBJECT (widget), "selection-changed", G_CALLBACK (settings_changed_cb), self);
-       
+
        widget = glade_xml_get_widget (priv->xml, "virtual-check");
        value = nm_setting_vpn_get_data_item (settings, "virtual");
        if (value && strcmp(value, "yes") == 0)
@@ -244,7 +244,7 @@ init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError
                gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(widget), TRUE);
        }
        g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (settings_changed_cb), self);
-       
+
        widget = glade_xml_get_widget (priv->xml, "encap-check");
        value = nm_setting_vpn_get_data_item (settings, "encap");
        if (value && strcmp(value, "yes") == 0)
@@ -252,7 +252,7 @@ init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError
                gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(widget), TRUE);
        }
        g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (settings_changed_cb), self);
-       
+
        widget = glade_xml_get_widget (priv->xml, "ipcomp-check");
        value = nm_setting_vpn_get_data_item (settings, "ipcomp");
        if (value && strcmp(value, "yes") == 0)
@@ -288,7 +288,7 @@ update_connection (NMVpnPluginUiWidgetInterface *iface,
        if (!check_validity (self, error))
                return FALSE;
        settings = NM_SETTING_VPN (nm_setting_vpn_new ());
-       
+
        g_object_set (settings, NM_SETTING_VPN_SERVICE_TYPE,
                                  NM_DBUS_SERVICE_STRONGSWAN, NULL);
 
@@ -303,7 +303,7 @@ update_connection (NMVpnPluginUiWidgetInterface *iface,
        if (str) {
                nm_setting_vpn_add_data_item (settings, "certificate", str);
        }
-       
+
        widget = glade_xml_get_widget (priv->xml, "method-combo");
        switch (gtk_combo_box_get_active (GTK_COMBO_BOX (widget)))
        {
@@ -339,15 +339,15 @@ update_connection (NMVpnPluginUiWidgetInterface *iface,
                        break;
        }
        nm_setting_vpn_add_data_item (settings, "method", str);
-       
+
        widget = glade_xml_get_widget (priv->xml, "virtual-check");
        active = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(widget));
        nm_setting_vpn_add_data_item (settings, "virtual", active ? "yes" : "no");
-                            
+
        widget = glade_xml_get_widget (priv->xml, "encap-check");
        active = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(widget));
        nm_setting_vpn_add_data_item (settings, "encap", active ? "yes" : "no");
-                            
+
        widget = glade_xml_get_widget (priv->xml, "ipcomp-check");
        active = gtk_toggle_button_get_active(GTK_TOGGLE_BUTTON(widget));
        nm_setting_vpn_add_data_item (settings, "ipcomp", active ? "yes" : "no");
index 2ebd4bed15767fe282e86024e3c35f8bd55be8f6..e2b66bb157cc444dc7e9b9db6d27727ced953d7f 100644 (file)
@@ -28,7 +28,7 @@ typedef enum
        STRONGSWAN_PLUGIN_UI_ERROR_MISSING_PROPERTY
 } StrongswanPluginUiError;
 
-#define STRONGSWAN_TYPE_PLUGIN_UI_ERROR (strongswan_plugin_ui_error_get_type ()) 
+#define STRONGSWAN_TYPE_PLUGIN_UI_ERROR (strongswan_plugin_ui_error_get_type ())
 GType strongswan_plugin_ui_error_get_type (void);
 
 #define STRONGSWAN_TYPE_PLUGIN_UI            (strongswan_plugin_ui_get_type ())
index 9d1b0b8953b812c9931ba2ed8b612b20be45a0bd..1a35105cfd3be92ef58c9c71bcb3360d098fd6fb 100644 (file)
@@ -29,32 +29,32 @@ struct private_nm_creds_t {
         * public functions
         */
        nm_creds_t public;
-       
+
        /**
         * gateway certificate
         */
        certificate_t *cert;
-       
+
        /**
         * User name
         */
        identification_t *user;
-       
+
        /**
         * User password
         */
        char *pass;
-       
+
        /**
         * users certificate
         */
        certificate_t *usercert;
-       
+
        /**
         * users private key
         */
        private_key_t *key;
-       
+
        /**
         * read/write lock
         */
@@ -68,13 +68,13 @@ static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
                                                        certificate_type_t cert, key_type_t key)
 {
        public_key_t *public;
-       
+
        if (cert != CERT_ANY && cert != this->usercert->get_type(this->usercert))
        {
                return NULL;
        }
        if (key != KEY_ANY)
-       {       
+       {
                public = this->usercert->get_public_key(this->usercert);
                if (!public)
                {
@@ -121,7 +121,7 @@ static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
        if (key != KEY_ANY)
        {
                public_key_t *public;
-       
+
                public = this->cert->get_public_key(this->cert);
                if (!public)
                {
@@ -156,7 +156,7 @@ static enumerator_t* create_private_enumerator(private_nm_creds_t *this,
        if (id && id->get_type(id) != ID_ANY)
        {
                chunk_t keyid;
-               
+
                if (id->get_type(id) != ID_KEY_ID ||
                        !this->key->get_fingerprint(this->key, KEY_ID_PUBKEY_SHA1, &keyid) ||
                        !chunk_equals(keyid, id->get_encoding(id)))
@@ -208,7 +208,7 @@ static void shared_destroy(shared_enumerator_t *this)
 /**
  * Implements credential_set_t.create_cert_enumerator
  */
-static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, 
+static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
                                                        shared_key_type_t type, identification_t *me,
                                                        identification_t *other)
 {
@@ -226,7 +226,7 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
        {
                return NULL;
        }
-       
+
        enumerator = malloc_thing(shared_enumerator_t);
        enumerator->public.enumerate = (void*)shared_enumerate;
        enumerator->public.destroy = (void*)shared_destroy;
@@ -267,7 +267,7 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id
 /**
  * Implementation of nm_creds_t.set_cert_and_key
  */
-static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,    
+static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
                                                         private_key_t *key)
 {
        this->lock->write_lock(this->lock);
@@ -276,7 +276,7 @@ static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
        this->key = key;
        this->usercert = cert;
        this->lock->unlock(this->lock);
-}      
+}
 
 /**
  * Implementation of nm_creds_t.clear
@@ -311,7 +311,7 @@ static void destroy(private_nm_creds_t *this)
 nm_creds_t *nm_creds_create()
 {
        private_nm_creds_t *this = malloc_thing(private_nm_creds_t);
-       
+
        this->public.set.create_private_enumerator = (void*)create_private_enumerator;
        this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
        this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
@@ -322,15 +322,15 @@ nm_creds_t *nm_creds_create()
        this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
        this->public.clear = (void(*)(nm_creds_t*))clear;
        this->public.destroy = (void(*)(nm_creds_t*))destroy;
-       
+
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-       
+
        this->cert = NULL;
        this->user = NULL;
        this->pass = NULL;
        this->usercert = NULL;
        this->key = NULL;
-       
+
        return &this->public;
 }
 
index 421442c81fb4dc225d5083aaafc49e040238ad8c..754fe53dfa4b303d36a4ca7c699ee1ebfab3e571 100644 (file)
@@ -35,14 +35,14 @@ struct nm_creds_t {
         * Implements credential_set_t
         */
        credential_set_t set;
-       
+
        /**
         * Set the trusted gateway certificate to serve by this set.
         *
         * @param cert          certificate to serve
         */
        void (*set_certificate)(nm_creds_t *this, certificate_t *cert);
-       
+
        /**
         * Set the username/password for authentication.
         *
index 026c47af2b6990a16cd85b84b558d441a3b6c465..7b9c10b65062bccf9006d3dc1b9dbb156298a7d7 100644 (file)
@@ -23,17 +23,17 @@ typedef struct private_nm_handler_t private_nm_handler_t;
  * Private data of an nm_handler_t object.
  */
 struct private_nm_handler_t {
-       
+
        /**
         * Public nm_handler_t interface.
         */
        nm_handler_t public;
-       
+
        /**
         * list of received DNS server attributes, pointer to 4 byte data
         */
        linked_list_t *dns;
-       
+
        /**
         * list of received NBNS server attributes, pointer to 4 byte data
         */
@@ -47,7 +47,7 @@ static bool handle(private_nm_handler_t *this, ike_sa_t *ike_sa,
                                   configuration_attribute_type_t type, chunk_t data)
 {
        linked_list_t *list;
-       
+
        switch (type)
        {
                case INTERNAL_IP4_DNS:
@@ -83,7 +83,7 @@ static enumerator_t* create_enumerator(private_nm_handler_t *this,
                                                                           configuration_attribute_type_t type)
 {
        linked_list_t *list;
-       
+
        switch (type)
        {
                case INTERNAL_IP4_DNS:
@@ -105,7 +105,7 @@ static enumerator_t* create_enumerator(private_nm_handler_t *this,
 static void reset(private_nm_handler_t *this)
 {
        void *data;
-       
+
        while (this->dns->remove_last(this->dns, (void**)&data) == SUCCESS)
        {
                free(data);
@@ -133,16 +133,16 @@ static void destroy(private_nm_handler_t *this)
 nm_handler_t *nm_handler_create()
 {
        private_nm_handler_t *this = malloc_thing(private_nm_handler_t);
-       
+
        this->public.handler.handle = (bool(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))handle;
        this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))nop;
        this->public.create_enumerator = (enumerator_t*(*)(nm_handler_t*, configuration_attribute_type_t type))create_enumerator;
        this->public.reset = (void(*)(nm_handler_t*))reset;
        this->public.destroy = (void(*)(nm_handler_t*))destroy;
-       
+
        this->dns = linked_list_create();
        this->nbns = linked_list_create();
-       
+
        return &this->public;
 }
 
index d537bb8de527472c42478c57807030851b70b47f..3904ce1f0f8a3db5e543e77273d274778a6c35c4 100644 (file)
@@ -29,12 +29,12 @@ typedef struct nm_handler_t nm_handler_t;
  * Handles DNS/NBNS attributes to pass to NM.
  */
 struct nm_handler_t {
-       
+
        /**
         * Implements attribute handler interface
         */
        attribute_handler_t handler;
-       
+
        /**
         * Create an enumerator over received attributes of a given kind.
         *
@@ -47,7 +47,7 @@ struct nm_handler_t {
         * Reset state, flush all received attributes.
         */
        void (*reset)(nm_handler_t *this);
-       
+
        /**
         * Destroy a nm_handler_t.
         */
index 1fb46f814335c07f4d5bd6d23ea01418e6e5264e..46cc9c39e04c512de9d1ba67b410975f9c9f97e8 100644 (file)
@@ -34,22 +34,22 @@ struct private_nm_plugin_t {
         * implements plugin interface
         */
        nm_plugin_t public;
-       
+
        /**
         * NetworkManager service (VPNPlugin)
         */
        NMStrongswanPlugin *plugin;
-       
+
        /**
         * Glib main loop for a thread, handles DBUS calls
         */
        GMainLoop *loop;
-       
+
        /**
         * credential set registered at the daemon
         */
        nm_creds_t *creds;
-       
+
        /**
         * attribute handler regeisterd at the daemon
         */
@@ -96,16 +96,16 @@ static void destroy(private_nm_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_nm_plugin_t *this = malloc_thing(private_nm_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        this->loop = NULL;
        g_type_init ();
        if (!g_thread_supported())
        {
                g_thread_init(NULL);
        }
-       
+
        this->creds = nm_creds_create();
        this->handler = nm_handler_create();
        charon->credentials->add_set(charon->credentials, &this->creds->set);
@@ -117,13 +117,13 @@ plugin_t *plugin_create()
                destroy(this);
                return NULL;
        }
-       
+
        /* bypass file permissions to read from users ssh-agent */
        charon->keep_cap(charon, CAP_DAC_OVERRIDE);
-       
-       charon->processor->queue_job(charon->processor, 
+
+       charon->processor->queue_job(charon->processor,
                 (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL));
-       
+
        return &this->public.plugin;
 }
 
index 6aa5561f1a81074b6c982da1bb3c980d53f086a7..d896a432d3d2b22b9b2fd6aa4261241b6e0d68e2 100644 (file)
@@ -59,7 +59,7 @@ static GValue* handler_to_val(nm_handler_t *handler,
        GArray *array;
        enumerator_t *enumerator;
        chunk_t chunk;
-       
+
        enumerator = handler->create_enumerator(handler, type);
        array = g_array_new (FALSE, TRUE, sizeof (guint32));
        while (enumerator->enumerate(enumerator, &chunk))
@@ -70,7 +70,7 @@ static GValue* handler_to_val(nm_handler_t *handler,
        val = g_slice_new0 (GValue);
        g_value_init (val, DBUS_TYPE_G_UINT_ARRAY);
        g_value_set_boxed (val, array);
-       
+
        return val;
 }
 
@@ -84,37 +84,37 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
        GHashTable *config;
        host_t *me, *other;
        nm_handler_t *handler;
-       
+
        config = g_hash_table_new(g_str_hash, g_str_equal);
        me = ike_sa->get_my_host(ike_sa);
        other = ike_sa->get_other_host(ike_sa);
        handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
-       
+
        /* NM requires a tundev, but netkey does not use one. Passing an invalid
         * iface makes NM complain, but it accepts it without fiddling on eth0. */
        val = g_slice_new0 (GValue);
        g_value_init (val, G_TYPE_STRING);
        g_value_set_string (val, "none");
        g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
-       
+
        val = g_slice_new0(GValue);
        g_value_init(val, G_TYPE_UINT);
        g_value_set_uint(val, *(u_int32_t*)me->get_address(me).ptr);
        g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
-       
+
        val = g_slice_new0(GValue);
        g_value_init(val, G_TYPE_UINT);
        g_value_set_uint(val, me->get_address(me).len * 8);
        g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
-       
+
        val = handler_to_val(handler, INTERNAL_IP4_DNS);
        g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
-       
+
        val = handler_to_val(handler, INTERNAL_IP4_NBNS);
        g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NBNS, val);
-       
+
        handler->reset(handler);
-       
+
        nm_vpn_plugin_set_ip4_config(plugin, config);
 }
 
@@ -124,11 +124,11 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
 static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure)
 {
        nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
-       
+
        handler->reset(handler);
-       
+
        /* TODO: NM does not handle this failure!? */
-       nm_vpn_plugin_failure(plugin, failure); 
+       nm_vpn_plugin_failure(plugin, failure);
        nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
 }
 
@@ -139,7 +139,7 @@ static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
                                                         ike_sa_state_t state)
 {
        NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-       
+
        if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
        {
                signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
@@ -155,7 +155,7 @@ static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
                                                           child_sa_t *child_sa, child_sa_state_t state)
 {
        NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-       
+
        if (private->ike_sa == ike_sa && state == CHILD_DESTROYING)
        {
                signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
@@ -171,7 +171,7 @@ static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
                                                 child_sa_t *child_sa, bool up)
 {
        NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-       
+
        if (private->ike_sa == ike_sa)
        {
                if (up)
@@ -195,7 +195,7 @@ static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
 static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
 {
        NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-       
+
        if (private->ike_sa == old)
        {       /* follow a rekeyed IKE_SA */
                private->ike_sa = new;
@@ -232,7 +232,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                        .jitter = 300 /* 5min */
                }
        };
-       
+
        /**
         * Read parameters
         */
@@ -280,12 +280,12 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                        auth_class = AUTH_CLASS_PUBKEY;
                }
        }
-       
+
        /**
         * Register credentials
         */
        priv->creds->clear(priv->creds);
-       
+
        /* gateway/CA cert */
        str = nm_setting_vpn_get_data_item(vpn, "certificate");
        if (str)
@@ -315,7 +315,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                gateway = gateway->clone(gateway);
                DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
        }
-       
+
        if (auth_class == AUTH_CLASS_EAP)
        {
                /* username/password authentication ... */
@@ -327,7 +327,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                        priv->creds->set_username_password(priv->creds, user, (char*)str);
                }
        }
-       
+
        if (auth_class == AUTH_CLASS_PUBKEY)
        {
                /* ... or certificate/private key authenitcation */
@@ -336,7 +336,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                {
                        public_key_t *public;
                        private_key_t *private = NULL;
-                       
+
                        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                                          BUILD_FROM_FILE, str, BUILD_END);
                        if (!cert)
@@ -347,7 +347,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                                gateway->destroy(gateway);
                                return FALSE;
                        }
-                       /* try agent */  
+                       /* try agent */
                        str = nm_setting_vpn_get_secret(vpn, "agent");
                        if (agent && str)
                        {
@@ -368,12 +368,12 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                                                                "Connecting to SSH agent failed.");
                                }
                        }
-                       /* ... or key file */  
+                       /* ... or key file */
                        str = nm_setting_vpn_get_data_item(vpn, "userkey");
                        if (!agent && str)
                        {
                                chunk_t secret;
-                               
+
                                secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
                                if (secret.ptr)
                                {
@@ -403,7 +403,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                        }
                }
        }
-       
+
        if (!user)
        {
                g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
@@ -411,7 +411,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                gateway->destroy(gateway);
                return FALSE;
        }
-       
+
        /**
         * Set up configurations
         */
@@ -432,7 +432,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
        auth->add(auth, AUTH_RULE_IDENTITY, gateway);
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-       
+
        child_cfg = child_cfg_create(priv->name, &lifetime,
                                                                 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
                                                                 ACTION_NONE, ACTION_NONE, ipcomp);
@@ -444,7 +444,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                                                                                         "255.255.255.255", 65535);
        child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
        peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-       
+
        /**
         * Prepare IKE_SA
         */
@@ -458,7 +458,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        {
                peer_cfg->destroy(peer_cfg);
        }
-       
+
        /**
         * Register listener, enable  initiate-failure-detection hooks
         */
@@ -466,7 +466,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        priv->listener.ike_state_change = ike_state_change;
        priv->listener.child_state_change = child_state_change;
        charon->bus->add_listener(charon->bus, &priv->listener);
-       
+
        /**
         * Initiate
         */
@@ -474,7 +474,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        {
                charon->bus->remove_listener(charon->bus, &priv->listener);
                charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-               
+
                g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
                                    "Initiating failed.");
                return FALSE;
@@ -484,14 +484,14 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 }
 
 /**
- * NeedSecrets called from NM via DBUS 
+ * NeedSecrets called from NM via DBUS
  */
 static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
                                                         char **setting_name, GError **error)
 {
        NMSettingVPN *settings;
        const char *method, *path;
-       
+
        settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
                                                                                                                NM_TYPE_SETTING_VPN));
        method = nm_setting_vpn_get_data_item(settings, "method");
@@ -518,7 +518,7 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
                        {
                                private_key_t *key;
                                chunk_t secret;
-                               
+
                                secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
                                if (secret.ptr)
                                {
@@ -541,7 +541,7 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 }
 
 /**
- * Disconnect called from NM via DBUS 
+ * Disconnect called from NM via DBUS
  */
 static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
 {
@@ -549,7 +549,7 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
        enumerator_t *enumerator;
        ike_sa_t *ike_sa;
        u_int id;
-       
+
        /* our ike_sa pointer might be invalid, lookup sa */
        enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
        while (enumerator->enumerate(enumerator, &ike_sa))
@@ -564,7 +564,7 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_GENERAL,
                                "Connection not found.");
        return FALSE;
@@ -576,7 +576,7 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
 static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
 {
        NMStrongswanPluginPrivate *priv;
-       
+
        priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
        priv->plugin = NM_VPN_PLUGIN(plugin);
        memset(&priv->listener.log, 0, sizeof(listener_t));
@@ -591,7 +591,7 @@ static void nm_strongswan_plugin_class_init(
                                                                        NMStrongswanPluginClass *strongswan_class)
 {
        NMVPNPluginClass *parent_class = NM_VPN_PLUGIN_CLASS(strongswan_class);
-       
+
        g_type_class_add_private(G_OBJECT_CLASS(strongswan_class),
                                                         sizeof(NMStrongswanPluginPrivate));
        parent_class->connect = connect_;
@@ -612,7 +612,7 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
        if (plugin)
        {
                NMStrongswanPluginPrivate *priv;
-               
+
                priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
                priv->creds = creds;
                priv->handler = handler;
index 749cfbc5bf75bf87ea74318f9395241aef92f344..47e04416c0578426e53f4d94e0faca19bb14f0c6 100644 (file)
@@ -26,17 +26,17 @@ typedef struct private_resolv_conf_handler_t private_resolv_conf_handler_t;
  * Private data of an resolv_conf_handler_t object.
  */
 struct private_resolv_conf_handler_t {
-       
+
        /**
         * Public resolv_conf_handler_t interface.
         */
        resolv_conf_handler_t public;
-       
+
        /**
         * resolv.conf file to use
         */
        char *file;
-       
+
        /**
         * Mutex to access file exclusively
         */
@@ -55,7 +55,7 @@ static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
        int family;
        size_t len;
        bool handled = FALSE;
-       
+
        switch (type)
        {
                case INTERNAL_IP4_DNS:
@@ -67,9 +67,9 @@ static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
                default:
                        return FALSE;
        }
-       
+
        this->mutex->lock(this->mutex);
-       
+
        in = fopen(this->file, "r");
        /* allows us to stream from in to out */
        unlink(this->file);
@@ -82,7 +82,7 @@ static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
                DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
                addr->destroy(addr);
                handled = TRUE;
-               
+
                /* copy rest of the file */
                if (in)
                {
@@ -94,7 +94,7 @@ static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
                }
                fclose(out);
        }
-       
+
        if (!handled)
        {
                DBG1(DBG_IKE, "adding DNS server failed", this->file);
@@ -113,7 +113,7 @@ static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
        char line[1024], matcher[512], *pos;
        host_t *addr;
        int family;
-       
+
        switch (type)
        {
                case INTERNAL_IP4_DNS:
@@ -125,9 +125,9 @@ static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
                default:
                        return;
        }
-       
+
        this->mutex->lock(this->mutex);
-       
+
        in = fopen(this->file, "r");
        if (in)
        {
@@ -140,7 +140,7 @@ static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
                        snprintf(matcher, sizeof(matcher),
                                         "nameserver %H   # by strongSwan, from %Y\n",
                                         addr, ike_sa->get_other_id(ike_sa));
-                       
+
                        /* copy all, but matching line */
                        while ((pos = fgets(line, sizeof(line), in)))
                        {
@@ -159,7 +159,7 @@ static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
                }
                fclose(in);
        }
-       
+
        this->mutex->unlock(this->mutex);
 }
 
@@ -178,15 +178,15 @@ static void destroy(private_resolv_conf_handler_t *this)
 resolv_conf_handler_t *resolv_conf_handler_create()
 {
        private_resolv_conf_handler_t *this = malloc_thing(private_resolv_conf_handler_t);
-       
+
        this->public.handler.handle = (bool(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))handle;
        this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))release;
        this->public.destroy = (void(*)(resolv_conf_handler_t*))destroy;
-       
+
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
        this->file = lib->settings->get_str(lib->settings,
                                                                "charon.plugins.resolv-conf.file", RESOLV_CONF);
-       
+
        return &this->public;
 }
 
index 2635bb802f09b59d109fd009fca91354b89dd0b7..5aa17cadadda7230124e09201455cd37b4a035e2 100644 (file)
@@ -29,12 +29,12 @@ typedef struct resolv_conf_handler_t resolv_conf_handler_t;
  * Handle DNS configuration attributes by mangling a resolv.conf file.
  */
 struct resolv_conf_handler_t {
-       
+
        /**
         * Implements the attribute_handler_t interface
         */
        attribute_handler_t handler;
-       
+
        /**
         * Destroy a resolv_conf_handler_t.
         */
index ff9d96eb34ff78d9953076d0543301faead44607..418820115bdd28f1205e0b012debcf690f0f0fc8 100644 (file)
@@ -29,7 +29,7 @@ struct private_resolv_conf_plugin_t {
         * implements plugin interface
         */
        resolv_conf_plugin_t public;
-       
+
        /**
         * The registerd DNS attribute handler
         */
@@ -53,12 +53,12 @@ static void destroy(private_resolv_conf_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_resolv_conf_plugin_t *this = malloc_thing(private_resolv_conf_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        this->handler = resolv_conf_handler_create();
        charon->attributes->add_handler(charon->attributes, &this->handler->handler);
-       
+
        return &this->public.plugin;
 }
 
index f5943d9a318ba70af6996245e600cb33df953d24..7cbeab86cf6e3b312ef2251f66c04f60d408d8ba 100644 (file)
@@ -32,7 +32,7 @@ typedef struct resolv_conf_plugin_t resolv_conf_plugin_t;
  * Plugin that writes received DNS servers in a resolv.conf file.
  */
 struct resolv_conf_plugin_t {
-       
+
        /**
         * implements plugin interface
         */
index 562add06d31f378e3c1873c553a7b854da39568f..8a4c27ce05d8b8863ec3312331b78b29188e2528 100644 (file)
@@ -44,12 +44,12 @@ struct private_smp_t {
         * Public part of smp_t object.
         */
        smp_t public;
-       
+
        /**
         * XML unix socket fd
         */
        int socket;
-       
+
        /**
         * job accepting stroke messages
         */
@@ -146,7 +146,7 @@ static void write_networks(xmlTextWriterPtr writer, char *element,
 {
        enumerator_t *enumerator;
        traffic_selector_t *ts;
-       
+
        xmlTextWriterStartElement(writer, element);
        enumerator = list->create_enumerator(list);
        while (enumerator->enumerate(enumerator, (void**)&ts))
@@ -167,26 +167,26 @@ static void write_networks(xmlTextWriterPtr writer, char *element,
 static void write_childend(xmlTextWriterPtr writer, child_sa_t *child, bool local)
 {
        linked_list_t *list;
-       
-       xmlTextWriterWriteFormatElement(writer, "spi", "%lx", 
+
+       xmlTextWriterWriteFormatElement(writer, "spi", "%lx",
                                                                        htonl(child->get_spi(child, local)));
        list = child->get_traffic_selectors(child, local);
        write_networks(writer, "networks", list);
 }
 
 /**
- * write a child_sa_t 
+ * write a child_sa_t
  */
 static void write_child(xmlTextWriterPtr writer, child_sa_t *child)
 {
        child_cfg_t *config;
-       
+
        config = child->get_config(child);
 
        xmlTextWriterStartElement(writer, "childsa");
        xmlTextWriterWriteFormatElement(writer, "reqid", "%d",
                                                                        child->get_reqid(child));
-       xmlTextWriterWriteFormatElement(writer, "childconfig", "%s", 
+       xmlTextWriterWriteFormatElement(writer, "childconfig", "%s",
                                                                        config->get_name(config));
        xmlTextWriterStartElement(writer, "local");
        write_childend(writer, child, TRUE);
@@ -207,7 +207,7 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
 
        /* <ikesalist> */
        xmlTextWriterStartElement(writer, "ikesalist");
-       
+
        enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
        while (enumerator->enumerate(enumerator, &ike_sa))
        {
@@ -215,18 +215,18 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
                host_t *local, *remote;
                iterator_t *children;
                child_sa_t *child_sa;
-               
+
                id = ike_sa->get_id(ike_sa);
-               
+
                xmlTextWriterStartElement(writer, "ikesa");
                xmlTextWriterWriteFormatElement(writer, "id", "%d",
                                                        ike_sa->get_unique_id(ike_sa));
-               xmlTextWriterWriteFormatElement(writer, "status", "%N", 
+               xmlTextWriterWriteFormatElement(writer, "status", "%N",
                                                        ike_sa_state_lower_names, ike_sa->get_state(ike_sa));
                xmlTextWriterWriteElement(writer, "role",
                                                        id->is_initiator(id) ? "initiator" : "responder");
                xmlTextWriterWriteElement(writer, "peerconfig", ike_sa->get_name(ike_sa));
-               
+
                /* <local> */
                local = ike_sa->get_my_host(ike_sa);
                xmlTextWriterStartElement(writer, "local");
@@ -243,7 +243,7 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
                }
                xmlTextWriterEndElement(writer);
                /* </local> */
-               
+
                /* <remote> */
                remote = ike_sa->get_other_host(ike_sa);
                xmlTextWriterStartElement(writer, "remote");
@@ -259,8 +259,8 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
                        write_bool(writer, "nat", ike_sa->has_condition(ike_sa, COND_NAT_THERE));
                }
                xmlTextWriterEndElement(writer);
-               /* </remote> */         
-               
+               /* </remote> */
+
                /* <childsalist> */
                xmlTextWriterStartElement(writer, "childsalist");
                children = ike_sa->create_child_sa_iterator(ike_sa);
@@ -270,13 +270,13 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
                }
                children->destroy(children);
                /* </childsalist> */
-               xmlTextWriterEndElement(writer);                
-               
+               xmlTextWriterEndElement(writer);
+
                /* </ikesa> */
                xmlTextWriterEndElement(writer);
        }
        enumerator->destroy(enumerator);
-       
+
        /* </ikesalist> */
        xmlTextWriterEndElement(writer);
 }
@@ -291,7 +291,7 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
 
        /* <configlist> */
        xmlTextWriterStartElement(writer, "configlist");
-       
+
        enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
                                                                                                                NULL, NULL, NULL, NULL);
        while (enumerator->enumerate(enumerator, &peer_cfg))
@@ -300,18 +300,18 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
                child_cfg_t *child_cfg;
                ike_cfg_t *ike_cfg;
                linked_list_t *list;
-               
+
                if (peer_cfg->get_ike_version(peer_cfg) != 2)
                {       /* only IKEv2 connections yet */
                        continue;
                }
-               
+
                /* <peerconfig> */
                xmlTextWriterStartElement(writer, "peerconfig");
                xmlTextWriterWriteElement(writer, "name", peer_cfg->get_name(peer_cfg));
-               
+
                /* TODO: write auth_cfgs */
-               
+
                /* <ikeconfig> */
                ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
                xmlTextWriterStartElement(writer, "ikeconfig");
@@ -319,14 +319,14 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
                xmlTextWriterWriteElement(writer, "remote", ike_cfg->get_other_addr(ike_cfg));
                xmlTextWriterEndElement(writer);
                /* </ikeconfig> */
-               
+
                /* <childconfiglist> */
                xmlTextWriterStartElement(writer, "childconfiglist");
                children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
                while (children->enumerate(children, &child_cfg))
                {
                        /* <childconfig> */
-                       xmlTextWriterStartElement(writer, "childconfig");               
+                       xmlTextWriterStartElement(writer, "childconfig");
                        xmlTextWriterWriteElement(writer, "name",
                                                                          child_cfg->get_name(child_cfg));
                        list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
@@ -334,7 +334,7 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
                        list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
                        list = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
                        write_networks(writer, "remote", list);
-                       list->destroy_offset(list, offsetof(traffic_selector_t, destroy));              
+                       list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
                        xmlTextWriterEndElement(writer);
                        /* </childconfig> */
                }
@@ -342,7 +342,7 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
                /* </childconfiglist> */
                xmlTextWriterEndElement(writer);
                /* </peerconfig> */
-               xmlTextWriterEndElement(writer);        
+               xmlTextWriterEndElement(writer);
        }
        enumerator->destroy(enumerator);
        /* </configlist> */
@@ -381,7 +381,7 @@ static void request_control_terminate(xmlTextReaderPtr reader,
                const char *str;
                u_int32_t id;
                status_t status;
-       
+
                str = xmlTextReaderConstValue(reader);
                if (str == NULL)
                {
@@ -393,7 +393,7 @@ static void request_control_terminate(xmlTextReaderPtr reader,
                {
                        enumerator_t *enumerator;
                        ike_sa_t *ike_sa;
-               
+
                        enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
                        while (enumerator->enumerate(enumerator, &ike_sa))
                        {
@@ -411,21 +411,21 @@ static void request_control_terminate(xmlTextReaderPtr reader,
                        DBG1(DBG_CFG, "error parsing XML id string");
                        return;
                }
-               
+
                DBG1(DBG_CFG, "terminating %s_SA %d", ike ? "IKE" : "CHILD", id);
-               
+
                /* <log> */
                xmlTextWriterStartElement(writer, "log");
                if (ike)
                {
                        status = charon->controller->terminate_ike(
-                                       charon->controller,     id, 
+                                       charon->controller,     id,
                                        (controller_cb_t)xml_callback, writer);
                }
                else
                {
                        status = charon->controller->terminate_child(
-                                       charon->controller,     id, 
+                                       charon->controller,     id,
                                        (controller_cb_t)xml_callback, writer);
                }
                /* </log> */
@@ -448,7 +448,7 @@ static void request_control_initiate(xmlTextReaderPtr reader,
                peer_cfg_t *peer;
                child_cfg_t *child = NULL;
                enumerator_t *enumerator;
-                       
+
                str = xmlTextReaderConstValue(reader);
                if (str == NULL)
                {
@@ -456,7 +456,7 @@ static void request_control_initiate(xmlTextReaderPtr reader,
                        return;
                }
                DBG1(DBG_CFG, "initiating %s_SA %s", ike ? "IKE" : "CHILD", str);
-               
+
                /* <log> */
                xmlTextWriterStartElement(writer, "log");
                peer = charon->backends->get_peer_cfg_by_name(charon->backends, (char*)str);
@@ -571,7 +571,7 @@ static void request_control(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
 static void request(xmlTextReaderPtr reader, char *id, int fd)
 {
        xmlTextWriterPtr writer;
-       
+
        writer = xmlNewTextWriter(xmlOutputBufferCreateFd(fd, NULL));
        if (writer == NULL)
        {
@@ -627,7 +627,7 @@ static job_requeue_t process(int *fdp)
        size_t len;
        xmlTextReaderPtr reader;
        char *id = NULL, *type = NULL;
-       
+
        pthread_cleanup_push((void*)closefdp, (void*)&fd);
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
        len = read(fd, buffer, sizeof(buffer));
@@ -640,14 +640,14 @@ static job_requeue_t process(int *fdp)
                return JOB_REQUEUE_NONE;
        }
        DBG3(DBG_CFG, "got XML request: %b", buffer, len);
-       
+
        reader = xmlReaderForMemory(buffer, len, NULL, NULL, 0);
        if (reader == NULL)
        {
                DBG1(DBG_CFG, "opening SMP XML reader failed");
                return JOB_REQUEUE_FAIR;;
        }
-       
+
        /* read message type and id */
     while (xmlTextReaderRead(reader))
     {
@@ -659,7 +659,7 @@ static job_requeue_t process(int *fdp)
                        break;
                }
     }
-    
+
     /* process message */
     if (id && type)
        {
@@ -684,24 +684,24 @@ static job_requeue_t dispatch(private_smp_t *this)
        struct sockaddr_un strokeaddr;
        int oldstate, fd, *fdp, strokeaddrlen = sizeof(strokeaddr);
        callback_job_t *job;
-       
+
        /* wait for connections, but allow thread to terminate */
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
        fd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
        pthread_setcancelstate(oldstate, NULL);
-       
+
        if (fd < 0)
        {
                DBG1(DBG_CFG, "accepting SMP XML socket failed: %s", strerror(errno));
                sleep(1);
                return JOB_REQUEUE_FAIR;;
        }
-       
+
        fdp = malloc_thing(int);
        *fdp = fd;
        job = callback_job_create((callback_job_cb_t)process, fdp, free, this->job);
        charon->processor->queue_job(charon->processor, (job_t*)job);
-       
+
        return JOB_REQUEUE_DIRECT;
 }
 
@@ -725,7 +725,7 @@ plugin_t *plugin_create()
        mode_t old;
 
        this->public.plugin.destroy = (void (*)(plugin_t*))destroy;
-       
+
        /* set up unix socket */
        this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
        if (this->socket == -1)
@@ -734,7 +734,7 @@ plugin_t *plugin_create()
                free(this);
                return NULL;
        }
-       
+
        unlink(unix_addr.sun_path);
        old = umask(~(S_IRWXU | S_IRWXG));
        if (bind(this->socket, (struct sockaddr *)&unix_addr, sizeof(unix_addr)) < 0)
@@ -749,7 +749,7 @@ plugin_t *plugin_create()
        {
                DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
        }
-       
+
        if (listen(this->socket, 5) < 0)
        {
                DBG1(DBG_CFG, "could not listen on XML socket: %s", strerror(errno));
@@ -760,7 +760,7 @@ plugin_t *plugin_create()
 
        this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        return &this->public.plugin;
 }
 
index ef119c9664e5b687826d625ca59bd160d31f87c0..c029dea24efab18be0a167dd0e0ae1a0425348d3 100644 (file)
@@ -43,7 +43,7 @@ static u_int get_pool_size(chunk_t start, chunk_t end)
 
        if (start.len < sizeof(u_int) || end.len < sizeof(u_int))
        {
-               return 0;       
+               return 0;
        }
        start_ptr = (u_int*)(start.ptr + start.len - sizeof(u_int));
        end_ptr = (u_int*)(end.ptr + end.len - sizeof(u_int));
@@ -103,7 +103,7 @@ static void status(void)
 {
        enumerator_t *pool, *lease;
        bool found = FALSE;
-       
+
        pool = db->query(db, "SELECT id, name, start, end, timeout FROM pools",
                                         DB_INT, DB_TEXT, DB_BLOB, DB_BLOB, DB_UINT);
        if (pool)
@@ -112,7 +112,7 @@ static void status(void)
                chunk_t start_chunk, end_chunk;
                host_t *start, *end;
                u_int id, timeout, online = 0, used = 0, size = 0;
-       
+
                while (pool->enumerate(pool, &id, &name,
                                                           &start_chunk, &end_chunk, &timeout))
                {
@@ -122,7 +122,7 @@ static void status(void)
                                           "end", "timeout", "size", "online", "usage");
                                found = TRUE;
                        }
-                       
+
                        start = host_create_from_chunk(AF_UNSPEC, start_chunk, 0);
                        end = host_create_from_chunk(AF_UNSPEC, end_chunk, 0);
                        size = get_pool_size(start_chunk, end_chunk);
@@ -159,7 +159,7 @@ static void status(void)
                                lease->destroy(lease);
                        }
                        printf("%5d (%2d%%) ", used, used*100/size);
-                       
+
                        printf("\n");
                        DESTROY_IF(start);
                        DESTROY_IF(end);
@@ -180,7 +180,7 @@ static void add(char *name, host_t *start, host_t *end, int timeout)
 {
        chunk_t start_addr, end_addr, cur_addr;
        u_int id, count;
-       
+
        start_addr = start->get_address(start);
        end_addr = end->get_address(end);
        cur_addr = chunk_clonea(start_addr);
@@ -224,7 +224,7 @@ static void add(char *name, host_t *start, host_t *end, int timeout)
                db->execute(db, NULL, "END TRANSACTION");
        }
        printf("done.\n", count);
-       
+
        exit(0);
 }
 
@@ -236,7 +236,7 @@ static void del(char *name)
        enumerator_t *query;
        u_int id;
        bool found = FALSE;
-       
+
        query = db->query(db, "SELECT id FROM pools WHERE name = ?",
                                          DB_TEXT, name, DB_UINT);
        if (!query)
@@ -277,9 +277,9 @@ static void resize(char *name, host_t *end)
        enumerator_t *query;
        chunk_t old_addr, new_addr, cur_addr;
        u_int id, count;
-       
+
        new_addr = end->get_address(end);
-       
+
        query = db->query(db, "SELECT id, end FROM pools WHERE name = ?",
                                          DB_TEXT, name, DB_UINT, DB_BLOB);
        if (!query || !query->enumerate(query, &id, &old_addr))
@@ -306,7 +306,7 @@ static void resize(char *name, host_t *end)
                fprintf(stderr, "pool '%s' not found.\n", name);
                exit(-1);
        }
-       
+
        printf("allocating %d new addresses... ", count);
        fflush(stdout);
        if (db->get_driver(db) == DB_SQLITE)
@@ -326,7 +326,7 @@ static void resize(char *name, host_t *end)
                db->execute(db, NULL, "END TRANSACTION");
        }
        printf("done.\n", count);
-       
+
        exit(0);
 }
 
@@ -356,7 +356,7 @@ static enumerator_t *create_lease_query(char *filter)
                [FIL_STATE] = "status",
                NULL
        };
-       
+
        /* if the filter string contains a distinguished name as a ID, we replace
         * ", " by "/ " in order to not confuse the getsubopt parser */
        pos = filter;
@@ -368,7 +368,7 @@ static enumerator_t *create_lease_query(char *filter)
                }
                pos++;
        }
-       
+
        while (filter && *filter != '\0')
        {
                switch (getsubopt(&filter, token, &value))
@@ -493,7 +493,7 @@ static void leases(char *filter, bool utc)
        host_t *address;
        identification_t *identity;
        bool found = FALSE;
-       
+
        query = create_lease_query(filter);
        if (!query)
        {
@@ -513,7 +513,7 @@ static void leases(char *filter, bool utc)
                }
                address = host_create_from_chunk(AF_UNSPEC, address_chunk, 0);
                identity = identification_create_from_encoding(identity_type, identity_chunk);
-               
+
                printf("%-8s %-15H ", name, address);
                if (released == 0)
                {
@@ -531,7 +531,7 @@ static void leases(char *filter, bool utc)
                {
                        printf("%-7s ", "expired");
                }
-               
+
                printf(" %T  ", &acquired, utc);
                if (released)
                {
@@ -564,7 +564,7 @@ static void leases(char *filter, bool utc)
 static void purge(char *name)
 {
        int purged = 0;
-       
+
        purged = db->execute(db, NULL,
                                "DELETE FROM leases WHERE address IN ("
                                " SELECT id FROM addresses WHERE pool IN ("
@@ -595,7 +595,7 @@ static void cleanup(void)
 static void dbg_stderr(int level, char *fmt, ...)
 {
        va_list args;
-       
+
        if (level <= 1)
        {
                va_start(args, fmt);
@@ -639,7 +639,7 @@ int main(int argc, char *argv[])
        {
                exit(SS_RC_INITIALIZATION_FAILED);
        }
-       
+
        uri = lib->settings->get_str(lib->settings, "charon.plugins.sql.database", NULL);
        if (!uri)
        {
@@ -653,14 +653,14 @@ int main(int argc, char *argv[])
                exit(SS_RC_INITIALIZATION_FAILED);
        }
        atexit(cleanup);
-       
+
        while (TRUE)
        {
                int c;
-               
+
                struct option long_opts[] = {
                        { "help", no_argument, NULL, 'h' },
-               
+
                        { "utc", no_argument, NULL, 'u' },
                        { "status", no_argument, NULL, 'w' },
                        { "add", required_argument, NULL, 'a' },
@@ -668,14 +668,14 @@ int main(int argc, char *argv[])
                        { "resize", required_argument, NULL, 'r' },
                        { "leases", no_argument, NULL, 'l' },
                        { "purge", required_argument, NULL, 'p' },
-                       
+
                        { "start", required_argument, NULL, 's' },
                        { "end", required_argument, NULL, 'e' },
                        { "timeout", required_argument, NULL, 't' },
                        { "filter", required_argument, NULL, 'f' },
                        { 0,0,0,0 }
                };
-               
+
                c = getopt_long(argc, argv, "", long_opts, NULL);
                switch (c)
                {
@@ -744,7 +744,7 @@ int main(int argc, char *argv[])
                }
                break;
        }
-       
+
        switch (operation)
        {
                case OP_USAGE:
index 77601e6126fab8f8aabefce4165582d5009caef0..9045f7739ea55a08f47bcacf403c45210809d39c 100644 (file)
@@ -30,12 +30,12 @@ struct private_sql_attribute_t {
         * public functions
         */
        sql_attribute_t public;
-       
+
        /**
         * database connection
         */
        database_t *db;
-       
+
        /**
         * wheter to record lease history in lease table
         */
@@ -49,13 +49,13 @@ static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
 {
        enumerator_t *e;
        u_int row;
-       
+
        /* look for peer identity in the identities table */
        e = this->db->query(this->db,
                                                "SELECT id FROM identities WHERE type = ? AND data = ?",
                                                DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
                                                DB_UINT);
-                                               
+
        if (e && e->enumerate(e, &row))
        {
                e->destroy(e);
@@ -111,7 +111,7 @@ static host_t* check_lease(private_sql_attribute_t *this, char *name,
                if (!e || !e->enumerate(e, &id, &address))
                {
                        DESTROY_IF(e);
-                       break;  
+                       break;
                }
                address = chunk_clonea(address);
                e->destroy(e);
@@ -172,11 +172,11 @@ static host_t* get_lease(private_sql_attribute_t *this, char *name,
                if (!e || !e->enumerate(e, &id, &address))
                {
                        DESTROY_IF(e);
-                       break;  
+                       break;
                }
                address = chunk_clonea(address);
                e->destroy(e);
-                       
+
                if (timeout)
                {
                        hits = this->db->execute(this->db, NULL,
@@ -290,12 +290,12 @@ static bool release_address(private_sql_attribute_t *this,
        enumerator_t *enumerator;
        bool found = FALSE;
        time_t now = time(NULL);
-       
+
        enumerator = enumerator_create_token(name, ",", " ");
        while (enumerator->enumerate(enumerator, &name))
        {
                u_int pool, timeout;
-               
+
                pool = get_pool(this, name, &timeout);
                if (pool)
                {
@@ -337,16 +337,16 @@ sql_attribute_t *sql_attribute_create(database_t *db)
 {
        private_sql_attribute_t *this = malloc_thing(private_sql_attribute_t);
        time_t now = time(NULL);
-       
+
        this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))acquire_address;
        this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
        this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))enumerator_create_empty;
        this->public.destroy = (void(*)(sql_attribute_t*))destroy;
-       
+
        this->db = db;
        this->history = lib->settings->get_bool(lib->settings,
                                                                        "charon.plugins.sql.lease_history", TRUE);
-       
+
        /* close any "online" leases in the case we crashed */
        if (this->history)
        {
index 23700dea980b15097b6232b194f05233992a6357..6d4958d3292ec71436da08d45d1eda60bea38a02 100644 (file)
@@ -34,7 +34,7 @@ struct sql_attribute_t {
         * Implements attribute provider interface
         */
        attribute_provider_t provider;
-       
+
        /**
      * Destroy a sql_attribute instance.
      */
index 67b5c3b64d0862ddf9454932a6e222b3d9bbb566..7c76c572d59f86ea5f0b2532d95ce943d3fe193d 100644 (file)
@@ -30,7 +30,7 @@ struct private_sql_config_t {
         * Public part
         */
        sql_config_t public;
-       
+
        /**
         * database connection
         */
@@ -58,7 +58,7 @@ static traffic_selector_t *build_traffic_selector(private_sql_config_t *this,
                TS_LOCAL_DYNAMIC = 2,
                TS_REMOTE_DYNAMIC = 3,
        } kind;
-       
+
        while (e->enumerate(e, &kind, &type, &protocol,
                                                &start_addr, &end_addr, &start_port, &end_port))
        {
@@ -99,7 +99,7 @@ static void add_traffic_selectors(private_sql_config_t *this,
        enumerator_t *e;
        traffic_selector_t *ts;
        bool local;
-       
+
        e = this->db->query(this->db,
                        "SELECT kind, type, protocol, "
                        "start_addr, end_addr, start_port, end_port "
@@ -126,8 +126,8 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e)
        int id, lifetime, rekeytime, jitter, hostaccess, mode, dpd, close, ipcomp;
        char *name, *updown;
        child_cfg_t *child_cfg;
-       
-       if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, 
+
+       if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter,
                                                &updown, &hostaccess, &mode, &dpd, &close, &ipcomp))
        {
                lifetime_cfg_t lft = {
@@ -150,7 +150,7 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id)
 {
        enumerator_t *e;
        child_cfg_t *child_cfg;
-       
+
        e = this->db->query(this->db,
                        "SELECT id, name, lifetime, rekeytime, jitter, "
                        "updown, hostaccess, mode, dpd_action, close_action, ipcomp "
@@ -177,11 +177,11 @@ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
 {
        int certreq, force_encap;
        char *local, *remote;
-       
+
        while (e->enumerate(e, &certreq, &force_encap, &local, &remote))
        {
                ike_cfg_t *ike_cfg;
-               
+
                ike_cfg = ike_cfg_create(certreq, force_encap, local, remote);
                /* TODO: read proposal from db */
                ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
@@ -197,7 +197,7 @@ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id)
 {
        enumerator_t *e;
        ike_cfg_t *ike_cfg = NULL;
-       
+
        e = this->db->query(this->db,
                        "SELECT certreq, force_encap, local, remote "
                        "FROM ike_configs WHERE id = ?",
@@ -218,7 +218,7 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id)
 {
        enumerator_t *e;
        peer_cfg_t *peer_cfg = NULL;
-       
+
        e = this->db->query(this->db,
                        "SELECT c.id, name, ike_cfg, l.type, l.data, r.type, r.data, "
                        "cert_policy, uniqueid, auth_method, eap_type, eap_vendor, "
@@ -232,8 +232,8 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id)
                        "WHERE id = ?",
                        DB_INT, id,
                        DB_INT, DB_TEXT, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB,
-                       DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, 
-                       DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, 
+                       DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
+                       DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT,
                        DB_INT, DB_TEXT, DB_TEXT,
                        DB_INT, DB_INT, DB_INT, DB_BLOB);
        if (e)
@@ -256,11 +256,11 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
                mediation, mediated_by, p_type;
        chunk_t l_data, r_data, p_data;
        char *name, *virtual, *pool;
-       
+
        while (e->enumerate(e,
                        &id, &name, &ike_cfg, &l_type, &l_data, &r_type, &r_data,
                        &cert_policy, &uniqueid, &auth_method, &eap_type, &eap_vendor,
-                       &keyingtries, &rekeytime, &reauthtime, &jitter, &overtime, &mobike, 
+                       &keyingtries, &rekeytime, &reauthtime, &jitter, &overtime, &mobike,
                        &dpd_delay,     &virtual, &pool,
                        &mediation, &mediated_by, &p_type, &p_data))
        {
@@ -269,7 +269,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
                ike_cfg_t *ike;
                host_t *vip = NULL;
                auth_cfg_t *auth;
-               
+
                local_id = identification_create_from_encoding(l_type, l_data);
                remote_id = identification_create_from_encoding(r_type, r_data);
                if ((me && !me->matches(me, local_id)) ||
@@ -331,7 +331,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_sql_config_t *this, char *name)
 {
        enumerator_t *e;
        peer_cfg_t *peer_cfg = NULL;
-       
+
        e = this->db->query(this->db,
                        "SELECT c.id, name, ike_cfg, l.type, l.data, r.type, r.data, "
                        "cert_policy, uniqueid, auth_method, eap_type, eap_vendor, "
@@ -404,14 +404,14 @@ static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this,
                                                                                           host_t *me, host_t *other)
 {
        ike_enumerator_t *e = malloc_thing(ike_enumerator_t);
-       
+
        e->this = this;
        e->me = me;
        e->other = other;
        e->current = NULL;
        e->public.enumerate = (void*)ike_enumerator_enumerate;
        e->public.destroy = (void*)ike_enumerator_destroy;
-       
+
        e->inner = this->db->query(this->db,
                        "SELECT certreq, force_encap, local, remote "
                        "FROM ike_configs",
@@ -473,7 +473,7 @@ static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this,
                                                                                                identification_t *other)
 {
        peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
-       
+
        e->this = this;
        e->me = me;
        e->other = other;
@@ -526,9 +526,9 @@ sql_config_t *sql_config_create(database_t *db)
        this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
        this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
        this->public.destroy = (void(*)(sql_config_t*))destroy;
-       
+
        this->db = db;
-       
+
        return &this->public;
 }
 
index abc6ef3823ec62c476ef6b46c4f15d3dfc3c9119..700d00a9712f7306fb3e82fa2527fe8e5f20203b 100644 (file)
@@ -35,11 +35,11 @@ struct sql_config_t {
         * Implements backend_t interface
         */
        backend_t backend;
-       
+
        /**
         * Destry the backend.
         */
-       void (*destroy)(sql_config_t *this);    
+       void (*destroy)(sql_config_t *this);
 };
 
 /**
index f8b7a35c12a1d64d1bdda9d914e62562b4490f84..12f4ab04525453391f808315d5114dc578c534e6 100644 (file)
@@ -30,7 +30,7 @@ struct private_sql_cred_t {
         * Public part
         */
        sql_cred_t public;
-       
+
        /**
         * database connection
         */
@@ -92,7 +92,7 @@ static enumerator_t* create_private_enumerator(private_sql_cred_t *this,
                                                                                           identification_t *id)
 {
        private_enumerator_t *e;
-       
+
        e = malloc_thing(private_enumerator_t);
        e->current = NULL;
        e->public.enumerate = (void*)private_enumerator_enumerate;
@@ -178,7 +178,7 @@ static enumerator_t* create_cert_enumerator(private_sql_cred_t *this,
                                                                                identification_t *id, bool trusted)
 {
        cert_enumerator_t *e;
-       
+
        e = malloc_thing(cert_enumerator_t);
        e->current = NULL;
        e->public.enumerate = (void*)cert_enumerator_enumerate;
@@ -275,11 +275,11 @@ static void shared_enumerator_destroy(shared_enumerator_t *this)
  * Implementation of credential_set_t.create_shared_enumerator.
  */
 static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
-                                                                 shared_key_type_t type, 
+                                                                 shared_key_type_t type,
                                                                  identification_t *me, identification_t *other)
 {
        shared_enumerator_t *e;
-       
+
        e = malloc_thing(shared_enumerator_t);
        e->me = me;
        e->other = other;
@@ -306,12 +306,12 @@ static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
                                DB_INT, me->get_type(me), DB_BLOB, me->get_encoding(me),
                                DB_INT, other->get_type(other), DB_BLOB, other->get_encoding(other),
                                DB_INT, type == SHARED_ANY, DB_INT, type,
-                               DB_INT, DB_BLOB);                               
+                               DB_INT, DB_BLOB);
        }
        else
        {
                identification_t *id = me ? me : other;
-               
+
                e->inner = this->db->query(this->db,
                                "SELECT s.type, s.data FROM shared_secrets AS s "
                                "JOIN shared_secret_identity AS si ON s.id = si.shared_secret "
@@ -350,16 +350,16 @@ static void destroy(private_sql_cred_t *this)
 sql_cred_t *sql_cred_create(database_t *db)
 {
        private_sql_cred_t *this = malloc_thing(private_sql_cred_t);
-       
+
        this->public.set.create_private_enumerator = (void*)create_private_enumerator;
        this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
        this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
        this->public.set.create_cdp_enumerator = (void*)return_null;
        this->public.set.cache_cert = (void*)cache_cert;
        this->public.destroy = (void(*)(sql_cred_t*))destroy;
-       
+
        this->db = db;
-       
+
        return &this->public;
 }
 
index 2a9a96df1e36b50ebabfd0824eb9c12472e46271..7f387398e73a9be5c6a91a236b4985412c76ecd7 100644 (file)
@@ -35,11 +35,11 @@ struct sql_cred_t {
         * Implements credential_set_t interface
         */
        credential_set_t set;
-       
+
        /**
         * Destry the backend.
         */
-       void (*destroy)(sql_cred_t *this);      
+       void (*destroy)(sql_cred_t *this);
 };
 
 /**
index 20d42662b6c3d30cdc5cb1a007a68b684330119b..d350c4c3dc4bb5926c41835d0aeb5c245553a8ef 100644 (file)
@@ -30,17 +30,17 @@ struct private_sql_logger_t {
         * Public part
         */
        sql_logger_t public;
-       
+
        /**
         * database connection
         */
        database_t *db;
-       
+
        /**
         * logging level
         */
        int level;
-       
+
        /**
         * avoid recursive logging
         */
@@ -67,7 +67,7 @@ static bool log_(private_sql_logger_t *this, debug_t group, level_t level,
                identification_t *local_id, *remote_id;
                u_int64_t ispi, rspi;
                ike_sa_id_t *id;
-       
+
                id = ike_sa->get_id(ike_sa);
                ispi = id->get_initiator_spi(id);
                rspi = id->get_responder_spi(id);
@@ -86,9 +86,9 @@ static bool log_(private_sql_logger_t *this, debug_t group, level_t level,
                remote_id = ike_sa->get_other_id(ike_sa);
                local_host = ike_sa->get_my_host(ike_sa);
                remote_host = ike_sa->get_other_host(ike_sa);
-               
+
                vsnprintf(buffer, sizeof(buffer), format, args);
-               
+
                this->db->execute(this->db, NULL, "REPLACE INTO ike_sas ("
                                                  "local_spi, remote_spi, id, initiator, "
                                                  "local_id_type, local_id_data, "
@@ -129,17 +129,17 @@ static void destroy(private_sql_logger_t *this)
 sql_logger_t *sql_logger_create(database_t *db)
 {
        private_sql_logger_t *this = malloc_thing(private_sql_logger_t);
-       
+
        memset(&this->public.listener, 0, sizeof(listener_t));
        this->public.listener.log = (bool(*)(listener_t*,debug_t,level_t,int,ike_sa_t*,char*,va_list))log_;
        this->public.destroy = (void(*)(sql_logger_t*))destroy;
-       
+
        this->db = db;
        this->recursive = FALSE;
-       
+
        this->level = lib->settings->get_int(lib->settings,
                                                                                 "charon.plugins.sql.loglevel", -1);
-       
+
        return &this->public;
 }
 
index 3636c2293d9df6bc14d6c15243361f7c4f077fdb..a933705daa6b49d4138b621fa85f9ab02eea3be0 100644 (file)
@@ -35,11 +35,11 @@ struct sql_logger_t {
         * Implements bus_listener_t interface
         */
        listener_t listener;
-       
+
        /**
         * Destry the backend.
         */
-       void (*destroy)(sql_logger_t *this);    
+       void (*destroy)(sql_logger_t *this);
 };
 
 /**
index e5a4afd1d8af6eb6062e8555c77c5f5e5d1a0691..65691cc00c5c6e5969ecf28842373f07fccf50ec 100644 (file)
@@ -32,27 +32,27 @@ struct private_sql_plugin_t {
         * implements plugin interface
         */
        sql_plugin_t public;
-       
+
        /**
         * database connection instance
         */
        database_t *db;
-       
+
        /**
         * configuration backend
         */
        sql_config_t *config;
-       
+
        /**
         * credential set
         */
        sql_cred_t *cred;
-       
+
        /**
         * CFG attributes
         */
        sql_attribute_t *attribute;
-       
+
        /**
         * bus listener/logger
         */
@@ -83,18 +83,18 @@ plugin_t *plugin_create()
 {
        char *uri;
        private_sql_plugin_t *this;
-       
+
        uri = lib->settings->get_str(lib->settings, "charon.plugins.sql.database", NULL);
        if (!uri)
        {
                DBG1(DBG_CFG, "sql plugin: database URI not set");
                return NULL;
        }
-       
+
        this = malloc_thing(private_sql_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        this->db = lib->db->create(lib->db, uri);
        if (!this->db)
        {
@@ -106,12 +106,12 @@ plugin_t *plugin_create()
        this->cred = sql_cred_create(this->db);
        this->attribute = sql_attribute_create(this->db);
        this->logger = sql_logger_create(this->db);
-       
+
        charon->backends->add_backend(charon->backends, &this->config->backend);
        charon->credentials->add_set(charon->credentials, &this->cred->set);
        charon->attributes->add_provider(charon->attributes, &this->attribute->provider);
        charon->bus->add_listener(charon->bus, &this->logger->listener);
-       
+
        return &this->public.plugin;
 }
 
index d3211fd673a8d215258fa4c99d4840084610a3b3..14464e0bd2cfa76ab2437f9235824a6b95d2d8f9 100644 (file)
@@ -33,12 +33,12 @@ struct private_stroke_attribute_t {
         * public functions
         */
        stroke_attribute_t public;
-       
+
        /**
         * list of pools, contains pool_t
         */
        linked_list_t *pools;
-       
+
        /**
         * mutex to lock access to pools
         */
@@ -85,7 +85,7 @@ static void pool_destroy(pool_t *this)
 {
        enumerator_t *enumerator;
        identification_t *id;
-       
+
        enumerator = this->ids->create_enumerator(this->ids);
        while (enumerator->enumerate(enumerator, &id, NULL))
        {
@@ -107,7 +107,7 @@ static pool_t *find_pool(private_stroke_attribute_t *this, char *name)
 {
        enumerator_t *enumerator;
        pool_t *current, *found = NULL;
-       
+
        enumerator = this->pools->create_enumerator(this->pools);
        while (enumerator->enumerate(enumerator, &current))
        {
@@ -129,13 +129,13 @@ host_t* offset2host(pool_t *pool, int offset)
        chunk_t addr;
        host_t *host;
        u_int32_t *pos;
-       
+
        offset--;
        if (offset > pool->size)
        {
                return NULL;
        }
-       
+
        addr = chunk_clone(pool->base->get_address(pool->base));
        if (pool->base->get_family(pool->base) == AF_INET6)
        {
@@ -158,7 +158,7 @@ int host2offset(pool_t *pool, host_t *addr)
 {
        chunk_t host, base;
        u_int32_t hosti, basei;
-       
+
        if (addr->get_family(addr) != pool->base->get_family(pool->base))
        {
                return -1;
@@ -195,7 +195,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
        uintptr_t offset = 0;
        enumerator_t *enumerator;
        identification_t *old_id;
-       
+
        this->mutex->lock(this->mutex);
        pool = find_pool(this, name);
        while (pool)
@@ -206,7 +206,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                        this->mutex->unlock(this->mutex);
                        return requested->clone(requested);
                }
-               
+
                if (!requested->is_anyaddr(requested) &&
                        requested->get_family(requested) !=
                        pool->base->get_family(pool->base))
@@ -214,7 +214,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                        DBG1(DBG_CFG, "IP pool address family mismatch");
                        break;
                }
-               
+
                /* check for a valid offline lease, refresh */
                offset = (uintptr_t)pool->offline->remove(pool->offline, id);
                if (offset)
@@ -227,7 +227,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                                break;
                        }
                }
-               
+
                /* check for a valid online lease, reassign */
                offset = (uintptr_t)pool->online->get(pool->online, id);
                if (offset && offset == host2offset(pool, requested))
@@ -235,7 +235,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                        DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
                        break;
                }
-               
+
                if (pool->unused < pool->size)
                {
                        /* assigning offset, starting by 1. Handling 0 in hashtable
@@ -270,7 +270,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                        }
                }
                enumerator->destroy(enumerator);
-               
+
                DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", name);
                break;
        }
@@ -291,7 +291,7 @@ static bool release_address(private_stroke_attribute_t *this,
        pool_t *pool;
        bool found = FALSE;
        uintptr_t offset;
-       
+
        this->mutex->lock(this->mutex);
        pool = find_pool(this, name);
        if (pool)
@@ -323,7 +323,7 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
        if (msg->add_conn.other.sourceip_size)
        {
                pool_t *pool;
-               
+
                pool = malloc_thing(pool_t);
                pool->base = NULL;
                pool->size = 0;
@@ -335,17 +335,17 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
                                                                                (hashtable_equals_t)id_equals, 16);
                pool->ids = hashtable_create((hashtable_hash_t)id_hash,
                                                                                (hashtable_equals_t)id_equals, 16);
-               
+
                /* if %config, add an empty pool, otherwise */
                if (msg->add_conn.other.sourceip)
                {
                        u_int32_t bits;
                        int family;
-               
-                       DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d", 
-                                msg->add_conn.name, msg->add_conn.other.sourceip, 
+
+                       DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d",
+                                msg->add_conn.name, msg->add_conn.other.sourceip,
                                 msg->add_conn.other.sourceip_size);
-               
+
                        pool->base = host_create_from_string(msg->add_conn.other.sourceip, 0);
                        if (!pool->base)
                        {
@@ -363,7 +363,7 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
                                         (family == AF_INET ? 32 : 128) - bits);
                        }
                        pool->size = 1 << (bits);
-                       
+
                        if (pool->size > 2)
                        {       /* do not use first and last addresses of a block */
                                pool->unused++;
@@ -383,7 +383,7 @@ static void del_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
 {
        enumerator_t *enumerator;
        pool_t *pool;
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->pools->create_enumerator(this->pools);
        while (enumerator->enumerate(enumerator, &pool))
@@ -407,7 +407,7 @@ static bool pool_filter(void *mutex, pool_t **poolp, char **name,
                                                void *d3, u_int *offline)
 {
        pool_t *pool = *poolp;
-       
+
        *name = pool->name;
        *size = pool->size;
        *online = pool->online->get_count(pool->online);
@@ -450,10 +450,10 @@ static bool lease_enumerate(lease_enumerator_t *this, identification_t **id_out,
 {
        identification_t *id;
        uintptr_t offset;
-       
+
        DESTROY_IF(this->current);
        this->current = NULL;
-       
+
        if (this->inner->enumerate(this->inner, &id, NULL))
        {
                offset = (uintptr_t)this->pool->online->get(this->pool->online, id);
@@ -494,7 +494,7 @@ static enumerator_t* create_lease_enumerator(private_stroke_attribute_t *this,
                                                                                         char *pool)
 {
        lease_enumerator_t *enumerator;
-       
+
        this->mutex->lock(this->mutex);
        enumerator = malloc_thing(lease_enumerator_t);
        enumerator->pool = find_pool(this, pool);
@@ -528,7 +528,7 @@ static void destroy(private_stroke_attribute_t *this)
 stroke_attribute_t *stroke_attribute_create()
 {
        private_stroke_attribute_t *this = malloc_thing(private_stroke_attribute_t);
-       
+
        this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,host_t *))acquire_address;
        this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
        this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))enumerator_create_empty;
@@ -537,10 +537,10 @@ stroke_attribute_t *stroke_attribute_create()
        this->public.create_pool_enumerator = (enumerator_t*(*)(stroke_attribute_t*))create_pool_enumerator;
        this->public.create_lease_enumerator = (enumerator_t*(*)(stroke_attribute_t*, char *pool))create_lease_enumerator;
        this->public.destroy = (void(*)(stroke_attribute_t*))destroy;
-       
+
        this->pools = linked_list_create();
        this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-       
+
        return &this->public;
 }
 
index fc273d1cb1559116e142143c46f64e8dea90bd15..0bb8ae4bf189780a13b6dd0cf777b60df80ce028 100644 (file)
@@ -30,12 +30,12 @@ typedef struct stroke_attribute_t stroke_attribute_t;
  * Stroke IKEv2 cfg attribute provider
  */
 struct stroke_attribute_t {
-       
+
        /**
         * Implements attribute provider interface
         */
        attribute_provider_t provider;
-       
+
        /**
         * Add a virtual IP address.
         *
@@ -43,24 +43,24 @@ struct stroke_attribute_t {
         * @param end           end of stroke message that contains virtual IP.
         */
        void (*add_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
-       
+
        /**
         * Remove a virtual IP address.
         *
         * @param msg           stroke message
         */
        void (*del_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
-       
+
        /**
         * Create an enumerator over installed pools.
         *
-        * Enumerator enumerates over 
+        * Enumerator enumerates over
         * char *pool, u_int size, u_int offline, u_int online.
         *
         * @return                      enumerator
         */
        enumerator_t* (*create_pool_enumerator)(stroke_attribute_t *this);
-       
+
        /**
         * Create an enumerator over the leases of a pool.
         *
index 2f87ba0aa9630195d7568e7a0e2759757d0ec336..2c3e2936e22afe369feca8e3b0cabc358f5d1038 100644 (file)
@@ -34,17 +34,17 @@ struct private_stroke_ca_t {
         * public functions
         */
        stroke_ca_t public;
-       
+
        /**
         * read-write lock to lists
         */
        rwlock_t *lock;
-       
+
        /**
         * list of starters CA sections and its certificates (ca_section_t)
         */
        linked_list_t *sections;
-       
+
        /**
         * stroke credentials, stores our CA certificates
         */
@@ -62,27 +62,27 @@ struct ca_section_t {
         * name of the CA section
         */
        char *name;
-       
+
        /**
         * reference to cert in trusted_credential_t
         */
        certificate_t *cert;
-       
+
        /**
         * CRL URIs
         */
        linked_list_t *crl;
-       
+
        /**
         * OCSP URIs
         */
        linked_list_t *ocsp;
-       
+
        /**
         * Hashes of certificates issued by this CA
         */
        linked_list_t *hashes;
-       
+
        /**
         * Base URI used for certificates from this CA
         */
@@ -90,12 +90,12 @@ struct ca_section_t {
 };
 
 /**
- * create a new CA section 
+ * create a new CA section
  */
 static ca_section_t *ca_section_create(char *name, certificate_t *cert)
 {
        ca_section_t *ca = malloc_thing(ca_section_t);
-       
+
        ca->name = strdup(name);
        ca->crl = linked_list_create();
        ca->ocsp = linked_list_create();
@@ -145,7 +145,7 @@ static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
        chunk_t keyid;
        enumerator_t *enumerator = NULL;
        linked_list_t *list;
-       
+
        if (data->type == CERT_X509_OCSP_RESPONSE)
        {
                list = section->ocsp;
@@ -154,7 +154,7 @@ static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
        {
                list = section->crl;
        }
-       
+
        public = section->cert->get_public_key(section->cert);
        if (public)
        {
@@ -182,25 +182,25 @@ static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data
 {
        enumerator_t *enumerator = NULL, *hash_enum;
        identification_t *current;
-       
+
        if (!data->id || !section->certuribase)
        {
                return NULL;
        }
-       
+
        hash_enum = section->hashes->create_enumerator(section->hashes);
        while (hash_enum->enumerate(hash_enum, &current))
-       {       
+       {
                if (current->matches(current, data->id))
                {
                        char *url, *hash;
-                       
+
                        url = malloc(strlen(section->certuribase) + 40 + 1);
                        strcpy(url, section->certuribase);
                        hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr;
                        strncat(url, hash, 40);
                        free(hash);
-                       
+
                        enumerator = enumerator_create_single(url, free);
                        break;
                }
@@ -231,7 +231,7 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
        data->this = this;
        data->type = type;
        data->id = id;
-       
+
        this->lock->read_lock(this->lock);
        return enumerator_create_nested(this->sections->create_enumerator(this->sections),
                        (type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp,
@@ -244,12 +244,12 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
 {
        certificate_t *cert;
        ca_section_t *ca;
-       
+
        if (msg->add_ca.cacert == NULL)
        {
                DBG1(DBG_CFG, "missing cacert parameter");
                return;
-       }       
+       }
        cert = this->cred->load_ca(this->cred, msg->add_ca.cacert);
        if (cert)
        {
@@ -288,7 +288,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
 {
        enumerator_t *enumerator;
        ca_section_t *ca = NULL;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->sections->create_enumerator(this->sections);
        while (enumerator->enumerate(enumerator, &ca))
@@ -344,14 +344,14 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 {
        ca_section_t *section;
        enumerator_t *enumerator;
-       
+
        hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (hasher == NULL)
        {
                DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
                return;
        }
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->sections->create_enumerator(this->sections);
        while (enumerator->enumerate(enumerator, (void**)&section))
@@ -369,7 +369,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
        }
        enumerator->destroy(enumerator);
        this->lock->unlock(this->lock);
-       
+
        hasher->destroy(hasher);
 }
 
@@ -381,7 +381,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
        bool first = TRUE;
        ca_section_t *section;
        enumerator_t *enumerator;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->sections->create_enumerator(this->sections);
        while (enumerator->enumerate(enumerator, (void**)&section))
@@ -389,7 +389,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
                certificate_t *cert = section->cert;
                public_key_t *public = cert->get_public_key(cert);
                chunk_t chunk;
-               
+
                if (first)
                {
                        fprintf(out, "\n");
@@ -398,7 +398,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
                }
                fprintf(out, "\n");
                fprintf(out, "  authname:    \"%Y\"\n", cert->get_subject(cert));
-               
+
                /* list authkey and keyid */
                if (public)
                {
@@ -439,7 +439,7 @@ static void destroy(private_stroke_ca_t *this)
 stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
 {
        private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t);
-       
+
        this->public.set.create_private_enumerator = (void*)return_null;
        this->public.set.create_cert_enumerator = (void*)return_null;
        this->public.set.create_shared_enumerator = (void*)return_null;
@@ -450,11 +450,11 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
        this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list;
        this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url;
        this->public.destroy = (void(*)(stroke_ca_t*))destroy;
-       
+
        this->sections = linked_list_create();
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
        this->cred = cred;
-       
+
        return &this->public;
 }
 
index c882d7b4e990abe3433d0c24b3f86d0e1a352745..ae55fe8e72a6eca1e8e75b064cf8806e6725a8b4 100644 (file)
@@ -37,35 +37,35 @@ struct stroke_ca_t {
         * Implements credential_set_t
         */
        credential_set_t set;
-       
+
        /**
         * Add a CA to the set using a stroke_msg_t.
         *
         * @param msg           stroke message containing CA info
         */
        void (*add)(stroke_ca_t *this, stroke_msg_t *msg);
-       
+
        /**
         * Remove a CA from the set using a stroke_msg_t.
         *
         * @param msg           stroke message containing CA info
         */
        void (*del)(stroke_ca_t *this, stroke_msg_t *msg);
-       
+
        /**
         * List CA sections to stroke console.
         *
         * @param msg           stroke message
         */
        void (*list)(stroke_ca_t *this, stroke_msg_t *msg, FILE *out);
-       
+
        /**
         * Check if a certificate can be made available through hash and URL.
-        * 
+        *
         * @param cert          peer certificate
         */
        void (*check_for_hash_and_url)(stroke_ca_t *this, certificate_t* cert);
-       
+
        /**
      * Destroy a stroke_ca instance.
      */
index 4404f7078a8c6539aeefbcfcba188e0da0deb3b7..2da1948db198dc612e3702cc1d57b4f6b7660343 100644 (file)
@@ -30,22 +30,22 @@ struct private_stroke_config_t {
         * public functions
         */
        stroke_config_t public;
-       
+
        /**
         * list of peer_cfg_t
         */
        linked_list_t *list;
-       
+
        /**
         * mutex to lock config list
         */
        mutex_t *mutex;
-       
+
        /**
         * ca sections
         */
        stroke_ca_t *ca;
-       
+
        /**
         * credentials
         */
@@ -93,7 +93,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *nam
        enumerator_t *e1, *e2;
        peer_cfg_t *current, *found = NULL;
        child_cfg_t *child;
-       
+
        this->mutex->lock(this->mutex);
        e1 = this->list->create_enumerator(this->list);
        while (e1->enumerate(e1, &current))
@@ -139,7 +139,7 @@ static void add_proposals(private_stroke_config_t *this, char *string,
                char *strict;
                proposal_t *proposal;
                protocol_id_t proto = PROTO_ESP;
-               
+
                if (ike_cfg)
                {
                        proto = PROTO_IKE;
@@ -195,7 +195,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
        ike_cfg_t *ike_cfg;
        char *interface;
        host_t *host;
-       
+
        host = host_create_from_dns(msg->add_conn.other.address, 0, 0);
        if (host)
        {
@@ -227,7 +227,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
                                {
                                        free(interface);
                                }
-                               
+
                        }
                }
        }
@@ -275,7 +275,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
        stroke_end_t *end, *other_end;
        auth_cfg_t *cfg;
        char eap_buf[32];
-       
+
        /* select strings */
        if (local)
        {
@@ -317,7 +317,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                        ca = other_end->ca2;
                }
        }
-       
+
        if (!auth)
        {
                if (primary)
@@ -366,9 +366,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                        return NULL;
                }
        }
-       
+
        cfg = auth_cfg_create();
-       
+
        /* add identity and peer certifcate */
        identity = identification_create_from_string(id);
        if (cert)
@@ -394,7 +394,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                }
        }
        cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
-       
+
        /* CA constraint */
        if (ca)
        {
@@ -412,13 +412,13 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                                 "constraint", ca);
                }
        }
-       
+
        /* AC groups */
        if (end->groups)
        {
                enumerator_t *enumerator;
                char *group;
-               
+
                enumerator = enumerator_create_token(end->groups, ",", " ");
                while (enumerator->enumerate(enumerator, &group))
                {
@@ -428,7 +428,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                }
                enumerator->destroy(enumerator);
        }
-       
+
        /* authentication metod (class, actually) */
        if (streq(auth, "pubkey") ||
                streq(auth, "rsasig") || streq(auth, "rsa") ||
@@ -446,9 +446,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                enumerator_t *enumerator;
                char *str;
                int i = 0, type = 0, vendor;
-               
+
                cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-               
+
                /* parse EAP string, format: eap[-type[-vendor]] */
                enumerator = enumerator_create_token(auth, "-", " ");
                while (enumerator->enumerate(enumerator, &str))
@@ -488,7 +488,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                        i++;
                }
                enumerator->destroy(enumerator);
-               
+
                if (msg->add_conn.eap_identity)
                {
                        if (streq(msg->add_conn.eap_identity, "%identity"))
@@ -529,7 +529,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
        u_int32_t rekey = 0, reauth = 0, over, jitter;
        peer_cfg_t *peer_cfg;
        auth_cfg_t *auth_cfg;
-       
+
 #ifdef ME
        if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
        {
@@ -537,13 +537,13 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
                         "at the same time, aborting");
                return NULL;
        }
-       
+
        if (msg->add_conn.ikeme.mediation)
        {
                /* force unique connections for mediation connections */
                msg->add_conn.unique = 1;
        }
-       
+
        if (msg->add_conn.ikeme.mediated_by)
        {
                mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends,
@@ -572,7 +572,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
                }
        }
 #endif /* ME */
-       
+
        jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
        over = msg->add_conn.rekey.margin;
        if (msg->add_conn.rekey.reauth)
@@ -632,7 +632,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
        {       /* dpdaction=none disables DPD */
                msg->add_conn.dpd.delay = 0;
        }
-       
+
        /* other.sourceip is managed in stroke_attributes. If it is set, we define
         * the pool name as the connection name, which the attribute provider
         * uses to serve pool addresses. */
@@ -644,7 +644,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
                vip, msg->add_conn.other.sourceip_size ?
                                                        msg->add_conn.name : msg->add_conn.other.sourceip,
                msg->add_conn.ikeme.mediation, mediated_by, peer_id);
-       
+
        /* build leftauth= */
        auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
        if (auth_cfg)
@@ -684,7 +684,7 @@ static void add_ts(private_stroke_config_t *this,
                                   stroke_end_t *end, child_cfg_t *child_cfg, bool local)
 {
        traffic_selector_t *ts;
-       
+
        if (end->tohost)
        {
                ts = traffic_selector_create_dynamic(end->protocol,
@@ -694,7 +694,7 @@ static void add_ts(private_stroke_config_t *this,
        else
        {
                host_t *net;
-               
+
                if (!end->subnets)
                {
                        net = host_create_from_string(end->address, IKEV2_UDP_PORT);
@@ -708,12 +708,12 @@ static void add_ts(private_stroke_config_t *this,
                else
                {
                        char *del, *start, *bits;
-                       
+
                        start = end->subnets;
                        do
                        {
                                int intbits = 0;
-                               
+
                                del = strchr(start, ',');
                                if (del)
                                {
@@ -725,7 +725,7 @@ static void add_ts(private_stroke_config_t *this,
                                        *bits = '\0';
                                        intbits = atoi(bits + 1);
                                }
-                               
+
                                net = host_create_from_string(start, IKEV2_UDP_PORT);
                                if (net)
                                {
@@ -769,7 +769,7 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
                        .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
                }
        };
-       
+
        switch (msg->add_conn.dpd.action)
        {       /* map startes magic values to our action type */
                case 2: /* =hold */
@@ -782,7 +782,7 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
                        dpd = ACTION_NONE;
                        break;
        }
-       
+
        child_cfg = child_cfg_create(
                                msg->add_conn.name, &lifetime,
                                msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
@@ -791,9 +791,9 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
                                                                                        msg->add_conn.install_policy);
        add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
        add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
-       
+
        add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg);
-       
+
        return child_cfg;
 }
 
@@ -819,7 +819,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
                ike_cfg->destroy(ike_cfg);
                return;
        }
-       
+
        enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
        while (enumerator->enumerate(enumerator, &existing))
        {
@@ -837,7 +837,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        child_cfg = build_child_cfg(this, msg);
        if (!child_cfg)
        {
@@ -845,7 +845,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
                return;
        }
        peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-       
+
        if (use_existing)
        {
                peer_cfg->destroy(peer_cfg);
@@ -869,13 +869,13 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
        peer_cfg_t *peer;
        child_cfg_t *child;
        bool deleted = FALSE;
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->list->create_enumerator(this->list);
        while (enumerator->enumerate(enumerator, (void**)&peer))
        {
                bool keep = FALSE;
-               
+
                /* remove any child with such a name */
                children = peer->create_child_cfg_enumerator(peer);
                while (children->enumerate(children, &child))
@@ -892,7 +892,7 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
                        }
                }
                children->destroy(children);
-               
+
                /* if peer config matches, or has no children anymore, remove it */
                if (!keep || streq(peer->get_name(peer), msg->del_conn.name))
                {
@@ -903,7 +903,7 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
        }
        enumerator->destroy(enumerator);
        this->mutex->unlock(this->mutex);
-       
+
        if (deleted)
        {
                DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
@@ -930,19 +930,19 @@ static void destroy(private_stroke_config_t *this)
 stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred)
 {
        private_stroke_config_t *this = malloc_thing(private_stroke_config_t);
-       
+
        this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
        this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
        this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
        this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add;
        this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del;
        this->public.destroy = (void(*)(stroke_config_t*))destroy;
-       
+
        this->list = linked_list_create();
        this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
        this->ca = ca;
        this->cred = cred;
-       
+
        return &this->public;
 }
 
index 270795e4ac1b9d499419535f27ea0714c4146ea6..3ed2f994ff653dd5ad409351767fd5536a7a62e7 100644 (file)
@@ -37,21 +37,21 @@ struct stroke_config_t {
         * Implements the backend_t interface
         */
        backend_t backend;
-       
+
        /**
         * Add a configuration to the backend.
         *
         * @param msg           received stroke message containing config
         */
        void (*add)(stroke_config_t *this, stroke_msg_t *msg);
-       
+
        /**
         * Remove a configuration from the backend.
         *
         * @param msg           received stroke message containing config name
         */
        void (*del)(stroke_config_t *this, stroke_msg_t *msg);
-       
+
        /**
      * Destroy a stroke_config instance.
      */
index c572117a2c62ff97779608df04b0f9679db40a23..a03aef69709cc653c94300f19ed7b00a18606774 100644 (file)
@@ -43,7 +43,7 @@ struct stroke_log_info_t {
         * level to log up to
         */
        level_t level;
-       
+
        /**
         * where to write log
         */
@@ -75,7 +75,7 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
 {
        child_cfg_t *current, *found = NULL;
        enumerator_t *enumerator;
-       
+
        enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
        while (enumerator->enumerate(enumerator, &current))
        {
@@ -98,7 +98,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou
        peer_cfg_t *peer_cfg;
        child_cfg_t *child_cfg;
        stroke_log_info_t info;
-       
+
        peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
                                                                                                          msg->initiate.name);
        if (peer_cfg == NULL)
@@ -113,7 +113,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou
                peer_cfg->destroy(peer_cfg);
                return;
        }
-       
+
        child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
        if (child_cfg == NULL)
        {
@@ -121,7 +121,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou
                peer_cfg->destroy(peer_cfg);
                return;
        }
-       
+
        if (msg->output_verbosity < 0)
        {
                charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
@@ -150,9 +150,9 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
        linked_list_t *ike_list, *child_list;
        stroke_log_info_t info;
        uintptr_t del;
-       
+
        string = msg->terminate.name;
-       
+
        len = strlen(string);
        if (len < 1)
        {
@@ -174,7 +174,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
                        child = FALSE;
                        break;
        }
-       
+
        if (name)
        {
                /* is a single name */
@@ -202,10 +202,10 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
                        }
                }
        }
-       
+
        info.out = out;
        info.level = msg->output_verbosity;
-       
+
        if (id)
        {
                if (child)
@@ -220,7 +220,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
                }
                return;
        }
-       
+
        ike_list = linked_list_create();
        child_list = linked_list_create();
        enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
@@ -228,7 +228,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
        {
                child_sa_t *child_sa;
                iterator_t *children;
-               
+
                if (child)
                {
                        children = ike_sa->create_child_sa_iterator(ike_sa);
@@ -261,7 +261,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
                }
        }
        enumerator->destroy(enumerator);
-       
+
        enumerator = child_list->create_enumerator(child_list);
        while (enumerator->enumerate(enumerator, &del))
        {
@@ -269,7 +269,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
                                                                        (controller_cb_t)stroke_log, &info);
        }
        enumerator->destroy(enumerator);
-       
+
        enumerator = ike_list->create_enumerator(ike_list);
        while (enumerator->enumerate(enumerator, &del))
        {
@@ -277,7 +277,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
                                                                        (controller_cb_t)stroke_log, &info);
        }
        enumerator->destroy(enumerator);
-       
+
        if (child_list->get_count(child_list) == 0 &&
                ike_list->get_count(ike_list) == 0)
        {
@@ -298,7 +298,7 @@ static void terminate_srcip(private_stroke_control_t *this,
        ike_sa_t *ike_sa;
        host_t *start = NULL, *end = NULL, *vip;
        chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
-       
+
        if (msg->terminate_srcip.start)
        {
                start = host_create_from_string(msg->terminate_srcip.start, 0);
@@ -320,7 +320,7 @@ static void terminate_srcip(private_stroke_control_t *this,
                }
                chunk_end = end->get_address(end);
        }
-       
+
        enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
        while (enumerator->enumerate(enumerator, &ike_sa))
        {
@@ -369,10 +369,10 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
        linked_list_t *list;
        uintptr_t del;
        stroke_log_info_t info;
-       
+
        info.out = out;
        info.level = msg->output_verbosity;
-       
+
        list = linked_list_create();
        enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
        while (enumerator->enumerate(enumerator, &ike_sa))
@@ -386,7 +386,7 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
                iterator->destroy(iterator);
        }
        enumerator->destroy(enumerator);
-       
+
        enumerator = list->create_enumerator(list);
        while (enumerator->enumerate(enumerator, &del))
        {
@@ -404,7 +404,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
        peer_cfg_t *peer_cfg;
        child_cfg_t *child_cfg;
-       
+
        peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
                                                                                                          msg->route.name);
        if (peer_cfg == NULL)
@@ -417,7 +417,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
                peer_cfg->destroy(peer_cfg);
                return;
        }
-       
+
        child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
        if (child_cfg == NULL)
        {
@@ -425,7 +425,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
                peer_cfg->destroy(peer_cfg);
                return;
        }
-       
+
        if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
        {
                fprintf(out, "configuration '%s' routed\n", msg->route.name);
@@ -446,7 +446,7 @@ static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out
        child_sa_t *child_sa;
        enumerator_t *enumerator;
        u_int32_t id;
-       
+
        enumerator = charon->traps->create_enumerator(charon->traps);
        while (enumerator->enumerate(enumerator, NULL, &child_sa))
        {
@@ -477,7 +477,7 @@ static void destroy(private_stroke_control_t *this)
 stroke_control_t *stroke_control_create()
 {
        private_stroke_control_t *this = malloc_thing(private_stroke_control_t);
-       
+
        this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate;
        this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate;
        this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip;
@@ -485,7 +485,7 @@ stroke_control_t *stroke_control_create()
        this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route;
        this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute;
        this->public.destroy = (void(*)(stroke_control_t*))destroy;
-       
+
        return &this->public;
 }
 
index 5a61a90a4f09d1babcaa8ca0c1c7cbc9a7dcccfd..9b49bdc31bc3047b315ad1976522c61d5adb657a 100644 (file)
@@ -38,42 +38,42 @@ struct stroke_control_t {
         * @param msg           stroke message
         */
        void (*initiate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-       
+
        /**
         * Terminate a connection.
         *
         * @param msg           stroke message
         */
        void (*terminate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-       
+
        /**
         * Terminate a connection by peers virtual IP.
         *
         * @param msg           stroke message
         */
        void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-       
+
        /**
         * Delete IKE_SAs without a CHILD_SA.
         *
         * @param msg           stroke message
         */
        void (*purge_ike)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-       
+
        /**
         * Route a connection.
         *
         * @param msg           stroke message
         */
        void (*route)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-       
+
        /**
         * Unroute a connection.
         *
         * @param msg           stroke message
         */
        void (*unroute)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-       
+
        /**
         * Destroy a stroke_control instance.
         */
index 57a02c7a13f12ba096541358910de699daee7608..9133a1380a656ef7727766f9576737234f1cb220 100644 (file)
@@ -55,7 +55,7 @@ struct private_stroke_cred_t {
         * public functions
         */
        stroke_cred_t public;
-       
+
        /**
         * list of trusted peer/signer/CA certificates (certificate_t)
         */
@@ -70,12 +70,12 @@ struct private_stroke_cred_t {
         * list of private keys (private_key_t)
         */
        linked_list_t *private;
-       
+
        /**
         * read-write lock to lists
         */
        rwlock_t *lock;
-       
+
        /**
         * cache CRLs to disk?
         */
@@ -107,7 +107,7 @@ static bool private_filter(id_data_t *data,
 {
        private_key_t *key;
        chunk_t keyid;
-       
+
        key = *in;
        if (data->id == NULL)
        {
@@ -134,7 +134,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
        data = malloc_thing(id_data_t);
        data->this = this;
        data->id = id;
-       
+
        this->lock->read_lock(this->lock);
        return enumerator_create_filter(this->private->create_enumerator(this->private),
                                                                        (void*)private_filter, data,
@@ -149,7 +149,7 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
        public_key_t *public;
        certificate_t *cert = *in;
        chunk_t keyid;
-       
+
        if (cert->get_type(cert) == CERT_X509_CRL ||
                cert->get_type(cert) == CERT_X509_AC)
        {
@@ -160,7 +160,7 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
                *out = *in;
                return TRUE;
        }
-       
+
        public = cert->get_public_key(cert);
        if (public)
        {
@@ -182,7 +182,7 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
 static bool crl_filter(id_data_t *data, certificate_t **in, certificate_t **out)
 {
        certificate_t *cert = *in;
-       
+
        if (cert->get_type(cert) != CERT_X509_CRL)
        {
                return FALSE;
@@ -202,7 +202,7 @@ static bool crl_filter(id_data_t *data, certificate_t **in, certificate_t **out)
 static bool ac_filter(id_data_t *data, certificate_t **in, certificate_t **out)
 {
        certificate_t *cert = *in;
-       
+
        if (cert->get_type(cert) != CERT_X509_AC)
        {
                return FALSE;
@@ -224,7 +224,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
                                                        identification_t *id, bool trusted)
 {
        id_data_t *data;
-       
+
        if (cert == CERT_X509_CRL || cert == CERT_X509_AC)
        {
                if (trusted)
@@ -234,7 +234,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
                data = malloc_thing(id_data_t);
                data->this = this;
                data->id = id;
-               
+
                this->lock->read_lock(this->lock);
                return enumerator_create_filter(this->certs->create_enumerator(this->certs),
                                        (cert == CERT_X509_CRL)? (void*)crl_filter : (void*)ac_filter,
@@ -247,7 +247,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
        data = malloc_thing(id_data_t);
        data->this = this;
        data->id = id;
-       
+
        this->lock->read_lock(this->lock);
        return enumerator_create_filter(this->certs->create_enumerator(this->certs),
                                                                        (void*)certs_filter, data,
@@ -286,7 +286,7 @@ static bool shared_filter(shared_data_t *data,
        {
                return FALSE;
        }
-       
+
        my_match = stroke->has_owner(stroke, data->me);
        other_match = stroke->has_owner(stroke, data->other);
        if (!my_match && !other_match)
@@ -308,12 +308,12 @@ static bool shared_filter(shared_data_t *data,
 /**
  * Implements credential_set_t.create_shared_enumerator
  */
-static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this, 
+static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
                                                        shared_key_type_t type, identification_t *me,
                                                        identification_t *other)
 {
        shared_data_t *data = malloc_thing(shared_data_t);
-       
+
        data->this = this;
        data->me = me;
        data->other = other;
@@ -331,7 +331,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
 {
        certificate_t *current;
        enumerator_t *enumerator;
-       bool new = TRUE;        
+       bool new = TRUE;
 
        this->lock->read_lock(this->lock);
        enumerator = this->certs->create_enumerator(this->certs);
@@ -355,7 +355,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
        this->lock->unlock(this->lock);
        return cert;
 }
-       
+
 /**
  * Implementation of stroke_cred_t.load_ca.
  */
@@ -363,7 +363,7 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
 {
        certificate_t *cert;
        char path[PATH_MAX];
-       
+
        if (*filename == '/')
        {
                snprintf(path, sizeof(path), "%s", filename);
@@ -372,7 +372,7 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
        {
                snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
        }
-       
+
        cert = lib->creds->create(lib->creds,
                                                          CRED_CERTIFICATE, CERT_X509,
                                                          BUILD_FROM_FILE, path,
@@ -380,7 +380,7 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
        if (cert)
        {
                x509_t *x509 = (x509_t*)cert;
-               
+
                if (!(x509->get_flags(x509) & X509_CA))
                {
                        DBG1(DBG_CFG, "  ca certificate '%Y' misses ca basic constraint, "
@@ -400,7 +400,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 {
        certificate_t *current, *cert = &crl->certificate;
        enumerator_t *enumerator;
-       bool new = TRUE, found = FALSE; 
+       bool new = TRUE, found = FALSE;
 
        this->lock->write_lock(this->lock);
        enumerator = this->certs->create_enumerator(this->certs);
@@ -411,7 +411,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
                        crl_t *crl_c = (crl_t*)current;
                        chunk_t authkey = crl->get_authKeyIdentifier(crl);
                        chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c);
-                       
+
                        /* if compare authorityKeyIdentifiers if available */
                        if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c))
                        {
@@ -421,7 +421,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
                        {
                                identification_t *issuer = cert->get_issuer(cert);
                                identification_t *issuer_c = current->get_issuer(current);
-                               
+
                                /* otherwise compare issuer distinguished names */
                                if (issuer->equals(issuer, issuer_c))
                                {
@@ -444,7 +444,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        if (new)
        {
                this->certs->insert_last(this->certs, cert);
@@ -482,7 +482,7 @@ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
        {
                snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
        }
-       
+
        cert = lib->creds->create(lib->creds,
                                                          CRED_CERTIFICATE, CERT_X509,
                                                          BUILD_FROM_FILE, path,
@@ -508,7 +508,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 {
        struct stat st;
        char *file;
-       
+
        enumerator_t *enumerator = enumerator_create_directory(path);
 
        if (!enumerator)
@@ -538,7 +538,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
                                        if (cert)
                                        {
                                                x509_t *x509 = (x509_t*)cert;
-                                               
+
                                                if (!(x509->get_flags(x509) & X509_CA))
                                                {
                                                        DBG1(DBG_CFG, "  ca certificate '%Y' misses "
@@ -629,18 +629,18 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
        {
                /* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */
                crl_t *crl = (crl_t*)cert;
-               
+
                cert->get_ref(cert);
                if (add_crl(this, crl))
                {
                        char buf[BUF_LEN];
                        chunk_t chunk, hex;
-                       
+
                        chunk = crl->get_authKeyIdentifier(crl);
                        hex = chunk_to_hex(chunk, NULL, FALSE);
                        snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
                        free(hex.ptr);
-                       
+
                        chunk = cert->get_encoding(cert);
                        chunk_write(chunk, buf, "crl", 022, TRUE);
                        free(chunk.ptr);
@@ -695,7 +695,7 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
        }
 
        if (quotes)
-       {       
+       {
                /* treat as an ASCII string */
                *secret = chunk_clone(raw_secret);
                return NULL;
@@ -736,7 +736,7 @@ typedef struct {
 chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
 {
        chunk_t secret = chunk_empty;;
-       
+
        if (try > 5)
        {
                fprintf(data->prompt, "invalid passphrase, too many trials\n");
@@ -809,7 +809,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                        private->destroy(private);
                }
        }
-       
+
        while (fetchline(&src, &line))
        {
                chunk_t ids, token;
@@ -827,7 +827,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                        glob_t buf;
                        char **expanded, *dir, pattern[PATH_MAX];
                        u_char *pos;
-                       
+
                        if (level > MAX_SECRETS_RECURSION)
                        {
                                DBG1(DBG_CFG, "maximum level of %d includes reached, ignored",
@@ -854,7 +854,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                        {       /* use directory of current file if relative */
                                dir = strdup(file);
                                dir = dirname(dir);
-                               
+
                                if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
                                {
                                        DBG1(DBG_CFG, "include pattern too long, ignored");
@@ -880,7 +880,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                        globfree(&buf);
                        continue;
                }
-               
+
                if (line.len > 2 && strneq(": ", line.ptr, 2))
                {
                        /* no ids, skip the ':' */
@@ -932,7 +932,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                        else
                        {
                                /* relative path name */
-                               snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, 
+                               snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
                                                 filename.len, filename.ptr);
                        }
 
@@ -951,7 +951,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                                if (prompt)
                                {
                                        passphrase_cb_data_t data;
-                                       
+
                                        data.prompt = prompt;
                                        data.file = path;
                                        key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
@@ -984,9 +984,9 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                        char smartcard[32], keyid[22], pin[32];
                        private_key_t *key;
                        u_int slot;
-                       
+
                        err_t ugh = extract_value(&sc, &line);
-                       
+
                        if (ugh != NULL)
                        {
                                DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
@@ -999,7 +999,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                        }
                        snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
                        smartcard[sizeof(smartcard) - 1] = '\0';
-                       
+
                        /* parse slot and key id. only two formats are supported.
                         * first try %smartcard<slot>:<keyid> */
                        if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
@@ -1017,7 +1017,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                                                " supported or invalid", line_nr);
                                goto error;
                        }
-                       
+
                        if (!eat_whitespace(&line))
                        {
                                DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
@@ -1031,12 +1031,12 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                        }
                        snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
                        pin[sizeof(pin) - 1] = '\0';
-                       
+
                        /* we assume an RSA key */
                        key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                                         BUILD_SMARTCARD_KEYID, smartcard,
                                                                         BUILD_SMARTCARD_PIN, pin, BUILD_END);
-                       
+
                        if (key)
                        {
                                DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
@@ -1063,7 +1063,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                        DBG1(DBG_CFG, "  loaded %N secret for %s", shared_key_type_names, type,
                                 ids.len > 0 ? (char*)ids.ptr : "%any");
                        DBG4(DBG_CFG, "  secret: %#B", &secret);
-                       
+
                        this->shared->insert_last(this->shared, shared_key);
                        while (ids.len > 0)
                        {
@@ -1080,7 +1080,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                                {
                                        continue;
                                }
-                               
+
                                /* NULL terminate the ID string */
                                *(id.ptr + id.len) = '\0';
                                peer_id = identification_create_from_string(id.ptr);
@@ -1089,7 +1089,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                                        peer_id->destroy(peer_id);
                                        continue;
                                }
-                               
+
                                shared_key->add_owner(shared_key, peer_id);
                                any = FALSE;
                        }
@@ -1201,7 +1201,7 @@ static void destroy(private_stroke_cred_t *this)
 stroke_cred_t *stroke_cred_create()
 {
        private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t);
-       
+
        this->public.set.create_private_enumerator = (void*)create_private_enumerator;
        this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
        this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
@@ -1212,7 +1212,7 @@ stroke_cred_t *stroke_cred_create()
        this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
        this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
        this->public.destroy = (void(*)(stroke_cred_t*))destroy;
-       
+
        this->certs = linked_list_create();
        this->shared = linked_list_create();
        this->private = linked_list_create();
@@ -1220,9 +1220,9 @@ stroke_cred_t *stroke_cred_create()
 
        load_certs(this);
        load_secrets(this, SECRETS_FILE, 0, NULL);
-       
+
        this->cachecrl = FALSE;
-       
+
        return &this->public;
 }
 
index 3924ccbc1d7aa5aeeaf37b375c91129849e957a4..ccee7d87c97844b3fec58d29b5f943e309276c30 100644 (file)
@@ -38,7 +38,7 @@ struct stroke_cred_t {
         * Implements credential_set_t
         */
        credential_set_t set;
-       
+
        /**
         * Reread secrets from config files.
         *
@@ -46,7 +46,7 @@ struct stroke_cred_t {
         * @param prompt        I/O channel to prompt for private key passhprase
         */
        void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt);
-       
+
        /**
         * Load a CA certificate, and serve it through the credential_set.
         *
@@ -54,7 +54,7 @@ struct stroke_cred_t {
         * @return                              reference to loaded certificate, or NULL
         */
        certificate_t* (*load_ca)(stroke_cred_t *this, char *filename);
-       
+
        /**
         * Load a peer certificate and serve it rhrough the credential_set.
         *
@@ -62,14 +62,14 @@ struct stroke_cred_t {
         * @return                              reference to loaded certificate, or NULL
         */
        certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
-       
+
        /**
         * Enable/Disable CRL caching to disk.
         *
         * @param enabled               TRUE to enable, FALSE to disable
         */
        void (*cachecrl)(stroke_cred_t *this, bool enabled);
-       
+
        /**
         * Destroy a stroke_cred instance.
         */
index d6754482f75299d4c39ea28aa9e48bfe617358b5..ced627f501aa2cd0204653382194e15dd4cfffae 100644 (file)
@@ -40,12 +40,12 @@ struct private_stroke_list_t {
         * public functions
         */
        stroke_list_t public;
-       
+
        /**
         * timestamp of daemon start
         */
        time_t uptime;
-       
+
        /**
         * strokes attribute provider
         */
@@ -59,44 +59,44 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 {
        ike_sa_id_t *id = ike_sa->get_id(ike_sa);
        time_t now = time_monotonic(NULL);
-       
+
        fprintf(out, "%12s[%d]: %N",
                        ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
                        ike_sa_state_names, ike_sa->get_state(ike_sa));
-       
+
        if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
        {
                time_t established;
-               
+
                established = ike_sa->get_statistic(ike_sa, STAT_ESTABLISHED);
                fprintf(out, " %V ago", &now, &established);
        }
-       
+
        fprintf(out, ", %H[%Y]...%H[%Y]\n",
                        ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
                        ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
-       
+
        if (all)
        {
                proposal_t *ike_proposal;
-               
+
                ike_proposal = ike_sa->get_proposal(ike_sa);
-               
+
                fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
                                ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
                                id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
                                id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
-               
-               
+
+
                if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
                {
                        time_t rekey, reauth;
                        peer_cfg_t *peer_cfg;
-                       
+
                        rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
                        reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
                        peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-                       
+
                        if (rekey)
                        {
                                fprintf(out, ", rekeying in %V", &rekey, &now);
@@ -106,7 +106,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
                                bool first = TRUE;
                                enumerator_t *enumerator;
                                auth_cfg_t *auth;
-                               
+
                                fprintf(out, ", ");
                                enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, TRUE);
                                while (enumerator->enumerate(enumerator, &auth))
@@ -128,11 +128,11 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
                        }
                }
                fprintf(out, "\n");
-               
+
                if (ike_proposal)
                {
                        char buf[BUF_LEN];
-                       
+
                        snprintf(buf, BUF_LEN, "%P", ike_proposal);
                        fprintf(out, "%12s[%d]: IKE proposal: %s\n",
                                        ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
@@ -150,14 +150,14 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
        u_int64_t bytes_in, bytes_out;
        proposal_t *proposal;
        child_cfg_t *config = child_sa->get_config(child_sa);
-       
-       
-       fprintf(out, "%12s{%d}:  %N, %N%s", 
+
+
+       fprintf(out, "%12s{%d}:  %N, %N%s",
                        child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
                        child_sa_state_names, child_sa->get_state(child_sa),
                        ipsec_mode_names, child_sa->get_mode(child_sa),
                        config->use_proxy_mode(config) ? "_PROXY" : "");
-       
+
        if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
        {
                fprintf(out, ", %N%s SPIs: %.8x_i %.8x_o",
@@ -165,30 +165,30 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
                                child_sa->has_encap(child_sa) ? " in UDP" : "",
                                ntohl(child_sa->get_spi(child_sa, TRUE)),
                                ntohl(child_sa->get_spi(child_sa, FALSE)));
-               
+
                if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE)
                {
                        fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o",
                                        ntohs(child_sa->get_cpi(child_sa, TRUE)),
                                        ntohs(child_sa->get_cpi(child_sa, FALSE)));
                }
-               
+
                if (all)
                {
-                       fprintf(out, "\n%12s{%d}:  ", child_sa->get_name(child_sa), 
+                       fprintf(out, "\n%12s{%d}:  ", child_sa->get_name(child_sa),
                                        child_sa->get_reqid(child_sa));
-                       
+
                        proposal = child_sa->get_proposal(child_sa);
                        if (proposal)
                        {
                                u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
                                u_int16_t encr_size = 0, int_size = 0;
-                               
+
                                proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
                                                                                &encr_alg, &encr_size);
                                proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
                                                                                &int_alg, &int_size);
-                               
+
                                if (encr_alg != ENCR_UNDEFINED)
                                {
                                        fprintf(out, "%N", encryption_algorithm_names, encr_alg);
@@ -206,7 +206,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
                                        }
                                }
                        }
-                       
+
                        now = time_monotonic(NULL);
                        child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in);
                        fprintf(out, ", %llu bytes_i", bytes_in);
@@ -222,7 +222,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
                                fprintf(out, " (%ds ago)", now - use_out);
                        }
                        fprintf(out, ", rekeying ");
-                       
+
                        rekey = child_sa->get_lifetime(child_sa, FALSE);
                        if (rekey)
                        {
@@ -239,10 +239,10 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
                        {
                                fprintf(out, "disabled");
                        }
-                       
+
                }
        }
-       
+
        fprintf(out, "\n%12s{%d}:   %#R=== %#R\n",
                        child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
                        child_sa->get_traffic_selectors(child_sa, TRUE),
@@ -262,9 +262,9 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
        certificate_t *cert;
        cert_validation_t valid;
        char *name;
-       
+
        name = peer_cfg->get_name(peer_cfg);
-       
+
        enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
        while (enumerator->enumerate(enumerator, &auth))
        {
@@ -329,7 +329,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
                        fprintf(out, "%12s:    ocsp:  status must be GOOD%s\n", name,
                                        (valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
                }
-               
+
                valid = (uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION);
                if (valid != VALIDATION_FAILED)
                {
@@ -362,7 +362,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
        ike_sa_t *ike_sa;
        bool first, found = FALSE;
        char *name = msg->status.name;
-       
+
        if (all)
        {
                peer_cfg_t *peer_cfg;
@@ -371,10 +371,10 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
                u_int32_t dpd;
                time_t since, now;
                u_int size, online, offline;
-               
+
                now = time_monotonic(NULL);
                since = time(NULL) - (now - this->uptime);
-               
+
                fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
                fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE);
                fprintf(out, "  worker threads: %d idle of %d,",
@@ -392,7 +392,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
                }
                enumerator->destroy(enumerator);
                fprintf(out, "\n");
-               
+
                first = TRUE;
                enumerator = this->attribute->create_pool_enumerator(this->attribute);
                while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
@@ -409,7 +409,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
                        fprintf(out, "  %s: %u/%u/%u\n", pool, size, online, offline);
                }
                enumerator->destroy(enumerator);
-               
+
                enumerator = charon->kernel_interface->create_address_enumerator(
                                                                charon->kernel_interface, FALSE, FALSE);
                fprintf(out, "Listening IP addresses:\n");
@@ -418,7 +418,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
                        fprintf(out, "  %H\n", host);
                }
                enumerator->destroy(enumerator);
-       
+
                fprintf(out, "Connections:\n");
                enumerator = charon->backends->create_peer_cfg_enumerator(
                                                                        charon->backends, NULL, NULL, NULL, NULL);
@@ -429,33 +429,33 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
                        {
                                continue;
                        }
-                       
+
                        ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
                        fprintf(out, "%12s:  %s...%s", peer_cfg->get_name(peer_cfg),
                                ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg));
-                       
+
                        dpd = peer_cfg->get_dpd(peer_cfg);
                        if (dpd)
                        {
                                fprintf(out, ", dpddelay=%us", dpd);
                        }
                        fprintf(out, "\n");
-                       
+
                        log_auth_cfgs(out, peer_cfg, TRUE);
                        log_auth_cfgs(out, peer_cfg, FALSE);
-                       
+
                        children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
                        while (children->enumerate(children, &child_cfg))
                        {
                                linked_list_t *my_ts, *other_ts;
-                               
+
                                my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
                                other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
                                fprintf(out, "%12s:   child:  %#R=== %#R", child_cfg->get_name(child_cfg),
                                                my_ts, other_ts);
                                my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
                                other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-                               
+
                                if (dpd)
                                {
                                        fprintf(out, ", dpdaction=%N", action_names,
@@ -468,7 +468,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
                enumerator->destroy(enumerator);
        }
 
-       first = TRUE;   
+       first = TRUE;
        enumerator = charon->traps->create_enumerator(charon->traps);
        while (enumerator->enumerate(enumerator, NULL, &child_sa))
        {
@@ -480,14 +480,14 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
                log_child_sa(out, child_sa, all);
        }
        enumerator->destroy(enumerator);
-       
+
        fprintf(out, "Security Associations:\n");
        enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
        while (enumerator->enumerate(enumerator, &ike_sa))
        {
                bool ike_printed = FALSE;
                iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
-               
+
                if (name == NULL || streq(name, ike_sa->get_name(ike_sa)))
                {
                        log_ike_sa(out, ike_sa, all);
@@ -506,12 +506,12 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
                                        ike_printed = TRUE;
                                }
                                log_child_sa(out, child_sa, all);
-                       }       
+                       }
                }
                children->destroy(children);
        }
        enumerator->destroy(enumerator);
-       
+
        if (!found)
        {
                if (name)
@@ -536,14 +536,14 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
                                                                        charon->credentials, type, KEY_ANY,
                                                                        NULL, FALSE);
        certificate_t *cert;
-       
+
        while (enumerator->enumerate(enumerator, (void**)&cert))
        {
                iterator_t *iterator = list->create_iterator(list, TRUE);
                identification_t *issuer = cert->get_issuer(cert);
                bool previous_same, same = FALSE, last = TRUE;
                certificate_t *list_cert;
-               
+
                while (iterator->iterate(iterator, (void**)&list_cert))
                {
                        /* exit if we have a duplicate? */
@@ -581,7 +581,7 @@ static void list_public_key(public_key_t *public, FILE *out)
        private_key_t *private = NULL;
        chunk_t keyid;
        identification_t *id;
-       
+
        if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
        {
                id = identification_create_from_encoding(ID_KEY_ID, keyid);
@@ -610,14 +610,14 @@ static void list_public_key(public_key_t *public, FILE *out)
 static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
 {
        bool first = TRUE;
-       
+
        enumerator_t *enumerator = list->create_enumerator(list);
        certificate_t *cert;
-       
+
        while (enumerator->enumerate(enumerator, (void**)&cert))
        {
                public_key_t *public = cert->get_public_key(cert);
-               
+
                if (public)
                {
                        if (first)
@@ -627,7 +627,7 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
                                first = FALSE;
                        }
                        fprintf(out, "\n");
-                       
+
                        list_public_key(public, out);
                        public->destroy(public);
                }
@@ -638,7 +638,7 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
 /**
  * list all X.509 certificates matching the flags
  */
-static void stroke_list_certs(linked_list_t *list, char *label, 
+static void stroke_list_certs(linked_list_t *list, char *label,
                                                          x509_flag_t flags, bool utc, FILE *out)
 {
        bool first = TRUE;
@@ -650,7 +650,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
        {
                x509_t *x509 = (x509_t*)cert;
                x509_flag_t x509_flags = x509->get_flags(x509);
-               
+
                /* list only if flag is set, or flags == 0 (ignoring self-signed) */
                if ((x509_flags & flags) || (flags == (x509_flags & ~X509_SELF_SIGNED)))
                {
@@ -660,7 +660,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                        chunk_t serial, authkey;
                        time_t notBefore, notAfter;
                        public_key_t *public;
-                       
+
                        if (first)
                        {
                                fprintf(out, "\n");
@@ -668,7 +668,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                                first = FALSE;
                        }
                        fprintf(out, "\n");
-                       
+
                        /* list subjectAltNames */
                        enumerator = x509->create_subjectAltName_enumerator(x509);
                        while (enumerator->enumerate(enumerator, (void**)&altName))
@@ -689,12 +689,12 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                                fprintf(out, "\n");
                        }
                        enumerator->destroy(enumerator);
-                       
+
                        fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
                        fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
                        serial = x509->get_serial(x509);
                        fprintf(out, "  serial:    %#B\n", &serial);
-                       
+
                        /* list validity */
                        cert->get_validity(cert, &now, &notBefore, &notAfter);
                        fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
@@ -720,14 +720,14 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                                }
                                fprintf(out, " \n");
                        }
-                       
+
                        public = cert->get_public_key(cert);
                        if (public)
                        {
                                list_public_key(public, out);
                                public->destroy(public);
                        }
-                       
+
                        /* list optional authorityKeyIdentifier */
                        authkey = x509->get_authKeyIdentifier(x509);
                        if (authkey.ptr)
@@ -754,7 +754,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
                ac_t *ac = (ac_t*)cert;
                identification_t *id;
                chunk_t chunk;
-               
+
                if (first)
                {
                        fprintf(out, "\n");
@@ -762,7 +762,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
                        first = FALSE;
                }
                fprintf(out, "\n");
-               
+
                id = cert->get_subject(cert);
                if (id)
                {
@@ -799,7 +799,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
                        }
                        fprintf(out, " \n");
                }
-               
+
                /* list optional authorityKeyIdentifier */
                chunk = ac->get_authKeyIdentifier(ac);
                if (chunk.ptr)
@@ -819,12 +819,12 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
        time_t thisUpdate, nextUpdate, now = time(NULL);
        enumerator_t *enumerator = list->create_enumerator(list);
        certificate_t *cert;
-       
+
        while (enumerator->enumerate(enumerator, (void**)&cert))
        {
                crl_t *crl = (crl_t*)cert;
                chunk_t chunk;
-               
+
                if (first)
                {
                        fprintf(out, "\n");
@@ -832,21 +832,21 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
                        first = FALSE;
                }
                fprintf(out, "\n");
-               
+
                fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-               
+
                /* list optional crlNumber */
                chunk = crl->get_serial(crl);
                if (chunk.ptr)
                {
                        fprintf(out, "  serial:    %#B\n", &chunk);
                }
-               
+
                /* count the number of revoked certificates */
                {
                        int count = 0;
                        enumerator_t *enumerator = crl->create_enumerator(crl);
-                       
+
                        while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
                        {
                                count++;
@@ -855,7 +855,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
                                                        (count == 1)? "" : "s");
                        enumerator->destroy(enumerator);
                }
-               
+
                /* list validity */
                cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
                fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
@@ -873,7 +873,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
                        }
                        fprintf(out, " \n");
                }
-               
+
                /* list optional authorityKeyIdentifier */
                chunk = crl->get_authKeyIdentifier(crl);
                if (chunk.ptr)
@@ -892,7 +892,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
        bool first = TRUE;
        enumerator_t *enumerator = list->create_enumerator(list);
        certificate_t *cert;
-       
+
        while (enumerator->enumerate(enumerator, (void**)&cert))
        {
                if (first)
@@ -919,7 +919,7 @@ static void list_algs(FILE *out)
        hash_algorithm_t hash;
        pseudo_random_function_t prf;
        diffie_hellman_group_t group;
-       
+
        fprintf(out, "\n");
        fprintf(out, "List of registered IKEv2 Algorithms:\n");
        fprintf(out, "\n  encryption: ");
@@ -972,7 +972,7 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
                linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
 
                stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
-               pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy)); 
+               pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
        }
        if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
        {
@@ -1003,22 +1003,22 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
                linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
 
                stroke_list_acerts(ac_list, msg->list.utc, out);
-               ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy)); 
+               ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
        }
        if (msg->list.flags & LIST_CRLS)
        {
                linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
 
                stroke_list_crls(crl_list, msg->list.utc, out);
-               crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy)); 
+               crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
        }
        if (msg->list.flags & LIST_OCSP)
        {
                linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
 
                stroke_list_ocsp(ocsp_list, msg->list.utc, out);
-               
-               ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy)); 
+
+               ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
        }
        if (msg->list.flags & LIST_ALGS)
        {
@@ -1038,7 +1038,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
        host_t *lease;
        bool on;
        int found = 0;
-       
+
        fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n",
                        pool, online + offline, size, online);
        enumerator = this->attribute->create_lease_enumerator(this->attribute, pool);
@@ -1068,12 +1068,12 @@ static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
        host_t *address = NULL;
        char *pool;
        int found = 0;
-       
+
        if (msg->leases.address)
        {
                address = host_create_from_string(msg->leases.address, 0);
        }
-       
+
        enumerator = this->attribute->create_pool_enumerator(this->attribute);
        while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
        {
@@ -1112,15 +1112,15 @@ static void destroy(private_stroke_list_t *this)
 stroke_list_t *stroke_list_create(stroke_attribute_t *attribute)
 {
        private_stroke_list_t *this = malloc_thing(private_stroke_list_t);
-       
+
        this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list;
        this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status;
        this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases;
        this->public.destroy = (void(*)(stroke_list_t*))destroy;
-       
+
        this->uptime = time_monotonic(NULL);
        this->attribute = attribute;
-       
+
        return &this->public;
 }
 
index 2430abfbb3e78cf359831518939cad9f5a8d8e8f..b5bedc6c25a11c69bb0140aca66a6aaee349f7cb 100644 (file)
@@ -40,7 +40,7 @@ struct stroke_list_t {
         * @param out           stroke console stream
         */
        void (*list)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
-       
+
        /**
         * Log status information to stroke console.
         *
@@ -49,7 +49,7 @@ struct stroke_list_t {
         * @param all           TRUE for "statusall"
         */
        void (*status)(stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all);
-       
+
        /**
         * Log pool leases to stroke console.
         *
@@ -57,7 +57,7 @@ struct stroke_list_t {
         * @param out           stroke console stream
         */
        void (*leases)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
-       
+
        /**
         * Destroy a stroke_list instance.
         */
index 22c1125a1ea128fbbfb00cf441e4c8013e7ae9b5..61ae1095389e7679376c0811c48a937e8e011c84 100644 (file)
@@ -29,7 +29,7 @@ struct private_stroke_plugin_t {
         * public functions
         */
        stroke_plugin_t public;
-       
+
        /**
         * stroke socket, receives strokes
         */
@@ -51,9 +51,9 @@ static void destroy(private_stroke_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        this->socket = stroke_socket_create();
        if (this->socket == NULL)
        {
index 6e9d556ad35a5f350ff6e618a551fb809d65f8e0..3a1e81df6378bda3ac8a2239ea4fef70f19f0c0d 100644 (file)
@@ -20,7 +20,7 @@
  * @defgroup stroke_plugin stroke_plugin
  * @{ @ingroup stroke
  */
+
 #ifndef STROKE_PLUGIN_H_
 #define STROKE_PLUGIN_H_
 
index 8f53f509d5eab728fa4565d2e1ad673e984030ca..4f716e83a4495f5d2335980ad4a5dcf9b38c88f9 100644 (file)
@@ -28,7 +28,7 @@ struct private_stroke_shared_key_t {
         * implements shared_key_t
         */
        stroke_shared_key_t public;
-       
+
        /**
         * type of this key
         */
@@ -43,7 +43,7 @@ struct private_stroke_shared_key_t {
         * list of key owners, as identification_t
         */
        linked_list_t *owners;
-       
+
        /**
         * reference counter
         */
@@ -73,8 +73,8 @@ static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this)
 static chunk_t get_key(private_stroke_shared_key_t *this)
 {
        return this->key;
-}      
-       
+}
+
 /**
  * Implementation of stroke_shared_key_t.has_owner.
  */
@@ -83,7 +83,7 @@ static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t
        enumerator_t *enumerator;
        id_match_t match, best = ID_MATCH_NONE;
        identification_t *current;
-       
+
        enumerator = this->owners->create_enumerator(this->owners);
        while (enumerator->enumerate(enumerator, &current))
        {
@@ -135,6 +135,6 @@ stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t ke
        this->type = type;
        this->key = key;
        this->ref = 1;
-       
+
        return &this->public;
 }
index 2240621007b636cd7176397284931d322258b5c3..05ad550833eaab6323ae8d11b30ed735b6cc8ba6 100644 (file)
@@ -35,21 +35,21 @@ struct stroke_shared_key_t {
         * Implements the shared_key_t interface.
         */
        shared_key_t shared;
-       
+
        /**
         * Add an owner to the key.
         *
         * @param owner         owner to add
         */
        void (*add_owner)(stroke_shared_key_t *this, identification_t *owner);
-       
+
        /**
         * Check if a key has a specific owner.
         *
         * @param owner         owner to check
         * @return                      best match found
         */
-       id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner);    
+       id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner);
 };
 
 /**
index f420266cd866af793f851ee815216e41eda6d169..7ae00d118bbf50c99519b5229273f130a4190f2e 100644 (file)
@@ -48,42 +48,42 @@ struct private_stroke_socket_t {
         * public functions
         */
        stroke_socket_t public;
-               
+
        /**
         * Unix socket to listen for strokes
         */
        int socket;
-       
+
        /**
         * job accepting stroke messages
         */
        callback_job_t *job;
-       
+
        /**
         * configuration backend
         */
        stroke_config_t *config;
-       
+
        /**
         * attribute provider
         */
        stroke_attribute_t *attribute;
-       
+
        /**
         * controller to control daemon
         */
        stroke_control_t *control;
-       
+
        /**
         * credential set
         */
        stroke_cred_t *cred;
-       
+
        /**
         * CA sections
         */
        stroke_ca_t *ca;
-       
+
        /**
         * Status information logging
         */
@@ -99,7 +99,7 @@ struct stroke_job_context_t {
         * file descriptor to read from
         */
        int fd;
-       
+
        /**
         * global stroke interface
         */
@@ -152,7 +152,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
        pop_string(msg, &end->ca2);
        pop_string(msg, &end->groups);
        pop_string(msg, &end->updown);
-       
+
        DBG2(DBG_CFG, "  %s=%s", label, end->address);
        DBG2(DBG_CFG, "  %ssubnet=%s", label, end->subnets);
        DBG2(DBG_CFG, "  %ssourceip=%s", label, end->sourceip);
@@ -202,7 +202,7 @@ static void stroke_del_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 {
        pop_string(msg, &msg->del_conn.name);
        DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name);
-       
+
        this->config->del(this->config, msg);
        this->attribute->del_pool(this->attribute, msg);
 }
@@ -214,7 +214,7 @@ static void stroke_initiate(private_stroke_socket_t *this, stroke_msg_t *msg, FI
 {
        pop_string(msg, &msg->initiate.name);
        DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
-       
+
        this->control->initiate(this->control, msg, out);
 }
 
@@ -227,7 +227,7 @@ static void stroke_terminate(private_stroke_socket_t *this, stroke_msg_t *msg, F
        DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
 
        this->control->terminate(this->control, msg, out);
-}      
+}
 
 /**
  * terminate a connection by peers virtual IP
@@ -250,7 +250,7 @@ static void stroke_route(private_stroke_socket_t *this, stroke_msg_t *msg, FILE
 {
        pop_string(msg, &msg->route.name);
        DBG1(DBG_CFG, "received stroke: route '%s'", msg->route.name);
-       
+
        this->control->route(this->control, msg, out);
 }
 
@@ -261,7 +261,7 @@ static void stroke_unroute(private_stroke_socket_t *this, stroke_msg_t *msg, FIL
 {
        pop_string(msg, &msg->terminate.name);
        DBG1(DBG_CFG, "received stroke: unroute '%s'", msg->route.name);
-       
+
        this->control->unroute(this->control, msg, out);
 }
 
@@ -287,7 +287,7 @@ static void stroke_add_ca(private_stroke_socket_t *this,
        DBG2(DBG_CFG, "  ocspuri=%s",     msg->add_ca.ocspuri);
        DBG2(DBG_CFG, "  ocspuri2=%s",    msg->add_ca.ocspuri2);
        DBG2(DBG_CFG, "  certuribase=%s", msg->add_ca.certuribase);
-       
+
        this->ca->add(this->ca, msg);
 }
 
@@ -299,7 +299,7 @@ static void stroke_del_ca(private_stroke_socket_t *this,
 {
        pop_string(msg, &msg->del_ca.name);
        DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name);
-       
+
        this->ca->del(this->ca, msg);
 }
 
@@ -311,7 +311,7 @@ static void stroke_status(private_stroke_socket_t *this,
                                                  stroke_msg_t *msg, FILE *out, bool all)
 {
        pop_string(msg, &(msg->status.name));
-       
+
        this->list->status(this->list, msg, out, all);
 }
 
@@ -361,7 +361,7 @@ static void stroke_leases(private_stroke_socket_t *this,
 {
        pop_string(msg, &msg->leases.pool);
        pop_string(msg, &msg->leases.address);
-       
+
        this->list->leases(this->list, msg, out);
 }
 
@@ -390,11 +390,11 @@ static void stroke_loglevel(private_stroke_socket_t *this,
        sys_logger_t *sys_logger;
        file_logger_t *file_logger;
        debug_t group;
-       
+
        pop_string(msg, &(msg->loglevel.type));
        DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
                 msg->loglevel.level, msg->loglevel.type);
-       
+
        group = get_group_from_name(msg->loglevel.type);
        if (group < 0)
        {
@@ -448,7 +448,7 @@ static job_requeue_t process(stroke_job_context_t *ctx)
        FILE *out;
        private_stroke_socket_t *this = ctx->this;
        int strokefd = ctx->fd;
-       
+
        /* peek the length */
        bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
        if (bytes_read != sizeof(msg_length))
@@ -457,7 +457,7 @@ static job_requeue_t process(stroke_job_context_t *ctx)
                         strerror(errno));
                return JOB_REQUEUE_NONE;
        }
-       
+
        /* read message */
        msg = alloca(msg_length);
        bytes_read = recv(strokefd, msg, msg_length, 0);
@@ -466,16 +466,16 @@ static job_requeue_t process(stroke_job_context_t *ctx)
                DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
                return JOB_REQUEUE_NONE;
        }
-       
+
        out = fdopen(strokefd, "w+");
        if (out == NULL)
        {
                DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno));
                return JOB_REQUEUE_NONE;
        }
-       
+
        DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
-       
+
        switch (msg->type)
        {
                case STR_INITIATE:
@@ -550,24 +550,24 @@ static job_requeue_t receive(private_stroke_socket_t *this)
        int oldstate;
        callback_job_t *job;
        stroke_job_context_t *ctx;
-       
+
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
        strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
        pthread_setcancelstate(oldstate, NULL);
-       
+
        if (strokefd < 0)
        {
                DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
                return JOB_REQUEUE_FAIR;
        }
-       
+
        ctx = malloc_thing(stroke_job_context_t);
        ctx->fd = strokefd;
        ctx->this = this;
        job = callback_job_create((callback_job_cb_t)process,
                                                          ctx, (void*)stroke_job_context_destroy, this->job);
        charon->processor->queue_job(charon->processor, (job_t*)job);
-       
+
        return JOB_REQUEUE_FAIR;
 }
 
@@ -582,7 +582,7 @@ static bool open_socket(private_stroke_socket_t *this)
 
        socket_addr.sun_family = AF_UNIX;
        strcpy(socket_addr.sun_path, STROKE_SOCKET);
-       
+
        /* set up unix socket */
        this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
        if (this->socket == -1)
@@ -590,7 +590,7 @@ static bool open_socket(private_stroke_socket_t *this)
                DBG1(DBG_CFG, "could not create stroke socket");
                return FALSE;
        }
-       
+
        unlink(socket_addr.sun_path);
        old = umask(~(S_IRWXU | S_IRWXG));
        if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
@@ -605,7 +605,7 @@ static bool open_socket(private_stroke_socket_t *this)
                DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
                         strerror(errno));
        }
-       
+
        if (listen(this->socket, 10) < 0)
        {
                DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno));
@@ -641,31 +641,31 @@ static void destroy(private_stroke_socket_t *this)
 stroke_socket_t *stroke_socket_create()
 {
        private_stroke_socket_t *this = malloc_thing(private_stroke_socket_t);
-       
+
        this->public.destroy = (void(*)(stroke_socket_t*))destroy;
-       
+
        if (!open_socket(this))
        {
                free(this);
                return NULL;
        }
-       
+
        this->cred = stroke_cred_create();
        this->attribute = stroke_attribute_create();
        this->ca = stroke_ca_create(this->cred);
        this->config = stroke_config_create(this->ca, this->cred);
        this->control = stroke_control_create();
        this->list = stroke_list_create(this->attribute);
-       
+
        charon->credentials->add_set(charon->credentials, &this->ca->set);
        charon->credentials->add_set(charon->credentials, &this->cred->set);
        charon->backends->add_backend(charon->backends, &this->config->backend);
        charon->attributes->add_provider(charon->attributes, &this->attribute->provider);
-       
+
        this->job = callback_job_create((callback_job_cb_t)receive,
                                                                        this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        return &this->public;
 }
 
index 6073f51331ccb724c27f7968e076f67eb63d1ef8..ae548167783acfbd71d28727fbf1163392f01602 100644 (file)
@@ -27,7 +27,7 @@ typedef struct stroke_socket_t stroke_socket_t;
  * Stroke socket, opens UNIX communication socket, reads and dispatches.
  */
 struct stroke_socket_t {
-               
+
        /**
      * Destroy a stroke_socket instance.
      */
index e81e49af79d09573a7e329e3fdedbde7d65ddcfa..d53d057503be408b2aa1de3050be6b4659d8edb7 100644 (file)
@@ -34,7 +34,7 @@ struct private_uci_config_t {
         * Public part
         */
        uci_config_t public;
-       
+
        /**
         * UCI parser context
         */
@@ -59,7 +59,7 @@ typedef struct {
 static proposal_t *create_proposal(char *string, protocol_id_t proto)
 {
        proposal_t *proposal = NULL;
-       
+
        if (string)
        {
                proposal = proposal_create_from_string(proto, string);
@@ -68,12 +68,12 @@ static proposal_t *create_proposal(char *string, protocol_id_t proto)
        {       /* UCI default is aes/sha1 only */
                if (proto == PROTO_IKE)
                {
-                       proposal = proposal_create_from_string(proto, 
+                       proposal = proposal_create_from_string(proto,
                                                                "aes128-aes192-aes256-sha1-modp1536-modp2048");
                }
                else
                {
-                       proposal = proposal_create_from_string(proto, 
+                       proposal = proposal_create_from_string(proto,
                                                                "aes128-aes192-aes256-sha1");
                }
        }
@@ -90,7 +90,7 @@ static traffic_selector_t *create_ts(char *string)
                int netbits = 32;
                host_t *net;
                char *pos;
-               
+
                string = strdupa(string);
                pos = strchr(string, '/');
                if (pos)
@@ -120,7 +120,7 @@ static traffic_selector_t *create_ts(char *string)
 static u_int create_rekey(char *string)
 {
        u_int rekey = 0;
-       
+
        if (string)
        {
                rekey = atoi(string);
@@ -151,7 +151,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
                        .jitter = 300
                }
        };
-       
+
        /* defaults */
        name = "unnamed";
        local_id = NULL;
@@ -164,7 +164,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
        esp_proposal = NULL;
        ike_rekey = NULL;
        esp_rekey = NULL;
-       
+
        if (this->inner->enumerate(this->inner, &name, &local_id, &remote_id,
                        &local_addr, &remote_addr, &local_net, &remote_net,
                        &ike_proposal, &esp_proposal, &ike_rekey, &esp_rekey))
@@ -184,7 +184,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
                auth->add(auth, AUTH_RULE_IDENTITY,
                                  identification_create_from_string(local_id));
                this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, TRUE);
-               
+
                auth = auth_cfg_create();
                auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
                if (remote_id)
@@ -193,7 +193,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
                                          identification_create_from_string(remote_id));
                }
                this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
-               
+
                child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
                                                                         ACTION_NONE, ACTION_NONE, FALSE);
                child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
@@ -220,15 +220,15 @@ static void peer_enumerator_destroy(peer_enumerator_t *this)
  * Implementation of backend_t.create_peer_cfg_enumerator.
  */
 static enumerator_t* create_peer_cfg_enumerator(private_uci_config_t *this,
-                                                                                               identification_t *me, 
+                                                                                               identification_t *me,
                                                                                                identification_t *other)
 {
        peer_enumerator_t *e = malloc_thing(peer_enumerator_t);
-       
+
        e->public.enumerate = (void*)peer_enumerator_enumerate;
        e->public.destroy = (void*)peer_enumerator_destroy;
        e->peer_cfg = NULL;
-       e->inner = this->parser->create_section_enumerator(this->parser, 
+       e->inner = this->parser->create_section_enumerator(this->parser,
                                        "local_id", "remote_id", "local_addr", "remote_addr",
                                        "local_net", "remote_net", "ike_proposal", "esp_proposal",
                                        "ike_rekey", "esp_rekey", NULL);
@@ -258,12 +258,12 @@ typedef struct {
 static bool ike_enumerator_enumerate(ike_enumerator_t *this, ike_cfg_t **cfg)
 {
        char *local_addr, *remote_addr, *ike_proposal;
-       
+
        /* defaults */
        local_addr = "0.0.0.0";
        remote_addr = "0.0.0.0";
        ike_proposal = NULL;
-       
+
        if (this->inner->enumerate(this->inner, NULL,
                                                           &local_addr, &remote_addr, &ike_proposal))
        {
@@ -295,11 +295,11 @@ static enumerator_t* create_ike_cfg_enumerator(private_uci_config_t *this,
                                                                                           host_t *me, host_t *other)
 {
        ike_enumerator_t *e = malloc_thing(ike_enumerator_t);
-       
+
        e->public.enumerate = (void*)ike_enumerator_enumerate;
        e->public.destroy = (void*)ike_enumerator_destroy;
        e->ike_cfg = NULL;
-       e->inner = this->parser->create_section_enumerator(this->parser, 
+       e->inner = this->parser->create_section_enumerator(this->parser,
                                                        "local_addr", "remote_addr", "ike_proposal", NULL);
        if (!e->inner)
        {
@@ -316,7 +316,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_uci_config_t *this, char *name)
 {
        enumerator_t *enumerator;
        peer_cfg_t *current, *found = NULL;
-               
+
        enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
        if (enumerator)
        {
index eac05b1df4704859d745567a13413f9acd834d3e..130f15d85c828550c67d375c5c29793e49ba9994 100644 (file)
@@ -37,11 +37,11 @@ struct uci_config_t {
         * Implements backend_t interface
         */
        backend_t backend;
-       
+
        /**
         * Destroy the backend.
         */
-       void (*destroy)(uci_config_t *this);    
+       void (*destroy)(uci_config_t *this);
 };
 
 /**
index f74224fa70e8694fd4e8e72f6da6b85daffa9522..9bfc4eceecefe49ef190efcb843c345ecda8db16 100644 (file)
@@ -37,14 +37,14 @@ typedef struct private_uci_control_t private_uci_control_t;
  * private data of uci_control_t
  */
 struct private_uci_control_t {
-       
+
        /**
         * Public part
         */
        uci_control_t public;
-       
+
        /**
-        * Job 
+        * Job
         */
        callback_job_t *job;
 };
@@ -56,7 +56,7 @@ static void write_fifo(private_uci_control_t *this, char *format, ...)
 {
        va_list args;
        FILE *out;
-       
+
        out = fopen(FIFO_FILE, "w");
        if (out)
        {
@@ -83,7 +83,7 @@ static void status(private_uci_control_t *this, char *name)
        peer_cfg_t *peer_cfg;
        char buf[2048];
        FILE *out = NULL;
-       
+
        configs = charon->backends->create_peer_cfg_enumerator(charon->backends,
                                                                                                                NULL, NULL, NULL, NULL);
        while (configs->enumerate(configs, &peer_cfg))
@@ -109,7 +109,7 @@ static void status(private_uci_control_t *this, char *name)
                        }
                        fprintf(out, "%-8s %-20D %-16H ", ike_sa->get_name(ike_sa),
                                ike_sa->get_other_id(ike_sa), ike_sa->get_other_host(ike_sa));
-                       
+
                        children = ike_sa->create_child_sa_iterator(ike_sa);
                        while (children->iterate(children, (void**)&child_sa))
                        {
@@ -141,7 +141,7 @@ static void initiate(private_uci_control_t *this, char *name)
        peer_cfg_t *peer_cfg;
        child_cfg_t *child_cfg;
        enumerator_t *enumerator;
-       
+
        peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, name);
        if (peer_cfg)
        {
@@ -173,7 +173,7 @@ static void terminate(private_uci_control_t *this, char *name)
        enumerator_t *enumerator;
        ike_sa_t *ike_sa;
        u_int id;
-       
+
        enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
        while (enumerator->enumerate(enumerator, &ike_sa))
        {
@@ -197,7 +197,7 @@ static void terminate(private_uci_control_t *this, char *name)
 static void process(private_uci_control_t *this, char *message)
 {
        enumerator_t* enumerator;
-       
+
        enumerator = enumerator_create_token(message, " \n", "");
        if (enumerator->enumerate(enumerator, &message))
        {
@@ -217,7 +217,7 @@ static void process(private_uci_control_t *this, char *message)
                {
                        initiate(this, message);
                }
-               else if (streq(message, "down") && 
+               else if (streq(message, "down") &&
                                 enumerator->enumerate(enumerator, &message))
                {
                        terminate(this, message);
@@ -239,7 +239,7 @@ static job_requeue_t receive(private_uci_control_t *this)
        char message[128];
        int oldstate, len;
        FILE *in;
-       
+
        memset(message, 0, sizeof(message));
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
        in = fopen(FIFO_FILE, "r");
@@ -280,9 +280,9 @@ static void destroy(private_uci_control_t *this)
 uci_control_t *uci_control_create()
 {
        private_uci_control_t *this = malloc_thing(private_uci_control_t);
-       
+
        this->public.destroy = (void(*)(uci_control_t*))destroy;
-       
+
        unlink(FIFO_FILE);
        if (mkfifo(FIFO_FILE, S_IRUSR|S_IWUSR) != 0)
        {
index 527ed82e707ec00bec431811243f4e5b14833eac..794220aa1de6a228d3bece3842902be31f48f97d 100644 (file)
@@ -27,7 +27,7 @@ typedef struct uci_control_t uci_control_t;
  * UCI control interface, uses a simple FIFO file
  */
 struct uci_control_t {
-       
+
        /**
         * Destroy the controller
         */
index 05bc6e109e711cf5b1cc03a852f565daffa014a9..4d664feb25fbbc805ac1881fbf07f8f0adcac624 100644 (file)
@@ -31,7 +31,7 @@ struct private_uci_creds_t {
         * Public part
         */
        uci_creds_t public;
-       
+
        /**
         * UCI parser context
         */
@@ -66,7 +66,7 @@ static bool shared_enumerator_enumerate(shared_enumerator_t *this,
                local_id = "%any";
                remote_id = "%any";
                psk = NULL;
-               
+
                if (!this->inner->enumerate(this->inner, NULL,
                                                                        &local_id, &remote_id, &psk))
                {
@@ -122,23 +122,23 @@ static void shared_enumerator_destroy(shared_enumerator_t *this)
  */
 static enumerator_t* create_shared_enumerator(private_uci_creds_t *this,
                                                                                          shared_key_type_t type,
-                                                                                         identification_t *me, 
+                                                                                         identification_t *me,
                                                                                          identification_t *other)
 {
        shared_enumerator_t *e;
-       
+
        if (type != SHARED_IKE)
        {
                return NULL;
        }
-       
+
        e = malloc_thing(shared_enumerator_t);
        e->current = NULL;
        e->public.enumerate = (void*)shared_enumerator_enumerate;
        e->public.destroy = (void*)shared_enumerator_destroy;
        e->me = me;
        e->other = other;
-       e->inner = this->parser->create_section_enumerator(this->parser, 
+       e->inner = this->parser->create_section_enumerator(this->parser,
                                                                "local_id", "remote_id", "psk", NULL);
        if (!e->inner)
        {
@@ -166,7 +166,7 @@ uci_creds_t *uci_creds_create(uci_parser_t *parser)
        this->public.credential_set.create_cdp_enumerator  = (enumerator_t*(*) (credential_set_t *,certificate_type_t, identification_t *))return_null;
        this->public.credential_set.cache_cert = (void (*)(credential_set_t *, certificate_t *))nop;
        this->public.destroy = (void(*) (uci_creds_t*))destroy;
-       
+
        this->parser = parser;
 
        return &this->public;
index de50984a9254ee3c4bd2eb5880a8d94d433f5fb6..a283ed9f57e48e213fcc7fb7073c3ba0b7064e33 100644 (file)
@@ -37,11 +37,11 @@ struct uci_creds_t {
         * Implements credential set interface.
         */
        credential_set_t credential_set;
-       
+
        /**
         * Destroy the backend.
         */
-       void (*destroy)(uci_creds_t *this);     
+       void (*destroy)(uci_creds_t *this);
 };
 
 /**
index f994e36f7be5b7759a44fa44e2a827eb1be2a1f7..76019a3b4a621a015e1f16340d8a1ee580175490 100644 (file)
@@ -32,7 +32,7 @@ struct private_uci_parser_t {
         * Public part
         */
        uci_parser_t public;
-       
+
        /**
         * UCI package name this parser reads
         */
@@ -66,12 +66,12 @@ static bool section_enumerator_enumerate(section_enumerator_t *this, ...)
        char **value;
        va_list args;
        int i;
-       
+
        if (&this->current->list == this->list)
        {
                return FALSE;
        }
-       
+
        va_start(args, this);
 
        value = va_arg(args, char**);
@@ -87,7 +87,7 @@ static bool section_enumerator_enumerate(section_enumerator_t *this, ...)
                        *value = uci_to_section(this->current)->type;
                }
        }
-       
+
        /* followed by keyword parameters */
        for (i = 0; this->keywords[i]; i++)
        {
@@ -99,7 +99,7 @@ static bool section_enumerator_enumerate(section_enumerator_t *this, ...)
                }
        }
        va_end(args);
-       
+
        this->current = list_to_element(this->current->list.next);
        return TRUE;
 }
@@ -121,7 +121,7 @@ static enumerator_t* create_section_enumerator(private_uci_parser_t *this, ...)
        section_enumerator_t *e;
        va_list args;
        int i;
-       
+
        /* allocate enumerator large enought to hold keyword pointers */
        i = 1;
        va_start(args, this);
@@ -133,16 +133,16 @@ static enumerator_t* create_section_enumerator(private_uci_parser_t *this, ...)
        e = malloc(sizeof(section_enumerator_t) + sizeof(char*) * i);
        i = 0;
        va_start(args, this);
-       do 
+       do
        {
                e->keywords[i] = va_arg(args, char*);
        }
        while (e->keywords[i++]);
        va_end(args);
-       
+
        e->public.enumerate = (void*)section_enumerator_enumerate;
        e->public.destroy = (void*)section_enumerator_destroy;
-       
+
        /* load uci context */
        e->ctx = uci_alloc_context();
        if (uci_load(e->ctx, this->package, &e->package) != UCI_OK)
@@ -178,9 +178,9 @@ uci_parser_t *uci_parser_create(char *package)
 
        this->public.create_section_enumerator = (enumerator_t*(*)(uci_parser_t*, ...))create_section_enumerator;
        this->public.destroy = (void(*)(uci_parser_t*))destroy;
-       
+
        this->package = strdup(package);
-       
+
        return &this->public;
 }
 
index ef3d7b0f5c2f01518b2119d24ed93e3a44f6f6eb..7217e507a6df453d55d0e76433ebde45749bd933 100644 (file)
@@ -41,11 +41,11 @@ struct uci_parser_t {
         * @return                      enumerator over sections
         */
        enumerator_t* (*create_section_enumerator)(uci_parser_t *this, ...);
-       
+
        /**
         * Destroy the parser.
         */
-       void (*destroy)(uci_parser_t *this);    
+       void (*destroy)(uci_parser_t *this);
 };
 
 /**
index 3ab4c92f8902c00802db286b8fe0894265efb8d3..2a79b91091e90c98273ff4c6dba061d22c8bde62 100644 (file)
@@ -36,17 +36,17 @@ struct private_uci_plugin_t {
         * implements plugin interface
         */
        uci_plugin_t public;
-       
+
        /**
         * UCI configuration backend
         */
        uci_config_t *config;
-       
+
        /**
         * UCI credential set implementation
         */
        uci_creds_t *creds;
-       
+
        /**
         * UCI parser wrapper
         */
@@ -78,16 +78,16 @@ static void destroy(private_uci_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_uci_plugin_t *this = malloc_thing(private_uci_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        this->parser = uci_parser_create(UCI_PACKAGE);
        this->config = uci_config_create(this->parser);
        this->creds = uci_creds_create(this->parser);
        this->control = uci_control_create();
        charon->backends->add_backend(charon->backends, &this->config->backend);
        charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
-       
+
        return &this->public.plugin;
 }
 
index b99940c1a1b38dbde36ef4b5a53570436caca544..96313d39022e73ea89738062d7e6b3ebb042b7aa 100644 (file)
@@ -14,7 +14,7 @@
  */
 
 /**
- * @defgroup tests tests 
+ * @defgroup tests tests
  * @{ @ingroup unit_tester
  */
 
index fd76b9cf551d62aa0c08d094e847fcaa741de2c4..21cb8b7778677c196dae2af087c32426bbd48d9c 100644 (file)
@@ -25,14 +25,14 @@ bool test_agent()
        chunk_t sig, data = chunk_from_buf(buf);
        private_key_t *private;
        public_key_t *public;
-       
+
        path = getenv("SSH_AUTH_SOCK");
        if (!path)
        {
                DBG1(DBG_CFG, "ssh-agent not found.");
                return FALSE;
        }
-       
+
        private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                                 BUILD_AGENT_SOCKET, path, BUILD_END);
        if (!private)
@@ -58,10 +58,10 @@ bool test_agent()
        {
                return FALSE;
        }
-       
+
        private->destroy(private);
        public->destroy(public);
-       
+
        return TRUE;
 }
 
index 37bdd10879a78cc57477ddccb8e797559c99f4c9..6de34b2a15eb9cb38a668716928f501ebadcccd3 100644 (file)
@@ -83,7 +83,7 @@ bool test_auth_cfg()
        int round = 0;
        void *value;
        auth_rule_t type;
-       
+
        c1 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                        BUILD_BLOB_ASN1_DER, certchunk,
                                                        BUILD_END);
@@ -91,7 +91,7 @@ bool test_auth_cfg()
        {
                return FALSE;
        }
-       
+
        auth->add(auth, AUTH_RULE_SUBJECT_CERT, c1->get_ref(c1));
        c2 = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
        if (!c2)
@@ -102,7 +102,7 @@ bool test_auth_cfg()
        {
                return FALSE;
        }
-       
+
        enumerator = auth->create_enumerator(auth);
        while (enumerator->enumerate(enumerator, &type, &value))
        {
@@ -114,11 +114,11 @@ bool test_auth_cfg()
                return FALSE;
        }
        enumerator->destroy(enumerator);
-       
+
        auth2 = auth_cfg_create();
        auth2->add(auth2, AUTH_RULE_CA_CERT, c1->get_ref(c1));
        auth2->merge(auth2, auth, FALSE);
-       
+
        round = 0;
        enumerator = auth2->create_enumerator(auth2);
        while (enumerator->enumerate(enumerator, &type, &value))
index 95ab289df7654c1e314714eb918a3f5be2900217..3b00421f8cdb7aeeb6efccf6c6018f77d8b1dc56 100644 (file)
@@ -28,10 +28,10 @@ bool test_cert_x509()
        identification_t *issuer, *subject;
        u_int32_t serial = htonl(0);
        chunk_t encoding;
-       
+
        issuer = identification_create_from_string("CN=CA, OU=Test, O=strongSwan");
        subject = identification_create_from_string("CN=Peer, OU=Test, O=strongSwan");
-       
+
        ca_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                BUILD_KEY_SIZE, 1024, BUILD_END);
        peer_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
@@ -50,7 +50,7 @@ bool test_cert_x509()
        {
                return FALSE;
        }
-       
+
        encoding = ca_cert->get_encoding(ca_cert);
        parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                BUILD_BLOB_ASN1_DER, encoding,
@@ -65,7 +65,7 @@ bool test_cert_x509()
                return FALSE;
        }
        parsed->destroy(parsed);
-       
+
        serial = htonl(ntohl(serial) + 1);
        public = peer_key->get_public_key(peer_key);
        peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -80,7 +80,7 @@ bool test_cert_x509()
        {
                return FALSE;
        }
-       
+
        encoding = peer_cert->get_encoding(peer_cert);
        parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                BUILD_BLOB_ASN1_DER, encoding,
@@ -95,7 +95,7 @@ bool test_cert_x509()
                return FALSE;
        }
        parsed->destroy(parsed);
-       
+
        ca_cert->destroy(ca_cert);
        ca_key->destroy(ca_key);
        peer_cert->destroy(peer_cert);
index 5356c1d968fac732be78864a90b27eeb8a104921..2e0905b2c46a4ab5621019e2ec46e54fbd2b491a 100644 (file)
@@ -31,12 +31,12 @@ bool test_chunk_base64()
         * BASE64("fooba") = "Zm9vYmE="
         * BASE64("foobar") = "Zm9vYmFy"
         */
-       
+
        typedef struct {
                char *in;
                char *out;
        } testdata_t;
-       
+
        testdata_t test[] = {
                {"", ""},
                {"f", "Zg=="},
@@ -47,31 +47,31 @@ bool test_chunk_base64()
                {"foobar", "Zm9vYmFy"},
        };
        int i;
-       
+
        for (i = 0; i < countof(test); i++)
        {
                chunk_t out;
-               
+
                out = chunk_to_base64(chunk_create(test[i].in, strlen(test[i].in)), NULL);
-               
+
                if (!streq(out.ptr, test[i].out))
                {
-                       DBG1(DBG_CFG, "base64 conversion error - should %s, is %s", 
+                       DBG1(DBG_CFG, "base64 conversion error - should %s, is %s",
                                test[i].out, out.ptr);
                        return FALSE;
                }
                free(out.ptr);
        }
-       
+
        for (i = 0; i < countof(test); i++)
        {
                chunk_t out;
-               
+
                out = chunk_from_base64(chunk_create(test[i].out, strlen(test[i].out)), NULL);
-               
+
                if (!strneq(out.ptr, test[i].in, out.len))
                {
-                       DBG1(DBG_CFG, "base64 conversion error - should %s, is %#B", 
+                       DBG1(DBG_CFG, "base64 conversion error - should %s, is %#B",
                                test[i].in, &out);
                        return FALSE;
                }
index c011617a7995aedba7ab2e0dd10d7c378319b568..21656a94e3bb061789cc005af6a2dfb5d85777b4 100644 (file)
 bool test_curl_get()
 {
        chunk_t chunk;
-       
+
        if (lib->fetcher->fetch(lib->fetcher, "http://www.strongswan.org",
                                                        &chunk, FETCH_END) != SUCCESS)
        {
                return FALSE;
        }
        free(chunk.ptr);
-       
+
        if (lib->fetcher->fetch(lib->fetcher, "http://www.google.com",
                                                        &chunk, FETCH_END) != SUCCESS)
        {
index 6898084fcfbcc0fab8481394df0ac322bdae30a6..edbf0f5bb269ddd93b6e51dbba6e5138a3b3a893 100644 (file)
@@ -23,7 +23,7 @@ bool test_list_remove()
 {
        void *a = (void*)1, *b = (void*)2;
        linked_list_t *list;
-       
+
        list = linked_list_create();
        list->insert_last(list, a);
        if (list->remove(list, a, NULL) != 1)
@@ -67,15 +67,15 @@ bool test_enumerate()
        void *a = (void*)4, *b = (void*)3, *c = (void*)2, *d = (void*)5, *e = (void*)1;
        linked_list_t *list;
        enumerator_t *enumerator;
-       
+
        list = linked_list_create();
-       
+
        list->insert_last(list, a);
        list->insert_first(list, b);
        list->insert_first(list, c);
        list->insert_last(list, d);
        list->insert_first(list, e);
-       
+
        round = 1;
        enumerator = list->create_enumerator(list);
        while (enumerator->enumerate(enumerator, &x))
@@ -87,7 +87,7 @@ bool test_enumerate()
                round++;
        }
        enumerator->destroy(enumerator);
-       
+
        list->destroy(list);
        return TRUE;
 }
@@ -122,7 +122,7 @@ bool test_enumerate_nested()
        void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
        linked_list_t *list, *l1, *l2, *l3;
        enumerator_t *enumerator;
-       
+
        bad_data = FALSE;
        list = linked_list_create();
        l1 = linked_list_create();
@@ -131,13 +131,13 @@ bool test_enumerate_nested()
        list->insert_last(list, l1);
        list->insert_last(list, l2);
        list->insert_last(list, l3);
-       
+
        l1->insert_last(l1, a);
        l1->insert_last(l1, b);
        l3->insert_last(l3, c);
        l3->insert_last(l3, d);
        l3->insert_last(l3, e);
-       
+
        round = 1;
        enumerator = enumerator_create_nested(list->create_enumerator(list),
                                        (void*)create_inner, (void*)101, destroy_data);
@@ -150,7 +150,7 @@ bool test_enumerate_nested()
                round++;
        }
        enumerator->destroy(enumerator);
-       
+
        list->destroy(list);
        l1->destroy(l1);
        l2->destroy(l2);
@@ -185,16 +185,16 @@ bool test_enumerate_filtered()
        void *a = (void*)1, *b = (void*)2, *c = (void*)3, *d = (void*)4, *e = (void*)5;
        linked_list_t *list;
        enumerator_t *enumerator;
-       
+
        bad_data = FALSE;
        list = linked_list_create();
-       
+
        list->insert_last(list, a);
        list->insert_last(list, b);
        list->insert_last(list, c);
        list->insert_last(list, d);
        list->insert_last(list, e);
-       
+
        round = 1;
        enumerator = enumerator_create_filter(list->create_enumerator(list),
                                                                        (void*)filter, (void*)101, destroy_data);
@@ -208,7 +208,7 @@ bool test_enumerate_filtered()
                round++;
        }
        enumerator->destroy(enumerator);
-       
+
        list->destroy(list);
        return !bad_data;
 }
@@ -216,7 +216,7 @@ bool test_enumerate_filtered()
 /*******************************************************************************
  * token parser test
  ******************************************************************************/
+
 bool test_enumerate_token()
 {
        enumerator_t *enumerator;
@@ -240,7 +240,7 @@ bool test_enumerate_token()
                {"a.b,c", ",.", ""},
                {"  a   b  c  ", " ", " "},
        };
-       
+
        for (num = 0; num < countof(tests1); num++)
        {
                i = 0;
@@ -270,7 +270,7 @@ bool test_enumerate_token()
                }
                enumerator->destroy(enumerator);
        }
-       
+
        for (num = 0; num < countof(tests2); num++)
        {
                i = 0;
@@ -300,7 +300,7 @@ bool test_enumerate_token()
                }
                enumerator->destroy(enumerator);
        }
-       
+
        return TRUE;
 }
 
index a1ef76be8403b49626f10c8a4d9b4d3d67d30ec5..868a2ca8b8846a2a6b4c7893f497c25ddcc6026d 100644 (file)
@@ -25,9 +25,9 @@ bool test_id_parts()
        id_part_t part;
        chunk_t data;
        int i = 0;
-       
+
        id = identification_create_from_string("C=CH, O=strongSwan, CN=tester");
-       
+
        enumerator = id->create_part_enumerator(id);
        while (enumerator->enumerate(enumerator, &part, &data))
        {
@@ -75,7 +75,7 @@ static bool test_id_wildcards_has(char *string)
 {
        identification_t *id;
        bool contains;
-       
+
        id = identification_create_from_string(string);
        contains = id->contains_wildcards(id);
        id->destroy(id);
@@ -115,7 +115,7 @@ static bool test_id_equals_one(identification_t *a, char *b_str)
 {
        identification_t *b;
        bool equals;
-       
+
        b = identification_create_from_string(b_str);
        equals = a->equals(a, b);
        b->destroy(b);
@@ -127,10 +127,10 @@ bool test_id_equals()
        identification_t *a;
        chunk_t encoding, fuzzed;
        int i;
-       
+
        a = identification_create_from_string(
                                                           "C=CH, E=martin@strongswan.org, CN=martin");
-       
+
        if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
        {
                return FALSE;
@@ -153,7 +153,7 @@ bool test_id_equals()
        }
        encoding = chunk_clone(a->get_encoding(a));
        a->destroy(a);
-       
+
        /* simple fuzzing, increment each byte of encoding */
        for (i = 0; i < encoding.len; i++)
        {
@@ -171,7 +171,7 @@ bool test_id_equals()
                a->destroy(a);
                free(fuzzed.ptr);
        }
-       
+
        /* and decrement each byte of encoding */
        for (i = 0; i < encoding.len; i++)
        {
@@ -201,7 +201,7 @@ static id_match_t test_id_matches_one(identification_t *a, char *b_str)
 {
        identification_t *b;
        id_match_t match;
-       
+
        b = identification_create_from_string(b_str);
        match = a->matches(a, b);
        b->destroy(b);
@@ -211,10 +211,10 @@ static id_match_t test_id_matches_one(identification_t *a, char *b_str)
 bool test_id_matches()
 {
        identification_t *a;
-       
+
        a = identification_create_from_string(
                                                           "C=CH, E=martin@strongswan.org, CN=martin");
-       
+
        if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin")
                                                                                                                        != ID_MATCH_PERFECT)
        {
index da517958ebc2b89ab331d1f6cdd8296aed5e81fb..c5c15d1c2aeaf84b594fb3252477f83c61ba64f3 100644 (file)
@@ -36,7 +36,7 @@ bool test_med_db()
        public_key_t *public;
        auth_cfg_t *auth;
        bool good = FALSE;
-       
+
        id = identification_create_from_encoding(ID_KEY_ID, keyid);
        enumerator = charon->credentials->create_public_enumerator(
                                                                        charon->credentials, KEY_ANY, id, NULL);
index cb315276b0c4f3fdd8524529acf2506ceff44d55..cfe00cc7cda1745661f7a0669bb84fc4ef1c4d47 100644 (file)
@@ -46,7 +46,7 @@ static void* run(void* null)
                if (locked > 1)
                {
                        failed = TRUE;
-               }       
+               }
                locked--;
                mutex->unlock(mutex);
                mutex->unlock(mutex);
@@ -64,9 +64,9 @@ bool test_mutex()
 {
        int i;
        pthread_t threads[THREADS];
-       
+
        mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-       
+
        for (i = 0; i < 10; i++)
        {
                mutex->lock(mutex);
@@ -80,9 +80,9 @@ bool test_mutex()
        {
                mutex->unlock(mutex);
        }
-       
+
        pthread_barrier_init(&barrier, NULL, THREADS);
-       
+
        for (i = 0; i < THREADS; i++)
        {
                pthread_create(&threads[i], NULL, run, NULL);
@@ -92,9 +92,9 @@ bool test_mutex()
                pthread_join(threads[i], NULL);
        }
        pthread_barrier_destroy(&barrier);
-       
+
        mutex->destroy(mutex);
-       
+
        return !failed;
 }
 
index ff3d38ad8c3509b7f69e085744c9bd9741b75ce3..cd63a5f7899ac5f4c629cccb3e8376b04c9438d7 100644 (file)
@@ -31,7 +31,7 @@ bool test_mysql()
        char *qtxt;
        bool good = FALSE;
        enumerator_t *enumerator;
-       
+
        db = lib->db->create(lib->db, "mysql://testuser:testpass@localhost/test");
        if (!db)
        {
index f32cd58206cbc4ff7f958e6f647527e8bd90a305..f9a776a820feea87dc976618f567b4d02c8dec71 100644 (file)
@@ -27,33 +27,33 @@ static void* testing(void *thread)
        int i;
        host_t *addr[ALLOCS];
        identification_t *id[ALLOCS];
-       
+
        /* prepare identities */
        for (i = 0; i < ALLOCS; i++)
        {
                char buf[256];
-               
+
                snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (uintptr_t)thread, i);
                id[i] = identification_create_from_string(buf);
        }
-       
+
        /* allocate addresses */
        for (i = 0; i < ALLOCS; i++)
        {
-               addr[i] = charon->attributes->acquire_address(charon->attributes, 
+               addr[i] = charon->attributes->acquire_address(charon->attributes,
                                                                                                          "test", id[i], NULL);
                if (!addr[i])
                {
                        return (void*)FALSE;
                }
        }
-       
+
        /* release addresses */
        for (i = 0; i < ALLOCS; i++)
        {
                charon->attributes->release_address(charon->attributes, "test", addr[i], id[i]);
        }
-       
+
        /* cleanup */
        for (i = 0; i < ALLOCS; i++)
        {
@@ -72,7 +72,7 @@ bool test_pool()
        uintptr_t i;
        void *res;
        pthread_t thread[THREADS];
-       
+
        for (i = 0; i < THREADS; i++)
        {
                if (pthread_create(&thread[i], NULL, (void*)testing, (void*)i) < 0)
index 1b7af63ee33b82a3603dbc3637c200988ca0b884..a449112ecba39f382751fa56f6a8c607e5a573a7 100644 (file)
@@ -26,7 +26,7 @@ bool test_rsa_gen()
        private_key_t *private;
        public_key_t *public;
        u_int key_size;
-       
+
        for (key_size = 512; key_size <= 2048; key_size *= 2)
        {
                private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
@@ -113,7 +113,7 @@ bool test_rsa_load_any()
 {
        chunk_t chunk = chunk_from_buf(public_any);
        public_key_t *public;
-       
+
        public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
                                                                BUILD_BLOB_ASN1_DER, chunk,
                                                                BUILD_END);
index d152fc594cf662b021b82bf89735c5a6a3438c08..4dcc5bad11a0bdfcb56c67ca59345d7f6a79929a 100644 (file)
@@ -36,7 +36,7 @@ bool test_sqlite()
        char *qtxt;
        bool good = FALSE;
        enumerator_t *enumerator;
-       
+
        db = lib->db->create(lib->db, "sqlite://" DBFILE);
        if (!db)
        {
index c9651e60143f7ced2fdcf72ea2917b73fdc6c143..3c39688c6940c67ab294b6c2ee33a70d5de82c3a 100644 (file)
@@ -33,17 +33,17 @@ struct private_unit_tester_t {
 };
 
 struct unit_test_t {
-       
+
        /**
         * name of the test
         */
        char *name;
-       
+
        /**
         * test function
         */
        bool (*test)(void);
-       
+
        /**
         * run the test?
         */
@@ -62,10 +62,10 @@ static unit_test_t tests[] = {
 static void run_tests(private_unit_tester_t *this)
 {
        int i, run = 0, failed = 0, success = 0, skipped = 0;
-       
+
        DBG1(DBG_CFG, "running unit tests, %d tests registered",
                 sizeof(tests)/sizeof(unit_test_t));
-       
+
        for (i = 0; i < sizeof(tests)/sizeof(unit_test_t); i++)
        {
                if (tests[i].enabled)
@@ -106,11 +106,11 @@ static void destroy(private_unit_tester_t *this)
 plugin_t *plugin_create()
 {
        private_unit_tester_t *this = malloc_thing(private_unit_tester_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        run_tests(this);
-       
+
        return &this->public.plugin;
 }
 
index 33b13313d661833aebb23e401d90d525317c34c1..79d5bc02113ecd54e6871855ed052f591f1c48dd 100644 (file)
@@ -28,7 +28,7 @@ typedef struct unit_tester_t unit_tester_t;
 /**
  * Unit testing plugin.
  *
- * The unit testing plugin runs tests on plugin initialization. Tests are 
+ * The unit testing plugin runs tests on plugin initialization. Tests are
  * defined in tests.h using the DEFINE_TEST macro. Implementation of the
  * tests is done in the tests folder. Each test has uses a function which
  * returns TRUE for success or FALSE for failure.
index a6be35690215568aa2c1e224a8469741bca297c0..10a94726a7a43edb8ee025f1ace51c8b9c541db7 100644 (file)
@@ -27,12 +27,12 @@ typedef struct private_updown_listener_t private_updown_listener_t;
  * Private data of an updown_listener_t object.
  */
 struct private_updown_listener_t {
-       
+
        /**
         * Public updown_listener_t interface.
         */
        updown_listener_t public;
-       
+
        /**
         * List of cached interface names
         */
@@ -58,10 +58,10 @@ static void cache_iface(private_updown_listener_t *this, u_int32_t reqid,
                                                char *iface)
 {
        cache_entry_t *entry = malloc_thing(cache_entry_t);
-       
+
        entry->reqid = reqid;
        entry->iface = strdup(iface);
-       
+
        this->iface_cache->insert_first(this->iface_cache, entry);
 }
 
@@ -73,7 +73,7 @@ static char* uncache_iface(private_updown_listener_t *this, u_int32_t reqid)
        enumerator_t *enumerator;
        cache_entry_t *entry;
        char *iface = NULL;
-       
+
        enumerator = this->iface_cache->create_enumerator(this->iface_cache);
        while (enumerator->enumerate(enumerator, &entry))
        {
@@ -100,18 +100,18 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
        child_cfg_t *config;
        host_t *vip, *me, *other;
        char *script;
-       
+
        config = child_sa->get_config(child_sa);
        vip = ike_sa->get_virtual_ip(ike_sa, TRUE);
        script = config->get_updown(config);
        me = ike_sa->get_my_host(ike_sa);
        other = ike_sa->get_other_host(ike_sa);
-       
+
        if (script == NULL)
        {
                return;
        }
-       
+
        enumerator = child_sa->create_policy_enumerator(child_sa);
        while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
        {
@@ -160,7 +160,7 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
                                virtual_ip = NULL;
                        }
                }
-               
+
                if (up)
                {
                        iface = charon->kernel_interface->get_interface(
@@ -174,7 +174,7 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
                {
                        iface = uncache_iface(this, child_sa->get_reqid(child_sa));
                }
-               
+
                /* build the command with all env variables.
                 * TODO: PLUTO_PEER_CA and PLUTO_NEXT_HOP are currently missing
                 */
@@ -225,7 +225,7 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
                free(other_client);
                free(virtual_ip);
                free(iface);
-               
+
                DBG3(DBG_CHD, "running updown script: %s", command);
                shell = popen(command, "r");
 
@@ -234,11 +234,11 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
                        DBG1(DBG_CHD, "could not execute updown script '%s'", script);
                        return;
                }
-               
+
                while (TRUE)
                {
                        char resp[128];
-                       
+
                        if (fgets(resp, sizeof(resp), shell) == NULL)
                        {
                                if (ferror(shell))
@@ -273,11 +273,11 @@ static bool child_state_change(private_updown_listener_t *this, ike_sa_t *ike_sa
                                                           child_sa_t *child_sa, child_sa_state_t state)
 {
        child_sa_state_t old;
-       
+
        if (ike_sa)
        {
                old = child_sa->get_state(child_sa);
-               
+
                if ((old == CHILD_INSTALLED && state != CHILD_REKEYING ) ||
                        (old == CHILD_DELETING && state == CHILD_DESTROYING))
                {
@@ -306,13 +306,13 @@ static void destroy(private_updown_listener_t *this)
 updown_listener_t *updown_listener_create()
 {
        private_updown_listener_t *this = malloc_thing(private_updown_listener_t);
-       
+
        memset(&this->public.listener, 0, sizeof(listener_t));
        this->public.listener.child_state_change = (void*)child_state_change;
        this->public.destroy = (void(*)(updown_listener_t*))destroy;
-       
+
        this->iface_cache = linked_list_create();
-       
+
        return &this->public;
 }
 
index cc59f61c68b648a73d8fe9d66beacb6dd504610e..7b978b0cc44a42fda033f7d22caed2c6072dc729 100644 (file)
@@ -29,12 +29,12 @@ typedef struct updown_listener_t updown_listener_t;
  * Listener which invokes the scripts on CHILD_SA up/down.
  */
 struct updown_listener_t {
-       
+
        /**
         * Implements listener_t.
         */
        listener_t listener;
-       
+
        /**
         * Destroy a updown_listener_t.
         */
index 4f0483fac521e659449ab0d348a3ee48f75e348b..6cb0efdcd73fd19eeeae6b64dfe595806cca4df8 100644 (file)
@@ -29,7 +29,7 @@ struct private_updown_plugin_t {
         * implements plugin interface
         */
        updown_plugin_t public;
-       
+
        /**
         * Listener interface, listens to CHILD_SA state changes
         */
@@ -52,12 +52,12 @@ static void destroy(private_updown_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_updown_plugin_t *this = malloc_thing(private_updown_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        this->listener = updown_listener_create();
        charon->bus->add_listener(charon->bus, &this->listener->listener);
-       
+
        return &this->public.plugin;
 }
 
index 90b221b847996f002f6572a8c8b685d77f05b488..45ace931208716a34207cf0e0bebb235a7bf0cd0 100644 (file)
@@ -28,17 +28,17 @@ struct private_acquire_job_t {
         * Public acquire_job_t interface.
         */
        acquire_job_t public;
-       
+
        /**
         * reqid of the child to rekey
         */
        u_int32_t reqid;
-       
+
        /**
         * acquired source traffic selector
         */
        traffic_selector_t *src_ts;
-       
+
        /**
         * acquired destination traffic selector
         */
@@ -73,14 +73,14 @@ acquire_job_t *acquire_job_create(u_int32_t reqid,
                                                                  traffic_selector_t *dst_ts)
 {
        private_acquire_job_t *this = malloc_thing(private_acquire_job_t);
-       
+
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-       
+
        this->reqid = reqid;
        this->src_ts = src_ts;
        this->dst_ts = dst_ts;
-       
+
        return &this->public;
 }
 
index a78e5274d6e03529bb4f6d497bda4014fb367467..766e4db90fdd45d01d2d0deb29a26eb71f288340 100644 (file)
@@ -29,7 +29,7 @@ typedef struct acquire_job_t acquire_job_t;
 
 /**
  * Class representing an ACQUIRE Job.
- * 
+ *
  * This job initiates a CHILD SA on kernel request.
  */
 struct acquire_job_t {
index f4beb5abd80eeca9d0fec1cc412376cac5968a56..ee71fc5570423354d396ddf31d4f29202f1e428c 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include "callback_job.h"
 
 #include <pthread.h>
@@ -30,7 +30,7 @@ struct private_callback_job_t {
         * Public callback_job_t interface.
         */
        callback_job_t public;
-       
+
        /**
         * Callback to call on execution
         */
@@ -40,27 +40,27 @@ struct private_callback_job_t {
         * parameter to supply to callback
         */
        void *data;
-       
+
        /**
         * cleanup function for data
         */
        callback_job_cleanup_t cleanup;
-       
+
        /**
         * thread ID of the job, if running
         */
        pthread_t thread;
-       
+
        /**
         * mutex to access jobs interna
         */
        mutex_t *mutex;
-       
+
        /**
         * list of asociated child jobs
         */
        linked_list_t *children;
-       
+
        /**
         * parent of this job, or NULL
         */
@@ -90,7 +90,7 @@ static void unregister(private_callback_job_t *this)
        {
                iterator_t *iterator;
                private_callback_job_t *child;
-               
+
                this->parent->mutex->lock(this->parent->mutex);
                iterator = this->parent->children->create_iterator(this->parent->children, TRUE);
                while (iterator->iterate(iterator, (void**)&child))
@@ -112,14 +112,14 @@ static void unregister(private_callback_job_t *this)
 static void cancel(private_callback_job_t *this)
 {
        pthread_t thread;
-       
+
        this->mutex->lock(this->mutex);
        thread = this->thread;
-       
+
        /* terminate its children */
        this->children->invoke_offset(this->children, offsetof(callback_job_t, cancel));
        this->mutex->unlock(this->mutex);
-       
+
        /* terminate thread */
        if (thread)
        {
@@ -138,7 +138,7 @@ static void execute(private_callback_job_t *this)
        this->mutex->lock(this->mutex);
        this->thread = pthread_self();
        this->mutex->unlock(this->mutex);
-       
+
        pthread_cleanup_push((void*)destroy, this);
        while (TRUE)
        {
@@ -175,7 +175,7 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
                                                                        callback_job_t *parent)
 {
        private_callback_job_t *this = malloc_thing(private_callback_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
@@ -189,7 +189,7 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
        this->thread = 0;
        this->children = linked_list_create();
        this->parent = (private_callback_job_t*)parent;
-       
+
        /* register us at parent */
        if (parent)
        {
@@ -197,7 +197,7 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
                this->parent->children->insert_last(this->parent->children, this);
                this->parent->mutex->unlock(this->parent->mutex);
        }
-       
+
        return &this->public;
 }
 
index 2bb209cb778d5c37c47b5f13a3d14f28e383936e..5435bc09cc7b31ba3dddf2e199b56e6e55e0f50e 100644 (file)
@@ -41,12 +41,12 @@ enum job_requeue_t {
         * Do not requeue job, destroy it
         */
        JOB_REQUEUE_NONE,
-       
+
        /**
         * Reque the job fairly, meaning it has to requeue as any other job
         */
        JOB_REQUEUE_FAIR,
-       
+
        /**
         * Reexecute the job directly, without the need of requeueing it
         */
@@ -88,7 +88,7 @@ struct callback_job_t {
         * The job_t interface.
         */
        job_t job_interface;
-       
+
        /**
         * Cancel the jobs thread and wait for its termination.
         */
@@ -103,7 +103,7 @@ struct callback_job_t {
  * If parent is not NULL, the specified job gets an association. Whenever
  * the parent gets cancelled (or runs out), all of its children are cancelled,
  * too.
- * 
+ *
  * @param cb                           callback to call from the processor
  * @param data                         user data to supply to callback
  * @param cleanup                      destructor for data on destruction, or NULL
index 206f076176d7cc27dca80970c6fb10f64d14ab78..ca55721f2476e0bb701f24b19ee66e23a408f891 100644 (file)
@@ -29,17 +29,17 @@ struct private_delete_child_sa_job_t {
         * Public delete_child_sa_job_t interface.
         */
        delete_child_sa_job_t public;
-       
+
        /**
         * reqid of the CHILD_SA
         */
        u_int32_t reqid;
-       
+
        /**
         * protocol of the CHILD_SA (ESP/AH)
         */
        protocol_id_t protocol;
-       
+
        /**
         * inbound SPI of the CHILD_SA
         */
@@ -60,7 +60,7 @@ static void destroy(private_delete_child_sa_job_t *this)
 static void execute(private_delete_child_sa_job_t *this)
 {
        ike_sa_t *ike_sa;
-       
+
        ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
                                                                                                        this->reqid, TRUE);
        if (ike_sa == NULL)
@@ -71,7 +71,7 @@ static void execute(private_delete_child_sa_job_t *this)
        else
        {
                ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi);
-               
+
                charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
        }
        destroy(this);
@@ -80,21 +80,21 @@ static void execute(private_delete_child_sa_job_t *this)
 /*
  * Described in header
  */
-delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, 
-                                                                                                 protocol_id_t protocol, 
+delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
+                                                                                                 protocol_id_t protocol,
                                                                                                  u_int32_t spi)
 {
        private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-       
+
        /* private variables */
        this->reqid = reqid;
        this->protocol = protocol;
        this->spi = spi;
-       
+
        return &this->public;
 }
 
index 9bf6ee42306182a173473afdc48b5a3e987e3c05..662a7b7c7648084e21a218b975c809a81424e11d 100644 (file)
@@ -31,7 +31,7 @@ typedef struct delete_child_sa_job_t delete_child_sa_job_t;
 
 /**
  * Class representing an DELETE_CHILD_SA Job.
- * 
+ *
  * This job initiates the delete of a CHILD SA.
  */
 struct delete_child_sa_job_t {
@@ -52,8 +52,8 @@ struct delete_child_sa_job_t {
  * @param spi          security parameter index of the CHILD_SA
  * @return                     delete_child_sa_job_t object
  */
-delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, 
-                                                                                                 protocol_id_t protocol, 
+delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
+                                                                                                 protocol_id_t protocol,
                                                                                                  u_int32_t spi);
 
 #endif /** DELETE_CHILD_SA_JOB_H_ @}*/
index 6d4639fad795bf23cb6a79506678fa08fca6baff..dffd08ba3804db0f26d0fd35b2e0379bda68663c 100644 (file)
@@ -28,12 +28,12 @@ struct private_delete_ike_sa_job_t {
         * public delete_ike_sa_job_t interface
         */
        delete_ike_sa_job_t public;
-       
+
        /**
         * ID of the ike_sa to delete
         */
        ike_sa_id_t *ike_sa_id;
-       
+
        /**
         * Should the IKE_SA be deleted if it is in ESTABLISHED state?
         */
@@ -56,7 +56,7 @@ static void destroy(private_delete_ike_sa_job_t *this)
 static void execute(private_delete_ike_sa_job_t *this)
 {
        ike_sa_t *ike_sa;
-       
+
        ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
                                                                                          this->ike_sa_id);
        if (ike_sa)
@@ -99,18 +99,18 @@ static void execute(private_delete_ike_sa_job_t *this)
 /*
  * Described in header
  */
-delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id, 
+delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
                                                                                          bool delete_if_established)
 {
        private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*)(job_t *)) destroy;;
-       
+
        /* private variables */
        this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
        this->delete_if_established = delete_if_established;
-       
+
        return &(this->public);
 }
index 8209977f9d90f8d92f3185c8d19038ebcae9d168..f641deea38774f29bc16c4ee9a77779c5e1f365b 100644 (file)
@@ -18,7 +18,7 @@
  * @defgroup delete_child_sa_job delete_child_sa_job
  * @{ @ingroup jobs
  */
+
 #ifndef DELETE_IKE_SA_JOB_H_
 #define DELETE_IKE_SA_JOB_H_
 
@@ -32,12 +32,12 @@ typedef struct delete_ike_sa_job_t delete_ike_sa_job_t;
 /**
  * Class representing an DELETE_IKE_SA Job.
  *
- * This job is responsible for deleting established or half open IKE_SAs. 
+ * This job is responsible for deleting established or half open IKE_SAs.
  * A half open IKE_SA is every IKE_SA which hasn't reache the SA_ESTABLISHED
  * state.
  */
 struct delete_ike_sa_job_t {
-       
+
        /**
         * The job_t interface.
         */
@@ -46,7 +46,7 @@ struct delete_ike_sa_job_t {
 
 /**
  * Creates a job of type DELETE_IKE_SA.
- * 
+ *
  * @param ike_sa_id                            id of the IKE_SA to delete
  * @param delete_if_established        should the IKE_SA be deleted if it is established?
  * @return                                             created delete_ike_sa_job_t object
index 157d843419e090f46af165237a8d20ed30e3c393..d3828e190e2145aafa3e867c67409d0a23cfd85b 100644 (file)
@@ -29,12 +29,12 @@ struct private_initiate_mediation_job_t {
         * public initiate_mediation_job_t interface
         */
        initiate_mediation_job_t public;
-       
+
        /**
         * ID of the IKE_SA of the mediated connection.
         */
        ike_sa_id_t *mediated_sa_id;
-       
+
        /**
         * ID of the IKE_SA of the mediation connection.
         */
@@ -68,26 +68,26 @@ static bool initiate_callback(private_initiate_mediation_job_t *this,
 
 /**
  * Implementation of job_t.execute.
- */ 
+ */
 static void initiate(private_initiate_mediation_job_t *this)
 {
        ike_sa_t *mediated_sa, *mediation_sa;
        peer_cfg_t *mediated_cfg, *mediation_cfg;
        enumerator_t *enumerator;
        auth_cfg_t *auth_cfg;
-       
+
        mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
                                                                                                   this->mediated_sa_id);
        if (mediated_sa)
        {
                mediated_cfg = mediated_sa->get_peer_cfg(mediated_sa);
-               mediated_cfg->get_ref(mediated_cfg); 
-               
+               mediated_cfg->get_ref(mediated_cfg);
+
                charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
-               
+
                mediation_cfg = mediated_cfg->get_mediated_by(mediated_cfg);
                mediation_cfg->get_ref(mediation_cfg);
-               
+
                enumerator = mediation_cfg->create_auth_cfg_enumerator(mediation_cfg,
                                                                                                                           TRUE);
                if (!enumerator->enumerate(enumerator, &auth_cfg) ||
@@ -99,7 +99,7 @@ static void initiate(private_initiate_mediation_job_t *this)
                        destroy(this);
                        return;
                }
-               
+
                if (charon->connect_manager->check_and_register(charon->connect_manager,
                                auth_cfg->get(auth_cfg, AUTH_RULE_IDENTITY),
                                mediated_cfg->get_peer_id(mediated_cfg),
@@ -107,7 +107,7 @@ static void initiate(private_initiate_mediation_job_t *this)
                {
                        mediated_cfg->destroy(mediated_cfg);
                        mediation_cfg->destroy(mediation_cfg);
-                       
+
                        mediated_sa = charon->ike_sa_manager->checkout(
                                                                charon->ike_sa_manager, this->mediated_sa_id);
                        if (mediated_sa)
@@ -121,7 +121,7 @@ static void initiate(private_initiate_mediation_job_t *this)
                        return;
                }
                /* we need an additional reference because initiate consumes one */
-               mediation_cfg->get_ref(mediation_cfg); 
+               mediation_cfg->get_ref(mediation_cfg);
 
                if (charon->controller->initiate(charon->controller, mediation_cfg,
                                        NULL, (controller_cb_t)initiate_callback, this) != SUCCESS)
@@ -143,7 +143,7 @@ static void initiate(private_initiate_mediation_job_t *this)
 
                mediation_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
                                this->mediation_sa_id);
-               
+
                if (mediation_sa)
                {
                        if (mediation_sa->initiate_mediation(mediation_sa,
@@ -163,10 +163,10 @@ static void initiate(private_initiate_mediation_job_t *this)
                                destroy(this);
                                return;
                        }
-                       
+
                        charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediation_sa);
                }
-               
+
                mediated_cfg->destroy(mediated_cfg);
        }
        destroy(this);
@@ -174,12 +174,12 @@ static void initiate(private_initiate_mediation_job_t *this)
 
 /**
  * Implementation of job_t.execute.
- */ 
+ */
 static void reinitiate(private_initiate_mediation_job_t *this)
 {
        ike_sa_t *mediated_sa, *mediation_sa;
        peer_cfg_t *mediated_cfg;
-       
+
        mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
                                                                                          this->mediated_sa_id);
        if (mediated_sa)
@@ -187,7 +187,7 @@ static void reinitiate(private_initiate_mediation_job_t *this)
                mediated_cfg = mediated_sa->get_peer_cfg(mediated_sa);
                mediated_cfg->get_ref(mediated_cfg);
                charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
-               
+
                mediation_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
                                this->mediation_sa_id);
                if (mediation_sa)
@@ -211,7 +211,7 @@ static void reinitiate(private_initiate_mediation_job_t *this)
                        }
                        charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediation_sa);
                }
-               
+
                mediated_cfg->destroy(mediated_cfg);
        }
        destroy(this);
@@ -223,10 +223,10 @@ static void reinitiate(private_initiate_mediation_job_t *this)
 static private_initiate_mediation_job_t *initiate_mediation_job_create_empty()
 {
        private_initiate_mediation_job_t *this = malloc_thing(private_initiate_mediation_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-       
+
        /* private variables */
        this->mediation_sa_id = NULL;
        this->mediated_sa_id = NULL;
@@ -240,9 +240,9 @@ static private_initiate_mediation_job_t *initiate_mediation_job_create_empty()
 initiate_mediation_job_t *initiate_mediation_job_create(ike_sa_id_t *ike_sa_id)
 {
        private_initiate_mediation_job_t *this = initiate_mediation_job_create_empty();
-       
+
        this->public.job_interface.execute = (void (*) (job_t *)) initiate;
-       
+
        this->mediated_sa_id = ike_sa_id->clone(ike_sa_id);
 
        return &this->public;
@@ -255,11 +255,11 @@ initiate_mediation_job_t *reinitiate_mediation_job_create(ike_sa_id_t *mediation
                ike_sa_id_t *mediated_sa_id)
 {
        private_initiate_mediation_job_t *this = initiate_mediation_job_create_empty();
-       
+
        this->public.job_interface.execute = (void (*) (job_t *)) reinitiate;
-       
+
        this->mediation_sa_id = mediation_sa_id->clone(mediation_sa_id);
        this->mediated_sa_id = mediated_sa_id->clone(mediated_sa_id);
-       
-       return &this->public; 
+
+       return &this->public;
 }
index 084e1b9fd97c6c85917e62b0fab0338c1d4678ff..f23317941cef3b94319cb314a2451f4e38d35612 100644 (file)
@@ -28,7 +28,7 @@ typedef struct initiate_mediation_job_t initiate_mediation_job_t;
 
 /**
  * Class representing a INITIATE_MEDIATION Job.
- * 
+ *
  * This job will initiate a mediation on behalf of a mediated connection.
  * If required the mediation connection is established.
  */
@@ -41,7 +41,7 @@ struct initiate_mediation_job_t {
 
 /**
  * Creates a job of type INITIATE_MEDIATION.
- * 
+ *
  * @param ike_sa_id            identification of the ike_sa as ike_sa_id_t object (gets cloned)
  * @return                             job object
  */
@@ -50,7 +50,7 @@ initiate_mediation_job_t *initiate_mediation_job_create(ike_sa_id_t *ike_sa_id);
 /**
  * Creates a special job of type INITIATE_MEDIATION that reinitiates a
  * specific connection.
- * 
+ *
  * @param mediation_sa_id              identification of the mediation sa (gets cloned)
  * @param mediated_sa_id               identification of the mediated sa (gets cloned)
  * @return                                             job object
index acc88b124bbfe810bef9ead956aa5dfcdce005cd..0f1c16ebe9a526f4bd835258024a4ed82184276b 100644 (file)
@@ -33,7 +33,7 @@ struct job_t {
 
        /**
         * Execute a job.
-        * 
+        *
         * The processing facility executes a job using this method. Jobs are
         * one-shot, they destroy themself after execution, so don't use a job
         * once it has been executed.
index cf522faffa5b247660973a4369a83408b1e66443..b5b8af3b3fefbf647885dc926d8a4568181f527d 100644 (file)
@@ -29,37 +29,37 @@ struct private_mediation_job_t {
         * public mediation_job_t interface
         */
        mediation_job_t public;
-       
+
        /**
         * ID of target peer.
         */
        identification_t *target;
-       
+
        /**
         * ID of the source peer.
         */
        identification_t *source;
-       
+
        /**
         * ME_CONNECTID
         */
        chunk_t connect_id;
-       
+
        /**
         * ME_CONNECTKEY
         */
        chunk_t connect_key;
-       
+
        /**
         * Submitted endpoints
         */
        linked_list_t *endpoints;
-       
+
        /**
         * Is this a callback job?
         */
        bool callback;
-       
+
        /**
         * Is this a response?
         */
@@ -81,13 +81,13 @@ static void destroy(private_mediation_job_t *this)
 
 /**
  * Implementation of job_t.execute.
- */ 
+ */
 static void execute(private_mediation_job_t *this)
 {
        ike_sa_id_t *target_sa_id;
-       
+
        target_sa_id = charon->mediation_manager->check(charon->mediation_manager, this->target);
-       
+
        if (target_sa_id)
        {
                ike_sa_t *target_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
@@ -120,7 +120,7 @@ static void execute(private_mediation_job_t *this)
                                        return;
                                }
                        }
-                       
+
                        charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
                }
                else
@@ -143,11 +143,11 @@ static void execute(private_mediation_job_t *this)
 static private_mediation_job_t *mediation_job_create_empty()
 {
        private_mediation_job_t *this = malloc_thing(private_mediation_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-       
+
        /* private variables */
        this->target = NULL;
        this->source = NULL;
@@ -156,7 +156,7 @@ static private_mediation_job_t *mediation_job_create_empty()
        this->connect_key = chunk_empty;
        this->endpoints = NULL;
        this->response = FALSE;
-       
+
        return this;
 }
 
@@ -175,7 +175,7 @@ mediation_job_t *mediation_job_create(identification_t *peer_id,
        this->connect_key = chunk_clone(connect_key);
        this->endpoints = endpoints->clone_offset(endpoints, offsetof(endpoint_notify_t, clone));
        this->response = response;
-       
+
        return &this->public;
 }
 
@@ -186,10 +186,10 @@ mediation_job_t *mediation_callback_job_create(identification_t *requester,
                identification_t *peer_id)
 {
        private_mediation_job_t *this = mediation_job_create_empty();
-       
+
        this->target = requester->clone(requester);
        this->source = peer_id->clone(peer_id);
        this->callback = TRUE;
-       
+
        return &this->public;
 }
index 583ea8230fd3577a99b066d4c4703321b6f278b9..0574c65eb1456dd3556b26b60f28a6c7354830dc 100644 (file)
@@ -30,7 +30,7 @@ typedef struct mediation_job_t mediation_job_t;
 
 /**
  * Class representing a MEDIATION Job.
- * 
+ *
  * This job handles the mediation on the mediation server.
  */
 struct mediation_job_t {
@@ -42,9 +42,9 @@ struct mediation_job_t {
 
 /**
  * Creates a job of type MEDIATION.
- * 
+ *
  * Parameters get cloned.
- * 
+ *
  * @param peer_id              ID of the requested peer
  * @param requester            ID of the requesting peer
  * @param connect_id   content of ME_CONNECTID (could be NULL)
@@ -61,9 +61,9 @@ mediation_job_t *mediation_job_create(identification_t *peer_id,
 /**
  * Creates a special job of type MEDIATION that is used to send a callback
  * notification to a peer.
- * 
+ *
  * Parameters get cloned.
- * 
+ *
  * @param requester            ID of the waiting peer
  * @param peer_id              ID of the requested peer
  * @return                             job object
index a57d0478b5fc069fb581d9ab6bba1daff1a8eff5..53a6575a315d90ab9469144bcc5162d8391588a2 100644 (file)
@@ -30,7 +30,7 @@ struct private_migrate_job_t {
         * Public migrate_job_t interface.
         */
        migrate_job_t public;
-       
+
        /**
         * reqid of the CHILD_SA if it already exists
         */
@@ -75,7 +75,7 @@ static void destroy(private_migrate_job_t *this)
 static void execute(private_migrate_job_t *this)
 {
        ike_sa_t *ike_sa = NULL;
-       
+
        if (this->reqid)
        {
                ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
@@ -134,17 +134,17 @@ migrate_job_t *migrate_job_create(u_int32_t reqid,
                                                                  host_t *local, host_t *remote)
 {
        private_migrate_job_t *this = malloc_thing(private_migrate_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-       
+
        /* private variables */
        this->reqid = reqid;
        this->src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts;
        this->dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts;
        this->local = local;
        this->remote = remote;
-       
+
        return &this->public;
 }
index 672a09b0a46473a4a1d3cc5a097dc022a6ceb25e..e63318d179aee86982807861973f6acc23342c19 100644 (file)
@@ -31,8 +31,8 @@ typedef struct migrate_job_t migrate_job_t;
 
 /**
  * Class representing a MIGRATE Job.
- * 
- * This job sets a routed CHILD_SA for an existing IPsec policy. 
+ *
+ * This job sets a routed CHILD_SA for an existing IPsec policy.
  */
 struct migrate_job_t {
        /**
index 2703e5775b19d2e41f0398349707c7741fce160d..a47d48e3852367b26fbbfef783fd91a547e07854 100644 (file)
@@ -28,7 +28,7 @@ struct private_process_message_job_t {
         * public process_message_job_t interface
         */
        process_message_job_t public;
-       
+
        /**
         * Message associated with this job
         */
@@ -50,7 +50,7 @@ static void destroy(private_process_message_job_t *this)
 static void execute(private_process_message_job_t *this)
 {
        ike_sa_t *ike_sa;
-       
+
 #ifdef ME
        /* if this is an unencrypted INFORMATIONAL exchange it is likely a
         * connectivity check. */
@@ -67,7 +67,7 @@ static void execute(private_process_message_job_t *this)
                return;
        }
 #endif /* ME */
-       
+
        ike_sa = charon->ike_sa_manager->checkout_by_message(charon->ike_sa_manager,
                                                                                                                 this->message);
        if (ike_sa)
@@ -98,9 +98,9 @@ process_message_job_t *process_message_job_create(message_t *message)
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void(*)(job_t*))destroy;
-       
+
        /* private variables */
        this->message = message;
-       
+
        return &(this->public);
 }
index b01d388f902f3a2d0c064cba22b2431d65a7f61b..5e3f44d1f923257072158710b8dc192d4fc5a428 100644 (file)
@@ -40,7 +40,7 @@ struct process_message_job_t {
 
 /**
  * Creates a job of type PROCESS_MESSAGE.
- * 
+ *
  * @param message              message to process
  * @return                             created process_message_job_t object
  */
index 17fcf641bb22f09f0c0405d9dd5e1aabff614c0b..b797d181edd00887c0a58d9611fe14024a609aca 100644 (file)
@@ -28,17 +28,17 @@ struct private_rekey_child_sa_job_t {
         * Public rekey_child_sa_job_t interface.
         */
        rekey_child_sa_job_t public;
-       
+
        /**
         * reqid of the child to rekey
         */
        u_int32_t reqid;
-       
+
        /**
         * protocol of the CHILD_SA (ESP/AH)
         */
        protocol_id_t protocol;
-       
+
        /**
         * inbound SPI of the CHILD_SA
         */
@@ -59,7 +59,7 @@ static void destroy(private_rekey_child_sa_job_t *this)
 static void execute(private_rekey_child_sa_job_t *this)
 {
        ike_sa_t *ike_sa;
-       
+
        ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
                                                                                                        this->reqid, TRUE);
        if (ike_sa == NULL)
@@ -69,7 +69,7 @@ static void execute(private_rekey_child_sa_job_t *this)
        }
        else
        {
-               ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);      
+               ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);
                charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
        }
        destroy(this);
@@ -78,20 +78,20 @@ static void execute(private_rekey_child_sa_job_t *this)
 /*
  * Described in header
  */
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, 
-                                                                                               protocol_id_t protocol, 
+rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
+                                                                                               protocol_id_t protocol,
                                                                                                u_int32_t spi)
 {
        private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-               
+
        /* private variables */
        this->reqid = reqid;
        this->protocol = protocol;
        this->spi = spi;
-       
+
        return &this->public;
 }
index 2e2eef36140be58f6eb7662df136d714e4b67270..62887d6b90796c17a0ef2b642242ff2ebb697fa2 100644 (file)
@@ -51,7 +51,7 @@ struct rekey_child_sa_job_t {
  * @param spi          security parameter index of the CHILD_SA
  * @return                     rekey_child_sa_job_t object
  */
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, 
+rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
                                                                                                protocol_id_t protocol,
                                                                                                u_int32_t spi);
 #endif /** REKEY_CHILD_SA_JOB_H_ @}*/
index 1ceb1e144d09575b24b1767f2b96455733b58d5d..5ec0b1b884897ddaa1861dec8d29a6294b873f8c 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include "rekey_ike_sa_job.h"
 
 #include <daemon.h>
@@ -27,12 +27,12 @@ struct private_rekey_ike_sa_job_t {
         * Public rekey_ike_sa_job_t interface.
         */
        rekey_ike_sa_job_t public;
-       
+
        /**
         * ID of the IKE_SA to rekey
         */
        ike_sa_id_t *ike_sa_id;
-       
+
        /**
         * force reauthentication of the peer (full IKE_SA setup)
         */
@@ -55,7 +55,7 @@ static void execute(private_rekey_ike_sa_job_t *this)
 {
        ike_sa_t *ike_sa;
        status_t status = SUCCESS;
-       
+
        ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
                                                                                          this->ike_sa_id);
        if (ike_sa == NULL)
@@ -72,7 +72,7 @@ static void execute(private_rekey_ike_sa_job_t *this)
                {
                        status = ike_sa->rekey(ike_sa);
                }
-               
+
                if (status == DESTROY_ME)
                {
                        charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
@@ -91,14 +91,14 @@ static void execute(private_rekey_ike_sa_job_t *this)
 rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth)
 {
        private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
-               
+
        /* private variables */
        this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
        this->reauth = reauth;
-       
+
        return &(this->public);
 }
index 0d830e13478bf75ce8ed1b399fe61b42f4d64ec8..a5c1028aa4e916eb320b5058a36372e9c8d9731a 100644 (file)
@@ -29,7 +29,7 @@ typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t;
 
 /**
  * Class representing an REKEY_IKE_SA Job.
- * 
+ *
  * This job initiates the rekeying of an IKE_SA.
  */
 struct rekey_ike_sa_job_t {
index 122cad8530a183bc83906175c053e5b8d56d0fdc..fc787f208a916d49e672f68700dcc6f1f0ca1c53 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include "retransmit_job.h"
 
 #include <daemon.h>
@@ -28,7 +28,7 @@ struct private_retransmit_job_t {
         * Public retransmit_job_t interface.
         */
        retransmit_job_t public;
-       
+
        /**
         * Message ID of the request to resend.
         */
@@ -55,7 +55,7 @@ static void destroy(private_retransmit_job_t *this)
 static void execute(private_retransmit_job_t *this)
 {
        ike_sa_t *ike_sa;
-       
+
        ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
                                                                                          this->ike_sa_id);
        if (ike_sa)
@@ -80,7 +80,7 @@ static void execute(private_retransmit_job_t *this)
 retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id)
 {
        private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
@@ -88,6 +88,6 @@ retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa
        /* private variables */
        this->message_id = message_id;
        this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
-       
+
        return &this->public;
 }
index 4c9bea1c8b4356a91f0eb3dc1612b2dcb9cab695..c8c13479bd7f53d1958ad919a6bfe55854f1fdf4 100644 (file)
@@ -44,7 +44,7 @@ struct retransmit_job_t {
 
 /**
  * Creates a job of type retransmit.
- * 
+ *
  * @param message_id           message_id of the request to resend
  * @param ike_sa_id                    identification of the ike_sa as ike_sa_id_t
  * @return                                     retransmit_job_t object
index c01f83248c37476e7b8205fa99f36a814efc9e79..adc884a8abbf3bd2635e68579eb746ff9e4ae412 100644 (file)
@@ -31,7 +31,7 @@ struct private_roam_job_t {
         * public roam_job_t interface
         */
        roam_job_t public;
-       
+
        /**
         * has the address list changed, or the routing only?
         */
@@ -47,16 +47,16 @@ static void destroy(private_roam_job_t *this)
 }
 
 /**
- * Implementation of job_t.execute. 
- */ 
+ * Implementation of job_t.execute.
+ */
 static void execute(private_roam_job_t *this)
 {
        ike_sa_t *ike_sa;
        linked_list_t *list;
        ike_sa_id_t *id;
        enumerator_t *enumerator;
-       
-       /* enumerator over all IKE_SAs gives us no way to checkin_and_destroy 
+
+       /* enumerator over all IKE_SAs gives us no way to checkin_and_destroy
         * after a DESTROY_ME, so we check out each available IKE_SA by hand. */
        list = linked_list_create();
        enumerator = charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager);
@@ -66,7 +66,7 @@ static void execute(private_roam_job_t *this)
                list->insert_last(list, id->clone(id));
        }
        enumerator->destroy(enumerator);
-       
+
        while (list->remove_last(list, (void**)&id) == SUCCESS)
        {
                ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
@@ -95,10 +95,10 @@ static void execute(private_roam_job_t *this)
 roam_job_t *roam_job_create(bool address)
 {
        private_roam_job_t *this = malloc_thing(private_roam_job_t);
-       
+
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-       
+
        this->address = address;
 
        return &this->public;
index 7bb1227f5242af4b0c2659103e6011bd311c39f6..55bdf2b280bd06743ba0a710d19ddb54fe49869a 100644 (file)
@@ -29,7 +29,7 @@ typedef struct roam_job_t roam_job_t;
 
 /**
  * A job to inform IKE_SAs about changed local address setup.
- * 
+ *
  * If a local address appears or disappears, the kernel fires this job to
  * update all IKE_SAs.
  */
@@ -43,7 +43,7 @@ struct roam_job_t {
 
 /**
  * Creates a job to inform IKE_SAs about an updated address list.
- * 
+ *
  * @param address              TRUE if address list changed, FALSE if routing changed
  * @return                             initiate_ike_sa_job_t object
  */
index c6e81a56f8c28473d3e8cfb60de09d8f666f0141..1c2da52b83d5e5f228bedf0143c6c6eabba6a3b2 100644 (file)
@@ -31,7 +31,7 @@ struct private_send_dpd_job_t {
         * public send_dpd_job_t interface
         */
        send_dpd_job_t public;
-       
+
        /**
         * ID of the IKE_SA which the message belongs to.
         */
@@ -48,12 +48,12 @@ static void destroy(private_send_dpd_job_t *this)
 }
 
 /**
- * Implementation of job_t.execute. 
- */ 
+ * Implementation of job_t.execute.
+ */
 static void execute(private_send_dpd_job_t *this)
 {
        ike_sa_t *ike_sa;
-       
+
        ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
                                                                                          this->ike_sa_id);
        if (ike_sa)
@@ -76,11 +76,11 @@ static void execute(private_send_dpd_job_t *this)
 send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id)
 {
        private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-       
+
        /* private variables */
        this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 
index 91556a9d1857b52c977111d4d647a85e8591d89c..8078a38bc244789bd02affa85b467195dd11241d 100644 (file)
@@ -29,7 +29,7 @@ typedef struct send_dpd_job_t send_dpd_job_t;
 
 /**
  * Class representing a SEND_DPD Job.
- * 
+ *
  * Job to periodically send a Dead Peer Detection (DPD) request,
  * ie. an IKE request with no payloads other than the encrypted payload
  * required by the syntax.
@@ -43,7 +43,7 @@ struct send_dpd_job_t {
 
 /**
  * Creates a job of type SEND_DPD.
- * 
+ *
  * @param ike_sa_id            identification of the ike_sa as ike_sa_id_t object (gets cloned)
  * @return                             initiate_ike_sa_job_t object
  */
index 5d3cfb5300cbd2ed1ced94999cd16442068c02af..3d02cea2ec9fbbaafd225e38f365109a0359d251 100644 (file)
@@ -31,7 +31,7 @@ struct private_send_keepalive_job_t {
         * public send_keepalive_job_t interface
         */
        send_keepalive_job_t public;
-       
+
        /**
         * ID of the IKE_SA which the message belongs to.
         */
@@ -49,11 +49,11 @@ static void destroy(private_send_keepalive_job_t *this)
 
 /**
  * Implementation of job_t.execute.
- */ 
+ */
 static void execute(private_send_keepalive_job_t *this)
 {
        ike_sa_t *ike_sa;
-       
+
        ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
                                                                                          this->ike_sa_id);
        if (ike_sa)
@@ -70,11 +70,11 @@ static void execute(private_send_keepalive_job_t *this)
 send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id)
 {
        private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t);
-       
+
        /* interface functions */
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-       
+
        /* private variables */
        this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 
index f92e6217a54f1da9440edeea9cdbccb127ed4cc1..cda83cd7e1c78962895564b4bc262e1cf15bab59 100644 (file)
@@ -29,7 +29,7 @@ typedef struct send_keepalive_job_t send_keepalive_job_t;
 
 /**
  * Class representing a SEND_KEEPALIVE Job.
- * 
+ *
  * This job will send a NAT keepalive packet if the IKE SA is still alive,
  * and reinsert itself into the event queue.
  */
@@ -42,7 +42,7 @@ struct send_keepalive_job_t {
 
 /**
  * Creates a job of type SEND_KEEPALIVE.
- * 
+ *
  * @param ike_sa_id            identification of the ike_sa as ike_sa_id_t object (gets cloned)
  * @return                             initiate_ike_sa_job_t object
  */
index 5e6c83942c615b0d2cbb0cf5751064f5107bb468..17dce2548d97e67602230a2cda8ec6cda822f4c4 100644 (file)
@@ -31,12 +31,12 @@ struct private_update_sa_job_t {
         * public update_sa_job_t interface
         */
        update_sa_job_t public;
-       
+
        /**
         * reqid of the CHILD_SA
         */
        u_int32_t reqid;
-       
+
        /**
         * New SA address and port
         */
@@ -53,12 +53,12 @@ static void destroy(private_update_sa_job_t *this)
 }
 
 /**
- * Implementation of job_t.execute. 
- */ 
+ * Implementation of job_t.execute.
+ */
 static void execute(private_update_sa_job_t *this)
 {
        ike_sa_t *ike_sa;
-       
+
        ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
                                                                                                        this->reqid, TRUE);
        if (ike_sa == NULL)
@@ -84,10 +84,10 @@ static void execute(private_update_sa_job_t *this)
 update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
 {
        private_update_sa_job_t *this = malloc_thing(private_update_sa_job_t);
-       
+
        this->public.job_interface.execute = (void (*) (job_t *)) execute;
        this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-       
+
        this->reqid = reqid;
        this->new = new;
 
index 93262d46fb3f29274dc8948744edd1fb7bd9c7d8..11d1ac9b693b84d8d14180c783677c72cadfa0fc 100644 (file)
@@ -40,7 +40,7 @@ struct update_sa_job_t {
 
 /**
  * Creates a job to update IKE and CHILD_SA addresses.
- * 
+ *
  * @param reqid                        reqid of the CHILD_SA
  * @param new                  new address and port
  * @return                             update_sa_job_t object
index 4a3943323c7479ab68c24c142da55563704fb9b9..a364017c2bb80de179908637649b7748ebd286d3 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include <stdlib.h>
 #include <pthread.h>
 #include <string.h>
@@ -41,12 +41,12 @@ struct private_processor_t {
         * Number of running threads
         */
        u_int total_threads;
-       
+
        /**
         * Desired number of threads
         */
        u_int desired_threads;
-       
+
        /**
         * Number of threads waiting for work
         */
@@ -56,7 +56,7 @@ struct private_processor_t {
         * The jobs are stored in a linked list
         */
        linked_list_t *list;
-       
+
        /**
         * access to linked_list is locked through this mutex
         */
@@ -66,7 +66,7 @@ struct private_processor_t {
         * Condvar to wait for new jobs
         */
        condvar_t *job_added;
-       
+
        /**
         * Condvar to wait for terminated threads
         */
@@ -81,7 +81,7 @@ static void process_jobs(private_processor_t *this);
 static void restart(private_processor_t *this)
 {
        pthread_t thread;
-       
+
        /* respawn thread if required */
        if (this->desired_threads == 0 ||
                pthread_create(&thread, NULL, (void*)process_jobs, this) != 0)
@@ -99,16 +99,16 @@ static void restart(private_processor_t *this)
 static void process_jobs(private_processor_t *this)
 {
        int oldstate;
-       
+
        pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate);
-       
+
        DBG2(DBG_JOB, "started worker thread, thread_ID: %06u", (int)pthread_self());
-       
+
        this->mutex->lock(this->mutex);
        while (this->desired_threads >= this->total_threads)
        {
                job_t *job;
-               
+
                if (this->list->get_count(this->list) == 0)
                {
                        this->idle_threads++;
@@ -136,7 +136,7 @@ static u_int get_total_threads(private_processor_t *this)
 {
        u_int count;
        this->mutex->lock(this->mutex);
-       count = this->total_threads; 
+       count = this->total_threads;
        this->mutex->unlock(this->mutex);
        return count;
 }
@@ -175,7 +175,7 @@ static void queue_job(private_processor_t *this, job_t *job)
        this->job_added->signal(this->job_added);
        this->mutex->unlock(this->mutex);
 }
-       
+
 /**
  * Implementation of processor_t.set_threads.
  */
@@ -186,7 +186,7 @@ static void set_threads(private_processor_t *this, u_int count)
        {       /* increase thread count */
                int i;
                pthread_t current;
-               
+
                this->desired_threads = count;
                DBG1(DBG_JOB, "spawning %d worker threads", count - this->total_threads);
                for (i = this->total_threads; i < count; i++)
@@ -231,14 +231,14 @@ static void destroy(private_processor_t *this)
 processor_t *processor_create(size_t pool_size)
 {
        private_processor_t *this = malloc_thing(private_processor_t);
-       
+
        this->public.get_total_threads = (u_int(*)(processor_t*))get_total_threads;
        this->public.get_idle_threads = (u_int(*)(processor_t*))get_idle_threads;
        this->public.get_job_load = (u_int(*)(processor_t*))get_job_load;
        this->public.queue_job = (void(*)(processor_t*, job_t*))queue_job;
        this->public.set_threads = (void(*)(processor_t*, u_int))set_threads;
        this->public.destroy = (void(*)(processor_t*))destroy;
-       
+
        this->list = linked_list_create();
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
        this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT);
@@ -246,7 +246,7 @@ processor_t *processor_create(size_t pool_size)
        this->total_threads = 0;
        this->desired_threads = 0;
        this->idle_threads = 0;
-       
+
        return &this->public;
 }
 
index e56e69382e3689e205f9185e125aceb0b96c9cb1..58222ab815e17decc7f2887ca99262621da2bfd2 100644 (file)
@@ -33,21 +33,21 @@ typedef struct processor_t processor_t;
  * The processor uses threads to process queued jobs.
  */
 struct processor_t {
-       
+
        /**
         * Get the total number of threads used by the processor.
-        *      
+        *
         * @return                              size of thread pool
         */
        u_int (*get_total_threads) (processor_t *this);
-       
+
        /**
         * Get the number of threads currently waiting.
-        *      
+        *
         * @return                              number of idle threads
         */
        u_int (*get_idle_threads) (processor_t *this);
-       
+
        /**
         * Get the number of queued jobs.
         *
@@ -63,7 +63,7 @@ struct processor_t {
         * @param job                   job to add to the queue
         */
        void (*queue_job) (processor_t *this, job_t *job);
-       
+
        /**
         * Set the number of threads to use in the processor.
         *
@@ -75,7 +75,7 @@ struct processor_t {
         * @param count                 number of threads to allocate
         */
        void (*set_threads)(processor_t *this, u_int count);
-       
+
        /**
         * Destroy a processor object.
         */
index f53ccb99ad914a209d41b1ab95e3c9b9615607e8..d09b384c39c4f86a248d7683e7814719dbe608b6 100644 (file)
@@ -38,7 +38,7 @@ struct event_t {
         * Time to fire the event.
         */
        timeval_t time;
-       
+
        /**
         * Every event has its assigned job.
         */
@@ -60,37 +60,37 @@ typedef struct private_scheduler_t private_scheduler_t;
  * Private data of a scheduler_t object.
  */
 struct private_scheduler_t {
-       
+
        /**
         * Public part of a scheduler_t object.
         */
         scheduler_t public;
-       
+
        /**
         * Job which queues scheduled jobs to the processor.
         */
        callback_job_t *job;
-       
+
        /**
         * The heap in which the events are stored.
         */
        event_t **heap;
-       
+
        /**
         * The size of the heap.
         */
        u_int heap_size;
-       
+
        /**
         * The number of scheduled events.
         */
        u_int event_count;
-       
+
        /**
         * Exclusive access to list
         */
        mutex_t *mutex;
-       
+
        /**
         * Condvar to wait for next job.
         */
@@ -140,12 +140,12 @@ static event_t *remove_event(private_scheduler_t *this)
        {
                return NULL;
        }
-       
+
        /* store the value to return */
        event = this->heap[1];
        /* move the bottom event to the top */
        top = this->heap[1] = this->heap[this->event_count];
-               
+
        if (--this->event_count > 1)
        {
                /* seep down the top event */
@@ -153,7 +153,7 @@ static event_t *remove_event(private_scheduler_t *this)
                while ((position << 1) <= this->event_count)
                {
                        u_int child = position << 1;
-                       
+
                        if ((child + 1) <= this->event_count &&
                                timeval_cmp(&this->heap[child + 1]->time,
                                                        &this->heap[child]->time) < 0)
@@ -161,14 +161,14 @@ static event_t *remove_event(private_scheduler_t *this)
                                /* the "right" child is smaller */
                                child++;
                        }
-                       
+
                        if (timeval_cmp(&top->time, &this->heap[child]->time) <= 0)
                        {
                                /* the top event fires before the smaller of the two children,
                                 * stop */
                                break;
                        }
-                       
+
                        /* swap with the smaller child */
                        this->heap[position] = this->heap[child];
                        position = child;
@@ -187,11 +187,11 @@ static job_requeue_t schedule(private_scheduler_t * this)
        event_t *event;
        int oldstate;
        bool timed = FALSE;
-       
+
        this->mutex->lock(this->mutex);
-       
+
        time_monotonic(&now);
-       
+
        if ((event = peek_event(this)) != NULL)
        {
                if (timeval_cmp(&now, &event->time) >= 0)
@@ -217,7 +217,7 @@ static job_requeue_t schedule(private_scheduler_t * this)
        }
        pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-       
+
        if (timed)
        {
                this->condvar->timed_wait_abs(this->condvar, this->mutex, event->time);
@@ -251,13 +251,13 @@ static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
 {
        event_t *event;
        u_int position;
-       
+
        event = malloc_thing(event_t);
        event->job = job;
        event->time = tv;
-       
+
        this->mutex->lock(this->mutex);
-       
+
        this->event_count++;
        if (this->event_count > this->heap_size)
        {
@@ -268,7 +268,7 @@ static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
        }
        /* "put" the event to the bottom */
        position = this->event_count;
-       
+
        /* then bubble it up */
        while (position > 1 && timeval_cmp(&this->heap[position >> 1]->time,
                                                                           &event->time) > 0)
@@ -278,7 +278,7 @@ static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
                position >>= 1;
        }
        this->heap[position] = event;
-       
+
        this->condvar->signal(this->condvar);
        this->mutex->unlock(this->mutex);
 }
@@ -289,10 +289,10 @@ static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
 static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
 {
        timeval_t tv;
-       
+
        time_monotonic(&tv);
        tv.tv_sec += s;
-       
+
        schedule_job_tv(this, job, tv);
 }
 
@@ -302,13 +302,13 @@ static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
 static void schedule_job_ms(private_scheduler_t *this, job_t *job, u_int32_t ms)
 {
        timeval_t tv, add;
-       
+
        time_monotonic(&tv);
        add.tv_sec = ms / 1000;
        add.tv_usec = (ms % 1000) * 1000;
-       
+
        timeradd(&tv, &add, &tv);
-       
+
        schedule_job_tv(this, job, tv);
 }
 
@@ -335,24 +335,24 @@ static void destroy(private_scheduler_t *this)
 scheduler_t * scheduler_create()
 {
        private_scheduler_t *this = malloc_thing(private_scheduler_t);
-       
+
        this->public.get_job_load = (u_int (*) (scheduler_t *this)) get_job_load;
        this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t s)) schedule_job;
        this->public.schedule_job_ms = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job_ms;
        this->public.schedule_job_tv = (void (*) (scheduler_t *this, job_t *job, timeval_t tv)) schedule_job_tv;
        this->public.destroy = (void(*)(scheduler_t*)) destroy;
-       
+
        /* Note: the root of the heap is at index 1 */
        this->event_count = 0;
        this->heap_size = HEAP_SIZE_DEFAULT;
        this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
-       
+
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
        this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-       
+
        this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
        charon->processor->queue_job(charon->processor, (job_t*)this->job);
-       
+
        return &this->public;
 }
 
index 2bb85e4e68ca6e716a56ce20f4a5e60dac18bf3d..5f5d2a563a129e7aacd29371999988773be4462f 100644 (file)
@@ -79,7 +79,7 @@ typedef struct scheduler_t scheduler_t;
  * children has a smaller key or it is again a leaf node.
  */
 struct scheduler_t {
-       
+
        /**
         * Adds a event to the queue, using a relative time offset in s.
         *
@@ -87,7 +87,7 @@ struct scheduler_t {
         * @param time                  relative time to schedule job, in s
         */
        void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t s);
-       
+
        /**
         * Adds a event to the queue, using a relative time offset in ms.
         *
@@ -95,7 +95,7 @@ struct scheduler_t {
         * @param time                  relative time to schedule job, in ms
         */
        void (*schedule_job_ms) (scheduler_t *this, job_t *job, u_int32_t ms);
-       
+
        /**
         * Adds a event to the queue, using an absolut time.
         *
@@ -106,14 +106,14 @@ struct scheduler_t {
         * @param time                  absolut time to schedule job
         */
        void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
-       
+
        /**
         * Returns number of jobs scheduled.
         *
         * @return                              number of scheduled jobs
         */
        u_int (*get_job_load) (scheduler_t *this);
-       
+
        /**
         * Destroys a scheduler object.
         */
index ea8a16279dd43e3489a4c68755ee3aaed1b90303..13586a23e23b1a68235dbb5f0afe1ecd5e3a0978 100644 (file)
@@ -75,7 +75,7 @@ authenticator_t *authenticator_create_verifier(
                                                                        chunk_t received_init, chunk_t sent_init)
 {
        auth_payload_t *auth_payload;
-       
+
        auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
        if (auth_payload == NULL)
        {
index c60881629a58ecd97ea4694b0303994ebf0ed708..299b9e6e72b6cf97804d7a09b64c1d51b38ee50a 100644 (file)
@@ -36,34 +36,34 @@ typedef struct authenticator_t authenticator_t;
  */
 enum auth_method_t {
        /**
-        * Computed as specified in section 2.15 of RFC using 
+        * Computed as specified in section 2.15 of RFC using
         * an RSA private key over a PKCS#1 padded hash.
         */
        AUTH_RSA = 1,
-       
+
        /**
-        * Computed as specified in section 2.15 of RFC using the 
-        * shared key associated with the identity in the ID payload 
+        * Computed as specified in section 2.15 of RFC using the
+        * shared key associated with the identity in the ID payload
         * and the negotiated prf function
         */
        AUTH_PSK = 2,
-       
+
        /**
-        * Computed as specified in section 2.15 of RFC using a 
+        * Computed as specified in section 2.15 of RFC using a
         * DSS private key over a SHA-1 hash.
         */
        AUTH_DSS = 3,
-       
+
        /**
         * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
         */
        AUTH_ECDSA_256 = 9,
-       
+
        /**
         * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
         */
        AUTH_ECDSA_384 = 10,
-       
+
        /**
         * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
         */
@@ -115,7 +115,7 @@ struct authenticator_t {
         *                                              - NEED_MORE if another exchange required
         */
        status_t (*process)(authenticator_t *this, message_t *message);
-       
+
        /**
         * Attach authentication data to an outgoing message.
         *
@@ -126,7 +126,7 @@ struct authenticator_t {
         *                                              - NEED_MORE if another exchange required
         */
        status_t (*build)(authenticator_t *this, message_t *message);
-       
+
        /**
         * Destroy authenticator instance.
         */
@@ -151,7 +151,7 @@ authenticator_t *authenticator_create_builder(
 
 /**
  * Create an authenticator to verify signatures.
- * 
+ *
  * @param ike_sa                       associated ike_sa
  * @param message                      message containing authentication data
  * @param received_nonce       nonce received in IKE_SA_INIT
index 24a4fd6ed78ea9be8343614336e7657a47682df2..eb4cb0c2d1e15011c26f33c593f5deedb4b53d4c 100644 (file)
@@ -25,22 +25,22 @@ typedef struct eap_entry_t eap_entry_t;
  * EAP constructor entry
  */
 struct eap_entry_t {
-       
+
        /**
         * EAP method type, vendor specific if vendor is set
         */
        eap_type_t type;
-       
+
        /**
         * vendor ID, 0 for default EAP methods
         */
        u_int32_t vendor;
-       
+
        /**
         * Role of the method returned by the constructor, EAP_SERVER or EAP_PEER
         */
        eap_role_t role;
-       
+
        /**
         * constructor function to create instance
         */
@@ -56,12 +56,12 @@ struct private_eap_manager_t {
         * public functions
         */
        eap_manager_t public;
-       
+
        /**
         * list of eap_entry_t's
         */
        linked_list_t *methods;
-       
+
        /**
         * rwlock to lock methods
         */
@@ -76,7 +76,7 @@ static void add_method(private_eap_manager_t *this, eap_type_t type,
                                           eap_constructor_t constructor)
 {
        eap_entry_t *entry = malloc_thing(eap_entry_t);
-       
+
        entry->type = type;
        entry->vendor = vendor;
        entry->role = role;
@@ -94,7 +94,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
 {
        enumerator_t *enumerator;
        eap_entry_t *entry;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->methods->create_enumerator(this->methods);
        while (enumerator->enumerate(enumerator, &entry))
@@ -120,7 +120,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
        enumerator_t *enumerator;
        eap_entry_t *entry;
        eap_method_t *method = NULL;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->methods->create_enumerator(this->methods);
        while (enumerator->enumerate(enumerator, &entry))
@@ -156,15 +156,15 @@ static void destroy(private_eap_manager_t *this)
 eap_manager_t *eap_manager_create()
 {
        private_eap_manager_t *this = malloc_thing(private_eap_manager_t);
-       
+
        this->public.add_method = (void(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, eap_constructor_t constructor))add_method;
        this->public.remove_method = (void(*)(eap_manager_t*, eap_constructor_t constructor))remove_method;
        this->public.create_instance = (eap_method_t*(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, identification_t*,identification_t*))create_instance;
        this->public.destroy = (void(*)(eap_manager_t*))destroy;
-       
+
        this->methods = linked_list_create();
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-       
+
        return &this->public;
 }
 
index 667c54a8e58ada966ba4b53fe65a32894c37c410..271bfc2bf9a89c6d9600d5c7a20b4372798d0af3 100644 (file)
@@ -45,14 +45,14 @@ struct eap_manager_t {
         */
        void (*add_method)(eap_manager_t *this, eap_type_t type, u_int32_t vendor,
                                           eap_role_t role, eap_constructor_t constructor);
-       
+
        /**
         * Unregister a EAP method implementation using it's constructor.
         *
         * @param constructor   constructor function to remove, as added in add_method
         */
        void (*remove_method)(eap_manager_t *this, eap_constructor_t constructor);
-       
+
        /**
         * Create a new EAP method instance.
         *
@@ -67,7 +67,7 @@ struct eap_manager_t {
                                                                         u_int32_t vendor, eap_role_t role,
                                                                         identification_t *server,
                                                                         identification_t *peer);
-       
+
        /**
      * Destroy a eap_manager instance.
      */
index 1d1900301202c4f364ec6be610d61dd0444a584e..791ab2dd9cdf85dc9f603cf1ac491ff16a7a6c91 100644 (file)
@@ -53,7 +53,7 @@ eap_type_t eap_type_from_string(char *name)
                {"mschapv2",    EAP_MSCHAPV2},
                {"radius",              EAP_RADIUS},
        };
-       
+
        for (i = 0; i < countof(types); i++)
        {
                if (strcaseeq(name, types[i].name))
index 578b89e962f2c8fb8b666de3a4b0e9377bf93686..61e8e2caaea6df356ab67f6d39d60523d96297ac 100644 (file)
@@ -107,7 +107,7 @@ extern enum_name_t *eap_code_names;
  * EAP-Identity exchange always uses identifier 0.
  */
 struct eap_method_t {
-       
+
        /**
         * Initiate the EAP exchange.
         *
@@ -121,7 +121,7 @@ struct eap_method_t {
         *                                      - FAILED, if unable to create eap request payload
         */
        status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
-       
+
        /**
         * Process a received EAP message.
         *
@@ -136,7 +136,7 @@ struct eap_method_t {
         */
        status_t (*process) (eap_method_t *this, eap_payload_t *in,
                                                 eap_payload_t **out);
-       
+
        /**
         * Get the EAP type implemented in this method.
         *
@@ -144,17 +144,17 @@ struct eap_method_t {
         * @return                      type of the EAP method
         */
        eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
-       
+
        /**
         * Check if this EAP method authenticates the server.
         *
-        * Some EAP methods provide mutual authentication and 
+        * Some EAP methods provide mutual authentication and
         * allow authentication using only EAP, if the peer supports it.
         *
         * @return                      TRUE if methods provides mutual authentication
         */
        bool (*is_mutual) (eap_method_t *this);
-       
+
        /**
         * Get the MSK established by this EAP method.
         *
@@ -167,7 +167,7 @@ struct eap_method_t {
         *                                      - FAILED, if MSK not established (yet)
         */
        status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
-       
+
        /**
         * Destroys a eap_method_t object.
         */
index 51cd4fb3f82f3428b45634900a45a4b6ab7ba9d9..b5edb75e218b674074bbf5b3327644ec1d895293 100644 (file)
@@ -23,17 +23,17 @@ typedef struct private_sim_manager_t private_sim_manager_t;
  * Private data of an sim_manager_t object.
  */
 struct private_sim_manager_t {
-       
+
        /**
         * Public sim_manager_t interface.
         */
        sim_manager_t public;
-       
+
        /**
         * list of added cards
         */
        linked_list_t *cards;
-       
+
        /**
         * list of added provider
         */
@@ -106,7 +106,7 @@ static void destroy(private_sim_manager_t *this)
 sim_manager_t *sim_manager_create()
 {
        private_sim_manager_t *this = malloc_thing(private_sim_manager_t);
-       
+
        this->public.add_card = (void(*)(sim_manager_t*, sim_card_t *card))add_card;
        this->public.remove_card = (void(*)(sim_manager_t*, sim_card_t *card))remove_card;
        this->public.create_card_enumerator = (enumerator_t*(*)(sim_manager_t*))create_card_enumerator;
@@ -114,10 +114,10 @@ sim_manager_t *sim_manager_create()
        this->public.remove_provider = (void(*)(sim_manager_t*, sim_provider_t *provider))remove_provider;
        this->public.create_provider_enumerator = (enumerator_t*(*)(sim_manager_t*))create_provider_enumerator;
        this->public.destroy = (void(*)(sim_manager_t*))destroy;
-       
+
        this->cards = linked_list_create();
        this->provider = linked_list_create();
-       
+
        return &this->public;
 }
 
index 3c6d66dfefbb27cd97e290100b305495ed74fdc0..260e73038dda20f4bfd5f7a148c14e80889b93ad 100644 (file)
@@ -42,7 +42,7 @@ struct sim_card_t {
         * @return              identity
         */
        identification_t* (*get_imsi)(sim_card_t *this);
-       
+
        /**
         * Calculate SRES/KC from a RAND.
         *
@@ -59,7 +59,7 @@ struct sim_card_t {
  * Interface for a triplet provider (used as EAP server).
  */
 struct sim_provider_t {
-       
+
        /**
         * Get a single triplet to authenticate a EAP client.
         *
@@ -77,49 +77,49 @@ struct sim_provider_t {
  * The EAP-SIM manager handles multiple SIM cards and providers.
  */
 struct sim_manager_t {
-       
+
        /**
         * Register a SIM card (client) at the manager.
         *
         * @param card          sim card to register
         */
        void (*add_card)(sim_manager_t *this, sim_card_t *card);
-       
+
        /**
         * Unregister a previously registered card from the manager.
         *
         * @param card          sim card to unregister
         */
        void (*remove_card)(sim_manager_t *this, sim_card_t *card);
-       
+
        /**
         * Create an enumerator over all registered cards.
         *
         * @return                      enumerator over sim_card_t's
         */
        enumerator_t* (*create_card_enumerator)(sim_manager_t *this);
-       
+
        /**
         * Register a triplet provider (server) at the manager.
         *
         * @param card          sim card to register
         */
        void (*add_provider)(sim_manager_t *this, sim_provider_t *provider);
-       
+
        /**
         * Unregister a previously registered provider from the manager.
         *
         * @param card          sim card to unregister
         */
        void (*remove_provider)(sim_manager_t *this, sim_provider_t *provider);
-       
+
        /**
         * Create an enumerator over all registered provider.
         *
         * @return                      enumerator over sim_provider_t's
         */
        enumerator_t* (*create_provider_enumerator)(sim_manager_t *this);
-       
+
        /**
         * Destroy a manager instance.
         */
index 2abdf7a0207f0b2612ee7e79113e6e1ec0cf6e86..30803dff0961dd560fd0d86710c13d5c387e466d 100644 (file)
@@ -26,62 +26,62 @@ typedef struct private_eap_authenticator_t private_eap_authenticator_t;
  * Private data of an eap_authenticator_t object.
  */
 struct private_eap_authenticator_t {
-       
+
        /**
         * Public authenticator_t interface.
         */
        eap_authenticator_t public;
-       
+
        /**
         * Assigned IKE_SA
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * others nonce to include in AUTH calculation
         */
        chunk_t received_nonce;
-       
+
        /**
         * our nonce to include in AUTH calculation
         */
        chunk_t sent_nonce;
-       
+
        /**
         * others IKE_SA_INIT message data to include in AUTH calculation
         */
        chunk_t received_init;
-       
+
        /**
         * our IKE_SA_INIT message data to include in AUTH calculation
         */
        chunk_t sent_init;
-       
+
        /**
         * Current EAP method processing
         */
        eap_method_t *method;
-       
+
        /**
         * MSK used to build and verify auth payload
         */
        chunk_t msk;
-       
+
        /**
         * EAP authentication method completed successfully
         */
        bool eap_complete;
-       
+
        /**
         * authentication payload verified successfully
         */
        bool auth_complete;
-       
+
        /**
         * generated EAP payload
         */
        eap_payload_t *eap_payload;
-       
+
        /**
         * EAP identity of peer
         */
@@ -95,7 +95,7 @@ static eap_method_t *load_method(private_eap_authenticator_t *this,
                                                        eap_type_t type, u_int32_t vendor, eap_role_t role)
 {
        identification_t *server, *peer;
-       
+
        if (role == EAP_SERVER)
        {
                server = this->ike_sa->get_my_id(this->ike_sa);
@@ -125,9 +125,9 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
        identification_t *id;
        u_int32_t vendor;
        eap_payload_t *out;
-       
+
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-       
+
        /* initiate EAP-Identity exchange if required */
        if (!this->eap_identity && do_identity)
        {
@@ -157,7 +157,7 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
                if (vendor)
                {
                        DBG1(DBG_IKE, "initiating EAP vendor type %d-%d", type, vendor);
-                       
+
                }
                else
                {
@@ -186,14 +186,14 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
        u_int32_t vendor, received_vendor;
        eap_payload_t *out;
        auth_cfg_t *cfg;
-       
+
        if (in->get_code(in) != EAP_RESPONSE)
        {
                DBG1(DBG_IKE, "received %N, sending %N",
                         eap_code_names, in->get_code(in), eap_code_names, EAP_FAILURE);
                return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
        }
-       
+
        type = this->method->get_type(this->method, &vendor);
        received_type = in->get_type(in, &received_vendor);
        if (type != received_type || vendor != received_vendor)
@@ -210,7 +210,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
                }
                return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
        }
-       
+
        switch (this->method->process(this->method, in, &out))
        {
                case NEED_MORE:
@@ -220,7 +220,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
                        {
                                chunk_t data;
                                char buf[256];
-                               
+
                                if (this->method->get_msk(this->method, &data) == SUCCESS)
                                {
                                        snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
@@ -262,7 +262,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
                        if (vendor)
                        {
                                DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
-                                        "peer %Y", type, vendor, 
+                                        "peer %Y", type, vendor,
                                         this->ike_sa->get_other_id(this->ike_sa));
                        }
                        else
@@ -286,9 +286,9 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
        auth_cfg_t *auth;
        eap_payload_t *out;
        identification_t *id;
-       
+
        type = in->get_type(in, &vendor);
-       
+
        if (!vendor && type == EAP_IDENTITY)
        {
                DESTROY_IF(this->eap_identity);
@@ -301,7 +301,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
                DBG1(DBG_IKE, "server requested %N, sending '%Y'",
                         eap_type_names, type, id);
                this->eap_identity = id->clone(id);
-               
+
                this->method = load_method(this, type, vendor, EAP_PEER);
                if (this->method)
                {
@@ -337,14 +337,14 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
                        return eap_payload_create_nak(in->get_identifier(in));
                }
        }
-       
+
        type = this->method->get_type(this->method, &vendor);
-       
+
        if (this->method->process(this->method, in, &out) == NEED_MORE)
        {       /* client methods should never return SUCCESS */
                return out;
        }
-       
+
        if (vendor)
        {
                DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", type, vendor);
@@ -367,7 +367,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
        identification_t *other_id;
        auth_cfg_t *auth;
        keymat_t *keymat;
-       
+
        auth_payload = (auth_payload_t*)message->get_payload(message,
                                                                                                                 AUTHENTICATION);
        if (!auth_payload)
@@ -388,7 +388,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
                return FALSE;
        }
        chunk_free(&auth_data);
-       
+
        DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
                 other_id, auth_class_names, AUTH_CLASS_EAP);
        this->auth_complete = TRUE;
@@ -407,13 +407,13 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message,
        identification_t *my_id;
        chunk_t auth_data;
        keymat_t *keymat;
-       
+
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        keymat = this->ike_sa->get_keymat(this->ike_sa);
-       
+
        DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
                 my_id, auth_class_names, AUTH_CLASS_EAP);
-       
+
        auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
        auth_payload = auth_payload_create();
        auth_payload->set_auth_method(auth_payload, AUTH_PSK);
@@ -429,7 +429,7 @@ static status_t process_server(private_eap_authenticator_t *this,
                                                           message_t *message)
 {
        eap_payload_t *eap_payload;
-       
+
        if (this->eap_complete)
        {
                if (!verify_auth(this, message, this->sent_nonce, this->received_init))
@@ -438,7 +438,7 @@ static status_t process_server(private_eap_authenticator_t *this,
                }
                return NEED_MORE;
        }
-       
+
        if (!this->method)
        {
                this->eap_payload = server_initiate_eap(this, TRUE);
@@ -465,7 +465,7 @@ static status_t build_server(private_eap_authenticator_t *this,
        if (this->eap_payload)
        {
                eap_code_t code;
-               
+
                code = this->eap_payload->get_code(this->eap_payload);
                message->add_payload(message, (payload_t*)this->eap_payload);
                this->eap_payload = NULL;
@@ -490,7 +490,7 @@ static status_t process_client(private_eap_authenticator_t *this,
                                                           message_t *message)
 {
        eap_payload_t *eap_payload;
-       
+
        if (this->eap_complete)
        {
                if (!verify_auth(this, message, this->sent_nonce, this->received_init))
@@ -499,7 +499,7 @@ static status_t process_client(private_eap_authenticator_t *this,
                }
                return SUCCESS;
        }
-       
+
        eap_payload = (eap_payload_t*)message->get_payload(message,
                                                                                                        EXTENSIBLE_AUTHENTICATION);
        if (eap_payload)
@@ -520,7 +520,7 @@ static status_t process_client(private_eap_authenticator_t *this,
                                eap_type_t type;
                                u_int32_t vendor;
                                auth_cfg_t *cfg;
-                               
+
                                if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
                                {
                                        this->msk = chunk_clone(this->msk);
@@ -561,7 +561,7 @@ static status_t process_client(private_eap_authenticator_t *this,
 /**
  * Implementation of authenticator_t.build for a client
  */
-static status_t build_client(private_eap_authenticator_t *this,        
+static status_t build_client(private_eap_authenticator_t *this,
                                                         message_t *message)
 {
        if (this->eap_payload)
@@ -598,11 +598,11 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
                                                                        chunk_t received_init, chunk_t sent_init)
 {
        private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
-       
+
        this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client;
        this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client;
        this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-       
+
        this->ike_sa = ike_sa;
        this->received_init = received_init;
        this->received_nonce = received_nonce;
@@ -614,7 +614,7 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
        this->eap_complete = FALSE;
        this->auth_complete = FALSE;
        this->eap_identity = NULL;
-       
+
        return &this->public;
 }
 
@@ -626,11 +626,11 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
                                                                        chunk_t received_init, chunk_t sent_init)
 {
        private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
-       
+
        this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server;
        this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server;
        this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-       
+
        this->ike_sa = ike_sa;
        this->received_init = received_init;
        this->received_nonce = received_nonce;
@@ -642,7 +642,7 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
        this->eap_complete = FALSE;
        this->auth_complete = FALSE;
        this->eap_identity = NULL;
-       
+
        return &this->public;
 }
 
index b90a6f4df917849516dc1e88ed411311a00d1135..41eb6a8c900eb9b72a23db77dd5be2761591f9e5 100644 (file)
@@ -83,7 +83,7 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 
 /**
  * Create an authenticator to authenticate EAP clients.
- * 
+ *
  * @param ike_sa                       associated ike_sa
  * @param received_nonce       nonce received in IKE_SA_INIT
  * @param sent_nonce           nonce sent in IKE_SA_INIT
index 742b677895152189d699e68962fc74707c7c1423..83a4b22726fe0587ca6eac266c93a75fc0ba660f 100644 (file)
@@ -35,12 +35,12 @@ struct private_psk_authenticator_t {
         * Assigned IKE_SA
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * nonce to include in AUTH calculation
         */
        chunk_t nonce;
-       
+
        /**
         * IKE_SA_INIT message data to include in AUTH calculation
         */
@@ -57,7 +57,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
        shared_key_t *key;
        chunk_t auth_data;
        keymat_t *keymat;
-       
+
        keymat = this->ike_sa->get_keymat(this->ike_sa);
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        other_id = this->ike_sa->get_other_id(this->ike_sa);
@@ -79,7 +79,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
        auth_payload->set_data(auth_payload, auth_data);
        chunk_free(&auth_data);
        message->add_payload(message, (payload_t*)auth_payload);
-       
+
        return SUCCESS;
 }
 
@@ -97,7 +97,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
        bool authenticated = FALSE;
        int keys_found = 0;
        keymat_t *keymat;
-       
+
        auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
        if (!auth_payload)
        {
@@ -112,7 +112,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
        while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
        {
                keys_found++;
-               
+
                auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
                                                                        this->nonce, key->get_key(key), other_id);
                if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
@@ -124,7 +124,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
                chunk_free(&auth_data);
        }
        enumerator->destroy(enumerator);
-       
+
        if (!authenticated)
        {
                if (keys_found == 0)
@@ -136,7 +136,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
                         keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
                return FAILED;
        }
-       
+
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
        return SUCCESS;
@@ -166,15 +166,15 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
                                                                        chunk_t received_nonce, chunk_t sent_init)
 {
        private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
-       
+
        this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
        this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
        this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-       
+
        this->ike_sa = ike_sa;
        this->ike_sa_init = sent_init;
        this->nonce = received_nonce;
-       
+
        return &this->public;
 }
 
@@ -185,15 +185,15 @@ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
                                                                        chunk_t sent_nonce, chunk_t received_init)
 {
        private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
-       
+
        this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed;
        this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
        this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-       
+
        this->ike_sa = ike_sa;
        this->ike_sa_init = received_init;
        this->nonce = sent_nonce;
-       
+
        return &this->public;
 }
 
index 5bb743d935cec52e6c13e91bb44882a78981e74d..0fab1109505c2b34ab0c419787059df17e5e975f 100644 (file)
@@ -49,7 +49,7 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
 
 /**
  * Create an authenticator to verify PSK signatures.
- * 
+ *
  * @param ike_sa                       associated ike_sa
  * @param sent_nonce           nonce sent in IKE_SA_INIT
  * @param received_init                received IKE_SA_INIT message data
index 44cabfb94c555614966eb9b10373378f891fc556..7e558db61685052c558a6d77d15640f2ac2e31c8 100644 (file)
@@ -26,22 +26,22 @@ typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
  * Private data of an pubkey_authenticator_t object.
  */
 struct private_pubkey_authenticator_t {
-       
+
        /**
         * Public authenticator_t interface.
         */
        pubkey_authenticator_t public;
-       
+
        /**
         * Assigned IKE_SA
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * nonce to include in AUTH calculation
         */
        chunk_t nonce;
-       
+
        /**
         * IKE_SA_INIT message data to include in AUTH calculation
         */
@@ -72,11 +72,11 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
                DBG1(DBG_IKE, "no private key found for '%Y'", id);
                return NOT_FOUND;
        }
-       
+
        switch (private->get_type(private))
        {
                case KEY_RSA:
-                       /* we currently use always SHA1 for signatures, 
+                       /* we currently use always SHA1 for signatures,
                         * TODO: support other hashes depending on configuration/auth */
                        scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
                        auth_method = AUTH_RSA;
@@ -86,7 +86,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
                        switch (private->get_keysize(private))
                        {
                                case 32:
-                                       scheme = SIGN_ECDSA_256; 
+                                       scheme = SIGN_ECDSA_256;
                                        auth_method = AUTH_ECDSA_256;
                                        break;
                                case 48:
@@ -121,11 +121,11 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
                status = SUCCESS;
        }
        DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
-                auth_method_names, auth_method, 
+                auth_method_names, auth_method,
                 (status == SUCCESS)? "successful":"failed");
        chunk_free(&octets);
        private->destroy(private);
-       
+
        return status;
 }
 
@@ -145,7 +145,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
        signature_scheme_t scheme;
        status_t status = NOT_FOUND;
        keymat_t *keymat;
-       
+
        auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
        if (!auth_payload)
        {
@@ -231,15 +231,15 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
                                                                        chunk_t received_nonce, chunk_t sent_init)
 {
        private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
-       
+
        this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
        this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
        this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-       
+
        this->ike_sa = ike_sa;
        this->ike_sa_init = sent_init;
        this->nonce = received_nonce;
-       
+
        return &this->public;
 }
 
@@ -250,14 +250,14 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
                                                                        chunk_t sent_nonce, chunk_t received_init)
 {
        private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
-       
+
        this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed;
        this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
        this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-       
+
        this->ike_sa = ike_sa;
        this->ike_sa_init = received_init;
        this->nonce = sent_nonce;
-       
+
        return &this->public;
 }
index e67f020ff6e9ce7a400f436d34866e2a923e78f3..be369cb89b4c31ba53a970b938a43cdb7f99da34 100644 (file)
@@ -50,7 +50,7 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
 
 /**
  * Create an authenticator to verify public key signatures.
- * 
+ *
  * @param ike_sa                       associated ike_sa
  * @param sent_nonce           nonce sent in IKE_SA_INIT
  * @param received_init                received IKE_SA_INIT message data
index a3dfeffa5596840b164d5ef5d711a3a4c0f35d22..1ea1befa2925a9cde57d9fe660fdac7579f81cae 100644 (file)
@@ -46,67 +46,67 @@ struct private_child_sa_t {
         * Public interface of child_sa_t.
         */
        child_sa_t public;
-       
+
        /**
         * address of us
         */
        host_t *my_addr;
-       
+
        /**
         * address of remote
         */
        host_t *other_addr;
-       
+
        /**
         * our actually used SPI, 0 if unused
         */
        u_int32_t my_spi;
-       
+
        /**
         * others used SPI, 0 if unused
         */
        u_int32_t other_spi;
-       
+
        /**
         * our Compression Parameter Index (CPI) used, 0 if unused
         */
        u_int16_t my_cpi;
-       
+
        /**
         * others Compression Parameter Index (CPI) used, 0 if unused
         */
        u_int16_t other_cpi;
-       
+
        /**
         * List for local traffic selectors
         */
        linked_list_t *my_ts;
-       
+
        /**
         * List for remote traffic selectors
         */
        linked_list_t *other_ts;
-       
+
        /**
         * Protocol used to protect this SA, ESP|AH
         */
        protocol_id_t protocol;
-       
+
        /**
         * reqid used for this child_sa
         */
        u_int32_t reqid;
-       
+
        /**
         * absolute time when rekeying is scheduled
         */
        time_t rekey_time;
-       
+
        /**
         * absolute time when the SA expires
         */
        time_t expire_time;
-       
+
        /**
         * state of the CHILD_SA
         */
@@ -116,22 +116,22 @@ struct private_child_sa_t {
         * Specifies if UDP encapsulation is enabled (NAT traversal)
         */
        bool encap;
-       
+
        /**
         * Specifies the IPComp transform used (IPCOMP_NONE if disabled)
         */
        ipcomp_transform_t ipcomp;
-       
+
        /**
         * mode this SA uses, tunnel/transport
         */
        ipsec_mode_t mode;
-       
+
        /**
         * selected proposal
         */
        proposal_t *proposal;
-       
+
        /**
         * config used to create this child
         */
@@ -320,7 +320,7 @@ static bool policy_enumerate(policy_enumerator_t *this,
                                 traffic_selector_t **my_out, traffic_selector_t **other_out)
 {
        traffic_selector_t *other_ts;
-       
+
        while (this->ts || this->mine->enumerate(this->mine, &this->ts))
        {
                if (!this->other->enumerate(this->other, &other_ts))
@@ -363,14 +363,14 @@ static void policy_destroy(policy_enumerator_t *this)
 static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
 {
        policy_enumerator_t *e = malloc_thing(policy_enumerator_t);
-       
+
        e->public.enumerate = (void*)policy_enumerate;
        e->public.destroy = (void*)policy_destroy;
        e->mine = this->my_ts->create_enumerator(this->my_ts);
        e->other = this->other_ts->create_enumerator(this->other_ts);
        e->list = this->other_ts;
        e->ts = NULL;
-       
+
        return &e->public;
 }
 
@@ -384,7 +384,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 {
        status_t status = FAILED;
        u_int64_t bytes;
-       
+
        if (inbound)
        {
                if (this->my_spi)
@@ -434,12 +434,12 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
        enumerator_t *enumerator;
        traffic_selector_t *my_ts, *other_ts;
        u_int32_t last_use = 0;
-       
+
        enumerator = create_policy_enumerator(this);
        while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
        {
                u_int32_t in, out, fwd;
-               
+
                if (inbound)
                {
                        if (charon->kernel_interface->query_policy(charon->kernel_interface,
@@ -552,7 +552,7 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
        host_t *src, *dst;
        status_t status;
        bool update = FALSE;
-       
+
        /* now we have to decide which spi to use. Use self allocated, if "in",
         * or the one in the proposal, if not "in" (others). Additionally,
         * source and dest host switch depending on the role */
@@ -574,20 +574,20 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
                this->other_spi = spi;
                this->other_cpi = cpi;
        }
-       
+
        DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
                 protocol_id_names, this->protocol);
-       
+
        /* send SA down to the kernel */
        DBG2(DBG_CHD, "  SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
-       
+
        this->proposal->get_algorithm(this->proposal, ENCRYPTION_ALGORITHM,
                                                                  &enc_alg, &size);
        this->proposal->get_algorithm(this->proposal, INTEGRITY_ALGORITHM,
                                                                  &int_alg, &size);
-       
+
        lifetime = this->config->get_lifetime(this->config);
-       
+
        now = time_monotonic(NULL);
        if (lifetime->time.rekey)
        {
@@ -597,19 +597,19 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
        {
                this->expire_time = now + lifetime->time.life;
        }
-       
+
        if (!lifetime->time.jitter && !inbound)
        {       /* avoid triggering multiple rekey events */
                lifetime->time.rekey = 0;
        }
-       
+
        status = charon->kernel_interface->add_sa(charon->kernel_interface,
                                src, dst, spi, this->protocol, this->reqid, lifetime,
                                enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi,
                                this->encap, update);
-       
+
        free(lifetime);
-       
+
        return status;
 }
 
@@ -623,7 +623,7 @@ static status_t add_policies(private_child_sa_t *this,
        traffic_selector_t *my_ts, *other_ts;
        status_t status = SUCCESS;
        bool routed = (this->state == CHILD_CREATED);
-       
+
        /* apply traffic selectors */
        enumerator = my_ts_list->create_enumerator(my_ts_list);
        while (enumerator->enumerate(enumerator, &my_ts))
@@ -637,7 +637,7 @@ static status_t add_policies(private_child_sa_t *this,
                this->other_ts->insert_last(this->other_ts, other_ts->clone(other_ts));
        }
        enumerator->destroy(enumerator);
-       
+
        if (this->config->install_policy(this->config))
        {
                /* enumerate pairs of traffic selectors */
@@ -649,7 +649,7 @@ static status_t add_policies(private_child_sa_t *this,
                                        this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
                                        this->other_spi, this->protocol, this->reqid, this->mode,
                                        this->ipcomp, this->other_cpi, routed);
-                       
+
                        status |= charon->kernel_interface->add_policy(charon->kernel_interface,
                                        this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
                                        this->my_spi, this->protocol, this->reqid, this->mode,
@@ -661,7 +661,7 @@ static status_t add_policies(private_child_sa_t *this,
                                        this->my_spi, this->protocol, this->reqid, this->mode,
                                        this->ipcomp, this->my_cpi, routed);
                        }
-                       
+
                        if (status != SUCCESS)
                        {
                                break;
@@ -669,7 +669,7 @@ static status_t add_policies(private_child_sa_t *this,
                }
                enumerator->destroy(enumerator);
        }
-       
+
        if (status == SUCCESS && this->state == CHILD_CREATED)
        {       /* switch to routed state if no SAD entry set up */
                set_state(this, CHILD_ROUTED);
@@ -685,19 +685,19 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 {
        child_sa_state_t old;
        bool transport_proxy_mode;
-       
+
        /* anything changed at all? */
        if (me->equals(me, this->my_addr) &&
                other->equals(other, this->other_addr) && this->encap == encap)
        {
                return SUCCESS;
        }
-       
+
        old = this->state;
        set_state(this, CHILD_UPDATING);
        transport_proxy_mode = this->config->use_proxy_mode(this->config) &&
                                                   this->mode == MODE_TRANSPORT;
-       
+
        if (!transport_proxy_mode)
        {
                /* update our (initator) SA */
@@ -712,7 +712,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
                                return NOT_SUPPORTED;
                        }
                }
-               
+
                /* update his (responder) SA */
                if (this->other_spi)
                {
@@ -726,7 +726,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
                        }
                }
        }
-       
+
        if (this->config->install_policy(this->config))
        {
                /* update policies */
@@ -735,7 +735,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
                {
                        enumerator_t *enumerator;
                        traffic_selector_t *my_ts, *other_ts;
-                       
+
                        /* always use high priorities, as hosts getting updated are INSTALLED */
                        enumerator = create_policy_enumerator(this);
                        while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
@@ -750,7 +750,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
                                        charon->kernel_interface->del_policy(charon->kernel_interface,
                                                                                        other_ts, my_ts, POLICY_FWD, FALSE);
                                }
-                               
+
                                /* check whether we have to update a "dynamic" traffic selector */
                                if (!me->ip_equals(me, this->my_addr) &&
                                        my_ts->is_host(my_ts, this->my_addr))
@@ -762,7 +762,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
                                {
                                        other_ts->set_address(other_ts, other);
                                }
-                               
+
                                /* we reinstall the virtual IP to handle interface roaming
                                 * correctly */
                                if (vip)
@@ -770,7 +770,7 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
                                        charon->kernel_interface->del_ip(charon->kernel_interface, vip);
                                        charon->kernel_interface->add_ip(charon->kernel_interface, vip, me);
                                }
-                               
+
                                /* reinstall updated policies */
                                charon->kernel_interface->add_policy(charon->kernel_interface,
                                                me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
@@ -821,9 +821,9 @@ static void destroy(private_child_sa_t *this)
        enumerator_t *enumerator;
        traffic_selector_t *my_ts, *other_ts;
        bool unrouted = (this->state == CHILD_ROUTED);
-       
+
        set_state(this, CHILD_DESTROYING);
-       
+
        /* delete SAs in the kernel, if they are set up */
        if (this->my_spi)
        {
@@ -843,7 +843,7 @@ static void destroy(private_child_sa_t *this)
                                        this->my_addr, this->other_addr, this->other_spi,
                                        this->protocol, this->other_cpi);
        }
-       
+
        if (this->config->install_policy(this->config))
        {
                /* delete all policies in the kernel */
@@ -862,7 +862,7 @@ static void destroy(private_child_sa_t *this)
                }
                enumerator->destroy(enumerator);
        }
-       
+
        this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
        this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
        this->my_addr->destroy(this->my_addr);
@@ -908,7 +908,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
        this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
        this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
        this->public.destroy = (void(*)(child_sa_t*))destroy;
-       
+
        /* private data */
        this->my_addr = me->clone(me);
        this->other_addr = other->clone(other);
@@ -934,7 +934,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
        this->expire_time = 0;
        this->config = config;
        config->get_ref(config);
-       
+
        /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
        if (config->get_mode(config) == MODE_TRANSPORT &&
            config->use_proxy_mode(config))
@@ -946,9 +946,9 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
                enumerator_t *enumerator;
                linked_list_t *my_ts_list, *other_ts_list;
                traffic_selector_t *my_ts, *other_ts;
-               
+
                this->mode = MODE_TRANSPORT;
-               
+
                my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, me);
                enumerator = my_ts_list->create_enumerator(my_ts_list);
                if (enumerator->enumerate(enumerator, &my_ts))
@@ -969,7 +969,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
                }
                enumerator->destroy(enumerator);
                my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy));
-               
+
                other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, other);
                enumerator = other_ts_list->create_enumerator(other_ts_list);
                if (enumerator->enumerate(enumerator, &other_ts))
@@ -991,6 +991,6 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
                enumerator->destroy(enumerator);
                other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy));
        }
-       
+
        return &this->public;
 }
index 3931d5186bb4faf448907dd78969b0ad2115c8fe..a45b4c3e44aa2e8bd57b0edcbac28f49c47a6544 100644 (file)
@@ -36,42 +36,42 @@ typedef struct child_sa_t child_sa_t;
  * States of a CHILD_SA
  */
 enum child_sa_state_t {
-       
+
        /**
         * Just created, uninstalled CHILD_SA
         */
        CHILD_CREATED,
-       
+
        /**
         * Installed SPD, but no SAD entries
         */
        CHILD_ROUTED,
-       
+
        /**
         * Installing an in-use CHILD_SA
         */
        CHILD_INSTALLING,
-       
+
        /**
         * Installed an in-use CHILD_SA
         */
        CHILD_INSTALLED,
-       
+
        /**
         * While updating hosts, in update_hosts()
         */
        CHILD_UPDATING,
-       
+
        /**
         * CHILD_SA which is rekeying
         */
        CHILD_REKEYING,
-       
+
        /**
         * CHILD_SA in progress of delete
         */
        CHILD_DELETING,
-       
+
        /**
         * CHILD_SA object gets destroyed
         */
@@ -102,14 +102,14 @@ extern enum_name_t *child_sa_state_names;
  * Once SAs are set up, policies can be added using add_policies.
  */
 struct child_sa_t {
-       
+
        /**
         * Get the name of the config this CHILD_SA uses.
         *
         * @return                      name
         */
        char* (*get_name) (child_sa_t *this);
-       
+
        /**
         * Get the reqid of the CHILD SA.
         *
@@ -119,28 +119,28 @@ struct child_sa_t {
         * @return                      reqid of the CHILD SA
         */
        u_int32_t (*get_reqid)(child_sa_t *this);
-       
+
        /**
         * Get the config used to set up this child sa.
         *
         * @return                      child_cfg
         */
        child_cfg_t* (*get_config) (child_sa_t *this);
-       
+
        /**
         * Get the state of the CHILD_SA.
         *
         * @return                      CHILD_SA state
         */
        child_sa_state_t (*get_state) (child_sa_t *this);
-       
+
        /**
         * Set the state of the CHILD_SA.
         *
         * @param state         state to set on CHILD_SA
         */
        void (*set_state) (child_sa_t *this, child_sa_state_t state);
-       
+
        /**
         * Get the SPI of this CHILD_SA.
         *
@@ -152,7 +152,7 @@ struct child_sa_t {
         * @return                      SPI of the CHILD SA
         */
        u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
-       
+
        /**
         * Get the CPI of this CHILD_SA.
         *
@@ -171,63 +171,63 @@ struct child_sa_t {
         * @return                      AH | ESP
         */
        protocol_id_t (*get_protocol) (child_sa_t *this);
-       
+
        /**
         * Set the negotiated protocol to use for this CHILD_SA.
         *
         * @param protocol      AH | ESP
         */
        void (*set_protocol)(child_sa_t *this, protocol_id_t protocol);
-       
+
        /**
         * Get the IPsec mode of this CHILD_SA.
         *
         * @return                      TUNNEL | TRANSPORT | BEET
         */
        ipsec_mode_t (*get_mode)(child_sa_t *this);
-       
+
        /**
         * Set the negotiated IPsec mode to use.
         *
         * @param mode          TUNNEL | TRANPORT | BEET
         */
        void (*set_mode)(child_sa_t *this, ipsec_mode_t mode);
-       
+
        /**
         * Get the used IPComp algorithm.
         *
         * @return                      IPComp compression algorithm.
         */
        ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
-       
+
        /**
         * Set the IPComp algorithm to use.
         *
         * @param ipcomp        the IPComp transform to use
         */
        void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
-       
+
        /**
         * Get the selected proposal.
         *
         * @return                      selected proposal
         */
        proposal_t* (*get_proposal)(child_sa_t *this);
-       
+
        /**
         * Set the negotiated proposal.
         *
         * @param proposal      selected proposal
         */
        void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
-       
+
        /**
         * Check if this CHILD_SA uses UDP encapsulation.
         *
         * @return                      TRUE if SA encapsulates ESP packets
         */
        bool (*has_encap)(child_sa_t *this);
-       
+
        /**
         * Get the absolute time when the CHILD_SA expires or gets rekeyed.
         *
@@ -235,7 +235,7 @@ struct child_sa_t {
         * @return                      absolute time
         */
        time_t (*get_lifetime)(child_sa_t *this, bool hard);
-       
+
        /**
         * Get last use time and the number of bytes processed.
         *
@@ -245,7 +245,7 @@ struct child_sa_t {
         */
        void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
                                                 u_int64_t *bytes);
-       
+
        /**
         * Get the traffic selectors list added for one side.
         *
@@ -253,14 +253,14 @@ struct child_sa_t {
         * @return                      list of traffic selectors
         */
        linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
-       
+
        /**
         * Create an enumerator over installed policies.
         *
         * @return                      enumerator over pairs of traffic selectors.
         */
        enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
-       
+
        /**
         * Allocate an SPI to include in a proposal.
         *
@@ -269,14 +269,14 @@ struct child_sa_t {
         * @return                      SPI, 0 on failure
         */
        u_int32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol);
-       
+
        /**
         * Allocate a CPI to use for IPComp.
         *
         * @return                      CPI, 0 on failure
         */
        u_int16_t (*alloc_cpi)(child_sa_t *this);
-       
+
        /**
         * Install an IPsec SA for one direction.
         *
index f26cf9405564c54d1d13ca556cd349fb0722e87e..75a3242fcd168bc50a4dbc9f40b590db21a751b0 100644 (file)
@@ -53,22 +53,22 @@ struct private_connect_manager_t {
         * Public interface of connect_manager_t.
         */
         connect_manager_t public;
-       
+
         /**
          * Lock for exclusivly accessing the manager.
          */
         mutex_t *mutex;
-        
+
         /**
          * Hasher to generate signatures
          */
         hasher_t *hasher;
-        
+
         /**
          * Linked list with initiated mediated connections
          */
         linked_list_t *initiated;
-        
+
         /**
          * Linked list with checklists (hash table with connect ID as key would be better).
          */
@@ -93,22 +93,22 @@ typedef struct endpoint_pair_t endpoint_pair_t;
 struct endpoint_pair_t {
        /** pair id */
        u_int32_t id;
-       
+
        /** priority */
        u_int64_t priority;
-       
+
        /** local endpoint */
     host_t *local;
-    
+
     /** remote endpoint */
     host_t *remote;
-    
+
     /** state */
     check_state_t state;
-    
+
     /** number of retransmissions */
     u_int32_t retransmitted;
-    
+
     /** the generated packet */
     packet_t *packet;
 };
@@ -131,22 +131,22 @@ static endpoint_pair_t *endpoint_pair_create(endpoint_notify_t *initiator,
                endpoint_notify_t *responder, bool initiator_is_local)
 {
        endpoint_pair_t *this = malloc_thing(endpoint_pair_t);
-       
+
        this->id = 0;
-       
+
        u_int32_t pi = initiator->get_priority(initiator);
        u_int32_t pr = responder->get_priority(responder);
        this->priority = pow(2, 32) * min(pi, pr) + 2 * max(pi, pr) + (pi > pr ? 1 : 0);
-       
+
        this->local = initiator_is_local ? initiator->get_base(initiator) : responder->get_base(responder);
        this->local = this->local->clone(this->local);
        this->remote = initiator_is_local ? responder->get_host(responder) : initiator->get_host(initiator);
        this->remote = this->remote->clone(this->remote);
-       
+
        this->state = CHECK_WAITING;
        this->retransmitted = 0;
        this->packet = NULL;
-    
+
        return this;
 }
 
@@ -157,50 +157,50 @@ typedef struct check_list_t check_list_t;
  * An entry in the linked list.
  */
 struct check_list_t {
-       
+
        struct {
                /** initiator's id */
                identification_t *id;
-               
+
                /** initiator's key */
                chunk_t key;
-               
+
                /** initiator's endpoints */
                linked_list_t *endpoints;
        } initiator;
-       
+
        struct {
                /** responder's id */
                identification_t *id;
-               
+
                /** responder's key */
                chunk_t key;
-               
+
                /** responder's endpoints */
                linked_list_t *endpoints;
        } responder;
-       
+
        /** connect id */
        chunk_t connect_id;
-       
+
     /** list of endpoint pairs */
     linked_list_t *pairs;
-    
+
     /** pairs queued for triggered checks */
     linked_list_t *triggered;
-    
+
     /** state */
     check_state_t state;
-    
+
     /** TRUE if this is the initiator */
        bool is_initiator;
-       
+
        /** TRUE if the initiator is finishing the checks */
        bool is_finishing;
-       
+
        /** the current sender job */
        job_t *sender;
-       
+
 };
 
 /**
@@ -210,18 +210,18 @@ static void check_list_destroy(check_list_t *this)
 {
        DESTROY_IF(this->initiator.id);
        DESTROY_IF(this->responder.id);
-       
+
        chunk_free(&this->connect_id);
        chunk_free(&this->initiator.key);
        chunk_free(&this->responder.key);
-       
+
        DESTROY_OFFSET_IF(this->initiator.endpoints, offsetof(endpoint_notify_t, destroy));
        DESTROY_OFFSET_IF(this->responder.endpoints, offsetof(endpoint_notify_t, destroy));
-       
+
        DESTROY_FUNCTION_IF(this->pairs, (void*)endpoint_pair_destroy);
        /* this list contains some of the same elements as contained in this->pairs */
-       DESTROY_IF(this->triggered); 
-       
+       DESTROY_IF(this->triggered);
+
        free(this);
 }
 
@@ -233,23 +233,23 @@ static check_list_t *check_list_create(identification_t *initiator, identificati
                bool is_initiator)
 {
        check_list_t *this = malloc_thing(check_list_t);
-       
+
        this->connect_id = chunk_clone(connect_id);
-       
+
        this->initiator.id = initiator->clone(initiator);
        this->initiator.key = chunk_clone(initiator_key);
        this->initiator.endpoints = initiator_endpoints->clone_offset(initiator_endpoints, offsetof(endpoint_notify_t, clone));
-       
+
        this->responder.id = responder->clone(responder);
        this->responder.key = chunk_empty;
     this->responder.endpoints = NULL;
-    
+
     this->pairs = linked_list_create();
     this->triggered = linked_list_create();
     this->state = CHECK_NONE;
     this->is_initiator = is_initiator;
     this->is_finishing = FALSE;
-    
+
        return this;
 }
 
@@ -261,10 +261,10 @@ typedef struct initiated_t initiated_t;
 struct initiated_t {
        /** my id */
        identification_t *id;
-       
+
        /** peer id */
        identification_t *peer_id;
-       
+
        /** list of mediated sas */
        linked_list_t *mediated;
 };
@@ -286,11 +286,11 @@ static void initiated_destroy(initiated_t *this)
 static initiated_t *initiated_create(identification_t *id, identification_t *peer_id)
 {
        initiated_t *this = malloc_thing(initiated_t);
-       
+
        this->id = id->clone(id);
        this->peer_id = peer_id->clone(peer_id);
        this->mediated = linked_list_create();
-    
+
        return this;
 }
 
@@ -303,22 +303,22 @@ typedef struct check_t check_t;
 struct check_t {
        /** message id */
        u_int32_t mid;
-       
+
        /** source of the connectivity check */
        host_t *src;
-       
+
        /** destination of the connectivity check */
        host_t *dst;
-       
+
        /** connect id */
        chunk_t connect_id;
-       
+
        /** endpoint */
        endpoint_notify_t *endpoint;
-       
+
        /** raw endpoint payload (to verify the signature) */
        chunk_t endpoint_raw;
-       
+
     /** connect auth */
     chunk_t auth;
 };
@@ -343,16 +343,16 @@ static void check_destroy(check_t *this)
 static check_t *check_create()
 {
        check_t *this = malloc_thing(check_t);
-       
+
        this->connect_id = chunk_empty;
        this->auth = chunk_empty;
        this->endpoint_raw = chunk_empty;
        this->src = NULL;
        this->dst = NULL;
        this->endpoint = NULL;
-       
+
        this->mid = 0;
-       
+
        return this;
 }
 
@@ -364,10 +364,10 @@ typedef struct callback_data_t callback_data_t;
 struct callback_data_t {
        /** connect manager */
        private_connect_manager_t *connect_manager;
-       
+
        /** connect id */
        chunk_t connect_id;
-       
+
        /** message (pair) id */
        u_int32_t mid;
 };
@@ -387,7 +387,7 @@ static void callback_data_destroy(callback_data_t *this)
 static callback_data_t *callback_data_create(private_connect_manager_t *connect_manager,
                chunk_t connect_id)
 {
-       callback_data_t *this = malloc_thing(callback_data_t);  
+       callback_data_t *this = malloc_thing(callback_data_t);
        this->connect_manager = connect_manager;
        this->connect_id = chunk_clone(connect_id);
        this->mid = 0;
@@ -413,7 +413,7 @@ typedef struct initiate_data_t initiate_data_t;
 struct initiate_data_t {
        /** checklist */
        check_list_t *checklist;
-       
+
        /** waiting mediated connections */
        initiated_t *initiated;
 };
@@ -434,7 +434,7 @@ static void initiate_data_destroy(initiate_data_t *this)
 static initiate_data_t *initiate_data_create(check_list_t *checklist, initiated_t *initiated)
 {
        initiate_data_t *this = malloc_thing(initiate_data_t);
-       
+
        this->checklist = checklist;
        this->initiated = initiated;
 
@@ -465,7 +465,7 @@ static void remove_initiated(private_connect_manager_t *this, initiated_t *initi
 {
        iterator_t *iterator;
        initiated_t *current;
-       
+
        iterator = this->initiated->create_iterator(this->initiated, TRUE);
        while (iterator->iterate(iterator, (void**)&current))
        {
@@ -501,7 +501,7 @@ static void remove_checklist(private_connect_manager_t *this, check_list_t *chec
 {
        iterator_t *iterator;
        check_list_t *current;
-       
+
        iterator = this->checklists->create_iterator(this->checklists, TRUE);
        while (iterator->iterate(iterator, (void**)&current))
        {
@@ -537,7 +537,7 @@ static void insert_pair_by_priority(linked_list_t *pairs, endpoint_pair_t *pair)
        iterator_t *iterator;
        endpoint_pair_t *current;
        bool inserted = FALSE;
-       
+
        iterator = pairs->create_iterator(pairs, TRUE);
        while (iterator->iterate(iterator, (void**)&current))
        {
@@ -549,7 +549,7 @@ static void insert_pair_by_priority(linked_list_t *pairs, endpoint_pair_t *pair)
                }
        }
        iterator->destroy(iterator);
-       
+
        if (!inserted)
        {
                pairs->insert_last(pairs, pair);
@@ -592,7 +592,7 @@ static bool match_succeeded_pair(endpoint_pair_t *current)
 }
 
 /**
- * Returns the best pair of state CHECK_SUCCEEDED from a checklist. 
+ * Returns the best pair of state CHECK_SUCCEEDED from a checklist.
  */
 static status_t get_best_valid_pair(check_list_t *checklist, endpoint_pair_t **pair)
 {
@@ -607,19 +607,19 @@ static bool match_waiting_pair(endpoint_pair_t *current)
 }
 
 /**
- * Returns and *removes* the first triggered pair in state CHECK_WAITING. 
+ * Returns and *removes* the first triggered pair in state CHECK_WAITING.
  */
 static status_t get_triggered_pair(check_list_t *checklist, endpoint_pair_t **pair)
 {
        iterator_t *iterator;
        endpoint_pair_t *current;
        status_t status = NOT_FOUND;
-       
+
        iterator = checklist->triggered->create_iterator(checklist->triggered, TRUE);
        while (iterator->iterate(iterator, (void**)&current))
        {
                iterator->remove(iterator);
-               
+
                if (current->state == CHECK_WAITING)
                {
                        if (pair)
@@ -631,7 +631,7 @@ static status_t get_triggered_pair(check_list_t *checklist, endpoint_pair_t **pa
                }
        }
        iterator->destroy(iterator);
-       
+
        return status;
 }
 
@@ -642,7 +642,7 @@ static void print_checklist(check_list_t *checklist)
 {
        iterator_t *iterator;
        endpoint_pair_t *current;
-       
+
        DBG1(DBG_IKE, "pairs on checklist %#B:", &checklist->connect_id);
        iterator = checklist->pairs->create_iterator(checklist->pairs, TRUE);
        while (iterator->iterate(iterator, (void**)&current))
@@ -662,20 +662,20 @@ static void prune_pairs(linked_list_t *pairs)
        iterator_t *iterator, *search;
        endpoint_pair_t *current, *other;
        u_int32_t id = 0;
-       
+
        iterator = pairs->create_iterator(pairs, TRUE);
        search = pairs->create_iterator(pairs, TRUE);
        while (iterator->iterate(iterator, (void**)&current))
        {
                current->id = ++id;
-               
+
                while (search->iterate(search, (void**)&other))
                {
                        if (current == other)
                        {
                                continue;
                        }
-                       
+
                        if (current->local->equals(current->local, other->local) &&
                                        current->remote->equals(current->remote, other->remote))
                        {
@@ -703,7 +703,7 @@ static void build_pairs(check_list_t *checklist)
        /* FIXME: limit endpoints and pairs */
        iterator_t *iterator_i, *iterator_r;
        endpoint_notify_t *initiator, *responder;
-       
+
        iterator_i = checklist->initiator.endpoints->create_iterator(checklist->initiator.endpoints, TRUE);
        while (iterator_i->iterate(iterator_i, (void**)&initiator))
        {
@@ -714,14 +714,14 @@ static void build_pairs(check_list_t *checklist)
                        {
                                continue;
                        }
-                       
+
                        insert_pair_by_priority(checklist->pairs,
                                        endpoint_pair_create(initiator, responder, checklist->is_initiator));
                }
                iterator_r->destroy(iterator_r);
        }
        iterator_i->destroy(iterator_i);
-       
+
        print_checklist(checklist);
 
        prune_pairs(checklist->pairs);
@@ -744,9 +744,9 @@ static status_t process_payloads(message_t *message, check_t *check)
                                        "connectivity check", payload_type_names, payload->get_type(payload));
                        continue;
                }
-               
+
                notify_payload_t *notify = (notify_payload_t*)payload;
-               
+
                switch (notify->get_notify_type(notify))
                {
                        case ME_ENDPOINT:
@@ -756,7 +756,7 @@ static status_t process_payloads(message_t *message, check_t *check)
                                        DBG1(DBG_IKE, "connectivity check contains multiple ME_ENDPOINT notifies");
                                        break;
                                }
-                               
+
                                endpoint_notify_t *endpoint = endpoint_notify_create_from_payload(notify);
                                if (!endpoint)
                                {
@@ -795,38 +795,38 @@ static status_t process_payloads(message_t *message, check_t *check)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        if (!check->connect_id.ptr || !check->endpoint || !check->auth.ptr)
        {
                DBG1(DBG_IKE, "at least one payload was missing from the connectivity check");
                return FAILED;
        }
-       
+
        return SUCCESS;
 }
 
 /**
  * Builds the signature for a connectivity check
  */
-static chunk_t build_signature(private_connect_manager_t *this, 
+static chunk_t build_signature(private_connect_manager_t *this,
                check_list_t *checklist, check_t *check, bool outbound)
 {
        u_int32_t mid;
        chunk_t mid_chunk, key_chunk, sig_chunk;
        chunk_t sig_hash;
-       
+
        mid = htonl(check->mid);
        mid_chunk = chunk_from_thing(mid);
-       
+
        key_chunk = (checklist->is_initiator && outbound) || (!checklist->is_initiator && !outbound)
                                        ? checklist->initiator.key : checklist->responder.key;
-       
+
        /* signature = SHA1( MID | ME_CONNECTID | ME_ENDPOINT | ME_CONNECTKEY ) */
        sig_chunk = chunk_cat("cccc", mid_chunk, check->connect_id, check->endpoint_raw, key_chunk);
        this->hasher->allocate_hash(this->hasher, sig_chunk, &sig_hash);
        DBG3(DBG_IKE, "sig_chunk %#B", &sig_chunk);
        DBG3(DBG_IKE, "sig_hash %#B", &sig_hash);
-       
+
        chunk_free(&sig_chunk);
        return sig_hash;
 }
@@ -837,7 +837,7 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
 
 /**
  * After one of the initiator's pairs has succeeded we finish the checks without
- * waiting for all the timeouts  
+ * waiting for all the timeouts
  */
 static job_requeue_t initiator_finish(callback_data_t *data)
 {
@@ -853,11 +853,11 @@ static job_requeue_t initiator_finish(callback_data_t *data)
                this->mutex->unlock(this->mutex);
                return JOB_REQUEUE_NONE;
        }
-       
+
        finish_checks(this, checklist);
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        return JOB_REQUEUE_NONE;
 }
 
@@ -891,7 +891,7 @@ static void update_checklist_state(private_connect_manager_t *this, check_list_t
                }
        }
        iterator->destroy(iterator);
-       
+
        if (checklist->is_initiator && succeeded && !checklist->is_finishing)
        {
                /* instead of waiting until all checks have finished (i.e. all
@@ -899,13 +899,13 @@ static void update_checklist_state(private_connect_manager_t *this, check_list_t
                 * right after the first check has succeeded. to allow a probably
                 * better pair to succeed, we still wait a certain time */
                DBG2(DBG_IKE, "fast finishing checks for checklist '%#B'", &checklist->connect_id);
-               
+
                callback_data_t *data = callback_data_create(this, checklist->connect_id);
                job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
                charon->scheduler->schedule_job_ms(charon->scheduler, job, ME_WAIT_TO_FINISH);
                checklist->is_finishing = TRUE;
        }
-       
+
        if (in_progress)
        {
                checklist->state = CHECK_IN_PROGRESS;
@@ -926,7 +926,7 @@ static void update_checklist_state(private_connect_manager_t *this, check_list_t
 static job_requeue_t retransmit(callback_data_t *data)
 {
        private_connect_manager_t *this = data->connect_manager;
-       
+
        this->mutex->lock(this->mutex);
 
        check_list_t *checklist;
@@ -937,7 +937,7 @@ static job_requeue_t retransmit(callback_data_t *data)
                this->mutex->unlock(this->mutex);
                return JOB_REQUEUE_NONE;
        }
-       
+
        endpoint_pair_t *pair;
        if (get_pair_by_id(checklist, data->mid, &pair) != SUCCESS)
        {
@@ -945,14 +945,14 @@ static job_requeue_t retransmit(callback_data_t *data)
                                data->mid);
                goto retransmit_end;
        }
-       
+
        if (pair->state != CHECK_IN_PROGRESS)
        {
                DBG2(DBG_IKE, "pair with id '%d' is in wrong state [%d], don't retransmit the connectivity check",
                                data->mid, pair->state);
                goto retransmit_end;
        }
-       
+
        if (++pair->retransmitted > ME_MAX_RETRANS)
        {
                DBG2(DBG_IKE, "pair with id '%d' failed after %d retransmissions",
@@ -960,14 +960,14 @@ static job_requeue_t retransmit(callback_data_t *data)
                pair->state = CHECK_FAILED;
                goto retransmit_end;
        }
-       
+
        charon->sender->send(charon->sender, pair->packet->clone(pair->packet));
-       
+
        queue_retransmission(this, checklist, pair);
 
 retransmit_end:
        update_checklist_state(this, checklist);
-       
+
        switch(checklist->state)
        {
                case CHECK_SUCCEEDED:
@@ -977,9 +977,9 @@ retransmit_end:
                default:
                        break;
        }
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        /* we reschedule it manually */
        return JOB_REQUEUE_NONE;
 }
@@ -991,7 +991,7 @@ static void queue_retransmission(private_connect_manager_t *this, check_list_t *
 {
        callback_data_t *data = retransmit_data_create(this, checklist->connect_id, pair->id);
        job_t *job = (job_t*)callback_job_create((callback_job_cb_t)retransmit, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-       
+
        u_int32_t retransmission = pair->retransmitted + 1;
        u_int32_t rto = ME_INTERVAL;
        if (retransmission > ME_BOOST)
@@ -999,7 +999,7 @@ static void queue_retransmission(private_connect_manager_t *this, check_list_t *
                rto = (u_int32_t)(ME_INTERVAL * pow(ME_RETRANS_BASE, retransmission - ME_BOOST));
        }
        DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms", retransmission, pair->id, rto);
-       
+
        charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)job, rto);
 }
 
@@ -1015,28 +1015,28 @@ static void send_check(private_connect_manager_t *this, check_list_t *checklist,
        message->set_request(message, request);
        message->set_destination(message, check->dst->clone(check->dst));
        message->set_source(message, check->src->clone(check->src));
-       
+
        ike_sa_id_t *ike_sa_id = ike_sa_id_create(0, 0, request);
        message->set_ike_sa_id(message, ike_sa_id);
        ike_sa_id->destroy(ike_sa_id);
 
        message->add_notify(message, FALSE, ME_CONNECTID, check->connect_id);
        DBG2(DBG_IKE, "send ME_CONNECTID %#B", &check->connect_id);
-       
+
        notify_payload_t *endpoint = check->endpoint->build_notify(check->endpoint);
        check->endpoint_raw = chunk_clone(endpoint->get_notification_data(endpoint));
        message->add_payload(message, (payload_t*)endpoint);
        DBG2(DBG_IKE, "send ME_ENDPOINT notify");
-       
+
        check->auth = build_signature(this, checklist, check, TRUE);
        message->add_notify(message, FALSE, ME_CONNECTAUTH, check->auth);
        DBG2(DBG_IKE, "send ME_CONNECTAUTH %#B", &check->auth);
-       
+
        packet_t *packet;
        if (message->generate(message, NULL, NULL, &packet) == SUCCESS)
        {
                charon->sender->send(charon->sender, packet->clone(packet));
-               
+
                if (request)
                {
                        DESTROY_IF(pair->packet);
@@ -1055,13 +1055,13 @@ static void send_check(private_connect_manager_t *this, check_list_t *checklist,
 /**
  * Queues a triggered check
  */
-static void queue_triggered_check(private_connect_manager_t *this, 
+static void queue_triggered_check(private_connect_manager_t *this,
                check_list_t *checklist, endpoint_pair_t *pair)
 {
        DBG2(DBG_IKE, "queueing triggered check for pair '%d'", pair->id);
        pair->state = CHECK_WAITING;
        checklist->triggered->insert_last(checklist->triggered, pair);
-       
+
        if (!checklist->sender)
        {
                /* if the sender is not running we restart it */
@@ -1077,7 +1077,7 @@ static job_requeue_t sender(callback_data_t *data)
        private_connect_manager_t *this = data->connect_manager;
 
        this->mutex->lock(this->mutex);
-       
+
        check_list_t *checklist;
        if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
        {
@@ -1086,15 +1086,15 @@ static job_requeue_t sender(callback_data_t *data)
                this->mutex->unlock(this->mutex);
                return JOB_REQUEUE_NONE;
        }
-       
+
        /* reset the sender */
        checklist->sender = NULL;
-       
+
        endpoint_pair_t *pair;
        if (get_triggered_pair(checklist, &pair) != SUCCESS)
        {
                DBG1(DBG_IKE, "no triggered check queued, sending an ordinary check");
-               
+
                if (checklist->pairs->find_first(checklist->pairs,
                                (linked_list_match_t)match_waiting_pair, (void**)&pair) != SUCCESS)
                {
@@ -1114,18 +1114,18 @@ static job_requeue_t sender(callback_data_t *data)
        check->dst = pair->remote->clone(pair->remote);
        check->connect_id = chunk_clone(checklist->connect_id);
        check->endpoint = endpoint_notify_create();
-       
+
        pair->state = CHECK_IN_PROGRESS;
-       
+
        send_check(this, checklist, check, pair, TRUE);
-       
+
        check_destroy(check);
-       
+
        /* schedule this job again */
        schedule_checks(this, checklist, ME_INTERVAL);
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        /* we reschedule it manually */
        return JOB_REQUEUE_NONE;
 }
@@ -1147,7 +1147,7 @@ static job_requeue_t initiate_mediated(initiate_data_t *data)
 {
        check_list_t *checklist = data->checklist;
        initiated_t *initiated = data->initiated;
-       
+
        endpoint_pair_t *pair;
        if (get_best_valid_pair(checklist, &pair) == SUCCESS)
        {
@@ -1169,7 +1169,7 @@ static job_requeue_t initiate_mediated(initiate_data_t *data)
        {
                /* this should (can?) not happen */
        }
-       
+
        return JOB_REQUEUE_NONE;
 }
 
@@ -1186,7 +1186,7 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
                {
                        remove_checklist(this, checklist);
                        remove_initiated(this, initiated);
-                       
+
                        initiate_data_t *data = initiate_data_create(checklist, initiated);
                        job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiate_mediated, data, (callback_job_cleanup_t)initiate_data_destroy, NULL);
                        charon->processor->queue_job(charon->processor, job);
@@ -1216,10 +1216,10 @@ static void process_response(private_connect_manager_t *this, check_t *check,
                                        pair->local, pair->remote);
                        pair->state = CHECK_SUCCEEDED;
                }
-               
+
                linked_list_t *local_endpoints = checklist->is_initiator ?
                        checklist->initiator.endpoints : checklist->responder.endpoints;
-               
+
                endpoint_notify_t *local_endpoint;
                if (endpoints_contain(local_endpoints,
                                check->endpoint->get_host(check->endpoint), &local_endpoint) != SUCCESS)
@@ -1229,9 +1229,9 @@ static void process_response(private_connect_manager_t *this, check_t *check,
                        local_endpoint->set_priority(local_endpoint, check->endpoint->get_priority(check->endpoint));
                        local_endpoints->insert_last(local_endpoints, local_endpoint);
                }
-               
+
                update_checklist_state(this, checklist);
-               
+
                switch(checklist->state)
                {
                        case CHECK_SUCCEEDED:
@@ -1253,17 +1253,17 @@ static void process_request(private_connect_manager_t *this, check_t *check,
 {
        linked_list_t *remote_endpoints = checklist->is_initiator ?
                                checklist->responder.endpoints : checklist->initiator.endpoints;
-               
+
        endpoint_notify_t *peer_reflexive, *remote_endpoint;
        peer_reflexive = endpoint_notify_create_from_host(PEER_REFLEXIVE, check->src, NULL);
        peer_reflexive->set_priority(peer_reflexive, check->endpoint->get_priority(check->endpoint));
-               
+
        if (endpoints_contain(remote_endpoints, check->src, &remote_endpoint) != SUCCESS)
        {
                remote_endpoint = peer_reflexive->clone(peer_reflexive);
                remote_endpoints->insert_last(remote_endpoints, remote_endpoint);
        }
-       
+
        endpoint_pair_t *pair;
        if (get_pair_by_hosts(checklist->pairs, check->dst, check->src, &pair) == SUCCESS)
        {
@@ -1286,31 +1286,31 @@ static void process_request(private_connect_manager_t *this, check_t *check,
        else
        {
                endpoint_notify_t *local_endpoint = endpoint_notify_create_from_host(HOST, check->dst, NULL);
-               
+
                endpoint_notify_t *initiator = checklist->is_initiator ? local_endpoint : remote_endpoint;
                endpoint_notify_t *responder = checklist->is_initiator ? remote_endpoint : local_endpoint;
-               
+
                pair = endpoint_pair_create(initiator, responder, checklist->is_initiator);
                pair->id = checklist->pairs->get_count(checklist->pairs) + 1;
-               
+
                insert_pair_by_priority(checklist->pairs, pair);
-               
+
                queue_triggered_check(this, checklist, pair);
-               
+
                local_endpoint->destroy(local_endpoint);
        }
-       
-       
+
+
        check_t *response = check_create();
-       
+
        response->mid = check->mid;
        response->src = check->dst->clone(check->dst);
        response->dst = check->src->clone(check->src);
        response->connect_id = chunk_clone(check->connect_id);
        response->endpoint = peer_reflexive;
-       
+
        send_check(this, checklist, response, pair, FALSE);
-       
+
        check_destroy(response);
 }
 
@@ -1327,14 +1327,14 @@ static void process_check(private_connect_manager_t *this, message_t *message)
                         message->get_message_id(message));
                return;
        }
-       
+
        check_t *check = check_create();
        check->mid = message->get_message_id(message);
        check->src = message->get_source(message);
        check->src = check->src->clone(check->src);
        check->dst = message->get_destination(message);
        check->dst = check->dst->clone(check->dst);
-       
+
        if (process_payloads(message, check) != SUCCESS)
        {
                DBG1(DBG_IKE, "invalid connectivity check %s received",
@@ -1342,9 +1342,9 @@ static void process_check(private_connect_manager_t *this, message_t *message)
                check_destroy(check);
                return;
        }
-       
+
        this->mutex->lock(this->mutex);
-       
+
        check_list_t *checklist;
        if (get_checklist_by_id(this, check->connect_id, &checklist) != SUCCESS)
        {
@@ -1354,8 +1354,8 @@ static void process_check(private_connect_manager_t *this, message_t *message)
                this->mutex->unlock(this->mutex);
                return;
        }
-       
-       chunk_t sig = build_signature(this, checklist, check, FALSE); 
+
+       chunk_t sig = build_signature(this, checklist, check, FALSE);
        if (!chunk_equals(sig, check->auth))
        {
                DBG1(DBG_IKE, "connectivity check verification failed");
@@ -1365,7 +1365,7 @@ static void process_check(private_connect_manager_t *this, message_t *message)
                return;
        }
        chunk_free(&sig);
-       
+
        if (message->get_request(message))
        {
                process_request(this, check, checklist);
@@ -1374,9 +1374,9 @@ static void process_check(private_connect_manager_t *this, message_t *message)
        {
                process_response(this, check, checklist);
        }
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        check_destroy(check);
 }
 
@@ -1399,8 +1399,8 @@ static bool check_and_register(private_connect_manager_t *this,
                this->initiated->insert_last(this->initiated, initiated);
                already_there = FALSE;
        }
-       
-       if (initiated->mediated->find_first(initiated->mediated, 
+
+       if (initiated->mediated->find_first(initiated->mediated,
                        (linked_list_match_t)mediated_sa->equals, NULL, mediated_sa) != SUCCESS)
        {
                initiated->mediated->insert_last(initiated->mediated, mediated_sa->clone(mediated_sa));
@@ -1427,7 +1427,7 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med
                this->mutex->unlock(this->mutex);
                return;
        }
-       
+
        ike_sa_id_t *waiting_sa;
        iterator_t *iterator = initiated->mediated->create_iterator(initiated->mediated, TRUE);
        while (iterator->iterate(iterator, (void**)&waiting_sa))
@@ -1448,9 +1448,9 @@ static status_t set_initiator_data(private_connect_manager_t *this,
                chunk_t connect_id, chunk_t key, linked_list_t *endpoints, bool is_initiator)
 {
        check_list_t *checklist;
-       
-       this->mutex->lock(this->mutex); 
-       
+
+       this->mutex->lock(this->mutex);
+
        if (get_checklist_by_id(this, connect_id, NULL) == SUCCESS)
        {
                DBG1(DBG_IKE, "checklist with id '%#B' already exists, aborting",
@@ -1458,12 +1458,12 @@ static status_t set_initiator_data(private_connect_manager_t *this,
                this->mutex->unlock(this->mutex);
                return FAILED;
        }
-       
+
        checklist = check_list_create(initiator, responder, connect_id, key, endpoints, is_initiator);
        this->checklists->insert_last(this->checklists, checklist);
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        return SUCCESS;
 }
 
@@ -1476,7 +1476,7 @@ static status_t set_responder_data(private_connect_manager_t *this,
        check_list_t *checklist;
 
        this->mutex->lock(this->mutex);
-       
+
        if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
        {
                DBG1(DBG_IKE, "checklist with id '%#B' not found",
@@ -1484,18 +1484,18 @@ static status_t set_responder_data(private_connect_manager_t *this,
                this->mutex->unlock(this->mutex);
                return NOT_FOUND;
        }
-       
+
        checklist->responder.key = chunk_clone(key);
        checklist->responder.endpoints = endpoints->clone_offset(endpoints, offsetof(endpoint_notify_t, clone));
        checklist->state = CHECK_WAITING;
-       
+
        build_pairs(checklist);
-       
+
        /* send the first check immediately */
        schedule_checks(this, checklist, 0);
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        return SUCCESS;
 }
 
@@ -1507,7 +1507,7 @@ static status_t stop_checks(private_connect_manager_t *this, chunk_t connect_id)
        check_list_t *checklist;
 
        this->mutex->lock(this->mutex);
-       
+
        if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
        {
                DBG1(DBG_IKE, "checklist with id '%#B' not found",
@@ -1515,14 +1515,14 @@ static status_t stop_checks(private_connect_manager_t *this, chunk_t connect_id)
                this->mutex->unlock(this->mutex);
                return NOT_FOUND;
        }
-       
+
        DBG1(DBG_IKE, "removing checklist with id '%#B'", &connect_id);
-       
+
        remove_checklist(this, checklist);
        check_list_destroy(checklist);
-       
+
        this->mutex->unlock(this->mutex);
-       
+
        return SUCCESS;
 }
 
@@ -1532,12 +1532,12 @@ static status_t stop_checks(private_connect_manager_t *this, chunk_t connect_id)
 static void destroy(private_connect_manager_t *this)
 {
        this->mutex->lock(this->mutex);
-       
+
        this->hasher->destroy(this->hasher);
        this->checklists->destroy_function(this->checklists, (void*)check_list_destroy);
        this->initiated->destroy_function(this->initiated, (void*)initiated_destroy);
-       
-       this->mutex->unlock(this->mutex);       
+
+       this->mutex->unlock(this->mutex);
        this->mutex->destroy(this->mutex);
        free(this);
 }
@@ -1556,7 +1556,7 @@ connect_manager_t *connect_manager_create()
        this->public.set_responder_data = (status_t(*)(connect_manager_t*,chunk_t,chunk_t,linked_list_t*))set_responder_data;
        this->public.process_check = (void(*)(connect_manager_t*,message_t*))process_check;
        this->public.stop_checks = (status_t(*)(connect_manager_t*,chunk_t))stop_checks;
-       
+
        this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (this->hasher == NULL)
        {
@@ -1564,11 +1564,11 @@ connect_manager_t *connect_manager_create()
                free(this);
                return NULL;
        }
-       
+
        this->checklists = linked_list_create();
        this->initiated = linked_list_create();
-       
+
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-       
+
        return (connect_manager_t*)this;
 }
index b5abc853c7d49b0c7df0182d3a279814928b1452..d21b5af28519793a1f342cc6af9bd216db79d862 100644 (file)
@@ -32,34 +32,34 @@ typedef struct connect_manager_t connect_manager_t;
  * connection with another peer.
  */
 struct connect_manager_t {
-       
+
        /**
         * Checks if a there is already a mediated connection registered
         * between two peers.
-        * 
+        *
         * @param id                            my id
         * @param peer_id                       the other peer's id
         * @param mediated_sa           the IKE_SA ID of the mediated connection
-        * @returns                             
+        * @returns
         *                                                      - TRUE, if there was already a mediated connection registered
         *                                                      - FALSE, otherwise
         */
        bool (*check_and_register) (connect_manager_t *this,
                        identification_t *id, identification_t *peer_id, ike_sa_id_t *mediated_sa);
-       
+
        /**
         * Checks if there are waiting connections with a specific peer.
         * If so, reinitiate them.
-        * 
+        *
         * @param id                            my id
         * @param peer_id                       the other peer's id
         */
        void (*check_and_initiate) (connect_manager_t *this, ike_sa_id_t *mediation_sa,
                        identification_t *id, identification_t *peer_id);
-       
+
        /**
         * Creates a checklist and sets the initiator's data.
-        * 
+        *
         * @param initiator                     ID of the initiator
         * @param responder                     ID of the responder
         * @param connect_id            the connect ID provided by the initiator
@@ -72,39 +72,39 @@ struct connect_manager_t {
        status_t (*set_initiator_data) (connect_manager_t *this,
                identification_t *initiator, identification_t *responder,
                chunk_t connect_id, chunk_t key, linked_list_t *endpoints, bool is_initiator);
-       
+
        /**
         * Updates a checklist and sets the responder's data. The checklist's
         * state is advanced to WAITING which means that checks will be sent.
-        * 
+        *
         * @param connect_id            the connect ID
         * @param chunk_t                       the responder's key
-        * @param endpoints                     the responder's endpoints 
-        * @returns                             
+        * @param endpoints                     the responder's endpoints
+        * @returns
         *                                                      - NOT_FOUND, if the checklist has not been found
         *                                                      - SUCCESS, otherwise
         */
        status_t (*set_responder_data) (connect_manager_t *this,
                chunk_t connect_id, chunk_t key, linked_list_t *endpoints);
-       
+
        /**
         * Stops checks for a checklist. Used after the responder received an IKE_SA_INIT
         * request which contains a ME_CONNECTID payload.
-        * 
+        *
         * @param connect_id            the connect ID
         * @returns
         *                                                      - NOT_FOUND, if the checklist has not been found
         *                                                      - SUCCESS, otherwise
         */
        status_t (*stop_checks) (connect_manager_t *this, chunk_t connect_id);
-       
+
        /**
         * Processes a connectivity check
-        * 
+        *
         * @param message                       the received message
         */
        void (*process_check) (connect_manager_t *this, message_t *message);
-       
+
        /**
         * Destroys the manager with all data.
         */
@@ -113,7 +113,7 @@ struct connect_manager_t {
 
 /**
  * Create a manager.
- * 
+ *
  * @returns    connect_manager_t object
  */
 connect_manager_t *connect_manager_create(void);
index e54a331d28f1b31d8cc196edc48e3b275d301473..157031dbec3409cf2d4cf7bfc9b15bd1dc058e06 100644 (file)
@@ -71,169 +71,169 @@ typedef struct attribute_entry_t attribute_entry_t;
  * Private data of an ike_sa_t object.
  */
 struct private_ike_sa_t {
-       
+
        /**
         * Public members
         */
        ike_sa_t public;
-       
+
        /**
         * Identifier for the current IKE_SA.
         */
        ike_sa_id_t *ike_sa_id;
-       
+
        /**
         * unique numerical ID for this IKE_SA.
         */
        u_int32_t unique_id;
-       
+
        /**
         * Current state of the IKE_SA
         */
        ike_sa_state_t state;
-       
+
        /**
         * IKE configuration used to set up this IKE_SA
         */
        ike_cfg_t *ike_cfg;
-       
+
        /**
         * Peer and authentication information to establish IKE_SA.
         */
        peer_cfg_t *peer_cfg;
-       
+
        /**
         * currently used authentication ruleset, local (as auth_cfg_t)
         */
        auth_cfg_t *my_auth;
-       
+
        /**
         * currently used authentication constraints, remote (as auth_cfg_t)
         */
        auth_cfg_t *other_auth;
-       
+
        /**
         * Selected IKE proposal
         */
        proposal_t *proposal;
-       
+
        /**
         * Juggles tasks to process messages
         */
        task_manager_t *task_manager;
-       
+
        /**
         * Address of local host
         */
        host_t *my_host;
-       
+
        /**
         * Address of remote host
         */
        host_t *other_host;
-       
+
 #ifdef ME
        /**
         * Are we mediation server
         */
        bool is_mediation_server;
-       
+
        /**
         * Server reflexive host
         */
        host_t *server_reflexive_host;
-       
+
        /**
         * Connect ID
         */
        chunk_t connect_id;
 #endif /* ME */
-       
+
        /**
         * Identification used for us
         */
        identification_t *my_id;
-       
+
        /**
         * Identification used for other
         */
        identification_t *other_id;
-       
+
        /**
         * EAP Identity exchange in EAP-Identity method
         */
        identification_t *eap_identity;;
-       
+
        /**
         * set of extensions the peer supports
         */
        ike_extension_t extensions;
-       
+
        /**
         * set of condition flags currently enabled for this IKE_SA
         */
        ike_condition_t conditions;
-       
+
        /**
         * Linked List containing the child sa's of the current IKE_SA.
         */
        linked_list_t *child_sas;
-       
+
        /**
         * keymat of this IKE_SA
         */
        keymat_t *keymat;
-       
+
        /**
         * Virtual IP on local host, if any
         */
        host_t *my_virtual_ip;
-       
+
        /**
         * Virtual IP on remote host, if any
         */
        host_t *other_virtual_ip;
-       
+
        /**
         * List of configuration attributes (attribute_entry_t)
         */
        linked_list_t *attributes;
-       
+
        /**
         * list of peers additional addresses, transmitted via MOBIKE
         */
        linked_list_t *additional_addresses;
-       
+
        /**
         * previously value of received DESTINATION_IP hash
         */
        chunk_t nat_detection_dest;
-       
+
        /**
         * number pending UPDATE_SA_ADDRESS (MOBIKE)
         */
        u_int32_t pending_updates;
-       
+
        /**
         * NAT keep alive interval
         */
        u_int32_t keepalive_interval;
-       
+
        /**
         * Timestamps for this IKE_SA
         */
        u_int32_t stats[STAT_MAX];
-       
+
        /**
         * how many times we have retried so far (keyingtries)
         */
        u_int32_t keyingtry;
-       
+
        /**
         * local host address to be used for IKE, set via MIGRATE kernel message
         */
        host_t *local_host;
-       
+
        /**
         * remote host address to be used for IKE, set via MIGRATE kernel message
         */
@@ -260,7 +260,7 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
        enumerator_t *enumerator;
        child_sa_t *child_sa;
        time_t use_time, current;
-       
+
        if (inbound)
        {
                use_time = this->stats[STAT_INBOUND];
@@ -276,7 +276,7 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
                use_time = max(use_time, current);
        }
        enumerator->destroy(enumerator);
-       
+
        return use_time;
 }
 
@@ -362,7 +362,7 @@ static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
        DESTROY_IF(this->peer_cfg);
        peer_cfg->get_ref(peer_cfg);
        this->peer_cfg = peer_cfg;
-       
+
        if (this->ike_cfg == NULL)
        {
                this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
@@ -421,22 +421,22 @@ static void send_keepalive(private_ike_sa_t *this)
 {
        send_keepalive_job_t *job;
        time_t last_out, now, diff;
-       
+
        if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
        {       /* disable keep alives if we are not NATed anymore */
                return;
        }
-       
+
        last_out = get_use_time(this, FALSE);
        now = time_monotonic(NULL);
-       
+
        diff = now - last_out;
-       
+
        if (diff >= this->keepalive_interval)
        {
                packet_t *packet;
                chunk_t data;
-               
+
                packet = packet_create();
                packet->set_source(packet, this->my_host->clone(this->my_host));
                packet->set_destination(packet, this->other_host->clone(this->other_host));
@@ -551,15 +551,15 @@ static status_t send_dpd(private_ike_sa_t *this)
 {
        job_t *job;
        time_t diff, delay;
-       
+
        delay = this->peer_cfg->get_dpd(this->peer_cfg);
-       
+
        if (delay == 0)
        {
                /* DPD disabled */
                return SUCCESS;
        }
-       
+
        if (this->task_manager->busy(this->task_manager))
        {
                /* an exchange is in the air, no need to start a DPD check */
@@ -577,7 +577,7 @@ static status_t send_dpd(private_ike_sa_t *this)
                        /* to long ago, initiate dead peer detection */
                        task_t *task;
                        ike_mobike_t *mobike;
-                       
+
                        if (supports_extension(this, EXT_MOBIKE) &&
                                has_condition(this, COND_NAT_HERE))
                        {
@@ -592,7 +592,7 @@ static status_t send_dpd(private_ike_sa_t *this)
                        }
                        diff = 0;
                        DBG1(DBG_IKE, "sending DPD request");
-                       
+
                        this->task_manager->queue_task(this->task_manager, task);
                        this->task_manager->initiate(this->task_manager);
                }
@@ -620,7 +620,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
                 get_name(this), this->unique_id,
                 ike_sa_state_names, this->state,
                 ike_sa_state_names, state);
-       
+
        switch (state)
        {
                case IKE_ESTABLISHED:
@@ -630,10 +630,10 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
                        {
                                job_t *job;
                                u_int32_t t;
-                       
+
                                /* calculate rekey, reauth and lifetime */
                                this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
-                               
+
                                /* schedule rekeying if we have a time which is smaller than
                                 * an already scheduled rekeying */
                                t = this->peer_cfg->get_rekey_time(this->peer_cfg);
@@ -676,7 +676,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
                                        charon->scheduler->schedule_job(charon->scheduler, job, t);
                                        DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
                                }
-                               
+
                                /* start DPD checks */
                                send_dpd(this);
                        }
@@ -707,9 +707,9 @@ static void reset(private_ike_sa_t *this)
        {
                this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
        }
-       
+
        set_state(this, IKE_CREATED);
-       
+
        this->task_manager->reset(this->task_manager, 0, 0);
 }
 
@@ -776,7 +776,7 @@ static void add_additional_address(private_ike_sa_t *this, host_t *host)
 {
        this->additional_addresses->insert_last(this->additional_addresses, host);
 }
-       
+
 /**
  * Implementation of ike_sa_t.create_additional_address_iterator.
  */
@@ -827,7 +827,7 @@ static u_int32_t get_pending_updates(private_ike_sa_t *this)
 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 {
        bool update = FALSE;
-       
+
        if (me == NULL)
        {
                me = this->my_host;
@@ -836,7 +836,7 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
        {
                other = this->other_host;
        }
-       
+
        /* apply hosts on first received message */
        if (this->my_host->is_anyaddr(this->my_host) ||
                this->other_host->is_anyaddr(this->other_host))
@@ -853,7 +853,7 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
                        set_my_host(this, me->clone(me));
                        update = TRUE;
                }
-               
+
                if (!other->equals(other, this->other_host))
                {
                        /* update others adress if we are NOT NATed,
@@ -866,13 +866,13 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
                        }
                }
        }
-       
+
        /* update all associated CHILD_SAs, if required */
        if (update)
        {
                iterator_t *iterator;
                child_sa_t *child_sa;
-       
+
                iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
                while (iterator->iterate(iterator, (void**)&child_sa))
                {
@@ -910,7 +910,7 @@ static void send_notify_response(private_ike_sa_t *this, message_t *request,
 {
        message_t *response;
        packet_t *packet;
-       
+
        response = message_create();
        response->set_exchange_type(response, request->get_exchange_type(request));
        response->set_request(response, FALSE);
@@ -1052,7 +1052,7 @@ static status_t initiate_mediated(private_ike_sa_t *this, host_t *me,
 static void resolve_hosts(private_ike_sa_t *this)
 {
        host_t *host;
-       
+
        if (this->remote_host)
        {
                host = this->remote_host->clone(this->remote_host);
@@ -1067,7 +1067,7 @@ static void resolve_hosts(private_ike_sa_t *this)
        {
                set_other_host(this, host);
        }
-       
+
        if (this->local_host)
        {
                host = this->local_host->clone(this->local_host);
@@ -1078,7 +1078,7 @@ static void resolve_hosts(private_ike_sa_t *this)
                host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
                                                                        this->my_host->get_family(this->my_host),
                                                                        IKEV2_UDP_PORT);
-       
+
                if (host && host->is_anyaddr(host) &&
                        !this->other_host->is_anyaddr(this->other_host))
                {
@@ -1111,11 +1111,11 @@ static status_t initiate(private_ike_sa_t *this,
                                                 traffic_selector_t *tsi, traffic_selector_t *tsr)
 {
        task_t *task;
-       
+
        if (this->state == IKE_CREATED)
        {
                resolve_hosts(this);
-               
+
                if (this->other_host->is_anyaddr(this->other_host)
 #ifdef ME
                        && !this->peer_cfg->get_mediated_by(this->peer_cfg)
@@ -1126,9 +1126,9 @@ static status_t initiate(private_ike_sa_t *this,
                        DBG1(DBG_IKE, "unable to initiate to %%any");
                        return DESTROY_ME;
                }
-               
+
                set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
-               
+
                task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
                this->task_manager->queue_task(this->task_manager, task);
                task = (task_t*)ike_natd_create(&this->public, TRUE);
@@ -1190,7 +1190,7 @@ static status_t initiate(private_ike_sa_t *this,
                }
 #endif /* ME */
        }
-       
+
        return this->task_manager->initiate(this->task_manager);
 }
 
@@ -1201,20 +1201,20 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 {
        status_t status;
        bool is_request;
-       
+
        if (this->state == IKE_PASSIVE)
        {       /* do not handle messages in passive state */
                return FAILED;
        }
-       
+
        is_request = message->get_request(message);
-       
+
        status = message->parse_body(message,
                                                                 this->keymat->get_crypter(this->keymat, TRUE),
                                                                 this->keymat->get_signer(this->keymat, TRUE));
        if (status != SUCCESS)
        {
-               
+
                if (is_request)
                {
                        switch (status)
@@ -1258,7 +1258,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
                         exchange_type_names, message->get_exchange_type(message),
                         message->get_request(message) ? "request" : "response",
                         message->get_message_id(message));
-               
+
                if (this->state == IKE_CREATED)
                {       /* invalid initiation attempt, close SA */
                        return DESTROY_ME;
@@ -1268,10 +1268,10 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
        else
        {
                host_t *me, *other;
-               
+
                me = message->get_destination(message);
                other = message->get_source(message);
-               
+
                /* if this IKE_SA is virgin, we check for a config */
                if (this->ike_cfg == NULL)
                {
@@ -1380,7 +1380,7 @@ static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
 {
        iterator_t *iterator;
        child_sa_t *current, *found = NULL;
-       
+
        iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
        while (iterator->iterate(iterator, (void**)&current))
        {
@@ -1409,7 +1409,7 @@ static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
                                                           u_int32_t spi)
 {
        child_rekey_t *child_rekey;
-       
+
        child_rekey = child_rekey_create(&this->public, protocol, spi);
        this->task_manager->queue_task(this->task_manager, &child_rekey->task);
        return this->task_manager->initiate(this->task_manager);
@@ -1422,7 +1422,7 @@ static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
                                                                u_int32_t spi)
 {
        child_delete_t *child_delete;
-       
+
        child_delete = child_delete_create(&this->public, protocol, spi);
        this->task_manager->queue_task(this->task_manager, &child_delete->task);
        return this->task_manager->initiate(this->task_manager);
@@ -1437,7 +1437,7 @@ static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
        iterator_t *iterator;
        child_sa_t *child_sa;
        status_t status = NOT_FOUND;
-       
+
        iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
        while (iterator->iterate(iterator, (void**)&child_sa))
        {
@@ -1487,9 +1487,9 @@ static status_t delete_(private_ike_sa_t *this)
 static status_t rekey(private_ike_sa_t *this)
 {
        ike_rekey_t *ike_rekey;
-       
+
        ike_rekey = ike_rekey_create(&this->public, TRUE);
-       
+
        this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
        return this->task_manager->initiate(this->task_manager);
 }
@@ -1516,7 +1516,7 @@ static status_t reauth(private_ike_sa_t *this)
                        )
                {
                        time_t now = time_monotonic(NULL);
-                       
+
                        DBG1(DBG_IKE, "IKE_SA will timeout in %V",
                                 &now, &this->stats[STAT_DELETE]);
                        return FAILED;
@@ -1545,7 +1545,7 @@ static status_t reestablish(private_ike_sa_t *this)
        child_cfg_t *child_cfg;
        bool required = FALSE;
        status_t status = FAILED;
-       
+
        /* check if we have children to keep up at all */
        iterator = create_child_sa_iterator(this);
        while (iterator->iterate(iterator, (void**)&child_sa))
@@ -1580,7 +1580,7 @@ static status_t reestablish(private_ike_sa_t *this)
        {
                return FAILED;
        }
-       
+
        /* check if we are able to reestablish this IKE_SA */
        if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
                (this->other_virtual_ip != NULL ||
@@ -1593,7 +1593,7 @@ static status_t reestablish(private_ike_sa_t *this)
                DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
                return FAILED;
        }
-       
+
        new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
        new->set_peer_cfg(new, this->peer_cfg);
        host = this->other_host;
@@ -1606,7 +1606,7 @@ static status_t reestablish(private_ike_sa_t *this)
        {
                new->set_virtual_ip(new, TRUE, host);
        }
-       
+
 #ifdef ME
        if (this->peer_cfg->is_mediation(this->peer_cfg))
        {
@@ -1649,7 +1649,7 @@ static status_t reestablish(private_ike_sa_t *this)
                }
                iterator->destroy(iterator);
        }
-       
+
        if (status == DESTROY_ME)
        {
                charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
@@ -1745,7 +1745,7 @@ static status_t roam(private_ike_sa_t *this, bool address)
 {
        host_t *src;
        ike_mobike_t *mobike;
-       
+
        switch (this->state)
        {
                case IKE_CREATED:
@@ -1768,7 +1768,7 @@ static status_t roam(private_ike_sa_t *this, bool address)
                }
                return SUCCESS;
        }
-       
+
        /* keep existing path if possible */
        src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
                                                                                        this->other_host, this->my_host);
@@ -1783,14 +1783,14 @@ static status_t roam(private_ike_sa_t *this, bool address)
                        return SUCCESS;
                }
                src->destroy(src);
-               
+
        }
        else
        {
                /* check if we find a route at all */
                enumerator_t *enumerator;
                host_t *addr;
-               
+
                src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
                                                                                                                this->other_host, NULL);
                if (!src)
@@ -1819,7 +1819,7 @@ static status_t roam(private_ike_sa_t *this, bool address)
                src->destroy(src);
        }
        set_condition(this, COND_STALE, FALSE);
-       
+
        /* update addresses with mobike, if supported ... */
        if (supports_extension(this, EXT_MOBIKE))
        {
@@ -1842,7 +1842,7 @@ static void add_configuration_attribute(private_ike_sa_t *this,
 {
        attribute_entry_t *entry;
        attribute_handler_t *handler;
-       
+
        handler = charon->attributes->handle(charon->attributes,
                                                                                 &this->public, type, data);
        if (handler)
@@ -1851,7 +1851,7 @@ static void add_configuration_attribute(private_ike_sa_t *this,
                entry->handler = handler;
                entry->type = type;
                entry->data = chunk_clone(data);
-               
+
                this->attributes->insert_last(this->attributes, entry);
        }
 }
@@ -1863,7 +1863,7 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 {
        child_sa_t *child_sa;
        attribute_entry_t *entry;
-       
+
        /* apply hosts and ids */
        this->my_host->destroy(this->my_host);
        this->other_host->destroy(this->other_host);
@@ -1873,7 +1873,7 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
        this->other_host = other->other_host->clone(other->other_host);
        this->my_id = other->my_id->clone(other->my_id);
        this->other_id = other->other_id->clone(other->other_id);
-       
+
        /* apply virtual assigned IPs... */
        if (other->my_virtual_ip)
        {
@@ -1885,7 +1885,7 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
                this->other_virtual_ip = other->other_virtual_ip;
                other->other_virtual_ip = NULL;
        }
-       
+
        /* ... and configuration attributes */
        while (other->attributes->remove_last(other->attributes,
                                                                                  (void**)&entry) == SUCCESS)
@@ -1899,7 +1899,7 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
        {
                send_keepalive(this);
        }
-       
+
 #ifdef ME
        if (other->is_mediation_server)
        {
@@ -1918,15 +1918,15 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
        {
                this->child_sas->insert_first(this->child_sas, (void*)child_sa);
        }
-       
+
        /* move pending tasks to the new IKE_SA */
        this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
-       
+
        /* reauthentication timeout survives a rekeying */
        if (other->stats[STAT_REAUTH])
        {
                time_t reauth, delete, now = time_monotonic(NULL);
-       
+
                this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
                reauth = this->stats[STAT_REAUTH] - now;
                delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
@@ -1948,11 +1948,11 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 static void destroy(private_ike_sa_t *this)
 {
        attribute_entry_t *entry;
-       
+
        charon->bus->set_sa(charon->bus, &this->public);
-       
+
        set_state(this, IKE_DESTROYING);
-       
+
        /* remove attributes first, as we pass the IKE_SA to the handler */
        while (this->attributes->remove_last(this->attributes,
                                                                                 (void**)&entry) == SUCCESS)
@@ -1963,15 +1963,15 @@ static void destroy(private_ike_sa_t *this)
                free(entry);
        }
        this->attributes->destroy(this->attributes);
-       
+
        this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
-       
+
        /* unset SA after here to avoid usage by the listeners */
        charon->bus->set_sa(charon->bus, NULL);
-       
+
        this->task_manager->destroy(this->task_manager);
        this->keymat->destroy(this->keymat);
-       
+
        if (this->my_virtual_ip)
        {
                charon->kernel_interface->del_ip(charon->kernel_interface,
@@ -2000,7 +2000,7 @@ static void destroy(private_ike_sa_t *this)
        chunk_free(&this->connect_id);
 #endif /* ME */
        free(this->nat_detection_dest.ptr);
-       
+
        DESTROY_IF(this->my_host);
        DESTROY_IF(this->other_host);
        DESTROY_IF(this->my_id);
@@ -2008,13 +2008,13 @@ static void destroy(private_ike_sa_t *this)
        DESTROY_IF(this->local_host);
        DESTROY_IF(this->remote_host);
        DESTROY_IF(this->eap_identity);
-       
+
        DESTROY_IF(this->ike_cfg);
        DESTROY_IF(this->peer_cfg);
        DESTROY_IF(this->proposal);
        this->my_auth->destroy(this->my_auth);
        this->other_auth->destroy(this->other_auth);
-       
+
        this->ike_sa_id->destroy(this->ike_sa_id);
        free(this);
 }
@@ -2026,7 +2026,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 {
        private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
        static u_int32_t unique_id = 0;
-       
+
        /* Public functions */
        this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
        this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
@@ -2099,7 +2099,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
        this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
 #endif /* ME */
-       
+
        /* initialize private fields */
        this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
        this->child_sas = linked_list_create();
@@ -2138,6 +2138,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->server_reflexive_host = NULL;
        this->connect_id = chunk_empty;
 #endif /* ME */
-       
+
        return &this->public;
 }
index 1f216fd7177db874e1d11ec06f5d4dbfcc4a3e75..525e80b0a5e4670c53b6353704eaf49585acfb3d 100644 (file)
@@ -66,7 +66,7 @@ typedef struct ike_sa_t ike_sa_t;
  * Extensions (or optional features) the peer supports
  */
 enum ike_extension_t {
-       
+
        /**
         * peer supports NAT traversal as specified in RFC4306
         */
@@ -76,12 +76,12 @@ enum ike_extension_t {
         * peer supports MOBIKE (RFC4555)
         */
        EXT_MOBIKE = (1<<1),
-       
+
        /**
         * peer supports HTTP cert lookups as specified in RFC4306
         */
        EXT_HASH_AND_URL = (1<<2),
-       
+
        /**
         * peer supports multiple authentication exchanges, RFC4739
         */
@@ -92,42 +92,42 @@ enum ike_extension_t {
  * Conditions of an IKE_SA, change during its lifetime
  */
 enum ike_condition_t {
-       
+
        /**
         * Connection is natted (or faked) somewhere
         */
        COND_NAT_ANY = (1<<0),
-       
+
        /**
         * we are behind NAT
         */
        COND_NAT_HERE = (1<<1),
-       
+
        /**
         * other is behind NAT
         */
        COND_NAT_THERE = (1<<2),
-       
+
        /**
         * Faking NAT to enforce UDP encapsulation
         */
        COND_NAT_FAKE = (1<<3),
-       
+
        /**
         * peer has been authenticated using EAP at least once
         */
        COND_EAP_AUTHENTICATED = (1<<4),
-       
+
        /**
         * received a certificate request from the peer
         */
        COND_CERTREQ_SEEN = (1<<5),
-       
+
        /**
         * Local peer is the "original" IKE initiator. Unaffected from rekeying.
         */
        COND_ORIGINAL_INITIATOR = (1<<6),
-       
+
        /**
         * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
         */
@@ -150,7 +150,7 @@ enum statistic_t {
        STAT_INBOUND,
        /** Timestamp of last outbound IKE packet */
        STAT_OUTBOUND,
-       
+
        STAT_MAX
 };
 
@@ -192,37 +192,37 @@ enum statistic_t {
    @endverbatim
  */
 enum ike_sa_state_t {
-       
+
        /**
         * IKE_SA just got created, but is not initiating nor responding yet.
         */
        IKE_CREATED,
-       
+
        /**
         * IKE_SA gets initiated actively or passively
         */
        IKE_CONNECTING,
-       
+
        /**
         * IKE_SA is fully established
         */
        IKE_ESTABLISHED,
-       
+
        /**
         * IKE_SA is managed externally and does not process messages
         */
        IKE_PASSIVE,
-       
+
        /**
         * IKE_SA rekeying in progress
         */
        IKE_REKEYING,
-       
+
        /**
         * IKE_SA is in progress of deletion
         */
        IKE_DELETING,
-       
+
        /**
         * IKE_SA object gets destroyed
         */
@@ -252,35 +252,35 @@ struct ike_sa_t {
         * @return                              ike_sa's ike_sa_id_t
         */
        ike_sa_id_t* (*get_id) (ike_sa_t *this);
-       
+
        /**
         * Get the numerical ID uniquely defining this IKE_SA.
         *
         * @return                              unique ID
         */
        u_int32_t (*get_unique_id) (ike_sa_t *this);
-       
+
        /**
         * Get the state of the IKE_SA.
         *
         * @return                              state of the IKE_SA
         */
        ike_sa_state_t (*get_state) (ike_sa_t *this);
-       
+
        /**
         * Set the state of the IKE_SA.
         *
         * @param state                 state to set for the IKE_SA
         */
        void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);
-       
+
        /**
         * Get the name of the connection this IKE_SA uses.
         *
         * @return                              name
         */
        char* (*get_name) (ike_sa_t *this);
-       
+
        /**
         * Get statistic values from the IKE_SA.
         *
@@ -288,35 +288,35 @@ struct ike_sa_t {
         * @return                              value as integer
         */
        u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
-       
+
        /**
         * Get the own host address.
         *
         * @return                              host address
         */
        host_t* (*get_my_host) (ike_sa_t *this);
-       
+
        /**
         * Set the own host address.
         *
         * @param me                    host address
         */
        void (*set_my_host) (ike_sa_t *this, host_t *me);
-       
+
        /**
         * Get the other peers host address.
         *
         * @return                              host address
         */
        host_t* (*get_other_host) (ike_sa_t *this);
-       
+
        /**
         * Set the others host address.
         *
         * @param other                 host address
         */
        void (*set_other_host) (ike_sa_t *this, host_t *other);
-       
+
        /**
         * Update the IKE_SAs host.
         *
@@ -326,35 +326,35 @@ struct ike_sa_t {
         * @param other                 new remote host address, or NULL
         */
        void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);
-       
+
        /**
         * Get the own identification.
         *
         * @return                              identification
         */
        identification_t* (*get_my_id) (ike_sa_t *this);
-       
+
        /**
         * Set the own identification.
         *
         * @param me                    identification
         */
        void (*set_my_id) (ike_sa_t *this, identification_t *me);
-       
+
        /**
         * Get the other peer's identification.
         *
         * @return                              identification
         */
        identification_t* (*get_other_id) (ike_sa_t *this);
-       
+
        /**
         * Set the other peer's identification.
         *
         * @param other                 identification
         */
        void (*set_other_id) (ike_sa_t *this, identification_t *other);
-       
+
        /**
         * Get the peers EAP identity.
         *
@@ -363,21 +363,21 @@ struct ike_sa_t {
         * @return                              identification, NULL if none set
         */
        identification_t* (*get_eap_identity) (ike_sa_t *this);
-       
+
        /**
         * Set the peer's EAP identity.
         *
         * @param id                    identification
         */
        void (*set_eap_identity) (ike_sa_t *this, identification_t *id);
-       
+
        /**
         * Get the config used to setup this IKE_SA.
         *
         * @return                              ike_config
         */
        ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
-       
+
        /**
         * Set the config to setup this IKE_SA.
         *
@@ -391,14 +391,14 @@ struct ike_sa_t {
         * @return                              peer_config
         */
        peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
-       
+
        /**
         * Set the peer config to use with this IKE_SA.
         *
         * @param config                peer_config to use
         */
        void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
-       
+
        /**
         * Get the authentication config with rules of the current auth round.
         *
@@ -406,21 +406,21 @@ struct ike_sa_t {
         * @return                              current cfg
         */
        auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
-       
+
        /**
         * Get the selected proposal of this IKE_SA.
         *
         * @return                              selected proposal
         */
        proposal_t* (*get_proposal)(ike_sa_t *this);
-       
+
        /**
         * Set the proposal selected for this IKE_SA.
         *
         * @param                               selected proposal
         */
        void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
-       
+
        /**
         * Set the message id of the IKE_SA.
         *
@@ -431,7 +431,7 @@ struct ike_sa_t {
         * @param mid                   message id to set
         */
        void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid);
-       
+
        /**
         * Add an additional address for the peer.
         *
@@ -443,14 +443,14 @@ struct ike_sa_t {
         * @param host                  host to add to list
         */
        void (*add_additional_address)(ike_sa_t *this, host_t *host);
-       
+
        /**
         * Create an iterator over all additional addresses of the peer.
         *
         * @return                              iterator over addresses
         */
        iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);
-       
+
        /**
         * Check if mappings have changed on a NAT for our source address.
         *
@@ -458,7 +458,7 @@ struct ike_sa_t {
         * @return                              TRUE if mappings have changed
         */
        bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
-       
+
        /**
         * Enable an extension the peer supports.
         *
@@ -468,7 +468,7 @@ struct ike_sa_t {
         * @param extension             extension to enable
         */
        void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
-       
+
        /**
         * Check if the peer supports an extension.
         *
@@ -476,7 +476,7 @@ struct ike_sa_t {
         * @return                              TRUE if peer supports it, FALSE otherwise
         */
        bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
-       
+
        /**
         * Enable/disable a condition flag for this IKE_SA.
         *
@@ -492,48 +492,48 @@ struct ike_sa_t {
         * @return                              TRUE if condition flag set, FALSE otherwise
         */
        bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
-       
+
        /**
         * Get the number of queued MOBIKE address updates.
         *
         * @return                              number of pending updates
         */
        u_int32_t (*get_pending_updates)(ike_sa_t *this);
-       
+
        /**
         * Set the number of queued MOBIKE address updates.
         *
         * @param updates               number of pending updates
         */
        void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
-       
+
 #ifdef ME
        /**
         * Activate mediation server functionality for this IKE_SA.
         */
        void (*act_as_mediation_server) (ike_sa_t *this);
-       
+
        /**
         * Get the server reflexive host.
         *
         * @return                              server reflexive host
         */
        host_t* (*get_server_reflexive_host) (ike_sa_t *this);
-       
+
        /**
         * Set the server reflexive host.
         *
         * @param host                  server reflexive host
         */
        void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
-       
+
        /**
         * Get the connect ID.
         *
         * @return                              connect ID
         */
        chunk_t (*get_connect_id) (ike_sa_t *this);
-       
+
        /**
         * Initiate the mediation of a mediated connection (i.e. initiate a
         * ME_CONNECT exchange to a mediation server).
@@ -544,7 +544,7 @@ struct ike_sa_t {
         *                                              - DESTROY_ME if initialization failed
         */
        status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
-       
+
        /**
         * Initiate the mediated connection
         *
@@ -557,7 +557,7 @@ struct ike_sa_t {
         */
        status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
                                                                   chunk_t connect_id);
-       
+
        /**
         * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
         * to a peer).
@@ -576,7 +576,7 @@ struct ike_sa_t {
        status_t (*relay) (ike_sa_t *this, identification_t *requester,
                                           chunk_t connect_id, chunk_t connect_key,
                                           linked_list_t *endpoints, bool response);
-       
+
        /**
         * Send a callback to a peer.
         *
@@ -588,7 +588,7 @@ struct ike_sa_t {
         *                                              - DESTROY_ME if response failed
         */
        status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
-       
+
        /**
         * Respond to a ME_CONNECT request.
         *
@@ -603,7 +603,7 @@ struct ike_sa_t {
        status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
                                                 chunk_t connect_id);
 #endif /* ME */
-       
+
        /**
         * Initiate a new connection.
         *
@@ -622,7 +622,7 @@ struct ike_sa_t {
        status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
                                                  u_int32_t reqid, traffic_selector_t *tsi,
                                                  traffic_selector_t *tsr);
-       
+
        /**
         * Initiates the deletion of an IKE_SA.
         *
@@ -637,7 +637,7 @@ struct ike_sa_t {
         *                                                deleted (but destroyed).
         */
        status_t (*delete) (ike_sa_t *this);
-       
+
        /**
         * Update IKE_SAs after network interfaces have changed.
         *
@@ -651,7 +651,7 @@ struct ike_sa_t {
         * @return                              SUCCESS, FAILED, DESTROY_ME
         */
        status_t (*roam)(ike_sa_t *this, bool address);
-       
+
        /**
         * Processes a incoming IKEv2-Message.
         *
@@ -666,7 +666,7 @@ struct ike_sa_t {
         *                                              - DESTROY_ME if this IKE_SA MUST be deleted
         */
        status_t (*process_message) (ike_sa_t *this, message_t *message);
-       
+
        /**
         * Generate a IKE message to send it to the peer.
         *
@@ -682,7 +682,7 @@ struct ike_sa_t {
         */
        status_t (*generate_message) (ike_sa_t *this, message_t *message,
                                                                  packet_t **packet);
-       
+
        /**
         * Retransmits a request.
         *
@@ -692,7 +692,7 @@ struct ike_sa_t {
         *                                              - NOT_FOUND if request doesn't have to be retransmited
         */
        status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);
-       
+
        /**
         * Sends a DPD request to the peer.
         *
@@ -705,7 +705,7 @@ struct ike_sa_t {
         *                                              - DESTROY_ME, if peer did not respond
         */
        status_t (*send_dpd) (ike_sa_t *this);
-       
+
        /**
         * Sends a keep alive packet.
         *
@@ -715,21 +715,21 @@ struct ike_sa_t {
         * was sent.
         */
        void (*send_keepalive) (ike_sa_t *this);
-       
+
        /**
         * Get the keying material of this IKE_SA.
         *
         * @return                              per IKE_SA keymat instance
         */
        keymat_t* (*get_keymat)(ike_sa_t *this);
-       
+
        /**
         * Associates a child SA to this IKE SA
         *
         * @param child_sa              child_sa to add
         */
        void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
-       
+
        /**
         * Get a CHILD_SA identified by protocol and SPI.
         *
@@ -740,14 +740,14 @@ struct ike_sa_t {
         */
        child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
                                                                 u_int32_t spi, bool inbound);
-       
+
        /**
         * Create an iterator over all CHILD_SAs.
         *
         * @return                              iterator
         */
        iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);
-       
+
        /**
         * Rekey the CHILD SA with the specified reqid.
         *
@@ -816,14 +816,14 @@ struct ike_sa_t {
         * @return                              DESTROY_ME to destroy the IKE_SA
         */
        status_t (*reestablish) (ike_sa_t *this);
-       
+
        /**
         * Set the lifetime limit received from a AUTH_LIFETIME notify.
         *
         * @param lifetime              lifetime in seconds
         */
        void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime);
-       
+
        /**
         * Set the virtual IP to use for this IKE_SA and its children.
         *
@@ -834,7 +834,7 @@ struct ike_sa_t {
         * @param ip                    IP to set as virtual IP
         */
        void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
-       
+
        /**
         * Get the virtual IP configured.
         *
@@ -842,7 +842,7 @@ struct ike_sa_t {
         * @return                              host_t *virtual IP
         */
        host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
-       
+
        /**
         * Register a configuration attribute to the IKE_SA.
         *
@@ -856,7 +856,7 @@ struct ike_sa_t {
         */
        void (*add_configuration_attribute)(ike_sa_t *this,
                                                        configuration_attribute_type_t type, chunk_t data);
-       
+
        /**
         * Set local and remote host addresses to be used for IKE.
         *
@@ -867,7 +867,7 @@ struct ike_sa_t {
         * @param remote                remote kmaddress
         */
        void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
-       
+
        /**
         * Inherit all attributes of other to this after rekeying.
         *
@@ -879,12 +879,12 @@ struct ike_sa_t {
         * @return                              DESTROY_ME if initiation of inherited task failed
         */
        status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);
-               
+
        /**
         * Reset the IKE_SA, useable when initiating fails
         */
        void (*reset) (ike_sa_t *this);
-       
+
        /**
         * Destroys a ike_sa_t object.
         */
index 377e64e8a7c4eb36fa4435b3da99a88cf9fe9ebe..0e7d7ea45c7cafdaa8f1785fdf516c28bc4605ee 100644 (file)
@@ -67,7 +67,7 @@ struct ike_sa_id_t {
 
        /**
         * Check if two ike_sa_id_t objects are equal.
-        * 
+        *
         * Two ike_sa_id_t objects are equal if both SPI values and the role matches.
         *
         * @param other                         ike_sa_id_t object to check if equal
@@ -78,7 +78,7 @@ struct ike_sa_id_t {
        /**
         * Replace all values of a given ike_sa_id_t object with values.
         * from another ike_sa_id_t object.
-        * 
+        *
         * After calling this function, both objects are equal.
         *
         * @param other                         ike_sa_id_t object from which values will be taken
@@ -94,7 +94,7 @@ struct ike_sa_id_t {
 
        /**
         * Switche the original initiator flag.
-        * 
+        *
         * @return                                      TRUE if we are the original initator after switch, FALSE otherwise
         */
        bool (*switch_initiator) (ike_sa_id_t *this);
index ec1a7f741e5096c1d67945db7bc6d9a77cec97bb..0ad39f3e553abe42235ebe345494eb426dab465b 100644 (file)
@@ -41,67 +41,67 @@ typedef struct entry_t entry_t;
  * An entry in the linked list, contains IKE_SA, locking and lookup data.
  */
 struct entry_t {
-       
+
        /**
         * Number of threads waiting for this ike_sa_t object.
         */
        int waiting_threads;
-       
+
        /**
         * Condvar where threads can wait until ike_sa_t object is free for use again.
         */
        condvar_t *condvar;
-       
+
        /**
         * Is this ike_sa currently checked out?
         */
        bool checked_out;
-       
+
        /**
         * Does this SA drives out new threads?
         */
        bool driveout_new_threads;
-       
+
        /**
         * Does this SA drives out waiting threads?
         */
        bool driveout_waiting_threads;
-       
+
        /**
         * Identification of an IKE_SA (SPIs).
         */
        ike_sa_id_t *ike_sa_id;
-       
+
        /**
         * The contained ike_sa_t object.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * hash of the IKE_SA_INIT message, used to detect retransmissions
         */
        chunk_t init_hash;
-       
+
        /**
         * remote host address, required for DoS detection
         */
        host_t *other;
-       
+
        /**
         * As responder: Is this SA half-open?
         */
        bool half_open;
-               
+
        /**
         * own identity, required for duplicate checking
         */
        identification_t *my_id;
-       
+
        /**
         * remote identity, required for duplicate checking
         */
        identification_t *other_id;
-       
+
        /**
         * message ID currently processing, if any
         */
@@ -131,10 +131,10 @@ static status_t entry_destroy(entry_t *this)
 static entry_t *entry_create()
 {
        entry_t *this = malloc_thing(entry_t);
-       
+
        this->waiting_threads = 0;
        this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
-       
+
        /* we set checkout flag when we really give it out */
        this->checked_out = FALSE;
        this->driveout_new_threads = FALSE;
@@ -147,7 +147,7 @@ static entry_t *entry_create()
        this->other_id = NULL;
        this->ike_sa_id = NULL;
        this->ike_sa = NULL;
-       
+
        return this;
 }
 
@@ -171,7 +171,7 @@ static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
        if (id->equals(id, entry->ike_sa_id))
        {
                return TRUE;
-       }       
+       }
        if ((id->get_responder_spi(id) == 0 ||
                 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
                id->is_initiator(id) == entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
@@ -208,7 +208,7 @@ typedef struct half_open_t half_open_t;
 struct half_open_t {
        /** chunk of remote host address */
        chunk_t other;
-       
+
        /** the number of half-open IKE_SAs with that host */
        u_int count;
 };
@@ -235,10 +235,10 @@ typedef struct connected_peers_t connected_peers_t;
 struct connected_peers_t {
        /** own identity */
        identification_t *my_id;
-       
+
        /** remote identity */
        identification_t *other_id;
-       
+
        /** list of ike_sa_id_t objects of IKE_SAs between the two identities */
        linked_list_t *sas;
 };
@@ -269,7 +269,7 @@ typedef struct segment_t segment_t;
 struct segment_t {
        /** mutex to access a segment exclusively */
        mutex_t *mutex;
-       
+
        /** the number of entries in this segment */
        u_int count;
 };
@@ -282,7 +282,7 @@ typedef struct shareable_segment_t shareable_segment_t;
 struct shareable_segment_t {
        /** rwlock to access a segment non-/exclusively */
        rwlock_t *lock;
-       
+
        /** the number of entries in this segment - in case of the "half-open table"
         * it's the sum of all half_open_t.count in a segment. */
        u_int count;
@@ -298,67 +298,67 @@ struct private_ike_sa_manager_t {
         * Public interface of ike_sa_manager_t.
         */
         ike_sa_manager_t public;
-       
+
         /**
          * Hash table with entries for the ike_sa_t objects.
          */
         linked_list_t **ike_sa_table;
-        
+
         /**
          * The size of the hash table.
          */
         u_int table_size;
-        
+
         /**
          * Mask to map the hashes to table rows.
          */
         u_int table_mask;
-        
+
         /**
          * Segments of the hash table.
          */
         segment_t *segments;
-        
+
         /**
          * The number of segments.
          */
         u_int segment_count;
-        
+
         /**
          * Mask to map a table row to a segment.
          */
         u_int segment_mask;
-        
+
         /**
          * Hash table with half_open_t objects.
          */
         linked_list_t **half_open_table;
-        
+
         /**
          * Segments of the "half-open" hash table.
          */
         shareable_segment_t *half_open_segments;
-        
+
         /**
          * Hash table with connected_peers_t objects.
          */
         linked_list_t **connected_peers_table;
-        
+
         /**
          * Segments of the "connected peers" hash table.
          */
         shareable_segment_t *connected_peers_segments;
-        
+
         /**
          * RNG to get random SPIs for our side
          */
         rng_t *rng;
-        
+
         /**
          * SHA1 hasher for IKE_SA_INIT retransmit detection
          */
         hasher_t *hasher;
-       
+
        /**
         * reuse existing IKE_SAs in checkout_by_config
         */
@@ -372,7 +372,7 @@ struct private_ike_sa_manager_t {
 static void lock_single_segment(private_ike_sa_manager_t *this, u_int index)
 {
        mutex_t *lock = this->segments[index & this->segment_mask].mutex;
-       
+
        lock->lock(lock);
 }
 
@@ -383,7 +383,7 @@ static void lock_single_segment(private_ike_sa_manager_t *this, u_int index)
 static void unlock_single_segment(private_ike_sa_manager_t *this, u_int index)
 {
        mutex_t *lock = this->segments[index & this->segment_mask].mutex;
-       
+
        lock->unlock(lock);
 }
 
@@ -393,7 +393,7 @@ static void unlock_single_segment(private_ike_sa_manager_t *this, u_int index)
 static void lock_all_segments(private_ike_sa_manager_t *this)
 {
        u_int i;
-       
+
        for (i = 0; i < this->segment_count; ++i)
        {
                this->segments[i].mutex->lock(this->segments[i].mutex);
@@ -406,7 +406,7 @@ static void lock_all_segments(private_ike_sa_manager_t *this)
 static void unlock_all_segments(private_ike_sa_manager_t *this)
 {
        u_int i;
-       
+
        for (i = 0; i < this->segment_count; ++i)
        {
                this->segments[i].mutex->unlock(this->segments[i].mutex);
@@ -424,27 +424,27 @@ struct private_enumerator_t {
         * implements enumerator interface
         */
        enumerator_t enumerator;
-       
+
        /**
         * associated ike_sa_manager_t
         */
        private_ike_sa_manager_t *manager;
-       
+
        /**
         * current segment index
         */
        u_int segment;
-       
+
        /**
         * currently enumerating entry
         */
        entry_t *entry;
-       
+
        /**
         * current table row index
         */
        u_int row;
-       
+
        /**
         * enumerator for the current table row
         */
@@ -468,7 +468,7 @@ static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segmen
                        if (this->current)
                        {
                                entry_t *item;
-                               
+
                                if (this->current->enumerate(this->current, &item))
                                {
                                        *entry = this->entry = item;
@@ -482,7 +482,7 @@ static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segmen
                        else
                        {
                                linked_list_t *list;
-                               
+
                                lock_single_segment(this->manager, this->segment);
                                if ((list = this->manager->ike_sa_table[this->row]) != NULL &&
                                         list->get_count(list))
@@ -523,7 +523,7 @@ static void enumerator_destroy(private_enumerator_t *this)
 static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
 {
        private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
-       
+
        enumerator->enumerator.enumerate = (void*)enumerate;
        enumerator->enumerator.destroy = (void*)enumerator_destroy;
        enumerator->manager = this;
@@ -531,7 +531,7 @@ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
        enumerator->entry = NULL;
        enumerator->row = 0;
        enumerator->current = NULL;
-       
+
        return &enumerator->enumerator;
 }
 
@@ -544,7 +544,7 @@ static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
        linked_list_t *list;
        u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
        u_int segment = row & this->segment_mask;
-       
+
        lock_single_segment(this, segment);
        if ((list = this->ike_sa_table[row]) == NULL)
        {
@@ -564,7 +564,7 @@ static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry)
        linked_list_t *list;
        u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
        u_int segment = row & this->segment_mask;
-       
+
        if ((list = this->ike_sa_table[row]) != NULL)
        {
                entry_t *current;
@@ -609,7 +609,7 @@ static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
        linked_list_t *list;
        u_int row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
        u_int seg = row & this->segment_mask;
-       
+
        lock_single_segment(this, seg);
        if ((list = this->ike_sa_table[row]) != NULL)
        {
@@ -632,7 +632,7 @@ static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
 static status_t get_entry_by_id(private_ike_sa_manager_t *this,
                                                ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment)
 {
-       return get_entry_by_match_function(this, ike_sa_id, entry, segment, 
+       return get_entry_by_match_function(this, ike_sa_id, entry, segment,
                                (linked_list_match_t)entry_match_by_id, ike_sa_id, NULL);
 }
 
@@ -670,7 +670,7 @@ static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry,
                /* we are not allowed to get this */
                return FALSE;
        }
-       while (entry->checked_out && !entry->driveout_waiting_threads)  
+       while (entry->checked_out && !entry->driveout_waiting_threads)
        {
                /* so wait until we can get it for us.
                 * we register us as waiting. */
@@ -698,7 +698,7 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
        chunk_t addr = entry->other->get_address(entry->other);
        u_int row = chunk_hash(addr) & this->table_mask;
        u_int segment = row & this->segment_mask;
-       
+
        rwlock_t *lock = this->half_open_segments[segment].lock;
        lock->write_lock(lock);
        if ((list = this->half_open_table[row]) == NULL)
@@ -716,7 +716,7 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
                        this->half_open_segments[segment].count++;
                }
        }
-       
+
        if (!half_open)
        {
                half_open = malloc_thing(half_open_t);
@@ -737,7 +737,7 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
        chunk_t addr = entry->other->get_address(entry->other);
        u_int row = chunk_hash(addr) & this->table_mask;
        u_int segment = row & this->segment_mask;
-       
+
        rwlock_t *lock = this->half_open_segments[segment].lock;
        lock->write_lock(lock);
        if ((list = this->half_open_table[row]) != NULL)
@@ -773,7 +773,7 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
                        other_id = entry->other_id->get_encoding(entry->other_id);
        u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
        u_int segment = row & this->segment_mask;
-       
+
        rwlock_t *lock = this->connected_peers_segments[segment].lock;
        lock->write_lock(lock);
        if ((list = this->connected_peers_table[row]) == NULL)
@@ -796,7 +796,7 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
                        }
                }
        }
-       
+
        if (!connected_peers)
        {
                connected_peers = malloc_thing(connected_peers_t);
@@ -821,7 +821,7 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr
                        other_id = entry->other_id->get_encoding(entry->other_id);
        u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
        u_int segment = row & this->segment_mask;
-       
+
        rwlock_t *lock = this->connected_peers_segments[segment].lock;
        lock->write_lock(lock);
        if ((list = this->connected_peers_table[row]) != NULL)
@@ -864,7 +864,7 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr
 static u_int64_t get_next_spi(private_ike_sa_manager_t *this)
 {
        u_int64_t spi;
-       
+
        this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi);
        return spi;
 }
@@ -877,9 +877,9 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
        ike_sa_t *ike_sa = NULL;
        entry_t *entry;
        u_int segment;
-       
+
        DBG2(DBG_MGR, "checkout IKE_SA");
-       
+
        if (get_entry_by_id(this, ike_sa_id, &entry, &segment) == SUCCESS)
        {
                if (wait_for_entry(this, entry, segment))
@@ -903,7 +903,7 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
        ike_sa_t *ike_sa;
        entry_t *entry;
        u_int segment;
-       
+
        if (initiator)
        {
                ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
@@ -913,15 +913,15 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
                ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE);
        }
        ike_sa = ike_sa_create(ike_sa_id);
-       
+
        DBG2(DBG_MGR, "created IKE_SA");
-       
+
        if (!initiator)
        {
                ike_sa_id->destroy(ike_sa_id);
                return ike_sa;
        }
-       
+
        entry = entry_create();
        entry->ike_sa_id = ike_sa_id;
        entry->ike_sa = ike_sa;
@@ -944,19 +944,19 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
 
        id = id->clone(id);
        id->switch_initiator(id);
-       
+
        DBG2(DBG_MGR, "checkout IKE_SA by message");
-       
+
        if (message->get_request(message) &&
                message->get_exchange_type(message) == IKE_SA_INIT)
        {
                /* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */
                chunk_t data, hash;
-                       
+
                data = message->get_packet_data(message);
                this->hasher->allocate_hash(this->hasher, data, &hash);
                chunk_free(&data);
-               
+
                if (get_entry_by_hash(this, id, hash, &entry, &segment) == SUCCESS)
                {
                        if (entry->message_id == 0)
@@ -976,7 +976,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
                        }
                        unlock_single_segment(this, segment);
                }
-               
+
                if (ike_sa == NULL)
                {
                        if (id->get_responder_spi(id) == 0 &&
@@ -987,15 +987,15 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
                                entry = entry_create();
                                entry->ike_sa = ike_sa_create(id);
                                entry->ike_sa_id = id->clone(id);
-                               
+
                                segment = put_entry(this, entry);
                                entry->checked_out = TRUE;
                                unlock_single_segment(this, segment);
-                               
-                               entry->message_id = message->get_message_id(message);                           
+
+                               entry->message_id = message->get_message_id(message);
                                entry->init_hash = hash;
                                ike_sa = entry->ike_sa;
-                               
+
                                DBG2(DBG_MGR, "created IKE_SA");
                        }
                        else
@@ -1012,7 +1012,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
                charon->bus->set_sa(charon->bus, ike_sa);
                return ike_sa;
        }
-       
+
        if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS)
        {
                /* only check out if we are not processing this request */
@@ -1053,14 +1053,14 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
        peer_cfg_t *current_peer;
        ike_cfg_t *current_ike;
        u_int segment;
-       
+
        if (!this->reuse_ikesa)
        {       /* IKE_SA reuse disable by config */
-               ike_sa = checkout_new(this, TRUE);      
+               ike_sa = checkout_new(this, TRUE);
                charon->bus->set_sa(charon->bus, ike_sa);
                return ike_sa;
        }
-       
+
        enumerator = create_table_enumerator(this);
        while (enumerator->enumerate(enumerator, &entry, &segment))
        {
@@ -1072,7 +1072,7 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
                {       /* skip IKE_SAs which are not usable */
                        continue;
                }
-               
+
                current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
                if (current_peer && current_peer->equals(current_peer, peer_cfg))
                {
@@ -1088,10 +1088,10 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
                }
        }
        enumerator->destroy(enumerator);
-       
+
        if (!ike_sa)
        {       /* no IKE_SA using such a config, hand out a new */
-               ike_sa = checkout_new(this, TRUE);      
+               ike_sa = checkout_new(this, TRUE);
        }
        charon->bus->set_sa(charon->bus, ike_sa);
        return ike_sa;
@@ -1109,7 +1109,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
        ike_sa_t *ike_sa = NULL;
        child_sa_t *child_sa;
        u_int segment;
-       
+
        enumerator = create_table_enumerator(this);
        while (enumerator->enumerate(enumerator, &entry, &segment))
        {
@@ -1125,7 +1125,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
                                        {
                                                ike_sa = entry->ike_sa;
                                                break;
-                                       }               
+                                       }
                                }
                                children->destroy(children);
                        }
@@ -1145,7 +1145,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
                }
        }
        enumerator->destroy(enumerator);
-       
+
        charon->bus->set_sa(charon->bus, ike_sa);
        return ike_sa;
 }
@@ -1162,7 +1162,7 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
        ike_sa_t *ike_sa = NULL;
        child_sa_t *child_sa;
        u_int segment;
-       
+
        enumerator = create_table_enumerator(this);
        while (enumerator->enumerate(enumerator, &entry, &segment))
        {
@@ -1178,7 +1178,7 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
                                        {
                                                ike_sa = entry->ike_sa;
                                                break;
-                                       }               
+                                       }
                                }
                                children->destroy(children);
                        }
@@ -1198,13 +1198,13 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
                }
        }
        enumerator->destroy(enumerator);
-       
+
        charon->bus->set_sa(charon->bus, ike_sa);
        return ike_sa;
 }
 
 /**
- * enumerator filter function 
+ * enumerator filter function
  */
 static bool enumerator_filter(private_ike_sa_manager_t *this,
                                                          entry_t **in, ike_sa_t **out, u_int *segment)
@@ -1243,14 +1243,14 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
        host_t *other;
        identification_t *my_id, *other_id;
        u_int segment;
-       
+
        ike_sa_id = ike_sa->get_id(ike_sa);
        my_id = ike_sa->get_my_id(ike_sa);
        other_id = ike_sa->get_other_id(ike_sa);
        other = ike_sa->get_other_host(ike_sa);
-       
+
        DBG2(DBG_MGR, "checkin IKE_SA");
-       
+
        /* look for the entry */
        if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
        {
@@ -1293,7 +1293,7 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
                entry->ike_sa = ike_sa;
                segment = put_entry(this, entry);
        }
-       
+
        /* apply identities for duplicate test (only as responder) */
        if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
                ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
@@ -1303,9 +1303,9 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
                entry->other_id = other_id->clone(other_id);
                put_connected_peers(this, entry);
        }
-       
+
        unlock_single_segment(this, segment);
-       
+
        charon->bus->set_sa(charon->bus, NULL);
 }
 
@@ -1322,11 +1322,11 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
        entry_t *entry;
        ike_sa_id_t *ike_sa_id;
        u_int segment;
-       
+
        ike_sa_id = ike_sa->get_id(ike_sa);
-       
+
        DBG2(DBG_MGR, "checkin and destroy IKE_SA");
-       
+
        if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
        {
                /* drive out waiting threads, as we are in hurry */
@@ -1343,7 +1343,7 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
                }
                remove_entry(this, entry);
                unlock_single_segment(this, segment);
-               
+
                if (entry->half_open)
                {
                        remove_half_open(this, entry);
@@ -1353,9 +1353,9 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
                {
                        remove_connected_peers(this, entry);
                }
-               
+
                entry_destroy(entry);
-               
+
                DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
        }
        else
@@ -1366,7 +1366,7 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
        charon->bus->set_sa(charon->bus, NULL);
 }
 
-       
+
 /**
  * Implementation of ike_sa_manager_t.check_uniqueness.
  */
@@ -1381,27 +1381,27 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
        identification_t *me, *other;
        u_int row, segment;
        rwlock_t *lock;
-       
+
        peer_cfg = ike_sa->get_peer_cfg(ike_sa);
        policy = peer_cfg->get_unique_policy(peer_cfg);
        if (policy == UNIQUE_NO)
        {
                return FALSE;
        }
-       
+
        me = ike_sa->get_my_id(ike_sa);
        other = ike_sa->get_other_id(ike_sa);
-       
+
        row = chunk_hash_inc(other->get_encoding(other),
                                                 chunk_hash(me->get_encoding(me))) & this->table_mask;
        segment = row & this->segment_mask;
-       
+
        lock = this->connected_peers_segments[segment & this->segment_mask].lock;
        lock->read_lock(lock);
        if ((list = this->connected_peers_table[row]) != NULL)
        {
                connected_peers_t *current;
-               
+
                if (list->find_first(list, (linked_list_match_t)connected_peers_match,
                                                         (void**)&current, me, other) == SUCCESS)
                {
@@ -1411,18 +1411,18 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
                }
        }
        lock->unlock(lock);
-       
+
        if (!duplicate_ids)
        {
                return FALSE;
        }
-       
+
        enumerator = duplicate_ids->create_enumerator(duplicate_ids);
        while (enumerator->enumerate(enumerator, &duplicate_id))
        {
                status_t status = SUCCESS;
                ike_sa_t *duplicate;
-               
+
                duplicate = checkout(this, duplicate_id);
                if (!duplicate)
                {
@@ -1485,13 +1485,13 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
                chunk_t addr = ip->get_address(ip);
                u_int row = chunk_hash(addr) & this->table_mask;
                u_int segment = row & this->segment_mask;
-               
+
                rwlock_t *lock = this->half_open_segments[segment & this->segment_mask].lock;
                lock->read_lock(lock);
                if ((list = this->half_open_table[row]) != NULL)
                {
                        half_open_t *current;
-                       
+
                        if (list->find_first(list, (linked_list_match_t)half_open_match,
                                                                 (void**)&current, &addr) == SUCCESS)
                        {
@@ -1503,7 +1503,7 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
        else
        {
                u_int segment;
-               
+
                for (segment = 0; segment < this->segment_count; ++segment)
                {
                        rwlock_t *lock;
@@ -1513,7 +1513,7 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
                        lock->unlock(lock);
                }
        }
-       
+
        return count;
 }
 
@@ -1526,7 +1526,7 @@ static void flush(private_ike_sa_manager_t *this)
        enumerator_t *enumerator;
        entry_t *entry;
        u_int segment;
-       
+
        lock_all_segments(this);
        DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
        /* Step 1: drive out all waiting threads  */
@@ -1536,7 +1536,7 @@ static void flush(private_ike_sa_manager_t *this)
        {
                /* do not accept new threads, drive out waiting threads */
                entry->driveout_new_threads = TRUE;
-               entry->driveout_waiting_threads = TRUE; 
+               entry->driveout_waiting_threads = TRUE;
        }
        enumerator->destroy(enumerator);
        DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
@@ -1573,7 +1573,7 @@ static void flush(private_ike_sa_manager_t *this)
                entry->ike_sa->delete(entry->ike_sa);
        }
        enumerator->destroy(enumerator);
-       
+
        DBG2(DBG_MGR, "destroy all entries");
        /* Step 4: destroy all entries */
        enumerator = create_table_enumerator(this);
@@ -1633,7 +1633,7 @@ static void destroy(private_ike_sa_manager_t *this)
        free(this->segments);
        free(this->half_open_segments);
        free(this->connected_peers_segments);
-       
+
        this->rng->destroy(this->rng);
        this->hasher->destroy(this->hasher);
        free(this);
@@ -1648,7 +1648,7 @@ static void destroy(private_ike_sa_manager_t *this)
 static u_int get_nearest_powerof2(u_int n)
 {
        u_int i;
-       
+
        --n;
        for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
        {
@@ -1679,7 +1679,7 @@ ike_sa_manager_t *ike_sa_manager_create()
        this->public.checkin = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
        this->public.checkin_and_destroy = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
        this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count;
-       
+
        /* initialize private variables */
        this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
        if (this->hasher == NULL)
@@ -1700,21 +1700,21 @@ ike_sa_manager_t *ike_sa_manager_create()
                                                "charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE));
        this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
        this->table_mask = this->table_size - 1;
-       
+
        this->segment_count = get_nearest_powerof2(lib->settings->get_int(lib->settings,
                                                "charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT));
        this->segment_count = max(1, min(this->segment_count, this->table_size));
        this->segment_mask = this->segment_count - 1;
-       
+
        this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*));
-       
+
        this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
        for (i = 0; i < this->segment_count; ++i)
        {
                this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
                this->segments[i].count = 0;
        }
-       
+
        /* we use the same table parameters for the table to track half-open SAs */
        this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*));
        this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
@@ -1723,7 +1723,7 @@ ike_sa_manager_t *ike_sa_manager_create()
                this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
                this->half_open_segments[i].count = 0;
        }
-       
+
        /* also for the hash table used for duplicate tests */
        this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*));
        this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
@@ -1732,7 +1732,7 @@ ike_sa_manager_t *ike_sa_manager_create()
                this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
                this->connected_peers_segments[i].count = 0;
        }
-       
+
        this->reuse_ikesa = lib->settings->get_bool(lib->settings,
                                                                                                "charon.reuse_ikesa", TRUE);
        return &this->public;
index 6da768080926be7be79d5733393249151dc96f5a..c141052e77d189a75351505df6ef21ca683e0cb7 100644 (file)
@@ -38,20 +38,20 @@ typedef struct ike_sa_manager_t ike_sa_manager_t;
  * by the owning thread.
  */
 struct ike_sa_manager_t {
-       
+
        /**
         * Checkout an existing IKE_SA.
-        * 
+        *
         * @param ike_sa_id                     the SA identifier, will be updated
-        * @returns                                     
+        * @returns
         *                                                      - checked out IKE_SA if found
         *                                                      - NULL, if specified IKE_SA is not found.
         */
        ike_sa_t* (*checkout) (ike_sa_manager_t* this, ike_sa_id_t *sa_id);
-       
+
        /**
         * Create and check out a new IKE_SA.
-        * 
+        *
         * @note If initiator equals FALSE, the returned IKE_SA is not registered
         * in the manager.
         *
@@ -59,30 +59,30 @@ struct ike_sa_manager_t {
         * @returns                             created and checked out IKE_SA
         */
        ike_sa_t* (*checkout_new) (ike_sa_manager_t* this, bool initiator);
-       
+
        /**
         * Checkout an IKE_SA by a message.
-        * 
+        *
         * In some situations, it is necessary that the manager knows the
         * message to use for the checkout. This has the following reasons:
-        * 
+        *
         * 1. If the targeted IKE_SA is already processing a message, we do not
         *    check it out if the message ID is the same.
-        * 2. If it is an IKE_SA_INIT request, we have to check if it is a 
+        * 2. If it is an IKE_SA_INIT request, we have to check if it is a
         *    retransmission. If so, we have to drop the message, we would
         *    create another unneeded IKE_SA for each retransmitted packet.
         *
         * A call to checkout_by_message() returns a (maybe new created) IKE_SA.
         * If processing the message does not make sense (for the reasons above),
         * NULL is returned.
-        * 
+        *
         * @param ike_sa_id                     the SA identifier, will be updated
-        * @returns                                     
+        * @returns
         *                                                      - checked out/created IKE_SA
         *                                                      - NULL to not process message further
         */
        ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
-       
+
        /**
         * Checkout an IKE_SA for initiation by a peer_config.
         *
@@ -98,26 +98,26 @@ struct ike_sa_manager_t {
         */
        ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this,
                                                                         peer_cfg_t *peer_cfg);
-       
+
        /**
         * Check for duplicates of the given IKE_SA.
-        * 
+        *
         * Measures are taken according to the uniqueness policy of the IKE_SA.
         * The return value indicates whether duplicates have been found and if
         * further measures should be taken (e.g. cancelling an IKE_AUTH exchange).
         * check_uniqueness() must be called before the IKE_SA is complete,
         * deadlocks occur otherwise.
-        * 
+        *
         * @param ike_sa                        ike_sa to check
         * @return                                      TRUE, if the given IKE_SA has duplicates and
         *                                                      should be deleted
         */
        bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa);
-       
+
        /**
         * Check out an IKE_SA a unique ID.
         *
-        * Every IKE_SA and every CHILD_SA is uniquely identified by an ID. 
+        * Every IKE_SA and every CHILD_SA is uniquely identified by an ID.
         * These checkout function uses, depending
         * on the child parameter, the unique ID of the IKE_SA or the reqid
         * of one of a IKE_SAs CHILD_SA.
@@ -130,7 +130,7 @@ struct ike_sa_manager_t {
         */
        ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id,
                                                                 bool child);
-       
+
        /**
         * Check out an IKE_SA by the policy/connection name.
         *
@@ -145,7 +145,7 @@ struct ike_sa_manager_t {
         */
        ike_sa_t* (*checkout_by_name) (ike_sa_manager_t* this, char *name,
                                                                   bool child);
-       
+
        /**
         * Create an enumerator over all stored IKE_SAs.
         *
@@ -155,7 +155,7 @@ struct ike_sa_manager_t {
         * @return                                      enumerator over all IKE_SAs.
         */
        enumerator_t *(*create_enumerator) (ike_sa_manager_t* this);
-       
+
        /**
         * Checkin the SA after usage.
         *
@@ -165,7 +165,7 @@ struct ike_sa_manager_t {
         * @param ike_sa                        checked out SA
         */
        void (*checkin) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
-       
+
        /**
         * Destroy a checked out SA.
         *
@@ -179,7 +179,7 @@ struct ike_sa_manager_t {
         * @param ike_sa                        SA to delete
         */
        void (*checkin_and_destroy) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
-       
+
        /**
         * Get the number of IKE_SAs which are in the connecting state.
         *
@@ -189,19 +189,19 @@ struct ike_sa_manager_t {
         * If a host is supplied, only the number of half open IKE_SAs initiated
         * from this IP are counted.
         * Only SAs for which we are the responder are counted.
-        * 
+        *
         * @param ip                            NULL for all, IP for half open IKE_SAs with IP
         * @return                                      number of half open IKE_SAs
         */
        int (*get_half_open_count) (ike_sa_manager_t *this, host_t *ip);
-       
+
        /**
         * Delete all existing IKE_SAs and destroy them immediately.
-        * 
+        *
         * Threads will be driven out, so all SAs can be deleted cleanly.
         */
        void (*flush)(ike_sa_manager_t *this);
-       
+
        /**
         * Destroys the manager with all associated SAs.
         *
@@ -212,7 +212,7 @@ struct ike_sa_manager_t {
 
 /**
  * Create the IKE_SA manager.
- * 
+ *
  * @returns    ike_sa_manager_t object, NULL if initialization fails
  */
 ike_sa_manager_t *ike_sa_manager_create(void);
index 46fb79587a98ad32195e98df06c5f37ce755cd6b..e7224fe52f13002805708bf9bd0bf0d911357f8c 100644 (file)
@@ -24,52 +24,52 @@ typedef struct private_keymat_t private_keymat_t;
  * Private data of an keymat_t object.
  */
 struct private_keymat_t {
-       
+
        /**
         * Public keymat_t interface.
         */
        keymat_t public;
-       
+
        /**
         * IKE_SA Role, initiator or responder
         */
        bool initiator;
-       
+
        /**
         * inbound signer (verify)
         */
        signer_t *signer_in;
-       
+
        /**
         * outbound signer (sign)
         */
        signer_t *signer_out;
-       
+
        /**
         * inbound crypter (decrypt)
         */
        crypter_t *crypter_in;
-       
+
        /**
         * outbound crypter (encrypt)
         */
        crypter_t *crypter_out;
-       
+
        /**
         * General purpose PRF
         */
        prf_t *prf;
-       
+
        /**
         * Negotiated PRF algorithm
         */
        pseudo_random_function_t prf_alg;
-       
+
        /**
         * Key to derive key material from for CHILD_SAs, rekeying
         */
        chunk_t skd;
-       
+
        /**
         * Key to build outging authentication data (SKp)
         */
@@ -158,15 +158,15 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
        prf_plus_t *prf_plus;
        u_int16_t alg, key_size;
        prf_t *rekey_prf = NULL;
-       
+
        spi_i = chunk_alloca(sizeof(u_int64_t));
        spi_r = chunk_alloca(sizeof(u_int64_t));
-       
+
        if (dh->get_shared_secret(dh, &secret) != SUCCESS)
        {
                return FALSE;
        }
-       
+
        /* Create SAs general purpose PRF first, we may use it here */
        if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
        {
@@ -206,8 +206,8 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
        *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
        *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
        prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
-       
-       /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr) 
+
+       /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
         *
         * if we are rekeying, SKEYSEED is built on another way
         */
@@ -221,7 +221,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
        }
        else
        {
-               /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr) 
+               /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
                 * use OLD SAs PRF functions for both prf_plus and prf */
                rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
                if (!rekey_prf)
@@ -240,20 +240,20 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
                prf_plus = prf_plus_create(rekey_prf, prf_plus_seed);
        }
        DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
-       
+
        chunk_clear(&skeyseed);
        chunk_clear(&secret);
        chunk_free(&full_nonce);
        chunk_free(&fixed_nonce);
        chunk_clear(&prf_plus_seed);
-       
+
        /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
-       
+
        /* SK_d is used for generating CHILD_SA key mat => store for later use */
        key_size = this->prf->get_key_size(this->prf);
        prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
        DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
-       
+
        /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
        if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
        {
@@ -275,17 +275,17 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
                return FALSE;
        }
        key_size = signer_i->get_key_size(signer_i);
-       
+
        prf_plus->allocate_bytes(prf_plus, key_size, &key);
        DBG4(DBG_IKE, "Sk_ai secret %B", &key);
        signer_i->set_key(signer_i, key);
        chunk_clear(&key);
-       
+
        prf_plus->allocate_bytes(prf_plus, key_size, &key);
        DBG4(DBG_IKE, "Sk_ar secret %B", &key);
        signer_r->set_key(signer_r, key);
        chunk_clear(&key);
-       
+
        if (this->initiator)
        {
                this->signer_in = signer_r;
@@ -296,7 +296,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
                this->signer_in = signer_i;
                this->signer_out = signer_r;
        }
-       
+
        /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
        if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
        {
@@ -318,17 +318,17 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
                return FALSE;
        }
        key_size = crypter_i->get_key_size(crypter_i);
-       
+
        prf_plus->allocate_bytes(prf_plus, key_size, &key);
        DBG4(DBG_IKE, "Sk_ei secret %B", &key);
        crypter_i->set_key(crypter_i, key);
        chunk_clear(&key);
-       
+
        prf_plus->allocate_bytes(prf_plus, key_size, &key);
        DBG4(DBG_IKE, "Sk_er secret %B", &key);
        crypter_r->set_key(crypter_r, key);
        chunk_clear(&key);
-       
+
        if (this->initiator)
        {
                this->crypter_in = crypter_r;
@@ -339,8 +339,8 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
                this->crypter_in = crypter_i;
                this->crypter_out = crypter_r;
        }
-       
-       /* SK_pi/SK_pr used for authentication => stored for later */   
+
+       /* SK_pi/SK_pr used for authentication => stored for later */
        key_size = this->prf->get_key_size(this->prf);
        prf_plus->allocate_bytes(prf_plus, key_size, &key);
        DBG4(DBG_IKE, "Sk_pi secret %B", &key);
@@ -362,11 +362,11 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
        {
                this->skp_build = key;
        }
-       
+
        /* all done, prf_plus not needed anymore */
        prf_plus->destroy(prf_plus);
        DESTROY_IF(rekey_prf);
-       
+
        return TRUE;
 }
 
@@ -382,7 +382,7 @@ static bool derive_child_keys(private_keymat_t *this,
        u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
        chunk_t seed, secret = chunk_empty;
        prf_plus_t *prf_plus;
-       
+
        if (dh)
        {
                if (dh->get_shared_secret(dh, &secret) != SUCCESS)
@@ -393,13 +393,13 @@ static bool derive_child_keys(private_keymat_t *this,
        }
        seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
        DBG4(DBG_CHD, "seed %B", &seed);
-       
+
        if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
                                                                &enc_alg, &enc_size))
        {
-               DBG2(DBG_CHD, "  using %N for encryption", 
+               DBG2(DBG_CHD, "  using %N for encryption",
                         encryption_algorithm_names, enc_alg);
-               
+
                if (!enc_size)
                {
                        enc_size = lookup_keylen(keylen_enc, enc_alg);
@@ -412,7 +412,7 @@ static bool derive_child_keys(private_keymat_t *this,
                }
                /* to bytes */
                enc_size /= 8;
-               
+
                /* CCM/GCM/CTR needs additional bytes */
                switch (enc_alg)
                {
@@ -434,13 +434,13 @@ static bool derive_child_keys(private_keymat_t *this,
                                break;
                }
        }
-       
+
        if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
                                                                &int_alg, &int_size))
        {
                DBG2(DBG_CHD, "  using %N for integrity",
                         integrity_algorithm_names, int_alg);
-               
+
                if (!int_size)
                {
                        int_size = lookup_keylen(keylen_int, int_alg);
@@ -454,17 +454,17 @@ static bool derive_child_keys(private_keymat_t *this,
                /* to bytes */
                int_size /= 8;
        }
-       
+
        this->prf->set_key(this->prf, this->skd);
        prf_plus = prf_plus_create(this->prf, seed);
-       
+
        prf_plus->allocate_bytes(prf_plus, enc_size, encr_i);
        prf_plus->allocate_bytes(prf_plus, int_size, integ_i);
        prf_plus->allocate_bytes(prf_plus, enc_size, encr_r);
        prf_plus->allocate_bytes(prf_plus, int_size, integ_r);
-       
+
        prf_plus->destroy(prf_plus);
-       
+
        if (enc_size)
        {
                DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
@@ -512,19 +512,19 @@ static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
 {
        chunk_t chunk, idx, octets;
        chunk_t skp;
-       
+
        skp = verify ? this->skp_verify : this->skp_build;
-       
+
        chunk = chunk_alloca(4);
        memset(chunk.ptr, 0, chunk.len);
        chunk.ptr[0] = id->get_type(id);
        idx = chunk_cata("cc", chunk, id->get_encoding(id));
-       
+
        DBG3(DBG_IKE, "IDx' %B", &idx);
        DBG3(DBG_IKE, "SK_p %B", &skp);
        this->prf->set_key(this->prf, skp);
        this->prf->allocate_bytes(this->prf, idx, &chunk);
-       
+
        octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
        DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
        return octets;
@@ -539,12 +539,12 @@ static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
 /**
  * Implementation of keymat_t.get_psk_sig
  */
-static chunk_t get_psk_sig(private_keymat_t *this, bool verify, 
+static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
                                                   chunk_t ike_sa_init, chunk_t nonce, chunk_t secret,
                                                   identification_t *id)
 {
        chunk_t key_pad, key, sig, octets;
-       
+
        if (!secret.len)
        {       /* EAP uses SK_p if no MSK has been established */
                secret = verify ? this->skp_verify : this->skp_build;
@@ -561,7 +561,7 @@ static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
        DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
        chunk_free(&octets);
        chunk_free(&key);
-       
+
        return sig;
 }
 
@@ -587,7 +587,7 @@ static void destroy(private_keymat_t *this)
 keymat_t *keymat_create(bool initiator)
 {
        private_keymat_t *this = malloc_thing(private_keymat_t);
-       
+
        this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
        this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys;
        this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
@@ -597,9 +597,9 @@ keymat_t *keymat_create(bool initiator)
        this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
        this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig;
        this->public.destroy = (void(*)(keymat_t*))destroy;
-       
+
        this->initiator = initiator;
-       
+
        this->signer_in = NULL;
        this->signer_out = NULL;
        this->crypter_in = NULL;
@@ -609,7 +609,7 @@ keymat_t *keymat_create(bool initiator)
        this->skd = chunk_empty;
        this->skp_verify = chunk_empty;
        this->skp_build = chunk_empty;
-       
+
        return &this->public;
 }
 
index 43b9dd113429ade1d3d7ade8cf78c2d0fdd4554f..cc0a3e1e6a0d44fc89d39517574321b538c7f485 100644 (file)
@@ -35,7 +35,7 @@ typedef struct keymat_t keymat_t;
  * Derivation an management of sensitive keying material.
  */
 struct keymat_t {
-       
+
        /**
         * Create a diffie hellman object for key agreement.
         *
@@ -47,7 +47,7 @@ struct keymat_t {
         * @return                              DH object, NULL if group not supported
         */
        diffie_hellman_t* (*create_dh)(keymat_t *this, diffie_hellman_group_t group);
-       
+
        /**
         * Derive keys for the IKE_SA.
         *
@@ -86,7 +86,7 @@ struct keymat_t {
         * @param integ_r       chunk to write responders integrity key to
         * @return                      TRUE on success
         */
-       bool (*derive_child_keys)(keymat_t *this, 
+       bool (*derive_child_keys)(keymat_t *this,
                                                          proposal_t *proposal, diffie_hellman_t *dh,
                                                          chunk_t nonce_i, chunk_t nonce_r,
                                                          chunk_t *encr_i, chunk_t *integ_i,
@@ -98,7 +98,7 @@ struct keymat_t {
         * @return                      PRF function to derive keymat
         */
        pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd);
-       
+
        /**
         * Get a signer to sign/verify IKE messages.
         *
@@ -106,7 +106,7 @@ struct keymat_t {
         * @return                      signer
         */
        signer_t* (*get_signer)(keymat_t *this, bool in);
-       
+
        /*
         * Get a crypter to en-/decrypt IKE messages.
         *
@@ -114,7 +114,7 @@ struct keymat_t {
         * @return                      crypter
         */
        crypter_t* (*get_crypter)(keymat_t *this, bool in);
-       
+
        /**
         * Generate octets to use for authentication procedure (RFC4306 2.15).
         *
index a69c0017348bf3e6c0b57da390aeec0367458687..b91a6616304f92b762fb37a33eb27828e136931b 100644 (file)
@@ -31,8 +31,8 @@ struct peer_t {
     identification_t *id;
 
        /** sa id of the peer, NULL if offline */
-    ike_sa_id_t *ike_sa_id;   
-    
+    ike_sa_id_t *ike_sa_id;
+
     /** list of peer ids that reuested this peer */
     linked_list_t *requested_by;
 };
@@ -54,12 +54,12 @@ static void peer_destroy(peer_t *this)
 static peer_t *peer_create(identification_t *id, ike_sa_id_t* ike_sa_id)
 {
        peer_t *this = malloc_thing(peer_t);
-       
+
        /* clone everything */
        this->id = id->clone(id);
     this->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
     this->requested_by = linked_list_create();
-    
+
        return this;
 }
 
@@ -74,7 +74,7 @@ struct private_mediation_manager_t {
         * Public interface of mediation_manager_t.
         */
         mediation_manager_t public;
-       
+
         /**
          * Lock for exclusivly accessing the manager.
          */
@@ -93,7 +93,7 @@ static void register_peer(peer_t *peer, identification_t *peer_id)
 {
        iterator_t *iterator;
        identification_t *current;
-       
+
        iterator = peer->requested_by->create_iterator(peer->requested_by, TRUE);
        while (iterator->iterate(iterator, (void**)&current))
        {
@@ -104,7 +104,7 @@ static void register_peer(peer_t *peer, identification_t *peer_id)
                }
        }
        iterator->destroy(iterator);
-       
+
        peer->requested_by->insert_last(peer->requested_by, peer_id->clone(peer_id));
 }
 
@@ -117,7 +117,7 @@ static status_t get_peer_by_id(private_mediation_manager_t *this,
        iterator_t *iterator;
        peer_t *current;
        status_t status = NOT_FOUND;
-       
+
        iterator = this->peers->create_iterator(this->peers, TRUE);
        while (iterator->iterate(iterator, (void**)&current))
        {
@@ -161,7 +161,7 @@ static void unregister_peer(private_mediation_manager_t *this, identification_t
                        }
                }
                iterator_r->destroy(iterator_r);
-               
+
                if (!peer->ike_sa_id && !peer->requested_by->get_count(peer->requested_by))
                {
                        iterator->remove(iterator);
@@ -181,16 +181,16 @@ static void remove_sa(private_mediation_manager_t *this, ike_sa_id_t *ike_sa_id)
        peer_t *peer;
 
        this->mutex->lock(this->mutex);
-       
+
        iterator = this->peers->create_iterator(this->peers, TRUE);
        while (iterator->iterate(iterator, (void**)&peer))
        {
                if (ike_sa_id->equals(ike_sa_id, peer->ike_sa_id))
                {
                        iterator->remove(iterator);
-                       
+
                        unregister_peer(this, peer->id);
-                       
+
                        peer_destroy(peer);
                        break;
                }
@@ -222,7 +222,7 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
                }
        }
        iterator->destroy(iterator);
-       
+
        if (!found)
        {
                DBG2(DBG_IKE, "adding peer '%Y'", peer_id);
@@ -230,9 +230,9 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
                this->peers->insert_last(this->peers, peer);
        }
 
-       DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);                   
+       DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);
        peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
-       
+
        /* send callbacks to registered peers */
        identification_t *requester;
        while(peer->requested_by->remove_last(peer->requested_by, (void**)&requester) == SUCCESS)
@@ -241,7 +241,7 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
                charon->processor->queue_job(charon->processor, job);
                requester->destroy(requester);
        }
-       
+
        this->mutex->unlock(this->mutex);
 }
 
@@ -286,7 +286,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
                peer = peer_create(peer_id, NULL);
                this->peers->insert_last(this->peers, peer);
        }
-       
+
        if (!peer->ike_sa_id)
        {
                /* the peer is not online */
@@ -309,9 +309,9 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 static void destroy(private_mediation_manager_t *this)
 {
        this->mutex->lock(this->mutex);
-       
+
        this->peers->destroy_function(this->peers, (void*)peer_destroy);
-       
+
        this->mutex->unlock(this->mutex);
        this->mutex->destroy(this->mutex);
        free(this);
@@ -329,9 +329,9 @@ mediation_manager_t *mediation_manager_create()
        this->public.update_sa_id = (void(*)(mediation_manager_t*,identification_t*,ike_sa_id_t*))update_sa_id;
        this->public.check = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*))check;
        this->public.check_and_register = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*,identification_t*))check_and_register;
-       
+
        this->peers = linked_list_create();
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-       
+
        return (mediation_manager_t*)this;
 }
index 29e16d84f86a727306cf963db7e733cb4d9cfb9e..60d2ccf766e1fd08162661a04d0134d873a2a052 100644 (file)
@@ -31,48 +31,48 @@ typedef struct mediation_manager_t mediation_manager_t;
  * peers and registered requests for offline peers on the mediation server.
  */
 struct mediation_manager_t {
-       
+
        /**
         * Remove the IKE_SA of a peer.
-        * 
+        *
         * @param ike_sa_id                     the IKE_SA ID of the peer's SA
         */
        void (*remove) (mediation_manager_t* this, ike_sa_id_t *ike_sa_id);
-       
+
        /**
         * Update the ike_sa_id that is assigned to a peer's ID. If the peer
-        * is new, it gets a new record assigned. 
-        * 
+        * is new, it gets a new record assigned.
+        *
         * @param peer_id                       the peer's ID
         * @param ike_sa_id                     the IKE_SA ID of the peer's SA
         */
        void (*update_sa_id) (mediation_manager_t* this, identification_t *peer_id,
                        ike_sa_id_t *ike_sa_id);
-       
+
        /**
         * Checks if a specific peer is online.
-        * 
+        *
         * @param peer_id                       the peer's ID
-        * @returns                                     
+        * @returns
         *                                                      - IKE_SA ID of the peer's SA.
         *                                                      - NULL, if the peer is not online.
         */
        ike_sa_id_t* (*check) (mediation_manager_t* this,
                        identification_t *peer_id);
-       
+
        /**
         * Checks if a specific peer is online and registers the requesting
         * peer if it is not.
-        * 
+        *
         * @param peer_id                       the peer's ID
         * @param requester                     the requesters ID
-        * @returns                                     
+        * @returns
         *                                                      - IKE_SA ID of the peer's SA.
         *                                                      - NULL, if the peer is not online.
         */
        ike_sa_id_t* (*check_and_register) (mediation_manager_t* this,
                        identification_t *peer_id, identification_t *requester);
-       
+
        /**
         * Destroys the manager with all data.
         */
@@ -81,7 +81,7 @@ struct mediation_manager_t {
 
 /**
  * Create a manager.
- * 
+ *
  * @returns    mediation_manager_t object
  */
 mediation_manager_t *mediation_manager_create(void);
index b3d678bf3e5d73f24b29aaf6b5c695ae24a60caf..0504cde4550d2864dbd108697736fcffd30db945 100644 (file)
@@ -46,12 +46,12 @@ typedef struct exchange_t exchange_t;
  * An exchange in the air, used do detect and handle retransmission
  */
 struct exchange_t {
-       
+
        /**
         * Message ID used for this transaction
         */
        u_int32_t mid;
-       
+
        /**
         * generated packet for retransmission
         */
@@ -64,17 +64,17 @@ typedef struct private_task_manager_t private_task_manager_t;
  * private data of the task manager
  */
 struct private_task_manager_t {
-       
+
        /**
         * public functions
         */
        task_manager_t public;
-       
+
        /**
         * associated IKE_SA we are serving
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Exchange we are currently handling as responder
         */
@@ -83,14 +83,14 @@ struct private_task_manager_t {
                 * Message ID of the exchange
                 */
                u_int32_t mid;
-               
+
                /**
                 * packet for retransmission
                 */
                packet_t *packet;
-               
+
        } responding;
-       
+
        /**
         * Exchange we are currently handling as initiator
         */
@@ -99,7 +99,7 @@ struct private_task_manager_t {
                 * Message ID of the exchange
                 */
                u_int32_t mid;
-               
+
                /**
                 * how many times we have retransmitted so far
                 */
@@ -109,29 +109,29 @@ struct private_task_manager_t {
                 * packet for retransmission
                 */
                packet_t *packet;
-               
+
                /**
                 * type of the initated exchange
                 */
                exchange_type_t type;
-       
+
        } initiating;
-       
+
        /**
         * List of queued tasks not yet in action
         */
        linked_list_t *queued_tasks;
-       
+
        /**
         * List of active tasks, initiated by ourselve
         */
        linked_list_t *active_tasks;
-       
+
        /**
         * List of tasks initiated by peer
         */
        linked_list_t *passive_tasks;
-       
+
        /**
         * the task manager has been reset
         */
@@ -162,7 +162,7 @@ static bool activate_task(private_task_manager_t *this, task_type_t type)
        iterator_t *iterator;
        task_t *task;
        bool found = FALSE;
-       
+
        iterator = this->queued_tasks->create_iterator(this->queued_tasks, TRUE);
        while (iterator->iterate(iterator, (void**)&task))
        {
@@ -192,7 +192,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
                packet_t *packet;
                task_t *task;
                ike_mobike_t *mobike = NULL;
-               
+
                /* check if we are retransmitting a MOBIKE routability check */
                iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
                while (iterator->iterate(iterator, (void*)&task))
@@ -226,7 +226,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
                                }
                                return DESTROY_ME;
                        }
-                       
+
                        if (this->initiating.retransmitted)
                        {
                                DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
@@ -247,7 +247,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
                                charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
                                return DESTROY_ME;
                        }
-                       
+
                        if (this->initiating.retransmitted)
                        {
                                DBG1(DBG_IKE, "path probing attempt %d",
@@ -256,9 +256,9 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
                        packet = this->initiating.packet->clone(this->initiating.packet);
                        mobike->transmit(mobike, packet);
                }
-               
+
                charon->sender->send(charon->sender, packet);
-               
+
                this->initiating.retransmitted++;
                job = (job_t*)retransmit_job_create(this->initiating.mid,
                                                                                        this->ike_sa->get_id(this->ike_sa));
@@ -279,14 +279,14 @@ static status_t build_request(private_task_manager_t *this)
        host_t *me, *other;
        status_t status;
        exchange_type_t exchange = 0;
-       
+
        if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
        {
                DBG2(DBG_IKE, "delaying task initiation, exchange in progress");
                /* do not initiate if we already have a message in the air */
                return SUCCESS;
        }
-       
+
        if (this->active_tasks->get_count(this->active_tasks) == 0)
        {
                DBG2(DBG_IKE, "activating new tasks");
@@ -402,17 +402,17 @@ static status_t build_request(private_task_manager_t *this)
                }
                iterator->destroy(iterator);
        }
-       
+
        if (exchange == 0)
        {
                DBG2(DBG_IKE, "nothing to initiate");
                /* nothing to do yet... */
                return SUCCESS;
        }
-       
+
        me = this->ike_sa->get_my_host(this->ike_sa);
        other = this->ike_sa->get_other_host(this->ike_sa);
-       
+
        message = message_create();
        message->set_message_id(message, this->initiating.mid);
        message->set_source(message, me->clone(me));
@@ -420,7 +420,7 @@ static status_t build_request(private_task_manager_t *this)
        message->set_exchange_type(message, exchange);
        this->initiating.type = exchange;
        this->initiating.retransmitted = 0;
-       
+
        iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
        while (iterator->iterate(iterator, (void*)&task))
        {
@@ -450,10 +450,10 @@ static status_t build_request(private_task_manager_t *this)
                }
        }
        iterator->destroy(iterator);
-       
+
        /* update exchange type if a task changed it */
        this->initiating.type = message->get_exchange_type(message);
-       
+
        status = this->ike_sa->generate_message(this->ike_sa, message,
                                                                                        &this->initiating.packet);
        if (status != SUCCESS)
@@ -465,10 +465,10 @@ static status_t build_request(private_task_manager_t *this)
                charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
                return DESTROY_ME;
        }
-       
+
        charon->bus->message(charon->bus, message, FALSE);
        message->destroy(message);
-       
+
        return retransmit(this, this->initiating.mid);
 }
 
@@ -480,7 +480,7 @@ static status_t process_response(private_task_manager_t *this,
 {
        iterator_t *iterator;
        task_t *task;
-       
+
        if (message->get_exchange_type(message) != this->initiating.type)
        {
                DBG1(DBG_IKE, "received %N response, but expected %N",
@@ -489,7 +489,7 @@ static status_t process_response(private_task_manager_t *this,
                charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
                return DESTROY_ME;
        }
-       
+
        /* catch if we get resetted while processing */
        this->reset = FALSE;
        iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
@@ -524,12 +524,12 @@ static status_t process_response(private_task_manager_t *this,
                }
        }
        iterator->destroy(iterator);
-       
+
        this->initiating.mid++;
        this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
        this->initiating.packet->destroy(this->initiating.packet);
        this->initiating.packet = NULL;
-       
+
        return build_request(this);
 }
 
@@ -541,9 +541,9 @@ static void handle_collisions(private_task_manager_t *this, task_t *task)
        iterator_t *iterator;
        task_t *active;
        task_type_t type;
-       
+
        type = task->get_type(task);
-       
+
        /* do we have to check  */
        if (type == IKE_REKEY || type == CHILD_REKEY ||
                type == CHILD_DELETE || type == IKE_DELETE || type == IKE_REAUTH)
@@ -594,10 +594,10 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
        host_t *me, *other;
        bool delete = FALSE;
        status_t status;
-       
+
        me = request->get_destination(request);
        other = request->get_source(request);
-       
+
        message = message_create();
        message->set_exchange_type(message, request->get_exchange_type(request));
        /* send response along the path the request came in */
@@ -605,7 +605,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
        message->set_destination(message, other->clone(other));
        message->set_message_id(message, this->responding.mid);
        message->set_request(message, FALSE);
-       
+
        iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
        while (iterator->iterate(iterator, (void*)&task))
        {
@@ -633,14 +633,14 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
                }
        }
        iterator->destroy(iterator);
-       
+
        /* remove resonder SPI if IKE_SA_INIT failed */
        if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
        {
                ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
                id->set_responder_spi(id, 0);
        }
-       
+
        /* message complete, send it */
        DESTROY_IF(this->responding.packet);
        this->responding.packet = NULL;
@@ -653,7 +653,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
                charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
                return DESTROY_ME;
        }
-       
+
        charon->sender->send(charon->sender,
                                                 this->responding.packet->clone(this->responding.packet));
        if (delete)
@@ -675,7 +675,7 @@ static status_t process_request(private_task_manager_t *this,
        payload_t *payload;
        notify_payload_t *notify;
        delete_payload_t *delete;
-       
+
        if (this->passive_tasks->get_count(this->passive_tasks) == 0)
        {       /* create tasks depending on request type, if not already some queued */
                switch (message->get_exchange_type(message))
@@ -737,7 +737,7 @@ static status_t process_request(private_task_manager_t *this,
                                        }
                                }
                                enumerator->destroy(enumerator);
-                               
+
                                if (ts_found)
                                {
                                        if (notify_found)
@@ -816,7 +816,7 @@ static status_t process_request(private_task_manager_t *this,
                                        }
                                }
                                enumerator->destroy(enumerator);
-                       
+
                                if (task == NULL)
                                {
                                        task = (task_t*)ike_dpd_create(FALSE);
@@ -835,7 +835,7 @@ static status_t process_request(private_task_manager_t *this,
                                break;
                }
        }
-       
+
        /* let the tasks process the message */
        iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
        while (iterator->iterate(iterator, (void*)&task))
@@ -863,7 +863,7 @@ static status_t process_request(private_task_manager_t *this,
                }
        }
        iterator->destroy(iterator);
-       
+
        return build_response(this, message);
 }
 
@@ -873,7 +873,7 @@ static status_t process_request(private_task_manager_t *this,
 static status_t process_message(private_task_manager_t *this, message_t *msg)
 {
        u_int32_t mid = msg->get_message_id(msg);
-       
+
        if (msg->get_request(msg))
        {
                if (mid == this->responding.mid)
@@ -890,7 +890,7 @@ static status_t process_message(private_task_manager_t *this, message_t *msg)
                {
                        packet_t *clone;
                        host_t *me, *other;
-                       
+
                        DBG1(DBG_IKE, "received retransmit of request with ID %d, "
                                 "retransmitting response", mid);
                        clone = this->responding.packet->clone(this->responding.packet);
@@ -935,7 +935,7 @@ static void queue_task(private_task_manager_t *this, task_t *task)
        {       /*  there is no need to queue more than one mobike task */
                iterator_t *iterator;
                task_t *current;
-               
+
                iterator = this->queued_tasks->create_iterator(this->queued_tasks, TRUE);
                while (iterator->iterate(iterator, (void**)&current))
                {
@@ -958,7 +958,7 @@ static void queue_task(private_task_manager_t *this, task_t *task)
 static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *other)
 {
        task_t *task;
-       
+
        /* move queued tasks from other to this */
        while (other->queued_tasks->remove_last(other->queued_tasks,
                                                                                                (void**)&task) == SUCCESS)
@@ -984,7 +984,7 @@ static void reset(private_task_manager_t *this,
                                  u_int32_t initiate, u_int32_t respond)
 {
        task_t *task;
-       
+
        /* reset message counters and retransmit packets */
        DESTROY_IF(this->responding.packet);
        DESTROY_IF(this->initiating.packet);
@@ -999,7 +999,7 @@ static void reset(private_task_manager_t *this,
                this->responding.mid = respond;
        }
        this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
-       
+
        /* reset active tasks */
        while (this->active_tasks->remove_last(this->active_tasks,
                                                                                   (void**)&task) == SUCCESS)
@@ -1007,7 +1007,7 @@ static void reset(private_task_manager_t *this,
                task->migrate(task, this->ike_sa);
                this->queued_tasks->insert_first(this->queued_tasks, task);
        }
-       
+
        this->reset = TRUE;
 }
 
@@ -1017,11 +1017,11 @@ static void reset(private_task_manager_t *this,
 static void destroy(private_task_manager_t *this)
 {
        flush(this);
-       
+
        this->active_tasks->destroy(this->active_tasks);
        this->queued_tasks->destroy(this->queued_tasks);
        this->passive_tasks->destroy(this->passive_tasks);
-       
+
        DESTROY_IF(this->responding.packet);
        DESTROY_IF(this->initiating.packet);
        free(this);
@@ -1033,7 +1033,7 @@ static void destroy(private_task_manager_t *this)
 task_manager_t *task_manager_create(ike_sa_t *ike_sa)
 {
        private_task_manager_t *this = malloc_thing(private_task_manager_t);
-       
+
        this->public.process_message = (status_t(*)(task_manager_t*,message_t*))process_message;
        this->public.queue_task = (void(*)(task_manager_t*,task_t*))queue_task;
        this->public.initiate = (status_t(*)(task_manager_t*))build_request;
@@ -1042,7 +1042,7 @@ task_manager_t *task_manager_create(ike_sa_t *ike_sa)
        this->public.adopt_tasks = (void(*)(task_manager_t*,task_manager_t*))adopt_tasks;
        this->public.busy = (bool(*)(task_manager_t*))busy;
        this->public.destroy = (void(*)(task_manager_t*))destroy;
-       
+
        this->ike_sa = ike_sa;
        this->responding.packet = NULL;
        this->initiating.packet = NULL;
@@ -1053,6 +1053,6 @@ task_manager_t *task_manager_create(ike_sa_t *ike_sa)
        this->active_tasks = linked_list_create();
        this->passive_tasks = linked_list_create();
        this->reset = FALSE;
-       
+
        return &this->public;
 }
index 9c3b2cc8756baf6b74e4c1c3df4ce9b548e108b5..11c85a83769c7eaa06a34d6ebe7cd8d3e4bd29b0 100644 (file)
@@ -69,7 +69,7 @@ typedef struct task_manager_t task_manager_t;
  * For the initial IKE_SA setup, several tasks are queued: One for the
  * unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup
  * and maybe one for virtual IP assignement.
- * The task manager is also responsible for retransmission. It uses a backoff 
+ * The task manager is also responsible for retransmission. It uses a backoff
  * algorithm. The timeout is calculated using
  * RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try).
  * When try reaches RETRANSMIT_TRIES, retransmission is given up.
@@ -84,7 +84,7 @@ typedef struct task_manager_t task_manager_t;
    4s * (1.8 ** 3) =   23s        47s
    4s * (1.8 ** 4) =   42s        89s
    4s * (1.8 ** 5) =   76s       165s
+
    @endverbatim
  * The peer is considered dead after 2min 45s when no reply comes in.
  */
@@ -92,7 +92,7 @@ struct task_manager_t {
 
        /**
         * Process an incoming message.
-        * 
+        *
         * @param message               message to add payloads to
         * @return
         *                                              - DESTROY_ME if IKE_SA must be closed
@@ -118,24 +118,24 @@ struct task_manager_t {
         * A return value of INVALID_STATE means that the message was already
         * acknowledged and has not to be retransmitted. A return value of SUCCESS
         * means retransmission was required and the message has been resent.
-        * 
+        *
         * @param message_id    ID of the message to retransmit
         * @return
         *                                              - INVALID_STATE if retransmission not required
         *                                              - SUCCESS if retransmission sent
         */
        status_t (*retransmit) (task_manager_t *this, u_int32_t message_id);
-       
+
        /**
         * Migrate all tasks from other to this.
         *
         * To rekey or reestablish an IKE_SA completely, all queued or active
         * tasks should get migrated to the new IKE_SA.
-        * 
+        *
         * @param other                 manager which gives away its tasks
         */
        void (*adopt_tasks) (task_manager_t *this, task_manager_t *other);
-       
+
        /**
         * Reset message ID counters of the task manager.
         *
@@ -149,14 +149,14 @@ struct task_manager_t {
         * @param respond               message ID to respond to exchanges (expect)
         */
        void (*reset) (task_manager_t *this, u_int32_t initiate, u_int32_t respond);
-       
+
        /**
         * Check if we are currently waiting for a reply.
         *
         * @return                              TRUE if we are waiting, FALSE otherwise
         */
        bool (*busy) (task_manager_t *this);
-       
+
        /**
         * Destroy the task_manager_t.
         */
index 558938f2eb7eaef96dbd641c729e6792c96bcdf5..def190d230cc32738d87b4c3ba6ee09726c4f921 100644 (file)
@@ -33,132 +33,132 @@ typedef struct private_child_create_t private_child_create_t;
  * Private members of a child_create_t task.
  */
 struct private_child_create_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        child_create_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * nonce chosen by us
         */
        chunk_t my_nonce;
-       
+
        /**
         * nonce chosen by peer
         */
        chunk_t other_nonce;
-       
+
        /**
         * config to create the CHILD_SA from
         */
        child_cfg_t *config;
-       
+
        /**
         * list of proposal candidates
         */
        linked_list_t *proposals;
-       
+
        /**
         * selected proposal to use for CHILD_SA
         */
        proposal_t *proposal;
-       
+
        /**
         * traffic selectors for initiators side
         */
        linked_list_t *tsi;
-       
+
        /**
         * traffic selectors for responders side
         */
        linked_list_t *tsr;
-       
+
        /**
         * source of triggering packet
         */
        traffic_selector_t *packet_tsi;
-       
+
        /**
         * destination of triggering packet
         */
        traffic_selector_t *packet_tsr;
-       
+
        /**
         * optional diffie hellman exchange
         */
        diffie_hellman_t *dh;
-       
+
        /**
         * group used for DH exchange
         */
        diffie_hellman_group_t dh_group;
-       
+
        /**
         * IKE_SAs keymat
         */
        keymat_t *keymat;
-       
+
        /**
         * mode the new CHILD_SA uses (transport/tunnel/beet)
         */
        ipsec_mode_t mode;
-       
+
        /**
         * IPComp transform to use
         */
        ipcomp_transform_t ipcomp;
-       
+
        /**
         * IPComp transform proposed or accepted by the other peer
         */
        ipcomp_transform_t ipcomp_received;
-       
+
        /**
         * Own allocated SPI
         */
        u_int32_t my_spi;
-       
+
        /**
         * SPI received in proposal
         */
        u_int32_t other_spi;
-       
+
        /**
         * Own allocated Compression Parameter Index (CPI)
         */
        u_int16_t my_cpi;
-       
+
        /**
         * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
         */
        u_int16_t other_cpi;
-       
+
        /**
         * reqid to use if we are rekeying
         */
        u_int32_t reqid;
-       
+
        /**
         * CHILD_SA which gets established
         */
        child_sa_t *child_sa;
-       
+
        /**
         * successfully established the CHILD?
         */
        bool established;
-       
+
        /**
         * whether the CHILD_SA rekeys an existing one
         */
@@ -171,7 +171,7 @@ struct private_child_create_t {
 static status_t get_nonce(message_t *message, chunk_t *nonce)
 {
        nonce_payload_t *payload;
-       
+
        payload = (nonce_payload_t*)message->get_payload(message, NONCE);
        if (payload == NULL)
        {
@@ -187,7 +187,7 @@ static status_t get_nonce(message_t *message, chunk_t *nonce)
 static status_t generate_nonce(chunk_t *nonce)
 {
        rng_t *rng;
-       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
        if (!rng)
        {
@@ -207,7 +207,7 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host)
        traffic_selector_t *ts;
        bool is_host = TRUE;
        iterator_t *iterator = list->create_iterator(list, TRUE);
-       
+
        while (is_host && iterator->iterate(iterator, (void**)&ts))
        {
                is_host = is_host && ts->is_host(ts, host);
@@ -223,8 +223,8 @@ static bool allocate_spi(private_child_create_t *this)
 {
        enumerator_t *enumerator;
        proposal_t *proposal;
-       
-       /* TODO: allocate additional SPI for AH if we have such proposals */ 
+
+       /* TODO: allocate additional SPI for AH if we have such proposals */
        this->my_spi = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
        if (this->my_spi)
        {
@@ -260,7 +260,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
        chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
        linked_list_t *my_ts, *other_ts;
        host_t *me, *other, *other_vip, *my_vip;
-       
+
        if (this->proposals == NULL)
        {
                DBG1(DBG_IKE, "SA payload missing in message");
@@ -271,12 +271,12 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
                DBG1(DBG_IKE, "TS payloads missing in message");
                return NOT_FOUND;
        }
-       
+
        me = this->ike_sa->get_my_host(this->ike_sa);
        other = this->ike_sa->get_other_host(this->ike_sa);
        my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
        other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
-       
+
        this->proposal = this->config->select_proposal(this->config, this->proposals,
                                                                                                   no_dh);
        if (this->proposal == NULL)
@@ -285,18 +285,18 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
                return FAILED;
        }
        this->other_spi = this->proposal->get_spi(this->proposal);
-       
+
        if (!this->initiator && !allocate_spi(this))
        {       /* responder has no SPI allocated yet */
                DBG1(DBG_IKE, "allocating SPI failed");
                return FAILED;
        }
        this->child_sa->set_proposal(this->child_sa, this->proposal);
-       
+
        if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
        {
                u_int16_t group;
-               
+
                if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
                                                                                  &group, NULL))
                {
@@ -312,7 +312,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
                        return FAILED;
                }
        }
-       
+
        if (my_vip == NULL)
        {
                my_vip = me;
@@ -321,7 +321,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
        {
                other_vip = other;
        }
-       
+
        if (this->initiator)
        {
                nonce_i = this->my_nonce;
@@ -338,9 +338,9 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
        }
        my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
                                                                                                my_vip);
-       other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts, 
+       other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
                                                                                                   other_vip);
-       
+
        if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
        {
                my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
@@ -348,7 +348,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
                DBG1(DBG_IKE, "no acceptable traffic selectors found");
                return NOT_FOUND;
        }
-       
+
        this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
        this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
        if (this->initiator)
@@ -361,7 +361,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
                this->tsr = my_ts;
                this->tsi = other_ts;
        }
-       
+
        if (!this->initiator)
        {
                /* check if requested mode is acceptable, downgrade if required */
@@ -394,13 +394,13 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
                                break;
                }
        }
-       
+
        this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
        this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
        this->child_sa->set_mode(this->child_sa, this->mode);
        this->child_sa->set_protocol(this->child_sa,
                                                                 this->proposal->get_protocol(this->proposal));
-       
+
        if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
        {
                this->my_cpi = this->other_cpi = 0;
@@ -429,7 +429,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
        chunk_clear(&integ_r);
        chunk_clear(&encr_i);
        chunk_clear(&encr_r);
-       
+
        if (status_i != SUCCESS || status_o != SUCCESS)
        {
                DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
@@ -438,17 +438,17 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
                        (status_o != SUCCESS) ? "outbound " : "");
                return FAILED;
        }
-       
+
        status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
        if (status != SUCCESS)
-       {       
+       {
                DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
                return NOT_FOUND;
        }
-       
+
        charon->bus->child_keys(charon->bus, this->child_sa, this->dh,
                                                        nonce_i, nonce_r);
-       
+
        /* add to IKE_SA, and remove from task */
        this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
        this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
@@ -476,7 +476,7 @@ static void build_payloads(private_child_create_t *this, message_t *message)
                sa_payload = sa_payload_create_from_proposal(this->proposal);
        }
        message->add_payload(message, (payload_t*)sa_payload);
-       
+
        /* add nonce payload if not in IKE_AUTH */
        if (message->get_exchange_type(message) == CREATE_CHILD_SA)
        {
@@ -484,14 +484,14 @@ static void build_payloads(private_child_create_t *this, message_t *message)
                nonce_payload->set_nonce(nonce_payload, this->my_nonce);
                message->add_payload(message, (payload_t*)nonce_payload);
        }
-       
+
        /* diffie hellman exchange, if PFS enabled */
        if (this->dh)
        {
                ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
                message->add_payload(message, (payload_t*)ke_payload);
        }
-       
+
        /* add TSi/TSr payloads */
        ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
        message->add_payload(message, (payload_t*)ts_payload);
@@ -524,12 +524,12 @@ static void add_ipcomp_notify(private_child_create_t *this,
                         "IPComp disabled");
                return;
        }
-       
+
        this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
        if (this->my_cpi)
        {
                this->ipcomp = ipcomp;
-               message->add_notify(message, FALSE, IPCOMP_SUPPORTED, 
+               message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
                                                        chunk_cata("cc", chunk_from_thing(this->my_cpi),
                                                                           chunk_from_thing(ipcomp)));
        }
@@ -557,7 +557,7 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify
                        ipcomp_transform_t ipcomp;
                        u_int16_t cpi;
                        chunk_t data;
-                       
+
                        data = notify->get_notification_data(notify);
                        cpi = *(u_int16_t*)data.ptr;
                        ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
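Review bot: In handle_notify, `cpi = *(u_int16_t*)data.ptr;` and `*(data.ptr + 2)` read three bytes of peer-supplied notification data straight after `get_notification_data()`, with no length check visible in this hunk. Unless the notify payload parser already enforces the size (not shown here), a short or empty notify is read out of bounds. A guard before the reads, such as `if (data.len < 3) { DBG1(DBG_IKE, "received too short IPCOMP_SUPPORTED notify, ignored"); break; }`, would make the handler safe on its own; the `break` assumes this block is a switch case, which starts outside the hunk. The same pattern appears in process_i at `this->dh_group = ntohs(*((u_int16_t*)data.ptr));`, which needs `data.len >= 2`. Both casts also assume the buffer is 2-byte aligned, and copying with `memcpy(&cpi, data.ptr, sizeof(cpi));` avoids that; these are context lines the whitespace cleanup leaves untouched.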
@@ -591,7 +591,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
        sa_payload_t *sa_payload;
        ke_payload_t *ke_payload;
        ts_payload_t *ts_payload;
-       
+
        /* defaults to TUNNEL mode */
        this->mode = MODE_TUNNEL;
 
@@ -620,7 +620,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
                        case TRAFFIC_SELECTOR_INITIATOR:
                                ts_payload = (ts_payload_t*)payload;
                                this->tsi = ts_payload->get_traffic_selectors(ts_payload);
-                               break;  
+                               break;
                        case TRAFFIC_SELECTOR_RESPONDER:
                                ts_payload = (ts_payload_t*)payload;
                                this->tsr = ts_payload->get_traffic_selectors(ts_payload);
@@ -642,7 +642,7 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 {
        host_t *me, *other, *vip;
        peer_cfg_t *peer_cfg;
-       
+
        switch (message->get_exchange_type(message))
        {
                case IKE_SA_INIT:
@@ -668,7 +668,7 @@ static status_t build_i(private_child_create_t *this, message_t *message)
                default:
                        break;
        }
-       
+
        if (this->reqid)
        {
                DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
@@ -679,7 +679,7 @@ static status_t build_i(private_child_create_t *this, message_t *message)
                DBG0(DBG_IKE, "establishing CHILD_SA %s",
                         this->config->get_name(this->config));
        }
-       
+
        /* reuse virtual IP if we already have one */
        me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
        if (me == NULL)
@@ -691,7 +691,7 @@ static status_t build_i(private_child_create_t *this, message_t *message)
        {
                other = this->ike_sa->get_other_host(this->ike_sa);
        }
-       
+
        /* check if we want a virtual IP, but don't have one */
        peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
        vip = peer_cfg->get_virtual_ip(peer_cfg);
@@ -708,9 +708,9 @@ static status_t build_i(private_child_create_t *this, message_t *message)
                this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
                                                                                                                NULL, me);
        }
-       this->tsr = this->config->get_traffic_selectors(this->config, FALSE, 
+       this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
                                                                                                        NULL, other);
-       
+
        if (this->packet_tsi)
        {
                this->tsi->insert_first(this->tsi,
@@ -724,37 +724,37 @@ static status_t build_i(private_child_create_t *this, message_t *message)
        this->proposals = this->config->get_proposals(this->config,
                                                                                                  this->dh_group == MODP_NONE);
        this->mode = this->config->get_mode(this->config);
-       
+
        this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
                        this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
                        this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
-       
+
        if (!allocate_spi(this))
        {
                DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
                return FAILED;
        }
-       
+
        if (this->dh_group != MODP_NONE)
        {
                this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
        }
-       
+
        if (this->config->use_ipcomp(this->config))
        {
                /* IPCOMP_DEFLATE is the only transform we support at the moment */
                add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
        }
-       
+
        build_payloads(this, message);
-       
+
        this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
        this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
        this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
        this->tsi = NULL;
        this->tsr = NULL;
        this->proposals = NULL;
-       
+
        return NEED_MORE;
 }
 
@@ -779,9 +779,9 @@ static status_t process_r(private_child_create_t *this, message_t *message)
                default:
                        break;
        }
-       
+
        process_payloads(this, message);
-       
+
        return NEED_MORE;
 }
 
@@ -813,7 +813,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
        payload_t *payload;
        enumerator_t *enumerator;
        bool no_dh = TRUE;
-       
+
        switch (message->get_exchange_type(message))
        {
                case IKE_SA_INIT:
@@ -835,19 +835,19 @@ static status_t build_r(private_child_create_t *this, message_t *message)
                default:
                        break;
        }
-       
+
        if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
        {
                DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
                message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
                return SUCCESS;
        }
-       
+
        peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
        if (peer_cfg && this->tsi && this->tsr)
        {
                host_t *me, *other;
-               
+
                me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
                if (me == NULL)
                {
@@ -861,7 +861,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
                this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
                                                                                                  this->tsi, me, other);
        }
-       
+
        if (this->config == NULL)
        {
                DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
@@ -870,7 +870,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
                handle_child_sa_failure(this, message);
                return SUCCESS;
        }
-       
+
        /* check if ike_config_t included non-critical error notifies */
        enumerator = message->create_payload_enumerator(message);
        while (enumerator->enumerate(enumerator, &payload))
@@ -878,7 +878,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
                if (payload->get_type(payload) == NOTIFY)
                {
                        notify_payload_t *notify = (notify_payload_t*)payload;
-                       
+
                        switch (notify->get_notify_type(notify))
                        {
                                case INTERNAL_ADDRESS_FAILURE:
@@ -896,11 +896,11 @@ static status_t build_r(private_child_create_t *this, message_t *message)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
                        this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
                        this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
-       
+
        if (this->ipcomp_received != IPCOMP_NONE)
        {
                if (this->config->use_ipcomp(this->config))
@@ -913,7 +913,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
                                 notify_type_names, IPCOMP_SUPPORTED);
                }
        }
-       
+
        switch (select_and_install(this, no_dh))
        {
                case SUCCESS:
@@ -936,9 +936,9 @@ static status_t build_r(private_child_create_t *this, message_t *message)
                        handle_child_sa_failure(this, message);
                        return SUCCESS;
        }
-       
+
        build_payloads(this, message);
-       
+
        DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
                 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
                 this->child_sa->get_name(this->child_sa),
@@ -947,7 +947,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
                 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
                 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
                 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-       
+
        if (!this->rekey)
        {       /* invoke the child_up() hook if we are not rekeying */
                charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
@@ -989,7 +989,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
                {
                        notify_payload_t *notify = (notify_payload_t*)payload;
                        notify_type_t type = notify->get_notify_type(notify);
-                       
+
                        switch (type)
                        {
                                /* handle notify errors related to CHILD_SA only */
@@ -1012,14 +1012,14 @@ static status_t process_i(private_child_create_t *this, message_t *message)
                                {
                                        chunk_t data;
                                        diffie_hellman_group_t bad_group;
-                                       
+
                                        bad_group = this->dh_group;
                                        data = notify->get_notification_data(notify);
                                        this->dh_group = ntohs(*((u_int16_t*)data.ptr));
                                        DBG1(DBG_IKE, "peer didn't accept DH group %N, "
                                                 "it requested %N", diffie_hellman_group_names,
                                                 bad_group, diffie_hellman_group_names, this->dh_group);
-                                       
+
                                        this->public.task.migrate(&this->public.task, this->ike_sa);
                                        enumerator->destroy(enumerator);
                                        return NEED_MORE;
@@ -1030,9 +1030,9 @@ static status_t process_i(private_child_create_t *this, message_t *message)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        process_payloads(this, message);
-       
+
        if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
        {
                DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
@@ -1053,7 +1053,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
                handle_child_sa_failure(this, message);
                return SUCCESS;
        }
-       
+
        if (select_and_install(this, no_dh) == SUCCESS)
        {
                DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
@@ -1064,7 +1064,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
                         ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
                         this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
                         this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-               
+
                if (!this->rekey)
                {       /* invoke the child_up() hook if we are not rekeying */
                        charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
@@ -1105,7 +1105,7 @@ static child_sa_t* get_child(private_child_create_t *this)
  * Implementation of child_create_t.get_lower_nonce
  */
 static chunk_t get_lower_nonce(private_child_create_t *this)
-{      
+{
        if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
                           min(this->my_nonce.len, this->other_nonce.len)) < 0)
        {
@@ -1139,7 +1139,7 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
        {
                this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
        }
-       
+
        this->ike_sa = ike_sa;
        this->keymat = ike_sa->get_keymat(ike_sa);
        this->proposal = NULL;
@@ -1183,7 +1183,7 @@ static void destroy(private_child_create_t *this)
        {
                this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
        }
-       
+
        DESTROY_IF(this->config);
        free(this);
 }
@@ -1216,7 +1216,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
                this->initiator = FALSE;
        }
-       
+
        this->ike_sa = ike_sa;
        this->config = config;
        this->my_nonce = chunk_empty;
@@ -1241,6 +1241,6 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
        this->reqid = 0;
        this->established = FALSE;
        this->rekey = rekey;
-       
+
        return &this->public;
 }
index 41f4fe2c8b9c8c25007a8a4ccfb9f94dbdc68aec..5dedeb8b1f41478c01e74459980ba233f29c71bf 100644 (file)
@@ -31,7 +31,7 @@ typedef struct child_create_t child_create_t;
 /**
  * Task of type CHILD_CREATE, established a new CHILD_SA.
  *
- * This task may be included in the IKE_AUTH message or in a separate 
+ * This task may be included in the IKE_AUTH message or in a separate
  * CREATE_CHILD_SA exchange.
  */
 struct child_create_t {
@@ -40,24 +40,24 @@ struct child_create_t {
         * Implements the task_t interface
         */
        task_t task;
-       
+
        /**
         * Use a specific reqid for the CHILD_SA.
         *
         * When this task is used for rekeying, the same reqid is used
-        * for the new CHILD_SA. 
+        * for the new CHILD_SA.
         *
         * @param reqid         reqid to use
         */
        void (*use_reqid) (child_create_t *this, u_int32_t reqid);
-       
+
        /**
         * Get the lower of the two nonces, used for rekey collisions.
         *
         * @return                      lower nonce
         */
        chunk_t (*get_lower_nonce) (child_create_t *this);
-       
+
        /**
         * Get the CHILD_SA established/establishing by this task.
         *
index 849767854b58f8f8c3d020967a3c117b88f47911..d7c6b05414a12612184d461c4b26298d45432260 100644 (file)
@@ -25,42 +25,42 @@ typedef struct private_child_delete_t private_child_delete_t;
  * Private members of a child_delete_t task.
  */
 struct private_child_delete_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        child_delete_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * Protocol of CHILD_SA to delete
         */
        protocol_id_t protocol;
-       
+
        /**
         * Inbound SPI of CHILD_SA to delete
         */
        u_int32_t spi;
-       
+
        /**
         * whether to enforce delete action policy
         */
        bool check_delete_action;
-       
+
        /**
         * is this delete exchange following a rekey?
         */
        bool rekeyed;
-       
+
        /**
         * CHILD_SAs which get deleted
         */
@@ -75,10 +75,10 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
        delete_payload_t *ah = NULL, *esp = NULL;
        iterator_t *iterator;
        child_sa_t *child_sa;
-       
+
        iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
        while (iterator->iterate(iterator, (void**)&child_sa))
-       {       
+       {
                protocol_id_t protocol = child_sa->get_protocol(child_sa);
                u_int32_t spi = child_sa->get_spi(child_sa, TRUE);
 
@@ -91,7 +91,7 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
                                        message->add_payload(message, (payload_t*)esp);
                                }
                                esp->add_spi(esp, spi);
-                               DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x", 
+                               DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
                                                           protocol_id_names, protocol, ntohl(spi));
                                break;
                        case PROTO_AH:
@@ -101,7 +101,7 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
                                        message->add_payload(message, (payload_t*)ah);
                                }
                                ah->add_spi(ah, spi);
-                               DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x", 
+                               DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
                                                           protocol_id_names, protocol, ntohl(spi));
                                break;
                        default:
@@ -124,7 +124,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
        u_int32_t *spi;
        protocol_id_t protocol;
        child_sa_t *child_sa;
-       
+
        payloads = message->create_payload_enumerator(message);
        while (payloads->enumerate(payloads, &payload))
        {
@@ -147,9 +147,9 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
                                                 "but no such SA", protocol_id_names, protocol, ntohl(*spi));
                                        continue;
                                }
-                               DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x", 
+                               DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x",
                                                protocol_id_names, protocol, ntohl(*spi));
-                               
+
                                switch (child_sa->get_state(child_sa))
                                {
                                        case CHILD_REKEYING:
@@ -172,7 +172,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
                                        default:
                                                break;
                                }
-                               
+
                                this->child_sas->insert_last(this->child_sas, child_sa);
                        }
                        spis->destroy(spis);
@@ -192,7 +192,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
        protocol_id_t protocol;
        u_int32_t spi;
        status_t status = SUCCESS;
-       
+
        iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
        while (iterator->iterate(iterator, (void**)&child_sa))
        {
@@ -215,7 +215,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
                                        status = this->ike_sa->initiate(this->ike_sa, child_cfg, 0,
                                                                                                        NULL, NULL);
                                        break;
-                               case ACTION_ROUTE:      
+                               case ACTION_ROUTE:
                                        charon->traps->install(charon->traps,
                                                        this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg);
                                        break;
@@ -241,13 +241,13 @@ static void log_children(private_child_delete_t *this)
        iterator_t *iterator;
        child_sa_t *child_sa;
        u_int64_t bytes_in, bytes_out;
-       
+
        iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
        while (iterator->iterate(iterator, (void**)&child_sa))
        {
                child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
                child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
-               
+
                DBG0(DBG_IKE, "closing CHILD_SA %s{%d} "
                         "with SPIs %.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
                         child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
@@ -265,7 +265,7 @@ static void log_children(private_child_delete_t *this)
 static status_t build_i(private_child_delete_t *this, message_t *message)
 {
        child_sa_t *child_sa;
-       
+
        child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
                                                                                  this->spi, TRUE);
        if (!child_sa)
@@ -297,7 +297,7 @@ static status_t process_i(private_child_delete_t *this, message_t *message)
        /* flush the list before adding new SAs */
        this->child_sas->destroy(this->child_sas);
        this->child_sas = linked_list_create();
-       
+
        process_payloads(this, message);
        DBG1(DBG_IKE, "CHILD_SA closed");
        return destroy_and_reestablish(this);
@@ -321,7 +321,7 @@ static status_t build_r(private_child_delete_t *this, message_t *message)
        /* if we are rekeying, we send an empty informational */
        if (this->ike_sa->get_state(this->ike_sa) != IKE_REKEYING)
        {
-               build_payloads(this, message);  
+               build_payloads(this, message);
        }
        DBG1(DBG_IKE, "CHILD_SA closed");
        return destroy_and_reestablish(this);
@@ -352,7 +352,7 @@ static void migrate(private_child_delete_t *this, ike_sa_t *ike_sa)
 {
        this->check_delete_action = FALSE;
        this->ike_sa = ike_sa;
-       
+
        this->child_sas->destroy(this->child_sas);
        this->child_sas = linked_list_create();
 }
@@ -378,14 +378,14 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        this->ike_sa = ike_sa;
        this->check_delete_action = FALSE;
        this->child_sas = linked_list_create();
        this->protocol = protocol;
        this->spi = spi;
        this->rekeyed = FALSE;
-       
+
        if (protocol != PROTO_NONE)
        {
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
index 27d847035ce50023b10592ac2fcae780e6ba4d03..365807c687c8b9943eb684809c913adafdd33426 100644 (file)
@@ -37,7 +37,7 @@ struct child_delete_t {
         * Implements the task_t interface
         */
        task_t task;
-       
+
        /**
         * Get the CHILD_SA to delete by this task.
         *
index 06027d1126f2fdf3d676b8f2b3ea42f57afb183b..9db7ff4f79989da584354a6eb57f6b3302e4d3ed 100644 (file)
@@ -30,47 +30,47 @@ typedef struct private_child_rekey_t private_child_rekey_t;
  * Private members of a child_rekey_t task.
  */
 struct private_child_rekey_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        child_rekey_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * Protocol of CHILD_SA to rekey
         */
        protocol_id_t protocol;
-       
+
        /**
         * Inbound SPI of CHILD_SA to rekey
         */
        u_int32_t spi;
-       
+
        /**
         * the CHILD_CREATE task which is reused to simplify rekeying
         */
        child_create_t *child_create;
-       
+
        /**
         * the CHILD_DELETE task to delete rekeyed CHILD_SA
         */
        child_delete_t *child_delete;
-       
+
        /**
         * CHILD_SA which gets rekeyed
         */
        child_sa_t *child_sa;
-       
+
        /**
         * colliding task, may be delete or rekey
         */
@@ -84,7 +84,7 @@ static status_t build_i_delete(private_child_rekey_t *this, message_t *message)
 {
        /* update exchange type to INFORMATIONAL for the delete */
        message->set_exchange_type(message, INFORMATIONAL);
-       
+
        return this->child_delete->task.build(&this->child_delete->task, message);
 }
 
@@ -104,13 +104,13 @@ static void find_child(private_child_rekey_t *this, message_t *message)
        notify_payload_t *notify;
        protocol_id_t protocol;
        u_int32_t spi;
-       
+
        notify = message->get_notify(message, REKEY_SA);
        if (notify)
        {
                protocol = notify->get_protocol_id(notify);
                spi = notify->get_spi(notify);
-               
+
                if (protocol == PROTO_ESP || protocol == PROTO_AH)
                {
                        this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
@@ -127,7 +127,7 @@ static status_t build_i(private_child_rekey_t *this, message_t *message)
        notify_payload_t *notify;
        u_int32_t reqid;
        child_cfg_t *config;
-       
+
        this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
                                                                                                this->spi, TRUE);
        if (!this->child_sa)
@@ -144,22 +144,22 @@ static status_t build_i(private_child_rekey_t *this, message_t *message)
                this->spi = this->child_sa->get_spi(this->child_sa, TRUE);
        }
        config = this->child_sa->get_config(this->child_sa);
-       
+
        /* we just need the rekey notify ... */
        notify = notify_payload_create_from_protocol_and_type(this->protocol,
                                                                                                                  REKEY_SA);
        notify->set_spi(notify, this->spi);
        message->add_payload(message, (payload_t*)notify);
-       
+
        /* ... our CHILD_CREATE task does the hard work for us. */
        reqid = this->child_sa->get_reqid(this->child_sa);
        this->child_create = child_create_create(this->ike_sa, config, TRUE,
                                                                                         NULL, NULL);
        this->child_create->use_reqid(this->child_create, reqid);
        this->child_create->task.build(&this->child_create->task, message);
-       
+
        this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
-       
+
        return NEED_MORE;
 }
 
@@ -170,9 +170,9 @@ static status_t process_r(private_child_rekey_t *this, message_t *message)
 {
        /* let the CHILD_CREATE task process the message */
        this->child_create->task.process(&this->child_create->task, message);
-       
+
        find_child(this, message);
-       
+
        return NEED_MORE;
 }
 
@@ -190,21 +190,21 @@ static status_t build_r(private_child_rekey_t *this, message_t *message)
                message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
                return SUCCESS;
        }
-       
+
        /* let the CHILD_CREATE task build the response */
        reqid = this->child_sa->get_reqid(this->child_sa);
        this->child_create->use_reqid(this->child_create, reqid);
        this->child_create->task.build(&this->child_create->task, message);
-       
+
        if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
        {
                /* rekeying failed, reuse old child */
                this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
                return SUCCESS;
        }
-       
+
        this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
-       
+
        /* invoke rekey hook */
        charon->bus->child_rekey(charon->bus, this->child_sa,
                                                         this->child_create->get_child(this->child_create));
@@ -219,7 +219,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
        protocol_id_t protocol;
        u_int32_t spi;
        child_sa_t *to_delete;
-       
+
        if (message->get_notify(message, NO_ADDITIONAL_SAS))
        {
                DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
@@ -230,7 +230,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
                                                        this->ike_sa->get_id(this->ike_sa), TRUE));
                return SUCCESS;
        }
-       
+
        if (this->child_create->task.process(&this->child_create->task,
                                                                                 message) == NEED_MORE)
        {
@@ -242,12 +242,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
        {
                /* establishing new child failed, reuse old. but not when we
                 * recieved a delete in the meantime */
-               if (!(this->collision && 
+               if (!(this->collision &&
                          this->collision->get_type(this->collision) == CHILD_DELETE))
                {
                        job_t *job;
                        u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
-                       
+
                        job = (job_t*)rekey_child_sa_job_create(
                                                                this->child_sa->get_reqid(this->child_sa),
                                                                this->child_sa->get_protocol(this->child_sa),
@@ -259,22 +259,22 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
                }
                return SUCCESS;
        }
-       
+
        to_delete = this->child_sa;
-       
+
        /* check for rekey collisions */
        if (this->collision &&
                this->collision->get_type(this->collision) == CHILD_REKEY)
        {
                chunk_t this_nonce, other_nonce;
                private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
-               
+
                this_nonce = this->child_create->get_lower_nonce(this->child_create);
                other_nonce = other->child_create->get_lower_nonce(other->child_create);
-               
+
                /* if we have the lower nonce, delete rekeyed SA. If not, delete
                 * the redundant. */
-               if (memcmp(this_nonce.ptr, other_nonce.ptr, 
+               if (memcmp(this_nonce.ptr, other_nonce.ptr,
                                   min(this_nonce.len, other_nonce.len)) < 0)
                {
                        DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting rekeyed child");
@@ -290,21 +290,21 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
                        }
                }
        }
-       
+
        if (to_delete != this->child_create->get_child(this->child_create))
        {       /* invoke rekey hook if rekeying successful */
                charon->bus->child_rekey(charon->bus, this->child_sa,
                                                        this->child_create->get_child(this->child_create));
        }
-       
+
        spi = to_delete->get_spi(to_delete, TRUE);
        protocol = to_delete->get_protocol(to_delete);
-       
+
        /* rekeying done, delete the obsolete CHILD_SA using a subtask */
        this->child_delete = child_delete_create(this->ike_sa, protocol, spi);
        this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
        this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
-       
+
        return NEED_MORE;
 }
 
@@ -321,7 +321,7 @@ static task_type_t get_type(private_child_rekey_t *this)
  */
 static void collide(private_child_rekey_t *this, task_t *other)
 {
-       /* the task manager only detects exchange collision, but not if 
+       /* the task manager only detects exchange collision, but not if
         * the collision is for the same child. we check it here. */
        if (other->get_type(other) == CHILD_REKEY)
        {
@@ -338,7 +338,7 @@ static void collide(private_child_rekey_t *this, task_t *other)
                child_delete_t *del = (child_delete_t*)other;
                if (del == NULL || del->get_child(del) != this->child_sa)
                {
-                       /* not the same child => no collision */ 
+                       /* not the same child => no collision */
                        other->destroy(other);
                        return;
                }
@@ -357,7 +357,7 @@ static void collide(private_child_rekey_t *this, task_t *other)
  * Implementation of task_t.migrate
  */
 static void migrate(private_child_rekey_t *this, ike_sa_t *ike_sa)
-{      
+{
        if (this->child_create)
        {
                this->child_create->task.migrate(&this->child_create->task, ike_sa);
@@ -367,7 +367,7 @@ static void migrate(private_child_rekey_t *this, ike_sa_t *ike_sa)
                this->child_delete->task.migrate(&this->child_delete->task, ike_sa);
        }
        DESTROY_IF(this->collision);
-       
+
        this->ike_sa = ike_sa;
        this->collision = NULL;
 }
@@ -396,7 +396,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
                                                                  u_int32_t spi)
 {
        private_child_rekey_t *this = malloc_thing(private_child_rekey_t);
-       
+
        this->public.collide = (void (*)(child_rekey_t*,task_t*))collide;
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
@@ -415,13 +415,13 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
                this->initiator = FALSE;
                this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL);
        }
-       
+
        this->ike_sa = ike_sa;
        this->child_sa = NULL;
        this->protocol = protocol;
        this->spi = spi;
        this->collision = NULL;
        this->child_delete = NULL;
-       
+
        return &this->public;
 }
index 5aae2fb39145b8809830bcb7e5cc37f7257088c7..0a624796d9fc146b14eb00f88aef9786d9bf2b8c 100644 (file)
@@ -37,7 +37,7 @@ struct child_rekey_t {
         * Implements the task_t interface
         */
        task_t task;
-       
+
        /**
         * Register a rekeying task which collides with this one
         *
index d0b2a7e91cc672fa898bf7bb853e1e40c1f70d11..9f8fc89a21200f9ece3721b5fea34d289598dd88 100644 (file)
@@ -31,82 +31,82 @@ typedef struct private_ike_auth_t private_ike_auth_t;
  * Private members of a ike_auth_t task.
  */
 struct private_ike_auth_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_auth_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * Nonce chosen by us in ike_init
         */
        chunk_t my_nonce;
-       
+
        /**
         * Nonce chosen by peer in ike_init
         */
        chunk_t other_nonce;
-       
+
        /**
         * IKE_SA_INIT message sent by us
         */
        packet_t *my_packet;
-       
+
        /**
         * IKE_SA_INIT message sent by peer
         */
        packet_t *other_packet;
-       
+
        /**
         * completed authentication configs initiated by us (auth_cfg_t)
         */
        linked_list_t *my_cfgs;
-       
+
        /**
         * completed authentication configs initiated by other (auth_cfg_t)
         */
        linked_list_t *other_cfgs;;
-       
+
        /**
         * currently active authenticator, to authenticate us
         */
        authenticator_t *my_auth;
-       
+
        /**
         * currently active authenticator, to authenticate peer
         */
        authenticator_t *other_auth;
-       
+
        /**
         * peer_cfg candidates, ordered by priority
         */
        linked_list_t *candidates;
-       
+
        /**
         * selected peer config (might change when using multiple authentications)
         */
        peer_cfg_t *peer_cfg;
-       
+
        /**
         * have we planned an(other) authentication exchange?
         */
        bool do_another_auth;
-       
+
        /**
         * has the peer announced another authentication exchange?
         */
        bool expect_another_auth;
-       
+
        /**
         * should we send a AUTHENTICATION_FAILED notify?
         */
@@ -129,7 +129,7 @@ static status_t collect_my_init_data(private_ike_auth_t *this,
                                                                         message_t *message)
 {
        nonce_payload_t *nonce;
-       
+
        /* get the nonce that was generated in ike_init */
        nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
        if (nonce == NULL)
@@ -137,14 +137,14 @@ static status_t collect_my_init_data(private_ike_auth_t *this,
                return FAILED;
        }
        this->my_nonce = nonce->get_nonce(nonce);
-       
+
        /* pre-generate the message, keep a copy */
        if (this->ike_sa->generate_message(this->ike_sa, message,
                                                                           &this->my_packet) != SUCCESS)
        {
                return FAILED;
        }
-       return NEED_MORE; 
+       return NEED_MORE;
 }
 
 /**
@@ -155,7 +155,7 @@ static status_t collect_other_init_data(private_ike_auth_t *this,
 {
        /* we collect the needed information in the IKE_SA_INIT exchange */
        nonce_payload_t *nonce;
-       
+
        /* get the nonce that was generated in ike_init */
        nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
        if (nonce == NULL)
@@ -163,10 +163,10 @@ static status_t collect_other_init_data(private_ike_auth_t *this,
                return FAILED;
        }
        this->other_nonce = nonce->get_nonce(nonce);
-       
+
        /* keep a copy of the received packet */
        this->other_packet = message->get_packet(message);
-       return NEED_MORE; 
+       return NEED_MORE;
 }
 
 /**
@@ -176,13 +176,13 @@ static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
 {
        enumerator_t *e1, *e2;
        auth_cfg_t *c1, *c2, *next = NULL;
-       
+
        /* find an available config not already done */
        e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
        while (e1->enumerate(e1, &c1))
        {
                bool found = FALSE;
-               
+
                if (local)
                {
                        e2 = this->my_cfgs->create_enumerator(this->my_cfgs);
@@ -218,12 +218,12 @@ static bool do_another_auth(private_ike_auth_t *this)
        bool do_another = FALSE;
        enumerator_t *done, *todo;
        auth_cfg_t *done_cfg, *todo_cfg;
-       
+
        if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
        {
                return FALSE;
        }
-       
+
        done = this->my_cfgs->create_enumerator(this->my_cfgs);
        todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
        while (todo->enumerate(todo, &todo_cfg))
@@ -252,12 +252,12 @@ static bool load_cfg_candidates(private_ike_auth_t *this)
        peer_cfg_t *peer_cfg;
        host_t *me, *other;
        identification_t *my_id, *other_id;
-       
+
        me = this->ike_sa->get_my_host(this->ike_sa);
        other = this->ike_sa->get_other_host(this->ike_sa);
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        other_id = this->ike_sa->get_other_id(this->ike_sa);
-       
+
        enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
                                                                                                        me, other, my_id, other_id);
        while (enumerator->enumerate(enumerator, &peer_cfg))
@@ -296,10 +296,10 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
                        bool complies = TRUE;
                        enumerator_t *e1, *e2, *tmp;
                        auth_cfg_t *c1, *c2;
-                       
+
                        e1 = this->other_cfgs->create_enumerator(this->other_cfgs);
                        e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
-                       
+
                        if (strict)
                        {       /* swap lists in strict mode: all configured rounds must be
                                 * fulfilled. If !strict, we check only the rounds done so far. */
@@ -342,7 +342,7 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
                }
        }
        while (this->peer_cfg);
-       
+
        return this->peer_cfg != NULL;
 }
 
@@ -352,39 +352,39 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
 static status_t build_i(private_ike_auth_t *this, message_t *message)
 {
        auth_cfg_t *cfg;
-       
+
        if (message->get_exchange_type(message) == IKE_SA_INIT)
        {
                return collect_my_init_data(this, message);
        }
-       
+
        if (this->peer_cfg == NULL)
        {
                this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
                this->peer_cfg->get_ref(this->peer_cfg);
        }
-       
+
        if (message->get_message_id(message) == 1 &&
                this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
        {       /* in the first IKE_AUTH, indicate support for multiple authentication */
                message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED, chunk_empty);
        }
-       
+
        if (!this->do_another_auth && !this->my_auth)
        {       /* we have done our rounds */
                return NEED_MORE;
        }
-       
+
        /* check if an authenticator is in progress */
        if (this->my_auth == NULL)
        {
                identification_t *id;
                id_payload_t *id_payload;
-               
+
                /* clean up authentication config from a previous round */
                cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
                cfg->purge(cfg, TRUE);
-               
+
                /* add (optional) IDr */
                cfg = get_auth_cfg(this, FALSE);
                if (cfg)
@@ -410,7 +410,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
                this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
                id_payload = id_payload_create_from_identification(ID_INITIATOR, id);
                message->add_payload(message, (payload_t*)id_payload);
-               
+
                /* build authentication data */
                this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
                                                        this->other_nonce, this->my_nonce,
@@ -436,7 +436,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
                default:
                        return FAILED;
        }
-       
+
        /* check for additional authentication rounds */
        if (do_another_auth(this))
        {
@@ -460,12 +460,12 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
        auth_cfg_t *cfg, *cand;
        id_payload_t *id_payload;
        identification_t *id;
-       
+
        if (message->get_exchange_type(message) == IKE_SA_INIT)
        {
                return collect_other_init_data(this, message);
        }
-       
+
        if (this->my_auth == NULL && this->do_another_auth)
        {
                /* handle (optional) IDr payload, apply proposed identity */
@@ -480,7 +480,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
                }
                this->ike_sa->set_my_id(this->ike_sa, id);
        }
-       
+
        if (!this->expect_another_auth)
        {
                return NEED_MORE;
@@ -489,7 +489,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
        {
                this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
        }
-       
+
        if (this->other_auth == NULL)
        {
                /* handle IDi payload */
@@ -503,7 +503,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
                this->ike_sa->set_other_id(this->ike_sa, id);
                cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
                cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
-               
+
                if (this->peer_cfg == NULL)
                {
                        if (!load_cfg_candidates(this))
@@ -530,7 +530,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
                        }
                        cfg->merge(cfg, cand, TRUE);
                }
-               
+
                /* verify authentication data */
                this->other_auth = authenticator_create_verifier(this->ike_sa,
                                                        message, this->other_nonce, this->my_nonce,
@@ -558,12 +558,12 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
                        this->authentication_failed = TRUE;
                        return NEED_MORE;
        }
-       
+
        /* store authentication information */
        cfg = auth_cfg_create();
        cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
        this->other_cfgs->insert_last(this->other_cfgs, cfg);
-       
+
        /* another auth round done, invoke authorize hook */
        if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
        {
@@ -572,13 +572,13 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
                this->authentication_failed = TRUE;
                return NEED_MORE;
        }
-       
+
        if (!update_cfg_candidates(this, FALSE))
        {
                this->authentication_failed = TRUE;
                return NEED_MORE;
        }
-       
+
        if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
        {
                this->expect_another_auth = FALSE;
@@ -597,7 +597,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 static status_t build_r(private_ike_auth_t *this, message_t *message)
 {
        auth_cfg_t *cfg;
-       
+
        if (message->get_exchange_type(message) == IKE_SA_INIT)
        {
                if (multiple_auth_enabled())
@@ -607,23 +607,23 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                }
                return collect_my_init_data(this, message);
        }
-       
+
        if (this->authentication_failed || this->peer_cfg == NULL)
        {
                message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
                return FAILED;
        }
-       
+
        if (this->my_auth == NULL && this->do_another_auth)
        {
                identification_t *id, *id_cfg;
                id_payload_t *id_payload;
-               
+
                /* add IDr */
                cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
                cfg->purge(cfg, TRUE);
                cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
-               
+
                id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
                id = this->ike_sa->get_my_id(this->ike_sa);
                if (id->get_type(id) == ID_ANY)
@@ -648,10 +648,10 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                                return FAILED;
                        }
                }
-               
+
                id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
                message->add_payload(message, (payload_t*)id_payload);
-               
+
                /* build authentication data */
                this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
                                                        this->other_nonce, this->my_nonce,
@@ -663,7 +663,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                        return FAILED;
                }
        }
-       
+
        if (this->other_auth)
        {
                switch (this->other_auth->build(this->other_auth, message))
@@ -703,7 +703,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                                return FAILED;
                }
        }
-       
+
        /* check for additional authentication rounds */
        if (do_another_auth(this))
        {
@@ -735,7 +735,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                         this->ike_sa->get_name(this->ike_sa),
                         this->ike_sa->get_unique_id(this->ike_sa),
                         this->ike_sa->get_my_host(this->ike_sa),
-                        this->ike_sa->get_my_id(this->ike_sa), 
+                        this->ike_sa->get_my_id(this->ike_sa),
                         this->ike_sa->get_other_host(this->ike_sa),
                         this->ike_sa->get_other_id(this->ike_sa));
                charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
@@ -752,7 +752,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
        enumerator_t *enumerator;
        payload_t *payload;
        auth_cfg_t *cfg;
-       
+
        if (message->get_exchange_type(message) == IKE_SA_INIT)
        {
                if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
@@ -762,7 +762,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                }
                return collect_other_init_data(this, message);
        }
-       
+
        enumerator = message->create_payload_enumerator(message);
        while (enumerator->enumerate(enumerator, &payload))
        {
@@ -770,7 +770,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                {
                        notify_payload_t *notify = (notify_payload_t*)payload;
                        notify_type_t type = notify->get_notify_type(notify);
-                       
+
                        switch (type)
                        {
                                case NO_PROPOSAL_CHOSEN:
@@ -801,7 +801,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                                                DBG1(DBG_IKE, "received %N notify error",
                                                         notify_type_names, type);
                                                enumerator->destroy(enumerator);
-                                               return FAILED;  
+                                               return FAILED;
                                        }
                                        DBG2(DBG_IKE, "received %N notify",
                                                notify_type_names, type);
@@ -811,7 +811,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        if (this->my_auth)
        {
                switch (this->my_auth->process(this->my_auth, message))
@@ -831,21 +831,21 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                                return FAILED;
                }
        }
-       
+
        if (this->expect_another_auth)
        {
                if (this->other_auth == NULL)
                {
                        id_payload_t *id_payload;
                        identification_t *id;
-                       
+
                        /* responder is not allowed to do EAP */
                        if (!message->get_payload(message, AUTHENTICATION))
                        {
                                DBG1(DBG_IKE, "AUTH payload missing");
                                return FAILED;
                        }
-                       
+
                        /* handle IDr payload */
                        id_payload = (id_payload_t*)message->get_payload(message,
                                                                                                                         ID_RESPONDER);
@@ -858,7 +858,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                        this->ike_sa->set_other_id(this->ike_sa, id);
                        cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
                        cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
-                       
+
                        /* verify authentication data */
                        this->other_auth = authenticator_create_verifier(this->ike_sa,
                                                        message, this->other_nonce, this->my_nonce,
@@ -884,7 +884,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                this->other_cfgs->insert_last(this->other_cfgs, cfg);
                this->other_auth->destroy(this->other_auth);
                this->other_auth = NULL;
-               
+
                /* another auth round done, invoke authorize hook */
                if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
                {
@@ -893,7 +893,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                        return FAILED;
                }
        }
-       
+
        if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
        {
                this->expect_another_auth = FALSE;
@@ -914,7 +914,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                         this->ike_sa->get_name(this->ike_sa),
                         this->ike_sa->get_unique_id(this->ike_sa),
                         this->ike_sa->get_my_host(this->ike_sa),
-                        this->ike_sa->get_my_id(this->ike_sa), 
+                        this->ike_sa->get_my_id(this->ike_sa),
                         this->ike_sa->get_other_host(this->ike_sa),
                         this->ike_sa->get_other_id(this->ike_sa));
                charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
@@ -946,7 +946,7 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
        this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
        this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
        this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
-       
+
        this->my_packet = NULL;
        this->other_packet = NULL;
        this->ike_sa = ike_sa;
@@ -985,11 +985,11 @@ static void destroy(private_ike_auth_t *this)
 ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
 {
        private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
-       
+
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        if (initiator)
        {
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -1000,7 +1000,7 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
        }
-       
+
        this->ike_sa = ike_sa;
        this->initiator = initiator;
        this->my_nonce = chunk_empty;
@@ -1016,7 +1016,7 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
        this->do_another_auth = TRUE;
        this->expect_another_auth = TRUE;
        this->authentication_failed = FALSE;
-       
+
        return &this->public;
 }
 
index 819ac47bfb558cbb7f93375fb064a9a66e025e21..75ff351684098a3182aad22c829d0b0f15226cef 100644 (file)
@@ -27,12 +27,12 @@ typedef struct private_ike_auth_lifetime_t private_ike_auth_lifetime_t;
  * Private members of a ike_auth_lifetime_t task.
  */
 struct private_ike_auth_lifetime_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_auth_lifetime_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
@@ -46,7 +46,7 @@ static void add_auth_lifetime(private_ike_auth_lifetime_t *this, message_t *mess
 {
        chunk_t chunk;
        u_int32_t lifetime;
-       
+
        lifetime = this->ike_sa->get_statistic(this->ike_sa, STAT_REAUTH);
        if (lifetime)
        {
@@ -65,7 +65,7 @@ static void process_payloads(private_ike_auth_lifetime_t *this, message_t *messa
        notify_payload_t *notify;
        chunk_t data;
        u_int32_t lifetime;
-       
+
        notify = message->get_notify(message, AUTH_LIFETIME);
        if (notify)
        {
@@ -163,7 +163,7 @@ ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator)
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        if (initiator)
        {
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -174,9 +174,9 @@ ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator)
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
        }
-       
+
        this->ike_sa = ike_sa;
-       
+
        return &this->public;
 }
 
index 812caaf439c492b87041e65967f822a8b36f6525..4c65c8d3c4677cc69bfb649922456419ccd21afe 100644 (file)
@@ -30,7 +30,7 @@ typedef struct ike_auth_lifetime_t ike_auth_lifetime_t;
 /**
  * Task of type IKE_AUTH_LIFETIME, implements RFC4478.
  *
- * This task exchanges lifetimes for IKE_AUTH to force a client to 
+ * This task exchanges lifetimes for IKE_AUTH to force a client to
  * reauthenticate before the responders lifetime reaches the limit.
  */
 struct ike_auth_lifetime_t {
index 9967a969f13e8c886cc949fc1739095c742196ff..e6ecce0b5c6b5b1e93d3dc2e885dd4ee7fc187a2 100644 (file)
@@ -30,17 +30,17 @@ typedef struct private_ike_cert_post_t private_ike_cert_post_t;
  * Private members of a ike_cert_post_t task.
  */
 struct private_ike_cert_post_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_cert_post_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
@@ -58,23 +58,23 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
        chunk_t hash, encoded ;
        enumerator_t *enumerator;
        char *url;
-       
+
        if (!this->ike_sa->supports_extension(this->ike_sa, EXT_HASH_AND_URL))
        {
                return cert_payload_create_from_cert(cert);
        }
-       
+
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (!hasher)
        {
                DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
                return cert_payload_create_from_cert(cert);
        }
-       
+
        encoded = cert->get_encoding(cert);
        hasher->allocate_hash(hasher, encoded, &hash);
        id = identification_create_from_encoding(ID_KEY_ID, hash);
-       
+
        enumerator = charon->credentials->create_cdp_enumerator(
                                                                                charon->credentials, CERT_X509, id);
        if (!enumerator->enumerate(enumerator, &url))
@@ -82,7 +82,7 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
                url = NULL;
        }
        enumerator->destroy(enumerator);
-       
+
        id->destroy(id);
        chunk_free(&hash);
        chunk_free(&encoded);
@@ -101,14 +101,14 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 {
        peer_cfg_t *peer_cfg;
        auth_payload_t *payload;
-       
+
        payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
        peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
        if (!peer_cfg || !payload || payload->get_auth_method(payload) == AUTH_PSK)
        {       /* no CERT payload for EAP/PSK */
                return;
        }
-       
+
        switch (peer_cfg->get_cert_policy(peer_cfg))
        {
                case CERT_NEVER_SEND:
@@ -126,9 +126,9 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
                        certificate_t *cert;
                        auth_rule_t type;
                        auth_cfg_t *auth;
-                       
+
                        auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-                       
+
                        /* get subject cert first, then issuing certificates */
                        cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
                        if (!cert)
@@ -143,7 +143,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
                        DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
                                 cert->get_subject(cert));
                        message->add_payload(message, (payload_t*)payload);
-                       
+
                        enumerator = auth->create_enumerator(auth);
                        while (enumerator->enumerate(enumerator, &type, &cert))
                        {
@@ -159,7 +159,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
                                }
                        }
                        enumerator->destroy(enumerator);
-               }       
+               }
        }
 }
 
@@ -169,7 +169,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 static status_t build_i(private_ike_cert_post_t *this, message_t *message)
 {
        build_certs(this, message);
-       
+
        return NEED_MORE;
 }
 
@@ -177,7 +177,7 @@ static status_t build_i(private_ike_cert_post_t *this, message_t *message)
  * Implementation of task_t.process for responder
  */
 static status_t process_r(private_ike_cert_post_t *this, message_t *message)
-{      
+{
        return NEED_MORE;
 }
 
@@ -187,7 +187,7 @@ static status_t process_r(private_ike_cert_post_t *this, message_t *message)
 static status_t build_r(private_ike_cert_post_t *this, message_t *message)
 {
        build_certs(this, message);
-       
+
        if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
        {       /* stay alive, we might have additional rounds with certs */
                return NEED_MORE;
@@ -241,7 +241,7 @@ ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator)
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        if (initiator)
        {
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -252,10 +252,10 @@ ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator)
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
        }
-       
+
        this->ike_sa = ike_sa;
        this->initiator = initiator;
-       
+
        return &this->public;
 }
 
index d7f5f55d1791a23f2fa1f9b8b03cf33359db11be..0805d0290681475816455418733213cc49b09515 100644 (file)
@@ -29,27 +29,27 @@ typedef struct private_ike_cert_pre_t private_ike_cert_pre_t;
  * Private members of a ike_cert_pre_t task.
  */
 struct private_ike_cert_pre_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_cert_pre_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * Do we accept HTTP certificate lookup requests
         */
        bool do_http_lookup;
-       
+
        /**
         * wheter this is the final authentication round
         */
@@ -57,16 +57,16 @@ struct private_ike_cert_pre_t {
 };
 
 /**
- * read certificate requests 
+ * read certificate requests
  */
 static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 {
        enumerator_t *enumerator;
        payload_t *payload;
        auth_cfg_t *auth;
-       
+
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-       
+
        enumerator = message->create_payload_enumerator(message);
        while (enumerator->enumerate(enumerator, &payload))
        {
@@ -77,9 +77,9 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
                                certreq_payload_t *certreq = (certreq_payload_t*)payload;
                                enumerator_t *enumerator;
                                chunk_t keyid;
-                               
+
                                this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
-                               
+
                                if (certreq->get_cert_type(certreq) != CERT_X509)
                                {
                                        DBG1(DBG_IKE, "cert payload %N not supported - ignored",
@@ -91,9 +91,9 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
                                {
                                        identification_t *id;
                                        certificate_t *cert;
-                                       
+
                                        id = identification_create_from_encoding(ID_KEY_ID, keyid);
-                                       cert = charon->credentials->get_cert(charon->credentials, 
+                                       cert = charon->credentials->get_cert(charon->credentials,
                                                                                        CERT_X509, KEY_ANY, id, TRUE);
                                        if (cert)
                                        {
@@ -114,7 +114,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
                        case NOTIFY:
                        {
                                notify_payload_t *notify = (notify_payload_t*)payload;
-                               
+
                                /* we only handle one type of notify here */
                                if (notify->get_notify_type(notify) == HTTP_CERT_LOOKUP_SUPPORTED)
                                {
@@ -134,11 +134,11 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
  * tries to extract a certificate from the cert payload or the credential
  * manager (based on the hash of a "Hash and URL" encoded cert).
  * Note: the returned certificate (if any) has to be destroyed
- */ 
+ */
 static certificate_t *try_get_cert(cert_payload_t *cert_payload)
 {
        certificate_t *cert = NULL;
-       
+
        switch (cert_payload->get_cert_encoding(cert_payload))
        {
                case ENC_X509_SIGNATURE:
@@ -156,7 +156,7 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload)
                                break;
                        }
                        id = identification_create_from_encoding(ID_KEY_ID, hash);
-                       cert = charon->credentials->get_cert(charon->credentials, 
+                       cert = charon->credentials->get_cert(charon->credentials,
                                                                                                 CERT_X509, KEY_ANY, id, FALSE);
                        id->destroy(id);
                        break;
@@ -178,9 +178,9 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
        payload_t *payload;
        auth_cfg_t *auth;
        bool first = TRUE;
-       
+
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-       
+
        enumerator = message->create_payload_enumerator(message);
        while (enumerator->enumerate(enumerator, &payload))
        {
@@ -190,10 +190,10 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
                        cert_encoding_t encoding;
                        certificate_t *cert;
                        char *url;
-                       
+
                        cert_payload = (cert_payload_t*)payload;
                        encoding = cert_payload->get_cert_encoding(cert_payload);
-                       
+
                        switch (encoding)
                        {
                                case ENC_X509_HASH_AND_URL:
@@ -285,7 +285,7 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert)
                        public_key_t *public;
                        chunk_t keyid;
                        x509_t *x509 = (x509_t*)cert;
-                       
+
                        if (!(x509->get_flags(x509) & X509_CA))
                        {       /* no CA cert, skip */
                                break;
@@ -321,7 +321,7 @@ static void add_certreqs(certreq_payload_t **req, auth_cfg_t *auth)
        enumerator_t *enumerator;
        auth_rule_t type;
        void *value;
-       
+
        enumerator = auth->create_enumerator(auth);
        while (enumerator->enumerate(enumerator, &type, &value))
        {
@@ -348,13 +348,13 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
        certificate_t *cert;
        auth_cfg_t *auth;
        certreq_payload_t *req = NULL;
-       
+
        ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
        if (!ike_cfg->send_certreq(ike_cfg))
        {
                return;
        }
-       
+
        /* check if we require a specific CA for that peer */
        peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
        if (peer_cfg)
@@ -366,7 +366,7 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
                }
                enumerator->destroy(enumerator);
        }
-       
+
        if (!req)
        {
                /* otherwise add all trusted CA certificates */
@@ -378,11 +378,11 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
                }
                enumerator->destroy(enumerator);
        }
-       
+
        if (req)
        {
                message->add_payload(message, (payload_t*)req);
-               
+
                if (lib->settings->get_bool(lib->settings, "charon.hash_and_url", FALSE))
                {
                        message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
@@ -413,7 +413,7 @@ static bool final_auth(message_t *message)
  * Implementation of task_t.process for initiator
  */
 static status_t build_i(private_ike_cert_pre_t *this, message_t *message)
-{      
+{
        if (message->get_message_id(message) == 1)
        {       /* initiator sends CERTREQs in first IKE_AUTH */
                build_certreqs(this, message);
@@ -461,7 +461,7 @@ static status_t process_i(private_ike_cert_pre_t *this, message_t *message)
                process_certreqs(this, message);
        }
        process_certs(this, message);
-       
+
        if (final_auth(message))
        {
                return SUCCESS;
@@ -503,7 +503,7 @@ ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        if (initiator)
        {
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -514,11 +514,11 @@ ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
        }
-       
+
        this->ike_sa = ike_sa;
        this->initiator = initiator;
        this->do_http_lookup = FALSE;
        this->final = FALSE;
-       
+
        return &this->public;
 }
index 1f75521b6c827f1e560945a7cc67010d02129a85..bb5779e50d5bb9b32fc4363669303cf5ecdeda7d 100644 (file)
@@ -28,22 +28,22 @@ typedef struct private_ike_config_t private_ike_config_t;
  * Private members of a ike_config_t task.
  */
 struct private_ike_config_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_config_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * virtual ip
         */
@@ -57,9 +57,9 @@ static void build_vip(private_ike_config_t *this, host_t *vip, cp_payload_t *cp)
 {
        configuration_attribute_t *ca;
        chunk_t chunk, prefix;
-       
+
        ca = configuration_attribute_create();
-       
+
        if (vip->get_family(vip) == AF_INET)
        {
                ca->set_type(ca, INTERNAL_IP4_ADDRESS);
@@ -100,7 +100,7 @@ static void process_attribute(private_ike_config_t *this,
        host_t *ip;
        chunk_t addr;
        int family = AF_INET6;
-       
+
        switch (ca->get_type(ca))
        {
                case INTERNAL_IP4_ADDRESS:
@@ -118,7 +118,7 @@ static void process_attribute(private_ike_config_t *this,
                                /* skip prefix byte in IPv6 payload*/
                                if (family == AF_INET6)
                                {
-                                       addr.len--; 
+                                       addr.len--;
                                }
                                ip = host_create_from_chunk(family, addr, 0);
                        }
@@ -150,7 +150,7 @@ static void process_payloads(private_ike_config_t *this, message_t *message)
        enumerator_t *enumerator;
        iterator_t *attributes;
        payload_t *payload;
-       
+
        enumerator = message->create_payload_enumerator(message);
        while (enumerator->enumerate(enumerator, &payload))
        {
@@ -172,7 +172,7 @@ static void process_payloads(private_ike_config_t *this, message_t *message)
                                        break;
                                }
                                default:
-                                       DBG1(DBG_IKE, "ignoring %N config payload", 
+                                       DBG1(DBG_IKE, "ignoring %N config payload",
                                                 config_type_names, cp->get_config_type(cp));
                                        break;
                        }
@@ -190,7 +190,7 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
        {       /* in first IKE_AUTH only */
                peer_cfg_t *config;
                host_t *vip;
-               
+
                /* reuse virtual IP if we already have one */
                vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
                if (!vip)
@@ -202,12 +202,12 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
                {
                        configuration_attribute_t *ca;
                        cp_payload_t *cp;
-                       
+
                        cp = cp_payload_create();
                        cp->set_config_type(cp, CFG_REQUEST);
-                       
+
                        build_vip(this, vip, cp);
-                       
+
                        /* we currently always add a DNS request if we request an IP */
                        ca = configuration_attribute_create();
                        if (vip->get_family(vip) == AF_INET)
@@ -245,7 +245,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
        if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
        {       /* in last IKE_AUTH exchange */
                peer_cfg_t *config = this->ike_sa->get_peer_cfg(this->ike_sa);
-               
+
                if (config && this->virtual_ip)
                {
                        enumerator_t *enumerator;
@@ -254,11 +254,11 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
                        chunk_t value;
                        cp_payload_t *cp;
                        host_t *vip = NULL;
-                       
+
                        DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
                        if (config->get_pool(config))
                        {
-                               vip = charon->attributes->acquire_address(charon->attributes, 
+                               vip = charon->attributes->acquire_address(charon->attributes,
                                                                        config->get_pool(config),
                                                                        this->ike_sa->get_other_id(this->ike_sa),
                                                                        this->virtual_ip);
@@ -273,13 +273,13 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
                        }
                        DBG1(DBG_IKE, "assigning virtual IP %H to peer", vip);
                        this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip);
-                       
+
                        cp = cp_payload_create();
                        cp->set_config_type(cp, CFG_REPLY);
-                       
+
                        build_vip(this, vip, cp);
                        vip->destroy(vip);
-                       
+
                        /* if we add an IP, we also look for other attributes */
                        enumerator = charon->attributes->create_attribute_enumerator(
                                charon->attributes, this->ike_sa->get_other_id(this->ike_sa));
@@ -291,7 +291,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
                                cp->add_configuration_attribute(cp, ca);
                        }
                        enumerator->destroy(enumerator);
-                       
+
                        message->add_payload(message, (payload_t*)cp);
                }
                return SUCCESS;
@@ -306,9 +306,9 @@ static status_t process_i(private_ike_config_t *this, message_t *message)
 {
        if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
        {       /* in last IKE_AUTH exchange */
-               
+
                process_payloads(this, message);
-               
+
                if (this->virtual_ip)
                {
                        this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip);
@@ -332,7 +332,7 @@ static task_type_t get_type(private_ike_config_t *this)
 static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa)
 {
        DESTROY_IF(this->virtual_ip);
-       
+
        this->ike_sa = ike_sa;
        this->virtual_ip = NULL;
 }
@@ -352,15 +352,15 @@ static void destroy(private_ike_config_t *this)
 ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
 {
        private_ike_config_t *this = malloc_thing(private_ike_config_t);
-       
+
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        this->initiator = initiator;
        this->ike_sa = ike_sa;
        this->virtual_ip = NULL;
-       
+
        if (initiator)
        {
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -371,7 +371,7 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
        }
-       
+
        return &this->public;
 }
 
index cde11793495f0da86aed33ff88d4682077435021..130948836ab4af4414e051e825acd56229c79bdd 100644 (file)
@@ -25,27 +25,27 @@ typedef struct private_ike_delete_t private_ike_delete_t;
  * Private members of a ike_delete_t task.
  */
 struct private_ike_delete_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_delete_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * are we deleting a rekeyed SA?
         */
        bool rekeyed;
-       
+
        /**
         * are we responding to a delete, but have initated our own?
         */
@@ -69,7 +69,7 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
 
        delete_payload = delete_payload_create(PROTO_IKE);
        message->add_payload(message, (payload_t*)delete_payload);
-       
+
        if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
        {
                this->rekeyed = TRUE;
@@ -189,7 +189,7 @@ ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator)
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        if (initiator)
        {
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -200,11 +200,11 @@ ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator)
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
        }
-       
+
        this->ike_sa = ike_sa;
        this->initiator = initiator;
        this->rekeyed = FALSE;
        this->simultaneous = FALSE;
-       
+
        return &this->public;
 }
index 3aa714049d747fa970fbe54ae901696e4e0cb914..4c6ba7662f9787cafad006d9011cc13f83cf42a2 100644 (file)
@@ -24,7 +24,7 @@ typedef struct private_ike_dpd_t private_ike_dpd_t;
  * Private members of a ike_dpd_t task.
  */
 struct private_ike_dpd_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
@@ -83,7 +83,7 @@ ike_dpd_t *ike_dpd_create(bool initiator)
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        if (initiator)
        {
                this->public.task.build = (status_t(*)(task_t*,message_t*))return_need_more;
@@ -94,6 +94,6 @@ ike_dpd_t *ike_dpd_create(bool initiator)
                this->public.task.build = (status_t(*)(task_t*,message_t*))return_success;
                this->public.task.process = (status_t(*)(task_t*,message_t*))return_need_more;
        }
-       
+
        return &this->public;
 }
index a64ec3d53087ed2ef8c4ccbf747d185805184dfb..7968c265df38f92864abafc76471ecfeee5e82db 100644 (file)
@@ -35,67 +35,67 @@ typedef struct private_ike_init_t private_ike_init_t;
  * Private members of a ike_init_t task.
  */
 struct private_ike_init_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_init_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * IKE config to establish
         */
        ike_cfg_t *config;
-       
+
        /**
         * diffie hellman group to use
         */
        diffie_hellman_group_t dh_group;
-       
+
        /**
         * diffie hellman key exchange
         */
        diffie_hellman_t *dh;
-       
+
        /**
         * Keymat derivation (from IKE_SA)
         */
        keymat_t *keymat;
-       
+
        /**
         * nonce chosen by us
         */
        chunk_t my_nonce;
-       
+
        /**
         * nonce chosen by peer
         */
        chunk_t other_nonce;
-       
+
        /**
         * Negotiated proposal used for IKE_SA
         */
        proposal_t *proposal;
-       
+
        /**
         * Old IKE_SA which gets rekeyed
         */
        ike_sa_t *old_sa;
-       
+
        /**
         * cookie received from responder
         */
        chunk_t cookie;
-       
+
        /**
         * retries done so far after failure (cookie or bad dh group)
         */
@@ -114,9 +114,9 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
        ike_sa_id_t *id;
        proposal_t *proposal;
        iterator_t *iterator;
-       
+
        id = this->ike_sa->get_id(this->ike_sa);
-       
+
        this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
 
        if (this->initiator)
@@ -132,7 +132,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
                        }
                        iterator->destroy(iterator);
                }
-               
+
                sa_payload = sa_payload_create_from_proposal_list(proposal_list);
                proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
        }
@@ -146,11 +146,11 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
                sa_payload = sa_payload_create_from_proposal(this->proposal);
        }
        message->add_payload(message, (payload_t*)sa_payload);
-       
+
        nonce_payload = nonce_payload_create();
        nonce_payload->set_nonce(nonce_payload, this->my_nonce);
        ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
-       
+
        if (this->old_sa)
        {       /* payload order differs if we are rekeying */
                message->add_payload(message, (payload_t*)nonce_payload);
@@ -170,7 +170,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 {
        enumerator_t *enumerator;
        payload_t *payload;
-       
+
        enumerator = message->create_payload_enumerator(message);
        while (enumerator->enumerate(enumerator, &payload))
        {
@@ -180,7 +180,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                        {
                                sa_payload_t *sa_payload = (sa_payload_t*)payload;
                                linked_list_t *proposal_list;
-                               
+
                                proposal_list = sa_payload->get_proposals(sa_payload);
                                this->proposal = this->config->select_proposal(this->config,
                                                                                                                           proposal_list);
@@ -191,7 +191,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                        case KEY_EXCHANGE:
                        {
                                ke_payload_t *ke_payload = (ke_payload_t*)payload;
-                               
+
                                this->dh_group = ke_payload->get_dh_group_number(ke_payload);
                                if (!this->initiator)
                                {
@@ -232,20 +232,20 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 static status_t build_i(private_ike_init_t *this, message_t *message)
 {
        rng_t *rng;
-       
+
        this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
        DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa),
                 this->ike_sa->get_other_host(this->ike_sa));
        this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
-       
+
        if (this->retry++ >= MAX_RETRIES)
        {
                DBG1(DBG_IKE, "giving up after %d retries", MAX_RETRIES);
                return FAILED;
        }
-       
+
        /* if the DH group is set via use_dh_group(), we already have a DH object */
        if (!this->dh)
        {
@@ -258,7 +258,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
                        return FAILED;
                }
        }
-       
+
        /* generate nonce only when we are trying the first time */
        if (this->my_nonce.ptr == NULL)
        {
@@ -271,12 +271,12 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
                rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
                rng->destroy(rng);
        }
-       
+
        if (this->cookie.ptr)
        {
                message->add_notify(message, FALSE, COOKIE, this->cookie);
        }
-       
+
        build_payloads(this, message);
 
 #ifdef ME
@@ -288,7 +288,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
                }
        }
 #endif /* ME */
-       
+
        return NEED_MORE;
 }
 
@@ -298,7 +298,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
 static status_t process_r(private_ike_init_t *this, message_t *message)
 {
        rng_t *rng;
-       
+
        this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
        DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message));
        this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
@@ -311,7 +311,7 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
        }
        rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
        rng->destroy(rng);
-       
+
 #ifdef ME
        {
                notify_payload_t *notify = message->get_notify(message, ME_CONNECTID);
@@ -324,9 +324,9 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
                }
        }
 #endif /* ME */
-       
+
        process_payloads(this, message);
-       
+
        return NEED_MORE;
 }
 
@@ -340,7 +340,7 @@ static bool derive_keys(private_ike_init_t *this,
        pseudo_random_function_t prf_alg = PRF_UNDEFINED;
        chunk_t skd = chunk_empty;
        ike_sa_id_t *id;
-       
+
        id = this->ike_sa->get_id(this->ike_sa);
        if (this->old_sa)
        {
@@ -380,12 +380,12 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
                return FAILED;
        }
        this->ike_sa->set_proposal(this->ike_sa, this->proposal);
-       
+
        if (this->dh == NULL ||
                !this->proposal->has_dh_group(this->proposal, this->dh_group))
        {
                u_int16_t group;
-               
+
                if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
                                                                                  &group, NULL))
                {
@@ -403,7 +403,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
                }
                return FAILED;
        }
-       
+
        if (!derive_keys(this, this->other_nonce, this->my_nonce))
        {
                DBG1(DBG_IKE, "key derivation failed");
@@ -421,7 +421,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 {
        enumerator_t *enumerator;
        payload_t *payload;
-       
+
        /* check for erronous notifies */
        enumerator = message->create_payload_enumerator(message);
        while (enumerator->enumerate(enumerator, &payload))
@@ -430,26 +430,26 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
                {
                        notify_payload_t *notify = (notify_payload_t*)payload;
                        notify_type_t type = notify->get_notify_type(notify);
-                       
+
                        switch (type)
                        {
                                case INVALID_KE_PAYLOAD:
                                {
                                        chunk_t data;
                                        diffie_hellman_group_t bad_group;
-                                       
+
                                        bad_group = this->dh_group;
                                        data = notify->get_notification_data(notify);
                                        this->dh_group = ntohs(*((u_int16_t*)data.ptr));
                                        DBG1(DBG_IKE, "peer didn't accept DH group %N, "
                                                 "it requested %N", diffie_hellman_group_names,
                                                 bad_group, diffie_hellman_group_names, this->dh_group);
-                                                
+
                                        if (this->old_sa == NULL)
                                        {       /* reset the IKE_SA if we are not rekeying */
                                                this->ike_sa->reset(this->ike_sa);
                                        }
-                                       
+
                                        enumerator->destroy(enumerator);
                                        return NEED_MORE;
                                }
@@ -486,7 +486,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        process_payloads(this, message);
 
        /* check if we have everything */
@@ -497,14 +497,14 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
                return FAILED;
        }
        this->ike_sa->set_proposal(this->ike_sa, this->proposal);
-       
+
        if (this->dh == NULL ||
                !this->proposal->has_dh_group(this->proposal, this->dh_group))
        {
                DBG1(DBG_IKE, "peer DH group selection invalid");
                return FAILED;
        }
-       
+
        if (!derive_keys(this, this->my_nonce, this->other_nonce))
        {
                DBG1(DBG_IKE, "key derivation failed");
@@ -544,7 +544,7 @@ static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
 {
        DESTROY_IF(this->proposal);
        chunk_free(&this->other_nonce);
-       
+
        this->ike_sa = ike_sa;
        this->proposal = NULL;
        DESTROY_IF(this->dh);
@@ -585,7 +585,7 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
        }
-       
+
        this->ike_sa = ike_sa;
        this->initiator = initiator;
        this->dh_group = MODP_NONE;
@@ -598,6 +598,6 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
        this->config = NULL;
        this->old_sa = old_sa;
        this->retry = 0;
-       
+
        return &this->public;
 }
index 8d3810ef2d684cd350bcc26d0efdfc909a75d900..7bd784cff9a8e64ce9200cf673aeddba63ada302 100644 (file)
@@ -38,7 +38,7 @@ struct ike_init_t {
         * Implements the task_t interface
         */
        task_t task;
-       
+
        /**
         * Get the lower of the two nonces, used for rekey collisions.
         *
index d359aa339a6c3a61d93bb535f795b4fd94157716..0eb602b106a702179332b93ca333e006ca5ec4bf 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include "ike_me.h"
 
 #include <string.h>
@@ -33,71 +33,71 @@ typedef struct private_ike_me_t private_ike_me_t;
  * Private members of a ike_me_t task.
  */
 struct private_ike_me_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_me_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * Is this a mediation connection?
         */
        bool mediation;
-       
+
        /**
         * Is this the response from another peer?
         */
        bool response;
-       
+
        /**
         * Gathered endpoints
         */
        linked_list_t *local_endpoints;
-       
+
        /**
         * Parsed endpoints
         */
        linked_list_t *remote_endpoints;
-       
+
        /**
         * Did the peer request a callback?
         */
        bool callback;
-       
+
        /**
         * Did the connect fail?
         */
        bool failed;
-       
+
        /**
         * Was there anything wrong with the payloads?
         */
        bool invalid_syntax;
-       
+
        /**
         * The requested peer
         */
-       identification_t *peer_id;      
+       identification_t *peer_id;
        /**
         * Received ID used for connectivity checks
         */
        chunk_t connect_id;
-       
+
        /**
         * Received key used for connectivity checks
         */
        chunk_t connect_key;
-       
+
        /**
         * Peer config of the mediated connection
         */
@@ -112,7 +112,7 @@ static void add_endpoints_to_message(message_t *message, linked_list_t *endpoint
 {
        iterator_t *iterator;
        endpoint_notify_t *endpoint;
-       
+
        iterator = endpoints->create_iterator(endpoints, TRUE);
        while (iterator->iterate(iterator, (void**)&endpoint))
        {
@@ -129,25 +129,25 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
        enumerator_t *enumerator;
        host_t *addr, *host;
        u_int16_t port;
-       
+
        /* get the port that is used to communicate with the ms */
        host = this->ike_sa->get_my_host(this->ike_sa);
        port = host->get_port(host);
-       
+
        enumerator = charon->kernel_interface->create_address_enumerator(
                                                                                charon->kernel_interface, FALSE, FALSE);
        while (enumerator->enumerate(enumerator, (void**)&addr))
        {
                host = addr->clone(addr);
                host->set_port(host, port);
-               
+
                this->local_endpoints->insert_last(this->local_endpoints,
                                endpoint_notify_create_from_host(HOST, host, NULL));
-               
+
                host->destroy(host);
        }
        enumerator->destroy(enumerator);
-       
+
        host = this->ike_sa->get_server_reflexive_host(this->ike_sa);
        if (host)
        {
@@ -155,7 +155,7 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
                                endpoint_notify_create_from_host(SERVER_REFLEXIVE, host,
                                                this->ike_sa->get_my_host(this->ike_sa)));
        }
-       
+
        add_endpoints_to_message(message, this->local_endpoints);
 }
 
@@ -166,7 +166,7 @@ static void process_payloads(private_ike_me_t *this, message_t *message)
 {
        enumerator_t *enumerator;
        payload_t *payload;
-       
+
        enumerator = message->create_payload_enumerator(message);
        while (enumerator->enumerate(enumerator, &payload))
        {
@@ -174,9 +174,9 @@ static void process_payloads(private_ike_me_t *this, message_t *message)
                {
                        continue;
                }
-               
+
                notify_payload_t *notify = (notify_payload_t*)payload;
-               
+
                switch (notify->get_notify_type(notify))
                {
                        case ME_CONNECT_FAILED:
@@ -201,7 +201,7 @@ static void process_payloads(private_ike_me_t *this, message_t *message)
                                }
                                DBG1(DBG_IKE, "received %N ME_ENDPOINT %#H", me_endpoint_type_names,
                                        endpoint->get_type(endpoint), endpoint->get_host(endpoint));
-                               
+
                                this->remote_endpoints->insert_last(this->remote_endpoints, endpoint);
                                break;
                        }
@@ -273,14 +273,14 @@ static status_t build_i(private_ike_me_t *this, message_t *message)
                {
                        id_payload_t *id_payload;
                        rng_t *rng;
-                       
+
                        id_payload = id_payload_create_from_identification(ID_PEER, this->peer_id);
                        message->add_payload(message, (payload_t*)id_payload);
-                       
+
                        rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
                        if (!rng)
                        {
-                               DBG1(DBG_IKE, "unable to generate connect ID for ME_CONNECT");  
+                               DBG1(DBG_IKE, "unable to generate connect ID for ME_CONNECT");
                                return FAILED;
                        }
                        if (!this->response)
@@ -291,10 +291,10 @@ static status_t build_i(private_ike_me_t *this, message_t *message)
                        }
                        rng->allocate_bytes(rng, ME_CONNECTKEY_LEN, &this->connect_key);
                        rng->destroy(rng);
-                       
+
                        message->add_notify(message, FALSE, ME_CONNECTID, this->connect_id);
                        message->add_notify(message, FALSE, ME_CONNECTKEY, this->connect_key);
-                       
+
                        if (this->response)
                        {
                                message->add_notify(message, FALSE, ME_RESPONSE, chunk_empty);
@@ -304,9 +304,9 @@ static status_t build_i(private_ike_me_t *this, message_t *message)
                                /* FIXME: should we make that configurable? */
                                message->add_notify(message, FALSE, ME_CALLBACK, chunk_empty);
                        }
-                       
+
                        gather_and_add_endpoints(this, message);
-                       
+
                        break;
                }
                default:
@@ -332,36 +332,36 @@ static status_t process_r(private_ike_me_t *this, message_t *message)
                                break;
                        }
                        this->peer_id = id_payload->get_identification(id_payload);
-                       
+
                        process_payloads(this, message);
-                       
+
                        if (this->callback)
                        {
                                DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id);
                                break;
-                       }                       
-                       
+                       }
+
                        if (!this->connect_id.ptr)
                        {
                                DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify, aborting");
                                this->invalid_syntax = TRUE;
                                break;
                        }
-                       
+
                        if (!this->connect_key.ptr)
                        {
                                DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY notify, aborting");
                                this->invalid_syntax = TRUE;
                                break;
                        }
-                       
+
                        if (!this->remote_endpoints->get_count(this->remote_endpoints))
                        {
                                DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT payloads, aborting");
                                this->invalid_syntax = TRUE;
                                break;
                        }
-                       
+
                        DBG1(DBG_IKE, "received ME_CONNECT");
                        break;
                }
@@ -385,7 +385,7 @@ static status_t build_r(private_ike_me_t *this, message_t *message)
                                message->add_notify(message, TRUE, INVALID_SYNTAX, chunk_empty);
                                break;
                        }
-                       
+
                        if (this->callback)
                        {
                                charon->connect_manager->check_and_initiate(charon->connect_manager,
@@ -393,7 +393,7 @@ static status_t build_r(private_ike_me_t *this, message_t *message)
                                                this->ike_sa->get_my_id(this->ike_sa), this->peer_id);
                                return SUCCESS;
                        }
-                       
+
                        if (this->response)
                        {
                                /* FIXME: handle result of set_responder_data
@@ -434,13 +434,13 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
                case IKE_SA_INIT:
                {
                        process_payloads(this, message);
-               
+
                        if (!this->mediation)
                        {
                                DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting");
                                return FAILED;
                        }
-       
+
                        return NEED_MORE;
                }
                case IKE_AUTH:
@@ -449,24 +449,24 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
                        /* FIXME: we should update the server reflexive endpoint somehow,
                         * if mobike notices a change */
                        endpoint_notify_t *reflexive;
-                       if (this->remote_endpoints->get_first(this->remote_endpoints, 
+                       if (this->remote_endpoints->get_first(this->remote_endpoints,
                                                                                        (void**)&reflexive) == SUCCESS &&
                                reflexive->get_type(reflexive) == SERVER_REFLEXIVE)
-                       {       /* FIXME: should we accept this endpoint even if we did not send 
+                       {       /* FIXME: should we accept this endpoint even if we did not send
                                 * a request? */
                                host_t *endpoint = reflexive->get_host(reflexive);
-                               
+
                                this->ike_sa->set_server_reflexive_host(this->ike_sa, endpoint->clone(endpoint));
                        }
                        /* FIXME: what if it failed? e.g. AUTH failure */
                        DBG1(DBG_IKE, "established mediation connection successfully");
-                       
+
                        break;
                }
                case ME_CONNECT:
                {
                        process_payloads(this, message);
-                       
+
                        if (this->failed)
                        {
                                DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id);
@@ -512,7 +512,7 @@ static status_t build_i_ms(private_ike_me_t *this, message_t *message)
                {
                        id_payload_t *id_payload = id_payload_create_from_identification(ID_PEER, this->peer_id);
                        message->add_payload(message, (payload_t*)id_payload);
-                       
+
                        if (this->callback)
                        {
                                message->add_notify(message, FALSE, ME_CALLBACK, chunk_empty);
@@ -522,10 +522,10 @@ static status_t build_i_ms(private_ike_me_t *this, message_t *message)
                                if (this->response)
                                {
                                        message->add_notify(message, FALSE, ME_RESPONSE, chunk_empty);
-                               }       
+                               }
                                message->add_notify(message, FALSE, ME_CONNECTID, this->connect_id);
                                message->add_notify(message, FALSE, ME_CONNECTKEY, this->connect_key);
-                               
+
                                add_endpoints_to_message(message, this->remote_endpoints);
                        }
                        break;
@@ -533,7 +533,7 @@ static status_t build_i_ms(private_ike_me_t *this, message_t *message)
                default:
                        break;
        }
-       
+
        return NEED_MORE;
 }
 
@@ -574,25 +574,25 @@ static status_t process_r_ms(private_ike_me_t *this, message_t *message)
                                this->invalid_syntax = TRUE;
                                break;
                        }
-                       
+
                        this->peer_id = id_payload->get_identification(id_payload);
-                       
+
                        process_payloads(this, message);
-                       
+
                        if (!this->connect_id.ptr)
                        {
                                DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify, aborting");
                                this->invalid_syntax = TRUE;
                                break;
                        }
-                       
+
                        if (!this->connect_key.ptr)
                        {
                                DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY notify, aborting");
                                this->invalid_syntax = TRUE;
                                break;
                        }
-                       
+
                        if (!this->remote_endpoints->get_count(this->remote_endpoints))
                        {
                                DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT payloads, aborting");
@@ -604,7 +604,7 @@ static status_t process_r_ms(private_ike_me_t *this, message_t *message)
                default:
                        break;
        }
-       
+
        return NEED_MORE;
 }
 
@@ -627,30 +627,30 @@ static status_t build_r_ms(private_ike_me_t *this, message_t *message)
                                        endpoint->get_type(endpoint) == SERVER_REFLEXIVE)
                        {
                                host_t *host = this->ike_sa->get_other_host(this->ike_sa);
-                               
+
                                DBG2(DBG_IKE, "received request for a server reflexive endpoint "
                                                "sending: %#H", host);
-                               
-                               endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE, host, NULL);                                                              
+
+                               endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE, host, NULL);
                                message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
                                endpoint->destroy(endpoint);
                        }
-                       
+
                        /* FIXME: we actually must delete any existing IKE_SAs with the same remote id */
                        this->ike_sa->act_as_mediation_server(this->ike_sa);
-                       
+
                        DBG1(DBG_IKE, "established mediation connection successfully");
-                       
+
                        break;
                }
                case ME_CONNECT:
-               {       
+               {
                        if (this->invalid_syntax)
                        {
                                message->add_notify(message, TRUE, INVALID_SYNTAX, chunk_empty);
                                break;
                        }
-                       
+
                        ike_sa_id_t *peer_sa;
                        if (this->callback)
                        {
@@ -662,19 +662,19 @@ static status_t build_r_ms(private_ike_me_t *this, message_t *message)
                                peer_sa = charon->mediation_manager->check(charon->mediation_manager,
                                                this->peer_id);
                        }
-                       
+
                        if (!peer_sa)
                        {
                                /* the peer is not online */
                                message->add_notify(message, TRUE, ME_CONNECT_FAILED, chunk_empty);
                                break;
                        }
-                       
+
                        job_t *job = (job_t*)mediation_job_create(this->peer_id,
                                        this->ike_sa->get_other_id(this->ike_sa), this->connect_id,
                                        this->connect_key, this->remote_endpoints, this->response);
                        charon->processor->queue_job(charon->processor, job);
-                       
+
                        break;
                }
                default:
@@ -706,7 +706,7 @@ static void me_connect(private_ike_me_t *this, identification_t *peer_id)
 /**
  * Implementation of ike_me.respond
  */
-static void me_respond(private_ike_me_t *this, identification_t *peer_id, 
+static void me_respond(private_ike_me_t *this, identification_t *peer_id,
                chunk_t connect_id)
 {
        this->peer_id = peer_id->clone(peer_id);
@@ -732,10 +732,10 @@ static void relay(private_ike_me_t *this, identification_t *requester, chunk_t c
        this->peer_id = requester->clone(requester);
        this->connect_id = chunk_clone(connect_id);
        this->connect_key = chunk_clone(connect_key);
-       
+
        this->remote_endpoints->destroy_offset(this->remote_endpoints, offsetof(endpoint_notify_t, destroy));
        this->remote_endpoints = endpoints->clone_offset(endpoints, offsetof(endpoint_notify_t, clone));
-       
+
        this->response = response;
 }
 
@@ -761,13 +761,13 @@ static void migrate(private_ike_me_t *this, ike_sa_t *ike_sa)
 static void destroy(private_ike_me_t *this)
 {
        DESTROY_IF(this->peer_id);
-       
+
        chunk_free(&this->connect_id);
        chunk_free(&this->connect_key);
-       
+
        this->local_endpoints->destroy_offset(this->local_endpoints, offsetof(endpoint_notify_t, destroy));
        this->remote_endpoints->destroy_offset(this->remote_endpoints, offsetof(endpoint_notify_t, destroy));
-       
+
        DESTROY_IF(this->mediated_cfg);
        free(this);
 }
@@ -782,7 +782,7 @@ ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator)
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
        {
                if (initiator)
@@ -810,15 +810,15 @@ ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator)
                        this->public.task.process = (status_t(*)(task_t*,message_t*))process_r_ms;
                }
        }
-       
+
        this->public.connect = (void(*)(ike_me_t*,identification_t*))me_connect;
        this->public.respond = (void(*)(ike_me_t*,identification_t*,chunk_t))me_respond;
        this->public.callback = (void(*)(ike_me_t*,identification_t*))me_callback;
        this->public.relay = (void(*)(ike_me_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool))relay;
-       
+
        this->ike_sa = ike_sa;
        this->initiator = initiator;
-       
+
        this->peer_id = NULL;
        this->connect_id = chunk_empty;
        this->connect_key = chunk_empty;
@@ -829,8 +829,8 @@ ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator)
        this->callback = FALSE;
        this->failed = FALSE;
        this->invalid_syntax = FALSE;
-       
+
        this->mediated_cfg = NULL;
-       
+
        return &this->public;
 }
index 4b35c313cd61f90c9db16bd7e12ebe0d80c318b5..43ba655c761deda60ebad10c6551238cc81902df 100644 (file)
@@ -34,7 +34,7 @@ typedef struct ike_me_t ike_me_t;
  * connection, allows to initiate mediated connections using ME_CONNECT
  * exchanges and to request reflexive addresses from the mediation server using
  * ME_ENDPOINT notifies.
- * 
+ *
  * @note This task has to be activated before the IKE_AUTH task, because that
  * task generates the IKE_SA_INIT message so that no more payloads can be added
  * to it afterwards.
@@ -45,7 +45,7 @@ struct ike_me_t {
         * Implements the task_t interface
         */
        task_t task;
-       
+
        /**
         * Initiates a connection with another peer (i.e. sends a ME_CONNECT
         * to the mediation server)
@@ -53,28 +53,28 @@ struct ike_me_t {
         * @param peer_id                       ID of the other peer (gets cloned)
         */
        void (*connect)(ike_me_t *this, identification_t *peer_id);
-       
+
        /**
         * Responds to a ME_CONNECT from another peer (i.e. sends a ME_CONNECT
         * to the mediation server)
-        * 
+        *
         * @param peer_id                       ID of the other peer (gets cloned)
         * @param connect_id            the connect ID as provided by the initiator (gets cloned)
         */
        void (*respond)(ike_me_t *this, identification_t *peer_id, chunk_t connect_id);
-       
+
        /**
         * Sends a ME_CALLBACK to a peer that previously requested another peer.
-        * 
+        *
         * @param peer_id                       ID of the other peer (gets cloned)
         */
        void (*callback)(ike_me_t *this, identification_t *peer_id);
-       
+
        /**
         * Relays data to another peer (i.e. sends a ME_CONNECT to the peer)
-        * 
+        *
         * Data gets cloned.
-        * 
+        *
         * @param requester                     ID of the requesting peer
         * @param connect_id            content of the ME_CONNECTID notify
         * @param connect_key           content of the ME_CONNECTKEY notify
index 9a1afe744f410175064043aa488cb6d0b5d284e8..f93d48f6816eaedb2b4d787b20e8a10116c50ba3 100644 (file)
@@ -30,42 +30,42 @@ typedef struct private_ike_mobike_t private_ike_mobike_t;
  * Private members of a ike_mobike_t task.
  */
 struct private_ike_mobike_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_mobike_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * cookie2 value to verify new addresses
         */
        chunk_t cookie2;
-       
+
        /**
         * NAT discovery reusing the IKE_NATD task
         */
        ike_natd_t *natd;
-       
+
        /**
         * use task to update addresses
         */
        bool update;
-       
+
        /**
         * do routability check
         */
        bool check;
-       
+
        /**
         * include address list update
         */
@@ -79,7 +79,7 @@ static void flush_additional_addresses(private_ike_mobike_t *this)
 {
        iterator_t *iterator;
        host_t *host;
-       
+
        iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
        while (iterator->iterate(iterator, (void**)&host))
        {
@@ -98,7 +98,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
        enumerator_t *enumerator;
        payload_t *payload;
        bool first = TRUE;
-       
+
        enumerator = message->create_payload_enumerator(message);
        while (enumerator->enumerate(enumerator, &payload))
        {
@@ -106,7 +106,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
                notify_payload_t *notify;
                chunk_t data;
                host_t *host;
-               
+
                if (payload->get_type(payload) != NOTIFY)
                {
                        continue;
@@ -117,9 +117,9 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
                        case MOBIKE_SUPPORTED:
                        {
                                peer_cfg_t *peer_cfg;
-                               
+
                                peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-                               if (!this->initiator && 
+                               if (!this->initiator &&
                                        peer_cfg && !peer_cfg->use_mobike(peer_cfg))
                                {
                                        DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
@@ -191,7 +191,7 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
        host_t *host, *me;
        notify_type_t type;
        int added = 0;
-       
+
        me = this->ike_sa->get_my_host(this->ike_sa);
        enumerator = charon->kernel_interface->create_address_enumerator(
                                                                                charon->kernel_interface, FALSE, FALSE);
@@ -227,7 +227,7 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 }
 
 /**
- * build a cookie and add it to the message 
+ * build a cookie and add it to the message
  */
 static void build_cookie(private_ike_mobike_t *this, message_t *message)
 {
@@ -250,12 +250,12 @@ static void update_children(private_ike_mobike_t *this)
 {
        iterator_t *iterator;
        child_sa_t *child_sa;
-       
+
        iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
        while (iterator->iterate(iterator, (void**)&child_sa))
        {
                if (child_sa->update(child_sa,
-                               this->ike_sa->get_my_host(this->ike_sa), 
+                               this->ike_sa->get_my_host(this->ike_sa),
                                this->ike_sa->get_other_host(this->ike_sa),
                                this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
                                this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
@@ -276,7 +276,7 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
        host_t *me, *other, *me_old, *other_old;
        iterator_t *iterator;
        packet_t *copy;
-       
+
        if (!this->check)
        {
                return;
@@ -284,7 +284,7 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 
        me_old = this->ike_sa->get_my_host(this->ike_sa);
        other_old = this->ike_sa->get_other_host(this->ike_sa);
-       
+
        me = charon->kernel_interface->get_source_addr(
                                                                        charon->kernel_interface, other_old, NULL);
        if (me)
@@ -293,7 +293,7 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
                                         me_old->get_port(me_old) : IKEV2_NATT_PORT);
                packet->set_source(packet, me);
        }
-       
+
        iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
        while (iterator->iterate(iterator, (void**)&other))
        {
@@ -338,8 +338,8 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
        else if (message->get_exchange_type(message) == INFORMATIONAL)
        {
                host_t *old, *new;
-               
-               /* we check if the existing address is still valid */ 
+
+               /* we check if the existing address is still valid */
                old = message->get_source(message);
                new = charon->kernel_interface->get_source_addr(charon->kernel_interface,
                                                                                message->get_destination(message), old);
@@ -388,13 +388,13 @@ static status_t process_r(private_ike_mobike_t *this, message_t *message)
                if (this->update)
                {
                        host_t *me, *other;
-                       
+
                        me = message->get_destination(message);
                        other = message->get_source(message);
                        this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
                        this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
                }
-               
+
                if (this->natd)
                {
                        this->natd->task.process(&this->natd->task, message);
@@ -461,7 +461,7 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
                if (this->cookie2.ptr)
                {       /* check cookie if we included one */
                        chunk_t cookie2;
-                       
+
                        cookie2 = this->cookie2;
                        this->cookie2 = chunk_empty;
                        process_payloads(this, message);
@@ -496,17 +496,17 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
                if (this->check)
                {
                        host_t *me_new, *me_old, *other_new, *other_old;
-                       
+
                        me_new = message->get_destination(message);
                        other_new = message->get_source(message);
                        me_old = this->ike_sa->get_my_host(this->ike_sa);
                        other_old = this->ike_sa->get_other_host(this->ike_sa);
-                       
+
                        if (!me_new->equals(me_new, me_old))
                        {
                                this->update = TRUE;
                                this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
-                       }                       
+                       }
                        if (!other_new->equals(other_new, other_old))
                        {
                                this->update = TRUE;
@@ -538,7 +538,7 @@ static void roam(private_ike_mobike_t *this, bool address)
 {
        this->check = TRUE;
        this->address = address;
-       this->ike_sa->set_pending_updates(this->ike_sa, 
+       this->ike_sa->set_pending_updates(this->ike_sa,
                                                        this->ike_sa->get_pending_updates(this->ike_sa) + 1);
 }
 
@@ -552,7 +552,7 @@ static void dpd(private_ike_mobike_t *this)
                this->natd = ike_natd_create(this->ike_sa, this->initiator);
        }
        this->address = FALSE;
-       this->ike_sa->set_pending_updates(this->ike_sa, 
+       this->ike_sa->set_pending_updates(this->ike_sa,
                                                        this->ike_sa->get_pending_updates(this->ike_sa) + 1);
 }
 
@@ -612,7 +612,7 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        if (initiator)
        {
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -623,7 +623,7 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
        }
-       
+
        this->ike_sa = ike_sa;
        this->initiator = initiator;
        this->update = FALSE;
@@ -631,7 +631,7 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
        this->address = TRUE;
        this->cookie2 = chunk_empty;
        this->natd = NULL;
-       
+
        return &this->public;
 }
 
index 919b5ddd3bb62c21e59fc52bbf4f9b9d390ab8ce..7d6dd584079bf4f69e74ab193d8f197c5bc148e6 100644 (file)
@@ -35,7 +35,7 @@ typedef struct ike_mobike_t ike_mobike_t;
  * and IPsec tunnel addresses.
  * This tasks handles the MOBIKE_SUPPORTED notify exchange to detect MOBIKE
  * support, allows the exchange of ADDITIONAL_*_ADDRESS to exchange additional
- * endpoints and handles the UPDATE_SA_ADDRESS notify to finally update 
+ * endpoints and handles the UPDATE_SA_ADDRESS notify to finally update
  * endpoints.
  */
 struct ike_mobike_t {
@@ -44,36 +44,36 @@ struct ike_mobike_t {
         * Implements the task_t interface
         */
        task_t task;
-       
+
        /**
         * Use the task to roam to other addresses.
         *
         * @param address               TRUE to include address list update
         */
        void (*roam)(ike_mobike_t *this, bool address);
-       
+
        /**
         * Use the task for a DPD check which detects changes in NAT mappings.
         */
        void (*dpd)(ike_mobike_t *this);
-       
+
        /**
         * Transmision hook, called by task manager.
         *
-        * The task manager calls this hook whenever it transmits a packet. It 
+        * The task manager calls this hook whenever it transmits a packet. It
         * allows the mobike task to send the packet on multiple paths to do path
         * probing.
         *
         * @param packet                the packet to transmit
         */
        void (*transmit)(ike_mobike_t *this, packet_t *packet);
-       
+
        /**
         * Check if this task is probing for routability.
         *
         * @return                              TRUE if task is probing
         */
-       bool (*is_probing)(ike_mobike_t *this); 
+       bool (*is_probing)(ike_mobike_t *this);
 };
 
 /**
index f3a70c7424e11db2b32e5486437e7a1b976b056b..9121fe2ea1524465cc36024de7a8b64e8d03dd50 100644 (file)
@@ -30,47 +30,47 @@ typedef struct private_ike_natd_t private_ike_natd_t;
  * Private members of a ike_natd_t task.
  */
 struct private_ike_natd_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_natd_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * Hasher used to build NAT detection hashes
         */
        hasher_t *hasher;
-       
+
        /**
         * Did we process any NAT detection notifys for a source address?
         */
        bool src_seen;
-       
+
        /**
         * Did we process any NAT detection notifys for a destination address?
         */
        bool dst_seen;
-       
+
        /**
         * Have we found a matching source address NAT hash?
         */
        bool src_matched;
-       
+
        /**
         * Have we found a matching destination address NAT hash?
         */
        bool dst_matched;
-       
+
        /**
         * whether NAT mappings for our NATed address has changed
         */
@@ -88,7 +88,7 @@ static chunk_t generate_natd_hash(private_ike_natd_t *this,
        chunk_t natd_hash;
        u_int64_t spi_i, spi_r;
        u_int16_t port;
-       
+
        /* prepare all required chunks */
        spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
        spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
@@ -100,13 +100,13 @@ static chunk_t generate_natd_hash(private_ike_natd_t *this,
        port_chunk.ptr = (void*)&port;
        port_chunk.len = sizeof(port);
        addr_chunk = host->get_address(host);
-               
+
        /*  natd_hash = SHA1( spi_i | spi_r | address | port ) */
        natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
        this->hasher->allocate_hash(this->hasher, natd_chunk, &natd_hash);
        DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
        DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
-       
+
        chunk_free(&natd_chunk);
        return natd_hash;
 }
@@ -118,7 +118,7 @@ static chunk_t generate_natd_hash_faked(private_ike_natd_t *this)
 {
        rng_t *rng;
        chunk_t chunk;
-       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
        if (!rng)
        {
@@ -140,7 +140,7 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
        notify_payload_t *notify;
        ike_sa_id_t *ike_sa_id;
        ike_cfg_t *config;
-       
+
        ike_sa_id = this->ike_sa->get_id(this->ike_sa);
        config = this->ike_sa->get_ike_cfg(this->ike_sa);
        if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
@@ -155,7 +155,7 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
        notify->set_notify_type(notify, type);
        notify->set_notification_data(notify, hash);
        chunk_free(&hash);
-       
+
        return notify;
 }
 
@@ -171,17 +171,17 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
        ike_sa_id_t *ike_sa_id;
        host_t *me, *other;
        ike_cfg_t *config;
-       
+
        /* Precompute NAT-D hashes for incoming NAT notify comparison */
        ike_sa_id = message->get_ike_sa_id(message);
        me = message->get_destination(message);
        other = message->get_source(message);
        dst_hash = generate_natd_hash(this, ike_sa_id, me);
        src_hash = generate_natd_hash(this, ike_sa_id, other);
-       
+
        DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
        DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
-       
+
        enumerator = message->create_payload_enumerator(message);
        while (enumerator->enumerate(enumerator, &payload))
        {
@@ -234,10 +234,10 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
                }
        }
        enumerator->destroy(enumerator);
-       
+
        chunk_free(&src_hash);
        chunk_free(&dst_hash);
-       
+
        if (this->src_seen && this->dst_seen)
        {
                this->ike_sa->enable_extension(this->ike_sa, EXT_NATT);
@@ -261,7 +261,7 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 static status_t process_i(private_ike_natd_t *this, message_t *message)
 {
        process_payloads(this, message);
-       
+
        if (message->get_exchange_type(message) == IKE_SA_INIT)
        {
                peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
@@ -275,7 +275,7 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
                        return SUCCESS;
                }
 #endif /* ME */
-               
+
                if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
 #ifdef ME
                        /* if we are on a mediation connection we switch to port 4500 even
@@ -288,7 +288,7 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
                         this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
                {
                        host_t *me, *other;
-               
+
                        /* do not switch if we have a custom port from mobike/NAT */
                        me = this->ike_sa->get_my_host(this->ike_sa);
                        if (me->get_port(me) == IKEV2_UDP_PORT)
@@ -302,7 +302,7 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
                        }
                }
        }
-       
+
        return SUCCESS;
 }
 
@@ -314,18 +314,18 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
        notify_payload_t *notify;
        enumerator_t *enumerator;
        host_t *host;
-       
+
        if (this->hasher == NULL)
        {
                DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
                return NEED_MORE;
        }
-       
+
        /* destination is always set */
        host = message->get_destination(message);
        notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
        message->add_payload(message, (payload_t*)notify);
-       
+
        /* source may be any, we have 3 possibilities to get our source address:
         * 1. It is defined in the config => use the one of the IKE_SA
         * 2. We do a routing lookup in the kernel interface
@@ -374,7 +374,7 @@ static status_t build_r(private_ike_natd_t *this, message_t *message)
 {
        notify_payload_t *notify;
        host_t *me, *other;
-       
+
        /* only add notifies on successfull responses. */
        if (message->get_exchange_type(message) == IKE_SA_INIT &&
                message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
@@ -389,12 +389,12 @@ static status_t build_r(private_ike_natd_t *this, message_t *message)
                        DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
                        return SUCCESS;
                }
-       
+
                /* initiator seems to support NAT detection, add response */
                me = message->get_source(message);
                notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, me);
                message->add_payload(message, (payload_t*)notify);
-               
+
                other = message->get_destination(message);
                notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, other);
                message->add_payload(message, (payload_t*)notify);
@@ -408,7 +408,7 @@ static status_t build_r(private_ike_natd_t *this, message_t *message)
 static status_t process_r(private_ike_natd_t *this, message_t *message)
 {
        process_payloads(this, message);
-       
+
        return NEED_MORE;
 }
 
@@ -460,7 +460,7 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
        this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
        this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
        this->public.task.destroy = (void(*)(task_t*))destroy;
-       
+
        if (initiator)
        {
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -471,9 +471,9 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
        }
-       
+
        this->public.has_mapping_changed = (bool(*)(ike_natd_t*))has_mapping_changed;
-       
+
        this->ike_sa = ike_sa;
        this->initiator = initiator;
        this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
@@ -482,6 +482,6 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
        this->src_matched = FALSE;
        this->dst_matched = FALSE;
        this->mapping_changed = FALSE;
-       
+
        return &this->public;
 }
index 69839484295c8479106f84c1f00b59debe2f4c45..97b652eada449ecbd482fcf48f9a7a4c0d8c3c7d 100644 (file)
@@ -36,7 +36,7 @@ struct ike_natd_t {
         * Implements the task_t interface
         */
        task_t task;
-       
+
        /**
         * Check if the NAT mapping has changed for our address.
         *
index 3d8b7e2564979d0dc9973c2baa5629f125db44f8..ac89c358b9e3401f41d5770d00d2d9d426b499ea 100644 (file)
@@ -25,17 +25,17 @@ typedef struct private_ike_reauth_t private_ike_reauth_t;
  * Private members of a ike_reauth_t task.
  */
 struct private_ike_reauth_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_reauth_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * reused ike_delete task
         */
@@ -60,12 +60,12 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
        iterator_t *iterator;
        child_sa_t *child_sa;
        peer_cfg_t *peer_cfg;
-       
+
        /* process delete response first */
        this->ike_delete->task.process(&this->ike_delete->task, message);
 
        peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-       
+
        /* reauthenticate only if we have children */
        iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
        if (iterator->get_count(iterator) == 0
@@ -79,9 +79,9 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
                iterator->destroy(iterator);
                return FAILED;
        }
-       
+
        new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
-       
+
        new->set_peer_cfg(new, peer_cfg);
        host = this->ike_sa->get_other_host(this->ike_sa);
        new->set_other_host(new, host->clone(host));
@@ -93,7 +93,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
        {
                new->set_virtual_ip(new, TRUE, host);
        }
-       
+
 #ifdef ME
        /* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
        if (peer_cfg->is_mediation(peer_cfg))
@@ -109,7 +109,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
                }
        }
 #endif /* ME */
-       
+
        while (iterator->iterate(iterator, (void**)&child_sa))
        {
                switch (child_sa->get_state(child_sa))
@@ -144,7 +144,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
        charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
        /* set threads active IKE_SA after checkin */
        charon->bus->set_sa(charon->bus, this->ike_sa);
-       
+
        /* we always return failed to delete the obsolete IKE_SA */
        return FAILED;
 }
@@ -187,10 +187,10 @@ ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa)
        this->public.task.destroy = (void(*)(task_t*))destroy;
        this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
        this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
-       
+
        this->ike_sa = ike_sa;
        this->ike_delete = ike_delete_create(ike_sa, TRUE);
-       
+
        return &this->public;
 }
 
index e9f5d5f879c3330b5a3bf9fe845dacd2a7bd576d..2b5892af7b903e38ad6a47869cff463b1456df16 100644 (file)
@@ -30,37 +30,37 @@ typedef struct private_ike_rekey_t private_ike_rekey_t;
  * Private members of a ike_rekey_t task.
  */
 struct private_ike_rekey_t {
-       
+
        /**
         * Public methods and task_t interface.
         */
        ike_rekey_t public;
-       
+
        /**
         * Assigned IKE_SA.
         */
        ike_sa_t *ike_sa;
-       
+
        /**
         * New IKE_SA which replaces the current one
         */
        ike_sa_t *new_sa;
-       
+
        /**
         * Are we the initiator?
         */
        bool initiator;
-       
+
        /**
         * the IKE_INIT task which is reused to simplify rekeying
         */
        ike_init_t *ike_init;
-       
+
        /**
         * IKE_DELETE task to delete the old IKE_SA after rekeying was successful
         */
        ike_delete_t *ike_delete;
-       
+
        /**
         * colliding task detected by the task manager
         */
@@ -74,7 +74,7 @@ static status_t build_i_delete(private_ike_rekey_t *this, message_t *message)
 {
        /* update exchange type to INFORMATIONAL for the delete */
        message->set_exchange_type(message, INFORMATIONAL);
-       
+
        return this->ike_delete->task.build(&this->ike_delete->task, message);
 }
 
@@ -93,13 +93,13 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message)
 {
        peer_cfg_t *peer_cfg;
        host_t *other_host;
-       
+
        /* create new SA only on first try */
        if (this->new_sa == NULL)
        {
                this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
                                                                                                                        TRUE);
-               
+
                peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
                other_host = this->ike_sa->get_other_host(this->ike_sa);
                this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
@@ -120,7 +120,7 @@ static status_t process_r(private_ike_rekey_t *this, message_t *message)
        peer_cfg_t *peer_cfg;
        iterator_t *iterator;
        child_sa_t *child_sa;
-       
+
        if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
        {
                DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting");
@@ -144,15 +144,15 @@ static status_t process_r(private_ike_rekey_t *this, message_t *message)
                }
        }
        iterator->destroy(iterator);
-       
+
        this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
                                                                                                                FALSE);
-       
+
        peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
        this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
        this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
        this->ike_init->task.process(&this->ike_init->task, message);
-       
+
        return NEED_MORE;
 }
 
@@ -167,12 +167,12 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
                message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
                return SUCCESS;
        }
-       
+
        if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
        {
                return SUCCESS;
        }
-       
+
        this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
        this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
        DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
@@ -182,7 +182,7 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
                 this->ike_sa->get_my_id(this->ike_sa),
                 this->ike_sa->get_other_host(this->ike_sa),
                 this->ike_sa->get_other_id(this->ike_sa));
-       
+
        return SUCCESS;
 }
 
@@ -201,7 +201,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
                                                        this->ike_sa->get_id(this->ike_sa), TRUE));
                return SUCCESS;
        }
-       
+
        switch (this->ike_init->task.process(&this->ike_init->task, message))
        {
                case FAILED:
@@ -227,7 +227,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
                default:
                        break;
        }
-       
+
        this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
        DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                 this->new_sa->get_name(this->new_sa),
@@ -236,7 +236,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
                 this->ike_sa->get_my_id(this->ike_sa),
                 this->ike_sa->get_other_host(this->ike_sa),
                 this->ike_sa->get_other_id(this->ike_sa));
-       
+
        /* check for collisions */
        if (this->collision &&
                this->collision->get_type(this->collision) == IKE_REKEY)
@@ -244,13 +244,13 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
                chunk_t this_nonce, other_nonce;
                host_t *host;
                private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;
-               
+
                this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
                other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
-               
+
                /* if we have the lower nonce, delete rekeyed SA. If not, delete
                 * the redundant. */
-               if (memcmp(this_nonce.ptr, other_nonce.ptr, 
+               if (memcmp(this_nonce.ptr, other_nonce.ptr,
                                   min(this_nonce.len, other_nonce.len)) < 0)
                {
                        /* peer should delete this SA. Add a timeout just in case. */
@@ -290,12 +290,12 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
                /* set threads active IKE_SA after checkin */
                charon->bus->set_sa(charon->bus, this->ike_sa);
        }
-       
+
        /* rekeying successful, delete the IKE_SA using a subtask */
        this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
        this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
        this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
-       
+
        return NEED_MORE;
 }
 
@@ -334,7 +334,7 @@ static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
                charon->bus->set_sa(charon->bus, this->ike_sa);
        }
        DESTROY_IF(this->collision);
-       
+
        this->collision = NULL;
        this->ike_sa = ike_sa;
        this->new_sa = NULL;
@@ -397,13 +397,13 @@ ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
                this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
                this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
        }
-       
+
        this->ike_sa = ike_sa;
        this->new_sa = NULL;
        this->ike_init = NULL;
        this->ike_delete = NULL;
        this->initiator = initiator;
        this->collision = NULL;
-       
+
        return &this->public;
 }
index 6748279ab53658650438271fc1979a50e44a30da..b9c02220d31bb4e864d0eabc837c20efc7a4ff7e 100644 (file)
@@ -36,7 +36,7 @@ struct ike_rekey_t {
         * Implements the task_t interface
         */
        task_t task;
-       
+
        /**
         * Register a rekeying task which collides with this one.
         *
index 0e0af072fdb70e3bf8a714175fc88eeada5697dc..b53b2cc1faadec0dbd2474f9a11d2802673adf50 100644 (file)
@@ -123,7 +123,7 @@ struct task_t {
         * Get the type of the task implementation.
         */
        task_type_t (*get_type) (task_t *this);
-       
+
        /**
         * Migrate a task to a new IKE_SA.
         *
@@ -138,7 +138,7 @@ struct task_t {
         * @param ike_sa                new IKE_SA this task works for
         */
        void (*migrate) (task_t *this, ike_sa_t *ike_sa);
-       
+
        /**
         * Destroys a task_t object.
         */
index 570335eb407fb09074d395a269d0e34675477bac..c9090250db513b13164b604b8905f763ddc1567c 100644 (file)
@@ -27,12 +27,12 @@ typedef struct trap_listener_t trap_listener_t;
  * listener to track acquires
  */
 struct trap_listener_t {
-       
+
        /**
         * Implements listener interface
         */
        listener_t listener;
-       
+
        /**
         * points to trap_manager
         */
@@ -43,22 +43,22 @@ struct trap_listener_t {
  * Private data of an trap_manager_t object.
  */
 struct private_trap_manager_t {
-       
+
        /**
         * Public trap_manager_t interface.
         */
        trap_manager_t public;
-       
+
        /**
         * Installed traps, as entry_t
         */
        linked_list_t *traps;
-       
+
        /**
         * read write lock for traps list
         */
        rwlock_t *lock;
-       
+
        /**
         * listener to track acquiring IKE_SAs
         */
@@ -102,7 +102,7 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
        bool found = FALSE;
        status_t status;
        u_int32_t reqid;
-       
+
        /* check if not already done */
        this->lock->read_lock(this->lock);
        enumerator = this->traps->create_enumerator(this->traps);
@@ -123,10 +123,10 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
                         child->get_name(child));
                return 0;
        }
-       
+
        /* try to resolve addresses */
        ike_cfg = peer->get_ike_cfg(peer);
-       other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), 
+       other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg),
                                                                 0, IKEV2_UDP_PORT);
        if (!other)
        {
@@ -148,14 +148,14 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
                }
                me->set_port(me, IKEV2_UDP_PORT);
        }
-       
+
        /* create and route CHILD_SA */
        child_sa = child_sa_create(me, other, child, 0, FALSE);
        my_ts = child->get_traffic_selectors(child, TRUE, NULL, me);
        other_ts = child->get_traffic_selectors(child, FALSE, NULL, other);
        me->destroy(me);
        other->destroy(other);
-       
+
        /* while we don't know the finally negotiated protocol (ESP|AH), we
         * could iterate all proposals for a best guest (TODO). But as we
         * support ESP only for now, we set here. */
@@ -170,17 +170,17 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
                DBG1(DBG_CFG, "installing trap failed");
                return 0;
        }
-       
+
        reqid = child_sa->get_reqid(child_sa);
        entry = malloc_thing(entry_t);
        entry->child_sa = child_sa;
        entry->peer_cfg = peer->get_ref(peer);
        entry->pending = NULL;
-       
+
        this->lock->write_lock(this->lock);
        this->traps->insert_last(this->traps, entry);
        this->lock->unlock(this->lock);
-       
+
        return reqid;
 }
 
@@ -191,7 +191,7 @@ static bool uninstall(private_trap_manager_t *this, u_int32_t reqid)
 {
        enumerator_t *enumerator;
        entry_t *entry, *found = NULL;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->traps->create_enumerator(this->traps);
        while (enumerator->enumerate(enumerator, &entry))
@@ -205,13 +205,13 @@ static bool uninstall(private_trap_manager_t *this, u_int32_t reqid)
        }
        enumerator->destroy(enumerator);
        this->lock->unlock(this->lock);
-       
+
        if (!found)
        {
                DBG1(DBG_CFG, "trap %d not found to uninstall", reqid);
                return FALSE;
        }
-       
+
        destroy_entry(found);
        return TRUE;
 }
@@ -255,7 +255,7 @@ static void acquire(private_trap_manager_t *this, u_int32_t reqid,
        peer_cfg_t *peer;
        child_cfg_t *child;
        ike_sa_t *ike_sa;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->traps->create_enumerator(this->traps);
        while (enumerator->enumerate(enumerator, &entry))
@@ -267,7 +267,7 @@ static void acquire(private_trap_manager_t *this, u_int32_t reqid,
                }
        }
        enumerator->destroy(enumerator);
-       
+
        if (!found)
        {
                DBG1(DBG_CFG, "trap not found, unable to acquire reqid %d",reqid);
@@ -311,7 +311,7 @@ static bool ike_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
        private_trap_manager_t *this;
        enumerator_t *enumerator;
        entry_t *entry;
-       
+
        switch (state)
        {
                case IKE_ESTABLISHED:
@@ -320,7 +320,7 @@ static bool ike_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
                default:
                        return TRUE;
        }
-       
+
        this = listener->traps;
        this->lock->read_lock(this->lock);
        enumerator = this->traps->create_enumerator(this->traps);
@@ -354,22 +354,22 @@ static void destroy(private_trap_manager_t *this)
 trap_manager_t *trap_manager_create()
 {
        private_trap_manager_t *this = malloc_thing(private_trap_manager_t);
-       
+
        this->public.install = (u_int(*)(trap_manager_t*, peer_cfg_t *peer, child_cfg_t *child))install;
        this->public.uninstall = (bool(*)(trap_manager_t*, u_int32_t id))uninstall;
        this->public.create_enumerator = (enumerator_t*(*)(trap_manager_t*))create_enumerator;
        this->public.acquire = (void(*)(trap_manager_t*, u_int32_t reqid, traffic_selector_t *src, traffic_selector_t *dst))acquire;
        this->public.destroy = (void(*)(trap_manager_t*))destroy;
-       
+
        this->traps = linked_list_create();
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-       
+
        /* register listener for IKE state changes */
        this->listener.traps = this;
        memset(&this->listener.listener, 0, sizeof(listener_t));
        this->listener.listener.ike_state_change = (void*)ike_state_change;
        charon->bus->add_listener(charon->bus, &this->listener.listener);
-       
+
        return &this->public;
 }
 
index cb6907cdc5d16674bb122562ebc5019851657906..9a39229e6267cea81dd10fe34d77220ffbfcd364 100644 (file)
@@ -31,7 +31,7 @@ typedef struct trap_manager_t trap_manager_t;
  * Manage policies to create SAs from traffic.
  */
 struct trap_manager_t {
-       
+
        /**
         * Install a policy as a trap.
         *
@@ -41,7 +41,7 @@ struct trap_manager_t {
         */
        u_int32_t (*install)(trap_manager_t *this, peer_cfg_t *peer,
                                                 child_cfg_t *child);
-       
+
        /**
         * Uninstall a trap policy.
         *
@@ -49,14 +49,14 @@ struct trap_manager_t {
         * @return                      TRUE if uninstalled successfully
         */
        bool (*uninstall)(trap_manager_t *this, u_int32_t reqid);
-       
+
        /**
         * Create an enumerator over all installed traps.
         *
         * @return                      enumerator over (peer_cfg_t, child_sa_t)
         */
        enumerator_t* (*create_enumerator)(trap_manager_t *this);
-       
+
        /**
         * Acquire an SA triggered by an installed trap.
         *
@@ -66,7 +66,7 @@ struct trap_manager_t {
         */
        void (*acquire)(trap_manager_t *this, u_int32_t reqid,
                                        traffic_selector_t *src, traffic_selector_t *dst);
-       
+
        /**
         * Destroy a trap_manager_t.
         */
index ff20fe3693a397d34bb0519eb9f136432d29413c..54f4539ff895edc51fb1caf3ddccf21d196026e1 100644 (file)
@@ -28,14 +28,14 @@ int main(int argc, char* argv[])
 {
        int i;
        integrity_checker_t *integrity;
-       
+
        /* avoid confusing leak reports in build process */
        setenv("LEAK_DETECTIVE_DISABLE", "1", 0);
        library_init(NULL);
        atexit(library_deinit);
-       
+
        integrity = integrity_checker_create(NULL);
-       
+
        printf("/**\n");
        printf(" * checksums of files and loaded code segments.\n");
        printf(" * created by %s\n", argv[0]);
@@ -55,7 +55,7 @@ int main(int argc, char* argv[])
                size_t ssize = 0;
 
                path = argv[i];
-               
+
                if ((name = strstr(path, "libstrongswan-")))
                {
                        name = strdup(name + strlen("libstrongswan-"));
@@ -98,7 +98,7 @@ int main(int argc, char* argv[])
                        fprintf(stderr, "don't know how to handle '%s', ignored", path);
                        continue;
                }
-               
+
                fsum = integrity->build_file(integrity, path, &fsize);
                ssum = 0;
                if (sname)
@@ -124,7 +124,7 @@ int main(int argc, char* argv[])
                }
                printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n",
                           name, fsize, fsum, ssize, ssum);
-               fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n", 
+               fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n",
                                name, fsize, fsum, ssize, ssum);
                free(name);
        }
@@ -133,7 +133,7 @@ int main(int argc, char* argv[])
        printf("int checksum_count = countof(checksums);\n");
        printf("\n");
        integrity->destroy(integrity);
-       
+
        exit(0);
 }
 
index 209e54fc1bc0f5224cd24ebc4b85c95439878ad8..592fecefd0177f6f6fe2f1456c5e11bca3a35b82 100644 (file)
@@ -36,7 +36,7 @@ struct private_bridge_t {
  * defined in iface.c
  */
 bool iface_control(char *name, bool up);
-       
+
 /**
  * Implementation of bridge_t.get_name.
  */
@@ -149,7 +149,7 @@ static void destroy(private_bridge_t *this)
 bridge_t *bridge_create(char *name)
 {
        private_bridge_t *this;
-       
+
        if (instances == 0)
        {
                if (br_init() != 0)
@@ -158,7 +158,7 @@ bridge_t *bridge_create(char *name)
                        return NULL;
                }
        }
-       
+
        this = malloc_thing(private_bridge_t);
        this->public.get_name = (char*(*)(bridge_t*))get_name;
        this->public.create_iface_enumerator = (enumerator_t*(*)(bridge_t*))create_iface_enumerator;
index 37b22a03e5097f83e607a04a5bf50bfee921047b..c557de994bbdd264d839b2d9bb9bf18d3ab0e9f1 100644 (file)
@@ -27,14 +27,14 @@ typedef struct bridge_t bridge_t;
  * Interface in a guest, connected to a tap device on the host.
  */
 struct bridge_t {
-       
+
        /**
         * Get the name of the bridge.
         *
         * @return                      name of the bridge
         */
        char* (*get_name)(bridge_t *this);
-       
+
        /**
         * Add an interface to a bridge.
         *
@@ -42,7 +42,7 @@ struct bridge_t {
         * @return                      TRUE if interface added
         */
        bool (*connect_iface)(bridge_t *this, iface_t *iface);
-       
+
        /**
         * Remove an interface from a bridge.
         *
@@ -50,14 +50,14 @@ struct bridge_t {
         * @return                      TRUE if interface removed
         */
        bool (*disconnect_iface)(bridge_t *this, iface_t *iface);
-       
+
        /**
         * Create an enumerator over all interfaces.
         *
         * @return                      enumerator over iface_t's
         */
-       enumerator_t* (*create_iface_enumerator)(bridge_t *this);       
-       
+       enumerator_t* (*create_iface_enumerator)(bridge_t *this);
+
        /**
         * Destroy a bridge
         */
index 69f008976d2ab66487f8997ee2012dbae80f15dc..0e83b77b165994b6a36696cc1a075a7d4ba95f6d 100644 (file)
@@ -96,7 +96,7 @@ static void rel(const char **path)
 static int get_rd(const char *path)
 {
        private_cowfs_t *this = get_this();
-       
+
        if (this->over_fd > 0 && faccessat(this->over_fd, path, F_OK, 0) == 0)
        {
                return this->over_fd;
@@ -130,7 +130,7 @@ static bool clone_path(int rd, int wr, const char *path)
        struct stat st;
        full = strdupa(path);
        pos = full;
-       
+
        while ((pos = strchr(pos, '/')))
        {
                *pos = '\0';
@@ -162,10 +162,10 @@ static int copy(const char *path)
        int rd, wr;
        int from, to;
        struct stat st;
-       
+
        rd = get_rd(path);
        wr = get_wr(path);
-       
+
        if (rd == wr)
        {
                /* already writeable */
@@ -223,7 +223,7 @@ static int copy(const char *path)
 static int cowfs_getattr(const char *path, struct stat *stbuf)
 {
        rel(&path);
-       
+
        if (fstatat(get_rd(path), path, stbuf, AT_SYMLINK_NOFOLLOW) < 0)
        {
                return -errno;
@@ -237,7 +237,7 @@ static int cowfs_getattr(const char *path, struct stat *stbuf)
 static int cowfs_access(const char *path, int mask)
 {
        rel(&path);
-       
+
        if (faccessat(get_rd(path), path, mask, 0) < 0)
        {
                return -errno;
@@ -251,9 +251,9 @@ static int cowfs_access(const char *path, int mask)
 static int cowfs_readlink(const char *path, char *buf, size_t size)
 {
        int res;
-       
+
        rel(&path);
-       
+
        res = readlinkat(get_rd(path), path, buf, size - 1);
        if (res < 0)
        {
@@ -269,16 +269,16 @@ static int cowfs_readlink(const char *path, char *buf, size_t size)
 static DIR* get_dir(char *dir, const char *subdir)
 {
        char *full;
-       
+
        if (dir == NULL)
        {
                return NULL;
        }
-       
+
        full = alloca(strlen(dir) + strlen(subdir) + 1);
        strcpy(full, dir);
        strcat(full, subdir);
-       
+
        return opendir(full);
 }
 
@@ -290,7 +290,7 @@ static bool contains_dir(DIR *d, char *dirname)
        if (d)
        {
                struct dirent *ent;
-               
+
                rewinddir(d);
                while ((ent = readdir(d)))
                {
@@ -313,13 +313,13 @@ static int cowfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
        DIR *d1, *d2, *d3;
        struct stat st;
        struct dirent *ent;
-       
+
        memset(&st, 0, sizeof(st));
-       
+
        d1 = get_dir(this->master, path);
        d2 = get_dir(this->host, path);
        d3 = get_dir(this->over, path);
-       
+
        if (d1)
        {
                while ((ent = readdir(d1)))
@@ -369,13 +369,13 @@ static int cowfs_mknod(const char *path, mode_t mode, dev_t rdev)
 {
        int fd;
        rel(&path);
-       
+
        fd = get_wr(path);
        if (!clone_path(get_rd(path), fd, path))
        {
                return -errno;
        }
-       
+
        if (mknodat(fd, path, mode, rdev) < 0)
        {
                return -errno;
@@ -390,7 +390,7 @@ static int cowfs_mkdir(const char *path, mode_t mode)
 {
        int fd;
        rel(&path);
-       
+
        fd = get_wr(path);
        if (!clone_path(get_rd(path), fd, path))
        {
@@ -409,7 +409,7 @@ static int cowfs_mkdir(const char *path, mode_t mode)
 static int cowfs_unlink(const char *path)
 {
        rel(&path);
-       
+
        /* TODO: whiteout master */
        if (unlinkat(get_wr(path), path, 0) < 0)
        {
@@ -424,7 +424,7 @@ static int cowfs_unlink(const char *path)
 static int cowfs_rmdir(const char *path)
 {
        rel(&path);
-       
+
        /* TODO: whiteout master */
        if (unlinkat(get_wr(path), path, AT_REMOVEDIR) < 0)
        {
@@ -440,10 +440,10 @@ static int cowfs_symlink(const char *from, const char *to)
 {
        int fd;
        const char *fromrel = from;
-       
+
        rel(&to);
        rel(&fromrel);
-       
+
        fd = get_wr(to);
        if (!clone_path(get_rd(fromrel), fd, fromrel))
        {
@@ -462,10 +462,10 @@ static int cowfs_symlink(const char *from, const char *to)
 static int cowfs_rename(const char *from, const char *to)
 {
        int fd;
-       
+
        rel(&from);
        rel(&to);
-       
+
        fd = copy(from);
        if (fd < 0)
        {
@@ -484,13 +484,13 @@ static int cowfs_rename(const char *from, const char *to)
 static int cowfs_link(const char *from, const char *to)
 {
        int rd, wr;
-       
+
        rel(&from);
        rel(&to);
-       
+
        rd = get_rd(from);
        wr = get_wr(to);
-       
+
        if (!clone_path(rd, wr, to))
        {
                DBG1("cloning path '%s' failed", to);
@@ -511,7 +511,7 @@ static int cowfs_chmod(const char *path, mode_t mode)
 {
        int fd;
        struct stat st;
-       
+
        rel(&path);
        fd = get_rd(path);
        if (fstatat(fd, path, &st, 0) < 0)
@@ -541,7 +541,7 @@ static int cowfs_chown(const char *path, uid_t uid, gid_t gid)
 {
        int fd;
        struct stat st;
-       
+
        rel(&path);
        fd = get_rd(path);
        if (fstatat(fd, path, &st, 0) < 0)
@@ -571,7 +571,7 @@ static int cowfs_truncate(const char *path, off_t size)
 {
        int fd;
        struct stat st;
-       
+
        rel(&path);
        fd = get_rd(path);
        if (fstatat(fd, path, &st, 0) < 0)
@@ -608,19 +608,19 @@ static int cowfs_utimens(const char *path, const struct timespec ts[2])
 {
        struct timeval tv[2];
        int fd;
-       
+
        rel(&path);
        fd = copy(path);
        if (fd < 0)
        {
                return -errno;
        }
-       
+
        tv[0].tv_sec = ts[0].tv_sec;
        tv[0].tv_usec = ts[0].tv_nsec / 1000;
        tv[1].tv_sec = ts[1].tv_sec;
        tv[1].tv_usec = ts[1].tv_nsec / 1000;
-       
+
        if (futimesat(fd, path, tv) < 0)
        {
                return -errno;
@@ -634,10 +634,10 @@ static int cowfs_utimens(const char *path, const struct timespec ts[2])
 static int cowfs_open(const char *path, struct fuse_file_info *fi)
 {
        int fd;
-       
+
        rel(&path);
        fd = get_rd(path);
-       
+
        fd = openat(fd, path, fi->flags);
        if (fd < 0)
        {
@@ -654,17 +654,17 @@ static int cowfs_read(const char *path, char *buf, size_t size, off_t offset,
                                          struct fuse_file_info *fi)
 {
        int file, fd, res;
-       
+
        rel(&path);
-       
+
        fd = get_rd(path);
-       
+
        file = openat(fd, path, O_RDONLY);
        if (file < 0)
        {
                return -errno;
        }
-       
+
        res = pread(file, buf, size, offset);
        if (res < 0)
        {
@@ -681,9 +681,9 @@ static int cowfs_write(const char *path, const char *buf, size_t size,
                                           off_t offset, struct fuse_file_info *fi)
 {
        int file, fd, res;
-       
+
        rel(&path);
-       
+
        fd = copy(path);
        if (fd < 0)
        {
@@ -709,25 +709,25 @@ static int cowfs_write(const char *path, const char *buf, size_t size,
 static int cowfs_statfs(const char *path, struct statvfs *stbuf)
 {
        int fd;
-       
+
        fd = get_rd(path);
        if (fstatvfs(fd, stbuf) < 0)
        {
                return -errno;
        }
-       
+
        return 0;
 }
 
-/** 
+/**
  * FUSE init method
  */
 static void *cowfs_init(struct fuse_conn_info *conn)
 {
        struct fuse_context *ctx;
-       
+
        ctx = fuse_get_context();
-       
+
        return ctx->private_data;
 }
 
@@ -814,10 +814,10 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 {
        struct fuse_args args = {0, NULL, 0};
        private_cowfs_t *this = malloc_thing(private_cowfs_t);
-       
+
        this->public.set_overlay = (bool(*)(cowfs_t*, char *path))set_overlay;
        this->public.destroy = (void(*)(cowfs_t*))destroy;
-       
+
        this->master_fd = open(master, O_RDONLY | O_DIRECTORY);
        if (this->master_fd < 0)
        {
@@ -834,7 +834,7 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
                return NULL;
        }
        this->over_fd = -1;
-       
+
        this->chan = fuse_mount(mount, &args);
        if (this->chan == NULL)
        {
@@ -844,7 +844,7 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
                free(this);
                return NULL;
        }
-       
+
        this->fuse = fuse_new(this->chan, &args, &cowfs_operations,
                                                  sizeof(cowfs_operations), this);
        if (this->fuse == NULL)
@@ -856,12 +856,12 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
                free(this);
                return NULL;
        }
-       
+
        this->mount = strdup(mount);
        this->master = strdup(master);
        this->host = strdup(host);
        this->over = NULL;
-       
+
        if (pthread_create(&this->thread, NULL, (void*)fuse_loop, this->fuse) != 0)
        {
                DBG1("creating thread to handle FUSE failed");
@@ -874,7 +874,7 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
                free(this);
                return NULL;
        }
-       
+
        return &this->public;
 }
 
index bb589f158311cf58be283d3512379fd66d6f352c..d430597a81a5ae9230e51400480bc1986b56bfdb 100644 (file)
@@ -25,7 +25,7 @@ typedef struct cowfs_t cowfs_t;
  *
  */
 struct cowfs_t {
-       
+
        /**
         * Set an additional copy on write overlay.
         *
@@ -33,7 +33,7 @@ struct cowfs_t {
         * @return                      FALSE if failed
         */
        bool (*set_overlay)(cowfs_t *this, char *path);
-       
+
        /**
         * Stop, umount and destroy a cowfs FUSE filesystem.
         */
index 2cb1235e1f84d29521fd53c19506d8d2b226e5c4..0e8ab43f3da422cc5ab5f0b351e52d519d888eca 100644 (file)
@@ -52,11 +52,11 @@ struct private_dumm_t {
 /**
  * Implementation of dumm_t.create_guest.
  */
-static guest_t* create_guest(private_dumm_t *this, char *name, char *kernel, 
+static guest_t* create_guest(private_dumm_t *this, char *name, char *kernel,
                                                         char *master, char *args)
 {
        guest_t *guest;
-       
+
        guest = guest_create(this->guest_dir, name, kernel, master, args);
        if (guest)
        {
@@ -82,7 +82,7 @@ static void delete_guest(private_dumm_t *this, guest_t *guest)
        {
                char buf[512];
                int len;
-               
+
                len = snprintf(buf, sizeof(buf), "rm -Rf %s/%s",
                                           this->guest_dir, guest->get_name(guest));
                guest->destroy(guest);
@@ -99,7 +99,7 @@ static void delete_guest(private_dumm_t *this, guest_t *guest)
 static bridge_t* create_bridge(private_dumm_t *this, char *name)
 {
        bridge_t *bridge;
-       
+
        bridge = bridge_create(name);
        if (bridge)
        {
@@ -128,16 +128,16 @@ static void delete_bridge(private_dumm_t *this, bridge_t *bridge)
 }
 
 /**
- * disable the currently enabled template 
+ * disable the currently enabled template
  */
 static void clear_template(private_dumm_t *this)
 {
        enumerator_t *enumerator;
        guest_t *guest;
-       
+
        free(this->template);
        this->template = NULL;
-       
+
        enumerator = this->guests->create_enumerator(this->guests);
        while (enumerator->enumerate(enumerator, (void**)&guest))
        {
@@ -153,9 +153,9 @@ static bool load_template(private_dumm_t *this, char *dir)
 {
        enumerator_t *enumerator;
        guest_t *guest;
-       
+
        clear_template(this);
-       
+
        if (dir == NULL)
        {
                return TRUE;
@@ -165,7 +165,7 @@ static bool load_template(private_dumm_t *this, char *dir)
                DBG1("template directory string '%s' is too long", dir);
                return FALSE;
        }
-       
+
        if (asprintf(&this->template, "%s/%s", TEMPLATE_DIR, dir) < 0)
        {
                this->template = NULL;
@@ -210,7 +210,7 @@ static bool template_enumerate(template_enumerator_t *this, char **template)
 {
        struct stat st;
        char *rel;
-       
+
        while (this->inner->enumerate(this->inner, &rel, NULL, &st))
        {
                if (S_ISDIR(st.st_mode) && *rel != '.')
@@ -237,12 +237,12 @@ static void template_enumerator_destroy(template_enumerator_t *this)
 static enumerator_t* create_template_enumerator(private_dumm_t *this)
 {
        template_enumerator_t *enumerator;
-       
+
        enumerator = malloc_thing(template_enumerator_t);
        enumerator->public.enumerate = (void*)template_enumerate;
        enumerator->public.destroy = (void*)template_enumerator_destroy;
        enumerator->inner = enumerator_create_directory(TEMPLATE_DIR);
-       
+
        return &enumerator->public;
 }
 
@@ -253,16 +253,16 @@ static void destroy(private_dumm_t *this)
 {
        enumerator_t *enumerator;
        guest_t *guest;
-       
+
        this->bridges->destroy_offset(this->bridges, offsetof(bridge_t, destroy));
-       
+
        enumerator = this->guests->create_enumerator(this->guests);
        while (enumerator->enumerate(enumerator, (void**)&guest))
        {
                guest->stop(guest, NULL);
        }
        enumerator->destroy(enumerator);
-       
+
        while (this->guests->remove_last(this->guests, (void**)&guest) == SUCCESS)
        {
                guest->destroy(guest);
@@ -282,13 +282,13 @@ static void load_guests(private_dumm_t *this)
        DIR *dir;
        struct dirent *ent;
        guest_t *guest;
-       
+
        dir = opendir(this->guest_dir);
        if (dir == NULL)
        {
                return;
        }
-       
+
        while ((ent = readdir(dir)))
        {
                if (*ent->d_name == '.')
@@ -315,7 +315,7 @@ dumm_t *dumm_create(char *dir)
 {
        char cwd[PATH_MAX];
        private_dumm_t *this = malloc_thing(private_dumm_t);
-       
+
        this->public.create_guest = (guest_t*(*)(dumm_t*,char*,char*,char*,char*))create_guest;
        this->public.create_guest_enumerator = (enumerator_t*(*)(dumm_t*))create_guest_enumerator;
        this->public.delete_guest = (void(*)(dumm_t*,guest_t*))delete_guest;
@@ -325,7 +325,7 @@ dumm_t *dumm_create(char *dir)
        this->public.load_template = (bool(*)(dumm_t*, char *name))load_template;
        this->public.create_template_enumerator = (enumerator_t*(*)(dumm_t*))create_template_enumerator;
        this->public.destroy = (void(*)(dumm_t*))destroy;
-       
+
        if (dir && *dir == '/')
        {
                this->dir = strdup(dir);
@@ -356,7 +356,7 @@ dumm_t *dumm_create(char *dir)
        }
        this->guests = linked_list_create();
        this->bridges = linked_list_create();
-       
+
        if (this->dir == NULL || this->guest_dir == NULL ||
                (mkdir(this->guest_dir, PERME) < 0 && errno != EEXIST))
        {
@@ -364,7 +364,7 @@ dumm_t *dumm_create(char *dir)
                destroy(this);
                return NULL;
        }
-       
+
        load_guests(this);
        return &this->public;
 }
index 5f2e0542af96155ef660498a1e4dd8e8f88042b2..54c3fbc03869192018019a3b184d8cc6f462d9bc 100644 (file)
@@ -43,23 +43,23 @@ struct dumm_t {
         * @param args          additional args to pass to kernel
         * @return                      guest if started, NULL if failed
         */
-       guest_t* (*create_guest) (dumm_t *this, char *name, char *kernel, 
+       guest_t* (*create_guest) (dumm_t *this, char *name, char *kernel,
                                                          char *master, char *args);
-       
+
        /**
         * Create an enumerator over all guests.
         *
         * @return                      enumerator over guest_t's
         */
        enumerator_t* (*create_guest_enumerator) (dumm_t *this);
-       
+
        /**
         * Delete a guest from disk.
         *
         * @param guest         guest to destroy
         */
        void (*delete_guest) (dumm_t *this, guest_t *guest);
-       
+
        /**
         * Create a new bridge.
         *
@@ -67,21 +67,21 @@ struct dumm_t {
         * @return                      created bridge
         */
        bridge_t* (*create_bridge)(dumm_t *this, char *name);
-       
+
        /**
         * Create an enumerator over all bridges.
         *
         * @return                      enumerator over bridge_t's
         */
        enumerator_t* (*create_bridge_enumerator)(dumm_t *this);
-       
+
        /**
         * Delete a bridge.
         *
         * @param bridge        bridge to destroy
         */
        void (*delete_bridge) (dumm_t *this, bridge_t *bridge);
-       
+
        /**
         * Loads a template, create a new one if it does not exist.
         *
@@ -89,14 +89,14 @@ struct dumm_t {
         * @return                      FALSE if load/create failed
         */
        bool (*load_template)(dumm_t *this, char *dir);
-       
+
        /**
         * Create an enumerator over all available templates.
         *
         * @return                      enumerator over char*
         */
        enumerator_t* (*create_template_enumerator)(dumm_t *this);
-       
+
        /**
         * stop all guests and destroy the modeler
         */
index f7caf252d557136b2f8fa7fe860fd3c009f3f563..ed667ccc0206303c47738c03431a1a9a949953ca 100644 (file)
@@ -45,7 +45,7 @@ static VALUE rbc_template;
 static pid_t invoke(void *null, guest_t *guest, char *args[], int argc)
 {
        pid_t pid;
-       
+
        pid = fork();
        switch (pid)
        {
@@ -71,7 +71,7 @@ static void sigchld_handler(int signal, siginfo_t *info, void* ptr)
 {
        enumerator_t *enumerator;
        guest_t *guest;
-       
+
        enumerator = dumm->create_guest_enumerator(dumm);
        while (enumerator->enumerate(enumerator, &guest))
        {
@@ -91,7 +91,7 @@ static VALUE guest_find(VALUE class, VALUE key)
 {
        enumerator_t *enumerator;
        guest_t *guest, *found = NULL;
-       
+
        if (TYPE(key) == T_SYMBOL)
        {
                key = rb_convert_type(key, T_STRING, "String", "to_s");
@@ -128,7 +128,7 @@ static VALUE guest_each(int argc, VALUE *argv, VALUE class)
        linked_list_t *list;
        enumerator_t *enumerator;
        guest_t *guest;
-       
+
        if (!rb_block_given_p())
        {
                rb_raise(rb_eArgError, "must be called with a block");
@@ -152,7 +152,7 @@ static VALUE guest_new(VALUE class, VALUE name, VALUE kernel,
                                           VALUE master, VALUE args)
 {
        guest_t *guest;
-       
+
        guest = dumm->create_guest(dumm, StringValuePtr(name), StringValuePtr(kernel),
                                                           StringValuePtr(master), StringValuePtr(args));
        if (!guest)
@@ -165,7 +165,7 @@ static VALUE guest_new(VALUE class, VALUE name, VALUE kernel,
 static VALUE guest_to_s(VALUE self)
 {
        guest_t *guest;
-       
+
        Data_Get_Struct(self, guest_t, guest);
        return rb_str_new2(guest->get_name(guest));
 }
@@ -173,9 +173,9 @@ static VALUE guest_to_s(VALUE self)
 static VALUE guest_start(VALUE self)
 {
        guest_t *guest;
-       
+
        Data_Get_Struct(self, guest_t, guest);
-       
+
        if (!guest->start(guest, invoke, NULL, NULL))
        {
                rb_raise(rb_eRuntimeError, "starting guest failed");
@@ -186,7 +186,7 @@ static VALUE guest_start(VALUE self)
 static VALUE guest_stop(VALUE self)
 {
        guest_t *guest;
-       
+
        Data_Get_Struct(self, guest_t, guest);
        guest->stop(guest, NULL);
        return self;
@@ -195,7 +195,7 @@ static VALUE guest_stop(VALUE self)
 static VALUE guest_running(VALUE self)
 {
        guest_t *guest;
-       
+
        Data_Get_Struct(self, guest_t, guest);
        return guest->get_pid(guest) ? Qtrue : Qfalse;
 }
@@ -210,7 +210,7 @@ static VALUE guest_exec(VALUE self, VALUE cmd)
        guest_t *guest;
        bool block;
        int ret;
-       
+
        block = rb_block_given_p();
        Data_Get_Struct(self, guest_t, guest);
        if ((ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
@@ -226,7 +226,7 @@ static VALUE guest_mconsole(VALUE self, VALUE cmd)
        guest_t *guest;
        bool block;
        int ret;
-       
+
        block = rb_block_given_p();
        Data_Get_Struct(self, guest_t, guest);
        if ((ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
@@ -241,7 +241,7 @@ static VALUE guest_add_iface(VALUE self, VALUE name)
 {
        guest_t *guest;
        iface_t *iface;
-       
+
        Data_Get_Struct(self, guest_t, guest);
        iface = guest->create_iface(guest, StringValuePtr(name));
        if (!iface)
@@ -256,7 +256,7 @@ static VALUE guest_find_iface(VALUE self, VALUE key)
        enumerator_t *enumerator;
        iface_t *iface, *found = NULL;
        guest_t *guest;
-       
+
        if (TYPE(key) == T_SYMBOL)
        {
                key = rb_convert_type(key, T_STRING, "String", "to_s");
@@ -295,7 +295,7 @@ static VALUE guest_each_iface(int argc, VALUE *argv, VALUE self)
        linked_list_t *list;
        guest_t *guest;
        iface_t *iface;
-       
+
        if (!rb_block_given_p())
        {
                rb_raise(rb_eArgError, "must be called with a block");
@@ -319,7 +319,7 @@ static VALUE guest_each_iface(int argc, VALUE *argv, VALUE self)
 static VALUE guest_delete(VALUE self)
 {
        guest_t *guest;
-       
+
        Data_Get_Struct(self, guest_t, guest);
        if (guest->get_pid(guest))
        {
@@ -334,13 +334,13 @@ static void guest_init()
        rbc_guest = rb_define_class_under(rbm_dumm , "Guest", rb_cObject);
        rb_include_module(rb_class_of(rbc_guest), rb_mEnumerable);
        rb_include_module(rbc_guest, rb_mEnumerable);
-       
+
        rb_define_singleton_method(rbc_guest, "[]", guest_get, 1);
        rb_define_singleton_method(rbc_guest, "each", guest_each, -1);
        rb_define_singleton_method(rbc_guest, "new", guest_new, 4);
        rb_define_singleton_method(rbc_guest, "include?", guest_find, 1);
        rb_define_singleton_method(rbc_guest, "guest?", guest_find, 1);
-       
+
        rb_define_method(rbc_guest, "to_s", guest_to_s, 0);
        rb_define_method(rbc_guest, "start", guest_start, 0);
        rb_define_method(rbc_guest, "stop", guest_stop, 0);
@@ -362,7 +362,7 @@ static VALUE bridge_find(VALUE class, VALUE key)
 {
        enumerator_t *enumerator;
        bridge_t *bridge, *found = NULL;
-       
+
        if (TYPE(key) == T_SYMBOL)
        {
                key = rb_convert_type(key, T_STRING, "String", "to_s");
@@ -399,7 +399,7 @@ static VALUE bridge_each(int argc, VALUE *argv, VALUE class)
        enumerator_t *enumerator;
        linked_list_t *list;
        bridge_t *bridge;
-       
+
        if (!rb_block_given_p())
        {
                rb_raise(rb_eArgError, "must be called with a block");
@@ -423,7 +423,7 @@ static VALUE bridge_new(VALUE class, VALUE name)
 
 {
        bridge_t *bridge;
-       
+
        bridge = dumm->create_bridge(dumm, StringValuePtr(name));
        if (!bridge)
        {
@@ -435,7 +435,7 @@ static VALUE bridge_new(VALUE class, VALUE name)
 static VALUE bridge_to_s(VALUE self)
 {
        bridge_t *bridge;
-       
+
        Data_Get_Struct(self, bridge_t, bridge);
        return rb_str_new2(bridge->get_name(bridge));
 }
@@ -446,7 +446,7 @@ static VALUE bridge_each_iface(int argc, VALUE *argv, VALUE self)
        linked_list_t *list;
        bridge_t *bridge;
        iface_t *iface;
-       
+
        if (!rb_block_given_p())
        {
                rb_raise(rb_eArgError, "must be called with a block");
@@ -470,7 +470,7 @@ static VALUE bridge_each_iface(int argc, VALUE *argv, VALUE self)
 static VALUE bridge_delete(VALUE self)
 {
        bridge_t *bridge;
-       
+
        Data_Get_Struct(self, bridge_t, bridge);
        dumm->delete_bridge(dumm, bridge);
        return Qnil;
@@ -481,13 +481,13 @@ static void bridge_init()
        rbc_bridge = rb_define_class_under(rbm_dumm , "Bridge", rb_cObject);
        rb_include_module(rb_class_of(rbc_bridge), rb_mEnumerable);
        rb_include_module(rbc_bridge, rb_mEnumerable);
-       
+
        rb_define_singleton_method(rbc_bridge, "[]", bridge_get, 1);
        rb_define_singleton_method(rbc_bridge, "each", bridge_each, -1);
        rb_define_singleton_method(rbc_bridge, "new", bridge_new, 1);
        rb_define_singleton_method(rbc_bridge, "include?", bridge_find, 1);
        rb_define_singleton_method(rbc_bridge, "bridge?", bridge_find, 1);
-       
+
        rb_define_method(rbc_bridge, "to_s", bridge_to_s, 0);
        rb_define_method(rbc_bridge, "each", bridge_each_iface, -1);
        rb_define_method(rbc_bridge, "delete", bridge_delete, 0);
@@ -499,7 +499,7 @@ static void bridge_init()
 static VALUE iface_to_s(VALUE self)
 {
        iface_t *iface;
-       
+
        Data_Get_Struct(self, iface_t, iface);
        return rb_str_new2(iface->get_hostif(iface));
 }
@@ -508,7 +508,7 @@ static VALUE iface_connect(VALUE self, VALUE vbridge)
 {
        iface_t *iface;
        bridge_t *bridge;
-       
+
        Data_Get_Struct(self, iface_t, iface);
        Data_Get_Struct(vbridge, bridge_t, bridge);
        if (!bridge->connect_iface(bridge, iface))
@@ -522,7 +522,7 @@ static VALUE iface_disconnect(VALUE self)
 {
        iface_t *iface;
        bridge_t *bridge;
-       
+
        Data_Get_Struct(self, iface_t, iface);
        bridge = iface->get_bridge(iface);
        if (!bridge || !bridge->disconnect_iface(bridge, iface))
@@ -536,7 +536,7 @@ static VALUE iface_add_addr(VALUE self, VALUE name)
 {
        iface_t *iface;
        host_t *addr;
-       
+
        addr = host_create_from_string(StringValuePtr(name), 0);
        if (!addr)
        {
@@ -563,7 +563,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
        iface_t *iface;
        host_t *addr;
        char buf[64];
-       
+
        if (!rb_block_given_p())
        {
                rb_raise(rb_eArgError, "must be called with a block");
@@ -589,7 +589,7 @@ static VALUE iface_del_addr(VALUE self, VALUE vaddr)
 {
        iface_t *iface;
        host_t *addr;
-       
+
        addr = host_create_from_string(StringValuePtr(vaddr), 0);
        if (!addr)
        {
@@ -613,7 +613,7 @@ static VALUE iface_delete(VALUE self)
 {
        guest_t *guest;
        iface_t *iface;
-       
+
        Data_Get_Struct(self, iface_t, iface);
        guest = iface->get_guest(iface);
        guest->destroy_iface(guest, iface);
@@ -624,7 +624,7 @@ static void iface_init()
 {
        rbc_iface = rb_define_class_under(rbm_dumm , "Iface", rb_cObject);
        rb_include_module(rbc_iface, rb_mEnumerable);
-       
+
        rb_define_method(rbc_iface, "to_s", iface_to_s, 0);
        rb_define_method(rbc_iface, "connect", iface_connect, 1);
        rb_define_method(rbc_iface, "disconnect", iface_disconnect, 0);
@@ -656,7 +656,7 @@ static VALUE template_each(int argc, VALUE *argv, VALUE class)
 {
        enumerator_t *enumerator;
        char *template;
-       
+
        if (!rb_block_given_p())
        {
                rb_raise(rb_eArgError, "must be called with a block");
@@ -673,7 +673,7 @@ static VALUE template_each(int argc, VALUE *argv, VALUE class)
 static void template_init()
 {
        rbc_template = rb_define_class_under(rbm_dumm , "Template", rb_cObject);
-       
+
        rb_define_singleton_method(rbc_template, "load", template_load, 1);
        rb_define_singleton_method(rbc_template, "unload", template_unload, 0);
        rb_define_singleton_method(rbc_template, "each", template_each, -1);
@@ -685,14 +685,14 @@ static void template_init()
 void Final_dumm()
 {
        struct sigaction action;
-       
+
        dumm->destroy(dumm);
-       
+
        sigemptyset(&action.sa_mask);
        action.sa_handler = SIG_DFL;
        action.sa_flags = 0;
        sigaction(SIGCHLD, &action, NULL);
-       
+
        library_deinit();
 }
 
@@ -702,25 +702,25 @@ void Final_dumm()
 void Init_dumm()
 {
        struct sigaction action;
-       
+
        /* there are too many to report, rubyruby... */
        setenv("LEAK_DETECTIVE_DISABLE", "1", 1);
-       
+
        library_init(NULL);
-       
+
        dumm = dumm_create(NULL);
-       
+
        rbm_dumm = rb_define_module("Dumm");
-       
+
        guest_init();
        bridge_init();
        iface_init();
        template_init();
-       
+
        sigemptyset(&action.sa_mask);
        action.sa_sigaction = sigchld_handler;
        action.sa_flags = SA_SIGINFO;
        sigaction(SIGCHLD, &action, NULL);
-       
+
        rb_set_end_proc(Final_dumm, 0);
 }
index 969a2a99d3decdbfc7c19b6eb75866f2c4abfb26..112adb4414a8d3a7febf1675a14453fae8b0f8dd 100644 (file)
@@ -97,13 +97,13 @@ static iface_t* create_iface(private_guest_t *this, char *name)
 {
        enumerator_t *enumerator;
        iface_t *iface;
-       
+
        if (this->state != GUEST_RUNNING)
        {
                DBG1("guest '%s' not running, unable to add interface", this->name);
                return NULL;
        }
-       
+
        enumerator = this->ifaces->create_enumerator(this->ifaces);
        while (enumerator->enumerate(enumerator, (void**)&iface))
        {
@@ -131,7 +131,7 @@ static void destroy_iface(private_guest_t *this, iface_t *iface)
 {
        enumerator_t *enumerator;
        iface_t *current;
-       
+
        enumerator = this->ifaces->create_enumerator(this->ifaces);
        while (enumerator->enumerate(enumerator, (void**)&current))
        {
@@ -152,7 +152,7 @@ static enumerator_t* create_iface_enumerator(private_guest_t *this)
 {
        return this->ifaces->create_enumerator(this->ifaces);
 }
-       
+
 /**
  * Implementation of guest_t.get_state.
  */
@@ -224,7 +224,7 @@ static void stop(private_guest_t *this, idle_function_t idle)
 void savepid(private_guest_t *this)
 {
        FILE *file;
-       
+
        file = fdopen(openat(this->dir, PID_FILE, O_RDWR | O_CREAT | O_TRUNC,
                                                 PERM), "w");
        if (file)
@@ -246,18 +246,18 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
        char *args[32];
        int i = 0;
        size_t left = sizeof(buf);
-       
+
        memset(args, 0, sizeof(args));
-       
+
        if (this->state != GUEST_STOPPED)
        {
                DBG1("unable to start guest in state %N", guest_state_names, this->state);
                return FALSE;
        }
        this->state = GUEST_STARTING;
-       
+
        notify = write_arg(&pos, &left, "%s/%s", this->dirname, NOTIFY_FILE);
-       
+
        args[i++] = write_arg(&pos, &left, "nice");
        args[i++] = write_arg(&pos, &left, "%s/%s", this->dirname, KERNEL_FILE);
        args[i++] = write_arg(&pos, &left, "root=/dev/root");
@@ -271,7 +271,7 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
        {
                args[i++] = this->args;
        }
-         
+
        this->pid = invoke(data, &this->public, args, i);
        if (!this->pid)
        {
@@ -279,7 +279,7 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
                return FALSE;
        }
        savepid(this);
-       
+
        /* open mconsole */
        this->mconsole = mconsole_create(notify, idle);
        if (this->mconsole == NULL)
@@ -288,11 +288,11 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
                stop(this, NULL);
                return FALSE;
        }
-       
+
        this->state = GUEST_RUNNING;
        return TRUE;
-}      
-       
+}
+
 /**
  * Implementation of guest_t.load_template.
  */
@@ -300,12 +300,12 @@ static bool load_template(private_guest_t *this, char *path)
 {
        char dir[PATH_MAX];
        size_t len;
-       
+
        if (path == NULL)
        {
-               return this->cowfs->set_overlay(this->cowfs, NULL);     
+               return this->cowfs->set_overlay(this->cowfs, NULL);
        }
-       
+
        len = snprintf(dir, sizeof(dir), "%s/%s", path, this->name);
        if (len < 0 || len >= sizeof(dir))
        {
@@ -334,11 +334,11 @@ static int vexec(private_guest_t *this, void(*cb)(void*,char*,size_t), void *dat
 {
        char buf[1024];
        size_t len;
-       
+
        if (this->mconsole)
        {
                len = vsnprintf(buf, sizeof(buf), cmd, args);
-               
+
                if (len > 0 && len < sizeof(buf))
                {
                        return this->mconsole->exec(this->mconsole, cb, data, buf);
@@ -389,7 +389,7 @@ static void exec_str_cb(exec_str_t *data, char *buf, size_t len)
                }
                strncat(data->buf.ptr, buf, len);
        }
-       
+
        if (data->cb)
        {
                char *nl;
@@ -477,7 +477,7 @@ static bool mount_unionfs(private_guest_t *this)
                snprintf(master, sizeof(master), "%s/%s", this->dirname, MASTER_DIR);
                snprintf(diff, sizeof(diff), "%s/%s", this->dirname, DIFF_DIR);
                snprintf(mount, sizeof(mount), "%s/%s", this->dirname, UNION_DIR);
-               
+
                this->cowfs = cowfs_create(master, diff, mount);
                if (this->cowfs)
                {
@@ -494,7 +494,7 @@ char *loadargs(private_guest_t *this)
 {
        FILE *file;
        char buf[512], *args = NULL;
-       
+
        file = fdopen(openat(this->dir, ARGS_FILE, O_RDONLY, PERM), "r");
        if (file)
        {
@@ -514,7 +514,7 @@ bool saveargs(private_guest_t *this, char *args)
 {
        FILE *file;
        bool retval = FALSE;
-       
+
        file = fdopen(openat(this->dir, ARGS_FILE, O_RDWR | O_CREAT | O_TRUNC,
                                                 PERM), "w");
        if (file)
@@ -554,7 +554,7 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
 {
        char cwd[PATH_MAX];
        private_guest_t *this = malloc_thing(private_guest_t);
-       
+
        this->public.get_name = (void*)get_name;
        this->public.get_pid = (pid_t(*)(guest_t*))get_pid;
        this->public.get_state = (guest_state_t(*)(guest_t*))get_state;
@@ -568,7 +568,7 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
        this->public.exec_str = (int(*)(guest_t*, void(*cb)(void*,char*),bool,void*,char*,...))exec_str;
        this->public.sigchild = (void(*)(guest_t*))sigchild;
        this->public.destroy = (void*)destroy;
-               
+
        if (*parent == '/' || getcwd(cwd, sizeof(cwd)) == NULL)
        {
                if (asprintf(&this->dirname, "%s/%s", parent, name) < 0)
@@ -607,7 +607,7 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
        this->args = NULL;
        this->name = strdup(name);
        this->cowfs = NULL;
-       
+
        return this;
 }
 
@@ -618,7 +618,7 @@ static bool make_symlink(private_guest_t *this, char *old, char *new)
 {
        char cwd[PATH_MAX];
        char buf[PATH_MAX];
-       
+
        if (*old == '/' || getcwd(cwd, sizeof(cwd)) == NULL)
        {
                snprintf(buf, sizeof(buf), "%s", old);
@@ -632,18 +632,18 @@ static bool make_symlink(private_guest_t *this, char *old, char *new)
 
 
 /**
- * create the guest instance, including required dirs and mounts 
+ * create the guest instance, including required dirs and mounts
  */
 guest_t *guest_create(char *parent, char *name, char *kernel,
                                          char *master, char *args)
 {
        private_guest_t *this = guest_create_generic(parent, name, TRUE);
-       
+
        if (this == NULL)
        {
                return NULL;
        }
-       
+
        if (!make_symlink(this, master, MASTER_DIR) ||
                !make_symlink(this, kernel, KERNEL_FILE))
        {
@@ -651,22 +651,22 @@ guest_t *guest_create(char *parent, char *name, char *kernel,
                destroy(this);
                return NULL;
        }
-       
-       if (mkdirat(this->dir, UNION_DIR, PERME) != 0 || 
+
+       if (mkdirat(this->dir, UNION_DIR, PERME) != 0 ||
                mkdirat(this->dir, DIFF_DIR, PERME) != 0)
        {
                DBG1("unable to create directories for '%s': %m", name);
                destroy(this);
                return NULL;
        }
-       
+
        this->args = args;
        if (args && !saveargs(this, args))
        {
                destroy(this);
                return NULL;
        }
-       
+
        if (!mount_unionfs(this))
        {
                destroy(this);
@@ -682,20 +682,20 @@ guest_t *guest_create(char *parent, char *name, char *kernel,
 guest_t *guest_load(char *parent, char *name)
 {
        private_guest_t *this = guest_create_generic(parent, name, FALSE);
-       
+
        if (this == NULL)
        {
                return NULL;
        }
-       
+
        this->args = loadargs(this);
-       
+
        if (!mount_unionfs(this))
        {
                destroy(this);
                return NULL;
        }
-       
+
        return &this->public;
 }
 
index a1e4966ac47c34f76bfce3852b6f1476ad6c292e..5f812f8ebe3f7e2aae197f9d8c87948ec409e2be 100644 (file)
@@ -56,10 +56,10 @@ extern enum_name_t *guest_state_names;
  * @param guest                guest to start
  * @param args         args to use for guest invocation, args[0] is kernel
  * @param argc         number of elements in args
- * @param idle         
+ * @param idle
  * @return                     PID of child, 0 if failed
  */
-typedef pid_t (*invoke_function_t)(void *data, guest_t *guest, 
+typedef pid_t (*invoke_function_t)(void *data, guest_t *guest,
                                                                   char *args[], int argc);
 
 /**
@@ -71,28 +71,28 @@ typedef void (*idle_function_t)(void);
  * A guest is a UML instance running on the host.
  **/
 struct guest_t {
-       
+
        /**
         * Get the name of this guest.
         *
         * @return              name of the guest
         */
        char* (*get_name) (guest_t *this);
-       
+
        /**
         * Get the process ID of the guest child process.
         *
         * @return              name of the guest
         */
        pid_t (*get_pid) (guest_t *this);
-       
+
        /**
         * Get the state of the guest (stopped, started, etc.).
         *
         * @return              guests state
         */
-       guest_state_t (*get_state)(guest_t *this);      
-       
+       guest_state_t (*get_state)(guest_t *this);
+
        /**
         * Start the guest.
         *
@@ -103,14 +103,14 @@ struct guest_t {
         */
        bool (*start) (guest_t *this, invoke_function_t invoke, void *data,
                                   idle_function_t idle);
-       
+
        /**
         * Kill the guest.
         *
         * @param idle          idle function to call while waiting to termination
         */
        void (*stop) (guest_t *this, idle_function_t idle);
-       
+
        /**
         * Create a new interface in the current scenario.
         *
@@ -118,21 +118,21 @@ struct guest_t {
         * @return              created interface, or NULL if failed
         */
        iface_t* (*create_iface)(guest_t *this, char *name);
-       
+
        /**
         * Destroy an interface on guest.
         *
         * @param iface interface to destroy
         */
        void (*destroy_iface)(guest_t *this, iface_t *iface);
-       
+
        /**
         * Create an enumerator over all guest interfaces.
         *
         * @return              enumerator over iface_t's
         */
        enumerator_t* (*create_iface_enumerator)(guest_t *this);
-       
+
        /**
         * Set the template COWFS overlay to use.
         *
@@ -140,7 +140,7 @@ struct guest_t {
         * @return                      FALSE if failed
         */
        bool (*load_template)(guest_t *this, char *parent);
-       
+
        /**
         * Execute a command on the guests mconsole.
         *
@@ -152,15 +152,15 @@ struct guest_t {
         */
        int (*exec)(guest_t *this, void(*cb)(void*,char*,size_t), void *data,
                                char *cmd, ...);
-       
+
        /**
         * Execute a command on the guests mconsole, with output formatter.
-        * 
+        *
         * If lines is TRUE, callback is invoked for each output line. Otherwise
         * the full result is returned in one callback invocation.
-        * 
+        *
         * @note This function does not work with binary output.
-        * 
+        *
         * @param cb            callback to call for each line or for the complete output
         * @param lines         TRUE if the callback should be called for each line
         * @param data          data to pass to callback
@@ -170,15 +170,15 @@ struct guest_t {
         */
        int (*exec_str)(guest_t *this, void(*cb)(void*,char*), bool lines,
                                        void *data, char *cmd, ...);
-       
+
        /**
         * Called whenever a SIGCHILD for the guests PID is received.
         */
        void (*sigchild)(guest_t *this);
-       
+
        /**
         * Close and destroy a guest with all interfaces
-        */     
+        */
        void (*destroy) (guest_t *this);
 };
 
index bf73c82a51c6af8e70f059ef4c4cd99699a7976f..ed895af37fb2865e72707ca65f80a7626096e035 100644 (file)
@@ -55,10 +55,10 @@ bool iface_control(char *name, bool up)
        int s;
        bool good = FALSE;
        struct ifreq ifr;
-       
+
        memset(&ifr, 0, sizeof(struct ifreq));
        strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name));
-       
+
        s = socket(AF_INET, SOCK_DGRAM, 0);
        if (!s)
        {
@@ -104,7 +104,7 @@ static char* get_hostif(private_iface_t *this)
  */
 static bool add_address(private_iface_t *this, host_t *addr)
 {
-       return (this->guest->exec(this->guest, NULL, NULL, 
+       return (this->guest->exec(this->guest, NULL, NULL,
                                  "exec ip addr add %H dev %s", addr, this->guestif) == 0);
 }
 
@@ -185,7 +185,7 @@ static guest_t* get_guest(private_iface_t *this)
 {
        return this->guest;
 }
-       
+
 /**
  * destroy the tap device
  */
@@ -193,7 +193,7 @@ static bool destroy_tap(private_iface_t *this)
 {
        struct ifreq ifr;
        int tap;
-       
+
        if (!iface_control(this->hostif, FALSE))
        {
                DBG1("bringing iface down failed: %m");
@@ -201,7 +201,7 @@ static bool destroy_tap(private_iface_t *this)
        memset(&ifr, 0, sizeof(ifr));
        ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
        strncpy(ifr.ifr_name, this->hostif, sizeof(ifr.ifr_name) - 1);
-       
+
        tap = open(TAP_DEVICE, O_RDWR);
        if (tap < 0)
        {
@@ -245,7 +245,7 @@ static char* create_tap(private_iface_t *this)
                DBG1("creating new tap device failed: %m");
                close(tap);
                return NULL;
-    } 
+    }
        close(tap);
        return strdup(ifr.ifr_name);
 }
@@ -274,7 +274,7 @@ static void destroy(private_iface_t *this)
 iface_t *iface_create(char *name, guest_t *guest, mconsole_t *mconsole)
 {
        private_iface_t *this = malloc_thing(private_iface_t);
-       
+
        this->public.get_hostif = (char*(*)(iface_t*))get_hostif;
        this->public.get_guestif = (char*(*)(iface_t*))get_guestif;
        this->public.add_address = (bool(*)(iface_t*, host_t *addr))add_address;
index 7aef95c01ef9c5f1721d5b0891d5e44b794df60f..dabefaa17f5ae0fdaabb27d99507433222b6219f 100644 (file)
@@ -32,21 +32,21 @@ typedef struct iface_t iface_t;
  * Interface in a guest, connected to a tap device on the host.
  */
 struct iface_t {
-       
+
        /**
         * Get the interface name in the guest (e.g. eth0).
         *
         * @return                      guest interface name
         */
        char* (*get_guestif)(iface_t *this);
-       
+
        /**
         * Get the interface name at the host (e.g. tap0).
         *
         * @return                      host interface (tap device) name
         */
        char* (*get_hostif)(iface_t *this);
-       
+
        /**
         * Add an address to the interface.
         *
@@ -54,43 +54,43 @@ struct iface_t {
         * @return                      TRUE if address added
         */
        bool (*add_address)(iface_t *this, host_t *addr);
-       
+
        /**
         * Create an enumerator over all installed addresses.
         *
         * @return                      enumerator over host_t*
         */
        enumerator_t* (*create_address_enumerator)(iface_t *this);
-       
+
        /**
         * Remove an address from an interface.
         *
         * @param addr          address to remove
         * @return                      TRUE if address removed
         */
-       bool (*delete_address)(iface_t *this, host_t *addr);    
-       
+       bool (*delete_address)(iface_t *this, host_t *addr);
+
        /**
         * Set the bridge this interface is attached to.
         *
         * @param bridge        assigned bridge, or NULL for none
         */
        void (*set_bridge)(iface_t *this, bridge_t *bridge);
-       
+
        /**
         * Get the bridge this iface is connected, or NULL.
         *
         * @return                      connected bridge, or NULL
         */
        bridge_t* (*get_bridge)(iface_t *this);
-       
+
        /**
         * Get the guest this iface belongs to.
         *
         * @return                      guest of this iface
         */
        guest_t* (*get_guest)(iface_t *this);
-       
+
        /**
         * Destroy an interface
         */
index bca8ce1dbb54bb50386531a430b064342180488b..cf7f3423a3712a7e0c7f5d9243ea3393cf6aa0c7 100644 (file)
@@ -26,10 +26,10 @@ int main(int argc, char *argv[])
 {
        int state, i;
        char buf[512];
-       
+
        ruby_init();
        ruby_init_loadpath();
-       
+
        rb_eval_string_protect("require 'dumm' and include Dumm", &state);
        if (state)
        {
@@ -53,7 +53,7 @@ int main(int argc, char *argv[])
        {
                rb_p(ruby_errinfo);
        }
-       
+
        ruby_finalize();
        return 0;
 }
index ba2801760b64eb401f7d7b7cbe6ee0f958a36a5e..b91c76e7a20bd13918bfa1f885daff172ac4311f 100644 (file)
@@ -62,7 +62,7 @@ static void child_exited(VteReaper *vtereaper, gint pid, gint status)
 {
        enumerator_t *enumerator;
        page_t *page;
-       
+
        enumerator = pages->create_enumerator(pages);
        while (enumerator->enumerate(enumerator, (void**)&page))
        {
@@ -81,7 +81,7 @@ static page_t* get_page(int num)
 {
        enumerator_t *enumerator;
        page_t *page, *found = NULL;
-       
+
        enumerator = pages->create_enumerator(pages);
        while (enumerator->enumerate(enumerator, (void**)&page))
        {
@@ -114,7 +114,7 @@ void idle(void)
 static void start_guest()
 {
        page_t *page;
-       
+
        page = get_page(gtk_notebook_get_current_page(GTK_NOTEBOOK(notebook)));
        if (page && page->guest->get_state(page->guest) == GUEST_STOPPED)
        {
@@ -128,7 +128,7 @@ static void start_all_guests()
 {
        enumerator_t *enumerator;
        page_t *page;
-       
+
        enumerator = pages->create_enumerator(pages);
        while (enumerator->enumerate(enumerator, (void**)&page))
        {
@@ -146,7 +146,7 @@ static void start_all_guests()
 static void stop_guest()
 {
        page_t *page;
-       
+
        page = get_page(gtk_notebook_get_current_page(GTK_NOTEBOOK(notebook)));
        if (page && page->guest->get_state(page->guest) == GUEST_RUNNING)
        {
@@ -163,12 +163,12 @@ static void quit()
        page_t *page;
 
        dumm->load_template(dumm, NULL);
-       
+
        enumerator = pages->create_enumerator(pages);
        while (enumerator->enumerate(enumerator, &page))
        {
                if (page->guest->get_state(page->guest) != GUEST_STOPPED)
-               {                       
+               {
                        page->guest->stop(page->guest, idle);
                }
        }
@@ -191,32 +191,32 @@ static void create_switch()
 {
        GtkWidget *dialog, *table, *label, *name;
        bridge_t *bridge;
-       
+
        dialog = gtk_dialog_new_with_buttons("Create new switch", GTK_WINDOW(window),
                                                        GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
                                                        GTK_STOCK_CANCEL, GTK_RESPONSE_REJECT,
                                                        GTK_STOCK_NEW, GTK_RESPONSE_ACCEPT, NULL);
-       
+
        table = gtk_table_new(1, 2, TRUE);
        gtk_container_add(GTK_CONTAINER(GTK_DIALOG(dialog)->vbox), table);
-       
+
        label = gtk_label_new("Switch name");
        gtk_table_attach(GTK_TABLE(table), label,  0, 1, 0, 1, 0, 0, 0, 0);
        gtk_widget_show(label);
-       
+
        name = gtk_entry_new();
        gtk_table_attach(GTK_TABLE(table), name, 1, 2, 0, 1,
                                         GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
        gtk_widget_show(name);
-       
+
        gtk_widget_show(table);
-       
+
        while (TRUE)
        {
                switch (gtk_dialog_run(GTK_DIALOG(dialog)))
                {
                        case GTK_RESPONSE_ACCEPT:
-                       {                       
+                       {
                                if (streq(gtk_entry_get_text(GTK_ENTRY(name)), ""))
                                {
                                        continue;
@@ -250,34 +250,34 @@ static void connect_guest()
        bridge_t *bridge;
        iface_t *iface;
        enumerator_t *enumerator;
-       
+
        page = get_page(gtk_notebook_get_current_page(GTK_NOTEBOOK(notebook)));
        if (!page || page->guest->get_state(page->guest) != GUEST_RUNNING)
        {
                return;
        }
-       
+
        dialog = gtk_dialog_new_with_buttons("Connect guest", GTK_WINDOW(window),
                                                        GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
                                                        GTK_STOCK_CANCEL, GTK_RESPONSE_REJECT,
                                                        GTK_STOCK_NEW, GTK_RESPONSE_ACCEPT, NULL);
-       
+
        table = gtk_table_new(2, 2, TRUE);
        gtk_container_add(GTK_CONTAINER(GTK_DIALOG(dialog)->vbox), table);
-       
+
        label = gtk_label_new("Interface name");
        gtk_table_attach(GTK_TABLE(table), label,  0, 1, 0, 1, 0, 0, 0, 0);
        gtk_widget_show(label);
-       
+
        name = gtk_entry_new();
        gtk_table_attach(GTK_TABLE(table), name, 1, 2, 0, 1,
                                         GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
        gtk_widget_show(name);
-       
+
        label = gtk_label_new("Connected switch");
        gtk_table_attach(GTK_TABLE(table), label,  0, 1, 1, 2, 0, 0, 0, 0);
        gtk_widget_show(label);
-       
+
        box = gtk_combo_box_new_text();
        gtk_table_attach(GTK_TABLE(table), box, 1, 2, 1, 2,
                                         GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
@@ -288,20 +288,20 @@ static void connect_guest()
        }
        enumerator->destroy(enumerator);
        gtk_widget_show(box);
-       
+
        gtk_widget_show(table);
-       
+
        while (TRUE)
        {
                switch (gtk_dialog_run(GTK_DIALOG(dialog)))
                {
                        case GTK_RESPONSE_ACCEPT:
-                       {                       
+                       {
                                if (streq(gtk_entry_get_text(GTK_ENTRY(name)), ""))
                                {
                                        continue;
                                }
-                               
+
                                iface = page->guest->create_iface(page->guest,
                                                                        (char*)gtk_entry_get_text(GTK_ENTRY(name)));
                                if (!iface)
@@ -337,7 +337,7 @@ static void disconnect_guest()
 static void delete_guest()
 {
        page_t *page;
-       
+
        page = get_page(gtk_notebook_get_current_page(GTK_NOTEBOOK(notebook)));
        if (page)
        {
@@ -356,7 +356,7 @@ static page_t* create_page(guest_t *guest)
 {
        GtkWidget *label;
        page_t *page;
-       
+
        page = g_new(page_t, 1);
        page->guest = guest;
        page->vte = vte_terminal_new();
@@ -375,55 +375,55 @@ static void create_guest()
 {
        guest_t *guest;
        GtkWidget *dialog, *table, *label, *name, *kernel, *master, *args;
-       
+
        dialog = gtk_dialog_new_with_buttons("Create new guest", GTK_WINDOW(window),
                                                        GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
                                                        GTK_STOCK_CANCEL, GTK_RESPONSE_REJECT,
                                                        GTK_STOCK_NEW, GTK_RESPONSE_ACCEPT, NULL);
-       
+
        table = gtk_table_new(4, 2, TRUE);
        gtk_container_add(GTK_CONTAINER(GTK_DIALOG(dialog)->vbox), table);
-       
+
        label = gtk_label_new("Guest name");
        gtk_table_attach(GTK_TABLE(table), label,  0, 1, 0, 1, 0, 0, 0, 0);
        gtk_widget_show(label);
-       
+
        label = gtk_label_new("UML kernel");
        gtk_table_attach(GTK_TABLE(table), label, 0, 1, 1, 2, 0, 0, 0, 0);
        gtk_widget_show(label);
-       
+
        label = gtk_label_new("Master filesystem");
        gtk_table_attach(GTK_TABLE(table), label, 0, 1, 2, 3, 0, 0, 0, 0);
        gtk_widget_show(label);
-       
+
        label = gtk_label_new("Kernel arguments");
        gtk_table_attach(GTK_TABLE(table), label, 0, 1, 3, 4, 0, 0, 0, 0);
        gtk_widget_show(label);
-       
+
        name = gtk_entry_new();
        gtk_table_attach(GTK_TABLE(table), name, 1, 2, 0, 1,
                                         GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
        gtk_widget_show(name);
-       
+
        kernel = gtk_file_chooser_button_new("Select UML kernel image",
                                                                                 GTK_FILE_CHOOSER_ACTION_OPEN);
        gtk_table_attach(GTK_TABLE(table), kernel, 1, 2, 1, 2,
                                         GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
        gtk_widget_show(kernel);
-       
+
        master = gtk_file_chooser_button_new("Select master filesystem",
                                                                                 GTK_FILE_CHOOSER_ACTION_SELECT_FOLDER);
        gtk_table_attach(GTK_TABLE(table), master, 1, 2, 2, 3,
                                         GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
        gtk_widget_show(master);
-       
+
        args = gtk_entry_new();
        gtk_table_attach(GTK_TABLE(table), args, 1, 2, 3, 4,
                                         GTK_FILL | GTK_EXPAND | GTK_SHRINK, 0, 0, 0);
        gtk_widget_show(args);
-       
+
        gtk_widget_show(table);
-       
+
        while (TRUE)
        {
                switch (gtk_dialog_run(GTK_DIALOG(dialog)))
@@ -432,12 +432,12 @@ static void create_guest()
                        {
                                char *sname, *skernel, *smaster, *sargs;
                                page_t *page;
-                               
+
                                sname = (char*)gtk_entry_get_text(GTK_ENTRY(name));
                                skernel = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(kernel));
                                smaster = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(master));
                                sargs = (char*)gtk_entry_get_text(GTK_ENTRY(args));
-                       
+
                                if (!sname[0] || !skernel || !smaster)
                                {
                                        continue;
@@ -469,10 +469,10 @@ int main(int argc, char *argv[])
        GtkWidget *dummMenu, *guestMenu, *switchMenu;
        enumerator_t *enumerator;
        guest_t *guest;
-       
+
        library_init(NULL);
        gtk_init(&argc, &argv);
-       
+
        pages = linked_list_create();
        dumm = dumm_create(NULL);
 
@@ -483,7 +483,7 @@ int main(int argc, char *argv[])
        gtk_window_set_default_size(GTK_WINDOW (window), 1000, 500);
        g_signal_connect(G_OBJECT(vte_reaper_get()), "child-exited",
                                         G_CALLBACK(child_exited), NULL);
-       
+
        /* add vbox with menubar, notebook */
        vbox = gtk_vbox_new(FALSE, 0);
        gtk_container_add(GTK_CONTAINER(window), vbox);
@@ -500,7 +500,7 @@ int main(int argc, char *argv[])
        gtk_menu_bar_append(GTK_MENU_BAR(menubar), dummMenu);
        gtk_widget_show(dummMenu);
        gtk_menu_item_set_submenu(GTK_MENU_ITEM(dummMenu), menu);
-       
+
        /* Dumm -> exit */
        menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_QUIT, NULL);
        g_signal_connect(G_OBJECT(menuitem), "activate",
@@ -514,57 +514,57 @@ int main(int argc, char *argv[])
        gtk_menu_bar_append(GTK_MENU_BAR(menubar), guestMenu);
        gtk_widget_show(guestMenu);
        gtk_menu_item_set_submenu(GTK_MENU_ITEM(guestMenu), menu);
-       
+
        /* Guest -> new */
        menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_NEW, NULL);
        g_signal_connect(G_OBJECT(menuitem), "activate",
                                         G_CALLBACK(create_guest), NULL);
        gtk_menu_append(GTK_MENU(menu), menuitem);
        gtk_widget_show(menuitem);
-       
+
        /* Guest -> delete */
        menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_DELETE, NULL);
        g_signal_connect(G_OBJECT(menuitem), "activate",
                                         G_CALLBACK(delete_guest), NULL);
        gtk_menu_append(GTK_MENU(menu), menuitem);
        gtk_widget_show(menuitem);
-       
+
        menuitem = gtk_separator_menu_item_new();
        gtk_menu_append(GTK_MENU(menu), menuitem);
        gtk_widget_show(menuitem);
-       
+
        /* Guest -> start */
        menuitem = gtk_menu_item_new_with_mnemonic("_Start");
        g_signal_connect(G_OBJECT(menuitem), "activate",
                                         G_CALLBACK(start_guest), NULL);
        gtk_menu_append(GTK_MENU(menu), menuitem);
        gtk_widget_show(menuitem);
-       
+
        /* Guest -> startall */
        menuitem = gtk_menu_item_new_with_mnemonic("Start _all");
        g_signal_connect(G_OBJECT(menuitem), "activate",
                                         G_CALLBACK(start_all_guests), NULL);
        gtk_menu_append(GTK_MENU(menu), menuitem);
        gtk_widget_show(menuitem);
-       
+
        /* Guest -> stop */
        menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_STOP, NULL);
        g_signal_connect(G_OBJECT(menuitem), "activate",
                                         G_CALLBACK(stop_guest), NULL);
        gtk_menu_append(GTK_MENU(menu), menuitem);
        gtk_widget_show(menuitem);
-       
+
        menuitem = gtk_separator_menu_item_new();
        gtk_menu_append(GTK_MENU(menu), menuitem);
        gtk_widget_show(menuitem);
-       
+
        /* Guest -> connect */
        menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_CONNECT, NULL);
        g_signal_connect(G_OBJECT(menuitem), "activate",
                                         G_CALLBACK(connect_guest), NULL);
        gtk_menu_append(GTK_MENU(menu), menuitem);
        gtk_widget_show(menuitem);
-       
+
        /* Guest -> disconnect */
        menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_DISCONNECT, NULL);
        g_signal_connect(G_OBJECT(menuitem), "activate",
@@ -579,14 +579,14 @@ int main(int argc, char *argv[])
        gtk_menu_bar_append(GTK_MENU_BAR(menubar), switchMenu);
        gtk_widget_show(switchMenu);
        gtk_menu_item_set_submenu(GTK_MENU_ITEM(switchMenu), menu);
-       
+
        /* Switch -> new */
        menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_NEW, NULL);
        g_signal_connect(G_OBJECT(menuitem), "activate",
                                         G_CALLBACK(create_switch), NULL);
        gtk_menu_append(GTK_MENU(menu), menuitem);
        gtk_widget_show(menuitem);
-       
+
        /* Switch -> delete */
        menuitem = gtk_image_menu_item_new_from_stock(GTK_STOCK_DELETE, NULL);
        g_signal_connect(G_OBJECT(menuitem), "activate",
@@ -594,13 +594,13 @@ int main(int argc, char *argv[])
        gtk_menu_append(GTK_MENU(menu), menuitem);
        gtk_widget_set_sensitive(menuitem, FALSE);
        gtk_widget_show(menuitem);
-       
+
        /* show widgets */
        gtk_widget_show(menubar);
        gtk_widget_show(notebook);
        gtk_widget_show(vbox);
        gtk_widget_show(window);
-       
+
        /* fill notebook with guests */
        enumerator = dumm->create_guest_enumerator(dumm);
        while (enumerator->enumerate(enumerator, (void**)&guest))
@@ -608,12 +608,12 @@ int main(int argc, char *argv[])
                create_page(guest);
        }
        enumerator->destroy(enumerator);
-       
+
        gtk_main();
-       
+
        dumm->destroy(dumm);
        pages->destroy_function(pages, g_free);
-       
+
        library_deinit();
        return 0;
 }
index 2ed96d5622a63847982e1395846a364849347f5f..cba00bb5dc27d9e2a3c2b463c765fd95319eee74 100644 (file)
@@ -95,14 +95,14 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
        mconsole_reply reply;
        int len, flags = 0;
        va_list args;
-       
+
        memset(&request, 0, sizeof(request));
        request.magic = MCONSOLE_MAGIC;
        request.version = MCONSOLE_VERSION;
        va_start(args, command);
        request.len = vsnprintf(request.data, sizeof(request.data), command, args);
        va_end(args);
-       
+
        if (this->idle)
        {
                flags = MSG_DONTWAIT;
@@ -117,13 +117,13 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
                                         (struct sockaddr*)&this->uml, sizeof(this->uml));
        }
        while (len < 0 && (errno == EINTR || errno == EAGAIN));
-       
+
        if (len < 0)
        {
                DBG1("sending mconsole command to UML failed: %m");
                return -1;
        }
-       do 
+       do
        {
                len = recv(this->console, &reply, sizeof(reply), flags);
                if (len < 0 && (errno == EINTR || errno == EAGAIN))
@@ -157,7 +157,7 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
                }
        }
        while (reply.more);
-       
+
        return reply.err;
 }
 
@@ -174,7 +174,7 @@ static void ignore(void *data, char *buf, size_t len)
 static bool add_iface(private_mconsole_t *this, char *guest, char *host)
 {
        int tries = 0;
-       
+
        while (tries++ < 5)
        {
                if (request(this, ignore, NULL, "config %s=tuntap,%s", guest, host) == 0)
@@ -190,7 +190,7 @@ static bool add_iface(private_mconsole_t *this, char *guest, char *host)
  * Implementation of mconsole_t.del_iface.
  */
 static bool del_iface(private_mconsole_t *this, char *guest)
-{      
+{
        if (request(this, NULL, NULL, "remove %s", guest) != 0)
        {
                return FALSE;
@@ -270,7 +270,7 @@ static bool wait_for_notify(private_mconsole_t *this, char *nsock)
                len = recvfrom(this->notify, &notify, sizeof(notify), flags, NULL, 0);
        }
        while (len < 0 && (errno == EINTR || errno == EAGAIN));
-       
+
        if (len < 0 || len >= sizeof(notify))
        {
                DBG1("reading from mconsole notify socket failed: %m");
@@ -300,7 +300,7 @@ static bool wait_for_notify(private_mconsole_t *this, char *nsock)
 static bool setup_console(private_mconsole_t *this)
 {
        struct sockaddr_un addr;
-       
+
        this->console = socket(AF_UNIX, SOCK_DGRAM, 0);
        if (this->console < 0)
        {
@@ -326,20 +326,20 @@ static bool setup_console(private_mconsole_t *this)
 mconsole_t *mconsole_create(char *notify, void(*idle)(void))
 {
        private_mconsole_t *this = malloc_thing(private_mconsole_t);
-       
+
        this->public.add_iface = (bool(*)(mconsole_t*, char *guest, char *host))add_iface;
        this->public.del_iface = (bool(*)(mconsole_t*, char *guest))del_iface;
        this->public.exec = (int(*)(mconsole_t*,  void(*cb)(void*,char*,size_t), void *data, char *cmd))exec;
        this->public.destroy = (void*)destroy;
-       
+
        this->idle = idle;
-       
+
        if (!wait_for_notify(this, notify))
        {
                free(this);
                return NULL;
        }
-       
+
        if (!setup_console(this))
        {
                close(this->notify);
@@ -348,9 +348,9 @@ mconsole_t *mconsole_create(char *notify, void(*idle)(void))
                return NULL;
        }
        unlink(notify);
-       
+
        wait_bootup(this);
-       
+
        return &this->public;
 }
 
index a4d93e48eaea628e52c9d43d785ae5a155114800..9fa2755ef030e9bfb281d0ce5771023a2113c6c8 100644 (file)
@@ -24,7 +24,7 @@ typedef struct mconsole_t mconsole_t;
  * UML mconsole, change running UML configuration using mconsole.
  */
 struct mconsole_t {
-       
+
        /**
         * Create a guest interface and connect it to tap host interface.
         *
@@ -33,7 +33,7 @@ struct mconsole_t {
         * @return                              TRUE if interface created
         */
        bool (*add_iface)(mconsole_t *this, char *guest, char *host);
-       
+
        /**
         * Delete a guest interface.
         *
@@ -41,7 +41,7 @@ struct mconsole_t {
         * @return                              TRUE if interface deleted
         */
        bool (*del_iface)(mconsole_t *this, char *guest);
-       
+
        /**
         * Execute a command on the mconsole.
         *
@@ -52,7 +52,7 @@ struct mconsole_t {
         */
        int (*exec)(mconsole_t *this, void(*cb)(void*,char*,size_t), void *data,
                                char *cmd);
-       
+
        /**
         * Destroy the mconsole instance
         */
index af65dc499249d45bbc410f42ab4faf7ed7eabb8f..811a3c42caf5774141a6b39ab87750a383e78da6 100644 (file)
@@ -14,7 +14,7 @@
 #define NETLINK_SELINUX                7       /* SELinux event notifications */
 #define NETLINK_ISCSI          8       /* Open-iSCSI */
 #define NETLINK_AUDIT          9       /* auditing */
-#define NETLINK_FIB_LOOKUP     10      
+#define NETLINK_FIB_LOOKUP     10
 #define NETLINK_CONNECTOR      11
 #define NETLINK_NETFILTER      12      /* netfilter subsystem */
 #define NETLINK_IP6_FW         13
@@ -22,7 +22,7 @@
 #define NETLINK_KOBJECT_UEVENT 15      /* Kernel messages to userspace */
 #define NETLINK_GENERIC                16
 
-#define MAX_LINKS 32           
+#define MAX_LINKS 32
 
 struct sockaddr_nl
 {
index 56bf7b01c0ec78956952e6400e7953c7c25230bb..93201a4fb685bac777f7feb06819a4d06d5545f9 100644 (file)
@@ -104,7 +104,7 @@ enum {
 #define RTM_NR_FAMILIES        (RTM_NR_MSGTYPES >> 2)
 #define RTM_FAM(cmd)   (((cmd) - RTM_BASE) >> 2)
 
-/* 
+/*
    Generic structure for encapsulation of optional route information.
    It is reminiscent of sockaddr, but with sa_family replaced
    with attribute type.
@@ -146,7 +146,7 @@ struct rtmsg
 
        unsigned char           rtm_table;      /* Routing table id */
        unsigned char           rtm_protocol;   /* Routing protocol; see below  */
-       unsigned char           rtm_scope;      /* See below */ 
+       unsigned char           rtm_scope;      /* See below */
        unsigned char           rtm_type;       /* See below    */
 
        unsigned                rtm_flags;
@@ -632,7 +632,7 @@ struct ifinfomsg
 };
 
 /********************************************************************
- *             prefix information 
+ *             prefix information
  ****/
 
 struct prefixmsg
@@ -647,7 +647,7 @@ struct prefixmsg
        unsigned char   prefix_pad3;
 };
 
-enum 
+enum
 {
        PREFIX_UNSPEC,
        PREFIX_ADDRESS,
@@ -691,7 +691,7 @@ struct rtnl_link_stats
        __u32   tx_fifo_errors;
        __u32   tx_heartbeat_errors;
        __u32   tx_window_errors;
-       
+
        /* for cslip etc */
        __u32   rx_compressed;
        __u32   tx_compressed;
@@ -902,7 +902,7 @@ struct tcamsg
 };
 #define TA_RTA(r)  ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcamsg))))
 #define TA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcamsg))
-#define TCA_ACT_TAB 1 /* attr type must be >=1 */      
+#define TCA_ACT_TAB 1 /* attr type must be >=1 */
 #define TCAA_MAX 1
 
 /* End of information exported to user level */
@@ -941,7 +941,7 @@ extern void __rta_fill(struct sk_buff *skb, int attrtype, int attrlen, const voi
 #define RTA_PUT(skb, attrtype, attrlen, data) \
 ({     if (unlikely(skb_tailroom(skb) < (int)RTA_SPACE(attrlen))) \
                 goto rtattr_failure; \
-       __rta_fill(skb, attrtype, attrlen, data); }) 
+       __rta_fill(skb, attrtype, attrlen, data); })
 
 #define RTA_APPEND(skb, attrlen, data) \
 ({     if (unlikely(skb_tailroom(skb) < (int)(attrlen))) \
@@ -1021,7 +1021,7 @@ extern void __rta_fill(struct sk_buff *skb, int attrtype, int attrlen, const voi
 
 #define RTA_GET_SECS(rta) ((unsigned long) RTA_GET_U64(rta) * HZ)
 #define RTA_GET_MSECS(rta) (msecs_to_jiffies((unsigned long) RTA_GET_U64(rta)))
-               
+
 static __inline__ struct rtattr *
 __rta_reserve(struct sk_buff *skb, int attrtype, int attrlen)
 {
index 48b3c5e2381accf644c3906471d4b68a95015073..4f8d11d2c3ac15a75f5c47f55101f3aeae8688e3 100644 (file)
@@ -32,7 +32,7 @@ typedef context_t *(*context_constructor_t)(void *param);
  * User specific session context, to extend.
  */
 struct context_t {
-       
+
        /**
         * Destroy the context_t.
         */
index 55ba6f58a551976ea0671e3f3e3b9554a2fbd407..1edf72e9043dee4cd8fe39f5c4992c494dc4bcbf 100644 (file)
@@ -42,14 +42,14 @@ typedef controller_t *(*controller_constructor_t)(context_t* context, void *para
  * The controller handle function is called for each incoming request.
  */
 struct controller_t {
-       
+
        /**
         * Get the name of the controller.
         *
         * @return                              name of the controller
         */
        char* (*get_name)(controller_t *this);
-       
+
        /**
         * Handle a HTTP request for that controller.
         *
@@ -67,7 +67,7 @@ struct controller_t {
         */
        void (*handle)(controller_t *this, request_t *request,
                                   char *p1, char *p2, char *p3, char *p4, char *p5);
-               
+
        /**
         * Destroy the controller instance.
         */
index 9f4cc014a03fd245ef069e11186e4febe8befc12..bae6a28e8a544de8636480e35d2be804acdc5359 100644 (file)
@@ -37,57 +37,57 @@ struct private_dispatcher_t {
         * public functions
         */
        dispatcher_t public;
-       
+
        /**
         * fcgi socket fd
         */
        int fd;
-       
+
        /**
         * thread list
         */
        pthread_t *threads;
-       
+
        /**
         * number of threads in "threads"
         */
        int thread_count;
-       
+
        /**
         * session locking mutex
         */
        pthread_mutex_t mutex;
-       
+
        /**
         * List of sessions
         */
        linked_list_t *sessions;
-       
+
        /**
         * session timeout
         */
        time_t timeout;
-       
+
        /**
         * running in debug mode?
         */
        bool debug;
-       
+
        /**
         * List of controllers controller_constructor_t
         */
        linked_list_t *controllers;
-       
+
        /**
         * List of filters filter_constructor_t
         */
        linked_list_t *filters;
-       
-       /** 
+
+       /**
         * constructor function to create session context (in controller_entry_t)
         */
        context_constructor_t context_constructor;
-       
+
        /**
         * user param to context constructor
         */
@@ -135,13 +135,13 @@ static session_t* load_session(private_dispatcher_t *this)
        context_t *context = NULL;
        controller_t *controller;
        filter_t *filter;
-       
+
        if (this->context_constructor)
        {
                context = this->context_constructor(this->param);
        }
        session = session_create(context);
-       
+
        iterator = this->controllers->create_iterator(this->controllers, TRUE);
        while (iterator->iterate(iterator, (void**)&centry))
        {
@@ -149,7 +149,7 @@ static session_t* load_session(private_dispatcher_t *this)
                session->add_controller(session, controller);
        }
        iterator->destroy(iterator);
-       
+
        iterator = this->filters->create_iterator(this->filters, TRUE);
        while (iterator->iterate(iterator, (void**)&fentry))
        {
@@ -157,7 +157,7 @@ static session_t* load_session(private_dispatcher_t *this)
                session->add_filter(session, filter);
        }
        iterator->destroy(iterator);
-       
+
        return session;
 }
 
@@ -168,7 +168,7 @@ static session_entry_t *session_entry_create(private_dispatcher_t *this,
                                                                                         char *host)
 {
        session_entry_t *entry;
-       
+
        entry = malloc_thing(session_entry_t);
        entry->in_use = FALSE;
        entry->closed = FALSE;
@@ -176,7 +176,7 @@ static session_entry_t *session_entry_create(private_dispatcher_t *this,
        entry->session = load_session(this);
        entry->used = time_monotonic(NULL);
        entry->host = strdup(host);
-       
+
        return entry;
 }
 
@@ -194,7 +194,7 @@ static void add_controller(private_dispatcher_t *this,
                                                   controller_constructor_t constructor, void *param)
 {
        controller_entry_t *entry = malloc_thing(controller_entry_t);
-       
+
        entry->constructor = constructor;
        entry->param = param;
        this->controllers->insert_last(this->controllers, entry);
@@ -207,14 +207,14 @@ static void add_filter(private_dispatcher_t *this,
                                           filter_constructor_t constructor, void *param)
 {
        filter_entry_t *entry = malloc_thing(filter_entry_t);
-       
+
        entry->constructor = constructor;
        entry->param = param;
        this->filters->insert_last(this->filters, entry);
 }
 
 /**
- * Actual dispatching code 
+ * Actual dispatching code
  */
 static void dispatch(private_dispatcher_t *this)
 {
@@ -227,7 +227,7 @@ static void dispatch(private_dispatcher_t *this)
                iterator_t *iterator;
                time_t now;
                char *sid;
-               
+
                pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);
                request = request_create(this->fd, this->debug);
                pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
@@ -238,13 +238,13 @@ static void dispatch(private_dispatcher_t *this)
                }
                sid = request->get_cookie(request, "SID");
                now = time_monotonic(NULL);
-               
+
                /* find session */
                pthread_mutex_lock(&this->mutex);
                iterator = this->sessions->create_iterator(this->sessions, TRUE);
                while (iterator->iterate(iterator, (void**)&current))
                {
-                       /* check all sessions for timeout or close flag 
+                       /* check all sessions for timeout or close flag
                         * TODO: use a seperate cleanup thread */
                        if (!current->in_use &&
                                (current->used < now - this->timeout || current->closed))
@@ -262,7 +262,7 @@ static void dispatch(private_dispatcher_t *this)
                        }
                }
                iterator->destroy(iterator);
-               
+
                if (found)
                {
                        /* wait until session is unused */
@@ -278,18 +278,18 @@ static void dispatch(private_dispatcher_t *this)
                }
                found->in_use = TRUE;
                pthread_mutex_unlock(&this->mutex);
-       
+
                /* start processing */
                found->session->process(found->session, request);
                found->used = time_monotonic(NULL);
-               
+
                /* release session */
                pthread_mutex_lock(&this->mutex);
                found->in_use = FALSE;
                found->closed = request->session_closed(request);
                pthread_cond_signal(&found->cond);
                pthread_mutex_unlock(&this->mutex);
-               
+
                /* cleanup */
                request->destroy(request);
        }
@@ -319,7 +319,7 @@ static void waitsignal(private_dispatcher_t *this)
 {
        sigset_t set;
        int sig;
-       
+
        sigemptyset(&set);
        sigaddset(&set, SIGINT);
        sigaddset(&set, SIGTERM);
@@ -359,7 +359,7 @@ dispatcher_t *dispatcher_create(char *socket, bool debug, int timeout,
        this->public.run = (void(*)(dispatcher_t*, int threads))run;
        this->public.waitsignal = (void(*)(dispatcher_t*))waitsignal;
        this->public.destroy = (void(*)(dispatcher_t*))destroy;
-       
+
        this->sessions = linked_list_create();
        this->controllers = linked_list_create();
        this->filters = linked_list_create();
@@ -370,9 +370,9 @@ dispatcher_t *dispatcher_create(char *socket, bool debug, int timeout,
     this->timeout = timeout;
     this->debug = debug;
     this->threads = NULL;
-       
+
     FCGX_Init();
-    
+
     if (socket)
     {
                unlink(socket);
index 5b4e3f9479fd69ba5022584bc4220d506cd8b27f..17a288b8f9ef0e244c9c334a5df7be70d209306f 100644 (file)
  * the webserver. It is multithreaded and really fast.
  *
  * The application has a global context and a session context. The global
- * context is accessed from all sessions simultaneously and therefore 
+ * context is accessed from all sessions simultaneously and therefore
  * needs to be threadsave. Often a database wrapper is the global context.
  * The session context is instanciated per session. Sessions are managed
  * automatically through session cookies. The session context is kept alive
  * until the session times out. It must implement the context_t interface and
- * a #context_constructor_t is needed to create instances. To each session, 
- * a set of controllers gets instanciated. The controller instances are per 
+ * a #context_constructor_t is needed to create instances. To each session,
+ * a set of controllers gets instanciated. The controller instances are per
  * session, so you can hold private data for each user.
- * Controllers need to implement the controller_t interface and need a 
+ * Controllers need to implement the controller_t interface and need a
  * #controller_constructor_t function to create instances.
  *
  * A small example shows how to set up libfast:
  * @code
        dispatcher_t *dispatcher;
        your_global_context_implementation_t *global;
+
        global = initialize_your_global_context();
+
        dispatcher = dispatcher_create(NULL, FALSE, 180,
                        (context_constructor_t)your_session_context_create, global);
        dispatcher->add_controller(dispatcher, your_controller1_create, param1);
        dispatcher->add_controller(dispatcher, your_controller2_create, param2);
-       
+
        dispatcher->run(dispatcher, 20);
-       
+
        dispatcher->waitsignal(dispatcher);
-       
+
        dispatcher->destroy(dispatcher);
        global->destroy();
    @endcode
@@ -76,7 +76,7 @@ typedef struct dispatcher_t dispatcher_t;
  * constructor added with add_controller.
  */
 struct dispatcher_t {
-       
+
        /**
         * Register a controller to the dispatcher.
         *
@@ -96,8 +96,8 @@ struct dispatcher_t {
         * @param param                 param to pass to constructor
         */
        void (*add_filter)(dispatcher_t *this,
-                                          filter_constructor_t constructor, void *param);      
-       
+                                          filter_constructor_t constructor, void *param);
+
        /**
         * Start with dispatching.
         *
@@ -106,13 +106,13 @@ struct dispatcher_t {
         * @param threads               number of dispatching threads
         */
        void (*run)(dispatcher_t *this, int threads);
-       
+
        /**
         * Wait for a relevant signal action.
         *
         */
        void (*waitsignal)(dispatcher_t *this);
-       
+
        /**
         * Destroy the dispatcher_t.
         */
index d2602db9d79c16d161e1be4c5b0d6d2df5e7c58f..305a8bb6e038b9621c9688fd24499537ce242866 100644 (file)
@@ -39,7 +39,7 @@ typedef filter_t *(*filter_constructor_t)(context_t* context, void *param);
  * Filter interface, to be implemented by users filters.
  */
 struct filter_t {
-       
+
        /**
         * Called before the controller handles the request.
         *
@@ -53,7 +53,7 @@ struct filter_t {
         */
        bool (*run)(filter_t *this, request_t *request,
                                char *p0, char *p1, char *p2, char *p3, char *p4, char *p5);
-       
+
        /**
         * Destroy the filter instance.
         */
index 96dfab8e756f9eeed82bebdbd8b2adde77812116..1e4badaeb1184f49f039637c16dfbf6a56c4f474 100644 (file)
@@ -35,32 +35,32 @@ struct private_request_t {
         * public functions
         */
        request_t public;
-       
+
        /**
         * FastCGI request object
         */
        FCGX_Request req;
-       
+
        /**
         * length of the req.envp array
         */
        int req_env_len;
-       
+
        /**
         * ClearSilver CGI Kit context
         */
        CGI *cgi;
-       
+
        /**
         * ClearSilver HDF dataset for this request
         */
        HDF *hdf;
-       
-       /** 
+
+       /**
         * close the session?
         */
        bool closed;
-       
+
        /**
         * reference count
         */
@@ -85,7 +85,7 @@ pthread_once_t once = PTHREAD_ONCE_INIT;
 static int read_cb(void *null, char *buf, int size)
 {
        private_request_t *this = (private_request_t*)pthread_getspecific(this_key);
-       
+
        return FCGX_GetStr(buf, size, this->req.in);
 }
 
@@ -95,7 +95,7 @@ static int read_cb(void *null, char *buf, int size)
 static int writef_cb(void *null, const char *format, va_list args)
 {
        private_request_t *this = (private_request_t*)pthread_getspecific(this_key);
-       
+
        FCGX_VFPrintF(this->req.out, format, args);
        return 0;
 }
@@ -105,7 +105,7 @@ static int writef_cb(void *null, const char *format, va_list args)
 static int write_cb(void *null, const char *buf, int size)
 {
        private_request_t *this = (private_request_t*)pthread_getspecific(this_key);
-       
+
        return FCGX_PutStr(buf, size, this->req.out);
 }
 
@@ -116,7 +116,7 @@ static char *getenv_cb(void *null, const char *key)
 {
        char *value;
        private_request_t *this = (private_request_t*)pthread_getspecific(this_key);
-       
+
        value = FCGX_GetParam(key, this->req.envp);
        return value ? strdup(value) : NULL;
 }
@@ -157,7 +157,7 @@ static int iterenv_cb(void *null, int num, char **key, char **value)
        }
        return 0;
 }
-       
+
 /**
  * Implementation of request_t.get_cookie.
  */
@@ -165,7 +165,7 @@ static char* get_cookie(private_request_t *this, char *name)
 {
        return hdf_get_valuef(this->hdf, "Cookie.%s", name);
 }
-       
+
 /**
  * Implementation of request_t.get_path.
  */
@@ -211,7 +211,7 @@ static void add_cookie(private_request_t *this, char *name, char *value)
                                        FCGX_GetParam("SCRIPT_NAME", this->req.envp),
                                        NULL, NULL, 0, 0);
 }
-       
+
 /**
  * Implementation of request_t.redirect.
  */
@@ -246,7 +246,7 @@ static char* get_base(private_request_t *this)
 {
        return FCGX_GetParam("SCRIPT_NAME", this->req.envp);
 }
-       
+
 /**
  * Implementation of request_t.session_closed.
  */
@@ -279,7 +279,7 @@ static void serve(private_request_t *this, char *headers, chunk_t chunk)
 static void render(private_request_t *this, char *template)
 {
        NEOERR* err;
-       
+
        pthread_setspecific(this_key, this);
        err = cgi_display(this->cgi, template);
        if (err)
@@ -327,8 +327,8 @@ static void setf(private_request_t *this, char *format, ...)
        va_start(args, format);
        hdf_set_valuevf(this->hdf, format, args);
        va_end(args);
-}      
-       
+}
+
 /**
  * Implementation of request_t.get_ref.
  */
@@ -371,7 +371,7 @@ request_t *request_create(int fd, bool debug)
        NEOERR* err;
        private_request_t *this = malloc_thing(private_request_t);
        bool failed = FALSE;
-       
+
        pthread_cleanup_push(free, this);
        if (FCGX_InitRequest(&this->req, fd, 0) != 0 ||
                FCGX_Accept_r(&this->req) != 0)
@@ -402,18 +402,18 @@ request_t *request_create(int fd, bool debug)
        this->public.setf = (void(*)(request_t*, char *format, ...))setf;
        this->public.get_ref = (request_t*(*)(request_t*))get_ref;
        this->public.destroy = (void(*)(request_t*))destroy;
-       
+
        pthread_once(&once, init);
        pthread_setspecific(this_key, this);
-       
+
        this->ref = 1;
        this->closed = FALSE;
-       this->req_env_len = 0;  
+       this->req_env_len = 0;
        while (this->req.envp[this->req_env_len] != NULL)
        {
                this->req_env_len++;
        }
-       
+
        err = hdf_init(&this->hdf);
        if (!err)
        {
@@ -425,7 +425,7 @@ request_t *request_create(int fd, bool debug)
                        hdf_set_value(this->hdf, "Config.CompressionEnabled", "1");
                        hdf_set_value(this->hdf, "Config.WhiteSpaceStrip", "2");
                }
-       
+
                err = cgi_init(&this->cgi, this->hdf);
                if (!err)
                {
index b9ea888309bdec985fed7a4e3139ecc32d02aa00..61e2d59f076b5e6dbe441708ac77041fa4965862 100644 (file)
@@ -32,7 +32,7 @@ typedef struct request_t request_t;
  * The response is also handled through the request object.
  */
 struct request_t {
-       
+
        /**
         * Add a cookie to the reply (Set-Cookie header).
         *
@@ -40,7 +40,7 @@ struct request_t {
         * @param value         value of the cookie
         */
        void (*add_cookie)(request_t *this, char *name, char *value);
-       
+
        /**
         * Get a cookie the client sent in the request.
         *
@@ -48,35 +48,35 @@ struct request_t {
         * @return                      cookie value, NULL if no such cookie found
         */
        char* (*get_cookie)(request_t *this, char *name);
-       
+
        /**
         * Get the request path relative to the application.
         *
         * @return                      path
         */
        char* (*get_path)(request_t *this);
-       
+
        /**
         * Get the base path of the application.
         *
         * @return                      base path
         */
        char* (*get_base)(request_t *this);
-       
+
        /**
         * Get the remote host address of this request.
         *
         * @return                      host address as string
         */
        char* (*get_host)(request_t *this);
-       
+
        /**
         * Get the user agent string.
         *
         * @return                      user agent string
         */
        char* (*get_user_agent)(request_t *this);
-               
+
        /**
         * Get a post/get variable included in the request.
         *
@@ -84,19 +84,19 @@ struct request_t {
         * @return                      value, NULL if not found
         */
        char* (*get_query_data)(request_t *this, char *name);
-       
+
        /**
         * Close the session and it's context after handling.
         */
        void (*close_session)(request_t *this);
-       
+
        /**
         * Has the session been closed by close_session()?
         *
         * @return                      TRUE if session has been closed
         */
        bool (*session_closed)(request_t *this);
-       
+
        /**
         * Redirect the client to another location.
         *
@@ -104,12 +104,12 @@ struct request_t {
         * @param ...           variable argument for fmt
         */
        void (*redirect)(request_t *this, char *fmt, ...);
-       
+
        /**
         * Redirect the client to the referer.
         */
        void (*to_referer)(request_t *this);
-               
+
        /**
         * Set a template value.
         *
@@ -117,7 +117,7 @@ struct request_t {
         * @param value         value to set key to
         */
        void (*set)(request_t *this, char *key, char *value);
-       
+
        /**
         * Set a template value using format strings.
         *
@@ -128,7 +128,7 @@ struct request_t {
         * @param ...           variable argument list
         */
        void (*setf)(request_t *this, char *format, ...);
-       
+
        /**
         * Render a template.
         *
@@ -139,7 +139,7 @@ struct request_t {
         * @param template      clearsilver template file location
         */
        void (*render)(request_t *this, char *template);
-       
+
        /**
         * Stream a format string to the client.
         *
@@ -151,7 +151,7 @@ struct request_t {
         * @return                      number of streamed bytes, < 0 if stream closed
         */
        int (*streamf)(request_t *this, char *format, ...);
-       
+
        /**
         * Serve a request with headers and a body.
         *
@@ -159,14 +159,14 @@ struct request_t {
         * @param chunk         body to write to output
         */
        void (*serve)(request_t *this, char *headers, chunk_t chunk);
-       
+
        /**
         * Increase the reference count to the stream.
         *
         * @return                      this with increased refcount
         */
        request_t* (*get_ref)(request_t *this);
-       
+
        /**
         * Destroy the request_t.
         */
index 455c8d5e19afb023058df8e5db58590307fb938b..39c01c39471250eb3fd0e3005d332ea23189ef7c 100644 (file)
@@ -34,22 +34,22 @@ struct private_session_t {
         * public functions
         */
        session_t public;
-       
+
        /**
         * session ID
         */
        char *sid;
-       
+
        /**
         * list of controller instances controller_t
         */
        linked_list_t *controllers;
-       
+
        /**
         * list of filter instances filter_t
         */
        linked_list_t *filters;
-       
+
        /**
         * user defined session context
         */
@@ -80,7 +80,7 @@ static void create_sid(private_session_t *this, request_t *request)
        char buf[16];
        chunk_t chunk = chunk_from_buf(buf);
        rng_t *rng;
-       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
        if (rng)
        {
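Review bot: The session ID in create_sid() is drawn from `RNG_WEAK`, although it appears to be the value clients later present as the `SID` cookie to select their session, so its unpredictability is what keeps one user from guessing another's session. A stronger source fits a bearer token better: `rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);`. The `if (rng)` branch also implies the function can continue without any RNG; the rest of the body lies outside this hunk, so confirm that path refuses to create the session rather than leaving `buf` uninitialised or constant. This predates the whitespace cleanup and is not something the commit introduces.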
@@ -99,7 +99,7 @@ static bool run_filter(private_session_t *this, request_t *request, char *p0,
 {
        enumerator_t *enumerator;
        filter_t *filter;
-       
+
        enumerator = this->filters->create_enumerator(this->filters);
        while (enumerator->enumerate(enumerator, &filter))
        {
@@ -123,12 +123,12 @@ static void process(private_session_t *this, request_t *request)
        bool handled = FALSE;
        controller_t *current;
        int i = 0;
-       
+
        if (this->sid == NULL)
        {
                create_sid(this, request);
        }
-       
+
        start = request->get_path(request);
        if (start)
        {
@@ -142,15 +142,15 @@ static void process(private_session_t *this, request_t *request)
                        start = pos + 1;
                }
                param[i] = strdupa(start);
-               
-               if (run_filter(this, request, param[0], param[1], param[2], param[3], 
+
+               if (run_filter(this, request, param[0], param[1], param[2], param[3],
                                            param[4], param[5]))
                {
                        enumerator = this->controllers->create_enumerator(this->controllers);
                        while (enumerator->enumerate(enumerator, &current))
                        {
                                if (streq(current->get_name(current), param[0]))
-                               {       
+                               {
                                        current->handle(current, request, param[1], param[2],
                                                                        param[3], param[4], param[5]);
                                        handled = TRUE;
@@ -211,7 +211,7 @@ session_t *session_create(context_t *context)
        this->controllers = linked_list_create();
        this->filters = linked_list_create();
        this->context = context;
-       
+
        return &this->public;
 }
 
index 524e60f46de311ad7666b08328748e4b9301700c..bd35de31ac00ea6f9c7932b0cfc0eb6fc11ca4b8 100644 (file)
@@ -31,35 +31,35 @@ typedef struct session_t session_t;
  * Session handling class, instanciated for each user session.
  */
 struct session_t {
-       
+
        /**
         * Get the session ID of the session.
         *
         * @return                              session ID
         */
        char* (*get_sid)(session_t *this);
-       
+
        /**
         * Add a controller instance to the session.
         *
         * @param controller    controller to add
         */
        void (*add_controller)(session_t *this, controller_t *controller);
-       
+
        /**
         * @brief Add a filter instance to the session.
         *
         * @param filter                filter to add
         */
        void (*add_filter)(session_t *this, filter_t *filter);
-       
+
        /**
         * Process a request in this session.
         *
         * @param request               request to process
         */
        void (*process)(session_t *this, request_t *request);
-       
+
        /**
         * Destroy the session_t.
         *
index 7acfa5ded745f2ab52cf784410d80f2d9d3dbff7..e1c71da3c42f7b71d098b506e6a6c0b76d155067 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * addresses to ASCII
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 6efdfccca0646c6e67dbf6db5d38503820d18740..b4b853bbb3d368553705c3a32127aa532ee2f6d4 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * addresses to text
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -279,11 +279,11 @@ regress()
 
                if (n == 0 && r->output == NULL)
                        {}              /* okay, error expected */
-               
+
                else if (n == 0) {
                        printf("`%s' atoasr failed\n", r->input);
                        status = 1;
-                       
+
                } else if (r->output == NULL) {
                        printf("`%s' atoasr succeeded unexpectedly '%c'\n",
                                                        r->input, r->format);
index f402eca70d11d8809896e33a567a3f2b462a32dd..ee3cc998fb348a609f1dc9f5e1c01dada996ad85 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * extract parts of an ip_address
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index f2eb8d07a1c7705a366426bef4e6c14949c5f740..5b7691b7b4edd7c4474c8e9ee2797977b1703028 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * special addresses
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index cbda541d3d5e8102f8f16e7728763d18ca1dd720..8f1be0a842ec935feb24a072b98a7fdd076ca24c 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * conversion from ASCII forms of addresses to internal ones
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index ef8412fe877abd87e844759c96fa9abc71df384f..ad62ef46bd247f976fd553ee7cbbfca0aa5161f9 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from ASCII form of address/subnet/range to binary
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index aeb5742e164b55051d8a5baf0f8a723e8733467f..7339b4c3e87064c556cc3a92ec0b8ac56b8c3f6d 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from ASCII form of SA ID to binary
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index a123a39da163d09b329645566e37c0e11c3d12a4..8b2bfa17ec92013d77392abd1c081bd18113ca59 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from ASCII form of subnet specification to binary
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 7e51de8fee1b9668934967a14b96ab9c2c572851..d8e1528cbf06d3f7042e72a27dc222d77b76ee3f 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from ASCII form of unsigned long to binary
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index b18d4b050464c2571613e7aa5df04141d0f4dfc8..3e2aed76decfa24e38c2b22d83c8824b0be37cb5 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from binary data (e.g. key) to text form
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 77ce8f2be2bbdd1b49110ea2b5760744ee36bba1..342f599871ff9bf095e0ec955fa7088a4f798e56 100644 (file)
@@ -3,12 +3,12 @@
  * header file for FreeS/WAN library functions
  * Copyright (C) 1998, 1999, 2000  Henry Spencer.
  * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -391,7 +391,7 @@ extern unsigned int pfkey_lib_debug;  /* bits selecting what to report */
 
 /*
  * pluto and lwdnsq need to know the maximum size of the commands to,
- * and replies from lwdnsq. 
+ * and replies from lwdnsq.
  */
 
 #define LWDNSQ_CMDBUF_LEN      1024
index a2d51de0cb84e603217d7a8fdfab1b2e09e06a41..66edae20f4378461abba3c0bf5eb3b1601227f30 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * minor utilities for subnet-mask manipulation
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -17,7 +17,7 @@
 
 /*
  - goodmask - is this a good (^1*0*$) subnet mask?
- * You are not expected to understand this.  See Henry S. Warren Jr, 
+ * You are not expected to understand this.  See Henry S. Warren Jr,
  * "Functions realizable with word-parallel logical and two's-complement
  * addition instructions", CACM 20.6 (June 1977), p.439.
  */
index c30efb812efb9247329d98fbe71daf87c1e9599b..c84006f475dd95db9b2f1fccc861f87f42f90065 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * initialize address structure
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index fb8187422312a31eeb36e1eac73b51246178558f..4e4bc9a357fab6ea1b39096c3d7f8e460695080a 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * initialize SA ID structure
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 0e19098c55ee1fce97a883aa62c56755613dc583..27faddabc7cf90e6751bdcbd441d0d0120d01344 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * initialize subnet structure
  * Copyright (C) 2000, 2002  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index fa24f7d2dd66a669749b02f9aaebe51c4ebe47c9..832c8a53d7f1bab00c28fc28f237eac962fb332b 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * internal definitions for use within the library; do not export!
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index b0ee845a533291abdf36204a3d7648068f090a39..93426b8eeb13089d97d04bcc4ae372fe86532fb1 100644 (file)
@@ -3,19 +3,19 @@
  *
  * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
  *                 and Michael Richardson  <mcr@freeswan.org>
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
 
-/* 
+/*
  * This file provides a set of #define's which may be tuned by various
  * people/configurations. It keeps all compile-time tunables in one place.
  *
 # define IPSEC_SA_REF_TABLE_IDX_WIDTH 16
 #endif
 
-#ifndef IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 
-# define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4 
+#ifndef IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
+# define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4
 #endif
 
-#ifndef IPSEC_SA_REF_FREELIST_NUM_ENTRIES 
+#ifndef IPSEC_SA_REF_FREELIST_NUM_ENTRIES
 # define IPSEC_SA_REF_FREELIST_NUM_ENTRIES 256
 #endif
 
-#ifndef IPSEC_SA_REF_CODE 
-# define IPSEC_SA_REF_CODE 1 
+#ifndef IPSEC_SA_REF_CODE
+# define IPSEC_SA_REF_CODE 1
 #endif
 
 #define _IPSEC_PARAM_H_
index 118e613916322e5c5dd622f71507d6df6bc1c89b..89ab5fced52eb920ff4db8aefda1bccade11d79d 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * generate printable key IDs
  * Copyright (C) 2002  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index ba0010bc7505a628e31cfa164ecd874062fc597f..993678c8be4447f06406e0c9dcf24669783c0d50 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * FreeS/WAN specific PF_KEY headers
  * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
index ddc21040fa7a31f4161144825c61109a2eb0304f..c0bb369cbcda226044264dfcc262cfc3c12e7135 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * RFC2367 PF_KEYv2 Key management API message parser
  * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
@@ -48,7 +48,7 @@ void
 pfkey_extensions_init(struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
        int i;
-       
+
        for (i = 0; i != SADB_EXT_MAX + 1; i++) {
                extensions[i] = NULL;
        }
@@ -58,7 +58,7 @@ void
 pfkey_extensions_free(struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
        int i;
-       
+
        if (!extensions) {
                return;
        }
@@ -68,7 +68,7 @@ pfkey_extensions_free(struct sadb_ext *extensions[SADB_EXT_MAX + 1])
                FREE(extensions[0]);
                extensions[0] = NULL;
        }
-       
+
        for (i = 1; i != SADB_EXT_MAX + 1; i++) {
                if(extensions[i]) {
                        memset(extensions[i], 0, extensions[i]->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
@@ -135,7 +135,7 @@ pfkey_msg_hdr_build(struct sadb_ext**       pfkey_ext,
        if (satype > SADB_SATYPE_MAX) {
                DEBUGGING(
                        "pfkey_msg_hdr_build: "
-                       "satype %d > max %d\n", 
+                       "satype %d > max %d\n",
                        satype, SADB_SATYPE_MAX);
                SENDERR(EINVAL);
        }
@@ -169,7 +169,7 @@ pfkey_msg_hdr_build(struct sadb_ext**       pfkey_ext,
                *pfkey_ext);
 errlab:
        return error;
-}      
+}
 
 int
 pfkey_sa_ref_build(struct sadb_ext **          pfkey_ext,
@@ -254,7 +254,7 @@ pfkey_sa_ref_build(struct sadb_ext **               pfkey_ext,
                        SADB_SASTATE_DEAD);
                SENDERR(EINVAL);
        }
-       
+
        if ((IPSEC_SAREF_NULL != ref) && (ref >= (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH))) {
                DEBUGGING(
                          "pfkey_sa_build: "
@@ -264,7 +264,7 @@ pfkey_sa_ref_build(struct sadb_ext **               pfkey_ext,
                          IPSEC_SA_REF_TABLE_NUM_ENTRIES);
                SENDERR(EINVAL);
        }
-       
+
        pfkey_sa = (struct sadb_sa*)MALLOC(sizeof(struct sadb_sa));
        *pfkey_ext = (struct sadb_ext*)pfkey_sa;
 
@@ -275,7 +275,7 @@ pfkey_sa_ref_build(struct sadb_ext **               pfkey_ext,
                SENDERR(ENOMEM);
        }
        memset(pfkey_sa, 0, sizeof(struct sadb_sa));
-       
+
        pfkey_sa->sadb_sa_len = sizeof(*pfkey_sa) / IPSEC_PFKEYv2_ALIGN;
        pfkey_sa->sadb_sa_exttype = exttype;
        pfkey_sa->sadb_sa_spi = spi;
@@ -284,11 +284,11 @@ pfkey_sa_ref_build(struct sadb_ext **             pfkey_ext,
        pfkey_sa->sadb_sa_auth = auth;
        pfkey_sa->sadb_sa_encrypt = encrypt;
        pfkey_sa->sadb_sa_flags = flags;
-       pfkey_sa->sadb_x_sa_ref = ref;  
+       pfkey_sa->sadb_x_sa_ref = ref;
 
 errlab:
        return error;
-}      
+}
 
 int
 pfkey_sa_build(struct sadb_ext **      pfkey_ext,
@@ -377,7 +377,7 @@ pfkey_address_build(struct sadb_ext**       pfkey_ext,
        int saddr_len = 0;
        char ipaddr_txt[ADDRTOT_BUF + 6/*extra for port number*/];
        struct sadb_address *pfkey_address = (struct sadb_address *)*pfkey_ext;
-       
+
        DEBUGGING(
                "pfkey_address_build: "
                "exttype=%d proto=%d prefixlen=%d\n",
@@ -397,8 +397,8 @@ pfkey_address_build(struct sadb_ext**       pfkey_ext,
                                  "address is NULL\n");
                        SENDERR(EINVAL);
        }
-       
-       switch(exttype) {       
+
+       switch(exttype) {
        case SADB_EXT_ADDRESS_SRC:
        case SADB_EXT_ADDRESS_DST:
        case SADB_EXT_ADDRESS_PROXY:
@@ -410,11 +410,11 @@ pfkey_address_build(struct sadb_ext**     pfkey_ext,
        case SADB_X_EXT_NAT_T_OA:
                break;
        default:
-               DEBUGGING( 
+               DEBUGGING(
                        "pfkey_address_build: "
-                       "unrecognised ext_type=%d.\n", 
-                       exttype); 
-               SENDERR(EINVAL); 
+                       "unrecognised ext_type=%d.\n",
+                       exttype);
+               SENDERR(EINVAL);
        }
 
        switch (address->sa_family) {
@@ -479,10 +479,10 @@ pfkey_address_build(struct sadb_ext**     pfkey_ext,
               0,
               ALIGN_N(sizeof(struct sadb_address) + saddr_len,
                     IPSEC_PFKEYv2_ALIGN));
-              
+
        pfkey_address->sadb_address_len = DIVUP(sizeof(struct sadb_address) + saddr_len,
                                                IPSEC_PFKEYv2_ALIGN);
-       
+
        pfkey_address->sadb_address_exttype = exttype;
        pfkey_address->sadb_address_proto = proto;
        pfkey_address->sadb_address_prefixlen = prefixlen;
@@ -540,7 +540,7 @@ pfkey_key_build(struct sadb_ext**   pfkey_ext,
        }
 
        pfkey_key = (struct sadb_key*)
-               MALLOC(sizeof(struct sadb_key) + 
+               MALLOC(sizeof(struct sadb_key) +
                        DIVUP(key_bits, 64) * IPSEC_PFKEYv2_ALIGN);
        *pfkey_ext = (struct sadb_ext*)pfkey_key;
 
@@ -554,7 +554,7 @@ pfkey_key_build(struct sadb_ext**   pfkey_ext,
               0,
               sizeof(struct sadb_key) +
               DIVUP(key_bits, 64) * IPSEC_PFKEYv2_ALIGN);
-       
+
        pfkey_key->sadb_key_len = DIVUP(sizeof(struct sadb_key) * IPSEC_PFKEYv2_ALIGN + key_bits,
                                        64);
        pfkey_key->sadb_key_exttype = exttype;
@@ -622,12 +622,12 @@ pfkey_ident_build(struct sadb_ext**       pfkey_ext,
                        "string required to allocate size of extension.\n");
                SENDERR(EINVAL);
        }
-       
+
 #if 0
        if (ident_type == SADB_IDENTTYPE_USERFQDN) {
        }
 #endif
-           
+
        pfkey_ident = (struct sadb_ident*)
                MALLOC(ident_len * IPSEC_PFKEYv2_ALIGN);
        *pfkey_ext = (struct sadb_ext*)pfkey_ident;
@@ -639,7 +639,7 @@ pfkey_ident_build(struct sadb_ext** pfkey_ext,
                SENDERR(ENOMEM);
        }
        memset(pfkey_ident, 0, ident_len * IPSEC_PFKEYv2_ALIGN);
-       
+
        pfkey_ident->sadb_ident_len = ident_len;
        pfkey_ident->sadb_ident_exttype = exttype;
        pfkey_ident->sadb_ident_type = ident_type;
@@ -699,7 +699,7 @@ pfkey_sens_build(struct sadb_ext**  pfkey_ext,
               0,
               sizeof(struct sadb_sens) +
               (sens_len + integ_len) * sizeof(uint64_t));
-       
+
        pfkey_sens->sadb_sens_len = (sizeof(struct sadb_sens) +
                    (sens_len + integ_len) * sizeof(uint64_t)) / IPSEC_PFKEYv2_ALIGN;
        pfkey_sens->sadb_sens_exttype = SADB_EXT_SENSITIVITY;
@@ -761,7 +761,7 @@ pfkey_prop_build(struct sadb_ext**  pfkey_ext,
               0,
               sizeof(struct sadb_prop) +
                    comb_num * sizeof(struct sadb_comb));
-       
+
        pfkey_prop->sadb_prop_len = (sizeof(struct sadb_prop) +
                    comb_num * sizeof(struct sadb_comb)) / IPSEC_PFKEYv2_ALIGN;
 
@@ -846,7 +846,7 @@ pfkey_supported_build(struct sadb_ext**     pfkey_ext,
               sizeof(struct sadb_supported) +
                                               alg_num *
                                               sizeof(struct sadb_alg));
-       
+
        pfkey_supported->sadb_supported_len = (sizeof(struct sadb_supported) +
                                               alg_num *
                                               sizeof(struct sadb_alg)) /
@@ -860,7 +860,7 @@ pfkey_supported_build(struct sadb_ext**     pfkey_ext,
                pfkey_alg->sadb_alg_reserved = 0;
                pfkey_alg++;
        }
-       
+
 #if 0
        DEBUGGING(
                "pfkey_supported_build: "
@@ -886,7 +886,7 @@ pfkey_spirange_build(struct sadb_ext**      pfkey_ext,
 {
        int error = 0;
        struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)*pfkey_ext;
-       
+
        /* sanity checks... */
        if (pfkey_spirange) {
                DEBUGGING(
@@ -894,7 +894,7 @@ pfkey_spirange_build(struct sadb_ext**      pfkey_ext,
                        "why is pfkey_spirange already pointing to something?\n");
                SENDERR(EINVAL);
        }
-       
+
         if (ntohl(max) < ntohl(min)) {
                DEBUGGING(
                        "pfkey_spirange_build: "
@@ -903,7 +903,7 @@ pfkey_spirange_build(struct sadb_ext**      pfkey_ext,
                        ntohl(max));
                 SENDERR(EINVAL);
         }
-       
+
        if (ntohl(min) <= 255) {
                DEBUGGING(
                        "pfkey_spirange_build: "
@@ -911,7 +911,7 @@ pfkey_spirange_build(struct sadb_ext**      pfkey_ext,
                        ntohl(min));
                SENDERR(EEXIST);
        }
-       
+
        pfkey_spirange = (struct sadb_spirange*)
                MALLOC(sizeof(struct sadb_spirange));
        *pfkey_ext = (struct sadb_ext*)pfkey_spirange;
@@ -925,7 +925,7 @@ pfkey_spirange_build(struct sadb_ext**      pfkey_ext,
        memset(pfkey_spirange,
               0,
               sizeof(struct sadb_spirange));
-       
+
         pfkey_spirange->sadb_spirange_len = sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN;
 
        pfkey_spirange->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
@@ -949,7 +949,7 @@ pfkey_x_kmprivate_build(struct sadb_ext**   pfkey_ext)
                        "why is pfkey_x_kmprivate already pointing to something?\n");
                SENDERR(EINVAL);
        }
-       
+
        pfkey_x_kmprivate->sadb_x_kmprivate_reserved = 0;
 
        DEBUGGING(
@@ -971,7 +971,7 @@ pfkey_x_kmprivate_build(struct sadb_ext**   pfkey_ext)
        memset(pfkey_x_kmprivate,
               0,
               sizeof(struct sadb_x_kmprivate));
-       
+
         pfkey_x_kmprivate->sadb_x_kmprivate_len =
                sizeof(struct sadb_x_kmprivate) / IPSEC_PFKEYv2_ALIGN;
 
@@ -998,7 +998,7 @@ pfkey_x_satype_build(struct sadb_ext**      pfkey_ext,
                        "why is pfkey_x_satype already pointing to something?\n");
                SENDERR(EINVAL);
        }
-       
+
        if (!satype) {
                DEBUGGING(
                        "pfkey_x_satype_build: "
@@ -1009,7 +1009,7 @@ pfkey_x_satype_build(struct sadb_ext**    pfkey_ext,
        if (satype > SADB_SATYPE_MAX) {
                DEBUGGING(
                        "pfkey_x_satype_build: "
-                       "satype %d > max %d\n", 
+                       "satype %d > max %d\n",
                        satype, SADB_SATYPE_MAX);
                SENDERR(EINVAL);
        }
@@ -1028,7 +1028,7 @@ pfkey_x_satype_build(struct sadb_ext**    pfkey_ext,
        memset(pfkey_x_satype,
               0,
               sizeof(struct sadb_x_satype));
-       
+
         pfkey_x_satype->sadb_x_satype_len = sizeof(struct sadb_x_satype) / IPSEC_PFKEYv2_ALIGN;
 
        pfkey_x_satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
@@ -1069,7 +1069,7 @@ pfkey_x_debug_build(struct sadb_ext**     pfkey_ext,
                        "why is pfkey_x_debug already pointing to something?\n");
                SENDERR(EINVAL);
        }
-       
+
        DEBUGGING(
                "pfkey_x_debug_build: "
                "tunnel=%x netlink=%x xform=%x eroute=%x spi=%x radij=%x esp=%x ah=%x rcv=%x pfkey=%x ipcomp=%x verbose=%x?\n",
@@ -1090,7 +1090,7 @@ pfkey_x_debug_build(struct sadb_ext**     pfkey_ext,
               0,
               sizeof(struct sadb_x_debug));
 #endif
-       
+
         pfkey_x_debug->sadb_x_debug_len = sizeof(struct sadb_x_debug) / IPSEC_PFKEYv2_ALIGN;
        pfkey_x_debug->sadb_x_debug_exttype = SADB_X_EXT_DEBUG;
 
@@ -1132,7 +1132,7 @@ pfkey_x_nat_t_type_build(struct sadb_ext**        pfkey_ext,
                        "why is pfkey_x_nat_t_type already pointing to something?\n");
                SENDERR(EINVAL);
        }
-       
+
        DEBUGGING(
                "pfkey_x_nat_t_type_build: "
                "type=%d\n", type);
@@ -1147,7 +1147,7 @@ pfkey_x_nat_t_type_build(struct sadb_ext**        pfkey_ext,
                        "memory allocation failed\n");
                SENDERR(ENOMEM);
        }
-       
+
        pfkey_x_nat_t_type->sadb_x_nat_t_type_len = sizeof(struct sadb_x_nat_t_type) / IPSEC_PFKEYv2_ALIGN;
        pfkey_x_nat_t_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
        pfkey_x_nat_t_type->sadb_x_nat_t_type_type = type;
@@ -1176,17 +1176,17 @@ pfkey_x_nat_t_port_build(struct sadb_ext**      pfkey_ext,
                        "why is pfkey_x_nat_t_port already pointing to something?\n");
                SENDERR(EINVAL);
        }
-       
-       switch (exttype) {      
+
+       switch (exttype) {
        case SADB_X_EXT_NAT_T_SPORT:
        case SADB_X_EXT_NAT_T_DPORT:
                break;
        default:
-               DEBUGGING( 
+               DEBUGGING(
                        "pfkey_nat_t_port_build: "
-                       "unrecognised ext_type=%d.\n", 
-                       exttype); 
-               SENDERR(EINVAL); 
+                       "unrecognised ext_type=%d.\n",
+                       exttype);
+               SENDERR(EINVAL);
        }
 
        DEBUGGING(
@@ -1203,7 +1203,7 @@ pfkey_x_nat_t_port_build(struct sadb_ext**        pfkey_ext,
                        "memory allocation failed\n");
                SENDERR(ENOMEM);
        }
-       
+
        pfkey_x_nat_t_port->sadb_x_nat_t_port_len = sizeof(struct sadb_x_nat_t_port) / IPSEC_PFKEYv2_ALIGN;
        pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype = exttype;
        pfkey_x_nat_t_port->sadb_x_nat_t_port_port = port;
@@ -1281,7 +1281,7 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
        struct sadb_ext *pfkey_ext;
        int extensions_seen = 0;
        struct sadb_ext *extensions_check[SADB_EXT_MAX + 1];
-       
+
        if (!extensions[0]) {
                DEBUGGING(
                        "pfkey_msg_build: "
@@ -1294,7 +1294,7 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
                if(extensions[ext]) {
                        total_size += (extensions[ext])->sadb_ext_len;
                }
-        }                
+        }
 
        if (!(*pfkey_msg = (struct sadb_msg*)MALLOC(total_size * IPSEC_PFKEYv2_ALIGN))) {
                DEBUGGING(
@@ -1320,14 +1320,14 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
 
        for (ext = 1; ext <= SADB_EXT_MAX; ext++) {
                /* copy from extension[ext] to buffer */
-               if (extensions[ext]) {    
+               if (extensions[ext]) {
                        /* Is this type of extension permitted for this type of message? */
                        if (!(extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type] &
                             1<<ext)) {
                                DEBUGGING(
                                        "pfkey_msg_build: "
-                                       "ext type %d not permitted, exts_perm=%08x, 1<<type=%08x\n", 
-                                       ext, 
+                                       "ext type %d not permitted, exts_perm=%08x, 1<<type=%08x\n",
+                                       ext,
                                        extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type],
                                        1<<ext);
                                SENDERR(EINVAL);
@@ -1342,7 +1342,7 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
                        memcpy(pfkey_ext,
                               extensions[ext],
                               (extensions[ext])->sadb_ext_len * IPSEC_PFKEYv2_ALIGN);
-                       {      
+                       {
                                char *pfkey_ext_c = (char *)pfkey_ext;
 
                                pfkey_ext_c += (extensions[ext])->sadb_ext_len * IPSEC_PFKEYv2_ALIGN;
@@ -1360,7 +1360,7 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
                extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type],
                extensions_seen,
                extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]);
-       
+
        if ((extensions_seen &
            extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) !=
            extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) {
@@ -1372,7 +1372,7 @@ pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int
                         extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) );
                SENDERR(EINVAL);
        }
-       
+
        error = pfkey_msg_parse(*pfkey_msg, NULL, extensions_check, dir);
        if (error) {
                DEBUGGING(
index 0256e2a03aba725712df22537279b920deee5655..0217538a0b30055f71e8dd9d1ac6cb73ffd743c5 100644 (file)
@@ -3,12 +3,12 @@
  *
  * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
  *                 and Michael Richardson  <mcr@freeswan.org>
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
@@ -22,7 +22,7 @@
 #include "pfkeyv2.h"
 #include "pfkey.h"
 
-/* 
+/*
  * This file provides ASCII translations of PF_KEY magic numbers.
  *
  */
index b6ef4496dad2aa265c7675a236d53105ec48ca97..49b4aa567aa4a0da0587a08c703af02a002262d7 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * RFC2367 PF_KEYv2 Key management API message parser
  * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
index 7ee08978cf7a7c02e6f5c8e2f570360889f08cfd..49d5cdf4aadb9af8f645554e66635210ff39d94d 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * RFC2367 PF_KEYv2 Key management API message parser
  * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
@@ -107,7 +107,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
 #if 0
        struct sadb_sa sav2;
 #endif
-       
+
        DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
                  "pfkey_sa_parse: entry\n");
        /* sanity checks... */
@@ -117,7 +117,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
                          "NULL pointer passed in.\n");
                SENDERR(EINVAL);
        }
-       
+
 #if 0
        /* check if this structure is short, and if so, fix it up.
         * XXX this is NOT the way to do things.
@@ -129,7 +129,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
                memcpy(&sav2, pfkey_sa, sizeof(struct sadb_sa_v1));
                sav2.sadb_x_sa_ref=-1;
                sav2.sadb_sa_len = sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN;
-               
+
                pfkey_sa = &sav2;
        }
 #endif
@@ -143,7 +143,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
                          (int)sizeof(struct sadb_sa));
                SENDERR(EINVAL);
        }
-       
+
        if(pfkey_sa->sadb_sa_encrypt > SADB_EALG_MAX) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                          "pfkey_sa_parse: "
@@ -152,7 +152,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
                          SADB_EALG_MAX);
                SENDERR(EINVAL);
        }
-       
+
        if(pfkey_sa->sadb_sa_auth > SADB_AALG_MAX) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                          "pfkey_sa_parse: "
@@ -161,7 +161,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
                          SADB_AALG_MAX);
                SENDERR(EINVAL);
        }
-       
+
        if(pfkey_sa->sadb_sa_state > SADB_SASTATE_MAX) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                          "pfkey_sa_parse: "
@@ -170,7 +170,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
                          SADB_SASTATE_MAX);
                SENDERR(EINVAL);
        }
-       
+
        if(pfkey_sa->sadb_sa_state == SADB_SASTATE_DEAD) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                          "pfkey_sa_parse: "
@@ -179,7 +179,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
                          SADB_SASTATE_DEAD);
                SENDERR(EINVAL);
        }
-       
+
        if(pfkey_sa->sadb_sa_replay > 64) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                          "pfkey_sa_parse: "
@@ -187,7 +187,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
                          pfkey_sa->sadb_sa_replay);
                SENDERR(EINVAL);
        }
-       
+
        if(! ((pfkey_sa->sadb_sa_exttype ==  SADB_EXT_SA) ||
              (pfkey_sa->sadb_sa_exttype ==  SADB_X_EXT_SA2)))
        {
@@ -209,7 +209,7 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
                          IPSEC_SA_REF_TABLE_NUM_ENTRIES);
                SENDERR(EINVAL);
        }
-       
+
        DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
                  "pfkey_sa_parse: "
                  "successfully found len=%d exttype=%d(%s) spi=%08lx replay=%d state=%d auth=%d encrypt=%d flags=%d ref=%d.\n",
@@ -223,10 +223,10 @@ pfkey_sa_parse(struct sadb_ext *pfkey_ext)
                  pfkey_sa->sadb_sa_encrypt,
                  pfkey_sa->sadb_sa_flags,
                  pfkey_sa->sadb_x_sa_ref);
-       
+
  errlab:
        return error;
-}      
+}
 
 DEBUG_NO_STATIC int
 pfkey_lifetime_parse(struct sadb_ext  *pfkey_ext)
@@ -259,21 +259,21 @@ pfkey_lifetime_parse(struct sadb_ext  *pfkey_ext)
           (pfkey_lifetime->sadb_lifetime_exttype != SADB_EXT_LIFETIME_CURRENT)) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                          "pfkey_lifetime_parse: "
-                         "unexpected ext_type=%d.\n", 
-                         pfkey_lifetime->sadb_lifetime_exttype); 
+                         "unexpected ext_type=%d.\n",
+                         pfkey_lifetime->sadb_lifetime_exttype);
                SENDERR(EINVAL);
        }
 
        DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
                  "pfkey_lifetime_parse: "
-                 "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u pkts=%u.\n", 
+                 "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u pkts=%u.\n",
                  pfkey_lifetime->sadb_lifetime_exttype,
                  pfkey_v2_sadb_ext_string(pfkey_lifetime->sadb_lifetime_exttype),
                  pfkey_lifetime->sadb_lifetime_allocations,
                  (unsigned)pfkey_lifetime->sadb_lifetime_bytes,
                  (unsigned)pfkey_lifetime->sadb_lifetime_addtime,
                  (unsigned)pfkey_lifetime->sadb_lifetime_usetime,
-                 pfkey_lifetime->sadb_x_lifetime_packets); 
+                 pfkey_lifetime->sadb_x_lifetime_packets);
 errlab:
        return error;
 }
@@ -286,7 +286,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
        struct sadb_address *pfkey_address = (struct sadb_address *)pfkey_ext;
        struct sockaddr* s = (struct sockaddr*)((char*)pfkey_address + sizeof(*pfkey_address));
        char ipaddr_txt[ADDRTOT_BUF];
-       
+
        DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
                "pfkey_address_parse:enter\n");
        /* sanity checks... */
@@ -296,7 +296,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
                        "NULL pointer passed in.\n");
                SENDERR(EINVAL);
        }
-       
+
        if(pfkey_address->sadb_address_len <
           (sizeof(struct sadb_address) + sizeof(struct sockaddr))/
           IPSEC_PFKEYv2_ALIGN) {
@@ -308,7 +308,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
                          (int)sizeof(struct sockaddr));
                SENDERR(EINVAL);
        }
-       
+
        if(pfkey_address->sadb_address_reserved) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                          "pfkey_address_parse: "
@@ -316,8 +316,8 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
                          pfkey_address->sadb_address_reserved);
                SENDERR(EINVAL);
        }
-       
-       switch(pfkey_address->sadb_address_exttype) {   
+
+       switch(pfkey_address->sadb_address_exttype) {
        case SADB_EXT_ADDRESS_SRC:
        case SADB_EXT_ADDRESS_DST:
        case SADB_EXT_ADDRESS_PROXY:
@@ -329,7 +329,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
        case SADB_X_EXT_NAT_T_OA:
                break;
        default:
-               DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, 
+               DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                        "pfkey_address_parse: "
                        "unexpected ext_type=%d.\n",
                        pfkey_address->sadb_address_exttype);
@@ -382,7 +382,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
                        s->sa_family);
                SENDERR(EPFNOSUPPORT);
        }
-       
+
        if(pfkey_address->sadb_address_len !=
           DIVUP(sizeof(struct sadb_address) + saddr_len, IPSEC_PFKEYv2_ALIGN)) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
@@ -393,16 +393,16 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
                          saddr_len);
                SENDERR(EINVAL);
        }
-       
+
        if(pfkey_address->sadb_address_prefixlen != 0) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                        "pfkey_address_parse: "
                        "address prefixes not supported yet.\n");
                SENDERR(EAFNOSUPPORT); /* not supported yet */
        }
-       
+
        /* XXX check if port!=0 */
-       
+
        DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
                "pfkey_address_parse: successful.\n");
  errlab:
@@ -452,7 +452,7 @@ pfkey_key_parse(struct sadb_ext *pfkey_ext)
                        pfkey_key->sadb_key_len);
                SENDERR(EINVAL);
        }
-       
+
        if(pfkey_key->sadb_key_reserved) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                        "pfkey_key_parse: "
@@ -527,7 +527,7 @@ pfkey_ident_parse(struct sadb_ext *pfkey_ext)
                        SENDERR(EINVAL);
                }
        }
-       
+
        if( ! ((pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ||
               (pfkey_ident->sadb_ident_exttype == SADB_EXT_IDENTITY_DST))) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
@@ -578,7 +578,7 @@ pfkey_prop_parse(struct sadb_ext *pfkey_ext)
        struct sadb_comb *pfkey_comb = (struct sadb_comb *)((char*)pfkey_ext + sizeof(struct sadb_prop));
 
        /* sanity checks... */
-       if((pfkey_prop->sadb_prop_len < sizeof(struct sadb_prop) / IPSEC_PFKEYv2_ALIGN) || 
+       if((pfkey_prop->sadb_prop_len < sizeof(struct sadb_prop) / IPSEC_PFKEYv2_ALIGN) ||
           (((pfkey_prop->sadb_prop_len * IPSEC_PFKEYv2_ALIGN) - sizeof(struct sadb_prop)) % sizeof(struct sadb_comb))) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                          "pfkey_prop_parse: "
@@ -596,7 +596,7 @@ pfkey_prop_parse(struct sadb_ext *pfkey_ext)
                        pfkey_prop->sadb_prop_replay);
                SENDERR(EINVAL);
        }
-       
+
        for(i=0; i<3; i++) {
                if(pfkey_prop->sadb_prop_reserved[i]) {
                        DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
@@ -869,7 +869,7 @@ pfkey_supported_parse(struct sadb_ext *pfkey_ext)
                }
                pfkey_alg++;
        }
-       
+
  errlab:
        return error;
 }
@@ -879,7 +879,7 @@ pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
 {
        int error = 0;
        struct sadb_spirange *pfkey_spirange = (struct sadb_spirange *)pfkey_ext;
-       
+
        /* sanity checks... */
         if(pfkey_spirange->sadb_spirange_len !=
           sizeof(struct sadb_spirange) / IPSEC_PFKEYv2_ALIGN) {
@@ -890,7 +890,7 @@ pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
                          (int)sizeof(struct sadb_spirange));
                 SENDERR(EINVAL);
         }
-       
+
         if(pfkey_spirange->sadb_spirange_reserved) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                        "pfkey_spirange_parse: "
@@ -898,7 +898,7 @@ pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
                        pfkey_spirange->sadb_spirange_reserved);
                 SENDERR(EINVAL);
         }
-       
+
         if(ntohl(pfkey_spirange->sadb_spirange_max) < ntohl(pfkey_spirange->sadb_spirange_min)) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                        "pfkey_spirange_parse: "
@@ -907,7 +907,7 @@ pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
                        ntohl(pfkey_spirange->sadb_spirange_max));
                 SENDERR(EINVAL);
         }
-       
+
        if(ntohl(pfkey_spirange->sadb_spirange_min) <= 255) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                        "pfkey_spirange_parse: "
@@ -915,7 +915,7 @@ pfkey_spirange_parse(struct sadb_ext *pfkey_ext)
                        ntohl(pfkey_spirange->sadb_spirange_min));
                SENDERR(EEXIST);
        }
-       
+
        DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
                  "pfkey_spirange_parse: "
                  "ext_len=%u ext_type=%u(%s) min=%u max=%u res=%u.\n",
@@ -983,7 +983,7 @@ pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
                          (int)sizeof(struct sadb_x_satype));
                SENDERR(EINVAL);
        }
-       
+
        if(!pfkey_x_satype->sadb_x_satype_satype) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                        "pfkey_x_satype_parse: "
@@ -994,7 +994,7 @@ pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
        if(pfkey_x_satype->sadb_x_satype_satype > SADB_SATYPE_MAX) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                        "pfkey_x_satype_parse: "
-                       "satype %d > max %d, invalid.\n", 
+                       "satype %d > max %d, invalid.\n",
                        pfkey_x_satype->sadb_x_satype_satype, SADB_SATYPE_MAX);
                SENDERR(EINVAL);
        }
@@ -1016,7 +1016,7 @@ pfkey_x_satype_parse(struct sadb_ext *pfkey_ext)
                        SENDERR(EINVAL);
                }
        }
-       
+
        DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
                  "pfkey_x_satype_parse: "
                  "len=%u ext=%u(%s) satype=%u(%s) res=%u,%u,%u.\n",
@@ -1051,7 +1051,7 @@ pfkey_x_ext_debug_parse(struct sadb_ext *pfkey_ext)
                          (int)sizeof(struct sadb_x_debug));
                SENDERR(EINVAL);
        }
-       
+
        for(i = 0; i < 4; i++) {
                if(pfkey_x_debug->sadb_x_debug_reserved[i]) {
                        DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
@@ -1061,7 +1061,7 @@ pfkey_x_ext_debug_parse(struct sadb_ext *pfkey_ext)
                        SENDERR(EINVAL);
                }
        }
-       
+
 errlab:
        return error;
 }
@@ -1071,17 +1071,17 @@ pfkey_x_ext_protocol_parse(struct sadb_ext *pfkey_ext)
 {
        int error = 0;
        struct sadb_protocol *p = (struct sadb_protocol *)pfkey_ext;
-       
+
        DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, "pfkey_x_protocol_parse:\n");
        /* sanity checks... */
-       
+
        if (p->sadb_protocol_len != sizeof(*p)/IPSEC_PFKEYv2_ALIGN) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                          "pfkey_x_protocol_parse: size wrong ext_len=%d, key_ext_len=%d.\n",
                          p->sadb_protocol_len, (int)sizeof(*p));
                SENDERR(EINVAL);
        }
-       
+
        if (p->sadb_protocol_reserved2 != 0) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                          "pfkey_protocol_parse: res=%d, must be zero.\n",
@@ -1168,10 +1168,10 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
        int remain;
        struct sadb_ext *pfkey_ext;
        int extensions_seen = 0;
-       
+
        DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
                  "pfkey_msg_parse: "
-                 "parsing message ver=%d, type=%d(%s), errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n", 
+                 "parsing message ver=%d, type=%d(%s), errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n",
                  pfkey_msg->sadb_msg_version,
                  pfkey_msg->sadb_msg_type,
                  pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
@@ -1182,20 +1182,20 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
                  pfkey_msg->sadb_msg_reserved,
                  pfkey_msg->sadb_msg_seq,
                  pfkey_msg->sadb_msg_pid);
-       
+
        if(ext_parsers == NULL) ext_parsers = ext_default_parsers;
-       
+
        pfkey_extensions_init(extensions);
-       
+
        remain = pfkey_msg->sadb_msg_len;
        remain -= sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
-       
+
        pfkey_ext = (struct sadb_ext*)((char*)pfkey_msg +
                                       sizeof(struct sadb_msg));
-       
+
        extensions[0] = (struct sadb_ext *) pfkey_msg;
-       
-       
+
+
        if(pfkey_msg->sadb_msg_version != PF_KEY_V2) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                        "pfkey_msg_parse: "
@@ -1261,7 +1261,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
        default:
                break;
        }
-       
+
        /* errno must not be set in downward messages */
        /* this is not entirely true... a response to an ACQUIRE could return an error */
        if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type != SADB_ACQUIRE) && pfkey_msg->sadb_msg_errno) {
@@ -1274,54 +1274,54 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
 
        DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
                  "pfkey_msg_parse: "
-                 "remain=%d, ext_type=%d(%s), ext_len=%d.\n", 
+                 "remain=%d, ext_type=%d(%s), ext_len=%d.\n",
                  remain,
                  pfkey_ext->sadb_ext_type,
                  pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
                  pfkey_ext->sadb_ext_len);
-       
+
        DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
                "pfkey_msg_parse: "
                "extensions permitted=%08x, required=%08x.\n",
                extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
                extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]);
-       
+
        extensions_seen = 1;
-       
+
        while( (remain * IPSEC_PFKEYv2_ALIGN) >= sizeof(struct sadb_ext) ) {
                /* Is there enough message left to support another extension header? */
                if(remain < pfkey_ext->sadb_ext_len) {
                        DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                                "pfkey_msg_parse: "
-                               "remain %d less than ext len %d.\n", 
+                               "remain %d less than ext len %d.\n",
                                remain, pfkey_ext->sadb_ext_len);
                        SENDERR(EINVAL);
                }
-               
+
                DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
                        "pfkey_msg_parse: "
                        "parsing ext type=%d(%s) remain=%d.\n",
                        pfkey_ext->sadb_ext_type,
                        pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
                        remain);
-               
+
                /* Is the extension header type valid? */
                if((pfkey_ext->sadb_ext_type > SADB_EXT_MAX) || (!pfkey_ext->sadb_ext_type)) {
                        DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                                "pfkey_msg_parse: "
-                               "ext type %d(%s) invalid, SADB_EXT_MAX=%d.\n", 
+                               "ext type %d(%s) invalid, SADB_EXT_MAX=%d.\n",
                                pfkey_ext->sadb_ext_type,
                                pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
                                SADB_EXT_MAX);
                        SENDERR(EINVAL);
                }
-               
+
                /* Have we already seen this type of extension? */
                if((extensions_seen & ( 1 << pfkey_ext->sadb_ext_type )) != 0)
                {
                        DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                                "pfkey_msg_parse: "
-                               "ext type %d(%s) already seen.\n", 
+                               "ext type %d(%s) already seen.\n",
                                pfkey_ext->sadb_ext_type,
                                pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
                        SENDERR(EINVAL);
@@ -1331,7 +1331,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
                if(ext_parsers[pfkey_ext->sadb_ext_type]==NULL) {
                        DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                                "pfkey_msg_parse: "
-                               "ext type %d(%s) unknown, ignoring.\n", 
+                               "ext type %d(%s) unknown, ignoring.\n",
                                pfkey_ext->sadb_ext_type,
                                pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
                        goto next_ext;
@@ -1342,8 +1342,8 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
                     1<<pfkey_ext->sadb_ext_type)) {
                        DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                                "pfkey_msg_parse: "
-                               "ext type %d(%s) not permitted, exts_perm_in=%08x, 1<<type=%08x\n", 
-                               pfkey_ext->sadb_ext_type, 
+                               "ext type %d(%s) not permitted, exts_perm_in=%08x, 1<<type=%08x\n",
+                               pfkey_ext->sadb_ext_type,
                                pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
                                extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type],
                                1<<pfkey_ext->sadb_ext_type);
@@ -1359,7 +1359,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
                          pfkey_ext->sadb_ext_len,
                          pfkey_ext,
                          ext_parsers[pfkey_ext->sadb_ext_type]->parser_name);
-               
+
                /* Parse the extension */
                if((error =
                    (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) {
@@ -1368,7 +1368,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
                                "extension parsing for type %d(%s) failed with error %d.\n",
                                pfkey_ext->sadb_ext_type,
                                pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
-                               error); 
+                               error);
                        SENDERR(-error);
                }
                DEBUGGING(PF_KEY_DEBUG_PARSE_FLOW,
@@ -1376,12 +1376,12 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
                        "Extension %d(%s) parsed.\n",
                        pfkey_ext->sadb_ext_type,
                        pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
-               
+
                /* Mark that we have seen this extension and remember the header location */
                extensions_seen |= ( 1 << pfkey_ext->sadb_ext_type );
                extensions[pfkey_ext->sadb_ext_type] = pfkey_ext;
 
-       next_ext:               
+       next_ext:
                /* Calculate how much message remains */
                remain -= pfkey_ext->sadb_ext_len;
 
@@ -1396,7 +1396,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
        if(remain) {
                DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
                        "pfkey_msg_parse: "
-                       "unexpected remainder of %d.\n", 
+                       "unexpected remainder of %d.\n",
                        remain);
                /* why is there still something remaining? */
                SENDERR(EINVAL);
@@ -1427,7 +1427,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
                         extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]));
                SENDERR(EINVAL);
        }
-       
+
        if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == SADB_X_DELFLOW)
           && ((extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW)
               != SADB_X_EXT_ADDRESS_DELFLOW)
@@ -1443,7 +1443,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
                        (1<<SADB_EXT_SA) - (extensions_seen & (1<<SADB_EXT_SA)));
                SENDERR(EINVAL);
        }
-       
+
        switch(pfkey_msg->sadb_msg_type) {
        case SADB_ADD:
        case SADB_UPDATE:
@@ -1457,7 +1457,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
                                SADB_SASTATE_MATURE);
                        SENDERR(EINVAL);
                }
-               
+
                /* check AH and ESP */
                switch(((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype) {
                case SADB_SATYPE_AH:
@@ -1529,7 +1529,7 @@ pfkey_msg_parse(struct sadb_msg *pfkey_msg,
                                ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi));
                        SENDERR(EINVAL);
                }
-       default:        
+       default:
                break;
        }
 errlab:
index 461299c787602f71fbb0fa20fe490609ea99e4c0..8a30d1edb1a65c91da248f72c608d44aa809833d 100644 (file)
@@ -182,7 +182,7 @@ struct sadb_x_satype {
   uint8_t sadb_x_satype_satype;
   uint8_t sadb_x_satype_reserved[3];
 };
-  
+
 struct sadb_x_policy {
   uint16_t sadb_x_policy_len;
   uint16_t sadb_x_policy_exttype;
@@ -192,7 +192,7 @@ struct sadb_x_policy {
   uint32_t sadb_x_policy_id;
   uint32_t sadb_x_policy_reserved2;
 };
+
 struct sadb_x_debug {
   uint16_t sadb_x_debug_len;
   uint16_t sadb_x_debug_exttype;
index 6d06473ad2bd9036a448a243246fa4a154be6459..c44b839f3e903912787c0f1605127f6b704453fc 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * low-level ip_address ugliness
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 6cb84e48463ebac7398f02c2e4b103ecac0c7526..347f13f893192474565e600d06ca20a27da3778d 100644 (file)
@@ -2,12 +2,12 @@
  * crypto-class pseudorandom number generator
  * currently uses same algorithm as RC4(TM), from Schneier 2nd ed p397
  * Copyright (C) 2002  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index c5a7ddfda92fcf0b6abe78701f6fc8df889d13ef..70455824814cadad9b4280894086f45c06eb3e01 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert binary form of address range to ASCII
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 0defa0739962d0f627ac6181523511c66f919398..2a989300e18c32e55f16921b319275d1bcdd5780 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * express an address range as a subnet (if possible)
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 653b94c30a7884e4d1319d0da99e55d26c4934dd..47daaa4eeee433c4420e47b946b5b38f57337bdc 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * comparisons
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index fe7fb2ea0d195150ae61da39730b3c7a0e520e68..09a152727fd4ce02a4febf1985c810eac04ec5f2 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from binary form of SA ID to ASCII
  * Copyright (C) 1998, 1999, 2001  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index a16d62840f37517a11ba5530d5ecc73afabdf68a..e70036482fd09e960a05d8923d1fc3b6db9adf46 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from binary form of SA ID to text
  * Copyright (C) 2000, 2001  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -91,7 +91,7 @@ size_t dstlen;
                                                        PASSTHROUGH6NAME);
                len = strlen(buf);
        }
-       
+
        if (sa->proto == SA_INT && addrtypeof(&sa->dst) == AF_INET &&
                                                isunspecaddr(&sa->dst)) {
                switch (ntohl(sa->spi)) {
index 55786a2e414af8eeb3770b6dfaa56e9295eae03d..ec9b8ec7d536126ab39e61e515c932fc51db4733 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * minor network-address manipulation utilities
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index e8d98168d4672c901d21db4c46b11cec8ec64139..694fa40daa8a5bd77b1043126c0b77d7f9c8d436 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert binary form of subnet description to ASCII
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 03d2e1e5741d578864a41f505bacacd4fd60692c..64d511ba2397578ecb30ed3fc9f580235cbc9e84 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert binary form of subnet description to text
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 9fa15a7d58b26e2e267973d51e2b5792affda8f1..96c283c04af9fea298fce15733ba4402a3af9221 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * extract parts of an ip_subnet, and related
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index bda2be5ed88efb3d718295e287ab0005be94f16d..234c9d8e71700e758dd31a8ed87752057917ea6b 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * conversion from text forms of addresses to internal ones
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -61,7 +61,7 @@ ip_address *dst;
        case AF_INET6:
        case 0:                  /* guess */
                break;
-           
+
        default:
                return "invalid address family";
        }
@@ -78,7 +78,7 @@ ip_address *dst;
            {
                af = AF_INET6;
            }
-           
+
                if (af != AF_INET6)
                        return "non-ipv6 address may not contain `:'";
                return colon(src, srclen, dst);
@@ -127,7 +127,7 @@ ip_address *dst;
                }
                return "does not appear to be either IPv4 or IPv6 numeric address";
                break;
-           
+
        case AF_INET6:
                return colon(src, srclen, dst);
                break;
index b0d5e4d01a4daec8db1d22e2943e5ea7884d9284..ef3717797039cc9342830a215fdb1ad6e25d9c64 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from text form of arbitrary data (e.g., keys) to binary
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -125,7 +125,7 @@ unsigned int flags;
                        else if (!(skipSpace && (*src == ' ' || *src == '\t')))
                                stage[sl++] = *src;
                }
-               
+
                nbytes = (*decode)(stage, buf, sizeof(buf));
                switch (nbytes) {
                case BADCH0:
@@ -229,7 +229,7 @@ size_t dstlen;              /* not large enough is a failure */
 
        if (dstlen < 1)
                return SHORT;
-       
+
        p = strchr(hex, *src);
        if (p == NULL)
                p = strchr(hex, tolower(*src));
@@ -659,7 +659,7 @@ char *pgm;
                                break;
                        }
                }
-               
+
                if (base >= IGNORESPACE_BIAS) {
                        base = base - IGNORESPACE_BIAS;
                        check(r, buf, n, ttodatav(r->ascii, 0, base, buf, sizeof(buf), &n, NULL, 0, TTODATAV_IGNORESPACE), &status);
index c3d033168ea72b54385cfb9ef8e2a702d9d19a5f..e75b206be3bc7adad10a1a4c66276ef91add2217 100644 (file)
@@ -72,7 +72,7 @@ bool *has_port_wildcard;      /* set if port is %any */
 
     /* is there a port wildcard? */
     *has_port_wildcard = (strcmp(service_name, "%any") == 0);
-   
+
     if (*has_port_wildcard)
     {
        *port = 0;
index 20e01b152b5748ae87b9ec6d9447b33f6284175e..9873231c0d53ecc54bc523b5a2300b7b2083a213 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from text form of SA ID to binary
  * Copyright (C) 2000, 2001  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 36c039a96778dfe1a181e7d06e3571623d74cb2e..a18a3f32626f8c2880d41f56d3a1cd52e08be033 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from text form of subnet specification to binary
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 853a6130c0b8bd45c13453f89cf8f4fddc3b0904..7524789c4996c52ffbbb4937acbc9738c5083100 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert from text form of unsigned long to binary
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index ef45366a1cbbcf934f120d16d4d2a25d0e60f1f8..16ddd2c1e9fce157cb640fc046b41691aeffb255 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert unsigned long to ASCII
  * Copyright (C) 1998, 1999  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index c4f2d78842a61f72323f80fb9a67c523d46f9eb7..6685f8f7c0ee62bafb1ac7ead7b96f760e479591 100644 (file)
@@ -1,12 +1,12 @@
 /*
  * convert unsigned long to text
  * Copyright (C) 2000  Henry Spencer.
- * 
+ *
  * This library is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
index 2d402f72a4bb737712aa15aa2f4ee1aa3537b39a..69bb6523f436be58b4cbdbdaeb0467503a01d2e1 100644 (file)
@@ -44,7 +44,7 @@ const chunk_t ASN1_INTEGER_2 = chunk_from_buf(ASN1_INTEGER_2_str);
 chunk_t asn1_algorithmIdentifier(int oid)
 {
        chunk_t parameters;
-       
+
        /* some algorithmIdentifiers have a NULL parameters field and some do not */
        switch (oid)
        {
@@ -68,7 +68,7 @@ chunk_t asn1_algorithmIdentifier(int oid)
 int asn1_known_oid(chunk_t object)
 {
        int oid = 0;
-       
+
        while (object.len)
        {
                if (oid_names[oid].octet == *object.ptr)
@@ -104,17 +104,17 @@ chunk_t asn1_build_known_oid(int n)
 {
        chunk_t oid;
        int i;
-       
+
        if (n < 0 || n >= OID_MAX)
        {
                return chunk_empty;
        }
-       
+
        i = oid_names[n].level + 1;
        oid = chunk_alloc(2 + i);
        oid.ptr[0] = ASN1_OID;
        oid.ptr[1] = i;
-       
+
        do
        {
                if (oid_names[n].level >= i)
@@ -125,7 +125,7 @@ chunk_t asn1_build_known_oid(int n)
                oid.ptr[--i + 2] = oid_names[n--].octet;
        }
        while (i > 0);
-       
+
        return oid;
 }
 
@@ -136,18 +136,18 @@ size_t asn1_length(chunk_t *blob)
 {
        u_char n;
        size_t len;
-       
+
        if (blob->len < 2)
        {
                DBG2("insufficient number of octets to parse ASN.1 length");
                return ASN1_INVALID_LENGTH;
        }
-       
+
        /* read length field, skip tag and length */
        n = blob->ptr[1];
        *blob = chunk_skip(*blob, 2);
-       
-       if ((n & 0x80) == 0) 
+
+       if ((n & 0x80) == 0)
        {       /* single length octet */
                if (n > blob->len)
                {
@@ -156,25 +156,25 @@ size_t asn1_length(chunk_t *blob)
                }
                return n;
        }
-       
+
        /* composite length, determine number of length octets */
        n &= 0x7f;
-       
+
        if (n == 0 || n > blob->len)
        {
                DBG2("number of length octets invalid");
                return ASN1_INVALID_LENGTH;
        }
-       
+
        if (n > sizeof(len))
        {
-               DBG2("number of length octets is larger than limit of %d octets", 
+               DBG2("number of length octets is larger than limit of %d octets",
                         (int)sizeof(len));
                return ASN1_INVALID_LENGTH;
        }
-       
+
        len = 0;
-       
+
        while (n-- > 0)
        {
                len = 256*len + *blob->ptr++;
@@ -196,7 +196,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner)
        chunk_t res;
        u_char len;
        int type;
-       
+
        if (blob->len < 2)
        {
                return ASN1_INVALID;
@@ -204,7 +204,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner)
        type = blob->ptr[0];
        len = blob->ptr[1];
        *blob = chunk_skip(*blob, 2);
-       
+
        if ((len & 0x80) == 0)
        {       /* single length octet */
                res.len = len;
@@ -250,7 +250,7 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
        int tz_hour, tz_min, tz_offset;
        time_t tm_secs;
        u_char *eot = NULL;
-       
+
        if ((eot = memchr(utctime->ptr, 'Z', utctime->len)) != NULL)
        {
                tz_offset = 0; /* Zulu time with a zero time zone offset */
@@ -275,19 +275,19 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
        {
                return 0; /* error in time format */
        }
-       
+
        /* parse ASN.1 time string */
        {
                const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
                                                                                                         "%4d%2d%2d%2d%2d";
-       
+
                if (sscanf(utctime->ptr, format, &tm_year, &tm_mon, &tm_day,
                                                                                 &tm_hour, &tm_min) != 5)
                {
                        return 0; /* error in [yy]yymmddhhmm time format */
                }
        }
-       
+
        /* is there a seconds field? */
        if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
        {
@@ -300,13 +300,13 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
        {
                tm_sec = 0;
        }
-       
+
        /* representation of two-digit years */
        if (type == ASN1_UTCTIME)
        {
                tm_year += (tm_year < 50) ? 2000 : 1900;
        }
-       
+
        /* prevent large 32 bit integer overflows */
        if (sizeof(time_t) == 4 && tm_year > 2038)
        {
@@ -319,7 +319,7 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
                return 0; /* error in month format */
        }
        tm_mon--;
-       
+
        /* representation of days as 0..30 */
        tm_day--;
 
@@ -352,7 +352,7 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type)
        char buf[BUF_LEN];
        chunk_t formatted_time;
        struct tm t;
-       
+
        gmtime_r(time, &t);
        if (type == ASN1_GENERALIZEDTIME)
        {
@@ -364,7 +364,7 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type)
                format = "%02d%02d%02d%02d%02d%02dZ";
                offset = (t.tm_year < 100)? 0 : -100;
        }
-       snprintf(buf, BUF_LEN, format, t.tm_year + offset, 
+       snprintf(buf, BUF_LEN, format, t.tm_year + offset,
                         t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
        formatted_time.ptr = buf;
        formatted_time.len = strlen(buf);
@@ -377,7 +377,7 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type)
 void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private)
 {
        int oid;
-       
+
        switch (type)
        {
                case ASN1_OID:
@@ -422,30 +422,30 @@ void asn1_debug_simple_object(chunk_t object, asn1_t type, bool private)
 bool asn1_parse_simple_object(chunk_t *object, asn1_t type, u_int level, const char* name)
 {
        size_t len;
-       
+
        /* an ASN.1 object must possess at least a tag and length field */
        if (object->len < 2)
        {
                DBG2("L%d - %s:  ASN.1 object smaller than 2 octets", level, name);
                return FALSE;
        }
-       
+
        if (*object->ptr != type)
        {
                DBG2("L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
                         level, name, type, *object->ptr);
                return FALSE;
        }
-       
+
        len = asn1_length(object);
-       
+
        if (len == ASN1_INVALID_LENGTH || object->len < len)
        {
                DBG2("L%d - %s:  length of ASN.1 object invalid or too large",
                         level, name);
                return FALSE;
        }
-       
+
        DBG2("L%d - %s:", level, name);
        asn1_debug_simple_object(*object, type, FALSE);
        return TRUE;
@@ -473,10 +473,10 @@ int asn1_parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters
        chunk_t object;
        int objectID;
        int alg = OID_UNKNOWN;
-       
+
        parser = asn1_parser_create(algorithmIdentifierObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                switch (objectID)
@@ -538,7 +538,7 @@ bool asn1_is_printablestring(chunk_t str)
        const char printablestring_charset[] =
                "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?";
        u_int i;
-       
+
        for (i = 0; i < str.len; i++)
        {
                if (strchr(printablestring_charset, str.ptr[i]) == NULL)
@@ -588,24 +588,24 @@ u_char* asn1_build_object(chunk_t *object, asn1_t type, size_t datalen)
        u_char length_buf[4];
        chunk_t length = { length_buf, 0 };
        u_char *pos;
-       
+
        /* code the asn.1 length field */
        asn1_code_length(datalen, &length);
-       
+
        /* allocate memory for the asn.1 TLV object */
        object->len = 1 + length.len + datalen;
        object->ptr = malloc(object->len);
-       
+
        /* set position pointer at the start of the object */
        pos = object->ptr;
-       
+
        /* copy the asn.1 tag field and advance the pointer */
        *pos++ = type;
-       
+
        /* copy the asn.1 length field and advance the pointer */
-       memcpy(pos, length.ptr, length.len); 
+       memcpy(pos, length.ptr, length.len);
        pos += length.len;
-       
+
        return pos;
 }
 
@@ -615,11 +615,11 @@ u_char* asn1_build_object(chunk_t *object, asn1_t type, size_t datalen)
 chunk_t asn1_simple_object(asn1_t tag, chunk_t content)
 {
        chunk_t object;
-       
+
        u_char *pos = asn1_build_object(&object, tag, content.len);
-       memcpy(pos, content.ptr, content.len); 
+       memcpy(pos, content.ptr, content.len);
        pos += content.len;
-       
+
        return object;
 }
 
@@ -686,8 +686,8 @@ chunk_t asn1_wrap(asn1_t type, const char *mode, ...)
        u_char *pos;
        int i;
        int count = strlen(mode);
-       
-       /* sum up lengths of individual chunks */ 
+
+       /* sum up lengths of individual chunks */
        va_start(chunks, mode);
        construct.len = 0;
        for (i = 0; i < count; i++)
@@ -696,16 +696,16 @@ chunk_t asn1_wrap(asn1_t type, const char *mode, ...)
                construct.len += ch.len;
        }
        va_end(chunks);
-       
+
        /* allocate needed memory for construct */
        pos = asn1_build_object(&construct, type, construct.len);
-       
+
        /* copy or move the chunks */
        va_start(chunks, mode);
        for (i = 0; i < count; i++)
        {
                chunk_t ch = va_arg(chunks, chunk_t);
-               
+
                memcpy(pos, ch.ptr, ch.len);
                pos += ch.len;
 
@@ -722,7 +722,7 @@ chunk_t asn1_wrap(asn1_t type, const char *mode, ...)
                }
        }
        va_end(chunks);
-       
+
        return construct;
 }
 
@@ -748,10 +748,10 @@ time_t asn1_parse_time(chunk_t blob, int level0)
        chunk_t object;
        int objectID;
        time_t utc_time = 0;
-       
+
        parser= asn1_parser_create(timeObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                if (objectID == TIME_UTC || objectID == TIME_GENERALIZED)
index 6552401364384f7a2666739993342ed82600cc8b..f79a53a3047afc82b2eed520a45c428447e36a0a 100644 (file)
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup asn1i asn1
  * @{ @ingroup asn1
@@ -103,7 +103,7 @@ chunk_t asn1_algorithmIdentifier(int oid);
  * Converts an ASN.1 OID into a known OID index
  *
  * @param object       body of an OID
- * @return                     index into the oid_names[] table or OID_UNKNOWN  
+ * @return                     index into the oid_names[] table or OID_UNKNOWN
  */
 int asn1_known_oid(chunk_t object);
 
@@ -139,7 +139,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *content);
  * @param blob         ASN.1 coded blob
  * @param level0       top-most level offset
  * @param params       returns optional [ASN.1 coded] parameters
- * @return                     known OID index or OID_UNKNOWN  
+ * @return                     known OID index or OID_UNKNOWN
  */
 int asn1_parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *params);
 
@@ -178,7 +178,7 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type);
  *
  * @param time         time_t in UTC
  * @param type         ASN1_UTCTIME or ASN1_GENERALIZEDTIME
- * @return                     body of an ASN.1 code time object                       
+ * @return                     body of an ASN.1 code time object
  */
 chunk_t asn1_from_time(const time_t *time, asn1_t type);
 
@@ -187,7 +187,7 @@ chunk_t asn1_from_time(const time_t *time, asn1_t type);
  *
  * @param blob         ASN.1 coded time object
  * @param level0       top-most level offset
- * @return                     time_t in UTC   
+ * @return                     time_t in UTC
  */
 time_t asn1_parse_time(chunk_t blob, int level0);
 
index bc4c0b50f4f38638e77e7734a3ba1c581e059dc9..5f635ec2c8fd719af5035914508f0a5417a0e54f 100644 (file)
@@ -54,7 +54,7 @@ struct private_asn1_parser_t {
        bool success;
 
        /**
-        * Declare object data as private - use debug level 4 to log it 
+        * Declare object data as private - use debug level 4 to log it
         */
        bool private;
 
@@ -88,7 +88,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
        u_char *start_ptr;
        u_int level;
        asn1Object_t obj;
-       
+
        *object = chunk_empty;
 
        /* Advance to the next object syntax definition line */
@@ -99,7 +99,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
        {
                return FALSE;
        }
-               
+
        if (obj.flags & ASN1_END)  /* end of loop or option found */
        {
                if (this->loopAddr[obj.level] && this->blobs[obj.level+1].len > 0)
@@ -113,12 +113,12 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
                        goto end;
                }
        }
-       
+
        level = this->level0 + obj.level;
        blob = this->blobs + obj.level;
        blob1 = blob + 1;
        start_ptr = blob->ptr;
-       
+
        /* handle ASN.1 defaults values */
        if ((obj.flags & ASN1_DEF) && (blob->len == 0 || *start_ptr != obj.type) )
        {
@@ -130,9 +130,9 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
                }
                goto end;
        }
-       
+
        /* handle ASN.1 options */
-       
+
        if ((obj.flags & ASN1_OPT)
                        && (blob->len == 0 || *start_ptr != obj.type))
        {
@@ -145,9 +145,9 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
                                 (this->objects[this->line].level == obj.level)));
                goto end;
        }
-               
+
        /* an ASN.1 object must possess at least a tag and length field */
-       
+
        if (blob->len < 2)
        {
                DBG1("L%d - %s:  ASN.1 object smaller than 2 octets",
@@ -155,22 +155,22 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
                this->success = FALSE;
                goto end;
        }
-       
+
        blob1->len = asn1_length(blob);
-       
+
        if (blob1->len == ASN1_INVALID_LENGTH)
        {
-               DBG1("L%d - %s:  length of ASN.1 object invalid or too large", 
+               DBG1("L%d - %s:  length of ASN.1 object invalid or too large",
                                        level, obj.name);
                this->success = FALSE;
        }
-       
+
        blob1->ptr = blob->ptr;
        blob->ptr += blob1->len;
        blob->len -= blob1->len;
-       
+
        /* return raw ASN.1 object without prior type checking */
-       
+
        if (obj.flags & ASN1_RAW)
        {
                DBG2("L%d - %s:", level, obj.name);
@@ -187,10 +187,10 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
                this->success = FALSE;
                goto end;
        }
-       
+
        DBG2("L%d - %s:", level, obj.name);
-       
-       /* In case of "SEQUENCE OF" or "SET OF" start a loop */ 
+
+       /* In case of "SEQUENCE OF" or "SET OF" start a loop */
        if (obj.flags & ASN1_LOOP)
        {
                if (blob1->len > 0)
index b2f4133a172ccca447d7b40da239159848975086..ee6ec57fd115d2832b64110d442b3b5b295d9754 100644 (file)
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup asn1_parser asn1_parser
  * @{ @ingroup asn1
@@ -57,7 +57,7 @@ struct asn1Object_t{
 typedef struct asn1_parser_t asn1_parser_t;
 
 /**
- * Public interface of an ASN.1 parser 
+ * Public interface of an ASN.1 parser
  */
 struct asn1_parser_t {
 
@@ -106,7 +106,7 @@ struct asn1_parser_t {
         */
        void (*destroy)(asn1_parser_t *this);
 };
+
 /**
  * Create an ASN.1 parser
  *
index acf3db1f48ccfbbbe607f12528da4bdcd1901f00..86436e99768d569d0d18c875c29367be47b9be87 100644 (file)
@@ -46,14 +46,14 @@ chunk_t chunk_empty = { NULL, 0 };
 chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk)
 {
        chunk_t clone = chunk_empty;
-       
+
        if (chunk.ptr && chunk.len > 0)
        {
                clone.ptr = ptr;
                clone.len = chunk.len;
                memcpy(clone.ptr, chunk.ptr, chunk.len);
        }
-       
+
        return clone;
 }
 
@@ -64,7 +64,7 @@ size_t chunk_length(const char* mode, ...)
 {
        va_list chunks;
        size_t length = 0;
-       
+
        va_start(chunks, mode);
        while (TRUE)
        {
@@ -94,13 +94,13 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
 {
        va_list chunks;
        chunk_t construct = chunk_create(ptr, 0);
-       
+
        va_start(chunks, mode);
        while (TRUE)
        {
                bool free_chunk = FALSE, clear_chunk = FALSE;
                chunk_t ch;
-               
+
                switch (*mode++)
                {
                        case 's':
@@ -111,7 +111,7 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
                                /* FALL */
                        case 'c':
                                ch = va_arg(chunks, chunk_t);
-                               memcpy(ptr, ch.ptr, ch.len); 
+                               memcpy(ptr, ch.ptr, ch.len);
                                ptr += ch.len;
                                construct.len += ch.len;
                                if (clear_chunk)
@@ -129,7 +129,7 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
                break;
        }
        va_end(chunks);
-       
+
        return construct;
 }
 
@@ -141,7 +141,7 @@ void chunk_split(chunk_t chunk, const char *mode, ...)
        va_list chunks;
        u_int len;
        chunk_t *ch;
-       
+
        va_start(chunks, mode);
        while (TRUE)
        {
@@ -262,19 +262,19 @@ chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase)
 {
        int i, len;
        char *hexdig = hexdig_lower;
-       
+
        if (uppercase)
        {
                hexdig = hexdig_upper;
        }
-       
+
        len = chunk.len * 2;
        if (!buf)
        {
                buf = malloc(len + 1);
        }
        buf[len] = '\0';
-       
+
        for (i = 0; i < chunk.len; i++)
        {
                buf[i*2]   = hexdig[(chunk.ptr[i] >> 4) & 0xF];
@@ -308,7 +308,7 @@ chunk_t chunk_from_hex(chunk_t hex, char *buf)
 {
        int i, len;
        bool odd = FALSE;
-       
+
        len = (hex.len / 2);
        if (hex.len % 2)
        {
@@ -334,7 +334,7 @@ chunk_t chunk_from_hex(chunk_t hex, char *buf)
 }
 
 /** base 64 conversion digits */
-static char b64digits[] = 
+static char b64digits[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 
 /**
@@ -344,7 +344,7 @@ chunk_t chunk_to_base64(chunk_t chunk, char *buf)
 {
        int i, len;
        char *pos;
-       
+
        len = chunk.len + ((3 - chunk.len % 3) % 3);
        if (!buf)
        {
@@ -408,7 +408,7 @@ chunk_t chunk_from_base64(chunk_t base64, char *buf)
 {
        u_char *pos, byte[4];
        int i, j, len, outlen;
-       
+
        len = base64.len / 4 * 3;
        if (!buf)
        {
@@ -456,7 +456,7 @@ int chunk_compare(chunk_t a, chunk_t b)
 bool chunk_increment(chunk_t chunk)
 {
        int i;
-       
+
        for (i = chunk.len - 1; i >= 0; i--)
        {
                if (++chunk.ptr[i] != 0)
@@ -474,7 +474,7 @@ bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
 {
        bool printable = TRUE;
        int i;
-       
+
        if (sane)
        {
                *sane = chunk_clone(chunk);
@@ -495,7 +495,7 @@ bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
 
 /**
  * Described in header.
- * 
+ *
  * The implementation is based on Paul Hsieh's SuperFastHash:
  *      http://www.azillionmonkeys.com/qed/hash.html
  */
@@ -505,15 +505,15 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
        size_t len = chunk.len;
        u_int32_t tmp;
        int rem;
-       
+
        if (!len || data == NULL)
        {
                return 0;
        }
-       
+
        rem = len & 3;
        len >>= 2;
-       
+
        /* Main loop */
        for (; len > 0; --len)
        {
@@ -523,7 +523,7 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
                data += 2 * sizeof(u_int16_t);
                hash += hash >> 11;
        }
-       
+
        /* Handle end cases */
        switch (rem)
        {
@@ -550,7 +550,7 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
                        break;
                }
        }
-       
+
        /* Force "avalanching" of final 127 bits */
        hash ^= hash << 3;
        hash += hash >> 5;
@@ -558,7 +558,7 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash)
        hash += hash >> 17;
        hash ^= hash << 25;
        hash += hash >> 6;
-       
+
        return hash;
 }
 
@@ -580,13 +580,13 @@ int chunk_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
        bool first = TRUE;
        chunk_t copy = *chunk;
        int written = 0;
-       
+
        if (!spec->hash)
        {
                const void *new_args[] = {&chunk->ptr, &chunk->len};
                return mem_printf_hook(dst, len, spec, new_args);
        }
-       
+
        while (copy.len > 0)
        {
                if (first)
index 3329a4a27f7577b977d4f80b6b0b740c885b82c6..81e683ac8d7533bc1dc9187cf5b2f305c00a8235 100644 (file)
@@ -92,7 +92,7 @@ void chunk_split(chunk_t chunk, const char *mode, ...);
  *
  * @param chunk                        contents to write to file
  * @param path                 path where file is written to
- * @param label                        label specifying file type 
+ * @param label                        label specifying file type
  * @param mask                 file mode creation mask
  * @param force                        overwrite existing file by force
  * @return                             TRUE if write operation was successful
@@ -273,7 +273,7 @@ u_int32_t chunk_hash_inc(chunk_t chunk, u_int32_t hash);
 /**
  * printf hook function for chunk_t.
  *
- * Arguments are: 
+ * Arguments are:
  *    chunk_t *chunk
  * Use #-modifier to print a compact version
  */
index 650d05251336d38e9404f7bc1e9bfd0e294323d2..a5ce7e13eb449ecf846fc811ff31e3ff7a2aad1f 100644 (file)
@@ -130,14 +130,14 @@ struct builder_t {
        /**
         * Add a part to the construct.
         *
-        * Any added parts are cloned/refcounted by the builder implementation, a 
+        * Any added parts are cloned/refcounted by the builder implementation, a
         * caller may need to free the passed ressources themself.
         *
         * @param part          kind of part
         * @param ...           part specific variable argument
         */
        void (*add)(builder_t *this, builder_part_t part, ...);
-       
+
        /**
         * Build the construct with all supplied parts.
         *
index e617d56b0f167d215345143f72781d282e3c052f..50fd7887840b88c610d5440ce0c162d7307673dc 100644 (file)
@@ -41,35 +41,35 @@ struct ac_t {
         * Implements the certificate_t interface
         */
        certificate_t certificate;
-       
+
        /**
         * Get the attribute certificate's serial number.
         *
         * @return                      chunk pointing to serialNumber
         */
        chunk_t (*get_serial)(ac_t *this);
-       
+
        /**
         * Get the serial number of the holder certificate.
         *
         * @return                      chunk pointing to serialNumber
         */
        chunk_t (*get_holderSerial)(ac_t *this);
-       
+
        /**
         * Get the issuer of the holder certificate.
         *
         * @return                      holderIssuer as identification_t*
         */
        identification_t* (*get_holderIssuer)(ac_t *this);
-       
+
        /**
         * Get the thauthorityKeyIdentifier.
         *
         * @return                      authKeyIdentifier as chunk_t, to internal data
         */
        chunk_t (*get_authKeyIdentifier)(ac_t *this);
-       
+
        /**
         * @brief Checks if two attribute certificates belong to the same holder
         *
index ef26a437a9f660a4b997746472afd71e62348e83..f58580579f00186605200e72bd47b2ba514a1588 100644 (file)
@@ -88,7 +88,7 @@ extern enum_name_t *cert_validation_names;
 /**
  * An abstract certificate.
  *
- * A certificate designs a subject-issuer relationship. It may have an 
+ * A certificate designs a subject-issuer relationship. It may have an
  * associated public key.
  */
 struct certificate_t {
@@ -106,7 +106,7 @@ struct certificate_t {
         * @return                      subject identity
         */
        identification_t* (*get_subject)(certificate_t *this);
-       
+
        /**
         * Check if certificate contains a subject ID.
         *
@@ -117,14 +117,14 @@ struct certificate_t {
         * @return                      matching value of best match
         */
        id_match_t (*has_subject)(certificate_t *this, identification_t *subject);
-               
+
        /**
         * Get the issuer which signed this certificate.
         *
         * @return                      issuer identity
         */
        identification_t* (*get_issuer)(certificate_t *this);
-       
+
        /**
         * Check if certificate contains an issuer ID.
         *
@@ -135,7 +135,7 @@ struct certificate_t {
         * @return                      matching value of best match
         */
        id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer);
-       
+
        /**
         * Check if this certificate is issued and signed by a specific issuer.
         *
@@ -143,14 +143,14 @@ struct certificate_t {
         * @return                      TRUE if certificate issued by issuer and trusted
         */
        bool (*issued_by)(certificate_t *this, certificate_t *issuer);
-       
+
        /**
         * Get the public key associated to this certificate.
         *
         * @return                      newly referenced public_key, NULL if none available
         */
        public_key_t* (*get_public_key)(certificate_t *this);
-       
+
        /**
         * Check the lifetime of the certificate.
         *
@@ -161,21 +161,21 @@ struct certificate_t {
         */
        bool (*get_validity)(certificate_t *this, time_t *when,
                                                 time_t *not_before, time_t *not_after);
-       
+
        /**
         * Is this newer than that?
         *
         * @return                      TRUE if newer, FALSE otherwise
         */
        bool (*is_newer)(certificate_t *this, certificate_t *that);
-       
+
        /**
         * Get the certificate in an encoded form.
         *
         * @return                              allocated chunk of encoded cert
         */
        chunk_t (*get_encoding)(certificate_t *this);
-       
+
        /**
         * Check if two certificates are equal.
         *
@@ -183,14 +183,14 @@ struct certificate_t {
         * @return                              TRUE if certificates are equal
         */
        bool (*equals)(certificate_t *this, certificate_t *other);
-       
+
        /**
         * Get a new reference to the certificate.
         *
-        * @return                      this, with an increased refcount 
+        * @return                      this, with an increased refcount
         */
        certificate_t* (*get_ref)(certificate_t *this);
-       
+
        /**
      * Destroy a certificate.
      */
index 3d47961743b390786c2e908da0dc138e225e8f5d..e7d216bd118ea57677cb1f313f8c73a86e0a7c24 100644 (file)
@@ -56,21 +56,21 @@ struct crl_t {
         * Implements (parts of) the certificate_t interface
         */
        certificate_t certificate;
-       
+
        /**
         * Get the CRL serial number.
         *
         * @return                      chunk pointing to internal crlNumber
         */
        chunk_t (*get_serial)(crl_t *this);
-       
+
        /**
         * Get the the authorityKeyIdentifier.
         *
         * @return                      authKeyIdentifier chunk, point to internal data
         */
        chunk_t (*get_authKeyIdentifier)(crl_t *this);
-       
+
        /**
         * Create an enumerator over all revoked certificates.
         *
@@ -80,7 +80,7 @@ struct crl_t {
         * @return                      enumerator over revoked certificates.
         */
        enumerator_t* (*create_enumerator)(crl_t *this);
-       
+
 };
 
 #endif /** CRL_H_ @}*/
index a70f3eee49a0c23229f949ca213eff2adc6ac2c6..157577458cb709c7427b9749a41dfb994deba549 100644 (file)
@@ -28,7 +28,7 @@ typedef struct ocsp_response_t ocsp_response_t;
 typedef enum ocsp_status_t ocsp_status_t;
 
 /**
- * OCSP response status 
+ * OCSP response status
  */
 enum ocsp_status_t {
        OCSP_SUCCESSFUL                 = 0,
@@ -53,7 +53,7 @@ struct ocsp_response_t {
         * Implements certificiate_t interface
         */
        certificate_t certificate;
-       
+
        /**
         * Check the status of a certificate by this OCSP response.
         *
@@ -65,18 +65,18 @@ struct ocsp_response_t {
         * @param next_update           exptected time of next revocation list
         * @return                                      certificate revocation status
         */
-       cert_validation_t (*get_status)(ocsp_response_t *this, 
+       cert_validation_t (*get_status)(ocsp_response_t *this,
                                                                        x509_t *subject, x509_t *issuer,
                                                                        time_t *revocation_time,
                                                                        crl_reason_t *revocation_reason,
                                                                        time_t *this_update, time_t *next_update);
-       
+
        /**
         * Create an enumerator over the contained certificates.
         *
         * @return                                      enumerator over certificate_t*
         */
-       enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this); 
+       enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);
 };
 
 #endif /** OCSP_RESPONSE_H_ @}*/
index 0e63d357f985e99f03c4119dbde4b769309a8923..540eb988bec4ae83570911cbcc4e046f81b68801 100644 (file)
@@ -58,42 +58,42 @@ struct x509_t {
         * Implements certificate_t.
         */
        certificate_t interface;
-       
+
        /**
         * Get the flags set for this certificate.
         *
         * @return                      set of flags
         */
        x509_flag_t (*get_flags)(x509_t *this);
-       
+
        /**
         * Get the certificate serial number.
         *
         * @return                      chunk pointing to internal serial number
         */
        chunk_t (*get_serial)(x509_t *this);
-       
+
        /**
         * Get the the authorityKeyIdentifier.
         *
         * @return                      authKeyIdentifier as chunk_t, internal data
         */
        chunk_t (*get_authKeyIdentifier)(x509_t *this);
-       
+
        /**
         * Create an enumerator over all subjectAltNames.
         *
         * @return                      enumerator over subjectAltNames as identification_t*
         */
        enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
-       
+
        /**
         * Create an enumerator over all CRL URIs.
         *
         * @return                      enumerator over URIs as char*
         */
        enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
-       
+
        /**
         * Create an enumerator over all OCSP URIs.
         *
index ac1f05beb3ebb19a53d5c32d78bcf49548e3e18d..6201cd6c9430573259b0912aef379e7f0e68ff05 100644 (file)
@@ -41,17 +41,17 @@ struct private_credential_factory_t {
         * public functions
         */
        credential_factory_t public;
-       
+
        /**
         * list with entry_t
         */
        linked_list_t *constructors;
-       
+
        /**
         * Thread specific recursiveness counter
         */
        pthread_key_t recursive;
-       
+
        /**
         * lock access to builders
         */
@@ -74,7 +74,7 @@ struct entry_t {
 static bool builder_filter(entry_t *data, entry_t **in, builder_t **out)
 {
        builder_t *builder;
-       
+
        if (data->type == (*in)->type &&
                data->subtype == (*in)->subtype)
        {
@@ -95,15 +95,15 @@ static enumerator_t* create_builder_enumerator(
                private_credential_factory_t *this,     credential_type_t type, int subtype)
 {
        entry_t *data = malloc_thing(entry_t);
-       
+
        data->type = type;
        data->subtype = subtype;
-       
+
        this->lock->read_lock(this->lock);
        return enumerator_create_cleaner(
                                enumerator_create_filter(
                                        this->constructors->create_enumerator(this->constructors),
-                                       (void*)builder_filter, data, free), 
+                                       (void*)builder_filter, data, free),
                                (void*)this->lock->unlock, this->lock);
 }
 
@@ -115,7 +115,7 @@ static void add_builder(private_credential_factory_t *this,
                                                builder_constructor_t constructor)
 {
        entry_t *entry = malloc_thing(entry_t);
-       
+
        entry->type = type;
        entry->subtype = subtype;
        entry->constructor = constructor;
@@ -132,7 +132,7 @@ static void remove_builder(private_credential_factory_t *this,
 {
        enumerator_t *enumerator;
        entry_t *entry;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->constructors->create_enumerator(this->constructors);
        while (enumerator->enumerate(enumerator, &entry))
@@ -160,10 +160,10 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
        void* construct = NULL, *fn, *data;
        int failures = 0;
        uintptr_t level;
-       
+
        level = (uintptr_t)pthread_getspecific(this->recursive);
        pthread_setspecific(this->recursive, (void*)level + 1);
-       
+
        enumerator = create_builder_enumerator(this, type, subtype);
        while (enumerator->enumerate(enumerator, &builder))
        {
@@ -231,7 +231,7 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
                        break;
                }
                va_end(args);
-               
+
                construct = builder->build(builder);
                if (construct)
                {
@@ -243,7 +243,7 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
        if (!construct && !level)
        {
                enum_name_t *names = key_type_names;
-               
+
                if (type == CRED_CERTIFICATE)
                {
                        names = certificate_type_names;
@@ -278,11 +278,11 @@ credential_factory_t *credential_factory_create()
        this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_constructor_t constructor))add_builder;
        this->public.remove_builder = (void(*)(credential_factory_t*,builder_constructor_t constructor))remove_builder;
        this->public.destroy = (void(*)(credential_factory_t*))destroy;
-       
+
        this->constructors = linked_list_create();
        pthread_key_create(&this->recursive, NULL);
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-       
+
        return &this->public;
 }
 
index 69a55cf364c1f81212fcf0d87e8e973e1b00a8da..20a13db65b946069460a65406da419d36ab91e7b 100644 (file)
@@ -47,7 +47,7 @@ extern enum_name_t *credential_type_names;
  * Manages credential construction functions and creates instances.
  */
 struct credential_factory_t {
-       
+
        /**
         * Create a credential using a list of builder_part_t's.
         *
@@ -64,12 +64,12 @@ struct credential_factory_t {
         */
        void* (*create)(credential_factory_t *this, credential_type_t type,
                                        int subtype, ...);
-       
+
        /**
         * Create an enumerator for a builder type.
         *
-        * The build() method has to be called on each enumerated builder to 
-        * cleanup associated ressources. 
+        * The build() method has to be called on each enumerated builder to
+        * cleanup associated ressources.
         *
         * @param type                  type of credentials the builder creates
         * @param subtype               type specific subtype, such as certificate_type_t
@@ -77,7 +77,7 @@ struct credential_factory_t {
         */
        enumerator_t* (*create_builder_enumerator)(credential_factory_t *this,
                                                                                credential_type_t type, int subtype);
-       
+
        /**
         * Register a builder_t constructor function.
         *
@@ -85,16 +85,16 @@ struct credential_factory_t {
         * @param constructor   builder constructor function to register
         */
        void (*add_builder)(credential_factory_t *this,
-                                               credential_type_t type, int subtype, 
+                                               credential_type_t type, int subtype,
                                                builder_constructor_t constructor);
        /**
         * Unregister a builder_t constructor function.
         *
         * @param constructor   constructor function to unregister.
         */
-       void (*remove_builder)(credential_factory_t *this, 
+       void (*remove_builder)(credential_factory_t *this,
                                                   builder_constructor_t constructor);
-       
+
        /**
         * Destroy a credential_factory instance.
         */
index 601ce2a53407102267b50591985ca102a79e96be..7c09b9f9502648a46acfd483be5eeaa4e058fc2e 100644 (file)
@@ -27,22 +27,22 @@ typedef struct private_key_encoding_t private_key_encoding_t;
  * Private data of an key_encoding_t object.
  */
 struct private_key_encoding_t {
-       
+
        /**
         * Public key_encoding_t interface.
         */
        key_encoding_t public;
-       
+
        /**
         * cached encodings, a table for each encoding_type_t, containing chunk_t*
         */
        hashtable_t *cache[KEY_ENCODING_MAX];
-       
+
        /**
         * Registered encoding fuctions, key_encoder_t
         */
        linked_list_t *encoders;
-       
+
        /**
         * lock to access cache/encoders
         */
@@ -56,14 +56,14 @@ bool key_encoding_args(va_list args, ...)
 {
        va_list parts, copy;
        bool failed = FALSE;
-       
+
        va_start(parts, args);
-       
+
        while (!failed)
        {
                key_encoding_part_t current, target;
                chunk_t *out, data;
-               
+
                /* get the part we are looking for */
                target = va_arg(parts, key_encoding_part_t);
                if (target == KEY_PART_END)
@@ -71,7 +71,7 @@ bool key_encoding_args(va_list args, ...)
                        break;
                }
                out = va_arg(parts, chunk_t*);
-               
+
                va_copy(copy, args);
                while (!failed)
                {
@@ -117,7 +117,7 @@ static bool get_cache(private_key_encoding_t *this, key_encoding_type_t type,
                                          void *cache, chunk_t *encoding)
 {
        chunk_t *chunk;
-       
+
        if (type >= KEY_ENCODING_MAX || type < 0)
        {
                return FALSE;
@@ -143,7 +143,7 @@ static bool encode(private_key_encoding_t *this, key_encoding_type_t type,
        key_encoder_t encode;
        bool success = FALSE;
        chunk_t *chunk;
-       
+
        if (type >= KEY_ENCODING_MAX || type < 0)
        {
                return FALSE;
@@ -192,7 +192,7 @@ static void cache(private_key_encoding_t *this, key_encoding_type_t type,
                                  void *cache, chunk_t encoding)
 {
        chunk_t *chunk;
-       
+
        if (type >= KEY_ENCODING_MAX || type < 0)
        {
                return free(encoding.ptr);
@@ -217,7 +217,7 @@ static void clear_cache(private_key_encoding_t *this, void *cache)
 {
        key_encoding_type_t type;
        chunk_t *chunk;
-       
+
        this->lock->write_lock(this->lock);
        for (type = 0; type < KEY_ENCODING_MAX; type++)
        {
@@ -257,7 +257,7 @@ static void remove_encoder(private_key_encoding_t *this, key_encoder_t encoder)
 static void destroy(private_key_encoding_t *this)
 {
        key_encoding_type_t type;
-       
+
        for (type = 0; type < KEY_ENCODING_MAX; type++)
        {
                /* We explicitly do not free remaining encodings. All keys should
@@ -278,7 +278,7 @@ key_encoding_t *key_encoding_create()
 {
        private_key_encoding_t *this = malloc_thing(private_key_encoding_t);
        key_encoding_type_t type;
-       
+
        this->public.encode = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode;
        this->public.get_cache = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding))get_cache;
        this->public.cache = (void(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t encoding))cache;
@@ -286,14 +286,14 @@ key_encoding_t *key_encoding_create()
        this->public.add_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))add_encoder;
        this->public.remove_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))remove_encoder;
        this->public.destroy = (void(*)(key_encoding_t*))destroy;
-       
+
        for (type = 0; type < KEY_ENCODING_MAX; type++)
        {
                this->cache[type] = hashtable_create(hash, equals, 8);
        }
        this->encoders = linked_list_create();
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-       
+
        return &this->public;
 }
 
index 0f70186c27981dc963b21c8ddd5cd048c2935620..3e6945a88fcd5a6e73c643c9d380906bb64a8964 100644 (file)
@@ -71,7 +71,7 @@ enum key_encoding_type_t {
        KEY_ID_PGPV3,
        /** PGPv4 fingerprint */
        KEY_ID_PGPV4,
-       
+
        /** PKCS#1 and similar ASN.1 key encoding */
        KEY_PUB_ASN1_DER,
        KEY_PRIV_ASN1_DER,
@@ -83,7 +83,7 @@ enum key_encoding_type_t {
        /** PGP key encoding */
        KEY_PUB_PGP,
        KEY_PRIV_PGP,
-       
+
        KEY_ENCODING_MAX,
 };
 
@@ -115,7 +115,7 @@ enum key_encoding_part_t {
        KEY_PART_ECDSA_PUB_ASN1_DER,
        /** a DER encoded ECDSA private key */
        KEY_PART_ECDSA_PRIV_ASN1_DER,
-       
+
        KEY_PART_END,
 };
 
@@ -141,14 +141,14 @@ struct key_encoding_t {
         */
        bool (*encode)(key_encoding_t *this, key_encoding_type_t type, void *cache,
                                   chunk_t *encoding, ...);
-       
+
        /**
         * Clear all cached encodings of a given cache key.
         *
         * @param cache                 key used in encode() for caching
         */
        void (*clear_cache)(key_encoding_t *this, void *cache);
-       
+
        /**
         * Check for a cached encoding.
         *
@@ -159,7 +159,7 @@ struct key_encoding_t {
         */
        bool (*get_cache)(key_encoding_t *this, key_encoding_type_t type,
                                          void *cache, chunk_t *encoding);
-       
+
        /**
         * Cache a key encoding created externally.
         *
@@ -172,21 +172,21 @@ struct key_encoding_t {
         */
        void (*cache)(key_encoding_t *this, key_encoding_type_t type, void *cache,
                                  chunk_t encoding);
-       
+
        /**
         * Register a key encoder function.
         *
         * @param encoder               key encoder function to add
         */
        void (*add_encoder)(key_encoding_t *this, key_encoder_t encoder);
-       
+
        /**
         * Unregister a previously registered key encoder function.
         *
         * @param encoder               key encoder function to remove
         */
        void (*remove_encoder)(key_encoding_t *this, key_encoder_t encoder);
-       
+
        /**
         * Destroy a key_encoding_t.
         */
index a334370a4e54c650f832b55c3867a468a490458b..05f01e36023fe9c9ac7ecba5ba52d45da0af76b0 100644 (file)
@@ -22,12 +22,12 @@ bool private_key_equals(private_key_t *this, private_key_t *other)
 {
        key_encoding_type_t type;
        chunk_t a, b;
-       
+
        if (this == other)
        {
                return TRUE;
        }
-       
+
        for (type = 0; type < KEY_ENCODING_MAX; type++)
        {
                if (this->get_fingerprint(this, type, &a) &&
@@ -46,7 +46,7 @@ bool private_key_belongs_to(private_key_t *private, public_key_t *public)
 {
        key_encoding_type_t type;
        chunk_t a, b;
-       
+
        for (type = 0; type < KEY_ENCODING_MAX; type++)
        {
                if (private->get_fingerprint(private, type, &a) &&
index 3bea9c244f8fd9e3a002e058f0ae8009309f14e2..79fc9441b48192cf516ff2d42404dc164eb78ebe 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup private_key private_key
  * @{ @ingroup keys
@@ -29,14 +29,14 @@ typedef struct private_key_t private_key_t;
  * Abstract private key interface.
  */
 struct private_key_t {
-       
+
        /**
         * Get the key type.
         *
         * @return                      type of the key
         */
        key_type_t (*get_type)(private_key_t *this);
-       
+
        /**
         * Create a signature over a chunk of data.
         *
@@ -45,7 +45,7 @@ struct private_key_t {
         * @param signature     where to allocate created signature
         * @return                      TRUE if signature created
         */
-       bool (*sign)(private_key_t *this, signature_scheme_t scheme, 
+       bool (*sign)(private_key_t *this, signature_scheme_t scheme,
                                 chunk_t data, chunk_t *signature);
        /**
         * Decrypt a chunk of data.
@@ -55,37 +55,37 @@ struct private_key_t {
         * @return                      TRUE if data decrypted and plaintext allocated
         */
        bool (*decrypt)(private_key_t *this, chunk_t crypto, chunk_t *plain);
-       
+
        /**
         * Get the strength of the key in bytes.
-        * 
+        *
         * @return                      strength of the key in bytes
         */
        size_t (*get_keysize) (private_key_t *this);
-       
+
        /**
         * Get the public part from the private key.
         *
         * @return                      public key
         */
        public_key_t* (*get_public_key)(private_key_t *this);
-       
+
        /**
         * Check if two private keys are equal.
-        * 
+        *
         * @param other         other private key
         * @return                      TRUE, if equality
         */
        bool (*equals) (private_key_t *this, private_key_t *other);
-       
+
        /**
         * Check if a private key belongs to a public key.
-        * 
+        *
         * @param public        public key
         * @return                      TRUE, if keys belong together
         */
        bool (*belongs_to) (private_key_t *this, public_key_t *public);
-       
+
        /**
         * Get the fingerprint of the key.
         *
@@ -95,7 +95,7 @@ struct private_key_t {
         */
        bool (*get_fingerprint)(private_key_t *this, key_encoding_type_t type,
                                                        chunk_t *fp);
-       
+
        /**
         * Get the key in an encoded form as a chunk.
         *
@@ -105,14 +105,14 @@ struct private_key_t {
         */
        bool (*get_encoding)(private_key_t *this, key_encoding_type_t type,
                                                 chunk_t *encoding);
-       
+
        /**
         * Increase the refcount to this private key.
         *
         * @return                      this, with an increased refcount
         */
        private_key_t* (*get_ref)(private_key_t *this);
-               
+
        /**
         * Decrease refcount, destroy private_key if no more references.
         */
index 8958a35762502d47680d4eb9ec046abe670f283b..fc2b996ebc1028b40adecc2b4b51c52908d9edef 100644 (file)
@@ -49,12 +49,12 @@ bool public_key_equals(public_key_t *this, public_key_t *other)
 {
        key_encoding_type_t type;
        chunk_t a, b;
-       
+
        if (this == other)
        {
                return TRUE;
        }
-       
+
        for (type = 0; type < KEY_ENCODING_MAX; type++)
        {
                if (this->get_fingerprint(this, type, &a) &&
index 984c8c02f7004aa4fa85c97ca7b77aba9b577ff0..f490d1324717ea25848485cb7c742ebb42c2a38c 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup public_key public_key
  * @{ @ingroup keys
@@ -53,7 +53,7 @@ extern enum_name_t *key_type_names;
  * Signature scheme for signature creation
  *
  * EMSA-PKCS1 signatures are defined in PKCS#1 standard.
- * A prepended ASN.1 encoded digestInfo field contains the 
+ * A prepended ASN.1 encoded digestInfo field contains the
  * OID of the used hash algorithm.
  */
 enum signature_scheme_t {
@@ -107,7 +107,7 @@ struct public_key_t {
         * @return                      type of the key
         */
        key_type_t (*get_type)(public_key_t *this);
-       
+
        /**
         * Verifies a signature against a chunk of data.
         *
@@ -116,9 +116,9 @@ struct public_key_t {
         * @param signature     signature to check
         * @return                      TRUE if signature matches
         */
-       bool (*verify)(public_key_t *this, signature_scheme_t scheme, 
+       bool (*verify)(public_key_t *this, signature_scheme_t scheme,
                                   chunk_t data, chunk_t signature);
-       
+
        /**
         * Encrypt a chunk of data.
         *
@@ -127,10 +127,10 @@ struct public_key_t {
         * @return                      TRUE if data successfully encrypted
         */
        bool (*encrypt)(public_key_t *this, chunk_t plain, chunk_t *crypto);
-       
+
        /**
         * Check if two public keys are equal.
-        * 
+        *
         * @param other         other public key
         * @return                      TRUE, if equality
         */
@@ -138,11 +138,11 @@ struct public_key_t {
 
        /**
         * Get the strength of the key in bytes.
-        * 
+        *
         * @return                      strength of the key in bytes
         */
        size_t (*get_keysize) (public_key_t *this);
-       
+
        /**
         * Get the fingerprint of the key.
         *
@@ -152,7 +152,7 @@ struct public_key_t {
         */
        bool (*get_fingerprint)(public_key_t *this, key_encoding_type_t type,
                                                        chunk_t *fp);
-       
+
        /**
         * Get the key in an encoded form as a chunk.
         *
@@ -162,14 +162,14 @@ struct public_key_t {
         */
        bool (*get_encoding)(public_key_t *this, key_encoding_type_t type,
                                                 chunk_t *encoding);
-       
+
        /**
         * Increase the refcount of the key.
         *
         * @return                      this with an increased refcount
         */
        public_key_t* (*get_ref)(public_key_t *this);
-       
+
        /**
         * Destroy a public_key instance.
         */
@@ -187,7 +187,7 @@ bool public_key_equals(public_key_t *this, public_key_t *other);
 
 /**
  * Conversion of ASN.1 signature or hash OID to signature scheme.
- * 
+ *
  * @param oid                  ASN.1 OID
  * @return                             signature_scheme, SIGN_UNKNOWN if OID is unsupported
  */
index c6f14144680751c0d2d5bfe62fad1fe353747a2c..f695c078d9a59bbe9ab92c3a7b60ddf1f5a578a4 100644 (file)
@@ -34,17 +34,17 @@ struct private_shared_key_t {
         * public functions
         */
        shared_key_t public;
-       
+
        /**
         * type of this shared key
         */
        shared_key_type_t type;
-       
+
        /**
         * associated shared key data
         */
        chunk_t key;
-       
+
        /**
         * reference counter
         */
@@ -94,16 +94,16 @@ static void destroy(private_shared_key_t *this)
 shared_key_t *shared_key_create(shared_key_type_t type, chunk_t key)
 {
        private_shared_key_t *this = malloc_thing(private_shared_key_t);
-       
+
        this->public.get_type = (shared_key_type_t (*)(shared_key_t *this))get_type;
        this->public.get_key = (chunk_t (*)(shared_key_t *this))get_key;
        this->public.get_ref = (shared_key_t* (*)(shared_key_t *this))get_ref;
        this->public.destroy = (void(*)(shared_key_t*))destroy;
-       
+
        this->type = type;
        this->key = key;
        this->ref = 1;
-       
+
        return &this->public;
 }
 
index ceb1309b7af83a893b5e96825d1741f0d6b48e8f..33d734b50b3100d0f065b61fe7bd115bbbb2c451 100644 (file)
@@ -55,28 +55,28 @@ extern enum_name_t *shared_key_type_names;
  * reading.
  */
 struct shared_key_t {
-       
+
        /**
         * Get the kind of this key.
         *
         * @return                      type of the key
         */
        shared_key_type_t (*get_type)(shared_key_t *this);
-       
+
        /**
         * Get the shared key data.
         *
         * @return                      chunk pointing to the internal key
         */
        chunk_t (*get_key)(shared_key_t *this);
-       
-       /** 
+
+       /**
         * Increase refcount of the key.
         *
-        * @return                      this with an increased refcount 
+        * @return                      this with an increased refcount
         */
        shared_key_t* (*get_ref)(shared_key_t *this);
-               
+
        /**
      * Destroy a shared_key instance if all references are gone.
      */
index 2879e24c063643f67a53d3f023927562869d5e1d..dc3c3a7ff34de612741fdf75c57a8d47ddbff71e 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup crypter crypter
  * @{ @ingroup crypto
@@ -76,7 +76,7 @@ extern enum_name_t *encryption_algorithm_names;
  * Generic interface for symmetric encryption algorithms.
  */
 struct crypter_t {
-       
+
        /**
         * Encrypt a chunk of data and allocate space for the encrypted value.
         *
@@ -90,14 +90,14 @@ struct crypter_t {
         */
        void (*encrypt) (crypter_t *this, chunk_t data, chunk_t iv,
                                         chunk_t *encrypted);
-       
+
        /**
         * Decrypt a chunk of data and allocate space for the decrypted value.
         *
         * The length of the iv must equal to get_block_size(), while the length
         * of data must be a multiple it.
         * If decrpyted is NULL, the encryption is done in-place (overwriting data).
-        * 
+        *
         * @param data                  data to decrypt
         * @param iv                    initializing vector
         * @param encrypted             chunk to allocate decrypted data, or NULL
@@ -107,18 +107,18 @@ struct crypter_t {
 
        /**
         * Get the block size of the crypto algorithm.
-        * 
+        *
         * @return                                      block size in bytes
         */
        size_t (*get_block_size) (crypter_t *this);
 
        /**
         * Get the key size of the crypto algorithm.
-        * 
+        *
         * @return                                      key size in bytes
         */
        size_t (*get_key_size) (crypter_t *this);
-       
+
        /**
         * Set the key.
         *
@@ -127,7 +127,7 @@ struct crypter_t {
         * @param key                           key to set
         */
        void (*set_key) (crypter_t *this, chunk_t key);
-       
+
        /**
         * Destroys a crypter_t object.
         */
@@ -136,7 +136,7 @@ struct crypter_t {
 
 /**
  * Conversion of ASN.1 OID to encryption algorithm.
- * 
+ *
  * @param oid                  ASN.1 OID
  * @param key_size             returns size of encryption key in bits
  * @return                             encryption algorithm, ENCR_UNDEFINED if OID unsupported
@@ -145,7 +145,7 @@ encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size);
 
 /**
  * Conversion of encryption algorithm to ASN.1 OID.
- * 
+ *
  * @param alg                  encryption algorithm
  * @param key_size             size of encryption key in bits
  * @return                             ASN.1 OID, OID_UNKNOWN if OID is unknown
index e928e8cdf370613cf57cfe98ead0ecd3e1737df2..ceb44b0b3f4bc39efc498b93e27dde1894cd626d 100644 (file)
@@ -46,52 +46,52 @@ struct private_crypto_factory_t {
         * public functions
         */
        crypto_factory_t public;
-       
+
        /**
         * registered crypters, as entry_t
         */
        linked_list_t *crypters;
-       
+
        /**
         * registered signers, as entry_t
         */
        linked_list_t *signers;
-       
+
        /**
         * registered hashers, as entry_t
         */
        linked_list_t *hashers;
-       
+
        /**
         * registered prfs, as entry_t
         */
        linked_list_t *prfs;
-       
+
        /**
         * registered rngs, as entry_t
         */
        linked_list_t *rngs;
-       
+
        /**
         * registered diffie hellman, as entry_t
         */
        linked_list_t *dhs;
-       
+
        /**
         * test manager to test crypto algorithms
         */
        crypto_tester_t *tester;
-       
+
        /**
         * whether to test algorithms during registration
         */
        bool test_on_add;
-       
+
        /**
         * whether to test algorithms on each crypto primitive construction
         */
        bool test_on_create;
-       
+
        /**
         * rwlock to lock access to modules
         */
@@ -107,7 +107,7 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
        enumerator_t *enumerator;
        entry_t *entry;
        crypter_t *crypter = NULL;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->crypters->create_enumerator(this->crypters);
        while (enumerator->enumerate(enumerator, &entry))
@@ -141,7 +141,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
        enumerator_t *enumerator;
        entry_t *entry;
        signer_t *signer = NULL;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->signers->create_enumerator(this->signers);
        while (enumerator->enumerate(enumerator, &entry))
@@ -163,7 +163,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
        }
        enumerator->destroy(enumerator);
        this->lock->unlock(this->lock);
-       
+
        return signer;
 }
 
@@ -243,7 +243,7 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
        entry_t *entry;
        u_int diff = ~0;
        rng_constructor_t constr = NULL;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->rngs->create_enumerator(this->rngs);
        while (enumerator->enumerate(enumerator, &entry))
@@ -311,7 +311,7 @@ static void add_crypter(private_crypto_factory_t *this,
                this->tester->test_crypter(this->tester, algo, 0, create))
        {
                entry_t *entry = malloc_thing(entry_t);
-               
+
                entry->algo = algo;
                entry->create_crypter = create;
                this->lock->write_lock(this->lock);
@@ -328,7 +328,7 @@ static void remove_crypter(private_crypto_factory_t *this,
 {
        entry_t *entry;
        enumerator_t *enumerator;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->crypters->create_enumerator(this->crypters);
        while (enumerator->enumerate(enumerator, &entry))
@@ -353,7 +353,7 @@ static void add_signer(private_crypto_factory_t *this,
                this->tester->test_signer(this->tester, algo, create))
        {
                entry_t *entry = malloc_thing(entry_t);
-               
+
                entry->algo = algo;
                entry->create_signer = create;
                this->lock->write_lock(this->lock);
@@ -370,7 +370,7 @@ static void remove_signer(private_crypto_factory_t *this,
 {
        entry_t *entry;
        enumerator_t *enumerator;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->signers->create_enumerator(this->signers);
        while (enumerator->enumerate(enumerator, &entry))
@@ -395,7 +395,7 @@ static void add_hasher(private_crypto_factory_t *this, hash_algorithm_t algo,
                this->tester->test_hasher(this->tester, algo, create))
        {
                entry_t *entry = malloc_thing(entry_t);
-               
+
                entry->algo = algo;
                entry->create_hasher = create;
                this->lock->write_lock(this->lock);
@@ -412,7 +412,7 @@ static void remove_hasher(private_crypto_factory_t *this,
 {
        entry_t *entry;
        enumerator_t *enumerator;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->hashers->create_enumerator(this->hashers);
        while (enumerator->enumerate(enumerator, &entry))
@@ -437,7 +437,7 @@ static void add_prf(private_crypto_factory_t *this,
                this->tester->test_prf(this->tester, algo, create))
        {
                entry_t *entry = malloc_thing(entry_t);
-               
+
                entry->algo = algo;
                entry->create_prf = create;
                this->lock->write_lock(this->lock);
@@ -453,7 +453,7 @@ static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
 {
        entry_t *entry;
        enumerator_t *enumerator;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->prfs->create_enumerator(this->prfs);
        while (enumerator->enumerate(enumerator, &entry))
@@ -478,7 +478,7 @@ static void add_rng(private_crypto_factory_t *this, rng_quality_t quality,
                this->tester->test_rng(this->tester, quality, create))
        {
                entry_t *entry = malloc_thing(entry_t);
-               
+
                entry->algo = quality;
                entry->create_rng = create;
                this->lock->write_lock(this->lock);
@@ -494,7 +494,7 @@ static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create)
 {
        entry_t *entry;
        enumerator_t *enumerator;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->rngs->create_enumerator(this->rngs);
        while (enumerator->enumerate(enumerator, &entry))
@@ -516,7 +516,7 @@ static void add_dh(private_crypto_factory_t *this, diffie_hellman_group_t group,
                                   dh_constructor_t create)
 {
        entry_t *entry = malloc_thing(entry_t);
-       
+
        entry->algo = group;
        entry->create_dh = create;
        this->lock->write_lock(this->lock);
@@ -531,7 +531,7 @@ static void remove_dh(private_crypto_factory_t *this, dh_constructor_t create)
 {
        entry_t *entry;
        enumerator_t *enumerator;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->dhs->create_enumerator(this->dhs);
        while (enumerator->enumerate(enumerator, &entry))
@@ -713,7 +713,7 @@ static void destroy(private_crypto_factory_t *this)
 crypto_factory_t *crypto_factory_create()
 {
        private_crypto_factory_t *this = malloc_thing(private_crypto_factory_t);
-       
+
        this->public.create_crypter = (crypter_t*(*)(crypto_factory_t*, encryption_algorithm_t, size_t))create_crypter;
        this->public.create_signer = (signer_t*(*)(crypto_factory_t*, integrity_algorithm_t))create_signer;
        this->public.create_hasher = (hasher_t*(*)(crypto_factory_t*, hash_algorithm_t))create_hasher;
@@ -739,7 +739,7 @@ crypto_factory_t *crypto_factory_create()
        this->public.create_dh_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_dh_enumerator;
        this->public.add_test_vector = (void(*)(crypto_factory_t*, transform_type_t type, ...))add_test_vector;
        this->public.destroy = (void(*)(crypto_factory_t*))destroy;
-       
+
        this->crypters = linked_list_create();
        this->signers = linked_list_create();
        this->hashers = linked_list_create();
@@ -752,7 +752,7 @@ crypto_factory_t *crypto_factory_create()
                                                                "libstrongswan.crypto_test.on_add", FALSE);
        this->test_on_create = lib->settings->get_bool(lib->settings,
                                                                "libstrongswan.crypto_test.on_create", FALSE);
-       
+
        return &this->public;
 }
 
index f1ebcf90a11c2485f2cf563e450bbc5cb28783cc..9c6effd26be5206ee01a30cac1309c43d49df951 100644 (file)
@@ -76,7 +76,7 @@ struct crypto_factory_t {
         */
        crypter_t* (*create_crypter)(crypto_factory_t *this,
                                                                 encryption_algorithm_t algo, size_t key_size);
-       
+
        /**
         * Create a symmetric signer instance.
         *
@@ -93,7 +93,7 @@ struct crypto_factory_t {
         * @return                              hasher_t instance, NULL if not supported
         */
        hasher_t* (*create_hasher)(crypto_factory_t *this, hash_algorithm_t algo);
-       
+
        /**
         * Create a pseudo random function instance.
         *
@@ -101,7 +101,7 @@ struct crypto_factory_t {
         * @return                              prf_t instance, NULL if not supported
         */
        prf_t* (*create_prf)(crypto_factory_t *this, pseudo_random_function_t algo);
-       
+
        /**
         * Create a source of randomness.
         *
@@ -109,7 +109,7 @@ struct crypto_factory_t {
         * @return                              rng_t instance, NULL if no RNG with such a quality
         */
        rng_t* (*create_rng)(crypto_factory_t *this, rng_quality_t quality);
-       
+
        /**
         * Create a diffie hellman instance.
         *
@@ -118,7 +118,7 @@ struct crypto_factory_t {
         */
        diffie_hellman_t* (*create_dh)(crypto_factory_t *this,
                                                                   diffie_hellman_group_t group);
-       
+
        /**
         * Register a crypter constructor.
         *
@@ -128,14 +128,14 @@ struct crypto_factory_t {
         */
        void (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo,
                                                crypter_constructor_t create);
-       
+
        /**
         * Unregister a crypter constructor.
         *
         * @param create                constructor function to unregister
         */
        void (*remove_crypter)(crypto_factory_t *this, crypter_constructor_t create);
-       
+
        /**
         * Register a signer constructor.
         *
@@ -145,14 +145,14 @@ struct crypto_factory_t {
         */
        void (*add_signer)(crypto_factory_t *this, integrity_algorithm_t algo,
                                           signer_constructor_t create);
-       
+
        /**
         * Unregister a signer constructor.
         *
         * @param create                constructor function to unregister
         */
        void (*remove_signer)(crypto_factory_t *this, signer_constructor_t create);
-       
+
        /**
         * Register a hasher constructor.
         *
@@ -165,14 +165,14 @@ struct crypto_factory_t {
         */
        void (*add_hasher)(crypto_factory_t *this, hash_algorithm_t algo,
                                           hasher_constructor_t create);
-       
+
        /**
         * Unregister a hasher constructor.
         *
         * @param create                constructor function to unregister
         */
        void (*remove_hasher)(crypto_factory_t *this, hasher_constructor_t create);
-       
+
        /**
         * Register a prf constructor.
         *
@@ -182,14 +182,14 @@ struct crypto_factory_t {
         */
        void (*add_prf)(crypto_factory_t *this, pseudo_random_function_t algo,
                                        prf_constructor_t create);
-       
+
        /**
         * Unregister a prf constructor.
         *
         * @param create                constructor function to unregister
         */
        void (*remove_prf)(crypto_factory_t *this, prf_constructor_t create);
-       
+
        /**
         * Register a source of randomness.
         *
@@ -197,14 +197,14 @@ struct crypto_factory_t {
         * @param create                constructor function for such a quality
         */
        void (*add_rng)(crypto_factory_t *this, rng_quality_t quality, rng_constructor_t create);
-       
+
        /**
         * Unregister a source of randomness.
         *
         * @param create                constructor function to unregister
         */
        void (*remove_rng)(crypto_factory_t *this, rng_constructor_t create);
-       
+
        /**
         * Register a diffie hellman constructor.
         *
@@ -214,49 +214,49 @@ struct crypto_factory_t {
         */
        void (*add_dh)(crypto_factory_t *this, diffie_hellman_group_t group,
                                   dh_constructor_t create);
-       
+
        /**
         * Unregister a diffie hellman constructor.
         *
         * @param create                constructor function to unregister
         */
        void (*remove_dh)(crypto_factory_t *this, dh_constructor_t create);
-       
+
        /**
         * Create an enumerator over all registered crypter algorithms.
         *
         * @return                              enumerator over encryption_algorithm_t
         */
        enumerator_t* (*create_crypter_enumerator)(crypto_factory_t *this);
-       
+
        /**
         * Create an enumerator over all registered signer algorithms.
         *
         * @return                              enumerator over integrity_algorithm_t
         */
        enumerator_t* (*create_signer_enumerator)(crypto_factory_t *this);
-       
+
        /**
         * Create an enumerator over all registered hasher algorithms.
         *
         * @return                              enumerator over hash_algorithm_t
         */
        enumerator_t* (*create_hasher_enumerator)(crypto_factory_t *this);
-       
+
        /**
         * Create an enumerator over all registered PRFs.
         *
         * @return                              enumerator over pseudo_random_function_t
         */
        enumerator_t* (*create_prf_enumerator)(crypto_factory_t *this);
-       
+
        /**
         * Create an enumerator over all registered diffie hellman groups.
         *
         * @return                              enumerator over diffie_hellman_group_t
         */
        enumerator_t* (*create_dh_enumerator)(crypto_factory_t *this);
-       
+
        /**
         * Add a test vector to the crypto factory.
         *
@@ -264,7 +264,7 @@ struct crypto_factory_t {
         * @param ...                   pointer to a test vector, defined in crypto_tester.h
         */
        void (*add_test_vector)(crypto_factory_t *this, transform_type_t type, ...);
-       
+
        /**
         * Destroy a crypto_factory instance.
         */
index 4d13474a100529cfb000ba6ff17400839e95d3cf..86daf65f91d53316874d5d82dc5d308a7dd57f17 100644 (file)
@@ -24,42 +24,42 @@ typedef struct private_crypto_tester_t private_crypto_tester_t;
  * Private data of an crypto_tester_t object.
  */
 struct private_crypto_tester_t {
-       
+
        /**
         * Public crypto_tester_t interface.
         */
        crypto_tester_t public;
-       
+
        /**
         * List of crypter test vectors
         */
        linked_list_t *crypter;
-       
+
        /**
         * List of signer test vectors
         */
        linked_list_t *signer;
-       
+
        /**
         * List of hasher test vectors
         */
        linked_list_t *hasher;
-       
+
        /**
         * List of PRF test vectors
         */
        linked_list_t *prf;
-       
+
        /**
         * List of RNG test vectors
         */
        linked_list_t *rng;
-       
+
        /**
         * Is a test vector required to pass a test?
         */
        bool required;
-       
+
        /**
         * should we run RNG_TRUE tests? Enough entropy?
         */
@@ -76,13 +76,13 @@ static bool test_crypter(private_crypto_tester_t *this,
        crypter_test_vector_t *vector;
        bool failed = FALSE;
        u_int tested = 0;
-       
+
        enumerator = this->crypter->create_enumerator(this->crypter);
        while (enumerator->enumerate(enumerator, &vector))
        {
                crypter_t *crypter;
                chunk_t key, plain, cipher, iv;
-               
+
                if (vector->alg != alg)
                {
                        continue;
@@ -96,14 +96,14 @@ static bool test_crypter(private_crypto_tester_t *this,
                {       /* key size not supported... */
                        continue;
                }
-               
+
                failed = FALSE;
                tested++;
-               
+
                key = chunk_create(vector->key, crypter->get_key_size(crypter));
                crypter->set_key(crypter, key);
                iv = chunk_create(vector->iv, crypter->get_block_size(crypter));
-               
+
                /* allocated encryption */
                plain = chunk_create(vector->plain, vector->len);
                crypter->encrypt(crypter, plain, iv, &cipher);
@@ -132,7 +132,7 @@ static bool test_crypter(private_crypto_tester_t *this,
                        failed = TRUE;
                }
                free(plain.ptr);
-               
+
                crypter->destroy(crypter);
                if (failed)
                {
@@ -167,18 +167,18 @@ static bool test_signer(private_crypto_tester_t *this,
        signer_test_vector_t *vector;
        bool failed = FALSE;
        u_int tested = 0;
-       
+
        enumerator = this->signer->create_enumerator(this->signer);
        while (enumerator->enumerate(enumerator, &vector))
        {
                signer_t *signer;
                chunk_t key, data, mac;
-               
+
                if (vector->alg != alg)
                {
                        continue;
                }
-               
+
                tested++;
                signer = create(alg);
                if (!signer)
@@ -188,12 +188,12 @@ static bool test_signer(private_crypto_tester_t *this,
                        failed = TRUE;
                        break;
                }
-               
+
                failed = FALSE;
-               
+
                key = chunk_create(vector->key, signer->get_key_size(signer));
                signer->set_key(signer, key);
-               
+
                /* allocated signature */
                data = chunk_create(vector->data, vector->len);
                signer->allocate_signature(signer, data, &mac);
@@ -236,7 +236,7 @@ static bool test_signer(private_crypto_tester_t *this,
                        }
                }
                free(mac.ptr);
-               
+
                signer->destroy(signer);
                if (failed)
                {
@@ -271,18 +271,18 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
        hasher_test_vector_t *vector;
        bool failed = FALSE;
        u_int tested = 0;
-       
+
        enumerator = this->hasher->create_enumerator(this->hasher);
        while (enumerator->enumerate(enumerator, &vector))
        {
                hasher_t *hasher;
                chunk_t data, hash;
-               
+
                if (vector->alg != alg)
                {
                        continue;
                }
-               
+
                tested++;
                hasher = create(alg);
                if (!hasher)
@@ -292,9 +292,9 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
                        failed = TRUE;
                        break;
                }
-               
+
                failed = FALSE;
-               
+
                /* allocated hash */
                data = chunk_create(vector->data, vector->len);
                hasher->allocate_hash(hasher, data, &hash);
@@ -326,7 +326,7 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
                        }
                }
                free(hash.ptr);
-               
+
                hasher->destroy(hasher);
                if (failed)
                {
@@ -361,18 +361,18 @@ static bool test_prf(private_crypto_tester_t *this,
        prf_test_vector_t *vector;
        bool failed = FALSE;
        u_int tested = 0;
-       
+
        enumerator = this->prf->create_enumerator(this->prf);
        while (enumerator->enumerate(enumerator, &vector))
        {
                prf_t *prf;
                chunk_t key, seed, out;
-               
+
                if (vector->alg != alg)
                {
                        continue;
                }
-               
+
                tested++;
                prf = create(alg);
                if (!prf)
@@ -382,12 +382,12 @@ static bool test_prf(private_crypto_tester_t *this,
                        failed = TRUE;
                        break;
                }
-               
+
                failed = FALSE;
-               
+
                key = chunk_create(vector->key, vector->key_size);
                prf->set_key(prf, key);
-               
+
                /* allocated bytes */
                seed = chunk_create(vector->seed, vector->len);
                prf->allocate_bytes(prf, seed, &out);
@@ -427,7 +427,7 @@ static bool test_prf(private_crypto_tester_t *this,
                        }
                }
                free(out.ptr);
-               
+
                prf->destroy(prf);
                if (failed)
                {
@@ -462,25 +462,25 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
        rng_test_vector_t *vector;
        bool failed = FALSE;
        u_int tested = 0;
-       
+
        if (!this->rng_true && quality == RNG_TRUE)
        {
                DBG1("enabled  %N: skipping test (disabled by config)",
                         rng_quality_names, quality);
                return TRUE;
        }
-       
+
        enumerator = this->rng->create_enumerator(this->rng);
        while (enumerator->enumerate(enumerator, &vector))
        {
                rng_t *rng;
                chunk_t data;
-               
+
                if (vector->quality != quality)
                {
                        continue;
                }
-               
+
                tested++;
                rng = create(quality);
                if (!rng)
@@ -490,9 +490,9 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
                        failed = TRUE;
                        break;
                }
-               
+
                failed = FALSE;
-               
+
                /* allocated bytes */
                rng->allocate_bytes(rng, vector->len, &data);
                if (data.len != vector->len)
@@ -511,7 +511,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
                        failed = TRUE;
                }
                free(data.ptr);
-               
+
                rng->destroy(rng);
                if (failed)
                {
@@ -600,7 +600,7 @@ static void destroy(private_crypto_tester_t *this)
 crypto_tester_t *crypto_tester_create()
 {
        private_crypto_tester_t *this = malloc_thing(private_crypto_tester_t);
-       
+
        this->public.test_crypter = (bool(*)(crypto_tester_t*, encryption_algorithm_t alg,size_t key_size, crypter_constructor_t create))test_crypter;
        this->public.test_signer = (bool(*)(crypto_tester_t*, integrity_algorithm_t alg, signer_constructor_t create))test_signer;
        this->public.test_hasher = (bool(*)(crypto_tester_t*, hash_algorithm_t alg, hasher_constructor_t create))test_hasher;
@@ -612,18 +612,18 @@ crypto_tester_t *crypto_tester_create()
        this->public.add_prf_vector = (void(*)(crypto_tester_t*, prf_test_vector_t *vector))add_prf_vector;
        this->public.add_rng_vector = (void(*)(crypto_tester_t*, rng_test_vector_t *vector))add_rng_vector;
        this->public.destroy = (void(*)(crypto_tester_t*))destroy;
-       
+
        this->crypter = linked_list_create();
        this->signer = linked_list_create();
        this->hasher = linked_list_create();
        this->prf = linked_list_create();
        this->rng = linked_list_create();
-       
+
        this->required = lib->settings->get_bool(lib->settings,
                                                                "libstrongswan.crypto_test.required", FALSE);
        this->rng_true = lib->settings->get_bool(lib->settings,
                                                                "libstrongswan.crypto_test.rng_true", FALSE);
-       
+
        return &this->public;
 }
 
index d2929f33d05e793861c38b18a71dda9682867887..ddab48dd6b68dc5651f6acc03a27aa4d83c8560e 100644 (file)
@@ -109,12 +109,12 @@ struct rng_test_vector_t {
  * Cryptographic primitive testing framework.
  */
 struct crypto_tester_t {
-       
+
        /**
         * Test a crypter algorithm, optionally using a specified key size.
         *
         * @param alg                   algorithm to test
-        * @param key_size              key size to test, 0 for all 
+        * @param key_size              key size to test, 0 for all
         * @param create                constructor function for the crypter
         * @return                              TRUE if test passed
         */
@@ -183,14 +183,14 @@ struct crypto_tester_t {
         * @param vector                pointer to test vector
         */
        void (*add_prf_vector)(crypto_tester_t *this, prf_test_vector_t *vector);
-       
+
        /**
         * Add a test vector to test a RNG.
         *
         * @param vector                pointer to test vector
         */
        void (*add_rng_vector)(crypto_tester_t *this, rng_test_vector_t *vector);
-       
+
        /**
         * Destroy a crypto_tester_t.
         */
index a40a735260e578a7168143251c906c2381ef77e1..842938c3b2f87f035cb49cfb53e27f8f7d555044 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup diffie_hellman diffie_hellman
  * @{ @ingroup crypto
@@ -32,7 +32,7 @@ typedef struct diffie_hellman_t diffie_hellman_t;
  *
  * The modulus (or group) to use for a Diffie-Hellman calculation.
  * See IKEv2 RFC 3.3.2 and RFC 3526.
- * 
+ *
  * ECP groups are defined in RFC 4753 and RFC 5114.
  */
 enum diffie_hellman_group_t {
@@ -63,39 +63,39 @@ extern enum_name_t *diffie_hellman_group_names;
  * Implementation of the Diffie-Hellman algorithm, as in RFC2631.
  */
 struct diffie_hellman_t {
-               
+
        /**
         * Returns the shared secret of this diffie hellman exchange.
-        *      
-        * Space for returned secret is allocated and must be 
+        *
+        * Space for returned secret is allocated and must be
         * freed by the caller.
-        * 
+        *
         * @param secret        shared secret will be written into this chunk
         * @return                      SUCCESS, FAILED if not both DH values are set
         */
        status_t (*get_shared_secret) (diffie_hellman_t *this, chunk_t *secret);
-       
+
        /**
         * Sets the public value of partner.
-        *      
+        *
         * Chunk gets cloned and can be destroyed afterwards.
-        * 
+        *
         * @param value         public value of partner
         */
        void (*set_other_public_value) (diffie_hellman_t *this, chunk_t value);
-       
+
        /**
         * Gets the own public value to transmit.
-        *      
+        *
         * Space for returned chunk is allocated and must be freed by the caller.
-        * 
+        *
         * @param value         public value of caller is stored at this location
         */
        void (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value);
-       
+
        /**
         * Get the DH group used.
-        * 
+        *
         * @return                      DH group set in construction
         */
        diffie_hellman_group_t (*get_dh_group) (diffie_hellman_t *this);
index 6deed37ab800591c562c53290a1d0b8e5ed44b2f..21652d724036b2b7890605d5c776bef12f9def55 100644 (file)
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup hasher hasher
  * @{ @ingroup crypto
@@ -66,43 +66,43 @@ extern enum_name_t *hash_algorithm_names;
 struct hasher_t {
        /**
         * Hash data and write it in the buffer.
-        * 
+        *
         * If the parameter hash is NULL, no result is written back
         * and more data can be appended to already hashed data.
         * If not, the result is written back and the hasher is reset.
-        * 
+        *
         * The hash output parameter must hold at least
         * hash_t.get_block_size() bytes.
-        * 
+        *
         * @param data          data to hash
         * @param hash          pointer where the hash will be written
         */
        void (*get_hash) (hasher_t *this, chunk_t data, u_int8_t *hash);
-       
+
        /**
         * Hash data and allocate space for the hash.
-        * 
+        *
         * If the parameter hash is NULL, no result is written back
         * and more data can be appended to already hashed data.
         * If not, the result is written back and the hasher is reset.
-        * 
+        *
         * @param data          chunk with data to hash
         * @param hash          chunk which will hold allocated hash
         */
        void (*allocate_hash) (hasher_t *this, chunk_t data, chunk_t *hash);
-       
+
        /**
         * Get the size of the resulting hash.
-        * 
+        *
         * @return                      hash size in bytes
         */
        size_t (*get_hash_size) (hasher_t *this);
-       
+
        /**
         * Resets the hashers state.
         */
        void (*reset) (hasher_t *this);
-       
+
        /**
         * Destroys a hasher object.
         */
@@ -111,7 +111,7 @@ struct hasher_t {
 
 /**
  * Conversion of ASN.1 OID to hash algorithm.
- * 
+ *
  * @param oid                  ASN.1 OID
  * @return                             hash algorithm, HASH_UNKNOWN if OID unsuported
  */
@@ -119,7 +119,7 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid);
 
 /**
  * Conversion of hash algorithm into ASN.1 OID.
- * 
+ *
  * @param alg                  hash algorithm
  * @return                             ASN.1 OID, or OID_UNKNOW
  */
@@ -127,7 +127,7 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg);
 
 /**
  * Conversion of hash signature algorithm into ASN.1 OID.
- * 
+ *
  * @param alg                  hash algorithm
  * @return                             ASN.1 OID if, or OID_UNKNOW
  */
index e0ea9a35590df59db9c4ee4de26801827e19f29c..f3ec2d839f5d52392d187e6d10cefe0d5e521d01 100644 (file)
@@ -114,13 +114,13 @@ static char ASN1_pkcs7_encrypted_data_oid_str[] = {
                  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06
 };
 
-static const chunk_t ASN1_pkcs7_data_oid = 
+static const chunk_t ASN1_pkcs7_data_oid =
                                                chunk_from_buf(ASN1_pkcs7_data_oid_str);
 static const chunk_t ASN1_pkcs7_signed_data_oid =
                                                chunk_from_buf(ASN1_pkcs7_signed_data_oid_str);
 static const chunk_t ASN1_pkcs7_enveloped_data_oid =
                                                chunk_from_buf(ASN1_pkcs7_enveloped_data_oid_str);
-static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid = 
+static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid =
                                                chunk_from_buf(ASN1_pkcs7_signed_enveloped_data_oid_str);
 static const chunk_t ASN1_pkcs7_digested_data_oid =
                                                chunk_from_buf(ASN1_pkcs7_digested_data_oid_str);
@@ -140,7 +140,7 @@ static u_char ASN1_des_cbc_oid_str[] = {
                  0x2B, 0x0E, 0x03, 0x02, 0x07
 };
 
-static const chunk_t ASN1_3des_ede_cbc_oid = 
+static const chunk_t ASN1_3des_ede_cbc_oid =
                                                chunk_from_buf(ASN1_3des_ede_cbc_oid_str);
 static const chunk_t ASN1_des_cbc_oid =
                                                chunk_from_buf(ASN1_des_cbc_oid_str);
@@ -769,7 +769,7 @@ bool build_envelopedData(private_pkcs7_t *this, x509_t *cert,
         */
        {
                rng_t *rng;
-               
+
                rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
                rng->allocate_bytes(rng, crypter->get_key_size(crypter), &symmetricKey);
                DBG4("  symmetric encryption key: %B", &symmetricKey);
@@ -808,12 +808,12 @@ bool build_envelopedData(private_pkcs7_t *this, x509_t *cert,
        chunk_clear(&in);
     DBG3("  encrypted data: %B", &out);
 
-       /* build pkcs7 enveloped data object */ 
+       /* build pkcs7 enveloped data object */
        {
                chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "cm",
                                        alg_oid,
                                        asn1_wrap(ASN1_OCTET_STRING, "m", iv));
-       
+
                chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm",
                                        ASN1_pkcs7_data_oid,
                                        contentEncryptionAlgorithm,
@@ -866,7 +866,7 @@ bool build_signedData(private_pkcs7_t *this, rsa_private_key_t *private_key,
                if(this->data.ptr != NULL)
                {
                        hasher_t *hasher;
-               
+
                        hasher = lib->crypto->create_hasher(lib->crypto, alg);
                        if (hasher == NULL)
                        {
@@ -874,13 +874,13 @@ bool build_signedData(private_pkcs7_t *this, rsa_private_key_t *private_key,
                                         hash_algorithm_names, alg);
                                return FALSE;
                        }
-               
+
                        /* take the current time as signingTime */
                        time_t now = time(NULL);
                        chunk_t signingTime = asn1_from_time(&now, ASN1_UTCTIME);
 
                        chunk_t messageDigest, attributes;
-       
+
                        hasher->allocate_hash(hasher, this->data, &messageDigest);
                        hasher->destroy(hasher);
                        this->attributes->set_attribute(this->attributes,
@@ -1008,7 +1008,7 @@ end:
 static private_pkcs7_t *pkcs7_create_empty(void)
 {
        private_pkcs7_t *this = malloc_thing(private_pkcs7_t);
-       
+
        /* initialize */
        this->type = OID_UNKNOWN;
        this->content = chunk_empty;
@@ -1043,7 +1043,7 @@ static private_pkcs7_t *pkcs7_create_empty(void)
 pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level)
 {
        private_pkcs7_t *this = pkcs7_create_empty();
-       
+
        this->level = level + 2;
        if (!parse_contentInfo(chunk, level, this))
        {
index 49684f3f8c288faf3dbe577463dc9aa020dcc637..c4d452286d0511691df01d00eb68ce2856b3f627 100644 (file)
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup pkcs7 pkcs7
  * @{ @ingroup crypto
@@ -38,35 +38,35 @@ typedef struct pkcs7_t pkcs7_t;
 struct pkcs7_t {
        /**
         * Check if the PKCS#7 contentType is data
-        * 
+        *
         * @return                              TRUE if the contentType is data
         */
        bool (*is_data) (pkcs7_t *this);
 
        /**
         * Check if the PKCS#7 contentType is signedData
-        * 
+        *
         * @return                              TRUE if the contentType is signedData
         */
        bool (*is_signedData) (pkcs7_t *this);
 
        /**
         * Check if the PKCS#7 contentType is envelopedData
-        * 
+        *
         * @return                              TRUE if the contentType is envelopedData
         */
        bool (*is_envelopedData) (pkcs7_t *this);
 
        /**
         * Parse a PKCS#7 data content.
-        * 
+        *
         * @return                              TRUE if parsing was successful
         */
        bool (*parse_data) (pkcs7_t *this);
 
        /**
         * Parse a PKCS#7 signedData content.
-        * 
+        *
         * @param cacert                cacert used to verify the signature
         * @return                              TRUE if parsing was successful
         */
@@ -74,7 +74,7 @@ struct pkcs7_t {
 
        /**
         * Parse a PKCS#7 envelopedData content.
-        * 
+        *
         * @param serialNumber  serialNumber of the request
         * @param key                   private key used to decrypt the symmetric key
         * @return                              TRUE if parsing was successful
@@ -97,21 +97,21 @@ struct pkcs7_t {
 
        /**
         * Create an iterator for the certificates.
-        * 
+        *
         * @return                              iterator for the certificates
         */
        iterator_t *(*create_certificate_iterator) (pkcs7_t *this);
 
        /**
         * Add a certificate.
-        * 
+        *
         * @param cert                  certificate to be included
         */
        void (*set_certificate) (pkcs7_t *this, x509_t *cert);
 
        /**
         * Add authenticated attributes.
-        * 
+        *
         * @param attributes    attributes to be included
         */
        void (*set_attributes) (pkcs7_t *this, pkcs9_t *attributes);
@@ -151,7 +151,7 @@ struct pkcs7_t {
 
 /**
  * Read a PKCS#7 contentInfo object from a DER encoded chunk.
- * 
+ *
  * @param chunk                chunk containing DER encoded data
  * @param level                ASN.1 parsing start level
  * @return                     created pkcs7_contentInfo object, or NULL if invalid.
@@ -160,7 +160,7 @@ pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level);
 
 /**
  * Create a PKCS#7 contentInfo object
- * 
+ *
  * @param data                 chunk containing data
  * @return                             created pkcs7_contentInfo object.
  */
index 525ea9db57f67f29a92de098ea17d0b84ae4e558..9585e54f15f98eec151cfd42521c68ea852e5b48 100644 (file)
@@ -68,7 +68,7 @@ struct attribute_t {
 
        /**
         * Destroys the attribute.
-        * 
+        *
         * @param this                  attribute to destroy
         */
        void (*destroy) (attribute_t *this);
@@ -243,7 +243,7 @@ static void build_encoding(private_pkcs9_t *this)
        /* allocate memory for the attributes and build the encoding */
        {
                u_char *pos = asn1_build_object(&this->encoding, ASN1_SET, attributes_len);
-               
+
                iterator = this->attributes->create_iterator(this->attributes, TRUE);
 
                while (iterator->iterate(iterator, (void**)&attribute))
@@ -346,7 +346,7 @@ static void destroy(private_pkcs9_t *this)
 static private_pkcs9_t *pkcs9_create_empty(void)
 {
        private_pkcs9_t *this = malloc_thing(private_pkcs9_t);
-       
+
        /* initialize */
        this->encoding = chunk_empty;
        this->attributes = linked_list_create();
@@ -452,7 +452,7 @@ end:
 pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level)
 {
        private_pkcs9_t *this = pkcs9_create_empty();
-       
+
        this->encoding = chunk_clone(chunk);
 
        if (!parse_attributes(chunk, level, this))
index 80d9157010dd6363644add284f23176fbe7becd7..5b85692d61dc21f05eb7e0ba854c9b935559b816 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup pkcs9 pkcs9
  * @{ @ingroup crypto
@@ -29,7 +29,7 @@ typedef struct pkcs9_t pkcs9_t;
  * PKCS#9 attributes.
  */
 struct pkcs9_t {
-       
+
        /**
         * Generate ASN.1 encoding of attribute list
         */
@@ -54,7 +54,7 @@ struct pkcs9_t {
         * Adds a PKCS#9 attribute
         *
         * @param oid                   OID of the attribute
-        * @param value                 ASN.1 encoded value of the attribute 
+        * @param value                 ASN.1 encoded value of the attribute
         */
        void (*set_attribute) (pkcs9_t *this, int oid, chunk_t value);
 
@@ -68,7 +68,7 @@ struct pkcs9_t {
        /**
         * Add a PKCS#9 messageDigest attribute
         *
-        * @param value                 messageDigest 
+        * @param value                 messageDigest
         */
        void (*set_messageDigest) (pkcs9_t *this, chunk_t value);
 
@@ -80,7 +80,7 @@ struct pkcs9_t {
 
 /**
  * Read a PKCS#9 attribute list from a DER encoded chunk.
- * 
+ *
  * @param chunk                chunk containing DER encoded data
  * @param level                ASN.1 parsing start level
  * @return                     created pkcs9 attribute list, or NULL if invalid.
@@ -89,7 +89,7 @@ pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level);
 
 /**
  * Create an empty PKCS#9 attribute list
- * 
+ *
  * @return                             created pkcs9 attribute list.
  */
 pkcs9_t *pkcs9_create(void);
index a4fc377efa29dc9a6958626548ca6a8346032eae..6bd0f74650b8a38599127b39218dfd8b68a0d4eb 100644 (file)
@@ -22,34 +22,34 @@ typedef struct private_prf_plus_t private_prf_plus_t;
 
 /**
  * Private data of an prf_plus_t object.
- * 
+ *
  */
 struct private_prf_plus_t {
        /**
         * Public interface of prf_plus_t.
         */
        prf_plus_t public;
-       
+
        /**
         * PRF to use.
         */
        prf_t *prf;
-       
+
        /**
         * Initial seed.
         */
        chunk_t seed;
-       
+
        /**
         * Buffer to store current PRF result.
         */
        chunk_t buffer;
-               
+
        /**
         * Already given out bytes in current buffer.
         */
        size_t given_out;
-       
+
        /**
         * Octet which will be appended to the seed.
         */
@@ -60,18 +60,18 @@ struct private_prf_plus_t {
  * Implementation of prf_plus_t.get_bytes.
  */
 static void get_bytes(private_prf_plus_t *this, size_t length, u_int8_t *buffer)
-{      
+{
        chunk_t appending_chunk;
        size_t bytes_in_round;
        size_t total_bytes_written = 0;
-       
+
        appending_chunk.ptr = &(this->appending_octet);
        appending_chunk.len = 1;
-       
+
        while (length > 0)
        {       /* still more to do... */
                if (this->buffer.len == this->given_out)
-               {       /* no bytes left in buffer, get next*/  
+               {       /* no bytes left in buffer, get next*/
                        this->prf->get_bytes(this->prf, this->buffer, NULL);
                        this->prf->get_bytes(this->prf, this->seed, NULL);
                        this->prf->get_bytes(this->prf, appending_chunk, this->buffer.ptr);
@@ -82,7 +82,7 @@ static void get_bytes(private_prf_plus_t *this, size_t length, u_int8_t *buffer)
                bytes_in_round = min(length, this->buffer.len - this->given_out);
                /* copy bytes from buffer with offset */
                memcpy(buffer + total_bytes_written, this->buffer.ptr + this->given_out, bytes_in_round);
-               
+
                length -= bytes_in_round;
                this->given_out += bytes_in_round;
                total_bytes_written += bytes_in_round;
@@ -91,7 +91,7 @@ static void get_bytes(private_prf_plus_t *this, size_t length, u_int8_t *buffer)
 
 /**
  * Implementation of prf_plus_t.allocate_bytes.
- */    
+ */
 static void allocate_bytes(private_prf_plus_t *this, size_t length, chunk_t *chunk)
 {
        if (length)
@@ -123,23 +123,23 @@ prf_plus_t *prf_plus_create(prf_t *prf, chunk_t seed)
 {
        private_prf_plus_t *this;
        chunk_t appending_chunk;
-       
+
        this = malloc_thing(private_prf_plus_t);
 
        /* set public methods */
        this->public.get_bytes = (void (*)(prf_plus_t *,size_t,u_int8_t*))get_bytes;
        this->public.allocate_bytes = (void (*)(prf_plus_t *,size_t,chunk_t*))allocate_bytes;
        this->public.destroy = (void (*)(prf_plus_t *))destroy;
-       
+
        /* take over prf */
        this->prf = prf;
-       
+
        /* allocate buffer for prf output */
        this->buffer.len = prf->get_block_size(prf);
        this->buffer.ptr = malloc(this->buffer.len);
 
        this->appending_octet = 0x01;
-       
+
        /* clone seed */
        this->seed.ptr = clalloc(seed.ptr, seed.len);
        this->seed.len = seed.len;
@@ -151,6 +151,6 @@ prf_plus_t *prf_plus_create(prf_t *prf, chunk_t seed)
        this->prf->get_bytes(this->prf, appending_chunk, this->buffer.ptr);
        this->given_out = 0;
        this->appending_octet++;
-       
+
        return &(this->public);
 }
index 2e5b66152547a681a4af2e47cb1e6a6e45df2f42..4179f2695a6f2ef1281c338da9928d05df346005 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup prf_plus prf_plus
  * @{ @ingroup crypto
@@ -36,26 +36,26 @@ typedef struct prf_plus_t prf_plus_t;
 struct prf_plus_t {
        /**
         * Get pseudo random bytes.
-        * 
+        *
         * Get the next few bytes of the prf+ output. Space
         * must be allocated by the caller.
-        * 
+        *
         * @param length        number of bytes to get
         * @param buffer        pointer where the generated bytes will be written
         */
        void (*get_bytes) (prf_plus_t *this, size_t length, u_int8_t *buffer);
-       
+
        /**
         * Allocate pseudo random bytes.
-        * 
+        *
         * Get the next few bytes of the prf+ output. This function
         * will allocate the required space.
-        * 
+        *
         * @param length        number of bytes to get
         * @param chunk         chunk which will hold generated bytes
         */
        void (*allocate_bytes) (prf_plus_t *this, size_t length, chunk_t *chunk);
-       
+
        /**
         * Destroys a prf_plus_t object.
         */
@@ -64,11 +64,11 @@ struct prf_plus_t {
 
 /**
  * Creates a new prf_plus_t object.
- * 
+ *
  * Seed will be cloned. prf will
  * not be cloned, must be destroyed outside after
  * prf_plus_t usage.
- * 
+ *
  * @param prf                          prf object to use
  * @param seed                         input seed for prf
  * @return                                     prf_plus_t object
index f2a5afc45f9f64fde1698d0daa457262f7c72e56..6e853444f4cee1088b1bfdae7da7da0cc0e55722 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup prf prf
  * @{ @ingroup crypto
@@ -55,7 +55,7 @@ enum pseudo_random_function_t {
        PRF_FIPS_SHA1_160 = 1025,
        /** FIPS 186-2-change1, uses fixed output size of 160bit */
        PRF_FIPS_DES = 1026,
-       /** 
+       /**
         * Keyed hash algorithm using SHA1, used in EAP-AKA:
         * This PRF uses SHA1, but XORs the key into the IV. No "Final()" operation
         * is applied to the SHA1 state. */
@@ -78,39 +78,39 @@ struct prf_t {
         * @param buffer        pointer where the generated bytes will be written
         */
        void (*get_bytes) (prf_t *this, chunk_t seed, u_int8_t *buffer);
-       
+
        /**
         * Generates pseudo random bytes and allocate space for them.
-        * 
+        *
         * @param seed          a chunk containing the seed for the next bytes
         * @param chunk         chunk which will hold generated bytes
         */
        void (*allocate_bytes) (prf_t *this, chunk_t seed, chunk_t *chunk);
-       
+
        /**
         * Get the block size of this prf_t object.
-        * 
+        *
         * @return                      block size in bytes
         */
        size_t (*get_block_size) (prf_t *this);
-       
+
        /**
         * Get the key size of this prf_t object.
         *
         * This is a suggestion only, all implemented PRFs accept variable key
         * length.
-        * 
+        *
         * @return                      key size in bytes
         */
        size_t (*get_key_size) (prf_t *this);
-       
+
        /**
         * Set the key for this prf_t object.
-        * 
+        *
         * @param key           key to set
         */
        void (*set_key) (prf_t *this, chunk_t key);
-       
+
        /**
         * Destroys a prf object.
         */
index 86cb7ef092cbf27d2839440376420750be03776d..fb2c846307952b350cad0eddd8f9c5e36fcbbedd 100644 (file)
@@ -24,7 +24,7 @@ struct proposal_token {
     char             *name;
     transform_type_t  type;
        u_int16_t         algorithm;
-    u_int16_t         keysize;  
+    u_int16_t         keysize;
 };
 
 extern const proposal_token_t* proposal_get_token(register const char *str,
index 89bc2f2de5ca11177cc21a22449cf1f2df63c195..36ef52bb498e04507ed50cb1dcfe523bfbc49b02 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup rng rng
  * @{ @ingroup crypto
@@ -55,15 +55,15 @@ struct rng_t {
         * @param buffer        pointer where the generated bytes will be written
         */
        void (*get_bytes) (rng_t *this, size_t len, u_int8_t *buffer);
-       
+
        /**
         * Generates random bytes and allocate space for them.
-        * 
+        *
         * @param len           number of bytes to get
         * @param chunk         chunk which will hold generated bytes
         */
        void (*allocate_bytes) (rng_t *this, size_t len, chunk_t *chunk);
-       
+
        /**
         * Destroys a rng object.
         */
index 0d9bfc5af6ffab38b236d87d271eef3ebcdd6ff1..c222af8ea549026adfc4ef423baf6fced33254f4 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup signer signer
  * @{ @ingroup crypto
@@ -80,53 +80,53 @@ struct signer_t {
         *
         * If buffer is NULL, data is processed and prepended to a next call until
         * buffer is a valid pointer.
-        * 
+        *
         * @param data          a chunk containing the data to sign
         * @param buffer        pointer where the signature will be written
         */
        void (*get_signature) (signer_t *this, chunk_t data, u_int8_t *buffer);
-       
+
        /**
         * Generate a signature and allocate space for it.
         *
         * If chunk is NULL, data is processed and prepended to a next call until
         * chunk is a valid chunk pointer.
-        * 
+        *
         * @param data          a chunk containing the data to sign
         * @param chunk         chunk which will hold the allocated signature
         */
        void (*allocate_signature) (signer_t *this, chunk_t data, chunk_t *chunk);
-       
+
        /**
         * Verify a signature.
-        * 
+        *
         * @param data          a chunk containing the data to verify
         * @param signature     a chunk containing the signature
         * @return                      TRUE, if signature is valid, FALSE otherwise
         */
        bool (*verify_signature) (signer_t *this, chunk_t data, chunk_t signature);
-       
+
        /**
         * Get the block size of this signature algorithm.
-        * 
+        *
         * @return                      block size in bytes
         */
        size_t (*get_block_size) (signer_t *this);
-       
+
        /**
         * Get the key size of the signature algorithm.
-        * 
+        *
         * @return                      key size in bytes
         */
        size_t (*get_key_size) (signer_t *this);
-       
+
        /**
         * Set the key for this object.
-        * 
+        *
         * @param key           key to set
         */
        void (*set_key) (signer_t *this, chunk_t key);
-       
+
        /**
         * Destroys a signer_t object.
         */
index 16472d869a8870b7ece172c91b30bf4a06ff3c67..42f1f8d5b18e78ba5a6f8cfa7762ab07e99f0320 100644 (file)
@@ -63,12 +63,12 @@ enum db_driver_t {
    char *atext;
    database_t *db;
    enumerator_t *enumerator;
-   
+
    db = lib->database->create("mysql://user:pass@host/database");
    affected = db->execute(db, &rowid, "INSERT INTO table VALUES (?, ?)",
                                                  DB_INT, 77, DB_TEXT, "a text");
    printf("inserted %d row, new row ID: %d\n", affected, rowid);
-   
+
    enumerator = db->query(db, "SELECT aint, atext FROM table WHERE aint > ?",
                                                  DB_INT, 10,           // 1 argument to SQL string
                                                  DB_INT, DB_TEXT); // 2 enumerated types in query
@@ -83,7 +83,7 @@ enum db_driver_t {
    @endcode
  */
 struct database_t {
-       
+
        /**
         * Run a query which returns rows, such as a SELECT.
         *
@@ -93,7 +93,7 @@ struct database_t {
         * @return                      enumerator as defined with arguments, NULL on failure
         */
        enumerator_t* (*query)(database_t *this, char *sql, ...);
-       
+
        /**
         * Execute a query which dows not return rows, such as INSERT.
         *
@@ -103,7 +103,7 @@ struct database_t {
         * @return                      number of affected rows, < 0 on failure
         */
        int (*execute)(database_t *this, int *rowid, char *sql, ...);
-       
+
        /**
         * Get the database implementation type.
         *
@@ -113,7 +113,7 @@ struct database_t {
         * @return                      database implementation type
         */
        db_driver_t (*get_driver)(database_t *this);
-       
+
        /**
      * Destroy a database connection.
      */
index ef69278743e984b72999aba154c7b32e8367764a..c0c666138db20bc2c2366d58f44d48ef4c8a1875 100644 (file)
@@ -29,12 +29,12 @@ struct private_database_factory_t {
         * public functions
         */
        database_factory_t public;
-       
+
        /**
         * list of registered database_t implementations
         */
        linked_list_t *databases;
-       
+
        /**
         * mutex to lock access to databases
         */
@@ -49,7 +49,7 @@ static database_t* create(private_database_factory_t *this, char *uri)
        enumerator_t *enumerator;
        database_t *database = NULL;
        database_constructor_t create;
-       
+
        this->mutex->lock(this->mutex);
        enumerator = this->databases->create_enumerator(this->databases);
        while (enumerator->enumerate(enumerator, &create))
@@ -103,15 +103,15 @@ static void destroy(private_database_factory_t *this)
 database_factory_t *database_factory_create()
 {
        private_database_factory_t *this = malloc_thing(private_database_factory_t);
-       
+
        this->public.create = (database_t*(*)(database_factory_t*, char *url))create;
        this->public.add_database = (void(*)(database_factory_t*, database_constructor_t))add_database;
        this->public.remove_database = (void(*)(database_factory_t*, database_constructor_t))remove_database;
        this->public.destroy = (void(*)(database_factory_t*))destroy;
-       
+
        this->databases = linked_list_create();
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
-       
+
        return &this->public;
 }
 
index 8875adad78206b22c1b1196100ff385f8694c252..04ca3da13ffd0e840f6f2414b9db895d89e48f0e 100644 (file)
@@ -44,21 +44,21 @@ struct database_factory_t {
         * @return                      database_t instance, NULL if not supported/failed
         */
        database_t* (*create)(database_factory_t *this, char *uri);
-       
+
        /**
         * Register a database constructor.
         *
         * @param create        database constructor to register
         */
        void (*add_database)(database_factory_t *this, database_constructor_t create);
-       
+
        /**
         * Unregister a previously registered database constructor.
         *
         * @param create        database constructor to unregister
         */
        void (*remove_database)(database_factory_t *this, database_constructor_t create);
-       
+
        /**
      * Destroy a database_factory instance.
      */
index b4a84cf76d28189cca2ac4e81375570bb9d7a53d..3db58ba748b45f7767573b4763fd283a4f739c4d 100644 (file)
@@ -26,7 +26,7 @@ void dbg_default(int level, char *fmt, ...)
        if (level <= 1)
        {
                va_list args;
-       
+
                va_start(args, fmt);
                vfprintf(stderr, fmt, args);
                fprintf(stderr, "\n");
index 1413ff54e91c017ba4c0e39e295d6d5721235211..c54eb293ca3c51087391f16f99e9e1e939ae46e3 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup debug debug
  * @{ @ingroup libstrongswan
index 3f3ca1172a14b9a07948059f531ff44360790421..5536f46eaaccc56447b773f228bd86fdc68aec5f 100644 (file)
@@ -98,7 +98,7 @@ struct enum_name_t {
  *
  * This is a convenience macro to use when a enum_name list contains only
  * one range, and is equal as defining ENUM_BEGIN followed by ENUM_END.
- * 
+ *
  * @param name name of the enum_name list
  * @param first        enum value of the first enum string
  * @param last enum value of the last enum string
@@ -109,7 +109,7 @@ struct enum_name_t {
 /**
  * printf hook function for enum_names_t.
  *
- * Arguments are: 
+ * Arguments are:
  *    enum_names_t *names, int value
  */
 int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
index 70d14bf973e7e78ab9128be0709c29fe666e533e..f312206bb39c47d6f22bd2b6cfe61da70846d0e5 100644 (file)
@@ -33,36 +33,36 @@ typedef enum fetcher_option_t fetcher_option_t;
  */
 enum fetcher_option_t {
 
-       /** 
+       /**
         * Data to include in fetch request, e.g. on a HTTP post.
         * Additional argument is a chunk_t
         */
        FETCH_REQUEST_DATA,
-       
-       /** 
+
+       /**
         * Mime-Type of data included in FETCH_REQUEST_DATA.
         * Additional argument is a char*.
         */
        FETCH_REQUEST_TYPE,
-       
-       /** 
+
+       /**
         * HTTP header to be sent with with the fetch request.
         * Additional argument is a char*.
         */
        FETCH_REQUEST_HEADER,
 
-       /** 
+       /**
         * Use HTTP Version 1.0 instead of 1.1.
         * No additional argument is needed.
         */
        FETCH_HTTP_VERSION_1_0,
 
-       /** 
+       /**
         * Timeout to use for fetch, in seconds.
         * Additional argument is u_int
         */
        FETCH_TIMEOUT,
-       
+
        /**
         * end of fetching options
         */
@@ -96,7 +96,7 @@ struct fetcher_t {
         *                                      - FAILED, NOT_FOUND, PARSE_ERROR on failure
         */
        status_t (*fetch)(fetcher_t *this, char *uri, chunk_t *result);
-       
+
        /**
         * Set a fetcher option, as defined in fetcher_option_t.
         *
@@ -107,11 +107,11 @@ struct fetcher_t {
         * @return                      TRUE if option supported, FALSE otherwise
         */
        bool (*set_option)(fetcher_t *this, fetcher_option_t option, ...);
-       
+
        /**
         * Destroy the fetcher instance.
         */
-       void (*destroy)(fetcher_t *this);       
+       void (*destroy)(fetcher_t *this);
 };
 
 #endif /** FETCHER_H_ @}*/
index 1f87412c8c378375957057c6e9370f3ca9ca8a31..7a31f17c36ae3922b6c4a06716a0581ea0de6b42 100644 (file)
@@ -30,12 +30,12 @@ struct private_fetcher_manager_t {
         * public functions
         */
        fetcher_manager_t public;
-       
+
        /**
         * list of registered fetchers, as entry_t
         */
        linked_list_t *fetchers;
-       
+
        /**
         * read write lock to list
         */
@@ -68,7 +68,7 @@ static status_t fetch(private_fetcher_manager_t *this,
        status_t status = NOT_SUPPORTED;
        entry_t *entry;
        bool capable = FALSE;
-       
+
        this->lock->read_lock(this->lock);
        enumerator = this->fetchers->create_enumerator(this->fetchers);
        while (enumerator->enumerate(enumerator, &entry))
@@ -119,7 +119,7 @@ static status_t fetch(private_fetcher_manager_t *this,
                        fetcher->destroy(fetcher);
                        continue;
                }
-               
+
                status = fetcher->fetch(fetcher, url, response);
                fetcher->destroy(fetcher);
                /* try another fetcher only if this one does not support that URL */
@@ -142,11 +142,11 @@ static status_t fetch(private_fetcher_manager_t *this,
 /**
  * Implementation of fetcher_manager_t.add_fetcher.
  */
-static void add_fetcher(private_fetcher_manager_t *this,       
+static void add_fetcher(private_fetcher_manager_t *this,
                                                fetcher_constructor_t create, char *url)
 {
        entry_t *entry = malloc_thing(entry_t);
-       
+
        entry->url = strdup(url);
        entry->create = create;
 
@@ -163,7 +163,7 @@ static void remove_fetcher(private_fetcher_manager_t *this,
 {
        enumerator_t *enumerator;
        entry_t *entry;
-       
+
        this->lock->write_lock(this->lock);
        enumerator = this->fetchers->create_enumerator(this->fetchers);
        while (enumerator->enumerate(enumerator, &entry))
@@ -194,15 +194,15 @@ static void destroy(private_fetcher_manager_t *this)
 fetcher_manager_t *fetcher_manager_create()
 {
        private_fetcher_manager_t *this = malloc_thing(private_fetcher_manager_t);
-       
+
        this->public.fetch = (status_t(*)(fetcher_manager_t*, char *url, chunk_t *response, ...))fetch;
        this->public.add_fetcher = (void(*)(fetcher_manager_t*, fetcher_constructor_t,char*))add_fetcher;
        this->public.remove_fetcher = (void(*)(fetcher_manager_t*, fetcher_constructor_t))remove_fetcher;
        this->public.destroy = (void(*)(fetcher_manager_t*))destroy;
-       
+
        this->fetchers = linked_list_create();
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-       
+
        return &this->public;
 }
 
index 183964d6c23a12cde16e24aef38fdf899a310f42..273e0809902f00c11d27533baca94b7c95e669ea 100644 (file)
@@ -51,15 +51,15 @@ struct fetcher_manager_t {
         */
        void (*add_fetcher)(fetcher_manager_t *this,
                                                fetcher_constructor_t constructor, char *url);
-       
+
        /**
         * Unregister a previously registered fetcher implementation.
         *
         * @param constructor   fetcher constructor function to unregister
         */
-       void (*remove_fetcher)(fetcher_manager_t *this, 
+       void (*remove_fetcher)(fetcher_manager_t *this,
                                                   fetcher_constructor_t constructor);
-       
+
        /**
      * Destroy a fetcher_manager instance.
      */
index 32a296d79e988fc75ba7b3613d1c714bbb037b21..51da4e725b10dbcc1085ec554377708c42c9a5cf 100644 (file)
@@ -35,22 +35,22 @@ typedef struct private_integrity_checker_t private_integrity_checker_t;
  * Private data of an integrity_checker_t object.
  */
 struct private_integrity_checker_t {
-       
+
        /**
         * Public integrity_checker_t interface.
         */
        integrity_checker_t public;
-       
+
        /**
         * dlopen handle to checksum library
         */
        void *handle;
-       
+
        /**
         * checksum array
         */
        integrity_checksum_t *checksums;
-       
+
        /**
         * number of checksums in array
         */
@@ -68,21 +68,21 @@ static u_int32_t build_file(private_integrity_checker_t *this, char *file,
        struct stat sb;
        void *addr;
        int fd;
-       
+
        fd = open(file, O_RDONLY);
        if (fd == -1)
        {
                DBG1("  opening '%s' failed: %s", file, strerror(errno));
                return 0;
        }
-       
+
        if (fstat(fd, &sb) == -1)
        {
                DBG1("  getting file size of '%s' failed: %s", file, strerror(errno));
                close(fd);
                return 0;
        }
-       
+
        addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
        if (addr == MAP_FAILED)
        {
@@ -91,13 +91,13 @@ static u_int32_t build_file(private_integrity_checker_t *this, char *file,
                return 0;
        }
 
-       *len = sb.st_size;      
+       *len = sb.st_size;
        contents = chunk_create(addr, sb.st_size);
        checksum = chunk_hash(contents);
-       
+
        munmap(addr, sb.st_size);
        close(fd);
-       
+
        return checksum;
 }
 
@@ -116,11 +116,11 @@ static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
                dlpi->dlpi_name && *dlpi->dlpi_name)
        {
                int i;
-               
+
                for (i = 0; i < dlpi->dlpi_phnum; i++)
                {
                        const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i];
-                       
+
                        /* we are interested in the executable LOAD segment */
                        if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X))
                        {
@@ -143,7 +143,7 @@ static u_int32_t build_segment(private_integrity_checker_t *this, void *sym,
 {
        chunk_t segment;
        Dl_info dli;
-       
+
        if (dladdr(sym, &dli) == 0)
        {
                DBG1("  unable to locate symbol: %s", dlerror());
@@ -155,7 +155,7 @@ static u_int32_t build_segment(private_integrity_checker_t *this, void *sym,
                DBG1("  executable section not found");
                return 0;
        }
-       
+
        segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
        *len = segment.len;
        return chunk_hash(segment);
@@ -168,7 +168,7 @@ static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
                                                                                   char *name)
 {
        int i;
-       
+
        for (i = 0; i < this->checksum_count; i++)
        {
                if (streq(this->checksums[i].name, name))
@@ -188,7 +188,7 @@ static bool check_file(private_integrity_checker_t *this,
        integrity_checksum_t *cs;
        u_int32_t sum;
        size_t len = 0;
-       
+
        cs = find_checksum(this, name);
        if (!cs)
        {
@@ -225,7 +225,7 @@ static bool check_segment(private_integrity_checker_t *this,
        integrity_checksum_t *cs;
        u_int32_t sum;
        size_t len = 0;
-       
+
        cs = find_checksum(this, name);
        if (!cs)
        {
@@ -259,7 +259,7 @@ static bool check_segment(private_integrity_checker_t *this,
 static bool check(private_integrity_checker_t *this, char *name, void *sym)
 {
        Dl_info dli;
-       
+
        if (dladdr(sym, &dli) == 0)
        {
                DBG1("unable to locate symbol: %s", dlerror());
@@ -294,14 +294,14 @@ static void destroy(private_integrity_checker_t *this)
 integrity_checker_t *integrity_checker_create(char *checksum_library)
 {
        private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t);
-       
+
        this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file;
        this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file;
        this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment;
        this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment;
        this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check;
        this->public.destroy = (void(*)(integrity_checker_t*))destroy;
-       
+
        this->checksum_count = 0;
        this->handle = NULL;
        if (checksum_library)
@@ -310,7 +310,7 @@ integrity_checker_t *integrity_checker_create(char *checksum_library)
                if (this->handle)
                {
                        int *checksum_count;
-               
+
                        this->checksums = dlsym(this->handle, "checksums");
                        checksum_count = dlsym(this->handle, "checksum_count");
                        if (this->checksums && checksum_count)
index d078dd6fb0a452699345c1423a0d87d6a0fef935..332997b17f37c1c6b961bde8c2fceee7528f5153 100644 (file)
@@ -34,11 +34,11 @@ struct integrity_checksum_t {
        /* name of the checksum */
        char *name;
        /* size in bytes of the file on disk */
-       size_t file_len; 
+       size_t file_len;
        /* checksum of the file on disk */
        u_int32_t file;
        /* size in bytes of executable segment in memory */
-       size_t segment_len; 
+       size_t segment_len;
        /* checksum of the executable segment in memory */
        u_int32_t segment;
 };
@@ -59,7 +59,7 @@ struct integrity_checker_t {
         * @return                      TRUE if integrity tested successfully
         */
        bool (*check_file)(integrity_checker_t *this, char *name, char *file);
-       
+
        /**
         * Build the integrity checksum of a file on disk.
         *
@@ -68,7 +68,7 @@ struct integrity_checker_t {
         * @return                      checksum, 0 on error
         */
        u_int32_t (*build_file)(integrity_checker_t *this, char *file, size_t *len);
-       
+
        /**
         * Check the integrity of the code segment in memory.
         *
@@ -85,7 +85,7 @@ struct integrity_checker_t {
         * @return                      checksum, 0 on error
         */
        u_int32_t (*build_segment)(integrity_checker_t *this, void *sym, size_t *len);
-       
+
        /**
         * Check both, on disk file integrity and loaded segment.
         *
@@ -94,7 +94,7 @@ struct integrity_checker_t {
         * @return                      TRUE if integrity tested successfully
         */
        bool (*check)(integrity_checker_t *this, char *name, void *sym);
-       
+
        /**
         * Destroy a integrity_checker_t.
         */
index b4203e70410e9763fc667f920c783d8af2353a2c..001f5380966c88fae54e5667dfafeb91c09c0a8d 100644 (file)
@@ -73,7 +73,7 @@ void library_deinit()
        {
                this->public.integrity->destroy(this->public.integrity);
        }
-       
+
 #ifdef LEAK_DETECTIVE
        if (this->detective)
        {
@@ -92,16 +92,16 @@ bool library_init(char *settings)
        printf_hook_t *pfh;
        private_library_t *this = malloc_thing(private_library_t);
        lib = &this->public;
-       
+
        lib->leak_detective = FALSE;
-       
+
 #ifdef LEAK_DETECTIVE
        this->detective = leak_detective_create();
 #endif /* LEAK_DETECTIVE */
 
        pfh = printf_hook_create();
        this->public.printf_hook = pfh;
-       
+
        pfh->add_handler(pfh, 'b', mem_printf_hook,
                                         PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_INT,
                                         PRINTF_HOOK_ARGTYPE_END);
@@ -120,7 +120,7 @@ bool library_init(char *settings)
                                         PRINTF_HOOK_ARGTYPE_END);
        pfh->add_handler(pfh, 'Y', identification_printf_hook,
                                         PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END);
-       
+
        this->public.settings = settings_create(settings);
        this->public.crypto = crypto_factory_create();
        this->public.creds = credential_factory_create();
@@ -129,7 +129,7 @@ bool library_init(char *settings)
        this->public.db = database_factory_create();
        this->public.plugins = plugin_loader_create();
        this->public.integrity = NULL;
-       
+
        if (lib->settings->get_bool(lib->settings,
                                                                "libstrongswan.integrity_test", FALSE))
        {
index 0e086c08f595cc86e45b31a66312c3c8967a0b8e..c4c6d80d2f0f272d4f920b102b52574718406c87 100644 (file)
@@ -75,47 +75,47 @@ struct library_t {
         * Printf hook registering facility
         */
        printf_hook_t *printf_hook;
-       
+
        /**
         * crypto algorithm registry and factory
         */
        crypto_factory_t *crypto;
-       
+
        /**
         * credential constructor registry and factory
         */
        credential_factory_t *creds;
-       
+
        /**
         * key encoding registry and factory
         */
        key_encoding_t *encoding;
-       
+
        /**
         * URL fetching facility
         */
        fetcher_manager_t *fetcher;
-       
+
        /**
         * database construction factory
         */
        database_factory_t *db;
-       
+
        /**
         * plugin loading facility
         */
        plugin_loader_t *plugins;
-       
+
        /**
         * various settings loaded from settings file
         */
        settings_t *settings;
-       
+
        /**
         * integrity checker to verify code integrity
         */
        integrity_checker_t *integrity;
-       
+
        /**
         * is leak detective running?
         */
index c5b091750ce41e5231655e2343c134bb627224e7..10d48cf67ff3561a932b24eb60de5606f9e86860 100644 (file)
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include "aes_crypter.h"
 
 /*
@@ -36,26 +36,26 @@ typedef struct private_aes_crypter_t private_aes_crypter_t;
 
 /**
  * Class implementing the AES symmetric encryption algorithm.
- * 
+ *
  * @ingroup crypters
  */
 struct private_aes_crypter_t {
-       
+
        /**
         * Public part of this class.
         */
        aes_crypter_t public;
-       
+
        /**
         * Number of words in the key input block.
         */
        u_int32_t    aes_Nkey;
-       
+
        /**
         * The number of cipher rounds.
         */
        u_int32_t    aes_Nrnd;
-       
+
        /**
        * The encryption key schedule.
        */
@@ -65,7 +65,7 @@ struct private_aes_crypter_t {
        * The decryption key schedule.
        */
        u_int32_t    aes_d_key[AES_KS_LENGTH];
-       
+
        /**
        * Key size of this AES cypher object.
        */
@@ -84,13 +84,13 @@ struct private_aes_crypter_t {
  *     is not defined, individually declared 32-bit words are used.
  * 6.  Define FAST_VARIABLE if a high speed variable block implementation
  *     is needed (essentially three separate fixed block size code sequences)
- * 7.  Define either ONE_TABLE or FOUR_TABLES for a fast table driven 
+ * 7.  Define either ONE_TABLE or FOUR_TABLES for a fast table driven
  *     version using 1 table (2 kbytes of table space) or 4 tables (8
  *     kbytes of table space) for higher speed.
- * 8.  Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed 
+ * 8.  Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed
  *     increase by using tables for the last rounds but with more table
  *     space (2 or 8 kbytes extra).
- * 9.  If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but 
+ * 9.  If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but
  *     slower version is provided.
  * 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
  *     or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
@@ -131,17 +131,17 @@ struct private_aes_crypter_t {
 
 #if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
 #error an illegal block size has been specified
-#endif  
+#endif
 
 /**
- * Rotates bytes within words by n positions, moving bytes 
+ * Rotates bytes within words by n positions, moving bytes
  * to higher index positions with wrap around into low positions.
- */ 
+ */
 #define upr(x,n)        (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
 /**
- * Moves bytes by n positions to higher index positions in 
+ * Moves bytes by n positions to higher index positions in
  * words but without wrap around.
- */ 
+ */
 #define ups(x,n)        ((x) << 8 * (n))
 
 /**
@@ -154,7 +154,7 @@ struct private_aes_crypter_t {
 
 /* little endian processor without data alignment restrictions: AES_LE_OK */
 /* original code: i386 */
-#if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386) 
+#if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386)
 #define        AES_LE_OK 1
 /* added (tested): alpha  --jjo */
 #elif defined(__alpha__)|| defined (__alpha)
@@ -220,9 +220,9 @@ struct private_aes_crypter_t {
 // give improved performance if a fast 32-bit multiply is not available. Note
 // that a temporary variable u needs to be defined where FFmulX is used.
 
-// #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6)) 
+// #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
 // #define m4  0x1b1b1b1b
-// #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4) 
+// #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
 
 // perform column mix operation on four bytes in parallel
 
@@ -343,7 +343,7 @@ static const u_int32_t rcon_tab[29] =
 #define w2(p)        0x00##p##0000
 #define w3(p)        0x##p##000000
 
-#if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES)) 
+#if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES))
 
 //  data for forward tables (other than last round)
 
@@ -526,7 +526,7 @@ static const u_int32_t it_tab[4][256] =
 
 #endif
 
-#if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES)) 
+#if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES))
 
 //  data for inverse tables (last round)
 
@@ -608,7 +608,7 @@ static const u_int32_t il_tab[4][256] =
 
 #endif
 
-#if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES)) 
+#if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES))
 
 #define m_table \
     r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
@@ -733,8 +733,8 @@ static u_int32_t  im_tab[4][256];
 
 #if !defined(FF_TABLES)
 
-// It will generally be sensible to use tables to compute finite 
-// field multiplies and inverses but where memory is scarse this 
+// It will generally be sensible to use tables to compute finite
+// field multiplies and inverses but where memory is scarse this
 // code might sometimes be better.
 
 // return 2 ^ (n - 1) where n is the bit number of the highest bit
@@ -743,7 +743,7 @@ static u_int32_t  im_tab[4][256];
 
 static unsigned char hibit(const u_int32_t x)
 {   unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
-    
+
     r |= (r >> 2);
     r |= (r >> 4);
     return (r + 1) >> 1;
@@ -761,14 +761,14 @@ static unsigned char FFinv(const unsigned char x)
         if(!n1) return v1;
 
         while(n2 >= n1)
-        {   
+        {
             n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
         }
-        
+
         if(!n2) return v2;
 
         while(n1 >= n2)
-        {   
+        {
             n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
         }
     }
@@ -815,9 +815,9 @@ static void gen_tabs(void)
     // 0x011b as modular polynomial - the simplest primitive
     // root is 0x03, used here to generate the tables
 
-    i = 0; w = 1; 
+    i = 0; w = 1;
     do
-    {   
+    {
         pow[i] = (unsigned char)w;
         pow[i + 255] = (unsigned char)w;
         log[w] = (unsigned char)i++;
@@ -987,8 +987,8 @@ switch(nc) \
 // is being computed, return the input state variables which are
 // needed for each row (r) of the state
 
-// For the fixed block size options, compilers reduce these two 
-// expressions to fixed variable references. For variable block 
+// For the fixed block size options, compilers reduce these two
+// expressions to fixed variable references. For variable block
 // size code conditional clauses will sometimes be returned
 
 #define unused  77  // Sunset Strip
@@ -1226,17 +1226,17 @@ static void encrypt_block(const private_aes_crypter_t *this, const unsigned char
 
     switch(this->aes_Nrnd)
     {
-    case 14:    round(fwd_rnd,  b1, b0, kp         ); 
+    case 14:    round(fwd_rnd,  b1, b0, kp         );
                 round(fwd_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
-    case 12:    round(fwd_rnd,  b1, b0, kp         ); 
+    case 12:    round(fwd_rnd,  b1, b0, kp         );
                 round(fwd_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
-    case 10:    round(fwd_rnd,  b1, b0, kp         );             
+    case 10:    round(fwd_rnd,  b1, b0, kp         );
                 round(fwd_rnd,  b0, b1, kp +     nc);
-                round(fwd_rnd,  b1, b0, kp + 2 * nc); 
+                round(fwd_rnd,  b1, b0, kp + 2 * nc);
                 round(fwd_rnd,  b0, b1, kp + 3 * nc);
-                round(fwd_rnd,  b1, b0, kp + 4 * nc); 
+                round(fwd_rnd,  b1, b0, kp + 4 * nc);
                 round(fwd_rnd,  b0, b1, kp + 5 * nc);
-                round(fwd_rnd,  b1, b0, kp + 6 * nc); 
+                round(fwd_rnd,  b1, b0, kp + 6 * nc);
                 round(fwd_rnd,  b0, b1, kp + 7 * nc);
                 round(fwd_rnd,  b1, b0, kp + 8 * nc);
                 round(fwd_lrnd, b0, b1, kp + 9 * nc);
@@ -1247,7 +1247,7 @@ static void encrypt_block(const private_aes_crypter_t *this, const unsigned char
 
         for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
         {
-            round(fwd_rnd, b1, b0, kp); 
+            round(fwd_rnd, b1, b0, kp);
             round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
         }
 
@@ -1259,7 +1259,7 @@ static void encrypt_block(const private_aes_crypter_t *this, const unsigned char
 
         for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
         {
-            round(fwd_rnd, b1, b0, kp); 
+            round(fwd_rnd, b1, b0, kp);
             l_copy(b0, b1); kp += nc;
         }
 
@@ -1278,7 +1278,7 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
     const u_int32_t  *kp = this->aes_d_key;
 
 #if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
-    u_int32_t        f2, f4, f8, f9; 
+    u_int32_t        f2, f4, f8, f9;
 #endif
 
     state_in(b0, in_blk, kp); kp += nc;
@@ -1291,13 +1291,13 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
                 round(inv_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
     case 12:    round(inv_rnd,  b1, b0, kp         );
                 round(inv_rnd,  b0, b1, kp + nc    ); kp += 2 * nc;
-    case 10:    round(inv_rnd,  b1, b0, kp         );             
+    case 10:    round(inv_rnd,  b1, b0, kp         );
                 round(inv_rnd,  b0, b1, kp +     nc);
-                round(inv_rnd,  b1, b0, kp + 2 * nc); 
+                round(inv_rnd,  b1, b0, kp + 2 * nc);
                 round(inv_rnd,  b0, b1, kp + 3 * nc);
-                round(inv_rnd,  b1, b0, kp + 4 * nc); 
+                round(inv_rnd,  b1, b0, kp + 4 * nc);
                 round(inv_rnd,  b0, b1, kp + 5 * nc);
-                round(inv_rnd,  b1, b0, kp + 6 * nc); 
+                round(inv_rnd,  b1, b0, kp + 6 * nc);
                 round(inv_rnd,  b0, b1, kp + 7 * nc);
                 round(inv_rnd,  b1, b0, kp + 8 * nc);
                 round(inv_lrnd, b0, b1, kp + 9 * nc);
@@ -1308,7 +1308,7 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
 
         for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
         {
-            round(inv_rnd, b1, b0, kp); 
+            round(inv_rnd, b1, b0, kp);
             round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
         }
 
@@ -1320,7 +1320,7 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
 
         for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
         {
-            round(inv_rnd, b1, b0, kp); 
+            round(inv_rnd, b1, b0, kp);
             l_copy(b0, b1); kp += nc;
         }
 
@@ -1340,7 +1340,7 @@ static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
        int pos;
        const u_int32_t *iv_i;
        u_int8_t *in, *out;
-       
+
        if (decrypted)
        {
                *decrypted = chunk_alloc(data.len);
@@ -1351,7 +1351,7 @@ static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
                out = data.ptr;
        }
        in = data.ptr;
-       
+
        pos = data.len-16;
        in += pos;
        out += pos;
@@ -1386,7 +1386,7 @@ static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
        int pos;
        const u_int32_t *iv_i;
        u_int8_t *in, *out;
-       
+
        in = data.ptr;
        out = data.ptr;
        if (encrypted)
@@ -1394,7 +1394,7 @@ static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
                *encrypted = chunk_alloc(data.len);
                out = encrypted->ptr;
        }
-       
+
        pos=0;
        while(pos<data.len)
        {
@@ -1440,18 +1440,18 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
 {
        u_int32_t    *kf, *kt, rci, f = 0;
        u_int8_t *in_key = key.ptr;
-       
-       this->aes_Nrnd = (this->aes_Nkey > (nc) ? this->aes_Nkey : (nc)) + 6; 
-       
+
+       this->aes_Nrnd = (this->aes_Nkey > (nc) ? this->aes_Nkey : (nc)) + 6;
+
        this->aes_e_key[0] = const_word_in(in_key     );
        this->aes_e_key[1] = const_word_in(in_key +  4);
        this->aes_e_key[2] = const_word_in(in_key +  8);
        this->aes_e_key[3] = const_word_in(in_key + 12);
-       
-       kf = this->aes_e_key; 
-       kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey; 
+
+       kf = this->aes_e_key;
+       kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey;
        rci = 0;
-       
+
        switch(this->aes_Nkey)
        {
        case 4: do
@@ -1463,7 +1463,7 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
                        }
                        while(kf < kt);
                        break;
-       
+
        case 6: this->aes_e_key[4] = const_word_in(in_key + 16);
                        this->aes_e_key[5] = const_word_in(in_key + 20);
                        do
@@ -1496,18 +1496,18 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
                        while (kf < kt);
                        break;
        }
-       
+
        if(!f)
     {
                u_int32_t    i;
 
                kt = this->aes_d_key + nc * this->aes_Nrnd;
                kf = this->aes_e_key;
-               
+
                cpy(kt, kf); kt -= 2 * nc;
-               
+
                for(i = 1; i < this->aes_Nrnd; ++i)
-               { 
+               {
 #if defined(ONE_TABLE) || defined(FOUR_TABLES)
 #if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
                        u_int32_t    f2, f4, f8, f9;
@@ -1536,18 +1536,18 @@ static void destroy (private_aes_crypter_t *this)
 aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size)
 {
        private_aes_crypter_t *this;
-       
+
        if (algo != ENCR_AES_CBC)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_aes_crypter_t);
-       
+
        #if !defined(FIXED_TABLES)
        if(!tab_gen) { gen_tabs(); tab_gen = 1; }
        #endif
-       
+
        this->key_size = key_size;
        switch(key_size)
        {
@@ -1564,13 +1564,13 @@ aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size)
                free(this);
                return NULL;
        }
-       
+
        this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
        this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
        this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
        this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
        this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
        this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-       
+
        return &(this->public);
 }
index 19ea6b4b7a54e3eea959bfdb30cc9122675fdf4e..061d72fd6fc871261a179f100d6c2a226cfc6fd4 100644 (file)
@@ -30,7 +30,7 @@ typedef struct aes_crypter_t aes_crypter_t;
  * Class implementing the AES encryption algorithm.
  */
 struct aes_crypter_t {
-       
+
        /**
         * The crypter_t interface.
         */
@@ -39,7 +39,7 @@ struct aes_crypter_t {
 
 /**
  * Constructor to create aes_crypter_t objects.
- * 
+ *
  * @param key_size             key size in bytes
  * @param algo                 algorithm to implement
  * @return                             aes_crypter_t object, NULL if not supported
index 63fa483301654d86e0f7de91104241e4ace925cf..c6215cc7f419fe91597d9c53be2c44caec82eec8 100644 (file)
@@ -47,12 +47,12 @@ static void destroy(private_aes_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_aes_plugin_t *this = malloc_thing(private_aes_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
                                                         (crypter_constructor_t)aes_crypter_create);
-       
+
        return &this->public.plugin;
 }
 
index 84b85d4bd3d6ff733fd9b6f449c530fafaa11524..a8588a99000451560255c6bbfe008f32befd3a2a 100644 (file)
@@ -47,9 +47,9 @@ static void destroy(private_agent_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_agent_plugin_t *this = malloc_thing(private_agent_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                        (builder_constructor_t)agent_private_key_builder);
        return &this->public.plugin;
index 33a5dcb53bb22d532c686ba9fa1893d9d4976b2c..e49af42d8dd43aa20570a7b9376992ee17fea31a 100644 (file)
@@ -16,7 +16,7 @@
 /**
  * @defgroup agent_p agent
  * @ingroup plugins
- * 
+ *
  * @defgroup agent_plugin agent_plugin
  * @{ @ingroup agent_p
  */
index 4e0a8d646834d1e77015d89cce0f3eadda11b303..f5ab36acbf0c81a55cc3d9699237122a706e93ef 100644 (file)
@@ -42,22 +42,22 @@ struct private_agent_private_key_t {
         * Public interface for this signer.
         */
        agent_private_key_t public;
-       
+
        /**
         * ssh-agent unix socket connection
         */
        int socket;
-       
+
        /**
         * key identity blob in ssh format
         */
        chunk_t key;
-       
+
        /**
         * keysize in bytes
         */
        size_t key_size;
-       
+
        /**
         * reference count
         */
@@ -115,7 +115,7 @@ static chunk_t read_string(chunk_t *blob)
 {
        int len;
        chunk_t str;
-       
+
        len = read_uint32(blob);
        if (len > blob->len)
        {
@@ -140,11 +140,11 @@ static int open_connection(char *path)
                DBG1("opening ssh-agent socket %s failed: %s:", path, strerror(errno));
                return -1;
        }
-       
+
        addr.sun_family = AF_UNIX;
        addr.sun_path[UNIX_PATH_MAX - 1] = '\0';
        strncpy(addr.sun_path, path, UNIX_PATH_MAX - 1);
-       
+
        if (connect(s, (struct sockaddr*)&addr, SUN_LEN(&addr)) != 0)
        {
                DBG1("connecting to ssh-agent socket failed: %s", strerror(errno));
@@ -154,7 +154,7 @@ static int open_connection(char *path)
        return s;
 }
 
-/** 
+/**
  * Get the first usable key from the agent
  */
 static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
@@ -162,7 +162,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
        int len, count;
        char buf[2048];
        chunk_t blob = chunk_from_buf(buf), key, type, n;
-       
+
        len = htonl(1);
        buf[0] = SSH_AGENT_ID_REQUEST;
        if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
@@ -171,9 +171,9 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
                DBG1("writing to ssh-agent failed");
                return FALSE;
        }
-       
+
        blob.len = read(this->socket, blob.ptr, blob.len);
-       
+
        if (blob.len < sizeof(u_int32_t) + sizeof(u_char) ||
                read_uint32(&blob) != blob.len ||
                read_byte(&blob) != SSH_AGENT_ID_RESPONSE)
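Review bot: The return value of `read()` is assigned straight to `blob.len` in read_key, so a failed read (-1) is never detected as an error. Assuming `chunk_t.len` is the unsigned `size_t` used elsewhere in the tree, -1 wraps to a huge length that passes the minimum-size test, and rejection then depends on whatever the uninitialised 2048-byte `buf` happens to hold. Keep the result in a signed variable and bail out first: `ssize_t got = read(this->socket, blob.ptr, blob.len);`, `if (got < 0) { DBG1("reading from ssh-agent failed"); return FALSE; }`, `blob.len = got;`. The same pattern is visible in sign(), in the hunk at -259,14. The issue predates this whitespace cleanup, and read_key's body continues outside the hunk.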
@@ -182,7 +182,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
                return FALSE;
        }
        count = read_uint32(&blob);
-       
+
        while (blob.len)
        {
                key = read_string(&blob);
@@ -221,20 +221,20 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 /**
  * Implementation of agent_private_key.destroy.
  */
-static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme, 
+static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
                                 chunk_t data, chunk_t *signature)
 {
        u_int32_t len, flags;
        char buf[2048];
        chunk_t blob = chunk_from_buf(buf);
-       
+
        if (scheme != SIGN_RSA_EMSA_PKCS1_SHA1)
        {
                DBG1("signature scheme %N not supported by ssh-agent",
                         signature_scheme_names, scheme);
                return FALSE;
        }
-       
+
        len = htonl(1 + sizeof(u_int32_t) * 3 + this->key.len + data.len);
        buf[0] = SSH_AGENT_SIGN_REQUEST;
        if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
@@ -243,7 +243,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
                DBG1("writing to ssh-agent failed");
                return FALSE;
        }
-       
+
        len = htonl(this->key.len);
        if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
                write(this->socket, this->key.ptr, this->key.len) != this->key.len)
@@ -251,7 +251,7 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
                DBG1("writing to ssh-agent failed");
                return FALSE;
        }
-       
+
        len = htonl(data.len);
        if (write(this->socket, &len, sizeof(len)) != sizeof(len) ||
                write(this->socket, data.ptr, data.len) != data.len)
@@ -259,14 +259,14 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
                DBG1("writing to ssh-agent failed");
                return FALSE;
        }
-       
+
        flags = htonl(0);
        if (write(this->socket, &flags, sizeof(flags)) != sizeof(flags))
        {
                DBG1("writing to ssh-agent failed");
                return FALSE;
        }
-       
+
        blob.len = read(this->socket, blob.ptr, blob.len);
        if (blob.len < sizeof(u_int32_t) + sizeof(u_char) ||
                read_uint32(&blob) != blob.len ||
@@ -322,12 +322,12 @@ static size_t get_keysize(private_agent_private_key_t *this)
 static public_key_t* get_public_key(private_agent_private_key_t *this)
 {
        chunk_t key, n, e;
-       
+
        key = this->key;
        read_string(&key);
        e = read_string(&key);
        n = read_string(&key);
-       
+
        return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                                BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
 }
@@ -348,7 +348,7 @@ static bool get_fingerprint(private_agent_private_key_t *this,
                                                        key_encoding_type_t type, chunk_t *fp)
 {
        chunk_t n, e, key;
-       
+
        if (lib->encoding->get_cache(lib->encoding, type, this, fp))
        {
                return TRUE;
@@ -357,7 +357,7 @@ static bool get_fingerprint(private_agent_private_key_t *this,
        read_string(&key);
        e = read_string(&key);
        n = read_string(&key);
-       
+
        return lib->encoding->encode(lib->encoding, type, this, fp,
                                KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
 }
@@ -392,7 +392,7 @@ static agent_private_key_t *agent_private_key_create(char *path,
                                                                                                         public_key_t *pubkey)
 {
        private_agent_private_key_t *this = malloc_thing(private_agent_private_key_t);
-       
+
        this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
        this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
        this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
@@ -404,7 +404,7 @@ static agent_private_key_t *agent_private_key_create(char *path,
        this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
        this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
        this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-       
+
        this->socket = open_connection(path);
        if (this->socket < 0)
        {
@@ -413,7 +413,7 @@ static agent_private_key_t *agent_private_key_create(char *path,
        }
        this->key = chunk_empty;
        this->ref = 1;
-       
+
        if (!read_key(this, pubkey))
        {
                destroy(this);
@@ -442,7 +442,7 @@ struct private_builder_t {
 static agent_private_key_t *build(private_builder_t *this)
 {
        agent_private_key_t *key = NULL;
-       
+
        if (this->socket)
        {
                key = agent_private_key_create(this->socket, this->pubkey);
@@ -457,7 +457,7 @@ static agent_private_key_t *build(private_builder_t *this)
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        switch (part)
        {
                case BUILD_AGENT_SOCKET:
@@ -486,19 +486,19 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *agent_private_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->pubkey = NULL;
        this->socket = NULL;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index c2f3ce2e8a473d6f4f5b6587de0f2948ddb300ec..ebcc5dbdfbc28fb8c39a4fabb074d1dbf7626867 100644 (file)
@@ -5,21 +5,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
index 283bf4c43b5d4e01fc08c62f9a2816a6f421f9e1..1375a0aa99dfcfc18af4c417c84abc4f4b55da2f 100644 (file)
@@ -5,21 +5,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
index 9949513c682199b311a5dddc551f6081694306a0..79d23db6ce1d7cf27e537d8e9bc89ac691274021 100644 (file)
@@ -5,21 +5,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
@@ -64,262 +64,262 @@ static const BF_KEY bf_init= {
        0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L, 0xb5470917L,
        0x9216d5d9L, 0x8979fb1b
        },{
-       0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, 
-       0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, 
-       0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L, 
-       0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL, 
-       0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL, 
-       0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, 
-       0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL, 
-       0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL, 
-       0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L, 
-       0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L, 
-       0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, 
-       0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, 
-       0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL, 
-       0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L, 
-       0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L, 
-       0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, 
-       0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L, 
-       0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L, 
-       0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL, 
-       0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L, 
-       0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, 
-       0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, 
-       0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L, 
-       0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL, 
-       0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L, 
-       0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, 
-       0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, 
-       0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L, 
-       0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL, 
-       0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L, 
-       0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, 
-       0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, 
-       0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L, 
-       0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL, 
-       0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L, 
-       0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, 
-       0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, 
-       0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L, 
-       0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL, 
-       0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L, 
-       0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, 
-       0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, 
-       0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L, 
-       0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L, 
-       0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L, 
-       0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, 
-       0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, 
-       0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL, 
-       0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL, 
-       0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L, 
-       0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, 
-       0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, 
-       0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L, 
-       0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL, 
-       0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L, 
-       0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, 
-       0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, 
-       0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L, 
-       0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L, 
-       0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L, 
-       0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, 
-       0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, 
-       0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L, 
-       0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL, 
-       0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L, 
-       0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, 
-       0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, 
-       0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL, 
-       0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L, 
-       0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L, 
-       0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, 
-       0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, 
-       0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L, 
-       0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L, 
-       0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL, 
-       0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, 
-       0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L, 
-       0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L, 
-       0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L, 
-       0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L, 
-       0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, 
-       0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL, 
-       0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL, 
-       0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L, 
-       0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL, 
-       0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, 
-       0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, 
-       0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL, 
-       0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL, 
-       0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L, 
-       0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, 
-       0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, 
-       0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL, 
-       0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL, 
-       0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L, 
-       0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, 
-       0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, 
-       0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L, 
-       0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L, 
-       0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L, 
-       0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, 
-       0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, 
-       0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L, 
-       0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL, 
-       0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L, 
-       0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, 
-       0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L, 
-       0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L, 
-       0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L, 
-       0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L, 
-       0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, 
-       0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, 
-       0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L, 
-       0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L, 
-       0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L, 
-       0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, 
-       0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, 
-       0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L, 
-       0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L, 
-       0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L, 
-       0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, 
-       0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, 
-       0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L, 
-       0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL, 
-       0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L, 
-       0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, 
-       0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, 
-       0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L, 
-       0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L, 
-       0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L, 
-       0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, 
-       0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L, 
-       0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L, 
-       0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L, 
-       0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL, 
-       0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, 
-       0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, 
-       0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L, 
-       0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L, 
-       0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL, 
-       0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, 
-       0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, 
-       0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L, 
-       0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL, 
-       0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L, 
-       0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, 
-       0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L, 
-       0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL, 
-       0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L, 
-       0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L, 
-       0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, 
-       0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, 
-       0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L, 
-       0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L, 
-       0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L, 
-       0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, 
-       0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, 
-       0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL, 
-       0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L, 
-       0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL, 
-       0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, 
-       0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, 
-       0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL, 
-       0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL, 
-       0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L, 
-       0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, 
-       0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, 
-       0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL, 
-       0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL, 
-       0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL, 
-       0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, 
-       0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L, 
-       0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L, 
-       0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L, 
-       0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L, 
-       0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, 
-       0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, 
-       0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L, 
-       0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L, 
-       0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L, 
-       0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, 
-       0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, 
-       0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L, 
-       0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L, 
-       0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L, 
-       0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, 
-       0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, 
-       0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL, 
-       0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L, 
-       0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL, 
-       0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, 
-       0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L, 
-       0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL, 
-       0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL, 
-       0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL, 
-       0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, 
-       0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, 
-       0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L, 
-       0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L, 
-       0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L, 
-       0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, 
-       0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, 
-       0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L, 
-       0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L, 
-       0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L, 
-       0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, 
-       0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, 
-       0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL, 
-       0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL, 
-       0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L, 
-       0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, 
-       0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, 
-       0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL, 
-       0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L, 
-       0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL, 
-       0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, 
-       0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L, 
-       0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L, 
-       0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L, 
-       0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L, 
-       0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, 
-       0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, 
-       0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L, 
-       0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L, 
-       0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L, 
-       0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, 
-       0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, 
-       0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L, 
-       0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L, 
-       0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL, 
-       0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, 
-       0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, 
-       0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L, 
-       0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL, 
-       0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL, 
-       0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, 
-       0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, 
-       0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L, 
-       0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L, 
-       0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL, 
-       0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, 
-       0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, 
-       0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL, 
-       0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L, 
-       0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L, 
-       0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, 
-       0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L, 
-       0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL, 
-       0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L, 
-       0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL, 
-       0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, 
-       0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L, 
-       0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL, 
-       0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L, 
-       0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL, 
-       0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L, 
+       0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L,
+       0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L,
+       0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L,
+       0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL,
+       0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL,
+       0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L,
+       0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL,
+       0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL,
+       0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L,
+       0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L,
+       0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL,
+       0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL,
+       0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL,
+       0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L,
+       0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L,
+       0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L,
+       0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L,
+       0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L,
+       0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL,
+       0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L,
+       0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L,
+       0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L,
+       0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L,
+       0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL,
+       0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L,
+       0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL,
+       0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL,
+       0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L,
+       0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL,
+       0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L,
+       0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL,
+       0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L,
+       0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L,
+       0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL,
+       0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L,
+       0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L,
+       0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL,
+       0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L,
+       0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL,
+       0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L,
+       0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L,
+       0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL,
+       0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L,
+       0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L,
+       0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L,
+       0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L,
+       0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L,
+       0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL,
+       0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL,
+       0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L,
+       0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L,
+       0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L,
+       0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L,
+       0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL,
+       0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L,
+       0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL,
+       0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL,
+       0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L,
+       0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L,
+       0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L,
+       0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L,
+       0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L,
+       0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L,
+       0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL,
+       0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L,
+       0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L,
+       0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L,
+       0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL,
+       0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L,
+       0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L,
+       0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL,
+       0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L,
+       0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L,
+       0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L,
+       0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL,
+       0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL,
+       0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L,
+       0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L,
+       0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L,
+       0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L,
+       0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL,
+       0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL,
+       0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL,
+       0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L,
+       0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL,
+       0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L,
+       0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L,
+       0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL,
+       0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL,
+       0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L,
+       0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL,
+       0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L,
+       0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL,
+       0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL,
+       0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L,
+       0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L,
+       0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L,
+       0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L,
+       0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L,
+       0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L,
+       0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L,
+       0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL,
+       0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L,
+       0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL,
+       0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L,
+       0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L,
+       0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L,
+       0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L,
+       0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L,
+       0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L,
+       0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L,
+       0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L,
+       0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L,
+       0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L,
+       0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L,
+       0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L,
+       0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L,
+       0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L,
+       0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L,
+       0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L,
+       0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL,
+       0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL,
+       0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L,
+       0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL,
+       0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L,
+       0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L,
+       0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L,
+       0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L,
+       0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L,
+       0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L,
+       0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL,
+       0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L,
+       0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L,
+       0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L,
+       0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL,
+       0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL,
+       0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL,
+       0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L,
+       0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L,
+       0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL,
+       0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L,
+       0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL,
+       0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L,
+       0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL,
+       0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L,
+       0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL,
+       0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L,
+       0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL,
+       0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L,
+       0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L,
+       0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL,
+       0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L,
+       0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L,
+       0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L,
+       0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L,
+       0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL,
+       0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L,
+       0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL,
+       0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L,
+       0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL,
+       0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L,
+       0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL,
+       0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL,
+       0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL,
+       0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L,
+       0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L,
+       0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL,
+       0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL,
+       0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL,
+       0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL,
+       0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL,
+       0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L,
+       0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L,
+       0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L,
+       0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L,
+       0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL,
+       0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL,
+       0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L,
+       0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L,
+       0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L,
+       0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L,
+       0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L,
+       0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L,
+       0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L,
+       0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L,
+       0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L,
+       0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L,
+       0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL,
+       0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L,
+       0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL,
+       0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L,
+       0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L,
+       0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL,
+       0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL,
+       0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL,
+       0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L,
+       0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L,
+       0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L,
+       0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L,
+       0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L,
+       0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L,
+       0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L,
+       0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L,
+       0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L,
+       0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L,
+       0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L,
+       0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L,
+       0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL,
+       0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL,
+       0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L,
+       0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL,
+       0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL,
+       0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL,
+       0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L,
+       0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL,
+       0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL,
+       0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L,
+       0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L,
+       0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L,
+       0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L,
+       0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL,
+       0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL,
+       0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L,
+       0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L,
+       0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L,
+       0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL,
+       0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L,
+       0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L,
+       0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L,
+       0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL,
+       0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L,
+       0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L,
+       0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L,
+       0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL,
+       0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL,
+       0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L,
+       0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L,
+       0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L,
+       0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L,
+       0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL,
+       0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L,
+       0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL,
+       0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL,
+       0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L,
+       0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L,
+       0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL,
+       0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L,
+       0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL,
+       0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L,
+       0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL,
+       0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L,
+       0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L,
+       0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL,
+       0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L,
+       0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL,
+       0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L,
        }
        };
 
index 8cdbbd2836471d2bdd780fe326282bdab9dfe0cf..ceec3b8d40fad27977c828d68e5fec0f783d1433 100644 (file)
@@ -5,21 +5,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
index ccb97e2728c1ee11509df5cf5e7aca7a00c907f2..9aa30df4b2c1718139a7b407a0cf5e6322d279e1 100644 (file)
@@ -5,21 +5,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
@@ -90,7 +90,7 @@ extern "C" {
  * So I've chosen long...
  *                                     <appro@fy.chalmers.se>
  */
-       
+
 /* des.h-like hack <jjo-ipsec@mendoza.gov.ar> */
 #ifndef BF_LONG
 #ifdef __KERNEL__
@@ -110,7 +110,7 @@ typedef struct bf_key_st
        BF_LONG S[4*256];
        } BF_KEY;
 
+
 void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
 
 void BF_encrypt(BF_LONG *data,const BF_KEY *key);
index 5064bfef6696c585e99e75da67823e04f03a6d87..fb856ed37be98b95b44977245b704c03dbfcbbc5 100644 (file)
@@ -4,21 +4,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION,
  * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
  */
+
 #include "blowfish_crypter.h"
 
 typedef struct private_blowfish_crypter_t private_blowfish_crypter_t;
 
 /**
  * Class implementing the Blowfish symmetric encryption algorithm.
- * 
+ *
  * @ingroup crypters
  */
 struct private_blowfish_crypter_t {
-       
+
        /**
         * Public part of this class.
         */
        blowfish_crypter_t public;
-       
+
        /**
         * Blowfish key schedule
         */
@@ -96,7 +96,7 @@ static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
                                        chunk_t *decrypted)
 {
        u_int8_t *in, *out;
-       
+
        if (decrypted)
        {
                *decrypted = chunk_alloc(data.len);
@@ -121,7 +121,7 @@ static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
                                         chunk_t *encrypted)
 {
        u_int8_t *in, *out;
-       
+
        if (encrypted)
        {
                *encrypted = chunk_alloc(data.len);
@@ -177,14 +177,14 @@ static void destroy (private_blowfish_crypter_t *this)
 blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t key_size)
 {
        private_blowfish_crypter_t *this;
-       
+
        if (algo != ENCR_BLOWFISH)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_blowfish_crypter_t);
-       
+
        this->key_size = key_size;
        this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
        this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
@@ -192,6 +192,6 @@ blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t
        this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
        this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
        this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-       
+
        return &(this->public);
 }
index 2bb896e6490a0ff03a62d1685dc0d5912bfa6c89..71cc09cd0e818efa53b16da3ccc087f20f290d3d 100644 (file)
@@ -30,7 +30,7 @@ typedef struct blowfish_crypter_t blowfish_crypter_t;
  * Class implementing the Blowfish encryption algorithm.
  */
 struct blowfish_crypter_t {
-       
+
        /**
         * The crypter_t interface.
         */
@@ -39,7 +39,7 @@ struct blowfish_crypter_t {
 
 /**
  * Constructor to create blowfish_crypter_t objects.
- * 
+ *
  * @param key_size             key size in bytes
  * @param algo                 algorithm to implement
  * @return                             blowfish_crypter_t object, NULL if not supported
index 6e2f6d4fab2655b30c7a81c165a8da4562c87d77..993dc8b3b98d4cb3c5fb9cb2177daf8d8727dbe2 100644 (file)
@@ -48,12 +48,12 @@ static void destroy(private_blowfish_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_blowfish_plugin_t *this = malloc_thing(private_blowfish_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
                                                         (crypter_constructor_t)blowfish_crypter_create);
-       
+
        return &this->public.plugin;
 }
 
index 7ee9fa1bdae8b649d458c7d01650f7ff373ccd55..9c729175beddaac31ea797385645d769e34994a2 100644 (file)
@@ -33,12 +33,12 @@ struct private_curl_fetcher_t {
         * Public data
         */
        curl_fetcher_t public;
-       
+
        /**
         * CURL handle
         */
        CURL* curl;
-       
+
        /**
      * Optional HTTP headers
         */
@@ -51,7 +51,7 @@ struct private_curl_fetcher_t {
 static size_t append(void *ptr, size_t size, size_t nmemb, chunk_t *data)
 {
        size_t realsize = size * nmemb;
-       
+
        data->ptr = (u_char*)realloc(data->ptr, data->len + realsize);
        if (data->ptr)
        {
@@ -68,9 +68,9 @@ static status_t fetch(private_curl_fetcher_t *this, char *uri, chunk_t *result)
 {
        char error[CURL_ERROR_SIZE];
        status_t status;
-       
+
        *result = chunk_empty;
-       
+
        if (curl_easy_setopt(this->curl, CURLOPT_URL, uri) != CURLE_OK)
        {       /* URL type not supported by curl */
                return NOT_SUPPORTED;
@@ -85,7 +85,7 @@ static status_t fetch(private_curl_fetcher_t *this, char *uri, chunk_t *result)
        {
                curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers);
        }
-       
+
        DBG2("  sending http request to '%s'...", uri);
        switch (curl_easy_perform(this->curl))
        {
@@ -109,7 +109,7 @@ static status_t fetch(private_curl_fetcher_t *this, char *uri, chunk_t *result)
 static bool set_option(private_curl_fetcher_t *this, fetcher_option_t option, ...)
 {
        va_list args;
-       
+
        va_start(args, option);
        switch (option)
        {
@@ -170,7 +170,7 @@ static void destroy(private_curl_fetcher_t *this)
 curl_fetcher_t *curl_fetcher_create()
 {
        private_curl_fetcher_t *this = malloc_thing(private_curl_fetcher_t);
-       
+
        this->curl = curl_easy_init();
        if (this->curl == NULL)
        {
@@ -178,11 +178,11 @@ curl_fetcher_t *curl_fetcher_create()
                return NULL;
        }
        this->headers = NULL;
-       
+
        this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch;
        this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option;
        this->public.interface.destroy = (void (*)(fetcher_t*))destroy;
-       
+
        return &this->public;
 }
 
index 043beb83400d4fe390bc921c5aa0e1eaac331b4f..d82992d3204edb003e31b009bf66a705435b2eed 100644 (file)
@@ -32,7 +32,7 @@ struct curl_fetcher_t {
         * Implements fetcher interface
         */
        fetcher_t interface;
-               
+
        /**
      * Destroy a curl_fetcher instance.
      */
index 97fa07866d0719f3c1cbd682c52a31f26f39ee55..f35170bdda4b1de24247cb40a9705530c6dc357b 100644 (file)
@@ -52,24 +52,24 @@ plugin_t *plugin_create()
 {
        CURLcode res;
        private_curl_plugin_t *this = malloc_thing(private_curl_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        res = curl_global_init(CURL_GLOBAL_NOTHING);
        if (res == CURLE_OK)
        {
                lib->fetcher->add_fetcher(lib->fetcher,
                                                (fetcher_constructor_t)curl_fetcher_create, "file://");
-               lib->fetcher->add_fetcher(lib->fetcher, 
+               lib->fetcher->add_fetcher(lib->fetcher,
                                                (fetcher_constructor_t)curl_fetcher_create, "http://");
                lib->fetcher->add_fetcher(lib->fetcher,
                                                (fetcher_constructor_t)curl_fetcher_create, "https://");
-               lib->fetcher->add_fetcher(lib->fetcher, 
+               lib->fetcher->add_fetcher(lib->fetcher,
                                                (fetcher_constructor_t)curl_fetcher_create, "ftp://");
     }
     else
     {
-       DBG1("global libcurl initializing failed: %s, curl disabled", 
+       DBG1("global libcurl initializing failed: %s, curl disabled",
                         curl_easy_strerror(res));
     }
        return &this->public.plugin;
index 680fe8b6aed8af430448a3bf1cb71c08b8ff9007..142e79613ba931c99d4144ee8bd247f91fdcc052 100644 (file)
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -73,17 +73,17 @@ typedef struct private_des_crypter_t private_des_crypter_t;
  * Private data for des_crypter_t
  */
 struct private_des_crypter_t {
-       
+
        /**
         * Public part of this class.
         */
        des_crypter_t public;
-       
+
        /**
         * Key size, depends on algoritm...
         */
        size_t key_size;
-       
+
        union {
                /** key schedule for single des */
                des_key_schedule ks;
@@ -141,7 +141,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
    even newer MIPS CPU's, but at the moment one size fits all for
    optimization options.  Older Sparc's work better with only UNROLL, but
    there's no way to tell at compile time what it is you're running on */
+
 #if defined( sun )             /* Newer Sparc's */
 #define DES_PTR
 #define DES_RISC1
@@ -879,7 +879,7 @@ static int des_set_key(des_cblock *key, des_key_schedule *schedule)
        c2l(in,c);
        c2l(in,d);
 
-       /* do PC1 in 60 simple operations */ 
+       /* do PC1 in 60 simple operations */
 /*     PERM_OP(d,c,t,4,0x0f0f0f0fL);
        HPERM_OP(c,t,-2, 0xcccc0000L);
        HPERM_OP(c,t,-1, 0xaaaa0000L);
@@ -1037,7 +1037,7 @@ static void des_encrypt(DES_LONG *data, des_key_schedule ks, int enc)
 /**
  * DES CBC encrypt decrypt routine
  */
-static void des_cbc_encrypt(des_cblock *input, des_cblock *output, long length, 
+static void des_cbc_encrypt(des_cblock *input, des_cblock *output, long length,
                                                    des_key_schedule schedule, des_cblock *ivec, int enc)
 {
        register DES_LONG tin0,tin1;
@@ -1110,7 +1110,7 @@ static void des_cbc_encrypt(des_cblock *input, des_cblock *output, long length,
 /**
  * DES ECB encrypt decrypt routine
  */
-static void des_ecb_encrypt(des_cblock *input, des_cblock *output, long length, 
+static void des_ecb_encrypt(des_cblock *input, des_cblock *output, long length,
                                                    des_key_schedule schedule, int enc)
 {
        register DES_LONG tin0,tin1;
@@ -1260,7 +1260,7 @@ static void des_encrypt2(DES_LONG *data, des_key_schedule ks, int enc)
 /**
  * Single block 3DES EDE encrypt routine
  */
-static void des_encrypt3(DES_LONG *data, des_key_schedule ks1, 
+static void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
                                                 des_key_schedule ks2, des_key_schedule ks3)
 {
        register DES_LONG l,r;
@@ -1283,7 +1283,7 @@ static void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
 /**
  * Single block 3DES EDE decrypt routine
  */
-static void des_decrypt3(DES_LONG *data, des_key_schedule ks1, 
+static void des_decrypt3(DES_LONG *data, des_key_schedule ks1,
                                                 des_key_schedule ks2, des_key_schedule ks3)
 {
        register DES_LONG l,r;
@@ -1391,7 +1391,7 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len
                {
                        c2l(in,tin0);
                        c2l(in,tin1);
-                       
+
                        t0=tin0;
                        t1=tin1;
 
@@ -1400,7 +1400,7 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len
                        des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
                        tout0=tin[0];
                        tout1=tin[1];
-               
+
                        tout0^=xor0;
                        tout1^=xor1;
                        l2cn(tout0,tout1,out,l+8);
@@ -1424,7 +1424,7 @@ static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 {
        des_cblock ivb;
        u_int8_t *out;
-       
+
        out = data.ptr;
        if (decrypted)
        {
@@ -1445,7 +1445,7 @@ static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 {
        des_cblock ivb;
        u_int8_t *out;
-       
+
        out = data.ptr;
        if (encrypted)
        {
@@ -1464,7 +1464,7 @@ static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
                                                chunk_t *decrypted)
 {
        u_int8_t *out;
-       
+
        out = data.ptr;
        if (decrypted)
        {
@@ -1482,7 +1482,7 @@ static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
                                                chunk_t *encrypted)
 {
        u_int8_t *out;
-       
+
        out = data.ptr;
        if (encrypted)
        {
@@ -1501,7 +1501,7 @@ static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 {
        des_cblock ivb;
        u_int8_t *out;
-       
+
        out = data.ptr;
        if (decrypted)
        {
@@ -1522,7 +1522,7 @@ static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 {
        des_cblock ivb;
        u_int8_t *out;
-       
+
        out = data.ptr;
        if (encrypted)
        {
@@ -1563,7 +1563,7 @@ static void set_key(private_des_crypter_t *this, chunk_t key)
  * Implementation of crypter_t.set_key for 3DES.
  */
 static void set_key3(private_des_crypter_t *this, chunk_t key)
-{      
+{
        des_set_key((des_cblock*)(key.ptr) + 0, &this->ks3[0]);
        des_set_key((des_cblock*)(key.ptr) + 1, &this->ks3[1]);
        des_set_key((des_cblock*)(key.ptr) + 2, &this->ks3[2]);
@@ -1583,12 +1583,12 @@ static void destroy(private_des_crypter_t *this)
 des_crypter_t *des_crypter_create(encryption_algorithm_t algo)
 {
        private_des_crypter_t *this = malloc_thing(private_des_crypter_t);
-       
-       /* functions of crypter_t interface */  
+
+       /* functions of crypter_t interface */
        this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
        this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
        this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-       
+
        /* use functions depending on algorithm */
        switch (algo)
        {
index 623b292fc8970a0690d55aecdcb0a51507659706..cffbd4ce30ae2060743e4fd0485da330e4b29080 100644 (file)
@@ -30,7 +30,7 @@ typedef struct des_crypter_t des_crypter_t;
  * Class implementing the DES and 3DES encryption algorithms.
  */
 struct des_crypter_t {
-       
+
        /**
         * The crypter_t interface.
         */
@@ -39,7 +39,7 @@ struct des_crypter_t {
 
 /**
  * Constructor to create des_crypter_t objects.
- * 
+ *
  * @param algo         ENCR_DES for single DES, ENCR_3DES for triple DES
  * @return                     des_crypter_t object, NULL if algo not supported
  */
index e16b475d4309566ddb27c981397f781fb0dd925e..649d224aba90affd8af6c664a7f8d2fc46984af4 100644 (file)
@@ -47,16 +47,16 @@ static void destroy(private_des_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_des_plugin_t *this = malloc_thing(private_des_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
                                                         (crypter_constructor_t)des_crypter_create);
        lib->crypto->add_crypter(lib->crypto, ENCR_DES,
                                                         (crypter_constructor_t)des_crypter_create);
        lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
                                                         (crypter_constructor_t)des_crypter_create);
-       
+
        return &this->public.plugin;
 }
 
index 6d79d589ceb08c2fb9f24a90fdbc82b47f2758d7..792e7c160f6afb21fb2eb5ec77fc8f23da3eebc7 100644 (file)
@@ -49,14 +49,14 @@ enum dnskey_algorithm_t {
 static public_key_t *parse_public_key(chunk_t blob)
 {
        dnskey_rr_t *rr = (dnskey_rr_t*)blob.ptr;
-       
+
        if (blob.len < sizeof(dnskey_rr_t))
        {
                DBG1("DNSKEY too short");
                return NULL;
        }
        blob = chunk_skip(blob, sizeof(dnskey_rr_t));
-       
+
        switch (rr->algorithm)
        {
                case DNSKEY_ALG_RSA_SHA1:
@@ -74,13 +74,13 @@ static public_key_t *parse_public_key(chunk_t blob)
 static public_key_t *parse_rsa_public_key(chunk_t blob)
 {
        chunk_t n, e;
-       
+
        if (blob.len < 3)
        {
                DBG1("RFC 3110 public key blob too short for exponent length");
                return NULL;
        }
-       
+
        if (blob.ptr[0])
        {
                e.len = blob.ptr[0];
@@ -98,7 +98,7 @@ static public_key_t *parse_rsa_public_key(chunk_t blob)
                return NULL;
        }
        n = chunk_skip(blob, e.len);
-       
+
        return lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                                BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e,
                                                BUILD_END);
@@ -124,7 +124,7 @@ struct private_builder_t {
 static public_key_t *build_public(private_builder_t *this)
 {
        public_key_t *key = NULL;
-       
+
        switch (this->type)
        {
                case KEY_ANY:
@@ -146,7 +146,7 @@ static public_key_t *build_public(private_builder_t *this)
 static void add_public(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        switch (part)
        {
                case BUILD_BLOB_DNSKEY:
@@ -168,19 +168,19 @@ static void add_public(private_builder_t *this, builder_part_t part, ...)
 builder_t *dnskey_public_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_ANY && type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->blob = chunk_empty;
        this->type = type;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add_public;
        this->public.build = (void*(*)(builder_t *this))build_public;
-       
+
        return &this->public;
 }
 
index 9f4dd4827ab8cb3a6100b03970e12cf31ea51d01..d2cf6e4b54a2a99e47ecb031214bc572bc336137 100644 (file)
@@ -47,14 +47,14 @@ static void destroy(private_dnskey_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_dnskey_plugin_t *this = malloc_thing(private_dnskey_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
                                                        (builder_constructor_t)dnskey_public_key_builder);
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                                        (builder_constructor_t)dnskey_public_key_builder);
-       
+
        return &this->public.plugin;
 }
 
index be28f10bc8e006afc7bf83e5a79a21b0bd1e52e4..ba8158367f2485a46661c558f52f72a1dffe1d45 100644 (file)
@@ -29,22 +29,22 @@ struct private_fips_prf_t {
         * Public fips_prf_t interface.
         */
        fips_prf_t public;
-       
+
        /**
         * key of prf function, "b" long
         */
        u_int8_t *key;
-       
+
        /**
         * size of "b" in bytes
         */
        size_t b;
-       
+
        /**
         * Keyed SHA1 prf: It does not use SHA1Final operation
         */
        prf_t *keyed_prf;
-       
+
        /**
         * G function, either SHA1 or DES
         */
@@ -57,11 +57,11 @@ struct private_fips_prf_t {
 static void add_mod(size_t length, u_int8_t a[], u_int8_t b[], u_int8_t sum[])
 {
        int i, c = 0;
-       
+
        for(i = length - 1; i >= 0; i--)
        {
                u_int32_t tmp;
-               
+
                tmp = a[i] + b[i] + c;
                sum[i] = 0xff & tmp;
                c = tmp >> 8;
@@ -115,13 +115,13 @@ static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
        u_int8_t *xkey = this->key;
        u_int8_t one[this->b];
        chunk_t xval_chunk = chunk_from_buf(xval);
-       
+
        memset(one, 0, this->b);
        one[this->b - 1] = 0x01;
-       
+
        /* 3.1 */
        chunk_mod(this->b, seed, xseed);
-       
+
        /* 3.2 */
        for (i = 0; i < 2; i++) /* twice */
        {
@@ -136,7 +136,7 @@ static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
                add_mod(this->b, sum, one, xkey);
                DBG3("XKEY %b", xkey, this->b);
        }
-       
+
        /* 3.3 done already, mod q not used */
 }
 
@@ -179,7 +179,7 @@ static void set_key(private_fips_prf_t *this, chunk_t key)
 void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[])
 {
        u_int8_t buf[64];
-       
+
        if (c.len < sizeof(buf))
        {
                /* pad c with zeros */
@@ -193,7 +193,7 @@ void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[])
                /* not more than 512 bits can be G()-ed */
                c.len = sizeof(buf);
        }
-       
+
        /* use the keyed hasher, but use an empty key to use SHA1 IV */
        this->keyed_prf->set_key(this->keyed_prf, chunk_empty);
        this->keyed_prf->get_bytes(this->keyed_prf, c, res);
@@ -215,14 +215,14 @@ static void destroy(private_fips_prf_t *this)
 fips_prf_t *fips_prf_create(pseudo_random_function_t algo)
 {
        private_fips_prf_t *this = malloc_thing(private_fips_prf_t);
-       
+
        this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
        this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
        this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
        this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
        this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
        this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-       
+
        switch (algo)
        {
                case PRF_FIPS_SHA1_160:
@@ -244,7 +244,7 @@ fips_prf_t *fips_prf_create(pseudo_random_function_t algo)
                        return NULL;
        }
        this->key = malloc(this->b);
-       
+
        return &this->public;
 }
 
index b2940be72c0558333abe9b9b240e079efcb79371..514e3c5d9e6865b71295f0f00acf1465830a4695 100644 (file)
@@ -37,7 +37,7 @@ typedef struct fips_prf_t fips_prf_t;
  * The FIPS PRF is stateful; the key changes every time when bytes are acquired.
  */
 struct fips_prf_t {
-       
+
        /**
         * Generic prf_t interface for this fips_prf_t class.
         */
@@ -46,7 +46,7 @@ struct fips_prf_t {
 
 /**
  * Creates a new fips_prf_t object.
- * 
+ *
  * FIPS 186-2 defines G() functions used in the PRF function. It can
  * be implemented either based on SHA1 or DES.
  * The G() function is selected using the algo parameter.
index 7576e79ad824d2a5c013364d5cb40e0d3a528c9e..6c0842f81f741c80c280b92274761e6c2e3779d6 100644 (file)
@@ -47,11 +47,11 @@ static void destroy(private_fips_prf_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_fips_prf_plugin_t *this = malloc_thing(private_fips_prf_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160,
                                                 (prf_constructor_t)fips_prf_create);
-       
+
        return &this->public.plugin;
 }
index f82d2318528833fd7a9938d206c4f80269ec3c54..1eee6226d31dc04234264f187a108804e310ed39 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil 
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -25,17 +25,17 @@ typedef struct private_gcrypt_crypter_t private_gcrypt_crypter_t;
  * Private data of gcrypt_crypter_t
  */
 struct private_gcrypt_crypter_t {
-       
+
        /**
         * Public part of this class.
         */
        gcrypt_crypter_t public;
-       
+
        /**
         * gcrypt cipher handle
         */
        gcry_cipher_hd_t h;
-       
+
        /**
         * gcrypt algorithm identifier
         */
@@ -49,7 +49,7 @@ static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
                                        chunk_t iv, chunk_t *dst)
 {
        gcry_cipher_setiv(this->h, iv.ptr, iv.len);
-       
+
        if (dst)
        {
                *dst = chunk_alloc(data.len);
@@ -68,7 +68,7 @@ static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
                                        chunk_t iv, chunk_t *dst)
 {
        gcry_cipher_setiv(this->h, iv.ptr, iv.len);
-       
+
        if (dst)
        {
                *dst = chunk_alloc(data.len);
@@ -86,7 +86,7 @@ static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
 static size_t get_block_size(private_gcrypt_crypter_t *this)
 {
        size_t len = 0;
-       
+
        gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
        return len;
 }
@@ -97,7 +97,7 @@ static size_t get_block_size(private_gcrypt_crypter_t *this)
 static size_t get_key_size(private_gcrypt_crypter_t *this)
 {
        size_t len = 0;
-       
+
        gcry_cipher_algo_info(this->alg, GCRYCTL_GET_KEYLEN, NULL, &len);
        return len;
 }
@@ -129,7 +129,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
        int gcrypt_alg;
        int mode = GCRY_CIPHER_MODE_CBC;
        gcry_error_t err;
-       
+
        switch (algo)
        {
                case ENCR_DES:
@@ -227,9 +227,9 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
                default:
                        return NULL;
        }
-       
+
        this = malloc_thing(private_gcrypt_crypter_t);
-       
+
        this->alg = gcrypt_alg;
        err = gcry_cipher_open(&this->h, gcrypt_alg, mode, 0);
        if (err)
@@ -239,14 +239,14 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
                free(this);
                return NULL;
        }
-       
+
        this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *))encrypt;
        this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *))decrypt;
        this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *))get_block_size;
        this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *))get_key_size;
        this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t))set_key;
        this->public.crypter_interface.destroy = (void (*) (crypter_t *))destroy;
-       
+
        return &this->public;
 }
 
index c5a5e6723aa42b32c74dc8d4437cb2ab1ca4b181..ce0ead4a89e1084962504c32eb133ec173ac6fe5 100644 (file)
@@ -29,7 +29,7 @@ typedef struct gcrypt_crypter_t gcrypt_crypter_t;
  * Implementation of crypters using gcrypt.
  */
 struct gcrypt_crypter_t {
-       
+
        /**
         * The crypter_t interface.
         */
@@ -38,7 +38,7 @@ struct gcrypt_crypter_t {
 
 /**
  * Constructor to create gcrypt_crypter_t.
- * 
+ *
  * @param algo                 algorithm to implement
  * @param key_size             key size in bytes
  * @return                             gcrypt_crypter_t, NULL if not supported
index 89d9f234807660d37335e675b9d76ea85d9e16d1..59c82f1e777ef39b065ab5c2e10f7c304b1ee74e 100644 (file)
@@ -278,7 +278,7 @@ static u_int8_t group18_modulus[] = {
 
 typedef struct modulus_entry_t modulus_entry_t;
 
-/** 
+/**
  * Entry of the modulus list.
  */
 struct modulus_entry_t {
@@ -312,7 +312,7 @@ static modulus_entry_t modulus_entries[] = {
 static modulus_entry_t *find_entry(diffie_hellman_group_t group)
 {
        int i;
-       
+
        for (i = 0; i < countof(modulus_entries); i++)
        {
                if (modulus_entries[i].group == group)
@@ -329,47 +329,47 @@ typedef struct private_gcrypt_dh_t private_gcrypt_dh_t;
  * Private data of an gcrypt_dh_t object.
  */
 struct private_gcrypt_dh_t {
-       
+
        /**
         * Public gcrypt_dh_t interface
         */
        gcrypt_dh_t public;
-       
+
        /**
         * Diffie Hellman group number
         */
        u_int16_t group;
-       
-       /* 
+
+       /*
         * Generator value
-        */     
+        */
        gcry_mpi_t g;
-       
+
        /**
         * Own private value
         */
        gcry_mpi_t xa;
-       
+
        /**
         * Own public value
         */
        gcry_mpi_t ya;
-       
+
        /**
         * Other public value
         */
        gcry_mpi_t yb;
-       
+
        /**
         * Shared secret
         */
        gcry_mpi_t zz;
-       
+
        /**
         * Modulus
         */
        gcry_mpi_t p;
-       
+
        /**
         * Modulus length.
         */
@@ -383,7 +383,7 @@ static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
 {
        gcry_mpi_t p_min_1;
        gcry_error_t err;
-       
+
        if (this->yb)
        {
                gcry_mpi_release(this->yb);
@@ -395,11 +395,11 @@ static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
                DBG1("importing mpi yb failed: %s", gpg_strerror(err));
                return;
        }
-       
+
        p_min_1 = gcry_mpi_new(this->p_len * 8);
        gcry_mpi_sub_ui(p_min_1, this->p, 1);
-       
-       /* check public value: 
+
+       /* check public value:
         * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
         * 2. a public value larger or equal the modulus is invalid */
        if (gcry_mpi_cmp_ui(this->yb, 1) > 0 &&
@@ -425,7 +425,7 @@ static chunk_t export_mpi(gcry_mpi_t value, size_t len)
 {
        chunk_t chunk;
        size_t written;
-       
+
        chunk = chunk_alloc(len);
        gcry_mpi_print(GCRYMPI_FMT_USG, chunk.ptr, chunk.len, &written, value);
        if (written < len)
@@ -490,21 +490,21 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
        chunk_t random;
        rng_t *rng;
        size_t len;
-       
+
        entry = find_entry(group);
        if (!entry)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_gcrypt_dh_t);
-       
+
        this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
        this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
        this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
        this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
        this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-       
+
        this->group = group;
        this->p_len = entry->modulus.len;
        err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG,
@@ -524,7 +524,7 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
        {
                len = entry->opt_len;
        }
-       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
        if (rng)
        {       /* prefer external randomizer */
@@ -551,14 +551,14 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
                /* achieve bitsof(p)-1 by setting MSB to 0 */
                gcry_mpi_clear_bit(this->xa, len * 8 - 1);
        }
-       
+
        this->g = gcry_mpi_set_ui(NULL, entry->g);
        this->ya = gcry_mpi_new(this->p_len * 8);
        this->yb = NULL;
        this->zz = NULL;
-       
+
        gcry_mpi_powm(this->ya, this->g, this->xa, this->p);
-       
+
        return &this->public;
 }
 
index dbef96ca7b8cf20272ac65a62377d70b2aba3170..95b68dcd08b97f9a90b43587413b6b0c94c8ef1f 100644 (file)
@@ -29,7 +29,7 @@ typedef struct gcrypt_dh_t gcrypt_dh_t;
  * Implementation of the Diffie-Hellman algorithm using libgcrypt mpi.
  */
 struct gcrypt_dh_t {
-       
+
        /**
         * Implements diffie_hellman_t interface.
         */
@@ -38,7 +38,7 @@ struct gcrypt_dh_t {
 
 /**
  * Creates a new gcrypt_dh_t object.
- * 
+ *
  * @param group                        Diffie Hellman group number to use
  * @return                             gcrypt_dh_t object, NULL if not supported
  */
index 41e17c8977b943ed7e022d1cf8bd0b720ec643c8..d12fe11d566ab05dd4e1522424ddc341b2a48ee7 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil 
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -25,12 +25,12 @@ typedef struct private_gcrypt_hasher_t private_gcrypt_hasher_t;
  * Private data of gcrypt_hasher_t
  */
 struct private_gcrypt_hasher_t {
-       
+
        /**
         * Public part of this class.
         */
        gcrypt_hasher_t public;
-       
+
        /**
         * gcrypt hasher context
         */
@@ -101,7 +101,7 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
        private_gcrypt_hasher_t *this;
        int gcrypt_alg;
        gcry_error_t err;
-       
+
        switch (algo)
        {
                case HASH_MD2:
@@ -131,9 +131,9 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
                default:
                        return NULL;
        }
-       
+
        this = malloc_thing(private_gcrypt_hasher_t);
-       
+
        err = gcry_md_open(&this->hd, gcrypt_alg, 0);
        if (err)
        {
@@ -142,13 +142,13 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
                free(this);
                return NULL;
        }
-       
+
        this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
        this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
        this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
        this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
        this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-       
+
        return &this->public;
 }
 
index 6f724fba8be672f73ca7298c69e18f041e064c53..708ccaafb691e371c6d3ba6420e250062a422128 100644 (file)
@@ -29,7 +29,7 @@ typedef struct gcrypt_hasher_t gcrypt_hasher_t;
  * Implementation of hashers using libgcrypt.
  */
 struct gcrypt_hasher_t {
-       
+
        /**
         * The hasher_t interface.
         */
@@ -38,7 +38,7 @@ struct gcrypt_hasher_t {
 
 /**
  * Constructor to create gcrypt_hasher_t.
- * 
+ *
  * @param algo                 algorithm
  * @return                             gcrypt_hasher_t, NULL if not supported
  */
index 939e0886cc1c2c936d1123501f7b95262c848b4d..0e3ba5e25319abbd992fa5e66224520b04c44c62 100644 (file)
@@ -57,7 +57,7 @@ static int mutex_init(void **lock)
 static int mutex_destroy(void **lock)
 {
        mutex_t *mutex = *lock;
-       
+
        mutex->destroy(mutex);
        return 0;
 }
@@ -68,7 +68,7 @@ static int mutex_destroy(void **lock)
 static int mutex_lock(void **lock)
 {
        mutex_t *mutex = *lock;
-       
+
        mutex->lock(mutex);
        return 0;
 }
@@ -79,7 +79,7 @@ static int mutex_lock(void **lock)
 static int mutex_unlock(void **lock)
 {
        mutex_t *mutex = *lock;
-       
+
        mutex->unlock(mutex);
        return 0;
 }
@@ -119,15 +119,15 @@ static void destroy(private_gcrypt_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_gcrypt_plugin_t *this;
-       
+
        gcry_control(GCRYCTL_SET_THREAD_CBS, &thread_functions);
-       
+
        if (!gcry_check_version(GCRYPT_VERSION))
        {
                DBG1("libgcrypt version mismatch");
                return NULL;
        }
-       
+
        /* we currently do not use secure memory */
        gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
        if (lib->settings->get_bool(lib->settings,
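Review bot: The comment above `gcry_control(GCRYCTL_DISABLE_SECMEM, 0);` in plugin_create records the choice to disable secure memory but not what follows from it. With the secure memory pool off, secret values this plugin hands to libgcrypt are held in ordinary heap memory, which can be paged out or appear in a core dump. I would extend the comment to something like `/* secure memory is disabled: private keys and DH secrets live in ordinary, swappable heap memory */` so the trade-off is visible to anyone auditing key handling. plugin_create continues outside the hunk.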
@@ -136,11 +136,11 @@ plugin_t *plugin_create()
                gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
        }
        gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
-       
+
        this = malloc_thing(private_gcrypt_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        /* hashers */
        lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
                                        (hasher_constructor_t)gcrypt_hasher_create);
@@ -156,7 +156,7 @@ plugin_t *plugin_create()
                                        (hasher_constructor_t)gcrypt_hasher_create);
        lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
                                        (hasher_constructor_t)gcrypt_hasher_create);
-       
+
        /* crypters */
        lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
                                        (crypter_constructor_t)gcrypt_crypter_create);
@@ -176,39 +176,39 @@ plugin_t *plugin_create()
                                        (crypter_constructor_t)gcrypt_crypter_create);
        lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC,
                                        (crypter_constructor_t)gcrypt_crypter_create);
-       
+
        /* random numbers */
-       lib->crypto->add_rng(lib->crypto, RNG_WEAK, 
+       lib->crypto->add_rng(lib->crypto, RNG_WEAK,
                                                 (rng_constructor_t)gcrypt_rng_create);
-       lib->crypto->add_rng(lib->crypto, RNG_STRONG, 
+       lib->crypto->add_rng(lib->crypto, RNG_STRONG,
                                                 (rng_constructor_t)gcrypt_rng_create);
-       lib->crypto->add_rng(lib->crypto, RNG_TRUE, 
+       lib->crypto->add_rng(lib->crypto, RNG_TRUE,
                                                 (rng_constructor_t)gcrypt_rng_create);
-       
+
        /* diffie hellman groups, using modp */
-       lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
                                        (dh_constructor_t)gcrypt_dh_create);
-       lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
                                        (dh_constructor_t)gcrypt_dh_create);
-       lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
                                        (dh_constructor_t)gcrypt_dh_create);
-       lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
                                        (dh_constructor_t)gcrypt_dh_create);
-       lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
                                        (dh_constructor_t)gcrypt_dh_create);
-       lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
                                        (dh_constructor_t)gcrypt_dh_create);
        lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
                                        (dh_constructor_t)gcrypt_dh_create);
-       lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
                                        (dh_constructor_t)gcrypt_dh_create);
-       
+
        /* RSA */
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                        (builder_constructor_t)gcrypt_rsa_private_key_builder);
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                        (builder_constructor_t)gcrypt_rsa_public_key_builder);
-       
+
        return &this->public.plugin;
 }
 
index 64b4eb8d08737e81631b420f7490df9dfbdd5320..d0d252572085353bc0e2715f055b755c62d5348b 100644 (file)
@@ -28,7 +28,7 @@ struct private_gcrypt_rng_t {
         * Public gcrypt_rng_t interface.
         */
        gcrypt_rng_t public;
-       
+
        /**
         * RNG quality of this instance
         */
@@ -79,7 +79,7 @@ static void destroy(private_gcrypt_rng_t *this)
 gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality)
 {
        private_gcrypt_rng_t *this;
-       
+
        switch (quality)
        {
                case RNG_WEAK:
@@ -89,15 +89,15 @@ gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality)
                default:
                        return NULL;
        }
-       
+
        this = malloc_thing(private_gcrypt_rng_t);
-       
+
        this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
        this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
        this->public.rng.destroy = (void (*) (rng_t *))destroy;
-       
+
        this->quality = quality;
-       
+
        return &this->public;
 }
 
index 3cfde8447de63b25c327b805e20ac597825d1882..a0cc123695ae745a4f59238c626df4ffb2a13546 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup gcrypt_rng gcrypt_rng
  * @{ @ingroup gcrypt_p
@@ -29,7 +29,7 @@ typedef struct gcrypt_rng_t gcrypt_rng_t;
  * rng_t implementation using libgcrypt.
  */
 struct gcrypt_rng_t {
-       
+
        /**
         * Implements rng_t.
         */
@@ -38,7 +38,7 @@ struct gcrypt_rng_t {
 
 /**
  * Creates an gcrypt_rng_t instance.
- * 
+ *
  * @param quality      required quality of gcryptness
  * @return                     created gcrypt_rng_t
  */
index 0d8f3d2072ea46e8d1a3b506fa1554f6568fa666..64ec789279f02bd19bccee9ff6a13847fe44267b 100644 (file)
@@ -28,17 +28,17 @@ typedef struct private_gcrypt_rsa_private_key_t private_gcrypt_rsa_private_key_t
  * Private data of a gcrypt_rsa_private_key_t object.
  */
 struct private_gcrypt_rsa_private_key_t {
-       
+
        /**
         * Public interface
         */
        gcrypt_rsa_private_key_t public;
-       
+
        /**
         * gcrypt S-expression representing an RSA key
         */
        gcry_sexp_t key;
-       
+
        /**
         * reference count
         */
@@ -54,7 +54,7 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key)
        gcry_sexp_t token;
        chunk_t data = chunk_empty, tmp;
        size_t len = 0;
-       
+
        token = gcry_sexp_find_token(sexp, name, 1);
        if (token)
        {
@@ -108,7 +108,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this,
        gcry_error_t err;
        chunk_t em;
        size_t k;
-       
+
        /* EM = 0x00 || 0x01 || PS || 0x00 || T
         * PS = 0xFF padding, with length to fill em
         * T  = data
@@ -124,7 +124,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this,
        em.ptr[1] = 0x01;
        em.ptr[em.len - data.len - 1] = 0x00;
        memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
-       
+
        err = gcry_sexp_build(&in, NULL, "(data(flags raw)(value %b))",
                                                  em.len, em.ptr);
        chunk_free(&em);
@@ -157,7 +157,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
        gcry_error_t err;
        gcry_sexp_t in, out;
        int hash_oid;
-       
+
        hash_oid = hasher_algorithm_to_oid(hash_algorithm);
        if (hash_oid == OID_UNKNOWN)
        {
@@ -170,7 +170,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
        }
        hasher->allocate_hash(hasher, data, &hash);
        hasher->destroy(hasher);
-       
+
        err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))",
                                                  hash_name, hash.len, hash.ptr);
        chunk_free(&hash);
@@ -202,7 +202,7 @@ static key_type_t get_type(private_gcrypt_rsa_private_key_t *this)
 /**
  * Implementation of gcrypt_rsa_private_key.destroy.
  */
-static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme, 
+static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
                                 chunk_t data, chunk_t *sig)
 {
        switch (scheme)
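Review bot: The doc comment directly above `static bool sign(...)` still reads "Implementation of gcrypt_rsa_private_key.destroy.", which looks copied from another method and mislabels the signing entry point. It should read `Implementation of gcrypt_rsa_private_key.sign.`; since this hunk already touches the signature line, it is a good place to correct it. The body of sign continues outside the hunk.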
@@ -238,7 +238,7 @@ static bool decrypt(private_gcrypt_rsa_private_key_t *this,
        gcry_sexp_t in, out;
        chunk_t padded;
        u_char *pos = NULL;;
-       
+
        err = gcry_sexp_build(&in, NULL, "(enc-val(flags)(rsa(a %b)))",
                                                  encrypted.len, encrypted.ptr);
        if (err)
@@ -290,15 +290,15 @@ static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
 {
        chunk_t n, e;
        public_key_t *public;
-       
+
        n = gcrypt_rsa_find_token(this->key, "n", NULL);
        e = gcrypt_rsa_find_token(this->key, "e", NULL);
-       
+
        public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                                BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
        chunk_free(&n);
        chunk_free(&e);
-       
+
        return public;
 }
 
@@ -312,12 +312,12 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
        gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2;
        gcry_error_t err;
        bool success;
-       
+
        /* p and q are swapped, gcrypt expects p < q */
        cp = gcrypt_rsa_find_token(this->key, "q", NULL);
        cq = gcrypt_rsa_find_token(this->key, "p", NULL);
        cd = gcrypt_rsa_find_token(this->key, "d", NULL);
-       
+
        err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL)
                | gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL)
                | gcry_mpi_scan(&d, GCRYMPI_FMT_USG, cd.ptr, cd.len, NULL);
@@ -332,24 +332,24 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
                DBG1("scanning mpi for export failed: %s", gpg_strerror(err));
                return FALSE;
        }
-       
+
        gcry_mpi_sub_ui(p, p, 1);
        exp1 = gcry_mpi_new(gcry_pk_get_nbits(this->key));
        gcry_mpi_mod(exp1, d, p);
        gcry_mpi_release(p);
-       
+
        gcry_mpi_sub_ui(q, q, 1);
        exp2 = gcry_mpi_new(gcry_pk_get_nbits(this->key));
        gcry_mpi_mod(exp1, d, q);
        gcry_mpi_release(q);
-       
+
        err = gcry_mpi_aprint(GCRYMPI_FMT_USG, &cexp1.ptr, &cexp1.len, exp1)
                | gcry_mpi_aprint(GCRYMPI_FMT_USG, &cexp2.ptr, &cexp2.len, exp2);
-       
+
        gcry_mpi_release(d);
        gcry_mpi_release(exp1);
        gcry_mpi_release(exp2);
-       
+
        if (err)
        {
                DBG1("printing mpi for export failed: %s", gpg_strerror(err));
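Review bot: The second reduction in this hunk, `gcry_mpi_mod(exp1, d, q);`, writes into `exp1` again instead of `exp2`. That overwrites the d mod (p-1) computed a few lines earlier, and `exp2` is passed to `gcry_mpi_aprint` as freshly allocated by `gcry_mpi_new`, never computed. The private-key encoding built from `cexp1`/`cexp2` therefore carries inconsistent CRT exponents; the line should be `gcry_mpi_mod(exp2, d, q);`. A round-trip check that re-loads the exported key and verifies a signature would catch this class of error. get_encoding starts and ends outside the hunk.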
@@ -360,11 +360,11 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
                chunk_clear(&cexp2);
                return FALSE;
        }
-       
+
        cn = gcrypt_rsa_find_token(this->key, "n", NULL);
        ce = gcrypt_rsa_find_token(this->key, "e", NULL);
        cu = gcrypt_rsa_find_token(this->key, "u", NULL);
-       
+
        success = lib->encoding->encode(lib->encoding, type, NULL, encoding,
                                                        KEY_PART_RSA_MODULUS, cn,
                                                        KEY_PART_RSA_PUB_EXP, ce, KEY_PART_RSA_PRIV_EXP, cd,
@@ -379,7 +379,7 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
        chunk_clear(&cexp1);
        chunk_clear(&cexp2);
        chunk_clear(&cu);
-       
+
        return success;
 }
 
@@ -391,14 +391,14 @@ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
 {
        chunk_t n, e;
        bool success;
-       
+
        if (lib->encoding->get_cache(lib->encoding, type, this, fp))
        {
                return TRUE;
        }
        n = gcrypt_rsa_find_token(this->key, "n", NULL);
        e = gcrypt_rsa_find_token(this->key, "e", NULL);
-       
+
        success = lib->encoding->encode(lib->encoding,
                                                                type, this, fp, KEY_PART_RSA_MODULUS, n,
                                                                KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
@@ -435,7 +435,7 @@ static void destroy(private_gcrypt_rsa_private_key_t *this)
 static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty()
 {
        private_gcrypt_rsa_private_key_t *this = malloc_thing(private_gcrypt_rsa_private_key_t);
-       
+
        this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
        this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
        this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
@@ -447,10 +447,10 @@ static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty()
        this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
        this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
        this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-       
+
        this->key = NULL;
        this->ref = 1;
-       
+
        return this;
 }
 
@@ -462,14 +462,14 @@ static gcrypt_rsa_private_key_t *generate(size_t key_size)
        private_gcrypt_rsa_private_key_t *this;
        gcry_sexp_t param, key;
        gcry_error_t err;
-       
+
        err = gcry_sexp_build(&param, NULL, "(genkey(rsa(nbits %d)))", key_size);
        if (err)
        {
                DBG1("building S-expression failed: %s", gpg_strerror(err));
                return NULL;
        }
-       
+
        err = gcry_pk_genkey(&key, param);
        gcry_sexp_release(param);
        if (err)
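Review bot: In generate, `key_size` is a `size_t` but is passed to `gcry_sexp_build` for a `%d` conversion, which reads an `int` from the variable argument list. Where `size_t` is wider than `int` this is a type mismatch in a variadic call, so the requested RSA modulus size is not guaranteed to be the value the caller asked for. I would range-check `key_size` and then pass it as `(int)key_size`, i.e. `err = gcry_sexp_build(&param, NULL, "(genkey(rsa(nbits %d)))", (int)key_size);`. The rest of generate lies outside the hunk.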
@@ -479,7 +479,7 @@ static gcrypt_rsa_private_key_t *generate(size_t key_size)
        }
        this = gcrypt_rsa_private_key_create_empty();
        this->key = key;
-       
+
        return &this->public;
 }
 
@@ -491,7 +491,7 @@ static gcrypt_rsa_private_key_t *load(chunk_t n, chunk_t e, chunk_t d,
 {
        gcry_error_t err;
        private_gcrypt_rsa_private_key_t *this = gcrypt_rsa_private_key_create_empty();
-       
+
        err = gcry_sexp_build(&this->key, NULL,
                                        "(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))",
                                        n.len, n.ptr, e.len, e.ptr, d.len, d.ptr,
@@ -551,7 +551,7 @@ static gcrypt_rsa_private_key_t *build(private_builder_t *this)
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        va_start(args, part);
        switch (part)
        {
@@ -594,19 +594,19 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *gcrypt_rsa_private_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->key_size = 0;
        this->n = this->e = this->d = this->p = this->q = this->u = chunk_empty;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index 2edd7ce5d19b22dce20958be6b666c3e644efbdc..248f7c49917885950092866de83b8c8f0e4167e8 100644 (file)
@@ -29,7 +29,7 @@ typedef struct gcrypt_rsa_private_key_t gcrypt_rsa_private_key_t;
  * Private_key_t implementation of RSA algorithm using libgcrypt.
  */
 struct gcrypt_rsa_private_key_t {
-       
+
        /**
         * Implements private_key_t interface
         */
index 2f86774dc17003eb489eccec232928b49a549fb5..d9d4b829932eea247a410c2df005399f546d6071 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include <gcrypt.h>
 
 #include "gcrypt_rsa_public_key.h"
@@ -29,17 +29,17 @@ typedef struct private_gcrypt_rsa_public_key_t private_gcrypt_rsa_public_key_t;
  * Private data structure with signing context.
  */
 struct private_gcrypt_rsa_public_key_t {
-       
+
        /**
         * Public interface for this signer.
         */
        gcrypt_rsa_public_key_t public;
-       
+
        /**
         * gcrypt S-expression representing an public RSA key
         */
        gcry_sexp_t key;
-       
+
        /**
         * reference counter
         */
@@ -61,7 +61,7 @@ static bool verify_raw(private_gcrypt_rsa_public_key_t *this,
        gcry_error_t err;
        chunk_t em;
        size_t k;
-       
+
        /* EM = 0x00 || 0x01 || PS || 0x00 || T
         * PS = 0xFF padding, with length to fill em
         * T  = data
@@ -77,7 +77,7 @@ static bool verify_raw(private_gcrypt_rsa_public_key_t *this,
        em.ptr[1] = 0x01;
        em.ptr[em.len - data.len - 1] = 0x00;
        memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
-       
+
        err = gcry_sexp_build(&in, NULL, "(data(flags raw)(value %b))",
                                                  em.len, em.ptr);
        chunk_free(&em);
@@ -116,7 +116,7 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
        chunk_t hash;
        gcry_error_t err;
        gcry_sexp_t in, sig;
-       
+
        hasher = lib->crypto->create_hasher(lib->crypto, algorithm);
        if (!hasher)
        {
@@ -124,7 +124,7 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
        }
        hasher->allocate_hash(hasher, data, &hash);
        hasher->destroy(hasher);
-       
+
        err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(hash %s %b))",
                                                  hash_name, hash.len, hash.ptr);
        chunk_free(&hash);
@@ -133,7 +133,7 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
                DBG1("building data S-expression failed: %s", gpg_strerror(err));
                return FALSE;
        }
-       
+
        err = gcry_sexp_build(&sig, NULL, "(sig-val(rsa(s %b)))",
                                                  signature.len, signature.ptr);
        if (err)
@@ -198,7 +198,7 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
 {
        gcry_sexp_t in, out;
        gcry_error_t err;
-       
+
        /* "pkcs1" uses PKCS 1.5 (section 8.1) block type 2 encryption:
         * 00 | 02 | RANDOM | 00 | DATA */
        err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(value %b))",
@@ -236,7 +236,7 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
 {
        chunk_t n, e;
        bool success;
-       
+
        n = gcrypt_rsa_find_token(this->key, "n", NULL);
        e = gcrypt_rsa_find_token(this->key, "e", NULL);
        success = lib->encoding->encode(lib->encoding, type, NULL, encoding,
@@ -244,7 +244,7 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
                                                        KEY_PART_END);
        chunk_free(&n);
        chunk_free(&e);
-       
+
        return success;
 }
 
@@ -256,14 +256,14 @@ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
 {
        chunk_t n, e;
        bool success;
-       
+
        if (lib->encoding->get_cache(lib->encoding, type, this, fp))
        {
                return TRUE;
        }
        n = gcrypt_rsa_find_token(this->key, "n", NULL);
        e = gcrypt_rsa_find_token(this->key, "e", NULL);
-       
+
        success = lib->encoding->encode(lib->encoding,
                                                                type, this, fp, KEY_PART_RSA_MODULUS, n,
                                                                KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
@@ -300,7 +300,7 @@ static void destroy(private_gcrypt_rsa_public_key_t *this)
 static private_gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_create_empty()
 {
        private_gcrypt_rsa_public_key_t *this = malloc_thing(private_gcrypt_rsa_public_key_t);
-       
+
        this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
        this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
        this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
@@ -310,10 +310,10 @@ static private_gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_create_empty()
        this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
        this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
        this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-       
+
        this->key = NULL;
        this->ref = 1;
-       
+
        return this;
 }
 
@@ -324,7 +324,7 @@ static gcrypt_rsa_public_key_t *load(chunk_t n, chunk_t e)
 {
        private_gcrypt_rsa_public_key_t *this;
        gcry_error_t err;
-       
+
        this = gcrypt_rsa_public_key_create_empty();
        err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
                                                  n.len, n.ptr, e.len, e.ptr);
@@ -355,7 +355,7 @@ struct private_builder_t {
 static gcrypt_rsa_public_key_t *build(private_builder_t *this)
 {
        gcrypt_rsa_public_key_t *key;
-       
+
        key = load(this->n, this->e);
        free(this);
        return key;
@@ -367,7 +367,7 @@ static gcrypt_rsa_public_key_t *build(private_builder_t *this)
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        va_start(args, part);
        switch (part)
        {
@@ -390,18 +390,18 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *gcrypt_rsa_public_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->n = this->e = chunk_empty;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index a03e83e662c3264c4e0da940fc9fbb2d6431c6d6..945d3e3fab1972e364f48f8f4c3f289112ad78d0 100644 (file)
@@ -282,7 +282,7 @@ static u_int8_t group18_modulus[] = {
 
 typedef struct modulus_entry_t modulus_entry_t;
 
-/** 
+/**
  * Entry of the modulus list.
  */
 struct modulus_entry_t {
@@ -290,25 +290,25 @@ struct modulus_entry_t {
         * Group number as it is defined in file transform_substructure.h.
         */
        diffie_hellman_group_t group;
-       
+
        /**
         * Pointer to first byte of modulus (network order).
         */
        u_int8_t *modulus;
-       
-       /* 
+
+       /*
         * Length of modulus in bytes.
-        */     
+        */
        size_t modulus_len;
-       
-       /* 
+
+       /*
         * Optimum length of exponent in bytes.
-        */     
+        */
        size_t opt_exponent_len;
 
-       /* 
+       /*
         * Generator value.
-        */     
+        */
        u_int16_t generator;
 };
 
@@ -336,47 +336,47 @@ struct private_gmp_diffie_hellman_t {
         * Public gmp_diffie_hellman_t interface.
         */
        gmp_diffie_hellman_t public;
-       
+
        /**
         * Diffie Hellman group number.
         */
        u_int16_t group;
-       
-       /* 
+
+       /*
         * Generator value.
-        */     
+        */
        mpz_t g;
-       
+
        /**
         * My private value.
         */
        mpz_t xa;
-       
+
        /**
         * My public value.
         */
        mpz_t ya;
-       
+
        /**
         * Other public value.
-        */     
+        */
        mpz_t yb;
-       
+
        /**
         * Shared secret.
-        */     
+        */
        mpz_t zz;
 
        /**
         * Modulus.
         */
        mpz_t p;
-       
+
        /**
         * Modulus length.
         */
        size_t p_len;
-       
+
        /**
         * Optimal exponent length.
         */
@@ -394,13 +394,13 @@ struct private_gmp_diffie_hellman_t {
 static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t value)
 {
        mpz_t p_min_1;
-       
+
        mpz_init(p_min_1);
        mpz_sub_ui(p_min_1, this->p, 1);
-       
+
        mpz_import(this->yb, value.len, 1, 1, 1, 0, value.ptr);
-       
-       /* check public value: 
+
+       /* check public value:
         * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
         * 2. a public value larger or equal the modulus is invalid */
        if (mpz_cmp_ui(this->yb, 1) > 0 &&
@@ -409,7 +409,7 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 #ifdef EXTENDED_DH_TEST
                /* 3. test if y ^ q mod p = 1, where q = (p - 1)/2. */
                mpz_t q, one;
-               
+
                mpz_init(q);
                mpz_init(one);
                mpz_fdiv_q_2exp(q, p_min_1, 1);
@@ -483,7 +483,7 @@ static status_t set_modulus(private_gmp_diffie_hellman_t *this)
 {
        int i;
        status_t status = NOT_FOUND;
-       
+
        for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
        {
                if (modulus_entries[i].group == this->group)
@@ -533,7 +533,7 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
        this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
        this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
        this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-       
+
        /* private variables */
        this->group = group;
        mpz_init(this->p);
@@ -542,10 +542,10 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
        mpz_init(this->xa);
        mpz_init(this->zz);
        mpz_init(this->g);
-       
+
        this->computed = FALSE;
-               
-       /* find a modulus according to group */ 
+
+       /* find a modulus according to group */
        if (set_modulus(this) != SUCCESS)
        {
                destroy(this);
@@ -561,7 +561,7 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 
        ansi_x9_42 = lib->settings->get_int(lib->settings,
                                         "libstrongswan.dh_exponent_ansi_x9_42", TRUE);
-       exponent_len = (ansi_x9_42) ? this->p_len : this->opt_exponent_len;     
+       exponent_len = (ansi_x9_42) ? this->p_len : this->opt_exponent_len;
        rng->allocate_bytes(rng, exponent_len, &random);
        rng->destroy(rng);
 
@@ -575,7 +575,7 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
        DBG2("size of DH secret exponent: %u bits", mpz_sizeinbase(this->xa, 2));
 
        mpz_powm(this->ya, this->g, this->xa, this->p);
-       
+
        return &this->public;
 }
 
index 774c31cc2f741f4b160e3baa6791bde62cb64575..2a54eebb1865e07e95901554d9c4ae91a030dc4e 100644 (file)
@@ -30,7 +30,7 @@ typedef struct gmp_diffie_hellman_t gmp_diffie_hellman_t;
  * Implementation of the Diffie-Hellman algorithm, as in RFC2631. Uses libgmp.
  */
 struct gmp_diffie_hellman_t {
-       
+
        /**
         * Implements diffie_hellman_t interface.
         */
@@ -39,7 +39,7 @@ struct gmp_diffie_hellman_t {
 
 /**
  * Creates a new gmp_diffie_hellman_t object.
- * 
+ *
  * @param group                        Diffie Hellman group number to use
  * @return                             gmp_diffie_hellman_t object, NULL if not supported
  */
index f6ea964c193ac96f6e0275674f65fc4be2dadfba..84c55dfd8ca701a8fe650de81ec8c010fb11c88e 100644 (file)
@@ -53,31 +53,31 @@ static void destroy(private_gmp_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_gmp_plugin_t *this = malloc_thing(private_gmp_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
-       lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
+
+       lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
                                                (dh_constructor_t)gmp_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
                                                (dh_constructor_t)gmp_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
                                                (dh_constructor_t)gmp_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
                                                (dh_constructor_t)gmp_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
                                                (dh_constructor_t)gmp_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
                                                (dh_constructor_t)gmp_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
                                                (dh_constructor_t)gmp_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
                                                (dh_constructor_t)gmp_diffie_hellman_create);
-       
+
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                (builder_constructor_t)gmp_rsa_private_key_builder);
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                                (builder_constructor_t)gmp_rsa_public_key_builder);
-       
+
        return &this->public.plugin;
 }
 
index d707d78eadf961c45d336af2081157b7c0ed8b05..77d53965d45d6e175447b216a6dea171240c8185 100644 (file)
@@ -16,7 +16,7 @@
 /**
  * @defgroup gmp_p gmp
  * @ingroup plugins
- * 
+ *
  * @defgroup gmp_plugin gmp_plugin
  * @{ @ingroup gmp_p
  */
index f3192b889163c39e9860fc7a72310cc5cb520824..4241e824a28f88341afd6642c4f820663cd721da 100644 (file)
@@ -42,52 +42,52 @@ struct private_gmp_rsa_private_key_t {
         * Public interface for this signer.
         */
        gmp_rsa_private_key_t public;
-       
+
        /**
         * Public modulus.
         */
        mpz_t n;
-       
+
        /**
         * Public exponent.
         */
        mpz_t e;
-       
+
        /**
         * Private prime 1.
         */
        mpz_t p;
-       
+
        /**
         * Private Prime 2.
         */
        mpz_t q;
-       
+
        /**
         * Private exponent.
         */
        mpz_t d;
-       
+
        /**
         * Private exponent 1.
         */
        mpz_t exp1;
-       
+
        /**
         * Private exponent 2.
         */
        mpz_t exp2;
-       
+
        /**
         * Private coefficient.
         */
        mpz_t coeff;
-       
+
        /**
         * Keysize in bytes.
         */
        size_t k;
-       
+
        /**
         * reference count
         */
@@ -100,7 +100,7 @@ struct private_gmp_rsa_private_key_t {
 chunk_t gmp_mpz_to_chunk(const mpz_t value)
 {
        chunk_t n;
-       
+
        n.len = 1 + mpz_sizeinbase(value, 2) / BITS_PER_BYTE;
        n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
        if (n.ptr == NULL)
@@ -117,7 +117,7 @@ static void mpz_clear_sensitive(mpz_t z)
 {
        size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
        u_int8_t *random = alloca(len);
-       
+
        memset(random, 0, len);
        /* overwrite mpz_t with zero bytes before clearing it */
        mpz_import(z, len, 1, 1, 1, 0, random);
@@ -132,28 +132,28 @@ static status_t compute_prime(private_gmp_rsa_private_key_t *this,
 {
        rng_t *rng;
        chunk_t random_bytes;
-       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
        if (!rng)
        {
                DBG1("no RNG of quality %N found", rng_quality_names, RNG_TRUE);
                return FAILED;
        }
-       
+
        mpz_init(*prime);
        do
        {
                rng->allocate_bytes(rng, prime_size, &random_bytes);
                /* make sure most significant bit is set */
                random_bytes.ptr[0] = random_bytes.ptr[0] | 0x80;
-               
+
                mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
                mpz_nextprime (*prime, *prime);
                chunk_clear(&random_bytes);
        }
        /* check if it isn't too large */
        while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
-       
+
        rng->destroy(rng);
        return SUCCESS;
 }
@@ -165,32 +165,32 @@ static chunk_t rsadp(private_gmp_rsa_private_key_t *this, chunk_t data)
 {
        mpz_t t1, t2;
        chunk_t decrypted;
-       
+
        mpz_init(t1);
        mpz_init(t2);
-       
+
        mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
-       
+
        mpz_powm(t2, t1, this->exp1, this->p);  /* m1 = c^dP mod p */
        mpz_powm(t1, t1, this->exp2, this->q);  /* m2 = c^dQ mod Q */
        mpz_sub(t2, t2, t1);                                    /* h = qInv (m1 - m2) mod p */
        mpz_mod(t2, t2, this->p);
        mpz_mul(t2, t2, this->coeff);
        mpz_mod(t2, t2, this->p);
-       
+
        mpz_mul(t2, t2, this->q);                               /* m = m2 + h q */
        mpz_add(t1, t1, t2);
-       
+
        decrypted.len = this->k;
        decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
        if (decrypted.ptr == NULL)
        {
                decrypted.len = 0;
        }
-       
+
        mpz_clear_sensitive(t1);
        mpz_clear_sensitive(t2);
-       
+
        return decrypted;
 }
 
@@ -217,7 +217,7 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
                hasher_t *hasher;
                chunk_t hash;
                int hash_oid = hasher_algorithm_to_oid(hash_algorithm);
-       
+
                if (hash_oid == OID_UNKNOWN)
                {
                        return FALSE;
@@ -230,7 +230,7 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
                }
                hasher->allocate_hash(hasher, data, &hash);
                hasher->destroy(hasher);
-       
+
                /* build DER-encoded digestInfo */
                digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
                                                asn1_algorithmIdentifier(hash_oid),
@@ -246,15 +246,15 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
                DBG1("unable to sign %d bytes using a %dbit key", data.len, this->k * 8);
                return FALSE;
        }
-       
+
        /* build chunk to rsa-decrypt:
-        * EM = 0x00 || 0x01 || PS || 0x00 || T. 
+        * EM = 0x00 || 0x01 || PS || 0x00 || T.
         * PS = 0xFF padding, with length to fill em
         * T = encoded_hash
         */
        em.len = this->k;
        em.ptr = malloc(em.len);
-       
+
        /* fill em with padding */
        memset(em.ptr, 0xFF, em.len);
        /* set magic bytes */
@@ -266,11 +266,11 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 
        /* build signature */
        *signature = rsasp1(this, em);
-       
+
        free(digestInfo.ptr);
        free(em.ptr);
-       
-       return TRUE;    
+
+       return TRUE;
 }
 
 /**
@@ -284,7 +284,7 @@ static key_type_t get_type(private_gmp_rsa_private_key_t *this)
 /**
  * Implementation of gmp_rsa_private_key.sign.
  */
-static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, 
+static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
                                 chunk_t data, chunk_t *signature)
 {
        switch (scheme)
@@ -318,7 +318,7 @@ static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
 {
        chunk_t em, stripped;
        bool success = FALSE;
-       
+
        /* rsa decryption using PKCS#1 RSADP */
        stripped = em = rsadp(this, crypto);
 
@@ -364,15 +364,15 @@ static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
 {
        chunk_t n, e;
        public_key_t *public;
-       
+
        n = gmp_mpz_to_chunk(this->n);
        e = gmp_mpz_to_chunk(this->e);
-       
+
        public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                                BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
        chunk_free(&n);
        chunk_free(&e);
-       
+
        return public;
 }
 
@@ -400,7 +400,7 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this,
 {
        chunk_t n, e, d, p, q, exp1, exp2, coeff;
        bool success;
-       
+
        n = gmp_mpz_to_chunk(this->n);
        e = gmp_mpz_to_chunk(this->e);
        d = gmp_mpz_to_chunk(this->d);
@@ -409,7 +409,7 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this,
        exp1 = gmp_mpz_to_chunk(this->exp1);
        exp2 = gmp_mpz_to_chunk(this->exp2);
        coeff = gmp_mpz_to_chunk(this->coeff);
-       
+
        success = lib->encoding->encode(lib->encoding,
                                                        type, NULL, encoding, KEY_PART_RSA_MODULUS, n,
                                                        KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d,
@@ -424,7 +424,7 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this,
        chunk_clear(&exp1);
        chunk_clear(&exp2);
        chunk_clear(&coeff);
-       
+
        return success;
 }
 
@@ -436,19 +436,19 @@ static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
 {
        chunk_t n, e;
        bool success;
-       
+
        if (lib->encoding->get_cache(lib->encoding, type, this, fp))
        {
                return TRUE;
        }
        n = gmp_mpz_to_chunk(this->n);
        e = gmp_mpz_to_chunk(this->e);
-       
+
        success = lib->encoding->encode(lib->encoding, type, this, fp,
                                KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
        chunk_free(&n);
        chunk_free(&e);
-       
+
        return success;
 }
 
@@ -488,7 +488,7 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 {
        mpz_t t, u, q1;
        status_t status = SUCCESS;
-       
+
        /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
         * We actually require more (for security).
         */
@@ -497,25 +497,25 @@ static status_t check(private_gmp_rsa_private_key_t *this)
                DBG1("key shorter than 512 bits");
                return FAILED;
        }
-       
+
        /* we picked a max modulus size to simplify buffer allocation */
        if (this->k > 8192 / BITS_PER_BYTE)
        {
                DBG1("key larger than 8192 bits");
                return FAILED;
        }
-       
+
        mpz_init(t);
        mpz_init(u);
        mpz_init(q1);
-       
+
        /* check that n == p * q */
        mpz_mul(u, this->p, this->q);
        if (mpz_cmp(u, this->n) != 0)
        {
                status = FAILED;
        }
-       
+
        /* check that e divides neither p-1 nor q-1 */
        mpz_sub_ui(t, this->p, 1);
        mpz_mod(t, t, this->e);
@@ -523,14 +523,14 @@ static status_t check(private_gmp_rsa_private_key_t *this)
        {
                status = FAILED;
        }
-       
+
        mpz_sub_ui(t, this->q, 1);
        mpz_mod(t, t, this->e);
        if (mpz_cmp_ui(t, 0) == 0)
        {
                status = FAILED;
        }
-       
+
        /* check that d is e^-1 (mod lcm(p-1, q-1)) */
        /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
        mpz_sub_ui(q1, this->q, 1);
@@ -538,14 +538,14 @@ static status_t check(private_gmp_rsa_private_key_t *this)
        mpz_gcd(t, u, q1);              /* t := gcd(p-1, q-1) */
        mpz_mul(u, u, q1);              /* u := (p-1) * (q-1) */
        mpz_divexact(u, u, t);  /* u := lcm(p-1, q-1) */
-       
+
        mpz_mul(t, this->d, this->e);
        mpz_mod(t, t, u);
        if (mpz_cmp_ui(t, 1) != 0)
        {
                status = FAILED;
        }
-       
+
        /* check that exp1 is d mod (p-1) */
        mpz_sub_ui(u, this->p, 1);
        mpz_mod(t, this->d, u);
@@ -553,7 +553,7 @@ static status_t check(private_gmp_rsa_private_key_t *this)
        {
                status = FAILED;
        }
-       
+
        /* check that exp2 is d mod (q-1) */
        mpz_sub_ui(u, this->q, 1);
        mpz_mod(t, this->d, u);
@@ -561,7 +561,7 @@ static status_t check(private_gmp_rsa_private_key_t *this)
        {
                status = FAILED;
        }
-       
+
        /* check that coeff is (q^-1) mod p */
        mpz_mul(t, this->coeff, this->q);
        mpz_mod(t, t, this->p);
@@ -569,7 +569,7 @@ static status_t check(private_gmp_rsa_private_key_t *this)
        {
                status = FAILED;
        }
-       
+
        mpz_clear_sensitive(t);
        mpz_clear_sensitive(u);
        mpz_clear_sensitive(q1);
@@ -586,7 +586,7 @@ static status_t check(private_gmp_rsa_private_key_t *this)
 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
 {
        private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
-       
+
        this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
        this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
        this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
@@ -598,9 +598,9 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
        this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
        this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
        this->public.interface.destroy = (void (*) (private_key_t*))destroy;
-       
+
        this->ref = 1;
-       
+
        return this;
 }
 
@@ -612,35 +612,35 @@ static gmp_rsa_private_key_t *generate(size_t key_size)
        mpz_t p, q, n, e, d, exp1, exp2, coeff;
        mpz_t m, q1, t;
        private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
-       
+
        key_size = key_size / BITS_PER_BYTE;
-       
+
        /* Get values of primes p and q  */
        if (compute_prime(this, key_size/2, &p) != SUCCESS)
        {
                free(this);
                return NULL;
-       }       
+       }
        if (compute_prime(this, key_size/2, &q) != SUCCESS)
        {
                mpz_clear(p);
                free(this);
                return NULL;
        }
-       
+
        mpz_init(t);
        mpz_init(n);
        mpz_init(d);
        mpz_init(exp1);
        mpz_init(exp2);
        mpz_init(coeff);
-       
+
        /* Swapping Primes so p is larger then q */
        if (mpz_cmp(p, q) < 0)
        {
                mpz_swap(p, q);
        }
-       
+
        mpz_mul(n, p, q);                                               /* n = p*q */
        mpz_init_set_ui(e, PUBLIC_EXPONENT);    /* assign public exponent */
        mpz_init_set(m, p);                                     /* m = p */
@@ -661,7 +661,7 @@ static gmp_rsa_private_key_t *generate(size_t key_size)
        mpz_mod(exp1, d, t);                                    /* exp1 = d mod p-1 */
        mpz_sub_ui(t, q, 1);                                    /* t = q-1 */
        mpz_mod(exp2, d, t);                                    /* exp2 = d mod q-1 */
-       
+
        mpz_invert(coeff, q, p);                                /* coeff = q^-1 mod p */
        if (mpz_cmp_ui(coeff, 0) < 0)                   /* make coeff d is positive */
        {
@@ -681,10 +681,10 @@ static gmp_rsa_private_key_t *generate(size_t key_size)
        *(this->exp1) = *exp1;
        *(this->exp2) = *exp2;
        *(this->coeff) = *coeff;
-       
+
        /* set key size in bytes */
        this->k = key_size;
-       
+
        return &this->public;
 }
 
@@ -695,7 +695,7 @@ static gmp_rsa_private_key_t *load(chunk_t n, chunk_t e, chunk_t d,
                                chunk_t p, chunk_t q, chunk_t exp1, chunk_t exp2, chunk_t coeff)
 {
        private_gmp_rsa_private_key_t *this = gmp_rsa_private_key_create_empty();
-       
+
        mpz_init(this->n);
        mpz_init(this->e);
        mpz_init(this->p);
@@ -704,7 +704,7 @@ static gmp_rsa_private_key_t *load(chunk_t n, chunk_t e, chunk_t d,
        mpz_init(this->exp1);
        mpz_init(this->exp2);
        mpz_init(this->coeff);
-       
+
        mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
        mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
        mpz_import(this->d, d.len, 1, 1, 1, 0, d.ptr);
@@ -757,7 +757,7 @@ struct private_builder_t {
 static gmp_rsa_private_key_t *build(private_builder_t *this)
 {
        gmp_rsa_private_key_t *key = NULL;
-       
+
        if (this->key_size)
        {
                key = generate(this->key_size);
@@ -777,7 +777,7 @@ static gmp_rsa_private_key_t *build(private_builder_t *this)
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        va_start(args, part);
        switch (part)
        {
@@ -821,20 +821,20 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *gmp_rsa_private_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->n = this->e = this->d = this->p = this->q = chunk_empty;
        this->exp1 = this->exp2 = this->coeff = chunk_empty;
        this->key_size = 0;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index ec47ea1e06a43b24752cc57262a5695b340f25f8..0b3e7e2e80d893b3de043e9119c8231a84c7c264 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 #include <gmp.h>
 #include <sys/stat.h>
 #include <unistd.h>
@@ -38,22 +38,22 @@ struct private_gmp_rsa_public_key_t {
         * Public interface for this signer.
         */
        gmp_rsa_public_key_t public;
-       
+
        /**
         * Public modulus.
         */
        mpz_t n;
-       
+
        /**
         * Public exponent.
         */
        mpz_t e;
-       
+
        /**
         * Keysize in bytes.
         */
        size_t k;
-       
+
        /**
         * reference counter
         */
@@ -72,12 +72,12 @@ static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data)
 {
        mpz_t m, c;
        chunk_t encrypted;
-       
+
        mpz_init(c);
        mpz_init(m);
-       
+
        mpz_import(m, data.len, 1, 1, 1, 0, data.ptr);
-       
+
        mpz_powm(c, m, this->e, this->n);
 
        encrypted.len = this->k;
@@ -86,10 +86,10 @@ static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data)
        {
                encrypted.len = 0;
        }
-       
+
        mpz_clear(c);
        mpz_clear(m);
-       
+
        return encrypted;
 }
 
@@ -123,34 +123,34 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
 {
        chunk_t em_ori, em;
        bool success = FALSE;
-       
+
        /* remove any preceding 0-bytes from signature */
        while (signature.len && *(signature.ptr) == 0x00)
        {
                signature = chunk_skip(signature, 1);
        }
-       
+
        if (signature.len == 0 || signature.len > this->k)
        {
                return INVALID_ARG;
        }
-       
+
        /* unpack signature */
        em_ori = em = rsavp1(this, signature);
-       
+
        /* result should look like this:
-        * EM = 0x00 || 0x01 || PS || 0x00 || T. 
+        * EM = 0x00 || 0x01 || PS || 0x00 || T.
         * PS = 0xFF padding, with length to fill em
         * T = oid || hash
         */
-       
+
        /* check magic bytes */
        if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
        {
                goto end;
        }
        em = chunk_skip(em, 2);
-       
+
        /* find magic 0x00 */
        while (em.len > 0)
        {
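Review bot: `return INVALID_ARG;` in the length check of verify_emsa_pkcs1_signature hands a status_t code back through a function declared `bool`. If INVALID_ARG is a non-zero enum value (status_t is not defined in this hunk, so confirm), the caller reads it as TRUE. A signature that is empty once its leading zero bytes are stripped, or longer than `this->k`, would then be reported as verified. The rejection should be `return FALSE;`, which matches the `success = FALSE` initial value that the `goto end` path appears to rely on. The function body continues past this hunk, so the remaining exit paths are not visible here.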
@@ -227,7 +227,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
                                {
                                        chunk_t hash;
                                        hasher_t *hasher;
-                                       
+
                                        hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
                                        if (hasher == NULL)
                                        {
@@ -277,7 +277,7 @@ static key_type_t get_type(private_gmp_rsa_public_key_t *this)
 /**
  * Implementation of public_key_t.verify.
  */
-static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme, 
+static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
                                   chunk_t data, chunk_t signature)
 {
        switch (scheme)
@@ -333,9 +333,9 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 
        /* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */
        DBG2("padding %u bytes of data to the rsa modulus size of %u bytes",
-                plain.len, this->k); 
+                plain.len, this->k);
        em.len = this->k;
-       em.ptr = malloc(em.len); 
+       em.ptr = malloc(em.len);
        pos = em.ptr;
        *pos++ = 0x00;
        *pos++ = 0x02;
@@ -360,7 +360,7 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
        /* now add the data */
        memcpy(pos, plain.ptr, plain.len);
        DBG3("padded data before rsa encryption: %B", &em);
-       
+
        /* rsa encryption using PKCS#1 RSAEP */
        *crypto = rsaep(this, em);
        DBG3("rsa encrypted data: %B", crypto);
@@ -392,15 +392,15 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this,
 {
        chunk_t n, e;
        bool success;
-       
+
        n = gmp_mpz_to_chunk(this->n);
        e = gmp_mpz_to_chunk(this->e);
-       
-       success = lib->encoding->encode(lib->encoding, type, NULL, encoding, 
+
+       success = lib->encoding->encode(lib->encoding, type, NULL, encoding,
                                KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
        chunk_free(&n);
        chunk_free(&e);
-       
+
        return success;
 }
 
@@ -412,19 +412,19 @@ static bool get_fingerprint(private_gmp_rsa_public_key_t *this,
 {
        chunk_t n, e;
        bool success;
-       
+
        if (lib->encoding->get_cache(lib->encoding, type, this, fp))
        {
                return TRUE;
        }
        n = gmp_mpz_to_chunk(this->n);
        e = gmp_mpz_to_chunk(this->e);
-       
+
        success = lib->encoding->encode(lib->encoding, type, this, fp,
                                KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END);
        chunk_free(&n);
        chunk_free(&e);
-       
+
        return success;
 }
 
@@ -457,7 +457,7 @@ static void destroy(private_gmp_rsa_public_key_t *this)
 static private_gmp_rsa_public_key_t *gmp_rsa_public_key_create_empty()
 {
        private_gmp_rsa_public_key_t *this = malloc_thing(private_gmp_rsa_public_key_t);
-       
+
        this->public.interface.get_type = (key_type_t (*) (public_key_t*))get_type;
        this->public.interface.verify = (bool (*) (public_key_t*, signature_scheme_t, chunk_t, chunk_t))verify;
        this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_;
@@ -467,9 +467,9 @@ static private_gmp_rsa_public_key_t *gmp_rsa_public_key_create_empty()
        this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
        this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref;
        this->public.interface.destroy = (void (*) (public_key_t *this))destroy;
-       
+
        this->ref = 1;
-       
+
        return this;
 }
 
@@ -479,15 +479,15 @@ static private_gmp_rsa_public_key_t *gmp_rsa_public_key_create_empty()
 static gmp_rsa_public_key_t *load(chunk_t n, chunk_t e)
 {
        private_gmp_rsa_public_key_t *this = gmp_rsa_public_key_create_empty();
-       
+
        mpz_init(this->n);
        mpz_init(this->e);
-       
+
        mpz_import(this->n, n.len, 1, 1, 1, 0, n.ptr);
        mpz_import(this->e, e.len, 1, 1, 1, 0, e.ptr);
-       
+
        this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
-       
+
        return &this->public;
 }
 
@@ -509,7 +509,7 @@ struct private_builder_t {
 static gmp_rsa_public_key_t *build(private_builder_t *this)
 {
        gmp_rsa_public_key_t *key;
-       
+
        key = load(this->n, this->e);
        free(this);
        return key;
@@ -521,7 +521,7 @@ static gmp_rsa_public_key_t *build(private_builder_t *this)
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        va_start(args, part);
        switch (part)
        {
@@ -544,18 +544,18 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *gmp_rsa_public_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->n = this->e = chunk_empty;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index 6dfa022332411f3c25cf2d0f753e0237f6acfc5d..c1ab4889931c017502d1e9b764c828f7c570baba 100644 (file)
@@ -23,7 +23,7 @@ typedef struct private_hmac_t private_hmac_t;
 
 /**
  * Private data of a hmac_t object.
- * 
+ *
  * The variable names are the same as in the RFC.
  */
 struct private_hmac_t {
@@ -31,22 +31,22 @@ struct private_hmac_t {
         * Public hmac_t interface.
         */
        hmac_t hmac;
-       
+
        /**
         * Block size, as in RFC.
         */
        u_int8_t b;
-       
+
        /**
         * Hash function.
         */
        hasher_t *h;
-       
+
        /**
         * Previously xor'ed key using opad.
         */
        chunk_t opaded_key;
-       
+
        /**
         * Previously xor'ed key using ipad.
         */
@@ -58,16 +58,16 @@ struct private_hmac_t {
  */
 static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
 {
-       /* H(K XOR opad, H(K XOR ipad, text)) 
-        * 
+       /* H(K XOR opad, H(K XOR ipad, text))
+        *
         * if out is NULL, we append text to the inner hash.
         * else, we complete the inner and do the outer.
-        * 
+        *
         */
-       
+
        u_int8_t buffer[this->h->get_hash_size(this->h)];
        chunk_t inner;
-       
+
        if (out == NULL)
        {
                /* append data to inner */
@@ -78,14 +78,14 @@ static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
                /* append and do outer hash */
                inner.ptr = buffer;
                inner.len = this->h->get_hash_size(this->h);
-               
+
                /* complete inner */
                this->h->get_hash(this->h, data, buffer);
-               
+
                /* do outer */
                this->h->get_hash(this->h, this->opaded_key, NULL);
                this->h->get_hash(this->h, inner, out);
-               
+
                /* reinit for next call */
                this->h->get_hash(this->h, this->ipaded_key, NULL);
        }
@@ -109,7 +109,7 @@ static void allocate_mac(private_hmac_t *this, chunk_t data, chunk_t *out)
                this->hmac.get_mac(&(this->hmac), data, out->ptr);
        }
 }
-       
+
 /**
  * Implementation of hmac_t.get_block_size.
  */
@@ -125,27 +125,27 @@ static void set_key(private_hmac_t *this, chunk_t key)
 {
        int i;
        u_int8_t buffer[this->b];
-       
+
        memset(buffer, 0, this->b);
-       
+
        if (key.len > this->b)
-       {       
+       {
                /* if key is too long, it will be hashed */
                this->h->get_hash(this->h, key, buffer);
        }
        else
-       {       
+       {
                /* if not, just copy it in our pre-padded k */
-               memcpy(buffer, key.ptr, key.len);       
+               memcpy(buffer, key.ptr, key.len);
        }
-                       
+
        /* apply ipad and opad to key */
        for (i = 0; i < this->b; i++)
        {
                this->ipaded_key.ptr[i] = buffer[i] ^ 0x36;
                this->opaded_key.ptr[i] = buffer[i] ^ 0x5C;
        }
-       
+
        /* begin hashing of inner pad */
        this->h->reset(this->h);
        this->h->get_hash(this->h, this->ipaded_key, NULL);
@@ -175,7 +175,7 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
        this->hmac.get_block_size = (size_t (*)(hmac_t *))get_block_size;
        this->hmac.set_key = (void (*)(hmac_t *,chunk_t))set_key;
        this->hmac.destroy = (void (*)(hmac_t *))destroy;
-       
+
        /* set b, according to hasher */
        switch (hash_algorithm)
        {
@@ -190,15 +190,15 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
                        break;
                default:
                        free(this);
-                       return NULL;    
+                       return NULL;
        }
-       
+
        /* build the hasher */
        this->h = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
        if (this->h == NULL)
        {
                free(this);
-               return NULL;    
+               return NULL;
        }
 
        /* build ipad and opad */
index a204d3b17b11acd27d255c607e30893b4bd2477a..be1bce66d8d26926fcee9ca7a71fc578fc50ee14 100644 (file)
@@ -36,46 +36,46 @@ typedef struct hmac_t hmac_t;
 struct hmac_t {
        /**
         * Generate message authentication code.
-        * 
+        *
         * If buffer is NULL, no result is given back. A next call will
-        * append the data to already supplied data. If buffer is not NULL, 
+        * append the data to already supplied data. If buffer is not NULL,
         * the mac of all apended data is calculated, returned and the
         * state of the hmac_t is reseted.
-        * 
+        *
         * @param data          chunk of data to authenticate
         * @param buffer        pointer where the generated bytes will be written
         */
        void (*get_mac) (hmac_t *this, chunk_t data, u_int8_t *buffer);
-       
+
        /**
         * Generates message authentication code and allocate space for them.
-        * 
+        *
         * If chunk is NULL, no result is given back. A next call will
-        * append the data to already supplied. If chunk is not NULL, 
+        * append the data to already supplied. If chunk is not NULL,
         * the mac of all apended data is calculated, returned and the
         * state of the hmac_t reset;
-        * 
+        *
         * @param data          chunk of data to authenticate
         * @param chunk         chunk which will hold generated bytes
         */
        void (*allocate_mac) (hmac_t *this, chunk_t data, chunk_t *chunk);
-       
+
        /**
         * Get the block size of this hmac_t object.
-        * 
+        *
         * @return                      block size in bytes
         */
-       size_t (*get_block_size) (hmac_t *this);        
-       
+       size_t (*get_block_size) (hmac_t *this);
+
        /**
         * Set the key for this hmac_t object.
-        * 
+        *
         * Any key length is accepted.
-        * 
+        *
         * @param key           key to set
         */
        void (*set_key) (hmac_t *this, chunk_t key);
-       
+
        /**
         * Destroys a hmac_t object.
         */
@@ -84,7 +84,7 @@ struct hmac_t {
 
 /**
  * Creates a new hmac_t object.
- * 
+ *
  * @param hash_algorithm       hash algorithm to use
  * @return                                     hmac_t object, NULL if not supported
  */
index aa1e994b0d1402d3661d183bf406d09c5688a978..94332ee36666d3acba77cd324c91d61894170f3e 100644 (file)
@@ -50,35 +50,35 @@ static void destroy(private_hmac_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_hmac_plugin_t *this = malloc_thing(private_hmac_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
-       lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, 
+
+       lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256,
                                                 (prf_constructor_t)hmac_prf_create);
-       lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, 
+       lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1,
                                                 (prf_constructor_t)hmac_prf_create);
-       lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, 
+       lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5,
                                                 (prf_constructor_t)hmac_prf_create);
-       lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, 
+       lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384,
                                                 (prf_constructor_t)hmac_prf_create);
-       lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, 
+       lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512,
                                                 (prf_constructor_t)hmac_prf_create);
-       
-       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, 
+
+       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96,
                                                        (signer_constructor_t)hmac_signer_create);
-       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, 
+       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128,
                                                        (signer_constructor_t)hmac_signer_create);
-       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, 
+       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160,
                                                        (signer_constructor_t)hmac_signer_create);
-       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, 
+       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128,
                                                        (signer_constructor_t)hmac_signer_create);
-       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, 
+       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96,
                                                        (signer_constructor_t)hmac_signer_create);
-       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, 
+       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128,
                                                        (signer_constructor_t)hmac_signer_create);
-       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, 
+       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192,
                                                        (signer_constructor_t)hmac_signer_create);
-       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, 
+       lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256,
                                                        (signer_constructor_t)hmac_signer_create);
 
        return &this->public.plugin;
index 454d40be331d5d149312e8e88f6a821f67dea1b8..cca6e957056401708699c1fa26d26444ea172090 100644 (file)
@@ -28,8 +28,8 @@ struct private_hmac_prf_t {
        /**
         * Public hmac_prf_t interface.
         */
-       hmac_prf_t public;      
-       
+       hmac_prf_t public;
+
        /**
         * Hmac to use for generation.
         */
@@ -93,7 +93,7 @@ hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo)
 {
        private_hmac_prf_t *this;
        hash_algorithm_t hash;
-       
+
        switch (algo)
        {
                case PRF_HMAC_SHA1:
@@ -114,22 +114,22 @@ hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo)
                default:
                        return NULL;
        }
-       
+
        this = malloc_thing(private_hmac_prf_t);
        this->hmac = hmac_create(hash);
        if (this->hmac == NULL)
        {
                free(this);
-               return NULL;    
+               return NULL;
        }
-       
+
        this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
        this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
        this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
        this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
        this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
        this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-       
+
        return &(this->public);
 }
 
index aa75272e1b58eb4806b0c8bafae18f620b15d154..975b456f5b39c7d6d2ee377b1a349b7eb1c252cc 100644 (file)
@@ -28,12 +28,12 @@ typedef struct hmac_prf_t hmac_prf_t;
 
 /**
  * Implementation of prf_t interface using the HMAC algorithm.
- * 
+ *
  * This simply wraps a hmac_t in a prf_t. More a question of
  * interface matching.
  */
 struct hmac_prf_t {
-       
+
        /**
         * Generic prf_t interface for this hmac_prf_t class.
         */
@@ -42,7 +42,7 @@ struct hmac_prf_t {
 
 /**
  * Creates a new hmac_prf_t object.
- * 
+ *
  * @param algo         algorithm to implement
  * @return                     hmac_prf_t object, NULL if hash not supported
  */
index b44bc210903fbad3c216ba358ffd7da1af37fa09..f82a8f3a1201fcb21a4d16553cf5f55c4f9435d1 100644 (file)
@@ -29,12 +29,12 @@ struct private_hmac_signer_t {
         * Public interface of hmac_signer_t.
         */
        hmac_signer_t public;
-       
+
        /**
         * Assigned hmac function.
         */
        hmac_t *hmac;
-       
+
        /**
         * Block size (truncation of HMAC Hash)
         */
@@ -54,7 +54,7 @@ static void get_signature(private_hmac_signer_t *this,
        else
        {
                u_int8_t mac[this->hmac->get_block_size(this->hmac)];
-               
+
                this->hmac->get_mac(this->hmac, data, mac);
                memcpy(buffer, mac, this->block_size);
        }
@@ -73,12 +73,12 @@ static void allocate_signature (private_hmac_signer_t *this,
        else
        {
                u_int8_t mac[this->hmac->get_block_size(this->hmac)];
-               
+
                this->hmac->get_mac(this->hmac, data, mac);
 
                chunk->ptr = malloc(this->block_size);
                chunk->len = this->block_size;
-               
+
                memcpy(chunk->ptr, mac, this->block_size);
        }
 }
@@ -90,9 +90,9 @@ static bool verify_signature(private_hmac_signer_t *this,
                                                         chunk_t data, chunk_t signature)
 {
        u_int8_t mac[this->hmac->get_block_size(this->hmac)];
-       
+
        this->hmac->get_mac(this->hmac, data, mac);
-       
+
        if (signature.len != this->block_size)
        {
                return FALSE;
@@ -142,7 +142,7 @@ hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
        private_hmac_signer_t *this;
        size_t trunc;
        hash_algorithm_t hash;
-       
+
        switch (algo)
        {
                case AUTH_HMAC_SHA1_96:
@@ -180,7 +180,7 @@ hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
                default:
                        return NULL;
        }
-       
+
        this = malloc_thing(private_hmac_signer_t);
        this->hmac = hmac_create(hash);
        if (this->hmac == NULL)
@@ -190,7 +190,7 @@ hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
        }
        /* prevent invalid truncation */
        this->block_size = min(trunc, this->hmac->get_block_size(this->hmac));
-       
+
        /* interface functions */
        this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
        this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
@@ -199,7 +199,7 @@ hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
        this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
        this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
        this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
-       
+
        return &(this->public);
 }
 
index 197e28fa7fb7f633b64c58ab36702138d61ce9c7..0de93440cbafdeec1e1d2d9b0a6791a3ac2239dc 100644 (file)
@@ -32,7 +32,7 @@ typedef struct hmac_signer_t hmac_signer_t;
  * HMAC uses a standard hash function implemented in a hasher_t to build a MAC.
  */
 struct hmac_signer_t {
-       
+
        /**
         * generic signer_t interface for this signer
         */
index b2a40219ffc61e0aa5d2a4a4298dc56efb9be5f3..ce5b7d56befb7b9057a11798e5926055f3d0ff47 100644 (file)
@@ -38,7 +38,7 @@ struct private_ldap_fetcher_t {
         * Public data
         */
        ldap_fetcher_t public;
-       
+
        /**
         * timeout to use for fetches
         */
@@ -79,7 +79,7 @@ static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response)
                        }
                        else
                        {
-                               DBG1("getting LDAP values failed: %s", 
+                               DBG1("getting LDAP values failed: %s",
                                         ldap_err2string(ldap_result2error(ldap, entry, 0)));
                        }
                        ldap_memfree(attr);
@@ -110,7 +110,7 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
        int ldap_version = LDAP_VERSION3;
        struct timeval timeout;
        status_t status = FAILED;
-       
+
        if (!strneq(url, "ldap", 4))
        {
                return NOT_SUPPORTED;
@@ -126,7 +126,7 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
                ldap_free_urldesc(lurl);
                return FAILED;
        }
-       
+
        timeout.tv_sec = this->timeout;
        timeout.tv_usec = 0;
 
@@ -171,7 +171,7 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url,
 static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, ...)
 {
        va_list args;
-       
+
        va_start(args, option);
        switch (option)
        {
@@ -203,9 +203,9 @@ ldap_fetcher_t *ldap_fetcher_create()
        this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch;
        this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option;
        this->public.interface.destroy = (void (*)(fetcher_t*))destroy;
-       
+
        this->timeout = DEFAULT_TIMEOUT;
-       
+
        return &this->public;
 }
 
index 994f3db4637ea02e5edaabf1a67b684b3641aa8d..a31308bbf29f40cf8afea410a1a34f1353a84834 100644 (file)
@@ -36,7 +36,7 @@ struct private_ldap_plugin_t {
  */
 static void destroy(private_ldap_plugin_t *this)
 {
-       lib->fetcher->remove_fetcher(lib->fetcher, 
+       lib->fetcher->remove_fetcher(lib->fetcher,
                                                                 (fetcher_constructor_t)ldap_fetcher_create);
        free(this);
 }
@@ -47,14 +47,14 @@ static void destroy(private_ldap_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_ldap_plugin_t *this = malloc_thing(private_ldap_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
        lib->fetcher->add_fetcher(lib->fetcher,
                                                (fetcher_constructor_t)ldap_fetcher_create, "ldap://");
        lib->fetcher->add_fetcher(lib->fetcher,
                                                (fetcher_constructor_t)ldap_fetcher_create, "ldaps://");
-       
+
        return &this->public.plugin;
 }
 
index 3801110dcbb90cecd073bd96d2a271ce4151d418..81e4000acfb071ee682d287d2c8b8aaee299ec5f 100644 (file)
@@ -2,9 +2,9 @@
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
- * Copyright (C) 1990-1992, RSA Data Security, Inc. Created 1990. 
+ * Copyright (C) 1990-1992, RSA Data Security, Inc. Created 1990.
  * All rights reserved.
- * 
+ *
  * Derived from the RSA Data Security, Inc. MD4 Message-Digest Algorithm.
  * Ported to fulfill hasher_t interface.
  *
@@ -83,7 +83,7 @@ struct private_md4_hasher_t {
         * Public interface for this hasher.
         */
        md4_hasher_t public;
-       
+
        /*
         * State of the hasher.
         */
@@ -101,7 +101,7 @@ static void Encode (u_int8_t *output, u_int32_t *input, size_t len)
 {
        size_t i, j;
 
-       for (i = 0, j = 0; j < len; i++, j += 4) 
+       for (i = 0, j = 0; j < len; i++, j += 4)
        {
                output[j] = (u_int8_t)(input[i] & 0xff);
                output[j+1] = (u_int8_t)((input[i] >> 8) & 0xff);
@@ -220,7 +220,7 @@ static void MD4Update(private_md4_hasher_t *this, u_int8_t *input, size_t inputL
        partLen = 64 - index;
 
        /* Transform as many times as possible. */
-       if (inputLen >= partLen) 
+       if (inputLen >= partLen)
        {
                memcpy(&this->buffer[index], input, partLen);
                MD4Transform (this->state, this->buffer);
@@ -288,7 +288,7 @@ static void get_hash(private_md4_hasher_t *this, chunk_t chunk, u_int8_t *buffer
 static void allocate_hash(private_md4_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
        chunk_t allocated_hash;
-       
+
        MD4Update(this, chunk.ptr, chunk.len);
        if (hash != NULL)
        {
@@ -297,11 +297,11 @@ static void allocate_hash(private_md4_hasher_t *this, chunk_t chunk, chunk_t *ha
 
                MD4Final(this, allocated_hash.ptr);
                this->public.hasher_interface.reset(&(this->public.hasher_interface));
-               
+
                *hash = allocated_hash;
        }
 }
-       
+
 /**
  * Implementation of hasher_t.get_hash_size.
  */
@@ -337,21 +337,21 @@ static void destroy(private_md4_hasher_t *this)
 md4_hasher_t *md4_hasher_create(hash_algorithm_t algo)
 {
        private_md4_hasher_t *this;
-       
+
        if (algo != HASH_MD4)
        {
                return NULL;
        }
        this = malloc_thing(private_md4_hasher_t);
-       
+
        this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
        this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
        this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
        this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
        this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-       
+
        /* initialize */
        reset(this);
-       
+
        return &(this->public);
 }
index b0b8c65d2dc96c8177418f7ef53bfed4f820875e..aeb68f718ab5ee72ac780040b484d21609fb8590 100644 (file)
@@ -30,7 +30,7 @@ typedef struct md4_hasher_t md4_hasher_t;
  * Implementation of hasher_t interface using the MD4 algorithm.
  */
 struct md4_hasher_t {
-       
+
        /**
         * Generic hasher_t interface for this hasher.
         */
@@ -39,7 +39,7 @@ struct md4_hasher_t {
 
 /**
  * Creates a new md4_hasher_t.
- * 
+ *
  * @param algo         hash algorithm, must be HASH_MD4
  * @return                     md4_hasher_t object, NULL if not supported
  */
index 43ae6261dda909eb03db7e0808262f9af18ce173..ba4041d2df2205319b6d34ce0d6c5442cfb624a2 100644 (file)
@@ -47,12 +47,12 @@ static void destroy(private_md4_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_md4_plugin_t *this = malloc_thing(private_md4_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->crypto->add_hasher(lib->crypto, HASH_MD4,
                                                        (hasher_constructor_t)md4_hasher_create);
-       
+
        return &this->public.plugin;
 }
 
index 0ec5c073a7553b9c405458ea42182802b240005a..81d5273b078d163950be9c9dbd66e31c59b033d2 100644 (file)
@@ -2,9 +2,9 @@
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
- * Copyright (C) 1991-1992, RSA Data Security, Inc. Created 1991. 
+ * Copyright (C) 1991-1992, RSA Data Security, Inc. Created 1991.
  * All rights reserved.
- * 
+ *
  * Derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.
  * Ported to fulfill hasher_t interface.
  *
@@ -50,7 +50,7 @@ static u_int8_t PADDING[64] = {
 
 /*
  * ugly macro stuff
- */ 
+ */
 /* F, G, H and I are basic MD5 functions.
  */
 #define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
@@ -98,7 +98,7 @@ struct private_md5_hasher_t {
         * Public interface for this hasher.
         */
        md5_hasher_t public;
-       
+
        /*
         * State of the hasher.
         */
@@ -117,7 +117,7 @@ static void Encode (u_int8_t *output, u_int32_t *input, size_t len)
 {
        size_t i, j;
 
-       for (i = 0, j = 0; j < len; i++, j += 4) 
+       for (i = 0, j = 0; j < len; i++, j += 4)
        {
                output[j] = (u_int8_t)(input[i] & 0xff);
                output[j+1] = (u_int8_t)((input[i] >> 8) & 0xff);
@@ -253,7 +253,7 @@ static void MD5Update(private_md5_hasher_t *this, u_int8_t *input, size_t inputL
        partLen = 64 - index;
 
        /* Transform as many times as possible. */
-       if (inputLen >= partLen) 
+       if (inputLen >= partLen)
        {
                memcpy(&this->buffer[index], input, partLen);
                MD5Transform (this->state, this->buffer);
@@ -321,7 +321,7 @@ static void get_hash(private_md5_hasher_t *this, chunk_t chunk, u_int8_t *buffer
 static void allocate_hash(private_md5_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
        chunk_t allocated_hash;
-       
+
        MD5Update(this, chunk.ptr, chunk.len);
        if (hash != NULL)
        {
@@ -330,11 +330,11 @@ static void allocate_hash(private_md5_hasher_t *this, chunk_t chunk, chunk_t *ha
 
                MD5Final(this, allocated_hash.ptr);
                this->public.hasher_interface.reset(&(this->public.hasher_interface));
-               
+
                *hash = allocated_hash;
        }
 }
-       
+
 /**
  * Implementation of hasher_t.get_hash_size.
  */
@@ -370,21 +370,21 @@ static void destroy(private_md5_hasher_t *this)
 md5_hasher_t *md5_hasher_create(hash_algorithm_t algo)
 {
        private_md5_hasher_t *this;
-       
+
        if (algo != HASH_MD5)
        {
                return NULL;
        }
        this = malloc_thing(private_md5_hasher_t);
-       
+
        this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
        this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
        this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
        this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
        this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-       
+
        /* initialize */
        reset(this);
-       
+
        return &(this->public);
 }
index 0064c177bbf51902f12af4cbfa1ffded8e58322e..7f29a962195c821b564b02a75eecaedd890db74d 100644 (file)
@@ -30,7 +30,7 @@ typedef struct md5_hasher_t md5_hasher_t;
  * Implementation of hasher_t interface using the MD5 algorithm.
  */
 struct md5_hasher_t {
-       
+
        /**
         * Generic hasher_t interface for this hasher.
         */
@@ -39,7 +39,7 @@ struct md5_hasher_t {
 
 /**
  * Creates a new md5_hasher_t.
- * 
+ *
  * @param algo         hash algorithm, must be HASH_MD5
  * @return                     md5_hasher_t object, NULL if not supported
  */
index b1a3b495c8edc3a956cb569580a12fac1cb61f15..7592c20df8d4dc41f9f24c1d161755255f9bfed7 100644 (file)
@@ -47,12 +47,12 @@ static void destroy(private_md5_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_md5_plugin_t *this = malloc_thing(private_md5_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->crypto->add_hasher(lib->crypto, HASH_MD5,
                                                        (hasher_constructor_t)md5_hasher_create);
-       
+
        return &this->public.plugin;
 }
 
index 341217dd43ca52de465f28125da220f7099b9e24..632437047fb37139113204a9f3530f7ef3c05f6c 100644 (file)
@@ -42,37 +42,37 @@ struct private_mysql_database_t {
         * public functions
         */
        mysql_database_t public;
-       
+
        /**
         * connection pool, contains conn_t
         */
        linked_list_t *pool;
-       
+
        /**
         * mutex to lock pool
         */
        mutex_t *mutex;
-       
+
        /**
         * hostname to connect to
         */
        char *host;
-       
+
        /**
         * username to use
         */
        char *username;
-       
+
        /**
         * password
         */
        char *password;
-       
+
        /**
         * database name
         */
        char *database;
-       
+
        /**
         * tcp port
         */
@@ -85,12 +85,12 @@ typedef struct conn_t conn_t;
  * connection pool entry
  */
 struct conn_t {
-       
+
        /**
         * MySQL database connection
         */
        MYSQL *mysql;
-       
+
        /**
         * connection in use?
         */
@@ -164,9 +164,9 @@ static conn_t *conn_get(private_mysql_database_t *this)
 {
        conn_t *current, *found = NULL;
        enumerator_t *enumerator;
-       
+
        thread_initialize();
-       
+
        while (TRUE)
        {
                this->mutex->lock(this->mutex);
@@ -231,7 +231,7 @@ static MYSQL_STMT* run(MYSQL *mysql, char *sql, va_list *args)
 {
        MYSQL_STMT *stmt;
        int params;
-       
+
        stmt = mysql_stmt_init(mysql);
        if (stmt == NULL)
        {
@@ -249,10 +249,10 @@ static MYSQL_STMT* run(MYSQL *mysql, char *sql, va_list *args)
        {
                int i;
                MYSQL_BIND *bind;
-       
+
                bind = alloca(sizeof(MYSQL_BIND) * params);
                memset(bind, 0, sizeof(MYSQL_BIND) * params);
-               
+
                for (i = 0; i < params; i++)
                {
                        switch (va_arg(*args, db_type_t))
@@ -285,7 +285,7 @@ static MYSQL_STMT* run(MYSQL *mysql, char *sql, va_list *args)
                                        break;
                                }
                                case DB_BLOB:
-                               {       
+                               {
                                        chunk_t chunk = va_arg(*args, chunk_t);
                                        bind[i].buffer_type = MYSQL_TYPE_BLOB;
                                        bind[i].buffer = chunk.ptr;
@@ -353,9 +353,9 @@ typedef struct {
 static void mysql_enumerator_destroy(mysql_enumerator_t *this)
 {
        int columns, i;
-       
+
        columns = mysql_stmt_field_count(this->stmt);
-       
+
        for (i = 0; i < columns; i++)
        {
                switch (this->bind[i].buffer_type)
@@ -385,9 +385,9 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
 {
        int i, columns;
        va_list args;
-       
+
        columns = mysql_stmt_field_count(this->stmt);
-       
+
        /* free/reset data set of previous call */
        for (i = 0; i < columns; i++)
        {
@@ -419,7 +419,7 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...)
                        DBG1("fetching MySQL row failed: %s", mysql_stmt_error(this->stmt));
                        return FALSE;
        }
-       
+
        va_start(args, this);
        for (i = 0; i < columns; i++)
        {
@@ -481,7 +481,7 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
        va_list args;
        mysql_enumerator_t *enumerator = NULL;
        conn_t *conn;
-       
+
        conn = conn_get(this);
        if (!conn)
        {
@@ -493,7 +493,7 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
        if (stmt)
        {
                int columns, i;
-               
+
                enumerator = malloc_thing(mysql_enumerator_t);
                enumerator->public.enumerate = (void*)mysql_enumerator_enumerate;
                enumerator->public.destroy = (void*)mysql_enumerator_destroy;
@@ -527,7 +527,7 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...)
                                        break;
                                }
                                case DB_BLOB:
-                               {       
+                               {
                                        enumerator->bind[i].buffer_type = MYSQL_TYPE_BLOB;
                                        enumerator->bind[i].length = &enumerator->length[i];
                                        break;
@@ -569,7 +569,7 @@ static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...)
        va_list args;
        conn_t *conn;
        int affected = -1;
-       
+
        conn = conn_get(this);
        if (!conn)
        {
@@ -590,7 +590,7 @@ static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...)
        conn_release(conn);
        return affected;
 }
-       
+
 /**
  * Implementation of database_t.get_driver
  */
@@ -646,7 +646,7 @@ static bool parse_uri(private_mysql_database_t *this, char *uri)
                        {
                                *pos = '\0';
                                database = pos + 1;
-       
+
                                this->host = strdup(host);
                                this->username = strdup(username);
                                this->password = strdup(password);
@@ -668,19 +668,19 @@ mysql_database_t *mysql_database_create(char *uri)
 {
        conn_t *conn;
        private_mysql_database_t *this;
-       
+
        if (!strneq(uri, "mysql://", 8))
        {
                return NULL;
        }
 
        this = malloc_thing(private_mysql_database_t);
-       
+
        this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
        this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
        this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
        this->public.db.destroy = (void(*)(database_t*))destroy;
-       
+
        if (!parse_uri(this, uri))
        {
                free(this);
@@ -688,7 +688,7 @@ mysql_database_t *mysql_database_create(char *uri)
        }
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
        this->pool = linked_list_create();
-       
+
        /* check connectivity */
        conn = conn_get(this);
        if (!conn)
index 92914ae6d26297f76019b392c03026c7e0b9929a..0e64bbc3dd8d445ee3f897cbcf55de0c6210aa39 100644 (file)
@@ -49,16 +49,16 @@ static void destroy(private_mysql_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_mysql_plugin_t *this;
-       
+
        if (!mysql_database_init())
        {
                DBG1("MySQL client library initialization failed");
                return NULL;
        }
-       
+
        this = malloc_thing(private_mysql_plugin_t);
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->db->add_database(lib->db,
                                                  (database_constructor_t)mysql_database_create);
 
index 424fec60ad8673445bac0c8c6a39ac4c6d0299fe..a8923ab56b3f4a3801b905c0a55c7e32d2f509cf 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil 
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -23,17 +23,17 @@ typedef struct private_openssl_crypter_t private_openssl_crypter_t;
  * Private data of openssl_crypter_t
  */
 struct private_openssl_crypter_t {
-       
+
        /**
         * Public part of this class.
         */
        openssl_crypter_t public;
-       
+
        /*
         * the key
         */
        chunk_t key;
-       
+
        /*
         * the cipher to use
         */
@@ -49,17 +49,17 @@ typedef struct {
         * Identifier specified in IKEv2
         */
        int ikev2_id;
-       
+
        /**
         * Name of the algorithm, as used in OpenSSL
         */
        char *name;
-       
+
        /**
         * Minimum valid key length in bytes
         */
        size_t key_size_min;
-       
+
        /**
         * Maximum valid key length in bytes
         */
@@ -91,7 +91,7 @@ static openssl_algorithm_t encryption_algs[] = {
 /**
  * Look up an OpenSSL algorithm name and validate its key size
  */
-static char* lookup_algorithm(openssl_algorithm_t *openssl_algo, 
+static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
                                           u_int16_t ikev2_algo, size_t *key_size)
 {
        while (openssl_algo->ikev2_id != END_OF_LIST)
@@ -104,7 +104,7 @@ static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
                        {
                                *key_size = openssl_algo->key_size_min;
                        }
-                       
+
                        /* validate key size */
                        if (*key_size < openssl_algo->key_size_min ||
                                *key_size > openssl_algo->key_size_max)
@@ -123,7 +123,7 @@ static void crypt(private_openssl_crypter_t *this, chunk_t data,
 {
        int len;
        u_char *out;
-       
+
        out = data.ptr;
        if (dst)
        {
@@ -144,7 +144,7 @@ static void crypt(private_openssl_crypter_t *this, chunk_t data,
 /**
  * Implementation of crypter_t.decrypt.
  */
-static void decrypt(private_openssl_crypter_t *this, chunk_t data, 
+static void decrypt(private_openssl_crypter_t *this, chunk_t data,
                                                chunk_t iv, chunk_t *dst)
 {
        crypt(this, data, iv, dst, 0);
@@ -154,7 +154,7 @@ static void decrypt(private_openssl_crypter_t *this, chunk_t data,
 /**
  * Implementation of crypter_t.encrypt.
  */
-static void encrypt (private_openssl_crypter_t *this, chunk_t data, 
+static void encrypt (private_openssl_crypter_t *this, chunk_t data,
                                                        chunk_t iv, chunk_t *dst)
 {
        crypt(this, data, iv, dst, 1);
@@ -196,13 +196,13 @@ static void destroy (private_openssl_crypter_t *this)
 /*
  * Described in header
  */
-openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, 
+openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
                                                                                                  size_t key_size)
 {
        private_openssl_crypter_t *this;
-       
+
        this = malloc_thing(private_openssl_crypter_t);
-       
+
        switch (algo)
        {
                case ENCR_NULL:
@@ -218,7 +218,7 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
                                        this->cipher = EVP_get_cipherbyname("aes192");
                                        break;
                                case 32:        /* AES-256 */
-                                       this->cipher = EVP_get_cipherbyname("aes256"); 
+                                       this->cipher = EVP_get_cipherbyname("aes256");
                                        break;
                                default:
                                        free(this);
@@ -235,7 +235,7 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
                                        this->cipher = EVP_get_cipherbyname("camellia192");
                                        break;
                                case 32:        /* CAMELLIA 256 */
-                                       this->cipher = EVP_get_cipherbyname("camellia256"); 
+                                       this->cipher = EVP_get_cipherbyname("camellia256");
                                        break;
                                default:
                                        free(this);
@@ -258,22 +258,22 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
                        break;
                }
        }
-       
+
        if (!this->cipher)
        {
                /* OpenSSL does not support the requested algo */
                free(this);
                return NULL;
        }
-       
+
        this->key = chunk_alloc(key_size);
-       
+
        this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
        this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
        this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
        this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
        this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
        this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-       
+
        return &this->public;
 }
index e5a8994188d7b104a0f0c47217b0465e8fbdde61..7e30ae03caffa5f5186e3a587614f4bfa11558a1 100644 (file)
@@ -29,7 +29,7 @@ typedef struct openssl_crypter_t openssl_crypter_t;
  * Implementation of crypters using OpenSSL.
  */
 struct openssl_crypter_t {
-       
+
        /**
         * The crypter_t interface.
         */
@@ -38,7 +38,7 @@ struct openssl_crypter_t {
 
 /**
  * Constructor to create openssl_crypter_t.
- * 
+ *
  * @param algo                 algorithm to implement
  * @param key_size             key size in bytes
  * @return                             openssl_crypter_t, NULL if not supported
index fe042efdc7a726192be96f27de85430b8e95433f..80a1ee8787913878c9ff3f21d9f70fa1e30c2f97 100644 (file)
@@ -22,7 +22,7 @@
 
 typedef struct modulus_entry_t modulus_entry_t;
 
-/** 
+/**
  * Entry of the modulus list.
  */
 struct modulus_entry_t {
@@ -30,20 +30,20 @@ struct modulus_entry_t {
         * Group number as it is defined in file transform_substructure.h.
         */
        diffie_hellman_group_t group;
-       
+
        /**
         * Pointer to the function to get the modulus.
         */
        BIGNUM *(*get_prime)(BIGNUM *bn);
-       
-       /* 
+
+       /*
         * Optimum length of exponent in bits.
-        */     
+        */
        long opt_exponent_len;
-       
-       /* 
+
+       /*
         * Generator value.
-        */     
+        */
        u_int16_t generator;
 };
 
@@ -71,27 +71,27 @@ struct private_openssl_diffie_hellman_t {
         * Public openssl_diffie_hellman_t interface.
         */
        openssl_diffie_hellman_t public;
-       
+
        /**
         * Diffie Hellman group number.
         */
        u_int16_t group;
-       
+
        /**
         * Diffie Hellman object
         */
        DH *dh;
-       
+
        /**
         * Other public value
         */
        BIGNUM *pub_key;
-       
+
        /**
         * Shared secret
         */
        chunk_t shared_secret;
-       
+
        /**
         * True if shared secret is computed
         */
@@ -123,7 +123,7 @@ static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
        /* shared secret should requires a len according the DH group */
        *secret = chunk_alloc(DH_size(this->dh));
        memset(secret->ptr, 0, secret->len);
-       memcpy(secret->ptr + secret->len - this->shared_secret.len, 
+       memcpy(secret->ptr + secret->len - this->shared_secret.len,
                   this->shared_secret.ptr, this->shared_secret.len);
 
        return SUCCESS;
@@ -137,7 +137,7 @@ static void set_other_public_value(private_openssl_diffie_hellman_t *this,
                                                                   chunk_t value)
 {
        int len;
-       
+
        BN_bin2bn(value.ptr, value.len, this->pub_key);
        chunk_clear(&this->shared_secret);
        this->shared_secret.ptr = malloc(DH_size(this->dh));
@@ -167,10 +167,10 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 {
        int i;
        bool ansi_x9_42;
-       
+
        ansi_x9_42 = lib->settings->get_bool(lib->settings,
                                                                                 "libstrongswan.dh_exponent_ansi_x9_42", TRUE);
-       
+
        for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
        {
                if (modulus_entries[i].group == this->group)
@@ -205,32 +205,32 @@ static void destroy(private_openssl_diffie_hellman_t *this)
 openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group)
 {
        private_openssl_diffie_hellman_t *this = malloc_thing(private_openssl_diffie_hellman_t);
-       
+
        this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
        this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
        this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
        this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
        this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-       
+
        this->dh = DH_new();
        if (!this->dh)
        {
                free(this);
                return NULL;
        }
-       
+
        this->group = group;
        this->computed = FALSE;
        this->pub_key = BN_new();
        this->shared_secret = chunk_empty;
-       
+
        /* find a modulus according to group */
        if (set_modulus(this) != SUCCESS)
        {
                destroy(this);
                return NULL;
        }
-       
+
        /* generate my public and private values */
        if (!DH_generate_key(this->dh))
        {
@@ -238,6 +238,6 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
                return NULL;
        }
        DBG2("size of DH secret exponent: %d bits", BN_num_bits(this->dh->priv_key));
-       
+
        return &this->public;
 }
index bdc15381260c03d47ed07403049ac2ab97a00c9d..6c4b4fe814ab881292c556a2a76d15d1d0677eb5 100644 (file)
@@ -29,7 +29,7 @@ typedef struct openssl_diffie_hellman_t openssl_diffie_hellman_t;
  * Implementation of the Diffie-Hellman algorithm using OpenSSL.
  */
 struct openssl_diffie_hellman_t {
-       
+
        /**
         * Implements diffie_hellman_t interface.
         */
@@ -38,7 +38,7 @@ struct openssl_diffie_hellman_t {
 
 /**
  * Creates a new openssl_diffie_hellman_t object.
- * 
+ *
  * @param group                        Diffie Hellman group number to use
  * @return                             openssl_diffie_hellman_t object, NULL if not supported
  */
index 082aed9caa84f400a3de9fc40296610ec2620175..671fa41e25351b6749502a38cb4df98565870837 100644 (file)
@@ -31,27 +31,27 @@ struct private_openssl_ec_diffie_hellman_t {
         * Public openssl_ec_diffie_hellman_t interface.
         */
        openssl_ec_diffie_hellman_t public;
-       
+
        /**
         * Diffie Hellman group number.
         */
        u_int16_t group;
-       
+
        /**
         * EC private (public) key
         */
        EC_KEY *key;
-       
+
        /**
         * EC group
         */
        const EC_GROUP *ec_group;
-       
+
        /**
         * Other public key
         */
        EC_POINT *pub_key;
-       
+
        /**
         * Shared secret
         */
@@ -72,13 +72,13 @@ static bool chunk2ecp(const EC_GROUP *group, chunk_t chunk, EC_POINT *point)
        BN_CTX *ctx;
        BIGNUM *x, *y;
        bool ret = FALSE;
-       
+
        ctx = BN_CTX_new();
        if (!ctx)
        {
                return FALSE;
        }
-       
+
        BN_CTX_start(ctx);
        x = BN_CTX_get(ctx);
        y = BN_CTX_get(ctx);
@@ -86,17 +86,17 @@ static bool chunk2ecp(const EC_GROUP *group, chunk_t chunk, EC_POINT *point)
        {
                goto error;
        }
-       
+
        if (!openssl_bn_split(chunk, x, y))
        {
                goto error;
        }
-       
+
        if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
        {
                goto error;
        }
-       
+
        ret = TRUE;
 error:
        BN_CTX_end(ctx);
@@ -114,13 +114,13 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point,
        BN_CTX *ctx;
        BIGNUM *x, *y;
        bool ret = FALSE;
-       
+
        ctx = BN_CTX_new();
        if (!ctx)
        {
                return FALSE;
        }
-       
+
        BN_CTX_start(ctx);
        x = BN_CTX_get(ctx);
        y = BN_CTX_get(ctx);
@@ -128,12 +128,12 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point,
        {
                goto error;
        }
-       
+
        if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
        {
                goto error;
        }
-       
+
        if (x_coordinate_only)
        {
                y = NULL;
@@ -142,7 +142,7 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point,
        {
                goto error;
        }
-       
+
        ret = TRUE;
 error:
        BN_CTX_end(ctx);
@@ -152,7 +152,7 @@ error:
 
 /**
  * Compute the shared secret.
- * 
+ *
  * We cannot use the function ECDH_compute_key() because that returns only the
  * x coordinate of the shared secret point (which is defined, for instance, in
  * 'NIST SP 800-56A').
@@ -166,13 +166,13 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
        const BIGNUM *priv_key;
        EC_POINT *secret = NULL;
        bool x_coordinate_only, ret = FALSE;
-       
+
        priv_key = EC_KEY_get0_private_key(this->key);
        if (!priv_key)
        {
                goto error;
        }
-       
+
        secret = EC_POINT_new(this->ec_group);
        if (!secret)
        {
@@ -183,7 +183,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
        {
                goto error;
        }
-       
+
        /*
         * The default setting ecp_x_coordinate_only = TRUE
         * applies the following errata for RFC 4753:
@@ -195,7 +195,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
        {
                goto error;
        }
-       
+
        ret = TRUE;
 error:
        if (secret)
@@ -215,14 +215,14 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
                DBG1("ECDH public value is malformed");
                return;
        }
-       
+
        chunk_free(&this->shared_secret);
-       
+
        if (!compute_shared_key(this, &this->shared_secret)) {
                DBG1("ECDH shared secret computation failed");
                return;
        }
-       
+
        this->computed = TRUE;
 }
 
@@ -272,13 +272,13 @@ static void destroy(private_openssl_ec_diffie_hellman_t *this)
 openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group)
 {
        private_openssl_ec_diffie_hellman_t *this = malloc_thing(private_openssl_ec_diffie_hellman_t);
-       
+
        this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
        this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
        this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
        this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
        this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-       
+
        switch (group)
        {
                case ECP_192_BIT:
@@ -300,34 +300,34 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro
                        this->key = NULL;
                        break;
        }
-       
+
        if (!this->key)
        {
                free(this);
                return NULL;
        }
-       
+
        /* caching the EC group */
        this->ec_group = EC_KEY_get0_group(this->key);
-       
+
        this->pub_key = EC_POINT_new(this->ec_group);
        if (!this->pub_key)
        {
                free(this);
                return NULL;
        }
-       
+
        /* generate an EC private (public) key */
        if (!EC_KEY_generate_key(this->key))
        {
                free(this);
                return NULL;
        }
-       
+
        this->group = group;
        this->computed = FALSE;
-       
+
        this->shared_secret = chunk_empty;
-       
+
        return &this->public;
 }
index 9d17aed57c26d2e658aeb4b6a696c4219940220a..fd60732b9387fff7900bc212921d7566ca4ec44f 100644 (file)
@@ -29,7 +29,7 @@ typedef struct openssl_ec_diffie_hellman_t openssl_ec_diffie_hellman_t;
  * Implementation of the EC Diffie-Hellman algorithm using OpenSSL.
  */
 struct openssl_ec_diffie_hellman_t {
-       
+
        /**
         * Implements diffie_hellman_t interface.
         */
@@ -38,7 +38,7 @@ struct openssl_ec_diffie_hellman_t {
 
 /**
  * Creates a new openssl_ec_diffie_hellman_t object.
- * 
+ *
  * @param group                        EC Diffie Hellman group number to use
  * @return                             openssl_ec_diffie_hellman_t object, NULL if not supported
  */
index 6049f1d0621af2e4878971875fc9a675b0ec5b01..c6e651e9bf91cff51752360b7b50ab239232593e 100644 (file)
@@ -34,12 +34,12 @@ struct private_openssl_ec_private_key_t {
         * Public interface for this signer.
         */
        openssl_ec_private_key_t public;
-       
+
        /**
         * EC key object
         */
        EC_KEY *ec;
-       
+
        /**
         * reference count
         */
@@ -57,7 +57,7 @@ static bool build_signature(private_openssl_ec_private_key_t *this,
 {
        bool built = FALSE;
        ECDSA_SIG *sig;
-       
+
        sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
        if (sig)
        {
@@ -80,7 +80,7 @@ static bool build_curve_signature(private_openssl_ec_private_key_t *this,
        EC_GROUP *req_group;
        chunk_t hash;
        bool built;
-       
+
        req_group = EC_GROUP_new_by_curve_name(nid_curve);
        if (!req_group)
        {
@@ -114,7 +114,7 @@ static bool build_der_signature(private_openssl_ec_private_key_t *this,
        chunk_t hash, sig;
        int siglen = 0;
        bool built;
-       
+
        if (!openssl_hash_chunk(hash_nid, data, &hash))
        {
                return FALSE;
@@ -153,7 +153,7 @@ static bool sign(private_openssl_ec_private_key_t *this,
                case SIGN_ECDSA_WITH_SHA512_DER:
                        return build_der_signature(this, NID_sha512, data, signature);
                case SIGN_ECDSA_256:
-                       return build_curve_signature(this, scheme, NID_sha256, 
+                       return build_curve_signature(this, scheme, NID_sha256,
                                                                                 NID_X9_62_prime256v1, data, signature);
                case SIGN_ECDSA_384:
                        return build_curve_signature(this, scheme, NID_sha384,
@@ -202,11 +202,11 @@ static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
        public_key_t *public;
        chunk_t key;
        u_char *p;
-       
+
        key = chunk_alloc(i2d_EC_PUBKEY(this->ec, NULL));
        p = key.ptr;
        i2d_EC_PUBKEY(this->ec, &p);
-       
+
        public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
                                                                BUILD_BLOB_ASN1_DER, key, BUILD_END);
        free(key.ptr);
@@ -229,7 +229,7 @@ static bool get_encoding(private_openssl_ec_private_key_t *this,
                                                 key_encoding_type_t type, chunk_t *encoding)
 {
        u_char *p;
-       
+
        switch (type)
        {
                case KEY_PRIV_ASN1_DER:
@@ -275,7 +275,7 @@ static void destroy(private_openssl_ec_private_key_t *this)
 static private_openssl_ec_private_key_t *create_empty(void)
 {
        private_openssl_ec_private_key_t *this = malloc_thing(private_openssl_ec_private_key_t);
-       
+
        this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
        this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
        this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
@@ -287,10 +287,10 @@ static private_openssl_ec_private_key_t *create_empty(void)
        this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
        this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
        this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-       
+
        this->ec = NULL;
        this->ref = 1;
-       
+
        return this;
 }
 
@@ -300,7 +300,7 @@ static private_openssl_ec_private_key_t *create_empty(void)
 static openssl_ec_private_key_t *generate(size_t key_size)
 {
        private_openssl_ec_private_key_t *this = create_empty();
-       
+
        switch (key_size)
        {
                case 256:
@@ -335,9 +335,9 @@ static openssl_ec_private_key_t *generate(size_t key_size)
 static openssl_ec_private_key_t *load(chunk_t blob)
 {
        private_openssl_ec_private_key_t *this = create_empty();
-       
+
        this->ec = d2i_ECPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
-       
+
        if (!this->ec)
        {
                destroy(this);
@@ -369,7 +369,7 @@ struct private_builder_t {
 static openssl_ec_private_key_t *build(private_builder_t *this)
 {
        openssl_ec_private_key_t *key = this->key;
-       
+
        free(this);
        return key;
 }
@@ -382,7 +382,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
        if (!this->key)
        {
                va_list args;
-               
+
                switch (part)
                {
                        case BUILD_KEY_SIZE:
@@ -416,18 +416,18 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *openssl_ec_private_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_ECDSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->key = NULL;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index 47a3d6a47fcc7a291995d2941fdd153e7144c091..b0b2c9b508b646067e55fc98c85c8c82f43b5ea0 100644 (file)
@@ -33,12 +33,12 @@ struct private_openssl_ec_public_key_t {
         * Public interface for this signer.
         */
        openssl_ec_public_key_t public;
-       
+
        /**
         * EC key object
         */
        EC_KEY *ec;
-       
+
        /**
         * reference counter
         */
@@ -53,7 +53,7 @@ static bool verify_signature(private_openssl_ec_public_key_t *this,
 {
        bool valid = FALSE;
        ECDSA_SIG *sig;
-       
+
        sig = ECDSA_SIG_new();
        if (sig)
        {
@@ -78,7 +78,7 @@ static bool verify_curve_signature(private_openssl_ec_public_key_t *this,
        EC_GROUP *req_group;
        chunk_t hash;
        bool valid;
-       
+
        req_group = EC_GROUP_new_by_curve_name(nid_curve);
        if (!req_group)
        {
@@ -111,7 +111,7 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this,
 {
        chunk_t hash;
        bool valid = FALSE;
-       
+
        /* remove any preceding 0-bytes from signature */
        while (signature.len && signature.ptr[0] == 0x00)
        {
@@ -194,7 +194,7 @@ bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp)
        hasher_t *hasher;
        chunk_t key;
        u_char *p;
-       
+
        if (lib->encoding->get_cache(lib->encoding, type, ec, fp))
        {
                return TRUE;
@@ -244,7 +244,7 @@ static bool get_encoding(private_openssl_ec_public_key_t *this,
                                                 key_encoding_type_t type, chunk_t *encoding)
 {
        u_char *p;
-       
+
        switch (type)
        {
                case KEY_PUB_SPKI_ASN1_DER:
@@ -290,7 +290,7 @@ static void destroy(private_openssl_ec_public_key_t *this)
 static private_openssl_ec_public_key_t *create_empty()
 {
        private_openssl_ec_public_key_t *this = malloc_thing(private_openssl_ec_public_key_t);
-       
+
        this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
        this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
        this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
@@ -300,10 +300,10 @@ static private_openssl_ec_public_key_t *create_empty()
        this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
        this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
        this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-       
+
        this->ec = NULL;
        this->ref = 1;
-       
+
        return this;
 }
 
@@ -314,9 +314,9 @@ static openssl_ec_public_key_t *load(chunk_t blob)
 {
        private_openssl_ec_public_key_t *this = create_empty();
        u_char *p = blob.ptr;
-       
+
        this->ec = d2i_EC_PUBKEY(NULL, (const u_char**)&p, blob.len);
-       
+
        if (!this->ec)
        {
                destroy(this);
@@ -343,7 +343,7 @@ struct private_builder_t {
 static openssl_ec_public_key_t *build(private_builder_t *this)
 {
        openssl_ec_public_key_t *key = this->key;
-       
+
        free(this);
        return key;
 }
@@ -356,7 +356,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
        if (!this->key)
        {
                va_list args;
-               
+
                switch (part)
                {
                        case BUILD_BLOB_ASN1_DER:
@@ -383,18 +383,18 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *openssl_ec_public_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_ECDSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->key = NULL;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index 90a5229d5d58f98609de42f2d5e45706ae4c62eb..7556bc594c9c6d1af744315c1114aa2238e87b2e 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil 
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -23,19 +23,19 @@ typedef struct private_openssl_hasher_t private_openssl_hasher_t;
  * Private data of openssl_hasher_t
  */
 struct private_openssl_hasher_t {
-       
+
        /**
         * Public part of this class.
         */
        openssl_hasher_t public;
-       
+
        /**
         * the hasher to use
         */
        const EVP_MD *hasher;
-       
+
        /**
-        * the current digest context 
+        * the current digest context
         */
        EVP_MD_CTX *ctx;
 };
@@ -49,7 +49,7 @@ typedef struct {
         * Identifier specified in IKEv2
         */
        int ikev2_id;
-       
+
        /**
         * Name of the algorithm, as used in OpenSSL
         */
@@ -76,7 +76,7 @@ static openssl_algorithm_t integrity_algs[] = {
 /**
  * Look up an OpenSSL algorithm name
  */
-static char* lookup_algorithm(openssl_algorithm_t *openssl_algo, 
+static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
                                           u_int16_t ikev2_algo)
 {
        while (openssl_algo->ikev2_id != END_OF_LIST)
@@ -133,7 +133,7 @@ static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk,
        }
        else
        {
-               get_hash(this, chunk, NULL);    
+               get_hash(this, chunk, NULL);
        }
 }
 
@@ -152,7 +152,7 @@ static void destroy (private_openssl_hasher_t *this)
 openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 {
        private_openssl_hasher_t *this;
-       
+
        char* name = lookup_algorithm(integrity_algs, algo);
        if (!name)
        {
@@ -161,7 +161,7 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
        }
 
        this = malloc_thing(private_openssl_hasher_t);
-       
+
        this->hasher = EVP_get_digestbyname(name);
        if (!this->hasher)
        {
@@ -169,17 +169,17 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
                free(this);
                return NULL;
        }
-       
+
        this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
        this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
        this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
        this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
        this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-       
+
        this->ctx = EVP_MD_CTX_create();
-       
+
        /* initialization */
        reset(this);
-       
+
        return &this->public;
 }
index aec5bc7dd351d27f04053b8e6dd477fef6f98556..fd7a043d11385c2bf205e1949cfdf9c683ec2780 100644 (file)
@@ -29,7 +29,7 @@ typedef struct openssl_hasher_t openssl_hasher_t;
  * Implementation of hashers using OpenSSL.
  */
 struct openssl_hasher_t {
-       
+
        /**
         * The hasher_t interface.
         */
@@ -38,7 +38,7 @@ struct openssl_hasher_t {
 
 /**
  * Constructor to create openssl_hasher_t.
- * 
+ *
  * @param algo                 algorithm
  * @return                             openssl_hasher_t, NULL if not supported
  */
index a24f88219d9051fbc79c7600ff6fa21abc26b409..38230ef17fa0b63deb1097ed5629ebcd4e5b4002 100644 (file)
@@ -83,7 +83,7 @@ struct CRYPTO_dynlock_value {
 static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
 {
        struct CRYPTO_dynlock_value *lock;
-       
+
        lock = malloc_thing(struct CRYPTO_dynlock_value);
        lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
        return lock;
@@ -132,11 +132,11 @@ static void threading_init()
 
        CRYPTO_set_id_callback(id_function);
        CRYPTO_set_locking_callback(locking_function);
-       
+
        CRYPTO_set_dynlock_create_callback(create_function);
        CRYPTO_set_dynlock_lock_callback(lock_function);
        CRYPTO_set_dynlock_destroy_callback(destroy_function);
-       
+
        num_locks = CRYPTO_num_locks();
        mutex = malloc(sizeof(mutex_t*) * num_locks);
        for (i = 0; i < num_locks; i++)
@@ -151,7 +151,7 @@ static void threading_init()
 static void threading_cleanup()
 {
        int i, num_locks;
-       
+
        num_locks = CRYPTO_num_locks();
        for (i = 0; i < num_locks; i++)
        {
@@ -170,9 +170,9 @@ static void destroy(private_openssl_plugin_t *this)
                                        (crypter_constructor_t)openssl_crypter_create);
        lib->crypto->remove_hasher(lib->crypto,
                                        (hasher_constructor_t)openssl_hasher_create);
-       lib->crypto->remove_dh(lib->crypto, 
+       lib->crypto->remove_dh(lib->crypto,
                                        (dh_constructor_t)openssl_diffie_hellman_create);
-       lib->crypto->remove_dh(lib->crypto, 
+       lib->crypto->remove_dh(lib->crypto,
                                        (dh_constructor_t)openssl_ec_diffie_hellman_create);
        lib->creds->remove_builder(lib->creds,
                                        (builder_constructor_t)openssl_rsa_private_key_builder);
@@ -182,13 +182,13 @@ static void destroy(private_openssl_plugin_t *this)
                                        (builder_constructor_t)openssl_ec_private_key_builder);
        lib->creds->remove_builder(lib->creds,
                                        (builder_constructor_t)openssl_ec_public_key_builder);
-       
+
        ENGINE_cleanup();
        EVP_cleanup();
        CONF_modules_free();
-       
+
        threading_cleanup();
-       
+
        free(this);
 }
 
@@ -198,18 +198,18 @@ static void destroy(private_openssl_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_openssl_plugin_t *this = malloc_thing(private_openssl_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        threading_init();
-       
+
        OPENSSL_config(NULL);
        OpenSSL_add_all_algorithms();
-       
+
        /* activate support for hardware accelerators */
        ENGINE_load_builtin_engines();
        ENGINE_register_all_complete();
-       
+
        /* crypter */
        lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
                                        (crypter_constructor_t)openssl_crypter_create);
@@ -231,7 +231,7 @@ plugin_t *plugin_create()
                                        (crypter_constructor_t)openssl_crypter_create);
        lib->crypto->add_crypter(lib->crypto, ENCR_NULL,
                                        (crypter_constructor_t)openssl_crypter_create);
-       
+
        /* hasher */
        lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
                                        (hasher_constructor_t)openssl_hasher_create);
@@ -249,7 +249,7 @@ plugin_t *plugin_create()
                                        (hasher_constructor_t)openssl_hasher_create);
        lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
                                        (hasher_constructor_t)openssl_hasher_create);
-       
+
        /* ec diffie hellman */
        lib->crypto->add_dh(lib->crypto, ECP_192_BIT,
                                                (dh_constructor_t)openssl_ec_diffie_hellman_create);
@@ -261,36 +261,36 @@ plugin_t *plugin_create()
                                                (dh_constructor_t)openssl_ec_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, ECP_521_BIT,
                                                (dh_constructor_t)openssl_ec_diffie_hellman_create);
-       
+
        /* diffie hellman */
-       lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
                                                (dh_constructor_t)openssl_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_1536_BIT,
                                                (dh_constructor_t)openssl_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_3072_BIT,
                                                (dh_constructor_t)openssl_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_4096_BIT,
                                                (dh_constructor_t)openssl_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_6144_BIT,
                                                (dh_constructor_t)openssl_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_8192_BIT,
                                                (dh_constructor_t)openssl_diffie_hellman_create);
        lib->crypto->add_dh(lib->crypto, MODP_1024_BIT,
                                                (dh_constructor_t)openssl_diffie_hellman_create);
-       lib->crypto->add_dh(lib->crypto, MODP_768_BIT, 
+       lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
                                                (dh_constructor_t)openssl_diffie_hellman_create);
-       
+
        /* rsa */
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                (builder_constructor_t)openssl_rsa_private_key_builder);
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                                (builder_constructor_t)openssl_rsa_public_key_builder);
-       
+
        /* ec */
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
                                                (builder_constructor_t)openssl_ec_private_key_builder);
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
                                                (builder_constructor_t)openssl_ec_public_key_builder);
-       
+
        return &this->public.plugin;
 }
index 3f4e1cd74d4530c1ff81b9c30490dd97d7057452..c68987856e84857f953c541dd10038b5fd92552f 100644 (file)
@@ -38,17 +38,17 @@ struct private_openssl_rsa_private_key_t {
         * Public interface for this signer.
         */
        openssl_rsa_private_key_t public;
-       
+
        /**
         * RSA object from OpenSSL
         */
        RSA *rsa;
-       
+
        /**
         * TRUE if the key is from an OpenSSL ENGINE and might not be readable
         */
        bool engine;
-       
+
        /**
         * reference count
         */
@@ -82,13 +82,13 @@ static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
                EVP_PKEY *key;
                const EVP_MD *hasher;
                u_int len;
-               
+
                hasher = EVP_get_digestbynid(type);
                if (!hasher)
                {
                        return FALSE;
                }
-               
+
                ctx = EVP_MD_CTX_create();
                key = EVP_PKEY_new();
                if (!ctx || !key)
@@ -111,7 +111,7 @@ static bool build_emsa_pkcs1_signature(private_openssl_rsa_private_key_t *this,
                {
                        success = TRUE;
                }
-       
+
 error:
                if (key)
                {
@@ -140,7 +140,7 @@ static key_type_t get_type(private_openssl_rsa_private_key_t *this)
 /**
  * Implementation of openssl_rsa_private_key.sign.
  */
-static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme, 
+static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme,
                                 chunk_t data, chunk_t *signature)
 {
        switch (scheme)
@@ -192,7 +192,7 @@ static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
        chunk_t enc;
        public_key_t *key;
        u_char *p;
-       
+
        enc = chunk_alloc(i2d_RSAPublicKey(this->rsa, NULL));
        p = enc.ptr;
        i2d_RSAPublicKey(this->rsa, &p);
@@ -218,7 +218,7 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this,
                                                 key_encoding_type_t type, chunk_t *encoding)
 {
        u_char *p;
-       
+
        if (this->engine)
        {
                return FALSE;
@@ -268,7 +268,7 @@ static void destroy(private_openssl_rsa_private_key_t *this)
 static private_openssl_rsa_private_key_t *create_empty(void)
 {
        private_openssl_rsa_private_key_t *this = malloc_thing(private_openssl_rsa_private_key_t);
-       
+
        this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
        this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
        this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
@@ -280,10 +280,10 @@ static private_openssl_rsa_private_key_t *create_empty(void)
        this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
        this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
        this->public.interface.destroy = (void (*) (private_key_t*))destroy;
-       
+
        this->engine = FALSE;
        this->ref = 1;
-       
+
        return this;
 }
 
@@ -293,9 +293,9 @@ static private_openssl_rsa_private_key_t *create_empty(void)
 static openssl_rsa_private_key_t *generate(size_t key_size)
 {
        private_openssl_rsa_private_key_t *this = create_empty();
-       
+
        this->rsa = RSA_generate_key(key_size, PUBLIC_EXPONENT, NULL, NULL);
-       
+
        return &this->public;
 }
 
@@ -306,7 +306,7 @@ static openssl_rsa_private_key_t *load(chunk_t blob)
 {
        u_char *p = blob.ptr;
        private_openssl_rsa_private_key_t *this = create_empty();
-       
+
        this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&p, blob.len);
        if (!this->rsa)
        {
@@ -330,28 +330,28 @@ static openssl_rsa_private_key_t *load_from_smartcard(char *keyid, char *pin)
        EVP_PKEY *key;
        char *engine_id = lib->settings->get_str(lib->settings,
                                                                "library.plugins.openssl.engine_id", "pkcs11");
-       
+
        ENGINE *engine = ENGINE_by_id(engine_id);
        if (!engine)
        {
                DBG1("engine '%s' is not available", engine_id);
                return NULL;
        }
-       
+
        if (!ENGINE_init(engine))
        {
                DBG1("failed to initialize engine '%s'", engine_id);
                goto error;
        }
-       
+
        if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
        {
                DBG1("failed to set PIN on engine '%s'", engine_id);
                goto error;
        }
-       
+
        key = ENGINE_load_private_key(engine, keyid, NULL, NULL);
-       
+
        if (!key)
        {
                DBG1("failed to load private key with ID '%s' from engine '%s'", keyid,
@@ -359,13 +359,13 @@ static openssl_rsa_private_key_t *load_from_smartcard(char *keyid, char *pin)
                goto error;
        }
        ENGINE_free(engine);
-       
+
        this = create_empty();
        this->rsa = EVP_PKEY_get1_RSA(key);
        this->engine = TRUE;
-       
+
        return &this->public;
-       
+
 error:
        ENGINE_free(engine);
        return NULL;
@@ -393,7 +393,7 @@ struct private_builder_t {
 static openssl_rsa_private_key_t *build(private_builder_t *this)
 {
        openssl_rsa_private_key_t *key = this->key;
-       
+
        if (this->keyid && this->pin)
        {
                key = load_from_smartcard(this->keyid, this->pin);
@@ -410,7 +410,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
        if (!this->key)
        {
                va_list args;
-               
+
                switch (part)
                {
                        case BUILD_BLOB_ASN1_DER:
@@ -458,20 +458,20 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *openssl_rsa_private_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->key = NULL;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
        this->keyid = NULL;
        this->pin = NULL;
-       
+
        return &this->public;
 }
 
index c20af907a7a3f61acdf97915b297172b2c98d973..e30ab858b6f063183e04dc571d7f37fe2dd5e5c7 100644 (file)
@@ -32,12 +32,12 @@ struct private_openssl_rsa_public_key_t {
         * Public interface for this signer.
         */
        openssl_rsa_public_key_t public;
-       
+
        /**
         * RSA object from OpenSSL
         */
        RSA *rsa;
-       
+
        /**
         * reference counter
         */
@@ -100,7 +100,7 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this,
                        goto error;
                }
                valid = (EVP_VerifyFinal(ctx, signature.ptr, signature.len, key) == 1);
-       
+
 error:
                if (key)
                {
@@ -125,7 +125,7 @@ static key_type_t get_type(private_openssl_rsa_public_key_t *this)
 /**
  * Implementation of public_key_t.verify.
  */
-static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t scheme, 
+static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
                                   chunk_t data, chunk_t signature)
 {
        switch (scheme)
@@ -177,7 +177,7 @@ bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp)
        hasher_t *hasher;
        chunk_t key;
        u_char *p;
-       
+
        if (lib->encoding->get_cache(lib->encoding, type, rsa, fp))
        {
                return TRUE;
@@ -227,7 +227,7 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this,
                                                 key_encoding_type_t type, chunk_t *encoding)
 {
        u_char *p;
-       
+
        switch (type)
        {
                case KEY_PUB_SPKI_ASN1_DER:
@@ -280,7 +280,7 @@ static void destroy(private_openssl_rsa_public_key_t *this)
 static private_openssl_rsa_public_key_t *create_empty()
 {
        private_openssl_rsa_public_key_t *this = malloc_thing(private_openssl_rsa_public_key_t);
-       
+
        this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
        this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
        this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
@@ -290,10 +290,10 @@ static private_openssl_rsa_public_key_t *create_empty()
        this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding;
        this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
        this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-       
+
        this->rsa = NULL;
        this->ref = 1;
-       
+
        return this;
 }
 
@@ -304,14 +304,14 @@ static openssl_rsa_public_key_t *load(chunk_t blob)
 {
        u_char *p = blob.ptr;
        private_openssl_rsa_public_key_t *this = create_empty();
-       
+
        this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&p, blob.len);
        if (!this->rsa)
        {
                destroy(this);
                return NULL;
        }
-       
+
        return &this->public;
 }
 
@@ -333,7 +333,7 @@ struct private_builder_t {
 static openssl_rsa_public_key_t *build(private_builder_t *this)
 {
        openssl_rsa_public_key_t *key = this->key;
-       
+
        free(this);
        return key;
 }
@@ -346,7 +346,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
        if (!this->key)
        {
                va_list args;
-               
+
                switch (part)
                {
                        case BUILD_BLOB_ASN1_DER:
@@ -373,18 +373,18 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *openssl_rsa_public_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->key = NULL;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index 5caae4bdd016586706f1b4c2add8c3177cce7a48..55b18a5248b3305d80b069c6d0eca199d50b04c0 100644 (file)
@@ -33,30 +33,30 @@ bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash)
        {
                return FALSE;
        }
-       
-       ctx = EVP_MD_CTX_create();      
+
+       ctx = EVP_MD_CTX_create();
        if (!ctx)
        {
                goto error;
        }
-       
+
        if (!EVP_DigestInit_ex(ctx, hasher, NULL))
        {
                goto error;
        }
-       
+
        if (!EVP_DigestUpdate(ctx, data.ptr, data.len))
        {
                goto error;
        }
-       
+
        *hash = chunk_alloc(hasher->md_size);
        if (!EVP_DigestFinal_ex(ctx, hash->ptr, NULL))
        {
                chunk_free(hash);
                goto error;
        }
-       
+
        ret = TRUE;
 error:
        if (ctx)
@@ -72,18 +72,18 @@ error:
 bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk)
 {
        int offset;
-       
+
        chunk->len = len + (b ? len : 0);
        chunk->ptr = malloc(chunk->len);
        memset(chunk->ptr, 0, chunk->len);
-       
+
        /* convert a */
        offset = len - BN_num_bytes(a);
        if (!BN_bn2bin(a, chunk->ptr + offset))
        {
                goto error;
        }
-       
+
        /* optionally convert and concatenate b */
        if (b)
        {
@@ -92,8 +92,8 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk)
                {
                        goto error;
                }
-       }       
-       
+       }
+
        return TRUE;
 error:
        chunk_free(chunk);
@@ -107,20 +107,20 @@ error:
 bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b)
 {
        int len;
-       
+
        if ((chunk.len % 2) != 0)
        {
                return FALSE;
        }
-       
+
        len = chunk.len / 2;
-       
+
        if (!BN_bin2bn(chunk.ptr, len, a) ||
                !BN_bin2bn(chunk.ptr + len, len, b))
        {
                return FALSE;
        }
-       
+
        return TRUE;
 }
 
index 6ba1ff07b1b1983e3ec60741dd4085ad227f1611..538008f2c4145425cd47241c46803e4f635774aa 100644 (file)
@@ -31,9 +31,9 @@
 
 /**
  * Creates a hash of a given type of a chunk of data.
- * 
+ *
  * Note: this function allocates memory for the hash
- * 
+ *
  * @param hash_type    NID of the hash
  * @param data         the chunk of data to hash
  * @param hash         chunk that contains the hash
@@ -44,9 +44,9 @@ bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash);
 /**
  * Concatenates two bignums into a chunk, thereby enfocing the length of
  * a single BIGNUM, if necessary, by pre-pending it with zeros.
- * 
+ *
  * Note: this function allocates memory for the chunk
- * 
+ *
  * @param len          the length of a single BIGNUM
  * @param a                    first BIGNUM
  * @param b                    second BIGNUM
@@ -57,7 +57,7 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk);
 
 /**
  * Splits a chunk into two bignums of equal binary length.
- * 
+ *
  * @param chunk                a chunk that contains the two BIGNUMs
  * @param a                    first BIGNUM
  * @param b                    second BIGNUM
index afdd85b79bacb4a1ed0c2fdf514e7c172dfdeeb9..9edea4bd3ca2c64af0294ca854b5491ea4a4a5be 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2008 Thomas Kallenberg
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil 
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -26,12 +26,12 @@ typedef struct private_padlock_aes_crypter_t private_padlock_aes_crypter_t;
  * Private data of padlock_aes_crypter_t
  */
 struct private_padlock_aes_crypter_t {
-       
+
        /**
         * Public part of this class.
         */
        padlock_aes_crypter_t public;
-       
+
        /*
         * the key
         */
@@ -56,7 +56,7 @@ typedef struct {
 /**
  * Invoke the actual de/encryption
  */
-static void padlock_crypt(void *key, void *ctrl, void *src, void *dst, 
+static void padlock_crypt(void *key, void *ctrl, void *src, void *dst,
                                                  int count, void *iv)
 {
        asm volatile(
@@ -81,7 +81,7 @@ static void padlock_crypt(void *key, void *ctrl, void *src, void *dst,
 /*
  * Implementation of crypter_t.crypt
  */
-static void crypt(private_padlock_aes_crypter_t *this, char *iv, 
+static void crypt(private_padlock_aes_crypter_t *this, char *iv,
                                  chunk_t src, chunk_t *dst, bool enc)
 {
        cword cword PADLOCK_ALIGN;
@@ -110,7 +110,7 @@ static void crypt(private_padlock_aes_crypter_t *this, char *iv,
 /**
  * Implementation of crypter_t.decrypt.
  */
-static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data, 
+static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data,
                                                chunk_t iv, chunk_t *dst)
 {
        crypt(this, iv.ptr, data, dst, TRUE);
@@ -120,7 +120,7 @@ static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data,
 /**
  * Implementation of crypter_t.encrypt.
  */
-static void encrypt (private_padlock_aes_crypter_t *this, chunk_t data, 
+static void encrypt (private_padlock_aes_crypter_t *this, chunk_t data,
                                                        chunk_t iv, chunk_t *dst)
 {
        crypt(this, iv.ptr, data, dst, FALSE);
@@ -162,18 +162,18 @@ static void destroy (private_padlock_aes_crypter_t *this)
 /*
  * Described in header
  */
-padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo, 
+padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo,
                                                                                                  size_t key_size)
 {
        private_padlock_aes_crypter_t *this;
-       
+
        if (algo != ENCR_AES_CBC)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_padlock_aes_crypter_t);
-       
+
        switch (key_size)
        {
                case 16:        /* AES 128 */
@@ -185,15 +185,15 @@ padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo,
                        free(this);
                        return NULL;
        }
-       
+
        this->key = chunk_alloc(key_size);
-       
+
        this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
        this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
        this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
        this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
        this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
        this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-       
+
        return &this->public;
 }
index d8ac9c2a030af63fed69c783567ae6db96fca6e8..d4c7a757758f70a28917ca1347cfc7d6ee24aed8 100644 (file)
@@ -30,7 +30,7 @@ typedef struct padlock_aes_crypter_t padlock_aes_crypter_t;
  * Implementation of AES-128 using VIA Padlock.
  */
 struct padlock_aes_crypter_t {
-       
+
        /**
         * The crypter_t interface.
         */
@@ -39,7 +39,7 @@ struct padlock_aes_crypter_t {
 
 /**
  * Constructor to create padlock_aes_crypter_t.
- * 
+ *
  * @param key_size             key size in bytes, currently supports only 16.
  * @param algo                 algorithm to implement, must be ENCR_AES_CBC
  * @return                             padlock_aes_crypter_t, NULL if not supported
index e241b59beb8aaf9e4e5a65351d8c29fd9165cce3..32b18ec4bbd7f571eb217760fd8a328df604f38f 100644 (file)
@@ -55,7 +55,7 @@ struct private_padlock_plugin_t {
         * public functions
         */
        padlock_plugin_t public;
-       
+
        /**
         * features supported by Padlock
         */
@@ -81,11 +81,11 @@ static padlock_feature_t get_padlock_features()
 {
        char vendor[3 * sizeof(int) + 1];
        int a, b, c, d;
-       
+
        cpuid(0, a, b, c, d);
        /* VendorID string is in b-d-c (yes, in this order) */
        snprintf(vendor, sizeof(vendor), "%.4s%.4s%.4s", &b, &d, &c);
-       
+
        /* check if we have a VIA chip */
        if (streq(vendor, "CentaurHauls"))
        {
@@ -134,9 +134,9 @@ static void destroy(private_padlock_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_padlock_plugin_t *this = malloc_thing(private_padlock_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        this->features = get_padlock_features();
        if (!this->features)
        {
@@ -154,7 +154,7 @@ plugin_t *plugin_create()
                 this->features & PADLOCK_ACE2_ENABLED ? " ACE2" : "",
                 this->features & PADLOCK_PHE_ENABLED ? " PHE" : "",
                 this->features & PADLOCK_PMM_ENABLED ? " PMM" : "");
-       
+
        if (this->features & PADLOCK_RNG_ENABLED)
        {
                lib->crypto->add_rng(lib->crypto, RNG_TRUE,
index 8a04dccfcd1a068aef5a5bfbe098a4328b6ceb34..8ff46081bfe32c239536753e2b514f41b0051bdb 100644 (file)
@@ -36,12 +36,12 @@ enum padlock_quality_factor_t {
  * Private data of an padlock_rng_t object.
  */
 struct private_padlock_rng_t {
-       
+
        /**
         * Public padlock_rng_t interface.
         */
        padlock_rng_t public;
-       
+
        /**
         * Padlock quality factor
         */
@@ -56,14 +56,14 @@ static void rng(char *buf, int len, int quality)
        while (len > 0)\r
        {
                int status;
-               
+
                /* run XSTORE until we have all bytes needed. We do not use REP, as
                 * this should not be performance critical and it's easier this way. */
                asm volatile (
                        ".byte 0x0F,0xA7,0xC0 \n\t"\r
                        : "=D"(buf), "=a"(status)\r
                        : "d"(quality), "D"(buf));
-               
+
                /* bits[0..4] of status word contains the number of bytes read */
                len -= status & 0x1F;
        }
@@ -78,7 +78,7 @@ static void allocate_bytes(private_padlock_rng_t *this, size_t bytes,
        chunk->len = bytes;
        /* padlock requires some additional bytes */
        chunk->ptr = malloc(bytes + 7);
-       
+
        rng(chunk->ptr, chunk->len, this->quality);
 }
 
@@ -89,7 +89,7 @@ static void get_bytes(private_padlock_rng_t *this, size_t bytes,
                                          u_int8_t *buffer)
 {
        chunk_t chunk;
-       
+
        /* Padlock needs a larger buffer than "bytes", we need a new buffer */
        allocate_bytes(this, bytes, &chunk);
        memcpy(buffer, chunk.ptr, bytes);
@@ -110,11 +110,11 @@ static void destroy(private_padlock_rng_t *this)
 padlock_rng_t *padlock_rng_create(rng_quality_t quality)
 {
        private_padlock_rng_t *this = malloc_thing(private_padlock_rng_t);
-       
+
        this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
        this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
        this->public.rng.destroy = (void (*) (rng_t *))destroy;
-       
+
        /* map RNG quality to Padlock quality factor */
        switch (quality)
        {
@@ -128,7 +128,7 @@ padlock_rng_t *padlock_rng_create(rng_quality_t quality)
                        this->quality = PADLOCK_QF3;
                        break;
        }
-       
+
        return &this->public;
 }
 
index 237d8fbe218c7430b29582b4e3234e0d882a43f8..7fb9a89d5a4ee5e461bffeb2afe5aede56c2cc16 100644 (file)
@@ -29,7 +29,7 @@ typedef struct padlock_rng_t padlock_rng_t;
  * Hardware-RNG based on via Padlock.
  */
 struct padlock_rng_t {
-       
+
        /**
         * Implements rng_t interface.
         */
index b5a6abc6410054b9776f7c0cc4d0295207a87c1a..30c2a861743488789ed7ab3a0d594e54ff0cf17d 100644 (file)
@@ -32,7 +32,7 @@ struct private_padlock_sha1_hasher_t {
         * Public interface for this hasher.
         */
        padlock_sha1_hasher_t public;
-       
+
        /**
         * data collected to hash
         */
@@ -46,7 +46,7 @@ static void padlock_sha1(int len, u_char *in, u_char *out)
 {
        /* rep xsha1 */
     asm volatile (
-               ".byte 0xf3, 0x0f, 0xa6, 0xc8" 
+               ".byte 0xf3, 0x0f, 0xa6, 0xc8"
                : "+S"(in), "+D"(out)
                : "c"(len), "a"(0));
 }
@@ -57,7 +57,7 @@ static void padlock_sha1(int len, u_char *in, u_char *out)
 static void sha1(chunk_t data, u_int32_t *digest)
 {
        u_int32_t hash[128] PADLOCK_ALIGN;
+
        hash[0] = 0x67452301;
        hash[1] = 0xefcdab89;
        hash[2] = 0x98badcfe;
@@ -105,14 +105,14 @@ static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
                        sha1(this->data, (u_int32_t*)hash);
                }
                else
-               {   /* hash directly if no previous data found */   
+               {   /* hash directly if no previous data found */
                        sha1(chunk, (u_int32_t*)hash);
                }
                reset(this);
        }
        else
        {
-               append_data(this, chunk);       
+               append_data(this, chunk);
        }
 }
 
@@ -129,10 +129,10 @@ static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
        }
        else
        {
-               get_hash(this, chunk, NULL);    
+               get_hash(this, chunk, NULL);
        }
 }
-       
+
 /**
  * Implementation of hasher_t.get_hash_size.
  */
@@ -156,20 +156,20 @@ static void destroy(private_padlock_sha1_hasher_t *this)
 padlock_sha1_hasher_t *padlock_sha1_hasher_create(hash_algorithm_t algo)
 {
        private_padlock_sha1_hasher_t *this;
-       
+
        if (algo != HASH_SHA1)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_padlock_sha1_hasher_t);
        this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
        this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
        this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
        this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
        this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-       
+
        this->data = chunk_empty;
-       
+
        return &(this->public);
 }
index afa1e046d7f471d5d47c0051ec3f9a3bd0b34a51..740bdfe98b794bd3bf85705e8e7ba6a76f02ba97 100644 (file)
@@ -30,7 +30,7 @@ typedef struct padlock_sha1_hasher_t padlock_sha1_hasher_t;
  * Implementation of hasher_t interface using the SHA1 algorithm.
  */
 struct padlock_sha1_hasher_t {
-       
+
        /**
         * Implements hasher_t interface.
         */
index 2008067cd0e94f308341191554f92910aa682350..7320bae88e0ffbe4524c2b7b128641f3a49acba2 100644 (file)
@@ -70,7 +70,7 @@ struct private_builder_t {
 static bool present(char* pattern, chunk_t* ch)
 {
        u_int len = strlen(pattern);
-       
+
        if (ch->len >= len && strneq(ch->ptr, pattern, len))
        {
                *ch = chunk_skip(*ch, len);
@@ -85,7 +85,7 @@ static bool present(char* pattern, chunk_t* ch)
 static bool find_boundary(char* tag, chunk_t *line)
 {
        chunk_t name = chunk_empty;
-       
+
        if (!present("-----", line) ||
                !present(tag, line) ||
                *line->ptr != ' ')
@@ -93,7 +93,7 @@ static bool find_boundary(char* tag, chunk_t *line)
                return FALSE;
        }
        *line = chunk_skip(*line, 1);
-       
+
        /* extract name */
        name.ptr = line->ptr;
        while (line->len > 0)
@@ -121,7 +121,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
        chunk_t decrypted;
        chunk_t key = {alloca(key_size), key_size};
        u_int8_t padding, *last_padding_pos, *first_padding_pos;
-       
+
        /* build key from passphrase and IV */
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
        if (hasher == NULL)
@@ -134,7 +134,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
        hasher->get_hash(hasher, passphrase, NULL);
        hasher->get_hash(hasher, salt, hash.ptr);
        memcpy(key.ptr, hash.ptr, hash.len);
-       
+
        if (key.len > hash.len)
        {
                hasher->get_hash(hasher, hash, NULL);
@@ -143,7 +143,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
                memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
        }
        hasher->destroy(hasher);
-       
+
        /* decrypt blob */
        crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size);
        if (crypter == NULL)
@@ -153,7 +153,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
                return NOT_SUPPORTED;
        }
        crypter->set_key(crypter, key);
-       
+
        if (iv.len != crypter->get_block_size(crypter) ||
                blob->len % iv.len)
        {
@@ -165,7 +165,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
        crypter->destroy(crypter);
        memcpy(blob->ptr, decrypted.ptr, blob->len);
        chunk_free(&decrypted);
-       
+
        /* determine amount of padding */
        last_padding_pos = blob->ptr + blob->len - 1;
        padding = *last_padding_pos;
@@ -204,7 +204,7 @@ status_t pem_to_bin(chunk_t *blob, private_builder_t *this, bool *pgp)
                PEM_POST   = 4,
                PEM_ABORT  = 5
        } state_t;
-       
+
        encryption_algorithm_t alg = ENCR_UNDEFINED;
        size_t key_size = 0;
        bool encrypted = FALSE;
@@ -216,11 +216,11 @@ status_t pem_to_bin(chunk_t *blob, private_builder_t *this, bool *pgp)
        chunk_t passphrase;
        int try = 0;
        u_char iv_buf[HASH_SIZE_MD5];
-       
+
        dst.len = 0;
        iv.ptr = iv_buf;
        iv.len = 0;
-       
+
        while (fetchline(&src, &line))
        {
                if (state == PEM_PRE)
@@ -251,14 +251,14 @@ status_t pem_to_bin(chunk_t *blob, private_builder_t *this, bool *pgp)
                                err_t ugh = NULL;
                                chunk_t name  = chunk_empty;
                                chunk_t value = chunk_empty;
-                               
+
                                /* an empty line separates HEADER and BODY */
                                if (line.len == 0)
                                {
                                        state = PEM_BODY;
                                        continue;
                                }
-                               
+
                                /* we are looking for a parameter: value pair */
                                DBG2("  %.*s", (int)line.len, line.ptr);
                                ugh = extract_parameter_value(&name, &value, &line);
@@ -273,7 +273,7 @@ status_t pem_to_bin(chunk_t *blob, private_builder_t *this, bool *pgp)
                                else if (match("DEK-Info", &name))
                                {
                                        chunk_t dek;
-                                       
+
                                        if (!extract_token(&dek, ',', &value))
                                        {
                                                dek = value;
@@ -311,13 +311,13 @@ status_t pem_to_bin(chunk_t *blob, private_builder_t *this, bool *pgp)
                        else /* state is PEM_BODY */
                        {
                                chunk_t data;
-                               
+
                                /* remove any trailing whitespace */
                                if (!extract_token(&data ,' ', &line))
                                {
                                        data = line;
                                }
-                               
+
                                /* check for PGP armor checksum */
                                if (*data.ptr == '=')
                                {
@@ -327,7 +327,7 @@ status_t pem_to_bin(chunk_t *blob, private_builder_t *this, bool *pgp)
                                        DBG2("  armor checksum: %.*s", (int)data.len, data.ptr);
                                        continue;
                                }
-                               
+
                                if (blob->len - dst.len < data.len / 4 * 3)
                                {
                                        state = PEM_ABORT;
@@ -383,7 +383,7 @@ static void *build_from_blob(private_builder_t *this, chunk_t blob)
 {
        void *cred = NULL;
        bool pgp = FALSE;
-       
+
        blob = chunk_clone(blob);
        if (!is_asn1(blob))
        {
@@ -417,21 +417,21 @@ static void *build_from_file(private_builder_t *this, char *file)
        struct stat sb;
        void *addr;
        int fd;
-       
+
        fd = open(file, O_RDONLY);
        if (fd == -1)
        {
                DBG1("  opening '%s' failed: %s", file, strerror(errno));
                return NULL;
        }
-       
+
        if (fstat(fd, &sb) == -1)
        {
                DBG1("  getting file size of '%s' failed: %s", file, strerror(errno));
                close(fd);
                return NULL;
        }
-       
+
        addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
        if (addr == MAP_FAILED)
        {
@@ -439,9 +439,9 @@ static void *build_from_file(private_builder_t *this, char *file)
                close(fd);
                return NULL;
        }
-       
+
        cred = build_from_blob(this, chunk_create(addr, sb.st_size));
-       
+
        munmap(addr, sb.st_size);
        close(fd);
        return cred;
@@ -455,7 +455,7 @@ static void *build_from_fd(private_builder_t *this, int fd)
        char buf[8096];
        char *pos = buf;
        ssize_t len, total = 0;
-       
+
        while (TRUE)
        {
                len = read(fd, pos, buf + sizeof(buf) - pos);
@@ -484,7 +484,7 @@ static void *build_from_fd(private_builder_t *this, int fd)
 static void *build(private_builder_t *this)
 {
        void *cred = NULL;
-       
+
        if (this->pem.ptr)
        {
                cred = build_from_blob(this, this->pem);
@@ -519,7 +519,7 @@ static chunk_t given_passphrase_cb(chunk_t *passphrase, int try)
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        switch (part)
        {
                case BUILD_FROM_FILE:
@@ -570,10 +570,10 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 static builder_t *pem_builder(credential_type_t type, int subtype)
 {
        private_builder_t *this = malloc_thing(private_builder_t);
-       
+
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        this->type = type;
        this->subtype = subtype;
        this->file = NULL;
@@ -583,7 +583,7 @@ static builder_t *pem_builder(credential_type_t type, int subtype)
        this->cb = NULL;
        this->data = NULL;
        this->flags = 0;
-       
+
        return &this->public;
 }
 
index 5289361f279807bec124ee4857e823c1b376f76e..a0ecec8262e9a7d7352f7c239d65f26c05b08fc6 100644 (file)
@@ -51,9 +51,9 @@ static void destroy(private_pem_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_pem_plugin_t *this = malloc_thing(private_pem_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        /* register private key PEM decoding builders */
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
                                                        (builder_constructor_t)private_key_pem_builder);
@@ -63,7 +63,7 @@ plugin_t *plugin_create()
                                                        (builder_constructor_t)private_key_pem_builder);
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_DSA,
                                                        (builder_constructor_t)private_key_pem_builder);
-       
+
        /* register public key PEM decoding builders */
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
                                                        (builder_constructor_t)public_key_pem_builder);
@@ -73,7 +73,7 @@ plugin_t *plugin_create()
                                                        (builder_constructor_t)public_key_pem_builder);
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_DSA,
                                                        (builder_constructor_t)public_key_pem_builder);
-       
+
        /* register certificate PEM decoding builders */
        lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_ANY,
                                                        (builder_constructor_t)certificate_pem_builder);
@@ -91,7 +91,7 @@ plugin_t *plugin_create()
                                                        (builder_constructor_t)certificate_pem_builder);
        lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG,
                                                        (builder_constructor_t)certificate_pem_builder);
-       
+
        /* register pluto specific certificate formats */
        lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
                                                        (builder_constructor_t)certificate_pem_builder);
@@ -99,7 +99,7 @@ plugin_t *plugin_create()
                                                        (builder_constructor_t)certificate_pem_builder);
        lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
                                                        (builder_constructor_t)certificate_pem_builder);
-       
+
        return &this->public.plugin;
 }
 
index 6d39160f92ccc2fb11d0ed6dcce40df8c96825c4..75616c49656305be12a234d46bf1daaaca4b8b27 100644 (file)
@@ -16,7 +16,7 @@
 /**
  * @defgroup pem_p pem
  * @ingroup plugins
- * 
+ *
  * @defgroup pem_plugin pem_plugin
  * @{ @ingroup pem_p
  */
index 7fc7155fdea74f7a2dfc50c83e9894558cff50f3..fad8fe10f84745ab9e4a2a121e863fb3e6888dc6 100644 (file)
@@ -90,7 +90,7 @@ ENUM(pgp_sym_alg_names, PGP_SYM_ALG_PLAIN, PGP_SYM_ALG_TWOFISH,
 static bool read_scalar(chunk_t *blob, size_t bytes, u_int32_t *scalar)
 {
        u_int32_t res = 0;
-       
+
        if (bytes > blob->len)
        {
                DBG1("PGP data too short to read %d byte scalar", bytes);
@@ -112,14 +112,14 @@ static bool old_packet_length(chunk_t *blob, u_int32_t *length)
 {
        /* bits 0 and 1 define the packet length type */
        u_char type;
-       
+
        if (!blob->len)
        {
                return FALSE;
        }
        type = 0x03 & blob->ptr[0];
        *blob = chunk_skip(*blob, 1);
-       
+
        if (type > 2)
        {
                return FALSE;
@@ -133,7 +133,7 @@ static bool old_packet_length(chunk_t *blob, u_int32_t *length)
 static bool read_mpi(chunk_t *blob, chunk_t *mpi)
 {
        u_int32_t bits, bytes;
-       
+
        if (!read_scalar(blob, 2, &bits))
        {
                DBG1("PGP data too short to read MPI length");
@@ -157,7 +157,7 @@ static public_key_t *parse_public_key(chunk_t blob)
 {
        u_int32_t alg;
        public_key_t *key;
-       
+
        if (!read_scalar(&blob, 1, &alg))
        {
                return NULL;
@@ -184,7 +184,7 @@ static public_key_t *parse_rsa_public_key(chunk_t blob)
 {
        chunk_t mpi[2];
        int i;
-       
+
        for (i = 0; i < 2; i++)
        {
                if (!read_mpi(&blob, &mpi[i]))
@@ -205,7 +205,7 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
        chunk_t mpi[6];
        u_int32_t s2k;
        int i;
-       
+
        for (i = 0; i < 2; i++)
        {
                if (!read_mpi(&blob, &mpi[i]))
@@ -227,7 +227,7 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
                DBG1("%N private key encryption not supported", pgp_sym_alg_names, s2k);
                return NULL;
        }
-       
+
        for (i = 2; i < 6; i++)
        {
                if (!read_mpi(&blob, &mpi[i]))
@@ -235,9 +235,9 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
                        return NULL;
                }
        }
-       
+
        /* PGP has uses p < q, but we use p > q */
-       return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, 
+       return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                BUILD_RSA_MODULUS, mpi[0], BUILD_RSA_PUB_EXP, mpi[1],
                                                BUILD_RSA_PRIV_EXP, mpi[2], BUILD_RSA_PRIME2, mpi[3],
                                                BUILD_RSA_PRIME1, mpi[4], BUILD_RSA_COEFF, mpi[5],
@@ -273,9 +273,9 @@ static private_key_t *parse_private_key(chunk_t blob)
        u_char tag, type;
        u_int32_t len, version, created, days, alg;
        private_key_t *key;
-       
+
        tag = blob.ptr[0];
-       
+
        /* bit 7 must be set */
        if (!(tag & 0x80))
        {
@@ -288,7 +288,7 @@ static private_key_t *parse_private_key(chunk_t blob)
                DBG1("new PGP packet format not supported");
                return NULL;
        }
-       
+
        type = (tag & 0x3C) >> 2;
        if (!old_packet_length(&blob, &len) || len > blob.len)
        {
@@ -298,7 +298,7 @@ static private_key_t *parse_private_key(chunk_t blob)
        packet.len = len;
        packet.ptr = blob.ptr;
        blob = chunk_skip(blob, len);
-       
+
        if (!read_scalar(&packet, 1, &version))
        {
                return NULL;
@@ -377,7 +377,7 @@ struct private_builder_t {
 static public_key_t *build_public(private_builder_t *this)
 {
        public_key_t *key = NULL;
-       
+
        switch (this->type)
        {
                case KEY_ANY:
@@ -399,7 +399,7 @@ static public_key_t *build_public(private_builder_t *this)
 static void add_public(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        switch (part)
        {
                case BUILD_BLOB_PGP:
@@ -421,19 +421,19 @@ static void add_public(private_builder_t *this, builder_part_t part, ...)
 builder_t *pgp_public_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_ANY && type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->blob = chunk_empty;
        this->type = type;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add_public;
        this->public.build = (void*(*)(builder_t *this))build_public;
-       
+
        return &this->public;
 }
 
@@ -443,7 +443,7 @@ builder_t *pgp_public_key_builder(key_type_t type)
 static private_key_t *build_private(private_builder_t *this)
 {
        private_key_t *key = NULL;
-       
+
        switch (this->type)
        {
                case KEY_ANY:
@@ -465,7 +465,7 @@ static private_key_t *build_private(private_builder_t *this)
 static void add_private(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        switch (part)
        {
                case BUILD_BLOB_PGP:
@@ -487,19 +487,19 @@ static void add_private(private_builder_t *this, builder_part_t part, ...)
 builder_t *pgp_private_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_ANY && type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->blob = chunk_empty;
        this->type = type;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add_private;
        this->public.build = (void*(*)(builder_t *this))build_private;
-       
+
        return &this->public;
 }
 
index b24c7047d2244d1b7094bbe9ddd997c62638031b..56acac59703c17ece509614dd81e496a2a60dfa1 100644 (file)
@@ -24,7 +24,7 @@ static bool build_v3_fingerprint(chunk_t *encoding, va_list args)
 {
        hasher_t *hasher;
        chunk_t n, e;
-       
+
        if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
                                                  KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
        {
index 98f5c3356710ff3d1089032be574efca1208c44c..ed37e1d9f6c47d6c99810aea2a81d21da5a623c4 100644 (file)
@@ -41,9 +41,9 @@ static void destroy(private_pgp_plugin_t *this)
                                                        (builder_constructor_t)pgp_public_key_builder);
        lib->creds->remove_builder(lib->creds,
                                                        (builder_constructor_t)pgp_private_key_builder);
-       
+
        lib->encoding->remove_encoder(lib->encoding, pgp_encoder_encode);
-       
+
        free(this);
 }
 
@@ -53,9 +53,9 @@ static void destroy(private_pgp_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_pgp_plugin_t *this = malloc_thing(private_pgp_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
                                                        (builder_constructor_t)pgp_public_key_builder);
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
@@ -64,9 +64,9 @@ plugin_t *plugin_create()
                                                        (builder_constructor_t)pgp_private_key_builder);
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                        (builder_constructor_t)pgp_private_key_builder);
-       
+
        lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode);
-       
+
        return &this->public.plugin;
 }
 
index abb6c0c0b02c6f10c9763b48f5c4b7fe432baef3..0213076f93c304e4b3153b97dc83776bc7861989 100644 (file)
@@ -47,7 +47,7 @@ static public_key_t *parse_public_key(chunk_t blob)
        key_type_t type = KEY_ANY;
 
        parser = asn1_parser_create(pkinfoObjects, blob);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                switch (objectID)
@@ -56,7 +56,7 @@ static public_key_t *parse_public_key(chunk_t blob)
                        {
                                int oid = asn1_parse_algorithmIdentifier(object,
                                                                                parser->get_level(parser)+1, NULL);
-                               
+
                                if (oid == OID_RSA_ENCRYPTION)
                                {
                                        type = KEY_RSA;
@@ -64,7 +64,7 @@ static public_key_t *parse_public_key(chunk_t blob)
                                else if (oid == OID_EC_PUBLICKEY)
                                {
                                        /* we need the whole subjectPublicKeyInfo for EC public keys */
-                                       key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, 
+                                       key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
                                                                KEY_ECDSA, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
                                        goto end;
                                }
@@ -85,11 +85,11 @@ static public_key_t *parse_public_key(chunk_t blob)
                                                                                 BUILD_BLOB_ASN1_DER, object, BUILD_END);
                                break;
                }
-       } 
-       
+       }
+
 end:
        parser->destroy(parser);
-       return key; 
+       return key;
 }
 
 /**
@@ -115,9 +115,9 @@ static public_key_t *parse_rsa_public_key(chunk_t blob)
        chunk_t object;
        int objectID;
        bool success = FALSE;
-       
+
        parser = asn1_parser_create(pubkeyObjects, blob);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                switch (objectID)
@@ -184,10 +184,10 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
        chunk_t object;
        int objectID ;
        bool success = FALSE;
-       
+
        parser = asn1_parser_create(privkeyObjects, blob);
        parser->set_flags(parser, FALSE, TRUE);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                switch (objectID)
@@ -233,9 +233,9 @@ end:
        {
                return NULL;
        }
-       return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, 
+       return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                        BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_RSA_PRIV_EXP, d,
-                       BUILD_RSA_PRIME1, p,  BUILD_RSA_PRIME2, q, BUILD_RSA_EXP1, exp1, 
+                       BUILD_RSA_PRIME1, p,  BUILD_RSA_PRIME2, q, BUILD_RSA_EXP1, exp1,
                        BUILD_RSA_EXP2, exp2, BUILD_RSA_COEFF, coeff, BUILD_END);
 }
 
@@ -259,7 +259,7 @@ struct private_builder_t {
 static public_key_t *build_public(private_builder_t *this)
 {
        public_key_t *key = NULL;
-       
+
        switch (this->type)
        {
                case KEY_ANY:
@@ -281,7 +281,7 @@ static public_key_t *build_public(private_builder_t *this)
 static void add_public(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        switch (part)
        {
                case BUILD_BLOB_ASN1_DER:
@@ -303,19 +303,19 @@ static void add_public(private_builder_t *this, builder_part_t part, ...)
 builder_t *pkcs1_public_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_ANY && type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->blob = chunk_empty;
        this->type = type;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add_public;
        this->public.build = (void*(*)(builder_t *this))build_public;
-       
+
        return &this->public;
 }
 
@@ -325,7 +325,7 @@ builder_t *pkcs1_public_key_builder(key_type_t type)
 static private_key_t *build_private(private_builder_t *this)
 {
        private_key_t *key;
-       
+
        key = parse_rsa_private_key(this->blob);
        free(this);
        return key;
@@ -337,7 +337,7 @@ static private_key_t *build_private(private_builder_t *this)
 static void add_private(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        switch (part)
        {
                case BUILD_BLOB_ASN1_DER:
@@ -359,19 +359,19 @@ static void add_private(private_builder_t *this, builder_part_t part, ...)
 builder_t *pkcs1_private_key_builder(key_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != KEY_RSA)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->blob = chunk_empty;
        this->type = type;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add_private;
        this->public.build = (void*(*)(builder_t *this))build_private;
-       
+
        return &this->public;
 }
 
index b7c13defbdd6cacc4ce27617311ab78ae7dfa721..0a8da815ad46456bbaf2dded104848774574dad9 100644 (file)
@@ -25,7 +25,7 @@
 bool build_pub(chunk_t *encoding, va_list args)
 {
        chunk_t n, e;
-       
+
        if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
                                                  KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
        {
@@ -43,7 +43,7 @@ bool build_pub(chunk_t *encoding, va_list args)
 bool build_pub_info(chunk_t *encoding, va_list args)
 {
        chunk_t n, e;
-       
+
        if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
                                                  KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END))
        {
@@ -64,7 +64,7 @@ bool build_pub_info(chunk_t *encoding, va_list args)
 bool build_priv(chunk_t *encoding, va_list args)
 {
        chunk_t n, e, d, p, q, exp1, exp2, coeff;
-       
+
        if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n,
                                        KEY_PART_RSA_PUB_EXP, &e, KEY_PART_RSA_PRIV_EXP, &d,
                                        KEY_PART_RSA_PRIME1, &p, KEY_PART_RSA_PRIME2, &q,
@@ -92,7 +92,7 @@ bool build_priv(chunk_t *encoding, va_list args)
 static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
 {
        hasher_t *hasher;
-       
+
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (hasher == NULL)
        {
@@ -112,7 +112,7 @@ static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
 static bool build_info_sha1(chunk_t *encoding, va_list args)
 {
        chunk_t pubkey;
-       
+
        if (build_pub_info(&pubkey, args))
        {
                return hash_pubkey(pubkey, encoding);
@@ -126,7 +126,7 @@ static bool build_info_sha1(chunk_t *encoding, va_list args)
 static bool build_sha1(chunk_t *encoding, va_list args)
 {
        chunk_t pubkey;
-       
+
        if (build_pub(&pubkey, args))
        {
                return hash_pubkey(pubkey, encoding);
index 5e8cf97d8a2878bc7e4360efacf380d305820eac..d0ca8564bc122ef58d8a62125d91ee37f586f62e 100644 (file)
@@ -41,9 +41,9 @@ static void destroy(private_pkcs1_plugin_t *this)
                                                        (builder_constructor_t)pkcs1_public_key_builder);
        lib->creds->remove_builder(lib->creds,
                                                        (builder_constructor_t)pkcs1_private_key_builder);
-       
+
        lib->encoding->remove_encoder(lib->encoding, pkcs1_encoder_encode);
-       
+
        free(this);
 }
 
@@ -53,18 +53,18 @@ static void destroy(private_pkcs1_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_pkcs1_plugin_t *this = malloc_thing(private_pkcs1_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
                                                        (builder_constructor_t)pkcs1_public_key_builder);
        lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                                        (builder_constructor_t)pkcs1_public_key_builder);
        lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                                        (builder_constructor_t)pkcs1_private_key_builder);
-       
+
        lib->encoding->add_encoder(lib->encoding, pkcs1_encoder_encode);
-       
+
        return &this->public.plugin;
 }
 
index 6ca71540ccf4e315ba6147cb835f823e5ad5a117..2162cef5e746fa7b5c9b2e87fa3f1c42551971f4 100644 (file)
@@ -27,7 +27,7 @@ typedef struct plugin_t plugin_t;
  * Interface definition of a plugin.
  */
 struct plugin_t {
-       
+
        /**
      * Destroy a plugin instance.
      */
index 49e643f25608351b6593ae8d6881431353471582..644ac1fd218613a90ab998602def68b44389b037 100644 (file)
@@ -37,12 +37,12 @@ struct private_plugin_loader_t {
         * public functions
         */
        plugin_loader_t public;
-       
+
        /**
         * list of loaded plugins
         */
        linked_list_t *plugins;
-       
+
        /**
         * names of loaded plugins
         */
@@ -59,9 +59,9 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
        void *handle;
        plugin_t *plugin;
        plugin_constructor_t constructor;
-       
+
        snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name);
-       
+
        if (lib->integrity)
        {
                if (!lib->integrity->check_file(lib->integrity, name, file))
@@ -101,7 +101,7 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
                return NULL;
        }
        DBG2("plugin '%s': loaded successfully", name);
-       
+
        /* we do not store or free dlopen() handles, leak_detective requires
         * the modules to keep loaded until leak report */
        return plugin;
@@ -115,14 +115,14 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
        enumerator_t *enumerator;
        char *token;
        bool critical_failed = FALSE;
-       
+
        enumerator = enumerator_create_token(list, " ", " ");
        while (!critical_failed && enumerator->enumerate(enumerator, &token))
        {
                plugin_t *plugin;
                bool critical = FALSE;
                int len;
-               
+
                token = strdup(token);
                len = strlen(token);
                if (token[len-1] == '!')
@@ -158,7 +158,7 @@ static void unload(private_plugin_loader_t *this)
 {
        plugin_t *plugin;
        char *name;
-       
+
        while (this->plugins->remove_first(this->plugins,
                                                                           (void**)&plugin) == SUCCESS)
        {
@@ -176,7 +176,7 @@ static void unload(private_plugin_loader_t *this)
 static enumerator_t* create_plugin_enumerator(private_plugin_loader_t *this)
 {
        return this->names->create_enumerator(this->names);
-}       
+}
 
 /**
  * Implementation of plugin_loader_t.destroy
@@ -194,15 +194,15 @@ static void destroy(private_plugin_loader_t *this)
 plugin_loader_t *plugin_loader_create()
 {
        private_plugin_loader_t *this = malloc_thing(private_plugin_loader_t);
-       
+
        this->public.load = (bool(*)(plugin_loader_t*, char *path, char *prefix))load;
        this->public.unload = (void(*)(plugin_loader_t*))unload;
        this->public.create_plugin_enumerator = (enumerator_t*(*)(plugin_loader_t*))create_plugin_enumerator;
        this->public.destroy = (void(*)(plugin_loader_t*))destroy;
-       
+
        this->plugins = linked_list_create();
        this->names = linked_list_create();
-       
+
        return &this->public;
 }
 
index 3429e922405347895448ff6b5b05bef5ede92591..0967b7900f2a28016060ab1dc455e82498606526 100644 (file)
@@ -28,8 +28,8 @@ typedef struct plugin_loader_t plugin_loader_t;
 /**
  * The plugin_loader loads plugins from a directory and initializes them
  */
-struct plugin_loader_t {       
-       
+struct plugin_loader_t {
+
        /**
         * Load a list of plugins from a directory.
         *
@@ -42,19 +42,19 @@ struct plugin_loader_t {
         * @return                              TRUE if all critical plugins loaded successfully
         */
        bool (*load)(plugin_loader_t *this, char *path, char *list);
-       
+
        /**
         * Unload all loaded plugins.
         */
        void (*unload)(plugin_loader_t *this);
-       
+
        /**
         * Create an enumerator over all loaded plugin names.
         *
         * @return                              enumerator over char*
         */
        enumerator_t* (*create_plugin_enumerator)(plugin_loader_t *this);
-       
+
        /**
         * Unload loaded plugins, destroy plugin_loader instance.
         */
index d35824b26d8d7bc26e594af780bcc5e2519caf9f..2f1fb09f7750f56bd70c4eb37c286ae9d50fda1f 100644 (file)
@@ -28,22 +28,22 @@ struct private_pubkey_cert_t {
         * public functions
         */
        pubkey_cert_t public;
-       
+
        /**
         * wrapped public key
         */
        public_key_t *key;
-       
+
        /**
         * dummy issuer id, ID_ANY
         */
        identification_t *issuer;
-       
+
        /**
         * subject, ID_KEY_ID of the public key
         */
        identification_t *subject;
-       
+
        /**
         * reference count
         */
@@ -84,7 +84,7 @@ static id_match_t has_subject(private_pubkey_cert_t *this,
        {
                key_encoding_type_t type;
                chunk_t fingerprint;
-               
+
                for (type = 0; type < KEY_ENCODING_MAX; type++)
                {
                        if (this->key->get_fingerprint(this->key, type, &fingerprint) &&
@@ -112,7 +112,7 @@ static id_match_t has_issuer(private_pubkey_cert_t *this,
 static bool equals(private_pubkey_cert_t *this, certificate_t *other)
 {
        public_key_t *other_key;
-       
+
        other_key = other->get_public_key(other);
        if (other_key)
        {
@@ -174,7 +174,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 static chunk_t get_encoding(private_pubkey_cert_t *this)
 {
        chunk_t encoding;
-       
+
        if (this->key->get_encoding(this->key, KEY_PUB_ASN1_DER, &encoding))
        {
                return encoding;
@@ -212,7 +212,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key)
 {
        private_pubkey_cert_t *this = malloc_thing(private_pubkey_cert_t);
        chunk_t fingerprint;
-       
+
        this->public.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
        this->public.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
        this->public.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -226,7 +226,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key)
        this->public.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
        this->public.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
        this->public.interface.destroy = (void (*)(certificate_t *this))destroy;
-       
+
        this->ref = 1;
        this->key = key;
        this->issuer = identification_create_from_encoding(ID_ANY, chunk_empty);
@@ -238,7 +238,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key)
        {
                this->subject = identification_create_from_encoding(ID_ANY, chunk_empty);
        }
-       
+
        return &this->public;
 }
 
@@ -259,7 +259,7 @@ struct private_builder_t {
 static pubkey_cert_t *build(private_builder_t *this)
 {
        pubkey_cert_t *key = this->key;
-       
+
        free(this);
        return key;
 }
@@ -273,7 +273,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
        {
                public_key_t *key;
                va_list args;
-               
+
                switch (part)
                {
                        case BUILD_BLOB_ASN1_DER:
@@ -313,18 +313,18 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *pubkey_cert_builder(certificate_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != CERT_TRUSTED_PUBKEY)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->key = NULL;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index 92aa14a0d75c6a127d1d476824f33e54110ad7be..2af8c9cd34297522adecd8d3db26ba5e17a92ff7 100644 (file)
@@ -47,7 +47,7 @@ static void destroy(private_pubkey_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_pubkey_plugin_t *this = malloc_thing(private_pubkey_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
        lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
index 5f04f1d79f2ca6fa0f0ea63f0511d1e54e29a666..df0a8f5566d8b457390d85cd6b99b9b59a53bbe5 100644 (file)
@@ -47,14 +47,14 @@ static void destroy(private_random_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_random_plugin_t *this = malloc_thing(private_random_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
-       lib->crypto->add_rng(lib->crypto, RNG_STRONG, 
+
+       lib->crypto->add_rng(lib->crypto, RNG_STRONG,
                                                 (rng_constructor_t)random_rng_create);
-       lib->crypto->add_rng(lib->crypto, RNG_TRUE, 
+       lib->crypto->add_rng(lib->crypto, RNG_TRUE,
                                                 (rng_constructor_t)random_rng_create);
-       
+
        return &this->public.plugin;
 }
 
index 8145c7875208b7f703055c68bee5f93527262913..6ce0f71bee0fdd4eee9a1a02fdab11c5279db92e 100644 (file)
@@ -16,7 +16,7 @@
 /**
  * @defgroup random_p random
  * @ingroup plugins
- * 
+ *
  * @defgroup random_plugin random_plugin
  * @{ @ingroup random_p
  */
index 22d21574e21fc4d93022f75e1d792f4e3b6a5b65..34f300296f707fbff9dc372ef41fb8b7c319357e 100644 (file)
@@ -43,12 +43,12 @@ struct private_random_rng_t {
         * Public random_rng_t interface.
         */
        random_rng_t public;
-       
+
        /**
         * random device, depends on quality
         */
        int dev;
-       
+
        /**
         * file we read random bytes from
         */
@@ -63,9 +63,9 @@ static void get_bytes(private_random_rng_t *this, size_t bytes,
 {
        size_t done;
        ssize_t got;
-       
+
        done = 0;
-       
+
        while (done < bytes)
        {
                got = read(this->dev, buffer + done, bytes - done);
@@ -120,7 +120,7 @@ random_rng_t *random_rng_create(rng_quality_t quality)
        {
                this->file = DEV_URANDOM;
        }
-       
+
        this->dev = open(this->file, 0);
        if (this->dev < 0)
        {
index bcb9cb20428464137e38c4f5063c5e6f512ba774..4e6f3afb2935210855c5b60e2f7a36f11748024e 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup random_rng random_rng
  * @{ @ingroup random_p
@@ -29,7 +29,7 @@ typedef struct random_rng_t random_rng_t;
  * rng_t implementation on top of /dev/[u]random
  */
 struct random_rng_t {
-       
+
        /**
         * Implements rng_t.
         */
@@ -38,7 +38,7 @@ struct random_rng_t {
 
 /**
  * Creates an random_rng_t instance.
- * 
+ *
  * @param quality      required quality of randomness
  * @return                     created random_rng_t
  */
index ba3dd9592baf4ff8472a8274c81fb6c167d751ff..38b4b38286bfb392377d270e39e72d5a43cba3da 100644 (file)
@@ -2,7 +2,7 @@
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
- * 
+ *
  * Ported from Steve Reid's <steve@edmweb.com> implementation
  * "SHA1 in C" found in strongSwan.
  *
@@ -24,7 +24,7 @@
 
 /*
  * ugly macro stuff
- */ 
+ */
 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
 
 #if BYTE_ORDER == LITTLE_ENDIAN
@@ -54,7 +54,7 @@ struct private_sha1_hasher_t {
         * Public interface for this hasher.
         */
        sha1_hasher_t public;
-       
+
        /*
         * State of the hasher. Shared with sha1_prf.c, do not change it!!!
         */
@@ -63,7 +63,7 @@ struct private_sha1_hasher_t {
     u_int8_t buffer[64];
 };
 
-/* 
+/*
  * Hash a single 512-bit block. This is the core of the algorithm. *
  */
 static void SHA1Transform(u_int32_t state[5], const unsigned char buffer[64])
@@ -129,17 +129,17 @@ void SHA1Update(private_sha1_hasher_t* this, u_int8_t *data, u_int32_t len)
     }
     this->count[1] += (len>>29);
     j = (j >> 3) & 63;
-    if ((j + len) > 63) 
+    if ((j + len) > 63)
     {
         memcpy(&this->buffer[j], data, (i = 64-j));
         SHA1Transform(this->state, this->buffer);
-        for ( ; i + 63 < len; i += 64) 
+        for ( ; i + 63 < len; i += 64)
         {
             SHA1Transform(this->state, &data[i]);
         }
         j = 0;
     }
-    else 
+    else
     {
        i = 0;
     }
@@ -147,8 +147,8 @@ void SHA1Update(private_sha1_hasher_t* this, u_int8_t *data, u_int32_t len)
 }
 
 
-/* 
- * Add padding and return the message digest. 
+/*
+ * Add padding and return the message digest.
  */
 static void SHA1Final(private_sha1_hasher_t *this, u_int8_t *digest)
 {
@@ -156,20 +156,20 @@ static void SHA1Final(private_sha1_hasher_t *this, u_int8_t *digest)
        u_int8_t finalcount[8];
        u_int8_t c;
 
-    for (i = 0; i < 8; i++) 
+    for (i = 0; i < 8; i++)
     {
         finalcount[i] = (u_int8_t)((this->count[(i >= 4 ? 0 : 1)]
          >> ((3-(i & 3)) * 8) ) & 255);  /* Endian independent */
     }
     c = 0200;
     SHA1Update(this, &c, 1);
-    while ((this->count[0] & 504) != 448) 
+    while ((this->count[0] & 504) != 448)
     {
                c = 0000;
         SHA1Update(this, &c, 1);
     }
     SHA1Update(this, finalcount, 8);  /* Should cause a SHA1Transform() */
-    for (i = 0; i < 20; i++) 
+    for (i = 0; i < 20; i++)
     {
         digest[i] = (u_int8_t)((this->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
     }
@@ -209,15 +209,15 @@ static void allocate_hash(private_sha1_hasher_t *this, chunk_t chunk, chunk_t *h
 {
        SHA1Update(this, chunk.ptr, chunk.len);
        if (hash != NULL)
-       {       
+       {
                hash->ptr = malloc(HASH_SIZE_SHA1);
                hash->len = HASH_SIZE_SHA1;
-               
+
                SHA1Final(this, hash->ptr);
                reset(this);
        }
 }
-       
+
 /**
  * Implementation of hasher_t.get_hash_size.
  */
@@ -250,10 +250,10 @@ sha1_hasher_t *sha1_hasher_create(hash_algorithm_t algo)
        this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
        this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
        this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-       
+
        /* initialize */
        reset(this);
-       
+
        return &(this->public);
 }
 
index b9bfe1c864588bc49dac244614dbd74b4e37654e..7fa6f1bc0aa3a6be89bd0016c39050a245cc579f 100644 (file)
@@ -30,7 +30,7 @@ typedef struct sha1_hasher_t sha1_hasher_t;
  * Implementation of hasher_t interface using the SHA1 algorithm.
  */
 struct sha1_hasher_t {
-       
+
        /**
         * Implements hasher_t interface.
         */
index b9eb62ac5d125741d143b5abd4272256c3973771..a038228dae2e2646d994071765c023401f560960 100644 (file)
@@ -50,14 +50,14 @@ static void destroy(private_sha1_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_sha1_plugin_t *this = malloc_thing(private_sha1_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
                                                        (hasher_constructor_t)sha1_hasher_create);
        lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
                                                        (prf_constructor_t)sha1_prf_create);
-       
+
        return &this->public.plugin;
 }
 
index 4a5f7c293eec2ab9f07e85af831a1909223d2302..a1e205691478297c6dd64d42834728e7a54c5498 100644 (file)
@@ -29,7 +29,7 @@ struct private_sha1_hasher_t {
         * Public interface for this hasher.
         */
        sha1_hasher_t public;
-       
+
        /*
         * State of the hasher. From sha1_hasher.c, do not change it!
         */
@@ -107,7 +107,7 @@ static void set_key(private_sha1_prf_t *this, chunk_t key)
 {
        int i, rounds;
        u_int32_t *iv = (u_int32_t*)key.ptr;
-       
+
        this->hasher->public.hasher_interface.reset(&this->hasher->public.hasher_interface);
        rounds = min(key.len/sizeof(u_int32_t), sizeof(this->hasher->state));
        for (i = 0; i < rounds; i++)
@@ -142,9 +142,9 @@ sha1_prf_t *sha1_prf_create(pseudo_random_function_t algo)
        this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
        this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
        this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-       
+
        this->hasher = (private_sha1_hasher_t*)sha1_hasher_create(HASH_SHA1);
-       
+
        return &this->public;
 }
 
index b6cd2f9d0061d83d1ca6f7c2ed5e9d74f96631f4..1ab4cbc2427f47c4b2f914d5e9677df592817639 100644 (file)
@@ -29,7 +29,7 @@ typedef struct sha1_prf_t sha1_prf_t;
  * Implementation of prf_t interface using keyed SHA1 algorithm (used for EAP-AKA).
  */
 struct sha1_prf_t {
-       
+
        /**
         * Implements prf_t interface.
         */
index 645f4d786908343e41e6c7a4d790b77bc556db68..d407fad1bdc09b444625afe720605c454c07f469 100644 (file)
@@ -31,7 +31,7 @@ struct private_sha512_hasher_t {
         * Public interface for this hasher.
         */
        sha2_hasher_t public;
-       
+
        unsigned char   sha_out[128];   /* results are here, bytes 0..47/0..63 */
        u_int64_t       sha_H[8];
        u_int64_t       sha_blocks;
@@ -50,7 +50,7 @@ struct private_sha256_hasher_t {
         * Public interface for this hasher.
         */
        sha2_hasher_t public;
-       
+
        unsigned char   sha_out[64];    /* results are here, bytes 0...31 */
        u_int32_t       sha_H[8];
        u_int64_t       sha_blocks;
@@ -60,7 +60,7 @@ struct private_sha256_hasher_t {
 
 static const u_int32_t sha224_hashInit[8] = {
        0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511,
-       0x64f98fa7, 0xbefa4fa4 
+       0x64f98fa7, 0xbefa4fa4
 };
 
 static const u_int32_t sha256_hashInit[8] = {
@@ -139,7 +139,7 @@ static const u_int64_t sha512_K[80] = {
 /**
  * Single block SHA256 transformation
  */
-static void sha256_transform(private_sha256_hasher_t *ctx, 
+static void sha256_transform(private_sha256_hasher_t *ctx,
                                                         const unsigned char *datap)
 {
        register int    j;
@@ -168,7 +168,7 @@ static void sha256_transform(private_sha256_hasher_t *ctx,
        j = 0;
        do
        {
-               if(j >= 16) 
+               if(j >= 16)
                {
                        Wm2 = W[j - 2];
                        Wm15 = W[j - 15];
@@ -198,7 +198,7 @@ static void sha256_transform(private_sha256_hasher_t *ctx,
 /**
  * Update SHA256 hash
  */
-static void sha256_write(private_sha256_hasher_t *ctx, 
+static void sha256_write(private_sha256_hasher_t *ctx,
                                                 const unsigned char *datap, int length)
 {
        while(length > 0)
@@ -243,7 +243,7 @@ static void sha256_final(private_sha256_hasher_t *ctx)
        {
                sha256_write(ctx, &padByte, 1);
        }
-       
+
        /* write bit length, big endian byte order */
        ctx->sha_out[56] = bitLength >> 56;
        ctx->sha_out[57] = bitLength >> 48;
@@ -254,7 +254,7 @@ static void sha256_final(private_sha256_hasher_t *ctx)
        ctx->sha_out[62] = bitLength >> 8;
        ctx->sha_out[63] = bitLength;
        sha256_transform(ctx, &ctx->sha_out[0]);
-       
+
        /* return results in ctx->sha_out[0...31] */
        datap = &ctx->sha_out[0];
        j = 0;
@@ -283,7 +283,7 @@ static void sha256_final(private_sha256_hasher_t *ctx)
 /**
  * Single block SHA384/SHA512 transformation
  */
-static void sha512_transform(private_sha512_hasher_t *ctx, 
+static void sha512_transform(private_sha512_hasher_t *ctx,
                                                         const unsigned char *datap)
 {
        register int    j;
@@ -343,14 +343,14 @@ static void sha512_transform(private_sha512_hasher_t *ctx,
 /**
  * Update a SHA384/SHA512 hash
  */
-static void sha512_write(private_sha512_hasher_t *ctx, 
+static void sha512_write(private_sha512_hasher_t *ctx,
                                                 const unsigned char *datap, int length)
 {
-       while(length > 0) 
+       while(length > 0)
        {
-               if(!ctx->sha_bufCnt) 
+               if(!ctx->sha_bufCnt)
                {
-                       while(length >= sizeof(ctx->sha_out)) 
+                       while(length >= sizeof(ctx->sha_out))
                        {
                                sha512_transform(ctx, datap);
                                datap += sizeof(ctx->sha_out);
@@ -360,7 +360,7 @@ static void sha512_write(private_sha512_hasher_t *ctx,
                }
                ctx->sha_out[ctx->sha_bufCnt] = *datap++;
                length--;
-               if(++ctx->sha_bufCnt == sizeof(ctx->sha_out)) 
+               if(++ctx->sha_bufCnt == sizeof(ctx->sha_out))
                {
                        sha512_transform(ctx, &ctx->sha_out[0]);
                        ctx->sha_bufCnt = 0;
@@ -385,7 +385,7 @@ static void sha512_final(private_sha512_hasher_t *ctx)
 
        /* pad extra space with zeroes */
        padByte = 0;
-       while(ctx->sha_bufCnt != 112) 
+       while(ctx->sha_bufCnt != 112)
        {
                sha512_write(ctx, &padByte, 1);
        }
@@ -408,7 +408,7 @@ static void sha512_final(private_sha512_hasher_t *ctx)
        ctx->sha_out[126] = bitLength >> 8;
        ctx->sha_out[127] = bitLength;
        sha512_transform(ctx, &ctx->sha_out[0]);
-       
+
        /* return results in ctx->sha_out[0...63] */
        datap = &ctx->sha_out[0];
        j = 0;
@@ -429,7 +429,7 @@ static void sha512_final(private_sha512_hasher_t *ctx)
 /**
  * Implementation of hasher_t.get_hash for SHA224.
  */
-static void get_hash224(private_sha256_hasher_t *this, 
+static void get_hash224(private_sha256_hasher_t *this,
                                                chunk_t chunk, u_int8_t *buffer)
 {
        sha256_write(this, chunk.ptr, chunk.len);
@@ -444,7 +444,7 @@ static void get_hash224(private_sha256_hasher_t *this,
 /**
  * Implementation of hasher_t.get_hash for SHA256.
  */
-static void get_hash256(private_sha256_hasher_t *this, 
+static void get_hash256(private_sha256_hasher_t *this,
                                                chunk_t chunk, u_int8_t *buffer)
 {
        sha256_write(this, chunk.ptr, chunk.len);
@@ -489,11 +489,11 @@ static void get_hash512(private_sha512_hasher_t *this,
 /**
  * Implementation of hasher_t.allocate_hash for SHA224.
  */
-static void allocate_hash224(private_sha256_hasher_t *this, 
+static void allocate_hash224(private_sha256_hasher_t *this,
                                                         chunk_t chunk, chunk_t *hash)
 {
        chunk_t allocated_hash;
-       
+
        sha256_write(this, chunk.ptr, chunk.len);
        if (hash != NULL)
        {
@@ -508,11 +508,11 @@ static void allocate_hash224(private_sha256_hasher_t *this,
 /**
  * Implementation of hasher_t.allocate_hash for SHA256.
  */
-static void allocate_hash256(private_sha256_hasher_t *this, 
+static void allocate_hash256(private_sha256_hasher_t *this,
                                                         chunk_t chunk, chunk_t *hash)
 {
        chunk_t allocated_hash;
-       
+
        sha256_write(this, chunk.ptr, chunk.len);
        if (hash != NULL)
        {
@@ -527,11 +527,11 @@ static void allocate_hash256(private_sha256_hasher_t *this,
 /**
  * Implementation of hasher_t.allocate_hash for SHA384.
  */
-static void allocate_hash384(private_sha512_hasher_t *this, 
+static void allocate_hash384(private_sha512_hasher_t *this,
                                                         chunk_t chunk, chunk_t *hash)
 {
        chunk_t allocated_hash;
-       
+
        sha512_write(this, chunk.ptr, chunk.len);
        if (hash != NULL)
        {
@@ -546,11 +546,11 @@ static void allocate_hash384(private_sha512_hasher_t *this,
 /**
  * Implementation of hasher_t.allocate_hash for SHA512.
  */
-static void allocate_hash512(private_sha512_hasher_t *this, 
+static void allocate_hash512(private_sha512_hasher_t *this,
                                                         chunk_t chunk, chunk_t *hash)
 {
        chunk_t allocated_hash;
-       
+
        sha512_write(this, chunk.ptr, chunk.len);
        if (hash != NULL)
        {
@@ -577,7 +577,7 @@ static size_t get_hash_size256(private_sha256_hasher_t *this)
 {
        return HASH_SIZE_SHA256;
 }
-       
+
 /**
  * Implementation of hasher_t.get_hash_size for SHA384.
  */
@@ -585,7 +585,7 @@ static size_t get_hash_size384(private_sha512_hasher_t *this)
 {
        return HASH_SIZE_SHA384;
 }
-       
+
 /**
  * Implementation of hasher_t.get_hash_size for SHA512.
  */
@@ -650,7 +650,7 @@ static void destroy(sha2_hasher_t *this)
 sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm)
 {
        sha2_hasher_t *this;
-       
+
        switch (algorithm)
        {
                case HASH_SHA224:
@@ -686,9 +686,9 @@ sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm)
                        return NULL;
        }
        this->hasher_interface.destroy = (void(*)(hasher_t*))destroy;
-       
+
        /* initialize */
        this->hasher_interface.reset(&this->hasher_interface);
-       
+
        return this;
 }
index 11f4fac261a9fd5ec7c897a365dfc13326ec4c46..ed57ae0bd70d7b192da43ff623b9f93a9acaba81 100644 (file)
@@ -32,7 +32,7 @@ typedef struct sha2_hasher_t sha2_hasher_t;
  * the SHA hash algorithm.
  */
 struct sha2_hasher_t {
-       
+
        /**
         * Generic hasher_t interface for this hasher.
         */
@@ -41,7 +41,7 @@ struct sha2_hasher_t {
 
 /**
  * Creates a new sha2_hasher_t.
- * 
+ *
  * @param      algorithm       HASH_SHA256, HASH_SHA384 or HASH_SHA512
  * @return                             sha2_hasher_t object, NULL if not supported
  */
index 0743f7b1a50f5a5eb0dce717808c4313be11e0fe..90f7cec776b93043dcbbe155cb136225bbee744e 100644 (file)
@@ -47,9 +47,9 @@ static void destroy(private_sha2_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_sha2_plugin_t *this = malloc_thing(private_sha2_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
                                                        (hasher_constructor_t)sha2_hasher_create);
        lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
@@ -58,7 +58,7 @@ plugin_t *plugin_create()
                                                        (hasher_constructor_t)sha2_hasher_create);
        lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
                                                        (hasher_constructor_t)sha2_hasher_create);
-       
+
        return &this->public.plugin;
 }
 
index 6e4951f2d7ad2fe9687367355bc9af73f146af3e..4e18de1c2418ed22ce3673c0b93d3db0c9110851 100644 (file)
@@ -32,12 +32,12 @@ struct private_sqlite_database_t {
         * public functions
         */
        sqlite_database_t public;
-       
+
        /**
         * sqlite database connection
         */
        sqlite3 *db;
-       
+
        /**
         * mutex used to lock execute()
         */
@@ -220,12 +220,12 @@ static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...)
        va_list args;
        sqlite_enumerator_t *enumerator = NULL;
        int i;
-       
+
 #if SQLITE_VERSION_NUMBER < 3005000
        /* sqlite connections prior to 3.5 may be used by a single thread only, */
        this->mutex->lock(this->mutex);
 #endif
-       
+
        va_start(args, sql);
        stmt = run(this, sql, &args);
        if (stmt)
@@ -254,7 +254,7 @@ static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...)
        sqlite3_stmt *stmt;
        int affected = -1;
        va_list args;
-       
+
        /* we need a lock to get our rowid/changes correctly */
        this->mutex->lock(this->mutex);
        va_start(args, sql);
@@ -316,7 +316,7 @@ sqlite_database_t *sqlite_database_create(char *uri)
 {
        char *file;
        private_sqlite_database_t *this;
-       
+
        /**
         * parse sqlite:///path/to/file.db uri
         */
@@ -325,16 +325,16 @@ sqlite_database_t *sqlite_database_create(char *uri)
                return NULL;
        }
        file = uri + 9;
-       
+
        this = malloc_thing(private_sqlite_database_t);
-       
+
        this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query;
        this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute;
        this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
        this->public.db.destroy = (void(*)(database_t*))destroy;
-       
+
        this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-       
+
        if (sqlite3_open(file, &this->db) != SQLITE_OK)
        {
                DBG1("opening SQLite database '%s' failed: %s",
@@ -342,9 +342,9 @@ sqlite_database_t *sqlite_database_create(char *uri)
                destroy(this);
                return NULL;
        }
-       
+
        sqlite3_busy_handler(this->db, (void*)busy_handler, this);
-       
+
        return &this->public;
 }
 
index bedf91e0f04138c820db92dbcd5c1d22d14d2730..955402bf941d8d92cda40b112ff7170058ba7826 100644 (file)
@@ -47,9 +47,9 @@ static void destroy(private_sqlite_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_sqlite_plugin_t *this = malloc_thing(private_sqlite_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        lib->db->add_database(lib->db,
                                                  (database_constructor_t)sqlite_database_create);
 
index 63bbb12618b6f1cfba3c45d262c22f2897682f98..a4e06180ade2e9bbc1e8ef017e99dc9fd720725d 100644 (file)
@@ -30,7 +30,7 @@ crypter_test_vector_t blowfish1 = {
 };
 
 /**
- * Test vector by Chilkat Software 
+ * Test vector by Chilkat Software
  * (www.chilkatsoft.com/p/php_blowfish.asp)
  */
 crypter_test_vector_t blowfish2 = {
index 8502df7ad94225705f00405f0801f9302bb3c02a..4dc1cc174876915dfcf53b1c52656dee9f8839e8 100644 (file)
@@ -33,7 +33,7 @@ monobit_t monobit_all = {
 static bool test_monobit(monobit_t *param, chunk_t data)
 {
        int i, j, bits = 0;
-       
+
        for (i = 0; i < data.len; i++)
        {
                for (j = 0; j < 8; j++)
@@ -87,15 +87,15 @@ static bool test_poker(poker_t *param, chunk_t data)
 {
        int i, counter[16];
        double sum = 0.0;
-       
+
        memset(counter, 0, sizeof(counter));
-       
+
        for (i = 0; i < data.len; i++)
        {
                counter[data.ptr[i] & 0x0F]++;
                counter[(data.ptr[i] & 0xF0) >> 4]++;
        }
-       
+
        for (i = 0; i < countof(counter); i++)
        {
                sum += (counter[i] * counter[i]) / 5000.0 * 16.0;
@@ -145,10 +145,10 @@ runs_t runs_all = {
 static bool test_runs(runs_t *param, chunk_t data)
 {
        int i, j, zero_runs[7], one_runs[7], zero = 0, one = 0, longrun = 0;
-       
+
        memset(one_runs, 0, sizeof(zero_runs));
        memset(zero_runs, 0, sizeof(one_runs));
-       
+
        for (i = 0; i < data.len; i++)
        {
                for (j = 0; j < 8; j++)
@@ -189,7 +189,7 @@ static bool test_runs(runs_t *param, chunk_t data)
                        }
                }
        }
-       
+
        DBG2("  Runs: zero: %d/%d/%d/%d/%d/%d, one: %d/%d/%d/%d/%d/%d, "
                 "longruns: %d",
                 zero_runs[1], zero_runs[2], zero_runs[3],
@@ -197,12 +197,12 @@ static bool test_runs(runs_t *param, chunk_t data)
                 one_runs[1], one_runs[2], one_runs[3],
                 one_runs[4], one_runs[5], one_runs[6],
                 longrun);
-       
+
        if (longrun)
        {
                return FALSE;
        }
-       
+
        for (i = 1; i < countof(zero_runs); i++)
        {
                if (zero_runs[i] <= param->lower[i] ||
index b96dc0c9a7de22ce6396d4d2951f072348535c99..7ad8c3c737712fbc4cc337e6c2f59e0911a08f2f 100644 (file)
@@ -108,9 +108,9 @@ plugin_t *plugin_create()
 {
        private_test_vectors_plugin_t *this = malloc_thing(private_test_vectors_plugin_t);
        int i;
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
+
        for (i = 0; i < countof(crypter); i++)
        {
                lib->crypto->add_test_vector(lib->crypto,
@@ -136,7 +136,7 @@ plugin_t *plugin_create()
                lib->crypto->add_test_vector(lib->crypto,
                                                                         RANDOM_NUMBER_GENERATOR, rng[i]);
        }
-       
+
        return &this->public.plugin;
 }
 
index 17f6949b271f529867652d72dc35ad5e635be186..97dca31234cc5bd69df3801b295633d458c18ba6 100644 (file)
@@ -1,4 +1,4 @@
-/* 
+/*
  * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -52,7 +52,7 @@ struct ietfAttr_t {
 
        /**
         * Compares two ietfAttributes
-        *      
+        *
         * return -1 if this is earlier in the alphabet than other
         * return  0 if this equals other
         * return +1 if this is later in the alphabet than other
@@ -64,7 +64,7 @@ struct ietfAttr_t {
 
        /**
         * Destroys the ietfAttr_t object.
-        * 
+        *
         * @param this                  ietfAttr_t to destroy
         */
        void (*destroy) (ietfAttr_t *this);
@@ -86,7 +86,7 @@ static int ietfAttr_compare(const ietfAttr_t *this ,const ietfAttr_t *other)
        {
                return 1;
        }
-       
+
     cmp_len = this->value.len - other->value.len;
     len = (cmp_len < 0)? this->value.len : other->value.len;
     cmp_value = memcmp(this->value.ptr, other->value.ptr, len);
@@ -271,7 +271,7 @@ void ietfAttr_list_create_from_string(char *msg, linked_list_t *list)
                if (group.len > 0)
                {
                        ietfAttr_t *attr = ietfAttr_create(IETF_ATTRIBUTE_STRING, group);
-               
+
                        ietfAttr_add(list, attr);
                }
        }
@@ -378,7 +378,7 @@ chunk_t ietfAttr_list_encode(linked_list_t *list)
                ietfAttribute = asn1_simple_object(type, attr->value);
 
                /* copy ietfAttribute into ietfAttributes chunk */
-               memcpy(pos, ietfAttribute.ptr, ietfAttribute.len); 
+               memcpy(pos, ietfAttribute.ptr, ietfAttribute.len);
                pos += ietfAttribute.len;
                free(ietfAttribute.ptr);
        }
index 5807a899e4c2c4ae43377ede96dc37877ae5ff0e..124468baca4b1f67e9a31feb4d43b41457189821 100644 (file)
@@ -31,7 +31,7 @@
  *
  * @param list_a       first alphabetically-sorted list
  * @param list_b       second alphabetically-sorted list
- * @return                     TRUE if equal   
+ * @return                     TRUE if equal
  */
 bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b);
 
@@ -39,7 +39,7 @@ bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b);
  * @brief Lists a linked list of ietfAttr_t objects
  *
  * @param list         alphabetically-sorted linked list of attributes
- * @param out          output file     
+ * @param out          output file
  */
 void ietfAttr_list_list(linked_list_t *list, FILE *out);
 
index 1dfe1b80d6858694d68419727b530da715077102..ebd6d8331ec9a29ca62583fd8dbd333279ff27cc 100644 (file)
@@ -40,112 +40,112 @@ typedef struct private_x509_ac_t private_x509_ac_t;
  * private data of x509_ac_t object
  */
 struct private_x509_ac_t {
-       
+
        /**
         * public functions
         */
        x509_ac_t public;
-       
+
        /**
         * X.509 attribute certificate encoding in ASN.1 DER format
         */
        chunk_t encoding;
-       
+
        /**
         * X.509 attribute certificate body over which signature is computed
         */
        chunk_t certificateInfo;
-       
+
        /**
         * Version of the X.509 attribute certificate
         */
        u_int version;
-       
+
        /**
         * Serial number of the X.509 attribute certificate
         */
        chunk_t serialNumber;
-       
+
        /**
         * ID representing the issuer of the holder certificate
         */
        identification_t *holderIssuer;
-       
+
        /**
         * Serial number of the holder certificate
         */
        chunk_t holderSerial;
-       
+
        /**
         * ID representing the holder
         */
        identification_t *entityName;
-       
+
        /**
         * ID representing the attribute certificate issuer
         */
        identification_t *issuerName;
-       
+
        /**
         * Start time of certificate validity
         */
        time_t notBefore;
-       
+
        /**
         * End time of certificate validity
         */
        time_t notAfter;
-       
+
        /**
         * List of charging attributes
         */
        linked_list_t *charging;
-       
+
        /**
         * List of groub attributes
         */
        linked_list_t *groups;
-       
+
        /**
         * Authority Key Identifier
         */
        chunk_t authKeyIdentifier;
-       
+
        /**
         * Authority Key Serial Number
         */
        chunk_t authKeySerialNumber;
-       
+
        /**
         * No revocation information available
         */
        bool noRevAvail;
-       
+
        /**
         * Signature algorithm
         */
        int algorithm;
-       
+
        /**
         * Signature
         */
        chunk_t signature;
-       
+
        /**
         * Holder certificate
         */
        certificate_t *holderCert;
-       
+
        /**
         * Signer certificate
         */
        certificate_t *signerCert;
-       
+
        /**
        * Signer private key;
        */
        private_key_t *signerKey;
-       
+
        /**
         * reference count
         */
@@ -573,7 +573,7 @@ static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this)
        identification_t *issuer;
        public_key_t *public;
        x509_t *x509;
-       
+
        x509 = (x509_t*)this->signerCert;
        issuer = this->signerCert->get_issuer(this->signerCert);
        public = this->signerCert->get_public_key(this->signerCert);
@@ -733,7 +733,7 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
        signature_scheme_t scheme;
        bool valid;
        x509_t *x509 = (x509_t*)issuer;
-       
+
        /* check if issuer is an X.509 AA certificate */
        if (issuer->get_type(issuer) != CERT_X509)
        {
@@ -743,22 +743,22 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
        {
                return FALSE;
        }
-       
+
        /* get the public key of the issuer */
        key = issuer->get_public_key(issuer);
-       
+
        /* compare keyIdentifiers if available, otherwise use DNs */
        if (this->authKeyIdentifier.ptr && key)
        {
                chunk_t fingerprint;
-               
+
                if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
                        !chunk_equals(fingerprint, this->authKeyIdentifier))
                {
                        return FALSE;
                }
        }
-       else 
+       else
        {
                if (!this->issuerName->equals(this->issuerName,
                                                                          issuer->get_subject(issuer)))
@@ -766,10 +766,10 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
                        return FALSE;
                }
        }
-       
+
        /* determine signature scheme */
        scheme = signature_scheme_from_oid(this->algorithm);
-       
+
        if (scheme == SIGN_UNKNOWN || key == NULL)
        {
                return FALSE;
@@ -803,7 +803,7 @@ static bool get_validity(private_x509_ac_t *this, time_t *when,
                                                 time_t *not_before, time_t *not_after)
 {
        time_t t;
-       
+
        if (when)
        {
                t = *when;
@@ -841,7 +841,7 @@ static bool is_newer(private_x509_ac_t *this, ac_t *that)
                        &that_update, FALSE, new ? "replaced":"retained");
        return new;
 }
-       
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
@@ -857,14 +857,14 @@ static bool equals(private_x509_ac_t *this, certificate_t *other)
 {
        chunk_t encoding;
        bool equal;
-       
+
        if ((certificate_t*)this == other)
        {
                return TRUE;
        }
        if (other->equals == (void*)equals)
        {       /* skip allocation if we have the same implementation */
-               return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding); 
+               return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding);
        }
        encoding = other->get_encoding(other);
        equal = chunk_equals(this->encoding, encoding);
@@ -901,7 +901,7 @@ static void destroy(private_x509_ac_t *this)
 static private_x509_ac_t *create_empty(void)
 {
        private_x509_ac_t *this = malloc_thing(private_x509_ac_t);
-       
+
        /* public functions */
        this->public.interface.get_serial = (chunk_t (*)(ac_t*))get_serial;
        this->public.interface.get_holderSerial = (chunk_t (*)(ac_t*))get_holderSerial;
@@ -972,9 +972,9 @@ struct private_builder_t {
 static private_x509_ac_t* build(private_builder_t *this)
 {
        private_x509_ac_t *ac = this->ac;
-       
+
        free(this);
-       
+
        /* synthesis if encoding does not exist */
        if (ac && ac->encoding.ptr == NULL)
        {
@@ -1062,18 +1062,18 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *x509_ac_builder(certificate_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != CERT_X509_AC)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->ac = create_empty();
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index 65527523aa1ce9f2b4484501840c6b8d59706c1e..9d6e2be87443f0b3040b9fa9fa952cd96eb316b6 100644 (file)
@@ -64,17 +64,17 @@ struct private_x509_cert_t {
         * Public interface for this certificate.
         */
        x509_cert_t public;
-       
+
        /**
         * X.509 certificate encoding in ASN.1 DER format
         */
        chunk_t encoding;
-       
+
        /**
         * SHA1 hash of the DER encoding of this X.509 certificate
         */
        chunk_t encoding_hash;
-       
+
        /**
         * X.509 certificate body over which signature is computed
         */
@@ -84,87 +84,87 @@ struct private_x509_cert_t {
         * Version of the X.509 certificate
         */
        u_int version;
-       
+
        /**
         * Serial number of the X.509 certificate
         */
        chunk_t serialNumber;
-       
+
        /**
         * ID representing the certificate issuer
         */
        identification_t *issuer;
-       
+
        /**
         * Start time of certificate validity
         */
        time_t notBefore;
-       
+
        /**
         * End time of certificate validity
         */
        time_t notAfter;
-       
+
        /**
         * ID representing the certificate subject
         */
        identification_t *subject;
-       
+
        /**
         * List of subjectAltNames as identification_t
         */
        linked_list_t *subjectAltNames;
-       
+
        /**
         * List of crlDistributionPoints as allocated char*
         */
        linked_list_t *crl_uris;
-       
+
        /**
         * List ocspAccessLocations as identification_t
         */
        linked_list_t *ocsp_uris;
-       
+
        /**
         * certificates embedded public key
         */
        public_key_t *public_key;
-       
+
        /**
         * Subject Key Identifier
         */
        chunk_t subjectKeyID;
-       
+
        /**
         * Authority Key Identifier
         */
        chunk_t authKeyIdentifier;
-       
+
        /**
         * Authority Key Serial Number
         */
        chunk_t authKeySerialNumber;
-       
+
        /**
         * x509 constraints and other flags
         */
        x509_flag_t flags;
-       
+
        /**
         * Signature algorithm
         */
        int algorithm;
-       
+
        /**
         * Signature
         */
        chunk_t signature;
-       
+
        /**
         * Certificate parsed from blob/file?
         */
        bool parsed;
-       
+
        /**
         * reference count
         */
@@ -177,7 +177,7 @@ static u_char ASN1_sAN_oid_buf[] = {
 static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_sAN_oid_buf);
 
 /**
- * ASN.1 definition of a basicConstraints extension 
+ * ASN.1 definition of a basicConstraints extension
  */
 static const asn1Object_t basicConstraintsObjects[] = {
        { 0, "basicConstraints",        ASN1_SEQUENCE,  ASN1_NONE                       }, /*  0 */
@@ -215,7 +215,7 @@ static bool parse_basicConstraints(chunk_t blob, int level0)
 }
 
 /**
- * ASN.1 definition of otherName 
+ * ASN.1 definition of otherName
  */
 static const asn1Object_t otherNameObjects[] = {
        {0, "type-id",  ASN1_OID,                       ASN1_BODY       }, /* 0 */
@@ -261,14 +261,14 @@ static bool parse_otherName(chunk_t blob, int level0)
                }
        }
        success = parser->success(parser);
-       
+
 end:
        parser->destroy(parser);
        return success;
 }
 
 /**
- * ASN.1 definition of generalName 
+ * ASN.1 definition of generalName
  */
 static const asn1Object_t generalNameObjects[] = {
        { 0, "otherName",               ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_BODY   }, /*  0 */
@@ -309,16 +309,16 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
        asn1_parser_t *parser;
        chunk_t object;
        int objectID ;
-       
+
        identification_t *gn = NULL;
-       
+
        parser = asn1_parser_create(generalNameObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                id_type_t id_type = ID_ANY;
-               
+
                switch (objectID)
                {
                        case GN_OBJ_RFC822_NAME:
@@ -355,14 +355,14 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
                        goto end;
                }
        }
-       
+
 end:
        parser->destroy(parser);
        return gn;
 }
 
 /**
- * ASN.1 definition of generalNames 
+ * ASN.1 definition of generalNames
  */
 static const asn1Object_t generalNamesObjects[] = {
        { 0, "generalNames",    ASN1_SEQUENCE,  ASN1_LOOP }, /* 0 */
@@ -380,18 +380,18 @@ void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_lis
        asn1_parser_t *parser;
        chunk_t object;
        int objectID;
-       
+
        parser = asn1_parser_create(generalNamesObjects, blob);
        parser->set_top_level(parser, level0);
        parser->set_flags(parser, implicit, FALSE);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                if (objectID == GENERAL_NAMES_GN)
                {
                        identification_t *gn = parse_generalName(object,
                                                                                        parser->get_level(parser)+1);
-                       
+
                        if (gn)
                        {
                                list->insert_last(list, (void *)gn);
@@ -402,7 +402,7 @@ void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_lis
 }
 
 /**
- * ASN.1 definition of a authorityKeyIdentifier extension 
+ * ASN.1 definition of a authorityKeyIdentifier extension
  */
 static const asn1Object_t authKeyIdentifierObjects[] = {
        { 0, "authorityKeyIdentifier",          ASN1_SEQUENCE,          ASN1_NONE                       }, /* 0 */
@@ -428,15 +428,15 @@ chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
        chunk_t object;
        int objectID;
        chunk_t authKeyIdentifier = chunk_empty;
-       
+
        *authKeySerialNumber = chunk_empty;
-       
+
        parser = asn1_parser_create(authKeyIdentifierObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
-               switch (objectID) 
+               switch (objectID)
                {
                        case AUTH_KEY_ID_KEY_ID:
                                authKeyIdentifier = chunk_clone(object);
@@ -456,7 +456,7 @@ chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
 }
 
 /**
- * ASN.1 definition of a authorityInfoAccess extension 
+ * ASN.1 definition of a authorityInfoAccess extension
  */
 static const asn1Object_t authInfoAccessObjects[] = {
        { 0, "authorityInfoAccess",     ASN1_SEQUENCE,  ASN1_LOOP }, /* 0 */
@@ -479,13 +479,13 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
        chunk_t object;
        int objectID;
        int accessMethod = OID_UNKNOWN;
-       
+
        parser = asn1_parser_create(authInfoAccessObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
-               switch (objectID) 
+               switch (objectID)
                {
                        case AUTH_INFO_ACCESS_METHOD:
                                accessMethod = asn1_known_oid(object);
@@ -499,7 +499,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
                                                {
                                                        identification_t *id;
                                                        char *uri;
-                                                       
+
                                                        id = parse_generalName(object,
                                                                                        parser->get_level(parser)+1);
                                                        if (id == NULL)
@@ -526,7 +526,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
                                break;
                }
        }
-       
+
 end:
        parser->destroy(parser);
 }
@@ -551,13 +551,13 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0)
        chunk_t object;
        int objectID;
        bool ocsp_signing = FALSE;
-       
+
        parser = asn1_parser_create(extendedKeyUsageObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
-               if (objectID == EXT_KEY_USAGE_PURPOSE_ID && 
+               if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
                        asn1_known_oid(object) == OID_OCSP_SIGNING)
                {
                        ocsp_signing = TRUE;
@@ -598,24 +598,24 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0,
        chunk_t object;
        int objectID;
        linked_list_t *list = linked_list_create();
-       
+
        parser = asn1_parser_create(crlDistributionPointsObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                if (objectID == CRL_DIST_POINTS_FULLNAME)
                {
                        identification_t *id;
-                       
+
                        /* append extracted generalNames to existing chained list */
                        x509_parse_generalNames(object, parser->get_level(parser)+1,
                                                                        TRUE, list);
-       
+
                        while (list->remove_last(list, (void**)&id) == SUCCESS)
                        {
                                char *uri;
-                               
+
                                if (asprintf(&uri, "%Y", id) > 0)
                                {
                                        this->crl_uris->insert_last(this->crl_uris, uri);
@@ -687,13 +687,13 @@ static bool parse_certificate(private_x509_cert_t *this)
        int sig_alg  = OID_UNKNOWN;
        bool success = FALSE;
        bool critical;
-       
+
        parser = asn1_parser_create(certObjects, this->encoding);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                u_int level = parser->get_level(parser)+1;
-               
+
                switch (objectID)
                {
                        case X509_OBJ_TBS_CERTIFICATE:
@@ -780,7 +780,7 @@ static bool parse_certificate(private_x509_cert_t *this)
                                        case OID_NS_CA_REVOCATION_URL:
                                        case OID_NS_CA_POLICY_URL:
                                        case OID_NS_COMMENT:
-                                               if (!asn1_parse_simple_object(&object, ASN1_IA5STRING, 
+                                               if (!asn1_parse_simple_object(&object, ASN1_IA5STRING,
                                                                                        level, oid_names[extn_oid].name))
                                                {
                                                        goto end;
@@ -807,7 +807,7 @@ static bool parse_certificate(private_x509_cert_t *this)
                }
        }
        success = parser->success(parser);
-       
+
 end:
        parser->destroy(parser);
        return success;
@@ -845,7 +845,7 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
        identification_t *current;
        enumerator_t *enumerator;
        id_match_t match, best;
-       
+
        if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID)
        {
                if (chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
@@ -853,7 +853,7 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
                        return ID_MATCH_PERFECT;
                }
        }
-       
+
        best = this->subject->matches(this->subject, subject);
        enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
        while (enumerator->enumerate(enumerator, &current))
@@ -886,7 +886,7 @@ static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
        signature_scheme_t scheme;
        bool valid;
        x509_t *x509 = (x509_t*)issuer;
-       
+
        if (&this->public.interface.interface == issuer)
        {
                if (this->flags & X509_SELF_SIGNED)
@@ -959,7 +959,7 @@ static bool get_validity(private_x509_cert_t *this, time_t *when,
                                                 time_t *not_before, time_t *not_after)
 {
        time_t t;
-       
+
        if (when)
        {
                t = *when;
@@ -986,7 +986,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
 {
        time_t this_update, that_update, now = time(NULL);
        bool new;
-       
+
        this->get_validity(this, &now, &this_update, NULL);
        that->get_validity(that, &now, &that_update, NULL);
        new = this_update > that_update;
@@ -995,7 +995,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
                                &that_update, FALSE, new ? "replaced":"retained");
        return new;
 }
-       
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
@@ -1011,7 +1011,7 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
 {
        chunk_t encoding;
        bool equal;
-       
+
        if (this == (private_x509_cert_t*)other)
        {
                return TRUE;
@@ -1022,7 +1022,7 @@ static bool equals(private_x509_cert_t *this, certificate_t *other)
        }
        if (other->equals == (void*)equals)
        {       /* skip allocation if we have the same implementation */
-               return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding); 
+               return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding);
        }
        encoding = other->get_encoding(other);
        equal = chunk_equals(this->encoding, encoding);
@@ -1103,7 +1103,7 @@ static void destroy(private_x509_cert_t *this)
 static private_x509_cert_t* create_empty(void)
 {
        private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
-       
+
        this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
        this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
        this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
@@ -1123,12 +1123,12 @@ static private_x509_cert_t* create_empty(void)
        this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
        this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
        this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
-       
+
        this->encoding = chunk_empty;
        this->encoding_hash = chunk_empty;
        this->tbsCertificate = chunk_empty;
        this->version = 3;
-       this->serialNumber = chunk_empty;       
+       this->serialNumber = chunk_empty;
        this->notBefore = 0;
        this->notAfter = 0;
        this->public_key = NULL;
@@ -1145,7 +1145,7 @@ static private_x509_cert_t* create_empty(void)
        this->flags = 0;
        this->ref = 1;
        this->parsed = FALSE;
-       
+
        return this;
 }
 
@@ -1156,7 +1156,7 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk)
 {
        hasher_t *hasher;
        private_x509_cert_t *this = create_empty();
-       
+
        this->encoding = chunk;
        this->parsed = TRUE;
        if (!parse_certificate(this))
@@ -1164,23 +1164,23 @@ static private_x509_cert_t *create_from_chunk(chunk_t chunk)
                destroy(this);
                return NULL;
        }
-       
+
        /* check if the certificate is self-signed */
        if (issued_by(this, &this->public.interface.interface))
        {
                this->flags |= X509_SELF_SIGNED;
        }
-       
+
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (hasher == NULL)
        {
-               DBG1("  unable to create hash of certificate, SHA1 not supported");     
+               DBG1("  unable to create hash of certificate, SHA1 not supported");
                destroy(this);
-               return NULL;    
+               return NULL;
        }
        hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
        hasher->destroy(hasher);
-       
+
        return this;
 }
 
@@ -1213,7 +1213,7 @@ static bool generate(private_builder_t *this)
        chunk_t key_info;
        signature_scheme_t scheme;
        hasher_t *hasher;
-       
+
        subject = this->cert->subject;
        if (this->sign_cert)
        {
@@ -1242,7 +1242,7 @@ static bool generate(private_builder_t *this)
                this->cert->notAfter = this->cert->notBefore + 60 * 60 * 24 * 365;
        }
        this->cert->flags = this->flags;
-       
+
        /* select signature scheme */
        switch (this->sign_key->get_type(this->sign_key))
        {
@@ -1304,8 +1304,8 @@ static bool generate(private_builder_t *this)
        {
                /* TODO: encode subjectAltNames */
        }
-       
-       this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", 
+
+       this->cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
                asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2),
                asn1_integer("c", this->cert->serialNumber),
                asn1_algorithmIdentifier(this->cert->algorithm),
@@ -1315,8 +1315,8 @@ static bool generate(private_builder_t *this)
                        asn1_from_time(&this->cert->notAfter, ASN1_UTCTIME)),
                subject->get_encoding(subject),
                key_info, extensions);
-       
-       if (!this->sign_key->sign(this->sign_key, scheme, 
+
+       if (!this->sign_key->sign(this->sign_key, scheme,
                                                        this->cert->tbsCertificate, &this->cert->signature))
        {
                return FALSE;
@@ -1325,7 +1325,7 @@ static bool generate(private_builder_t *this)
                                                                this->cert->tbsCertificate,
                                                                asn1_algorithmIdentifier(this->cert->algorithm),
                                                                asn1_bitstring("c", this->cert->signature));
-       
+
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (!hasher)
        {
@@ -1343,7 +1343,7 @@ static bool generate(private_builder_t *this)
 static private_x509_cert_t *build(private_builder_t *this)
 {
        private_x509_cert_t *cert;
-       
+
        if (this->cert)
        {
                this->cert->flags |= this->flags;
@@ -1370,7 +1370,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
        va_list args;
        chunk_t chunk;
        bool handled = TRUE;
-       
+
        va_start(args, part);
        switch (part)
        {
@@ -1401,7 +1401,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
                va_end(args);
                return;
        }
-       
+
        switch (part)
        {
                case BUILD_PUBLIC_KEY:
@@ -1456,14 +1456,14 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *x509_cert_builder(certificate_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != CERT_X509)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->cert = NULL;
        this->flags = 0;
        this->sign_cert = NULL;
@@ -1471,7 +1471,7 @@ builder_t *x509_cert_builder(certificate_type_t type)
        this->digest_alg = HASH_SHA1;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index 8df0e2f75f5efce4121191bb21f8244cd00318ce..e826f34f9f0a1e6b76101696122022aa9407d3e4 100644 (file)
@@ -36,12 +36,12 @@ struct revoked_t {
         * serial of the revoked certificate
         */
        chunk_t serial;
-       
+
        /**
         * date of revocation
         */
        time_t date;
-       
+
        /**
         * reason for revocation
         */
@@ -57,7 +57,7 @@ struct private_x509_crl_t {
         * public functions
         */
        x509_crl_t public;
-       
+
        /**
         * X.509 crl encoding in ASN.1 DER format
         */
@@ -72,12 +72,12 @@ struct private_x509_crl_t {
         * Version of the X.509 crl
         */
        u_int version;
-       
+
        /**
         * ID representing the crl issuer
         */
        identification_t *issuer;
-       
+
        /**
         * CRL number
         */
@@ -97,7 +97,7 @@ struct private_x509_crl_t {
         * list of revoked certificates as revoked_t
         */
        linked_list_t *revoked;
-       
+
        /**
         * Authority Key Identifier
         */
@@ -107,17 +107,17 @@ struct private_x509_crl_t {
         * Authority Key Serial Number
         */
        chunk_t authKeySerialNumber;
-       
+
        /**
         * Signature algorithm
         */
        int algorithm;
-       
+
        /**
         * Signature
         */
        chunk_t signature;
-       
+
        /**
         * reference counter
         */
@@ -128,7 +128,7 @@ struct private_x509_crl_t {
  * from x509_cert
  */
 extern chunk_t x509_parse_authorityKeyIdentifier(
-                                                               chunk_t blob, int level0, 
+                                                               chunk_t blob, int level0,
                                                                chunk_t *authKeySerialNumber);
 
 /**
@@ -140,7 +140,7 @@ static const asn1Object_t crlObjects[] = {
        { 2,     "version",                                     ASN1_INTEGER,      ASN1_OPT |
                                                                                                                   ASN1_BODY }, /*  2 */
        { 2,     "end opt",                                     ASN1_EOC,          ASN1_END  }, /*  3 */
-       { 2,     "signature",                           ASN1_EOC,          ASN1_RAW  }, /*  4 */        
+       { 2,     "signature",                           ASN1_EOC,          ASN1_RAW  }, /*  4 */
        { 2,     "issuer",                                      ASN1_SEQUENCE,     ASN1_OBJ  }, /*  5 */
        { 2,     "thisUpdate",                          ASN1_EOC,          ASN1_RAW  }, /*  6 */
        { 2,     "nextUpdate",                          ASN1_EOC,          ASN1_RAW  }, /*  7 */
@@ -348,7 +348,7 @@ static chunk_t get_authKeyIdentifier(private_x509_crl_t *this)
 static enumerator_t* create_enumerator(private_x509_crl_t *this)
 {
        return enumerator_create_filter(
-                                                               this->revoked->create_enumerator(this->revoked), 
+                                                               this->revoked->create_enumerator(this->revoked),
                                                                (void*)filter, NULL, NULL);
 }
 
@@ -390,7 +390,7 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
        signature_scheme_t scheme;
        bool valid;
        x509_t *x509 = (x509_t*)issuer;
-       
+
        /* check if issuer is an X.509 CA certificate */
        if (issuer->get_type(issuer) != CERT_X509)
        {
@@ -408,24 +408,24 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
        if (this->authKeyIdentifier.ptr && key)
        {
                chunk_t fingerprint;
-               
+
                if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
                        !chunk_equals(fingerprint, this->authKeyIdentifier))
                {
                        return FALSE;
                }
        }
-       else 
+       else
        {
                if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
                {
                        return FALSE;
                }
        }
-       
+
        /* determine signature scheme */
        scheme = signature_scheme_from_oid(this->algorithm);
-       
+
        if (scheme == SIGN_UNKNOWN || key == NULL)
        {
                return FALSE;
@@ -459,7 +459,7 @@ static bool get_validity(private_x509_crl_t *this, time_t *when,
                                                 time_t *not_before, time_t *not_after)
 {
        time_t t;
-       
+
        if (when)
        {
                t = *when;
@@ -486,7 +486,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that)
 {
        chunk_t that_crlNumber = that->get_serial(that);
        bool new;
-       
+
        /* compare crlNumbers if available - otherwise use thisUpdate */
        if (this->crlNumber.ptr != NULL && that_crlNumber.ptr != NULL)
        {
@@ -495,7 +495,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that)
                                &this->crlNumber, new ? "newer":"not newer",
                                &that_crlNumber,  new ? "replaced":"retained");
        }
-       else 
+       else
        {
                certificate_t *this_cert = &this->public.crl.certificate;
                certificate_t *that_cert = &that->certificate;
@@ -511,7 +511,7 @@ static bool is_newer(private_x509_crl_t *this, crl_t *that)
        }
        return new;
 }
-       
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
@@ -527,14 +527,14 @@ static bool equals(private_x509_crl_t *this, certificate_t *other)
 {
        chunk_t encoding;
        bool equal;
-       
+
        if ((certificate_t*)this == other)
        {
                return TRUE;
        }
        if (other->equals == (void*)equals)
        {       /* skip allocation if we have the same implementation */
-               return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding); 
+               return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding);
        }
        encoding = other->get_encoding(other);
        equal = chunk_equals(this->encoding, encoding);
@@ -563,7 +563,7 @@ static void destroy(private_x509_crl_t *this)
 static private_x509_crl_t* create_empty(void)
 {
        private_x509_crl_t *this = malloc_thing(private_x509_crl_t);
-       
+
        this->public.crl.get_serial = (chunk_t (*)(crl_t*))get_serial;
        this->public.crl.get_authKeyIdentifier = (chunk_t (*)(crl_t*))get_authKeyIdentifier;
        this->public.crl.create_enumerator = (enumerator_t* (*)(crl_t*))create_enumerator;
@@ -580,7 +580,7 @@ static private_x509_crl_t* create_empty(void)
        this->public.crl.certificate.equals = (bool (*)(certificate_t*, certificate_t *other))equals;
        this->public.crl.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
        this->public.crl.certificate.destroy = (void (*)(certificate_t *this))destroy;
-       
+
        this->encoding = chunk_empty;
        this->tbsCertList = chunk_empty;
        this->issuer = NULL;
@@ -589,7 +589,7 @@ static private_x509_crl_t* create_empty(void)
        this->authKeyIdentifier = chunk_empty;
        this->authKeySerialNumber = chunk_empty;
        this->ref = 1;
-       
+
        return this;
 }
 
@@ -610,7 +610,7 @@ struct private_builder_t {
 static private_x509_crl_t *build(private_builder_t *this)
 {
        private_x509_crl_t *crl = NULL;
-       
+
        if (this->blob.len && this->blob.ptr)
        {
                crl = create_empty();
@@ -631,7 +631,7 @@ static private_x509_crl_t *build(private_builder_t *this)
 static void add(private_builder_t *this, builder_part_t part, ...)
 {
        va_list args;
-       
+
        switch (part)
        {
                case BUILD_BLOB_ASN1_DER:
@@ -653,18 +653,18 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *x509_crl_builder(certificate_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != CERT_X509_CRL)
        {
                return NULL;
        }
        this = malloc_thing(private_builder_t);
-       
+
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        this->blob = chunk_empty;
-       
+
        return &this->public;
 }
 
index e772b9720f7624bd2b4a0b8e127b3859d3ac065a..76f82a4d41b94568b3a6ca20f16c98655c26d059 100644 (file)
@@ -39,12 +39,12 @@ struct private_x509_ocsp_request_t {
         * public functions
         */
        x509_ocsp_request_t public;
-       
+
        /**
         * CA the candidates belong to
         */
        x509_t *ca;
-       
+
        /**
         * Requestor name, subject of cert used if not set
         */
@@ -54,27 +54,27 @@ struct private_x509_ocsp_request_t {
         * Requestor certificate, included in request
         */
        certificate_t *cert;
-       
+
        /**
         * Requestor private key to sign request
         */
        private_key_t *key;
-       
+
        /**
         * list of certificates to check, x509_t
         */
        linked_list_t *candidates;
-       
+
        /**
         * nonce used in request
         */
        chunk_t nonce;
-       
+
        /**
         * encoded OCSP request
         */
        chunk_t encoding;
-       
+
        /**
         * reference count
         */
@@ -120,7 +120,7 @@ static chunk_t build_requestorName(private_x509_ocsp_request_t *this)
                return asn1_wrap(ASN1_CONTEXT_C_1, "m",
                                        asn1_simple_object(ASN1_CONTEXT_C_4,
                                                this->requestor->get_encoding(this->requestor)));
-       
+
        }
        return chunk_empty;
 }
@@ -151,7 +151,7 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
        certificate_t *cert;
        chunk_t list = chunk_empty;
        public_key_t *public;
-       
+
        cert = (certificate_t*)this->ca;
        public = cert->get_public_key(cert);
        if (public)
@@ -163,17 +163,17 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
                                                                                &issuerKeyHash))
                        {
                                enumerator_t *enumerator;
-                               
+
                                issuer = cert->get_subject(cert);
                                hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
                                                                          &issuerNameHash);
                                hasher->destroy(hasher);
-                               
+
                                enumerator = this->candidates->create_enumerator(this->candidates);
                                while (enumerator->enumerate(enumerator, &x509))
                                {
                                        chunk_t request, serialNumber;
-                                       
+
                                        serialNumber = x509->get_serial(x509);
                                        request = build_Request(this, issuerNameHash, issuerKeyHash,
                                                                                        serialNumber);
@@ -202,7 +202,7 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
 static chunk_t build_nonce(private_x509_ocsp_request_t *this)
 {
        rng_t *rng;
-       
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
        if (rng)
        {
@@ -256,7 +256,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
        int oid;
        signature_scheme_t scheme;
        chunk_t certs, signature;
-       
+
        switch (this->key->get_type(this->key))
        {
                /* TODO: use a generic mapping function */
@@ -273,7 +273,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
                                 key_type_names, this->key->get_type(this->key));
                        return chunk_empty;
        }
-       
+
        if (!this->key->sign(this->key, scheme, tbsRequest, &signature))
        {
                DBG1("creating OCSP signature failed, skipped");
@@ -286,7 +286,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
                                                this->cert->get_encoding(this->cert)));
        }
        return asn1_wrap(ASN1_CONTEXT_C_0, "m",
-                               asn1_wrap(ASN1_SEQUENCE, "cmm", 
+                               asn1_wrap(ASN1_SEQUENCE, "cmm",
                                        asn1_algorithmIdentifier(oid),
                                        asn1_bitstring("m", signature),
                                        certs));
@@ -299,7 +299,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
 static chunk_t build_OCSPRequest(private_x509_ocsp_request_t *this)
 {
        chunk_t tbsRequest, optionalSignature = chunk_empty;
-       
+
        tbsRequest = build_tbsRequest(this);
        if (this->key)
        {
@@ -323,7 +323,7 @@ static certificate_type_t get_type(private_x509_ocsp_request_t *this)
 static identification_t* get_subject(private_x509_ocsp_request_t *this)
 {
        certificate_t *ca = (certificate_t*)this->ca;
-       
+
        if (this->requestor)
        {
                return this->requestor;
@@ -341,7 +341,7 @@ static identification_t* get_subject(private_x509_ocsp_request_t *this)
 static identification_t* get_issuer(private_x509_ocsp_request_t *this)
 {
        certificate_t *ca = (certificate_t*)this->ca;
-       
+
        return ca->get_subject(ca);
 }
 
@@ -361,11 +361,11 @@ static id_match_t has_subject(private_x509_ocsp_request_t *this,
                match = current->has_subject(current, subject);
                if (match > best)
                {
-                       best = match;   
+                       best = match;
                }
        }
        enumerator->destroy(enumerator);
-       return best;    
+       return best;
 }
 
 /**
@@ -414,7 +414,7 @@ static bool get_validity(private_x509_ocsp_request_t *this, time_t *when,
        }
        return cert->get_validity(cert, when, not_before, not_after);
 }
-       
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
@@ -430,7 +430,7 @@ static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
 {
        chunk_t encoding;
        bool equal;
-       
+
        if (this == (private_x509_ocsp_request_t*)other)
        {
                return TRUE;
@@ -441,7 +441,7 @@ static bool equals(private_x509_ocsp_request_t *this, certificate_t *other)
        }
        if (other->equals == (void*)equals)
        {       /* skip allocation if we have the same implementation */
-               return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding); 
+               return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding);
        }
        encoding = other->get_encoding(other);
        equal = chunk_equals(this->encoding, encoding);
@@ -482,7 +482,7 @@ static void destroy(private_x509_ocsp_request_t *this)
 static private_x509_ocsp_request_t *create_empty()
 {
        private_x509_ocsp_request_t *this = malloc_thing(private_x509_ocsp_request_t);
-       
+
        this->public.interface.interface.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
        this->public.interface.interface.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
        this->public.interface.interface.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -495,7 +495,7 @@ static private_x509_ocsp_request_t *create_empty()
        this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals;
        this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref;
        this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy;
-       
+
        this->ca = NULL;
        this->requestor = NULL;
        this->cert = NULL;
@@ -504,7 +504,7 @@ static private_x509_ocsp_request_t *create_empty()
        this->encoding = chunk_empty;
        this->candidates = linked_list_create();
        this->ref = 1;
-       
+
        return this;
 }
 
@@ -525,7 +525,7 @@ struct private_builder_t {
 static x509_ocsp_request_t *build(private_builder_t *this)
 {
        private_x509_ocsp_request_t *req;
-       
+
        req = this->req;
        free(this);
        if (req->ca)
@@ -546,7 +546,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
        certificate_t *cert;
        identification_t *subject;
        private_key_t *private;
-       
+
        va_start(args, part);
        switch (part)
        {
@@ -595,18 +595,18 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *x509_ocsp_request_builder(certificate_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != CERT_X509_OCSP_REQUEST)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->req = create_empty();
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index 1472d3d7f5c8cb6b5dfb94b0238617771391f7f4..4e2336a09398635186ab4ec3c1be4c5ad237357d 100644 (file)
@@ -45,42 +45,42 @@ struct private_x509_ocsp_response_t {
         * Public interface for this ocsp object.
         */
        x509_ocsp_response_t public;
-       
+
        /**
         * complete encoded OCSP response
         */
        chunk_t encoding;
-       
+
        /**
         * data for signature verficiation
         */
        chunk_t tbsResponseData;
-       
+
        /**
         * signature algorithm (OID)
         */
        int signatureAlgorithm;
-       
+
        /**
         * signature
         */
        chunk_t signature;
-       
+
        /**
         * name or keyid of the responder
         */
        identification_t *responderId;
-       
+
        /**
         * time of response production
         */
        time_t producedAt;
-       
+
        /**
         * latest nextUpdate in this OCSP response
         */
        time_t usableUntil;
-       
+
        /**
         * list of included certificates
         */
@@ -95,7 +95,7 @@ struct private_x509_ocsp_response_t {
         * Nonce required for ocsp request and response
         */
        chunk_t nonce;
-       
+
        /**
         * reference counter
         */
@@ -167,7 +167,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
        single_response_t *response;
        cert_validation_t status = VALIDATION_FAILED;
        certificate_t *issuercert = &issuer->interface;
-       
+
        enumerator = this->responses->create_enumerator(this->responses);
        while (enumerator->enumerate(enumerator, &response))
        {
@@ -175,7 +175,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
                identification_t *id;
                key_encoding_type_t type;
                chunk_t hash, fingerprint;
-               
+
                /* check serial first, is cheaper */
                if (!chunk_equals(subject->get_serial(subject), response->serialNumber))
                {
@@ -185,7 +185,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
                if (response->issuerKeyHash.ptr)
                {
                        public_key_t *public;
-                       
+
                        public = issuercert->get_public_key(issuercert);
                        if (!public)
                        {
@@ -211,7 +211,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
                /* check issuerNameHash, if available */
                else if (response->issuerNameHash.ptr)
                {
-                       hasher = lib->crypto->create_hasher(lib->crypto, 
+                       hasher = lib->crypto->create_hasher(lib->crypto,
                                                        hasher_algorithm_from_oid(response->hashAlgorithm));
                        if (!hasher)
                        {
@@ -235,7 +235,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
                *revocation_reason = response->revocationReason;
                *this_update = response->thisUpdate;
                *next_update = response->nextUpdate;
-               
+
                break;
        }
        enumerator->destroy(enumerator);
@@ -312,7 +312,7 @@ static bool parse_singleResponse(private_x509_ocsp_response_t *this,
        bool success = FALSE;
 
        single_response_t *response;
-       
+
        response = malloc_thing(single_response_t);
        response->hashAlgorithm = OID_UNKNOWN;
        response->issuerNameHash = chunk_empty;
@@ -402,14 +402,14 @@ static const asn1Object_t responsesObjects[] = {
 /**
  * Parse all responses
  */
-static bool parse_responses(private_x509_ocsp_response_t *this, 
+static bool parse_responses(private_x509_ocsp_response_t *this,
                                                        chunk_t blob, int level0)
 {
        asn1_parser_t *parser;
        chunk_t object;
        int objectID;
        bool success = FALSE;
-       
+
        parser = asn1_parser_create(responsesObjects, blob);
        parser->set_top_level(parser, level0);
 
@@ -486,7 +486,7 @@ static const asn1Object_t basicResponseObjects[] = {
 /**
  * Parse a basicOCSPResponse
  */
-static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, 
+static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
                                                                        chunk_t blob, int level0)
 {
        asn1_parser_t *parser;
@@ -498,7 +498,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
        certificate_t *cert;
        bool success = FALSE;
        bool critical;
-       
+
        parser = asn1_parser_create(basicResponseObjects, blob);
        parser->set_top_level(parser, level0);
 
@@ -691,7 +691,7 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer)
        signature_scheme_t scheme;
        bool valid;
        x509_t *x509 = (x509_t*)issuer;
-       
+
        if (issuer->get_type(issuer) != CERT_X509)
        {
                return FALSE;
@@ -699,7 +699,7 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer)
        if (this->responderId->get_type(this->responderId) == ID_KEY_ID)
        {
                chunk_t fingerprint;
-               
+
                key = issuer->get_public_key(issuer);
                if (!key ||
                        !key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
@@ -711,7 +711,7 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer)
                }
                key->destroy(key);
        }
-       else 
+       else
        {
                if (!this->responderId->equals(this->responderId,
                                                                           issuer->get_subject(issuer)))
@@ -791,7 +791,7 @@ static bool is_newer(certificate_t *this, certificate_t *that)
                                &that_update, FALSE, new ? "replaced":"retained");
        return new;
 }
-       
+
 /**
  * Implementation of certificate_t.get_encoding.
  */
@@ -807,7 +807,7 @@ static bool equals(private_x509_ocsp_response_t *this, certificate_t *other)
 {
        chunk_t encoding;
        bool equal;
-       
+
        if (this == (private_x509_ocsp_response_t*)other)
        {
                return TRUE;
@@ -818,7 +818,7 @@ static bool equals(private_x509_ocsp_response_t *this, certificate_t *other)
        }
        if (other->equals == (void*)equals)
        {       /* skip allocation if we have the same implementation */
-               return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding); 
+               return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding);
        }
        encoding = other->get_encoding(other);
        equal = chunk_equals(this->encoding, encoding);
@@ -856,9 +856,9 @@ static void destroy(private_x509_ocsp_response_t *this)
 static x509_ocsp_response_t *load(chunk_t data)
 {
        private_x509_ocsp_response_t *this;
-       
+
        this = malloc_thing(private_x509_ocsp_response_t);
-       
+
        this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
        this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer;
        this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -874,7 +874,7 @@ static x509_ocsp_response_t *load(chunk_t data)
        this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy;
        this->public.interface.get_status = (cert_validation_t(*)(ocsp_response_t*, x509_t *subject, x509_t *issuer, time_t *revocation_time,crl_reason_t *revocation_reason,time_t *this_update, time_t *next_update))get_status;
        this->public.interface.create_cert_enumerator = (enumerator_t*(*)(ocsp_response_t*))create_cert_enumerator;
-       
+
        this->ref = 1;
        this->encoding = data;
        this->tbsResponseData = chunk_empty;
@@ -913,7 +913,7 @@ struct private_builder_t {
 static x509_ocsp_response_t *build(private_builder_t *this)
 {
        x509_ocsp_response_t *res = this->res;
-       
+
        free(this);
        return res;
 }
@@ -927,7 +927,7 @@ static void add(private_builder_t *this, builder_part_t part, ...)
        {
                va_list args;
                chunk_t chunk;
-               
+
                switch (part)
                {
                        case BUILD_BLOB_ASN1_DER:
@@ -955,18 +955,18 @@ static void add(private_builder_t *this, builder_part_t part, ...)
 builder_t *x509_ocsp_response_builder(certificate_type_t type)
 {
        private_builder_t *this;
-       
+
        if (type != CERT_X509_OCSP_RESPONSE)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_builder_t);
-       
+
        this->res = NULL;
        this->public.add = (void(*)(builder_t *this, builder_part_t part, ...))add;
        this->public.build = (void*(*)(builder_t *this))build;
-       
+
        return &this->public;
 }
 
index 9ed7f95bd003d02827ddd93d21690db072e779a9..b7e8b5bd310fd5de12e80ec37b8819a2486cb86b 100644 (file)
@@ -59,7 +59,7 @@ static void destroy(private_x509_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
        lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
index dd63af005d0a8b5b8ebd5c3f667ce4910e188ed1..b9f03eeac11a7cfddff8615bd798c72a5baca7aa 100644 (file)
@@ -23,7 +23,7 @@ typedef struct private_xcbc_t private_xcbc_t;
 
 /**
  * Private data of a xcbc_t object.
- * 
+ *
  * The variable names are the same as in the RFC.
  */
 struct private_xcbc_t {
@@ -31,42 +31,42 @@ struct private_xcbc_t {
         * Public xcbc_t interface.
         */
        xcbc_t xcbc;
-       
+
        /**
         * Block size, in bytes
         */
        u_int8_t b;
-       
+
        /**
         * crypter using k1
         */
        crypter_t *k1;
-       
+
        /**
         * k2
         */
        u_int8_t *k2;
-       
+
        /**
         * k3
         */
        u_int8_t *k3;
-       
+
        /**
         * E
         */
        u_int8_t *e;
-       
+
        /**
         * remaining, unprocessed bytes in append mode
         */
        u_int8_t *remaining;
-       
+
        /**
         * number of bytes in remaining
         */
        int remaining_bytes;
-       
+
        /**
         * TRUE if we have zero bytes to xcbc in final()
         */
@@ -79,34 +79,34 @@ struct private_xcbc_t {
 static void update(private_xcbc_t *this, chunk_t data)
 {
        chunk_t iv;
-       
+
        if (data.len)
        {
                this->zero = FALSE;
        }
-       
+
        if (this->remaining_bytes + data.len <= this->b)
        {       /* no complete block, just copy into remaining */
                memcpy(this->remaining + this->remaining_bytes, data.ptr, data.len);
                this->remaining_bytes += data.len;
                return;
        }
-       
+
        iv = chunk_alloca(this->b);
        memset(iv.ptr, 0, iv.len);
-       
+
        /* (3) For each block M[i], where i = 1 ... n-1:
         *     XOR M[i] with E[i-1], then encrypt the result with Key K1,
         *     yielding E[i].
         */
-       
+
        /* append data to remaining bytes, process block M[1] */
        memcpy(this->remaining + this->remaining_bytes, data.ptr,
                   this->b - this->remaining_bytes);
        data = chunk_skip(data, this->b - this->remaining_bytes);
        memxor(this->e, this->remaining, this->b);
        this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
-       
+
        /* process blocks M[2] ... M[n-1] */
        while (data.len > this->b)
        {
@@ -115,7 +115,7 @@ static void update(private_xcbc_t *this, chunk_t data)
                memxor(this->e, this->remaining, this->b);
                this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
        }
-       
+
        /* store remaining bytes of block M[n] */
        memcpy(this->remaining, data.ptr, data.len);
        this->remaining_bytes = data.len;
@@ -127,10 +127,10 @@ static void update(private_xcbc_t *this, chunk_t data)
 static void final(private_xcbc_t *this, u_int8_t *out)
 {
        chunk_t iv;
-       
+
        iv = chunk_alloca(this->b);
        memset(iv.ptr, 0, iv.len);
-       
+
        /* (4) For block M[n]: */
        if (this->remaining_bytes == this->b && !this->zero)
        {
@@ -165,9 +165,9 @@ static void final(private_xcbc_t *this, u_int8_t *out)
                memxor(this->e, this->k3, this->b);
                this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
        }
-       
+
        memcpy(out, this->e, this->b);
-       
+
        /* (2) Define E[0] = 0x00000000000000000000000000000000 */
        memset(this->e, 0, this->b);
        this->remaining_bytes = 0;
@@ -181,13 +181,13 @@ static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out)
 {
        /* update E, do not process last block */
        update(this, data);
-       
+
        if (out)
        {       /* if not in append mode, process last block and output result */
                final(this, out);
        }
 }
-       
+
 /**
  * Implementation of xcbc_t.get_block_size.
  */
@@ -225,8 +225,8 @@ static void set_key(private_xcbc_t *this, chunk_t key)
        k1 = chunk_alloca(this->b);
        iv = chunk_alloca(this->b);
        memset(iv.ptr, 0, iv.len);
-       
-       /* 
+
+       /*
         * (1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret
      *     key K, as follows:
      *     K1 = 0x01010101010101010101010101010101 encrypted with Key K
@@ -263,7 +263,7 @@ xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
 {
        private_xcbc_t *this;
        crypter_t *crypter;
-       
+
        crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size);
        if (!crypter)
        {
@@ -275,13 +275,13 @@ xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
                crypter->destroy(crypter);
                return NULL;
        }
-       
+
        this = malloc_thing(private_xcbc_t);
        this->xcbc.get_mac = (void (*)(xcbc_t *,chunk_t,u_int8_t*))get_mac;
        this->xcbc.get_block_size = (size_t (*)(xcbc_t *))get_block_size;
        this->xcbc.set_key = (void (*)(xcbc_t *,chunk_t))set_key;
        this->xcbc.destroy = (void (*)(xcbc_t *))destroy;
-       
+
        this->b = crypter->get_block_size(crypter);
        this->k1 = crypter;
        this->k2 = malloc(this->b);
index a334c675b1c228a988fbcf0d0e2bc5dd526df822..f28e0b8e090e933db2721127285ed333683f1a5a 100644 (file)
@@ -32,34 +32,34 @@ typedef struct xcbc_t xcbc_t;
  * described in RFC3566.
  */
 struct xcbc_t {
-       
+
        /**
         * Generate message authentication code.
-        * 
+        *
         * If buffer is NULL, no result is given back. A next call will
-        * append the data to already supplied data. If buffer is not NULL, 
+        * append the data to already supplied data. If buffer is not NULL,
         * the mac of all apended data is calculated, returned and the
         * state of the xcbc_t is reseted.
-        * 
+        *
         * @param data          chunk of data to authenticate
         * @param buffer        pointer where the generated bytes will be written
         */
        void (*get_mac) (xcbc_t *this, chunk_t data, u_int8_t *buffer);
-       
+
        /**
         * Get the block size of this xcbc_t object.
-        * 
+        *
         * @return                      block size in bytes
         */
        size_t (*get_block_size) (xcbc_t *this);
-       
+
        /**
         * Set the key for this xcbc_t object.
-        * 
+        *
         * @param key           key to set
         */
        void (*set_key) (xcbc_t *this, chunk_t key);
-       
+
        /**
         * Destroys a xcbc_t object.
         */
@@ -68,7 +68,7 @@ struct xcbc_t {
 
 /**
  * Creates a new xcbc_t object.
- * 
+ *
  * @param algo                 underlying crypto algorithm
  * @param key_size             key size to use, if required for algorithm
  * @return                             xcbc_t object, NULL if not supported
index 25f59c650cd698507028646bda8784edff7cf065..3eb7f09271d86a5ceebd58ec511301e44269e7c3 100644 (file)
@@ -50,12 +50,12 @@ static void destroy(private_xcbc_plugin_t *this)
 plugin_t *plugin_create()
 {
        private_xcbc_plugin_t *this = malloc_thing(private_xcbc_plugin_t);
-       
+
        this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-       
-       lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, 
+
+       lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC,
                                                 (prf_constructor_t)xcbc_prf_create);
-       lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, 
+       lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96,
                                                        (signer_constructor_t)xcbc_signer_create);
 
        return &this->public.plugin;
index a90f2d44f44e46357beb1f1d1d247f5af2bac1e9..2459dc61663b5f09f44105adecc0ebb9efd7a787 100644 (file)
@@ -27,8 +27,8 @@ struct private_xcbc_prf_t {
        /**
         * Public xcbc_prf_t interface.
         */
-       xcbc_prf_t public;      
-       
+       xcbc_prf_t public;
+
        /**
         * xcbc to use for generation.
         */
@@ -100,7 +100,7 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
 {
        private_xcbc_prf_t *this;
        xcbc_t *xcbc;
-       
+
        switch (algo)
        {
                case PRF_AES128_XCBC:
@@ -113,17 +113,17 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_xcbc_prf_t);
        this->xcbc = xcbc;
-       
+
        this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
        this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
        this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
        this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
        this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
        this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-       
+
        return &this->public;
 }
 
index bbf5b972aece47bb98aa57446d27cb8d3400879c..d2db9af41f31253c7017e75afced8fb1c7ca3fec 100644 (file)
@@ -27,12 +27,12 @@ typedef struct xcbc_prf_t xcbc_prf_t;
 
 /**
  * Implementation of prf_t on CBC block cipher using XCBC, RFC3664/RFC4434.
- * 
+ *
  * This simply wraps a xcbc_t in a prf_t. More a question of
  * interface matching.
  */
 struct xcbc_prf_t {
-       
+
        /**
         * Generic prf_t interface for this xcbc_prf_t class.
         */
@@ -41,7 +41,7 @@ struct xcbc_prf_t {
 
 /**
  * Creates a new xcbc_prf_t object.
- * 
+ *
  * @param algo         algorithm to implement
  * @return                     xcbc_prf_t object, NULL if hash not supported
  */
index b394bb25184f9e0f74e59a78b92fdd9fc079c9a8..1c98d39d7e32755d9ab505567c2631c5a3c28e80 100644 (file)
@@ -29,12 +29,12 @@ struct private_xcbc_signer_t {
         * Public interface of xcbc_signer_t.
         */
        xcbc_signer_t public;
-       
+
        /**
         * Assigned xcbc function.
         */
        xcbc_t *xcbc;
-       
+
        /**
         * Block size (truncation of XCBC MAC)
         */
@@ -54,7 +54,7 @@ static void get_signature(private_xcbc_signer_t *this,
        else
        {
                u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
-               
+
                this->xcbc->get_mac(this->xcbc, data, mac);
                memcpy(buffer, mac, this->block_size);
        }
@@ -73,12 +73,12 @@ static void allocate_signature (private_xcbc_signer_t *this,
        else
        {
                u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
-               
+
                this->xcbc->get_mac(this->xcbc, data, mac);
 
                chunk->ptr = malloc(this->block_size);
                chunk->len = this->block_size;
-               
+
                memcpy(chunk->ptr, mac, this->block_size);
        }
 }
@@ -90,12 +90,12 @@ static bool verify_signature(private_xcbc_signer_t *this,
                                                         chunk_t data, chunk_t signature)
 {
        u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
-       
+
        if (signature.len != this->block_size)
        {
                return FALSE;
        }
-       
+
        this->xcbc->get_mac(this->xcbc, data, mac);
        return memeq(signature.ptr, mac, this->block_size);
 }
@@ -142,7 +142,7 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
        private_xcbc_signer_t *this;
        size_t trunc;
        xcbc_t *xcbc;
-       
+
        switch (algo)
        {
                case AUTH_AES_XCBC_96:
@@ -156,11 +156,11 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
        {
                return NULL;
        }
-       
+
        this = malloc_thing(private_xcbc_signer_t);
        this->xcbc = xcbc;
        this->block_size = min(trunc, xcbc->get_block_size(xcbc));
-       
+
        /* interface functions */
        this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
        this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
@@ -169,7 +169,7 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
        this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
        this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
        this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
-       
+
        return &this->public;
 }
 
index dc00873920e1a82fa01cecf265532b30182dfe83..181cfe2991a3d8a0afc9941f74d36387a7ee0021 100644 (file)
@@ -29,7 +29,7 @@ typedef struct xcbc_signer_t xcbc_signer_t;
  * Implementation of signer_t based on CBC symmetric cypher. XCBC, RFC3566.
  */
 struct xcbc_signer_t {
-       
+
        /**
         * generic signer_t interface for this signer
         */
index 692ad9cf8da69d3ee8ebf2a2e5ba89bd425f9263..c0294ee519a7cc1785c18ae3f8013147b658e8b4 100644 (file)
@@ -44,17 +44,17 @@ struct private_printf_hook_t {
  * struct with information about a registered handler
  */
 struct printf_hook_handler_t {
-       
+
        /**
         * callback function
         */
        printf_hook_function_t hook;
-       
+
        /**
         * number of arguments
         */
        int numargs;
-       
+
        /**
         * types of the arguments
         */
@@ -89,11 +89,11 @@ static int custom_print(FILE *stream, const struct printf_info *info,
        char buf[PRINTF_BUF_LEN];
        printf_hook_spec_t spec;
        printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
-       
+
        spec.hash = info->alt;
        spec.minus = info->left;
        spec.width = info->width;
-       
+
        written = handler->hook(buf, sizeof(buf), &spec, args);
        if (written > 0)
        {
@@ -110,7 +110,7 @@ static int custom_arginfo(const struct printf_info *info, size_t n, int *argtype
 {
        int i;
        printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(info->spec)];
-       
+
        if (handler->numargs <= n)
        {
                for (i = 0; i < handler->numargs; ++i)
@@ -136,7 +136,7 @@ static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
        const void *args[ARGS_MAX];
        printf_hook_spec_t spec;
        printf_hook_handler_t *handler = printf_hooks[SPEC_TO_INDEX(fmt_spec->name[0])];
-       
+
        for (i = 0; i < handler->numargs; i++)
        {
                switch(handler->argtypes[i])
@@ -149,11 +149,11 @@ static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
                                break;
                }
        }
-       
+
        spec.hash = fmt_spec->fmt_hash;
        spec.minus = fmt_spec->fmt_minus;
        spec.width = fmt_spec->fmt_field_width;
-       
+
        written = handler->hook(buf, sizeof(buf), &spec, args);
        if (written > 0)
        {
@@ -331,16 +331,16 @@ static void add_handler(private_printf_hook_t *this, char spec,
        printf_hook_handler_t *handler;
        printf_hook_argtype_t argtype;
        va_list args;
-       
+
        if (!IS_VALID_SPEC(spec))
        {
                DBG1("'%c' is not a valid printf hook specifier, not registered!", spec);
                return;
        }
-       
+
        handler = malloc_thing(printf_hook_handler_t);
        handler->hook = hook;
-       
+
        va_start(args, hook);
        while ((argtype = va_arg(args, printf_hook_argtype_t)) != PRINTF_HOOK_ARGTYPE_END)
        {
@@ -354,9 +354,9 @@ static void add_handler(private_printf_hook_t *this, char spec,
                handler->argtypes[i] = argtype;
        }
        va_end(args);
-       
+
        handler->numargs = i + 1;
-       
+
        if (handler->numargs > 0)
        {
 #if defined(HAVE_PRINTF_HOOKS) && !defined(USE_VSTR)
@@ -385,7 +385,7 @@ static void destroy(private_printf_hook_t *this)
 #ifdef USE_VSTR
        Vstr_conf *conf = get_vstr_conf();
 #endif
-       
+
        for (i = 0; i < NUM_HANDLERS; ++i)
        {
                printf_hook_handler_t *handler = printf_hooks[i];
@@ -398,7 +398,7 @@ static void destroy(private_printf_hook_t *this)
                        free(handler);
                }
        }
-       
+
 #ifdef USE_VSTR
        /* freeing the Vstr_conf of the main thread */
        pthread_key_delete(vstr_conf_key);
@@ -414,12 +414,12 @@ static void destroy(private_printf_hook_t *this)
 printf_hook_t *printf_hook_create()
 {
        private_printf_hook_t *this = malloc_thing(private_printf_hook_t);
-       
+
        this->public.add_handler = (void(*)(printf_hook_t*, char, printf_hook_function_t, ...))add_handler;
        this->public.destroy = (void(*)(printf_hook_t*))destroy;
-       
+
        memset(printf_hooks, 0, sizeof(printf_hooks));
-       
+
 #ifdef USE_VSTR
        if (!vstr_init())
        {
@@ -428,7 +428,7 @@ printf_hook_t *printf_hook_create()
                return NULL;
        }
 #endif
-       
+
        return &this->public;
 }
 
index 02c973580fcc2d823d47114ba1b5d697080962ac..9d0203c0272d6b6b7ca6e9dbe53686099fee50ab 100644 (file)
@@ -77,7 +77,7 @@ int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list a
 
 /**
  * Callback function type for printf hooks.
- * 
+ *
  * @param dst          destination buffer
  * @param len          length of the buffer
  * @param spec         format specifier
@@ -111,12 +111,12 @@ struct printf_hook_spec_t {
         * TRUE if a '#' was used in the format specifier
         */
        int hash;
-       
+
        /**
         * TRUE if a '-' was used in the format specifier
         */
        int minus;
-       
+
        /**
         * The width as given in the format specifier.
         */
@@ -127,7 +127,7 @@ struct printf_hook_spec_t {
  * Printf handler management.
  */
 struct printf_hook_t {
-       
+
        /**
         * Register a printf handler.
         *
@@ -137,7 +137,7 @@ struct printf_hook_t {
         */
        void (*add_handler)(printf_hook_t *this, char spec,
                                                printf_hook_function_t hook, ...);
-       
+
        /**
      * Destroy a printf_hook instance.
      */
index 64ac09299ed63fead6888ff98874c2db7d6c554a..6a3f74140fb06863501c9cf0a0328ae356a84303 100644 (file)
@@ -38,12 +38,12 @@ struct private_settings_t {
         * public functions
         */
        settings_t public;
-       
+
        /**
         * top level section
         */
        section_t *top;
-       
+
        /**
         * allocated file text
         */
@@ -64,7 +64,7 @@ struct section_t {
         * subsections, as section_t
         */
        linked_list_t *sections;
-       
+
        /**
         * key value pairs, as kv_t
         */
@@ -80,7 +80,7 @@ struct kv_t {
         * key string, relative
         */
        char *key;
-       
+
        /**
         * value as string
         */
@@ -95,7 +95,7 @@ static section_t *find_section(section_t *section, char *key, va_list args)
        char name[512], *pos;
        enumerator_t *enumerator;
        section_t *current, *found = NULL;
-       
+
        if (section == NULL)
        {
                return NULL;
@@ -104,7 +104,7 @@ static section_t *find_section(section_t *section, char *key, va_list args)
        {
                return NULL;
        }
-       
+
        pos = strchr(name, '.');
        if (pos)
        {
@@ -134,17 +134,17 @@ static char *find_value(section_t *section, char *key, va_list args)
        enumerator_t *enumerator;
        kv_t *kv;
        section_t *current, *found = NULL;
-       
+
        if (section == NULL)
        {
                return NULL;
        }
-       
+
        if (vsnprintf(name, sizeof(name), key, args) >= sizeof(name))
        {
                return NULL;
        }
-       
+
        pos = strchr(name, '.');
        if (pos)
        {
@@ -188,7 +188,7 @@ static char* get_str(private_settings_t *this, char *key, char *def, ...)
 {
        char *value;
        va_list args;
-       
+
        va_start(args, def);
        value = find_value(this->top, key, args);
        va_end(args);
@@ -206,7 +206,7 @@ static bool get_bool(private_settings_t *this, char *key, bool def, ...)
 {
        char *value;
        va_list args;
-       
+
        va_start(args, def);
        value = find_value(this->top, key, args);
        va_end(args);
@@ -238,7 +238,7 @@ static int get_int(private_settings_t *this, char *key, int def, ...)
        char *value;
        int intval;
        va_list args;
-       
+
        va_start(args, def);
        value = find_value(this->top, key, args);
        va_end(args);
@@ -262,7 +262,7 @@ static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, ..
        char *value, *endptr;
        u_int32_t timeval;
        va_list args;
-       
+
        va_start(args, def);
        value = find_value(this->top, key, args);
        va_end(args);
@@ -310,13 +310,13 @@ static enumerator_t* create_section_enumerator(private_settings_t *this,
 {
        section_t *section;
        va_list args;
-       
+
        va_start(args, key);
        section = find_section(this->top, key, args);
        va_end(args);
-       
+
        if (!section)
-       {       
+       {
                return enumerator_create_empty();
        }
        return enumerator_create_filter(
@@ -331,7 +331,7 @@ static void section_destroy(section_t *this)
 {
        this->kv->destroy_function(this->kv, free);
        this->sections->destroy_function(this->sections, (void*)section_destroy);
-       
+
        free(this);
 }
 
@@ -362,7 +362,7 @@ static char parse(char **text, char *skip, char *term, char *br, char **token)
        {
                char *pos = *text;
                int level = 1;
-               
+
                /* find terminator */
                while (*pos)
                {
@@ -417,15 +417,15 @@ static section_t* parse_section(char **text, char *name)
        section_t *sub, *section;
        bool finished = FALSE;
        char *key, *value, *inner;
-       
+
        static int lev = 0;
        lev++;
-       
+
        section = malloc_thing(section_t);
        section->name = name;
        section->sections = linked_list_create();
        section->kv = linked_list_create();
-       
+
        while (!finished)
        {
                switch (parse(text, "\t\n ", "{=#", NULL, &key))
@@ -485,23 +485,23 @@ static void destroy(private_settings_t *this)
 settings_t *settings_create(char *file)
 {
        private_settings_t *this = malloc_thing(private_settings_t);
-       
+
        this->public.get_str = (char*(*)(settings_t*, char *key, char* def, ...))get_str;
        this->public.get_int = (int(*)(settings_t*, char *key, int def, ...))get_int;
        this->public.get_time = (u_int32_t(*)(settings_t*, char *key, u_int32_t def, ...))get_time;
        this->public.get_bool = (bool(*)(settings_t*, char *key, bool def, ...))get_bool;
        this->public.create_section_enumerator = (enumerator_t*(*)(settings_t*,char *section, ...))create_section_enumerator;
        this->public.destroy = (void(*)(settings_t*))destroy;
-       
+
        this->top = NULL;
        this->text = NULL;
-       
+
        if (file)
        {
                FILE *fd;
                int len;
                char *pos;
-       
+
                fd = fopen(file, "r");
                if (fd == NULL)
                {
index 1816787aeb59a22d3920ef4ab4890f7f40f54f74..f483c3d268d7033596f658a73ba71721ce3155cd 100644 (file)
@@ -63,7 +63,7 @@ struct settings_t {
         * @return                      value pointing to internal string
         */
        char* (*get_str)(settings_t *this, char *key, char *def, ...);
-       
+
        /**
         * Get a boolean yes|no, true|false value.
         *
@@ -73,7 +73,7 @@ struct settings_t {
         * @return                      value of the key
         */
        bool (*get_bool)(settings_t *this, char *key, bool def, ...);
-       
+
        /**
         * Get an integer value.
         *
@@ -83,7 +83,7 @@ struct settings_t {
         * @return                      value of the key
         */
        int (*get_int)(settings_t *this, char *key, int def, ...);
-       
+
        /**
         * Get a time value.
         *
@@ -93,7 +93,7 @@ struct settings_t {
         * @return                      value of the key
         */
        u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def, ...);
-       
+
        /**
         * Create an enumerator over subsection names of a section.
         *
index 2d5ff3d79298b644003993ca3ebe8688bb6d1b57..e128f61507aa79e06b7851addacf24ada5a08790 100644 (file)
@@ -50,9 +50,9 @@ void *clalloc(void * pointer, size_t size)
 {
        void *data;
        data = malloc(size);
-       
+
        memcpy(data, pointer, size);
-       
+
        return (data);
 }
 
@@ -62,7 +62,7 @@ void *clalloc(void * pointer, size_t size)
 void memxor(u_int8_t dst[], u_int8_t src[], size_t n)
 {
        int m, i;
-       
+
        /* byte wise XOR until dst aligned */
        for (i = 0; (uintptr_t)&dst[i] % sizeof(long); i++)
        {
@@ -171,7 +171,7 @@ time_t time_monotonic(timeval_t *tv)
        /* as we use time_monotonic() for condvar operations, we use the
         * monotonic time source only if it is also supported by pthread. */
        timespec_t ts;
-       
+
        if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
        {
                if (tv)
@@ -233,7 +233,7 @@ void nop()
 #include <pthread.h>
 
 /**
- * We use a single mutex for all refcount variables. 
+ * We use a single mutex for all refcount variables.
  */
 static pthread_mutex_t ref_mutex = PTHREAD_MUTEX_INITIALIZER;
 
@@ -253,7 +253,7 @@ void ref_get(refcount_t *ref)
 bool ref_put(refcount_t *ref)
 {
        bool more_refs;
-       
+
        pthread_mutex_lock(&ref_mutex);
        more_refs = --(*ref);
        pthread_mutex_unlock(&ref_mutex);
@@ -274,7 +274,7 @@ int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
        time_t *time = *((time_t**)(args[0]));
        bool utc = *((bool*)(args[1]));;
        struct tm t;
-       
+
        if (time == UNDEFINED_TIME)
        {
                return print_in_hook(dst, len, "--- -- --:--:--%s----",
@@ -303,7 +303,7 @@ int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
        time_t *arg1 = *((time_t**)(args[0]));
        time_t *arg2 = *((time_t**)(args[1]));
        time_t delta = abs(*arg1 - *arg2);
-       
+
        if (delta > 2 * 60 * 60 * 24)
        {
                delta /= 60 * 60 * 24;
@@ -337,7 +337,7 @@ int mem_printf_hook(char *dst, size_t dstlen,
 {
        char *bytes = *((void**)(args[0]));
        int len = *((size_t*)(args[1]));
-       
+
        char buffer[BYTES_PER_LINE * 3];
        char ascii_buffer[BYTES_PER_LINE + 1];
        char *buffer_pos = buffer;
@@ -346,9 +346,9 @@ int mem_printf_hook(char *dst, size_t dstlen,
        int line_start = 0;
        int i = 0;
        int written = 0;
-       
+
        written += print_in_hook(dst, dstlen, "=> %d bytes @ %p", len, bytes);
-       
+
        while (bytes_pos < bytes_roof)
        {
                *buffer_pos++ = hexdig_upper[(*bytes_pos >> 4) & 0xF];
@@ -357,20 +357,20 @@ int mem_printf_hook(char *dst, size_t dstlen,
                ascii_buffer[i++] =
                                (*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.';
 
-               if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE) 
+               if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE)
                {
                        int padding = 3 * (BYTES_PER_LINE - i);
-                       
+
                        while (padding--)
                        {
                                *buffer_pos++ = ' ';
                        }
                        *buffer_pos++ = '\0';
                        ascii_buffer[i] = '\0';
-                       
+
                        written += print_in_hook(dst, dstlen, "\n%4d: %s  %s",
                                                                     line_start, buffer, ascii_buffer);
-                       
+
                        buffer_pos = buffer;
                        line_start += BYTES_PER_LINE;
                        i = 0;
index 35008f4550182c33d3415bb9d55fcdd54a70f2d4..71aeb60f7b5829a59de6b12d2f97490668e59891 100644 (file)
@@ -175,57 +175,57 @@ enum status_t {
         * Call succeeded.
         */
        SUCCESS,
-       
+
        /**
         * Call failed.
         */
        FAILED,
-       
+
        /**
         * Out of resources.
         */
        OUT_OF_RES,
-       
+
        /**
         * The suggested operation is already done
         */
        ALREADY_DONE,
-       
+
        /**
         * Not supported.
         */
        NOT_SUPPORTED,
-       
+
        /**
         * One of the arguments is invalid.
         */
        INVALID_ARG,
-       
+
        /**
         * Something could not be found.
         */
        NOT_FOUND,
-       
+
        /**
         * Error while parsing.
         */
        PARSE_ERROR,
-       
+
        /**
         * Error while verifying.
         */
        VERIFY_ERROR,
-       
+
        /**
         * Object in invalid state.
         */
        INVALID_STATE,
-       
+
        /**
         * Destroy object which called method belongs to.
         */
        DESTROY_ME,
-       
+
        /**
         * Another call to the method is required.
         */
@@ -275,10 +275,10 @@ void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
 void *memstr(const void *haystack, const char *needle, size_t n);
 
 /**
- * Creates a directory and all required parent directories. 
+ * Creates a directory and all required parent directories.
  *
  * @param path         path to the new directory
- * @param mode         permissions of the new directory/directories 
+ * @param mode         permissions of the new directory/directories
  * @return                     TRUE on success
  */
 bool mkdir_p(const char *path, mode_t mode);
@@ -340,7 +340,7 @@ void ref_get(refcount_t *ref);
 /**
  * Put back a unused reference.
  *
- * Decrements the reference counter atomic and 
+ * Decrements the reference counter atomic and
  * says if more references available.
  *
  * @param ref  pointer to ref counter
@@ -353,7 +353,7 @@ bool ref_put(refcount_t *ref);
 /**
  * printf hook for time_t.
  *
- * Arguments are: 
+ * Arguments are:
  *    time_t* time, bool utc
  */
 int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
@@ -362,7 +362,7 @@ int time_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 /**
  * printf hook for time_t deltas.
  *
- * Arguments are: 
+ * Arguments are:
  *    time_t* begin, time_t* end
  */
 int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
@@ -371,7 +371,7 @@ int time_delta_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 /**
  * printf hook for memory areas.
  *
- * Arguments are: 
+ * Arguments are:
  *    u_char *ptr, int len
  */
 int mem_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
index f110521afe0655f2df4c631862eb4464f5276319..99c93d59bfe51463b456324fa5b6cb6b1ec290cc 100644 (file)
@@ -33,17 +33,17 @@ typedef struct private_backtrace_t private_backtrace_t;
  * Private data of an backtrace_t object.
  */
 struct private_backtrace_t {
-       
+
        /**
         * Public backtrace_t interface.
         */
        backtrace_t public;
-       
+
        /**
         * Number of stacks frames obtained in stack_frames
         */
        int frame_count;
-       
+
        /**
         * Recorded stack frames.
         */
@@ -58,7 +58,7 @@ static void log_(private_backtrace_t *this, FILE *file)
 #ifdef HAVE_BACKTRACE
        size_t i;
        char **strings;
-       
+
        strings = backtrace_symbols(this->frames, this->frame_count);
 
        fprintf(file, " dumping %d stack frame addresses:\n", this->frame_count);
@@ -66,14 +66,14 @@ static void log_(private_backtrace_t *this, FILE *file)
        {
 #ifdef HAVE_DLADDR
                Dl_info info;
-               
+
                if (dladdr(this->frames[i], &info))
                {
                        char cmd[1024];
                        FILE *output;
                        char c;
                        void *ptr = this->frames[i];
-                       
+
                        if (strstr(info.dli_fname, ".so"))
                        {
                                ptr = (void*)(this->frames[i] - info.dli_fbase);
@@ -136,7 +136,7 @@ static bool contains_function(private_backtrace_t *this, char *function)
        for (i = 0; i< this->frame_count; i++)
        {
                Dl_info info;
-               
+
                if (dladdr(this->frames[i], &info) && info.dli_sname)
                {
                        if (streq(info.dli_sname, function))
@@ -165,7 +165,7 @@ backtrace_t *backtrace_create(int skip)
        private_backtrace_t *this;
        void *frames[50];
        int frame_count = 0;
-       
+
 #ifdef HAVE_BACKTRACE
        frame_count = backtrace(frames, countof(frames));
 #endif /* HAVE_BACKTRACE */
@@ -173,11 +173,11 @@ backtrace_t *backtrace_create(int skip)
        this = malloc(sizeof(private_backtrace_t) + frame_count * sizeof(void*));
        memcpy(this->frames, frames + skip, frame_count * sizeof(void*));
        this->frame_count = frame_count;
-       
+
        this->public.log = (void(*)(backtrace_t*,FILE*))log_;
        this->public.contains_function = (bool(*)(backtrace_t*, char *function))contains_function;
        this->public.destroy = (void(*)(backtrace_t*))destroy;
-       
+
        return &this->public;
 }
 
index 061d9f35634d16c049bbf23e2d3af3ea5930d3ba..c4d4284d1be452ebd3b5e54b469718ef54a40e08 100644 (file)
@@ -31,12 +31,12 @@ typedef struct backtrace_t backtrace_t;
  * A backtrace registers the frames on the stack during creation.
  */
 struct backtrace_t {
-       
+
        /**
         * Log the backtrace to a FILE stream.
         */
        void (*log)(backtrace_t *this, FILE *file);
-       
+
        /**
         * Check if the backtrace contains a frame in a specific function.
         *
@@ -44,7 +44,7 @@ struct backtrace_t {
         * @return              TRUE if function is in the stack
         */
        bool (*contains_function)(backtrace_t *this, char *function);
-       
+
        /**
         * Destroy a backtrace instance.
         */
index 08522b8d59b4d6ed3bec6c71be63d6fb5c565011..33b51ff42a59c0e682092e954f21751d91328095 100644 (file)
@@ -77,7 +77,7 @@ static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
 {
        struct dirent *entry = readdir(this->dir);
        size_t len, remaining;
-       
+
        if (!entry)
        {
                return FALSE;
@@ -91,7 +91,7 @@ static bool enumerate_dir_enum(dir_enum_t *this, char **relative,
                *relative = entry->d_name;
        }
        if (absolute || st)
-       {       
+       {
                remaining = sizeof(this->full) - (this->full_end - this->full);
                len = snprintf(this->full_end, remaining, "%s", entry->d_name);
                if (len < 0 || len >= remaining)
@@ -124,7 +124,7 @@ enumerator_t* enumerator_create_directory(char *path)
        dir_enum_t *this = malloc_thing(dir_enum_t);
        this->public.enumerate = (void*)enumerate_dir_enum;
        this->public.destroy = (void*)destroy_dir_enum;
-       
+
        if (*path == '\0')
        {
                path = "./";
@@ -143,7 +143,7 @@ enumerator_t* enumerator_create_directory(char *path)
                this->full[len] = '\0';
        }
        this->full_end = &this->full[len];
-       
+
        this->dir = opendir(path);
        if (this->dir == NULL)
        {
@@ -186,7 +186,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 {
        char *pos = NULL, *tmp, *sep, *trim;
        bool last = FALSE;
-       
+
        /* trim leading characters/separators */
        while (*this->pos)
        {
@@ -215,7 +215,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
                        break;
                }
        }
-       
+
        switch (*this->pos)
        {
                case '"':
@@ -259,7 +259,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
                        break;
                }
        }
-       
+
        /* trim trailing characters/separators */
        pos--;
        while (pos >= *token)
@@ -289,7 +289,7 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
                        break;
                }
        }
-       
+
        if (!last || pos >= *token)
        {
                return TRUE;
@@ -303,14 +303,14 @@ static bool enumerate_token_enum(token_enum_t *this, char **token)
 enumerator_t* enumerator_create_token(char *string, char *sep, char *trim)
 {
        token_enum_t *enumerator = malloc_thing(token_enum_t);
-       
+
        enumerator->public.enumerate = (void*)enumerate_token_enum;
        enumerator->public.destroy = (void*)destroy_token_enum;
        enumerator->string = strdup(string);
        enumerator->pos = enumerator->string;
        enumerator->sep = sep;
        enumerator->trim = trim;
-       
+
        return &enumerator->public;
 }
 
@@ -342,9 +342,9 @@ static bool enumerate_nested(nested_enumerator_t *this, void *v1, void *v2,
        while (TRUE)
        {
                while (this->inner == NULL)
-               {       
+               {
                        void *outer;
-                       
+
                        if (!this->outer->enumerate(this->outer, &outer))
                        {
                                return FALSE;
@@ -382,7 +382,7 @@ enumerator_t *enumerator_create_nested(enumerator_t *outer,
                                        void *data, void (*destroy_data)(void *data))
 {
        nested_enumerator_t *enumerator = malloc_thing(nested_enumerator_t);
-       
+
        enumerator->public.enumerate = (void*)enumerate_nested;
        enumerator->public.destroy = (void*)destroy_nested;
        enumerator->outer = outer;
@@ -390,7 +390,7 @@ enumerator_t *enumerator_create_nested(enumerator_t *outer,
        enumerator->create_inner = (void*)inner_constructor;
        enumerator->data = data;
        enumerator->destroy_data = destroy_data;
-       
+
        return &enumerator->public;
 }
 
@@ -444,14 +444,14 @@ enumerator_t *enumerator_create_filter(enumerator_t *unfiltered,
                                                                           void *data, void (*destructor)(void *data))
 {
        filter_enumerator_t *this = malloc_thing(filter_enumerator_t);
-       
+
        this->public.enumerate = (void*)enumerate_filter;
        this->public.destroy = (void*)destroy_filter;
        this->unfiltered = unfiltered;
        this->filter = filter;
        this->data = data;
        this->destructor = destructor;
-       
+
        return &this->public;
 }
 
@@ -491,13 +491,13 @@ enumerator_t *enumerator_create_cleaner(enumerator_t *wrapped,
                                                                                void (*cleanup)(void *data), void *data)
 {
        cleaner_enumerator_t *this = malloc_thing(cleaner_enumerator_t);
-       
+
        this->public.enumerate = (void*)enumerate_cleaner;
        this->public.destroy = (void*)destroy_cleaner;
        this->wrapped = wrapped;
        this->cleanup = cleanup;
        this->data = data;
-       
+
        return &this->public;
 }
 
@@ -543,13 +543,13 @@ static bool enumerate_single(single_enumerator_t *this, void **item)
 enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item))
 {
        single_enumerator_t *this = malloc_thing(single_enumerator_t);
-       
+
        this->public.enumerate = (void*)enumerate_single;
        this->public.destroy = (void*)destroy_single;
        this->item = item;
        this->cleanup = cleanup;
        this->done = FALSE;
-       
+
        return &this->public;
 }
 
index 4367d08360c0e1854e22a752a391a456f965b74b..e3afcf074b7dd444af344476e0c33f68f332e937 100644 (file)
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup enumerator enumerator
  * @{ @ingroup utils
@@ -33,14 +33,14 @@ struct enumerator_t {
        /**
         * Enumerate collection.
         *
-        * The enumerate function takes a variable argument list containing 
+        * The enumerate function takes a variable argument list containing
         * pointers where the enumerated values get written.
         *
         * @param ...   variable list of enumerated items, implementation dependant
         * @return              TRUE if pointers returned
         */
        bool (*enumerate)(enumerator_t *this, ...);
-               
+
        /**
      * Destroy a enumerator instance.
      */
@@ -75,7 +75,7 @@ enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item));
        char *rel, *abs;
        struct stat st;
        enumerator_t *e;
-       
+
        e = enumerator_create_directory("/tmp");
        if (e)
        {
@@ -110,7 +110,7 @@ enumerator_t* enumerator_create_token(char *string, char *sep, char *trim);
 
 /**
  * Creates an enumerator which enumerates over enumerated enumerators :-).
- * 
+ *
  * The variable argument list of enumeration values is limit to 5.
  *
  * @param outer                                        outer enumerator
index 6d33d023b6e1c5826448c02ded0eb1817b7183d0..494d165b3bd9f26f36100327bc7278891a02f51c 100644 (file)
@@ -30,12 +30,12 @@ struct pair_t {
         * Key of a hash table item.
         */
        void *key;
-       
+
        /**
         * Value of a hash table item.
         */
        void *value;
-       
+
        /**
         * Cached hash (used in case of a resize).
         */
@@ -48,11 +48,11 @@ struct pair_t {
 pair_t *pair_create(void *key, void *value, u_int hash)
 {
        pair_t *this = malloc_thing(pair_t);
-       
+
        this->key = key;
        this->value = value;
        this->hash = hash;
-       
+
        return this;
 }
 
@@ -67,37 +67,37 @@ struct private_hashtable_t {
         * Public part of hash table.
         */
        hashtable_t public;
-       
+
        /**
-        * The number of items in the hash table. 
+        * The number of items in the hash table.
         */
        u_int count;
-       
+
        /**
         * The current capacity of the hash table (always a power of 2).
         */
        u_int capacity;
-       
+
        /**
-        * The current mask to calculate the row index (capacity - 1). 
+        * The current mask to calculate the row index (capacity - 1).
         */
        u_int mask;
-       
+
        /**
         * The load factor.
         */
        float load_factor;
-       
+
        /**
         * The actual table.
         */
        linked_list_t **table;
-       
+
        /**
         * The hashing function.
         */
        hashtable_hash_t hash;
-       
+
        /**
         * The equality function.
         */
@@ -115,17 +115,17 @@ struct private_enumerator_t {
         * implements enumerator interface
         */
        enumerator_t enumerator;
-       
+
        /**
         * associated hash table
         */
        private_hashtable_t *table;
-       
+
        /**
         * current row index
         */
        u_int row;
-       
+
        /**
         * enumerator for the current row
         */
@@ -166,7 +166,7 @@ static void init_hashtable(private_hashtable_t *this, u_int capacity)
        this->capacity = get_nearest_powerof2(capacity);
        this->mask = this->capacity - 1;
        this->load_factor = 0.75;
-       
+
        this->table = calloc(this->capacity, sizeof(linked_list_t*));
 }
 
@@ -178,14 +178,14 @@ static void rehash(private_hashtable_t *this)
        u_int row;
        u_int old_capacity = this->capacity;
        linked_list_t **old_table = this->table;
-       
+
        if (old_capacity >= MAX_CAPACITY)
        {
                return;
        }
-       
+
        init_hashtable(this, old_capacity << 1);
-       
+
        for (row = 0; row < old_capacity; ++row)
        {
                linked_list_t *list;
@@ -220,7 +220,7 @@ static void *put(private_hashtable_t *this, void *key, void *value)
        void *old_value = NULL;
        u_int hash = this->hash(key);
        u_int row = hash & this->mask;
-       
+
        if ((list = this->table[row]) != NULL)
        {
                pair_t *pair;
@@ -240,30 +240,30 @@ static void *put(private_hashtable_t *this, void *key, void *value)
        {
                list = this->table[row] = linked_list_create();
        }
-       
+
        if (!old_value)
        {
                list->insert_last(list, pair_create(key, value, hash));
                this->count++;
        }
-       
+
        if (this->count >= this->capacity * this->load_factor)
        {
                rehash(this);
        }
-       
+
        return old_value;
 }
-       
+
 /**
- * Implementation of hashtable_t.get  
+ * Implementation of hashtable_t.get
  */
 static void *get(private_hashtable_t *this, void *key)
 {
        void *value = NULL;
        linked_list_t *list;
        u_int row = this->hash(key) & this->mask;
-       
+
        if ((list = this->table[row]) != NULL)
        {
                pair_t *pair;
@@ -273,10 +273,10 @@ static void *get(private_hashtable_t *this, void *key)
                        value = pair->value;
                }
        }
-       
+
        return value;
 }
-       
+
 /**
  * Implementation of hashtable_t.remove
  */
@@ -284,8 +284,8 @@ static void *remove_(private_hashtable_t *this, void *key)
 {
        void *value = NULL;
        linked_list_t *list;
-       u_int row = this->hash(key) & this->mask;       
-       
+       u_int row = this->hash(key) & this->mask;
+
        if ((list = this->table[row]) != NULL)
        {
                pair_t *pair;
@@ -303,10 +303,10 @@ static void *remove_(private_hashtable_t *this, void *key)
                }
                enumerator->destroy(enumerator);
        }
-       
+
        return value;
 }
-       
+
 /**
  * Implementation of hashtable_t.get_count
  */
@@ -325,7 +325,7 @@ static bool enumerate(private_enumerator_t *this, void **key, void **value)
                if (this->current)
                {
                        pair_t *pair;
-                       
+
                        if (this->current->enumerate(this->current, &pair))
                        {
                                if (key)
@@ -344,7 +344,7 @@ static bool enumerate(private_enumerator_t *this, void **key, void **value)
                else
                {
                        linked_list_t *list;
-                       
+
                        if ((list = this->table->table[this->row]) != NULL)
                        {
                                this->current = list->create_enumerator(list);
@@ -374,16 +374,16 @@ static void enumerator_destroy(private_enumerator_t *this)
 static enumerator_t* create_enumerator(private_hashtable_t *this)
 {
        private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
-       
+
        enumerator->enumerator.enumerate = (void*)enumerate;
        enumerator->enumerator.destroy = (void*)enumerator_destroy;
        enumerator->table = this;
        enumerator->row = 0;
        enumerator->current = NULL;
-       
+
        return &enumerator->enumerator;
 }
-       
+
 /**
  * Implementation of hashtable_t.destroy
  */
@@ -411,12 +411,12 @@ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
        private_hashtable_t *this = malloc_thing(private_hashtable_t);
 
        this->public.put = (void*(*)(hashtable_t*,void*,void*))put;
-       this->public.get = (void*(*)(hashtable_t*,void*))get; 
+       this->public.get = (void*(*)(hashtable_t*,void*))get;
        this->public.remove = (void*(*)(hashtable_t*,void*))remove_;
        this->public.get_count = (u_int(*)(hashtable_t*))get_count;
        this->public.create_enumerator = (enumerator_t*(*)(hashtable_t*))create_enumerator;
        this->public.destroy = (void(*)(hashtable_t*))destroy;
-       
+
        this->count = 0;
        this->capacity = 0;
        this->mask = 0;
@@ -424,8 +424,8 @@ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals,
        this->table = NULL;
        this->hash = hash;
        this->equals = equals;
-       
+
        init_hashtable(this, capacity);
-       
+
        return &this->public;
 }
index cbe51f55774cf86af288bf97c3e053ec55ae4aca..142ea63297afa75bd0b9cda44580fb2503edc15c 100644 (file)
@@ -48,61 +48,61 @@ typedef bool (*hashtable_equals_t)(void *key, void *other_key);
  * General purpose hash table. This hash table is not synchronized.
  */
 struct hashtable_t {
-       
+
        /**
         * Create an enumerator over the hash table key/value pairs.
-        * 
+        *
         * @return                      enumerator over (void *key, void *value)
         */
        enumerator_t *(*create_enumerator) (hashtable_t *this);
-       
+
        /**
         * Adds the given value with the given key to the hash table, if there
         * exists no entry with that key. NULL is returned in this case.
         * Otherwise the existing value is replaced and the function returns the
         * old value.
-        * 
+        *
         * @param key           the key to store
         * @param value         the value to store
         * @return                      NULL if no item was replaced, the old value otherwise
         */
        void *(*put) (hashtable_t *this, void *key, void *value);
-       
+
        /**
         * Returns the value with the given key, if the hash table contains such an
         * entry, otherwise NULL is returned.
-        * 
+        *
         * @param key           the key of the requested value
-        * @return                      the value, NULL if not found  
+        * @return                      the value, NULL if not found
         */
        void *(*get) (hashtable_t *this, void *key);
-       
+
        /**
         * Removes the value with the given key from the hash table and returns the
         * removed value (or NULL if no such value existed).
-        * 
+        *
         * @param key           the key of the value to remove
         * @return                      the removed value, NULL if not found
         */
        void *(*remove) (hashtable_t *this, void *key);
-       
+
        /**
         * Gets the number of items in the hash table.
-        * 
+        *
         * @return                      number of items
         */
        u_int (*get_count) (hashtable_t *this);
-       
+
        /**
         * Destroys a hash table object.
         */
        void (*destroy) (hashtable_t *this);
-       
+
 };
 
 /**
  * Creates an empty hash table object.
- * 
+ *
  * @param hash                 hash function
  * @param equals               equals function
  * @param capacity             initial capacity
index 661bec31527bbdf2eefaac69718280548695dd26..a610b3a4d67060debc3cebb811abcbca42616971 100644 (file)
@@ -38,7 +38,7 @@ struct private_host_t {
         * Public data
         */
        host_t public;
-       
+
        /**
         * low-lewel structure, wich stores the address
         */
@@ -111,7 +111,7 @@ int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec,
 {
        private_host_t *this = *((private_host_t**)(args[0]));
        char buffer[INET6_ADDRSTRLEN + 16];
-       
+
        if (this == NULL)
        {
                snprintf(buffer, sizeof(buffer), "(null)");
@@ -126,10 +126,10 @@ int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec,
                void *address;
                u_int16_t port;
                int len;
-               
+
                address = &this->address6.sin6_addr;
                port = this->address6.sin6_port;
-               
+
                switch (this->address.sa_family)
                {
                        case AF_INET:
@@ -137,7 +137,7 @@ int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec,
                                port = this->address4.sin_port;
                                /* fall */
                        case AF_INET6:
-       
+
                                if (inet_ntop(this->address.sa_family, address,
                                                          buffer, sizeof(buffer)) == NULL)
                                {
@@ -169,7 +169,7 @@ int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec,
 static chunk_t get_address(private_host_t *this)
 {
        chunk_t address = chunk_empty;
-       
+
        switch (this->address.sa_family)
        {
                case AF_INET:
@@ -252,7 +252,7 @@ static void set_port(private_host_t *this, u_int16_t port)
 static private_host_t *clone_(private_host_t *this)
 {
        private_host_t *new = malloc_thing(private_host_t);
-       
+
        memcpy(new, this, sizeof(private_host_t));
        return new;
 }
@@ -267,7 +267,7 @@ static bool ip_equals(private_host_t *this, private_host_t *other)
                /* 0.0.0.0 and 0::0 are equal */
                return (is_anyaddr(this) && is_anyaddr(other));
        }
-       
+
        switch (this->address.sa_family)
        {
                case AF_INET:
@@ -292,7 +292,7 @@ static bool ip_equals(private_host_t *this, private_host_t *other)
 static host_diff_t get_differences(host_t *this, host_t *other)
 {
        host_diff_t ret = HOST_DIFF_NONE;
-       
+
        if (!this->ip_equals(this, other))
        {
                ret |= HOST_DIFF_ADDR;
@@ -302,7 +302,7 @@ static host_diff_t get_differences(host_t *this, host_t *other)
        {
                ret |= HOST_DIFF_PORT;
        }
-       
+
        return ret;
 }
 
@@ -315,7 +315,7 @@ static bool equals(private_host_t *this, private_host_t *other)
        {
                return FALSE;
        }
-       
+
        switch (this->address.sa_family)
        {
                case AF_INET:
@@ -346,7 +346,7 @@ static void destroy(private_host_t *this)
 static private_host_t *host_create_empty(void)
 {
        private_host_t *this = malloc_thing(private_host_t);
-       
+
        this->public.get_sockaddr = (sockaddr_t* (*) (host_t*))get_sockaddr;
        this->public.get_sockaddr_len = (socklen_t*(*) (host_t*))get_sockaddr_len;
        this->public.clone = (host_t* (*) (host_t*))clone_;
@@ -359,7 +359,7 @@ static private_host_t *host_create_empty(void)
        this->public.equals = (bool (*) (host_t *,host_t *)) equals;
        this->public.is_anyaddr = (bool (*) (host_t *)) is_anyaddr;
        this->public.destroy = (void (*) (host_t*))destroy;
-       
+
        return this;
 }
 
@@ -369,7 +369,7 @@ static private_host_t *host_create_empty(void)
 static host_t *host_create_any_port(int family, u_int16_t port)
 {
        host_t *this;
-       
+
        this = host_create_any(family);
        this->set_port(this, port);
        return this;
@@ -381,7 +381,7 @@ static host_t *host_create_any_port(int family, u_int16_t port)
 host_t *host_create_from_string(char *string, u_int16_t port)
 {
        private_host_t *this;
-       
+
        if (streq(string, "%any"))
        {
                return host_create_any_port(AF_INET, port);
@@ -390,7 +390,7 @@ host_t *host_create_from_string(char *string, u_int16_t port)
        {
                return host_create_any_port(AF_INET6, port);
        }
-       
+
        this = host_create_empty();
        if (strchr(string, '.'))
        {
@@ -437,7 +437,7 @@ host_t *host_create_from_string(char *string, u_int16_t port)
 host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
 {
        private_host_t *this = host_create_empty();
-       
+
        switch (sockaddr->sa_family)
        {
                case AF_INET:
@@ -467,7 +467,7 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
        private_host_t *this;
        struct addrinfo hints, *result;
        int error;
-       
+
        if (streq(string, "%any"))
        {
                return host_create_any_port(af ? af : AF_INET, port);
@@ -476,7 +476,7 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
        {
                return host_create_any_port(af ? af : AF_INET6, port);
        }
-       
+
        memset(&hints, 0, sizeof(hints));
        hints.ai_family = af;
        error = getaddrinfo(string, NULL, &hints, &result);
@@ -510,7 +510,7 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
 host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
 {
        private_host_t *this;
-       
+
        switch (family)
        {
                case AF_INET:
@@ -567,10 +567,10 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
 host_t *host_create_any(int family)
 {
        private_host_t *this = host_create_empty();
-       
+
        memset(&this->address_max, 0, sizeof(struct sockaddr_storage));
        this->address.sa_family = family;
-       
+
        switch (family)
        {
                case AF_INET:
index 0a2541d96fa3f6eca25e2715725d11f4244cea1d..2b70b1b7b9e478504daa3255ff69138658475abf 100644 (file)
@@ -48,103 +48,103 @@ enum host_diff_t {
 
 /**
  * Representates a Host
- * 
- * Host object, identifies a address:port pair and defines some 
+ *
+ * Host object, identifies a address:port pair and defines some
  * useful functions on it.
  */
 struct host_t {
-       
-       /** 
+
+       /**
         * Build a clone of this host object.
-        * 
+        *
         * @return              cloned host
         */
        host_t *(*clone) (host_t *this);
-       
-       /** 
+
+       /**
         * Get a pointer to the internal sockaddr struct.
-        * 
+        *
         * This is used for sending and receiving via sockets.
-        * 
+        *
         * @return              pointer to the internal sockaddr structure
         */
        sockaddr_t  *(*get_sockaddr) (host_t *this);
-       
-       /** 
+
+       /**
         * Get the length of the sockaddr struct.
-        * 
+        *
         * Depending on the family, the length of the sockaddr struct
         * is different. Use this function to get the length of the sockaddr
         * struct returned by get_sock_addr.
-        * 
+        *
         * This is used for sending and receiving via sockets.
-        * 
+        *
         * @return              length of the sockaddr struct
         */
        socklen_t *(*get_sockaddr_len) (host_t *this);
-       
+
        /**
         * Gets the family of the address
-        * 
+        *
         * @return              family
         */
        int (*get_family) (host_t *this);
-       
-       /** 
+
+       /**
         * Checks if the ip address of host is set to default route.
-        * 
+        *
         * @return              TRUE if host is 0.0.0.0 or 0::0, FALSE otherwise
         */
        bool (*is_anyaddr) (host_t *this);
-       
-       /** 
+
+       /**
         * Get the address of this host as chunk_t
-        * 
+        *
         * Returned chunk points to internal data.
-        * 
-        * @return              address string, 
+        *
+        * @return              address string,
         */
        chunk_t (*get_address) (host_t *this);
-               
-       /** 
+
+       /**
         * Get the port of this host
-        * 
+        *
         * @return              port number
         */
        u_int16_t (*get_port) (host_t *this);
 
-       /** 
+       /**
         * Set the port of this host
         *
         * @param port  port numer
         */
        void (*set_port) (host_t *this, u_int16_t port);
-               
-       /** 
+
+       /**
         * Compare the ips of two hosts hosts.
-        * 
+        *
         * @param other the other to compare
         * @return              TRUE if addresses are equal.
         */
        bool (*ip_equals) (host_t *this, host_t *other);
-               
-       /** 
+
+       /**
         * Compare two hosts, with port.
-        * 
+        *
         * @param other the other to compare
         * @return              TRUE if addresses and ports are equal.
         */
        bool (*equals) (host_t *this, host_t *other);
 
-       /** 
+       /**
         * Compare two hosts and return the differences.
         *
         * @param other the other to compare
         * @return              differences in a combination of host_diff_t's
         */
        host_diff_t (*get_differences) (host_t *this, host_t *other);
-       
-       /** 
+
+       /**
         * Destroy this host object.
         */
        void (*destroy) (host_t *this);
@@ -200,7 +200,7 @@ host_t *host_create_any(int family);
 /**
  * printf hook function for host_t.
  *
- * Arguments are: 
+ * Arguments are:
  *    host_t *host
  * Use #-modifier to include port number
  */
index 269c9b166482d934150af03e55d0c9b1a7391f8f..040847029db0915f9b332691f078cad1c412263c 100644 (file)
@@ -55,7 +55,7 @@ ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
 ENUM_END(id_type_names, ID_MYID);
 
 /**
- * coding of X.501 distinguished name 
+ * coding of X.501 distinguished name
  */
 typedef struct {
        const u_char *name;
@@ -108,12 +108,12 @@ struct private_identification_t {
         * Public interface.
         */
        identification_t public;
-       
+
        /**
         * Encoded representation of this ID.
         */
        chunk_t encoded;
-       
+
        /**
         * Type of this ID.
         */
@@ -139,7 +139,7 @@ static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid,
                                                  u_char *type, chunk_t *data)
 {
        chunk_t rdn;
-       
+
        /* a DN contains one or more SET, each containing one or more SEQUENCES,
         * each containing a OID/value RDN */
        if (!this->seqs.len)
@@ -154,7 +154,7 @@ static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid,
                asn1_unwrap(&rdn, oid) == ASN1_OID)
        {
                int t = asn1_unwrap(&rdn, data);
-               
+
                if (t != ASN1_INVALID)
                {
                        *type = t;
@@ -170,10 +170,10 @@ static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid,
 static enumerator_t* create_rdn_enumerator(chunk_t dn)
 {
        rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t);
-       
+
        e->public.enumerate = (void*)rdn_enumerate;
        e->public.destroy = (void*)free;
-       
+
        /* a DN is a SEQUENCE, get the first SET of it */
        if (asn1_unwrap(&dn, &e->sets) == ASN1_SEQUENCE)
        {
@@ -223,7 +223,7 @@ static bool rdn_part_enumerate(rdn_part_enumerator_t *this,
                {OID_EMAIL_ADDRESS,             ID_PART_RDN_E},
                {OID_EMPLOYEE_NUMBER,   ID_PART_RDN_EN},
        };
-       
+
        while (this->inner->enumerate(this->inner, &oid, &strtype, &inner_data))
        {
                known_oid = asn1_known_oid(oid);
@@ -259,11 +259,11 @@ static enumerator_t* create_part_enumerator(private_identification_t *this)
                case ID_DER_ASN1_DN:
                {
                        rdn_part_enumerator_t *e = malloc_thing(rdn_part_enumerator_t);
-                       
+
                        e->inner = create_rdn_enumerator(this->encoded);
                        e->public.enumerate = (void*)rdn_part_enumerate;
                        e->public.destroy = (void*)rdn_part_enumerator_destroy;
-                       
+
                        return &e->public;
                }
                case ID_RFC822_ADDR:
@@ -285,12 +285,12 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
        u_char type;
        int oid, written;
        bool finished = FALSE;
-       
+
        e = create_rdn_enumerator(dn);
        while (e->enumerate(e, &oid_data, &type, &data))
        {
                oid = asn1_known_oid(oid_data);
-               
+
                if (oid == OID_UNKNOWN)
                {
                        written = snprintf(buf, len, "%#B=", &oid_data);
@@ -301,7 +301,7 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
                }
                buf += written;
                len -= written;
-               
+
                if (chunk_printable(data, NULL, '?'))
                {
                        written = snprintf(buf, len, "%.*s", data.len, data.ptr);
@@ -312,7 +312,7 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
                }
                buf += written;
                len -= written;
-               
+
                if (data.ptr + data.len != dn.ptr + dn.len)
                {
                        written = snprintf(buf, len, ", ");
@@ -346,7 +346,7 @@ static status_t atodn(char *src, chunk_t *dn)
                READ_NAME =             3,
                UNKNOWN_OID =   4
        } state_t;
-       
+
        chunk_t oid  = chunk_empty;
        chunk_t name = chunk_empty;
        chunk_t rdns[RDN_MAX];
@@ -357,7 +357,7 @@ static status_t atodn(char *src, chunk_t *dn)
        asn1_t rdn_type;
        state_t state = SEARCH_OID;
        status_t status = SUCCESS;
-       
+
        do
        {
                switch (state)
@@ -378,7 +378,7 @@ static status_t atodn(char *src, chunk_t *dn)
                                else
                                {
                                        bool found = FALSE;
-                                       
+
                                        for (i = 0; i < countof(x501rdns); i++)
                                        {
                                                if (strlen(x501rdns[i].name) == oid.len &&
@@ -423,15 +423,15 @@ static status_t atodn(char *src, chunk_t *dn)
                                        rdn_type = (x501rdns[i].type == ASN1_PRINTABLESTRING
                                                                && !asn1_is_printablestring(name))
                                                                ? ASN1_T61STRING : x501rdns[i].type;
-                                       
+
                                        if (rdn_count < RDN_MAX)
                                        {
                                                chunk_t rdn_oid;
-                                               
+
                                                rdn_oid = asn1_build_known_oid(x501rdns[i].oid);
                                                if (rdn_oid.len)
                                                {
-                                                       rdns[rdn_count] = 
+                                                       rdns[rdn_count] =
                                                                        asn1_wrap(ASN1_SET, "m",
                                                                                asn1_wrap(ASN1_SEQUENCE, "mm",
                                                                                        rdn_oid,
@@ -458,20 +458,20 @@ static status_t atodn(char *src, chunk_t *dn)
                                break;
                }
        } while (*src++ != '\0');
-       
+
        /* build the distinguished name sequence */
        {
                int i;
                u_char *pos = asn1_build_object(dn, ASN1_SEQUENCE, dn_len);
-               
+
                for (i = 0; i < rdn_count; i++)
                {
-                       memcpy(pos, rdns[i].ptr, rdns[i].len); 
+                       memcpy(pos, rdns[i].ptr, rdns[i].len);
                        pos += rdns[i].len;
                        free(rdns[i].ptr);
                }
        }
-       
+
        if (status != SUCCESS)
        {
                free(dn->ptr);
@@ -505,7 +505,7 @@ static bool contains_wildcards_dn(private_identification_t *this)
        bool contains = FALSE;
        id_part_t type;
        chunk_t data;
-       
+
        enumerator = create_part_enumerator(this);
        while (enumerator->enumerate(enumerator, &type, &data))
        {
@@ -553,7 +553,7 @@ static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
        chunk_t t_oid, o_oid, t_data, o_data;
        u_char t_type, o_type;
        bool t_next, o_next, finished = FALSE;
-       
+
        if (wc)
        {
                *wc = 0;
@@ -570,14 +570,14 @@ static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
        {
                return TRUE;
        }
-       
+
        t = create_rdn_enumerator(t_dn);
        o = create_rdn_enumerator(o_dn);
        while (TRUE)
        {
                t_next = t->enumerate(t, &t_oid, &t_type, &t_data);
                o_next = o->enumerate(o, &o_oid, &o_type, &o_data);
-               
+
                if (!o_next && !t_next)
                {
                        break;
@@ -647,7 +647,7 @@ static bool equals_dn(private_identification_t *this,
 static bool equals_strcasecmp(private_identification_t *this,
                                                          private_identification_t *other)
 {
-       /* we do some extra sanity checks to check for invalid IDs with a 
+       /* we do some extra sanity checks to check for invalid IDs with a
         * terminating null in it. */
        if (this->encoded.len == other->encoded.len &&
                memchr(this->encoded.ptr, 0, this->encoded.len) == NULL &&
@@ -662,14 +662,14 @@ static bool equals_strcasecmp(private_identification_t *this,
 /**
  * Default implementation of identification_t.matches.
  */
-static id_match_t matches_binary(private_identification_t *this, 
+static id_match_t matches_binary(private_identification_t *this,
                                                   private_identification_t *other)
 {
        if (other->type == ID_ANY)
        {
                return ID_MATCH_ANY;
        }
-       if (this->type == other->type && 
+       if (this->type == other->type &&
                chunk_equals(this->encoded, other->encoded))
        {
                return ID_MATCH_PERFECT;
@@ -685,7 +685,7 @@ static id_match_t matches_string(private_identification_t *this,
                                                                 private_identification_t *other)
 {
        u_int len = other->encoded.len;
-       
+
        if (other->type == ID_ANY)
        {
                return ID_MATCH_ANY;
@@ -712,7 +712,7 @@ static id_match_t matches_string(private_identification_t *this,
                {       /* not better than ID_ANY */
                        return ID_MATCH_ANY;
                }
-               if (strncasecmp(this->encoded.ptr + this->encoded.len - len, 
+               if (strncasecmp(this->encoded.ptr + this->encoded.len - len,
                                                other->encoded.ptr + 1, len) == 0)
                {
                        return ID_MATCH_ONE_WILDCARD;
@@ -742,12 +742,12 @@ static id_match_t matches_dn(private_identification_t *this,
                                                         private_identification_t *other)
 {
        int wc;
-       
+
        if (other->type == ID_ANY)
        {
                return ID_MATCH_ANY;
        }
-       
+
        if (this->type == other->type)
        {
                if (compare_dn(this->encoded, other->encoded, &wc))
@@ -768,12 +768,12 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
        private_identification_t *this = *((private_identification_t**)(args[0]));
        chunk_t proper;
        char buf[512];
-       
+
        if (this == NULL)
        {
                return print_in_hook(dst, len, "%*s", spec->width, "(null)");
        }
-       
+
        switch (this->type)
        {
                case ID_ANY:
@@ -835,7 +835,7 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 static identification_t *clone_(private_identification_t *this)
 {
        private_identification_t *clone = malloc_thing(private_identification_t);
-       
+
        memcpy(clone, this, sizeof(private_identification_t));
        if (this->encoded.len)
        {
@@ -859,13 +859,13 @@ static void destroy(private_identification_t *this)
 static private_identification_t *identification_create(id_type_t type)
 {
        private_identification_t *this = malloc_thing(private_identification_t);
-       
+
        this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
        this->public.get_type = (id_type_t (*) (identification_t*))get_type;
        this->public.create_part_enumerator = (enumerator_t*(*)(identification_t*))create_part_enumerator;
        this->public.clone = (identification_t* (*) (identification_t*))clone_;
        this->public.destroy = (void (*) (identification_t*))destroy;
-       
+
        switch (type)
        {
                case ID_ANY:
@@ -890,10 +890,10 @@ static private_identification_t *identification_create(id_type_t type)
                        this->public.contains_wildcards = (bool (*) (identification_t *this))return_false;
                        break;
        }
-       
+
        this->type = type;
        this->encoded = chunk_empty;
-       
+
        return this;
 }
 
@@ -904,7 +904,7 @@ identification_t *identification_create_from_string(char *string)
 {
        private_identification_t *this;
        chunk_t encoded;
-       
+
        if (string == NULL)
        {
                string = "%any";
@@ -945,7 +945,7 @@ identification_t *identification_create_from_string(char *string)
                        {
                                struct in_addr address;
                                chunk_t chunk = {(void*)&address, sizeof(address)};
-                               
+
                                if (inet_pton(AF_INET, string, &address) > 0)
                                {       /* is IPv4 */
                                        this = identification_create(ID_IPV4_ADDR);
@@ -962,7 +962,7 @@ identification_t *identification_create_from_string(char *string)
                        {
                                struct in6_addr address;
                                chunk_t chunk = {(void*)&address, sizeof(address)};
-                               
+
                                if (inet_pton(AF_INET6, string, &address) > 0)
                                {       /* is IPv6 */
                                        this = identification_create(ID_IPV6_ADDR);
@@ -1013,7 +1013,7 @@ identification_t *identification_create_from_encoding(id_type_t type,
                                                                                                          chunk_t encoded)
 {
        private_identification_t *this = identification_create(type);
-       
+
        /* apply encoded chunk */
        if (type != ID_ANY)
        {
index 30cb7e58706c075885e3b0cfda71338f05f79eb3..f6775071ccf523ed2c95986fd809de9bda537a21 100644 (file)
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup identification identification
  * @{ @ingroup utils
@@ -31,7 +31,7 @@ typedef enum id_part_t id_part_t;
 
 #include <library.h>
 
-/** 
+/**
  * Matches returned from identification_t.match
  */
 enum id_match_t {
@@ -56,24 +56,24 @@ extern enum_name_t *id_match_names;
  * ID Types in a ID payload.
  */
 enum id_type_t {
-       
+
        /**
         * private type which matches any other id.
         */
        ID_ANY = 0,
-       
+
        /**
         * ID data is a single four (4) octet IPv4 address.
         */
        ID_IPV4_ADDR = 1,
-       
+
        /**
         * ID data is a fully-qualified domain name string.
         * An example of a ID_FQDN is "example.com".
         * The string MUST not contain any terminators (e.g., NULL, CR, etc.).
         */
        ID_FQDN = 2,
-       
+
        /**
         * ID data is a fully-qualified RFC822 email address string.
         * An example of an ID_RFC822_ADDR is "jsmith@example.com".
@@ -81,59 +81,59 @@ enum id_type_t {
         */
        ID_USER_FQDN   = 3,    /* IKEv1 only */
        ID_RFC822_ADDR = 3,    /* IKEv2 only */
-       
+
        /**
         * ID data is an IPv4 subnet (IKEv1 only)
         */
        ID_IPV4_ADDR_SUBNET = 4,
-       
+
        /**
         * ID data is a single sixteen (16) octet IPv6 address.
         */
        ID_IPV6_ADDR = 5,
-       
+
        /**
         * ID data is an IPv6 subnet (IKEv1 only)
         */
        ID_IPV6_ADDR_SUBNET = 6,
-       
+
        /**
         * ID data is an IPv4 address range (IKEv1 only)
         */
        ID_IPV4_ADDR_RANGE = 7,
-       
+
        /**
         * ID data is an IPv6 address range (IKEv1 only)
         */
        ID_IPV6_ADDR_RANGE = 8,
-       
+
        /**
         * ID data is the binary DER encoding of an ASN.1 X.501 Distinguished Name
         */
        ID_DER_ASN1_DN = 9,
-       
+
        /**
         * ID data is the binary DER encoding of an ASN.1 X.509 GeneralName
         */
        ID_DER_ASN1_GN = 10,
-       
+
        /**
         * ID data is an opaque octet stream which may be used to pass vendor-
         * specific information necessary to do certain proprietary
         * types of identification.
         */
        ID_KEY_ID = 11,
-       
+
        /**
         * private type which represents a GeneralName of type URI
         */
        ID_DER_ASN1_GN_URI = 201,
-       
+
        /**
         * IETF Attribute Syntax String (RFC 3281)
         */
        ID_IETF_ATTR_STRING = 202,
-       
+
        /**
         * Private ID used by the pluto daemon for opportunistic encryption
         */
@@ -153,14 +153,14 @@ enum id_part_t {
        ID_PART_USERNAME,
        /** Domain part of an RFC822_ADDR */
        ID_PART_DOMAIN,
-       
+
        /** Top-Level domain of a FQDN */
        ID_PART_TLD,
        /** Second-Level domain of a FQDN */
        ID_PART_SLD,
        /** Another Level domain of a FQDN */
        ID_PART_ALD,
-       
+
        /** Country RDN of a DN */
        ID_PART_RDN_C,
        /** CommonName RDN of a DN */
@@ -197,40 +197,40 @@ enum id_part_t {
 
 /**
  * Generic identification, such as used in ID payload.
- * 
+ *
  * @todo Support for ID_DER_ASN1_GN is minimal right now. Comparison
  * between them and ID_IPV4_ADDR/RFC822_ADDR would be nice.
  */
 struct identification_t {
-       
+
        /**
         * Get the encoding of this id, to send over
         * the network.
-        * 
+        *
         * Result points to internal data, do not free.
-        * 
+        *
         * @return                      a chunk containing the encoded bytes
         */
        chunk_t (*get_encoding) (identification_t *this);
-       
+
        /**
         * Get the type of this identification.
-        * 
+        *
         * @return                      id_type_t
         */
        id_type_t (*get_type) (identification_t *this);
-       
+
        /**
         * Check if two identification_t objects are equal.
-        * 
+        *
         * @param other         other identification_t object
         * @return                      TRUE if the IDs are equal
         */
        bool (*equals) (identification_t *this, identification_t *other);
-       
+
        /**
         * Check if an ID matches a wildcard ID.
-        * 
+        *
         * An identification_t may contain wildcards, such as
         * *.strongswan.org. This call checks if a given ID
         * (e.g. tester.strongswan.org) belongs to a such wildcard
@@ -241,24 +241,24 @@ struct identification_t {
         *
         * The larger the return value is, the better is the match. Zero means
         * no match at all, 1 means a bad match, and 2 a slightly better match.
-        * 
+        *
         * @param other         the ID containing one or more wildcards
         * @param wildcards     returns the number of wildcards, may be NULL
         * @return                      match value as described above
         */
        id_match_t (*matches) (identification_t *this, identification_t *other);
-       
+
        /**
         * Check if an ID is a wildcard ID.
         *
         * If the ID represents multiple IDs (with wildcards, or
         * as the type ID_ANY), TRUE is returned. If it is unique,
         * FALSE is returned.
-        * 
+        *
         * @return                      TRUE if ID contains wildcards
         */
        bool (*contains_wildcards) (identification_t *this);
-       
+
        /**
         * Create an enumerator over subparts of an identity.
         *
@@ -271,10 +271,10 @@ struct identification_t {
         * @return                      an enumerator over (id_part_t type, chunk_t data)
         */
        enumerator_t* (*create_part_enumerator)(identification_t *this);
-       
+
        /**
         * Clone a identification_t instance.
-        * 
+        *
         * @return                      clone of this
         */
        identification_t *(*clone) (identification_t *this);
@@ -299,15 +299,15 @@ struct identification_t {
  * pluto resolves domainnames without an @ to IPv4 addresses. Since
  * we use a seperate host_t class for addresses, this doesn't
  * make sense for us.
- * 
+ *
  * A distinguished name may contain one or more of the following RDNs:
  * ND, UID, DC, CN, S, SN, serialNumber, C, L, ST, O, OU, T, D,
- * N, G, I, ID, EN, EmployeeNumber, E, Email, emailAddress, UN, 
+ * N, G, I, ID, EN, EmployeeNumber, E, Email, emailAddress, UN,
  * unstructuredName, TCGID.
- * 
+ *
  * This constructor never returns NULL. If it does not find a suitable
  * conversion function, it will copy the string to an ID_KEY_ID.
- * 
+ *
  * @param string       input string, which will be converted
  * @return                     identification_t
  */
@@ -315,7 +315,7 @@ identification_t * identification_create_from_string(char *string);
 
 /**
  * Creates an identification_t object from an encoded chunk.
- * 
+ *
  * @param type         type of this id, such as ID_IPV4_ADDR
  * @param encoded      encoded bytes, such as from identification_t.get_encoding
  * @return                     identification_t
@@ -325,7 +325,7 @@ identification_t * identification_create_from_encoding(id_type_t type, chunk_t e
 /**
  * printf hook function for identification_t.
  *
- * Arguments are: 
+ * Arguments are:
  *    identification_t *identification
  */
 int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
index 1dbf01539bbde26c99040414297014bb19e0e603..9be65b229c6bb3451f5dddfca5e3b7895dc33b93 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup iterator iterator
  * @{ @ingroup utils
@@ -39,45 +39,45 @@ struct iterator_t {
 
        /**
         * Return number of list items.
-        * 
+        *
         * @return                              number of list items
         */
        int (*get_count) (iterator_t *this);
-       
+
        /**
         * Iterate over all items.
-        * 
+        *
         * The easy way to iterate over items.
-        * 
+        *
         * @param value         item
         * @return                      TRUE, if there was an element available, FALSE otherwise
         */
        bool (*iterate) (iterator_t *this, void** value);
-       
+
        /**
         * Inserts a new item before the given iterator position.
-        * 
+        *
         * The iterator position is not changed after inserting
-        * 
+        *
         * @param item          value to insert in list
         */
        void (*insert_before) (iterator_t *this, void *item);
 
        /**
         * Inserts a new item after the given iterator position.
-        * 
+        *
         * The iterator position is not changed after inserting.
-        * 
+        *
         * @param this          calling iterator
         * @param item          value to insert in list
         */
        void (*insert_after) (iterator_t *this, void *item);
-       
+
        /**
         * Replace the current item at current iterator position.
-        * 
+        *
         * The iterator position is not changed after replacing.
-        * 
+        *
         * @param this          calling iterator
         * @param old           old value will be written here(can be NULL)
         * @param new           new value
@@ -87,18 +87,18 @@ struct iterator_t {
 
        /**
         * Removes an element from list at the given iterator position.
-        * 
+        *
         * The iterator is set the the following position:
         * - to the item before, if available
         * - it gets reseted, otherwise
-        * 
+        *
         * @return                              SUCCESS, FAILED if iterator is on an invalid position
         */
        status_t (*remove) (iterator_t *this);
-       
+
        /**
         * Resets the iterator position.
-        * 
+        *
         * After reset, the iterator_t objects doesn't point to an element.
         * A call to iterator_t.has_next is necessary to do any other operations
         * with the resetted iterator.
index b620780065d16a5ee21f338039451a054ba5b98b..bae22f172732e9797489d9a88511a061b08eead8 100644 (file)
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
-       
+
 #define _GNU_SOURCE
 #include <sched.h>
 #include <stddef.h>
 #include <string.h>
 #include <stdio.h>
 #include <malloc.h>
-#include <signal.h> 
+#include <signal.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -90,32 +90,32 @@ typedef struct memory_tail_t memory_tail_t;
  * Header which is prepended to each allocated memory block
  */
 struct memory_header_t {
-       
+
        /**
         * Number of bytes following after the header
         */
        u_int bytes;
-       
+
        /**
         * Pointer to previous entry in linked list
         */
        memory_header_t *previous;
-       
+
        /**
         * Pointer to next entry in linked list
         */
        memory_header_t *next;
-       
+
        /**
         * backtrace taken during (re-)allocation
         */
        backtrace_t *backtrace;
-       
+
        /**
         * magic bytes to detect bad free or heap underflow, MEMORY_HEADER_MAGIC
         */
        u_int32_t magic;
-       
+
 }__attribute__((__packed__));
 
 /**
@@ -127,11 +127,11 @@ struct memory_tail_t {
         * Magic bytes to detect heap overflow, MEMORY_TAIL_MAGIC
         */
        u_int32_t magic;
-       
+
 }__attribute__((__packed__));
 
 /**
- * first mem header is just a dummy to chain 
+ * first mem header is just a dummy to chain
  * the others on it...
  */
 static memory_header_t first_header = {
@@ -143,7 +143,7 @@ static memory_header_t first_header = {
 };
 
 /**
- * are the hooks currently installed? 
+ * are the hooks currently installed?
  */
 static bool installed = FALSE;
 
@@ -151,7 +151,7 @@ static bool installed = FALSE;
  * Leak report white list
  *
  * List of functions using static allocation buffers or should be suppressed
- * otherwise on leak report. 
+ * otherwise on leak report.
  */
 char *whitelist[] = {
        /* backtraces, including own */
@@ -233,7 +233,7 @@ void report_leaks()
 {
        memory_header_t *hdr;
        int leaks = 0, whitelisted = 0;
-       
+
        for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
        {
                if (is_whitelisted(hdr->backtrace))
@@ -248,7 +248,7 @@ void report_leaks()
                        leaks++;
                }
        }
-               
+
        switch (leaks)
        {
                case 0:
@@ -305,12 +305,12 @@ void *malloc_hook(size_t bytes, const void *caller)
        pthread_t thread_id = pthread_self();
     int oldpolicy;
     struct sched_param oldparams, params;
-    
+
     pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-    
+
     params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
        pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-       
+
        count_malloc++;
        uninstall_hooks();
        hdr = malloc(sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
@@ -318,13 +318,13 @@ void *malloc_hook(size_t bytes, const void *caller)
        /* set to something which causes crashes */
        memset(hdr, MEMORY_ALLOC_PATTERN,
                   sizeof(memory_header_t) + bytes + sizeof(memory_tail_t));
-       
+
        hdr->magic = MEMORY_HEADER_MAGIC;
        hdr->bytes = bytes;
        hdr->backtrace = backtrace_create(3);
        tail->magic = MEMORY_TAIL_MAGIC;
        install_hooks();
-       
+
        /* insert at the beginning of the list */
        hdr->next = first_header.next;
        if (hdr->next)
@@ -333,9 +333,9 @@ void *malloc_hook(size_t bytes, const void *caller)
        }
        hdr->previous = &first_header;
        first_header.next = hdr;
-       
+
        pthread_setschedparam(thread_id, oldpolicy, &oldparams);
-       
+
        return hdr + 1;
 }
 
@@ -350,7 +350,7 @@ void free_hook(void *ptr, const void *caller)
        pthread_t thread_id = pthread_self();
     int oldpolicy;
     struct sched_param oldparams, params;
-    
+
        /* allow freeing of NULL */
        if (ptr == NULL)
        {
@@ -358,12 +358,12 @@ void free_hook(void *ptr, const void *caller)
        }
        hdr = ptr - sizeof(memory_header_t);
        tail = ptr + hdr->bytes;
-       
+
        pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-       
+
     params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
        pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-       
+
        count_free++;
        uninstall_hooks();
        if (hdr->magic != MEMORY_HEADER_MAGIC ||
@@ -385,13 +385,13 @@ void free_hook(void *ptr, const void *caller)
                }
                hdr->previous->next = hdr->next;
                hdr->backtrace->destroy(hdr->backtrace);
-               
+
                /* clear MAGIC, set mem to something remarkable */
                memset(hdr, MEMORY_FREE_PATTERN, hdr->bytes + sizeof(memory_header_t));
-               
+
                free(hdr);
        }
-       
+
        install_hooks();
        pthread_setschedparam(thread_id, oldpolicy, &oldparams);
 }
@@ -407,21 +407,21 @@ void *realloc_hook(void *old, size_t bytes, const void *caller)
        pthread_t thread_id = pthread_self();
     int oldpolicy;
     struct sched_param oldparams, params;
-    
+
        /* allow reallocation of NULL */
        if (old == NULL)
        {
                return malloc_hook(bytes, caller);
        }
-       
+
        hdr = old - sizeof(memory_header_t);
        tail = old + hdr->bytes;
-       
+
        pthread_getschedparam(thread_id, &oldpolicy, &oldparams);
-       
+
        params.__sched_priority = sched_get_priority_max(SCHED_FIFO);
        pthread_setschedparam(thread_id, SCHED_FIFO, &params);
-       
+
        count_realloc++;
        uninstall_hooks();
        if (hdr->magic != MEMORY_HEADER_MAGIC ||
@@ -475,21 +475,21 @@ static void destroy(private_leak_detective_t *this)
 leak_detective_t *leak_detective_create()
 {
        private_leak_detective_t *this = malloc_thing(private_leak_detective_t);
-       
+
        this->public.destroy = (void(*)(leak_detective_t*))destroy;
-       
+
        if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
        {
                cpu_set_t mask;
-               
+
                CPU_ZERO(&mask);
                CPU_SET(0, &mask);
-               
+
                if (sched_setaffinity(0, sizeof(cpu_set_t), &mask) != 0)
                {
                        fprintf(stderr, "setting CPU affinity failed: %m");
                }
-       
+
                lib->leak_detective = TRUE;
                install_hooks();
        }
index cd30dcd5f9e0571dc5cd4c6ab8245b38f124d5b8..835fb85a92b49f2257b6710e2688c4fa080f1caa 100644 (file)
@@ -32,7 +32,7 @@ typedef struct leak_detective_t leak_detective_t;
  * and dynamic whitelisting.
  */
 struct leak_detective_t {
-               
+
        /**
      * Destroy a leak_detective instance.
      */
index 2472f6751acf323483d48af3b98beece22e7449f..b0aced1807a7013628a9a9d0e4779f5f35e35a7e 100644 (file)
@@ -40,31 +40,31 @@ bool match(const char *pattern, const chunk_t *ch)
 bool extract_token(chunk_t *token, const char termination, chunk_t *src)
 {
        u_char *eot = memchr(src->ptr, termination, src->len);
-       
+
        if (termination == ' ')
        {
                u_char *eot_tab = memchr(src->ptr, '\t', src->len);
-               
+
                /* check if a tab instead of a space terminates the token */
                eot = ( eot_tab == NULL || (eot && eot < eot_tab) ) ? eot : eot_tab;
        }
-       
+
        /* initialize empty token */
        *token = chunk_empty;
-       
+
        if (eot == NULL) /* termination symbol not found */
        {
                return FALSE;
        }
-       
+
        /* extract token */
        token->ptr = src->ptr;
        token->len = (u_int)(eot - src->ptr);
-       
+
        /* advance src pointer after termination symbol */
        src->ptr = eot + 1;
        src->len -= (token->len + 1);
-       
+
        return TRUE;
 }
 
@@ -75,23 +75,23 @@ bool extract_token_str(chunk_t *token, const char *termination, chunk_t *src)
 {
        u_char *eot = memstr(src->ptr, termination, src->len);
        size_t l = strlen(termination);
-       
+
        /* initialize empty token */
        *token = chunk_empty;
-       
+
        if (eot == NULL) /* termination string not found */
        {
                return FALSE;
        }
-       
+
        /* extract token */
        token->ptr = src->ptr;
        token->len = (u_int)(eot - src->ptr);
-       
+
        /* advance src pointer after termination string */
        src->ptr = eot + l;
        src->len -= (token->len + l);
-       
+
        return TRUE;
 }
 
index 7e2edb2789e800257168790bed066c0e018f47d7..7eb68069ba0c9f411ef9e24de328a86229c7b5e6 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup lexparser lexparser
  * @{ @ingroup utils
index a45468cca7e5abc2acd5afe85245b2337401a676..4aa8ea6ca8d8eca783c065265846a7f5e976fb17 100644 (file)
@@ -33,14 +33,14 @@ struct element_t {
 
        /**
         * Previous list element.
-        * 
+        *
         * NULL if first element in list.
         */
        element_t *previous;
-       
+
        /**
         * Next list element.
-        * 
+        *
         * NULL if last element in list.
         */
        element_t *next;
@@ -52,11 +52,11 @@ struct element_t {
 element_t *element_create(void *value)
 {
        element_t *this = malloc_thing(element_t);
-       
+
        this->previous = NULL;
        this->next = NULL;
        this->value = value;
-       
+
        return (this);
 }
 
@@ -83,7 +83,7 @@ struct private_linked_list_t {
         * NULL if no elements in list.
         */
        element_t *first;
-       
+
        /**
         * Last element in list.
         * NULL if no elements in list.
@@ -130,12 +130,12 @@ struct private_enumerator_t {
         * implements enumerator interface
         */
        enumerator_t enumerator;
-       
+
        /**
         * associated linked list
         */
        private_linked_list_t *list;
-       
+
        /**
         * current item
         */
@@ -173,12 +173,12 @@ static bool enumerate(private_enumerator_t *this, void **item)
 static enumerator_t* create_enumerator(private_linked_list_t *this)
 {
        private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
-       
+
        enumerator->enumerator.enumerate = (void*)enumerate;
        enumerator->enumerator.destroy = (void*)free;
        enumerator->list = this;
        enumerator->current = NULL;
-       
+
        return &enumerator->enumerator;
 }
 
@@ -273,7 +273,7 @@ static status_t iterator_remove(private_iterator_t *this)
                this->current->previous->next = this->current->next;
                this->current->next->previous = this->current->previous;
        }
-       
+
        this->list->count--;
        free(this->current);
        /* set the new iterator position */
@@ -290,7 +290,7 @@ static void insert_before(private_iterator_t * iterator, void *item)
        {
                iterator->list->public.insert_first(&(iterator->list->public), item);
        }
-       
+
        element_t *element = element_create(item);
        if (iterator->current->previous == NULL)
        {
@@ -322,7 +322,7 @@ static status_t replace(private_iterator_t *this, void **old_item, void *new_ite
                *old_item = this->current->value;
        }
        this->current->value = new_item;
-       
+
        return SUCCESS;
 }
 
@@ -336,7 +336,7 @@ static void insert_after(private_iterator_t *iterator, void *item)
                iterator->list->public.insert_first(&(iterator->list->public),item);
                return;
        }
-       
+
        element_t *element = element_create(item);
        if (iterator->current->next == NULL)
        {
@@ -376,7 +376,7 @@ static int get_count(private_linked_list_t *this)
 static void insert_first(private_linked_list_t *this, void *item)
 {
        element_t *element;
-       
+
        element = element_create(item);
        if (this->count == 0)
        {
@@ -407,7 +407,7 @@ static element_t* remove_element(private_linked_list_t *this, element_t *element
        next = element->next;
        previous = element->previous;
        free(element);
-       if (next) 
+       if (next)
        {
                next->previous = previous;
        }
@@ -463,7 +463,7 @@ static status_t remove_first(private_linked_list_t *this, void **item)
 static void insert_last(private_linked_list_t *this, void *item)
 {
        element_t *element = element_create(item);
-       
+
        if (this->count == 0)
        {
                /* first entry in list */
@@ -508,7 +508,7 @@ static status_t remove_last(private_linked_list_t *this, void **item)
        }
        return NOT_FOUND;
 }
-       
+
 /**
  * Implementation of linked_list_t.remove.
  */
@@ -517,7 +517,7 @@ static int remove_(private_linked_list_t *this, void *item,
 {
        element_t *current = this->first;
        int removed = 0;
-       
+
        while (current)
        {
                if ((compare && compare(current->value, item)) ||
@@ -556,7 +556,7 @@ static status_t find_first(private_linked_list_t *this, linked_list_match_t matc
                void **item, void *d1, void *d2, void *d3, void *d4, void *d5)
 {
        element_t *current = this->first;
-       
+
        while (current)
        {
                if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
@@ -580,7 +580,7 @@ static status_t find_last(private_linked_list_t *this, linked_list_match_t match
                void **item, void *d1, void *d2, void *d3, void *d4, void *d5)
 {
        element_t *current = this->last;
-       
+
        while (current)
        {
                if ((match && match(current->value, d1, d2, d3, d4, d5)) ||
@@ -604,7 +604,7 @@ static void invoke_offset(private_linked_list_t *this, size_t offset,
                void *d1, void *d2, void *d3, void *d4, void *d5)
 {
        element_t *current = this->first;
-       
+
        while (current)
        {
                linked_list_invoke_t *method = current->value + offset;
@@ -620,7 +620,7 @@ static void invoke_function(private_linked_list_t *this, linked_list_invoke_t fn
                void *d1, void *d2, void *d3, void *d4, void *d5)
 {
        element_t *current = this->first;
-       
+
        while (current)
        {
                fn(current->value, d1, d2, d3, d4, d5);
@@ -635,14 +635,14 @@ static linked_list_t *clone_offset(private_linked_list_t *this, size_t offset)
 {
        linked_list_t *clone = linked_list_create();
        element_t *current = this->first;
-       
+
        while (current)
        {
                void* (**method)(void*) = current->value + offset;
                clone->insert_last(clone, (*method)(current->value));
                current = current->next;
        }
-       
+
        return clone;
 }
 
@@ -653,13 +653,13 @@ static linked_list_t *clone_function(private_linked_list_t *this, void* (*fn)(vo
 {
        linked_list_t *clone = linked_list_create();
        element_t *current = this->first;
-       
+
        while (current)
        {
                clone->insert_last(clone, fn(current->value));
                current = current->next;
        }
-       
+
        return clone;
 }
 
@@ -684,7 +684,7 @@ static void destroy(private_linked_list_t *this)
 static void destroy_offset(private_linked_list_t *this, size_t offset)
 {
        element_t *current = this->first, *next;
-       
+
        while (current)
        {
                void (**method)(void*) = current->value + offset;
@@ -702,7 +702,7 @@ static void destroy_offset(private_linked_list_t *this, size_t offset)
 static void destroy_function(private_linked_list_t *this, void (*fn)(void*))
 {
        element_t *current = this->first, *next;
-       
+
        while (current)
        {
                fn(current->value);
@@ -719,7 +719,7 @@ static void destroy_function(private_linked_list_t *this, void (*fn)(void*))
 static iterator_t *create_iterator(private_linked_list_t *linked_list, bool forward)
 {
        private_iterator_t *this = malloc_thing(private_iterator_t);
-       
+
        this->public.get_count = (int (*) (iterator_t*)) get_list_count;
        this->public.iterate = (bool (*) (iterator_t*, void **value)) iterate;
        this->public.insert_before = (void (*) (iterator_t*, void *item)) insert_before;
@@ -728,11 +728,11 @@ static iterator_t *create_iterator(private_linked_list_t *linked_list, bool forw
        this->public.remove = (status_t (*) (iterator_t*)) iterator_remove;
        this->public.reset = (void (*) (iterator_t*)) iterator_reset;
        this->public.destroy = (void (*) (iterator_t*)) iterator_destroy;
-       
+
        this->forward = forward;
        this->current = NULL;
        this->list = linked_list;
-       
+
        return &this->public;
 }
 
index 8b2de90832260ded2b23fcfeea256d893b7aaa66..98c2bfc9bba2df843338bb6bc33358875ead9638 100644 (file)
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup linked_list linked_list
  * @{ @ingroup utils
@@ -56,24 +56,24 @@ struct linked_list_t {
 
        /**
         * Gets the count of items in the list.
-        * 
+        *
         * @return                      number of items in list
         */
        int (*get_count) (linked_list_t *this);
-       
+
        /**
         * Creates a iterator for the given list.
-        * 
+        *
         * @warning Created iterator_t object has to get destroyed by the caller.
         *
         * @deprecated Iterator is obsolete and will disappear, it is too
         * complicated to implement. Use enumerator instead.
-        * 
+        *
         * @param forward       iterator direction (TRUE: front to end)
         * @return                      new iterator_t object
         */
        iterator_t *(*create_iterator) (linked_list_t *this, bool forward);
-       
+
        /**
         * Create an enumerator over the list.
         *
@@ -83,7 +83,7 @@ struct linked_list_t {
         * @return                      enumerator over list items
         */
        enumerator_t* (*create_enumerator)(linked_list_t *this);
-       
+
        /**
         * Inserts a new item at the beginning of the list.
         *
@@ -93,22 +93,22 @@ struct linked_list_t {
 
        /**
         * Removes the first item in the list and returns its value.
-        * 
+        *
         * @param item          returned value of first item, or NULL
         * @return                      SUCCESS, or NOT_FOUND if list is empty
         */
        status_t (*remove_first) (linked_list_t *this, void **item);
-       
+
        /**
         * Remove an item from the list where the enumerator points to.
         *
         * @param enumerator enumerator with position
         */
        void (*remove_at)(linked_list_t *this, enumerator_t *enumerator);
-       
+
        /**
         * Remove items from the list matching item.
-        * 
+        *
         * If a compare function is given, it is called for each item, where
         * the first parameter is the current list item and the second parameter
         * is the supplied item parameter.
@@ -119,10 +119,10 @@ struct linked_list_t {
         * @return                      number of removed items
         */
        int (*remove)(linked_list_t *this, void *item, bool (*compare)(void *,void*));
-       
+
        /**
         * Returns the value of the first list item without removing it.
-        * 
+        *
         * @param this          calling object
         * @param item          returned value of first item
         * @return                      SUCCESS, NOT_FOUND if list is empty
@@ -131,14 +131,14 @@ struct linked_list_t {
 
        /**
         * Inserts a new item at the end of the list.
-        * 
+        *
         * @param item          value to insert into list
         */
        void (*insert_last) (linked_list_t *this, void *item);
 
        /**
         * Removes the last item in the list and returns its value.
-        * 
+        *
         * @param this          calling object
         * @param item          returned value of last item, or NULL
         * @return                      SUCCESS, NOT_FOUND if list is empty
@@ -147,15 +147,15 @@ struct linked_list_t {
 
        /**
         * Returns the value of the last list item without removing it.
-        * 
+        *
         * @param this          calling object
         * @param item          returned value of last item
         * @return                      SUCCESS, NOT_FOUND if list is empty
         */
        status_t (*get_last) (linked_list_t *this, void **item);
-       
+
        /** Find the first matching element in the list.
-        * 
+        *
         * The first object passed to the match function is the current list item,
         * followed by the user supplied data.
         * If the supplied function returns TRUE this function returns SUCCESS, and
@@ -163,7 +163,7 @@ struct linked_list_t {
         * the next item is checked.
         *
         * If match is NULL, *item and the current object are compared.
-        * 
+        *
         * @warning Only use pointers as user supplied data.
         *
         * @param match                 comparison function to call on each object, or NULL
@@ -173,17 +173,17 @@ struct linked_list_t {
         */
        status_t (*find_first) (linked_list_t *this, linked_list_match_t match,
                                                        void **item, ...);
-       
+
        /** Find the last matching element in the list.
-        * 
+        *
         * The first object passed to the match function is the current list item,
         * followed by the user supplied data.
         * If the supplied function returns TRUE this function returns SUCCESS, and
         * the current object is returned in the third parameter, otherwise,
         * the next item is checked.
-        * 
+        *
         * If match is NULL, *item and the current object are compared.
-        * 
+        *
         * @warning Only use pointers as user supplied data.
         *
         * @param match                 comparison function to call on each object, or NULL
@@ -193,7 +193,7 @@ struct linked_list_t {
         */
        status_t (*find_last) (linked_list_t *this, linked_list_match_t match,
                                                   void **item, ...);
-       
+
        /**
         * Invoke a method on all of the contained objects.
         *
@@ -202,41 +202,41 @@ struct linked_list_t {
         * method is specified by an offset of the function pointer,
         * which can be evalutated at compile time using the offsetof
         * macro, e.g.: list->invoke(list, offsetof(object_t, method));
-        * 
+        *
         * @param offset        offset of the method to invoke on objects
         * @param ...           user data to supply to called function (limited to 5 arguments)
         */
        void (*invoke_offset) (linked_list_t *this, size_t offset, ...);
-       
+
        /**
         * Invoke a function on all of the contained objects.
-        * 
+        *
         * @param function      offset of the method to invoke on objects
         * @param ...           user data to supply to called function (limited to 5 arguments)
         */
        void (*invoke_function) (linked_list_t *this, linked_list_invoke_t function, ...);
-       
+
        /**
         * Clones a list and its objects using the objects' clone method.
-        * 
+        *
         * @param offset        offset ot the objects clone function
         * @return                      cloned list
         */
        linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
-       
+
        /**
         * Clones a list and its objects using a given function.
-        * 
+        *
         * @param function      function that clones an object
         * @return                      cloned list
         */
        linked_list_t *(*clone_function) (linked_list_t *this, void*(*)(void*));
-       
+
        /**
         * Destroys a linked_list object.
         */
        void (*destroy) (linked_list_t *this);
-       
+
        /**
         * Destroys a list and its objects using the destructor.
         *
@@ -248,10 +248,10 @@ struct linked_list_t {
         * @param offset        offset of the objects destructor
         */
        void (*destroy_offset) (linked_list_t *this, size_t offset);
-       
+
        /**
         * Destroys a list and its contents using a a cleanup function.
-        * 
+        *
         * If a linked list and its contents should get destroyed using a specific
         * cleanup function, use destroy_function. This is useful when the
         * list contains malloc()-ed blocks which should get freed,
@@ -264,7 +264,7 @@ struct linked_list_t {
 
 /**
  * Creates an empty linked list object.
- * 
+ *
  * @return             linked_list_t object.
  */
 linked_list_t *linked_list_create(void);
index a74a4e47d8238a2ffda332fe6f99f53a6e709395..c7797c49e03174eb451a0fa2acb57c6938aecb02 100644 (file)
@@ -47,7 +47,7 @@ struct lock_profile_t {
         * how long threads have waited for the lock in this mutex so far
         */
        timeval_t waited;
-       
+
        /**
         * backtrace where mutex has been created
         */
@@ -81,7 +81,7 @@ static void profiler_init(lock_profile_t *profile)
 #define profiler_start(profile) { \
        struct timeval _start, _end, _diff; \
        time_monotonic(&_start);
-       
+
 #define profiler_end(profile) \
        time_monotonic(&_end); \
        timersub(&_end, &_start, &_diff); \
@@ -106,17 +106,17 @@ struct private_mutex_t {
         * public functions
         */
        mutex_t public;
-       
+
        /**
         * wrapped pthread mutex
         */
        pthread_mutex_t mutex;
-       
+
        /**
         * is this a recursiv emutex, implementing private_r_mutex_t?
         */
        bool recursive;
-       
+
        /**
         * profiling info, if enabled
         */
@@ -132,12 +132,12 @@ struct private_r_mutex_t {
         * Extends private_mutex_t
         */
        private_mutex_t generic;
-       
+
        /**
         * thread which currently owns mutex
         */
        pthread_t thread;
-       
+
        /**
         * times we have locked the lock, stored per thread
         */
@@ -153,7 +153,7 @@ struct private_condvar_t {
         * public functions
         */
        condvar_t public;
-       
+
        /**
         * wrapped pthread condvar
         */
@@ -169,12 +169,12 @@ struct private_rwlock_t {
         * public functions
         */
        rwlock_t public;
-       
+
        /**
         * wrapped pthread rwlock
         */
        pthread_rwlock_t rwlock;
-       
+
        /**
         * profiling info, if enabled
         */
@@ -187,7 +187,7 @@ struct private_rwlock_t {
 static void lock(private_mutex_t *this)
 {
        int err;
-       
+
        profiler_start(&this->profile);
        err = pthread_mutex_lock(&this->mutex);
        if (err)
@@ -203,7 +203,7 @@ static void lock(private_mutex_t *this)
 static void unlock(private_mutex_t *this)
 {
        int err;
-       
+
        err = pthread_mutex_unlock(&this->mutex);
        if (err)
        {
@@ -221,7 +221,7 @@ static void lock_r(private_r_mutex_t *this)
        if (this->thread == self)
        {
                uintptr_t times;
-               
+
                /* times++ */
                times = (uintptr_t)pthread_getspecific(this->times);
                pthread_setspecific(this->times, (void*)times + 1);
@@ -245,7 +245,7 @@ static void unlock_r(private_r_mutex_t *this)
        /* times-- */
        times = (uintptr_t)pthread_getspecific(this->times);
        pthread_setspecific(this->times, (void*)--times);
-       
+
        if (times == 0)
        {
                this->thread = 0;
@@ -284,32 +284,32 @@ mutex_t *mutex_create(mutex_type_t type)
                case MUTEX_TYPE_RECURSIVE:
                {
                        private_r_mutex_t *this = malloc_thing(private_r_mutex_t);
-                       
+
                        this->generic.public.lock = (void(*)(mutex_t*))lock_r;
                        this->generic.public.unlock = (void(*)(mutex_t*))unlock_r;
-                       this->generic.public.destroy = (void(*)(mutex_t*))mutex_destroy_r;      
-                       
+                       this->generic.public.destroy = (void(*)(mutex_t*))mutex_destroy_r;
+
                        pthread_mutex_init(&this->generic.mutex, NULL);
                        pthread_key_create(&this->times, NULL);
                        this->generic.recursive = TRUE;
                        profiler_init(&this->generic.profile);
                        this->thread = 0;
-                       
+
                        return &this->generic.public;
                }
                case MUTEX_TYPE_DEFAULT:
                default:
                {
                        private_mutex_t *this = malloc_thing(private_mutex_t);
-               
+
                        this->public.lock = (void(*)(mutex_t*))lock;
                        this->public.unlock = (void(*)(mutex_t*))unlock;
                        this->public.destroy = (void(*)(mutex_t*))mutex_destroy;
-                       
+
                        pthread_mutex_init(&this->mutex, NULL);
                        this->recursive = FALSE;
                        profiler_init(&this->profile);
-                       
+
                        return &this->public;
                }
        }
@@ -323,7 +323,7 @@ static void _wait(private_condvar_t *this, private_mutex_t *mutex)
        if (mutex->recursive)
        {
                private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
-               
+
                /* mutex owner gets cleared during condvar wait */
                recursive->thread = 0;
                pthread_cond_wait(&this->condvar, &mutex->mutex);
@@ -343,14 +343,14 @@ static bool timed_wait_abs(private_condvar_t *this, private_mutex_t *mutex,
 {
        struct timespec ts;
        bool timed_out;
-       
+
        ts.tv_sec = time.tv_sec;
        ts.tv_nsec = time.tv_usec * 1000;
-       
+
        if (mutex->recursive)
        {
                private_r_mutex_t* recursive = (private_r_mutex_t*)mutex;
-               
+
                recursive->thread = 0;
                timed_out = pthread_cond_timedwait(&this->condvar, &mutex->mutex,
                                                                                   &ts) == ETIMEDOUT;
@@ -372,15 +372,15 @@ static bool timed_wait(private_condvar_t *this, private_mutex_t *mutex,
 {
        timeval_t tv;
        u_int s, ms;
-       
+
        time_monotonic(&tv);
-       
+
        s = timeout / 1000;
        ms = timeout % 1000;
-       
+
        tv.tv_sec += s;
        tv.tv_usec += ms * 1000;
-       
+
        if (tv.tv_usec > 1000000 /* 1s */)
        {
                tv.tv_usec -= 1000000;
@@ -426,21 +426,21 @@ condvar_t *condvar_create(condvar_type_t type)
                {
                        pthread_condattr_t condattr;
                        private_condvar_t *this = malloc_thing(private_condvar_t);
-                       
+
                        this->public.wait = (void(*)(condvar_t*, mutex_t *mutex))_wait;
                        this->public.timed_wait = (bool(*)(condvar_t*, mutex_t *mutex, u_int timeout))timed_wait;
                        this->public.timed_wait_abs = (bool(*)(condvar_t*, mutex_t *mutex, timeval_t time))timed_wait_abs;
                        this->public.signal = (void(*)(condvar_t*))_signal;
                        this->public.broadcast = (void(*)(condvar_t*))broadcast;
                        this->public.destroy = (void(*)(condvar_t*))condvar_destroy;
-                       
+
                        pthread_condattr_init(&condattr);
 #ifdef HAVE_CONDATTR_CLOCK_MONOTONIC
                        pthread_condattr_setclock(&condattr, CLOCK_MONOTONIC);
 #endif
                        pthread_cond_init(&this->condvar, &condattr);
                        pthread_condattr_destroy(&condattr);
-                       
+
                        return &this->public;
                }
        }
@@ -452,7 +452,7 @@ condvar_t *condvar_create(condvar_type_t type)
 static void read_lock(private_rwlock_t *this)
 {
        int err;
-       
+
        profiler_start(&this->profile);
        err = pthread_rwlock_rdlock(&this->rwlock);
        if (err != 0)
@@ -468,7 +468,7 @@ static void read_lock(private_rwlock_t *this)
 static void write_lock(private_rwlock_t *this)
 {
        int err;
-       
+
        profiler_start(&this->profile);
        err = pthread_rwlock_wrlock(&this->rwlock);
        if (err != 0)
@@ -492,7 +492,7 @@ static bool try_write_lock(private_rwlock_t *this)
 static void rw_unlock(private_rwlock_t *this)
 {
        int err;
-       
+
        err = pthread_rwlock_unlock(&this->rwlock);
        if (err != 0)
        {
@@ -521,16 +521,16 @@ rwlock_t *rwlock_create(rwlock_type_t type)
                default:
                {
                        private_rwlock_t *this = malloc_thing(private_rwlock_t);
-                       
+
                        this->public.read_lock = (void(*)(rwlock_t*))read_lock;
                        this->public.write_lock = (void(*)(rwlock_t*))write_lock;
                        this->public.try_write_lock = (bool(*)(rwlock_t*))try_write_lock;
                        this->public.unlock = (void(*)(rwlock_t*))rw_unlock;
                        this->public.destroy = (void(*)(rwlock_t*))rw_destroy;
-                       
+
                        pthread_rwlock_init(&this->rwlock, NULL);
                        profiler_init(&this->profile);
-                       
+
                        return &this->public;
                }
        }
index 39763f901c37a1f5834b850738251711bc811882..8e53c82ca029a3d9cfd646fec64d421a8e9704a9 100644 (file)
@@ -93,12 +93,12 @@ struct mutex_t {
         * Acquire the lock to the mutex.
         */
        void (*lock)(mutex_t *this);
-       
+
        /**
         * Release the lock on the mutex.
         */
        void (*unlock)(mutex_t *this);
-       
+
        /**
         * Destroy a mutex instance.
         */
@@ -116,7 +116,7 @@ struct condvar_t {
         * @param mutex                 mutex to release while waiting
         */
        void (*wait)(condvar_t *this, mutex_t *mutex);
-       
+
        /**
         * Wait on a condvar until it gets signalized, or times out.
         *
@@ -125,7 +125,7 @@ struct condvar_t {
         * @return                              TRUE if timed out, FALSE otherwise
         */
        bool (*timed_wait)(condvar_t *this, mutex_t *mutex, u_int timeout);
-       
+
        /**
         * Wait on a condvar until it gets signalized, or times out.
         *
@@ -137,17 +137,17 @@ struct condvar_t {
         * @return                              TRUE if timed out, FALSE otherwise
         */
        bool (*timed_wait_abs)(condvar_t *this, mutex_t *mutex, timeval_t tv);
-       
+
        /**
         * Wake up a single thread in a condvar.
         */
        void (*signal)(condvar_t *this);
-       
+
        /**
         * Wake up all threads in a condvar.
         */
        void (*broadcast)(condvar_t *this);
-       
+
        /**
         * Destroy a condvar and free its resources.
         */
@@ -163,12 +163,12 @@ struct rwlock_t {
         * Acquire the read lock.
         */
        void (*read_lock)(rwlock_t *this);
-       
+
        /**
         * Acquire the write lock.
         */
        void (*write_lock)(rwlock_t *this);
-       
+
        /**
         * Try to acquire the write lock.
         *
@@ -176,13 +176,13 @@ struct rwlock_t {
         *
         * @return              TRUE if lock acquired
         */
-       bool (*try_write_lock)(rwlock_t *this); 
-       
+       bool (*try_write_lock)(rwlock_t *this);
+
        /**
         * Release any acquired lock.
         */
        void (*unlock)(rwlock_t *this);
-       
+
        /**
         * Destroy the read-write lock.
         */
index bf47e6b98078ed114b0e14a3b2b732c92cf7256e..bf528caa0675b90370e094c9f81b659f00144f5e 100644 (file)
@@ -6,7 +6,7 @@
  * under the terms of the GNU Library General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
+ *
  * This library is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
@@ -83,7 +83,7 @@ bool from(private_options_t *this, char *filename, int *argcp, char **argvp[],
                DBG1("optionsfrom called %d times by \"%s\" - looping?", this->nuses + 1, (*argvp)[0]);
                return FALSE;
        }
-       
+
        fd = fopen(filename, "r");
        if (fd == NULL)
        {
index 05269f4f539763d27f6123ef9078a18a4955b664..b0a9d0096fa87fc50f04a612e403dfa90df8ee1a 100644 (file)
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
 /**
  * @defgroup optionsfrom optionsfrom
  * @{ @ingroup utils
@@ -28,7 +28,7 @@ typedef struct options_t options_t;
  * Reads additional command line arguments from a file
  */
 struct options_t {
-       
+
        /**
         * Check if the PKCS#7 contentType is data
         *
index 5f9c3b623cdeb5f0ab18f22260deb2608b38b40b..dd469cee400a8ec1c887e48a80620817227a9d80 100644 (file)
@@ -30,7 +30,7 @@ struct private_auth_controller_t {
         * public functions
         */
        auth_controller_t public;
-       
+
        /**
         * manager instance
         */
@@ -47,7 +47,7 @@ static void login(private_auth_controller_t *this, request_t *request)
 static void check(private_auth_controller_t *this, request_t *request)
 {
        char *username, *password;
-       
+
        username = request->get_query_data(request, "username");
        password = request->get_query_data(request, "password");
        if (username && password &&
@@ -87,11 +87,11 @@ static void handle(private_auth_controller_t *this,
                {
                        return login(this, request);
                }
-               else if (streq(action, "check")) 
+               else if (streq(action, "check"))
                {
                        return check(this, request);
                }
-               else if (streq(action, "logout")) 
+               else if (streq(action, "logout"))
                {
                        return logout(this, request);
                }
@@ -117,9 +117,9 @@ controller_t *auth_controller_create(context_t *context, void *param)
        this->public.controller.get_name = (char*(*)(controller_t*))get_name;
        this->public.controller.handle = (void(*)(controller_t*,request_t*,char*,char*,char*,char*,char*))handle;
        this->public.controller.destroy = (void(*)(controller_t*))destroy;
-       
+
        this->manager = (manager_t*)context;
-       
+
        return &this->public.controller;
 }
 
index dda2938a1e015637df16424a399c33049a682320..828a4ac9729dad124a30dbf2f2dd5ccc7e05d991 100644 (file)
@@ -33,7 +33,7 @@ struct private_config_controller_t {
         * public functions
         */
        config_controller_t public;
-       
+
        /**
         * manager instance
         */
@@ -54,7 +54,7 @@ static void process_peerconfig(private_config_controller_t *this,
        {
                if (streq(name, "name"))
                {
-                       config = value; 
+                       config = value;
                }
                else if (streq(name, "ikeconfig"))
                {
@@ -80,7 +80,7 @@ static void process_peerconfig(private_config_controller_t *this,
                                if (streq(name, "childconfig"))
                                {
                                        int num = 0;
-                                       
+
                                        e2 = xml->children(xml);
                                        while (e2->enumerate(e2, &xml, &name, &value))
                                        {
@@ -199,9 +199,9 @@ controller_t *config_controller_create(context_t *context, void *param)
        this->public.controller.get_name = (char*(*)(controller_t*))get_name;
        this->public.controller.handle = (void(*)(controller_t*,request_t*,char*,char*,char*,char*,char*))handle;
        this->public.controller.destroy = (void(*)(controller_t*))destroy;
-       
+
        this->manager = (manager_t*)context;
-       
+
        return &this->public.controller;
 }
 
index c22591182cbacca3a0cbf13300091c983fd98745..fdf66bf14418fb6cab0ceb25d1628ffd859972b2 100644 (file)
@@ -33,7 +33,7 @@ struct private_control_controller_t {
         * public functions
         */
        control_controller_t public;
-       
+
        /**
         * manager instance
         */
@@ -50,7 +50,7 @@ static void handle_result(private_control_controller_t *this, request_t *r,
        xml_t *xml;
        char *name, *value;
        int num = 0;
-       
+
        if (e)
        {
                while (e->enumerate(e, &xml, &name, &value))
@@ -113,7 +113,7 @@ static void terminate(private_control_controller_t *this, request_t *r,
 {
        gateway_t *gateway;
        enumerator_t *e;
-       
+
        r->setf(r, "title=Terminate %s SA %d", ike ? "IKE" : "CHILD", id);
        gateway = this->manager->select_gateway(this->manager, 0);
        e = gateway->terminate(gateway, ike, id);
@@ -145,7 +145,7 @@ static void handle(private_control_controller_t *this,
        if (action)
        {
                u_int32_t id;
-       
+
                if (streq(action, "terminateike"))
                {
                        if (str && (id = atoi(str)))
@@ -196,9 +196,9 @@ controller_t *control_controller_create(context_t *context, void *param)
        this->public.controller.get_name = (char*(*)(controller_t*))get_name;
        this->public.controller.handle = (void(*)(controller_t*,request_t*,char*,char*,char*,char*,char*))handle;
        this->public.controller.destroy = (void(*)(controller_t*))destroy;
-       
+
        this->manager = (manager_t*)context;
-       
+
        return &this->public.controller;
 }
 
index 164bf5921ec6d5705e57ace925ac400f48196d20..9fca220e9e4244c2947034d20f0244fdbd76fbad 100644 (file)
@@ -31,12 +31,12 @@ struct private_gateway_controller_t {
         * public functions
         */
        gateway_controller_t public;
-       
+
        /**
         * manager instance
         */
        manager_t *manager;
-       
+
 };
 
 static void list(private_gateway_controller_t *this, request_t *request)
@@ -44,7 +44,7 @@ static void list(private_gateway_controller_t *this, request_t *request)
        enumerator_t *enumerator;
        char *name, *address;
        int id, port;
-       
+
        enumerator = this->manager->create_gateway_enumerator(this->manager);
        while (enumerator->enumerate(enumerator, &id, &name, &port, &address))
        {
@@ -69,7 +69,7 @@ static void list(private_gateway_controller_t *this, request_t *request)
 static void _select(private_gateway_controller_t *this, request_t *request)
 {
        char *id;
-       
+
        id = request->get_query_data(request, "gateway");
        if (id)
        {
@@ -106,7 +106,7 @@ static void handle(private_gateway_controller_t *this,
                {
                        return list(this, request);
                }
-               else if (streq(action, "select")) 
+               else if (streq(action, "select"))
                {
                        return _select(this, request);
                }
@@ -133,9 +133,9 @@ controller_t *gateway_controller_create(context_t *context, void *param)
        this->public.controller.get_name = (char*(*)(controller_t*))get_name;
        this->public.controller.handle = (void(*)(controller_t*,request_t*,char*,char*,char*,char*,char*))handle;
        this->public.controller.destroy = (void(*)(controller_t*))destroy;
-       
+
        this->manager = (manager_t*)context;
-       
+
        return &this->public.controller;
 }
 
index c35ff42e68adc4882db5012ae330aeab05087382..afa4a67f8c60924dcd537b79c39ac9ff9275de40 100644 (file)
@@ -33,7 +33,7 @@ struct private_ikesa_controller_t {
         * public functions
         */
        ikesa_controller_t public;
-       
+
        /**
         * manager instance
         */
@@ -50,7 +50,7 @@ static void process_childsa(private_ikesa_controller_t *this, char *id,
        enumerator_t *e1, *e2;
        char *name, *value, *reqid = "", *section = "";
        int num = 0;
-       
+
        while (e->enumerate(e, &xml, &name, &value))
        {
                if (streq(name, "reqid"))
@@ -106,7 +106,7 @@ static void process_ikesa(private_ikesa_controller_t *this,
        {
                if (streq(name, "id"))
                {
-                       id = value;     
+                       id = value;
                }
                else if (streq(name, "local") || streq(name, "remote"))
                {
@@ -223,9 +223,9 @@ controller_t *ikesa_controller_create(context_t *context, void *param)
        this->public.controller.get_name = (char*(*)(controller_t*))get_name;
        this->public.controller.handle = (void(*)(controller_t*,request_t*,char*,char*,char*,char*,char*))handle;
        this->public.controller.destroy = (void(*)(controller_t*))destroy;
-       
+
        this->manager = (manager_t*)context;
-       
+
        return &this->public.controller;
 }
 
index f0d557c71b5ef5bbc22082f48317559af9964a34..fd462afa7595ec0d74fca4d806b276bf9a41218c 100644 (file)
@@ -35,22 +35,22 @@ struct private_gateway_t {
         * public functions
         */
        gateway_t public;
-       
+
        /**
         * name of the gateway
         */
        char *name;
-       
+
        /**
         * host to connect using tcp
         */
        host_t *host;
-       
+
        /**
         * socket file descriptor, > 0 if connected
         */
        int fd;
-       
+
        /**
         * unique id assigned to each xml message
         */
@@ -83,7 +83,7 @@ static bool connect_(private_gateway_t *this)
                addr = (struct sockaddr*)&unix_addr;
                len = sizeof(unix_addr);
        }
-       
+
        this->fd = socket(family, SOCK_STREAM, 0);
        if (this->fd < 0)
        {
@@ -115,7 +115,7 @@ static char* request(private_gateway_t *this, char *xml, ...)
                char buf[8096];
                ssize_t len;
                va_list args;
-               
+
                va_start(args, xml);
                len = vsnprintf(buf, sizeof(buf), xml, args);
                va_end(args);
@@ -153,7 +153,7 @@ static enumerator_t* query_ikesalist(private_gateway_t *this)
        char *str, *name, *value;
        xml_t *xml;
        enumerator_t *e1, *e2, *e3, *e4 = NULL;
-       
+
        str = request(this,     "<message type=\"request\" id=\"%d\">"
                                                        "<query>"
                                                                "<ikesalist/>"
@@ -168,7 +168,7 @@ static enumerator_t* query_ikesalist(private_gateway_t *this)
        {
                return NULL;
        }
-       
+
        e1 = xml->children(xml);
        free(str);
        while (e1->enumerate(e1, &xml, &name, &value))
@@ -202,7 +202,7 @@ static enumerator_t* query_ikesalist(private_gateway_t *this)
        return NULL;
 }
 
-       
+
 /**
  * Implementation of gateway_t.query_configlist.
  */
@@ -211,7 +211,7 @@ static enumerator_t* query_configlist(private_gateway_t *this)
        char *str, *name, *value;
        xml_t *xml;
        enumerator_t *e1, *e2, *e3, *e4 = NULL;
-       
+
        str = request(this,     "<message type=\"request\" id=\"%d\">"
                                                        "<query>"
                                                                "<configlist/>"
@@ -226,7 +226,7 @@ static enumerator_t* query_configlist(private_gateway_t *this)
        {
                return NULL;
        }
-       
+
        e1 = xml->children(xml);
        free(str);
        while (e1->enumerate(e1, &xml, &name, &value))
@@ -308,7 +308,7 @@ static enumerator_t* read_result(private_gateway_t *this, char *res)
 static enumerator_t* initiate(private_gateway_t *this, bool ike, char *name)
 {
        char *str, *kind;
-       
+
        if (ike)
        {
                kind = "ike";
@@ -331,7 +331,7 @@ static enumerator_t* initiate(private_gateway_t *this, bool ike, char *name)
 static enumerator_t* terminate(private_gateway_t *this, bool ike, u_int32_t id)
 {
        char *str, *kind;
-       
+
        if (ike)
        {
                kind = "ike";
@@ -368,19 +368,19 @@ static void destroy(private_gateway_t *this)
 static private_gateway_t *gateway_create(char *name)
 {
        private_gateway_t *this = malloc_thing(private_gateway_t);
-       
+
        this->public.request = (char*(*)(gateway_t*, char *xml))request;
        this->public.query_ikesalist = (enumerator_t*(*)(gateway_t*))query_ikesalist;
        this->public.query_configlist = (enumerator_t*(*)(gateway_t*))query_configlist;
        this->public.initiate = (enumerator_t*(*)(gateway_t*, bool ike, char *name))initiate;
        this->public.terminate = (enumerator_t*(*)(gateway_t*, bool ike, u_int32_t id))terminate;
        this->public.destroy = (void(*)(gateway_t*))destroy;
-       
+
        this->name = strdup(name);
        this->host = NULL;
        this->fd = -1;
        this->xmlid = 1;
-       
+
        return this;
 }
 
@@ -390,9 +390,9 @@ static private_gateway_t *gateway_create(char *name)
 gateway_t *gateway_create_tcp(char *name, host_t *host)
 {
        private_gateway_t *this = gateway_create(name);
-       
+
        this->host = host;
-       
+
        return &this->public;
 }
 
@@ -402,7 +402,7 @@ gateway_t *gateway_create_tcp(char *name, host_t *host)
 gateway_t *gateway_create_unix(char *name)
 {
        private_gateway_t *this = gateway_create(name);
-       
+
        return &this->public;
 }
 
index 7c76fa4749e4b37ff79cde6f21952453b0c96169..54aade7b1f1c382870432afce5d4d6571ae91ae9 100644 (file)
@@ -30,7 +30,7 @@ typedef struct gateway_t gateway_t;
  * A connection to a gateway.
  */
 struct gateway_t {
-       
+
        /**
         * Send an XML request to the gateway.
         *
@@ -38,21 +38,21 @@ struct gateway_t {
         * @return                      allocated xml response string
         */
        char* (*request)(gateway_t *this, char *xml);
-       
+
        /**
         * Query the list of IKE_SAs and all its children.
         *
         * @return                      enumerator over ikesa XML elements
         */
        enumerator_t* (*query_ikesalist)(gateway_t *this);
-       
+
        /**
         * Query the list of peer configs and its subconfigs.
         *
         * @return                      enumerator over peerconfig XML elements
         */
        enumerator_t* (*query_configlist)(gateway_t *this);
-       
+
        /**
         * Terminate an IKE or a CHILD SA.
         *
@@ -61,7 +61,7 @@ struct gateway_t {
         * @return                      enumerator over control response XML children
         */
        enumerator_t* (*terminate)(gateway_t *this, bool ike, u_int32_t id);
-       
+
        /**
         * Initiate an IKE or a CHILD SA.
         *
@@ -70,7 +70,7 @@ struct gateway_t {
         * @return                      enumerator over control response XML children
         */
        enumerator_t* (*initiate)(gateway_t *this, bool ike, char *name);
-       
+
        /**
         * Destroy a gateway instance.
         */
index 3d2c4de6b8eca5a8c1ba988aedb0255749ffa569..2db0f215aca3bc05d2eacea6f0429203cf42310e 100644 (file)
@@ -40,7 +40,7 @@ int main (int arc, char *argv[])
        {
                return 1;
        }
-       
+
        socket = lib->settings->get_str(lib->settings, "manager.socket", NULL);
        debug = lib->settings->get_bool(lib->settings, "manager.debug", FALSE);
        timeout = lib->settings->get_time(lib->settings, "manager.timeout", 900);
@@ -51,13 +51,13 @@ int main (int arc, char *argv[])
                DBG1("database URI undefined, set manager.database in strongswan.conf");
                return 1;
        }
-       
+
        storage = storage_create(database);
        if (storage == NULL)
        {
                return 1;
        }
-       
+
        dispatcher = dispatcher_create(socket, debug, timeout,
                                                (context_constructor_t)manager_create, storage);
        dispatcher->add_controller(dispatcher, ikesa_controller_create, NULL);
@@ -65,14 +65,14 @@ int main (int arc, char *argv[])
        dispatcher->add_controller(dispatcher, auth_controller_create, NULL);
        dispatcher->add_controller(dispatcher, control_controller_create, NULL);
        dispatcher->add_controller(dispatcher, config_controller_create, NULL);
-       
+
        dispatcher->run(dispatcher, threads);
-       
+
        dispatcher->waitsignal(dispatcher);
-       
+
        dispatcher->destroy(dispatcher);
        storage->destroy(storage);
-       
+
        library_deinit();
 
     return 0;
index 72f402a487066e331c76f8a17834cef9047301f6..fb89c6b722e00f7ec80f811e668ec826419015aa 100644 (file)
@@ -30,23 +30,23 @@ struct private_manager_t {
         * public functions
         */
        manager_t public;
-       
+
        /**
         * underlying storage database
         */
        storage_t *store;
-       
+
        /**
         * user id, if we are logged in
         */
        int user;
-       
+
        /**
         * selected gateway
         */
        gateway_t *gateway;
-};     
-       
+};
+
 /**
  * Implementation of manager_t.create_gateway_enumerator.
  */
@@ -66,10 +66,10 @@ static gateway_t* select_gateway(private_manager_t *this, int select_id)
                int id, port;
                char *name, *address;
                host_t *host;
-               
+
                if (this->gateway) this->gateway->destroy(this->gateway);
                this->gateway = NULL;
-               
+
                enumerator = this->store->create_gateway_enumerator(this->store, this->user);
                while (enumerator->enumerate(enumerator, &id, &name, &port, &address))
                {
@@ -143,18 +143,18 @@ static void destroy(private_manager_t *this)
 manager_t *manager_create(storage_t *storage)
 {
        private_manager_t *this = malloc_thing(private_manager_t);
-       
+
        this->public.login = (bool(*)(manager_t*, char *username, char *password))login;
        this->public.logged_in = (bool(*)(manager_t*))logged_in;
        this->public.logout = (void(*)(manager_t*))logout;
        this->public.create_gateway_enumerator = (enumerator_t*(*)(manager_t*))create_gateway_enumerator;
        this->public.select_gateway = (gateway_t*(*)(manager_t*, int id))select_gateway;
        this->public.context.destroy = (void(*)(context_t*))destroy;
-       
+
        this->user = 0;
        this->store = storage;
        this->gateway = NULL;
-       
+
        return &this->public;
 }
 
index dc5fc18311bcf8ffb05350d813bc9955a1aff746..231b0f5f386de4f2ac91738c24dad2157f35cc34 100644 (file)
@@ -44,7 +44,7 @@ struct manager_t {
         * implements context_t interface
         */
        context_t context;
-       
+
        /**
         * Create an iterator over all configured gateways.
         *
@@ -54,7 +54,7 @@ struct manager_t {
         * @return                      enumerator
         */
        enumerator_t* (*create_gateway_enumerator)(manager_t *this);
-       
+
        /**
         * Select a gateway.
         *
@@ -65,7 +65,7 @@ struct manager_t {
         * @return                      selected gateway, or NULL
         */
        gateway_t* (*select_gateway)(manager_t *this, int id);
-       
+
        /**
         * Try to log in.
         *
@@ -74,14 +74,14 @@ struct manager_t {
         * @return                      TRUE if login successful
         */
        bool (*login)(manager_t *this, char *username, char *password);
-       
+
        /**
         * Check if user logged in.
         *
         * @return                      TRUE if logged in
         */
        bool (*logged_in)(manager_t *this);
-       
+
        /**
         * Log out.
         */
index 00e688e088c1bf108189854d2e632bfe0afeca42..f7635ea7175e7daecf7a83a139ec08c5d3fc5627 100644 (file)
@@ -30,7 +30,7 @@ struct private_storage_t {
         * public functions
         */
        storage_t public;
-       
+
        /**
         * database connection
         */
@@ -47,7 +47,7 @@ static int login(private_storage_t *this, char *username, char *password)
        size_t username_len, password_len;
        int uid = 0;
        enumerator_t *enumerator;
-       
+
        /* hash = SHA1( username | password ) */
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (hasher == NULL)
@@ -63,8 +63,8 @@ static int login(private_storage_t *this, char *username, char *password)
        hasher->get_hash(hasher, data, hash.ptr);
        hasher->destroy(hasher);
        hex_str = chunk_to_hex(hash, NULL, FALSE);
-       
-       enumerator = this->db->query(this->db, 
+
+       enumerator = this->db->query(this->db,
                        "SELECT oid FROM users WHERE username = ? AND password = ?;",
                        DB_TEXT, username, DB_TEXT, hex_str.ptr,
                        DB_INT);
@@ -83,8 +83,8 @@ static int login(private_storage_t *this, char *username, char *password)
 static enumerator_t* create_gateway_enumerator(private_storage_t *this, int user)
 {
        enumerator_t *enumerator;
-       
-       enumerator = this->db->query(this->db, 
+
+       enumerator = this->db->query(this->db,
                        "SELECT gateways.oid AS gid, name, port, address FROM "
                        "gateways, user_gateway AS ug ON gid = ug.gateway WHERE ug.user = ?;",
                        DB_INT, user,
@@ -111,11 +111,11 @@ static void destroy(private_storage_t *this)
 storage_t *storage_create(char *uri)
 {
        private_storage_t *this = malloc_thing(private_storage_t);
-       
+
        this->public.login = (int(*)(storage_t*, char *username, char *password))login;
        this->public.create_gateway_enumerator = (enumerator_t*(*)(storage_t*,int))create_gateway_enumerator;
        this->public.destroy = (void(*)(storage_t*))destroy;
-       
+
        this->db = lib->db->create(lib->db, uri);
        if (this->db == NULL)
        {
index 2495b3a26d18211c4d2b53c467794eaf38c9f06f..5860d50ff08e5f581fcbfebf4c601a9f51c0672b 100644 (file)
@@ -39,7 +39,7 @@ struct storage_t {
         * @return                                      user ID if login good, 0 otherwise
         */
        int (*login)(storage_t *this, char *username, char *password);
-       
+
        /**
         * Create an iterator over the gateways.
         *
@@ -49,7 +49,7 @@ struct storage_t {
         * @param user                          user Id
         * @return                                      enumerator
         */
-       enumerator_t* (*create_gateway_enumerator)(storage_t *this, int user);  
+       enumerator_t* (*create_gateway_enumerator)(storage_t *this, int user);
 
        /**
      * Destroy a storage instance.
index 5aa2e3e1e9d0878f11f79bba799d42ac6ae6227a..a9ef60c2490fc95829a3bd8c35dfef2c66e1d17a 100644 (file)
@@ -32,22 +32,22 @@ struct private_xml_t {
         * public functions
         */
        xml_t public;
-       
+
        /**
         * root node of this xml (part)
         */
        xmlNode *node;
-       
+
        /**
         * document, only for root xml_t
         */
        xmlDoc *doc;
-       
+
        /**
         * Root xml_t*
         */
        private_xml_t *root;
-       
+
        /**
         * number of enumerator instances
         */
@@ -79,10 +79,10 @@ static bool child_enumerate(child_enum_t *e, private_xml_t **child,
        if (e->node)
        {
                xmlNode *text;
-               
+
                text = e->node->children;
                *value = NULL;
-               
+
                while (text && text->type != XML_TEXT_NODE)
                {
                        text = text->next;
@@ -109,7 +109,7 @@ static char* get_attribute(private_xml_t *this, char *name)
 }
 
 /**
- * destroy enumerator, and complete tree if this was the last enumerator 
+ * destroy enumerator, and complete tree if this was the last enumerator
  */
 static void child_destroy(child_enum_t *this)
 {
@@ -145,10 +145,10 @@ static enumerator_t* children(private_xml_t *this)
 xml_t *xml_create(char *xml)
 {
        private_xml_t *this = malloc_thing(private_xml_t);
-       
+
        this->public.get_attribute = (char*(*)(xml_t*,char*))get_attribute;
        this->public.children = (enumerator_t*(*)(xml_t*))children;
-       
+
        this->doc = xmlReadMemory(xml, strlen(xml), NULL, NULL, 0);
        if (this->doc == NULL)
        {
@@ -158,7 +158,7 @@ xml_t *xml_create(char *xml)
        this->node = xmlDocGetRootElement(this->doc);
        this->root = this;
        this->enums = 0;
-       
+
        return &this->public;
 }
 
index 230e0f925a51c17b3a96f45b11ef29ae53a87068..0c362fed1ff051cd6d8181cf2d772251f7f6bee6 100644 (file)
@@ -43,7 +43,7 @@ struct xml_t {
         * @return                      enumerator over (xml_t* child, char *name, char *value)
         */
        enumerator_t* (*children)(xml_t *this);
-       
+
        /**
         * Get an attribute value by its name.
         *
index 06c67901fff2f23b276dc078fd12f29dea6e9cf4..e1e4661e0601fc41c0ba40ab79c50681287e500a 100755 (executable)
@@ -42,8 +42,8 @@ struct private_peer_controller_t {
         * active user session
         */
        user_t *user;
-       
-       /** 
+
+       /**
         * underlying database
         */
        database_t *db;
@@ -55,19 +55,19 @@ struct private_peer_controller_t {
 static void list(private_peer_controller_t *this, request_t *request)
 {
        enumerator_t *query;
-       
+
        query = this->db->query(this->db,
                        "SELECT id, alias, keyid FROM peer WHERE user = ? ORDER BY alias",
                        DB_UINT, this->user->get_user(this->user),
                        DB_UINT, DB_TEXT, DB_BLOB);
-       
+
        if (query)
        {
                u_int id;
                char *alias;
                chunk_t keyid;
                identification_t *identifier;
-       
+
                while (query->enumerate(query, &id, &alias, &keyid))
                {
                        request->setf(request, "peers.%d.alias=%s", id, alias);
@@ -89,7 +89,7 @@ static bool verify_alias(private_peer_controller_t *this, request_t *request,
        if (!alias || *alias == '\0')
        {
                request->setf(request, "error=Alias is missing.");
-               return FALSE;   
+               return FALSE;
        }
        while (*alias != '\0')
        {
@@ -122,7 +122,7 @@ static bool parse_public_key(private_peer_controller_t *this,
 {
        public_key_t *public;
        chunk_t blob, id;
-               
+
        if (!public_key || *public_key == '\0')
        {
                request->setf(request, "error=Public key is missing.");
@@ -156,7 +156,7 @@ static bool parse_public_key(private_peer_controller_t *this,
 static void add(private_peer_controller_t *this, request_t *request)
 {
        char *alias = "", *public_key = "";
-       
+
        if (request->get_query_data(request, "back"))
        {
                return request->redirect(request, "peer/list");
@@ -164,10 +164,10 @@ static void add(private_peer_controller_t *this, request_t *request)
        while (request->get_query_data(request, "add"))
        {
                chunk_t encoding, keyid;
-       
+
                alias = request->get_query_data(request, "alias");
                public_key = request->get_query_data(request, "public_key");
-               
+
                if (!verify_alias(this, request, alias))
                {
                        break;
@@ -194,7 +194,7 @@ static void add(private_peer_controller_t *this, request_t *request)
        }
        request->set(request, "alias", alias);
        request->set(request, "public_key", public_key);
-       
+
        return request->render(request, "templates/peer/add.cs");
 }
 
@@ -209,7 +209,7 @@ char* pem_encode(chunk_t der)
        char *pem;
        chunk_t base64;
        int i = 0;
-       
+
        base64 = chunk_to_base64(der, NULL);
        len = strlen(begin) + base64.len + base64.len/64 + strlen(end) + 2;
        pem = malloc(len + 1);
@@ -223,7 +223,7 @@ char* pem_encode(chunk_t der)
        }
        while (i < base64.len - 2);
        strcat(pem, end);
-       
+
        free(base64.ptr);
        return pem;
 }
@@ -235,7 +235,7 @@ static void edit(private_peer_controller_t *this, request_t *request, int id)
 {
        char *alias = "", *public_key = "", *pem;
        chunk_t encoding, keyid;
-       
+
        if (request->get_query_data(request, "back"))
        {
                return request->redirect(request, "peer/list");
@@ -253,7 +253,7 @@ static void edit(private_peer_controller_t *this, request_t *request, int id)
                {
                        alias = request->get_query_data(request, "alias");
                        public_key = request->get_query_data(request, "public_key");
-               
+
                        if (!verify_alias(this, request, alias))
                        {
                                break;
@@ -333,7 +333,7 @@ static void handle(private_peer_controller_t *this, request_t *request,
                {
                        id = atoi(idstr);
                }
-               
+
                if (streq(action, "list"))
                {
                        return list(this, request);
index bc4717e32a52e4ccefbc8bd31b47616b00f0b26d..0f25799d82f2b2a2d7db1e18a240d202ec76e16b 100755 (executable)
@@ -37,12 +37,12 @@ struct private_user_controller_t {
         * database connection
         */
        database_t *db;
-       
+
        /**
         * user session
         */
        user_t *user;
-       
+
        /**
         * minimum required password lenght
         */
@@ -56,7 +56,7 @@ static chunk_t hash_password(char *login, char *password)
 {
        hasher_t *hasher;
        chunk_t hash, data;
-       
+
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        if (!hasher)
        {
@@ -77,16 +77,16 @@ static void login(private_user_controller_t *this, request_t *request)
        if (request->get_query_data(request, "submit"))
        {
                char *login, *password;
-               
+
                login = request->get_query_data(request, "login");
                password = request->get_query_data(request, "password");
-               
+
                if (login && password)
                {
                        enumerator_t *query;
                        u_int id = 0;
                        chunk_t hash;
-                       
+
                        hash = hash_password(login, password);
                        query = this->db->query(this->db,
                                                "SELECT id FROM user WHERE login = ? AND password = ?",
@@ -126,7 +126,7 @@ static bool verify_login(private_user_controller_t *this, request_t *request,
        if (!login || *login == '\0')
        {
                request->setf(request, "error=Username is missing.");
-               return FALSE;   
+               return FALSE;
        }
        while (*login != '\0')
        {
@@ -190,13 +190,13 @@ static void add(private_user_controller_t *this, request_t *request)
                login = request->get_query_data(request, "new_login");
                password = request->get_query_data(request, "new_password");
                confirm = request->get_query_data(request, "confirm_password");
-               
+
                if (!verify_login(this, request, login) ||
                        !verify_password(this, request, password, confirm))
                {
                        break;
                }
-               
+
                hash = hash_password(login, password);
                if (!hash.ptr || this->db->execute(this->db, &id,
                                                        "INSERT INTO user (login, password) VALUES (?, ?)",
@@ -222,7 +222,7 @@ static void edit(private_user_controller_t *this, request_t *request)
 {
        enumerator_t *query;
        char *old_login;
-       
+
        /* lookup old login */
        query = this->db->query(this->db, "SELECT login FROM user WHERE id = ?",
                                                        DB_INT, this->user->get_user(this->user),
@@ -256,12 +256,12 @@ static void edit(private_user_controller_t *this, request_t *request)
        {
                char *new_login, *old_pass, *new_pass, *confirm;
                chunk_t old_hash, new_hash;
-               
+
                new_login = request->get_query_data(request, "old_login");
                old_pass = request->get_query_data(request, "old_password");
                new_pass = request->get_query_data(request, "new_password");
                confirm = request->get_query_data(request, "confirm_password");
-               
+
                if (!verify_login(this, request, new_login) ||
                        !verify_password(this, request, new_pass, confirm))
                {
@@ -270,7 +270,7 @@ static void edit(private_user_controller_t *this, request_t *request)
                }
                old_hash = hash_password(old_login, old_pass);
                new_hash = hash_password(new_login, new_pass);
-               
+
                if (this->db->execute(this->db, NULL,
                        "UPDATE user SET login = ?, password = ? "
                        "WHERE id = ? AND password = ?",
index 76114a347203a70199a107bbcc1e774173ae61ec..9ed356042dd361aadac526331f7a4bcfea56c1a6 100755 (executable)
@@ -33,7 +33,7 @@ struct private_auth_filter_t {
         * user session\r
         */\r
        user_t *user;
-       
+
        /**
         * database connection
         */
@@ -50,7 +50,7 @@ static bool run(private_auth_filter_t *this, request_t *request,
        {
                enumerator_t *query;
                char *login;
-       
+
                query = this->db->query(this->db, "SELECT login FROM user WHERE id = ?",
                                                                DB_INT, this->user->get_user(this->user),
                                                                DB_TEXT);
index e4f878304217021faaf62413c13d297f9a022ed9..d66d01ecfb5f8fd8092016153e7fe5b2905d9e53 100644 (file)
@@ -32,14 +32,14 @@ int main(int arc, char *argv[])
        bool debug;
        char *uri;
        int timeout, threads;
-       
+
        library_init(STRONGSWAN_CONF);
        if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
                        lib->settings->get_str(lib->settings, "medsrv.load", PLUGINS)))
        {
                return 1;
        }
-       
+
        socket = lib->settings->get_str(lib->settings, "medsrv.socket", NULL);
        debug = lib->settings->get_bool(lib->settings, "medsrv.debug", FALSE);
        timeout = lib->settings->get_time(lib->settings, "medsrv.timeout", 900);
@@ -50,14 +50,14 @@ int main(int arc, char *argv[])
                fprintf(stderr, "database URI medsrv.database not defined.\n");
                return 1;
        }
-       
+
        db = lib->db->create(lib->db, uri);
        if (db == NULL)
        {
                fprintf(stderr, "opening database failed.\n");
                return 1;
        }
-       
+
        dispatcher = dispatcher_create(socket, debug, timeout,
                                                                   (context_constructor_t)user_create, db);
        dispatcher->add_filter(dispatcher,
@@ -66,13 +66,13 @@ int main(int arc, char *argv[])
                                                (controller_constructor_t)user_controller_create, db);
        dispatcher->add_controller(dispatcher,
                                                (controller_constructor_t)peer_controller_create, db);
-       
+
        dispatcher->run(dispatcher, threads);
-       
+
        dispatcher->waitsignal(dispatcher);
        dispatcher->destroy(dispatcher);
        db->destroy(db);
-       
+
        library_deinit();
        return 0;
 }
index 2d1c738ca42c4b192375e85c71f39c681be12a78..f14650f032fda214d09f0fd33b245c0b7d42c4cd 100644 (file)
@@ -25,17 +25,17 @@ typedef struct user_t user_t;
  * Per session context. Contains user user state and data.
  */
 struct user_t {
-       
+
        /**
         * implements context_t interface
         */
        context_t context;
-       
+
        /**
         * Set the user ID of the logged in user.
         */
        void (*set_user)(user_t *this, u_int id);
-       
+
        /**
         * Get the user ID of the logged in user.
         */
index d6e75efc31ccbbc766f5370d37f51d0b5251b5a4..766d7504ea4a99e4b36662cd51ff9e2dc988ca62 100755 (executable)
@@ -1,8 +1,8 @@
 /**
  * @file openac.c
- * 
+ *
  * @brief Generation of X.509 attribute certificates.
- * 
+ *
  */
 
 /*
@@ -85,7 +85,7 @@ static chunk_t read_serial(void)
        chunk_t hex, serial = chunk_empty;
        char one[] = {0x01};
        FILE *fd;
-       
+
        fd = fopen(OPENAC_SERIAL, "r");
        if (fd)
        {
@@ -152,7 +152,7 @@ static void openac_dbg(int level, char *fmt, ...)
        char buffer[8192];
        char *current = buffer, *next;
        va_list args;
-       
+
        if (level <= debug_level)
        {
                if (!stderr_quiet)
@@ -211,7 +211,7 @@ int main(int argc, char **argv)
        chunk_t attr_chunk = chunk_empty;
 
        int status = 1;
-       
+
        /* enable openac debugging hook */
        dbg = openac_dbg;
 
@@ -231,7 +231,7 @@ int main(int argc, char **argv)
                fprintf(stderr, "integrity check of openac failed\n");
                exit(SS_RC_DAEMON_INTEGRITY);
        }
-       if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
+       if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
                        lib->settings->get_str(lib->settings, "openac.load", PLUGINS)))
        {
                exit(SS_RC_INITIALIZATION_FAILED);
@@ -262,7 +262,7 @@ int main(int argc, char **argv)
                        { "debug", required_argument, NULL, 'd' },
                        { 0,0,0,0 }
                };
-       
+
                int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
 
                /* Note: "breaking" from case terminates loop */
@@ -495,7 +495,7 @@ int main(int argc, char **argv)
                {
                        goto end;
                }
-       
+
                /* write the attribute certificate to file */
                attr_chunk = attr_cert->get_encoding(attr_cert);
                if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
index a612a1b07b662e9a7780856c1e40919000170fb7..7e3560db65d46cc346e405cb734a2752023e7f49 100644 (file)
@@ -33,7 +33,7 @@
 static int usage(char *error)
 {
        FILE *out = stdout;
-       
+
        if (error)
        {
                out = stderr;
@@ -107,7 +107,7 @@ static int gen(int argc, char *argv[])
        u_int size = 0;
        private_key_t *key;
        chunk_t encoding;
-       
+
        struct option long_opts[] = {
                { "type", required_argument, NULL, 't' },
                { "size", required_argument, NULL, 's' },
@@ -205,7 +205,7 @@ static int pub(int argc, char *argv[])
        chunk_t encoding;
        char *file = NULL;
        void *cred;
-       
+
        struct option long_opts[] = {
                { "type", required_argument, NULL, 't' },
                { "outform", required_argument, NULL, 'f' },
@@ -263,7 +263,7 @@ static int pub(int argc, char *argv[])
                cred = lib->creds->create(lib->creds, type, subtype,
                                                                         BUILD_FROM_FD, 0, BUILD_END);
        }
-       
+
        if (type == CRED_PRIVATE_KEY)
        {
                private = cred;
@@ -321,7 +321,7 @@ static int keyid(int argc, char *argv[])
        char *file = NULL;
        void *cred;
        chunk_t id;
-       
+
        struct option long_opts[] = {
                { "type", required_argument, NULL, 't' },
                { "in", required_argument, NULL, 'i' },
@@ -382,7 +382,7 @@ static int keyid(int argc, char *argv[])
                fprintf(stderr, "parsing input failed\n");
                return 1;
        }
-       
+
        if (type == CRED_PRIVATE_KEY)
        {
                private = cred;
@@ -447,7 +447,7 @@ static int self(int argc, char *argv[])
        int lifetime = 1080;
        chunk_t serial, encoding;
        time_t not_before, not_after;
-       
+
        struct option long_opts[] = {
                { "type", required_argument, NULL, 't' },
                { "in", required_argument, NULL, 'i' },
@@ -457,7 +457,7 @@ static int self(int argc, char *argv[])
                { "digest", required_argument, NULL, 'h' },
                { 0,0,0,0 }
        };
-       
+
        while (TRUE)
        {
                switch (getopt_long(argc, argv, "", long_opts, NULL))
@@ -529,7 +529,7 @@ static int self(int argc, char *argv[])
                }
                break;
        }
-       
+
        if (!dn)
        {
                return usage("--dn is required");
@@ -625,13 +625,13 @@ static int verify(int argc, char *argv[])
        certificate_t *cert, *ca;
        char *file = NULL, *cafile = NULL;
        bool good = FALSE;
-       
+
        struct option long_opts[] = {
                { "in", required_argument, NULL, 'i' },
                { "ca", required_argument, NULL, 'c' },
                { 0,0,0,0 }
        };
-       
+
        while (TRUE)
        {
                switch (getopt_long(argc, argv, "", long_opts, NULL))
@@ -649,7 +649,7 @@ static int verify(int argc, char *argv[])
                }
                break;
        }
-       
+
        if (file)
        {
                cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -717,7 +717,7 @@ static int verify(int argc, char *argv[])
                ca->destroy(ca);
        }
        cert->destroy(cert);
-       
+
        return good ? 0 : 2;
 }
 
@@ -735,7 +735,7 @@ int main(int argc, char *argv[])
                { "verify", no_argument, NULL, 'v' },
                { 0,0,0,0 }
        };
-       
+
        atexit(library_deinit);
        if (!library_init(STRONGSWAN_CONF))
        {
@@ -752,7 +752,7 @@ int main(int argc, char *argv[])
        {
                exit(SS_RC_INITIALIZATION_FAILED);
        }
-       
+
        switch (getopt_long(argc, argv, "", long_opts, NULL))
        {
                case 'h':
index 0c36e59456aae4b3085ac4920e578e554a28acf8..769d77e83b2d930a30cc26e3146a9abf8356308e 100644 (file)
@@ -224,7 +224,7 @@ static int cmp_ietfAttr(ietfAttr_t *a,ietfAttr_t *b)
        /* cannot compare OID with STRING or OCTETS attributes */
        if (a->kind == IETF_ATTRIBUTE_OID && b->kind != IETF_ATTRIBUTE_OID)
                return 1;
-               
+
        cmp_len = a->value.len - b->value.len;
        len = (cmp_len < 0)? a->value.len : b->value.len;
        cmp_value = memcmp(a->value.ptr, b->value.ptr, len);
@@ -604,7 +604,7 @@ static void release_ietfAttr(ietfAttr_t* attr)
                        list = *plist;
                }
                *plist = list->next;
-               
+
                free(attr->value.ptr);
                free(attr);
                free(list);
@@ -654,7 +654,7 @@ static void free_first_acert(void)
  * Free all attribute certificates in the chained list
  */
 void free_acerts(void)
-{ 
+{
        while (x509acerts != NULL)
                free_first_acert();
 }
@@ -759,7 +759,7 @@ bool verify_x509acert(x509acert_t *ac, bool strict)
                dntoa(buf, BUF_LEN, ac->issuerName);
                DBG_log("issuer: '%s'",buf);
        )
-       
+
        ugh = check_ac_validity(ac);
 
        if (ugh != NULL)
@@ -822,7 +822,7 @@ void load_acerts(void)
                        {
                                char *filename = filelist[n]->d_name;
                                x509acert_t *ac;
-                               
+
                                ac = lib->creds->create(lib->creds, CRED_CERTIFICATE,
                                                        CERT_PLUTO_AC, BUILD_FROM_FILE, filename,
                                                        BUILD_END);
@@ -859,7 +859,7 @@ void format_groups(const ietfAttrList_t *list, char *buf, int len)
                                                        , (int)attr->value.len, attr->value.ptr);
 
                        first_group = FALSE;
-                       
+
                        /* return value of snprintf() up to glibc 2.0.6 */
                        if (written < 0)
                                break;
@@ -949,7 +949,7 @@ void list_acerts(bool utc)
 void list_groups(bool utc)
 {
        ietfAttrList_t *list = ietfAttributes;
-       
+
        if (list != NULL)
        {
                whack_log(RC_COMMENT, " ");
@@ -962,7 +962,7 @@ void list_groups(bool utc)
                ietfAttr_t *attr = list->attr;
 
                whack_log(RC_COMMENT, "%T, count: %d", &attr->installed, utc, attr->count);
-               
+
                switch (attr->kind)
                {
                case IETF_ATTRIBUTE_OCTETS:
index c25418fc117d5b0755be8f4d94f8a7ca9d60321b..e8f977950b80af82a6dff5ce0f5dbe922f8ecedf 100644 (file)
@@ -238,12 +238,12 @@ static void __alg_info_ike_add (struct alg_info_ike *alg_info, int ealg_id,
  * merging alg_info (ike_info) contents
  */
 
-static int default_ike_groups[] = { 
+static int default_ike_groups[] = {
        MODP_1536_BIT,
        MODP_1024_BIT
 };
 
-/*      
+/*
  *      Add IKE alg info _with_ logic (policy):
  */
 static void alg_info_ike_add (struct alg_info *alg_info, int ealg_id,
@@ -258,7 +258,7 @@ static void alg_info_ike_add (struct alg_info *alg_info, int ealg_id,
                n_groups=0;
                goto in_loop;
        }
-               
+
        for (; n_groups--; i++)
        {
                modp_id = default_ike_groups[i];
@@ -372,7 +372,7 @@ static status_t alg_info_parse_str(struct alg_info *alg_info, char *alg_str)
 
                eat_whitespace(&string);
 
-               if (string.len > 0) 
+               if (string.len > 0)
                {
                        chunk_t alg;
 
@@ -494,7 +494,7 @@ struct alg_info_ike *alg_info_ike_create_from_str(char *alg_str)
  *      several connections instances,
  *      handle free() with ref_cnts
  */
-void 
+void
 alg_info_addref(struct alg_info *alg_info)
 {
        if (alg_info != NULL)
@@ -529,7 +529,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
        struct esp_info *esp_info;
        struct ike_info *ike_info;
        int cnt;
-               
+
        switch (alg_info->alg_info_protoid) {
        case PROTO_IPSEC_ESP:
                {
@@ -608,7 +608,7 @@ out:
                        , "buffer space exhausted in alg_info_snprint_ike(), buflen=%d"
                        , buflen);
        }
-               
+
        return ptr - buf;
 }
 
index fcf7efca09f03a837b7d3f91e97fb30089843dec..85b88ddff8c8e808dfee69b366be53860ab18c16 100644 (file)
@@ -74,7 +74,7 @@ extern int alg_info_snprint_esp(char *buf, int buflen
 extern int alg_info_snprint_ike(char *buf, int buflen
        , struct alg_info_ike *alg_info);
 #define ALG_INFO_ESP_FOREACH(ai, ai_esp, i) \
-               for (i=(ai)->alg_info_cnt,ai_esp=(ai)->esp; i--; ai_esp++) 
+               for (i=(ai)->alg_info_cnt,ai_esp=(ai)->esp; i--; ai_esp++)
 #define ALG_INFO_IKE_FOREACH(ai, ai_ike, i) \
-               for (i=(ai)->alg_info_cnt,ai_ike=(ai)->ike; i--; ai_ike++) 
+               for (i=(ai)->alg_info_cnt,ai_ike=(ai)->ike; i--; ai_ike++)
 #endif /* ALG_INFO_H */
index 57b843d2bac2bac830ef40a5ad084f1f780f0aee..2c3a8eaedfb58043ac2f6c5fbd8ca55a1651d4a8 100644 (file)
@@ -59,7 +59,7 @@ static void cert_add(private_builder_t *this, builder_part_t part, ...)
        va_start(args, part);
        blob = va_arg(args, chunk_t);
        va_end(args);
-       
+
        switch (part)
        {
                case BUILD_BLOB_PGP:
@@ -134,7 +134,7 @@ static void ac_add(private_builder_t *this, builder_part_t part, ...)
                        va_start(args, part);
                        blob = va_arg(args, chunk_t);
                        va_end(args);
-       
+
                        this->ac = malloc_thing(x509acert_t);
 
                        *this->ac = empty_ac;
@@ -200,10 +200,10 @@ static void crl_add(private_builder_t *this, builder_part_t part, ...)
 static void *build(private_builder_t *this)
 {
        void *cred;
-       
+
        cred = this->cred;
        free(this);
-       
+
        return cred;
 }
 
@@ -213,7 +213,7 @@ static void *build(private_builder_t *this)
 static builder_t *builder(int subtype)
 {
        private_builder_t *this = malloc_thing(private_builder_t);
-       
+
        switch (subtype)
        {
                case CERT_PLUTO_CERT:
@@ -231,7 +231,7 @@ static builder_t *builder(int subtype)
        }
        this->public.build = (void*(*)(builder_t*))build;
        this->cred = NULL;
-       
+
        return &this->public;
 }
 
index 4fdb8cfe713c9246c1bbcd329ad30495bc748968..77374b6f82506c828303b574236f9ec68d790aaa 100644 (file)
@@ -103,7 +103,7 @@ trusted_ca(chunk_t a, chunk_t b, int *pathlen)
                /* go one level up in the CA chain */
                a = cacert->issuer;
        }
-       
+
        unlock_authcert_list("trusted_ca");
        return match;
 }
@@ -539,7 +539,7 @@ add_ca_info(const whack_message_t *msg)
                /* does the authname already exist? */
                ca = get_ca_info(cacert->subject, cacert->serialNumber
                                , cacert->subjectKeyID);
-               
+
                if (ca != NULL)
                {
                        /* ca_info is already present */
@@ -557,7 +557,7 @@ add_ca_info(const whack_message_t *msg)
 
                /* name */
                ca->name = clone_str(msg->name);
-                       
+
                /* authName */
                ca->authName = chunk_clone(cacert->subject);
                dntoa(buf, BUF_LEN, ca->authName);
@@ -621,7 +621,7 @@ add_ca_info(const whack_message_t *msg)
                ca->next = ca_infos;
                ca_infos = ca;
                ca->installed = time(NULL);
-               
+
                unlock_ca_info_list("add_ca_info");
 
                /* add cacert to list of authcerts */
@@ -644,7 +644,7 @@ void
 list_ca_infos(bool utc)
 {
        ca_info_t *ca = ca_infos;
-       
+
        if (ca != NULL)
        {
                whack_log(RC_COMMENT, " ");
index 92ab2cc8edb305de97d61447d2fb13cd7e02aad5..5c6aa568eee4a357ebf6345b1b6776b2eb8b6165 100644 (file)
@@ -116,7 +116,7 @@ private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
 {
        private_key_t *key = NULL;
        char *path;
-       
+
        path = concatenate_paths(PRIVATE_KEY_PATH, filename);
        if (pass && pass->prompt && pass->fd != NULL_FD)
        {       /* use passphrase callback */
@@ -140,7 +140,7 @@ private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
        {       /* no passphrase */
                key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
                                                                 BUILD_FROM_FILE, path, BUILD_END);
-               
+
        }
        if (key)
        {
index b800b1665e2b69d730e625fd3e037c3cbfe3b753..1eb2d332df4d3daebc1341a6211d0c5dc08d07ae 100644 (file)
@@ -109,7 +109,7 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
        /* default hisaddr to an appropriate any */
        if (hisaddr == NULL)
                hisaddr = aftoinfo(addrtypeof(myaddr))->any;
-               
+
        if (nat_traversal_enabled)
        {
                /**
@@ -1011,7 +1011,7 @@ add_connection(const whack_message_t *wm)
                                loglog(RC_LOG_SERIOUS, "esp string error");
                        }
                }
-               
+
                if (wm->ike)
                {
                        DBG(DBG_CONTROL,
@@ -1038,7 +1038,7 @@ add_connection(const whack_message_t *wm)
                                loglog(RC_LOG_SERIOUS, "ike string error:");
                        }
                }
-               
+
                c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
                c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
                c->sa_rekey_margin = wm->sa_rekey_margin;
@@ -1213,7 +1213,7 @@ add_group_instance(struct connection *group, const ip_subnet *target)
                if (t->spd.that.virt)
                {
                        DBG_log("virtual_ip not supported in group instance");
-                       t->spd.that.virt = NULL;    
+                       t->spd.that.virt = NULL;
                }
 
                /* add to connections list */
@@ -2356,7 +2356,7 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
                DBG(DBG_CONTROL, DBG_log("creating new instance from \"%s\"%s"
                                                                 , c->name
                                                                 , (fmt_conn_instance(c, cib), cib)));
-                                                               
+
 
                idtoa(&sr->this.id, mycredentialstr, sizeof(mycredentialstr));
 
@@ -3012,7 +3012,7 @@ ISAKMP_SA_established(struct connection *c, so_serial_t serial)
         */
        if (!isanyaddr(&c->spd.that.host_srcip) && !c->spd.that.has_natip)
                c->spd.that.modecfg = TRUE;
-               
+
        if (uniqueIDs)
        {
                /* for all connections: if the same Phase 1 IDs are used
@@ -4037,7 +4037,7 @@ show_connections_status(bool all, const char *name)
                        if (c->spd.that.groups != NULL)
                        {
                                char buf[BUF_LEN];
-               
+
                                format_groups(c->spd.that.groups, buf, BUF_LEN);
                                whack_log(RC_COMMENT
                                        , "\"%s\"%s:   groups: %s"
@@ -4058,7 +4058,7 @@ show_connections_status(bool all, const char *name)
                                , (unsigned long) c->sa_keying_tries);
 
                        /* show DPD parameters if defined */
-               
+
                        if (c->dpd_action != DPD_ACTION_NONE)
                                whack_log(RC_COMMENT
                                        , "\"%s\"%s:   dpd_action: %N;"
@@ -4095,7 +4095,7 @@ show_connections_status(bool all, const char *name)
                        , instance
                        , c->newest_isakmp_sa
                        , c->newest_ipsec_sa);
-                       
+
                if (all)
                {
                        ike_alg_show_connection(c, instance);
index 16cbbfd72c88d8ec81fe362927c00d290a8e5eb0..512c688f8cb62d1e5d9a194902c83b25161b5b2e 100644 (file)
@@ -292,7 +292,7 @@ find_connection_for_clients(struct spd_route **srp
 
 extern chunk_t get_peer_ca_and_groups(struct connection *c
        , const ietfAttrList_t **peer_list);
-       
+
 /* instantiating routines
  * Note: connection_discard() is in state.h because all its work
  * is looking through state objects.
index d9cf07eeedde77047a5402525751ccf05232e522..f4cfaeb6a83bb42aaf34c9886b720d71e60c0e7b 100644 (file)
@@ -68,8 +68,8 @@ ENUM(dpd_action_names, DPD_ACTION_NONE, DPD_ACTION_RESTART,
        "clear",
        "hold",
        "restart"
-);     
-       
+);
+
 /* Timer events */
 
 ENUM(timer_event_names, EVENT_NULL, EVENT_LOG_DAILY,
@@ -274,7 +274,7 @@ const char *const payload_name_nat_d[] = {
 
 static enum_names payload_names_nat_d =
        { ISAKMP_NEXT_NATD_DRAFTS, ISAKMP_NEXT_NATOA_DRAFTS, payload_name_nat_d, NULL };
-               
+
 enum_names payload_names =
        { ISAKMP_NEXT_NONE, ISAKMP_NEXT_NATOA_RFC, payload_name, &payload_names_nat_d };
 
@@ -845,7 +845,7 @@ static const char *const oakley_auth_name1[] = {
        "ECDSA signature",
        "ECDSA-256 signature",
        "ECDSA-384 signature",
-       "ECDSA-521-signature",   
+       "ECDSA-521-signature",
 };
 
 static const char *const oakley_auth_name2[] = {
@@ -922,7 +922,7 @@ enum_names oakley_group_names_rfc3526 =
                        oakley_group_name_rfc3526, &oakley_group_names_rfc4753 };
 
 enum_names oakley_group_names =
-       { MODP_768_BIT, MODP_1536_BIT, 
+       { MODP_768_BIT, MODP_1536_BIT,
                        oakley_group_name, &oakley_group_names_rfc3526 };
 
 /* Oakley Group Type attribute */
@@ -1153,7 +1153,7 @@ const char *const natt_type_bitnames[] = {
        "4",   "5",   "6",   "7",
        "8",   "9",   "10",  "11",
        "12",  "13",  "14",  "15",
-       "16",  "17",  "18",  "19", 
+       "16",  "17",  "18",  "19",
        "20",  "21",  "22",  "23",
        "24",  "25",  "26",  "27",
        "28",  "29",
@@ -1196,8 +1196,8 @@ enum_show(enum_names *ed, unsigned long val)
 
 static char bitnamesbuf[200];   /* only one!  I hope that it is big enough! */
 
-int 
-enum_search(enum_names *ed, const char *str) 
+int
+enum_search(enum_names *ed, const char *str)
 {
        enum_names  *p;
        const char *ptr;
index dc8d5de85c04fef433b5e25f3bc359d3916a0c61..b20737b73af3bd89e2b9b40b7a4b8cbb189b8d1b 100644 (file)
@@ -689,7 +689,7 @@ extern enum_name_t *cert_policy_names;
 
 typedef enum certpolicy {
        CERT_ALWAYS_SEND   = 0,
-       CERT_SEND_IF_ASKED = 1, 
+       CERT_SEND_IF_ASKED = 1,
        CERT_NEVER_SEND    = 2,
 
        CERT_YES_SEND      = 3,       /* synonym for CERT_ALWAYS_SEND */
index 132caa5e3f5b4242ee13d67cdfaff5987e2108c8..4a7accae744df77db91358a67f2087dfb64ea81b 100644 (file)
@@ -56,7 +56,7 @@ static const asn1Object_t crlObjects[] = {
        { 2,     "version",                                     ASN1_INTEGER,      ASN1_OPT |
                                                                                                                   ASN1_BODY }, /*  2 */
        { 2,     "end opt",                                     ASN1_EOC,          ASN1_END  }, /*  3 */
-       { 2,     "signature",                           ASN1_EOC,          ASN1_RAW  }, /*  4 */        
+       { 2,     "signature",                           ASN1_EOC,          ASN1_RAW  }, /*  4 */
        { 2,     "issuer",                                      ASN1_SEQUENCE,     ASN1_OBJ  }, /*  5 */
        { 2,     "thisUpdate",                          ASN1_EOC,          ASN1_RAW  }, /*  6 */
        { 2,     "nextUpdate",                          ASN1_EOC,          ASN1_RAW  }, /*  7 */
@@ -292,7 +292,7 @@ bool insert_crl(x509crl_t *crl, chunk_t crl_uri, bool cache_crl)
                char digest_buf[HASH_SIZE_SHA1];
                chunk_t subjectKeyID = chunk_from_buf(digest_buf);
                bool has_keyID;
-               
+
                if (issuer_cert->subjectKeyID.ptr == NULL)
                {
                        has_keyID = compute_subjectKeyID(issuer_cert, subjectKeyID);
@@ -343,7 +343,7 @@ void load_crls(void)
                        {
                                char *filename = filelist[n]->d_name;
                                x509crl_t *crl;
-                               
+
                                crl = lib->creds->create(lib->creds, CRED_CERTIFICATE,
                                                CERT_PLUTO_CRL, BUILD_FROM_FILE, filename, BUILD_END);
                                if (crl)
@@ -520,7 +520,7 @@ check_revocation(const x509crl_t *crl, chunk_t serial
 
        *revocationDate = UNDEFINED_TIME;
        *revocationReason = CRL_REASON_UNSPECIFIED;
-       
+
        DBG(DBG_CONTROL,
                DBG_dump_chunk("serial number:", serial)
        )
@@ -649,7 +649,7 @@ verify_by_crl(const x509cert_t *cert, time_t *until, time_t *revocationDate
                                , crl->authKeyID, AUTH_CA);
                valid = x509_check_signature(crl->tbsCertList, crl->signature,
                                                                         crl->algorithm, issuer_cert);
-               
+
                unlock_authcert_list("verify_by_crl");
 
                if (valid)
index dcf039541af3c460d364576cdee18ec563cca0d1..db3080c2af4e6e401d5f7e120cba8c05a17c5a05 100644 (file)
@@ -71,7 +71,7 @@ extern bool cache_crls;
 
 /*
  * check periodically for expired crls
- */ 
+ */
 extern long crl_check_interval;
 
 /* used for initialization */
index f47ad1eeb4ff0db382b8f12a3644a4615afe7434..c6d3950bbef98117110008f3afd628f3b90859d9 100644 (file)
 #include "log.h"
 
 static struct encrypt_desc encrypt_desc_3des =
-{       
+{
        algo_type:       IKE_ALG_ENCRYPT,
-       algo_id:         OAKLEY_3DES_CBC, 
+       algo_id:         OAKLEY_3DES_CBC,
        algo_next:       NULL,
 
-       enc_blocksize:   DES_BLOCK_SIZE, 
+       enc_blocksize:   DES_BLOCK_SIZE,
        keydeflen:               DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
        keyminlen:               DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
        keymaxlen:               DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
@@ -40,7 +40,7 @@ static struct encrypt_desc encrypt_desc_aes =
 {
        algo_type:           IKE_ALG_ENCRYPT,
        algo_id:             OAKLEY_AES_CBC,
-       algo_next:           NULL, 
+       algo_next:           NULL,
 
        enc_blocksize:   AES_BLOCK_SIZE,
        keyminlen:               AES_KEY_MIN_LEN,
@@ -55,7 +55,7 @@ static struct encrypt_desc encrypt_desc_blowfish =
 {
        algo_type:       IKE_ALG_ENCRYPT,
        algo_id:         OAKLEY_BLOWFISH_CBC,
-       algo_next:       NULL, 
+       algo_next:       NULL,
 
        enc_blocksize:   BLOWFISH_BLOCK_SIZE,
        keyminlen:               BLOWFISH_KEY_MIN_LEN,
@@ -83,7 +83,7 @@ static struct encrypt_desc encrypt_desc_serpent =
 #define  TWOFISH_KEY_DEF_LEN   128
 #define  TWOFISH_KEY_MAX_LEN   256
 
-static struct encrypt_desc encrypt_desc_twofish = 
+static struct encrypt_desc encrypt_desc_twofish =
 {
        algo_type:           IKE_ALG_ENCRYPT,
        algo_id:             OAKLEY_TWOFISH_CBC,
@@ -108,18 +108,18 @@ static struct encrypt_desc encrypt_desc_twofish_ssh =
 };
 
 static struct hash_desc hash_desc_md5 =
-{       
+{
        algo_type: IKE_ALG_HASH,
        algo_id:   OAKLEY_MD5,
-       algo_next: NULL, 
+       algo_next: NULL,
        hash_digest_size: HASH_SIZE_MD5,
 };
 
 static struct hash_desc hash_desc_sha1 =
-{       
+{
        algo_type: IKE_ALG_HASH,
        algo_id:   OAKLEY_SHA,
-       algo_next: NULL, 
+       algo_next: NULL,
        hash_digest_size: HASH_SIZE_SHA1,
 };
 
@@ -146,91 +146,91 @@ static struct hash_desc hash_desc_sha2_512 = {
 
 const struct dh_desc unset_group = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    MODP_NONE, 
+       algo_id:    MODP_NONE,
        algo_next:  NULL,
        ke_size:    0
 };
 
-static struct dh_desc dh_desc_modp_1024 = {       
+static struct dh_desc dh_desc_modp_1024 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    MODP_1024_BIT, 
+       algo_id:    MODP_1024_BIT,
        algo_next:  NULL,
        ke_size:    1024 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_1536 = {       
+static struct dh_desc dh_desc_modp_1536 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    MODP_1536_BIT, 
+       algo_id:    MODP_1536_BIT,
        algo_next:  NULL,
        ke_size:    1536 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_2048 = {       
+static struct dh_desc dh_desc_modp_2048 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    MODP_2048_BIT, 
+       algo_id:    MODP_2048_BIT,
        algo_next:  NULL,
        ke_size:    2048 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_3072 = {       
+static struct dh_desc dh_desc_modp_3072 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    MODP_3072_BIT, 
+       algo_id:    MODP_3072_BIT,
        algo_next:  NULL,
        ke_size:    3072 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_4096 = {       
+static struct dh_desc dh_desc_modp_4096 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    MODP_4096_BIT, 
+       algo_id:    MODP_4096_BIT,
        algo_next:  NULL,
        ke_size:    4096 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_6144 = {       
+static struct dh_desc dh_desc_modp_6144 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    MODP_6144_BIT, 
+       algo_id:    MODP_6144_BIT,
        algo_next:  NULL,
        ke_size:    6144 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_modp_8192 = {       
+static struct dh_desc dh_desc_modp_8192 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    MODP_8192_BIT, 
+       algo_id:    MODP_8192_BIT,
        algo_next:  NULL,
        ke_size:    8192 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_ecp_256 = {       
+static struct dh_desc dh_desc_ecp_256 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    ECP_256_BIT, 
+       algo_id:    ECP_256_BIT,
        algo_next:  NULL,
        ke_size:    2*256 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_ecp_384 = {       
+static struct dh_desc dh_desc_ecp_384 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    ECP_384_BIT, 
+       algo_id:    ECP_384_BIT,
        algo_next:  NULL,
        ke_size:    2*384 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_ecp_521 = {       
+static struct dh_desc dh_desc_ecp_521 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    ECP_521_BIT, 
+       algo_id:    ECP_521_BIT,
        algo_next:  NULL,
        ke_size:    2*528 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_ecp_192 = {       
+static struct dh_desc dh_desc_ecp_192 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    ECP_192_BIT, 
+       algo_id:    ECP_192_BIT,
        algo_next:  NULL,
        ke_size:    2*192 / BITS_PER_BYTE
 };
 
-static struct dh_desc dh_desc_ecp_224 = {       
+static struct dh_desc dh_desc_ecp_224 = {
        algo_type:  IKE_ALG_DH_GROUP,
-       algo_id:    ECP_224_BIT, 
+       algo_id:    ECP_224_BIT,
        algo_next:  NULL,
        ke_size:    2*224 / BITS_PER_BYTE
 };
@@ -283,12 +283,12 @@ bool init_crypto(void)
                         (no_md5) ? "MD5" : "");
                return FALSE;
        }
-               
+
        enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
        while (enumerator->enumerate(enumerator, &encryption_alg))
        {
                const struct encrypt_desc *desc;
+
                switch (encryption_alg)
                {
                        case ENCR_3DES:
@@ -308,7 +308,7 @@ bool init_crypto(void)
                                desc = &encrypt_desc_serpent;
                                break;
                        default:
-                               continue;                       
+                               continue;
                }
                ike_alg_add((struct ike_alg *)desc);
        }
@@ -381,7 +381,7 @@ encryption_algorithm_t oakley_to_encryption_algorithm(int alg)
                case OAKLEY_DES_CBC:
                        return ENCR_DES;
                case OAKLEY_IDEA_CBC:
-                       return ENCR_IDEA; 
+                       return ENCR_IDEA;
                case OAKLEY_BLOWFISH_CBC:
                        return ENCR_BLOWFISH;
                case OAKLEY_RC5_R16_B64_CBC:
index 4ba4fa324b9863b9a653b03dfd6a3ad44b5e457b..547ea5f227970d700a37300c12defb15c23e2572 100644 (file)
@@ -1,6 +1,6 @@
 /* Dynamic db (proposal, transforms, attributes) handling.
  * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * for more details.
  */
 
-/* 
+/*
  * The stratedy is to have (full contained) struct db_prop in db_context
  * pointing to ONE dynamically sizable transform vector (trans0).
  * Each transform stores attrib. in ONE dyn. sizable attribute vector (attrs0)
- * in a "serialized" way (attributes storage is used in linear sequence for 
+ * in a "serialized" way (attributes storage is used in linear sequence for
  * subsecuent transforms).
  *
  * Resizing for both trans0 and attrs0 is supported:
@@ -24,7 +24,7 @@
  *               also update trans_cur (by offset)
  * - For attrs0: after allocating and copying attrs, I must rewrite each
  *               trans->attrs present in trans0; to achieve this, calculate
- *               attrs pointer offset (new minus old) and iterate over 
+ *               attrs pointer offset (new minus old) and iterate over
  *               each transform "adding" this difference.
  *               also update attrs_cur (by offset)
  *
@@ -70,7 +70,7 @@
 #ifdef NOT_YET
 /*
  *      Allocator cache:
- *      Because of the single-threaded nature of pluto/spdb.c, 
+ *      Because of the single-threaded nature of pluto/spdb.c,
  *      alloc()/free() is exercised many times with very small
  *      lifetime objects.
  *      Just caching last object (currently it will select the
@@ -84,9 +84,9 @@ struct db_ops_alloc_cache {
 #endif
 
 #ifndef NO_DB_OPS_STATS
-/*      
- *      stats: do account for allocations       
- *      displayed in db_ops_show_status() 
+/*
+ *      stats: do account for allocations
+ *      displayed in db_ops_show_status()
  */
 struct db_ops_stats {
                int st_curr_cnt;        /* current number of allocations */
@@ -100,7 +100,7 @@ struct db_ops_stats {
 static struct db_ops_stats db_context_st = DB_OPS_ZERO;
 static struct db_ops_stats db_trans_st = DB_OPS_ZERO;
 static struct db_ops_stats db_attrs_st = DB_OPS_ZERO;
-static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st) 
+static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st)
 {
                void *ptr = malloc(size);
                if (ptr)
@@ -108,7 +108,7 @@ static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st)
                                st->st_curr_cnt++;
                                st->st_total_cnt++;
                                if (size > st->st_maxsz) st->st_maxsz=size;
-               }       
+               }
                return ptr;
 }
 #define ALLOC_BYTES_ST(z,st) malloc_bytes_st(z, &st);
@@ -125,13 +125,13 @@ static __inline__ void *malloc_bytes_st(size_t size, struct db_ops_stats *st)
  *      as a result of "add" operations
  */
 int
-db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs) 
+db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs)
 {
                ctx->trans0 = NULL;
                ctx->attrs0 = NULL;
 
                if (max_trans > 0) { /* quite silly if not */
-                               ctx->trans0 = ALLOC_BYTES_ST ( sizeof(struct db_trans) * max_trans, 
+                               ctx->trans0 = ALLOC_BYTES_ST ( sizeof(struct db_trans) * max_trans,
                                                                db_trans_st);
                                memset(ctx->trans0, '\0', sizeof(struct db_trans) * max_trans);
                }
@@ -162,12 +162,12 @@ db_trans_expand(struct db_context *ctx, int delta_trans)
                int offset;
 
                old_trans = ctx->trans0;
-               new_trans = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans, 
+               new_trans = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans,
                                                db_trans_st);
                if (!new_trans)
                                goto out;
                memcpy(new_trans, old_trans, ctx->max_trans * sizeof(struct db_trans));
-               
+
                /* update trans0 (obviously) */
                ctx->trans0 = ctx->prop.trans = new_trans;
                /* update trans_cur (by offset) */
@@ -175,7 +175,7 @@ db_trans_expand(struct db_context *ctx, int delta_trans)
 
                {
                  char *cctx = (char *)(ctx->trans_cur);
-               
+
                  cctx += offset;
                  ctx->trans_cur = (struct db_trans *)cctx;
                }
@@ -186,7 +186,7 @@ db_trans_expand(struct db_context *ctx, int delta_trans)
 out:
                return ret;
 }
-/*      
+/*
  *      Expand storage for attributes by delta_attrs number AND
  *      rewrite trans->attr pointers
  */
@@ -201,22 +201,22 @@ db_attrs_expand(struct db_context *ctx, int delta_attrs)
                int offset;
 
                old_attrs = ctx->attrs0;
-               new_attrs = ALLOC_BYTES_ST ( sizeof (struct db_attr) * max_attrs, 
+               new_attrs = ALLOC_BYTES_ST ( sizeof (struct db_attr) * max_attrs,
                                                db_attrs_st);
                if (!new_attrs)
                                goto out;
 
                memcpy(new_attrs, old_attrs, ctx->max_attrs * sizeof(struct db_attr));
-               
+
                /* update attrs0 and attrs_cur (obviously) */
                offset = (char *)(new_attrs) - (char *)(old_attrs);
-               
+
                {
                  char *actx = (char *)(ctx->attrs0);
-               
+
                  actx += offset;
                  ctx->attrs0 = (struct db_attr *)actx;
-               
+
                  actx = (char *)ctx->attrs_cur;
                  actx += offset;
                  ctx->attrs_cur = (struct db_attr *)actx;
@@ -237,13 +237,13 @@ out:
                return ret;
 }
 /*      Allocate a new db object */
-struct db_context * 
-db_prop_new(u_int8_t protoid, int max_trans, int max_attrs) 
+struct db_context *
+db_prop_new(u_int8_t protoid, int max_trans, int max_attrs)
 {
                struct db_context *ctx;
                ctx = ALLOC_BYTES_ST ( sizeof (struct db_context), db_context_st);
                if (!ctx) goto out;
-               
+
                if (db_prop_init(ctx, protoid, max_trans, max_attrs) < 0) {
                                PFREE_ST(ctx, db_context_st);
                                ctx=NULL;
@@ -266,8 +266,8 @@ db_trans_add(struct db_context *ctx, u_int8_t transid)
                /*      skip incrementing current trans pointer the 1st time*/
                if (ctx->trans_cur && ctx->trans_cur->attr_cnt)
                                ctx->trans_cur++;
-               /*      
-                *      Strategy: if more space is needed, expand by 
+               /*
+                *      Strategy: if more space is needed, expand by
                 *                <current_size>/2 + 1
                 *
                 *      This happens to produce a "reasonable" sequence
@@ -287,10 +287,10 @@ db_trans_add(struct db_context *ctx, u_int8_t transid)
 }
 /*      Add attr copy to current transform, expanding attrs0 if needed */
 int
-db_attr_add(struct db_context *ctx, const struct db_attr *a) 
+db_attr_add(struct db_context *ctx, const struct db_attr *a)
 {
-               /*      
-                *      Strategy: if more space is needed, expand by 
+               /*
+                *      Strategy: if more space is needed, expand by
                 *                <current_size>/2 + 1
                 */
                if ((ctx->attrs_cur - ctx->attrs0) >= ctx->max_attrs) {
@@ -302,7 +302,7 @@ db_attr_add(struct db_context *ctx, const struct db_attr *a)
                ctx->trans_cur->attr_cnt++;
                return 0;
 }
-/*      Add attr copy (by value) to current transform, 
+/*      Add attr copy (by value) to current transform,
  *      expanding attrs0 if needed, just calls db_attr_add().
  */
 int
@@ -317,7 +317,7 @@ db_attr_add_values(struct db_context *ctx,  u_int16_t type, u_int16_t val)
 int
 db_ops_show_status(void)
 {
-               whack_log(RC_COMMENT, "stats " __FILE__ ": " 
+               whack_log(RC_COMMENT, "stats " __FILE__ ": "
                                                DB_OPS_STATS_DESC " :"
                                                DB_OPS_STATS_STR("context")
                                                DB_OPS_STATS_STR("trans")
@@ -329,7 +329,7 @@ db_ops_show_status(void)
                return 0;
 }
 #endif /* NO_DB_OPS_STATS */
-/* 
+/*
  * From below to end just testing stuff ....
  */
 #ifdef TEST
@@ -349,7 +349,7 @@ static void db_prop_print(struct db_prop *p)
                                                default:
                                                                continue;
                                }
-                               printf("  transid=\"%s\"\n", 
+                               printf("  transid=\"%s\"\n",
                                                enum_name(n, t->transid));
                                for (ai=0, a=t->attrs; ai < t->attr_cnt; ai++, a++) {
                                                int i;
@@ -367,16 +367,16 @@ static void db_prop_print(struct db_prop *p)
                                                                default:
                                                                                continue;
                                                }
-                                               printf("    type=\"%s\" value=\"%s\"\n", 
+                                               printf("    type=\"%s\" value=\"%s\"\n",
                                                                enum_name(n_at, i),
                                                                enum_name(n_av, a->val));
                                }
                }
 
 }
-static void db_print(struct db_context *ctx) 
+static void db_print(struct db_context *ctx)
 {
-               printf("trans_cur diff=%d, attrs_cur diff=%d\n", 
+               printf("trans_cur diff=%d, attrs_cur diff=%d\n",
                                                ctx->trans_cur - ctx->trans0,
                                                ctx->attrs_cur - ctx->attrs0);
                db_prop_print(&ctx->prop);
index 3cfc909af5f62d62da05474aab9f8e06b5d7fb42..73582dd92e279f29a2fd37ed35cb112df42b1b4a 100644 (file)
@@ -1399,7 +1399,7 @@ process_packet(struct msg_digest **mdp)
                        {
                                memcpy(st->st_ph1_iv, st->st_new_iv, st->st_new_iv_len);
                                st->st_ph1_iv_len = st->st_new_iv_len;
-                               
+
                                /* backup new_iv */
                                new_iv_len = st->st_new_iv_len;
                                passert(new_iv_len <= MAX_DIGEST_LEN)
@@ -1498,7 +1498,7 @@ process_packet(struct msg_digest **mdp)
                }
                else
                {
-                       set_cur_state(st);  
+                       set_cur_state(st);
                        from_state = st->st_state;
                }
 
@@ -1681,7 +1681,7 @@ process_packet(struct msg_digest **mdp)
                default:
                        auth = st->st_oakley.auth;
                }
-               
+
                while (!LHAS(smc->flags, auth))
                {
                        smc++;
@@ -1823,7 +1823,7 @@ process_packet(struct msg_digest **mdp)
                        memcpy(new_iv, data.ptr + data.len - crypter_block_size,
                                   crypter_block_size);
 
-                       crypter->set_key(crypter, st->st_enc_key);      
+                       crypter->set_key(crypter, st->st_enc_key);
                        crypter->decrypt(crypter, data, iv, NULL);
                        crypter->destroy(crypter);
 
@@ -2310,7 +2310,7 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
                                const char *story = state_story[st->st_state - STATE_MAIN_R0];
                                enum rc_type w = RC_NEW_STATE + st->st_state;
                                char sadetails[128];
-                               
+
                                sadetails[0]='\0';
 
                                if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
index 998a10c3527adc027c9133b8a00b0594c819d3e6..5b2ce4c61fb516be15b5224c611e87af0a0f9d1a 100644 (file)
@@ -1817,7 +1817,7 @@ static void
 recover_adns_die(void)
 {
        struct adns_continuation *cr = NULL;
-       
+
        adns_pid = 0;
        if(adns_restart_count < ADNS_RESTART_MAX) {
                adns_restart_count++;
@@ -1834,7 +1834,7 @@ recover_adns_die(void)
                if(continuations != NULL) {
                        for (; cr->previous != NULL; cr = cr->previous);
                }
-                       
+
                next_query = cr;
 
                if(next_query != NULL) {
index 0c69aa526c0c0aea8fc12842240f28aeb9104d48..b8804fb0778baa61677d671f0619e8fd15a30cc7 100644 (file)
@@ -297,7 +297,7 @@ static char* complete_uri(chunk_t distPoint, const char *ldaphost)
        if (symbol != NULL)
        {
                size_t type_len = symbol - ptr;
-               
+
                if (type_len >= 4 && strncasecmp(ptr, "ldap", 4) == 0)
                {
                        ptr = symbol + 1;
@@ -307,7 +307,7 @@ static char* complete_uri(chunk_t distPoint, const char *ldaphost)
                        {
                                len -= 2;
                                symbol = memchr(ptr, '/', len);
-                               
+
                                if (symbol != NULL && symbol - ptr == 0 && ldaphost != NULL)
                                {
                                        uri = malloc(distPoint.len + strlen(ldaphost) + 1);
@@ -322,7 +322,7 @@ static char* complete_uri(chunk_t distPoint, const char *ldaphost)
                        }
                }
        }
-       
+
        /* default action:  copy distributionPoint without change */
        uri = malloc(distPoint.len + 1);
        sprintf(uri, "%.*s", (int)distPoint.len, distPoint.ptr);
@@ -357,7 +357,7 @@ static void fetch_crls(bool cache_crls)
                {
                        char *uri = complete_uri(gn->name, ldaphost);
                        x509crl_t *crl;
-                       
+
                        crl = fetch_crl(uri);
                        if (crl)
                        {
@@ -413,7 +413,7 @@ static void fetch_ocsp_status(ocsp_location_t* location)
        *(uri + location->uri.len) = '\0';
 
        DBG1("  requesting ocsp status from '%s' ...", uri);
-       if (lib->fetcher->fetch(lib->fetcher, uri, &response, 
+       if (lib->fetcher->fetch(lib->fetcher, uri, &response,
                                                        FETCH_REQUEST_DATA, request,
                                                        FETCH_REQUEST_TYPE, "application/ocsp-request",
                                                        FETCH_END) == SUCCESS)
@@ -432,7 +432,7 @@ static void fetch_ocsp_status(ocsp_location_t* location)
        /* increment the trial counter of the unresolved fetch requests */
        {
                ocsp_certinfo_t *certinfo = location->certinfo;
-               
+
                while (certinfo != NULL)
                {
                        certinfo->trials++;
@@ -562,7 +562,7 @@ void add_distribution_points(const generalName_t *newPoints ,generalName_t **dis
        {
                /* skip empty distribution point */
                if (newPoints->name.len > 0)
-               {       
+               {
                        bool add = TRUE;
                        generalName_t *gn = *distributionPoints;
 
index f833f85b5dd318f857361b08505ab99857a12a72..a2648799c1933a6b5b7ba9cae92c7b5887ed385a 100644 (file)
@@ -176,13 +176,13 @@ struct db_context *ike_alg_db_new(struct connection *c, lset_t policy)
                                        enum_show(&oakley_enc_names, ealg));
                        continue;
                }
-               if (!ike_alg_get_hasher(halg)) 
+               if (!ike_alg_get_hasher(halg))
                {
                        plog("ike alg: hasher %s not present",
                                        enum_show(&oakley_hash_names, halg));
                        continue;
                }
-               if (!ike_alg_get_dh_group(modp)) 
+               if (!ike_alg_get_dh_group(modp))
                {
                        plog("ike alg: dh group %s not present",
                                        enum_show(&oakley_group_names, modp));
index f728065ae06bb34ec60c518c6099a8fbb5d30097..21cecd90b4609d6cd18ebf5806acc52df50d0b44 100644 (file)
@@ -405,7 +405,7 @@ static void send_notification(struct state *sndst, u_int16_t type,
                init_phase2_iv(encst, &msgid);
                if (!encrypt_message(&r_hdr_pbs, encst))
                        impossible();
-                       
+
                /* restore preserved st_iv and st_new_iv */
                memcpy(encst->st_iv, old_iv, old_iv_len);
                memcpy(encst->st_new_iv, new_iv, new_iv_len);
@@ -755,7 +755,7 @@ void accept_delete(struct state *st, struct msg_digest *md,
                        else
                        {
                                struct connection *oldc;
-                               
+
                                oldc = cur_connection;
                                set_cur_connection(dst->st_connection);
 
@@ -791,7 +791,7 @@ void accept_delete(struct state *st, struct msg_digest *md,
                        {
                                struct connection *rc = dst->st_connection;
                                struct connection *oldc;
-                               
+
                                oldc = cur_connection;
                                set_cur_connection(rc);
 
@@ -871,7 +871,7 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
        pb_stream rbody;
 
        int vids_to_send = 0;
-       
+
        /* set up new state */
        st->st_connection = c;
        set_cur_state(st);  /* we must reset before exit */
@@ -1253,7 +1253,7 @@ static bool generate_skeyids_iv(struct state *st)
                prf->allocate_bytes(prf, st->st_shared, NULL);
                prf->allocate_bytes(prf, icookie, NULL);
                prf->allocate_bytes(prf, rcookie, NULL);
-               prf->allocate_bytes(prf, seed_skeyid_d, &st->st_skeyid_d); 
+               prf->allocate_bytes(prf, seed_skeyid_d, &st->st_skeyid_d);
 
                /* SKEYID_A */
                free(st->st_skeyid_a.ptr);
@@ -1261,7 +1261,7 @@ static bool generate_skeyids_iv(struct state *st)
                prf->allocate_bytes(prf, st->st_shared, NULL);
                prf->allocate_bytes(prf, icookie, NULL);
                prf->allocate_bytes(prf, rcookie, NULL);
-               prf->allocate_bytes(prf, seed_skeyid_a, &st->st_skeyid_a); 
+               prf->allocate_bytes(prf, seed_skeyid_a, &st->st_skeyid_a);
 
                /* SKEYID_E */
                free(st->st_skeyid_e.ptr);
@@ -1269,7 +1269,7 @@ static bool generate_skeyids_iv(struct state *st)
                prf->allocate_bytes(prf, st->st_shared, NULL);
                prf->allocate_bytes(prf, icookie, NULL);
                prf->allocate_bytes(prf, rcookie, NULL);
-               prf->allocate_bytes(prf, seed_skeyid_e, &st->st_skeyid_e); 
+               prf->allocate_bytes(prf, seed_skeyid_e, &st->st_skeyid_e);
 
                prf->destroy(prf);
        }
@@ -1288,7 +1288,7 @@ static bool generate_skeyids_iv(struct state *st)
                        DBG_dump_chunk("DH_i:", st->st_gi);
                        DBG_dump_chunk("DH_r:", st->st_gr);
                );
-               
+
                hasher->get_hash(hasher, st->st_gi, NULL);
                hasher->get_hash(hasher, st->st_gr, st->st_new_iv);
                hasher->destroy(hasher);
@@ -1301,7 +1301,7 @@ static bool generate_skeyids_iv(struct state *st)
         */
        {
                size_t keysize = st->st_oakley.enckeylen/BITS_PER_BYTE;
+
                /* free any existing key */
                free(st->st_enc_key.ptr);
 
@@ -1318,7 +1318,7 @@ static bool generate_skeyids_iv(struct state *st)
                        prf = lib->crypto->create_prf(lib->crypto, prf_alg);
                        prf->set_key(prf, st->st_skeyid_e);
                        prf_block_size = prf->get_block_size(prf);
-                       
+
                        for (i = 0;;)
                        {
                                prf->get_bytes(prf, seed, &keytemp[i]);
@@ -1335,7 +1335,7 @@ static bool generate_skeyids_iv(struct state *st)
                else
                {
                        st->st_enc_key = chunk_create(st->st_skeyid_e.ptr, keysize);
-               }                       
+               }
                st->st_enc_key = chunk_clone(st->st_enc_key);
        }
 
@@ -1486,7 +1486,7 @@ static size_t sign_hash(signature_scheme_t scheme, struct connection *c,
  */
 struct tac_state {
        struct state *st;
-       chunk_t hash;   
+       chunk_t hash;
        chunk_t sig;
        int tried_cnt;      /* number of keys tried */
 };
@@ -1723,7 +1723,7 @@ encrypt_message(pb_stream *pbs, struct state *st)
        crypter->set_key(crypter, st->st_enc_key);
        crypter->encrypt(crypter, data, iv, NULL);
        crypter->destroy(crypter);
+
        new_iv = data.ptr + data.len - crypter_block_size;
        memcpy(st->st_new_iv, new_iv, crypter_block_size);
        update_iv(st);
@@ -1755,7 +1755,7 @@ static size_t quick_mode_hash12(u_char *dest, u_char *start, u_char *roof,
        if (hash2)
        {
                prf->get_bytes(prf, st->st_ni, NULL); /* include Ni_b in the hash */
-       }     
+       }
        prf->get_bytes(prf, msg_chunk, dest);
        prf_block_size = prf->get_block_size(prf);
        prf->destroy(prf);
@@ -1781,7 +1781,7 @@ static size_t quick_mode_hash3(u_char *dest, struct state *st)
        pseudo_random_function_t prf_alg;
        prf_t *prf;
        size_t prf_block_size;
-       
+
        prf_alg = oakley_to_prf(st->st_oakley.hash);
        prf = lib->crypto->create_prf(lib->crypto, prf_alg);
        prf->set_key(prf, st->st_skeyid_a);
@@ -1814,7 +1814,7 @@ void init_phase2_iv(struct state *st, const msgid_t *msgid)
 
        st->st_new_iv_len = hasher->get_hash_size(hasher);
        passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
-               
+
        hasher->get_hash(hasher, iv_chunk, NULL);
        hasher->get_hash(hasher, msgid_chunk, st->st_new_iv);
        hasher->destroy(hasher);
@@ -1878,7 +1878,7 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
        bool has_client = c->spd.this.has_client || c->spd.that.has_client ||
                                          c->spd.this.protocol || c->spd.that.protocol ||
                                          c->spd.this.port || c->spd.that.port;
-       
+
        bool send_natoa = FALSE;
        u_int8_t np = ISAKMP_NEXT_NONE;
 
@@ -1957,7 +1957,7 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 
        /* SA out */
 
-       /* 
+       /*
         * See if pfs_group has been specified for this conn,
         * if not, fallback to old use-same-as-P1 behaviour
         */
@@ -2142,7 +2142,7 @@ static void decode_cr(struct msg_digest *md, struct connection *c)
        {
                struct isakmp_cr *const cr = &p->payload.cr;
                chunk_t ca_name;
-               
+
                ca_name.len = pbs_left(&p->pbs);
                ca_name.ptr = (ca_name.len > 0)? p->pbs.cur : NULL;
 
@@ -2155,7 +2155,7 @@ static void decode_cr(struct msg_digest *md, struct connection *c)
                        if (ca_name.len > 0)
                        {
                                generalName_t *gn;
-                               
+
                                if (!is_asn1(ca_name))
                                        continue;
 
@@ -2646,7 +2646,7 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
                        if (needed_len && pi->attrs.key_len)
                        {
                                needed_len = pi->attrs.key_len / BITS_PER_BYTE;
-                       }       
+                       }
 
                        switch (pi->attrs.transid)
                        {
@@ -2745,7 +2745,7 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
                        char *keymat_i_peer = pi->peer_keymat + i;
                        chunk_t keymat_our  = { keymat_i_our,  prf_block_size };
                        chunk_t keymat_peer = { keymat_i_peer, prf_block_size };
-                       
+
                        if (st->st_shared.ptr != NULL)
                        {
                                /* PFS: include the g^xy */
@@ -3611,7 +3611,7 @@ main_id_and_auth(struct msg_digest *md
 #endif /* USE_KEYRR */
                                kc == NULL? NULL : kc->ac.gateways_from_dns
                        );
-       
+
                if (r == STF_SUSPEND)
                {
                        /* initiate/resume asynchronous DNS lookup for key */
@@ -3715,7 +3715,7 @@ main_id_and_auth(struct msg_digest *md
  * to find authentication, or we run out of things
  * to try.
  */
-static void key_continue(struct adns_continuation *cr, err_t ugh, 
+static void key_continue(struct adns_continuation *cr, err_t ugh,
                                                 key_tail_fn *tail)
 {
        struct key_continuation *kc = (void *)cr;
@@ -4145,7 +4145,7 @@ stf_status quick_inI1_outR1(struct msg_digest *md)
                if (!decode_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
                , &b.my.net, "our client"))
                        return STF_FAIL + INVALID_ID_INFORMATION;
-               
+
                b.my.proto = id_pd->next->payload.ipsec_id.isaiid_protoid;
                b.my.port = id_pd->next->payload.ipsec_id.isaiid_port;
                b.my.net.addr.u.v4.sin_port = htons(b.my.port);
@@ -4492,7 +4492,7 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
                {
                        public_key_t *pub_key;
                        struct gw_info *gwp;
-               
+
                        /* check that the public key that authenticated
                         * the ISAKMP SA (p1st) will do for this gateway.
                         */
@@ -4888,14 +4888,14 @@ static void dpd_init(struct state *st)
 {
        struct state *p1st = find_state(st->st_icookie, st->st_rcookie
                                                                , &st->st_connection->spd.that.host_addr, 0);
-       
+
        if (p1st == NULL)
                loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
        else if (p1st->st_dpd)
        {
                plog("Dead Peer Detection (RFC 3706) enabled");
                /* randomize the first DPD event */
-               
+
                event_schedule(EVENT_DPD
                        , (0.5 + rand()/(RAND_MAX + 1.E0)) * st->st_connection->dpd_delay
                        , st);
@@ -4975,10 +4975,10 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
        }
 
        /* check the peer's group attributes */
-       
+
        {
                const ietfAttrList_t *peer_list = NULL;
-               
+
                get_peer_ca_and_groups(st->st_connection, &peer_list);
 
                if (!group_membership(peer_list, st->st_connection->name
@@ -5041,7 +5041,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
                                                           , st->st_connection->newest_ipsec_sa
                                                           , st->st_connection->spd.eroute_owner));
        }
-       
+
        st->st_connection->newest_ipsec_sa = st->st_serialno;
 
        /* note (presumed) success */
@@ -5114,9 +5114,9 @@ static stf_status send_isakmp_notification(struct state *st, u_int16_t type,
        u_char
                *r_hashval,     /* where in reply to jam hash value */
                *r_hash_start;  /* start of what is to be hashed */
-               
+
        msgid = generate_msgid(st);
-       
+
        init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "ISAKMP notify");
 
        /* HDR* */
@@ -5144,22 +5144,22 @@ static stf_status send_isakmp_notification(struct state *st, u_int16_t type,
                isan.isan_np = ISAKMP_NEXT_NONE;
                isan.isan_doi = ISAKMP_DOI_IPSEC;
                isan.isan_protoid = PROTO_ISAKMP;
-               isan.isan_spisize = COOKIE_SIZE * 2;  
+               isan.isan_spisize = COOKIE_SIZE * 2;
                isan.isan_type = type;
                if (!out_struct(&isan, &isakmp_notification_desc, &rbody, &notify_pbs))
                        return STF_INTERNAL_ERROR;
                if (!out_raw(st->st_icookie, COOKIE_SIZE, &notify_pbs, "notify icookie"))
-                       return STF_INTERNAL_ERROR;  
+                       return STF_INTERNAL_ERROR;
                if (!out_raw(st->st_rcookie, COOKIE_SIZE, &notify_pbs, "notify rcookie"))
-                       return STF_INTERNAL_ERROR;  
+                       return STF_INTERNAL_ERROR;
                if (data != NULL && len > 0)
                        if (!out_raw(data, len, &notify_pbs, "notify data"))
-                               return STF_INTERNAL_ERROR;    
+                               return STF_INTERNAL_ERROR;
                close_output_pbs(&notify_pbs);
        }
-                       
+
        {
-               /* finish computing HASH */     
+               /* finish computing HASH */
                chunk_t msgid_chunk = chunk_from_thing(msgid);
                chunk_t msg_chunk = { r_hash_start, rbody.cur-r_hash_start };
                pseudo_random_function_t prf_alg;
@@ -5195,7 +5195,7 @@ static stf_status send_isakmp_notification(struct state *st, u_int16_t type,
                init_phase2_iv(st, &msgid);
                if (!encrypt_message(&rbody, st))
                        return STF_INTERNAL_ERROR;
-       
+
                /* restore preserved st_iv and st_new_iv */
                memcpy(st->st_iv, old_iv, old_iv_len);
                memcpy(st->st_new_iv, new_iv, new_iv_len);
index 46edac1cd9f394e56d19bb9482e7362fc47a2c1a..f9972599b61d67310b705de68daf0f50467ba33b 100644 (file)
@@ -868,7 +868,7 @@ static void set_text_said(char *text_said, const ip_address *dst,
  * this allows the entry to be deleted.
  */
 static struct bare_shunt** bare_shunt_ptr(const ip_subnet *ours,
-                                                                                 const ip_subnet *his, 
+                                                                                 const ip_subnet *his,
                                                                                  int transport_proto)
 {
        struct bare_shunt *p, **pp;
@@ -1861,7 +1861,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                        if (ei == &esp_info[countof(esp_info)])
                        {
                                /* Check for additional kernel alg */
-                               if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid, 
+                               if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid,
                                                                                st->st_esp.attrs.auth))!=NULL)
                                {
                                        break;
@@ -1906,7 +1906,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                {
                        case ESP_3DES:
                                /* 168 bits in kernel, need 192 bits for keymat_len */
-                               if (key_len == 21) 
+                               if (key_len == 21)
                                {
                                        key_len = 24;
                                }
@@ -1914,7 +1914,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                        case ESP_DES:
                                /* 56 bits in kernel, need 64 bits for keymat_len */
                                if (key_len == 7)
-                               { 
+                               {
                                        key_len = 8;
                                }
                                break;
@@ -1930,7 +1930,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                                key_len += 4;
                                break;
                        default:
-                               break;                  
+                               break;
                }
 
                /* divide up keying material */
@@ -2032,7 +2032,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                {
                        struct pfkey_proto_info proto_info[4];
                        int i = 0;
-                       
+
                        if (st->st_ipcomp.present)
                        {
                                proto_info[i].proto = IPPROTO_COMP;
@@ -2040,7 +2040,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                                proto_info[i].reqid = c->spd.reqid + 2;
                                i++;
                        }
-                       
+
                        if (st->st_esp.present)
                        {
                                proto_info[i].proto = IPPROTO_ESP;
@@ -2048,7 +2048,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                                proto_info[i].reqid = c->spd.reqid + 1;
                                i++;
                        }
-                       
+
                        if (st->st_ah.present)
                        {
                                proto_info[i].proto = IPPROTO_AH;
@@ -2056,9 +2056,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                                proto_info[i].reqid = c->spd.reqid;
                                i++;
                        }
-                       
+
                        proto_info[i].proto = 0;
-                       
+
                        if (kernel_ops->inbound_eroute
                                && encapsulation == ENCAPSULATION_MODE_TUNNEL)
                        {
@@ -2068,7 +2068,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                                        proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
                                }
                        }
-                       
+
                        /* MCR - should be passed a spd_eroute structure here */
                        (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
                                                          , &c->spd.this.host_addr, &c->spd.this.client
@@ -2079,11 +2079,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
        }
 
        /* If there are multiple SPIs, group them. */
-       
+
        if (kernel_ops->grp_sa && said_next > &said[1])
        {
                struct kernel_sa *s;
-               
+
                /* group SAs, two at a time, inner to outer (backwards in said[])
                 * The grouping is by pairs.  So if said[] contains ah esp ipip,
                 * the grouping would be ipip:esp, esp:ah.
@@ -2095,15 +2095,15 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                                text_said1[SATOT_BUF];
 
                        /* group s[1] and s[0], in that order */
-                       
+
                        set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto);
                        set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto);
-                       
+
                        DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0));
-                       
+
                        s[0].text_said = text_said0;
                        s[1].text_said = text_said1;
-                       
+
                        if (!kernel_ops->grp_sa(s + 1, s))
                        {
                                goto fail;
@@ -2438,7 +2438,7 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
                                , c->name
                                , (c->policy_next ? c->policy_next->name : "none")
                                , ero ? ero->name : "null"
-                               , esr 
+                               , esr
                                , ro ? ro->name : "null"
                                , rosr
                                , st ? st->st_serialno : 0));
@@ -2839,7 +2839,7 @@ static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
 {
        struct connection *c = st->st_connection;
        char text_said[SATOT_BUF];
-       struct kernel_sa sa;        
+       struct kernel_sa sa;
        ip_address
                src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
                dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
@@ -2924,7 +2924,7 @@ bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
                        ret = *idle_time >= idle_max;
                }
        }
-       else 
+       else
        {
                while (f != NULL)
                {
index 7e7d25872be110631da5e1a060149e5c00bc9dcd..35e3eab4acfc953e3302dad129ca6e6875ae1206 100644 (file)
@@ -90,7 +90,7 @@ static struct sadb_alg* sadb_alg_ptr (int satype, int exttype, int alg_id,
        default:
                return NULL;
        }
-       
+
        return alg_p;
 }
 
@@ -154,7 +154,7 @@ bool kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len,
        if (!ret) goto out;
 
        alg_p = &esp_ealg[alg_id];
-       
+
        /*
         * test #2: if key_len specified, it must be in range
         */
@@ -195,8 +195,8 @@ out:
        return ret;
 }
 
-/* 
- * ML: make F_STRICT logic consider enc,auth algorithms 
+/*
+ * ML: make F_STRICT logic consider enc,auth algorithms
  */
 bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
                                                         struct alg_info_esp *alg_info)
@@ -252,7 +252,7 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
        return TRUE;
 }
 
-/**      
+/**
  * Load kernel_alg arrays from /proc used in manual mode from klips/utils/spi.c
  */
 int kernel_alg_proc_read(void)
@@ -312,7 +312,7 @@ int kernel_alg_proc_read(void)
        return 0;
 }
 
-/**     
+/**
  * Load kernel_alg arrays pluto's SADB_REGISTER user by pluto/kernel.c
  */
 void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
@@ -422,7 +422,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id)
                        break;
        }
 
-none:   
+none:
        DBG(DBG_KLIPS,
                DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d",
                                alg_id, keylen)
@@ -471,7 +471,7 @@ void kernel_alg_list(void)
                }
        }
        whack_log(RC_COMMENT, "  encryption:%s", buf);
-       
+
        pos = buf;
        *pos = '\0';
        len = BUF_LEN;
@@ -507,7 +507,7 @@ void kernel_alg_show_connection(struct connection *c, const char *instance)
 
                pfsgroup_name = (c->policy & POLICY_PFS) ?
                                                (c->alg_info_esp->esp_pfsgroup) ?
-                                                       enum_show(&oakley_group_names, 
+                                                       enum_show(&oakley_group_names,
                                                                                  c->alg_info_esp->esp_pfsgroup) :
                                                        "<Phase1>" : "<N/A>";
 
@@ -634,7 +634,7 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
                DBG_log("kernel_alg_db_add() kernel enc ealg_id=%d not present", ealg_id);
                return FALSE;
        }
-       
+
        if (!(policy & POLICY_AUTHENTICATE) &&    /* skip ESP auth attrs for AH */
                esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE)
        {
@@ -666,11 +666,11 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
        {
                db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen);
        }
-               
+
        return TRUE;
 }
 
-/*      
+/*
  *      Create proposal with runtime kernel algos, merging
  *      with passed proposal if not NULL
  *
@@ -713,7 +713,7 @@ struct db_context* kernel_alg_db_new(struct alg_info_esp *alg_info,
        else
        {
                u_int ealg_id;
-               
+
                ESP_EALG_FOR_EACH_UPDOWN(ealg_id)
                {
                        u_int aalg_id;
index 0376e817be8df4a3111eda6fe86e6b937b58f156..3622703180ce0f357522363bb086839401fcee42 100644 (file)
@@ -183,7 +183,7 @@ static void init_netlink(void)
  * @param hdr - Data to be sent.
  * @param rbuf - Return Buffer - contains data returned from the send.
  * @param rbuf_len - Length of rbuf
- * @param description - String - user friendly description of what is 
+ * @param description - String - user friendly description of what is
  *                      being attempted.  Used for diagnostics
  * @param text_said - String
  * @return bool True if the message was succesfully sent.
@@ -382,7 +382,7 @@ static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok,
  * @param proto int (Currently unused) Contains protocol (u=tcp, 17=udp, etc...)
  * @param transport_proto int (Currently unused) 0=tunnel, 1=transport
  * @param satype int
- * @param proto_info 
+ * @param proto_info
  * @param lifetime (Currently unused)
  * @param ip int
  * @return boolean True if successful
@@ -590,7 +590,7 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
                char data[1024];
        } req;
        struct rtattr *attr;
-       u_int16_t icv_size = 64;        
+       u_int16_t icv_size = 64;
 
        memset(&req, 0, sizeof(req));
        req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
@@ -680,13 +680,13 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
                        attr->rta_type = XFRMA_ALG_AEAD;
                        attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen);
                        req.n.nlmsg_len += attr->rta_len;
-                       
+
                        algo = (struct xfrm_algo_aead*)RTA_DATA(attr);
                        algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
                        algo->alg_icv_len = icv_size;
                        strcpy(algo->alg_name, name);
                        memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
-                       
+
                        attr = (struct rtattr *)((char *)attr + attr->rta_len);
                        break;
                }
@@ -962,7 +962,7 @@ static void linux_pfkey_register(void)
 
 /** Create ip_address out of xfrm_address_t.
  *
- * @param family 
+ * @param family
  * @param src xfrm formatted IP address
  * @param dst ip_address formatted destination
  * @return err_t NULL if okay, otherwise an error
@@ -1001,7 +1001,7 @@ static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel,
 
        if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src))
                || (ugh = xfrm_to_ip_address(family, &sel->daddr, dst)))
-       {       
+       {
                return ugh;
        }
 
index 82a6ab648fa2cdd21c397b304b7f95949f91c83f..e99efe0623de554ea644cefbd9d07f9c286e9f9c 100644 (file)
@@ -107,7 +107,7 @@ noklips_del_sa(const struct kernel_sa *sa UNUSED)
 const struct kernel_ops noklips_kernel_ops = {
                type: KERNEL_TYPE_NONE,
                async_fdp: NULL,
-               
+
                init: init_noklips,
                pfkey_register: noklips_register,
                pfkey_register_response: noklips_register_response,
index 7ac405fd4937f4ed955bc13ef5204e12c29b6225..99ba4ff30111d8d9ccad2377c8920bb405fb1021 100644 (file)
@@ -73,7 +73,7 @@ static sparse_names pfkey_type_names = {
                NE(SADB_X_DELFLOW),
                NE(SADB_X_DEBUG),
                NE(SADB_X_NAT_T_NEW_MAPPING),
-               NE(SADB_MAX),   
+               NE(SADB_MAX),
                { 0, sparse_end }
 };
 
@@ -531,7 +531,7 @@ pfkeyext_protocol(int transport_proto
 , const char *text_said
 , struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
-       return (transport_proto == 0)? TRUE 
+       return (transport_proto == 0)? TRUE
                : pfkey_build(
                        pfkey_x_protocol_build(extensions + SADB_X_EXT_PROTOCOL, transport_proto)
                        , description, text_said, extensions);
index 72ae19f9eab3a9bac9cd1023b883bc17c915df7c..4035495c60edf49cc4ab7e3ed24405ac6a262f64 100644 (file)
@@ -392,7 +392,7 @@ enum rsa_private_key_part_t {
        RSA_PART_EXPONENT1        = 5,
        RSA_PART_EXPONENT2        = 6,
        RSA_PART_COEFFICIENT      = 7
-}; 
+};
 
 const char *rsa_private_key_part_names[] = {
        "Modulus",
@@ -464,13 +464,13 @@ static err_t process_rsa_secret(private_key_t **key)
                goto end;
        }
 
-       *key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, 
+       *key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                        BUILD_RSA_MODULUS,  rsa_chunk[RSA_PART_MODULUS],
                                        BUILD_RSA_PUB_EXP,  rsa_chunk[RSA_PART_PUBLIC_EXPONENT],
                                        BUILD_RSA_PRIV_EXP, rsa_chunk[RSA_PART_PRIVATE_EXPONENT],
                                        BUILD_RSA_PRIME1,   rsa_chunk[RSA_PART_PRIME1],
                                        BUILD_RSA_PRIME2,   rsa_chunk[RSA_PART_PRIME2],
-                                       BUILD_RSA_EXP1,     rsa_chunk[RSA_PART_EXPONENT1], 
+                                       BUILD_RSA_EXP1,     rsa_chunk[RSA_PART_EXPONENT1],
                                        BUILD_RSA_EXP2,     rsa_chunk[RSA_PART_EXPONENT2],
                                        BUILD_RSA_COEFF,    rsa_chunk[RSA_PART_COEFFICIENT],
                                        BUILD_END);
@@ -486,7 +486,7 @@ end:
        {
                chunk_clear(&rsa_chunk[p]);
        }
-       return ugh;     
+       return ugh;
 }
 
 /**
@@ -714,7 +714,7 @@ static err_t process_pin(secret_t *s, int whackfd)
                }
        }
        else
-       {   
+       {
                /* we read the pin directly from ipsec.secrets */
                err_t ugh = process_psk_secret(&sc->pin);
                if (ugh != NULL)
index e34409f1c3a20848721240bd6b8461b6f16bb9ca..1a211c27a0de09b99f5a6379a23fd5fbbd92efac 100644 (file)
@@ -99,12 +99,12 @@ static void pluto_dbg(int level, char *fmt, ...)
        else if (cur_debugging & DBG_RAW)
        {
                debug_level = 3;
-       }       
+       }
        else if (cur_debugging & DBG_PARSING)
        {
                debug_level = 2;
        }
-       else 
+       else
        {
                debug_level = 1;
        }
@@ -835,8 +835,8 @@ static void show_loaded_plugins()
        char buf[BUF_LEN], *plugin;
        int len = 0;
        enumerator_t *enumerator;
-       
-       buf[0] = '\0';  
+
+       buf[0] = '\0';
        enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
        while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
        {
index 228827f2aa3a6b971d79ec135a58eb635b7cc6e4..c1092f46150d193b5373290d8c0d237f5b106239 100644 (file)
@@ -140,7 +140,7 @@ get_internal_addr(struct connection *c, internal_addr_t *ia)
                c->spd.that.client.addr     = ia->ipaddr;
                c->spd.that.client.maskbits = 32;
                c->spd.that.has_client      = TRUE;
-               
+
                ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS)
                                         | LELEM(INTERNAL_IP4_NETMASK);
        }
@@ -165,7 +165,7 @@ get_internal_addr(struct connection *c, internal_addr_t *ia)
                        }
                        plog("assigning DNS server %s to peer", dns_str);
 
-                       /* differentiate between IP4 and IP6 in modecfg_build_msg() */ 
+                       /* differentiate between IP4 and IP6 in modecfg_build_msg() */
                        ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
                        dns_idx++;
                }
@@ -191,7 +191,7 @@ get_internal_addr(struct connection *c, internal_addr_t *ia)
                        }
                        plog("assigning NBNS server %s to peer", nbns_str);
 
-                       /* differentiate between IP4 and IP6 in modecfg_build_msg() */ 
+                       /* differentiate between IP4 and IP6 in modecfg_build_msg() */
                        ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
                        nbns_idx++;
                }
@@ -227,7 +227,7 @@ set_internal_addr(struct connection *c, internal_addr_t *ia)
                        plog("replacing virtual IP source address %s by %s"
                                , old_srcip, new_srcip);
                }
-               
+
                /* setting srcip */
                c->spd.this.host_srcip = ia->ipaddr;
 
@@ -263,12 +263,12 @@ static size_t modecfg_hash(u_char *dest, u_char *start, u_char *roof,
        DBG(DBG_CRYPT,
                DBG_log("ModeCfg HASH computed:");
                DBG_dump("", dest, prf_block_size)
-       ) 
+       )
        return prf_block_size;
 }
 
 
-/* 
+/*
  * Generate an IKE message containing ModeCfg information (eg: IP, DNS, WINS)
  */
 static stf_status
@@ -322,7 +322,7 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
                                        is_unity_attr_set = FALSE;
                                }
                        }
-               
+
                        dont_advance = FALSE;
 
                        if (attr_set & 1)
@@ -384,7 +384,7 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
                                                                mask[t] = 0xff;
                                                        m -= 8;
                                                }
-#endif                              
+#endif
                                                if (st->st_connection->spd.this.client.maskbits == 0)
                                                {
                                                        mask = 0;
@@ -735,7 +735,7 @@ modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
        return STF_OK;
 }
 
-/* 
+/*
  * Parse a ModeCfg message
  */
 static stf_status
@@ -859,7 +859,7 @@ modecfg_inR0(struct msg_digest *md)
 /* STATE_MODE_CFG_I1:
  * HDR*, HASH, ATTR(REPLY=IP)
  *
- * used in ModeCfg pull mode, on the client (initiator) 
+ * used in ModeCfg pull mode, on the client (initiator)
  */
 stf_status
 modecfg_inI1(struct msg_digest *md)
@@ -1148,7 +1148,7 @@ xauth_inR1(struct msg_digest *md)
                plog("user password attribute is missing in XAUTH reply");
                st->st_xauth.status = FALSE;
        }
-       else 
+       else
        {
                xauth_peer_t peer;
 
index 86bfc6ed280240129a67a3da87a134dd269d81f5..bc1443012a89d4b278188d592caaa256bcf41f96 100644 (file)
@@ -1,7 +1,7 @@
 /* Mode Config related functions
  * Copyright (C) 2001-2002 Colubris Networks
  * Copyright (C) 2003-2004 Xelerance Corporation
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
index de3972fe2e799c4d548c85be38e20d1f9e2c6022..ac35b01acfe8412d18fe3ba5b37db0f4fd604be5 100644 (file)
@@ -147,7 +147,7 @@ static void _natd_hash(const struct hash_desc *oakley_hasher, char *hash,
                                addr_chunk = chunk_from_thing(ip->u.v6.sin6_addr.s6_addr);
                                break;
                        default:
-                               addr_chunk = chunk_empty; /* should never occur */ 
+                               addr_chunk = chunk_empty; /* should never occur */
                }
                hasher->get_hash(hasher, addr_chunk, NULL);
                hasher->get_hash(hasher, port_chunk, hash);
@@ -310,7 +310,7 @@ bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
        DBG(DBG_EMITTING,
                DBG_log("sending NATD payloads")
        )
-               
+
        /*
         * First one with sender IP & port
         */
@@ -348,7 +348,7 @@ bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
 
 /*
  * nat_traversal_natoa_lookup()
- * 
+ *
  * Look for NAT-OA in message
  */
 void nat_traversal_natoa_lookup(struct msg_digest *md)
@@ -435,7 +435,7 @@ void nat_traversal_natoa_lookup(struct msg_digest *md)
                {
                        char ip_t[ADDRTOT_BUF];
                        addrtot(&ip, 0, ip_t, sizeof(ip_t));
-               
+
                        DBG_log("received NAT-OA: %s", ip_t);
                }
        )
@@ -514,7 +514,7 @@ void nat_traversal_show_result (u_int32_t nt, u_int16_t sport)
                mth = natt_type_bitnames[2];
                break;
        }
-       
+
        switch (nt & NAT_T_DETECTED)
        {
        case 0:
index cdbdd32c14b78a693542c7a5ed8d44786af93623..4be3298aef2188789a4294344f8722e13df48f5a 100644 (file)
@@ -294,7 +294,7 @@ static bool build_ocsp_location(const x509cert_t *cert, ocsp_location_t *locatio
 {
        hasher_t *hasher;
        static u_char digest[HASH_SIZE_SHA1];  /* temporary storage */
-       
+
        location->uri = cert->accessLocation;
 
        if (location->uri.ptr == NULL)
@@ -310,7 +310,7 @@ static bool build_ocsp_location(const x509cert_t *cert, ocsp_location_t *locatio
                        return FALSE;
                }
        }
-       
+
        /* compute authNameID from as SHA-1 hash of issuer DN */
        location->authNameID = chunk_create(digest, HASH_SIZE_SHA1);
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
@@ -325,8 +325,8 @@ static bool build_ocsp_location(const x509cert_t *cert, ocsp_location_t *locatio
        location->issuer = cert->issuer;
        location->authKeyID = cert->authKeyID;
        location->authKeySerialNumber = cert->authKeySerialNumber;
-       
-       if (cert->authKeyID.ptr == NULL) 
+
+       if (cert->authKeyID.ptr == NULL)
        {
                x509cert_t *authcert = get_authcert(cert->issuer
                                , cert->authKeySerialNumber, cert->authKeyID, AUTH_CA);
@@ -426,7 +426,7 @@ cert_status_t verify_by_ocsp(const x509cert_t *cert, time_t *until,
 
        *revocationDate = UNDEFINED_TIME;
        *revocationReason = CRL_REASON_UNSPECIFIED;
-       
+
        /* is an ocsp location defined? */
        if (!build_ocsp_location(cert, &location))
                return CERT_UNDEFINED;
@@ -457,7 +457,7 @@ void check_ocsp(void)
 
        lock_ocsp_cache("check_ocsp");
        location = ocsp_cache;
-       
+
        while (location != NULL)
        {
                char buf[BUF_LEN];
@@ -1039,11 +1039,11 @@ static bool valid_ocsp_response(response_t *res)
                        unlock_authcert_list("valid_ocsp_response");
                        return FALSE;
                }
-               
+
                DBG(DBG_CONTROL,
                        DBG_log("certificate is valid")
                )
-               
+
                authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
                        , cert->authKeyID, AUTH_CA);
 
@@ -1388,7 +1388,7 @@ void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info,
                *certinfop = cnew;
                certinfo = cnew;
        }
-               
+
        DBG(DBG_CONTROL,
                datatot(info->serialNumber.ptr, info->serialNumber.len, ':'
                        , buf, BUF_LEN);
@@ -1403,7 +1403,7 @@ void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info,
        if (request)
        {
                certinfo->status = CERT_UNDEFINED;
-               
+
                if (cmp != 0)
                {
                        certinfo->thisUpdate = now;
@@ -1415,7 +1415,7 @@ void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info,
                certinfo->status = info->status;
                certinfo->revocationTime = info->revocationTime;
                certinfo->revocationReason = info->revocationReason;
-               
+
                certinfo->thisUpdate = (info->thisUpdate != UNDEFINED_TIME)?
                        info->thisUpdate : now;
 
@@ -1446,7 +1446,7 @@ static void process_single_response(ocsp_location_t *location,
                plog("ocsp single response has wrong issuer");
                return;
        }
-       
+
        /* traverse list of certinfos in increasing order */
        certinfop = &location->certinfo;
        certinfo = *certinfop;
@@ -1468,14 +1468,14 @@ static void process_single_response(ocsp_location_t *location,
 
        /* unlink cert from ocsp fetch request list */
        *certinfop = certinfo->next;
-       
+
        /* update certinfo using the single response information */
        certinfo->thisUpdate = sres->thisUpdate;
        certinfo->nextUpdate = sres->nextUpdate;
        certinfo->status = sres->status;
        certinfo->revocationTime = sres->revocationTime;
        certinfo->revocationReason = sres->revocationReason;
-       
+
        /* add or update certinfo in ocsp cache */
        lock_ocsp_cache("process_single_response");
        add_certinfo(location, certinfo, &ocsp_cache, FALSE);
index 01967efedb8b90cb4d9fd654ef71ca3022736e59..b82fe20e324d4894d0cf266a4fd68211447ad813 100644 (file)
@@ -535,7 +535,7 @@ struct_desc isakmp_vendor_id_desc = { "ISAKMP Vendor ID Payload", isag_fields, s
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         ! Next Payload  !   RESERVED    !         Payload Length        !
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-        !     Type      !   RESERVED    !           Identifier          ! 
+        !     Type      !   RESERVED    !           Identifier          !
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         !                                                               !
         ~                           Attributes                          ~
index 3cbfeb71708b7b2203dde755c911f39568a4ed5b..e1561665a154361fb65ed9d9e91ba5e8c574f03c 100644 (file)
@@ -283,7 +283,7 @@ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
        else
        {
                chunk_t fp;
-               
+
                /* V3 fingerprint is computed by public_key_t class */
                if (!cert->public_key->get_fingerprint(cert->public_key, KEY_ID_PGPV3,
                                                                                           &fp))
@@ -307,7 +307,7 @@ bool parse_pgp(chunk_t blob, pgpcert_t *cert)
                /* should not occur, nothing to parse */
                return FALSE;
        }
-       
+
        /* parse a PGP certificate file */
        cert->certificate = blob;
        time(&cert->installed);
index 9b13c236aa0e189fcfb34474037c3f9a8b97ceff..e6b085f782915e6a74d36ce70897c0dbc6d13afd 100644 (file)
@@ -155,13 +155,13 @@ static char ASN1_pkcs7_encrypted_data_oid_str[] = {
        0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06
 };
 
-static const chunk_t ASN1_pkcs7_data_oid = 
+static const chunk_t ASN1_pkcs7_data_oid =
                                                chunk_from_buf(ASN1_pkcs7_data_oid_str);
 static const chunk_t ASN1_pkcs7_signed_data_oid =
                                                chunk_from_buf(ASN1_pkcs7_signed_data_oid_str);
 static const chunk_t ASN1_pkcs7_enveloped_data_oid =
                                                chunk_from_buf(ASN1_pkcs7_enveloped_data_oid_str);
-static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid = 
+static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid =
                                                chunk_from_buf(ASN1_pkcs7_signed_enveloped_data_oid_str);
 static const chunk_t ASN1_pkcs7_digested_data_oid =
                                                chunk_from_buf(ASN1_pkcs7_digested_data_oid_str);
@@ -180,7 +180,7 @@ static u_char ASN1_des_cbc_oid_str[] = {
        0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x07
 };
 
-static const chunk_t ASN1_3des_ede_cbc_oid = 
+static const chunk_t ASN1_3des_ede_cbc_oid =
                                                chunk_from_buf(ASN1_3des_ede_cbc_oid_str);
 static const chunk_t ASN1_des_cbc_oid =
                                                chunk_from_buf(ASN1_des_cbc_oid_str);
@@ -308,7 +308,7 @@ bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
                case PKCS7_SIGNER_INFO:
                        signerInfos++;
                        DBG2("  signer #%d", signerInfos);
-                       break;      
+                       break;
                case PKCS7_SIGNED_ISSUER:
                        dntoa(buf, BUF_LEN, object);
                        DBG2("  '%s'",buf);
@@ -444,21 +444,21 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
                case PKCS7_ISSUER:
                        dntoa(buf, BUF_LEN, object);
                        DBG2("  '%s'", buf);
-                       break;      
+                       break;
                case PKCS7_SERIAL_NUMBER:
                        if (!chunk_equals(serialNumber, object))
                        {
                                DBG1("serial numbers do not match");
                                goto end;
-                       }   
-                       break;      
+                       }
+                       break;
                case PKCS7_ENCRYPTION_ALG:
                        enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL);
                        if (enc_alg != OID_RSA_ENCRYPTION)
                        {
                                DBG1("only rsa encryption supported");
                                goto end;
-                       } 
+                       }
                        break;
                case PKCS7_ENCRYPTED_KEY:
                        if (!key->decrypt(key, object, &symmetric_key))
@@ -477,7 +477,7 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
                        break;
                case PKCS7_CONTENT_ENC_ALGORITHM:
                        content_enc_alg = asn1_parse_algorithmIdentifier(object, level, &iv);
-       
+
                        if (content_enc_alg == OID_UNKNOWN)
                        {
                                DBG1("unknown content encryption algorithm");
@@ -585,12 +585,12 @@ chunk_t pkcs7_contentType_attribute(void)
 
 /**
  * @brief Builds a messageDigest attribute
- * 
- * 
+ *
+ *
  * @param[in] blob content to create digest of
  * @param[in] digest_alg digest algorithm to be used
  * @return ASN.1 encoded messageDigest attribute
- * 
+ *
  */
 chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg)
 {
@@ -737,7 +737,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int enc_
        /* generate a true random symmetric encryption key and a pseudo-random iv */
        {
                rng_t *rng;
-               
+
                rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
                rng->allocate_bytes(rng, crypter->get_key_size(crypter), &symmetricKey);
                DBG4("symmetric encryption key %B", &symmetricKey);
@@ -775,13 +775,13 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int enc_
 
        cert->public_key->encrypt(cert->public_key, symmetricKey, &protectedKey);
 
-       /* build pkcs7 enveloped data object */ 
+       /* build pkcs7 enveloped data object */
        {
-               
+
                chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm"
                                        , asn1_build_known_oid(enc_alg)
                                        , asn1_simple_object(ASN1_OCTET_STRING, iv));
-               
+
                chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm"
                                        , ASN1_pkcs7_data_oid
                                        , contentEncryptionAlgorithm
index 550bda99972252c09843634571bc1d49118e99eb..808e5f042d8633b1b19d9c506452296b5f295a36 100644 (file)
@@ -234,8 +234,8 @@ static void print_plugins()
        char buf[BUF_LEN], *plugin;
        int len = 0;
        enumerator_t *enumerator;
-       
-       buf[0] = '\0';  
+
+       buf[0] = '\0';
        enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
        while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
        {
@@ -652,7 +652,7 @@ int main(int argc, char **argv)
        }
 
        /* load plugins, further infrastructure may need it */
-       if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
+       if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
                        lib->settings->get_str(lib->settings, "pluto.load", PLUGINS)))
        {
                exit(SS_RC_INITIALIZATION_FAILED);
@@ -678,7 +678,7 @@ int main(int argc, char **argv)
 
        /* drop unneeded capabilities and change UID/GID */
        prctl(PR_SET_KEEPCAPS, 1);
-               
+
 #ifdef IPSEC_GROUP
        {
                struct group group, *grp;
index 013deb4467405f7db1ee4cd55aa0719f2317fa15..818b84e6ece8832e9805d237d235a08ed86ecf2a 100644 (file)
@@ -424,7 +424,7 @@ whack_handle(int whackctlfd)
 
        if (msg.whack_ca && msg.cacert != NULL)
                add_ca_info(&msg);
-               
+
        /* process "listen" before any operation that could require it */
        if (msg.whack_listen)
        {
index 9261e1e4c3f172bcf0bd57c90b95a8bed29ebb1d..3283bdc8933110061ef5cc289dfcbee26d0b7227 100644 (file)
@@ -7,10 +7,10 @@
 
  * License is also granted to make and use derivative works provided that
  * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
  * referencing the derived work.
 
- * RSA Security Inc. makes no representations concerning either the 
+ * RSA Security Inc. makes no representations concerning either the
  * merchantability of this software or the suitability of this software for
  * any particular purpose. It is provided "as is" without express or implied
  * warranty of any kind.
@@ -275,7 +275,7 @@ extern "C" {
 
 #define CK_PKCS11_FUNCTION_INFO(name) \
   __PASTE(CK_,name) name;
-  
+
 struct CK_FUNCTION_LIST {
 
   CK_VERSION    version;  /* Cryptoki version */
index dec6315dd149fb293c34ac72134cabfd4599d0d6..54b884aed286ed7f8a247a433140fced805db88b 100644 (file)
@@ -7,10 +7,10 @@
 
  * License is also granted to make and use derivative works provided that
  * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
  * referencing the derived work.
 
- * RSA Security Inc. makes no representations concerning either the 
+ * RSA Security Inc. makes no representations concerning either the
  * merchantability of this software or the suitability of this software for
  * any particular purpose. It is provided "as is" without express or implied
  * warranty of any kind.
@@ -564,7 +564,7 @@ CK_PKCS11_FUNCTION_INFO(C_Sign)
 
 
 /* C_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data, 
+ * where the signature is (will be) an appendix to the data,
  * and plaintext cannot be recovered from the signature. */
 CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
 #ifdef CK_NEED_ARG_LIST
@@ -576,7 +576,7 @@ CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
 #endif
 
 
-/* C_SignFinal finishes a multiple-part signature operation, 
+/* C_SignFinal finishes a multiple-part signature operation,
  * returning the signature. */
 CK_PKCS11_FUNCTION_INFO(C_SignFinal)
 #ifdef CK_NEED_ARG_LIST
@@ -625,12 +625,12 @@ CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
 (
   CK_SESSION_HANDLE hSession,    /* the session's handle */
   CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-  CK_OBJECT_HANDLE  hKey         /* verification key */ 
+  CK_OBJECT_HANDLE  hKey         /* verification key */
 );
 #endif
 
 
-/* C_Verify verifies a signature in a single-part operation, 
+/* C_Verify verifies a signature in a single-part operation,
  * where the signature is an appendix to the data, and plaintext
  * cannot be recovered from the signature. */
 CK_PKCS11_FUNCTION_INFO(C_Verify)
@@ -646,7 +646,7 @@ CK_PKCS11_FUNCTION_INFO(C_Verify)
 
 
 /* C_VerifyUpdate continues a multiple-part verification
- * operation, where the signature is an appendix to the data, 
+ * operation, where the signature is an appendix to the data,
  * and plaintext cannot be recovered from the signature. */
 CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
 #ifdef CK_NEED_ARG_LIST
@@ -772,7 +772,7 @@ CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
 #endif
 
 
-/* C_GenerateKeyPair generates a public-key/private-key pair, 
+/* C_GenerateKeyPair generates a public-key/private-key pair,
  * creating new key objects. */
 CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
 #ifdef CK_NEED_ARG_LIST
index 7e4452d89d1c77ef215e202edc7e435da5249ddd..8b479009f1aa92ebd0fa9da7b249479f502ff8a7 100644 (file)
@@ -115,7 +115,7 @@ static const char *const pkcs11_return_name_10[] = {
        };
 
 static const char *const pkcs11_return_name_20[] = {
-               "CKR_DATA_INVALID", 
+               "CKR_DATA_INVALID",
                "CKR_DATA_LEN_RANGE"
        };
 
@@ -659,7 +659,7 @@ scx_find_all_cert_objects(void)
                                , enum_show(&pkcs11_return_names, rv));
                        continue;
                }
-               
+
                if (!(info.flags & CKF_TOKEN_PRESENT))
                {
                        plog("no token present in slot %lu", slot);
@@ -750,7 +750,7 @@ scx_init(const char* module, const char *init_args)
 }
 
 /*
- * finalize and unload PKCS#11 cryptoki module 
+ * finalize and unload PKCS#11 cryptoki module
  */
 void
 scx_finalize(void)
@@ -791,12 +791,12 @@ scx_on_smartcard(const char *filename)
 
 #ifdef SMARTCARD
 /*
- * find a specific object on the smartcard 
+ * find a specific object on the smartcard
  */
 static bool
-scx_pkcs11_find_object( CK_SESSION_HANDLE session, 
-                                               CK_OBJECT_HANDLE_PTR object, 
-                                               CK_OBJECT_CLASS class, 
+scx_pkcs11_find_object( CK_SESSION_HANDLE session,
+                                               CK_OBJECT_HANDLE_PTR object,
+                                               CK_OBJECT_CLASS class,
                                                const char* id)
 {
        size_t len;
@@ -863,7 +863,7 @@ scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
                        , enum_show(&pkcs11_return_names, rv));
                 return FALSE;
        }
-               
+
        if (!(info.flags & CKF_TOKEN_PRESENT))
        {
                plog("no token present in slot %lu", slot);
@@ -891,7 +891,7 @@ scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
                sc->session_opened = TRUE;
                return TRUE;
        }
-               
+
        rv = pkcs11_functions->C_CloseSession(session);
        if (rv != CKR_OK)
        {
@@ -996,7 +996,7 @@ scx_login(smartcard_t *sc)
                )
                return TRUE;
        }
-               
+
        if (sc->pin.ptr == NULL)
        {
                plog("unable to log in without PIN!");
@@ -1009,7 +1009,7 @@ scx_login(smartcard_t *sc)
                return FALSE;
        }
 
-       rv = pkcs11_functions->C_Login(sc->session, CKU_USER 
+       rv = pkcs11_functions->C_Login(sc->session, CKU_USER
                                                                , (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
        if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
        {
@@ -1035,7 +1035,7 @@ static void
 scx_logout(smartcard_t *sc)
 {
        CK_RV rv;
-       
+
        rv = pkcs11_functions->C_Logout(sc->session);
        if (rv != CKR_OK)
                plog("error in C_Logout: %s"
@@ -1067,7 +1067,7 @@ scx_release_context(smartcard_t *sc)
                        scx_logout(sc);
 
                sc->session_opened = FALSE;
-               
+
                rv = pkcs11_functions->C_CloseSession(sc->session);
                if (rv != CKR_OK)
                        plog("error in C_CloseSession: %s"
@@ -1169,7 +1169,7 @@ scx_parse_number_slot_id(const char *number_slot_id)
 
        if (len == 0)                       /* default: use certificate #1 */
        {
-               sc->number = 1; 
+               sc->number = 1;
        }
        else if (*number_slot_id == '#')    /* #number scheme */
        {
@@ -1223,7 +1223,7 @@ scx_verify_pin(smartcard_t *sc)
 {
 #ifdef SMARTCARD
        CK_RV rv;
-       
+
        if (!sc->pinpad)
                sc->valid = FALSE;
 
@@ -1377,7 +1377,7 @@ scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen
 #endif
 }
 
-/* 
+/*
  * encrypt data block with an RSA public key
  */
 bool
@@ -1423,7 +1423,7 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
                scx_release_context(sc);
                return FALSE;
        }
-               
+
        /* there must be enough space left for the PKCS#1 v1.5 padding */
        if (inlen > attr[0].ulValueLen - 11)
        {
@@ -1467,7 +1467,7 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
                        rsa_key = asn1_wrap(ASN1_SEQUENCE, "mm",
                                                                asn1_integer("m", rsa_modulus),
                                                                asn1_integer("m", rsa_exponent));
-                       key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,  
+                       key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
                                                                BUILD_BLOB_ASN1_DER, rsa_key, BUILD_END);
                        free(rsa_key.ptr);
                        if (key == NULL)
@@ -1527,7 +1527,7 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
        return FALSE;
 #endif
 }
-/* 
+/*
  * decrypt a data block with an RSA private key
  */
 bool
@@ -1570,7 +1570,7 @@ scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
                scx_release_context(sc);
                return FALSE;
        }
-               
+
        DBG(DBG_CONTROL,
                DBG_log("doing RSA decryption on smartcard")
        )
@@ -1680,7 +1680,7 @@ scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op
                DBG_dump("smartcard output data:\n", inbuf, outlen)
        )
 
-       if (outbase == 0)  /* use default base */ 
+       if (outbase == 0)  /* use default base */
                outbase = DEFAULT_BASE;
 
        if (outbase == 256) /* ascii plain text */
@@ -1957,7 +1957,7 @@ scx_list(bool utc)
                        , scx_print_slot(sc, "    ")
                        , sc->session_opened? "opened" : "closed"
                        , sc->logged_in? "in" : "out"
-                       , sc->pinpad? "pin pad" 
+                       , sc->pinpad? "pin pad"
                                : ((sc->pin.ptr == NULL)? "no pin"
                                        : sc->valid? "valid pin" : "invalid pin"));
                if (sc->id != NULL)
index a86c9f21526a1e243378311eb5cd6e98ef3c3b77..975e79f963edfb8ffe7243db38b2cb9130e583a6 100644 (file)
@@ -607,7 +607,7 @@ static u_int32_t decode_long_duration(pb_stream *pbs)
 }
 
 /* Preparse the body of an ISAKMP SA Payload and
- * return body of ISAKMP Proposal Payload 
+ * return body of ISAKMP Proposal Payload
  *
  * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
  * Error response is rudimentary.
@@ -1114,7 +1114,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
                                                                                , (long) val
                                                                                , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
 #endif
-                                       }   
+                                       }
                                        ta.life_seconds = val;
                                        break;
                                case OAKLEY_LIFE_KILOBYTES:
@@ -2138,7 +2138,7 @@ parse_ipsec_sa_body(
                        }
                        if (tn == esp_proposal.isap_notrans)
                                continue;       /* we didn't find a nice one */
-                       
+
                        esp_attrs.spi = esp_spi;
                        inner_proto = IPPROTO_ESP;
                        if (esp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
index 5bef36c5c064bebf815f4b54f501e2cd50fe1185..9c6f49235ba2dcb58961335b6415e4c925035c8b 100644 (file)
@@ -448,7 +448,7 @@ void delete_states_by_connection(struct connection *c, bool relations)
                        }
                }
        }
-       
+
        sr = &c->spd;
        while (sr != NULL)
        {
@@ -521,7 +521,7 @@ struct state *duplicate_state(struct state *st)
 
        memcpy(nst->st_icookie, st->st_icookie, COOKIE_SIZE);
        memcpy(nst->st_rcookie, st->st_rcookie, COOKIE_SIZE);
-       
+
        nst->st_connection = st->st_connection;
        nst->st_doi = st->st_doi;
        nst->st_situation = st->st_situation;
@@ -724,7 +724,7 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
                ? "; eroute owner" : "";
        const char *dpd = (all && st->st_dpd && c->dpd_action != DPD_ACTION_NONE)
                                          ? "; DPD active" : "";
-       
+
        passert(st->st_event != 0);
 
        fmt_conn_instance(c, inst);
index 89082f88e51e16d1c511677d4af8514d0565bff5..1fbd9296903f7e2eecce6d74d0402ba8012eb536 100644 (file)
@@ -143,7 +143,7 @@ void event_schedule(enum event_type type, time_t tm, struct state *st)
 bool init_secret(void)
 {
        rng_t *rng;
-        
+
        rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 
        if (rng == NULL)
@@ -216,7 +216,7 @@ void handle_timer_event(void)
                        passert(st->st_dpd_event == ev);
                        st->st_dpd_event = NULL;
                }
-               else 
+               else
                {
                        passert(st->st_event == ev);
                        st->st_event = NULL;
index 090a3cb90d70fba96b9ee71ee156b02ccb99389c..8c1aaf0b8105f7bbffc8ed2d731243fc0e83e65c 100644 (file)
@@ -158,7 +158,7 @@ static struct vid_struct _vid_tab[] = {
                { VID_CISCO3K, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "Cisco VPN 3000 Series" ,
                  { "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50", 14 } },
 
-               { VID_CISCO_IOS, VID_KEEP | VID_SUBSTRING_MATCH, 
+               { VID_CISCO_IOS, VID_KEEP | VID_SUBSTRING_MATCH,
                  NULL, "Cisco IOS Device", { "\x3e\x98\x40\x48", 4 } },
 
                /*
@@ -297,7 +297,7 @@ static struct vid_struct _vid_tab[] = {
                DEC_MD5_VID(NATT_RFC, "RFC 3947")
 
                /* misc */
-               
+
                { VID_MISC_XAUTH, VID_KEEP, NULL, "XAUTH",
                        { "\x09\x00\x26\x89\xdf\xd6\xb7\x12", 8 } },
 
@@ -305,7 +305,7 @@ static struct vid_struct _vid_tab[] = {
                        { "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00", 16 } },
 
                DEC_MD5_VID(MISC_FRAGMENTATION, "FRAGMENTATION")
-               
+
                DEC_MD5_VID(INITIAL_CONTACT, "Vid-Initial-Contact")
 
                /**
@@ -339,7 +339,7 @@ void init_vendorid(void)
                else if (vid->flags & VID_MD5HASH)
                {
                        chunk_t vid_data = { (u_char *)vid->data, strlen(vid->data) };
-                       
+
                        /** VendorID is a string to hash with MD5 **/
                        hasher->allocate_hash(hasher, vid_data, &vid->vid);
                }
index 2067bde01f73ee08ebcb93e5323b18670b99b927..84f24e9c82d30406543d4b5ecec7d16769cc442c 100644 (file)
@@ -227,7 +227,7 @@ struct virtual_t
                }
                else
                        goto fail;
-               
+
                str = *next ? next+1 : NULL;
        }
 
@@ -312,7 +312,7 @@ is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net,
        if (c->spd.that.virt->n_net
        &&  net_in_list(peer_net, c->spd.that.virt->net, c->spd.that.virt->n_net))
                return TRUE;
-       
+
        if (c->spd.that.virt->flags & F_VIRTUAL_ALL)
        {
                /** %all must only be used for testing - log it **/
index 827c2c95cad0acc2619e84296d080fa4ac99782c..50322da8836bfc844e880bd52ca734f47f5694f5 100644 (file)
@@ -49,7 +49,7 @@
 static x509cert_t *x509certs     = NULL;
 
 /**
- * ASN.1 definition of a basicConstraints extension 
+ * ASN.1 definition of a basicConstraints extension
  */
 static const asn1Object_t basicConstraintsObjects[] = {
        { 0, "basicConstraints",        ASN1_SEQUENCE, ASN1_NONE          }, /*  0 */
@@ -61,7 +61,7 @@ static const asn1Object_t basicConstraintsObjects[] = {
 #define BASIC_CONSTRAINTS_CA   1
 
 /**
- * ASN.1 definition of a authorityKeyIdentifier extension 
+ * ASN.1 definition of a authorityKeyIdentifier extension
  */
 static const asn1Object_t authKeyIdentifierObjects[] = {
        { 0, "authorityKeyIdentifier",          ASN1_SEQUENCE,    ASN1_NONE          }, /* 0 */
@@ -78,7 +78,7 @@ static const asn1Object_t authKeyIdentifierObjects[] = {
 #define AUTH_KEY_ID_CERT_SERIAL                5
 
 /**
- * ASN.1 definition of a authorityInfoAccess extension 
+ * ASN.1 definition of a authorityInfoAccess extension
  */
 static const asn1Object_t authInfoAccessObjects[] = {
        { 0, "authorityInfoAccess",     ASN1_SEQUENCE,  ASN1_LOOP }, /* 0 */
@@ -103,7 +103,7 @@ static const asn1Object_t extendedKeyUsageObjects[] = {
 #define EXT_KEY_USAGE_PURPOSE_ID       1
 
 /**
- * ASN.1 definition of generalNames 
+ * ASN.1 definition of generalNames
  */
 static const asn1Object_t generalNamesObjects[] = {
        { 0, "generalNames",    ASN1_SEQUENCE,  ASN1_LOOP }, /* 0 */
@@ -114,7 +114,7 @@ static const asn1Object_t generalNamesObjects[] = {
 #define GENERAL_NAMES_GN       1
 
 /**
- * ASN.1 definition of generalName 
+ * ASN.1 definition of generalName
  */
 static const asn1Object_t generalNameObjects[] = {
        { 0, "otherName",               ASN1_CONTEXT_C_0,  ASN1_OPT|ASN1_BODY   }, /*  0 */
@@ -148,7 +148,7 @@ static const asn1Object_t generalNameObjects[] = {
 #define GN_OBJ_REGISTERED_ID   16
 
 /**
- * ASN.1 definition of otherName 
+ * ASN.1 definition of otherName
  */
 static const asn1Object_t otherNameObjects[] = {
        {0, "type-id",  ASN1_OID,                       ASN1_BODY       }, /* 0 */
@@ -396,7 +396,7 @@ static err_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
                        return "RDN is not a SET";
                }
                attribute->len = asn1_length(rdn);
-               
+
                if (attribute->len == ASN1_INVALID_LENGTH)
                {
                        return "Invalid attribute length";
@@ -416,13 +416,13 @@ static err_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
 
        /* extract the attribute body */
        body.len = asn1_length(attribute);
-       
+
        if (body.len == ASN1_INVALID_LENGTH)
        {
                return "Invalid attribute body length";
        }
        body.ptr = attribute->ptr;
-       
+
        /* advance to start of next attribute */
        attribute->ptr += body.len;
        attribute->len -= body.len;
@@ -435,8 +435,8 @@ static err_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
 
        /* extract OID */
        oid->len = asn1_length(&body);
-       
-       if (oid->len == ASN1_INVALID_LENGTH)  
+
+       if (oid->len == ASN1_INVALID_LENGTH)
        {
                return "Invalid attribute OID length";
        }
@@ -451,7 +451,7 @@ static err_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
 
        /* extract string value */
        value->len = asn1_length(&body);
-       
+
        if (value->len == ASN1_INVALID_LENGTH)
        {
                return "Invalid attribute string length";
@@ -1092,7 +1092,7 @@ chunk_t build_subjectAltNames(generalName_t *subjectAltNames)
        chunk_t names;
        size_t len = 0;
        generalName_t *gn = subjectAltNames;
-               
+
    /* compute the total size of the ASN.1 attributes object */
        while (gn != NULL)
        {
@@ -1127,7 +1127,7 @@ static chunk_t build_tbs_x509cert(x509cert_t *cert, public_key_t *rsa)
        rsa->get_encoding(rsa, KEY_PUB_ASN1_DER, &key);
 
        chunk_t keyInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
-                                                       asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
+                                                       asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
                                                        asn1_bitstring("m", key));
 
        if (cert->subjectAltName != NULL)
@@ -1143,7 +1143,7 @@ static chunk_t build_tbs_x509cert(x509cert_t *cert, public_key_t *rsa)
                                , asn1_algorithmIdentifier(cert->sigAlg)
                                , cert->issuer
                                , asn1_wrap(ASN1_SEQUENCE, "mm"
-                                       , asn1_from_time(&cert->notBefore, ASN1_UTCTIME) 
+                                       , asn1_from_time(&cert->notBefore, ASN1_UTCTIME)
                                        , asn1_from_time(&cert->notAfter,  ASN1_UTCTIME)
                                  )
                                , cert->subject
@@ -1237,7 +1237,7 @@ void store_x509certs(x509cert_t **firstcert, bool strict)
                if (cert->isCA)
                {
                        *pp = cert->next;
-                       
+
                        /* we don't accept self-signed CA certs */
                        if (same_dn(cert->issuer, cert->subject))
                        {
@@ -1258,11 +1258,11 @@ void store_x509certs(x509cert_t **firstcert, bool strict)
        }
 
        /* now verify the candidate CA certs */
-       
+
        while (cacerts != NULL)
        {
                x509cert_t *cert = cacerts;
-               
+
                cacerts = cacerts->next;
 
                if (trust_authcert_candidate(cert, cacerts))
@@ -1275,7 +1275,7 @@ void store_x509certs(x509cert_t **firstcert, bool strict)
                        free_x509cert(cert);
                }
        }
-       
+
        /* now verify the end certificates */
 
        pp = firstcert;
@@ -1314,7 +1314,7 @@ bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm,
        {
                return FALSE;
        }
-       return key->verify(key, scheme, tbs, sig); 
+       return key->verify(key, scheme, tbs, sig);
 }
 
 /**
@@ -1329,7 +1329,7 @@ chunk_t x509_build_signature(chunk_t tbs, int algorithm, private_key_t *key,
        if (scheme == SIGN_UNKNOWN || !key->sign(key, scheme, tbs, &signature))
        {
                return chunk_empty;
-       } 
+       }
        return (bit_string) ? asn1_bitstring("m", signature)
                                                : asn1_wrap(ASN1_OCTET_STRING, "m", signature);
 }
@@ -1399,7 +1399,7 @@ void gntoid(struct id *id, const generalName_t *gn)
 bool compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID)
 {
        chunk_t fingerprint;
-       
+
        if (!cert->public_key->get_fingerprint(cert->public_key, KEY_ID_PUBKEY_SHA1,
                                                                                   &fingerprint))
        {
@@ -1446,7 +1446,7 @@ static bool parse_otherName(chunk_t blob, int level0)
                }
        }
        success = parser->success(parser);
-       
+
 end:
        parser->destroy(parser);
        return success;
@@ -1466,11 +1466,11 @@ static generalName_t* parse_generalName(chunk_t blob, int level0)
 
        parser = asn1_parser_create(generalNameObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                bool valid_gn = FALSE;
-               
+
                switch (objectID) {
                case GN_OBJ_RFC822_NAME:
                case GN_OBJ_DNS_NAME:
@@ -1517,7 +1517,7 @@ static generalName_t* parse_generalName(chunk_t blob, int level0)
                        goto end;
                }
        }
-       
+
 end:
        parser->destroy(parser);
        return gn;
@@ -1536,7 +1536,7 @@ static generalName_t* parse_generalNames(chunk_t blob, int level0, bool implicit
        parser = asn1_parser_create(generalNamesObjects, blob);
        parser->set_top_level(parser, level0);
        parser->set_flags(parser, implicit, FALSE);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                if (objectID == GENERAL_NAMES_GN)
@@ -1584,7 +1584,7 @@ void parse_authorityKeyIdentifier(chunk_t blob, int level0,
 
        parser = asn1_parser_create(authKeyIdentifierObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                switch (objectID)
@@ -1623,7 +1623,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
 
        parser = asn1_parser_create(authInfoAccessObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                switch (objectID)
@@ -1665,7 +1665,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
                        break;
                }
        }
-       
+
 end:
        parser->destroy(parser);
 }
@@ -1682,7 +1682,7 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0)
 
        parser = asn1_parser_create(extendedKeyUsageObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                if (objectID == EXT_KEY_USAGE_PURPOSE_ID
@@ -1711,7 +1711,7 @@ static generalName_t* parse_crlDistributionPoints(chunk_t blob, int level0)
 
        parser = asn1_parser_create(crlDistributionPointsObjects, blob);
        parser->set_top_level(parser, level0);
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                if (objectID == CRL_DIST_POINTS_FULLNAME)
@@ -1752,7 +1752,7 @@ bool parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert)
        while (parser->iterate(parser, &objectID, &object))
        {
                u_int level = parser->get_level(parser) + 1;
-               
+
                switch (objectID) {
                case X509_OBJ_CERTIFICATE:
                        cert->certificate = object;
@@ -2015,7 +2015,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
                                DBG(DBG_CONTROL,
                                        DBG_log("certificate is good")
                                )
-                               
+
                                /* with strict crl policy the public key must have the same
                                 * lifetime as the validity of the ocsp status or crl lifetime
                                 */
@@ -2099,7 +2099,7 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
                                check_expiry(cert->notAfter, CA_CERT_WARNING_INTERVAL, TRUE));
                        whack_log(RC_COMMENT, "       pubkey:    %N %4d bits%s",
                                key_type_names, key->get_type(key),
-                               key->get_keysize(key) * BITS_PER_BYTE,                          
+                               key->get_keysize(key) * BITS_PER_BYTE,
                                cert->smartcard ? ", on smartcard" :
                                (has_private_key(c)? ", has private key" : ""));
                        if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
index ab0fbac9e9f3ce76501455456517d19b89424d25..7bad3525711431bbdc9243ac3dbd992ae120c08a 100644 (file)
@@ -69,7 +69,7 @@ struct x509cert {
        time_t               notBefore;
        time_t               notAfter;
        chunk_t            subject;
-       public_key_t       *public_key;  
+       public_key_t       *public_key;
                                  /*   issuerUniqueID */
                                  /*   subjectUniqueID */
                                  /*   v3 extensions */
index af2d72d71e8fca27c5ddb4768455940f74609c57..2086a92cc9221648631329c3fca82ee14bf60a7f 100644 (file)
@@ -1,7 +1,7 @@
 /* Initialization and finalization of the dynamic XAUTH module
  * Copyright (C) 2006 Andreas Steffen
  * Hochschule fuer Technik Rapperswil, Switzerland
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -23,7 +23,7 @@
 #include "keys.h"
 #include "log.h"
 
-void 
+void
 xauth_init(void)
 {
 #ifdef XAUTH_DEFAULT_LIB
index 8ab125ac41b7fefc6ec99f313dc28bf5c18ff3b0..23cae3ed8d1371f26ab347d27ff0da75b177b2c9 100644 (file)
@@ -1,7 +1,7 @@
 /* Interface definition of the XAUTH server and|or client module
  * Copyright (C) 2006 Andreas Steffen
  * Hochschule fuer Technik Rapperswil, Switzerland
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
index 87041f114eb81eea2f832def62175e283d3a2c4f..539bb5f72d6e84e5de563b819ad2d426e0a17777 100644 (file)
@@ -56,12 +56,12 @@ static void scepclient_dbg(int level, char *fmt, ...)
        else if (cur_debugging & DBG_RAW)
        {
                debug_level = 3;
-       }       
+       }
        else if (cur_debugging & DBG_PARSING)
        {
                debug_level = 2;
        }
-       else 
+       else
        {
                debug_level = 1;
        }
index ca0e808fa19ec65bc5aa93d999395c34dbed3f27..654626d152abc51c34ada901c4d6c1a1b416ab8b 100644 (file)
@@ -50,16 +50,16 @@ static u_char ASN1_extensionRequest_oid_str[] = {
 
 static const chunk_t ASN1_extensionRequest_oid = chunk_from_buf(ASN1_extensionRequest_oid_str);
 
-/** 
+/**
  * @brief Adds a subjectAltName in DER-coded form to a linked list
- * 
+ *
  * @param[in,out]       subjectAltNames head of the linked list of subjectAltNames
  * @param[in]           kind            type of the subjectAltName (which is a generalName)
  * @param[in]           value           value of the subjectAltName as an ASCII string
  */
 void
 pkcs10_add_subjectAltName(generalName_t **subjectAltNames, generalNames_t kind
-, char *value) 
+, char *value)
 {
        generalName_t *gn;
        asn1_t asn1_type = ASN1_EOC;
@@ -102,8 +102,8 @@ pkcs10_add_subjectAltName(generalName_t **subjectAltNames, generalNames_t kind
 }
 
 /**
- * @brief Builds the requestInfoAttributes of the certificationRequestInfo-field 
- * 
+ * @brief Builds the requestInfoAttributes of the certificationRequestInfo-field
+ *
  * challenge password ans subjectAltNames are only included,
  * when avaiable in given #pkcs10_t structure
  *
@@ -117,7 +117,7 @@ build_req_info_attributes(pkcs10_t* pkcs10)
        chunk_t subjectAltNames   = chunk_empty;
        chunk_t challengePassword = chunk_empty;
 
-       if (pkcs10->subjectAltNames != NULL) 
+       if (pkcs10->subjectAltNames != NULL)
        {
 
                subjectAltNames = asn1_wrap(ASN1_SEQUENCE, "cm"
@@ -158,11 +158,11 @@ static chunk_t
 pkcs10_build_request(pkcs10_t *pkcs10, int signature_alg)
 {
        chunk_t key = chunk_empty;
-       
+
        pkcs10->public_key->get_encoding(pkcs10->public_key, KEY_PUB_ASN1_DER, &key);
-       
+
        chunk_t keyInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
-                                                       asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
+                                                       asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
                                                        asn1_bitstring("m", key));
 
        chunk_t cert_req_info = asn1_wrap(ASN1_SEQUENCE, "ccmm",
index 3f29f019a9539ab3d6191c9e33553935990821ff..e10a3ef591f6f61555bfedc850cdb0453cd0db4f 100644 (file)
@@ -1,14 +1,14 @@
 /**
  * @file pkcs10.h
  * @brief Functions to build PKCS#10 Request's
- * 
+ *
  * Contains functions to build DER encoded pkcs#10 certificate requests
  */
 
 /*
  * Copyright (C) 2005 Jan Hutter, Martin Willi
  * Hochschule fuer Technik Rapperswil
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -34,9 +34,9 @@ typedef struct pkcs10_struct pkcs10_t;
 /**
  * @brief type representating a pkcs#10 request.
  *
- * A pkcs#10 request contains a distinguished name, an optional 
+ * A pkcs#10 request contains a distinguished name, an optional
  * challenge password, a public key and optional subjectAltNames.
- * 
+ *
  * The RSA private key is needed to compute the signature of the given request
  */
 struct pkcs10_struct {
index bf2532c808e6e77c0b713216380ffa8b287cbe94..f496ece334e4316dec8f0b31247bc9cd16683cc4 100644 (file)
@@ -1,7 +1,7 @@
 /**
  * @file scep.c
  * @brief SCEP specific functions
- * 
+ *
  * Contains functions to build SCEP request's and to parse SCEP reply's.
  */
 
@@ -239,7 +239,7 @@ bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
        DBG(DBG_CONTROL | DBG_PARSING,
                DBG_log("parsing attributes")
        )
-       
+
        while (parser->iterate(parser, &objectID, &object))
        {
                switch (objectID)
@@ -255,14 +255,14 @@ bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
                }
        }
        success = parser->success(parser);
-       
+
 end:
        parser->destroy(parser);
        return success;
 }
 
 /**
- * Generates a unique fingerprint of the pkcs10 request 
+ * Generates a unique fingerprint of the pkcs10 request
  * by computing an MD5 hash over it
  */
 chunk_t scep_generate_pkcs10_fingerprint(chunk_t pkcs10)
@@ -291,11 +291,11 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
        hasher_t *hasher;
        bool msb_set;
        u_char *pos;
-       
+
        key->get_encoding(key, KEY_PUB_ASN1_DER, &keyEncoding);
-       
+
        keyInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
-                                               asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
+                                               asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
                                                asn1_bitstring("m", keyEncoding));
 
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
@@ -497,7 +497,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
                        free(escaped_req);
 
                        status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
-                                                                                FETCH_HTTP_VERSION_1_0, 
+                                                                                FETCH_HTTP_VERSION_1_0,
                                                                                 FETCH_REQUEST_HEADER, "Pragma:",
                                                                                 FETCH_REQUEST_HEADER, "Host:",
                                                                                 FETCH_REQUEST_HEADER, "Accept:",
@@ -510,7 +510,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
                        complete_url = malloc(len);
                        snprintf(complete_url, len, "%s?operation=%s", url, operation);
 
-                       status = lib->fetcher->fetch(lib->fetcher, complete_url, response, 
+                       status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
                                                                                 FETCH_REQUEST_DATA, pkcs7,
                                                                                 FETCH_REQUEST_TYPE, "",
                                                                                 FETCH_REQUEST_HEADER, "Expect:",
@@ -527,7 +527,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
                snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier"
                                , url, operation);
 
-               status = lib->fetcher->fetch(lib->fetcher, complete_url, response, 
+               status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
                                                                         FETCH_END);
        }
 
index e8dc875918039babf7b99140d7e7c0e5c025c640..e044f0b1ce6a7f80ff88818541fe6308ed3ad178 100644 (file)
@@ -1,7 +1,7 @@
 /**
  * @file scep.h
  * @brief SCEP specific functions
- * 
+ *
  * Contains functions to build and parse SCEP requests and replies
  */
 
index f2b49f256acc3c80da8ea0696b140bc1c845ea17..e325f3f84dd51336fe0a7a02433d1c1c26093df1 100644 (file)
@@ -279,7 +279,7 @@ static void print_plugins()
        char buf[BUF_LEN], *plugin;
        int len = 0;
        enumerator_t *enumerator;
-       
+
        enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
        while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin))
        {
@@ -544,7 +544,7 @@ int main(int argc, char **argv)
                                }
                                continue;
                        }
-               
+
                case 'f':       /* --force */
                        force = TRUE;
                        continue;
@@ -626,7 +626,7 @@ int main(int argc, char **argv)
                                }
 
                                if (strcaseeq("email", optarg))
-                               {       
+                               {
                                        kind = GN_RFC822_NAME;
                                }
                                else if (strcaseeq("dns", optarg))
@@ -748,7 +748,7 @@ int main(int argc, char **argv)
                        base_debugging |= DBG_PRIVATE;
                        continue;
 #endif
-               default: 
+               default:
                        usage("unknown option");
                }
                /* break from loop */
@@ -759,7 +759,7 @@ int main(int argc, char **argv)
        init_log("scepclient");
 
        /* load plugins, further infrastructure may need it */
-       if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, 
+       if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
                        lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS)))
        {
                exit_scepclient("plugin loading failed");
@@ -790,7 +790,7 @@ int main(int argc, char **argv)
        /*
         * input of PKCS#1 file
         */
-       if (filetype_in & PKCS1)    /* load an RSA key pair from file */ 
+       if (filetype_in & PKCS1)    /* load an RSA key pair from file */
        {
                prompt_pass_t pass = { "", FALSE, STDIN_FILENO };
                char *path = concatenate_paths(PRIVATE_KEY_PATH, file_in_pkcs1);
@@ -871,7 +871,7 @@ int main(int argc, char **argv)
                plog("  fingerprint:    %s", fingerprint.ptr);
        }
 
-       /* 
+       /*
         * output of PKCS#10 file
         */
        if (filetype_out & PKCS10)
@@ -960,7 +960,7 @@ int main(int argc, char **argv)
                x509_ca_enc = cert.u.x509;
        }
 
-       /* 
+       /*
         * input of PKCS#7 file
         */
        if (filetype_in & PKCS7)
index f01f3e97fddfadbd3f9304cc5ff3081884ecac1b..b648d40ee975c2aec25ed77380c245a3b68f5178 100644 (file)
@@ -396,7 +396,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
        case ARG_UINT:
                {
                        char *endptr;
-                       u_int *u = (u_int *)p; 
+                       u_int *u = (u_int *)p;
 
                        *u = strtoul(kw->value, &endptr, 10);
 
@@ -509,12 +509,12 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
                        {
                                char ** lst;
 
-                               for (lst = *listp; lst && *lst; lst++) 
+                               for (lst = *listp; lst && *lst; lst++)
                                {
                                        bool match = FALSE;
 
                                        list = token_info[token].list;
-                               
+
                                        while (*list != NULL && !match)
                                        {
                                                match = streq(*lst, *list++);
index 5fd2b9fbf1ad4f5d81500e6addbc94e52b691073..ef27ce8934c3afb6b9a538b59e985ce1b64a2f0f 100644 (file)
@@ -119,7 +119,7 @@ load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
                bool assigned = FALSE;
 
                kw_token_t token = kw->entry->token;
+
                if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
                {
                        plog("# unsupported keyword '%s' in config setup", kw->entry->name);
@@ -165,10 +165,10 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
                        ip_subnet net;
                        char *pos;
                        int len = 0;
-                       
+
                        end->has_client = TRUE;
                        conn->tunnel_addr_family = ip_version(value);
-                       
+
                        pos = strchr(value, ',');
                        if (pos)
                        {
@@ -199,7 +199,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
                {
                        ip_address addr;
                        ip_subnet net;
-               
+
                        conn->tunnel_addr_family = ip_version(value);
                        if (strchr(value, '/'))
                        {       /* CIDR notation, address pool */
@@ -323,7 +323,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
        case KW_SUBNETWITHIN:
        {
                ip_subnet net;
-               
+
                end->has_client = TRUE;
                end->has_client_wildcard = TRUE;
                conn->tunnel_addr_family = ip_version(value);
@@ -350,7 +350,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
                if (streq(value, "%defaultroute"))
                {
                        char buf[64];
-               
+
                        if (cfg->defaultroute.defined)
                        {
                                addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
@@ -365,7 +365,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
                else
                {
                        ip_address addr;
-                       
+
                        conn->tunnel_addr_family = ip_version(value);
                        ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
                        if (ugh != NULL)
@@ -510,8 +510,8 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
                        }
                        else if (streq(kw->value, "transport_proxy"))
                        {
-                               conn->policy |= POLICY_PROXY;                   
-                       }       
+                               conn->policy |= POLICY_PROXY;
+                       }
                        else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
                        {
                                conn->policy |= POLICY_SHUNT_PASS;
@@ -535,10 +535,10 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
                        break;
                case KW_COMPRESS:
                        KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
-                       break; 
+                       break;
                case KW_AUTH:
                        KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
-                       break; 
+                       break;
                case KW_AUTHBY:
                        conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
 
@@ -591,7 +591,7 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
                case KW_EAP:
                {
                        char *sep;
-               
+
                        /* check for vendor-type format */
                        sep = strchr(kw->value, '-');
                        if (sep)
@@ -922,7 +922,7 @@ confread_free_ca(starter_ca_t *ca)
 /*
  * free the memory used by a starter_config_t object
  */
-void 
+void
 confread_free(starter_config_t *cfg)
 {
        starter_conn_t *conn = cfg->conn_first;
@@ -1046,7 +1046,7 @@ confread_load(const char *file)
        for (ca = cfg->ca_first; ca; ca = ca->next)
        {
                also_t *also = ca->also;
-       
+
                while (also != NULL)
                {
                        kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg);
@@ -1080,7 +1080,7 @@ confread_load(const char *file)
        for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
        {
                u_int previous_err;
-               
+
                /* skip %default conn section */
                if (streq(sconn->name, "%default"))
                        continue;
@@ -1093,7 +1093,7 @@ confread_load(const char *file)
                conn_default(sconn->name, conn, &cfg->conn_default);
                conn->kw =  sconn->kw;
                conn->next = NULL;
-               
+
                previous_err = cfg->err;
                load_conn(conn, conn->kw, cfg);
                if (cfg->err > previous_err)
index 2f789e9766f9a8810c90a478c7ac71d4a33ac53a..9fc11382eea514f5e0ae4def806b4637f4066b92 100644 (file)
@@ -128,12 +128,12 @@ struct starter_conn {
                char            *esp;
                char            *ike;
                char            *pfsgroup;
-               
+
                time_t          dpd_delay;
                time_t          dpd_timeout;
                dpd_action_t    dpd_action;
                int             dpd_count;
-               
+
                bool            me_mediation;
                char            *me_mediated_by;
                char            *me_peerid;
index 1eb2a03321cd3f564b52c4ce11bd96a2d243e675..f8aa5e6a91a3aa06636e4fa28cf885904fb7553d 100644 (file)
@@ -127,7 +127,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
                NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
                NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
        };
-       
+
        if (attach_gdb)
        {
                argc = 0;
@@ -163,7 +163,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
                        {
                                break;
                        }
-               
+
                        /* get next */
                        pos = strchr(pos, ',');
                        if (pos)
index 08fb0657aeda253cc7db4c058459704c170a1c3b..f91f4b6c9f470f37f309261a20c80c65ef4ac2cd 100644 (file)
@@ -94,7 +94,7 @@ starter_stop_pluto (void)
                /* be more and more aggressive */
                for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
                {
-                       
+
                        if (i < 10)
                        {
                                kill(pid, SIGTERM);
@@ -103,7 +103,7 @@ starter_stop_pluto (void)
                        {
                                kill(pid, SIGKILL);
                                plog("starter_stop_pluto(): pluto does not respond, sending KILL");
-                       }           
+                       }
                        else
                        {
                                kill(pid, SIGKILL);
@@ -147,7 +147,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb)
                };
 
        printf ("starter_start_pluto entered\n");
-       
+
        if (attach_gdb)
        {
                argc = 0;
index 061dee50cff6b09759befd308952ba54a0f48519..79bd25c44cb0c54729a01114e93ce2333d625655 100644 (file)
@@ -46,7 +46,7 @@ starter_klips_init(void)
                        return FALSE;
                }
        }
-       
+
        /* load crypto algorithm modules */
        ignore_result(system("modprobe -qv ipsec_aes"));
        ignore_result(system("modprobe -qv ipsec_blowfish"));
@@ -55,7 +55,7 @@ starter_klips_init(void)
        DBG(DBG_CONTROL,
                DBG_log("Found KLIPS IPsec stack")
        )
-       
+
        return TRUE;
 }
 
index e93348df1395ff7ffac317c8ad401d8a7de051fb..1a527d108156e725f04f327070e343c9617b19cc 100644 (file)
@@ -1,4 +1,4 @@
-/* strongSwan KLIPS initialization and cleanup 
+/* strongSwan KLIPS initialization and cleanup
  * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
  *
  * This program is free software; you can redistribute it and/or modify it
index 55f6a7c47d7fa003eea15e53b9e47752edc7fd6c..c12924174295ac1e8b9b6f1b5054e4255692466d 100644 (file)
@@ -1,4 +1,4 @@
-/* strongSwan netkey initialization and cleanup 
+/* strongSwan netkey initialization and cleanup
  * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
  *
  * This program is free software; you can redistribute it and/or modify it
index ff5ab9d873ceccca5a3f9bdeeace29ee27991e23..0aab76d43d95936e64d003ce0bfaec28e8874c07 100644 (file)
@@ -163,7 +163,7 @@ static void fsig(int signal)
 static void generate_selfcert()
 {
        struct stat stb;
-       
+
                /* if ipsec.secrets file is missing then generate RSA default key pair */
                if (stat(SECRETS_FILE, &stb) != 0)
                {
@@ -176,7 +176,7 @@ static void generate_selfcert()
                        {
                                char buf[1024];
                                struct group group, *grp;
-                               
+
                                if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 &&     grp)
                                {
                                        gid = grp->gr_gid;
@@ -187,7 +187,7 @@ static void generate_selfcert()
                        {
                                char buf[1024];
                                struct passwd passwd, *pwp;
-                               
+
                                if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 &&     pwp)
                                {
                                        uid = pwp->pw_uid;
@@ -360,7 +360,7 @@ int main (int argc, char **argv)
                plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
                exit(LSB_RC_SUCCESS);
        }
-       
+
        generate_selfcert();
 
        /* fork if we're not debugging stuff */
@@ -381,7 +381,7 @@ int main (int argc, char **argv)
                                        dup2(fnull, STDERR_FILENO);
                                        close(fnull);
                                }
-                               setsid(); 
+                               setsid();
                        }
                        break;
                        case -1:
@@ -491,7 +491,7 @@ int main (int argc, char **argv)
                                        _action_ |= FLAG_ACTION_LISTEN;
                                }
 
-                               if (!starter_cmp_pluto(cfg, new_cfg)) 
+                               if (!starter_cmp_pluto(cfg, new_cfg))
                                {
                                        plog("Pluto has changed");
                                        if (starter_pluto_pid())
@@ -620,7 +620,7 @@ int main (int argc, char **argv)
                                        conn->state = STATE_TO_ADD;
                        }
                }
-               
+
                /*
                 * Start charon
                 */
index 96caff8cb719d6aa36abb4d74a78025690cdf825..60da12bcac3e3c4fe8d5140eb58688bf3aa64686 100644 (file)
@@ -81,7 +81,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
 
        ctl_addr.sun_family = AF_UNIX;
        strcpy(ctl_addr.sun_path, CHARON_CTL_FILE);
-       
+
        /* starter is not called from commandline, and therefore absolutely silent */
        msg->output_verbosity = -1;
 
@@ -173,7 +173,7 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
 {
        char buffer[INET6_ADDRSTRLEN];
-       
+
        msg_end->auth = push_string(msg, conn_end->auth);
        msg_end->auth2 = push_string(msg, conn_end->auth2);
        msg_end->id = push_string(msg, conn_end->id);
@@ -237,7 +237,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
        msg.add_conn.name = push_string(&msg, connection_name(conn));
-       
+
        /* PUBKEY is preferred to PSK and EAP */
        if (conn->policy & POLICY_PUBKEY)
        {
@@ -254,7 +254,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        msg.add_conn.eap_type = conn->eap_type;
        msg.add_conn.eap_vendor = conn->eap_vendor;
        msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
-       
+
        if (conn->policy & POLICY_TUNNEL)
        {
                msg.add_conn.mode = MODE_TUNNEL;
@@ -267,7 +267,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        {
                msg.add_conn.mode = MODE_TRANSPORT;
                msg.add_conn.proxy_mode = TRUE;
-       } 
+       }
        else
        {
                msg.add_conn.mode = MODE_TRANSPORT;
@@ -365,7 +365,7 @@ int starter_stroke_del_ca(starter_ca_t *ca)
 int starter_stroke_configure(starter_config_t *cfg)
 {
        stroke_msg_t msg;
-    
+
        if (cfg->setup.cachecrls)
        {
                msg.type = STR_CONFIG;
index 44b442ae2cfab08fa442ac0bdede6a17073e3cc6..b680961656abc72051d30c9750233241e1b64e34 100644 (file)
@@ -153,7 +153,7 @@ connection_name(starter_conn_t *conn)
 
 static void
 set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
-{   
+{
        if (end->srcip && end->srcip[0] != '%')
        {
                int len = 0;
@@ -170,9 +170,9 @@ set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
        }
        else
        {
-               anyaddr(AF_INET, &w->host_srcip);       
+               anyaddr(AF_INET, &w->host_srcip);
        }
-       
+
        w->id                  = end->id;
        w->cert                = end->cert;
        w->ca                  = end->ca;
index 186e480d14fe1cdbb6c64397391e097ae80a311d..955e4953595e9e20b2998f101efff6539d34ed56 100644 (file)
@@ -60,9 +60,9 @@ static int send_stroke_msg (stroke_msg_t *msg)
 
        ctl_addr.sun_family = AF_UNIX;
        strcpy(ctl_addr.sun_path, STROKE_SOCKET);
-       
+
        msg->output_verbosity = 1; /* CONTROL */
-       
+
        sock = socket(AF_UNIX, SOCK_STREAM, 0);
        if (sock < 0)
        {
@@ -76,7 +76,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
                close(sock);
                return -1;
        }
-       
+
        /* send message */
        if (write(sock, msg, msg->length) != msg->length)
        {
@@ -84,12 +84,12 @@ static int send_stroke_msg (stroke_msg_t *msg)
                close(sock);
                return -1;
        }
-       
+
        while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
        {
                buffer[byte_count] = '\0';
                printf("%s", buffer);
-               
+
                /* we prompt if we receive the "Passphrase:" magic keyword */
                if (byte_count >= 12 &&
                        strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0)
@@ -104,46 +104,46 @@ static int send_stroke_msg (stroke_msg_t *msg)
        {
                fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
        }
-       
+
        close(sock);
        return 0;
 }
 
 static int add_connection(char *name,
-                                                 char *my_id, char *other_id, 
+                                                 char *my_id, char *other_id,
                                                  char *my_addr, char *other_addr,
                                                  char *my_nets, char *other_nets)
 {
        stroke_msg_t msg;
-       
+
        memset(&msg, 0, sizeof(msg));
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.type = STR_ADD_CONN;
-       
+
        msg.add_conn.name = push_string(&msg, name);
        msg.add_conn.ikev2 = 1;
        msg.add_conn.auth_method = 2;
        msg.add_conn.mode = 1;
        msg.add_conn.mobike = 1;
        msg.add_conn.dpd.action = 1;
-       
+
        msg.add_conn.me.id = push_string(&msg, my_id);
        msg.add_conn.me.address = push_string(&msg, my_addr);
        msg.add_conn.me.subnets = push_string(&msg, my_nets);
        msg.add_conn.me.sendcert = 1;
-       
+
        msg.add_conn.other.id = push_string(&msg, other_id);
        msg.add_conn.other.address = push_string(&msg, other_addr);
        msg.add_conn.other.subnets = push_string(&msg, other_nets);
        msg.add_conn.other.sendcert = 1;
-       
+
        return send_stroke_msg(&msg);
 }
 
 static int del_connection(char *name)
 {
        stroke_msg_t msg;
-       
+
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.type = STR_DEL_CONN;
        msg.initiate.name = push_string(&msg, name);
@@ -153,7 +153,7 @@ static int del_connection(char *name)
 static int initiate_connection(char *name)
 {
        stroke_msg_t msg;
-       
+
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.type = STR_INITIATE;
        msg.initiate.name = push_string(&msg, name);
@@ -163,7 +163,7 @@ static int initiate_connection(char *name)
 static int terminate_connection(char *name)
 {
        stroke_msg_t msg;
-       
+
        msg.type = STR_TERMINATE;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.initiate.name = push_string(&msg, name);
@@ -173,7 +173,7 @@ static int terminate_connection(char *name)
 static int terminate_connection_srcip(char *start, char *end)
 {
        stroke_msg_t msg;
-       
+
        msg.type = STR_TERMINATE_SRCIP;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.terminate_srcip.start = push_string(&msg, start);
@@ -184,7 +184,7 @@ static int terminate_connection_srcip(char *start, char *end)
 static int route_connection(char *name)
 {
        stroke_msg_t msg;
-       
+
        msg.type = STR_ROUTE;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.route.name = push_string(&msg, name);
@@ -194,7 +194,7 @@ static int route_connection(char *name)
 static int unroute_connection(char *name)
 {
        stroke_msg_t msg;
-       
+
        msg.type = STR_UNROUTE;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.unroute.name = push_string(&msg, name);
@@ -204,7 +204,7 @@ static int unroute_connection(char *name)
 static int show_status(stroke_keyword_t kw, char *connection)
 {
        stroke_msg_t msg;
-       
+
        msg.type = (kw == STROKE_STATUS)? STR_STATUS:STR_STATUS_ALL;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.status.name = push_string(&msg, connection);
@@ -229,7 +229,7 @@ static int list_flags[] = {
 static int list(stroke_keyword_t kw, int utc)
 {
        stroke_msg_t msg;
-       
+
        msg.type = STR_LIST;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.list.utc = utc;
@@ -250,7 +250,7 @@ static int reread_flags[] = {
 static int reread(stroke_keyword_t kw)
 {
        stroke_msg_t msg;
-       
+
        msg.type = STR_REREAD;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.reread.flags = reread_flags[kw - STROKE_REREAD_FIRST];
@@ -265,7 +265,7 @@ static int purge_flags[] = {
 static int purge(stroke_keyword_t kw)
 {
        stroke_msg_t msg;
-       
+
        msg.type = STR_PURGE;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.purge.flags = purge_flags[kw - STROKE_PURGE_FIRST];
@@ -276,7 +276,7 @@ static int leases(stroke_keyword_t kw, char *pool, char *address)
 {
 
        stroke_msg_t msg;
-       
+
        msg.type = STR_LEASES;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.leases.pool = push_string(&msg, pool);
@@ -287,7 +287,7 @@ static int leases(stroke_keyword_t kw, char *pool, char *address)
 static int set_loglevel(char *type, u_int level)
 {
        stroke_msg_t msg;
-       
+
        msg.type = STR_LOGLEVEL;
        msg.length = offsetof(stroke_msg_t, buffer);
        msg.loglevel.type = push_string(&msg, type);
@@ -359,7 +359,7 @@ int main(int argc, char *argv[])
        {
                exit_usage(NULL);
        }
-       
+
        token = in_word_set(argv[1], strlen(argv[1]));
 
        if (token == NULL)
@@ -375,8 +375,8 @@ int main(int argc, char *argv[])
                                exit_usage("\"add\" needs more parameters...");
                        }
                        res = add_connection(argv[2],
-                                                                argv[3], argv[4], 
-                                                                argv[5], argv[6], 
+                                                                argv[3], argv[4],
+                                                                argv[5], argv[6],
                                                                 argv[7], argv[8]);
                        break;
                case STROKE_DELETE:
@@ -427,7 +427,7 @@ int main(int argc, char *argv[])
                        {
                                exit_usage("\"logtype\" needs more parameters...");
                        }
-                       res = set_loglevel(argv[2], atoi(argv[3])); 
+                       res = set_loglevel(argv[2], atoi(argv[3]));
                        break;
                case STROKE_STATUS:
                case STROKE_STATUSALL:
index 9c3041c3854a0fce70c9b258d0ff134c3e1453f6..f6cf091da6000a1862cf96ffd5baea79802888fb 100644 (file)
@@ -194,7 +194,7 @@ struct stroke_msg_t {
                STR_LEASES,
                /* more to come */
        } type;
-       
+
        /* verbosity of output returned from charon (-from -1=silent to 4=private)*/
        int output_verbosity;
 
@@ -203,7 +203,7 @@ struct stroke_msg_t {
                struct {
                        char *name;
                } initiate, route, unroute, terminate, status, del_conn, del_ca;
-               
+
                /* data for STR_TERMINATE_SRCIP */
                struct {
                        char *start;
@@ -272,7 +272,7 @@ struct stroke_msg_t {
                        char *type;
                        int level;
                } loglevel;
-               
+
                /* data for STR_CONFIG */
                struct {
                        int cachecrl;
index 28112500e7af745479df79b0d5afa243b89cf2c9..817a676d20d8b8d272ba7a330f9a1002e6352668 100644 (file)
@@ -393,7 +393,7 @@ enum {
        END_SRCIP,
        END_HOSTACCESS,
        END_UPDOWN,
-               
+
 #define END_LAST  END_UPDOWN    /* last end description*/
 
 /* Connection Description options -- segregated */
@@ -431,7 +431,7 @@ enum {
        CD_DPDTIMEOUT,
        CD_IKE,
        CD_PFSGROUP,
-       CD_ESP,     
+       CD_ESP,
 
 #   define CD_LAST CD_ESP       /* last connection description */
 
@@ -861,7 +861,7 @@ int main(int argc, char **argv)
 
        msg.addr_family = AF_INET;
        msg.tunnel_addr_family = AF_INET;
-       
+
        msg.cacert = NULL;
        msg.ldaphost = NULL;
        msg.ldapbase = NULL;
@@ -1017,7 +1017,7 @@ int main(int argc, char **argv)
                        if (!options->from(options, optarg, &argc, &argv, optind))
                        {
                                fprintf(stderr, "optionsfrom failed");
-                               whack_exit(RC_WHACK_PROBLEM);                           
+                               whack_exit(RC_WHACK_PROBLEM);
                        }
                        continue;
 
@@ -1134,7 +1134,7 @@ int main(int argc, char **argv)
                case OPT_STATUS:        /* --status */
                        msg.whack_status = TRUE;
                        continue;
-               
+
                case OPT_SHUTDOWN:      /* --shutdown */
                        msg.whack_shutdown = TRUE;
                        continue;
@@ -1180,7 +1180,7 @@ int main(int argc, char **argv)
                                        base = 256;
                                else
                                        diagq("not a valid base", optarg);
-                               
+
                                if (c == SC_INBASE)
                                        msg.inbase = base;
                                else
@@ -1472,7 +1472,7 @@ int main(int argc, char **argv)
                case CD_IKE:    /* --ike <ike_alg1,ike_alg2,...> */
                        msg.ike = optarg;
                        continue;
-                       
+
                case CD_PFSGROUP:       /* --pfsgroup modpXXXX */
                        msg.pfsgroup = optarg;
                        continue;
@@ -1726,10 +1726,10 @@ int main(int argc, char **argv)
        {
                if (msg.dpd_delay <= 0)
                        diag("dpddelay must be larger than zero");
-               
+
                if (msg.dpd_timeout <= 0)
                        diag("dpdtimeout must be larger than zero");
-               
+
                if (msg.dpd_timeout <= msg.dpd_delay)
                        diag("dpdtimeout must be larger than dpddelay");
        }
@@ -1740,7 +1740,7 @@ int main(int argc, char **argv)
 
        /* build esp message as esp="<esp>;<pfsgroup>" */
        if (msg.pfsgroup) {
-                       snprintf(esp_buf, sizeof (esp_buf), "%s;%s", 
+                       snprintf(esp_buf, sizeof (esp_buf), "%s;%s",
                                        msg.esp ? msg.esp : "",
                                        msg.pfsgroup ? msg.pfsgroup : "");
                        msg.esp=esp_buf;
index 79d115262955ea16d60370fa52c0d85a2fa2483f..865e8e59092eebb3476d3a562691fcecb484393c 100644 (file)
@@ -280,7 +280,7 @@ enum rc_type {
 
        /* entry of secrets */
        RC_ENTERSECRET = 40,
-       
+
        /* progress: start of range for successful state transition.
         * Actual value is RC_NEW_STATE plus the new state code.
         */