diff options
| author | Martin Willi <martin@strongswan.org> | 2006-03-20 15:43:26 +0000 |
|---|---|---|
| committer | Martin Willi <martin@strongswan.org> | 2006-03-20 15:43:26 +0000 |
| commit | 87a217f9f1640ed08dbe06564f6fbcd3cdfdeefb (patch) | |
| tree | 928291a14cedbcb875d205b5a38527a37f515561 /Source | |
| parent | e8d25806f3281b71d2512e926c08f50f72d5d505 (diff) | |
| download | strongswan-87a217f9f1640ed08dbe06564f6fbcd3cdfdeefb.tar.bz2 strongswan-87a217f9f1640ed08dbe06564f6fbcd3cdfdeefb.tar.xz | |
- works quite well now with ipsec.conf & ipsec starter
Diffstat (limited to 'Source')
22 files changed, 631 insertions, 127 deletions
diff --git a/Source/charon/config/connection.c b/Source/charon/config/connection.c index 789cebb49..e0b29ac2f 100644 --- a/Source/charon/config/connection.c +++ b/Source/charon/config/connection.c @@ -114,6 +114,15 @@ static void update_my_host(private_connection_t *this, host_t *my_host) } /** + * Implementation of connection_t.update_other_host. + */ +static void update_other_host(private_connection_t *this, host_t *other_host) +{ + this->other_host->destroy(this->other_host); + this->other_host = other_host; +} + +/** * Implementation of connection_t.get_other_host. */ static host_t * get_other_host (private_connection_t *this) @@ -238,6 +247,33 @@ static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh } /** + * Implementation of connection_t.clone. + */ +static connection_t *clone(private_connection_t *this) +{ + iterator_t *iterator; + proposal_t *proposal; + private_connection_t *clone = (private_connection_t*)connection_create( + this->my_host->clone(this->my_host), + this->other_host->clone(this->other_host), + this->my_id->clone(this->my_id), + this->other_id->clone(this->other_id), + this->auth_method); + + /* clone all proposals */ + iterator = this->proposals->create_iterator(this->proposals, TRUE); + while (iterator->has_next(iterator)) + { + iterator->current(iterator, (void**)&proposal); + proposal = proposal->clone(proposal); + clone->proposals->insert_last(clone->proposals, (void*)proposal); + } + iterator->destroy(iterator); + + return &clone->public; +} + +/** * Implementation of connection_t.destroy. */ static void destroy (private_connection_t *this) @@ -269,6 +305,7 @@ connection_t * connection_create(host_t *my_host, host_t *other_host, identifica this->public.get_other_id = (identification_t*(*)(connection_t*))get_other_id; this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host; this->public.update_my_host = (void(*)(connection_t*,host_t*))update_my_host; + this->public.update_other_host = (void(*)(connection_t*,host_t*))update_other_host; this->public.get_other_host = (host_t*(*)(connection_t*))get_other_host; this->public.get_proposals = (linked_list_t*(*)(connection_t*))get_proposals; this->public.select_proposal = (proposal_t*(*)(connection_t*,linked_list_t*))select_proposal; @@ -276,6 +313,7 @@ connection_t * connection_create(host_t *my_host, host_t *other_host, identifica this->public.get_auth_method = (auth_method_t(*)(connection_t*)) get_auth_method; this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group; this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group; + this->public.clone = (connection_t*(*)(connection_t*))clone; this->public.destroy = (void(*)(connection_t*))destroy; /* private variables */ diff --git a/Source/charon/config/connection.h b/Source/charon/config/connection.h index b112ace70..9ec26b778 100644 --- a/Source/charon/config/connection.h +++ b/Source/charon/config/connection.h @@ -123,7 +123,7 @@ struct connection_t { /** * @brief Update address of my host. * - * It may be necessary to uptdate this address, as it + * It may be necessary to uptdate own address, as it * is set to the default route (0.0.0.0) in some cases. * Old host is destroyed, new one NOT cloned. * @@ -131,6 +131,18 @@ struct connection_t { * @param my_host new host to set as my_host */ void (*update_my_host) (connection_t *this, host_t *my_host); + + /** + * @brief Update address of remote host. + * + * It may be necessary to uptdate remote address, as a + * connection may define %any (0.0.0.0) or a subnet. + * Old host is destroyed, new one NOT cloned. + * + * @param this calling object + * @param my_host new host to set as other_host + */ + void (*update_other_host) (connection_t *this, host_t *other_host); /** * @brief Returns a list of all supported proposals. @@ -193,6 +205,14 @@ struct connection_t { bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group); /** + * @brief Clone a connection_t object. + * + * @param this connection to clone + * @return clone of it + */ + connection_t *(*clone) (connection_t *this); + + /** * @brief Destroys a connection_t object. * * @param this calling object diff --git a/Source/charon/config/connection_store.h b/Source/charon/config/connection_store.h index aac10574b..8b80c0fea 100755 --- a/Source/charon/config/connection_store.h +++ b/Source/charon/config/connection_store.h @@ -33,7 +33,7 @@ typedef struct connection_store_t connection_store_t; * @brief The interface for a store of connection_t's. * * @b Constructors: - * - connection_store_create() + * - stroke_create() * * @ingroup config */ @@ -42,6 +42,8 @@ struct connection_store_t { /** * @brief Returns a connection definition identified by two IDs. * + * This call is usefull to get a connection identified by addresses. + * It may be used after kernel request for traffic protection. * The returned connection gets created/cloned and therefore must * be destroyed after usage. * @@ -57,6 +59,8 @@ struct connection_store_t { /** * @brief Returns a connection definition identified by two hosts. * + * This call is useful to get a connection which is identified by IDs + * rather than addresses, e.g. for connection setup on user request. * The returned connection gets created/cloned and therefore must * be destroyed after usage. * diff --git a/Source/charon/config/credential_store.h b/Source/charon/config/credential_store.h index 89e9704b3..27f957aa1 100755 --- a/Source/charon/config/credential_store.h +++ b/Source/charon/config/credential_store.h @@ -34,7 +34,7 @@ typedef struct credential_store_t credential_store_t; * @brief The interface for a credential_store backend. * * @b Constructors: - * - credential_store_create() + * - stroke_create() * * @ingroup config */ @@ -43,8 +43,7 @@ struct credential_store_t { /** * @brief Returns the preshared secret of a specific ID. * - * The returned preshared secret MUST NOT be destroyed cause it's managed by - * this credential_store_t object. + * The returned chunk must be destroyed by the caller after usage. * * @param this calling object * @param identification identification_t object identifiying the secret. @@ -59,8 +58,7 @@ struct credential_store_t { /** * @brief Returns the RSA public key of a specific ID. * - * The returned rsa_public_key_t object MUST NOT be destroyed cause it's managed by - * this credential_store_t object. + * The returned rsa_public_key_t must be destroyed by the caller after usage. * * @param this calling object * @param identification identification_t object identifiying the key. @@ -75,8 +73,7 @@ struct credential_store_t { /** * @brief Returns the RSA private key of a specific ID. * - * The returned rsa_private_key_t object MUST NOT be destroyed cause it's managed by - * this credential_store_t object. + * The returned rsa_private_key_t must be destroyed by the caller after usage. * * @param this calling object * @param identification identification_t object identifiying the key diff --git a/Source/charon/config/policy.c b/Source/charon/config/policy.c index 0d9e8487d..fbdc46def 100644 --- a/Source/charon/config/policy.c +++ b/Source/charon/config/policy.c @@ -87,6 +87,57 @@ static identification_t *get_other_id(private_policy_t *this) } /** + * Implementation of policy_t.update_my_id + */ +static void update_my_id(private_policy_t *this, identification_t *my_id) +{ + this->my_id->destroy(this->my_id); + this->my_id = my_id; +} + +/** + * Implementation of policy_t.update_other_id + */ +static void update_other_id(private_policy_t *this, identification_t *other_id) +{ + this->other_id->destroy(this->other_id); + this->other_id = other_id; +} + +/** + * Helper function which does the work for policy_t.update_my_ts and update_other_ts + */ +static void update_ts(linked_list_t* list, host_t *new_host) +{ + traffic_selector_t *ts; + iterator_t *iterator; + + iterator = list->create_iterator(list, TRUE); + while (iterator->has_next(iterator)) + { + iterator->current(iterator, (void**)&ts); + ts->update_address_range(ts, new_host); + } + iterator->destroy(iterator); +} + +/** + * Implementation of policy_t.update_my_id + */ +static void update_my_ts(private_policy_t *this, host_t *my_host) +{ + update_ts(this->my_ts, my_host); +} + +/** + * Implementation of policy_t.update_other_ts + */ +static void update_other_ts(private_policy_t *this, host_t *my_host) +{ + update_ts(this->other_ts, my_host); +} + +/** * Implementation of policy_t.get_my_traffic_selectors */ static linked_list_t *get_my_traffic_selectors(private_policy_t *this) @@ -263,6 +314,50 @@ static status_t destroy(private_policy_t *this) return SUCCESS; } +/** + * Implements policy_t.clone. + */ +static policy_t *clone(private_policy_t *this) +{ + private_policy_t *clone = (private_policy_t*)policy_create(this->my_id->clone(this->my_id), + this->other_id->clone(this->other_id)); + iterator_t *iterator; + proposal_t *proposal; + traffic_selector_t *ts; + + /* clone all proposals */ + iterator = this->proposals->create_iterator(this->proposals, TRUE); + while (iterator->has_next(iterator)) + { + iterator->current(iterator, (void**)&proposal); + proposal = proposal->clone(proposal); + clone->proposals->insert_last(clone->proposals, (void*)proposal); + } + iterator->destroy(iterator); + + /* clone all local traffic selectors */ + iterator = this->my_ts->create_iterator(this->my_ts, TRUE); + while (iterator->has_next(iterator)) + { + iterator->current(iterator, (void**)&ts); + ts = ts->clone(ts); + clone->my_ts->insert_last(clone->my_ts, (void*)ts); + } + iterator->destroy(iterator); + + /* clone all remote traffic selectors */ + iterator = this->other_ts->create_iterator(this->other_ts, TRUE); + while (iterator->has_next(iterator)) + { + iterator->current(iterator, (void**)&ts); + ts = ts->clone(ts); + clone->other_ts->insert_last(clone->other_ts, (void*)ts); + } + iterator->destroy(iterator); + + return &clone->public; +} + /* * Described in header-file */ @@ -273,6 +368,10 @@ policy_t *policy_create(identification_t *my_id, identification_t *other_id) /* public functions */ this->public.get_my_id = (identification_t*(*)(policy_t*))get_my_id; this->public.get_other_id = (identification_t*(*)(policy_t*))get_other_id; + this->public.update_my_id = (void(*)(policy_t*,identification_t*))update_my_id; + this->public.update_other_id = (void(*)(policy_t*,identification_t*))update_other_id; + this->public.update_my_ts = (void(*)(policy_t*,host_t*))update_my_ts; + this->public.update_other_ts = (void(*)(policy_t*,host_t*))update_other_ts; this->public.get_my_traffic_selectors = (linked_list_t*(*)(policy_t*))get_my_traffic_selectors; this->public.select_my_traffic_selectors = (linked_list_t*(*)(policy_t*,linked_list_t*))select_my_traffic_selectors; this->public.get_other_traffic_selectors = (linked_list_t*(*)(policy_t*))get_other_traffic_selectors; @@ -282,6 +381,7 @@ policy_t *policy_create(identification_t *my_id, identification_t *other_id) this->public.add_my_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_my_traffic_selector; this->public.add_other_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_other_traffic_selector; this->public.add_proposal = (void(*)(policy_t*,proposal_t*))add_proposal; + this->public.clone = (policy_t*(*)(policy_t*))clone; this->public.destroy = (void(*)(policy_t*))destroy; /* apply init values */ diff --git a/Source/charon/config/policy.h b/Source/charon/config/policy.h index ddae051b9..78cda1e8b 100644 --- a/Source/charon/config/policy.h +++ b/Source/charon/config/policy.h @@ -64,6 +64,56 @@ struct policy_t { * @return other id */ identification_t *(*get_other_id) (policy_t *this); + + /** + * @brief Update own ID. + * + * It may be necessary to uptdate own ID, as it + * is set to %any or to e.g. *@strongswan.org in + * some cases. + * Old ID is destroyed, new one NOT cloned. + * + * @param this calling object + * @param my_id new ID to set as my_id + */ + void (*update_my_id) (policy_t *this, identification_t *my_id); + + /** + * @brief Update others ID. + * + * It may be necessary to uptdate others ID, as it + * is set to %any or to e.g. *@strongswan.org in + * some cases. + * Old ID is destroyed, new one NOT cloned. + * + * @param this calling object + * @param other_id new ID to set as other_id + */ + void (*update_other_id) (policy_t *this, identification_t *other_id); + + /** + * @brief Update own address in traffic selectors. + * + * Update own 0.0.0.0 address in traffic selectors + * with supplied one. The size of the subnet will be + * set to /32. + * + * @param this calling object + * @param my_host new address to set in traffic selectors + */ + void (*update_my_ts) (policy_t *this, host_t *my_host); + + /** + * @brief Update others address in traffic selectors. + * + * Update remote 0.0.0.0 address in traffic selectors + * with supplied one. The size of the subnet will be + * set to /32. + * + * @param this calling object + * @param other_host new address to set in traffic selectors + */ + void (*update_other_ts) (policy_t *this, host_t *other_host); /** * @brief Get configured traffic selectors for our site. @@ -170,7 +220,15 @@ struct policy_t { void (*add_proposal) (policy_t *this, proposal_t *proposal); /** - * @brief Destroys the config object + * @brief Clone a policy. + * + * @param this policy to clone + * @return clone of it + */ + policy_t *(*clone) (policy_t *this); + + /** + * @brief Destroys the policy object * * @param this calling object */ diff --git a/Source/charon/config/policy_store.h b/Source/charon/config/policy_store.h index 1c4402393..467e27d1d 100755 --- a/Source/charon/config/policy_store.h +++ b/Source/charon/config/policy_store.h @@ -30,10 +30,10 @@ typedef struct policy_store_t policy_store_t; /** - * @brief The interface for a store of polcy_t's. + * @brief The interface for a store of policy_t's. * * @b Constructors: - * - policy_store_create() + * - stroke_create() * * @ingroup config */ @@ -42,6 +42,9 @@ struct policy_store_t { /** * @brief Returns a policy identified by two IDs. * + * The returned policy gets created/cloned and therefore must be + * destroyed by the caller. + * * @param this calling object * @param my_id own ID of the policy * @param other_id others ID of the policy diff --git a/Source/charon/config/proposal.c b/Source/charon/config/proposal.c index a547583d9..e5a8a64cc 100644 --- a/Source/charon/config/proposal.c +++ b/Source/charon/config/proposal.c @@ -533,6 +533,50 @@ static u_int64_t get_spi(private_proposal_t *this, protocol_id_t proto) } /** + * Clone a algorithm list + */ +static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list) +{ + algorithm_t *algo, *clone_algo; + iterator_t *iterator = list->create_iterator(list, TRUE); + while (iterator->has_next(iterator)) + { + iterator->current(iterator, (void**)&algo); + clone_algo = allocator_alloc_thing(algorithm_t); + memcpy(clone_algo, algo, sizeof(algorithm_t)); + clone_list->insert_last(clone_list, (void*)clone_algo); + } + iterator->destroy(iterator); +} + +/** + * Implements proposal_t.clone + */ +static proposal_t *clone(private_proposal_t *this) +{ + private_proposal_t *clone = (private_proposal_t*)proposal_create(this->number); + + iterator_t *iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE); + while (iterator->has_next(iterator)) + { + protocol_proposal_t *proto_prop, *clone_proto_prop; + iterator->current(iterator, (void**)&proto_prop); + + clone_proto_prop = get_protocol_proposal(clone, proto_prop->protocol, TRUE); + memcpy(clone_proto_prop->spi.ptr, proto_prop->spi.ptr, clone_proto_prop->spi.len); + + clone_algo_list(proto_prop->encryption_algos, clone_proto_prop->encryption_algos); + clone_algo_list(proto_prop->integrity_algos, clone_proto_prop->integrity_algos); + clone_algo_list(proto_prop->prf_algos, clone_proto_prop->prf_algos); + clone_algo_list(proto_prop->dh_groups, clone_proto_prop->dh_groups); + clone_algo_list(proto_prop->esns, clone_proto_prop->esns); + } + iterator->destroy(iterator); + + return &clone->public; +} + +/** * Frees all list items and destroys the list */ static void free_algo_list(linked_list_t *list) @@ -586,6 +630,7 @@ proposal_t *proposal_create(u_int8_t number) this->public.get_protocols = (void(*)(proposal_t *this, protocol_id_t ids[2]))get_protocols; this->public.set_spi = (void(*)(proposal_t*,protocol_id_t,u_int64_t spi))set_spi; this->public.get_spi = (u_int64_t(*)(proposal_t*,protocol_id_t))get_spi; + this->public.clone = (proposal_t*(*)(proposal_t*))clone; this->public.destroy = (void(*)(proposal_t*))destroy; /* init private members*/ diff --git a/Source/charon/config/proposal.h b/Source/charon/config/proposal.h index 48ed4ea79..e2a4856e9 100644 --- a/Source/charon/config/proposal.h +++ b/Source/charon/config/proposal.h @@ -237,6 +237,14 @@ struct proposal_t { void (*set_spi) (proposal_t *this, protocol_id_t proto, u_int64_t spi); /** + * @brief Clone a proposal. + * + * @param this proposal to clone + * @return clone of it + */ + proposal_t *(*clone) (proposal_t *this); + + /** * @brief Destroys the proposal object. * * @param this calling object diff --git a/Source/charon/config/traffic_selector.c b/Source/charon/config/traffic_selector.c index 317b7a38e..0b8193135 100644 --- a/Source/charon/config/traffic_selector.c +++ b/Source/charon/config/traffic_selector.c @@ -225,7 +225,7 @@ static u_int8_t get_netmask(private_traffic_selector_t *this) return bit; } } - return 0; + return 32; } case TS_IPV6_ADDR_RANGE: default: @@ -236,6 +236,24 @@ static u_int8_t get_netmask(private_traffic_selector_t *this) } /** + * Implements traffic_selector_t.update_address_range. + */ +static void update_address_range(private_traffic_selector_t *this, host_t *host) +{ + if (host->get_family(host) == AF_INET && + this->type == TS_IPV4_ADDR_RANGE) + { + if (this->from_addr_ipv4 == 0) + { + chunk_t from = host->get_address_as_chunk(host); + this->from_addr_ipv4 = ntohl(*((u_int32_t*)from.ptr)); + this->to_addr_ipv4 = this->from_addr_ipv4; + allocator_free_chunk(&from); + } + } +} + +/** * Implements traffic_selector_t.clone. */ static traffic_selector_t *clone(private_traffic_selector_t *this) @@ -315,7 +333,15 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, u_int8_t ne this->type = TS_IPV4_ADDR_RANGE; from = net->get_address_as_chunk(net); this->from_addr_ipv4 = ntohl(*((u_int32_t*)from.ptr)); - this->to_addr_ipv4 = this->from_addr_ipv4 | ((1 << (32 - netbits)) - 1); + if (this->from_addr_ipv4 == 0) + { + /* use /32 for 0.0.0.0 */ + this->to_addr_ipv4 = 0xFFFFFF; + } + else + { + this->to_addr_ipv4 = this->from_addr_ipv4 | ((1 << (32 - netbits)) - 1); + } allocator_free_chunk(&from); break; } @@ -386,6 +412,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts this->public.get_type = (ts_type_t(*)(traffic_selector_t*))get_type; this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol; this->public.get_netmask = (u_int8_t(*)(traffic_selector_t*))get_netmask; + this->public.update_address_range = (void(*)(traffic_selector_t*,host_t*))update_address_range; this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone; this->public.destroy = (void(*)(traffic_selector_t*))destroy; diff --git a/Source/charon/config/traffic_selector.h b/Source/charon/config/traffic_selector.h index 2980520ce..7e59b53fc 100644 --- a/Source/charon/config/traffic_selector.h +++ b/Source/charon/config/traffic_selector.h @@ -169,12 +169,27 @@ struct traffic_selector_t { * * Returns the number of bits associated to the subnet. * (As the "24" in "192.168.0.0/24"). This is approximated - * if the address range is not a complete subnet! + * if the address range is not a complete subnet! Since Linux + * does not support full IP address ranges (yet), we can't do this + * (much) better. * * @param this calling obect * @return netmask as "bits for subnet" */ u_int8_t (*get_netmask) (traffic_selector_t *this); + + /** + * @brief Update the address of a traffic selector. + * + * Update the address range of a traffic selector, + * if the current address is 0.0.0.0. The new address range + * starts from the supplied address and also ends there + * (which means it is a one-host-address-range ;-). + * + * @param this calling obect + * @param host host_t specifying the address range + */ + void (*update_address_range) (traffic_selector_t *this, host_t* host); /** * @brief Destroys the ts object @@ -222,6 +237,22 @@ traffic_selector_t *traffic_selector_create_from_string(u_int8_t protocol, ts_ty */ traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol, ts_type_t type, chunk_t from_address, int16_t from_port, chunk_t to_address, u_int16_t to_port); +/** + * @brief Create a new traffic selector defining a whole subnet. + * + * In most cases, definition of a traffic selector for full subnets + * is sufficient. This constructor creates a traffic selector for + * all protocols, all ports and the address range specified by the + * subnet. + * + * @param net subnet to use + * @param netbits size of the subnet, as used in e.g. 192.168.0.0/24 notation + * @return + * - traffic_selector_t object + * - NULL if address family of net not supported + * + * @ingroup config + */ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, u_int8_t netbits); #endif /* TRAFFIC_SELECTOR_H_ */ diff --git a/Source/charon/daemon.h b/Source/charon/daemon.h index 4b7003179..421dbd16a 100644 --- a/Source/charon/daemon.h +++ b/Source/charon/daemon.h @@ -66,7 +66,7 @@ /** * Output of log, use NULL for syslog */ -#define LOG_OUTPUT stdout +#define LOG_OUTPUT NULL /** * @brief Default loglevel for every logger context. diff --git a/Source/charon/sa/authenticator.c b/Source/charon/sa/authenticator.c index d735b633e..8b96246ac 100644 --- a/Source/charon/sa/authenticator.c +++ b/Source/charon/sa/authenticator.c @@ -206,9 +206,9 @@ static status_t verify_auth_data (private_authenticator_t *this, status = charon->credentials->get_shared_secret(charon->credentials, other_id, &preshared_secret); - other_id->destroy(other_id); if (status != SUCCESS) { + other_id->destroy(other_id); return status; } @@ -218,20 +218,26 @@ static status_t verify_auth_data (private_authenticator_t *this, other_id_payload, initiator, preshared_secret); + allocator_free_chunk(&preshared_secret); if (auth_data.len != my_auth_data.len) { allocator_free_chunk(&my_auth_data); - return FAILED; + status = FAILED; } - if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0) + else if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0) { + this->logger->log(this->logger, CONTROL, "Authentication of %s with preshared secret successful", + other_id->get_string(other_id)); status = SUCCESS; } else { + this->logger->log(this->logger, CONTROL, "Authentication of %s with preshared secret failed", + other_id->get_string(other_id)); status = FAILED; } + other_id->destroy(other_id); allocator_free_chunk(&my_auth_data); return status; } @@ -247,16 +253,28 @@ static status_t verify_auth_data (private_authenticator_t *this, status = charon->credentials->get_rsa_public_key(charon->credentials, other_id, &public_key); - other_id->destroy(other_id); if (status != SUCCESS) { + other_id->destroy(other_id); return status; } octets = this->allocate_octets(this,last_received_packet, my_nonce,other_id_payload, initiator); status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data); + if (status == SUCCESS) + { + this->logger->log(this->logger, CONTROL, "Authentication of %s with RSA successful", + other_id->get_string(other_id)); + } + else + { + this->logger->log(this->logger, CONTROL, "Authentication of %s with RSA failed", + other_id->get_string(other_id)); + } + public_key->destroy(public_key); + other_id->destroy(other_id); allocator_free_chunk(&octets); return status; } @@ -300,6 +318,7 @@ static status_t compute_auth_data (private_authenticator_t *this, auth_data = this->build_preshared_secret_signature(this, last_sent_packet, other_nonce, my_id_payload, initiator, preshared_secret); + allocator_free_chunk(&preshared_secret); *auth_payload = auth_payload_create(); (*auth_payload)->set_auth_method(*auth_payload, SHARED_KEY_MESSAGE_INTEGRITY_CODE); (*auth_payload)->set_data(*auth_payload, auth_data); @@ -334,6 +353,7 @@ static status_t compute_auth_data (private_authenticator_t *this, (*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE); (*auth_payload)->set_data(*auth_payload, auth_data); + private_key->destroy(private_key); allocator_free_chunk(&auth_data); return SUCCESS; } diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c index 6517c388c..c990e1dac 100644 --- a/Source/charon/sa/ike_sa.c +++ b/Source/charon/sa/ike_sa.c @@ -210,8 +210,8 @@ static status_t process_message (private_ike_sa_t *this, message_t *message) is_request = message->get_request(message); exchange_type = message->get_exchange_type(message); - this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s", - (is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type)); + this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s", + (is_request) ? "request" : "response",mapping_find(exchange_type_m,exchange_type)); message_id = message->get_message_id(message); @@ -966,53 +966,61 @@ static void destroy (private_ike_sa_t *this) /* inform other peer of delete */ send_delete_ike_sa_request(this); - while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS) { child_sa->destroy(child_sa); } this->child_sas->destroy(this->child_sas); - if (this->crypter_initiator != NULL) + + if (this->crypter_initiator) { this->crypter_initiator->destroy(this->crypter_initiator); } - if (this->crypter_responder != NULL) + if (this->crypter_responder) { this->crypter_responder->destroy(this->crypter_responder); } - if (this->signer_initiator != NULL) + if (this->signer_initiator) { this->signer_initiator->destroy(this->signer_initiator); } - if (this->signer_responder != NULL) + if (this->signer_responder) { this->signer_responder->destroy(this->signer_responder); } - if (this->prf != NULL) + if (this->prf) { this->prf->destroy(this->prf); } - if (this->child_prf != NULL) + if (this->child_prf) { this->child_prf->destroy(this->child_prf); } - if (this->prf_auth_i != NULL) + if (this->prf_auth_i) { this->prf_auth_i->destroy(this->prf_auth_i); } - if (this->prf_auth_r != NULL) + if (this->prf_auth_r) { this->prf_auth_r->destroy(this->prf_auth_r); } - this->ike_sa_id->destroy(this->ike_sa_id); - if (this->last_requested_message != NULL) + if (this->connection) + { + this->connection->destroy(this->connection); + } + if (this->policy) + { + this->policy->destroy(this->policy); + } + if (this->last_requested_message) { this->last_requested_message->destroy(this->last_requested_message); } - if (this->last_responded_message != NULL) + if (this->last_responded_message) { this->last_responded_message->destroy(this->last_responded_message); } + this->ike_sa_id->destroy(this->ike_sa_id); this->randomizer->destroy(this->randomizer); this->current_state->destroy(this->current_state); charon->logger_manager->destroy_logger(charon->logger_manager, this->logger); diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c index c80b7f72a..3fedf431c 100644 --- a/Source/charon/sa/states/ike_auth_requested.c +++ b/Source/charon/sa/states/ike_auth_requested.c @@ -352,16 +352,17 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i } this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply)); + /* create new state */ + this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa)); + this->destroy_after_state_change(this); + connection = this->ike_sa->get_connection(this->ike_sa); my_host = connection->get_my_host(connection); other_host = connection->get_other_host(connection); - this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s", - my_host->get_address(my_host), other_host->get_address(other_host), - mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload))); - - this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa)); - this->destroy_after_state_change(this); + this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s", + my_host->get_address(my_host), other_host->get_address(other_host)); + return SUCCESS; } diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c index 5e641f9b3..0c4b6b690 100644 --- a/Source/charon/sa/states/ike_sa_init_requested.c +++ b/Source/charon/sa/states/ike_sa_init_requested.c @@ -215,6 +215,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t iterator_t *payloads; host_t *me; connection_t *connection; + policy_t *policy; message_t *request; status_t status; @@ -344,6 +345,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t connection = this->ike_sa->get_connection(this->ike_sa); me = ike_sa_init_reply->get_destination(ike_sa_init_reply); connection->update_my_host(connection, me->clone(me)); + policy = this->ike_sa->get_policy(this->ike_sa); + policy->update_my_ts(policy, me); /* build empty message */ this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request); diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c index 8c93e3275..751f13517 100644 --- a/Source/charon/sa/states/ike_sa_init_responded.c +++ b/Source/charon/sa/states/ike_sa_init_responded.c @@ -247,10 +247,9 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t sa_request = (sa_payload_t*)payload; break; } - case TRAFFIC_SELECTOR_INITIATOR: { - tsi_request = (ts_payload_t*)payload; + tsi_request = (ts_payload_t*)payload; break; } case TRAFFIC_SELECTOR_RESPONDER: @@ -360,16 +359,15 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t this->ike_sa->add_child_sa(this->ike_sa, this->child_sa); } - /* create new state */ + /* create new state */ + this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa)); + this->destroy_after_state_change(this); + connection = this->ike_sa->get_connection(this->ike_sa); my_host = connection->get_my_host(connection); other_host = connection->get_other_host(connection); - this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s", - my_host->get_address(my_host), other_host->get_address(other_host), - mapping_find(auth_method_m, auth_request->get_auth_method(auth_request))); - - this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa)); - this->destroy_after_state_change(this); + this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s", + my_host->get_address(my_host), other_host->get_address(other_host)); return SUCCESS; } @@ -396,13 +394,13 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl { if (my_id) { - this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses IDs %s to %s, which we have no policy for", + this->logger->log(this->logger, AUDIT, "We don't have a policy for IDs %s - %s. Deleting IKE_SA", other_id->get_string(other_id),my_id->get_string(my_id)); my_id->destroy(my_id); } else { - this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses ID %s, which we have no policy for", + this->logger->log(this->logger, AUDIT, "We don't have a policy for remote ID %s. Deleting IKE_SA", other_id->get_string(other_id)); } other_id->destroy(other_id); @@ -416,7 +414,10 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl other_id->destroy(other_id); /* get my id, if not requested */ - my_id = this->policy->get_my_id(this->policy); + my_id = this->policy->get_my_id(this->policy); + + /* update others traffic selectors with actually used address */ + this->policy->update_other_ts(this->policy, response->get_destination(response)); /* set policy in ike_sa for other states */ this->ike_sa->set_policy(this->ike_sa, this->policy); diff --git a/Source/charon/threads/stroke.c b/Source/charon/threads/stroke.c index 9dad95d3c..1bc94c85d 100755 --- a/Source/charon/threads/stroke.c +++ b/Source/charon/threads/stroke.c @@ -119,6 +119,16 @@ struct private_stroke_t { * Holding all configurations. */ linked_list_t *configurations; + + /** + * The list of RSA private keys accessible through crendial_store_t interface + */ + linked_list_t *rsa_private_keys; + + /** + * The list of RSA public keys accessible through crendial_store_t interface + */ + linked_list_t *rsa_public_keys; /** * Assigned logger_t object. @@ -153,10 +163,14 @@ struct private_stroke_t { * stroke_msg). They must be corrected if they reach our address * space... */ -static void fix_string(stroke_msg_t *msg, char **string) +static void pop_string(stroke_msg_t *msg, char **string) { /* check for sanity of string pointer and string */ - if (string < (char**)msg || + if (*string == NULL) + { + *string = ""; + } + else if (string < (char**)msg || string > (char**)msg + sizeof(stroke_msg_t) || *string < (char*)msg->buffer - (u_int)msg || *string > (char*)(u_int)msg->length) @@ -210,7 +224,7 @@ static void stroke_receive(private_stroke_t *this) continue; } - this->logger->log_bytes(this->logger, RAW|LEVEL1, "stroke message", (void*)msg, msg_length); + this->logger->log_bytes(this->logger, CONTROL, "stroke message", (void*)msg, msg_length); switch (msg->type) { @@ -218,8 +232,8 @@ static void stroke_receive(private_stroke_t *this) { initiate_ike_sa_job_t *job; connection_t *connection; - fix_string(msg, &(msg->initiate.name)); - this->logger->log(this->logger, CONTROL|LEVEL1, "received stroke: initiate \"%s\"", msg->initiate.name); + pop_string(msg, &(msg->initiate.name)); + this->logger->log(this->logger, CONTROL, "received stroke: initiate \"%s\"", msg->initiate.name); connection = this->get_connection_by_name(this, msg->initiate.name); if (connection == NULL) { @@ -234,8 +248,8 @@ static void stroke_receive(private_stroke_t *this) } case STR_INSTALL: { - fix_string(msg, &(msg->install.name)); - this->logger->log(this->logger, CONTROL|LEVEL1, "received stroke: install \"%s\"", msg->install.name); + pop_string(msg, &(msg->install.name)); + this->logger->log(this->logger, CONTROL, "received stroke: install \"%s\"", msg->install.name); break; } case STR_ADD_CONN: @@ -245,28 +259,84 @@ static void stroke_receive(private_stroke_t *this) identification_t *my_id, *other_id; host_t *my_host, *other_host, *my_subnet, *other_subnet; proposal_t *proposal; - traffic_selector_t *ts; - chunk_t chunk; + traffic_selector_t *my_ts, *other_ts; + + pop_string(msg, &msg->add_conn.name); + pop_string(msg, &msg->add_conn.me.address); + pop_string(msg, &msg->add_conn.other.address); + pop_string(msg, &msg->add_conn.me.id); + pop_string(msg, &msg->add_conn.other.id); + pop_string(msg, &msg->add_conn.me.subnet); + pop_string(msg, &msg->add_conn.other.subnet); + + this->logger->log(this->logger, CONTROL, "received stroke: add connection \"%s\"", msg->add_conn.name); + + my_host = host_create(AF_INET, msg->add_conn.me.address, 500); + if (my_host == NULL) + { + this->logger->log(this->logger, ERROR, "received invalid host: %s", msg->add_conn.me.address); + break; + } + other_host = host_create(AF_INET, msg->add_conn.other.address, 500); + if (other_host == NULL) + { + this->logger->log(this->logger, ERROR, "received invalid host: %s", msg->add_conn.other.address); + my_host->destroy(my_host); + break; + } + my_id = identification_create_from_string(ID_IPV4_ADDR, + *msg->add_conn.me.id ? msg->add_conn.me.id : msg->add_conn.me.address); + if (my_id == NULL) + { + this->logger->log(this->logger, ERROR, "received invalid id: %s", msg->add_conn.me.id); + my_host->destroy(my_host); + other_host->destroy(other_host); + break; + } + other_id = identification_create_from_string(ID_IPV4_ADDR, + *msg->add_conn.other.id ? msg->add_conn.other.id : msg->add_conn.other.address); + if (other_id == NULL) + { + my_host->destroy(my_host); + other_host->destroy(other_host); + my_id->destroy(my_id); + this->logger->log(this->logger, ERROR, "received invalid id: %s", msg->add_conn.other.id); + break; + } - fix_string(msg, &msg->add_conn.name); - this->logger->log(this->logger, CONTROL|LEVEL1, "received stroke: add connection \"%s\"", msg->add_conn.name); + my_subnet = host_create(AF_INET, *msg->add_conn.me.subnet ? msg->add_conn.me.subnet : msg->add_conn.me.address, 500); + if (my_subnet == NULL) + { + my_host->destroy(my_host); + other_host->destroy(other_host); + my_id->destroy(my_id); + other_id->destroy(other_id); + this->logger->log(this->logger, ERROR, "received invalid subnet: %s", msg->add_conn.me.subnet); + break; + } - msg->add_conn.me.address.v4.sin_port = htons(500); - msg->add_conn.other.address.v4.sin_port = htons(500); - my_host = host_create_from_sockaddr(&msg->add_conn.me.address.saddr); - other_host = host_create_from_sockaddr(&msg->add_conn.other.address.saddr); + other_subnet = host_create(AF_INET, *msg->add_conn.other.subnet ? msg->add_conn.other.subnet : msg->add_conn.other.address, 500); + if (other_subnet == NULL) + { + my_host->destroy(my_host); + other_host->destroy(other_host); + my_id->destroy(my_id); + other_id->destroy(other_id); + my_subnet->destroy(my_subnet); + this->logger->log(this->logger, ERROR, "received invalid subnet: %s", msg->add_conn.me.subnet); + break; + } - fix_string(msg, &msg->add_conn.me.id); - fix_string(msg, &msg->add_conn.other.id); - my_id = identification_create_from_string(ID_IPV4_ADDR, msg->add_conn.me.id); - other_id = identification_create_from_string(ID_IPV4_ADDR, msg->add_conn.other.id); + this->logger->log(this->logger, CONTROL, "my ID %s, others ID %s", + my_id->get_string(my_id), + other_id->get_string(other_id)); connection = connection_create(my_host, other_host, my_id->clone(my_id), other_id->clone(other_id), SHARED_KEY_MESSAGE_INTEGRITY_CODE); proposal = proposal_create(1); proposal->add_algorithm(proposal, IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16); proposal->add_algorithm(proposal, IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); proposal->add_algorithm(proposal, IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0); - proposal->add_algorithm(proposal, IKE, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); + proposal->add_algorithm(proposal, IKE, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); connection->add_proposal(connection, proposal); policy = policy_create(my_id, other_id); @@ -275,23 +345,19 @@ static void stroke_receive(private_stroke_t *this) proposal->add_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); policy->add_proposal(policy, proposal); - my_subnet = host_create_from_sockaddr(&msg->add_conn.me.subnet.saddr); - ts = traffic_selector_create_from_subnet(my_subnet, msg->add_conn.me.subnet_netbits); + my_ts = traffic_selector_create_from_subnet(my_subnet, *msg->add_conn.me.subnet ? msg->add_conn.me.subnet_mask : 32); my_subnet->destroy(my_subnet); - policy->add_my_traffic_selector(policy, ts); - - other_subnet = host_create_from_sockaddr(&msg->add_conn.other.subnet.saddr); - ts = traffic_selector_create_from_subnet(other_subnet, msg->add_conn.other.subnet_netbits); + policy->add_my_traffic_selector(policy, my_ts); + other_ts = traffic_selector_create_from_subnet(other_subnet, *msg->add_conn.other.subnet ? msg->add_conn.other.subnet_mask : 32); other_subnet->destroy(other_subnet); - policy->add_other_traffic_selector(policy, ts); + policy->add_other_traffic_selector(policy, other_ts); this->configurations->insert_last(this->configurations, configuration_entry_create(msg->add_conn.name, connection, policy)); - this->logger->log(this->logger, CONTROL|LEVEL1, "connection \"%s\" added (%d in store)", + this->logger->log(this->logger, CONTROL, "connection \"%s\" added (%d in store)", msg->add_conn.name, this->configurations->get_count(this->configurations)); - break; } case STR_DEL_CONN: @@ -299,6 +365,7 @@ static void stroke_receive(private_stroke_t *this) this->logger->log(this->logger, ERROR, "received invalid stroke"); } + close(strokefd); allocator_free(msg); } } @@ -335,13 +402,13 @@ static connection_t *get_connection_by_hosts(connection_store_t *store, host_t * /* could be right one, check my_host for default route*/ if (config_my_host->is_default_route(config_my_host)) { - found = entry->connection; + found = entry->connection->clone(entry->connection); break; } /* check now if host informations are the same */ else if (config_my_host->ip_is_equal(config_my_host,my_host)) { - found = entry->connection; + found = entry->connection->clone(entry->connection); break; } @@ -354,19 +421,26 @@ static connection_t *get_connection_by_hosts(connection_store_t *store, host_t * /* could be right one, check my_host for default route*/ if (config_my_host->is_default_route(config_my_host)) { - found = entry->connection; + found = entry->connection->clone(entry->connection); break; } /* check now if host informations are the same */ else if (config_my_host->ip_is_equal(config_my_host,my_host)) { - found = entry->connection; + found = entry->connection->clone(entry->connection); break; } } } iterator->destroy(iterator); + /* apply hosts as they are supplied since my_host may be %defaultroute, and other_host may be %any. */ + if (found) + { + found->update_my_host(found, my_host->clone(my_host)); + found->update_other_host(found, other_host->clone(other_host)); + } + return found; } @@ -400,7 +474,7 @@ static connection_t *get_connection_by_ids(connection_store_t *store, identifica { this->logger->log(this->logger, CONTROL|LEVEL2, "config entry with remote id %s", config_other_id->get_string(config_other_id)); - found = entry->connection; + found = entry->connection->clone(entry->connection); break; } } @@ -426,7 +500,7 @@ static connection_t *get_connection_by_name(private_stroke_t *this, char *name) if (strcmp(entry->name,name) == 0) { /* found configuration */ - found = entry->connection; + found = entry->connection->clone(entry->connection); break; } } @@ -452,64 +526,92 @@ static policy_t *get_policy(policy_store_t *store,identification_t *my_id, ident identification_t *config_my_id = entry->policy->get_my_id(entry->policy); identification_t *config_other_id = entry->policy->get_other_id(entry->policy); - /* host informations seem to be the same */ - if (config_other_id->equals(config_other_id, other_id)) + /* check other host first */ + if (config_other_id->belongs_to(config_other_id, other_id)) { - /* other ids seems to match */ + /* get it if my_id not specified */ if (my_id == NULL) { - /* first matching one is selected */ - /* TODO priorize found entries */ - found = entry->policy; + found = entry->policy->clone(entry->policy); break; } - if (config_my_id->equals(config_my_id, my_id)) + if (config_my_id->belongs_to(config_my_id, my_id)) { - found = entry->policy; + found = entry->policy->clone(entry->policy); break; } - } } iterator->destroy(iterator); + /* apply IDs as they are requsted, since they may be configured as %any or such */ + if (found) + { + if (my_id) + { + found->update_my_id(found, my_id->clone(my_id)); + } + found->update_other_id(found, other_id->clone(other_id)); + } return found; } - +/** + * Implementation of credential_store_t.get_shared_secret. + */ static status_t get_shared_secret(credential_store_t *this, identification_t *identification, chunk_t *preshared_secret) { char *secret = "schluessel"; preshared_secret->ptr = secret; - preshared_secret->len = strlen(secret) + 1; + preshared_secret->len = strlen(secret) + 1; + + *preshared_secret = allocator_clone_chunk(*preshared_secret); return SUCCESS; } +/** + * Implementation of credential_store_t.get_rsa_public_key. + */ static status_t get_rsa_public_key(credential_store_t *this, identification_t *identification, rsa_public_key_t **public_key) { return FAILED; } +/** + * Implementation of credential_store_t.get_rsa_private_key. + */ static status_t get_rsa_private_key(credential_store_t *this, identification_t *identification, rsa_private_key_t **private_key) { return FAILED; } - - - /** * Implementation of stroke_t.destroy. */ static void destroy(private_stroke_t *this) { configuration_entry_t *entry; + rsa_public_key_t *pub_key; + rsa_private_key_t *priv_key; + while (this->configurations->remove_first(this->configurations, (void **)&entry) == SUCCESS) { entry->destroy(entry); } this->configurations->destroy(this->configurations); + + while (this->rsa_private_keys->remove_first(this->rsa_private_keys, (void **)&priv_key) == SUCCESS) + { + priv_key->destroy(priv_key); + } + this->rsa_private_keys->destroy(this->rsa_private_keys); + + while (this->rsa_public_keys->remove_first(this->rsa_public_keys, (void **)&pub_key) == SUCCESS) + { + pub_key->destroy(pub_key); + } + this->rsa_public_keys->destroy(this->rsa_public_keys); charon->logger_manager->destroy_logger(charon->logger_manager,this->logger); close(this->socket); @@ -592,10 +694,13 @@ stroke_t *stroke_create() close(this->socket); unlink(socket_addr.sun_path); allocator_free(this); + return NULL; } /* private variables */ this->configurations = linked_list_create(); + this->rsa_private_keys = linked_list_create(); + this->rsa_public_keys = linked_list_create(); return (&this->public); } diff --git a/Source/charon/threads/stroke.h b/Source/charon/threads/stroke.h index 4fc0fe5e7..267c455f0 100644 --- a/Source/charon/threads/stroke.h +++ b/Source/charon/threads/stroke.h @@ -60,20 +60,10 @@ struct stroke_msg_t { struct { char *name; struct { - union { - u_int16_t family; - struct sockaddr saddr; - struct sockaddr_in v4; - struct sockaddr_in6 v6; - } address; char *id; - union { - u_int16_t family; - struct sockaddr saddr; - struct sockaddr_in v4; - struct sockaddr_in6 v6; - } subnet; - u_int8_t subnet_netbits; + char *address; + char *subnet; + u_int8_t subnet_mask; } me, other; } add_conn; }; @@ -99,10 +89,12 @@ typedef struct stroke_t stroke_t; * stroke_t.interface_xy to access the specific interface! You have * been warned... * + * @todo Add clean thread cancellation + * * @b Constructors: * - stroke_create() * - * @ingroup config + * @ingroup threads */ struct stroke_t { @@ -135,7 +127,7 @@ struct stroke_t { * * @return stroke_t object * - * @ingroup config + * @ingroup threads */ stroke_t *stroke_create(); diff --git a/Source/charon/utils/identification.c b/Source/charon/utils/identification.c index 73f218874..72d1610af 100644 --- a/Source/charon/utils/identification.c +++ b/Source/charon/utils/identification.c @@ -116,6 +116,28 @@ static bool equals (private_identification_t *this,private_identification_t *oth } /** + * Implementation of identification_t.belongs_to. + */ +static bool belongs_to(private_identification_t *this, private_identification_t *other) +{ + if (this->public.equals(&this->public, &other->public)) + { + return TRUE; + } + + if (this->type == other->type && this->type == ID_IPV4_ADDR) + { + /* is this %any (0.0.0.0)?*/ + if (*((u_int32_t*)this->encoded.ptr) == 0) + { + return TRUE; + } + /* TODO: Do we need subnet support? */ + } + return FALSE; +} + +/** * Implementation of identification_t.clone. */ static identification_t *clone(private_identification_t *this) @@ -150,6 +172,7 @@ static private_identification_t *identification_create() private_identification_t *this = allocator_alloc_thing(private_identification_t); this->public.equals = (bool (*) (identification_t*,identification_t*))equals; + this->public.belongs_to = (bool (*) (identification_t*,identification_t*))belongs_to; this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding; this->public.get_type = (id_type_t (*) (identification_t*))get_type; this->public.get_string = (char* (*) (identification_t*))get_string; diff --git a/Source/charon/utils/identification.h b/Source/charon/utils/identification.h index 38bac5ee1..b973da9a4 100644 --- a/Source/charon/utils/identification.h +++ b/Source/charon/utils/identification.h @@ -153,6 +153,20 @@ struct identification_t { bool (*equals) (identification_t *this,identification_t *other); /** + * @brief Check if an ID belongs to a wildcard ID. + * + * An identification_t may contain wildcards, such as + * *@strongswan.org. This call checks if a given ID + * (e.g. tester@strongswan.org) belongs to a such wildcard + * ID. Returns TRUE if IDs are identical. + * + * @param this the ID containing a wildcard + * @param other the ID without wildcard + * @return TRUE if other belongs to this + */ + bool (*belongs_to) (identification_t *this, identification_t *other); + + /** * @brief Clone a identification_t instance. * * @param this the identification_t object to clone diff --git a/Source/charon/utils/logger.c b/Source/charon/utils/logger.c index 29f485baa..3e2c93860 100644 --- a/Source/charon/utils/logger.c +++ b/Source/charon/utils/logger.c @@ -178,6 +178,7 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab if ((this->level & loglevel) == loglevel) { char buffer[MAX_LOG]; + char ascii_buffer[17]; char *format; char *buffer_pos; char *bytes_pos, *bytes_roof; @@ -207,6 +208,7 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab bytes_pos = bytes; bytes_roof = bytes + len; buffer_pos = buffer; + memset(ascii_buffer, 0, 17); for (i = 1; bytes_pos < bytes_roof; i++) { @@ -219,30 +221,34 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab buffer_pos = buffer; if (this->output == NULL) { - syslog(LOG_INFO, "[=>] [%5d ] %s", line_start, buffer); + syslog(LOG_INFO, "[=>] [%5d ] %s %s", line_start, buffer, ascii_buffer); } else { - fprintf(this->output, "[=>] [%5d ] %s\n", line_start, buffer); + fprintf(this->output, "[=>] [%5d ] %s %s\n", line_start, buffer, ascii_buffer); } + memset(ascii_buffer, 0, 16); line_start += 16; } - else if ((i % 8) == 0) - { - *buffer_pos++ = ' '; - *buffer_pos++ = ' '; - *buffer_pos++ = ' '; - } else if ((i % 4) == 0) { *buffer_pos++ = ' '; - *buffer_pos++ = ' '; + // *buffer_pos++ = ' '; } else { *buffer_pos++ = ' '; } + if (*bytes_pos > 31 && *bytes_pos < 127) + { + ascii_buffer[(i % 16)] = *bytes_pos; + } + else + { + ascii_buffer[(i % 16)] = '*'; + } + bytes_pos++; } @@ -252,11 +258,11 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab buffer_pos = buffer; if (this->output == NULL) { - syslog(LOG_INFO, "[=>] [%5d ] %s", line_start, buffer); + syslog(LOG_INFO, "[=>] [%5d ] %s %16s", line_start, buffer, ascii_buffer); } else { - fprintf(this->output, "[=>] [%5d ] %s\n", line_start, buffer); + fprintf(this->output, "[=>] [%5d ] %s %16s\n", line_start, buffer, ascii_buffer); } } pthread_mutex_unlock(&mutex); |