diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2009-04-30 11:37:54 +0000 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2009-04-30 11:37:54 +0000 |
| commit | d24a74c5b4fb62b720a79b632021746b69de7c45 (patch) | |
| tree | fd8854673b9d72059d7f9459a82663d5a70617ce /src/charon/plugins | |
| parent | 466f11bfaf56c389947b2cbee6dd4f1fb56a821e (diff) | |
| download | strongswan-d24a74c5b4fb62b720a79b632021746b69de7c45.tar.bz2 strongswan-d24a74c5b4fb62b720a79b632021746b69de7c45.tar.xz | |
merging changes from portability branch back to trunk
important change for developers: %Y replaces %D to print identities!
Diffstat (limited to 'src/charon/plugins')
27 files changed, 1117 insertions, 130 deletions
diff --git a/src/charon/plugins/eap_aka/eap_aka.c b/src/charon/plugins/eap_aka/eap_aka.c index da06d8059..da2adeb8a 100644 --- a/src/charon/plugins/eap_aka/eap_aka.c +++ b/src/charon/plugins/eap_aka/eap_aka.c @@ -880,7 +880,7 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn, /* Get the shared key K: */ if (load_key(this->server, this->peer, &this->k) != SUCCESS) { - DBG1(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate " + DBG1(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate " "with EAP-AKA", this->server, this->peer); return FAILED; } @@ -1202,7 +1202,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this, { *out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_AUTHENTICATION_REJECT, AT_END); - DBG3(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate " + DBG3(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate " "with EAP-AKA, sending %N", this->peer, this->server, aka_subtype_names, AKA_AUTHENTICATION_REJECT); return NEED_MORE; diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c index 0a93a90f6..9bcdbd686 100644 --- a/src/charon/plugins/eap_gtc/eap_gtc.c +++ b/src/charon/plugins/eap_gtc/eap_gtc.c @@ -174,7 +174,7 @@ static status_t process_peer(private_eap_gtc_t *this, this->peer, this->server); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'", this->peer, this->server); return FAILED; } diff --git a/src/charon/plugins/eap_md5/eap_md5.c b/src/charon/plugins/eap_md5/eap_md5.c index 533948000..47494388b 100644 --- a/src/charon/plugins/eap_md5/eap_md5.c +++ b/src/charon/plugins/eap_md5/eap_md5.c @@ -90,7 +90,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response) this->server, this->peer); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", this->server, this->peer); return NOT_FOUND; } diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c index 9bbff817a..ef142c1cd 100644 --- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c @@ -667,7 +667,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this, SHARED_EAP, this->peer, this->server); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", this->server, this->peer); return NOT_FOUND; } @@ -1019,14 +1019,14 @@ static status_t process_server_response(private_eap_mschapv2_t *this, name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255); snprintf(buf, sizeof(buf), "%.*s", name_len, res->name); userid = identification_create_from_string(buf); - DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%D'", userid); + DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid); username = extract_username(userid); shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP, this->server, userid); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", this->server, userid); /* FIXME: windows 7 always sends the username that is first entered in * the username box, even, if the user changes it during retries (probably diff --git a/src/charon/plugins/eap_sim/eap_sim.c b/src/charon/plugins/eap_sim/eap_sim.c index c2902b54b..fc33d6c93 100644 --- a/src/charon/plugins/eap_sim/eap_sim.c +++ b/src/charon/plugins/eap_sim/eap_sim.c @@ -571,7 +571,7 @@ static bool get_card_triplet(private_eap_sim_t *this, enumerator->destroy(enumerator); if (!card) { - DBG1(DBG_IKE, "no SIM card found matching '%D'", this->peer); + DBG1(DBG_IKE, "no SIM card found matching '%Y'", this->peer); } return success; } @@ -775,7 +775,7 @@ static bool get_provider_triplet(private_eap_sim_t *this, tried++; } enumerator->destroy(enumerator); - DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%D'", + DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'", tried, this->peer); return FALSE; } diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c index e130c0526..627857f3d 100644 --- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c +++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c @@ -220,7 +220,7 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path) continue; } - DBG2(DBG_CFG, "triplet: imsi %D\nrand %b\nsres %b\nkc %b", + DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b", triplet->imsi, triplet->rand, RAND_LEN, triplet->sres, SRES_LEN, triplet->kc, KC_LEN); diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c index 3d84805c8..1751ee807 100644 --- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1938,8 +1938,9 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -2610,7 +2611,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c index e3b683474..977740663 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -375,6 +375,24 @@ static protocol_id_t proto_kernel2ike(u_int8_t proto) } /** + * convert the general ipsec mode to the one defined in xfrm.h + */ +static u_int8_t mode2kernel(ipsec_mode_t mode) +{ + switch (mode) + { + case MODE_TRANSPORT: + return XFRM_MODE_TRANSPORT; + case MODE_TUNNEL: + return XFRM_MODE_TUNNEL; + case MODE_BEET: + return XFRM_MODE_BEET; + default: + return mode; + } +} + +/** * convert a host_t to a struct xfrm_address */ static void host2xfrm(host_t *host, xfrm_address_t *xfrm) @@ -803,7 +821,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, host2xfrm(src, &userspi->info.saddr); host2xfrm(dst, &userspi->info.id.daddr); userspi->info.id.proto = proto; - userspi->info.mode = TRUE; /* tunnel mode */ + userspi->info.mode = XFRM_MODE_TUNNEL; userspi->info.reqid = reqid; userspi->info.family = src->get_family(src); userspi->min = min; @@ -941,7 +959,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, sa->id.spi = spi; sa->id.proto = proto_ike2kernel(protocol); sa->family = src->get_family(src); - sa->mode = mode; + sa->mode = mode2kernel(mode); if (mode == MODE_TUNNEL) { sa->flags |= XFRM_STATE_AF_UNSPEC; @@ -1216,8 +1234,9 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { netlink_buf_t request; struct nlmsghdr *hdr; @@ -1226,7 +1245,7 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst, /* if IPComp was used, we first delete the additional IPComp SA */ if (cpi) { - del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0); + del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0); } memset(&request, 0, sizeof(request)); @@ -1339,7 +1358,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this, } /* delete the old SA (without affecting the IPComp SA) */ - if (del_sa(this, dst, spi, protocol, 0) != SUCCESS) + if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS) { DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi)); free(out); @@ -1526,7 +1545,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, tmpl->reqid = reqid; tmpl->id.proto = IPPROTO_COMP; tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode; + tmpl->mode = mode2kernel(mode); tmpl->optional = direction != POLICY_OUT; tmpl->family = src->get_family(src); @@ -1547,7 +1566,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, tmpl->reqid = reqid; tmpl->id.proto = proto_ike2kernel(protocol); tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode; + tmpl->mode = mode2kernel(mode); tmpl->family = src->get_family(src); host2xfrm(src, &tmpl->saddr); @@ -1871,7 +1890,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c index f18a5359c..9090e3215 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c @@ -1175,7 +1175,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty /** * Implementation of kernel_net_t.add_route. */ -status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, +static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL, @@ -1185,7 +1185,7 @@ status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, /** * Implementation of kernel_net_t.del_route. */ -status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net, +static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen, diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 6ef5b52a2..95932eb9c 100644 --- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2009 Tobias Brunner * Copyright (C) 2008 Andreas Steffen * Hochschule fuer Technik Rapperswil * @@ -18,10 +18,32 @@ #include <sys/types.h> #include <sys/socket.h> + +#ifdef HAVE_NET_PFKEYV2_H +#include <net/pfkeyv2.h> +#else #include <stdint.h> -#include <linux/ipsec.h> #include <linux/pfkeyv2.h> +#endif + +#ifdef SADB_X_EXT_NAT_T_TYPE +#define HAVE_NATT +#endif + +#ifdef HAVE_NETIPSEC_IPSEC_H +#include <netipsec/ipsec.h> +#else +#include <linux/ipsec.h> +#endif + +#ifdef HAVE_NATT +#ifdef HAVE_NETINET_UDP_H +#include <netinet/udp.h> +#else #include <linux/udp.h> +#endif /*HAVE_NETINET_UDP_H*/ +#endif /*HAVE_NATT*/ + #include <unistd.h> #include <pthread.h> #include <errno.h> @@ -38,6 +60,30 @@ #include <processing/jobs/delete_child_sa_job.h> #include <processing/jobs/update_sa_job.h> +/** non linux specific */ +#ifndef IPPROTO_COMP +#define IPPROTO_COMP IPPROTO_IPCOMP +#endif + +#ifndef SADB_X_AALG_SHA2_256HMAC +#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256 +#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384 +#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512 +#endif + +#ifndef SADB_X_EALG_AESCBC +#define SADB_X_EALG_AESCBC SADB_X_EALG_AES +#endif + +#ifndef SADB_X_EALG_CASTCBC +#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC +#endif + +#ifndef SOL_IP +#define SOL_IP IPPROTO_IP +#define SOL_IPV6 IPPROTO_IPV6 +#endif + /** from linux/in.h */ #ifndef IP_IPSEC_POLICY #define IP_IPSEC_POLICY 16 @@ -46,7 +92,7 @@ /* missing on uclibc */ #ifndef IPV6_IPSEC_POLICY #define IPV6_IPSEC_POLICY 34 -#endif /*IPV6_IPSEC_POLICY*/ +#endif /** default priority of installed policies */ #define PRIO_LOW 3000 @@ -160,8 +206,8 @@ struct route_entry_t { static void route_entry_destroy(route_entry_t *this) { free(this->if_name); - this->src_ip->destroy(this->src_ip); - this->gateway->destroy(this->gateway); + DESTROY_IF(this->src_ip); + DESTROY_IF(this->gateway); chunk_free(&this->dst_net); free(this); } @@ -217,7 +263,7 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts, /* src or dest proto may be "any" (0), use more restrictive one */ policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts)); - policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; + policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; policy->dst.proto = policy->src.proto; return policy; @@ -268,7 +314,6 @@ struct pfkey_msg_t */ struct sadb_msg *msg; - /** * PF_KEY message extensions */ @@ -305,7 +350,7 @@ struct pfkey_msg_t }; }; -ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS, +ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX, "SADB_EXT_RESERVED", "SADB_EXT_SA", "SADB_EXT_LIFETIME_CURRENT", @@ -333,6 +378,7 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS, "SADB_X_EXT_SEC_CTX", "SADB_X_EXT_KMADDRESS" ); + /** * convert a IKEv2 specific protocol identifier to the PF_KEY sa type */ @@ -396,8 +442,10 @@ static u_int8_t mode2kernel(ipsec_mode_t mode) return IPSEC_MODE_TRANSPORT; case MODE_TUNNEL: return IPSEC_MODE_TUNNEL; +#ifdef IPSEC_MODE_BEET case MODE_BEET: return IPSEC_MODE_BEET; +#endif default: return mode; } @@ -414,13 +462,16 @@ static u_int8_t dir2kernel(policy_dir_t dir) return IPSEC_DIR_INBOUND; case POLICY_OUT: return IPSEC_DIR_OUTBOUND; +#ifdef IPSEC_DIR_FWD case POLICY_FWD: return IPSEC_DIR_FWD; +#endif default: return dir; } } +#ifdef SADB_X_MIGRATE /** * convert the policy direction in ipsec.h to the general one. */ @@ -432,12 +483,16 @@ static policy_dir_t kernel2dir(u_int8_t dir) return POLICY_IN; case IPSEC_DIR_OUTBOUND: return POLICY_OUT; +#ifdef IPSEC_DIR_FWD case IPSEC_DIR_FWD: return POLICY_FWD; +#endif default: return dir; } } +#endif /*SADB_X_MIGRATE*/ + typedef struct kernel_algorithm_t kernel_algorithm_t; /** @@ -461,32 +516,32 @@ struct kernel_algorithm_t { * Algorithms for encryption */ static kernel_algorithm_t encryption_algs[] = { -/* {ENCR_DES_IV64, 0 }, */ - {ENCR_DES, SADB_EALG_DESCBC }, - {ENCR_3DES, SADB_EALG_3DESCBC }, -/* {ENCR_RC5, 0 }, */ -/* {ENCR_IDEA, 0 }, */ - {ENCR_CAST, SADB_X_EALG_CASTCBC }, - {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC }, -/* {ENCR_3IDEA, 0 }, */ -/* {ENCR_DES_IV32, 0 }, */ - {ENCR_NULL, SADB_EALG_NULL }, - {ENCR_AES_CBC, SADB_X_EALG_AESCBC }, -/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */ +/* {ENCR_DES_IV64, 0 }, */ + {ENCR_DES, SADB_EALG_DESCBC }, + {ENCR_3DES, SADB_EALG_3DESCBC }, +/* {ENCR_RC5, 0 }, */ +/* {ENCR_IDEA, 0 }, */ + {ENCR_CAST, SADB_X_EALG_CASTCBC }, + {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC }, +/* {ENCR_3IDEA, 0 }, */ +/* {ENCR_DES_IV32, 0 }, */ + {ENCR_NULL, SADB_EALG_NULL }, + {ENCR_AES_CBC, SADB_X_EALG_AESCBC }, +/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */ /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */ /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */ /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */ /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */ /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */ /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */ - {END_OF_LIST, 0 }, + {END_OF_LIST, 0 }, }; /** * Algorithms for integrity protection */ static kernel_algorithm_t integrity_algs[] = { - {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC }, + {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC }, {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC }, {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC }, {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC }, @@ -494,7 +549,7 @@ static kernel_algorithm_t integrity_algs[] = { /* {AUTH_DES_MAC, 0, }, */ /* {AUTH_KPDK_MD5, 0, }, */ {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, }, - {END_OF_LIST, 0, }, + {END_OF_LIST, 0, }, }; #if 0 @@ -502,11 +557,11 @@ static kernel_algorithm_t integrity_algs[] = { * Algorithms for IPComp, unused yet */ static kernel_algorithm_t compression_algs[] = { -/* {IPCOMP_OUI, 0 }, */ +/* {IPCOMP_OUI, 0 }, */ {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE }, {IPCOMP_LZS, SADB_X_CALG_LZS }, {IPCOMP_LZJH, SADB_X_CALG_LZJH }, - {END_OF_LIST, 0 }, + {END_OF_LIST, 0 }, }; #endif @@ -533,8 +588,11 @@ static void host2ext(host_t *host, struct sadb_address *ext) { sockaddr_t *host_addr = host->get_sockaddr(host); socklen_t *len = host->get_sockaddr_len(host); - memcpy((char*)(ext + 1), host_addr, *len); - ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len); +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN + host_addr->sa_len = *len; +#endif + memcpy((char*)(ext + 1), host_addr, *len); + ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len); } /** @@ -562,10 +620,14 @@ static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type) addr->sadb_address_exttype = type; sockaddr_t *saddr = (sockaddr_t*)(addr + 1); saddr->sa_family = family; - addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len); +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN + saddr->sa_len = len; +#endif + addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len); PFKEY_EXT_ADD(msg, addr); } +#ifdef HAVE_NATT /** * add udp encap extensions to a sadb_msg */ @@ -592,6 +654,7 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst) nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst)); PFKEY_EXT_ADD(msg, nat_port); } +#endif /*HAVE_NATT*/ /** * Convert a sadb_address to a traffic_selector @@ -606,7 +669,7 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address) */ host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ; ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen, - address->sadb_address_proto, host->get_port(host)); + address->sadb_address_proto, host->get_port(host)); return ts; } @@ -645,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out) if (out->ext[ext->sadb_ext_type]) { - DBG1(DBG_KNL, "duplicate %N extension", + DBG1(DBG_KNL, "duplicate %N extension", sadb_ext_type_names, ext->sadb_ext_type); break; } @@ -699,7 +762,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket } while (TRUE) - { + { msg = (struct sadb_msg*)buf; len = recv(socket, buf, sizeof(buf), 0); @@ -757,7 +820,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket *out_len = len; *out = (struct sadb_msg*)malloc(len); memcpy(*out, buf, len); - + this->mutex_pfkey->unlock(this->mutex_pfkey); return SUCCESS; @@ -868,8 +931,9 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* charon->processor->queue_job(charon->processor, job); } +#ifdef SADB_X_MIGRATE /** - * Process a SADB_MIGRATE message from the kernel + * Process a SADB_X_MIGRATE message from the kernel */ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) { @@ -893,7 +957,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts, policy_dir_names, dir); - /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */ + /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */ if (response.x_kmaddress) { sockaddr_t *local_addr, *remote_addr; @@ -924,7 +988,9 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* DESTROY_IF(remote); } } +#endif /*SADB_X_MIGRATE*/ +#ifdef HAVE_NATT /** * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel */ @@ -980,6 +1046,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* } } } +#endif /*HAVE_NATT*/ /** * Receives events from kernel @@ -991,7 +1058,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) int len, oldstate; pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - len = recv(this->socket_events, buf, sizeof(buf), 0); + len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0); pthread_setcancelstate(oldstate, NULL); if (len < 0) @@ -1035,12 +1102,16 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) case SADB_EXPIRE: process_expire(this, msg); break; +#ifdef SADB_X_MIGRATE case SADB_X_MIGRATE: process_migrate(this, msg); break; +#endif /*SADB_X_MIGRATE*/ +#ifdef HAVE_NATT case SADB_X_NAT_T_NEW_MAPPING: process_mapping(this, msg); break; +#endif /*HAVE_NATT*/ default: break; } @@ -1051,8 +1122,8 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) /** * Implementation of kernel_interface_t.get_spi. */ -static status_t get_spi(private_kernel_pfkey_ipsec_t *this, - host_t *src, host_t *dst, +static status_t get_spi(private_kernel_pfkey_ipsec_t *this, + host_t *src, host_t *dst, protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) { @@ -1099,7 +1170,7 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this, { received_spi = response.sa->sadb_sa_spi; } - free(out); + free(out); } if (received_spi == 0) @@ -1114,8 +1185,8 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this, /** * Implementation of kernel_interface_t.get_cpi. */ -static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, - host_t *src, host_t *dst, +static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, + host_t *src, host_t *dst, u_int32_t reqid, u_int16_t *cpi) { return FAILED; @@ -1226,11 +1297,13 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this, { /*TODO*/ } - + +#ifdef HAVE_NATT if (encap) { add_encap_ext(msg, src, dst); } +#endif /*HAVE_NATT*/ if (pfkey_send(this, msg, &out, &len) != SUCCESS) { @@ -1346,11 +1419,13 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, { PFKEY_EXT_COPY(msg, response.key_auth); } - + +#ifdef HAVE_NATT if (new_encap) { add_encap_ext(msg, new_src, new_dst); } +#endif /*HAVE_NATT*/ free(out); @@ -1374,8 +1449,9 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1398,9 +1474,8 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst, sa->sadb_sa_spi = spi; PFKEY_EXT_ADD(msg, sa); - /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though - * it is not used for anything. */ - add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC); + /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */ + add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); if (pfkey_send(this, msg, &out, &len) != SUCCESS) @@ -1424,7 +1499,7 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst, /** * Implementation of kernel_interface_t.add_policy. */ -static status_t add_policy(private_kernel_pfkey_ipsec_t *this, +static status_t add_policy(private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, @@ -1463,7 +1538,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, this->policies->insert_last(this->policies, policy); policy->refcount = 1; } - + memset(&request, 0, sizeof(request)); DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts, @@ -1480,12 +1555,14 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy)); pol->sadb_x_policy_id = 0; pol->sadb_x_policy_dir = dir2kernel(direction); + pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; +#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY /* calculate priority based on source selector size, small size = high prio */ pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH; pol->sadb_x_policy_priority -= policy->src.mask * 10; pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0; pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0; - pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; +#endif /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */ req = (struct sadb_x_ipsecrequest*)(pol + 1); @@ -1599,9 +1676,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, { free(route); } - } + } - this->mutex->unlock(this->mutex); + this->mutex->unlock(this->mutex); return SUCCESS; } @@ -1610,7 +1687,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, * Implementation of kernel_interface_t.query_policy. */ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, - traffic_selector_t *src_ts, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time) { @@ -1689,7 +1766,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, *use_time = response.lft_current->sadb_lifetime_usetime; free(out); - + return SUCCESS; } @@ -1697,7 +1774,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, * Implementation of kernel_interface_t.del_policy. */ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, - traffic_selector_t *src_ts, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted) { @@ -1722,7 +1799,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, if (--found->refcount > 0) { /* is used by more SAs, keep in kernel */ - DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); + DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); policy_entry_destroy(policy); this->mutex->unlock(this->mutex); return SUCCESS; @@ -1741,7 +1818,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, return NOT_FOUND; } this->mutex->unlock(this->mutex); - + memset(&request, 0, sizeof(request)); msg = (struct sadb_msg*)request; @@ -1791,7 +1868,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, DBG1(DBG_KNL, "error uninstalling route installed with " "policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); - } + } route_entry_destroy(route); } @@ -1863,22 +1940,26 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this) switch (family) { case AF_INET: + { sol = SOL_IP; ipsec_policy = IP_IPSEC_POLICY; break; + } case AF_INET6: { sol = SOL_IPV6; ipsec_policy = IPV6_IPSEC_POLICY; break; } + default: + continue; } memset(&policy, 0, sizeof(policy)); policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t); policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS; - + policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { @@ -1890,7 +1971,7 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this) policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", + DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", strerror(errno)); status = FALSE; break; @@ -1912,7 +1993,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am new file mode 100644 index 000000000..3ad445c09 --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/Makefile.am @@ -0,0 +1,10 @@ + +INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon + +AM_CFLAGS = -rdynamic + +plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la + +libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ + kernel_pfroute_net.h kernel_pfroute_net.c +libstrongswan_kernel_pfroute_la_LDFLAGS = -module diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c new file mode 100644 index 000000000..7805b6354 --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -0,0 +1,715 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include <sys/types.h> +#include <sys/socket.h> +#include <net/if.h> +#include <ifaddrs.h> +#include <net/route.h> +#include <unistd.h> +#include <pthread.h> +#include <errno.h> + +#include "kernel_pfroute_net.h" + +#include <daemon.h> +#include <utils/host.h> +#include <utils/mutex.h> +#include <utils/linked_list.h> +#include <processing/jobs/callback_job.h> +#include <processing/jobs/roam_job.h> + +#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN +#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member. +#endif + +/** delay before firing roam jobs (ms) */ +#define ROAM_DELAY 100 + +/** buffer size for PF_ROUTE messages */ +#define PFROUTE_BUFFER_SIZE 4096 + +typedef struct addr_entry_t addr_entry_t; + +/** + * IP address in an inface_entry_t + */ +struct addr_entry_t { + + /** The ip address */ + host_t *ip; + + /** virtual IP managed by us */ + bool virtual; + + /** Number of times this IP is used, if virtual */ + u_int refcount; +}; + +/** + * destroy a addr_entry_t object + */ +static void addr_entry_destroy(addr_entry_t *this) +{ + this->ip->destroy(this->ip); + free(this); +} + +typedef struct iface_entry_t iface_entry_t; + +/** + * A network interface on this system, containing addr_entry_t's + */ +struct iface_entry_t { + + /** interface index */ + int ifindex; + + /** name of the interface */ + char ifname[IFNAMSIZ]; + + /** interface flags, as in netdevice(7) SIOCGIFFLAGS */ + u_int flags; + + /** list of addresses as host_t */ + linked_list_t *addrs; +}; + +/** + * destroy an interface entry + */ +static void iface_entry_destroy(iface_entry_t *this) +{ + this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy); + free(this); +} + + +typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t; + +/** + * Private variables and functions of kernel_pfroute class. + */ +struct private_kernel_pfroute_net_t +{ + /** + * Public part of the kernel_pfroute_t object. + */ + kernel_pfroute_net_t public; + + /** + * mutex to lock access to various lists + */ + mutex_t *mutex; + + /** + * Cached list of interfaces and their addresses (iface_entry_t) + */ + linked_list_t *ifaces; + + /** + * job receiving PF_ROUTE events + */ + callback_job_t *job; + + /** + * mutex to lock access to the PF_ROUTE socket + */ + mutex_t *mutex_pfroute; + + /** + * PF_ROUTE socket to communicate with the kernel + */ + int socket; + + /** + * PF_ROUTE socket to receive events + */ + int socket_events; + + /** + * sequence number for messages sent to the kernel + */ + int seq; + + /** + * time of last roam job + */ + struct timeval last_roam; +}; + +/** + * Start a roaming job. We delay it a bit and fire only one job + * for multiple events. Otherwise we would create too many jobs. + */ +static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address) +{ + struct timeval now; + + if (gettimeofday(&now, NULL) == 0) + { + if (timercmp(&now, &this->last_roam, >)) + { + now.tv_usec += ROAM_DELAY * 1000; + while (now.tv_usec > 1000000) + { + now.tv_sec++; + now.tv_usec -= 1000000; + } + this->last_roam = now; + charon->scheduler->schedule_job_ms(charon->scheduler, + (job_t*)roam_job_create(address), ROAM_DELAY); + } + } +} + +/** + * Process an RTM_*ADDR message from the kernel + */ +static void process_addr(private_kernel_pfroute_net_t *this, + struct rt_msghdr *msg) +{ + struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg; + sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1); + host_t *host = NULL; + enumerator_t *ifaces, *addrs; + iface_entry_t *iface; + addr_entry_t *addr; + bool found = FALSE, changed = FALSE, roam = FALSE; + int i; + + for (i = 1; i < (1 << RTAX_MAX); i <<= 1) + { + if (ifa->ifam_addrs & i) + { + if (RTA_IFA & i) + { + host = host_create_from_sockaddr(sockaddr); + break; + } + sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len); + } + } + + if (!host) + { + return; + } + + this->mutex->lock(this->mutex); + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, &iface)) + { + if (iface->ifindex == ifa->ifam_index) + { + addrs = iface->addrs->create_enumerator(iface->addrs); + while (addrs->enumerate(addrs, &addr)) + { + if (host->ip_equals(host, addr->ip)) + { + found = TRUE; + if (ifa->ifam_type == RTM_DELADDR) + { + iface->addrs->remove_at(iface->addrs, addrs); + if (!addr->virtual) + { + changed = TRUE; + DBG1(DBG_KNL, "%H disappeared from %s", + host, iface->ifname); + } + addr_entry_destroy(addr); + } + else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual) + { + addr->refcount = 1; + } + } + } + addrs->destroy(addrs); + + if (!found && ifa->ifam_type == RTM_NEWADDR) + { + changed = TRUE; + addr = malloc_thing(addr_entry_t); + addr->ip = host->clone(host); + addr->virtual = FALSE; + addr->refcount = 1; + iface->addrs->insert_last(iface->addrs, addr); + DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname); + } + + if (changed && (iface->flags & IFF_UP)) + { + roam = TRUE; + } + break; + } + } + ifaces->destroy(ifaces); + this->mutex->unlock(this->mutex); + host->destroy(host); + + if (roam) + { + fire_roam_job(this, TRUE); + } +} + +/** + * Process an RTM_IFINFO message from the kernel + */ +static void process_link(private_kernel_pfroute_net_t *this, + struct rt_msghdr *hdr) +{ + struct if_msghdr *msg = (struct if_msghdr*)hdr; + enumerator_t *enumerator; + iface_entry_t *iface; + bool roam = FALSE; + + if (msg->ifm_flags & IFF_LOOPBACK) + { /* ignore loopback interfaces */ + return; + } + + this->mutex->lock(this->mutex); + enumerator = this->ifaces->create_enumerator(this->ifaces); + while (enumerator->enumerate(enumerator, &iface)) + { + if (iface->ifindex == msg->ifm_index) + { + if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP)) + { + roam = TRUE; + DBG1(DBG_KNL, "interface %s activated", iface->ifname); + } + else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP)) + { + roam = TRUE; + DBG1(DBG_KNL, "interface %s deactivated", iface->ifname); + } + iface->flags = msg->ifm_flags; + break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + if (roam) + { + fire_roam_job(this, TRUE); + } +} + +/** + * Process an RTM_*ROUTE message from the kernel + */ +static void process_route(private_kernel_pfroute_net_t *this, + struct rt_msghdr *msg) +{ + +} + +/** + * Receives events from kernel + */ +static job_requeue_t receive_events(private_kernel_pfroute_net_t *this) +{ + unsigned char buf[PFROUTE_BUFFER_SIZE]; + struct rt_msghdr *msg = (struct rt_msghdr*)buf; + int len, oldstate; + + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0); + pthread_setcancelstate(oldstate, NULL); + + if (len < 0) + { + switch (errno) + { + case EINTR: + /* interrupted, try again */ + return JOB_REQUEUE_DIRECT; + case EAGAIN: + /* no data ready, select again */ + return JOB_REQUEUE_DIRECT; + default: + DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket"); + sleep(1); + return JOB_REQUEUE_FAIR; + } + } + + if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen || + msg->rtm_version != RTM_VERSION) + { + DBG2(DBG_KNL, "received corrupted PF_ROUTE message"); + return JOB_REQUEUE_DIRECT; + } + + switch (msg->rtm_type) + { + case RTM_NEWADDR: + case RTM_DELADDR: + process_addr(this, msg); + break; + case RTM_IFINFO: + /*case RTM_IFANNOUNCE <- what about this*/ + process_link(this, msg); + break; + case RTM_ADD: + case RTM_DELETE: + process_route(this, msg); + default: + break; + } + + return JOB_REQUEUE_DIRECT; +} + + +/** enumerator over addresses */ +typedef struct { + private_kernel_pfroute_net_t* this; + /** whether to enumerate down interfaces */ + bool include_down_ifaces; + /** whether to enumerate virtual ip addresses */ + bool include_virtual_ips; +} address_enumerator_t; + +/** + * cleanup function for address enumerator + */ +static void address_enumerator_destroy(address_enumerator_t *data) +{ + data->this->mutex->unlock(data->this->mutex); + free(data); +} + +/** + * filter for addresses + */ +static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out) +{ + host_t *ip; + if (!data->include_virtual_ips && (*in)->virtual) + { /* skip virtual interfaces added by us */ + return FALSE; + } + ip = (*in)->ip; + if (ip->get_family(ip) == AF_INET6) + { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip); + if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) + { /* skip addresses with a unusable scope */ + return FALSE; + } + } + *out = ip; + return TRUE; +} + +/** + * enumerator constructor for interfaces + */ +static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data) +{ + return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs), + (void*)filter_addresses, data, NULL); +} + +/** + * filter for interfaces + */ +static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out) +{ + if (!data->include_down_ifaces && !((*in)->flags & IFF_UP)) + { /* skip interfaces not up */ + return FALSE; + } + *out = *in; + return TRUE; +} + +/** + * implementation of kernel_net_t.create_address_enumerator + */ +static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this, + bool include_down_ifaces, bool include_virtual_ips) +{ + address_enumerator_t *data = malloc_thing(address_enumerator_t); + data->this = this; + data->include_down_ifaces = include_down_ifaces; + data->include_virtual_ips = include_virtual_ips; + + this->mutex->lock(this->mutex); + return enumerator_create_nested( + enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces), + (void*)filter_interfaces, data, NULL), + (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy); +} + +/** + * implementation of kernel_net_t.get_interface_name + */ +static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip) +{ + enumerator_t *ifaces, *addrs; + iface_entry_t *iface; + addr_entry_t *addr; + char *name = NULL; + + DBG2(DBG_KNL, "getting interface name for %H", ip); + + this->mutex->lock(this->mutex); + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, &iface)) + { + addrs = iface->addrs->create_enumerator(iface->addrs); + while (addrs->enumerate(addrs, &addr)) + { + if (ip->ip_equals(ip, addr->ip)) + { + name = strdup(iface->ifname); + break; + } + } + addrs->destroy(addrs); + if (name) + { + break; + } + } + ifaces->destroy(ifaces); + this->mutex->unlock(this->mutex); + + if (name) + { + DBG2(DBG_KNL, "%H is on interface %s", ip, name); + } + else + { + DBG2(DBG_KNL, "%H is not a local address", ip); + } + return name; +} + +/** + * Implementation of kernel_net_t.get_source_addr. + */ +static host_t* get_source_addr(private_kernel_pfroute_net_t *this, + host_t *dest, host_t *src) +{ + return NULL; +} + +/** + * Implementation of kernel_net_t.get_nexthop. + */ +static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest) +{ + return NULL; +} + +/** + * Implementation of kernel_net_t.add_ip. + */ +static status_t add_ip(private_kernel_pfroute_net_t *this, + host_t *virtual_ip, host_t *iface_ip) +{ + return FAILED; +} + +/** + * Implementation of kernel_net_t.del_ip. + */ +static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip) +{ + return FAILED; +} + +/** + * Implementation of kernel_net_t.add_route. + */ +static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +{ + return FAILED; +} + +/** + * Implementation of kernel_net_t.del_route. + */ +static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +{ + return FAILED; +} + +/** + * Initialize a list of local addresses. + */ +static status_t init_address_list(private_kernel_pfroute_net_t *this) +{ + struct ifaddrs *ifap, *ifa; + iface_entry_t *iface, *current; + addr_entry_t *addr; + enumerator_t *ifaces, *addrs; + + DBG1(DBG_KNL, "listening on interfaces:"); + + if (getifaddrs(&ifap) < 0) + { + DBG1(DBG_KNL, " failed to get interfaces!"); + return FAILED; + } + + for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) + { + if (ifa->ifa_addr == NULL) + { + continue; + } + switch(ifa->ifa_addr->sa_family) + { + case AF_LINK: + case AF_INET: + case AF_INET6: + { + if (ifa->ifa_flags & IFF_LOOPBACK) + { /* ignore loopback interfaces */ + continue; + } + + iface = NULL; + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, ¤t)) + { + if (streq(current->ifname, ifa->ifa_name)) + { + iface = current; + break; + } + } + ifaces->destroy(ifaces); + + if (!iface) + { + iface = malloc_thing(iface_entry_t); + memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ); + iface->ifindex = if_nametoindex(ifa->ifa_name); + iface->flags = ifa->ifa_flags; + iface->addrs = linked_list_create(); + this->ifaces->insert_last(this->ifaces, iface); + } + + if (ifa->ifa_addr->sa_family != AF_LINK) + { + addr = malloc_thing(addr_entry_t); + addr->ip = host_create_from_sockaddr(ifa->ifa_addr); + addr->virtual = FALSE; + addr->refcount = 1; + iface->addrs->insert_last(iface->addrs, addr); + } + } + } + } + freeifaddrs(ifap); + + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, &iface)) + { + if (iface->flags & IFF_UP) + { + DBG1(DBG_KNL, " %s", iface->ifname); + addrs = iface->addrs->create_enumerator(iface->addrs); + while (addrs->enumerate(addrs, (void**)&addr)) + { + DBG1(DBG_KNL, " %H", addr->ip); + } + addrs->destroy(addrs); + } + } + ifaces->destroy(ifaces); + + return SUCCESS; +} + +/** + * Implementation of kernel_netlink_net_t.destroy. + */ +static void destroy(private_kernel_pfroute_net_t *this) +{ + this->job->cancel(this->job); + close(this->socket); + close(this->socket_events); + this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy); + this->mutex->destroy(this->mutex); + this->mutex_pfroute->destroy(this->mutex_pfroute); + free(this); +} + +/* + * Described in header. + */ +kernel_pfroute_net_t *kernel_pfroute_net_create() +{ + private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t); + + /* public functions */ + this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name; + this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator; + this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr; + this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop; + this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip; + this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip; + this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route; + this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route; + + this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy; + + /* private members */ + this->ifaces = linked_list_create(); + this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex_pfroute = mutex_create(MUTEX_DEFAULT); + + this->seq = 0; + + /* create a PF_ROUTE socket to communicate with the kernel */ + this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC); + if (this->socket <= 0) + { + charon->kill(charon, "unable to create PF_ROUTE socket"); + } + + /* create a PF_ROUTE socket to receive events */ + this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC); + if (this->socket_events <= 0) + { + charon->kill(charon, "unable to create PF_ROUTE event socket"); + } + + this->job = callback_job_create((callback_job_cb_t)receive_events, + this, NULL, NULL); + charon->processor->queue_job(charon->processor, (job_t*)this->job); + + if (init_address_list(this) != SUCCESS) + { + charon->kill(charon, "unable to get interface list"); + } + + return &this->public; +} diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h new file mode 100644 index 000000000..9138befc1 --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup kernel_pfroute_net_i kernel_pfroute_net + * @{ @ingroup kernel_pfroute + */ + +#ifndef KERNEL_PFROUTE_NET_H_ +#define KERNEL_PFROUTE_NET_H_ + +#include <kernel/kernel_net.h> + +typedef struct kernel_pfroute_net_t kernel_pfroute_net_t; + +/** + * Implementation of the kernel net interface using PF_ROUTE. + */ +struct kernel_pfroute_net_t { + + /** + * Implements kernel_net_t interface + */ + kernel_net_t interface; +}; + +/** + * Create a PF_ROUTE kernel net interface instance. + * + * @return kernel_pfroute_net_t instance + */ +kernel_pfroute_net_t *kernel_pfroute_net_create(); + +#endif /** KERNEL_PFROUTE_NET_H_ @}*/ diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c new file mode 100644 index 000000000..a6d95283b --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + + +#include "kernel_pfroute_plugin.h" + +#include "kernel_pfroute_net.h" + +#include <daemon.h> + +typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t; + +/** + * private data of kernel PF_ROUTE plugin + */ +struct private_kernel_pfroute_plugin_t { + /** + * implements plugin interface + */ + kernel_pfroute_plugin_t public; +}; + +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_kernel_pfroute_plugin_t *this) +{ + charon->kernel_interface->remove_net_interface(charon->kernel_interface, + (kernel_net_constructor_t)kernel_pfroute_net_create); + free(this); +} + +/* + * see header file + */ +plugin_t *plugin_create() +{ + private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + charon->kernel_interface->add_net_interface(charon->kernel_interface, + (kernel_net_constructor_t)kernel_pfroute_net_create); + + return &this->public.plugin; +} diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h new file mode 100644 index 000000000..f8ae1a96a --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup kernel_pfroute kernel_pfroute + * @ingroup cplugins + * + * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin + * @{ @ingroup kernel_pfroute + */ + +#ifndef KERNEL_PFROUTE_PLUGIN_H_ +#define KERNEL_PFROUTE_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t; + +/** + * PF_ROUTE kernel interface plugin + */ +struct kernel_pfroute_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +/** + * Create a kernel_pfroute_plugin instance. + */ +plugin_t *plugin_create(); + +#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/ diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c index 9abd65195..66ebd07c4 100644 --- a/src/charon/plugins/load_tester/load_tester_ipsec.c +++ b/src/charon/plugins/load_tester/load_tester_ipsec.c @@ -88,8 +88,9 @@ static status_t update_sa(private_load_tester_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_load_tester_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { return SUCCESS; } @@ -152,7 +153,7 @@ load_tester_ipsec_t *load_tester_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/medcli/medcli_creds.c b/src/charon/plugins/medcli/medcli_creds.c index 1e99f6990..2a4972046 100644 --- a/src/charon/plugins/medcli/medcli_creds.c +++ b/src/charon/plugins/medcli/medcli_creds.c @@ -96,7 +96,7 @@ static enumerator_t* create_private_enumerator(private_medcli_creds_t *this, if ((type != KEY_RSA && type != KEY_ANY) || id == NULL || id->get_type(id) != ID_KEY_ID) { - DBG1(DBG_CFG, "%N - %D", key_type_names, type, id); + DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id); return NULL; } diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c index c76222f28..1eab8f2c0 100644 --- a/src/charon/plugins/resolv_conf/resolv_conf_handler.c +++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c @@ -79,7 +79,7 @@ static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa, if (out) { addr = host_create_from_chunk(family, data, 0); - fprintf(out, "nameserver %H # by strongSwan, from %D\n", + fprintf(out, "nameserver %H # by strongSwan, from %Y\n", addr, ike_sa->get_other_id(ike_sa)); DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file); addr->destroy(addr); @@ -140,7 +140,7 @@ static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa, { addr = host_create_from_chunk(family, data, 0); snprintf(matcher, sizeof(matcher), - "nameserver %H # by strongSwan, from %D\n", + "nameserver %H # by strongSwan, from %Y\n", addr, ike_sa->get_other_id(ike_sa)); /* copy all, but matching line */ diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c index 33a2bb491..40eeefc74 100644 --- a/src/charon/plugins/smp/smp.c +++ b/src/charon/plugins/smp/smp.c @@ -109,7 +109,7 @@ static void write_id(xmlTextWriterPtr writer, char *element, identification_t *i break; } xmlTextWriterWriteAttribute(writer, "type", type); - xmlTextWriterWriteFormatString(writer, "%D", id); + xmlTextWriterWriteFormatString(writer, "%Y", id); break; } default: diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c index a1c67c691..28cd038c9 100644 --- a/src/charon/plugins/sql/pool.c +++ b/src/charon/plugins/sql/pool.c @@ -562,7 +562,7 @@ static void leases(char *filter, bool utc) printf(" "); } } - printf("%D\n", identity); + printf("%Y\n", identity); DESTROY_IF(address); identity->destroy(identity); } diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c index a3beb3a62..56237694e 100644 --- a/src/charon/plugins/stroke/stroke_attribute.c +++ b/src/charon/plugins/stroke/stroke_attribute.c @@ -223,7 +223,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, id = pool->ids->get(pool->ids, id); if (id) { - DBG1(DBG_CFG, "reassigning offline lease to %D", id); + DBG1(DBG_CFG, "reassigning offline lease to %Y", id); pool->online->put(pool->online, id, (void*)offset); break; } @@ -233,7 +233,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, offset = (uintptr_t)pool->online->get(pool->online, id); if (offset && offset == host2offset(pool, requested)) { - DBG1(DBG_CFG, "reassigning online lease to %D", id); + DBG1(DBG_CFG, "reassigning online lease to %Y", id); break; } @@ -245,7 +245,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, id = id->clone(id); pool->ids->put(pool->ids, id, id); pool->online->put(pool->online, id, (void*)offset); - DBG1(DBG_CFG, "assigning new lease to %D", id); + DBG1(DBG_CFG, "assigning new lease to %Y", id); break; } /* no more addresses, replace the first found offline lease */ @@ -257,7 +257,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, { /* destroy reference to old ID */ old_id = pool->ids->remove(pool->ids, old_id); - DBG1(DBG_CFG, "reassigning existing offline lease of %D to %D", + DBG1(DBG_CFG, "reassigning existing offline lease of %Y to %Y", old_id, id); if (old_id) { @@ -305,7 +305,7 @@ static bool release_address(private_stroke_attribute_t *this, id = pool->ids->get(pool->ids, id); if (id) { - DBG1(DBG_CFG, "lease %H of %D went offline", address, id); + DBG1(DBG_CFG, "lease %H of %Y went offline", address, id); pool->offline->put(pool->offline, id, (void*)offset); found = TRUE; } diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c index 54356436f..dffa8e235 100644 --- a/src/charon/plugins/stroke/stroke_ca.c +++ b/src/charon/plugins/stroke/stroke_ca.c @@ -398,14 +398,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) first = FALSE; } fprintf(out, "\n"); - fprintf(out, " authname: \"%D\"\n", cert->get_subject(cert)); + fprintf(out, " authname: \"%Y\"\n", cert->get_subject(cert)); /* list authkey and keyid */ if (public) { - fprintf(out, " authkey: %D\n", + fprintf(out, " authkey: %Y\n", public->get_id(public, ID_PUBKEY_SHA1)); - fprintf(out, " keyid: %D\n", + fprintf(out, " keyid: %Y\n", public->get_id(public, ID_PUBKEY_INFO_SHA1)); public->destroy(public); } diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c index 4a0b1ff42..21e2fd2f2 100644 --- a/src/charon/plugins/stroke/stroke_config.c +++ b/src/charon/plugins/stroke/stroke_config.c @@ -386,8 +386,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, if (identity->get_type(identity) == ID_ANY || !certificate->has_subject(certificate, identity)) { - DBG1(DBG_CFG, " peerid %D not confirmed by certificate, " - "defaulting to subject DN: %D", identity, + DBG1(DBG_CFG, " peerid %Y not confirmed by certificate, " + "defaulting to subject DN: %Y", identity, certificate->get_subject(certificate)); identity->destroy(identity); identity = certificate->get_subject(certificate); diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c index 08d50519c..634a89d1d 100644 --- a/src/charon/plugins/stroke/stroke_control.c +++ b/src/charon/plugins/stroke/stroke_control.c @@ -249,7 +249,7 @@ static void terminate_srcip(private_stroke_control_t *this, enumerator_t *enumerator; ike_sa_t *ike_sa; host_t *start = NULL, *end = NULL, *vip; - chunk_t chunk_start, chunk_end, chunk_vip; + chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip; if (msg->terminate_srcip.start) { diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c index 066591c9d..689e463b4 100644 --- a/src/charon/plugins/stroke/stroke_list.c +++ b/src/charon/plugins/stroke/stroke_list.c @@ -74,7 +74,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) fprintf(out, " %V ago", &now, &established); } - fprintf(out, ", %H[%D]...%H[%D]\n", + fprintf(out, ", %H[%Y]...%H[%Y]\n", ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa), ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa)); @@ -266,7 +266,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); while (enumerator->enumerate(enumerator, &auth)) { - fprintf(out, "%12s: %s [%D] uses ", name, local ? "local: " : "remote:", + fprintf(out, "%12s: %s [%Y] uses ", name, local ? "local: " : "remote:", auth->get(auth, AUTH_RULE_IDENTITY)); auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS); @@ -297,7 +297,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) id = auth->get(auth, AUTH_RULE_EAP_IDENTITY); if (id) { - fprintf(out, " with EAP identity '%D'", id); + fprintf(out, " with EAP identity '%Y'", id); } fprintf(out, "\n"); } @@ -305,19 +305,19 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) cert = auth->get(auth, AUTH_RULE_CA_CERT); if (cert) { - fprintf(out, "%12s: ca: \"%D\"\n", name, cert->get_subject(cert)); + fprintf(out, "%12s: ca: \"%Y\"\n", name, cert->get_subject(cert)); } cert = auth->get(auth, AUTH_RULE_IM_CERT); if (cert) { - fprintf(out, "%12s: im-ca: \"%D\"\n", name, cert->get_subject(cert)); + fprintf(out, "%12s: im-ca: \"%Y\"\n", name, cert->get_subject(cert)); } cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); if (cert) { - fprintf(out, "%12s: cert: \"%D\"\n", name, + fprintf(out, "%12s: cert: \"%Y\"\n", name, cert->get_subject(cert)); } @@ -340,7 +340,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) { if (rule == AUTH_RULE_AC_GROUP) { - fprintf(out, "%12s: group: %D\n", name, id); + fprintf(out, "%12s: group: %Y\n", name, id); } } rules->destroy(rules); @@ -593,8 +593,8 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out) key_type_names, public->get_type(public), public->get_keysize(public) * 8, private ? ", has private key" : ""); - fprintf(out, " keyid: %D\n", keyid); - fprintf(out, " subjkey: %D\n", id); + fprintf(out, " keyid: %Y\n", keyid); + fprintf(out, " subjkey: %Y\n", id); DESTROY_IF(private); public->destroy(public); } @@ -650,7 +650,7 @@ static void stroke_list_certs(linked_list_t *list, char *label, { fprintf(out, ", "); } - fprintf(out, "%D", altName); + fprintf(out, "%Y", altName); } if (!first_altName) { @@ -658,8 +658,8 @@ static void stroke_list_certs(linked_list_t *list, char *label, } enumerator->destroy(enumerator); - fprintf(out, " subject: \"%D\"\n", cert->get_subject(cert)); - fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert)); + fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); fprintf(out, " serial: %#B\n", &serial); /* list validity */ @@ -704,8 +704,8 @@ static void stroke_list_certs(linked_list_t *list, char *label, key_type_names, public->get_type(public), public->get_keysize(public) * 8, private ? ", has private key" : ""); - fprintf(out, " keyid: %D\n", keyid); - fprintf(out, " subjkey: %D\n", id); + fprintf(out, " keyid: %Y\n", keyid); + fprintf(out, " subjkey: %Y\n", id); DESTROY_IF(private); public->destroy(public); } @@ -713,7 +713,7 @@ static void stroke_list_certs(linked_list_t *list, char *label, /* list optional authorityKeyIdentifier */ if (authkey) { - fprintf(out, " authkey: %D\n", authkey); + fprintf(out, " authkey: %Y\n", authkey); } } } @@ -749,17 +749,17 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) if (entityName) { - fprintf(out, " holder: \"%D\"\n", entityName); + fprintf(out, " holder: \"%Y\"\n", entityName); } if (holderIssuer) { - fprintf(out, " hissuer: \"%D\"\n", holderIssuer); + fprintf(out, " hissuer: \"%Y\"\n", holderIssuer); } if (holderSerial.ptr) { fprintf(out, " hserial: %#B\n", &holderSerial); } - fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); fprintf(out, " serial: %#B\n", &serial); /* list validity */ @@ -783,7 +783,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) /* list optional authorityKeyIdentifier */ if (authkey) { - fprintf(out, " authkey: %D\n", authkey); + fprintf(out, " authkey: %Y\n", authkey); } } enumerator->destroy(enumerator); @@ -813,7 +813,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) } fprintf(out, "\n"); - fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); /* list optional crlNumber */ if (serial.ptr) @@ -856,7 +856,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) /* list optional authorityKeyIdentifier */ if (authkey) { - fprintf(out, " authkey: %D\n", authkey); + fprintf(out, " authkey: %Y\n", authkey); } } enumerator->destroy(enumerator); @@ -881,7 +881,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) first = FALSE; } - fprintf(out, " signer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert)); } enumerator->destroy(enumerator); } @@ -1024,7 +1024,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, { if (!address || address->ip_equals(address, lease)) { - fprintf(out, " %15H %s '%D'\n", + fprintf(out, " %15H %s '%Y'\n", lease, on ? "online" : "offline", id); found++; } diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c index d8cc69c20..e1c3e58ab 100644 --- a/src/charon/plugins/stroke/stroke_socket.c +++ b/src/charon/plugins/stroke/stroke_socket.c @@ -571,8 +571,11 @@ static job_requeue_t receive(private_stroke_socket_t *this) */ static bool open_socket(private_stroke_socket_t *this) { - struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET}; + struct sockaddr_un socket_addr; mode_t old; + + socket_addr.sun_family = AF_UNIX; + strcpy(socket_addr.sun_path, STROKE_SOCKET); /* set up unix socket */ this->socket = socket(AF_UNIX, SOCK_STREAM, 0); diff --git a/src/charon/plugins/updown/updown_listener.c b/src/charon/plugins/updown/updown_listener.c index 7dfb874cb..4feffd9c4 100644 --- a/src/charon/plugins/updown/updown_listener.c +++ b/src/charon/plugins/updown/updown_listener.c @@ -188,14 +188,14 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa, "PLUTO_INTERFACE='%s' " "PLUTO_REQID='%u' " "PLUTO_ME='%H' " - "PLUTO_MY_ID='%D' " + "PLUTO_MY_ID='%Y' " "PLUTO_MY_CLIENT='%s/%s' " "PLUTO_MY_CLIENT_NET='%s' " "PLUTO_MY_CLIENT_MASK='%s' " "PLUTO_MY_PORT='%u' " "PLUTO_MY_PROTOCOL='%u' " "PLUTO_PEER='%H' " - "PLUTO_PEER_ID='%D' " + "PLUTO_PEER_ID='%Y' " "PLUTO_PEER_CLIENT='%s/%s' " "PLUTO_PEER_CLIENT_NET='%s' " "PLUTO_PEER_CLIENT_MASK='%s' " |