diff options
120 files changed, 1409 insertions, 3053 deletions
diff --git a/src/_updown/Makefile.am b/src/_updown/Makefile.am index 9fd592797..5fc04ab88 100644 --- a/src/_updown/Makefile.am +++ b/src/_updown/Makefile.am @@ -8,5 +8,5 @@ _updown : _updown.in -e "s:@IPSEC_SBINDIR@:$(sbindir):" \ -e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \ -e "s:\@IPSEC_ROUTING_TABLE_PRIO\@:$(IPSEC_ROUTING_TABLE_PRIO):" \ - $< > $@ + $(srcdir)/$@.in > $@ chmod +x $@ diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index 7c5e139e4..1d27d13cd 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -106,13 +106,14 @@ AM_CFLAGS = -rdynamic \ -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_PLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" -charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm -ldl +charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB) EXTRA_DIST = config/proposal_keywords.txt -MAINTAINERCLEANFILES = config/proposal_keywords.c +BUILT_SOURCES = $(srcdir)/config/proposal_keywords.c +MAINTAINERCLEANFILES = $(srcdir)/config/proposal_keywords.c -config/proposal_keywords.c: config/proposal_keywords.txt config/proposal_keywords.h - (cd `dirname $<` && $(GPERF) -C -G -c -t < `basename $<` > `basename $@` ) +$(srcdir)/config/proposal_keywords.c: $(srcdir)/config/proposal_keywords.txt $(srcdir)/config/proposal_keywords.h + $(GPERF) -C -G -c -t -D < $(srcdir)/config/proposal_keywords.txt > $@ # compile options ################# @@ -162,6 +163,11 @@ if USE_KERNEL_PFKEY PLUGINS += kernel-pfkey endif +if USE_KERNEL_PFROUTE + SUBDIRS += plugins/kernel_pfroute + PLUGINS += kernel-pfroute +endif + if USE_KERNEL_KLIPS SUBDIRS += plugins/kernel_klips PLUGINS += kernel-klips diff --git a/src/charon/config/auth_cfg.c b/src/charon/config/auth_cfg.c index 87aca3813..c8566087c 100644 --- a/src/charon/config/auth_cfg.c +++ b/src/charon/config/auth_cfg.c @@ -340,7 +340,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, if (!success && log_error) { DBG1(DBG_CFG, "constraint check failed: peer not " - "authenticated by CA '%D'.", c1->get_subject(c1)); + "authenticated by CA '%Y'.", c1->get_subject(c1)); } break; } @@ -356,7 +356,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, if (log_error) { DBG1(DBG_CFG, "constraint check failed: peer not " - "authenticated with peer cert '%D'.", + "authenticated with peer cert '%Y'.", c1->get_subject(c1)); } } @@ -411,7 +411,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, success = FALSE; if (log_error) { - DBG1(DBG_CFG, "constraint check failed: %sidentity '%D'" + DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'" " required ", t1 == AUTH_RULE_IDENTITY ? "" : "EAP ", id1); } diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c index 28e50ef0a..43d9594fe 100644 --- a/src/charon/config/backend_manager.c +++ b/src/charon/config/backend_manager.c @@ -339,7 +339,7 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this, return enumerator; } - DBG1(DBG_CFG, "looking for peer configs matching %H[%D]...%H[%D]", + DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]", me, my_id, other, other_id); configs = linked_list_create(); diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c index 3cd4e35ed..695022448 100644 --- a/src/charon/credentials/credential_manager.c +++ b/src/charon/credentials/credential_manager.c @@ -530,7 +530,7 @@ static bool verify_ocsp(private_credential_manager_t *this, { if (this->cache->issued_by(this->cache, subject, issuer)) { - DBG1(DBG_CFG, " ocsp response correctly signed by \"%D\"", + DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", issuer->get_subject(issuer)); verified = TRUE; break; @@ -756,7 +756,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl) { if (this->cache->issued_by(this->cache, crl, issuer)) { - DBG1(DBG_CFG, " crl correctly signed by \"%D\"", + DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", issuer->get_subject(issuer)); verified = TRUE; break; @@ -966,7 +966,7 @@ static bool check_certificate(private_credential_manager_t *this, { if (ocsp || crl) { - DBG1(DBG_CFG, "checking certificate status of \"%D\"", + DBG1(DBG_CFG, "checking certificate status of \"%Y\"", subject->get_subject(subject)); } if (ocsp) @@ -1082,7 +1082,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, if (this->cache->issued_by(this->cache, issuer, issuer)) { auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); - DBG1(DBG_CFG, " using trusted ca certificate \"%D\"", + DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", issuer->get_subject(issuer)); trusted = TRUE; } @@ -1090,7 +1090,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, { auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer)); DBG1(DBG_CFG, " using trusted intermediate ca certificate " - "\"%D\"", issuer->get_subject(issuer)); + "\"%Y\"", issuer->get_subject(issuer)); } } else @@ -1100,18 +1100,18 @@ static bool verify_trust_chain(private_credential_manager_t *this, { if (current->equals(current, issuer)) { - DBG1(DBG_CFG, " self-signed certificate \"%D\" is not trusted", + DBG1(DBG_CFG, " self-signed certificate \"%Y\" is not trusted", current->get_subject(current)); issuer->destroy(issuer); break; } auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer)); DBG1(DBG_CFG, " using untrusted intermediate certificate " - "\"%D\"", issuer->get_subject(issuer)); + "\"%Y\"", issuer->get_subject(issuer)); } else { - DBG1(DBG_CFG, "no issuer certificate found for \"%D\"", + DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", current->get_subject(current)); break; } @@ -1197,7 +1197,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this, { this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, this->pretrusted->get_ref(this->pretrusted)); - DBG1(DBG_CFG, " using trusted certificate \"%D\"", + DBG1(DBG_CFG, " using trusted certificate \"%Y\"", this->pretrusted->get_subject(this->pretrusted)); *cert = this->pretrusted; if (auth) @@ -1217,7 +1217,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this, continue; } - DBG1(DBG_CFG, " using certificate \"%D\"", + DBG1(DBG_CFG, " using certificate \"%Y\"", current->get_subject(current)); if (verify_trust_chain(this->this, current, this->auth, FALSE, this->crl, this->ocsp)) diff --git a/src/charon/credentials/sets/auth_cfg_wrapper.c b/src/charon/credentials/sets/auth_cfg_wrapper.c index 2e93cc53a..55f265513 100644 --- a/src/charon/credentials/sets/auth_cfg_wrapper.c +++ b/src/charon/credentials/sets/auth_cfg_wrapper.c @@ -96,7 +96,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, return FALSE; } - DBG1(DBG_CFG, " fetched certificate \"%D\"", cert->get_subject(cert)); + DBG1(DBG_CFG, " fetched certificate \"%Y\"", cert->get_subject(cert)); charon->credentials->cache_cert(charon->credentials, cert); if (*rule == AUTH_HELPER_IM_HASH_URL) diff --git a/src/charon/daemon.c b/src/charon/daemon.c index 6dcb39a89..339846a85 100644 --- a/src/charon/daemon.c +++ b/src/charon/daemon.c @@ -17,7 +17,9 @@ */ #include <stdio.h> +#ifdef HAVE_PRCTL #include <sys/prctl.h> +#endif #include <signal.h> #include <pthread.h> #include <sys/stat.h> @@ -240,8 +242,10 @@ static void kill_daemon(private_daemon_t *this, char *reason) * drop daemon capabilities */ static void drop_capabilities(private_daemon_t *this) -{ +{ +#ifdef HAVE_PRCTL prctl(PR_SET_KEEPCAPS, 1); +#endif if (setgid(charon->gid) != 0) { diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c index fca149613..159831667 100644 --- a/src/charon/kernel/kernel_interface.c +++ b/src/charon/kernel/kernel_interface.c @@ -109,10 +109,10 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi, /** * Implementation of kernel_interface_t.del_sa */ -static status_t del_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) { - return this->ipsec->del_sa(this->ipsec, dst, spi, protocol, cpi); + return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi); } /** @@ -373,7 +373,7 @@ kernel_interface_t *kernel_interface_create() this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h index 85ba881cf..e1089a0de 100644 --- a/src/charon/kernel/kernel_interface.h +++ b/src/charon/kernel/kernel_interface.h @@ -145,14 +145,15 @@ struct kernel_interface_t { /** * Delete a previously installed SA from the SAD. * + * @param src source address for this SA * @param dst destination address for this SA * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param cpi CPI for IPComp or 0 * @return SUCCESS if operation completed */ - status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int16_t cpi); + status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi); /** * Add a policy to the SPD. diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h index 6360e5fd9..d0b15a4ad 100644 --- a/src/charon/kernel/kernel_ipsec.h +++ b/src/charon/kernel/kernel_ipsec.h @@ -35,17 +35,15 @@ typedef struct kernel_ipsec_t kernel_ipsec_t; #include <encoding/payloads/proposal_substructure.h> /** - * Mode of an CHILD_SA. - * - * These are equal to those defined in XFRM, so don't change. + * Mode of a CHILD_SA. */ enum ipsec_mode_t { /** transport mode, no inner address */ - MODE_TRANSPORT = 0, + MODE_TRANSPORT = 1, /** tunnel mode, inner and outer addresses */ - MODE_TUNNEL = 1, + MODE_TUNNEL, /** BEET mode, tunnel mode but fixed, bound inner addresses */ - MODE_BEET = 4, + MODE_BEET, }; /** @@ -177,14 +175,15 @@ struct kernel_ipsec_t { /** * Delete a previusly installed SA from the SAD. * + * @param src source address for this SA * @param dst destination address for this SA * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param cpi CPI for IPComp or 0 * @return SUCCESS if operation completed */ - status_t (*del_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int16_t cpi); + status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi); /** * Add a policy to the SPD. diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c index c43ba0207..d93a8d520 100644 --- a/src/charon/network/socket.c +++ b/src/charon/network/socket.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2008 Tobias Brunner + * Copyright (C) 2006-2009 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -30,12 +30,11 @@ #include <stdlib.h> #include <fcntl.h> #include <sys/ioctl.h> +#include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip6.h> #include <netinet/udp.h> -#include <linux/types.h> -#include <linux/filter.h> #include <net/if.h> #include "socket.h" @@ -54,10 +53,12 @@ #define UDP_ENCAP_ESPINUDP 2 #endif /*UDP_ENCAP_ESPINUDP*/ -/* needed for older kernel headers */ -#ifndef IPV6_2292PKTINFO -#define IPV6_2292PKTINFO 2 -#endif /*IPV6_2292PKTINFO*/ +/* these are not defined on some platforms */ +#ifndef SOL_IP +#define SOL_IP IPPROTO_IP +#define SOL_IPV6 IPPROTO_IPV6 +#define SOL_UDP IPPROTO_UDP +#endif typedef struct private_socket_t private_socket_t; @@ -201,7 +202,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet) } if (cmsgptr->cmsg_level == SOL_IPV6 && - cmsgptr->cmsg_type == IPV6_2292PKTINFO) + cmsgptr->cmsg_type == IPV6_PKTINFO) { struct in6_pktinfo *pktinfo; pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr); @@ -214,14 +215,26 @@ static status_t receiver(private_socket_t *this, packet_t **packet) dest = host_create_from_sockaddr((sockaddr_t*)&dst); } if (cmsgptr->cmsg_level == SOL_IP && - cmsgptr->cmsg_type == IP_PKTINFO) - { +#ifdef IP_RECVDSTADDR + cmsgptr->cmsg_type == IP_RECVDSTADDR +#else + cmsgptr->cmsg_type == IP_PKTINFO +#endif + ) + { + struct in_addr *addr; + struct sockaddr_in dst; + +#ifdef IP_RECVDSTADDR + addr = (struct in_addr*)CMSG_DATA(cmsgptr); +#else struct in_pktinfo *pktinfo; pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr); - struct sockaddr_in dst; - + addr = &pktinfo->ipi_addr; +#endif memset(&dst, 0, sizeof(dst)); - memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr)); + memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr)); + dst.sin_family = AF_INET; dst.sin_port = htons(port); dest = host_create_from_sockaddr((sockaddr_t*)&dst); @@ -340,24 +353,35 @@ status_t sender(private_socket_t *this, packet_t *packet) msg.msg_iovlen = 1; msg.msg_flags = 0; - if (!dst->is_anyaddr(dst)) + if (!src->is_anyaddr(src)) { if (family == AF_INET) { + struct in_addr *addr; + struct sockaddr_in *sin; +#ifdef IP_SENDSRCADDR + char buf[CMSG_SPACE(sizeof(struct in_addr))]; +#else char buf[CMSG_SPACE(sizeof(struct in_pktinfo))]; struct in_pktinfo *pktinfo; - struct sockaddr_in *sin; - +#endif msg.msg_control = buf; msg.msg_controllen = sizeof(buf); cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_level = SOL_IP; +#ifdef IP_SENDSRCADDR + cmsg->cmsg_type = IP_SENDSRCADDR; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); + addr = (struct in_addr*)CMSG_DATA(cmsg); +#else cmsg->cmsg_type = IP_PKTINFO; cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); memset(pktinfo, 0, sizeof(struct in_pktinfo)); + addr = &pktinfo->ipi_spec_dst; +#endif sin = (struct sockaddr_in*)src->get_sockaddr(src); - memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr)); + memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); } else { @@ -369,7 +393,7 @@ status_t sender(private_socket_t *this, packet_t *packet) msg.msg_controllen = sizeof(buf); cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_level = SOL_IPV6; - cmsg->cmsg_type = IPV6_2292PKTINFO; + cmsg->cmsg_type = IPV6_PKTINFO; cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); memset(pktinfo, 0, sizeof(struct in6_pktinfo)); @@ -389,13 +413,14 @@ status_t sender(private_socket_t *this, packet_t *packet) } /** - * open a socket to send packets + * open a socket to send and receive packets */ static int open_socket(private_socket_t *this, int family, u_int16_t port) { int on = TRUE; int type = UDP_ENCAP_ESPINUDP; struct sockaddr_storage addr; + socklen_t addrlen; u_int sol, pktinfo; int skt; @@ -409,8 +434,13 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port) sin->sin_family = AF_INET; sin->sin_addr.s_addr = INADDR_ANY; sin->sin_port = htons(port); + addrlen = sizeof(struct sockaddr_in); sol = SOL_IP; +#ifdef IP_RECVDSTADDR + pktinfo = IP_RECVDSTADDR; +#else pktinfo = IP_PKTINFO; +#endif break; } case AF_INET6: @@ -419,8 +449,9 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port) sin6->sin6_family = AF_INET6; memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any)); sin6->sin6_port = htons(port); + addrlen = sizeof(struct sockaddr_in6); sol = SOL_IPV6; - pktinfo = IPV6_2292PKTINFO; + pktinfo = IPV6_RECVPKTINFO; break; } default: @@ -440,8 +471,8 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port) return 0; } - /* bind the send socket */ - if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0) + /* bind the socket */ + if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0) { DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno)); close(skt); diff --git a/src/charon/plugins/eap_aka/eap_aka.c b/src/charon/plugins/eap_aka/eap_aka.c index da06d8059..da2adeb8a 100644 --- a/src/charon/plugins/eap_aka/eap_aka.c +++ b/src/charon/plugins/eap_aka/eap_aka.c @@ -880,7 +880,7 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn, /* Get the shared key K: */ if (load_key(this->server, this->peer, &this->k) != SUCCESS) { - DBG1(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate " + DBG1(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate " "with EAP-AKA", this->server, this->peer); return FAILED; } @@ -1202,7 +1202,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this, { *out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_AUTHENTICATION_REJECT, AT_END); - DBG3(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate " + DBG3(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate " "with EAP-AKA, sending %N", this->peer, this->server, aka_subtype_names, AKA_AUTHENTICATION_REJECT); return NEED_MORE; diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c index 0a93a90f6..9bcdbd686 100644 --- a/src/charon/plugins/eap_gtc/eap_gtc.c +++ b/src/charon/plugins/eap_gtc/eap_gtc.c @@ -174,7 +174,7 @@ static status_t process_peer(private_eap_gtc_t *this, this->peer, this->server); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'", this->peer, this->server); return FAILED; } diff --git a/src/charon/plugins/eap_md5/eap_md5.c b/src/charon/plugins/eap_md5/eap_md5.c index 533948000..47494388b 100644 --- a/src/charon/plugins/eap_md5/eap_md5.c +++ b/src/charon/plugins/eap_md5/eap_md5.c @@ -90,7 +90,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response) this->server, this->peer); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", this->server, this->peer); return NOT_FOUND; } diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c index 9bbff817a..ef142c1cd 100644 --- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c @@ -667,7 +667,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this, SHARED_EAP, this->peer, this->server); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", this->server, this->peer); return NOT_FOUND; } @@ -1019,14 +1019,14 @@ static status_t process_server_response(private_eap_mschapv2_t *this, name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255); snprintf(buf, sizeof(buf), "%.*s", name_len, res->name); userid = identification_create_from_string(buf); - DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%D'", userid); + DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid); username = extract_username(userid); shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP, this->server, userid); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", this->server, userid); /* FIXME: windows 7 always sends the username that is first entered in * the username box, even, if the user changes it during retries (probably diff --git a/src/charon/plugins/eap_sim/eap_sim.c b/src/charon/plugins/eap_sim/eap_sim.c index c2902b54b..fc33d6c93 100644 --- a/src/charon/plugins/eap_sim/eap_sim.c +++ b/src/charon/plugins/eap_sim/eap_sim.c @@ -571,7 +571,7 @@ static bool get_card_triplet(private_eap_sim_t *this, enumerator->destroy(enumerator); if (!card) { - DBG1(DBG_IKE, "no SIM card found matching '%D'", this->peer); + DBG1(DBG_IKE, "no SIM card found matching '%Y'", this->peer); } return success; } @@ -775,7 +775,7 @@ static bool get_provider_triplet(private_eap_sim_t *this, tried++; } enumerator->destroy(enumerator); - DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%D'", + DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'", tried, this->peer); return FALSE; } diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c index e130c0526..627857f3d 100644 --- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c +++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c @@ -220,7 +220,7 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path) continue; } - DBG2(DBG_CFG, "triplet: imsi %D\nrand %b\nsres %b\nkc %b", + DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b", triplet->imsi, triplet->rand, RAND_LEN, triplet->sres, SRES_LEN, triplet->kc, KC_LEN); diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c index 3d84805c8..1751ee807 100644 --- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1938,8 +1938,9 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -2610,7 +2611,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c index e3b683474..977740663 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -375,6 +375,24 @@ static protocol_id_t proto_kernel2ike(u_int8_t proto) } /** + * convert the general ipsec mode to the one defined in xfrm.h + */ +static u_int8_t mode2kernel(ipsec_mode_t mode) +{ + switch (mode) + { + case MODE_TRANSPORT: + return XFRM_MODE_TRANSPORT; + case MODE_TUNNEL: + return XFRM_MODE_TUNNEL; + case MODE_BEET: + return XFRM_MODE_BEET; + default: + return mode; + } +} + +/** * convert a host_t to a struct xfrm_address */ static void host2xfrm(host_t *host, xfrm_address_t *xfrm) @@ -803,7 +821,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, host2xfrm(src, &userspi->info.saddr); host2xfrm(dst, &userspi->info.id.daddr); userspi->info.id.proto = proto; - userspi->info.mode = TRUE; /* tunnel mode */ + userspi->info.mode = XFRM_MODE_TUNNEL; userspi->info.reqid = reqid; userspi->info.family = src->get_family(src); userspi->min = min; @@ -941,7 +959,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, sa->id.spi = spi; sa->id.proto = proto_ike2kernel(protocol); sa->family = src->get_family(src); - sa->mode = mode; + sa->mode = mode2kernel(mode); if (mode == MODE_TUNNEL) { sa->flags |= XFRM_STATE_AF_UNSPEC; @@ -1216,8 +1234,9 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { netlink_buf_t request; struct nlmsghdr *hdr; @@ -1226,7 +1245,7 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst, /* if IPComp was used, we first delete the additional IPComp SA */ if (cpi) { - del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0); + del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0); } memset(&request, 0, sizeof(request)); @@ -1339,7 +1358,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this, } /* delete the old SA (without affecting the IPComp SA) */ - if (del_sa(this, dst, spi, protocol, 0) != SUCCESS) + if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS) { DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi)); free(out); @@ -1526,7 +1545,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, tmpl->reqid = reqid; tmpl->id.proto = IPPROTO_COMP; tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode; + tmpl->mode = mode2kernel(mode); tmpl->optional = direction != POLICY_OUT; tmpl->family = src->get_family(src); @@ -1547,7 +1566,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, tmpl->reqid = reqid; tmpl->id.proto = proto_ike2kernel(protocol); tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode; + tmpl->mode = mode2kernel(mode); tmpl->family = src->get_family(src); host2xfrm(src, &tmpl->saddr); @@ -1871,7 +1890,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c index f18a5359c..9090e3215 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c @@ -1175,7 +1175,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty /** * Implementation of kernel_net_t.add_route. */ -status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, +static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL, @@ -1185,7 +1185,7 @@ status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, /** * Implementation of kernel_net_t.del_route. */ -status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net, +static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen, diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 6ef5b52a2..95932eb9c 100644 --- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2009 Tobias Brunner * Copyright (C) 2008 Andreas Steffen * Hochschule fuer Technik Rapperswil * @@ -18,10 +18,32 @@ #include <sys/types.h> #include <sys/socket.h> + +#ifdef HAVE_NET_PFKEYV2_H +#include <net/pfkeyv2.h> +#else #include <stdint.h> -#include <linux/ipsec.h> #include <linux/pfkeyv2.h> +#endif + +#ifdef SADB_X_EXT_NAT_T_TYPE +#define HAVE_NATT +#endif + +#ifdef HAVE_NETIPSEC_IPSEC_H +#include <netipsec/ipsec.h> +#else +#include <linux/ipsec.h> +#endif + +#ifdef HAVE_NATT +#ifdef HAVE_NETINET_UDP_H +#include <netinet/udp.h> +#else #include <linux/udp.h> +#endif /*HAVE_NETINET_UDP_H*/ +#endif /*HAVE_NATT*/ + #include <unistd.h> #include <pthread.h> #include <errno.h> @@ -38,6 +60,30 @@ #include <processing/jobs/delete_child_sa_job.h> #include <processing/jobs/update_sa_job.h> +/** non linux specific */ +#ifndef IPPROTO_COMP +#define IPPROTO_COMP IPPROTO_IPCOMP +#endif + +#ifndef SADB_X_AALG_SHA2_256HMAC +#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256 +#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384 +#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512 +#endif + +#ifndef SADB_X_EALG_AESCBC +#define SADB_X_EALG_AESCBC SADB_X_EALG_AES +#endif + +#ifndef SADB_X_EALG_CASTCBC +#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC +#endif + +#ifndef SOL_IP +#define SOL_IP IPPROTO_IP +#define SOL_IPV6 IPPROTO_IPV6 +#endif + /** from linux/in.h */ #ifndef IP_IPSEC_POLICY #define IP_IPSEC_POLICY 16 @@ -46,7 +92,7 @@ /* missing on uclibc */ #ifndef IPV6_IPSEC_POLICY #define IPV6_IPSEC_POLICY 34 -#endif /*IPV6_IPSEC_POLICY*/ +#endif /** default priority of installed policies */ #define PRIO_LOW 3000 @@ -160,8 +206,8 @@ struct route_entry_t { static void route_entry_destroy(route_entry_t *this) { free(this->if_name); - this->src_ip->destroy(this->src_ip); - this->gateway->destroy(this->gateway); + DESTROY_IF(this->src_ip); + DESTROY_IF(this->gateway); chunk_free(&this->dst_net); free(this); } @@ -217,7 +263,7 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts, /* src or dest proto may be "any" (0), use more restrictive one */ policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts)); - policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; + policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; policy->dst.proto = policy->src.proto; return policy; @@ -268,7 +314,6 @@ struct pfkey_msg_t */ struct sadb_msg *msg; - /** * PF_KEY message extensions */ @@ -305,7 +350,7 @@ struct pfkey_msg_t }; }; -ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS, +ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX, "SADB_EXT_RESERVED", "SADB_EXT_SA", "SADB_EXT_LIFETIME_CURRENT", @@ -333,6 +378,7 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS, "SADB_X_EXT_SEC_CTX", "SADB_X_EXT_KMADDRESS" ); + /** * convert a IKEv2 specific protocol identifier to the PF_KEY sa type */ @@ -396,8 +442,10 @@ static u_int8_t mode2kernel(ipsec_mode_t mode) return IPSEC_MODE_TRANSPORT; case MODE_TUNNEL: return IPSEC_MODE_TUNNEL; +#ifdef IPSEC_MODE_BEET case MODE_BEET: return IPSEC_MODE_BEET; +#endif default: return mode; } @@ -414,13 +462,16 @@ static u_int8_t dir2kernel(policy_dir_t dir) return IPSEC_DIR_INBOUND; case POLICY_OUT: return IPSEC_DIR_OUTBOUND; +#ifdef IPSEC_DIR_FWD case POLICY_FWD: return IPSEC_DIR_FWD; +#endif default: return dir; } } +#ifdef SADB_X_MIGRATE /** * convert the policy direction in ipsec.h to the general one. */ @@ -432,12 +483,16 @@ static policy_dir_t kernel2dir(u_int8_t dir) return POLICY_IN; case IPSEC_DIR_OUTBOUND: return POLICY_OUT; +#ifdef IPSEC_DIR_FWD case IPSEC_DIR_FWD: return POLICY_FWD; +#endif default: return dir; } } +#endif /*SADB_X_MIGRATE*/ + typedef struct kernel_algorithm_t kernel_algorithm_t; /** @@ -461,32 +516,32 @@ struct kernel_algorithm_t { * Algorithms for encryption */ static kernel_algorithm_t encryption_algs[] = { -/* {ENCR_DES_IV64, 0 }, */ - {ENCR_DES, SADB_EALG_DESCBC }, - {ENCR_3DES, SADB_EALG_3DESCBC }, -/* {ENCR_RC5, 0 }, */ -/* {ENCR_IDEA, 0 }, */ - {ENCR_CAST, SADB_X_EALG_CASTCBC }, - {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC }, -/* {ENCR_3IDEA, 0 }, */ -/* {ENCR_DES_IV32, 0 }, */ - {ENCR_NULL, SADB_EALG_NULL }, - {ENCR_AES_CBC, SADB_X_EALG_AESCBC }, -/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */ +/* {ENCR_DES_IV64, 0 }, */ + {ENCR_DES, SADB_EALG_DESCBC }, + {ENCR_3DES, SADB_EALG_3DESCBC }, +/* {ENCR_RC5, 0 }, */ +/* {ENCR_IDEA, 0 }, */ + {ENCR_CAST, SADB_X_EALG_CASTCBC }, + {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC }, +/* {ENCR_3IDEA, 0 }, */ +/* {ENCR_DES_IV32, 0 }, */ + {ENCR_NULL, SADB_EALG_NULL }, + {ENCR_AES_CBC, SADB_X_EALG_AESCBC }, +/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */ /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */ /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */ /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */ /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */ /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */ /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */ - {END_OF_LIST, 0 }, + {END_OF_LIST, 0 }, }; /** * Algorithms for integrity protection */ static kernel_algorithm_t integrity_algs[] = { - {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC }, + {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC }, {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC }, {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC }, {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC }, @@ -494,7 +549,7 @@ static kernel_algorithm_t integrity_algs[] = { /* {AUTH_DES_MAC, 0, }, */ /* {AUTH_KPDK_MD5, 0, }, */ {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, }, - {END_OF_LIST, 0, }, + {END_OF_LIST, 0, }, }; #if 0 @@ -502,11 +557,11 @@ static kernel_algorithm_t integrity_algs[] = { * Algorithms for IPComp, unused yet */ static kernel_algorithm_t compression_algs[] = { -/* {IPCOMP_OUI, 0 }, */ +/* {IPCOMP_OUI, 0 }, */ {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE }, {IPCOMP_LZS, SADB_X_CALG_LZS }, {IPCOMP_LZJH, SADB_X_CALG_LZJH }, - {END_OF_LIST, 0 }, + {END_OF_LIST, 0 }, }; #endif @@ -533,8 +588,11 @@ static void host2ext(host_t *host, struct sadb_address *ext) { sockaddr_t *host_addr = host->get_sockaddr(host); socklen_t *len = host->get_sockaddr_len(host); - memcpy((char*)(ext + 1), host_addr, *len); - ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len); +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN + host_addr->sa_len = *len; +#endif + memcpy((char*)(ext + 1), host_addr, *len); + ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len); } /** @@ -562,10 +620,14 @@ static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type) addr->sadb_address_exttype = type; sockaddr_t *saddr = (sockaddr_t*)(addr + 1); saddr->sa_family = family; - addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len); +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN + saddr->sa_len = len; +#endif + addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len); PFKEY_EXT_ADD(msg, addr); } +#ifdef HAVE_NATT /** * add udp encap extensions to a sadb_msg */ @@ -592,6 +654,7 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst) nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst)); PFKEY_EXT_ADD(msg, nat_port); } +#endif /*HAVE_NATT*/ /** * Convert a sadb_address to a traffic_selector @@ -606,7 +669,7 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address) */ host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ; ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen, - address->sadb_address_proto, host->get_port(host)); + address->sadb_address_proto, host->get_port(host)); return ts; } @@ -645,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out) if (out->ext[ext->sadb_ext_type]) { - DBG1(DBG_KNL, "duplicate %N extension", + DBG1(DBG_KNL, "duplicate %N extension", sadb_ext_type_names, ext->sadb_ext_type); break; } @@ -699,7 +762,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket } while (TRUE) - { + { msg = (struct sadb_msg*)buf; len = recv(socket, buf, sizeof(buf), 0); @@ -757,7 +820,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket *out_len = len; *out = (struct sadb_msg*)malloc(len); memcpy(*out, buf, len); - + this->mutex_pfkey->unlock(this->mutex_pfkey); return SUCCESS; @@ -868,8 +931,9 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* charon->processor->queue_job(charon->processor, job); } +#ifdef SADB_X_MIGRATE /** - * Process a SADB_MIGRATE message from the kernel + * Process a SADB_X_MIGRATE message from the kernel */ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) { @@ -893,7 +957,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts, policy_dir_names, dir); - /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */ + /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */ if (response.x_kmaddress) { sockaddr_t *local_addr, *remote_addr; @@ -924,7 +988,9 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* DESTROY_IF(remote); } } +#endif /*SADB_X_MIGRATE*/ +#ifdef HAVE_NATT /** * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel */ @@ -980,6 +1046,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* } } } +#endif /*HAVE_NATT*/ /** * Receives events from kernel @@ -991,7 +1058,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) int len, oldstate; pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - len = recv(this->socket_events, buf, sizeof(buf), 0); + len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0); pthread_setcancelstate(oldstate, NULL); if (len < 0) @@ -1035,12 +1102,16 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) case SADB_EXPIRE: process_expire(this, msg); break; +#ifdef SADB_X_MIGRATE case SADB_X_MIGRATE: process_migrate(this, msg); break; +#endif /*SADB_X_MIGRATE*/ +#ifdef HAVE_NATT case SADB_X_NAT_T_NEW_MAPPING: process_mapping(this, msg); break; +#endif /*HAVE_NATT*/ default: break; } @@ -1051,8 +1122,8 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) /** * Implementation of kernel_interface_t.get_spi. */ -static status_t get_spi(private_kernel_pfkey_ipsec_t *this, - host_t *src, host_t *dst, +static status_t get_spi(private_kernel_pfkey_ipsec_t *this, + host_t *src, host_t *dst, protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) { @@ -1099,7 +1170,7 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this, { received_spi = response.sa->sadb_sa_spi; } - free(out); + free(out); } if (received_spi == 0) @@ -1114,8 +1185,8 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this, /** * Implementation of kernel_interface_t.get_cpi. */ -static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, - host_t *src, host_t *dst, +static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, + host_t *src, host_t *dst, u_int32_t reqid, u_int16_t *cpi) { return FAILED; @@ -1226,11 +1297,13 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this, { /*TODO*/ } - + +#ifdef HAVE_NATT if (encap) { add_encap_ext(msg, src, dst); } +#endif /*HAVE_NATT*/ if (pfkey_send(this, msg, &out, &len) != SUCCESS) { @@ -1346,11 +1419,13 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, { PFKEY_EXT_COPY(msg, response.key_auth); } - + +#ifdef HAVE_NATT if (new_encap) { add_encap_ext(msg, new_src, new_dst); } +#endif /*HAVE_NATT*/ free(out); @@ -1374,8 +1449,9 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1398,9 +1474,8 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst, sa->sadb_sa_spi = spi; PFKEY_EXT_ADD(msg, sa); - /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though - * it is not used for anything. */ - add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC); + /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */ + add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); if (pfkey_send(this, msg, &out, &len) != SUCCESS) @@ -1424,7 +1499,7 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst, /** * Implementation of kernel_interface_t.add_policy. */ -static status_t add_policy(private_kernel_pfkey_ipsec_t *this, +static status_t add_policy(private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, @@ -1463,7 +1538,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, this->policies->insert_last(this->policies, policy); policy->refcount = 1; } - + memset(&request, 0, sizeof(request)); DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts, @@ -1480,12 +1555,14 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy)); pol->sadb_x_policy_id = 0; pol->sadb_x_policy_dir = dir2kernel(direction); + pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; +#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY /* calculate priority based on source selector size, small size = high prio */ pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH; pol->sadb_x_policy_priority -= policy->src.mask * 10; pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0; pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0; - pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; +#endif /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */ req = (struct sadb_x_ipsecrequest*)(pol + 1); @@ -1599,9 +1676,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, { free(route); } - } + } - this->mutex->unlock(this->mutex); + this->mutex->unlock(this->mutex); return SUCCESS; } @@ -1610,7 +1687,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, * Implementation of kernel_interface_t.query_policy. */ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, - traffic_selector_t *src_ts, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time) { @@ -1689,7 +1766,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, *use_time = response.lft_current->sadb_lifetime_usetime; free(out); - + return SUCCESS; } @@ -1697,7 +1774,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, * Implementation of kernel_interface_t.del_policy. */ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, - traffic_selector_t *src_ts, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted) { @@ -1722,7 +1799,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, if (--found->refcount > 0) { /* is used by more SAs, keep in kernel */ - DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); + DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); policy_entry_destroy(policy); this->mutex->unlock(this->mutex); return SUCCESS; @@ -1741,7 +1818,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, return NOT_FOUND; } this->mutex->unlock(this->mutex); - + memset(&request, 0, sizeof(request)); msg = (struct sadb_msg*)request; @@ -1791,7 +1868,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, DBG1(DBG_KNL, "error uninstalling route installed with " "policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); - } + } route_entry_destroy(route); } @@ -1863,22 +1940,26 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this) switch (family) { case AF_INET: + { sol = SOL_IP; ipsec_policy = IP_IPSEC_POLICY; break; + } case AF_INET6: { sol = SOL_IPV6; ipsec_policy = IPV6_IPSEC_POLICY; break; } + default: + continue; } memset(&policy, 0, sizeof(policy)); policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t); policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS; - + policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { @@ -1890,7 +1971,7 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this) policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", + DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", strerror(errno)); status = FALSE; break; @@ -1912,7 +1993,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am new file mode 100644 index 000000000..3ad445c09 --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/Makefile.am @@ -0,0 +1,10 @@ + +INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon + +AM_CFLAGS = -rdynamic + +plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la + +libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ + kernel_pfroute_net.h kernel_pfroute_net.c +libstrongswan_kernel_pfroute_la_LDFLAGS = -module diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c new file mode 100644 index 000000000..7805b6354 --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -0,0 +1,715 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include <sys/types.h> +#include <sys/socket.h> +#include <net/if.h> +#include <ifaddrs.h> +#include <net/route.h> +#include <unistd.h> +#include <pthread.h> +#include <errno.h> + +#include "kernel_pfroute_net.h" + +#include <daemon.h> +#include <utils/host.h> +#include <utils/mutex.h> +#include <utils/linked_list.h> +#include <processing/jobs/callback_job.h> +#include <processing/jobs/roam_job.h> + +#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN +#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member. +#endif + +/** delay before firing roam jobs (ms) */ +#define ROAM_DELAY 100 + +/** buffer size for PF_ROUTE messages */ +#define PFROUTE_BUFFER_SIZE 4096 + +typedef struct addr_entry_t addr_entry_t; + +/** + * IP address in an inface_entry_t + */ +struct addr_entry_t { + + /** The ip address */ + host_t *ip; + + /** virtual IP managed by us */ + bool virtual; + + /** Number of times this IP is used, if virtual */ + u_int refcount; +}; + +/** + * destroy a addr_entry_t object + */ +static void addr_entry_destroy(addr_entry_t *this) +{ + this->ip->destroy(this->ip); + free(this); +} + +typedef struct iface_entry_t iface_entry_t; + +/** + * A network interface on this system, containing addr_entry_t's + */ +struct iface_entry_t { + + /** interface index */ + int ifindex; + + /** name of the interface */ + char ifname[IFNAMSIZ]; + + /** interface flags, as in netdevice(7) SIOCGIFFLAGS */ + u_int flags; + + /** list of addresses as host_t */ + linked_list_t *addrs; +}; + +/** + * destroy an interface entry + */ +static void iface_entry_destroy(iface_entry_t *this) +{ + this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy); + free(this); +} + + +typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t; + +/** + * Private variables and functions of kernel_pfroute class. + */ +struct private_kernel_pfroute_net_t +{ + /** + * Public part of the kernel_pfroute_t object. + */ + kernel_pfroute_net_t public; + + /** + * mutex to lock access to various lists + */ + mutex_t *mutex; + + /** + * Cached list of interfaces and their addresses (iface_entry_t) + */ + linked_list_t *ifaces; + + /** + * job receiving PF_ROUTE events + */ + callback_job_t *job; + + /** + * mutex to lock access to the PF_ROUTE socket + */ + mutex_t *mutex_pfroute; + + /** + * PF_ROUTE socket to communicate with the kernel + */ + int socket; + + /** + * PF_ROUTE socket to receive events + */ + int socket_events; + + /** + * sequence number for messages sent to the kernel + */ + int seq; + + /** + * time of last roam job + */ + struct timeval last_roam; +}; + +/** + * Start a roaming job. We delay it a bit and fire only one job + * for multiple events. Otherwise we would create too many jobs. + */ +static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address) +{ + struct timeval now; + + if (gettimeofday(&now, NULL) == 0) + { + if (timercmp(&now, &this->last_roam, >)) + { + now.tv_usec += ROAM_DELAY * 1000; + while (now.tv_usec > 1000000) + { + now.tv_sec++; + now.tv_usec -= 1000000; + } + this->last_roam = now; + charon->scheduler->schedule_job_ms(charon->scheduler, + (job_t*)roam_job_create(address), ROAM_DELAY); + } + } +} + +/** + * Process an RTM_*ADDR message from the kernel + */ +static void process_addr(private_kernel_pfroute_net_t *this, + struct rt_msghdr *msg) +{ + struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg; + sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1); + host_t *host = NULL; + enumerator_t *ifaces, *addrs; + iface_entry_t *iface; + addr_entry_t *addr; + bool found = FALSE, changed = FALSE, roam = FALSE; + int i; + + for (i = 1; i < (1 << RTAX_MAX); i <<= 1) + { + if (ifa->ifam_addrs & i) + { + if (RTA_IFA & i) + { + host = host_create_from_sockaddr(sockaddr); + break; + } + sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len); + } + } + + if (!host) + { + return; + } + + this->mutex->lock(this->mutex); + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, &iface)) + { + if (iface->ifindex == ifa->ifam_index) + { + addrs = iface->addrs->create_enumerator(iface->addrs); + while (addrs->enumerate(addrs, &addr)) + { + if (host->ip_equals(host, addr->ip)) + { + found = TRUE; + if (ifa->ifam_type == RTM_DELADDR) + { + iface->addrs->remove_at(iface->addrs, addrs); + if (!addr->virtual) + { + changed = TRUE; + DBG1(DBG_KNL, "%H disappeared from %s", + host, iface->ifname); + } + addr_entry_destroy(addr); + } + else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual) + { + addr->refcount = 1; + } + } + } + addrs->destroy(addrs); + + if (!found && ifa->ifam_type == RTM_NEWADDR) + { + changed = TRUE; + addr = malloc_thing(addr_entry_t); + addr->ip = host->clone(host); + addr->virtual = FALSE; + addr->refcount = 1; + iface->addrs->insert_last(iface->addrs, addr); + DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname); + } + + if (changed && (iface->flags & IFF_UP)) + { + roam = TRUE; + } + break; + } + } + ifaces->destroy(ifaces); + this->mutex->unlock(this->mutex); + host->destroy(host); + + if (roam) + { + fire_roam_job(this, TRUE); + } +} + +/** + * Process an RTM_IFINFO message from the kernel + */ +static void process_link(private_kernel_pfroute_net_t *this, + struct rt_msghdr *hdr) +{ + struct if_msghdr *msg = (struct if_msghdr*)hdr; + enumerator_t *enumerator; + iface_entry_t *iface; + bool roam = FALSE; + + if (msg->ifm_flags & IFF_LOOPBACK) + { /* ignore loopback interfaces */ + return; + } + + this->mutex->lock(this->mutex); + enumerator = this->ifaces->create_enumerator(this->ifaces); + while (enumerator->enumerate(enumerator, &iface)) + { + if (iface->ifindex == msg->ifm_index) + { + if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP)) + { + roam = TRUE; + DBG1(DBG_KNL, "interface %s activated", iface->ifname); + } + else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP)) + { + roam = TRUE; + DBG1(DBG_KNL, "interface %s deactivated", iface->ifname); + } + iface->flags = msg->ifm_flags; + break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + if (roam) + { + fire_roam_job(this, TRUE); + } +} + +/** + * Process an RTM_*ROUTE message from the kernel + */ +static void process_route(private_kernel_pfroute_net_t *this, + struct rt_msghdr *msg) +{ + +} + +/** + * Receives events from kernel + */ +static job_requeue_t receive_events(private_kernel_pfroute_net_t *this) +{ + unsigned char buf[PFROUTE_BUFFER_SIZE]; + struct rt_msghdr *msg = (struct rt_msghdr*)buf; + int len, oldstate; + + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0); + pthread_setcancelstate(oldstate, NULL); + + if (len < 0) + { + switch (errno) + { + case EINTR: + /* interrupted, try again */ + return JOB_REQUEUE_DIRECT; + case EAGAIN: + /* no data ready, select again */ + return JOB_REQUEUE_DIRECT; + default: + DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket"); + sleep(1); + return JOB_REQUEUE_FAIR; + } + } + + if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen || + msg->rtm_version != RTM_VERSION) + { + DBG2(DBG_KNL, "received corrupted PF_ROUTE message"); + return JOB_REQUEUE_DIRECT; + } + + switch (msg->rtm_type) + { + case RTM_NEWADDR: + case RTM_DELADDR: + process_addr(this, msg); + break; + case RTM_IFINFO: + /*case RTM_IFANNOUNCE <- what about this*/ + process_link(this, msg); + break; + case RTM_ADD: + case RTM_DELETE: + process_route(this, msg); + default: + break; + } + + return JOB_REQUEUE_DIRECT; +} + + +/** enumerator over addresses */ +typedef struct { + private_kernel_pfroute_net_t* this; + /** whether to enumerate down interfaces */ + bool include_down_ifaces; + /** whether to enumerate virtual ip addresses */ + bool include_virtual_ips; +} address_enumerator_t; + +/** + * cleanup function for address enumerator + */ +static void address_enumerator_destroy(address_enumerator_t *data) +{ + data->this->mutex->unlock(data->this->mutex); + free(data); +} + +/** + * filter for addresses + */ +static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out) +{ + host_t *ip; + if (!data->include_virtual_ips && (*in)->virtual) + { /* skip virtual interfaces added by us */ + return FALSE; + } + ip = (*in)->ip; + if (ip->get_family(ip) == AF_INET6) + { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip); + if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) + { /* skip addresses with a unusable scope */ + return FALSE; + } + } + *out = ip; + return TRUE; +} + +/** + * enumerator constructor for interfaces + */ +static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data) +{ + return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs), + (void*)filter_addresses, data, NULL); +} + +/** + * filter for interfaces + */ +static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out) +{ + if (!data->include_down_ifaces && !((*in)->flags & IFF_UP)) + { /* skip interfaces not up */ + return FALSE; + } + *out = *in; + return TRUE; +} + +/** + * implementation of kernel_net_t.create_address_enumerator + */ +static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this, + bool include_down_ifaces, bool include_virtual_ips) +{ + address_enumerator_t *data = malloc_thing(address_enumerator_t); + data->this = this; + data->include_down_ifaces = include_down_ifaces; + data->include_virtual_ips = include_virtual_ips; + + this->mutex->lock(this->mutex); + return enumerator_create_nested( + enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces), + (void*)filter_interfaces, data, NULL), + (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy); +} + +/** + * implementation of kernel_net_t.get_interface_name + */ +static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip) +{ + enumerator_t *ifaces, *addrs; + iface_entry_t *iface; + addr_entry_t *addr; + char *name = NULL; + + DBG2(DBG_KNL, "getting interface name for %H", ip); + + this->mutex->lock(this->mutex); + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, &iface)) + { + addrs = iface->addrs->create_enumerator(iface->addrs); + while (addrs->enumerate(addrs, &addr)) + { + if (ip->ip_equals(ip, addr->ip)) + { + name = strdup(iface->ifname); + break; + } + } + addrs->destroy(addrs); + if (name) + { + break; + } + } + ifaces->destroy(ifaces); + this->mutex->unlock(this->mutex); + + if (name) + { + DBG2(DBG_KNL, "%H is on interface %s", ip, name); + } + else + { + DBG2(DBG_KNL, "%H is not a local address", ip); + } + return name; +} + +/** + * Implementation of kernel_net_t.get_source_addr. + */ +static host_t* get_source_addr(private_kernel_pfroute_net_t *this, + host_t *dest, host_t *src) +{ + return NULL; +} + +/** + * Implementation of kernel_net_t.get_nexthop. + */ +static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest) +{ + return NULL; +} + +/** + * Implementation of kernel_net_t.add_ip. + */ +static status_t add_ip(private_kernel_pfroute_net_t *this, + host_t *virtual_ip, host_t *iface_ip) +{ + return FAILED; +} + +/** + * Implementation of kernel_net_t.del_ip. + */ +static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip) +{ + return FAILED; +} + +/** + * Implementation of kernel_net_t.add_route. + */ +static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +{ + return FAILED; +} + +/** + * Implementation of kernel_net_t.del_route. + */ +static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +{ + return FAILED; +} + +/** + * Initialize a list of local addresses. + */ +static status_t init_address_list(private_kernel_pfroute_net_t *this) +{ + struct ifaddrs *ifap, *ifa; + iface_entry_t *iface, *current; + addr_entry_t *addr; + enumerator_t *ifaces, *addrs; + + DBG1(DBG_KNL, "listening on interfaces:"); + + if (getifaddrs(&ifap) < 0) + { + DBG1(DBG_KNL, " failed to get interfaces!"); + return FAILED; + } + + for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) + { + if (ifa->ifa_addr == NULL) + { + continue; + } + switch(ifa->ifa_addr->sa_family) + { + case AF_LINK: + case AF_INET: + case AF_INET6: + { + if (ifa->ifa_flags & IFF_LOOPBACK) + { /* ignore loopback interfaces */ + continue; + } + + iface = NULL; + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, ¤t)) + { + if (streq(current->ifname, ifa->ifa_name)) + { + iface = current; + break; + } + } + ifaces->destroy(ifaces); + + if (!iface) + { + iface = malloc_thing(iface_entry_t); + memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ); + iface->ifindex = if_nametoindex(ifa->ifa_name); + iface->flags = ifa->ifa_flags; + iface->addrs = linked_list_create(); + this->ifaces->insert_last(this->ifaces, iface); + } + + if (ifa->ifa_addr->sa_family != AF_LINK) + { + addr = malloc_thing(addr_entry_t); + addr->ip = host_create_from_sockaddr(ifa->ifa_addr); + addr->virtual = FALSE; + addr->refcount = 1; + iface->addrs->insert_last(iface->addrs, addr); + } + } + } + } + freeifaddrs(ifap); + + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, &iface)) + { + if (iface->flags & IFF_UP) + { + DBG1(DBG_KNL, " %s", iface->ifname); + addrs = iface->addrs->create_enumerator(iface->addrs); + while (addrs->enumerate(addrs, (void**)&addr)) + { + DBG1(DBG_KNL, " %H", addr->ip); + } + addrs->destroy(addrs); + } + } + ifaces->destroy(ifaces); + + return SUCCESS; +} + +/** + * Implementation of kernel_netlink_net_t.destroy. + */ +static void destroy(private_kernel_pfroute_net_t *this) +{ + this->job->cancel(this->job); + close(this->socket); + close(this->socket_events); + this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy); + this->mutex->destroy(this->mutex); + this->mutex_pfroute->destroy(this->mutex_pfroute); + free(this); +} + +/* + * Described in header. + */ +kernel_pfroute_net_t *kernel_pfroute_net_create() +{ + private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t); + + /* public functions */ + this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name; + this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator; + this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr; + this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop; + this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip; + this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip; + this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route; + this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route; + + this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy; + + /* private members */ + this->ifaces = linked_list_create(); + this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex_pfroute = mutex_create(MUTEX_DEFAULT); + + this->seq = 0; + + /* create a PF_ROUTE socket to communicate with the kernel */ + this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC); + if (this->socket <= 0) + { + charon->kill(charon, "unable to create PF_ROUTE socket"); + } + + /* create a PF_ROUTE socket to receive events */ + this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC); + if (this->socket_events <= 0) + { + charon->kill(charon, "unable to create PF_ROUTE event socket"); + } + + this->job = callback_job_create((callback_job_cb_t)receive_events, + this, NULL, NULL); + charon->processor->queue_job(charon->processor, (job_t*)this->job); + + if (init_address_list(this) != SUCCESS) + { + charon->kill(charon, "unable to get interface list"); + } + + return &this->public; +} diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h new file mode 100644 index 000000000..9138befc1 --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup kernel_pfroute_net_i kernel_pfroute_net + * @{ @ingroup kernel_pfroute + */ + +#ifndef KERNEL_PFROUTE_NET_H_ +#define KERNEL_PFROUTE_NET_H_ + +#include <kernel/kernel_net.h> + +typedef struct kernel_pfroute_net_t kernel_pfroute_net_t; + +/** + * Implementation of the kernel net interface using PF_ROUTE. + */ +struct kernel_pfroute_net_t { + + /** + * Implements kernel_net_t interface + */ + kernel_net_t interface; +}; + +/** + * Create a PF_ROUTE kernel net interface instance. + * + * @return kernel_pfroute_net_t instance + */ +kernel_pfroute_net_t *kernel_pfroute_net_create(); + +#endif /** KERNEL_PFROUTE_NET_H_ @}*/ diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c new file mode 100644 index 000000000..a6d95283b --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + + +#include "kernel_pfroute_plugin.h" + +#include "kernel_pfroute_net.h" + +#include <daemon.h> + +typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t; + +/** + * private data of kernel PF_ROUTE plugin + */ +struct private_kernel_pfroute_plugin_t { + /** + * implements plugin interface + */ + kernel_pfroute_plugin_t public; +}; + +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_kernel_pfroute_plugin_t *this) +{ + charon->kernel_interface->remove_net_interface(charon->kernel_interface, + (kernel_net_constructor_t)kernel_pfroute_net_create); + free(this); +} + +/* + * see header file + */ +plugin_t *plugin_create() +{ + private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + charon->kernel_interface->add_net_interface(charon->kernel_interface, + (kernel_net_constructor_t)kernel_pfroute_net_create); + + return &this->public.plugin; +} diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h new file mode 100644 index 000000000..f8ae1a96a --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup kernel_pfroute kernel_pfroute + * @ingroup cplugins + * + * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin + * @{ @ingroup kernel_pfroute + */ + +#ifndef KERNEL_PFROUTE_PLUGIN_H_ +#define KERNEL_PFROUTE_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t; + +/** + * PF_ROUTE kernel interface plugin + */ +struct kernel_pfroute_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +/** + * Create a kernel_pfroute_plugin instance. + */ +plugin_t *plugin_create(); + +#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/ diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c index 9abd65195..66ebd07c4 100644 --- a/src/charon/plugins/load_tester/load_tester_ipsec.c +++ b/src/charon/plugins/load_tester/load_tester_ipsec.c @@ -88,8 +88,9 @@ static status_t update_sa(private_load_tester_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_load_tester_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { return SUCCESS; } @@ -152,7 +153,7 @@ load_tester_ipsec_t *load_tester_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/medcli/medcli_creds.c b/src/charon/plugins/medcli/medcli_creds.c index 1e99f6990..2a4972046 100644 --- a/src/charon/plugins/medcli/medcli_creds.c +++ b/src/charon/plugins/medcli/medcli_creds.c @@ -96,7 +96,7 @@ static enumerator_t* create_private_enumerator(private_medcli_creds_t *this, if ((type != KEY_RSA && type != KEY_ANY) || id == NULL || id->get_type(id) != ID_KEY_ID) { - DBG1(DBG_CFG, "%N - %D", key_type_names, type, id); + DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id); return NULL; } diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c index c76222f28..1eab8f2c0 100644 --- a/src/charon/plugins/resolv_conf/resolv_conf_handler.c +++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c @@ -79,7 +79,7 @@ static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa, if (out) { addr = host_create_from_chunk(family, data, 0); - fprintf(out, "nameserver %H # by strongSwan, from %D\n", + fprintf(out, "nameserver %H # by strongSwan, from %Y\n", addr, ike_sa->get_other_id(ike_sa)); DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file); addr->destroy(addr); @@ -140,7 +140,7 @@ static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa, { addr = host_create_from_chunk(family, data, 0); snprintf(matcher, sizeof(matcher), - "nameserver %H # by strongSwan, from %D\n", + "nameserver %H # by strongSwan, from %Y\n", addr, ike_sa->get_other_id(ike_sa)); /* copy all, but matching line */ diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c index 33a2bb491..40eeefc74 100644 --- a/src/charon/plugins/smp/smp.c +++ b/src/charon/plugins/smp/smp.c @@ -109,7 +109,7 @@ static void write_id(xmlTextWriterPtr writer, char *element, identification_t *i break; } xmlTextWriterWriteAttribute(writer, "type", type); - xmlTextWriterWriteFormatString(writer, "%D", id); + xmlTextWriterWriteFormatString(writer, "%Y", id); break; } default: diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c index a1c67c691..28cd038c9 100644 --- a/src/charon/plugins/sql/pool.c +++ b/src/charon/plugins/sql/pool.c @@ -562,7 +562,7 @@ static void leases(char *filter, bool utc) printf(" "); } } - printf("%D\n", identity); + printf("%Y\n", identity); DESTROY_IF(address); identity->destroy(identity); } diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c index a3beb3a62..56237694e 100644 --- a/src/charon/plugins/stroke/stroke_attribute.c +++ b/src/charon/plugins/stroke/stroke_attribute.c @@ -223,7 +223,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, id = pool->ids->get(pool->ids, id); if (id) { - DBG1(DBG_CFG, "reassigning offline lease to %D", id); + DBG1(DBG_CFG, "reassigning offline lease to %Y", id); pool->online->put(pool->online, id, (void*)offset); break; } @@ -233,7 +233,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, offset = (uintptr_t)pool->online->get(pool->online, id); if (offset && offset == host2offset(pool, requested)) { - DBG1(DBG_CFG, "reassigning online lease to %D", id); + DBG1(DBG_CFG, "reassigning online lease to %Y", id); break; } @@ -245,7 +245,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, id = id->clone(id); pool->ids->put(pool->ids, id, id); pool->online->put(pool->online, id, (void*)offset); - DBG1(DBG_CFG, "assigning new lease to %D", id); + DBG1(DBG_CFG, "assigning new lease to %Y", id); break; } /* no more addresses, replace the first found offline lease */ @@ -257,7 +257,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, { /* destroy reference to old ID */ old_id = pool->ids->remove(pool->ids, old_id); - DBG1(DBG_CFG, "reassigning existing offline lease of %D to %D", + DBG1(DBG_CFG, "reassigning existing offline lease of %Y to %Y", old_id, id); if (old_id) { @@ -305,7 +305,7 @@ static bool release_address(private_stroke_attribute_t *this, id = pool->ids->get(pool->ids, id); if (id) { - DBG1(DBG_CFG, "lease %H of %D went offline", address, id); + DBG1(DBG_CFG, "lease %H of %Y went offline", address, id); pool->offline->put(pool->offline, id, (void*)offset); found = TRUE; } diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c index 54356436f..dffa8e235 100644 --- a/src/charon/plugins/stroke/stroke_ca.c +++ b/src/charon/plugins/stroke/stroke_ca.c @@ -398,14 +398,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) first = FALSE; } fprintf(out, "\n"); - fprintf(out, " authname: \"%D\"\n", cert->get_subject(cert)); + fprintf(out, " authname: \"%Y\"\n", cert->get_subject(cert)); /* list authkey and keyid */ if (public) { - fprintf(out, " authkey: %D\n", + fprintf(out, " authkey: %Y\n", public->get_id(public, ID_PUBKEY_SHA1)); - fprintf(out, " keyid: %D\n", + fprintf(out, " keyid: %Y\n", public->get_id(public, ID_PUBKEY_INFO_SHA1)); public->destroy(public); } diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c index 4a0b1ff42..21e2fd2f2 100644 --- a/src/charon/plugins/stroke/stroke_config.c +++ b/src/charon/plugins/stroke/stroke_config.c @@ -386,8 +386,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, if (identity->get_type(identity) == ID_ANY || !certificate->has_subject(certificate, identity)) { - DBG1(DBG_CFG, " peerid %D not confirmed by certificate, " - "defaulting to subject DN: %D", identity, + DBG1(DBG_CFG, " peerid %Y not confirmed by certificate, " + "defaulting to subject DN: %Y", identity, certificate->get_subject(certificate)); identity->destroy(identity); identity = certificate->get_subject(certificate); diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c index 08d50519c..634a89d1d 100644 --- a/src/charon/plugins/stroke/stroke_control.c +++ b/src/charon/plugins/stroke/stroke_control.c @@ -249,7 +249,7 @@ static void terminate_srcip(private_stroke_control_t *this, enumerator_t *enumerator; ike_sa_t *ike_sa; host_t *start = NULL, *end = NULL, *vip; - chunk_t chunk_start, chunk_end, chunk_vip; + chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip; if (msg->terminate_srcip.start) { diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c index 066591c9d..689e463b4 100644 --- a/src/charon/plugins/stroke/stroke_list.c +++ b/src/charon/plugins/stroke/stroke_list.c @@ -74,7 +74,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) fprintf(out, " %V ago", &now, &established); } - fprintf(out, ", %H[%D]...%H[%D]\n", + fprintf(out, ", %H[%Y]...%H[%Y]\n", ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa), ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa)); @@ -266,7 +266,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); while (enumerator->enumerate(enumerator, &auth)) { - fprintf(out, "%12s: %s [%D] uses ", name, local ? "local: " : "remote:", + fprintf(out, "%12s: %s [%Y] uses ", name, local ? "local: " : "remote:", auth->get(auth, AUTH_RULE_IDENTITY)); auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS); @@ -297,7 +297,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) id = auth->get(auth, AUTH_RULE_EAP_IDENTITY); if (id) { - fprintf(out, " with EAP identity '%D'", id); + fprintf(out, " with EAP identity '%Y'", id); } fprintf(out, "\n"); } @@ -305,19 +305,19 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) cert = auth->get(auth, AUTH_RULE_CA_CERT); if (cert) { - fprintf(out, "%12s: ca: \"%D\"\n", name, cert->get_subject(cert)); + fprintf(out, "%12s: ca: \"%Y\"\n", name, cert->get_subject(cert)); } cert = auth->get(auth, AUTH_RULE_IM_CERT); if (cert) { - fprintf(out, "%12s: im-ca: \"%D\"\n", name, cert->get_subject(cert)); + fprintf(out, "%12s: im-ca: \"%Y\"\n", name, cert->get_subject(cert)); } cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); if (cert) { - fprintf(out, "%12s: cert: \"%D\"\n", name, + fprintf(out, "%12s: cert: \"%Y\"\n", name, cert->get_subject(cert)); } @@ -340,7 +340,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) { if (rule == AUTH_RULE_AC_GROUP) { - fprintf(out, "%12s: group: %D\n", name, id); + fprintf(out, "%12s: group: %Y\n", name, id); } } rules->destroy(rules); @@ -593,8 +593,8 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out) key_type_names, public->get_type(public), public->get_keysize(public) * 8, private ? ", has private key" : ""); - fprintf(out, " keyid: %D\n", keyid); - fprintf(out, " subjkey: %D\n", id); + fprintf(out, " keyid: %Y\n", keyid); + fprintf(out, " subjkey: %Y\n", id); DESTROY_IF(private); public->destroy(public); } @@ -650,7 +650,7 @@ static void stroke_list_certs(linked_list_t *list, char *label, { fprintf(out, ", "); } - fprintf(out, "%D", altName); + fprintf(out, "%Y", altName); } if (!first_altName) { @@ -658,8 +658,8 @@ static void stroke_list_certs(linked_list_t *list, char *label, } enumerator->destroy(enumerator); - fprintf(out, " subject: \"%D\"\n", cert->get_subject(cert)); - fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert)); + fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); fprintf(out, " serial: %#B\n", &serial); /* list validity */ @@ -704,8 +704,8 @@ static void stroke_list_certs(linked_list_t *list, char *label, key_type_names, public->get_type(public), public->get_keysize(public) * 8, private ? ", has private key" : ""); - fprintf(out, " keyid: %D\n", keyid); - fprintf(out, " subjkey: %D\n", id); + fprintf(out, " keyid: %Y\n", keyid); + fprintf(out, " subjkey: %Y\n", id); DESTROY_IF(private); public->destroy(public); } @@ -713,7 +713,7 @@ static void stroke_list_certs(linked_list_t *list, char *label, /* list optional authorityKeyIdentifier */ if (authkey) { - fprintf(out, " authkey: %D\n", authkey); + fprintf(out, " authkey: %Y\n", authkey); } } } @@ -749,17 +749,17 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) if (entityName) { - fprintf(out, " holder: \"%D\"\n", entityName); + fprintf(out, " holder: \"%Y\"\n", entityName); } if (holderIssuer) { - fprintf(out, " hissuer: \"%D\"\n", holderIssuer); + fprintf(out, " hissuer: \"%Y\"\n", holderIssuer); } if (holderSerial.ptr) { fprintf(out, " hserial: %#B\n", &holderSerial); } - fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); fprintf(out, " serial: %#B\n", &serial); /* list validity */ @@ -783,7 +783,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) /* list optional authorityKeyIdentifier */ if (authkey) { - fprintf(out, " authkey: %D\n", authkey); + fprintf(out, " authkey: %Y\n", authkey); } } enumerator->destroy(enumerator); @@ -813,7 +813,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) } fprintf(out, "\n"); - fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); /* list optional crlNumber */ if (serial.ptr) @@ -856,7 +856,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) /* list optional authorityKeyIdentifier */ if (authkey) { - fprintf(out, " authkey: %D\n", authkey); + fprintf(out, " authkey: %Y\n", authkey); } } enumerator->destroy(enumerator); @@ -881,7 +881,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) first = FALSE; } - fprintf(out, " signer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert)); } enumerator->destroy(enumerator); } @@ -1024,7 +1024,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, { if (!address || address->ip_equals(address, lease)) { - fprintf(out, " %15H %s '%D'\n", + fprintf(out, " %15H %s '%Y'\n", lease, on ? "online" : "offline", id); found++; } diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c index d8cc69c20..e1c3e58ab 100644 --- a/src/charon/plugins/stroke/stroke_socket.c +++ b/src/charon/plugins/stroke/stroke_socket.c @@ -571,8 +571,11 @@ static job_requeue_t receive(private_stroke_socket_t *this) */ static bool open_socket(private_stroke_socket_t *this) { - struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET}; + struct sockaddr_un socket_addr; mode_t old; + + socket_addr.sun_family = AF_UNIX; + strcpy(socket_addr.sun_path, STROKE_SOCKET); /* set up unix socket */ this->socket = socket(AF_UNIX, SOCK_STREAM, 0); diff --git a/src/charon/plugins/updown/updown_listener.c b/src/charon/plugins/updown/updown_listener.c index 7dfb874cb..4feffd9c4 100644 --- a/src/charon/plugins/updown/updown_listener.c +++ b/src/charon/plugins/updown/updown_listener.c @@ -188,14 +188,14 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa, "PLUTO_INTERFACE='%s' " "PLUTO_REQID='%u' " "PLUTO_ME='%H' " - "PLUTO_MY_ID='%D' " + "PLUTO_MY_ID='%Y' " "PLUTO_MY_CLIENT='%s/%s' " "PLUTO_MY_CLIENT_NET='%s' " "PLUTO_MY_CLIENT_MASK='%s' " "PLUTO_MY_PORT='%u' " "PLUTO_MY_PROTOCOL='%u' " "PLUTO_PEER='%H' " - "PLUTO_PEER_ID='%D' " + "PLUTO_PEER_ID='%Y' " "PLUTO_PEER_CLIENT='%s/%s' " "PLUTO_PEER_CLIENT_NET='%s' " "PLUTO_PEER_CLIENT_MASK='%s' " diff --git a/src/charon/processing/jobs/mediation_job.c b/src/charon/processing/jobs/mediation_job.c index 5894b6aab..607286b01 100644 --- a/src/charon/processing/jobs/mediation_job.c +++ b/src/charon/processing/jobs/mediation_job.c @@ -101,7 +101,7 @@ static void execute(private_mediation_job_t *this) /* send callback to a peer */ if (target_sa->callback(target_sa, this->source) != SUCCESS) { - DBG1(DBG_JOB, "callback for '%D' to '%D' failed", + DBG1(DBG_JOB, "callback for '%Y' to '%Y' failed", this->source, this->target); charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa); destroy(this); @@ -114,7 +114,7 @@ static void execute(private_mediation_job_t *this) if (target_sa->relay(target_sa, this->source, this->connect_id, this->connect_key, this->endpoints, this->response) != SUCCESS) { - DBG1(DBG_JOB, "mediation between '%D' and '%D' failed", + DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed", this->source, this->target); charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa); /* FIXME: notify the initiator */ @@ -127,13 +127,13 @@ static void execute(private_mediation_job_t *this) } else { - DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: " + DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: " "SA not found", this->source, this->target); } } else { - DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: " + DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: " "peer is not online anymore", this->source, this->target); } destroy(this); diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c index 876cb7b74..27cec2d72 100644 --- a/src/charon/sa/authenticators/eap_authenticator.c +++ b/src/charon/sa/authenticators/eap_authenticator.c @@ -217,7 +217,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, { snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr); this->eap_identity = identification_create_from_string(buf); - DBG1(DBG_IKE, "received EAP identity '%D'", + DBG1(DBG_IKE, "received EAP identity '%Y'", this->eap_identity); } /* restart EAP exchange, but with real method */ @@ -254,12 +254,12 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, if (vendor) { DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for " - "peer %D", type, vendor, + "peer %Y", type, vendor, this->ike_sa->get_other_id(this->ike_sa)); } else { - DBG1(DBG_IKE, "EAP method %N failed for peer %D", + DBG1(DBG_IKE, "EAP method %N failed for peer %Y", eap_type_names, type, this->ike_sa->get_other_id(this->ike_sa)); } @@ -290,7 +290,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this, { id = this->ike_sa->get_my_id(this->ike_sa); } - DBG1(DBG_IKE, "server requested %N, sending '%D'", + DBG1(DBG_IKE, "server requested %N, sending '%Y'", eap_type_names, type, id); this->eap_identity = id->clone(id); @@ -380,7 +380,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message) } chunk_free(&auth_data); - DBG1(DBG_IKE, "authentication of '%D' with %N successful", + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", other_id, auth_class_names, AUTH_CLASS_EAP); this->auth_complete = TRUE; auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); @@ -401,7 +401,7 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message) my_id = this->ike_sa->get_my_id(this->ike_sa); keymat = this->ike_sa->get_keymat(this->ike_sa); - DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_class_names, AUTH_CLASS_EAP); auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c index 45baa8e9c..5ce919355 100644 --- a/src/charon/sa/authenticators/psk_authenticator.c +++ b/src/charon/sa/authenticators/psk_authenticator.c @@ -63,13 +63,13 @@ static status_t build(private_psk_authenticator_t *this, message_t *message) keymat = this->ike_sa->get_keymat(this->ike_sa); my_id = this->ike_sa->get_my_id(this->ike_sa); other_id = this->ike_sa->get_other_id(this->ike_sa); - DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_method_names, AUTH_PSK); key = charon->credentials->get_shared(charon->credentials, SHARED_IKE, my_id, other_id); if (key == NULL) { - DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); + DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); return NOT_FOUND; } auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, @@ -119,7 +119,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message) this->nonce, key->get_key(key), other_id); if (auth_data.len && chunk_equals(auth_data, recv_auth_data)) { - DBG1(DBG_IKE, "authentication of '%D' with %N successful", + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", other_id, auth_method_names, AUTH_PSK); authenticated = TRUE; } @@ -131,10 +131,10 @@ static status_t process(private_psk_authenticator_t *this, message_t *message) { if (keys_found == 0) { - DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); + DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); return NOT_FOUND; } - DBG1(DBG_IKE, "tried %d shared key%s for '%D' - '%D', but MAC mismatched", + DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched", keys_found, keys_found == 1 ? "" : "s", my_id, other_id); return FAILED; } diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c index 482d6b91d..b8335a69d 100644 --- a/src/charon/sa/authenticators/pubkey_authenticator.c +++ b/src/charon/sa/authenticators/pubkey_authenticator.c @@ -71,7 +71,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) id, auth); if (private == NULL) { - DBG1(DBG_IKE, "no private key found for '%D'", id); + DBG1(DBG_IKE, "no private key found for '%Y'", id); return NOT_FOUND; } @@ -122,7 +122,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) message->add_payload(message, (payload_t*)auth_payload); status = SUCCESS; } - DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id, + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, auth_method_names, auth_method, (status == SUCCESS)? "successful":"failed"); chunk_free(&octets); @@ -186,7 +186,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message { if (public->verify(public, scheme, octets, auth_data)) { - DBG1(DBG_IKE, "authentication of '%D' with %N successful", + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, auth_method_names, auth_method); status = SUCCESS; auth->merge(auth, current_auth, FALSE); @@ -203,7 +203,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message chunk_free(&octets); if (status == NOT_FOUND) { - DBG1(DBG_IKE, "no trusted %N public key found for '%D'", + DBG1(DBG_IKE, "no trusted %N public key found for '%Y'", key_type_names, key_type, id); } return status; diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c index 092210bb2..1ea9539b0 100644 --- a/src/charon/sa/child_sa.c +++ b/src/charon/sa/child_sa.c @@ -724,14 +724,14 @@ static void destroy(private_child_sa_t *this) if (this->my_spi) { charon->kernel_interface->del_sa(charon->kernel_interface, - this->my_addr, this->my_spi, this->protocol, - this->my_cpi); + this->other_addr, this->my_addr, this->my_spi, + this->protocol, this->my_cpi); } if (this->other_spi) { charon->kernel_interface->del_sa(charon->kernel_interface, - this->other_addr, this->other_spi, this->protocol, - this->other_cpi); + this->my_addr, this->other_addr, this->other_spi, + this->protocol, this->other_cpi); } if (this->config->install_policy(this->config)) diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c index 4574ea3a9..89d8882bf 100644 --- a/src/charon/sa/connect_manager.c +++ b/src/charon/sa/connect_manager.c @@ -1196,8 +1196,8 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli } else { - DBG1(DBG_IKE, "there is no mediated connection waiting between '%D' " - "and '%D'", checklist->initiator.id, checklist->responder.id); + DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y' " + "and '%Y'", checklist->initiator.id, checklist->responder.id); } } } @@ -1396,7 +1396,7 @@ static bool check_and_register(private_connect_manager_t *this, if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS) { - DBG2(DBG_IKE, "registered waiting mediated connection with '%D'", peer_id); + DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'", peer_id); initiated = initiated_create(id, peer_id); this->initiated->insert_last(this->initiated, initiated); already_there = FALSE; @@ -1425,7 +1425,7 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS) { - DBG2(DBG_IKE, "no waiting mediated connections with '%D'", peer_id); + DBG2(DBG_IKE, "no waiting mediated connections with '%Y'", peer_id); this->mutex->unlock(this->mutex); return; } diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c index f6abb0c35..311b18c8c 100644 --- a/src/charon/sa/ike_sa_manager.c +++ b/src/charon/sa/ike_sa_manager.c @@ -1436,7 +1436,7 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) { case UNIQUE_REPLACE: DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer " - "'%D' due to uniqueness policy", other); + "'%Y' due to uniqueness policy", other); status = duplicate->delete(duplicate); break; case UNIQUE_KEEP: diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c index fbdf3ad58..b652c29e6 100644 --- a/src/charon/sa/mediation_manager.c +++ b/src/charon/sa/mediation_manager.c @@ -227,12 +227,12 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe if (!found) { - DBG2(DBG_IKE, "adding peer '%D'", peer_id); + DBG2(DBG_IKE, "adding peer '%Y'", peer_id); peer = peer_create(peer_id, NULL); this->peers->insert_last(this->peers, peer); } - DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%D'", peer_id); + DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id); peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL; /* send callbacks to registered peers */ @@ -284,7 +284,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this, if (get_peer_by_id(this, peer_id, &peer) != SUCCESS) { - DBG2(DBG_IKE, "adding peer %D", peer_id); + DBG2(DBG_IKE, "adding peer %Y", peer_id); peer = peer_create(peer_id, NULL); this->peers->insert_last(this->peers, peer); } @@ -292,7 +292,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this, if (!peer->ike_sa_id) { /* the peer is not online */ - DBG2(DBG_IKE, "requested peer '%D' is offline, registering peer '%D'", peer_id, requester); + DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'", peer_id, requester); register_peer(peer, requester); this->mutex->unlock(this->mutex); return NULL; diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c index d594e3baa..b5ef17ab8 100644 --- a/src/charon/sa/tasks/ike_auth.c +++ b/src/charon/sa/tasks/ike_auth.c @@ -642,7 +642,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) { /* IDr received, check if it matches configuration */ if (id_cfg && !id->matches(id, id_cfg)) { - DBG1(DBG_CFG, "received IDr %D, but require %D", id, id_cfg); + DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); return FAILED; @@ -730,7 +730,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) return FAILED; } this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), @@ -907,7 +907,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) return FAILED; } this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c index da3ee4dce..3ef1cafc4 100644 --- a/src/charon/sa/tasks/ike_cert_post.c +++ b/src/charon/sa/tasks/ike_cert_post.c @@ -140,7 +140,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message) { break; } - DBG1(DBG_IKE, "sending end entity cert \"%D\"", + DBG1(DBG_IKE, "sending end entity cert \"%Y\"", cert->get_subject(cert)); message->add_payload(message, (payload_t*)payload); @@ -152,7 +152,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message) payload = cert_payload_create_from_cert(cert); if (payload) { - DBG1(DBG_IKE, "sending issuer cert \"%D\"", + DBG1(DBG_IKE, "sending issuer cert \"%Y\"", cert->get_subject(cert)); message->add_payload(message, (payload_t*)payload); } diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c index 0ec7004c2..db9e7bcc6 100644 --- a/src/charon/sa/tasks/ike_cert_pre.c +++ b/src/charon/sa/tasks/ike_cert_pre.c @@ -95,14 +95,14 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) CERT_X509, KEY_ANY, id, TRUE); if (cert) { - DBG1(DBG_IKE, "received cert request for \"%D\"", + DBG1(DBG_IKE, "received cert request for \"%Y\"", cert->get_subject(cert)); auth->add(auth, AUTH_RULE_CA_CERT, cert); } else { DBG1(DBG_IKE, "received cert request for unknown ca " - "with keyid %D", id); + "with keyid %Y", id); } id->destroy(id); } @@ -211,14 +211,14 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) { if (first) { /* the first is an end entity certificate */ - DBG1(DBG_IKE, "received end entity cert \"%D\"", + DBG1(DBG_IKE, "received end entity cert \"%Y\"", cert->get_subject(cert)); auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert); first = FALSE; } else { - DBG1(DBG_IKE, "received issuer cert \"%D\"", + DBG1(DBG_IKE, "received issuer cert \"%Y\"", cert->get_subject(cert)); auth->add(auth, AUTH_HELPER_IM_CERT, cert); } @@ -300,7 +300,7 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert) keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1); (*req)->add_keyid(*req, keyid->get_encoding(keyid)); public->destroy(public); - DBG1(DBG_IKE, "sending cert request for \"%D\"", + DBG1(DBG_IKE, "sending cert request for \"%Y\"", cert->get_subject(cert)); break; } diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c index 7ff969044..185010040 100644 --- a/src/charon/sa/tasks/ike_delete.c +++ b/src/charon/sa/tasks/ike_delete.c @@ -56,7 +56,7 @@ static status_t build_i(private_ike_delete_t *this, message_t *message) { delete_payload_t *delete_payload; - DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), @@ -95,7 +95,7 @@ static status_t process_r(private_ike_delete_t *this, message_t *message) DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa)); - DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c index 07dfb20a5..bb6f4f41e 100644 --- a/src/charon/sa/tasks/ike_me.c +++ b/src/charon/sa/tasks/ike_me.c @@ -339,7 +339,7 @@ static status_t process_r(private_ike_me_t *this, message_t *message) if (this->callback) { - DBG1(DBG_IKE, "received ME_CALLBACK for '%D'", this->peer_id); + DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id); break; } @@ -471,7 +471,7 @@ static status_t process_i(private_ike_me_t *this, message_t *message) if (this->failed) { - DBG1(DBG_IKE, "peer '%D' is not online", this->peer_id); + DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id); /* FIXME: notify the mediated connection (job?) */ } else diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c index ef6e4721a..f564012e7 100644 --- a/src/charon/sa/tasks/ike_rekey.c +++ b/src/charon/sa/tasks/ike_rekey.c @@ -177,7 +177,7 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message) this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED); - DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->new_sa->get_name(this->new_sa), this->new_sa->get_unique_id(this->new_sa), this->ike_sa->get_my_host(this->ike_sa), @@ -246,7 +246,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) } this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED); - DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->new_sa->get_name(this->new_sa), this->new_sa->get_unique_id(this->new_sa), this->ike_sa->get_my_host(this->ike_sa), diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am index 44964e041..f3ca1ca06 100644 --- a/src/ipsec/Makefile.am +++ b/src/ipsec/Makefile.am @@ -12,5 +12,5 @@ ipsec : ipsec.in -e "s:@IPSEC_SBINDIR@:$(sbindir):" \ -e "s:@IPSEC_CONFDIR@:$(confdir):" \ -e "s:@IPSEC_PIDDIR@:$(piddir):" \ - $< > $@ + $(srcdir)/$@.in > $@ chmod +x $@ diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am index 190a8c892..c07444184 100644 --- a/src/libfreeswan/Makefile.am +++ b/src/libfreeswan/Makefile.am @@ -1,13 +1,10 @@ noinst_LIBRARIES = libfreeswan.a libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \ atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ - goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipcomp.h \ - ipsec_ah.h ipsec_alg.h ipsec_encap.h ipsec_eroute.h ipsec_errs.h \ - ipsec_esp.h ipsec_ipe4.h ipsec_kversion.h ipsec_life.h ipsec_md5h.h \ - ipsec_param.h ipsec_policy.h ipsec_proto.h ipsec_radij.h ipsec_rcv.h \ - ipsec_sa.h ipsec_sha1.h ipsec_stats.h ipsec_tunnel.h ipsec_xform.h \ - ipsec_xmit.h keyblobtoid.c optionsfrom.c pfkey_v2_build.c pfkey_v2_debug.c \ - pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c radij.h rangetoa.c \ + goodmask.c initaddr.c initsaid.c initsubnet.c internal.h \ + ipsec_param.h ipsec_policy.h \ + keyblobtoid.c optionsfrom.c pfkey_v2_build.c pfkey_v2_debug.c \ + pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \ pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \ satot.c subnetof.c subnettoa.c subnettot.c \ subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \ diff --git a/src/libfreeswan/addrtot.c b/src/libfreeswan/addrtot.c index 51ab76839..d92745a95 100644 --- a/src/libfreeswan/addrtot.c +++ b/src/libfreeswan/addrtot.c @@ -14,6 +14,8 @@ * * RCSID $Id$ */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" diff --git a/src/libfreeswan/addrtypeof.c b/src/libfreeswan/addrtypeof.c index ab303cce3..c55f7ab83 100644 --- a/src/libfreeswan/addrtypeof.c +++ b/src/libfreeswan/addrtypeof.c @@ -14,6 +14,8 @@ * * RCSID $Id$ */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" diff --git a/src/libfreeswan/anyaddr.c b/src/libfreeswan/anyaddr.c index 473fc5d11..d55ceea6c 100644 --- a/src/libfreeswan/anyaddr.c +++ b/src/libfreeswan/anyaddr.c @@ -14,6 +14,8 @@ * * RCSID $Id$ */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h index 56b9893b0..09af2c24a 100644 --- a/src/libfreeswan/freeswan.h +++ b/src/libfreeswan/freeswan.h @@ -18,19 +18,7 @@ */ #define _FREESWAN_H /* seen it, no need to see it again */ - - -/* - * We've just got to have some datatypes defined... And annoyingly, just - * where we get them depends on whether we're in userland or not. - */ -#ifdef __KERNEL__ - -# include <linux/types.h> -# include <linux/in.h> - -#else /* __KERNEL__ */ - +# include <sys/types.h> # include <stdio.h> # include <netinet/in.h> @@ -41,25 +29,13 @@ # define DEBUG_NO_STATIC static -#endif /* __KERNEL__ */ - #include <ipsec_param.h> #include <utils.h> /* - * Grab the kernel version to see if we have NET_21, and therefore - * IPv6. Some of this is repeated from ipsec_kversions.h. Of course, - * we aren't really testing if the kernel has IPv6, but rather if the - * the include files do. + * We assume header files have IPv6 (i.e. kernel version >= 2.1.0) */ -#include <linux/version.h> -#ifndef KERNEL_VERSION -#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z)) -#endif - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0) #define NET_21 -#endif #ifndef IPPROTO_COMP # define IPPROTO_COMP 108 @@ -84,28 +60,6 @@ * use their definitions directly, they are subject to change! */ -/* first, some quick fakes in case we're on an old system with no IPv6 */ -#ifndef s6_addr16 -struct in6_addr { - union - { - __u8 u6_addr8[16]; - __u16 u6_addr16[8]; - __u32 u6_addr32[4]; - } in6_u; -#define s6_addr in6_u.u6_addr8 -#define s6_addr16 in6_u.u6_addr16 -#define s6_addr32 in6_u.u6_addr32 -}; -struct sockaddr_in6 { - unsigned short int sin6_family; /* AF_INET6 */ - __u16 sin6_port; /* Transport layer port # */ - __u32 sin6_flowinfo; /* IPv6 flow information */ - struct in6_addr sin6_addr; /* IPv6 address */ - __u32 sin6_scope_id; /* scope id (new in RFC2553) */ -}; -#endif /* !s6_addr16 */ - /* then the main types */ typedef struct { union { @@ -119,11 +73,7 @@ typedef struct { } ip_subnet; /* and the SA ID stuff */ -#ifdef __KERNEL__ -typedef __u32 ipsec_spi_t; -#else typedef u_int32_t ipsec_spi_t; -#endif typedef struct { /* to identify an SA, we need: */ ip_address dst; /* A. destination host */ ipsec_spi_t spi; /* B. 32-bit SPI, assigned by dest. host */ @@ -159,6 +109,8 @@ struct prng { /* pseudo-random-number-generator guts */ */ typedef uint32_t IPsecSAref_t; +#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH) + #define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t)) #define IPsecSAref2NFmark(x) ((x) << (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH)) @@ -441,11 +393,9 @@ bitstomask( * general utilities */ -#ifndef __KERNEL__ -/* option pickup from files (userland only because of use of FILE) */ +/* option pickup from files */ const char *optionsfrom(const char *filename, int *argcp, char ***argvp, int optind, FILE *errorreport); -#endif /* * Debugging levels for pfkey_lib_debug diff --git a/src/libfreeswan/initaddr.c b/src/libfreeswan/initaddr.c index b8427c653..51f7f6f45 100644 --- a/src/libfreeswan/initaddr.c +++ b/src/libfreeswan/initaddr.c @@ -14,6 +14,8 @@ * * RCSID $Id$ */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" diff --git a/src/libfreeswan/internal.h b/src/libfreeswan/internal.h index c18db31f5..a97cce905 100644 --- a/src/libfreeswan/internal.h +++ b/src/libfreeswan/internal.h @@ -35,47 +35,14 @@ #define PASSTHROUGHDST 0 #endif -/* - * Headers, greatly complicated by stupid and unnecessary inconsistencies - * between the user environment and the kernel environment. These are done - * here so that this mess need exist in only one place. - * - * It may seem like a -I or two could avoid most of this, but on closer - * inspection it is not quite that easy. - */ - -/* things that need to come from one place or the other, depending */ -#ifdef __KERNEL__ -#include <linux/types.h> -#include <linux/socket.h> -#include <linux/in.h> -#include <linux/string.h> -#include <linux/ctype.h> -#define assert(foo) /* nothing */ -#else #include <sys/types.h> #include <netinet/in.h> #include <string.h> #include <ctype.h> #include <assert.h> -#endif - -/* things that exist only in userland */ -#ifndef __KERNEL__ - -/* You'd think this would be okay in the kernel too -- it's just a */ -/* bunch of constants -- but no, in RH5.1 it screws up other things. */ -/* (Credit: Mike Warfield tracked this problem down. Thanks Mike!) */ -/* Fortunately, we don't need it in the kernel subset of the library. */ #include <limits.h> - -/* header files for things that should never be called in kernel */ #include <netdb.h> - -/* memory allocation, currently user-only, macro-ized just in case */ #include <stdlib.h> #define MALLOC(n) malloc(n) #define FREE(p) free(p) -#endif /* __KERNEL__ */ - diff --git a/src/libfreeswan/ipcomp.h b/src/libfreeswan/ipcomp.h deleted file mode 100644 index fd8e35dde..000000000 --- a/src/libfreeswan/ipcomp.h +++ /dev/null @@ -1,61 +0,0 @@ -/* - * IPCOMP zlib interface code. - * Copyright (C) 2000 Svenning Soerensen <svenning@post5.tele.dk> - * Copyright (C) 2000, 2001 Richard Guy Briggs <rgb@conscoop.ottawa.on.ca> - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - - RCSID $Id$ - - */ - -/* SSS */ - -#ifndef _IPCOMP_H -#define _IPCOMP_H - -/* Prefix all global deflate symbols with "ipcomp_" to avoid collisions with ppp_deflate & ext2comp */ -#ifndef IPCOMP_PREFIX -#define IPCOMP_PREFIX -#endif /* IPCOMP_PREFIX */ - -#ifndef IPPROTO_COMP -#define IPPROTO_COMP 108 -#endif /* IPPROTO_COMP */ - -#ifdef CONFIG_IPSEC_DEBUG -extern int sysctl_ipsec_debug_ipcomp; -#endif /* CONFIG_IPSEC_DEBUG */ - -struct ipcomphdr { /* IPCOMP header */ - __u8 ipcomp_nh; /* Next header (protocol) */ - __u8 ipcomp_flags; /* Reserved, must be 0 */ - __u16 ipcomp_cpi; /* Compression Parameter Index */ -}; - -extern struct inet_protocol comp_protocol; -extern int sysctl_ipsec_debug_ipcomp; - -#define IPCOMP_UNCOMPRESSABLE 0x000000001 -#define IPCOMP_COMPRESSIONERROR 0x000000002 -#define IPCOMP_PARMERROR 0x000000004 -#define IPCOMP_DECOMPRESSIONERROR 0x000000008 - -#define IPCOMP_ADAPT_INITIAL_TRIES 8 -#define IPCOMP_ADAPT_INITIAL_SKIP 4 -#define IPCOMP_ADAPT_SUBSEQ_TRIES 2 -#define IPCOMP_ADAPT_SUBSEQ_SKIP 8 - -/* Function prototypes */ -struct sk_buff *skb_compress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags); -struct sk_buff *skb_decompress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags); - -#endif /* _IPCOMP_H */ diff --git a/src/libfreeswan/ipsec_ah.h b/src/libfreeswan/ipsec_ah.h deleted file mode 100644 index ccf40b6a2..000000000 --- a/src/libfreeswan/ipsec_ah.h +++ /dev/null @@ -1,111 +0,0 @@ -/* - * Authentication Header declarations - * Copyright (C) 1996, 1997 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - */ - -#include "ipsec_md5h.h" -#include "ipsec_sha1.h" - -#ifndef IPPROTO_AH -#define IPPROTO_AH 51 -#endif /* IPPROTO_AH */ - -#define AH_FLENGTH 12 /* size of fixed part */ -#define AHMD5_KMAX 64 /* MD5 max 512 bits key */ -#define AHMD5_AMAX 12 /* MD5 96 bits of authenticator */ - -#define AHMD596_KLEN 16 /* MD5 128 bits key */ -#define AHSHA196_KLEN 20 /* SHA1 160 bits key */ - -#define AHMD596_ALEN 16 /* MD5 128 bits authentication length */ -#define AHSHA196_ALEN 20 /* SHA1 160 bits authentication length */ - -#define AHMD596_BLKLEN 64 /* MD5 block length */ -#define AHSHA196_BLKLEN 64 /* SHA1 block length */ -#define AHSHA2_256_BLKLEN 64 /* SHA2-256 block length */ -#define AHSHA2_384_BLKLEN 128 /* SHA2-384 block length (?) */ -#define AHSHA2_512_BLKLEN 128 /* SHA2-512 block length */ - -#define AH_BLKLEN_MAX 128 /* keep up to date! */ - -#define AH_AMAX AHSHA196_ALEN /* keep up to date! */ -#define AHHMAC_HASHLEN 12 /* authenticator length of 96bits */ -#define AHHMAC_RPLLEN 4 /* 32 bit replay counter */ - -#define DB_AH_PKTRX 0x0001 -#define DB_AH_PKTRX2 0x0002 -#define DB_AH_DMP 0x0004 -#define DB_AH_IPSA 0x0010 -#define DB_AH_XF 0x0020 -#define DB_AH_INAU 0x0040 -#define DB_AH_REPLAY 0x0100 - -#ifdef __KERNEL__ - -/* General HMAC algorithm is described in RFC 2104 */ - -#define HMAC_IPAD 0x36 -#define HMAC_OPAD 0x5C - -struct md5_ctx { - MD5_CTX ictx; /* context after H(K XOR ipad) */ - MD5_CTX octx; /* context after H(K XOR opad) */ -}; - -struct sha1_ctx { - SHA1_CTX ictx; /* context after H(K XOR ipad) */ - SHA1_CTX octx; /* context after H(K XOR opad) */ -}; - -struct auth_alg { - void (*init)(void *ctx); - void (*update)(void *ctx, unsigned char *bytes, __u32 len); - void (*final)(unsigned char *hash, void *ctx); - int hashlen; -}; - -extern struct inet_protocol ah_protocol; - -struct options; - -extern int -ah_rcv(struct sk_buff *skb, - struct device *dev, - struct options *opt, - __u32 daddr, - unsigned short len, - __u32 saddr, - int redo, - struct inet_protocol *protocol); - -struct ahhdr /* Generic AH header */ -{ - __u8 ah_nh; /* Next header (protocol) */ - __u8 ah_hl; /* AH length, in 32-bit words */ - __u16 ah_rv; /* reserved, must be 0 */ - __u32 ah_spi; /* Security Parameters Index */ - __u32 ah_rpl; /* Replay prevention */ - __u8 ah_data[AHHMAC_HASHLEN];/* Authentication hash */ -}; -#define AH_BASIC_LEN 8 /* basic AH header is 8 bytes, nh,hl,rv,spi - * and the ah_hl, says how many bytes after that - * to cover. */ - - -#ifdef CONFIG_IPSEC_DEBUG -extern int debug_ah; -#endif /* CONFIG_IPSEC_DEBUG */ -#endif /* __KERNEL__ */ diff --git a/src/libfreeswan/ipsec_alg.h b/src/libfreeswan/ipsec_alg.h deleted file mode 100644 index 920e921f6..000000000 --- a/src/libfreeswan/ipsec_alg.h +++ /dev/null @@ -1,254 +0,0 @@ -/* - * Modular extensions service and registration functions interface - * - * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar> - * - * $Id$ - * - */ -/* - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - */ -#ifndef IPSEC_ALG_H -#define IPSEC_ALG_H - -/* - * gcc >= 3.2 has removed __FUNCTION__, replaced by C99 __func__ - * *BUT* its a compiler variable. - */ -#if (__GNUC__ >= 3) -#ifndef __FUNCTION__ -#define __FUNCTION__ __func__ -#endif -#endif - -/* Version 0.8.1-0 */ -#define IPSEC_ALG_VERSION 0x00080100 - -#include <linux/types.h> -#include <linux/list.h> -#include <asm/atomic.h> -/* - * The following structs are used via pointers in ipsec_alg object to - * avoid ipsec_alg.h coupling with freeswan headers, thus simplifying - * module development - */ -struct ipsec_sa; -struct esp; - -/************************************** - * - * Main registration object - * - *************************************/ -#define IPSEC_ALG_VERSION_QUAD(v) \ - (v>>24),((v>>16)&0xff),((v>>8)&0xff),(v&0xff) -/* - * Main ipsec_alg objects: "OOPrograming wannabe" - * Hierachy (carefully handled with _minimal_ cast'ing): - * - * ipsec_alg+ - * +->ipsec_alg_enc (ixt_alg_type=SADB_EXT_SUPPORTED_ENCRYPT) - * +->ipsec_alg_auth (ixt_alg_type=SADB_EXT_SUPPORTED_AUTH) - */ - -/*************************************************************** - * - * INTERFACE object: struct ipsec_alg - * - ***************************************************************/ - -/* - * common part for every struct ipsec_alg_* - * (sortof poor's man OOP) - */ -#define IPSEC_ALG_STRUCT_COMMON \ - unsigned ixt_version; /* only allow this version (or 'near')*/ \ - struct list_head ixt_list; /* dlinked list */ \ - struct module *ixt_module; /* THIS_MODULE */ \ - unsigned ixt_state; /* state flags */ \ - atomic_t ixt_refcnt; /* ref. count when pointed from ipsec_sa */ \ - char ixt_name[16]; /* descriptive short name, eg. "3des" */ \ - void *ixt_data; /* private for algo implementation */ \ - uint8_t ixt_blocksize; /* blocksize in bytes */ \ - \ - /* THIS IS A COPY of struct supported (lib/pfkey.h) \ - * please keep in sync until we migrate 'supported' stuff \ - * to ipsec_alg \ - */ \ - uint16_t ixt_alg_type; /* correspond to IPSEC_ALG_{ENCRYPT,AUTH} */ \ - uint8_t ixt_alg_id; /* enc. alg. number, eg. ESP_3DES */ \ - uint8_t ixt_ivlen; /* ivlen in bits, expected to be multiple of 8! */ \ - uint16_t ixt_keyminbits;/* min. keybits (of entropy) */ \ - uint16_t ixt_keymaxbits;/* max. keybits (of entropy) */ - -#define ixt_support ixt_alg_type - -#define IPSEC_ALG_ST_SUPP 0x01 -#define IPSEC_ALG_ST_REGISTERED 0x02 -#define IPSEC_ALG_ST_EXCL 0x04 -struct ipsec_alg { - IPSEC_ALG_STRUCT_COMMON -}; -/* - * Note the const in cbc_encrypt IV arg: - * some ciphers like to toast passed IV (eg. 3DES): make a local IV copy - */ -struct ipsec_alg_enc { - IPSEC_ALG_STRUCT_COMMON - unsigned ixt_e_keylen; /* raw key length in bytes */ - unsigned ixt_e_ctx_size; /* sa_p->key_e_size */ - int (*ixt_e_set_key)(struct ipsec_alg_enc *alg, __u8 *key_e, const __u8 *key, size_t keysize); - __u8 *(*ixt_e_new_key)(struct ipsec_alg_enc *alg, const __u8 *key, size_t keysize); - void (*ixt_e_destroy_key)(struct ipsec_alg_enc *alg, __u8 *key_e); - int (*ixt_e_cbc_encrypt)(struct ipsec_alg_enc *alg, __u8 *key_e, __u8 *in, int ilen, const __u8 *iv, int encrypt); -}; -struct ipsec_alg_auth { - IPSEC_ALG_STRUCT_COMMON - unsigned ixt_a_keylen; /* raw key length in bytes */ - unsigned ixt_a_ctx_size; /* sa_p->key_a_size */ - unsigned ixt_a_authlen; /* 'natural' auth. hash len (bytes) */ - int (*ixt_a_hmac_set_key)(struct ipsec_alg_auth *alg, __u8 *key_a, const __u8 *key, int keylen); - int (*ixt_a_hmac_hash)(struct ipsec_alg_auth *alg, __u8 *key_a, const __u8 *dat, int len, __u8 *hash, int hashlen); -}; -/* - * These are _copies_ of SADB_EXT_SUPPORTED_{AUTH,ENCRYPT}, - * to avoid header coupling for true constants - * about headers ... "cp is your friend" --Linus - */ -#define IPSEC_ALG_TYPE_AUTH 14 -#define IPSEC_ALG_TYPE_ENCRYPT 15 - -/*************************************************************** - * - * INTERFACE for module loading,testing, and unloading - * - ***************************************************************/ -/* - registration calls */ -int register_ipsec_alg(struct ipsec_alg *); -int unregister_ipsec_alg(struct ipsec_alg *); -/* - optional (simple test) for algos */ -int ipsec_alg_test(unsigned alg_type, unsigned alg_id, int testparm); -/* inline wrappers (usefull for type validation */ -static inline int register_ipsec_alg_enc(struct ipsec_alg_enc *ixt) { - return register_ipsec_alg((struct ipsec_alg*)ixt); -} -static inline int unregister_ipsec_alg_enc(struct ipsec_alg_enc *ixt) { - return unregister_ipsec_alg((struct ipsec_alg*)ixt); -} -static inline int register_ipsec_alg_auth(struct ipsec_alg_auth *ixt) { - return register_ipsec_alg((struct ipsec_alg*)ixt); -} -static inline int unregister_ipsec_alg_auth(struct ipsec_alg_auth *ixt) { - return unregister_ipsec_alg((struct ipsec_alg*)ixt); -} - -/***************************************************************** - * - * INTERFACE for ENC services: key creation, encrypt function - * - *****************************************************************/ - -#define IPSEC_ALG_ENCRYPT 1 -#define IPSEC_ALG_DECRYPT 0 - -/* encryption key context creation function */ -int ipsec_alg_enc_key_create(struct ipsec_sa *sa_p); -/* - * ipsec_alg_esp_encrypt(): encrypt ilen bytes in idat returns - * 0 or ERR<0 - */ -int ipsec_alg_esp_encrypt(struct ipsec_sa *sa_p, __u8 *idat, int ilen, const __u8 *iv, int action); - -/*************************************************************** - * - * INTERFACE for AUTH services: key creation, hash functions - * - ***************************************************************/ -int ipsec_alg_auth_key_create(struct ipsec_sa *sa_p); -int ipsec_alg_sa_esp_hash(const struct ipsec_sa *sa_p, const __u8 *espp, int len, __u8 *hash, int hashlen) ; -#define ipsec_alg_sa_esp_update(c,k,l) ipsec_alg_sa_esp_hash(c,k,l,NULL,0) - -/* only called from ipsec_init.c */ -int ipsec_alg_init(void); - -/* algo module glue for static algos */ -void ipsec_alg_static_init(void); -typedef int (*ipsec_alg_init_func_t) (void); - -/********************************************** - * - * INTERFACE for ipsec_sa init and wipe - * - **********************************************/ - -/* returns true if ipsec_sa has ipsec_alg obj attached */ -/* - * Initializes ipsec_sa's ipsec_alg object, using already loaded - * proto, authalg, encalg.; links ipsec_alg objects (enc, auth) - */ -int ipsec_alg_sa_init(struct ipsec_sa *sa_p); -/* - * Destroys ipsec_sa's ipsec_alg object - * unlinking ipsec_alg objects - */ -int ipsec_alg_sa_wipe(struct ipsec_sa *sa_p); - -/********************************************** - * - * 2.2 backport for some 2.4 useful module stuff - * - **********************************************/ -#ifdef MODULE -#ifndef THIS_MODULE -#define THIS_MODULE (&__this_module) -#endif -#ifndef module_init -typedef int (*__init_module_func_t)(void); -typedef void (*__cleanup_module_func_t)(void); - -#define module_init(x) \ - int init_module(void) __attribute__((alias(#x))); \ - static inline __init_module_func_t __init_module_inline(void) \ - { return x; } -#define module_exit(x) \ - void cleanup_module(void) __attribute__((alias(#x))); \ - static inline __cleanup_module_func_t __cleanup_module_inline(void) \ - { return x; } -#endif - -#define IPSEC_ALG_MODULE_INIT( func_name ) \ - static int func_name(void); \ - module_init(func_name); \ - static int __init func_name(void) -#define IPSEC_ALG_MODULE_EXIT( func_name ) \ - static void func_name(void); \ - module_exit(func_name); \ - static void __exit func_name(void) -#else /* not MODULE */ -#ifndef THIS_MODULE -#define THIS_MODULE NULL -#endif -/* - * I only want module_init() magic - * when algo.c file *is THE MODULE*, in all other - * cases, initialization is called explicitely from ipsec_alg_init() - */ -#define IPSEC_ALG_MODULE_INIT( func_name ) \ - extern int func_name(void); \ - int func_name(void) -#define IPSEC_ALG_MODULE_EXIT( func_name ) \ - extern void func_name(void); \ - void func_name(void) -#endif - -#endif /* IPSEC_ALG_H */ diff --git a/src/libfreeswan/ipsec_encap.h b/src/libfreeswan/ipsec_encap.h deleted file mode 100644 index 69b2ca357..000000000 --- a/src/libfreeswan/ipsec_encap.h +++ /dev/null @@ -1,55 +0,0 @@ -/* - * declarations relevant to encapsulation-like operations - * Copyright (C) 1996, 1997 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - */ - -#ifndef _IPSEC_ENCAP_H_ - -#define SENT_IP4 16 /* data is two struct in_addr + proto + ports*/ - /* (2 * sizeof(struct in_addr)) */ - /* sizeof(struct sockaddr_encap) - - offsetof(struct sockaddr_encap, Sen.Sip4.Src) */ - -struct sockaddr_encap -{ - __u8 sen_len; /* length */ - __u8 sen_family; /* AF_ENCAP */ - __u16 sen_type; /* see SENT_* */ - union - { - struct /* SENT_IP4 */ - { - struct in_addr Src; - struct in_addr Dst; - __u8 Proto; - __u16 Sport; - __u16 Dport; - } Sip4; - } Sen; -}; - -#define sen_ip_src Sen.Sip4.Src -#define sen_ip_dst Sen.Sip4.Dst -#define sen_proto Sen.Sip4.Proto -#define sen_sport Sen.Sip4.Sport -#define sen_dport Sen.Sip4.Dport - -#ifndef AF_ENCAP -#define AF_ENCAP 26 -#endif /* AF_ENCAP */ - -#define _IPSEC_ENCAP_H_ -#endif /* _IPSEC_ENCAP_H_ */ diff --git a/src/libfreeswan/ipsec_eroute.h b/src/libfreeswan/ipsec_eroute.h deleted file mode 100644 index 0afabf0db..000000000 --- a/src/libfreeswan/ipsec_eroute.h +++ /dev/null @@ -1,82 +0,0 @@ -/* - * @(#) declarations of eroute structures - * - * Copyright (C) 1996, 1997 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs <rgb@freeswan.org> - * Copyright (C) 2001 Michael Richardson <mcr@freeswan.org> - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - * - * derived from ipsec_encap.h 1.15 on 2001/9/18 by mcr. - * - */ - -#ifndef _IPSEC_EROUTE_H_ - -#include "radij.h" -#include "ipsec_encap.h" -#include "ipsec_radij.h" - -/* - * The "type" is really part of the address as far as the routing - * system is concerned. By using only one bit in the type field - * for each type, we sort-of make sure that different types of - * encapsulation addresses won't be matched against the wrong type. - */ - -/* - * An entry in the radix tree - */ - -struct rjtentry -{ - struct radij_node rd_nodes[2]; /* tree glue, and other values */ -#define rd_key(r) ((struct sockaddr_encap *)((r)->rd_nodes->rj_key)) -#define rd_mask(r) ((struct sockaddr_encap *)((r)->rd_nodes->rj_mask)) - short rd_flags; - short rd_count; -}; - -struct ident -{ - __u16 type; /* identity type */ - __u64 id; /* identity id */ - __u8 len; /* identity len */ - caddr_t data; /* identity data */ -}; - -/* - * An encapsulation route consists of a pointer to a - * radix tree entry and a SAID (a destination_address/SPI/protocol triple). - */ - -struct eroute -{ - struct rjtentry er_rjt; - struct sa_id er_said; - uint32_t er_pid; - uint32_t er_count; - uint64_t er_lasttime; - struct sockaddr_encap er_eaddr; /* MCR get rid of _encap, it is silly*/ - struct sockaddr_encap er_emask; - struct ident er_ident_s; - struct ident er_ident_d; - struct sk_buff* er_first; - struct sk_buff* er_last; -}; - -#define er_dst er_said.dst -#define er_spi er_said.spi - -#define _IPSEC_EROUTE_H_ -#endif /* _IPSEC_EROUTE_H_ */ diff --git a/src/libfreeswan/ipsec_errs.h b/src/libfreeswan/ipsec_errs.h deleted file mode 100644 index cfd549832..000000000 --- a/src/libfreeswan/ipsec_errs.h +++ /dev/null @@ -1,32 +0,0 @@ -/* - * @(#) definition of ipsec_errs structure - * - * Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org> - * and Michael Richardson <mcr@freeswan.org> - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - * - */ - -/* - * This file describes the errors/statistics that FreeSWAN collects. - * - */ - -struct ipsec_errs { - __u32 ips_alg_errs; /* number of algorithm errors */ - __u32 ips_auth_errs; /* # of authentication errors */ - __u32 ips_encsize_errs; /* # of encryption size errors*/ - __u32 ips_encpad_errs; /* # of encryption pad errors*/ - __u32 ips_replaywin_errs; /* # of pkt sequence errors */ -}; diff --git a/src/libfreeswan/ipsec_esp.h b/src/libfreeswan/ipsec_esp.h deleted file mode 100644 index 2bd9f3c3b..000000000 --- a/src/libfreeswan/ipsec_esp.h +++ /dev/null @@ -1,80 +0,0 @@ -/* - * Copyright (C) 1996, 1997 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - */ - -#include "freeswan/ipsec_md5h.h" -#include "freeswan/ipsec_sha1.h" - -#include "crypto/des.h" - -#ifndef IPPROTO_ESP -#define IPPROTO_ESP 50 -#endif /* IPPROTO_ESP */ - -#define ESP_HEADER_LEN 8 /* 64 bits header (spi+rpl)*/ - -#define EMT_ESPDESCBC_ULEN 20 /* coming from user mode */ -#define EMT_ESPDES_KMAX 64 /* 512 bit secret key enough? */ -#define EMT_ESPDES_KEY_SZ 8 /* 56 bit secret key with parity = 64 bits */ -#define EMT_ESP3DES_KEY_SZ 24 /* 168 bit secret key with parity = 192 bits */ -#define EMT_ESPDES_IV_SZ 8 /* IV size */ -#define ESP_DESCBC_BLKLEN 8 /* DES-CBC block size */ - -#define ESP_IV_MAXSZ 16 /* This is _critical_ */ -#define ESP_IV_MAXSZ_INT (ESP_IV_MAXSZ/sizeof(int)) - -#define DB_ES_PKTRX 0x0001 -#define DB_ES_PKTRX2 0x0002 -#define DB_ES_IPSA 0x0010 -#define DB_ES_XF 0x0020 -#define DB_ES_IPAD 0x0040 -#define DB_ES_INAU 0x0080 -#define DB_ES_OINFO 0x0100 -#define DB_ES_OINFO2 0x0200 -#define DB_ES_OH 0x0400 -#define DB_ES_REPLAY 0x0800 - -#ifdef __KERNEL__ -struct des_eks { - des_key_schedule ks; -}; - -extern struct inet_protocol esp_protocol; - -struct options; - -extern int -esp_rcv(struct sk_buff *skb, - struct device *dev, - struct options *opt, - __u32 daddr, - unsigned short len, - __u32 saddr, - int redo, - struct inet_protocol *protocol); - -/* Only for 64 bits IVs, eg. ESP_3DES :P */ -struct esphdr -{ - __u32 esp_spi; /* Security Parameters Index */ - __u32 esp_rpl; /* Replay counter */ - __u8 esp_iv[8]; /* iv */ -}; - -#ifdef CONFIG_IPSEC_DEBUG -extern int debug_esp; -#endif /* CONFIG_IPSEC_DEBUG */ -#endif /* __KERNEL__ */ diff --git a/src/libfreeswan/ipsec_ipe4.h b/src/libfreeswan/ipsec_ipe4.h deleted file mode 100644 index 698bf55d1..000000000 --- a/src/libfreeswan/ipsec_ipe4.h +++ /dev/null @@ -1,27 +0,0 @@ -/* - * IP-in-IP Header declarations - * Copyright (C) 1996, 1997 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - */ - -/* The packet header is an IP header! */ - -struct ipe4_xdata /* transform table data */ -{ - struct in_addr i4_src; - struct in_addr i4_dst; -}; - -#define EMT_IPE4_ULEN 8 /* coming from user mode */ diff --git a/src/libfreeswan/ipsec_kversion.h b/src/libfreeswan/ipsec_kversion.h deleted file mode 100644 index a7741b8c8..000000000 --- a/src/libfreeswan/ipsec_kversion.h +++ /dev/null @@ -1,191 +0,0 @@ -#ifndef _FREESWAN_KVERSIONS_H -/* - * header file for FreeS/WAN library functions - * Copyright (C) 1998, 1999, 2000 Henry Spencer. - * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs - * - * This library is free software; you can redistribute it and/or modify it - * under the terms of the GNU Library General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>. - * - * This library is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public - * License for more details. - * - * RCSID $Id$ - */ -#define _FREESWAN_KVERSIONS_H /* seen it, no need to see it again */ - -/* - * this file contains a series of atomic defines that depend upon - * kernel version numbers. The kernel versions are arranged - * in version-order number (which is often not chronological) - * and each clause enables or disables a feature. - */ - -/* - * First, assorted kernel-version-dependent trickery. - */ -#include <linux/version.h> -#ifndef KERNEL_VERSION -#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z)) -#endif - -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,0) -#define HEADER_CACHE_BIND_21 -#endif - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0) -#define SPINLOCK -#define PROC_FS_21 -#define NETLINK_SOCK -#define NET_21 -#endif - -#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,19) -#define net_device_stats enet_statistics -#endif - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0) -#define SPINLOCK_23 -#define NETDEV_23 -# ifndef CONFIG_IP_ALIAS -# define CONFIG_IP_ALIAS -# endif -#include <linux/socket.h> -#include <linux/skbuff.h> -#include <linux/netlink.h> -# ifdef NETLINK_XFRM -# define NETDEV_25 -# endif -#endif - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,25) -#define PROC_FS_2325 -#undef PROC_FS_21 -#endif - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,30) -#define PROC_NO_DUMMY -#endif - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,35) -#define SKB_COPY_EXPAND -#endif - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,37) -#define IP_SELECT_IDENT -#endif - -#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,50)) && defined(CONFIG_NETFILTER) -#define SKB_RESET_NFCT -#endif - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,2) -#define IP_SELECT_IDENT_NEW -#endif - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) -#define IPH_is_SKB_PULLED -#define SKB_COW_NEW -#define PROTO_HANDLER_SINGLE_PARM -#define IP_FRAGMENT_LINEARIZE 1 -#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */ -# ifdef REDHAT_BOGOSITY -# define IP_SELECT_IDENT_NEW -# define IPH_is_SKB_PULLED -# define SKB_COW_NEW -# define PROTO_HANDLER_SINGLE_PARM -# endif /* REDHAT_BOGOSITY */ -#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */ - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9) -#define MALLOC_SLAB -#define LINUX_KERNEL_HAS_SNPRINTF -#endif - -#ifdef NET_21 -# include <linux/in6.h> -#else - /* old kernel in.h has some IPv6 stuff, but not quite enough */ -# define s6_addr16 s6_addr -# define AF_INET6 10 -# define uint8_t __u8 -# define uint16_t __u16 -# define uint32_t __u32 -# define uint64_t __u64 -#endif - -#ifdef NET_21 -# define ipsec_kfree_skb(a) kfree_skb(a) -#else /* NET_21 */ -# define ipsec_kfree_skb(a) kfree_skb(a, FREE_WRITE) -#endif /* NET_21 */ - -#ifdef NETDEV_23 -# define device net_device -# define ipsec_dev_get dev_get_by_name -# define __ipsec_dev_get __dev_get_by_name -# define ipsec_dev_put(x) dev_put(x) -# define __ipsec_dev_put(x) __dev_put(x) -# define ipsec_dev_hold(x) dev_hold(x) -#else /* NETDEV_23 */ -# define ipsec_dev_get dev_get -# define __ipsec_dev_put(x) -# define ipsec_dev_put(x) -# define ipsec_dev_hold(x) -#endif /* NETDEV_23 */ - -#ifndef SPINLOCK -# include <linux/bios32.h> - /* simulate spin locks and read/write locks */ - typedef struct { - volatile char lock; - } spinlock_t; - - typedef struct { - volatile unsigned int lock; - } rwlock_t; - -# define spin_lock_init(x) { (x)->lock = 0;} -# define rw_lock_init(x) { (x)->lock = 0; } - -# define spin_lock(x) { while ((x)->lock) barrier(); (x)->lock=1;} -# define spin_lock_irq(x) { cli(); spin_lock(x);} -# define spin_lock_irqsave(x,flags) { save_flags(flags); spin_lock_irq(x);} - -# define spin_unlock(x) { (x)->lock=0;} -# define spin_unlock_irq(x) { spin_unlock(x); sti();} -# define spin_unlock_irqrestore(x,flags) { spin_unlock(x); restore_flags(flags);} - -# define read_lock(x) spin_lock(x) -# define read_lock_irq(x) spin_lock_irq(x) -# define read_lock_irqsave(x,flags) spin_lock_irqsave(x,flags) - -# define read_unlock(x) spin_unlock(x) -# define read_unlock_irq(x) spin_unlock_irq(x) -# define read_unlock_irqrestore(x,flags) spin_unlock_irqrestore(x,flags) - -# define write_lock(x) spin_lock(x) -# define write_lock_irq(x) spin_lock_irq(x) -# define write_lock_irqsave(x,flags) spin_lock_irqsave(x,flags) - -# define write_unlock(x) spin_unlock(x) -# define write_unlock_irq(x) spin_unlock_irq(x) -# define write_unlock_irqrestore(x,flags) spin_unlock_irqrestore(x,flags) -#endif /* !SPINLOCK */ - -#ifndef SPINLOCK_23 -# define spin_lock_bh(x) spin_lock_irq(x) -# define spin_unlock_bh(x) spin_unlock_irq(x) - -# define read_lock_bh(x) read_lock_irq(x) -# define read_unlock_bh(x) read_unlock_irq(x) - -# define write_lock_bh(x) write_lock_irq(x) -# define write_unlock_bh(x) write_unlock_irq(x) -#endif /* !SPINLOCK_23 */ - -#endif /* _FREESWAN_KVERSIONS_H */ diff --git a/src/libfreeswan/ipsec_life.h b/src/libfreeswan/ipsec_life.h deleted file mode 100644 index 817d27316..000000000 --- a/src/libfreeswan/ipsec_life.h +++ /dev/null @@ -1,90 +0,0 @@ -/* - * Definitions relevant to IPSEC lifetimes - * Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org> - * and Michael Richardson <mcr@freeswan.org> - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - * - * This file derived from ipsec_xform.h on 2001/9/18 by mcr. - * - */ - -/* - * This file describes the book keeping fields for the - * IPsec Security Association Structure. ("ipsec_sa") - * - * This structure is never allocated directly by kernel code, - * (it is always a static/auto or is part of a structure) - * so it does not have a reference count. - * - */ - -#ifndef _IPSEC_LIFE_H_ - -/* - * _count is total count. - * _hard is hard limit (kill SA after this number) - * _soft is soft limit (try to renew SA after this number) - * _last is used in some special cases. - * - */ - -struct ipsec_lifetime64 -{ - __u64 ipl_count; - __u64 ipl_soft; - __u64 ipl_hard; - __u64 ipl_last; -}; - -struct ipsec_lifetimes -{ - /* number of bytes processed */ - struct ipsec_lifetime64 ipl_bytes; - - /* number of packets processed */ - struct ipsec_lifetime64 ipl_packets; - - /* time since SA was added */ - struct ipsec_lifetime64 ipl_addtime; - - /* time since SA was first used */ - struct ipsec_lifetime64 ipl_usetime; - - /* from rfc2367: - * For CURRENT, the number of different connections, - * endpoints, or flows that the association has been - * allocated towards. For HARD and SOFT, the number of - * these the association may be allocated towards - * before it expires. The concept of a connection, - * flow, or endpoint is system specific. - * - * mcr(2001-9-18) it is unclear what purpose these serve for FreeSWAN. - * They are maintained for PF_KEY compatibility. - */ - struct ipsec_lifetime64 ipl_allocations; -}; - -enum ipsec_life_alive { - ipsec_life_harddied = -1, - ipsec_life_softdied = 0, - ipsec_life_okay = 1 -}; - -enum ipsec_life_type { - ipsec_life_timebased = 1, - ipsec_life_countbased= 0 -}; - -#define _IPSEC_LIFE_H_ -#endif /* _IPSEC_LIFE_H_ */ diff --git a/src/libfreeswan/ipsec_md5h.h b/src/libfreeswan/ipsec_md5h.h deleted file mode 100644 index 0bc73b6ab..000000000 --- a/src/libfreeswan/ipsec_md5h.h +++ /dev/null @@ -1,83 +0,0 @@ -/* - * RCSID $Id$ - */ - -/* - * The rest of this file is Copyright RSA DSI. See the following comments - * for the full Copyright notice. - */ - -#ifndef _IPSEC_MD5H_H_ -#define _IPSEC_MD5H_H_ - -/* GLOBAL.H - RSAREF types and constants - */ - -/* PROTOTYPES should be set to one if and only if the compiler supports - function argument prototyping. - The following makes PROTOTYPES default to 0 if it has not already - been defined with C compiler flags. - */ -#ifndef PROTOTYPES -#define PROTOTYPES 1 -#endif /* !PROTOTYPES */ - -/* POINTER defines a generic pointer type */ -typedef __u8 *POINTER; - -/* UINT2 defines a two byte word */ -typedef __u16 UINT2; - -/* UINT4 defines a four byte word */ -typedef __u32 UINT4; - -/* PROTO_LIST is defined depending on how PROTOTYPES is defined above. - If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it - returns an empty list. - */ - -#if PROTOTYPES -#define PROTO_LIST(list) list -#else /* PROTOTYPES */ -#define PROTO_LIST(list) () -#endif /* PROTOTYPES */ - - -/* MD5.H - header file for MD5C.C - */ - -/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All -rights reserved. - -License to copy and use this software is granted provided that it -is identified as the "RSA Data Security, Inc. MD5 Message-Digest -Algorithm" in all material mentioning or referencing this software -or this function. - -License is also granted to make and use derivative works provided -that such works are identified as "derived from the RSA Data -Security, Inc. MD5 Message-Digest Algorithm" in all material -mentioning or referencing the derived work. - -RSA Data Security, Inc. makes no representations concerning either -the merchantability of this software or the suitability of this -software for any particular purpose. It is provided "as is" -without express or implied warranty of any kind. - -These notices must be retained in any copies of any part of this -documentation and/or software. - */ - -/* MD5 context. */ -typedef struct { - UINT4 state[4]; /* state (ABCD) */ - UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */ - unsigned char buffer[64]; /* input buffer */ -} MD5_CTX; - -void MD5Init PROTO_LIST ((void *)); -void MD5Update PROTO_LIST - ((void *, unsigned char *, __u32)); -void MD5Final PROTO_LIST ((unsigned char [16], void *)); - -#endif /* _IPSEC_MD5H_H_ */ diff --git a/src/libfreeswan/ipsec_param.h b/src/libfreeswan/ipsec_param.h index 63309ca34..98ba48cad 100644 --- a/src/libfreeswan/ipsec_param.h +++ b/src/libfreeswan/ipsec_param.h @@ -28,40 +28,6 @@ #ifndef _IPSEC_PARAM_H_ -#ifdef __KERNEL__ -#include "ipsec_kversion.h" - -/* Set number of ipsecX virtual devices here. */ -/* This must be < exp(field width of IPSEC_DEV_FORMAT) */ -/* It must also be reasonable so as not to overload the memory and CPU */ -/* constraints of the host. */ -#define IPSEC_NUM_IF 4 -/* The field width must be < IF_NAM_SIZ - strlen("ipsec") - 1. */ -/* With "ipsec" being 5 characters, that means 10 is the max field width */ -/* but machine memory and CPU constraints are not likely to tollerate */ -/* more than 3 digits. The default is one digit. */ -/* Update: userland scripts get upset if they can't find "ipsec0", so */ -/* for now, no "0"-padding should be used (which would have been helpful */ -/* to make text-searches work */ -#define IPSEC_DEV_FORMAT "ipsec%d" -/* For, say, 500 virtual ipsec devices, I would recommend: */ -/* #define IPSEC_NUM_IF 500 */ -/* #define IPSEC_DEV_FORMAT "ipsec%03d" */ -/* Note that the "interfaces=" line in /etc/ipsec.conf would be, um, challenging. */ - -/* use dynamic ipsecX device allocation */ -#ifndef CONFIG_IPSEC_DYNDEV -#define CONFIG_IPSEC_DYNDEV 1 -#endif /* CONFIG_IPSEC_DYNDEV */ - - -#ifdef CONFIG_IPSEC_BIGGATE -# define SADB_HASHMOD 8069 -#else /* CONFIG_IPSEC_BIGGATE */ -# define SADB_HASHMOD 257 -#endif /* CONFIG_IPSEC_BIGGATE */ -#endif /* __KERNEL__ */ - /* * This is for the SA reference table. This number is related to the * maximum number of SAs that KLIPS can concurrently deal with, plus enough @@ -87,140 +53,5 @@ # define IPSEC_SA_REF_CODE 1 #endif -#ifdef __KERNEL__ -/* This is defined for 2.4, but not 2.2.... */ -#ifndef ARPHRD_VOID -# define ARPHRD_VOID 0xFFFF -#endif - -/* - * Worry about PROC_FS stuff - */ -#if defined(PROC_FS_2325) -/* kernel 2.4 */ -# define IPSEC_PROC_LAST_ARG ,int *eof,void *data -# define IPSEC_PROCFS_DEBUG_NO_STATIC -# define IPSEC_PROC_SUBDIRS -#else -/* kernel <2.4 */ -# define IPSEC_PROCFS_DEBUG_NO_STATIC DEBUG_NO_STATIC - -# ifndef PROC_NO_DUMMY -# define IPSEC_PROC_LAST_ARG , int dummy -# else -# define IPSEC_PROC_LAST_ARG -# endif /* !PROC_NO_DUMMY */ -#endif /* PROC_FS_2325 */ - -#if !defined(LINUX_KERNEL_HAS_SNPRINTF) -/* GNU CPP specific! */ -# define snprintf(buf, len, fmt...) sprintf(buf, ##fmt) -#endif /* !LINUX_KERNEL_HAS_SNPRINTF */ - -#ifdef SPINLOCK -# ifdef SPINLOCK_23 -# include <linux/spinlock.h> /* *lock* */ -# else /* SPINLOCK_23 */ -# include <asm/spinlock.h> /* *lock* */ -# endif /* SPINLOCK_23 */ -#endif /* SPINLOCK */ - -#ifndef KLIPS_FIXES_DES_PARITY -# define KLIPS_FIXES_DES_PARITY 1 -#endif /* !KLIPS_FIXES_DES_PARITY */ - -/* we don't really want to print these unless there are really big problems */ -#ifndef KLIPS_DIVULGE_CYPHER_KEY -# define KLIPS_DIVULGE_CYPHER_KEY 0 -#endif /* !KLIPS_DIVULGE_CYPHER_KEY */ - -#ifndef KLIPS_DIVULGE_HMAC_KEY -# define KLIPS_DIVULGE_HMAC_KEY 0 -#endif /* !KLIPS_DIVULGE_HMAC_KEY */ - -#ifndef IPSEC_DISALLOW_IPOPTIONS -# define IPSEC_DISALLOW_IPOPTIONS 1 -#endif /* !KLIPS_DIVULGE_HMAC_KEY */ - -/* extra toggles for regression testing */ -#ifdef CONFIG_IPSEC_REGRESS - -/* - * should pfkey_acquire() become 100% lossy? - * - */ -extern int sysctl_ipsec_regress_pfkey_lossage; -#ifndef KLIPS_PFKEY_ACQUIRE_LOSSAGE -# ifdef CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE -# define KLIPS_PFKEY_ACQUIRE_LOSSAGE 100 -# else /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */ -/* not by default! */ -# define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0 -# endif /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */ -#endif /* KLIPS_PFKEY_ACQUIRE_LOSSAGE */ - -#endif /* CONFIG_IPSEC_REGRESS */ - -/* - * debugging routines. - */ -#ifdef CONFIG_IPSEC_DEBUG -extern void ipsec_print_ip(struct iphdr *ip); - - #define KLIPS_PRINT(flag, format, args...) \ - ((flag) ? printk(KERN_INFO format , ## args) : 0) - #define KLIPS_PRINTMORE(flag, format, args...) \ - ((flag) ? printk(format , ## args) : 0) - #define KLIPS_IP_PRINT(flag, ip) \ - ((flag) ? ipsec_print_ip(ip) : 0) -#else /* CONFIG_IPSEC_DEBUG */ - #define KLIPS_PRINT(flag, format, args...) do ; while(0) - #define KLIPS_PRINTMORE(flag, format, args...) do ; while(0) - #define KLIPS_IP_PRINT(flag, ip) do ; while(0) -#endif /* CONFIG_IPSEC_DEBUG */ - - -/* - * Stupid kernel API differences in APIs. Not only do some - * kernels not have ip_select_ident, but some have differing APIs, - * and SuSE has one with one parameter, but no way of checking to - * see what is really what. - */ - -#ifdef SUSE_LINUX_2_4_19_IS_STUPID -#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph) -#else - -/* simplest case, nothing */ -#if !defined(IP_SELECT_IDENT) -#define KLIPS_IP_SELECT_IDENT(iph, skb) do { iph->id = htons(ip_id_count++); } while(0) -#endif - -/* kernels > 2.3.37-ish */ -#if defined(IP_SELECT_IDENT) && !defined(IP_SELECT_IDENT_NEW) -#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst) -#endif - -/* kernels > 2.4.2 */ -#if defined(IP_SELECT_IDENT) && defined(IP_SELECT_IDENT_NEW) -#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst, NULL) -#endif - -#endif /* SUSE_LINUX_2_4_19_IS_STUPID */ - -/* - * make klips fail test:east-espiv-01. - * exploit is at testing/attacks/espiv - * - */ -#define KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK 0 - - -/* IP_FRAGMENT_LINEARIZE is set in freeswan.h if Kernel > 2.4.4 */ -#ifndef IP_FRAGMENT_LINEARIZE -# define IP_FRAGMENT_LINEARIZE 0 -#endif /* IP_FRAGMENT_LINEARIZE */ -#endif /* __KERNEL__ */ - #define _IPSEC_PARAM_H_ #endif /* _IPSEC_PARAM_H_ */ diff --git a/src/libfreeswan/ipsec_proto.h b/src/libfreeswan/ipsec_proto.h deleted file mode 100644 index 8c7495e11..000000000 --- a/src/libfreeswan/ipsec_proto.h +++ /dev/null @@ -1,111 +0,0 @@ -/* - * @(#) prototypes for FreeSWAN functions - * - * Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org> - * and Michael Richardson <mcr@freeswan.org> - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - * - */ - -#ifndef _IPSEC_PROTO_H_ - -#include "ipsec_param.h" - -/* - * This file is a kernel only file that declares prototypes for - * all intra-module function calls and global data structures. - * - * Include this file last. - * - */ - -/* ipsec_init.c */ -extern struct prng ipsec_prng; - -/* ipsec_sa.c */ -extern struct ipsec_sa *ipsec_sadb_hash[SADB_HASHMOD]; -extern spinlock_t tdb_lock; -extern int ipsec_sadb_init(void); - -extern struct ipsec_sa *ipsec_sa_getbyid(struct sa_id*); -extern int ipsec_sa_put(struct ipsec_sa *); -extern /* void */ int ipsec_sa_del(struct ipsec_sa *); -extern /* void */ int ipsec_sa_delchain(struct ipsec_sa *); -extern /* void */ int ipsec_sa_add(struct ipsec_sa *); - -extern int ipsec_sadb_cleanup(__u8); -extern int ipsec_sa_wipe(struct ipsec_sa *); - -/* debug declarations */ - -/* ipsec_proc.c */ -extern int ipsec_proc_init(void); -extern void ipsec_proc_cleanup(void); - -/* ipsec_radij.c */ -extern int ipsec_makeroute(struct sockaddr_encap *ea, - struct sockaddr_encap *em, - struct sa_id said, - uint32_t pid, - struct sk_buff *skb, - struct ident *ident_s, - struct ident *ident_d); - -extern int ipsec_breakroute(struct sockaddr_encap *ea, - struct sockaddr_encap *em, - struct sk_buff **first, - struct sk_buff **last); - -int ipsec_radijinit(void); -int ipsec_cleareroutes(void); -int ipsec_radijcleanup(void); - -/* ipsec_life.c */ -extern enum ipsec_life_alive ipsec_lifetime_check(struct ipsec_lifetime64 *il64, - const char *lifename, - const char *saname, - enum ipsec_life_type ilt, - enum ipsec_direction idir, - struct ipsec_sa *ips); - - -extern int ipsec_lifetime_format(char *buffer, - int buflen, - char *lifename, - enum ipsec_life_type timebaselife, - struct ipsec_lifetime64 *lifetime); - -extern void ipsec_lifetime_update_hard(struct ipsec_lifetime64 *lifetime, - __u64 newvalue); - -extern void ipsec_lifetime_update_soft(struct ipsec_lifetime64 *lifetime, - __u64 newvalue); - - - - -#ifdef CONFIG_IPSEC_DEBUG - -extern int debug_xform; -extern int debug_eroute; -extern int debug_spi; -extern int debug_netlink; - -#endif /* CONFIG_IPSEC_DEBUG */ - - - - -#define _IPSEC_PROTO_H -#endif /* _IPSEC_PROTO_H_ */ diff --git a/src/libfreeswan/ipsec_radij.h b/src/libfreeswan/ipsec_radij.h deleted file mode 100644 index 7b45f18be..000000000 --- a/src/libfreeswan/ipsec_radij.h +++ /dev/null @@ -1,63 +0,0 @@ -/* - * @(#) Definitions relevant to the IPSEC <> radij tree interfacing - * Copyright (C) 1996, 1997 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - */ - -#ifndef _IPSEC_RADIJ_H - -#include <freeswan.h> - -int ipsec_walk(char *); - -int ipsec_rj_walker_procprint(struct radij_node *, void *); -int ipsec_rj_walker_delete(struct radij_node *, void *); - -/* This structure is used to pass information between - * ipsec_eroute_get_info and ipsec_rj_walker_procprint - * (through rj_walktree) and between calls of ipsec_rj_walker_procprint. - */ -struct wsbuf -{ - /* from caller of ipsec_eroute_get_info: */ - char *const buffer; /* start of buffer provided */ - const int length; /* length of buffer provided */ - const off_t offset; /* file position of first character of interest */ - /* accumulated by ipsec_rj_walker_procprint: */ - int len; /* number of character filled into buffer */ - off_t begin; /* file position contained in buffer[0] (<=offset) */ -}; - - -extern struct radij_node_head *rnh; -extern spinlock_t eroute_lock; - -struct eroute * ipsec_findroute(struct sockaddr_encap *); - -#define O1(x) (int)(((x)>>24)&0xff) -#define O2(x) (int)(((x)>>16)&0xff) -#define O3(x) (int)(((x)>>8)&0xff) -#define O4(x) (int)(((x))&0xff) - -#ifdef CONFIG_IPSEC_DEBUG -extern int debug_radij; -void rj_dumptrees(void); - -#define DB_RJ_DUMPTREES 0x0001 -#define DB_RJ_FINDROUTE 0x0002 -#endif /* CONFIG_IPSEC_DEBUG */ - -#define _IPSEC_RADIJ_H -#endif diff --git a/src/libfreeswan/ipsec_rcv.h b/src/libfreeswan/ipsec_rcv.h deleted file mode 100644 index c8ed8f556..000000000 --- a/src/libfreeswan/ipsec_rcv.h +++ /dev/null @@ -1,72 +0,0 @@ -/* - * - * Copyright (C) 1996, 1997 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - */ - -#define DB_RX_PKTRX 0x0001 -#define DB_RX_PKTRX2 0x0002 -#define DB_RX_DMP 0x0004 -#define DB_RX_IPSA 0x0010 -#define DB_RX_XF 0x0020 -#define DB_RX_IPAD 0x0040 -#define DB_RX_INAU 0x0080 -#define DB_RX_OINFO 0x0100 -#define DB_RX_OINFO2 0x0200 -#define DB_RX_OH 0x0400 -#define DB_RX_REPLAY 0x0800 - -#ifdef __KERNEL__ -/* struct options; */ - -#define __NO_VERSION__ -#include <linux/module.h> -#include <linux/config.h> /* for CONFIG_IP_FORWARD */ -#include <linux/version.h> -#include <freeswan.h> - -#define IPSEC_BIRTH_TEMPLATE_MAXLEN 256 - -struct ipsec_birth_reply { - int packet_template_len; - unsigned char packet_template[IPSEC_BIRTH_TEMPLATE_MAXLEN]; -}; - -extern struct ipsec_birth_reply ipsec_ipv4_birth_packet; -extern struct ipsec_birth_reply ipsec_ipv6_birth_packet; - -extern int -#ifdef PROTO_HANDLER_SINGLE_PARM -ipsec_rcv(struct sk_buff *skb); -#else /* PROTO_HANDLER_SINGLE_PARM */ -ipsec_rcv(struct sk_buff *skb, -#ifdef NET_21 - unsigned short xlen); -#else /* NET_21 */ - struct device *dev, - struct options *opt, - __u32 daddr, - unsigned short len, - __u32 saddr, - int redo, - struct inet_protocol *protocol); -#endif /* NET_21 */ -#endif /* PROTO_HANDLER_SINGLE_PARM */ - -#ifdef CONFIG_IPSEC_DEBUG -extern int debug_rcv; -#endif /* CONFIG_IPSEC_DEBUG */ -extern int sysctl_ipsec_inbound_policy_check; -#endif /* __KERNEL__ */ diff --git a/src/libfreeswan/ipsec_sa.h b/src/libfreeswan/ipsec_sa.h deleted file mode 100644 index 7b1e5f0fc..000000000 --- a/src/libfreeswan/ipsec_sa.h +++ /dev/null @@ -1,252 +0,0 @@ -/* - * @(#) Definitions of IPsec Security Association (ipsec_sa) - * - * Copyright (C) 2001, 2002, 2003 - * Richard Guy Briggs <rgb@freeswan.org> - * and Michael Richardson <mcr@freeswan.org> - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - * - * This file derived from ipsec_xform.h on 2001/9/18 by mcr. - * - */ - -/* - * This file describes the IPsec Security Association Structure. - * - * This structure keeps track of a single transform that may be done - * to a set of packets. It can describe applying the transform or - * apply the reverse. (e.g. compression vs expansion). However, it - * only describes one at a time. To describe both, two structures would - * be used, but since the sides of the transform are performed - * on different machines typically it is usual to have only one side - * of each association. - * - */ - -#ifndef _IPSEC_SA_H_ - -#ifdef __KERNEL__ -#include "ipsec_stats.h" -#include "ipsec_life.h" -#include "ipsec_eroute.h" -#endif /* __KERNEL__ */ -#include "ipsec_param.h" - - -/* SAs are held in a table. - * Entries in this table are referenced by IPsecSAref_t values. - * IPsecSAref_t values are conceptually subscripts. Because - * we want to allocate the table piece-meal, the subscripting - * is implemented with two levels, a bit like paged virtual memory. - * This representation mechanism is known as an Iliffe Vector. - * - * The Main table (AKA the refTable) consists of 2^IPSEC_SA_REF_MAINTABLE_IDX_WIDTH - * pointers to subtables. - * Each subtable has 2^IPSEC_SA_REF_SUBTABLE_IDX_WIDTH entries, each of which - * is a pointer to an SA. - * - * An IPsecSAref_t contains either an exceptional value (signified by the - * high-order bit being on) or a reference to a table entry. A table entry - * reference has the subtable subscript in the low-order - * IPSEC_SA_REF_SUBTABLE_IDX_WIDTH bits and the Main table subscript - * in the next lowest IPSEC_SA_REF_MAINTABLE_IDX_WIDTH bits. - * - * The Maintable entry for an IPsecSAref_t x, a pointer to its subtable, is - * IPsecSAref2table(x). It is of type struct IPsecSArefSubTable *. - * - * The pointer to the SA for x is IPsecSAref2SA(x). It is of type - * struct ipsec_sa*. The macro definition clearly shows the two-level - * access needed to find the SA pointer. - * - * The Maintable is allocated when IPsec is initialized. - * Each subtable is allocated when needed, but the first is allocated - * when IPsec is initialized. - * - * IPsecSAref_t is designed to be smaller than an NFmark so that - * they can be stored in NFmarks and still leave a few bits for other - * purposes. The spare bits are in the low order of the NFmark - * but in the high order of the IPsecSAref_t, so conversion is required. - * We pick the upper bits of NFmark on the theory that they are less likely to - * interfere with more pedestrian uses of nfmark. - */ - - -typedef unsigned short int IPsecRefTableUnusedCount; - -#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH) - -#ifdef __KERNEL__ -#if ((IPSEC_SA_REF_TABLE_IDX_WIDTH - (1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) < 0) -#error "IPSEC_SA_REF_TABLE_IDX_WIDTH("IPSEC_SA_REF_TABLE_IDX_WIDTH") MUST be < 1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH("IPSEC_SA_REF_MAINTABLE_IDX_WIDTH")" -#endif - -#define IPSEC_SA_REF_SUBTABLE_IDX_WIDTH (IPSEC_SA_REF_TABLE_IDX_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH) - -#define IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_MAINTABLE_IDX_WIDTH) -#define IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) - -#ifdef CONFIG_NETFILTER -#define IPSEC_SA_REF_HOST_FIELD(x) ((struct sk_buff*)(x))->nfmark -#define IPSEC_SA_REF_HOST_FIELD_TYPE typeof(IPSEC_SA_REF_HOST_FIELD(NULL)) -#else /* CONFIG_NETFILTER */ -/* just make it work for now, it doesn't matter, since there is no nfmark */ -#define IPSEC_SA_REF_HOST_FIELD_TYPE unsigned long -#endif /* CONFIG_NETFILTER */ -#define IPSEC_SA_REF_HOST_FIELD_WIDTH (8 * sizeof(IPSEC_SA_REF_HOST_FIELD_TYPE)) -#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t)) - -#define IPSEC_SA_REF_MASK (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH)) -#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) -#define IPSEC_SA_REF_ENTRY_MASK (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)) - -#define IPsecSAref2table(x) (((x) & IPSEC_SA_REF_TABLE_MASK) >> IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) -#define IPsecSAref2entry(x) ((x) & IPSEC_SA_REF_ENTRY_MASK) -#define IPsecSArefBuild(x,y) (((x) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) + (y)) - -#define IPsecSAref2SA(x) (ipsec_sadb.refTable[IPsecSAref2table(x)]->entry[IPsecSAref2entry(x)]) -#define IPsecSA2SAref(x) ((x)->ips_ref) - -#define EMT_INBOUND 0x01 /* SA direction, 1=inbound */ - -/* 'struct ipsec_sa' should be 64bit aligned when allocated. */ -struct ipsec_sa -{ - IPsecSAref_t ips_ref; /* reference table entry number */ - atomic_t ips_refcount; /* reference count for this struct */ - struct ipsec_sa *ips_hnext; /* next in hash chain */ - struct ipsec_sa *ips_inext; /* pointer to next xform */ - struct ipsec_sa *ips_onext; /* pointer to prev xform */ - - struct ifnet *ips_rcvif; /* related rcv encap interface */ - - struct sa_id ips_said; /* SA ID */ - - __u32 ips_seq; /* seq num of msg that initiated this SA */ - __u32 ips_pid; /* PID of process that initiated this SA */ - __u8 ips_authalg; /* auth algorithm for this SA */ - __u8 ips_encalg; /* enc algorithm for this SA */ - - struct ipsec_stats ips_errs; - - __u8 ips_replaywin; /* replay window size */ - __u8 ips_state; /* state of SA */ - __u32 ips_replaywin_lastseq; /* last pkt sequence num */ - __u64 ips_replaywin_bitmap; /* bitmap of received pkts */ - __u32 ips_replaywin_maxdiff; /* max pkt sequence difference */ - - __u32 ips_flags; /* generic xform flags */ - - - struct ipsec_lifetimes ips_life; /* lifetime records */ - - /* selector information */ - struct sockaddr*ips_addr_s; /* src sockaddr */ - struct sockaddr*ips_addr_d; /* dst sockaddr */ - struct sockaddr*ips_addr_p; /* proxy sockaddr */ - __u16 ips_addr_s_size; - __u16 ips_addr_d_size; - __u16 ips_addr_p_size; - ip_address ips_flow_s; - ip_address ips_flow_d; - ip_address ips_mask_s; - ip_address ips_mask_d; - - __u16 ips_key_bits_a; /* size of authkey in bits */ - __u16 ips_auth_bits; /* size of authenticator in bits */ - __u16 ips_key_bits_e; /* size of enckey in bits */ - __u16 ips_iv_bits; /* size of IV in bits */ - __u8 ips_iv_size; - __u16 ips_key_a_size; - __u16 ips_key_e_size; - - caddr_t ips_key_a; /* authentication key */ - caddr_t ips_key_e; /* encryption key */ - caddr_t ips_iv; /* Initialisation Vector */ - - struct ident ips_ident_s; /* identity src */ - struct ident ips_ident_d; /* identity dst */ - -#ifdef CONFIG_IPSEC_IPCOMP - __u16 ips_comp_adapt_tries; /* ipcomp self-adaption tries */ - __u16 ips_comp_adapt_skip; /* ipcomp self-adaption to-skip */ - __u64 ips_comp_ratio_cbytes; /* compressed bytes */ - __u64 ips_comp_ratio_dbytes; /* decompressed (or uncompressed) bytes */ -#endif /* CONFIG_IPSEC_IPCOMP */ - -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL - __u8 ips_natt_type; - __u8 ips_natt_reserved[3]; - __u16 ips_natt_sport; - __u16 ips_natt_dport; - - struct sockaddr *ips_natt_oa; - __u16 ips_natt_oa_size; - __u16 ips_natt_reserved2; -#endif - -#if 0 - __u32 ips_sens_dpd; - __u8 ips_sens_sens_level; - __u8 ips_sens_sens_len; - __u64* ips_sens_sens_bitmap; - __u8 ips_sens_integ_level; - __u8 ips_sens_integ_len; - __u64* ips_sens_integ_bitmap; -#endif - struct ipsec_alg_enc *ips_alg_enc; - struct ipsec_alg_auth *ips_alg_auth; - IPsecSAref_t ips_ref_rel; -}; - -struct IPsecSArefSubTable -{ - struct ipsec_sa* entry[IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES]; -}; - -struct ipsec_sadb { - struct IPsecSArefSubTable* refTable[IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES]; - IPsecSAref_t refFreeList[IPSEC_SA_REF_FREELIST_NUM_ENTRIES]; - int refFreeListHead; - int refFreeListTail; - IPsecSAref_t refFreeListCont; - IPsecSAref_t said_hash[SADB_HASHMOD]; - spinlock_t sadb_lock; -}; - -extern struct ipsec_sadb ipsec_sadb; - -extern int ipsec_SAref_recycle(void); -extern int ipsec_SArefSubTable_alloc(unsigned table); -extern int ipsec_saref_freelist_init(void); -extern int ipsec_sadb_init(void); -extern struct ipsec_sa *ipsec_sa_alloc(int*error); /* pass in error var by pointer */ -extern IPsecSAref_t ipsec_SAref_alloc(int*erorr); /* pass in error var by pointer */ -extern int ipsec_sa_free(struct ipsec_sa* ips); -extern struct ipsec_sa *ipsec_sa_getbyid(struct sa_id *said); -extern int ipsec_sa_put(struct ipsec_sa *ips); -extern int ipsec_sa_add(struct ipsec_sa *ips); -extern int ipsec_sa_del(struct ipsec_sa *ips); -extern int ipsec_sa_delchain(struct ipsec_sa *ips); -extern int ipsec_sadb_cleanup(__u8 proto); -extern int ipsec_sadb_free(void); -extern int ipsec_sa_wipe(struct ipsec_sa *ips); -#endif /* __KERNEL__ */ - -enum ipsec_direction { - ipsec_incoming = 1, - ipsec_outgoing = 2 -}; - -#define _IPSEC_SA_H_ -#endif /* _IPSEC_SA_H_ */ diff --git a/src/libfreeswan/ipsec_sha1.h b/src/libfreeswan/ipsec_sha1.h deleted file mode 100644 index a0fcd90e1..000000000 --- a/src/libfreeswan/ipsec_sha1.h +++ /dev/null @@ -1,32 +0,0 @@ -/* - * RCSID $Id$ - */ - -/* - * Here is the original comment from the distribution: - -SHA-1 in C -By Steve Reid <steve@edmweb.com> -100% Public Domain - - * Adapted for use by the IPSEC code by John Ioannidis - */ - - -#ifndef _IPSEC_SHA1_H_ -#define _IPSEC_SHA1_H_ - -typedef struct -{ - __u32 state[5]; - __u32 count[2]; - __u8 buffer[64]; -} SHA1_CTX; - -void SHA1Transform(__u32 state[5], __u8 buffer[64]); -void SHA1Init(void *context); -void SHA1Update(void *context, unsigned char *data, __u32 len); -void SHA1Final(unsigned char digest[20], void *context); - - -#endif /* _IPSEC_SHA1_H_ */ diff --git a/src/libfreeswan/ipsec_stats.h b/src/libfreeswan/ipsec_stats.h deleted file mode 100644 index 41b304487..000000000 --- a/src/libfreeswan/ipsec_stats.h +++ /dev/null @@ -1,38 +0,0 @@ -/* - * @(#) definition of ipsec_stats structure - * - * Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org> - * and Michael Richardson <mcr@freeswan.org> - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - * - */ - -/* - * This file describes the errors/statistics that FreeSWAN collects. - */ - -#ifndef _IPSEC_STATS_H_ - -struct ipsec_stats { - __u32 ips_alg_errs; /* number of algorithm errors */ - __u32 ips_auth_errs; /* # of authentication errors */ - __u32 ips_encsize_errs; /* # of encryption size errors*/ - __u32 ips_encpad_errs; /* # of encryption pad errors*/ - __u32 ips_replaywin_errs; /* # of pkt sequence errors */ -}; - -extern int ipsec_snprintf(char * buf, ssize_t size, const char *fmt, ...); - -#define _IPSEC_STATS_H_ -#endif /* _IPSEC_STATS_H_ */ diff --git a/src/libfreeswan/ipsec_tunnel.h b/src/libfreeswan/ipsec_tunnel.h deleted file mode 100644 index d3b688e92..000000000 --- a/src/libfreeswan/ipsec_tunnel.h +++ /dev/null @@ -1,128 +0,0 @@ -/* - * IPSEC tunneling code - * Copyright (C) 1996, 1997 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - */ - -#include <linux/types.h> - -#ifdef NET_21 -# define DEV_QUEUE_XMIT(skb, device, pri) {\ - skb->dev = device; \ - neigh_compat_output(skb); \ - /* skb->dst->output(skb); */ \ - } -# define ICMP_SEND(skb_in, type, code, info, dev) \ - icmp_send(skb_in, type, code, htonl(info)) -# define IP_SEND(skb, dev) \ - ip_send(skb); -#else /* NET_21 */ -# define DEV_QUEUE_XMIT(skb, device, pri) {\ - dev_queue_xmit(skb, device, pri); \ - } -# define ICMP_SEND(skb_in, type, code, info, dev) \ - icmp_send(skb_in, type, code, info, dev) -# define IP_SEND(skb, dev) \ - if(ntohs(iph->tot_len) > physmtu) { \ - ip_fragment(NULL, skb, dev, 0); \ - ipsec_kfree_skb(skb); \ - } else { \ - dev_queue_xmit(skb, dev, SOPRI_NORMAL); \ - } -#endif /* NET_21 */ - - -/* - * Heavily based on drivers/net/new_tunnel.c. Lots - * of ideas also taken from the 2.1.x version of drivers/net/shaper.c - */ - -struct ipsectunnelconf -{ - __u32 cf_cmd; - union - { - char cfu_name[12]; - } cf_u; -#define cf_name cf_u.cfu_name -}; - -#define IPSEC_SET_DEV (SIOCDEVPRIVATE) -#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1) -#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2) - -#ifdef __KERNEL__ -#include <linux/version.h> -#ifndef KERNEL_VERSION -# define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z)) -#endif -struct ipsecpriv -{ - struct sk_buff_head sendq; - struct device *dev; - struct wait_queue *wait_queue; - char locked; - int (*hard_start_xmit) (struct sk_buff *skb, - struct device *dev); - int (*hard_header) (struct sk_buff *skb, - struct device *dev, - unsigned short type, - void *daddr, - void *saddr, - unsigned len); -#ifdef NET_21 - int (*rebuild_header)(struct sk_buff *skb); -#else /* NET_21 */ - int (*rebuild_header)(void *buff, struct device *dev, - unsigned long raddr, struct sk_buff *skb); -#endif /* NET_21 */ - int (*set_mac_address)(struct device *dev, void *addr); -#ifndef NET_21 - void (*header_cache_bind)(struct hh_cache **hhp, struct device *dev, - unsigned short htype, __u32 daddr); -#endif /* !NET_21 */ - void (*header_cache_update)(struct hh_cache *hh, struct device *dev, unsigned char * haddr); - struct net_device_stats *(*get_stats)(struct device *dev); - struct net_device_stats mystats; - int mtu; /* What is the desired MTU? */ -}; - -extern char ipsec_tunnel_c_version[]; - -extern struct device *ipsecdevices[IPSEC_NUM_IF]; - -int ipsec_tunnel_init_devices(void); - -/* void */ int ipsec_tunnel_cleanup_devices(void); - -extern /* void */ int ipsec_init(void); - -extern int ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev); - -#ifdef CONFIG_IPSEC_DEBUG -extern int debug_tunnel; -extern int sysctl_ipsec_debug_verbose; -#endif /* CONFIG_IPSEC_DEBUG */ -#endif /* __KERNEL__ */ - -#ifdef CONFIG_IPSEC_DEBUG -#define DB_TN_INIT 0x0001 -#define DB_TN_PROCFS 0x0002 -#define DB_TN_XMIT 0x0010 -#define DB_TN_OHDR 0x0020 -#define DB_TN_CROUT 0x0040 -#define DB_TN_OXFS 0x0080 -#define DB_TN_REVEC 0x0100 -#endif /* CONFIG_IPSEC_DEBUG */ diff --git a/src/libfreeswan/ipsec_xform.h b/src/libfreeswan/ipsec_xform.h deleted file mode 100644 index d06d968ee..000000000 --- a/src/libfreeswan/ipsec_xform.h +++ /dev/null @@ -1,84 +0,0 @@ -/* - * Definitions relevant to IPSEC transformations - * Copyright (C) 1996, 1997 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - */ - -#ifndef _IPSEC_XFORM_H_ - -#include <freeswan.h> -#include "ipsec_policy.h" - -#define XF_NONE 0 /* No transform set */ -#define XF_IP4 1 /* IPv4 inside IPv4 */ -#define XF_AHMD5 2 /* AH MD5 */ -#define XF_AHSHA 3 /* AH SHA */ -#define XF_ESP3DES 5 /* ESP DES3-CBC */ -#define XF_AHHMACMD5 6 /* AH-HMAC-MD5 with opt replay prot */ -#define XF_AHHMACSHA1 7 /* AH-HMAC-SHA1 with opt replay prot */ -#define XF_ESP3DESMD5 9 /* triple DES, HMAC-MD-5, 128-bits of authentication */ -#define XF_ESP3DESMD596 10 /* triple DES, HMAC-MD-5, 96-bits of authentication */ -#define XF_ESPNULLMD596 12 /* NULL, HMAC-MD-5 with 96-bits of authentication */ -#define XF_ESPNULLSHA196 13 /* NULL, HMAC-SHA-1 with 96-bits of authentication */ -#define XF_ESP3DESSHA196 14 /* triple DES, HMAC-SHA-1, 96-bits of authentication */ -#define XF_IP6 15 /* IPv6 inside IPv6 */ -#define XF_COMPDEFLATE 16 /* IPCOMP deflate */ - -#define XF_CLR 126 /* Clear SA table */ -#define XF_DEL 127 /* Delete SA */ - -#define XFT_AUTH 0x0001 -#define XFT_CONF 0x0100 - -/* available if CONFIG_IPSEC_DEBUG is defined */ -#define DB_XF_INIT 0x0001 - -#define PROTO2TXT(x) \ - (x) == IPPROTO_AH ? "AH" : \ - (x) == IPPROTO_ESP ? "ESP" : \ - (x) == IPPROTO_IPIP ? "IPIP" : \ - (x) == IPPROTO_COMP ? "COMP" : \ - "UNKNOWN_proto" -static inline const char *enc_name_id (unsigned id) { - static char buf[16]; - snprintf(buf, sizeof(buf), "_ID%d", id); - return buf; -} -static inline const char *auth_name_id (unsigned id) { - static char buf[16]; - snprintf(buf, sizeof(buf), "_ID%d", id); - return buf; -} -#define IPS_XFORM_NAME(x) \ - PROTO2TXT((x)->ips_said.proto), \ - (x)->ips_said.proto == IPPROTO_COMP ? \ - ((x)->ips_encalg == SADB_X_CALG_DEFLATE ? \ - "_DEFLATE" : "_UNKNOWN_comp") : \ - (x)->ips_encalg == ESP_NONE ? "" : \ - (x)->ips_encalg == ESP_3DES ? "_3DES" : \ - (x)->ips_encalg == ESP_AES ? "_AES" : \ - (x)->ips_encalg == ESP_SERPENT ? "_SERPENT" : \ - (x)->ips_encalg == ESP_TWOFISH ? "_TWOFISH" : \ - enc_name_id(x->ips_encalg)/* "_UNKNOWN_encr" */, \ - (x)->ips_authalg == AH_NONE ? "" : \ - (x)->ips_authalg == AH_MD5 ? "_HMAC_MD5" : \ - (x)->ips_authalg == AH_SHA ? "_HMAC_SHA1" : \ - (x)->ips_authalg == AH_SHA2_256 ? "_HMAC_SHA2_256" : \ - (x)->ips_authalg == AH_SHA2_384 ? "_HMAC_SHA2_384" : \ - (x)->ips_authalg == AH_SHA2_512 ? "_HMAC_SHA2_512" : \ - auth_name_id(x->ips_authalg) /* "_UNKNOWN_auth" */ \ - -#define _IPSEC_XFORM_H_ -#endif /* _IPSEC_XFORM_H_ */ diff --git a/src/libfreeswan/ipsec_xmit.h b/src/libfreeswan/ipsec_xmit.h deleted file mode 100644 index 886e84a13..000000000 --- a/src/libfreeswan/ipsec_xmit.h +++ /dev/null @@ -1,140 +0,0 @@ -/* - * IPSEC tunneling code - * Copyright (C) 1996, 1997 John Ioannidis. - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 Richard Guy Briggs. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id$ - */ - -#include "freeswan/ipsec_sa.h" - -enum ipsec_xmit_value -{ - IPSEC_XMIT_STOLEN=2, - IPSEC_XMIT_PASS=1, - IPSEC_XMIT_OK=0, - IPSEC_XMIT_ERRMEMALLOC=-1, - IPSEC_XMIT_ESP_BADALG=-2, - IPSEC_XMIT_BADPROTO=-3, - IPSEC_XMIT_ESP_PUSHPULLERR=-4, - IPSEC_XMIT_BADLEN=-5, - IPSEC_XMIT_AH_BADALG=-6, - IPSEC_XMIT_SAIDNOTFOUND=-7, - IPSEC_XMIT_SAIDNOTLIVE=-8, - IPSEC_XMIT_REPLAYROLLED=-9, - IPSEC_XMIT_LIFETIMEFAILED=-10, - IPSEC_XMIT_CANNOTFRAG=-11, - IPSEC_XMIT_MSSERR=-12, - IPSEC_XMIT_ERRSKBALLOC=-13, - IPSEC_XMIT_ENCAPFAIL=-14, - IPSEC_XMIT_NODEV=-15, - IPSEC_XMIT_NOPRIVDEV=-16, - IPSEC_XMIT_NOPHYSDEV=-17, - IPSEC_XMIT_NOSKB=-18, - IPSEC_XMIT_NOIPV6=-19, - IPSEC_XMIT_NOIPOPTIONS=-20, - IPSEC_XMIT_TTLEXPIRED=-21, - IPSEC_XMIT_BADHHLEN=-22, - IPSEC_XMIT_PUSHPULLERR=-23, - IPSEC_XMIT_ROUTEERR=-24, - IPSEC_XMIT_RECURSDETECT=-25, - IPSEC_XMIT_IPSENDFAILURE=-26, -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL - IPSEC_XMIT_ESPUDP=-27, -#endif -}; - -struct ipsec_xmit_state -{ - struct sk_buff *skb; /* working skb pointer */ - struct device *dev; /* working dev pointer */ - struct ipsecpriv *prv; /* Our device' private space */ - struct sk_buff *oskb; /* Original skb pointer */ - struct net_device_stats *stats; /* This device's statistics */ - struct iphdr *iph; /* Our new IP header */ - __u32 newdst; /* The other SG's IP address */ - __u32 orgdst; /* Original IP destination address */ - __u32 orgedst; /* 1st SG's IP address */ - __u32 newsrc; /* The new source SG's IP address */ - __u32 orgsrc; /* Original IP source address */ - __u32 innersrc; /* Innermost IP source address */ - int iphlen; /* IP header length */ - int pyldsz; /* upper protocol payload size */ - int headroom; - int tailroom; - int max_headroom; /* The extra header space needed */ - int max_tailroom; /* The extra stuffing needed */ - int ll_headroom; /* The extra link layer hard_header space needed */ - int tot_headroom; /* The total header space needed */ - int tot_tailroom; /* The totalstuffing needed */ - __u8 *saved_header; /* saved copy of the hard header */ - unsigned short sport, dport; - - struct sockaddr_encap matcher; /* eroute search key */ - struct eroute *eroute; - struct ipsec_sa *ipsp, *ipsq; /* ipsec_sa pointers */ - char sa_txt[SATOA_BUF]; - size_t sa_len; - int hard_header_stripped; /* has the hard header been removed yet? */ - int hard_header_len; - struct device *physdev; -/* struct device *virtdev; */ - short physmtu; - short mtudiff; -#ifdef NET_21 - struct rtable *route; -#endif /* NET_21 */ - struct sa_id outgoing_said; -#ifdef NET_21 - int pass; -#endif /* NET_21 */ - int error; - uint32_t eroute_pid; - struct ipsec_sa ips; -#ifdef CONFIG_IPSEC_NAT_TRAVERSAL - uint8_t natt_type; - uint8_t natt_head; - uint16_t natt_sport; - uint16_t natt_dport; -#endif -}; - -#if 0 /* save for alg refactorisation */ -struct xform_functions -{ - enum ipsec_xmit_value (*checks)(struct ipsec_xmit_state *ixs, - struct sk_buff *skb); - enum ipsec_xmit_value (*encrypt)(struct ipsec_xmit_state *ixs); - - enum ipsec_xmit_value (*setup_auth)(struct ipsec_xmit_state *ixs, - struct sk_buff *skb, - __u32 *replay, - unsigned char **authenticator); - enum ipsec_xmit_value (*calc_auth)(struct ipsec_xmit_state *ixs, - struct sk_buff *skb); -}; -#endif - -enum ipsec_xmit_value -ipsec_xmit_sanity_check_dev(struct ipsec_xmit_state *ixs); - -enum ipsec_xmit_value -ipsec_xmit_sanity_check_skb(struct ipsec_xmit_state *ixs); - -enum ipsec_xmit_value -ipsec_xmit_encap_bundle(struct ipsec_xmit_state *ixs); - -extern int ipsec_xmit_trap_count; -extern int ipsec_xmit_trap_sendcount; - -extern void ipsec_extract_ports(struct iphdr * iph, struct sockaddr_encap * er); diff --git a/src/libfreeswan/pfkey.h b/src/libfreeswan/pfkey.h index 25c4f93dd..b3793b093 100644 --- a/src/libfreeswan/pfkey.h +++ b/src/libfreeswan/pfkey.h @@ -17,122 +17,9 @@ #ifndef __NET_IPSEC_PF_KEY_H #define __NET_IPSEC_PF_KEY_H -#ifdef __KERNEL__ -extern struct proto_ops pfkey_proto_ops; -typedef struct sock pfkey_sock; -extern int debug_pfkey; - -extern /* void */ int pfkey_init(void); -extern /* void */ int pfkey_cleanup(void); - -extern struct sock *pfkey_sock_list; -struct socket_list -{ - struct socket *socketp; - struct socket_list *next; -}; -extern int pfkey_list_insert_socket(struct socket*, struct socket_list**); -extern int pfkey_list_remove_socket(struct socket*, struct socket_list**); -extern struct socket_list *pfkey_open_sockets; -extern struct socket_list *pfkey_registered_sockets[SADB_SATYPE_MAX+1]; - -/* - * There is a field-by-field copy in klips/net/ipsec/ipsec_alg.h - * please keep in sync until we migrate all support stuff - * to ipsec_alg objects - */ -struct supported -{ - uint16_t supported_alg_exttype; - uint8_t supported_alg_id; - uint8_t supported_alg_ivlen; - uint16_t supported_alg_minbits; - uint16_t supported_alg_maxbits; -}; -extern struct supported_list *pfkey_supported_list[SADB_SATYPE_MAX+1]; -struct supported_list -{ - struct supported *supportedp; - struct supported_list *next; -}; -extern int pfkey_list_insert_supported(struct supported*, struct supported_list**); -extern int pfkey_list_remove_supported(struct supported*, struct supported_list**); - -struct sockaddr_key -{ - uint16_t key_family; /* PF_KEY */ - uint16_t key_pad; /* not used */ - uint32_t key_pid; /* process ID */ -}; - -struct pfkey_extracted_data -{ - struct ipsec_sa* ips; - struct ipsec_sa* ips2; - struct eroute *eroute; -}; - -extern int -pfkey_alloc_eroute(struct eroute** eroute); - -extern int -pfkey_sa_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_lifetime_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_address_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_key_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_ident_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_sens_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_prop_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_supported_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_spirange_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_x_kmprivate_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_x_satype_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int -pfkey_x_debug_process(struct sadb_ext *pfkey_ext, - struct pfkey_extracted_data* extr); - -extern int pfkey_register_reply(int satype, struct sadb_msg *); -extern int pfkey_upmsg(struct socket *, struct sadb_msg *); -extern int pfkey_expire(struct ipsec_sa *, int); -extern int pfkey_acquire(struct ipsec_sa *); -#else /* ! __KERNEL__ */ extern void (*pfkey_debug_func)(const char *message, ...); -#endif /* __KERNEL__ */ - extern uint8_t satype2proto(uint8_t satype); extern uint8_t proto2satype(uint8_t proto); extern char* satype2name(uint8_t satype); @@ -242,12 +129,6 @@ pfkey_ident_build(struct sadb_ext** pfkey_ext, uint8_t ident_len, char* ident_string); -#ifdef __KERNEL__ -extern int pfkey_nat_t_new_mapping(struct ipsec_sa *, struct sockaddr *, __u16); -extern int pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr); -extern int pfkey_x_nat_t_port_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr); -#endif /* __KERNEL__ */ - int pfkey_x_nat_t_type_build(struct sadb_ext** pfkey_ext, uint8_t type); diff --git a/src/libfreeswan/pfkey_v2_build.c b/src/libfreeswan/pfkey_v2_build.c index 312edbcf5..12ef26fd2 100644 --- a/src/libfreeswan/pfkey_v2_build.c +++ b/src/libfreeswan/pfkey_v2_build.c @@ -21,41 +21,10 @@ char pfkey_v2_build_c_version[] = "$Id$"; -/* - * Some ugly stuff to allow consistent debugging code for use in the - * kernel and in user space -*/ - -#ifdef __KERNEL__ - -# include <linux/kernel.h> /* for printk */ - -# include "freeswan/ipsec_kversion.h" /* for malloc switch */ -# ifdef MALLOC_SLAB -# include <linux/slab.h> /* kmalloc() */ -# else /* MALLOC_SLAB */ -# include <linux/malloc.h> /* kmalloc() */ -# endif /* MALLOC_SLAB */ -# include <linux/errno.h> /* error codes */ -# include <linux/types.h> /* size_t */ -# include <linux/interrupt.h> /* mark_bh */ - -# include <linux/netdevice.h> /* struct device, and other headers */ -# include <linux/etherdevice.h> /* eth_type_trans */ -# include <linux/ip.h> /* struct iphdr */ -# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) -# include <linux/ipv6.h> /* struct ipv6hdr */ -# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */ - -# define MALLOC(size) kmalloc(size, GFP_ATOMIC) -# define FREE(obj) kfree(obj) -# include <freeswan.h> -#else /* __KERNEL__ */ - # include <sys/types.h> -# include <linux/types.h> -# include <linux/errno.h> -# include <malloc.h> +# include <sys/socket.h> +# include <stdlib.h> +# include <errno.h> # include <string.h> /* memset */ # include <freeswan.h> @@ -63,8 +32,6 @@ unsigned int pfkey_lib_debug = 0; void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1); -/* #define PLUTO */ - #define DEBUGGING(args...) if(pfkey_lib_debug) { \ if(pfkey_debug_func != NULL) { \ (*pfkey_debug_func)("pfkey_lib_debug:" args); \ @@ -73,22 +40,10 @@ void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1); } } # define MALLOC(size) malloc(size) # define FREE(obj) free(obj) -#endif /* __KERNEL__ */ #include <pfkeyv2.h> #include <pfkey.h> -#ifdef __KERNEL__ - -#include "freeswan/radij.h" /* rd_nodes */ -#include "freeswan/ipsec_encap.h" /* sockaddr_encap */ - -# define DEBUGGING(args...) \ - KLIPS_PRINT(debug_pfkey, "klips_debug:" args) -#endif /* __KERNEL__ */ - -#include "ipsec_sa.h" /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */ - #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0) void @@ -483,14 +438,14 @@ pfkey_address_build(struct sadb_ext** pfkey_ext, "found address family AF_INET6.\n"); saddr_len = sizeof(struct sockaddr_in6); sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x-%x" - , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[0]) - , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[1]) - , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[2]) - , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[3]) - , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[4]) - , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[5]) - , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[6]) - , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[7]) + , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[0]) + , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[1]) + , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[2]) + , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[3]) + , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[4]) + , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[5]) + , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[6]) + , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[7]) , ntohs(((struct sockaddr_in6*)address)->sin6_port)); break; default: diff --git a/src/libfreeswan/pfkey_v2_debug.c b/src/libfreeswan/pfkey_v2_debug.c index e50a6510e..eca568dc4 100644 --- a/src/libfreeswan/pfkey_v2_debug.c +++ b/src/libfreeswan/pfkey_v2_debug.c @@ -18,31 +18,8 @@ * */ -#ifdef __KERNEL__ - -# include <linux/kernel.h> /* for printk */ - -# include "freeswan/ipsec_kversion.h" /* for malloc switch */ -# ifdef MALLOC_SLAB -# include <linux/slab.h> /* kmalloc() */ -# else /* MALLOC_SLAB */ -# include <linux/malloc.h> /* kmalloc() */ -# endif /* MALLOC_SLAB */ -# include <linux/errno.h> /* error codes */ -# include <linux/types.h> /* size_t */ -# include <linux/interrupt.h> /* mark_bh */ - -# include <linux/netdevice.h> /* struct device, and other headers */ -# include <linux/etherdevice.h> /* eth_type_trans */ -extern int debug_pfkey; - -#else /* __KERNEL__ */ - # include <sys/types.h> -# include <linux/types.h> -# include <linux/errno.h> - -#endif /* __KERNEL__ */ +# include <errno.h> #include "freeswan.h" #include "pfkeyv2.h" diff --git a/src/libfreeswan/pfkey_v2_ext_bits.c b/src/libfreeswan/pfkey_v2_ext_bits.c index 7264ac46f..4daf0cd84 100644 --- a/src/libfreeswan/pfkey_v2_ext_bits.c +++ b/src/libfreeswan/pfkey_v2_ext_bits.c @@ -21,38 +21,8 @@ char pfkey_v2_ext_bits_c_version[] = "$Id$"; -/* - * Some ugly stuff to allow consistent debugging code for use in the - * kernel and in user space -*/ - -#ifdef __KERNEL__ - -# include <linux/kernel.h> /* for printk */ - -# include "freeswan/ipsec_kversion.h" /* for malloc switch */ -# ifdef MALLOC_SLAB -# include <linux/slab.h> /* kmalloc() */ -# else /* MALLOC_SLAB */ -# include <linux/malloc.h> /* kmalloc() */ -# endif /* MALLOC_SLAB */ -# include <linux/errno.h> /* error codes */ -# include <linux/types.h> /* size_t */ -# include <linux/interrupt.h> /* mark_bh */ - -# include <linux/netdevice.h> /* struct device, and other headers */ -# include <linux/etherdevice.h> /* eth_type_trans */ -# include <linux/ip.h> /* struct iphdr */ -# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) -# include <linux/ipv6.h> -# endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */ - -#else /* __KERNEL__ */ - # include <sys/types.h> -# include <linux/types.h> -# include <linux/errno.h> -#endif +# include <errno.h> #include <freeswan.h> #include <pfkeyv2.h> diff --git a/src/libfreeswan/pfkey_v2_parse.c b/src/libfreeswan/pfkey_v2_parse.c index 7032bd87d..d1bbbcd83 100644 --- a/src/libfreeswan/pfkey_v2_parse.c +++ b/src/libfreeswan/pfkey_v2_parse.c @@ -21,73 +21,24 @@ char pfkey_v2_parse_c_version[] = "$Id$"; -/* - * Some ugly stuff to allow consistent debugging code for use in the - * kernel and in user space -*/ - -#ifdef __KERNEL__ - -# include <linux/kernel.h> /* for printk */ - -#include "freeswan/ipsec_kversion.h" /* for malloc switch */ - -# ifdef MALLOC_SLAB -# include <linux/slab.h> /* kmalloc() */ -# else /* MALLOC_SLAB */ -# include <linux/malloc.h> /* kmalloc() */ -# endif /* MALLOC_SLAB */ -# include <linux/errno.h> /* error codes */ -# include <linux/types.h> /* size_t */ -# include <linux/interrupt.h> /* mark_bh */ - -# include <linux/netdevice.h> /* struct device, and other headers */ -# include <linux/etherdevice.h> /* eth_type_trans */ -# include <linux/ip.h> /* struct iphdr */ -# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) -# include <linux/ipv6.h> /* struct ipv6hdr */ -# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */ -extern int debug_pfkey; - -#include "freeswan.h" - -#include "ipsec_encap.h" - -#else /* __KERNEL__ */ - # include <sys/types.h> -# include <linux/types.h> -# include <linux/errno.h> +# include <sys/socket.h> +# include <errno.h> # include <freeswan.h> # include <constants.h> # include <defs.h> /* for PRINTF_LIKE */ # include <log.h> /* for debugging and DBG_log */ -/* #define PLUTO */ - # ifdef PLUTO # define DEBUGGING(level, args...) { DBG_log("pfkey_lib_debug:" args); } # else # define DEBUGGING(level, args...) if(pfkey_lib_debug & level) { printf("pfkey_lib_debug:" args); } else { ; } # endif -#endif /* __KERNEL__ */ - - #include <pfkeyv2.h> #include <pfkey.h> -#ifdef __KERNEL__ -extern int sysctl_ipsec_debug_verbose; -# define DEBUGGING(level, args...) \ - KLIPS_PRINT( \ - ((debug_pfkey & level & (PF_KEY_DEBUG_PARSE_STRUCT | PF_KEY_DEBUG_PARSE_PROBLEM)) \ - || (sysctl_ipsec_debug_verbose && (debug_pfkey & level & PF_KEY_DEBUG_PARSE_FLOW))) \ - , "klips_debug:" args) -#endif /* __KERNEL__ */ -#include "ipsec_sa.h" /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */ - #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0) @@ -96,21 +47,11 @@ struct satype_tbl { uint8_t satype; char* name; } static satype_tbl[] = { -#ifdef __KERNEL__ - { IPPROTO_ESP, SADB_SATYPE_ESP, "ESP" }, - { IPPROTO_AH, SADB_SATYPE_AH, "AH" }, - { IPPROTO_IPIP, SADB_X_SATYPE_IPIP, "IPIP" }, -#ifdef CONFIG_IPSEC_IPCOMP - { IPPROTO_COMP, SADB_X_SATYPE_COMP, "COMP" }, -#endif /* CONFIG_IPSEC_IPCOMP */ - { IPPROTO_INT, SADB_X_SATYPE_INT, "INT" }, -#else /* __KERNEL__ */ { SA_ESP, SADB_SATYPE_ESP, "ESP" }, { SA_AH, SADB_SATYPE_AH, "AH" }, { SA_IPIP, SADB_X_SATYPE_IPIP, "IPIP" }, { SA_COMP, SADB_X_SATYPE_COMP, "COMP" }, { SA_INT, SADB_X_SATYPE_INT, "INT" }, -#endif /* __KERNEL__ */ { 0, 0, "UNKNOWN" } }; @@ -418,14 +359,14 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext) case AF_INET6: saddr_len = sizeof(struct sockaddr_in6); sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x" - , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[0]) - , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[1]) - , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[2]) - , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[3]) - , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[4]) - , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[5]) - , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[6]) - , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[7])); + , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[0]) + , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[1]) + , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[2]) + , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[3]) + , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[4]) + , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[5]) + , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[6]) + , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[7])); DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT, "pfkey_address_parse: " "found exttype=%u(%s) family=%d(AF_INET6) address=%s proto=%u port=%u.\n", diff --git a/src/libfreeswan/portof.c b/src/libfreeswan/portof.c index 2669ee6c4..6a5127c10 100644 --- a/src/libfreeswan/portof.c +++ b/src/libfreeswan/portof.c @@ -14,6 +14,8 @@ * * RCSID $Id$ */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" diff --git a/src/libfreeswan/radij.h b/src/libfreeswan/radij.h deleted file mode 100644 index c6a2fc0a5..000000000 --- a/src/libfreeswan/radij.h +++ /dev/null @@ -1,201 +0,0 @@ -/* - * RCSID $Id$ - */ - -/* - * This file is defived from ${SRC}/sys/net/radix.h of BSD 4.4lite - * - * Variable and procedure names have been modified so that they don't - * conflict with the original BSD code, as a small number of modifications - * have been introduced and we may want to reuse this code in BSD. - * - * The `j' in `radij' is pronounced as a voiceless guttural (like a Greek - * chi or a German ch sound (as `doch', not as in `milch'), or even a - * spanish j as in Juan. It is not as far back in the throat like - * the corresponding Hebrew sound, nor is it a soft breath like the English h. - * It has nothing to do with the Dutch ij sound. - * - * Here is the appropriate copyright notice: - */ - -/* - * Copyright (c) 1988, 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)radix.h 8.1 (Berkeley) 6/10/93 - */ - -#ifndef _RADIJ_H_ -#define _RADIJ_H_ - -/* -#define RJ_DEBUG -*/ - -#ifdef __KERNEL__ - -#ifndef __P -#ifdef __STDC__ -#define __P(x) x -#else -#define __P(x) () -#endif -#endif - -/* - * Radix search tree node layout. - */ - -struct radij_node -{ - struct radij_mask *rj_mklist; /* list of masks contained in subtree */ - struct radij_node *rj_p; /* parent */ - short rj_b; /* bit offset; -1-index(netmask) */ - char rj_bmask; /* node: mask for bit test*/ - u_char rj_flags; /* enumerated next */ -#define RJF_NORMAL 1 /* leaf contains normal route */ -#define RJF_ROOT 2 /* leaf is root leaf for tree */ -#define RJF_ACTIVE 4 /* This node is alive (for rtfree) */ - union { - struct { /* leaf only data: */ - caddr_t rj_Key; /* object of search */ - caddr_t rj_Mask; /* netmask, if present */ - struct radij_node *rj_Dupedkey; - } rj_leaf; - struct { /* node only data: */ - int rj_Off; /* where to start compare */ - struct radij_node *rj_L;/* progeny */ - struct radij_node *rj_R;/* progeny */ - }rj_node; - } rj_u; -#ifdef RJ_DEBUG - int rj_info; - struct radij_node *rj_twin; - struct radij_node *rj_ybro; -#endif -}; - -#define rj_dupedkey rj_u.rj_leaf.rj_Dupedkey -#define rj_key rj_u.rj_leaf.rj_Key -#define rj_mask rj_u.rj_leaf.rj_Mask -#define rj_off rj_u.rj_node.rj_Off -#define rj_l rj_u.rj_node.rj_L -#define rj_r rj_u.rj_node.rj_R - -/* - * Annotations to tree concerning potential routes applying to subtrees. - */ - -extern struct radij_mask { - short rm_b; /* bit offset; -1-index(netmask) */ - char rm_unused; /* cf. rj_bmask */ - u_char rm_flags; /* cf. rj_flags */ - struct radij_mask *rm_mklist; /* more masks to try */ - caddr_t rm_mask; /* the mask */ - int rm_refs; /* # of references to this struct */ -} *rj_mkfreelist; - -#define MKGet(m) {\ - if (rj_mkfreelist) {\ - m = rj_mkfreelist; \ - rj_mkfreelist = (m)->rm_mklist; \ - } else \ - R_Malloc(m, struct radij_mask *, sizeof (*(m))); }\ - -#define MKFree(m) { (m)->rm_mklist = rj_mkfreelist; rj_mkfreelist = (m);} - -struct radij_node_head { - struct radij_node *rnh_treetop; - int rnh_addrsize; /* permit, but not require fixed keys */ - int rnh_pktsize; /* permit, but not require fixed keys */ -#if 0 - struct radij_node *(*rnh_addaddr) /* add based on sockaddr */ - __P((void *v, void *mask, - struct radij_node_head *head, struct radij_node nodes[])); -#endif - int (*rnh_addaddr) /* add based on sockaddr */ - __P((void *v, void *mask, - struct radij_node_head *head, struct radij_node nodes[])); - struct radij_node *(*rnh_addpkt) /* add based on packet hdr */ - __P((void *v, void *mask, - struct radij_node_head *head, struct radij_node nodes[])); -#if 0 - struct radij_node *(*rnh_deladdr) /* remove based on sockaddr */ - __P((void *v, void *mask, struct radij_node_head *head)); -#endif - int (*rnh_deladdr) /* remove based on sockaddr */ - __P((void *v, void *mask, struct radij_node_head *head, struct radij_node **node)); - struct radij_node *(*rnh_delpkt) /* remove based on packet hdr */ - __P((void *v, void *mask, struct radij_node_head *head)); - struct radij_node *(*rnh_matchaddr) /* locate based on sockaddr */ - __P((void *v, struct radij_node_head *head)); - struct radij_node *(*rnh_matchpkt) /* locate based on packet hdr */ - __P((void *v, struct radij_node_head *head)); - int (*rnh_walktree) /* traverse tree */ - __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w)); - struct radij_node rnh_nodes[3]; /* empty tree for common case */ -}; - - -#define Bcmp(a, b, n) memcmp(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n)) -#define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n)) -#define Bzero(p, n) memset((caddr_t)(p), 0, (unsigned)(n)) -#define R_Malloc(p, t, n) ((p = (t) kmalloc((size_t)(n), GFP_ATOMIC)), Bzero((p),(n))) -#define Free(p) kfree((caddr_t)p); - -void rj_init __P((void)); -int rj_inithead __P((void **, int)); -int rj_refines __P((void *, void *)); -int rj_walktree __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w)); -struct radij_node - *rj_addmask __P((void *, int, int)) /* , rgb */ ; -int /* * */ rj_addroute __P((void *, void *, struct radij_node_head *, - struct radij_node [2])) /* , rgb */ ; -int /* * */ rj_delete __P((void *, void *, struct radij_node_head *, struct radij_node **)) /* , rgb */ ; -struct radij_node /* rgb */ - *rj_insert __P((void *, struct radij_node_head *, int *, - struct radij_node [2])), - *rj_match __P((void *, struct radij_node_head *)), - *rj_newpair __P((void *, int, struct radij_node[2])), - *rj_search __P((void *, struct radij_node *)), - *rj_search_m __P((void *, struct radij_node *, void *)); - -void rj_deltree(struct radij_node_head *); -void rj_delnodes(struct radij_node *); -void rj_free_mkfreelist(void); -int radijcleartree(void); -int radijcleanup(void); - -extern struct radij_node_head *mask_rjhead; -extern int maj_keylen; -#endif /* __KERNEL__ */ - -#endif /* _RADIJ_H_ */ diff --git a/src/libfreeswan/satot.c b/src/libfreeswan/satot.c index 6e4bcca2b..72e8c09eb 100644 --- a/src/libfreeswan/satot.c +++ b/src/libfreeswan/satot.c @@ -14,6 +14,8 @@ * * RCSID $Id$ */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" diff --git a/src/libfreeswan/ttoaddr.c b/src/libfreeswan/ttoaddr.c index c228f5a4c..70107a2f9 100644 --- a/src/libfreeswan/ttoaddr.c +++ b/src/libfreeswan/ttoaddr.c @@ -14,6 +14,8 @@ * * RCSID $Id$ */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" diff --git a/src/libfreeswan/ttosa.c b/src/libfreeswan/ttosa.c index c9df7bbe2..b8b160f6b 100644 --- a/src/libfreeswan/ttosa.c +++ b/src/libfreeswan/ttosa.c @@ -14,6 +14,8 @@ * * RCSID $Id$ */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" diff --git a/src/libfreeswan/ttosubnet.c b/src/libfreeswan/ttosubnet.c index 47379dcff..9d8de5cf4 100644 --- a/src/libfreeswan/ttosubnet.c +++ b/src/libfreeswan/ttosubnet.c @@ -14,6 +14,8 @@ * * RCSID $Id$ */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" diff --git a/src/libfreeswan/version.c b/src/libfreeswan/version.c index 8f87f639c..ba6b35d26 100644 --- a/src/libfreeswan/version.c +++ b/src/libfreeswan/version.c @@ -15,10 +15,6 @@ * RCSID $Id$ */ -#ifdef __KERNEL__ -#include <linux/netdevice.h> -#endif - #include "freeswan.h" static const char strongswan_number[] = VERSION; diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index acce5702b..369ade43b 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -54,7 +54,7 @@ utils/mutex.c utils/mutex.h \ utils/backtrace.c utils/backtrace.h \ plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h -libstrongswan_la_LIBADD = -lpthread -ldl +libstrongswan_la_LIBADD = -lpthread $(DLLIB) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ @@ -81,14 +81,14 @@ if USE_VSTR endif EXTRA_DIST = asn1/oid.txt asn1/oid.pl -BUILT_SOURCES = asn1/oid.c asn1/oid.h -MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h +BUILT_SOURCES = $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h +MAINTAINERCLEANFILES = $(srcdir)/asn1/oid.c $(srcdir)/asn1/oid.h -asn1/oid.c : asn1/oid.pl asn1/oid.txt - (cd `dirname $<` && $(PERL) `basename $<`) +$(srcdir)/asn1/oid.c : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt + (cd $(srcdir)/asn1/ && $(PERL) oid.pl) -asn1/oid.h : asn1/oid.pl asn1/oid.txt - (cd `dirname $<` && $(PERL) `basename $<`) +$(srcdir)/asn1/oid.h : $(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt + (cd $(srcdir)/asn1/ && $(PERL) oid.pl) # build plugins with their own Makefile diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index de8c5ea4c..170095271 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -307,8 +307,8 @@ u_int asn1_length(chunk_t *blob) */ time_t asn1_to_time(const chunk_t *utctime, asn1_t type) { - struct tm t; - time_t tc, tz_offset; + struct tm t, local; + time_t tc, tz_offset, now; u_char *eot = NULL; if ((eot = memchr(utctime->ptr, 'Z', utctime->len)) != NULL) @@ -375,9 +375,16 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type) /* convert to time_t */ tc = mktime(&t); + + if (tc == -1) + { + return TIME_MAX; + } /* if no conversion overflow occurred, compensate timezone */ - return (tc == -1) ? TIME_MAX : (tc - timezone - tz_offset); + now = time(NULL); + localtime_r(&now, &local); + return tc - local.tm_gmtoff - tz_offset; } /** diff --git a/src/libstrongswan/asn1/oid.pl b/src/libstrongswan/asn1/oid.pl index 027a850fd..ed26febc9 100644 --- a/src/libstrongswan/asn1/oid.pl +++ b/src/libstrongswan/asn1/oid.pl @@ -32,6 +32,7 @@ print OID_H "/* Object identifiers (OIDs) used by strongSwan\n", " * ", $automatic, "\n", " * ", $warning, "\n", " */\n\n", + "#include <sys/types.h>\n\n", "#ifndef OID_H_\n", "#define OID_H_\n\n", "typedef struct {\n", diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c index 61a027014..2375ad65c 100644 --- a/src/libstrongswan/crypto/pkcs7.c +++ b/src/libstrongswan/crypto/pkcs7.c @@ -334,7 +334,7 @@ static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert) identification_t *issuer; issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); - DBG2(" '%D'", issuer); + DBG2(" '%Y'", issuer); issuer->destroy(issuer); break; } @@ -522,7 +522,7 @@ static bool parse_envelopedData(private_pkcs7_t *this, chunk_t serialNumber, identification_t *issuer; issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); - DBG2(" '%D'", issuer); + DBG2(" '%Y'", issuer); issuer->destroy(issuer); } break; diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index da7b0fca7..583865a0a 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -101,8 +101,6 @@ void library_init(char *settings) PRINTF_HOOK_ARGTYPE_END); pfh->add_handler(pfh, 'B', chunk_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); - pfh->add_handler(pfh, 'D', identification_printf_hook, - PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); pfh->add_handler(pfh, 'H', host_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); pfh->add_handler(pfh, 'N', enum_printf_hook, @@ -114,6 +112,8 @@ void library_init(char *settings) pfh->add_handler(pfh, 'V', time_delta_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); + pfh->add_handler(pfh, 'Y', identification_printf_hook, + PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); this->public.crypto = crypto_factory_create(); this->public.creds = credential_factory_create(); diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index c5f8244a7..ab52c3c97 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -311,7 +311,7 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme /** * Implementation of public_key_t.get_keysize. */ -static bool encrypt(private_gmp_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain) +static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain) { DBG1("RSA public key encryption not implemented"); return FALSE; @@ -385,7 +385,7 @@ static private_gmp_rsa_public_key_t *gmp_rsa_public_key_create_empty() this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type; this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify; - this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt; + this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id; this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding; diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c index ae5ede28d..250221693 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c @@ -178,7 +178,7 @@ static bool verify(private_openssl_ec_public_key_t *this, signature_scheme_t sch /** * Implementation of public_key_t.get_keysize. */ -static bool encrypt(private_openssl_ec_public_key_t *this, chunk_t crypto, chunk_t *plain) +static bool encrypt_(private_openssl_ec_public_key_t *this, chunk_t crypto, chunk_t *plain) { DBG1("EC public key encryption not implemented"); return FALSE; @@ -279,7 +279,7 @@ static private_openssl_ec_public_key_t *openssl_ec_public_key_create_empty() this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type; this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify; - this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt; + this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id; this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding; diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index eb051b7ab..e35d334e3 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -147,7 +147,7 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc /** * Implementation of public_key_t.get_keysize. */ -static bool encrypt(private_openssl_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain) +static bool encrypt_(private_openssl_rsa_public_key_t *this, chunk_t crypto, chunk_t *plain) { DBG1("RSA public key encryption not implemented"); return FALSE; @@ -263,7 +263,7 @@ static private_openssl_rsa_public_key_t *openssl_rsa_public_key_create_empty() this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type; this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify; - this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt; + this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; this->public.interface.get_id = (identification_t* (*) (public_key_t *this,id_type_t))get_id; this->public.interface.get_encoding = (chunk_t(*)(public_key_t*))get_encoding; diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index b09f446b2..ca03f735d 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -353,7 +353,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0) if (id_type != ID_ANY) { gn = identification_create_from_encoding(id_type, object); - DBG2(" '%D'", gn); + DBG2(" '%Y'", gn); goto end; } } @@ -510,9 +510,9 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, /* parsing went wrong - abort */ goto end; } - DBG2(" '%D'", id); + DBG2(" '%Y'", id); if (accessMethod == OID_OCSP && - asprintf(&uri, "%D", id) > 0) + asprintf(&uri, "%Y", id) > 0) { this->ocsp_uris->insert_last(this->ocsp_uris, uri); } @@ -619,7 +619,7 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0, { char *uri; - if (asprintf(&uri, "%D", id) > 0) + if (asprintf(&uri, "%Y", id) > 0) { this->crl_uris->insert_last(this->crl_uris, uri); } @@ -714,7 +714,7 @@ static bool parse_certificate(private_x509_cert_t *this) break; case X509_OBJ_ISSUER: this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); - DBG2(" '%D'", this->issuer); + DBG2(" '%Y'", this->issuer); break; case X509_OBJ_NOT_BEFORE: this->notBefore = asn1_parse_time(object, level); @@ -724,7 +724,7 @@ static bool parse_certificate(private_x509_cert_t *this) break; case X509_OBJ_SUBJECT: this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object); - DBG2(" '%D'", this->subject); + DBG2(" '%Y'", this->subject); break; case X509_OBJ_SUBJECT_PUBLIC_KEY_INFO: this->public_key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index 3bb097c4d..b6639e476 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -226,7 +226,7 @@ static bool parse(private_x509_crl_t *this) break; case CRL_OBJ_ISSUER: this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); - DBG2(" '%D'", this->issuer); + DBG2(" '%Y'", this->issuer); break; case CRL_OBJ_THIS_UPDATE: this->thisUpdate = asn1_parse_time(object, level); diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index 257ae7597..65978b8eb 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -523,12 +523,12 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this, case BASIC_RESPONSE_ID_BY_NAME: this->responderId = identification_create_from_encoding( ID_DER_ASN1_DN, object); - DBG2(" '%D'", this->responderId); + DBG2(" '%Y'", this->responderId); break; case BASIC_RESPONSE_ID_BY_KEY: this->responderId = identification_create_from_encoding( ID_PUBKEY_INFO_SHA1, object); - DBG2(" '%D'", this->responderId); + DBG2(" '%Y'", this->responderId); break; case BASIC_RESPONSE_PRODUCED_AT: this->producedAt = asn1_to_time(&object, ASN1_GENERALIZEDTIME); diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c index f46718953..ab7bd77ef 100644 --- a/src/libstrongswan/printf_hook.c +++ b/src/libstrongswan/printf_hook.c @@ -165,7 +165,7 @@ static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec) } /** - * Add a custom format handler to the given Vstr_conf object + * Add a custom format handler to the given Vstr_conf object */ static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler) { @@ -340,7 +340,7 @@ static void add_handler(private_printf_hook_t *this, char spec, return; } - handler = malloc_thing(printf_hook_handler_t); + handler = malloc_thing(printf_hook_handler_t); handler->hook = hook; va_start(args, hook); diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h index a1773fd26..1906d0159 100644 --- a/src/libstrongswan/printf_hook.h +++ b/src/libstrongswan/printf_hook.h @@ -30,10 +30,11 @@ typedef enum printf_hook_argtype_t printf_hook_argtype_t; #ifdef HAVE_PRINTF_HOOKS +#include <stdio.h> #include <printf.h> enum printf_hook_argtype_t { - PRINTF_HOOK_ARGTYPE_END = PA_LAST, + PRINTF_HOOK_ARGTYPE_END = -1, PRINTF_HOOK_ARGTYPE_INT = PA_INT, PRINTF_HOOK_ARGTYPE_POINTER = PA_POINTER, }; diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c index 75b02a865..ab717fd14 100644 --- a/src/libstrongswan/utils.c +++ b/src/libstrongswan/utils.c @@ -22,6 +22,7 @@ #include <string.h> #include <stdio.h> #include <unistd.h> +#include <limits.h> #include <dirent.h> #include <time.h> diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c index 48c0b5484..0435fb4fa 100644 --- a/src/libstrongswan/utils/enumerator.c +++ b/src/libstrongswan/utils/enumerator.c @@ -21,6 +21,7 @@ #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> +#include <limits.h> #include <stdio.h> #include <dirent.h> #include <errno.h> diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c index 22fc6df2f..6ce63f788 100755 --- a/src/medsrv/controller/peer_controller.c +++ b/src/medsrv/controller/peer_controller.c @@ -72,7 +72,7 @@ static void list(private_peer_controller_t *this, request_t *request) { request->setf(request, "peers.%d.alias=%s", id, alias); identifier = identification_create_from_encoding(ID_KEY_ID, keyid); - request->setf(request, "peers.%d.identifier=%D", id, identifier); + request->setf(request, "peers.%d.identifier=%Y", id, identifier); identifier->destroy(identifier); } query->destroy(query); diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index a6c60b56d..7f295f00f 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -92,11 +92,11 @@ pluto_LDADD = \ $(LIBSTRONGSWANDIR)/libstrongswan.la \ $(LIBFREESWANDIR)/libfreeswan.a \ $(LIBCRYPTODIR)/libcrypto.a \ --lgmp -lresolv -lpthread -ldl +-lgmp -lresolv -lpthread $(DLLIB) _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ --lresolv -ldl +-lresolv $(DLLIB) dist_man_MANS = pluto.8 ipsec.secrets.5 diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am index f12e6e0f2..1596e44b1 100644 --- a/src/scepclient/Makefile.am +++ b/src/scepclient/Makefile.am @@ -38,7 +38,7 @@ $(LIBCRYPTOBUILDDIR)/libcrypto.a \ # This compile option activates smartcard support if USE_SMARTCARD AM_CFLAGS += -DSMARTCARD - scepclient_LDADD += -ldl + scepclient_LDADD += $(DLLIB) endif dist_man_MANS = scepclient.8 diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index e9c707c2b..57205665f 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -30,20 +30,20 @@ if USE_CHARON AM_CFLAGS += -DSTART_CHARON endif -lex.yy.c: parser.l parser.y parser.h y.tab.c - $(LEX) --nounput $< +lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h + $(LEX) $(srcdir)/parser.l -y.tab.c: parser.y parser.l parser.h - $(YACC) -v -d $< +y.tab.c: $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h + $(YACC) -v -d $(srcdir)/parser.y -y.tab.h: parser.y parser.l parser.h - $(YACC) -v -d $< +y.tab.h: $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h + $(YACC) -v -d $(srcdir)/parser.y -keywords.c: keywords.txt keywords.h - $(GPERF) -C -G -t < $< > $@ +keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h + $(GPERF) -C -G -D -t < $(srcdir)/keywords.txt > $@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h - $(COMPILE) -c -o $@ $< + $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c index 04cfc9f77..f28aca33e 100644 --- a/src/starter/interfaces.c +++ b/src/starter/interfaces.c @@ -16,14 +16,12 @@ #include <sys/socket.h> #include <sys/ioctl.h> -#include <linux/if.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <freeswan.h> -#include <ipsec_tunnel.h> #include <constants.h> #include <defs.h> diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h index 324b0cc2f..08257f73a 100644 --- a/src/starter/interfaces.h +++ b/src/starter/interfaces.h @@ -17,7 +17,9 @@ #ifndef _STARTER_INTERFACES_H_ #define _STARTER_INTERFACES_H_ -#include <linux/if.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <net/if.h> #include "../pluto/constants.h" diff --git a/src/starter/parser.l b/src/starter/parser.l index 7b93e53b7..582371e4f 100644 --- a/src/starter/parser.l +++ b/src/starter/parser.l @@ -1,3 +1,5 @@ +%option noinput +%option nounput %{ /* FreeS/WAN config file parser (parser.l) * Copyright (C) 2001 Mathieu Lafon - Arkoon Network Security @@ -23,8 +25,6 @@ #define MAX_INCLUDE_DEPTH 20 -#define YY_NO_INPUT -#define YY_NO_UNPUT extern void yyerror(const char *); extern int yylex (void); diff --git a/src/starter/starter.c b/src/starter/starter.c index db4756e9e..b66ebdefb 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -328,11 +328,11 @@ int main (int argc, char **argv) /* determine if we have a native netkey IPsec stack */ if (!starter_netkey_init()) { - plog("no netkey IPSec stack detected"); + plog("no netkey IPsec stack detected"); if (!starter_klips_init()) { - plog("no KLIPS IPSec stack detected"); - exit(LSB_RC_FAILURE); + plog("no KLIPS IPsec stack detected"); + plog("no known IPsec stack detected, ignoring!"); } } diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index a695feb46..c36afe64b 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -21,10 +21,10 @@ #include <stddef.h> #include <unistd.h> #include <stdlib.h> +#include <string.h> #include <errno.h> #include <netinet/in.h> #include <arpa/inet.h> -#include <linux/xfrm.h> #include <freeswan.h> @@ -42,6 +42,15 @@ #define IPV6_LEN 16 /** + * Mode of an IPsec SA, must be the same as in charons kernel_ipsec.h + */ +enum ipsec_mode_t { + MODE_TRANSPORT = 1, + MODE_TUNNEL, + MODE_BEET +}; + +/** * Authentication methods, must be the same as in charons authenticator.h */ enum auth_method_t { @@ -68,9 +77,12 @@ static char* push_string(stroke_msg_t *msg, char *string) static int send_stroke_msg (stroke_msg_t *msg) { - struct sockaddr_un ctl_addr = { AF_UNIX, CHARON_CTL_FILE }; + struct sockaddr_un ctl_addr; int byte_count; char buffer[64]; + + ctl_addr.sun_family = AF_UNIX; + strcpy(ctl_addr.sun_path, CHARON_CTL_FILE); /* starter is not called from commandline, and therefore absolutely silent */ msg->output_verbosity = -1; @@ -247,20 +259,20 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) if (conn->policy & POLICY_TUNNEL) { - msg.add_conn.mode = XFRM_MODE_TUNNEL; + msg.add_conn.mode = MODE_TUNNEL; } else if (conn->policy & POLICY_BEET) { - msg.add_conn.mode = XFRM_MODE_BEET; + msg.add_conn.mode = MODE_BEET; } else if (conn->policy & POLICY_PROXY) { - msg.add_conn.mode = XFRM_MODE_TRANSPORT; + msg.add_conn.mode = MODE_TRANSPORT; msg.add_conn.proxy_mode = TRUE; } else { - msg.add_conn.mode = XFRM_MODE_TRANSPORT; + msg.add_conn.mode = MODE_TRANSPORT; } if (!(conn->policy & POLICY_DONT_REKEY)) diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c index 0588cf35b..4bc76de01 100644 --- a/src/starter/starterwhack.c +++ b/src/starter/starterwhack.c @@ -19,6 +19,7 @@ #include <sys/un.h> #include <stddef.h> #include <unistd.h> +#include <string.h> #include <errno.h> #include <freeswan.h> @@ -56,11 +57,14 @@ pack_str (char **p, char **next, char **roof) static int send_whack_msg (whack_message_t *msg) { - struct sockaddr_un ctl_addr = { AF_UNIX, PLUTO_CTL_FILE }; + struct sockaddr_un ctl_addr; int sock; ssize_t len; char *str_next, *str_roof; + ctl_addr.sun_family = AF_UNIX; + strcpy(ctl_addr.sun_path, PLUTO_CTL_FILE); + /* pack strings */ str_next = (char *)msg->string; str_roof = (char *)&msg->string[sizeof(msg->string)]; diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am index df20252e2..22f317f8f 100644 --- a/src/stroke/Makefile.am +++ b/src/stroke/Makefile.am @@ -3,8 +3,9 @@ ipsec_PROGRAMS = stroke stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h INCLUDES = -I$(top_srcdir)/src/libstrongswan EXTRA_DIST = stroke_keywords.txt +BUILT_SOURCES = stroke_keywords.c MAINTAINERCLEANFILES = stroke_keywords.c AM_CFLAGS = -DIPSEC_PIDDIR=\"${piddir}\" -stroke_keywords.c: stroke_keywords.txt stroke_keywords.h - $(GPERF) -C -G -t < $< > $@ +stroke_keywords.c: $(srcdir)/stroke_keywords.txt $(srcdir)/stroke_keywords.h + $(GPERF) -D -C -G -t < $(srcdir)/stroke_keywords.txt > $@ diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index 66028900d..a8b705697 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c @@ -27,6 +27,7 @@ #include <errno.h> #include <stdio.h> #include <stddef.h> +#include <string.h> #include "stroke_msg.h" #include "stroke_keywords.h" @@ -54,10 +55,13 @@ static char* push_string(stroke_msg_t *msg, char *string) static int send_stroke_msg (stroke_msg_t *msg) { - struct sockaddr_un ctl_addr = { AF_UNIX, STROKE_SOCKET }; + struct sockaddr_un ctl_addr; int sock; char buffer[64]; int byte_count; + + ctl_addr.sun_family = AF_UNIX; + strcpy(ctl_addr.sun_path, STROKE_SOCKET); msg->output_verbosity = 1; /* CONTROL */ |