diff options
Diffstat (limited to 'src/charon')
51 files changed, 1262 insertions, 234 deletions
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index 7c5e139e4..1d27d13cd 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -106,13 +106,14 @@ AM_CFLAGS = -rdynamic \ -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_PLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" -charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm -ldl +charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB) EXTRA_DIST = config/proposal_keywords.txt -MAINTAINERCLEANFILES = config/proposal_keywords.c +BUILT_SOURCES = $(srcdir)/config/proposal_keywords.c +MAINTAINERCLEANFILES = $(srcdir)/config/proposal_keywords.c -config/proposal_keywords.c: config/proposal_keywords.txt config/proposal_keywords.h - (cd `dirname $<` && $(GPERF) -C -G -c -t < `basename $<` > `basename $@` ) +$(srcdir)/config/proposal_keywords.c: $(srcdir)/config/proposal_keywords.txt $(srcdir)/config/proposal_keywords.h + $(GPERF) -C -G -c -t -D < $(srcdir)/config/proposal_keywords.txt > $@ # compile options ################# @@ -162,6 +163,11 @@ if USE_KERNEL_PFKEY PLUGINS += kernel-pfkey endif +if USE_KERNEL_PFROUTE + SUBDIRS += plugins/kernel_pfroute + PLUGINS += kernel-pfroute +endif + if USE_KERNEL_KLIPS SUBDIRS += plugins/kernel_klips PLUGINS += kernel-klips diff --git a/src/charon/config/auth_cfg.c b/src/charon/config/auth_cfg.c index 87aca3813..c8566087c 100644 --- a/src/charon/config/auth_cfg.c +++ b/src/charon/config/auth_cfg.c @@ -340,7 +340,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, if (!success && log_error) { DBG1(DBG_CFG, "constraint check failed: peer not " - "authenticated by CA '%D'.", c1->get_subject(c1)); + "authenticated by CA '%Y'.", c1->get_subject(c1)); } break; } @@ -356,7 +356,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, if (log_error) { DBG1(DBG_CFG, "constraint check failed: peer not " - "authenticated with peer cert '%D'.", + "authenticated with peer cert '%Y'.", c1->get_subject(c1)); } } @@ -411,7 +411,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, success = FALSE; if (log_error) { - DBG1(DBG_CFG, "constraint check failed: %sidentity '%D'" + DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'" " required ", t1 == AUTH_RULE_IDENTITY ? "" : "EAP ", id1); } diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c index 28e50ef0a..43d9594fe 100644 --- a/src/charon/config/backend_manager.c +++ b/src/charon/config/backend_manager.c @@ -339,7 +339,7 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this, return enumerator; } - DBG1(DBG_CFG, "looking for peer configs matching %H[%D]...%H[%D]", + DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]", me, my_id, other, other_id); configs = linked_list_create(); diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c index 3cd4e35ed..695022448 100644 --- a/src/charon/credentials/credential_manager.c +++ b/src/charon/credentials/credential_manager.c @@ -530,7 +530,7 @@ static bool verify_ocsp(private_credential_manager_t *this, { if (this->cache->issued_by(this->cache, subject, issuer)) { - DBG1(DBG_CFG, " ocsp response correctly signed by \"%D\"", + DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", issuer->get_subject(issuer)); verified = TRUE; break; @@ -756,7 +756,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl) { if (this->cache->issued_by(this->cache, crl, issuer)) { - DBG1(DBG_CFG, " crl correctly signed by \"%D\"", + DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", issuer->get_subject(issuer)); verified = TRUE; break; @@ -966,7 +966,7 @@ static bool check_certificate(private_credential_manager_t *this, { if (ocsp || crl) { - DBG1(DBG_CFG, "checking certificate status of \"%D\"", + DBG1(DBG_CFG, "checking certificate status of \"%Y\"", subject->get_subject(subject)); } if (ocsp) @@ -1082,7 +1082,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, if (this->cache->issued_by(this->cache, issuer, issuer)) { auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); - DBG1(DBG_CFG, " using trusted ca certificate \"%D\"", + DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", issuer->get_subject(issuer)); trusted = TRUE; } @@ -1090,7 +1090,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, { auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer)); DBG1(DBG_CFG, " using trusted intermediate ca certificate " - "\"%D\"", issuer->get_subject(issuer)); + "\"%Y\"", issuer->get_subject(issuer)); } } else @@ -1100,18 +1100,18 @@ static bool verify_trust_chain(private_credential_manager_t *this, { if (current->equals(current, issuer)) { - DBG1(DBG_CFG, " self-signed certificate \"%D\" is not trusted", + DBG1(DBG_CFG, " self-signed certificate \"%Y\" is not trusted", current->get_subject(current)); issuer->destroy(issuer); break; } auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer)); DBG1(DBG_CFG, " using untrusted intermediate certificate " - "\"%D\"", issuer->get_subject(issuer)); + "\"%Y\"", issuer->get_subject(issuer)); } else { - DBG1(DBG_CFG, "no issuer certificate found for \"%D\"", + DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", current->get_subject(current)); break; } @@ -1197,7 +1197,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this, { this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, this->pretrusted->get_ref(this->pretrusted)); - DBG1(DBG_CFG, " using trusted certificate \"%D\"", + DBG1(DBG_CFG, " using trusted certificate \"%Y\"", this->pretrusted->get_subject(this->pretrusted)); *cert = this->pretrusted; if (auth) @@ -1217,7 +1217,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this, continue; } - DBG1(DBG_CFG, " using certificate \"%D\"", + DBG1(DBG_CFG, " using certificate \"%Y\"", current->get_subject(current)); if (verify_trust_chain(this->this, current, this->auth, FALSE, this->crl, this->ocsp)) diff --git a/src/charon/credentials/sets/auth_cfg_wrapper.c b/src/charon/credentials/sets/auth_cfg_wrapper.c index 2e93cc53a..55f265513 100644 --- a/src/charon/credentials/sets/auth_cfg_wrapper.c +++ b/src/charon/credentials/sets/auth_cfg_wrapper.c @@ -96,7 +96,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, return FALSE; } - DBG1(DBG_CFG, " fetched certificate \"%D\"", cert->get_subject(cert)); + DBG1(DBG_CFG, " fetched certificate \"%Y\"", cert->get_subject(cert)); charon->credentials->cache_cert(charon->credentials, cert); if (*rule == AUTH_HELPER_IM_HASH_URL) diff --git a/src/charon/daemon.c b/src/charon/daemon.c index 6dcb39a89..339846a85 100644 --- a/src/charon/daemon.c +++ b/src/charon/daemon.c @@ -17,7 +17,9 @@ */ #include <stdio.h> +#ifdef HAVE_PRCTL #include <sys/prctl.h> +#endif #include <signal.h> #include <pthread.h> #include <sys/stat.h> @@ -240,8 +242,10 @@ static void kill_daemon(private_daemon_t *this, char *reason) * drop daemon capabilities */ static void drop_capabilities(private_daemon_t *this) -{ +{ +#ifdef HAVE_PRCTL prctl(PR_SET_KEEPCAPS, 1); +#endif if (setgid(charon->gid) != 0) { diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c index fca149613..159831667 100644 --- a/src/charon/kernel/kernel_interface.c +++ b/src/charon/kernel/kernel_interface.c @@ -109,10 +109,10 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi, /** * Implementation of kernel_interface_t.del_sa */ -static status_t del_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) { - return this->ipsec->del_sa(this->ipsec, dst, spi, protocol, cpi); + return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi); } /** @@ -373,7 +373,7 @@ kernel_interface_t *kernel_interface_create() this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h index 85ba881cf..e1089a0de 100644 --- a/src/charon/kernel/kernel_interface.h +++ b/src/charon/kernel/kernel_interface.h @@ -145,14 +145,15 @@ struct kernel_interface_t { /** * Delete a previously installed SA from the SAD. * + * @param src source address for this SA * @param dst destination address for this SA * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param cpi CPI for IPComp or 0 * @return SUCCESS if operation completed */ - status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int16_t cpi); + status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi); /** * Add a policy to the SPD. diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h index 6360e5fd9..d0b15a4ad 100644 --- a/src/charon/kernel/kernel_ipsec.h +++ b/src/charon/kernel/kernel_ipsec.h @@ -35,17 +35,15 @@ typedef struct kernel_ipsec_t kernel_ipsec_t; #include <encoding/payloads/proposal_substructure.h> /** - * Mode of an CHILD_SA. - * - * These are equal to those defined in XFRM, so don't change. + * Mode of a CHILD_SA. */ enum ipsec_mode_t { /** transport mode, no inner address */ - MODE_TRANSPORT = 0, + MODE_TRANSPORT = 1, /** tunnel mode, inner and outer addresses */ - MODE_TUNNEL = 1, + MODE_TUNNEL, /** BEET mode, tunnel mode but fixed, bound inner addresses */ - MODE_BEET = 4, + MODE_BEET, }; /** @@ -177,14 +175,15 @@ struct kernel_ipsec_t { /** * Delete a previusly installed SA from the SAD. * + * @param src source address for this SA * @param dst destination address for this SA * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param cpi CPI for IPComp or 0 * @return SUCCESS if operation completed */ - status_t (*del_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int16_t cpi); + status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi); /** * Add a policy to the SPD. diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c index c43ba0207..d93a8d520 100644 --- a/src/charon/network/socket.c +++ b/src/charon/network/socket.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2008 Tobias Brunner + * Copyright (C) 2006-2009 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -30,12 +30,11 @@ #include <stdlib.h> #include <fcntl.h> #include <sys/ioctl.h> +#include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip6.h> #include <netinet/udp.h> -#include <linux/types.h> -#include <linux/filter.h> #include <net/if.h> #include "socket.h" @@ -54,10 +53,12 @@ #define UDP_ENCAP_ESPINUDP 2 #endif /*UDP_ENCAP_ESPINUDP*/ -/* needed for older kernel headers */ -#ifndef IPV6_2292PKTINFO -#define IPV6_2292PKTINFO 2 -#endif /*IPV6_2292PKTINFO*/ +/* these are not defined on some platforms */ +#ifndef SOL_IP +#define SOL_IP IPPROTO_IP +#define SOL_IPV6 IPPROTO_IPV6 +#define SOL_UDP IPPROTO_UDP +#endif typedef struct private_socket_t private_socket_t; @@ -201,7 +202,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet) } if (cmsgptr->cmsg_level == SOL_IPV6 && - cmsgptr->cmsg_type == IPV6_2292PKTINFO) + cmsgptr->cmsg_type == IPV6_PKTINFO) { struct in6_pktinfo *pktinfo; pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr); @@ -214,14 +215,26 @@ static status_t receiver(private_socket_t *this, packet_t **packet) dest = host_create_from_sockaddr((sockaddr_t*)&dst); } if (cmsgptr->cmsg_level == SOL_IP && - cmsgptr->cmsg_type == IP_PKTINFO) - { +#ifdef IP_RECVDSTADDR + cmsgptr->cmsg_type == IP_RECVDSTADDR +#else + cmsgptr->cmsg_type == IP_PKTINFO +#endif + ) + { + struct in_addr *addr; + struct sockaddr_in dst; + +#ifdef IP_RECVDSTADDR + addr = (struct in_addr*)CMSG_DATA(cmsgptr); +#else struct in_pktinfo *pktinfo; pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr); - struct sockaddr_in dst; - + addr = &pktinfo->ipi_addr; +#endif memset(&dst, 0, sizeof(dst)); - memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr)); + memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr)); + dst.sin_family = AF_INET; dst.sin_port = htons(port); dest = host_create_from_sockaddr((sockaddr_t*)&dst); @@ -340,24 +353,35 @@ status_t sender(private_socket_t *this, packet_t *packet) msg.msg_iovlen = 1; msg.msg_flags = 0; - if (!dst->is_anyaddr(dst)) + if (!src->is_anyaddr(src)) { if (family == AF_INET) { + struct in_addr *addr; + struct sockaddr_in *sin; +#ifdef IP_SENDSRCADDR + char buf[CMSG_SPACE(sizeof(struct in_addr))]; +#else char buf[CMSG_SPACE(sizeof(struct in_pktinfo))]; struct in_pktinfo *pktinfo; - struct sockaddr_in *sin; - +#endif msg.msg_control = buf; msg.msg_controllen = sizeof(buf); cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_level = SOL_IP; +#ifdef IP_SENDSRCADDR + cmsg->cmsg_type = IP_SENDSRCADDR; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); + addr = (struct in_addr*)CMSG_DATA(cmsg); +#else cmsg->cmsg_type = IP_PKTINFO; cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); memset(pktinfo, 0, sizeof(struct in_pktinfo)); + addr = &pktinfo->ipi_spec_dst; +#endif sin = (struct sockaddr_in*)src->get_sockaddr(src); - memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr)); + memcpy(addr, &sin->sin_addr, sizeof(struct in_addr)); } else { @@ -369,7 +393,7 @@ status_t sender(private_socket_t *this, packet_t *packet) msg.msg_controllen = sizeof(buf); cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_level = SOL_IPV6; - cmsg->cmsg_type = IPV6_2292PKTINFO; + cmsg->cmsg_type = IPV6_PKTINFO; cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); memset(pktinfo, 0, sizeof(struct in6_pktinfo)); @@ -389,13 +413,14 @@ status_t sender(private_socket_t *this, packet_t *packet) } /** - * open a socket to send packets + * open a socket to send and receive packets */ static int open_socket(private_socket_t *this, int family, u_int16_t port) { int on = TRUE; int type = UDP_ENCAP_ESPINUDP; struct sockaddr_storage addr; + socklen_t addrlen; u_int sol, pktinfo; int skt; @@ -409,8 +434,13 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port) sin->sin_family = AF_INET; sin->sin_addr.s_addr = INADDR_ANY; sin->sin_port = htons(port); + addrlen = sizeof(struct sockaddr_in); sol = SOL_IP; +#ifdef IP_RECVDSTADDR + pktinfo = IP_RECVDSTADDR; +#else pktinfo = IP_PKTINFO; +#endif break; } case AF_INET6: @@ -419,8 +449,9 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port) sin6->sin6_family = AF_INET6; memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any)); sin6->sin6_port = htons(port); + addrlen = sizeof(struct sockaddr_in6); sol = SOL_IPV6; - pktinfo = IPV6_2292PKTINFO; + pktinfo = IPV6_RECVPKTINFO; break; } default: @@ -440,8 +471,8 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port) return 0; } - /* bind the send socket */ - if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0) + /* bind the socket */ + if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0) { DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno)); close(skt); diff --git a/src/charon/plugins/eap_aka/eap_aka.c b/src/charon/plugins/eap_aka/eap_aka.c index da06d8059..da2adeb8a 100644 --- a/src/charon/plugins/eap_aka/eap_aka.c +++ b/src/charon/plugins/eap_aka/eap_aka.c @@ -880,7 +880,7 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn, /* Get the shared key K: */ if (load_key(this->server, this->peer, &this->k) != SUCCESS) { - DBG1(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate " + DBG1(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate " "with EAP-AKA", this->server, this->peer); return FAILED; } @@ -1202,7 +1202,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this, { *out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_AUTHENTICATION_REJECT, AT_END); - DBG3(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate " + DBG3(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate " "with EAP-AKA, sending %N", this->peer, this->server, aka_subtype_names, AKA_AUTHENTICATION_REJECT); return NEED_MORE; diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c index 0a93a90f6..9bcdbd686 100644 --- a/src/charon/plugins/eap_gtc/eap_gtc.c +++ b/src/charon/plugins/eap_gtc/eap_gtc.c @@ -174,7 +174,7 @@ static status_t process_peer(private_eap_gtc_t *this, this->peer, this->server); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'", this->peer, this->server); return FAILED; } diff --git a/src/charon/plugins/eap_md5/eap_md5.c b/src/charon/plugins/eap_md5/eap_md5.c index 533948000..47494388b 100644 --- a/src/charon/plugins/eap_md5/eap_md5.c +++ b/src/charon/plugins/eap_md5/eap_md5.c @@ -90,7 +90,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response) this->server, this->peer); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", this->server, this->peer); return NOT_FOUND; } diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c index 9bbff817a..ef142c1cd 100644 --- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c @@ -667,7 +667,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this, SHARED_EAP, this->peer, this->server); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", this->server, this->peer); return NOT_FOUND; } @@ -1019,14 +1019,14 @@ static status_t process_server_response(private_eap_mschapv2_t *this, name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255); snprintf(buf, sizeof(buf), "%.*s", name_len, res->name); userid = identification_create_from_string(buf); - DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%D'", userid); + DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid); username = extract_username(userid); shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP, this->server, userid); if (shared == NULL) { - DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'", + DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", this->server, userid); /* FIXME: windows 7 always sends the username that is first entered in * the username box, even, if the user changes it during retries (probably diff --git a/src/charon/plugins/eap_sim/eap_sim.c b/src/charon/plugins/eap_sim/eap_sim.c index c2902b54b..fc33d6c93 100644 --- a/src/charon/plugins/eap_sim/eap_sim.c +++ b/src/charon/plugins/eap_sim/eap_sim.c @@ -571,7 +571,7 @@ static bool get_card_triplet(private_eap_sim_t *this, enumerator->destroy(enumerator); if (!card) { - DBG1(DBG_IKE, "no SIM card found matching '%D'", this->peer); + DBG1(DBG_IKE, "no SIM card found matching '%Y'", this->peer); } return success; } @@ -775,7 +775,7 @@ static bool get_provider_triplet(private_eap_sim_t *this, tried++; } enumerator->destroy(enumerator); - DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%D'", + DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'", tried, this->peer); return FALSE; } diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c index e130c0526..627857f3d 100644 --- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c +++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c @@ -220,7 +220,7 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path) continue; } - DBG2(DBG_CFG, "triplet: imsi %D\nrand %b\nsres %b\nkc %b", + DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b", triplet->imsi, triplet->rand, RAND_LEN, triplet->sres, SRES_LEN, triplet->kc, KC_LEN); diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c index 3d84805c8..1751ee807 100644 --- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1938,8 +1938,9 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -2610,7 +2611,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c index e3b683474..977740663 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -375,6 +375,24 @@ static protocol_id_t proto_kernel2ike(u_int8_t proto) } /** + * convert the general ipsec mode to the one defined in xfrm.h + */ +static u_int8_t mode2kernel(ipsec_mode_t mode) +{ + switch (mode) + { + case MODE_TRANSPORT: + return XFRM_MODE_TRANSPORT; + case MODE_TUNNEL: + return XFRM_MODE_TUNNEL; + case MODE_BEET: + return XFRM_MODE_BEET; + default: + return mode; + } +} + +/** * convert a host_t to a struct xfrm_address */ static void host2xfrm(host_t *host, xfrm_address_t *xfrm) @@ -803,7 +821,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, host2xfrm(src, &userspi->info.saddr); host2xfrm(dst, &userspi->info.id.daddr); userspi->info.id.proto = proto; - userspi->info.mode = TRUE; /* tunnel mode */ + userspi->info.mode = XFRM_MODE_TUNNEL; userspi->info.reqid = reqid; userspi->info.family = src->get_family(src); userspi->min = min; @@ -941,7 +959,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, sa->id.spi = spi; sa->id.proto = proto_ike2kernel(protocol); sa->family = src->get_family(src); - sa->mode = mode; + sa->mode = mode2kernel(mode); if (mode == MODE_TUNNEL) { sa->flags |= XFRM_STATE_AF_UNSPEC; @@ -1216,8 +1234,9 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { netlink_buf_t request; struct nlmsghdr *hdr; @@ -1226,7 +1245,7 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst, /* if IPComp was used, we first delete the additional IPComp SA */ if (cpi) { - del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0); + del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0); } memset(&request, 0, sizeof(request)); @@ -1339,7 +1358,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this, } /* delete the old SA (without affecting the IPComp SA) */ - if (del_sa(this, dst, spi, protocol, 0) != SUCCESS) + if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS) { DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi)); free(out); @@ -1526,7 +1545,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, tmpl->reqid = reqid; tmpl->id.proto = IPPROTO_COMP; tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode; + tmpl->mode = mode2kernel(mode); tmpl->optional = direction != POLICY_OUT; tmpl->family = src->get_family(src); @@ -1547,7 +1566,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this, tmpl->reqid = reqid; tmpl->id.proto = proto_ike2kernel(protocol); tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode; + tmpl->mode = mode2kernel(mode); tmpl->family = src->get_family(src); host2xfrm(src, &tmpl->saddr); @@ -1871,7 +1890,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c index f18a5359c..9090e3215 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c @@ -1175,7 +1175,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty /** * Implementation of kernel_net_t.add_route. */ -status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, +static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL, @@ -1185,7 +1185,7 @@ status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, /** * Implementation of kernel_net_t.del_route. */ -status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net, +static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) { return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen, diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 6ef5b52a2..95932eb9c 100644 --- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2009 Tobias Brunner * Copyright (C) 2008 Andreas Steffen * Hochschule fuer Technik Rapperswil * @@ -18,10 +18,32 @@ #include <sys/types.h> #include <sys/socket.h> + +#ifdef HAVE_NET_PFKEYV2_H +#include <net/pfkeyv2.h> +#else #include <stdint.h> -#include <linux/ipsec.h> #include <linux/pfkeyv2.h> +#endif + +#ifdef SADB_X_EXT_NAT_T_TYPE +#define HAVE_NATT +#endif + +#ifdef HAVE_NETIPSEC_IPSEC_H +#include <netipsec/ipsec.h> +#else +#include <linux/ipsec.h> +#endif + +#ifdef HAVE_NATT +#ifdef HAVE_NETINET_UDP_H +#include <netinet/udp.h> +#else #include <linux/udp.h> +#endif /*HAVE_NETINET_UDP_H*/ +#endif /*HAVE_NATT*/ + #include <unistd.h> #include <pthread.h> #include <errno.h> @@ -38,6 +60,30 @@ #include <processing/jobs/delete_child_sa_job.h> #include <processing/jobs/update_sa_job.h> +/** non linux specific */ +#ifndef IPPROTO_COMP +#define IPPROTO_COMP IPPROTO_IPCOMP +#endif + +#ifndef SADB_X_AALG_SHA2_256HMAC +#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256 +#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384 +#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512 +#endif + +#ifndef SADB_X_EALG_AESCBC +#define SADB_X_EALG_AESCBC SADB_X_EALG_AES +#endif + +#ifndef SADB_X_EALG_CASTCBC +#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC +#endif + +#ifndef SOL_IP +#define SOL_IP IPPROTO_IP +#define SOL_IPV6 IPPROTO_IPV6 +#endif + /** from linux/in.h */ #ifndef IP_IPSEC_POLICY #define IP_IPSEC_POLICY 16 @@ -46,7 +92,7 @@ /* missing on uclibc */ #ifndef IPV6_IPSEC_POLICY #define IPV6_IPSEC_POLICY 34 -#endif /*IPV6_IPSEC_POLICY*/ +#endif /** default priority of installed policies */ #define PRIO_LOW 3000 @@ -160,8 +206,8 @@ struct route_entry_t { static void route_entry_destroy(route_entry_t *this) { free(this->if_name); - this->src_ip->destroy(this->src_ip); - this->gateway->destroy(this->gateway); + DESTROY_IF(this->src_ip); + DESTROY_IF(this->gateway); chunk_free(&this->dst_net); free(this); } @@ -217,7 +263,7 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts, /* src or dest proto may be "any" (0), use more restrictive one */ policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts)); - policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; + policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; policy->dst.proto = policy->src.proto; return policy; @@ -268,7 +314,6 @@ struct pfkey_msg_t */ struct sadb_msg *msg; - /** * PF_KEY message extensions */ @@ -305,7 +350,7 @@ struct pfkey_msg_t }; }; -ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS, +ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX, "SADB_EXT_RESERVED", "SADB_EXT_SA", "SADB_EXT_LIFETIME_CURRENT", @@ -333,6 +378,7 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS, "SADB_X_EXT_SEC_CTX", "SADB_X_EXT_KMADDRESS" ); + /** * convert a IKEv2 specific protocol identifier to the PF_KEY sa type */ @@ -396,8 +442,10 @@ static u_int8_t mode2kernel(ipsec_mode_t mode) return IPSEC_MODE_TRANSPORT; case MODE_TUNNEL: return IPSEC_MODE_TUNNEL; +#ifdef IPSEC_MODE_BEET case MODE_BEET: return IPSEC_MODE_BEET; +#endif default: return mode; } @@ -414,13 +462,16 @@ static u_int8_t dir2kernel(policy_dir_t dir) return IPSEC_DIR_INBOUND; case POLICY_OUT: return IPSEC_DIR_OUTBOUND; +#ifdef IPSEC_DIR_FWD case POLICY_FWD: return IPSEC_DIR_FWD; +#endif default: return dir; } } +#ifdef SADB_X_MIGRATE /** * convert the policy direction in ipsec.h to the general one. */ @@ -432,12 +483,16 @@ static policy_dir_t kernel2dir(u_int8_t dir) return POLICY_IN; case IPSEC_DIR_OUTBOUND: return POLICY_OUT; +#ifdef IPSEC_DIR_FWD case IPSEC_DIR_FWD: return POLICY_FWD; +#endif default: return dir; } } +#endif /*SADB_X_MIGRATE*/ + typedef struct kernel_algorithm_t kernel_algorithm_t; /** @@ -461,32 +516,32 @@ struct kernel_algorithm_t { * Algorithms for encryption */ static kernel_algorithm_t encryption_algs[] = { -/* {ENCR_DES_IV64, 0 }, */ - {ENCR_DES, SADB_EALG_DESCBC }, - {ENCR_3DES, SADB_EALG_3DESCBC }, -/* {ENCR_RC5, 0 }, */ -/* {ENCR_IDEA, 0 }, */ - {ENCR_CAST, SADB_X_EALG_CASTCBC }, - {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC }, -/* {ENCR_3IDEA, 0 }, */ -/* {ENCR_DES_IV32, 0 }, */ - {ENCR_NULL, SADB_EALG_NULL }, - {ENCR_AES_CBC, SADB_X_EALG_AESCBC }, -/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */ +/* {ENCR_DES_IV64, 0 }, */ + {ENCR_DES, SADB_EALG_DESCBC }, + {ENCR_3DES, SADB_EALG_3DESCBC }, +/* {ENCR_RC5, 0 }, */ +/* {ENCR_IDEA, 0 }, */ + {ENCR_CAST, SADB_X_EALG_CASTCBC }, + {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC }, +/* {ENCR_3IDEA, 0 }, */ +/* {ENCR_DES_IV32, 0 }, */ + {ENCR_NULL, SADB_EALG_NULL }, + {ENCR_AES_CBC, SADB_X_EALG_AESCBC }, +/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */ /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */ /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */ /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */ /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */ /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */ /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */ - {END_OF_LIST, 0 }, + {END_OF_LIST, 0 }, }; /** * Algorithms for integrity protection */ static kernel_algorithm_t integrity_algs[] = { - {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC }, + {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC }, {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC }, {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC }, {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC }, @@ -494,7 +549,7 @@ static kernel_algorithm_t integrity_algs[] = { /* {AUTH_DES_MAC, 0, }, */ /* {AUTH_KPDK_MD5, 0, }, */ {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, }, - {END_OF_LIST, 0, }, + {END_OF_LIST, 0, }, }; #if 0 @@ -502,11 +557,11 @@ static kernel_algorithm_t integrity_algs[] = { * Algorithms for IPComp, unused yet */ static kernel_algorithm_t compression_algs[] = { -/* {IPCOMP_OUI, 0 }, */ +/* {IPCOMP_OUI, 0 }, */ {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE }, {IPCOMP_LZS, SADB_X_CALG_LZS }, {IPCOMP_LZJH, SADB_X_CALG_LZJH }, - {END_OF_LIST, 0 }, + {END_OF_LIST, 0 }, }; #endif @@ -533,8 +588,11 @@ static void host2ext(host_t *host, struct sadb_address *ext) { sockaddr_t *host_addr = host->get_sockaddr(host); socklen_t *len = host->get_sockaddr_len(host); - memcpy((char*)(ext + 1), host_addr, *len); - ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len); +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN + host_addr->sa_len = *len; +#endif + memcpy((char*)(ext + 1), host_addr, *len); + ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len); } /** @@ -562,10 +620,14 @@ static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type) addr->sadb_address_exttype = type; sockaddr_t *saddr = (sockaddr_t*)(addr + 1); saddr->sa_family = family; - addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len); +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN + saddr->sa_len = len; +#endif + addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len); PFKEY_EXT_ADD(msg, addr); } +#ifdef HAVE_NATT /** * add udp encap extensions to a sadb_msg */ @@ -592,6 +654,7 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst) nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst)); PFKEY_EXT_ADD(msg, nat_port); } +#endif /*HAVE_NATT*/ /** * Convert a sadb_address to a traffic_selector @@ -606,7 +669,7 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address) */ host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ; ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen, - address->sadb_address_proto, host->get_port(host)); + address->sadb_address_proto, host->get_port(host)); return ts; } @@ -645,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out) if (out->ext[ext->sadb_ext_type]) { - DBG1(DBG_KNL, "duplicate %N extension", + DBG1(DBG_KNL, "duplicate %N extension", sadb_ext_type_names, ext->sadb_ext_type); break; } @@ -699,7 +762,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket } while (TRUE) - { + { msg = (struct sadb_msg*)buf; len = recv(socket, buf, sizeof(buf), 0); @@ -757,7 +820,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket *out_len = len; *out = (struct sadb_msg*)malloc(len); memcpy(*out, buf, len); - + this->mutex_pfkey->unlock(this->mutex_pfkey); return SUCCESS; @@ -868,8 +931,9 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* charon->processor->queue_job(charon->processor, job); } +#ifdef SADB_X_MIGRATE /** - * Process a SADB_MIGRATE message from the kernel + * Process a SADB_X_MIGRATE message from the kernel */ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg) { @@ -893,7 +957,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts, policy_dir_names, dir); - /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */ + /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */ if (response.x_kmaddress) { sockaddr_t *local_addr, *remote_addr; @@ -924,7 +988,9 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* DESTROY_IF(remote); } } +#endif /*SADB_X_MIGRATE*/ +#ifdef HAVE_NATT /** * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel */ @@ -980,6 +1046,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* } } } +#endif /*HAVE_NATT*/ /** * Receives events from kernel @@ -991,7 +1058,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) int len, oldstate; pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - len = recv(this->socket_events, buf, sizeof(buf), 0); + len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0); pthread_setcancelstate(oldstate, NULL); if (len < 0) @@ -1035,12 +1102,16 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) case SADB_EXPIRE: process_expire(this, msg); break; +#ifdef SADB_X_MIGRATE case SADB_X_MIGRATE: process_migrate(this, msg); break; +#endif /*SADB_X_MIGRATE*/ +#ifdef HAVE_NATT case SADB_X_NAT_T_NEW_MAPPING: process_mapping(this, msg); break; +#endif /*HAVE_NATT*/ default: break; } @@ -1051,8 +1122,8 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this) /** * Implementation of kernel_interface_t.get_spi. */ -static status_t get_spi(private_kernel_pfkey_ipsec_t *this, - host_t *src, host_t *dst, +static status_t get_spi(private_kernel_pfkey_ipsec_t *this, + host_t *src, host_t *dst, protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi) { @@ -1099,7 +1170,7 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this, { received_spi = response.sa->sadb_sa_spi; } - free(out); + free(out); } if (received_spi == 0) @@ -1114,8 +1185,8 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this, /** * Implementation of kernel_interface_t.get_cpi. */ -static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, - host_t *src, host_t *dst, +static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, + host_t *src, host_t *dst, u_int32_t reqid, u_int16_t *cpi) { return FAILED; @@ -1226,11 +1297,13 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this, { /*TODO*/ } - + +#ifdef HAVE_NATT if (encap) { add_encap_ext(msg, src, dst); } +#endif /*HAVE_NATT*/ if (pfkey_send(this, msg, &out, &len) != SUCCESS) { @@ -1346,11 +1419,13 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, { PFKEY_EXT_COPY(msg, response.key_auth); } - + +#ifdef HAVE_NATT if (new_encap) { add_encap_ext(msg, new_src, new_dst); } +#endif /*HAVE_NATT*/ free(out); @@ -1374,8 +1449,9 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1398,9 +1474,8 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst, sa->sadb_sa_spi = spi; PFKEY_EXT_ADD(msg, sa); - /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though - * it is not used for anything. */ - add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC); + /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */ + add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); if (pfkey_send(this, msg, &out, &len) != SUCCESS) @@ -1424,7 +1499,7 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst, /** * Implementation of kernel_interface_t.add_policy. */ -static status_t add_policy(private_kernel_pfkey_ipsec_t *this, +static status_t add_policy(private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, @@ -1463,7 +1538,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, this->policies->insert_last(this->policies, policy); policy->refcount = 1; } - + memset(&request, 0, sizeof(request)); DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts, @@ -1480,12 +1555,14 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy)); pol->sadb_x_policy_id = 0; pol->sadb_x_policy_dir = dir2kernel(direction); + pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; +#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY /* calculate priority based on source selector size, small size = high prio */ pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH; pol->sadb_x_policy_priority -= policy->src.mask * 10; pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0; pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0; - pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; +#endif /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */ req = (struct sadb_x_ipsecrequest*)(pol + 1); @@ -1599,9 +1676,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, { free(route); } - } + } - this->mutex->unlock(this->mutex); + this->mutex->unlock(this->mutex); return SUCCESS; } @@ -1610,7 +1687,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, * Implementation of kernel_interface_t.query_policy. */ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, - traffic_selector_t *src_ts, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time) { @@ -1689,7 +1766,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, *use_time = response.lft_current->sadb_lifetime_usetime; free(out); - + return SUCCESS; } @@ -1697,7 +1774,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, * Implementation of kernel_interface_t.del_policy. */ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, - traffic_selector_t *src_ts, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted) { @@ -1722,7 +1799,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, if (--found->refcount > 0) { /* is used by more SAs, keep in kernel */ - DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); + DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); policy_entry_destroy(policy); this->mutex->unlock(this->mutex); return SUCCESS; @@ -1741,7 +1818,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, return NOT_FOUND; } this->mutex->unlock(this->mutex); - + memset(&request, 0, sizeof(request)); msg = (struct sadb_msg*)request; @@ -1791,7 +1868,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, DBG1(DBG_KNL, "error uninstalling route installed with " "policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); - } + } route_entry_destroy(route); } @@ -1863,22 +1940,26 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this) switch (family) { case AF_INET: + { sol = SOL_IP; ipsec_policy = IP_IPSEC_POLICY; break; + } case AF_INET6: { sol = SOL_IPV6; ipsec_policy = IPV6_IPSEC_POLICY; break; } + default: + continue; } memset(&policy, 0, sizeof(policy)); policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t); policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS; - + policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { @@ -1890,7 +1971,7 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this) policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", + DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", strerror(errno)); status = FALSE; break; @@ -1912,7 +1993,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am new file mode 100644 index 000000000..3ad445c09 --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/Makefile.am @@ -0,0 +1,10 @@ + +INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon + +AM_CFLAGS = -rdynamic + +plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la + +libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ + kernel_pfroute_net.h kernel_pfroute_net.c +libstrongswan_kernel_pfroute_la_LDFLAGS = -module diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c new file mode 100644 index 000000000..7805b6354 --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -0,0 +1,715 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include <sys/types.h> +#include <sys/socket.h> +#include <net/if.h> +#include <ifaddrs.h> +#include <net/route.h> +#include <unistd.h> +#include <pthread.h> +#include <errno.h> + +#include "kernel_pfroute_net.h" + +#include <daemon.h> +#include <utils/host.h> +#include <utils/mutex.h> +#include <utils/linked_list.h> +#include <processing/jobs/callback_job.h> +#include <processing/jobs/roam_job.h> + +#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN +#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member. +#endif + +/** delay before firing roam jobs (ms) */ +#define ROAM_DELAY 100 + +/** buffer size for PF_ROUTE messages */ +#define PFROUTE_BUFFER_SIZE 4096 + +typedef struct addr_entry_t addr_entry_t; + +/** + * IP address in an inface_entry_t + */ +struct addr_entry_t { + + /** The ip address */ + host_t *ip; + + /** virtual IP managed by us */ + bool virtual; + + /** Number of times this IP is used, if virtual */ + u_int refcount; +}; + +/** + * destroy a addr_entry_t object + */ +static void addr_entry_destroy(addr_entry_t *this) +{ + this->ip->destroy(this->ip); + free(this); +} + +typedef struct iface_entry_t iface_entry_t; + +/** + * A network interface on this system, containing addr_entry_t's + */ +struct iface_entry_t { + + /** interface index */ + int ifindex; + + /** name of the interface */ + char ifname[IFNAMSIZ]; + + /** interface flags, as in netdevice(7) SIOCGIFFLAGS */ + u_int flags; + + /** list of addresses as host_t */ + linked_list_t *addrs; +}; + +/** + * destroy an interface entry + */ +static void iface_entry_destroy(iface_entry_t *this) +{ + this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy); + free(this); +} + + +typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t; + +/** + * Private variables and functions of kernel_pfroute class. + */ +struct private_kernel_pfroute_net_t +{ + /** + * Public part of the kernel_pfroute_t object. + */ + kernel_pfroute_net_t public; + + /** + * mutex to lock access to various lists + */ + mutex_t *mutex; + + /** + * Cached list of interfaces and their addresses (iface_entry_t) + */ + linked_list_t *ifaces; + + /** + * job receiving PF_ROUTE events + */ + callback_job_t *job; + + /** + * mutex to lock access to the PF_ROUTE socket + */ + mutex_t *mutex_pfroute; + + /** + * PF_ROUTE socket to communicate with the kernel + */ + int socket; + + /** + * PF_ROUTE socket to receive events + */ + int socket_events; + + /** + * sequence number for messages sent to the kernel + */ + int seq; + + /** + * time of last roam job + */ + struct timeval last_roam; +}; + +/** + * Start a roaming job. We delay it a bit and fire only one job + * for multiple events. Otherwise we would create too many jobs. + */ +static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address) +{ + struct timeval now; + + if (gettimeofday(&now, NULL) == 0) + { + if (timercmp(&now, &this->last_roam, >)) + { + now.tv_usec += ROAM_DELAY * 1000; + while (now.tv_usec > 1000000) + { + now.tv_sec++; + now.tv_usec -= 1000000; + } + this->last_roam = now; + charon->scheduler->schedule_job_ms(charon->scheduler, + (job_t*)roam_job_create(address), ROAM_DELAY); + } + } +} + +/** + * Process an RTM_*ADDR message from the kernel + */ +static void process_addr(private_kernel_pfroute_net_t *this, + struct rt_msghdr *msg) +{ + struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg; + sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1); + host_t *host = NULL; + enumerator_t *ifaces, *addrs; + iface_entry_t *iface; + addr_entry_t *addr; + bool found = FALSE, changed = FALSE, roam = FALSE; + int i; + + for (i = 1; i < (1 << RTAX_MAX); i <<= 1) + { + if (ifa->ifam_addrs & i) + { + if (RTA_IFA & i) + { + host = host_create_from_sockaddr(sockaddr); + break; + } + sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len); + } + } + + if (!host) + { + return; + } + + this->mutex->lock(this->mutex); + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, &iface)) + { + if (iface->ifindex == ifa->ifam_index) + { + addrs = iface->addrs->create_enumerator(iface->addrs); + while (addrs->enumerate(addrs, &addr)) + { + if (host->ip_equals(host, addr->ip)) + { + found = TRUE; + if (ifa->ifam_type == RTM_DELADDR) + { + iface->addrs->remove_at(iface->addrs, addrs); + if (!addr->virtual) + { + changed = TRUE; + DBG1(DBG_KNL, "%H disappeared from %s", + host, iface->ifname); + } + addr_entry_destroy(addr); + } + else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual) + { + addr->refcount = 1; + } + } + } + addrs->destroy(addrs); + + if (!found && ifa->ifam_type == RTM_NEWADDR) + { + changed = TRUE; + addr = malloc_thing(addr_entry_t); + addr->ip = host->clone(host); + addr->virtual = FALSE; + addr->refcount = 1; + iface->addrs->insert_last(iface->addrs, addr); + DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname); + } + + if (changed && (iface->flags & IFF_UP)) + { + roam = TRUE; + } + break; + } + } + ifaces->destroy(ifaces); + this->mutex->unlock(this->mutex); + host->destroy(host); + + if (roam) + { + fire_roam_job(this, TRUE); + } +} + +/** + * Process an RTM_IFINFO message from the kernel + */ +static void process_link(private_kernel_pfroute_net_t *this, + struct rt_msghdr *hdr) +{ + struct if_msghdr *msg = (struct if_msghdr*)hdr; + enumerator_t *enumerator; + iface_entry_t *iface; + bool roam = FALSE; + + if (msg->ifm_flags & IFF_LOOPBACK) + { /* ignore loopback interfaces */ + return; + } + + this->mutex->lock(this->mutex); + enumerator = this->ifaces->create_enumerator(this->ifaces); + while (enumerator->enumerate(enumerator, &iface)) + { + if (iface->ifindex == msg->ifm_index) + { + if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP)) + { + roam = TRUE; + DBG1(DBG_KNL, "interface %s activated", iface->ifname); + } + else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP)) + { + roam = TRUE; + DBG1(DBG_KNL, "interface %s deactivated", iface->ifname); + } + iface->flags = msg->ifm_flags; + break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + if (roam) + { + fire_roam_job(this, TRUE); + } +} + +/** + * Process an RTM_*ROUTE message from the kernel + */ +static void process_route(private_kernel_pfroute_net_t *this, + struct rt_msghdr *msg) +{ + +} + +/** + * Receives events from kernel + */ +static job_requeue_t receive_events(private_kernel_pfroute_net_t *this) +{ + unsigned char buf[PFROUTE_BUFFER_SIZE]; + struct rt_msghdr *msg = (struct rt_msghdr*)buf; + int len, oldstate; + + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0); + pthread_setcancelstate(oldstate, NULL); + + if (len < 0) + { + switch (errno) + { + case EINTR: + /* interrupted, try again */ + return JOB_REQUEUE_DIRECT; + case EAGAIN: + /* no data ready, select again */ + return JOB_REQUEUE_DIRECT; + default: + DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket"); + sleep(1); + return JOB_REQUEUE_FAIR; + } + } + + if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen || + msg->rtm_version != RTM_VERSION) + { + DBG2(DBG_KNL, "received corrupted PF_ROUTE message"); + return JOB_REQUEUE_DIRECT; + } + + switch (msg->rtm_type) + { + case RTM_NEWADDR: + case RTM_DELADDR: + process_addr(this, msg); + break; + case RTM_IFINFO: + /*case RTM_IFANNOUNCE <- what about this*/ + process_link(this, msg); + break; + case RTM_ADD: + case RTM_DELETE: + process_route(this, msg); + default: + break; + } + + return JOB_REQUEUE_DIRECT; +} + + +/** enumerator over addresses */ +typedef struct { + private_kernel_pfroute_net_t* this; + /** whether to enumerate down interfaces */ + bool include_down_ifaces; + /** whether to enumerate virtual ip addresses */ + bool include_virtual_ips; +} address_enumerator_t; + +/** + * cleanup function for address enumerator + */ +static void address_enumerator_destroy(address_enumerator_t *data) +{ + data->this->mutex->unlock(data->this->mutex); + free(data); +} + +/** + * filter for addresses + */ +static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out) +{ + host_t *ip; + if (!data->include_virtual_ips && (*in)->virtual) + { /* skip virtual interfaces added by us */ + return FALSE; + } + ip = (*in)->ip; + if (ip->get_family(ip) == AF_INET6) + { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip); + if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) + { /* skip addresses with a unusable scope */ + return FALSE; + } + } + *out = ip; + return TRUE; +} + +/** + * enumerator constructor for interfaces + */ +static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data) +{ + return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs), + (void*)filter_addresses, data, NULL); +} + +/** + * filter for interfaces + */ +static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out) +{ + if (!data->include_down_ifaces && !((*in)->flags & IFF_UP)) + { /* skip interfaces not up */ + return FALSE; + } + *out = *in; + return TRUE; +} + +/** + * implementation of kernel_net_t.create_address_enumerator + */ +static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this, + bool include_down_ifaces, bool include_virtual_ips) +{ + address_enumerator_t *data = malloc_thing(address_enumerator_t); + data->this = this; + data->include_down_ifaces = include_down_ifaces; + data->include_virtual_ips = include_virtual_ips; + + this->mutex->lock(this->mutex); + return enumerator_create_nested( + enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces), + (void*)filter_interfaces, data, NULL), + (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy); +} + +/** + * implementation of kernel_net_t.get_interface_name + */ +static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip) +{ + enumerator_t *ifaces, *addrs; + iface_entry_t *iface; + addr_entry_t *addr; + char *name = NULL; + + DBG2(DBG_KNL, "getting interface name for %H", ip); + + this->mutex->lock(this->mutex); + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, &iface)) + { + addrs = iface->addrs->create_enumerator(iface->addrs); + while (addrs->enumerate(addrs, &addr)) + { + if (ip->ip_equals(ip, addr->ip)) + { + name = strdup(iface->ifname); + break; + } + } + addrs->destroy(addrs); + if (name) + { + break; + } + } + ifaces->destroy(ifaces); + this->mutex->unlock(this->mutex); + + if (name) + { + DBG2(DBG_KNL, "%H is on interface %s", ip, name); + } + else + { + DBG2(DBG_KNL, "%H is not a local address", ip); + } + return name; +} + +/** + * Implementation of kernel_net_t.get_source_addr. + */ +static host_t* get_source_addr(private_kernel_pfroute_net_t *this, + host_t *dest, host_t *src) +{ + return NULL; +} + +/** + * Implementation of kernel_net_t.get_nexthop. + */ +static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest) +{ + return NULL; +} + +/** + * Implementation of kernel_net_t.add_ip. + */ +static status_t add_ip(private_kernel_pfroute_net_t *this, + host_t *virtual_ip, host_t *iface_ip) +{ + return FAILED; +} + +/** + * Implementation of kernel_net_t.del_ip. + */ +static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip) +{ + return FAILED; +} + +/** + * Implementation of kernel_net_t.add_route. + */ +static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +{ + return FAILED; +} + +/** + * Implementation of kernel_net_t.del_route. + */ +static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net, + u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +{ + return FAILED; +} + +/** + * Initialize a list of local addresses. + */ +static status_t init_address_list(private_kernel_pfroute_net_t *this) +{ + struct ifaddrs *ifap, *ifa; + iface_entry_t *iface, *current; + addr_entry_t *addr; + enumerator_t *ifaces, *addrs; + + DBG1(DBG_KNL, "listening on interfaces:"); + + if (getifaddrs(&ifap) < 0) + { + DBG1(DBG_KNL, " failed to get interfaces!"); + return FAILED; + } + + for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) + { + if (ifa->ifa_addr == NULL) + { + continue; + } + switch(ifa->ifa_addr->sa_family) + { + case AF_LINK: + case AF_INET: + case AF_INET6: + { + if (ifa->ifa_flags & IFF_LOOPBACK) + { /* ignore loopback interfaces */ + continue; + } + + iface = NULL; + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, ¤t)) + { + if (streq(current->ifname, ifa->ifa_name)) + { + iface = current; + break; + } + } + ifaces->destroy(ifaces); + + if (!iface) + { + iface = malloc_thing(iface_entry_t); + memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ); + iface->ifindex = if_nametoindex(ifa->ifa_name); + iface->flags = ifa->ifa_flags; + iface->addrs = linked_list_create(); + this->ifaces->insert_last(this->ifaces, iface); + } + + if (ifa->ifa_addr->sa_family != AF_LINK) + { + addr = malloc_thing(addr_entry_t); + addr->ip = host_create_from_sockaddr(ifa->ifa_addr); + addr->virtual = FALSE; + addr->refcount = 1; + iface->addrs->insert_last(iface->addrs, addr); + } + } + } + } + freeifaddrs(ifap); + + ifaces = this->ifaces->create_enumerator(this->ifaces); + while (ifaces->enumerate(ifaces, &iface)) + { + if (iface->flags & IFF_UP) + { + DBG1(DBG_KNL, " %s", iface->ifname); + addrs = iface->addrs->create_enumerator(iface->addrs); + while (addrs->enumerate(addrs, (void**)&addr)) + { + DBG1(DBG_KNL, " %H", addr->ip); + } + addrs->destroy(addrs); + } + } + ifaces->destroy(ifaces); + + return SUCCESS; +} + +/** + * Implementation of kernel_netlink_net_t.destroy. + */ +static void destroy(private_kernel_pfroute_net_t *this) +{ + this->job->cancel(this->job); + close(this->socket); + close(this->socket_events); + this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy); + this->mutex->destroy(this->mutex); + this->mutex_pfroute->destroy(this->mutex_pfroute); + free(this); +} + +/* + * Described in header. + */ +kernel_pfroute_net_t *kernel_pfroute_net_create() +{ + private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t); + + /* public functions */ + this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name; + this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator; + this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr; + this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop; + this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip; + this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip; + this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route; + this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route; + + this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy; + + /* private members */ + this->ifaces = linked_list_create(); + this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex_pfroute = mutex_create(MUTEX_DEFAULT); + + this->seq = 0; + + /* create a PF_ROUTE socket to communicate with the kernel */ + this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC); + if (this->socket <= 0) + { + charon->kill(charon, "unable to create PF_ROUTE socket"); + } + + /* create a PF_ROUTE socket to receive events */ + this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC); + if (this->socket_events <= 0) + { + charon->kill(charon, "unable to create PF_ROUTE event socket"); + } + + this->job = callback_job_create((callback_job_cb_t)receive_events, + this, NULL, NULL); + charon->processor->queue_job(charon->processor, (job_t*)this->job); + + if (init_address_list(this) != SUCCESS) + { + charon->kill(charon, "unable to get interface list"); + } + + return &this->public; +} diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h new file mode 100644 index 000000000..9138befc1 --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup kernel_pfroute_net_i kernel_pfroute_net + * @{ @ingroup kernel_pfroute + */ + +#ifndef KERNEL_PFROUTE_NET_H_ +#define KERNEL_PFROUTE_NET_H_ + +#include <kernel/kernel_net.h> + +typedef struct kernel_pfroute_net_t kernel_pfroute_net_t; + +/** + * Implementation of the kernel net interface using PF_ROUTE. + */ +struct kernel_pfroute_net_t { + + /** + * Implements kernel_net_t interface + */ + kernel_net_t interface; +}; + +/** + * Create a PF_ROUTE kernel net interface instance. + * + * @return kernel_pfroute_net_t instance + */ +kernel_pfroute_net_t *kernel_pfroute_net_create(); + +#endif /** KERNEL_PFROUTE_NET_H_ @}*/ diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c new file mode 100644 index 000000000..a6d95283b --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + + +#include "kernel_pfroute_plugin.h" + +#include "kernel_pfroute_net.h" + +#include <daemon.h> + +typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t; + +/** + * private data of kernel PF_ROUTE plugin + */ +struct private_kernel_pfroute_plugin_t { + /** + * implements plugin interface + */ + kernel_pfroute_plugin_t public; +}; + +/** + * Implementation of plugin_t.destroy + */ +static void destroy(private_kernel_pfroute_plugin_t *this) +{ + charon->kernel_interface->remove_net_interface(charon->kernel_interface, + (kernel_net_constructor_t)kernel_pfroute_net_create); + free(this); +} + +/* + * see header file + */ +plugin_t *plugin_create() +{ + private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t); + + this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + + charon->kernel_interface->add_net_interface(charon->kernel_interface, + (kernel_net_constructor_t)kernel_pfroute_net_create); + + return &this->public.plugin; +} diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h new file mode 100644 index 000000000..f8ae1a96a --- /dev/null +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2009 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup kernel_pfroute kernel_pfroute + * @ingroup cplugins + * + * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin + * @{ @ingroup kernel_pfroute + */ + +#ifndef KERNEL_PFROUTE_PLUGIN_H_ +#define KERNEL_PFROUTE_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t; + +/** + * PF_ROUTE kernel interface plugin + */ +struct kernel_pfroute_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +/** + * Create a kernel_pfroute_plugin instance. + */ +plugin_t *plugin_create(); + +#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/ diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c index 9abd65195..66ebd07c4 100644 --- a/src/charon/plugins/load_tester/load_tester_ipsec.c +++ b/src/charon/plugins/load_tester/load_tester_ipsec.c @@ -88,8 +88,9 @@ static status_t update_sa(private_load_tester_ipsec_t *this, /** * Implementation of kernel_interface_t.del_sa. */ -static status_t del_sa(private_load_tester_ipsec_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) +static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int16_t cpi) { return SUCCESS; } @@ -152,7 +153,7 @@ load_tester_ipsec_t *load_tester_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; - this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; + this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy; diff --git a/src/charon/plugins/medcli/medcli_creds.c b/src/charon/plugins/medcli/medcli_creds.c index 1e99f6990..2a4972046 100644 --- a/src/charon/plugins/medcli/medcli_creds.c +++ b/src/charon/plugins/medcli/medcli_creds.c @@ -96,7 +96,7 @@ static enumerator_t* create_private_enumerator(private_medcli_creds_t *this, if ((type != KEY_RSA && type != KEY_ANY) || id == NULL || id->get_type(id) != ID_KEY_ID) { - DBG1(DBG_CFG, "%N - %D", key_type_names, type, id); + DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id); return NULL; } diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c index c76222f28..1eab8f2c0 100644 --- a/src/charon/plugins/resolv_conf/resolv_conf_handler.c +++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c @@ -79,7 +79,7 @@ static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa, if (out) { addr = host_create_from_chunk(family, data, 0); - fprintf(out, "nameserver %H # by strongSwan, from %D\n", + fprintf(out, "nameserver %H # by strongSwan, from %Y\n", addr, ike_sa->get_other_id(ike_sa)); DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file); addr->destroy(addr); @@ -140,7 +140,7 @@ static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa, { addr = host_create_from_chunk(family, data, 0); snprintf(matcher, sizeof(matcher), - "nameserver %H # by strongSwan, from %D\n", + "nameserver %H # by strongSwan, from %Y\n", addr, ike_sa->get_other_id(ike_sa)); /* copy all, but matching line */ diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c index 33a2bb491..40eeefc74 100644 --- a/src/charon/plugins/smp/smp.c +++ b/src/charon/plugins/smp/smp.c @@ -109,7 +109,7 @@ static void write_id(xmlTextWriterPtr writer, char *element, identification_t *i break; } xmlTextWriterWriteAttribute(writer, "type", type); - xmlTextWriterWriteFormatString(writer, "%D", id); + xmlTextWriterWriteFormatString(writer, "%Y", id); break; } default: diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c index a1c67c691..28cd038c9 100644 --- a/src/charon/plugins/sql/pool.c +++ b/src/charon/plugins/sql/pool.c @@ -562,7 +562,7 @@ static void leases(char *filter, bool utc) printf(" "); } } - printf("%D\n", identity); + printf("%Y\n", identity); DESTROY_IF(address); identity->destroy(identity); } diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c index a3beb3a62..56237694e 100644 --- a/src/charon/plugins/stroke/stroke_attribute.c +++ b/src/charon/plugins/stroke/stroke_attribute.c @@ -223,7 +223,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, id = pool->ids->get(pool->ids, id); if (id) { - DBG1(DBG_CFG, "reassigning offline lease to %D", id); + DBG1(DBG_CFG, "reassigning offline lease to %Y", id); pool->online->put(pool->online, id, (void*)offset); break; } @@ -233,7 +233,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, offset = (uintptr_t)pool->online->get(pool->online, id); if (offset && offset == host2offset(pool, requested)) { - DBG1(DBG_CFG, "reassigning online lease to %D", id); + DBG1(DBG_CFG, "reassigning online lease to %Y", id); break; } @@ -245,7 +245,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, id = id->clone(id); pool->ids->put(pool->ids, id, id); pool->online->put(pool->online, id, (void*)offset); - DBG1(DBG_CFG, "assigning new lease to %D", id); + DBG1(DBG_CFG, "assigning new lease to %Y", id); break; } /* no more addresses, replace the first found offline lease */ @@ -257,7 +257,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this, { /* destroy reference to old ID */ old_id = pool->ids->remove(pool->ids, old_id); - DBG1(DBG_CFG, "reassigning existing offline lease of %D to %D", + DBG1(DBG_CFG, "reassigning existing offline lease of %Y to %Y", old_id, id); if (old_id) { @@ -305,7 +305,7 @@ static bool release_address(private_stroke_attribute_t *this, id = pool->ids->get(pool->ids, id); if (id) { - DBG1(DBG_CFG, "lease %H of %D went offline", address, id); + DBG1(DBG_CFG, "lease %H of %Y went offline", address, id); pool->offline->put(pool->offline, id, (void*)offset); found = TRUE; } diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c index 54356436f..dffa8e235 100644 --- a/src/charon/plugins/stroke/stroke_ca.c +++ b/src/charon/plugins/stroke/stroke_ca.c @@ -398,14 +398,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) first = FALSE; } fprintf(out, "\n"); - fprintf(out, " authname: \"%D\"\n", cert->get_subject(cert)); + fprintf(out, " authname: \"%Y\"\n", cert->get_subject(cert)); /* list authkey and keyid */ if (public) { - fprintf(out, " authkey: %D\n", + fprintf(out, " authkey: %Y\n", public->get_id(public, ID_PUBKEY_SHA1)); - fprintf(out, " keyid: %D\n", + fprintf(out, " keyid: %Y\n", public->get_id(public, ID_PUBKEY_INFO_SHA1)); public->destroy(public); } diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c index 4a0b1ff42..21e2fd2f2 100644 --- a/src/charon/plugins/stroke/stroke_config.c +++ b/src/charon/plugins/stroke/stroke_config.c @@ -386,8 +386,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, if (identity->get_type(identity) == ID_ANY || !certificate->has_subject(certificate, identity)) { - DBG1(DBG_CFG, " peerid %D not confirmed by certificate, " - "defaulting to subject DN: %D", identity, + DBG1(DBG_CFG, " peerid %Y not confirmed by certificate, " + "defaulting to subject DN: %Y", identity, certificate->get_subject(certificate)); identity->destroy(identity); identity = certificate->get_subject(certificate); diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c index 08d50519c..634a89d1d 100644 --- a/src/charon/plugins/stroke/stroke_control.c +++ b/src/charon/plugins/stroke/stroke_control.c @@ -249,7 +249,7 @@ static void terminate_srcip(private_stroke_control_t *this, enumerator_t *enumerator; ike_sa_t *ike_sa; host_t *start = NULL, *end = NULL, *vip; - chunk_t chunk_start, chunk_end, chunk_vip; + chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip; if (msg->terminate_srcip.start) { diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c index 066591c9d..689e463b4 100644 --- a/src/charon/plugins/stroke/stroke_list.c +++ b/src/charon/plugins/stroke/stroke_list.c @@ -74,7 +74,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) fprintf(out, " %V ago", &now, &established); } - fprintf(out, ", %H[%D]...%H[%D]\n", + fprintf(out, ", %H[%Y]...%H[%Y]\n", ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa), ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa)); @@ -266,7 +266,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local); while (enumerator->enumerate(enumerator, &auth)) { - fprintf(out, "%12s: %s [%D] uses ", name, local ? "local: " : "remote:", + fprintf(out, "%12s: %s [%Y] uses ", name, local ? "local: " : "remote:", auth->get(auth, AUTH_RULE_IDENTITY)); auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS); @@ -297,7 +297,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) id = auth->get(auth, AUTH_RULE_EAP_IDENTITY); if (id) { - fprintf(out, " with EAP identity '%D'", id); + fprintf(out, " with EAP identity '%Y'", id); } fprintf(out, "\n"); } @@ -305,19 +305,19 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) cert = auth->get(auth, AUTH_RULE_CA_CERT); if (cert) { - fprintf(out, "%12s: ca: \"%D\"\n", name, cert->get_subject(cert)); + fprintf(out, "%12s: ca: \"%Y\"\n", name, cert->get_subject(cert)); } cert = auth->get(auth, AUTH_RULE_IM_CERT); if (cert) { - fprintf(out, "%12s: im-ca: \"%D\"\n", name, cert->get_subject(cert)); + fprintf(out, "%12s: im-ca: \"%Y\"\n", name, cert->get_subject(cert)); } cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); if (cert) { - fprintf(out, "%12s: cert: \"%D\"\n", name, + fprintf(out, "%12s: cert: \"%Y\"\n", name, cert->get_subject(cert)); } @@ -340,7 +340,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) { if (rule == AUTH_RULE_AC_GROUP) { - fprintf(out, "%12s: group: %D\n", name, id); + fprintf(out, "%12s: group: %Y\n", name, id); } } rules->destroy(rules); @@ -593,8 +593,8 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out) key_type_names, public->get_type(public), public->get_keysize(public) * 8, private ? ", has private key" : ""); - fprintf(out, " keyid: %D\n", keyid); - fprintf(out, " subjkey: %D\n", id); + fprintf(out, " keyid: %Y\n", keyid); + fprintf(out, " subjkey: %Y\n", id); DESTROY_IF(private); public->destroy(public); } @@ -650,7 +650,7 @@ static void stroke_list_certs(linked_list_t *list, char *label, { fprintf(out, ", "); } - fprintf(out, "%D", altName); + fprintf(out, "%Y", altName); } if (!first_altName) { @@ -658,8 +658,8 @@ static void stroke_list_certs(linked_list_t *list, char *label, } enumerator->destroy(enumerator); - fprintf(out, " subject: \"%D\"\n", cert->get_subject(cert)); - fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert)); + fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); fprintf(out, " serial: %#B\n", &serial); /* list validity */ @@ -704,8 +704,8 @@ static void stroke_list_certs(linked_list_t *list, char *label, key_type_names, public->get_type(public), public->get_keysize(public) * 8, private ? ", has private key" : ""); - fprintf(out, " keyid: %D\n", keyid); - fprintf(out, " subjkey: %D\n", id); + fprintf(out, " keyid: %Y\n", keyid); + fprintf(out, " subjkey: %Y\n", id); DESTROY_IF(private); public->destroy(public); } @@ -713,7 +713,7 @@ static void stroke_list_certs(linked_list_t *list, char *label, /* list optional authorityKeyIdentifier */ if (authkey) { - fprintf(out, " authkey: %D\n", authkey); + fprintf(out, " authkey: %Y\n", authkey); } } } @@ -749,17 +749,17 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) if (entityName) { - fprintf(out, " holder: \"%D\"\n", entityName); + fprintf(out, " holder: \"%Y\"\n", entityName); } if (holderIssuer) { - fprintf(out, " hissuer: \"%D\"\n", holderIssuer); + fprintf(out, " hissuer: \"%Y\"\n", holderIssuer); } if (holderSerial.ptr) { fprintf(out, " hserial: %#B\n", &holderSerial); } - fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); fprintf(out, " serial: %#B\n", &serial); /* list validity */ @@ -783,7 +783,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) /* list optional authorityKeyIdentifier */ if (authkey) { - fprintf(out, " authkey: %D\n", authkey); + fprintf(out, " authkey: %Y\n", authkey); } } enumerator->destroy(enumerator); @@ -813,7 +813,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) } fprintf(out, "\n"); - fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); /* list optional crlNumber */ if (serial.ptr) @@ -856,7 +856,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) /* list optional authorityKeyIdentifier */ if (authkey) { - fprintf(out, " authkey: %D\n", authkey); + fprintf(out, " authkey: %Y\n", authkey); } } enumerator->destroy(enumerator); @@ -881,7 +881,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) first = FALSE; } - fprintf(out, " signer: \"%D\"\n", cert->get_issuer(cert)); + fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert)); } enumerator->destroy(enumerator); } @@ -1024,7 +1024,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, { if (!address || address->ip_equals(address, lease)) { - fprintf(out, " %15H %s '%D'\n", + fprintf(out, " %15H %s '%Y'\n", lease, on ? "online" : "offline", id); found++; } diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c index d8cc69c20..e1c3e58ab 100644 --- a/src/charon/plugins/stroke/stroke_socket.c +++ b/src/charon/plugins/stroke/stroke_socket.c @@ -571,8 +571,11 @@ static job_requeue_t receive(private_stroke_socket_t *this) */ static bool open_socket(private_stroke_socket_t *this) { - struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET}; + struct sockaddr_un socket_addr; mode_t old; + + socket_addr.sun_family = AF_UNIX; + strcpy(socket_addr.sun_path, STROKE_SOCKET); /* set up unix socket */ this->socket = socket(AF_UNIX, SOCK_STREAM, 0); diff --git a/src/charon/plugins/updown/updown_listener.c b/src/charon/plugins/updown/updown_listener.c index 7dfb874cb..4feffd9c4 100644 --- a/src/charon/plugins/updown/updown_listener.c +++ b/src/charon/plugins/updown/updown_listener.c @@ -188,14 +188,14 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa, "PLUTO_INTERFACE='%s' " "PLUTO_REQID='%u' " "PLUTO_ME='%H' " - "PLUTO_MY_ID='%D' " + "PLUTO_MY_ID='%Y' " "PLUTO_MY_CLIENT='%s/%s' " "PLUTO_MY_CLIENT_NET='%s' " "PLUTO_MY_CLIENT_MASK='%s' " "PLUTO_MY_PORT='%u' " "PLUTO_MY_PROTOCOL='%u' " "PLUTO_PEER='%H' " - "PLUTO_PEER_ID='%D' " + "PLUTO_PEER_ID='%Y' " "PLUTO_PEER_CLIENT='%s/%s' " "PLUTO_PEER_CLIENT_NET='%s' " "PLUTO_PEER_CLIENT_MASK='%s' " diff --git a/src/charon/processing/jobs/mediation_job.c b/src/charon/processing/jobs/mediation_job.c index 5894b6aab..607286b01 100644 --- a/src/charon/processing/jobs/mediation_job.c +++ b/src/charon/processing/jobs/mediation_job.c @@ -101,7 +101,7 @@ static void execute(private_mediation_job_t *this) /* send callback to a peer */ if (target_sa->callback(target_sa, this->source) != SUCCESS) { - DBG1(DBG_JOB, "callback for '%D' to '%D' failed", + DBG1(DBG_JOB, "callback for '%Y' to '%Y' failed", this->source, this->target); charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa); destroy(this); @@ -114,7 +114,7 @@ static void execute(private_mediation_job_t *this) if (target_sa->relay(target_sa, this->source, this->connect_id, this->connect_key, this->endpoints, this->response) != SUCCESS) { - DBG1(DBG_JOB, "mediation between '%D' and '%D' failed", + DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed", this->source, this->target); charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa); /* FIXME: notify the initiator */ @@ -127,13 +127,13 @@ static void execute(private_mediation_job_t *this) } else { - DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: " + DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: " "SA not found", this->source, this->target); } } else { - DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: " + DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: " "peer is not online anymore", this->source, this->target); } destroy(this); diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c index 876cb7b74..27cec2d72 100644 --- a/src/charon/sa/authenticators/eap_authenticator.c +++ b/src/charon/sa/authenticators/eap_authenticator.c @@ -217,7 +217,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, { snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr); this->eap_identity = identification_create_from_string(buf); - DBG1(DBG_IKE, "received EAP identity '%D'", + DBG1(DBG_IKE, "received EAP identity '%Y'", this->eap_identity); } /* restart EAP exchange, but with real method */ @@ -254,12 +254,12 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, if (vendor) { DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for " - "peer %D", type, vendor, + "peer %Y", type, vendor, this->ike_sa->get_other_id(this->ike_sa)); } else { - DBG1(DBG_IKE, "EAP method %N failed for peer %D", + DBG1(DBG_IKE, "EAP method %N failed for peer %Y", eap_type_names, type, this->ike_sa->get_other_id(this->ike_sa)); } @@ -290,7 +290,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this, { id = this->ike_sa->get_my_id(this->ike_sa); } - DBG1(DBG_IKE, "server requested %N, sending '%D'", + DBG1(DBG_IKE, "server requested %N, sending '%Y'", eap_type_names, type, id); this->eap_identity = id->clone(id); @@ -380,7 +380,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message) } chunk_free(&auth_data); - DBG1(DBG_IKE, "authentication of '%D' with %N successful", + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", other_id, auth_class_names, AUTH_CLASS_EAP); this->auth_complete = TRUE; auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); @@ -401,7 +401,7 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message) my_id = this->ike_sa->get_my_id(this->ike_sa); keymat = this->ike_sa->get_keymat(this->ike_sa); - DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_class_names, AUTH_CLASS_EAP); auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c index 45baa8e9c..5ce919355 100644 --- a/src/charon/sa/authenticators/psk_authenticator.c +++ b/src/charon/sa/authenticators/psk_authenticator.c @@ -63,13 +63,13 @@ static status_t build(private_psk_authenticator_t *this, message_t *message) keymat = this->ike_sa->get_keymat(this->ike_sa); my_id = this->ike_sa->get_my_id(this->ike_sa); other_id = this->ike_sa->get_other_id(this->ike_sa); - DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_method_names, AUTH_PSK); key = charon->credentials->get_shared(charon->credentials, SHARED_IKE, my_id, other_id); if (key == NULL) { - DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); + DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); return NOT_FOUND; } auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, @@ -119,7 +119,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message) this->nonce, key->get_key(key), other_id); if (auth_data.len && chunk_equals(auth_data, recv_auth_data)) { - DBG1(DBG_IKE, "authentication of '%D' with %N successful", + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", other_id, auth_method_names, AUTH_PSK); authenticated = TRUE; } @@ -131,10 +131,10 @@ static status_t process(private_psk_authenticator_t *this, message_t *message) { if (keys_found == 0) { - DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); + DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); return NOT_FOUND; } - DBG1(DBG_IKE, "tried %d shared key%s for '%D' - '%D', but MAC mismatched", + DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched", keys_found, keys_found == 1 ? "" : "s", my_id, other_id); return FAILED; } diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c index 482d6b91d..b8335a69d 100644 --- a/src/charon/sa/authenticators/pubkey_authenticator.c +++ b/src/charon/sa/authenticators/pubkey_authenticator.c @@ -71,7 +71,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) id, auth); if (private == NULL) { - DBG1(DBG_IKE, "no private key found for '%D'", id); + DBG1(DBG_IKE, "no private key found for '%Y'", id); return NOT_FOUND; } @@ -122,7 +122,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) message->add_payload(message, (payload_t*)auth_payload); status = SUCCESS; } - DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id, + DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id, auth_method_names, auth_method, (status == SUCCESS)? "successful":"failed"); chunk_free(&octets); @@ -186,7 +186,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message { if (public->verify(public, scheme, octets, auth_data)) { - DBG1(DBG_IKE, "authentication of '%D' with %N successful", + DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, auth_method_names, auth_method); status = SUCCESS; auth->merge(auth, current_auth, FALSE); @@ -203,7 +203,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message chunk_free(&octets); if (status == NOT_FOUND) { - DBG1(DBG_IKE, "no trusted %N public key found for '%D'", + DBG1(DBG_IKE, "no trusted %N public key found for '%Y'", key_type_names, key_type, id); } return status; diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c index 092210bb2..1ea9539b0 100644 --- a/src/charon/sa/child_sa.c +++ b/src/charon/sa/child_sa.c @@ -724,14 +724,14 @@ static void destroy(private_child_sa_t *this) if (this->my_spi) { charon->kernel_interface->del_sa(charon->kernel_interface, - this->my_addr, this->my_spi, this->protocol, - this->my_cpi); + this->other_addr, this->my_addr, this->my_spi, + this->protocol, this->my_cpi); } if (this->other_spi) { charon->kernel_interface->del_sa(charon->kernel_interface, - this->other_addr, this->other_spi, this->protocol, - this->other_cpi); + this->my_addr, this->other_addr, this->other_spi, + this->protocol, this->other_cpi); } if (this->config->install_policy(this->config)) diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c index 4574ea3a9..89d8882bf 100644 --- a/src/charon/sa/connect_manager.c +++ b/src/charon/sa/connect_manager.c @@ -1196,8 +1196,8 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli } else { - DBG1(DBG_IKE, "there is no mediated connection waiting between '%D' " - "and '%D'", checklist->initiator.id, checklist->responder.id); + DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y' " + "and '%Y'", checklist->initiator.id, checklist->responder.id); } } } @@ -1396,7 +1396,7 @@ static bool check_and_register(private_connect_manager_t *this, if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS) { - DBG2(DBG_IKE, "registered waiting mediated connection with '%D'", peer_id); + DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'", peer_id); initiated = initiated_create(id, peer_id); this->initiated->insert_last(this->initiated, initiated); already_there = FALSE; @@ -1425,7 +1425,7 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS) { - DBG2(DBG_IKE, "no waiting mediated connections with '%D'", peer_id); + DBG2(DBG_IKE, "no waiting mediated connections with '%Y'", peer_id); this->mutex->unlock(this->mutex); return; } diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c index f6abb0c35..311b18c8c 100644 --- a/src/charon/sa/ike_sa_manager.c +++ b/src/charon/sa/ike_sa_manager.c @@ -1436,7 +1436,7 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) { case UNIQUE_REPLACE: DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer " - "'%D' due to uniqueness policy", other); + "'%Y' due to uniqueness policy", other); status = duplicate->delete(duplicate); break; case UNIQUE_KEEP: diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c index fbdf3ad58..b652c29e6 100644 --- a/src/charon/sa/mediation_manager.c +++ b/src/charon/sa/mediation_manager.c @@ -227,12 +227,12 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe if (!found) { - DBG2(DBG_IKE, "adding peer '%D'", peer_id); + DBG2(DBG_IKE, "adding peer '%Y'", peer_id); peer = peer_create(peer_id, NULL); this->peers->insert_last(this->peers, peer); } - DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%D'", peer_id); + DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id); peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL; /* send callbacks to registered peers */ @@ -284,7 +284,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this, if (get_peer_by_id(this, peer_id, &peer) != SUCCESS) { - DBG2(DBG_IKE, "adding peer %D", peer_id); + DBG2(DBG_IKE, "adding peer %Y", peer_id); peer = peer_create(peer_id, NULL); this->peers->insert_last(this->peers, peer); } @@ -292,7 +292,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this, if (!peer->ike_sa_id) { /* the peer is not online */ - DBG2(DBG_IKE, "requested peer '%D' is offline, registering peer '%D'", peer_id, requester); + DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'", peer_id, requester); register_peer(peer, requester); this->mutex->unlock(this->mutex); return NULL; diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c index d594e3baa..b5ef17ab8 100644 --- a/src/charon/sa/tasks/ike_auth.c +++ b/src/charon/sa/tasks/ike_auth.c @@ -642,7 +642,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) { /* IDr received, check if it matches configuration */ if (id_cfg && !id->matches(id, id_cfg)) { - DBG1(DBG_CFG, "received IDr %D, but require %D", id, id_cfg); + DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); return FAILED; @@ -730,7 +730,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) return FAILED; } this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), @@ -907,7 +907,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) return FAILED; } this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c index da3ee4dce..3ef1cafc4 100644 --- a/src/charon/sa/tasks/ike_cert_post.c +++ b/src/charon/sa/tasks/ike_cert_post.c @@ -140,7 +140,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message) { break; } - DBG1(DBG_IKE, "sending end entity cert \"%D\"", + DBG1(DBG_IKE, "sending end entity cert \"%Y\"", cert->get_subject(cert)); message->add_payload(message, (payload_t*)payload); @@ -152,7 +152,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message) payload = cert_payload_create_from_cert(cert); if (payload) { - DBG1(DBG_IKE, "sending issuer cert \"%D\"", + DBG1(DBG_IKE, "sending issuer cert \"%Y\"", cert->get_subject(cert)); message->add_payload(message, (payload_t*)payload); } diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c index 0ec7004c2..db9e7bcc6 100644 --- a/src/charon/sa/tasks/ike_cert_pre.c +++ b/src/charon/sa/tasks/ike_cert_pre.c @@ -95,14 +95,14 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) CERT_X509, KEY_ANY, id, TRUE); if (cert) { - DBG1(DBG_IKE, "received cert request for \"%D\"", + DBG1(DBG_IKE, "received cert request for \"%Y\"", cert->get_subject(cert)); auth->add(auth, AUTH_RULE_CA_CERT, cert); } else { DBG1(DBG_IKE, "received cert request for unknown ca " - "with keyid %D", id); + "with keyid %Y", id); } id->destroy(id); } @@ -211,14 +211,14 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) { if (first) { /* the first is an end entity certificate */ - DBG1(DBG_IKE, "received end entity cert \"%D\"", + DBG1(DBG_IKE, "received end entity cert \"%Y\"", cert->get_subject(cert)); auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert); first = FALSE; } else { - DBG1(DBG_IKE, "received issuer cert \"%D\"", + DBG1(DBG_IKE, "received issuer cert \"%Y\"", cert->get_subject(cert)); auth->add(auth, AUTH_HELPER_IM_CERT, cert); } @@ -300,7 +300,7 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert) keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1); (*req)->add_keyid(*req, keyid->get_encoding(keyid)); public->destroy(public); - DBG1(DBG_IKE, "sending cert request for \"%D\"", + DBG1(DBG_IKE, "sending cert request for \"%Y\"", cert->get_subject(cert)); break; } diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c index 7ff969044..185010040 100644 --- a/src/charon/sa/tasks/ike_delete.c +++ b/src/charon/sa/tasks/ike_delete.c @@ -56,7 +56,7 @@ static status_t build_i(private_ike_delete_t *this, message_t *message) { delete_payload_t *delete_payload; - DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), @@ -95,7 +95,7 @@ static status_t process_r(private_ike_delete_t *this, message_t *message) DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa)); - DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]", this->ike_sa->get_name(this->ike_sa), this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c index 07dfb20a5..bb6f4f41e 100644 --- a/src/charon/sa/tasks/ike_me.c +++ b/src/charon/sa/tasks/ike_me.c @@ -339,7 +339,7 @@ static status_t process_r(private_ike_me_t *this, message_t *message) if (this->callback) { - DBG1(DBG_IKE, "received ME_CALLBACK for '%D'", this->peer_id); + DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id); break; } @@ -471,7 +471,7 @@ static status_t process_i(private_ike_me_t *this, message_t *message) if (this->failed) { - DBG1(DBG_IKE, "peer '%D' is not online", this->peer_id); + DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id); /* FIXME: notify the mediated connection (job?) */ } else diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c index ef6e4721a..f564012e7 100644 --- a/src/charon/sa/tasks/ike_rekey.c +++ b/src/charon/sa/tasks/ike_rekey.c @@ -177,7 +177,7 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message) this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED); - DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->new_sa->get_name(this->new_sa), this->new_sa->get_unique_id(this->new_sa), this->ike_sa->get_my_host(this->ike_sa), @@ -246,7 +246,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) } this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED); - DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", + DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]", this->new_sa->get_name(this->new_sa), this->new_sa->get_unique_id(this->new_sa), this->ike_sa->get_my_host(this->ike_sa), |