diff options
Diffstat (limited to 'src')
210 files changed, 2132 insertions, 1487 deletions
diff --git a/src/charon/charon.c b/src/charon/charon.c index f4bd27d34..812b7620b 100644 --- a/src/charon/charon.c +++ b/src/charon/charon.c @@ -175,6 +175,7 @@ static void segv_handler(int signal) DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal); backtrace = backtrace_create(2); + backtrace->log(backtrace, NULL, TRUE); backtrace->log(backtrace, stderr, TRUE); backtrace->destroy(backtrace); diff --git a/src/conftest/config.c b/src/conftest/config.c index 10b773de2..7f05e9c72 100644 --- a/src/conftest/config.c +++ b/src/conftest/config.c @@ -188,7 +188,7 @@ static child_cfg_t *load_child_config(private_config_t *this, enumerator = enumerator_create_token(token, ",", " "); while (enumerator->enumerate(enumerator, &token)) { - ts = traffic_selector_create_from_cidr(token, 0, 0); + ts = traffic_selector_create_from_cidr(token, 0, 0, 65535); if (ts) { child_cfg->add_traffic_selector(child_cfg, TRUE, ts); @@ -212,7 +212,7 @@ static child_cfg_t *load_child_config(private_config_t *this, enumerator = enumerator_create_token(token, ",", " "); while (enumerator->enumerate(enumerator, &token)) { - ts = traffic_selector_create_from_cidr(token, 0, 0); + ts = traffic_selector_create_from_cidr(token, 0, 0, 65535); if (ts) { child_cfg->add_traffic_selector(child_cfg, FALSE, ts); diff --git a/src/conftest/config.h b/src/conftest/config.h index 2a62b9ce0..ce9e24586 100644 --- a/src/conftest/config.h +++ b/src/conftest/config.h @@ -14,7 +14,7 @@ */ /** - * @defgroup config config + * @defgroup config_t config * @{ @ingroup conftest */ diff --git a/src/conftest/hooks/hook.h b/src/conftest/hooks/hook.h index 39a15f21b..b93711726 100644 --- a/src/conftest/hooks/hook.h +++ b/src/conftest/hooks/hook.h @@ -14,8 +14,8 @@ */ /** - * @defgroup hook hook - * @{ @ingroup hooks + * @defgroup hook_t hook + * @{ @ingroup conftest */ #ifndef HOOK_H_ diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_creds.h b/src/frontends/android/jni/libandroidbridge/backend/android_creds.h index a3ecddde4..918708f14 100644 --- a/src/frontends/android/jni/libandroidbridge/backend/android_creds.h +++ b/src/frontends/android/jni/libandroidbridge/backend/android_creds.h @@ -49,7 +49,7 @@ struct android_creds_t { /** * Load the user certificate and private key * - * @preturn loaded client certificate, NULL on failure + * @return loaded client certificate, NULL on failure */ certificate_t *(*load_user_certificate)(android_creds_t *this); diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c index 2f13be93c..c83f0b4dc 100644 --- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c +++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c @@ -167,6 +167,10 @@ static job_requeue_t handle_plain(private_android_service_t *this) if (len < 0) { + if (errno == EBADF) + { /* the TUN device got closed just before calling select(), retry */ + return JOB_REQUEUE_FAIR; + } DBG1(DBG_DMN, "select on TUN device failed: %s", strerror(errno)); return JOB_REQUEUE_NONE; } diff --git a/src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.h b/src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.h index 3a2e8343f..b68c8b2a9 100644 --- a/src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.h +++ b/src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.h @@ -16,7 +16,7 @@ /** * @defgroup kernel_android_ipsec kernel_android_ipsec - * @{ @ingroup kernel_android + * @{ @ingroup android_kernel */ #ifndef KERNEL_ANDROID_IPSEC_H_ diff --git a/src/frontends/android/jni/libandroidbridge/kernel/android_net.h b/src/frontends/android/jni/libandroidbridge/kernel/android_net.h index 470029fad..f0605390d 100644 --- a/src/frontends/android/jni/libandroidbridge/kernel/android_net.h +++ b/src/frontends/android/jni/libandroidbridge/kernel/android_net.h @@ -15,7 +15,7 @@ /** * @defgroup kernel_android_net kernel_android_net - * @{ @ingroup kernel_android + * @{ @ingroup android_kernel */ #ifndef KERNEL_ANDROID_NET_H_ diff --git a/src/frontends/android/jni/libandroidbridge/kernel/network_manager.h b/src/frontends/android/jni/libandroidbridge/kernel/network_manager.h index 2638b5aa0..da0106829 100644 --- a/src/frontends/android/jni/libandroidbridge/kernel/network_manager.h +++ b/src/frontends/android/jni/libandroidbridge/kernel/network_manager.h @@ -15,7 +15,7 @@ /** * @defgroup network_manager network_manager - * @{ @ingroup kernel_android + * @{ @ingroup android_kernel */ #ifndef NETWORK_MANAGER_H_ diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk index b64174f8b..a9319088f 100644 --- a/src/libcharon/Android.mk +++ b/src/libcharon/Android.mk @@ -125,9 +125,8 @@ processing/jobs/adopt_children_job.c processing/jobs/adopt_children_job.h # adding the plugin source files -LOCAL_SRC_FILES += $(call add_plugin, android) -ifneq ($(call plugin_enabled, android),) -LOCAL_C_INCLUDES += frameworks/base/cmds/keystore +LOCAL_SRC_FILES += $(call add_plugin, android-dns) +ifneq ($(call plugin_enabled, android-dns),) LOCAL_SHARED_LIBRARIES += libcutils endif diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index bc25dcf21..536bab473 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -457,10 +457,10 @@ if MONOLITHIC endif endif -if USE_ANDROID - SUBDIRS += plugins/android +if USE_ANDROID_DNS + SUBDIRS += plugins/android_dns if MONOLITHIC - libcharon_la_LIBADD += plugins/android/libstrongswan-android.la + libcharon_la_LIBADD += plugins/android_dns/libstrongswan-android-dns.la endif endif @@ -513,6 +513,13 @@ if MONOLITHIC endif endif +if USE_SYSTIME_FIX + SUBDIRS += plugins/systime_fix +if MONOLITHIC + libcharon_la_LIBADD += plugins/systime_fix/libstrongswan-systime-fix.la +endif +endif + if USE_LED SUBDIRS += plugins/led if MONOLITHIC diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c index d168e1c12..f7a13d728 100644 --- a/src/libcharon/encoding/payloads/notify_payload.c +++ b/src/libcharon/encoding/payloads/notify_payload.c @@ -65,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_ "ME_CONNECT_FAILED"); ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED, "MS_NOTIFY_STATUS"); -ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS, +ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS, "INITIAL_CONTACT", "SET_WINDOW_SIZE", "ADDITIONAL_TS_POSSIBLE", @@ -108,8 +108,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS, "IPSEC_REPLAY_COUNTER_SYNC", "SECURE PASSWORD_METHOD", "PSK_PERSIST", - "PSK_CONFIRM"); -ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, PSK_CONFIRM, + "PSK_CONFIRM", + "ERX_SUPPORTED"); +ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED, "INITIAL_CONTACT"); ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1, "DPD_R_U_THERE", @@ -170,7 +171,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S "ME_CONN_FAIL"); ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED, "MS_STATUS"); -ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS, +ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS, "INIT_CONTACT", "SET_WINSIZE", "ADD_TS_POSS", @@ -213,8 +214,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATU "RPL_CTR_SYN", "SEC_PASSWD", "PSK_PST", - "PSK_CFM"); -ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, PSK_CONFIRM, + "PSK_CFM", + "ERX_SUP"); +ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED, "INITIAL_CONTACT"); ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1, "DPD", diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h index 498c659b1..847fddc69 100644 --- a/src/libcharon/encoding/payloads/notify_payload.h +++ b/src/libcharon/encoding/payloads/notify_payload.h @@ -140,9 +140,11 @@ enum notify_type_t { IPSEC_REPLAY_COUNTER_SYNC = 16423, /* Secure password methods, RFC 6467 */ SECURE_PASSWORD_METHOD = 16424, - /* PACE - draft-kuegler-ipsecme-pace-ikev2 */ + /* PACE, RFC 6631 */ PSK_PERSIST = 16425, PSK_CONFIRM = 16426, + /* EAP Re-authentication Extension, RFC 6867 */ + ERX_SUPPORTED = 16427, /* IKEv1 initial contact */ INITIAL_CONTACT_IKEV1 = 24578, /* IKEv1 DPD */ diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c index 15f791b95..334823db9 100644 --- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c +++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c @@ -114,7 +114,11 @@ METHOD(payload_t, verify, status_t, { if (this->start_port > this->end_port) { - return FAILED; + /* OPAQUE ports are the only exception */ + if (this->start_port != 0xffff && this->end_port != 0) + { + return FAILED; + } } switch (this->ts_type) { diff --git a/src/libcharon/plugins/android/Makefile.am b/src/libcharon/plugins/android/Makefile.am deleted file mode 100644 index b10cd9527..000000000 --- a/src/libcharon/plugins/android/Makefile.am +++ /dev/null @@ -1,20 +0,0 @@ - -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon - -AM_CFLAGS = -rdynamic - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-android.la -else -plugin_LTLIBRARIES = libstrongswan-android.la -endif - -libstrongswan_android_la_SOURCES = \ - android_plugin.c android_plugin.h \ - android_service.c android_service.h \ - android_handler.c android_handler.h \ - android_creds.c android_creds.h - -libstrongswan_android_la_LDFLAGS = -module -avoid-version -libstrongswan_android_la_LIBADD = -lcutils diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c deleted file mode 100644 index 601c91e7b..000000000 --- a/src/libcharon/plugins/android/android_creds.c +++ /dev/null @@ -1,294 +0,0 @@ -/* - * Copyright (C) 2010 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <keystore_get.h> - -#include "android_creds.h" - -#include <daemon.h> -#include <threading/rwlock.h> - -typedef struct private_android_creds_t private_android_creds_t; - -/** - * Private data of an android_creds_t object - */ -struct private_android_creds_t { - - /** - * Public interface - */ - android_creds_t public; - - /** - * List of trusted certificates, certificate_t* - */ - linked_list_t *certs; - - /** - * User name (ID) - */ - identification_t *user; - - /** - * User password - */ - char *pass; - - /** - * read/write lock - */ - rwlock_t *lock; - -}; - -/** - * Certificate enumerator data - */ -typedef struct { - private_android_creds_t *this; - key_type_t key; - identification_t *id; -} cert_data_t; - -/** - * Filter function for certificates enumerator - */ -static bool cert_filter(cert_data_t *data, certificate_t **in, - certificate_t **out) -{ - certificate_t *cert = *in; - public_key_t *public; - - public = cert->get_public_key(cert); - if (!public) - { - return FALSE; - } - if (data->key != KEY_ANY && public->get_type(public) != data->key) - { - public->destroy(public); - return FALSE; - } - if (data->id && data->id->get_type(data->id) == ID_KEY_ID && - public->has_fingerprint(public, data->id->get_encoding(data->id))) - { - public->destroy(public); - *out = cert; - return TRUE; - } - public->destroy(public); - if (data->id && !cert->has_subject(cert, data->id)) - { - return FALSE; - } - *out = cert; - return TRUE; -} - -/** - * Destroy certificate enumerator data - */ -static void cert_data_destroy(cert_data_t *this) -{ - this->this->lock->unlock(this->this->lock); - free(this); -} - -METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, - private_android_creds_t *this, certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) -{ - if (cert == CERT_X509 || cert == CERT_ANY) - { - cert_data_t *data; - this->lock->read_lock(this->lock); - INIT(data, .this = this, .id = id, .key = key); - return enumerator_create_filter( - this->certs->create_enumerator(this->certs), - (void*)cert_filter, data, (void*)cert_data_destroy); - } - return NULL; -} - -/** - * Shared key enumerator implementation - */ -typedef struct { - enumerator_t public; - private_android_creds_t *this; - shared_key_t *key; - bool done; -} shared_enumerator_t; - -METHOD(enumerator_t, shared_enumerate, bool, - shared_enumerator_t *this, shared_key_t **key, id_match_t *me, - id_match_t *other) -{ - if (this->done) - { - return FALSE; - } - *key = this->key; - *me = ID_MATCH_PERFECT; - *other = ID_MATCH_ANY; - this->done = TRUE; - return TRUE; -} - -METHOD(enumerator_t, shared_destroy, void, - shared_enumerator_t *this) -{ - this->key->destroy(this->key); - this->this->lock->unlock(this->this->lock); - free(this); -} - -METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, - private_android_creds_t *this, shared_key_type_t type, - identification_t *me, identification_t *other) -{ - shared_enumerator_t *enumerator; - - this->lock->read_lock(this->lock); - - if (!this->user || !this->pass) - { - this->lock->unlock(this->lock); - return NULL; - } - if (type != SHARED_EAP && type != SHARED_IKE) - { - this->lock->unlock(this->lock); - return NULL; - } - if (me && !me->equals(me, this->user)) - { - this->lock->unlock(this->lock); - return NULL; - } - - INIT(enumerator, - .public = { - .enumerate = (void*)_shared_enumerate, - .destroy = _shared_destroy, - }, - .this = this, - .done = FALSE, - .key = shared_key_create(type, chunk_clone(chunk_create(this->pass, - strlen(this->pass)))), - ); - return &enumerator->public; -} - -METHOD(android_creds_t, add_certificate, bool, - private_android_creds_t *this, char *name) -{ - certificate_t *cert = NULL; - bool status = FALSE; - chunk_t chunk; -#ifdef KEYSTORE_MESSAGE_SIZE - /* most current interface, the eclair interface (without key length) is - * currently not supported */ - char value[KEYSTORE_MESSAGE_SIZE]; - chunk.ptr = value; - chunk.len = keystore_get(name, strlen(name), chunk.ptr); - if (chunk.len > 0) -#else - /* 1.6 interface, allocates memory */ - chunk.ptr = keystore_get(name, &chunk.len); - if (chunk.ptr) -#endif /* KEYSTORE_MESSAGE_SIZE */ - { - cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB_PEM, chunk, BUILD_END); - if (cert) - { - this->lock->write_lock(this->lock); - this->certs->insert_last(this->certs, cert); - this->lock->unlock(this->lock); - status = TRUE; - } -#ifndef KEYSTORE_MESSAGE_SIZE - free(chunk.ptr); -#endif /* KEYSTORE_MESSAGE_SIZE */ - } - return status; -} - -METHOD(android_creds_t, set_username_password, void, - private_android_creds_t *this, identification_t *id, char *password) -{ - this->lock->write_lock(this->lock); - DESTROY_IF(this->user); - this->user = id->clone(id); - free(this->pass); - this->pass = strdupnull(password); - this->lock->unlock(this->lock); -} - -METHOD(android_creds_t, clear, void, - private_android_creds_t *this) -{ - certificate_t *cert; - this->lock->write_lock(this->lock); - while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS) - { - cert->destroy(cert); - } - DESTROY_IF(this->user); - free(this->pass); - this->user = NULL; - this->pass = NULL; - this->lock->unlock(this->lock); -} - -METHOD(android_creds_t, destroy, void, - private_android_creds_t *this) -{ - clear(this); - this->certs->destroy(this->certs); - this->lock->destroy(this->lock); - free(this); -} - -/** - * Described in header. - */ -android_creds_t *android_creds_create() -{ - private_android_creds_t *this; - - INIT(this, - .public = { - .set = { - .create_cert_enumerator = _create_cert_enumerator, - .create_shared_enumerator = _create_shared_enumerator, - .create_private_enumerator = (void*)return_null, - .create_cdp_enumerator = (void*)return_null, - .cache_cert = (void*)nop, - }, - .add_certificate = _add_certificate, - .set_username_password = _set_username_password, - .clear = _clear, - .destroy = _destroy, - }, - .certs = linked_list_create(), - .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), - ); - - return &this->public; -} - diff --git a/src/libcharon/plugins/android/android_creds.h b/src/libcharon/plugins/android/android_creds.h deleted file mode 100644 index 0f7b8e0ea..000000000 --- a/src/libcharon/plugins/android/android_creds.h +++ /dev/null @@ -1,73 +0,0 @@ -/* - * Copyright (C) 2010 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup android_creds android_creds - * @{ @ingroup android - */ - -#ifndef ANDROID_CREDS_H_ -#define ANDROID_CREDS_H_ - -#include <credentials/credential_set.h> - -typedef struct android_creds_t android_creds_t; - -/** - * Android credentials helper. - */ -struct android_creds_t { - - /** - * Implements credential_set_t - */ - credential_set_t set; - - /** - * Add a trusted CA certificate from the Android keystore to serve by - * this set. - * - * @param name name/ID of the certificate in the keystore - * @return FALSE if the certificate does not exist or is invalid - */ - bool (*add_certificate)(android_creds_t *this, char *name); - - /** - * Set the username and password for authentication. - * - * @param id ID of the user - * @param password password to use for authentication - */ - void (*set_username_password)(android_creds_t *this, identification_t *id, - char *password); - - /** - * Clear the stored credentials. - */ - void (*clear)(android_creds_t *this); - - /** - * Destroy a android_creds instance. - */ - void (*destroy)(android_creds_t *this); - -}; - -/** - * Create an android_creds instance. - */ -android_creds_t *android_creds_create(); - -#endif /** ANDROID_CREDS_H_ @}*/ diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c deleted file mode 100644 index 9b9bcc3f5..000000000 --- a/src/libcharon/plugins/android/android_service.c +++ /dev/null @@ -1,389 +0,0 @@ -/* - * Copyright (C) 2010 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <unistd.h> -#include <cutils/sockets.h> -#include <cutils/properties.h> -#include <signal.h> - -#include "android_service.h" - -#include <daemon.h> -#include <threading/thread.h> -#include <processing/jobs/callback_job.h> - -typedef struct private_android_service_t private_android_service_t; - -/** - * private data of Android service - */ -struct private_android_service_t { - - /** - * public interface - */ - android_service_t public; - - /** - * current IKE_SA - */ - ike_sa_t *ike_sa; - - /** - * android credentials - */ - android_creds_t *creds; - - /** - * android control socket - */ - int control; - -}; - -/** - * Some of the error codes defined in VpnManager.java - */ -typedef enum { - /** Error code to indicate an error from authentication. */ - VPN_ERROR_AUTH = 51, - /** Error code to indicate the connection attempt failed. */ - VPN_ERROR_CONNECTION_FAILED = 101, - /** Error code to indicate an error of remote server hanging up. */ - VPN_ERROR_REMOTE_HUNG_UP = 7, - /** Error code to indicate an error of losing connectivity. */ - VPN_ERROR_CONNECTION_LOST = 103, -} android_vpn_errors_t; - -/** - * send a status code back to the Android app - */ -static void send_status(private_android_service_t *this, u_char code) -{ - DBG1(DBG_CFG, "status of Android plugin changed: %d", code); - send(this->control, &code, 1, 0); -} - -METHOD(listener_t, ike_updown, bool, - private_android_service_t *this, ike_sa_t *ike_sa, bool up) -{ - /* this callback is only registered during initiation, so if the IKE_SA - * goes down we assume an authentication error */ - if (this->ike_sa == ike_sa && !up) - { - send_status(this, VPN_ERROR_AUTH); - return FALSE; - } - return TRUE; -} - -METHOD(listener_t, child_state_change, bool, - private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, - child_sa_state_t state) -{ - /* this callback is only registered during initiation, so we still have - * the control socket open */ - if (this->ike_sa == ike_sa && state == CHILD_DESTROYING) - { - send_status(this, VPN_ERROR_CONNECTION_FAILED); - return FALSE; - } - return TRUE; -} - -/** - * Callback used to shutdown the daemon - */ -static job_requeue_t shutdown_callback(void *data) -{ - kill(0, SIGTERM); - return JOB_REQUEUE_NONE; -} - -METHOD(listener_t, child_updown, bool, - private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, - bool up) -{ - if (this->ike_sa == ike_sa) - { - if (up) - { - /* disable the hooks registered to catch initiation failures */ - this->public.listener.ike_updown = NULL; - this->public.listener.child_state_change = NULL; - property_set("vpn.status", "ok"); - } - else - { - callback_job_t *job; - /* the control socket is closed as soon as vpn.status is set to "ok" - * and the daemon proxy then only checks for terminated daemons to - * detect lost connections, so... */ - DBG1(DBG_CFG, "connection lost, raising delayed SIGTERM"); - /* to avoid any conflicts we send the SIGTERM not directly from this - * callback, but from a different thread. we also delay it to avoid - * a race condition during a regular shutdown */ - job = callback_job_create(shutdown_callback, NULL, NULL, NULL); - lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, 1); - return FALSE; - } - } - return TRUE; -} - -METHOD(listener_t, ike_rekey, bool, - private_android_service_t *this, ike_sa_t *old, ike_sa_t *new) -{ - if (this->ike_sa == old) - { - this->ike_sa = new; - } - return TRUE; -} - -/** - * Read a string argument from the Android control socket - */ -static char *read_argument(int fd, u_char length) -{ - int offset = 0; - char *data = malloc(length + 1); - while (offset < length) - { - int n = recv(fd, &data[offset], length - offset, 0); - if (n < 0) - { - DBG1(DBG_CFG, "failed to read argument from Android" - " control socket: %s", strerror(errno)); - free(data); - return NULL; - } - offset += n; - } - data[length] = '\0'; - DBG3(DBG_CFG, "received argument from Android control socket: %s", data); - return data; -} - -/** - * handle the request received from the Android control socket - */ -static job_requeue_t initiate(private_android_service_t *this) -{ - bool oldstate; - int fd, i = 0; - char *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL; - identification_t *gateway = NULL, *user = NULL; - ike_cfg_t *ike_cfg; - peer_cfg_t *peer_cfg; - child_cfg_t *child_cfg; - traffic_selector_t *ts; - ike_sa_t *ike_sa; - auth_cfg_t *auth; - lifetime_cfg_t lifetime = { - .time = { - .life = 10800, /* 3h */ - .rekey = 10200, /* 2h50min */ - .jitter = 300 /* 5min */ - } - }; - - fd = accept(this->control, NULL, 0); - if (fd < 0) - { - DBG1(DBG_CFG, "accept on Android control socket failed: %s", - strerror(errno)); - return JOB_REQUEUE_NONE; - } - /* the original control socket is not used anymore */ - close(this->control); - this->control = fd; - - while (TRUE) - { - u_char length; - if (recv(fd, &length, 1, 0) != 1) - { - DBG1(DBG_CFG, "failed to read from Android control socket: %s", - strerror(errno)); - return JOB_REQUEUE_NONE; - } - - if (length == 0xFF) - { /* last argument */ - break; - } - else - { - switch (i++) - { - case 0: /* gateway */ - hostname = read_argument(fd, length); - break; - case 1: /* CA certificate name */ - cacert = read_argument(fd, length); - break; - case 2: /* username */ - username = read_argument(fd, length); - break; - case 3: /* password */ - password = read_argument(fd, length); - break; - } - } - } - - if (cacert) - { - if (!this->creds->add_certificate(this->creds, cacert)) - { - DBG1(DBG_CFG, "failed to load CA certificate"); - } - /* if this is a server cert we could use the cert subject as id - * but we have to test first if that possible to configure */ - } - - gateway = identification_create_from_string(hostname); - DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway); - - if (username) - { - user = identification_create_from_string(username); - this->creds->set_username_password(this->creds, user, password); - } - - ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE, - charon->socket->get_port(charon->socket, FALSE), - hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO, - 0); - ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); - - peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED, - UNIQUE_REPLACE, 1, /* keyingtries */ - 36000, 0, /* rekey 10h, reauth none */ - 600, 600, /* jitter, over 10min */ - TRUE, FALSE, /* mobike, aggressive */ - 0, 0, /* DPD delay, timeout */ - FALSE, NULL, NULL); /* mediation */ - peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0)); - - auth = auth_cfg_create(); - auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); - auth->add(auth, AUTH_RULE_IDENTITY, user); - peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); - auth = auth_cfg_create(); - auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); - auth->add(auth, AUTH_RULE_IDENTITY, gateway); - peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); - - child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, - 0, 0, NULL, NULL, 0); - child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); - ts = traffic_selector_create_dynamic(0, 0, 65535); - child_cfg->add_traffic_selector(child_cfg, TRUE, ts); - ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0", - 0, "255.255.255.255", 65535); - child_cfg->add_traffic_selector(child_cfg, FALSE, ts); - peer_cfg->add_child_cfg(peer_cfg, child_cfg); - - /* get us an IKE_SA */ - ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, - peer_cfg); - if (!ike_sa) - { - peer_cfg->destroy(peer_cfg); - send_status(this, VPN_ERROR_CONNECTION_FAILED); - return JOB_REQUEUE_NONE; - } - - if (!ike_sa->get_peer_cfg(ike_sa)) - { - ike_sa->set_peer_cfg(ike_sa, peer_cfg); - } - peer_cfg->destroy(peer_cfg); - - /* store the IKE_SA so we can track its progress */ - this->ike_sa = ike_sa; - - /* confirm that we received the request */ - send_status(this, i); - - /* get an additional reference because initiate consumes one */ - child_cfg->get_ref(child_cfg); - if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) - { - DBG1(DBG_CFG, "failed to initiate tunnel"); - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, - ike_sa); - send_status(this, VPN_ERROR_CONNECTION_FAILED); - return JOB_REQUEUE_NONE; - } - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - return JOB_REQUEUE_NONE; -} - -METHOD(android_service_t, destroy, void, - private_android_service_t *this) -{ - charon->bus->remove_listener(charon->bus, &this->public.listener); - close(this->control); - free(this); -} - -/** - * See header - */ -android_service_t *android_service_create(android_creds_t *creds) -{ - private_android_service_t *this; - - INIT(this, - .public = { - .listener = { - .ike_updown = _ike_updown, - .child_state_change = _child_state_change, - .child_updown = _child_updown, - .ike_rekey = _ike_rekey, - }, - .destroy = _destroy, - }, - .creds = creds, - ); - - this->control = android_get_control_socket("charon"); - if (this->control == -1) - { - DBG1(DBG_CFG, "failed to get Android control socket"); - free(this); - return NULL; - } - - if (listen(this->control, 1) < 0) - { - DBG1(DBG_CFG, "failed to listen on Android control socket: %s", - strerror(errno)); - close(this->control); - free(this); - return NULL; - } - - charon->bus->add_listener(charon->bus, &this->public.listener); - lib->processor->queue_job(lib->processor, - (job_t*)callback_job_create((callback_job_cb_t)initiate, this, - NULL, NULL)); - - return &this->public; -} diff --git a/src/libcharon/plugins/android/android_service.h b/src/libcharon/plugins/android/android_service.h deleted file mode 100644 index d096d6cd5..000000000 --- a/src/libcharon/plugins/android/android_service.h +++ /dev/null @@ -1,54 +0,0 @@ -/* - * Copyright (C) 2010 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup android_service android_service - * @{ @ingroup android - */ - -#ifndef ANDROID_SERVICE_H_ -#define ANDROID_SERVICE_H_ - -typedef struct android_service_t android_service_t; - -#include <bus/listeners/listener.h> - -#include "android_creds.h" - -/** - * Service that interacts with the Android Settings frontend. - */ -struct android_service_t { - - /** - * Implements listener_t. - */ - listener_t listener; - - /** - * Destroy a android_service_t. - */ - void (*destroy)(android_service_t *this); - -}; - -/** - * Create an Android service instance. - * - * @param creds Android credentials - */ -android_service_t *android_service_create(android_creds_t *creds); - -#endif /** ANDROID_SERVICE_H_ @}*/ diff --git a/src/libcharon/plugins/android_dns/Makefile.am b/src/libcharon/plugins/android_dns/Makefile.am new file mode 100644 index 000000000..0d25f11d7 --- /dev/null +++ b/src/libcharon/plugins/android_dns/Makefile.am @@ -0,0 +1,18 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-android-dns.la +else +plugin_LTLIBRARIES = libstrongswan-android-dns.la +endif + +libstrongswan_android_dns_la_SOURCES = \ + android_dns_plugin.c android_dns_plugin.h \ + android_dns_handler.c android_dns_handler.h + +libstrongswan_android_dns_la_LDFLAGS = -module -avoid-version +libstrongswan_android_dns_la_LIBADD = -lcutils
\ No newline at end of file diff --git a/src/libcharon/plugins/android/android_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c index 29dbbbfd0..526810355 100644 --- a/src/libcharon/plugins/android/android_handler.c +++ b/src/libcharon/plugins/android_dns/android_dns_handler.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2011 Tobias Brunner + * Copyright (C) 2010-2013 Tobias Brunner * Copyright (C) 2010 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -14,41 +14,35 @@ * for more details. */ -#include "android_handler.h" +#include "android_dns_handler.h" #include <networking/host.h> #include <collections/linked_list.h> #include <cutils/properties.h> -typedef struct private_android_handler_t private_android_handler_t; +typedef struct private_android_dns_handler_t private_android_dns_handler_t; /** - * Private data of an android_handler_t object. + * Private data of an android_dns_handler_t object. */ -struct private_android_handler_t { +struct private_android_dns_handler_t { /** - * Public android_handler_t interface. + * Public interface */ - android_handler_t public; + android_dns_handler_t public; /** * List of registered DNS servers */ linked_list_t *dns; - - /** - * Whether the VPN frontend is used - */ - bool frontend; }; /** - * Prefixes to be used when installing DNS servers + * Prefix to be used when installing DNS servers */ #define DNS_PREFIX_DEFAULT "net" -#define DNS_PREFIX_FRONTEND "vpn" /** * Struct to store a pair of old and installed DNS servers @@ -63,7 +57,7 @@ typedef struct { /** * Destroy a pair of old and installed DNS servers */ -void destroy_dns_pair(dns_pair_t *this) +static void destroy_dns_pair(dns_pair_t *this) { DESTROY_IF(this->dns); DESTROY_IF(this->old); @@ -73,7 +67,7 @@ void destroy_dns_pair(dns_pair_t *this) /** * Filter pairs of DNS servers */ -bool filter_dns_pair(void *data, dns_pair_t **in, host_t **out) +static bool filter_dns_pair(void *data, dns_pair_t **in, host_t **out) { *out = (*in)->dns; return TRUE; @@ -82,11 +76,11 @@ bool filter_dns_pair(void *data, dns_pair_t **in, host_t **out) /** * Read DNS server property with a given index */ -host_t *get_dns_server(private_android_handler_t *this, int index) +static host_t *get_dns_server(private_android_dns_handler_t *this, int index) { host_t *dns = NULL; char key[10], value[PROPERTY_VALUE_MAX], - *prefix = this->frontend ? DNS_PREFIX_FRONTEND : DNS_PREFIX_DEFAULT; + *prefix = DNS_PREFIX_DEFAULT; if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key)) { @@ -103,10 +97,11 @@ host_t *get_dns_server(private_android_handler_t *this, int index) /** * Set DNS server property with a given index */ -bool set_dns_server(private_android_handler_t *this, int index, host_t *dns) +static bool set_dns_server(private_android_dns_handler_t *this, int index, + host_t *dns) { char key[10], value[PROPERTY_VALUE_MAX], - *prefix = this->frontend ? DNS_PREFIX_FRONTEND : DNS_PREFIX_DEFAULT; + *prefix = DNS_PREFIX_DEFAULT; if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key)) { @@ -133,7 +128,7 @@ bool set_dns_server(private_android_handler_t *this, int index, host_t *dns) } METHOD(attribute_handler_t, handle, bool, - private_android_handler_t *this, identification_t *id, + private_android_dns_handler_t *this, identification_t *id, configuration_attribute_type_t type, chunk_t data) { switch (type) @@ -163,7 +158,7 @@ METHOD(attribute_handler_t, handle, bool, } METHOD(attribute_handler_t, release, void, - private_android_handler_t *this, identification_t *server, + private_android_dns_handler_t *this, identification_t *server, configuration_attribute_type_t type, chunk_t data) { if (type == INTERNAL_IP4_DNS) @@ -197,7 +192,8 @@ METHOD(enumerator_t, enumerate_dns, bool, } METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *, - android_handler_t *this, identification_t *id, linked_list_t *vips) + private_android_dns_handler_t *this, identification_t *id, + linked_list_t *vips) { enumerator_t *enumerator; @@ -208,8 +204,8 @@ METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *, return enumerator; } -METHOD(android_handler_t, destroy, void, - private_android_handler_t *this) +METHOD(android_dns_handler_t, destroy, void, + private_android_dns_handler_t *this) { this->dns->destroy_function(this->dns, (void*)destroy_dns_pair); free(this); @@ -218,9 +214,9 @@ METHOD(android_handler_t, destroy, void, /** * See header */ -android_handler_t *android_handler_create(bool frontend) +android_dns_handler_t *android_dns_handler_create() { - private_android_handler_t *this; + private_android_dns_handler_t *this; INIT(this, .public = { @@ -232,7 +228,6 @@ android_handler_t *android_handler_create(bool frontend) .destroy = _destroy, }, .dns = linked_list_create(), - .frontend = frontend, ); return &this->public; diff --git a/src/libcharon/plugins/android/android_handler.h b/src/libcharon/plugins/android_dns/android_dns_handler.h index 0170958ee..d7b089dca 100644 --- a/src/libcharon/plugins/android/android_handler.h +++ b/src/libcharon/plugins/android_dns/android_dns_handler.h @@ -15,21 +15,21 @@ */ /** - * @defgroup android_handler android_handler - * @{ @ingroup android + * @defgroup android_dns_handler android_dns_handler + * @{ @ingroup android_dns */ -#ifndef ANDROID_HANDLER_H_ -#define ANDROID_HANDLER_H_ +#ifndef ANDROID_DNS_HANDLER_H_ +#define ANDROID_DNS_HANDLER_H_ #include <attributes/attribute_handler.h> -typedef struct android_handler_t android_handler_t; +typedef struct android_dns_handler_t android_dns_handler_t; /** * Android specific DNS attribute handler. */ -struct android_handler_t { +struct android_dns_handler_t { /** * Implements attribute_handler_t. @@ -37,16 +37,14 @@ struct android_handler_t { attribute_handler_t handler; /** - * Destroy a android_handler_t. + * Destroy a android_dns_handler_t. */ - void (*destroy)(android_handler_t *this); + void (*destroy)(android_dns_handler_t *this); }; /** - * Create a android_handler instance. - * - * @param frontend TRUE if the VPN frontend is used + * Create an android_dns_handler_t instance. */ -android_handler_t *android_handler_create(bool frontend); +android_dns_handler_t *android_dns_handler_create(); -#endif /** ANDROID_HANDLER_H_ @}*/ +#endif /** ANDROID_DNS_HANDLER_H_ @}*/ diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android_dns/android_dns_plugin.c index c0f58e9b4..4e2b5f58b 100644 --- a/src/libcharon/plugins/android/android_plugin.c +++ b/src/libcharon/plugins/android_dns/android_dns_plugin.c @@ -1,6 +1,5 @@ /* - * Copyright (C) 2010 Tobias Brunner - * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010-2013 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -14,66 +13,51 @@ * for more details. */ -#include "android_plugin.h" -#include "android_handler.h" -#include "android_creds.h" -#include "android_service.h" +#include "android_dns_plugin.h" +#include "android_dns_handler.h" #include <hydra.h> #include <daemon.h> -typedef struct private_android_plugin_t private_android_plugin_t; +typedef struct private_android_dns_plugin_t private_android_dns_plugin_t; /** - * Private data of an android_plugin_t object. + * Private data of an android_dns_plugin_t object. */ -struct private_android_plugin_t { +struct private_android_dns_plugin_t { /** - * Public android_plugin_t interface. + * Public interface */ - android_plugin_t public; + android_dns_plugin_t public; /** * Android specific DNS handler */ - android_handler_t *handler; - - /** - * Android specific credential set - */ - android_creds_t *creds; - - /** - * Service that interacts with the Android Settings frontend - */ - android_service_t *service; + android_dns_handler_t *handler; }; METHOD(plugin_t, get_name, char*, - private_android_plugin_t *this) + private_android_dns_plugin_t *this) { - return "android"; + return "android-dns"; } METHOD(plugin_t, destroy, void, - private_android_plugin_t *this) + private_android_dns_plugin_t *this) { hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); - lib->credmgr->remove_set(lib->credmgr, &this->creds->set); - this->creds->destroy(this->creds); this->handler->destroy(this->handler); - DESTROY_IF(this->service); free(this); } /** * See header */ -plugin_t *android_plugin_create() +plugin_t *android_dns_plugin_create() { - private_android_plugin_t *this; + private_android_dns_plugin_t *this; INIT(this, .public = { @@ -83,15 +67,10 @@ plugin_t *android_plugin_create() .destroy = _destroy, }, }, - .creds = android_creds_create(), + .handler = android_dns_handler_create(), ); - this->service = android_service_create(this->creds); - this->handler = android_handler_create(this->service != NULL); - - lib->credmgr->add_set(lib->credmgr, &this->creds->set); hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); return &this->public.plugin; } - diff --git a/src/libcharon/plugins/android/android_plugin.h b/src/libcharon/plugins/android_dns/android_dns_plugin.h index 987f2aa37..e9e57dc24 100644 --- a/src/libcharon/plugins/android/android_plugin.h +++ b/src/libcharon/plugins/android_dns/android_dns_plugin.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Martin Willi + * Copyright (C) 2013 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -14,24 +14,24 @@ */ /** - * @defgroup android android + * @defgroup android_dns android_dns * @ingroup cplugins * - * @defgroup android_plugin android_plugin - * @{ @ingroup android + * @defgroup android_dns_plugin android_dns_plugin + * @{ @ingroup android_dns */ -#ifndef ANDROID_PLUGIN_H_ -#define ANDROID_PLUGIN_H_ +#ifndef ANDROID_DNS_PLUGIN_H_ +#define ANDROID_DNS_PLUGIN_H_ #include <plugins/plugin.h> -typedef struct android_plugin_t android_plugin_t; +typedef struct android_dns_plugin_t android_dns_plugin_t; /** - * Plugin providing functionality specific to the Android platform. + * Plugin providing an Android-specific handler for DNS servers. */ -struct android_plugin_t { +struct android_dns_plugin_t { /** * Implements plugin interface. @@ -39,4 +39,4 @@ struct android_plugin_t { plugin_t plugin; }; -#endif /** ANDROID_PLUGIN_H_ @}*/ +#endif /** ANDROID_DNS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/ipseckey/ipseckey.h b/src/libcharon/plugins/ipseckey/ipseckey.h index 0afc067a5..5885daeee 100644 --- a/src/libcharon/plugins/ipseckey/ipseckey.h +++ b/src/libcharon/plugins/ipseckey/ipseckey.h @@ -14,7 +14,7 @@ */ /** - * @defgroup ipseckey_cred_i ipseckey + * @defgroup ipseckey_i ipseckey * @{ @ingroup ipseckey */ diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c index 187946579..52afe1b0a 100644 --- a/src/libcharon/plugins/load_tester/load_tester_config.c +++ b/src/libcharon/plugins/load_tester/load_tester_config.c @@ -369,7 +369,7 @@ static void add_ts(char *string, child_cfg_t *cfg, bool local) if (string) { - ts = traffic_selector_create_from_cidr(string, 0, 0); + ts = traffic_selector_create_from_cidr(string, 0, 0, 65535); if (!ts) { DBG1(DBG_CFG, "parsing TS string '%s' failed", string); diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index d3bd29a1b..2bff70307 100644 --- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -63,7 +63,7 @@ static traffic_selector_t *ts_from_string(char *str) { traffic_selector_t *ts; - ts = traffic_selector_create_from_cidr(str, 0, 0); + ts = traffic_selector_create_from_cidr(str, 0, 0, 65535); if (ts) { return ts; diff --git a/src/libcharon/plugins/medsrv/medsrv_config.h b/src/libcharon/plugins/medsrv/medsrv_config.h index fc8b0e972..03a41a7ce 100644 --- a/src/libcharon/plugins/medsrv/medsrv_config.h +++ b/src/libcharon/plugins/medsrv/medsrv_config.h @@ -15,7 +15,7 @@ /** * @defgroup medsrv_config_i medsrv_config - * @{ @ingroup medsrv + * @{ @ingroup medsrv_p */ #ifndef MEDSRV_CONFIG_H_ diff --git a/src/libcharon/plugins/medsrv/medsrv_creds.h b/src/libcharon/plugins/medsrv/medsrv_creds.h index d08adf3bf..2079601af 100644 --- a/src/libcharon/plugins/medsrv/medsrv_creds.h +++ b/src/libcharon/plugins/medsrv/medsrv_creds.h @@ -15,7 +15,7 @@ /** * @defgroup medsrv_creds_i medsrv_creds - * @{ @ingroup medsrv + * @{ @ingroup medsrv_p */ #ifndef MEDSRV_CREDS_H_ diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.h b/src/libcharon/plugins/medsrv/medsrv_plugin.h index 8736822ee..179fa3b3a 100644 --- a/src/libcharon/plugins/medsrv/medsrv_plugin.h +++ b/src/libcharon/plugins/medsrv/medsrv_plugin.h @@ -14,11 +14,11 @@ */ /** - * @defgroup medsrv medsrv + * @defgroup medsrv_p medsrv * @ingroup cplugins * * @defgroup medsrv_plugin medsrv_plugin - * @{ @ingroup medsrv + * @{ @ingroup medsrv_p */ #ifndef MEDSRV_PLUGIN_H_ diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 7bca94d43..5970e7cf3 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -448,25 +448,42 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, identity = identification_create_from_string(id); if (cert) { - certificate = this->cred->load_peer(this->cred, cert); - if (certificate) + enumerator_t *enumerator; + bool has_subject = FALSE; + certificate_t *first = NULL; + + enumerator = enumerator_create_token(cert, ",", " "); + while (enumerator->enumerate(enumerator, &cert)) { - if (local) - { - this->ca->check_for_hash_and_url(this->ca, certificate); - } - cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate); - if (identity->get_type(identity) == ID_ANY || - !certificate->has_subject(certificate, identity)) + certificate = this->cred->load_peer(this->cred, cert); + if (certificate) { - DBG1(DBG_CFG, " id '%Y' not confirmed by certificate, " - "defaulting to '%Y'", identity, - certificate->get_subject(certificate)); - identity->destroy(identity); - identity = certificate->get_subject(certificate); - identity = identity->clone(identity); + if (local) + { + this->ca->check_for_hash_and_url(this->ca, certificate); + } + cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate); + if (!first) + { + first = certificate; + } + if (identity->get_type(identity) != ID_ANY && + certificate->has_subject(certificate, identity)) + { + has_subject = TRUE; + } } } + enumerator->destroy(enumerator); + + if (first && !has_subject) + { + DBG1(DBG_CFG, " id '%Y' not confirmed by certificate, " + "defaulting to '%Y'", identity, first->get_subject(first)); + identity->destroy(identity); + identity = first->get_subject(first); + identity = identity->clone(identity); + } } if (identity->get_type(identity) != ID_ANY) { @@ -878,7 +895,7 @@ static void add_ts(private_stroke_config_t *this, if (end->tohost) { ts = traffic_selector_create_dynamic(end->protocol, - end->port ? end->port : 0, end->port ? end->port : 65535); + end->from_port, end->to_port); child_cfg->add_traffic_selector(child_cfg, local, ts); } else @@ -891,7 +908,7 @@ static void add_ts(private_stroke_config_t *this, if (net) { ts = traffic_selector_create_from_subnet(net, 0, end->protocol, - end->port); + end->from_port, end->to_port); child_cfg->add_traffic_selector(child_cfg, local, ts); } } @@ -903,8 +920,8 @@ static void add_ts(private_stroke_config_t *this, enumerator = enumerator_create_token(end->subnets, ",", " "); while (enumerator->enumerate(enumerator, &subnet)) { - ts = traffic_selector_create_from_cidr(subnet, - end->protocol, end->port); + ts = traffic_selector_create_from_cidr(subnet, end->protocol, + end->from_port, end->to_port); if (ts) { child_cfg->add_traffic_selector(child_cfg, local, ts); diff --git a/src/libcharon/plugins/systime_fix/Makefile.am b/src/libcharon/plugins/systime_fix/Makefile.am new file mode 100644 index 000000000..a1f843db7 --- /dev/null +++ b/src/libcharon/plugins/systime_fix/Makefile.am @@ -0,0 +1,15 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-systime-fix.la +else +plugin_LTLIBRARIES = libstrongswan-systime-fix.la +endif + +libstrongswan_systime_fix_la_SOURCES = \ + systime_fix_validator.h systime_fix_validator.c \ + systime_fix_plugin.h systime_fix_plugin.c + +libstrongswan_systime_fix_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.c b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c new file mode 100644 index 000000000..7727ba03b --- /dev/null +++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.c @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "systime_fix_plugin.h" +#include "systime_fix_validator.h" + +#include <daemon.h> +#include <processing/jobs/callback_job.h> +#include <processing/jobs/delete_ike_sa_job.h> +#include <processing/jobs/rekey_ike_sa_job.h> + +#include <time.h> + +/** + * Defining _XOPEN_SOURCE is difficult with libstrongswan includes, + * declare function explicitly. + */ +char *strptime(const char *s, const char *format, struct tm *tm); + +typedef struct private_systime_fix_plugin_t private_systime_fix_plugin_t; + +/** + * Private data of systime_fix plugin + */ +struct private_systime_fix_plugin_t { + + /** + * Implements plugin interface + */ + systime_fix_plugin_t public; + + /** + * Certificate lifetime validator + */ + systime_fix_validator_t *validator; + + /** + * Interval we check for a now-valid system time, in seconds. 0 if disabled + */ + u_int interval; + + /** + * Timestamp where we start considering system time valid + */ + time_t threshold; + + /** + * Do we trigger reauth or delete when finding expired certificates? + */ + bool reauth; +}; + +METHOD(plugin_t, get_name, char*, + private_systime_fix_plugin_t *this) +{ + return "systime-fix"; +} + +METHOD(plugin_t, destroy, void, + private_systime_fix_plugin_t *this) +{ + if (this->validator) + { + lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator); + this->validator->destroy(this->validator); + } + free(this); +} + +/** + * Check if all certificates associated to an IKE_SA have valid lifetimes + */ +static bool has_invalid_certs(ike_sa_t *ike_sa) +{ + enumerator_t *cfgs, *items; + certificate_t *cert; + auth_rule_t type; + auth_cfg_t *auth; + time_t not_before, not_after; + bool valid = TRUE; + + cfgs = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE); + while (valid && cfgs->enumerate(cfgs, &auth)) + { + items = auth->create_enumerator(auth); + while (valid && items->enumerate(items, &type, &cert)) + { + switch (type) + { + case AUTH_RULE_SUBJECT_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_CA_CERT: + if (!cert->get_validity(cert, NULL, ¬_before, ¬_after)) + { + DBG1(DBG_CFG, "certificate '%Y' invalid " + "(valid from %T to %T)", cert->get_subject(cert), + ¬_before, FALSE, ¬_after, FALSE); + valid = FALSE; + } + break; + default: + break; + } + } + items->destroy(items); + } + cfgs->destroy(cfgs); + + if (valid) + { + DBG1(DBG_CFG, "all certificates have valid lifetimes"); + } + return !valid; +} + +/** + * Check system time, reevaluate certificates + */ +static job_requeue_t check_systime(private_systime_fix_plugin_t *this) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + char *action; + job_t *job; + + if (time(NULL) < this->threshold) + { + DBG2(DBG_CFG, "systime not valid, rechecking in %ds", this->interval); + lib->scheduler->schedule_job(lib->scheduler, (job_t*) + callback_job_create((callback_job_cb_t)check_systime, this, + NULL, NULL), this->interval); + return JOB_REQUEUE_NONE; + } + + DBG1(DBG_CFG, "system time got valid, rechecking certificates"); + + enumerator = charon->ike_sa_manager->create_enumerator( + charon->ike_sa_manager, TRUE); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + if (has_invalid_certs(ike_sa)) + { + if (this->reauth) + { + action = "reauthenticating"; + job = &rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), + TRUE)->job_interface; + } + else + { + action = "deleting"; + job = &delete_ike_sa_job_create(ike_sa->get_id(ike_sa), + TRUE)->job_interface; + } + DBG1(DBG_CFG, "%s[%d] has certificates not valid, %s IKE_SA", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), + action); + lib->processor->queue_job(lib->processor, job); + } + } + enumerator->destroy(enumerator); + + return JOB_REQUEUE_NONE; +} + +/** + * Load cert lifetime validator configuration + */ +static bool load_validator(private_systime_fix_plugin_t *this) +{ + struct tm tm = { + .tm_mday = 1, + }; + char *str, *fmt; + + fmt = lib->settings->get_str(lib->settings, + "%s.plugins.%s.threshold_format", "%Y", charon->name, get_name(this)); + str = lib->settings->get_str(lib->settings, + "%s.plugins.%s.threshold", NULL, charon->name, get_name(this)); + if (!str) + { + DBG1(DBG_CFG, "no threshold configured for %s, disabled", + get_name(this)); + return FALSE; + } + if (strptime(str, fmt, &tm) == NULL) + { + DBG1(DBG_CFG, "threshold for %s invalid, disabled", get_name(this)); + return FALSE; + } + this->threshold = mktime(&tm); + if (this->threshold == -1) + { + DBG1(DBG_CFG, "converting threshold for %s failed, disabled", + get_name(this)); + return FALSE; + } + if (time(NULL) >= this->threshold) + { + DBG1(DBG_CFG, "system time looks good, disabling %s", get_name(this)); + return FALSE; + } + + DBG1(DBG_CFG, "enabling %s, threshold: %s", get_name(this), asctime(&tm)); + this->validator = systime_fix_validator_create(this->threshold); + lib->credmgr->add_validator(lib->credmgr, &this->validator->validator); + + return TRUE; +} + +/** + * Plugin constructor + */ +plugin_t *systime_fix_plugin_create() +{ + private_systime_fix_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .reload = (void*)return_false, + .destroy = _destroy, + }, + }, + .interval = lib->settings->get_int(lib->settings, + "%s.plugins.%s.interval", 0, charon->name, get_name(this)), + .reauth = lib->settings->get_bool(lib->settings, + "%s.plugins.%s.reauth", FALSE, charon->name, get_name(this)), + ); + + if (load_validator(this)) + { + if (this->interval != 0) + { + DBG1(DBG_CFG, "starting systime check, interval: %ds", + this->interval); + lib->scheduler->schedule_job(lib->scheduler, (job_t*) + callback_job_create((callback_job_cb_t)check_systime, this, + NULL, NULL), this->interval); + } + } + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/systime_fix/systime_fix_plugin.h b/src/libcharon/plugins/systime_fix/systime_fix_plugin.h new file mode 100644 index 000000000..402659539 --- /dev/null +++ b/src/libcharon/plugins/systime_fix/systime_fix_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup systime_fix systime_fix + * @ingroup cplugins + * + * @defgroup systime_fix_plugin systime_fix_plugin + * @{ @ingroup systime_fix + */ + +#ifndef SYSTIME_FIX_PLUGIN_H_ +#define SYSTIME_FIX_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct systime_fix_plugin_t systime_fix_plugin_t; + +/** + * Plugin handling cert lifetimes gracefully if system time is out of sync. + */ +struct systime_fix_plugin_t { + + /** + * Implements plugin interface. + */ + plugin_t plugin; +}; + +#endif /** SYSTIME_FIX_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/systime_fix/systime_fix_validator.c b/src/libcharon/plugins/systime_fix/systime_fix_validator.c new file mode 100644 index 000000000..340e86cbc --- /dev/null +++ b/src/libcharon/plugins/systime_fix/systime_fix_validator.c @@ -0,0 +1,83 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "systime_fix_validator.h" + +#include <errno.h> +#include <time.h> + +#include <daemon.h> + +typedef struct private_systime_fix_validator_t private_systime_fix_validator_t; + +/** + * Private data of an systime_fix_validator_t object. + */ +struct private_systime_fix_validator_t { + + /** + * Public systime_fix_validator_t interface. + */ + systime_fix_validator_t public; + + /** + * Timestamp where we start to consider system time valid + */ + time_t threshold; +}; + +METHOD(cert_validator_t, check_lifetime, status_t, + private_systime_fix_validator_t *this, certificate_t *cert, + int pathlen, bool anchor, auth_cfg_t *auth) +{ + if (time(NULL) < this->threshold) + { + /* our system time seems to be invalid, accept certificate */ + if (pathlen) + { /* report only once per validated chain */ + DBG1(DBG_CFG, "system time out of sync, skipping certificate " + "lifetime check"); + } + return SUCCESS; + } + /* validate this certificate normally */ + return NEED_MORE; +} + +METHOD(systime_fix_validator_t, destroy, void, + private_systime_fix_validator_t *this) +{ + free(this); +} + +/** + * See header + */ +systime_fix_validator_t *systime_fix_validator_create(time_t threshold) +{ + private_systime_fix_validator_t *this; + + INIT(this, + .public = { + .validator = { + .check_lifetime = _check_lifetime, + }, + .destroy = _destroy, + }, + .threshold = threshold, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/systime_fix/systime_fix_validator.h b/src/libcharon/plugins/systime_fix/systime_fix_validator.h new file mode 100644 index 000000000..3e651fd91 --- /dev/null +++ b/src/libcharon/plugins/systime_fix/systime_fix_validator.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup systime_fix_validator systime_fix_validator + * @{ @ingroup systime_fix + */ + +#ifndef SYSTIME_FIX_VALIDATOR_H_ +#define SYSTIME_FIX_VALIDATOR_H_ + +#include <credentials/cert_validator.h> + +typedef struct systime_fix_validator_t systime_fix_validator_t; + +/** + * Validator that accepts cert lifetimes if system time is out of sync. + */ +struct systime_fix_validator_t { + + /** + * Implements cert_validator_t interface. + */ + cert_validator_t validator; + + /** + * Destroy a systime_fix_validator_t. + */ + void (*destroy)(systime_fix_validator_t *this); +}; + +/** + * Create a systime_fix_validator instance. + */ +systime_fix_validator_t *systime_fix_validator_create(); + +#endif /** SYSTIME_FIX_VALIDATOR_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c index b1f6d1eaa..d87e0ccea 100644 --- a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c +++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c @@ -201,7 +201,7 @@ METHOD(pb_tnc_batch_t, build, void, } enumerator->destroy(enumerator); - this->encoding = chunk_clone(writer->get_buf(writer)); + this->encoding = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c index 4d317b6cc..b58d120c1 100644 --- a/src/libcharon/plugins/uci/uci_config.c +++ b/src/libcharon/plugins/uci/uci_config.c @@ -89,7 +89,7 @@ static traffic_selector_t *create_ts(char *string) { traffic_selector_t *ts; - ts = traffic_selector_create_from_cidr(string, 0, 0); + ts = traffic_selector_create_from_cidr(string, 0, 0, 65535); if (ts) { return ts; diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c index 31d13add2..9d145b93f 100644 --- a/src/libcharon/plugins/unity/unity_handler.c +++ b/src/libcharon/plugins/unity/unity_handler.c @@ -174,7 +174,6 @@ static job_requeue_t add_exclude_async(entry_t *entry) ike_sa_t *ike_sa; char name[128]; host_t *host; - bool has_vip = FALSE; ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, entry->sa, FALSE); @@ -187,23 +186,21 @@ static job_requeue_t add_exclude_async(entry_t *entry) FALSE, 0, 0, NULL, NULL, FALSE); child_cfg->add_traffic_selector(child_cfg, FALSE, entry->ts->clone(entry->ts)); + host = ike_sa->get_my_host(ike_sa); + child_cfg->add_traffic_selector(child_cfg, TRUE, + traffic_selector_create_from_subnet(host->clone(host), + 32, 0, 0, 65535)); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE); while (enumerator->enumerate(enumerator, &host)) { - has_vip = TRUE; child_cfg->add_traffic_selector(child_cfg, TRUE, - traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0)); + traffic_selector_create_from_subnet(host->clone(host), + 32, 0, 0, 65535)); } enumerator->destroy(enumerator); - if (!has_vip) - { - host = ike_sa->get_my_host(ike_sa); - child_cfg->add_traffic_selector(child_cfg, TRUE, - traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0)); - } - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - charon->shunts->install(charon->shunts, child_cfg); child_cfg->destroy(child_cfg); diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 258e562d4..0157599c1 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -900,7 +900,7 @@ METHOD(ike_sa_t, update_hosts, void, else { /* update our address in any case */ - if (!me->equals(me, this->my_host)) + if (force && !me->equals(me, this->my_host)) { set_my_host(this, me->clone(me)); update = TRUE; @@ -909,7 +909,8 @@ METHOD(ike_sa_t, update_hosts, void, if (!other->equals(other, this->other_host)) { /* update others address if we are NOT NATed */ - if (force || !has_condition(this, COND_NAT_HERE)) + if ((has_condition(this, COND_NAT_THERE) && + !has_condition(this, COND_NAT_HERE)) || force ) { set_other_host(this, other->clone(other)); update = TRUE; @@ -1250,24 +1251,6 @@ METHOD(ike_sa_t, process_message, status_t, { /* do not handle messages in passive state */ return FAILED; } - switch (message->get_exchange_type(message)) - { - case ID_PROT: - case AGGRESSIVE: - case IKE_SA_INIT: - case IKE_AUTH: - if (this->state != IKE_CREATED && - this->state != IKE_CONNECTING && - message->get_first_payload_type(message) != FRAGMENT_V1) - { - DBG1(DBG_IKE, "ignoring %N in established IKE_SA state", - exchange_type_names, message->get_exchange_type(message)); - return FAILED; - } - break; - default: - break; - } if (message->get_major_version(message) != this->version) { DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA", diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 2ac8c3123..4fbc4da8e 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -108,9 +108,9 @@ struct entry_t { identification_t *other_id; /** - * message ID currently processing, if any + * message ID or hash of currently processing message, -1 if none */ - u_int32_t message_id; + u_int32_t processing; }; /** @@ -135,23 +135,12 @@ static status_t entry_destroy(entry_t *this) */ static entry_t *entry_create() { - entry_t *this = malloc_thing(entry_t); - - this->waiting_threads = 0; - this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); - - /* we set checkout flag when we really give it out */ - this->checked_out = FALSE; - this->driveout_new_threads = FALSE; - this->driveout_waiting_threads = FALSE; - this->message_id = -1; - this->init_hash = chunk_empty; - this->other = NULL; - this->half_open = FALSE; - this->my_id = NULL; - this->other_id = NULL; - this->ike_sa_id = NULL; - this->ike_sa = NULL; + entry_t *this; + + INIT(this, + .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), + .processing = -1, + ); return this; } @@ -1171,6 +1160,20 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, return ike_sa; } +/** + * Get the message ID or message hash to detect early retransmissions + */ +static u_int32_t get_message_id_or_hash(message_t *message) +{ + /* Use the message ID, or the message hash in IKEv1 Main/Aggressive mode */ + if (message->get_major_version(message) == IKEV1_MAJOR_VERSION && + message->get_message_id(message) == 0) + { + return chunk_hash(message->get_packet_data(message)); + } + return message->get_message_id(message); +} + METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, private_ike_sa_manager_t* this, message_t *message) { @@ -1246,7 +1249,7 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, entry->checked_out = TRUE; unlock_single_segment(this, segment); - entry->message_id = message->get_message_id(message); + entry->processing = get_message_id_or_hash(message); entry->init_hash = hash; DBG2(DBG_MGR, "created IKE_SA %s[%u]", @@ -1290,12 +1293,11 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS) { - /* only check out in IKEv2 if we are not already processing it */ - if (message->get_request(message) && - message->get_message_id(message) == entry->message_id) + /* only check out if we are not already processing it. */ + if (entry->processing == get_message_id_or_hash(message)) { DBG1(DBG_MGR, "ignoring request with ID %u, already processing", - entry->message_id); + entry->processing); } else if (wait_for_entry(this, entry, segment)) { @@ -1305,7 +1307,7 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, entry->checked_out = TRUE; if (message->get_first_payload_type(message) != FRAGMENT_V1) { - entry->message_id = message->get_message_id(message); + entry->processing = get_message_id_or_hash(message); } if (ike_id->get_responder_spi(ike_id) == 0) { @@ -1564,7 +1566,7 @@ METHOD(ike_sa_manager_t, checkin, void, entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa)); /* signal waiting threads */ entry->checked_out = FALSE; - entry->message_id = -1; + entry->processing = -1; /* check if this SA is half-open */ if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING) { @@ -1745,6 +1747,23 @@ METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*, (void*)id_enumerator_cleanup, ids); } +/** + * Move all CHILD_SAs from old to new + */ +static void adopt_children(ike_sa_t *old, ike_sa_t *new) +{ + enumerator_t *enumerator; + child_sa_t *child_sa; + + enumerator = old->create_child_sa_enumerator(old); + while (enumerator->enumerate(enumerator, &child_sa)) + { + old->remove_child_sa(old, enumerator); + new->add_child_sa(new, child_sa); + } + enumerator->destroy(enumerator); +} + METHOD(ike_sa_manager_t, check_uniqueness, bool, private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace) { @@ -1782,6 +1801,7 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, { DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', " "received INITIAL_CONTACT", other); + charon->bus->ike_updown(charon->bus, duplicate, FALSE); checkin_and_destroy(this, duplicate); continue; } @@ -1796,6 +1816,10 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, { case UNIQUE_REPLACE: charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE); + if (duplicate->get_version(duplicate) == IKEV1) + { + adopt_children(duplicate, ike_sa); + } DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer " "'%Y' due to uniqueness policy", other); status = duplicate->delete(duplicate); diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 8a4761d5c..7a84d1cef 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -1471,6 +1471,21 @@ METHOD(task_manager_t, process_message, status_t, charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg); return SUCCESS; } + + /* reject Main/Agressive Modes once established */ + if (msg->get_exchange_type(msg) == ID_PROT || + msg->get_exchange_type(msg) == AGGRESSIVE) + { + if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED && + this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING && + msg->get_first_payload_type(msg) != FRAGMENT_V1) + { + DBG1(DBG_IKE, "ignoring %N in established IKE_SA state", + exchange_type_names, msg->get_exchange_type(msg)); + return FAILED; + } + } + if (msg->get_exchange_type(msg) == TRANSACTION && this->active_tasks->get_count(this->active_tasks)) { /* main mode not yet complete, queue XAuth/Mode config tasks */ @@ -2030,4 +2045,3 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa) return &this->public; } - diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 1eae6aa93..afdff8cf9 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -576,12 +576,12 @@ static bool get_ts(private_quick_mode_t *this, message_t *message) if (!tsi) { tsi = traffic_selector_create_from_subnet(hsi->clone(hsi), - hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0); + hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0, 65535); } if (!tsr) { tsr = traffic_selector_create_from_subnet(hsr->clone(hsr), - hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0); + hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0, 65535); } if (this->mode == MODE_TRANSPORT && this->udp && (!tsi->is_host(tsi, hsi) || !tsr->is_host(tsr, hsr))) @@ -594,20 +594,27 @@ static bool get_ts(private_quick_mode_t *this, message_t *message) if (this->initiator) { + traffic_selector_t *tsisub, *tsrsub; + /* check if peer selection is valid */ - if (!tsr->is_contained_in(tsr, this->tsr) || - !tsi->is_contained_in(tsi, this->tsi)) + tsisub = this->tsi->get_subset(this->tsi, tsi); + tsrsub = this->tsr->get_subset(this->tsr, tsr); + if (!tsisub || !tsrsub) { DBG1(DBG_IKE, "peer selected invalid traffic selectors: " "%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr); + DESTROY_IF(tsisub); + DESTROY_IF(tsrsub); tsi->destroy(tsi); tsr->destroy(tsr); return FALSE; } + tsi->destroy(tsi); + tsr->destroy(tsr); this->tsi->destroy(this->tsi); this->tsr->destroy(this->tsr); - this->tsi = tsi; - this->tsr = tsr; + this->tsi = tsisub; + this->tsr = tsrsub; } else { diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c index aa0644033..b8359cc88 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c @@ -667,6 +667,16 @@ METHOD(authenticator_t, build_client, status_t, METHOD(authenticator_t, is_mutual, bool, private_eap_authenticator_t *this) { + if (this->method) + { + u_int32_t vendor; + + if (this->method->get_type(this->method, &vendor) != EAP_IDENTITY || + vendor != 0) + { + return this->method->is_mutual(this->method); + } + } /* we don't know yet, but insist on it after EAP is complete */ this->require_mutual = TRUE; return TRUE; diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index ea0117c54..29d8d830e 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -1123,6 +1123,18 @@ METHOD(task_manager_t, process_message, status_t, { if (mid == this->responding.mid) { + /* reject initial messages once established */ + if (msg->get_exchange_type(msg) == IKE_SA_INIT || + msg->get_exchange_type(msg) == IKE_AUTH) + { + if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED && + this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING) + { + DBG1(DBG_IKE, "ignoring %N in established IKE_SA state", + exchange_type_names, msg->get_exchange_type(msg)); + return FAILED; + } + } if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED || this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING || msg->get_exchange_type(msg) != IKE_SA_INIT) diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index eb3972c29..32c0e8c4a 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -18,6 +18,7 @@ #include "child_create.h" #include <daemon.h> +#include <hydra.h> #include <sa/ikev2/keymat_v2.h> #include <crypto/diffie_hellman.h> #include <credentials/certificates/x509.h> @@ -615,6 +616,7 @@ static void build_payloads(private_child_create_t *this, message_t *message) nonce_payload_t *nonce_payload; ke_payload_t *ke_payload; ts_payload_t *ts_payload; + kernel_feature_t features; /* add SA payload */ if (this->initiator) @@ -661,6 +663,13 @@ static void build_payloads(private_child_create_t *this, message_t *message) default: break; } + + features = hydra->kernel_interface->get_features(hydra->kernel_interface); + if (!(features & KERNEL_ESP_V3_TFC)) + { + message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED, + chunk_empty); + } } /** diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index 70efcd7af..942f97cf5 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -223,6 +223,18 @@ static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local) } /** + * Move the currently active auth config to the auth configs completed + */ +static void apply_auth_cfg(private_ike_auth_t *this, bool local) +{ + auth_cfg_t *cfg; + + cfg = auth_cfg_create(); + cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, local), local); + this->ike_sa->add_auth_cfg(this->ike_sa, local, cfg); +} + +/** * Check if we have should initiate another authentication round */ static bool do_another_auth(private_ike_auth_t *this) @@ -307,7 +319,7 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict) { if (this->peer_cfg) { - bool complies = TRUE; + char *comply_error = NULL; enumerator_t *e1, *e2, *tmp; auth_cfg_t *c1, *c2; @@ -324,22 +336,30 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict) while (e1->enumerate(e1, &c1)) { /* check if done authentications comply to configured ones */ - if ((!e2->enumerate(e2, &c2)) || - (!strict && !c1->complies(c1, c2, TRUE)) || - (strict && !c2->complies(c2, c1, TRUE))) + if (!e2->enumerate(e2, &c2)) + { + comply_error = "insufficient authentication rounds"; + break; + } + if (!strict && !c1->complies(c1, c2, TRUE)) { - complies = FALSE; + comply_error = "non-matching authentication done"; + break; + } + if (strict && !c2->complies(c2, c1, TRUE)) + { + comply_error = "constraint checking failed"; break; } } e1->destroy(e1); e2->destroy(e2); - if (complies) + if (!comply_error) { break; } - DBG1(DBG_CFG, "selected peer config '%s' inacceptable", - this->peer_cfg->get_name(this->peer_cfg)); + DBG1(DBG_CFG, "selected peer config '%s' inacceptable: %s", + this->peer_cfg->get_name(this->peer_cfg), comply_error); this->peer_cfg->destroy(this->peer_cfg); } if (this->candidates->remove_first(this->candidates, @@ -464,10 +484,7 @@ METHOD(task_t, build_i, status_t, switch (this->my_auth->build(this->my_auth, message)) { case SUCCESS: - /* authentication step complete, reset authenticator */ - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE); - this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg); + apply_auth_cfg(this, TRUE); this->my_auth->destroy(this->my_auth); this->my_auth = NULL; break; @@ -640,10 +657,7 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } - /* store authentication information */ - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); - this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); + apply_auth_cfg(this, FALSE); if (!update_cfg_candidates(this, FALSE)) { @@ -778,10 +792,7 @@ METHOD(task_t, build_r, status_t, switch (this->my_auth->build(this->my_auth, message)) { case SUCCESS: - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), - TRUE); - this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg); + apply_auth_cfg(this, TRUE); this->my_auth->destroy(this->my_auth); this->my_auth = NULL; break; @@ -969,10 +980,10 @@ METHOD(task_t, process_i, status_t, goto peer_auth_failed; } - /* store authentication information, reset authenticator */ - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); - this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); + if (!mutual_eap) + { + apply_auth_cfg(this, FALSE); + } } if (this->my_auth) @@ -980,10 +991,11 @@ METHOD(task_t, process_i, status_t, switch (this->my_auth->process(this->my_auth, message)) { case SUCCESS: - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), - TRUE); - this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg); + apply_auth_cfg(this, TRUE); + if (this->my_auth->is_mutual(this->my_auth)) + { + apply_auth_cfg(this, FALSE); + } this->my_auth->destroy(this->my_auth); this->my_auth = NULL; this->do_another_auth = do_another_auth(this); diff --git a/src/libfast/controller.h b/src/libfast/controller.h index 1edf72e90..7a7efc706 100644 --- a/src/libfast/controller.h +++ b/src/libfast/controller.h @@ -14,7 +14,7 @@ */ /** - * @defgroup controller_i controller + * @defgroup controller controller * @{ @ingroup libfast */ diff --git a/src/libhydra/attributes/mem_pool.h b/src/libhydra/attributes/mem_pool.h index 692885ecd..f273b18e9 100644 --- a/src/libhydra/attributes/mem_pool.h +++ b/src/libhydra/attributes/mem_pool.h @@ -89,7 +89,7 @@ struct mem_pool_t { * * @param id the id to acquire an address for * @param requested acquire this address, if possible - * @param existing TRUE to look for an existing lease, FALSE for a new one + * @param operation acquire operation to perform, see above * @return the acquired address */ host_t* (*acquire_address)(mem_pool_t *this, identification_t *id, @@ -128,9 +128,9 @@ struct mem_pool_t { * * @param name name of this pool * @param base base address of this pool, NULL to create an empty pool - * @param bits net mask + * @param bits number of non-network bits in base, as in CIDR notation + * @return memory pool instance */ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits); #endif /** MEM_POOL_H_ @} */ - diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c index 8948e0561..b82fd6d3d 100644 --- a/src/libhydra/kernel/kernel_interface.c +++ b/src/libhydra/kernel/kernel_interface.c @@ -137,6 +137,22 @@ struct private_kernel_interface_t { bool ifaces_exclude; }; +METHOD(kernel_interface_t, get_features, kernel_feature_t, + private_kernel_interface_t *this) +{ + kernel_feature_t features = 0; + + if (this->ipsec && this->ipsec->get_features) + { + features |= this->ipsec->get_features(this->ipsec); + } + if (this->net && this->net->get_features) + { + features |= this->net->get_features(this->net); + } + return features; +} + METHOD(kernel_interface_t, get_spi, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) @@ -682,6 +698,7 @@ kernel_interface_t *kernel_interface_create() INIT(this, .public = { + .get_features = _get_features, .get_spi = _get_spi, .get_cpi = _get_cpi, .add_sa = _add_sa, @@ -757,4 +774,3 @@ kernel_interface_t *kernel_interface_create() return &this->public; } - diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h index 8d8ef2e83..8d8d048d0 100644 --- a/src/libhydra/kernel/kernel_interface.h +++ b/src/libhydra/kernel/kernel_interface.h @@ -47,6 +47,7 @@ #define KERNEL_INTERFACE_H_ typedef struct kernel_interface_t kernel_interface_t; +typedef enum kernel_feature_t kernel_feature_t; #include <networking/host.h> #include <crypto/prf_plus.h> @@ -56,6 +57,17 @@ typedef struct kernel_interface_t kernel_interface_t; #include <kernel/kernel_net.h> /** + * Bitfield of optional features a kernel backend supports. + * + * This feature-set is for both, kernel_ipsec_t and kernel_net_t. Each + * backend returns a subset of these features. + */ +enum kernel_feature_t { + /** IPsec can process ESPv3 (RFC 4303) TFC padded packets */ + KERNEL_ESP_V3_TFC = (1<<0), +}; + +/** * Constructor function for ipsec kernel interface */ typedef kernel_ipsec_t* (*kernel_ipsec_constructor_t)(void); @@ -74,6 +86,13 @@ typedef kernel_net_t* (*kernel_net_constructor_t)(void); struct kernel_interface_t { /** + * Get the feature set supported by the net and ipsec kernel backends. + * + * @return ORed feature-set of backends + */ + kernel_feature_t (*get_features)(kernel_interface_t *this); + + /** * Get a SPI from the kernel. * * @param src source address of SA diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index 1da0805cb..c8afcaffd 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -30,6 +30,7 @@ typedef struct kernel_ipsec_t kernel_ipsec_t; #include <ipsec/ipsec_types.h> #include <selectors/traffic_selector.h> #include <plugins/plugin.h> +#include <kernel/kernel_interface.h> /** * Interface to the ipsec subsystem of the kernel. @@ -45,6 +46,13 @@ typedef struct kernel_ipsec_t kernel_ipsec_t; struct kernel_ipsec_t { /** + * Get the feature set supported by this kernel backend. + * + * @return ORed feature-set of backend + */ + kernel_feature_t (*get_features)(kernel_ipsec_t *this); + + /** * Get a SPI from the kernel. * * @param src source address of SA diff --git a/src/libhydra/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h index 6a3b2cee7..0d3417f1d 100644 --- a/src/libhydra/kernel/kernel_net.h +++ b/src/libhydra/kernel/kernel_net.h @@ -28,6 +28,7 @@ typedef enum kernel_address_type_t kernel_address_type_t; #include <collections/enumerator.h> #include <networking/host.h> #include <plugins/plugin.h> +#include <kernel/kernel_interface.h> /** * Type of addresses (e.g. when enumerating them) @@ -56,6 +57,13 @@ enum kernel_address_type_t { struct kernel_net_t { /** + * Get the feature set supported by this kernel backend. + * + * @return ORed feature-set of backend + */ + kernel_feature_t (*get_features)(kernel_net_t *this); + + /** * Get our outgoing source address for a destination. * * Does a route lookup to get the source address used to reach dest. diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index f9b2634a0..e81e55c24 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -787,7 +787,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) if (host) { return traffic_selector_create_from_subnet(host, prefixlen, - sel->proto, port); + sel->proto, port, port ?: 65535); } return NULL; } @@ -1036,6 +1036,12 @@ static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this) return JOB_REQUEUE_DIRECT; } +METHOD(kernel_ipsec_t, get_features, kernel_feature_t, + private_kernel_netlink_ipsec_t *this) +{ + return KERNEL_ESP_V3_TFC; +} + /** * Get an SPI for a specific protocol from the kernel. */ @@ -2196,14 +2202,15 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, /* install a route, if: * - this is a forward policy (to just get one for each child) - * - we are in tunnel/BEET mode + * - we are in tunnel/BEET mode or install a bypass policy * - routing is not disabled via strongswan.conf */ - if (policy->direction == POLICY_FWD && - ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes) + if (policy->direction == POLICY_FWD && this->install_routes && + (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT)) { policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping; route_entry_t *route; + host_t *iface; INIT(route, .prefixlen = policy->sel.prefixlen_s, @@ -2219,9 +2226,17 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len); + /* get the interface to install the route for. If we have a local + * address, use it. Otherwise (for shunt policies) use the + * routes source address. */ + iface = ipsec->dst; + if (iface->is_anyaddr(iface)) + { + iface = route->src_ip; + } /* install route via outgoing interface */ if (!hydra->kernel_interface->get_interface(hydra->kernel_interface, - ipsec->dst, &route->if_name)) + iface, &route->if_name)) { this->mutex->unlock(this->mutex); route_entry_destroy(route); @@ -2734,6 +2749,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() INIT(this, .public = { .interface = { + .get_features = _get_features, .get_spi = _get_spi, .get_cpi = _get_cpi, .add_sa = _add_sa, @@ -2822,4 +2838,3 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() return &this->public; } - diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c index e47887859..b6df9879c 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c @@ -1757,6 +1757,10 @@ METHOD(kernel_net_t, add_ip, status_t, DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip, entry->iface->ifname); this->lock->unlock(this->lock); + /* during IKEv1 reauthentication, children get moved from + * old the new SA before the virtual IP is available. This + * kills the route for our virtual IP, reinstall. */ + queue_route_reinstall(this, entry->iface->ifname); return SUCCESS; } } diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 71bdbbe2b..88b028447 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -953,7 +953,8 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address) ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen, address->sadb_address_proto, - host->get_port(host)); + host->get_port(host), + host->get_port(host) ?: 65535); return ts; } @@ -2654,4 +2655,3 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() return &this->public; } - diff --git a/src/libimcv/ietf/ietf_attr.h b/src/libimcv/ietf/ietf_attr.h index a1ba42565..d22175d94 100644 --- a/src/libimcv/ietf/ietf_attr.h +++ b/src/libimcv/ietf/ietf_attr.h @@ -14,8 +14,8 @@ */ /** - * @defgroup ietf_attrt ietf_attr - * @{ @ingroup ietf_attr + * @defgroup ietf_attr ietf_attr + * @{ @ingroup libimcv */ #ifndef IETF_ATTR_H_ diff --git a/src/libimcv/ietf/ietf_attr_assess_result.c b/src/libimcv/ietf/ietf_attr_assess_result.c index 1c0d6b0eb..55226e3bb 100644 --- a/src/libimcv/ietf/ietf_attr_assess_result.c +++ b/src/libimcv/ietf/ietf_attr_assess_result.c @@ -106,7 +106,7 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(ASSESS_RESULT_SIZE); writer->write_uint32(writer, this->result); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_assess_result.h b/src/libimcv/ietf/ietf_attr_assess_result.h index fab8bc3f0..e94b57b88 100644 --- a/src/libimcv/ietf/ietf_attr_assess_result.h +++ b/src/libimcv/ietf/ietf_attr_assess_result.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_assess_resultt ietf_attr_assess_result - * @{ @ingroup ietf + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_ASSESS_RESULT_H_ diff --git a/src/libimcv/ietf/ietf_attr_attr_request.c b/src/libimcv/ietf/ietf_attr_attr_request.c index c93c9276e..5dc487030 100644 --- a/src/libimcv/ietf/ietf_attr_attr_request.c +++ b/src/libimcv/ietf/ietf_attr_attr_request.c @@ -125,7 +125,7 @@ METHOD(pa_tnc_attr_t, build, void, } enumerator->destroy(enumerator); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_attr_request.h b/src/libimcv/ietf/ietf_attr_attr_request.h index 387ba345d..fc9e08676 100644 --- a/src/libimcv/ietf/ietf_attr_attr_request.h +++ b/src/libimcv/ietf/ietf_attr_attr_request.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_attr_requestt ietf_attr_attr_request - * @{ @ingroup ietf + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_ATTR_REQUEST_H_ diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c index 2022f45cf..2c6b3d542 100644 --- a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c +++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.c @@ -106,7 +106,7 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(DEFAULT_PWD_ENABLED_SIZE); writer->write_uint32(writer, this->status); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h index f6026b0e8..6fe1a02b1 100644 --- a/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h +++ b/src/libimcv/ietf/ietf_attr_default_pwd_enabled.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_default_pwd_enabled ietf_attr_default_pwd_enabled - * @{ @ingroup ietf + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_PWD_ENABLED_H_ diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.c b/src/libimcv/ietf/ietf_attr_fwd_enabled.c index 911ee5b89..a906b2258 100644 --- a/src/libimcv/ietf/ietf_attr_fwd_enabled.c +++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.c @@ -106,7 +106,7 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(FORWARDING_ENABLED_SIZE); writer->write_uint32(writer, this->fwd_status); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.h b/src/libimcv/ietf/ietf_attr_fwd_enabled.h index bfde1a7b1..41714380e 100644 --- a/src/libimcv/ietf/ietf_attr_fwd_enabled.h +++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_fwd_enabled ietf_attr_fwd_enabled - * @{ @ingroup ietf + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_FWD_ENABLED_H_ diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.c b/src/libimcv/ietf/ietf_attr_installed_packages.c index 72a3c1344..462805e38 100644 --- a/src/libimcv/ietf/ietf_attr_installed_packages.c +++ b/src/libimcv/ietf/ietf_attr_installed_packages.c @@ -144,7 +144,7 @@ METHOD(pa_tnc_attr_t, build, void, } enumerator->destroy(enumerator); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.h b/src/libimcv/ietf/ietf_attr_installed_packages.h index a9f6768e0..b79c4040c 100644 --- a/src/libimcv/ietf/ietf_attr_installed_packages.h +++ b/src/libimcv/ietf/ietf_attr_installed_packages.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_installed_packagest ietf_attr_installed_packages - * @{ @ingroup ietf_attr_installed_packages + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_INSTALLED_PACKAGES_H_ diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.c b/src/libimcv/ietf/ietf_attr_numeric_version.c index 797205473..739256457 100644 --- a/src/libimcv/ietf/ietf_attr_numeric_version.c +++ b/src/libimcv/ietf/ietf_attr_numeric_version.c @@ -137,7 +137,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint16(writer, this->service_pack_major); writer->write_uint16(writer, this->service_pack_minor); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.h b/src/libimcv/ietf/ietf_attr_numeric_version.h index f7d6c909d..bbda6b895 100644 --- a/src/libimcv/ietf/ietf_attr_numeric_version.h +++ b/src/libimcv/ietf/ietf_attr_numeric_version.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_numeric_versiont ietf_attr_numeric_version - * @{ @ingroup ietf + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_NUMERIC_VERSION_H_ diff --git a/src/libimcv/ietf/ietf_attr_op_status.c b/src/libimcv/ietf/ietf_attr_op_status.c index d9610b29d..23530684a 100644 --- a/src/libimcv/ietf/ietf_attr_op_status.c +++ b/src/libimcv/ietf/ietf_attr_op_status.c @@ -153,7 +153,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint16(writer, 0x0000); writer->write_data (writer, chunk_create(last_use, 20)); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_op_status.h b/src/libimcv/ietf/ietf_attr_op_status.h index 2e14148c4..b70fab608 100644 --- a/src/libimcv/ietf/ietf_attr_op_status.h +++ b/src/libimcv/ietf/ietf_attr_op_status.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_op_statust ietf_attr_op_status - * @{ @ingroup ietf + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_OP_STATUS_H_ @@ -40,7 +40,7 @@ enum op_status_t { }; extern enum_name_t *op_status_names; - + /** * Operational Result type */ @@ -92,7 +92,7 @@ struct ietf_attr_op_status_t { * * @param status Operational Status * @param result Operational Result - * @param last_use Time of last use + * @param last_use Time of last use */ pa_tnc_attr_t* ietf_attr_op_status_create(u_int8_t status, u_int8_t result, time_t last_use); diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c index cc3ec28c5..5f20f8958 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c @@ -206,7 +206,7 @@ METHOD(pa_tnc_attr_t, build, void, break; } } - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h index a5a10d470..faa38f8f9 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_pa_tnc_errort ietf_attr_pa_tnc_error - * @{ @ingroup ietf_attr_pa_tnc_error + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_PA_TNC_ERROR_H_ @@ -96,7 +96,7 @@ struct ietf_attr_pa_tnc_error_t { * * @param error_code Vendor-specific PA-TNC error code * @param header PA-TNC message header (first 8 bytes) - * + * */ pa_tnc_attr_t* ietf_attr_pa_tnc_error_create(pen_type_t error_code, chunk_t header); @@ -107,7 +107,7 @@ pa_tnc_attr_t* ietf_attr_pa_tnc_error_create(pen_type_t error_code, * @param error_code Vendor-specifica PA-TNC error code * @param header PA-TNC message header (first 8 bytes) * @param error_offset PA-TNC error offset in bytes - * + * */ pa_tnc_attr_t* ietf_attr_pa_tnc_error_create_with_offset(pen_type_t error_code, chunk_t header, diff --git a/src/libimcv/ietf/ietf_attr_port_filter.c b/src/libimcv/ietf/ietf_attr_port_filter.c index 8b8da3a41..1d516a51f 100644 --- a/src/libimcv/ietf/ietf_attr_port_filter.c +++ b/src/libimcv/ietf/ietf_attr_port_filter.c @@ -130,7 +130,7 @@ METHOD(pa_tnc_attr_t, build, void, } enumerator->destroy(enumerator); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_port_filter.h b/src/libimcv/ietf/ietf_attr_port_filter.h index ad5553417..93b696e45 100644 --- a/src/libimcv/ietf/ietf_attr_port_filter.h +++ b/src/libimcv/ietf/ietf_attr_port_filter.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_port_filtert ietf_attr_port_filter - * @{ @ingroup ietf_attr_port_filter + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_PORT_FILTER_H_ diff --git a/src/libimcv/ietf/ietf_attr_product_info.c b/src/libimcv/ietf/ietf_attr_product_info.c index 115f00130..a107c27d3 100644 --- a/src/libimcv/ietf/ietf_attr_product_info.c +++ b/src/libimcv/ietf/ietf_attr_product_info.c @@ -119,7 +119,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint16(writer, this->product_id); writer->write_data (writer, this->product_name); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_product_info.h b/src/libimcv/ietf/ietf_attr_product_info.h index dfaa67d6c..d0b2d2a84 100644 --- a/src/libimcv/ietf/ietf_attr_product_info.h +++ b/src/libimcv/ietf/ietf_attr_product_info.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_product_infot ietf_attr_product_info - * @{ @ingroup ietf + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_PRODUCT_INFO_H_ diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.c b/src/libimcv/ietf/ietf_attr_remediation_instr.c index d28631ec7..5d85e5d89 100644 --- a/src/libimcv/ietf/ietf_attr_remediation_instr.c +++ b/src/libimcv/ietf/ietf_attr_remediation_instr.c @@ -154,7 +154,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint32(writer, this->parameters_type.type); writer->write_data (writer, this->parameters); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_remediation_instr.h b/src/libimcv/ietf/ietf_attr_remediation_instr.h index 473280c33..5c7c8891b 100644 --- a/src/libimcv/ietf/ietf_attr_remediation_instr.h +++ b/src/libimcv/ietf/ietf_attr_remediation_instr.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_remediation_instrt ietf_attr_remediation_instr - * @{ @ingroup ietf + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_REMEDIATION_INSTR_H_ diff --git a/src/libimcv/ietf/ietf_attr_string_version.c b/src/libimcv/ietf/ietf_attr_string_version.c index 8f4129eac..68adde612 100644 --- a/src/libimcv/ietf/ietf_attr_string_version.c +++ b/src/libimcv/ietf/ietf_attr_string_version.c @@ -123,7 +123,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_data8(writer, this->build); writer->write_data8(writer, this->config); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ietf/ietf_attr_string_version.h b/src/libimcv/ietf/ietf_attr_string_version.h index 5ffbea8e0..9ccc1f0ee 100644 --- a/src/libimcv/ietf/ietf_attr_string_version.h +++ b/src/libimcv/ietf/ietf_attr_string_version.h @@ -15,7 +15,7 @@ /** * @defgroup ietf_attr_string_versiont ietf_attr_string_version - * @{ @ingroup ietf + * @{ @ingroup ietf_attr */ #ifndef IETF_ATTR_STRING_VERSION_H_ diff --git a/src/libimcv/imc/imc_agent.h b/src/libimcv/imc/imc_agent.h index aef10c0d7..0a1638f47 100644 --- a/src/libimcv/imc/imc_agent.h +++ b/src/libimcv/imc/imc_agent.h @@ -16,7 +16,7 @@ /** * * @defgroup imc_agent_t imc_agent - * @{ @ingroup imc_agent + * @{ @ingroup libimcv_imc */ #ifndef IMC_AGENT_H_ diff --git a/src/libimcv/imc/imc_msg.h b/src/libimcv/imc/imc_msg.h index 9a4623ae9..588225dbe 100644 --- a/src/libimcv/imc/imc_msg.h +++ b/src/libimcv/imc/imc_msg.h @@ -15,7 +15,7 @@ /** * @defgroup imc_msg imc_msg - * @{ @ingroup libimcv + * @{ @ingroup libimcv_imc */ #ifndef IMC_MSG_H_ @@ -141,7 +141,6 @@ imc_msg_t* imc_msg_create_from_data(imc_agent_t *agent, imc_state_t *state, * @param connection_id connection ID * @param src_id source IMV ID * @param dst_id destination IMC ID - * @param msg_flags PA-TNC message flags * @param msg_vid PA-TNC message vendor ID * @param msg_subtype PA-TNC subtype * @param msg received PA-TNC message blob diff --git a/src/libimcv/imc/imc_state.h b/src/libimcv/imc/imc_state.h index c34441f0f..7e763fbe1 100644 --- a/src/libimcv/imc/imc_state.h +++ b/src/libimcv/imc/imc_state.h @@ -16,7 +16,7 @@ /** * * @defgroup imc_state_t imc_state - * @{ @ingroup imc_state + * @{ @ingroup libimcv_imc */ #ifndef IMC_STATE_H_ @@ -68,7 +68,7 @@ struct imc_state_t { /** * Set the maximum size of a PA-TNC message for this TNCCS connection * - * @max_msg_len maximum size of a PA-TNC message + * @param max_msg_len maximum size of a PA-TNC message */ void (*set_max_msg_len)(imc_state_t *this, u_int32_t max_msg_len); diff --git a/src/libimcv/imcv.h b/src/libimcv/imcv.h index a1a5a5f43..3a37e3d8c 100644 --- a/src/libimcv/imcv.h +++ b/src/libimcv/imcv.h @@ -15,7 +15,16 @@ /** * @defgroup libimcv libimcv * - * @defgroup iplugins plugins + * @defgroup libimcv_imc imc + * @ingroup libimcv + * + * @defgroup libimcv_imv imv + * @ingroup libimcv + * + * @defgroup pa_tnc pa_tnc + * @ingroup libimcv + * + * @defgroup libimcv_plugins plugins * @ingroup libimcv * * @addtogroup libimcv diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index 78e584dfb..2eec0ecde 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -73,6 +73,11 @@ struct private_imv_agent_t { rwlock_t *connection_lock; /** + * Access Requestor ID + */ + identification_t *ar_id; + + /** * Inform a TNCS about the set of message types the IMV is able to receive * * @param imv_id IMV ID assigned by TNCS @@ -445,7 +450,6 @@ METHOD(imv_agent_t, create_state, TNC_Result, int tcg_id_type, tcg_subject_type, tcg_auth_type; chunk_t id_value; id_type_t ike_type; - identification_t *id; id_type = tnc_id->get_identity_type(tnc_id); id_value = tnc_id->get_identity_value(tnc_id); @@ -468,12 +472,14 @@ METHOD(imv_agent_t, create_state, TNC_Result, ike_type = ID_IPV6_ADDR; break; case TNC_ID_FQDN: - case TNC_ID_USER_NAME: ike_type = ID_FQDN; break; case TNC_ID_RFC822_ADDR: ike_type = ID_RFC822_ADDR; break; + case TNC_ID_USER_NAME: + ike_type = ID_USER_ID; + break; case TNC_ID_DER_ASN1_DN: ike_type = ID_DER_ASN1_DN; break; @@ -486,11 +492,10 @@ METHOD(imv_agent_t, create_state, TNC_Result, break; } - id = identification_create_from_encoding(ike_type, id_value); - DBG2(DBG_IMV, "%N identity '%Y' authenticated by %N", - TNC_Subject_names, tcg_subject_type, id, - TNC_Authentication_names, tcg_auth_type); - id->destroy(id); + this->ar_id = identification_create_from_encoding(ike_type, id_value); + DBG2(DBG_IMV, " %N AR identity '%Y' authenticated by %N", + TNC_Subject_names, tcg_subject_type, this->ar_id, + TNC_Authentication_names, tcg_auth_type); } enumerator->destroy(enumerator); @@ -593,6 +598,12 @@ METHOD(imv_agent_t, get_id, TNC_IMVID, return this->id; } +METHOD(imv_agent_t, get_ar_id, identification_t*, + private_imv_agent_t *this) +{ + return this->ar_id; +} + METHOD(imv_agent_t, reserve_additional_ids, TNC_Result, private_imv_agent_t *this, int count) { @@ -782,6 +793,7 @@ METHOD(imv_agent_t, destroy, void, private_imv_agent_t *this) { DBG1(DBG_IMV, "IMV %u \"%s\" terminated", this->id, this->name); + DESTROY_IF(this->ar_id); this->additional_ids->destroy(this->additional_ids); this->connections->destroy_offset(this->connections, offsetof(imv_state_t, destroy)); @@ -816,6 +828,7 @@ imv_agent_t *imv_agent_create(const char *name, .get_state = _get_state, .get_name = _get_name, .get_id = _get_id, + .get_ar_id = _get_ar_id, .reserve_additional_ids = _reserve_additional_ids, .count_additional_ids = _count_additional_ids, .create_id_enumerator = _create_id_enumerator, diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h index 5b2cffefe..737caa173 100644 --- a/src/libimcv/imv/imv_agent.h +++ b/src/libimcv/imv/imv_agent.h @@ -16,7 +16,7 @@ /** * * @defgroup imv_agent_t imv_agent - * @{ @ingroup imv_agent + * @{ @ingroup libimcv_imv */ #ifndef IMV_AGENT_H_ @@ -152,6 +152,13 @@ struct imv_agent_t { TNC_IMVID (*get_id)(imv_agent_t *this); /** + * Get Access Requestor ID + * + * return Access Requestor ID + */ + identification_t* (*get_ar_id)(imv_agent_t *this); + + /** * Reserve additional IMV IDs from TNCS * * @param count number of additional IMV IDs to be assigned diff --git a/src/libimcv/imv/imv_lang_string.h b/src/libimcv/imv/imv_lang_string.h index 90a66db76..56b4572f8 100644 --- a/src/libimcv/imv/imv_lang_string.h +++ b/src/libimcv/imv/imv_lang_string.h @@ -16,7 +16,7 @@ /** * * @defgroup imv_lang_string_t imv_lang_string - * @{ @ingroup imv_lang_string + * @{ @ingroup libimcv_imv */ #ifndef IMV_LANG_STRING_H_ diff --git a/src/libimcv/imv/imv_msg.h b/src/libimcv/imv/imv_msg.h index 2a2810170..9e56d9fe7 100644 --- a/src/libimcv/imv/imv_msg.h +++ b/src/libimcv/imv/imv_msg.h @@ -14,8 +14,8 @@ */ /** - * @defgroup imv_msg imv_msg - * @{ @ingroup libimcv + * @defgroup imv_msg_t imv_msg + * @{ @ingroup libimcv_imv */ #ifndef IMV_MSG_H_ @@ -155,7 +155,6 @@ imv_msg_t* imv_msg_create_from_data(imv_agent_t *agent, imv_state_t *state, * @param connection_id connection ID * @param src_id source IMC ID * @param dst_id destination IMV ID - * @param msg_flags PA-TNC message flags * @param msg_vid PA-TNC message vendor ID * @param msg_subtype PA-TNC subtype * @param msg received PA-TNC message blob diff --git a/src/libimcv/imv/imv_reason_string.c b/src/libimcv/imv/imv_reason_string.c index 18eade01b..d1447ec35 100644 --- a/src/libimcv/imv/imv_reason_string.c +++ b/src/libimcv/imv/imv_reason_string.c @@ -51,7 +51,7 @@ METHOD(imv_reason_string_t, add_reason, void, if (this->reasons.len) { /* append any further reasons */ - this->reasons = chunk_cat("cm", this->reasons, chunk_from_chars('\n'), + this->reasons = chunk_cat("mcc", this->reasons, chunk_from_chars('\n'), chunk_create(s_reason, strlen(s_reason))); } else diff --git a/src/libimcv/imv/imv_reason_string.h b/src/libimcv/imv/imv_reason_string.h index 320b2476a..cb4c27f93 100644 --- a/src/libimcv/imv/imv_reason_string.h +++ b/src/libimcv/imv/imv_reason_string.h @@ -16,7 +16,7 @@ /** * * @defgroup imv_reason_string_t imv_reason_string - * @{ @ingroup imv_reason_string + * @{ @ingroup libimcv_imv */ #ifndef IMV_REASON_STRING_H_ diff --git a/src/libimcv/imv/imv_remediation_string.h b/src/libimcv/imv/imv_remediation_string.h index 9249c2aab..605013abb 100644 --- a/src/libimcv/imv/imv_remediation_string.h +++ b/src/libimcv/imv/imv_remediation_string.h @@ -16,7 +16,7 @@ /** * * @defgroup imv_remediation_string_t imv_remediation_string - * @{ @ingroup imv_remediation_string + * @{ @ingroup libimcv_imv */ #ifndef IMV_REMEDIATION_STRING_H_ diff --git a/src/libimcv/imv/imv_state.h b/src/libimcv/imv/imv_state.h index f40402e2b..0684690ca 100644 --- a/src/libimcv/imv/imv_state.h +++ b/src/libimcv/imv/imv_state.h @@ -16,7 +16,7 @@ /** * * @defgroup imv_state_t imv_state - * @{ @ingroup imv_state + * @{ @ingroup libimcv_imv */ #ifndef IMV_STATE_H_ @@ -66,7 +66,7 @@ struct imv_state_t { /** * Set the maximum size of a PA-TNC message for this TNCCS connection * - * @max_msg_len maximum size of a PA-TNC message + * @param max_msg_len maximum size of a PA-TNC message */ void (*set_max_msg_len)(imv_state_t *this, u_int32_t max_msg_len); diff --git a/src/libimcv/ita/ita_attr.h b/src/libimcv/ita/ita_attr.h index d7b06146f..38469f03f 100644 --- a/src/libimcv/ita/ita_attr.h +++ b/src/libimcv/ita/ita_attr.h @@ -14,8 +14,8 @@ */ /** - * @defgroup ita_attrt ita_attr - * @{ @ingroup ita_attr + * @defgroup ita_attr ita_attr + * @{ @ingroup libimcv */ #ifndef ITA_ATTR_H_ diff --git a/src/libimcv/ita/ita_attr_angel.h b/src/libimcv/ita/ita_attr_angel.h index c392f7927..d42e7119a 100644 --- a/src/libimcv/ita/ita_attr_angel.h +++ b/src/libimcv/ita/ita_attr_angel.h @@ -14,8 +14,8 @@ */ /** - * @defgroup ita_attr_angelt ita_attr_angel - * @{ @ingroup ita_attr_angel + * @defgroup ita_attr_angel ita_attr_angel + * @{ @ingroup ita_attr */ #ifndef ITA_ATTR_ANGEL_H_ diff --git a/src/libimcv/ita/ita_attr_command.h b/src/libimcv/ita/ita_attr_command.h index 372355197..3926c3887 100644 --- a/src/libimcv/ita/ita_attr_command.h +++ b/src/libimcv/ita/ita_attr_command.h @@ -14,8 +14,8 @@ */ /** - * @defgroup ita_attr_commandt ita_attr_command - * @{ @ingroup ita_attr_command + * @defgroup ita_attr_command ita_attr_command + * @{ @ingroup ita_attr */ #ifndef ITA_ATTR_COMMAND_H_ @@ -54,7 +54,7 @@ pa_tnc_attr_t* ita_attr_command_create(char *command); /** * Creates an ita_attr_command_t object from received data * - * @param command ITA command string + * @param value binary value blob */ pa_tnc_attr_t* ita_attr_command_create_from_data(chunk_t value); diff --git a/src/libimcv/ita/ita_attr_dummy.h b/src/libimcv/ita/ita_attr_dummy.h index afd543b52..1f85ece54 100644 --- a/src/libimcv/ita/ita_attr_dummy.h +++ b/src/libimcv/ita/ita_attr_dummy.h @@ -14,8 +14,8 @@ */ /** - * @defgroup ita_attr_dummyt ita_attr_dummy - * @{ @ingroup ita_attr_dummy + * @defgroup ita_attr_dummy ita_attr_dummy + * @{ @ingroup ita_attr */ #ifndef ITA_ATTR_DUMMY_H_ @@ -47,14 +47,14 @@ struct ita_attr_dummy_t { /** * Creates an ita_attr_dummy_t object with a given size * - * @param size size of dummy attribute value + * @param size size of dummy attribute value */ pa_tnc_attr_t* ita_attr_dummy_create(int size); /** * Creates an ita_attr_dummy_t object from received data * - * @param command ITA command string + * @param value binary value blob */ pa_tnc_attr_t* ita_attr_dummy_create_from_data(chunk_t value); diff --git a/src/libimcv/ita/ita_attr_get_settings.c b/src/libimcv/ita/ita_attr_get_settings.c index 8016b761d..0695af314 100644 --- a/src/libimcv/ita/ita_attr_get_settings.c +++ b/src/libimcv/ita/ita_attr_get_settings.c @@ -128,7 +128,7 @@ METHOD(pa_tnc_attr_t, build, void, } enumerator->destroy(enumerator); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ita/ita_attr_get_settings.h b/src/libimcv/ita/ita_attr_get_settings.h index cc5c18140..55306ecc8 100644 --- a/src/libimcv/ita/ita_attr_get_settings.h +++ b/src/libimcv/ita/ita_attr_get_settings.h @@ -14,8 +14,8 @@ */ /** - * @defgroup ita_attr_get_settingst ita_attr_get_settings - * @{ @ingroup ita_attr_get_settings + * @defgroup ita_attr_get_settings ita_attr_get_settings + * @{ @ingroup ita_attr */ #ifndef ITA_ATTR_GET_SETTINGS_H_ diff --git a/src/libimcv/ita/ita_attr_settings.c b/src/libimcv/ita/ita_attr_settings.c index 7941cf69e..9ce253d28 100644 --- a/src/libimcv/ita/ita_attr_settings.c +++ b/src/libimcv/ita/ita_attr_settings.c @@ -157,7 +157,7 @@ METHOD(pa_tnc_attr_t, build, void, } enumerator->destroy(enumerator); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libimcv/ita/ita_attr_settings.h b/src/libimcv/ita/ita_attr_settings.h index f3d1fd438..eb7eedae3 100644 --- a/src/libimcv/ita/ita_attr_settings.h +++ b/src/libimcv/ita/ita_attr_settings.h @@ -14,8 +14,8 @@ */ /** - * @defgroup ita_attr_settingst ita_attr_settings - * @{ @ingroup ita_attr_settings + * @defgroup ita_attr_settings ita_attr_settings + * @{ @ingroup ita_attr */ #ifndef ITA_ATTR_SETTINGS_H_ diff --git a/src/libimcv/pa_tnc/pa_tnc_attr.h b/src/libimcv/pa_tnc/pa_tnc_attr.h index 9abdba78c..e2ce06ee4 100644 --- a/src/libimcv/pa_tnc/pa_tnc_attr.h +++ b/src/libimcv/pa_tnc/pa_tnc_attr.h @@ -15,7 +15,7 @@ /** * @defgroup pa_tnc_attr pa_tnc_attr - * @{ @ingroup libimcv + * @{ @ingroup pa_tnc */ #ifndef PA_TNC_ATTR_H_ diff --git a/src/libimcv/pa_tnc/pa_tnc_attr_manager.h b/src/libimcv/pa_tnc/pa_tnc_attr_manager.h index 40c3ab335..121be7f90 100644 --- a/src/libimcv/pa_tnc/pa_tnc_attr_manager.h +++ b/src/libimcv/pa_tnc/pa_tnc_attr_manager.h @@ -15,7 +15,7 @@ /** * @defgroup pa_tnc_attr_manager pa_tnc_attr_manager - * @{ @ingroup libimcv + * @{ @ingroup pa_tnc */ #ifndef PA_TNC_ATTR_MANAGER_H_ @@ -56,7 +56,7 @@ struct pa_tnc_attr_manager_t { * Return the PA-TNC attribute names for a given vendor ID * * @param vendor_id Private Enterprise Number (PEN) - * @return PA-TNC attribute names if found, NULL else + * @return PA-TNC attribute names if found, NULL else */ enum_name_t* (*get_names)(pa_tnc_attr_manager_t *this, pen_t vendor_id); @@ -66,7 +66,7 @@ struct pa_tnc_attr_manager_t { * @param vendor_id Private Enterprise Number (PEN) * @param type PA-TNC attribute type * @param value PA-TNC attribute value as encoded data - * @return PA-TNC attribute object if supported, NULL else + * @return PA-TNC attribute object if supported, NULL else */ pa_tnc_attr_t* (*create)(pa_tnc_attr_manager_t *this, pen_t vendor_id, u_int32_t type, chunk_t value); diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c index d3aceee06..140463b83 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.c +++ b/src/libimcv/pa_tnc/pa_tnc_msg.c @@ -194,7 +194,7 @@ METHOD(pa_tnc_msg_t, build, bool, enumerator->destroy(enumerator); free(this->encoding.ptr); - this->encoding = chunk_clone(writer->get_buf(writer)); + this->encoding = writer->extract_buf(writer); writer->destroy(writer); return TRUE; diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.h b/src/libimcv/pa_tnc/pa_tnc_msg.h index 332f2506f..218d3d673 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.h +++ b/src/libimcv/pa_tnc/pa_tnc_msg.h @@ -15,7 +15,7 @@ /** * @defgroup pa_tnc_msg pa_tnc_msg - * @{ @ingroup libimcv + * @{ @ingroup pa_tnc */ #ifndef PA_TNC_MSG_H_ diff --git a/src/libimcv/plugins/imc_os/imc_os_state.h b/src/libimcv/plugins/imc_os/imc_os_state.h index 1fe23175a..366e2b60c 100644 --- a/src/libimcv/plugins/imc_os/imc_os_state.h +++ b/src/libimcv/plugins/imc_os/imc_os_state.h @@ -14,9 +14,11 @@ */ /** + * @defgroup imc_os imc_os + * @ingroup libimcv_plugins * * @defgroup imc_os_state_t imc_os_state - * @{ @ingroup imc_os_state + * @{ @ingroup imc_os */ #ifndef IMC_OS_STATE_H_ diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner_state.h b/src/libimcv/plugins/imc_scanner/imc_scanner_state.h index 76aa4165b..3b40575e3 100644 --- a/src/libimcv/plugins/imc_scanner/imc_scanner_state.h +++ b/src/libimcv/plugins/imc_scanner/imc_scanner_state.h @@ -13,9 +13,11 @@ */ /** + * @defgroup imc_scanner imc_scanner + * @ingroup libimcv_plugins * * @defgroup imc_scanner_state_t imc_scanner_state - * @{ @ingroup imc_scanner_state + * @{ @ingroup imc_scanner */ #ifndef IMC_SCANNER_STATE_H_ diff --git a/src/libimcv/plugins/imc_test/imc_test_state.h b/src/libimcv/plugins/imc_test/imc_test_state.h index 402fd14b3..5f9ee2537 100644 --- a/src/libimcv/plugins/imc_test/imc_test_state.h +++ b/src/libimcv/plugins/imc_test/imc_test_state.h @@ -13,9 +13,11 @@ */ /** + * @defgroup imc_test imc_test + * @ingroup libimcv_plugins * * @defgroup imc_test_state_t imc_test_state - * @{ @ingroup imc_test_state + * @{ @ingroup imc_test */ #ifndef IMC_TEST_STATE_H_ diff --git a/src/libimcv/plugins/imv_os/imv_os.c b/src/libimcv/plugins/imv_os/imv_os.c index ecc6cfc4f..68b14abfb 100644 --- a/src/libimcv/plugins/imv_os/imv_os.c +++ b/src/libimcv/plugins/imv_os/imv_os.c @@ -390,7 +390,7 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg) device_id = os_state->get_device_id(os_state); if (os_db && device_id) { - os_db->set_device_info(os_db, device_id, + os_db->set_device_info(os_db, device_id, imv_os->get_ar_id(imv_os), os_state->get_info(os_state, NULL, NULL, NULL), count, count_update, count_blacklist, os_settings); } diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c index c6db9953f..730099af4 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.c +++ b/src/libimcv/plugins/imv_os/imv_os_database.c @@ -214,12 +214,14 @@ METHOD(imv_os_database_t, get_device_id, int, } METHOD(imv_os_database_t, set_device_info, void, - private_imv_os_database_t *this, int device_id, char *os_info, - int count, int count_update, int count_blacklist, u_int flags) + private_imv_os_database_t *this, int device_id, identification_t *ar_id, + char *os_info, int count, int count_update, int count_blacklist, + u_int flags) { enumerator_t *e; time_t last_time; - int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0; + int pid = 0, last_pid = 0, iid = 0, last_iid; + int last_count_update = 0, last_count_blacklist = 0; u_int last_flags; bool found = FALSE; @@ -233,26 +235,47 @@ METHOD(imv_os_database_t, set_device_info, void, e->destroy(e); } - /* if OS ifo string has not been found - register it */ + /* if OS info string has not been found - register it */ if (!pid) { this->db->execute(this->db, &pid, "INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info); } + /* get primary key of AR identity if it exists */ + e = this->db->query(this->db, + "SELECT id FROM identities WHERE type = ? AND data = ?", + DB_INT, ar_id->get_type(ar_id), + DB_BLOB, ar_id->get_encoding(ar_id), DB_INT); + if (e) + { + e->enumerate(e, &iid); + e->destroy(e); + } + + /* if AR identity has not been found - register it */ + if (!iid) + { + this->db->execute(this->db, &iid, + "INSERT INTO identities (type, data) VALUES (?, ?)", + DB_INT, ar_id->get_type(ar_id), + DB_BLOB, ar_id->get_encoding(ar_id)); + } + /* get latest device info record if it exists */ e = this->db->query(this->db, - "SELECT time, product, count_update, count_blacklist, flags " + "SELECT time, ar_id, product, count_update, count_blacklist, flags " "FROM device_infos WHERE device = ? ORDER BY time DESC", - DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT); + DB_INT, device_id, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_UINT); if (e) { - found = e->enumerate(e, &last_time, &last_pid, &last_count_update, - &last_count_blacklist, &last_flags); + found = e->enumerate(e, &last_time, &last_iid, &last_pid, + &last_count_update, &last_count_blacklist, + &last_flags); e->destroy(e); } if (found && !last_count_update && !last_count_blacklist && !last_flags && - pid == last_pid) + iid == last_iid && pid == last_pid) { /* update device info */ this->db->execute(this->db, NULL, @@ -266,9 +289,10 @@ METHOD(imv_os_database_t, set_device_info, void, { /* insert device info */ this->db->execute(this->db, NULL, - "INSERT INTO device_infos (device, time, product, count, " - "count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)", - DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid, + "INSERT INTO device_infos (device, time, ar_id, product, count, " + "count_update, count_blacklist, flags) " + "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", + DB_INT, device_id, DB_UINT, time(NULL), DB_INT, iid, DB_INT, pid, DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist, DB_UINT, flags); } diff --git a/src/libimcv/plugins/imv_os/imv_os_database.h b/src/libimcv/plugins/imv_os/imv_os_database.h index 9ce748f9b..790467f33 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.h +++ b/src/libimcv/plugins/imv_os/imv_os_database.h @@ -14,9 +14,8 @@ */ /** - * * @defgroup imv_os_database_t imv_os_database - * @{ @ingroup imv_os_database + * @{ @ingroup imv_os */ #ifndef IMV_OS_DATABASE_H_ @@ -53,13 +52,15 @@ struct imv_os_database_t { * Set health infos for a given device * * @param device_id Device ID primary key + * @param ar_id Access Requestor ID * @param os_info OS info string * @param count Number of installed packages * @param count_update Number of packages to be updated * @param count_blacklist Number of blacklisted packages * @param flags Various flags, e.g. illegal OS settings */ - void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info, + void (*set_device_info)(imv_os_database_t *this, int device_id, + identification_t *ar_id, char *os_info, int count, int count_update, int count_blacklist, u_int flags); diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h index d3e319171..1c2adeaf9 100644 --- a/src/libimcv/plugins/imv_os/imv_os_state.h +++ b/src/libimcv/plugins/imv_os/imv_os_state.h @@ -14,9 +14,11 @@ */ /** + * @defgroup imv_os imv_os + * @ingroup libimcv_plugins * * @defgroup imv_os_state_t imv_os_state - * @{ @ingroup imv_os_state + * @{ @ingroup imv_os */ #ifndef IMV_OS_STATE_H_ @@ -61,7 +63,7 @@ struct imv_os_state_t { * @param type OS type (enumerated) * @param name OS name (string) * @param version OS version - * @return OS name & version as a concatenated string + * @return OS name & version as a concatenated string */ char* (*get_info)(imv_os_state_t *this, os_type_t *os_type, chunk_t *name, chunk_t *version); diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h index 9a0930396..a15eb0778 100644 --- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.h +++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.h @@ -13,9 +13,11 @@ */ /** + * @defgroup imv_scanner imv_scanner + * @ingroup libimcv_plugins * * @defgroup imv_scanner_state_t imv_scanner_state - * @{ @ingroup imv_scanner_state + * @{ @ingroup imv_scanner */ #ifndef IMV_SCANNER_STATE_H_ diff --git a/src/libimcv/plugins/imv_test/imv_test_state.h b/src/libimcv/plugins/imv_test/imv_test_state.h index af78d1470..2de5b6ffc 100644 --- a/src/libimcv/plugins/imv_test/imv_test_state.h +++ b/src/libimcv/plugins/imv_test/imv_test_state.h @@ -13,9 +13,11 @@ */ /** + * @defgroup imv_test imv_test + * @ingroup libimcv_plugins * * @defgroup imv_test_state_t imv_test_state - * @{ @ingroup imv_test_state + * @{ @ingroup imv_test */ #ifndef IMV_TEST_STATE_H_ diff --git a/src/libpts/libpts.h b/src/libpts/libpts.h index 7b2959728..0846aaea2 100644 --- a/src/libpts/libpts.h +++ b/src/libpts/libpts.h @@ -15,7 +15,7 @@ /** * @defgroup libpts libpts * - * @defgroup iplugins plugins + * @defgroup libpts_plugins plugins * @ingroup libpts * * @addtogroup libpts diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.h b/src/libpts/plugins/imc_attestation/imc_attestation_process.h index 5ada104fa..a2f1b4e3c 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_process.h +++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.h @@ -14,9 +14,8 @@ */ /** - * * @defgroup imc_attestation_process_t imc_attestation_process - * @{ @ingroup imc_attestation_process + * @{ @ingroup imc_attestation */ #ifndef IMC_ATTESTATION_PROCESS_H_ diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.h b/src/libpts/plugins/imc_attestation/imc_attestation_state.h index e4fca71bb..4b93931c3 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_state.h +++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.h @@ -14,9 +14,11 @@ */ /** + * @defgroup imc_attestation imc_attestation + * @ingroup libpts_plugins * * @defgroup imc_attestation_state_t imc_attestation_state - * @{ @ingroup imc_attestation_state + * @{ @ingroup imc_attestation */ #ifndef IMC_ATTESTATION_STATE_H_ diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 91e9766d0..5885e26a1 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -804,26 +804,29 @@ METHOD(attest_db_t, list_components, void, METHOD(attest_db_t, list_devices, void, private_attest_db_t *this) { - enumerator_t *e; - chunk_t value; + enumerator_t *e, *e_ar; + chunk_t value, ar_data; char *product; time_t timestamp; - int id, last_id = 0, device_count = 0; + int id, last_id = 0, iid = 0, last_iid = 0, device_count = 0; int count, count_update, count_blacklist; + id_type_t ar_type; + identification_t *ar_id = NULL; u_int tstamp, flags = 0; e = this->db->query(this->db, "SELECT d.id, d.value, i.time, i.count, i.count_update, " - "i.count_blacklist, i.flags, p.name FROM devices AS d " + "i.count_blacklist, i.flags, i.ar_id, p.name FROM devices AS d " "JOIN device_infos AS i ON d.id = i.device " "JOIN products AS p ON p.id = i.product " "ORDER BY d.value, i.time DESC", - DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT); + DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, + DB_INT, DB_TEXT); if (e) { while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update, - &count_blacklist, &flags, &product)) + &count_blacklist, &flags, &iid, &product)) { if (id != last_id) { @@ -832,10 +835,35 @@ METHOD(attest_db_t, list_devices, void, last_id = id; } timestamp = tstamp; - printf(" %T, %4d, %3d, %3d, %1u, '%s'\n", ×tamp, this->utc, + printf(" %T, %4d, %3d, %3d, %1u, '%s'", ×tamp, this->utc, count, count_update, count_blacklist, flags, product); + if (iid) + { + if (iid != last_iid) + { + DESTROY_IF(ar_id); + ar_id = NULL; + + e_ar = this->db->query(this->db, + "SELECT type, data FROM identities " + "WHERE id = ?", DB_INT, iid, DB_INT, DB_BLOB); + if (e_ar->enumerate(e_ar, &ar_type, &ar_data)) + { + ar_id = identification_create_from_encoding(ar_type, + ar_data); + } + e_ar->destroy(e_ar); + } + if (ar_id) + { + printf(" %Y", ar_id); + } + } + printf("\n"); } e->destroy(e); + DESTROY_IF(ar_id); + printf("%d device%s found\n", device_count, (device_count == 1) ? "" : "s"); } diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h index e2297d0c4..a20023fcd 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.h +++ b/src/libpts/plugins/imv_attestation/attest_db.h @@ -14,9 +14,8 @@ */ /** - * * @defgroup attest_db_t attest_db - * @{ @ingroup attest_db + * @{ @ingroup libpts */ #ifndef ATTEST_DB_H_ diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h index 0fc10f0ce..108f6f923 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.h @@ -14,9 +14,8 @@ */ /** - * * @defgroup imv_attestation_build_t imv_attestation_build - * @{ @ingroup imv_attestation_build + * @{ @ingroup imv_attestation */ #ifndef IMV_ATTESTATION_BUILD_H_ diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.h b/src/libpts/plugins/imv_attestation/imv_attestation_process.h index 73b4251e0..74e4644b4 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.h @@ -14,9 +14,8 @@ */ /** - * * @defgroup imv_attestation_process_t imv_attestation_process - * @{ @ingroup imv_attestation_process + * @{ @ingroup imv_attestation */ #ifndef IMV_ATTESTATION_PROCESS_H_ diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h index f64314e71..ab77d3042 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h @@ -14,9 +14,11 @@ */ /** + * @defgroup imv_attestation imv_attestation + * @ingroup libpts_plugins * * @defgroup imv_attestation_state_t imv_attestation_state - * @{ @ingroup imv_attestation_state + * @{ @ingroup imv_attestation */ #ifndef IMV_ATTESTATION_STATE_H_ @@ -73,7 +75,7 @@ struct imv_attestation_state_t { */ imv_attestation_handshake_state_t (*get_handshake_state)( imv_attestation_state_t *this); - + /** * Set state of the handshake * @@ -133,7 +135,7 @@ struct imv_attestation_state_t { /** * Get a Functional Component with a given name * - * @param name Name of the requested Functional Component + * @param name Name of the requested Functional Component * @return Functional Component if found, NULL otherwise */ pts_component_t* (*get_component)(imv_attestation_state_t *this, diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql index 8a79ea7cf..0c038d365 100644 --- a/src/libpts/plugins/imv_attestation/tables.sql +++ b/src/libpts/plugins/imv_attestation/tables.sql @@ -126,13 +126,21 @@ CREATE INDEX devices_value ON devices ( DROP TABLE IF EXISTS device_infos; CREATE TABLE device_infos ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, device INTEGER NOT NULL, time INTEGER NOT NULL, + ar_id INTEGER DEFAULT 0, product INTEGER DEFAULT 0, count INTEGER DEFAULT 0, count_update INTEGER DEFAULT 0, count_blacklist INTEGER DEFAULT 0, - flags INTEGER DEFAULT 0, - PRIMARY KEY (device, time) + flags INTEGER DEFAULT 0 ); +DROP TABLE IF EXISTS identities; +CREATE TABLE identities ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + type INTEGER NOT NULL, + data BLOB NOT NULL, + UNIQUE (type, data) +); diff --git a/src/libpts/pts/components/pts_comp_func_name.h b/src/libpts/pts/components/pts_comp_func_name.h index a3ffa1ba9..90ad7083f 100644 --- a/src/libpts/pts/components/pts_comp_func_name.h +++ b/src/libpts/pts/components/pts_comp_func_name.h @@ -95,7 +95,7 @@ struct pts_comp_func_name_t { * * @param vid PTS Component Functional Name Vendor ID * @param name PTS Component Functional Name - * @param PTS Component Functional Name Qualifier + * @param qualifier PTS Component Functional Name Qualifier */ pts_comp_func_name_t* pts_comp_func_name_create(u_int32_t vid, u_int32_t name, u_int8_t qualifier); diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c index 84a9961c8..f646d67e1 100644 --- a/src/libpts/pts/pts.c +++ b/src/libpts/pts/pts.c @@ -1043,7 +1043,7 @@ METHOD(pts_t, get_quote_info, bool, } /* TPM Quote Info */ - *out_quote_info = chunk_clone(writer->get_buf(writer)); + *out_quote_info = writer->extract_buf(writer); DBG3(DBG_PTS, "constructed TPM Quote Info: %B", out_quote_info); writer->destroy(writer); diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h index 423a4c802..11154aa38 100644 --- a/src/libpts/pts/pts.h +++ b/src/libpts/pts/pts.h @@ -15,7 +15,7 @@ /** * @defgroup pts pts - * @{ @ingroup pts + * @{ @ingroup libpts */ #ifndef PTS_H_ diff --git a/src/libpts/pts/pts_dh_group.h b/src/libpts/pts/pts_dh_group.h index 8664a4b84..2aab90263 100644 --- a/src/libpts/pts/pts_dh_group.h +++ b/src/libpts/pts/pts_dh_group.h @@ -48,12 +48,12 @@ enum pts_dh_group_t { * Diffie-Hellman Group Values * see section 3.8.6 of PTS Protocol: Binding to TNC IF-M Specification * - * 1 - * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 + * 1 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * |1|2|3|4|5|R|R|R|R|R|R|R|R|R|R|R| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * + * */ /** @@ -90,8 +90,8 @@ bool pts_dh_group_update(char *dh_group, pts_dh_group_t *dh_groups); * @param offered_groups set of offered DH groups * @return selected DH group */ -pts_dh_group_t pts_dh_group_select(pts_dh_group_t supported_dh_groups, - pts_dh_group_t offered_dh_groups); +pts_dh_group_t pts_dh_group_select(pts_dh_group_t supported_groups, + pts_dh_group_t offered_groups); /** * Convert pts_dh_group_t to diffie_hellman_group_t diff --git a/src/libpts/pts/pts_file_meas.h b/src/libpts/pts/pts_file_meas.h index 71efd5026..a13bb29ba 100644 --- a/src/libpts/pts/pts_file_meas.h +++ b/src/libpts/pts/pts_file_meas.h @@ -57,7 +57,7 @@ struct pts_file_meas_t { /** * Create a PTS File Measurement enumerator * - * @return Enumerator returning filename and measurement + * @return Enumerator returning filename and measurement */ enumerator_t* (*create_enumerator)(pts_file_meas_t *this); @@ -76,7 +76,7 @@ struct pts_file_meas_t { * Verify stored hashes against PTS File Measurements * * @param e_hash Hash enumerator - * @paraem is_dir TRUE for directory contents hashes + * @param is_dir TRUE for directory contents hashes * @return TRUE if all hashes match a measurement */ bool (*verify)(pts_file_meas_t *this, enumerator_t *e_hash, bool is_dir); diff --git a/src/libpts/tcg/tcg_attr.c b/src/libpts/tcg/tcg_attr.c index 656791a8f..b91bf8283 100644 --- a/src/libpts/tcg/tcg_attr.c +++ b/src/libpts/tcg/tcg_attr.c @@ -31,8 +31,23 @@ #include "tcg/tcg_pts_attr_req_file_meta.h" #include "tcg/tcg_pts_attr_unix_file_meta.h" -ENUM_BEGIN(tcg_attr_names, TCG_PTS_REQ_FUNC_COMP_EVID, +ENUM_BEGIN(tcg_attr_names, TCG_SCAP_REFERENCES, + TCG_SCAP_SUMMARY_RESULTS, + "SCAP References", + "SCAP Capabilities and Inventory", + "SCAP Content", + "SCAP Assessment", + "SCAP Results", + "SCAP Summary Results"); +ENUM_NEXT(tcg_attr_names, TCG_SWID_INVENTORY_REQUEST, + TCG_SWID_TAG_IDENTIFIER_RESPONSE, + TCG_SCAP_SUMMARY_RESULTS, + "SWID Inventory Request", + "SWID Tag Response", + "SWID Tag Identifier Response"); +ENUM_NEXT(tcg_attr_names, TCG_PTS_REQ_FUNC_COMP_EVID, TCG_PTS_REQ_FUNC_COMP_EVID, + TCG_SWID_TAG_IDENTIFIER_RESPONSE, "Request Functional Component Evidence"); ENUM_NEXT(tcg_attr_names, TCG_PTS_GEN_ATTEST_EVID, TCG_PTS_GEN_ATTEST_EVID, diff --git a/src/libpts/tcg/tcg_attr.h b/src/libpts/tcg/tcg_attr.h index b45e1488f..ed6c97619 100644 --- a/src/libpts/tcg/tcg_attr.h +++ b/src/libpts/tcg/tcg_attr.h @@ -14,8 +14,8 @@ */ /** - * @defgroup tcg_attrt tcg_attr - * @{ @ingroup tcg_attr + * @defgroup tcg_attr tcg_attr + * @{ @ingroup libpts */ #ifndef TCG_ATTR_H_ @@ -31,6 +31,19 @@ typedef enum tcg_attr_t tcg_attr_t; */ enum tcg_attr_t { + /* SCAP Messages */ + TCG_SCAP_REFERENCES = 0x00000001, + TCG_SCAP_CAPS_AND_INVENTORY = 0x00000002, + TCG_SCAP_CONTENT = 0x00000003, + TCG_SCAP_ASSESSMENT = 0x00000004, + TCG_SCAP_RESULTS = 0x00000005, + TCG_SCAP_SUMMARY_RESULTS = 0x00000006, + + /* SWID Messages */ + TCG_SWID_INVENTORY_REQUEST = 0x00000011, + TCG_SWID_TAG_RESPONSE = 0x00000012, + TCG_SWID_TAG_IDENTIFIER_RESPONSE = 0x00000013, + /* PTS Protocol Negotiations */ TCG_PTS_REQ_PROTO_CAPS = 0x01000000, TCG_PTS_PROTO_CAPS = 0x02000000, diff --git a/src/libpts/tcg/tcg_pts_attr_aik.c b/src/libpts/tcg/tcg_pts_attr_aik.c index d5bbdc9cd..17a8db5d6 100644 --- a/src/libpts/tcg/tcg_pts_attr_aik.c +++ b/src/libpts/tcg/tcg_pts_attr_aik.c @@ -123,9 +123,9 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(PTS_AIK_SIZE); writer->write_uint8(writer, flags); writer->write_data (writer, aik_blob); - this->value = chunk_clone(writer->get_buf(writer)); - free(aik_blob.ptr); + this->value = writer->extract_buf(writer); writer->destroy(writer); + free(aik_blob.ptr); } METHOD(pa_tnc_attr_t, process, status_t, diff --git a/src/libpts/tcg/tcg_pts_attr_aik.h b/src/libpts/tcg/tcg_pts_attr_aik.h index 96e90582b..758fd58db 100644 --- a/src/libpts/tcg/tcg_pts_attr_aik.h +++ b/src/libpts/tcg/tcg_pts_attr_aik.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_aik tcg_pts_attr_aik - * @{ @ingroup tcg_pts_attr_aik + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_AIK_H_ @@ -38,7 +38,7 @@ struct tcg_pts_attr_aik_t { * Public PA-TNC attribute interface */ pa_tnc_attr_t pa_tnc_attribute; - + /** * Get AIK * @@ -50,7 +50,7 @@ struct tcg_pts_attr_aik_t { /** * Creates an tcg_pts_attr_aik_t object - * + * * @param aik Attestation Identity Key */ pa_tnc_attr_t* tcg_pts_attr_aik_create(certificate_t *aik); diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c index 4d7281243..6119b4973 100644 --- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c +++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c @@ -128,7 +128,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_data (writer, this->initiator_value); writer->write_data (writer, this->initiator_nonce); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h index 7148065c5..57cb5a9b6 100644 --- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h +++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_dh_nonce_finish tcg_pts_attr_dh_nonce_finish - * @{ @ingroup tcg_pts_attr_dh_nonce_finish + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_DH_NONCE_FINISH_H_ @@ -64,7 +64,7 @@ struct tcg_pts_attr_dh_nonce_finish_t { * @return DH Initiator Nonce */ chunk_t (*get_initiator_nonce)(tcg_pts_attr_dh_nonce_finish_t *this); - + }; /** @@ -76,7 +76,7 @@ struct tcg_pts_attr_dh_nonce_finish_t { */ pa_tnc_attr_t* tcg_pts_attr_dh_nonce_finish_create( pts_meas_algorithms_t hash_algo, - chunk_t initiator_value, + chunk_t initiator_value, chunk_t initiator_nonce); /** diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c index 7796dbaab..7761b977d 100644 --- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c +++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c @@ -117,7 +117,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint8 (writer, this->min_nonce_len); writer->write_uint16(writer, this->dh_groups); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h index 170077156..22e1bd189 100644 --- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h +++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_dh_nonce_params_req tcg_pts_attr_dh_nonce_params_req - * @{ @ingroup tcg_pts_attr_dh_nonce_params_req + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_DH_NONCE_PARAMS_REQ_H_ diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c index 1e82e7098..eb0d0e533 100644 --- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c +++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c @@ -136,7 +136,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_data (writer, this->responder_nonce); writer->write_data (writer, this->responder_value); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h index d2141f8b9..aaf85ef37 100644 --- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h +++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_dh_nonce_params_resp tcg_pts_attr_dh_nonce_params_resp - * @{ @ingroup tcg_pts_attr_dh_nonce_params_resp + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_DH_NONCE_PARAMS_RESP_H_ @@ -67,7 +67,7 @@ struct tcg_pts_attr_dh_nonce_params_resp_t { * @return DH Responder Public Value */ chunk_t (*get_responder_value)(tcg_pts_attr_dh_nonce_params_resp_t *this); - + }; /** @@ -76,11 +76,11 @@ struct tcg_pts_attr_dh_nonce_params_resp_t { * @param dh_group Selected DH group * @param hash_algo_set Set of supported hash algorithms * @param responder_nonce DH Responder Nonce - * @param responder_pub_val DH Responder Public value + * @param responder_value DH Responder Public value */ pa_tnc_attr_t* tcg_pts_attr_dh_nonce_params_resp_create(pts_dh_group_t dh_group, pts_meas_algorithms_t hash_algo_set, - chunk_t responder_nonce, + chunk_t responder_nonce, chunk_t responder_value); /** diff --git a/src/libpts/tcg/tcg_pts_attr_file_meas.c b/src/libpts/tcg/tcg_pts_attr_file_meas.c index 1daac70e5..b9095f5be 100644 --- a/src/libpts/tcg/tcg_pts_attr_file_meas.c +++ b/src/libpts/tcg/tcg_pts_attr_file_meas.c @@ -154,7 +154,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint16(writer, 0); } - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_file_meas.h b/src/libpts/tcg/tcg_pts_attr_file_meas.h index c432ba9a9..8d50cd9c6 100644 --- a/src/libpts/tcg/tcg_pts_attr_file_meas.h +++ b/src/libpts/tcg/tcg_pts_attr_file_meas.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_file_meas tcg_pts_attr_file_meas - * @{ @ingroup tcg_pts_attr_file_meas + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_FILE_MEAS_H_ @@ -38,19 +38,19 @@ struct tcg_pts_attr_file_meas_t { * Public PA-TNC attribute interface */ pa_tnc_attr_t pa_tnc_attribute; - + /** * Get PTS File Measurements * * @return PTS File Measurements */ pts_file_meas_t* (*get_measurements)(tcg_pts_attr_file_meas_t *this); - + }; /** * Creates an tcg_pts_attr_file_meas_t object - * + * * @param measurements PTS File Measurements */ pa_tnc_attr_t* tcg_pts_attr_file_meas_create(pts_file_meas_t *measurements); diff --git a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c index 9103e06b2..f263747a3 100644 --- a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c +++ b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c @@ -106,7 +106,7 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(PTS_GEN_ATTEST_EVID_SIZE); writer->write_uint32 (writer, PTS_GEN_ATTEST_EVID_RESERVED); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h index 0a65f2143..88f070406 100644 --- a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h +++ b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_gen_attest_evid tcg_pts_attr_gen_attest_evid - * @{ @ingroup tcg_pts_attr_gen_attest_evid + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_GEN_ATTEST_EVID_H_ diff --git a/src/libpts/tcg/tcg_pts_attr_get_aik.c b/src/libpts/tcg/tcg_pts_attr_get_aik.c index 6f35f5419..cf944d2a9 100644 --- a/src/libpts/tcg/tcg_pts_attr_get_aik.c +++ b/src/libpts/tcg/tcg_pts_attr_get_aik.c @@ -103,7 +103,7 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(PTS_GET_AIK_SIZE); writer->write_uint32 (writer, PTS_GET_AIK_RESERVED); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_get_aik.h b/src/libpts/tcg/tcg_pts_attr_get_aik.h index e5c74b4dc..aca890a20 100644 --- a/src/libpts/tcg/tcg_pts_attr_get_aik.h +++ b/src/libpts/tcg/tcg_pts_attr_get_aik.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_get_aik tcg_pts_attr_get_aik - * @{ @ingroup tcg_pts_attr_get_aik + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_GET_AIK_H_ diff --git a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c index 4dd64e3a7..647c426ed 100644 --- a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c +++ b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c @@ -106,7 +106,7 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(PTS_GET_TPM_VER_INFO_SIZE); writer->write_uint32 (writer, PTS_GET_TPM_VER_INFO_RESERVED); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h index 1b693402a..360049690 100644 --- a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h +++ b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_get_tpm_version_info tcg_pts_attr_get_tpm_version_info - * @{ @ingroup tcg_pts_attr_get_tpm_version_info + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_GET_TPM_VERSION_INFO_H_ diff --git a/src/libpts/tcg/tcg_pts_attr_meas_algo.c b/src/libpts/tcg/tcg_pts_attr_meas_algo.c index abef45bdd..a4dac9070 100644 --- a/src/libpts/tcg/tcg_pts_attr_meas_algo.c +++ b/src/libpts/tcg/tcg_pts_attr_meas_algo.c @@ -109,7 +109,7 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(PTS_MEAS_ALGO_SIZE); writer->write_uint16(writer, PTS_MEAS_ALGO_RESERVED); writer->write_uint16(writer, this->algorithms); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_meas_algo.h b/src/libpts/tcg/tcg_pts_attr_meas_algo.h index 885e2c16b..758100bbc 100644 --- a/src/libpts/tcg/tcg_pts_attr_meas_algo.h +++ b/src/libpts/tcg/tcg_pts_attr_meas_algo.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_meas_algo tcg_pts_attr_meas_algo - * @{ @ingroup tcg_pts_attr_meas_algo + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_MEAS_ALGO_H_ diff --git a/src/libpts/tcg/tcg_pts_attr_proto_caps.c b/src/libpts/tcg/tcg_pts_attr_proto_caps.c index 360883282..6473ea808 100644 --- a/src/libpts/tcg/tcg_pts_attr_proto_caps.c +++ b/src/libpts/tcg/tcg_pts_attr_proto_caps.c @@ -110,7 +110,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint16(writer, PTS_PROTO_CAPS_RESERVED); writer->write_uint16(writer, this->flags); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_proto_caps.h b/src/libpts/tcg/tcg_pts_attr_proto_caps.h index 15cfbc7cb..cc59f4ef1 100644 --- a/src/libpts/tcg/tcg_pts_attr_proto_caps.h +++ b/src/libpts/tcg/tcg_pts_attr_proto_caps.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_proto_caps tcg_pts_attr_proto_caps - * @{ @ingroup tcg_pts_attr_proto_caps + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_PROTO_CAPS_H_ diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c index 8b4bfe54d..f0bc7cf60 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c +++ b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c @@ -143,7 +143,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint16(writer, this->request_id); writer->write_uint32(writer, this->delimiter); writer->write_data (writer, pathname); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meas.h b/src/libpts/tcg/tcg_pts_attr_req_file_meas.h index 19d189eff..85a6b9a43 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_file_meas.h +++ b/src/libpts/tcg/tcg_pts_attr_req_file_meas.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_req_file_meas tcg_pts_attr_req_file_meas - * @{ @ingroup tcg_pts_attr_req_file_meas + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_REQ_FILE_MEAS_H_ @@ -36,7 +36,7 @@ struct tcg_pts_attr_req_file_meas_t { * Public PA-TNC attribute interface */ pa_tnc_attr_t pa_tnc_attribute; - + /** * Get flag for PTS Request File Measurement * @@ -50,7 +50,6 @@ struct tcg_pts_attr_req_file_meas_t { * @return Request ID */ u_int16_t (*get_request_id)(tcg_pts_attr_req_file_meas_t *this); - /** * Get Delimiter @@ -58,19 +57,19 @@ struct tcg_pts_attr_req_file_meas_t { * @return UTF-8 encoding of a Delimiter Character */ u_int32_t (*get_delimiter)(tcg_pts_attr_req_file_meas_t *this); - + /** * Get Fully Qualified File Pathname * * @return Pathname */ char* (*get_pathname)(tcg_pts_attr_req_file_meas_t *this); - + }; /** * Creates an tcg_pts_attr_req_file_meas_t object - * + * * @param directory_flag Directory Contents Flag * @param request_id Request ID * @param delimiter Delimiter Character diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c index ff5581435..e475cd35b 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c +++ b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c @@ -136,7 +136,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint16(writer, PTS_REQ_FILE_META_RESERVED); writer->write_data (writer, pathname); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meta.h b/src/libpts/tcg/tcg_pts_attr_req_file_meta.h index 7620c50ab..311418be2 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_file_meta.h +++ b/src/libpts/tcg/tcg_pts_attr_req_file_meta.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_req_file_meta tcg_pts_attr_req_file_meta - * @{ @ingroup tcg_pts_attr_req_file_meta + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_REQ_FILE_META_H_ @@ -36,7 +36,7 @@ struct tcg_pts_attr_req_file_meta_t { * Public PA-TNC attribute interface */ pa_tnc_attr_t pa_tnc_attribute; - + /** * Get directory flag for PTS Request File Metadata * @@ -50,19 +50,19 @@ struct tcg_pts_attr_req_file_meta_t { * @return UTF-8 encoding of a Delimiter Character */ u_int8_t (*get_delimiter)(tcg_pts_attr_req_file_meta_t *this); - + /** * Get Fully Qualified File Pathname * * @return Pathname */ char* (*get_pathname)(tcg_pts_attr_req_file_meta_t *this); - + }; /** * Creates an tcg_pts_attr_req_file_meta_t object - * + * * @param directory_flag Directory Contents Flag * @param delimiter Delimiter Character * @param pathname File Pathname diff --git a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c index 8bb43aef8..5249fa2ad 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c +++ b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c @@ -183,7 +183,7 @@ METHOD(pa_tnc_attr_t, build, void, } enumerator->destroy(enumerator); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h index 031955aca..749413c2e 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h +++ b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_req_func_comp_evid tcg_pts_attr_req_func_comp_evid - * @{ @ingroup tcg_pts_attr_req_func_comp_evid + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_REQ_FUNC_COMP_EVID_H_ @@ -37,7 +37,7 @@ struct tcg_pts_attr_req_func_comp_evid_t { * Public PA-TNC attribute interface */ pa_tnc_attr_t pa_tnc_attribute; - + /** * Add a component to the Functional Component Evidence Request * @@ -62,7 +62,7 @@ struct tcg_pts_attr_req_func_comp_evid_t { * @return Entry enumerator */ enumerator_t* (*create_enumerator)(tcg_pts_attr_req_func_comp_evid_t *this); - + }; /** diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c index c659443b7..40f380ab4 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c +++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c @@ -242,7 +242,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_data(writer, measurement); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h index 3a80904c8..494418261 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h +++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_simple_comp_evid tcg_pts_attr_simple_comp_evid - * @{ @ingroup tcg_pts_attr_simple_comp_evid + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_SIMPLE_COMP_EVID_H_ @@ -24,7 +24,7 @@ typedef struct tcg_pts_attr_simple_comp_evid_t tcg_pts_attr_simple_comp_evid_t; #include "tcg_attr.h" -#include "pts/components/pts_comp_evidence.h" +#include "pts/components/pts_comp_evidence.h" #include "pa_tnc/pa_tnc_attr.h" /** @@ -44,12 +44,12 @@ struct tcg_pts_attr_simple_comp_evid_t { * @return Component Evidence */ pts_comp_evidence_t* (*get_comp_evidence)(tcg_pts_attr_simple_comp_evid_t *this); - + }; /** * Creates an tcg_pts_attr_simple_comp_evid_t object - * + * * @param evid Component Evidence */ pa_tnc_attr_t* tcg_pts_attr_simple_comp_evid_create(pts_comp_evidence_t *evid); diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c index 8c76651d6..baadd943f 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c +++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c @@ -194,7 +194,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_data (writer, this->evid_sig); } - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h index 3d98bfce7..6778afbdc 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h +++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_simple_evid_final tcg_pts_attr_simple_evid_final - * @{ @ingroup tcg_pts_attr_simple_evid_final + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_SIMPLE_EVID_FINAL_H_ @@ -44,27 +44,29 @@ struct tcg_pts_attr_simple_evid_final_t { * @param comp_hash_algo Optional Composite Hash Algorithm * @param pcr_comp Optional PCR Composite * @param tpm_quote sig Optional TPM Quote Signature - * @return PTS_SIMPLE_EVID_FINAL flags + * @return PTS_SIMPLE_EVID_FINAL flags */ u_int8_t (*get_quote_info)(tcg_pts_attr_simple_evid_final_t *this, pts_meas_algorithms_t *comp_hash_algo, chunk_t *pcr_comp, chunk_t *tpm_quote_sig); - + /** * Get Optional Evidence Signature * - * @evid_sig Optional Evidence Signature + * @param evid_sig Optional Evidence Signature * @return TRUE if Evidence Signature is available */ - bool (*get_evid_sig)(tcg_pts_attr_simple_evid_final_t *this, chunk_t *evid_sig); + bool (*get_evid_sig)(tcg_pts_attr_simple_evid_final_t *this, + chunk_t *evid_sig); /** * Set Optional Evidence Signature * - * @evid_sig Optional Evidence Signature + * @param vid_sig Optional Evidence Signature */ - void (*set_evid_sig)(tcg_pts_attr_simple_evid_final_t *this, chunk_t evid_sig); - + void (*set_evid_sig)(tcg_pts_attr_simple_evid_final_t *this, + chunk_t evid_sig); + }; /** diff --git a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c index 5143e1676..b776cb662 100644 --- a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c +++ b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c @@ -110,7 +110,7 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(PTS_TPM_VER_INFO_SIZE); writer->write_data(writer, this->tpm_version_info); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h index 2c12bb068..4ac18fb9e 100644 --- a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h +++ b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_tpm_version_info tcg_pts_attr_tpm_version_info - * @{ @ingroup tcg_pts_attr_tpm_version_info + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_TPM_VERSION_INFO_H_ @@ -36,7 +36,7 @@ struct tcg_pts_attr_tpm_version_info_t { * Public PA-TNC attribute interface */ pa_tnc_attr_t pa_tnc_attribute; - + /** * Get TPM Version Info * @@ -55,7 +55,7 @@ struct tcg_pts_attr_tpm_version_info_t { /** * Creates an tcg_pts_attr_tpm_version_info_t object - * + * * @param tpm_version_info TPM version info */ pa_tnc_attr_t* tcg_pts_attr_tpm_version_info_create(chunk_t tpm_version_info); diff --git a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c index 56686d8ca..f96371b8b 100644 --- a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c +++ b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c @@ -166,7 +166,7 @@ METHOD(pa_tnc_attr_t, build, void, } enumerator->destroy(enumerator); - this->value = chunk_clone(writer->get_buf(writer)); + this->value = writer->extract_buf(writer); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h index 8a594eab5..ad9794b45 100644 --- a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h +++ b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.h @@ -15,7 +15,7 @@ /** * @defgroup tcg_pts_attr_unix_file_meta tcg_pts_attr_unix_file_meta - * @{ @ingroup tcg_pts_attr_unix_file_meta + * @{ @ingroup tcg_attr */ #ifndef TCG_PTS_ATTR_UNIX_FILE_META_H_ @@ -38,19 +38,19 @@ struct tcg_pts_attr_file_meta_t { * Public PA-TNC attribute interface */ pa_tnc_attr_t pa_tnc_attribute; - + /** * Get PTS File Metadata * * @return PTS File Metadata */ pts_file_meta_t* (*get_metadata)(tcg_pts_attr_file_meta_t *this); - + }; /** * Creates an tcg_pts_attr_file_meta_t object - * + * * @param metadata PTS File Metadata */ pa_tnc_attr_t* tcg_pts_attr_unix_file_meta_create(pts_file_meta_t *metadata); diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h index 0031c1ebd..cb8bde05c 100644 --- a/src/libpttls/pt_tls.h +++ b/src/libpttls/pt_tls.h @@ -15,7 +15,9 @@ /** * @defgroup pt_tls pt_tls - * @{ @ingroup pt_tls + * + * @addtogroup pt_tls + * @{ */ #ifndef PT_TLS_H_ diff --git a/src/libradius/radius_message.h b/src/libradius/radius_message.h index f9c57c5ef..18ec581e5 100644 --- a/src/libradius/radius_message.h +++ b/src/libradius/radius_message.h @@ -280,11 +280,6 @@ struct radius_message_t { }; /** - * Dummy libradius initialization function needed for integrity test - */ -void libradius_init(void); - -/** * Create an empty RADIUS message. * * @param code request type @@ -300,4 +295,13 @@ radius_message_t *radius_message_create(radius_message_code_t code); */ radius_message_t *radius_message_parse(chunk_t data); +/** + * @} + * @addtogroup libradius + * @{ + * + * Dummy libradius initialization function needed for integrity test + */ +void libradius_init(void); + #endif /** RADIUS_MESSAGE_H_ @}*/ diff --git a/src/libsimaka/simaka_manager.h b/src/libsimaka/simaka_manager.h index 810cb0685..bdd50296e 100644 --- a/src/libsimaka/simaka_manager.h +++ b/src/libsimaka/simaka_manager.h @@ -279,11 +279,6 @@ struct simaka_manager_t { }; /** - * Dummy libsimaka initialization function needed for integrity test - */ -void libsimaka_init(void); - -/** * Create an SIM/AKA manager to handle multiple (U)SIM cards/providers. * * @return simaka_t object @@ -312,4 +307,13 @@ typedef void* (*simaka_manager_register_cb_t)(plugin_t *plugin); bool simaka_manager_register(plugin_t *plugin, plugin_feature_t *feature, bool reg, void *data); +/** + * @} + * @addtogroup libsimaka + * @{ + * + * Dummy libsimaka initialization function needed for integrity test + */ +void libsimaka_init(void); + #endif /** SIMAKA_MANAGER_H_ @}*/ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index c4677a537..49ef1cdf2 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -213,7 +213,13 @@ 0x08 "timeStamping" 0x09 "ocspSigning" OID_OCSP_SIGNING 0x08 "id-otherNames" + 0x01 "personalData" + 0x02 "userGroup" + 0x03 "id-on-permanentIdentifier" + 0x04 "id-on-hardwareModuleName" 0x05 "xmppAddr" OID_XMPP_ADDR + 0x06 "id-on-SIM" + 0x07 "id-on-dnsSRV" 0x0A "id-aca" 0x01 "authenticationInfo" OID_AUTHENTICATION_INFO 0x02 "accessIdentity" OID_ACCESS_IDENTITY diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index a718de3dc..d2d0a7d72 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -76,7 +76,6 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_RULE_AAA_IDENTITY: case AUTH_RULE_XAUTH_IDENTITY: case AUTH_RULE_XAUTH_BACKEND: - case AUTH_RULE_SUBJECT_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_SUBJECT_HASH_URL: case AUTH_RULE_MAX: @@ -84,6 +83,7 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_RULE_OCSP_VALIDATION: case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_GROUP: + case AUTH_RULE_SUBJECT_CERT: case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_CERT_POLICY: @@ -503,8 +503,9 @@ METHOD(auth_cfg_t, complies, bool, private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error) { enumerator_t *e1, *e2; - bool success = TRUE, group_match = FALSE; + bool success = TRUE, group_match = FALSE, cert_match = FALSE; identification_t *require_group = NULL; + certificate_t *require_cert = NULL; signature_scheme_t scheme = SIGN_UNKNOWN; u_int strength = 0; auth_rule_t t1, t2; @@ -542,20 +543,21 @@ METHOD(auth_cfg_t, complies, bool, } case AUTH_RULE_SUBJECT_CERT: { - certificate_t *c1, *c2; + certificate_t *cert; - c1 = (certificate_t*)value; - c2 = get(this, AUTH_RULE_SUBJECT_CERT); - if (!c2 || !c1->equals(c1, c2)) + /* for certs, a match of a single cert is sufficient */ + require_cert = (certificate_t*)value; + + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &cert)) { - success = FALSE; - if (log_error) + if (t2 == AUTH_RULE_SUBJECT_CERT && + cert->equals(cert, require_cert)) { - DBG1(DBG_CFG, "constraint check failed: peer not " - "authenticated with peer cert '%Y'.", - c1->get_subject(c1)); + cert_match = TRUE; } } + e2->destroy(e2); break; } case AUTH_RULE_CRL_VALIDATION: @@ -828,6 +830,17 @@ METHOD(auth_cfg_t, complies, bool, } return FALSE; } + + if (require_cert && !cert_match) + { + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: peer not " + "authenticated with peer cert '%Y'.", + require_cert->get_subject(require_cert)); + } + return FALSE; + } return success; } @@ -999,14 +1012,15 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, { enumerator_t *enumerator; auth_cfg_t *clone; - entry_t *entry; + auth_rule_t type; + void *value; clone = auth_cfg_create(); /* this enumerator skips duplicates for rules we expect only once */ - enumerator = this->entries->create_enumerator(this->entries); - while (enumerator->enumerate(enumerator, &entry)) + enumerator = create_enumerator(this); + while (enumerator->enumerate(enumerator, &type, &value)) { - switch (entry->type) + switch (type) { case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: @@ -1014,8 +1028,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, case AUTH_RULE_GROUP: case AUTH_RULE_XAUTH_IDENTITY: { - identification_t *id = (identification_t*)entry->value; - clone->add(clone, entry->type, id->clone(id)); + identification_t *id = (identification_t*)value; + clone->add(clone, type, id->clone(id)); break; } case AUTH_RULE_CA_CERT: @@ -1025,8 +1039,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_REVOCATION_CERT: { - certificate_t *cert = (certificate_t*)entry->value; - clone->add(clone, entry->type, cert->get_ref(cert)); + certificate_t *cert = (certificate_t*)value; + clone->add(clone, type, cert->get_ref(cert)); break; } case AUTH_RULE_XAUTH_BACKEND: @@ -1034,7 +1048,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: { - clone->add(clone, entry->type, strdup(entry->value)); + clone->add(clone, type, strdup(value)); break; } case AUTH_RULE_IDENTITY_LOOSE: @@ -1046,7 +1060,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: - clone->add(clone, entry->type, (uintptr_t)entry->value); + clone->add(clone, type, (uintptr_t)value); break; case AUTH_RULE_MAX: break; diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h index 00e30d7a0..325fa0af3 100644 --- a/src/libstrongswan/credentials/cert_validator.h +++ b/src/libstrongswan/credentials/cert_validator.h @@ -35,6 +35,22 @@ typedef struct cert_validator_t cert_validator_t; struct cert_validator_t { /** + * Check the lifetime of a certificate. + * + * If this function returns SUCCESS or FAILED, the certificate lifetime is + * considered definitely (in-)valid, without asking other validators. + * If all registered validaters return NEED_MORE, the default + * lifetime check is performed. + * + * @param cert certificate to check lifetime + * @param pathlen the current length of the path bottom-up + * @param anchor is certificate trusted root anchor? + * @param auth container for resulting authentication info + * @return SUCCESS, FAILED or NEED_MORE to ask next validator + */ + status_t (*check_lifetime)(cert_validator_t *this, certificate_t *cert, + int pathlen, bool anchor, auth_cfg_t *auth); + /** * Validate a subject certificate in relation to its issuer. * * @param subject subject certificate to check @@ -43,6 +59,7 @@ struct cert_validator_t { * @param pathlen the current length of the path bottom-up * @param anchor is issuer trusted root anchor * @param auth container for resulting authentication info + * @return TRUE if subject certificate valid */ bool (*validate)(cert_validator_t *this, certificate_t *subject, certificate_t *issuer, bool online, u_int pathlen, diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 9e40c5a10..f4cd9b9e6 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -515,32 +515,74 @@ static void cache_queue(private_credential_manager_t *this) } /** + * Use validators to check the lifetime of certificates + */ +static bool check_lifetime(private_credential_manager_t *this, + certificate_t *cert, char *label, + int pathlen, bool trusted, auth_cfg_t *auth) +{ + time_t not_before, not_after; + cert_validator_t *validator; + enumerator_t *enumerator; + status_t status = NEED_MORE; + + enumerator = this->validators->create_enumerator(this->validators); + while (enumerator->enumerate(enumerator, &validator)) + { + if (!validator->check_lifetime) + { + continue; + } + status = validator->check_lifetime(validator, cert, + pathlen, trusted, auth); + if (status != NEED_MORE) + { + break; + } + } + enumerator->destroy(enumerator); + + switch (status) + { + case NEED_MORE: + if (!cert->get_validity(cert, NULL, ¬_before, ¬_after)) + { + DBG1(DBG_CFG, "%s certificate invalid (valid from %T to %T)", + label, ¬_before, FALSE, ¬_after, FALSE); + return FALSE; + } + return TRUE; + case SUCCESS: + return TRUE; + case FAILED: + default: + return FALSE; + } +} + +/** * check a certificate for its lifetime */ static bool check_certificate(private_credential_manager_t *this, certificate_t *subject, certificate_t *issuer, bool online, int pathlen, bool trusted, auth_cfg_t *auth) { - time_t not_before, not_after; cert_validator_t *validator; enumerator_t *enumerator; - if (!subject->get_validity(subject, NULL, ¬_before, ¬_after)) + if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) || + !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth)) { - DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)", - ¬_before, FALSE, ¬_after, FALSE); - return FALSE; - } - if (!issuer->get_validity(issuer, NULL, ¬_before, ¬_after)) - { - DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)", - ¬_before, FALSE, ¬_after, FALSE); return FALSE; } enumerator = this->validators->create_enumerator(this->validators); while (enumerator->enumerate(enumerator, &validator)) { + if (!validator->validate) + { + continue; + } if (!validator->validate(validator, subject, issuer, online, pathlen, trusted, auth)) { @@ -1041,6 +1083,29 @@ static private_key_t *get_private_by_cert(private_credential_manager_t *this, return private; } +/** + * Move the actually used certificate to front, so it gets returned with get() + */ +static void prefer_cert(auth_cfg_t *auth, certificate_t *cert) +{ + enumerator_t *enumerator; + auth_rule_t rule; + certificate_t *current; + + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &rule, ¤t)) + { + if (rule == AUTH_RULE_SUBJECT_CERT) + { + current->get_ref(current); + auth->replace(auth, enumerator, AUTH_RULE_SUBJECT_CERT, cert); + cert = current; + } + } + enumerator->destroy(enumerator); + auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert); +} + METHOD(credential_manager_t, get_private, private_key_t*, private_credential_manager_t *this, key_type_t type, identification_t *id, auth_cfg_t *auth) @@ -1049,6 +1114,7 @@ METHOD(credential_manager_t, get_private, private_key_t*, certificate_t *cert; private_key_t *private = NULL; auth_cfg_t *trustchain; + auth_rule_t rule; /* check if this is a lookup by key ID, and do it if so */ if (id && id->get_type(id) == ID_KEY_ID) @@ -1062,7 +1128,35 @@ METHOD(credential_manager_t, get_private, private_key_t*, if (auth) { - /* if a specific certificate is preferred, check for a matching key */ + /* try to find a trustchain with one of the configured subject certs */ + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &rule, &cert)) + { + if (rule == AUTH_RULE_SUBJECT_CERT) + { + private = get_private_by_cert(this, cert, type); + if (private) + { + trustchain = build_trustchain(this, cert, auth); + if (trustchain) + { + auth->merge(auth, trustchain, FALSE); + prefer_cert(auth, cert->get_ref(cert)); + trustchain->destroy(trustchain); + break; + } + private->destroy(private); + private = NULL; + } + } + } + enumerator->destroy(enumerator); + if (private) + { + return private; + } + + /* if none yielded a trustchain, enforce the first configured cert */ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); if (cert) { diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index 08b226468..12db0961b 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -451,7 +451,10 @@ METHOD(crypto_tester_t, test_aead, bool, failure: aead->destroy(aead); chunk_free(&cipher); - chunk_free(&plain); + if (plain.ptr != vector->plain) + { + chunk_free(&plain); + } if (failed) { DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h index d5e302f94..79ab31804 100644 --- a/src/libstrongswan/plugins/ccm/ccm_aead.h +++ b/src/libstrongswan/plugins/ccm/ccm_aead.h @@ -42,8 +42,8 @@ struct ccm_aead_t { /** * Create a ccm_aead instance. * - * @param key_size key size in bytes * @param algo algorithm to implement, a CCM mode + * @param key_size key size in bytes * @return aead, NULL if not supported */ ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size); diff --git a/src/libstrongswan/plugins/dnskey/dnskey_encoder.h b/src/libstrongswan/plugins/dnskey/dnskey_encoder.h index 698d29301..127260308 100644 --- a/src/libstrongswan/plugins/dnskey/dnskey_encoder.h +++ b/src/libstrongswan/plugins/dnskey/dnskey_encoder.h @@ -15,7 +15,7 @@ /** * @defgroup dnskey_encoder dnskey_encoder - * @{ @ingroup dnskey + * @{ @ingroup dnskey_p */ #ifndef DNSKEY_ENCODER_H_ diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h index db4be2442..846c3c76c 100644 --- a/src/libstrongswan/plugins/gcm/gcm_aead.h +++ b/src/libstrongswan/plugins/gcm/gcm_aead.h @@ -42,8 +42,8 @@ struct gcm_aead_t { /** * Create a gcm_aead instance. * - * @param key_size key size in bytes * @param algo algorithm to implement, a gcm mode + * @param key_size key size in bytes * @return aead, NULL if not supported */ gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size); diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am index f971a5e08..e71567311 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.am +++ b/src/libstrongswan/plugins/openssl/Makefile.am @@ -25,7 +25,8 @@ libstrongswan_openssl_la_SOURCES = \ openssl_crl.c openssl_crl.h \ openssl_pkcs7.c openssl_pkcs7.h \ openssl_rng.c openssl_rng.h \ - openssl_hmac.c openssl_hmac.h + openssl_hmac.c openssl_hmac.h \ + openssl_gcm.c openssl_gcm.h libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = -lcrypto diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.c b/src/libstrongswan/plugins/openssl/openssl_gcm.c new file mode 100644 index 000000000..89d1cd589 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_gcm.c @@ -0,0 +1,265 @@ +/* + * Copyright (C) 2013 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <openssl/opensslv.h> + +#if OPENSSL_VERSION_NUMBER >= 0x1000100fL + +#include "openssl_gcm.h" + +#include <openssl/evp.h> + +/** as defined in RFC 4106 */ +#define IV_LEN 8 +#define SALT_LEN 4 +#define NONCE_LEN (IV_LEN + SALT_LEN) + +typedef struct private_aead_t private_aead_t; + +/** + * Private data of aead_t + */ +struct private_aead_t { + + /** + * Public interface + */ + aead_t public; + + /** + * The encryption key + */ + chunk_t key; + + /** + * Salt value + */ + char salt[SALT_LEN]; + + /** + * Size of the integrity check value + */ + size_t icv_size; + + /** + * The cipher to use + */ + const EVP_CIPHER *cipher; +}; + +/** + * Do the actual en/decryption in an EVP context + */ +static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv, + u_char *out, int enc) +{ + EVP_CIPHER_CTX ctx; + u_char nonce[NONCE_LEN]; + bool success = FALSE; + int len; + + memcpy(nonce, this->salt, SALT_LEN); + memcpy(nonce + SALT_LEN, iv.ptr, IV_LEN); + + EVP_CIPHER_CTX_init(&ctx); + EVP_CIPHER_CTX_set_padding(&ctx, 0); + if (!EVP_CipherInit_ex(&ctx, this->cipher, NULL, NULL, NULL, enc) || + !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, NONCE_LEN, NULL) || + !EVP_CipherInit_ex(&ctx, NULL, NULL, this->key.ptr, nonce, enc)) + { + goto done; + } + if (!enc && !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, this->icv_size, + data.ptr + data.len)) + { /* set ICV for verification on decryption */ + goto done; + } + if (assoc.len && !EVP_CipherUpdate(&ctx, NULL, &len, assoc.ptr, assoc.len)) + { /* set AAD if specified */ + goto done; + } + if (!EVP_CipherUpdate(&ctx, out, &len, data.ptr, data.len) || + !EVP_CipherFinal_ex(&ctx, out + len, &len)) + { /* EVP_CipherFinal_ex fails if ICV is incorrect on decryption */ + goto done; + } + if (enc && !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, this->icv_size, + out + data.len)) + { /* copy back the ICV when encrypting */ + goto done; + } + success = TRUE; + +done: + EVP_CIPHER_CTX_cleanup(&ctx); + return success; +} + +METHOD(aead_t, encrypt, bool, + private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, + chunk_t *encrypted) +{ + u_char *out; + + out = plain.ptr; + if (encrypted) + { + *encrypted = chunk_alloc(plain.len + this->icv_size); + out = encrypted->ptr; + } + return crypt(this, plain, assoc, iv, out, 1); +} + +METHOD(aead_t, decrypt, bool, + private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv, + chunk_t *plain) +{ + u_char *out; + + if (encrypted.len < this->icv_size) + { + return FALSE; + } + encrypted.len -= this->icv_size; + + out = encrypted.ptr; + if (plain) + { + *plain = chunk_alloc(encrypted.len); + out = plain->ptr; + } + return crypt(this, encrypted, assoc, iv, out, 0); +} + +METHOD(aead_t, get_block_size, size_t, + private_aead_t *this) +{ + return this->cipher->block_size; +} + +METHOD(aead_t, get_icv_size, size_t, + private_aead_t *this) +{ + return this->icv_size; +} + +METHOD(aead_t, get_iv_size, size_t, + private_aead_t *this) +{ + return IV_LEN; +} + +METHOD(aead_t, get_key_size, size_t, + private_aead_t *this) +{ + return this->key.len + SALT_LEN; +} + +METHOD(aead_t, set_key, bool, + private_aead_t *this, chunk_t key) +{ + if (key.len != get_key_size(this)) + { + return FALSE; + } + memcpy(this->salt, key.ptr + key.len - SALT_LEN, SALT_LEN); + memcpy(this->key.ptr, key.ptr, this->key.len); + return TRUE; +} + +METHOD(aead_t, destroy, void, + private_aead_t *this) +{ + chunk_clear(&this->key); + free(this); +} + +/* + * Described in header + */ +aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size) +{ + private_aead_t *this; + + INIT(this, + .public = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_icv_size = _get_icv_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + ); + + switch (algo) + { + case ENCR_AES_GCM_ICV8: + this->icv_size = 8; + break; + case ENCR_AES_GCM_ICV12: + this->icv_size = 12; + break; + case ENCR_AES_GCM_ICV16: + this->icv_size = 16; + break; + default: + free(this); + return NULL; + } + + switch (algo) + { + case ENCR_AES_GCM_ICV8: + case ENCR_AES_GCM_ICV12: + case ENCR_AES_GCM_ICV16: + switch (key_size) + { + case 0: + key_size = 16; + /* FALL */ + case 16: + this->cipher = EVP_get_cipherbyname("aes-128-gcm"); + break; + case 24: + this->cipher = EVP_get_cipherbyname("aes-192-gcm"); + break; + case 32: + this->cipher = EVP_get_cipherbyname("aes-256-gcm"); + break; + default: + free(this); + return NULL; + } + break; + default: + free(this); + return NULL; + } + + if (!this->cipher) + { + free(this); + return NULL; + } + + this->key = chunk_alloc(key_size); + + return &this->public; +} + +#endif /* OPENSSL_VERSION_NUMBER */ diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.h b/src/libstrongswan/plugins/openssl/openssl_gcm.h new file mode 100644 index 000000000..12d2e8ab6 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_gcm.h @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2013 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * Implements the aead_t interface using OpenSSL in GCM mode. + * + * @defgroup openssl_gcm openssl_gcm + * @{ @ingroup openssl_p + */ + +#ifndef OPENSSL_GCM_H_ +#define OPENSSL_GCM_H_ + +#include <crypto/aead.h> + +/** + * Constructor to create aead_t implementation. + * + * @param algo algorithm to implement + * @param key_size key size in bytes + * @return aead_t object, NULL if not supported + */ +aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size); + +#endif /** OPENSSL_GCM_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 0f5b07137..915082234 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -43,6 +43,7 @@ #include "openssl_pkcs7.h" #include "openssl_rng.h" #include "openssl_hmac.h" +#include "openssl_gcm.h" typedef struct private_openssl_plugin_t private_openssl_plugin_t; @@ -304,6 +305,21 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256), #endif #endif /* OPENSSL_NO_HMAC */ +#if OPENSSL_VERSION_NUMBER >= 0x1000100fL +#ifndef OPENSSL_NO_AES + /* AES GCM */ + PLUGIN_REGISTER(AEAD, openssl_gcm_create), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32), +#endif /* OPENSSL_NO_AES */ +#endif /* OPENSSL_VERSION_NUMBER */ #ifndef OPENSSL_NO_DH /* MODP DH groups */ PLUGIN_REGISTER(DH, openssl_diffie_hellman_create), diff --git a/src/libstrongswan/plugins/unbound/unbound_response.h b/src/libstrongswan/plugins/unbound/unbound_response.h index d63ead08b..c82f39d45 100644 --- a/src/libstrongswan/plugins/unbound/unbound_response.h +++ b/src/libstrongswan/plugins/unbound/unbound_response.h @@ -41,11 +41,11 @@ struct unbound_response_t { /** * Create an unbound_response instance from a response of the unbound library. * - * @param a response of the unbound library - * @return an unbound_response conforming to the resolver_response - * interface, or NULL on failure + * @param response a response of the unbound library + * @return an unbound_response conforming to the resolver_response + * interface, or NULL on failure */ unbound_response_t *unbound_response_create_frm_libub_response( - struct ub_result *libub_response); + struct ub_result *response); #endif /** UNBOUND_RESPONSE_H_ @}*/ diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c index 87e57095c..ff8285f8c 100644 --- a/src/libstrongswan/selectors/traffic_selector.c +++ b/src/libstrongswan/selectors/traffic_selector.c @@ -174,7 +174,24 @@ static u_int8_t calc_netbits(private_traffic_selector_t *this) /** * internal generic constructor */ -static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port); +static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, + ts_type_t type, u_int16_t from_port, u_int16_t to_port); + +/** + * Check if TS contains "opaque" ports + */ +static bool is_opaque(private_traffic_selector_t *this) +{ + return this->from_port == 0xffff && this->to_port == 0; +} + +/** + * Check if TS contains "any" ports + */ +static bool is_any(private_traffic_selector_t *this) +{ + return this->from_port == 0 && this->to_port == 0xffff; +} /** * Described in header. @@ -248,7 +265,7 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, /* check if we have protocol and/or port selectors */ has_proto = this->protocol != 0; - has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF); + has_ports = !is_any(this); if (!has_proto && !has_ports) { @@ -283,8 +300,9 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, { if (this->from_port == this->to_port) { - struct servent *serv = getservbyport(htons(this->from_port), serv_proto); + struct servent *serv; + serv = getservbyport(htons(this->from_port), serv_proto); if (serv) { written += print_in_hook(data, "%s", serv->s_name); @@ -294,9 +312,14 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, written += print_in_hook(data, "%d", this->from_port); } } + else if (is_opaque(this)) + { + written += print_in_hook(data, "OPAQUE"); + } else { - written += print_in_hook(data, "%d-%d", this->from_port, this->to_port); + written += print_in_hook(data, "%d-%d", + this->from_port, this->to_port); } } @@ -305,24 +328,55 @@ int traffic_selector_printf_hook(printf_hook_data_t *data, return written; } -/** - * Implements traffic_selector_t.get_subset - */ -static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_traffic_selector_t *other) +METHOD(traffic_selector_t, get_subset, traffic_selector_t*, + private_traffic_selector_t *this, traffic_selector_t *other_public) { + private_traffic_selector_t *other, *subset; + u_int16_t from_port, to_port; + u_char *from, *to; + u_int8_t protocol; + size_t size; + + other = (private_traffic_selector_t*)other_public; + if (this->dynamic || other->dynamic) { /* no set_address() applied, TS has no subset */ return NULL; } - if (this->type == other->type && (this->protocol == other->protocol || - this->protocol == 0 || other->protocol == 0)) + + if (this->type != other->type) + { + return NULL; + } + switch (this->type) + { + case TS_IPV4_ADDR_RANGE: + size = sizeof(this->from4); + break; + case TS_IPV6_ADDR_RANGE: + size = sizeof(this->from6); + break; + default: + return NULL; + } + + if (this->protocol != other->protocol && + this->protocol != 0 && other->protocol != 0) { - u_int16_t from_port, to_port; - u_char *from, *to; - u_int8_t protocol; - size_t size; - private_traffic_selector_t *new_ts; + return NULL; + } + /* select protocol, which is not zero */ + protocol = max(this->protocol, other->protocol); + if ((is_opaque(this) && is_opaque(other)) || + (is_opaque(this) && is_any(other)) || + (is_opaque(other) && is_any(this))) + { + from_port = 0xffff; + to_port = 0; + } + else + { /* calculate the maximum port range allowed for both */ from_port = max(this->from_port, other->from_port); to_port = min(this->to_port, other->to_port); @@ -330,60 +384,46 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_ { return NULL; } - /* select protocol, which is not zero */ - protocol = max(this->protocol, other->protocol); - - switch (this->type) - { - case TS_IPV4_ADDR_RANGE: - size = sizeof(this->from4); - break; - case TS_IPV6_ADDR_RANGE: - size = sizeof(this->from6); - break; - default: - return NULL; - } + } + /* get higher from-address */ + if (memcmp(this->from, other->from, size) > 0) + { + from = this->from; + } + else + { + from = other->from; + } + /* get lower to-address */ + if (memcmp(this->to, other->to, size) > 0) + { + to = other->to; + } + else + { + to = this->to; + } + /* if "from" > "to", we don't have a match */ + if (memcmp(from, to, size) > 0) + { + return NULL; + } - /* get higher from-address */ - if (memcmp(this->from, other->from, size) > 0) - { - from = this->from; - } - else - { - from = other->from; - } - /* get lower to-address */ - if (memcmp(this->to, other->to, size) > 0) - { - to = other->to; - } - else - { - to = this->to; - } - /* if "from" > "to", we don't have a match */ - if (memcmp(from, to, size) > 0) - { - return NULL; - } + /* we have a match in protocol, port, and address: return it... */ + subset = traffic_selector_create(protocol, this->type, from_port, to_port); + memcpy(subset->from, from, size); + memcpy(subset->to, to, size); + calc_netbits(subset); - /* we have a match in protocol, port, and address: return it... */ - new_ts = traffic_selector_create(protocol, this->type, from_port, to_port); - memcpy(new_ts->from, from, size); - memcpy(new_ts->to, to, size); - calc_netbits(new_ts); - return &new_ts->public; - } - return NULL; + return &subset->public; } -/** - * Implements traffic_selector_t.equals - */ -static bool equals(private_traffic_selector_t *this, private_traffic_selector_t *other) +METHOD(traffic_selector_t, equals, bool, + private_traffic_selector_t *this, traffic_selector_t *other_public) { + private_traffic_selector_t *other; + + other = (private_traffic_selector_t*)other_public; if (this->type != other->type) { return FALSE; @@ -535,11 +575,8 @@ METHOD(traffic_selector_t, set_address, void, } } -/** - * Implements traffic_selector_t.is_contained_in. - */ -static bool is_contained_in(private_traffic_selector_t *this, - private_traffic_selector_t *other) +METHOD(traffic_selector_t, is_contained_in, bool, + private_traffic_selector_t *this, traffic_selector_t *other) { private_traffic_selector_t *subset; bool contained_in = FALSE; @@ -548,7 +585,7 @@ static bool is_contained_in(private_traffic_selector_t *this, if (subset) { - if (equals(subset, this)) + if (equals(subset, &this->public)) { contained_in = TRUE; } @@ -739,12 +776,13 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type, * see header */ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, - u_int8_t netbits, u_int8_t protocol, u_int16_t port) + u_int8_t netbits, u_int8_t protocol, + u_int16_t from_port, u_int16_t to_port) { private_traffic_selector_t *this; chunk_t from; - this = traffic_selector_create(protocol, 0, 0, 65535); + this = traffic_selector_create(protocol, 0, from_port, to_port); switch (net->get_family(net)) { @@ -763,11 +801,6 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, memcpy(this->from, from.ptr, from.len); netbits = min(netbits, this->type == TS_IPV4_ADDR_RANGE ? 32 : 128); calc_range(this, netbits); - if (port) - { - this->from_port = port; - this->to_port = port; - } net->destroy(net); return &this->public; @@ -818,8 +851,9 @@ traffic_selector_t *traffic_selector_create_from_string( /* * see header */ -traffic_selector_t *traffic_selector_create_from_cidr(char *string, - u_int8_t protocol, u_int16_t port) +traffic_selector_t *traffic_selector_create_from_cidr( + char *string, u_int8_t protocol, + u_int16_t from_port, u_int16_t to_port) { host_t *net; int bits; @@ -827,7 +861,8 @@ traffic_selector_t *traffic_selector_create_from_cidr(char *string, net = host_create_from_subnet(string, &bits); if (net) { - return traffic_selector_create_from_subnet(net, bits, protocol, port); + return traffic_selector_create_from_subnet(net, bits, protocol, + from_port, to_port); } return NULL; } @@ -859,8 +894,8 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, INIT(this, .public = { - .get_subset = (traffic_selector_t*(*)(traffic_selector_t*,traffic_selector_t*))get_subset, - .equals = (bool(*)(traffic_selector_t*,traffic_selector_t*))equals, + .get_subset = _get_subset, + .equals = _equals, .get_from_address = _get_from_address, .get_to_address = _get_to_address, .get_from_port = _get_from_port, @@ -869,7 +904,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, .get_protocol = _get_protocol, .is_host = _is_host, .is_dynamic = _is_dynamic, - .is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in, + .is_contained_in = _is_contained_in, .includes = _includes, .set_address = _set_address, .to_subnet = _to_subnet, @@ -884,4 +919,3 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, return this; } - diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h index b6da391aa..0de358b99 100644 --- a/src/libstrongswan/selectors/traffic_selector.h +++ b/src/libstrongswan/selectors/traffic_selector.h @@ -238,11 +238,13 @@ traffic_selector_t *traffic_selector_create_from_string( * * @param string CIDR string, such as 10.1.0.0/16 * @param protocol protocol for this ts, such as TCP or UDP - * @param port single port for this TS, 0 for any port + * @param from_port start of allowed port range + * @param to_port end of port range * @return traffic selector, NULL if string invalid */ -traffic_selector_t *traffic_selector_create_from_cidr(char *string, - u_int8_t protocol, u_int16_t port); +traffic_selector_t *traffic_selector_create_from_cidr( + char *string, u_int8_t protocol, + u_int16_t from_port, u_int16_t to_port); /** * Create a new traffic selector using data read from the net. @@ -288,14 +290,15 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type, * @param net subnet to use * @param netbits size of the subnet, as used in e.g. 192.168.0.0/24 notation * @param protocol protocol for this ts, such as TCP or UDP - * @param port port number, host order + * @param from_port start of allowed port range + * @param to_port end of port range * @return * - traffic_selector_t object * - NULL if address family of net not supported */ traffic_selector_t *traffic_selector_create_from_subnet( - host_t *net, u_int8_t netbits, - u_int8_t protocol, u_int16_t port); + host_t *net, u_int8_t netbits, u_int8_t protocol, + u_int16_t from_port, u_int16_t to_port); /** * Create a traffic selector for host-to-host cases. diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c index 0b6683233..45571981e 100644 --- a/src/libstrongswan/utils/backtrace.c +++ b/src/libstrongswan/utils/backtrace.c @@ -27,6 +27,8 @@ #include "backtrace.h" +#include <utils/debug.h> + typedef struct private_backtrace_t private_backtrace_t; /** @@ -50,6 +52,40 @@ struct private_backtrace_t { void *frames[]; }; +/** + * Same as tty_escape_get(), but for a potentially NULL FILE* + */ +static char* esc(FILE *file, tty_escape_t escape) +{ + if (file) + { + return tty_escape_get(fileno(file), escape); + } + return ""; +} + +/** + * Write a format string with arguments to a FILE line, if it is NULL to DBG + */ +static void println(FILE *file, char *format, ...) +{ + char buf[512]; + va_list args; + + va_start(args, format); + if (file) + { + vfprintf(file, format, args); + fputs("\n", file); + } + else + { + vsnprintf(buf, sizeof(buf), format, args); + DBG1(DBG_LIB, "%s", buf); + } + va_end(args); +} + #ifdef HAVE_DLADDR #ifdef HAVE_BFD_H @@ -158,6 +194,7 @@ static void find_addr(bfd *abfd, asection *section, bfd_find_data_t *data) bfd_vma vma; const char *source; const char *function; + char fbuf[512] = "", sbuf[512] = ""; u_int line; if (!data->found || (bfd_get_section_flags(abfd, section) & SEC_ALLOC) != 0) @@ -175,16 +212,18 @@ static void find_addr(bfd *abfd, asection *section, bfd_find_data_t *data) { if (source || function) { - fprintf(data->file, " -> "); if (function) { - fprintf(data->file, "\e[34m%s() ", function); + snprintf(fbuf, sizeof(fbuf), "%s%s() ", + esc(data->file, TTY_FG_BLUE), function); } if (source) { - fprintf(data->file, "\e[32m@ %s:%d", source, line); + snprintf(sbuf, sizeof(sbuf), "%s@ %s:%d", + esc(data->file, TTY_FG_GREEN), source, line); } - fprintf(data->file, "\e[0m\n"); + println(data->file, " -> %s%s%s", fbuf, sbuf, + esc(data->file, TTY_FG_DEF)); } } } @@ -296,26 +335,28 @@ void backtrace_deinit() {} */ static void print_sourceline(FILE *file, char *filename, void *ptr) { - char cmd[1024]; + char buf[1024]; FILE *output; - int c; + int c, i = 0; - snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", filename, ptr); - output = popen(cmd, "r"); + snprintf(buf, sizeof(buf), "addr2line -e %s %p", filename, ptr); + output = popen(buf, "r"); if (output) { - fprintf(file, " -> \e[32m"); - while (TRUE) + while (i < sizeof(buf)) { c = getc(output); if (c == '\n' || c == EOF) { + buf[i++] = 0; break; } - fputc(c, file); + buf[i++] = c; } pclose(output); - fprintf(file, "\e[0m\n"); + + println(file, " -> %s%s%s", esc(file, TTY_FG_GREEN), buf, + esc(file, TTY_FG_DEF)); } } @@ -337,7 +378,7 @@ METHOD(backtrace_t, log_, void, strings = backtrace_symbols(this->frames, this->frame_count); - fprintf(file, " dumping %d stack frame addresses:\n", this->frame_count); + println(file, " dumping %d stack frame addresses:", this->frame_count); for (i = 0; i < this->frame_count; i++) { #ifdef HAVE_DLADDR @@ -353,16 +394,20 @@ METHOD(backtrace_t, log_, void, } if (info.dli_sname) { - fprintf(file, " \e[33m%s\e[0m @ %p (\e[31m%s\e[0m+0x%tx) [%p]\n", - info.dli_fname, info.dli_fbase, info.dli_sname, - this->frames[i] - info.dli_saddr, this->frames[i]); + println(file, " %s%s%s @ %p (%s%s%s+0x%tx) [%p]", + esc(file, TTY_FG_YELLOW), info.dli_fname, + esc(file, TTY_FG_DEF), info.dli_fbase, + esc(file, TTY_FG_RED), info.dli_sname, + esc(file, TTY_FG_DEF), this->frames[i] - info.dli_saddr, + this->frames[i]); } else { - fprintf(file, " \e[33m%s\e[0m @ %p [%p]\n", info.dli_fname, - info.dli_fbase, this->frames[i]); + println(file, " %s%s%s @ %p [%p]", + esc(file, TTY_FG_YELLOW), info.dli_fname, + esc(file, TTY_FG_DEF), info.dli_fbase, this->frames[i]); } - if (detailed) + if (detailed && info.dli_fname[0]) { print_sourceline(file, (char*)info.dli_fname, ptr); } @@ -370,12 +415,12 @@ METHOD(backtrace_t, log_, void, else #endif /* HAVE_DLADDR */ { - fprintf(file, " %s\n", strings[i]); + println(file, " %s", strings[i]); } } free (strings); #else /* !HAVE_BACKTRACE */ - fprintf(file, "C library does not support backtrace().\n"); + println(file, "C library does not support backtrace()."); #endif /* HAVE_BACKTRACE */ } @@ -511,9 +556,8 @@ void backtrace_dump(char *label, FILE *file, bool detailed) if (label) { - fprintf(file, "Debug backtrace: %s\n", label); + println(file, "Debug backtrace: %s", label); } backtrace->log(backtrace, file, detailed); backtrace->destroy(backtrace); } - diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h index aeeba4dd6..62104238d 100644 --- a/src/libstrongswan/utils/backtrace.h +++ b/src/libstrongswan/utils/backtrace.h @@ -35,7 +35,10 @@ struct backtrace_t { /** * Log the backtrace to a FILE stream. * - * @param file FILE to log backtrace to + * If no file pointer is given, the backtrace is reported over the debug + * framework to the registered dbg() callback function. + * + * @param file FILE to log backtrace to, NULL for dbg() function * @param detailed TRUE to resolve line/file using addr2line (slow) */ void (*log)(backtrace_t *this, FILE *file, bool detailed); @@ -81,7 +84,7 @@ backtrace_t *backtrace_create(int skip); * Create a backtrace, dump it and clean it up. * * @param label description to print for this backtrace, or NULL - * @param file FILE to log backtrace to + * @param file FILE to log backtrace to, NULL to dbg() function * @param detailed TRUE to resolve line/file using addr2line (slow) */ void backtrace_dump(char *label, FILE *file, bool detailed); diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c index c36a76efe..44a14496c 100644 --- a/src/libstrongswan/utils/capabilities.c +++ b/src/libstrongswan/utils/capabilities.c @@ -29,7 +29,9 @@ #include <utils/debug.h> -#if !defined(HAVE_GETPWNAM_R) || !defined(HAVE_GETGRNAM_R) +#if !defined(HAVE_GETPWNAM_R) || \ + !defined(HAVE_GETGRNAM_R) || \ + !defined(HAVE_GETPWUID_R) # include <threading/mutex.h> # define EMULATE_R_FUNCS #endif @@ -188,6 +190,34 @@ METHOD(capabilities_t, resolve_gid, bool, return FALSE; } +/** + * Initialize supplementary groups for unprivileged user + */ +static bool init_supplementary_groups(private_capabilities_t *this) +{ + struct passwd *pwp; + int res = -1; + +#ifdef HAVE_GETPWUID_R + struct passwd pwd; + char buf[1024]; + + if (getpwuid_r(this->uid, &pwd, buf, sizeof(buf), &pwp) == 0 && pwp) + { + res = initgroups(pwp->pw_name, this->gid); + } +#else /* HAVE_GETPWUID_R */ + this->mutex->lock(this->mutex); + pwp = getpwuid(this->uid); + if (pwp) + { + res = initgroups(pwp->pw_name, this->gid); + } + this->mutex->unlock(this->mutex); +#endif /* HAVE_GETPWUID_R */ + return res == 0; +} + METHOD(capabilities_t, drop, bool, private_capabilities_t *this) { @@ -195,6 +225,12 @@ METHOD(capabilities_t, drop, bool, prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); #endif + if (!init_supplementary_groups(this)) + { + DBG1(DBG_LIB, "initializing supplementary groups for %u failed", + this->uid); + return FALSE; + } if (this->gid && setgid(this->gid) != 0) { DBG1(DBG_LIB, "change to unprivileged group %u failed: %s", diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 2669c2da6..4176320dc 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -49,10 +49,10 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID, "ID_DER_ASN1_DN", "ID_DER_ASN1_GN", "ID_KEY_ID"); -ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID, +ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_USER_ID, ID_KEY_ID, "ID_DER_ASN1_GN_URI", - "ID_MYID"); -ENUM_END(id_type_names, ID_MYID); + "ID_USER_ID"); +ENUM_END(id_type_names, ID_USER_ID); /** * coding of X.501 distinguished name @@ -790,6 +790,7 @@ int identification_printf_hook(printf_hook_data_t *data, case ID_FQDN: case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: + case ID_USER_ID: chunk_printable(this->encoded, &proper, '?'); snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr); chunk_free(&proper); @@ -812,9 +813,6 @@ int identification_printf_hook(printf_hook_data_t *data, snprintf(buf, sizeof(buf), "%#B", &this->encoded); } break; - case ID_MYID: - snprintf(buf, sizeof(buf), "%%myid"); - break; default: snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type); break; @@ -873,6 +871,7 @@ static private_identification_t *identification_create(id_type_t type) break; case ID_FQDN: case ID_RFC822_ADDR: + case ID_USER_ID: this->public.matches = _matches_string; this->public.equals = _equals_strcasecmp; this->public.contains_wildcards = _contains_wildcards_memchr; @@ -1023,9 +1022,16 @@ identification_t * identification_create_from_data(chunk_t data) { char buf[data.len + 1]; - /* use string constructor */ - snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr); - return identification_create_from_string(buf); + if (is_asn1(data)) + { + return identification_create_from_encoding(ID_DER_ASN1_DN, data); + } + else + { + /* use string constructor */ + snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr); + return identification_create_from_string(buf); + } } /* diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h index cdf229127..00d740765 100644 --- a/src/libstrongswan/utils/identification.h +++ b/src/libstrongswan/utils/identification.h @@ -126,14 +126,14 @@ enum id_type_t { ID_KEY_ID = 11, /** - * private type which represents a GeneralName of type URI + * Private ID type which represents a GeneralName of type URI */ ID_DER_ASN1_GN_URI = 201, /** - * Private ID used by the pluto daemon for opportunistic encryption + * Private ID type which represents a user ID */ - ID_MYID = 203, + ID_USER_ID = 202 }; /** diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index 2b0be1661..6bf4d63cd 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -226,6 +226,8 @@ char *whitelist[] = { "setpwent", "endpwent", "getspnam_r", + "getpwuid_r", + "initgroups", /* ignore dlopen, as we do not dlclose to get proper leak reports */ "dlopen", "dlerror", diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c index 0850df9bc..2f38d8a93 100644 --- a/src/libstrongswan/utils/utils.c +++ b/src/libstrongswan/utils/utils.c @@ -194,6 +194,69 @@ bool mkdir_p(const char *path, mode_t mode) return TRUE; } +ENUM(tty_color_names, TTY_RESET, TTY_BG_DEF, + "\e[0m", + "\e[1m", + "\e[4m", + "\e[5m", + "\e[30m", + "\e[31m", + "\e[32m", + "\e[33m", + "\e[34m", + "\e[35m", + "\e[36m", + "\e[37m", + "\e[39m", + "\e[40m", + "\e[41m", + "\e[42m", + "\e[43m", + "\e[44m", + "\e[45m", + "\e[46m", + "\e[47m", + "\e[49m", +); + +/** + * Get the escape string for a given TTY color, empty string on non-tty FILE + */ +char* tty_escape_get(int fd, tty_escape_t escape) +{ + if (!isatty(fd)) + { + return ""; + } + switch (escape) + { + case TTY_RESET: + case TTY_BOLD: + case TTY_UNDERLINE: + case TTY_BLINKING: + case TTY_FG_BLACK: + case TTY_FG_RED: + case TTY_FG_GREEN: + case TTY_FG_YELLOW: + case TTY_FG_BLUE: + case TTY_FG_MAGENTA: + case TTY_FG_CYAN: + case TTY_FG_WHITE: + case TTY_FG_DEF: + case TTY_BG_BLACK: + case TTY_BG_RED: + case TTY_BG_GREEN: + case TTY_BG_YELLOW: + case TTY_BG_BLUE: + case TTY_BG_MAGENTA: + case TTY_BG_CYAN: + case TTY_BG_WHITE: + case TTY_BG_DEF: + return enum_to_name(tty_color_names, escape); + /* warn if a excape code is missing */ + } + return ""; +} /** * The size of the thread-specific error buffer diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h index 6c24a261f..c66c665e0 100644 --- a/src/libstrongswan/utils/utils.h +++ b/src/libstrongswan/utils/utils.h @@ -314,6 +314,46 @@ enum status_t { */ extern enum_name_t *status_names; +typedef enum tty_escape_t tty_escape_t; + +/** + * Excape codes for tty colors + */ +enum tty_escape_t { + /** text properties */ + TTY_RESET, + TTY_BOLD, + TTY_UNDERLINE, + TTY_BLINKING, + + /** foreground colors */ + TTY_FG_BLACK, + TTY_FG_RED, + TTY_FG_GREEN, + TTY_FG_YELLOW, + TTY_FG_BLUE, + TTY_FG_MAGENTA, + TTY_FG_CYAN, + TTY_FG_WHITE, + TTY_FG_DEF, + + /** background colors */ + TTY_BG_BLACK, + TTY_BG_RED, + TTY_BG_GREEN, + TTY_BG_YELLOW, + TTY_BG_BLUE, + TTY_BG_MAGENTA, + TTY_BG_CYAN, + TTY_BG_WHITE, + TTY_BG_DEF, +}; + +/** + * Get the escape string for a given TTY color, empty string on non-tty fd + */ +char* tty_escape_get(int fd, tty_escape_t escape); + /** * deprecated pluto style return value: * error message, NULL for success diff --git a/src/libtncif/tncif_pa_subtypes.c b/src/libtncif/tncif_pa_subtypes.c index 135be3c31..1936dff1f 100644 --- a/src/libtncif/tncif_pa_subtypes.c +++ b/src/libtncif/tncif_pa_subtypes.c @@ -33,11 +33,13 @@ ENUM_NEXT(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY, PA_SUBTYPE_IETF_ANY, ); ENUM_END(pa_subtype_ietf_names, PA_SUBTYPE_IETF_ANY); -ENUM_BEGIN(pa_subtype_tcg_names, PA_SUBTYPE_TCG_PTS, PA_SUBTYPE_TCG_PTS, - "PTS" +ENUM_BEGIN(pa_subtype_tcg_names, PA_SUBTYPE_TCG_PTS, PA_SUBTYPE_TCG_SWID, + "PTS", + "SCAP", + "SWID" ); ENUM_NEXT(pa_subtype_tcg_names, PA_SUBTYPE_TCG_ANY, PA_SUBTYPE_TCG_ANY, - PA_SUBTYPE_TCG_PTS, + PA_SUBTYPE_TCG_SWID, "ANY" ); ENUM_END(pa_subtype_tcg_names, PA_SUBTYPE_TCG_ANY); diff --git a/src/libtncif/tncif_pa_subtypes.h b/src/libtncif/tncif_pa_subtypes.h index 2dc4c9220..f0ed93903 100644 --- a/src/libtncif/tncif_pa_subtypes.h +++ b/src/libtncif/tncif_pa_subtypes.h @@ -54,6 +54,8 @@ extern enum_name_t *pa_subtype_ietf_names; */ enum pa_subtype_tcg_t { PA_SUBTYPE_TCG_PTS = 0x01, + PA_SUBTYPE_TCG_SCAP = 0x02, + PA_SUBTYPE_TCG_SWID = 0x03, PA_SUBTYPE_TCG_ANY = 0xff }; diff --git a/src/manager/controller/auth_controller.h b/src/manager/controller/auth_controller.h index 41e669fd0..8489d9dd3 100644 --- a/src/manager/controller/auth_controller.h +++ b/src/manager/controller/auth_controller.h @@ -15,7 +15,7 @@ /** * @defgroup auth_controller auth_controller - * @{ @ingroup controller + * @{ @ingroup manager_controller */ #ifndef AUTH_CONTROLLER_H_ diff --git a/src/manager/controller/config_controller.h b/src/manager/controller/config_controller.h index 07cafd4ff..a84678c9a 100644 --- a/src/manager/controller/config_controller.h +++ b/src/manager/controller/config_controller.h @@ -15,7 +15,7 @@ /** * @defgroup config_controller config_controller - * @{ @ingroup controller + * @{ @ingroup manager_controller */ #ifndef CONFIG_CONTROLLER_H_ diff --git a/src/manager/controller/control_controller.h b/src/manager/controller/control_controller.h index c9bc1e4b3..22e3a7022 100644 --- a/src/manager/controller/control_controller.h +++ b/src/manager/controller/control_controller.h @@ -15,7 +15,7 @@ /** * @defgroup control_controller control_controller - * @{ @ingroup controller + * @{ @ingroup manager_controller */ #ifndef CONTROL_CONTROLLER_H_ diff --git a/src/manager/controller/gateway_controller.h b/src/manager/controller/gateway_controller.h index 7d77bdccb..a0999295e 100644 --- a/src/manager/controller/gateway_controller.h +++ b/src/manager/controller/gateway_controller.h @@ -15,7 +15,7 @@ /** * @defgroup gateway_controller gateway_controller - * @{ @ingroup controller + * @{ @ingroup manager_controller */ #ifndef GATEWAY_CONTROLLER_H_ diff --git a/src/manager/controller/ikesa_controller.h b/src/manager/controller/ikesa_controller.h index 3f6779629..72f8242f1 100644 --- a/src/manager/controller/ikesa_controller.h +++ b/src/manager/controller/ikesa_controller.h @@ -15,7 +15,7 @@ /** * @defgroup ikesa_controller ikesa_controller - * @{ @ingroup controller + * @{ @ingroup manager_controller */ #ifndef IKESA_CONTROLLER_H_ diff --git a/src/manager/manager.h b/src/manager/manager.h index f7620833a..a72801f1b 100644 --- a/src/manager/manager.h +++ b/src/manager/manager.h @@ -16,7 +16,7 @@ /** * @defgroup manager manager * - * @defgroup controller controller + * @defgroup manager_controller controller * @ingroup manager * * @defgroup manager_i manager diff --git a/src/medsrv/controller/peer_controller.h b/src/medsrv/controller/peer_controller.h index f25c30281..b5a5e0bb8 100644 --- a/src/medsrv/controller/peer_controller.h +++ b/src/medsrv/controller/peer_controller.h @@ -16,7 +16,7 @@ /** * @defgroup peer_controller_server peer_controller - * @{ @ingroup controller_server + * @{ @ingroup medsrv */ #ifndef PEER_CONTROLLER_H_ @@ -45,4 +45,4 @@ struct peer_controller_t { */ controller_t *peer_controller_create(user_t *user, database_t *db); -#endif /* PEER_CONTROLLER_H_ @} */ +#endif /** PEER_CONTROLLER_H_ @}*/ diff --git a/src/medsrv/controller/user_controller.h b/src/medsrv/controller/user_controller.h index 9d23795d7..540dc74a2 100644 --- a/src/medsrv/controller/user_controller.h +++ b/src/medsrv/controller/user_controller.h @@ -16,7 +16,7 @@ /** * @defgroup user_controller_server user_controller - * @{ @ingroup controller_server + * @{ @ingroup medsrv */ #ifndef USER_CONTROLLER_H_ @@ -45,4 +45,4 @@ struct user_controller_t { */ controller_t *user_controller_create(user_t *user, database_t *db); -#endif /* USER_CONTROLLER_H_ @} */ +#endif /** USER_CONTROLLER_H_ @}*/ diff --git a/src/medsrv/filter/auth_filter.h b/src/medsrv/filter/auth_filter.h index c46de40a5..beae27965 100644 --- a/src/medsrv/filter/auth_filter.h +++ b/src/medsrv/filter/auth_filter.h @@ -16,7 +16,7 @@ /** * @defgroup auth_filter_server auth_filter - * @{ @ingroup filter_server + * @{ @ingroup medsrv */ #ifndef AUTH_FILTER_H_ @@ -45,4 +45,4 @@ struct auth_filter_t { */ filter_t *auth_filter_create(user_t *user, database_t *db); -#endif /* AUTH_FILTER_H_ @}*/ +#endif /** AUTH_FILTER_H_ @}*/ diff --git a/src/medsrv/user.h b/src/medsrv/user.h index f14650f03..beeed6ec1 100644 --- a/src/medsrv/user.h +++ b/src/medsrv/user.h @@ -13,6 +13,13 @@ * for more details. */ +/** + * @defgroup medsrv medsrv + * + * @defgroup user user + * @{ @ingroup medsrv + */ + #ifndef USER_H_ #define USER_H_ @@ -47,4 +54,4 @@ struct user_t { */ user_t *user_create(void *param); -#endif /* USER_H_ @} */ +#endif /** USER_H_ @} */ diff --git a/src/pki/command.h b/src/pki/command.h index a6f8bc758..1a884fb73 100644 --- a/src/pki/command.h +++ b/src/pki/command.h @@ -92,4 +92,4 @@ int command_dispatch(int argc, char *argv[]); */ int command_usage(char *error); -#endif /* COMMAND_H_ @}*/ +#endif /** COMMAND_H_ @}*/ diff --git a/src/pki/pki.h b/src/pki/pki.h index f72b1804c..09c50c6c2 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -15,7 +15,9 @@ /** * @defgroup pki pki - * @{ @ingroup pki + * + * @addtogroup pki + * @{ */ #ifndef PKI_H_ diff --git a/src/starter/cmp.c b/src/starter/cmp.c index aaba7b11d..cea864a4a 100644 --- a/src/starter/cmp.c +++ b/src/starter/cmp.c @@ -27,7 +27,8 @@ static bool starter_cmp_end(starter_end_t *c1, starter_end_t *c2) return FALSE; VARCMP(modecfg); - VARCMP(port); + VARCMP(from_port); + VARCMP(to_port); VARCMP(protocol); return cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2); @@ -63,4 +64,3 @@ bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2) return cmp_args(KW_CA_NAME, KW_CA_LAST, (char *)c1, (char *)c2); } - diff --git a/src/starter/confread.c b/src/starter/confread.c index fecb998df..883534aad 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -142,6 +142,9 @@ static void default_values(starter_config_t *cfg) cfg->conn_default.left.ikeport = 500; cfg->conn_default.right.ikeport = 500; + cfg->conn_default.left.to_port = 0xffff; + cfg->conn_default.right.to_port = 0xffff; + cfg->ca_default.seen = SEEN_NONE; } @@ -292,24 +295,46 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token, } if (streq(port, "%any")) { - end->port = 0; + end->from_port = 0; + end->to_port = 0xffff; } - else + else if (streq(port, "%opaque")) + { + end->from_port = 0xffff; + end->to_port = 0; + } + else if (*port) { svc = getservbyname(port, NULL); if (svc) { - end->port = ntohs(svc->s_port); + end->from_port = end->to_port = ntohs(svc->s_port); } else { p = strtol(port, &endptr, 0); - if ((*port && *endptr) || p < 0 || p > 0xffff) + if (p < 0 || p > 0xffff) + { + DBG1(DBG_APP, "# bad port: %s=%s", name, port); + goto err; + } + end->from_port = p; + if (*endptr == '-') + { + port = endptr + 1; + p = strtol(port, &endptr, 0); + if (p < 0 || p > 0xffff) + { + DBG1(DBG_APP, "# bad port: %s=%s", name, port); + goto err; + } + } + end->to_port = p; + if (*endptr) { - DBG1(DBG_APP, "# bad port: %s=%s", name, value); + DBG1(DBG_APP, "# bad port: %s=%s", name, port); goto err; } - end->port = (u_int16_t)p; } } if (sep) diff --git a/src/starter/confread.h b/src/starter/confread.h index 8dd56080d..0690bed4e 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -115,7 +115,8 @@ struct starter_end { bool hostaccess; bool allow_any; char *updown; - u_int16_t port; + u_int16_t from_port; + u_int16_t to_port; u_int8_t protocol; char *sourceip; char *dns; diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 9d096453a..cc447c41f 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -146,7 +146,8 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->tohost = !conn_end->subnet; msg_end->allow_any = conn_end->allow_any; msg_end->protocol = conn_end->protocol; - msg_end->port = conn_end->port; + msg_end->from_port = conn_end->from_port; + msg_end->to_port = conn_end->to_port; } int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index e289296c1..c2a505141 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c @@ -151,12 +151,14 @@ static int add_connection(char *name, msg.add_conn.me.ikeport = 500; msg.add_conn.me.subnets = push_string(&msg, my_nets); msg.add_conn.me.sendcert = 1; + msg.add_conn.me.to_port = 65535; msg.add_conn.other.id = push_string(&msg, other_id); msg.add_conn.other.address = push_string(&msg, other_addr); msg.add_conn.other.ikeport = 500; msg.add_conn.other.subnets = push_string(&msg, other_nets); msg.add_conn.other.sendcert = 1; + msg.add_conn.other.to_port = 65535; return send_stroke_msg(&msg); } diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index b2df887ae..a9c6f2369 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -167,7 +167,8 @@ struct stroke_end_t { int tohost; int allow_any; u_int8_t protocol; - u_int16_t port; + u_int16_t from_port; + u_int16_t to_port; }; typedef struct stroke_msg_t stroke_msg_t; |