- works quite well now with ipsec.conf & ipsec starter
authorMartin Willi <martin@strongswan.org>
Mon, 20 Mar 2006 15:43:26 +0000 (15:43 -0000)
committerMartin Willi <martin@strongswan.org>
Mon, 20 Mar 2006 15:43:26 +0000 (15:43 -0000)
22 files changed:
Source/charon/config/connection.c
Source/charon/config/connection.h
Source/charon/config/connection_store.h
Source/charon/config/credential_store.h
Source/charon/config/policy.c
Source/charon/config/policy.h
Source/charon/config/policy_store.h
Source/charon/config/proposal.c
Source/charon/config/proposal.h
Source/charon/config/traffic_selector.c
Source/charon/config/traffic_selector.h
Source/charon/daemon.h
Source/charon/sa/authenticator.c
Source/charon/sa/ike_sa.c
Source/charon/sa/states/ike_auth_requested.c
Source/charon/sa/states/ike_sa_init_requested.c
Source/charon/sa/states/ike_sa_init_responded.c
Source/charon/threads/stroke.c
Source/charon/threads/stroke.h
Source/charon/utils/identification.c
Source/charon/utils/identification.h
Source/charon/utils/logger.c

index 789cebb..e0b29ac 100644 (file)
@@ -114,6 +114,15 @@ static void update_my_host(private_connection_t *this, host_t *my_host)
 }
 
 /**
+ * Implementation of connection_t.update_other_host.
+ */
+static void update_other_host(private_connection_t *this, host_t *other_host)
+{
+       this->other_host->destroy(this->other_host);
+       this->other_host = other_host;
+}
+
+/**
  * Implementation of connection_t.get_other_host.
  */
 static host_t * get_other_host (private_connection_t *this)
@@ -238,6 +247,33 @@ static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh
 }
 
 /**
+ * Implementation of connection_t.clone.
+ */
+static connection_t *clone(private_connection_t *this)
+{
+       iterator_t *iterator;
+       proposal_t *proposal;
+       private_connection_t *clone = (private_connection_t*)connection_create(
+                       this->my_host->clone(this->my_host),
+                       this->other_host->clone(this->other_host),
+                       this->my_id->clone(this->my_id),
+                       this->other_id->clone(this->other_id),
+                       this->auth_method);
+       
+       /* clone all proposals */
+       iterator = this->proposals->create_iterator(this->proposals, TRUE);
+       while (iterator->has_next(iterator))
+       {
+               iterator->current(iterator, (void**)&proposal);
+               proposal = proposal->clone(proposal);
+               clone->proposals->insert_last(clone->proposals, (void*)proposal);
+       }
+       iterator->destroy(iterator);
+       
+       return &clone->public;
+}
+
+/**
  * Implementation of connection_t.destroy.
  */
 static void destroy (private_connection_t *this)
@@ -269,6 +305,7 @@ connection_t * connection_create(host_t *my_host, host_t *other_host, identifica
        this->public.get_other_id = (identification_t*(*)(connection_t*))get_other_id;
        this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host;
        this->public.update_my_host = (void(*)(connection_t*,host_t*))update_my_host;
+       this->public.update_other_host = (void(*)(connection_t*,host_t*))update_other_host;
        this->public.get_other_host = (host_t*(*)(connection_t*))get_other_host;
        this->public.get_proposals = (linked_list_t*(*)(connection_t*))get_proposals;
        this->public.select_proposal = (proposal_t*(*)(connection_t*,linked_list_t*))select_proposal;
@@ -276,6 +313,7 @@ connection_t * connection_create(host_t *my_host, host_t *other_host, identifica
        this->public.get_auth_method = (auth_method_t(*)(connection_t*)) get_auth_method;
        this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group;
        this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group;
+       this->public.clone = (connection_t*(*)(connection_t*))clone;
        this->public.destroy = (void(*)(connection_t*))destroy;
        
        /* private variables */
index b112ace..9ec26b7 100644 (file)
@@ -123,7 +123,7 @@ struct connection_t {
        /**
         * @brief Update address of my host.
         * 
-        * It may be necessary to uptdate this address, as it 
+        * It may be necessary to uptdate own address, as it 
         * is set to the default route (0.0.0.0) in some cases.
         * Old host is destroyed, new one NOT cloned.
         * 
@@ -131,6 +131,18 @@ struct connection_t {
         * @param my_host       new host to set as my_host
         */
        void (*update_my_host) (connection_t *this, host_t *my_host);
+
+       /**
+        * @brief Update address of remote host.
+        * 
+        * It may be necessary to uptdate remote address, as a
+        * connection may define %any (0.0.0.0) or a subnet.
+        * Old host is destroyed, new one NOT cloned.
+        * 
+        * @param this          calling object
+        * @param my_host       new host to set as other_host
+        */
+       void (*update_other_host) (connection_t *this, host_t *other_host);
        
        /**
         * @brief Returns a list of all supported proposals.
@@ -193,6 +205,14 @@ struct connection_t {
        bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group);
        
        /**
+        * @brief Clone a connection_t object.
+        * 
+        * @param this  connection to clone
+        * @return              clone of it
+        */
+       connection_t *(*clone) (connection_t *this);
+       
+       /**
         * @brief Destroys a connection_t object.
         * 
         * @param this  calling object
index aac1057..8b80c0f 100755 (executable)
@@ -33,7 +33,7 @@ typedef struct connection_store_t connection_store_t;
  * @brief The interface for a store of connection_t's.
  * 
  * @b Constructors:
- *     - connection_store_create()
+ *     - stroke_create()
  * 
  * @ingroup config
  */
@@ -42,6 +42,8 @@ struct connection_store_t {
        /**
         * @brief Returns a connection definition identified by two IDs.
         * 
+        * This call is usefull to get a connection identified by addresses.
+        * It may be used after kernel request for traffic protection.
         * The returned connection gets created/cloned and therefore must
         * be destroyed after usage.
         * 
@@ -57,6 +59,8 @@ struct connection_store_t {
        /**
         * @brief Returns a connection definition identified by two hosts.
         * 
+        * This call is useful to get a connection which is identified by IDs
+        * rather than addresses, e.g. for connection setup on user request.
         * The returned connection gets created/cloned and therefore must
         * be destroyed after usage.
         * 
index 89e9704..27f957a 100755 (executable)
@@ -34,7 +34,7 @@ typedef struct credential_store_t credential_store_t;
  * @brief The interface for a credential_store backend.
  * 
  * @b Constructors:
- *     - credential_store_create()
+ *     - stroke_create()
  * 
  * @ingroup config
  */
@@ -43,8 +43,7 @@ struct credential_store_t {
        /**
         * @brief Returns the preshared secret of a specific ID.
         * 
-        * The returned preshared secret MUST NOT be destroyed cause it's managed by 
-        * this credential_store_t object.
+        * The returned chunk must be destroyed by the caller after usage.
         * 
         * @param this                                  calling object
         * @param identification                identification_t object identifiying the secret.
@@ -59,8 +58,7 @@ struct credential_store_t {
        /**
         * @brief Returns the RSA public key of a specific ID.
         * 
-        * The returned rsa_public_key_t object MUST NOT be destroyed cause it's managed by 
-        * this credential_store_t object.
+        * The returned rsa_public_key_t must be destroyed by the caller after usage.
         * 
         * @param this                                  calling object
         * @param identification                identification_t object identifiying the key.
@@ -75,8 +73,7 @@ struct credential_store_t {
        /**
         * @brief Returns the RSA private key of a specific ID.
         * 
-        * The returned rsa_private_key_t object MUST NOT be destroyed cause it's managed by 
-        * this credential_store_t object.
+        * The returned rsa_private_key_t must be destroyed by the caller after usage.
         * 
         * @param this                                  calling object
         * @param identification                identification_t object identifiying the key
index 0d9e848..fbdc46d 100644 (file)
@@ -87,6 +87,57 @@ static identification_t *get_other_id(private_policy_t *this)
 }
 
 /**
+ * Implementation of policy_t.update_my_id
+ */
+static void update_my_id(private_policy_t *this, identification_t *my_id)
+{
+       this->my_id->destroy(this->my_id);
+       this->my_id = my_id;
+}
+
+/**
+ * Implementation of policy_t.update_other_id
+ */
+static void update_other_id(private_policy_t *this, identification_t *other_id)
+{
+       this->other_id->destroy(this->other_id);
+       this->other_id = other_id;
+}
+
+/** 
+ * Helper function which does the work for policy_t.update_my_ts and update_other_ts
+ */
+static void update_ts(linked_list_t* list, host_t *new_host)
+{
+       traffic_selector_t *ts;
+       iterator_t *iterator;
+        
+       iterator = list->create_iterator(list, TRUE);
+       while (iterator->has_next(iterator))
+       {
+               iterator->current(iterator, (void**)&ts);
+               ts->update_address_range(ts, new_host);
+       }
+       iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of policy_t.update_my_id
+ */
+static void update_my_ts(private_policy_t *this, host_t *my_host)
+{
+       update_ts(this->my_ts, my_host);
+}
+
+/**
+ * Implementation of policy_t.update_other_ts
+ */
+static void update_other_ts(private_policy_t *this, host_t *my_host)
+{
+       update_ts(this->other_ts, my_host);
+}
+
+/**
  * Implementation of policy_t.get_my_traffic_selectors
  */
 static linked_list_t *get_my_traffic_selectors(private_policy_t *this)
@@ -263,6 +314,50 @@ static status_t destroy(private_policy_t *this)
        return SUCCESS;
 }
 
+/**
+ * Implements policy_t.clone.
+ */
+static policy_t *clone(private_policy_t *this)
+{
+       private_policy_t *clone = (private_policy_t*)policy_create(this->my_id->clone(this->my_id), 
+                                                                                                                          this->other_id->clone(this->other_id));
+       iterator_t *iterator;
+       proposal_t *proposal;
+       traffic_selector_t *ts;
+       
+       /* clone all proposals */
+       iterator = this->proposals->create_iterator(this->proposals, TRUE);
+       while (iterator->has_next(iterator))
+       {
+               iterator->current(iterator, (void**)&proposal);
+               proposal = proposal->clone(proposal);
+               clone->proposals->insert_last(clone->proposals, (void*)proposal);
+       }
+       iterator->destroy(iterator);
+       
+       /* clone all local traffic selectors */
+       iterator = this->my_ts->create_iterator(this->my_ts, TRUE);
+       while (iterator->has_next(iterator))
+       {
+               iterator->current(iterator, (void**)&ts);
+               ts = ts->clone(ts);
+               clone->my_ts->insert_last(clone->my_ts, (void*)ts);
+       }
+       iterator->destroy(iterator);
+       
+       /* clone all remote traffic selectors */
+       iterator = this->other_ts->create_iterator(this->other_ts, TRUE);
+       while (iterator->has_next(iterator))
+       {
+               iterator->current(iterator, (void**)&ts);
+               ts = ts->clone(ts);
+               clone->other_ts->insert_last(clone->other_ts, (void*)ts);
+       }
+       iterator->destroy(iterator);
+       
+       return &clone->public;
+}
+
 /*
  * Described in header-file
  */
@@ -273,6 +368,10 @@ policy_t *policy_create(identification_t *my_id, identification_t *other_id)
        /* public functions */
        this->public.get_my_id = (identification_t*(*)(policy_t*))get_my_id;
        this->public.get_other_id = (identification_t*(*)(policy_t*))get_other_id;
+       this->public.update_my_id = (void(*)(policy_t*,identification_t*))update_my_id;
+       this->public.update_other_id = (void(*)(policy_t*,identification_t*))update_other_id;
+       this->public.update_my_ts = (void(*)(policy_t*,host_t*))update_my_ts;
+       this->public.update_other_ts = (void(*)(policy_t*,host_t*))update_other_ts;
        this->public.get_my_traffic_selectors = (linked_list_t*(*)(policy_t*))get_my_traffic_selectors;
        this->public.select_my_traffic_selectors = (linked_list_t*(*)(policy_t*,linked_list_t*))select_my_traffic_selectors;
        this->public.get_other_traffic_selectors = (linked_list_t*(*)(policy_t*))get_other_traffic_selectors;
@@ -282,6 +381,7 @@ policy_t *policy_create(identification_t *my_id, identification_t *other_id)
        this->public.add_my_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_my_traffic_selector;
        this->public.add_other_traffic_selector = (void(*)(policy_t*,traffic_selector_t*))add_other_traffic_selector;
        this->public.add_proposal = (void(*)(policy_t*,proposal_t*))add_proposal;
+       this->public.clone = (policy_t*(*)(policy_t*))clone;
        this->public.destroy = (void(*)(policy_t*))destroy;
        
        /* apply init values */
index ddae051..78cda1e 100644 (file)
@@ -64,6 +64,56 @@ struct policy_t {
         * @return                              other id
         */
        identification_t *(*get_other_id) (policy_t *this);
+
+       /**
+        * @brief Update own ID.
+        * 
+        * It may be necessary to uptdate own ID, as it 
+        * is set to %any or to e.g. *@strongswan.org in 
+        * some cases.
+        * Old ID is destroyed, new one NOT cloned.
+        * 
+        * @param this          calling object
+        * @param my_id         new ID to set as my_id
+        */
+       void (*update_my_id) (policy_t *this, identification_t *my_id);
+
+       /**
+        * @brief Update others ID.
+        * 
+        * It may be necessary to uptdate others ID, as it 
+        * is set to %any or to e.g. *@strongswan.org in 
+        * some cases.
+        * Old ID is destroyed, new one NOT cloned.
+        * 
+        * @param this          calling object
+        * @param other_id      new ID to set as other_id
+        */
+       void (*update_other_id) (policy_t *this, identification_t *other_id);
+
+       /**
+        * @brief Update own address in traffic selectors.
+        * 
+        * Update own 0.0.0.0 address in traffic selectors
+        * with supplied one. The size of the subnet will be
+        * set to /32.
+        * 
+        * @param this          calling object
+        * @param my_host       new address to set in traffic selectors
+        */
+       void (*update_my_ts) (policy_t *this, host_t *my_host);
+
+       /**
+        * @brief Update others address in traffic selectors.
+        * 
+        * Update remote 0.0.0.0 address in traffic selectors
+        * with supplied one. The size of the subnet will be
+        * set to /32.
+        * 
+        * @param this          calling object
+        * @param other_host    new address to set in traffic selectors
+        */
+       void (*update_other_ts) (policy_t *this, host_t *other_host);
        
        /**
         * @brief Get configured traffic selectors for our site.
@@ -170,7 +220,15 @@ struct policy_t {
        void (*add_proposal) (policy_t *this, proposal_t *proposal);
        
        /**
-        * @brief Destroys the config object
+        * @brief Clone a policy.
+        * 
+        * @param this                          policy to clone
+        * @return                                      clone of it
+        */
+       policy_t *(*clone) (policy_t *this);
+       
+       /**
+        * @brief Destroys the policy object
         * 
         * @param this                          calling object
         */
index 1c44023..467e27d 100755 (executable)
 typedef struct policy_store_t policy_store_t;
 
 /**
- * @brief The interface for a store of polcy_t's.
+ * @brief The interface for a store of policy_t's.
  * 
  * @b Constructors:
- * - policy_store_create()
+ * - stroke_create()
  * 
  * @ingroup config
  */
@@ -42,6 +42,9 @@ struct policy_store_t {
        /**
         * @brief Returns a policy identified by two IDs.
         * 
+        * The returned policy gets created/cloned and therefore must be
+        * destroyed by the caller.
+        * 
         * @param this          calling object
         * @param my_id         own ID of the policy
         * @param other_id      others ID of the policy
index a547583..e5a8a64 100644 (file)
@@ -533,6 +533,50 @@ static u_int64_t get_spi(private_proposal_t *this, protocol_id_t proto)
 }
 
 /**
+ * Clone a algorithm list
+ */
+static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
+{
+       algorithm_t *algo, *clone_algo;
+       iterator_t *iterator = list->create_iterator(list, TRUE);
+       while (iterator->has_next(iterator))
+       {
+               iterator->current(iterator, (void**)&algo);
+               clone_algo = allocator_alloc_thing(algorithm_t);
+               memcpy(clone_algo, algo, sizeof(algorithm_t));
+               clone_list->insert_last(clone_list, (void*)clone_algo);
+       }
+       iterator->destroy(iterator);
+}
+
+/**
+ * Implements proposal_t.clone
+ */
+static proposal_t *clone(private_proposal_t *this)
+{
+       private_proposal_t *clone = (private_proposal_t*)proposal_create(this->number);
+       
+       iterator_t *iterator = this->protocol_proposals->create_iterator(this->protocol_proposals, TRUE);
+       while (iterator->has_next(iterator))
+       {
+               protocol_proposal_t *proto_prop, *clone_proto_prop;
+               iterator->current(iterator, (void**)&proto_prop);
+               
+               clone_proto_prop = get_protocol_proposal(clone, proto_prop->protocol, TRUE);
+               memcpy(clone_proto_prop->spi.ptr, proto_prop->spi.ptr, clone_proto_prop->spi.len);
+               
+               clone_algo_list(proto_prop->encryption_algos, clone_proto_prop->encryption_algos);
+               clone_algo_list(proto_prop->integrity_algos, clone_proto_prop->integrity_algos);
+               clone_algo_list(proto_prop->prf_algos, clone_proto_prop->prf_algos);
+               clone_algo_list(proto_prop->dh_groups, clone_proto_prop->dh_groups);
+               clone_algo_list(proto_prop->esns, clone_proto_prop->esns);
+       }
+       iterator->destroy(iterator);
+       
+       return &clone->public;
+}
+
+/**
  * Frees all list items and destroys the list
  */
 static void free_algo_list(linked_list_t *list)
@@ -586,6 +630,7 @@ proposal_t *proposal_create(u_int8_t number)
        this->public.get_protocols = (void(*)(proposal_t *this, protocol_id_t ids[2]))get_protocols;
        this->public.set_spi = (void(*)(proposal_t*,protocol_id_t,u_int64_t spi))set_spi;
        this->public.get_spi = (u_int64_t(*)(proposal_t*,protocol_id_t))get_spi;
+       this->public.clone = (proposal_t*(*)(proposal_t*))clone;
        this->public.destroy = (void(*)(proposal_t*))destroy;
        
        /* init private members*/
index 48ed4ea..e2a4856 100644 (file)
@@ -237,6 +237,14 @@ struct proposal_t {
        void (*set_spi) (proposal_t *this, protocol_id_t proto, u_int64_t spi);
        
        /**
+        * @brief Clone a proposal.
+        * 
+        * @param this                          proposal to clone
+        * @return                                      clone of it
+        */
+       proposal_t *(*clone) (proposal_t *this);
+       
+       /**
         * @brief Destroys the proposal object.
         * 
         * @param this                          calling object
index 317b7a3..0b81931 100644 (file)
@@ -225,7 +225,7 @@ static u_int8_t get_netmask(private_traffic_selector_t *this)
                                        return bit;
                                }
                        }
-                       return 0;
+                       return 32;
                }
                case TS_IPV6_ADDR_RANGE:
                default:
@@ -236,6 +236,24 @@ static u_int8_t get_netmask(private_traffic_selector_t *this)
 }
 
 /**
+ * Implements traffic_selector_t.update_address_range.
+ */
+static void update_address_range(private_traffic_selector_t *this, host_t *host)
+{
+       if (host->get_family(host) == AF_INET &&
+               this->type == TS_IPV4_ADDR_RANGE)
+       {
+               if (this->from_addr_ipv4 == 0)
+               {
+                       chunk_t from = host->get_address_as_chunk(host);
+                       this->from_addr_ipv4 = ntohl(*((u_int32_t*)from.ptr));
+                       this->to_addr_ipv4 = this->from_addr_ipv4;
+                       allocator_free_chunk(&from);
+               }
+       }
+}
+
+/**
  * Implements traffic_selector_t.clone.
  */
 static traffic_selector_t *clone(private_traffic_selector_t *this)
@@ -315,7 +333,15 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, u_int8_t ne
                        this->type = TS_IPV4_ADDR_RANGE;
                        from = net->get_address_as_chunk(net);
                        this->from_addr_ipv4 = ntohl(*((u_int32_t*)from.ptr));
-                       this->to_addr_ipv4 = this->from_addr_ipv4 | ((1 << (32 - netbits)) - 1);
+                       if (this->from_addr_ipv4 == 0)
+                       {
+                               /* use /32 for 0.0.0.0 */
+                               this->to_addr_ipv4 = 0xFFFFFF;
+                       }
+                       else
+                       {
+                               this->to_addr_ipv4 = this->from_addr_ipv4 | ((1 << (32 - netbits)) - 1);
+                       }
                        allocator_free_chunk(&from);
                        break;  
                }
@@ -386,6 +412,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts
        this->public.get_type = (ts_type_t(*)(traffic_selector_t*))get_type;    
        this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol;
        this->public.get_netmask = (u_int8_t(*)(traffic_selector_t*))get_netmask;
+       this->public.update_address_range = (void(*)(traffic_selector_t*,host_t*))update_address_range;
        this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone;
        this->public.destroy = (void(*)(traffic_selector_t*))destroy;
        
index 2980520..7e59b53 100644 (file)
@@ -169,12 +169,27 @@ struct traffic_selector_t {
         * 
         * Returns the number of bits associated to the subnet.
         * (As the "24" in "192.168.0.0/24"). This is approximated
-        * if the address range is not a complete subnet!
+        * if the address range is not a complete subnet! Since Linux
+        * does not support full IP address ranges (yet), we can't do this
+        * (much) better.
         * 
         * @param this          calling obect
         * @return                      netmask as "bits for subnet"
         */
        u_int8_t (*get_netmask) (traffic_selector_t *this);
+               
+       /**
+        * @brief Update the address of a traffic selector.
+        * 
+        * Update the address range of a traffic selector, 
+        * if the current address is 0.0.0.0. The new address range
+        * starts from the supplied address and also ends there 
+        * (which means it is a one-host-address-range ;-).
+        * 
+        * @param this          calling obect
+        * @param host          host_t specifying the address range
+        */
+       void (*update_address_range) (traffic_selector_t *this, host_t* host);
        
        /**
         * @brief Destroys the ts object
@@ -222,6 +237,22 @@ traffic_selector_t *traffic_selector_create_from_string(u_int8_t protocol, ts_ty
  */
 traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol, ts_type_t type, chunk_t from_address, int16_t from_port, chunk_t to_address, u_int16_t to_port);
 
+/**
+ * @brief Create a new traffic selector defining a whole subnet.
+ * 
+ * In most cases, definition of a traffic selector for full subnets
+ * is sufficient. This constructor creates a traffic selector for
+ * all protocols, all ports and the address range specified by the
+ * subnet.
+ * 
+ * @param net                  subnet to use
+ * @param netbits              size of the subnet, as used in e.g. 192.168.0.0/24 notation
+ * @return
+ *                                             - traffic_selector_t object
+ *                                             - NULL if address family of net not supported
+ *
+ * @ingroup config
+ */
 traffic_selector_t *traffic_selector_create_from_subnet(host_t *net, u_int8_t netbits);
 
 #endif /* TRAFFIC_SELECTOR_H_ */
index 4b70031..421dbd1 100644 (file)
@@ -66,7 +66,7 @@
 /**
  * Output of log, use NULL for syslog
  */
-#define LOG_OUTPUT stdout
+#define LOG_OUTPUT NULL
 
 /**
  * @brief Default loglevel for every logger context.
index d735b63..8b96246 100644 (file)
@@ -206,9 +206,9 @@ static status_t verify_auth_data (private_authenticator_t *this,
                        status = charon->credentials->get_shared_secret(charon->credentials,
                                                                                                                        other_id,
                                                                                                                        &preshared_secret);
-                       other_id->destroy(other_id);
                        if (status != SUCCESS)
                        {
+                               other_id->destroy(other_id);
                                return status;  
                        }
                        
@@ -218,20 +218,26 @@ static status_t verify_auth_data (private_authenticator_t *this,
                                                                                                                                                                  other_id_payload,
                                                                                                                                                                  initiator,
                                                                                                                                                                  preshared_secret);
+                       allocator_free_chunk(&preshared_secret);
                        
                        if (auth_data.len != my_auth_data.len)
                        {
                                allocator_free_chunk(&my_auth_data);
-                               return FAILED;
+                               status = FAILED;
                        }
-                       if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0)
+                       else if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0)
                        {
+                               this->logger->log(this->logger, CONTROL, "Authentication of %s with preshared secret successful",
+                                                                               other_id->get_string(other_id));
                                status = SUCCESS;
                        }
                        else
                        {
+                               this->logger->log(this->logger, CONTROL, "Authentication of %s with preshared secret failed",
+                                                                               other_id->get_string(other_id));
                                status = FAILED;
                        }
+                       other_id->destroy(other_id);
                        allocator_free_chunk(&my_auth_data);
                        return status;
                }
@@ -247,16 +253,28 @@ static status_t verify_auth_data (private_authenticator_t *this,
                        status = charon->credentials->get_rsa_public_key(charon->credentials,
                                                                                                                        other_id,
                                                                                                                        &public_key);
-                       other_id->destroy(other_id);
                        if (status != SUCCESS)
                        {
+                               other_id->destroy(other_id);
                                return status;  
                        }
                        
                        octets = this->allocate_octets(this,last_received_packet, my_nonce,other_id_payload, initiator);
                        
                        status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
+                       if (status == SUCCESS)
+                       {
+                               this->logger->log(this->logger, CONTROL, "Authentication of %s with RSA successful",
+                                                                               other_id->get_string(other_id));
+                       }
+                       else
+                       {
+                               this->logger->log(this->logger, CONTROL, "Authentication of %s with RSA failed",
+                                                                               other_id->get_string(other_id));
+                       }
                        
+                       public_key->destroy(public_key);
+                       other_id->destroy(other_id);
                        allocator_free_chunk(&octets);
                        return status;
                }
@@ -300,6 +318,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
                        
                        auth_data = this->build_preshared_secret_signature(this, last_sent_packet, other_nonce,
                                                                                                                           my_id_payload, initiator, preshared_secret);
+                       allocator_free_chunk(&preshared_secret);
                        *auth_payload = auth_payload_create();
                        (*auth_payload)->set_auth_method(*auth_payload, SHARED_KEY_MESSAGE_INTEGRITY_CODE);
                        (*auth_payload)->set_data(*auth_payload, auth_data);
@@ -334,6 +353,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
                        (*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE);
                        (*auth_payload)->set_data(*auth_payload, auth_data);
 
+                       private_key->destroy(private_key);
                        allocator_free_chunk(&auth_data);
                        return SUCCESS;
                }
index 6517c38..c990e1d 100644 (file)
@@ -210,8 +210,8 @@ static status_t process_message (private_ike_sa_t *this, message_t *message)
        is_request = message->get_request(message);
        exchange_type = message->get_exchange_type(message);
 
-       this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",
-                                         (is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
+       this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
+                                         (is_request) ? "request" : "response",mapping_find(exchange_type_m,exchange_type));
 
        message_id = message->get_message_id(message);
 
@@ -966,53 +966,61 @@ static void destroy (private_ike_sa_t *this)
 
        /* inform other peer of delete */
        send_delete_ike_sa_request(this);
-       
        while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
        {
                child_sa->destroy(child_sa);
        }
        this->child_sas->destroy(this->child_sas);
-       if (this->crypter_initiator != NULL)
+       
+       if (this->crypter_initiator)
        {
                this->crypter_initiator->destroy(this->crypter_initiator);
        }
-       if (this->crypter_responder != NULL)
+       if (this->crypter_responder)
        {
                this->crypter_responder->destroy(this->crypter_responder);
        }
-       if (this->signer_initiator != NULL)
+       if (this->signer_initiator)
        {
                this->signer_initiator->destroy(this->signer_initiator);
        }
-       if (this->signer_responder != NULL)
+       if (this->signer_responder)
        {
                this->signer_responder->destroy(this->signer_responder);
        }
-       if (this->prf != NULL)
+       if (this->prf)
        {
                this->prf->destroy(this->prf);
        }
-       if (this->child_prf != NULL)
+       if (this->child_prf)
        {
                this->child_prf->destroy(this->child_prf);
        }
-       if (this->prf_auth_i != NULL)
+       if (this->prf_auth_i)
        {
                this->prf_auth_i->destroy(this->prf_auth_i);
        }
-       if (this->prf_auth_r != NULL)
+       if (this->prf_auth_r)
        {
                this->prf_auth_r->destroy(this->prf_auth_r);
        }
-       this->ike_sa_id->destroy(this->ike_sa_id);
-       if (this->last_requested_message != NULL)
+       if (this->connection)
+       {
+               this->connection->destroy(this->connection);
+       }
+       if (this->policy)
+       {
+               this->policy->destroy(this->policy);
+       }
+       if (this->last_requested_message)
        {
                this->last_requested_message->destroy(this->last_requested_message);
        }
-       if (this->last_responded_message != NULL)
+       if (this->last_responded_message)
        {
                this->last_responded_message->destroy(this->last_responded_message);
        }
+       this->ike_sa_id->destroy(this->ike_sa_id);
        this->randomizer->destroy(this->randomizer);
        this->current_state->destroy(this->current_state);
        charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
index c80b7f7..3fedf43 100644 (file)
@@ -352,16 +352,17 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
        }
        
        this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
+       
        /* create new state */
+       this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+       this->destroy_after_state_change(this);
+       
        connection = this->ike_sa->get_connection(this->ike_sa);
        my_host = connection->get_my_host(connection);
        other_host = connection->get_other_host(connection);
-       this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s", 
-                                               my_host->get_address(my_host), other_host->get_address(other_host),
-                                               mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload)));
-                                               
-       this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
-       this->destroy_after_state_change(this);
+       this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s", 
+                                         my_host->get_address(my_host), other_host->get_address(other_host));
+       
        return SUCCESS;
 }
 
index 5e641f9..0c4b6b6 100644 (file)
@@ -215,6 +215,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
        iterator_t *payloads;
        host_t *me;
        connection_t *connection;
+       policy_t *policy;
 
        message_t *request;
        status_t status;
@@ -344,6 +345,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
        connection = this->ike_sa->get_connection(this->ike_sa);
        me = ike_sa_init_reply->get_destination(ike_sa_init_reply);
        connection->update_my_host(connection, me->clone(me));
+       policy = this->ike_sa->get_policy(this->ike_sa);
+       policy->update_my_ts(policy, me);
        
        /*  build empty message */
        this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
index 8c93e32..751f135 100644 (file)
@@ -247,10 +247,9 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
                                sa_request = (sa_payload_t*)payload;
                                break;
                        }
-
                        case TRAFFIC_SELECTOR_INITIATOR:
                        {
-                               tsi_request = (ts_payload_t*)payload;                           
+                               tsi_request = (ts_payload_t*)payload;
                                break;  
                        }
                        case TRAFFIC_SELECTOR_RESPONDER:
@@ -360,16 +359,15 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
                this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
        }
        
-       /* create new state */
+       /* create new state */                                          
+       this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+       this->destroy_after_state_change(this);
+       
        connection = this->ike_sa->get_connection(this->ike_sa);
        my_host = connection->get_my_host(connection);
        other_host = connection->get_other_host(connection);
-       this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s", 
-                                               my_host->get_address(my_host), other_host->get_address(other_host),
-                                               mapping_find(auth_method_m, auth_request->get_auth_method(auth_request)));
-                                               
-       this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
-       this->destroy_after_state_change(this);
+       this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s", 
+                                         my_host->get_address(my_host), other_host->get_address(other_host));
 
        return SUCCESS;
 }
@@ -396,13 +394,13 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
        {       
                if (my_id)
                {
-                       this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses IDs %s to %s, which we have no policy for", 
+                       this->logger->log(this->logger, AUDIT, "We don't have a policy for IDs %s - %s. Deleting IKE_SA", 
                                                        other_id->get_string(other_id),my_id->get_string(my_id));
                        my_id->destroy(my_id);  
                }
                else
                {
-                       this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses ID %s, which we have no policy for", 
+                       this->logger->log(this->logger, AUDIT, "We don't have a policy for remote ID %s. Deleting IKE_SA", 
                                                        other_id->get_string(other_id));
                }
                other_id->destroy(other_id);
@@ -416,7 +414,10 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
        other_id->destroy(other_id);
        
        /* get my id, if not requested */
-       my_id = this->policy->get_my_id(this->policy);  
+       my_id = this->policy->get_my_id(this->policy);
+       
+       /* update others traffic selectors with actually used address */
+       this->policy->update_other_ts(this->policy, response->get_destination(response));
        
        /* set policy in ike_sa for other states */
        this->ike_sa->set_policy(this->ike_sa, this->policy);
index 9dad95d..1bc94c8 100755 (executable)
@@ -119,6 +119,16 @@ struct private_stroke_t {
         * Holding all configurations.
         */
        linked_list_t *configurations;
+       
+       /**
+        * The list of RSA private keys accessible through crendial_store_t interface
+        */
+       linked_list_t *rsa_private_keys;
+       
+       /**
+        * The list of RSA public keys accessible through crendial_store_t interface
+        */
+       linked_list_t *rsa_public_keys;
 
        /**
         * Assigned logger_t object.
@@ -153,10 +163,14 @@ struct private_stroke_t {
  * stroke_msg). They must be corrected if they reach our address
  * space...
  */
-static void fix_string(stroke_msg_t *msg, char **string)
+static void pop_string(stroke_msg_t *msg, char **string)
 {
        /* check for sanity of string pointer and string */
-       if (string < (char**)msg ||
+       if (*string == NULL)
+       {
+               *string = "";
+       }
+       else if (string < (char**)msg ||
                string > (char**)msg + sizeof(stroke_msg_t) ||
                *string < (char*)msg->buffer - (u_int)msg ||
                *string > (char*)(u_int)msg->length)
@@ -210,7 +224,7 @@ static void stroke_receive(private_stroke_t *this)
                        continue;
                }
                
-               this->logger->log_bytes(this->logger, RAW|LEVEL1, "stroke message", (void*)msg, msg_length);
+               this->logger->log_bytes(this->logger, CONTROL, "stroke message", (void*)msg, msg_length);
                
                switch (msg->type)
                {
@@ -218,8 +232,8 @@ static void stroke_receive(private_stroke_t *this)
                        {
                                initiate_ike_sa_job_t *job;
                                connection_t *connection;
-                               fix_string(msg, &(msg->initiate.name));
-                               this->logger->log(this->logger, CONTROL|LEVEL1, "received stroke: initiate \"%s\"", msg->initiate.name);
+                               pop_string(msg, &(msg->initiate.name));
+                               this->logger->log(this->logger, CONTROL, "received stroke: initiate \"%s\"", msg->initiate.name);
                                connection = this->get_connection_by_name(this, msg->initiate.name);
                                if (connection == NULL)
                                {
@@ -234,8 +248,8 @@ static void stroke_receive(private_stroke_t *this)
                        }
                        case STR_INSTALL:
                        {
-                               fix_string(msg, &(msg->install.name));
-                               this->logger->log(this->logger, CONTROL|LEVEL1, "received stroke: install \"%s\"", msg->install.name);
+                               pop_string(msg, &(msg->install.name));
+                               this->logger->log(this->logger, CONTROL, "received stroke: install \"%s\"", msg->install.name);
                                break;
                        }
                        case STR_ADD_CONN:
@@ -245,28 +259,84 @@ static void stroke_receive(private_stroke_t *this)
                                identification_t *my_id, *other_id;
                                host_t *my_host, *other_host, *my_subnet, *other_subnet;
                                proposal_t *proposal;
-                               traffic_selector_t *ts;
-                               chunk_t chunk;
+                               traffic_selector_t *my_ts, *other_ts;
+                               
+                               pop_string(msg, &msg->add_conn.name);
+                               pop_string(msg, &msg->add_conn.me.address);
+                               pop_string(msg, &msg->add_conn.other.address);
+                               pop_string(msg, &msg->add_conn.me.id);
+                               pop_string(msg, &msg->add_conn.other.id);
+                               pop_string(msg, &msg->add_conn.me.subnet);
+                               pop_string(msg, &msg->add_conn.other.subnet);
+                               
+                               this->logger->log(this->logger, CONTROL, "received stroke: add connection \"%s\"", msg->add_conn.name);
+                               
+                               my_host = host_create(AF_INET, msg->add_conn.me.address, 500);
+                               if (my_host == NULL)
+                               {
+                                       this->logger->log(this->logger, ERROR, "received invalid host: %s", msg->add_conn.me.address);
+                                       break;
+                               }
+                               other_host = host_create(AF_INET, msg->add_conn.other.address, 500);
+                               if (other_host == NULL)
+                               {
+                                       this->logger->log(this->logger, ERROR, "received invalid host: %s", msg->add_conn.other.address);
+                                       my_host->destroy(my_host);
+                                       break;
+                               }
+                               my_id = identification_create_from_string(ID_IPV4_ADDR, 
+                                               *msg->add_conn.me.id ? msg->add_conn.me.id : msg->add_conn.me.address);
+                               if (my_id == NULL)
+                               {
+                                       this->logger->log(this->logger, ERROR, "received invalid id: %s", msg->add_conn.me.id);
+                                       my_host->destroy(my_host);
+                                       other_host->destroy(other_host);
+                                       break;
+                               }
+                               other_id = identification_create_from_string(ID_IPV4_ADDR, 
+                                               *msg->add_conn.other.id ? msg->add_conn.other.id : msg->add_conn.other.address);
+                               if (other_id == NULL)
+                               {
+                                       my_host->destroy(my_host);
+                                       other_host->destroy(other_host);
+                                       my_id->destroy(my_id);
+                                       this->logger->log(this->logger, ERROR, "received invalid id: %s", msg->add_conn.other.id);
+                                       break;
+                               }
                                
-                               fix_string(msg, &msg->add_conn.name);
-                               this->logger->log(this->logger, CONTROL|LEVEL1, "received stroke: add connection \"%s\"", msg->add_conn.name);
+                               my_subnet = host_create(AF_INET, *msg->add_conn.me.subnet ? msg->add_conn.me.subnet : msg->add_conn.me.address, 500);
+                               if (my_subnet == NULL)
+                               {
+                                       my_host->destroy(my_host);
+                                       other_host->destroy(other_host);
+                                       my_id->destroy(my_id);
+                                       other_id->destroy(other_id);
+                                       this->logger->log(this->logger, ERROR, "received invalid subnet: %s", msg->add_conn.me.subnet);
+                                       break;
+                               }
                                
-                               msg->add_conn.me.address.v4.sin_port = htons(500);
-                               msg->add_conn.other.address.v4.sin_port = htons(500);
-                               my_host = host_create_from_sockaddr(&msg->add_conn.me.address.saddr);
-                               other_host = host_create_from_sockaddr(&msg->add_conn.other.address.saddr);
+                               other_subnet = host_create(AF_INET, *msg->add_conn.other.subnet ? msg->add_conn.other.subnet : msg->add_conn.other.address, 500);
+                               if (other_subnet == NULL)
+                               {
+                                       my_host->destroy(my_host);
+                                       other_host->destroy(other_host);
+                                       my_id->destroy(my_id);
+                                       other_id->destroy(other_id);
+                                       my_subnet->destroy(my_subnet);
+                                       this->logger->log(this->logger, ERROR, "received invalid subnet: %s", msg->add_conn.me.subnet);
+                                       break;
+                               }
                                
-                               fix_string(msg, &msg->add_conn.me.id);
-                               fix_string(msg, &msg->add_conn.other.id);
-                               my_id = identification_create_from_string(ID_IPV4_ADDR, msg->add_conn.me.id);
-                               other_id = identification_create_from_string(ID_IPV4_ADDR, msg->add_conn.other.id);
+                               this->logger->log(this->logger, CONTROL, "my ID %s, others ID %s",
+                                                                 my_id->get_string(my_id),
+                                                                 other_id->get_string(other_id));
                                
                                connection = connection_create(my_host, other_host, my_id->clone(my_id), other_id->clone(other_id), SHARED_KEY_MESSAGE_INTEGRITY_CODE);
                                proposal = proposal_create(1);
                                proposal->add_algorithm(proposal, IKE, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 16);
                                proposal->add_algorithm(proposal, IKE, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
                                proposal->add_algorithm(proposal, IKE, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
-                               proposal->add_algorithm(proposal, IKE, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
+                               proposal->add_algorithm(proposal, IKE, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
                                connection->add_proposal(connection, proposal);
                                
                                policy = policy_create(my_id, other_id);
@@ -275,23 +345,19 @@ static void stroke_receive(private_stroke_t *this)
                                proposal->add_algorithm(proposal, ESP, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
                                policy->add_proposal(policy, proposal);
                                
-                               my_subnet = host_create_from_sockaddr(&msg->add_conn.me.subnet.saddr);
-                               ts = traffic_selector_create_from_subnet(my_subnet, msg->add_conn.me.subnet_netbits);
+                               my_ts = traffic_selector_create_from_subnet(my_subnet, *msg->add_conn.me.subnet ? msg->add_conn.me.subnet_mask : 32);
                                my_subnet->destroy(my_subnet);
-                               policy->add_my_traffic_selector(policy, ts);
-                               
-                               other_subnet = host_create_from_sockaddr(&msg->add_conn.other.subnet.saddr);
-                               ts = traffic_selector_create_from_subnet(other_subnet, msg->add_conn.other.subnet_netbits);
+                               policy->add_my_traffic_selector(policy, my_ts);
+                               other_ts = traffic_selector_create_from_subnet(other_subnet, *msg->add_conn.other.subnet ? msg->add_conn.other.subnet_mask : 32);
                                other_subnet->destroy(other_subnet);
-                               policy->add_other_traffic_selector(policy, ts);
+                               policy->add_other_traffic_selector(policy, other_ts);
                                
                                this->configurations->insert_last(this->configurations, 
                                                configuration_entry_create(msg->add_conn.name, connection, policy));
                                
-                               this->logger->log(this->logger, CONTROL|LEVEL1, "connection \"%s\" added (%d in store)", 
+                               this->logger->log(this->logger, CONTROL, "connection \"%s\" added (%d in store)", 
                                                                  msg->add_conn.name,
                                                                  this->configurations->get_count(this->configurations));
-                               
                                break;
                        }
                        case STR_DEL_CONN:
@@ -299,6 +365,7 @@ static void stroke_receive(private_stroke_t *this)
                                this->logger->log(this->logger, ERROR, "received invalid stroke");
                }
                
+               close(strokefd);
                allocator_free(msg);
        }
 }
@@ -335,13 +402,13 @@ static connection_t *get_connection_by_hosts(connection_store_t *store, host_t *
                        /* could be right one, check my_host for default route*/
                        if (config_my_host->is_default_route(config_my_host))
                        {
-                               found = entry->connection;
+                               found = entry->connection->clone(entry->connection);
                                break;
                        }
                        /* check now if host informations are the same */
                        else if (config_my_host->ip_is_equal(config_my_host,my_host))
                        {
-                               found = entry->connection;
+                               found = entry->connection->clone(entry->connection);
                                break;
                        }
                        
@@ -354,19 +421,26 @@ static connection_t *get_connection_by_hosts(connection_store_t *store, host_t *
                        /* could be right one, check my_host for default route*/
                        if (config_my_host->is_default_route(config_my_host))
                        {
-                               found = entry->connection;
+                               found = entry->connection->clone(entry->connection);
                                break;
                        }
                        /* check now if host informations are the same */
                        else if (config_my_host->ip_is_equal(config_my_host,my_host))
                        {
-                               found = entry->connection;
+                               found = entry->connection->clone(entry->connection);
                                break;
                        }
                }
        }
        iterator->destroy(iterator);
        
+       /* apply hosts as they are supplied since my_host may be %defaultroute, and other_host may be %any. */
+       if (found)
+       {
+               found->update_my_host(found, my_host->clone(my_host));
+               found->update_other_host(found, other_host->clone(other_host));
+       }
+       
        return found;
 }
 
@@ -400,7 +474,7 @@ static connection_t *get_connection_by_ids(connection_store_t *store, identifica
                {
                        this->logger->log(this->logger, CONTROL|LEVEL2, "config entry with remote id %s", 
                                                          config_other_id->get_string(config_other_id));
-                       found = entry->connection;
+                       found = entry->connection->clone(entry->connection);
                        break;
                }
        }
@@ -426,7 +500,7 @@ static connection_t *get_connection_by_name(private_stroke_t *this, char *name)
                if (strcmp(entry->name,name) == 0)
                {
                        /* found configuration */
-                       found = entry->connection;
+                       found = entry->connection->clone(entry->connection);
                        break;
                }
        }
@@ -452,64 +526,92 @@ static policy_t *get_policy(policy_store_t *store,identification_t *my_id, ident
                identification_t *config_my_id = entry->policy->get_my_id(entry->policy);
                identification_t *config_other_id = entry->policy->get_other_id(entry->policy);
                
-               /* host informations seem to be the same */
-               if (config_other_id->equals(config_other_id, other_id))
+               /* check other host first */
+               if (config_other_id->belongs_to(config_other_id, other_id))
                {               
-                       /* other ids seems to match */
+                       /* get it if my_id not specified */
                        if (my_id == NULL)
                        {
-                               /* first matching one is selected */
-                               /* TODO priorize found entries */
-                               found = entry->policy;
+                               found = entry->policy->clone(entry->policy);
                                break;
                        }
 
-                       if (config_my_id->equals(config_my_id, my_id))
+                       if (config_my_id->belongs_to(config_my_id, my_id))
                        {
-                               found = entry->policy;
+                               found = entry->policy->clone(entry->policy);
                                break;
                        }
-
                }
        }
        iterator->destroy(iterator);
        
+       /* apply IDs as they are requsted, since they may be configured as %any or such */
+       if (found)
+       {
+               if (my_id)
+               {
+                       found->update_my_id(found, my_id->clone(my_id));
+               }
+               found->update_other_id(found, other_id->clone(other_id));
+       }
        return found;
 }
 
-       
+/**
+ * Implementation of credential_store_t.get_shared_secret.
+ */    
 static status_t get_shared_secret(credential_store_t *this, identification_t *identification, chunk_t *preshared_secret)
 {
        char *secret = "schluessel";
        preshared_secret->ptr = secret;
-       preshared_secret->len = strlen(secret) + 1; 
+       preshared_secret->len = strlen(secret) + 1;
+       
+       *preshared_secret = allocator_clone_chunk(*preshared_secret);
        return SUCCESS;
 }
 
+/**
+ * Implementation of credential_store_t.get_rsa_public_key.
+ */
 static status_t get_rsa_public_key(credential_store_t *this, identification_t *identification, rsa_public_key_t **public_key)
 {
        return FAILED;
 }
 
+/**
+ * Implementation of credential_store_t.get_rsa_private_key.
+ */
 static status_t get_rsa_private_key(credential_store_t *this, identification_t *identification, rsa_private_key_t **private_key)
 {
        return FAILED;
 }
 
-       
-       
-
 /**
  * Implementation of stroke_t.destroy.
  */
 static void destroy(private_stroke_t *this)
 {
        configuration_entry_t *entry;
+       rsa_public_key_t *pub_key;
+       rsa_private_key_t *priv_key;
+       
        while (this->configurations->remove_first(this->configurations, (void **)&entry) == SUCCESS)
        {
                entry->destroy(entry);
        }
        this->configurations->destroy(this->configurations);
+       
+       while (this->rsa_private_keys->remove_first(this->rsa_private_keys, (void **)&priv_key) == SUCCESS)
+       {
+               priv_key->destroy(priv_key);
+       }
+       this->rsa_private_keys->destroy(this->rsa_private_keys);
+       
+       while (this->rsa_public_keys->remove_first(this->rsa_public_keys, (void **)&pub_key) == SUCCESS)
+       {
+               pub_key->destroy(pub_key);
+       }
+       this->rsa_public_keys->destroy(this->rsa_public_keys);
 
        charon->logger_manager->destroy_logger(charon->logger_manager,this->logger);
        close(this->socket);
@@ -592,10 +694,13 @@ stroke_t *stroke_create()
                close(this->socket);
                unlink(socket_addr.sun_path);
                allocator_free(this);
+               return NULL;
        }
        
        /* private variables */
        this->configurations = linked_list_create();
+       this->rsa_private_keys = linked_list_create();
+       this->rsa_public_keys = linked_list_create();
        
        return (&this->public);
 }
index 4fc0fe5..267c455 100644 (file)
@@ -60,20 +60,10 @@ struct stroke_msg_t {
                struct {
                        char *name;
                        struct {
-                               union {
-                                       u_int16_t family;
-                                       struct sockaddr saddr;
-                                       struct sockaddr_in v4;
-                                       struct sockaddr_in6 v6;
-                               } address;
                                char *id;
-                               union {
-                                       u_int16_t family;
-                                       struct sockaddr saddr;
-                                       struct sockaddr_in v4;
-                                       struct sockaddr_in6 v6;
-                               } subnet;
-                               u_int8_t subnet_netbits;
+                               char *address;
+                               char *subnet;
+                               u_int8_t subnet_mask;
                        } me, other;
                } add_conn;
        };
@@ -99,10 +89,12 @@ typedef struct stroke_t stroke_t;
  * stroke_t.interface_xy to access the specific interface! You have
  * been warned...
  * 
+ * @todo Add clean thread cancellation
+ * 
  * @b Constructors:
  * - stroke_create()
  * 
- * @ingroup config
+ * @ingroup threads
  */
 struct stroke_t {
 
@@ -135,7 +127,7 @@ struct stroke_t {
  * 
  * @return stroke_t object
  * 
- * @ingroup config
+ * @ingroup threads
  */
 stroke_t *stroke_create();
 
index 73f2188..72d1610 100644 (file)
@@ -116,6 +116,28 @@ static bool equals (private_identification_t *this,private_identification_t *oth
 }
 
 /**
+ * Implementation of identification_t.belongs_to.
+ */
+static bool belongs_to(private_identification_t *this, private_identification_t *other)
+{
+       if (this->public.equals(&this->public, &other->public))
+       {
+               return TRUE;
+       }
+       
+       if (this->type == other->type && this->type == ID_IPV4_ADDR)
+       {
+               /* is this %any (0.0.0.0)?*/
+               if (*((u_int32_t*)this->encoded.ptr) == 0)
+               {
+                       return TRUE;
+               }
+               /* TODO: Do we need subnet support? */
+       }
+       return FALSE;
+}
+
+/**
  * Implementation of identification_t.clone.
  */
 static identification_t *clone(private_identification_t *this)
@@ -150,6 +172,7 @@ static private_identification_t *identification_create()
        private_identification_t *this = allocator_alloc_thing(private_identification_t);
        
        this->public.equals = (bool (*) (identification_t*,identification_t*))equals;
+       this->public.belongs_to = (bool (*) (identification_t*,identification_t*))belongs_to;
        this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
        this->public.get_type = (id_type_t (*) (identification_t*))get_type;
        this->public.get_string = (char* (*) (identification_t*))get_string;
index 38bac5e..b973da9 100644 (file)
@@ -153,6 +153,20 @@ struct identification_t {
        bool (*equals) (identification_t *this,identification_t *other);
        
        /**
+        * @brief Check if an ID belongs to a wildcard ID.
+        * 
+        * An identification_t may contain wildcards, such as
+        * *@strongswan.org. This call checks if a given ID
+        * (e.g. tester@strongswan.org) belongs to a such wildcard
+        * ID. Returns TRUE if IDs are identical.
+        * 
+        * @param this          the ID containing a wildcard
+        * @param other         the ID without wildcard
+        * @return                      TRUE if other belongs to this
+        */
+       bool (*belongs_to) (identification_t *this, identification_t *other);
+       
+       /**
         * @brief Clone a identification_t instance.
         * 
         * @param this          the identification_t object to clone
index 29f485b..3e2c938 100644 (file)
@@ -178,6 +178,7 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab
        if ((this->level & loglevel) == loglevel)
        {
                char buffer[MAX_LOG];
+               char ascii_buffer[17];
                char *format;
                char *buffer_pos;
                char *bytes_pos, *bytes_roof;
@@ -207,6 +208,7 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab
                bytes_pos = bytes;
                bytes_roof = bytes + len;
                buffer_pos = buffer;
+               memset(ascii_buffer, 0, 17);
 
                for (i = 1; bytes_pos < bytes_roof; i++)
                {
@@ -219,30 +221,34 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab
                                buffer_pos = buffer;
                                if (this->output == NULL)
                                {
-                                       syslog(LOG_INFO, "[=>] [%5d ] %s", line_start, buffer); 
+                                       syslog(LOG_INFO, "[=>] [%5d ] %s %s", line_start, buffer, ascii_buffer);        
                                }
                                else
                                {
-                                       fprintf(this->output, "[=>] [%5d ] %s\n", line_start, buffer);
+                                       fprintf(this->output, "[=>] [%5d ] %s %s\n", line_start, buffer, ascii_buffer);
                                }
+                               memset(ascii_buffer, 0, 16);
                                line_start += 16;
                        }
-                       else if ((i % 8) == 0)
-                       {
-                               *buffer_pos++ = ' ';
-                               *buffer_pos++ = ' ';
-                               *buffer_pos++ = ' ';
-                       }
                        else if ((i % 4) == 0)
                        {
                                *buffer_pos++ = ' ';
-                               *buffer_pos++ = ' ';
+               //              *buffer_pos++ = ' ';
                        }
                        else 
                        {       
                                *buffer_pos++ = ' ';
                        }
                        
+                       if (*bytes_pos > 31 && *bytes_pos < 127)
+                       {
+                               ascii_buffer[(i % 16)] = *bytes_pos;
+                       }
+                       else
+                       {
+                               ascii_buffer[(i % 16)] = '*';
+                       }
+                       
                        bytes_pos++;
                }
                
@@ -252,11 +258,11 @@ static void log_bytes(private_logger_t *this, logger_level_t loglevel, char *lab
                        buffer_pos = buffer;
                        if (this->output == NULL)
                        {               
-                               syslog(LOG_INFO, "[=>] [%5d ] %s", line_start, buffer);
+                               syslog(LOG_INFO, "[=>] [%5d ] %s %16s", line_start, buffer, ascii_buffer);
                        }
                        else
                        {
-                               fprintf(this->output, "[=>] [%5d ] %s\n", line_start, buffer);
+                               fprintf(this->output, "[=>] [%5d ] %s %16s\n", line_start, buffer, ascii_buffer);
                        }
                }
                pthread_mutex_unlock(&mutex);