merging changes from portability branch back to trunk
authorTobias Brunner <tobias@strongswan.org>
Thu, 30 Apr 2009 11:37:54 +0000 (11:37 -0000)
committerTobias Brunner <tobias@strongswan.org>
Thu, 30 Apr 2009 11:37:54 +0000 (11:37 -0000)
important change for developers: %Y replaces %D to print identities!

120 files changed:
src/_updown/Makefile.am
src/charon/Makefile.am
src/charon/config/auth_cfg.c
src/charon/config/backend_manager.c
src/charon/credentials/credential_manager.c
src/charon/credentials/sets/auth_cfg_wrapper.c
src/charon/daemon.c
src/charon/kernel/kernel_interface.c
src/charon/kernel/kernel_interface.h
src/charon/kernel/kernel_ipsec.h
src/charon/network/socket.c
src/charon/plugins/eap_aka/eap_aka.c
src/charon/plugins/eap_gtc/eap_gtc.c
src/charon/plugins/eap_md5/eap_md5.c
src/charon/plugins/eap_mschapv2/eap_mschapv2.c
src/charon/plugins/eap_sim/eap_sim.c
src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/charon/plugins/kernel_netlink/kernel_netlink_net.c
src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
src/charon/plugins/kernel_pfroute/Makefile.am [new file with mode: 0644]
src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c [new file with mode: 0644]
src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h [new file with mode: 0644]
src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c [new file with mode: 0644]
src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h [new file with mode: 0644]
src/charon/plugins/load_tester/load_tester_ipsec.c
src/charon/plugins/medcli/medcli_creds.c
src/charon/plugins/resolv_conf/resolv_conf_handler.c
src/charon/plugins/smp/smp.c
src/charon/plugins/sql/pool.c
src/charon/plugins/stroke/stroke_attribute.c
src/charon/plugins/stroke/stroke_ca.c
src/charon/plugins/stroke/stroke_config.c
src/charon/plugins/stroke/stroke_control.c
src/charon/plugins/stroke/stroke_list.c
src/charon/plugins/stroke/stroke_socket.c
src/charon/plugins/updown/updown_listener.c
src/charon/processing/jobs/mediation_job.c
src/charon/sa/authenticators/eap_authenticator.c
src/charon/sa/authenticators/psk_authenticator.c
src/charon/sa/authenticators/pubkey_authenticator.c
src/charon/sa/child_sa.c
src/charon/sa/connect_manager.c
src/charon/sa/ike_sa_manager.c
src/charon/sa/mediation_manager.c
src/charon/sa/tasks/ike_auth.c
src/charon/sa/tasks/ike_cert_post.c
src/charon/sa/tasks/ike_cert_pre.c
src/charon/sa/tasks/ike_delete.c
src/charon/sa/tasks/ike_me.c
src/charon/sa/tasks/ike_rekey.c
src/ipsec/Makefile.am
src/libfreeswan/Makefile.am
src/libfreeswan/addrtot.c
src/libfreeswan/addrtypeof.c
src/libfreeswan/anyaddr.c
src/libfreeswan/freeswan.h
src/libfreeswan/initaddr.c
src/libfreeswan/internal.h
src/libfreeswan/ipcomp.h [deleted file]
src/libfreeswan/ipsec_ah.h [deleted file]
src/libfreeswan/ipsec_alg.h [deleted file]
src/libfreeswan/ipsec_encap.h [deleted file]
src/libfreeswan/ipsec_eroute.h [deleted file]
src/libfreeswan/ipsec_errs.h [deleted file]
src/libfreeswan/ipsec_esp.h [deleted file]
src/libfreeswan/ipsec_ipe4.h [deleted file]
src/libfreeswan/ipsec_kversion.h [deleted file]
src/libfreeswan/ipsec_life.h [deleted file]
src/libfreeswan/ipsec_md5h.h [deleted file]
src/libfreeswan/ipsec_param.h
src/libfreeswan/ipsec_proto.h [deleted file]
src/libfreeswan/ipsec_radij.h [deleted file]
src/libfreeswan/ipsec_rcv.h [deleted file]
src/libfreeswan/ipsec_sa.h [deleted file]
src/libfreeswan/ipsec_sha1.h [deleted file]
src/libfreeswan/ipsec_stats.h [deleted file]
src/libfreeswan/ipsec_tunnel.h [deleted file]
src/libfreeswan/ipsec_xform.h [deleted file]
src/libfreeswan/ipsec_xmit.h [deleted file]
src/libfreeswan/pfkey.h
src/libfreeswan/pfkey_v2_build.c
src/libfreeswan/pfkey_v2_debug.c
src/libfreeswan/pfkey_v2_ext_bits.c
src/libfreeswan/pfkey_v2_parse.c
src/libfreeswan/portof.c
src/libfreeswan/radij.h [deleted file]
src/libfreeswan/satot.c
src/libfreeswan/ttoaddr.c
src/libfreeswan/ttosa.c
src/libfreeswan/ttosubnet.c
src/libfreeswan/version.c
src/libstrongswan/Makefile.am
src/libstrongswan/asn1/asn1.c
src/libstrongswan/asn1/oid.pl
src/libstrongswan/crypto/pkcs7.c
src/libstrongswan/library.c
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/libstrongswan/plugins/x509/x509_ocsp_response.c
src/libstrongswan/printf_hook.c
src/libstrongswan/printf_hook.h
src/libstrongswan/utils.c
src/libstrongswan/utils/enumerator.c
src/medsrv/controller/peer_controller.c
src/pluto/Makefile.am
src/scepclient/Makefile.am
src/starter/Makefile.am
src/starter/interfaces.c
src/starter/interfaces.h
src/starter/parser.l
src/starter/starter.c
src/starter/starterstroke.c
src/starter/starterwhack.c
src/stroke/Makefile.am
src/stroke/stroke.c

index 9fd5927..5fc04ab 100644 (file)
@@ -8,5 +8,5 @@ _updown : _updown.in
        -e "s:@IPSEC_SBINDIR@:$(sbindir):" \
        -e "s:\@IPSEC_ROUTING_TABLE\@:$(IPSEC_ROUTING_TABLE):" \
        -e "s:\@IPSEC_ROUTING_TABLE_PRIO\@:$(IPSEC_ROUTING_TABLE_PRIO):" \
-       $< > $@
+       $(srcdir)/$@.in > $@
        chmod +x $@
index 7c5e139..1d27d13 100644 (file)
@@ -106,13 +106,14 @@ AM_CFLAGS = -rdynamic \
   -DIPSEC_PIDDIR=\"${piddir}\" \
   -DIPSEC_PLUGINDIR=\"${plugindir}\" \
   -DSTRONGSWAN_CONF=\"${strongswan_conf}\"
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm -ldl
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB)
 
 EXTRA_DIST = config/proposal_keywords.txt
-MAINTAINERCLEANFILES = config/proposal_keywords.c
+BUILT_SOURCES = $(srcdir)/config/proposal_keywords.c
+MAINTAINERCLEANFILES = $(srcdir)/config/proposal_keywords.c
 
-config/proposal_keywords.c:    config/proposal_keywords.txt config/proposal_keywords.h
-               (cd `dirname $<` && $(GPERF) -C -G -c -t < `basename $<` > `basename $@` )
+$(srcdir)/config/proposal_keywords.c:  $(srcdir)/config/proposal_keywords.txt $(srcdir)/config/proposal_keywords.h
+               $(GPERF) -C -G -c -t -D < $(srcdir)/config/proposal_keywords.txt > $@
 
 # compile options
 #################
@@ -162,6 +163,11 @@ if USE_KERNEL_PFKEY
   PLUGINS += kernel-pfkey
 endif
 
+if USE_KERNEL_PFROUTE
+  SUBDIRS += plugins/kernel_pfroute
+  PLUGINS += kernel-pfroute
+endif
+
 if USE_KERNEL_KLIPS
   SUBDIRS += plugins/kernel_klips
   PLUGINS += kernel-klips
index 87aca38..c856608 100644 (file)
@@ -340,7 +340,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                                if (!success && log_error)
                                {
                                        DBG1(DBG_CFG, "constraint check failed: peer not "
-                                                "authenticated by CA '%D'.", c1->get_subject(c1));
+                                                "authenticated by CA '%Y'.", c1->get_subject(c1));
                                }
                                break;
                        }
@@ -356,7 +356,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                                        if (log_error)
                                        {
                                                DBG1(DBG_CFG, "constraint check failed: peer not "
-                                                        "authenticated with peer cert '%D'.",
+                                                        "authenticated with peer cert '%Y'.",
                                                         c1->get_subject(c1));
                                        }
                                }
@@ -411,7 +411,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
                                        success = FALSE;
                                        if (log_error)
                                        {
-                                               DBG1(DBG_CFG, "constraint check failed: %sidentity '%D'"
+                                               DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'"
                                                         " required ", t1 == AUTH_RULE_IDENTITY ? "" :
                                                         "EAP ", id1);
                                        }
index 28e50ef..43d9594 100644 (file)
@@ -339,7 +339,7 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
                return enumerator;
        }
        
-       DBG1(DBG_CFG, "looking for peer configs matching %H[%D]...%H[%D]",
+       DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
                 me, my_id, other, other_id);
        
        configs = linked_list_create();
index 3cd4e35..6950224 100644 (file)
@@ -530,7 +530,7 @@ static bool verify_ocsp(private_credential_manager_t *this,
        {
                if (this->cache->issued_by(this->cache, subject, issuer))
                {
-                       DBG1(DBG_CFG, "  ocsp response correctly signed by \"%D\"",
+                       DBG1(DBG_CFG, "  ocsp response correctly signed by \"%Y\"",
                                                     issuer->get_subject(issuer));
                        verified = TRUE;
                        break;
@@ -756,7 +756,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
        {
                if (this->cache->issued_by(this->cache, crl, issuer))
                {
-                       DBG1(DBG_CFG, "  crl correctly signed by \"%D\"",
+                       DBG1(DBG_CFG, "  crl correctly signed by \"%Y\"",
                                                   issuer->get_subject(issuer));
                        verified = TRUE;
                        break;
@@ -966,7 +966,7 @@ static bool check_certificate(private_credential_manager_t *this,
        {
                if (ocsp || crl)
                {
-                       DBG1(DBG_CFG, "checking certificate status of \"%D\"",
+                       DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
                                                   subject->get_subject(subject));
                }
                if (ocsp)
@@ -1082,7 +1082,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                        if (this->cache->issued_by(this->cache, issuer, issuer))
                        {
                                auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
-                               DBG1(DBG_CFG, "  using trusted ca certificate \"%D\"",
+                               DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
                                         issuer->get_subject(issuer));
                                trusted = TRUE;
                        }
@@ -1090,7 +1090,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                        {
                                auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
                                DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
-                                        "\"%D\"", issuer->get_subject(issuer));
+                                        "\"%Y\"", issuer->get_subject(issuer));
                        }
                }
                else
@@ -1100,18 +1100,18 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                        {
                                if (current->equals(current, issuer))
                                {
-                                       DBG1(DBG_CFG, "  self-signed certificate \"%D\" is not trusted",
+                                       DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
                                                 current->get_subject(current));
                                        issuer->destroy(issuer);
                                        break;
                                }
                                auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
                                DBG1(DBG_CFG, "  using untrusted intermediate certificate "
-                                        "\"%D\"", issuer->get_subject(issuer));
+                                        "\"%Y\"", issuer->get_subject(issuer));
                        }
                        else
                        {
-                               DBG1(DBG_CFG, "no issuer certificate found for \"%D\"", 
+                               DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", 
                                         current->get_subject(current));
                                break;
                        }
@@ -1197,7 +1197,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
                        {
                                this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
                                                                this->pretrusted->get_ref(this->pretrusted));
-                               DBG1(DBG_CFG, "  using trusted certificate \"%D\"",
+                               DBG1(DBG_CFG, "  using trusted certificate \"%Y\"",
                                         this->pretrusted->get_subject(this->pretrusted));
                                *cert = this->pretrusted;
                                if (auth)
@@ -1217,7 +1217,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
                        continue;
                }
        
-               DBG1(DBG_CFG, "  using certificate \"%D\"",
+               DBG1(DBG_CFG, "  using certificate \"%Y\"",
                         current->get_subject(current));
                if (verify_trust_chain(this->this, current, this->auth, FALSE,
                                                           this->crl, this->ocsp))
index 2e93cc5..55f2655 100644 (file)
@@ -96,7 +96,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator,
                return FALSE;
        }
        
-       DBG1(DBG_CFG, "  fetched certificate \"%D\"", cert->get_subject(cert));
+       DBG1(DBG_CFG, "  fetched certificate \"%Y\"", cert->get_subject(cert));
        charon->credentials->cache_cert(charon->credentials, cert);
        
        if (*rule == AUTH_HELPER_IM_HASH_URL)
index 6dcb39a..339846a 100644 (file)
@@ -17,7 +17,9 @@
  */
 
 #include <stdio.h>
+#ifdef HAVE_PRCTL
 #include <sys/prctl.h>
+#endif
 #include <signal.h>
 #include <pthread.h>
 #include <sys/stat.h>
@@ -240,8 +242,10 @@ static void kill_daemon(private_daemon_t *this, char *reason)
  * drop daemon capabilities
  */
 static void drop_capabilities(private_daemon_t *this)
-{      
+{
+#ifdef HAVE_PRCTL
        prctl(PR_SET_KEEPCAPS, 1);
+#endif
 
        if (setgid(charon->gid) != 0)
        {
index fca1496..1598316 100644 (file)
@@ -109,10 +109,10 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
 /**
  * Implementation of kernel_interface_t.del_sa
  */
-static status_t del_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi,
-                               protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
+                               u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
 {
-       return this->ipsec->del_sa(this->ipsec, dst, spi, protocol, cpi);
+       return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi);
 }
 
 /**
@@ -373,7 +373,7 @@ kernel_interface_t *kernel_interface_create()
        this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+       this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
        this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
index 85ba881..e1089a0 100644 (file)
@@ -145,14 +145,15 @@ struct kernel_interface_t {
        /**
         * Delete a previously installed SA from the SAD.
         * 
+        * @param src                   source address for this SA
         * @param dst                   destination address for this SA
         * @param spi                   SPI allocated by us or remote peer
         * @param protocol              protocol for this SA (ESP/AH)
         * @param cpi                   CPI for IPComp or 0
         * @return                              SUCCESS if operation completed
         */
-       status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
-                                               protocol_id_t protocol, u_int16_t cpi);
+       status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+                                               u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
        
        /**
         * Add a policy to the SPD.
index 6360e5f..d0b15a4 100644 (file)
@@ -35,17 +35,15 @@ typedef struct kernel_ipsec_t kernel_ipsec_t;
 #include <encoding/payloads/proposal_substructure.h>
 
 /**
- * Mode of an CHILD_SA.
- *
- * These are equal to those defined in XFRM, so don't change.
+ * Mode of a CHILD_SA.
  */
 enum ipsec_mode_t {
        /** transport mode, no inner address */
-       MODE_TRANSPORT = 0,
+       MODE_TRANSPORT = 1,
        /** tunnel mode, inner and outer addresses */
-       MODE_TUNNEL = 1,
+       MODE_TUNNEL,
        /** BEET mode, tunnel mode but fixed, bound inner addresses */
-       MODE_BEET = 4,
+       MODE_BEET,
 };
 
 /**
@@ -177,14 +175,15 @@ struct kernel_ipsec_t {
        /**
         * Delete a previusly installed SA from the SAD.
         * 
+        * @param src                   source address for this SA
         * @param dst                   destination address for this SA
         * @param spi                   SPI allocated by us or remote peer
         * @param protocol              protocol for this SA (ESP/AH)
         * @param cpi                   CPI for IPComp or 0
         * @return                              SUCCESS if operation completed
         */
-       status_t (*del_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi,
-                                               protocol_id_t protocol, u_int16_t cpi);
+       status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+                                               u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
        
        /**
         * Add a policy to the SPD.
index c43ba02..d93a8d5 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
 #include <stdlib.h>
 #include <fcntl.h>
 #include <sys/ioctl.h>
+#include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/udp.h>
-#include <linux/types.h>
-#include <linux/filter.h>
 #include <net/if.h>
 
 #include "socket.h"
 #define UDP_ENCAP_ESPINUDP 2
 #endif /*UDP_ENCAP_ESPINUDP*/
 
-/* needed for older kernel headers */
-#ifndef IPV6_2292PKTINFO
-#define IPV6_2292PKTINFO 2
-#endif /*IPV6_2292PKTINFO*/
+/* these are not defined on some platforms */
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#define SOL_UDP IPPROTO_UDP
+#endif
 
 typedef struct private_socket_t private_socket_t;
 
@@ -201,7 +202,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                        }
                        
                        if (cmsgptr->cmsg_level == SOL_IPV6 &&
-                               cmsgptr->cmsg_type == IPV6_2292PKTINFO)
+                               cmsgptr->cmsg_type == IPV6_PKTINFO)
                        {
                                struct in6_pktinfo *pktinfo;
                                pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
@@ -214,14 +215,26 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
                                dest = host_create_from_sockaddr((sockaddr_t*)&dst);
                        }
                        if (cmsgptr->cmsg_level == SOL_IP &&
-                               cmsgptr->cmsg_type == IP_PKTINFO)
-                       {                       
+#ifdef IP_RECVDSTADDR
+                               cmsgptr->cmsg_type == IP_RECVDSTADDR
+#else
+                               cmsgptr->cmsg_type == IP_PKTINFO
+#endif
+                               )
+                       {
+                               struct in_addr *addr;
+                               struct sockaddr_in dst; 
+
+#ifdef IP_RECVDSTADDR
+                               addr = (struct in_addr*)CMSG_DATA(cmsgptr);
+#else
                                struct in_pktinfo *pktinfo;
                                pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
-                               struct sockaddr_in dst;
-                               
+                               addr = &pktinfo->ipi_addr;
+#endif
                                memset(&dst, 0, sizeof(dst));
-                               memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr));
+                               memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
+                               
                                dst.sin_family = AF_INET;
                                dst.sin_port = htons(port);
                                dest = host_create_from_sockaddr((sockaddr_t*)&dst);
@@ -340,24 +353,35 @@ status_t sender(private_socket_t *this, packet_t *packet)
        msg.msg_iovlen = 1;
        msg.msg_flags = 0;
        
-       if (!dst->is_anyaddr(dst))
+       if (!src->is_anyaddr(src))
        {
                if (family == AF_INET)
                {
+                       struct in_addr *addr;
+                       struct sockaddr_in *sin;
+#ifdef IP_SENDSRCADDR
+                       char buf[CMSG_SPACE(sizeof(struct in_addr))];
+#else
                        char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
                        struct in_pktinfo *pktinfo;
-                       struct sockaddr_in *sin;
-                       
+#endif
                        msg.msg_control = buf;
                        msg.msg_controllen = sizeof(buf);
                        cmsg = CMSG_FIRSTHDR(&msg);
                        cmsg->cmsg_level = SOL_IP;
+#ifdef IP_SENDSRCADDR
+                       cmsg->cmsg_type = IP_SENDSRCADDR;
+                       cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
+                       addr = (struct in_addr*)CMSG_DATA(cmsg);
+#else
                        cmsg->cmsg_type = IP_PKTINFO;
                        cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
                        pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
                        memset(pktinfo, 0, sizeof(struct in_pktinfo));
+                       addr = &pktinfo->ipi_spec_dst;
+#endif
                        sin = (struct sockaddr_in*)src->get_sockaddr(src);
-                       memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
+                       memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
                }
                else
                {
@@ -369,7 +393,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
                        msg.msg_controllen = sizeof(buf);
                        cmsg = CMSG_FIRSTHDR(&msg);
                        cmsg->cmsg_level = SOL_IPV6;
-                       cmsg->cmsg_type = IPV6_2292PKTINFO;
+                       cmsg->cmsg_type = IPV6_PKTINFO;
                        cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
                        pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
                        memset(pktinfo, 0, sizeof(struct in6_pktinfo));
@@ -389,13 +413,14 @@ status_t sender(private_socket_t *this, packet_t *packet)
 }
 
 /**
- * open a socket to send packets
+ * open a socket to send and receive packets
  */
 static int open_socket(private_socket_t *this, int family, u_int16_t port)
 {
        int on = TRUE;
        int type = UDP_ENCAP_ESPINUDP;
        struct sockaddr_storage addr;
+       socklen_t addrlen;
        u_int sol, pktinfo;
        int skt;
        
@@ -409,8 +434,13 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
                        sin->sin_family = AF_INET;
                        sin->sin_addr.s_addr = INADDR_ANY;
                        sin->sin_port = htons(port);
+                       addrlen = sizeof(struct sockaddr_in);
                        sol = SOL_IP;
+#ifdef IP_RECVDSTADDR
+                       pktinfo = IP_RECVDSTADDR;
+#else
                        pktinfo = IP_PKTINFO;
+#endif
                        break;
                }
                case AF_INET6:
@@ -419,8 +449,9 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
                        sin6->sin6_family = AF_INET6;
                        memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
                        sin6->sin6_port = htons(port);
+                       addrlen = sizeof(struct sockaddr_in6);
                        sol = SOL_IPV6;
-                       pktinfo = IPV6_2292PKTINFO;
+                       pktinfo = IPV6_RECVPKTINFO;
                        break;
                }
                default:
@@ -440,8 +471,8 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
                return 0;
        }
        
-       /* bind the send socket */
-       if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+       /* bind the socket */
+       if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
        {
                DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
                close(skt);
index da06d80..da2adeb 100644 (file)
@@ -880,7 +880,7 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
        /* Get the shared key K: */
        if (load_key(this->server, this->peer, &this->k) != SUCCESS)
        {
-               DBG1(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+               DBG1(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
                                "with EAP-AKA", this->server, this->peer);
                return FAILED;
        }
@@ -1202,7 +1202,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
        {
                *out = build_aka_payload(this, EAP_RESPONSE, identifier,
                                                                 AKA_AUTHENTICATION_REJECT, AT_END);
-               DBG3(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+               DBG3(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
                         "with EAP-AKA, sending %N", this->peer, this->server,
                         aka_subtype_names, AKA_AUTHENTICATION_REJECT);
                return NEED_MORE;
index 0a93a90..9bcdbd6 100644 (file)
@@ -174,7 +174,7 @@ static status_t process_peer(private_eap_gtc_t *this,
                                                                                         this->peer, this->server);
        if (shared == NULL)
        {
-               DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'",
+               DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",
                         this->peer, this->server);
                return FAILED;
        }
index 5339480..4749438 100644 (file)
@@ -90,7 +90,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response)
                                                                                         this->server, this->peer);
        if (shared == NULL)
        {
-               DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+               DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
                         this->server, this->peer);
                return NOT_FOUND;
        }
index 9bbff81..ef142c1 100644 (file)
@@ -667,7 +667,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
                                                                                SHARED_EAP, this->peer, this->server);
        if (shared == NULL)
        {
-               DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+               DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
                         this->server, this->peer);
                return NOT_FOUND;
        }
@@ -1019,14 +1019,14 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
        name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
        snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
        userid = identification_create_from_string(buf);
-       DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%D'", userid);
+       DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
        username = extract_username(userid);
        
        shared = charon->credentials->get_shared(charon->credentials,
                                                                                         SHARED_EAP, this->server, userid);
        if (shared == NULL)
        {
-               DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+               DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
                                          this->server, userid);
                /* FIXME: windows 7 always sends the username that is first entered in
                 * the username box, even, if the user changes it during retries (probably
index c2902b5..fc33d6c 100644 (file)
@@ -571,7 +571,7 @@ static bool get_card_triplet(private_eap_sim_t *this,
        enumerator->destroy(enumerator);
        if (!card)
        {
-               DBG1(DBG_IKE, "no SIM card found matching '%D'", this->peer);
+               DBG1(DBG_IKE, "no SIM card found matching '%Y'", this->peer);
        }
        return success;
 }
@@ -775,7 +775,7 @@ static bool get_provider_triplet(private_eap_sim_t *this,
                tried++;
        }
        enumerator->destroy(enumerator);
-       DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%D'",
+       DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
                 tried, this->peer);
        return FALSE;
 }
index e130c05..627857f 100644 (file)
@@ -220,7 +220,7 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
                        continue;
                }
                
-               DBG2(DBG_CFG, "triplet: imsi %D\nrand %b\nsres %b\nkc %b",
+               DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b",
                         triplet->imsi, triplet->rand, RAND_LEN,
                         triplet->sres, SRES_LEN, triplet->kc, KC_LEN);
                         
index 3d84805..1751ee8 100644 (file)
@@ -1938,8 +1938,9 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *dst,
-                                          u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
+                                          host_t *dst, u_int32_t spi, protocol_id_t protocol,
+                                          u_int16_t cpi)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -2610,7 +2611,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
        this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
index e3b6834..9777406 100644 (file)
@@ -375,6 +375,24 @@ static protocol_id_t proto_kernel2ike(u_int8_t proto)
 }
 
 /**
+ * convert the general ipsec mode to the one defined in xfrm.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+       switch (mode)
+       {
+               case MODE_TRANSPORT:
+                       return XFRM_MODE_TRANSPORT;
+               case MODE_TUNNEL:
+                       return XFRM_MODE_TUNNEL;
+               case MODE_BEET:
+                       return XFRM_MODE_BEET;
+               default:
+                       return mode;
+       }
+}
+
+/**
  * convert a host_t to a struct xfrm_address
  */
 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
@@ -803,7 +821,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
        host2xfrm(src, &userspi->info.saddr);
        host2xfrm(dst, &userspi->info.id.daddr);
        userspi->info.id.proto = proto;
-       userspi->info.mode = TRUE; /* tunnel mode */
+       userspi->info.mode = XFRM_MODE_TUNNEL;
        userspi->info.reqid = reqid;
        userspi->info.family = src->get_family(src);
        userspi->min = min;
@@ -941,7 +959,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
        sa->id.spi = spi;
        sa->id.proto = proto_ike2kernel(protocol);
        sa->family = src->get_family(src);
-       sa->mode = mode;
+       sa->mode = mode2kernel(mode);
        if (mode == MODE_TUNNEL)
        {
                sa->flags |= XFRM_STATE_AF_UNSPEC;
@@ -1216,8 +1234,9 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
-                                          u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
+                                          host_t *dst, u_int32_t spi, protocol_id_t protocol,
+                                          u_int16_t cpi)
 {
        netlink_buf_t request;
        struct nlmsghdr *hdr;
@@ -1226,7 +1245,7 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
        /* if IPComp was used, we first delete the additional IPComp SA */
        if (cpi)
        {
-               del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
+               del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
        }
        
        memset(&request, 0, sizeof(request));
@@ -1339,7 +1358,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
        }
        
        /* delete the old SA (without affecting the IPComp SA) */
-       if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
+       if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
        {
                DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
                free(out);
@@ -1526,7 +1545,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
                tmpl->reqid = reqid;
                tmpl->id.proto = IPPROTO_COMP;
                tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-               tmpl->mode = mode;
+               tmpl->mode = mode2kernel(mode);
                tmpl->optional = direction != POLICY_OUT;
                tmpl->family = src->get_family(src);
                
@@ -1547,7 +1566,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
        tmpl->reqid = reqid;
        tmpl->id.proto = proto_ike2kernel(protocol);
        tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-       tmpl->mode = mode;
+       tmpl->mode = mode2kernel(mode);
        tmpl->family = src->get_family(src);
        
        host2xfrm(src, &tmpl->saddr);
@@ -1871,7 +1890,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
        this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
index f18a535..9090e32 100644 (file)
@@ -1175,7 +1175,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
 /**
  * Implementation of kernel_net_t.add_route.
  */
-status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
                u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
        return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
@@ -1185,7 +1185,7 @@ status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
 /**
  * Implementation of kernel_net_t.del_route.
  */
-status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
                u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
 {
        return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
index 6ef5b52..95932eb 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2008 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
 
 #include <sys/types.h>
 #include <sys/socket.h>
+
+#ifdef HAVE_NET_PFKEYV2_H
+#include <net/pfkeyv2.h>
+#else
 #include <stdint.h>
-#include <linux/ipsec.h>
 #include <linux/pfkeyv2.h>
+#endif
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+#define HAVE_NATT
+#endif
+
+#ifdef HAVE_NETIPSEC_IPSEC_H
+#include <netipsec/ipsec.h>
+#else
+#include <linux/ipsec.h>
+#endif
+
+#ifdef HAVE_NATT
+#ifdef HAVE_NETINET_UDP_H
+#include <netinet/udp.h>
+#else
 #include <linux/udp.h>
+#endif /*HAVE_NETINET_UDP_H*/
+#endif /*HAVE_NATT*/
+
 #include <unistd.h>
 #include <pthread.h>
 #include <errno.h>
 #include <processing/jobs/delete_child_sa_job.h>
 #include <processing/jobs/update_sa_job.h>
 
+/** non linux specific */
+#ifndef IPPROTO_COMP
+#define IPPROTO_COMP IPPROTO_IPCOMP
+#endif
+
+#ifndef SADB_X_AALG_SHA2_256HMAC
+#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
+#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
+#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
+#endif
+
+#ifndef SADB_X_EALG_AESCBC
+#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+#endif
+
+#ifndef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
+#endif
+
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+
 /** from linux/in.h */
 #ifndef IP_IPSEC_POLICY
 #define IP_IPSEC_POLICY 16
@@ -46,7 +92,7 @@
 /* missing on uclibc */
 #ifndef IPV6_IPSEC_POLICY
 #define IPV6_IPSEC_POLICY 34
-#endif /*IPV6_IPSEC_POLICY*/
+#endif
 
 /** default priority of installed policies */
 #define PRIO_LOW 3000
@@ -160,8 +206,8 @@ struct route_entry_t {
 static void route_entry_destroy(route_entry_t *this)
 {
        free(this->if_name);
-       this->src_ip->destroy(this->src_ip);
-       this->gateway->destroy(this->gateway);
+       DESTROY_IF(this->src_ip);
+       DESTROY_IF(this->gateway);
        chunk_free(&this->dst_net);
        free(this);
 }
@@ -217,7 +263,7 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
        
        /* src or dest proto may be "any" (0), use more restrictive one */
        policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
-       policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY; 
+       policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
        policy->dst.proto = policy->src.proto;
        
        return policy;
@@ -268,7 +314,6 @@ struct pfkey_msg_t
         */
        struct sadb_msg *msg;
        
-       
        /**
         * PF_KEY message extensions
         */
@@ -305,7 +350,7 @@ struct pfkey_msg_t
        };
 };
 
-ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
+ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
        "SADB_EXT_RESERVED",
        "SADB_EXT_SA",
        "SADB_EXT_LIFETIME_CURRENT",
@@ -333,6 +378,7 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
        "SADB_X_EXT_SEC_CTX",
        "SADB_X_EXT_KMADDRESS"
 );
+
 /**
  * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
  */
@@ -396,8 +442,10 @@ static u_int8_t mode2kernel(ipsec_mode_t mode)
                        return IPSEC_MODE_TRANSPORT;
                case MODE_TUNNEL:
                        return IPSEC_MODE_TUNNEL;
+#ifdef IPSEC_MODE_BEET
                case MODE_BEET:
                        return IPSEC_MODE_BEET;
+#endif
                default:
                        return mode;
        }
@@ -414,13 +462,16 @@ static u_int8_t dir2kernel(policy_dir_t dir)
                        return IPSEC_DIR_INBOUND;
                case POLICY_OUT:
                        return IPSEC_DIR_OUTBOUND;
+#ifdef IPSEC_DIR_FWD
                case POLICY_FWD:
                        return IPSEC_DIR_FWD;
+#endif
                default:
                        return dir;
        }
 }
 
+#ifdef SADB_X_MIGRATE
 /**
  * convert the policy direction in ipsec.h to the general one.
  */
@@ -432,12 +483,16 @@ static policy_dir_t kernel2dir(u_int8_t  dir)
                        return POLICY_IN;
                case IPSEC_DIR_OUTBOUND:
                        return POLICY_OUT;
+#ifdef IPSEC_DIR_FWD
                case IPSEC_DIR_FWD:
                        return POLICY_FWD;
+#endif
                default:
                        return dir;
        }
 }
+#endif /*SADB_X_MIGRATE*/
+
 typedef struct kernel_algorithm_t kernel_algorithm_t;
 
 /**
@@ -461,32 +516,32 @@ struct kernel_algorithm_t {
  * Algorithms for encryption
  */
 static kernel_algorithm_t encryption_algs[] = {
-/*     {ENCR_DES_IV64,                         0                                                       }, */
-       {ENCR_DES,                                      SADB_EALG_DESCBC                        },
-       {ENCR_3DES,                             SADB_EALG_3DESCBC                       },
-/*     {ENCR_RC5,                                      0                                                       }, */
-/*     {ENCR_IDEA,                             0                                                       }, */
-       {ENCR_CAST,                             SADB_X_EALG_CASTCBC                     },
-       {ENCR_BLOWFISH,                         SADB_X_EALG_BLOWFISHCBC         },
-/*     {ENCR_3IDEA,                            0                                                       }, */
-/*     {ENCR_DES_IV32,                         0                                                       }, */
-       {ENCR_NULL,                             SADB_EALG_NULL                          },
-       {ENCR_AES_CBC,                          SADB_X_EALG_AESCBC                      },
-/*     {ENCR_AES_CTR,                          SADB_X_EALG_AESCTR                      }, */
+/*     {ENCR_DES_IV64,                         0                                                       }, */
+       {ENCR_DES,                                      SADB_EALG_DESCBC                        },
+       {ENCR_3DES,                                     SADB_EALG_3DESCBC                       },
+/*     {ENCR_RC5,                                      0                                                       }, */
+/*     {ENCR_IDEA,                                     0                                                       }, */
+       {ENCR_CAST,                                     SADB_X_EALG_CASTCBC                     },
+       {ENCR_BLOWFISH,                         SADB_X_EALG_BLOWFISHCBC         },
+/*     {ENCR_3IDEA,                            0                                                       }, */
+/*     {ENCR_DES_IV32,                         0                                                       }, */
+       {ENCR_NULL,                                     SADB_EALG_NULL                          },
+       {ENCR_AES_CBC,                          SADB_X_EALG_AESCBC                      },
+/*     {ENCR_AES_CTR,                          SADB_X_EALG_AESCTR                      }, */
 /*  {ENCR_AES_CCM_ICV8,                        SADB_X_EALG_AES_CCM_ICV8        }, */
 /*     {ENCR_AES_CCM_ICV12,            SADB_X_EALG_AES_CCM_ICV12       }, */
 /*     {ENCR_AES_CCM_ICV16,            SADB_X_EALG_AES_CCM_ICV16       }, */
 /*     {ENCR_AES_GCM_ICV8,                     SADB_X_EALG_AES_GCM_ICV8        }, */
 /*     {ENCR_AES_GCM_ICV12,            SADB_X_EALG_AES_GCM_ICV12       }, */
 /*     {ENCR_AES_GCM_ICV16,            SADB_X_EALG_AES_GCM_ICV16       }, */
-       {END_OF_LIST,                           0                                                       },
+       {END_OF_LIST,                           0                                                       },
 };
 
 /**
  * Algorithms for integrity protection
  */
 static kernel_algorithm_t integrity_algs[] = {
-       {AUTH_HMAC_MD5_96,                      SADB_AALG_MD5HMAC                       },
+       {AUTH_HMAC_MD5_96,                      SADB_AALG_MD5HMAC                       },
        {AUTH_HMAC_SHA1_96,                     SADB_AALG_SHA1HMAC                      },
        {AUTH_HMAC_SHA2_256_128,        SADB_X_AALG_SHA2_256HMAC        },
        {AUTH_HMAC_SHA2_384_192,        SADB_X_AALG_SHA2_384HMAC        },
@@ -494,7 +549,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /*     {AUTH_DES_MAC,                          0,                                                      }, */
 /*     {AUTH_KPDK_MD5,                         0,                                                      }, */
        {AUTH_AES_XCBC_96,                      SADB_X_AALG_AES_XCBC_MAC,       },
-       {END_OF_LIST,                           0,                                                      },
+       {END_OF_LIST,                           0,                                                      },
 };
 
 #if 0
@@ -502,11 +557,11 @@ static kernel_algorithm_t integrity_algs[] = {
  * Algorithms for IPComp, unused yet
  */
 static kernel_algorithm_t compression_algs[] = {
-/*     {IPCOMP_OUI,                            0                                                       }, */
+/*     {IPCOMP_OUI,                            0                                                       }, */
        {IPCOMP_DEFLATE,                        SADB_X_CALG_DEFLATE                     },
        {IPCOMP_LZS,                            SADB_X_CALG_LZS                         },
        {IPCOMP_LZJH,                           SADB_X_CALG_LZJH                        },
-       {END_OF_LIST,                           0                                                       },
+       {END_OF_LIST,                           0                                                       },
 };
 #endif
 
@@ -533,8 +588,11 @@ static void host2ext(host_t *host, struct sadb_address *ext)
 {
        sockaddr_t *host_addr = host->get_sockaddr(host);
        socklen_t *len = host->get_sockaddr_len(host);
-       memcpy((char*)(ext + 1), host_addr, *len);
-       ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+       host_addr->sa_len = *len;
+#endif
+       memcpy((char*)(ext + 1), host_addr, *len);
+       ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
 }
 
 /**
@@ -562,10 +620,14 @@ static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
        addr->sadb_address_exttype = type;
        sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
        saddr->sa_family = family;
-       addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+       saddr->sa_len = len;
+#endif
+       addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
        PFKEY_EXT_ADD(msg, addr);
 }
 
+#ifdef HAVE_NATT
 /**
  * add udp encap extensions to a sadb_msg
  */
@@ -592,6 +654,7 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
        nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
        PFKEY_EXT_ADD(msg, nat_port);
 }
+#endif /*HAVE_NATT*/
 
 /**
  * Convert a sadb_address to a traffic_selector
@@ -606,7 +669,7 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
      */
        host = host_create_from_sockaddr((sockaddr_t*)&address[1])      ;
        ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
-                               address->sadb_address_proto, host->get_port(host));
+                               address->sadb_address_proto, host->get_port(host));
        return ts;
 }
 
@@ -645,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
                
                if (out->ext[ext->sadb_ext_type])
                {
-                       DBG1(DBG_KNL, "duplicate %N extension",                 
+                       DBG1(DBG_KNL, "duplicate %N extension",
                                                   sadb_ext_type_names, ext->sadb_ext_type);
                        break;
                }
@@ -699,7 +762,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
        }
        
        while (TRUE)
-       {       
+       {
                msg = (struct sadb_msg*)buf;
                
                len = recv(socket, buf, sizeof(buf), 0);
@@ -757,7 +820,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
        *out_len = len;
        *out = (struct sadb_msg*)malloc(len);
        memcpy(*out, buf, len);
-               
+       
        this->mutex_pfkey->unlock(this->mutex_pfkey);
        
        return SUCCESS;
@@ -868,8 +931,9 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        charon->processor->queue_job(charon->processor, job);
 }
 
+#ifdef SADB_X_MIGRATE
 /**
- * Process a SADB_MIGRATE message from the kernel
+ * Process a SADB_X_MIGRATE message from the kernel
  */
 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
 {
@@ -893,7 +957,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
        DBG2(DBG_KNL, "  policy %R === %R %N, id %u", src_ts, dst_ts,
                                         policy_dir_names, dir);
        
-       /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */   
+       /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
        if (response.x_kmaddress)
        {
                sockaddr_t *local_addr, *remote_addr;
@@ -924,7 +988,9 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
                DESTROY_IF(remote);
        }
 }
+#endif /*SADB_X_MIGRATE*/
 
+#ifdef HAVE_NATT
 /**
  * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
  */
@@ -980,6 +1046,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
                }
        }
 }
+#endif /*HAVE_NATT*/
 
 /**
  * Receives events from kernel
@@ -991,7 +1058,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
        int len, oldstate;
        
        pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-       len = recv(this->socket_events, buf, sizeof(buf), 0);
+       len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
        pthread_setcancelstate(oldstate, NULL);
        
        if (len < 0)
@@ -1035,12 +1102,16 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
                case SADB_EXPIRE:
                        process_expire(this, msg);
                        break;
+#ifdef SADB_X_MIGRATE
                case SADB_X_MIGRATE:
                        process_migrate(this, msg);
                        break;
+#endif /*SADB_X_MIGRATE*/
+#ifdef HAVE_NATT
                case SADB_X_NAT_T_NEW_MAPPING:
                        process_mapping(this, msg);
                        break;
+#endif /*HAVE_NATT*/
                default:
                        break;
        }
@@ -1051,8 +1122,8 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 /**
  * Implementation of kernel_interface_t.get_spi.
  */
-static status_t get_spi(private_kernel_pfkey_ipsec_t *this, 
-                                               host_t *src, host_t *dst, 
+static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
+                                               host_t *src, host_t *dst,
                                                protocol_id_t protocol, u_int32_t reqid,
                                                u_int32_t *spi)
 {
@@ -1099,7 +1170,7 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
                {
                        received_spi = response.sa->sadb_sa_spi;
                }
-               free(out);      
+               free(out);
        }
        
        if (received_spi == 0)
@@ -1114,8 +1185,8 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.get_cpi.
  */
-static status_t get_cpi(private_kernel_pfkey_ipsec_t *this, 
-                                               host_t *src, host_t *dst, 
+static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
+                                               host_t *src, host_t *dst,
                                                u_int32_t reqid, u_int16_t *cpi)
 {
        return FAILED;
@@ -1226,11 +1297,13 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
        {
                /*TODO*/
        }
-       
+
+#ifdef HAVE_NATT
        if (encap)
        {
                add_encap_ext(msg, src, dst);
        }
+#endif /*HAVE_NATT*/
        
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
        {
@@ -1346,11 +1419,13 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
        {
                PFKEY_EXT_COPY(msg, response.key_auth);
        }
-       
+
+#ifdef HAVE_NATT
        if (new_encap)
        {
                add_encap_ext(msg, new_src, new_dst);
        }
+#endif /*HAVE_NATT*/
        
        free(out);
        
@@ -1374,8 +1449,9 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
-                                          u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
+                                          host_t *dst, u_int32_t spi, protocol_id_t protocol,
+                                          u_int16_t cpi)
 {
        unsigned char request[PFKEY_BUFFER_SIZE];
        struct sadb_msg *msg, *out;
@@ -1398,9 +1474,8 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
        sa->sadb_sa_spi = spi;
        PFKEY_EXT_ADD(msg, sa);
        
-       /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
-        * it is not used for anything. */
-       add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+       /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */
+       add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
        add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
        
        if (pfkey_send(this, msg, &out, &len) != SUCCESS)
@@ -1424,7 +1499,7 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
 /**
  * Implementation of kernel_interface_t.add_policy.
  */
-static status_t add_policy(private_kernel_pfkey_ipsec_t *this, 
+static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                                                   host_t *src, host_t *dst,
                                                   traffic_selector_t *src_ts,
                                                   traffic_selector_t *dst_ts,
@@ -1463,7 +1538,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                this->policies->insert_last(this->policies, policy);
                policy->refcount = 1;
        }
-               
+       
        memset(&request, 0, sizeof(request));
        
        DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
@@ -1480,12 +1555,14 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
        pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
        pol->sadb_x_policy_id = 0;
        pol->sadb_x_policy_dir = dir2kernel(direction);
+       pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
        /* calculate priority based on source selector size, small size = high prio */
        pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
        pol->sadb_x_policy_priority -= policy->src.mask * 10;
        pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
        pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
-       pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#endif
        
        /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
        req = (struct sadb_x_ipsecrequest*)(pol + 1);
@@ -1599,9 +1676,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
                {
                        free(route);
                }
-       }       
+       }
        
-       this->mutex->unlock(this->mutex);       
+       this->mutex->unlock(this->mutex);
        
        return SUCCESS;
 }
@@ -1610,7 +1687,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
  * Implementation of kernel_interface_t.query_policy.
  */
 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
-                                                        traffic_selector_t *src_ts, 
+                                                        traffic_selector_t *src_ts,
                                                         traffic_selector_t *dst_ts,
                                                         policy_dir_t direction, u_int32_t *use_time)
 {
@@ -1689,7 +1766,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
        *use_time = response.lft_current->sadb_lifetime_usetime;
        
        free(out);
-                       
+       
        return SUCCESS;
 }
 
@@ -1697,7 +1774,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
  * Implementation of kernel_interface_t.del_policy.
  */
 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
-                                                  traffic_selector_t *src_ts, 
+                                                  traffic_selector_t *src_ts,
                                                   traffic_selector_t *dst_ts,
                                                   policy_dir_t direction, bool unrouted)
 {
@@ -1722,7 +1799,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                if (--found->refcount > 0)
                {
                        /* is used by more SAs, keep in kernel */
-                       DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");    
+                       DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
                        policy_entry_destroy(policy);
                        this->mutex->unlock(this->mutex);
                        return SUCCESS;
@@ -1741,7 +1818,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                return NOT_FOUND;
        }
        this->mutex->unlock(this->mutex);
-               
+       
        memset(&request, 0, sizeof(request));
        
        msg = (struct sadb_msg*)request;
@@ -1791,7 +1868,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
                        DBG1(DBG_KNL, "error uninstalling route installed with "
                                                  "policy %R === %R %N", src_ts, dst_ts,
                                                   policy_dir_names, direction);
-               }               
+               }
                route_entry_destroy(route);
        }
        
@@ -1863,22 +1940,26 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
                switch (family)
                {
                        case AF_INET:
+                       {
                                sol = SOL_IP;
                                ipsec_policy = IP_IPSEC_POLICY;
                                break;
+                       }
                        case AF_INET6:
                        {
                                sol = SOL_IPV6;
                                ipsec_policy = IPV6_IPSEC_POLICY;
                                break;
                        }
+                       default:
+                               continue;
                }
                
                memset(&policy, 0, sizeof(policy));
                policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
                policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
                policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-       
+               
                policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
                if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
                {
@@ -1890,7 +1971,7 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
                policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
                if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
                {
-                       DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", 
+                       DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
                                 strerror(errno));
                        status = FALSE;
                        break;
@@ -1912,7 +1993,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
        this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am
new file mode 100644 (file)
index 0000000..3ad445c
--- /dev/null
@@ -0,0 +1,10 @@
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+
+libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+       kernel_pfroute_net.h kernel_pfroute_net.c
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
new file mode 100644 (file)
index 0000000..7805b63
--- /dev/null
@@ -0,0 +1,715 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <ifaddrs.h>
+#include <net/route.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <errno.h>
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <utils/mutex.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/roam_job.h>
+
+#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
+#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
+#endif
+
+/** delay before firing roam jobs (ms) */
+#define ROAM_DELAY 100
+
+/** buffer size for PF_ROUTE messages */
+#define PFROUTE_BUFFER_SIZE 4096
+
+typedef struct addr_entry_t addr_entry_t;
+
+/**
+ * IP address in an inface_entry_t
+ */
+struct addr_entry_t {
+       
+       /** The ip address */
+       host_t *ip;
+       
+       /** virtual IP managed by us */
+       bool virtual;
+       
+       /** Number of times this IP is used, if virtual */
+       u_int refcount;
+};
+
+/**
+ * destroy a addr_entry_t object
+ */
+static void addr_entry_destroy(addr_entry_t *this)
+{
+       this->ip->destroy(this->ip);
+       free(this);
+}
+
+typedef struct iface_entry_t iface_entry_t;
+
+/**
+ * A network interface on this system, containing addr_entry_t's
+ */
+struct iface_entry_t {
+       
+       /** interface index */
+       int ifindex;
+       
+       /** name of the interface */
+       char ifname[IFNAMSIZ];
+       
+       /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+       u_int flags;
+       
+       /** list of addresses as host_t */
+       linked_list_t *addrs;
+};
+
+/**
+ * destroy an interface entry
+ */
+static void iface_entry_destroy(iface_entry_t *this)
+{
+       this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
+       free(this);
+}
+
+
+typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
+
+/**
+ * Private variables and functions of kernel_pfroute class.
+ */
+struct private_kernel_pfroute_net_t
+{
+       /**
+        * Public part of the kernel_pfroute_t object.
+        */
+       kernel_pfroute_net_t public;
+       
+       /**
+        * mutex to lock access to various lists
+        */
+       mutex_t *mutex;
+       
+       /**
+        * Cached list of interfaces and their addresses (iface_entry_t)
+        */
+       linked_list_t *ifaces;
+       
+       /**
+        * job receiving PF_ROUTE events
+        */
+       callback_job_t *job;
+       
+       /**
+        * mutex to lock access to the PF_ROUTE socket
+        */
+       mutex_t *mutex_pfroute;
+       
+       /**
+        * PF_ROUTE socket to communicate with the kernel
+        */
+       int socket;
+       
+       /**
+        * PF_ROUTE socket to receive events
+        */
+       int socket_events;
+       
+       /**
+        * sequence number for messages sent to the kernel
+        */
+       int seq;
+       
+       /**
+        * time of last roam job
+        */
+       struct timeval last_roam;
+};
+
+/**
+ * Start a roaming job. We delay it a bit and fire only one job
+ * for multiple events. Otherwise we would create too many jobs.
+ */
+static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
+{
+       struct timeval now;
+       
+       if (gettimeofday(&now, NULL) == 0)
+       {
+               if (timercmp(&now, &this->last_roam, >))
+               {
+                       now.tv_usec += ROAM_DELAY * 1000;
+                       while (now.tv_usec > 1000000)
+                       {
+                               now.tv_sec++;
+                               now.tv_usec -= 1000000;
+                       }
+                       this->last_roam = now;
+                       charon->scheduler->schedule_job_ms(charon->scheduler,
+                               (job_t*)roam_job_create(address), ROAM_DELAY);
+               }
+       }
+}
+
+/**
+ * Process an RTM_*ADDR message from the kernel
+ */
+static void process_addr(private_kernel_pfroute_net_t *this,
+                                                struct rt_msghdr *msg)
+{
+       struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
+       sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
+       host_t *host = NULL;
+       enumerator_t *ifaces, *addrs;
+       iface_entry_t *iface;
+       addr_entry_t *addr;
+       bool found = FALSE, changed = FALSE, roam = FALSE;
+       int i;
+       
+       for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
+       {
+               if (ifa->ifam_addrs & i)
+               {
+                       if (RTA_IFA & i)
+                       {
+                               host = host_create_from_sockaddr(sockaddr);
+                               break;
+                       }
+                       sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
+               }
+       }
+       
+       if (!host)
+       {
+               return;
+       }
+       
+       this->mutex->lock(this->mutex);
+       ifaces = this->ifaces->create_enumerator(this->ifaces);
+       while (ifaces->enumerate(ifaces, &iface))
+       {
+               if (iface->ifindex == ifa->ifam_index)
+               {
+                       addrs = iface->addrs->create_enumerator(iface->addrs);
+                       while (addrs->enumerate(addrs, &addr))
+                       {
+                               if (host->ip_equals(host, addr->ip))
+                               {
+                                       found = TRUE;
+                                       if (ifa->ifam_type == RTM_DELADDR)
+                                       {
+                                               iface->addrs->remove_at(iface->addrs, addrs);
+                                               if (!addr->virtual)
+                                               {
+                                                       changed = TRUE;
+                                                       DBG1(DBG_KNL, "%H disappeared from %s",
+                                                                host, iface->ifname);
+                                               }
+                                               addr_entry_destroy(addr);
+                                       }
+                                       else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
+                                       {
+                                               addr->refcount = 1;
+                                       }
+                               }
+                       }
+                       addrs->destroy(addrs);
+                       
+                       if (!found && ifa->ifam_type == RTM_NEWADDR)
+                       {
+                               changed = TRUE;
+                               addr = malloc_thing(addr_entry_t);
+                               addr->ip = host->clone(host);
+                               addr->virtual = FALSE;
+                               addr->refcount = 1;
+                               iface->addrs->insert_last(iface->addrs, addr);
+                               DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+                       }
+                       
+                       if (changed && (iface->flags & IFF_UP))
+                       {
+                               roam = TRUE;
+                       }
+                       break;
+               }
+       }
+       ifaces->destroy(ifaces);
+       this->mutex->unlock(this->mutex);
+       host->destroy(host);
+       
+       if (roam)
+       {
+               fire_roam_job(this, TRUE);
+       }
+}
+
+/**
+ * Process an RTM_IFINFO message from the kernel
+ */
+static void process_link(private_kernel_pfroute_net_t *this,
+                                                struct rt_msghdr *hdr)
+{
+       struct if_msghdr *msg = (struct if_msghdr*)hdr;
+       enumerator_t *enumerator;
+       iface_entry_t *iface;
+       bool roam = FALSE;
+       
+       if (msg->ifm_flags & IFF_LOOPBACK)
+       {       /* ignore loopback interfaces */
+               return;
+       }
+       
+       this->mutex->lock(this->mutex);
+       enumerator = this->ifaces->create_enumerator(this->ifaces);
+       while (enumerator->enumerate(enumerator, &iface))
+       {
+               if (iface->ifindex == msg->ifm_index)
+               {
+                       if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
+                       {
+                               roam = TRUE;
+                               DBG1(DBG_KNL, "interface %s activated", iface->ifname);
+                       }
+                       else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
+                       {
+                               roam = TRUE;
+                               DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
+                       }
+                       iface->flags = msg->ifm_flags;
+                       break;
+               }
+       }
+       enumerator->destroy(enumerator);
+       this->mutex->unlock(this->mutex);
+       
+       if (roam)
+       {
+               fire_roam_job(this, TRUE);
+       }
+}
+
+/**
+ * Process an RTM_*ROUTE message from the kernel
+ */
+static void process_route(private_kernel_pfroute_net_t *this,
+                                                 struct rt_msghdr *msg)
+{
+
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
+{
+       unsigned char buf[PFROUTE_BUFFER_SIZE];
+       struct rt_msghdr *msg = (struct rt_msghdr*)buf;
+       int len, oldstate;
+       
+       pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+       len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
+       pthread_setcancelstate(oldstate, NULL);
+       
+       if (len < 0)
+       {
+               switch (errno)
+               {
+                       case EINTR:
+                               /* interrupted, try again */
+                               return JOB_REQUEUE_DIRECT;
+                       case EAGAIN:
+                               /* no data ready, select again */
+                               return JOB_REQUEUE_DIRECT;
+                       default:
+                               DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
+                               sleep(1);
+                               return JOB_REQUEUE_FAIR;
+               }
+       }
+       
+       if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
+               msg->rtm_version != RTM_VERSION)
+       {
+               DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
+               return JOB_REQUEUE_DIRECT;
+       }
+       
+       switch (msg->rtm_type)
+       {
+               case RTM_NEWADDR:
+               case RTM_DELADDR:
+                       process_addr(this, msg);
+                       break;
+               case RTM_IFINFO:
+               /*case RTM_IFANNOUNCE <- what about this*/
+                       process_link(this, msg);
+                       break;
+               case RTM_ADD:
+               case RTM_DELETE:
+                       process_route(this, msg);
+               default:
+                       break;
+       }
+       
+       return JOB_REQUEUE_DIRECT;
+}
+
+
+/** enumerator over addresses */
+typedef struct {
+       private_kernel_pfroute_net_t* this;
+       /** whether to enumerate down interfaces */
+       bool include_down_ifaces;
+       /** whether to enumerate virtual ip addresses */
+       bool include_virtual_ips;
+} address_enumerator_t;
+
+/**
+ * cleanup function for address enumerator
+ */
+static void address_enumerator_destroy(address_enumerator_t *data)
+{
+       data->this->mutex->unlock(data->this->mutex);
+       free(data);
+}
+
+/**
+ * filter for addresses
+ */
+static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+{
+       host_t *ip;
+       if (!data->include_virtual_ips && (*in)->virtual)
+       {   /* skip virtual interfaces added by us */
+               return FALSE;
+       }
+       ip = (*in)->ip;
+       if (ip->get_family(ip) == AF_INET6)
+       {
+               struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip);
+               if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+               {   /* skip addresses with a unusable scope */
+                       return FALSE;
+               }
+       }
+       *out = ip;
+       return TRUE;
+}
+
+/**
+ * enumerator constructor for interfaces
+ */
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+{
+       return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+                                                                       (void*)filter_addresses, data, NULL);
+}
+
+/**
+ * filter for interfaces
+ */
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+{
+       if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+       {   /* skip interfaces not up */
+               return FALSE;
+       }
+       *out = *in;
+       return TRUE;
+}
+
+/**
+ * implementation of kernel_net_t.create_address_enumerator
+ */
+static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this,
+               bool include_down_ifaces, bool include_virtual_ips)
+{
+       address_enumerator_t *data = malloc_thing(address_enumerator_t);
+       data->this = this;
+       data->include_down_ifaces = include_down_ifaces;
+       data->include_virtual_ips = include_virtual_ips;
+
+       this->mutex->lock(this->mutex);
+       return enumerator_create_nested(
+                               enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
+                                               (void*)filter_interfaces, data, NULL),
+                               (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+}
+
+/**
+ * implementation of kernel_net_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
+{
+       enumerator_t *ifaces, *addrs;
+       iface_entry_t *iface;
+       addr_entry_t *addr;
+       char *name = NULL;
+
+       DBG2(DBG_KNL, "getting interface name for %H", ip);
+
+       this->mutex->lock(this->mutex);
+       ifaces = this->ifaces->create_enumerator(this->ifaces);
+       while (ifaces->enumerate(ifaces, &iface))
+       {
+               addrs = iface->addrs->create_enumerator(iface->addrs);
+               while (addrs->enumerate(addrs, &addr))
+               {
+                       if (ip->ip_equals(ip, addr->ip))
+                       {
+                               name = strdup(iface->ifname);
+                               break;
+                       }
+               }
+               addrs->destroy(addrs);
+               if (name)
+               {
+                       break;
+               }
+       }
+       ifaces->destroy(ifaces);
+       this->mutex->unlock(this->mutex);
+       
+       if (name)
+       {
+               DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+       }
+       else
+       {
+               DBG2(DBG_KNL, "%H is not a local address", ip);
+       }
+       return name;
+}
+
+/**
+ * Implementation of kernel_net_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_pfroute_net_t *this,
+                                                          host_t *dest, host_t *src)
+{
+       return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.get_nexthop.
+ */
+static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest)
+{
+       return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.add_ip.
+ */
+static status_t add_ip(private_kernel_pfroute_net_t *this,
+                                               host_t *virtual_ip, host_t *iface_ip)
+{
+       return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_ip.
+ */
+static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+{
+       return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.add_route.
+ */
+static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+               u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+       return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_route.
+ */
+static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+               u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+       return FAILED;
+}
+
+/**
+ * Initialize a list of local addresses.
+ */
+static status_t init_address_list(private_kernel_pfroute_net_t *this)
+{
+       struct ifaddrs *ifap, *ifa;
+       iface_entry_t *iface, *current;
+       addr_entry_t *addr;
+       enumerator_t *ifaces, *addrs;
+       
+       DBG1(DBG_KNL, "listening on interfaces:");
+       
+       if (getifaddrs(&ifap) < 0)
+       {
+               DBG1(DBG_KNL, "  failed to get interfaces!");
+               return FAILED;
+       }
+       
+       for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
+       {
+               if (ifa->ifa_addr == NULL)
+               {
+                       continue;
+               }
+               switch(ifa->ifa_addr->sa_family)
+               {
+                       case AF_LINK:
+                       case AF_INET:
+                       case AF_INET6:
+                       {
+                               if (ifa->ifa_flags & IFF_LOOPBACK)
+                               {       /* ignore loopback interfaces */
+                                       continue;
+                               }
+                               
+                               iface = NULL;
+                               ifaces = this->ifaces->create_enumerator(this->ifaces);
+                               while (ifaces->enumerate(ifaces, &current))
+                               {
+                                       if (streq(current->ifname, ifa->ifa_name))
+                                       {
+                                               iface = current;
+                                               break;
+                                       }
+                               }
+                               ifaces->destroy(ifaces);
+                               
+                               if (!iface)
+                               {
+                                       iface = malloc_thing(iface_entry_t);
+                                       memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
+                                       iface->ifindex = if_nametoindex(ifa->ifa_name);
+                                       iface->flags = ifa->ifa_flags;
+                                       iface->addrs = linked_list_create();
+                                       this->ifaces->insert_last(this->ifaces, iface);
+                               }
+                               
+                               if (ifa->ifa_addr->sa_family != AF_LINK)
+                               {
+                                       addr = malloc_thing(addr_entry_t);
+                                       addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
+                                       addr->virtual = FALSE;
+                                       addr->refcount = 1;
+                                       iface->addrs->insert_last(iface->addrs, addr);
+                               }
+                       }
+               }
+       }
+       freeifaddrs(ifap);
+       
+       ifaces = this->ifaces->create_enumerator(this->ifaces);
+       while (ifaces->enumerate(ifaces, &iface))
+       {
+               if (iface->flags & IFF_UP)
+               {
+                       DBG1(DBG_KNL, "  %s", iface->ifname);
+                       addrs = iface->addrs->create_enumerator(iface->addrs);
+                       while (addrs->enumerate(addrs, (void**)&addr))
+                       {
+                               DBG1(DBG_KNL, "    %H", addr->ip);
+                       }
+                       addrs->destroy(addrs);
+               }
+       }
+       ifaces->destroy(ifaces);
+       
+       return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_netlink_net_t.destroy.
+ */
+static void destroy(private_kernel_pfroute_net_t *this)
+{
+       this->job->cancel(this->job);
+       close(this->socket);
+       close(this->socket_events);
+       this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+       this->mutex->destroy(this->mutex);
+       this->mutex_pfroute->destroy(this->mutex_pfroute);
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create()
+{
+       private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
+       
+       /* public functions */
+       this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
+       this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
+       this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
+       this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
+       this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
+       this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
+       this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+       this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
+       
+       this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
+       
+       /* private members */
+       this->ifaces = linked_list_create();
+       this->mutex = mutex_create(MUTEX_DEFAULT);
+       this->mutex_pfroute = mutex_create(MUTEX_DEFAULT);
+       
+       this->seq = 0;
+       
+       /* create a PF_ROUTE socket to communicate with the kernel */
+       this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+       if (this->socket <= 0)
+       {
+               charon->kill(charon, "unable to create PF_ROUTE socket");
+       }
+       
+       /* create a PF_ROUTE socket to receive events */
+       this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+       if (this->socket_events <= 0)
+       {
+               charon->kill(charon, "unable to create PF_ROUTE event socket");
+       }
+       
+       this->job = callback_job_create((callback_job_cb_t)receive_events,
+                                                                       this, NULL, NULL);
+       charon->processor->queue_job(charon->processor, (job_t*)this->job);
+       
+       if (init_address_list(this) != SUCCESS)
+       {
+               charon->kill(charon, "unable to get interface list");
+       }
+       
+       return &this->public;
+}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
new file mode 100644 (file)
index 0000000..9138bef
--- /dev/null
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup kernel_pfroute_net_i kernel_pfroute_net
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_NET_H_
+#define KERNEL_PFROUTE_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_pfroute_net_t kernel_pfroute_net_t;
+
+/**
+ * Implementation of the kernel net interface using PF_ROUTE.
+ */
+struct kernel_pfroute_net_t {
+
+       /**
+        * Implements kernel_net_t interface
+        */
+       kernel_net_t interface;
+};
+
+/**
+ * Create a PF_ROUTE kernel net interface instance.
+ *
+ * @return                     kernel_pfroute_net_t instance
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create();
+
+#endif /** KERNEL_PFROUTE_NET_H_ @}*/
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
new file mode 100644 (file)
index 0000000..a6d9528
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+
+#include "kernel_pfroute_plugin.h"
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
+
+/**
+ * private data of kernel PF_ROUTE plugin
+ */
+struct private_kernel_pfroute_plugin_t {
+       /**
+        * implements plugin interface
+        */
+       kernel_pfroute_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfroute_plugin_t *this)
+{
+       charon->kernel_interface->remove_net_interface(charon->kernel_interface,
+                                               (kernel_net_constructor_t)kernel_pfroute_net_create);
+       free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+       private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
+       
+       this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+       
+       charon->kernel_interface->add_net_interface(charon->kernel_interface,
+                                               (kernel_net_constructor_t)kernel_pfroute_net_create);
+       
+       return &this->public.plugin;
+}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
new file mode 100644 (file)
index 0000000..f8ae1a9
--- /dev/null
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup kernel_pfroute kernel_pfroute
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_PLUGIN_H_
+#define KERNEL_PFROUTE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t;
+
+/**
+ * PF_ROUTE kernel interface plugin
+ */
+struct kernel_pfroute_plugin_t {
+
+       /**
+        * implements plugin interface
+        */
+       plugin_t plugin;
+};
+
+/**
+ * Create a kernel_pfroute_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/
index 9abd651..66ebd07 100644 (file)
@@ -88,8 +88,9 @@ static status_t update_sa(private_load_tester_ipsec_t *this,
 /**
  * Implementation of kernel_interface_t.del_sa.
  */
-static status_t del_sa(private_load_tester_ipsec_t *this, host_t *dst,
-                                          u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src,
+                                          host_t *dst, u_int32_t spi, protocol_id_t protocol,
+                                          u_int16_t cpi)
 {
        return SUCCESS;
 }
@@ -152,7 +153,7 @@ load_tester_ipsec_t *load_tester_ipsec_create()
        this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
        this->public.interface.add_sa  = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
        this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
-       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+       this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
        this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
        this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
        this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
index 1e99f69..2a49720 100644 (file)
@@ -96,7 +96,7 @@ static enumerator_t* create_private_enumerator(private_medcli_creds_t *this,
        if ((type != KEY_RSA && type != KEY_ANY) ||
                id == NULL || id->get_type(id) != ID_KEY_ID)
        {
-               DBG1(DBG_CFG, "%N - %D", key_type_names, type, id);
+               DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id);
                return NULL;
        }
        
index c76222f..1eab8f2 100644 (file)
@@ -79,7 +79,7 @@ static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
        if (out)
        {
                addr = host_create_from_chunk(family, data, 0);
-               fprintf(out, "nameserver %H   # by strongSwan, from %D\n",
+               fprintf(out, "nameserver %H   # by strongSwan, from %Y\n",
                                addr, ike_sa->get_other_id(ike_sa));
                DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
                addr->destroy(addr);
@@ -140,7 +140,7 @@ static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
                {
                        addr = host_create_from_chunk(family, data, 0);
                        snprintf(matcher, sizeof(matcher),
-                                        "nameserver %H   # by strongSwan, from %D\n",
+                                        "nameserver %H   # by strongSwan, from %Y\n",
                                         addr, ike_sa->get_other_id(ike_sa));
                        
                        /* copy all, but matching line */
index 33a2bb4..40eeefc 100644 (file)
@@ -109,7 +109,7 @@ static void write_id(xmlTextWriterPtr writer, char *element, identification_t *i
                                        break;
                        }
                        xmlTextWriterWriteAttribute(writer, "type", type);
-                       xmlTextWriterWriteFormatString(writer, "%D", id);
+                       xmlTextWriterWriteFormatString(writer, "%Y", id);
                        break;
                }
                default:
index a1c67c6..28cd038 100644 (file)
@@ -562,7 +562,7 @@ static void leases(char *filter, bool utc)
                                printf("    ");
                        }
                }
-               printf("%D\n", identity);
+               printf("%Y\n", identity);
                DESTROY_IF(address);
                identity->destroy(identity);
        }
index a3beb3a..5623769 100644 (file)
@@ -223,7 +223,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                        id = pool->ids->get(pool->ids, id);
                        if (id)
                        {
-                               DBG1(DBG_CFG, "reassigning offline lease to %D", id);
+                               DBG1(DBG_CFG, "reassigning offline lease to %Y", id);
                                pool->online->put(pool->online, id, (void*)offset);
                                break;
                        }
@@ -233,7 +233,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                offset = (uintptr_t)pool->online->get(pool->online, id);
                if (offset && offset == host2offset(pool, requested))
                {
-                       DBG1(DBG_CFG, "reassigning online lease to %D", id);
+                       DBG1(DBG_CFG, "reassigning online lease to %Y", id);
                        break;
                }
                
@@ -245,7 +245,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                        id = id->clone(id);
                        pool->ids->put(pool->ids, id, id);
                        pool->online->put(pool->online, id, (void*)offset);
-                       DBG1(DBG_CFG, "assigning new lease to %D", id);
+                       DBG1(DBG_CFG, "assigning new lease to %Y", id);
                        break;
                }
                /* no more addresses, replace the first found offline lease */
@@ -257,7 +257,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
                        {
                                /* destroy reference to old ID */
                                old_id = pool->ids->remove(pool->ids, old_id);
-                               DBG1(DBG_CFG, "reassigning existing offline lease of %D to %D",
+                               DBG1(DBG_CFG, "reassigning existing offline lease of %Y to %Y",
                                         old_id, id);
                                if (old_id)
                                {
@@ -305,7 +305,7 @@ static bool release_address(private_stroke_attribute_t *this,
                                id = pool->ids->get(pool->ids, id);
                                if (id)
                                {
-                                       DBG1(DBG_CFG, "lease %H of %D went offline", address, id);
+                                       DBG1(DBG_CFG, "lease %H of %Y went offline", address, id);
                                        pool->offline->put(pool->offline, id, (void*)offset);
                                        found = TRUE;
                                }
index 5435643..dffa8e2 100644 (file)
@@ -398,14 +398,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
                        first = FALSE;
                }
                fprintf(out, "\n");
-               fprintf(out, "  authname:    \"%D\"\n", cert->get_subject(cert));
+               fprintf(out, "  authname:    \"%Y\"\n", cert->get_subject(cert));
 
                /* list authkey and keyid */
                if (public)
                {
-                       fprintf(out, "  authkey:      %D\n",
+                       fprintf(out, "  authkey:      %Y\n",
                                        public->get_id(public, ID_PUBKEY_SHA1));
-                       fprintf(out, "  keyid:        %D\n",
+                       fprintf(out, "  keyid:        %Y\n",
                                        public->get_id(public, ID_PUBKEY_INFO_SHA1));
                        public->destroy(public);
                }
index 4a0b1ff..21e2fd2 100644 (file)
@@ -386,8 +386,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                        if (identity->get_type(identity) == ID_ANY ||
                                !certificate->has_subject(certificate, identity))
                        {
-                               DBG1(DBG_CFG, "  peerid %D not confirmed by certificate, "
-                                        "defaulting to subject DN: %D", identity,
+                               DBG1(DBG_CFG, "  peerid %Y not confirmed by certificate, "
+                                        "defaulting to subject DN: %Y", identity,
                                         certificate->get_subject(certificate));
                                identity->destroy(identity);
                                identity = certificate->get_subject(certificate);
index 08d5051..634a89d 100644 (file)
@@ -249,7 +249,7 @@ static void terminate_srcip(private_stroke_control_t *this,
        enumerator_t *enumerator;
        ike_sa_t *ike_sa;
        host_t *start = NULL, *end = NULL, *vip;
-       chunk_t chunk_start, chunk_end, chunk_vip;
+       chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
        
        if (msg->terminate_srcip.start)
        {
index 066591c..689e463 100644 (file)
@@ -74,7 +74,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
                fprintf(out, " %V ago", &now, &established);
        }
        
-       fprintf(out, ", %H[%D]...%H[%D]\n",
+       fprintf(out, ", %H[%Y]...%H[%Y]\n",
                        ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
                        ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
        
@@ -266,7 +266,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
        enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
        while (enumerator->enumerate(enumerator, &auth))
        {
-               fprintf(out, "%12s:   %s [%D] uses ", name,     local ? "local: " : "remote:",
+               fprintf(out, "%12s:   %s [%Y] uses ", name,     local ? "local: " : "remote:",
                                auth->get(auth, AUTH_RULE_IDENTITY));
 
                auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
@@ -297,7 +297,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
                        id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
                        if (id)
                        {
-                               fprintf(out, " with EAP identity '%D'", id);
+                               fprintf(out, " with EAP identity '%Y'", id);
                        }
                        fprintf(out, "\n");
                }
@@ -305,19 +305,19 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
                cert = auth->get(auth, AUTH_RULE_CA_CERT);
                if (cert)
                {
-                       fprintf(out, "%12s:    ca:    \"%D\"\n", name, cert->get_subject(cert));
+                       fprintf(out, "%12s:    ca:    \"%Y\"\n", name, cert->get_subject(cert));
                }
 
                cert = auth->get(auth, AUTH_RULE_IM_CERT);
                if (cert)
                {
-                       fprintf(out, "%12s:    im-ca: \"%D\"\n", name, cert->get_subject(cert));
+                       fprintf(out, "%12s:    im-ca: \"%Y\"\n", name, cert->get_subject(cert));
                }
 
                cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
                if (cert)
                {
-                       fprintf(out, "%12s:    cert:  \"%D\"\n", name,
+                       fprintf(out, "%12s:    cert:  \"%Y\"\n", name,
                                        cert->get_subject(cert));
                }
 
@@ -340,7 +340,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
                {
                        if (rule == AUTH_RULE_AC_GROUP)
                        {
-                               fprintf(out, "%12s:    group: %D\n", name, id);
+                               fprintf(out, "%12s:    group: %Y\n", name, id);
                        }
                }
                rules->destroy(rules);
@@ -593,8 +593,8 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
                                        key_type_names, public->get_type(public),
                                        public->get_keysize(public) * 8,
                                        private ? ", has private key" : "");
-                       fprintf(out, "  keyid:     %D\n", keyid);
-                       fprintf(out, "  subjkey:   %D\n", id);
+                       fprintf(out, "  keyid:     %Y\n", keyid);
+                       fprintf(out, "  subjkey:   %Y\n", id);
                        DESTROY_IF(private);
                        public->destroy(public);
                }
@@ -650,7 +650,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                                {
                                        fprintf(out, ", ");
                                }
-                               fprintf(out, "%D", altName);
+                               fprintf(out, "%Y", altName);
                        }
                        if (!first_altName)
                        {
@@ -658,8 +658,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                        }
                        enumerator->destroy(enumerator);
 
-                       fprintf(out, "  subject:  \"%D\"\n", cert->get_subject(cert));
-                       fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+                       fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
+                       fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
                        fprintf(out, "  serial:    %#B\n", &serial);
 
                        /* list validity */
@@ -704,8 +704,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                                                key_type_names, public->get_type(public),
                                                public->get_keysize(public) * 8,
                                                private ? ", has private key" : "");
-                               fprintf(out, "  keyid:     %D\n", keyid);
-                               fprintf(out, "  subjkey:   %D\n", id);
+                               fprintf(out, "  keyid:     %Y\n", keyid);
+                               fprintf(out, "  subjkey:   %Y\n", id);
                                DESTROY_IF(private);
                                public->destroy(public);
                        }
@@ -713,7 +713,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                        /* list optional authorityKeyIdentifier */
                        if (authkey)
                        {
-                               fprintf(out, "  authkey:   %D\n", authkey);
+                               fprintf(out, "  authkey:   %Y\n", authkey);
                        }
                }
        }
@@ -749,17 +749,17 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 
                if (entityName)
                {
-                       fprintf(out, "  holder:   \"%D\"\n", entityName);
+                       fprintf(out, "  holder:   \"%Y\"\n", entityName);
                }
                if (holderIssuer)
                {
-                       fprintf(out, "  hissuer:  \"%D\"\n", holderIssuer);
+                       fprintf(out, "  hissuer:  \"%Y\"\n", holderIssuer);
                }
                if (holderSerial.ptr)
                {
                        fprintf(out, "  hserial:   %#B\n", &holderSerial);
                }
-               fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+               fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
                fprintf(out, "  serial:    %#B\n", &serial);
 
                /* list validity */
@@ -783,7 +783,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
                /* list optional authorityKeyIdentifier */
                if (authkey)
                {
-                       fprintf(out, "  authkey:   %D\n", authkey);
+                       fprintf(out, "  authkey:   %Y\n", authkey);
                }
        }
        enumerator->destroy(enumerator);
@@ -813,7 +813,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
                }
                fprintf(out, "\n");
 
-               fprintf(out, "  issuer:   \"%D\"\n", cert->get_issuer(cert));
+               fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
 
                /* list optional crlNumber */
                if (serial.ptr)
@@ -856,7 +856,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
                /* list optional authorityKeyIdentifier */
                if (authkey)
                {
-                       fprintf(out, "  authkey:   %D\n", authkey);
+                       fprintf(out, "  authkey:   %Y\n", authkey);
                }
        }
        enumerator->destroy(enumerator);
@@ -881,7 +881,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
                        first = FALSE;
                }
 
-               fprintf(out, "  signer:   \"%D\"\n", cert->get_issuer(cert));
+               fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
        }
        enumerator->destroy(enumerator);
 }
@@ -1024,7 +1024,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
        {
                if (!address || address->ip_equals(address, lease))
                {
-                       fprintf(out, "  %15H   %s   '%D'\n",
+                       fprintf(out, "  %15H   %s   '%Y'\n",
                                        lease, on ? "online" : "offline", id);
                        found++;
                }
index d8cc69c..e1c3e58 100644 (file)
@@ -571,8 +571,11 @@ static job_requeue_t receive(private_stroke_socket_t *this)
  */
 static bool open_socket(private_stroke_socket_t *this)
 {
-       struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
+       struct sockaddr_un socket_addr;
        mode_t old;
+
+       socket_addr.sun_family = AF_UNIX;
+       strcpy(socket_addr.sun_path, STROKE_SOCKET);
        
        /* set up unix socket */
        this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
index 7dfb874..4feffd9 100644 (file)
@@ -188,14 +188,14 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
                                "PLUTO_INTERFACE='%s' "
                                "PLUTO_REQID='%u' "
                                "PLUTO_ME='%H' "
-                               "PLUTO_MY_ID='%D' "
+                               "PLUTO_MY_ID='%Y' "
                                "PLUTO_MY_CLIENT='%s/%s' "
                                "PLUTO_MY_CLIENT_NET='%s' "
                                "PLUTO_MY_CLIENT_MASK='%s' "
                                "PLUTO_MY_PORT='%u' "
                                "PLUTO_MY_PROTOCOL='%u' "
                                "PLUTO_PEER='%H' "
-                               "PLUTO_PEER_ID='%D' "
+                               "PLUTO_PEER_ID='%Y' "
                                "PLUTO_PEER_CLIENT='%s/%s' "
                                "PLUTO_PEER_CLIENT_NET='%s' "
                                "PLUTO_PEER_CLIENT_MASK='%s' "
index 5894b6a..607286b 100644 (file)
@@ -101,7 +101,7 @@ static void execute(private_mediation_job_t *this)
                                /* send callback to a peer */
                                if (target_sa->callback(target_sa, this->source) != SUCCESS)
                                {
-                                       DBG1(DBG_JOB, "callback for '%D' to '%D' failed",
+                                       DBG1(DBG_JOB, "callback for '%Y' to '%Y' failed",
                                                        this->source, this->target);
                                        charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
                                        destroy(this);
@@ -114,7 +114,7 @@ static void execute(private_mediation_job_t *this)
                                if (target_sa->relay(target_sa, this->source, this->connect_id,
                                                this->connect_key, this->endpoints, this->response) != SUCCESS)
                                {
-                                       DBG1(DBG_JOB, "mediation between '%D' and '%D' failed",
+                                       DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed",
                                                        this->source, this->target);
                                        charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
                                        /* FIXME: notify the initiator */
@@ -127,13 +127,13 @@ static void execute(private_mediation_job_t *this)
                }
                else
                {
-                       DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: "
+                       DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
                                        "SA not found", this->source, this->target);
                }
        }
        else
        {
-               DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: "
+               DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
                                "peer is not online anymore", this->source, this->target);
        }
        destroy(this);
index 876cb7b..27cec2d 100644 (file)
@@ -217,7 +217,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
                                {
                                        snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
                                        this->eap_identity = identification_create_from_string(buf);
-                                       DBG1(DBG_IKE, "received EAP identity '%D'",
+                                       DBG1(DBG_IKE, "received EAP identity '%Y'",
                                                 this->eap_identity);
                                }
                                /* restart EAP exchange, but with real method */
@@ -254,12 +254,12 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
                        if (vendor)
                        {
                                DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
-                                        "peer %D", type, vendor, 
+                                        "peer %Y", type, vendor, 
                                         this->ike_sa->get_other_id(this->ike_sa));
                        }
                        else
                        {
-                               DBG1(DBG_IKE, "EAP method %N failed for peer %D",
+                               DBG1(DBG_IKE, "EAP method %N failed for peer %Y",
                                         eap_type_names, type,
                                         this->ike_sa->get_other_id(this->ike_sa));
                        }
@@ -290,7 +290,7 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
                {
                        id = this->ike_sa->get_my_id(this->ike_sa);
                }
-               DBG1(DBG_IKE, "server requested %N, sending '%D'",
+               DBG1(DBG_IKE, "server requested %N, sending '%Y'",
                         eap_type_names, type, id);
                this->eap_identity = id->clone(id);
                
@@ -380,7 +380,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message)
        }
        chunk_free(&auth_data);
        
-       DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
                 other_id, auth_class_names, AUTH_CLASS_EAP);
        this->auth_complete = TRUE;
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
@@ -401,7 +401,7 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message)
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        keymat = this->ike_sa->get_keymat(this->ike_sa);
        
-       DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
+       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
                 my_id, auth_class_names, AUTH_CLASS_EAP);
        
        auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
index 45baa8e..5ce9193 100644 (file)
@@ -63,13 +63,13 @@ static status_t build(private_psk_authenticator_t *this, message_t *message)
        keymat = this->ike_sa->get_keymat(this->ike_sa);
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        other_id = this->ike_sa->get_other_id(this->ike_sa);
-       DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
+       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
                 my_id, auth_method_names, AUTH_PSK);
        key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
                                                                                  my_id, other_id);
        if (key == NULL)
        {
-               DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+               DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
                return NOT_FOUND;
        }
        auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
@@ -119,7 +119,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
                                                                        this->nonce, key->get_key(key), other_id);
                if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
                {
-                       DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
                                 other_id, auth_method_names, AUTH_PSK);
                        authenticated = TRUE;
                }
@@ -131,10 +131,10 @@ static status_t process(private_psk_authenticator_t *this, message_t *message)
        {
                if (keys_found == 0)
                {
-                       DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+                       DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
                        return NOT_FOUND;
                }
-               DBG1(DBG_IKE, "tried %d shared key%s for '%D' - '%D', but MAC mismatched",
+               DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched",
                         keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
                return FAILED;
        }
index 482d6b9..b8335a6 100644 (file)
@@ -71,7 +71,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
                                                                                           id, auth);
        if (private == NULL)
        {
-               DBG1(DBG_IKE, "no private key found for '%D'", id);
+               DBG1(DBG_IKE, "no private key found for '%Y'", id);
                return NOT_FOUND;
        }
        
@@ -122,7 +122,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
                message->add_payload(message, (payload_t*)auth_payload);
                status = SUCCESS;
        }
-       DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id,
+       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
                 auth_method_names, auth_method, 
                 (status == SUCCESS)? "successful":"failed");
        chunk_free(&octets);
@@ -186,7 +186,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
        {
                if (public->verify(public, scheme, octets, auth_data))
                {
-                       DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
                                                   id, auth_method_names, auth_method);
                        status = SUCCESS;
                        auth->merge(auth, current_auth, FALSE);
@@ -203,7 +203,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message
        chunk_free(&octets);
        if (status == NOT_FOUND)
        {
-               DBG1(DBG_IKE, "no trusted %N public key found for '%D'",
+               DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
                         key_type_names, key_type, id);
        }
        return status;
index 092210b..1ea9539 100644 (file)
@@ -724,14 +724,14 @@ static void destroy(private_child_sa_t *this)
        if (this->my_spi)
        {
                charon->kernel_interface->del_sa(charon->kernel_interface,
-                                       this->my_addr, this->my_spi, this->protocol,
-                                       this->my_cpi);
+                                       this->other_addr, this->my_addr, this->my_spi,
+                                       this->protocol, this->my_cpi);
        }
        if (this->other_spi)
        {
                charon->kernel_interface->del_sa(charon->kernel_interface,
-                                       this->other_addr, this->other_spi, this->protocol,
-                                       this->other_cpi);
+                                       this->my_addr, this->other_addr, this->other_spi,
+                                       this->protocol, this->other_cpi);
        }
        
        if (this->config->install_policy(this->config))
index 4574ea3..89d8882 100644 (file)
@@ -1196,8 +1196,8 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
                }
                else
                {
-                       DBG1(DBG_IKE, "there is no mediated connection waiting between '%D' "
-                                       "and '%D'", checklist->initiator.id, checklist->responder.id);
+                       DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y' "
+                                       "and '%Y'", checklist->initiator.id, checklist->responder.id);
                }
        }
 }
@@ -1396,7 +1396,7 @@ static bool check_and_register(private_connect_manager_t *this,
 
        if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
        {
-               DBG2(DBG_IKE, "registered waiting mediated connection with '%D'", peer_id);
+               DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'", peer_id);
                initiated = initiated_create(id, peer_id);
                this->initiated->insert_last(this->initiated, initiated);
                already_there = FALSE;
@@ -1425,7 +1425,7 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med
 
        if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
        {
-               DBG2(DBG_IKE, "no waiting mediated connections with '%D'", peer_id);
+               DBG2(DBG_IKE, "no waiting mediated connections with '%Y'", peer_id);
                this->mutex->unlock(this->mutex);
                return;
        }
index f6abb0c..311b18c 100644 (file)
@@ -1436,7 +1436,7 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
                                        {
                                                case UNIQUE_REPLACE:
                                                        DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
-                                                                       "'%D' due to uniqueness policy", other);
+                                                                       "'%Y' due to uniqueness policy", other);
                                                        status = duplicate->delete(duplicate);
                                                        break;
                                                case UNIQUE_KEEP:
index fbdf3ad..b652c29 100644 (file)
@@ -227,12 +227,12 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
        
        if (!found)
        {
-               DBG2(DBG_IKE, "adding peer '%D'", peer_id);
+               DBG2(DBG_IKE, "adding peer '%Y'", peer_id);
                peer = peer_create(peer_id, NULL);
                this->peers->insert_last(this->peers, peer);
        }
 
-       DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%D'", peer_id);                   
+       DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);                   
        peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
        
        /* send callbacks to registered peers */
@@ -284,7 +284,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
 
        if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
        {
-               DBG2(DBG_IKE, "adding peer %D", peer_id);
+               DBG2(DBG_IKE, "adding peer %Y", peer_id);
                peer = peer_create(peer_id, NULL);
                this->peers->insert_last(this->peers, peer);
        }
@@ -292,7 +292,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
        if (!peer->ike_sa_id)
        {
                /* the peer is not online */
-               DBG2(DBG_IKE, "requested peer '%D' is offline, registering peer '%D'", peer_id, requester);
+               DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'", peer_id, requester);
                register_peer(peer, requester);
                this->mutex->unlock(this->mutex);
                return NULL;
index d594e3b..b5ef17a 100644 (file)
@@ -642,7 +642,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                {       /* IDr received, check if it matches configuration */
                        if (id_cfg && !id->matches(id, id_cfg))
                        {
-                               DBG1(DBG_CFG, "received IDr %D, but require %D", id, id_cfg);
+                               DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
                                message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
                                                                        chunk_empty);
                                return FAILED;
@@ -730,7 +730,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                        return FAILED;
                }
                this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-               DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+               DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                         this->ike_sa->get_name(this->ike_sa),
                         this->ike_sa->get_unique_id(this->ike_sa),
                         this->ike_sa->get_my_host(this->ike_sa),
@@ -907,7 +907,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                        return FAILED;
                }
                this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-               DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+               DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                         this->ike_sa->get_name(this->ike_sa),
                         this->ike_sa->get_unique_id(this->ike_sa),
                         this->ike_sa->get_my_host(this->ike_sa),
index da3ee4d..3ef1caf 100644 (file)
@@ -140,7 +140,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
                        {
                                break;
                        }
-                       DBG1(DBG_IKE, "sending end entity cert \"%D\"",
+                       DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
                                 cert->get_subject(cert));
                        message->add_payload(message, (payload_t*)payload);
                        
@@ -152,7 +152,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
                                        payload = cert_payload_create_from_cert(cert);
                                        if (payload)
                                        {
-                                               DBG1(DBG_IKE, "sending issuer cert \"%D\"",
+                                               DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
                                                         cert->get_subject(cert));
                                                message->add_payload(message, (payload_t*)payload);
                                        }
index 0ec7004..db9e7bc 100644 (file)
@@ -95,14 +95,14 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
                                                                                        CERT_X509, KEY_ANY, id, TRUE);
                                        if (cert)
                                        {
-                                               DBG1(DBG_IKE, "received cert request for \"%D\"",
+                                               DBG1(DBG_IKE, "received cert request for \"%Y\"",
                                                         cert->get_subject(cert));
                                                auth->add(auth, AUTH_RULE_CA_CERT, cert);
                                        }
                                        else
                                        {
                                                DBG1(DBG_IKE, "received cert request for unknown ca "
-                                                                         "with keyid %D", id);
+                                                                         "with keyid %Y", id);
                                        }
                                        id->destroy(id);
                                }
@@ -211,14 +211,14 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
                                        {
                                                if (first)
                                                {       /* the first is an end entity certificate */
-                                                       DBG1(DBG_IKE, "received end entity cert \"%D\"",
+                                                       DBG1(DBG_IKE, "received end entity cert \"%Y\"",
                                                                 cert->get_subject(cert));
                                                        auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
                                                        first = FALSE;
                                                }
                                                else
                                                {
-                                                       DBG1(DBG_IKE, "received issuer cert \"%D\"",
+                                                       DBG1(DBG_IKE, "received issuer cert \"%Y\"",
                                                                 cert->get_subject(cert));
                                                        auth->add(auth, AUTH_HELPER_IM_CERT, cert);
                                                }
@@ -300,7 +300,7 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert)
                        keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
                        (*req)->add_keyid(*req, keyid->get_encoding(keyid));
                        public->destroy(public);
-                       DBG1(DBG_IKE, "sending cert request for \"%D\"",
+                       DBG1(DBG_IKE, "sending cert request for \"%Y\"",
                                 cert->get_subject(cert));
                        break;
                }
index 7ff9690..1850100 100644 (file)
@@ -56,7 +56,7 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
 {
        delete_payload_t *delete_payload;
 
-       DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+       DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa),
                 this->ike_sa->get_my_host(this->ike_sa),
@@ -95,7 +95,7 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
        DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa));
-       DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+       DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa),
                 this->ike_sa->get_my_host(this->ike_sa),
index 07dfb20..bb6f4f4 100644 (file)
@@ -339,7 +339,7 @@ static status_t process_r(private_ike_me_t *this, message_t *message)
                        
                        if (this->callback)
                        {
-                               DBG1(DBG_IKE, "received ME_CALLBACK for '%D'", this->peer_id);
+                               DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id);
                                break;
                        }                       
                        
@@ -471,7 +471,7 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
                        
                        if (this->failed)
                        {
-                               DBG1(DBG_IKE, "peer '%D' is not online", this->peer_id);
+                               DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id);
                                /* FIXME: notify the mediated connection (job?) */
                        }
                        else
index ef6e472..f564012 100644 (file)
@@ -177,7 +177,7 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
        
        this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
        this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                 this->new_sa->get_name(this->new_sa),
                 this->new_sa->get_unique_id(this->new_sa),
                 this->ike_sa->get_my_host(this->ike_sa),
@@ -246,7 +246,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
        }
        
        this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
-       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+       DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                 this->new_sa->get_name(this->new_sa),
                 this->new_sa->get_unique_id(this->new_sa),
                 this->ike_sa->get_my_host(this->ike_sa),
index 44964e0..f3ca1ca 100644 (file)
@@ -12,5 +12,5 @@ ipsec : ipsec.in
        -e "s:@IPSEC_SBINDIR@:$(sbindir):" \
        -e "s:@IPSEC_CONFDIR@:$(confdir):" \
        -e "s:@IPSEC_PIDDIR@:$(piddir):" \
-       $< > $@
+       $(srcdir)/$@.in > $@
        chmod +x $@
index 190a8c8..c074441 100644 (file)
@@ -1,13 +1,10 @@
 noinst_LIBRARIES = libfreeswan.a
 libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
                        atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
-                       goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipcomp.h \
-                       ipsec_ah.h ipsec_alg.h ipsec_encap.h ipsec_eroute.h ipsec_errs.h \
-                       ipsec_esp.h ipsec_ipe4.h ipsec_kversion.h ipsec_life.h ipsec_md5h.h \
-                       ipsec_param.h ipsec_policy.h ipsec_proto.h ipsec_radij.h ipsec_rcv.h \
-                       ipsec_sa.h ipsec_sha1.h ipsec_stats.h ipsec_tunnel.h ipsec_xform.h \
-                       ipsec_xmit.h  keyblobtoid.c optionsfrom.c pfkey_v2_build.c pfkey_v2_debug.c \
-                       pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c radij.h rangetoa.c \
+                       goodmask.c initaddr.c initsaid.c initsubnet.c internal.h \
+                       ipsec_param.h ipsec_policy.h \
+                       keyblobtoid.c optionsfrom.c pfkey_v2_build.c pfkey_v2_debug.c \
+                       pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \
                        pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \
                        satot.c subnetof.c subnettoa.c subnettot.c \
                        subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
index 51ab768..d92745a 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index ab303cc..c55f7ab 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index 473fc5d..d55ceea 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index 56b9893..09af2c2 100644 (file)
  */
 #define        _FREESWAN_H     /* seen it, no need to see it again */
 
-
-
-/*
- * We've just got to have some datatypes defined...  And annoyingly, just
- * where we get them depends on whether we're in userland or not.
- */
-#ifdef __KERNEL__
-
-#  include <linux/types.h>
-#  include <linux/in.h>
-
-#else /* __KERNEL__ */
-
+#  include <sys/types.h>
 #  include <stdio.h>
 #  include <netinet/in.h>
 
 
 #  define DEBUG_NO_STATIC static
 
-#endif /* __KERNEL__ */
-
 #include <ipsec_param.h>
 #include <utils.h>
 
 /*
- * Grab the kernel version to see if we have NET_21, and therefore 
- * IPv6. Some of this is repeated from ipsec_kversions.h. Of course, 
- * we aren't really testing if the kernel has IPv6, but rather if the
- * the include files do.
+ * We assume header files have IPv6 (i.e. kernel version >= 2.1.0)
  */
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
 #define NET_21
-#endif
 
 #ifndef IPPROTO_COMP
 #  define IPPROTO_COMP 108
  * use their definitions directly, they are subject to change!
  */
 
-/* first, some quick fakes in case we're on an old system with no IPv6 */
-#ifndef s6_addr16
-struct in6_addr {
-       union 
-       {
-               __u8            u6_addr8[16];
-               __u16           u6_addr16[8];
-               __u32           u6_addr32[4];
-       } in6_u;
-#define s6_addr                        in6_u.u6_addr8
-#define s6_addr16              in6_u.u6_addr16
-#define s6_addr32              in6_u.u6_addr32
-};
-struct sockaddr_in6 {
-       unsigned short int      sin6_family;    /* AF_INET6 */
-       __u16                   sin6_port;      /* Transport layer port # */
-       __u32                   sin6_flowinfo;  /* IPv6 flow information */
-       struct in6_addr         sin6_addr;      /* IPv6 address */
-       __u32                   sin6_scope_id;  /* scope id (new in RFC2553) */
-};
-#endif /* !s6_addr16 */
-
 /* then the main types */
 typedef struct {
        union {
@@ -119,11 +73,7 @@ typedef struct {
 } ip_subnet;
 
 /* and the SA ID stuff */
-#ifdef __KERNEL__
-typedef __u32 ipsec_spi_t;
-#else
 typedef u_int32_t ipsec_spi_t;
-#endif
 typedef struct {               /* to identify an SA, we need: */
         ip_address dst;                /* A. destination host */
         ipsec_spi_t spi;       /* B. 32-bit SPI, assigned by dest. host */
@@ -159,6 +109,8 @@ struct prng {                       /* pseudo-random-number-generator guts */
  */
 typedef uint32_t IPsecSAref_t;
 
+#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)
+
 #define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
 
 #define IPsecSAref2NFmark(x) ((x) << (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
@@ -441,11 +393,9 @@ bitstomask(
  * general utilities
  */
 
-#ifndef __KERNEL__
-/* option pickup from files (userland only because of use of FILE) */
+/* option pickup from files */
 const char *optionsfrom(const char *filename, int *argcp, char ***argvp,
                                                int optind, FILE *errorreport);
-#endif
 
 /*
  * Debugging levels for pfkey_lib_debug
index b8427c6..51f7f6f 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
index c18db31..a97cce9 100644 (file)
 #define        PASSTHROUGHDST  0
 #endif
 
-/*
- * Headers, greatly complicated by stupid and unnecessary inconsistencies
- * between the user environment and the kernel environment.  These are done
- * here so that this mess need exist in only one place.
- *
- * It may seem like a -I or two could avoid most of this, but on closer
- * inspection it is not quite that easy.
- */
-
-/* things that need to come from one place or the other, depending */
-#ifdef __KERNEL__
-#include <linux/types.h>
-#include <linux/socket.h>
-#include <linux/in.h>
-#include <linux/string.h>
-#include <linux/ctype.h>
-#define        assert(foo)     /* nothing */
-#else
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <string.h>
 #include <ctype.h>
 #include <assert.h>
-#endif
-
-/* things that exist only in userland */
-#ifndef __KERNEL__
-
-/* You'd think this would be okay in the kernel too -- it's just a */
-/* bunch of constants -- but no, in RH5.1 it screws up other things. */
-/* (Credit:  Mike Warfield tracked this problem down.  Thanks Mike!) */
-/* Fortunately, we don't need it in the kernel subset of the library. */
 #include <limits.h>
-
-/* header files for things that should never be called in kernel */
 #include <netdb.h>
-
-/* memory allocation, currently user-only, macro-ized just in case */
 #include <stdlib.h>
 #define        MALLOC(n)       malloc(n)
 #define        FREE(p)         free(p)
 
-#endif /* __KERNEL__ */
-
diff --git a/src/libfreeswan/ipcomp.h b/src/libfreeswan/ipcomp.h
deleted file mode 100644 (file)
index fd8e35d..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * IPCOMP zlib interface code.
- * Copyright (C) 2000  Svenning Soerensen <svenning@post5.tele.dk>
- * Copyright (C) 2000, 2001  Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
-
- RCSID $Id$
-
- */
-
-/* SSS */
-
-#ifndef _IPCOMP_H
-#define _IPCOMP_H
-
-/* Prefix all global deflate symbols with "ipcomp_" to avoid collisions with ppp_deflate & ext2comp */
-#ifndef IPCOMP_PREFIX
-#define IPCOMP_PREFIX
-#endif /* IPCOMP_PREFIX */
-
-#ifndef IPPROTO_COMP
-#define IPPROTO_COMP 108
-#endif /* IPPROTO_COMP */
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int sysctl_ipsec_debug_ipcomp;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-struct ipcomphdr {                     /* IPCOMP header */
-    __u8    ipcomp_nh;         /* Next header (protocol) */
-    __u8    ipcomp_flags;      /* Reserved, must be 0 */
-    __u16   ipcomp_cpi;                /* Compression Parameter Index */
-};
-
-extern struct inet_protocol comp_protocol;
-extern int sysctl_ipsec_debug_ipcomp;
-
-#define IPCOMP_UNCOMPRESSABLE     0x000000001
-#define IPCOMP_COMPRESSIONERROR   0x000000002
-#define IPCOMP_PARMERROR          0x000000004
-#define IPCOMP_DECOMPRESSIONERROR 0x000000008
-
-#define IPCOMP_ADAPT_INITIAL_TRIES     8
-#define IPCOMP_ADAPT_INITIAL_SKIP      4
-#define IPCOMP_ADAPT_SUBSEQ_TRIES      2
-#define IPCOMP_ADAPT_SUBSEQ_SKIP       8
-
-/* Function prototypes */
-struct sk_buff *skb_compress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags);
-struct sk_buff *skb_decompress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags);
-
-#endif /* _IPCOMP_H */
diff --git a/src/libfreeswan/ipsec_ah.h b/src/libfreeswan/ipsec_ah.h
deleted file mode 100644 (file)
index ccf40b6..0000000
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Authentication Header declarations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#include "ipsec_md5h.h"
-#include "ipsec_sha1.h"
-
-#ifndef IPPROTO_AH
-#define IPPROTO_AH 51
-#endif /* IPPROTO_AH */
-
-#define AH_FLENGTH             12              /* size of fixed part */
-#define AHMD5_KMAX             64              /* MD5 max 512 bits key */
-#define AHMD5_AMAX             12              /* MD5 96 bits of authenticator */
-
-#define AHMD596_KLEN           16              /* MD5 128 bits key */
-#define AHSHA196_KLEN          20              /* SHA1 160 bits key */
-
-#define AHMD596_ALEN           16              /* MD5 128 bits authentication length */
-#define AHSHA196_ALEN          20              /* SHA1 160 bits authentication length */
-
-#define AHMD596_BLKLEN         64              /* MD5 block length */
-#define AHSHA196_BLKLEN        64              /* SHA1 block length */
-#define AHSHA2_256_BLKLEN      64              /* SHA2-256 block length */
-#define AHSHA2_384_BLKLEN      128             /* SHA2-384 block length (?) */
-#define AHSHA2_512_BLKLEN      128             /* SHA2-512 block length */
-
-#define AH_BLKLEN_MAX          128             /* keep up to date! */
-
-#define AH_AMAX                AHSHA196_ALEN   /* keep up to date! */
-#define AHHMAC_HASHLEN         12              /* authenticator length of 96bits */
-#define AHHMAC_RPLLEN          4               /* 32 bit replay counter */
-
-#define DB_AH_PKTRX            0x0001
-#define DB_AH_PKTRX2           0x0002
-#define DB_AH_DMP              0x0004
-#define DB_AH_IPSA             0x0010
-#define DB_AH_XF               0x0020
-#define DB_AH_INAU             0x0040
-#define DB_AH_REPLAY           0x0100
-
-#ifdef __KERNEL__
-
-/* General HMAC algorithm is described in RFC 2104 */
-
-#define                HMAC_IPAD       0x36
-#define                HMAC_OPAD       0x5C
-
-struct md5_ctx {
-       MD5_CTX ictx;           /* context after H(K XOR ipad) */
-       MD5_CTX octx;           /* context after H(K XOR opad) */
-};
-
-struct sha1_ctx {
-       SHA1_CTX ictx;          /* context after H(K XOR ipad) */
-       SHA1_CTX octx;          /* context after H(K XOR opad) */
-};
-
-struct auth_alg {
-       void (*init)(void *ctx);
-       void (*update)(void *ctx, unsigned char *bytes, __u32 len);
-       void (*final)(unsigned char *hash, void *ctx);
-       int hashlen;
-};
-
-extern struct inet_protocol ah_protocol;
-
-struct options;
-
-extern int 
-ah_rcv(struct sk_buff *skb,
-       struct device *dev,
-       struct options *opt, 
-       __u32 daddr,
-       unsigned short len,
-       __u32 saddr,
-       int redo,
-       struct inet_protocol *protocol);
-
-struct ahhdr                           /* Generic AH header */
-{
-       __u8    ah_nh;                  /* Next header (protocol) */
-       __u8    ah_hl;                  /* AH length, in 32-bit words */
-       __u16   ah_rv;                  /* reserved, must be 0 */
-       __u32   ah_spi;                 /* Security Parameters Index */
-        __u32   ah_rpl;                 /* Replay prevention */
-       __u8    ah_data[AHHMAC_HASHLEN];/* Authentication hash */
-};
-#define AH_BASIC_LEN 8      /* basic AH header is 8 bytes, nh,hl,rv,spi
-                            * and the ah_hl, says how many bytes after that
-                            * to cover. */
-
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_ah;
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* __KERNEL__ */
diff --git a/src/libfreeswan/ipsec_alg.h b/src/libfreeswan/ipsec_alg.h
deleted file mode 100644 (file)
index 920e921..0000000
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * Modular extensions service and registration functions interface
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * $Id$
- *
- */
-/*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- */
-#ifndef IPSEC_ALG_H
-#define IPSEC_ALG_H
-
-/* 
- *   gcc >= 3.2 has removed __FUNCTION__, replaced by C99 __func__
- *   *BUT* its a compiler variable.
- */
-#if (__GNUC__ >= 3)
-#ifndef __FUNCTION__
-#define __FUNCTION__ __func__
-#endif
-#endif
-
-/*     Version 0.8.1-0 */
-#define IPSEC_ALG_VERSION      0x00080100
-
-#include <linux/types.h>
-#include <linux/list.h>
-#include <asm/atomic.h>
-/*     
- *     The following structs are used via pointers in ipsec_alg object to
- *     avoid ipsec_alg.h coupling with freeswan headers, thus simplifying
- *     module development
- */
-struct ipsec_sa;
-struct esp;
-
-/**************************************
- *
- *     Main registration object 
- *
- *************************************/
-#define IPSEC_ALG_VERSION_QUAD(v)      \
-       (v>>24),((v>>16)&0xff),((v>>8)&0xff),(v&0xff)
-/*     
- *     Main ipsec_alg objects: "OOPrograming wannabe"
- *     Hierachy (carefully handled with _minimal_ cast'ing):
- *
- *      ipsec_alg+
- *              +->ipsec_alg_enc  (ixt_alg_type=SADB_EXT_SUPPORTED_ENCRYPT)
- *              +->ipsec_alg_auth (ixt_alg_type=SADB_EXT_SUPPORTED_AUTH)
- */
-
-/***************************************************************
- *
- *     INTERFACE object: struct ipsec_alg
- *
- ***************************************************************/
-
-/* 
- *     common part for every struct ipsec_alg_*        
- *     (sortof poor's man OOP)
- */
-#define IPSEC_ALG_STRUCT_COMMON \
-       unsigned ixt_version;   /* only allow this version (or 'near')*/ \
-       struct list_head ixt_list;      /* dlinked list */ \
-       struct module *ixt_module;      /* THIS_MODULE */ \
-       unsigned ixt_state;             /* state flags */ \
-       atomic_t ixt_refcnt;    /* ref. count when pointed from ipsec_sa */ \
-       char ixt_name[16];      /* descriptive short name, eg. "3des" */ \
-       void *ixt_data;         /* private for algo implementation */ \
-       uint8_t  ixt_blocksize; /* blocksize in bytes */ \
-       \
-       /* THIS IS A COPY of struct supported (lib/pfkey.h)        \
-        * please keep in sync until we migrate 'supported' stuff  \
-        * to ipsec_alg \
-        */ \
-       uint16_t ixt_alg_type;  /* correspond to IPSEC_ALG_{ENCRYPT,AUTH} */ \
-       uint8_t  ixt_alg_id;    /* enc. alg. number, eg. ESP_3DES */ \
-       uint8_t  ixt_ivlen;     /* ivlen in bits, expected to be multiple of 8! */ \
-       uint16_t ixt_keyminbits;/* min. keybits (of entropy) */ \
-       uint16_t ixt_keymaxbits;/* max. keybits (of entropy) */
-
-#define ixt_support ixt_alg_type
-       
-#define IPSEC_ALG_ST_SUPP      0x01
-#define IPSEC_ALG_ST_REGISTERED 0x02
-#define IPSEC_ALG_ST_EXCL      0x04
-struct ipsec_alg {
-       IPSEC_ALG_STRUCT_COMMON
-};
-/* 
- *     Note the const in cbc_encrypt IV arg:
- *     some ciphers like to toast passed IV (eg. 3DES): make a local IV copy
- */
-struct ipsec_alg_enc {
-       IPSEC_ALG_STRUCT_COMMON
-       unsigned ixt_e_keylen;          /* raw key length in bytes          */
-       unsigned ixt_e_ctx_size;        /* sa_p->key_e_size */
-       int (*ixt_e_set_key)(struct ipsec_alg_enc *alg, __u8 *key_e, const __u8 *key, size_t keysize);
-       __u8 *(*ixt_e_new_key)(struct ipsec_alg_enc *alg, const __u8 *key, size_t keysize);
-       void (*ixt_e_destroy_key)(struct ipsec_alg_enc *alg, __u8 *key_e);
-       int (*ixt_e_cbc_encrypt)(struct ipsec_alg_enc *alg, __u8 *key_e, __u8 *in, int ilen, const __u8 *iv, int encrypt);
-};
-struct ipsec_alg_auth {
-       IPSEC_ALG_STRUCT_COMMON
-       unsigned ixt_a_keylen;          /* raw key length in bytes          */
-       unsigned ixt_a_ctx_size;        /* sa_p->key_a_size */
-       unsigned ixt_a_authlen;         /* 'natural' auth. hash len (bytes) */
-       int (*ixt_a_hmac_set_key)(struct ipsec_alg_auth *alg, __u8 *key_a, const __u8 *key, int keylen);
-       int (*ixt_a_hmac_hash)(struct ipsec_alg_auth *alg, __u8 *key_a, const __u8 *dat, int len, __u8 *hash, int hashlen);
-};
-/*     
- *     These are _copies_ of SADB_EXT_SUPPORTED_{AUTH,ENCRYPT}, 
- *     to avoid header coupling for true constants
- *     about headers ... "cp is your friend" --Linus
- */
-#define IPSEC_ALG_TYPE_AUTH    14
-#define IPSEC_ALG_TYPE_ENCRYPT 15
-
-/***************************************************************
- *
- *     INTERFACE for module loading,testing, and unloading
- *
- ***************************************************************/
-/*     -  registration calls   */
-int register_ipsec_alg(struct ipsec_alg *);
-int unregister_ipsec_alg(struct ipsec_alg *);
-/*     -  optional (simple test) for algos     */
-int ipsec_alg_test(unsigned alg_type, unsigned alg_id, int testparm);
-/*     inline wrappers (usefull for type validation */
-static inline int register_ipsec_alg_enc(struct ipsec_alg_enc *ixt) {
-       return register_ipsec_alg((struct ipsec_alg*)ixt);
-}
-static inline int unregister_ipsec_alg_enc(struct ipsec_alg_enc *ixt) {
-       return unregister_ipsec_alg((struct ipsec_alg*)ixt);
-}
-static inline int register_ipsec_alg_auth(struct ipsec_alg_auth *ixt) {
-       return register_ipsec_alg((struct ipsec_alg*)ixt);
-}
-static inline int unregister_ipsec_alg_auth(struct ipsec_alg_auth *ixt) {
-       return unregister_ipsec_alg((struct ipsec_alg*)ixt);
-}
-
-/*****************************************************************
- *
- *     INTERFACE for ENC services: key creation, encrypt function
- *
- *****************************************************************/
-
-#define IPSEC_ALG_ENCRYPT 1
-#define IPSEC_ALG_DECRYPT 0
-
-/*     encryption key context creation function */
-int ipsec_alg_enc_key_create(struct ipsec_sa *sa_p);
-/* 
- *     ipsec_alg_esp_encrypt(): encrypt ilen bytes in idat returns
- *     0 or ERR<0
- */
-int ipsec_alg_esp_encrypt(struct ipsec_sa *sa_p, __u8 *idat, int ilen, const __u8 *iv, int action);
-
-/***************************************************************
- *
- *     INTERFACE for AUTH services: key creation, hash functions
- *
- ***************************************************************/
-int ipsec_alg_auth_key_create(struct ipsec_sa *sa_p);
-int ipsec_alg_sa_esp_hash(const struct ipsec_sa *sa_p, const __u8 *espp, int len, __u8 *hash, int hashlen) ;
-#define ipsec_alg_sa_esp_update(c,k,l) ipsec_alg_sa_esp_hash(c,k,l,NULL,0)
-
-/* only called from ipsec_init.c */
-int ipsec_alg_init(void);
-
-/* algo module glue for static algos */
-void ipsec_alg_static_init(void);
-typedef int (*ipsec_alg_init_func_t) (void);
-
-/**********************************************
- *
- *     INTERFACE for ipsec_sa init and wipe
- *
- **********************************************/
-
-/* returns true if ipsec_sa has ipsec_alg obj attached */
-/* 
- * Initializes ipsec_sa's ipsec_alg object, using already loaded
- * proto, authalg, encalg.; links ipsec_alg objects (enc, auth)
- */
-int ipsec_alg_sa_init(struct ipsec_sa *sa_p);
-/* 
- * Destroys ipsec_sa's ipsec_alg object
- * unlinking ipsec_alg objects
- */
-int ipsec_alg_sa_wipe(struct ipsec_sa *sa_p);
-
-/**********************************************
- *
- *     2.2 backport for some 2.4 useful module stuff
- *
- **********************************************/
-#ifdef MODULE
-#ifndef THIS_MODULE
-#define THIS_MODULE          (&__this_module)
-#endif
-#ifndef module_init
-typedef int (*__init_module_func_t)(void);
-typedef void (*__cleanup_module_func_t)(void);
-
-#define module_init(x) \
-        int init_module(void) __attribute__((alias(#x))); \
-        static inline __init_module_func_t __init_module_inline(void) \
-        { return x; }
-#define module_exit(x) \
-        void cleanup_module(void) __attribute__((alias(#x))); \
-        static inline __cleanup_module_func_t __cleanup_module_inline(void) \
-        { return x; }
-#endif
-
-#define IPSEC_ALG_MODULE_INIT( func_name )     \
-       static int func_name(void);             \
-       module_init(func_name);                 \
-       static int __init func_name(void)
-#define IPSEC_ALG_MODULE_EXIT( func_name )     \
-       static void func_name(void);            \
-       module_exit(func_name);                 \
-       static void __exit func_name(void)
-#else  /* not MODULE */
-#ifndef THIS_MODULE
-#define THIS_MODULE          NULL
-#endif
-/*     
- *     I only want module_init() magic 
- *     when algo.c file *is THE MODULE*, in all other
- *     cases, initialization is called explicitely from ipsec_alg_init()
- */
-#define IPSEC_ALG_MODULE_INIT( func_name )     \
-       extern int func_name(void);             \
-       int func_name(void)
-#define IPSEC_ALG_MODULE_EXIT( func_name )     \
-       extern void func_name(void);            \
-       void func_name(void)
-#endif
-
-#endif /* IPSEC_ALG_H */
diff --git a/src/libfreeswan/ipsec_encap.h b/src/libfreeswan/ipsec_encap.h
deleted file mode 100644 (file)
index 69b2ca3..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * declarations relevant to encapsulation-like operations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#ifndef _IPSEC_ENCAP_H_
-
-#define SENT_IP4       16      /* data is two struct in_addr + proto + ports*/
-                       /* (2 * sizeof(struct in_addr)) */
-                       /* sizeof(struct sockaddr_encap)
-                          - offsetof(struct sockaddr_encap, Sen.Sip4.Src) */
-
-struct sockaddr_encap
-{
-       __u8    sen_len;                /* length */
-       __u8    sen_family;             /* AF_ENCAP */
-       __u16   sen_type;               /* see SENT_* */
-       union
-       {
-               struct                  /* SENT_IP4 */
-               {
-                       struct in_addr Src;
-                       struct in_addr Dst;
-                       __u8 Proto;
-                       __u16 Sport;
-                       __u16 Dport;
-               } Sip4;
-       } Sen;
-};
-
-#define sen_ip_src     Sen.Sip4.Src
-#define sen_ip_dst     Sen.Sip4.Dst
-#define sen_proto       Sen.Sip4.Proto
-#define sen_sport       Sen.Sip4.Sport
-#define sen_dport       Sen.Sip4.Dport
-
-#ifndef AF_ENCAP
-#define AF_ENCAP 26
-#endif /* AF_ENCAP */
-
-#define _IPSEC_ENCAP_H_
-#endif /* _IPSEC_ENCAP_H_ */
diff --git a/src/libfreeswan/ipsec_eroute.h b/src/libfreeswan/ipsec_eroute.h
deleted file mode 100644 (file)
index 0afabf0..0000000
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * @(#) declarations of eroute structures
- *
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs <rgb@freeswan.org>
- * Copyright (C) 2001                    Michael Richardson <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- * derived from ipsec_encap.h 1.15 on 2001/9/18 by mcr.
- *
- */
-
-#ifndef _IPSEC_EROUTE_H_
-
-#include "radij.h"
-#include "ipsec_encap.h"
-#include "ipsec_radij.h"
-
-/*
- * The "type" is really part of the address as far as the routing
- * system is concerned. By using only one bit in the type field
- * for each type, we sort-of make sure that different types of
- * encapsulation addresses won't be matched against the wrong type.
- */
-
-/*
- * An entry in the radix tree 
- */
-
-struct rjtentry
-{
-       struct  radij_node rd_nodes[2]; /* tree glue, and other values */
-#define        rd_key(r)       ((struct sockaddr_encap *)((r)->rd_nodes->rj_key))
-#define        rd_mask(r)      ((struct sockaddr_encap *)((r)->rd_nodes->rj_mask))
-       short   rd_flags;
-       short   rd_count;
-};
-
-struct ident
-{
-       __u16   type;   /* identity type */
-       __u64   id;     /* identity id */
-       __u8    len;    /* identity len */
-       caddr_t data;   /* identity data */
-};
-
-/*
- * An encapsulation route consists of a pointer to a 
- * radix tree entry and a SAID (a destination_address/SPI/protocol triple).
- */
-
-struct eroute
-{
-       struct rjtentry er_rjt;
-       struct sa_id er_said;
-       uint32_t er_pid;
-       uint32_t er_count;
-       uint64_t er_lasttime;
-       struct sockaddr_encap er_eaddr; /* MCR get rid of _encap, it is silly*/
-       struct sockaddr_encap er_emask;
-        struct ident er_ident_s;
-        struct ident er_ident_d;
-       struct sk_buff* er_first;
-       struct sk_buff* er_last;
-};
-
-#define er_dst er_said.dst
-#define er_spi er_said.spi
-
-#define _IPSEC_EROUTE_H_
-#endif /* _IPSEC_EROUTE_H_ */
diff --git a/src/libfreeswan/ipsec_errs.h b/src/libfreeswan/ipsec_errs.h
deleted file mode 100644 (file)
index cfd5498..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * @(#) definition of ipsec_errs structure
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- */
-
-/* 
- * This file describes the errors/statistics that FreeSWAN collects.
- *
- */
-
-struct ipsec_errs {
-       __u32           ips_alg_errs;          /* number of algorithm errors */
-       __u32           ips_auth_errs;         /* # of authentication errors */
-       __u32           ips_encsize_errs;      /* # of encryption size errors*/
-       __u32           ips_encpad_errs;       /* # of encryption pad  errors*/
-       __u32           ips_replaywin_errs;    /* # of pkt sequence errors */
-};
diff --git a/src/libfreeswan/ipsec_esp.h b/src/libfreeswan/ipsec_esp.h
deleted file mode 100644 (file)
index 2bd9f3c..0000000
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#include "freeswan/ipsec_md5h.h"
-#include "freeswan/ipsec_sha1.h"
-
-#include "crypto/des.h"
-
-#ifndef IPPROTO_ESP
-#define IPPROTO_ESP 50
-#endif /* IPPROTO_ESP */
-
-#define ESP_HEADER_LEN         8       /* 64 bits header (spi+rpl)*/
-
-#define EMT_ESPDESCBC_ULEN     20      /* coming from user mode */
-#define EMT_ESPDES_KMAX                64      /* 512 bit secret key enough? */
-#define EMT_ESPDES_KEY_SZ      8       /* 56 bit secret key with parity = 64 bits */
-#define EMT_ESP3DES_KEY_SZ     24      /* 168 bit secret key with parity = 192 bits */
-#define EMT_ESPDES_IV_SZ       8       /* IV size */
-#define ESP_DESCBC_BLKLEN       8       /* DES-CBC block size */
-
-#define ESP_IV_MAXSZ           16      /* This is _critical_ */
-#define ESP_IV_MAXSZ_INT       (ESP_IV_MAXSZ/sizeof(int))
-
-#define DB_ES_PKTRX    0x0001
-#define DB_ES_PKTRX2   0x0002
-#define DB_ES_IPSA     0x0010
-#define DB_ES_XF       0x0020
-#define DB_ES_IPAD     0x0040
-#define DB_ES_INAU     0x0080
-#define DB_ES_OINFO    0x0100
-#define DB_ES_OINFO2   0x0200
-#define DB_ES_OH       0x0400
-#define DB_ES_REPLAY   0x0800
-
-#ifdef __KERNEL__
-struct des_eks {
-       des_key_schedule ks;
-};
-
-extern struct inet_protocol esp_protocol;
-
-struct options;
-
-extern int
-esp_rcv(struct sk_buff *skb,
-       struct device *dev,
-       struct options *opt, 
-       __u32 daddr,
-       unsigned short len,
-       __u32 saddr,
-       int redo,
-       struct inet_protocol *protocol);
-
-/* Only for 64 bits IVs, eg. ESP_3DES :P */
-struct esphdr
-{
-       __u32   esp_spi;                /* Security Parameters Index */
-        __u32   esp_rpl;                /* Replay counter */
-       __u8    esp_iv[8];              /* iv */
-};
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_esp;
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* __KERNEL__ */
diff --git a/src/libfreeswan/ipsec_ipe4.h b/src/libfreeswan/ipsec_ipe4.h
deleted file mode 100644 (file)
index 698bf55..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * IP-in-IP Header declarations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-/* The packet header is an IP header! */
-
-struct ipe4_xdata                      /* transform table data */
-{
-       struct in_addr  i4_src;
-       struct in_addr  i4_dst;
-};
-
-#define EMT_IPE4_ULEN  8       /* coming from user mode */
diff --git a/src/libfreeswan/ipsec_kversion.h b/src/libfreeswan/ipsec_kversion.h
deleted file mode 100644 (file)
index a7741b8..0000000
+++ /dev/null
@@ -1,191 +0,0 @@
-#ifndef _FREESWAN_KVERSIONS_H
-/*
- * header file for FreeS/WAN library functions
- * Copyright (C) 1998, 1999, 2000  Henry Spencer.
- * Copyright (C) 1999, 2000, 2001  Richard Guy Briggs
- * 
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
- * 
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
- * License for more details.
- *
- * RCSID $Id$
- */
-#define        _FREESWAN_KVERSIONS_H   /* seen it, no need to see it again */
-
-/*
- * this file contains a series of atomic defines that depend upon
- * kernel version numbers. The kernel versions are arranged
- * in version-order number (which is often not chronological)
- * and each clause enables or disables a feature.
- */
-
-/*
- * First, assorted kernel-version-dependent trickery.
- */
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,0)
-#define HEADER_CACHE_BIND_21
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
-#define SPINLOCK
-#define PROC_FS_21
-#define NETLINK_SOCK
-#define NET_21
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,19)
-#define net_device_stats enet_statistics
-#endif                                                                         
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
-#define SPINLOCK_23
-#define NETDEV_23
-#  ifndef CONFIG_IP_ALIAS
-#  define CONFIG_IP_ALIAS
-#  endif
-#include <linux/socket.h>
-#include <linux/skbuff.h>
-#include <linux/netlink.h>
-#  ifdef NETLINK_XFRM
-#  define NETDEV_25
-#  endif
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,25)
-#define PROC_FS_2325
-#undef  PROC_FS_21
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,30)
-#define PROC_NO_DUMMY
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,35)
-#define SKB_COPY_EXPAND
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,37)
-#define IP_SELECT_IDENT
-#endif
-
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,50)) && defined(CONFIG_NETFILTER)
-#define SKB_RESET_NFCT
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,2)
-#define IP_SELECT_IDENT_NEW
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4)
-#define IPH_is_SKB_PULLED
-#define SKB_COW_NEW
-#define PROTO_HANDLER_SINGLE_PARM
-#define IP_FRAGMENT_LINEARIZE 1
-#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
-#  ifdef REDHAT_BOGOSITY
-#  define IP_SELECT_IDENT_NEW
-#  define IPH_is_SKB_PULLED
-#  define SKB_COW_NEW
-#  define PROTO_HANDLER_SINGLE_PARM
-#  endif /* REDHAT_BOGOSITY */
-#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
-#define MALLOC_SLAB
-#define LINUX_KERNEL_HAS_SNPRINTF
-#endif                                                                         
-
-#ifdef NET_21
-#  include <linux/in6.h>
-#else
-     /* old kernel in.h has some IPv6 stuff, but not quite enough */
-#  define      s6_addr16       s6_addr
-#  define      AF_INET6        10
-#  define uint8_t __u8
-#  define uint16_t __u16 
-#  define uint32_t __u32 
-#  define uint64_t __u64 
-#endif
-
-#ifdef NET_21
-# define ipsec_kfree_skb(a) kfree_skb(a)
-#else /* NET_21 */
-# define ipsec_kfree_skb(a) kfree_skb(a, FREE_WRITE)
-#endif /* NET_21 */
-
-#ifdef NETDEV_23
-# define device net_device
-# define ipsec_dev_get dev_get_by_name
-# define __ipsec_dev_get __dev_get_by_name
-# define ipsec_dev_put(x) dev_put(x)
-# define __ipsec_dev_put(x) __dev_put(x)
-# define ipsec_dev_hold(x) dev_hold(x)
-#else /* NETDEV_23 */
-# define ipsec_dev_get dev_get
-# define __ipsec_dev_put(x) 
-# define ipsec_dev_put(x)
-# define ipsec_dev_hold(x) 
-#endif /* NETDEV_23 */
-
-#ifndef SPINLOCK
-#  include <linux/bios32.h>
-     /* simulate spin locks and read/write locks */
-     typedef struct {
-       volatile char lock;
-     } spinlock_t;
-
-     typedef struct {
-       volatile unsigned int lock;
-     } rwlock_t;                                                                     
-
-#  define spin_lock_init(x) { (x)->lock = 0;}
-#  define rw_lock_init(x) { (x)->lock = 0; }
-
-#  define spin_lock(x) { while ((x)->lock) barrier(); (x)->lock=1;}
-#  define spin_lock_irq(x) { cli(); spin_lock(x);}
-#  define spin_lock_irqsave(x,flags) { save_flags(flags); spin_lock_irq(x);}
-
-#  define spin_unlock(x) { (x)->lock=0;}
-#  define spin_unlock_irq(x) { spin_unlock(x); sti();}
-#  define spin_unlock_irqrestore(x,flags) { spin_unlock(x); restore_flags(flags);}
-
-#  define read_lock(x) spin_lock(x)
-#  define read_lock_irq(x) spin_lock_irq(x)
-#  define read_lock_irqsave(x,flags) spin_lock_irqsave(x,flags)
-
-#  define read_unlock(x) spin_unlock(x)
-#  define read_unlock_irq(x) spin_unlock_irq(x)
-#  define read_unlock_irqrestore(x,flags) spin_unlock_irqrestore(x,flags)
-
-#  define write_lock(x) spin_lock(x)
-#  define write_lock_irq(x) spin_lock_irq(x)
-#  define write_lock_irqsave(x,flags) spin_lock_irqsave(x,flags)
-
-#  define write_unlock(x) spin_unlock(x)
-#  define write_unlock_irq(x) spin_unlock_irq(x)
-#  define write_unlock_irqrestore(x,flags) spin_unlock_irqrestore(x,flags)
-#endif /* !SPINLOCK */
-
-#ifndef SPINLOCK_23
-#  define spin_lock_bh(x)  spin_lock_irq(x)
-#  define spin_unlock_bh(x)  spin_unlock_irq(x)
-
-#  define read_lock_bh(x)  read_lock_irq(x)
-#  define read_unlock_bh(x)  read_unlock_irq(x)
-
-#  define write_lock_bh(x)  write_lock_irq(x)
-#  define write_unlock_bh(x)  write_unlock_irq(x)
-#endif /* !SPINLOCK_23 */
-
-#endif /* _FREESWAN_KVERSIONS_H */
diff --git a/src/libfreeswan/ipsec_life.h b/src/libfreeswan/ipsec_life.h
deleted file mode 100644 (file)
index 817d273..0000000
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Definitions relevant to IPSEC lifetimes
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- * This file derived from ipsec_xform.h on 2001/9/18 by mcr.
- *
- */
-
-/* 
- * This file describes the book keeping fields for the 
- *   IPsec Security Association Structure. ("ipsec_sa")
- *
- * This structure is never allocated directly by kernel code,
- * (it is always a static/auto or is part of a structure)
- * so it does not have a reference count.
- *
- */
-
-#ifndef _IPSEC_LIFE_H_
-
-/*
- *  _count is total count.
- *  _hard is hard limit (kill SA after this number)
- *  _soft is soft limit (try to renew SA after this number)
- *  _last is used in some special cases.
- *
- */
-
-struct ipsec_lifetime64
-{
-       __u64           ipl_count;
-       __u64           ipl_soft;
-       __u64           ipl_hard;
-       __u64           ipl_last;  
-};
-
-struct ipsec_lifetimes
-{
-       /* number of bytes processed */
-       struct ipsec_lifetime64 ipl_bytes;
-
-       /* number of packets processed */
-       struct ipsec_lifetime64 ipl_packets;
-
-       /* time since SA was added */
-       struct ipsec_lifetime64 ipl_addtime;
-
-       /* time since SA was first used */
-       struct ipsec_lifetime64 ipl_usetime;
-
-       /* from rfc2367:  
-         *         For CURRENT, the number of different connections,
-         *         endpoints, or flows that the association has been
-         *          allocated towards. For HARD and SOFT, the number of
-         *          these the association may be allocated towards
-         *          before it expires. The concept of a connection,
-         *          flow, or endpoint is system specific.
-        *
-        * mcr(2001-9-18) it is unclear what purpose these serve for FreeSWAN.
-        *          They are maintained for PF_KEY compatibility. 
-        */
-       struct ipsec_lifetime64 ipl_allocations;
-};
-
-enum ipsec_life_alive {
-       ipsec_life_harddied = -1,
-       ipsec_life_softdied = 0,
-       ipsec_life_okay     = 1
-};
-
-enum ipsec_life_type {
-       ipsec_life_timebased = 1,
-       ipsec_life_countbased= 0
-};
-
-#define _IPSEC_LIFE_H_
-#endif /* _IPSEC_LIFE_H_ */
diff --git a/src/libfreeswan/ipsec_md5h.h b/src/libfreeswan/ipsec_md5h.h
deleted file mode 100644 (file)
index 0bc73b6..0000000
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * RCSID $Id$
- */
-
-/*
- * The rest of this file is Copyright RSA DSI. See the following comments
- * for the full Copyright notice.
- */
-
-#ifndef _IPSEC_MD5H_H_
-#define _IPSEC_MD5H_H_
-
-/* GLOBAL.H - RSAREF types and constants
- */
-
-/* PROTOTYPES should be set to one if and only if the compiler supports
-     function argument prototyping.
-   The following makes PROTOTYPES default to 0 if it has not already
-     been defined with C compiler flags.
- */
-#ifndef PROTOTYPES
-#define PROTOTYPES 1
-#endif /* !PROTOTYPES */
-
-/* POINTER defines a generic pointer type */
-typedef __u8 *POINTER;
-
-/* UINT2 defines a two byte word */
-typedef __u16 UINT2;
-
-/* UINT4 defines a four byte word */
-typedef __u32 UINT4;
-
-/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
-   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
-     returns an empty list.
- */
-
-#if PROTOTYPES
-#define PROTO_LIST(list) list
-#else /* PROTOTYPES */
-#define PROTO_LIST(list) ()
-#endif /* PROTOTYPES */
-
-
-/* MD5.H - header file for MD5C.C
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-rights reserved.
-
-License to copy and use this software is granted provided that it
-is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-Algorithm" in all material mentioning or referencing this software
-or this function.
-
-License is also granted to make and use derivative works provided
-that such works are identified as "derived from the RSA Data
-Security, Inc. MD5 Message-Digest Algorithm" in all material
-mentioning or referencing the derived work.
-
-RSA Data Security, Inc. makes no representations concerning either
-the merchantability of this software or the suitability of this
-software for any particular purpose. It is provided "as is"
-without express or implied warranty of any kind.
-
-These notices must be retained in any copies of any part of this
-documentation and/or software.
- */
-
-/* MD5 context. */
-typedef struct {
-  UINT4 state[4];                                   /* state (ABCD) */
-  UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
-  unsigned char buffer[64];                         /* input buffer */
-} MD5_CTX;
-
-void MD5Init PROTO_LIST ((void *));
-void MD5Update PROTO_LIST
-  ((void *, unsigned char *, __u32));
-void MD5Final PROTO_LIST ((unsigned char [16], void *));
-#endif /* _IPSEC_MD5H_H_ */
index 63309ca..98ba48c 100644 (file)
 
 #ifndef _IPSEC_PARAM_H_
 
-#ifdef __KERNEL__
-#include "ipsec_kversion.h"
-
-/* Set number of ipsecX virtual devices here. */
-/* This must be < exp(field width of IPSEC_DEV_FORMAT) */
-/* It must also be reasonable so as not to overload the memory and CPU */
-/* constraints of the host. */
-#define IPSEC_NUM_IF   4
-/* The field width must be < IF_NAM_SIZ - strlen("ipsec") - 1. */
-/* With "ipsec" being 5 characters, that means 10 is the max field width */
-/* but machine memory and CPU constraints are not likely to tollerate */
-/* more than 3 digits.  The default is one digit. */
-/* Update: userland scripts get upset if they can't find "ipsec0", so */
-/* for now, no "0"-padding should be used (which would have been helpful */
-/* to make text-searches work */
-#define IPSEC_DEV_FORMAT "ipsec%d"
-/* For, say, 500 virtual ipsec devices, I would recommend: */
-/* #define IPSEC_NUM_IF        500 */
-/* #define IPSEC_DEV_FORMAT "ipsec%03d" */
-/* Note that the "interfaces=" line in /etc/ipsec.conf would be, um, challenging. */
-
-/* use dynamic ipsecX device allocation */
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif /* CONFIG_IPSEC_DYNDEV */
-
-
-#ifdef CONFIG_IPSEC_BIGGATE
-# define SADB_HASHMOD   8069
-#else /* CONFIG_IPSEC_BIGGATE */
-# define SADB_HASHMOD  257
-#endif /* CONFIG_IPSEC_BIGGATE */
-#endif /* __KERNEL__ */
-
 /*
  * This is for the SA reference table. This number is related to the
  * maximum number of SAs that KLIPS can concurrently deal with, plus enough
 # define IPSEC_SA_REF_CODE 1 
 #endif
 
-#ifdef __KERNEL__
-/* This is defined for 2.4, but not 2.2.... */
-#ifndef ARPHRD_VOID
-# define ARPHRD_VOID 0xFFFF
-#endif
-
-/*
- * Worry about PROC_FS stuff
- */
-#if defined(PROC_FS_2325)
-/* kernel 2.4 */
-# define IPSEC_PROC_LAST_ARG ,int *eof,void *data
-# define IPSEC_PROCFS_DEBUG_NO_STATIC
-# define IPSEC_PROC_SUBDIRS
-#else
-/* kernel <2.4 */
-# define IPSEC_PROCFS_DEBUG_NO_STATIC DEBUG_NO_STATIC
-
-# ifndef PROC_NO_DUMMY
-#  define IPSEC_PROC_LAST_ARG , int dummy
-# else
-#  define IPSEC_PROC_LAST_ARG
-# endif /* !PROC_NO_DUMMY */
-#endif /* PROC_FS_2325 */
-
-#if !defined(LINUX_KERNEL_HAS_SNPRINTF)
-/* GNU CPP specific! */
-# define snprintf(buf, len, fmt...) sprintf(buf, ##fmt)
-#endif /* !LINUX_KERNEL_HAS_SNPRINTF */
-
-#ifdef SPINLOCK
-# ifdef SPINLOCK_23
-#  include <linux/spinlock.h> /* *lock* */
-# else /* SPINLOCK_23 */
-#  include <asm/spinlock.h> /* *lock* */
-# endif /* SPINLOCK_23 */
-#endif /* SPINLOCK */
-
-#ifndef KLIPS_FIXES_DES_PARITY
-# define KLIPS_FIXES_DES_PARITY 1
-#endif /* !KLIPS_FIXES_DES_PARITY */
-
-/* we don't really want to print these unless there are really big problems */
-#ifndef KLIPS_DIVULGE_CYPHER_KEY
-# define KLIPS_DIVULGE_CYPHER_KEY 0
-#endif /* !KLIPS_DIVULGE_CYPHER_KEY */
-
-#ifndef KLIPS_DIVULGE_HMAC_KEY
-# define KLIPS_DIVULGE_HMAC_KEY 0
-#endif /* !KLIPS_DIVULGE_HMAC_KEY */
-
-#ifndef IPSEC_DISALLOW_IPOPTIONS
-# define IPSEC_DISALLOW_IPOPTIONS 1
-#endif /* !KLIPS_DIVULGE_HMAC_KEY */
-
-/* extra toggles for regression testing */
-#ifdef CONFIG_IPSEC_REGRESS
-
-/* 
- * should pfkey_acquire() become 100% lossy?
- *
- */
-extern int sysctl_ipsec_regress_pfkey_lossage;
-#ifndef KLIPS_PFKEY_ACQUIRE_LOSSAGE
-# ifdef CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE
-#  define KLIPS_PFKEY_ACQUIRE_LOSSAGE 100
-# else /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */
-/* not by default! */
-#  define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0
-# endif /* CONFIG_IPSEC_PFKEY_ACQUIRE_LOSSAGE */
-#endif /* KLIPS_PFKEY_ACQUIRE_LOSSAGE */
-
-#endif /* CONFIG_IPSEC_REGRESS */
-
-/*
- * debugging routines.
- */
-#ifdef CONFIG_IPSEC_DEBUG
-extern void ipsec_print_ip(struct iphdr *ip);
-
-       #define KLIPS_PRINT(flag, format, args...) \
-               ((flag) ? printk(KERN_INFO format , ## args) : 0)
-       #define KLIPS_PRINTMORE(flag, format, args...) \
-               ((flag) ? printk(format , ## args) : 0)
-       #define KLIPS_IP_PRINT(flag, ip) \
-               ((flag) ? ipsec_print_ip(ip) : 0)
-#else /* CONFIG_IPSEC_DEBUG */
-       #define KLIPS_PRINT(flag, format, args...) do ; while(0)
-       #define KLIPS_PRINTMORE(flag, format, args...) do ; while(0)
-       #define KLIPS_IP_PRINT(flag, ip) do ; while(0)
-#endif /* CONFIG_IPSEC_DEBUG */
-
-
-/* 
- * Stupid kernel API differences in APIs. Not only do some
- * kernels not have ip_select_ident, but some have differing APIs,
- * and SuSE has one with one parameter, but no way of checking to
- * see what is really what.
- */
-
-#ifdef SUSE_LINUX_2_4_19_IS_STUPID
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph)
-#else
-
-/* simplest case, nothing */
-#if !defined(IP_SELECT_IDENT)
-#define KLIPS_IP_SELECT_IDENT(iph, skb)  do { iph->id = htons(ip_id_count++); } while(0)
-#endif
-
-/* kernels > 2.3.37-ish */
-#if defined(IP_SELECT_IDENT) && !defined(IP_SELECT_IDENT_NEW)
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst)
-#endif
-
-/* kernels > 2.4.2 */
-#if defined(IP_SELECT_IDENT) && defined(IP_SELECT_IDENT_NEW)
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst, NULL)
-#endif
-
-#endif /* SUSE_LINUX_2_4_19_IS_STUPID */
-
-/*
- * make klips fail test:east-espiv-01.
- * exploit is at testing/attacks/espiv
- *
- */
-#define KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK 0
-
-
-/* IP_FRAGMENT_LINEARIZE is set in freeswan.h if Kernel > 2.4.4 */
-#ifndef IP_FRAGMENT_LINEARIZE
-# define IP_FRAGMENT_LINEARIZE 0
-#endif /* IP_FRAGMENT_LINEARIZE */
-#endif /* __KERNEL__ */
-
 #define _IPSEC_PARAM_H_
 #endif /* _IPSEC_PARAM_H_ */
diff --git a/src/libfreeswan/ipsec_proto.h b/src/libfreeswan/ipsec_proto.h
deleted file mode 100644 (file)
index 8c7495e..0000000
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * @(#) prototypes for FreeSWAN functions 
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- */
-
-#ifndef _IPSEC_PROTO_H_
-
-#include "ipsec_param.h"
-
-/*
- * This file is a kernel only file that declares prototypes for
- * all intra-module function calls and global data structures.
- *
- * Include this file last.
- *
- */
-
-/* ipsec_init.c */
-extern struct prng ipsec_prng;
-
-/* ipsec_sa.c */
-extern struct ipsec_sa *ipsec_sadb_hash[SADB_HASHMOD];
-extern spinlock_t       tdb_lock;
-extern int ipsec_sadb_init(void);
-
-extern struct ipsec_sa *ipsec_sa_getbyid(struct sa_id*);
-extern int ipsec_sa_put(struct ipsec_sa *);
-extern /* void */ int ipsec_sa_del(struct ipsec_sa *);
-extern /* void */ int ipsec_sa_delchain(struct ipsec_sa *);
-extern /* void */ int ipsec_sa_add(struct ipsec_sa *);
-
-extern int ipsec_sadb_cleanup(__u8);
-extern int ipsec_sa_wipe(struct ipsec_sa *);
-
-/* debug declarations */
-
-/* ipsec_proc.c */
-extern int  ipsec_proc_init(void);
-extern void ipsec_proc_cleanup(void);
-
-/* ipsec_radij.c */
-extern int ipsec_makeroute(struct sockaddr_encap *ea,
-                          struct sockaddr_encap *em,
-                          struct sa_id said,
-                          uint32_t pid,
-                          struct sk_buff *skb,
-                          struct ident *ident_s,
-                          struct ident *ident_d);
-
-extern int ipsec_breakroute(struct sockaddr_encap *ea,
-                           struct sockaddr_encap *em,
-                           struct sk_buff **first,
-                           struct sk_buff **last);
-
-int ipsec_radijinit(void);
-int ipsec_cleareroutes(void);
-int ipsec_radijcleanup(void);
-
-/* ipsec_life.c */
-extern enum ipsec_life_alive ipsec_lifetime_check(struct ipsec_lifetime64 *il64,
-                                                 const char *lifename,
-                                                 const char *saname,
-                                                 enum ipsec_life_type ilt,
-                                                 enum ipsec_direction idir,
-                                                 struct ipsec_sa *ips);
-
-
-extern int ipsec_lifetime_format(char *buffer,
-                                int   buflen,
-                                char *lifename,
-                                enum ipsec_life_type timebaselife,
-                                struct ipsec_lifetime64 *lifetime);
-
-extern void ipsec_lifetime_update_hard(struct ipsec_lifetime64 *lifetime,
-                                      __u64 newvalue);
-
-extern void ipsec_lifetime_update_soft(struct ipsec_lifetime64 *lifetime,
-                                      __u64 newvalue);
-
-
-
-
-#ifdef CONFIG_IPSEC_DEBUG
-
-extern int debug_xform;
-extern int debug_eroute;
-extern int debug_spi;
-extern int debug_netlink;
-
-#endif /* CONFIG_IPSEC_DEBUG */
-
-
-
-
-#define _IPSEC_PROTO_H
-#endif /* _IPSEC_PROTO_H_ */
diff --git a/src/libfreeswan/ipsec_radij.h b/src/libfreeswan/ipsec_radij.h
deleted file mode 100644 (file)
index 7b45f18..0000000
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * @(#) Definitions relevant to the IPSEC <> radij tree interfacing
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#ifndef _IPSEC_RADIJ_H
-
-#include <freeswan.h>
-
-int ipsec_walk(char *);
-
-int ipsec_rj_walker_procprint(struct radij_node *, void *);
-int ipsec_rj_walker_delete(struct radij_node *, void *);
-
-/* This structure is used to pass information between
- * ipsec_eroute_get_info and ipsec_rj_walker_procprint
- * (through rj_walktree) and between calls of ipsec_rj_walker_procprint.
- */
-struct wsbuf
-{
-       /* from caller of ipsec_eroute_get_info: */
-       char *const buffer;     /* start of buffer provided */
-       const int length;       /* length of buffer provided */
-       const off_t offset;     /* file position of first character of interest */
-       /* accumulated by ipsec_rj_walker_procprint: */
-       int len;                /* number of character filled into buffer */
-       off_t begin;            /* file position contained in buffer[0] (<=offset) */
-};
-
-
-extern struct radij_node_head *rnh;
-extern spinlock_t eroute_lock;
-
-struct eroute * ipsec_findroute(struct sockaddr_encap *);
-
-#define O1(x) (int)(((x)>>24)&0xff)
-#define O2(x) (int)(((x)>>16)&0xff)
-#define O3(x) (int)(((x)>>8)&0xff)
-#define O4(x) (int)(((x))&0xff)
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_radij;
-void rj_dumptrees(void);
-
-#define DB_RJ_DUMPTREES        0x0001
-#define DB_RJ_FINDROUTE 0x0002
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#define _IPSEC_RADIJ_H
-#endif
diff --git a/src/libfreeswan/ipsec_rcv.h b/src/libfreeswan/ipsec_rcv.h
deleted file mode 100644 (file)
index c8ed8f5..0000000
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * 
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#define DB_RX_PKTRX    0x0001
-#define DB_RX_PKTRX2   0x0002
-#define DB_RX_DMP      0x0004
-#define DB_RX_IPSA     0x0010
-#define DB_RX_XF       0x0020
-#define DB_RX_IPAD     0x0040
-#define DB_RX_INAU     0x0080
-#define DB_RX_OINFO    0x0100
-#define DB_RX_OINFO2   0x0200
-#define DB_RX_OH       0x0400
-#define DB_RX_REPLAY   0x0800
-
-#ifdef __KERNEL__
-/* struct options; */
-
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/config.h>      /* for CONFIG_IP_FORWARD */
-#include <linux/version.h>
-#include <freeswan.h>
-
-#define IPSEC_BIRTH_TEMPLATE_MAXLEN 256
-
-struct ipsec_birth_reply {
-  int            packet_template_len;
-  unsigned char  packet_template[IPSEC_BIRTH_TEMPLATE_MAXLEN];
-};
-
-extern struct ipsec_birth_reply ipsec_ipv4_birth_packet;
-extern struct ipsec_birth_reply ipsec_ipv6_birth_packet;
-
-extern int
-#ifdef PROTO_HANDLER_SINGLE_PARM
-ipsec_rcv(struct sk_buff *skb);
-#else /* PROTO_HANDLER_SINGLE_PARM */
-ipsec_rcv(struct sk_buff *skb,
-#ifdef NET_21
-         unsigned short xlen);
-#else /* NET_21 */
-         struct device *dev,
-         struct options *opt, 
-         __u32 daddr,
-         unsigned short len,
-         __u32 saddr,
-         int redo,
-         struct inet_protocol *protocol);
-#endif /* NET_21 */
-#endif /* PROTO_HANDLER_SINGLE_PARM */
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_rcv;
-#endif /* CONFIG_IPSEC_DEBUG */
-extern int sysctl_ipsec_inbound_policy_check;
-#endif /* __KERNEL__ */
diff --git a/src/libfreeswan/ipsec_sa.h b/src/libfreeswan/ipsec_sa.h
deleted file mode 100644 (file)
index 7b1e5f0..0000000
+++ /dev/null
@@ -1,252 +0,0 @@
-/*
- * @(#) Definitions of IPsec Security Association (ipsec_sa)
- *
- * Copyright (C) 2001, 2002, 2003
- *                      Richard Guy Briggs  <rgb@freeswan.org>
- *                  and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- * This file derived from ipsec_xform.h on 2001/9/18 by mcr.
- *
- */
-
-/* 
- * This file describes the IPsec Security Association Structure.
- *
- * This structure keeps track of a single transform that may be done
- * to a set of packets. It can describe applying the transform or
- * apply the reverse. (e.g. compression vs expansion). However, it
- * only describes one at a time. To describe both, two structures would
- * be used, but since the sides of the transform are performed 
- * on different machines typically it is usual to have only one side
- * of each association.
- * 
- */
-
-#ifndef _IPSEC_SA_H_
-
-#ifdef __KERNEL__
-#include "ipsec_stats.h"
-#include "ipsec_life.h"
-#include "ipsec_eroute.h"
-#endif /* __KERNEL__ */
-#include "ipsec_param.h"
-
-
-/* SAs are held in a table.
- * Entries in this table are referenced by IPsecSAref_t values.
- * IPsecSAref_t values are conceptually subscripts.  Because
- * we want to allocate the table piece-meal, the subscripting
- * is implemented with two levels, a bit like paged virtual memory.
- * This representation mechanism is known as an Iliffe Vector.
- *
- * The Main table (AKA the refTable) consists of 2^IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
- * pointers to subtables.
- * Each subtable has 2^IPSEC_SA_REF_SUBTABLE_IDX_WIDTH entries, each of which
- * is a pointer to an SA.
- *
- * An IPsecSAref_t contains either an exceptional value (signified by the
- * high-order bit being on) or a reference to a table entry.  A table entry
- * reference has the subtable subscript in the low-order
- * IPSEC_SA_REF_SUBTABLE_IDX_WIDTH bits and the Main table subscript
- * in the next lowest IPSEC_SA_REF_MAINTABLE_IDX_WIDTH bits.
- *
- * The Maintable entry for an IPsecSAref_t x, a pointer to its subtable, is
- * IPsecSAref2table(x).  It is of type struct IPsecSArefSubTable *.
- *
- * The pointer to the SA for x is IPsecSAref2SA(x).  It is of type
- * struct ipsec_sa*.  The macro definition clearly shows the two-level
- * access needed to find the SA pointer.
- *
- * The Maintable is allocated when IPsec is initialized.
- * Each subtable is allocated when needed, but the first is allocated
- * when IPsec is initialized.
- *
- * IPsecSAref_t is designed to be smaller than an NFmark so that
- * they can be stored in NFmarks and still leave a few bits for other
- * purposes.  The spare bits are in the low order of the NFmark
- * but in the high order of the IPsecSAref_t, so conversion is required.
- * We pick the upper bits of NFmark on the theory that they are less likely to
- * interfere with more pedestrian uses of nfmark.
- */
-
-
-typedef unsigned short int IPsecRefTableUnusedCount;
-
-#define IPSEC_SA_REF_TABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_TABLE_IDX_WIDTH)
-
-#ifdef __KERNEL__
-#if ((IPSEC_SA_REF_TABLE_IDX_WIDTH - (1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) < 0)
-#error "IPSEC_SA_REF_TABLE_IDX_WIDTH("IPSEC_SA_REF_TABLE_IDX_WIDTH") MUST be < 1 + IPSEC_SA_REF_MAINTABLE_IDX_WIDTH("IPSEC_SA_REF_MAINTABLE_IDX_WIDTH")"
-#endif
-
-#define IPSEC_SA_REF_SUBTABLE_IDX_WIDTH (IPSEC_SA_REF_TABLE_IDX_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
-
-#define IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)
-#define IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES (1 << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
-
-#ifdef CONFIG_NETFILTER
-#define IPSEC_SA_REF_HOST_FIELD(x) ((struct sk_buff*)(x))->nfmark
-#define IPSEC_SA_REF_HOST_FIELD_TYPE typeof(IPSEC_SA_REF_HOST_FIELD(NULL))
-#else /* CONFIG_NETFILTER */
-/* just make it work for now, it doesn't matter, since there is no nfmark */
-#define IPSEC_SA_REF_HOST_FIELD_TYPE unsigned long
-#endif /* CONFIG_NETFILTER */
-#define IPSEC_SA_REF_HOST_FIELD_WIDTH (8 * sizeof(IPSEC_SA_REF_HOST_FIELD_TYPE))
-#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
-
-#define IPSEC_SA_REF_MASK        (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
-#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
-#define IPSEC_SA_REF_ENTRY_MASK  (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH))
-
-#define IPsecSAref2table(x) (((x) & IPSEC_SA_REF_TABLE_MASK) >> IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
-#define IPsecSAref2entry(x) ((x) & IPSEC_SA_REF_ENTRY_MASK)
-#define IPsecSArefBuild(x,y) (((x) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) + (y))
-
-#define IPsecSAref2SA(x) (ipsec_sadb.refTable[IPsecSAref2table(x)]->entry[IPsecSAref2entry(x)])
-#define IPsecSA2SAref(x) ((x)->ips_ref)
-
-#define EMT_INBOUND    0x01    /* SA direction, 1=inbound */
-
-/* 'struct ipsec_sa' should be 64bit aligned when allocated. */
-struct ipsec_sa                                
-{
-       IPsecSAref_t    ips_ref;                /* reference table entry number */
-       atomic_t        ips_refcount;           /* reference count for this struct */
-       struct ipsec_sa *ips_hnext;             /* next in hash chain */
-       struct ipsec_sa *ips_inext;             /* pointer to next xform */
-       struct ipsec_sa *ips_onext;             /* pointer to prev xform */
-
-       struct ifnet    *ips_rcvif;             /* related rcv encap interface */
-
-       struct sa_id    ips_said;               /* SA ID */
-
-       __u32           ips_seq;                /* seq num of msg that initiated this SA */
-       __u32           ips_pid;                /* PID of process that initiated this SA */
-       __u8            ips_authalg;            /* auth algorithm for this SA */
-       __u8            ips_encalg;             /* enc algorithm for this SA */
-
-       struct ipsec_stats ips_errs;
-
-       __u8            ips_replaywin;          /* replay window size */
-       __u8            ips_state;              /* state of SA */
-       __u32           ips_replaywin_lastseq;  /* last pkt sequence num */
-       __u64           ips_replaywin_bitmap;   /* bitmap of received pkts */
-       __u32           ips_replaywin_maxdiff;  /* max pkt sequence difference */
-
-       __u32           ips_flags;              /* generic xform flags */
-
-
-       struct ipsec_lifetimes ips_life;        /* lifetime records */
-
-       /* selector information */
-       struct sockaddr*ips_addr_s;             /* src sockaddr */
-       struct sockaddr*ips_addr_d;             /* dst sockaddr */
-       struct sockaddr*ips_addr_p;             /* proxy sockaddr */
-       __u16           ips_addr_s_size;
-       __u16           ips_addr_d_size;
-       __u16           ips_addr_p_size;
-       ip_address      ips_flow_s;
-       ip_address      ips_flow_d;
-       ip_address      ips_mask_s;
-       ip_address      ips_mask_d;
-
-       __u16           ips_key_bits_a;         /* size of authkey in bits */
-       __u16           ips_auth_bits;          /* size of authenticator in bits */
-       __u16           ips_key_bits_e;         /* size of enckey in bits */
-       __u16           ips_iv_bits;            /* size of IV in bits */
-       __u8            ips_iv_size;
-       __u16           ips_key_a_size;
-       __u16           ips_key_e_size;
-
-       caddr_t         ips_key_a;              /* authentication key */
-       caddr_t         ips_key_e;              /* encryption key */
-       caddr_t         ips_iv;                 /* Initialisation Vector */
-
-       struct ident    ips_ident_s;            /* identity src */
-       struct ident    ips_ident_d;            /* identity dst */
-
-#ifdef CONFIG_IPSEC_IPCOMP
-       __u16           ips_comp_adapt_tries;   /* ipcomp self-adaption tries */
-       __u16           ips_comp_adapt_skip;    /* ipcomp self-adaption to-skip */
-       __u64           ips_comp_ratio_cbytes;  /* compressed bytes */
-       __u64           ips_comp_ratio_dbytes;  /* decompressed (or uncompressed) bytes */
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-       __u8            ips_natt_type;
-       __u8            ips_natt_reserved[3];
-       __u16           ips_natt_sport;
-       __u16           ips_natt_dport;
-
-       struct sockaddr *ips_natt_oa;
-       __u16           ips_natt_oa_size;
-       __u16           ips_natt_reserved2;
-#endif
-
-#if 0
-       __u32           ips_sens_dpd;
-       __u8            ips_sens_sens_level;
-       __u8            ips_sens_sens_len;
-       __u64*          ips_sens_sens_bitmap;
-       __u8            ips_sens_integ_level;
-       __u8            ips_sens_integ_len;
-       __u64*          ips_sens_integ_bitmap;
-#endif
-       struct ipsec_alg_enc *ips_alg_enc;
-       struct ipsec_alg_auth *ips_alg_auth;
-       IPsecSAref_t    ips_ref_rel;
-};
-
-struct IPsecSArefSubTable
-{
-       struct ipsec_sa* entry[IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES];
-};
-
-struct ipsec_sadb {
-       struct IPsecSArefSubTable* refTable[IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES];
-       IPsecSAref_t refFreeList[IPSEC_SA_REF_FREELIST_NUM_ENTRIES];
-       int refFreeListHead;
-       int refFreeListTail;
-       IPsecSAref_t refFreeListCont;
-       IPsecSAref_t said_hash[SADB_HASHMOD];
-       spinlock_t sadb_lock;
-};
-
-extern struct ipsec_sadb ipsec_sadb;
-
-extern int ipsec_SAref_recycle(void);
-extern int ipsec_SArefSubTable_alloc(unsigned table);
-extern int ipsec_saref_freelist_init(void);
-extern int ipsec_sadb_init(void);
-extern struct ipsec_sa *ipsec_sa_alloc(int*error); /* pass in error var by pointer */
-extern IPsecSAref_t ipsec_SAref_alloc(int*erorr); /* pass in error var by pointer */
-extern int ipsec_sa_free(struct ipsec_sa* ips);
-extern struct ipsec_sa *ipsec_sa_getbyid(struct sa_id *said);
-extern int ipsec_sa_put(struct ipsec_sa *ips);
-extern int ipsec_sa_add(struct ipsec_sa *ips);
-extern int ipsec_sa_del(struct ipsec_sa *ips);
-extern int ipsec_sa_delchain(struct ipsec_sa *ips);
-extern int ipsec_sadb_cleanup(__u8 proto);
-extern int ipsec_sadb_free(void);
-extern int ipsec_sa_wipe(struct ipsec_sa *ips);
-#endif /* __KERNEL__ */
-
-enum ipsec_direction {
-       ipsec_incoming = 1,
-       ipsec_outgoing = 2
-};
-
-#define _IPSEC_SA_H_
-#endif /* _IPSEC_SA_H_ */
diff --git a/src/libfreeswan/ipsec_sha1.h b/src/libfreeswan/ipsec_sha1.h
deleted file mode 100644 (file)
index a0fcd90..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * RCSID $Id$
- */
-
-/*
- * Here is the original comment from the distribution:
-
-SHA-1 in C
-By Steve Reid <steve@edmweb.com>
-100% Public Domain
-
- * Adapted for use by the IPSEC code by John Ioannidis
- */
-
-
-#ifndef _IPSEC_SHA1_H_
-#define _IPSEC_SHA1_H_
-
-typedef struct
-{
-       __u32   state[5];
-       __u32   count[2];
-       __u8    buffer[64];
-} SHA1_CTX;
-
-void SHA1Transform(__u32 state[5], __u8 buffer[64]);
-void SHA1Init(void *context);
-void SHA1Update(void *context, unsigned char *data, __u32 len);
-void SHA1Final(unsigned char digest[20], void *context);
-
-#endif /* _IPSEC_SHA1_H_ */
diff --git a/src/libfreeswan/ipsec_stats.h b/src/libfreeswan/ipsec_stats.h
deleted file mode 100644 (file)
index 41b3044..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * @(#) definition of ipsec_stats structure
- *
- * Copyright (C) 2001  Richard Guy Briggs  <rgb@freeswan.org>
- *                 and Michael Richardson  <mcr@freeswan.org>
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- *
- */
-
-/* 
- * This file describes the errors/statistics that FreeSWAN collects.
- */
-
-#ifndef _IPSEC_STATS_H_
-
-struct ipsec_stats {
-       __u32           ips_alg_errs;          /* number of algorithm errors */
-       __u32           ips_auth_errs;         /* # of authentication errors */
-       __u32           ips_encsize_errs;      /* # of encryption size errors*/
-       __u32           ips_encpad_errs;       /* # of encryption pad  errors*/
-       __u32           ips_replaywin_errs;    /* # of pkt sequence errors */
-};
-
-extern int ipsec_snprintf(char * buf, ssize_t size, const char *fmt, ...);
-
-#define _IPSEC_STATS_H_
-#endif /* _IPSEC_STATS_H_ */
diff --git a/src/libfreeswan/ipsec_tunnel.h b/src/libfreeswan/ipsec_tunnel.h
deleted file mode 100644 (file)
index d3b688e..0000000
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * IPSEC tunneling code
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#include <linux/types.h>
-
-#ifdef NET_21
-# define DEV_QUEUE_XMIT(skb, device, pri) {\
-       skb->dev = device; \
-       neigh_compat_output(skb); \
-       /* skb->dst->output(skb); */ \
- }
-# define ICMP_SEND(skb_in, type, code, info, dev) \
-       icmp_send(skb_in, type, code, htonl(info))
-# define IP_SEND(skb, dev) \
-       ip_send(skb);
-#else /* NET_21 */
-# define DEV_QUEUE_XMIT(skb, device, pri) {\
-       dev_queue_xmit(skb, device, pri); \
- }
-# define ICMP_SEND(skb_in, type, code, info, dev) \
-       icmp_send(skb_in, type, code, info, dev)
-# define IP_SEND(skb, dev) \
-       if(ntohs(iph->tot_len) > physmtu) { \
-               ip_fragment(NULL, skb, dev, 0); \
-               ipsec_kfree_skb(skb); \
-       } else { \
-               dev_queue_xmit(skb, dev, SOPRI_NORMAL); \
-       }
-#endif /* NET_21 */
-
-
-/*
- * Heavily based on drivers/net/new_tunnel.c.  Lots
- * of ideas also taken from the 2.1.x version of drivers/net/shaper.c
- */
-
-struct ipsectunnelconf
-{
-       __u32   cf_cmd;
-       union
-       {
-               char    cfu_name[12];
-       } cf_u;
-#define cf_name cf_u.cfu_name
-};
-
-#define IPSEC_SET_DEV  (SIOCDEVPRIVATE)
-#define IPSEC_DEL_DEV  (SIOCDEVPRIVATE + 1)
-#define IPSEC_CLR_DEV  (SIOCDEVPRIVATE + 2)
-
-#ifdef __KERNEL__
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#  define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
-#endif
-struct ipsecpriv
-{
-       struct sk_buff_head sendq;
-       struct device *dev;
-       struct wait_queue *wait_queue;
-       char locked;
-       int  (*hard_start_xmit) (struct sk_buff *skb,
-               struct device *dev);
-       int  (*hard_header) (struct sk_buff *skb,
-               struct device *dev,
-               unsigned short type,
-               void *daddr,
-               void *saddr,
-               unsigned len);
-#ifdef NET_21
-       int  (*rebuild_header)(struct sk_buff *skb);
-#else /* NET_21 */
-       int  (*rebuild_header)(void *buff, struct device *dev,
-                       unsigned long raddr, struct sk_buff *skb);
-#endif /* NET_21 */
-       int  (*set_mac_address)(struct device *dev, void *addr);
-#ifndef NET_21
-       void (*header_cache_bind)(struct hh_cache **hhp, struct device *dev,
-                                unsigned short htype, __u32 daddr);
-#endif /* !NET_21 */
-       void (*header_cache_update)(struct hh_cache *hh, struct device *dev, unsigned char *  haddr);
-       struct net_device_stats *(*get_stats)(struct device *dev);
-       struct net_device_stats mystats;
-       int mtu;        /* What is the desired MTU? */
-};
-
-extern char ipsec_tunnel_c_version[];
-
-extern struct device *ipsecdevices[IPSEC_NUM_IF];
-
-int ipsec_tunnel_init_devices(void);
-
-/* void */ int ipsec_tunnel_cleanup_devices(void);
-
-extern /* void */ int ipsec_init(void);
-
-extern int ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev);
-
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_tunnel;
-extern int sysctl_ipsec_debug_verbose;
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* __KERNEL__ */
-
-#ifdef CONFIG_IPSEC_DEBUG
-#define DB_TN_INIT     0x0001
-#define DB_TN_PROCFS   0x0002
-#define DB_TN_XMIT     0x0010
-#define DB_TN_OHDR     0x0020
-#define DB_TN_CROUT    0x0040
-#define DB_TN_OXFS     0x0080
-#define DB_TN_REVEC    0x0100
-#endif /* CONFIG_IPSEC_DEBUG */
diff --git a/src/libfreeswan/ipsec_xform.h b/src/libfreeswan/ipsec_xform.h
deleted file mode 100644 (file)
index d06d968..0000000
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Definitions relevant to IPSEC transformations
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#ifndef _IPSEC_XFORM_H_
-
-#include <freeswan.h>
-#include "ipsec_policy.h"
-
-#define XF_NONE                        0       /* No transform set */
-#define XF_IP4                 1       /* IPv4 inside IPv4 */
-#define XF_AHMD5               2       /* AH MD5 */
-#define XF_AHSHA               3       /* AH SHA */
-#define XF_ESP3DES             5       /* ESP DES3-CBC */
-#define XF_AHHMACMD5           6       /* AH-HMAC-MD5 with opt replay prot */
-#define XF_AHHMACSHA1          7       /* AH-HMAC-SHA1 with opt replay prot */
-#define XF_ESP3DESMD5          9       /* triple DES, HMAC-MD-5, 128-bits of authentication */
-#define        XF_ESP3DESMD596         10      /* triple DES, HMAC-MD-5, 96-bits of authentication */
-#define        XF_ESPNULLMD596         12      /* NULL, HMAC-MD-5 with 96-bits of authentication */
-#define        XF_ESPNULLSHA196        13      /* NULL, HMAC-SHA-1 with 96-bits of authentication */
-#define        XF_ESP3DESSHA196        14      /* triple DES, HMAC-SHA-1, 96-bits of authentication */
-#define XF_IP6                 15      /* IPv6 inside IPv6 */
-#define XF_COMPDEFLATE         16      /* IPCOMP deflate */
-
-#define XF_CLR                 126     /* Clear SA table */
-#define XF_DEL                 127     /* Delete SA */
-
-#define XFT_AUTH               0x0001
-#define XFT_CONF               0x0100
-
-/* available if CONFIG_IPSEC_DEBUG is defined */
-#define DB_XF_INIT             0x0001
-
-#define PROTO2TXT(x) \
-       (x) == IPPROTO_AH ? "AH" : \
-       (x) == IPPROTO_ESP ? "ESP" : \
-       (x) == IPPROTO_IPIP ? "IPIP" : \
-       (x) == IPPROTO_COMP ? "COMP" : \
-       "UNKNOWN_proto"
-static inline const char *enc_name_id (unsigned id) {
-       static char buf[16];
-       snprintf(buf, sizeof(buf), "_ID%d", id);
-       return buf;
-}
-static inline const char *auth_name_id (unsigned id) {
-       static char buf[16];
-       snprintf(buf, sizeof(buf), "_ID%d", id);
-       return buf;
-}
-#define IPS_XFORM_NAME(x) \
-       PROTO2TXT((x)->ips_said.proto), \
-       (x)->ips_said.proto == IPPROTO_COMP ? \
-               ((x)->ips_encalg == SADB_X_CALG_DEFLATE ? \
-                "_DEFLATE" : "_UNKNOWN_comp") : \
-       (x)->ips_encalg == ESP_NONE ? "" : \
-       (x)->ips_encalg == ESP_3DES ? "_3DES" : \
-       (x)->ips_encalg == ESP_AES ? "_AES" : \
-       (x)->ips_encalg == ESP_SERPENT ? "_SERPENT" : \
-       (x)->ips_encalg == ESP_TWOFISH ? "_TWOFISH" : \
-       enc_name_id(x->ips_encalg)/* "_UNKNOWN_encr" */, \
-       (x)->ips_authalg == AH_NONE ? "" : \
-       (x)->ips_authalg == AH_MD5 ? "_HMAC_MD5" : \
-       (x)->ips_authalg == AH_SHA ? "_HMAC_SHA1" : \
-       (x)->ips_authalg == AH_SHA2_256 ? "_HMAC_SHA2_256" : \
-       (x)->ips_authalg == AH_SHA2_384 ? "_HMAC_SHA2_384" : \
-       (x)->ips_authalg == AH_SHA2_512 ? "_HMAC_SHA2_512" : \
-       auth_name_id(x->ips_authalg) /* "_UNKNOWN_auth" */ \
-
-#define _IPSEC_XFORM_H_
-#endif /* _IPSEC_XFORM_H_ */
diff --git a/src/libfreeswan/ipsec_xmit.h b/src/libfreeswan/ipsec_xmit.h
deleted file mode 100644 (file)
index 886e84a..0000000
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * IPSEC tunneling code
- * Copyright (C) 1996, 1997  John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- *
- * RCSID $Id$
- */
-
-#include "freeswan/ipsec_sa.h"
-
-enum ipsec_xmit_value
-{
-       IPSEC_XMIT_STOLEN=2,
-       IPSEC_XMIT_PASS=1,
-       IPSEC_XMIT_OK=0,
-       IPSEC_XMIT_ERRMEMALLOC=-1,
-       IPSEC_XMIT_ESP_BADALG=-2,
-       IPSEC_XMIT_BADPROTO=-3,
-       IPSEC_XMIT_ESP_PUSHPULLERR=-4,
-       IPSEC_XMIT_BADLEN=-5,
-       IPSEC_XMIT_AH_BADALG=-6,
-       IPSEC_XMIT_SAIDNOTFOUND=-7,
-       IPSEC_XMIT_SAIDNOTLIVE=-8,
-       IPSEC_XMIT_REPLAYROLLED=-9,
-       IPSEC_XMIT_LIFETIMEFAILED=-10,
-       IPSEC_XMIT_CANNOTFRAG=-11,
-       IPSEC_XMIT_MSSERR=-12,
-       IPSEC_XMIT_ERRSKBALLOC=-13,
-       IPSEC_XMIT_ENCAPFAIL=-14,
-       IPSEC_XMIT_NODEV=-15,
-       IPSEC_XMIT_NOPRIVDEV=-16,
-       IPSEC_XMIT_NOPHYSDEV=-17,
-       IPSEC_XMIT_NOSKB=-18,
-       IPSEC_XMIT_NOIPV6=-19,
-       IPSEC_XMIT_NOIPOPTIONS=-20,
-       IPSEC_XMIT_TTLEXPIRED=-21,
-       IPSEC_XMIT_BADHHLEN=-22,
-       IPSEC_XMIT_PUSHPULLERR=-23,
-       IPSEC_XMIT_ROUTEERR=-24,
-       IPSEC_XMIT_RECURSDETECT=-25,
-       IPSEC_XMIT_IPSENDFAILURE=-26,
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-       IPSEC_XMIT_ESPUDP=-27,
-#endif 
-};
-
-struct ipsec_xmit_state
-{
-       struct sk_buff *skb;            /* working skb pointer */
-       struct device *dev;             /* working dev pointer */
-       struct ipsecpriv *prv;          /* Our device' private space */
-       struct sk_buff *oskb;           /* Original skb pointer */
-       struct net_device_stats *stats; /* This device's statistics */
-       struct iphdr  *iph;             /* Our new IP header */
-       __u32   newdst;                 /* The other SG's IP address */
-       __u32   orgdst;                 /* Original IP destination address */
-       __u32   orgedst;                /* 1st SG's IP address */
-       __u32   newsrc;                 /* The new source SG's IP address */
-       __u32   orgsrc;                 /* Original IP source address */
-       __u32   innersrc;               /* Innermost IP source address */
-       int     iphlen;                 /* IP header length */
-       int     pyldsz;                 /* upper protocol payload size */
-       int     headroom;
-       int     tailroom;
-       int     max_headroom;           /* The extra header space needed */
-       int     max_tailroom;           /* The extra stuffing needed */
-       int     ll_headroom;            /* The extra link layer hard_header space needed */
-       int     tot_headroom;           /* The total header space needed */
-       int     tot_tailroom;           /* The totalstuffing needed */
-       __u8    *saved_header;          /* saved copy of the hard header */
-       unsigned short   sport, dport;
-
-       struct sockaddr_encap matcher;  /* eroute search key */
-       struct eroute *eroute;
-       struct ipsec_sa *ipsp, *ipsq;   /* ipsec_sa pointers */
-       char sa_txt[SATOA_BUF];
-       size_t sa_len;
-       int hard_header_stripped;       /* has the hard header been removed yet? */
-       int hard_header_len;
-       struct device *physdev;
-/*     struct device *virtdev; */
-       short physmtu;
-       short mtudiff;
-#ifdef NET_21
-       struct rtable *route;
-#endif /* NET_21 */
-       struct sa_id outgoing_said;
-#ifdef NET_21
-       int pass;
-#endif /* NET_21 */
-       int error;
-       uint32_t eroute_pid;
-       struct ipsec_sa ips;
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL      
-       uint8_t natt_type;
-       uint8_t natt_head;
-       uint16_t natt_sport;
-       uint16_t natt_dport;
-#endif         
-};
-
-#if 0 /* save for alg refactorisation */
-struct xform_functions
-{
-       enum ipsec_xmit_value (*checks)(struct ipsec_xmit_state *ixs,
-                                      struct sk_buff *skb);
-        enum ipsec_xmit_value (*encrypt)(struct ipsec_xmit_state *ixs);
-
-       enum ipsec_xmit_value (*setup_auth)(struct ipsec_xmit_state *ixs,
-                                          struct sk_buff *skb,
-                                          __u32          *replay,
-                                          unsigned char **authenticator);
-       enum ipsec_xmit_value (*calc_auth)(struct ipsec_xmit_state *ixs,
-                                       struct sk_buff *skb);
-};
-#endif
-
-enum ipsec_xmit_value
-ipsec_xmit_sanity_check_dev(struct ipsec_xmit_state *ixs);
-
-enum ipsec_xmit_value
-ipsec_xmit_sanity_check_skb(struct ipsec_xmit_state *ixs);
-
-enum ipsec_xmit_value
-ipsec_xmit_encap_bundle(struct ipsec_xmit_state *ixs);
-
-extern int ipsec_xmit_trap_count;
-extern int ipsec_xmit_trap_sendcount;
-
-extern void ipsec_extract_ports(struct iphdr * iph, struct sockaddr_encap * er);
index 25c4f93..b3793b0 100644 (file)
 
 #ifndef __NET_IPSEC_PF_KEY_H
 #define __NET_IPSEC_PF_KEY_H
-#ifdef __KERNEL__
-extern struct proto_ops pfkey_proto_ops;
-typedef struct sock pfkey_sock;
-extern int debug_pfkey;
-
-extern /* void */ int pfkey_init(void);
-extern /* void */ int pfkey_cleanup(void);
-
-extern struct sock *pfkey_sock_list;
-struct socket_list
-{
-       struct socket *socketp;
-       struct socket_list *next;
-};
-extern int pfkey_list_insert_socket(struct socket*, struct socket_list**);
-extern int pfkey_list_remove_socket(struct socket*, struct socket_list**);
-extern struct socket_list *pfkey_open_sockets;
-extern struct socket_list *pfkey_registered_sockets[SADB_SATYPE_MAX+1];
-
-/* 
- *     There is a field-by-field copy in klips/net/ipsec/ipsec_alg.h
- *     please keep in sync until we migrate all support stuff
- *     to ipsec_alg objects
- */
-struct supported
-{
-       uint16_t supported_alg_exttype;
-       uint8_t supported_alg_id;
-       uint8_t supported_alg_ivlen;
-       uint16_t supported_alg_minbits;
-       uint16_t supported_alg_maxbits;
-};
-extern struct supported_list *pfkey_supported_list[SADB_SATYPE_MAX+1];
-struct supported_list
-{
-       struct supported *supportedp;
-       struct supported_list *next;
-};
-extern int pfkey_list_insert_supported(struct supported*, struct supported_list**);
-extern int pfkey_list_remove_supported(struct supported*, struct supported_list**);
-
-struct sockaddr_key
-{
-       uint16_t        key_family;     /* PF_KEY */
-       uint16_t        key_pad;        /* not used */
-       uint32_t        key_pid;        /* process ID */
-};
-
-struct pfkey_extracted_data
-{
-       struct ipsec_sa* ips;
-       struct ipsec_sa* ips2;
-       struct eroute *eroute;
-};
-
-extern int
-pfkey_alloc_eroute(struct eroute** eroute);
-
-extern int
-pfkey_sa_process(struct sadb_ext *pfkey_ext,
-                struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_lifetime_process(struct sadb_ext *pfkey_ext,
-                      struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_address_process(struct sadb_ext *pfkey_ext,
-                     struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_key_process(struct sadb_ext *pfkey_ext,
-                 struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_ident_process(struct sadb_ext *pfkey_ext,
-                   struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_sens_process(struct sadb_ext *pfkey_ext,
-                  struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_prop_process(struct sadb_ext *pfkey_ext,
-                  struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_supported_process(struct sadb_ext *pfkey_ext,
-                       struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_spirange_process(struct sadb_ext *pfkey_ext,
-                      struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_x_kmprivate_process(struct sadb_ext *pfkey_ext,
-                         struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_x_satype_process(struct sadb_ext *pfkey_ext,
-                      struct pfkey_extracted_data* extr);
-
-extern int
-pfkey_x_debug_process(struct sadb_ext *pfkey_ext,
-                     struct pfkey_extracted_data* extr);
-
-extern int pfkey_register_reply(int satype, struct sadb_msg *);
-extern int pfkey_upmsg(struct socket *, struct sadb_msg *);
-extern int pfkey_expire(struct ipsec_sa *, int);
-extern int pfkey_acquire(struct ipsec_sa *);
-#else /* ! __KERNEL__ */
 
 extern void (*pfkey_debug_func)(const char *message, ...);
 
-#endif /* __KERNEL__ */
-
 extern uint8_t satype2proto(uint8_t satype);
 extern uint8_t proto2satype(uint8_t proto);
 extern char* satype2name(uint8_t satype);
@@ -242,12 +129,6 @@ pfkey_ident_build(struct sadb_ext**        pfkey_ext,
                  uint8_t               ident_len,
                  char*                 ident_string);
 
-#ifdef __KERNEL__
-extern int pfkey_nat_t_new_mapping(struct ipsec_sa *, struct sockaddr *, __u16);
-extern int pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr);
-extern int pfkey_x_nat_t_port_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr);
-#endif /* __KERNEL__ */
-
 int
 pfkey_x_nat_t_type_build(struct sadb_ext**  pfkey_ext,
             uint8_t         type);
index 312edbc..12ef26f 100644 (file)
 
 char pfkey_v2_build_c_version[] = "$Id$";
 
-/*
- * Some ugly stuff to allow consistent debugging code for use in the
- * kernel and in user space
-*/
-
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-# include "freeswan/ipsec_kversion.h" /* for malloc switch */
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-# include <linux/ip.h>          /* struct iphdr */ 
-# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-#  include <linux/ipv6.h>        /* struct ipv6hdr */
-# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
-
-# define MALLOC(size) kmalloc(size, GFP_ATOMIC)
-# define FREE(obj) kfree(obj)
-# include <freeswan.h>
-#else /* __KERNEL__ */
-
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
-# include <malloc.h>
+# include <sys/socket.h>
+# include <stdlib.h>
+# include <errno.h>
 # include <string.h> /* memset */
 
 # include <freeswan.h>
@@ -63,8 +32,6 @@ unsigned int pfkey_lib_debug = 0;
 
 void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
 
-/* #define PLUTO */
-
 #define DEBUGGING(args...)  if(pfkey_lib_debug) { \
                               if(pfkey_debug_func != NULL) { \
                                 (*pfkey_debug_func)("pfkey_lib_debug:" args); \
@@ -73,22 +40,10 @@ void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
                               } }
 # define MALLOC(size) malloc(size)
 # define FREE(obj) free(obj)
-#endif /* __KERNEL__ */
 
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
-#ifdef __KERNEL__
-
-#include "freeswan/radij.h"  /* rd_nodes */
-#include "freeswan/ipsec_encap.h"  /* sockaddr_encap */
-
-# define DEBUGGING(args...) \
-         KLIPS_PRINT(debug_pfkey, "klips_debug:" args)
-#endif /* __KERNEL__ */
-
-#include "ipsec_sa.h"  /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
-
 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
 
 void
@@ -483,14 +438,14 @@ pfkey_address_build(struct sadb_ext**     pfkey_ext,
                        "found address family AF_INET6.\n");
                saddr_len = sizeof(struct sockaddr_in6);
                sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x-%x"
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[0])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[1])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[2])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[3])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[4])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[5])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[6])
-                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr16[7])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[0])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[1])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[2])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[3])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[4])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[5])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[6])
+                       , ntohs(((struct sockaddr_in6*)address)->sin6_addr.s6_addr[7])
                        , ntohs(((struct sockaddr_in6*)address)->sin6_port));
                break;
        default:
index e50a651..eca568d 100644 (file)
  *
  */
 
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-# include "freeswan/ipsec_kversion.h" /* for malloc switch */
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-extern int debug_pfkey;
-
-#else /* __KERNEL__ */
-
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
-
-#endif /* __KERNEL__ */
+# include <errno.h>
 
 #include "freeswan.h"
 #include "pfkeyv2.h"
index 7264ac4..4daf0cd 100644 (file)
 
 char pfkey_v2_ext_bits_c_version[] = "$Id$";
 
-/*
- * Some ugly stuff to allow consistent debugging code for use in the
- * kernel and in user space
-*/
-
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-# include "freeswan/ipsec_kversion.h" /* for malloc switch */
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-# include <linux/ip.h>          /* struct iphdr */ 
-# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-#  include <linux/ipv6.h>
-# endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
-
-#else /* __KERNEL__ */
-
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
-#endif
+# include <errno.h>
 
 #include <freeswan.h>
 #include <pfkeyv2.h>
index 7032bd8..d1bbbcd 100644 (file)
 
 char pfkey_v2_parse_c_version[] = "$Id$";
 
-/*
- * Some ugly stuff to allow consistent debugging code for use in the
- * kernel and in user space
-*/
-
-#ifdef __KERNEL__
-
-# include <linux/kernel.h>  /* for printk */
-
-#include "freeswan/ipsec_kversion.h" /* for malloc switch */
-
-# ifdef MALLOC_SLAB
-#  include <linux/slab.h> /* kmalloc() */
-# else /* MALLOC_SLAB */
-#  include <linux/malloc.h> /* kmalloc() */
-# endif /* MALLOC_SLAB */
-# include <linux/errno.h>  /* error codes */
-# include <linux/types.h>  /* size_t */
-# include <linux/interrupt.h> /* mark_bh */
-
-# include <linux/netdevice.h>   /* struct device, and other headers */
-# include <linux/etherdevice.h> /* eth_type_trans */
-# include <linux/ip.h>          /* struct iphdr */ 
-# if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-#  include <linux/ipv6.h>        /* struct ipv6hdr */
-# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
-extern int debug_pfkey;
-
-#include "freeswan.h"
-
-#include "ipsec_encap.h"
-
-#else /* __KERNEL__ */
-
 # include <sys/types.h>
-# include <linux/types.h>
-# include <linux/errno.h>
+# include <sys/socket.h>
+# include <errno.h>
 
 # include <freeswan.h>
 # include <constants.h>
 # include <defs.h>  /* for PRINTF_LIKE */
 # include <log.h>  /* for debugging and DBG_log */
 
-/* #define PLUTO */
-
 # ifdef PLUTO
 #  define DEBUGGING(level, args...)  { DBG_log("pfkey_lib_debug:" args);  }
 # else
 #  define DEBUGGING(level, args...)  if(pfkey_lib_debug & level) { printf("pfkey_lib_debug:" args); } else { ; }
 # endif
 
-#endif /* __KERNEL__ */
-
-
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
-#ifdef __KERNEL__
-extern int sysctl_ipsec_debug_verbose;
-# define DEBUGGING(level, args...) \
-         KLIPS_PRINT( \
-               ((debug_pfkey & level & (PF_KEY_DEBUG_PARSE_STRUCT | PF_KEY_DEBUG_PARSE_PROBLEM)) \
-                || (sysctl_ipsec_debug_verbose && (debug_pfkey & level & PF_KEY_DEBUG_PARSE_FLOW))) \
-               , "klips_debug:" args)
-#endif /* __KERNEL__ */
-#include "ipsec_sa.h"  /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
-
 
 #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
 
@@ -96,21 +47,11 @@ struct satype_tbl {
        uint8_t satype;
        char* name;
 } static satype_tbl[] = {
-#ifdef __KERNEL__
-       { IPPROTO_ESP,  SADB_SATYPE_ESP,        "ESP"  },
-       { IPPROTO_AH,   SADB_SATYPE_AH,         "AH"   },
-       { IPPROTO_IPIP, SADB_X_SATYPE_IPIP,     "IPIP" },
-#ifdef CONFIG_IPSEC_IPCOMP
-       { IPPROTO_COMP, SADB_X_SATYPE_COMP,     "COMP" },
-#endif /* CONFIG_IPSEC_IPCOMP */
-       { IPPROTO_INT,  SADB_X_SATYPE_INT,      "INT" },
-#else /* __KERNEL__ */
        { SA_ESP,       SADB_SATYPE_ESP,        "ESP"  },
        { SA_AH,        SADB_SATYPE_AH,         "AH"   },
        { SA_IPIP,      SADB_X_SATYPE_IPIP,     "IPIP" },
        { SA_COMP,      SADB_X_SATYPE_COMP,     "COMP" },
        { SA_INT,       SADB_X_SATYPE_INT,      "INT" },
-#endif /* __KERNEL__ */
        { 0,            0,                      "UNKNOWN" }
 };
 
@@ -418,14 +359,14 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
        case AF_INET6:
                saddr_len = sizeof(struct sockaddr_in6);
                sprintf(ipaddr_txt, "%x:%x:%x:%x:%x:%x:%x:%x"
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[0])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[1])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[2])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[3])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[4])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[5])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[6])
-                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr16[7]));
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[0])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[1])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[2])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[3])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[4])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[5])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[6])
+                       , ntohs(((struct sockaddr_in6*)s)->sin6_addr.s6_addr[7]));
                DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
                          "pfkey_address_parse: "
                          "found exttype=%u(%s) family=%d(AF_INET6) address=%s proto=%u port=%u.\n",
index 2669ee6..6a5127c 100644 (file)
@@ -14,6 +14,8 @@
  *
  * RCSID $Id$
  */
+#include <sys/socket.h>
+
 #include "internal.h"
 #include "freeswan.h"
 
diff --git a/src/libfreeswan/radij.h b/src/libfreeswan/radij.h
deleted file mode 100644 (file)
index c6a2fc0..0000000
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * RCSID $Id$
- */
-
-/*
- * This file is defived from ${SRC}/sys/net/radix.h of BSD 4.4lite
- *
- * Variable and procedure names have been modified so that they don't
- * conflict with the original BSD code, as a small number of modifications
- * have been introduced and we may want to reuse this code in BSD.
- * 
- * The `j' in `radij' is pronounced as a voiceless guttural (like a Greek
- * chi or a German ch sound (as `doch', not as in `milch'), or even a 
- * spanish j as in Juan.  It is not as far back in the throat like
- * the corresponding Hebrew sound, nor is it a soft breath like the English h.
- * It has nothing to do with the Dutch ij sound.
- * 
- * Here is the appropriate copyright notice:
- */
-
-/*
- * Copyright (c) 1988, 1989, 1993
- *     The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *     This product includes software developed by the University of
- *     California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *     @(#)radix.h     8.1 (Berkeley) 6/10/93
- */
-
-#ifndef _RADIJ_H_
-#define        _RADIJ_H_
-
-/* 
-#define RJ_DEBUG
-*/
-
-#ifdef __KERNEL__
-
-#ifndef __P
-#ifdef __STDC__
-#define __P(x)  x
-#else
-#define __P(x)  ()
-#endif
-#endif
-
-/*
- * Radix search tree node layout.
- */
-
-struct radij_node
-{
-       struct  radij_mask *rj_mklist;  /* list of masks contained in subtree */
-       struct  radij_node *rj_p;       /* parent */
-       short   rj_b;                   /* bit offset; -1-index(netmask) */
-       char    rj_bmask;               /* node: mask for bit test*/
-       u_char  rj_flags;               /* enumerated next */
-#define RJF_NORMAL     1               /* leaf contains normal route */
-#define RJF_ROOT       2               /* leaf is root leaf for tree */
-#define RJF_ACTIVE     4               /* This node is alive (for rtfree) */
-       union {
-               struct {                        /* leaf only data: */
-                       caddr_t rj_Key; /* object of search */
-                       caddr_t rj_Mask;        /* netmask, if present */
-                       struct  radij_node *rj_Dupedkey;
-               } rj_leaf;
-               struct {                        /* node only data: */
-                       int     rj_Off;         /* where to start compare */
-                       struct  radij_node *rj_L;/* progeny */
-                       struct  radij_node *rj_R;/* progeny */
-               }rj_node;
-       }               rj_u;
-#ifdef RJ_DEBUG
-       int rj_info;
-       struct radij_node *rj_twin;
-       struct radij_node *rj_ybro;
-#endif
-};
-
-#define rj_dupedkey rj_u.rj_leaf.rj_Dupedkey
-#define rj_key rj_u.rj_leaf.rj_Key
-#define rj_mask rj_u.rj_leaf.rj_Mask
-#define rj_off rj_u.rj_node.rj_Off
-#define rj_l rj_u.rj_node.rj_L
-#define rj_r rj_u.rj_node.rj_R
-
-/*
- * Annotations to tree concerning potential routes applying to subtrees.
- */
-
-extern struct radij_mask {
-       short   rm_b;                   /* bit offset; -1-index(netmask) */
-       char    rm_unused;              /* cf. rj_bmask */
-       u_char  rm_flags;               /* cf. rj_flags */
-       struct  radij_mask *rm_mklist;  /* more masks to try */
-       caddr_t rm_mask;                /* the mask */
-       int     rm_refs;                /* # of references to this struct */
-} *rj_mkfreelist;
-
-#define MKGet(m) {\
-       if (rj_mkfreelist) {\
-               m = rj_mkfreelist; \
-               rj_mkfreelist = (m)->rm_mklist; \
-       } else \
-               R_Malloc(m, struct radij_mask *, sizeof (*(m))); }\
-
-#define MKFree(m) { (m)->rm_mklist = rj_mkfreelist; rj_mkfreelist = (m);}
-
-struct radij_node_head {
-       struct  radij_node *rnh_treetop;
-       int     rnh_addrsize;           /* permit, but not require fixed keys */
-       int     rnh_pktsize;            /* permit, but not require fixed keys */
-#if 0
-       struct  radij_node *(*rnh_addaddr)      /* add based on sockaddr */
-               __P((void *v, void *mask,
-                    struct radij_node_head *head, struct radij_node nodes[]));
-#endif
-       int (*rnh_addaddr)      /* add based on sockaddr */
-               __P((void *v, void *mask,
-                    struct radij_node_head *head, struct r