Merge branch 'stroke-timeout'
authorMartin Willi <martin@revosec.ch>
Mon, 18 Mar 2013 09:11:46 +0000 (10:11 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 18 Mar 2013 09:11:46 +0000 (10:11 +0100)
Add a strongswan.conf timeout option for stroke control commands.

464 files changed:
Android.mk
Doxyfile.in
NEWS
configure.in
m4/macros/enable-disable.m4
man/ipsec.conf.5.in
man/strongswan.conf.5.in
scripts/.gitignore
scripts/Makefile.am
scripts/dnssec.c [new file with mode: 0644]
src/Makefile.am
src/charon-nm/nm/nm_service.c
src/charon/charon.c
src/conftest/config.c
src/conftest/config.h
src/conftest/hooks/hook.h
src/frontends/android/AndroidManifest.xml
src/frontends/android/jni/libandroidbridge/backend/android_creds.h
src/frontends/android/jni/libandroidbridge/backend/android_service.c
src/frontends/android/jni/libandroidbridge/kernel/android_ipsec.h
src/frontends/android/jni/libandroidbridge/kernel/android_net.h
src/frontends/android/jni/libandroidbridge/kernel/network_manager.h
src/frontends/android/res/values-de/arrays.xml
src/frontends/android/res/values-pl/arrays.xml
src/frontends/android/res/values-ru/arrays.xml
src/frontends/android/res/values-ua/arrays.xml
src/frontends/android/res/values/arrays.xml
src/frontends/android/src/org/strongswan/android/data/VpnType.java
src/libcharon/Android.mk
src/libcharon/Makefile.am
src/libcharon/config/ike_cfg.c
src/libcharon/config/ike_cfg.h
src/libcharon/encoding/message.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/traffic_selector_substructure.c
src/libcharon/plugins/android/Makefile.am [deleted file]
src/libcharon/plugins/android/android_creds.c [deleted file]
src/libcharon/plugins/android/android_creds.h [deleted file]
src/libcharon/plugins/android/android_handler.c [deleted file]
src/libcharon/plugins/android/android_handler.h [deleted file]
src/libcharon/plugins/android/android_plugin.c [deleted file]
src/libcharon/plugins/android/android_plugin.h [deleted file]
src/libcharon/plugins/android/android_service.c [deleted file]
src/libcharon/plugins/android/android_service.h [deleted file]
src/libcharon/plugins/android_dns/Makefile.am [new file with mode: 0644]
src/libcharon/plugins/android_dns/android_dns_handler.c [new file with mode: 0644]
src/libcharon/plugins/android_dns/android_dns_handler.h [new file with mode: 0644]
src/libcharon/plugins/android_dns/android_dns_plugin.c [new file with mode: 0644]
src/libcharon/plugins/android_dns/android_dns_plugin.h [new file with mode: 0644]
src/libcharon/plugins/eap_tnc/eap_tnc.c
src/libcharon/plugins/eap_tnc/eap_tnc.h
src/libcharon/plugins/eap_ttls/eap_ttls_server.c
src/libcharon/plugins/ha/ha_tunnel.c
src/libcharon/plugins/ipseckey/Makefile.am [new file with mode: 0644]
src/libcharon/plugins/ipseckey/ipseckey.c [new file with mode: 0644]
src/libcharon/plugins/ipseckey/ipseckey.h [new file with mode: 0644]
src/libcharon/plugins/ipseckey/ipseckey_cred.c [new file with mode: 0644]
src/libcharon/plugins/ipseckey/ipseckey_cred.h [new file with mode: 0644]
src/libcharon/plugins/ipseckey/ipseckey_plugin.c [new file with mode: 0644]
src/libcharon/plugins/ipseckey/ipseckey_plugin.h [new file with mode: 0644]
src/libcharon/plugins/load_tester/load_tester_config.c
src/libcharon/plugins/maemo/maemo_service.c
src/libcharon/plugins/medcli/medcli_config.c
src/libcharon/plugins/medsrv/medsrv_config.c
src/libcharon/plugins/medsrv/medsrv_config.h
src/libcharon/plugins/medsrv/medsrv_creds.h
src/libcharon/plugins/medsrv/medsrv_plugin.h
src/libcharon/plugins/socket_default/socket_default_socket.c
src/libcharon/plugins/sql/sql_config.c
src/libcharon/plugins/stroke/stroke_config.c
src/libcharon/plugins/stroke/stroke_socket.c
src/libcharon/plugins/systime_fix/Makefile.am [new file with mode: 0644]
src/libcharon/plugins/systime_fix/systime_fix_plugin.c [new file with mode: 0644]
src/libcharon/plugins/systime_fix/systime_fix_plugin.h [new file with mode: 0644]
src/libcharon/plugins/systime_fix/systime_fix_validator.c [new file with mode: 0644]
src/libcharon/plugins/systime_fix/systime_fix_validator.h [new file with mode: 0644]
src/libcharon/plugins/tnc_imc/Makefile.am
src/libcharon/plugins/tnc_imv/Makefile.am
src/libcharon/plugins/tnc_pdp/tnc_pdp.c
src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h
src/libcharon/plugins/tnc_tnccs/Makefile.am
src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c
src/libcharon/plugins/tnccs_11/tnccs_11.c
src/libcharon/plugins/tnccs_11/tnccs_11.h
src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c
src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h
src/libcharon/plugins/tnccs_20/tnccs_20.c
src/libcharon/plugins/tnccs_20/tnccs_20.h
src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c
src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
src/libcharon/plugins/uci/uci_config.c
src/libcharon/plugins/unity/unity_handler.c
src/libcharon/sa/eap/eap_inner_method.h [new file with mode: 0644]
src/libcharon/sa/ike_sa.c
src/libcharon/sa/ike_sa_manager.c
src/libcharon/sa/ikev1/keymat_v1.c
src/libcharon/sa/ikev1/task_manager_v1.c
src/libcharon/sa/ikev1/tasks/quick_mode.c
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
src/libcharon/sa/ikev2/task_manager_v2.c
src/libcharon/sa/ikev2/tasks/child_create.c
src/libcharon/sa/ikev2/tasks/ike_auth.c
src/libcharon/sa/ikev2/tasks/ike_dpd.c
src/libfast/controller.h
src/libhydra/attributes/mem_pool.c
src/libhydra/attributes/mem_pool.h
src/libhydra/kernel/kernel_interface.c
src/libhydra/kernel/kernel_interface.h
src/libhydra/kernel/kernel_ipsec.h
src/libhydra/kernel/kernel_net.h
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
src/libimcv/ietf/ietf_attr.h
src/libimcv/ietf/ietf_attr_assess_result.c
src/libimcv/ietf/ietf_attr_assess_result.h
src/libimcv/ietf/ietf_attr_attr_request.c
src/libimcv/ietf/ietf_attr_attr_request.h
src/libimcv/ietf/ietf_attr_default_pwd_enabled.c
src/libimcv/ietf/ietf_attr_default_pwd_enabled.h
src/libimcv/ietf/ietf_attr_fwd_enabled.c
src/libimcv/ietf/ietf_attr_fwd_enabled.h
src/libimcv/ietf/ietf_attr_installed_packages.c
src/libimcv/ietf/ietf_attr_installed_packages.h
src/libimcv/ietf/ietf_attr_numeric_version.c
src/libimcv/ietf/ietf_attr_numeric_version.h
src/libimcv/ietf/ietf_attr_op_status.c
src/libimcv/ietf/ietf_attr_op_status.h
src/libimcv/ietf/ietf_attr_pa_tnc_error.c
src/libimcv/ietf/ietf_attr_pa_tnc_error.h
src/libimcv/ietf/ietf_attr_port_filter.c
src/libimcv/ietf/ietf_attr_port_filter.h
src/libimcv/ietf/ietf_attr_product_info.c
src/libimcv/ietf/ietf_attr_product_info.h
src/libimcv/ietf/ietf_attr_remediation_instr.c
src/libimcv/ietf/ietf_attr_remediation_instr.h
src/libimcv/ietf/ietf_attr_string_version.c
src/libimcv/ietf/ietf_attr_string_version.h
src/libimcv/imc/imc_agent.c
src/libimcv/imc/imc_agent.h
src/libimcv/imc/imc_msg.c
src/libimcv/imc/imc_msg.h
src/libimcv/imc/imc_state.h
src/libimcv/imcv.h
src/libimcv/imv/imv_agent.c
src/libimcv/imv/imv_agent.h
src/libimcv/imv/imv_lang_string.h
src/libimcv/imv/imv_msg.c
src/libimcv/imv/imv_msg.h
src/libimcv/imv/imv_reason_string.c
src/libimcv/imv/imv_reason_string.h
src/libimcv/imv/imv_remediation_string.h
src/libimcv/imv/imv_state.h
src/libimcv/ita/ita_attr.c
src/libimcv/ita/ita_attr.h
src/libimcv/ita/ita_attr_angel.h
src/libimcv/ita/ita_attr_command.h
src/libimcv/ita/ita_attr_dummy.h
src/libimcv/ita/ita_attr_get_settings.c
src/libimcv/ita/ita_attr_get_settings.h
src/libimcv/ita/ita_attr_settings.c
src/libimcv/ita/ita_attr_settings.h
src/libimcv/os_info/os_info.c
src/libimcv/pa_tnc/pa_tnc_attr.h
src/libimcv/pa_tnc/pa_tnc_attr_manager.h
src/libimcv/pa_tnc/pa_tnc_msg.c
src/libimcv/pa_tnc/pa_tnc_msg.h
src/libimcv/plugins/imc_os/imc_os_state.h
src/libimcv/plugins/imc_scanner/imc_scanner_state.h
src/libimcv/plugins/imc_test/imc_test_state.h
src/libimcv/plugins/imv_os/imv_os.c
src/libimcv/plugins/imv_os/imv_os_database.c
src/libimcv/plugins/imv_os/imv_os_database.h
src/libimcv/plugins/imv_os/imv_os_state.c
src/libimcv/plugins/imv_os/imv_os_state.h
src/libimcv/plugins/imv_scanner/imv_scanner_state.c
src/libimcv/plugins/imv_scanner/imv_scanner_state.h
src/libimcv/plugins/imv_test/imv_test_state.c
src/libimcv/plugins/imv_test/imv_test_state.h
src/libipsec/esp_packet.c
src/libpts/libpts.h
src/libpts/plugins/imc_attestation/imc_attestation_process.h
src/libpts/plugins/imc_attestation/imc_attestation_state.h
src/libpts/plugins/imv_attestation/attest_db.c
src/libpts/plugins/imv_attestation/attest_db.h
src/libpts/plugins/imv_attestation/imv_attestation_build.h
src/libpts/plugins/imv_attestation/imv_attestation_process.h
src/libpts/plugins/imv_attestation/imv_attestation_state.c
src/libpts/plugins/imv_attestation/imv_attestation_state.h
src/libpts/plugins/imv_attestation/tables.sql
src/libpts/pts/components/pts_comp_func_name.h
src/libpts/pts/pts.c
src/libpts/pts/pts.h
src/libpts/pts/pts_dh_group.h
src/libpts/pts/pts_file_meas.h
src/libpts/tcg/tcg_attr.c
src/libpts/tcg/tcg_attr.h
src/libpts/tcg/tcg_pts_attr_aik.c
src/libpts/tcg/tcg_pts_attr_aik.h
src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c
src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.h
src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c
src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.h
src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c
src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.h
src/libpts/tcg/tcg_pts_attr_file_meas.c
src/libpts/tcg/tcg_pts_attr_file_meas.h
src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c
src/libpts/tcg/tcg_pts_attr_gen_attest_evid.h
src/libpts/tcg/tcg_pts_attr_get_aik.c
src/libpts/tcg/tcg_pts_attr_get_aik.h
src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c
src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.h
src/libpts/tcg/tcg_pts_attr_meas_algo.c
src/libpts/tcg/tcg_pts_attr_meas_algo.h
src/libpts/tcg/tcg_pts_attr_proto_caps.c
src/libpts/tcg/tcg_pts_attr_proto_caps.h
src/libpts/tcg/tcg_pts_attr_req_file_meas.c
src/libpts/tcg/tcg_pts_attr_req_file_meas.h
src/libpts/tcg/tcg_pts_attr_req_file_meta.c
src/libpts/tcg/tcg_pts_attr_req_file_meta.h
src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c
src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.h
src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h
src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
src/libpts/tcg/tcg_pts_attr_simple_evid_final.h
src/libpts/tcg/tcg_pts_attr_tpm_version_info.c
src/libpts/tcg/tcg_pts_attr_tpm_version_info.h
src/libpts/tcg/tcg_pts_attr_unix_file_meta.c
src/libpts/tcg/tcg_pts_attr_unix_file_meta.h
src/libpttls/Makefile.am [new file with mode: 0644]
src/libpttls/pt_tls.c [new file with mode: 0644]
src/libpttls/pt_tls.h [new file with mode: 0644]
src/libpttls/pt_tls_client.c [new file with mode: 0644]
src/libpttls/pt_tls_client.h [new file with mode: 0644]
src/libpttls/pt_tls_dispatcher.c [new file with mode: 0644]
src/libpttls/pt_tls_dispatcher.h [new file with mode: 0644]
src/libpttls/pt_tls_server.c [new file with mode: 0644]
src/libpttls/pt_tls_server.h [new file with mode: 0644]
src/libpttls/sasl/sasl_mechanism.c [new file with mode: 0644]
src/libpttls/sasl/sasl_mechanism.h [new file with mode: 0644]
src/libpttls/sasl/sasl_plain/sasl_plain.c [new file with mode: 0644]
src/libpttls/sasl/sasl_plain/sasl_plain.h [new file with mode: 0644]
src/libradius/radius_message.h
src/libsimaka/simaka_manager.h
src/libstrongswan/Android.mk
src/libstrongswan/Makefile.am
src/libstrongswan/asn1/oid.txt
src/libstrongswan/bio/bio_reader.c
src/libstrongswan/bio/bio_reader.h
src/libstrongswan/credentials/auth_cfg.c
src/libstrongswan/credentials/cert_validator.h
src/libstrongswan/credentials/cred_encoding.h
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/crypto/crypto_tester.c
src/libstrongswan/library.c
src/libstrongswan/library.h
src/libstrongswan/networking/packet.c
src/libstrongswan/networking/packet.h
src/libstrongswan/networking/tun_device.c
src/libstrongswan/pen/pen.c
src/libstrongswan/pen/pen.h
src/libstrongswan/plugins/ccm/ccm_aead.h
src/libstrongswan/plugins/curl/curl_fetcher.c
src/libstrongswan/plugins/dnskey/Makefile.am
src/libstrongswan/plugins/dnskey/dnskey_builder.c
src/libstrongswan/plugins/dnskey/dnskey_encoder.c [new file with mode: 0644]
src/libstrongswan/plugins/dnskey/dnskey_encoder.h [new file with mode: 0644]
src/libstrongswan/plugins/dnskey/dnskey_plugin.c
src/libstrongswan/plugins/gcm/gcm_aead.h
src/libstrongswan/plugins/openssl/Makefile.am
src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
src/libstrongswan/plugins/openssl/openssl_gcm.c [new file with mode: 0644]
src/libstrongswan/plugins/openssl/openssl_gcm.h [new file with mode: 0644]
src/libstrongswan/plugins/openssl/openssl_hmac.c
src/libstrongswan/plugins/openssl/openssl_pkcs7.c
src/libstrongswan/plugins/openssl/openssl_plugin.c
src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
src/libstrongswan/plugins/rdrand/rdrand_rng.h
src/libstrongswan/plugins/unbound/Makefile.am [new file with mode: 0644]
src/libstrongswan/plugins/unbound/unbound_plugin.c [new file with mode: 0644]
src/libstrongswan/plugins/unbound/unbound_plugin.h [new file with mode: 0644]
src/libstrongswan/plugins/unbound/unbound_resolver.c [new file with mode: 0644]
src/libstrongswan/plugins/unbound/unbound_resolver.h [new file with mode: 0644]
src/libstrongswan/plugins/unbound/unbound_response.c [new file with mode: 0644]
src/libstrongswan/plugins/unbound/unbound_response.h [new file with mode: 0644]
src/libstrongswan/plugins/unbound/unbound_rr.c [new file with mode: 0644]
src/libstrongswan/plugins/unbound/unbound_rr.h [new file with mode: 0644]
src/libstrongswan/resolver/resolver.h [new file with mode: 0644]
src/libstrongswan/resolver/resolver_manager.c [new file with mode: 0644]
src/libstrongswan/resolver/resolver_manager.h [new file with mode: 0644]
src/libstrongswan/resolver/resolver_response.h [new file with mode: 0644]
src/libstrongswan/resolver/rr.h [new file with mode: 0644]
src/libstrongswan/resolver/rr_set.c [new file with mode: 0644]
src/libstrongswan/resolver/rr_set.h [new file with mode: 0644]
src/libstrongswan/selectors/traffic_selector.c
src/libstrongswan/selectors/traffic_selector.h
src/libstrongswan/threading/thread.c
src/libstrongswan/utils/backtrace.c
src/libstrongswan/utils/backtrace.h
src/libstrongswan/utils/capabilities.c
src/libstrongswan/utils/chunk.h
src/libstrongswan/utils/identification.c
src/libstrongswan/utils/identification.h
src/libstrongswan/utils/leak_detective.c
src/libstrongswan/utils/utils.c
src/libstrongswan/utils/utils.h
src/libtls/tls.c
src/libtls/tls.h
src/libtls/tls_fragmentation.c
src/libtls/tls_handshake.h
src/libtls/tls_peer.c
src/libtls/tls_peer.h
src/libtls/tls_server.c
src/libtls/tls_server.h
src/libtls/tls_socket.c
src/libtls/tls_socket.h
src/libtnccs/Makefile.am
src/libtnccs/tnc/tnccs/tnccs.h
src/libtnccs/tnc/tnccs/tnccs_manager.h
src/libtncif/Android.mk
src/libtncif/Makefile.am
src/libtncif/tncif_identity.c [new file with mode: 0644]
src/libtncif/tncif_identity.h [new file with mode: 0644]
src/libtncif/tncif_names.c
src/libtncif/tncif_names.h
src/libtncif/tncif_pa_subtypes.c
src/libtncif/tncif_pa_subtypes.h
src/libtncif/tncifimv.h
src/manager/controller/auth_controller.h
src/manager/controller/config_controller.h
src/manager/controller/control_controller.h
src/manager/controller/gateway_controller.h
src/manager/controller/ikesa_controller.h
src/manager/manager.h
src/medsrv/controller/peer_controller.h
src/medsrv/controller/user_controller.h
src/medsrv/filter/auth_filter.h
src/medsrv/user.h
src/pki/command.h
src/pki/commands/pub.c
src/pki/pki.c
src/pki/pki.h
src/scepclient/scep.c
src/scepclient/scep.h
src/scepclient/scepclient.c
src/starter/args.c
src/starter/cmp.c
src/starter/confread.c
src/starter/confread.h
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starterstroke.c
src/stroke/stroke.c
src/stroke/stroke_msg.h
testing/config/kernel/config-3.8 [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/K.+008+32329.key [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/K.+008+32329.private [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/K.+008+43749.key [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/K.+008+43749.private [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/Korg.+008+24285.key [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/Korg.+008+24285.private [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/Korg.+008+51859.key [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/Korg.+008+51859.private [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.key [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+00481.private [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.key [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/Kstrongswan.org.+008+09396.private [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/bind.keys [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/db.org [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/db.root [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/db.strongswan.org [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/named.conf.default-zones [new file with mode: 0644]
testing/hosts/winnetou/etc/bind/named.conf.local [new file with mode: 0644]
testing/scripts/build-baseimage
testing/scripts/build-guestimages
testing/scripts/recipes/005_strongswan.mk
testing/ssh [new file with mode: 0755]
testing/start-testing
testing/testing.conf
testing/tests/ikev1/net2net-fragmentation/description.txt [new file with mode: 0644]
testing/tests/ikev1/net2net-fragmentation/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev1/net2net-fragmentation/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-fragmentation/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/net2net-fragmentation/test.conf [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/description.txt [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/net2net-dnssec/test.conf [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/description.txt [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-dnssec/test.conf [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/description.txt [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat [new file with mode: 0644]
testing/tests/openssl-ikev2/alg-aes-gcm/test.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp/evaltest.dat
testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-tls/evaltest.dat
testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf

index 0b8da5b..b17a3f6 100644 (file)
@@ -17,7 +17,7 @@ include $(CLEAR_VARS)
 # this is the list of plugins that are built into libstrongswan and charon
 # also these plugins are loaded by default (if not changed in strongswan.conf)
 strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
-       pkcs1 pkcs8 pem xcbc hmac kernel-netlink socket-default android \
+       pkcs1 pkcs8 pem xcbc hmac kernel-netlink socket-default android-dns \
        stroke eap-identity eap-mschapv2 eap-md5 eap-gtc
 
 ifneq ($(strongswan_BUILD_SCEPCLIENT),)
index 343f130..ac0a96c 100644 (file)
@@ -1,14 +1,14 @@
-# Doxyfile 1.5.6
+# Doxyfile 1.8.1.2
 
 # This file describes the settings to be used by the documentation system
-# doxygen (www.doxygen.org) for a project
+# doxygen (www.doxygen.org) for a project.
 #
-# All text after a hash (#) is considered a comment and will be ignored
+# All text after a hash (#) is considered a comment and will be ignored.
 # The format is:
 #       TAG = value [value, ...]
 # For lists items can also be appended using:
 #       TAG += value [value, ...]
-# Values that contain spaces should be placed between quotes (" ")
+# Values that contain spaces should be placed between quotes (" ").
 
 #---------------------------------------------------------------------------
 # Project related configuration options
@@ -22,8 +22,9 @@
 
 DOXYFILE_ENCODING      = UTF-8
 
-# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
-# by quotes) that should identify the project.
+# The PROJECT_NAME tag is a single word (or sequence of words) that should
+# identify the project. Note that if you do not use Doxywizard you need
+# to put quotes around the project name if it contains spaces.
 
 PROJECT_NAME           = "@PACKAGE_NAME@"
 
@@ -33,6 +34,19 @@ PROJECT_NAME           = "@PACKAGE_NAME@"
 
 PROJECT_NUMBER         = "@PACKAGE_VERSION@"
 
+# Using the PROJECT_BRIEF tag one can provide an optional one line description
+# for a project that appears at the top of each page and should give viewer
+# a quick idea about the purpose of the project. Keep the description short.
+
+PROJECT_BRIEF          =
+
+# With the PROJECT_LOGO tag one can specify an logo or icon that is
+# included in the documentation. The maximum height of the logo should not
+# exceed 55 pixels and the maximum width should not exceed 200 pixels.
+# Doxygen will copy the logo to the output directory.
+
+PROJECT_LOGO           =
+
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.
 # If a relative path is entered, it will be relative to the location
@@ -54,11 +68,11 @@ CREATE_SUBDIRS         = NO
 # information to generate all constant output in the proper language.
 # The default language is English, other supported languages are:
 # Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional,
-# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek,
-# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages),
-# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish,
-# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish,
-# and Ukrainian.
+# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German,
+# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English
+# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian,
+# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrillic, Slovak,
+# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese.
 
 OUTPUT_LANGUAGE        = English
 
@@ -126,7 +140,7 @@ STRIP_FROM_PATH        =
 STRIP_FROM_INC_PATH    =
 
 # If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter
-# (but less readable) file names. This can be useful is your file systems
+# (but less readable) file names. This can be useful if your file system
 # doesn't support long names like on DOS, Mac, or CD-ROM.
 
 SHORT_NAMES            = NO
@@ -181,6 +195,13 @@ TAB_SIZE               = 4
 
 ALIASES                =
 
+# This tag can be used to specify a number of word-keyword mappings (TCL only).
+# A mapping has the form "name=value". For example adding
+# "class=itcl::class" will allow you to use the command class in the
+# itcl::class meaning.
+
+TCL_SUBST              =
+
 # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
 # sources only. Doxygen will then generate output that is more tailored for C.
 # For instance, some of the names that are used will be different. The list
@@ -207,11 +228,32 @@ OPTIMIZE_FOR_FORTRAN   = NO
 
 OPTIMIZE_OUTPUT_VHDL   = NO
 
+# Doxygen selects the parser to use depending on the extension of the files it
+# parses. With this tag you can assign which parser to use for a given extension.
+# Doxygen has a built-in mapping, but you can override or extend it using this
+# tag. The format is ext=language, where ext is a file extension, and language
+# is one of the parsers supported by doxygen: IDL, Java, Javascript, CSharp, C,
+# C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, C++. For instance to make
+# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C
+# (default is Fortran), use: inc=Fortran f=C. Note that for custom extensions
+# you also need to set FILE_PATTERNS otherwise the files are not read by doxygen.
+
+EXTENSION_MAPPING      =
+
+# If MARKDOWN_SUPPORT is enabled (the default) then doxygen pre-processes all
+# comments according to the Markdown format, which allows for more readable
+# documentation. See http://daringfireball.net/projects/markdown/ for details.
+# The output of markdown processing is further processed by doxygen, so you
+# can mix doxygen, HTML, and XML commands with Markdown formatting.
+# Disable only in case of backward compatibilities issues.
+
+MARKDOWN_SUPPORT       = YES
+
 # If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
 # to include (a tag file for) the STL sources as input, then you should
 # set this tag to YES in order to let doxygen match functions declarations and
 # definitions whose arguments contain STL classes (e.g. func(std::string); v.s.
-# func(std::string) {}). This also make the inheritance and collaboration
+# func(std::string) {}). This also makes the inheritance and collaboration
 # diagrams that involve STL classes more complete and accurate.
 
 BUILTIN_STL_SUPPORT    = NO
@@ -229,7 +271,7 @@ SIP_SUPPORT            = NO
 
 # For Microsoft's IDL there are propget and propput attributes to indicate getter
 # and setter methods for a property. Setting this option to YES (the default)
-# will make doxygen to replace the get and set methods by a property in the
+# will make doxygen replace the get and set methods by a property in the
 # documentation. This will only work if the methods are indeed getting or
 # setting a simple type. If this is not the case, or you want to show the
 # methods anyway, you should set this option to NO.
@@ -251,6 +293,22 @@ DISTRIBUTE_GROUP_DOC   = NO
 
 SUBGROUPING            = YES
 
+# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and
+# unions are shown inside the group in which they are included (e.g. using
+# @ingroup) instead of on a separate page (for HTML and Man pages) or
+# section (for LaTeX and RTF).
+
+INLINE_GROUPED_CLASSES = NO
+
+# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and
+# unions with only public data fields will be shown inline in the documentation
+# of the scope in which they are defined (i.e. file, namespace, or group
+# documentation), provided this scope is documented. If set to NO (the default),
+# structs, classes, and unions are shown on a separate page (for HTML and Man
+# pages) or section (for LaTeX and RTF).
+
+INLINE_SIMPLE_STRUCTS  = NO
+
 # When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum
 # is documented as struct, union, or enum with the name of the typedef. So
 # typedef struct TypeS {} TypeT, will appear in the documentation as a struct
@@ -261,6 +319,33 @@ SUBGROUPING            = YES
 
 TYPEDEF_HIDES_STRUCT   = YES
 
+# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to
+# determine which symbols to keep in memory and which to flush to disk.
+# When the cache is full, less often used symbols will be written to disk.
+# For small to medium size projects (<1000 input files) the default value is
+# probably good enough. For larger projects a too small cache size can cause
+# doxygen to be busy swapping symbols to and from disk most of the time
+# causing a significant performance penalty.
+# If the system has enough physical memory increasing the cache will improve the
+# performance by keeping more symbols in memory. Note that the value works on
+# a logarithmic scale so increasing the size by one will roughly double the
+# memory usage. The cache size is given by this formula:
+# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0,
+# corresponding to a cache size of 2^16 = 65536 symbols.
+
+SYMBOL_CACHE_SIZE      = 0
+
+# Similar to the SYMBOL_CACHE_SIZE the size of the symbol lookup cache can be
+# set using LOOKUP_CACHE_SIZE. This cache is used to resolve symbols given
+# their name and scope. Since this can be an expensive process and often the
+# same symbol appear multiple times in the code, doxygen keeps a cache of
+# pre-resolved symbols. If the cache is too small doxygen will become slower.
+# If the cache is too large, memory is wasted. The cache size is given by this
+# formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range is 0..9, the default is 0,
+# corresponding to a cache size of 2^16 = 65536 symbols.
+
+LOOKUP_CACHE_SIZE      = 0
+
 #---------------------------------------------------------------------------
 # Build related configuration options
 #---------------------------------------------------------------------------
@@ -277,6 +362,10 @@ EXTRACT_ALL            = NO
 
 EXTRACT_PRIVATE        = NO
 
+# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal scope will be included in the documentation.
+
+EXTRACT_PACKAGE        = NO
+
 # If the EXTRACT_STATIC tag is set to YES all static members of a file
 # will be included in the documentation.
 
@@ -299,7 +388,7 @@ EXTRACT_LOCAL_METHODS  = NO
 # extracted and appear in the documentation as a namespace called
 # 'anonymous_namespace{file}', where file will be replaced with the base
 # name of the file that contains the anonymous namespace. By default
-# anonymous namespace are hidden.
+# anonymous namespaces are hidden.
 
 EXTRACT_ANON_NSPACES   = NO
 
@@ -359,6 +448,12 @@ HIDE_SCOPE_NAMES       = NO
 
 SHOW_INCLUDE_FILES     = NO
 
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen
+# will list include files with double quotes in the documentation
+# rather than with sharp brackets.
+
+FORCE_LOCAL_INCLUDES   = NO
+
 # If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
 # is inserted in the documentation for inline members.
 
@@ -378,6 +473,16 @@ SORT_MEMBER_DOCS       = NO
 
 SORT_BRIEF_DOCS        = NO
 
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen
+# will sort the (brief and detailed) documentation of class members so that
+# constructors and destructors are listed first. If set to NO (the default)
+# the constructors will appear in the respective orders defined by
+# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS.
+# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO
+# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO.
+
+SORT_MEMBERS_CTORS_1ST = NO
+
 # If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the
 # hierarchy of group names into alphabetical order. If set to NO (the default)
 # the group names will appear in their defined order.
@@ -394,6 +499,15 @@ SORT_GROUP_NAMES       = NO
 
 SORT_BY_SCOPE_NAME     = NO
 
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to
+# do proper type resolution of all parameters of a function it will reject a
+# match between the prototype and the implementation of a member function even
+# if there is only one candidate or it is obvious which candidate to choose
+# by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen
+# will still accept a match between prototype and implementation in such cases.
+
+STRICT_PROTO_MATCHING  = NO
+
 # The GENERATE_TODOLIST tag can be used to enable (YES) or
 # disable (NO) the todo list. This list is created by putting \todo
 # commands in the documentation.
@@ -424,10 +538,10 @@ GENERATE_DEPRECATEDLIST= NO
 ENABLED_SECTIONS       =
 
 # The MAX_INITIALIZER_LINES tag determines the maximum number of lines
-# the initial value of a variable or define consists of for it to appear in
+# the initial value of a variable or macro consists of for it to appear in
 # the documentation. If the initializer consists of more lines than specified
 # here it will be hidden. Use a value of 0 to hide initializers completely.
-# The appearance of the initializer of individual variables and defines in the
+# The appearance of the initializer of individual variables and macros in the
 # documentation can be controlled using \showinitializer or \hideinitializer
 # command in the documentation regardless of this setting.
 
@@ -439,20 +553,15 @@ MAX_INITIALIZER_LINES  = 30
 
 SHOW_USED_FILES        = NO
 
-# If the sources in your project are distributed over multiple directories
-# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
-# in the documentation. The default is NO.
-
-SHOW_DIRECTORIES       = YES
-
 # Set the SHOW_FILES tag to NO to disable the generation of the Files page.
 # This will remove the Files entry from the Quick Index and from the
 # Folder Tree View (if specified). The default is YES.
 
-SHOW_FILES             = NO
+SHOW_FILES             = YES
 
 # Set the SHOW_NAMESPACES tag to NO to disable the generation of the
-# Namespaces page.  This will remove the Namespaces entry from the Quick Index
+# Namespaces page.
+# This will remove the Namespaces entry from the Quick Index
 # and from the Folder Tree View (if specified). The default is YES.
 
 SHOW_NAMESPACES        = YES
@@ -467,6 +576,25 @@ SHOW_NAMESPACES        = YES
 
 FILE_VERSION_FILTER    =
 
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
+# by doxygen. The layout file controls the global structure of the generated
+# output files in an output format independent way. To create the layout file
+# that represents doxygen's defaults, run doxygen with the -l option.
+# You can optionally specify a file name after the option, if omitted
+# DoxygenLayout.xml will be used as the name of the layout file.
+
+LAYOUT_FILE            =
+
+# The CITE_BIB_FILES tag can be used to specify one or more bib files
+# containing the references data. This must be a list of .bib files. The
+# .bib extension is automatically appended if omitted. Using this command
+# requires the bibtex tool to be installed. See also
+# http://en.wikipedia.org/wiki/BibTeX for more info. For LaTeX the style
+# of the bibliography can be controlled using LATEX_BIB_STYLE. To use this
+# feature you need bibtex and perl available in the search path.
+
+CITE_BIB_FILES         =
+
 #---------------------------------------------------------------------------
 # configuration options related to warning and progress messages
 #---------------------------------------------------------------------------
@@ -495,13 +623,13 @@ WARN_IF_UNDOCUMENTED   = NO
 
 WARN_IF_DOC_ERROR      = YES
 
-# This WARN_NO_PARAMDOC option can be abled to get warnings for
+# The WARN_NO_PARAMDOC option can be enabled to get warnings for
 # functions that are documented, but have no documentation for their parameters
 # or return value. If set to NO (the default) doxygen will only warn about
 # wrong or incomplete parameter documentation, but not about the absence of
 # documentation.
 
-WARN_NO_PARAMDOC       = NO
+WARN_NO_PARAMDOC       = YES
 
 # The WARN_FORMAT tag determines the format of the warning messages that
 # doxygen can produce. The string should contain the $file, $line, and $text
@@ -527,17 +655,7 @@ WARN_LOGFILE           =
 # directories like "/usr/src/myproject". Separate the files or directories
 # with spaces.
 
-INPUT                  = @SRC_DIR@/src/libstrongswan \
-                         @SRC_DIR@/src/libhydra \
-                         @SRC_DIR@/src/libcharon \
-                         @SRC_DIR@/src/libipsec \
-                         @SRC_DIR@/src/libsimaka \
-                         @SRC_DIR@/src/libtls \
-                         @SRC_DIR@/src/libradius \
-                         @SRC_DIR@/src/libtnccs \
-                         @SRC_DIR@/src/libtncif \
-                         @SRC_DIR@/src/libfast \
-                         @SRC_DIR@/src/manager
+INPUT                  = @SRC_DIR@/src/
 
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
@@ -551,8 +669,9 @@ INPUT_ENCODING         = UTF-8
 # FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
 # and *.h) to filter out the source-files in the directories. If left
 # blank the following patterns are tested:
-# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx
-# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
+# *.c *.cc *.cxx *.cpp *.c++ *.d *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh
+# *.hxx *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.dox *.py
+# *.f90 *.f *.for *.vhd *.vhdl
 
 FILE_PATTERNS          = *.h
 
@@ -562,17 +681,19 @@ FILE_PATTERNS          = *.h
 
 RECURSIVE              = YES
 
-# The EXCLUDE tag can be used to specify files and/or directories that should
+# The EXCLUDE tag can be used to specify files and/or directories that should be
 # excluded from the INPUT source files. This way you can easily exclude a
 # subdirectory from a directory tree whose root is specified with the INPUT tag.
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
 
-EXCLUDE                =
+EXCLUDE                = @SRC_DIR@/src/include
 
-# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
-# directories that are symbolic links (a Unix filesystem feature) are excluded
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+# directories that are symbolic links (a Unix file system feature) are excluded
 # from the input.
 
-EXCLUDE_SYMLINKS       = NO
+EXCLUDE_SYMLINKS       = YES
 
 # If the value of the INPUT tag contains directories, you can use the
 # EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
@@ -621,17 +742,20 @@ IMAGE_PATH             =
 # by executing (via popen()) the command <filter> <input-file>, where <filter>
 # is the value of the INPUT_FILTER tag, and <input-file> is the name of an
 # input file. Doxygen will then use the output that the filter program writes
-# to standard output.  If FILTER_PATTERNS is specified, this tag will be
+# to standard output.
+# If FILTER_PATTERNS is specified, this tag will be
 # ignored.
 
 INPUT_FILTER           =
 
 # The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
-# basis.  Doxygen will compare the file name with each pattern and apply the
-# filter if there is a match.  The filters are a list of the form:
+# basis.
+# Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match.
+# The filters are a list of the form:
 # pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
-# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER
-# is applied to all files.
+# info on how filters are used. If FILTER_PATTERNS is empty or if
+# non of the patterns match the file name, INPUT_FILTER is applied.
 
 FILTER_PATTERNS        =
 
@@ -641,6 +765,14 @@ FILTER_PATTERNS        =
 
 FILTER_SOURCE_FILES    = NO
 
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any)
+# and it is also possible to disable source filtering for a specific pattern
+# using *.ext= (so without naming a filter). This option only has effect when
+# FILTER_SOURCE_FILES is enabled.
+
+FILTER_SOURCE_PATTERNS =
+
 #---------------------------------------------------------------------------
 # configuration options related to source browsing
 #---------------------------------------------------------------------------
@@ -650,7 +782,7 @@ FILTER_SOURCE_FILES    = NO
 # Note: To get rid of all source code in the generated output, make sure also
 # VERBATIM_HEADERS is set to NO.
 
-SOURCE_BROWSER         = NO
+SOURCE_BROWSER         = YES
 
 # Setting the INLINE_SOURCES tag to YES will include the body
 # of functions and classes directly in the documentation.
@@ -659,7 +791,7 @@ INLINE_SOURCES         = NO
 
 # Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
 # doxygen to hide any special comment blocks from generated source code
-# fragments. Normal C and C++ comments will always remain visible.
+# fragments. Normal C, C++ and Fortran comments will always remain visible.
 
 STRIP_CODE_COMMENTS    = NO
 
@@ -678,7 +810,8 @@ REFERENCES_RELATION    = NO
 # If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
 # and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
 # functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
-# link to the source code.  Otherwise they will link to the documentstion.
+# link to the source code.
+# Otherwise they will link to the documentation.
 
 REFERENCES_LINK_SOURCE = YES
 
@@ -742,7 +875,14 @@ HTML_FILE_EXTENSION    = .html
 
 # The HTML_HEADER tag can be used to specify a personal HTML header for
 # each generated HTML page. If it is left blank doxygen will generate a
-# standard header.
+# standard header. Note that when using a custom header you are responsible
+#  for the proper inclusion of any scripts and style sheets that doxygen
+# needs, which is dependent on the configuration options used.
+# It is advised to generate a default header using "doxygen -w html
+# header.html footer.html stylesheet.css YourConfigFile" and then modify
+# that header. Note that the header is subject to change so you typically
+# have to redo this when upgrading to a newer version of doxygen or when
+# changing the value of configuration settings such as GENERATE_TREEVIEW!
 
 HTML_HEADER            =
 
@@ -757,22 +897,66 @@ HTML_FOOTER            =
 # fine-tune the look of the HTML output. If the tag is left blank doxygen
 # will generate a default style sheet. Note that doxygen will try to copy
 # the style sheet file to the HTML output directory, so don't put your own
-# stylesheet in the HTML output directory as well, or it will be erased!
+# style sheet in the HTML output directory as well, or it will be erased!
 
 HTML_STYLESHEET        =
 
-# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
-# files or namespaces will be aligned in HTML using tables. If set to
-# NO a bullet list will be used.
+# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the HTML output directory. Note
+# that these files will be copied to the base HTML output directory. Use the
+# $relpath$ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that
+# the files will be copied as-is; there are no commands or markers available.
 
-HTML_ALIGN_MEMBERS     = YES
+HTML_EXTRA_FILES       =
 
-# If the GENERATE_HTMLHELP tag is set to YES, additional index files
-# will be generated that can be used as input for tools like the
-# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
-# of the generated HTML documentation.
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output.
+# Doxygen will adjust the colors in the style sheet and background images
+# according to this color. Hue is specified as an angle on a colorwheel,
+# see http://en.wikipedia.org/wiki/Hue for more information.
+# For instance the value 0 represents red, 60 is yellow, 120 is green,
+# 180 is cyan, 240 is blue, 300 purple, and 360 is red again.
+# The allowed range is 0 to 359.
 
-GENERATE_HTMLHELP      = NO
+HTML_COLORSTYLE_HUE    = 220
+
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of
+# the colors in the HTML output. For a value of 0 the output will use
+# grayscales only. A value of 255 will produce the most vivid colors.
+
+HTML_COLORSTYLE_SAT    = 100
+
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to
+# the luminance component of the colors in the HTML output. Values below
+# 100 gradually make the output lighter, whereas values above 100 make
+# the output darker. The value divided by 100 is the actual gamma applied,
+# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2,
+# and 100 does not change the gamma.
+
+HTML_COLORSTYLE_GAMMA  = 80
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
+# page will contain the date and time when the page was generated. Setting
+# this to NO can help when comparing the output of multiple runs.
+
+HTML_TIMESTAMP         = YES
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded.
+
+HTML_DYNAMIC_SECTIONS  = YES
+
+# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of
+# entries shown in the various tree structured indices initially; the user
+# can expand and collapse entries dynamically later on. Doxygen will expand
+# the tree to such a level that at most the specified number of entries are
+# visible (unless a fully collapsed tree already exceeds this amount).
+# So setting the number of entries 1 will produce a full collapsed tree by
+# default. 0 is a special value representing an infinite number of entries
+# and will result in a full expanded tree by default.
+
+HTML_INDEX_NUM_ENTRIES = 100
 
 # If the GENERATE_DOCSET tag is set to YES, additional index files
 # will be generated that can be used as input for Apple's Xcode 3
@@ -782,6 +966,8 @@ GENERATE_HTMLHELP      = NO
 # directory and running "make install" will install the docset in
 # ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
 # it at startup.
+# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
+# for more information.
 
 GENERATE_DOCSET        = NO
 
@@ -799,13 +985,22 @@ DOCSET_FEEDNAME        = "Doxygen generated docs"
 
 DOCSET_BUNDLE_ID       = org.doxygen.Project
 
-# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
-# documentation will contain sections that can be hidden and shown after the
-# page has loaded. For this to work a browser that supports
-# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox
-# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
+# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely identify
+# the documentation publisher. This should be a reverse domain-name style
+# string, e.g. com.mycompany.MyDocSet.documentation.
 
-HTML_DYNAMIC_SECTIONS  = NO
+DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
+
+# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher.
+
+DOCSET_PUBLISHER_NAME  = Publisher
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP      = NO
 
 # If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
 # be used to specify the file name of the resulting .chm file. You
@@ -844,40 +1039,114 @@ BINARY_TOC             = NO
 
 TOC_EXPAND             = NO
 
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
-# top of each HTML page. The value NO (the default) enables the index and
-# the value YES disables it.
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated
+# that can be used as input for Qt's qhelpgenerator to generate a
+# Qt Compressed Help (.qch) of the generated HTML documentation.
 
-DISABLE_INDEX          = NO
+GENERATE_QHP           = NO
 
-# This tag can be used to set the number of enum values (range [1..20])
-# that doxygen will group on one line in the generated HTML documentation.
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can
+# be used to specify the file name of the resulting .qch file.
+# The path specified is relative to the HTML output folder.
 
-ENUM_VALUES_PER_LINE   = 1
+QCH_FILE               =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#namespace
+
+QHP_NAMESPACE          = org.doxygen.Project
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#virtual-folders
+
+QHP_VIRTUAL_FOLDER     = doc
+
+# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to
+# add. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#custom-filters
+
+QHP_CUST_FILTER_NAME   =
+
+# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see
+# <a href="http://doc.trolltech.com/qthelpproject.html#custom-filters">
+# Qt Help Project / Custom Filters</a>.
+
+QHP_CUST_FILTER_ATTRS  =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
+# project's
+# filter section matches.
+# <a href="http://doc.trolltech.com/qthelpproject.html#filter-attributes">
+# Qt Help Project / Filter Attributes</a>.
+
+QHP_SECT_FILTER_ATTRS  =
+
+# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can
+# be used to specify the location of Qt's qhelpgenerator.
+# If non-empty doxygen will try to run qhelpgenerator on the generated
+# .qhp file.
+
+QHG_LOCATION           =
+
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files
+#  will be generated, which together with the HTML files, form an Eclipse help
+# plugin. To install this plugin and make it available under the help contents
+# menu in Eclipse, the contents of the directory containing the HTML and XML
+# files needs to be copied into the plugins directory of eclipse. The name of
+# the directory within the plugins directory should be the same as
+# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before
+# the help appears.
+
+GENERATE_ECLIPSEHELP   = NO
+
+# A unique identifier for the eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have
+# this name.
+
+ECLIPSE_DOC_ID         = org.doxygen.Project
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs)
+# at top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it. Since the tabs have the same information as the
+# navigation tree you can set this option to NO if you already set
+# GENERATE_TREEVIEW to YES.
+
+DISABLE_INDEX          = NO
 
 # The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
 # structure should be generated to display hierarchical information.
-# If the tag value is set to FRAME, a side panel will be generated
+# If the tag value is set to YES, a side panel will be generated
 # containing a tree-like index structure (just like the one that
 # is generated for HTML Help). For this to work a browser that supports
-# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+,
-# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are
-# probably better off using the HTML help feature. Other possible values
-# for this tag are: HIERARCHIES, which will generate the Groups, Directories,
-# and Class Hiererachy pages using a tree view instead of an ordered list;
-# ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which
-# disables this behavior completely. For backwards compatibility with previous
-# releases of Doxygen, the values YES and NO are equivalent to FRAME and NONE
-# respectively.
+# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
+# Windows users are probably better off using the HTML help feature.
+# Since the tree basically has the same information as the tab index you
+# could consider to set DISABLE_INDEX to NO when enabling this option.
 
 GENERATE_TREEVIEW      = YES
 
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values
+# (range [0,1..20]) that doxygen will group on one line in the generated HTML
+# documentation. Note that a value of 0 will completely suppress the enum
+# values from appearing in the overview section.
+
+ENUM_VALUES_PER_LINE   = 1
+
 # If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
 # used to set the initial width (in pixels) of the frame in which the tree
 # is shown.
 
 TREEVIEW_WIDTH         = 250
 
+# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open
+# links to external symbols imported via tag files in a separate window.
+
+EXT_LINKS_IN_WINDOW    = NO
+
 # Use this tag to change the font size of Latex formulas included
 # as images in the HTML documentation. The default is 10. Note that
 # when you change the font size after a successful doxygen run you need
@@ -886,6 +1155,60 @@ TREEVIEW_WIDTH         = 250
 
 FORMULA_FONTSIZE       = 10
 
+# Use the FORMULA_TRANPARENT tag to determine whether or not the images
+# generated for formulas are transparent PNGs. Transparent PNGs are
+# not supported properly for IE 6.0, but are supported on all modern browsers.
+# Note that when changing this option you need to delete any form_*.png files
+# in the HTML output before the changes have effect.
+
+FORMULA_TRANSPARENT    = YES
+
+# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax
+# (see http://www.mathjax.org) which uses client side Javascript for the
+# rendering instead of using prerendered bitmaps. Use this if you do not
+# have LaTeX installed or if you want to formulas look prettier in the HTML
+# output. When enabled you may also need to install MathJax separately and
+# configure the path to it using the MATHJAX_RELPATH option.
+
+USE_MATHJAX            = NO
+
+# When MathJax is enabled you need to specify the location relative to the
+# HTML output directory using the MATHJAX_RELPATH option. The destination
+# directory should contain the MathJax.js script. For instance, if the mathjax
+# directory is located at the same level as the HTML output directory, then
+# MATHJAX_RELPATH should be ../mathjax. The default value points to
+# the MathJax Content Delivery Network so you can quickly see the result without
+# installing MathJax.
+# However, it is strongly recommended to install a local
+# copy of MathJax from http://www.mathjax.org before deployment.
+
+MATHJAX_RELPATH        = http://cdn.mathjax.org/mathjax/latest
+
+# The MATHJAX_EXTENSIONS tag can be used to specify one or MathJax extension
+# names that should be enabled during MathJax rendering.
+
+MATHJAX_EXTENSIONS     =
+
+# When the SEARCHENGINE tag is enabled doxygen will generate a search box
+# for the HTML output. The underlying search engine uses javascript
+# and DHTML and should work on any modern browser. Note that when using
+# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets
+# (GENERATE_DOCSET) there is already a search function so this one should
+# typically be disabled. For large projects the javascript based search engine
+# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution.
+
+SEARCHENGINE           = NO
+
+# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
+# implemented using a PHP enabled web server instead of at the web client
+# using Javascript. Doxygen will generate the search PHP script and index
+# file to put on the web server. The advantage of the server
+# based approach is that it scales better to large projects and allows
+# full text search. The disadvantages are that it is more difficult to setup
+# and does not have live searching capabilities.
+
+SERVER_BASED_SEARCH    = NO
+
 #---------------------------------------------------------------------------
 # configuration options related to the LaTeX output
 #---------------------------------------------------------------------------
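Review bot: `MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest` makes the generated HTML pull a script over cleartext HTTP if MathJax is ever switched on, which lets an on-path attacker inject JavaScript into every page that renders a formula. This is inert today because `USE_MATHJAX = NO` sits a few lines above it, but the default is a trap for whoever enables it later; prefer `MATHJAX_RELPATH = https://cdn.mathjax.org/mathjax/latest` or, as the comment itself recommends, a local copy under the HTML output directory. A one-line note next to the setting would also help: `# NOTE: keep this https:// or a local path; a cleartext CDN URL lets script be injected into the docs.`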
@@ -903,6 +1226,9 @@ LATEX_OUTPUT           = latex
 
 # The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
 # invoked. If left blank `latex' will be used as the default command name.
+# Note that when enabling USE_PDFLATEX this option is only used for
+# generating bitmaps for formulas in the HTML output, but not in the
+# Makefile that is written to the output directory.
 
 LATEX_CMD_NAME         = latex
 
@@ -919,7 +1245,7 @@ MAKEINDEX_CMD_NAME     = makeindex
 COMPACT_LATEX          = NO
 
 # The PAPER_TYPE tag can be used to set the paper type that is used
-# by the printer. Possible values are: a4, a4wide, letter, legal and
+# by the printer. Possible values are: a4, letter, legal and
 # executive. If left blank a4wide will be used.
 
 PAPER_TYPE             = a4wide
@@ -936,6 +1262,13 @@ EXTRA_PACKAGES         =
 
 LATEX_HEADER           =
 
+# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for
+# the generated latex document. The footer should contain everything after
+# the last chapter. If it is left blank doxygen will generate a
+# standard footer. Notice: only use this tag if you know what you are doing!
+
+LATEX_FOOTER           =
+
 # If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
 # is prepared for conversion to pdf (using ps2pdf). The pdf file will
 # contain links (just like the HTML output) instead of page references
@@ -962,6 +1295,19 @@ LATEX_BATCHMODE        = NO
 
 LATEX_HIDE_INDICES     = NO
 
+# If LATEX_SOURCE_CODE is set to YES then doxygen will include
+# source code with syntax highlighting in the LaTeX output.
+# Note that which sources are shown also depends on other settings
+# such as SOURCE_BROWSER.
+
+LATEX_SOURCE_CODE      = NO
+
+# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
+# bibliography, e.g. plainnat, or ieeetr. The default style is "plain". See
+# http://en.wikipedia.org/wiki/BibTeX for more info.
+
+LATEX_BIB_STYLE        = plain
+
 #---------------------------------------------------------------------------
 # configuration options related to the RTF output
 #---------------------------------------------------------------------------
@@ -993,7 +1339,7 @@ COMPACT_RTF            = NO
 
 RTF_HYPERLINKS         = NO
 
-# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# Load style sheet definitions from file. Syntax is similar to doxygen's
 # config file, i.e. a series of assignments. You only have to provide
 # replacements, missing definitions are set to their default value.
 
@@ -1098,8 +1444,10 @@ GENERATE_PERLMOD       = NO
 PERLMOD_LATEX          = NO
 
 # If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
-# nicely formatted so it can be parsed by a human reader.  This is useful
-# if you want to understand what is going on.  On the other hand, if this
+# nicely formatted so it can be parsed by a human reader.
+# This is useful
+# if you want to understand what is going on.
+# On the other hand, if this
 # tag is set to NO the size of the Perl module output will be much smaller
 # and Perl will parse it just the same.
 
@@ -1136,7 +1484,7 @@ MACRO_EXPANSION        = YES
 EXPAND_ONLY_PREDEF     = NO
 
 # If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
-# in the INCLUDE_PATH (see below) will be search if a #include is found.
+# pointed to by INCLUDE_PATH will be searched when a #include is found.
 
 SEARCH_INCLUDES        = YES
 
@@ -1161,20 +1509,20 @@ INCLUDE_FILE_PATTERNS  =
 # undefined via #undef or recursively expanded use the := operator
 # instead of the = operator.
 
-PREDEFINED             = LEAK_DETECTIVE
+PREDEFINED             = LEAK_DETECTIVE __attribute__(x)=
 
 # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
 # this tag can be used to specify a list of macro names that should be expanded.
 # The macro definition that is found in the sources will be used.
-# Use the PREDEFINED tag if you want to use a different macro definition.
+# Use the PREDEFINED tag if you want to use a different macro definition that
+# overrules the definition found in the source code.
 
 EXPAND_AS_DEFINED      =
 
 # If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
-# doxygen's preprocessor will remove all function-like macros that are alone
-# on a line, have an all uppercase name, and do not end with a semicolon. Such
-# function macros are typically used for boiler-plate code, and will confuse
-# the parser if not removed.
+# doxygen's preprocessor will remove all references to function-like macros
+# that are alone on a line, have an all uppercase name, and do not end with a
+# semicolon, because these will confuse the parser if not removed.
 
 SKIP_FUNCTION_MACROS   = YES
 
@@ -1182,20 +1530,18 @@ SKIP_FUNCTION_MACROS   = YES
 # Configuration::additions related to external references
 #---------------------------------------------------------------------------
 
-# The TAGFILES option can be used to specify one or more tagfiles.
-# Optionally an initial location of the external documentation
-# can be added for each tagfile. The format of a tag file without
-# this location is as follows:
-#   TAGFILES = file1 file2 ...
+# The TAGFILES option can be used to specify one or more tagfiles. For each
+# tag file the location of the external documentation should be added. The
+# format of a tag file without this location is as follows:
+#
+# TAGFILES = file1 file2 ...
 # Adding location for the tag files is done as follows:
-#   TAGFILES = file1=loc1 "file2 = loc2" ...
-# where "loc1" and "loc2" can be relative or absolute paths or
-# URLs. If a location is present for each tag, the installdox tool
-# does not have to be run to correct the links.
-# Note that each tag file must have a unique name
-# (where the name does NOT include the path)
-# If a tag file is not located in the directory in which doxygen
-# is run, you must also specify the path to the tagfile here.
+#
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where "loc1" and "loc2" can be relative or absolute paths
+# or URLs. Note that each tag file must have a unique name (where the name does
+# NOT include the path). If a tag file is not located in the directory in which
+# doxygen is run, you must also specify the path to the tagfile here.
 
 TAGFILES               =
 
@@ -1228,9 +1574,8 @@ PERL_PATH              = /usr/bin/perl
 # If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
 # generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base
 # or super classes. Setting the tag to NO turns the diagrams off. Note that
-# this option is superseded by the HAVE_DOT option below. This is only a
-# fallback. It is recommended to install and use dot, since it yields more
-# powerful graphs.
+# this option also works with HAVE_DOT disabled, but it is recommended to
+# install and use dot, since it yields more powerful graphs.
 
 CLASS_DIAGRAMS         = YES
 
@@ -1256,28 +1601,38 @@ HIDE_UNDOC_RELATIONS   = YES
 
 HAVE_DOT               = NO
 
-# By default doxygen will write a font called FreeSans.ttf to the output
-# directory and reference it in all dot files that doxygen generates. This
-# font does not include all possible unicode characters however, so when you need
-# these (or just want a differently looking font) you can specify the font name
-# using DOT_FONTNAME. You need need to make sure dot is able to find the font,
-# which can be done by putting it in a standard location or by setting the
-# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory
-# containing the font.
+# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is
+# allowed to run in parallel. When set to 0 (the default) doxygen will
+# base this on the number of processors available in the system. You can set it
+# explicitly to a value larger than 0 to get control over the balance
+# between CPU load and processing speed.
+
+DOT_NUM_THREADS        = 0
+
+# By default doxygen will use the Helvetica font for all dot files that
+# doxygen generates. When you want a differently looking font you can specify
+# the font name using DOT_FONTNAME. You need to make sure dot is able to find
+# the font, which can be done by putting it in a standard location or by setting
+# the DOTFONTPATH environment variable or by setting DOT_FONTPATH to the
+# directory containing the font.
 
 DOT_FONTNAME           = FreeSans
 
-# By default doxygen will tell dot to use the output directory to look for the
-# FreeSans.ttf font (which doxygen will put there itself). If you specify a
-# different font using DOT_FONTNAME you can set the path where dot
-# can find it using this tag.
+# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs.
+# The default size is 10pt.
+
+DOT_FONTSIZE           = 10
+
+# By default doxygen will tell dot to use the Helvetica font.
+# If you specify a different font using DOT_FONTNAME you can use DOT_FONTPATH to
+# set the path where dot can find it.
 
 DOT_FONTPATH           =
 
 # If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
 # will generate a graph for each documented class showing the direct and
 # indirect inheritance relations. Setting this tag to YES will force the
-# the CLASS_DIAGRAMS tag to NO.
+# CLASS_DIAGRAMS tag to NO.
 
 CLASS_GRAPH            = YES
 
@@ -1299,6 +1654,15 @@ GROUP_GRAPHS           = YES
 
 UML_LOOK               = NO
 
+# If the UML_LOOK tag is enabled, the fields and methods are shown inside
+# the class node. If there are many fields or methods and many nodes the
+# graph may become too big to be useful. The UML_LIMIT_NUM_FIELDS
+# threshold limits the number of items for each type to make the size more
+# managable. Set this to 0 for no limit. Note that the threshold may be
+# exceeded by 50% before the limit is enforced.
+
+UML_LIMIT_NUM_FIELDS   = 10
+
 # If set to YES, the inheritance and collaboration graphs will show the
 # relations between templates and their instances.
 
@@ -1335,11 +1699,11 @@ CALL_GRAPH             = NO
 CALLER_GRAPH           = NO
 
 # If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen
-# will graphical hierarchy of all classes instead of a textual one.
+# will generate a graphical hierarchy of all classes instead of a textual one.
 
 GRAPHICAL_HIERARCHY    = YES
 
-# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES
+# If the DIRECTORY_GRAPH and HAVE_DOT tags are set to YES
 # then doxygen will show the dependencies a directory has on other directories
 # in a graphical way. The dependency relations are determined by the #include
 # relations between the files in the directories.
@@ -1347,11 +1711,22 @@ GRAPHICAL_HIERARCHY    = YES
 DIRECTORY_GRAPH        = YES
 
 # The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
-# generated by dot. Possible values are png, jpg, or gif
-# If left blank png will be used.
+# generated by dot. Possible values are svg, png, jpg, or gif.
+# If left blank png will be used. If you choose svg you need to set
+# HTML_FILE_EXTENSION to xhtml in order to make the SVG files
+# visible in IE 9+ (other browsers do not have this requirement).
 
 DOT_IMAGE_FORMAT       = png
 
+# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
+# enable generation of interactive SVG images that allow zooming and panning.
+# Note that this requires a modern browser other than Internet Explorer.
+# Tested and working are Firefox, Chrome, Safari, and Opera. For IE 9+ you
+# need to set HTML_FILE_EXTENSION to xhtml in order to make the SVG files
+# visible. Older versions of IE do not have SVG support.
+
+INTERACTIVE_SVG        = NO
+
 # The tag DOT_PATH can be used to specify the path where the dot tool can be
 # found. If left blank, it is assumed the dot tool can be found in the path.
 
@@ -1363,6 +1738,12 @@ DOT_PATH               =
 
 DOTFILE_DIRS           =
 
+# The MSCFILE_DIRS tag can be used to specify one or more directories that
+# contain msc files that are included in the documentation (see the
+# \mscfile command).
+
+MSCFILE_DIRS           =
+
 # The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of
 # nodes that will be shown in the graph. If the number of nodes in a graph
 # becomes larger than this value, doxygen will truncate the graph, which is
@@ -1384,10 +1765,10 @@ DOT_GRAPH_MAX_NODES    = 50
 MAX_DOT_GRAPH_DEPTH    = 0
 
 # Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
-# background. This is enabled by default, which results in a transparent
-# background. Warning: Depending on the platform used, enabling this option
-# may lead to badly anti-aliased labels on the edges of a graph (i.e. they
-# become hard to read).
+# background. This is disabled by default, because dot on Windows does not
+# seem to support this out of the box. Warning: Depending on the platform used,
+# enabling this option may lead to badly anti-aliased labels on the edges of
+# a graph (i.e. they become hard to read).
 
 DOT_TRANSPARENT        = NO
 
@@ -1409,12 +1790,3 @@ GENERATE_LEGEND        = YES
 # the various graphs.
 
 DOT_CLEANUP            = YES
-
-#---------------------------------------------------------------------------
-# Configuration::additions related to the search engine
-#---------------------------------------------------------------------------
-
-# The SEARCHENGINE tag specifies whether or not a search engine should be
-# used. If set to NO the values of all tags below this one will be ignored.
-
-SEARCHENGINE           = NO
diff --git a/NEWS b/NEWS
index 95f7e1c..7a5e6f0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,20 @@
+strongswan-5.0.3
+----------------
+
+- The new ipseckey plugin enables authentication based on trustworthy public
+  keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
+  To do so it uses a DNSSEC enabled resolver, like the one provided by the new
+  unbound plugin, which is based on libldns and libunbound.  Both plugins were
+  created by Reto Guadagnini.
+
+- Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
+  available to an IMV. The OS IMV stores the AR identity together with the
+  device ID in the attest database.
+
+- The openssl plugin now uses the AES-NI accelerated version of AES-GCM
+  if the hardware supports it.
+
+
 strongswan-5.0.2
 ----------------
 
@@ -49,6 +66,7 @@ strongswan-5.0.2
 - The integration test environment was updated and now uses KVM and reproducible
   guest images based on Debian.
 
+
 strongswan-5.0.1
 ----------------
 
@@ -122,6 +140,7 @@ strongswan-5.0.1
 - All crypto primitives gained return values for most operations, allowing
   crypto backends to fail, for example when using hardware accelerators.
 
+
 strongswan-5.0.0
 ----------------
 
index 2c3e739..996c8dd 100644 (file)
@@ -1,31 +1,34 @@
-dnl  configure.in for linux strongSwan
-dnl  Copyright (C) 2006 Martin Willi
-dnl  Hochschule fuer Technik Rapperswil
-dnl
-dnl  This program is free software; you can redistribute it and/or modify it
-dnl  under the terms of the GNU General Public License as published by the
-dnl  Free Software Foundation; either version 2 of the License, or (at your
-dnl  option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-dnl
-dnl  This program is distributed in the hope that it will be useful, but
-dnl  WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-dnl  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-dnl  for more details.
-
-dnl ===========================
-dnl  initialize & set some vars
-dnl ===========================
-
-AC_INIT(strongSwan,5.0.2)
+#
+# Copyright (C) 2007-2013 Tobias Brunner
+# Copyright (C) 2006-2013 Andreas Steffen
+# Copyright (C) 2006-2013 Martin Willi
+# Hochschule fuer Technik Rapperswil
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+
+# ============================
+#  initialize & set some vars
+# ============================
+
+AC_INIT([strongSwan],[5.0.3dr4])
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_CONFIG_MACRO_DIR([m4/config])
 AC_CONFIG_HEADERS([config.h])
 AC_DEFINE([CONFIG_H_INCLUDED], [], [defined if config.h included])
 PKG_PROG_PKG_CONFIG
 
-dnl =================================
-dnl  check --enable-xxx & --with-xxx
-dnl =================================
+# =================================
+#  check --enable-xxx & --with-xxx
+# =================================
 
 m4_include(m4/macros/with.m4)
 
@@ -101,6 +104,7 @@ AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`])
 m4_include(m4/macros/enable-disable.m4)
 
 ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([unbound],        [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
 ARG_ENABL_SET([soup],           [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
 ARG_ENABL_SET([ldap],           [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
 ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
@@ -124,6 +128,7 @@ ARG_DISBL_SET([pkcs7],          [disable PKCS7 container support plugin.])
 ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
 ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
 ARG_DISBL_SET([dnskey],         [disable DNS RR key decoding plugin.])
+ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
 ARG_DISBL_SET([pem],            [disable PEM decoding plugin.])
 ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
 ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
@@ -213,7 +218,7 @@ ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([unity],          [enables Cisco Unity extension plugin.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
-ARG_ENABL_SET([android],        [enable Android specific plugin.])
+ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
 ARG_ENABL_SET([android-log],    [enable Android specific logger plugin.])
 ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
@@ -222,6 +227,7 @@ ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
 ARG_ENABL_SET([lookip],         [enable fast virtual IP lookup and notification plugin.])
 ARG_ENABL_SET([error-notify],   [enable error notification plugin.])
 ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
+ARG_ENABL_SET([systime-fix],    [enable plugin to handle cert lifetimes with invalid system time gracefully.])
 ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
 ARG_ENABL_SET([duplicheck],     [advanced duplicate checking plugin using liveness checks.])
 ARG_ENABL_SET([coupling],       [enable IKEv2 plugin to couple peer certificates permanently to authentication.])
@@ -230,9 +236,22 @@ ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replac
 ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
 ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
 
-dnl =========================
-dnl  set up compiler and flags
-dnl =========================
+# ===================================
+#  option to disable default options
+# ===================================
+
+ARG_DISBL_SET([defaults],       [disable all default plugins (they can be enabled with their respective --enable options)])
+
+if test x$defaults = xfalse; then
+       for option in $enabled_by_default; do
+               eval test x\${${option}_given} = xtrue && continue
+               let $option=false
+       done
+fi
+
+# ===========================
+#  set up compiler and flags
+# ===========================
 
 if test -z "$CFLAGS"; then
        CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign"
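Review bot: `let $option=false` in the new --disable-defaults loop does not produce the value the rest of configure.in tests for: `let` is a bash/ksh arithmetic builtin that POSIX sh (e.g. dash) lacks, and even under bash it evaluates `false` as an arithmetic expression and stores `0`, so checks of the form `test x$ikev1 = xfalse` (as in the next hunk) can never match an option disabled this way, while `= xtrue` checks only pass by accident. A plain assignment through eval gives the expected string: `eval $option=false`. This assumes `$enabled_by_default` is populated by ARG_DISBL_SET in the included enable-disable.m4, which is outside this hunk.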
@@ -241,12 +260,12 @@ AC_PROG_CC
 AC_LIB_PREFIX
 AC_C_BIGENDIAN
 
-dnl =========================
-dnl  check required programs
-dnl =========================
+# =========================
+#  check required programs
+# =========================
 
+LT_INIT
 AC_PROG_INSTALL
-AC_PROG_LIBTOOL
 AC_PROG_EGREP
 AC_PROG_AWK
 AC_PROG_LEX
@@ -254,7 +273,7 @@ AC_PROG_YACC
 AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 
-dnl because gperf is not needed by end-users we just report it but do not abort on failure
+# because gperf is not needed by end-users we just report it but do not abort on failure
 AC_MSG_CHECKING([gperf version >= 3.0.0])
 if test -x "$GPERF"; then
        if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then
@@ -266,9 +285,9 @@ else
        AC_MSG_RESULT([not found])
 fi
 
-dnl =========================
-dnl  dependency calculation
-dnl =========================
+========================
+#  dependency calculation
+========================
 
 if test x$xauth_generic_given = xfalse -a x$ikev1 = xfalse; then
        xauth_generic=false;
@@ -335,91 +354,93 @@ if test x$medcli = xtrue; then
        mediation=true
 fi
 
-dnl ===========================================
-dnl  check required libraries and header files
-dnl ===========================================
+# ===========================================
+#  check required libraries and header files
+# ===========================================
 
 AC_HEADER_STDBOOL
 AC_FUNC_ALLOCA
 AC_FUNC_STRERROR_R
 
-dnl libraries needed on some platforms but not on others
-dnl ====================================================
+ libraries needed on some platforms but not on others
+# ------------------------------------------------------
 saved_LIBS=$LIBS
 
-dnl FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
+# FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl
 LIBS=""
 AC_SEARCH_LIBS(dlopen, dl, [DLLIB=$LIBS])
 AC_SUBST(DLLIB)
 
-dnl glibc's backtrace() can be replicated on FreeBSD with libexecinfo
+# glibc's backtrace() can be replicated on FreeBSD with libexecinfo
 LIBS=""
 AC_SEARCH_LIBS(backtrace, execinfo, [BTLIB=$LIBS])
 AC_CHECK_FUNCS(backtrace)
 AC_SUBST(BTLIB)
 
-dnl OpenSolaris needs libsocket and libnsl for socket()
+# OpenSolaris needs libsocket and libnsl for socket()
 LIBS=""
 AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS],
        [AC_CHECK_LIB(nsl, socket, [SOCKLIB="-lsocket -lnsl"], [], [-lsocket])]
 )
 AC_SUBST(SOCKLIB)
 
-dnl FreeBSD has clock_gettime in libc, Linux needs librt
+# FreeBSD has clock_gettime in libc, Linux needs librt
 LIBS=""
 AC_SEARCH_LIBS(clock_gettime, rt, [RTLIB=$LIBS])
 AC_CHECK_FUNCS(clock_gettime)
 AC_SUBST(RTLIB)
 
-dnl Android has pthread_* functions in bionic (libc), others need libpthread
+# Android has pthread_* functions in bionic (libc), others need libpthread
 LIBS=""
 AC_SEARCH_LIBS(pthread_create, pthread, [PTHREADLIB=$LIBS])
 AC_SUBST(PTHREADLIB)
 
 LIBS=$saved_LIBS
-dnl ======================
+# ------------------------------------------------------
 
 AC_MSG_CHECKING(for dladdr)
-AC_TRY_COMPILE(
-       [#define _GNU_SOURCE
-        #include <dlfcn.h>],
-       [Dl_info* info = 0;
-        dladdr(0, info);],
+AC_COMPILE_IFELSE(
+       [AC_LANG_PROGRAM(
+               [[#define _GNU_SOURCE
+                 #include <dlfcn.h>]],
+               [[Dl_info* info = 0;
+                 dladdr(0, info);]])],
        [AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_DLADDR], [], [have dladdr()])],
        [AC_MSG_RESULT([no])]
 )
 
-dnl check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
+# check if pthread_condattr_setclock(CLOCK_MONOTONE) is supported
 saved_LIBS=$LIBS
 LIBS=$PTHREADLIB
 AC_MSG_CHECKING([for pthread_condattr_setclock(CLOCK_MONOTONE)])
-AC_TRY_RUN(
-       [#include <pthread.h>
-        int main() { pthread_condattr_t attr;
-               pthread_condattr_init(&attr);
-               return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}],
+AC_RUN_IFELSE(
+       [AC_LANG_SOURCE(
+               [[#include <pthread.h>
+                 int main() { pthread_condattr_t attr;
+                       pthread_condattr_init(&attr);
+                       return pthread_condattr_setclock(&attr, CLOCK_MONOTONIC);}]])],
        [AC_MSG_RESULT([yes]);
         AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
                           [pthread_condattr_setclock supports CLOCK_MONOTONIC])],
        [AC_MSG_RESULT([no])],
-       dnl Check existence of pthread_condattr_setclock if cross-compiling
+       # Check existence of pthread_condattr_setclock if cross-compiling
        [AC_MSG_RESULT([unknown]);
         AC_CHECK_FUNCS(pthread_condattr_setclock,
                [AC_DEFINE([HAVE_CONDATTR_CLOCK_MONOTONIC], [],
                                   [have pthread_condattr_setclock()])]
        )]
 )
-dnl check if we actually are able to configure attributes on cond vars
+# check if we actually are able to configure attributes on cond vars
 AC_CHECK_FUNCS(pthread_condattr_init)
-dnl instead of pthread_condattr_setclock Android has this function
+# instead of pthread_condattr_setclock Android has this function
 AC_CHECK_FUNCS(pthread_cond_timedwait_monotonic)
-dnl check if we can cancel threads
+# check if we can cancel threads
 AC_CHECK_FUNCS(pthread_cancel)
-dnl check if native rwlocks are available
+# check if native rwlocks are available
 AC_CHECK_FUNCS(pthread_rwlock_init)
-dnl check if pthread spinlocks are available
+# check if pthread spinlocks are available
 AC_CHECK_FUNCS(pthread_spin_init)
-dnl check if we have POSIX semaphore functions, including timed-wait
+# check if we have POSIX semaphore functions, including timed-wait
 AC_CHECK_FUNCS(sem_timedwait)
 LIBS=$saved_LIBS
 
@@ -427,12 +448,13 @@ AC_CHECK_FUNC(
        [gettid],
        [AC_DEFINE([HAVE_GETTID], [], [have gettid()])],
        [AC_MSG_CHECKING([for SYS_gettid])
-        AC_TRY_COMPILE(
-               [#define _GNU_SOURCE
-                #include <unistd.h>
-                #include <sys/syscall.h>],
-               [int main() {
-                       return syscall(SYS_gettid);}],
+        AC_COMPILE_IFELSE(
+               [AC_LANG_PROGRAM(
+                       [[#define _GNU_SOURCE
+                         #include <unistd.h>
+                         #include <sys/syscall.h>]],
+                       [[int main() {
+                         return syscall(SYS_gettid);}]])],
                [AC_MSG_RESULT([yes]);
                 AC_DEFINE([HAVE_GETTID], [], [have gettid()])
                 AC_DEFINE([HAVE_SYS_GETTID], [], [have syscall(SYS_gettid)])],
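Review bot: The converted SYS_gettid probe keeps its own `int main() { ... }` inside the body argument of AC_LANG_PROGRAM, which already wraps that body in a generated `main()`; the result is a function definition nested inside a function, a GNU C extension that gcc tolerates but other compilers reject, so the check would report "no" and leave HAVE_SYS_GETTID undefined on a toolchain that in fact supports the syscall. The other AC_LANG_PROGRAM bodies in this commit (in6addr_any, in6_pktinfo, RTA_TABLE) pass a bare statement list, and this one should match: `[[return syscall(SYS_gettid);]]`. The enclosing AC_CHECK_FUNC starts outside the hunk.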
@@ -440,7 +462,7 @@ AC_CHECK_FUNC(
        )]
 )
 
-AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r)
+AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r)
 
 AC_CHECK_HEADERS(sys/sockio.h glob.h)
 AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h)
@@ -464,101 +486,107 @@ AC_CHECK_MEMBERS([struct sadb_x_policy.sadb_x_policy_priority], [], [],
 ])
 
 AC_MSG_CHECKING([for in6addr_any])
-AC_TRY_COMPILE(
-       [#include <sys/types.h>
-       #include <sys/socket.h>
-       #include <netinet/in.h>],
-       [struct in6_addr in6;
-       in6 = in6addr_any;],
+AC_COMPILE_IFELSE(
+       [AC_LANG_PROGRAM(
+               [[#include <sys/types.h>
+                 #include <sys/socket.h>
+                 #include <netinet/in.h>]],
+               [[struct in6_addr in6;
+                 in6 = in6addr_any;]])],
        [AC_MSG_RESULT([yes]);
         AC_DEFINE([HAVE_IN6ADDR_ANY], [], [have struct in6_addr in6addr_any])],
        [AC_MSG_RESULT([no])]
 )
 
 AC_MSG_CHECKING([for in6_pktinfo])
-AC_TRY_COMPILE(
-       [#define _GNU_SOURCE
-       #include <sys/types.h>
-       #include <sys/socket.h>
-       #include <netinet/in.h>],
-       [struct in6_pktinfo pi;
-       if (pi.ipi6_ifindex)
-       {
-               return 0;
-       }],
+AC_COMPILE_IFELSE(
+       [AC_LANG_PROGRAM(
+               [[#define _GNU_SOURCE
+                 #include <sys/types.h>
+                 #include <sys/socket.h>
+                 #include <netinet/in.h>]],
+               [[struct in6_pktinfo pi;
+                 if (pi.ipi6_ifindex)
+                 {
+                   return 0;
+                 }]])],
        [AC_MSG_RESULT([yes]);
         AC_DEFINE([HAVE_IN6_PKTINFO], [], [have struct in6_pktinfo.ipi6_ifindex])],
        [AC_MSG_RESULT([no])]
 )
 
 AC_MSG_CHECKING([for IPSEC_MODE_BEET])
-AC_TRY_COMPILE(
-       [#include <sys/types.h>
-       #ifdef HAVE_NETIPSEC_IPSEC_H
-       #include <netipsec/ipsec.h>
-       #elif defined(HAVE_NETINET6_IPSEC_H)
-       #include <netinet6/ipsec.h>
-       #else
-       #include <stdint.h>
-       #include <linux/ipsec.h>
-       #endif],
-       [int mode = IPSEC_MODE_BEET;
-        return mode;],
+AC_COMPILE_IFELSE(
+       [AC_LANG_PROGRAM(
+               [[#include <sys/types.h>
+                 #ifdef HAVE_NETIPSEC_IPSEC_H
+                 #include <netipsec/ipsec.h>
+                 #elif defined(HAVE_NETINET6_IPSEC_H)
+                 #include <netinet6/ipsec.h>
+                 #else
+                 #include <stdint.h>
+                 #include <linux/ipsec.h>
+                 #endif]],
+               [[int mode = IPSEC_MODE_BEET;
+                 return mode;]])],
        [AC_MSG_RESULT([yes]);
         AC_DEFINE([HAVE_IPSEC_MODE_BEET], [], [have IPSEC_MODE_BEET defined])],
        [AC_MSG_RESULT([no])]
 )
 
 AC_MSG_CHECKING([for IPSEC_DIR_FWD])
-AC_TRY_COMPILE(
-       [#include <sys/types.h>
-       #ifdef HAVE_NETIPSEC_IPSEC_H
-       #include <netipsec/ipsec.h>
-       #elif defined(HAVE_NETINET6_IPSEC_H)
-       #include <netinet6/ipsec.h>
-       #else
-       #include <stdint.h>
-       #include <linux/ipsec.h>
-       #endif],
-       [int dir = IPSEC_DIR_FWD;
-        return dir;],
+AC_COMPILE_IFELSE(
+       [AC_LANG_PROGRAM(
+               [[#include <sys/types.h>
+                 #ifdef HAVE_NETIPSEC_IPSEC_H
+                 #include <netipsec/ipsec.h>
+                 #elif defined(HAVE_NETINET6_IPSEC_H)
+                 #include <netinet6/ipsec.h>
+                 #else
+                 #include <stdint.h>
+                 #include <linux/ipsec.h>
+                 #endif]],
+               [[int dir = IPSEC_DIR_FWD;
+                 return dir;]])],
        [AC_MSG_RESULT([yes]);
         AC_DEFINE([HAVE_IPSEC_DIR_FWD], [], [have IPSEC_DIR_FWD defined])],
        [AC_MSG_RESULT([no])]
 )
 
 AC_MSG_CHECKING([for RTA_TABLE])
-AC_TRY_COMPILE(
-       [#include <sys/socket.h>
-       #include <linux/netlink.h>
-       #include <linux/rtnetlink.h>],
-       [int rta_type = RTA_TABLE;
-        return rta_type;],
+AC_COMPILE_IFELSE(
+       [AC_LANG_PROGRAM(
+               [[#include <sys/socket.h>
+                 #include <linux/netlink.h>
+                 #include <linux/rtnetlink.h>]],
+               [[int rta_type = RTA_TABLE;
+                 return rta_type;]])],
        [AC_MSG_RESULT([yes]);
         AC_DEFINE([HAVE_RTA_TABLE], [], [have netlink RTA_TABLE defined])],
        [AC_MSG_RESULT([no])]
 )
 
 AC_MSG_CHECKING([for gcc atomic operations])
-AC_TRY_RUN(
-[
-       int main() {
-               volatile int ref = 1;
-               __sync_fetch_and_add (&ref, 1);
-               __sync_sub_and_fetch (&ref, 1);
-               /* Make sure test fails if operations are not supported */
-               __sync_val_compare_and_swap(&ref, 1, 0);
-               return ref;
-       }
-],
-[AC_MSG_RESULT([yes]);
- AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
+AC_RUN_IFELSE([AC_LANG_SOURCE(
+       [[
+                       int main() {
+                       volatile int ref = 1;
+                       __sync_fetch_and_add (&ref, 1);
+                       __sync_sub_and_fetch (&ref, 1);
+                       /* Make sure test fails if operations are not supported */
+                       __sync_val_compare_and_swap(&ref, 1, 0);
+                       return ref;
+               }
+       ]])],
+       [AC_MSG_RESULT([yes]);
       AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
                   [have GCC __sync_* atomic operations])],
-[AC_MSG_RESULT([no])],
-[AC_MSG_RESULT([no])])
+       [AC_MSG_RESULT([no])],
+       [AC_MSG_RESULT([no])]
+)
 
-dnl check for the new register_printf_specifier function with len argument,
-dnl or the deprecated register_printf_function without
+# check for the new register_printf_specifier function with len argument,
+# or the deprecated register_printf_function without
 AC_CHECK_FUNC(
        [register_printf_specifier],
        [AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])],
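Review bot: The cross-compiling branch of the rewritten gcc atomics probe (the fourth argument of AC_RUN_IFELSE) reports plain "no", silently disabling HAVE_GCC_ATOMIC_OPERATIONS for every cross-compiled build, even though the same commit handles the pthread_condattr_setclock run test by reporting "unknown" and falling back to a weaker check. A link test catches the case the comment in the program worries about (the __sync_* builtins compiling but not linking on targets without a native implementation) and is a reasonable stand-in when the program cannot be run; it does not catch a run-time failure, so it remains an approximation. I would keep the run test and add the fallback below.
```m4
# … unchanged: AC_RUN_IFELSE test program and the yes branch …
	[AC_MSG_RESULT([no])],
	[AC_MSG_RESULT([unknown]);
	 AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[]],
			[[volatile int ref = 1;
			  __sync_fetch_and_add(&ref, 1);
			  __sync_sub_and_fetch(&ref, 1);
			  __sync_val_compare_and_swap(&ref, 1, 0);
			  return ref;]])],
		[AC_DEFINE([HAVE_GCC_ATOMIC_OPERATIONS], [],
			   [have GCC __sync_* atomic operations])])]
)
```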
@@ -573,20 +601,19 @@ AC_CHECK_FUNC(
 )
 
 if test x$vstr = xtrue; then
-       AC_HAVE_LIBRARY([vstr],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])])
+       AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
        AC_DEFINE([USE_VSTR], [], [use vstring library for printf hooks])
 fi
 
 if test x$gmp = xtrue; then
        saved_LIBS=$LIBS
-       AC_HAVE_LIBRARY([gmp],,[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
+       AC_CHECK_LIB([gmp],[main],[],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])],[])
        AC_MSG_CHECKING([mpz_powm_sec])
        if test x$mpz_powm_sec = xyes; then
-               AC_TRY_COMPILE(
-                       [#include "gmp.h"],
-                       [
-                               void *x = mpz_powm_sec;
-                       ],
+               AC_COMPILE_IFELSE(
+                       [AC_LANG_PROGRAM(
+                               [[#include "gmp.h"]],
+                               [[void *x = mpz_powm_sec;]])],
                        [AC_MSG_RESULT([yes]);
                         AC_DEFINE([HAVE_MPZ_POWM_SEC], [], [have mpz_mown_sec()])],
                        [AC_MSG_RESULT([no])]
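Review bot: Replacing AC_HAVE_LIBRARY with `AC_CHECK_LIB([vstr],[main],...)` and `AC_CHECK_LIB([gmp],[main],...)` keeps the weakest possible check: with `main` as the function, autoconf only verifies that `-lvstr`/`-lgmp` can be passed to the linker, not that the library exports the API the plugins use, and the macro is documented as meant to be used with a real symbol. Since the lines are being rewritten, check an actual export, e.g. `AC_CHECK_LIB([vstr],[vstr_init],...)` and `AC_CHECK_LIB([gmp],[__gmpz_init],...)` (`mpz_init` is a macro over `__gmpz_init` in gmp.h, which the link test does not include; confirm both names against the installed headers). The same applies to the ldap, lber and curl checks in the following hunk.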
@@ -596,28 +623,36 @@ if test x$gmp = xtrue; then
        fi
        LIBS=$saved_LIBS
        AC_MSG_CHECKING([gmp.h version >= 4.1.4])
-       AC_TRY_COMPILE(
-               [#include "gmp.h"],
-               [
-                       #if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
-                               #error bad gmp
-                       #endif
-               ],
-               [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
+       AC_COMPILE_IFELSE(
+               [AC_LANG_PROGRAM(
+                       [[#include "gmp.h"]],
+                       [[
+                               #if (__GNU_MP_VERSION*100 +  __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
+                                       #error bad gmp
+                               #endif]])],
+               [AC_MSG_RESULT([yes])],
+               [AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
        )
 fi
 
 if test x$ldap = xtrue; then
-       AC_HAVE_LIBRARY([ldap],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])])
-       AC_HAVE_LIBRARY([lber],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])])
+       AC_CHECK_LIB([ldap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])],[])
+       AC_CHECK_LIB([lber],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])],[])
        AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP header ldap.h not found!])])
 fi
 
 if test x$curl = xtrue; then
-       AC_HAVE_LIBRARY([curl],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])])
+       AC_CHECK_LIB([curl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])],[])
        AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])])
 fi
 
+if test x$unbound = xtrue; then
+       AC_HAVE_LIBRARY([ldns],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])])
+       AC_CHECK_HEADER([ldns/ldns.h],,[AC_MSG_ERROR([UNBOUND header ldns/ldns.h not found!])])
+       AC_HAVE_LIBRARY([unbound],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])])
+       AC_CHECK_HEADER([unbound.h],,[AC_MSG_ERROR([UNBOUND header unbound.h not found!])])
+fi
+
 if test x$soup = xtrue; then
        PKG_CHECK_MODULES(soup, [libsoup-2.4])
        AC_SUBST(soup_CFLAGS)
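Review bot: The new unbound block at L2159 and L2161 still uses `AC_HAVE_LIBRARY`, the obsolete macro that every other library probe in this commit is being migrated away from, so the file is inconsistent the moment it is merged. For consistency with the surrounding conversions use `AC_CHECK_LIB([ldns],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])],[])` and `AC_CHECK_LIB([unbound],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])],[])`. Probing a symbol the library really provides, such as `ub_ctx_create` for libunbound, would be more robust than `main`, as noted for the other checks.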
@@ -637,7 +672,7 @@ if test x$axis2c = xtrue; then
 fi
 
 if test x$tss = xtrousers; then
-       AC_HAVE_LIBRARY([tspi],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])])
+       AC_CHECK_LIB([tspi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
        AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
        AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi as TSS implementation])
 fi
@@ -683,28 +718,27 @@ if test x$dumm = xtrue; then
 fi
 
 if test x$fast = xtrue; then
-       AC_HAVE_LIBRARY([neo_cgi],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])])
-       AC_HAVE_LIBRARY([neo_utl],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])])
+       AC_CHECK_LIB([neo_cgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])],[])
+       AC_CHECK_LIB([neo_utl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])],[])
        AC_MSG_CHECKING([ClearSilver requires zlib])
        saved_CFLAGS=$CFLAGS
        saved_LIBS=$LIBS
        LIBS="-lneo_cgi -lneo_cs -lneo_utl"
        CFLAGS="-I/usr/include/ClearSilver"
-       AC_TRY_LINK(
-               [#include <ClearSilver.h>],
-               [
-                       NEOERR *err = cgi_display(NULL, NULL);
-               ],
+       AC_LINK_IFELSE(
+               [AC_LANG_PROGRAM(
+                       [[#include <ClearSilver.h>]],
+                       [[NEOERR *err = cgi_display(NULL, NULL);]])],
                [AC_MSG_RESULT([no]); clearsilver_LIBS="$LIBS"],
                [AC_MSG_RESULT([yes]); clearsilver_LIBS="$LIBS -lz"]
        )
        AC_SUBST(clearsilver_LIBS)
        LIBS=$saved_LIBS
        CFLAGS=$saved_CFLAGS
-dnl autoconf does not like CamelCase!? How to fix this?
-dnl    AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
+# autoconf does not like CamelCase!? How to fix this?
+#      AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
 
-       AC_HAVE_LIBRARY([fcgi],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])])
+       AC_CHECK_LIB([fcgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])],[])
        AC_CHECK_HEADER([fcgiapp.h],,[AC_MSG_ERROR([FastCGI header file fcgiapp.h not found!])])
 fi
 
@@ -718,40 +752,43 @@ if test x$mysql = xtrue; then
 fi
 
 if test x$sqlite = xtrue; then
-       AC_HAVE_LIBRARY([sqlite3],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])])
+       AC_CHECK_LIB([sqlite3],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])],[])
        AC_CHECK_HEADER([sqlite3.h],,[AC_MSG_ERROR([SQLite header sqlite3.h not found!])])
        AC_MSG_CHECKING([sqlite3_prepare_v2])
-       AC_TRY_COMPILE(
-               [#include <sqlite3.h>],
-               [
-                       void *test = sqlite3_prepare_v2;
-               ],
-               [AC_MSG_RESULT([yes])];
-                AC_DEFINE([HAVE_SQLITE3_PREPARE_V2], [], [have sqlite3_prepare_v2()]),
-               [AC_MSG_RESULT([no])])
+       AC_COMPILE_IFELSE(
+               [AC_LANG_PROGRAM(
+                       [[#include <sqlite3.h>]],
+                       [[void *test = sqlite3_prepare_v2;]])],
+               [AC_MSG_RESULT([yes]);
+                AC_DEFINE([HAVE_SQLITE3_PREPARE_V2], [], [have sqlite3_prepare_v2()])],
+               [AC_MSG_RESULT([no])]
+       )
        AC_MSG_CHECKING([sqlite3.h version >= 3.3.1])
-       AC_TRY_COMPILE(
-               [#include <sqlite3.h>],
-               [
-                       #if SQLITE_VERSION_NUMBER < 3003001
-                               #error bad sqlite
-                       #endif
-               ],
-               [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])])
+       AC_COMPILE_IFELSE(
+               [AC_LANG_PROGRAM(
+                       [[#include <sqlite3.h>]],
+                       [[
+                               #if SQLITE_VERSION_NUMBER < 3003001
+                                       #error bad sqlite
+                               #endif]])],
+               [AC_MSG_RESULT([yes])],
+               [AC_MSG_RESULT([no]); AC_MSG_ERROR([SQLite version >= 3.3.1 required!])]
+       )
 fi
 
 if test x$openssl = xtrue; then
-       AC_HAVE_LIBRARY([crypto],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])])
+       AC_CHECK_LIB([crypto],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])],[])
        AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
 fi
 
 if test x$gcrypt = xtrue; then
-       AC_HAVE_LIBRARY([gcrypt],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
+       AC_CHECK_LIB([gcrypt],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
        AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
        AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
-       AC_TRY_COMPILE(
-               [#include <gcrypt.h>],
-               [enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;],
+       AC_COMPILE_IFELSE(
+               [AC_LANG_PROGRAM(
+                       [[#include <gcrypt.h>]],
+                       [[enum gcry_cipher_algos alg = GCRY_CIPHER_CAMELLIA128;]])],
                [AC_MSG_RESULT([yes]);
                 AC_DEFINE([HAVE_GCRY_CIPHER_CAMELLIA], [], [have GCRY_CIPHER_CAMELLIA128])],
                [AC_MSG_RESULT([no])]
@@ -759,15 +796,15 @@ if test x$gcrypt = xtrue; then
 fi
 
 if test x$uci = xtrue; then
-       AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])])
+       AC_CHECK_LIB([uci],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
        AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
 fi
 
-if test x$android = xtrue; then
-       AC_HAVE_LIBRARY([cutils],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])])
+if test x$android_dns = xtrue; then
+       AC_CHECK_LIB([cutils],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
        AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
-       dnl we have to force the use of libdl here because the autodetection
-       dnl above does not work correctly when cross-compiling for android.
+       # we have to force the use of libdl here because the autodetection
+       # above does not work correctly when cross-compiling for android.
        DLLIB="-ldl"
        AC_SUBST(DLLIB)
 fi
@@ -796,21 +833,21 @@ if test x$nm = xtrue; then
 fi
 
 if test x$xauth_pam = xtrue; then
-       AC_HAVE_LIBRARY([pam],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])])
+       AC_CHECK_LIB([pam],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])],[])
        AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
 fi
 
 if test x$capabilities = xnative; then
        AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead])
-       dnl Linux requires the following for capset(), Android does not have it,
-       dnl but defines capset() in unistd.h instead.
+       # Linux requires the following for capset(), Android does not have it,
+       # but defines capset() in unistd.h instead.
        AC_CHECK_HEADERS([sys/capability.h])
        AC_CHECK_FUNC(capset,,[AC_MSG_ERROR([capset() not found!])])
        AC_DEFINE([CAPABILITIES_NATIVE], [], [have native linux capset()])
 fi
 
 if test x$capabilities = xlibcap; then
-       AC_HAVE_LIBRARY([cap],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])])
+       AC_CHECK_LIB([cap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])],[])
        AC_CHECK_HEADER([sys/capability.h],
                [AC_DEFINE([HAVE_SYS_CAPABILITY_H], [], [have sys/capability.h])],
                [AC_MSG_ERROR([libcap header sys/capability.h not found!])])
@@ -819,25 +856,29 @@ fi
 
 if test x$integrity_test = xtrue; then
        AC_MSG_CHECKING([for dladdr()])
-       AC_TRY_COMPILE(
-               [#define _GNU_SOURCE
-                #include <dlfcn.h>],
-               [Dl_info info; dladdr(main, &info);],
-               [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
+       AC_COMPILE_IFELSE(
+               [AC_LANG_PROGRAM(
+                       [[#define _GNU_SOURCE
+                         #include <dlfcn.h>]],
+                       [[Dl_info info; dladdr(main, &info);]])],
+               [AC_MSG_RESULT([yes])],
+               [AC_MSG_RESULT([no]);
                 AC_MSG_ERROR([dladdr() not supported, required by integrity-test!])]
        )
        AC_MSG_CHECKING([for dl_iterate_phdr()])
-       AC_TRY_COMPILE(
-               [#define _GNU_SOURCE
-                #include <link.h>],
-               [dl_iterate_phdr((void*)0, (void*)0);],
-               [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]);
+       AC_COMPILE_IFELSE(
+               [AC_LANG_PROGRAM(
+                       [[#define _GNU_SOURCE
+                         #include <link.h>]],
+                       [[dl_iterate_phdr((void*)0, (void*)0);]])],
+               [AC_MSG_RESULT([yes])],
+               [AC_MSG_RESULT([no]);
                 AC_MSG_ERROR([dl_iterate_phdr() not supported, required by integrity-test!])]
        )
 fi
 
 if test x$bfd_backtraces = xtrue; then
-       AC_HAVE_LIBRARY([bfd],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])])
+       AC_CHECK_LIB([bfd],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])],[])
        AC_CHECK_HEADER([bfd.h],[AC_DEFINE([HAVE_BFD_H],,[have binutils bfd.h])],
                [AC_MSG_ERROR([binutils bfd.h header not found!])])
        BFDLIB="-lbfd"
@@ -852,9 +893,9 @@ AC_SUBST(dev_headers)
 
 CFLAGS="$CFLAGS -include `pwd`/config.h"
 
-dnl ==============================================
-dnl  collect plugin list for strongSwan components
-dnl ==============================================
+# ===============================================
+#  collect plugin list for strongSwan components
+# ===============================================
 
 m4_include(m4/macros/add-plugin.m4)
 
@@ -880,6 +921,7 @@ s_plugins=
 ADD_PLUGIN([test-vectors],         [s charon openac scepclient pki])
 ADD_PLUGIN([curl],                 [s charon scepclient scripts nm])
 ADD_PLUGIN([soup],                 [s charon scripts nm])
+ADD_PLUGIN([unbound],              [s charon scripts])
 ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm])
 ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
 ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
@@ -903,6 +945,7 @@ ADD_PLUGIN([pkcs7],                [s scepclient pki])
 ADD_PLUGIN([pkcs8],                [s charon openac scepclient pki scripts manager medsrv attest nm])
 ADD_PLUGIN([pgp],                  [s charon])
 ADD_PLUGIN([dnskey],               [s charon])
+ADD_PLUGIN([ipseckey],             [c charon])
 ADD_PLUGIN([pem],                  [s charon openac scepclient pki scripts manager medsrv attest nm])
 ADD_PLUGIN([padlock],              [s charon])
 ADD_PLUGIN([openssl],              [s charon openac scepclient pki scripts manager medsrv attest nm])
@@ -964,13 +1007,14 @@ ADD_PLUGIN([tnccs-dynamic],        [c charon])
 ADD_PLUGIN([medsrv],               [c charon])
 ADD_PLUGIN([medcli],               [c charon])
 ADD_PLUGIN([dhcp],                 [c charon])
-ADD_PLUGIN([android],              [c charon])
+ADD_PLUGIN([android-dns],          [c charon])
 ADD_PLUGIN([android-log],          [c charon])
 ADD_PLUGIN([ha],                   [c charon])
 ADD_PLUGIN([whitelist],            [c charon])
 ADD_PLUGIN([lookip],               [c charon])
 ADD_PLUGIN([error-notify],         [c charon])
 ADD_PLUGIN([certexpire],           [c charon])
+ADD_PLUGIN([systime-fix],          [c charon])
 ADD_PLUGIN([led],                  [c charon])
 ADD_PLUGIN([duplicheck],           [c charon])
 ADD_PLUGIN([coupling],             [c charon])
@@ -994,18 +1038,18 @@ AC_SUBST(medsrv_plugins)
 AC_SUBST(nm_plugins)
 
 AC_SUBST(c_plugins)
-AC_SUBST(p_plugins)
 AC_SUBST(h_plugins)
 AC_SUBST(s_plugins)
 
-dnl =========================
-dnl  set Makefile.am vars
-dnl =========================
+======================
+#  set Makefile.am vars
+======================
 
-dnl libstrongswan plugins
-dnl =====================
+ libstrongswan plugins
+# -----------------------
 AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
 AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
+AM_CONDITIONAL(USE_UNBOUND, test x$unbound = xtrue)
 AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
 AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue)
 AM_CONDITIONAL(USE_AES, test x$aes = xtrue)
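Review bot: The section headings added at L2425, L2427 and L2431 appear without the leading `#` that the parallel headings at L2376–L2378 and L2432 carry; if the committed file really reads this way, the generated `configure` will try to execute `======================` and ` libstrongswan plugins` as shell commands and print "command not found" on every run. Each of these lines should start with `# `, e.g. `# ======================`. The same pattern shows at L2445, L2475, L2486, L2506 and L2519 in the following hunks; if it is only a rendering artifact of this page, this note can be ignored.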
@@ -1045,17 +1089,18 @@ AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
 AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
 AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
 
-dnl charon plugins
-dnl ==============
+ charon plugins
+# ----------------
 AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
 AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
 AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
-AM_CONDITIONAL(USE_ANDROID, test x$android = xtrue)
+AM_CONDITIONAL(USE_ANDROID_DNS, test x$android_dns = xtrue)
 AM_CONDITIONAL(USE_ANDROID_LOG, test x$android_log = xtrue)
 AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
 AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
+AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue)
 AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
 AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
 AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
@@ -1065,6 +1110,7 @@ AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
 AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
 AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
 AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
+AM_CONDITIONAL(USE_SYSTIME_FIX, test x$systime_fix = xtrue)
 AM_CONDITIONAL(USE_LED, test x$led = xtrue)
 AM_CONDITIONAL(USE_DUPLICHECK, test x$duplicheck = xtrue)
 AM_CONDITIONAL(USE_COUPLING, test x$coupling = xtrue)
@@ -1112,8 +1158,8 @@ AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
 AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
 AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
 
-dnl hydra plugins
-dnl =============
+ hydra plugins
+# ---------------
 AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
 AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue)
 AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
@@ -1122,8 +1168,8 @@ AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
 AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
 AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
 
-dnl other options
-dnl =============
+ other options
+# ---------------
 AM_CONDITIONAL(USE_LEAK_DETECTIVE, test x$leak_detective = xtrue)
 AM_CONDITIONAL(USE_LOCK_PROFILER, test x$lock_profiler = xtrue)
 AM_CONDITIONAL(USE_DUMM, test x$dumm = xtrue)
@@ -1147,6 +1193,7 @@ AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$n
 AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
 AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
+AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
@@ -1159,9 +1206,9 @@ AM_CONDITIONAL(USE_PTS, test x$pts = xtrue)
 AM_CONDITIONAL(USE_TROUSERS, test x$tss = xtrousers)
 AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
 
-dnl ==============================
-dnl  set global definitions
-dnl ==============================
+========================
+#  set global definitions
+========================
 
 if test x$mediation = xtrue; then
        AC_DEFINE([ME], [], [mediation extension support])
@@ -1179,11 +1226,11 @@ if test x$ikev2 = xtrue; then
        AC_DEFINE([USE_IKEV2], [], [support for IKEv2 protocol])
 fi
 
-dnl ==============================
-dnl  build Makefiles
-dnl ==============================
+=================
+#  build Makefiles
+=================
 
-AC_OUTPUT(
+AC_CONFIG_FILES([
        Makefile
        man/Makefile
        init/Makefile
@@ -1217,6 +1264,7 @@ AC_OUTPUT(
        src/libstrongswan/plugins/dnskey/Makefile
        src/libstrongswan/plugins/pem/Makefile
        src/libstrongswan/plugins/curl/Makefile
+       src/libstrongswan/plugins/unbound/Makefile
        src/libstrongswan/plugins/soup/Makefile
        src/libstrongswan/plugins/ldap/Makefile
        src/libstrongswan/plugins/mysql/Makefile
@@ -1245,6 +1293,7 @@ AC_OUTPUT(
        src/libradius/Makefile
        src/libtncif/Makefile
        src/libtnccs/Makefile
+       src/libpttls/Makefile
        src/libpts/Makefile
        src/libpts/plugins/imc_attestation/Makefile
        src/libpts/plugins/imv_attestation/Makefile
@@ -1292,6 +1341,7 @@ AC_OUTPUT(
        src/libcharon/plugins/farp/Makefile
        src/libcharon/plugins/smp/Makefile
        src/libcharon/plugins/sql/Makefile
+       src/libcharon/plugins/ipseckey/Makefile
        src/libcharon/plugins/medsrv/Makefile
        src/libcharon/plugins/medcli/Makefile
        src/libcharon/plugins/addrblock/Makefile
@@ -1302,11 +1352,12 @@ AC_OUTPUT(
        src/libcharon/plugins/lookip/Makefile
        src/libcharon/plugins/error_notify/Makefile
        src/libcharon/plugins/certexpire/Makefile
+       src/libcharon/plugins/systime_fix/Makefile
        src/libcharon/plugins/led/Makefile
        src/libcharon/plugins/duplicheck/Makefile
        src/libcharon/plugins/coupling/Makefile
        src/libcharon/plugins/radattr/Makefile
-       src/libcharon/plugins/android/Makefile
+       src/libcharon/plugins/android_dns/Makefile
        src/libcharon/plugins/android_log/Makefile
        src/libcharon/plugins/maemo/Makefile
        src/libcharon/plugins/stroke/Makefile
@@ -1332,4 +1383,18 @@ AC_OUTPUT(
        src/conftest/Makefile
        scripts/Makefile
        testing/Makefile
-)
+])
+AC_OUTPUT
+
+# ========================
+#  report enabled plugins
+# ========================
+
+AC_MSG_RESULT([])
+AC_MSG_RESULT([ strongSwan will be built with the following plugins])
+AC_MSG_RESULT([-----------------------------------------------------])
+
+AC_MSG_RESULT([libstrongswan:$s_plugins])
+AC_MSG_RESULT([libcharon:    $c_plugins])
+AC_MSG_RESULT([libhydra:     $h_plugins])
+AC_MSG_RESULT([])
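Review bot: The plugin report at L2578–L2585 is emitted with `AC_MSG_RESULT`, which autoconf reserves for the answer to a preceding `AC_MSG_CHECKING` and which writes to stdout only. `AC_MSG_NOTICE` is the macro for free-standing status output and additionally records the line in config.log, which is where a record of which plugins (including security-relevant ones such as `openssl`, `unbound` or `ipseckey`) were compiled in is most useful when a build is investigated later; e.g. `AC_MSG_NOTICE([libstrongswan:$s_plugins])`. The blank-line separators can stay `AC_MSG_RESULT([])` or become `AC_MSG_NOTICE([])` for uniformity.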
index 3d42365..2e45520 100644 (file)
@@ -20,6 +20,7 @@ AC_DEFUN([ARG_ENABL_SET],
 # ARG_DISBL_SET(option, help)
 # ---------------------------
 # Create a --disable-$1 option with helptext, set a variable $1 to true/false
+# All $1 are collected in the variable $enabled_by_default
 AC_DEFUN([ARG_DISBL_SET],
        [AC_ARG_ENABLE(
                [$1],
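Review bot: The added comment `# All $1 are collected in the variable $enabled_by_default` describes the new behaviour loosely: what the macro appends (in the next hunk) is the `-`→`_` converted form of `$1`, and it is appended whether or not the user passed `--disable-$1`, so the list records options that default to enabled rather than options that ended up enabled. Suggest `# The name of every option (with - replaced by _) is appended to $enabled_by_default, regardless of the user's choice`, so that consumers know to compare against shell variable names and not against the option spelling.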
@@ -32,5 +33,6 @@ AC_DEFUN([ARG_DISBL_SET],
                fi],
                [patsubst([$1], [-], [_])=true
                patsubst([$1], [-], [_])_given=false]
-       )]
+       )
+       enabled_by_default=${enabled_by_default}" patsubst([$1], [-], [_])"]
 )
index 2766cc4..e778ab7 100644 (file)
@@ -452,6 +452,11 @@ suites, the strict flag
 exclamation mark) can be used, e.g:
 .BR aes256-sha512-modp4096!
 .TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
 .BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
 should last before being renegotiated. Also see EXPIRY/REKEY below.
@@ -613,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions.
 is required only if selecting the certificate with
 .B leftid
 is not sufficient, for example if multiple certificates use the same subject.
+.br
+Multiple certificate paths or PKCS#11 backends can be specified in a comma
+separated list. The daemon chooses the certificate based on the received
+certificate requests if possible before enforcing the first.
 .TP
 .BR leftcert2 " = <path>"
 Same as
@@ -737,6 +746,14 @@ can be used to the same effect, e.g.
 .B leftprotoport=udp/%any
 or
 .BR leftprotoport=%any/53 .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
 .TP
 .BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
 the left participant's public key for RSA signature authentication, in RFC 2537
index 2fafed6..3d80d76 100644 (file)
@@ -569,6 +569,9 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.ha.segment_count " [1]"
 
 .TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs from the DNS
+.TP
 .BR charon.plugins.led.activity_led
 
 .TP
@@ -776,6 +779,12 @@ File to read random bytes from, instead of @DEV_RANDOM@
 .TP
 .BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
 File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -1352,7 +1361,7 @@ Authentication method(s) the intiator uses
 Initiator ID used in load test
 .TP
 .BR charon.plugins.load-tester.initiator_match
-Initiator ID to to match against as responder
+Initiator ID to match against as responder
 .TP
 .BR charon.plugins.load-tester.initiator_tsi
 Traffic selector on initiator side, as proposed by initiator
index 2c8b800..b97347f 100644 (file)
@@ -11,3 +11,4 @@ crypt_burn
 hash_burn
 tls_test
 fetch
+dnssec
index ea399e8..f7ecd9e 100644 (file)
@@ -3,7 +3,8 @@ AM_CFLAGS = \
 -DPLUGINS="\"${scripts_plugins}\""
 
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \
-       thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch
+       thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \
+       dnssec
 
 if USE_TLS
   noinst_PROGRAMS += tls_test
@@ -24,6 +25,7 @@ pubkey_speed_SOURCES = pubkey_speed.c
 crypt_burn_SOURCES = crypt_burn.c
 hash_burn_SOURCES = hash_burn.c
 fetch_SOURCES = fetch.c
+dnssec_SOURCES = dnssec.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -33,6 +35,7 @@ pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 hash_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 key2keyid.o :  $(top_builddir)/config.status
 
diff --git a/scripts/dnssec.c b/scripts/dnssec.c
new file mode 100644 (file)
index 0000000..89ea56e
--- /dev/null
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2011-2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+#include <library.h>
+
+int main(int argc, char *argv[])
+{
+       resolver_t *resolver;
+       resolver_response_t *response;
+       enumerator_t *enumerator;
+       rr_set_t *rrset;
+       rr_t *rr;
+       chunk_t chunk;
+
+       library_init(NULL);
+       atexit(library_deinit);
+       if (!lib->plugins->load(lib->plugins, NULL, PLUGINS))
+       {
+               return 1;
+       }
+       if (argc != 2)
+       {
+               fprintf(stderr, "usage: %s <name>\n", argv[0]);
+               return 1;
+       }
+
+       resolver = lib->resolver->create(lib->resolver);
+       if (!resolver)
+       {
+               printf("failed to create a resolver!\n");
+               return 1;
+       }
+
+       response = resolver->query(resolver, argv[1], RR_CLASS_IN, RR_TYPE_A);
+       if (!response)
+       {
+               printf("no response received!\n");
+               resolver->destroy(resolver);
+               return 1;
+       }
+
+       printf("DNS response:\n");
+       if (!response->has_data(response) || !response->query_name_exist(response))
+       {
+               if (!response->has_data(response))
+               {
+                       printf("  no data in the response\n");
+               }
+               if (!response->query_name_exist(response))
+               {
+                       printf("  query name does not exist\n");
+               }
+               response->destroy(response);
+               resolver->destroy(resolver);
+               return 1;
+       }
+
+       printf("  RRs in the response:\n");
+       rrset = response->get_rr_set(response);
+       if (!rrset)
+       {
+               printf("    response contains no RRset!\n");
+               response->destroy(response);
+               resolver->destroy(resolver);
+               return 1;
+       }
+
+       enumerator = rrset->create_rr_enumerator(rrset);
+       while (enumerator->enumerate(enumerator, &rr))
+       {
+               printf("    name: ");
+               printf(rr->get_name(rr));
+               printf("\n");
+       }
+
+       enumerator = rrset->create_rrsig_enumerator(rrset);
+       if (enumerator)
+       {
+               printf("  RRSIGs for the RRset:\n");
+               while (enumerator->enumerate(enumerator, &rr))
+               {
+                       printf("    name: ");
+                       printf(rr->get_name(rr));
+                       printf("\n    RDATA: ");
+                       chunk = rr->get_rdata(rr);
+                       chunk = chunk_to_hex(chunk, NULL, TRUE);
+                       printf(chunk.ptr);
+                       printf("\n");
+               }
+       }
+
+       printf("  security status of the response: ");
+       switch (response->get_security_state(response))
+       {
+               case SECURE:
+                       printf("SECURE\n\n");
+                       break;
+               case INSECURE:
+                       printf("INSECURE\n\n");
+                       break;
+               case BOGUS:
+                       printf("BOGUS\n\n");
+                       break;
+               case INDETERMINATE:
+                       printf("INDETERMINATE\n\n");
+                       break;
+       }
+       response->destroy(response);
+       resolver->destroy(resolver);
+       return 0;
+}
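Review bot: `printf(rr->get_name(rr))` at L2798 and L2809, and `printf(chunk.ptr)` at L2813, pass data taken from the DNS response as the printf format string, so a name containing `%` directives is interpreted as a format (CERT FIO30-C) — the name should be printed with `printf("%s", ...)`; the hex string is benign but should use the same form for consistency. The enumerators returned by `create_rr_enumerator()` and `create_rrsig_enumerator()` are never destroyed, and the buffer that `chunk_to_hex()` allocates when given a NULL output buffer is never released, so every printed RR leaks a little. The rewritten loop pair is below; it also folds the two-step name/RDATA output into single calls. Separately, main() returns 0 even when the response is BOGUS or INDETERMINATE, which makes a validation tool easy to misuse from scripts — consider mapping the non-SECURE states to a non-zero exit status.
```c
	enumerator = rrset->create_rr_enumerator(rrset);
	while (enumerator->enumerate(enumerator, &rr))
	{
		/* the name comes from the DNS response: never use it as a format string */
		printf("    name: %s\n", rr->get_name(rr));
	}
	enumerator->destroy(enumerator);

	enumerator = rrset->create_rrsig_enumerator(rrset);
	if (enumerator)
	{
		printf("  RRSIGs for the RRset:\n");
		while (enumerator->enumerate(enumerator, &rr))
		{
			/* chunk_to_hex() with a NULL buffer allocates a NUL-terminated copy */
			chunk = chunk_to_hex(rr->get_rdata(rr), NULL, TRUE);
			printf("    name: %s\n    RDATA: %s\n", rr->get_name(rr), chunk.ptr);
			chunk_free(&chunk);
		}
		enumerator->destroy(enumerator);
	}
	/* … unchanged: security status switch and cleanup … */
```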
index e4c0374..e71f73d 100644 (file)
@@ -32,6 +32,10 @@ if USE_LIBTNCCS
   SUBDIRS += libtnccs
 endif
 
+if USE_LIBPTTLS
+  SUBDIRS += libpttls
+endif
+
 if USE_IMCV
   SUBDIRS += libimcv
 endif
index eb18749..b96ab41 100644 (file)
@@ -501,7 +501,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        ike_cfg = ike_cfg_create(IKEV2, TRUE, encap, "0.0.0.0", FALSE,
                                                         charon->socket->get_port(charon->socket, FALSE),
                                                        (char*)address, FALSE, IKEV2_UDP_PORT,
-                                                        FRAGMENTATION_NO);
+                                                        FRAGMENTATION_NO, 0);
        ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
        peer_cfg = peer_cfg_create(priv->name, ike_cfg,
                                        CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
@@ -718,4 +718,3 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
        }
        return plugin;
 }
-
index f4bd27d..812b762 100644 (file)
@@ -175,6 +175,7 @@ static void segv_handler(int signal)
 
        DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
        backtrace = backtrace_create(2);
+       backtrace->log(backtrace, NULL, TRUE);
        backtrace->log(backtrace, stderr, TRUE);
        backtrace->destroy(backtrace);
 
index ae0d934..7f05e9c 100644 (file)
@@ -107,7 +107,7 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
                settings->get_int(settings, "configs.%s.lport", 500, config),
                settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE,
                settings->get_int(settings, "configs.%s.rport", 500, config),
-               FRAGMENTATION_NO);
+               FRAGMENTATION_NO, 0);
        token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
        if (token)
        {
@@ -188,7 +188,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
                enumerator = enumerator_create_token(token, ",", " ");
                while (enumerator->enumerate(enumerator, &token))
                {
-                       ts = traffic_selector_create_from_cidr(token, 0, 0);
+                       ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
                        if (ts)
                        {
                                child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
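Review bot: The new fourth argument `65535` to traffic_selector_create_from_cidr is a bare literal; together with the two `0`s the call presumably means any protocol and the full port range, but that is not readable without the prototype. A short annotation, `ts = traffic_selector_create_from_cidr(token, 0, 0, 65535 /* any port */);`, or a named constant would make the intent visible. The same call is changed in the next hunk of this file (the remote traffic selector loop). load_child_config starts and ends outside the hunk.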
@@ -212,7 +212,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
                enumerator = enumerator_create_token(token, ",", " ");
                while (enumerator->enumerate(enumerator, &token))
                {
-                       ts = traffic_selector_create_from_cidr(token, 0, 0);
+                       ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
                        if (ts)
                        {
                                child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
index 2a62b9c..ce9e245 100644 (file)
@@ -14,7 +14,7 @@
  */
 
 /**
- * @defgroup config config
+ * @defgroup config_t config
  * @{ @ingroup conftest
  */
 
index 39a15f2..b937117 100644 (file)
@@ -14,8 +14,8 @@
  */
 
 /**
- * @defgroup hook hook
- * @{ @ingroup hooks
+ * @defgroup hook_t hook
+ * @{ @ingroup conftest
  */
 
 #ifndef HOOK_H_
index 71288c6..c0ac8c1 100644 (file)
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012 Tobias Brunner
+    Copyright (C) 2012-2013 Tobias Brunner
     Copyright (C) 2012 Giuliano Grassi
     Copyright (C) 2012 Ralf Sager
     Hochschule fuer Technik Rapperswil
@@ -17,8 +17,8 @@
 -->
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
     package="org.strongswan.android"
-    android:versionCode="9"
-    android:versionName="1.2.1" >
+    android:versionCode="10"
+    android:versionName="1.2.2" >
 
     <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="17" />
 
index a3ecddd..918708f 100644 (file)
@@ -49,7 +49,7 @@ struct android_creds_t {
        /**
         * Load the user certificate and private key
         *
-        * @preturn                                     loaded client certificate, NULL on failure
+        * @return                                      loaded client certificate, NULL on failure
         */
        certificate_t *(*load_user_certificate)(android_creds_t *this);
 
index cce5ff0..76c1398 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Copyright (C) 2012 Giuliano Grassi
  * Copyright (C) 2012 Ralf Sager
  * Hochschule fuer Technik Rapperswil
@@ -167,6 +167,10 @@ static job_requeue_t handle_plain(private_android_service_t *this)
 
        if (len < 0)
        {
+               if (errno == EBADF)
+               {       /* the TUN device got closed just before calling select(), retry */
+                       return JOB_REQUEUE_FAIR;
+               }
                DBG1(DBG_DMN, "select on TUN device failed: %s", strerror(errno));
                return JOB_REQUEUE_NONE;
        }
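Review bot: The EBADF branch retries with JOB_REQUEUE_FAIR without any bound, so if the TUN descriptor is never replaced the job keeps requeueing instead of terminating like the other select() error path below it. The comment describes a close "just before calling select()", which suggests a transient race, but nothing in the hunk limits the retries. If the job is cancelled when the service shuts down or the TUN device is reopened, state that in the comment, e.g. `/* the TUN device got closed just before calling select(); retry, the job is cancelled once the service stops */`; otherwise a retry limit is warranted. handle_plain starts and ends outside the hunk.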
@@ -452,9 +456,49 @@ METHOD(listener_t, ike_reestablish, bool,
        return TRUE;
 }
 
+static void add_auth_cfg_eap(private_android_service_t *this,
+                                                        peer_cfg_t *peer_cfg)
+{
+       identification_t *user;
+       auth_cfg_t *auth;
+
+       auth = auth_cfg_create();
+       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+       user = identification_create_from_string(this->username);
+       auth->add(auth, AUTH_RULE_IDENTITY, user);
+
+       this->creds->add_username_password(this->creds, this->username,
+                                                                          this->password);
+       memwipe(this->password, strlen(this->password));
+       peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+}
+
+static bool add_auth_cfg_cert(private_android_service_t *this,
+                                                         peer_cfg_t *peer_cfg)
+{
+       certificate_t *cert;
+       identification_t *id;
+       auth_cfg_t *auth;
+
+       cert = this->creds->load_user_certificate(this->creds);
+       if (!cert)
+       {
+               return FALSE;
+       }
+
+       auth = auth_cfg_create();
+       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+       auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+
+       id = cert->get_subject(cert);
+       auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
+       peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+       return TRUE;
+}
+
 static job_requeue_t initiate(private_android_service_t *this)
 {
-       identification_t *gateway, *user;
+       identification_t *gateway;
        ike_cfg_t *ike_cfg;
        peer_cfg_t *peer_cfg;
        child_cfg_t *child_cfg;
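Review bot: Neither add_auth_cfg_eap nor add_auth_cfg_cert carries the `/** ... */` header comment the file gives its other static functions, and their contracts differ in a way the caller must know: the cert helper returns FALSE when the user certificate cannot be loaded, while the EAP helper has no failure path and wipes this->password after handing it to the credential set. Add a header to each, along the lines of `/** Add a public-key auth round using the user certificate; FALSE if it can't be loaded */` and `/** Add an EAP auth round for username/password; wipes this->password afterwards */`. Presumably add_username_password copies the password (the immediate memwipe suggests so) — confirm, and note in the comment that a second call would therefore hand over an empty string.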
@@ -472,7 +516,7 @@ static job_requeue_t initiate(private_android_service_t *this)
        ike_cfg = ike_cfg_create(IKEV2, TRUE, TRUE, "0.0.0.0", FALSE,
                                                         charon->socket->get_port(charon->socket, FALSE),
                                                         this->gateway, FALSE, IKEV2_UDP_PORT,
-                                                        FRAGMENTATION_NO);
+                                                        FRAGMENTATION_NO, 0);
        ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 
        peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
@@ -485,38 +529,21 @@ static job_requeue_t initiate(private_android_service_t *this)
        peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
 
        /* local auth config */
-       if (streq("ikev2-eap", this->type))
-       {
-               auth = auth_cfg_create();
-               auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-               user = identification_create_from_string(this->username);
-               auth->add(auth, AUTH_RULE_IDENTITY, user);
-
-               this->creds->add_username_password(this->creds, this->username,
-                                                                                  this->password);
-               memwipe(this->password, strlen(this->password));
-               peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-       }
-       else if (streq("ikev2-cert", this->type))
+       if (streq("ikev2-cert", this->type) ||
+               streq("ikev2-cert-eap", this->type))
        {
-               certificate_t *cert;
-               identification_t *id;
-
-               cert = this->creds->load_user_certificate(this->creds);
-               if (!cert)
+               if (!add_auth_cfg_cert(this, peer_cfg))
                {
                        peer_cfg->destroy(peer_cfg);
                        charonservice->update_status(charonservice,
                                                                                 CHARONSERVICE_GENERIC_ERROR);
                        return JOB_REQUEUE_NONE;
-
                }
-               auth = auth_cfg_create();
-               auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-               auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
-               id = cert->get_subject(cert);
-               auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
-               peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+       }
+       if (streq("ikev2-eap", this->type) ||
+               streq("ikev2-cert-eap", this->type))
+       {
+               add_auth_cfg_eap(this, peer_cfg);
        }
 
        /* remote auth config */
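Review bot: For the new `ikev2-cert-eap` type the order of the two `if` blocks is what decides that the certificate round is registered before the EAP round, and nothing at the call sites says that the order is significant. Presumably add_auth_cfg appends in call order and the gateway expects certificate first, then EAP, for multiple authentication — confirm, and state it above the first block: `/* for ikev2-cert-eap the certificate round must precede the EAP round */`. initiate starts and ends outside the hunk.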
index 3a2e834..b68c8b2 100644 (file)
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup kernel_android_ipsec kernel_android_ipsec
- * @{ @ingroup kernel_android
+ * @{ @ingroup android_kernel
  */
 
 #ifndef KERNEL_ANDROID_IPSEC_H_
index 470029f..f060539 100644 (file)
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_android_net kernel_android_net
- * @{ @ingroup kernel_android
+ * @{ @ingroup android_kernel
  */
 
 #ifndef KERNEL_ANDROID_NET_H_
index 2638b5a..da01068 100644 (file)
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup network_manager network_manager
- * @{ @ingroup kernel_android
+ * @{ @ingroup android_kernel
  */
 
 #ifndef NETWORK_MANAGER_H_
index efa4bcb..d0117b2 100644 (file)
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012 Tobias Brunner
+    Copyright (C) 2012-2013 Tobias Brunner
     Hochschule fuer Technik Rapperswil
 
     This program is free software; you can redistribute it and/or modify it
@@ -18,5 +18,6 @@
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Benutzername/Passwort)</item>
         <item>IKEv2 Zertifikat</item>
+        <item>IKEv2 Zertifikat + EAP (Benutzername/Passwort)</item>
     </string-array>
 </resources>
\ No newline at end of file
index 3e1af5f..1b74b2e 100644 (file)
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012 Tobias Brunner
+    Copyright (C) 2012-2013 Tobias Brunner
     Hochschule fuer Technik Rapperswil
 
     This program is free software; you can redistribute it and/or modify it
@@ -18,5 +18,6 @@
     <string-array name="vpn_types">
         <item>IKEv2 EAP (użytkownik/hasło)</item>
         <item>IKEv2 certyfikat</item>
+        <item>IKEv2 certyfikat + EAP (użytkownik/hasło)</item>
     </string-array>
 </resources>
\ No newline at end of file
index 48a7219..55144f2 100644 (file)
@@ -16,6 +16,7 @@
     <!-- the order here must match the enum entries in VpnType.java -->
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Логин/Пароль)</item>
-        <item>Сертификат IKEv2</item>
+        <item>IKEv2 Сертификат</item>
+        <item>IKEv2 Сертификат + EAP (Логин/Пароль)</item>
     </string-array>
 </resources>
index bd43664..490fea5 100644 (file)
@@ -16,6 +16,7 @@
     <!-- the order here must match the enum entries in VpnType.java -->
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Логін/Пароль)</item>
-        <item>Сертифікати IKEv2</item>
+        <item>IKEv2 Сертифікати</item>
+        <item>IKEv2 Сертифікати + EAP (Логін/Пароль)</item>
     </string-array>
 </resources>
index 21576f2..1ac4cc2 100644 (file)
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012 Tobias Brunner
+    Copyright (C) 2012-2013 Tobias Brunner
     Hochschule fuer Technik Rapperswil
 
     This program is free software; you can redistribute it and/or modify it
@@ -18,5 +18,6 @@
     <string-array name="vpn_types">
         <item>IKEv2 EAP (Username/Password)</item>
         <item>IKEv2 Certificate</item>
+        <item>IKEv2 Certificate + EAP (Username/Password)</item>
     </string-array>
 </resources>
\ No newline at end of file
index 44a4fa6..47cc1cb 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -19,7 +19,8 @@ public enum VpnType
 {
        /* the order here must match the items in R.array.vpn_types */
        IKEV2_EAP("ikev2-eap", true, false),
-       IKEV2_CERT("ikev2-cert", false, true);
+       IKEV2_CERT("ikev2-cert", false, true),
+       IKEV2_CERT_EAP("ikev2-cert-eap", true, true);
 
        private String mIdentifier;
        private boolean mCertificate;
index b2d6c31..a931908 100644 (file)
@@ -62,7 +62,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/eap/eap_method.c sa/eap/eap_method.h \
+sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
 sa/eap/eap_manager.c sa/eap/eap_manager.h \
 sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
 sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
@@ -125,9 +125,8 @@ processing/jobs/adopt_children_job.c processing/jobs/adopt_children_job.h
 
 # adding the plugin source files
 
-LOCAL_SRC_FILES += $(call add_plugin, android)
-ifneq ($(call plugin_enabled, android),)
-LOCAL_C_INCLUDES += frameworks/base/cmds/keystore
+LOCAL_SRC_FILES += $(call add_plugin, android-dns)
+ifneq ($(call plugin_enabled, android-dns),)
 LOCAL_SHARED_LIBRARIES += libcutils
 endif
 
index 5203890..536bab4 100644 (file)
@@ -60,7 +60,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/eap/eap_method.c sa/eap/eap_method.h \
+sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
 sa/eap/eap_manager.c sa/eap/eap_manager.h \
 sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
 sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \
@@ -212,6 +212,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_IPSECKEY
+  SUBDIRS += plugins/ipseckey
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/ipseckey/libstrongswan-ipseckey.la
+endif
+endif
+
 if USE_UPDOWN
   SUBDIRS += plugins/updown
 if MONOLITHIC
@@ -450,10 +457,10 @@ if MONOLITHIC
 endif
 endif
 
-if USE_ANDROID
-  SUBDIRS += plugins/android
+if USE_ANDROID_DNS
+  SUBDIRS += plugins/android_dns
 if MONOLITHIC
-  libcharon_la_LIBADD += plugins/android/libstrongswan-android.la
+  libcharon_la_LIBADD += plugins/android_dns/libstrongswan-android-dns.la
 endif
 endif
 
@@ -506,6 +513,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_SYSTIME_FIX
+  SUBDIRS += plugins/systime_fix
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/systime_fix/libstrongswan-systime-fix.la
+endif
+endif
+
 if USE_LED
   SUBDIRS += plugins/led
 if MONOLITHIC
index 5e5fbba..54a054e 100644 (file)
@@ -95,6 +95,11 @@ struct private_ike_cfg_t {
        fragmentation_t fragmentation;
 
        /**
+        * DSCP value to use on sent IKE packets
+        */
+       u_int8_t dscp;
+
+       /**
         * List of proposals to use
         */
        linked_list_t *proposals;
@@ -156,6 +161,12 @@ METHOD(ike_cfg_t, get_other_port, u_int16_t,
        return this->other_port;
 }
 
+METHOD(ike_cfg_t, get_dscp, u_int8_t,
+       private_ike_cfg_t *this)
+{
+       return this->dscp;
+}
+
 METHOD(ike_cfg_t, add_proposal, void,
        private_ike_cfg_t *this, proposal_t *proposal)
 {
@@ -312,7 +323,7 @@ METHOD(ike_cfg_t, destroy, void,
 ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
                                                  char *me, bool my_allow_any, u_int16_t my_port,
                                                  char *other, bool other_allow_any, u_int16_t other_port,
-                                                 fragmentation_t fragmentation)
+                                                 fragmentation_t fragmentation, u_int8_t dscp)
 {
        private_ike_cfg_t *this;
 
@@ -326,6 +337,7 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
                        .get_other_addr = _get_other_addr,
                        .get_my_port = _get_my_port,
                        .get_other_port = _get_other_port,
+                       .get_dscp = _get_dscp,
                        .add_proposal = _add_proposal,
                        .get_proposals = _get_proposals,
                        .select_proposal = _select_proposal,
@@ -345,6 +357,7 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
                .other_allow_any = other_allow_any,
                .my_port = my_port,
                .other_port = other_port,
+               .dscp = dscp,
                .proposals = linked_list_create(),
        );
 
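Review bot: `.dscp = dscp,` stores the new value without any range check although a DSCP code point is a 6-bit quantity, and whether an out-of-range value is masked or shifted later is not visible here. Either mask at construction, `.dscp = dscp & 0x3f,`, or document the accepted range in the constructor's header comment so callers wiring it up from configuration know what to validate. ike_cfg_create starts and ends outside the hunk.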
index 5a7fae1..719ceb9 100644 (file)
@@ -108,6 +108,13 @@ struct ike_cfg_t {
        u_int16_t (*get_other_port)(ike_cfg_t *this);
 
        /**
+        * Get the DSCP value to use for IKE packets send from connections.
+        *
+        * @return                              DSCP value
+        */
+       u_int8_t (*get_dscp)(ike_cfg_t *this);
+
+       /**
         * Adds a proposal to the list.
         *
         * The first added proposal has the highest priority, the last
@@ -205,11 +212,12 @@ struct ike_cfg_t {
  * @param other_allow_any      allow override of remote address by any address
  * @param other_port           IKE port to use as dest, 500 uses IKEv2 port floating
  * @param fragmentation                use IKEv1 fragmentation
+ * @param dscp                         DSCP value to send IKE packets with
  * @return                                     ike_cfg_t object.
  */
 ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
                                                  char *me, bool my_allow_any, u_int16_t my_port,
                                                  char *other, bool other_allow_any, u_int16_t other_port,
-                                                 fragmentation_t fragmentation);
+                                                 fragmentation_t fragmentation, u_int8_t dscp);
 
 #endif /** IKE_CFG_H_ @}*/
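Review bot: The doc comment for get_dscp reads "IKE packets send from connections"; it should be `* Get the DSCP value to use for IKE packets sent from connections.` The `@param dscp` line of ike_cfg_create and the getter would also benefit from stating the accepted range, e.g. `@param dscp DSCP value to send IKE packets with (6-bit code point, 0..63)`, since the constructor hunk in ike_cfg.c stores the value as-is.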
index 28fdda7..ca964d7 100644 (file)
@@ -151,7 +151,7 @@ static payload_rule_t ike_sa_init_r_rules[] = {
        {SECURITY_ASSOCIATION,                  1,      1,                                              FALSE,  FALSE},
        {KEY_EXCHANGE,                                  1,      1,                                              FALSE,  FALSE},
        {NONCE,                                                 1,      1,                                              FALSE,  FALSE},
-       {CERTIFICATE_REQUEST,                   0,      1,                                              FALSE,  FALSE},
+       {CERTIFICATE_REQUEST,                   0,      MAX_CERTREQ_PAYLOADS,   FALSE,  FALSE},
        {VENDOR_ID,                                             0,      MAX_VID_PAYLOADS,               FALSE,  FALSE},
 };
 
@@ -181,7 +181,7 @@ static payload_rule_t ike_auth_i_rules[] = {
        {AUTHENTICATION,                                0,      1,                                              TRUE,   TRUE},
        {ID_INITIATOR,                                  0,      1,                                              TRUE,   FALSE},
        {CERTIFICATE,                                   0,      MAX_CERT_PAYLOADS,              TRUE,   FALSE},
-       {CERTIFICATE_REQUEST,                   0,      1,                                              TRUE,   FALSE},
+       {CERTIFICATE_REQUEST,                   0,      MAX_CERTREQ_PAYLOADS,   TRUE,   FALSE},
        {ID_RESPONDER,                                  0,      1,                                              TRUE,   FALSE},
 #ifdef ME
        {SECURITY_ASSOCIATION,                  0,      1,                                              TRUE,   FALSE},
index d168e1c..f7a13d7 100644 (file)
@@ -65,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_
        "ME_CONNECT_FAILED");
 ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
        "MS_NOTIFY_STATUS");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
        "INITIAL_CONTACT",
        "SET_WINDOW_SIZE",
        "ADDITIONAL_TS_POSSIBLE",
@@ -108,8 +108,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
        "IPSEC_REPLAY_COUNTER_SYNC",
        "SECURE PASSWORD_METHOD",
        "PSK_PERSIST",
-       "PSK_CONFIRM");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, PSK_CONFIRM,
+       "PSK_CONFIRM",
+       "ERX_SUPPORTED");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
        "INITIAL_CONTACT");
 ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
        "DPD_R_U_THERE",
@@ -170,7 +171,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S
        "ME_CONN_FAIL");
 ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
        "MS_STATUS");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
        "INIT_CONTACT",
        "SET_WINSIZE",
        "ADD_TS_POSS",
@@ -213,8 +214,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATU
        "RPL_CTR_SYN",
        "SEC_PASSWD",
        "PSK_PST",
-       "PSK_CFM");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, PSK_CONFIRM,
+       "PSK_CFM",
+       "ERX_SUP");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
        "INITIAL_CONTACT");
 ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
        "DPD",
index 498c659..847fddc 100644 (file)
@@ -140,9 +140,11 @@ enum notify_type_t {
        IPSEC_REPLAY_COUNTER_SYNC = 16423,
        /* Secure password methods, RFC 6467 */
        SECURE_PASSWORD_METHOD = 16424,
-       /* PACE - draft-kuegler-ipsecme-pace-ikev2 */
+       /* PACE, RFC 6631 */
        PSK_PERSIST = 16425,
        PSK_CONFIRM = 16426,
+       /* EAP Re-authentication Extension, RFC 6867 */
+       ERX_SUPPORTED = 16427,
        /* IKEv1 initial contact */
        INITIAL_CONTACT_IKEV1 = 24578,
        /* IKEv1 DPD */
index 15f791b..334823d 100644 (file)
@@ -114,7 +114,11 @@ METHOD(payload_t, verify, status_t,
 {
        if (this->start_port > this->end_port)
        {
-               return FAILED;
+               /* OPAQUE ports are the only exception */
+               if (this->start_port != 0xffff && this->end_port != 0)
+               {
+                       return FAILED;
+               }
        }
        switch (this->ts_type)
        {
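Review bot: The OPAQUE exception is too permissive: `this->start_port != 0xffff && this->end_port != 0` rejects only when both halves differ, so a selector with start_port 100 and end_port 0, or start_port 0xffff and end_port 5, still passes verify although start > end and neither is the OPAQUE encoding. Only the exact pair (0xffff, 0) should be admitted: `if (this->start_port != 0xffff || this->end_port != 0)`. Since this is the payload_t verify step for a substructure parsed from the peer's message, it is the check that keeps an inverted port range out of the later traffic-selector logic. verify starts outside the hunk.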
diff --git a/src/libcharon/plugins/android/Makefile.am b/src/libcharon/plugins/android/Makefile.am
deleted file mode 100644 (file)
index b10cd95..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-       -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = -rdynamic
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-android.la
-else
-plugin_LTLIBRARIES = libstrongswan-android.la
-endif
-
-libstrongswan_android_la_SOURCES = \
-       android_plugin.c android_plugin.h \
-       android_service.c android_service.h \
-       android_handler.c android_handler.h \
-       android_creds.c android_creds.h
-
-libstrongswan_android_la_LDFLAGS = -module -avoid-version
-libstrongswan_android_la_LIBADD  = -lcutils
diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c
deleted file mode 100644 (file)
index 601c91e..0000000
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <keystore_get.h>
-
-#include "android_creds.h"
-
-#include <daemon.h>
-#include <threading/rwlock.h>
-
-typedef struct private_android_creds_t private_android_creds_t;
-
-/**
- * Private data of an android_creds_t object
- */
-struct private_android_creds_t {
-
-       /**
-        * Public interface
-        */
-       android_creds_t public;
-
-       /**
-        * List of trusted certificates, certificate_t*
-        */
-       linked_list_t *certs;
-
-       /**
-        * User name (ID)
-        */
-       identification_t *user;
-
-       /**
-        * User password
-        */
-       char *pass;
-
-       /**
-        * read/write lock
-        */
-       rwlock_t *lock;
-
-};
-
-/**
- * Certificate enumerator data
- */
-typedef struct {
-       private_android_creds_t *this;
-       key_type_t key;
-       identification_t *id;
-} cert_data_t;
-
-/**
- * Filter function for certificates enumerator
- */
-static bool cert_filter(cert_data_t *data, certificate_t **in,
-                                               certificate_t **out)
-{
-       certificate_t *cert = *in;
-       public_key_t *public;
-
-       public = cert->get_public_key(cert);
-       if (!public)
-       {
-               return FALSE;
-       }
-       if (data->key != KEY_ANY && public->get_type(public) != data->key)
-       {
-               public->destroy(public);
-               return FALSE;
-       }
-       if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
-               public->has_fingerprint(public, data->id->get_encoding(data->id)))
-       {
-               public->destroy(public);
-               *out = cert;
-               return TRUE;
-       }
-       public->destroy(public);
-       if (data->id && !cert->has_subject(cert, data->id))
-       {
-               return FALSE;
-       }
-       *out = cert;
-       return TRUE;
-}
-
-/**
- * Destroy certificate enumerator data
- */
-static void cert_data_destroy(cert_data_t *this)
-{
-       this->this->lock->unlock(this->this->lock);
-       free(this);
-}
-
-METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
-          private_android_creds_t *this, certificate_type_t cert, key_type_t key,
-          identification_t *id, bool trusted)
-{
-       if (cert == CERT_X509 || cert == CERT_ANY)
-       {
-               cert_data_t *data;
-               this->lock->read_lock(this->lock);
-               INIT(data, .this = this, .id = id, .key = key);
-               return enumerator_create_filter(
-                                               this->certs->create_enumerator(this->certs),
-                                               (void*)cert_filter, data, (void*)cert_data_destroy);
-       }
-       return NULL;
-}
-
-/**
- * Shared key enumerator implementation
- */
-typedef struct {
-       enumerator_t public;
-       private_android_creds_t *this;
-       shared_key_t *key;
-       bool done;
-} shared_enumerator_t;
-
-METHOD(enumerator_t, shared_enumerate, bool,
-          shared_enumerator_t *this, shared_key_t **key, id_match_t *me,
-          id_match_t *other)
-{
-       if (this->done)
-       {
-               return FALSE;
-       }
-       *key = this->key;
-       *me = ID_MATCH_PERFECT;
-       *other = ID_MATCH_ANY;
-       this->done = TRUE;
-       return TRUE;
-}
-
-METHOD(enumerator_t, shared_destroy, void,
-          shared_enumerator_t *this)
-{
-       this->key->destroy(this->key);
-       this->this->lock->unlock(this->this->lock);
-       free(this);
-}
-
-METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
-          private_android_creds_t *this, shared_key_type_t type,
-          identification_t *me, identification_t *other)
-{
-       shared_enumerator_t *enumerator;
-
-       this->lock->read_lock(this->lock);
-
-       if (!this->user || !this->pass)
-       {
-               this->lock->unlock(this->lock);
-               return NULL;
-       }
-       if (type != SHARED_EAP && type != SHARED_IKE)
-       {
-               this->lock->unlock(this->lock);
-               return NULL;
-       }
-       if (me && !me->equals(me, this->user))
-       {
-               this->lock->unlock(this->lock);
-               return NULL;
-       }
-
-       INIT(enumerator,
-               .public = {
-                       .enumerate = (void*)_shared_enumerate,
-                       .destroy = _shared_destroy,
-               },
-               .this = this,
-               .done = FALSE,
-               .key = shared_key_create(type, chunk_clone(chunk_create(this->pass,
-                                                                                                  strlen(this->pass)))),
-       );
-       return &enumerator->public;
-}
-
-METHOD(android_creds_t, add_certificate, bool,
-          private_android_creds_t *this, char *name)
-{
-       certificate_t *cert = NULL;
-       bool status = FALSE;
-       chunk_t chunk;
-#ifdef KEYSTORE_MESSAGE_SIZE
-       /* most current interface, the eclair interface (without key length) is
-        * currently not supported */
-       char value[KEYSTORE_MESSAGE_SIZE];
-       chunk.ptr = value;
-       chunk.len = keystore_get(name, strlen(name), chunk.ptr);
-       if (chunk.len > 0)
-#else
-       /* 1.6 interface, allocates memory */
-       chunk.ptr = keystore_get(name, &chunk.len);
-       if (chunk.ptr)
-#endif /* KEYSTORE_MESSAGE_SIZE */
-       {
-               cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-                                                                 BUILD_BLOB_PEM, chunk, BUILD_END);
-               if (cert)
-               {
-                       this->lock->write_lock(this->lock);
-                       this->certs->insert_last(this->certs, cert);
-                       this->lock->unlock(this->lock);
-                       status = TRUE;
-               }
-#ifndef KEYSTORE_MESSAGE_SIZE
-               free(chunk.ptr);
-#endif /* KEYSTORE_MESSAGE_SIZE */
-       }
-       return status;
-}
-
-METHOD(android_creds_t, set_username_password, void,
-          private_android_creds_t *this, identification_t *id, char *password)
-{
-       this->lock->write_lock(this->lock);
-       DESTROY_IF(this->user);
-       this->user = id->clone(id);
-       free(this->pass);
-       this->pass = strdupnull(password);
-       this->lock->unlock(this->lock);
-}
-
-METHOD(android_creds_t, clear, void,
-          private_android_creds_t *this)
-{
-       certificate_t *cert;
-       this->lock->write_lock(this->lock);
-       while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
-       {
-               cert->destroy(cert);
-       }
-       DESTROY_IF(this->user);
-       free(this->pass);
-       this->user = NULL;
-       this->pass = NULL;
-       this->lock->unlock(this->lock);
-}
-
-METHOD(android_creds_t, destroy, void,
-          private_android_creds_t *this)
-{
-       clear(this);
-       this->certs->destroy(this->certs);
-       this->lock->destroy(this->lock);
-       free(this);
-}
-
-/**
- * Described in header.
- */
-android_creds_t *android_creds_create()
-{
-       private_android_creds_t *this;
-
-       INIT(this,
-               .public = {
-                       .set = {
-                               .create_cert_enumerator = _create_cert_enumerator,
-                               .create_shared_enumerator = _create_shared_enumerator,
-                               .create_private_enumerator = (void*)return_null,
-                               .create_cdp_enumerator = (void*)return_null,
-                               .cache_cert = (void*)nop,
-                       },
-                       .add_certificate = _add_certificate,
-                       .set_username_password = _set_username_password,
-                       .clear = _clear,
-                       .destroy = _destroy,
-               },
-               .certs = linked_list_create(),
-               .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-       );
-
-       return &this->public;
-}
-
diff --git a/src/libcharon/plugins/android/android_creds.h b/src/libcharon/plugins/android/android_creds.h
deleted file mode 100644 (file)
index 0f7b8e0..0000000
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android_creds android_creds
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_CREDS_H_
-#define ANDROID_CREDS_H_
-
-#include <credentials/credential_set.h>
-
-typedef struct android_creds_t android_creds_t;
-
-/**
- * Android credentials helper.
- */
-struct android_creds_t {
-
-       /**
-        * Implements credential_set_t
-        */
-       credential_set_t set;
-
-       /**
-        * Add a trusted CA certificate from the Android keystore to serve by
-        * this set.
-        *
-        * @param name          name/ID of the certificate in the keystore
-        * @return                      FALSE if the certificate does not exist or is invalid
-        */
-       bool (*add_certificate)(android_creds_t *this, char *name);
-
-       /**
-        * Set the username and password for authentication.
-        *
-        * @param id            ID of the user
-        * @param password      password to use for authentication
-        */
-       void (*set_username_password)(android_creds_t *this, identification_t *id,
-                                                                 char *password);
-
-       /**
-        * Clear the stored credentials.
-        */
-       void (*clear)(android_creds_t *this);
-
-       /**
-        * Destroy a android_creds instance.
-        */
-       void (*destroy)(android_creds_t *this);
-
-};
-
-/**
- * Create an android_creds instance.
- */
-android_creds_t *android_creds_create();
-
-#endif /** ANDROID_CREDS_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_handler.c b/src/libcharon/plugins/android/android_handler.c
deleted file mode 100644 (file)
index 29dbbbf..0000000
+++ /dev/null
@@ -1,240 +0,0 @@
-/*
- * Copyright (C) 2010-2011 Tobias Brunner
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "android_handler.h"
-
-#include <networking/host.h>
-#include <collections/linked_list.h>
-
-#include <cutils/properties.h>
-
-typedef struct private_android_handler_t private_android_handler_t;
-
-/**
- * Private data of an android_handler_t object.
- */
-struct private_android_handler_t {
-
-       /**
-        * Public android_handler_t interface.
-        */
-       android_handler_t public;
-
-       /**
-        * List of registered DNS servers
-        */
-       linked_list_t *dns;
-
-       /**
-        * Whether the VPN frontend is used
-        */
-       bool frontend;
-};
-
-/**
- * Prefixes to be used when installing DNS servers
- */
-#define DNS_PREFIX_DEFAULT  "net"
-#define DNS_PREFIX_FRONTEND "vpn"
-
-/**
- * Struct to store a pair of old and installed DNS servers
- */
-typedef struct {
-       /** installed dns server */
-       host_t *dns;
-       /** old dns server */
-       host_t *old;
-} dns_pair_t;
-
-/**
- * Destroy a pair of old and installed DNS servers
- */
-void destroy_dns_pair(dns_pair_t *this)
-{
-       DESTROY_IF(this->dns);
-       DESTROY_IF(this->old);
-       free(this);
-}
-
-/**
- * Filter pairs of DNS servers
- */
-bool filter_dns_pair(void *data, dns_pair_t **in, host_t **out)
-{
-       *out = (*in)->dns;
-       return TRUE;
-}
-
-/**
- * Read DNS server property with a given index
- */
-host_t *get_dns_server(private_android_handler_t *this, int index)
-{
-       host_t *dns = NULL;
-       char key[10], value[PROPERTY_VALUE_MAX],
-                *prefix = this->frontend ? DNS_PREFIX_FRONTEND : DNS_PREFIX_DEFAULT;
-
-       if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
-       {
-               return NULL;
-       }
-
-       if (property_get(key, value, NULL) > 0)
-       {
-               dns = host_create_from_string(value, 0);
-       }
-       return dns;
-}
-
-/**
- * Set DNS server property with a given index
- */
-bool set_dns_server(private_android_handler_t *this, int index, host_t *dns)
-{
-       char key[10], value[PROPERTY_VALUE_MAX],
-                *prefix = this->frontend ? DNS_PREFIX_FRONTEND : DNS_PREFIX_DEFAULT;
-
-       if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
-       {
-               return FALSE;
-       }
-
-       if (dns)
-       {
-               if (snprintf(value, sizeof(value), "%H", dns) >= sizeof(value))
-               {
-                       return FALSE;
-               }
-       }
-       else
-       {
-               value[0] = '\0';
-       }
-
-       if (property_set(key, value) != 0)
-       {
-               return FALSE;
-       }
-       return TRUE;
-}
-
-METHOD(attribute_handler_t, handle, bool,
-       private_android_handler_t *this, identification_t *id,
-       configuration_attribute_type_t type, chunk_t data)
-{
-       switch (type)
-       {
-               case INTERNAL_IP4_DNS:
-               {
-                       host_t *dns;
-                       dns_pair_t *pair;
-                       int index;
-
-                       dns = host_create_from_chunk(AF_INET, data, 0);
-                       if (dns)
-                       {
-                               pair = malloc_thing(dns_pair_t);
-                               pair->dns = dns;
-                               index = this->dns->get_count(this->dns) + 1;
-                               pair->old = get_dns_server(this, index);
-                               set_dns_server(this, index, dns);
-                               this->dns->insert_last(this->dns, pair);
-                               return TRUE;
-                       }
-                       return FALSE;
-               }
-               default:
-                       return FALSE;
-       }
-}
-
-METHOD(attribute_handler_t, release, void,
-       private_android_handler_t *this, identification_t *server,
-       configuration_attribute_type_t type, chunk_t data)
-{
-       if (type == INTERNAL_IP4_DNS)
-       {
-               enumerator_t *enumerator;
-               dns_pair_t *pair;
-               int index;
-
-               enumerator = this->dns->create_enumerator(this->dns);
-               for (index = 1; enumerator->enumerate(enumerator, &pair); index++)
-               {
-                       if (chunk_equals(pair->dns->get_address(pair->dns), data))
-                       {
-                               this->dns->remove_at(this->dns, enumerator);
-                               set_dns_server(this, index, pair->old);
-                               destroy_dns_pair(pair);
-                       }
-               }
-               enumerator->destroy(enumerator);
-       }
-}
-
-METHOD(enumerator_t, enumerate_dns, bool,
-       enumerator_t *this, configuration_attribute_type_t *type, chunk_t *data)
-{
-       *type = INTERNAL_IP4_DNS;
-       *data = chunk_empty;
-       /* stop enumeration */
-       this->enumerate = (void*)return_false;
-       return TRUE;
-}
-
-METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
-       android_handler_t *this, identification_t *id, linked_list_t *vips)
-{
-       enumerator_t *enumerator;
-
-       INIT(enumerator,
-               .enumerate = (void*)_enumerate_dns,
-               .destroy = (void*)free,
-       );
-       return enumerator;
-}
-
-METHOD(android_handler_t, destroy, void,
-       private_android_handler_t *this)
-{
-       this->dns->destroy_function(this->dns, (void*)destroy_dns_pair);
-       free(this);
-}
-
-/**
- * See header
- */
-android_handler_t *android_handler_create(bool frontend)
-{
-       private_android_handler_t *this;
-
-       INIT(this,
-               .public = {
-                       .handler = {
-                               .handle = _handle,
-                               .release = _release,
-                               .create_attribute_enumerator = _create_attribute_enumerator,
-                       },
-                       .destroy = _destroy,
-               },
-               .dns = linked_list_create(),
-               .frontend = frontend,
-       );
-
-       return &this->public;
-}
-
diff --git a/src/libcharon/plugins/android/android_handler.h b/src/libcharon/plugins/android/android_handler.h
deleted file mode 100644 (file)
index 0170958..0000000
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2010-2011 Tobias Brunner
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android_handler android_handler
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_HANDLER_H_
-#define ANDROID_HANDLER_H_
-
-#include <attributes/attribute_handler.h>
-
-typedef struct android_handler_t android_handler_t;
-
-/**
- * Android specific DNS attribute handler.
- */
-struct android_handler_t {
-
-       /**
-        * Implements attribute_handler_t.
-        */
-       attribute_handler_t handler;
-
-       /**
-        * Destroy a android_handler_t.
-        */
-       void (*destroy)(android_handler_t *this);
-};
-
-/**
- * Create a android_handler instance.
- *
- * @param frontend             TRUE if the VPN frontend is used
- */
-android_handler_t *android_handler_create(bool frontend);
-
-#endif /** ANDROID_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c
deleted file mode 100644 (file)
index c0f58e9..0000000
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "android_plugin.h"
-#include "android_handler.h"
-#include "android_creds.h"
-#include "android_service.h"
-
-#include <hydra.h>
-#include <daemon.h>
-
-typedef struct private_android_plugin_t private_android_plugin_t;
-
-/**
- * Private data of an android_plugin_t object.
- */
-struct private_android_plugin_t {
-
-       /**
-        * Public android_plugin_t interface.
-        */
-       android_plugin_t public;
-
-       /**
-        * Android specific DNS handler
-        */
-       android_handler_t *handler;
-
-       /**
-        * Android specific credential set
-        */
-       android_creds_t *creds;
-
-       /**
-        * Service that interacts with the Android Settings frontend
-        */
-       android_service_t *service;
-};
-
-METHOD(plugin_t, get_name, char*,
-       private_android_plugin_t *this)
-{
-       return "android";
-}
-
-METHOD(plugin_t, destroy, void,
-       private_android_plugin_t *this)
-{
-       hydra->attributes->remove_handler(hydra->attributes,
-                                                                         &this->handler->handler);
-       lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
-       this->creds->destroy(this->creds);
-       this->handler->destroy(this->handler);
-       DESTROY_IF(this->service);
-       free(this);
-}
-
-/**
- * See header
- */
-plugin_t *android_plugin_create()
-{
-       private_android_plugin_t *this;
-
-       INIT(this,
-               .public = {
-                       .plugin = {
-                               .get_name = _get_name,
-                               .reload = (void*)return_false,
-                               .destroy = _destroy,
-                       },
-               },
-               .creds = android_creds_create(),
-       );
-
-       this->service = android_service_create(this->creds);
-       this->handler = android_handler_create(this->service != NULL);
-
-       lib->credmgr->add_set(lib->credmgr, &this->creds->set);
-       hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
-
-       return &this->public.plugin;
-}
-
diff --git a/src/libcharon/plugins/android/android_plugin.h b/src/libcharon/plugins/android/android_plugin.h
deleted file mode 100644 (file)
index 987f2aa..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2010 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android android
- * @ingroup cplugins
- *
- * @defgroup android_plugin android_plugin
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_PLUGIN_H_
-#define ANDROID_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct android_plugin_t android_plugin_t;
-
-/**
- * Plugin providing functionality specific to the Android platform.
- */
-struct android_plugin_t {
-
-       /**
-        * Implements plugin interface.
-        */
-       plugin_t plugin;
-};
-
-#endif /** ANDROID_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
deleted file mode 100644 (file)
index 6af35e5..0000000
+++ /dev/null
@@ -1,389 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <unistd.h>
-#include <cutils/sockets.h>
-#include <cutils/properties.h>
-#include <signal.h>
-
-#include "android_service.h"
-
-#include <daemon.h>
-#include <threading/thread.h>
-#include <processing/jobs/callback_job.h>
-
-typedef struct private_android_service_t private_android_service_t;
-
-/**
- * private data of Android service
- */
-struct private_android_service_t {
-
-       /**
-        * public interface
-        */
-       android_service_t public;
-
-       /**
-        * current IKE_SA
-        */
-       ike_sa_t *ike_sa;
-
-       /**
-        * android credentials
-        */
-       android_creds_t *creds;
-
-       /**
-        * android control socket
-        */
-       int control;
-
-};
-
-/**
- * Some of the error codes defined in VpnManager.java
- */
-typedef enum {
-       /** Error code to indicate an error from authentication. */
-       VPN_ERROR_AUTH = 51,
-       /** Error code to indicate the connection attempt failed. */
-       VPN_ERROR_CONNECTION_FAILED = 101,
-       /** Error code to indicate an error of remote server hanging up. */
-       VPN_ERROR_REMOTE_HUNG_UP = 7,
-       /** Error code to indicate an error of losing connectivity. */
-       VPN_ERROR_CONNECTION_LOST = 103,
-} android_vpn_errors_t;
-
-/**
- * send a status code back to the Android app
- */
-static void send_status(private_android_service_t *this, u_char code)
-{
-       DBG1(DBG_CFG, "status of Android plugin changed: %d", code);
-       send(this->control, &code, 1, 0);
-}
-
-METHOD(listener_t, ike_updown, bool,
-          private_android_service_t *this, ike_sa_t *ike_sa, bool up)
-{
-       /* this callback is only registered during initiation, so if the IKE_SA
-        * goes down we assume an authentication error */
-       if (this->ike_sa == ike_sa && !up)
-       {
-               send_status(this, VPN_ERROR_AUTH);
-               return FALSE;
-       }
-       return TRUE;
-}
-
-METHOD(listener_t, child_state_change, bool,
-          private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-          child_sa_state_t state)
-{
-       /* this callback is only registered during initiation, so we still have
-        * the control socket open */
-       if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
-       {
-               send_status(this, VPN_ERROR_CONNECTION_FAILED);
-               return FALSE;
-       }
-       return TRUE;
-}
-
-/**
- * Callback used to shutdown the daemon
- */
-static job_requeue_t shutdown_callback(void *data)
-{
-       kill(0, SIGTERM);
-       return JOB_REQUEUE_NONE;
-}
-
-METHOD(listener_t, child_updown, bool,
-          private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
-          bool up)
-{
-       if (this->ike_sa == ike_sa)
-       {
-               if (up)
-               {
-                       /* disable the hooks registered to catch initiation failures */
-                       this->public.listener.ike_updown = NULL;
-                       this->public.listener.child_state_change = NULL;
-                       property_set("vpn.status", "ok");
-               }
-               else
-               {
-                       callback_job_t *job;
-                       /* the control socket is closed as soon as vpn.status is set to "ok"
-                        * and the daemon proxy then only checks for terminated daemons to
-                        * detect lost connections, so... */
-                       DBG1(DBG_CFG, "connection lost, raising delayed SIGTERM");
-                       /* to avoid any conflicts we send the SIGTERM not directly from this
-                        * callback, but from a different thread. we also delay it to avoid
-                        * a race condition during a regular shutdown */
-                       job = callback_job_create(shutdown_callback, NULL, NULL, NULL);
-                       lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, 1);
-                       return FALSE;
-               }
-       }
-       return TRUE;
-}
-
-METHOD(listener_t, ike_rekey, bool,
-          private_android_service_t *this, ike_sa_t *old, ike_sa_t *new)
-{
-       if (this->ike_sa == old)
-       {
-               this->ike_sa = new;
-       }
-       return TRUE;
-}
-
-/**
- * Read a string argument from the Android control socket
- */
-static char *read_argument(int fd, u_char length)
-{
-       int offset = 0;
-       char *data = malloc(length + 1);
-       while (offset < length)
-       {
-               int n = recv(fd, &data[offset], length - offset, 0);
-               if (n < 0)
-               {
-                       DBG1(DBG_CFG, "failed to read argument from Android"
-                                " control socket: %s", strerror(errno));
-                       free(data);
-                       return NULL;
-               }
-               offset += n;
-       }
-       data[length] = '\0';
-       DBG3(DBG_CFG, "received argument from Android control socket: %s", data);
-       return data;
-}
-
-/**
- * handle the request received from the Android control socket
- */
-static job_requeue_t initiate(private_android_service_t *this)
-{
-       bool oldstate;
-       int fd, i = 0;
-       char *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL;
-       identification_t *gateway = NULL, *user = NULL;
-       ike_cfg_t *ike_cfg;
-       peer_cfg_t *peer_cfg;
-       child_cfg_t *child_cfg;
-       traffic_selector_t *ts;
-       ike_sa_t *ike_sa;
-       auth_cfg_t *auth;
-       lifetime_cfg_t lifetime = {
-               .time = {
-                       .life = 10800, /* 3h */
-                       .rekey = 10200, /* 2h50min */
-                       .jitter = 300 /* 5min */
-               }
-       };
-
-       fd = accept(this->control, NULL, 0);
-       if (fd < 0)
-       {
-               DBG1(DBG_CFG, "accept on Android control socket failed: %s",
-                        strerror(errno));
-               return JOB_REQUEUE_NONE;
-       }
-       /* the original control socket is not used anymore */
-       close(this->control);
-       this->control = fd;
-
-       while (TRUE)
-       {
-               u_char length;
-               if (recv(fd, &length, 1, 0) != 1)
-               {
-                       DBG1(DBG_CFG, "failed to read from Android control socket: %s",
-                                strerror(errno));
-                       return JOB_REQUEUE_NONE;
-               }
-
-               if (length == 0xFF)
-               {       /* last argument */
-                       break;
-               }
-               else
-               {
-                       switch (i++)
-                       {
-                               case 0: /* gateway */
-                                       hostname = read_argument(fd, length);
-                                       break;
-                               case 1: /* CA certificate name */
-                                       cacert = read_argument(fd, length);
-                                       break;
-                               case 2: /* username */
-                                       username = read_argument(fd, length);
-                                       break;
-                               case 3: /* password */
-                                       password = read_argument(fd, length);
-                                       break;
-                       }
-               }
-       }
-
-       if (cacert)
-       {
-               if (!this->creds->add_certificate(this->creds, cacert))
-               {
-                       DBG1(DBG_CFG, "failed to load CA certificate");
-               }
-               /* if this is a server cert we could use the cert subject as id
-                * but we have to test first if that possible to configure */
-       }
-
-       gateway = identification_create_from_string(hostname);
-       DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway);
-
-       if (username)
-       {
-               user = identification_create_from_string(username);
-               this->creds->set_username_password(this->creds, user, password);
-       }
-
-       ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0", FALSE,
-                                                        charon->socket->get_port(charon->socket, FALSE),
-                                                        hostname, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
-       ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-
-       peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
-                                                          UNIQUE_REPLACE, 1, /* keyingtries */
-                                                          36000, 0, /* rekey 10h, reauth none */
-                                                          600, 600, /* jitter, over 10min */
-                                                          TRUE, FALSE, /* mobike, aggressive */
-                                                          0, 0, /* DPD delay, timeout */
-                                                          FALSE, NULL, NULL); /* mediation */
-       peer_cfg->add_virtual_ip(peer_cfg,  host_create_from_string("0.0.0.0", 0));
-
-       auth = auth_cfg_create();
-       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-       auth->add(auth, AUTH_RULE_IDENTITY, user);
-       peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
-       auth = auth_cfg_create();
-       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-       auth->add(auth, AUTH_RULE_IDENTITY, gateway);
-       peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
-
-       child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
-                                                                ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
-                                                                0, 0, NULL, NULL, 0);
-       child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
-       ts = traffic_selector_create_dynamic(0, 0, 65535);
-       child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-       ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
-                                                                                        0, "255.255.255.255", 65535);
-       child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
-       peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-
-       /* get us an IKE_SA */
-       ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
-                                                                                                               peer_cfg);
-       if (!ike_sa)
-       {
-               peer_cfg->destroy(peer_cfg);
-               send_status(this, VPN_ERROR_CONNECTION_FAILED);
-               return JOB_REQUEUE_NONE;
-       }
-
-       if (!ike_sa->get_peer_cfg(ike_sa))
-       {
-               ike_sa->set_peer_cfg(ike_sa, peer_cfg);
-       }
-       peer_cfg->destroy(peer_cfg);
-
-       /* store the IKE_SA so we can track its progress */
-       this->ike_sa = ike_sa;
-
-       /* confirm that we received the request */
-       send_status(this, i);
-
-       /* get an additional reference because initiate consumes one */
-       child_cfg->get_ref(child_cfg);
-       if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
-       {
-               DBG1(DBG_CFG, "failed to initiate tunnel");
-               charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-                                                                                                       ike_sa);
-               send_status(this, VPN_ERROR_CONNECTION_FAILED);
-               return JOB_REQUEUE_NONE;
-       }
-       charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-       return JOB_REQUEUE_NONE;
-}
-
-METHOD(android_service_t, destroy, void,
-          private_android_service_t *this)
-{
-       charon->bus->remove_listener(charon->bus, &this->public.listener);
-       close(this->control);
-       free(this);
-}
-
-/**
- * See header
- */
-android_service_t *android_service_create(android_creds_t *creds)
-{
-       private_android_service_t *this;
-
-       INIT(this,
-               .public = {
-                       .listener = {
-                               .ike_updown = _ike_updown,
-                               .child_state_change = _child_state_change,
-                               .child_updown = _child_updown,
-                               .ike_rekey = _ike_rekey,
-                       },
-                       .destroy = _destroy,
-               },
-               .creds = creds,
-       );
-
-       this->control = android_get_control_socket("charon");
-       if (this->control == -1)
-       {
-               DBG1(DBG_CFG, "failed to get Android control socket");
-               free(this);
-               return NULL;
-       }
-
-       if (listen(this->control, 1) < 0)
-       {
-               DBG1(DBG_CFG, "failed to listen on Android control socket: %s",
-                        strerror(errno));
-               close(this->control);
-               free(this);
-               return NULL;
-       }
-
-       charon->bus->add_listener(charon->bus, &this->public.listener);
-       lib->processor->queue_job(lib->processor,
-               (job_t*)callback_job_create((callback_job_cb_t)initiate, this,
-                                                                       NULL, NULL));
-
-       return &this->public;
-}
-
diff --git a/src/libcharon/plugins/android/android_service.h b/src/libcharon/plugins/android/android_service.h
deleted file mode 100644 (file)
index d096d6c..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup android_service android_service
- * @{ @ingroup android
- */
-
-#ifndef ANDROID_SERVICE_H_
-#define ANDROID_SERVICE_H_
-
-typedef struct android_service_t android_service_t;
-
-#include <bus/listeners/listener.h>
-
-#include "android_creds.h"
-
-/**
- * Service that interacts with the Android Settings frontend.
- */
-struct android_service_t {
-
-       /**
-        * Implements listener_t.
-        */
-       listener_t listener;
-
-       /**
-        * Destroy a android_service_t.
-        */
-       void (*destroy)(android_service_t *this);
-
-};
-
-/**
- * Create an Android service instance.
- *
- * @param creds                Android credentials
- */
-android_service_t *android_service_create(android_creds_t *creds);
-
-#endif /** ANDROID_SERVICE_H_ @}*/
diff --git a/src/libcharon/plugins/android_dns/Makefile.am b/src/libcharon/plugins/android_dns/Makefile.am
new file mode 100644 (file)
index 0000000..0d25f11
--- /dev/null
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+       -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-android-dns.la
+else
+plugin_LTLIBRARIES = libstrongswan-android-dns.la
+endif
+
+libstrongswan_android_dns_la_SOURCES = \
+       android_dns_plugin.c android_dns_plugin.h \
+       android_dns_handler.c android_dns_handler.h
+
+libstrongswan_android_dns_la_LDFLAGS = -module -avoid-version
+libstrongswan_android_dns_la_LIBADD  = -lcutils
\ No newline at end of file
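Review bot: The new Makefile.am ends without a trailing newline (the `\ No newline at end of file` marker after the `LIBADD` line), which differs from the other automake fragments in the tree and tends to produce spurious one-line diffs on the next edit; terminate `libstrongswan_android_dns_la_LIBADD  = -lcutils` with a newline. Separately, `-lcutils` is Android's libcutils and is not available on ordinary hosts, so this plugin must only be enabled by the Android build; that gating is presumably handled in configure.in / Android.mk elsewhere in this merge, but it is not visible in this hunk, so it is worth confirming that `--enable-android-dns` (or whatever the option is named) stays off by default.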
diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
new file mode 100644 (file)
index 0000000..5268103
--- /dev/null
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) 2010-2013 Tobias Brunner
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "android_dns_handler.h"
+
+#include <networking/host.h>
+#include <collections/linked_list.h>
+
+#include <cutils/properties.h>
+
+typedef struct private_android_dns_handler_t private_android_dns_handler_t;
+
+/**
+ * Private data of an android_dns_handler_t object.
+ */
+struct private_android_dns_handler_t {
+
+       /**
+        * Public interface
+        */
+       android_dns_handler_t public;
+
+       /**
+        * List of registered DNS servers
+        */
+       linked_list_t *dns;
+};
+
+/**
+ * Prefix to be used when installing DNS servers
+ */
+#define DNS_PREFIX_DEFAULT  "net"
+
+/**
+ * Struct to store a pair of old and installed DNS servers
+ */
+typedef struct {
+       /** installed dns server */
+       host_t *dns;
+       /** old dns server */
+       host_t *old;
+} dns_pair_t;
+
+/**
+ * Destroy a pair of old and installed DNS servers
+ */
+static void destroy_dns_pair(dns_pair_t *this)
+{
+       DESTROY_IF(this->dns);
+       DESTROY_IF(this->old);
+       free(this);
+}
+
+/**
+ * Filter pairs of DNS servers
+ */
+static bool filter_dns_pair(void *data, dns_pair_t **in, host_t **out)
+{
+       *out = (*in)->dns;
+       return TRUE;
+}
+
+/**
+ * Read DNS server property with a given index
+ */
+static host_t *get_dns_server(private_android_dns_handler_t *this, int index)
+{
+       host_t *dns = NULL;
+       char key[10], value[PROPERTY_VALUE_MAX],
+                *prefix = DNS_PREFIX_DEFAULT;
+
+       if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
+       {
+               return NULL;
+       }
+
+       if (property_get(key, value, NULL) > 0)
+       {
+               dns = host_create_from_string(value, 0);
+       }
+       return dns;
+}
+
+/**
+ * Set DNS server property with a given index
+ */
+static bool set_dns_server(private_android_dns_handler_t *this, int index,
+                                                  host_t *dns)
+{
+       char key[10], value[PROPERTY_VALUE_MAX],
+                *prefix = DNS_PREFIX_DEFAULT;
+
+       if (snprintf(key, sizeof(key), "%s.dns%d", prefix, index) >= sizeof(key))
+       {
+               return FALSE;
+       }
+
+       if (dns)
+       {
+               if (snprintf(value, sizeof(value), "%H", dns) >= sizeof(value))
+               {
+                       return FALSE;
+               }
+       }
+       else
+       {
+               value[0] = '\0';
+       }
+
+       if (property_set(key, value) != 0)
+       {
+               return FALSE;
+       }
+       return TRUE;
+}
+
+METHOD(attribute_handler_t, handle, bool,
+       private_android_dns_handler_t *this, identification_t *id,
+       configuration_attribute_type_t type, chunk_t data)
+{
+       switch (type)
+       {
+               case INTERNAL_IP4_DNS:
+               {
+                       host_t *dns;
+                       dns_pair_t *pair;
+                       int index;
+
+                       dns = host_create_from_chunk(AF_INET, data, 0);
+                       if (dns)
+                       {
+                               pair = malloc_thing(dns_pair_t);
+                               pair->dns = dns;
+                               index = this->dns->get_count(this->dns) + 1;
+                               pair->old = get_dns_server(this, index);
+                               set_dns_server(this, index, dns);
+                               this->dns->insert_last(this->dns, pair);
+                               return TRUE;
+                       }
+                       return FALSE;
+               }
+               default:
+                       return FALSE;
+       }
+}
+
+METHOD(attribute_handler_t, release, void,
+       private_android_dns_handler_t *this, identification_t *server,
+       configuration_attribute_type_t type, chunk_t data)
+{
+       if (type == INTERNAL_IP4_DNS)
+       {
+               enumerator_t *enumerator;
+               dns_pair_t *pair;
+               int index;
+
+               enumerator = this->dns->create_enumerator(this->dns);
+               for (index = 1; enumerator->enumerate(enumerator, &pair); index++)
+               {
+                       if (chunk_equals(pair->dns->get_address(pair->dns), data))
+                       {
+                               this->dns->remove_at(this->dns, enumerator);
+                               set_dns_server(this, index, pair->old);
+                               destroy_dns_pair(pair);
+                       }
+               }
+               enumerator->destroy(enumerator);
+       }
+}
+
+METHOD(enumerator_t, enumerate_dns, bool,
+       enumerator_t *this, configuration_attribute_type_t *type, chunk_t *data)
+{
+       *type = INTERNAL_IP4_DNS;
+       *data = chunk_empty;
+       /* stop enumeration */
+       this->enumerate = (void*)return_false;
+       return TRUE;
+}
+
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
+       private_android_dns_handler_t *this, identification_t *id,
+       linked_list_t *vips)
+{
+       enumerator_t *enumerator;
+
+       INIT(enumerator,
+               .enumerate = (void*)_enumerate_dns,
+               .destroy = (void*)free,
+       );
+       return enumerator;
+}
+
+METHOD(android_dns_handler_t, destroy, void,
+       private_android_dns_handler_t *this)
+{
+       this->dns->destroy_function(this->dns, (void*)destroy_dns_pair);
+       free(this);
+}
+
+/**
+ * See header
+ */
+android_dns_handler_t *android_dns_handler_create()
+{
+       private_android_dns_handler_t *this;
+
+       INIT(this,
+               .public = {
+                       .handler = {
+                               .handle = _handle,
+                               .release = _release,
+                               .create_attribute_enumerator = _create_attribute_enumerator,
+                       },
+                       .destroy = _destroy,
+               },
+               .dns = linked_list_create(),
+       );
+
+       return &this->public;
+}
+
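Review bot: The property index of an installed pair is only implicit in its list position, so `release` can restore the wrong `net.dnsN` property once an earlier pair has been removed: `handle` installs at `index = this->dns->get_count(this->dns) + 1;`, but `release` recomputes the index from the enumeration counter, which shifts left after any `remove_at`. Store the installed index in the pair (`int index;` in `dns_pair_t`, `pair->index = index;` in `handle`) and restore with `set_dns_server(this, pair->index, pair->old);`. The return value of `set_dns_server(this, index, dns);` at the install site is also ignored, so a failed `property_set` still leaves the pair recorded and reports the attribute as handled; at least log the failure, or destroy the pair and return FALSE. Both functions lie entirely within this hunk.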
diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.h b/src/libcharon/plugins/android_dns/android_dns_handler.h
new file mode 100644 (file)
index 0000000..d7b089d
--- /dev/null
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2010-2011 Tobias Brunner
+ * Copyright (C) 2010 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_dns_handler android_dns_handler
+ * @{ @ingroup android_dns
+ */
+
+#ifndef ANDROID_DNS_HANDLER_H_
+#define ANDROID_DNS_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct android_dns_handler_t android_dns_handler_t;
+
+/**
+ * Android specific DNS attribute handler.
+ */
+struct android_dns_handler_t {
+
+       /**
+        * Implements attribute_handler_t.
+        */
+       attribute_handler_t handler;
+
+       /**
+        * Destroy a android_dns_handler_t.
+        */
+       void (*destroy)(android_dns_handler_t *this);
+};
+
+/**
+ * Create an android_dns_handler_t instance.
+ */
+android_dns_handler_t *android_dns_handler_create();
+
+#endif /** ANDROID_DNS_HANDLER_H_ @}*/
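Review bot: `android_dns_handler_t *android_dns_handler_create();` declares a function with an unspecified parameter list rather than a prototype; write `android_dns_handler_t *android_dns_handler_create(void);` here and in the definition in android_dns_handler.c, and likewise for `android_dns_plugin_create()` in android_dns_plugin.c. The doc comment above it also lacks a return description; add `@return handler instance, release with destroy()` to match the other headers in this plugin.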
diff --git a/src/libcharon/plugins/android_dns/android_dns_plugin.c b/src/libcharon/plugins/android_dns/android_dns_plugin.c
new file mode 100644 (file)
index 0000000..4e2b5f5
--- /dev/null
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2010-2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "android_dns_plugin.h"
+#include "android_dns_handler.h"
+
+#include <hydra.h>
+#include <daemon.h>
+
+typedef struct private_android_dns_plugin_t private_android_dns_plugin_t;
+
+/**
+ * Private data of an android_dns_plugin_t object.
+ */
+struct private_android_dns_plugin_t {
+
+       /**
+        * Public interface
+        */
+       android_dns_plugin_t public;
+
+       /**
+        * Android specific DNS handler
+        */
+       android_dns_handler_t *handler;
+};
+
+METHOD(plugin_t, get_name, char*,
+       private_android_dns_plugin_t *this)
+{
+       return "android-dns";
+}
+
+METHOD(plugin_t, destroy, void,
+       private_android_dns_plugin_t *this)
+{
+       hydra->attributes->remove_handler(hydra->attributes,
+                                                                         &this->handler->handler);
+       this->handler->destroy(this->handler);
+       free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *android_dns_plugin_create()
+{
+       private_android_dns_plugin_t *this;
+
+       INIT(this,
+               .public = {
+                       .plugin = {
+                               .get_name = _get_name,
+                               .reload = (void*)return_false,
+                               .destroy = _destroy,
+                       },
+               },
+               .handler = android_dns_handler_create(),
+       );
+
+       hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+
+       return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/android_dns/android_dns_plugin.h b/src/libcharon/plugins/android_dns/android_dns_plugin.h
new file mode 100644 (file)
index 0000000..e9e57dc
--- /dev/null
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup android_dns android_dns
+ * @ingroup cplugins
+ *
+ * @defgroup android_dns_plugin android_dns_plugin
+ * @{ @ingroup android_dns
+ */
+
+#ifndef ANDROID_DNS_PLUGIN_H_
+#define ANDROID_DNS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct android_dns_plugin_t android_dns_plugin_t;
+
+/**
+ * Plugin providing an Android-specific handler for DNS servers.
+ */
+struct android_dns_plugin_t {
+
+       /**
+        * Implements plugin interface.
+        */
+       plugin_t plugin;
+};
+
+#endif /** ANDROID_DNS_PLUGIN_H_ @}*/
index ffa1bae..7363ade 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -21,6 +21,8 @@
 #include <utils/debug.h>
 #include <daemon.h>
 
+#include <tncifimv.h>
+
 /**
  * Maximum size of an EAP-TNC message
  */
@@ -44,15 +46,50 @@ struct private_eap_tnc_t {
        eap_tnc_t public;
 
        /**
+        * Outer EAP authentication type
+        */
+       eap_type_t auth_type;
+
+       /**
         * TLS stack, wrapped by EAP helper
         */
        tls_eap_t *tls_eap;
+
+       /**
+        * TNCCS instance running over EAP-TNC
+        */
+       tnccs_t *tnccs;
+
 };
 
 METHOD(eap_method_t, initiate, status_t,
        private_eap_tnc_t *this, eap_payload_t **out)
 {
        chunk_t data;
+       u_int32_t auth_type;
+
+       /* Determine TNC Client Authentication Type */
+       switch (this->auth_type)
+       {
+               case EAP_TLS:
+               case EAP_TTLS:
+               case EAP_PEAP:
+                       auth_type = TNC_AUTH_CERT;
+                       break;
+               case EAP_MD5:
+               case EAP_MSCHAPV2:
+               case EAP_GTC:
+               case EAP_OTP:
+                       auth_type = TNC_AUTH_PASSWORD;
+                       break;
+               case EAP_SIM:
+               case EAP_AKA:
+                       auth_type = TNC_AUTH_SIM;
+                       break;
+               default:
+                       auth_type = TNC_AUTH_UNKNOWN;
+       }
+       this->tnccs->set_auth_type(this->tnccs, auth_type);
 
        if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
        {
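Review bot: The `default:` branch of the new switch silently maps an unset `this->auth_type` to TNC_AUTH_UNKNOWN, which presumably is the intended result when EAP-TNC runs directly as the outer method and no caller invokes `set_auth_type`; if so, a comment on that branch such as `/* no outer method set an auth type, e.g. EAP-TNC used directly */` would make the intent explicit, otherwise the unknown type should be logged. `initiate` continues past the end of this hunk.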
@@ -122,6 +159,18 @@ METHOD(eap_method_t, destroy, void,
        free(this);
 }
 
+METHOD(eap_inner_method_t, get_auth_type, eap_type_t,
+       private_eap_tnc_t *this)
+{
+       return this->auth_type;
+}
+
+METHOD(eap_inner_method_t, set_auth_type, void,
+       private_eap_tnc_t *this, eap_type_t type)
+{
+       this->auth_type = type;
+}
+
 /**
  * Generic private constructor
  */
@@ -132,19 +181,22 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
        int max_msg_count;
        char* protocol;
        tnccs_type_t type;
-       tnccs_t *tnccs;
 
        INIT(this,
                .public = {
-                       .eap_method = {
-                               .initiate = _initiate,
-                               .process = _process,
-                               .get_type = _get_type,
-                               .is_mutual = _is_mutual,
-                               .get_msk = _get_msk,
-                               .get_identifier = _get_identifier,
-                               .set_identifier = _set_identifier,
-                               .destroy = _destroy,
+                       .eap_inner_method = {
+                               .eap_method = {
+                                       .initiate = _initiate,
+                                       .process = _process,
+                                       .get_type = _get_type,
+                                       .is_mutual = _is_mutual,
+                                       .get_msk = _get_msk,
+                                       .get_identifier = _get_identifier,
+                                       .set_identifier = _set_identifier,
+                                       .destroy = _destroy,
+                               },
+                               .get_auth_type = _get_auth_type,
+                               .set_auth_type = _set_auth_type,
                        },
                },
        );
@@ -172,10 +224,11 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
                free(this);
                return NULL;
        }
-       tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server);
-       this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs,
-                                                                                        EAP_TNC_MAX_MESSAGE_LEN,
-                                                                                        max_msg_count, FALSE);
+       this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
+                                                                                         server, peer, TNC_IFT_EAP_1_1);
+       this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
+                                                                  EAP_TNC_MAX_MESSAGE_LEN,
+                                                                  max_msg_count, FALSE);
        if (!this->tls_eap)
        {
                free(this);
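Review bot: The instance returned by `tnc->tnccs->create_instance(...)` is dereferenced on the next line via `&this->tnccs->tls` without a NULL check, and when `tls_eap_create` fails the branch at the end of the hunk frees `this` but not the TNCCS instance just created, which then leaks unless `tls_eap_create` destroys its tls argument on failure. The old code leaked the local `tnccs` the same way, but now that it is a member the failure path can destroy it, presumably via `this->tnccs->tls.destroy(&this->tnccs->tls);` (confirm against the tnccs_t API), and a NULL guard belongs before the `tls_eap_create` call if `create_instance` can fail. `eap_tnc_create` starts and ends outside this hunk.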
index 09abe60..8c881f6 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_tnc_t eap_tnc_t;
 
-#include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-TNC.
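Review bot: The struct description right below the changed include, `* Implementation of the eap_method_t interface using EAP-TNC.`, is now stale since the struct exposes `eap_inner_method_t` (next hunk). Change it to `* Implementation of the eap_inner_method_t interface using EAP-TNC.` so the header agrees with its own field comment.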
@@ -31,9 +31,9 @@ typedef struct eap_tnc_t eap_tnc_t;
 struct eap_tnc_t {
 
        /**
-        * Implemented eap_method_t interface.
+        * Implemented eap_inner_method_t interface.
         */
-       eap_method_t eap_method;
+       eap_inner_method_t eap_inner_method;
 };
 
 /**
index 464de17..eef8d66 100644 (file)
@@ -20,6 +20,7 @@
 #include <daemon.h>
 
 #include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
 
 typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
 
@@ -108,8 +109,11 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
 /**
  * If configured, start EAP-TNC protocol
  */
-static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
+static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
+                                                                eap_type_t auth_type)
 {
+       eap_inner_method_t *inner_method;
+
        if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
                                                "%s.plugins.eap-ttls.phase2_tnc", FALSE, charon->name))
        {
@@ -121,6 +125,9 @@ static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
                        DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
                        return FAILED;
                }
+               inner_method = (eap_inner_method_t *)this->method;
+               inner_method->set_auth_type(inner_method, auth_type);
+
                this->start_phase2_tnc = FALSE;
                if (this->method->initiate(this->method, &this->out) == NEED_MORE)
                {
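Review bot: `inner_method = (eap_inner_method_t *)this->method;` is an unchecked downcast that assumes the method loaded for EAP_TNC embeds `eap_method_t` as the first member of an `eap_inner_method_t`; that appears to hold for the eap_tnc plugin in this commit, but nothing at the call site enforces it. A comment such as `/* EAP-TNC implements eap_inner_method_t; eap_method is its first member */` would document the assumption for the next maintainer. `start_phase2_tnc` begins outside this hunk.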
@@ -237,7 +244,7 @@ METHOD(tls_application_t, process, status_t,
                if (lib->settings->get_bool(lib->settings,
                                "%s.plugins.eap-ttls.request_peer_auth", FALSE, charon->name))
                {
-                       return start_phase2_tnc(this);
+                       return start_phase2_tnc(this, EAP_TLS);
                }
                else
                {
@@ -265,7 +272,7 @@ METHOD(tls_application_t, process, status_t,
                        this->method = NULL;
 
                        /* continue phase2 with EAP-TNC? */
-                       return start_phase2_tnc(this);
+                       return start_phase2_tnc(this, type);
                case NEED_MORE:
                        break;
                case FAILED:
index 130c86e..e6a09a7 100644 (file)
@@ -205,7 +205,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
        /* create config and backend */