Compare commits
13 Commits
5.9.3dr4
...
laforge/sw
Author | SHA1 | Date |
---|---|---|
Domonkos P. Tomcsanyi | cea991aea8 | |
Tomcsányi, Domonkos | 0ed91dc681 | |
Tomcsányi, Domonkos | 65f576bd9c | |
Tomcsányi, Domonkos | 18b4a240dd | |
Tomcsányi, Domonkos | f68dcde6c5 | |
Andreas Steffen | 4817d5ed0d | |
Andreas Steffen | a09a905e1d | |
Tobias Brunner | 2cd5314de7 | |
Tobias Brunner | 06e11b481b | |
Tobias Brunner | f6aafb3005 | |
Andreas Steffen | 30fab57124 | |
Tobias Brunner | 19611b1d28 | |
Andreas Steffen | 4baca5ca80 |
2
NEWS
2
NEWS
|
@ -2743,7 +2743,7 @@ strongswan-4.1.5
|
|||
strongswan-4.1.4
|
||||
----------------
|
||||
|
||||
- The pluto IKEv1 daemon now exhibits the same behaviour as its
|
||||
- The pluto IKEv1 daemon now exhibits the same behavior as its
|
||||
IKEv2 companion charon by inserting an explicit route via the
|
||||
_updown script only if a sourceip exists. This is admissible
|
||||
since routing through the IPsec tunnel is handled automatically
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# strongSwan Configuration #
|
||||
## Patched version, containing patch to disable parsing of AUTH payload in IKEv2 Phase2, because we only want EAP-AKA ##
|
||||
|
||||
## Overview ##
|
||||
|
||||
|
|
16
configure.ac
16
configure.ac
|
@ -3,6 +3,8 @@
|
|||
# Copyright (C) 2006-2019 Andreas Steffen
|
||||
# Copyright (C) 2006-2014 Martin Willi
|
||||
# HSR Hochschule fuer Technik Rapperswil
|
||||
# Copyright (C) 2017 Domonkos P. Tomcsanyi
|
||||
# umlaut Communications Gmbh.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by the
|
||||
|
@ -19,7 +21,7 @@
|
|||
# initialize & set some vars
|
||||
# ============================
|
||||
|
||||
AC_INIT([strongSwan],[5.9.3dr4])
|
||||
AC_INIT([strongSwan],[5.9.3])
|
||||
AM_INIT_AUTOMAKE(m4_esyscmd([
|
||||
echo tar-ustar
|
||||
echo subdir-objects
|
||||
|
@ -199,7 +201,8 @@ ARG_ENABL_SET([eap-sim-pcsc], [enable EAP-SIM backend based on a smartcard rea
|
|||
ARG_ENABL_SET([eap-aka], [enable EAP AKA authentication module.])
|
||||
ARG_ENABL_SET([eap-aka-3gpp], [enable EAP AKA backend implementing 3GPP MILENAGE algorithms in software.])
|
||||
ARG_ENABL_SET([eap-aka-3gpp2], [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
|
||||
ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
|
||||
ARG_ENABL_SET([eap-simaka-pcsc], [enable EAP-SIM/AKA backend based on a smartcard reader. Requires libpcsclite.])
|
||||
ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
|
||||
ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
|
||||
ARG_ENABL_SET([eap-simaka-reauth], [enable EAP-SIM/AKA reauthentication data storage plugin.])
|
||||
ARG_ENABL_SET([eap-identity], [enable EAP module providing EAP-Identity helper.])
|
||||
|
@ -1203,6 +1206,12 @@ if test x$eap_sim_pcsc = xtrue; then
|
|||
AC_SUBST(pcsclite_LIBS)
|
||||
fi
|
||||
|
||||
if test x$eap_simaka_pcsc = xtrue; then
|
||||
PKG_CHECK_MODULES(pcsclite, [libpcsclite])
|
||||
AC_SUBST(pcsclite_CFLAGS)
|
||||
AC_SUBST(pcsclite_LIBS)
|
||||
fi
|
||||
|
||||
if test x$nm = xtrue; then
|
||||
PKG_CHECK_MODULES(nm, [gthread-2.0 libnm])
|
||||
AC_SUBST(nm_CFLAGS)
|
||||
|
@ -1533,6 +1542,7 @@ ADD_PLUGIN([eap-sim-pcsc], [c charon])
|
|||
ADD_PLUGIN([eap-aka], [c charon])
|
||||
ADD_PLUGIN([eap-aka-3gpp], [c charon])
|
||||
ADD_PLUGIN([eap-aka-3gpp2], [c charon])
|
||||
ADD_PLUGIN([eap-simaka-pcsc], [c charon])
|
||||
ADD_PLUGIN([eap-simaka-sql], [c charon])
|
||||
ADD_PLUGIN([eap-simaka-pseudonym], [c charon])
|
||||
ADD_PLUGIN([eap-simaka-reauth], [c charon])
|
||||
|
@ -1704,6 +1714,7 @@ AM_CONDITIONAL(USE_RADATTR, test x$radattr = xtrue)
|
|||
AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
|
||||
AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
|
||||
AM_CONDITIONAL(USE_EAP_SIM_PCSC, test x$eap_sim_pcsc = xtrue)
|
||||
AM_CONDITIONAL(USE_EAP_SIMAKA_PCSC, test x$eap_simaka_pcsc = xtrue)
|
||||
AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue)
|
||||
AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue)
|
||||
AM_CONDITIONAL(USE_EAP_SIMAKA_REAUTH, test x$eap_simaka_reauth = xtrue)
|
||||
|
@ -1996,6 +2007,7 @@ AC_CONFIG_FILES([
|
|||
src/libcharon/plugins/eap_sim/Makefile
|
||||
src/libcharon/plugins/eap_sim_file/Makefile
|
||||
src/libcharon/plugins/eap_sim_pcsc/Makefile
|
||||
src/libcharon/plugins/eap_simaka_pcsc/Makefile
|
||||
src/libcharon/plugins/eap_simaka_sql/Makefile
|
||||
src/libcharon/plugins/eap_simaka_pseudonym/Makefile
|
||||
src/libcharon/plugins/eap_simaka_reauth/Makefile
|
||||
|
|
|
@ -37,7 +37,7 @@ build_botan()
|
|||
|
||||
build_wolfssl()
|
||||
{
|
||||
WOLFSSL_REV=v4.7.0-stable
|
||||
WOLFSSL_REV=0caf3ba456f1 # v4.7.1r + SHA-3 fix
|
||||
WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
|
||||
|
||||
if test -d "$WOLFSSL_DIR"; then
|
||||
|
@ -46,14 +46,15 @@ build_wolfssl()
|
|||
|
||||
echo "$ build_wolfssl()"
|
||||
|
||||
WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_ECC_BRAINPOOL"
|
||||
WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_AES_ECB \
|
||||
-DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8"
|
||||
WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
|
||||
--disable-crypttests --disable-examples
|
||||
--enable-keygen --enable-rsapss --enable-aesccm
|
||||
--enable-aesctr --enable-des3 --enable-camellia
|
||||
--enable-curve25519 --enable-ed25519
|
||||
--enable-curve448 --enable-ed448
|
||||
--enable-sha3 --enable-shake256 --enable-ecccustcurves"
|
||||
--enable-aesccm --enable-aesctr --enable-camellia
|
||||
--enable-curve25519 --enable-curve448 --enable-des3
|
||||
--enable-ecccustcurves --enable-ed25519 --enable-ed448
|
||||
--enable-keygen --enable-md4 --enable-rsapss --enable-sha3
|
||||
--enable-shake256"
|
||||
|
||||
git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
|
||||
cd $WOLFSSL_DIR &&
|
||||
|
|
|
@ -118,7 +118,7 @@ public class SimpleFetcher
|
|||
/**
|
||||
* Disable the fetcher and abort any future requests.
|
||||
*
|
||||
* The native thread is not cancelable as it is working on an IKE_SA (cancelling the methods of
|
||||
* The native thread is not cancelable as it is working on an IKE_SA (canceling the methods of
|
||||
* HttpURLConnection is not reliably possible anyway), so to abort while fetching we cancel the
|
||||
* Future (causing a return from fetch() immediately) and let the executor thread continue its
|
||||
* thing in the background.
|
||||
|
|
|
@ -46,7 +46,7 @@ echo location of your Java installation.
|
|||
goto fail
|
||||
|
||||
:init
|
||||
@rem Get command-line arguments, handling Windowz variants
|
||||
@rem Get command-line arguments, handling Windows variants
|
||||
|
||||
if not "%OS%" == "Windows_NT" goto win9xME_args
|
||||
if "%@eval[2+2]" == "4" goto 4NT_args
|
||||
|
|
|
@ -64,7 +64,7 @@ typedef struct {
|
|||
} entry_t;
|
||||
|
||||
/**
|
||||
* Clean up an entry, cancelling connection
|
||||
* Clean up an entry, canceling connection
|
||||
*/
|
||||
static void destroy_entry(entry_t *entry)
|
||||
{
|
||||
|
|
|
@ -369,6 +369,13 @@ if MONOLITHIC
|
|||
endif
|
||||
endif
|
||||
|
||||
if USE_EAP_SIMAKA_PCSC
|
||||
SUBDIRS += plugins/eap_simaka_pcsc
|
||||
if MONOLITHIC
|
||||
libcharon_la_LIBADD += plugins/eap_simaka_pcsc/libstrongswan-eap-simaka-pcsc.la
|
||||
endif
|
||||
endif
|
||||
|
||||
if USE_EAP_SIMAKA_REAUTH
|
||||
SUBDIRS += plugins/eap_simaka_reauth
|
||||
if MONOLITHIC
|
||||
|
|
|
@ -66,7 +66,7 @@ METHOD(socket_manager_t, receiver, status_t,
|
|||
this->lock->unlock(this->lock);
|
||||
return NOT_SUPPORTED;
|
||||
}
|
||||
/* receive is blocking and the thread can be cancelled */
|
||||
/* receive is blocking and the thread can be canceled */
|
||||
thread_cleanup_push((thread_cleanup_t)this->lock->unlock, this->lock);
|
||||
status = this->socket->receive(this->socket, packet);
|
||||
thread_cleanup_pop(TRUE);
|
||||
|
|
|
@ -63,8 +63,8 @@ typedef struct eap_aka_3gpp_plugin_t eap_aka_3gpp_plugin_t;
|
|||
* SQN with its own locally stored value. This potentially allows an attacker
|
||||
* to do replay attacks. But since the server has proven his identity via IKE,
|
||||
* such an attack is only possible between server and AAA (if any).
|
||||
* Note that SEQ_CHECK only controls the compile-time default behaviour,
|
||||
* but the run-time behaviour can always be controlled by setting the
|
||||
* Note that SEQ_CHECK only controls the compile-time default behavior,
|
||||
* but the run-time behavior can always be controlled by setting the
|
||||
* charon.plugins.eap-aka-3gpp.seq_check config variable.
|
||||
*/
|
||||
struct eap_aka_3gpp_plugin_t {
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
AM_CPPFLAGS = \
|
||||
-I$(top_srcdir)/src/libstrongswan \
|
||||
-I$(top_srcdir)/src/libcharon \
|
||||
-I$(top_srcdir)/src/libsimaka
|
||||
|
||||
AM_CFLAGS = \
|
||||
${pcsclite_CFLAGS} \
|
||||
$(PLUGIN_CFLAGS)
|
||||
|
||||
libstrongswan_eap_simaka_pcsc_la_LIBADD = ${pcsclite_LIBS}
|
||||
|
||||
if MONOLITHIC
|
||||
noinst_LTLIBRARIES = libstrongswan-eap-simaka-pcsc.la
|
||||
else
|
||||
plugin_LTLIBRARIES = libstrongswan-eap-simaka-pcsc.la
|
||||
libstrongswan_eap_simaka_pcsc_la_LIBADD += $(top_builddir)/src/libsimaka/libsimaka.la
|
||||
endif
|
||||
|
||||
libstrongswan_eap_simaka_pcsc_la_SOURCES = \
|
||||
eap_simaka_pcsc_plugin.h eap_simaka_pcsc_plugin.c \
|
||||
eap_simaka_pcsc_card.h eap_simaka_pcsc_card.c
|
||||
|
||||
libstrongswan_eap_simaka_pcsc_la_LDFLAGS = -module -avoid-version
|
|
@ -0,0 +1,828 @@
|
|||
/*
|
||||
* Copyright (C) 2017 Domonkos P. Tomcsanyi
|
||||
* umlaut Communications Gmbh.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#define _GNU_SOURCE
|
||||
#include "eap_simaka_pcsc_card.h"
|
||||
#include <PCSC/wintypes.h>
|
||||
#include <PCSC/winscard.h>
|
||||
#include <daemon.h>
|
||||
#include <string.h>
|
||||
|
||||
typedef struct private_eap_simaka_pcsc_card_t private_eap_simaka_pcsc_card_t;
|
||||
|
||||
/**
|
||||
* Private data of an eap_simaka_pcsc_card_t object.
|
||||
*/
|
||||
struct private_eap_simaka_pcsc_card_t {
|
||||
|
||||
/**
|
||||
* Public eap_simaka_pcsc_card_t interface.
|
||||
*/
|
||||
eap_simaka_pcsc_card_t public;
|
||||
};
|
||||
|
||||
/**
|
||||
* Maximum length for an IMSI.
|
||||
*/
|
||||
#define SIM_IMSI_MAX_LEN 15
|
||||
|
||||
/**
|
||||
* Length of the status at the end of response APDUs.
|
||||
*/
|
||||
#define APDU_STATUS_LEN 2
|
||||
|
||||
/**
|
||||
* First byte of status word indicating success.
|
||||
*/
|
||||
#define APDU_SW1_SUCCESS 0x90
|
||||
|
||||
/**
|
||||
* First byte of status word indicating there is response data to be read.
|
||||
*/
|
||||
#define APDU_SW1_RESPONSE_DATA 0x9f
|
||||
|
||||
/*
|
||||
* Communication status
|
||||
*/
|
||||
#define ERROR_NONE 0
|
||||
#define ERROR_SCARD 1
|
||||
#define ERROR_CARD_ERROR 2
|
||||
|
||||
/**
|
||||
* Decode IMSI EF (Elementary File) into an ASCII string
|
||||
*/
|
||||
static bool decode_imsi_ef(unsigned char *input, int input_len, char *output)
|
||||
{
|
||||
/* Only digits 0-9 valid in IMSIs */
|
||||
static const char bcd_num_digits[] = {
|
||||
'0', '1', '2', '3', '4', '5', '6', '7',
|
||||
'8', '9', '\0', '\0', '\0', '\0', '\0', '\0'
|
||||
};
|
||||
int i;
|
||||
|
||||
/* Check length byte matches how many bytes we have, and that input
|
||||
* is correct length for an IMSI */
|
||||
if (input[0] != input_len-1 || input_len < 2 || input_len > 9)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* Check type byte is IMSI (bottom 3 bits == 001) */
|
||||
if ((input[1] & 0x07) != 0x01)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
*output++ = bcd_num_digits[input[1] >> 4];
|
||||
|
||||
for (i = 2; i < input_len; i++)
|
||||
{
|
||||
*output++ = bcd_num_digits[input[i] & 0xf];
|
||||
*output++ = bcd_num_digits[input[i] >> 4];
|
||||
}
|
||||
|
||||
*output++ = '\0';
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(simaka_card_t, get_triplet, bool,
|
||||
private_eap_simaka_pcsc_card_t *this, identification_t *id,
|
||||
char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
|
||||
{
|
||||
status_t found = FALSE;
|
||||
LONG rv;
|
||||
SCARDCONTEXT hContext;
|
||||
DWORD dwReaders;
|
||||
LPSTR mszReaders;
|
||||
char *cur_reader;
|
||||
char full_nai[128];
|
||||
SCARDHANDLE hCard;
|
||||
enum { DISCONNECTED, CONNECTED, TRANSACTION } hCard_status = DISCONNECTED;
|
||||
|
||||
snprintf(full_nai, sizeof(full_nai), "%Y", id);
|
||||
|
||||
DBG2(DBG_IKE, "looking for triplet: %Y rand %b", id, rand, SIM_RAND_LEN);
|
||||
|
||||
rv = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &hContext);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardEstablishContext: %s", pcsc_stringify_error(rv));
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
rv = SCardListReaders(hContext, NULL, NULL, &dwReaders);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv));
|
||||
return FALSE;
|
||||
}
|
||||
mszReaders = malloc(sizeof(char)*dwReaders);
|
||||
|
||||
rv = SCardListReaders(hContext, NULL, mszReaders, &dwReaders);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv));
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* mszReaders is a multi-string of readers, separated by '\0' and
|
||||
* terminated by an additional '\0' */
|
||||
for (cur_reader = mszReaders; *cur_reader != '\0' && found == FALSE;
|
||||
cur_reader += strlen(cur_reader) + 1)
|
||||
{
|
||||
DWORD dwActiveProtocol = -1;
|
||||
const SCARD_IO_REQUEST *pioSendPci;
|
||||
SCARD_IO_REQUEST pioRecvPci;
|
||||
BYTE pbRecvBuffer[64];
|
||||
DWORD dwRecvLength;
|
||||
char imsi[SIM_IMSI_MAX_LEN + 1];
|
||||
|
||||
/* See GSM 11.11 for SIM APDUs */
|
||||
static const BYTE pbSelectMF[] = { 0xa0, 0xa4, 0x00, 0x00, 0x02, 0x3f, 0x00 };
|
||||
static const BYTE pbSelectDFGSM[] = { 0xa0, 0xa4, 0x00, 0x00, 0x02, 0x7f, 0x20 };
|
||||
static const BYTE pbSelectIMSI[] = { 0xa0, 0xa4, 0x00, 0x00, 0x02, 0x6f, 0x07 };
|
||||
static const BYTE pbReadBinary[] = { 0xa0, 0xb0, 0x00, 0x00, 0x09 };
|
||||
BYTE pbRunGSMAlgorithm[5 + SIM_RAND_LEN] = { 0xa0, 0x88, 0x00, 0x00, 0x10 };
|
||||
static const BYTE pbGetResponse[] = { 0xa0, 0xc0, 0x00, 0x00, 0x0c };
|
||||
|
||||
/* If on 2nd or later reader, make sure we end the transaction
|
||||
* and disconnect card in the previous reader */
|
||||
switch (hCard_status)
|
||||
{
|
||||
case TRANSACTION:
|
||||
SCardEndTransaction(hCard, SCARD_LEAVE_CARD);
|
||||
/* FALLTHRU */
|
||||
case CONNECTED:
|
||||
SCardDisconnect(hCard, SCARD_LEAVE_CARD);
|
||||
/* FALLTHRU */
|
||||
case DISCONNECTED:
|
||||
hCard_status = DISCONNECTED;
|
||||
}
|
||||
|
||||
/* Copy RAND into APDU */
|
||||
memcpy(pbRunGSMAlgorithm + 5, rand, SIM_RAND_LEN);
|
||||
|
||||
rv = SCardConnect(hContext, cur_reader, SCARD_SHARE_SHARED,
|
||||
SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &hCard, &dwActiveProtocol);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardConnect: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
hCard_status = CONNECTED;
|
||||
|
||||
switch(dwActiveProtocol)
|
||||
{
|
||||
case SCARD_PROTOCOL_T0:
|
||||
pioSendPci = SCARD_PCI_T0;
|
||||
break;
|
||||
case SCARD_PROTOCOL_T1:
|
||||
pioSendPci = SCARD_PCI_T1;
|
||||
break;
|
||||
default:
|
||||
DBG1(DBG_IKE, "Unknown SCARD_PROTOCOL");
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Start transaction */
|
||||
rv = SCardBeginTransaction(hCard);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardBeginTransaction: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
hCard_status = TRANSACTION;
|
||||
|
||||
/* APDU: Select MF */
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, pbSelectMF, sizeof(pbSelectMF),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
|
||||
{
|
||||
DBG1(DBG_IKE, "Select MF failed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* APDU: Select DF GSM */
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, pbSelectDFGSM, sizeof(pbSelectDFGSM),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
|
||||
{
|
||||
DBG1(DBG_IKE, "Select DF GSM failed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* APDU: Select IMSI */
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, pbSelectIMSI, sizeof(pbSelectIMSI),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
|
||||
{
|
||||
DBG1(DBG_IKE, "Select IMSI failed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* APDU: Read Binary (of IMSI) */
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, pbReadBinary, sizeof(pbReadBinary),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "Select IMSI failed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!decode_imsi_ef(pbRecvBuffer, dwRecvLength-APDU_STATUS_LEN, imsi))
|
||||
{
|
||||
DBG1(DBG_IKE, "Couldn't decode IMSI EF: %b",
|
||||
pbRecvBuffer, (u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* The IMSI could be post/prefixed in the full NAI, so just make sure
|
||||
* it's in there */
|
||||
if (!(strlen(full_nai) && strstr(full_nai, imsi)))
|
||||
{
|
||||
DBG1(DBG_IKE, "Not the SIM we're looking for, IMSI: %s", imsi);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* APDU: Run GSM Algorithm */
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci,
|
||||
pbRunGSMAlgorithm, sizeof(pbRunGSMAlgorithm),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
|
||||
{
|
||||
DBG1(DBG_IKE, "Run GSM Algorithm failed: %b",
|
||||
pbRecvBuffer, (u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* APDU: Get Response (of Run GSM Algorithm) */
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, pbGetResponse, sizeof(pbGetResponse),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
|
||||
if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "Get Response failed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Extract out Kc and SRES from response */
|
||||
if (dwRecvLength == SIM_SRES_LEN + SIM_KC_LEN + APDU_STATUS_LEN)
|
||||
{
|
||||
memcpy(sres, pbRecvBuffer, SIM_SRES_LEN);
|
||||
memcpy(kc, pbRecvBuffer+4, SIM_KC_LEN);
|
||||
/* This will also cause the loop to exit */
|
||||
found = TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_IKE, "Get Response incorrect length: %b",
|
||||
pbRecvBuffer, (u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Transaction will be ended and card disconnected at the
|
||||
* beginning of this loop or after this loop */
|
||||
}
|
||||
|
||||
/* Make sure we end any previous transaction and disconnect card */
|
||||
switch (hCard_status)
|
||||
{
|
||||
case TRANSACTION:
|
||||
SCardEndTransaction(hCard, SCARD_LEAVE_CARD);
|
||||
/* FALLTHRU */
|
||||
case CONNECTED:
|
||||
SCardDisconnect(hCard, SCARD_LEAVE_CARD);
|
||||
/* FALLTHRU */
|
||||
case DISCONNECTED:
|
||||
hCard_status = DISCONNECTED;
|
||||
}
|
||||
|
||||
rv = SCardReleaseContext(hContext);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardReleaseContext: %s", pcsc_stringify_error(rv));
|
||||
}
|
||||
|
||||
free(mszReaders);
|
||||
return found;
|
||||
}
|
||||
|
||||
METHOD(simaka_card_t, get_quintuplet, status_t,
|
||||
private_eap_simaka_pcsc_card_t *this, identification_t *id,
|
||||
char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
|
||||
char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len)
|
||||
{
|
||||
status_t found = SUCCESS;
|
||||
LONG rv;
|
||||
SCARDCONTEXT hContext;
|
||||
DWORD dwReaders;
|
||||
LPSTR mszReaders;
|
||||
char *cur_reader;
|
||||
char full_nai[128];
|
||||
SCARDHANDLE hCard;
|
||||
enum { DISCONNECTED, CONNECTED, TRANSACTION } hCard_status = DISCONNECTED;
|
||||
|
||||
snprintf(full_nai, sizeof(full_nai), "%Y", id);
|
||||
|
||||
DBG2(DBG_IKE, "looking for quintuplet: %Y rand %b", id, rand, SIM_RAND_LEN);
|
||||
|
||||
rv = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &hContext);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardEstablishContext: %s", pcsc_stringify_error(rv));
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
rv = SCardListReaders(hContext, NULL, NULL, &dwReaders);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv));
|
||||
return FALSE;
|
||||
}
|
||||
mszReaders = malloc(sizeof(char)*dwReaders);
|
||||
|
||||
rv = SCardListReaders(hContext, NULL, mszReaders, &dwReaders);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv));
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* mszReaders is a multi-string of readers, separated by '\0' and
|
||||
* terminated by an additional '\0' */
|
||||
for (cur_reader = mszReaders; *cur_reader != '\0' && found == FALSE;
|
||||
cur_reader += strlen(cur_reader) + 1)
|
||||
{
|
||||
DWORD dwActiveProtocol = -1;
|
||||
const SCARD_IO_REQUEST *pioSendPci;
|
||||
SCARD_IO_REQUEST pioRecvPci;
|
||||
BYTE pbRecvBuffer[512];
|
||||
DWORD dwRecvLength;
|
||||
char imsi[SIM_IMSI_MAX_LEN + 1];
|
||||
char aid_pattern[] = {0xA0, 0x00, 0x00, 0x00, 0x87, 0x10, 0x02}; //based on mitshell/card USIM.py:SELECT_ADF_USIM()
|
||||
char *correct_aid = NULL;
|
||||
int resLen = 0;
|
||||
|
||||
/* USIM APDUs */
|
||||
BYTE abSelectEFDIR[] = {0x00, 0xA4, 0x08, 0x04, 0x02, 0x2F, 0x00};
|
||||
// CLA SELECT P1 P2 len
|
||||
// 0x00 0xC0 0x00 0x00 0x00
|
||||
BYTE abGetResponse[] = {0x00, 0xC0, 0x00, 0x00, 0x1C};
|
||||
// CLA SELECT P1 (by fileID) P2(UICC) len DATA (EF_IMSI address)
|
||||
// 0x00 0xA4 0x00 0x04 0x02 0x6F 0x07
|
||||
BYTE abSelectIMSI[] = {0x00, 0xA4, 0x00, 0x04, 0x02, 0x6F, 0x07};
|
||||
BYTE abReadRecord[] = {0x00, 0xB2, 0x01, 0x04, 0x00}; //Le byte (last one) set to 0x00 so complete record is read up to 256 bytes
|
||||
// CLA SELECT P1 (AID) P2(UICC) len DATA (AID)
|
||||
// 0x00 0xA4 0x04 0x04 '0xc', '0xa0', '0x0', '0x0', '0x0', '0x87', '0x10', '0x2', '0xff', '0x49', '0xff', '0x5', '0x89'
|
||||
BYTE abSelectUICC[] = {0x00, 0xA4, 0x04, 0x04};
|
||||
BYTE abReadBinary[] = {0x00, 0xB0, 0x00, 0x00, 0x09};
|
||||
BYTE abAuthenticate[5 + 1 + SIM_RAND_LEN + 1 + SIM_RAND_LEN] = { 0x00, 0x88, 0x00, 0x81, 0x22, 0x10 }; //TOTAL_LEN + LEN(RAND) + RAND + LEN(AUTN) + AUTN
|
||||
int i,j;
|
||||
/* If on 2nd or later reader, make sure we end the transaction
|
||||
* and disconnect card in the previous reader */
|
||||
switch (hCard_status)
|
||||
{
|
||||
case TRANSACTION:
|
||||
SCardEndTransaction(hCard, SCARD_LEAVE_CARD);
|
||||
/* FALLTHRU */
|
||||
case CONNECTED:
|
||||
SCardDisconnect(hCard, SCARD_LEAVE_CARD);
|
||||
/* FALLTHRU */
|
||||
case DISCONNECTED:
|
||||
hCard_status = DISCONNECTED;
|
||||
}
|
||||
|
||||
/* Copy RAND into APDU */
|
||||
memcpy(abAuthenticate + 6, rand, SIM_RAND_LEN);
|
||||
abAuthenticate[6 + SIM_RAND_LEN] = 0x10; //LEN of AUTN
|
||||
memcpy(abAuthenticate + 6 + SIM_RAND_LEN + 1, autn, SIM_RAND_LEN); //Copy AUTN into APDU
|
||||
|
||||
rv = SCardConnect(hContext, cur_reader, SCARD_SHARE_SHARED,
|
||||
SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &hCard, &dwActiveProtocol);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardConnect: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
hCard_status = CONNECTED;
|
||||
|
||||
switch(dwActiveProtocol)
|
||||
{
|
||||
case SCARD_PROTOCOL_T0:
|
||||
pioSendPci = SCARD_PCI_T0;
|
||||
break;
|
||||
case SCARD_PROTOCOL_T1:
|
||||
pioSendPci = SCARD_PCI_T1;
|
||||
break;
|
||||
default:
|
||||
DBG1(DBG_IKE, "Unknown SCARD_PROTOCOL");
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Start transaction */
|
||||
rv = SCardBeginTransaction(hCard);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardBeginTransaction: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
hCard_status = TRANSACTION;
|
||||
|
||||
/* APDU: Select EFDIR */
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, abSelectEFDIR, sizeof(abSelectEFDIR),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
|
||||
|
||||
if (pbRecvBuffer[0] == 0x61 && dwRecvLength < 3)
|
||||
{ // Response bytes available, GET RESPONSE needs to be run
|
||||
abGetResponse[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, abGetResponse, sizeof(abGetResponse),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
|
||||
}
|
||||
else if ((pbRecvBuffer[0] == 0x6C && dwRecvLength < 3) || (pbRecvBuffer[0] == 0x67 && dwRecvLength < 3)) //WRONG length used, correcting it
|
||||
{
|
||||
abSelectEFDIR[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, abSelectEFDIR, sizeof(abSelectEFDIR),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
}
|
||||
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
/*
|
||||
if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
|
||||
{
|
||||
DBG1(DBG_IKE, "Select EFDIR failed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}*/
|
||||
|
||||
for(j=0; j<5; j++) //Fingers crossed there is no SIM card with more than 5 applications in its EF_DIR
|
||||
{
|
||||
/* APDU: Read Record */
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
abReadRecord[2] = j;
|
||||
rv = SCardTransmit(hCard, pioSendPci, abReadRecord, sizeof(abReadRecord),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
/*
|
||||
if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
|
||||
{
|
||||
DBG1(DBG_IKE, "Read Record failed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
*/
|
||||
DBG1(DBG_IKE, "READ RECORD #%d: %b", j, pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
if ((pbRecvBuffer[0] == 0x6C && dwRecvLength < 3) || (pbRecvBuffer[0] == 0x67 && dwRecvLength < 3)) //WRONG length used, correcting it
|
||||
{
|
||||
abReadRecord[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, abReadRecord, sizeof(abReadRecord),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
}
|
||||
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
|
||||
if ((pbRecvBuffer[0]== 0x61) && (pbRecvBuffer[2] == 0x4F) && dwRecvLength > 6)
|
||||
{
|
||||
correct_aid = memmem(pbRecvBuffer, dwRecvLength, aid_pattern, sizeof(aid_pattern));
|
||||
DBG1(DBG_IKE, "Detecting AIDs...");
|
||||
if(correct_aid)
|
||||
break;
|
||||
} else {
|
||||
DBG1(DBG_IKE, "Failed to get AID, will not be able to proceed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
if(!correct_aid)
|
||||
{
|
||||
DBG1(DBG_IKE, "NOT finding USIM AID (see ETSI TS 101 220 Annex E) pattern, will not be able to proceed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
|
||||
} else {
|
||||
unsigned char aid[pbRecvBuffer[3]]; //the transaction buffer contains the right AID with its length
|
||||
for(i=0; i < sizeof(aid); i++) {
|
||||
aid[i] = (*correct_aid);
|
||||
correct_aid++;
|
||||
}
|
||||
unsigned char final_apdu[sizeof(aid)+4];
|
||||
for (i=0; i < sizeof(abSelectUICC); i++) {
|
||||
final_apdu[i] = abSelectUICC[i];
|
||||
}
|
||||
final_apdu[sizeof(abSelectUICC)] = sizeof(aid); //len byte
|
||||
for (i=0; i < sizeof(aid); i++) { //adding AID to the APDU
|
||||
final_apdu[i+5] = aid[i];
|
||||
}
|
||||
DBG1(DBG_IKE, "Got AID: %b", aid,
|
||||
sizeof(aid));
|
||||
|
||||
DBG1(DBG_IKE, "Selecting UICC...");
|
||||
/* APDU: Select UICC */
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
DBG1(DBG_IKE, "Sending APDU: %b", final_apdu,
|
||||
(u_int)pbRecvBuffer[3]+5);
|
||||
|
||||
rv = SCardTransmit(hCard, pioSendPci, final_apdu, pbRecvBuffer[3]+5,
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
if (pbRecvBuffer[0] == 0x61 && dwRecvLength < 3)
|
||||
{ // Response bytes available, GET RESPONSE needs to be run
|
||||
abGetResponse[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, abGetResponse, sizeof(abGetResponse),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
}
|
||||
}
|
||||
|
||||
/* if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
|
||||
{
|
||||
DBG1(DBG_IKE, "Select UICC failed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
*/
|
||||
|
||||
|
||||
DBG1(DBG_IKE, "Selecting IMSI...");
|
||||
/* APDU: Select IMSI */
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, abSelectIMSI, sizeof(abSelectIMSI),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
if (pbRecvBuffer[0] == 0x61 && dwRecvLength < 3)
|
||||
{ // Response bytes available, GET RESPONSE needs to be run
|
||||
abGetResponse[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, abGetResponse, sizeof(abGetResponse),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
}
|
||||
/*
|
||||
if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
|
||||
{
|
||||
DBG1(DBG_IKE, "Select IMSI failed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
*/
|
||||
/* APDU: Read Binary (of IMSI) */
|
||||
DBG1(DBG_IKE, "Reading binary of IMSI...");
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, abReadBinary, sizeof(abReadBinary),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
DBG1(DBG_IKE, "Response: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
|
||||
if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "Read binary of IMSI failed: %b", pbRecvBuffer,
|
||||
(u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!decode_imsi_ef(pbRecvBuffer, dwRecvLength-APDU_STATUS_LEN, imsi))
|
||||
{
|
||||
DBG1(DBG_IKE, "Couldn't decode IMSI EF: %b",
|
||||
pbRecvBuffer, (u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
DBG1(DBG_IKE, "Got IMSI: %s", imsi);
|
||||
/* The IMSI could be post/prefixed in the full NAI, so just make sure
|
||||
* it's in there */
|
||||
if (!(strlen(full_nai) && strstr(full_nai, imsi)))
|
||||
{
|
||||
DBG1(DBG_IKE, "Not the SIM we're looking for, IMSI: %s", imsi);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* APDU: Authenticate */
|
||||
DBG1(DBG_IKE, "Running AUTHENTICATE...");
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci,
|
||||
abAuthenticate, sizeof(abAuthenticate),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
|
||||
continue;
|
||||
}
|
||||
|
||||
if (pbRecvBuffer[0] == 0x61 && dwRecvLength < 3)
|
||||
{ // Response bytes available, GET RESPONSE needs to be run
|
||||
abGetResponse[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
|
||||
dwRecvLength = sizeof(pbRecvBuffer);
|
||||
rv = SCardTransmit(hCard, pioSendPci, abGetResponse, sizeof(abGetResponse),
|
||||
&pioRecvPci, pbRecvBuffer, &dwRecvLength);
|
||||
|
||||
}
|
||||
|
||||
DBG1(DBG_IKE, "Response: %b",
|
||||
pbRecvBuffer, (u_int)dwRecvLength);
|
||||
|
||||
/* if (dwRecvLength < APDU_STATUS_LEN ||
|
||||
pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
|
||||
{
|
||||
DBG1(DBG_IKE, "Authenticate failed: %b",
|
||||
pbRecvBuffer, (u_int)dwRecvLength);
|
||||
continue;
|
||||
}
|
||||
*/
|
||||
/* Parsing data from the response into RES, CK, IK */
|
||||
if(pbRecvBuffer[0] == 0xDB)
|
||||
{
|
||||
DBG1(DBG_IKE, "Successful 3G authentication");
|
||||
if(pbRecvBuffer[1] == 0x08 || pbRecvBuffer[1] == 0x04) //RES
|
||||
{
|
||||
resLen = pbRecvBuffer[1];
|
||||
for(i=0; i< pbRecvBuffer[1]; i++)
|
||||
{
|
||||
res[i] = pbRecvBuffer[i+2];
|
||||
}
|
||||
(*res_len) = resLen;
|
||||
} else {
|
||||
DBG1(DBG_IKE, "RES not 8 or 4 byte long, can't copy it.\n");
|
||||
continue;
|
||||
}
|
||||
if(pbRecvBuffer[resLen+2] == 0x10) //CK SUCCESS_BYTE 0xDB(len=1) + RES_LEN(len1) + resLen
|
||||
{
|
||||
for(i=0; i<16; i++)
|
||||
{
|
||||
ck[i] = pbRecvBuffer[i+resLen+3];
|
||||
}
|
||||
} else {
|
||||
DBG1(DBG_IKE, "CK not 16 byte long, can't copy it\n");
|
||||
continue;
|
||||
}
|
||||
if(pbRecvBuffer[resLen+3+16] == 0x10) //IK SUCCESS_BYTE(len1) + RES_LEN(len1) + res + CK_LEN(len1) + CK(len16)
|
||||
{
|
||||
for(i=0; i<16; i++)
|
||||
{
|
||||
ik[i] = pbRecvBuffer[i+ resLen+3+16+1];
|
||||
}
|
||||
} else {
|
||||
DBG1(DBG_IKE, "IK not 16 byte long, can't copy it\n");
|
||||
continue;
|
||||
}
|
||||
DBG1(DBG_IKE, "KEYs established. RES: %b", res, resLen);
|
||||
DBG1(DBG_IKE, "KEYs established. CK: %b", ck, 16);
|
||||
DBG1(DBG_IKE, "KEYs established. IK: %b", ik, 16);
|
||||
found = SUCCESS;
|
||||
|
||||
}
|
||||
if(pbRecvBuffer[0] == 0xDC)
|
||||
{
|
||||
DBG1(DBG_IKE, "Sync error between SIM card and network, currently NOT supported.\n");
|
||||
return NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
/* Transaction will be ended and card disconnected at the
|
||||
* beginning of this loop or after this loop */
|
||||
}
|
||||
|
||||
/* Make sure we end any previous transaction and disconnect card */
|
||||
switch (hCard_status)
|
||||
{
|
||||
case TRANSACTION:
|
||||
SCardEndTransaction(hCard, SCARD_LEAVE_CARD);
|
||||
/* FALLTHRU */
|
||||
case CONNECTED:
|
||||
SCardDisconnect(hCard, SCARD_LEAVE_CARD);
|
||||
/* FALLTHRU */
|
||||
case DISCONNECTED:
|
||||
hCard_status = DISCONNECTED;
|
||||
}
|
||||
|
||||
rv = SCardReleaseContext(hContext);
|
||||
if (rv != SCARD_S_SUCCESS)
|
||||
{
|
||||
DBG1(DBG_IKE, "SCardReleaseContext: %s", pcsc_stringify_error(rv));
|
||||
}
|
||||
|
||||
free(mszReaders);
|
||||
return found;
|
||||
}
|
||||
|
||||
METHOD(eap_simaka_pcsc_card_t, destroy, void,
|
||||
private_eap_simaka_pcsc_card_t *this)
|
||||
{
|
||||
free(this);
|
||||
}
|
||||
|
||||
/**
|
||||
* See header
|
||||
*/
|
||||
eap_simaka_pcsc_card_t *eap_simaka_pcsc_card_create()
|
||||
{
|
||||
private_eap_simaka_pcsc_card_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.card = {
|
||||
.get_triplet = _get_triplet,
|
||||
.get_quintuplet = _get_quintuplet,
|
||||
.resync = (void*)return_false,
|
||||
.get_pseudonym = (void*)return_null,
|
||||
.set_pseudonym = (void*)nop,
|
||||
.get_reauth = (void*)return_null,
|
||||
.set_reauth = (void*)nop,
|
||||
},
|
||||
.destroy = _destroy,
|
||||
},
|
||||
);
|
||||
return &this->public;
|
||||
}
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
/*
|
||||
* Copyright (C) 2017 Domonkos P. Tomcsanyi
|
||||
* umlaut Communications Gmbh.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#ifndef EAP_SIMAKA_PCSC_CARD_H_
|
||||
#define EAP_SIMAKA_PCSC_CARD_H_
|
||||
|
||||
#include <simaka_card.h>
|
||||
|
||||
typedef struct eap_simaka_pcsc_card_t eap_simaka_pcsc_card_t;
|
||||
|
||||
/**
|
||||
* SIM card implementing PC/SC backend.
|
||||
*/
|
||||
struct eap_simaka_pcsc_card_t {
|
||||
|
||||
/**
|
||||
* Implements simaka_card_t interface
|
||||
*/
|
||||
simaka_card_t card;
|
||||
|
||||
/**
|
||||
* Destroy a eap_simaka_pcsc_card_t.
|
||||
*/
|
||||
void (*destroy)(eap_simaka_pcsc_card_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* Create a eap_simaka_pcsc_card instance.
|
||||
*/
|
||||
eap_simaka_pcsc_card_t *eap_simaka_pcsc_card_create();
|
||||
|
||||
#endif /** EAP_SIMAKA_PCSC_CARD_H_ @}*/
|
|
@ -0,0 +1,98 @@
|
|||
/*
|
||||
* Copyright (C) 2017 Domonkos P. Tomcsanyi
|
||||
* umlaut Communications Gmbh.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "eap_simaka_pcsc_plugin.h"
|
||||
#include "eap_simaka_pcsc_card.h"
|
||||
|
||||
#include <daemon.h>
|
||||
|
||||
typedef struct private_eap_simaka_pcsc_t private_eap_simaka_pcsc_t;
|
||||
|
||||
/**
|
||||
* Private data of an eap_simaka_pcsc_t object.
|
||||
*/
|
||||
struct private_eap_simaka_pcsc_t {
|
||||
|
||||
/**
|
||||
* Public eap_simaka_pcsc_plugin_t interface.
|
||||
*/
|
||||
eap_simaka_pcsc_plugin_t public;
|
||||
|
||||
/**
|
||||
* SIM card
|
||||
*/
|
||||
eap_simaka_pcsc_card_t *card;
|
||||
|
||||
};
|
||||
|
||||
METHOD(plugin_t, get_name, char*,
|
||||
private_eap_simaka_pcsc_t *this)
|
||||
{
|
||||
return "eap-simaka-pcsc";
|
||||
}
|
||||
|
||||
/**
|
||||
* Callback providing our card to register
|
||||
*/
|
||||
static simaka_card_t* get_card(private_eap_simaka_pcsc_t *this)
|
||||
{
|
||||
if (!this->card)
|
||||
{
|
||||
this->card = eap_simaka_pcsc_card_create();
|
||||
}
|
||||
return &this->card->card;
|
||||
}
|
||||
|
||||
METHOD(plugin_t, get_features, int,
|
||||
private_eap_simaka_pcsc_t *this, plugin_feature_t *features[])
|
||||
{
|
||||
static plugin_feature_t f[] = {
|
||||
PLUGIN_CALLBACK(simaka_manager_register, get_card),
|
||||
PLUGIN_PROVIDE(CUSTOM, "aka-card"),
|
||||
PLUGIN_DEPENDS(CUSTOM, "aka-manager"),
|
||||
PLUGIN_PROVIDE(CUSTOM, "sim-card"),
|
||||
PLUGIN_DEPENDS(CUSTOM, "sim-manager"),
|
||||
};
|
||||
*features = f;
|
||||
return countof(f);
|
||||
}
|
||||
|
||||
METHOD(plugin_t, destroy, void,
|
||||
private_eap_simaka_pcsc_t *this)
|
||||
{
|
||||
DESTROY_IF(this->card);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/**
|
||||
* See header
|
||||
*/
|
||||
plugin_t *eap_simaka_pcsc_plugin_create()
|
||||
{
|
||||
private_eap_simaka_pcsc_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.plugin = {
|
||||
.get_name = _get_name,
|
||||
.get_features = _get_features,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
},
|
||||
);
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
/*
|
||||
* Copyright (C) 2017 Domonkos P. Tomcsanyi
|
||||
* umlaut Communications Gmbh.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
|
||||
#ifndef EAP_SIMAKA_PCSC_PLUGIN_H_
|
||||
#define EAP_SIMAKA_PCSC_PLUGIN_H_
|
||||
|
||||
#include <plugins/plugin.h>
|
||||
|
||||
typedef struct eap_simaka_pcsc_plugin_t eap_simaka_pcsc_plugin_t;
|
||||
|
||||
/**
|
||||
* Plugin to provide EAP-AKA PC/SC based USIM card backend
|
||||
*/
|
||||
struct eap_simaka_pcsc_plugin_t {
|
||||
|
||||
/**
|
||||
* implements plugin interface
|
||||
*/
|
||||
plugin_t plugin;
|
||||
};
|
||||
|
||||
#endif /** EAP_SIMAKA_PCSC_PLUGIN_H_ @}*/
|
|
@ -1372,6 +1372,7 @@ static void process_route(private_kernel_netlink_net_t *this,
|
|||
if (RTA_PAYLOAD(rta) == sizeof(uint32_t) &&
|
||||
this->routing_table == *(uint32_t*)RTA_DATA(rta))
|
||||
{
|
||||
DESTROY_IF(host);
|
||||
return;
|
||||
}
|
||||
break;
|
||||
|
|
|
@ -624,7 +624,7 @@ static void add_ts(private_load_tester_config_t *this,
|
|||
/**
|
||||
* Allocate and install a dynamic external address to use
|
||||
*/
|
||||
static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
|
||||
static host_t *allocate_addr(private_load_tester_config_t *this, u_int num)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
mem_pool_t *pool;
|
||||
|
@ -682,7 +682,7 @@ static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
|
|||
/**
|
||||
* Generate a new initiator config, num = 0 for responder config
|
||||
*/
|
||||
static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
|
||||
static peer_cfg_t* generate_config(private_load_tester_config_t *this, u_int num)
|
||||
{
|
||||
ike_cfg_t *ike_cfg;
|
||||
child_cfg_t *child_cfg;
|
||||
|
|
|
@ -58,7 +58,7 @@
|
|||
* - vici_end_list(): Close a previously opened list
|
||||
* - vici_add_list_item() / vici_add_list_itemf(): Add list item
|
||||
*
|
||||
* Once the request message is complete, it can be sent or cancelled with:
|
||||
* Once the request message is complete, it can be sent or canceled with:
|
||||
*
|
||||
* - vici_submit()
|
||||
* - vici_free_req()
|
||||
|
|
|
@ -640,7 +640,7 @@ print $res ? "ok\n" : "failed: $errmsg\n";
|
|||
# close vici socket
|
||||
close($socket);
|
||||
|
||||
=head1 COPYRIGHT AND LICENCE
|
||||
=head1 COPYRIGHT AND LICENSE
|
||||
|
||||
Copyright (c) 2015 Andreas Steffen
|
||||
|
||||
|
|
|
@ -145,6 +145,7 @@ static void vadd_kv_or_li(private_vici_builder_t *this, char *key,
|
|||
{
|
||||
value = chunk_alloc(len + 1);
|
||||
len = vsnprintf(value.ptr, value.len, fmt, args);
|
||||
value.len = len;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
|
@ -1170,7 +1170,7 @@ struct ike_sa_t {
|
|||
void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator);
|
||||
|
||||
/**
|
||||
* Flush a task queue, cancelling all tasks in it.
|
||||
* Flush a task queue, canceling all tasks in it.
|
||||
*
|
||||
* @param queue queue type to flush
|
||||
*/
|
||||
|
|
|
@ -142,7 +142,7 @@ struct ike_sa_manager_t {
|
|||
*
|
||||
* Measures are taken according to the uniqueness policy of the IKE_SA.
|
||||
* The return value indicates whether duplicates have been found and if
|
||||
* further measures should be taken (e.g. cancelling an IKE_AUTH exchange).
|
||||
* further measures should be taken (e.g. canceling an IKE_AUTH exchange).
|
||||
* check_uniqueness() must be called before the IKE_SA is complete,
|
||||
* deadlocks occur otherwise.
|
||||
*
|
||||
|
|
|
@ -487,7 +487,7 @@ METHOD(task_manager_t, initiate, status_t,
|
|||
message_t *message;
|
||||
host_t *me, *other;
|
||||
exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
|
||||
bool new_mid = FALSE, expect_response = FALSE, cancelled = FALSE, keep = FALSE;
|
||||
bool new_mid = FALSE, expect_response = FALSE, canceled = FALSE, keep = FALSE;
|
||||
|
||||
if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED &&
|
||||
this->initiating.type != INFORMATIONAL_V1)
|
||||
|
@ -672,7 +672,7 @@ METHOD(task_manager_t, initiate, status_t,
|
|||
/* processed, but task needs another exchange */
|
||||
continue;
|
||||
case ALREADY_DONE:
|
||||
cancelled = TRUE;
|
||||
canceled = TRUE;
|
||||
break;
|
||||
case FAILED:
|
||||
default:
|
||||
|
@ -697,7 +697,7 @@ METHOD(task_manager_t, initiate, status_t,
|
|||
{ /* tasks completed, no exchange active anymore */
|
||||
this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
|
||||
}
|
||||
if (cancelled)
|
||||
if (canceled)
|
||||
{
|
||||
message->destroy(message);
|
||||
return initiate(this);
|
||||
|
@ -754,7 +754,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
|
|||
task_t *task;
|
||||
message_t *message;
|
||||
host_t *me, *other;
|
||||
bool delete = FALSE, cancelled = FALSE, expect_request = FALSE;
|
||||
bool delete = FALSE, canceled = FALSE, expect_request = FALSE;
|
||||
|
||||
me = request->get_destination(request);
|
||||
other = request->get_source(request);
|
||||
|
@ -791,7 +791,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
|
|||
}
|
||||
continue;
|
||||
case ALREADY_DONE:
|
||||
cancelled = TRUE;
|
||||
canceled = TRUE;
|
||||
break;
|
||||
case INVALID_ARG:
|
||||
if (task->get_type(task) == TASK_QUICK_MODE)
|
||||
|
@ -813,7 +813,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
|
|||
enumerator->destroy(enumerator);
|
||||
|
||||
clear_packets(this->responding.packets);
|
||||
if (cancelled)
|
||||
if (canceled)
|
||||
{
|
||||
message->destroy(message);
|
||||
return initiate(this);
|
||||
|
|
|
@ -103,7 +103,7 @@ static bool establish(private_aggressive_mode_t *this)
|
|||
{
|
||||
if (!charon->bus->authorize(charon->bus, TRUE))
|
||||
{
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, canceling");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
@ -177,7 +177,7 @@ static status_t send_notify(private_aggressive_mode_t *this, notify_type_t type)
|
|||
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)informational_create(this->ike_sa, notify));
|
||||
/* cancel all active/passive tasks in favour of informational */
|
||||
/* cancel all active/passive tasks in favor of informational */
|
||||
this->ike_sa->flush_queue(this->ike_sa,
|
||||
this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
|
||||
return ALREADY_DONE;
|
||||
|
@ -190,7 +190,7 @@ static status_t send_delete(private_aggressive_mode_t *this)
|
|||
{
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)isakmp_delete_create(this->ike_sa, TRUE));
|
||||
/* cancel all active tasks in favour of informational */
|
||||
/* cancel all active tasks in favor of informational */
|
||||
this->ike_sa->flush_queue(this->ike_sa,
|
||||
this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
|
||||
return ALREADY_DONE;
|
||||
|
@ -320,7 +320,7 @@ METHOD(task_t, build_i, status_t,
|
|||
if (charon->ike_sa_manager->check_uniqueness(
|
||||
charon->ike_sa_manager, this->ike_sa, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
|
||||
DBG1(DBG_IKE, "canceling Aggressive Mode due to "
|
||||
"uniqueness policy");
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
|
@ -507,7 +507,7 @@ METHOD(task_t, process_r, status_t,
|
|||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids "
|
||||
"IKE_SA, cancelling");
|
||||
"IKE_SA, canceling");
|
||||
charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
|
||||
return send_delete(this);
|
||||
}
|
||||
|
@ -529,7 +529,7 @@ METHOD(task_t, process_r, status_t,
|
|||
if (charon->ike_sa_manager->check_uniqueness(
|
||||
charon->ike_sa_manager, this->ike_sa, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
|
||||
DBG1(DBG_IKE, "canceling Aggressive Mode due to "
|
||||
"uniqueness policy");
|
||||
return send_delete(this);
|
||||
}
|
||||
|
@ -709,7 +709,7 @@ METHOD(task_t, process_i, status_t,
|
|||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids IKE_SA, "
|
||||
"cancelling");
|
||||
"canceling");
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
|
||||
|
|
|
@ -100,7 +100,7 @@ static bool establish(private_main_mode_t *this)
|
|||
{
|
||||
if (!charon->bus->authorize(charon->bus, TRUE))
|
||||
{
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, canceling");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
@ -186,7 +186,7 @@ static status_t send_notify(private_main_mode_t *this, notify_type_t type)
|
|||
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)informational_create(this->ike_sa, notify));
|
||||
/* cancel all active/passive tasks in favour of informational */
|
||||
/* cancel all active/passive tasks in favor of informational */
|
||||
this->ike_sa->flush_queue(this->ike_sa,
|
||||
this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
|
||||
return ALREADY_DONE;
|
||||
|
@ -199,7 +199,7 @@ static status_t send_delete(private_main_mode_t *this)
|
|||
{
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)isakmp_delete_create(this->ike_sa, TRUE));
|
||||
/* cancel all active tasks in favour of informational */
|
||||
/* cancel all active tasks in favor of informational */
|
||||
this->ike_sa->flush_queue(this->ike_sa,
|
||||
this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
|
||||
return ALREADY_DONE;
|
||||
|
@ -483,7 +483,7 @@ METHOD(task_t, process_r, status_t,
|
|||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
|
||||
"cancelling");
|
||||
"canceling");
|
||||
charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
|
@ -565,7 +565,7 @@ METHOD(task_t, build_r, status_t,
|
|||
if (charon->ike_sa_manager->check_uniqueness(
|
||||
charon->ike_sa_manager, this->ike_sa, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness "
|
||||
DBG1(DBG_IKE, "canceling Main Mode due to uniqueness "
|
||||
"policy");
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
|
@ -725,7 +725,7 @@ METHOD(task_t, process_i, status_t,
|
|||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
|
||||
"cancelling");
|
||||
"canceling");
|
||||
charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
|
||||
return send_delete(this);
|
||||
}
|
||||
|
@ -748,7 +748,7 @@ METHOD(task_t, process_i, status_t,
|
|||
if (charon->ike_sa_manager->check_uniqueness(
|
||||
charon->ike_sa_manager, this->ike_sa, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness "
|
||||
DBG1(DBG_IKE, "canceling Main Mode due to uniqueness "
|
||||
"policy");
|
||||
return send_delete(this);
|
||||
}
|
||||
|
|
|
@ -773,7 +773,7 @@ static status_t send_notify(private_quick_mode_t *this, notify_type_t type)
|
|||
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)informational_create(this->ike_sa, notify));
|
||||
/* cancel all active/passive tasks in favour of informational */
|
||||
/* cancel all active/passive tasks in favor of informational */
|
||||
this->ike_sa->flush_queue(this->ike_sa,
|
||||
this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
|
||||
return ALREADY_DONE;
|
||||
|
|
|
@ -150,17 +150,17 @@ static bool allowed(private_xauth_t *this)
|
|||
if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
|
||||
this->ike_sa, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "cancelling XAuth due to uniqueness policy");
|
||||
DBG1(DBG_IKE, "canceling XAuth due to uniqueness policy");
|
||||
return FALSE;
|
||||
}
|
||||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, cancelling");
|
||||
DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, canceling");
|
||||
return FALSE;
|
||||
}
|
||||
if (!charon->bus->authorize(charon->bus, TRUE))
|
||||
{
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, canceling");
|
||||
return FALSE;
|
||||
}
|
||||
return TRUE;
|
||||
|
|
|
@ -887,7 +887,7 @@ METHOD(task_t, process_r, status_t,
|
|||
/* another auth round done, invoke authorize hook */
|
||||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
|
||||
DBG1(DBG_IKE, "authorization hook forbids IKE_SA, canceling");
|
||||
this->authentication_failed = TRUE;
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
@ -1104,7 +1104,7 @@ METHOD(task_t, build_r, status_t,
|
|||
if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
|
||||
this->ike_sa, this->initial_contact))
|
||||
{
|
||||
DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
|
||||
DBG1(DBG_IKE, "canceling IKE_SA setup due to uniqueness policy");
|
||||
charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
|
||||
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
|
||||
chunk_empty);
|
||||
|
@ -1112,7 +1112,7 @@ METHOD(task_t, build_r, status_t,
|
|||
}
|
||||
if (!charon->bus->authorize(charon->bus, TRUE))
|
||||
{
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, canceling");
|
||||
goto peer_auth_failed;
|
||||
}
|
||||
if (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_REDIRECTION) &&
|
||||
|
@ -1362,7 +1362,7 @@ METHOD(task_t, process_i, status_t,
|
|||
/* another auth round done, invoke authorize hook */
|
||||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
|
||||
DBG1(DBG_IKE, "authorization forbids IKE_SA, canceling");
|
||||
goto peer_auth_failed;
|
||||
}
|
||||
|
||||
|
@ -1453,7 +1453,7 @@ METHOD(task_t, process_i, status_t,
|
|||
if (!charon->bus->authorize(charon->bus, TRUE))
|
||||
{
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
|
||||
"cancelling");
|
||||
"canceling");
|
||||
goto peer_auth_failed;
|
||||
}
|
||||
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
|
||||
|
|
|
@ -293,7 +293,7 @@ struct task_manager_t {
|
|||
void (*flush)(task_manager_t *this);
|
||||
|
||||
/**
|
||||
* Flush a queue, cancelling all tasks.
|
||||
* Flush a queue, canceling all tasks.
|
||||
*
|
||||
* @param queue queue to flush
|
||||
*/
|
||||
|
|
|
@ -121,13 +121,18 @@ METHOD(simaka_manager_t, card_get_quintuplet, status_t,
|
|||
switch (status)
|
||||
{ /* try next on error, but not on INVALID_STATE */
|
||||
case SUCCESS:
|
||||
DBG1(DBG_LIB, "SUCCESS");
|
||||
case INVALID_STATE:
|
||||
DBG1(DBG_LIB, "INVALID STATE");
|
||||
enumerator->destroy(enumerator);
|
||||
this->lock->unlock(this->lock);
|
||||
return status;
|
||||
case NOT_SUPPORTED:
|
||||
DBG1(DBG_LIB, "NOT_SUPPORTED");
|
||||
case FAILED:
|
||||
DBG1(DBG_LIB, "FAILED");
|
||||
default:
|
||||
DBG1(DBG_LIB, "DEFAULT");
|
||||
tried++;
|
||||
continue;
|
||||
}
|
||||
|
|
|
@ -944,6 +944,7 @@ METHOD(auth_cfg_t, complies, bool,
|
|||
|
||||
id1 = (identification_t*)value;
|
||||
id2 = get(this, t1);
|
||||
/*
|
||||
if (!id2 || !id2->matches(id2, id1))
|
||||
{
|
||||
if (t1 == AUTH_RULE_IDENTITY &&
|
||||
|
@ -965,6 +966,10 @@ METHOD(auth_cfg_t, complies, bool,
|
|||
"EAP ", id1);
|
||||
}
|
||||
}
|
||||
*/
|
||||
DBG1(DBG_CFG, "constraint check failed, but we are ignoring it for now: %sidentity '%Y'"
|
||||
" required ", t1 == AUTH_RULE_IDENTITY ? "" :
|
||||
"EAP ", id1);
|
||||
break;
|
||||
}
|
||||
case AUTH_RULE_AUTH_CLASS:
|
||||
|
|
|
@ -343,16 +343,16 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
|
|||
{
|
||||
switch (alg)
|
||||
{
|
||||
case HASH_IDENTITY:
|
||||
case HASH_SHA1:
|
||||
case HASH_SHA256:
|
||||
case HASH_SHA384:
|
||||
case HASH_SHA512:
|
||||
return TRUE;
|
||||
case HASH_IDENTITY:
|
||||
case HASH_UNKNOWN:
|
||||
case HASH_MD2:
|
||||
case HASH_MD4:
|
||||
case HASH_MD5:
|
||||
case HASH_SHA1:
|
||||
case HASH_SHA224:
|
||||
case HASH_SHA3_224:
|
||||
case HASH_SHA3_256:
|
||||
|
|
|
@ -117,7 +117,7 @@ struct fetcher_t {
|
|||
*
|
||||
* The fetcher returns NOT_SUPPORTED to indicate that it is uncappable
|
||||
* to handle such URLs. Other return values indicate a failure, and
|
||||
* fetching of that URL gets cancelled.
|
||||
* fetching of that URL gets canceled.
|
||||
* If no FETCH_CALLBACK function is set as option, userdata must be
|
||||
* a chunk_t*. This chunk gets allocated, accumulated data using the
|
||||
* fetcher_default_callback() function.
|
||||
|
|
|
@ -148,7 +148,7 @@ static job_requeue_t monitor_changes(private_keychain_creds_t *this)
|
|||
{
|
||||
this->loop = CFRunLoopGetCurrent();
|
||||
|
||||
/* does not return until cancelled */
|
||||
/* does not return until canceled */
|
||||
CFRunLoopRun();
|
||||
|
||||
this->loop = NULL;
|
||||
|
|
|
@ -173,7 +173,7 @@ CALLBACK(dispatch_slot_events, job_requeue_t,
|
|||
rv = entry->lib->f->C_WaitForSlotEvent(0, &slot, NULL);
|
||||
if (rv == CKR_FUNCTION_NOT_SUPPORTED || rv == CKR_NO_EVENT)
|
||||
{
|
||||
DBG1(DBG_CFG, "module '%s' does not support hot-plugging, cancelled",
|
||||
DBG1(DBG_CFG, "module '%s' does not support hot-plugging, canceled",
|
||||
entry->lib->get_name(entry->lib));
|
||||
return JOB_REQUEUE_NONE;
|
||||
}
|
||||
|
|
|
@ -165,7 +165,7 @@ static bool read_result(private_winhttp_fetcher_t *this, HINTERNET request,
|
|||
}
|
||||
if (!this->cb(user, chunk_create(buf, received)))
|
||||
{
|
||||
DBG1(DBG_LIB, "processing response failed or cancelled");
|
||||
DBG1(DBG_LIB, "processing response failed or canceled");
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -186,12 +186,12 @@ static void update(private_watcher_t *this)
|
|||
}
|
||||
|
||||
/**
|
||||
* Cleanup function if callback gets cancelled
|
||||
* Cleanup function if callback gets canceled
|
||||
*/
|
||||
static void unregister(notify_data_t *data)
|
||||
{
|
||||
/* if a thread processing a callback gets cancelled, we mark the entry
|
||||
* as cancelled, like the callback would return FALSE. This is required
|
||||
/* if a thread processing a callback gets canceled, we mark the entry
|
||||
* as canceled, like the callback would return FALSE. This is required
|
||||
* to not queue this watcher again if all threads have been gone. */
|
||||
data->keep = FALSE;
|
||||
}
|
||||
|
@ -276,7 +276,7 @@ static void activate_all(private_watcher_t *this)
|
|||
{
|
||||
entry_t *entry;
|
||||
|
||||
/* When the watcher thread gets cancelled, we have to reactivate any entry
|
||||
/* When the watcher thread gets canceled, we have to reactivate any entry
|
||||
* and signal threads in remove() to go on. */
|
||||
|
||||
this->mutex->lock(this->mutex);
|
||||
|
@ -398,7 +398,7 @@ static job_requeue_t watch(private_watcher_t *this)
|
|||
if (res == -1 && errno == EINTR)
|
||||
{
|
||||
/* LinuxThreads interrupts poll(), but does not make it a
|
||||
* cancellation point. Manually test if we got cancelled. */
|
||||
* cancellation point. Manually test if we got canceled. */
|
||||
thread_cancellation_point();
|
||||
}
|
||||
|
||||
|
|
|
@ -1130,7 +1130,7 @@ static void *cancel_onoff_run(void *data_in)
|
|||
thread_cancelability(FALSE);
|
||||
data->cancellable = FALSE;
|
||||
|
||||
/* we should not get cancelled here */
|
||||
/* we should not get canceled here */
|
||||
data->sem->wait(data->sem);
|
||||
|
||||
data->cancellable = TRUE;
|
||||
|
|
|
@ -84,7 +84,7 @@ struct private_thread_t {
|
|||
bool detached_or_joined;
|
||||
|
||||
/**
|
||||
* TRUE if the threads has terminated (cancelled, via thread_exit or
|
||||
* TRUE if the threads has terminated (canceled, via thread_exit or
|
||||
* returned from the main function)
|
||||
*/
|
||||
bool terminated;
|
||||
|
@ -130,7 +130,7 @@ static thread_value_t *current_thread;
|
|||
#endif
|
||||
|
||||
/* the signal handler for SIG_CANCEL uses pthread_exit to terminate the
|
||||
* "cancelled" thread */
|
||||
* "canceled" thread */
|
||||
static void cancel_signal_handler(int sig)
|
||||
{
|
||||
pthread_exit(NULL);
|
||||
|
|
|
@ -109,7 +109,7 @@ u_int thread_current_id();
|
|||
|
||||
/**
|
||||
* Push a function onto the current thread's cleanup handler stack.
|
||||
* The callback function is called whenever the thread is cancelled, exits or
|
||||
* The callback function is called whenever the thread is canceled, exits or
|
||||
* thread_cleanup_pop is called with TRUE as execute argument.
|
||||
*
|
||||
* @param cleanup function called on thread exit
|
||||
|
|
|
@ -87,7 +87,7 @@ struct private_thread_t {
|
|||
bool cancelability;
|
||||
|
||||
/**
|
||||
* Has the thread been cancelled by thread->cancel()?
|
||||
* Has the thread been canceled by thread->cancel()?
|
||||
*/
|
||||
bool canceled;
|
||||
|
||||
|
|
|
@ -299,7 +299,7 @@ struct identification_t {
|
|||
* - ID_RFC822_ADDR: alice@wonderland.org
|
||||
* - ID_DER_ASN1_DN: C=CH, O=Linux strongSwan, CN=bob
|
||||
*
|
||||
* In favour of pluto, domainnames are prepended with an @, since
|
||||
* In favor of pluto, domainnames are prepended with an @, since
|
||||
* pluto resolves domainnames without an @ to IPv4 addresses. Since
|
||||
* we use a separate host_t class for addresses, this doesn't
|
||||
* make sense for us.
|
||||
|
|
|
@ -323,7 +323,7 @@ static chunk_t create_ack(private_tls_eap_t *this)
|
|||
default:
|
||||
break;
|
||||
}
|
||||
DBG2(DBG_TLS, "sending %N acknowledgement packet",
|
||||
DBG2(DBG_TLS, "sending %N acknowledgment packet",
|
||||
eap_type_names, this->type);
|
||||
return chunk_clone(chunk_from_thing(pkt));
|
||||
}
|
||||
|
@ -370,7 +370,7 @@ METHOD(tls_eap_t, process, status_t,
|
|||
{
|
||||
if (in.len == sizeof(eap_tls_packet_t))
|
||||
{
|
||||
DBG2(DBG_TLS, "received %N acknowledgement packet",
|
||||
DBG2(DBG_TLS, "received %N acknowledgment packet",
|
||||
eap_type_names, this->type);
|
||||
status = build_pkt(this, out);
|
||||
if (status == INVALID_STATE && this->tls->is_complete(this->tls))
|
||||
|
|
|
@ -735,7 +735,7 @@ tls_hkdf_t *tls_hkdf_create(hash_algorithm_t hash_algorithm, chunk_t psk)
|
|||
DBG1(DBG_TLS, "%N not supported", hash_algorithm_names,
|
||||
hash_algorithm);
|
||||
}
|
||||
DBG1(DBG_TLS, "unable to initialise HKDF");
|
||||
DBG1(DBG_TLS, "unable to initialize HKDF");
|
||||
destroy(this);
|
||||
return NULL;
|
||||
}
|
||||
|
|
|
@ -360,7 +360,7 @@ METHOD(tls_t, process, status_t,
|
|||
this->mutex->lock(this->mutex);
|
||||
if (this->batch)
|
||||
{
|
||||
DBG1(DBG_TNC, "cancelling TNCCS batch");
|
||||
DBG1(DBG_TNC, "canceling TNCCS batch");
|
||||
this->batch->destroy(this->batch);
|
||||
this->batch_id--;
|
||||
}
|
||||
|
|
|
@ -209,7 +209,7 @@ static void change_batch_type(private_tnccs_20_client_t *this,
|
|||
{
|
||||
if (this->batch_type != PB_BATCH_NONE)
|
||||
{
|
||||
DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
|
||||
DBG1(DBG_TNC, "canceling PB-TNC %N batch",
|
||||
pb_tnc_batch_type_names, this->batch_type);
|
||||
|
||||
while (this->messages->remove_last(this->messages,
|
||||
|
|
|
@ -142,7 +142,7 @@ static void change_batch_type(private_tnccs_20_server_t *this,
|
|||
{
|
||||
if (this->batch_type != PB_BATCH_NONE)
|
||||
{
|
||||
DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
|
||||
DBG1(DBG_TNC, "canceling PB-TNC %N batch",
|
||||
pb_tnc_batch_type_names, this->batch_type);
|
||||
|
||||
while (this->messages->remove_last(this->messages,
|
||||
|
|
|
@ -1542,7 +1542,7 @@ jQuery.extend({
|
|||
});
|
||||
/*
|
||||
* A number of helper functions used for managing events.
|
||||
* Many of the ideas behind this code orignated from
|
||||
* Many of the ideas behind this code originated from
|
||||
* Dean Edwards' addEvent library.
|
||||
*/
|
||||
jQuery.event = {
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -1,10 +1,8 @@
|
|||
#!/usr/bin/make
|
||||
|
||||
PKG = wolfssl
|
||||
REV = 4.7.1r
|
||||
DIR = $(PKG)-$(REV)
|
||||
TAR = v$(REV).tar.gz
|
||||
SRC = https://github.com/wolfSSL/$(PKG)/archive/refs/tags/$(TAR)
|
||||
SRC = https://github.com/wolfSSL/$(PKG).git
|
||||
REV = 0caf3ba456f1 # v4.7.1r + SHA-3 fix
|
||||
|
||||
NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
|
||||
|
||||
|
@ -13,8 +11,7 @@ CFLAGS = \
|
|||
-DWOLFSSL_DES_ECB \
|
||||
-DHAVE_AES_ECB \
|
||||
-DHAVE_ECC_BRAINPOOL \
|
||||
-DWOLFSSL_MIN_AUTH_TAG_SZ=8 \
|
||||
-DHAVE_EX_DATA
|
||||
-DWOLFSSL_MIN_AUTH_TAG_SZ=8
|
||||
|
||||
CONFIG_OPTS = \
|
||||
--disable-crypttests \
|
||||
|
@ -22,35 +19,32 @@ CONFIG_OPTS = \
|
|||
--enable-silent-rules \
|
||||
--enable-aesccm \
|
||||
--enable-aesctr \
|
||||
--enable-ecccustcurves \
|
||||
--enable-curve25519 \
|
||||
--enable-ed25519 \
|
||||
--enable-curve448 \
|
||||
--enable-ed448 \
|
||||
--enable-rsapss \
|
||||
--enable-des3 \
|
||||
--enable-sha3 \
|
||||
--enable-shake256 \
|
||||
--enable-md4 \
|
||||
--enable-camellia \
|
||||
--enable-curve25519 \
|
||||
--enable-curve448 \
|
||||
--enable-des3 \
|
||||
--enable-ecccustcurves \
|
||||
--enable-ed25519 \
|
||||
--enable-ed448 \
|
||||
--enable-keygen \
|
||||
--enable-certgen \
|
||||
--enable-certreq \
|
||||
--enable-certext \
|
||||
--enable-sessioncerts
|
||||
--enable-md4 \
|
||||
--enable-rsapss \
|
||||
--enable-sha3 \
|
||||
--enable-shake256
|
||||
|
||||
all: install
|
||||
|
||||
$(TAR):
|
||||
wget $(SRC)
|
||||
|
||||
.$(PKG)-unpacked-$(REV): $(TAR)
|
||||
[ -d $(DIR) ] || tar xf $(TAR)
|
||||
.$(PKG)-cloned:
|
||||
[ -d $(PKG) ] || git clone $(SRC) $(PKG)
|
||||
@touch $@
|
||||
|
||||
.$(PKG)-built-$(REV): .$(PKG)-unpacked-$(REV)
|
||||
cd $(DIR) && ./autogen.sh && ./configure C_FLAGS="$(CFLAGS)" $(CONFIG_OPTS) && make -j $(NUM_CPUS)
|
||||
.$(PKG)-checkout-$(REV): .$(PKG)-cloned
|
||||
cd $(PKG) && git fetch && git checkout $(REV)
|
||||
@rm -f .$(PKG)-checkout-* && touch $@
|
||||
|
||||
.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
|
||||
cd $(PKG) && ./autogen.sh && ./configure C_FLAGS="$(CFLAGS)" $(CONFIG_OPTS) && make -j $(NUM_CPUS)
|
||||
@rm -f .$(PKG)-built-* && touch $@
|
||||
|
||||
install: .$(PKG)-built-$(REV)
|
||||
cd $(DIR) && make install && ldconfig
|
||||
cd $(PKG) && make install && ldconfig
|
||||
|
|
|
@ -1,16 +1,20 @@
|
|||
#!/usr/bin/make
|
||||
|
||||
PKG = swidGenerator
|
||||
ZIP = $(PKG)-master.zip
|
||||
SRC = https://github.com/strongswan/$(PKG)/archive/master.zip
|
||||
REV = v1.1.0
|
||||
DIR = $(PKG)-$(REV)
|
||||
TAR = $(PKG)-$(REV).tar.gz
|
||||
SRC = https://github.com/strongswan/$(PKG)/archive/$(REV).tar.gz
|
||||
|
||||
all: install
|
||||
|
||||
$(ZIP):
|
||||
wget --ca-directory="/usr/share/ca-certificates/mozilla" $(SRC) -O $(ZIP)
|
||||
$(TAR):
|
||||
wget --ca-directory="/usr/share/ca-certificates/mozilla" $(SRC) -O $(TAR)
|
||||
|
||||
$(PKG)-master: $(ZIP)
|
||||
unzip $(ZIP)
|
||||
.$(PKG)-unpacked-$(REV): $(TAR)
|
||||
# a tag's "v" prefix is not reflected in the directory name in the archive
|
||||
[ -d $(DIR) ] || (mkdir -p $(DIR); tar -xf $(TAR) --strip-components=1 -C $(DIR))
|
||||
@touch $@
|
||||
|
||||
install: $(PKG)-master
|
||||
cd $(PKG)-master && python setup.py install
|
||||
install: .$(PKG)-unpacked-$(REV)
|
||||
cd $(DIR) && python setup.py install
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
#!/usr/bin/make
|
||||
|
||||
PKG = strongTNC
|
||||
ZIP = $(PKG)-master.zip
|
||||
SRC = https://github.com/strongswan/$(PKG)/archive/master.zip
|
||||
REV = 0.9.9
|
||||
DIR = $(PKG)-$(REV)
|
||||
ZIP = $(PKG)-$(REV).zip
|
||||
SRC = https://github.com/strongswan/$(PKG)/archive/$(REV).zip
|
||||
DEPS = $(PKG)-deps
|
||||
|
||||
all: install
|
||||
|
@ -10,14 +12,16 @@ all: install
|
|||
$(ZIP):
|
||||
wget --ca-directory=/usr/share/ca-certificates/mozilla/ $(SRC) -O $(ZIP)
|
||||
|
||||
$(PKG)-master: $(ZIP)
|
||||
unzip -u $(ZIP)
|
||||
.$(PKG)-unpacked-$(REV): $(ZIP)
|
||||
[ -d $(DIR) ] || unzip $(ZIP)
|
||||
@touch $@
|
||||
|
||||
$(DEPS): $(PKG)-master
|
||||
.$(PKG)-deps-$(REV): .$(PKG)-unpacked-$(REV)
|
||||
mkdir -p $(DEPS)
|
||||
pip download -d $(DEPS) -r $(PKG)-master/requirements.txt six
|
||||
pip download -d $(DEPS) -r $(DIR)/requirements.txt six
|
||||
@touch $@
|
||||
|
||||
install: $(DEPS)
|
||||
install: .$(PKG)-deps-$(REV)
|
||||
# six is required for djangorestframework-camel-case
|
||||
pip install --no-index --find-links=file://`pwd`/$(DEPS) -r $(PKG)-master/requirements.txt six
|
||||
cp -r $(PKG)-master /var/www/tnc && chgrp -R www-data /var/www/tnc && chmod g+sw /var/www/tnc
|
||||
pip install --no-index --find-links=file://`pwd`/$(DEPS) -r $(DIR)/requirements.txt six
|
||||
cp -r $(DIR) /var/www/tnc && chgrp -R www-data /var/www/tnc && chmod g+sw /var/www/tnc
|
||||
|
|
|
@ -24,14 +24,14 @@ fi
|
|||
: ${TESTDIR=/srv/strongswan-testing}
|
||||
|
||||
# Kernel configuration
|
||||
: ${KERNELVERSION=5.12.12}
|
||||
: ${KERNELVERSION=5.13}
|
||||
: ${KERNEL=linux-$KERNELVERSION}
|
||||
: ${KERNELTARBALL=$KERNEL.tar.xz}
|
||||
: ${KERNELCONFIG=$DIR/../config/kernel/config-5.12}
|
||||
: ${KERNELCONFIG=$DIR/../config/kernel/config-5.13}
|
||||
: ${KERNELPATCH=ha-5.10-abicompat.patch.bz2}
|
||||
|
||||
# strongSwan version used in tests
|
||||
: ${SWANVERSION=5.9.3dr4}
|
||||
: ${SWANVERSION=5.9.3}
|
||||
|
||||
# Build directory where the guest kernel and images will be built
|
||||
: ${BUILDDIR=$TESTDIR/build}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
||||
to the virtual gateway <b>mars</b> implemented by the two real gateways
|
||||
<b>alice</b> and <b>moon</b> in a <b>High Availability</b> (HA) setup
|
||||
based on <b>ClusterIP</b>. The HA synchronisation link between the two
|
||||
based on <b>ClusterIP</b>. The HA synchronization link between the two
|
||||
gateways is secured by an IPsec transport connection. At the outset
|
||||
<b>alice</b> is the active and <b>moon</b> is the passive gateway.
|
||||
After <b>alice</b> gets killed <b>moon</b> automatically takes over
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
TThe roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
|
||||
and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>vips = 0.0.0.0</b>
|
||||
parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS/WINS server
|
||||
information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned statically
|
||||
|
|
|
@ -13,7 +13,7 @@ DIAGRAM="a-m-c-w-d.png"
|
|||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
TCPDUMPHOSTS="moon alice"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
|
|
Loading…
Reference in New Issue