RFC FC-SP-2

configure.ac

@@ -3,6 +3,7 @@
 # Copyright (C) 2006-2019 Andreas Steffen
 # Copyright (C) 2006-2014 Martin Willi
 # HSR Hochschule fuer Technik Rapperswil
+# Copyright (C) 2019-2020 Marvell
 #
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
@@ -213,6 +214,7 @@ ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.]
 ARG_ENABL_SET([eap-dynamic],    [enable dynamic EAP proxy module.])
 ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
 ARG_ENABL_SET([ext-auth],       [enable plugin calling an external authorization script.])
+ARG_ENABL_SET([auth-els],       [enable auth els plugin authorization module.])
 ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
 ARG_ENABL_SET([keychain],       [enables OS X Keychain Services credential set.])
 ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
@@ -331,6 +333,7 @@ ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
 ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
 ARG_ENABL_SET([log-thread-ids], [use thread ID, if available, instead of an incremented value starting from 1, to identify threads.])
 ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
+ARG_ENABL_SET([auth-els-kmip],  [enable auth els kmip in auth els plugin.])
 
 # ===================================
 #  option to disable default options
@@ -606,6 +609,8 @@ AC_CHECK_FUNCS(pthread_rwlock_init)
 AC_CHECK_FUNCS(pthread_spin_init)
 # check if we have POSIX semaphore functions, including timed-wait
 AC_CHECK_FUNCS(sem_timedwait)
+# lookup major()/minor()/makedev()
+AC_HEADER_MAJOR
 LIBS=$saved_LIBS
 
 AC_CHECK_FUNC(
@@ -1501,6 +1506,7 @@ ADD_PLUGIN([kernel-wfp],           [c charon])
 ADD_PLUGIN([kernel-iph],           [c charon])
 ADD_PLUGIN([kernel-pfkey],         [c charon starter nm cmd])
 ADD_PLUGIN([kernel-pfroute],       [c charon starter nm cmd])
+ADD_PLUGIN([auth-els],             [c charon])
 ADD_PLUGIN([kernel-netlink],       [c charon starter nm cmd])
 ADD_PLUGIN([resolve],              [c charon cmd])
 ADD_PLUGIN([save-keys],            [c])
@@ -1683,6 +1689,8 @@ AM_CONDITIONAL(USE_KERNEL_WFP, test x$kernel_wfp = xtrue)
 AM_CONDITIONAL(USE_KERNEL_IPH, test x$kernel_iph = xtrue)
 AM_CONDITIONAL(USE_WHITELIST, test x$whitelist = xtrue)
 AM_CONDITIONAL(USE_EXT_AUTH, test x$ext_auth = xtrue)
+AM_CONDITIONAL(USE_AUTH_ELS, test x$auth_els = xtrue)
+AM_CONDITIONAL(USE_DISABLE_SIGNAL_HANDLER, test x$auth_els = xtrue)
 AM_CONDITIONAL(USE_LOOKIP, test x$lookip = xtrue)
 AM_CONDITIONAL(USE_ERROR_NOTIFY, test x$error_notify = xtrue)
 AM_CONDITIONAL(USE_CERTEXPIRE, test x$certexpire = xtrue)
@@ -1805,6 +1813,7 @@ AM_CONDITIONAL(USE_PYTHON_EGGS, test x$python_eggs = xtrue)
 AM_CONDITIONAL(USE_PERL_CPAN, test x$perl_cpan = xtrue)
 AM_CONDITIONAL(USE_TOX, test "x$TOX" != x)
 AM_CONDITIONAL(USE_PY_TEST, test "x$PY_TEST" != x -a "x$TOX" = x)
+AM_CONDITIONAL(USE_AUTH_ELS_KMIP, test x$auth_els_kmip = xtrue)
 
 # ========================
 #  set global definitions
@@ -2028,6 +2037,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/kernel_iph/Makefile
 	src/libcharon/plugins/whitelist/Makefile
 	src/libcharon/plugins/ext_auth/Makefile
+	src/libcharon/plugins/auth_els/Makefile
 	src/libcharon/plugins/lookip/Makefile
 	src/libcharon/plugins/error_notify/Makefile
 	src/libcharon/plugins/certexpire/Makefile

src/charon-cmd/cmd/cmd_connection.c

@@ -16,6 +16,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2019-2020 Marvell 
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "cmd_connection.h"
 
 #include <signal.h>
@@ -181,7 +203,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 			break;
 	}
 
-	ike.local_port = charon->socket->get_port(charon->socket, FALSE);
+	ike.local_port = charon->socket->get_port(charon->socket, SOCKET_FAMILY_BOTH, FALSE);
 	if (ike.local_port != IKEV2_UDP_PORT)
 	{
 		ike.remote_port = IKEV2_NATT_PORT;

src/charon-nm/nm/nm_service.c

@@ -16,6 +16,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2019-2020 Marvell 
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "nm_service.h"
 
 #include <daemon.h>
@@ -601,7 +623,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 	ike_cfg_create_t ike = {
 		.version = IKEV2,
 		.local = "%any",
-		.local_port = charon->socket->get_port(charon->socket, FALSE),
+		.local_port = charon->socket->get_port(charon->socket, SOCKET_FAMILY_BOTH, FALSE),
 		.remote_port = IKEV2_UDP_PORT,
 		.fragmentation = FRAGMENTATION_YES,
 	};

src/charon/Makefile.am

@@ -17,4 +17,8 @@ charon_LDADD = \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(ATOMICLIB) $(DLLIB)
 
+if USE_DISABLE_SIGNAL_HANDLER
+  AM_CPPFLAGS += -DDISABLE_SIGNAL_HANDLER
+endif
+
 EXTRA_DIST = Android.mk

src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c

@@ -15,6 +15,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2019-2020 Marvell 
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include <errno.h>
 #include <unistd.h>
 
@@ -745,7 +767,7 @@ static job_requeue_t initiate(private_android_service_t *this)
 	ike_cfg_create_t ike = {
 		.version = IKEV2,
 		.local = "",
-		.local_port = charon->socket->get_port(charon->socket, FALSE),
+		.local_port = charon->socket->get_port(charon->socket, SOCKET_FAMILY_BOTH, FALSE),
 		.force_encap = TRUE,
 		.fragmentation = FRAGMENTATION_YES,
 	};

src/frontends/osx/charon-xpc/xpc_dispatch.c

@@ -13,6 +13,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2019-2020 Marvell 
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "xpc_dispatch.h"
 #include "xpc_channels.h"
 
@@ -96,7 +118,7 @@ static peer_cfg_t* create_peer_cfg(char *name, char *host)
 		.dpd = 30,
 	};
 
-	ike.local_port = charon->socket->get_port(charon->socket, FALSE);
+	ike.local_port = charon->socket->get_port(charon->socket, SOCKET_FAMILY_BOTH, FALSE);
 	if (ike.local_port != IKEV2_UDP_PORT)
 	{
 		ike.remote_port = IKEV2_NATT_PORT;

src/libcharon/Makefile.am

@@ -47,6 +47,7 @@ encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
 encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
 kernel/kernel_interface.c kernel/kernel_interface.h \
 kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_fc_sp.c kernel/kernel_fc_sp.h \
 kernel/kernel_net.c kernel/kernel_net.h \
 kernel/kernel_listener.h kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
@@ -327,6 +328,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_AUTH_ELS
+  SUBDIRS += plugins/auth_els
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/auth_els/libstrongswan-auth-els.la
+endif
+endif
+
 if USE_EAP_IDENTITY
   SUBDIRS += plugins/eap_identity
 if MONOLITHIC

src/libcharon/config/ike_cfg.c

@@ -15,6 +15,28 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2019-2020 Marvell 
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #define _GNU_SOURCE /* for stdndup() */
 #include <string.h>
 
@@ -450,7 +472,7 @@ static traffic_selector_t* make_range(char *str)
 	{
 		return NULL;
 	}
-	if (to->get_family(to) == AF_INET)
+	if (to->get_family(to) == AF_INET || to->get_family(to) == AF_NETLINK)
 	{
 		type = TS_IPV4_ADDR_RANGE;
 	}

src/libcharon/encoding/parser.c

@@ -2,6 +2,7 @@
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2019-2020 Marvell
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -596,11 +597,20 @@ METHOD(parser_t, parse_payload, status_t,
 					return PARSE_ERROR;
 				}
 				ts_type = *(uint8_t*)(output + rule->offset);
+
+				if(ts_type == TS_FC_ADDR_RANGE)
+				{
+					traffic_selector_substructure_t *tsstruct = (traffic_selector_substructure_t*)pld;
+					tsstruct->set_ts_type(tsstruct, TS_FC_ADDR_RANGE);
+					rule_count = pld->get_encoding_rules(pld, &this->rules);
+				}
+
 				break;
 			}
 			case ADDRESS:
 			{
 				int address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+				address_length = ((ts_type == TS_FC_ADDR_RANGE) ? 3 : address_length);
 
 				if (!parse_chunk(this, rule_number, output + rule->offset,
 								 address_length))