Commit 7793611e authored by Yves-Alexis Perez's avatar Yves-Alexis Perez

New upstream version 5.6.2

parent e1d78dc2
......@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
)
# strongSwan version, replaced by top Makefile
strongswan_VERSION := "5.6.1"
strongswan_VERSION := "5.6.2"
strongswan-5.6.2
----------------
- Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that
was caused by insufficient input validation. One of the configurable
parameters in algorithm identifier structures for RSASSA-PSS signatures is the
mask generation function (MGF). Only MGF1 is currently specified for this
purpose. However, this in turn takes itself a parameter that specifies the
underlying hash function. strongSwan's parser did not correctly handle the
case of this parameter being absent, causing an undefined data read.
This vulnerability has been registered as CVE-2018-6459.
- The previously negotiated DH group is reused when rekeying an SA, instead of
using the first group in the configured proposals, which avoids an additional
exchange if the peer selected a different group via INVALID_KE_PAYLOAD when
the SA was created initially.
The selected DH group is also moved to the front of all sent proposals that
contain it and all proposals that don't are moved to the back in order to
convey the preference for this group to the peer.
- Handling of MOBIKE task queuing has been improved. In particular, the response
to an address update is not ignored anymore if only an address list update or
DPD is queued.
- The fallback drop policies installed to avoid traffic leaks when replacing
addresses in installed policies are now replaced by temporary drop policies,
which also prevent acquires because we currently delete and reinstall IPsec
SAs to update their addresses.
- Access X.509 certificates held in non-volatile storage of a TPM 2.0
referenced via the NV index.
- Adding the --keyid parameter to pki --print allows to print private keys
or certificates stored in a smartcard or a TPM 2.0.
- Fixed proposal selection if a peer incorrectly sends DH groups in the ESP
proposals during IKE_AUTH and also if a DH group is configured in the local
ESP proposal and charon.prefer_configured_proposals is disabled.
- MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility
issues with EAP-MSCHAPv2 and PRFs that have a block size < 64 bytes (e.g.
AES-XCBC-PRF-128).
- The tpm_extendpcr command line tool extends a digest into a TPM PCR.
- Ported the NetworkManager backend from the deprecated libnm-glib to libnm.
- The save-keys debugging/development plugin saves IKE and/or ESP keys to files
compatible with Wireshark.
strongswan-5.6.1
----------------
......@@ -1370,7 +1421,7 @@ strongswan-4.4.1
- The openssl plugin now supports X.509 certificate and CRL functions.
- OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled
by default. Plase update manual load directives in strongswan.conf.
by default. Please update manual load directives in strongswan.conf.
- RFC3779 ipAddrBlock constraint checking has been moved to the addrblock
plugin, disabled by default. Enable it and update manual load directives
......@@ -1832,7 +1883,7 @@ strongswan-4.2.8
- Several MOBIKE improvements: Detect changes in NAT mappings in DPD exchanges,
handle events if kernel detects NAT mapping changes in UDP-encapsulated
ESP packets (requires kernel patch), reuse old addesses in MOBIKE updates as
ESP packets (requires kernel patch), reuse old addresses in MOBIKE updates as
long as possible and other fixes.
- Fixed a bug in addr_in_subnet() which caused insertion of wrong source
......@@ -2111,7 +2162,7 @@ strongswan-4.1.7
- In NAT traversal situations and multiple queued Quick Modes,
those pending connections inserted by auto=start after the
port floating from 500 to 4500 were erronously deleted.
port floating from 500 to 4500 were erroneously deleted.
- Added a "forceencaps" connection parameter to enforce UDP encapsulation
to surmount restrictive firewalls. NAT detection payloads are faked to
......@@ -2705,7 +2756,7 @@ strongswan-2.6.0
strongswan-2.5.7
----------------
- CA certicates are now automatically loaded from a smartcard
- CA certificates are now automatically loaded from a smartcard
or USB crypto token and appear in the ipsec auto --listcacerts
listing.
......@@ -2818,7 +2869,7 @@ strongswan-2.5.1
- Under the native IPsec of the Linux 2.6 kernel, a %trap eroute
installed either by setting auto=route in ipsec.conf or by
a connection put into hold, generates an XFRM_AQUIRE event
for each packet that wants to use the not-yet exisiting
for each packet that wants to use the not-yet existing
tunnel. Up to now each XFRM_AQUIRE event led to an entry in
the Quick Mode queue, causing multiple IPsec SA to be
established in rapid succession. Starting with strongswan-2.5.1
......@@ -36,7 +36,7 @@ Configuration on gateway _moon_:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
/etc/swanctl/priv/moonKey.pem
/etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
......@@ -66,7 +66,7 @@ Configuration on gateway _sun_:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/sunCert.pem
/etc/swanctl/priv/sunKey.pem
/etc/swanctl/private/sunKey.pem
/etc/swanctl/swanctl.conf:
......@@ -120,7 +120,7 @@ connections we will use the default IPsec tunnel mode.
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
/etc/swanctl/priv/moonKey.pem
/etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
......@@ -148,7 +148,7 @@ Configuration on host _sun_:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/sunCert.pem
/etc/swanctl/priv/sunKey.pem
/etc/swanctl/private/sunKey.pem
/etc/swanctl/swanctl.conf:
......@@ -185,7 +185,7 @@ Configuration on gateway _moon_:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
/etc/swanctl/priv/moonKey.pem
/etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
......@@ -211,7 +211,7 @@ Configuration on roadwarrior _carol_:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/carolCert.pem
/etc/swanctl/priv/carolKey.pem
/etc/swanctl/private/carolKey.pem
/etc/swanctl/swanctl.conf:
......@@ -277,7 +277,7 @@ Configuration on gateway _moon_:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
/etc/swanctl/rsa/moonKey.pem
/etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
......@@ -311,7 +311,7 @@ Configuration on roadwarrior _carol_:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/carolCert.pem
/etc/swanctl/priv/carolKey.pem
/etc/swanctl/private/carolKey.pem
/etc/swanctl/swanctl.conf:
......@@ -352,7 +352,7 @@ Configuration on gateway _moon_:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
/etc/swanctl/priv/moonKey.pem
/etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
......@@ -437,7 +437,7 @@ Configuration on gateway _moon_:
/etc/swanctl/x509ca/strongswanCert.pem
/etc/swanctl/x509/moonCert.pem
/etc/swanctl/priv/moonKey.pem
/etc/swanctl/private/moonKey.pem
/etc/swanctl/swanctl.conf:
......@@ -571,7 +571,7 @@ In a next step the command
pki --req --type priv --in moonKey.pem \
--dn "C=CH, O=strongswan, CN=moon.strongswan.org \
--san moon.strongswan.org -- outform pem > moonReq.pem
--san moon.strongswan.org --outform pem > moonReq.pem
creates a PKCS#10 certificate request that has to be signed by the CA.
Through the [multiple] use of the `--san` parameter any number of desired
......@@ -87,6 +87,7 @@ plugins = \
plugins/random.opt \
plugins/resolve.opt \
plugins/revocation.opt \
plugins/save-keys.opt \
plugins/socket-default.opt \
plugins/sql.opt \
plugins/stroke.opt \
......@@ -493,6 +493,7 @@ plugins = \
plugins/random.opt \
plugins/resolve.opt \
plugins/revocation.opt \
plugins/save-keys.opt \
plugins/socket-default.opt \
plugins/sql.opt \
plugins/stroke.opt \
......@@ -7,9 +7,9 @@ charon {
# Maximum number of half-open IKE_SAs for a single peer IP.
# block_threshold = 5
# Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
# be saved under a unique file name derived from the public key of the
# Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
# Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
# should be saved under a unique file name derived from the public key of
# the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
# /etc/swanctl/x509crl (vici), respectively.
# cache_crls = no
......@@ -31,7 +31,7 @@ charon.cert_cache = yes
memory.
charon.cache_crls = no
Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
be saved under a unique file name derived from the public key of the
Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
**/etc/swanctl/x509crl** (vici), respectively.
......@@ -2,6 +2,13 @@ charon.plugins.ha.autobalance = 0
Interval in seconds to automatically balance handled segments between nodes.
Set to 0 to disable.
charon.plugin.ha.buflen = 2048
Buffer size for received HA messages.
Buffer size for received HA messages. For IKEv1 the public DH factors are
also transmitted so depending on the DH group the HA messages can get quite
big (the default should be fine up to _modp4096_).
charon.plugins.ha.fifo_interface = yes
charon.plugins.ha.heartbeat_delay = 1000
......@@ -6,6 +6,10 @@ libimcv.plugins.imc-os.device_id =
Manually set the client device ID in hexadecimal format
(e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
libimcv.plugins.imc-os.device_handle =
Manually set handle to a private key bound to a smartcard or TPM
(e.g. 0x81010004)
libimcv.plugins.imc-os.device_pubkey =
Manually set the path to the client device public key
(e.g. /etc/pts/aikPub.der)
......@@ -35,6 +35,9 @@ kernel-netlink {
# Whether to use port or socket based IKE XFRM bypass policies.
# port_bypass = no
# Whether to process changes in routing rules to trigger roam events.
# process_rules = no
# Maximum Netlink socket receive buffer in bytes.
# receive_buffer_size = 0
......@@ -7,7 +7,7 @@ charon.plugins.kernel-netlink.force_receive_buffer_size = no
If the maximum Netlink socket receive buffer in bytes set by
_receive_buffer_size_ exceeds the system-wide maximum from
/proc/sys/net/core/rmem_max, this option can be used to override the limit.
Enabling this option requires special priviliges (CAP_NET_ADMIN).
Enabling this option requires special privileges (CAP_NET_ADMIN).
charon.plugins.kernel-netlink.fwmark =
Firewall mark to set on the routing rule that directs traffic to our routing
......@@ -47,6 +47,13 @@ charon.plugins.kernel-netlink.port_bypass = no
port based policies use global XFRM bypass policies for the used IKE UDP
ports.
charon.plugins.kernel-netlink.process_rules = no
Whether to process changes in routing rules to trigger roam events.
Whether to process changes in routing rules to trigger roam events. This is
currently only useful if the kernel based route lookup is used (i.e. if
route installation is disabled or an inverted fwmark match is configured).
charon.plugins.kernel-netlink.receive_buffer_size = 0
Maximum Netlink socket receive buffer in bytes.
save-keys {
# Whether to save ESP keys.
# esp = no
# Whether to save IKE keys.
# ike = no
# Whether to load the plugin.
load = no
# Directory where the keys are stored in the format supported by Wireshark
# wireshark_keys =
}
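Review bot: The `wireshark_keys` comment in the new save-keys.conf template does not say what ends up in that directory, so an operator who enables this plugin gets no hint that the files hold plaintext IKE and ESP session keys (the NEWS entry describes the plugin as debugging/development only). I would extend the comment to `# Directory where the keys are stored in the format supported by Wireshark.` followed by `# The files contain plaintext session keys; restrict the directory's permissions` and `# and enable this plugin only on test systems.`. The same point applies to the `wireshark_keys` description in the .opt file that follows, which is what the strongswan.conf man page is generated from.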
charon.plugins.save-keys.load := no
Whether to load the plugin.
charon.plugins.save-keys.esp = no
Whether to save ESP keys.
charon.plugins.save-keys.ike = no
Whether to save IKE keys.
charon.plugins.save-keys.wireshark_keys
Directory where the keys are stored in the format supported by Wireshark
Directory where the keys are stored in the format supported by Wireshark.
IKEv1 keys are stored in the _ikev1_decryption_table_ file.
IKEv2 keys are stored in the _ikev2_decryption_table_ file.
Keys for ESP CHILD_SAs are stored in the _esp_sa_ file.
......@@ -51,7 +51,7 @@ Maximum number of half\-open IKE_SAs for a single peer IP.
.TP
.BR charon.cache_crls " [no]"
Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
saved under a unique file name derived from the public key of the Certification
Authority (CA) to
.RB "" "/etc/ipsec.d/crls" ""
......@@ -405,6 +405,14 @@ WINS servers assigned to peer via configuration payload (CP).
.BR charon.nbns2 " []"
WINS servers assigned to peer via configuration payload (CP).
.TP
.BR charon.plugin.ha.buflen " [2048]"
Buffer size for received HA messages. For IKEv1 the public DH factors are also
transmitted so depending on the DH group the HA messages can get quite big (the
default should be fine up to
.RI "" "modp4096" ")."
.TP
.BR charon.plugins.addrblock.strict " [yes]"
If set to yes, a subject certificate without an addrblock extension is rejected
......@@ -973,7 +981,7 @@ If the maximum Netlink socket receive buffer in bytes set by
.RI "" "receive_buffer_size" ""
exceeds the system\-wide maximum from
/proc/sys/net/core/rmem_max, this option can be used to override the limit.
Enabling this option requires special priviliges (CAP_NET_ADMIN).
Enabling this option requires special privileges (CAP_NET_ADMIN).
.TP
.BR charon.plugins.kernel-netlink.fwmark " []"
......@@ -1015,6 +1023,12 @@ policies are used to exempt IKE traffic from XFRM processing. The default socket
based policies are directly tied to the IKE UDP sockets, port based policies use
global XFRM bypass policies for the used IKE UDP ports.
.TP
.BR charon.plugins.kernel-netlink.process_rules " [no]"
Whether to process changes in routing rules to trigger roam events. This is
currently only useful if the kernel based route lookup is used (i.e. if route
installation is disabled or an inverted fwmark match is configured).
.TP
.BR charon.plugins.kernel-netlink.receive_buffer_size " [0]"
Maximum Netlink socket receive buffer in bytes. This value controls how many
......@@ -1416,6 +1430,30 @@ Whether CRL validation should be enabled.
.BR charon.plugins.revocation.enable_ocsp " [yes]"
Whether OCSP validation should be enabled.
.TP
.BR charon.plugins.save-keys.esp " [no]"
Whether to save ESP keys.
.TP
.BR charon.plugins.save-keys.ike " [no]"
Whether to save IKE keys.
.TP
.BR charon.plugins.save-keys.load " [no]"
Whether to load the plugin.
.TP
.BR charon.plugins.save-keys.wireshark_keys " []"
Directory where the keys are stored in the format supported by Wireshark. IKEv1
keys are stored in the
.RI "" "ikev1_decryption_table" ""
file. IKEv2 keys are stored in
the
.RI "" "ikev2_decryption_table" ""
file. Keys for ESP CHILD_SAs are stored in the
.RI "" "esp_sa" ""
file.
.TP
.BR charon.plugins.socket-default.fwmark " []"
Firewall mark to set on outbound packets.
......@@ -2120,6 +2158,11 @@ manufacturer of the hardcopy device.
Manually set the path to the client device certificate (e.g.
/etc/pts/aikCert.der)
.TP
.BR libimcv.plugins.imc-os.device_handle " []"
Manually set handle to a private key bound to a smartcard or TPM (e.g.
0x81010004)
.TP
.BR libimcv.plugins.imc-os.device_id " []"
Manually set the client device ID in hexadecimal format (e.g.
......@@ -19,7 +19,7 @@
# initialize & set some vars
# ============================
AC_INIT([strongSwan],[5.6.1])
AC_INIT([strongSwan],[5.6.2])
AM_INIT_AUTOMAKE(m4_esyscmd([
echo tar-ustar
echo subdir-objects
......@@ -273,6 +273,7 @@ ARG_ENABL_SET([led], [enable plugin to control LEDs on IKEv2 activity
ARG_ENABL_SET([load-tester], [enable load testing plugin for IKEv2 daemon.])
ARG_ENABL_SET([lookip], [enable fast virtual IP lookup and notification plugin.])
ARG_ENABL_SET([radattr], [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.])
ARG_ENABL_SET([save-keys], [enable development/debugging plugin that saves IKE and ESP keys in Wireshark format.])
ARG_ENABL_SET([systime-fix], [enable plugin to handle cert lifetimes with invalid system time gracefully.])
ARG_ENABL_SET([test-vectors], [enable plugin providing crypto test vectors.])
ARG_DISBL_SET([updown], [disable updown firewall script plugin.])
......@@ -1174,10 +1175,7 @@ if test x$eap_sim_pcsc = xtrue; then
fi
if test x$nm = xtrue; then
PKG_CHECK_EXISTS([libnm-glib],
[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn])],
[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn])]
)
PKG_CHECK_MODULES(nm, [gthread-2.0 libnm])
AC_SUBST(nm_CFLAGS)
AC_SUBST(nm_LIBS)
fi
......@@ -1438,6 +1436,7 @@ ADD_PLUGIN([kernel-pfkey], [c charon starter nm cmd])
ADD_PLUGIN([kernel-pfroute], [c charon starter nm cmd])
ADD_PLUGIN([kernel-netlink], [c charon starter nm cmd])
ADD_PLUGIN([resolve], [c charon cmd])
ADD_PLUGIN([save-keys], [c])
ADD_PLUGIN([socket-default], [c charon nm cmd])
ADD_PLUGIN([socket-dynamic], [c charon cmd])
ADD_PLUGIN([socket-win], [c charon])
......@@ -1667,6 +1666,7 @@ AM_CONDITIONAL(USE_IMC_SWIMA, test x$imc_swima = xtrue)
AM_CONDITIONAL(USE_IMV_SWIMA, test x$imv_swima = xtrue)
AM_CONDITIONAL(USE_IMC_HCD, test x$imc_hcd = xtrue)
AM_CONDITIONAL(USE_IMV_HCD, test x$imv_hcd = xtrue)
AM_CONDITIONAL(USE_SAVE_KEYS, test x$save_keys = xtrue)
AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
AM_CONDITIONAL(USE_SOCKET_WIN, test x$socket_win = xtrue)
......@@ -1931,6 +1931,7 @@ AC_CONFIG_FILES([
src/libcharon/plugins/xauth_noauth/Makefile
src/libcharon/plugins/tnc_ifmap/Makefile
src/libcharon/plugins/tnc_pdp/Makefile
src/libcharon/plugins/save_keys/Makefile
src/libcharon/plugins/socket_default/Makefile
src/libcharon/plugins/socket_dynamic/Makefile
src/libcharon/plugins/socket_win/Makefile
......@@ -1991,6 +1992,7 @@ AC_CONFIG_FILES([
src/_copyright/Makefile
src/scepclient/Makefile
src/aikgen/Makefile
src/tpm_extendpcr/Makefile
src/pki/Makefile
src/pki/man/Makefile
src/pool/Makefile
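Review bot: The replacement dependency check `PKG_CHECK_MODULES(nm, [gthread-2.0 libnm])` imposes no minimum libnm version, although the other hunks of this commit port the backend to NMVpnServicePlugin and GVariant-based config handover, which older libnm releases presumably do not provide. A version bound such as `PKG_CHECK_MODULES(nm, [gthread-2.0 libnm >= <MIN_LIBNM_VERSION>])` turns an opaque compile failure into a clear configure-time error and documents the requirement for packagers. The enclosing `if test x$nm = xtrue` block is fully contained in the hunk.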
......@@ -609,9 +609,10 @@ To limit the acceptable set of hashing algorithms for trustchain validation,
append hash algorithms to
.BR pubkey
or a key strength definition (for example
.BR pubkey-sha1-sha256
.BR pubkey-sha256-sha512 ,
.BR rsa-2048-sha256-sha384-sha512 ,
or
.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
.BR rsa-2048-sha256-ecdsa-256-sha256-sha384 ).
Unless disabled in
.BR strongswan.conf (5),
or explicit IKEv2 signature constraints are configured (see below), such key
......@@ -143,3 +143,7 @@ endif
if USE_AIKGEN
SUBDIRS += aikgen
endif
if USE_TPM
SUBDIRS += tpm_extendpcr
endif
......@@ -123,6 +123,7 @@ host_triplet = @host@
@USE_IMV_SWIMA_TRUE@am__append_34 = sec-updater
@USE_INTEGRITY_TEST_TRUE@am__append_35 = checksum
@USE_AIKGEN_TRUE@am__append_36 = aikgen
@USE_TPM_TRUE@am__append_37 = tpm_extendpcr
subdir = src
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
......@@ -201,7 +202,8 @@ DIST_SUBDIRS = . include libstrongswan libipsec libsimaka libtls \
libcharon starter ipsec _copyright charon charon-systemd \
charon-nm stroke _updown scepclient pki swanctl conftest dumm \
libfast manager medsrv pool charon-tkm charon-cmd charon-svc \
pt-tls-client sw-collector sec-updater checksum aikgen
pt-tls-client sw-collector sec-updater checksum aikgen \
tpm_extendpcr
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
......@@ -478,7 +480,8 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
$(am__append_25) $(am__append_26) $(am__append_27) \
$(am__append_28) $(am__append_29) $(am__append_30) \
$(am__append_31) $(am__append_32) $(am__append_33) \
$(am__append_34) $(am__append_35) $(am__append_36)
$(am__append_34) $(am__append_35) $(am__append_36) \
$(am__append_37)
all: all-recursive
.SUFFIXES:
......@@ -63,7 +63,7 @@ struct cmd_option_t {
const char *name;
/** takes argument */
int has_arg;
/** decription of argument */
/** description of argument */
const char *arg;
/** short description to option */
const char *desc;
......@@ -55,7 +55,7 @@ struct nm_backend_t {
static nm_backend_t *nm_backend = NULL;
/**
* NM plugin processing routine, creates and handles NMVPNPlugin
* NM plugin processing routine, creates and handles NMVpnServicePlugin
*/
static job_requeue_t run(nm_backend_t *this)
{
/*
* Copyright (C) 2017 Lubomir Rintel
*
* Copyright (C) 2013 Tobias Brunner
* Copyright (C) 2008-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
......@@ -14,8 +16,6 @@
* for more details.
*/
#include <nm-setting-vpn.h>
#include <nm-setting-connection.h>
#include "nm_service.h"
#include <daemon.h>
......@@ -26,7 +26,7 @@
#include <stdio.h>
G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_SERVICE_PLUGIN)
/**
* Private data of NMStrongswanPlugin
......@@ -37,7 +37,7 @@ typedef struct {
/* IKE_SA we are listening on */
ike_sa_t *ike_sa;
/* backref to public plugin */
NMVPNPlugin *plugin;
NMVpnServicePlugin *plugin;
/* credentials to use for authentication */
nm_creds_t *creds;
/* attribute handler for DNS/NBNS server information */
......@@ -53,50 +53,46 @@ typedef struct {
/**
* convert enumerated handler chunks to a UINT_ARRAY GValue
*/
static GValue* handler_to_val(nm_handler_t *handler,
static GVariant* handler_to_variant(nm_handler_t *handler,
configuration_attribute_type_t type)
{
GValue *val;
GArray *array;
GVariantBuilder builder;
enumerator_t *enumerator;
chunk_t chunk;
g_variant_builder_init (&builder, G_VARIANT_TYPE ("au"));
enumerator = handler->create_enumerator(handler, type);
array = g_array_new (FALSE, TRUE, sizeof (guint32));
while (enumerator->enumerate(enumerator, &chunk))
{
g_array_append_val (array, *(uint32_t*)chunk.ptr);
g_variant_builder_add (&builder, "u",
g_variant_new_uint32 (*(uint32_t*)chunk.ptr));
}
enumerator->destroy(enumerator);
val = g_slice_new0 (GValue);
g_value_init (val, DBUS_TYPE_G_UINT_ARRAY);
g_value_set_boxed (val, array);
return val;
return g_variant_builder_end (&builder);
}
/**
* signal IPv4 config to NM, set connection as established
*/
static void signal_ipv4_config(NMVPNPlugin *plugin,
static void signal_ipv4_config(NMVpnServicePlugin *plugin,
ike_sa_t *ike_sa, child_sa_t *child_sa)
{
NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
GValue *val;
GHashTable *config;
GVariantBuilder builder;
enumerator_t *enumerator;
host_t *me, *other;
nm_handler_t *handler;
config = g_hash_table_new(g_str_hash, g_str_equal);
g_variant_builder_init (&builder, G_VARIANT_TYPE_VARDICT);
handler = priv->handler;
/* NM apparently requires to know the gateway */
val = g_slice_new0 (GValue);
g_value_init (val, G_TYPE_UINT);
other = ike_sa->get_other_host(ike_sa);
g_value_set_uint (val, *(uint32_t*)other->get_address(other).ptr);
g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY, val);
g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY,
g_variant_new_uint32 (*(uint32_t*)other->get_address(other).ptr));