authorRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2006-05-22 05:12:18 +0000
commitaa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (patch)
tree95f3d0c8cb0d59d88900dbbd72110d7ab6e15b2a /programs/_plutorun
parent7c383bc22113b23718be89fe18eeb251942d7356 (diff)
Import initial strongswan 2.7.0 version into SVN.
Diffstat (limited to 'programs/_plutorun')
-rw-r--r--programs/_plutorun/.cvsignore1
-rw-r--r--programs/_plutorun/Makefile43
-rw-r--r--programs/_plutorun/_plutorun.837
-rwxr-xr-xprograms/_plutorun/_plutorun.in281
4 files changed, 362 insertions, 0 deletions
diff --git a/programs/_plutorun/.cvsignore b/programs/_plutorun/.cvsignore
new file mode 100644
index 000000000..13e0ae1a1
--- /dev/null
+++ b/programs/_plutorun/.cvsignore
@@ -0,0 +1 @@
+_plutorun
diff --git a/programs/_plutorun/Makefile b/programs/_plutorun/Makefile
new file mode 100644
index 000000000..b0928797c
--- /dev/null
+++ b/programs/_plutorun/Makefile
@@ -0,0 +1,43 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=_plutorun
+PROGRAMDIR=${LIBDIR}
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:27 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.3 2002/08/02 16:01:26 mcr
+# moved user visible programs to $PREFIX/libexec, while moving
+# private files to $PREFIX/lib.
+#
+# Revision 1.2 2002/06/02 22:02:14 mcr
+# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
+# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
+# kernel sense.)
+#
+# Revision 1.1 2002/04/24 07:55:32 mcr
+# #include patches and Makefiles for post-reorg compilation.
+#
+#
+#
+
diff --git a/programs/_plutorun/_plutorun.8 b/programs/_plutorun/_plutorun.8
new file mode 100644
index 000000000..9de6927dc
--- /dev/null
+++ b/programs/_plutorun/_plutorun.8
@@ -0,0 +1,37 @@
+.TH _PLUTORUN 8 "25 Apr 2002"
+.\"
+.\" RCSID $Id: _plutorun.8,v 1.1 2004/03/15 20:35:27 as Exp $
+.\"
+.SH NAME
+ipsec _plutorun \- internal script to start pluto
+.SH DESCRIPTION
+.I _plutorun
+is called by
+.B _realsetup
+to configure and bring up
+.B ipsec_pluto(8).
+It calls
+.B _plutoload
+to invoke pluto, and watches to makes sure that pluto is restarted if it fails.
+.SH "SEE ALSO"
+ipsec(8), ipsec_setup(8), ipsec__realsetup(8), ipsec__plutoload(8), ipsec_pluto(8).
+.SH HISTORY
+Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
+by Michael Richardson. Original program written by Henry Spencer.
+.\"
+.\" $Log: _plutorun.8,v $
+.\" Revision 1.1 2004/03/15 20:35:27 as
+.\" added files from freeswan-2.04-x509-1.5.3
+.\"
+.\" Revision 1.2 2002/04/29 22:39:31 mcr
+.\" added basic man page for all internal commands.
+.\"
+.\" Revision 1.1 2002/04/26 01:21:43 mcr
+.\" while tracking down a missing (not installed) /etc/ipsec.conf,
+.\" MCR has decided that it is not okay for each program subdir to have
+.\" some subset (determined with -f) of possible files.
+.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
+.\" Optional PROGRAM.5 files have been added to the makefiles.
+.\"
+.\"
+.\"
diff --git a/programs/_plutorun/_plutorun.in b/programs/_plutorun/_plutorun.in
new file mode 100755
index 000000000..b02afeefb
--- /dev/null
+++ b/programs/_plutorun/_plutorun.in
@@ -0,0 +1,281 @@
+#!/bin/sh
+# Pluto control daemon
+# Copyright (C) 1998, 1999, 2001 Henry Spencer.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: _plutorun.in,v 1.9 2005/10/16 13:28:15 as Exp $
+
+me='ipsec _plutorun' # for messages
+
+info=/var/run/ipsec.info
+
+popts=
+stderrlog=
+plutorestartoncrash=true
+
+wherelog=daemon.error
+pidfile=/var/run/pluto.pid
+verb="Starting"
+for dummy
+do
+ case "$1" in
+ --re) verb="Restarting" ;;
+ --plutorestartoncrash) plutorestartoncrash="$2"; shift ;;
+ --debug) plutodebug="$2" ; shift ;;
+ --uniqueids) uniqueids="$2" ; shift ;;
+ --nat_traversal) nat_traversal="$2" ; shift ;;
+ --keep_alive) keep_alive="$2" ; shift ;;
+ --force_keepalive) force_keepalive="$2" ; shift ;;
+ --disable_port_floating) disable_port_floating="$2" ; shift ;;
+ --virtual_private) virtual_private="$2" ; shift ;;
+ --nocrsend) nocrsend="$2" ; shift ;;
+ --strictcrlpolicy) strictcrlpolicy="$2" ; shift ;;
+ --crlcheckinterval) crlcheckinterval="$2"; shift ;;
+ --cachecrls) cachecrls="$2" ; shift ;;
+ --pkcs11module) pkcs11module="$2"; shift ;;
+ --pkcs11keepstate) pkcs11keepstate="$2"; shift ;;
+ --pkcs11proxy) pkcs11proxy="$2"; shift ;;
+ --dump) dumpdir="$2" ; shift ;;
+ --opts) popts="$2" ; shift ;;
+ --stderrlog) stderrlog="$2" ; shift ;;
+ --wait) plutowait="$2" ; shift ;;
+ --pre) prepluto="$2" ; shift ;;
+ --post) postpluto="$2" ; shift ;;
+ --log) wherelog="$2" ; shift ;;
+ --pid) pidfile="$2" ; shift ;;
+ --) shift ; break ;;
+ -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
+ *) break ;;
+ esac
+ shift
+done
+
+# initially we are in the foreground, with parent looking after logging
+
+# precautions
+if test -f $pidfile
+then
+ echo "pluto appears to be running already (\`$pidfile' exists), will not start another"
+ exit 1
+fi
+if test ! -e /dev/urandom
+then
+ echo "cannot start Pluto, system lacks \`/dev/urandom'!?!"
+ exit 1
+fi
+
+# sort out options
+for d in $plutodebug
+do
+ popts="$popts --debug-$d"
+done
+case "$uniqueids" in
+yes) popts="$popts --uniqueids" ;;
+no|'') ;;
+*) echo "unknown uniqueids value (not yes/no) \`$IPSECuniqueids'" ;;
+esac
+case "$nocrsend" in
+yes) popts="$popts --nocrsend" ;;
+no|'') ;;
+*) echo "unknown nocrsend value (not yes/no) \`$IPSECnocrsend'" ;;
+esac
+case "$strictcrlpolicy" in
+yes) popts="$popts --strictcrlpolicy" ;;
+no|'') ;;
+*) echo "unknown strictcrlpolicy value (not yes/no) \`$IPSECstrictcrlpolicy'" ;;
+esac
+case "$cachecrls" in
+yes) popts="$popts --cachecrls" ;;
+no|'') ;;
+*) echo "unknown cachecrls value (not yes/no) \`$IPSECcachecrls'" ;;
+esac
+case "$nat_traversal" in
+yes) popts="$popts --nat_traversal" ;;
+no|'') ;;
+*) echo "unknown nat_traversal value (not yes/no) \`$IPSECnat_traversal'" ;;
+esac
+[ -n "$keep_alive" ] && popts="$popts --keep_alive $keep_alive"
+case "$force_keepalive" in
+yes) popts="$popts --force_keepalive" ;;
+no|'') ;;
+*) echo "unknown force_keepalive value (not yes/no) \`$IPSECforce_keepalive'" ;;
+esac
+case "$disable_port_floating" in
+yes) popts="$popts --disable_port_floating" ;;
+no|'') ;;
+*) echo "unknown disable_port_floating (not yes/no) \`$disable_port_floating'" ;;
+esac
+case "$pkcs11keepstate" in
+yes) popts="$popts --pkcs11keepstate" ;;
+no|'') ;;
+*) echo "unknown pkcs11keepstate value (not yes/no) \`$IPSECpkcs11keepstate'" ;;
+esac
+case "$pkcs11proxy" in
+yes) popts="$popts --pkcs11proxy" ;;
+no|'') ;;
+*) echo "unknown pkcs11proxy value (not yes/no) \`$IPSECpkcs11proxy'" ;;
+esac
+
+[ -n "$virtual_private" ] && popts="$popts --virtual_private $virtual_private"
+
+# add crl check interval
+if test ${crlcheckinterval:-0} -gt 0
+then
+ popts="$popts --crlcheckinterval $crlcheckinterval"
+fi
+
+if test -n "$pkcs11module"
+then
+ popts="$popts --pkcs11module $pkcs11module"
+fi
+
+if test -n "$stderrlog"
+then
+ popts="$popts --stderrlog 2>>$stderrlog"
+
+ if test -f $stderrlog
+ then
+ if test ! -w $stderrlog
+ then
+ echo Cannot write to \"$stderrlog\".
+ exit 1
+ fi
+ else
+ if test ! -w "`dirname $stderrlog`"
+ then
+ echo Cannot write to directory to create \"$stderrlog\".
+ exit 1
+ fi
+ fi
+
+ echo "Plutorun started on "`date` >$stderrlog
+fi
+
+# set up dump directory
+if test " $dumpdir" = " "
+then
+ ulimit -c 0 # preclude core dumps
+elif test ! -d "$dumpdir"
+then
+ echo "dumpdir \`$dumpdir' does not exist, ignored"
+ ulimit -c 0 # preclude core dumps
+elif cd $dumpdir # put them where desired
+then
+ ulimit -c unlimited # permit them
+else
+ echo "cannot cd to dumpdir \`$dumpdir', ignored"
+ ulimit -c 0 # preclude them
+fi
+
+# execute any preliminaries
+if test " $prepluto" != " "
+then
+ $prepluto
+ st=$?
+ if test " $st" -ne 0
+ then
+ echo "...prepluto command exited with status $st"
+ fi
+fi
+
+IPSEC_SECRETS=${IPSEC_CONFS}/ipsec.secrets
+if test ! -f "${IPSEC_SECRETS}"
+then
+ ( logger -p authpriv.info -t ipsec__plutorun No file ${IPSEC_SECRETS}, generating key.
+ ipsec scepclient --out pkcs1 --out cert-self --quiet
+ echo -e "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n" > ${IPSEC_SECRETS}
+ chmod 600 ${IPSEC_SECRETS}
+ echo ": RSA myKey.der" >> ${IPSEC_SECRETS}
+
+ # tell pluto to go re-read the file
+ ipsec auto --rereadsecrets
+ ) &
+fi
+
+#
+# make sure that the isakmp port is open!
+#
+if test -f /etc/sysconfig/ipchains
+then
+ if egrep -q 500:500 /etc/sysconfig/ipchains
+ then
+ :
+ else
+ ipchains -I input 1 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 500:500 -j ACCEPT
+ # if it redhat, then save the rules again.
+ if [ -f /etc/redhat-release ]
+ then
+ sh /etc/rc.d/init.d/ipchains save
+ fi
+ fi
+fi
+
+# spin off into the background, with our own logging
+echo "$verb Pluto subsystem..." | logger -p authpriv.error -t ipsec__plutorun
+execdir=${IPSEC_EXECDIR-@IPSEC_EXECDIR@}
+libdir=${IPSEC_LIBDIR-@IPSEC_LIBDIR@}
+until (
+ if test -s $info
+ then
+ . $info
+ export defaultroutephys defaultroutevirt defaultrouteaddr defaultroutenexthop
+ fi
+ # eval allows $popts to contain redirection and other magic
+ eval $execdir/pluto --nofork --secretsfile "$IPSEC_SECRETS" --policygroupsdir "${IPSEC_CONFS}/ipsec.d/policies" $popts
+ status=$?
+ echo "exit"
+ echo $status
+ ) | $libdir/_plutoload --wait "$plutowait" --post "$postpluto"
+do
+ status=$?
+ case "$status" in
+ 13) echo "internal failure in pluto scripts, impossible to carry on"
+ exit 1
+ ;;
+ 10) echo "pluto apparently already running (?!?), giving up"
+ exit 1
+ ;;
+ 137) echo "pluto killed by SIGKILL, terminating without restart or unlock"
+ exit 0
+ ;;
+ 143) echo "pluto killed by SIGTERM, terminating without restart"
+ # pluto now does its own unlock for this
+ exit 0
+ ;;
+ *) st=$status
+ if $plutorestartoncrash
+ then
+ :
+ else
+ exit 0
+ fi
+
+ if test $st -gt 128
+ then
+ st="$st (signal `expr $st - 128`)"
+ fi
+ echo "!pluto failure!: exited with error status $st"
+ echo "restarting IPsec after pause..."
+ (
+ sleep 10
+ ipsec setup _autorestart
+ ) </dev/null >/dev/null 2>&1 &
+ exit 1
+ ###sleep 10
+ ###rm -rf $pidfile
+ #### and go around the loop again
+ ;;
+ esac
+done </dev/null 2>&1 |
+ logger -s -p $wherelog -t ipsec__plutorun >/dev/null 2>/dev/null &
+
+exit 0
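Review bot: The ipchains block near the end of the hunk silently changes host firewall policy: when /etc/sysconfig/ipchains exists and does not contain the string `500:500`, it inserts an ACCEPT for UDP/500 from any source at position 1 of the input chain and, on Red Hat, persists it with `sh /etc/rc.d/init.d/ipchains save`, so every start of pluto can widen the firewall ahead of whatever the administrator configured. The `egrep -q 500:500` test is only a substring match, so an existing DENY or REJECT rule naming that port suppresses the insert just as an ACCEPT would, and nothing is logged in either case. I would gate the insert on an explicit option passed by the caller instead of doing it unconditionally, match on protocol, port and target rather than the bare string, and record the change, e.g. `echo "inserting ipchains ACCEPT for udp/500 from any source" | logger -p authpriv.notice -t ipsec__plutorun` immediately before the `ipchains -I input 1 ...` line. Separately, the secrets block creates `${IPSEC_SECRETS}` under the inherited umask before the `chmod 600`, so a `umask 077` at the top of that subshell closes the window, and with IPSEC_CONFS unset the path degrades to `/ipsec.secrets`, which deserves a guard before anything is generated there.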