authorRene Mayrhofer <rene@mayrhofer.eu.org>2008-07-10 12:47:56 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2008-07-10 12:47:56 +0000
commiteb841c5ef668a48782ef1154fda65cb6048f5885 (patch)
tree00dd0cb4313bf2291d94ed511fe51f0b4bc7ea7a /src/starter
parent738206039047924ae7e4762a53d121be1ca43000 (diff)
downloadvyos-strongswan-eb841c5ef668a48782ef1154fda65cb6048f5885.tar.gz
vyos-strongswan-eb841c5ef668a48782ef1154fda65cb6048f5885.zip
- Updated to new upstream.
Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/Makefile.am16
-rw-r--r--src/starter/Makefile.in52
-rw-r--r--src/starter/args.c27
-rw-r--r--src/starter/cmp.c8
-rw-r--r--src/starter/confread.c156
-rw-r--r--src/starter/confread.h21
-rw-r--r--src/starter/invokecharon.c58
-rw-r--r--src/starter/invokepluto.c58
-rw-r--r--src/starter/ipsec.conf.587
-rw-r--r--src/starter/keywords.c270
-rw-r--r--src/starter/keywords.h17
-rw-r--r--src/starter/keywords.txt13
-rw-r--r--src/starter/lex.yy.c43
-rw-r--r--src/starter/starter.c67
-rw-r--r--src/starter/starterstroke.c109
-rw-r--r--src/starter/starterstroke.h5
-rw-r--r--src/starter/starterwhack.c54
17 files changed, 605 insertions, 456 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 40725a996..e6346a585 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -16,7 +16,7 @@ PLUTODIR=$(top_srcdir)/src/pluto
SCEPCLIENTDIR=$(top_srcdir)/src/scepclient
lex.yy.c: y.tab.c parser.l parser.y parser.h
- $(LEX) parser.l
+ $(LEX) --nounput parser.l
y.tab.c: parser.l parser.y parser.h
$(YACC) -v -d parser.y
@@ -30,5 +30,15 @@ keywords.c: keywords.txt keywords.h
defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
$(COMPILE) -c -o $@ $<
-install-exec-local :
- test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf
+install-exec-local :
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
+ test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 644 ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+
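Review bot: Every new install-exec-local line ends in `|| true`, so a failing `$(INSTALL)` (unknown `${ipsecuser}`/`${ipsecgroup}`, permission error, full disk) is swallowed and `make install` reports success even when `ipsec.d/private` (the `-m 750` key directory) or `ipsec.conf` was never created. The leading `test -e … ||` already covers the "already exists" case, so the trailing `|| true` only hides real failures; drop it, e.g. `test -e "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private"`. If it was added to tolerate non-root staging installs where `-o`/`-g` cannot be honoured, make that explicit (pass `-o`/`-g` only when running as root) rather than ignoring every error. Also, the `ipsec.conf` destination on the last line is unquoted while its `test -e` argument is quoted, and the recipe mixes `${sysconfdir}` with `$(sysconfdir)`; the same recipe is mirrored in the generated Makefile.in.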
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index a9e86fab0..03bb318a5 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.10 from Makefile.am.
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -95,6 +95,7 @@ CXXFLAGS = @CXXFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
ECHO = @ECHO@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
@@ -124,6 +125,7 @@ LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
OBJEXT = @OBJEXT@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
@@ -154,7 +156,6 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
-backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -165,12 +166,11 @@ builddir = @builddir@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
-dbus_CFLAGS = @dbus_CFLAGS@
-dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
-eapdir = @eapdir@
exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -180,12 +180,12 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
-interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecuid = @ipsecuid@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -198,10 +198,12 @@ plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+resolv_conf = @resolv_conf@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
simreader = @simreader@
srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_builddir = @top_builddir@
@@ -264,8 +266,8 @@ install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
|| test -f $$p1 \
; then \
f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
else :; fi; \
done
@@ -431,8 +433,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
+ $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
@@ -444,8 +446,8 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
@@ -455,13 +457,12 @@ ctags: CTAGS
CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
tags=; \
- here=`pwd`; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
test -z "$(CTAGS_ARGS)$$tags$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$tags $$unique
@@ -613,7 +614,7 @@ uninstall-man: uninstall-man5 uninstall-man8
lex.yy.c: y.tab.c parser.l parser.y parser.h
- $(LEX) parser.l
+ $(LEX) --nounput parser.l
y.tab.c: parser.l parser.y parser.h
$(YACC) -v -d parser.y
@@ -627,8 +628,17 @@ keywords.c: keywords.txt keywords.h
defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
$(COMPILE) -c -o $@ $<
-install-exec-local :
- test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf
+install-exec-local :
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
+ test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 644 ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/starter/args.c b/src/starter/args.c
index 8539f209b..8a0262d8d 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -1,5 +1,4 @@
/* automatic handling of confread struct arguments
- * Copyright (C) 2007 Tobias Brunner
* Copyright (C) 2006 Andreas Steffen
* Hochschule fuer Technik Rapperswil, Switzerland
*
@@ -13,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: args.c 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: args.c 3932 2008-05-12 10:05:49Z andreas $
*/
#include <stddef.h>
@@ -62,6 +61,14 @@ static const char *LST_sendcert[] = {
NULL
};
+static const char *LST_unique[] = {
+ "no",
+ "yes",
+ "replace",
+ "keep",
+ NULL
+};
+
static const char *LST_strict[] = {
"no",
"yes",
@@ -163,7 +170,8 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_config_t, setup.charondebug), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.prepluto), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.postpluto), NULL },
- { ARG_ENUM, offsetof(starter_config_t, setup.uniqueids), LST_bool },
+ { ARG_STR, offsetof(starter_config_t, setup.plutostderrlog), NULL },
+ { ARG_ENUM, offsetof(starter_config_t, setup.uniqueids), LST_unique },
{ ARG_UINT, offsetof(starter_config_t, setup.overridemtu), NULL },
{ ARG_TIME, offsetof(starter_config_t, setup.crlcheckinterval), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.cachecrls), LST_bool },
@@ -171,8 +179,8 @@ static const token_info_t token_info[] =
{ ARG_ENUM, offsetof(starter_config_t, setup.nocrsend), LST_bool },
{ ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool },
{ ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL },
+ { ARG_ENUM, offsetof(starter_config_t, setup.force_keepalive), LST_bool },
{ ARG_STR, offsetof(starter_config_t, setup.virtual_private), NULL },
- { ARG_STR, offsetof(starter_config_t, setup.eapdir), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.pkcs11module), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.pkcs11initargs), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool },
@@ -211,9 +219,9 @@ static const token_info_t token_info[] =
{ ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action },
{ ARG_MISC, 0, NULL /* KW_MODECONFIG */ },
{ ARG_MISC, 0, NULL /* KW_XAUTH */ },
- { ARG_ENUM, offsetof(starter_conn_t, p2p_mediation), LST_bool },
- { ARG_STR, offsetof(starter_conn_t, p2p_mediated_by), NULL },
- { ARG_STR, offsetof(starter_conn_t, p2p_peerid), NULL },
+ { ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool },
+ { ARG_STR, offsetof(starter_conn_t, me_mediated_by), NULL },
+ { ARG_STR, offsetof(starter_conn_t, me_peerid), NULL },
/* ca section keywords */
{ ARG_STR, offsetof(starter_ca_t, name), NULL },
@@ -225,14 +233,15 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_ca_t, crluri2), NULL },
{ ARG_STR, offsetof(starter_ca_t, ocspuri), NULL },
{ ARG_STR, offsetof(starter_ca_t, ocspuri2), NULL },
+ { ARG_STR, offsetof(starter_ca_t, certuribase), NULL },
/* end keywords */
{ ARG_MISC, 0, NULL /* KW_HOST */ },
{ ARG_MISC, 0, NULL /* KW_NEXTHOP */ },
- { ARG_MISC, 0, NULL /* KW_SUBNET */ },
+ { ARG_STR, offsetof(starter_end_t, subnet), NULL },
{ ARG_MISC, 0, NULL /* KW_SUBNETWITHIN */ },
{ ARG_MISC, 0, NULL /* KW_PROTOPORT */ },
- { ARG_MISC, 0, NULL /* KW_SOURCEIP */ },
+ { ARG_STR, offsetof(starter_end_t, srcip), NULL },
{ ARG_MISC, 0, NULL /* KW_NATIP */ },
{ ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool },
{ ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool },
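Review bot: The new `LST_unique` list has four entries (`no`, `yes`, `replace`, `keep`), yet the `setup.uniqueids` field it is assigned into is still declared `bool uniqueids;` in the unchanged context of the confread.h hunk in this same commit. If `assign_arg` stores the list index for `ARG_ENUM`, the values 2 and 3 for `replace`/`keep` cannot survive in a `bool`, and whoever later forwards `uniqueids` to charon will see only a yes/no value; I cannot see `assign_arg`, so please confirm its write width. The field should become an int/enum type wide enough for the four indices, and the consumer of `setup.uniqueids` should be updated accordingly.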
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index a4198ce41..5abb8399b 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: cmp.c 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: cmp.c 3881 2008-04-27 11:04:13Z andreas $
*/
#include <string.h>
@@ -29,6 +29,7 @@
#define VARCMP(obj) if (c1->obj != c2->obj) return FALSE
#define ADDCMP(obj) if (!sameaddr(&c1->obj,&c2->obj)) return FALSE
#define SUBCMP(obj) if (!samesubnet(&c1->obj,&c2->obj)) return FALSE
+#define STRCMP(obj) if (strcmp(c1->obj,c2->obj)) return FALSE
static bool
starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
@@ -45,12 +46,11 @@ starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
ADDCMP(addr);
}
ADDCMP(nexthop);
- ADDCMP(srcip);
- SUBCMP(subnet);
VARCMP(has_client);
VARCMP(has_client_wildcard);
VARCMP(has_port_wildcard);
- VARCMP(has_srcip);
+ VARCMP(has_natip);
+ VARCMP(has_virt);
VARCMP(modecfg);
VARCMP(port);
VARCMP(protocol);
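Review bot: The new `STRCMP(obj)` macro calls `strcmp` on `c1->obj`/`c2->obj` without a NULL check, but the fields it is meant for (`srcip`, `subnet`) are now `char *` that are legitimately NULL — confread.c in this commit explicitly sets `end->srcip = NULL` for `%modeconfig`, and `subnet` is only set on some paths — so comparing two ends where one side is unset dereferences NULL. Its use is not visible in this hunk (the `srcip`/`subnet` comparisons were removed here and presumably re-added elsewhere), so this applies wherever it is expanded. Make the macro NULL-safe: `#define STRCMP(obj) if ((c1->obj == NULL) != (c2->obj == NULL) || (c1->obj && strcmp(c1->obj, c2->obj))) return FALSE`.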
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 7a312d893..df9be43bb 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: confread.c 3405 2007-12-19 00:49:32Z andreas $
+ * RCSID $Id: confread.c 4051 2008-06-10 09:08:27Z tobias $
*/
#include <stddef.h>
@@ -32,7 +32,7 @@
#include "interfaces.h"
/* strings containing a colon are interpreted as an IPv6 address */
-#define ip_version(string) (strchr(string, ':') != NULL)? AF_INET6 : AF_INET;
+#define ip_version(string) (strchr(string, '.') ? AF_INET : AF_INET6)
static const char ike_defaults[] = "aes128-sha-modp2048";
static const char esp_defaults[] = "aes128-sha1, 3des-md5";
@@ -79,6 +79,8 @@ static void default_values(starter_config_t *cfg)
cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
cfg->conn_default.addr_family = AF_INET;
cfg->conn_default.tunnel_addr_family = AF_INET;
+ cfg->conn_default.dpd_delay = 30; /* seconds */
+ cfg->conn_default.dpd_timeout = 150; /* seconds */
cfg->conn_default.left.seen = LEMPTY;
cfg->conn_default.right.seen = LEMPTY;
@@ -88,10 +90,8 @@ static void default_values(starter_config_t *cfg)
anyaddr(AF_INET, &cfg->conn_default.left.addr);
anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
- anyaddr(AF_INET, &cfg->conn_default.left.srcip);
anyaddr(AF_INET, &cfg->conn_default.right.addr);
anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
- anyaddr(AF_INET, &cfg->conn_default.right.srcip);
cfg->ca_default.seen = LEMPTY;
}
@@ -146,17 +146,91 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
goto err;
- if (token == KW_SENDCERT)
+ /* post processing of some keywords that were assigned automatically */
+ switch (token)
{
+ case KW_SUBNET:
+ if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
+ || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
+ {
+ /* used by pluto only */
+ end->has_virt = TRUE;
+ }
+ else
+ {
+ ip_subnet net;
+ char *pos;
+ int len = 0;
+
+ end->has_client = TRUE;
+ conn->tunnel_addr_family = ip_version(value);
+
+ pos = strchr(value, ',');
+ if (pos)
+ {
+ len = pos - value;
+ }
+ ugh = ttosubnet(value, len, ip_version(value), &net);
+ if (ugh != NULL)
+ {
+ plog("# bad subnet: %s=%s [%s]", name, value, ugh);
+ goto err;
+ }
+ }
+ break;
+ case KW_SOURCEIP:
+ if (end->has_natip)
+ {
+ plog("# natip and sourceip cannot be defined at the same time");
+ goto err;
+ }
+ if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
+ streq(value, "%config") || streq(value, "%cfg"))
+ {
+ pfree(end->srcip);
+ end->srcip = NULL;
+ end->modecfg = TRUE;
+ }
+ else
+ {
+ ip_address addr;
+ ip_subnet net;
+
+ conn->tunnel_addr_family = ip_version(value);
+ if (strchr(value, '/'))
+ { /* CIDR notation, address pool */
+ ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
+ }
+ else if (value[0] != '%')
+ { /* old style fixed srcip, a %poolname otherwise */
+ ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
+ }
+ if (ugh != NULL)
+ {
+ plog("# bad addr: %s=%s [%s]", name, value, ugh);
+ goto err;
+ }
+ }
+ conn->policy |= POLICY_TUNNEL;
+ break;
+ case KW_SENDCERT:
if (end->sendcert == CERT_YES_SEND)
+ {
end->sendcert = CERT_ALWAYS_SEND;
+ }
else if (end->sendcert == CERT_NO_SEND)
+ {
end->sendcert = CERT_NEVER_SEND;
+ }
+ break;
+ default:
+ break;
}
if (assigned)
return;
+ /* individual processing of keywords that were not assigned automatically */
switch (token)
{
case KW_HOST:
@@ -189,7 +263,6 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
conn->policy |= POLICY_GROUP | POLICY_TUNNEL;
anyaddr(conn->addr_family, &end->addr);
anyaddr(conn->tunnel_addr_family, &any);
- initsubnet(&any, 0, '0', &end->subnet);
end->has_client = TRUE;
}
else
@@ -243,69 +316,41 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
goto err;
}
break;
- case KW_SUBNET:
- if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
- || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
- {
- end->virt = clone_str(value, "virt");
- }
- else
- {
- end->has_client = TRUE;
- conn->tunnel_addr_family = ip_version(value);
- ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
- if (ugh != NULL)
- {
- plog("# bad subnet: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- }
- break;
case KW_SUBNETWITHIN:
+ {
+ ip_subnet net;
+
end->has_client = TRUE;
end->has_client_wildcard = TRUE;
conn->tunnel_addr_family = ip_version(value);
- ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
+
+ ugh = ttosubnet(value, 0, ip_version(value), &net);
+ if (ugh != NULL)
+ {
+ plog("# bad subnet: %s=%s [%s]", name, value, ugh);
+ goto err;
+ }
+ end->subnet = clone_str(value, "subnetwithin");
break;
+ }
case KW_PROTOPORT:
ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
end->has_port_wildcard = has_port_wildcard;
break;
- case KW_SOURCEIP:
- if (end->has_natip)
- {
- plog("# natip and sourceip cannot be defined at the same time");
- goto err;
- }
- if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
- streq(value, "%config") || streq(value, "%cfg"))
- {
- end->modecfg = TRUE;
- }
- else
- {
- conn->tunnel_addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
- if (ugh != NULL)
- {
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- end->has_srcip = TRUE;
- }
- conn->policy |= POLICY_TUNNEL;
- break;
case KW_NATIP:
- if (end->has_srcip)
+ if (end->srcip)
{
plog("# natip and sourceip cannot be defined at the same time");
goto err;
}
if (streq(value, "%defaultroute"))
{
+ char buf[64];
+
if (cfg->defaultroute.defined)
{
- end->srcip = cfg->defaultroute.addr;
+ addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
+ end->srcip = clone_str(buf, "natip");
}
else
{
@@ -315,13 +360,16 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
}
else
{
+ ip_address addr;
+
conn->tunnel_addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
+ ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
goto err;
}
+ end->srcip = clone_str(value, "srcip");
}
end->has_natip = TRUE;
conn->policy |= POLICY_TUNNEL;
@@ -487,10 +535,12 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
/* also handles the cases secret|rsasig and rsasig|secret */
for (;;)
{
- if (streq(value, "rsasig"))
+ if (streq(value, "rsa") || streq(value, "rsasig"))
conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT;
else if (streq(value, "secret") || streq(value, "psk"))
conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
+ else if (streq(value, "ecdsa") || streq(value, "ecdsasig"))
+ conn->policy |= POLICY_ECDSASIG | POLICY_ENCRYPT;
else if (streq(value, "xauthrsasig"))
conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
else if (streq(value, "xauthpsk"))
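Review bot: In the new `KW_SOURCEIP` case the `if (ugh != NULL)` check runs even when neither `ttosubnet` nor `ttoaddr` was called — a value such as `%poolname` (starts with `%`, no `/`) takes neither branch — so the test reads whatever `ugh` held before the switch instead of a result for this keyword; `ugh` is declared outside the hunk, so I cannot see whether it is reliably NULL there. Initialise it in the case, e.g. `ugh = NULL;` before the `if (strchr(value, '/'))`, or add an `else` branch that leaves `ugh = NULL` explicitly. Separately, the `KW_SUBNET` case only validates the text up to the first comma, so the remaining comma-separated subnets documented as IKEv2-only are passed through unvalidated; that deserves a comment like `/* only the first subnet is validated here; the rest is checked by the daemon */`. The context comment above the changed `ip_version` macro, "strings containing a colon are interpreted as an IPv6 address", is now stale since the macro keys on a dot; it should read `/* strings containing a dot are interpreted as IPv4, anything else as IPv6 */`, and note that a dot-less hostname is now classified as IPv6.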
diff --git a/src/starter/confread.h b/src/starter/confread.h
index a32e7116d..41f02476f 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -1,6 +1,4 @@
/* strongSwan IPsec config file parser
- * Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
* Copyright (C) 2001-2002 Mathieu Lafon
* Arkoon Network Security
*
@@ -14,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: confread.h 3394 2007-12-13 17:31:21Z martin $
+ * RCSID $Id: confread.h 3932 2008-05-12 10:05:49Z andreas $
*/
#ifndef _IPSEC_CONFREAD_H_
@@ -67,13 +65,12 @@ struct starter_end {
char *iface;
ip_address addr;
ip_address nexthop;
- ip_address srcip;
- ip_subnet subnet;
+ char *subnet;
bool has_client;
bool has_client_wildcard;
bool has_port_wildcard;
- bool has_srcip;
bool has_natip;
+ bool has_virt;
bool modecfg;
certpolicy_t sendcert;
bool firewall;
@@ -83,7 +80,7 @@ struct starter_end {
char *updown;
u_int16_t port;
u_int8_t protocol;
- char *virt;
+ char *srcip;
};
typedef struct also also_t;
@@ -130,9 +127,9 @@ struct starter_conn {
dpd_action_t dpd_action;
int dpd_count;
- bool p2p_mediation;
- char *p2p_mediated_by;
- char *p2p_peerid;
+ bool me_mediation;
+ char *me_mediated_by;
+ char *me_peerid;
starter_conn_t *next;
};
@@ -155,6 +152,7 @@ struct starter_ca {
char *crluri2;
char *ocspuri;
char *ocspuri2;
+ char *certuribase;
bool strict;
@@ -176,6 +174,7 @@ struct starter_config {
char *charondebug;
char *prepluto;
char *postpluto;
+ char *plutostderrlog;
bool uniqueids;
u_int overridemtu;
u_int crlcheckinterval;
@@ -184,8 +183,8 @@ struct starter_config {
bool nocrsend;
bool nat_traversal;
u_int keep_alive;
+ u_int force_keepalive;
char *virtual_private;
- char *eapdir;
char *pkcs11module;
char *pkcs11initargs;
bool pkcs11keepstate;
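Review bot: The new `force_keepalive` field is declared `u_int`, but the args.c hunk in this commit registers it as `ARG_ENUM` with `LST_bool` and invokepluto.c tests it as a plain truth value; the neighbouring `LST_bool`-backed setup fields (`nocrsend`, `nat_traversal`, `pkcs11keepstate`) are all `bool`. Declare it consistently: `bool force_keepalive;`. The new `char *subnet` and `char *srcip` members in `starter_end` replace fixed-size `ip_subnet`/`ip_address` values with heap strings (`clone_str` in confread.c), so the routine that frees a `starter_end_t` (outside this diff) must now release them — please confirm it does.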
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 111bb9c6f..849a0af32 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: invokecharon.c 3344 2007-11-15 18:34:05Z martin $
+ * RCSID $Id: invokecharon.c 3928 2008-05-11 07:59:00Z andreas $
*/
#include <sys/types.h>
@@ -101,11 +101,11 @@ starter_stop_charon (void)
int
-starter_start_charon (starter_config_t *cfg, bool debug)
+starter_start_charon (starter_config_t *cfg, bool no_fork)
{
- int pid, i;
struct stat stb;
- char buffer[BUF_LEN], buffer1[BUF_LEN];
+ int pid, i;
+ char buffer[BUF_LEN];
int argc = 1;
char *arg[] = {
CHARON_CMD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
@@ -114,30 +114,10 @@ starter_start_charon (starter_config_t *cfg, bool debug)
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
};
- if (!debug)
+ if (!no_fork)
{
arg[argc++] = "--use-syslog";
}
- if (cfg->setup.strictcrlpolicy)
- {
- arg[argc++] = "--strictcrlpolicy";
- arg[argc++] = cfg->setup.strictcrlpolicy == STRICT_IFURI ? "2":"1";
- }
- if (cfg->setup.cachecrls)
- {
- arg[argc++] = "--cachecrls";
- }
- if (cfg->setup.crlcheckinterval > 0)
- {
- snprintf(buffer1, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
- arg[argc++] = "--crlcheckinterval";
- arg[argc++] = buffer1;
- }
- if (cfg->setup.eapdir)
- {
- arg[argc++] = "--eapdir";
- arg[argc++] = cfg->setup.eapdir;
- }
{ /* parse debug string */
char *pos, *level, *buf_pos, type[4];
@@ -179,34 +159,6 @@ starter_start_charon (starter_config_t *cfg, bool debug)
unlink(CHARON_CTL_FILE);
_stop_requested = 0;
- /* if ipsec.secrets file is missing then generate RSA default key pair */
- if (stat(SECRETS_FILE, &stb) != 0)
- {
- mode_t oldmask;
- FILE *f;
-
- plog("no %s file, generating RSA key", SECRETS_FILE);
- seteuid(IPSEC_UID);
- setegid(IPSEC_GID);
- system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
- seteuid(0);
- setegid(0);
-
- /* ipsec.secrets is root readable only */
- oldmask = umask(0066);
-
- f = fopen(SECRETS_FILE, "w");
- if (f)
- {
- fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
- fprintf(f, "\n");
- fprintf(f, ": RSA myKey.der\n");
- fclose(f);
- }
- chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID);
- umask(oldmask);
- }
-
pid = fork();
switch (pid)
{
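Review bot: After removing the `stat(SECRETS_FILE, &stb)` block from `starter_start_charon`, the reordered declaration `struct stat stb;` that the hunk keeps appears to have no remaining use in the function; drop it unless it is referenced in code outside the hunk. The same holds for `struct stat stb;` kept in `starter_start_pluto` in invokepluto.c. Since this also removes the only code path that created `SECRETS_FILE` with a `0066` umask and root/IPSEC_UID ownership, the comment at the former location (or the commit message) should state where default-key and secrets-file creation now happens, so that the expected file permissions remain documented.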
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index 5234722be..a3cf3a786 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: invokepluto.c 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: invokepluto.c 3942 2008-05-13 07:37:08Z martin $
*/
#include <sys/types.h>
@@ -21,6 +21,7 @@
#include <string.h>
#include <stdlib.h>
#include <errno.h>
+#include <fcntl.h>
#include <freeswan.h>
@@ -104,10 +105,10 @@ starter_stop_pluto (void)
}
int
-starter_start_pluto (starter_config_t *cfg, bool debug)
+starter_start_pluto (starter_config_t *cfg, bool no_fork)
{
- int i;
struct stat stb;
+ int i;
pid_t pid;
char **l;
int argc = 2;
@@ -121,7 +122,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
printf ("starter_start_pluto entered\n");
- if (debug)
+ if (cfg->setup.plutostderrlog || no_fork)
{
arg[argc++] = "--stderrlog";
}
@@ -167,6 +168,10 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
{
arg[argc++] = "--nat_traversal";
}
+ if (cfg->setup.force_keepalive)
+ {
+ arg[argc++] = "--force_keepalive";
+ }
if (cfg->setup.keep_alive)
{
static char buf2[15];
@@ -175,13 +180,11 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
snprintf(buf2, sizeof(buf2), "%u", cfg->setup.keep_alive);
arg[argc++] = buf2;
}
-#ifdef VIRTUAL_IP
if (cfg->setup.virtual_private)
{
arg[argc++] = "--virtual_private";
arg[argc++] = cfg->setup.virtual_private;
}
-#endif
if (cfg->setup.pkcs11module)
{
arg[argc++] = "--pkcs11module";
@@ -214,34 +217,6 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
if (cfg->setup.prepluto)
system(cfg->setup.prepluto);
- /* if ipsec.secrets file is missing then generate RSA default key pair */
- if (stat(SECRETS_FILE, &stb) != 0)
- {
- mode_t oldmask;
- FILE *f;
-
- plog("no %s file, generating RSA key", SECRETS_FILE);
- seteuid(IPSEC_UID);
- setegid(IPSEC_GID);
- system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
- seteuid(0);
- setegid(0);
-
- /* ipsec.secrets is root readable only */
- oldmask = umask(0066);
-
- f = fopen(SECRETS_FILE, "w");
- if (f)
- {
- fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
- fprintf(f, "\n");
- fprintf(f, ": RSA myKey.der\n");
- fclose(f);
- }
- chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID);
- umask(oldmask);
- }
-
pid = fork();
switch (pid)
{
@@ -250,6 +225,21 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
return -1;
case 0:
/* child */
+ if (cfg->setup.plutostderrlog)
+ {
+ int f = creat(cfg->setup.plutostderrlog, 00644);
+
+ /* redirect stderr to file */
+ if (f < 0)
+ {
+ plog("couldn't open stderr redirection file '%s'",
+ cfg->setup.plutostderrlog);
+ }
+ else
+ {
+ dup2(f, 2);
+ }
+ }
setsid();
sigprocmask(SIG_SETMASK, 0, NULL);
execv(arg[0], arg);
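Review bot: The stderr redirection in the child creates the log with `creat(cfg->setup.plutostderrlog, 00644)`, so a file that will receive pluto's stderr (including any `plutodebug` output) is world-readable by default, and the descriptor `f` is never closed after `dup2(f, 2)`, so pluto inherits a second open descriptor on the same file across `execv`. Use an explicit `open` with a restrictive mode and close the spare descriptor: `int f = open(cfg->setup.plutostderrlog, O_WRONLY | O_CREAT | O_TRUNC, 0600);` and after `dup2(f, 2);` add `close(f);`. `<fcntl.h>` is already added in this commit, so no further include is needed. The surrounding `starter_start_pluto` continues outside the hunk.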
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index d542af555..bf8bcc0d2 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -1,5 +1,5 @@
.TH IPSEC.CONF 5 "27 Jun 2007"
-.\" RCSID $Id: ipsec.conf.5 3394 2007-12-13 17:31:21Z martin $
+.\" RCSID $Id: ipsec.conf.5 3934 2008-05-12 12:46:30Z andreas $
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
@@ -373,7 +373,7 @@ for the connection, e.g.
(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup
and rekeying include a separate diffe hellman exchange (IKEv2 only).
.TP
-.B force_encap
+.B forceencaps
Force UDP encapsulation for ESP packets even if no NAT situation is detected.
This may help to hurdle restrictive firewalls. To enforce the peer to
encapsulate packets, NAT detection payloads are faked (IKEv2 only).
@@ -633,7 +633,10 @@ The internal source IP to use in a tunnel for the remote peer. If the
value is
.B %config
on the responder side, the initiator must propose a address which is then echoed
-back.
+back. The IKEv2 daemon also supports address pools expressed as
+\fInetwork\fB/\fInetmask\fR
+or the use of an external IP address pool using %\fIpoolname\fR
+, where \fIpoolname\fR is the name of the IP address pool used for the lookup.
.TP
.B leftsubnet
private subnet behind the left participant, expressed as
@@ -643,7 +646,9 @@ private subnet behind the left participant, expressed as
if omitted, essentially assumed to be \fIleft\fB/32\fR,
signifying that the left end of the connection goes to the left participant
only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greates common subnet.
+protocol narrows it to the greatest common subnet. Further, IKEv2 supports
+multiple subnets separated by commas. IKEv1 only interprets the first subnet
+of such a definition.
.TP
.B leftsubnetwithin
the peer can propose any subnet or single IP address that fits within the
@@ -788,31 +793,31 @@ and
.B client
(the default).
-.SS "CONN PARAMETERS: PEER-TO-PEER"
-The following parameters are relevant to Peer-to-Peer NAT-T operation
-only.
+.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
+The following parameters are relevant to IKEv2 Mediation Extension
+operation only.
.TP 14
-.B p2p_mediation
-whether this connection is a P2P mediation connection, ie. whether this
+.B mediation
+whether this connection is a mediation connection, ie. whether this
connection is used to mediate other connections. Mediation connections
create no child SA. Acceptable values are
.B no
(the default) and
.BR yes .
.TP
-.B p2p_mediated_by
+.B mediated_by
the name of the connection to mediate this connection through. If given,
the connection will be mediated through the named mediation connection.
The mediation connection must set
-.BR p2p_mediation=yes .
+.BR mediation=yes .
.TP
-.B p2p_peerid
+.B me_peerid
ID as which the peer is known to the mediation server, ie. which the other
end of this connection uses as its
.B leftid
on its connection to the mediation server. This is the ID we request the
mediation server to mediate us with. If
-.B p2p_peerid
+.B me_peerid
is not given, the
.B rightid
of this connection will be used as peer ID.
@@ -855,6 +860,11 @@ synonym for
.TP
.B ocspuri2
defines an alternative OCSP URI. Currently used by IKEv2 only.
+.B certuribase
+defines the base URI for the Hash and URL feature supported by IKEv2.
+Instead of exchanging complete certificates, IKEv2 allows to send an URI
+that resolves to the DER encoded certificate. The certificate URIs are built
+by appending the SHA1 hash of the DER encoded certificates to this base URI.
.SH "CONFIG SECTIONS"
At present, the only
.B config
@@ -882,7 +892,7 @@ The currently-accepted
names in a
.B config
.B setup
-section are:
+section affecting both daemons are:
.TP 14
.B cachecrls
certificate revocation lists (CRLs) fetched via http or ldap will be cached in
@@ -902,11 +912,6 @@ Accepted values are
or
.BR no .
.TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
.B dumpdir
in what directory should things started by \fBipsec starter\fR
(notably the Pluto and Charon daemons) be allowed to dump core?
@@ -937,11 +942,37 @@ which reverts to
if at least one CRL URI is defined and to
.B no
if no URI is known.
+.TP
+.B uniqueids
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+The IKEv2 daemon also accepts the value
+.B replace
+wich is identical to
+.B yes
+and the value
+.B keep
+to reject new IKE_SA setups and keep the duplicate established earlier.
.PP
The following
.B config section
parameters are used by the IKEv1 Pluto daemon only:
.TP
+.B crlcheckinterval
+interval in seconds. CRL fetching is enabled if the value is greater than zero.
+Asynchronous, periodic checking for fresh CRLs is currently done by the
+IKEv1 Pluto daemon only.
+.TP
.B keep_alive
interval in seconds between NAT keep alive packets, the default being 20 seconds.
.TP
@@ -1004,6 +1035,10 @@ separated by white space) are enabled;
for details on available debugging types, see
.IR pluto (8).
.TP
+.B plutostderrlog
+Pluto will not use syslog, but rather log to stderr, and redirect stderr
+to the argument file.
+.TP
.B postpluto
shell command to run after starting Pluto
(e.g., to remove a decrypted copy of the
@@ -1032,20 +1067,6 @@ Default is none.
.TP
.B virtual_private
defines private networks using a wildcard notation.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
.PP
The following
.B config section
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 0d3e850bb..b96019d83 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -1,4 +1,4 @@
-/* C code produced by gperf version 3.0.1 */
+/* C code produced by gperf version 3.0.3 */
/* Command-line: /usr/bin/gperf -C -G -t */
/* Computed positions: -k'1-2,$' */
@@ -31,7 +31,6 @@ error "gperf generated tables don't work with this execution character set. Plea
/* strongSwan keywords
- * Copyright (C) 2007 Tobias Brunner
* Copyright (C) 2005 Andreas Steffen
* Hochschule fuer Technik Rapperswil, Switzerland
*
@@ -45,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keywords.txt 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: keywords.txt 3928 2008-05-11 07:59:00Z andreas $
*/
#include <string.h>
@@ -57,12 +56,12 @@ struct kw_entry {
kw_token_t token;
};
-#define TOTAL_KEYWORDS 98
+#define TOTAL_KEYWORDS 100
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 15
-#define MAX_HASH_VALUE 236
-/* maximum key range = 222, duplicates = 0 */
+#define MIN_HASH_VALUE 6
+#define MAX_HASH_VALUE 263
+/* maximum key range = 258, duplicates = 0 */
#ifdef __GNUC__
__inline
@@ -76,191 +75,194 @@ hash (str, len)
register const char *str;
register unsigned int len;
{
- static const unsigned char asso_values[] =
+ static const unsigned short asso_values[] =
{
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 40,
- 5, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 90, 237, 25,
- 75, 5, 85, 0, 95, 0, 237, 55, 0, 45,
- 0, 70, 20, 237, 15, 70, 40, 20, 5, 237,
- 5, 65, 0, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237, 237, 237, 237, 237,
- 237, 237, 237, 237, 237, 237
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 10,
+ 0, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 15, 264, 0,
+ 100, 5, 90, 85, 60, 0, 264, 60, 10, 55,
+ 80, 75, 15, 264, 0, 50, 35, 5, 25, 264,
+ 10, 75, 0, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264, 264, 264, 264, 264,
+ 264, 264, 264, 264, 264, 264
};
return len + asso_values[(unsigned char)str[1]] + asso_values[(unsigned char)str[0]] + asso_values[(unsigned char)str[len - 1]];
}
static const struct kw_entry wordlist[] =
{
- {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
{""}, {""}, {""}, {""}, {""}, {""},
- {"leftupdown", KW_LEFTUPDOWN},
- {""},
- {"leftfirewall", KW_LEFTFIREWALL},
- {""}, {""}, {""},
- {"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
+ {"crluri", KW_CRLURI},
+ {"crluri2", KW_CRLURI2},
+ {""}, {""}, {""}, {""}, {""}, {""},
+ {"rekeyfuzz", KW_REKEYFUZZ},
+ {""}, {""},
+ {"crluri1", KW_CRLURI},
{""}, {""}, {""},
- {"virtual_private", KW_VIRTUAL_PRIVATE},
- {"rightupdown", KW_RIGHTUPDOWN},
- {""},
+ {"certuribase", KW_CERTURIBASE},
+ {"rightca", KW_RIGHTCA},
{"rightfirewall", KW_RIGHTFIREWALL},
- {"rekeyfuzz", KW_REKEYFUZZ},
- {"plutodebug", KW_PLUTODEBUG},
- {"rekeymargin", KW_REKEYMARGIN},
- {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
- {""},
- {"leftnatip", KW_LEFTNATIP},
{""},
- {"leftnexthop", KW_LEFTNEXTHOP},
- {"leftsourceip", KW_LEFTSOURCEIP},
- {"p2p_mediation", KW_P2P_MEDIATION},
- {""}, {""}, {""}, {""}, {""}, {""},
{"rightnatip", KW_RIGHTNATIP},
- {"crluri", KW_CRLURI},
+ {"crlcheckinterval", KW_CRLCHECKINTERVAL},
{"rightnexthop", KW_RIGHTNEXTHOP},
{"rightsourceip", KW_RIGHTSOURCEIP},
+ {""}, {""}, {""}, {""}, {""}, {""}, {""},
+ {"leftca", KW_LEFTCA},
+ {"leftfirewall", KW_LEFTFIREWALL},
+ {"eap", KW_EAP},
+ {"leftnatip", KW_LEFTNATIP},
+ {"right", KW_RIGHT},
+ {"leftnexthop", KW_LEFTNEXTHOP},
+ {"leftsourceip", KW_LEFTSOURCEIP},
+ {""},
+ {"rightcert", KW_RIGHTCERT},
+ {"virtual_private", KW_VIRTUAL_PRIVATE},
+ {"rightsubnet", KW_RIGHTSUBNET},
+ {""},
+ {"rightsendcert", KW_RIGHTSENDCERT},
+ {"rightprotoport", KW_RIGHTPROTOPORT},
+ {""}, {""}, {""}, {""},
{"left", KW_LEFT},
- {""}, {""},
- {"crluri2", KW_CRLURI2},
+ {""},
+ {"cacert", KW_CACERT},
+ {""},
{"leftcert", KW_LEFTCERT,},
{""},
{"leftsubnet", KW_LEFTSUBNET},
- {"crlcheckinterval", KW_CRLCHECKINTERVAL},
+ {"rightgroups", KW_RIGHTGROUPS},
{"leftsendcert", KW_LEFTSENDCERT},
{"leftprotoport", KW_LEFTPROTOPORT},
{""},
- {"right", KW_RIGHT},
+ {"righthostaccess", KW_RIGHTHOSTACCESS},
{""}, {""},
{"ike", KW_IKE},
- {"rightcert", KW_RIGHTCERT},
- {"klipsdebug", KW_KLIPSDEBUG},
- {"rightsubnet", KW_RIGHTSUBNET},
{""},
- {"rightsendcert", KW_RIGHTSENDCERT},
- {"rightprotoport", KW_RIGHTPROTOPORT},
{"plutostart", KW_PLUTOSTART},
+ {"reauth", KW_REAUTH},
+ {""},
+ {"esp", KW_ESP},
+ {"cachecrls", KW_CACHECRLS},
+ {"leftgroups", KW_LEFTGROUPS},
{"ikelifetime", KW_IKELIFETIME},
{"keylife", KW_KEYLIFE},
- {""}, {""},
+ {"packetdefault", KW_PACKETDEFAULT},
+ {"lefthostaccess", KW_LEFTHOSTACCESS},
{"keep_alive", KW_KEEP_ALIVE},
{"keyexchange", KW_KEYEXCHANGE},
- {""}, {""}, {""},
- {"interfaces", KW_INTERFACES},
- {""},
- {"leftallowany", KW_LEFTALLOWANY},
- {"leftrsasigkey", KW_LEFTRSASIGKEY},
- {""},
- {"leftgroups", KW_LEFTGROUPS},
- {"leftid", KW_LEFTID},
- {"crluri1", KW_CRLURI},
- {"ldapbase", KW_LDAPBASE},
- {"lefthostaccess", KW_LEFTHOSTACCESS},
+ {"ocspuri", KW_OCSPURI},
+ {"ocspuri2", KW_OCSPURI2},
+ {"auth", KW_AUTH},
{"rekey", KW_REKEY},
- {""},
- {"pkcs11module", KW_PKCS11MODULE},
+ {""}, {""},
{"rightallowany", KW_RIGHTALLOWANY},
{"rightrsasigkey", KW_RIGHTRSASIGKEY},
- {"pkcs11keepstate", KW_PKCS11KEEPSTATE},
- {"rightgroups", KW_RIGHTGROUPS},
- {"rightid", KW_RIGHTID},
- {"esp", KW_ESP},
- {"uniqueids", KW_UNIQUEIDS},
- {"righthostaccess", KW_RIGHTHOSTACCESS},
- {"leftca", KW_LEFTCA},
- {"ocspuri", KW_OCSPURI},
- {"nat_traversal", KW_NAT_TRAVERSAL},
- {"dpdaction", KW_DPDACTION},
- {"p2p_mediated_by", KW_P2P_MEDIATED_BY},
- {"overridemtu", KW_OVERRIDEMTU},
- {""},
- {"ocspuri2", KW_OCSPURI2},
- {""},
- {"p2p_peerid", KW_P2P_PEERID},
+ {"xauth", KW_XAUTH},
+ {"rightupdown", KW_RIGHTUPDOWN},
+ {"pkcs11module", KW_PKCS11MODULE},
+ {"ocspuri1", KW_OCSPURI},
{""},
- {"rightca", KW_RIGHTCA},
+ {"pkcs11keepstate", KW_PKCS11KEEPSTATE},
+ {"rekeymargin", KW_REKEYMARGIN},
+ {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
{"prepluto", KW_PREPLUTO},
- {"type", KW_TYPE},
+ {"auto", KW_AUTO},
{""},
- {"eapdir", KW_EAPDIR},
+ {"authby", KW_AUTHBY},
+ {"leftallowany", KW_LEFTALLOWANY},
+ {"leftrsasigkey", KW_LEFTRSASIGKEY},
+ {"also", KW_ALSO},
+ {"leftupdown", KW_LEFTUPDOWN},
+ {"charonstart", KW_CHARONSTART},
+ {"rightid", KW_RIGHTID},
+ {""}, {""}, {""},
+ {"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
{"dumpdir", KW_DUMPDIR},
- {"eap", KW_EAP},
+ {"fragicmp", KW_FRAGICMP},
{""}, {""},
- {"reauth", KW_REAUTH},
+ {"overridemtu", KW_OVERRIDEMTU},
+ {"hidetos", KW_HIDETOS},
+ {"nat_traversal", KW_NAT_TRAVERSAL},
+ {"type", KW_TYPE},
+ {"plutodebug", KW_PLUTODEBUG},
+ {"leftid", KW_LEFTID},
{""},
- {"ldaphost", KW_LDAPHOST},
+ {"ldapbase", KW_LDAPBASE},
+ {"plutostderrlog", KW_PLUTOSTDERRLOG},
{""},
- {"modeconfig", KW_MODECONFIG},
+ {"keyingtries", KW_KEYINGTRIES},
+ {""},
+ {"pfsgroup", KW_PFSGROUP},
+ {""}, {""}, {""}, {""},
+ {"compress", KW_COMPRESS},
+ {""}, {""}, {""}, {""}, {""},
+ {"pkcs11initargs", KW_PKCS11INITARGS},
+ {"interfaces", KW_INTERFACES},
{"mobike", KW_MOBIKE},
+ {""}, {""},
+ {"uniqueids", KW_UNIQUEIDS},
{""},
- {"fragicmp", KW_FRAGICMP},
+ {"mediated_by", KW_MEDIATED_BY},
+ {""}, {""},
+ {"mediation", KW_MEDIATION},
+ {""}, {""}, {""},
+ {"ldaphost", KW_LDAPHOST},
{""}, {""},
{"charondebug", KW_CHARONDEBUG},
{""},
- {"pfsgroup", KW_PFSGROUP},
- {""}, {""}, {""}, {""}, {""}, {""}, {""},
- {"keyingtries", KW_KEYINGTRIES},
- {""},
- {"ocspuri1", KW_OCSPURI},
+ {"pfs", KW_PFS},
{""},
{"dpdtimeout", KW_DPDTIMEOUT},
- {""}, {""}, {""}, {""}, {""},
{"pkcs11proxy", KW_PKCS11PROXY},
- {""},
- {"nocrsend", KW_NOCRSEND},
- {""}, {""}, {""}, {""}, {""},
- {"pkcs11initargs", KW_PKCS11INITARGS},
- {""},
- {"cacert", KW_CACERT},
- {""},
- {"packetdefault", KW_PACKETDEFAULT},
- {"also", KW_ALSO},
{""}, {""}, {""},
- {"dpddelay", KW_DPDDELAY},
- {"postpluto", KW_POSTPLUTO},
- {""},
- {"charonstart", KW_CHARONSTART},
- {"hidetos", KW_HIDETOS},
- {"compress", KW_COMPRESS},
+ {"klipsdebug", KW_KLIPSDEBUG},
+ {""}, {""}, {""},
+ {"me_peerid", KW_ME_PEERID},
{""}, {""}, {""}, {""},
- {"pfs", KW_PFS},
- {""}, {""},
- {"authby", KW_AUTHBY},
- {""}, {""},
- {"auto", KW_AUTO},
- {""}, {""}, {""}, {""}, {""},
+ {"postpluto", KW_POSTPLUTO},
{"strictcrlpolicy", KW_STRICTCRLPOLICY},
+ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+ {"force_keepalive", KW_FORCE_KEEPALIVE},
+ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
{""}, {""}, {""},
- {"cachecrls", KW_CACHECRLS},
- {"xauth", KW_XAUTH},
+ {"dpddelay", KW_DPDDELAY},
+ {""}, {""}, {""}, {""}, {""},
+ {"dpdaction", KW_DPDACTION},
+ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+ {""}, {""},
+ {"modeconfig", KW_MODECONFIG},
+ {"forceencaps", KW_FORCEENCAPS},
{""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
- {""}, {""}, {""}, {""},
- {"auth", KW_AUTH},
{""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
{""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
- {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
- {"forceencaps", KW_FORCEENCAPS}
+ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+ {"nocrsend", KW_NOCRSEND}
};
#ifdef __GNUC__
__inline
+#ifdef __GNUC_STDC_INLINE__
+__attribute__ ((__gnu_inline__))
+#endif
#endif
const struct kw_entry *
in_word_set (str, len)
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 7973dfae7..39b544267 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -1,5 +1,4 @@
/* strongSwan keywords
- * Copyright (C) 2007 Tobias Brunner
* Copyright (C) 2005 Andreas Steffen
* Hochschule fuer Technik Rapperswil, Switzerland
*
@@ -13,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keywords.h 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: keywords.h 3928 2008-05-11 07:59:00Z andreas $
*/
#ifndef _KEYWORDS_H_
@@ -31,6 +30,7 @@ typedef enum {
KW_CHARONDEBUG,
KW_PREPLUTO,
KW_POSTPLUTO,
+ KW_PLUTOSTDERRLOG,
KW_UNIQUEIDS,
KW_OVERRIDEMTU,
KW_CRLCHECKINTERVAL,
@@ -39,8 +39,8 @@ typedef enum {
KW_NOCRSEND,
KW_NAT_TRAVERSAL,
KW_KEEP_ALIVE,
+ KW_FORCE_KEEPALIVE,
KW_VIRTUAL_PRIVATE,
- KW_EAPDIR,
KW_PKCS11MODULE,
KW_PKCS11INITARGS,
KW_PKCS11KEEPSTATE,
@@ -88,12 +88,12 @@ typedef enum {
KW_DPDACTION,
KW_MODECONFIG,
KW_XAUTH,
- KW_P2P_MEDIATION,
- KW_P2P_MEDIATED_BY,
- KW_P2P_PEERID,
+ KW_MEDIATION,
+ KW_MEDIATED_BY,
+ KW_ME_PEERID,
#define KW_CONN_FIRST KW_CONN_SETUP
-#define KW_CONN_LAST KW_P2P_PEERID
+#define KW_CONN_LAST KW_ME_PEERID
/* ca section keywords */
KW_CA_NAME,
@@ -105,9 +105,10 @@ typedef enum {
KW_CRLURI2,
KW_OCSPURI,
KW_OCSPURI2,
+ KW_CERTURIBASE,
#define KW_CA_FIRST KW_CA_SETUP
-#define KW_CA_LAST KW_OCSPURI2
+#define KW_CA_LAST KW_CERTURIBASE
/* end keywords */
KW_HOST,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 5f7422d0d..d0435d1c7 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -1,6 +1,5 @@
%{
/* strongSwan keywords
- * Copyright (C) 2007 Tobias Brunner
* Copyright (C) 2005 Andreas Steffen
* Hochschule fuer Technik Rapperswil, Switzerland
*
@@ -14,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keywords.txt 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: keywords.txt 3928 2008-05-11 07:59:00Z andreas $
*/
#include <string.h>
@@ -36,6 +35,7 @@ plutodebug, KW_PLUTODEBUG
charondebug, KW_CHARONDEBUG
prepluto, KW_PREPLUTO
postpluto, KW_POSTPLUTO
+plutostderrlog, KW_PLUTOSTDERRLOG
fragicmp, KW_FRAGICMP
packetdefault, KW_PACKETDEFAULT
hidetos, KW_HIDETOS
@@ -47,9 +47,9 @@ strictcrlpolicy, KW_STRICTCRLPOLICY
nocrsend, KW_NOCRSEND
nat_traversal, KW_NAT_TRAVERSAL
keep_alive, KW_KEEP_ALIVE
+force_keepalive, KW_FORCE_KEEPALIVE
virtual_private, KW_VIRTUAL_PRIVATE
eap, KW_EAP
-eapdir, KW_EAPDIR
mobike, KW_MOBIKE
forceencaps, KW_FORCEENCAPS
pkcs11module, KW_PKCS11MODULE
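Review bot: `force_keepalive` becomes an accepted keyword here and in keywords.h (L1443), but none of the ipsec.conf.5 hunks visible in this diff document it, whereas `plutostderrlog`, added the same way (L1497), gets a man-page entry (L1027–L1029). If the man page really has no entry, one under the Pluto-only config section, stating the accepted values and default, would keep the documented and accepted keyword sets in step. The removal of `eapdir` (L1508) should likewise be mirrored in the man page if it was documented there; I cannot see that part of the page from this chunk.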
@@ -77,9 +77,9 @@ dpdtimeout, KW_DPDTIMEOUT
dpdaction, KW_DPDACTION
modeconfig, KW_MODECONFIG
xauth, KW_XAUTH
-p2p_mediation, KW_P2P_MEDIATION
-p2p_mediated_by, KW_P2P_MEDIATED_BY
-p2p_peerid, KW_P2P_PEERID
+mediation, KW_MEDIATION
+mediated_by, KW_MEDIATED_BY
+me_peerid, KW_ME_PEERID
cacert, KW_CACERT
ldaphost, KW_LDAPHOST
ldapbase, KW_LDAPBASE
@@ -89,6 +89,7 @@ crluri2, KW_CRLURI2
ocspuri, KW_OCSPURI
ocspuri1, KW_OCSPURI
ocspuri2, KW_OCSPURI2
+certuribase, KW_CERTURIBASE
left, KW_LEFT
leftnexthop, KW_LEFTNEXTHOP
leftsubnet, KW_LEFTSUBNET
diff --git a/src/starter/lex.yy.c b/src/starter/lex.yy.c
index a903b154e..cd3535318 100644
--- a/src/starter/lex.yy.c
+++ b/src/starter/lex.yy.c
@@ -647,8 +647,6 @@ extern int yywrap (void );
#endif
#endif
- static void yyunput (int c,char *buf_ptr );
-
#ifndef yytext_ptr
static void yy_flex_strncpy (char *,yyconst char *,int );
#endif
@@ -776,7 +774,7 @@ YY_DECL
#line 134 "parser.l"
-#line 780 "lex.yy.c"
+#line 778 "lex.yy.c"
if ( !(yy_init) )
{
@@ -960,7 +958,7 @@ YY_RULE_SETUP
#line 184 "parser.l"
ECHO;
YY_BREAK
-#line 964 "lex.yy.c"
+#line 962 "lex.yy.c"
case YY_END_OF_BUFFER:
{
@@ -1288,43 +1286,6 @@ static int yy_get_next_buffer (void)
return yy_is_jam ? 0 : yy_current_state;
}
- static void yyunput (int c, register char * yy_bp )
-{
- register char *yy_cp;
-
- yy_cp = (yy_c_buf_p);
-
- /* undo effects of setting up yytext */
- *yy_cp = (yy_hold_char);
-
- if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
- { /* need to shift things up to make room */
- /* +2 for EOB chars. */
- register int number_to_move = (yy_n_chars) + 2;
- register char *dest = &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[
- YY_CURRENT_BUFFER_LVALUE->yy_buf_size + 2];
- register char *source =
- &YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move];
-
- while ( source > YY_CURRENT_BUFFER_LVALUE->yy_ch_buf )
- *--dest = *--source;
-
- yy_cp += (int) (dest - source);
- yy_bp += (int) (dest - source);
- YY_CURRENT_BUFFER_LVALUE->yy_n_chars =
- (yy_n_chars) = YY_CURRENT_BUFFER_LVALUE->yy_buf_size;
-
- if ( yy_cp < YY_CURRENT_BUFFER_LVALUE->yy_ch_buf + 2 )
- YY_FATAL_ERROR( "flex scanner push-back overflow" );
- }
-
- *--yy_cp = (char) c;
-
- (yytext_ptr) = yy_bp;
- (yy_hold_char) = *yy_cp;
- (yy_c_buf_p) = yy_cp;
-}
-
#ifndef YY_NO_INPUT
#ifdef __cplusplus
static int yyinput (void)
diff --git a/src/starter/starter.c b/src/starter/starter.c
index bc2e8f1df..6ff0ac29c 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starter.c 3369 2007-11-28 17:02:12Z andreas $
+ * RCSID $Id: starter.c 3914 2008-05-08 10:58:04Z martin $
*/
#include <sys/types.h>
@@ -26,6 +26,8 @@
#include <string.h>
#include <errno.h>
#include <fcntl.h>
+#include <pwd.h>
+#include <grp.h>
#include <freeswan.h>
@@ -139,6 +141,64 @@ fsig(int signal)
}
}
+static void generate_selfcert()
+{
+ struct stat stb;
+
+ /* if ipsec.secrets file is missing then generate RSA default key pair */
+ if (stat(SECRETS_FILE, &stb) != 0)
+ {
+ mode_t oldmask;
+ FILE *f;
+ uid_t uid = 0;
+ gid_t gid = 0;
+
+#ifdef IPSEC_GROUP
+ {
+ char buf[1024];
+ struct group group, *grp;
+
+ if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 &&
+ grp)
+ {
+ gid = grp->gr_gid;
+ }
+ }
+#endif
+#ifdef IPSEC_USER
+ {
+ char buf[1024];
+ struct passwd passwd, *pwp;
+
+ if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 &&
+ pwp)
+ {
+ uid = pwp->pw_uid;
+ }
+ }
+#endif
+ setegid(gid);
+ seteuid(uid);
+ system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
+ seteuid(0);
+ setegid(0);
+
+ /* ipsec.secrets is root readable only */
+ oldmask = umask(0066);
+
+ f = fopen(SECRETS_FILE, "w");
+ if (f)
+ {
+ fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
+ fprintf(f, "\n");
+ fprintf(f, ": RSA myKey.der\n");
+ fclose(f);
+ }
+ chown(SECRETS_FILE, uid, gid);
+ umask(oldmask);
+ }
+}
+
static void
usage(char *name)
{
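Review bot: The privilege drop around `system()` on L1660–L1664 changes only the effective ids, so the spawned `ipsec scepclient` inherits real uid 0 and can regain it, and neither the `setegid`/`seteuid` results nor the `system()` exit status are checked — if the helper fails, the secrets file is still written on L1669–L1676 pointing at a key that was never generated. `system()` also resolves `ipsec` through a shell and the daemon's PATH while running as root. A fork/exec with a permanent `setgid`/`setuid` drop, an absolute path and a checked `waitpid` status (needs `<sys/wait.h>`) covers all three; in addition the `stat` test on L1629 should only regenerate on `errno == ENOENT`, so a transient permission error does not overwrite an existing configuration, and the `fopen`/`chown` results deserve a logged failure. Sketch of the replacement for L1660–L1664 below.
```c
	pid_t pid;
	int status;
	/* … unchanged: uid/gid lookup via getgrnam_r/getpwnam_r … */
	pid = fork();
	if (pid == 0)
	{
		/* child: drop privileges permanently, not just the effective ids */
		if (setgid(gid) != 0 || setuid(uid) != 0)
		{
			_exit(127);
		}
		execl(IPSEC_WRAPPER_PATH /* placeholder: absolute path of the ipsec wrapper */,
			  "ipsec", "scepclient", "--out", "pkcs1", "--out", "cert-self", "--quiet",
			  (char *)NULL);
		_exit(127);
	}
	if (pid < 0 || waitpid(pid, &status, 0) < 0 ||
		!WIFEXITED(status) || WEXITSTATUS(status) != 0)
	{
		plog("generation of the default RSA key pair failed, not writing %s", SECRETS_FILE);
		return;
	}
	/* … unchanged: umask, fopen/fprintf of SECRETS_FILE, chown … */
```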
@@ -274,6 +334,8 @@ int main (int argc, char **argv)
plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
exit(LSB_RC_SUCCESS);
}
+
+ generate_selfcert();
/* fork if we're not debugging stuff */
if (!no_fork)
@@ -541,6 +603,7 @@ int main (int argc, char **argv)
/* schedule next try */
alarm(PLUTO_RESTART_DELAY);
}
+ starter_stroke_configure(cfg);
}
_action_ &= ~FLAG_ACTION_START_CHARON;
}
@@ -589,7 +652,7 @@ int main (int argc, char **argv)
}
if (starter_charon_pid())
{
- starter_stroke_add_conn(conn);
+ starter_stroke_add_conn(cfg, conn);
}
if (starter_pluto_pid())
{
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index fae895ba0..ffd5d28a6 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -1,5 +1,4 @@
/* Stroke for charon is the counterpart to whack from pluto
- * Copyright (C) 2007 Tobias Brunner
* Copyright (C) 2006 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -13,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starterstroke.c 3394 2007-12-13 17:31:21Z martin $
+ * RCSID $Id: starterstroke.c 4100 2008-06-24 13:36:10Z martin $
*/
#include <sys/types.h>
@@ -32,20 +31,19 @@
#include <defs.h>
#include <log.h>
-#include <stroke.h>
+#include <stroke_msg.h>
#include "starterstroke.h"
#include "confread.h"
#include "files.h"
/**
- * Authentication mehtods, must be the same values as in charon
+ * Authentication methods, must be the same as in charons authenticator.h
*/
enum auth_method_t {
- AUTH_RSA = 1,
- AUTH_PSK = 2,
- AUTH_DSS = 3,
- AUTH_EAP = 201,
+ AUTH_PUBKEY = 1,
+ AUTH_PSK = 2,
+ AUTH_EAP = 3
};
static char* push_string(stroke_msg_t *msg, char *string)
@@ -162,32 +160,62 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
msg_end->updown = push_string(msg, conn_end->updown);
ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
msg_end->address = push_string(msg, buffer);
- ip_address2string(&conn_end->subnet.addr, buffer, sizeof(buffer));
- msg_end->subnet = push_string(msg, buffer);
- msg_end->subnet_mask = conn_end->subnet.maskbits;
+ msg_end->subnets = push_string(msg, conn_end->subnet);
msg_end->sendcert = conn_end->sendcert;
msg_end->hostaccess = conn_end->hostaccess;
msg_end->tohost = !conn_end->has_client;
msg_end->protocol = conn_end->protocol;
msg_end->port = conn_end->port;
- msg_end->virtual_ip = conn_end->modecfg || conn_end->has_srcip;
- ip_address2string(&conn_end->srcip, buffer, sizeof(buffer));
- msg_end->sourceip = push_string(msg, buffer);
+ if (conn_end->srcip)
+ {
+ if (conn_end->srcip[0] == '%')
+ { /* %poolname, strip % */
+ msg_end->sourceip_size = 0;
+ msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
+ }
+ else
+ {
+ char *pos = strchr(conn_end->srcip, '/');
+ if (pos)
+ { /* CIDR subnet definition */
+ snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
+ msg_end->sourceip = push_string(msg, buffer);
+ msg_end->sourceip_size = atoi(pos + 1);
+ }
+ else
+ { /* a single address */
+ msg_end->sourceip = push_string(msg, conn_end->srcip);
+ if (strchr(conn_end->srcip, ':'))
+ { /* IPv6 */
+ msg_end->sourceip_size = 128;
+ }
+ else
+ { /* IPv4 */
+ msg_end->sourceip_size = 32;
+ }
+ }
+ }
+ }
+ else if (conn_end->modecfg)
+ {
+ msg_end->sourceip_size = 1;
+ }
}
-int starter_stroke_add_conn(starter_conn_t *conn)
+int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
{
stroke_msg_t msg;
+ memset(&msg, 0, sizeof(msg));
msg.type = STR_ADD_CONN;
msg.length = offsetof(stroke_msg_t, buffer);
msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
msg.add_conn.name = push_string(&msg, connection_name(conn));
- /* RSA is preferred before PSK and EAP */
- if (conn->policy & POLICY_RSASIG)
+ /* PUBKEY is preferred to PSK and EAP */
+ if (conn->policy & POLICY_RSASIG || conn->policy & POLICY_ECDSASIG)
{
- msg.add_conn.auth_method = AUTH_RSA;
+ msg.add_conn.auth_method = AUTH_PUBKEY;
}
else if (conn->policy & POLICY_PSK)
{
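Review bot: The `snprintf` on L1778 takes its size from the configuration value (`pos - conn_end->srcip + 1`) rather than from the capacity of `buffer` (declared outside this hunk), so a `leftsourceip`/`rightsourceip` prefix longer than `buffer` writes past it; `snprintf(buffer, sizeof(buffer), "%.*s", (int)(pos - conn_end->srcip), conn_end->srcip);` bounds the copy by the destination instead. The prefix length from `atoi(pos + 1)` on L1780 is also forwarded unvalidated; a range check against 32 or 128 by address family, with a logged rejection, would stop malformed CIDR values reaching charon. Minor style point on L1813: `conn->policy & (POLICY_RSASIG | POLICY_ECDSASIG)` says the same thing without relying on `&` binding tighter than `||`. starter_stroke_add_end's body begins before this hunk.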
@@ -213,15 +241,7 @@ int starter_stroke_add_conn(starter_conn_t *conn)
msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
}
- if (conn->policy & POLICY_DONT_REKEY)
- {
- msg.add_conn.rekey.ipsec_lifetime = 0;
- msg.add_conn.rekey.ike_lifetime = 0;
- msg.add_conn.rekey.margin = 0;
- msg.add_conn.rekey.tries = 0;
- msg.add_conn.rekey.fuzz = 0;
- }
- else
+ if (!(conn->policy & POLICY_DONT_REKEY))
{
msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
@@ -232,13 +252,16 @@ int starter_stroke_add_conn(starter_conn_t *conn)
}
msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
+ msg.add_conn.ipcomp = conn->policy & POLICY_COMPRESS;
+ msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
+ msg.add_conn.unique = cfg->setup.uniqueids;
msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
msg.add_conn.dpd.delay = conn->dpd_delay;
msg.add_conn.dpd.action = conn->dpd_action;
- msg.add_conn.p2p.mediation = conn->p2p_mediation;
- msg.add_conn.p2p.mediated_by = push_string(&msg, conn->p2p_mediated_by);
- msg.add_conn.p2p.peerid = push_string(&msg, conn->p2p_peerid);
+ msg.add_conn.ikeme.mediation = conn->me_mediation;
+ msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
+ msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
@@ -282,12 +305,13 @@ int starter_stroke_add_ca(starter_ca_t *ca)
msg.type = STR_ADD_CA;
msg.length = offsetof(stroke_msg_t, buffer);
- msg.add_ca.name = push_string(&msg, ca->name);
- msg.add_ca.cacert = push_string(&msg, ca->cacert);
- msg.add_ca.crluri = push_string(&msg, ca->crluri);
- msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
- msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
- msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
+ msg.add_ca.name = push_string(&msg, ca->name);
+ msg.add_ca.cacert = push_string(&msg, ca->cacert);
+ msg.add_ca.crluri = push_string(&msg, ca->crluri);
+ msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
+ msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
+ msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
+ msg.add_ca.certuribase = push_string(&msg, ca->certuribase);
return send_stroke_msg(&msg);
}
@@ -301,4 +325,17 @@ int starter_stroke_del_ca(starter_ca_t *ca)
return send_stroke_msg(&msg);
}
+int starter_stroke_configure(starter_config_t *cfg)
+{
+ stroke_msg_t msg;
+
+ if (cfg->setup.cachecrls)
+ {
+ msg.type = STR_CONFIG;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.config.cachecrl = 1;
+ return send_stroke_msg(&msg);
+ }
+ return 0;
+}
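Review bot: `msg` in starter_stroke_configure (L1878) is never zero-initialised before `send_stroke_msg`, unlike starter_stroke_add_conn, which gained `memset(&msg, 0, sizeof(msg));` on L1805 in this same commit; every `config` field this function does not set, plus padding, is sent to charon as whatever was on the stack. Add `memset(&msg, 0, sizeof(msg));` right after the declaration so the two senders are consistent and the receiver sees deterministic values.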
diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h
index fbcf51eed..e6b9e5504 100644
--- a/src/starter/starterstroke.h
+++ b/src/starter/starterstroke.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starterstroke.h 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: starterstroke.h 3825 2008-04-17 15:01:57Z martin $
*/
#ifndef _STARTER_STROKE_H_
@@ -19,11 +19,12 @@
#include "confread.h"
-extern int starter_stroke_add_conn(starter_conn_t *conn);
+extern int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn);
extern int starter_stroke_del_conn(starter_conn_t *conn);
extern int starter_stroke_route_conn(starter_conn_t *conn);
extern int starter_stroke_initiate_conn(starter_conn_t *conn);
extern int starter_stroke_add_ca(starter_ca_t *ca);
extern int starter_stroke_del_ca(starter_ca_t *ca);
+extern int starter_stroke_configure(starter_config_t *cfg);
#endif /* _STARTER_STROKE_H_ */
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index d29b87873..8b7d500b8 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starterwhack.c 3405 2007-12-19 00:49:32Z andreas $
+ * RCSID $Id: starterwhack.c 3880 2008-04-27 10:49:31Z andreas $
*/
#include <sys/types.h>
@@ -32,6 +32,8 @@
#include "confread.h"
#include "files.h"
+#define ip_version(string) (strchr(string, '.') ? AF_INET : AF_INET6)
+
static int
pack_str (char **p, char **next, char **roof)
{
@@ -149,13 +151,31 @@ connection_name(starter_conn_t *conn)
static void
set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
-{
+{
+ if (end->srcip && end->srcip[0] != '%')
+ {
+ int len = 0;
+ char *pos;
+
+ pos = strchr(end->srcip, '/');
+ if (pos)
+ {
+ /* use first address only for pluto */
+ len = pos - end->srcip;
+ }
+ w->has_srcip = !end->has_natip;
+ ttoaddr(end->srcip, len, ip_version(end->srcip), &w->host_srcip);
+ }
+ else
+ {
+ anyaddr(AF_INET, &w->host_srcip);
+ }
+
w->id = end->id;
w->cert = end->cert;
w->ca = end->ca;
w->groups = end->groups;
w->host_addr = end->addr;
- w->host_srcip = end->srcip;
w->has_client = end->has_client;
if (family == AF_INET6 && isanyaddr(&end->nexthop))
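Review bot: The `ttoaddr` call on L1949 discards its error return, so a malformed `leftsourceip`/`rightsourceip` leaves `w->host_srcip` in whatever state the parser left it while `w->has_srcip` was already set on L1948; the same applies to `ttosubnet` on L1977 in the next hunk, where a failed parse of the first `leftsubnet` entry leaves `w->client` unset. Both return an error string that should be tested, with the value logged and `w->has_srcip` cleared (or the connection rejected) on failure. In the `else` branch on L1951–L1954 `w->has_srcip` is not assigned at all, and the previous unconditional `w->has_srcip = end->has_srcip;` is removed on L1989, so unless the caller zeroes `w` it keeps a stale value — an explicit clear there would make the intent visible. The `ip_version` macro on L1927 also treats any string containing a '.' as IPv4, which would misclassify an IPv4-mapped IPv6 literal before `ttoaddr` sees it.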
@@ -165,13 +185,28 @@ set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
w->host_nexthop = end->nexthop;
if (w->has_client)
- w->client = end->subnet;
+ {
+ char *pos;
+ int len = 0;
+
+ pos = strchr(end->subnet, ',');
+ if (pos)
+ {
+ len = pos - end->subnet;
+ }
+ ttosubnet(end->subnet, len, ip_version(end->subnet), &w->client);
+ }
else
+ {
+ if (end->has_virt)
+ {
+ w->virt = end->subnet;
+ }
w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr);
+ }
w->has_client_wildcard = end->has_client_wildcard;
w->has_port_wildcard = end->has_port_wildcard;
- w->has_srcip = end->has_srcip;
w->has_natip = end->has_natip;
w->allow_any = end->allow_any && !end->dns_failed;
w->modecfg = end->modecfg;
@@ -181,7 +216,6 @@ set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
w->host_port = IKE_UDP_PORT;
w->port = end->port;
w->protocol = end->protocol;
- w->virt = end->virt;
if (w->port != 0)
{
@@ -251,6 +285,14 @@ starter_whack_add_conn(starter_conn_t *conn)
msg.sa_keying_tries = conn->sa_keying_tries;
msg.policy = conn->policy;
+ /*
+ * Make sure the IKEv2-only policy bits are unset for IKEv1 connections
+ */
+ msg.policy &= ~POLICY_DONT_REAUTH;
+ msg.policy &= ~POLICY_BEET;
+ msg.policy &= ~POLICY_MOBIKE;
+ msg.policy &= ~POLICY_FORCE_ENCAP;
+
set_whack_end(&msg.left, &conn->left, conn->addr_family);
set_whack_end(&msg.right, &conn->right, conn->addr_family);