authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
commited7d79f96177044949744da10f4431c1d6242241 (patch)
tree3aabaa55ed3b5291daef891cfee9befb5235e2b8 /src/starter
parent7410d3c6d6a9a1cd7aa55083c938946af6ff9498 (diff)
[svn-upgrade] Integrating new upstream version, strongswan (4.3.6)
Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/Makefile.am10
-rw-r--r--src/starter/Makefile.in353
-rw-r--r--src/starter/args.c44
-rw-r--r--src/starter/confread.c96
-rw-r--r--src/starter/confread.h13
-rw-r--r--src/starter/interfaces.c246
-rw-r--r--src/starter/interfaces.h1
-rw-r--r--src/starter/invokecharon.c4
-rw-r--r--src/starter/invokepluto.c6
-rw-r--r--src/starter/ipsec.conf.5163
-rw-r--r--src/starter/keywords.c262
-rw-r--r--src/starter/keywords.h7
-rw-r--r--src/starter/keywords.txt7
-rw-r--r--src/starter/klips.c4
-rw-r--r--src/starter/klips.h2
-rw-r--r--src/starter/netkey.h2
-rw-r--r--src/starter/starter.c20
-rw-r--r--src/starter/starterstroke.c59
-rw-r--r--src/starter/starterwhack.c137
19 files changed, 833 insertions, 603 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 3355b3afb..7524b5f26 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -6,7 +6,7 @@ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
INCLUDES = \
--I${linuxdir} \
+-I${linux_headers} \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libfreeswan \
-I$(top_srcdir)/src/pluto \
@@ -15,9 +15,11 @@ INCLUDES = \
AM_CFLAGS = \
-DIPSEC_DIR=\"${ipsecdir}\" \
--DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-DIPSEC_PIDDIR=\"${piddir}\" \
-DIPSEC_EAPDIR=\"${eapdir}\" \
+-DDEV_RANDOM=\"${random_device}\" \
+-DDEV_URANDOM=\"${urandom_device}\" \
-DDEBUG
starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
@@ -37,7 +39,7 @@ if USE_CHARON
endif
lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h
- $(LEX) $(srcdir)/parser.l
+ $(LEX) $(srcdir)/parser.l
y.tab.c: $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
$(YACC) -v -d $(srcdir)/parser.y
@@ -51,7 +53,7 @@ keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h
defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
-install-exec-local :
+install-exec-local :
test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index a839c20b1..79ea9de32 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
@@ -39,14 +41,21 @@ subdir = src/starter
DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/configure.in
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
"$(DESTDIR)$(man8dir)"
-ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
PROGRAMS = $(ipsec_PROGRAMS)
am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \
@@ -63,6 +72,7 @@ starter_DEPENDENCIES = defs.o \
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
+am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -74,6 +84,27 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
$(LDFLAGS) -o $@
SOURCES = $(starter_SOURCES)
DIST_SOURCES = $(starter_SOURCES)
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
man5dir = $(mandir)/man5
man8dir = $(mandir)/man8
NROFF = nroff
@@ -114,25 +145,22 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
LD = @LD@
LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
@@ -144,11 +172,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
RANLIB = @RANLIB@
+RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
@@ -177,9 +208,9 @@ build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
-confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
@@ -202,7 +233,7 @@ ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
@@ -210,6 +241,7 @@ mandir = @mandir@
mkdir_p = @mkdir_p@
nm_CFLAGS = @nm_CFLAGS@
nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
@@ -218,10 +250,12 @@ pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+random_device = @random_device@
resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
-simreader = @simreader@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
@@ -229,6 +263,7 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
@@ -238,16 +273,18 @@ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
INCLUDES = \
--I${linuxdir} \
+-I${linux_headers} \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libfreeswan \
-I$(top_srcdir)/src/pluto \
-I$(top_srcdir)/src/whack \
-I$(top_srcdir)/src/stroke
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
- -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \
- -DDEBUG $(am__append_1) $(am__append_2)
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
+ -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
+ -DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \
+ -DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \
+ $(am__append_2)
starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
dist_man_MANS = ipsec.conf.5 starter.8
@@ -267,9 +304,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/starter/Makefile'; \
- cd $(top_srcdir) && \
- $(AUTOMAKE) --gnu src/starter/Makefile
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/starter/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/starter/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
@@ -287,34 +324,50 @@ $(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
@$(NORMAL_INSTALL)
test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
- @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
- p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- if test -f $$p \
- || test -f $$p1 \
- ; then \
- f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
- else :; fi; \
- done
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed 's/$(EXEEXT)$$//' | \
+ while read p p1; do if test -f $$p || test -f $$p1; \
+ then echo "$$p"; echo "$$p"; else :; fi; \
+ done | \
+ sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+ sed 'N;N;N;s,\n, ,g' | \
+ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+ if ($$2 == $$4) files[d] = files[d] " " $$1; \
+ else { print "f", $$3 "/" $$4, $$1; } } \
+ END { for (d in files) print "f", d, files[d] }' | \
+ while read type dir files; do \
+ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+ test -z "$$files" || { \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+ } \
+ ; done
uninstall-ipsecPROGRAMS:
@$(NORMAL_UNINSTALL)
- @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
- f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
- echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
- rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
- done
+ @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ files=`for p in $$list; do echo "$$p"; done | \
+ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+ -e 's/$$/$(EXEEXT)/' `; \
+ test -n "$$list" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
clean-ipsecPROGRAMS:
- @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
- f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f $$p $$f"; \
- rm -f $$p $$f ; \
- done
+ @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES)
@rm -f starter$(EXEEXT)
$(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
@@ -344,21 +397,21 @@ distclean-compile:
.c.o:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(COMPILE) -c $<
.c.obj:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
@@ -368,96 +421,82 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
-install-man5: $(man5_MANS) $(man_MANS)
+install-man5: $(dist_man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
- @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.5*) list="$$list $$i" ;; \
- esac; \
+ @list=''; test -n "$(man5dir)" || exit 0; \
+ { for i in $$list; do echo "$$i"; done; \
+ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.5[a-z]*$$/p'; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
+ fi; \
done; \
- for i in $$list; do \
- if test -f $$i; then file=$$i; \
- else file=$(srcdir)/$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 5*) ;; \
- *) ext='5' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
- done
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
+ done; }
+
uninstall-man5:
@$(NORMAL_UNINSTALL)
- @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.5*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 5*) ;; \
- *) ext='5' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
- rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
- done
-install-man8: $(man8_MANS) $(man_MANS)
+ @list=''; test -n "$(man5dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.5[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ test -z "$$files" || { \
+ echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
+install-man8: $(dist_man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
- @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.8*) list="$$list $$i" ;; \
- esac; \
+ @list=''; test -n "$(man8dir)" || exit 0; \
+ { for i in $$list; do echo "$$i"; done; \
+ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.8[a-z]*$$/p'; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+ fi; \
done; \
- for i in $$list; do \
- if test -f $$i; then file=$$i; \
- else file=$(srcdir)/$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 8*) ;; \
- *) ext='8' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
- done
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+ done; }
+
uninstall-man8:
@$(NORMAL_UNINSTALL)
- @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.8*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 8*) ;; \
- *) ext='8' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
- rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
- done
+ @list=''; test -n "$(man8dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.8[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ test -z "$$files" || { \
+ echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -471,7 +510,7 @@ tags: TAGS
TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
- tags=; \
+ set x; \
here=`pwd`; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
@@ -479,34 +518,52 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
- if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$tags $$unique; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
fi
ctags: CTAGS
CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
- tags=; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
- test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$tags $$unique
+ $$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
- && cd $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) $$here
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(DISTFILES)
+ @list='$(MANS)'; if test -n "$$list"; then \
+ list=`for p in $$list; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+ if test -n "$$list" && \
+ grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+ echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+ grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
+ echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+ echo " typically \`make maintainer-clean' will remove them" >&2; \
+ exit 1; \
+ else :; fi; \
+ else :; fi
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -522,13 +579,17 @@ distdir: $(DISTFILES)
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
- cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
- test -f $(distdir)/$$file \
- || cp -p $$d/$$file $(distdir)/$$file \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
@@ -559,6 +620,7 @@ clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -581,6 +643,8 @@ dvi-am:
html: html-am
+html-am:
+
info: info-am
info-am:
@@ -589,18 +653,28 @@ install-data-am: install-ipsecPROGRAMS install-man
install-dvi: install-dvi-am
+install-dvi-am:
+
install-exec-am: install-exec-local
install-html: install-html-am
+install-html-am:
+
install-info: install-info-am
+install-info-am:
+
install-man: install-man5 install-man8
install-pdf: install-pdf-am
+install-pdf-am:
+
install-ps: install-ps-am
+install-ps-am:
+
installcheck-am:
maintainer-clean: maintainer-clean-am
@@ -645,7 +719,7 @@ uninstall-man: uninstall-man5 uninstall-man8
lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h
- $(LEX) $(srcdir)/parser.l
+ $(LEX) $(srcdir)/parser.l
y.tab.c: $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
$(YACC) -v -d $(srcdir)/parser.y
@@ -659,7 +733,7 @@ keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h
defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
-install-exec-local :
+install-exec-local :
test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
@@ -670,6 +744,7 @@ install-exec-local :
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/starter/args.c b/src/starter/args.c
index 990d7588b..ebbd42cc8 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -36,6 +36,7 @@ typedef enum {
ARG_UINT,
ARG_TIME,
ARG_ULNG,
+ ARG_ULLI,
ARG_PCNT,
ARG_STR,
ARG_LST,
@@ -111,6 +112,11 @@ static const char *LST_pfsgroup[] = {
"modp4096",
"modp6144",
"modp8192",
+ "ecp192",
+ "ecp224",
+ "ecp256",
+ "ecp384",
+ "ecp521",
NULL
};
@@ -207,6 +213,10 @@ static const token_info_t token_info[] =
{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL },
+ { ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_life_bytes), NULL },
+ { ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_margin_bytes), NULL },
+ { ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_life_packets), NULL },
+ { ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_margin_packets), NULL },
{ ARG_MISC, 0, NULL /* KW_KEYINGTRIES */ },
{ ARG_PCNT, offsetof(starter_conn_t, sa_rekey_fuzz), NULL },
{ ARG_MISC, 0, NULL /* KW_REKEY */ },
@@ -217,6 +227,7 @@ static const token_info_t token_info[] =
{ ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL },
{ ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL },
{ ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action },
+ { ARG_TIME, offsetof(starter_conn_t, inactivity), NULL },
{ ARG_MISC, 0, NULL /* KW_MODECONFIG */ },
{ ARG_MISC, 0, NULL /* KW_XAUTH */ },
{ ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool },
@@ -241,7 +252,7 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_end_t, subnet), NULL },
{ ARG_MISC, 0, NULL /* KW_SUBNETWITHIN */ },
{ ARG_MISC, 0, NULL /* KW_PROTOPORT */ },
- { ARG_STR, offsetof(starter_end_t, srcip), NULL },
+ { ARG_MISC, 0, NULL /* KW_SOURCEIP */ },
{ ARG_MISC, 0, NULL /* KW_NATIP */ },
{ ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool },
{ ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool },
@@ -391,7 +402,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
case ARG_UINT:
{
char *endptr;
- u_int *u = (u_int *)p;
+ u_int *u = (u_int *)p;
*u = strtoul(kw->value, &endptr, 10);
@@ -429,6 +440,20 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
}
break;
+ case ARG_ULLI:
+ {
+ char *endptr;
+ unsigned long long *ll = (unsigned long long *)p;
+
+ *ll = strtoull(kw->value, &endptr, 10);
+
+ if (*endptr != '\0')
+ {
+ plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+ return FALSE;
+ }
+ }
+ break;
case ARG_TIME:
{
char *endptr;
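Review bot: The new `ARG_ULLI` branch accepts out-of-range and empty values silently: `strtoull` returns `ULLONG_MAX` and sets `errno` to `ERANGE` on overflow, and for an empty `kw->value` it leaves `endptr` pointing at the terminator, so `*endptr != '\0'` is false and the byte/packet limit becomes 0 without a diagnostic. A leading `-` is likewise accepted and wraps to a huge value. Consider `errno = 0;` before the call and `if (*endptr != '\0' || endptr == kw->value || errno == ERANGE || kw->value[0] == '-')` as the rejection test; the pre-existing `ARG_UINT` branch above has the same shape and would benefit from the same check. `assign_arg` starts before this hunk.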
@@ -490,12 +515,12 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
{
char ** lst;
- for (lst = *listp; lst && *lst; lst++)
+ for (lst = *listp; lst && *lst; lst++)
{
bool match = FALSE;
list = token_info[token].list;
-
+
while (*list != NULL && !match)
{
match = streq(*lst, *list++);
@@ -659,6 +684,17 @@ bool cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
}
}
break;
+ case ARG_ULLI:
+ {
+ unsigned long long *ll1 = (unsigned long long *)p1;
+ unsigned long long *ll2 = (unsigned long long *)p2;
+
+ if (*ll1 != *ll2)
+ {
+ return FALSE;
+ }
+ }
+ break;
case ARG_TIME:
{
time_t *t1 = (time_t *)p1;
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 5fd2b9fbf..07cc11503 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -119,7 +119,7 @@ load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
bool assigned = FALSE;
kw_token_t token = kw->entry->token;
-
+
if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
{
plog("# unsupported keyword '%s' in config setup", kw->entry->name);
@@ -136,9 +136,8 @@ load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
}
}
-static void
-kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
- , kw_list_t *kw, char *conn_name, starter_config_t *cfg)
+static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
+ kw_list_t *kw, char *conn_name, starter_config_t *cfg)
{
err_t ugh = NULL;
bool assigned = FALSE;
@@ -165,10 +164,10 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
ip_subnet net;
char *pos;
int len = 0;
-
+
end->has_client = TRUE;
conn->tunnel_addr_family = ip_version(value);
-
+
pos = strchr(value, ',');
if (pos)
{
@@ -188,31 +187,54 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
plog("# natip and sourceip cannot be defined at the same time");
goto err;
}
- if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
- streq(value, "%config") || streq(value, "%cfg"))
+ if (value[0] == '%')
{
- free(end->srcip);
- end->srcip = NULL;
+ if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
+ streq(value, "%config") || streq(value, "%cfg"))
+ {
+ /* request ip via config payload */
+ end->sourceip = NULL;
+ end->sourceip_mask = 1;
+ }
+ else
+ { /* %poolname, strip %, serve ip requests */
+ end->sourceip = clone_str(value+1);
+ end->sourceip_mask = 0;
+ }
end->modecfg = TRUE;
}
else
{
+ char *pos;
ip_address addr;
ip_subnet net;
-
+
conn->tunnel_addr_family = ip_version(value);
- if (strchr(value, '/'))
+ pos = strchr(value, '/');
+
+ if (pos)
{ /* CIDR notation, address pool */
ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
+ if (ugh != NULL)
+ {
+ plog("# bad subnet: %s=%s [%s]", name, value, ugh);
+ goto err;
+ }
+ *pos = '\0';
+ end->sourceip = clone_str(value);
+ end->sourceip_mask = atoi(pos + 1);
}
- else if (value[0] != '%')
- { /* old style fixed srcip, a %poolname otherwise */
+ else
+ { /* fixed srcip */
ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
- }
- if (ugh != NULL)
- {
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- goto err;
+ if (ugh != NULL)
+ {
+ plog("# bad addr: %s=%s [%s]", name, value, ugh);
+ goto err;
+ }
+ end->sourceip = clone_str(value);
+ end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ?
+ 32 : 128;
}
}
conn->policy |= POLICY_TUNNEL;
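Review bot: The `%modeconfig` branch now writes `end->sourceip = NULL;` where the removed code did `free(end->srcip);` first, and the `clone_str` assignments in the CIDR and fixed-address branches likewise overwrite `end->sourceip` without releasing a previous value; if the field can already be populated when this keyword is parsed (the `natip` conflict check just above suggests it can), the earlier string leaks. `*pos = '\0';` also truncates `value` in place before `clone_str(value)`, so if `value` aliases the stored keyword text it stays truncated for any later reader of that keyword; copying the prefix with a bounded copy, or restoring `*pos = '/';` after the clone, avoids that. The enclosing `kw_end` starts and ends outside this hunk.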
@@ -245,6 +267,10 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
end->addr = cfg->defaultroute.addr;
end->nexthop = cfg->defaultroute.nexthop;
}
+ else if (!cfg->defaultroute.supported)
+ {
+ plog("%%defaultroute not supported, fallback to %%any");
+ }
else
{
plog("# default route not known: %s=%s", name, value);
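Review bot: The new diagnostic `plog("%%defaultroute not supported, fallback to %%any");` lacks the `# ` prefix every neighbouring config diagnostic in this function uses (`# default route not known`, `# bad addr`), so it will look different in the log; `plog("# %%defaultroute not supported, fallback to %%any");` keeps it consistent. The branch also only logs: it assigns nothing to `end->addr`, so the "fallback to %any" presumably relies on the field already holding its initial value — a comment such as `/* end->addr keeps its initialised %any value */` would make that explicit. `kw_end` continues outside this hunk.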
@@ -298,7 +324,9 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
if (streq(value, "%defaultroute"))
{
if (cfg->defaultroute.defined)
+ {
end->nexthop = cfg->defaultroute.nexthop;
+ }
else
{
plog("# default route not known: %s=%s", name, value);
@@ -323,7 +351,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
case KW_SUBNETWITHIN:
{
ip_subnet net;
-
+
end->has_client = TRUE;
end->has_client_wildcard = TRUE;
conn->tunnel_addr_family = ip_version(value);
@@ -342,7 +370,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
end->has_port_wildcard = has_port_wildcard;
break;
case KW_NATIP:
- if (end->srcip)
+ if (end->sourceip)
{
plog("# natip and sourceip cannot be defined at the same time");
goto err;
@@ -350,11 +378,11 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
if (streq(value, "%defaultroute"))
{
char buf[64];
-
+
if (cfg->defaultroute.defined)
{
addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
- end->srcip = clone_str(buf);
+ end->sourceip = clone_str(buf);
}
else
{
@@ -365,7 +393,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
else
{
ip_address addr;
-
+
conn->tunnel_addr_family = ip_version(value);
ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
if (ugh != NULL)
@@ -373,7 +401,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
plog("# bad addr: %s=%s [%s]", name, value, ugh);
goto err;
}
- end->srcip = clone_str(value);
+ end->sourceip = clone_str(value);
}
end->has_natip = TRUE;
conn->policy |= POLICY_TUNNEL;
@@ -510,8 +538,8 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
}
else if (streq(kw->value, "transport_proxy"))
{
- conn->policy |= POLICY_PROXY;
- }
+ conn->policy |= POLICY_PROXY;
+ }
else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
{
conn->policy |= POLICY_SHUNT_PASS;
@@ -535,10 +563,10 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
break;
case KW_COMPRESS:
KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
- break;
+ break;
case KW_AUTH:
KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
- break;
+ break;
case KW_AUTHBY:
conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
@@ -591,7 +619,7 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
case KW_EAP:
{
char *sep;
-
+
/* check for vendor-type format */
sep = strchr(kw->value, '-');
if (sep)
@@ -922,7 +950,7 @@ confread_free_ca(starter_ca_t *ca)
/*
* free the memory used by a starter_config_t object
*/
-void
+void
confread_free(starter_config_t *cfg)
{
starter_conn_t *conn = cfg->conn_first;
@@ -1046,7 +1074,7 @@ confread_load(const char *file)
for (ca = cfg->ca_first; ca; ca = ca->next)
{
also_t *also = ca->also;
-
+
while (also != NULL)
{
kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg);
@@ -1080,7 +1108,7 @@ confread_load(const char *file)
for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
{
u_int previous_err;
-
+
/* skip %default conn section */
if (streq(sconn->name, "%default"))
continue;
@@ -1093,7 +1121,7 @@ confread_load(const char *file)
conn_default(sconn->name, conn, &cfg->conn_default);
conn->kw = sconn->kw;
conn->next = NULL;
-
+
previous_err = cfg->err;
load_conn(conn, conn->kw, cfg);
if (cfg->err > previous_err)
diff --git a/src/starter/confread.h b/src/starter/confread.h
index b20c2e0d3..7f3211628 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -82,7 +82,8 @@ struct starter_end {
char *updown;
u_int16_t port;
u_int8_t protocol;
- char *srcip;
+ char *sourceip;
+ int sourceip_mask;
};
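Review bot: `int sourceip_mask` is a three-way encoding rather than a plain prefix length — the confread.c side of this commit stores `1` for "request an address via config payload", `0` for a `%poolname` pool, and otherwise the CIDR prefix (32/128 for a fixed address) — and nothing in the header says so. A comment on the field, e.g. `/* prefix length of sourceip; 0 = pool name in sourceip, 1 = request via config payload */`, would keep consumers of the struct from misreading it as a mask.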
typedef struct also also_t;
@@ -112,6 +113,10 @@ struct starter_conn {
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
time_t sa_rekey_margin;
+ u_int64_t sa_ipsec_life_bytes;
+ u_int64_t sa_ipsec_margin_bytes;
+ u_int64_t sa_ipsec_life_packets;
+ u_int64_t sa_ipsec_margin_packets;
unsigned long sa_keying_tries;
unsigned long sa_rekey_fuzz;
sa_family_t addr_family;
@@ -124,12 +129,14 @@ struct starter_conn {
char *esp;
char *ike;
char *pfsgroup;
-
+
time_t dpd_delay;
time_t dpd_timeout;
dpd_action_t dpd_action;
int dpd_count;
-
+
+ time_t inactivity;
+
bool me_mediation;
char *me_mediated_by;
char *me_peerid;
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
index 3fff65be7..92b2c74a4 100644
--- a/src/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -1,5 +1,6 @@
/* strongSwan IPsec interfaces management
* Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+ * 2009 Heiko Hund - Astaro AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -12,12 +13,6 @@
* for more details.
*/
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#ifdef HAVE_SYS_SOCKIO_H
-#include <sys/sockio.h>
-#endif
-
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
@@ -33,120 +28,185 @@
#include "exec.h"
#include "files.h"
+#ifdef START_PLUTO
+
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <linux/rtnetlink.h>
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif
+
/*
- * discover the default route via /proc/net/route
+ * Get the default route information via rtnetlink
*/
void
get_defaultroute(defaultroute_t *defaultroute)
{
- FILE *fd;
- char line[BUF_LEN];
- bool first = TRUE;
-
- memset(defaultroute, 0, sizeof(defaultroute_t));
+ union {
+ struct {
+ struct nlmsghdr nh;
+ struct rtmsg rt;
+ } m;
+ char buf[4096];
+ } rtu;
+
+ struct nlmsghdr *nh;
+ uint32_t best_metric = ~0;
+ ssize_t msglen;
+ int fd;
+
+ bzero(&rtu, sizeof(rtu));
+ rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt));
+ rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
+ rtu.m.nh.nlmsg_type = RTM_GETROUTE;
+ rtu.m.rt.rtm_family = AF_INET;
+ rtu.m.rt.rtm_table = RT_TABLE_UNSPEC;
+ rtu.m.rt.rtm_protocol = RTPROT_UNSPEC;
+ rtu.m.rt.rtm_type = RTN_UNICAST;
+
+ fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
+ if (fd == -1)
+ {
+ plog("could not create rtnetlink socket");
+ return;
+ }
- fd = fopen("/proc/net/route", "r");
+ if (send(fd, &rtu, rtu.m.nh.nlmsg_len, 0) == -1)
+ {
+ plog("could not write to rtnetlink socket");
+ close(fd);
+ return;
+ }
- if (!fd)
+ msglen = recv(fd, &rtu, sizeof(rtu), MSG_WAITALL);
+ if (msglen == -1)
{
- plog("could not open 'proc/net/route'");
+ plog("could not read from rtnetlink socket");
+ close(fd);
return;
}
- while (fgets(line, sizeof(line), fd) != 0)
+ close(fd);
+
+ for (nh = &rtu.m.nh; NLMSG_OK(nh, msglen); nh = NLMSG_NEXT(nh, msglen))
{
- char iface[11];
- char destination[9];
- char gateway[11];
- char flags[5];
- char mask[9];
-
- int refcnt;
- int use;
- int metric;
- int items;
-
- /* proc/net/route returns IP addresses in host order */
- strcpy(gateway, "0h");
-
- /* skip the header line */
- if (first)
+ struct rtmsg *rt;
+ struct rtattr *rta;
+ uint32_t rtalen, metric = 0;
+ struct in_addr gw = { .s_addr = INADDR_ANY };
+ int iface_idx = -1;
+
+ if (nh->nlmsg_type == NLMSG_ERROR)
{
- first = FALSE;
- continue;
+ plog("error from rtnetlink");
+ return;
}
- /* parsing a single line of proc/net/route */
- items = sscanf(line, "%10s\t%8s\t%8s\t%5s\t%d\t%d\t%d\t%8s\t"
- , iface, destination, gateway+2, flags, &refcnt, &use, &metric, mask);
- if (items < 8)
- {
- plog("parsing error while scanning /proc/net/route");
+ if (nh->nlmsg_type == NLMSG_DONE)
+ break;
+
+ rt = NLMSG_DATA(nh);
+ if ( rt->rtm_dst_len != 0
+ || (rt->rtm_table != RT_TABLE_MAIN
+ && rt->rtm_table != RT_TABLE_DEFAULT) )
continue;
+
+ rta = RTM_RTA(rt);
+ rtalen = RTM_PAYLOAD(nh);
+ while ( RTA_OK(rta, rtalen) )
+ {
+ switch (rta->rta_type)
+ {
+ case RTA_GATEWAY:
+ gw = *(struct in_addr *) RTA_DATA(rta);
+ break;
+ case RTA_OIF:
+ iface_idx = *(int *) RTA_DATA(rta);
+ break;
+ case RTA_PRIORITY:
+ metric = *(uint32_t *) RTA_DATA(rta);
+ break;
+ }
+ rta = RTA_NEXT(rta, rtalen);
}
- /* check for defaultroute (destination 0.0.0.0 and mask 0.0.0.0) */
- if (streq(destination, "00000000") && streq(mask, "00000000"))
+ if (metric < best_metric
+ && iface_idx != -1)
{
- if (defaultroute->defined)
+ struct ifreq req;
+
+ fd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (fd < 0)
+ {
+ plog("could not open AF_INET socket");
+ break;
+ }
+ bzero(&req, sizeof(req));
+ req.ifr_ifindex = iface_idx;
+ if (ioctl(fd, SIOCGIFNAME, &req) < 0 ||
+ ioctl(fd, SIOCGIFADDR, &req) < 0)
{
- plog("multiple default routes - cannot cope with %%defaultroute!!!");
- defaultroute->defined = FALSE;
- fclose(fd);
- return;
+ plog("could not read interface data, ignoring route");
+ close(fd);
+ break;
}
- ttoaddr(gateway, strlen(gateway), AF_INET, &defaultroute->nexthop);
- strncpy(defaultroute->iface, iface, IFNAMSIZ);
+
+ strncpy(defaultroute->iface, req.ifr_name, IFNAMSIZ);
+ defaultroute->addr.u.v4 = *((struct sockaddr_in *) &req.ifr_addr);
+ defaultroute->nexthop.u.v4.sin_family = AF_INET;
+
+ if (gw.s_addr == INADDR_ANY)
+ {
+ if (ioctl(fd, SIOCGIFDSTADDR, &req) < 0 ||
+ ((struct sockaddr_in*) &req.ifr_dstaddr)->sin_addr.s_addr == INADDR_ANY)
+ {
+ DBG_log("Ignoring default route to device %s because we can't get it's destination",
+ req.ifr_name);
+ close(fd);
+ break;
+ }
+
+ defaultroute->nexthop.u.v4 = *((struct sockaddr_in *) &req.ifr_dstaddr);
+ }
+ else
+ defaultroute->nexthop.u.v4.sin_addr = gw;
+
+ close(fd);
+
+ DBG(DBG_CONTROL,
+ char addr[20];
+ char nexthop[20];
+ addrtot(&defaultroute->addr, 0, addr, sizeof(addr));
+ addrtot(&defaultroute->nexthop, 0, nexthop, sizeof(nexthop));
+
+ DBG_log(
+ ( !defaultroute->defined
+ ? "Default route found: iface=%s, addr=%s, nexthop=%s"
+ : "Better default route: iface=%s, addr=%s, nexthop=%s"
+ ), defaultroute->iface, addr, nexthop
+ )
+ );
+
+ best_metric = metric;
defaultroute->defined = TRUE;
}
}
- fclose(fd);
+ defaultroute->supported = TRUE;
if (!defaultroute->defined)
- {
plog("no default route - cannot cope with %%defaultroute!!!");
- }
- else
- {
- char addr_buf[20], nexthop_buf[20];
- struct ifreq physreq;
+}
- int sock = socket(AF_INET, SOCK_DGRAM, 0);
+#else /* !START_PLUTO */
- /* determine IP address of iface */
- if (sock < 0)
- {
- plog("could not open SOCK_DGRAM socket");
- defaultroute->defined = FALSE;
- return;
- }
- memset ((void*)&physreq, 0, sizeof(physreq));
- strncpy(physreq.ifr_name, defaultroute->iface, IFNAMSIZ);
- ioctl(sock, SIOCGIFADDR, &physreq);
- close(sock);
- defaultroute->addr.u.v4 = *((struct sockaddr_in *)&physreq.ifr_addr);
-
- addrtot(&defaultroute->addr, 0, addr_buf, sizeof(addr_buf));
- addrtot(&defaultroute->nexthop, 0, nexthop_buf, sizeof(nexthop_buf));
-
- DBG(DBG_CONTROL,
- DBG_log("Default route found: iface=%s, addr=%s, nexthop=%s"
- , defaultroute->iface, addr_buf, nexthop_buf)
- )
-
- /* for backwards-compatibility with the awk shell scripts
- * store the defaultroute in /var/run/ipsec.info
- */
- fd = fopen(INFO_FILE, "w");
-
- if (fd)
- {
- fprintf(fd, "defaultroutephys=%s\n", defaultroute->iface );
- fprintf(fd, "defaultroutevirt=ipsec0\n");
- fprintf(fd, "defaultrouteaddr=%s\n", addr_buf);
- fprintf(fd, "defaultroutenexthop=%s\n", nexthop_buf);
- fclose(fd);
- }
- }
- return;
+/**
+ * Pluto disabled, fall back to %any
+ */
+void
+get_defaultroute(defaultroute_t *defaultroute)
+{
+ defaultroute->supported = FALSE;
}
+#endif /* START_PLUTO */
+
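Review bot: The parser trusts whatever arrives on the socket: `rt = NLMSG_DATA(nh)` and the `RTA_DATA` casts in the switch are reached without checking that `nh->nlmsg_len` covers a `struct rtmsg` or that `RTA_PAYLOAD(rta)` is at least the size being read, and because the reply is taken with `recv()` rather than `recvmsg()`/`recvfrom()` the sender is never confirmed to be the kernel (`nl_pid == 0`), which matters on kernels that let other user-space NETLINK_ROUTE peers unicast to this socket. A message shorter than a `struct rtmsg` makes `RTM_PAYLOAD(nh)` underflow and the `RTA_OK` loop walk past the buffer. Separately, the old `memset(defaultroute, 0, sizeof(defaultroute_t))` at the top was dropped, so `defined` and `supported` carry whatever the caller left in them, and on the `send`/`recv`/`NLMSG_ERROR` early returns `supported` is never assigned — presumably callers zero the struct, but that is not visible here. A single 4096-byte `recv()` also cannot hold a full `NLM_F_DUMP` reply on hosts with many routes, in which case `NLMSG_DONE` never arrives and later, possibly better, default routes are silently skipped. Minimal length checks:

```c
rt = NLMSG_DATA(nh);
if (nh->nlmsg_len < NLMSG_LENGTH(sizeof(*rt)))
{
	plog("truncated rtnetlink message, ignoring");
	break;
}
/* … unchanged: rtm_dst_len / rtm_table filter … */
case RTA_GATEWAY:
	if (RTA_PAYLOAD(rta) >= sizeof(gw))
	{
		gw = *(struct in_addr *) RTA_DATA(rta);
	}
	break;
/* … unchanged: RTA_OIF and RTA_PRIORITY, each with the same RTA_PAYLOAD guard for their int/uint32_t reads … */
```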
diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h
index abe4c8f9c..ff8535f0e 100644
--- a/src/starter/interfaces.h
+++ b/src/starter/interfaces.h
@@ -23,6 +23,7 @@
typedef struct {
bool defined;
+ bool supported;
char iface[IFNAMSIZ];
ip_address addr;
ip_address nexthop;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 1eb2a0332..f8aa5e6a9 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -127,7 +127,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
};
-
+
if (attach_gdb)
{
argc = 0;
@@ -163,7 +163,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
{
break;
}
-
+
/* get next */
pos = strchr(pos, ',');
if (pos)
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index 08fb0657a..f91f4b6c9 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -94,7 +94,7 @@ starter_stop_pluto (void)
/* be more and more aggressive */
for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
{
-
+
if (i < 10)
{
kill(pid, SIGTERM);
@@ -103,7 +103,7 @@ starter_stop_pluto (void)
{
kill(pid, SIGKILL);
plog("starter_stop_pluto(): pluto does not respond, sending KILL");
- }
+ }
else
{
kill(pid, SIGKILL);
@@ -147,7 +147,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb)
};
printf ("starter_start_pluto entered\n");
-
+
if (attach_gdb)
{
argc = 0;
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 31e676324..d4dd7238f 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -248,7 +248,7 @@ for Elliptic Curve DSA signatures.
.B never
can be used if negotiation is never to be attempted or accepted (useful for
shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
+Digital signatures are superior in every way to shared secrets.
IKEv1 additionally supports the values
.B xauthpsk
and
@@ -256,7 +256,7 @@ and
that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
based on shared secrets or digital RSA signatures, respectively.
This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
+to agree on an authentication method. Use the
.B leftauth
parameter instead to define authentication methods in IKEv2.
.TP
@@ -282,7 +282,7 @@ and
loads a connection and brings it up immediatly.
.B ignore
ignores the connection. This is equal to delete a connection from the config
-file.
+file.
Relevant only locally, other end need not agree on it
(but in general, for an intended-to-be-permanent connection,
both ends should use
@@ -314,7 +314,7 @@ are periodically sent in order to check the
liveliness of the IPsec peer. The values
.BR clear ,
.BR hold ,
-and
+and
.B restart
all activate DPD. If no activity is detected, all connections with a dead peer
are stopped and unrouted (
@@ -348,19 +348,23 @@ defines the timeout interval, after which all connections to a peer are deleted
in case of inactivity. This only applies to IKEv1, in IKEv2 the default
retransmission timeout applies, as every exchange is used to detect dead peers.
.TP
+.B inactivity
+defines the timeout interval, after which a CHILD_SA is closed if it did
+not send or receive any traffic. Currently supported in IKEv2 connections only.
+.TP
.B eap
defines the EAP type to propose as server if the client requests EAP
authentication. This parameter is deprecated in the favour of
.B leftauth.
To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
+set
.B eap=radius
.TP
.B eap_identity
defines the identity the client uses to reply to a EAP Identity request.
If defined on the EAP server, the defined identity will be used as peer
-identity during EAP authentication. The special value
+identity during EAP authentication. The special value
.B %identity
uses the EAP Identity method to ask the client for a EAP identity. If not
defined, the IKEv2 identity will be used as EAP identity.
@@ -374,7 +378,7 @@ and rekeying include a separate diffe hellman exchange (IKEv2 only).
.TP
.B forceencaps
Force UDP encapsulation for ESP packets even if no NAT situation is detected.
-This may help to hurdle restrictive firewalls. To enforce the peer to
+This may help to hurdle restrictive firewalls. To enforce the peer to
encapsulate packets, NAT detection payloads are faked (IKEv2 only).
.TP
.B ike
@@ -403,8 +407,8 @@ which protocol should be used to initialize the connection. Connections marked w
.B ikev1
are initiated with pluto, those marked with
.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
+with charon. An incoming request from the remote peer is handled by the correct
+daemon, unaffected from the
.B keyexchange
setting. The default value
.B ike
@@ -421,30 +425,8 @@ means 'never give up'.
Relevant only locally, other end need not agree on it.
.TP
.B keylife
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires.
-The two ends need not exactly agree on
-.BR keylife ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
+synonym for
+.BR lifetime .
.TP
.B left
(required)
@@ -494,14 +476,14 @@ and
.TP
.B leftauth
Authentication method to use (local) or require (remote) in this connection.
-This parameter is supported in IKEv2 only. Acceptable values are
+This parameter is supported in IKEv2 only. Acceptable values are
.B pubkey
-for public key authentication (RSA/ECDSA),
+for public key authentication (RSA/ECDSA),
.B psk
for pre-shared key authentication and
.B eap
to (require the) use of the Extensible Authentication Protocol. In the case
-of
+of
.B eap,
an optional EAP method can be appended. Currently defined methods are
.B eap-aka, eap-sim, eap-gtc, eap-md5
@@ -515,7 +497,7 @@ EAP methods are defined in the form
).
.TP
.B leftauth2
-Same as
+Same as
.B leftauth,
but defines an additional authentication exchange. IKEv2 supports multiple
authentication rounds using "Multiple Authentication Exchanges" defined
@@ -525,7 +507,7 @@ of host and user (IKEv2 only).
.B leftca
the distinguished name of a certificate authority which is required to
lie in the trust path going from the left participant's certificate up
-to the root certification authority.
+to the root certification authority.
.TP
.B leftca2
Same as
@@ -538,7 +520,7 @@ PEM or DER format. OpenPGP certificates are supported as well.
Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
are accepted. By default
.B leftcert
-sets
+sets
.B leftid
to the distinguished name of the certificate's subject and
.B leftca
@@ -679,7 +661,7 @@ or
.B %cfg,
an address is requested from the peer. In IKEv2, a defined address is requested,
but the server may change it. If the server does not support it, the address
-is enforced.
+is enforced.
.TP
.B rightsourceip
The internal source IP to use in a tunnel for the remote peer. If the
@@ -724,6 +706,61 @@ Relevant only locally, other end need not agree on it. IKEv2 uses the updown
script to insert firewall rules only. Routing is not support and will be
implemented directly into Charon.
.TP
+.B lifebytes
+the number of bytes transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.B lifepackets
+the number of packets transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.B lifetime
+how long a particular instance of a connection
+(a set of encryption/authentication keys for user packets) should last,
+from successful negotiation to expiry;
+acceptable values are an integer optionally followed by
+.BR s
+(a time in seconds)
+or a decimal number followed by
+.BR m ,
+.BR h ,
+or
+.B d
+(a time
+in minutes, hours, or days respectively)
+(default
+.BR 1h ,
+maximum
+.BR 24h ).
+Normally, the connection is renegotiated (via the keying channel)
+before it expires (see
+.BR margintime ).
+The two ends need not exactly agree on
+.BR lifetime ,
+although if they do not,
+there will be some clutter of superseded connections on the end
+which thinks the lifetime is longer.
+.TP
+.B marginbytes
+how many bytes before IPsec SA expiry (see
+.BR lifebytes )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.B marginpackets
+how many packets before IPsec SA expiry (see
+.BR lifepackets )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.B margintime
+how long before connection expiry or keying-channel expiry
+should attempts to
+negotiate a replacement
+begin; acceptable values as for
+.B lifetime
+(default
+.BR 9m ).
+Relevant only locally, other end need not agree on it.
+.TP
.B mobike
enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
.B yes
@@ -759,7 +796,7 @@ PFS is enforced by defining a Diffie-Hellman modp group in the
.B esp
parameter.
.TP
-.B pfsgroup
+.B pfsgroup
defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
.TP
@@ -789,35 +826,35 @@ will be largely ineffective unless both ends agree on it.
.TP
.B rekeyfuzz
maximum percentage by which
-.B rekeymargin
+.BR marginbytes ,
+.B marginpackets
+and
+.B margintime
should be randomly increased to randomize rekeying intervals
(important for hosts with many connections);
acceptable values are an integer,
which may exceed 100,
followed by a `%'
-(default set by
-.IR pluto (8),
-currently
+(defaults to
.BR 100% ).
The value of
-.BR rekeymargin ,
+.BR marginTYPE ,
after this random increase,
must not exceed
-.BR keylife .
+.B lifeTYPE
+(where TYPE is one of
+.IR bytes ,
+.I packets
+or
+.IR time ).
The value
.B 0%
-will suppress time randomization.
+will suppress randomization.
Relevant only locally, other end need not agree on it.
.TP
.B rekeymargin
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B keylife
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it.
+synonym for
+.BR margintime .
.TP
.B type
the type of the connection; currently the accepted values
@@ -854,7 +891,7 @@ and
(the default).
.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
+The following parameters are relevant to IKEv2 Mediation Extension
operation only.
.TP 14
.B mediation
@@ -884,7 +921,7 @@ of this connection will be used as peer ID.
.SH "CA SECTIONS"
This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA). These parameters are not
+parameters to a Certification Authority (CA). These parameters are not
supported in IKEv2 yet.
.TP 10
.B auto
@@ -892,10 +929,10 @@ currently can have either the value
.B ignore
or
.B add
-.
+.
.TP
.B cacert
-defines a path to the CA certificate either relative to
+defines a path to the CA certificate either relative to
\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
.TP
.B crluri
@@ -970,7 +1007,7 @@ Accepted values are
.B yes
or
.BR no .
-The default is
+The default is
.B yes
if starter was compiled with IKEv2 support.
.TP
@@ -987,7 +1024,7 @@ Accepted values are
.B yes
or
.BR no .
-The default is
+The default is
.B yes
if starter was compiled with IKEv1 support.
.TP
@@ -1192,7 +1229,7 @@ value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
overriding IPsec's (large) default.
.SH CHOOSING A CONNECTION
.PP
-When choosing a connection to apply to an outbound packet caught with a
+When choosing a connection to apply to an outbound packet caught with a
.BR %trap,
the system prefers the one with the most specific eroute that
includes the packet's source and destination IP addresses.
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 3ca7a92f6..e379f78e9 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -54,12 +54,12 @@ struct kw_entry {
kw_token_t token;
};
-#define TOTAL_KEYWORDS 112
+#define TOTAL_KEYWORDS 119
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 13
-#define MAX_HASH_VALUE 200
-/* maximum key range = 188, duplicates = 0 */
+#define MIN_HASH_VALUE 17
+#define MAX_HASH_VALUE 215
+/* maximum key range = 199, duplicates = 0 */
#ifdef __GNUC__
__inline
@@ -75,32 +75,32 @@ hash (str, len)
{
static const unsigned char asso_values[] =
{
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 3,
- 42, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 1, 201, 9, 201, 5,
- 39, 1, 64, 47, 62, 1, 201, 88, 5, 83,
- 39, 30, 21, 201, 1, 10, 6, 44, 14, 201,
- 4, 54, 4, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201, 201, 201, 201, 201,
- 201, 201, 201, 201, 201, 201
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 12,
+ 78, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 4, 216, 20, 216, 45,
+ 55, 4, 77, 14, 78, 4, 216, 119, 4, 89,
+ 46, 34, 29, 216, 6, 12, 5, 56, 34, 216,
+ 4, 20, 5, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216, 216, 216, 216, 216,
+ 216, 216, 216, 216, 216, 216
};
register int hval = len;
@@ -124,143 +124,151 @@ hash (str, len)
static const struct kw_entry wordlist[] =
{
- {"right", KW_RIGHT},
- {"crluri", KW_CRLURI},
{"left", KW_LEFT},
- {"crluri1", KW_CRLURI},
- {"certuribase", KW_CERTURIBASE},
+ {"right", KW_RIGHT},
+ {"lifetime", KW_KEYLIFE},
{"leftcert", KW_LEFTCERT,},
- {"rightcert", KW_RIGHTCERT},
- {"rightca", KW_RIGHTCA},
{"leftfirewall", KW_LEFTFIREWALL},
{"leftsendcert", KW_LEFTSENDCERT},
{"leftprotoport", KW_LEFTPROTOPORT},
+ {"type", KW_TYPE},
+ {"rekey", KW_REKEY},
{"leftgroups", KW_LEFTGROUPS},
- {"crlcheckinterval", KW_CRLCHECKINTERVAL},
{"rightsubnet", KW_RIGHTSUBNET},
- {"leftca", KW_LEFTCA},
{"rightsendcert", KW_RIGHTSENDCERT},
- {"cacert", KW_CACERT},
- {"eap", KW_EAP},
+ {"leftallowany", KW_LEFTALLOWANY},
+ {"rightgroups", KW_RIGHTGROUPS},
{"esp", KW_ESP},
- {"cachecrls", KW_CACHECRLS},
+ {"lifebytes", KW_LIFEBYTES},
+ {"rightrsasigkey", KW_RIGHTRSASIGKEY},
+ {"lifepackets", KW_LIFEPACKETS},
{"leftnexthop", KW_LEFTNEXTHOP},
- {"virtual_private", KW_VIRTUAL_PRIVATE},
+ {"leftrsasigkey", KW_LEFTRSASIGKEY},
+ {"leftca", KW_LEFTCA},
+ {"eap", KW_EAP},
+ {"strictcrlpolicy", KW_STRICTCRLPOLICY},
{"rightprotoport", KW_RIGHTPROTOPORT},
- {"ocspuri", KW_OCSPURI},
- {"leftnatip", KW_LEFTNATIP},
- {"rightsourceip", KW_RIGHTSOURCEIP},
- {"ocspuri1", KW_OCSPURI},
- {"also", KW_ALSO},
- {"rightid", KW_RIGHTID},
{"plutostart", KW_PLUTOSTART},
- {"rightid2", KW_RIGHTID2},
- {"compress", KW_COMPRESS},
- {"packetdefault", KW_PACKETDEFAULT},
- {"crluri2", KW_CRLURI2},
- {"rightca2", KW_RIGHTCA2},
- {"leftcert2", KW_LEFTCERT2,},
- {"rightcert2", KW_RIGHTCERT2},
+ {"also", KW_ALSO},
+ {"rightallowany", KW_RIGHTALLOWANY},
+ {"rightsourceip", KW_RIGHTSOURCEIP},
+ {"crluri", KW_CRLURI},
+ {"leftnatip", KW_LEFTNATIP},
{"lefthostaccess", KW_LEFTHOSTACCESS},
- {"rekey", KW_REKEY},
- {"ldapbase", KW_LDAPBASE},
- {"rightauth2", KW_RIGHTAUTH2},
- {"leftca2", KW_LEFTCA2},
- {"type", KW_TYPE},
+ {"rightcert", KW_RIGHTCERT},
+ {"certuribase", KW_CERTURIBASE},
+ {"packetdefault", KW_PACKETDEFAULT},
+ {"plutostderrlog", KW_PLUTOSTDERRLOG},
+ {"crluri1", KW_CRLURI},
+ {"crlcheckinterval", KW_CRLCHECKINTERVAL},
+ {"rightid", KW_RIGHTID},
+ {"virtual_private", KW_VIRTUAL_PRIVATE},
{"leftsubnet", KW_LEFTSUBNET},
- {"nat_traversal", KW_NAT_TRAVERSAL},
- {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
+ {"cacert", KW_CACERT},
+ {"rightca", KW_RIGHTCA},
{"leftsourceip", KW_LEFTSOURCEIP},
- {"rightgroups", KW_RIGHTGROUPS},
- {"rightrsasigkey", KW_RIGHTRSASIGKEY},
+ {"inactivity", KW_INACTIVITY},
+ {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
+ {"installpolicy", KW_INSTALLPOLICY},
+ {"nat_traversal", KW_NAT_TRAVERSAL},
+ {"ldapbase", KW_LDAPBASE},
+ {"leftupdown", KW_LEFTUPDOWN},
{"rightnatip", KW_RIGHTNATIP},
+ {"ocspuri", KW_OCSPURI},
{"rightnexthop", KW_RIGHTNEXTHOP},
- {"leftupdown", KW_LEFTUPDOWN},
- {"leftallowany", KW_LEFTALLOWANY},
- {"rightallowany", KW_RIGHTALLOWANY},
+ {"leftcert2", KW_LEFTCERT2,},
+ {"rightid2", KW_RIGHTID2},
{"rekeyfuzz", KW_REKEYFUZZ},
- {"xauth", KW_XAUTH},
- {"rightauth", KW_RIGHTAUTH},
- {"leftrsasigkey", KW_LEFTRSASIGKEY},
+ {"compress", KW_COMPRESS},
{"rightfirewall", KW_RIGHTFIREWALL},
- {"ocspuri2", KW_OCSPURI2},
- {"auto", KW_AUTO},
+ {"ocspuri1", KW_OCSPURI},
{"ldaphost", KW_LDAPHOST},
+ {"xauth", KW_XAUTH},
+ {"postpluto", KW_POSTPLUTO},
+ {"eap_identity", KW_EAP_IDENTITY},
+ {"plutodebug", KW_PLUTODEBUG},
+ {"leftca2", KW_LEFTCA2},
+ {"auto", KW_AUTO},
{"righthostaccess", KW_RIGHTHOSTACCESS},
+ {"dpddelay", KW_DPDDELAY},
+ {"rightauth", KW_RIGHTAUTH},
+ {"rightauth2", KW_RIGHTAUTH2},
+ {"pfs", KW_PFS},
+ {"authby", KW_AUTHBY},
+ {"rightupdown", KW_RIGHTUPDOWN},
{"leftid", KW_LEFTID},
- {"strictcrlpolicy", KW_STRICTCRLPOLICY},
+ {"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
+ {"uniqueids", KW_UNIQUEIDS},
{"dumpdir", KW_DUMPDIR},
+ {"mediated_by", KW_MEDIATED_BY},
{"ike", KW_IKE},
- {"leftid2", KW_LEFTID2},
- {"postpluto", KW_POSTPLUTO},
- {"rightupdown", KW_RIGHTUPDOWN},
- {"plutostderrlog", KW_PLUTOSTDERRLOG},
- {"pfs", KW_PFS},
- {"fragicmp", KW_FRAGICMP},
- {"overridemtu", KW_OVERRIDEMTU},
- {"leftauth2", KW_LEFTAUTH2},
- {"uniqueids", KW_UNIQUEIDS},
+ {"cachecrls", KW_CACHECRLS},
{"prepluto", KW_PREPLUTO},
- {"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
- {"keyexchange", KW_KEYEXCHANGE},
- {"keep_alive", KW_KEEP_ALIVE},
- {"hidetos", KW_HIDETOS},
{"force_keepalive", KW_FORCE_KEEPALIVE},
- {"installpolicy", KW_INSTALLPOLICY},
- {"dpdaction", KW_DPDACTION},
- {"eap_identity", KW_EAP_IDENTITY},
+ {"hidetos", KW_HIDETOS},
+ {"mobike", KW_MOBIKE},
{"forceencaps", KW_FORCEENCAPS},
+ {"overridemtu", KW_OVERRIDEMTU},
+ {"crluri2", KW_CRLURI2},
+ {"rightca2", KW_RIGHTCA2},
+ {"rightcert2", KW_RIGHTCERT2},
+ {"dpdaction", KW_DPDACTION},
{"nocrsend", KW_NOCRSEND},
- {"auth", KW_AUTH},
- {"leftauth", KW_LEFTAUTH},
- {"mobike", KW_MOBIKE},
- {"plutodebug", KW_PLUTODEBUG},
- {"charonstart", KW_CHARONSTART},
+ {"leftid2", KW_LEFTID2},
{"interfaces", KW_INTERFACES},
+ {"leftauth", KW_LEFTAUTH},
+ {"leftauth2", KW_LEFTAUTH2},
+ {"mediation", KW_MEDIATION},
+ {"rekeymargin", KW_REKEYMARGIN},
+ {"keep_alive", KW_KEEP_ALIVE},
+ {"auth", KW_AUTH},
+ {"keyingtries", KW_KEYINGTRIES},
+ {"me_peerid", KW_ME_PEERID},
+ {"fragicmp", KW_FRAGICMP},
+ {"margintime", KW_REKEYMARGIN},
+ {"ocspuri2", KW_OCSPURI2},
+ {"reauth", KW_REAUTH},
{"pkcs11module", KW_PKCS11MODULE},
- {"dpddelay", KW_DPDDELAY},
+ {"pfsgroup", KW_PFSGROUP},
+ {"marginbytes", KW_MARGINBYTES},
{"pkcs11keepstate", KW_PKCS11KEEPSTATE},
- {"reauth", KW_REAUTH},
- {"me_peerid", KW_ME_PEERID},
- {"rekeymargin", KW_REKEYMARGIN},
+ {"marginpackets", KW_MARGINPACKETS},
+ {"modeconfig", KW_MODECONFIG},
+ {"keyexchange", KW_KEYEXCHANGE},
+ {"charonstart", KW_CHARONSTART},
{"pkcs11initargs", KW_PKCS11INITARGS},
- {"mediation", KW_MEDIATION},
- {"pfsgroup", KW_PFSGROUP},
- {"mediated_by", KW_MEDIATED_BY},
- {"keyingtries", KW_KEYINGTRIES},
{"dpdtimeout", KW_DPDTIMEOUT},
- {"keylife", KW_KEYLIFE},
- {"charondebug", KW_CHARONDEBUG},
- {"ikelifetime", KW_IKELIFETIME},
- {"authby", KW_AUTHBY},
{"pkcs11proxy", KW_PKCS11PROXY},
+ {"charondebug", KW_CHARONDEBUG},
{"klipsdebug", KW_KLIPSDEBUG},
- {"modeconfig", KW_MODECONFIG}
+ {"keylife", KW_KEYLIFE},
+ {"ikelifetime", KW_IKELIFETIME}
};
static const short lookup[] =
{
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, 0, 1, -1, 2, 3, -1, 4,
- -1, 5, 6, 7, 8, 9, 10, 11, 12, 13,
- 14, 15, 16, -1, 17, 18, -1, -1, 19, 20,
- 21, -1, -1, 22, 23, 24, 25, 26, 27, 28,
- -1, -1, 29, 30, 31, 32, 33, 34, 35, 36,
- 37, 38, 39, 40, 41, 42, 43, 44, 45, 46,
- 47, 48, 49, -1, 50, -1, 51, 52, 53, 54,
- 55, -1, 56, 57, 58, -1, 59, 60, 61, 62,
- 63, 64, 65, 66, 67, 68, 69, 70, 71, 72,
- 73, 74, -1, 75, 76, 77, 78, -1, -1, 79,
- 80, 81, 82, -1, 83, 84, 85, 86, -1, 87,
- 88, 89, 90, 91, 92, 93, -1, 94, 95, -1,
- -1, -1, 96, 97, -1, 98, 99, -1, 100, -1,
- -1, -1, -1, -1, 101, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, 102, -1, 103, -1, 104,
- -1, 105, -1, -1, 106, 107, -1, 108, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, 109, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, 110,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- 111
+ -1, -1, -1, -1, -1, -1, -1, 0, -1, -1,
+ 1, -1, -1, -1, 2, 3, -1, -1, 4, 5,
+ -1, -1, 6, 7, -1, 8, 9, -1, 10, -1,
+ 11, -1, -1, -1, 12, -1, -1, 13, 14, 15,
+ 16, 17, 18, 19, 20, -1, 21, 22, 23, -1,
+ 24, -1, 25, 26, 27, 28, 29, -1, 30, 31,
+ 32, -1, 33, 34, 35, 36, 37, 38, -1, 39,
+ -1, 40, 41, 42, 43, 44, -1, 45, -1, 46,
+ -1, 47, -1, 48, -1, 49, 50, 51, -1, 52,
+ 53, 54, -1, 55, 56, 57, 58, 59, -1, -1,
+ 60, 61, 62, 63, 64, 65, 66, 67, 68, -1,
+ -1, 69, 70, 71, 72, -1, 73, 74, 75, 76,
+ 77, 78, -1, 79, 80, 81, -1, 82, 83, 84,
+ 85, 86, -1, 87, 88, -1, -1, 89, 90, 91,
+ 92, 93, -1, 94, -1, -1, 95, 96, 97, -1,
+ 98, 99, -1, -1, -1, 100, -1, -1, -1, 101,
+ -1, 102, 103, -1, -1, -1, 104, 105, 106, 107,
+ 108, 109, -1, 110, -1, 111, 112, -1, 113, -1,
+ -1, 114, -1, -1, 115, -1, -1, -1, -1, -1,
+ -1, -1, 116, -1, -1, -1, -1, -1, -1, -1,
+ -1, 117, -1, -1, -1, 118
};
#ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 3a115d15d..8be31d148 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -66,7 +66,7 @@ typedef enum {
KW_TYPE,
KW_PFS,
KW_COMPRESS,
- KW_INSTALLPOLICY,
+ KW_INSTALLPOLICY,
KW_AUTH,
KW_AUTHBY,
KW_EAP,
@@ -76,6 +76,10 @@ typedef enum {
KW_IKELIFETIME,
KW_KEYLIFE,
KW_REKEYMARGIN,
+ KW_LIFEBYTES,
+ KW_MARGINBYTES,
+ KW_LIFEPACKETS,
+ KW_MARGINPACKETS,
KW_KEYINGTRIES,
KW_REKEYFUZZ,
KW_REKEY,
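Review bot: Inserting `KW_LIFEBYTES`, `KW_MARGINBYTES`, `KW_LIFEPACKETS` and `KW_MARGINPACKETS` in the middle of the token enum (and `KW_INACTIVITY` in the `@@ -86,6 +90,7 @@` hunk) renumbers every later keyword, so any table that is indexed by token value rather than by name must gain entries at exactly the same positions. args.c is in the diffstat, so this was presumably done, but it is worth confirming the parallel tables line up, since a mismatch would silently assign the wrong field type to later keywords. A comment at the enum head would help the next editor: `/* order is significant: tables indexed by token value must be updated in step */`. The enum starts and ends outside the hunk.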
@@ -86,6 +90,7 @@ typedef enum {
KW_DPDDELAY,
KW_DPDTIMEOUT,
KW_DPDACTION,
+ KW_INACTIVITY,
KW_MODECONFIG,
KW_XAUTH,
KW_MEDIATION,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 66c894850..adf3069bf 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -64,6 +64,12 @@ auth, KW_AUTH
authby, KW_AUTHBY
keylife, KW_KEYLIFE
rekeymargin, KW_REKEYMARGIN
+lifetime, KW_KEYLIFE
+margintime, KW_REKEYMARGIN
+lifebytes, KW_LIFEBYTES
+marginbytes, KW_MARGINBYTES
+lifepackets, KW_LIFEPACKETS
+marginpackets, KW_MARGINPACKETS
ikelifetime, KW_IKELIFETIME
keyingtries, KW_KEYINGTRIES
rekeyfuzz, KW_REKEYFUZZ
@@ -75,6 +81,7 @@ pfsgroup, KW_PFSGROUP
dpddelay, KW_DPDDELAY
dpdtimeout, KW_DPDTIMEOUT
dpdaction, KW_DPDACTION
+inactivity, KW_INACTIVITY
modeconfig, KW_MODECONFIG
xauth, KW_XAUTH
mediation, KW_MEDIATION
diff --git a/src/starter/klips.c b/src/starter/klips.c
index 061dee50c..79bd25c44 100644
--- a/src/starter/klips.c
+++ b/src/starter/klips.c
@@ -46,7 +46,7 @@ starter_klips_init(void)
return FALSE;
}
}
-
+
/* load crypto algorithm modules */
ignore_result(system("modprobe -qv ipsec_aes"));
ignore_result(system("modprobe -qv ipsec_blowfish"));
@@ -55,7 +55,7 @@ starter_klips_init(void)
DBG(DBG_CONTROL,
DBG_log("Found KLIPS IPsec stack")
)
-
+
return TRUE;
}
diff --git a/src/starter/klips.h b/src/starter/klips.h
index e93348df1..1a527d108 100644
--- a/src/starter/klips.h
+++ b/src/starter/klips.h
@@ -1,4 +1,4 @@
-/* strongSwan KLIPS initialization and cleanup
+/* strongSwan KLIPS initialization and cleanup
* Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
*
* This program is free software; you can redistribute it and/or modify it
diff --git a/src/starter/netkey.h b/src/starter/netkey.h
index 55f6a7c47..c12924174 100644
--- a/src/starter/netkey.h
+++ b/src/starter/netkey.h
@@ -1,4 +1,4 @@
-/* strongSwan netkey initialization and cleanup
+/* strongSwan netkey initialization and cleanup
* Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
*
* This program is free software; you can redistribute it and/or modify it
diff --git a/src/starter/starter.c b/src/starter/starter.c
index b675ccf1c..0aab76d43 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -163,7 +163,7 @@ static void fsig(int signal)
static void generate_selfcert()
{
struct stat stb;
-
+
/* if ipsec.secrets file is missing then generate RSA default key pair */
if (stat(SECRETS_FILE, &stb) != 0)
{
@@ -176,7 +176,7 @@ static void generate_selfcert()
{
char buf[1024];
struct group group, *grp;
-
+
if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp)
{
gid = grp->gr_gid;
@@ -187,7 +187,7 @@ static void generate_selfcert()
{
char buf[1024];
struct passwd passwd, *pwp;
-
+
if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp)
{
uid = pwp->pw_uid;
@@ -353,14 +353,14 @@ int main (int argc, char **argv)
}
}
- last_reload = time(NULL);
+ last_reload = time_monotonic(NULL);
if (stat(STARTER_PID_FILE, &stb) == 0)
{
plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
exit(LSB_RC_SUCCESS);
}
-
+
generate_selfcert();
/* fork if we're not debugging stuff */
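Review bot: Switching `last_reload` to `time_monotonic(NULL)` is only consistent if everything it is compared against is monotonic too; the reads in the `@@ -582,7` and `@@ -736,7` hunks are converted, but if `last_reload` or `now` is anywhere compared with a wall-clock value (an `st_mtime` from `stat()`, or a `time(NULL)` left in another file), the auto-update timer would silently misfire. A grep for remaining `time(NULL)` uses touching these variables is worthwhile. I would also add a comment at the declaration of `last_reload`: `/* monotonic clock (time_monotonic) - never compare with wall-clock or st_mtime values */`. The enclosing main() starts and ends outside the hunk.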
@@ -381,7 +381,7 @@ int main (int argc, char **argv)
dup2(fnull, STDERR_FILENO);
close(fnull);
}
- setsid();
+ setsid();
}
break;
case -1:
@@ -491,7 +491,7 @@ int main (int argc, char **argv)
_action_ |= FLAG_ACTION_LISTEN;
}
- if (!starter_cmp_pluto(cfg, new_cfg))
+ if (!starter_cmp_pluto(cfg, new_cfg))
{
plog("Pluto has changed");
if (starter_pluto_pid())
@@ -582,7 +582,7 @@ int main (int argc, char **argv)
}
}
_action_ &= ~FLAG_ACTION_UPDATE;
- last_reload = time(NULL);
+ last_reload = time_monotonic(NULL);
}
/*
@@ -620,7 +620,7 @@ int main (int argc, char **argv)
conn->state = STATE_TO_ADD;
}
}
-
+
/*
* Start charon
*/
@@ -736,7 +736,7 @@ int main (int argc, char **argv)
*/
if (auto_update)
{
- time_t now = time(NULL);
+ time_t now = time_monotonic(NULL);
tv.tv_sec = (now < last_reload + auto_update)
? (last_reload + auto_update-now) : 0;
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 054e37fa7..665350c00 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -81,7 +81,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
ctl_addr.sun_family = AF_UNIX;
strcpy(ctl_addr.sun_path, CHARON_CTL_FILE);
-
+
/* starter is not called from commandline, and therefore absolutely silent */
msg->output_verbosity = -1;
@@ -173,7 +173,7 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
{
char buffer[INET6_ADDRSTRLEN];
-
+
msg_end->auth = push_string(msg, conn_end->auth);
msg_end->auth2 = push_string(msg, conn_end->auth2);
msg_end->id = push_string(msg, conn_end->id);
@@ -187,45 +187,13 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
msg_end->address = push_string(msg, buffer);
msg_end->subnets = push_string(msg, conn_end->subnet);
+ msg_end->sourceip = push_string(msg, conn_end->sourceip);
+ msg_end->sourceip_mask = conn_end->sourceip_mask;
msg_end->sendcert = conn_end->sendcert;
msg_end->hostaccess = conn_end->hostaccess;
msg_end->tohost = !conn_end->has_client;
msg_end->protocol = conn_end->protocol;
msg_end->port = conn_end->port;
- if (conn_end->srcip)
- {
- if (conn_end->srcip[0] == '%')
- { /* %poolname, strip % */
- msg_end->sourceip_size = 0;
- msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
- }
- else
- {
- char *pos = strchr(conn_end->srcip, '/');
- if (pos)
- { /* CIDR subnet definition */
- snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
- msg_end->sourceip = push_string(msg, buffer);
- msg_end->sourceip_size = atoi(pos + 1);
- }
- else
- { /* a single address */
- msg_end->sourceip = push_string(msg, conn_end->srcip);
- if (strchr(conn_end->srcip, ':'))
- { /* IPv6 */
- msg_end->sourceip_size = 128;
- }
- else
- { /* IPv4 */
- msg_end->sourceip_size = 32;
- }
- }
- }
- }
- else if (conn_end->modecfg)
- {
- msg_end->sourceip_size = 1;
- }
}
int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
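Review bot: The removed `else if (conn_end->modecfg) { msg_end->sourceip_size = 1; }` branch has no counterpart in the new lines, which only copy `conn_end->sourceip` and `conn_end->sourceip_mask` into the message. If the parsing that moved out of this function (presumably into confread.c, which is in the diffstat) does not translate the modeconfig/virtual-IP request into a non-NULL `sourceip` with an appropriate mask, the client side would no longer ask for a virtual IP. Also confirm that `push_string()` tolerates a NULL `sourceip`, since the old code only called it inside `if (conn_end->srcip)`. A short comment on the new lines would make the contract explicit: `/* sourceip/sourceip_mask are already parsed by confread (pool name, CIDR or single address) */`, assuming that is indeed where it now happens.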
@@ -237,7 +205,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.length = offsetof(stroke_msg_t, buffer);
msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
msg.add_conn.name = push_string(&msg, connection_name(conn));
-
+
/* PUBKEY is preferred to PSK and EAP */
if (conn->policy & POLICY_PUBKEY)
{
@@ -254,7 +222,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.eap_type = conn->eap_type;
msg.add_conn.eap_vendor = conn->eap_vendor;
msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
-
+
if (conn->policy & POLICY_TUNNEL)
{
msg.add_conn.mode = MODE_TUNNEL;
@@ -267,7 +235,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
{
msg.add_conn.mode = MODE_TRANSPORT;
msg.add_conn.proxy_mode = TRUE;
- }
+ }
else
{
msg.add_conn.mode = MODE_TRANSPORT;
@@ -279,12 +247,16 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
msg.add_conn.rekey.margin = conn->sa_rekey_margin;
+ msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
+ msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
+ msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
+ msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
msg.add_conn.rekey.tries = conn->sa_keying_tries;
msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
}
- msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
- msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
- msg.add_conn.ipcomp = conn->policy & POLICY_COMPRESS;
+ msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;
+ msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
+ msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
msg.add_conn.install_policy = conn->install_policy;
msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
msg.add_conn.unique = cfg->setup.uniqueids;
@@ -292,6 +264,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
msg.add_conn.dpd.delay = conn->dpd_delay;
msg.add_conn.dpd.action = conn->dpd_action;
+ msg.add_conn.inactivity = conn->inactivity;
msg.add_conn.ikeme.mediation = conn->me_mediation;
msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
@@ -361,7 +334,7 @@ int starter_stroke_del_ca(starter_ca_t *ca)
int starter_stroke_configure(starter_config_t *cfg)
{
stroke_msg_t msg;
-
+
if (cfg->setup.cachecrls)
{
msg.type = STR_CONFIG;
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 44b442ae2..67916395f 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -33,8 +33,7 @@
#define ip_version(string) (strchr(string, '.') ? AF_INET : AF_INET6)
-static int
-pack_str (char **p, char **next, char **roof)
+static int pack_str (char **p, char **next, char **roof)
{
const char *s = (*p==NULL) ? "" : *p; /* note: NULL becomes ""! */
size_t len = strlen(s) + 1;
@@ -52,8 +51,7 @@ pack_str (char **p, char **next, char **roof)
}
}
-static int
-send_whack_msg (whack_message_t *msg)
+static int send_whack_msg (whack_message_t *msg)
{
struct sockaddr_un ctl_addr;
int sock;
@@ -67,37 +65,41 @@ send_whack_msg (whack_message_t *msg)
str_next = (char *)msg->string;
str_roof = (char *)&msg->string[sizeof(msg->string)];
- if (!pack_str(&msg->name, &str_next, &str_roof)
- || !pack_str(&msg->left.id, &str_next, &str_roof)
- || !pack_str(&msg->left.cert, &str_next, &str_roof)
- || !pack_str(&msg->left.ca, &str_next, &str_roof)
- || !pack_str(&msg->left.groups, &str_next, &str_roof)
- || !pack_str(&msg->left.updown, &str_next, &str_roof)
- || !pack_str(&msg->left.virt, &str_next, &str_roof)
- || !pack_str(&msg->right.id, &str_next, &str_roof)
- || !pack_str(&msg->right.cert, &str_next, &str_roof)
- || !pack_str(&msg->right.ca, &str_next, &str_roof)
- || !pack_str(&msg->right.groups, &str_next, &str_roof)
- || !pack_str(&msg->right.updown, &str_next, &str_roof)
- || !pack_str(&msg->right.virt, &str_next, &str_roof)
- || !pack_str(&msg->keyid, &str_next, &str_roof)
- || !pack_str(&msg->myid, &str_next, &str_roof)
- || !pack_str(&msg->cacert, &str_next, &str_roof)
- || !pack_str(&msg->ldaphost, &str_next, &str_roof)
- || !pack_str(&msg->ldapbase, &str_next, &str_roof)
- || !pack_str(&msg->crluri, &str_next, &str_roof)
- || !pack_str(&msg->crluri2, &str_next, &str_roof)
- || !pack_str(&msg->ocspuri, &str_next, &str_roof)
- || !pack_str(&msg->ike, &str_next, &str_roof)
- || !pack_str(&msg->esp, &str_next, &str_roof)
- || !pack_str(&msg->sc_data, &str_next, &str_roof)
- || (str_roof - str_next < msg->keyval.len))
+ if (!pack_str(&msg->name, &str_next, &str_roof)
+ || !pack_str(&msg->left.id, &str_next, &str_roof)
+ || !pack_str(&msg->left.cert, &str_next, &str_roof)
+ || !pack_str(&msg->left.ca, &str_next, &str_roof)
+ || !pack_str(&msg->left.groups, &str_next, &str_roof)
+ || !pack_str(&msg->left.updown, &str_next, &str_roof)
+ || !pack_str(&msg->left.sourceip, &str_next, &str_roof)
+ || !pack_str(&msg->left.virt, &str_next, &str_roof)
+ || !pack_str(&msg->right.id, &str_next, &str_roof)
+ || !pack_str(&msg->right.cert, &str_next, &str_roof)
+ || !pack_str(&msg->right.ca, &str_next, &str_roof)
+ || !pack_str(&msg->right.groups, &str_next, &str_roof)
+ || !pack_str(&msg->right.updown, &str_next, &str_roof)
+ || !pack_str(&msg->right.sourceip, &str_next, &str_roof)
+ || !pack_str(&msg->right.virt, &str_next, &str_roof)
+ || !pack_str(&msg->keyid, &str_next, &str_roof)
+ || !pack_str(&msg->myid, &str_next, &str_roof)
+ || !pack_str(&msg->cacert, &str_next, &str_roof)
+ || !pack_str(&msg->ldaphost, &str_next, &str_roof)
+ || !pack_str(&msg->ldapbase, &str_next, &str_roof)
+ || !pack_str(&msg->crluri, &str_next, &str_roof)
+ || !pack_str(&msg->crluri2, &str_next, &str_roof)
+ || !pack_str(&msg->ocspuri, &str_next, &str_roof)
+ || !pack_str(&msg->ike, &str_next, &str_roof)
+ || !pack_str(&msg->esp, &str_next, &str_roof)
+ || !pack_str(&msg->sc_data, &str_next, &str_roof)
+ || (str_roof - str_next < msg->keyval.len))
{
plog("send_wack_msg(): can't pack strings");
return -1;
}
if (msg->keyval.ptr)
+ {
memcpy(str_next, msg->keyval.ptr, msg->keyval.len);
+ }
msg->keyval.ptr = NULL;
str_next += msg->keyval.len;
len = str_next - (char *)msg;
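Review bot: The two added `pack_str()` calls for `msg->left.sourceip` and `msg->right.sourceip` change the wire layout of the whack message's string area, so the unpacking side in pluto must read the strings in exactly this order (sourceip between updown and virt for each end); otherwise every string after it (virt, keyid, myid, cacert, ...) is shifted by one. I cannot see the receiver from here, and the diffstat is limited to src/starter, so please confirm it was updated in the same change and that `WHACK_MAGIC` distinguishes old and new layouts. A comment above the chain would prevent the next such drift: `/* string order is the wire format - keep in sync with the unpacking code in pluto */`. send_whack_msg() continues outside the hunk.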
@@ -130,15 +132,13 @@ send_whack_msg (whack_message_t *msg)
return 0;
}
-static void
-init_whack_msg(whack_message_t *msg)
+static void init_whack_msg(whack_message_t *msg)
{
memset(msg, 0, sizeof(whack_message_t));
msg->magic = WHACK_MAGIC;
}
-static char *
-connection_name(starter_conn_t *conn)
+static char *connection_name(starter_conn_t *conn)
{
/* if connection name is '%auto', create a new name like conn_xxxxx */
static char buf[32];
@@ -151,34 +151,26 @@ connection_name(starter_conn_t *conn)
return conn->name;
}
-static void
-set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
-{
- if (end->srcip && end->srcip[0] != '%')
- {
- int len = 0;
- char *pos;
-
- pos = strchr(end->srcip, '/');
- if (pos)
- {
- /* use first address only for pluto */
- len = pos - end->srcip;
- }
- w->has_srcip = !end->has_natip;
- ttoaddr(end->srcip, len, ip_version(end->srcip), &w->host_srcip);
- }
- else
- {
- anyaddr(AF_INET, &w->host_srcip);
- }
-
+static void set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
+{
w->id = end->id;
w->cert = end->cert;
w->ca = end->ca;
w->groups = end->groups;
w->host_addr = end->addr;
w->has_client = end->has_client;
+ w->sourceip = end->sourceip;
+ w->sourceip_mask = end->sourceip_mask;
+
+ if (end->sourceip && end->sourceip_mask > 0)
+ {
+ ttoaddr(end->sourceip, 0, ip_version(end->sourceip), &w->host_srcip);
+ w->has_srcip = !end->has_natip;
+ }
+ else
+ {
+ anyaddr(AF_INET, &w->host_srcip);
+ }
if (family == AF_INET6 && isanyaddr(&end->nexthop))
{
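Review bot: The return value of `ttoaddr()` on the new line is discarded, yet `w->has_srcip` is set right after it; if `end->sourceip` does not parse (the `ip_version()` macro selects AF_INET6 for any string without a '.', so a pool name or host name that arrives here with a non-zero `sourceip_mask` would fail), `w->host_srcip` is left uninitialised while `has_srcip` may be TRUE, and pluto receives an indeterminate address. Only set `has_srcip` when the conversion succeeds and fall back to `anyaddr()` otherwise; `ttoaddr()` returns NULL on success. The rest of set_whack_end() continues outside the hunk.
```c
	if (end->sourceip && end->sourceip_mask > 0
	&&  ttoaddr(end->sourceip, 0, ip_version(end->sourceip), &w->host_srcip) == NULL)
	{
		w->has_srcip = !end->has_natip;
	}
	else
	{
		/* unparsable or unset sourceip: never hand pluto an uninitialised address */
		anyaddr(AF_INET, &w->host_srcip);
		w->has_srcip = FALSE;
	}
	/* … unchanged: nexthop handling … */
```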
@@ -234,13 +226,14 @@ starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
{
const char *err;
static char keyspace[1024 + 4];
+ char buf[ADDRTOT_BUF];
whack_message_t msg;
init_whack_msg(&msg);
msg.whack_key = TRUE;
msg.pubkey_alg = PUBKEY_ALG_RSA;
- if (end->id && end->rsakey)
+ if (end->rsakey)
{
/* special values to ignore */
if (streq(end->rsakey, "")
@@ -250,24 +243,28 @@ starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
{
return 0;
}
- msg.keyid = end->id;
err = atobytes(end->rsakey, 0, keyspace, sizeof(keyspace), &msg.keyval.len);
if (err)
{
plog("conn %s/%s: rsakey malformed [%s]", connection_name(conn), lr, err);
return 1;
}
+ if (end->id)
+ {
+ msg.keyid = end->id;
+ }
else
{
- msg.keyval.ptr = keyspace;
- return send_whack_msg(&msg);
+ addrtot(&end->addr, 0, buf, sizeof(buf));
+ msg.keyid = buf;
}
+ msg.keyval.ptr = keyspace;
+ return send_whack_msg(&msg);
}
return 0;
}
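Review bot: The new else-branch registers the raw RSA key under `addrtot(&end->addr, ...)` whenever `end->id` is NULL, whereas before (see the `@@ -234,13 +226,14 @@` hunk, which dropped the `end->id &&` guard) such keys were not loaded at all. If `end->addr` is the unspecified address (e.g. `%any`), the key is presumably registered under a key id that no peer will ever match, which is harmless but misleading; consider skipping that case with `else if (!isanyaddr(&end->addr))` and logging it, or at least documenting the intent: `/* no id configured: key the public key by the peer's address */`. Using the stack buffer `buf` for `msg.keyid` is fine here only because `send_whack_msg()` packs the string before this function returns — worth a comment so nobody later defers the send. The function's opening lines are outside this hunk.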
-int
-starter_whack_add_conn(starter_conn_t *conn)
+int starter_whack_add_conn(starter_conn_t *conn)
{
whack_message_t msg;
int r;
@@ -332,8 +329,7 @@ starter_whack_add_conn(starter_conn_t *conn)
return r;
}
-int
-starter_whack_del_conn(starter_conn_t *conn)
+int starter_whack_del_conn(starter_conn_t *conn)
{
whack_message_t msg;
@@ -343,8 +339,7 @@ starter_whack_del_conn(starter_conn_t *conn)
return send_whack_msg(&msg);
}
-int
-starter_whack_route_conn(starter_conn_t *conn)
+int starter_whack_route_conn(starter_conn_t *conn)
{
whack_message_t msg;
@@ -354,8 +349,7 @@ starter_whack_route_conn(starter_conn_t *conn)
return send_whack_msg(&msg);
}
-int
-starter_whack_initiate_conn(starter_conn_t *conn)
+int starter_whack_initiate_conn(starter_conn_t *conn)
{
whack_message_t msg;
@@ -366,8 +360,7 @@ starter_whack_initiate_conn(starter_conn_t *conn)
return send_whack_msg(&msg);
}
-int
-starter_whack_listen(void)
+int starter_whack_listen(void)
{
whack_message_t msg;
init_whack_msg(&msg);
@@ -384,8 +377,7 @@ int starter_whack_shutdown(void)
return send_whack_msg(&msg);
}
-int
-starter_whack_add_ca(starter_ca_t *ca)
+int starter_whack_add_ca(starter_ca_t *ca)
{
whack_message_t msg;
@@ -404,8 +396,7 @@ starter_whack_add_ca(starter_ca_t *ca)
return send_whack_msg(&msg);
}
-int
-starter_whack_del_ca(starter_ca_t *ca)
+int starter_whack_del_ca(starter_ca_t *ca)
{
whack_message_t msg;