diff options
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-07-05 00:05:56 +0000 |
|---|---|---|
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-07-05 00:05:56 +0000 |
| commit | 5db544cc26db378616a46dfa22138f0008cf2930 (patch) | |
| tree | ff9254d87967bb6f703a5ab5e63edcde2e8a6c17 /src/starter | |
| parent | 3d44c2edf1a3663c7d4acc4434bc8a3abace1ebf (diff) | |
| download | vyos-strongswan-5db544cc26db378616a46dfa22138f0008cf2930.tar.gz vyos-strongswan-5db544cc26db378616a46dfa22138f0008cf2930.zip | |
- Updated to new upstream release.
Diffstat (limited to 'src/starter')
| -rw-r--r-- | src/starter/Makefile.am | 2 | ||||
| -rw-r--r-- | src/starter/Makefile.in | 70 | ||||
| -rw-r--r-- | src/starter/args.c | 4 | ||||
| -rw-r--r-- | src/starter/confread.c | 257 | ||||
| -rw-r--r-- | src/starter/confread.h | 5 | ||||
| -rw-r--r-- | src/starter/interfaces.c | 445 | ||||
| -rw-r--r-- | src/starter/interfaces.h | 6 | ||||
| -rw-r--r-- | src/starter/invokepluto.c | 5 | ||||
| -rw-r--r-- | src/starter/ipsec.conf | 6 | ||||
| -rw-r--r-- | src/starter/ipsec.conf.5 | 960 | ||||
| -rw-r--r-- | src/starter/keywords.c | 181 | ||||
| -rw-r--r-- | src/starter/keywords.h | 8 | ||||
| -rw-r--r-- | src/starter/keywords.txt | 3 | ||||
| -rw-r--r-- | src/starter/starter.8 | 0 | ||||
| -rw-r--r-- | src/starter/starter.c | 14 | ||||
| -rw-r--r-- | src/starter/starterwhack.c | 1 |
16 files changed, 840 insertions, 1127 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index 7d5a4b69a..e2be69c01 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -9,7 +9,7 @@ INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_src AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG starter_LDADD = loglite.o defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf -dist_man_MANS = ipsec.conf.5 +dist_man_MANS = ipsec.conf.5 starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR=$(top_srcdir)/src/pluto diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 432b3d6d5..a8ccfc626 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -46,7 +46,8 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" +am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(ipsec_PROGRAMS) am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ @@ -72,6 +73,7 @@ LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ SOURCES = $(starter_SOURCES) DIST_SOURCES = $(starter_SOURCES) man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 NROFF = nroff MANS = $(dist_man_MANS) ETAGS = etags @@ -136,6 +138,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ +SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ @@ -230,7 +233,7 @@ INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_src AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG starter_LDADD = loglite.o defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf -dist_man_MANS = ipsec.conf.5 +dist_man_MANS = ipsec.conf.5 starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR = $(top_srcdir)/src/pluto OPENACDIR = $(top_srcdir)/src/openac @@ -395,6 +398,51 @@ uninstall-man5: echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ done +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ @@ -475,7 +523,7 @@ check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) $(MANS) installdirs: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)"; do \ + for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(mkdir_p) "$$dir"; \ done install: install-am @@ -530,7 +578,7 @@ install-exec-am: install-exec-local install-info: install-info-am -install-man: install-man5 +install-man: install-man5 install-man8 installcheck-am: @@ -554,7 +602,7 @@ ps-am: uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man -uninstall-man: uninstall-man5 +uninstall-man: uninstall-man5 uninstall-man8 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ clean-ipsecPROGRAMS clean-libtool ctags distclean \ @@ -563,12 +611,12 @@ uninstall-man: uninstall-man5 install install-am install-data install-data-am install-exec \ install-exec-am install-exec-local install-info \ install-info-am install-ipsecPROGRAMS install-man install-man5 \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man \ - uninstall-man5 + install-man8 install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ + uninstall-am uninstall-info-am uninstall-ipsecPROGRAMS \ + uninstall-man uninstall-man5 uninstall-man8 lex.yy.c: y.tab.c parser.l parser.y parser.h diff --git a/src/starter/args.c b/src/starter/args.c index fb8424841..605794281 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -173,6 +173,7 @@ static const token_info_t token_info[] = { ARG_STR, offsetof(starter_config_t, setup.virtual_private), NULL }, { ARG_STR, offsetof(starter_config_t, setup.eapdir), NULL }, { ARG_STR, offsetof(starter_config_t, setup.pkcs11module), NULL }, + { ARG_STR, offsetof(starter_config_t, setup.pkcs11initargs), NULL }, { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool }, { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool }, @@ -195,7 +196,7 @@ static const token_info_t token_info[] = { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL }, { ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL }, { ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL }, - { ARG_ULNG, offsetof(starter_conn_t, sa_keying_tries), NULL }, + { ARG_MISC, 0, NULL /* KW_KEYINGTRIES */ }, { ARG_PCNT, offsetof(starter_conn_t, sa_rekey_fuzz), NULL }, { ARG_MISC, 0, NULL /* KW_REKEY */ }, { ARG_MISC, 0, NULL /* KW_REAUTH */ }, @@ -229,6 +230,7 @@ static const token_info_t token_info[] = { ARG_MISC, 0, NULL /* KW_NATIP */ }, { ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool }, { ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool }, + { ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool }, { ARG_STR, offsetof(starter_end_t, updown), NULL }, { ARG_STR, offsetof(starter_end_t, id), NULL }, { ARG_STR, offsetof(starter_end_t, rsakey), NULL }, diff --git a/src/starter/confread.c b/src/starter/confread.c index e7a4789a9..2fe5b8ca7 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -181,14 +181,42 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token conn->addr_family = AF_INET6; anyaddr(conn->addr_family, &end->addr); } + else if (streq(value, "%group")) + { + ip_address any; + + conn->policy |= POLICY_GROUP | POLICY_TUNNEL; + anyaddr(conn->addr_family, &end->addr); + anyaddr(conn->tunnel_addr_family, &any); + initsubnet(&any, 0, '0', &end->subnet); + end->has_client = TRUE; + } else { + bool fallback_to_any = FALSE; + + if (value[0] == '%') + { + fallback_to_any = TRUE; + end->allow_any = TRUE; + value++; + } conn->addr_family = ip_version(value); ugh = ttoaddr(value, 0, conn->addr_family, &end->addr); if (ugh != NULL) { plog("# bad addr: %s=%s [%s]", name, value, ugh); - goto err; + if (fallback_to_any) + { + plog("# fallback to %s=%%any due to '%%' prefix"); + anyaddr(conn->addr_family, &end->addr); + end->allow_any = FALSE; + cfg->non_fatal_err++; + } + else + { + goto err; + } } } break; @@ -465,11 +493,12 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) case KW_EAP: /* TODO: a gperf function for all EAP types */ if (streq(kw->value, "aka")) + { conn->eap = 23; + } else if (streq(kw->value, "sim")) { conn->eap = 18; - } else { @@ -481,6 +510,23 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) } } break; + case KW_KEYINGTRIES: + if (streq(kw->value, "%forever")) + { + conn->sa_keying_tries = 0; + } + else + { + char *endptr; + + conn->sa_keying_tries = strtoul(kw->value, &endptr, 10); + if (*endptr != '\0') + { + plog("# bad integer value: %s=%s", kw->entry->name, kw->value); + cfg->err++; + } + } + break; case KW_REKEY: KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY) break; @@ -695,7 +741,79 @@ find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg) return NULL; } +/* + * free the memory used by also_t objects + */ +static void +free_also(also_t *head) +{ + while (head != NULL) + { + also_t *also = head; + + head = also->next; + pfree(also->name); + pfree(also); + } +} + +/* + * free the memory used by a starter_conn_t object + */ +static void +confread_free_conn(starter_conn_t *conn) +{ + free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left); + free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right); + free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn); + free_also(conn->also); +} + +/* + * free the memory used by a starter_ca_t object + */ +static void +confread_free_ca(starter_ca_t *ca) +{ + free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca); + free_also(ca->also); +} + +/* + * free the memory used by a starter_config_t object + */ +void +confread_free(starter_config_t *cfg) +{ + starter_conn_t *conn = cfg->conn_first; + starter_ca_t *ca = cfg->ca_first; + + free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg); + + confread_free_conn(&cfg->conn_default); + + while (conn != NULL) + { + starter_conn_t *conn_aux = conn; + + conn = conn->next; + confread_free_conn(conn_aux); + pfree(conn_aux); + } + + confread_free_ca(&cfg->ca_default); + + while (ca != NULL) + { + starter_ca_t *ca_aux = ca; + + ca = ca->next; + confread_free_ca(ca_aux); + pfree(ca_aux); + } + pfree(cfg); +} /* * load and parse an IPsec configuration file @@ -709,6 +827,7 @@ confread_load(const char *file) starter_conn_t *conn; starter_ca_t *ca; + u_int total_err; u_int visit = 0; /* load IPSec configuration file */ @@ -748,6 +867,8 @@ confread_load(const char *file) /* load other ca sections */ for (sca = cfgp->ca_first; sca; sca = sca->next) { + u_int previous_err; + /* skip %default ca section */ if (streq(sca->name, "%default")) continue; @@ -761,13 +882,24 @@ confread_load(const char *file) ca->kw = sca->kw; ca->next = NULL; - if (cfg->ca_last) - cfg->ca_last->next = ca; - cfg->ca_last = ca; - if (!cfg->ca_first) - cfg->ca_first = ca; - + previous_err = cfg->err; load_ca(ca, ca->kw, cfg); + if (cfg->err > previous_err) + { + /* errors occurred - free the ca */ + confread_free_ca(ca); + cfg->non_fatal_err += cfg->err - previous_err; + cfg->err = previous_err; + } + else + { + /* success - insert the ca into the chained list */ + if (cfg->ca_last) + cfg->ca_last->next = ca; + cfg->ca_last = ca; + if (!cfg->ca_first) + cfg->ca_first = ca; + } } for (ca = cfg->ca_first; ca; ca = ca->next) @@ -806,6 +938,8 @@ confread_load(const char *file) /* load other conn sections */ for (sconn = cfgp->conn_first; sconn; sconn = sconn->next) { + u_int previous_err; + /* skip %default conn section */ if (streq(sconn->name, "%default")) continue; @@ -818,14 +952,25 @@ confread_load(const char *file) conn_default(sconn->name, conn, &cfg->conn_default); conn->kw = sconn->kw; conn->next = NULL; - - if (cfg->conn_last) - cfg->conn_last->next = conn; - cfg->conn_last = conn; - if (!cfg->conn_first) - cfg->conn_first = conn; - + + previous_err = cfg->err; load_conn(conn, conn->kw, cfg); + if (cfg->err > previous_err) + { + /* error occurred - free the conn */ + confread_free_conn(conn); + cfg->non_fatal_err += cfg->err - previous_err; + cfg->err = previous_err; + } + else + { + /* success - insert the conn into the chained list */ + if (cfg->conn_last) + cfg->conn_last->next = conn; + cfg->conn_last = conn; + if (!cfg->conn_first) + cfg->conn_first = conn; + } } /* in the second round do not parse also statements */ @@ -851,86 +996,12 @@ confread_load(const char *file) parser_free_conf(cfgp); - if (cfg->err) + total_err = cfg->err + cfg->non_fatal_err; + if (total_err > 0) { - plog("### %d parsing error%s ###", cfg->err, (cfg->err > 1)?"s":""); - confread_free(cfg); - cfg = NULL; + plog("### %d parsing error%s (%d fatal) ###" + , total_err, (total_err > 1)?"s":"", cfg->err); } return cfg; } - -/* - * free the memory used by also_t objects - */ -static void -free_also(also_t *head) -{ - while (head != NULL) - { - also_t *also = head; - - head = also->next; - pfree(also->name); - pfree(also); - } -} - -/* - * free the memory used by a starter_conn_t object - */ -static void -confread_free_conn(starter_conn_t *conn) -{ - free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left); - free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right); - free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn); - free_also(conn->also); -} - -/* - * free the memory used by a starter_ca_t object - */ -static void -confread_free_ca(starter_ca_t *ca) -{ - free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca); - free_also(ca->also); -} - -/* - * free the memory used by a starter_config_t object - */ -void -confread_free(starter_config_t *cfg) -{ - starter_conn_t *conn = cfg->conn_first; - starter_ca_t *ca = cfg->ca_first; - - free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg); - - confread_free_conn(&cfg->conn_default); - - while (conn != NULL) - { - starter_conn_t *conn_aux = conn; - - conn = conn->next; - confread_free_conn(conn_aux); - pfree(conn_aux); - } - - confread_free_ca(&cfg->ca_default); - - while (ca != NULL) - { - starter_ca_t *ca_aux = ca; - - ca = ca->next; - confread_free_ca(ca_aux); - pfree(ca_aux); - } - - pfree(cfg); -} diff --git a/src/starter/confread.h b/src/starter/confread.h index 2fe75fcc6..970166c90 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -75,6 +75,7 @@ struct starter_end { certpolicy_t sendcert; bool firewall; bool hostaccess; + bool allow_any; char *updown; u_int16_t port; u_int8_t protocol; @@ -177,6 +178,7 @@ struct starter_config { char *virtual_private; char *eapdir; char *pkcs11module; + char *pkcs11initargs; bool pkcs11keepstate; bool pkcs11proxy; @@ -191,7 +193,8 @@ struct starter_config { defaultroute_t defaultroute; /* number of encountered parsing errors */ - u_int err; + u_int err; + u_int non_fatal_err; /* do we parse also statements */ bool parse_also; diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c index a7c8efd44..a4baaa83d 100644 --- a/src/starter/interfaces.c +++ b/src/starter/interfaces.c @@ -33,449 +33,6 @@ #include "exec.h" #include "files.h" -#define MIN(a,b) ( ((a)>(b)) ? (b) : (a) ) - -#define N_IPSEC_IF 4 - -struct st_ipsec_if { - char name[IFNAMSIZ]; - char phys[IFNAMSIZ]; - int up; -}; - -static struct st_ipsec_if _ipsec_if[N_IPSEC_IF]; - -static char * -_find_physical_iface(int sock, char *iface) -{ - static char _if[IFNAMSIZ]; - char *b; - struct ifreq req; - FILE *fd; - char line[BUF_LEN]; - - strncpy(req.ifr_name, iface, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req)==0) - { - if (req.ifr_flags & IFF_UP) - { - strncpy(_if, iface, IFNAMSIZ); - return _if; - } - } - else - { - /* If there is a file named /var/run/dynip/<iface>, look if we - * can get interface name from there (IP_PHYS) - */ - b = (char *)alloc_bytes(strlen(DYNIP_DIR) + strlen(iface) + 10, "iface"); - if (b) - { - sprintf(b, "%s/%s", DYNIP_DIR, iface); - fd = fopen(b, "r"); - pfree(b); - if (fd) - { - memset(_if, 0, sizeof(_if)); - memset(line, 0, sizeof(line)); - while (fgets(line, sizeof(line), fd) != 0) - { - if ((strncmp(line,"IP_PHYS=\"", 9) == 0) - && (line[strlen(line) - 2] == '"') - && (line[strlen(line) - 1] == '\n')) - { - strncpy(_if, line + 9, MIN(strlen(line) - 11, IFNAMSIZ)); - break; - } - else if ((strncmp(line,"IP_PHYS=", 8) == 0) - && (line[8] != '"') - && (line[strlen(line) - 1] == '\n')) - { - strncpy(_if, line + 8, MIN(strlen(line) - 9, IFNAMSIZ)); - break; - } - } - fclose(fd); - - if (*_if) - { - strncpy(req.ifr_name, _if, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req) == 0) - { - if (req.ifr_flags & IFF_UP) - return _if; - } - } - } - } - } - return NULL; -} - -int -starter_iface_find(char *iface, int af, ip_address *dst, ip_address *nh) -{ - char *phys; - struct ifreq req; - struct sockaddr_in *sa = (struct sockaddr_in *)(&req.ifr_addr); - int sock; - - if (!iface) - return -1; - - sock = socket(af, SOCK_DGRAM, 0); - if (sock < 0) - return -1; - - phys = _find_physical_iface(sock, iface); - if (!phys) - goto failed; - - strncpy(req.ifr_name, phys, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req)!=0) - goto failed; - if (!(req.ifr_flags & IFF_UP)) - goto failed; - - if ((req.ifr_flags & IFF_POINTOPOINT) - && nh - && ioctl(sock, SIOCGIFDSTADDR, &req) == 0) - { - if (sa->sin_family == af) - initaddr((const void *)&sa->sin_addr, sizeof(struct in_addr), af, nh); - } - if ((dst) && (ioctl(sock, SIOCGIFADDR, &req) == 0)) - { - if (sa->sin_family == af) - initaddr((const void *)&sa->sin_addr, sizeof(struct in_addr), af, dst); - } - close(sock); - return 0; - -failed: - close(sock); - return -1; -} - -static int -valid_str(char *str, unsigned int *pn, char **pphys -, defaultroute_t *defaultroute) -{ - if (streq(str, "%defaultroute")) - { - if (!defaultroute->defined) - { - return 0; - } - *pn = 0; - *pphys = defaultroute->iface; - } - else - { - if (strlen(str) < 8 - || str[0] != 'i' || str[1] != 'p' || str[2] !='s' || str[3] != 'e' - || str[4] != 'c' || str[5] < '0' || str[5] > '9' || str[6] != '=') - { - return 0; - } - *pn = str[5] - '0'; - *pphys = &(str[7]); - } - return 1; -} - -static int -_iface_up (int sock, struct st_ipsec_if *iface, char *phys -, unsigned int mtu, bool nat_t) -{ - struct ifreq req; - struct ipsectunnelconf *shc=(struct ipsectunnelconf *)&req.ifr_data; - short phys_flags; - int ret = 0; - /* sscholz@astaro.com: for network mask 32 bit - struct sockaddr_in *inp; - */ - - strncpy(req.ifr_name, phys, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req) !=0 ) - return ret; - phys_flags = req.ifr_flags; - - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req) != 0) - return ret; - - if ((!(req.ifr_flags & IFF_UP)) || (!iface->up)) - { - DBG(DBG_CONTROL, - DBG_log("attaching interface %s to %s", iface->name, phys) - ) - ret = 1; - } - - if ((*iface->phys) && (strcmp(iface->phys, phys) != 0 )) - { - /* tncfg --detach if phys has changed */ - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - ioctl(sock, IPSEC_DEL_DEV, &req); - ret = 1; - } - - /* tncfg --attach */ - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - strncpy(shc->cf_name, phys, sizeof(shc->cf_name)); - ioctl(sock, IPSEC_SET_DEV, &req); - - /* set ipsec addr = phys addr */ - strncpy(req.ifr_name, phys, IFNAMSIZ); - if (ioctl(sock, SIOCGIFADDR, &req) == 0) - { - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - ioctl(sock, SIOCSIFADDR, &req); - } - - /* set ipsec mask = phys mask */ - strncpy(req.ifr_name, phys, IFNAMSIZ); - if (ioctl(sock, SIOCGIFNETMASK, &req) == 0) - { - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - /* sscholz@astaro.com: changed netmask to 32 bit - * in order to prevent network routes from being created - - inp = (struct sockaddr_in *)&req.ifr_addr; - inp->sin_addr.s_addr = 0xFFFFFFFFL; - - */ - ioctl(sock, SIOCSIFNETMASK, &req); - } - - /* set other flags & addr */ - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req)==0) - { -/* removed by sscholz@astaro.com (caused trouble with DSL/ppp0) */ -/* if (phys_flags & IFF_POINTOPOINT) - { - req.ifr_flags |= IFF_POINTOPOINT; - req.ifr_flags &= ~IFF_BROADCAST; - ioctl(sock, SIOCSIFFLAGS, &req); - strncpy(req.ifr_name, phys, IFNAMSIZ); - if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0) - { - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - ioctl(sock, SIOCSIFDSTADDR, &req); - } - } - else - */ - if (phys_flags & IFF_BROADCAST) - { - req.ifr_flags &= ~IFF_POINTOPOINT; - req.ifr_flags |= IFF_BROADCAST; - ioctl(sock, SIOCSIFFLAGS, &req); - strncpy(req.ifr_name, phys, IFNAMSIZ); - if (ioctl(sock, SIOCGIFBRDADDR, &req) == 0) - { - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - ioctl(sock, SIOCSIFBRDADDR, &req); - } - } - else - { - req.ifr_flags &= ~IFF_POINTOPOINT; - req.ifr_flags &= ~IFF_BROADCAST; - ioctl(sock, SIOCSIFFLAGS, &req); - } - } - - /* - * guess MTU = phys interface MTU - ESP Overhead - * - * ESP overhead : 10+16+7+2+12=57 -> 60 by security - * NAT-T overhead : 20 - */ - if (mtu == 0) - { - strncpy(req.ifr_name, phys, IFNAMSIZ); - ioctl(sock, SIOCGIFMTU, &req); - mtu = req.ifr_mtu - 60; - if (nat_t) - mtu -= 20; - } - /* set MTU */ - if (mtu) - { - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - req.ifr_mtu = mtu; - ioctl(sock, SIOCSIFMTU, &req); - } - - /* ipsec interface UP */ - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req) == 0) - { - req.ifr_flags |= IFF_UP; - ioctl(sock, SIOCSIFFLAGS, &req); - } - - iface->up = 1; - strncpy(iface->phys, phys, IFNAMSIZ); - return ret; -} - -static int -_iface_down(int sock, struct st_ipsec_if *iface) -{ - struct ifreq req; - int ret = 0; - - iface->up = 0; - - strncpy(req.ifr_name, iface->name, IFNAMSIZ); - if (ioctl(sock, SIOCGIFFLAGS, &req)!=0) - return ret; - - if (req.ifr_flags & IFF_UP) - { - DBG(DBG_CONTROL, - DBG_log("shutting down interface %s/%s", iface->name, iface->phys) - ) - req.ifr_flags &= ~IFF_UP; - ioctl(sock, SIOCSIFFLAGS, &req); - ret = 1; - } - - /* unset addr */ - memset(&req.ifr_addr, 0, sizeof(req.ifr_addr)); - req.ifr_addr.sa_family = AF_INET; - ioctl(sock, SIOCSIFADDR, &req); - - /* tncfg --detach */ - ioctl(sock, IPSEC_DEL_DEV, &req); - - memset(iface->phys, 0, sizeof(iface->phys)); - - return ret; -} - -void -starter_ifaces_init(void) -{ - int i; - - memset(_ipsec_if, 0, sizeof(_ipsec_if)); - for (i = 0; i < N_IPSEC_IF; i++) - snprintf(_ipsec_if[i].name, IFNAMSIZ, "ipsec%d", i); -} - -void -starter_ifaces_clear (void) -{ - int sock; - unsigned int i; - - sock = socket(AF_INET, SOCK_DGRAM, 0); - if (sock < 0) - return; - - for (i = 0; i < N_IPSEC_IF; i++) - _iface_down (sock, &(_ipsec_if[i])); -} - -int -starter_ifaces_load(char **ifaces, unsigned int omtu, bool nat_t -, defaultroute_t *defaultroute) -{ - char *tmp_phys, *phys; - int n; - char **i; - int sock; - int j, found; - int ret = 0; - struct ifreq physreq, ipsecreq; // re-attach interface - struct sockaddr_in *inp1, *inp2; // re-attach interface - - DBG(DBG_CONTROL, - DBG_log("starter_ifaces_load()") - ) - - sock = socket(AF_INET, SOCK_DGRAM, 0); - if (sock < 0) - return -1; - - for (j = 0; j < N_IPSEC_IF; j++) - { - found = 0; - - for (i = ifaces; i && *i; i++) - { - if (valid_str(*i, &n, &tmp_phys, defaultroute) - && tmp_phys - && n >= 0 - && n < N_IPSEC_IF) - { - if (n==j) - { - if (found) - { - plog( "ignoring duplicate entry for interface ipsec%d", j); - } - else - { - found++; - phys = _find_physical_iface(sock, tmp_phys); - - /* Re-attach ipsec interface if IP address changes - * sscholz@astaro.com - */ - if (phys) - { - memset ((void*)&physreq, 0, sizeof(physreq)); - memset ((void*)&ipsecreq, 0, sizeof(ipsecreq)); - strncpy(physreq.ifr_name, phys, IFNAMSIZ); - sprintf(ipsecreq.ifr_name, "ipsec%d", j); - ioctl(sock, SIOCGIFADDR, &physreq); - ioctl(sock, SIOCGIFADDR, &ipsecreq); - inp1 = (struct sockaddr_in *)&physreq.ifr_addr; - inp2 = (struct sockaddr_in *)&ipsecreq.ifr_addr; - if (inp1->sin_addr.s_addr != inp2->sin_addr.s_addr) - { - plog("IP address of physical interface changed " - "-> reinit of ipsec interface"); - _iface_down (sock, &(_ipsec_if[n])); - } - ret += _iface_up (sock, &(_ipsec_if[n]), phys, omtu, nat_t); - } - else - { - ret += _iface_down (sock, &(_ipsec_if[n])); - } - } - } - } - else if (j == 0) - { - /* Only log in the first loop */ - plog("ignoring invalid interface '%s'", *i); - } - } - if (!found) - ret += _iface_down (sock, &(_ipsec_if[j])); - } - - close(sock); - return ret; /* = number of changes - 'whack --listen' if > 0 */ -} - -/* - * initialize a defaultroute_t struct - */ -static void -init_defaultroute(defaultroute_t *defaultroute) -{ - memset(defaultroute, 0, sizeof(defaultroute_t)); -} - /* * discover the default route via /proc/net/route */ @@ -486,7 +43,7 @@ get_defaultroute(defaultroute_t *defaultroute) char line[BUF_LEN]; bool first = TRUE; - init_defaultroute(defaultroute); + memset(defaultroute, 0, sizeof(defaultroute_t)); fd = fopen("/proc/net/route", "r"); diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h index 9898c0516..ed6b0ef57 100644 --- a/src/starter/interfaces.h +++ b/src/starter/interfaces.h @@ -28,12 +28,6 @@ typedef struct { ip_address nexthop; } defaultroute_t; -extern void starter_ifaces_init (void); -extern int starter_iface_find(char *iface, int af, ip_address *dst - , ip_address *nh); -extern int starter_ifaces_load (char **ifaces, unsigned int omtu, bool nat_t - , defaultroute_t *defaultroute); -extern void starter_ifaces_clear (void); extern void get_defaultroute(defaultroute_t *defaultroute); diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c index 240d98391..5ea47f69f 100644 --- a/src/starter/invokepluto.c +++ b/src/starter/invokepluto.c @@ -187,6 +187,11 @@ starter_start_pluto (starter_config_t *cfg, bool debug) arg[argc++] = "--pkcs11module"; arg[argc++] = cfg->setup.pkcs11module; } + if (cfg->setup.pkcs11initargs) + { + arg[argc++] = "--pkcs11initargs"; + arg[argc++] = cfg->setup.pkcs11initargs; + } if (cfg->setup.pkcs11keepstate) { arg[argc++] = "--pkcs11keepstate"; diff --git a/src/starter/ipsec.conf b/src/starter/ipsec.conf index 76b85b23a..b1e5d5e0c 100644 --- a/src/starter/ipsec.conf +++ b/src/starter/ipsec.conf @@ -1,14 +1,8 @@ # ipsec.conf - strongSwan IPsec configuration file -# Manual: man 5 ipsec.conf -# Help: http://www.strongswan.org/docs/readme.htm - -version 2.0 # conforms to second version of ipsec.conf specification - # basic configuration config setup - # Debug-logging controls: "none" for (almost) none, "all" for lots. # plutodebug=all # crlcheckinterval=600 # strictcrlpolicy=yes diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 index c80c5166b..2dbcfcfd7 100644 --- a/src/starter/ipsec.conf.5 +++ b/src/starter/ipsec.conf.5 @@ -1,4 +1,4 @@ -.TH IPSEC.CONF 5 "20 Jan 2006" +.TH IPSEC.CONF 5 "27 Jun 2007" .\" RCSID $Id: ipsec.conf.5,v 1.2 2006/01/22 15:33:46 as Exp $ .SH NAME ipsec.conf \- IPsec configuration and connections @@ -143,7 +143,7 @@ section specifies general configuration information for IPsec, a .B conn section specifies an IPsec connection, while a .B ca -section specifies special properties a certification authority. +section specifies special properties of a certification authority. .SH "CONN SECTIONS" A .B conn @@ -158,13 +158,12 @@ Here's a simple example: .ft B .ta 1c conn snt - left=10.11.11.1 - leftsubnet=10.0.1.0/24 - leftnexthop=172.16.55.66 - right=192.168.22.1 - rightsubnet=10.0.2.0/24 - rightnexthop=172.16.88.99 + left=192.168.0.1 + leftsubnet=10.1.0.0/16 + right=192.168.0.2 + rightsubnet=10.1.0.0/16 keyingtries=%forever + auto=add .ft .fi .PP @@ -172,7 +171,7 @@ A note on terminology: There are two kinds of communications going on: transmission of user IP packets, and gateway-to-gateway negotiations for keying, rekeying, and general control. The path to control the connection is called 'ISAKMP SA' in IKEv1 and -'IKE SA' in the IKEv2 protocol. That what is beeing negotiated, the kernel +'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel level data path, is called 'IPsec SA'. strongSwan currently uses two separate keying daemons. Pluto handles all IKEv1 connections, Charon is the new daemon supporting the IKEv2 protocol. @@ -220,151 +219,47 @@ Unless otherwise noted, for a connection to work, in general it is necessary for the two ends to agree exactly on the values of these parameters. .TP 14 -.B type -the type of the connection; currently the accepted values -are -.B tunnel -(the default) -signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; -.BR transport , -signifying host-to-host transport mode; -.BR passthrough , -signifying that no IPsec processing should be done at all; -.BR drop , -signifying that packets should be discarded; and -.BR reject , -signifying that packets should be discarded and a diagnostic ICMP returned. -Charon currently supports only -.BR tunnel -and -.BR transport -connection types. -.TP -.B left -(required) -the IP address of the left participant's public-network interface, -in any form accepted by -.IR ipsec_ttoaddr (3) -or one of several magic values. -If it is -.BR %defaultroute , -and -the -.B config -.B setup -section's, -.B interfaces -specification contains -.BR %defaultroute, -.B left -will be filled in automatically with the local address -of the default-route interface (as determined at IPsec startup time); -this also overrides any value supplied for -.BR leftnexthop . -(Either -.B left -or -.B right -may be -.BR %defaultroute , -but not both.) -The value -.B %any -signifies an address to be filled in (by automatic keying) during -negotiation. -.TP -.B leftsubnet -private subnet behind the left participant, expressed as -\fInetwork\fB/\fInetmask\fR -(actually, any form acceptable to -.IR ipsec_ttosubnet (3)); -if omitted, essentially assumed to be \fIleft\fB/32\fR, -signifying that the left end of the connection goes to the left participant -only. When using IKEv2, the configured subnet of the peers may differ, the -protocol narrows it to the greates common subnet. -.TP -.B leftnexthop -next-hop gateway IP address for the left participant's connection -to the public network; -defaults to -.B %direct -(meaning -.IR right ). -If the value is to be overridden by the -.B left=%defaultroute -method (see above), -an explicit value must -.I not -be given. -If that method is not being used, -but -.B leftnexthop -is -.BR %defaultroute , -and -.B interfaces=%defaultroute -is used in the -.B config -.B setup -section, -the next-hop gateway address of the default-route interface -will be used. -The magic value -.B %direct -signifies a value to be filled in (by automatic keying) -with the peer's address. -Relevant only locally, other end need not agree on it. Currently not supported -in IKEv2. +.B ah +AH authentication algorithm to be used +for the connection, e.g. +.B hmac-md5. .TP -.B leftupdown -what ``updown'' script to run to adjust routing and/or firewalling -when the status of the connection -changes (default -.BR "ipsec _updown" ). -May include positional parameters separated by white space -(although this requires enclosing the whole string in quotes); -including shell metacharacters is unwise. -See -.IR ipsec_pluto (8) -for details. -Relevant only locally, other end need not agree on it. IKEv2 uses the updown -script to insert firewall rules only. Routing is not support and will be -implemented directly into Charon. +.B auth +whether authentication should be done as part of +ESP encryption, or separately using the AH protocol; +acceptable values are +.B esp +(the default) and +.BR ah . +The IKEv2 daemon currently supports only ESP. .TP -.B leftfirewall -whether the left participant is doing forwarding-firewalling -(including masquerading) for traffic from \fIleftsubnet\fR, -which should be turned off (for traffic to the other subnet) -once the connection is established; +.B authby +how the two security gateways should authenticate each other; acceptable values are -.B yes -and (the default) -.BR no . -May not be used in the same connection description with -.BR leftupdown . -Implemented as a parameter to the default -.I updown -script. -See notes below. -Relevant only locally, other end need not agree on it. - -If one or both security gateways are doing forwarding firewalling -(possibly including masquerading), -and this is specified using the firewall parameters, -tunnels established with IPsec are exempted from it -so that packets can flow unchanged through the tunnels. -(This means that all subnets connected in this manner must have -distinct, non-overlapping subnet address blocks.) -This is done by the default -.I updown -script (see -.IR ipsec_pluto (8)). - -In situations calling for more control, -it may be preferable for the user to supply his own -.I updown -script, -which makes the appropriate adjustments for his system. +.B secret +or +.B psk +for shared secrets, +.B rsasig +for RSA digital signatures (the default), +.B secret|rsasig +for either, and +.B never +if negotiation is never to be attempted or accepted (useful for shunt-only conns). +Digital signatures are superior in every way to shared secrets. In IKEv2, the +two ends must not agree on this parameter, it is relevant for the +outbound authentication method only. +IKEv1 additionally supports the values +.B xauthpsk +and +.B xauthrsasig +that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode +based on shared secrets or digital RSA signatures, respectively. +IKEv2 additionally supports the value +.B eap, +which indicates an initiator to request EAP authentication. The EAP method to +use is selected by the server (see +.B eap). .TP .B auto what operation, if any, should be done automatically at IPsec startup; @@ -375,8 +270,7 @@ currently-accepted values are , .B start and -.B ignore -. +.BR ignore . .B add loads a connection without starting it. .B route @@ -396,34 +290,6 @@ both ends should use .B auto=start to ensure that any reboot causes immediate renegotiation). .TP -.B auth -whether authentication should be done as part of -ESP encryption, or separately using the AH protocol; -acceptable values are -.B esp -(the default) and -.BR ah . -The IKEv2 daemon currently supports only ESP. -.TP -.B authby -how the two security gateways should authenticate each other; -acceptable values are -.B secret -for shared secrets, -.B rsasig -for RSA digital signatures (the default), -.B secret|rsasig -for either, and -.B never -if negotiation is never to be attempted or accepted (useful for shunt-only conns). -Digital signatures are superior in every way to shared secrets. In IKEv2, the -two ends must not agree on this parameter, it is relevant for the own -authentication method only. IKEv2 additionally supports the value -.B eap, -which indicates an initiator to request EAP authentication. The EAP method to -use is selected by the server (see -.B eap). -.TP .B compress whether IPComp compression of content is proposed on the connection (link-level compression does not work on encrypted data, @@ -447,24 +313,26 @@ controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values -.B clear -and -.B hold -both activate DPD. If no activity is detected, all connections with a dead peer +.BR clear , +.BR hold , +and +.B restart +all activate DPD. If no activity is detected, all connections with a dead peer are stopped and unrouted ( .B clear -) or put in the hold state ( +), put in the hold state ( .B hold -). For -.B IKEv1 -, the default is +) or restarted ( +.B restart +). +For IKEv1, the default is .B none which disables the active sending of R_U_THERE notifications. Nevertheless pluto will always send the DPD Vendor ID during connection set up in order to signal the readiness to act passively as a responder if the peer -wants to use DPD. For -.B IKEv2, none -does't make sense, as all messages are used to detect dead peers. If specified, +wants to use DPD. For IKEv2, +.B none +does't make sense, since all messages are used to detect dead peers. If specified, it has the same meaning as the default ( .B clear ). @@ -481,16 +349,28 @@ defines the timeout interval, after which all connections to a peer are deleted in case of inactivity. This only applies to IKEv1, in IKEv2 the default retransmission timeout applies, as every exchange is used to detect dead peers. .TP -.B failureshunt -what to do with packets when negotiation fails. -The default is -.BR none : -no shunt; -.BR passthrough , -.BR drop , -and -.B reject -have the obvious meanings. Has no effect in IKEv2 yet. +.B eap +defines the EAP type to be used if +.B authby=eap +is selected. Acceptable values are +.B aka +for EAP-AKA and +.B sim +for EAP-SIM. +.TP +.B esp +ESP encryption/authentication algorithm to be used +for the connection, e.g. +.B 3des-md5 +(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup +and rekeying include a separate diffe hellman exchange (IKEv2 only). +.TP +.B ike +IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g. +.B aes128-sha1-modp2048 +(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals +may be included, such as +.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. .TP .B ikelifetime how long the keying channel of a connection ('ISAKMP/IKE SA') @@ -545,6 +425,52 @@ although if they do not, there will be some clutter of superseded connections on the end which thinks the lifetime is longer. .TP +.B left +(required) +the IP address of the left participant's public-network interface, +in any form accepted by +.IR ttoaddr (3) +or one of several magic values. +If it is +.BR %defaultroute , +.B left +will be filled in automatically with the local address +of the default-route interface (as determined at IPsec startup time). +(Either +.B left +or +.B right +may be +.BR %defaultroute , +but not both.) +The value +.B %any +signifies an address to be filled in (by automatic keying) during +negotiation. The prefix +.B % +in front of a fully-qualified domain name or an IP address will implicitly set +.B leftallowany=yes. +If the domain name cannot be resolved into an IP address at IPsec startup or update time +then +.B left=%any +and +.B leftallowany=no +will be assumed. +.TP +.B leftallowany +a modifier for +.B left +, making it behave as +.B %any +although a concrete IP address has been assigned. +Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or +update time. +Acceptable values are +.B yes +and +.B no +(the default). +.TP .B leftca the distinguished name of a certificate authority which is required to lie in the trust path going from the left participant's certificate up @@ -553,8 +479,7 @@ to the root certification authority. .B leftcert the path to the left participant's X.509 certificate. The file can be coded either in PEM or DER format. OpenPGP certificates are supported as well. -Both absolute paths or paths relative to -.B /etc/ipsec.d/certs +Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP are accepted. By default .B leftcert sets @@ -566,14 +491,57 @@ The left participant's ID can be overriden by specifying a .B leftid value which must be certified by the certificate, though. .TP +.B leftfirewall +whether the left participant is doing forwarding-firewalling +(including masquerading) using iptables for traffic from \fIleftsubnet\fR, +which should be turned off (for traffic to the other subnet) +once the connection is established; +acceptable values are +.B yes +and +.B no +(the default). +May not be used in the same connection description with +.BR leftupdown . +Implemented as a parameter to the default \fBipsec _updown\fR script. +See notes below. +Relevant only locally, other end need not agree on it. + +If one or both security gateways are doing forwarding firewalling +(possibly including masquerading), +and this is specified using the firewall parameters, +tunnels established with IPsec are exempted from it +so that packets can flow unchanged through the tunnels. +(This means that all subnets connected in this manner must have +distinct, non-overlapping subnet address blocks.) +This is done by the default \fBipsec _updown\fR script (see +.IR pluto (8)). + +In situations calling for more control, +it may be preferable for the user to supply his own +.I updown +script, +which makes the appropriate adjustments for his system. +.TP .B leftgroups a comma separated list of group names. If the .B leftgroups parameter is present then the peer must be a member of at least one of the groups defined by the parameter. Group membership must be certified -by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts\fP thas has been +by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has been issued to the peer by a trusted Authorization Authority stored in -\fI/etc/ipsec.d/aacerts\fP. Attribute certificates are not supported in IKEv2 yet. +\fI/etc/ipsec.d/aacerts/\fP. Attribute certificates are not supported in IKEv2 yet. +.TP +.B lefthostaccess +inserts a pair of INPUT and OUTPUT iptables rules using the default +\fBipsec _updown\fR script, thus allowing access to the host itself +in the case where the host's internal interface is part of the +negotiated client subnet. +Acceptable values are +.B yes +and +.B no +(the default). .TP .B leftid how @@ -582,24 +550,67 @@ should be identified for authentication; defaults to .BR left . Can be an IP address (in any -.IR ipsec_ttoaddr (3) +.IR ttoaddr (3) syntax) or a fully-qualified domain name preceded by .B @ (which is used as a literal string and not resolved). +.TP +.B leftnexthop +this parameter is not needed any more because the NETKEY IPsec stack does +not require explicit routing entries for the traffic to be tunneled. +.TP +.B leftprotoport +restrict the traffic selector to a single protocol and/or port. +Examples: +.B leftprotoport=tcp/http +or +.B leftprotoport=6/80 +or +.B leftprotoport=udp +.TP +.B leftrsasigkey +the left participant's +public key for RSA signature authentication, +in RFC 2537 format using +.IR ttodata (3) +encoding. The magic value -.B %myid -stands for the current setting of \fImyid\fP. -This is set in \fBconfig setup\fP or by \fIipsec_whack\fP(8)), or, if not set, -it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise -it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined. +.B %none +means the same as not specifying a value (useful to override a default). +The value +.B %cert +(the default) +means that the key is extracted from a certificate. +The identity used for the left participant +must be a specific host, not +.B %any +or another magic value. +.B Caution: +if two connection descriptions +specify different public keys for the same +.BR leftid , +confusion and madness will ensue. +.TP +.B leftsendcert +Accepted values are +.B never +or +.BR no , +.B always +or +.BR yes , +and +.BR ifasked . .TP .B leftsourceip The internal source IP to use in a tunnel, also known as virtual IP. If the value is -.B %modeconfig +.BR %modeconfig , +.BR %modecfg , +.BR %config , or -.B %config, +.B %cfg, an address is requested from the peer. In IKEv2, a defined address is requested, but the server may change it. If the server does not support it, the address is enforced. @@ -611,9 +622,47 @@ value is on the responder side, the initiator must propose a address which is then echoed back. .TP +.B leftsubnet +private subnet behind the left participant, expressed as +\fInetwork\fB/\fInetmask\fR +(actually, any form acceptable to +.IR ttosubnet (3)); +if omitted, essentially assumed to be \fIleft\fB/32\fR, +signifying that the left end of the connection goes to the left participant +only. When using IKEv2, the configured subnet of the peers may differ, the +protocol narrows it to the greates common subnet. +.TP .B leftsubnetwithin +the peer can propose any subnet or single IP address that fits within the +range defined by +.BR leftsubnetwithin. Not relevant for IKEv2, as subnets are narrowed. .TP +.B leftupdown +what ``updown'' script to run to adjust routing and/or firewalling +when the status of the connection +changes (default +.BR "ipsec _updown" ). +May include positional parameters separated by white space +(although this requires enclosing the whole string in quotes); +including shell metacharacters is unwise. +See +.IR pluto (8) +for details. +Relevant only locally, other end need not agree on it. IKEv2 uses the updown +script to insert firewall rules only. Routing is not support and will be +implemented directly into Charon. +.TP +.B modeconfig +defines which mode is used to assign a virtual IP. +Accepted values are +.B push +and +.B pull +(the default). +Currently relevant for IKEv1 only since IKEv2 always uses the configuration +payload in pull mode. +.TP .B pfs whether Perfect Forward Secrecy of keys is desired on the connection's keying channel @@ -623,9 +672,20 @@ acceptable values are .B yes (the default) and -.BR no -. IKEv2 always uses PFS for IKE_SA rekeying. PFS for rekeying IPsec SAs is -currently not supported. +.BR no. +IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying +PFS is enforced by defining a Diffie-Hellman modp group in the +.B esp +parameter. +.TP +.B reauth +whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, +reauthentication is always done. In IKEv2, a value of +.B no +rekeys without uninstalling the IPsec SAs, a value of +.B yes +(the default) creates a new IKE_SA from scratch and tries to recreate +all IPsec SAs. .TP .B rekey whether a connection should be renegotiated when it is about to expire; @@ -634,8 +694,7 @@ acceptable values are (the default) and .BR no . -The two ends need not agree, -but while a value of +The two ends need not agree, but while a value of .B no prevents Pluto/Charon from requesting renegotiation, it does not prevent responding to renegotiation requested from the other end, @@ -643,15 +702,6 @@ so .B no will be largely ineffective unless both ends agree on it. .TP -.B reauth -whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, -reauthentication is always done. In IKEv2, a value of -.B no -rekeys without uninstalling the IPsec SAs, a value of -.B yes -(the default) creates a new IKE_SA from scratch and tries to recreate -all IPsec SAs. -.TP .B rekeyfuzz maximum percentage by which .B rekeymargin @@ -661,7 +711,7 @@ acceptable values are an integer, which may exceed 100, followed by a `%' (default set by -.IR ipsec_pluto (8), +.IR pluto (8), currently .BR 100% ). The value of @@ -684,24 +734,36 @@ begin; acceptable values as for .BR 9m ). Relevant only locally, other end need not agree on it. .TP -.B ike -IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g. -.B aes128-sha1-modp2048 -(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals -may be included, such as -.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. -.TP -.B esp -ESP encryption/authentication algorithm to be used -for the connection, e.g. -.B 3des-md5 -(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup -and rekeying include a separate diffe hellman exchange (IKEv2 only). +.B type +the type of the connection; currently the accepted values +are +.B tunnel +(the default) +signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; +.BR transport , +signifying host-to-host transport mode; +.BR passthrough , +signifying that no IPsec processing should be done at all; +.BR drop , +signifying that packets should be discarded; and +.BR reject , +signifying that packets should be discarded and a diagnostic ICMP returned. +Charon currently supports only +.BR tunnel +and +.BR transport +connection types. .TP -.B ah -AH authentication algorithm to be used -for the connection, e.g. -.B hmac-md5. +.B xauth +specifies the role in the XAUTH protocol if activated by +.B authby=xauthpsk +or +.B authby=xauthrsasig. +Accepted values are +.B server +and +.B client +(the default). .SH "CA SECTIONS" This are optional sections that can be used to assign special parameters to a Certification Authority (CA). These parameters are not @@ -721,14 +783,25 @@ defines a path to the CA certificate either relative to .B crluri defines a CRL distribution point (ldap, http, or file URI) .TP +.B crluri1 +synonym for +.B crluri. +.TP .B crluri2 defines an alternative CRL distribution point (ldap, http, or file URI) .TP .B ldaphost -defines an ldap host. +defines an ldap host. Currently used by IKEv1 only. .TP .B ocspuri defines an OCSP URI. +.TP +.B ocspuri1 +synonym for +.B ocspuri. +.TP +.B ocspuri2 +defines an alternative OCSP URI. Currently used by IKEv2 only. .SH "CONFIG SECTIONS" At present, the only .B config @@ -736,7 +809,7 @@ section known to the IPsec software is the one named .BR setup , which contains information used when the software is being started (see -.IR ipsec_setup (8)). +.IR starter (8)). Here's an example: .PP .ne 8 @@ -744,10 +817,9 @@ Here's an example: .ft B .ta 1c config setup - interfaces="ipsec0=eth1 ipsec1=ppp0" - klipsdebug=none plutodebug=all - manualstart= + crlcheckinterval=10m + strictcrlpolicy=yes .ft .fi .PP @@ -759,78 +831,107 @@ names in a .B setup section are: .TP 14 -.B myid -the identity to be used for -.BR %myid . -.B %myid -is used in the implicit policy group conns and can be used as -an identity in explicit conns. -If unspecified, -.B %myid -is set to the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise -the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined. -An explicit value generally starts with ``\fB@\fP''. -.TP -.B interfaces -virtual and physical interfaces for IPsec to use: -a single -\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated -by white space, or -.BR %none . -One of the pairs may be written as -.BR %defaultroute , -which means: find the interface \fId\fR that the default route points to, -and then act as if the value was ``\fBipsec0=\fId\fR''. -.B %defaultroute -is the default; -.B %none -must be used to denote no interfaces. -If -.B %defaultroute -is used (implicitly or explicitly) -information about the default route and its interface is noted for -use by -.IR ipsec_manual (8) +.B cachecrls +certificate revocation lists (CRLs) fetched via http or ldap will be cached in +\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification +authority's public key. +Accepted values are +.B yes and -.IR ipsec_auto (8).) -.TP -.B forwardcontrol -whether -.I setup -should turn IP forwarding on -(if it's not already on) as IPsec is started, -and turn it off again (if it was off) as IPsec is stopped; -acceptable values are +.B no +(the default). +.TP +.B charonstart +whether to start the IKEv2 Charon daemon or not. +Accepted values are +.B yes +(the default) +or +.BR no . +.TP +.B crlcheckinterval +interval in seconds. CRL fetching is enabled if the value is greater than zero. +Asynchronous, periodic checking for fresh CRLs is currently done by the +IKEv1 Pluto daemon only. +.TP +.B dumpdir +in what directory should things started by \fBipsec starter\fR +(notably the Pluto and Charon daemons) be allowed to dump core? +The empty value (the default) means they are not +allowed to. +This feature is currently not yet supported by \fBipsec starter\fR. +.TP +.B plutostart +whether to start the IKEv1 Pluto daemon or not. +Accepted values are .B yes -and (the default) +(the default) +or .BR no . -For this to have full effect, forwarding must be -disabled before the hardware interfaces are brought -up (e.g., -.B "net.ipv4.ip_forward\ =\ 0" -in Red Hat 6.x -.IR /etc/sysctl.conf ), -because IPsec doesn't get control early enough to do that. -.TP -.B rp_filter -whether and how -.I setup -should adjust the reverse path filtering mechanism for the -physical devices to be used. -Values are \fB%unchanged\fP (to leave it alone) -or \fB0\fP, \fB1\fP, \fB2\fP (values to set it to). -\fI/proc/sys/net/ipv4/conf/PHYS/rp_filter\fP -is badly documented; it must be \fB0\fP in many cases -for ipsec to function. -The default value for the parameter is \fB0\fP. -.TP -.B syslog -the -.IR syslog (2) -``facility'' name and priority to use for -startup/shutdown log messages, -default -.BR daemon.error . +.TP +.B strictcrlpolicy +defines if a fresh CRL must be available in order for the peer authentication based +on RSA signatures to succeed. +Accepted values are +.B yes +and +.B no +(the default). +IKEv2 additionally recognizes +.B ifuri +which reverts to +.B yes +if at least one CRL URI is defined and to +.B no +if no URI is known. +.PP +The following +.B config section +parameters are used by the IKEv1 Pluto daemon only: +.TP +.B keep_alive +interval in seconds between NAT keep alive packets, the default being 20 seconds. +.TP +.B nat_traversal +activates NAT traversal by accepting source ISAKMP ports different from udp/500 and +being able of floating to udp/4500 if a NAT situation is detected. +Accepted values are +.B yes +and +.B no +(the default). +.B nocrsend +no certificate request payloads will be sent. +Accepted values are +.B yes +and +.B no +(the default). +Used by IKEv1 only, NAT traversal always being active in IKEv2. +.TP +.B pkcs11initargs +non-standard argument string for PKCS#11 C_Initialize() function; +required by NSS softoken. +.TP +.B pkcs11module +defines the path to a dynamically loadable PKCS #11 library. +.TP +.B pkcs11keepstate +PKCS #11 login sessions will be kept during the whole lifetime of the keying +daemon. Useful with pin-pad smart card readers. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B pkcs11proxy +Pluto will act as a PKCS #11 proxy accessible via the whack interface. +Accepted values are +.B yes +and +.B no +(the default). .TP .B plutodebug how much Pluto debugging output should be logged. @@ -847,57 +948,11 @@ Otherwise only the specified types of output prefix, separated by white space) are enabled; for details on available debugging types, see -.IR ipsec_pluto (8). -.TP -.B charondebug -how much Charon debugging output should be logged. -A comma separated list containing type level/pairs may -be specified, e.g: -.B dmn 3, ike 1, net -1. -Acceptable values for types are -.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib -and the level is one of -.B -1, 0, 1, 2, 3, 4 -(for silent, audit, control, controlmore, raw, private) +.IR pluto (8). .TP -.B plutoopts -additional options to pass to pluto upon startup. See -.IR ipsec_pluto (8). -.TP -.B plutostderrlog -do not use syslog, but rather log to stderr, and direct stderr to the -argument file. -.TP -.B dumpdir -in what directory should things started by -.I setup -(notably the Pluto daemon) be allowed to -dump core? -The empty value (the default) means they are not -allowed to. -.TP -.B pluto -whether to start Pluto or not; -Values are -.B yes -(the default) -or -.B no -(useful only in special circumstances). -.TP -.B plutowait -should Pluto wait for each -negotiation attempt that is part of startup to -finish before proceeding with the next? -Values are -.B yes -or -.BR no -(the default). -.TP -.B prepluto -shell command to run before starting Pluto -(e.g., to decrypt an encrypted copy of the +.B postpluto +shell command to run after starting Pluto +(e.g., to remove a decrypted copy of the .I ipsec.secrets file). It's run in a very simple way; @@ -908,9 +963,9 @@ so running interactive commands is difficult unless they use or equivalent for their interaction. Default is none. .TP -.B postpluto -shell command to run after starting Pluto -(e.g., to remove a decrypted copy of the +.B prepluto +shell command to run before starting Pluto +(e.g., to decrypt an encrypted copy of the .I ipsec.secrets file). It's run in a very simple way; @@ -921,6 +976,43 @@ so running interactive commands is difficult unless they use or equivalent for their interaction. Default is none. .TP +.B virtual_private +defines private networks using a wildcard notation. +.TP +.B uniqueids +whether a particular participant ID should be kept unique, +with any new (automatically keyed) +connection using an ID from a different IP address +deemed to replace all old ones using that ID; +acceptable values are +.B yes +(the default) +and +.BR no . +Participant IDs normally \fIare\fR unique, +so a new (automatically-keyed) connection using the same ID is +almost invariably intended to replace an old one. +.PP +The following +.B config section +parameters are used by the IKEv2 Charon daemon only: +.TP +.B charondebug +how much Charon debugging output should be logged. +A comma separated list containing type level/pairs may +be specified, e.g: +.B dmn 3, ike 1, net -1. +Acceptable values for types are +.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib +and the level is one of +.B -1, 0, 1, 2, 3, 4 +(for silent, audit, control, controlmore, raw, private). +.PP +The following +.B config section +parameters only make sense if the KLIPS IPsec stack +is used instead of the default NETKEY stack of the Linux 2.6 kernel: +.TP .B fragicmp whether a tunnel's need to fragment a packet should be reported back with an ICMP message, @@ -939,37 +1031,26 @@ acceptable values are .B yes (the default) and -.BR no . +.BR no .TP -.B uniqueids -whether a particular participant ID should be kept unique, -with any new (automatically keyed) -connection using an ID from a different IP address -deemed to replace all old ones using that ID; -acceptable values are -.B yes -(the default) -and -.BR no . -Participant IDs normally \fIare\fR unique, -so a new (automatically-keyed) connection using the same ID is -almost invariably intended to replace an old one. +.B interfaces +virtual and physical interfaces for IPsec to use: +a single +\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated +by white space, or +.BR %none . +One of the pairs may be written as +.BR %defaultroute , +which means: find the interface \fId\fR that the default route points to, +and then act as if the value was ``\fBipsec0=\fId\fR''. +.B %defaultroute +is the default; +.B %none +must be used to denote no interfaces. .TP .B overridemtu value that the MTU of the ipsec\fIn\fR interface(s) should be set to, overriding IPsec's (large) default. -This parameter is needed only in special situations. -.TP -.B nat_traversal -.TP -.B crlcheckinterval -.TP -.B strictcrlpolicy -.TP -.B pkcs11module -.TP -.B pkcs11keepstate - .SH CHOOSING A CONNECTION .PP When choosing a connection to apply to an outbound packet caught with a @@ -988,87 +1069,20 @@ information about the client subnets to complete the instantiation. .SH FILES .nf /etc/ipsec.conf +/etc/ipsec.d/aacerts +/etc/ipsec.d/acerts /etc/ipsec.d/cacerts /etc/ipsec.d/certs /etc/ipsec.d/crls -/etc/ipsec.d/aacerts -/etc/ipsec.d/acerts .SH SEE ALSO -ipsec(8), ipsec_ttoaddr(8), ipsec_auto(8), ipsec_manual(8), ipsec_rsasigkey(8) +ipsec(8), pluto(8), starter(8), ttoaddr(3), ttodata(3) .SH HISTORY -Written for the FreeS/WAN project -<http://www.freeswan.org> -by Henry Spencer. Extended for the strongSwan project +Written for the FreeS/WAN project by Henry Spencer. +Extended for the strongSwan project <http://www.strongswan.org> -by Andreas Steffen. Updated to respect IKEv2 specific configuration -by Martin Willi. +by Andreas Steffen. IKEv2-specific features by Martin Willi. .SH BUGS .PP -When -.B type -or -.B failureshunt -is set to -.B drop -or -.BR reject, -strongSwan blocks outbound packets using eroutes, but assumes inbound -blocking is handled by the firewall. strongSwan offers firewall hooks -via an ``updown'' script. However, the default -.B ipsec _updown -provides no help in controlling a modern firewall. -.PP -Including attributes of the keying channel -(authentication methods, -.BR ikelifetime , -etc.) -as an attribute of a connection, -rather than of a participant pair, is dubious and incurs limitations. -.PP -.IR Ipsec_manual -is not nearly as generous about the syntax of subnets, -addresses, etc. as the usual strongSwan user interfaces. -Four-component dotted-decimal must be used for all addresses. -It -.I is -smart enough to translate bit-count netmasks to dotted-decimal form. -.PP -It would be good to have a line-continuation syntax, -especially for the very long lines involved in -RSA signature keys. -.PP -The ability to specify different identities, -.BR authby , -and public keys for different automatic-keyed connections -between the same participants is misleading; -this doesn't work dependably because the identity of the participants -is not known early enough. -This is especially awkward for the ``Road Warrior'' case, -where the remote IP address is specified as -.BR 0.0.0.0 , -and that is considered to be the ``participant'' for such connections. -.PP -In principle it might be necessary to control MTU on an -interface-by-interface basis, -rather than with the single global override that -.B overridemtu -provides. -.PP -A number of features which \fIcould\fR be implemented in -both manual and automatic keying -actually are not yet implemented for manual keying. -This is unlikely to be fixed any time soon. -.PP -If conns are to be added before DNS is available, -\fBleft=\fP\fIFQDN\fP, -\fBleftnextop=\fP\fIFQDN\fP, -and -.B leftrsasigkey=%dnsonload +If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP will fail. -.IR ipsec_pluto (8) -does not actually use the public key for our side of a conn but it -isn't generally known at a add-time which side is ours (Road Warrior -and Opportunistic conns are currently exceptions). -.PP -The \fBmyid\fP option does not affect explicit \fB ipsec auto \-\-add\fP or \fBipsec auto \-\-replace\fP commands for implicit conns. diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 215b95ad6..f7f24eefb 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -56,12 +56,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 90 +#define TOTAL_KEYWORDS 93 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 #define MIN_HASH_VALUE 15 -#define MAX_HASH_VALUE 188 -/* maximum key range = 174, duplicates = 0 */ +#define MAX_HASH_VALUE 209 +/* maximum key range = 195, duplicates = 0 */ #ifdef __GNUC__ __inline @@ -77,32 +77,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 40, - 10, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 80, 189, 20, - 75, 5, 95, 0, 30, 0, 189, 55, 0, 45, - 0, 35, 20, 189, 15, 70, 40, 15, 20, 189, - 0, 25, 0, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189, 189, 189, 189, 189, - 189, 189, 189, 189, 189, 189 + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 40, + 5, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 90, 210, 25, + 75, 5, 85, 0, 95, 0, 210, 55, 0, 25, + 0, 70, 20, 210, 15, 70, 40, 20, 5, 210, + 5, 65, 0, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210, 210, 210, 210, 210, + 210, 210, 210, 210, 210, 210 }; return len + asso_values[(unsigned char)str[1]] + asso_values[(unsigned char)str[0]] + asso_values[(unsigned char)str[len - 1]]; } @@ -116,7 +116,8 @@ static const struct kw_entry wordlist[] = {"leftfirewall", KW_LEFTFIREWALL}, {""}, {""}, {""}, {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, - {""}, {""}, {""}, {""}, + {""}, {""}, {""}, + {"virtual_private", KW_VIRTUAL_PRIVATE}, {"rightupdown", KW_RIGHTUPDOWN}, {""}, {"rightfirewall", KW_RIGHTFIREWALL}, @@ -129,30 +130,23 @@ static const struct kw_entry wordlist[] = {""}, {"leftnexthop", KW_LEFTNEXTHOP}, {"leftsourceip", KW_LEFTSOURCEIP}, - {""}, {""}, - {"virtual_private", KW_VIRTUAL_PRIVATE}, - {"crluri", KW_CRLURI}, - {""}, - {"leftrsasigkey", KW_LEFTRSASIGKEY}, - {""}, + {""}, {""}, {""}, {""}, {""}, {""}, {""}, {"rightnatip", KW_RIGHTNATIP}, - {""}, + {"crluri", KW_CRLURI}, {"rightnexthop", KW_RIGHTNEXTHOP}, {"rightsourceip", KW_RIGHTSOURCEIP}, {"left", KW_LEFT}, - {"rekey", KW_REKEY}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, + {""}, {""}, {"crluri2", KW_CRLURI2}, {"leftcert", KW_LEFTCERT,}, - {"rightrsasigkey", KW_RIGHTRSASIGKEY}, + {""}, {"leftsubnet", KW_LEFTSUBNET}, - {"reauth", KW_REAUTH}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, {"leftsendcert", KW_LEFTSENDCERT}, {"leftprotoport", KW_LEFTPROTOPORT}, {""}, {"right", KW_RIGHT}, - {"charondebug", KW_CHARONDEBUG}, - {"ocspuri", KW_OCSPURI}, + {""}, {""}, {"ike", KW_IKE}, {"rightcert", KW_RIGHTCERT}, {"klipsdebug", KW_KLIPSDEBUG}, @@ -163,78 +157,95 @@ static const struct kw_entry wordlist[] = {"plutostart", KW_PLUTOSTART}, {"ikelifetime", KW_IKELIFETIME}, {"keylife", KW_KEYLIFE}, - {"ocspuri2", KW_OCSPURI2}, - {"type", KW_TYPE}, + {""}, {""}, {"keep_alive", KW_KEEP_ALIVE}, {"keyexchange", KW_KEYEXCHANGE}, + {""}, {""}, {""}, + {"interfaces", KW_INTERFACES}, {""}, - {"prepluto", KW_PREPLUTO}, + {"leftallowany", KW_LEFTALLOWANY}, + {"leftrsasigkey", KW_LEFTRSASIGKEY}, {""}, - {"interfaces", KW_INTERFACES}, - {"overridemtu", KW_OVERRIDEMTU}, - {"crluri1", KW_CRLURI}, - {""}, {""}, {"leftgroups", KW_LEFTGROUPS}, {"leftid", KW_LEFTID}, - {""}, + {"crluri1", KW_CRLURI}, {"ldapbase", KW_LDAPBASE}, {"lefthostaccess", KW_LEFTHOSTACCESS}, - {"modeconfig", KW_MODECONFIG}, - {"leftca", KW_LEFTCA}, + {"rekey", KW_REKEY}, + {""}, {"pkcs11module", KW_PKCS11MODULE}, - {"nat_traversal", KW_NAT_TRAVERSAL}, - {"uniqueids", KW_UNIQUEIDS}, + {"rightallowany", KW_RIGHTALLOWANY}, + {"rightrsasigkey", KW_RIGHTRSASIGKEY}, {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, {"rightgroups", KW_RIGHTGROUPS}, {"rightid", KW_RIGHTID}, {"esp", KW_ESP}, - {"postpluto", KW_POSTPLUTO}, + {"uniqueids", KW_UNIQUEIDS}, {"righthostaccess", KW_RIGHTHOSTACCESS}, - {"charonstart", KW_CHARONSTART}, - {"rightca", KW_RIGHTCA}, - {"ocspuri1", KW_OCSPURI}, + {"leftca", KW_LEFTCA}, + {"ocspuri", KW_OCSPURI}, + {"nat_traversal", KW_NAT_TRAVERSAL}, {"dpdaction", KW_DPDACTION}, + {"modeconfig", KW_MODECONFIG}, + {"overridemtu", KW_OVERRIDEMTU}, + {""}, + {"ocspuri2", KW_OCSPURI2}, + {""}, {""}, {""}, + {"rightca", KW_RIGHTCA}, + {"prepluto", KW_PREPLUTO}, + {"type", KW_TYPE}, {""}, {"eapdir", KW_EAPDIR}, - {"hidetos", KW_HIDETOS}, - {"eap", KW_EAP}, - {""}, {""}, - {"pkcs11proxy", KW_PKCS11PROXY}, {"dumpdir", KW_DUMPDIR}, + {"eap", KW_EAP}, {""}, {""}, - {"xauth", KW_XAUTH}, - {""}, {""}, - {"nocrsend", KW_NOCRSEND}, - {"also", KW_ALSO}, - {""}, {""}, {""}, - {"ldaphost", KW_LDAPHOST}, - {""}, {""}, - {"authby", KW_AUTHBY}, + {"reauth", KW_REAUTH}, {""}, - {"dpddelay", KW_DPDDELAY}, - {"auth", KW_AUTH}, - {""}, {""}, {""}, - {"compress", KW_COMPRESS}, - {"auto", KW_AUTO}, - {""}, {""}, {""}, + {"ldaphost", KW_LDAPHOST}, + {""}, {""}, {""}, {""}, {"fragicmp", KW_FRAGICMP}, {""}, {""}, - {"keyingtries", KW_KEYINGTRIES}, + {"charondebug", KW_CHARONDEBUG}, {""}, {"pfsgroup", KW_PFSGROUP}, + {""}, {""}, {""}, {""}, {""}, {""}, {""}, + {"keyingtries", KW_KEYINGTRIES}, + {""}, + {"ocspuri1", KW_OCSPURI}, {""}, {"dpdtimeout", KW_DPDTIMEOUT}, + {""}, {""}, {""}, {""}, {""}, + {"pkcs11proxy", KW_PKCS11PROXY}, + {""}, + {"nocrsend", KW_NOCRSEND}, + {""}, {""}, {""}, {""}, {""}, + {"pkcs11initargs", KW_PKCS11INITARGS}, + {""}, {"cacert", KW_CACERT}, + {""}, + {"packetdefault", KW_PACKETDEFAULT}, + {"also", KW_ALSO}, {""}, {""}, {""}, - {"strictcrlpolicy", KW_STRICTCRLPOLICY}, + {"dpddelay", KW_DPDDELAY}, + {"postpluto", KW_POSTPLUTO}, + {""}, + {"charonstart", KW_CHARONSTART}, + {"hidetos", KW_HIDETOS}, + {"compress", KW_COMPRESS}, + {""}, {""}, {""}, {""}, + {"pfs", KW_PFS}, {""}, {""}, - {"packetdefault", KW_PACKETDEFAULT}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, + {"authby", KW_AUTHBY}, + {""}, {""}, + {"auto", KW_AUTO}, + {""}, {""}, {""}, {""}, {""}, + {"strictcrlpolicy", KW_STRICTCRLPOLICY}, + {""}, {""}, {""}, {"cachecrls", KW_CACHECRLS}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, - {"pfs", KW_PFS} + {"xauth", KW_XAUTH}, + {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, + {""}, {""}, {""}, {""}, + {"auth", KW_AUTH} }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 08d50fea0..8f5108ad8 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -25,9 +25,9 @@ typedef enum { KW_CHARONSTART, KW_PLUTOSTART, - /* pluto/charon keywords */ + /* pluto/charon keywords */ KW_PLUTODEBUG, - KW_CHARONDEBUG, + KW_CHARONDEBUG, KW_PREPLUTO, KW_POSTPLUTO, KW_UNIQUEIDS, @@ -41,6 +41,7 @@ typedef enum { KW_VIRTUAL_PRIVATE, KW_EAPDIR, KW_PKCS11MODULE, + KW_PKCS11INITARGS, KW_PKCS11KEEPSTATE, KW_PKCS11PROXY, @@ -112,6 +113,7 @@ typedef enum { KW_NATIP, KW_FIREWALL, KW_HOSTACCESS, + KW_ALLOWANY, KW_UPDOWN, KW_ID, KW_RSASIGKEY, @@ -134,6 +136,7 @@ typedef enum { KW_LEFTNATIP, KW_LEFTFIREWALL, KW_LEFTHOSTACCESS, + KW_LEFTALLOWANY, KW_LEFTUPDOWN, KW_LEFTID, KW_LEFTRSASIGKEY, @@ -155,6 +158,7 @@ typedef enum { KW_RIGHTNATIP, KW_RIGHTFIREWALL, KW_RIGHTHOSTACCESS, + KW_RIGHTALLOWANY, KW_RIGHTUPDOWN, KW_RIGHTID, KW_RIGHTRSASIGKEY, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 0f943fc3c..573a2389a 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -50,6 +50,7 @@ virtual_private, KW_VIRTUAL_PRIVATE eap, KW_EAP eapdir, KW_EAPDIR pkcs11module, KW_PKCS11MODULE +pkcs11initargs, KW_PKCS11INITARGS pkcs11keepstate, KW_PKCS11KEEPSTATE pkcs11proxy, KW_PKCS11PROXY keyexchange, KW_KEYEXCHANGE @@ -91,6 +92,7 @@ leftsourceip, KW_LEFTSOURCEIP leftnatip, KW_LEFTNATIP leftfirewall, KW_LEFTFIREWALL lefthostaccess, KW_LEFTHOSTACCESS +leftallowany, KW_LEFTALLOWANY leftupdown, KW_LEFTUPDOWN leftid, KW_LEFTID leftrsasigkey, KW_LEFTRSASIGKEY @@ -107,6 +109,7 @@ rightsourceip, KW_RIGHTSOURCEIP rightnatip, KW_RIGHTNATIP rightfirewall, KW_RIGHTFIREWALL righthostaccess, KW_RIGHTHOSTACCESS +rightallowany, KW_RIGHTALLOWANY rightupdown, KW_RIGHTUPDOWN rightid, KW_RIGHTID rightrsasigkey, KW_RIGHTRSASIGKEY diff --git a/src/starter/starter.8 b/src/starter/starter.8 new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/src/starter/starter.8 diff --git a/src/starter/starter.c b/src/starter/starter.c index 0bf1d7a71..3cf7017fd 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -237,9 +237,13 @@ int main (int argc, char **argv) } cfg = confread_load(CONFIG_FILE); - if (!cfg) + if (cfg == NULL || cfg->err > 0) { - plog("unable to start strongSwan -- errors in config"); + plog("unable to start strongSwan -- fatal errors in config"); + if (cfg) + { + confread_free(cfg); + } exit(1); } @@ -276,6 +280,7 @@ int main (int argc, char **argv) dup2(fnull, STDERR_FILENO); close(fnull); } + setsid(); } break; case -1: @@ -372,7 +377,7 @@ int main (int argc, char **argv) ); new_cfg = confread_load(CONFIG_FILE); - if (new_cfg) + if (new_cfg->err + new_cfg->non_fatal_err == 0) { /* Switch to new config. New conn will be loaded below */ if (!starter_cmp_defaultroute(&new_cfg->defaultroute @@ -465,7 +470,8 @@ int main (int argc, char **argv) } else { - plog("can't reload config file: %s -- keeping old one"); + plog("can't reload config file due to errors -- keeping old one"); + confread_free(new_cfg); } _action_ &= ~FLAG_ACTION_UPDATE; last_reload = time(NULL); diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c index 42328849a..e920fc7ee 100644 --- a/src/starter/starterwhack.c +++ b/src/starter/starterwhack.c @@ -170,6 +170,7 @@ set_whack_end(whack_end_t *w, starter_end_t *end) w->has_natip = end->has_natip; w->modecfg = end->modecfg; w->hostaccess = end->hostaccess; + w->allow_any = end->allow_any; w->sendcert = end->sendcert; w->updown = end->updown; w->host_port = IKE_UDP_PORT; |