author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2008-12-05 16:15:54 +0000 |
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2008-12-05 16:15:54 +0000 |
commit | c7f1b0530b85bc7654e68992f25ed8ced5d0a80d (patch) | |
tree | 861798cd7da646014ed6919766b053099646710d /src/starter | |
parent | 8b80ab5a6950ce6515f477624794defd7531642a (diff) | |
[svn-upgrade] Integrating new upstream version, strongswan (4.2.9)
Diffstat (limited to 'src/starter')
-rw-r--r-- | src/starter/Makefile.am | 20 | ||||
-rw-r--r-- | src/starter/Makefile.in | 25 | ||||
-rw-r--r-- | src/starter/args.c | 3 | ||||
-rw-r--r-- | src/starter/confread.c | 31 | ||||
-rw-r--r-- | src/starter/confread.h | 4 | ||||
-rw-r--r-- | src/starter/files.h | 5 | ||||
-rw-r--r-- | src/starter/invokepluto.c | 6 | ||||
-rw-r--r-- | src/starter/ipsec.conf.5 | 22 | ||||
-rw-r--r-- | src/starter/keywords.c | 7 | ||||
-rw-r--r-- | src/starter/keywords.h | 3 | ||||
-rw-r--r-- | src/starter/keywords.txt | 3 | ||||
-rw-r--r-- | src/starter/klips.c | 82 | ||||
-rw-r--r-- | src/starter/klips.h | 24 | ||||
-rw-r--r-- | src/starter/lex.yy.c | 43 | ||||
-rw-r--r-- | src/starter/netkey.c | 22 | ||||
-rw-r--r-- | src/starter/parser.l | 3 | ||||
-rw-r--r-- | src/starter/starter.c | 13 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 36 |
18 files changed, 265 insertions, 87 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index e6346a585..5ee614f1b 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -1,13 +1,13 @@ ipsec_PROGRAMS = starter starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \ starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \ -starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \ +starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \ -exec.h invokecharon.h lex.yy.c loglite.c +exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG -starter_LDADD = defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a +starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf dist_man_MANS = ipsec.conf.5 starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c @@ -15,17 +15,17 @@ MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR=$(top_srcdir)/src/pluto SCEPCLIENTDIR=$(top_srcdir)/src/scepclient -lex.yy.c: y.tab.c parser.l parser.y parser.h - $(LEX) --nounput parser.l +lex.yy.c: parser.l parser.y parser.h y.tab.c + $(LEX) --nounput $< -y.tab.c: parser.l parser.y parser.h - $(YACC) -v -d parser.y +y.tab.c: parser.y parser.l parser.h + $(YACC) -v -d $< -y.tab.h: parser.l parser.y parser.h - $(YACC) -v -d parser.y +y.tab.h: parser.y parser.l parser.h + $(YACC) -v -d $< keywords.c: keywords.txt keywords.h - $(GPERF) -C -G -t < keywords.txt > keywords.c + $(GPERF) -C -G -t < $< > $@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $< 
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 4150a60e7..446edf8c5 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -51,10 +51,10 @@ am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ invokepluto.$(OBJEXT) confread.$(OBJEXT) interfaces.$(OBJEXT) \ args.$(OBJEXT) keywords.$(OBJEXT) cmp.$(OBJEXT) \ starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \ - lex.yy.$(OBJEXT) loglite.$(OBJEXT) + lex.yy.$(OBJEXT) loglite.$(OBJEXT) klips.$(OBJEXT) starter_OBJECTS = $(am_starter_OBJECTS) starter_DEPENDENCIES = defs.o \ - $(top_srcdir)/src/libfreeswan/libfreeswan.a + $(top_builddir)/src/libfreeswan/libfreeswan.a DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -214,13 +214,13 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \ starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \ -starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \ +starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \ -exec.h invokecharon.h lex.yy.c loglite.c +exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG -starter_LDADD = defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a +starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf dist_man_MANS = ipsec.conf.5 starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c 
@@ -305,6 +305,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokecharon.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokepluto.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keywords.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/klips.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.yy.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/netkey.Po@am__quote@ @@ -615,17 +616,17 @@ uninstall-man: uninstall-man5 uninstall-man8 uninstall-man8 -lex.yy.c: y.tab.c parser.l parser.y parser.h - $(LEX) --nounput parser.l +lex.yy.c: parser.l parser.y parser.h y.tab.c + $(LEX) --nounput $< -y.tab.c: parser.l parser.y parser.h - $(YACC) -v -d parser.y +y.tab.c: parser.y parser.l parser.h + $(YACC) -v -d $< -y.tab.h: parser.l parser.y parser.h - $(YACC) -v -d parser.y +y.tab.h: parser.y parser.l parser.h + $(YACC) -v -d $< keywords.c: keywords.txt keywords.h - $(GPERF) -C -G -t < keywords.txt > keywords.c + $(GPERF) -C -G -t < $< > $@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $< diff --git a/src/starter/args.c b/src/starter/args.c index 7af3b6310..c09bea986 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: args.c 4276 2008-08-22 10:44:51Z martin $ + * RCSID $Id: args.c 4612 2008-11-11 06:37:37Z andreas $ */ #include <stddef.h> @@ -199,6 +199,7 @@ static const token_info_t token_info[] = { ARG_MISC, 0, NULL /* KW_TYPE */ }, { ARG_MISC, 0, NULL /* KW_PFS */ }, { ARG_MISC, 0, NULL /* KW_COMPRESS */ }, + { ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool }, { ARG_MISC, 0, NULL /* KW_AUTH */ }, { ARG_MISC, 0, NULL /* KW_AUTHBY */ }, { ARG_MISC, 0, NULL /* KW_EAP */ }, 
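Review bot: The new token_info row for `install_policy` in args.c is tied to its keyword purely by position; the table appears to be indexed by kw_token_t, so it has to stay at the same offset as KW_INSTALLPOLICY in keywords.h, which this commit inserts after KW_COMPRESS in both files. The neighbouring ARG_MISC rows carry `/* KW_... */` tags but this one does not, so an insertion made in one file and not the other would be hard to spot. Suggest `{ ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool }, /* KW_INSTALLPOLICY */`. The token_info array starts and ends outside the hunk.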
diff --git a/src/starter/confread.c b/src/starter/confread.c index 959a98b77..1560266c1 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: confread.c 4269 2008-08-21 12:10:07Z martin $ + * RCSID $Id: confread.c 4612 2008-11-11 06:37:37Z andreas $ */ #include <stddef.h> @@ -79,6 +79,7 @@ static void default_values(starter_config_t *cfg) cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT; cfg->conn_default.addr_family = AF_INET; cfg->conn_default.tunnel_addr_family = AF_INET; + cfg->conn_default.install_policy = TRUE; cfg->conn_default.dpd_delay = 30; /* seconds */ cfg->conn_default.dpd_timeout = 150; /* seconds */ @@ -497,15 +498,29 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) case KW_TYPE: conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK); if (streq(kw->value, "tunnel")) + { conn->policy |= POLICY_TUNNEL; + } else if (streq(kw->value, "beet")) + { conn->policy |= POLICY_BEET; + } + else if (streq(kw->value, "transport_proxy")) + { + conn->policy |= POLICY_PROXY; + } else if (streq(kw->value, "passthrough") || streq(kw->value, "pass")) + { conn->policy |= POLICY_SHUNT_PASS; + } else if (streq(kw->value, "drop")) + { conn->policy |= POLICY_SHUNT_DROP; + } else if (streq(kw->value, "reject")) + { conn->policy |= POLICY_SHUNT_REJECT; + } else if (strcmp(kw->value, "transport") != 0) { plog("# bad policy value: %s=%s", kw->entry->name, kw->value); 
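Review bot: The new `transport_proxy` branch in load_conn accepts exactly that spelling, but the ipsec.conf.5 hunk in this commit lists charon's supported types as `tunnel`, `transport` and `tunnel_proxy`, so the man page names a type that this parser rejects with `# bad policy value`. Since the earlier man-page paragraph also spells it `transport_proxy`, the `tunnel_proxy` line looks like the typo and should be aligned with the code. A short comment on the branch, `/* Mobile IPv6 transport proxy mode; starterstroke.c maps it to XFRM_MODE_TRANSPORT with proxy_mode set */`, would tie the keyword to where it is consumed. load_conn's body starts and ends outside the hunk.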
@@ -530,21 +545,33 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) char *second = strchr(kw->value, '|'); if (second != NULL) + { *second = '\0'; + } /* also handles the cases secret|rsasig and rsasig|secret */ for (;;) { if (streq(value, "rsa") || streq(value, "rsasig")) + { conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT; + } else if (streq(value, "secret") || streq(value, "psk")) + { conn->policy |= POLICY_PSK | POLICY_ENCRYPT; + } else if (streq(value, "ecdsa") || streq(value, "ecdsasig")) + { conn->policy |= POLICY_ECDSASIG | POLICY_ENCRYPT; + } else if (streq(value, "xauthrsasig")) + { conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT; + } else if (streq(value, "xauthpsk")) + { conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT; + } else { plog("# bad policy value: %s=%s", kw->entry->name, kw->value); @@ -552,7 +579,9 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) break; } if (second == NULL) + { break; + } value = second; second = NULL; /* traverse the loop no more than twice */ } diff --git a/src/starter/confread.h b/src/starter/confread.h index 2c6e45984..24a8d073e 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: confread.h 4276 2008-08-22 10:44:51Z martin $ + * RCSID $Id: confread.h 4612 2008-11-11 06:37:37Z andreas $ */ #ifndef _IPSEC_CONFREAD_H_ @@ -114,7 +114,7 @@ struct starter_conn { unsigned long sa_rekey_fuzz; sa_family_t addr_family; sa_family_t tunnel_addr_family; - + bool install_policy; starter_end_t left, right; unsigned long id; diff --git a/src/starter/files.h b/src/starter/files.h index b21db8bd1..a40574594 100644 --- a/src/starter/files.h +++ b/src/starter/files.h 
@@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: files.h 3267 2007-10-08 19:57:54Z andreas $ + * RCSID $Id: files.h 4618 2008-11-11 09:22:00Z tobias $ */ #ifndef _STARTER_FILES_H_ @@ -19,7 +19,8 @@ #define STARTER_PID_FILE IPSEC_PIDDIR "/starter.pid" -#define PROC_NETKEY "/proc/net/pfkey" +#define PROC_NETKEY "/proc/net/pfkey" +#define PROC_KLIPS "/proc/net/pf_key" #define PROC_MODULES "/proc/modules" #define CONFIG_FILE IPSEC_CONFDIR "/ipsec.conf" diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c index a3cf3a786..e18d6e38d 100644 --- a/src/starter/invokepluto.c +++ b/src/starter/invokepluto.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: invokepluto.c 3942 2008-05-13 07:37:08Z martin $ + * RCSID $Id: invokepluto.c 4632 2008-11-11 18:37:19Z martin $ */ #include <sys/types.h> @@ -215,7 +215,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork) _stop_requested = 0; if (cfg->setup.prepluto) - system(cfg->setup.prepluto); + ignore_result(system(cfg->setup.prepluto)); pid = fork(); switch (pid) @@ -258,7 +258,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork) DBG_log("pluto (%d) started", _pluto_pid) ) if (cfg->setup.postpluto) - system(cfg->setup.postpluto); + ignore_result(system(cfg->setup.postpluto)); return 0; } } diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 index 40ff27d0b..10ce8348e 100644 --- a/src/starter/ipsec.conf.5 +++ b/src/starter/ipsec.conf.5 @@ -1,5 +1,5 @@ .TH IPSEC.CONF 5 "27 Jun 2007" -.\" RCSID $Id: ipsec.conf.5 4360 2008-09-30 12:36:58Z martin $ +.\" RCSID $Id: ipsec.conf.5 4645 2008-11-13 06:29:53Z andreas $ .SH NAME ipsec.conf \- IPsec configuration and connections .SH DESCRIPTION 
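Review bot: Wrapping the prepluto and postpluto `system()` calls in `ignore_result` silences the unused-result warning but also discards the exit status of an operator-configured hook, so a failing prepluto script now lets pluto start with no trace in the log. These strings appear to come from the setup section of ipsec.conf, so a non-zero status is worth recording: `int rc = system(cfg->setup.prepluto); if (rc != 0) plog("prepluto command failed (status %d)", rc);` and the same for postpluto. starter_start_pluto's body extends beyond both hunks.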
@@ -397,6 +397,15 @@ may be included, such as how long the keying channel of a connection ('ISAKMP/IKE SA') should last before being renegotiated. .TP +.B installpolicy +decides whether IPsec policies are installed in the kernel by the IKEv2 +charon daemon for a given connection. Allows peaceful co-existence e.g. with +the Mobile IPv6 daemon mip6d who wants to control the kernel policies. +Acceptable values are +.B yes +(the default) and +.BR no . +.TP .B keyexchange method of key exchange; which protocol should be used to initialize the connection. Connections marked with @@ -782,17 +791,20 @@ are signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; .BR transport , signifying host-to-host transport mode; +.BR transport_proxy , +signifying the special Mobile IPv6 transport proxy mode; .BR passthrough , signifying that no IPsec processing should be done at all; .BR drop , signifying that packets should be discarded; and .BR reject , signifying that packets should be discarded and a diagnostic ICMP returned. -Charon currently supports only -.BR tunnel +Charon currently supports +.BR tunnel , +.BR transport , and -.BR transport -connection types. +.BR tunnel_proxy +connection types, only . .TP .B xauth specifies the role in the XAUTH protocol if activated by diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 35c17b9b5..e51780dc1 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -44,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: keywords.txt 4276 2008-08-22 10:44:51Z martin $ + * RCSID $Id: keywords.txt 4612 2008-11-11 06:37:37Z andreas $ */ #include <string.h> @@ -56,7 +56,7 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 101 +#define TOTAL_KEYWORDS 102 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 #define MIN_HASH_VALUE 6 
@@ -239,7 +239,8 @@ static const struct kw_entry wordlist[] = {"pkcs11proxy", KW_PKCS11PROXY}, {""}, {""}, {""}, {""}, {"charondebug", KW_CHARONDEBUG}, - {""}, {""}, + {""}, + {"installpolicy", KW_INSTALLPOLICY}, {"cachecrls", KW_CACHECRLS}, {""}, {""}, {""}, {"packetdefault", KW_PACKETDEFAULT}, diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 1efa5dc2b..756c33075 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: keywords.h 4276 2008-08-22 10:44:51Z martin $ + * RCSID $Id: keywords.h 4612 2008-11-11 06:37:37Z andreas $ */ #ifndef _KEYWORDS_H_ @@ -68,6 +68,7 @@ typedef enum { KW_TYPE, KW_PFS, KW_COMPRESS, + KW_INSTALLPOLICY, KW_AUTH, KW_AUTHBY, KW_EAP, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 29bd404b5..8dfa03325 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: keywords.txt 4276 2008-08-22 10:44:51Z martin $ + * RCSID $Id: keywords.txt 4612 2008-11-11 06:37:37Z andreas $ */ #include <string.h> @@ -61,6 +61,7 @@ keyexchange, KW_KEYEXCHANGE type, KW_TYPE pfs, KW_PFS compress, KW_COMPRESS +installpolicy, KW_INSTALLPOLICY auth, KW_AUTH authby, KW_AUTHBY keylife, KW_KEYLIFE diff --git a/src/starter/klips.c b/src/starter/klips.c new file mode 100644 index 000000000..5c8164419 --- /dev/null +++ b/src/starter/klips.c 
@@ -0,0 +1,82 @@
+/* strongSwan KLIPS starter
+ * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: klips.c 4632 2008-11-11 18:37:19Z martin $
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdlib.h>
+
+#include <freeswan.h>
+
+#include "../pluto/constants.h"
+#include "../pluto/defs.h"
+#include "../pluto/log.h"
+
+#include "files.h"
+
+bool
+starter_klips_init(void)
+{
+ struct stat stb;
+
+ if (stat(PROC_KLIPS, &stb) != 0)
+ {
+ /* ipsec module makes the pf_key proc interface visible */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+ ignore_result(system("modprobe -qv ipsec"));
+ }
+
+ /* now test again */
+ if (stat(PROC_KLIPS, &stb) != 0)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("kernel appears to lack the KLIPS IPsec stack")
+ )
+ return FALSE;
+ }
+ }
+
+ /* load crypto algorithm modules */
+ ignore_result(system("modprobe -qv ipsec_aes"));
+ ignore_result(system("modprobe -qv ipsec_blowfish"));
+ ignore_result(system("modprobe -qv ipsec_sha2"));
+
+ DBG(DBG_CONTROL,
+ DBG_log("Found KLIPS IPsec stack")
+ )
+
+ return TRUE;
+}
+
+void
+starter_klips_cleanup(void)
+{
+ if (system("type eroute > /dev/null 2>&1") == 0)
+ {
+ ignore_result(system("spi --clear"));
+ ignore_result(system("eroute --clear"));
+ }
+ else if (system("type setkey > /dev/null 2>&1") == 0)
+ {
+ ignore_result(system("setkey -F"));
+ ignore_result(system("setkey -FP"));
+ }
+ else
+ {
+ plog("WARNING: 
cannot flush IPsec state/policy database"); + } +} + diff --git a/src/starter/klips.h b/src/starter/klips.h new file mode 100644 index 000000000..60055b4f1 --- /dev/null +++ b/src/starter/klips.h @@ -0,0 +1,24 @@ +/* strongSwan KLIPS initialization and cleanup + * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: klips.h 4618 2008-11-11 09:22:00Z tobias $ + */ + +#ifndef _STARTER_KLIPS_H_ +#define _STARTER_KLIPS_H_ + +extern bool starter_klips_init (void); +extern void starter_klips_cleanup (void); + +#endif /* _STARTER_KLIPS_H_ */ + diff --git a/src/starter/lex.yy.c b/src/starter/lex.yy.c index cd3535318..4b3405eda 100644 --- a/src/starter/lex.yy.c +++ b/src/starter/lex.yy.c @@ -500,7 +500,7 @@ char *yytext; * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: parser.l 3267 2007-10-08 19:57:54Z andreas $ + * RCSID $Id: parser.l 4632 2008-11-11 18:37:19Z martin $ */ #include <string.h> @@ -511,6 +511,7 @@ char *yytext; #define MAX_INCLUDE_DEPTH 20 +#define YY_NO_INPUT #define YY_NO_UNPUT extern void yyerror(const char *); extern int yylex (void); @@ -617,7 +618,7 @@ int _parser_y_include (const char *filename) return 0; } -#line 621 "lex.yy.c" +#line 622 "lex.yy.c" #define INITIAL 0 
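Review bot: In starter_klips_init the three `modprobe -qv ipsec_*` calls run unconditionally and discard their status, whereas the `ipsec` module load just above (and the netkey.c init this file mirrors) is gated on `PROC_MODULES` existing, so on a kernel without loadable-module support this spawns three shells that can only fail. Suggest putting them under the same `if (stat(PROC_MODULES, &stb) == 0)` guard. Every command in this file goes through `system()` from a root process and therefore depends on the inherited PATH and shell; a comment such as `/* relies on modprobe, spi, eroute and setkey being on the starter's PATH */` would make that explicit. starter_klips_cleanup also deserves a note that `spi --clear`/`eroute --clear` and `setkey -F`/`-FP` flush the kernel's entire SA and policy tables, not only entries strongSwan installed.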
@@ -771,10 +772,10 @@ YY_DECL register char *yy_cp, *yy_bp; register int yy_act; -#line 134 "parser.l" +#line 135 "parser.l" -#line 778 "lex.yy.c" +#line 779 "lex.yy.c" if ( !(yy_init) ) { @@ -859,7 +860,7 @@ do_action: /* This label is used only to access EOF actions. */ goto yy_find_action; case YY_STATE_EOF(INITIAL): -#line 136 "parser.l" +#line 137 "parser.l" { if (__parser_y_private.filename[__parser_y_private.stack_ptr]) { free(__parser_y_private.filename[__parser_y_private.stack_ptr]); @@ -879,23 +880,23 @@ case YY_STATE_EOF(INITIAL): YY_BREAK case 1: YY_RULE_SETUP -#line 153 "parser.l" +#line 154 "parser.l" return FIRST_SPACES; YY_BREAK case 2: YY_RULE_SETUP -#line 155 "parser.l" +#line 156 "parser.l" /* ignore spaces in line */ ; YY_BREAK case 3: YY_RULE_SETUP -#line 157 "parser.l" +#line 158 "parser.l" return EQUAL; YY_BREAK case 4: /* rule 4 can match eol */ YY_RULE_SETUP -#line 159 "parser.l" +#line 160 "parser.l" { __parser_y_private.line[__parser_y_private.stack_ptr]++; return EOL; @@ -903,37 +904,37 @@ YY_RULE_SETUP YY_BREAK case 5: YY_RULE_SETUP -#line 164 "parser.l" +#line 165 "parser.l" return CONFIG; YY_BREAK case 6: YY_RULE_SETUP -#line 165 "parser.l" +#line 166 "parser.l" return SETUP; YY_BREAK case 7: YY_RULE_SETUP -#line 166 "parser.l" +#line 167 "parser.l" return CONN; YY_BREAK case 8: YY_RULE_SETUP -#line 167 "parser.l" +#line 168 "parser.l" return CA; YY_BREAK case 9: YY_RULE_SETUP -#line 168 "parser.l" +#line 169 "parser.l" return INCLUDE; YY_BREAK case 10: YY_RULE_SETUP -#line 169 "parser.l" +#line 170 "parser.l" return FILE_VERSION; YY_BREAK case 11: YY_RULE_SETUP -#line 171 "parser.l" +#line 172 "parser.l" { yylval.s = strdup(yytext); return STRING; @@ -941,7 +942,7 @@ YY_RULE_SETUP YY_BREAK case 12: YY_RULE_SETUP -#line 176 "parser.l" +#line 177 "parser.l" { yylval.s = strdup(yytext+1); if (yylval.s) yylval.s[strlen(yylval.s)-1]='\0'; 
@@ -950,15 +951,15 @@ YY_RULE_SETUP YY_BREAK case 13: YY_RULE_SETUP -#line 182 "parser.l" +#line 183 "parser.l" yyerror(yytext); YY_BREAK case 14: YY_RULE_SETUP -#line 184 "parser.l" +#line 185 "parser.l" ECHO; YY_BREAK -#line 962 "lex.yy.c" +#line 963 "lex.yy.c" case YY_END_OF_BUFFER: { @@ -1920,7 +1921,7 @@ void yyfree (void * ptr ) #define YYTABLES_NAME "yytables" -#line 184 "parser.l" +#line 185 "parser.l" diff --git a/src/starter/netkey.c b/src/starter/netkey.c index d3c181456..1490abf29 100644 --- a/src/starter/netkey.c +++ b/src/starter/netkey.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: netkey.c 3267 2007-10-08 19:57:54Z andreas $ + * RCSID $Id: netkey.c 4632 2008-11-11 18:37:19Z martin $ */ #include <sys/types.h> @@ -36,7 +36,7 @@ starter_netkey_init(void) /* af_key module makes the netkey proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) { - system("modprobe -qv af_key"); + ignore_result(system("modprobe -qv af_key")); } /* now test again */ @@ -52,11 +52,11 @@ starter_netkey_init(void) /* make sure that all required IPsec modules are loaded */ if (stat(PROC_MODULES, &stb) == 0) { - system("modprobe -qv ah4"); - system("modprobe -qv esp4"); - system("modprobe -qv ipcomp"); - system("modprobe -qv xfrm4_tunnel"); - system("modprobe -qv xfrm_user"); + ignore_result(system("modprobe -qv ah4")); + ignore_result(system("modprobe -qv esp4")); + ignore_result(system("modprobe -qv ipcomp")); + ignore_result(system("modprobe -qv xfrm4_tunnel")); + ignore_result(system("modprobe -qv xfrm_user")); } DBG(DBG_CONTROL, 
@@ -70,13 +70,13 @@ starter_netkey_cleanup(void) { if (system("ip xfrm state > /dev/null 2>&1") == 0) { - system("ip xfrm state flush"); - system("ip xfrm policy flush"); + ignore_result(system("ip xfrm state flush")); + ignore_result(system("ip xfrm policy flush")); } else if (system("type setkey > /dev/null 2>&1") == 0) { - system("setkey -F"); - system("setkey -FP"); + ignore_result(system("setkey -F")); + ignore_result(system("setkey -FP")); } else { diff --git a/src/starter/parser.l b/src/starter/parser.l index 68d3b5556..e51d655df 100644 --- a/src/starter/parser.l +++ b/src/starter/parser.l @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: parser.l 3267 2007-10-08 19:57:54Z andreas $ + * RCSID $Id: parser.l 4632 2008-11-11 18:37:19Z martin $ */ #include <string.h> @@ -23,6 +23,7 @@ #define MAX_INCLUDE_DEPTH 20 +#define YY_NO_INPUT #define YY_NO_UNPUT extern void yyerror(const char *); extern int yylex (void); diff --git a/src/starter/starter.c b/src/starter/starter.c index 61f21d88c..e4ad5286c 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: starter.c 4140 2008-07-02 05:51:49Z andreas $ + * RCSID $Id: starter.c 4632 2008-11-11 18:37:19Z martin $ */ #include <sys/types.h> @@ -42,6 +42,7 @@ #include "invokepluto.h" #include "invokecharon.h" #include "netkey.h" +#include "klips.h" #include "cmp.h" #include "interfaces.h" @@ -179,7 +180,7 @@ static void generate_selfcert() #endif setegid(gid); seteuid(uid); - system("ipsec scepclient --out pkcs1 --out cert-self --quiet"); + ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet")); seteuid(0); setegid(0); 
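Review bot: In generate_selfcert the `ipsec scepclient` run that creates the self-signed certificate now has its status discarded, yet the next hunk (@@ -194) appears to go on and append `: RSA myKey.der` to the secrets file regardless, so a failed generation would leave a secrets entry pointing at a key that was never written. The `chown(SECRETS_FILE, uid, gid)` in that hunk is silenced the same way, and if it fails the freshly written secrets file stays owned by root with no log line to explain why the daemons cannot read it. Suggest `if (system("ipsec scepclient --out pkcs1 --out cert-self --quiet") != 0) plog("generating a self-signed certificate failed");` and `if (chown(SECRETS_FILE, uid, gid) != 0) plog("chown of %s failed", SECRETS_FILE);`. generate_selfcert starts and ends outside these hunks.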
@@ -194,7 +195,7 @@ static void generate_selfcert() fprintf(f, ": RSA myKey.der\n"); fclose(f); } - chown(SECRETS_FILE, uid, gid); + ignore_result(chown(SECRETS_FILE, uid, gid)); umask(oldmask); } } @@ -324,7 +325,11 @@ int main (int argc, char **argv) if (!starter_netkey_init()) { plog("no netkey IPSec stack detected"); - exit(LSB_RC_FAILURE); + if (!starter_klips_init()) + { + plog("no KLIPS IPSec stack detected"); + exit(LSB_RC_FAILURE); + } } last_reload = time(NULL); diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 4ee73128b..481b7de34 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: starterstroke.c 4276 2008-08-22 10:44:51Z martin $ + * RCSID $Id: starterstroke.c 4614 2008-11-11 07:28:52Z andreas $ */ #include <sys/types.h> @@ -24,6 +24,7 @@ #include <errno.h> #include <netinet/in.h> #include <arpa/inet.h> +#include <linux/xfrm.h> #include <freeswan.h> @@ -37,6 +38,9 @@ #include "confread.h" #include "files.h" +#define IPV4_LEN 4 +#define IPV6_LEN 16 + /** * Authentication methods, must be the same as in charons authenticator.h */ @@ -126,7 +130,11 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len) case AF_INET: { struct sockaddr_in* sin = (struct sockaddr_in*)addr; - if (inet_ntop(AF_INET, &sin->sin_addr, buffer, len)) + u_int8_t zeroes[IPV4_LEN]; + + memset(zeroes, 0, IPV4_LEN); + if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) && + inet_ntop(AF_INET, &sin->sin_addr, buffer, len)) { return; } 
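Review bot: The main() hunk now falls back to KLIPS when `starter_netkey_init()` fails, but the `no netkey IPSec stack detected` message is still emitted unconditionally before the fallback, so every KLIPS host logs what reads like a fatal error on each normal start. Either reword it to make the fallback visible, e.g. `plog("no netkey IPsec stack detected, trying KLIPS");`, or move it inside the inner branch next to the KLIPS message. A comment that the probe order (netkey first, then KLIPS) decides which stack is used on a kernel where both could be loaded would also help. main() continues outside the hunk.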
@@ -135,7 +143,11 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len) case AF_INET6: { struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr; - if (inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len)) + u_int8_t zeroes[IPV6_LEN]; + + memset(zeroes, 0, IPV6_LEN); + if (memcmp(zeroes, &(sin6->sin6_addr.s6_addr), IPV6_LEN) && + inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len)) { return; } @@ -144,8 +156,8 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len) default: break; } - /* failed */ - snprintf(buffer, len, "0.0.0.0"); + /* default */ + snprintf(buffer, len, "%%any"); } @@ -231,17 +243,22 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) if (conn->policy & POLICY_TUNNEL) { - msg.add_conn.mode = 1; /* XFRM_MODE_TRANSPORT */ + msg.add_conn.mode = XFRM_MODE_TUNNEL; } else if (conn->policy & POLICY_BEET) { - msg.add_conn.mode = 4; /* XFRM_MODE_BEET */ + msg.add_conn.mode = XFRM_MODE_BEET; } + else if (conn->policy & POLICY_PROXY) + { + msg.add_conn.mode = XFRM_MODE_TRANSPORT; + msg.add_conn.proxy_mode = TRUE; + } else { - msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */ + msg.add_conn.mode = XFRM_MODE_TRANSPORT; } - + if (!(conn->policy & POLICY_DONT_REKEY)) { msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY; @@ -254,6 +271,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.mobike = conn->policy & POLICY_MOBIKE; msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP; msg.add_conn.ipcomp = conn->policy & POLICY_COMPRESS; + msg.add_conn.install_policy = conn->install_policy; msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy; msg.add_conn.unique = cfg->setup.uniqueids; msg.add_conn.algorithms.ike = push_string(&msg, conn->ike); |
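Review bot: In ip_address2string a non-zero AF_INET or AF_INET6 address that `inet_ntop` fails to format (essentially only when `len` is too small for the textual form) now falls through to the `%any` wildcard instead of the old `0.0.0.0`, as does any unknown address family, so a formatting problem is silently widened into a match-anything endpoint. Suggest reserving the wildcard for the deliberate all-zero case and logging the other path, e.g. `plog("ip_address2string: address could not be formatted, using %%any");` before the snprintf, or at least `/* all-zero address or unsupported family: emit %any */` so the intent is recorded. The `zeroes` buffers could be `static const u_int8_t` tables rather than a memset on every call. The function's switch begins in the preceding hunk.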
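Review bot: In starter_stroke_add_conn `msg.add_conn.proxy_mode = TRUE` is assigned only in the POLICY_PROXY branch; whether `msg` is zeroed before this point is not visible in the hunk, and if it is not, proxy_mode is indeterminate for tunnel, BEET and plain transport connections. Suggest either confirming the memset in a comment, `/* msg is zero-initialised above, so proxy_mode defaults to FALSE */`, or setting `msg.add_conn.proxy_mode = FALSE;` alongside the other three mode assignments. starter_stroke_add_conn starts and ends outside the hunk.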