authorRene Mayrhofer <rene@mayrhofer.eu.org>2008-02-07 13:56:17 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2008-02-07 13:56:17 +0000
commitbcc8f7ca7fd8e8ff6e8a4d579251458313133598 (patch)
treea86b42b486c954937b32ffeaaa725804cb1458ec /src/starter
parent49104abddf3d71d5abf5cf75dc7f95fa6c55fa63 (diff)
downloadvyos-strongswan-bcc8f7ca7fd8e8ff6e8a4d579251458313133598.tar.gz
vyos-strongswan-bcc8f7ca7fd8e8ff6e8a4d579251458313133598.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.1.10)
Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/confread.c35
-rw-r--r--src/starter/confread.h5
-rw-r--r--src/starter/invokecharon.c9
-rw-r--r--src/starter/ipsec.conf.518
-rw-r--r--src/starter/starter.c36
-rw-r--r--src/starter/starterstroke.c5
-rw-r--r--src/starter/starterwhack.c15
7 files changed, 88 insertions, 35 deletions
diff --git a/src/starter/confread.c b/src/starter/confread.c
index e481ff7cf..7a312d893 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: confread.c 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: confread.c 3405 2007-12-19 00:49:32Z andreas $
*/
#include <stddef.h>
@@ -173,7 +173,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
goto err;
}
}
- else if (streq(value, "%any"))
+ else if (streq(value, "%any") || streq(value, "%any4"))
{
anyaddr(conn->addr_family, &end->addr);
}
@@ -509,25 +509,46 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
}
break;
case KW_EAP:
- /* TODO: a gperf function for all EAP types */
+ {
+ char *sep;
+
+ /* check for vendor-type format */
+ sep = strchr(kw->value, '-');
+ if (sep)
+ {
+ *(sep++) = '\0';
+ conn->eap_type = atoi(kw->value);
+ conn->eap_vendor = atoi(sep);
+ if (conn->eap_type == 0 || conn->eap_vendor == 0)
+ {
+ plog("# invalid EAP type: %s=%s", kw->entry->name, kw->value);
+ cfg->err++;
+ }
+ break;
+ }
if (streq(kw->value, "aka"))
{
- conn->eap = 23;
+ conn->eap_type = 23;
}
else if (streq(kw->value, "sim"))
{
- conn->eap = 18;
+ conn->eap_type = 18;
+ }
+ else if (streq(kw->value, "md5"))
+ {
+ conn->eap_type = 4;
}
else
{
- conn->eap = atoi(kw->value);
- if (conn->eap == 0)
+ conn->eap_type = atoi(kw->value);
+ if (conn->eap_type == 0)
{
plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
cfg->err++;
}
}
break;
+ }
case KW_KEYINGTRIES:
if (streq(kw->value, "%forever"))
{
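Review bot: In the new vendor-type branch of the KW_EAP case the error path logs `kw->value` after `*(sep++) = '\0'` has already cut the string at the dash, so `plog("# invalid EAP type: %s=%s", ...)` reports only the type half and the vendor half the user actually wrote is lost; log both parts (`"%s=%s-%s"`, `kw->value`, `sep`) or keep a copy of the unsplit value. The parsing itself relies on atoi(), which silently accepts trailing garbage ("7x-12345") and negative numbers, and since the confread.h hunk declares eap_type/eap_vendor as u_int32_t a negative result wraps to a large vendor id that passes the `== 0` check; strtoul() with an end-pointer check rejects both, as sketched below (the plain numeric branch further down keeps the same atoi/`== 0` pattern and would benefit from the same treatment). The magnitude is still not bounded to the 32-bit field, so a range check may be worth adding. load_conn's body starts and ends outside the hunk.
```c
case KW_EAP:
{
	char *sep, *end_type, *end_vendor;

	/* check for vendor-type format */
	sep = strchr(kw->value, '-');
	if (sep)
	{
		*(sep++) = '\0';
		conn->eap_type = strtoul(kw->value, &end_type, 10);
		conn->eap_vendor = strtoul(sep, &end_vendor, 10);
		/* reject trailing junk, an empty half, a signed vendor number or a zero */
		if (*end_type != '\0' || *end_vendor != '\0' || *sep == '-' ||
			conn->eap_type == 0 || conn->eap_vendor == 0)
		{
			plog("# invalid EAP type: %s=%s-%s", kw->entry->name, kw->value, sep);
			cfg->err++;
		}
		break;
	}
	/* … unchanged: aka/sim/md5 and plain numeric branches … */
}
```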
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 839f73e99..a32e7116d 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: confread.h 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: confread.h 3394 2007-12-13 17:31:21Z martin $
*/
#ifndef _IPSEC_CONFREAD_H_
@@ -106,7 +106,8 @@ struct starter_conn {
starter_state_t state;
keyexchange_t keyexchange;
- int eap;
+ u_int32_t eap_type;
+ u_int32_t eap_vendor;
lset_t policy;
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 1cb0dfb63..111bb9c6f 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: invokecharon.c 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: invokecharon.c 3344 2007-11-15 18:34:05Z martin $
*/
#include <sys/types.h>
@@ -78,9 +78,14 @@ starter_stop_charon (void)
kill(pid, SIGINT);
else if (i < 10)
kill(pid, SIGTERM);
+ else if (i == 10)
+ {
+ kill(pid, SIGKILL);
+ plog("starter_stop_charon(): charon does not respond, sending KILL");
+ }
else
kill(pid, SIGKILL);
- usleep(20000);
+ usleep(200000);
}
if (_charon_pid == 0)
return 0;
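Review bot: The added `else if (i == 10)` branch and the pre-existing `else` right below it both send SIGKILL and differ only in the log line, so the escalation reads more clearly as a single branch: `else { if (i == 10) plog("starter_stop_charon(): charon does not respond, sending KILL"); kill(pid, SIGKILL); }`. None of the kill() calls check their return value, so a pid that has already disappeared (ESRCH) or cannot be signalled (EPERM) is not distinguishable from a slow shutdown and the loop keeps sleeping; with the interval raised from 20 ms to 200 ms each such iteration now costs ten times as long. Whether `_charon_pid` is cleared by a SIGCHLD handler so the loop terminates anyway cannot be seen here, as the loop header and its exit condition lie outside the hunk.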
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 1f581bce8..d542af555 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -1,5 +1,5 @@
.TH IPSEC.CONF 5 "27 Jun 2007"
-.\" RCSID $Id: ipsec.conf.5 3267 2007-10-08 19:57:54Z andreas $
+.\" RCSID $Id: ipsec.conf.5 3394 2007-12-13 17:31:21Z martin $
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
@@ -350,13 +350,21 @@ in case of inactivity. This only applies to IKEv1, in IKEv2 the default
retransmission timeout applies, as every exchange is used to detect dead peers.
.TP
.B eap
-defines the EAP type to be used if
+defines the EAP type to propose as server if the client has
.B authby=eap
-is selected. Acceptable values are
+selected. Acceptable values are
.B aka
-for EAP-AKA and
+for EAP-AKA,
.B sim
-for EAP-SIM.
+for EAP-SIM and
+.B md5
+for EAP-MD5.
+Additionally, IANA assigned EAP method numbers are accepted, or a definition
+in the form
+.B eap=type-vendor
+(e.g.
+.B eap=7-12345
+) can be used to specify vendor specific EAP types.
.TP
.B esp
ESP encryption/authentication algorithm to be used
diff --git a/src/starter/starter.c b/src/starter/starter.c
index cc591dc61..bc2e8f1df 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starter.c 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: starter.c 3369 2007-11-28 17:02:12Z andreas $
*/
#include <sys/types.h>
@@ -43,6 +43,19 @@
#include "cmp.h"
#include "interfaces.h"
+/**
+ * Return codes defined by Linux Standard Base Core Specification 3.1
+ * in section 20.2. Init Script Actions
+ */
+#define LSB_RC_SUCCESS 0 /* success */
+#define LSB_RC_FAILURE 1 /* generic or unspecified error */
+#define LSB_RC_INVALID_ARGUMENT 2 /* invalid or excess argument(s) */
+#define LSB_RC_NOT_IMPLEMENTED 3 /* unimplemented feature (reload) */
+#define LSB_RC_NOT_ALLOWED 4 /* user had insufficient privilege */
+#define LSB_RC_NOT_INSTALLED 5 /* program is not installed */
+#define LSB_RC_NOT_CONFIGURED 6 /* program is not configured */
+#define LSB_RC_NOT_RUNNING 7 /* program is not running */
+
#define FLAG_ACTION_START_PLUTO 0x01
#define FLAG_ACTION_UPDATE 0x02
#define FLAG_ACTION_RELOAD 0x04
@@ -131,7 +144,7 @@ usage(char *name)
{
fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
"[--debug|--debug-more|--debug-all]\n");
- exit(1);
+ exit(LSB_RC_INVALID_ARGUMENT);
}
int main (int argc, char **argv)
@@ -205,7 +218,7 @@ int main (int argc, char **argv)
if (getuid() != 0)
{
plog("permission denied (must be superuser)");
- exit(1);
+ exit(LSB_RC_NOT_ALLOWED);
}
if (stat(PLUTO_PID_FILE, &stb) == 0)
@@ -227,13 +240,13 @@ int main (int argc, char **argv)
if (stat(DEV_RANDOM, &stb) != 0)
{
plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
- exit(1);
+ exit(LSB_RC_FAILURE);
}
if (stat(DEV_URANDOM, &stb)!= 0)
{
plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
- exit(1);
+ exit(LSB_RC_FAILURE);
}
cfg = confread_load(CONFIG_FILE);
@@ -244,14 +257,14 @@ int main (int argc, char **argv)
{
confread_free(cfg);
}
- exit(1);
+ exit(LSB_RC_INVALID_ARGUMENT);
}
/* determine if we have a native netkey IPsec stack */
if (!starter_netkey_init())
{
plog("no netkey IPSec stack detected");
- exit(1);
+ exit(LSB_RC_FAILURE);
}
last_reload = time(NULL);
@@ -259,7 +272,7 @@ int main (int argc, char **argv)
if (stat(STARTER_PID_FILE, &stb) == 0)
{
plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
- exit(0);
+ exit(LSB_RC_SUCCESS);
}
/* fork if we're not debugging stuff */
@@ -287,7 +300,7 @@ int main (int argc, char **argv)
plog("can't fork: %s", strerror(errno));
break;
default:
- exit(0);
+ exit(LSB_RC_SUCCESS);
}
}
@@ -322,7 +335,7 @@ int main (int argc, char **argv)
#endif /* LEAK_DETECTIVE */
close_log();
plog("ipsec starter stopped");
- exit(0);
+ exit(LSB_RC_SUCCESS);
}
/*
@@ -643,7 +656,6 @@ int main (int argc, char **argv)
_action_ |= FLAG_ACTION_UPDATE;
}
}
-
- return 0;
+ exit(LSB_RC_SUCCESS);
}
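Review bot: The exit following the `confread_free(cfg);` block in the fourth hunk maps a configuration that failed to load to `exit(LSB_RC_INVALID_ARGUMENT);`, while the block added at the top of the file defines `LSB_RC_NOT_CONFIGURED 6 /* program is not configured */` and never uses it; if that branch is the `confread_load(CONFIG_FILE)` failure path that the preceding hunk sets up (its condition lies outside the hunk), `exit(LSB_RC_NOT_CONFIGURED);` is the code matching the comment, and init-script callers that distinguish exit statuses would otherwise misreport a broken ipsec.conf as a bad command-line argument. The same `exit(LSB_RC_INVALID_ARGUMENT)` in usage() is correct as is. As a point of style, the eight related `#define`s would be better expressed as one `enum`, which keeps the values debugger-visible and block-scoped. main's body starts and ends outside the hunks.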
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index eb5d20628..fae895ba0 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starterstroke.c 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: starterstroke.c 3394 2007-12-13 17:31:21Z martin $
*/
#include <sys/types.h>
@@ -197,7 +197,8 @@ int starter_stroke_add_conn(starter_conn_t *conn)
{
msg.add_conn.auth_method = AUTH_EAP;
}
- msg.add_conn.eap_type = conn->eap;
+ msg.add_conn.eap_type = conn->eap_type;
+ msg.add_conn.eap_vendor = conn->eap_vendor;
if (conn->policy & POLICY_TUNNEL)
{
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 19fa9558f..d29b87873 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starterwhack.c 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: starterwhack.c 3405 2007-12-19 00:49:32Z andreas $
*/
#include <sys/types.h>
@@ -148,17 +148,22 @@ connection_name(starter_conn_t *conn)
}
static void
-set_whack_end(whack_end_t *w, starter_end_t *end)
+set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
{
w->id = end->id;
w->cert = end->cert;
w->ca = end->ca;
w->groups = end->groups;
w->host_addr = end->addr;
- w->host_nexthop = end->nexthop;
w->host_srcip = end->srcip;
w->has_client = end->has_client;
+ if (family == AF_INET6 && isanyaddr(&end->nexthop))
+ {
+ anyaddr(AF_INET6, &end->nexthop);
+ }
+ w->host_nexthop = end->nexthop;
+
if (w->has_client)
w->client = end->subnet;
else
@@ -246,8 +251,8 @@ starter_whack_add_conn(starter_conn_t *conn)
msg.sa_keying_tries = conn->sa_keying_tries;
msg.policy = conn->policy;
- set_whack_end(&msg.left, &conn->left);
- set_whack_end(&msg.right, &conn->right);
+ set_whack_end(&msg.left, &conn->left, conn->addr_family);
+ set_whack_end(&msg.right, &conn->right, conn->addr_family);
msg.esp = conn->esp;
msg.ike = conn->ike;
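Review bot: The IPv6 fix-up added to set_whack_end writes back into `end->nexthop`, i.e. into the caller's starter_end_t (conn->left / conn->right per the second hunk), so assembling a whack message now has the side effect of rewriting the parsed configuration; apply the default to the message field instead: `w->host_nexthop = end->nexthop;` followed by `if (family == AF_INET6 && isanyaddr(&w->host_nexthop)) anyaddr(AF_INET6, &w->host_nexthop);`. That keeps `end` read-only and allows the parameter to become `const starter_end_t *end`. Whether any later code re-reads conn->left.nexthop after this call cannot be determined from the hunk. A why-comment would also help, hedged since the confread default is not visible here: `/* NOTE: an unset nexthop is assumed to arrive as the IPv4 any-address; widen it to the connection family */`.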