diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
| commit | 2ea5b8ab2fa64487af984af2162039596a06015a (patch) | |
| tree | 58f9a4372d6007b33b1fca63ab18b53aa34b090d /src/starter | |
| parent | 4e331141b8693e5214b82fdd6c3c6f4fa65eafca (diff) | |
| parent | c1343b3278cdf99533b7902744d15969f9d6fdc1 (diff) | |
| download | vyos-strongswan-2ea5b8ab2fa64487af984af2162039596a06015a.tar.gz vyos-strongswan-2ea5b8ab2fa64487af984af2162039596a06015a.zip | |
Merge tag 'upstream/5.0.1'
Upstream version 5.0.1
Diffstat (limited to 'src/starter')
31 files changed, 993 insertions, 2917 deletions
diff --git a/src/starter/Android.mk b/src/starter/Android.mk index a82fe9385..c7e81d284 100644 --- a/src/starter/Android.mk +++ b/src/starter/Android.mk @@ -4,30 +4,22 @@ include $(CLEAR_VARS) # copy-n-paste from Makefile.am (update for LEX/YACC) LOCAL_SRC_FILES := \ parser.c lexer.c ipsec-parser.h netkey.c args.h netkey.h \ -starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \ -starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \ -keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \ -exec.h invokecharon.h loglite.c klips.c klips.h +starterstroke.c confread.c \ +starterstroke.h confread.h args.c \ +keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \ +invokecharon.h klips.c klips.h # build starter ---------------------------------------------------------------- LOCAL_C_INCLUDES += \ $(libvstr_PATH) \ $(strongswan_PATH)/src/libhydra \ - $(strongswan_PATH)/src/libfreeswan \ $(strongswan_PATH)/src/libstrongswan \ - $(strongswan_PATH)/src/libfreeswan \ - $(strongswan_PATH)/src/pluto \ - $(strongswan_PATH)/src/whack \ $(strongswan_PATH)/src/stroke LOCAL_CFLAGS := $(strongswan_CFLAGS) -DSTART_CHARON \ -DPLUGINS='"$(strongswan_STARTER_PLUGINS)"' -ifneq ($(strongswan_BUILD_PLUTO),) -LOCAL_CFLAGS += -DSTART_PLUTO -endif - LOCAL_MODULE := starter LOCAL_MODULE_TAGS := optional @@ -37,11 +29,8 @@ LOCAL_ARM_MODE := arm LOCAL_PRELINK_MODULE := false LOCAL_REQUIRED_MODULES := stroke -ifneq ($(strongswan_BUILD_PLUTO),) -LOCAL_REQUIRED_MODULES += whack -endif -LOCAL_SHARED_LIBRARIES += libstrongswan libhydra libfreeswan +LOCAL_SHARED_LIBRARIES += libstrongswan libhydra include $(BUILD_EXECUTABLE) diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index 94ddf5aba..c220c2e63 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -1,18 +1,15 @@ ipsec_PROGRAMS = starter starter_SOURCES = \ parser.y lexer.l ipsec-parser.h netkey.c args.h netkey.h \ -starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \ -starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \ -keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \ -exec.h invokecharon.h loglite.c klips.c klips.h +starterstroke.c confread.c \ +starterstroke.h confread.h args.c \ +keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \ +invokecharon.h klips.c klips.h INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ --I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/libhydra \ --I$(top_srcdir)/src/pluto \ --I$(top_srcdir)/src/whack \ -I$(top_srcdir)/src/stroke AM_CFLAGS = \ @@ -27,18 +24,11 @@ AM_CFLAGS = \ AM_YFLAGS = -v -d -starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB) +starter_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB) $(PTHREADLIB) EXTRA_DIST = keywords.txt ipsec.conf Android.mk MAINTAINERCLEANFILES = keywords.c BUILT_SOURCES = parser.h -PLUTODIR=$(top_srcdir)/src/pluto -SCEPCLIENTDIR=$(top_srcdir)/src/scepclient - -if USE_PLUTO - AM_CFLAGS += -DSTART_PLUTO -endif - if USE_CHARON AM_CFLAGS += -DSTART_CHARON endif @@ -54,11 +44,8 @@ endif keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h $(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@ -defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h - $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c - install-exec-local : - test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index f2c0cc38e..a6d55c5e2 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -35,10 +35,9 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = starter$(EXEEXT) -@USE_PLUTO_TRUE@am__append_1 = -DSTART_PLUTO -@USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON -@USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING -@USE_TOOLS_TRUE@am__append_4 = -DGENERATE_SELFCERT +@USE_CHARON_TRUE@am__append_1 = -DSTART_CHARON +@USE_LOAD_WARNING_TRUE@am__append_2 = -DLOAD_WARNING +@USE_TOOLS_TRUE@am__append_3 = -DGENERATE_SELFCERT subdir = src/starter DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ lexer.c parser.c parser.h @@ -55,23 +54,22 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(ipsecdir)" PROGRAMS = $(ipsec_PROGRAMS) am_starter_OBJECTS = parser.$(OBJEXT) lexer.$(OBJEXT) netkey.$(OBJEXT) \ - starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \ - invokepluto.$(OBJEXT) confread.$(OBJEXT) interfaces.$(OBJEXT) \ - args.$(OBJEXT) keywords.$(OBJEXT) cmp.$(OBJEXT) \ - starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \ - loglite.$(OBJEXT) klips.$(OBJEXT) + starterstroke.$(OBJEXT) confread.$(OBJEXT) args.$(OBJEXT) \ + keywords.$(OBJEXT) cmp.$(OBJEXT) starter.$(OBJEXT) \ + invokecharon.$(OBJEXT) klips.$(OBJEXT) starter_OBJECTS = $(am_starter_OBJECTS) am__DEPENDENCIES_1 = -starter_DEPENDENCIES = defs.o \ - $(top_builddir)/src/libfreeswan/libfreeswan.a \ +starter_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - $(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I.@am__isrc@ + $(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f @@ -104,6 +102,7 @@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BFDLIB = @BFDLIB@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ @@ -198,11 +197,14 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ -default_pkcs11 = @default_pkcs11@ +dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ @@ -219,11 +221,12 @@ imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ -libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ @@ -239,6 +242,7 @@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ @@ -248,7 +252,6 @@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ @@ -278,18 +281,15 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ starter_SOURCES = \ parser.y lexer.l ipsec-parser.h netkey.c args.h netkey.h \ -starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \ -starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \ -keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \ -exec.h invokecharon.h loglite.c klips.c klips.h +starterstroke.c confread.c \ +starterstroke.h confread.h args.c \ +keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \ +invokecharon.h klips.c klips.h INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ --I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/libhydra \ --I$(top_srcdir)/src/pluto \ --I$(top_srcdir)/src/whack \ -I$(top_srcdir)/src/stroke AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ @@ -297,14 +297,12 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \ -DDEV_URANDOM=\"${urandom_device}\" \ -DPLUGINS=\""${starter_plugins}\"" -DDEBUG $(am__append_1) \ - $(am__append_2) $(am__append_3) $(am__append_4) + $(am__append_2) $(am__append_3) AM_YFLAGS = -v -d -starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB) +starter_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB) $(PTHREADLIB) EXTRA_DIST = keywords.txt ipsec.conf Android.mk MAINTAINERCLEANFILES = keywords.c BUILT_SOURCES = parser.h -PLUTODIR = $(top_srcdir)/src/pluto -SCEPCLIENTDIR = $(top_srcdir)/src/scepclient all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-am @@ -401,19 +399,14 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/args.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/confread.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/exec.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/interfaces.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokecharon.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokepluto.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keywords.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/klips.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexer.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/netkey.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starter.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterstroke.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterwhack.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -660,11 +653,8 @@ uninstall-am: uninstall-ipsecPROGRAMS keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h $(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@ -defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h - $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c - install-exec-local : - test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true diff --git a/src/starter/args.c b/src/starter/args.c index 65d0a753c..2416960bd 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -17,11 +17,8 @@ #include <stdlib.h> #include <string.h> -#include <freeswan.h> - -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/log.h" +#include <library.h> +#include <debug.h> #include "keywords.h" #include "confread.h" @@ -64,6 +61,7 @@ static const char *LST_unique[] = { "yes", "replace", "keep", + "never", NULL }; @@ -89,13 +87,6 @@ static const char *LST_startup[] = { NULL }; -static const char *LST_packetdefault[] = { - "drop", - "reject", - "pass", - NULL -}; - static const char *LST_keyexchange[] = { "ike", "ikev1", @@ -103,55 +94,17 @@ static const char *LST_keyexchange[] = { NULL }; -static const char *LST_pfsgroup[] = { - "modp1024", - "modp1536", - "modp2048", - "modp3072", - "modp4096", - "modp6144", - "modp8192", - "ecp192", - "ecp224", - "ecp256", - "ecp384", - "ecp521", - NULL -}; - -static const char *LST_plutodebug[] = { - "none", - "all", - "raw", - "crypt", - "parsing", - "emitting", - "control", - "lifecycle", - "klips", - "kernel", - "dns", - "natt", - "oppo", - "controlmore", - "private", - NULL -}; - -static const char *LST_klipsdebug[] = { - "tunnel", - "tunnel-xmit", - "pfkey", - "xform", - "eroute", - "spi", - "radij", - "esp", - "ah", - "ipcomp", - "verbose", - "all", - "none", +static const char *LST_authby[] = { + "psk", + "secret", + "pubkey", + "rsa", + "rsasig", + "ecdsa", + "ecdsasig", + "xauthpsk", + "xauthrsasig", + "never", NULL }; @@ -164,49 +117,23 @@ typedef struct { static const token_info_t token_info[] = { /* config setup keywords */ - { ARG_LST, offsetof(starter_config_t, setup.interfaces), NULL }, - { ARG_STR, offsetof(starter_config_t, setup.dumpdir), NULL }, - { ARG_ENUM, offsetof(starter_config_t, setup.charonstart), LST_bool }, - { ARG_ENUM, offsetof(starter_config_t, setup.plutostart), LST_bool }, - - /* pluto/charon keywords */ - { ARG_LST, offsetof(starter_config_t, setup.plutodebug), LST_plutodebug }, { ARG_STR, offsetof(starter_config_t, setup.charondebug), NULL }, - { ARG_STR, offsetof(starter_config_t, setup.prepluto), NULL }, - { ARG_STR, offsetof(starter_config_t, setup.postpluto), NULL }, - { ARG_STR, offsetof(starter_config_t, setup.plutostderrlog), NULL }, { ARG_ENUM, offsetof(starter_config_t, setup.uniqueids), LST_unique }, - { ARG_UINT, offsetof(starter_config_t, setup.overridemtu), NULL }, - { ARG_TIME, offsetof(starter_config_t, setup.crlcheckinterval), NULL }, { ARG_ENUM, offsetof(starter_config_t, setup.cachecrls), LST_bool }, { ARG_ENUM, offsetof(starter_config_t, setup.strictcrlpolicy), LST_strict }, - { ARG_ENUM, offsetof(starter_config_t, setup.nocrsend), LST_bool }, - { ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool }, - { ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL }, - { ARG_ENUM, offsetof(starter_config_t, setup.force_keepalive), LST_bool }, - { ARG_STR, offsetof(starter_config_t, setup.virtual_private), NULL }, - { ARG_STR, offsetof(starter_config_t, setup.pkcs11module), NULL }, - { ARG_STR, offsetof(starter_config_t, setup.pkcs11initargs), NULL }, - { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool }, - { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool }, - - /* KLIPS keywords */ - { ARG_LST, offsetof(starter_config_t, setup.klipsdebug), LST_klipsdebug }, - { ARG_ENUM, offsetof(starter_config_t, setup.fragicmp), LST_bool }, - { ARG_STR, offsetof(starter_config_t, setup.packetdefault), LST_packetdefault }, - { ARG_ENUM, offsetof(starter_config_t, setup.hidetos), LST_bool }, + { ARG_MISC, 0, NULL /* KW_PKCS11_DEPRECATED */ }, + { ARG_MISC, 0, NULL /* KW_SETUP_DEPRECATED */ }, /* conn section keywords */ { ARG_STR, offsetof(starter_conn_t, name), NULL }, { ARG_ENUM, offsetof(starter_conn_t, startup), LST_startup }, { ARG_ENUM, offsetof(starter_conn_t, keyexchange), LST_keyexchange }, { ARG_MISC, 0, NULL /* KW_TYPE */ }, - { ARG_MISC, 0, NULL /* KW_PFS */ }, { ARG_MISC, 0, NULL /* KW_COMPRESS */ }, { ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool }, + { ARG_ENUM, offsetof(starter_conn_t, aggressive), LST_bool }, { ARG_MISC, 0, NULL /* KW_AUTH */ }, - { ARG_MISC, 0, NULL /* KW_AUTHBY */ }, - { ARG_MISC, 0, NULL /* KW_EAP */ }, + { ARG_STR, offsetof(starter_conn_t, authby), LST_authby }, { ARG_STR, offsetof(starter_conn_t, eap_identity), NULL }, { ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL }, { ARG_MISC, 0, NULL /* KW_MOBIKE */ }, @@ -224,7 +151,6 @@ static const token_info_t token_info[] = { ARG_MISC, 0, NULL /* KW_REAUTH */ }, { ARG_STR, offsetof(starter_conn_t, ike), NULL }, { ARG_STR, offsetof(starter_conn_t, esp), NULL }, - { ARG_STR, offsetof(starter_conn_t, pfsgroup), LST_pfsgroup }, { ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL }, { ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL }, { ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action }, @@ -241,28 +167,27 @@ static const token_info_t token_info[] = { ARG_MISC, 0, NULL /* KW_MARK_IN */ }, { ARG_MISC, 0, NULL /* KW_MARK_OUT */ }, { ARG_MISC, 0, NULL /* KW_TFC */ }, + { ARG_MISC, 0, NULL /* KW_PFS_DEPRECATED */ }, + { ARG_MISC, 0, NULL /* KW_CONN_DEPRECATED */ }, /* ca section keywords */ { ARG_STR, offsetof(starter_ca_t, name), NULL }, { ARG_ENUM, offsetof(starter_ca_t, startup), LST_startup }, { ARG_STR, offsetof(starter_ca_t, cacert), NULL }, - { ARG_STR, offsetof(starter_ca_t, ldaphost), NULL }, - { ARG_STR, offsetof(starter_ca_t, ldapbase), NULL }, { ARG_STR, offsetof(starter_ca_t, crluri), NULL }, { ARG_STR, offsetof(starter_ca_t, crluri2), NULL }, { ARG_STR, offsetof(starter_ca_t, ocspuri), NULL }, { ARG_STR, offsetof(starter_ca_t, ocspuri2), NULL }, { ARG_STR, offsetof(starter_ca_t, certuribase), NULL }, + { ARG_MISC, 0, NULL /* KW_CA_DEPRECATED */ }, /* end keywords */ { ARG_STR, offsetof(starter_end_t, host), NULL }, { ARG_UINT, offsetof(starter_end_t, ikeport), NULL }, - { ARG_MISC, 0, NULL /* KW_NEXTHOP */ }, - { ARG_STR, offsetof(starter_end_t, subnet), NULL }, - { ARG_MISC, 0, NULL /* KW_SUBNETWITHIN */ }, + { ARG_STR, offsetof(starter_end_t, subnet), NULL }, { ARG_MISC, 0, NULL /* KW_PROTOPORT */ }, { ARG_STR, offsetof(starter_end_t, sourceip), NULL }, - { ARG_MISC, 0, NULL /* KW_NATIP */ }, + { ARG_STR, offsetof(starter_end_t, dns), NULL }, { ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool }, { ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool }, { ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool }, @@ -279,7 +204,8 @@ static const token_info_t token_info[] = { ARG_STR, offsetof(starter_end_t, ca), NULL }, { ARG_STR, offsetof(starter_end_t, ca2), NULL }, { ARG_STR, offsetof(starter_end_t, groups), NULL }, - { ARG_STR, offsetof(starter_end_t, iface), NULL } + { ARG_STR, offsetof(starter_end_t, groups2), NULL }, + { ARG_MISC, 0, NULL /* KW_END_DEPRECATED */ }, }; static void free_list(char **list) @@ -298,7 +224,7 @@ char** new_list(char *value) char *val, *b, *e, *end, **ret; int count; - val = value ? clone_str(value) : NULL; + val = strdupnull(value); if (!val) { return NULL; @@ -326,7 +252,7 @@ char** new_list(char *value) for (e = b; (*e != '\0'); e++); if (e != b) { - ret[count++] = clone_str(b); + ret[count++] = strdupnull(b); } b = e + 1; } @@ -347,23 +273,20 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, int index = -1; /* used for enumeration arguments */ - lset_t *seen = (lset_t *)base; /* seen flags are at the top of the struct */ - lset_t f = LELEM(token - first); /* compute flag position of argument */ + seen_t *seen = (seen_t*)base; /* seen flags are at the top of the struct */ *assigned = FALSE; - DBG(DBG_CONTROLMORE, - DBG_log(" %s=%s", kw->entry->name, kw->value) - ) + DBG3(DBG_APP, " %s=%s", kw->entry->name, kw->value); - if (*seen & f) + if (*seen & SEEN_KW(token, first)) { - plog("# duplicate '%s' option", kw->entry->name); + DBG1(DBG_APP, "# duplicate '%s' option", kw->entry->name); return FALSE; } /* set flag that this argument has been seen */ - *seen |= f; + *seen |= SEEN_KW(token, first); /* is there a keyword list? */ if (list != NULL && token_info[token].type != ARG_LST) @@ -377,7 +300,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, } if (!match) { - plog("# bad value: %s=%s", kw->entry->name, kw->value); + DBG1(DBG_APP, "# bad value: %s=%s", kw->entry->name, kw->value); return FALSE; } } @@ -385,14 +308,14 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, switch (token_info[token].type) { case ARG_NONE: - plog("# option '%s' not supported yet", kw->entry->name); + DBG1(DBG_APP, "# option '%s' not supported yet", kw->entry->name); return FALSE; case ARG_ENUM: { if (index < 0) { - plog("# bad enumeration value: %s=%s (%d)" - , kw->entry->name, kw->value, index); + DBG1(DBG_APP, "# bad enumeration value: %s=%s (%d)", + kw->entry->name, kw->value, index); return FALSE; } @@ -418,7 +341,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, if (*endptr != '\0') { - plog("# bad integer value: %s=%s", kw->entry->name, kw->value); + DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name, + kw->value); return FALSE; } } @@ -435,7 +359,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, { if (*endptr != '\0') { - plog("# bad integer value: %s=%s", kw->entry->name, kw->value); + DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name, + kw->value); return FALSE; } } @@ -443,7 +368,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, { if ((*endptr != '%') || (endptr[1] != '\0') || endptr == kw->value) { - plog("# bad percent value: %s=%s", kw->entry->name, kw->value); + DBG1(DBG_APP, "# bad percent value: %s=%s", kw->entry->name, + kw->value); return FALSE; } } @@ -459,7 +385,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, if (*endptr != '\0') { - plog("# bad integer value: %s=%s", kw->entry->name, kw->value); + DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name, + kw->value); return FALSE; } } @@ -494,7 +421,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, break; } } - plog("# bad duration value: %s=%s", kw->entry->name, kw->value); + DBG1(DBG_APP, "# bad duration value: %s=%s", kw->entry->name, + kw->value); return FALSE; } case ARG_STR: @@ -505,7 +433,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, free(*cp); /* assign the new string */ - *cp = clone_str(kw->value); + *cp = strdupnull(kw->value); } break; case ARG_LST: @@ -537,7 +465,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, } if (!match) { - plog("# bad value: %s=%s", kw->entry->name, *lst); + DBG1(DBG_APP, "# bad value: %s=%s", + kw->entry->name, *lst); return FALSE; } } @@ -604,7 +533,7 @@ void clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2) char **cp1 = (char **)(base1 + token_info[token].offset); char **cp2 = (char **)(base2 + token_info[token].offset); - *cp1 = clone_str(*cp2); + *cp1 = strdupnull(*cp2); } } } diff --git a/src/starter/cmp.c b/src/starter/cmp.c index 0727cf5f0..aaba7b11d 100644 --- a/src/starter/cmp.c +++ b/src/starter/cmp.c @@ -14,62 +14,39 @@ #include <string.h> -#include <freeswan.h> - -#include "../pluto/constants.h" -#include "../pluto/defs.h" - #include "confread.h" #include "args.h" -#include "interfaces.h" #include "cmp.h" #define VARCMP(obj) if (c1->obj != c2->obj) return FALSE -#define ADDCMP(obj) if (!sameaddr(&c1->obj,&c2->obj)) return FALSE -#define SUBCMP(obj) if (!samesubnet(&c1->obj,&c2->obj)) return FALSE #define STRCMP(obj) if (strcmp(c1->obj,c2->obj)) return FALSE -static bool -starter_cmp_end(starter_end_t *c1, starter_end_t *c2) +static bool starter_cmp_end(starter_end_t *c1, starter_end_t *c2) { if ((c1 == NULL) || (c2 == NULL)) return FALSE; - if (c2->dns_failed) - { - c2->addr = c1->addr; - } - else - { - ADDCMP(addr); - } - VARCMP(ikeport); - ADDCMP(nexthop); - VARCMP(has_client); - VARCMP(has_client_wildcard); - VARCMP(has_port_wildcard); - VARCMP(has_natip); - VARCMP(has_virt); VARCMP(modecfg); VARCMP(port); VARCMP(protocol); return cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2); - } +} -bool -starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2) +bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2) { if ((c1 == NULL) || (c2 == NULL)) return FALSE; - VARCMP(policy); - VARCMP(addr_family); - VARCMP(tunnel_addr_family); + VARCMP(mode); + VARCMP(proxy_mode); + VARCMP(options); VARCMP(mark_in.value); VARCMP(mark_in.mask); VARCMP(mark_out.value); VARCMP(mark_in.mask); + VARCMP(tfc); + VARCMP(sa_keying_tries); if (!starter_cmp_end(&c1->left, &c2->left)) return FALSE; @@ -79,8 +56,7 @@ starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2) return cmp_args(KW_CONN_NAME, KW_CONN_LAST, (char *)c1, (char *)c2); } -bool -starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2) +bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2) { if (c1 == NULL || c2 == NULL) return FALSE; @@ -88,28 +64,3 @@ starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2) return cmp_args(KW_CA_NAME, KW_CA_LAST, (char *)c1, (char *)c2); } -bool -starter_cmp_klips(starter_config_t *c1, starter_config_t *c2) -{ - if ((c1 == NULL) || (c2 == NULL)) - return FALSE; - - return cmp_args(KW_KLIPS_FIRST, KW_KLIPS_LAST, (char *)c1, (char *)c2); -} - -bool -starter_cmp_pluto(starter_config_t *c1, starter_config_t *c2) -{ - if ((c1 == NULL) || (c2 == NULL)) - return FALSE; - - return cmp_args(KW_PLUTO_FIRST, KW_PLUTO_LAST, (char *)c1, (char *)c2); -} - -bool -starter_cmp_defaultroute(defaultroute_t *d1, defaultroute_t *d2) -{ - if ((d1 == NULL) || (d2 == NULL)) - return FALSE; - return memcmp(d1, d2, sizeof(defaultroute_t)) == 0; -} diff --git a/src/starter/cmp.h b/src/starter/cmp.h index cda6e44b9..c33ce8ec2 100644 --- a/src/starter/cmp.h +++ b/src/starter/cmp.h @@ -15,13 +15,8 @@ #ifndef _STARTER_CMP_H_ #define _STARTER_CMP_H_ -#include "interfaces.h" - -extern bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2); -extern bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2); -extern bool starter_cmp_klips(starter_config_t *c1, starter_config_t *c2); -extern bool starter_cmp_pluto(starter_config_t *c1, starter_config_t *c2); -extern bool starter_cmp_defaultroute(defaultroute_t *d1, defaultroute_t *d2); +bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2); +bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2); #endif diff --git a/src/starter/confread.c b/src/starter/confread.c index 627601e88..6544b1ccd 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -19,26 +19,24 @@ #include <stdlib.h> #include <string.h> #include <assert.h> +#include <netdb.h> -#include <freeswan.h> - -#include <eap/eap.h> - -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/log.h" +#include <library.h> +#include <debug.h> #include "keywords.h" #include "confread.h" #include "args.h" #include "files.h" -#include "interfaces.h" -/* strings containing a colon are interpreted as an IPv6 address */ -#define ip_version(string) (strchr(string, '.') ? AF_INET : AF_INET6) +#define IKE_LIFETIME_DEFAULT 10800 /* 3 hours */ +#define IPSEC_LIFETIME_DEFAULT 3600 /* 1 hour */ +#define SA_REPLACEMENT_MARGIN_DEFAULT 540 /* 9 minutes */ +#define SA_REPLACEMENT_FUZZ_DEFAULT 100 /* 100% of margin */ +#define SA_REPLACEMENT_RETRIES_DEFAULT 3 static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536"; -static const char esp_defaults[] = "aes128-sha1,3des-sha1"; +static const char esp_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536"; static const char firewall_defaults[] = "ipsec _updown iptables"; @@ -47,12 +45,53 @@ static bool daemon_exists(char *daemon, char *path) struct stat st; if (stat(path, &st) != 0) { - plog("Disabling %sstart option, '%s' not found", daemon, path); + DBG1(DBG_APP, "Disabling %sstart option, '%s' not found", daemon, path); return FALSE; } return TRUE; } +/** + * Process deprecated keywords + */ +static bool is_deprecated(kw_token_t token, kw_list_t *kw, char *name) +{ + switch (token) + { + case KW_SETUP_DEPRECATED: + case KW_PKCS11_DEPRECATED: + DBG1(DBG_APP, "# deprecated keyword '%s' in config setup", + kw->entry->name); + break; + case KW_CONN_DEPRECATED: + case KW_END_DEPRECATED: + case KW_PFS_DEPRECATED: + DBG1(DBG_APP, "# deprecated keyword '%s' in conn '%s'", + kw->entry->name, name); + break; + case KW_CA_DEPRECATED: + DBG1(DBG_APP, "# deprecated keyword '%s' in ca '%s'", + kw->entry->name, name); + break; + default: + return FALSE; + } + /* additional messages for some */ + switch (token) + { + case KW_PKCS11_DEPRECATED: + DBG1(DBG_APP, " use the 'pkcs11' plugin instead", kw->entry->name); + break; + case KW_PFS_DEPRECATED: + DBG1(DBG_APP, " PFS is enabled by specifying a DH group in the " + "'esp' cipher suite", kw->entry->name); + break; + default: + break; + } + return TRUE; +} + static void default_values(starter_config_t *cfg) { if (cfg == NULL) @@ -60,7 +99,7 @@ static void default_values(starter_config_t *cfg) memset(cfg, 0, sizeof(struct starter_config)); - /* is there enough space for all seen flags? */ + /* is there enough space for all seen flags? */ assert(KW_SETUP_LAST - KW_SETUP_FIRST < sizeof(cfg->setup.seen) * BITS_PER_BYTE); assert(KW_CONN_LAST - KW_CONN_FIRST < @@ -70,66 +109,52 @@ static void default_values(starter_config_t *cfg) assert(KW_CA_LAST - KW_CA_FIRST < sizeof(cfg->ca_default.seen) * BITS_PER_BYTE); - cfg->setup.seen = LEMPTY; - cfg->setup.fragicmp = TRUE; - cfg->setup.hidetos = TRUE; + cfg->setup.seen = SEEN_NONE; cfg->setup.uniqueids = TRUE; - cfg->setup.interfaces = new_list("%defaultroute"); #ifdef START_CHARON cfg->setup.charonstart = TRUE; #endif -#ifdef START_PLUTO - cfg->setup.plutostart = TRUE; -#endif - cfg->conn_default.seen = LEMPTY; + cfg->conn_default.seen = SEEN_NONE; cfg->conn_default.startup = STARTUP_NO; cfg->conn_default.state = STATE_IGNORE; - cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_PUBKEY | - POLICY_PFS | POLICY_MOBIKE; + cfg->conn_default.mode = MODE_TUNNEL; + cfg->conn_default.options = SA_OPTION_MOBIKE; - cfg->conn_default.ike = clone_str(ike_defaults); - cfg->conn_default.esp = clone_str(esp_defaults); - cfg->conn_default.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT; - cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT; + cfg->conn_default.ike = strdupnull(ike_defaults); + cfg->conn_default.esp = strdupnull(esp_defaults); + cfg->conn_default.sa_ike_life_seconds = IKE_LIFETIME_DEFAULT; + cfg->conn_default.sa_ipsec_life_seconds = IPSEC_LIFETIME_DEFAULT; cfg->conn_default.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT; cfg->conn_default.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT; cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT; - cfg->conn_default.addr_family = AF_INET; - cfg->conn_default.tunnel_addr_family = AF_INET; - cfg->conn_default.install_policy = TRUE; - cfg->conn_default.dpd_delay = 30; /* seconds */ - cfg->conn_default.dpd_timeout = 150; /* seconds */ + cfg->conn_default.install_policy = TRUE; + cfg->conn_default.dpd_delay = 30; /* seconds */ + cfg->conn_default.dpd_timeout = 150; /* seconds */ - cfg->conn_default.left.seen = LEMPTY; - cfg->conn_default.right.seen = LEMPTY; + cfg->conn_default.left.seen = SEEN_NONE; + cfg->conn_default.right.seen = SEEN_NONE; cfg->conn_default.left.sendcert = CERT_SEND_IF_ASKED; cfg->conn_default.right.sendcert = CERT_SEND_IF_ASKED; - anyaddr(AF_INET, &cfg->conn_default.left.addr); - anyaddr(AF_INET, &cfg->conn_default.left.nexthop); - anyaddr(AF_INET, &cfg->conn_default.right.addr); - anyaddr(AF_INET, &cfg->conn_default.right.nexthop); cfg->conn_default.left.ikeport = 500; cfg->conn_default.right.ikeport = 500; - cfg->ca_default.seen = LEMPTY; + cfg->ca_default.seen = SEEN_NONE; } -#define KW_POLICY_FLAG(sy, sn, fl) \ - if (streq(kw->value, sy)) { conn->policy |= fl; } \ - else if (streq(kw->value, sn)) { conn->policy &= ~fl; } \ - else { plog("# bad policy value: %s=%s", kw->entry->name, kw->value); cfg->err++; } +#define KW_SA_OPTION_FLAG(sy, sn, fl) \ + if (streq(kw->value, sy)) { conn->options |= fl; } \ + else if (streq(kw->value, sn)) { conn->options &= ~fl; } \ + else { DBG1(DBG_APP, "# bad option value: %s=%s", kw->entry->name, kw->value); cfg->err++; } static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp) { kw_list_t *kw; - DBG(DBG_CONTROL, - DBG_log("Loading config setup") - ) + DBG2(DBG_APP, "Loading config setup"); for (kw = cfgp->config_setup; kw; kw = kw->next) { @@ -139,45 +164,49 @@ static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp) if ((int)token < KW_SETUP_FIRST || token > KW_SETUP_LAST) { - plog("# unsupported keyword '%s' in config setup", kw->entry->name); + DBG1(DBG_APP, "# unsupported keyword '%s' in config setup", + kw->entry->name); cfg->err++; continue; } + if (is_deprecated(token, kw, "")) + { + cfg->non_fatal_err++; + continue; + } + if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned)) { - plog(" bad argument value in config setup"); + DBG1(DBG_APP, " bad argument value in config setup"); cfg->err++; continue; } } - /* verify the executables are actually available (some distros split - * packages but enabled both) */ + /* verify the executables are actually available */ #ifdef START_CHARON cfg->setup.charonstart = cfg->setup.charonstart && daemon_exists("charon", CHARON_CMD); #else cfg->setup.charonstart = FALSE; #endif -#ifdef START_PLUTO - cfg->setup.plutostart = cfg->setup.plutostart && - daemon_exists("pluto", PLUTO_CMD); -#else - cfg->setup.plutostart = FALSE; -#endif } static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token, kw_list_t *kw, char *conn_name, starter_config_t *cfg) { - err_t ugh = NULL; bool assigned = FALSE; - bool has_port_wildcard; /* set if port is %any */ char *name = kw->entry->name; char *value = kw->value; + if (is_deprecated(token, kw, conn_name)) + { + cfg->non_fatal_err++; + return; + } + if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned)) goto err; @@ -185,157 +214,25 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token, switch (token) { case KW_HOST: - free(end->host); - end->host = NULL; - if (streq(value, "%defaultroute")) + if (value && strlen(value) > 0 && value[0] == '%') { - if (cfg->defaultroute.defined) + if (streq(value, "%defaultroute")) { - end->addr = cfg->defaultroute.addr; - end->nexthop = cfg->defaultroute.nexthop; + value = "%any"; } - else if (!cfg->defaultroute.supported) - { - plog("%%defaultroute not supported, fallback to %%any"); - } - else - { - plog("# default route not known: %s=%s", name, value); - goto err; - } - } - else if (streq(value, "%any") || streq(value, "%any4")) - { - anyaddr(conn->addr_family, &end->addr); - } - else if (streq(value, "%any6")) - { - conn->addr_family = AF_INET6; - anyaddr(conn->addr_family, &end->addr); - } - else if (streq(value, "%group")) - { - ip_address any; - - conn->policy |= POLICY_GROUP | POLICY_TUNNEL; - anyaddr(conn->addr_family, &end->addr); - anyaddr(conn->tunnel_addr_family, &any); - end->has_client = TRUE; - } - else - { - /* check for allow_any prefix */ - if (value[0] == '%') - { + if (!streq(value, "%any") && !streq(value, "%any4") && + !streq(value, "%any6")) + { /* allow_any prefix */ end->allow_any = TRUE; value++; } - conn->addr_family = ip_version(value); - ugh = ttoaddr(value, 0, conn->addr_family, &end->addr); - if (ugh != NULL) - { - plog("# bad addr: %s=%s [%s]", name, value, ugh); - if (streq(ugh, "does not look numeric and name lookup failed")) - { - end->dns_failed = TRUE; - anyaddr(conn->addr_family, &end->addr); - } - else - { - goto err; - } - } - end->host = clone_str(value); - } - break; - case KW_SUBNET: - if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0) - || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0)) - { - /* used by pluto only */ - end->has_virt = TRUE; - } - else - { - ip_subnet net; - char *pos; - int len = 0; - - end->has_client = TRUE; - conn->tunnel_addr_family = ip_version(value); - - pos = strchr(value, ','); - if (pos) - { - len = pos - value; - } - ugh = ttosubnet(value, len, ip_version(value), &net); - if (ugh != NULL) - { - plog("# bad subnet: %s=%s [%s]", name, value, ugh); - goto err; - } } + free(end->host); + end->host = strdupnull(value); break; case KW_SOURCEIP: - if (end->has_natip) - { - plog("# natip and sourceip cannot be defined at the same time"); - goto err; - } - if (value[0] == '%') - { - if (streq(value, "%modeconfig") || streq(value, "%modecfg") || - streq(value, "%config") || streq(value, "%cfg")) - { - /* request ip via config payload */ - free(end->sourceip); - end->sourceip = NULL; - end->sourceip_mask = 1; - } - else - { /* %poolname, strip %, serve ip requests */ - free(end->sourceip); - end->sourceip = clone_str(value+1); - end->sourceip_mask = 0; - } - end->modecfg = TRUE; - } - else - { - char *pos; - ip_address addr; - ip_subnet net; - - conn->tunnel_addr_family = ip_version(value); - pos = strchr(value, '/'); - - if (pos) - { /* CIDR notation, address pool */ - ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net); - if (ugh != NULL) - { - plog("# bad subnet: %s=%s [%s]", name, value, ugh); - goto err; - } - *pos = '\0'; - free(end->sourceip); - end->sourceip = clone_str(value); - end->sourceip_mask = atoi(pos + 1); - } - else - { /* fixed srcip */ - ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr); - if (ugh != NULL) - { - plog("# bad addr: %s=%s [%s]", name, value, ugh); - goto err; - } - end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ? - 32 : 128; - } - } - conn->policy |= POLICY_TUNNEL; + conn->mode = MODE_TUNNEL; + conn->proxy_mode = FALSE; break; case KW_SENDCERT: if (end->sendcert == CERT_YES_SEND) @@ -357,139 +254,97 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token, /* individual processing of keywords that were not assigned automatically */ switch (token) { - case KW_NEXTHOP: - if (streq(value, "%defaultroute")) + case KW_PROTOPORT: + { + struct protoent *proto; + struct servent *svc; + char *sep, *port = "", *endptr; + long int p; + + sep = strchr(value, '/'); + if (sep) + { /* protocol/port */ + *sep = '\0'; + port = sep + 1; + } + + if (streq(value, "%any")) { - if (cfg->defaultroute.defined) + end->protocol = 0; + } + else + { + proto = getprotobyname(value); + if (proto) { - end->nexthop = cfg->defaultroute.nexthop; + end->protocol = proto->p_proto; } else { - plog("# default route not known: %s=%s", name, value); - goto err; + p = strtol(value, &endptr, 0); + if ((*value && *endptr) || p < 0 || p > 0xff) + { + DBG1(DBG_APP, "# bad protocol: %s=%s", name, value); + goto err; + } + end->protocol = (u_int8_t)p; } } - else if (streq(value, "%direct")) + if (streq(port, "%any")) { - ugh = anyaddr(conn->addr_family, &end->nexthop); + end->port = 0; } else { - conn->addr_family = ip_version(value); - ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop); - } - if (ugh != NULL) - { - plog("# bad addr: %s=%s [%s]", name, value, ugh); - goto err; - } - break; - case KW_SUBNETWITHIN: - { - ip_subnet net; - - end->has_client = TRUE; - end->has_client_wildcard = TRUE; - conn->tunnel_addr_family = ip_version(value); - - ugh = ttosubnet(value, 0, ip_version(value), &net); - if (ugh != NULL) - { - plog("# bad subnet: %s=%s [%s]", name, value, ugh); - goto err; - } - end->subnet = clone_str(value); - break; - } - case KW_PROTOPORT: - ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard); - end->has_port_wildcard = has_port_wildcard; - break; - case KW_NATIP: - if (end->sourceip) - { - plog("# natip and sourceip cannot be defined at the same time"); - goto err; - } - if (streq(value, "%defaultroute")) - { - char buf[64]; - - if (cfg->defaultroute.defined) + svc = getservbyname(port, NULL); + if (svc) { - addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf)); - end->sourceip = clone_str(buf); + end->port = ntohs(svc->s_port); } else { - plog("# default route not known: %s=%s", name, value); - goto err; + p = strtol(port, &endptr, 0); + if ((*port && *endptr) || p < 0 || p > 0xffff) + { + DBG1(DBG_APP, "# bad port: %s=%s", name, value); + goto err; + } + end->port = (u_int16_t)p; } } - else - { - ip_address addr; - - conn->tunnel_addr_family = ip_version(value); - ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr); - if (ugh != NULL) - { - plog("# bad addr: %s=%s [%s]", name, value, ugh); - goto err; - } - end->sourceip = clone_str(value); + if (sep) + { /* restore the original text in case also= is used */ + *sep = '/'; } - end->has_natip = TRUE; - conn->policy |= POLICY_TUNNEL; break; + } default: break; } return; err: - plog(" bad argument value in conn '%s'", conn_name); + DBG1(DBG_APP, " bad argument value in conn '%s'", conn_name); cfg->err++; } /* - * handles left|right=<FQDN> DNS resolution failure - */ -static void handle_dns_failure(const char *label, starter_end_t *end, - starter_config_t *cfg, starter_conn_t *conn) -{ - if (end->dns_failed) - { - if (end->allow_any) - { - plog("# fallback to %s=%%any due to '%%' prefix or %sallowany=yes", - label, label); - } - else if (!end->host || conn->keyexchange == KEY_EXCHANGE_IKEV1) - { - /* declare an error */ - cfg->err++; - } - } -} - -/* * handles left|rightfirewall and left|rightupdown parameters */ static void handle_firewall(const char *label, starter_end_t *end, starter_config_t *cfg) { - if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST))) + if (end->firewall && (end->seen & SEEN_KW(KW_FIREWALL, KW_END_FIRST))) { if (end->updown != NULL) { - plog("# cannot have both %sfirewall and %supdown", label, label); + DBG1(DBG_APP, "# cannot have both %sfirewall and %supdown", label, + label); cfg->err++; } else { - end->updown = clone_str(firewall_defaults); + end->updown = strdupnull(firewall_defaults); end->firewall = FALSE; } } @@ -497,16 +352,16 @@ static void handle_firewall(const char *label, starter_end_t *end, static bool handle_mark(char *value, mark_t *mark) { - char *pos, *endptr; + char *sep, *endptr; - pos = strchr(value, '/'); - if (pos) + sep = strchr(value, '/'); + if (sep) { - *pos = '\0'; - mark->mask = strtoul(pos+1, &endptr, 0); + *sep = '\0'; + mark->mask = strtoul(sep+1, &endptr, 0); if (*endptr != '\0') { - plog("# invalid mark mask: %s", pos+1); + DBG1(DBG_APP, "# invalid mark mask: %s", sep+1); return FALSE; } } @@ -523,10 +378,16 @@ static bool handle_mark(char *value, mark_t *mark) mark->value = strtoul(value, &endptr, 0); if (*endptr != '\0') { - plog("# invalid mark value: %s", value); + DBG1(DBG_APP, "# invalid mark value: %s", value); return FALSE; } } + if (sep) + { /* restore the original text in case also= is used */ + *sep = '/'; + } + /* apply the mask to ensure the value is in range */ + mark->value &= mark->mask; return TRUE; } @@ -566,28 +427,32 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg { also_t *also = malloc_thing(also_t); - also->name = clone_str(kw->value); + also->name = strdupnull(kw->value); also->next = conn->also; conn->also = also; - DBG(DBG_CONTROL, - DBG_log(" also=%s", kw->value) - ) + DBG2(DBG_APP, " also=%s", kw->value); } continue; } if (token < KW_CONN_FIRST || token > KW_CONN_LAST) { - plog("# unsupported keyword '%s' in conn '%s'" - , kw->entry->name, conn_name); + DBG1(DBG_APP, "# unsupported keyword '%s' in conn '%s'", + kw->entry->name, conn_name); cfg->err++; continue; } + if (is_deprecated(token, kw, conn_name)) + { + cfg->non_fatal_err++; + continue; + } + if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned)) { - plog(" bad argument value in conn '%s'", conn_name); + DBG1(DBG_APP, " bad argument value in conn '%s'", conn_name); cfg->err++; continue; } @@ -598,125 +463,42 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg switch (token) { case KW_TYPE: - conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK); + conn->mode = MODE_TRANSPORT; + conn->proxy_mode = FALSE; if (streq(kw->value, "tunnel")) { - conn->policy |= POLICY_TUNNEL; + conn->mode = MODE_TUNNEL; } else if (streq(kw->value, "beet")) { - conn->policy |= POLICY_BEET; + conn->mode = MODE_BEET; } else if (streq(kw->value, "transport_proxy")) { - conn->policy |= POLICY_PROXY; + conn->mode = MODE_TRANSPORT; + conn->proxy_mode = TRUE; } else if (streq(kw->value, "passthrough") || streq(kw->value, "pass")) { - conn->policy |= POLICY_SHUNT_PASS; + conn->mode = MODE_PASS; } - else if (streq(kw->value, "drop")) + else if (streq(kw->value, "drop") || streq(kw->value, "reject")) { - conn->policy |= POLICY_SHUNT_DROP; + conn->mode = MODE_DROP; } - else if (streq(kw->value, "reject")) + else if (!streq(kw->value, "transport")) { - conn->policy |= POLICY_SHUNT_REJECT; - } - else if (strcmp(kw->value, "transport") != 0) - { - plog("# bad policy value: %s=%s", kw->entry->name, kw->value); + DBG1(DBG_APP, "# bad policy value: %s=%s", kw->entry->name, + kw->value); cfg->err++; } break; - case KW_PFS: - KW_POLICY_FLAG("yes", "no", POLICY_PFS) - break; case KW_COMPRESS: - KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS) + KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_COMPRESS) break; case KW_AUTH: - KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE) - break; - case KW_AUTHBY: - conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT); - - if (!streq(kw->value, "never")) - { - char *value = kw->value; - char *second = strchr(kw->value, '|'); - - if (second != NULL) - { - *second = '\0'; - } - - /* also handles the cases secret|rsasig and rsasig|secret */ - for (;;) - { - if (streq(value, "rsa") || streq(value, "rsasig") || - streq(value, "ecdsa") || streq(value, "ecdsasig") || - streq(value, "pubkey")) - { - conn->policy |= POLICY_PUBKEY | POLICY_ENCRYPT; - } - else if (streq(value, "secret") || streq(value, "psk")) - { - conn->policy |= POLICY_PSK | POLICY_ENCRYPT; - } - else if (streq(value, "xauthrsasig")) - { - conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT; - } - else if (streq(value, "xauthpsk") || streq(value, "eap")) - { - conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT; - } - else - { - plog("# bad policy value: %s=%s", kw->entry->name, kw->value); - cfg->err++; - break; - } - if (second == NULL) - { - break; - } - value = second; - second = NULL; /* traverse the loop no more than twice */ - } - } - break; - case KW_EAP: - { - char *sep; - - /* check for vendor-type format */ - sep = strchr(kw->value, '-'); - if (sep) - { - *(sep++) = '\0'; - conn->eap_type = atoi(kw->value); - conn->eap_vendor = atoi(sep); - if (conn->eap_type == 0 || conn->eap_vendor == 0) - { - plog("# invalid EAP type: %s=%s", kw->entry->name, kw->value); - cfg->err++; - } - break; - } - conn->eap_type = eap_type_from_string(kw->value); - if (conn->eap_type == 0) - { - conn->eap_type = atoi(kw->value); - if (conn->eap_type == 0) - { - plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value); - cfg->err++; - } - } + KW_SA_OPTION_FLAG("ah", "esp", SA_OPTION_AUTHENTICATE) break; - } case KW_MARK: if (!handle_mark(kw->value, &conn->mark_in)) { @@ -749,7 +531,8 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg conn->tfc = strtoul(kw->value, &endptr, 10); if (*endptr != '\0') { - plog("# bad integer value: %s=%s", kw->entry->name, kw->value); + DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name, + kw->value); cfg->err++; } } @@ -766,36 +549,35 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg conn->sa_keying_tries = strtoul(kw->value, &endptr, 10); if (*endptr != '\0') { - plog("# bad integer value: %s=%s", kw->entry->name, kw->value); + DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name, + kw->value); cfg->err++; } } break; case KW_REKEY: - KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY) + KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REKEY) break; case KW_REAUTH: - KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH) + KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REAUTH) break; case KW_MOBIKE: - KW_POLICY_FLAG("yes", "no", POLICY_MOBIKE) + KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_MOBIKE) break; case KW_FORCEENCAPS: - KW_POLICY_FLAG("yes", "no", POLICY_FORCE_ENCAP) + KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_FORCE_ENCAP) break; case KW_MODECONFIG: - KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH) + KW_SA_OPTION_FLAG("push", "pull", SA_OPTION_MODECFG_PUSH) break; case KW_XAUTH: - KW_POLICY_FLAG("server", "client", POLICY_XAUTH_SERVER) + KW_SA_OPTION_FLAG("server", "client", SA_OPTION_XAUTH_SERVER) break; default: break; } } - handle_dns_failure("left", &conn->left, cfg, conn); - handle_dns_failure("right", &conn->right, cfg, conn); handle_firewall("left", &conn->left, cfg); handle_firewall("right", &conn->right, cfg); } @@ -806,7 +588,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg static void conn_default(char *name, starter_conn_t *conn, starter_conn_t *def) { memcpy(conn, def, sizeof(starter_conn_t)); - conn->name = clone_str(name); + conn->name = strdupnull(name); clone_args(KW_CONN_FIRST, KW_CONN_LAST, (char *)conn, (char *)def); clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left, (char *)&def->left); @@ -836,27 +618,32 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg) { also_t *also = malloc_thing(also_t); - also->name = clone_str(kw->value); + also->name = strdupnull(kw->value); also->next = ca->also; ca->also = also; - DBG(DBG_CONTROL, - DBG_log(" also=%s", kw->value) - ) + DBG2(DBG_APP, " also=%s", kw->value); } continue; } if (token < KW_CA_FIRST || token > KW_CA_LAST) { - plog("# unsupported keyword '%s' in ca '%s'", kw->entry->name, ca_name); + DBG1(DBG_APP, "# unsupported keyword '%s' in ca '%s'", + kw->entry->name, ca_name); cfg->err++; continue; } + if (is_deprecated(token, kw, ca_name)) + { + cfg->non_fatal_err++; + continue; + } + if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned)) { - plog(" bad argument value in ca '%s'", ca_name); + DBG1(DBG_APP, " bad argument value in ca '%s'", ca_name); cfg->err++; } } @@ -872,7 +659,7 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg) static void ca_default(char *name, starter_ca_t *ca, starter_ca_t *def) { memcpy(ca, def, sizeof(starter_ca_t)); - ca->name = clone_str(name); + ca->name = strdupnull(name); clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def); } @@ -889,13 +676,12 @@ static void load_also_conns(starter_conn_t *conn, also_t *also, if (kw == NULL) { - plog(" conn '%s' cannot include '%s'", conn->name, also->name); + DBG1(DBG_APP, " conn '%s' cannot include '%s'", conn->name, + also->name); } else { - DBG(DBG_CONTROL, - DBG_log("conn '%s' includes '%s'", conn->name, also->name) - ) + DBG2(DBG_APP, "conn '%s' includes '%s'", conn->name, also->name); /* only load if no error occurred in the first round */ if (cfg->err == 0) load_conn(conn, kw, cfg); @@ -918,7 +704,7 @@ static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn, { if (conn->visit == c->visit) { - plog("# detected also loop"); + DBG1(DBG_APP, "# detected also loop"); cfg->err++; return NULL; } @@ -929,7 +715,7 @@ static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn, c = c->next; } - plog("# also '%s' not found", name); + DBG1(DBG_APP, "# also '%s' not found", name); cfg->err++; return NULL; } @@ -945,13 +731,12 @@ static void load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg) if (kw == NULL) { - plog(" ca '%s' cannot include '%s'", ca->name, also->name); + DBG1(DBG_APP, " ca '%s' cannot include '%s'", ca->name, + also->name); } else { - DBG(DBG_CONTROL, - DBG_log("ca '%s' includes '%s'", ca->name, also->name) - ) + DBG2(DBG_APP, "ca '%s' includes '%s'", ca->name, also->name); /* only load if no error occurred in the first round */ if (cfg->err == 0) load_ca(ca, kw, cfg); @@ -974,7 +759,7 @@ static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca, { if (ca->visit == c->visit) { - plog("# detected also loop"); + DBG1(DBG_APP, "# detected also loop"); cfg->err++; return NULL; } @@ -985,7 +770,7 @@ static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca, c = c->next; } - plog("# also '%s' not found", name); + DBG1(DBG_APP, "# also '%s' not found", name); cfg->err++; return NULL; } @@ -1086,9 +871,6 @@ starter_config_t* confread_load(const char *file) /* set default values */ default_values(cfg); - /* determine default route */ - get_defaultroute(&cfg->defaultroute); - /* load config setup section */ load_setup(cfg, cfgp); @@ -1100,15 +882,13 @@ starter_config_t* confread_load(const char *file) { if (streq(sca->name, "%default")) { - DBG(DBG_CONTROL, - DBG_log("Loading ca %%default") - ) + DBG2(DBG_APP, "Loading ca %%default"); load_ca(&cfg->ca_default, sca->kw, cfg); } } /* parameters defined in ca %default sections can be overloads */ - cfg->ca_default.seen = LEMPTY; + cfg->ca_default.seen = SEEN_NONE; /* load other ca sections */ for (sca = cfgp->ca_first; sca; sca = sca->next) @@ -1119,9 +899,7 @@ starter_config_t* confread_load(const char *file) if (streq(sca->name, "%default")) continue; - DBG(DBG_CONTROL, - DBG_log("Loading ca '%s'", sca->name) - ) + DBG2(DBG_APP, "Loading ca '%s'", sca->name); ca = malloc_thing(starter_ca_t); ca_default(sca->name, ca, &cfg->ca_default); @@ -1169,17 +947,15 @@ starter_config_t* confread_load(const char *file) { if (streq(sconn->name, "%default")) { - DBG(DBG_CONTROL, - DBG_log("Loading conn %%default") - ) + DBG2(DBG_APP, "Loading conn %%default"); load_conn(&cfg->conn_default, sconn->kw, cfg); } } - /* parameter defined in conn %default sections can be overloaded */ - cfg->conn_default.seen = LEMPTY; - cfg->conn_default.right.seen = LEMPTY; - cfg->conn_default.left.seen = LEMPTY; + /* parameters defined in conn %default sections can be overloaded */ + cfg->conn_default.seen = SEEN_NONE; + cfg->conn_default.right.seen = SEEN_NONE; + cfg->conn_default.left.seen = SEEN_NONE; /* load other conn sections */ for (sconn = cfgp->conn_first; sconn; sconn = sconn->next) @@ -1190,9 +966,7 @@ starter_config_t* confread_load(const char *file) if (streq(sconn->name, "%default")) continue; - DBG(DBG_CONTROL, - DBG_log("Loading conn '%s'", sconn->name) - ) + DBG2(DBG_APP, "Loading conn '%s'", sconn->name); conn = malloc_thing(starter_conn_t); conn_default(sconn->name, conn, &cfg->conn_default); @@ -1245,8 +1019,8 @@ starter_config_t* confread_load(const char *file) total_err = cfg->err + cfg->non_fatal_err; if (total_err > 0) { - plog("### %d parsing error%s (%d fatal) ###" - , total_err, (total_err > 1)?"s":"", cfg->err); + DBG1(DBG_APP, "### %d parsing error%s (%d fatal) ###", + total_err, (total_err > 1)?"s":"", cfg->err); } return cfg; diff --git a/src/starter/confread.h b/src/starter/confread.h index 9cb919ce5..3f2079883 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -16,12 +16,14 @@ #ifndef _IPSEC_CONFREAD_H_ #define _IPSEC_CONFREAD_H_ -#ifndef _FREESWAN_H -#include <freeswan.h> -#endif +#include <kernel/kernel_ipsec.h> #include "ipsec-parser.h" -#include "interfaces.h" + +/** to mark seen keywords */ +typedef u_int64_t seen_t; +#define SEEN_NONE 0; +#define SEEN_KW(kw, base) ((seen_t)1 << ((kw) - (base))) typedef enum { STARTUP_NO, @@ -39,9 +41,10 @@ typedef enum { } starter_state_t; typedef enum { - KEY_EXCHANGE_IKE, - KEY_EXCHANGE_IKEV1, - KEY_EXCHANGE_IKEV2 + /* shared with ike_version_t */ + KEY_EXCHANGE_IKE = 0, + KEY_EXCHANGE_IKEV1 = 1, + KEY_EXCHANGE_IKEV2 = 2, } keyexchange_t; typedef enum { @@ -50,10 +53,40 @@ typedef enum { STRICT_IFURI } strict_t; +typedef enum { + CERT_ALWAYS_SEND, + CERT_SEND_IF_ASKED, + CERT_NEVER_SEND, + CERT_YES_SEND, /* synonym for CERT_ALWAYS_SEND */ + CERT_NO_SEND, /* synonym for CERT_NEVER_SEND */ +} certpolicy_t; + +typedef enum { + DPD_ACTION_NONE, + DPD_ACTION_CLEAR, + DPD_ACTION_HOLD, + DPD_ACTION_RESTART, + DPD_ACTION_UNKNOW, +} dpd_action_t; + +typedef enum { + /* IPsec options */ + SA_OPTION_AUTHENTICATE = 1 << 0, /* use AH instead of ESP? */ + SA_OPTION_COMPRESS = 1 << 1, /* use IPComp */ + + /* IKE and other other options */ + SA_OPTION_DONT_REKEY = 1 << 2, /* don't rekey state either Phase */ + SA_OPTION_DONT_REAUTH = 1 << 3, /* don't reauthenticate on rekeying, IKEv2 only */ + SA_OPTION_MODECFG_PUSH = 1 << 4, /* is modecfg pushed by server? */ + SA_OPTION_XAUTH_SERVER = 1 << 5, /* are we an XAUTH server? */ + SA_OPTION_MOBIKE = 1 << 6, /* enable MOBIKE for IKEv2 */ + SA_OPTION_FORCE_ENCAP = 1 << 7, /* force UDP encapsulation */ +} sa_option_t; + typedef struct starter_end starter_end_t; struct starter_end { - lset_t seen; + seen_t seen; char *auth; char *auth2; char *id; @@ -64,29 +97,21 @@ struct starter_end { char *ca; char *ca2; char *groups; + char *groups2; char *cert_policy; - char *iface; char *host; - ip_address addr; u_int ikeport; - ip_address nexthop; char *subnet; - bool has_client; - bool has_client_wildcard; - bool has_port_wildcard; - bool has_natip; - bool has_virt; bool modecfg; certpolicy_t sendcert; bool firewall; bool hostaccess; bool allow_any; - bool dns_failed; char *updown; u_int16_t port; u_int8_t protocol; char *sourceip; - int sourceip_mask; + char *dns; }; typedef struct also also_t; @@ -100,7 +125,7 @@ struct also { typedef struct starter_conn starter_conn_t; struct starter_conn { - lset_t seen; + seen_t seen; char *name; also_t *also; kw_list_t *kw; @@ -109,35 +134,34 @@ struct starter_conn { starter_state_t state; keyexchange_t keyexchange; - u_int32_t eap_type; - u_int32_t eap_vendor; char *eap_identity; char *aaa_identity; char *xauth_identity; - lset_t policy; + char *authby; + ipsec_mode_t mode; + bool proxy_mode; + sa_option_t options; time_t sa_ike_life_seconds; time_t sa_ipsec_life_seconds; time_t sa_rekey_margin; - u_int64_t sa_ipsec_life_bytes; - u_int64_t sa_ipsec_margin_bytes; - u_int64_t sa_ipsec_life_packets; - u_int64_t sa_ipsec_margin_packets; + u_int64_t sa_ipsec_life_bytes; + u_int64_t sa_ipsec_margin_bytes; + u_int64_t sa_ipsec_life_packets; + u_int64_t sa_ipsec_margin_packets; unsigned long sa_keying_tries; unsigned long sa_rekey_fuzz; u_int32_t reqid; mark_t mark_in; mark_t mark_out; u_int32_t tfc; - sa_family_t addr_family; - sa_family_t tunnel_addr_family; bool install_policy; + bool aggressive; starter_end_t left, right; unsigned long id; char *esp; char *ike; - char *pfsgroup; time_t dpd_delay; time_t dpd_timeout; @@ -158,7 +182,7 @@ struct starter_conn { typedef struct starter_ca starter_ca_t; struct starter_ca { - lset_t seen; + seen_t seen; char *name; also_t *also; kw_list_t *kw; @@ -167,13 +191,11 @@ struct starter_ca { starter_state_t state; char *cacert; - char *ldaphost; - char *ldapbase; char *crluri; char *crluri2; char *ocspuri; char *ocspuri2; - char *certuribase; + char *certuribase; bool strict; @@ -184,43 +206,14 @@ typedef struct starter_config starter_config_t; struct starter_config { struct { - lset_t seen; - char **interfaces; - char *dumpdir; - bool charonstart; - bool plutostart; - - /* pluto/charon keywords */ - char **plutodebug; + seen_t seen; + bool charonstart; char *charondebug; - char *prepluto; - char *postpluto; - char *plutostderrlog; bool uniqueids; - u_int overridemtu; - time_t crlcheckinterval; bool cachecrls; strict_t strictcrlpolicy; - bool nocrsend; - bool nat_traversal; - time_t keep_alive; - u_int force_keepalive; - char *virtual_private; - char *pkcs11module; - char *pkcs11initargs; - bool pkcs11keepstate; - bool pkcs11proxy; - - /* KLIPS keywords */ - char **klipsdebug; - bool fragicmp; - char *packetdefault; - bool hidetos; } setup; - /* information about the default route */ - defaultroute_t defaultroute; - /* number of encountered parsing errors */ u_int err; u_int non_fatal_err; diff --git a/src/starter/exec.c b/src/starter/exec.c deleted file mode 100644 index d4c4f0657..000000000 --- a/src/starter/exec.c +++ /dev/null @@ -1,52 +0,0 @@ -/* strongSwan IPsec exec helper function - * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <stdarg.h> -#include <string.h> -#include <stdio.h> - -#include <freeswan.h> - -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/log.h" - -#include "exec.h" - -#define BUF_SIZE 2048 - -/** - * TODO: - * o log stdout with LOG_LEVEL_INFO and stderr with LOG_LEVEL_ERR - */ - -int -starter_exec(const char *fmt, ...) -{ - va_list args; - static char buf[BUF_SIZE]; - int r; - - va_start (args, fmt); - vsnprintf(buf, BUF_SIZE-1, fmt, args); - buf[BUF_SIZE - 1] = '\0'; - va_end(args); - r = system(buf); - DBG(DBG_CONTROL, - DBG_log("starter_exec(%s) = %d", buf, r) - ) - return r; -} - diff --git a/src/starter/exec.h b/src/starter/exec.h deleted file mode 100644 index 6a6414578..000000000 --- a/src/starter/exec.h +++ /dev/null @@ -1,21 +0,0 @@ -/* strongSwan IPsec starter exec helper function - * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef _STARTER_EXEC_H_ -#define _STARTER_EXEC_H_ - -extern int starter_exec (const char *fmt, ...); - -#endif /* _STARTER_EXEC_H_ */ - diff --git a/src/starter/files.h b/src/starter/files.h index 88857c0b2..96b76fdf1 100644 --- a/src/starter/files.h +++ b/src/starter/files.h @@ -24,10 +24,6 @@ #define CONFIG_FILE IPSEC_CONFDIR "/ipsec.conf" #define SECRETS_FILE IPSEC_CONFDIR "/ipsec.secrets" -#define PLUTO_CMD IPSEC_DIR "/pluto" -#define PLUTO_CTL_FILE IPSEC_PIDDIR "/pluto.ctl" -#define PLUTO_PID_FILE IPSEC_PIDDIR "/pluto.pid" - #define CHARON_CMD IPSEC_DIR "/charon" #define CHARON_CTL_FILE IPSEC_PIDDIR "/charon.ctl" #define CHARON_PID_FILE IPSEC_PIDDIR "/charon.pid" diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c deleted file mode 100644 index 4a2ae0a57..000000000 --- a/src/starter/interfaces.c +++ /dev/null @@ -1,213 +0,0 @@ -/* strongSwan IPsec interfaces management - * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security - * 2009 Heiko Hund - Astaro AG - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include <errno.h> - -#include <freeswan.h> - -#include <constants.h> -#include <defs.h> -#include <log.h> - -#include "interfaces.h" -#include "exec.h" -#include "files.h" - -#ifdef START_PLUTO - -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <linux/rtnetlink.h> -#ifdef HAVE_SYS_SOCKIO_H -#include <sys/sockio.h> -#endif - -/* - * Get the default route information via rtnetlink - */ -void -get_defaultroute(defaultroute_t *defaultroute) -{ - union { - struct { - struct nlmsghdr nh; - struct rtmsg rt; - } m; - char buf[4096]; - } rtu; - - struct nlmsghdr *nh; - uint32_t best_metric = ~0; - ssize_t msglen; - int fd; - - memset(&rtu, 0, sizeof(rtu)); - rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt)); - rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP; - rtu.m.nh.nlmsg_type = RTM_GETROUTE; - rtu.m.rt.rtm_family = AF_INET; - rtu.m.rt.rtm_table = RT_TABLE_UNSPEC; - rtu.m.rt.rtm_protocol = RTPROT_UNSPEC; - rtu.m.rt.rtm_type = RTN_UNICAST; - - fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE); - if (fd == -1) - { - plog("could not create rtnetlink socket"); - return; - } - - if (send(fd, &rtu, rtu.m.nh.nlmsg_len, 0) == -1) - { - plog("could not write to rtnetlink socket"); - close(fd); - return; - } - - msglen = recv(fd, &rtu, sizeof(rtu), MSG_WAITALL); - if (msglen == -1) - { - plog("could not read from rtnetlink socket"); - close(fd); - return; - } - - close(fd); - - for (nh = &rtu.m.nh; NLMSG_OK(nh, msglen); nh = NLMSG_NEXT(nh, msglen)) - { - struct rtmsg *rt; - struct rtattr *rta; - uint32_t rtalen, metric = 0; - struct in_addr gw = { .s_addr = INADDR_ANY }; - int iface_idx = -1; - - if (nh->nlmsg_type == NLMSG_ERROR) - { - plog("error from rtnetlink"); - return; - } - - if (nh->nlmsg_type == NLMSG_DONE) - break; - - rt = NLMSG_DATA(nh); - if ( rt->rtm_dst_len != 0 - || (rt->rtm_table != RT_TABLE_MAIN - && rt->rtm_table != RT_TABLE_DEFAULT) ) - continue; - - rta = RTM_RTA(rt); - rtalen = RTM_PAYLOAD(nh); - while ( RTA_OK(rta, rtalen) ) - { - switch (rta->rta_type) - { - case RTA_GATEWAY: - gw = *(struct in_addr *) RTA_DATA(rta); - break; - case RTA_OIF: - iface_idx = *(int *) RTA_DATA(rta); - break; - case RTA_PRIORITY: - metric = *(uint32_t *) RTA_DATA(rta); - break; - } - rta = RTA_NEXT(rta, rtalen); - } - - if (metric < best_metric - && iface_idx != -1) - { - struct ifreq req; - - fd = socket(AF_INET, SOCK_DGRAM, 0); - if (fd < 0) - { - plog("could not open AF_INET socket"); - break; - } - memset(&req, 0, sizeof(req)); - req.ifr_ifindex = iface_idx; - if (ioctl(fd, SIOCGIFNAME, &req) < 0 || - ioctl(fd, SIOCGIFADDR, &req) < 0) - { - plog("could not read interface data, ignoring route"); - close(fd); - break; - } - - strncpy(defaultroute->iface, req.ifr_name, IFNAMSIZ); - defaultroute->iface[IFNAMSIZ-1] = '\0'; - defaultroute->addr.u.v4 = *((struct sockaddr_in *) &req.ifr_addr); - defaultroute->nexthop.u.v4.sin_family = AF_INET; - - if (gw.s_addr == INADDR_ANY) - { - if (ioctl(fd, SIOCGIFDSTADDR, &req) < 0 || - ((struct sockaddr_in*) &req.ifr_dstaddr)->sin_addr.s_addr == INADDR_ANY) - { - DBG_log("Ignoring default route to device %s because we can't get it's destination", - req.ifr_name); - close(fd); - break; - } - - defaultroute->nexthop.u.v4 = *((struct sockaddr_in *) &req.ifr_dstaddr); - } - else - defaultroute->nexthop.u.v4.sin_addr = gw; - - close(fd); - - DBG(DBG_CONTROL, - char addr[20]; - char nexthop[20]; - addrtot(&defaultroute->addr, 0, addr, sizeof(addr)); - addrtot(&defaultroute->nexthop, 0, nexthop, sizeof(nexthop)); - - DBG_log( - ( !defaultroute->defined - ? "Default route found: iface=%s, addr=%s, nexthop=%s" - : "Better default route: iface=%s, addr=%s, nexthop=%s" - ), defaultroute->iface, addr, nexthop - ) - ); - - best_metric = metric; - defaultroute->defined = TRUE; - } - } - defaultroute->supported = TRUE; - - if (!defaultroute->defined) - plog("no default route - cannot cope with %%defaultroute!!!"); -} - -#else /* !START_PLUTO */ - -/** - * Pluto disabled, fall back to %any - */ -void -get_defaultroute(defaultroute_t *defaultroute) -{ - defaultroute->supported = FALSE; -} -#endif /* START_PLUTO */ - diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h deleted file mode 100644 index ff8535f0e..000000000 --- a/src/starter/interfaces.h +++ /dev/null @@ -1,36 +0,0 @@ -/* strongSwan IPsec interfaces management - * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef _STARTER_INTERFACES_H_ -#define _STARTER_INTERFACES_H_ - -#include <sys/types.h> -#include <sys/socket.h> -#include <net/if.h> - -#include "../pluto/constants.h" - -typedef struct { - bool defined; - bool supported; - char iface[IFNAMSIZ]; - ip_address addr; - ip_address nexthop; -} defaultroute_t; - -extern void get_defaultroute(defaultroute_t *defaultroute); - - -#endif /* _STARTER_INTERFACES_H_ */ - diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c index e88939415..102d1589e 100644 --- a/src/starter/invokecharon.c +++ b/src/starter/invokecharon.c @@ -23,11 +23,8 @@ #include <stdlib.h> #include <errno.h> -#include <freeswan.h> - -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/log.h" +#include <library.h> +#include <debug.h> #include "confread.h" #include "invokecharon.h" @@ -49,19 +46,19 @@ void starter_charon_sigchild(pid_t pid, int status) if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY || status == SS_RC_DAEMON_INTEGRITY) { - plog("charon has quit: integrity test of %s failed", - (status == 64) ? "libstrongswan" : "charon"); + DBG1(DBG_APP, "charon has quit: integrity test of %s failed", + (status == 64) ? "libstrongswan" : "charon"); _stop_requested = 1; } else if (status == SS_RC_INITIALIZATION_FAILED) { - plog("charon has quit: initialization failed"); + DBG1(DBG_APP, "charon has quit: initialization failed"); _stop_requested = 1; } if (!_stop_requested) { - plog("charon has died -- restart scheduled (%dsec)" - , CHARON_RESTART_DELAY); + DBG1(DBG_APP, "charon has died -- restart scheduled (%dsec)", + CHARON_RESTART_DELAY); alarm(CHARON_RESTART_DELAY); // restart in 5 sec } unlink(CHARON_PID_FILE); @@ -91,7 +88,7 @@ int starter_stop_charon (void) else if (i == 40) { kill(pid, SIGKILL); - plog("starter_stop_charon(): charon does not respond, sending KILL"); + DBG1(DBG_APP, "starter_stop_charon(): charon does not respond, sending KILL"); } else { @@ -101,15 +98,15 @@ int starter_stop_charon (void) } if (_charon_pid == 0) { - plog("charon stopped after %d ms", 200*i); + DBG1(DBG_APP, "charon stopped after %d ms", 200*i); return 0; } - plog("starter_stop_charon(): can't stop charon !!!"); + DBG1(DBG_APP, "starter_stop_charon(): can't stop charon !!!"); return -1; } else { - plog("stater_stop_charon(): charon was not started..."); + DBG1(DBG_APP, "stater_stop_charon(): charon was not started..."); } return -1; } @@ -175,7 +172,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb) if (_charon_pid) { - plog("starter_start_charon(): charon already started..."); + DBG1(DBG_APP, "starter_start_charon(): charon already started..."); return -1; } else @@ -187,34 +184,36 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb) switch (pid) { case -1: - plog("can't fork(): %s", strerror(errno)); + DBG1(DBG_APP, "can't fork(): %s", strerror(errno)); return -1; case 0: /* child */ setsid(); + closefrom(3); sigprocmask(SIG_SETMASK, 0, NULL); /* disable glibc's malloc checker, conflicts with leak detective */ setenv("MALLOC_CHECK_", "0", 1); execv(arg[0], arg); - plog("can't execv(%s,...): %s", arg[0], strerror(errno)); + DBG1(DBG_APP, "can't execv(%s,...): %s", arg[0], strerror(errno)); exit(1); default: /* father */ - _charon_pid = pid; - for (i = 0; i < 500 && _charon_pid; i++) + _charon_pid = pid; + for (i = 0; i < 500 && _charon_pid; i++) { /* wait for charon for a maximum of 500 x 20 ms = 10 s */ usleep(20000); if (stat(CHARON_PID_FILE, &stb) == 0) { - plog("charon (%d) started after %d ms", _charon_pid, 20*(i+1)); + DBG1(DBG_APP, "charon (%d) started after %d ms", + _charon_pid, 20*(i+1)); return 0; } } if (_charon_pid) { /* If charon is started but with no ctl file, stop it */ - plog("charon too long to start... - kill kill"); + DBG1(DBG_APP, "charon too long to start... - kill kill"); for (i = 0; i < 20 && (pid = _charon_pid) != 0; i++) { if (i == 0) @@ -234,7 +233,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb) } else { - plog("charon refused to be started"); + DBG1(DBG_APP, "charon refused to be started"); } return -1; } diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c deleted file mode 100644 index 70c0692ea..000000000 --- a/src/starter/invokepluto.c +++ /dev/null @@ -1,327 +0,0 @@ -/* strongSwan Pluto launcher - * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <sys/types.h> -#include <sys/stat.h> -#include <unistd.h> -#include <signal.h> -#include <string.h> -#include <stdlib.h> -#include <errno.h> -#include <fcntl.h> - -#include <freeswan.h> - -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/log.h" - -#include "confread.h" -#include "invokepluto.h" -#include "files.h" -#include "starterwhack.h" -# -static int _pluto_pid = 0; -static int _stop_requested; - -pid_t -starter_pluto_pid(void) -{ - return _pluto_pid; -} - -void -starter_pluto_sigchild(pid_t pid, int status) -{ - if (pid == _pluto_pid) - { - _pluto_pid = 0; - if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY || - status == SS_RC_DAEMON_INTEGRITY) - { - plog("pluto has quit: integrity test of %s failed", - (status == 64) ? "libstrongswan" : "pluto"); - _stop_requested = 1; - } - else if (status == SS_RC_INITIALIZATION_FAILED) - { - plog("pluto has quit: initialization failed"); - _stop_requested = 1; - } - if (!_stop_requested) - { - plog("pluto has died -- restart scheduled (%dsec)" - , PLUTO_RESTART_DELAY); - alarm(PLUTO_RESTART_DELAY); // restart in 5 sec - } - unlink(PLUTO_PID_FILE); - } -} - -int -starter_stop_pluto (void) -{ - int i; - pid_t pid = _pluto_pid; - - if (pid) - { - _stop_requested = 1; - - if (starter_whack_shutdown() == 0) - { - for (i = 0; i < 400; i++) - { - usleep(20000); /* sleep for 20 ms */ - if (_pluto_pid == 0) - { - plog("pluto stopped after %d ms", 20*(i+1)); - return 0; - } - } - } - /* be more and more aggressive */ - for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++) - { - - if (i < 10) - { - kill(pid, SIGTERM); - } - if (i == 10) - { - kill(pid, SIGKILL); - plog("starter_stop_pluto(): pluto does not respond, sending KILL"); - } - else - { - kill(pid, SIGKILL); - } - usleep(100000); /* sleep for 100 ms */ - } - if (_pluto_pid == 0) - { - plog("pluto stopped after %d ms", 8000 + 100*i); - return 0; - } - plog("starter_stop_pluto(): can't stop pluto !!!"); - return -1; - } - else - { - plog("stater_stop_pluto(): pluto is not started..."); - } - return -1; -} - -#define ADD_DEBUG(v) { \ - for (l = cfg->setup.plutodebug; l && *l; l++) if (streq(*l, v)) \ - arg[argc++] = "--debug-" v; \ - } - -int -starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb) -{ - struct stat stb; - int i; - pid_t pid; - char **l; - int argc = 2; - char *arg[] = { - PLUTO_CMD, "--nofork" - , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL - , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL - , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL - , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL - }; - - printf ("starter_start_pluto entered\n"); - - if (attach_gdb) - { - argc = 0; - arg[argc++] = "/usr/bin/gdb"; - arg[argc++] = "--args"; - arg[argc++] = PLUTO_CMD; - arg[argc++] = "--nofork"; - } - if (cfg->setup.plutostderrlog || no_fork) - { - arg[argc++] = "--stderrlog"; - } - if (cfg->setup.uniqueids) - { - arg[argc++] = "--uniqueids"; - } - ADD_DEBUG("none") - ADD_DEBUG("all") - ADD_DEBUG("raw") - ADD_DEBUG("crypt") - ADD_DEBUG("parsing") - ADD_DEBUG("emitting") - ADD_DEBUG("control") - ADD_DEBUG("lifecycle") - ADD_DEBUG("klips") - ADD_DEBUG("kernel") - ADD_DEBUG("dns") - ADD_DEBUG("natt") - ADD_DEBUG("oppo") - ADD_DEBUG("controlmore") - ADD_DEBUG("private") - if (cfg->setup.crlcheckinterval > 0) - { - static char buf1[15]; - - arg[argc++] = "--crlcheckinterval"; - snprintf(buf1, sizeof(buf1), "%d", (int)cfg->setup.crlcheckinterval); - arg[argc++] = buf1; - } - if (cfg->setup.cachecrls) - { - arg[argc++] = "--cachecrls"; - } - if (cfg->setup.strictcrlpolicy) - { - arg[argc++] = "--strictcrlpolicy"; - } - if (cfg->setup.nocrsend) - { - arg[argc++] = "--nocrsend"; - } - if (cfg->setup.nat_traversal) - { - arg[argc++] = "--nat_traversal"; - } - if (cfg->setup.force_keepalive) - { - arg[argc++] = "--force_keepalive"; - } - if (cfg->setup.keep_alive) - { - static char buf2[15]; - - arg[argc++] = "--keep_alive"; - snprintf(buf2, sizeof(buf2), "%d", (int)cfg->setup.keep_alive); - arg[argc++] = buf2; - } - if (cfg->setup.virtual_private) - { - arg[argc++] = "--virtual_private"; - arg[argc++] = cfg->setup.virtual_private; - } - if (cfg->setup.pkcs11module) - { - arg[argc++] = "--pkcs11module"; - arg[argc++] = cfg->setup.pkcs11module; - } - if (cfg->setup.pkcs11initargs) - { - arg[argc++] = "--pkcs11initargs"; - arg[argc++] = cfg->setup.pkcs11initargs; - } - if (cfg->setup.pkcs11keepstate) - { - arg[argc++] = "--pkcs11keepstate"; - } - if (cfg->setup.pkcs11proxy) - { - arg[argc++] = "--pkcs11proxy"; - } - - if (_pluto_pid) - { - plog("starter_start_pluto(): pluto already started..."); - return -1; - } - else - { - unlink(PLUTO_CTL_FILE); - _stop_requested = 0; - - if (cfg->setup.prepluto) - ignore_result(system(cfg->setup.prepluto)); - - pid = fork(); - switch (pid) - { - case -1: - plog("can't fork(): %s", strerror(errno)); - return -1; - case 0: - /* child */ - if (cfg->setup.plutostderrlog) - { - int f = creat(cfg->setup.plutostderrlog, 00644); - - /* redirect stderr to file */ - if (f < 0) - { - plog("couldn't open stderr redirection file '%s'", - cfg->setup.plutostderrlog); - } - else - { - dup2(f, 2); - } - } - setsid(); - sigprocmask(SIG_SETMASK, 0, NULL); - /* disable glibc's malloc checker, conflicts with leak detective */ - setenv("MALLOC_CHECK_", "0", 1); - execv(arg[0], arg); - plog("can't execv(%s,...): %s", arg[0], strerror(errno)); - exit(1); - default: - /* father */ - _pluto_pid = pid; - for (i = 0; i < 500 && _pluto_pid; i++) - { - /* wait for pluto for a maximum of 500 x 20 ms = 10 s */ - usleep(20000); - if (stat(PLUTO_CTL_FILE, &stb) == 0) - { - plog("pluto (%d) started after %d ms", _pluto_pid, 20*(i+1)); - if (cfg->setup.postpluto) - { - ignore_result(system(cfg->setup.postpluto)); - } - return 0; - } - } - if (_pluto_pid) - { - /* If pluto is started but with no ctl file, stop it */ - plog("pluto too long to start... - kill kill"); - for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++) - { - if (i < 10) - { - kill(pid, SIGTERM); - } - else - { - kill(pid, SIGKILL); - } - usleep(20000); /* sleep for 20 ms */ - } - } - else - { - plog("pluto refused to be started"); - } - return -1; - } - } - return -1; -} diff --git a/src/starter/invokepluto.h b/src/starter/invokepluto.h deleted file mode 100644 index c87f50c2a..000000000 --- a/src/starter/invokepluto.h +++ /dev/null @@ -1,26 +0,0 @@ -/* strongSwan pluto launcher - * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef _STARTER_PLUTO_H_ -#define _STARTER_PLUTO_H_ - -#define PLUTO_RESTART_DELAY 5 - -extern void starter_pluto_sigchild (pid_t pid, int status); -extern pid_t starter_pluto_pid (void); -extern int starter_stop_pluto (void); -extern int starter_start_pluto (struct starter_config *cfg, bool no_fork, bool attach_gdb); - -#endif /* _STARTER_PLUTO_H_ */ - diff --git a/src/starter/ipsec.conf b/src/starter/ipsec.conf index b1e5d5e0c..a33d68c0a 100644 --- a/src/starter/ipsec.conf +++ b/src/starter/ipsec.conf @@ -3,20 +3,14 @@ # basic configuration config setup - # plutodebug=all - # crlcheckinterval=600 # strictcrlpolicy=yes - # cachecrls=yes - # nat_traversal=yes - # charonstart=no - # plutostart=no + # uniqueids = no # Add connections here. # Sample VPN connections #conn sample-self-signed -# left=%defaultroute # leftsubnet=10.1.0.0/16 # leftcert=selfCert.der # leftsendcert=never @@ -26,11 +20,9 @@ config setup # auto=start #conn sample-with-ca-cert -# left=%defaultroute # leftsubnet=10.1.0.0/16 # leftcert=myCert.pem # right=192.168.0.2 # rightsubnet=10.2.0.0/16 # rightid="C=CH, O=Linux strongSwan CN=peer name" -# keyexchange=ikev2 # auto=start diff --git a/src/starter/keywords.c b/src/starter/keywords.c index edb55ae7f..7615a81d2 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -30,7 +30,7 @@ error "gperf generated tables don't work with this execution character set. Plea #endif -/* strongSwan keywords +/* * Copyright (C) 2005 Andreas Steffen * Hochschule fuer Technik Rapperswil, Switzerland * @@ -54,12 +54,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 131 +#define TOTAL_KEYWORDS 134 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 #define MIN_HASH_VALUE 9 -#define MAX_HASH_VALUE 246 -/* maximum key range = 238, duplicates = 0 */ +#define MAX_HASH_VALUE 220 +/* maximum key range = 212, duplicates = 0 */ #ifdef __GNUC__ __inline @@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 12, - 126, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 51, 247, 11, 1, 92, - 43, 0, 6, 0, 110, 0, 247, 120, 56, 37, - 27, 72, 43, 1, 16, 0, 5, 75, 1, 247, - 247, 11, 5, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, - 247, 247, 247, 247, 247, 247 + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 62, + 117, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 0, 221, 27, 0, 79, + 26, 0, 6, 0, 92, 0, 221, 44, 58, 36, + 36, 73, 33, 5, 16, 0, 7, 87, 0, 221, + 221, 11, 3, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221 }; register int hval = len; @@ -123,166 +123,167 @@ hash (str, len) static const struct kw_entry wordlist[] = { - {"pfs", KW_PFS}, - {"right", KW_RIGHT}, + {"pfs", KW_PFS_DEPRECATED}, + {"aggressive", KW_AGGRESSIVE}, {"rightgroups", KW_RIGHTGROUPS}, + {"right", KW_RIGHT}, {"lifetime", KW_KEYLIFE}, {"left", KW_LEFT}, {"rightsubnet", KW_RIGHTSUBNET}, {"rightikeport", KW_RIGHTIKEPORT}, {"rightsendcert", KW_RIGHTSENDCERT}, {"leftcert", KW_LEFTCERT}, - {"keep_alive", KW_KEEP_ALIVE}, {"keyingtries", KW_KEYINGTRIES}, - {"leftsendcert", KW_LEFTSENDCERT}, {"keylife", KW_KEYLIFE}, + {"leftsendcert", KW_LEFTSENDCERT}, {"lifebytes", KW_LIFEBYTES}, - {"lifepackets", KW_LIFEPACKETS}, {"leftrsasigkey", KW_LEFTRSASIGKEY}, {"leftcertpolicy", KW_LEFTCERTPOLICY}, {"leftgroups", KW_LEFTGROUPS}, - {"leftca", KW_LEFTCA}, - {"rightallowany", KW_RIGHTALLOWANY}, - {"uniqueids", KW_UNIQUEIDS}, - {"leftprotoport", KW_LEFTPROTOPORT}, + {"rightid", KW_RIGHTID}, + {"rightdns", KW_RIGHTDNS}, + {"me_peerid", KW_ME_PEERID}, + {"reqid", KW_REQID}, + {"keep_alive", KW_SETUP_DEPRECATED}, {"rightrsasigkey", KW_RIGHTRSASIGKEY}, - {"virtual_private", KW_VIRTUAL_PRIVATE}, + {"leftprotoport", KW_LEFTPROTOPORT}, {"certuribase", KW_CERTURIBASE}, - {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, - {"interfaces", KW_INTERFACES}, - {"reqid", KW_REQID}, - {"rightid", KW_RIGHTID}, - {"strictcrlpolicy", KW_STRICTCRLPOLICY}, + {"lifepackets", KW_LIFEPACKETS}, + {"uniqueids", KW_UNIQUEIDS}, {"rightsourceip", KW_RIGHTSOURCEIP}, + {"ike", KW_IKE}, {"type", KW_TYPE}, - {"inactivity", KW_INACTIVITY}, - {"leftnexthop", KW_LEFTNEXTHOP}, - {"mark_in", KW_MARK_IN}, + {"leftdns", KW_LEFTDNS}, + {"leftnexthop", KW_LEFT_DEPRECATED}, + {"rightallowany", KW_RIGHTALLOWANY}, + {"rightsubnetwithin", KW_RIGHTSUBNET}, {"rightprotoport", KW_RIGHTPROTOPORT}, - {"margintime", KW_REKEYMARGIN}, - {"marginbytes", KW_MARGINBYTES}, - {"marginpackets", KW_MARGINPACKETS}, - {"leftnatip", KW_LEFTNATIP}, {"mediated_by", KW_MEDIATED_BY}, - {"ldapbase", KW_LDAPBASE}, + {"strictcrlpolicy", KW_STRICTCRLPOLICY}, + {"virtual_private", KW_SETUP_DEPRECATED}, + {"interfaces", KW_SETUP_DEPRECATED}, + {"rekey", KW_REKEY}, + {"ikelifetime", KW_IKELIFETIME}, + {"rekeyfuzz", KW_REKEYFUZZ}, + {"leftid", KW_LEFTID}, + {"leftca", KW_LEFTCA}, + {"leftikeport", KW_LEFTIKEPORT}, + {"esp", KW_ESP}, {"leftfirewall", KW_LEFTFIREWALL}, {"rightfirewall", KW_RIGHTFIREWALL}, - {"crluri", KW_CRLURI}, - {"mobike", KW_MOBIKE}, - {"rightnatip", KW_RIGHTNATIP}, - {"rightnexthop", KW_RIGHTNEXTHOP}, {"mediation", KW_MEDIATION}, - {"leftallowany", KW_LEFTALLOWANY}, + {"mobike", KW_MOBIKE}, + {"crluri", KW_CRLURI}, + {"rightnexthop", KW_RIGHT_DEPRECATED}, + {"inactivity", KW_INACTIVITY}, {"leftupdown", KW_LEFTUPDOWN}, - {"overridemtu", KW_OVERRIDEMTU}, - {"aaa_identity", KW_AAA_IDENTITY}, - {"esp", KW_ESP}, - {"crluri1", KW_CRLURI}, + {"mark_in", KW_MARK_IN}, + {"leftallowany", KW_LEFTALLOWANY}, + {"ldapbase", KW_CA_DEPRECATED}, + {"margintime", KW_REKEYMARGIN}, + {"marginbytes", KW_MARGINBYTES}, + {"mark", KW_MARK}, + {"marginpackets", KW_MARGINPACKETS}, {"lefthostaccess", KW_LEFTHOSTACCESS}, - {"leftsubnet", KW_LEFTSUBNET}, - {"leftid", KW_LEFTID}, - {"forceencaps", KW_FORCEENCAPS}, - {"eap", KW_EAP}, - {"nat_traversal", KW_NAT_TRAVERSAL}, - {"me_peerid", KW_ME_PEERID}, + {"klipsdebug", KW_SETUP_DEPRECATED}, {"rightcert", KW_RIGHTCERT}, - {"installpolicy", KW_INSTALLPOLICY}, - {"authby", KW_AUTHBY}, - {"klipsdebug", KW_KLIPSDEBUG}, - {"rightca", KW_RIGHTCA}, - {"mark_out", KW_MARK_OUT}, - {"rightupdown", KW_RIGHTUPDOWN}, + {"eap", KW_CONN_DEPRECATED}, + {"overridemtu", KW_SETUP_DEPRECATED}, + {"forceencaps", KW_FORCEENCAPS}, {"keyexchange", KW_KEYEXCHANGE}, {"ocspuri", KW_OCSPURI}, - {"compress", KW_COMPRESS}, + {"aaa_identity", KW_AAA_IDENTITY}, + {"force_keepalive", KW_SETUP_DEPRECATED}, {"rightcertpolicy", KW_RIGHTCERTPOLICY}, - {"cacert", KW_CACERT}, - {"eap_identity", KW_EAP_IDENTITY}, - {"hidetos", KW_HIDETOS}, - {"ike", KW_IKE}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, + {"hidetos", KW_SETUP_DEPRECATED}, {"righthostaccess", KW_RIGHTHOSTACCESS}, - {"packetdefault", KW_PACKETDEFAULT}, + {"eap_identity", KW_EAP_IDENTITY}, + {"leftsubnet", KW_LEFTSUBNET}, {"dpdaction", KW_DPDACTION}, - {"ocspuri1", KW_OCSPURI}, - {"pfsgroup", KW_PFSGROUP}, - {"rightauth", KW_RIGHTAUTH}, - {"also", KW_ALSO}, + {"dpdtimeout", KW_DPDTIMEOUT}, + {"rightca", KW_RIGHTCA}, + {"compress", KW_COMPRESS}, + {"installpolicy", KW_INSTALLPOLICY}, + {"pfsgroup", KW_PFS_DEPRECATED}, + {"nat_traversal", KW_SETUP_DEPRECATED}, + {"authby", KW_AUTHBY}, {"leftsourceip", KW_LEFTSOURCEIP}, {"rightid2", KW_RIGHTID2}, - {"dumpdir", KW_DUMPDIR}, - {"rekey", KW_REKEY}, - {"ikelifetime", KW_IKELIFETIME}, - {"dpdtimeout", KW_DPDTIMEOUT}, - {"ldaphost", KW_LDAPHOST}, - {"rekeyfuzz", KW_REKEYFUZZ}, + {"cacert", KW_CACERT}, + {"rekeymargin", KW_REKEYMARGIN}, + {"rightauth", KW_RIGHTAUTH}, + {"rightgroups2", KW_RIGHTGROUPS2}, + {"mark_out", KW_MARK_OUT}, {"leftcert2", KW_LEFTCERT2}, - {"leftikeport", KW_LEFTIKEPORT}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, - {"plutostderrlog", KW_PLUTOSTDERRLOG}, - {"plutostart", KW_PLUTOSTART}, - {"rightauth2", KW_RIGHTAUTH2}, - {"leftca2", KW_LEFTCA2}, - {"mark", KW_MARK}, - {"force_keepalive", KW_FORCE_KEEPALIVE}, - {"auto", KW_AUTO}, - {"charondebug", KW_CHARONDEBUG}, + {"packetdefault", KW_SETUP_DEPRECATED}, + {"rightupdown", KW_RIGHTUPDOWN}, + {"also", KW_ALSO}, {"dpddelay", KW_DPDDELAY}, {"xauth_identity", KW_XAUTH_IDENTITY}, - {"charonstart", KW_CHARONSTART}, - {"fragicmp", KW_FRAGICMP}, - {"prepluto", KW_PREPLUTO}, - {"closeaction", KW_CLOSEACTION}, + {"ldaphost", KW_CA_DEPRECATED}, + {"crluri1", KW_CRLURI}, + {"leftsubnetwithin", KW_LEFTSUBNET}, + {"dumpdir", KW_SETUP_DEPRECATED}, + {"crlcheckinterval", KW_SETUP_DEPRECATED}, + {"leftgroups2", KW_LEFTGROUPS2}, + {"rightauth2", KW_RIGHTAUTH2}, {"leftid2", KW_LEFTID2}, - {"plutodebug", KW_PLUTODEBUG}, + {"leftca2", KW_LEFTCA2}, + {"plutostderrlog", KW_SETUP_DEPRECATED}, + {"plutostart", KW_SETUP_DEPRECATED}, + {"fragicmp", KW_SETUP_DEPRECATED}, + {"ocspuri1", KW_OCSPURI}, + {"charondebug", KW_CHARONDEBUG}, {"tfc", KW_TFC}, - {"auth", KW_AUTH}, - {"rekeymargin", KW_REKEYMARGIN}, + {"auto", KW_AUTO}, + {"charonstart", KW_SETUP_DEPRECATED}, + {"plutodebug", KW_SETUP_DEPRECATED}, {"modeconfig", KW_MODECONFIG}, + {"prepluto", KW_SETUP_DEPRECATED}, + {"nocrsend", KW_SETUP_DEPRECATED}, + {"auth", KW_AUTH}, {"leftauth", KW_LEFTAUTH}, - {"xauth", KW_XAUTH}, {"cachecrls", KW_CACHECRLS}, + {"pkcs11module", KW_PKCS11_DEPRECATED}, {"crluri2", KW_CRLURI2}, - {"postpluto", KW_POSTPLUTO}, - {"nocrsend", KW_NOCRSEND}, - {"leftauth2", KW_LEFTAUTH2}, + {"pkcs11initargs", KW_PKCS11_DEPRECATED}, + {"pkcs11keepstate", KW_PKCS11_DEPRECATED}, {"rightca2", KW_RIGHTCA2}, + {"closeaction", KW_CLOSEACTION}, {"rightcert2", KW_RIGHTCERT2}, - {"pkcs11module", KW_PKCS11MODULE}, + {"pkcs11proxy", KW_PKCS11_DEPRECATED}, + {"xauth", KW_XAUTH}, + {"postpluto", KW_SETUP_DEPRECATED}, {"reauth", KW_REAUTH}, - {"pkcs11initargs", KW_PKCS11INITARGS}, - {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"ocspuri2", KW_OCSPURI2}, - {"pkcs11proxy", KW_PKCS11PROXY} + {"leftauth2", KW_LEFTAUTH2}, + {"ocspuri2", KW_OCSPURI2} }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, - 1, 2, -1, -1, 3, 4, 5, 6, 7, 8, - -1, 9, 10, 11, 12, -1, 13, -1, 14, -1, - 15, 16, 17, -1, 18, 19, 20, -1, -1, -1, - 21, 22, 23, 24, 25, -1, -1, -1, 26, 27, - 28, -1, 29, -1, -1, -1, 30, -1, 31, 32, - 33, 34, 35, -1, 36, 37, -1, 38, -1, 39, - 40, -1, -1, 41, 42, 43, -1, -1, 44, 45, - 46, -1, 47, -1, 48, 49, 50, 51, 52, 53, - -1, 54, 55, -1, -1, -1, 56, -1, 57, 58, - 59, 60, -1, 61, -1, -1, 62, 63, 64, 65, - 66, -1, 67, 68, 69, 70, -1, 71, 72, 73, - 74, -1, 75, 76, 77, 78, 79, 80, 81, 82, - 83, -1, 84, 85, 86, 87, 88, 89, 90, 91, - 92, 93, 94, -1, 95, 96, 97, 98, -1, -1, - 99, 100, -1, -1, 101, -1, 102, -1, -1, 103, - -1, 104, 105, -1, 106, -1, -1, -1, -1, -1, - 107, 108, -1, -1, -1, -1, -1, 109, -1, -1, - -1, -1, 110, -1, 111, -1, -1, -1, -1, -1, - -1, -1, -1, 112, 113, 114, -1, 115, -1, 116, - -1, 117, -1, -1, 118, 119, -1, -1, -1, 120, - -1, -1, -1, -1, -1, 121, 122, -1, -1, -1, - -1, -1, -1, -1, -1, -1, 123, -1, 124, -1, - -1, -1, -1, -1, -1, -1, 125, 126, 127, 128, - -1, -1, 129, -1, -1, -1, 130 + 1, 2, 3, -1, 4, -1, -1, 5, 6, 7, + 8, 9, 10, -1, 11, 12, 13, -1, -1, -1, + 14, 15, 16, 17, 18, 19, 20, 21, -1, -1, + -1, 22, 23, 24, 25, 26, 27, 28, 29, 30, + 31, 32, -1, 33, 34, 35, 36, -1, 37, 38, + 39, 40, 41, -1, 42, -1, 43, -1, 44, 45, + -1, -1, -1, -1, -1, -1, 46, 47, 48, 49, + 50, 51, -1, -1, 52, 53, 54, 55, 56, 57, + 58, 59, 60, 61, 62, 63, 64, -1, 65, -1, + 66, 67, 68, 69, 70, 71, 72, 73, -1, 74, + 75, 76, 77, 78, -1, -1, -1, 79, 80, -1, + 81, 82, 83, -1, 84, 85, 86, 87, 88, 89, + -1, 90, 91, 92, 93, 94, 95, -1, -1, 96, + -1, 97, -1, 98, -1, 99, 100, -1, 101, -1, + 102, -1, -1, -1, 103, -1, 104, 105, -1, 106, + -1, -1, 107, 108, -1, 109, 110, 111, -1, -1, + -1, 112, -1, 113, -1, -1, -1, -1, -1, -1, + -1, 114, 115, -1, 116, -1, 117, -1, -1, -1, + 118, -1, -1, 119, 120, -1, -1, 121, 122, 123, + 124, -1, -1, -1, 125, 126, 127, 128, -1, -1, + -1, 129, -1, 130, -1, -1, -1, 131, -1, 132, + 133 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 02be919ea..537bceb07 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -1,4 +1,4 @@ -/* strongSwan keywords +/* * Copyright (C) 2005 Andreas Steffen * Hochschule fuer Technik Rapperswil, Switzerland * @@ -18,58 +18,26 @@ typedef enum { /* config setup keywords */ - KW_INTERFACES, - KW_DUMPDIR, - KW_CHARONSTART, - KW_PLUTOSTART, - - /* pluto/charon keywords */ - KW_PLUTODEBUG, KW_CHARONDEBUG, - KW_PREPLUTO, - KW_POSTPLUTO, - KW_PLUTOSTDERRLOG, KW_UNIQUEIDS, - KW_OVERRIDEMTU, - KW_CRLCHECKINTERVAL, KW_CACHECRLS, KW_STRICTCRLPOLICY, - KW_NOCRSEND, - KW_NAT_TRAVERSAL, - KW_KEEP_ALIVE, - KW_FORCE_KEEPALIVE, - KW_VIRTUAL_PRIVATE, - KW_PKCS11MODULE, - KW_PKCS11INITARGS, - KW_PKCS11KEEPSTATE, - KW_PKCS11PROXY, - -#define KW_PLUTO_FIRST KW_PLUTODEBUG -#define KW_PLUTO_LAST KW_PKCS11PROXY - - /* KLIPS keywords */ - KW_KLIPSDEBUG, - KW_FRAGICMP, - KW_PACKETDEFAULT, - KW_HIDETOS, - -#define KW_KLIPS_FIRST KW_KLIPSDEBUG -#define KW_KLIPS_LAST KW_HIDETOS - -#define KW_SETUP_FIRST KW_INTERFACES -#define KW_SETUP_LAST KW_HIDETOS + KW_PKCS11_DEPRECATED, + KW_SETUP_DEPRECATED, + +#define KW_SETUP_FIRST KW_CHARONDEBUG +#define KW_SETUP_LAST KW_SETUP_DEPRECATED /* conn section keywords */ KW_CONN_NAME, KW_CONN_SETUP, KW_KEYEXCHANGE, KW_TYPE, - KW_PFS, KW_COMPRESS, KW_INSTALLPOLICY, + KW_AGGRESSIVE, KW_AUTH, KW_AUTHBY, - KW_EAP, KW_EAP_IDENTITY, KW_AAA_IDENTITY, KW_MOBIKE, @@ -87,7 +55,6 @@ typedef enum { KW_REAUTH, KW_IKE, KW_ESP, - KW_PFSGROUP, KW_DPDDELAY, KW_DPDTIMEOUT, KW_DPDACTION, @@ -104,34 +71,33 @@ typedef enum { KW_MARK_IN, KW_MARK_OUT, KW_TFC, + KW_PFS_DEPRECATED, + KW_CONN_DEPRECATED, #define KW_CONN_FIRST KW_CONN_SETUP -#define KW_CONN_LAST KW_TFC +#define KW_CONN_LAST KW_CONN_DEPRECATED - /* ca section keywords */ + /* ca section keywords */ KW_CA_NAME, KW_CA_SETUP, KW_CACERT, - KW_LDAPHOST, - KW_LDAPBASE, KW_CRLURI, KW_CRLURI2, KW_OCSPURI, KW_OCSPURI2, KW_CERTURIBASE, + KW_CA_DEPRECATED, #define KW_CA_FIRST KW_CA_SETUP -#define KW_CA_LAST KW_CERTURIBASE +#define KW_CA_LAST KW_CA_DEPRECATED - /* end keywords */ + /* end keywords */ KW_HOST, KW_IKEPORT, - KW_NEXTHOP, KW_SUBNET, - KW_SUBNETWITHIN, KW_PROTOPORT, KW_SOURCEIP, - KW_NATIP, + KW_DNS, KW_FIREWALL, KW_HOSTACCESS, KW_ALLOWANY, @@ -148,20 +114,19 @@ typedef enum { KW_CA, KW_CA2, KW_GROUPS, - KW_IFACE, + KW_GROUPS2, + KW_END_DEPRECATED, #define KW_END_FIRST KW_HOST -#define KW_END_LAST KW_IFACE +#define KW_END_LAST KW_END_DEPRECATED - /* left end keywords */ + /* left end keywords */ KW_LEFT, KW_LEFTIKEPORT, - KW_LEFTNEXTHOP, KW_LEFTSUBNET, - KW_LEFTSUBNETWITHIN, KW_LEFTPROTOPORT, KW_LEFTSOURCEIP, - KW_LEFTNATIP, + KW_LEFTDNS, KW_LEFTFIREWALL, KW_LEFTHOSTACCESS, KW_LEFTALLOWANY, @@ -178,19 +143,19 @@ typedef enum { KW_LEFTCA, KW_LEFTCA2, KW_LEFTGROUPS, + KW_LEFTGROUPS2, + KW_LEFT_DEPRECATED, #define KW_LEFT_FIRST KW_LEFT -#define KW_LEFT_LAST KW_LEFTGROUPS +#define KW_LEFT_LAST KW_LEFT_DEPRECATED - /* right end keywords */ + /* right end keywords */ KW_RIGHT, KW_RIGHTIKEPORT, - KW_RIGHTNEXTHOP, KW_RIGHTSUBNET, - KW_RIGHTSUBNETWITHIN, KW_RIGHTPROTOPORT, KW_RIGHTSOURCEIP, - KW_RIGHTNATIP, + KW_RIGHTDNS, KW_RIGHTFIREWALL, KW_RIGHTHOSTACCESS, KW_RIGHTALLOWANY, @@ -207,13 +172,15 @@ typedef enum { KW_RIGHTCA, KW_RIGHTCA2, KW_RIGHTGROUPS, + KW_RIGHTGROUPS2, + KW_RIGHT_DEPRECATED, #define KW_RIGHT_FIRST KW_RIGHT -#define KW_RIGHT_LAST KW_RIGHTGROUPS +#define KW_RIGHT_LAST KW_RIGHT_DEPRECATED /* general section keywords */ KW_ALSO, - KW_AUTO + KW_AUTO, } kw_token_t; diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 548fa2f70..8366f5209 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -1,5 +1,5 @@ %{ -/* strongSwan keywords +/* * Copyright (C) 2005 Andreas Steffen * Hochschule fuer Technik Rapperswil, Switzerland * @@ -24,61 +24,37 @@ struct kw_entry { kw_token_t token; }; %% -interfaces, KW_INTERFACES -dumpdir, KW_DUMPDIR -charonstart, KW_CHARONSTART -plutostart, KW_PLUTOSTART -klipsdebug, KW_KLIPSDEBUG -plutodebug, KW_PLUTODEBUG +# regular keywords charondebug, KW_CHARONDEBUG -prepluto, KW_PREPLUTO -postpluto, KW_POSTPLUTO -plutostderrlog, KW_PLUTOSTDERRLOG -fragicmp, KW_FRAGICMP -packetdefault, KW_PACKETDEFAULT -hidetos, KW_HIDETOS uniqueids, KW_UNIQUEIDS -overridemtu, KW_OVERRIDEMTU -crlcheckinterval, KW_CRLCHECKINTERVAL cachecrls, KW_CACHECRLS strictcrlpolicy, KW_STRICTCRLPOLICY -nocrsend, KW_NOCRSEND -nat_traversal, KW_NAT_TRAVERSAL -keep_alive, KW_KEEP_ALIVE -force_keepalive, KW_FORCE_KEEPALIVE -virtual_private, KW_VIRTUAL_PRIVATE -eap, KW_EAP -eap_identity, KW_EAP_IDENTITY -aaa_identity, KW_AAA_IDENTITY -mobike, KW_MOBIKE -forceencaps, KW_FORCEENCAPS -pkcs11module, KW_PKCS11MODULE -pkcs11initargs, KW_PKCS11INITARGS -pkcs11keepstate, KW_PKCS11KEEPSTATE -pkcs11proxy, KW_PKCS11PROXY keyexchange, KW_KEYEXCHANGE type, KW_TYPE -pfs, KW_PFS compress, KW_COMPRESS installpolicy, KW_INSTALLPOLICY +aggressive, KW_AGGRESSIVE auth, KW_AUTH authby, KW_AUTHBY +eap_identity, KW_EAP_IDENTITY +aaa_identity, KW_AAA_IDENTITY +mobike, KW_MOBIKE +forceencaps, KW_FORCEENCAPS +ikelifetime, KW_IKELIFETIME +lifetime, KW_KEYLIFE keylife, KW_KEYLIFE rekeymargin, KW_REKEYMARGIN -lifetime, KW_KEYLIFE margintime, KW_REKEYMARGIN lifebytes, KW_LIFEBYTES marginbytes, KW_MARGINBYTES lifepackets, KW_LIFEPACKETS marginpackets, KW_MARGINPACKETS -ikelifetime, KW_IKELIFETIME keyingtries, KW_KEYINGTRIES rekeyfuzz, KW_REKEYFUZZ rekey, KW_REKEY reauth, KW_REAUTH -esp, KW_ESP ike, KW_IKE -pfsgroup, KW_PFSGROUP +esp, KW_ESP dpddelay, KW_DPDDELAY dpdtimeout, KW_DPDTIMEOUT dpdaction, KW_DPDACTION @@ -96,8 +72,6 @@ mark_in, KW_MARK_IN mark_out, KW_MARK_OUT tfc, KW_TFC cacert, KW_CACERT -ldaphost, KW_LDAPHOST -ldapbase, KW_LDAPBASE crluri, KW_CRLURI crluri1, KW_CRLURI crluri2, KW_CRLURI2 @@ -107,20 +81,19 @@ ocspuri2, KW_OCSPURI2 certuribase, KW_CERTURIBASE left, KW_LEFT leftikeport, KW_LEFTIKEPORT -leftnexthop, KW_LEFTNEXTHOP leftsubnet, KW_LEFTSUBNET -leftsubnetwithin, KW_LEFTSUBNETWITHIN +leftsubnetwithin, KW_LEFTSUBNET leftprotoport, KW_LEFTPROTOPORT leftsourceip, KW_LEFTSOURCEIP -leftnatip, KW_LEFTNATIP +leftdns, KW_LEFTDNS leftfirewall, KW_LEFTFIREWALL lefthostaccess, KW_LEFTHOSTACCESS leftallowany, KW_LEFTALLOWANY leftupdown, KW_LEFTUPDOWN -leftid, KW_LEFTID -leftid2, KW_LEFTID2 leftauth, KW_LEFTAUTH leftauth2, KW_LEFTAUTH2 +leftid, KW_LEFTID +leftid2, KW_LEFTID2 leftrsasigkey, KW_LEFTRSASIGKEY leftcert, KW_LEFTCERT leftcert2, KW_LEFTCERT2 @@ -129,22 +102,22 @@ leftsendcert, KW_LEFTSENDCERT leftca, KW_LEFTCA leftca2, KW_LEFTCA2 leftgroups, KW_LEFTGROUPS +leftgroups2, KW_LEFTGROUPS2 right, KW_RIGHT rightikeport, KW_RIGHTIKEPORT -rightnexthop, KW_RIGHTNEXTHOP rightsubnet, KW_RIGHTSUBNET -rightsubnetwithin, KW_RIGHTSUBNETWITHIN +rightsubnetwithin, KW_RIGHTSUBNET rightprotoport, KW_RIGHTPROTOPORT rightsourceip, KW_RIGHTSOURCEIP -rightnatip, KW_RIGHTNATIP +rightdns, KW_RIGHTDNS rightfirewall, KW_RIGHTFIREWALL righthostaccess, KW_RIGHTHOSTACCESS rightallowany, KW_RIGHTALLOWANY rightupdown, KW_RIGHTUPDOWN -rightid, KW_RIGHTID -rightid2, KW_RIGHTID2 rightauth, KW_RIGHTAUTH rightauth2, KW_RIGHTAUTH2 +rightid, KW_RIGHTID +rightid2, KW_RIGHTID2 rightrsasigkey, KW_RIGHTRSASIGKEY rightcert, KW_RIGHTCERT rightcert2, KW_RIGHTCERT2 @@ -153,5 +126,37 @@ rightsendcert, KW_RIGHTSENDCERT rightca, KW_RIGHTCA rightca2, KW_RIGHTCA2 rightgroups, KW_RIGHTGROUPS +rightgroups2, KW_RIGHTGROUPS2 also, KW_ALSO auto, KW_AUTO +# deprecated/removed keywords +interfaces, KW_SETUP_DEPRECATED +dumpdir, KW_SETUP_DEPRECATED +charonstart, KW_SETUP_DEPRECATED +plutostart, KW_SETUP_DEPRECATED +klipsdebug, KW_SETUP_DEPRECATED +plutodebug, KW_SETUP_DEPRECATED +prepluto, KW_SETUP_DEPRECATED +postpluto, KW_SETUP_DEPRECATED +plutostderrlog, KW_SETUP_DEPRECATED +fragicmp, KW_SETUP_DEPRECATED +packetdefault, KW_SETUP_DEPRECATED +hidetos, KW_SETUP_DEPRECATED +overridemtu, KW_SETUP_DEPRECATED +crlcheckinterval, KW_SETUP_DEPRECATED +nocrsend, KW_SETUP_DEPRECATED +nat_traversal, KW_SETUP_DEPRECATED +keep_alive, KW_SETUP_DEPRECATED +force_keepalive, KW_SETUP_DEPRECATED +virtual_private, KW_SETUP_DEPRECATED +pkcs11module, KW_PKCS11_DEPRECATED +pkcs11initargs, KW_PKCS11_DEPRECATED +pkcs11keepstate, KW_PKCS11_DEPRECATED +pkcs11proxy, KW_PKCS11_DEPRECATED +ldaphost, KW_CA_DEPRECATED +ldapbase, KW_CA_DEPRECATED +pfs, KW_PFS_DEPRECATED +pfsgroup, KW_PFS_DEPRECATED +eap, KW_CONN_DEPRECATED +leftnexthop, KW_LEFT_DEPRECATED +rightnexthop, KW_RIGHT_DEPRECATED diff --git a/src/starter/klips.c b/src/starter/klips.c index 79bd25c44..484b7e281 100644 --- a/src/starter/klips.c +++ b/src/starter/klips.c @@ -16,16 +16,12 @@ #include <sys/stat.h> #include <stdlib.h> -#include <freeswan.h> - -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/log.h" +#include <library.h> +#include <debug.h> #include "files.h" -bool -starter_klips_init(void) +bool starter_klips_init(void) { struct stat stb; @@ -40,9 +36,7 @@ starter_klips_init(void) /* now test again */ if (stat(PROC_KLIPS, &stb) != 0) { - DBG(DBG_CONTROL, - DBG_log("kernel appears to lack the KLIPS IPsec stack") - ) + DBG2(DBG_APP, "kernel appears to lack the KLIPS IPsec stack"); return FALSE; } } @@ -52,29 +46,25 @@ starter_klips_init(void) ignore_result(system("modprobe -qv ipsec_blowfish")); ignore_result(system("modprobe -qv ipsec_sha2")); - DBG(DBG_CONTROL, - DBG_log("Found KLIPS IPsec stack") - ) - + DBG2(DBG_APP, "found KLIPS IPsec stack"); return TRUE; } -void -starter_klips_cleanup(void) +void starter_klips_cleanup(void) { if (system("type eroute > /dev/null 2>&1") == 0) { ignore_result(system("spi --clear")); ignore_result(system("eroute --clear")); } - else if (system("type setkey > /dev/null 2>&1") == 0) + else if (system("type setkey > /dev/null 2>&1") == 0) { ignore_result(system("setkey -F")); ignore_result(system("setkey -FP")); } else { - plog("WARNING: cannot flush IPsec state/policy database"); + DBG1(DBG_APP, "WARNING: cannot flush IPsec state/policy database"); } } diff --git a/src/starter/loglite.c b/src/starter/loglite.c deleted file mode 100644 index c88b33bfd..000000000 --- a/src/starter/loglite.c +++ /dev/null @@ -1,297 +0,0 @@ -/* error logging functions - * Copyright (C) 1997 Angelos D. Keromytis. - * Copyright (C) 1998-2001 D. Hugh Redelmeier. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <ctype.h> -#include <stdarg.h> -#include <syslog.h> -#include <errno.h> -#include <string.h> -#include <unistd.h> -#include <signal.h> /* used only if MSG_NOSIGNAL not defined */ -#include <libgen.h> -#include <sys/stat.h> -#include <sys/types.h> - -#include <freeswan.h> - -#include <constants.h> -#include <defs.h> -#include <log.h> -#include <whack.h> - -#ifndef LOG_AUTHPRIV -#define LOG_AUTHPRIV LOG_AUTH -#endif - -bool - log_to_stderr = FALSE, /* should log go to stderr? */ - log_to_syslog = TRUE; /* should log go to syslog? */ - -void -init_log(const char *program) -{ - if (log_to_stderr) - setbuf(stderr, NULL); - if (log_to_syslog) - openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); -} - -void -close_log(void) -{ - if (log_to_syslog) - closelog(); -} - -void -plog(const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "%s\n", m); - if (log_to_syslog) - syslog(LOG_WARNING, "%s", m); -} - -void -loglog(int mess_no, const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "%s\n", m); - if (log_to_syslog) - syslog(LOG_WARNING, "%s", m); -} - -void -log_errno_routine(int e, const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); - if (log_to_syslog) - syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e)); -} - -void -exit_log(const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "FATAL ERROR: %s\n", m); - if (log_to_syslog) - syslog(LOG_ERR, "FATAL ERROR: %s", m); - exit(1); -} - -void -exit_log_errno_routine(int e, const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); - if (log_to_syslog) - syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e)); - exit(1); -} - -void -whack_log(int mess_no, const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - fprintf(stderr, "%s\n", m); -} - -/* Build up a diagnostic in a static buffer. - * Although this would be a generally useful function, it is very - * hard to come up with a discipline that prevents different uses - * from interfering. It is intended that by limiting it to building - * diagnostics, we will avoid this problem. - * Juggling is performed to allow an argument to be a previous - * result: the new string may safely depend on the old one. This - * restriction is not checked in any way: violators will produce - * confusing results (without crashing!). - */ -char diag_space[sizeof(diag_space)]; - -err_t -builddiag(const char *fmt, ...) -{ - static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */ - char t[sizeof(diag_space)]; /* build result here first */ - va_list args; - - va_start(args, fmt); - t[0] = '\0'; /* in case nothing terminates string */ - vsnprintf(t, sizeof(t), fmt, args); - va_end(args); - strcpy(diag_space, t); - return diag_space; -} - -/* Debugging message support */ - -#ifdef DEBUG - -void -switch_fail(int n, const char *file_str, unsigned long line_no) -{ - char buf[30]; - - snprintf(buf, sizeof(buf), "case %d unexpected", n); - passert_fail(buf, file_str, line_no); -} - -void -passert_fail(const char *pred_str, const char *file_str, unsigned long line_no) -{ - /* we will get a possibly unplanned prefix. Hope it works */ - loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str); - abort(); /* exiting correctly doesn't always work */ -} - -lset_t - base_debugging = DBG_NONE, /* default to reporting nothing */ - cur_debugging = DBG_NONE; - -void -pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no) -{ - /* we will get a possibly unplanned prefix. Hope it works */ - loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str); -} - -/* log a debugging message (prefixed by "| ") */ - -void -DBG_log(const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "| %s\n", m); - if (log_to_syslog) - syslog(LOG_DEBUG, "| %s", m); -} - -/* dump raw bytes in hex to stderr (for lack of any better destination) */ - -void -DBG_dump(const char *label, const void *p, size_t len) -{ -# define DUMP_LABEL_WIDTH 20 /* arbitrary modest boundary */ -# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1) - char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH]; - char *bp; - const unsigned char *cp = p; - - bp = buf; - - if (label != NULL && label[0] != '\0') - { - /* Handle the label. Care must be taken to avoid buffer overrun. */ - size_t llen = strlen(label); - - if (llen + 1 > sizeof(buf)) - { - DBG_log("%s", label); - } - else - { - strcpy(buf, label); - if (buf[llen-1] == '\n') - { - buf[llen-1] = '\0'; /* get rid of newline */ - DBG_log("%s", buf); - } - else if (llen < DUMP_LABEL_WIDTH) - { - bp = buf + llen; - } - else - { - DBG_log("%s", buf); - } - } - } - - do { - int i, j; - - for (i = 0; len!=0 && i!=4; i++) - { - *bp++ = ' '; - for (j = 0; len!=0 && j!=4; len--, j++) - { - static const char hexdig[] = "0123456789abcdef"; - - *bp++ = ' '; - *bp++ = hexdig[(*cp >> 4) & 0xF]; - *bp++ = hexdig[*cp & 0xF]; - cp++; - } - } - *bp = '\0'; - DBG_log("%s", buf); - bp = buf; - } while (len != 0); -# undef DUMP_LABEL_WIDTH -# undef DUMP_WIDTH -} - -#endif /* DEBUG */ diff --git a/src/starter/netkey.c b/src/starter/netkey.c index 6646195cb..25f68e505 100644 --- a/src/starter/netkey.c +++ b/src/starter/netkey.c @@ -16,17 +16,13 @@ #include <sys/stat.h> #include <stdlib.h> -#include <freeswan.h> +#include <library.h> #include <hydra.h> - -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/log.h" +#include <debug.h> #include "files.h" -bool -starter_netkey_init(void) +bool starter_netkey_init(void) { struct stat stb; @@ -41,9 +37,7 @@ starter_netkey_init(void) /* now test again */ if (stat(PROC_NETKEY, &stb) != 0) { - DBG(DBG_CONTROL, - DBG_log("kernel appears to lack the native netkey IPsec stack") - ) + DBG2(DBG_APP, "kernel appears to lack the native netkey IPsec stack"); return FALSE; } } @@ -58,15 +52,19 @@ starter_netkey_init(void) ignore_result(system("modprobe -qv xfrm_user")); } - DBG(DBG_CONTROL, - DBG_log("Found netkey IPsec stack") - ) + DBG2(DBG_APP, "found netkey IPsec stack"); return TRUE; } -void -starter_netkey_cleanup(void) +void starter_netkey_cleanup(void) { + if (!lib->plugins->load(lib->plugins, NULL, + lib->settings->get_str(lib->settings, "starter.load", PLUGINS))) + { + DBG1(DBG_APP, "unable to load kernel plugins"); + return; + } hydra->kernel_interface->flush_sas(hydra->kernel_interface); hydra->kernel_interface->flush_policies(hydra->kernel_interface); + lib->plugins->unload(lib->plugins); } diff --git a/src/starter/parser.c b/src/starter/parser.c index ef668027d..beb752a51 100644 --- a/src/starter/parser.c +++ b/src/starter/parser.c @@ -88,11 +88,9 @@ #include <stdlib.h> #include <string.h> -#include <freeswan.h> +#include <library.h> +#include <debug.h> -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/log.h" #include "ipsec-parser.h" #define YYERROR_VERBOSE @@ -123,7 +121,7 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len); /* Line 189 of yacc.c */ -#line 127 "parser.c" +#line 125 "parser.c" /* Enabling traces. */ #ifndef YYDEBUG @@ -182,12 +180,12 @@ typedef union YYSTYPE { /* Line 214 of yacc.c */ -#line 54 "parser.y" +#line 52 "parser.y" char *s; /* Line 214 of yacc.c */ -#line 191 "parser.c" +#line 189 "parser.c" } YYSTYPE; # define YYSTYPE_IS_TRIVIAL 1 # define yystype YYSTYPE /* obsolescent; will be withdrawn */ @@ -199,7 +197,7 @@ typedef union YYSTYPE /* Line 264 of yacc.c */ -#line 203 "parser.c" +#line 201 "parser.c" #ifdef short # undef short @@ -487,8 +485,8 @@ static const yytype_int8 yyrhs[] = /* YYRLINE[YYN] -- source line where rule number YYN was defined. */ static const yytype_uint8 yyrline[] = { - 0, 65, 65, 66, 70, 75, 74, 80, 79, 96, - 95, 111, 110, 116, 120, 121, 125, 150, 154 + 0, 63, 63, 64, 68, 73, 72, 78, 77, 94, + 93, 109, 108, 114, 118, 119, 123, 148, 152 }; #endif @@ -1402,7 +1400,7 @@ yyreduce: case 4: /* Line 1455 of yacc.c */ -#line 71 "parser.y" +#line 69 "parser.y" { free((yyvsp[(2) - (3)].s)); } @@ -1411,7 +1409,7 @@ yyreduce: case 5: /* Line 1455 of yacc.c */ -#line 75 "parser.y" +#line 73 "parser.y" { _parser_kw = &(_parser_cfg->config_setup); _parser_kw_last = NULL; @@ -1421,11 +1419,11 @@ yyreduce: case 7: /* Line 1455 of yacc.c */ -#line 80 "parser.y" +#line 78 "parser.y" { section_list_t *section = malloc_thing(section_list_t); - - section->name = clone_str((yyvsp[(2) - (3)].s)); + + section->name = strdupnull((yyvsp[(2) - (3)].s)); section->kw = NULL; section->next = NULL; _parser_kw = &(section->kw); @@ -1442,10 +1440,10 @@ yyreduce: case 9: /* Line 1455 of yacc.c */ -#line 96 "parser.y" +#line 94 "parser.y" { section_list_t *section = malloc_thing(section_list_t); - section->name = clone_str((yyvsp[(2) - (3)].s)); + section->name = strdupnull((yyvsp[(2) - (3)].s)); section->kw = NULL; section->next = NULL; _parser_kw = &(section->kw); @@ -1462,7 +1460,7 @@ yyreduce: case 11: /* Line 1455 of yacc.c */ -#line 111 "parser.y" +#line 109 "parser.y" { extern void _parser_y_include (const char *f); _parser_y_include((yyvsp[(2) - (2)].s)); @@ -1473,7 +1471,7 @@ yyreduce: case 16: /* Line 1455 of yacc.c */ -#line 126 "parser.y" +#line 124 "parser.y" { kw_list_t *new; kw_entry_t *entry = in_word_set((yyvsp[(1) - (3)].s), strlen((yyvsp[(1) - (3)].s))); @@ -1487,7 +1485,7 @@ yyreduce: { new = (kw_list_t *)malloc_thing(kw_list_t); new->entry = entry; - new->value = clone_str((yyvsp[(3) - (3)].s)); + new->value = strdupnull((yyvsp[(3) - (3)].s)); new->next = NULL; if (_parser_kw_last) _parser_kw_last->next = new; @@ -1503,7 +1501,7 @@ yyreduce: case 17: /* Line 1455 of yacc.c */ -#line 151 "parser.y" +#line 149 "parser.y" { free((yyvsp[(1) - (2)].s)); } @@ -1512,7 +1510,7 @@ yyreduce: /* Line 1455 of yacc.c */ -#line 1516 "parser.c" +#line 1514 "parser.c" default: break; } YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc); @@ -1724,7 +1722,7 @@ yyreturn: /* Line 1675 of yacc.c */ -#line 157 "parser.y" +#line 155 "parser.y" void yyerror(const char *s) @@ -1794,7 +1792,7 @@ config_parsed_t *parser_load_conf(const char *file) if (err) { - plog("%s", parser_errstring); + DBG1(DBG_APP, "%s", parser_errstring); if (cfg) parser_free_conf(cfg); diff --git a/src/starter/parser.h b/src/starter/parser.h index f0e666bb5..eff532f6d 100644 --- a/src/starter/parser.h +++ b/src/starter/parser.h @@ -71,7 +71,7 @@ typedef union YYSTYPE { /* Line 1676 of yacc.c */ -#line 54 "parser.y" +#line 52 "parser.y" char *s; diff --git a/src/starter/parser.y b/src/starter/parser.y index dfaec9ee8..424e3a9fd 100644 --- a/src/starter/parser.y +++ b/src/starter/parser.y @@ -17,11 +17,9 @@ #include <stdlib.h> #include <string.h> -#include <freeswan.h> +#include <library.h> +#include <debug.h> -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/log.h" #include "ipsec-parser.h" #define YYERROR_VERBOSE @@ -63,7 +61,7 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len); config_file: config_file section_or_include - | /* NULL */ + | /* NULL */ ; section_or_include: @@ -79,8 +77,8 @@ section_or_include: | CONN STRING EOL { section_list_t *section = malloc_thing(section_list_t); - - section->name = clone_str($2); + + section->name = strdupnull($2); section->kw = NULL; section->next = NULL; _parser_kw = &(section->kw); @@ -95,7 +93,7 @@ section_or_include: | CA STRING EOL { section_list_t *section = malloc_thing(section_list_t); - section->name = clone_str($2); + section->name = strdupnull($2); section->kw = NULL; section->next = NULL; _parser_kw = &(section->kw); @@ -136,7 +134,7 @@ statement_kw: { new = (kw_list_t *)malloc_thing(kw_list_t); new->entry = entry; - new->value = clone_str($3); + new->value = strdupnull($3); new->next = NULL; if (_parser_kw_last) _parser_kw_last->next = new; @@ -223,7 +221,7 @@ config_parsed_t *parser_load_conf(const char *file) if (err) { - plog("%s", parser_errstring); + DBG1(DBG_APP, "%s", parser_errstring); if (cfg) parser_free_conf(cfg); diff --git a/src/starter/starter.c b/src/starter/starter.c index 44e21431c..c6efcb2f4 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -12,12 +12,14 @@ * for more details. */ +#include <sys/select.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/stat.h> #include <stdlib.h> #include <stdio.h> #include <signal.h> +#include <syslog.h> #include <unistd.h> #include <sys/time.h> #include <time.h> @@ -26,25 +28,100 @@ #include <fcntl.h> #include <pwd.h> #include <grp.h> +#include <pthread.h> -#include <freeswan.h> #include <library.h> #include <hydra.h> - -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/log.h" +#include <utils/backtrace.h> +#include <threading/thread.h> +#include <debug.h> #include "confread.h" #include "files.h" -#include "starterwhack.h" #include "starterstroke.h" -#include "invokepluto.h" #include "invokecharon.h" #include "netkey.h" #include "klips.h" #include "cmp.h" -#include "interfaces.h" + +#ifndef LOG_AUTHPRIV +#define LOG_AUTHPRIV LOG_AUTH +#endif + +#define CHARON_RESTART_DELAY 5 + +/* logging */ +static bool log_to_stderr = TRUE; +static bool log_to_syslog = TRUE; +static level_t current_loglevel = 1; + +/** + * logging function for scepclient + */ +static void starter_dbg(debug_t group, level_t level, char *fmt, ...) +{ + char buffer[8192]; + char *current = buffer, *next; + va_list args; + + if (level <= current_loglevel) + { + if (log_to_stderr) + { + va_start(args, fmt); + vfprintf(stderr, fmt, args); + va_end(args); + fprintf(stderr, "\n"); + } + if (log_to_syslog) + { + /* write in memory buffer first */ + va_start(args, fmt); + vsnprintf(buffer, sizeof(buffer), fmt, args); + va_end(args); + + /* do a syslog with every line */ + while (current) + { + next = strchr(current, '\n'); + if (next) + { + *(next++) = '\0'; + } + syslog(LOG_INFO, "%s\n", current); + current = next; + } + } + } +} + +/** + * Initialize logging to stderr/syslog + */ +static void init_log(const char *program) +{ + dbg = starter_dbg; + + if (log_to_stderr) + { + setbuf(stderr, NULL); + } + if (log_to_syslog) + { + openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); + } +} + +/** + * Deinitialize logging to syslog + */ +static void close_log() +{ + if (log_to_syslog) + { + closelog(); + } +} /** * Return codes defined by Linux Standard Base Core Specification 3.1 @@ -68,7 +145,10 @@ static unsigned int _action_ = 0; -static void fsig(int signal) +/** + * Handle signals in the main thread + */ +static void signal_handler(int signal) { switch (signal) { @@ -80,27 +160,19 @@ static void fsig(int signal) while ((pid = waitpid(-1, &status, WNOHANG)) > 0) { - if (pid == starter_pluto_pid()) - { - name = " (Pluto)"; - } if (pid == starter_charon_pid()) { name = " (Charon)"; } if (WIFSIGNALED(status)) { - DBG(DBG_CONTROL, - DBG_log("child %d%s has been killed by sig %d\n", - pid, name?name:"", WTERMSIG(status)) - ) + DBG2(DBG_APP, "child %d%s has been killed by sig %d\n", + pid, name?name:"", WTERMSIG(status)); } else if (WIFSTOPPED(status)) { - DBG(DBG_CONTROL, - DBG_log("child %d%s has been stopped by sig %d\n", - pid, name?name:"", WSTOPSIG(status)) - ) + DBG2(DBG_APP, "child %d%s has been stopped by sig %d\n", + pid, name?name:"", WSTOPSIG(status)); } else if (WIFEXITED(status)) { @@ -109,20 +181,12 @@ static void fsig(int signal) { _action_ = FLAG_ACTION_QUIT; } - DBG(DBG_CONTROL, - DBG_log("child %d%s has quit (exit code %d)\n", - pid, name?name:"", exit_status) - ) + DBG2(DBG_APP, "child %d%s has quit (exit code %d)\n", + pid, name?name:"", exit_status); } else { - DBG(DBG_CONTROL, - DBG_log("child %d%s has quit", pid, name?name:"") - ) - } - if (pid == starter_pluto_pid()) - { - starter_pluto_sigchild(pid, exit_status); + DBG2(DBG_APP, "child %d%s has quit", pid, name?name:""); } if (pid == starter_charon_pid()) { @@ -132,12 +196,7 @@ static void fsig(int signal) } break; - case SIGPIPE: - /** ignore **/ - break; - case SIGALRM: - _action_ |= FLAG_ACTION_START_PLUTO; _action_ |= FLAG_ACTION_START_CHARON; break; @@ -157,11 +216,27 @@ static void fsig(int signal) break; default: - plog("fsig(): unknown signal %d -- investigate", signal); + DBG1(DBG_APP, "fsig(): unknown signal %d -- investigate", signal); break; } } +/** + * Handle fatal signals raised by threads + */ +static void fatal_signal_handler(int signal) +{ + backtrace_t *backtrace; + + DBG1(DBG_APP, "thread %u received %d", thread_current_id(), signal); + backtrace = backtrace_create(2); + backtrace->log(backtrace, stderr, TRUE); + backtrace->destroy(backtrace); + + DBG1(DBG_APP, "killing ourself, received critical signal"); + abort(); +} + #ifdef GENERATE_SELFCERT static void generate_selfcert() { @@ -244,7 +319,7 @@ static bool check_pid(char *pid_file) return TRUE; } } - plog("removing pidfile '%s', process not running", pid_file); + DBG1(DBG_APP, "removing pidfile '%s', process not running", pid_file); unlink(pid_file); } return FALSE; @@ -252,8 +327,8 @@ static bool check_pid(char *pid_file) static void usage(char *name) { - fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] " - "[--debug|--debug-more|--debug-all]\n"); + fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>]\n" + " [--debug|--debug-more|--debug-all|--nolog]\n"); exit(LSB_RC_INVALID_ARGUMENT); } @@ -264,21 +339,18 @@ int main (int argc, char **argv) starter_conn_t *conn, *conn2; starter_ca_t *ca, *ca2; + struct sigaction action; struct stat stb; int i; int id = 1; - struct timeval tv; + struct timespec ts; unsigned long auto_update = 0; time_t last_reload; bool no_fork = FALSE; bool attach_gdb = FALSE; bool load_warning = FALSE; - /* global variables defined in log.h */ - log_to_stderr = TRUE; - base_debugging = DBG_NONE; - library_init(NULL); atexit(library_deinit); @@ -290,15 +362,19 @@ int main (int argc, char **argv) { if (streq(argv[i], "--debug")) { - base_debugging |= DBG_CONTROL; + current_loglevel = 2; } else if (streq(argv[i], "--debug-more")) { - base_debugging |= DBG_CONTROLMORE; + current_loglevel = 3; } else if (streq(argv[i], "--debug-all")) { - base_debugging |= DBG_ALL; + current_loglevel = 4; + } + else if (streq(argv[i], "--nolog")) + { + current_loglevel = 0; } else if (streq(argv[i], "--nofork")) { @@ -321,20 +397,12 @@ int main (int argc, char **argv) } } - /* Init */ init_log("ipsec_starter"); - cur_debugging = base_debugging; - - signal(SIGHUP, fsig); - signal(SIGCHLD, fsig); - signal(SIGPIPE, fsig); - signal(SIGINT, fsig); - signal(SIGTERM, fsig); - signal(SIGQUIT, fsig); - signal(SIGALRM, fsig); - signal(SIGUSR1, fsig); - plog("Starting strongSwan "VERSION" IPsec [starter]..."); + DBG1(DBG_APP, "Starting %sSwan "VERSION" IPsec [starter]...", + lib->settings->get_bool(lib->settings, + "charon.i_dont_care_about_security_and_use_aggressive_mode_psk", + FALSE) ? "weak" : "strong"); #ifdef LOAD_WARNING load_warning = TRUE; @@ -342,34 +410,24 @@ int main (int argc, char **argv) if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning)) { - if (lib->settings->get_str(lib->settings, "charon.load", NULL) || - lib->settings->get_str(lib->settings, "pluto.load", NULL)) + if (lib->settings->get_str(lib->settings, "charon.load", NULL)) { - plog("!! Your strongswan.conf contains manual plugin load options for"); - plog("!! pluto and/or charon. This is recommended for experts only, see"); - plog("!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad"); + DBG1(DBG_APP, "!! Your strongswan.conf contains manual plugin load options for charon."); + DBG1(DBG_APP, "!! This is recommended for experts only, see"); + DBG1(DBG_APP, "!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad"); } } /* verify that we can start */ if (getuid() != 0) { - plog("permission denied (must be superuser)"); + DBG1(DBG_APP, "permission denied (must be superuser)"); exit(LSB_RC_NOT_ALLOWED); } - if (check_pid(PLUTO_PID_FILE)) - { - plog("pluto is already running (%s exists) -- skipping pluto start", - PLUTO_PID_FILE); - } - else - { - _action_ |= FLAG_ACTION_START_PLUTO; - } if (check_pid(CHARON_PID_FILE)) { - plog("charon is already running (%s exists) -- skipping charon start", + DBG1(DBG_APP, "charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE); } else @@ -378,20 +436,20 @@ int main (int argc, char **argv) } if (stat(DEV_RANDOM, &stb) != 0) { - plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM); + DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_RANDOM); exit(LSB_RC_FAILURE); } if (stat(DEV_URANDOM, &stb)!= 0) { - plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM); + DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_URANDOM); exit(LSB_RC_FAILURE); } cfg = confread_load(CONFIG_FILE); if (cfg == NULL || cfg->err > 0) { - plog("unable to start strongSwan -- fatal errors in config"); + DBG1(DBG_APP, "unable to start strongSwan -- fatal errors in config"); if (cfg) { confread_free(cfg); @@ -402,11 +460,11 @@ int main (int argc, char **argv) /* determine if we have a native netkey IPsec stack */ if (!starter_netkey_init()) { - plog("no netkey IPsec stack detected"); + DBG1(DBG_APP, "no netkey IPsec stack detected"); if (!starter_klips_init()) { - plog("no KLIPS IPsec stack detected"); - plog("no known IPsec stack detected, ignoring!"); + DBG1(DBG_APP, "no KLIPS IPsec stack detected"); + DBG1(DBG_APP, "no known IPsec stack detected, ignoring!"); } } @@ -414,7 +472,7 @@ int main (int argc, char **argv) if (check_pid(STARTER_PID_FILE)) { - plog("starter is already running (%s exists) -- no fork done", + DBG1(DBG_APP, "starter is already running (%s exists) -- no fork done", STARTER_PID_FILE); confread_free(cfg); exit(LSB_RC_SUCCESS); @@ -435,6 +493,7 @@ int main (int argc, char **argv) { int fnull; + close_log(); closefrom(3); fnull = open("/dev/null", O_RDWR); @@ -447,10 +506,11 @@ int main (int argc, char **argv) } setsid(); + init_log("ipsec_starter"); } break; case -1: - plog("can't fork: %s", strerror(errno)); + DBG1(DBG_APP, "can't fork: %s", strerror(errno)); break; default: confread_free(cfg); @@ -469,24 +529,46 @@ int main (int argc, char **argv) } } - /* load plugins */ - if (!lib->plugins->load(lib->plugins, NULL, - lib->settings->get_str(lib->settings, "starter.load", PLUGINS))) - { - exit(LSB_RC_FAILURE); - } + /* we handle these signals only in pselect() */ + memset(&action, 0, sizeof(action)); + sigemptyset(&action.sa_mask); + sigaddset(&action.sa_mask, SIGHUP); + sigaddset(&action.sa_mask, SIGINT); + sigaddset(&action.sa_mask, SIGTERM); + sigaddset(&action.sa_mask, SIGQUIT); + sigaddset(&action.sa_mask, SIGALRM); + sigaddset(&action.sa_mask, SIGUSR1); + pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL); + + /* install a handler for fatal signals */ + action.sa_handler = fatal_signal_handler; + sigaction(SIGSEGV, &action, NULL); + sigaction(SIGILL, &action, NULL); + sigaction(SIGBUS, &action, NULL); + action.sa_handler = SIG_IGN; + sigaction(SIGPIPE, &action, NULL); + + /* install main signal handler */ + action.sa_handler = signal_handler; + sigaction(SIGHUP, &action, NULL); + sigaction(SIGINT, &action, NULL); + sigaction(SIGTERM, &action, NULL); + sigaction(SIGQUIT, &action, NULL); + sigaction(SIGALRM, &action, NULL); + sigaction(SIGUSR1, &action, NULL); + /* this is not blocked above as we want to receive it asynchronously */ + sigaction(SIGCHLD, &action, NULL); + + /* empty mask for pselect() call below */ + sigemptyset(&action.sa_mask); for (;;) { /* - * Stop pluto/charon (if started) and exit + * Stop charon (if started) and exit */ if (_action_ & FLAG_ACTION_QUIT) { - if (starter_pluto_pid()) - { - starter_stop_pluto(); - } if (starter_charon_pid()) { starter_stop_charon(); @@ -494,8 +576,7 @@ int main (int argc, char **argv) starter_netkey_cleanup(); confread_free(cfg); unlink(STARTER_PID_FILE); - plog("ipsec starter stopped"); - lib->plugins->unload(lib->plugins); + DBG1(DBG_APP, "ipsec starter stopped"); close_log(); exit(LSB_RC_SUCCESS); } @@ -505,7 +586,7 @@ int main (int argc, char **argv) */ if (_action_ & FLAG_ACTION_RELOAD) { - if (starter_pluto_pid() || starter_charon_pid()) + if (starter_charon_pid()) { for (conn = cfg->conn_first; conn; conn = conn->next) { @@ -515,10 +596,6 @@ int main (int argc, char **argv) { starter_stroke_del_conn(conn); } - if (starter_pluto_pid()) - { - starter_whack_del_conn(conn); - } conn->state = STATE_TO_ADD; } } @@ -530,10 +607,6 @@ int main (int argc, char **argv) { starter_stroke_del_ca(ca); } - if (starter_pluto_pid()) - { - starter_whack_del_ca(ca); - } ca->state = STATE_TO_ADD; } } @@ -546,96 +619,68 @@ int main (int argc, char **argv) */ if (_action_ & FLAG_ACTION_UPDATE) { - DBG(DBG_CONTROL, - DBG_log("Reloading config...") - ); + DBG2(DBG_APP, "Reloading config..."); new_cfg = confread_load(CONFIG_FILE); if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0)) { /* Switch to new config. New conn will be loaded below */ - if (!starter_cmp_defaultroute(&new_cfg->defaultroute - , &cfg->defaultroute)) - { - _action_ |= FLAG_ACTION_LISTEN; - } - if (!starter_cmp_pluto(cfg, new_cfg)) - { - plog("Pluto has changed"); - if (starter_pluto_pid()) - starter_stop_pluto(); - _action_ &= ~FLAG_ACTION_LISTEN; - _action_ |= FLAG_ACTION_START_PLUTO; - } - else + /* Look for new connections that are already loaded */ + for (conn = cfg->conn_first; conn; conn = conn->next) { - /* Only reload conn and ca sections if pluto is not killed */ - - /* Look for new connections that are already loaded */ - for (conn = cfg->conn_first; conn; conn = conn->next) + if (conn->state == STATE_ADDED) { - if (conn->state == STATE_ADDED) + for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next) { - for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next) + if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2)) { - if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2)) - { - conn->state = STATE_REPLACED; - conn2->state = STATE_ADDED; - conn2->id = conn->id; - break; - } + conn->state = STATE_REPLACED; + conn2->state = STATE_ADDED; + conn2->id = conn->id; + break; } } } + } - /* Remove conn sections that have become unused */ - for (conn = cfg->conn_first; conn; conn = conn->next) + /* Remove conn sections that have become unused */ + for (conn = cfg->conn_first; conn; conn = conn->next) + { + if (conn->state == STATE_ADDED) { - if (conn->state == STATE_ADDED) + if (starter_charon_pid()) { - if (starter_charon_pid()) - { - starter_stroke_del_conn(conn); - } - if (starter_pluto_pid()) - { - starter_whack_del_conn(conn); - } + starter_stroke_del_conn(conn); } } + } - /* Look for new ca sections that are already loaded */ - for (ca = cfg->ca_first; ca; ca = ca->next) + /* Look for new ca sections that are already loaded */ + for (ca = cfg->ca_first; ca; ca = ca->next) + { + if (ca->state == STATE_ADDED) { - if (ca->state == STATE_ADDED) + for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next) { - for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next) + if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2)) { - if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2)) - { - ca->state = STATE_REPLACED; - ca2->state = STATE_ADDED; - break; - } + ca->state = STATE_REPLACED; + ca2->state = STATE_ADDED; + break; } } } + } - /* Remove ca sections that have become unused */ - for (ca = cfg->ca_first; ca; ca = ca->next) + /* Remove ca sections that have become unused */ + for (ca = cfg->ca_first; ca; ca = ca->next) + { + if (ca->state == STATE_ADDED) { - if (ca->state == STATE_ADDED) + if (starter_charon_pid()) { - if (starter_charon_pid()) - { - starter_stroke_del_ca(ca); - } - if (starter_pluto_pid()) - { - starter_whack_del_ca(ca); - } + starter_stroke_del_ca(ca); } } } @@ -644,7 +689,7 @@ int main (int argc, char **argv) } else { - plog("can't reload config file due to errors -- keeping old one"); + DBG1(DBG_APP, "can't reload config file due to errors -- keeping old one"); if (new_cfg) { confread_free(new_cfg); @@ -655,77 +700,43 @@ int main (int argc, char **argv) } /* - * Start pluto + * Start charon */ - if (_action_ & FLAG_ACTION_START_PLUTO) + if (_action_ & FLAG_ACTION_START_CHARON) { - if (cfg->setup.plutostart && !starter_pluto_pid()) + if (cfg->setup.charonstart && !starter_charon_pid()) { - DBG(DBG_CONTROL, - DBG_log("Attempting to start pluto...") - ); - - if (starter_start_pluto(cfg, no_fork, attach_gdb) == 0) - { - starter_whack_listen(); - } - else + DBG2(DBG_APP, "Attempting to start charon..."); + if (starter_start_charon(cfg, no_fork, attach_gdb)) { /* schedule next try */ - alarm(PLUTO_RESTART_DELAY); + alarm(CHARON_RESTART_DELAY); } + starter_stroke_configure(cfg); } - _action_ &= ~FLAG_ACTION_START_PLUTO; + _action_ &= ~FLAG_ACTION_START_CHARON; for (ca = cfg->ca_first; ca; ca = ca->next) { if (ca->state == STATE_ADDED) + { ca->state = STATE_TO_ADD; + } } for (conn = cfg->conn_first; conn; conn = conn->next) { if (conn->state == STATE_ADDED) - conn->state = STATE_TO_ADD; - } - } - - /* - * Start charon - */ - if (_action_ & FLAG_ACTION_START_CHARON) - { - if (cfg->setup.charonstart && !starter_charon_pid()) - { - DBG(DBG_CONTROL, - DBG_log("Attempting to start charon...") - ); - if (starter_start_charon(cfg, no_fork, attach_gdb)) { - /* schedule next try */ - alarm(PLUTO_RESTART_DELAY); + conn->state = STATE_TO_ADD; } - starter_stroke_configure(cfg); - } - _action_ &= ~FLAG_ACTION_START_CHARON; - } - - /* - * Tell pluto to reread its interfaces - */ - if (_action_ & FLAG_ACTION_LISTEN) - { - if (starter_pluto_pid()) - { - starter_whack_listen(); - _action_ &= ~FLAG_ACTION_LISTEN; } } /* * Add stale conn and ca sections */ - if (starter_pluto_pid() || starter_charon_pid()) + if (starter_charon_pid()) { for (ca = cfg->ca_first; ca; ca = ca->next) { @@ -735,10 +746,6 @@ int main (int argc, char **argv) { starter_stroke_add_ca(ca); } - if (starter_pluto_pid()) - { - starter_whack_add_ca(ca); - } ca->state = STATE_ADDED; } } @@ -756,44 +763,20 @@ int main (int argc, char **argv) { starter_stroke_add_conn(cfg, conn); } - if (starter_pluto_pid()) - { - starter_whack_add_conn(conn); - } conn->state = STATE_ADDED; if (conn->startup == STARTUP_START) { - if (conn->keyexchange != KEY_EXCHANGE_IKEV1) + if (starter_charon_pid()) { - if (starter_charon_pid()) - { - starter_stroke_initiate_conn(conn); - } - } - else - { - if (starter_pluto_pid()) - { - starter_whack_initiate_conn(conn); - } + starter_stroke_initiate_conn(conn); } } else if (conn->startup == STARTUP_ROUTE) { - if (conn->keyexchange != KEY_EXCHANGE_IKEV1) - { - if (starter_charon_pid()) - { - starter_stroke_route_conn(conn); - } - } - else + if (starter_charon_pid()) { - if (starter_pluto_pid()) - { - starter_whack_route_conn(conn); - } + starter_stroke_route_conn(conn); } } } @@ -807,15 +790,16 @@ int main (int argc, char **argv) { time_t now = time_monotonic(NULL); - tv.tv_sec = (now < last_reload + auto_update) - ? (last_reload + auto_update-now) : 0; - tv.tv_usec = 0; + ts.tv_sec = (now < last_reload + auto_update) ? + (last_reload + auto_update - now) : 0; + ts.tv_nsec = 0; } /* * Wait for something to happen */ - if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0) + if (pselect(0, NULL, NULL, NULL, auto_update ? &ts : NULL, + &action.sa_mask) == 0) { /* timeout -> auto_update */ _action_ |= FLAG_ACTION_UPDATE; diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index ae04c20dd..d6ad3eb89 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -1,4 +1,4 @@ -/* Stroke for charon is the counterpart to whack from pluto +/* * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -26,11 +26,8 @@ #include <credentials/auth_cfg.h> -#include <freeswan.h> - -#include <constants.h> -#include <defs.h> -#include <log.h> +#include <library.h> +#include <debug.h> #include <stroke_msg.h> @@ -73,12 +70,12 @@ static int send_stroke_msg (stroke_msg_t *msg) if (sock < 0) { - plog("socket() failed: %s", strerror(errno)); + DBG1(DBG_APP, "socket() failed: %s", strerror(errno)); return -1; } if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0) { - plog("connect(charon_ctl) failed: %s", strerror(errno)); + DBG1(DBG_APP, "connect(charon_ctl) failed: %s", strerror(errno)); close(sock); return -1; } @@ -86,18 +83,18 @@ static int send_stroke_msg (stroke_msg_t *msg) /* send message */ if (write(sock, msg, msg->length) != msg->length) { - plog("write(charon_ctl) failed: %s", strerror(errno)); + DBG1(DBG_APP, "write(charon_ctl) failed: %s", strerror(errno)); close(sock); return -1; } while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0) { buffer[byte_count] = '\0'; - plog("%s", buffer); + DBG1(DBG_APP, "%s", buffer); } if (byte_count < 0) { - plog("read() failed: %s", strerror(errno)); + DBG1(DBG_APP, "read() failed: %s", strerror(errno)); } close(sock); @@ -117,47 +114,8 @@ static char* connection_name(starter_conn_t *conn) return conn->name; } -static void ip_address2string(ip_address *addr, char *buffer, size_t len) -{ - switch (((struct sockaddr*)addr)->sa_family) - { - case AF_INET6: - { - struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr; - u_int8_t zeroes[IPV6_LEN]; - - memset(zeroes, 0, IPV6_LEN); - if (memcmp(zeroes, &(sin6->sin6_addr.s6_addr), IPV6_LEN) && - inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len)) - { - return; - } - snprintf(buffer, len, "%%any6"); - break; - } - case AF_INET: - { - struct sockaddr_in* sin = (struct sockaddr_in*)addr; - u_int8_t zeroes[IPV4_LEN]; - - memset(zeroes, 0, IPV4_LEN); - if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) && - inet_ntop(AF_INET, &sin->sin_addr, buffer, len)) - { - return; - } - /* fall through to default */ - } - default: - snprintf(buffer, len, "%%any"); - break; - } -} - static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end) { - char buffer[INET6_ADDRSTRLEN]; - msg_end->auth = push_string(msg, conn_end->auth); msg_end->auth2 = push_string(msg, conn_end->auth2); msg_end->id = push_string(msg, conn_end->id); @@ -169,6 +127,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->ca = push_string(msg, conn_end->ca); msg_end->ca2 = push_string(msg, conn_end->ca2); msg_end->groups = push_string(msg, conn_end->groups); + msg_end->groups2 = push_string(msg, conn_end->groups2); msg_end->updown = push_string(msg, conn_end->updown); if (conn_end->host) { @@ -176,16 +135,16 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta } else { - ip_address2string(&conn_end->addr, buffer, sizeof(buffer)); - msg_end->address = push_string(msg, buffer); + msg_end->address = push_string(msg, "%any"); } msg_end->ikeport = conn_end->ikeport; msg_end->subnets = push_string(msg, conn_end->subnet); msg_end->sourceip = push_string(msg, conn_end->sourceip); - msg_end->sourceip_mask = conn_end->sourceip_mask; + msg_end->dns = push_string(msg, conn_end->dns); msg_end->sendcert = conn_end->sendcert; msg_end->hostaccess = conn_end->hostaccess; - msg_end->tohost = !conn_end->has_client; + msg_end->tohost = !conn_end->subnet; + msg_end->allow_any = conn_end->allow_any; msg_end->protocol = conn_end->protocol; msg_end->port = conn_end->port; } @@ -197,60 +156,18 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) memset(&msg, 0, sizeof(msg)); msg.type = STR_ADD_CONN; msg.length = offsetof(stroke_msg_t, buffer); - msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1; + msg.add_conn.version = conn->keyexchange; msg.add_conn.name = push_string(&msg, connection_name(conn)); - - /* PUBKEY is preferred to PSK and EAP */ - if (conn->policy & POLICY_PUBKEY) - { - msg.add_conn.auth_method = AUTH_CLASS_PUBKEY; - } - else if (conn->policy & POLICY_PSK) - { - msg.add_conn.auth_method = AUTH_CLASS_PSK; - } - else if (conn->policy & POLICY_XAUTH_PSK) - { - msg.add_conn.auth_method = AUTH_CLASS_EAP; - } - else - { - msg.add_conn.auth_method = AUTH_CLASS_ANY; - } - msg.add_conn.eap_type = conn->eap_type; - msg.add_conn.eap_vendor = conn->eap_vendor; msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity); msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity); + msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity); - if (conn->policy & POLICY_TUNNEL) - { - msg.add_conn.mode = MODE_TUNNEL; - } - else if (conn->policy & POLICY_BEET) - { - msg.add_conn.mode = MODE_BEET; - } - else if (conn->policy & POLICY_PROXY) - { - msg.add_conn.mode = MODE_TRANSPORT; - msg.add_conn.proxy_mode = TRUE; - } - else if (conn->policy & POLICY_SHUNT_PASS) - { - msg.add_conn.mode = MODE_PASS; - } - else if (conn->policy & (POLICY_SHUNT_DROP | POLICY_SHUNT_REJECT)) - { - msg.add_conn.mode = MODE_DROP; - } - else - { - msg.add_conn.mode = MODE_TRANSPORT; - } + msg.add_conn.mode = conn->mode; + msg.add_conn.proxy_mode = conn->proxy_mode; - if (!(conn->policy & POLICY_DONT_REKEY)) + if (!(conn->options & SA_OPTION_DONT_REKEY)) { - msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY; + msg.add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH); msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds; msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds; msg.add_conn.rekey.margin = conn->sa_rekey_margin; @@ -261,15 +178,17 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.rekey.tries = conn->sa_keying_tries; msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz; } - msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0; - msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0; - msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0; + msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE; + msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP; + msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS; msg.add_conn.install_policy = conn->install_policy; - msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy; + msg.add_conn.aggressive = conn->aggressive; + msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy; msg.add_conn.unique = cfg->setup.uniqueids; msg.add_conn.algorithms.ike = push_string(&msg, conn->ike); msg.add_conn.algorithms.esp = push_string(&msg, conn->esp); msg.add_conn.dpd.delay = conn->dpd_delay; + msg.add_conn.dpd.timeout = conn->dpd_timeout; msg.add_conn.dpd.action = conn->dpd_action; msg.add_conn.close_action = conn->close_action; msg.add_conn.inactivity = conn->inactivity; @@ -286,6 +205,48 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left); starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right); + if (!msg.add_conn.me.auth && !msg.add_conn.other.auth && + conn->authby) + { /* leftauth/rightauth not set, use legacy options */ + if (streq(conn->authby, "rsa") || streq(conn->authby, "rsasig") || + streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") || + streq(conn->authby, "pubkey")) + { + msg.add_conn.me.auth = push_string(&msg, "pubkey"); + msg.add_conn.other.auth = push_string(&msg, "pubkey"); + } + else if (streq(conn->authby, "secret") || streq(conn->authby, "psk")) + { + msg.add_conn.me.auth = push_string(&msg, "psk"); + msg.add_conn.other.auth = push_string(&msg, "psk"); + } + else if (streq(conn->authby, "xauthrsasig")) + { + msg.add_conn.me.auth = push_string(&msg, "pubkey"); + msg.add_conn.other.auth = push_string(&msg, "pubkey"); + if (conn->options & SA_OPTION_XAUTH_SERVER) + { + msg.add_conn.other.auth2 = push_string(&msg, "xauth"); + } + else + { + msg.add_conn.me.auth2 = push_string(&msg, "xauth"); + } + } + else if (streq(conn->authby, "xauthpsk")) + { + msg.add_conn.me.auth = push_string(&msg, "psk"); + msg.add_conn.other.auth = push_string(&msg, "psk"); + if (conn->options & SA_OPTION_XAUTH_SERVER) + { + msg.add_conn.other.auth2 = push_string(&msg, "xauth"); + } + else + { + msg.add_conn.me.auth2 = push_string(&msg, "xauth"); + } + } + } return send_stroke_msg(&msg); } diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h index f9b01c99a..fd2a3e320 100644 --- a/src/starter/starterstroke.h +++ b/src/starter/starterstroke.h @@ -1,5 +1,6 @@ -/* Stroke for charon is the counterpart to whack from pluto - * Copyright (C) 2006 Martin Willi - Hochschule fuer Technik Rapperswil +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -17,12 +18,12 @@ #include "confread.h" -extern int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn); -extern int starter_stroke_del_conn(starter_conn_t *conn); -extern int starter_stroke_route_conn(starter_conn_t *conn); -extern int starter_stroke_initiate_conn(starter_conn_t *conn); -extern int starter_stroke_add_ca(starter_ca_t *ca); -extern int starter_stroke_del_ca(starter_ca_t *ca); -extern int starter_stroke_configure(starter_config_t *cfg); +int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn); +int starter_stroke_del_conn(starter_conn_t *conn); +int starter_stroke_route_conn(starter_conn_t *conn); +int starter_stroke_initiate_conn(starter_conn_t *conn); +int starter_stroke_add_ca(starter_ca_t *ca); +int starter_stroke_del_ca(starter_ca_t *ca); +int starter_stroke_configure(starter_config_t *cfg); #endif /* _STARTER_STROKE_H_ */ diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c deleted file mode 100644 index b7d916eae..000000000 --- a/src/starter/starterwhack.c +++ /dev/null @@ -1,420 +0,0 @@ -/* strongSwan whack functions to communicate with pluto (whack.c) - * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/un.h> -#include <stddef.h> -#include <unistd.h> -#include <string.h> -#include <errno.h> - -#include <freeswan.h> - -#include <constants.h> -#include <defs.h> -#include <log.h> -#include <whack.h> - -#include "starterwhack.h" -#include "confread.h" -#include "files.h" - -#define ip_version(string) (strchr(string, '.') ? AF_INET : AF_INET6) - -static int pack_str (char **p, char **next, char **roof) -{ - const char *s = (*p==NULL) ? "" : *p; /* note: NULL becomes ""! */ - size_t len = strlen(s) + 1; - - if ((*roof - *next) < len) - { - return 0; /* not enough space */ - } - else - { - strcpy(*next, s); - *next += len; - *p = NULL; /* don't send pointers on the wire! */ - return 1; - } -} - -static int send_whack_msg (whack_message_t *msg) -{ - struct sockaddr_un ctl_addr; - int sock; - ssize_t len; - char *str_next, *str_roof; - - ctl_addr.sun_family = AF_UNIX; - strcpy(ctl_addr.sun_path, PLUTO_CTL_FILE); - - /* pack strings */ - str_next = (char *)msg->string; - str_roof = (char *)&msg->string[sizeof(msg->string)]; - - if (!pack_str(&msg->name, &str_next, &str_roof) - || !pack_str(&msg->left.id, &str_next, &str_roof) - || !pack_str(&msg->left.cert, &str_next, &str_roof) - || !pack_str(&msg->left.ca, &str_next, &str_roof) - || !pack_str(&msg->left.groups, &str_next, &str_roof) - || !pack_str(&msg->left.updown, &str_next, &str_roof) - || !pack_str(&msg->left.sourceip, &str_next, &str_roof) - || !pack_str(&msg->left.virt, &str_next, &str_roof) - || !pack_str(&msg->right.id, &str_next, &str_roof) - || !pack_str(&msg->right.cert, &str_next, &str_roof) - || !pack_str(&msg->right.ca, &str_next, &str_roof) - || !pack_str(&msg->right.groups, &str_next, &str_roof) - || !pack_str(&msg->right.updown, &str_next, &str_roof) - || !pack_str(&msg->right.sourceip, &str_next, &str_roof) - || !pack_str(&msg->right.virt, &str_next, &str_roof) - || !pack_str(&msg->keyid, &str_next, &str_roof) - || !pack_str(&msg->myid, &str_next, &str_roof) - || !pack_str(&msg->cacert, &str_next, &str_roof) - || !pack_str(&msg->ldaphost, &str_next, &str_roof) - || !pack_str(&msg->ldapbase, &str_next, &str_roof) - || !pack_str(&msg->crluri, &str_next, &str_roof) - || !pack_str(&msg->crluri2, &str_next, &str_roof) - || !pack_str(&msg->ocspuri, &str_next, &str_roof) - || !pack_str(&msg->ike, &str_next, &str_roof) - || !pack_str(&msg->esp, &str_next, &str_roof) - || !pack_str(&msg->sc_data, &str_next, &str_roof) - || !pack_str(&msg->whack_lease_ip, &str_next, &str_roof) - || !pack_str(&msg->whack_lease_id, &str_next, &str_roof) - || !pack_str(&msg->xauth_identity, &str_next, &str_roof) - || (str_roof - str_next < msg->keyval.len)) - { - plog("send_wack_msg(): can't pack strings"); - return -1; - } - if (msg->keyval.ptr) - { - memcpy(str_next, msg->keyval.ptr, msg->keyval.len); - } - msg->keyval.ptr = NULL; - str_next += msg->keyval.len; - len = str_next - (char *)msg; - - /* connect to pluto ctl */ - sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) - { - plog("socket() failed: %s", strerror(errno)); - return -1; - } - if (connect(sock, (struct sockaddr *)&ctl_addr, - offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0) - { - plog("connect(pluto_ctl) failed: %s", strerror(errno)); - close(sock); - return -1; - } - - /* send message */ - if (write(sock, msg, len) != len) - { - plog("write(pluto_ctl) failed: %s", strerror(errno)); - close(sock); - return -1; - } - - /* TODO: read reply */ - close(sock); - return 0; -} - -static void init_whack_msg(whack_message_t *msg) -{ - memset(msg, 0, sizeof(whack_message_t)); - msg->magic = WHACK_MAGIC; -} - -static char *connection_name(starter_conn_t *conn, char *buf, size_t size) -{ - /* if connection name is '%auto', create a new name like conn_xxxxx */ - if (streq(conn->name, "%auto")) - { - snprintf(buf, size, "conn_%ld", conn->id); - return buf; - } - return conn->name; -} - -static void set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family) -{ - w->id = end->id; - w->cert = end->cert; - w->ca = end->ca; - w->groups = end->groups; - w->host_addr = end->addr; - w->has_client = end->has_client; - w->sourceip = end->sourceip; - w->sourceip_mask = end->sourceip_mask; - - if (end->sourceip && end->sourceip_mask > 0) - { - ttoaddr(end->sourceip, 0, ip_version(end->sourceip), &w->host_srcip); - w->has_srcip = !end->has_natip; - } - else - { - anyaddr(AF_INET, &w->host_srcip); - } - - if (family == AF_INET6 && isanyaddr(&end->nexthop)) - { - anyaddr(AF_INET6, &end->nexthop); - } - w->host_nexthop = end->nexthop; - - if (w->has_client) - { - char *pos; - int len = 0; - - pos = strchr(end->subnet, ','); - if (pos) - { - len = pos - end->subnet; - } - ttosubnet(end->subnet, len, ip_version(end->subnet), &w->client); - } - else - { - if (end->has_virt) - { - w->virt = end->subnet; - } - w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr); - } - - w->has_client_wildcard = end->has_client_wildcard; - w->has_port_wildcard = end->has_port_wildcard; - w->has_natip = end->has_natip; - w->allow_any = end->allow_any && !end->dns_failed; - w->modecfg = end->modecfg; - w->hostaccess = end->hostaccess; - w->sendcert = end->sendcert; - w->updown = end->updown; - w->host_port = IKE_UDP_PORT; - w->port = end->port; - w->protocol = end->protocol; - - if (w->port != 0) - { - int port = htons(w->port); - - setportof(port, &w->host_addr); - setportof(port, &w->client.addr); - } -} - -static int -starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end -, const char *lr) -{ - const char *err; - static char keyspace[1024 + 4]; - char buf[ADDRTOT_BUF], name[32]; - whack_message_t msg; - - init_whack_msg(&msg); - connection_name(conn, name, sizeof(name)); - - msg.whack_key = TRUE; - msg.pubkey_alg = PUBKEY_ALG_RSA; - if (end->rsakey) - { - /* special values to ignore */ - if (streq(end->rsakey, "") - || streq(end->rsakey, "%none") - || streq(end->rsakey, "%cert") - || streq(end->rsakey, "0x00")) - { - return 0; - } - err = atobytes(end->rsakey, 0, keyspace, sizeof(keyspace), &msg.keyval.len); - if (err) - { - plog("conn %s/%s: rsakey malformed [%s]", name, lr, err); - return 1; - } - if (end->id) - { - msg.keyid = end->id; - } - else - { - addrtot(&end->addr, 0, buf, sizeof(buf)); - msg.keyid = buf; - } - msg.keyval.ptr = keyspace; - return send_whack_msg(&msg); - } - return 0; -} - -int starter_whack_add_conn(starter_conn_t *conn) -{ - char esp_buf[256], name[32]; - whack_message_t msg; - int r; - - init_whack_msg(&msg); - - msg.whack_connection = TRUE; - msg.name = connection_name(conn, name, sizeof(name)); - - msg.ikev1 = conn->keyexchange == KEY_EXCHANGE_IKEV1; - msg.addr_family = conn->addr_family; - msg.tunnel_addr_family = conn->tunnel_addr_family; - msg.sa_ike_life_seconds = conn->sa_ike_life_seconds; - msg.sa_ipsec_life_seconds = conn->sa_ipsec_life_seconds; - msg.sa_rekey_margin = conn->sa_rekey_margin; - msg.sa_rekey_fuzz = conn->sa_rekey_fuzz; - msg.sa_keying_tries = conn->sa_keying_tries; - msg.policy = conn->policy; - msg.xauth_identity = conn->xauth_identity; - msg.reqid = conn->reqid; - msg.mark_in.value = conn->mark_in.value; - msg.mark_in.mask = conn->mark_in.mask; - msg.mark_out.value = conn->mark_out.value; - msg.mark_out.mask = conn->mark_out.mask; - - /* - * Make sure the IKEv2-only policy bits are unset for IKEv1 connections - */ - msg.policy &= ~POLICY_DONT_REAUTH; - msg.policy &= ~POLICY_BEET; - msg.policy &= ~POLICY_MOBIKE; - msg.policy &= ~POLICY_FORCE_ENCAP; - - set_whack_end(&msg.left, &conn->left, conn->addr_family); - set_whack_end(&msg.right, &conn->right, conn->addr_family); - - msg.esp = conn->esp; - msg.ike = conn->ike; - msg.pfsgroup = conn->pfsgroup; - - /* taken from pluto/whack.c */ - if (msg.pfsgroup) - { - snprintf(esp_buf, sizeof (esp_buf), "%s;%s" - , msg.esp ? msg.esp : "" - , msg.pfsgroup ? msg.pfsgroup : ""); - msg.esp = esp_buf; - - DBG(DBG_CONTROL, - DBG_log("Setting --esp=%s", msg.esp) - ) - } - msg.dpd_delay = conn->dpd_delay; - msg.dpd_timeout = conn->dpd_timeout; - msg.dpd_action = conn->dpd_action; -/* msg.dpd_count = conn->dpd_count; not supported yet by strongSwan */ - - r = send_whack_msg(&msg); - - if (r == 0 && (conn->policy & POLICY_PUBKEY)) - { - r += starter_whack_add_pubkey (conn, &conn->left, "left"); - r += starter_whack_add_pubkey (conn, &conn->right, "right"); - } - - return r; -} - -int starter_whack_del_conn(starter_conn_t *conn) -{ - char name[32]; - whack_message_t msg; - - init_whack_msg(&msg); - msg.whack_delete = TRUE; - msg.name = connection_name(conn, name, sizeof(name)); - return send_whack_msg(&msg); -} - -int starter_whack_route_conn(starter_conn_t *conn) -{ - char name[32]; - whack_message_t msg; - - init_whack_msg(&msg); - msg.whack_route = TRUE; - msg.name = connection_name(conn, name, sizeof(name)); - return send_whack_msg(&msg); -} - -int starter_whack_initiate_conn(starter_conn_t *conn) -{ - char name[32]; - whack_message_t msg; - - init_whack_msg(&msg); - msg.whack_initiate = TRUE; - msg.whack_async = TRUE; - msg.name = connection_name(conn, name, sizeof(name)); - return send_whack_msg(&msg); -} - -int starter_whack_listen(void) -{ - whack_message_t msg; - init_whack_msg(&msg); - msg.whack_listen = TRUE; - return send_whack_msg(&msg); -} - -int starter_whack_shutdown(void) -{ - whack_message_t msg; - - init_whack_msg(&msg); - msg.whack_shutdown = TRUE; - return send_whack_msg(&msg); -} - -int starter_whack_add_ca(starter_ca_t *ca) -{ - whack_message_t msg; - - init_whack_msg(&msg); - - msg.whack_ca = TRUE; - msg.name = ca->name; - msg.cacert = ca->cacert; - msg.ldaphost = ca->ldaphost; - msg.ldapbase = ca->ldapbase; - msg.crluri = ca->crluri; - msg.crluri2 = ca->crluri2; - msg.ocspuri = ca->ocspuri; - msg.whack_strict = ca->strict; - - return send_whack_msg(&msg); -} - -int starter_whack_del_ca(starter_ca_t *ca) -{ - whack_message_t msg; - - init_whack_msg(&msg); - - msg.whack_delete = TRUE; - msg.whack_ca = TRUE; - msg.name = ca->name; - - return send_whack_msg(&msg); -} diff --git a/src/starter/starterwhack.h b/src/starter/starterwhack.h deleted file mode 100644 index d56b02421..000000000 --- a/src/starter/starterwhack.h +++ /dev/null @@ -1,30 +0,0 @@ -/* FreeS/WAN whack functions to communicate with pluto (whack.h) - * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef _STARTER_WHACK_H_ -#define _STARTER_WHACK_H_ - -#include "confread.h" - -extern int starter_whack_add_conn(starter_conn_t *conn); -extern int starter_whack_del_conn(starter_conn_t *conn); -extern int starter_whack_route_conn(starter_conn_t *conn); -extern int starter_whack_initiate_conn(starter_conn_t *conn); -extern int starter_whack_listen(void); -extern int starter_whack_shutdown(void); -extern int starter_whack_add_ca(starter_ca_t *ca); -extern int starter_whack_del_ca(starter_ca_t *ca); - -#endif /* _STARTER_WHACK_H_ */ - |