Diffstat (limited to 'src/starter')
-rw-r--r-- | src/starter/Android.mk | 47 | ||||
-rw-r--r-- | src/starter/Makefile.am | 26 | ||||
-rw-r--r-- | src/starter/Makefile.in | 83 | ||||
-rw-r--r-- | src/starter/args.c | 5 | ||||
-rw-r--r-- | src/starter/args.h | 2 | ||||
-rw-r--r-- | src/starter/confread.c | 170 | ||||
-rw-r--r-- | src/starter/confread.h | 9 | ||||
-rw-r--r-- | src/starter/files.h | 1 | ||||
-rw-r--r-- | src/starter/invokepluto.c | 5 | ||||
-rw-r--r-- | src/starter/ipsec-parser.h | 55 | ||||
-rw-r--r-- | src/starter/keywords.c | 267 | ||||
-rw-r--r-- | src/starter/keywords.h | 1 | ||||
-rw-r--r-- | src/starter/keywords.txt | 1 | ||||
-rw-r--r-- | src/starter/lexer.c (renamed from src/starter/lex.yy.c) | 154 | ||||
-rw-r--r-- | src/starter/lexer.l (renamed from src/starter/parser.l) | 108 | ||||
-rw-r--r-- | src/starter/netkey.c | 17 | ||||
-rw-r--r-- | src/starter/parser.c (renamed from src/starter/y.tab.c) | 30 | ||||
-rw-r--r-- | src/starter/parser.h | 141 | ||||
-rw-r--r-- | src/starter/parser.y | 2 | ||||
-rw-r--r-- | src/starter/starter.c | 142 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 42 | ||||
-rw-r--r-- | src/starter/y.tab.h | 88 |
22 files changed, 806 insertions, 590 deletions
diff --git a/src/starter/Android.mk b/src/starter/Android.mk
new file mode 100644
index 000000000..a82fe9385
--- /dev/null
+++ b/src/starter/Android.mk
@@ -0,0 +1,47 @@
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+# copy-n-paste from Makefile.am (update for LEX/YACC)
+LOCAL_SRC_FILES := \
+parser.c lexer.c ipsec-parser.h netkey.c args.h netkey.h \
+starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
+starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
+keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
+exec.h invokecharon.h loglite.c klips.c klips.h
+
+# build starter ----------------------------------------------------------------
+
+LOCAL_C_INCLUDES += \
+ $(libvstr_PATH) \
+ $(strongswan_PATH)/src/libhydra \
+ $(strongswan_PATH)/src/libfreeswan \
+ $(strongswan_PATH)/src/libstrongswan \
+ $(strongswan_PATH)/src/libfreeswan \
+ $(strongswan_PATH)/src/pluto \
+ $(strongswan_PATH)/src/whack \
+ $(strongswan_PATH)/src/stroke
+
+LOCAL_CFLAGS := $(strongswan_CFLAGS) -DSTART_CHARON \
+ -DPLUGINS='"$(strongswan_STARTER_PLUGINS)"'
+
+ifneq ($(strongswan_BUILD_PLUTO),)
+LOCAL_CFLAGS += -DSTART_PLUTO
+endif
+
+LOCAL_MODULE := starter
+
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_ARM_MODE := arm
+
+LOCAL_PRELINK_MODULE := false
+
+LOCAL_REQUIRED_MODULES := stroke
+ifneq ($(strongswan_BUILD_PLUTO),)
+LOCAL_REQUIRED_MODULES += whack
+endif
+
+LOCAL_SHARED_LIBRARIES += libstrongswan libhydra libfreeswan
+
+include $(BUILD_EXECUTABLE)
+
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index f05aeca22..94ddf5aba 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
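Review bot: `$(strongswan_PATH)/src/libfreeswan` is listed twice in LOCAL_C_INCLUDES; the second entry is redundant and should be dropped. The header comment says this file mirrors Makefile.am "updated for LEX/YACC", but LOCAL_SRC_FILES names the generated `parser.c lexer.c` rather than `parser.y lexer.l`, so the Android build silently uses whatever copy of those files is in the tree and will not notice a stale grammar; a comment such as `# parser.c/lexer.c are generated from parser.y/lexer.l by the autotools build and are not regenerated here` would make that explicit. `-DSTART_CHARON` is also unconditional here while Makefile.am gates it on a configure conditional, which is presumably intended for Android but deserves a word.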
@@ -1,9 +1,10 @@
 ipsec_PROGRAMS = starter
-starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
+starter_SOURCES = \
+parser.y lexer.l ipsec-parser.h netkey.c args.h netkey.h \
 starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
 starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
 keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
+exec.h invokecharon.h loglite.c klips.c klips.h
 
 INCLUDES = \
 -I${linux_headers} \
@@ -21,11 +22,15 @@ AM_CFLAGS = \
 -DIPSEC_EAPDIR=\"${eapdir}\" \
 -DDEV_RANDOM=\"${random_device}\" \
 -DDEV_URANDOM=\"${urandom_device}\" \
+-DPLUGINS=\""${starter_plugins}\"" \
 -DDEBUG
 
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
-MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
+AM_YFLAGS = -v -d
+
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB)
+EXTRA_DIST = keywords.txt ipsec.conf Android.mk
+MAINTAINERCLEANFILES = keywords.c
+BUILT_SOURCES = parser.h
 
 PLUTODIR=$(top_srcdir)/src/pluto
 SCEPCLIENTDIR=$(top_srcdir)/src/scepclient
@@ -42,14 +47,9 @@ if USE_LOAD_WARNING
 AM_CFLAGS += -DLOAD_WARNING
 endif
 
-lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
- $(LEX) $(srcdir)/parser.l
-
-y.tab.c: $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
- $(YACC) -v -d $(srcdir)/parser.y
-
-y.tab.h: $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h
- $(YACC) -v -d $(srcdir)/parser.y
+if USE_TOOLS
+ AM_CFLAGS += -DGENERATE_SELFCERT
+endif
 
 keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h
  $(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
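Review bot: The quoting on the new `-DPLUGINS=\""${starter_plugins}\""` line in the second hunk differs from every other `-D` line in AM_CFLAGS and reads like a typo; it is needed because the plugin list is space-separated and must reach the compiler as a single argument, so it deserves a comment such as `# double-quoted on purpose: ${starter_plugins} contains spaces and must stay one argument`. `AM_YFLAGS = -v -d` also makes yacc emit `parser.output` next to the sources, and the generated Makefile.in in this commit only removes lexer.c/parser.c/parser.h on maintainer-clean; unless automake cleans the .output file itself, add `CLEANFILES = parser.output`.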
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 72adbf7bc..f2c0cc38e 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -38,8 +38,10 @@ ipsec_PROGRAMS = starter$(EXEEXT) @USE_PLUTO_TRUE@am__append_1 = -DSTART_PLUTO @USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON @USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING +@USE_TOOLS_TRUE@am__append_4 = -DGENERATE_SELFCERT subdir = src/starter -DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ + lexer.c parser.c parser.h ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -57,18 +59,18 @@ CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(ipsecdir)" PROGRAMS = $(ipsec_PROGRAMS) -am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ +am_starter_OBJECTS = parser.$(OBJEXT) lexer.$(OBJEXT) netkey.$(OBJEXT) \ starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \ invokepluto.$(OBJEXT) confread.$(OBJEXT) interfaces.$(OBJEXT) \ args.$(OBJEXT) keywords.$(OBJEXT) cmp.$(OBJEXT) \ starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \ - lex.yy.$(OBJEXT) loglite.$(OBJEXT) klips.$(OBJEXT) + loglite.$(OBJEXT) klips.$(OBJEXT) starter_OBJECTS = $(am_starter_OBJECTS) am__DEPENDENCIES_1 = starter_DEPENDENCIES = defs.o \ $(top_builddir)/src/libfreeswan/libfreeswan.a \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - $(am__DEPENDENCIES_1) + $(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles 
@@ -82,6 +84,13 @@ CCLD = $(CC) LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ +LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS) +LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS) +YLWRAP = $(top_srcdir)/ylwrap +YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS) +LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS) SOURCES = $(starter_SOURCES) DIST_SOURCES = $(starter_SOURCES) ETAGS = etags @@ -178,6 +187,9 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +axis2c_CFLAGS = @axis2c_CFLAGS@ +axis2c_LIBS = @axis2c_LIBS@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -186,6 +198,7 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +clearsilver_LIBS = @clearsilver_LIBS@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ @@ -202,11 +215,13 @@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ +imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -250,6 +265,7 @@ sharedstatedir = @sharedstatedir@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ +starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ 
@@ -260,11 +276,12 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \ +starter_SOURCES = \ +parser.y lexer.l ipsec-parser.h netkey.c args.h netkey.h \ starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \ starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \ -exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h +exec.h invokecharon.h loglite.c klips.c klips.h INCLUDES = \ -I${linux_headers} \ @@ -278,17 +295,21 @@ INCLUDES = \ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \ - -DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \ - $(am__append_2) $(am__append_3) -starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf -MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c + -DDEV_URANDOM=\"${urandom_device}\" \ + -DPLUGINS=\""${starter_plugins}\"" -DDEBUG $(am__append_1) \ + $(am__append_2) $(am__append_3) $(am__append_4) +AM_YFLAGS = -v -d +starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB) +EXTRA_DIST = keywords.txt ipsec.conf Android.mk +MAINTAINERCLEANFILES = keywords.c +BUILT_SOURCES = parser.h PLUTODIR = $(top_srcdir)/src/pluto SCEPCLIENTDIR = $(top_srcdir)/src/scepclient -all: all-am +all: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) all-am .SUFFIXES: -.SUFFIXES: .c .lo .o .obj +.SUFFIXES: .c .l .lo .o .obj .y $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ 
@@ -362,6 +383,11 @@ clean-ipsecPROGRAMS: list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list +parser.h: parser.c + @if test ! -f $@; then \ + rm -f parser.c; \ + $(MAKE) $(AM_MAKEFLAGS) parser.c; \ + else :; fi starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES) @rm -f starter$(EXEEXT) $(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS) @@ -381,13 +407,13 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokepluto.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keywords.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/klips.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.yy.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/netkey.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starter.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterstroke.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterwhack.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/y.tab.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -410,6 +436,12 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +.l.c: + $(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE) + +.y.c: + $(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE) + mostlyclean-libtool: -rm -f *.lo 
@@ -499,13 +531,15 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am -check: check-am +check: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) check-am all-am: Makefile $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(ipsecdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: install-am +install: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -530,6 +564,10 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." + -rm -f lexer.c + -rm -f parser.c + -rm -f parser.h + -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-am @@ -602,7 +640,7 @@ ps-am: uninstall-am: uninstall-ipsecPROGRAMS -.MAKE: install-am install-strip +.MAKE: all check install install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ clean-ipsecPROGRAMS clean-libtool ctags distclean \ @@ -619,15 +657,6 @@ uninstall-am: uninstall-ipsecPROGRAMS tags uninstall uninstall-am uninstall-ipsecPROGRAMS -lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h - $(LEX) $(srcdir)/parser.l - -y.tab.c: $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h - $(YACC) -v -d $(srcdir)/parser.y - -y.tab.h: $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h - $(YACC) -v -d $(srcdir)/parser.y - keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h $(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@ diff --git a/src/starter/args.c b/src/starter/args.c index 4d8003aab..65d0a753c 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -24,7 +24,6 @@ #include "../pluto/log.h" #include "keywords.h" -#include "parser.h" #include "confread.h" #include "args.h" 
@@ -130,6 +129,7 @@ static const char *LST_plutodebug[] = { "control", "lifecycle", "klips", + "kernel", "dns", "natt", "oppo", @@ -228,6 +228,7 @@ static const token_info_t token_info[] = { ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL }, { ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL }, { ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action }, + { ARG_ENUM, offsetof(starter_conn_t, close_action), LST_dpd_action }, { ARG_TIME, offsetof(starter_conn_t, inactivity), NULL }, { ARG_MISC, 0, NULL /* KW_MODECONFIG */ }, { ARG_MISC, 0, NULL /* KW_XAUTH */ }, @@ -254,7 +255,7 @@ static const token_info_t token_info[] = { ARG_STR, offsetof(starter_ca_t, certuribase), NULL }, /* end keywords */ - { ARG_MISC, 0, NULL /* KW_HOST */ }, + { ARG_STR, offsetof(starter_end_t, host), NULL }, { ARG_UINT, offsetof(starter_end_t, ikeport), NULL }, { ARG_MISC, 0, NULL /* KW_NEXTHOP */ }, { ARG_STR, offsetof(starter_end_t, subnet), NULL }, diff --git a/src/starter/args.h b/src/starter/args.h index b003784c8..f5c13e6ba 100644 --- a/src/starter/args.h +++ b/src/starter/args.h @@ -17,7 +17,7 @@ #define _ARGS_H_ #include "keywords.h" -#include "parser.h" +#include "ipsec-parser.h" extern char **new_list(char *value); extern bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw diff --git a/src/starter/confread.c b/src/starter/confread.c index 1e7daa6a9..627601e88 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -12,6 +12,9 @@ * for more details. */ +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> #include <stddef.h> #include <stdlib.h> #include <string.h> @@ -26,9 +29,9 @@ #include "../pluto/log.h" #include "keywords.h" -#include "parser.h" #include "confread.h" #include "args.h" +#include "files.h" #include "interfaces.h" /* strings containing a colon are interpreted as an IPv6 address */ 
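Review bot: The new `close_action` entry in token_info reuses `LST_dpd_action` as its value list, which is right only as long as closeaction accepts exactly the dpdaction vocabulary; a comment on that line, `/* closeaction takes the same values as dpdaction */`, records the coupling so that a future dpdaction-only value is not silently accepted for closeaction too. Switching KW_HOST from ARG_MISC to `{ ARG_STR, offsetof(starter_end_t, host), NULL }` means assign_arg() now stores every left=/right= value, `%`-magic ones included, before confread.c post-processes it; a short comment there would stop a reader from assuming `host` is always a real name or address. The token_info table starts and ends outside these hunks.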
@@ -39,6 +42,17 @@ static const char esp_defaults[] = "aes128-sha1,3des-sha1"; static const char firewall_defaults[] = "ipsec _updown iptables"; +static bool daemon_exists(char *daemon, char *path) +{ + struct stat st; + if (stat(path, &st) != 0) + { + plog("Disabling %sstart option, '%s' not found", daemon, path); + return FALSE; + } + return TRUE; +} + static void default_values(starter_config_t *cfg) { if (cfg == NULL) @@ -123,7 +137,7 @@ static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp) kw_token_t token = kw->entry->token; - if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST) + if ((int)token < KW_SETUP_FIRST || token > KW_SETUP_LAST) { plog("# unsupported keyword '%s' in config setup", kw->entry->name); cfg->err++; @@ -137,6 +151,21 @@ static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp) continue; } } + + /* verify the executables are actually available (some distros split + * packages but enabled both) */ +#ifdef START_CHARON + cfg->setup.charonstart = cfg->setup.charonstart && + daemon_exists("charon", CHARON_CMD); +#else + cfg->setup.charonstart = FALSE; +#endif +#ifdef START_PLUTO + cfg->setup.plutostart = cfg->setup.plutostart && + daemon_exists("pluto", PLUTO_CMD); +#else + cfg->setup.plutostart = FALSE; +#endif } static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token, 
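Review bot: `daemon_exists()` only checks that `path` can be stat()ed, so a directory or a non-executable file at CHARON_CMD/PLUTO_CMD still leaves the start option enabled and the later exec fails much less clearly; `if (access(path, X_OK) != 0)` expresses the intent directly (`<unistd.h>` is already added by this commit), the `struct stat st` then goes away, and the message should read `'%s' not found or not executable`. Both parameters are only passed to stat()/plog() and receive string literals, so the signature should be `static bool daemon_exists(const char *daemon, const char *path)`. The rest of load_setup() is outside this hunk.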
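Review bot: The `(int)token < KW_SETUP_FIRST` cast in load_setup() has no comment saying why it is needed; if kw_token_t is an unsigned enum and KW_SETUP_FIRST is 0 (which the warning the cast presumably silences suggests), the lower-bound test can never be true, so it is worth either a comment such as `/* cast: kw_token_t is unsigned, keep the range check meaningful if KW_SETUP_FIRST moves */` or dropping the test. That is inferred from the cast alone and should be confirmed against keywords.h, which is outside this hunk.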
@@ -155,6 +184,70 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token, /* post processing of some keywords that were assigned automatically */ switch (token) { + case KW_HOST: + free(end->host); + end->host = NULL; + if (streq(value, "%defaultroute")) + { + if (cfg->defaultroute.defined) + { + end->addr = cfg->defaultroute.addr; + end->nexthop = cfg->defaultroute.nexthop; + } + else if (!cfg->defaultroute.supported) + { + plog("%%defaultroute not supported, fallback to %%any"); + } + else + { + plog("# default route not known: %s=%s", name, value); + goto err; + } + } + else if (streq(value, "%any") || streq(value, "%any4")) + { + anyaddr(conn->addr_family, &end->addr); + } + else if (streq(value, "%any6")) + { + conn->addr_family = AF_INET6; + anyaddr(conn->addr_family, &end->addr); + } + else if (streq(value, "%group")) + { + ip_address any; + + conn->policy |= POLICY_GROUP | POLICY_TUNNEL; + anyaddr(conn->addr_family, &end->addr); + anyaddr(conn->tunnel_addr_family, &any); + end->has_client = TRUE; + } + else + { + /* check for allow_any prefix */ + if (value[0] == '%') + { + end->allow_any = TRUE; + value++; + } + conn->addr_family = ip_version(value); + ugh = ttoaddr(value, 0, conn->addr_family, &end->addr); + if (ugh != NULL) + { + plog("# bad addr: %s=%s [%s]", name, value, ugh); + if (streq(ugh, "does not look numeric and name lookup failed")) + { + end->dns_failed = TRUE; + anyaddr(conn->addr_family, &end->addr); + } + else + { + goto err; + } + } + end->host = clone_str(value); + } + break; case KW_SUBNET: if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0) || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0)) 
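Review bot: The `free(end->host); end->host = NULL;` at the top of the new KW_HOST case discards the value assign_arg() just stored there (KW_HOST is now an ARG_STR entry in args.c), and only the final plain-address/FQDN branch stores it again via `clone_str(value)`; nothing says so, and a reader will take the free() for a leak fix. Suggest, above the free, `/* assign_arg() stored the raw value; keep end->host only for real addresses/names, not for %-magic values, so later code can tell the two apart */`. The same comment should note that in the allow_any branch `value` has already been advanced past the `%`, so the retained host string deliberately lacks the prefix. kw_end() starts and ends outside this hunk.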
@@ -264,67 +357,6 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token, /* individual processing of keywords that were not assigned automatically */ switch (token) { - case KW_HOST: - if (streq(value, "%defaultroute")) - { - if (cfg->defaultroute.defined) - { - end->addr = cfg->defaultroute.addr; - end->nexthop = cfg->defaultroute.nexthop; - } - else if (!cfg->defaultroute.supported) - { - plog("%%defaultroute not supported, fallback to %%any"); - } - else - { - plog("# default route not known: %s=%s", name, value); - goto err; - } - } - else if (streq(value, "%any") || streq(value, "%any4")) - { - anyaddr(conn->addr_family, &end->addr); - } - else if (streq(value, "%any6")) - { - conn->addr_family = AF_INET6; - anyaddr(conn->addr_family, &end->addr); - } - else if (streq(value, "%group")) - { - ip_address any; - - conn->policy |= POLICY_GROUP | POLICY_TUNNEL; - anyaddr(conn->addr_family, &end->addr); - anyaddr(conn->tunnel_addr_family, &any); - end->has_client = TRUE; - } - else - { - /* check for allow_any prefix */ - if (value[0] == '%') - { - end->allow_any = TRUE; - value++; - } - conn->addr_family = ip_version(value); - ugh = ttoaddr(value, 0, conn->addr_family, &end->addr); - if (ugh != NULL) - { - plog("# bad addr: %s=%s [%s]", name, value, ugh); - if (streq(ugh, "does not look numeric and name lookup failed")) - { - end->dns_failed = TRUE; - anyaddr(conn->addr_family, &end->addr); - } - else - { - goto err; - } - } - } - break; case KW_NEXTHOP: if (streq(value, "%defaultroute")) { @@ -425,7 +457,7 @@ err: * handles left|right=<FQDN> DNS resolution failure */ static void handle_dns_failure(const char *label, starter_end_t *end, - starter_config_t *cfg) + starter_config_t *cfg, starter_conn_t *conn) { if (end->dns_failed) { 
@@ -434,7 +466,7 @@ static void handle_dns_failure(const char *label, starter_end_t *end, plog("# fallback to %s=%%any due to '%%' prefix or %sallowany=yes", label, label); } - else + else if (!end->host || conn->keyexchange == KEY_EXCHANGE_IKEV1) { /* declare an error */ cfg->err++; @@ -609,7 +641,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg case KW_AUTHBY: conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT); - if (!(streq(kw->value, "never") || streq(kw->value, "eap"))) + if (!streq(kw->value, "never")) { char *value = kw->value; char *second = strchr(kw->value, '|'); @@ -636,7 +668,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg { conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT; } - else if (streq(value, "xauthpsk")) + else if (streq(value, "xauthpsk") || streq(value, "eap")) { conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT; } @@ -762,8 +794,8 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg } } - handle_dns_failure("left", &conn->left, cfg); - handle_dns_failure("right", &conn->right, cfg); + handle_dns_failure("left", &conn->left, cfg, conn); + handle_dns_failure("right", &conn->right, cfg, conn); handle_firewall("left", &conn->left, cfg); handle_firewall("right", &conn->right, cfg); } diff --git a/src/starter/confread.h b/src/starter/confread.h index 4f9c5f7d0..9cb919ce5 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -20,7 +20,7 @@ #include <freeswan.h> #endif -#include "parser.h" +#include "ipsec-parser.h" #include "interfaces.h" typedef enum { @@ -66,6 +66,7 @@ struct starter_end { char *groups; char *cert_policy; char *iface; + char *host; ip_address addr; u_int ikeport; ip_address nexthop; @@ -143,6 +144,8 @@ struct starter_conn { dpd_action_t dpd_action; int dpd_count; + dpd_action_t close_action; + time_t inactivity; bool me_mediation; 
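Review bot: The relaxed condition `else if (!end->host || conn->keyexchange == KEY_EXCHANGE_IKEV1)` in handle_dns_failure() now lets a connection with an unresolvable peer name through for anything other than IKEv1, and the reason is not stated; the intent is presumably that charon re-resolves the retained end->host at initiation time, so add `/* IKEv2: charon resolves the kept host name itself; an unresolved FQDN is only fatal for IKEv1 (pluto) or when no name was kept */` and confirm that against the charon side. The first hunk's `authby` change maps `eap` onto `POLICY_XAUTH_PSK | POLICY_ENCRYPT` in the third hunk, which also deserves a one-line comment since an EAP conn is not a PSK conn and the old code explicitly excluded `eap`. handle_dns_failure() and load_conn() both start outside these hunks.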
@@ -195,12 +198,12 @@ struct starter_config { char *plutostderrlog; bool uniqueids; u_int overridemtu; - u_int crlcheckinterval; + time_t crlcheckinterval; bool cachecrls; strict_t strictcrlpolicy; bool nocrsend; bool nat_traversal; - u_int keep_alive; + time_t keep_alive; u_int force_keepalive; char *virtual_private; char *pkcs11module; diff --git a/src/starter/files.h b/src/starter/files.h index ec41c9f2e..88857c0b2 100644 --- a/src/starter/files.h +++ b/src/starter/files.h @@ -33,7 +33,6 @@ #define CHARON_PID_FILE IPSEC_PIDDIR "/charon.pid" #define DYNIP_DIR IPSEC_PIDDIR "/dynip" -#define INFO_FILE IPSEC_PIDDIR "/ipsec.info" #endif /* _STARTER_FILES_H_ */ diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c index f91f4b6c9..70c0692ea 100644 --- a/src/starter/invokepluto.c +++ b/src/starter/invokepluto.c @@ -173,6 +173,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb) ADD_DEBUG("control") ADD_DEBUG("lifecycle") ADD_DEBUG("klips") + ADD_DEBUG("kernel") ADD_DEBUG("dns") ADD_DEBUG("natt") ADD_DEBUG("oppo") @@ -183,7 +184,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb) static char buf1[15]; arg[argc++] = "--crlcheckinterval"; - snprintf(buf1, sizeof(buf1), "%u", cfg->setup.crlcheckinterval); + snprintf(buf1, sizeof(buf1), "%d", (int)cfg->setup.crlcheckinterval); arg[argc++] = buf1; } if (cfg->setup.cachecrls) @@ -211,7 +212,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb) static char buf2[15]; arg[argc++] = "--keep_alive"; - snprintf(buf2, sizeof(buf2), "%u", cfg->setup.keep_alive); + snprintf(buf2, sizeof(buf2), "%d", (int)cfg->setup.keep_alive); arg[argc++] = buf2; } if (cfg->setup.virtual_private) diff --git a/src/starter/ipsec-parser.h b/src/starter/ipsec-parser.h new file mode 100644 index 000000000..1c6cf20ef --- /dev/null +++ b/src/starter/ipsec-parser.h 
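Review bot: `snprintf(buf1, sizeof(buf1), "%d", (int)cfg->setup.crlcheckinterval)` in invokepluto.c truncates the field, now a `time_t`, to int, so an out-of-range value reaches pluto as a wrong and possibly negative `--crlcheckinterval`; the `keep_alive`/buf2 hunk has the same issue. Either reject values above INT_MAX where the keyword is parsed, or print with `"%lld", (long long)…` and size the buffer for 20 digits plus sign and NUL (buf1 and buf2 are 15 bytes, enough for an int only). The surrounding argument-building code in starter_start_pluto() is outside these hunks.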
@@ -0,0 +1,55 @@ +/* strongSwan config file parser + * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef _IPSEC_PARSER_H_ +#define _IPSEC_PARSER_H_ + +#include "keywords.h" + +typedef struct kw_entry kw_entry_t; + +struct kw_entry { + char *name; + kw_token_t token; +}; + +typedef struct kw_list kw_list_t; + +struct kw_list { + kw_entry_t *entry; + char *value; + kw_list_t *next; +}; + +typedef struct section_list section_list_t; + +struct section_list { + char *name; + kw_list_t *kw; + section_list_t *next; +}; + +typedef struct config_parsed config_parsed_t; + +struct config_parsed { + kw_list_t *config_setup; + section_list_t *conn_first, *conn_last; + section_list_t *ca_first, *ca_last; +}; + +config_parsed_t *parser_load_conf (const char *file); +void parser_free_conf (config_parsed_t *cfg); + +#endif /* _IPSEC_PARSER_H_ */ + diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 340b7131d..edb55ae7f 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -54,12 +54,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 130 +#define TOTAL_KEYWORDS 131 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 18 -#define MAX_HASH_VALUE 249 -/* maximum key range = 232, duplicates = 0 */ +#define MIN_HASH_VALUE 9 +#define MAX_HASH_VALUE 246 +/* maximum key range = 238, duplicates = 0 */ #ifdef __GNUC__ __inline 
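Review bot: `struct kw_entry` is defined here and, with the same two members, again in keywords.c (see the `struct kw_entry { kw_token_t token; };` context of the first keywords.c hunk); two hand-maintained copies of one layout drift silently, so keywords.txt's prologue should include this header rather than redefine it. `parser_load_conf()` and `parser_free_conf()` have no statement of ownership or failure behaviour; a comment such as `/* parses FILE into a newly allocated tree; release it with parser_free_conf(); document the error return here */` belongs above the prototypes, with the error case filled in from parser.y. `kw_entry.name` is a `char *` although it presumably points at gperf's read-only wordlist; `const char *` would let the compiler enforce that.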
@@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 11, - 125, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 20, 250, 18, 6, 55, - 59, 3, 9, 3, 92, 3, 250, 147, 71, 12, - 29, 83, 38, 4, 13, 3, 8, 80, 3, 250, - 250, 12, 9, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, - 250, 250, 250, 250, 250, 250 + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 12, + 126, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 51, 247, 11, 1, 92, + 43, 0, 6, 0, 110, 0, 247, 120, 56, 37, + 27, 72, 43, 1, 16, 0, 5, 75, 1, 247, + 247, 11, 5, 247, 247, 
247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, + 247, 247, 247, 247, 247, 247 }; register int hval = len; 
@@ -126,162 +126,163 @@ static const struct kw_entry wordlist[] = {"pfs", KW_PFS}, {"right", KW_RIGHT}, {"rightgroups", KW_RIGHTGROUPS}, - {"left", KW_LEFT}, {"lifetime", KW_KEYLIFE}, + {"left", KW_LEFT}, {"rightsubnet", KW_RIGHTSUBNET}, {"rightikeport", KW_RIGHTIKEPORT}, {"rightsendcert", KW_RIGHTSENDCERT}, {"leftcert", KW_LEFTCERT}, + {"keep_alive", KW_KEEP_ALIVE}, {"keyingtries", KW_KEYINGTRIES}, - {"keylife", KW_KEYLIFE}, {"leftsendcert", KW_LEFTSENDCERT}, + {"keylife", KW_KEYLIFE}, {"lifebytes", KW_LIFEBYTES}, - {"keep_alive", KW_KEEP_ALIVE}, - {"leftgroups", KW_LEFTGROUPS}, + {"lifepackets", KW_LIFEPACKETS}, {"leftrsasigkey", KW_LEFTRSASIGKEY}, {"leftcertpolicy", KW_LEFTCERTPOLICY}, - {"certuribase", KW_CERTURIBASE}, - {"lifepackets", KW_LIFEPACKETS}, - {"rightrsasigkey", KW_RIGHTRSASIGKEY}, - {"leftprotoport", KW_LEFTPROTOPORT}, - {"uniqueids", KW_UNIQUEIDS}, + {"leftgroups", KW_LEFTGROUPS}, + {"leftca", KW_LEFTCA}, {"rightallowany", KW_RIGHTALLOWANY}, + {"uniqueids", KW_UNIQUEIDS}, + {"leftprotoport", KW_LEFTPROTOPORT}, + {"rightrsasigkey", KW_RIGHTRSASIGKEY}, {"virtual_private", KW_VIRTUAL_PRIVATE}, - {"leftca", KW_LEFTCA}, + {"certuribase", KW_CERTURIBASE}, {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, - {"strictcrlpolicy", KW_STRICTCRLPOLICY}, - {"type", KW_TYPE}, {"interfaces", KW_INTERFACES}, + {"reqid", KW_REQID}, + {"rightid", KW_RIGHTID}, + {"strictcrlpolicy", KW_STRICTCRLPOLICY}, {"rightsourceip", KW_RIGHTSOURCEIP}, + {"type", KW_TYPE}, + {"inactivity", KW_INACTIVITY}, {"leftnexthop", KW_LEFTNEXTHOP}, - {"rightprotoport", KW_RIGHTPROTOPORT}, {"mark_in", KW_MARK_IN}, - {"reqid", KW_REQID}, - {"inactivity", KW_INACTIVITY}, + {"rightprotoport", KW_RIGHTPROTOPORT}, {"margintime", KW_REKEYMARGIN}, {"marginbytes", KW_MARGINBYTES}, - {"rightid", KW_RIGHTID}, {"marginpackets", KW_MARGINPACKETS}, {"leftnatip", KW_LEFTNATIP}, - {"rightcert", KW_RIGHTCERT}, - {"ocspuri", KW_OCSPURI}, - {"esp", KW_ESP}, - {"rightnatip", KW_RIGHTNATIP}, - {"keyexchange", 
KW_KEYEXCHANGE}, - {"rightnexthop", KW_RIGHTNEXTHOP}, - {"rightca", KW_RIGHTCA}, - {"rightcertpolicy", KW_RIGHTCERTPOLICY}, - {"leftupdown", KW_LEFTUPDOWN}, - {"ocspuri1", KW_OCSPURI}, {"mediated_by", KW_MEDIATED_BY}, - {"me_peerid", KW_ME_PEERID}, - {"cacert", KW_CACERT}, - {"crluri", KW_CRLURI}, - {"eap", KW_EAP}, + {"ldapbase", KW_LDAPBASE}, {"leftfirewall", KW_LEFTFIREWALL}, {"rightfirewall", KW_RIGHTFIREWALL}, - {"overridemtu", KW_OVERRIDEMTU}, + {"crluri", KW_CRLURI}, {"mobike", KW_MOBIKE}, - {"packetdefault", KW_PACKETDEFAULT}, - {"crluri1", KW_CRLURI}, - {"ldapbase", KW_LDAPBASE}, - {"leftallowany", KW_LEFTALLOWANY}, + {"rightnatip", KW_RIGHTNATIP}, + {"rightnexthop", KW_RIGHTNEXTHOP}, {"mediation", KW_MEDIATION}, - {"compress", KW_COMPRESS}, - {"leftsubnet", KW_LEFTSUBNET}, + {"leftallowany", KW_LEFTALLOWANY}, + {"leftupdown", KW_LEFTUPDOWN}, + {"overridemtu", KW_OVERRIDEMTU}, + {"aaa_identity", KW_AAA_IDENTITY}, + {"esp", KW_ESP}, + {"crluri1", KW_CRLURI}, {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"leftsubnet", KW_LEFTSUBNET}, + {"leftid", KW_LEFTID}, {"forceencaps", KW_FORCEENCAPS}, - {"dumpdir", KW_DUMPDIR}, - {"righthostaccess", KW_RIGHTHOSTACCESS}, - {"authby", KW_AUTHBY}, - {"aaa_identity", KW_AAA_IDENTITY}, - {"tfc", KW_TFC}, + {"eap", KW_EAP}, {"nat_traversal", KW_NAT_TRAVERSAL}, - {"rightauth", KW_RIGHTAUTH}, - {"rightupdown", KW_RIGHTUPDOWN}, - {"dpdtimeout", KW_DPDTIMEOUT}, + {"me_peerid", KW_ME_PEERID}, + {"rightcert", KW_RIGHTCERT}, {"installpolicy", KW_INSTALLPOLICY}, + {"authby", KW_AUTHBY}, + {"klipsdebug", KW_KLIPSDEBUG}, + {"rightca", KW_RIGHTCA}, {"mark_out", KW_MARK_OUT}, - {"fragicmp", KW_FRAGICMP}, - {"force_keepalive", KW_FORCE_KEEPALIVE}, - {"leftid", KW_LEFTID}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, + {"rightupdown", KW_RIGHTUPDOWN}, + {"keyexchange", KW_KEYEXCHANGE}, + {"ocspuri", KW_OCSPURI}, + {"compress", KW_COMPRESS}, + {"rightcertpolicy", KW_RIGHTCERTPOLICY}, + {"cacert", KW_CACERT}, {"eap_identity", KW_EAP_IDENTITY}, 
- {"cachecrls", KW_CACHECRLS}, - {"pfsgroup", KW_PFSGROUP}, - {"rightid2", KW_RIGHTID2}, - {"dpdaction", KW_DPDACTION}, - {"xauth_identity", KW_XAUTH_IDENTITY}, - {"leftsourceip", KW_LEFTSOURCEIP}, - {"klipsdebug", KW_KLIPSDEBUG}, - {"leftcert2", KW_LEFTCERT2}, - {"charondebug", KW_CHARONDEBUG}, {"hidetos", KW_HIDETOS}, {"ike", KW_IKE}, - {"charonstart", KW_CHARONSTART}, - {"rightauth2", KW_RIGHTAUTH2}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, + {"righthostaccess", KW_RIGHTHOSTACCESS}, + {"packetdefault", KW_PACKETDEFAULT}, + {"dpdaction", KW_DPDACTION}, + {"ocspuri1", KW_OCSPURI}, + {"pfsgroup", KW_PFSGROUP}, + {"rightauth", KW_RIGHTAUTH}, {"also", KW_ALSO}, - {"leftca2", KW_LEFTCA2}, + {"leftsourceip", KW_LEFTSOURCEIP}, + {"rightid2", KW_RIGHTID2}, + {"dumpdir", KW_DUMPDIR}, {"rekey", KW_REKEY}, - {"plutostderrlog", KW_PLUTOSTDERRLOG}, - {"plutostart", KW_PLUTOSTART}, {"ikelifetime", KW_IKELIFETIME}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, - {"auto", KW_AUTO}, + {"dpdtimeout", KW_DPDTIMEOUT}, {"ldaphost", KW_LDAPHOST}, {"rekeyfuzz", KW_REKEYFUZZ}, + {"leftcert2", KW_LEFTCERT2}, {"leftikeport", KW_LEFTIKEPORT}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, + {"plutostderrlog", KW_PLUTOSTDERRLOG}, + {"plutostart", KW_PLUTOSTART}, + {"rightauth2", KW_RIGHTAUTH2}, + {"leftca2", KW_LEFTCA2}, {"mark", KW_MARK}, - {"auth", KW_AUTH}, - {"prepluto", KW_PREPLUTO}, + {"force_keepalive", KW_FORCE_KEEPALIVE}, + {"auto", KW_AUTO}, + {"charondebug", KW_CHARONDEBUG}, {"dpddelay", KW_DPDDELAY}, + {"xauth_identity", KW_XAUTH_IDENTITY}, + {"charonstart", KW_CHARONSTART}, + {"fragicmp", KW_FRAGICMP}, + {"prepluto", KW_PREPLUTO}, + {"closeaction", KW_CLOSEACTION}, + {"leftid2", KW_LEFTID2}, + {"plutodebug", KW_PLUTODEBUG}, + {"tfc", KW_TFC}, + {"auth", KW_AUTH}, + {"rekeymargin", KW_REKEYMARGIN}, + {"modeconfig", KW_MODECONFIG}, {"leftauth", KW_LEFTAUTH}, - {"rightca2", KW_RIGHTCA2}, {"xauth", KW_XAUTH}, - {"rightcert2", KW_RIGHTCERT2}, - {"rekeymargin", KW_REKEYMARGIN}, - 
{"leftid2", KW_LEFTID2}, - {"ocspuri2", KW_OCSPURI2}, - {"nocrsend", KW_NOCRSEND}, - {"reauth", KW_REAUTH}, + {"cachecrls", KW_CACHECRLS}, {"crluri2", KW_CRLURI2}, - {"plutodebug", KW_PLUTODEBUG}, + {"postpluto", KW_POSTPLUTO}, + {"nocrsend", KW_NOCRSEND}, {"leftauth2", KW_LEFTAUTH2}, + {"rightca2", KW_RIGHTCA2}, + {"rightcert2", KW_RIGHTCERT2}, {"pkcs11module", KW_PKCS11MODULE}, + {"reauth", KW_REAUTH}, {"pkcs11initargs", KW_PKCS11INITARGS}, {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"pkcs11proxy", KW_PKCS11PROXY}, - {"modeconfig", KW_MODECONFIG}, - {"postpluto", KW_POSTPLUTO} + {"ocspuri2", KW_OCSPURI2}, + {"pkcs11proxy", KW_PKCS11PROXY} }; static const short lookup[] = { - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, - -1, -1, -1, 2, 3, -1, 4, -1, 5, 6, - 7, 8, 9, -1, 10, 11, 12, 13, 14, -1, - 15, 16, -1, 17, 18, 19, 20, 21, -1, 22, - -1, -1, 23, -1, 24, 25, 26, 27, -1, 28, - 29, -1, -1, -1, 30, -1, 31, -1, -1, -1, - 32, 33, 34, 35, 36, 37, 38, 39, 40, -1, - -1, 41, 42, 43, 44, 45, 46, -1, 47, 48, - 49, -1, -1, 50, 51, 52, 53, 54, 55, 56, - 57, 58, 59, -1, -1, 60, 61, 62, 63, 64, - 65, -1, 66, 67, -1, 68, 69, -1, 70, 71, - -1, -1, 72, 73, -1, 74, 75, 76, 77, -1, - 78, -1, 79, -1, 80, -1, 81, 82, -1, 83, - 84, 85, 86, 87, 88, 89, 90, -1, -1, 91, - -1, -1, -1, 92, -1, 93, 94, -1, 95, 96, - -1, 97, 98, -1, -1, -1, -1, 99, -1, -1, - -1, 100, 101, 102, 103, 104, 105, 106, 107, -1, - -1, -1, 108, -1, 109, -1, -1, 110, 111, -1, - -1, -1, 112, -1, 113, 114, 115, -1, -1, -1, - -1, -1, 116, 117, 118, -1, -1, -1, 119, -1, - -1, 120, -1, -1, -1, -1, -1, -1, -1, 121, - -1, -1, -1, 122, -1, -1, 123, -1, 124, -1, - 125, 126, -1, -1, -1, -1, 127, -1, 128, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, 129 + -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, + 1, 2, -1, -1, 3, 4, 5, 6, 7, 8, + -1, 9, 10, 11, 12, -1, 13, -1, 14, -1, + 15, 16, 17, -1, 18, 19, 20, -1, -1, -1, + 21, 22, 23, 24, 25, -1, -1, -1, 26, 27, + 28, -1, 29, -1, -1, -1, 30, -1, 31, 32, + 
33, 34, 35, -1, 36, 37, -1, 38, -1, 39, + 40, -1, -1, 41, 42, 43, -1, -1, 44, 45, + 46, -1, 47, -1, 48, 49, 50, 51, 52, 53, + -1, 54, 55, -1, -1, -1, 56, -1, 57, 58, + 59, 60, -1, 61, -1, -1, 62, 63, 64, 65, + 66, -1, 67, 68, 69, 70, -1, 71, 72, 73, + 74, -1, 75, 76, 77, 78, 79, 80, 81, 82, + 83, -1, 84, 85, 86, 87, 88, 89, 90, 91, + 92, 93, 94, -1, 95, 96, 97, 98, -1, -1, + 99, 100, -1, -1, 101, -1, 102, -1, -1, 103, + -1, 104, 105, -1, 106, -1, -1, -1, -1, -1, + 107, 108, -1, -1, -1, -1, -1, 109, -1, -1, + -1, -1, 110, -1, 111, -1, -1, -1, -1, -1, + -1, -1, -1, 112, 113, 114, -1, 115, -1, 116, + -1, 117, -1, -1, 118, 119, -1, -1, -1, 120, + -1, -1, -1, -1, -1, 121, 122, -1, -1, -1, + -1, -1, -1, -1, -1, -1, 123, -1, 124, -1, + -1, -1, -1, -1, -1, -1, 125, 126, 127, 128, + -1, -1, 129, -1, -1, -1, 130 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 9f46a8b4b..02be919ea 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -91,6 +91,7 @@ typedef enum { KW_DPDDELAY, KW_DPDTIMEOUT, KW_DPDACTION, + KW_CLOSEACTION, KW_INACTIVITY, KW_MODECONFIG, KW_XAUTH, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 2c0e5de3d..548fa2f70 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -82,6 +82,7 @@ pfsgroup, KW_PFSGROUP dpddelay, KW_DPDDELAY dpdtimeout, KW_DPDTIMEOUT dpdaction, KW_DPDACTION +closeaction, KW_CLOSEACTION inactivity, KW_INACTIVITY modeconfig, KW_MODECONFIG xauth, KW_XAUTH diff --git a/src/starter/lex.yy.c b/src/starter/lexer.c index 13bf87f0b..f093354d5 100644 --- a/src/starter/lex.yy.c +++ b/src/starter/lexer.c @@ -1,5 +1,5 @@ -#line 3 "lex.yy.c" +#line 3 "lexer.c" #define YY_INT_ALIGNED short int 
@@ -487,9 +487,9 @@ int yy_flex_debug = 0; #define YY_MORE_ADJ 0 #define YY_RESTORE_YY_MORE_OFFSET char *yytext; -#line 1 "./parser.l" +#line 1 "lexer.l" #define YY_NO_INPUT 1 -#line 4 "./parser.l" +#line 4 "lexer.l" /* FreeS/WAN config file parser (parser.l) * Copyright (C) 2001 Mathieu Lafon - Arkoon Network Security * @@ -506,9 +506,12 @@ char *yytext; #include <string.h> #include <stdlib.h> + +#ifdef HAVE_GLOB_H #include <glob.h> +#endif -#include "y.tab.h" +#include "parser.h" #define MAX_INCLUDE_DEPTH 20 
@@ -561,65 +564,86 @@ void _parser_y_fini (void) yylex_destroy(); } -int _parser_y_include (const char *filename) +/** + * parse the file located at filename + */ +int include_file(char *filename) { - glob_t files; - int i, ret; + unsigned int p = __parser_y_private.stack_ptr + 1; + FILE *f; - ret = glob(filename, GLOB_ERR, NULL, &files); - if (ret) + if (p >= MAX_INCLUDE_DEPTH) { - const char *err; - - switch (ret) - { - case GLOB_NOSPACE: - err = "include files ran out of memory"; - break; - case GLOB_ABORTED: - err = "include files aborted due to read error"; - break; - case GLOB_NOMATCH: - err = "include files found no matches"; - break; - default: - err = "unknown include files error"; - } - yyerror(err); + yyerror("max inclusion depth reached"); return 1; } - for (i = 0; i < files.gl_pathc; i++) + f = fopen(filename, "r"); + if (!f) + { + yyerror("can't open include filename"); + return 0; /* ignore this error */ + } + + __parser_y_private.stack_ptr++; + __parser_y_private.file[p] = f; + __parser_y_private.stack[p] = YY_CURRENT_BUFFER; + __parser_y_private.line[p] = 1; + __parser_y_private.filename[p] = strdup(filename); + + yy_switch_to_buffer(yy_create_buffer(f,YY_BUF_SIZE)); + return 0; +} + +int _parser_y_include (const char *filename) +{ + int ret = 0; +#ifdef HAVE_GLOB_H { - FILE *f; - unsigned int p = __parser_y_private.stack_ptr + 1; + glob_t files; + int i; - if (p >= MAX_INCLUDE_DEPTH) + ret = glob(filename, GLOB_ERR, NULL, &files); + if (ret) { - yyerror("max inclusion depth reached"); + const char *err; + + switch (ret) + { + case GLOB_NOSPACE: + err = "include files ran out of memory"; + break; + case GLOB_ABORTED: + err = "include files aborted due to read error"; + break; + case GLOB_NOMATCH: + err = "include files found no matches"; + break; + default: + err = "unknown include files error"; + } + globfree(&files); + yyerror(err); return 1; } - f = fopen(files.gl_pathv[i], "r"); - if (!f) + for (i = 0; i < files.gl_pathc; i++) { - 
yyerror("can't open include filename"); - continue; + if ((ret = include_file(files.gl_pathv[i]))) + { + break; + } } - - __parser_y_private.stack_ptr++; - __parser_y_private.file[p] = f; - __parser_y_private.stack[p] = YY_CURRENT_BUFFER; - __parser_y_private.line[p] = 1; - __parser_y_private.filename[p] = strdup(files.gl_pathv[i]); - - yy_switch_to_buffer(yy_create_buffer(f,YY_BUF_SIZE)); + globfree(&files); } - globfree(&files); - return 0; +#else /* HAVE_GLOB_H */ + /* if glob(3) is not available, try to load pattern directly */ + ret = include_file(filename); +#endif /* HAVE_GLOB_H */ + return ret; } -#line 623 "lex.yy.c" +#line 647 "lexer.c" #define INITIAL 0 @@ -807,10 +831,10 @@ YY_DECL register char *yy_cp, *yy_bp; register int yy_act; -#line 135 "./parser.l" +#line 159 "lexer.l" -#line 814 "lex.yy.c" +#line 838 "lexer.c" if ( !(yy_init) ) { @@ -895,7 +919,7 @@ do_action: /* This label is used only to access EOF actions. */ goto yy_find_action; case YY_STATE_EOF(INITIAL): -#line 137 "./parser.l" +#line 161 "lexer.l" { if (__parser_y_private.filename[__parser_y_private.stack_ptr]) { free(__parser_y_private.filename[__parser_y_private.stack_ptr]); @@ -915,23 +939,23 @@ case YY_STATE_EOF(INITIAL): YY_BREAK case 1: YY_RULE_SETUP -#line 154 "./parser.l" +#line 178 "lexer.l" return FIRST_SPACES; YY_BREAK case 2: YY_RULE_SETUP -#line 156 "./parser.l" +#line 180 "lexer.l" /* ignore spaces in line */ ; YY_BREAK case 3: YY_RULE_SETUP -#line 158 "./parser.l" +#line 182 "lexer.l" return EQUAL; YY_BREAK case 4: /* rule 4 can match eol */ YY_RULE_SETUP -#line 160 "./parser.l" +#line 184 "lexer.l" { __parser_y_private.line[__parser_y_private.stack_ptr]++; return EOL; 
@@ -939,37 +963,37 @@ YY_RULE_SETUP YY_BREAK case 5: YY_RULE_SETUP -#line 165 "./parser.l" +#line 189 "lexer.l" return CONFIG; YY_BREAK case 6: YY_RULE_SETUP -#line 166 "./parser.l" +#line 190 "lexer.l" return SETUP; YY_BREAK case 7: YY_RULE_SETUP -#line 167 "./parser.l" +#line 191 "lexer.l" return CONN; YY_BREAK case 8: YY_RULE_SETUP -#line 168 "./parser.l" +#line 192 "lexer.l" return CA; YY_BREAK case 9: YY_RULE_SETUP -#line 169 "./parser.l" +#line 193 "lexer.l" return INCLUDE; YY_BREAK case 10: YY_RULE_SETUP -#line 170 "./parser.l" +#line 194 "lexer.l" return FILE_VERSION; YY_BREAK case 11: YY_RULE_SETUP -#line 172 "./parser.l" +#line 196 "lexer.l" { yylval.s = strdup(yytext); return STRING; @@ -977,7 +1001,7 @@ YY_RULE_SETUP YY_BREAK case 12: YY_RULE_SETUP -#line 177 "./parser.l" +#line 201 "lexer.l" { yylval.s = strdup(yytext+1); if (yylval.s) yylval.s[strlen(yylval.s)-1]='\0'; @@ -986,15 +1010,15 @@ YY_RULE_SETUP YY_BREAK case 13: YY_RULE_SETUP -#line 183 "./parser.l" +#line 207 "lexer.l" yyerror(yytext); YY_BREAK case 14: YY_RULE_SETUP -#line 185 "./parser.l" +#line 209 "lexer.l" ECHO; YY_BREAK -#line 998 "lex.yy.c" +#line 1022 "lexer.c" case YY_END_OF_BUFFER: { @@ -1956,7 +1980,7 @@ void yyfree (void * ptr ) #define YYTABLES_NAME "yytables" -#line 185 "./parser.l" +#line 209 "lexer.l" diff --git a/src/starter/parser.l b/src/starter/lexer.l index c45847c5c..734776a74 100644 --- a/src/starter/parser.l +++ b/src/starter/lexer.l @@ -17,9 +17,12 @@ #include <string.h> #include <stdlib.h> + +#ifdef HAVE_GLOB_H #include <glob.h> +#endif -#include "y.tab.h" +#include "parser.h" #define MAX_INCLUDE_DEPTH 20 
@@ -72,62 +75,83 @@ void _parser_y_fini (void) yylex_destroy(); } -int _parser_y_include (const char *filename) +/** + * parse the file located at filename + */ +int include_file(char *filename) { - glob_t files; - int i, ret; + unsigned int p = __parser_y_private.stack_ptr + 1; + FILE *f; - ret = glob(filename, GLOB_ERR, NULL, &files); - if (ret) + if (p >= MAX_INCLUDE_DEPTH) { - const char *err; - - switch (ret) - { - case GLOB_NOSPACE: - err = "include files ran out of memory"; - break; - case GLOB_ABORTED: - err = "include files aborted due to read error"; - break; - case GLOB_NOMATCH: - err = "include files found no matches"; - break; - default: - err = "unknown include files error"; - } - yyerror(err); + yyerror("max inclusion depth reached"); return 1; } - for (i = 0; i < files.gl_pathc; i++) + f = fopen(filename, "r"); + if (!f) + { + yyerror("can't open include filename"); + return 0; /* ignore this error */ + } + + __parser_y_private.stack_ptr++; + __parser_y_private.file[p] = f; + __parser_y_private.stack[p] = YY_CURRENT_BUFFER; + __parser_y_private.line[p] = 1; + __parser_y_private.filename[p] = strdup(filename); + + yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE)); + return 0; +} + +int _parser_y_include (const char *filename) +{ + int ret = 0; +#ifdef HAVE_GLOB_H { - FILE *f; - unsigned int p = __parser_y_private.stack_ptr + 1; + glob_t files; + int i; - if (p >= MAX_INCLUDE_DEPTH) + ret = glob(filename, GLOB_ERR, NULL, &files); + if (ret) { - yyerror("max inclusion depth reached"); + const char *err; + + switch (ret) + { + case GLOB_NOSPACE: + err = "include files ran out of memory"; + break; + case GLOB_ABORTED: + err = "include files aborted due to read error"; + break; + case GLOB_NOMATCH: + err = "include files found no matches"; + break; + default: + err = "unknown include files error"; + } + globfree(&files); + yyerror(err); return 1; } - f = fopen(files.gl_pathv[i], "r"); - if (!f) + for (i = 0; i < files.gl_pathc; i++) { - yyerror("can't 
open include filename"); - continue; + if ((ret = include_file(files.gl_pathv[i]))) + { + break; + } } - - __parser_y_private.stack_ptr++; - __parser_y_private.file[p] = f; - __parser_y_private.stack[p] = YY_CURRENT_BUFFER; - __parser_y_private.line[p] = 1; - __parser_y_private.filename[p] = strdup(files.gl_pathv[i]); - - yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE)); + globfree(&files); } - globfree(&files); - return 0; +#else /* HAVE_GLOB_H */ + /* if glob(3) is not available, try to load pattern directly */ + ret = include_file(filename); +#endif /* HAVE_GLOB_H */ + return ret; } %} diff --git a/src/starter/netkey.c b/src/starter/netkey.c index e0449f0b2..6646195cb 100644 --- a/src/starter/netkey.c +++ b/src/starter/netkey.c @@ -17,6 +17,7 @@ #include <stdlib.h> #include <freeswan.h> +#include <hydra.h> #include "../pluto/constants.h" #include "../pluto/defs.h" @@ -66,18 +67,6 @@ starter_netkey_init(void) void starter_netkey_cleanup(void) { - if (system("ip xfrm state > /dev/null 2>&1") == 0) - { - ignore_result(system("ip xfrm state flush")); - ignore_result(system("ip xfrm policy flush")); - } - else if (system("type setkey > /dev/null 2>&1") == 0) - { - ignore_result(system("setkey -F")); - ignore_result(system("setkey -FP")); - } - else - { - plog("WARNING: cannot flush IPsec state/policy database"); - } + hydra->kernel_interface->flush_sas(hydra->kernel_interface); + hydra->kernel_interface->flush_policies(hydra->kernel_interface); } diff --git a/src/starter/y.tab.c b/src/starter/parser.c index 504b5589e..ef668027d 100644 --- a/src/starter/y.tab.c +++ b/src/starter/parser.c @@ -68,7 +68,7 @@ /* Copy the first part of user declarations. */ /* Line 189 of yacc.c */ -#line 1 "./parser.y" +#line 1 "parser.y" /* strongSwan config file parser (parser.y) * Copyright (C) 2001 Mathieu Lafon - Arkoon Network Security 
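Review bot: In the `#else` branch of `_parser_y_include()` the `const char *filename` parameter is passed to `include_file(char *filename)`, which discards the const qualifier (compilers warn about it) even though `include_file()` only hands the name to `fopen()` and `strdup()`. Declaring it `static int include_file(const char *filename)` removes the qualifier mismatch and stops a generically named helper from being exported as a global symbol of the lexer. The regenerated lexer.c hunk (`@@ -561,65 +564,86 @@`) carries the same change and should be regenerated from lexer.l rather than patched by hand. The new doc comment could also state the return contract, e.g. `/* returns 1 if the include depth limit is hit, 0 otherwise; an unreadable file is logged and skipped */`.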
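Review bot: `starter_netkey_cleanup()` discards whatever `flush_sas()` and `flush_policies()` report, so the warning the removed code emitted when the kernel state could not be flushed (`plog("WARNING: cannot flush IPsec state/policy database")`) has no counterpart and a failed flush at shutdown now leaves SAs and policies installed silently. If those kernel_interface methods return a status (they appear to, by analogy with the rest of the hydra API — confirm against libhydra's kernel_interface definition), check it and keep a `plog()` warning on failure. Replacing the `system("ip xfrm …")` / `setkey` invocations with the library interface is otherwise a welcome change, since it removes PATH-dependent shell execution from a daemon that runs as root.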
@@ -93,7 +93,7 @@ #include "../pluto/constants.h" #include "../pluto/defs.h" #include "../pluto/log.h" -#include "parser.h" +#include "ipsec-parser.h" #define YYERROR_VERBOSE #define ERRSTRING_LEN 256 @@ -123,7 +123,7 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len); /* Line 189 of yacc.c */ -#line 127 "y.tab.c" +#line 127 "parser.c" /* Enabling traces. */ #ifndef YYDEBUG @@ -182,12 +182,12 @@ typedef union YYSTYPE { /* Line 214 of yacc.c */ -#line 54 "./parser.y" +#line 54 "parser.y" char *s; /* Line 214 of yacc.c */ -#line 191 "y.tab.c" +#line 191 "parser.c" } YYSTYPE; # define YYSTYPE_IS_TRIVIAL 1 # define yystype YYSTYPE /* obsolescent; will be withdrawn */ @@ -199,7 +199,7 @@ typedef union YYSTYPE /* Line 264 of yacc.c */ -#line 203 "y.tab.c" +#line 203 "parser.c" #ifdef short # undef short @@ -1402,7 +1402,7 @@ yyreduce: case 4: /* Line 1455 of yacc.c */ -#line 71 "./parser.y" +#line 71 "parser.y" { free((yyvsp[(2) - (3)].s)); } @@ -1411,7 +1411,7 @@ yyreduce: case 5: /* Line 1455 of yacc.c */ -#line 75 "./parser.y" +#line 75 "parser.y" { _parser_kw = &(_parser_cfg->config_setup); _parser_kw_last = NULL; @@ -1421,7 +1421,7 @@ yyreduce: case 7: /* Line 1455 of yacc.c */ -#line 80 "./parser.y" +#line 80 "parser.y" { section_list_t *section = malloc_thing(section_list_t); @@ -1442,7 +1442,7 @@ yyreduce: case 9: /* Line 1455 of yacc.c */ -#line 96 "./parser.y" +#line 96 "parser.y" { section_list_t *section = malloc_thing(section_list_t); section->name = clone_str((yyvsp[(2) - (3)].s)); @@ -1462,7 +1462,7 @@ yyreduce: case 11: /* Line 1455 of yacc.c */ -#line 111 "./parser.y" +#line 111 "parser.y" { extern void _parser_y_include (const char *f); _parser_y_include((yyvsp[(2) - (2)].s)); @@ -1473,7 +1473,7 @@ yyreduce: case 16: /* Line 1455 of yacc.c */ -#line 126 "./parser.y" +#line 126 "parser.y" { kw_list_t *new; kw_entry_t *entry = in_word_set((yyvsp[(1) - (3)].s), strlen((yyvsp[(1) - (3)].s))); 
@@ -1503,7 +1503,7 @@ yyreduce: case 17: /* Line 1455 of yacc.c */ -#line 151 "./parser.y" +#line 151 "parser.y" { free((yyvsp[(1) - (2)].s)); } @@ -1512,7 +1512,7 @@ yyreduce: /* Line 1455 of yacc.c */ -#line 1516 "y.tab.c" +#line 1516 "parser.c" default: break; } YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc); @@ -1724,7 +1724,7 @@ yyreturn: /* Line 1675 of yacc.c */ -#line 157 "./parser.y" +#line 157 "parser.y" void yyerror(const char *s) diff --git a/src/starter/parser.h b/src/starter/parser.h index 1c6cf20ef..f0e666bb5 100644 --- a/src/starter/parser.h +++ b/src/starter/parser.h 
@@ -1,55 +1,88 @@ -/* strongSwan config file parser - * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef _IPSEC_PARSER_H_ -#define _IPSEC_PARSER_H_ - -#include "keywords.h" - -typedef struct kw_entry kw_entry_t; - -struct kw_entry { - char *name; - kw_token_t token; -}; - -typedef struct kw_list kw_list_t; - -struct kw_list { - kw_entry_t *entry; - char *value; - kw_list_t *next; -}; - -typedef struct section_list section_list_t; - -struct section_list { - char *name; - kw_list_t *kw; - section_list_t *next; -}; - -typedef struct config_parsed config_parsed_t; - -struct config_parsed { - kw_list_t *config_setup; - section_list_t *conn_first, *conn_last; - section_list_t *ca_first, *ca_last; -}; - -config_parsed_t *parser_load_conf (const char *file); -void parser_free_conf (config_parsed_t *cfg); - -#endif /* _IPSEC_PARSER_H_ */ + +/* A Bison parser, made by GNU Bison 2.4.1. */ + +/* Skeleton interface for Bison's Yacc-like parsers in C + + Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006 + Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* As a special exception, you may create a larger work that contains + part or all of the Bison parser skeleton and distribute that work + under terms of your choice, so long as that work isn't itself a + parser generator using the skeleton or a modified version thereof + as a parser skeleton. Alternatively, if you modify or redistribute + the parser skeleton itself, you may (at your option) remove this + special exception, which will cause the skeleton and the resulting + Bison output files to be licensed under the GNU General Public + License without this special exception. + + This special exception was added by the Free Software Foundation in + version 2.2 of Bison. */ + + +/* Tokens. */ +#ifndef YYTOKENTYPE +# define YYTOKENTYPE + /* Put the tokens into the symbol table, so that GDB and other debuggers + know about them. */ + enum yytokentype { + EQUAL = 258, + FIRST_SPACES = 259, + EOL = 260, + CONFIG = 261, + SETUP = 262, + CONN = 263, + CA = 264, + INCLUDE = 265, + FILE_VERSION = 266, + STRING = 267 + }; +#endif +/* Tokens. */ +#define EQUAL 258 +#define FIRST_SPACES 259 +#define EOL 260 +#define CONFIG 261 +#define SETUP 262 +#define CONN 263 +#define CA 264 +#define INCLUDE 265 +#define FILE_VERSION 266 +#define STRING 267 + + + + +#if ! defined YYSTYPE && ! 
defined YYSTYPE_IS_DECLARED +typedef union YYSTYPE +{ + +/* Line 1676 of yacc.c */ +#line 54 "parser.y" + char *s; + + +/* Line 1676 of yacc.c */ +#line 80 "parser.h" +} YYSTYPE; +# define YYSTYPE_IS_TRIVIAL 1 +# define yystype YYSTYPE /* obsolescent; will be withdrawn */ +# define YYSTYPE_IS_DECLARED 1 +#endif + +extern YYSTYPE yylval; + diff --git a/src/starter/parser.y b/src/starter/parser.y index b0b1f6f21..dfaec9ee8 100644 --- a/src/starter/parser.y +++ b/src/starter/parser.y @@ -22,7 +22,7 @@ #include "../pluto/constants.h" #include "../pluto/defs.h" #include "../pluto/log.h" -#include "parser.h" +#include "ipsec-parser.h" #define YYERROR_VERBOSE #define ERRSTRING_LEN 256 diff --git a/src/starter/starter.c b/src/starter/starter.c index fcef2f7ff..44e21431c 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -29,6 +29,7 @@ #include <freeswan.h> #include <library.h> +#include <hydra.h> #include "../pluto/constants.h" #include "../pluto/defs.h" 
@@ -161,60 +162,92 @@ static void fsig(int signal) } } +#ifdef GENERATE_SELFCERT static void generate_selfcert() { struct stat stb; - /* if ipsec.secrets file is missing then generate RSA default key pair */ - if (stat(SECRETS_FILE, &stb) != 0) - { - mode_t oldmask; - FILE *f; - uid_t uid = 0; - gid_t gid = 0; + /* if ipsec.secrets file is missing then generate RSA default key pair */ + if (stat(SECRETS_FILE, &stb) != 0) + { + mode_t oldmask; + FILE *f; + uid_t uid = 0; + gid_t gid = 0; #ifdef IPSEC_GROUP - { - char buf[1024]; - struct group group, *grp; + { + char buf[1024]; + struct group group, *grp; - if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp) - { - gid = grp->gr_gid; - } + if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp) + { + gid = grp->gr_gid; } + } #endif #ifdef IPSEC_USER - { - char buf[1024]; - struct passwd passwd, *pwp; + { + char buf[1024]; + struct passwd passwd, *pwp; - if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp) - { - uid = pwp->pw_uid; - } + if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp) + { + uid = pwp->pw_uid; } + } #endif - setegid(gid); - seteuid(uid); - ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet")); - seteuid(0); - setegid(0); + setegid(gid); + seteuid(uid); + ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet")); + seteuid(0); + setegid(0); + + /* ipsec.secrets is root readable only */ + oldmask = umask(0066); + + f = fopen(SECRETS_FILE, "w"); + if (f) + { + fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n"); + fprintf(f, "\n"); + fprintf(f, ": RSA myKey.der\n"); + fclose(f); + } + ignore_result(chown(SECRETS_FILE, uid, gid)); + umask(oldmask); + } +} +#endif /* GENERATE_SELFCERT */ - /* ipsec.secrets is root readable only */ - oldmask = umask(0066); +static bool check_pid(char *pid_file) +{ + struct stat stb; + FILE *pidfile; - f = fopen(SECRETS_FILE, "w"); - if 
(f) + if (stat(pid_file, &stb) == 0) + { + pidfile = fopen(pid_file, "r"); + if (pidfile) + { + char buf[64]; + pid_t pid = 0; + memset(buf, 0, sizeof(buf)); + if (fread(buf, 1, sizeof(buf), pidfile)) { - fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n"); - fprintf(f, "\n"); - fprintf(f, ": RSA myKey.der\n"); - fclose(f); + buf[sizeof(buf) - 1] = '\0'; + pid = atoi(buf); + } + fclose(pidfile); + if (pid && kill(pid, 0) == 0) + { /* such a process is running */ + return TRUE; } - ignore_result(chown(SECRETS_FILE, uid, gid)); - umask(oldmask); } + plog("removing pidfile '%s', process not running", pid_file); + unlink(pid_file); + } + return FALSE; } static void usage(char *name) @@ -233,7 +266,6 @@ int main (int argc, char **argv) struct stat stb; - char *err = NULL; int i; int id = 1; struct timeval tv; @@ -250,6 +282,9 @@ int main (int argc, char **argv) library_init(NULL); atexit(library_deinit); + libhydra_init("starter"); + atexit(libhydra_deinit); + /* parse command line */ for (i = 1; i < argc; i++) { @@ -323,17 +358,19 @@ int main (int argc, char **argv) exit(LSB_RC_NOT_ALLOWED); } - if (stat(PLUTO_PID_FILE, &stb) == 0) + if (check_pid(PLUTO_PID_FILE)) { - plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE); + plog("pluto is already running (%s exists) -- skipping pluto start", + PLUTO_PID_FILE); } else { _action_ |= FLAG_ACTION_START_PLUTO; } - if (stat(CHARON_PID_FILE, &stb) == 0) + if (check_pid(CHARON_PID_FILE)) { - plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE); + plog("charon is already running (%s exists) -- skipping charon start", + CHARON_PID_FILE); } else { 
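Review bot: `check_pid()` accepts any non-zero `atoi()` result, so a pid file containing a negative number makes `kill(pid, 0)` probe a process group (or, for -1, every process) and succeed, reporting the daemon as running and skipping its start; restrict the probe to real process ids with `if (pid > 0 && kill(pid, 0) == 0)`. `kill()` also fails with EPERM for a live process the caller may not signal, which here counts as "not running" and unlinks the file — acceptable if starter always runs as root, but worth a comment. A stale pid that has since been reused by an unrelated process is still reported as running; that limitation existed with the earlier `stat()`-only check as well and belongs in a header comment, e.g. `/* TRUE if pid_file names a live process; a stale file is removed. Reuse of the pid by another process is not detected. */`. The `generate_selfcert()` body in this hunk is only re-indented under `#ifdef GENERATE_SELFCERT`; its definition ends inside the hunk.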
@@ -375,14 +412,17 @@ int main (int argc, char **argv) last_reload = time_monotonic(NULL); - if (stat(STARTER_PID_FILE, &stb) == 0) + if (check_pid(STARTER_PID_FILE)) { - plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE); + plog("starter is already running (%s exists) -- no fork done", + STARTER_PID_FILE); confread_free(cfg); exit(LSB_RC_SUCCESS); } +#ifdef GENERATE_SELFCERT generate_selfcert(); +#endif /* fork if we're not debugging stuff */ if (!no_fork) @@ -393,8 +433,11 @@ int main (int argc, char **argv) { case 0: { - int fnull = open("/dev/null", O_RDWR); + int fnull; + closefrom(3); + + fnull = open("/dev/null", O_RDWR); if (fnull >= 0) { dup2(fnull, STDIN_FILENO); @@ -402,6 +445,7 @@ int main (int argc, char **argv) dup2(fnull, STDERR_FILENO); close(fnull); } + setsid(); } break; @@ -425,6 +469,13 @@ int main (int argc, char **argv) } } + /* load plugins */ + if (!lib->plugins->load(lib->plugins, NULL, + lib->settings->get_str(lib->settings, "starter.load", PLUGINS))) + { + exit(LSB_RC_FAILURE); + } + for (;;) { /* @@ -443,8 +494,8 @@ int main (int argc, char **argv) starter_netkey_cleanup(); confread_free(cfg); unlink(STARTER_PID_FILE); - unlink(INFO_FILE); plog("ipsec starter stopped"); + lib->plugins->unload(lib->plugins); close_log(); exit(LSB_RC_SUCCESS); } @@ -495,7 +546,6 @@ int main (int argc, char **argv) */ if (_action_ & FLAG_ACTION_UPDATE) { - err = NULL; DBG(DBG_CONTROL, DBG_log("Reloading config...") ); diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 7272b2530..ae04c20dd 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -24,6 +24,8 @@ #include <netinet/in.h> #include <arpa/inet.h> +#include <credentials/auth_cfg.h> + #include <freeswan.h> #include <constants.h> 
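Review bot: `closefrom(3)` in the forked child closes every descriptor the parent had open, including any that `library_init()` and `libhydra_init()` (both called earlier in `main()`, before the fork) may still hold — if the log opened by then is a file descriptor rather than syslog, later `plog()` calls in the daemon would go to a closed or reused descriptor, so please confirm which descriptors are live at this point. `closefrom()` is also not provided by every libc this code targets; if the one used here comes from the project's own utility header, say so in a comment, e.g. `/* drop descriptors inherited from the parent (closefrom() may be the project's fallback where libc lacks it) */`. The `setsid()` added in the next hunk (`@@ -402,6 +445,7 @@`) likewise deserves a one-line comment that it detaches the daemon from the controlling terminal. `main()` extends beyond this hunk on both sides.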
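Review bot: The plugin-load failure path in `@@ -425,6 +469,13 @@` calls `exit(LSB_RC_FAILURE)` without any message and without the teardown the stop path in `@@ -443,8 +494,8 @@` performs (`close_log()`, and whatever pid-file handling has already happened by this point — not visible in the hunk); at minimum add `plog("unable to load starter plugins, aborting");` before the exit. The `starter.load` settings key and its compile-time `PLUGINS` default are undocumented here; a comment such as `/* plugin list: strongswan.conf starter.load, falling back to the build-time PLUGINS default */` would help the next reader.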
@@ -39,15 +41,6 @@ #define IPV4_LEN 4 #define IPV6_LEN 16 -/** - * Authentication methods, must be the same as in charons authenticator.h - */ -enum auth_method_t { - AUTH_PUBKEY = 1, - AUTH_PSK = 2, - AUTH_EAP = 3 -}; - static char* push_string(stroke_msg_t *msg, char *string) { unsigned long string_start = msg->length; @@ -169,6 +162,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->auth2 = push_string(msg, conn_end->auth2); msg_end->id = push_string(msg, conn_end->id); msg_end->id2 = push_string(msg, conn_end->id2); + msg_end->rsakey = push_string(msg, conn_end->rsakey); msg_end->cert = push_string(msg, conn_end->cert); msg_end->cert2 = push_string(msg, conn_end->cert2); msg_end->cert_policy = push_string(msg, conn_end->cert_policy); @@ -176,8 +170,15 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->ca2 = push_string(msg, conn_end->ca2); msg_end->groups = push_string(msg, conn_end->groups); msg_end->updown = push_string(msg, conn_end->updown); - ip_address2string(&conn_end->addr, buffer, sizeof(buffer)); - msg_end->address = push_string(msg, buffer); + if (conn_end->host) + { + msg_end->address = push_string(msg, conn_end->host); + } + else + { + ip_address2string(&conn_end->addr, buffer, sizeof(buffer)); + msg_end->address = push_string(msg, buffer); + } msg_end->ikeport = conn_end->ikeport; msg_end->subnets = push_string(msg, conn_end->subnet); msg_end->sourceip = push_string(msg, conn_end->sourceip); 
@@ -202,15 +203,19 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) /* PUBKEY is preferred to PSK and EAP */ if (conn->policy & POLICY_PUBKEY) { - msg.add_conn.auth_method = AUTH_PUBKEY; + msg.add_conn.auth_method = AUTH_CLASS_PUBKEY; } else if (conn->policy & POLICY_PSK) { - msg.add_conn.auth_method = AUTH_PSK; + msg.add_conn.auth_method = AUTH_CLASS_PSK; + } + else if (conn->policy & POLICY_XAUTH_PSK) + { + msg.add_conn.auth_method = AUTH_CLASS_EAP; } else { - msg.add_conn.auth_method = AUTH_EAP; + msg.add_conn.auth_method = AUTH_CLASS_ANY; } msg.add_conn.eap_type = conn->eap_type; msg.add_conn.eap_vendor = conn->eap_vendor; @@ -230,6 +235,14 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.mode = MODE_TRANSPORT; msg.add_conn.proxy_mode = TRUE; } + else if (conn->policy & POLICY_SHUNT_PASS) + { + msg.add_conn.mode = MODE_PASS; + } + else if (conn->policy & (POLICY_SHUNT_DROP | POLICY_SHUNT_REJECT)) + { + msg.add_conn.mode = MODE_DROP; + } else { msg.add_conn.mode = MODE_TRANSPORT; @@ -258,6 +271,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.algorithms.esp = push_string(&msg, conn->esp); msg.add_conn.dpd.delay = conn->dpd_delay; msg.add_conn.dpd.action = conn->dpd_action; + msg.add_conn.close_action = conn->close_action; msg.add_conn.inactivity = conn->inactivity; msg.add_conn.ikeme.mediation = conn->me_mediation; msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by); diff --git a/src/starter/y.tab.h b/src/starter/y.tab.h deleted file mode 100644 index caf6ea172..000000000 --- a/src/starter/y.tab.h +++ /dev/null 
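Review bot: The fallback branch now sends AUTH_CLASS_ANY where it used to send AUTH_EAP, so a conn that is neither PUBKEY, PSK nor XAUTH_PSK — notably one configured for plain EAP — no longer tells charon explicitly which class to use; if charon's stroke plugin treats ANY as "any authentication class is acceptable" in the constraints it builds, this relaxes the policy rather than translating it, and an explicit POLICY_* test mapping EAP conns to AUTH_CLASS_EAP would be the safer choice. Mapping POLICY_XAUTH_PSK to AUTH_CLASS_EAP also deserves a comment, since XAuth is not EAP and a reader will assume a typo. The comment above the chain, `/* PUBKEY is preferred to PSK and EAP */`, no longer describes it; suggest `/* PUBKEY is preferred to PSK, XAuth and EAP; anything else is left to charon (ANY) */`. starter_stroke_add_conn() begins and ends outside this hunk.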
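Review bot: POLICY_SHUNT_REJECT is folded into MODE_DROP without any trace, so a `type=reject` conn behaves as `type=drop` with no log line or comment saying so; if MODE_DROP is the closest mode the stroke interface offers, record that with `/* REJECT has no stroke equivalent, treated like DROP */` on the `else if` line, otherwise a distinct mode is needed. The two shunt branches are also appended after the transport/proxy_mode test in an else-if chain whose head lies outside the hunk; if an earlier branch of that chain tests a flag that shunt conns carry as well (a default tunnel flag, for instance), the new branches are unreachable, so it is worth confirming that the shunt tests come before the mode tests. starter_stroke_add_conn() begins and ends outside this hunk.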
@@ -1,88 +0,0 @@ - -/* A Bison parser, made by GNU Bison 2.4.1. */ - -/* Skeleton interface for Bison's Yacc-like parsers in C - - Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006 - Free Software Foundation, Inc. - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. */ - -/* As a special exception, you may create a larger work that contains - part or all of the Bison parser skeleton and distribute that work - under terms of your choice, so long as that work isn't itself a - parser generator using the skeleton or a modified version thereof - as a parser skeleton. Alternatively, if you modify or redistribute - the parser skeleton itself, you may (at your option) remove this - special exception, which will cause the skeleton and the resulting - Bison output files to be licensed under the GNU General Public - License without this special exception. - - This special exception was added by the Free Software Foundation in - version 2.2 of Bison. */ - - -/* Tokens. */ -#ifndef YYTOKENTYPE -# define YYTOKENTYPE - /* Put the tokens into the symbol table, so that GDB and other debuggers - know about them. */ - enum yytokentype { - EQUAL = 258, - FIRST_SPACES = 259, - EOL = 260, - CONFIG = 261, - SETUP = 262, - CONN = 263, - CA = 264, - INCLUDE = 265, - FILE_VERSION = 266, - STRING = 267 - }; -#endif -/* Tokens. 
*/ -#define EQUAL 258 -#define FIRST_SPACES 259 -#define EOL 260 -#define CONFIG 261 -#define SETUP 262 -#define CONN 263 -#define CA 264 -#define INCLUDE 265 -#define FILE_VERSION 266 -#define STRING 267 - - - - -#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED -typedef union YYSTYPE -{ - -/* Line 1676 of yacc.c */ -#line 54 "./parser.y" - char *s; - - -/* Line 1676 of yacc.c */ -#line 80 "y.tab.h" -} YYSTYPE; -# define YYSTYPE_IS_TRIVIAL 1 -# define yystype YYSTYPE /* obsolescent; will be withdrawn */ -# define YYSTYPE_IS_DECLARED 1 -#endif - -extern YYSTYPE yylval; - - |