Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/Android.mk25
-rw-r--r--src/starter/Makefile.am64
-rw-r--r--src/starter/Makefile.in231
-rw-r--r--src/starter/args.c190
-rw-r--r--src/starter/cmp.c71
-rw-r--r--src/starter/cmp.h9
-rw-r--r--src/starter/confread.c709
-rw-r--r--src/starter/confread.h136
-rw-r--r--src/starter/exec.c52
-rw-r--r--src/starter/exec.h21
-rw-r--r--src/starter/files.h12
-rw-r--r--src/starter/interfaces.c213
-rw-r--r--src/starter/interfaces.h36
-rw-r--r--src/starter/invokecharon.c54
-rw-r--r--src/starter/invokepluto.c327
-rw-r--r--src/starter/invokepluto.h26
-rw-r--r--src/starter/ipsec.conf10
-rw-r--r--src/starter/keywords.c308
-rw-r--r--src/starter/keywords.h100
-rw-r--r--src/starter/keywords.txt105
-rw-r--r--src/starter/klips.c26
-rw-r--r--src/starter/loglite.c297
-rw-r--r--src/starter/netkey.c28
-rw-r--r--src/starter/parser.c507
-rw-r--r--src/starter/parser.h16
-rw-r--r--src/starter/parser.y18
-rw-r--r--src/starter/starter.c619
-rw-r--r--src/starter/starterstroke.c189
-rw-r--r--src/starter/starterstroke.h20
-rw-r--r--src/starter/starterwhack.c420
-rw-r--r--src/starter/starterwhack.h30
31 files changed, 1620 insertions, 3249 deletions
diff --git a/src/starter/Android.mk b/src/starter/Android.mk
index a82fe9385..91575c9ba 100644
--- a/src/starter/Android.mk
+++ b/src/starter/Android.mk
@@ -2,32 +2,26 @@ LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
# copy-n-paste from Makefile.am (update for LEX/YACC)
-LOCAL_SRC_FILES := \
+starter_SOURCES := \
parser.c lexer.c ipsec-parser.h netkey.c args.h netkey.h \
-starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
-keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h loglite.c klips.c klips.h
+starterstroke.c confread.c \
+starterstroke.h confread.h args.c \
+keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
+invokecharon.h klips.c klips.h
+
+LOCAL_SRC_FILES := $(filter %.c,$(starter_SOURCES))
# build starter ----------------------------------------------------------------
LOCAL_C_INCLUDES += \
$(libvstr_PATH) \
$(strongswan_PATH)/src/libhydra \
- $(strongswan_PATH)/src/libfreeswan \
$(strongswan_PATH)/src/libstrongswan \
- $(strongswan_PATH)/src/libfreeswan \
- $(strongswan_PATH)/src/pluto \
- $(strongswan_PATH)/src/whack \
$(strongswan_PATH)/src/stroke
LOCAL_CFLAGS := $(strongswan_CFLAGS) -DSTART_CHARON \
-DPLUGINS='"$(strongswan_STARTER_PLUGINS)"'
-ifneq ($(strongswan_BUILD_PLUTO),)
-LOCAL_CFLAGS += -DSTART_PLUTO
-endif
-
LOCAL_MODULE := starter
LOCAL_MODULE_TAGS := optional
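Review bot: The new `starter_SOURCES` assignment at the top of the hunk mirrors Makefile.am by name but not by content — it carries the generated `parser.c lexer.c` where Makefile.am lists `parser.y lexer.l` — so the "copy-n-paste" refresh the header comment invites would silently drop those two files from `LOCAL_SRC_FILES` after the `$(filter %.c,...)`. The comment above the list should state what has to differ, e.g. `# copy of starter_SOURCES from Makefile.am, with parser.y/lexer.l replaced by their generated parser.c/lexer.c`. The `(update for LEX/YACC)` remark hints at this but does not say which names to substitute.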
@@ -37,11 +31,8 @@ LOCAL_ARM_MODE := arm
LOCAL_PRELINK_MODULE := false
LOCAL_REQUIRED_MODULES := stroke
-ifneq ($(strongswan_BUILD_PLUTO),)
-LOCAL_REQUIRED_MODULES += whack
-endif
-LOCAL_SHARED_LIBRARIES += libstrongswan libhydra libfreeswan
+LOCAL_SHARED_LIBRARIES += libstrongswan libhydra
include $(BUILD_EXECUTABLE)
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 94ddf5aba..48110dd02 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -1,64 +1,51 @@
ipsec_PROGRAMS = starter
starter_SOURCES = \
parser.y lexer.l ipsec-parser.h netkey.c args.h netkey.h \
-starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
-keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h loglite.c klips.c klips.h
-
-INCLUDES = \
--I${linux_headers} \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/pluto \
--I$(top_srcdir)/src/whack \
--I$(top_srcdir)/src/stroke
-
-AM_CFLAGS = \
--DIPSEC_DIR=\"${ipsecdir}\" \
--DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DIPSEC_PIDDIR=\"${piddir}\" \
--DIPSEC_EAPDIR=\"${eapdir}\" \
--DDEV_RANDOM=\"${random_device}\" \
--DDEV_URANDOM=\"${urandom_device}\" \
--DPLUGINS=\""${starter_plugins}\"" \
--DDEBUG
+starterstroke.c confread.c \
+starterstroke.h confread.h args.c \
+keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
+invokecharon.h klips.c klips.h
+
+AM_CPPFLAGS = \
+ -I${linux_headers} \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/stroke \
+ -DIPSEC_DIR=\"${ipsecdir}\" \
+ -DIPSEC_CONFDIR=\"${sysconfdir}\" \
+ -DIPSEC_PIDDIR=\"${piddir}\" \
+ -DIPSEC_EAPDIR=\"${eapdir}\" \
+ -DIPSEC_SCRIPT=\"${ipsec_script}\" \
+ -DDEV_RANDOM=\"${random_device}\" \
+ -DDEV_URANDOM=\"${urandom_device}\" \
+ -DPLUGINS=\""${starter_plugins}\"" \
+ -DDEBUG
AM_YFLAGS = -v -d
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB)
+starter_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB) $(PTHREADLIB)
EXTRA_DIST = keywords.txt ipsec.conf Android.mk
MAINTAINERCLEANFILES = keywords.c
BUILT_SOURCES = parser.h
-PLUTODIR=$(top_srcdir)/src/pluto
-SCEPCLIENTDIR=$(top_srcdir)/src/scepclient
-
-if USE_PLUTO
- AM_CFLAGS += -DSTART_PLUTO
-endif
-
if USE_CHARON
- AM_CFLAGS += -DSTART_CHARON
+ AM_CPPFLAGS += -DSTART_CHARON
endif
if USE_LOAD_WARNING
- AM_CFLAGS += -DLOAD_WARNING
+ AM_CPPFLAGS += -DLOAD_WARNING
endif
if USE_TOOLS
- AM_CFLAGS += -DGENERATE_SELFCERT
+ AM_CPPFLAGS += -DGENERATE_SELFCERT
endif
keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h
+ $(AM_V_GEN) \
$(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
-defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
- $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
-
install-exec-local :
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
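Review bot: The reworked `$(INSTALL) -d` line in `install-exec-local` keeps the trailing `|| true`, so a failed directory creation is swallowed and `make install` still reports success; the same applies to the `-m 750` creation of `ipsec.d/private` later in the rule. The `test -e` guard already makes the recipe idempotent, so the `|| true` only hides errors — drop it: `test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d"`. Since `test -e` checks existence only, an already-present `ipsec.d/private` with a looser mode is never tightened; a comment such as `# -m 750 applies on first creation only; existing directories are left untouched` would make that explicit. Separately, the `keywords.c` rule redirects gperf straight into `$@`, so a gperf failure leaves a truncated but fresh `keywords.c`; `> $@.tmp && mv -f $@.tmp $@` avoids that. The `install-exec-local` recipe continues past the end of this hunk.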
@@ -68,4 +55,3 @@ install-exec-local :
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
-
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index f2c0cc38e..4b09e5d8c 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -16,6 +16,23 @@
@SET_MAKE@
VPATH = @srcdir@
+am__make_dryrun = \
+ { \
+ am__dry=no; \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \
+ | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+ *) \
+ for am__flg in $$MAKEFLAGS; do \
+ case $$am__flg in \
+ *=*|--*) ;; \
+ *n*) am__dry=yes; break;; \
+ esac; \
+ done;; \
+ esac; \
+ test $$am__dry = yes; \
+ }
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -35,10 +52,9 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
ipsec_PROGRAMS = starter$(EXEEXT)
-@USE_PLUTO_TRUE@am__append_1 = -DSTART_PLUTO
-@USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON
-@USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING
-@USE_TOOLS_TRUE@am__append_4 = -DGENERATE_SELFCERT
+@USE_CHARON_TRUE@am__append_1 = -DSTART_CHARON
+@USE_LOAD_WARNING_TRUE@am__append_2 = -DLOAD_WARNING
+@USE_TOOLS_TRUE@am__append_3 = -DGENERATE_SELFCERT
subdir = src/starter
DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
lexer.c parser.c parser.h
@@ -51,69 +67,102 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/macros/with.m4 \
$(top_srcdir)/m4/macros/enable-disable.m4 \
$(top_srcdir)/m4/macros/add-plugin.m4 \
- $(top_srcdir)/configure.in
+ $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(ipsecdir)"
PROGRAMS = $(ipsec_PROGRAMS)
am_starter_OBJECTS = parser.$(OBJEXT) lexer.$(OBJEXT) netkey.$(OBJEXT) \
- starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \
- invokepluto.$(OBJEXT) confread.$(OBJEXT) interfaces.$(OBJEXT) \
- args.$(OBJEXT) keywords.$(OBJEXT) cmp.$(OBJEXT) \
- starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \
- loglite.$(OBJEXT) klips.$(OBJEXT)
+ starterstroke.$(OBJEXT) confread.$(OBJEXT) args.$(OBJEXT) \
+ keywords.$(OBJEXT) cmp.$(OBJEXT) starter.$(OBJEXT) \
+ invokecharon.$(OBJEXT) klips.$(OBJEXT)
starter_OBJECTS = $(am_starter_OBJECTS)
am__DEPENDENCIES_1 =
-starter_DEPENDENCIES = defs.o \
- $(top_builddir)/src/libfreeswan/libfreeswan.a \
+starter_DEPENDENCIES = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I.@am__isrc@
+ $(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
- $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
- $(LDFLAGS) -o $@
-LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
+LTLEXCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
+AM_V_LEX = $(am__v_LEX_@AM_V@)
+am__v_LEX_ = $(am__v_LEX_@AM_DEFAULT_V@)
+am__v_LEX_0 = @echo " LEX " $@;
YLWRAP = $(top_srcdir)/ylwrap
-YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
+AM_V_YACC = $(am__v_YACC_@AM_V@)
+am__v_YACC_ = $(am__v_YACC_@AM_DEFAULT_V@)
+am__v_YACC_0 = @echo " YACC " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
SOURCES = $(starter_SOURCES)
DIST_SOURCES = $(starter_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BFDLIB = @BFDLIB@
BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -122,13 +171,16 @@ ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
+GENHTML = @GENHTML@
GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
LD = @LD@
LDFLAGS = @LDFLAGS@
LEX = @LEX@
@@ -141,6 +193,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -168,11 +221,13 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
VERSION = @VERSION@
YACC = @YACC@
YFLAGS = @YFLAGS@
@@ -180,6 +235,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -188,8 +244,6 @@ am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -198,14 +252,19 @@ build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
dbusservicedir = @dbusservicedir@
-default_pkcs11 = @default_pkcs11@
+dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
gtk_CFLAGS = @gtk_CFLAGS@
gtk_LIBS = @gtk_LIBS@
h_plugins = @h_plugins@
@@ -219,17 +278,17 @@ imcvdir = @imcvdir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
ipsecdir = @ipsecdir@
ipsecgroup = @ipsecgroup@
ipseclibdir = @ipseclibdir@
ipsecuser = @ipsecuser@
-libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -239,16 +298,15 @@ mkdir_p = @mkdir_p@
nm_CFLAGS = @nm_CFLAGS@
nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
plugindir = @plugindir@
-pluto_plugins = @pluto_plugins@
pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
@@ -278,33 +336,25 @@ xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
starter_SOURCES = \
parser.y lexer.l ipsec-parser.h netkey.c args.h netkey.h \
-starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
-keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h loglite.c klips.c klips.h
-
-INCLUDES = \
--I${linux_headers} \
--I$(top_srcdir)/src/libstrongswan \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/libhydra \
--I$(top_srcdir)/src/pluto \
--I$(top_srcdir)/src/whack \
--I$(top_srcdir)/src/stroke
-
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
- -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
- -DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \
+starterstroke.c confread.c \
+starterstroke.h confread.h args.c \
+keywords.c files.h keywords.h cmp.c starter.c cmp.h invokecharon.c \
+invokecharon.h klips.c klips.h
+
+AM_CPPFLAGS = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/stroke \
+ -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${sysconfdir}\" \
+ -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \
+ -DIPSEC_SCRIPT=\"${ipsec_script}\" \
+ -DDEV_RANDOM=\"${random_device}\" \
-DDEV_URANDOM=\"${urandom_device}\" \
-DPLUGINS=\""${starter_plugins}\"" -DDEBUG $(am__append_1) \
- $(am__append_2) $(am__append_3) $(am__append_4)
+ $(am__append_2) $(am__append_3)
AM_YFLAGS = -v -d
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB)
+starter_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(top_builddir)/src/libhydra/libhydra.la $(SOCKLIB) $(PTHREADLIB)
EXTRA_DIST = keywords.txt ipsec.conf Android.mk
MAINTAINERCLEANFILES = keywords.c
BUILT_SOURCES = parser.h
-PLUTODIR = $(top_srcdir)/src/pluto
-SCEPCLIENTDIR = $(top_srcdir)/src/scepclient
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-am
@@ -342,8 +392,11 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps)
$(am__aclocal_m4_deps):
install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
@$(NORMAL_INSTALL)
- test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+ fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p || test -f $$p1; \
@@ -384,13 +437,11 @@ clean-ipsecPROGRAMS:
echo " rm -f" $$list; \
rm -f $$list
parser.h: parser.c
- @if test ! -f $@; then \
- rm -f parser.c; \
- $(MAKE) $(AM_MAKEFLAGS) parser.c; \
- else :; fi
-starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES)
+ @if test ! -f $@; then rm -f parser.c; else :; fi
+ @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) parser.c; else :; fi
+starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES) $(EXTRA_starter_DEPENDENCIES)
@rm -f starter$(EXEEXT)
- $(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
+ $(AM_V_CCLD)$(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -401,46 +452,41 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/args.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmp.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/confread.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/exec.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/interfaces.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokecharon.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokepluto.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keywords.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/klips.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexer.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/netkey.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starter.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterstroke.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterwhack.Po@am__quote@
.c.o:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
.c.obj:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
.c.lo:
-@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
.l.c:
- $(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
+ $(AM_V_LEX)$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
.y.c:
- $(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
+ $(AM_V_YACC)$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
mostlyclean-libtool:
-rm -f *.lo
@@ -549,10 +595,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
@@ -658,13 +709,11 @@ uninstall-am: uninstall-ipsecPROGRAMS
keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h
+ $(AM_V_GEN) \
$(GPERF) -m 10 -C -G -D -t < $(srcdir)/keywords.txt > $@
-defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
- $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
-
install-exec-local :
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
diff --git a/src/starter/args.c b/src/starter/args.c
index 65d0a753c..5fbf51856 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -17,11 +17,8 @@
#include <stdlib.h>
#include <string.h>
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <library.h>
+#include <utils/debug.h>
#include "keywords.h"
#include "confread.h"
@@ -36,6 +33,7 @@ typedef enum {
ARG_TIME,
ARG_ULNG,
ARG_ULLI,
+ ARG_UBIN,
ARG_PCNT,
ARG_STR,
ARG_LST,
@@ -64,6 +62,7 @@ static const char *LST_unique[] = {
"yes",
"replace",
"keep",
+ "never",
NULL
};
@@ -89,13 +88,6 @@ static const char *LST_startup[] = {
NULL
};
-static const char *LST_packetdefault[] = {
- "drop",
- "reject",
- "pass",
- NULL
-};
-
static const char *LST_keyexchange[] = {
"ike",
"ikev1",
@@ -103,55 +95,24 @@ static const char *LST_keyexchange[] = {
NULL
};
-static const char *LST_pfsgroup[] = {
- "modp1024",
- "modp1536",
- "modp2048",
- "modp3072",
- "modp4096",
- "modp6144",
- "modp8192",
- "ecp192",
- "ecp224",
- "ecp256",
- "ecp384",
- "ecp521",
- NULL
-};
-
-static const char *LST_plutodebug[] = {
- "none",
- "all",
- "raw",
- "crypt",
- "parsing",
- "emitting",
- "control",
- "lifecycle",
- "klips",
- "kernel",
- "dns",
- "natt",
- "oppo",
- "controlmore",
- "private",
+static const char *LST_authby[] = {
+ "psk",
+ "secret",
+ "pubkey",
+ "rsa",
+ "rsasig",
+ "ecdsa",
+ "ecdsasig",
+ "xauthpsk",
+ "xauthrsasig",
+ "never",
NULL
};
-static const char *LST_klipsdebug[] = {
- "tunnel",
- "tunnel-xmit",
- "pfkey",
- "xform",
- "eroute",
- "spi",
- "radij",
- "esp",
- "ah",
- "ipcomp",
- "verbose",
- "all",
- "none",
+static const char *LST_fragmentation[] = {
+ "no",
+ "yes",
+ "force",
NULL
};
@@ -164,53 +125,29 @@ typedef struct {
static const token_info_t token_info[] =
{
/* config setup keywords */
- { ARG_LST, offsetof(starter_config_t, setup.interfaces), NULL },
- { ARG_STR, offsetof(starter_config_t, setup.dumpdir), NULL },
- { ARG_ENUM, offsetof(starter_config_t, setup.charonstart), LST_bool },
- { ARG_ENUM, offsetof(starter_config_t, setup.plutostart), LST_bool },
-
- /* pluto/charon keywords */
- { ARG_LST, offsetof(starter_config_t, setup.plutodebug), LST_plutodebug },
{ ARG_STR, offsetof(starter_config_t, setup.charondebug), NULL },
- { ARG_STR, offsetof(starter_config_t, setup.prepluto), NULL },
- { ARG_STR, offsetof(starter_config_t, setup.postpluto), NULL },
- { ARG_STR, offsetof(starter_config_t, setup.plutostderrlog), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.uniqueids), LST_unique },
- { ARG_UINT, offsetof(starter_config_t, setup.overridemtu), NULL },
- { ARG_TIME, offsetof(starter_config_t, setup.crlcheckinterval), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.cachecrls), LST_bool },
{ ARG_ENUM, offsetof(starter_config_t, setup.strictcrlpolicy), LST_strict },
- { ARG_ENUM, offsetof(starter_config_t, setup.nocrsend), LST_bool },
- { ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool },
- { ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL },
- { ARG_ENUM, offsetof(starter_config_t, setup.force_keepalive), LST_bool },
- { ARG_STR, offsetof(starter_config_t, setup.virtual_private), NULL },
- { ARG_STR, offsetof(starter_config_t, setup.pkcs11module), NULL },
- { ARG_STR, offsetof(starter_config_t, setup.pkcs11initargs), NULL },
- { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool },
- { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool },
-
- /* KLIPS keywords */
- { ARG_LST, offsetof(starter_config_t, setup.klipsdebug), LST_klipsdebug },
- { ARG_ENUM, offsetof(starter_config_t, setup.fragicmp), LST_bool },
- { ARG_STR, offsetof(starter_config_t, setup.packetdefault), LST_packetdefault },
- { ARG_ENUM, offsetof(starter_config_t, setup.hidetos), LST_bool },
+ { ARG_MISC, 0, NULL /* KW_PKCS11_DEPRECATED */ },
+ { ARG_MISC, 0, NULL /* KW_SETUP_DEPRECATED */ },
/* conn section keywords */
{ ARG_STR, offsetof(starter_conn_t, name), NULL },
{ ARG_ENUM, offsetof(starter_conn_t, startup), LST_startup },
{ ARG_ENUM, offsetof(starter_conn_t, keyexchange), LST_keyexchange },
{ ARG_MISC, 0, NULL /* KW_TYPE */ },
- { ARG_MISC, 0, NULL /* KW_PFS */ },
{ ARG_MISC, 0, NULL /* KW_COMPRESS */ },
{ ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool },
+ { ARG_ENUM, offsetof(starter_conn_t, aggressive), LST_bool },
{ ARG_MISC, 0, NULL /* KW_AUTH */ },
- { ARG_MISC, 0, NULL /* KW_AUTHBY */ },
- { ARG_MISC, 0, NULL /* KW_EAP */ },
+ { ARG_STR, offsetof(starter_conn_t, authby), LST_authby },
{ ARG_STR, offsetof(starter_conn_t, eap_identity), NULL },
{ ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL },
{ ARG_MISC, 0, NULL /* KW_MOBIKE */ },
{ ARG_MISC, 0, NULL /* KW_FORCEENCAPS */ },
+ { ARG_ENUM, offsetof(starter_conn_t, fragmentation), LST_fragmentation },
+ { ARG_UBIN, offsetof(starter_conn_t, ikedscp), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL },
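Review bot: Correctness of `token_info` depends entirely on positional alignment with the `kw_token_t` enumeration (`token_info[token]` is indexed by the raw token value, as the `assign_arg` hunk further down shows), and this revision inserts, removes and reorders many rows, including `ARG_MISC` placeholders for deprecated keywords, yet nothing in the file states that invariant. A header comment above the table, e.g. `/* one entry per kw_token_t value, in exactly the order of keywords.h; deprecated keywords keep an ARG_MISC placeholder so later indices stay aligned */`, would tell the next editor why the placeholders must not be dropped. The same applies to the two following hunks of this table. keywords.h is part of this commit but outside this view, so the alignment cannot be checked here; likewise the new `ARG_UBIN` row for `ikedscp` relies on a matching case in `assign_arg` that is not visible in this chunk.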
@@ -224,7 +161,6 @@ static const token_info_t token_info[] =
{ ARG_MISC, 0, NULL /* KW_REAUTH */ },
{ ARG_STR, offsetof(starter_conn_t, ike), NULL },
{ ARG_STR, offsetof(starter_conn_t, esp), NULL },
- { ARG_STR, offsetof(starter_conn_t, pfsgroup), LST_pfsgroup },
{ ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL },
{ ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL },
{ ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action },
@@ -241,28 +177,27 @@ static const token_info_t token_info[] =
{ ARG_MISC, 0, NULL /* KW_MARK_IN */ },
{ ARG_MISC, 0, NULL /* KW_MARK_OUT */ },
{ ARG_MISC, 0, NULL /* KW_TFC */ },
+ { ARG_MISC, 0, NULL /* KW_PFS_DEPRECATED */ },
+ { ARG_MISC, 0, NULL /* KW_CONN_DEPRECATED */ },
/* ca section keywords */
{ ARG_STR, offsetof(starter_ca_t, name), NULL },
{ ARG_ENUM, offsetof(starter_ca_t, startup), LST_startup },
{ ARG_STR, offsetof(starter_ca_t, cacert), NULL },
- { ARG_STR, offsetof(starter_ca_t, ldaphost), NULL },
- { ARG_STR, offsetof(starter_ca_t, ldapbase), NULL },
{ ARG_STR, offsetof(starter_ca_t, crluri), NULL },
{ ARG_STR, offsetof(starter_ca_t, crluri2), NULL },
{ ARG_STR, offsetof(starter_ca_t, ocspuri), NULL },
{ ARG_STR, offsetof(starter_ca_t, ocspuri2), NULL },
{ ARG_STR, offsetof(starter_ca_t, certuribase), NULL },
+ { ARG_MISC, 0, NULL /* KW_CA_DEPRECATED */ },
/* end keywords */
{ ARG_STR, offsetof(starter_end_t, host), NULL },
{ ARG_UINT, offsetof(starter_end_t, ikeport), NULL },
- { ARG_MISC, 0, NULL /* KW_NEXTHOP */ },
- { ARG_STR, offsetof(starter_end_t, subnet), NULL },
- { ARG_MISC, 0, NULL /* KW_SUBNETWITHIN */ },
+ { ARG_STR, offsetof(starter_end_t, subnet), NULL },
{ ARG_MISC, 0, NULL /* KW_PROTOPORT */ },
{ ARG_STR, offsetof(starter_end_t, sourceip), NULL },
- { ARG_MISC, 0, NULL /* KW_NATIP */ },
+ { ARG_STR, offsetof(starter_end_t, dns), NULL },
{ ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool },
{ ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool },
{ ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool },
@@ -279,7 +214,8 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_end_t, ca), NULL },
{ ARG_STR, offsetof(starter_end_t, ca2), NULL },
{ ARG_STR, offsetof(starter_end_t, groups), NULL },
- { ARG_STR, offsetof(starter_end_t, iface), NULL }
+ { ARG_STR, offsetof(starter_end_t, groups2), NULL },
+ { ARG_MISC, 0, NULL /* KW_END_DEPRECATED */ },
};
static void free_list(char **list)
@@ -298,7 +234,7 @@ char** new_list(char *value)
char *val, *b, *e, *end, **ret;
int count;
- val = value ? clone_str(value) : NULL;
+ val = strdupnull(value);
if (!val)
{
return NULL;
@@ -326,7 +262,7 @@ char** new_list(char *value)
for (e = b; (*e != '\0'); e++);
if (e != b)
{
- ret[count++] = clone_str(b);
+ ret[count++] = strdupnull(b);
}
b = e + 1;
}
@@ -347,23 +283,20 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
int index = -1; /* used for enumeration arguments */
- lset_t *seen = (lset_t *)base; /* seen flags are at the top of the struct */
- lset_t f = LELEM(token - first); /* compute flag position of argument */
+ seen_t *seen = (seen_t*)base; /* seen flags are at the top of the struct */
*assigned = FALSE;
- DBG(DBG_CONTROLMORE,
- DBG_log(" %s=%s", kw->entry->name, kw->value)
- )
+ DBG3(DBG_APP, " %s=%s", kw->entry->name, kw->value);
- if (*seen & f)
+ if (*seen & SEEN_KW(token, first))
{
- plog("# duplicate '%s' option", kw->entry->name);
+ DBG1(DBG_APP, "# duplicate '%s' option", kw->entry->name);
return FALSE;
}
/* set flag that this argument has been seen */
- *seen |= f;
+ *seen |= SEEN_KW(token, first);
/* is there a keyword list? */
if (list != NULL && token_info[token].type != ARG_LST)
@@ -377,7 +310,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
}
if (!match)
{
- plog("# bad value: %s=%s", kw->entry->name, kw->value);
+ DBG1(DBG_APP, "# bad value: %s=%s", kw->entry->name, kw->value);
return FALSE;
}
}
@@ -385,14 +318,14 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
switch (token_info[token].type)
{
case ARG_NONE:
- plog("# option '%s' not supported yet", kw->entry->name);
+ DBG1(DBG_APP, "# option '%s' not supported yet", kw->entry->name);
return FALSE;
case ARG_ENUM:
{
if (index < 0)
{
- plog("# bad enumeration value: %s=%s (%d)"
- , kw->entry->name, kw->value, index);
+ DBG1(DBG_APP, "# bad enumeration value: %s=%s (%d)",
+ kw->entry->name, kw->value, index);
return FALSE;
}
@@ -418,7 +351,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
if (*endptr != '\0')
{
- plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+ DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
+ kw->value);
return FALSE;
}
}
@@ -435,7 +369,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
{
if (*endptr != '\0')
{
- plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+ DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
+ kw->value);
return FALSE;
}
}
@@ -443,7 +378,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
{
if ((*endptr != '%') || (endptr[1] != '\0') || endptr == kw->value)
{
- plog("# bad percent value: %s=%s", kw->entry->name, kw->value);
+ DBG1(DBG_APP, "# bad percent value: %s=%s", kw->entry->name,
+ kw->value);
return FALSE;
}
}
@@ -459,7 +395,23 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
if (*endptr != '\0')
{
- plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+ DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
+ kw->value);
+ return FALSE;
+ }
+ }
+ break;
+ case ARG_UBIN:
+ {
+ char *endptr;
+ u_int *u = (u_int *)p;
+
+ *u = strtoul(kw->value, &endptr, 2);
+
+ if (*endptr != '\0')
+ {
+ DBG1(DBG_APP, "# bad binary value: %s=%s", kw->entry->name,
+ kw->value);
return FALSE;
}
}
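Review bot: The new ARG_UBIN case accepts a value with no digits: for an empty string `strtoul` stores `endptr == kw->value` and returns 0, so `*endptr != '\0'` is false and the option silently becomes 0. The ARG_PCT check in the previous hunk already guards this with `endptr == kw->value`; the same guard fits here, `if (*endptr != '\0' || endptr == kw->value)`. The unchanged ARG_UINT cases share the weakness, and a leading `-` is also tolerated by strtoul before the result is narrowed to `u_int`; neither is introduced by this commit, but both are worth a follow-up. assign_arg continues outside this hunk.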
@@ -494,7 +446,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
break;
}
}
- plog("# bad duration value: %s=%s", kw->entry->name, kw->value);
+ DBG1(DBG_APP, "# bad duration value: %s=%s", kw->entry->name,
+ kw->value);
return FALSE;
}
case ARG_STR:
@@ -505,7 +458,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
free(*cp);
/* assign the new string */
- *cp = clone_str(kw->value);
+ *cp = strdupnull(kw->value);
}
break;
case ARG_LST:
@@ -537,7 +490,8 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
}
if (!match)
{
- plog("# bad value: %s=%s", kw->entry->name, *lst);
+ DBG1(DBG_APP, "# bad value: %s=%s",
+ kw->entry->name, *lst);
return FALSE;
}
}
@@ -604,7 +558,7 @@ void clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
char **cp1 = (char **)(base1 + token_info[token].offset);
char **cp2 = (char **)(base2 + token_info[token].offset);
- *cp1 = clone_str(*cp2);
+ *cp1 = strdupnull(*cp2);
}
}
}
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index 0727cf5f0..cea864a4a 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -14,62 +14,40 @@
#include <string.h>
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-
#include "confread.h"
#include "args.h"
-#include "interfaces.h"
#include "cmp.h"
#define VARCMP(obj) if (c1->obj != c2->obj) return FALSE
-#define ADDCMP(obj) if (!sameaddr(&c1->obj,&c2->obj)) return FALSE
-#define SUBCMP(obj) if (!samesubnet(&c1->obj,&c2->obj)) return FALSE
#define STRCMP(obj) if (strcmp(c1->obj,c2->obj)) return FALSE
-static bool
-starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
+static bool starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
{
if ((c1 == NULL) || (c2 == NULL))
return FALSE;
- if (c2->dns_failed)
- {
- c2->addr = c1->addr;
- }
- else
- {
- ADDCMP(addr);
- }
- VARCMP(ikeport);
- ADDCMP(nexthop);
- VARCMP(has_client);
- VARCMP(has_client_wildcard);
- VARCMP(has_port_wildcard);
- VARCMP(has_natip);
- VARCMP(has_virt);
VARCMP(modecfg);
- VARCMP(port);
+ VARCMP(from_port);
+ VARCMP(to_port);
VARCMP(protocol);
return cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
- }
+}
-bool
-starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
+bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
{
if ((c1 == NULL) || (c2 == NULL))
return FALSE;
- VARCMP(policy);
- VARCMP(addr_family);
- VARCMP(tunnel_addr_family);
+ VARCMP(mode);
+ VARCMP(proxy_mode);
+ VARCMP(options);
VARCMP(mark_in.value);
VARCMP(mark_in.mask);
VARCMP(mark_out.value);
VARCMP(mark_in.mask);
+ VARCMP(tfc);
+ VARCMP(sa_keying_tries);
if (!starter_cmp_end(&c1->left, &c2->left))
return FALSE;
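Review bot: `starter_cmp_conn` still compares `mark_in.mask` twice and never compares `mark_out.mask` (the fourth VARCMP after the new `options` line), so two connections that differ only in the outbound mark mask compare equal; the line is a context line, but the rewrite of this block is the right moment to fix it: `VARCMP(mark_out.mask);`. If the caller uses this result to decide whether a conn is reloaded — presumably so, but not visible here — a change to only the outbound mask would be missed, and the mark decides which policy traffic is matched against. The function continues in the next hunk.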
@@ -79,37 +57,10 @@ starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
return cmp_args(KW_CONN_NAME, KW_CONN_LAST, (char *)c1, (char *)c2);
}
-bool
-starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2)
+bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2)
{
if (c1 == NULL || c2 == NULL)
return FALSE;
return cmp_args(KW_CA_NAME, KW_CA_LAST, (char *)c1, (char *)c2);
}
-
-bool
-starter_cmp_klips(starter_config_t *c1, starter_config_t *c2)
-{
- if ((c1 == NULL) || (c2 == NULL))
- return FALSE;
-
- return cmp_args(KW_KLIPS_FIRST, KW_KLIPS_LAST, (char *)c1, (char *)c2);
-}
-
-bool
-starter_cmp_pluto(starter_config_t *c1, starter_config_t *c2)
-{
- if ((c1 == NULL) || (c2 == NULL))
- return FALSE;
-
- return cmp_args(KW_PLUTO_FIRST, KW_PLUTO_LAST, (char *)c1, (char *)c2);
-}
-
-bool
-starter_cmp_defaultroute(defaultroute_t *d1, defaultroute_t *d2)
-{
- if ((d1 == NULL) || (d2 == NULL))
- return FALSE;
- return memcmp(d1, d2, sizeof(defaultroute_t)) == 0;
-}
diff --git a/src/starter/cmp.h b/src/starter/cmp.h
index cda6e44b9..c33ce8ec2 100644
--- a/src/starter/cmp.h
+++ b/src/starter/cmp.h
@@ -15,13 +15,8 @@
#ifndef _STARTER_CMP_H_
#define _STARTER_CMP_H_
-#include "interfaces.h"
-
-extern bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2);
-extern bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2);
-extern bool starter_cmp_klips(starter_config_t *c1, starter_config_t *c2);
-extern bool starter_cmp_pluto(starter_config_t *c1, starter_config_t *c2);
-extern bool starter_cmp_defaultroute(defaultroute_t *d1, defaultroute_t *d2);
+bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2);
+bool starter_cmp_ca(starter_ca_t *c1, starter_ca_t *c2);
#endif
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 627601e88..2fb022692 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -19,40 +19,79 @@
#include <stdlib.h>
#include <string.h>
#include <assert.h>
+#include <netdb.h>
-#include <freeswan.h>
-
-#include <eap/eap.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <library.h>
+#include <utils/debug.h>
#include "keywords.h"
#include "confread.h"
#include "args.h"
#include "files.h"
-#include "interfaces.h"
-/* strings containing a colon are interpreted as an IPv6 address */
-#define ip_version(string) (strchr(string, '.') ? AF_INET : AF_INET6)
+#define IKE_LIFETIME_DEFAULT 10800 /* 3 hours */
+#define IPSEC_LIFETIME_DEFAULT 3600 /* 1 hour */
+#define SA_REPLACEMENT_MARGIN_DEFAULT 540 /* 9 minutes */
+#define SA_REPLACEMENT_FUZZ_DEFAULT 100 /* 100% of margin */
+#define SA_REPLACEMENT_RETRIES_DEFAULT 3
static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
static const char esp_defaults[] = "aes128-sha1,3des-sha1";
-static const char firewall_defaults[] = "ipsec _updown iptables";
+static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
static bool daemon_exists(char *daemon, char *path)
{
struct stat st;
if (stat(path, &st) != 0)
{
- plog("Disabling %sstart option, '%s' not found", daemon, path);
+ DBG1(DBG_APP, "Disabling %sstart option, '%s' not found", daemon, path);
return FALSE;
}
return TRUE;
}
+/**
+ * Process deprecated keywords
+ */
+static bool is_deprecated(kw_token_t token, kw_list_t *kw, char *name)
+{
+ switch (token)
+ {
+ case KW_SETUP_DEPRECATED:
+ case KW_PKCS11_DEPRECATED:
+ DBG1(DBG_APP, "# deprecated keyword '%s' in config setup",
+ kw->entry->name);
+ break;
+ case KW_CONN_DEPRECATED:
+ case KW_END_DEPRECATED:
+ case KW_PFS_DEPRECATED:
+ DBG1(DBG_APP, "# deprecated keyword '%s' in conn '%s'",
+ kw->entry->name, name);
+ break;
+ case KW_CA_DEPRECATED:
+ DBG1(DBG_APP, "# deprecated keyword '%s' in ca '%s'",
+ kw->entry->name, name);
+ break;
+ default:
+ return FALSE;
+ }
+ /* additional messages for some */
+ switch (token)
+ {
+ case KW_PKCS11_DEPRECATED:
+ DBG1(DBG_APP, " use the 'pkcs11' plugin instead", kw->entry->name);
+ break;
+ case KW_PFS_DEPRECATED:
+ DBG1(DBG_APP, " PFS is enabled by specifying a DH group in the "
+ "'esp' cipher suite", kw->entry->name);
+ break;
+ default:
+ break;
+ }
+ return TRUE;
+}
+
static void default_values(starter_config_t *cfg)
{
if (cfg == NULL)
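Review bot: Two of the new DBG1 calls in `is_deprecated` pass `kw->entry->name` to a format string that has no conversion specifier (the `'pkcs11' plugin` message and the PFS message), so the argument is never consumed and `-Wformat-extra-args` will warn. Either drop the argument or use it, e.g. `DBG1(DBG_APP, "  '%s': use the 'pkcs11' plugin instead", kw->entry->name);`. Note also that `is_deprecated` returns TRUE only for the `KW_*_DEPRECATED` tokens, so callers must keep their range check ahead of it, which load_setup/load_conn/load_ca in the later hunks do. `default_values` begins at the end of this hunk and continues outside it.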
@@ -60,7 +99,7 @@ static void default_values(starter_config_t *cfg)
memset(cfg, 0, sizeof(struct starter_config));
- /* is there enough space for all seen flags? */
+ /* is there enough space for all seen flags? */
assert(KW_SETUP_LAST - KW_SETUP_FIRST <
sizeof(cfg->setup.seen) * BITS_PER_BYTE);
assert(KW_CONN_LAST - KW_CONN_FIRST <
@@ -70,66 +109,55 @@ static void default_values(starter_config_t *cfg)
assert(KW_CA_LAST - KW_CA_FIRST <
sizeof(cfg->ca_default.seen) * BITS_PER_BYTE);
- cfg->setup.seen = LEMPTY;
- cfg->setup.fragicmp = TRUE;
- cfg->setup.hidetos = TRUE;
+ cfg->setup.seen = SEEN_NONE;
cfg->setup.uniqueids = TRUE;
- cfg->setup.interfaces = new_list("%defaultroute");
#ifdef START_CHARON
cfg->setup.charonstart = TRUE;
#endif
-#ifdef START_PLUTO
- cfg->setup.plutostart = TRUE;
-#endif
- cfg->conn_default.seen = LEMPTY;
+ cfg->conn_default.seen = SEEN_NONE;
cfg->conn_default.startup = STARTUP_NO;
cfg->conn_default.state = STATE_IGNORE;
- cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_PUBKEY |
- POLICY_PFS | POLICY_MOBIKE;
+ cfg->conn_default.mode = MODE_TUNNEL;
+ cfg->conn_default.options = SA_OPTION_MOBIKE;
- cfg->conn_default.ike = clone_str(ike_defaults);
- cfg->conn_default.esp = clone_str(esp_defaults);
- cfg->conn_default.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
- cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
+ cfg->conn_default.ike = strdupnull(ike_defaults);
+ cfg->conn_default.esp = strdupnull(esp_defaults);
+ cfg->conn_default.sa_ike_life_seconds = IKE_LIFETIME_DEFAULT;
+ cfg->conn_default.sa_ipsec_life_seconds = IPSEC_LIFETIME_DEFAULT;
cfg->conn_default.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
cfg->conn_default.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
- cfg->conn_default.addr_family = AF_INET;
- cfg->conn_default.tunnel_addr_family = AF_INET;
- cfg->conn_default.install_policy = TRUE;
- cfg->conn_default.dpd_delay = 30; /* seconds */
- cfg->conn_default.dpd_timeout = 150; /* seconds */
+ cfg->conn_default.install_policy = TRUE;
+ cfg->conn_default.dpd_delay = 30; /* seconds */
+ cfg->conn_default.dpd_timeout = 150; /* seconds */
- cfg->conn_default.left.seen = LEMPTY;
- cfg->conn_default.right.seen = LEMPTY;
+ cfg->conn_default.left.seen = SEEN_NONE;
+ cfg->conn_default.right.seen = SEEN_NONE;
cfg->conn_default.left.sendcert = CERT_SEND_IF_ASKED;
cfg->conn_default.right.sendcert = CERT_SEND_IF_ASKED;
- anyaddr(AF_INET, &cfg->conn_default.left.addr);
- anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
- anyaddr(AF_INET, &cfg->conn_default.right.addr);
- anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
cfg->conn_default.left.ikeport = 500;
cfg->conn_default.right.ikeport = 500;
- cfg->ca_default.seen = LEMPTY;
+ cfg->conn_default.left.to_port = 0xffff;
+ cfg->conn_default.right.to_port = 0xffff;
+
+ cfg->ca_default.seen = SEEN_NONE;
}
-#define KW_POLICY_FLAG(sy, sn, fl) \
- if (streq(kw->value, sy)) { conn->policy |= fl; } \
- else if (streq(kw->value, sn)) { conn->policy &= ~fl; } \
- else { plog("# bad policy value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
+#define KW_SA_OPTION_FLAG(sy, sn, fl) \
+ if (streq(kw->value, sy)) { conn->options |= fl; } \
+ else if (streq(kw->value, sn)) { conn->options &= ~fl; } \
+ else { DBG1(DBG_APP, "# bad option value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
{
kw_list_t *kw;
- DBG(DBG_CONTROL,
- DBG_log("Loading config setup")
- )
+ DBG2(DBG_APP, "Loading config setup");
for (kw = cfgp->config_setup; kw; kw = kw->next)
{
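Review bot: `KW_SA_OPTION_FLAG` expands to a bare `if`/`else if`/`else` chain, so it is only safe as a standalone statement; used as the body of an outer `if` without braces the trailing `else` would re-bind to the macro's first `if`. Wrapping the body in `do { ... } while (0)` removes the hazard, though the call sites in load_conn (which follow the macro with `break;` and no semicolon) would then need a trailing `;` added. Behaviour at the current call sites is unaffected either way. `default_values` starts before this hunk and `load_setup` continues after it.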
@@ -139,45 +167,49 @@ static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
if ((int)token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
{
- plog("# unsupported keyword '%s' in config setup", kw->entry->name);
+ DBG1(DBG_APP, "# unsupported keyword '%s' in config setup",
+ kw->entry->name);
cfg->err++;
continue;
}
+ if (is_deprecated(token, kw, ""))
+ {
+ cfg->non_fatal_err++;
+ continue;
+ }
+
if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned))
{
- plog(" bad argument value in config setup");
+ DBG1(DBG_APP, " bad argument value in config setup");
cfg->err++;
continue;
}
}
- /* verify the executables are actually available (some distros split
- * packages but enabled both) */
+ /* verify the executables are actually available */
#ifdef START_CHARON
cfg->setup.charonstart = cfg->setup.charonstart &&
- daemon_exists("charon", CHARON_CMD);
+ daemon_exists(daemon_name, cmd);
#else
cfg->setup.charonstart = FALSE;
#endif
-#ifdef START_PLUTO
- cfg->setup.plutostart = cfg->setup.plutostart &&
- daemon_exists("pluto", PLUTO_CMD);
-#else
- cfg->setup.plutostart = FALSE;
-#endif
}
static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
kw_list_t *kw, char *conn_name, starter_config_t *cfg)
{
- err_t ugh = NULL;
bool assigned = FALSE;
- bool has_port_wildcard; /* set if port is %any */
char *name = kw->entry->name;
char *value = kw->value;
+ if (is_deprecated(token, kw, conn_name))
+ {
+ cfg->non_fatal_err++;
+ return;
+ }
+
if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
goto err;
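Review bot: `daemon_exists(daemon_name, cmd)` uses two identifiers that are not declared anywhere in this hunk or in the visible part of load_setup; presumably they are file-scope variables set elsewhere in confread.c, since the old code passed the literals `"charon"` and `CHARON_CMD`. If so, a comment at the call site naming their origin, e.g. `/* daemon_name and cmd are file-scope; initialised in <where they are set> */`, would save the next reader a search; if they were meant to be parameters, the signature change is missing from this hunk. load_setup begins in the previous hunk.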
@@ -185,157 +217,25 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
switch (token)
{
case KW_HOST:
- free(end->host);
- end->host = NULL;
- if (streq(value, "%defaultroute"))
+ if (value && strlen(value) > 0 && value[0] == '%')
{
- if (cfg->defaultroute.defined)
- {
- end->addr = cfg->defaultroute.addr;
- end->nexthop = cfg->defaultroute.nexthop;
- }
- else if (!cfg->defaultroute.supported)
+ if (streq(value, "%defaultroute"))
{
- plog("%%defaultroute not supported, fallback to %%any");
+ value = "%any";
}
- else
- {
- plog("# default route not known: %s=%s", name, value);
- goto err;
- }
- }
- else if (streq(value, "%any") || streq(value, "%any4"))
- {
- anyaddr(conn->addr_family, &end->addr);
- }
- else if (streq(value, "%any6"))
- {
- conn->addr_family = AF_INET6;
- anyaddr(conn->addr_family, &end->addr);
- }
- else if (streq(value, "%group"))
- {
- ip_address any;
-
- conn->policy |= POLICY_GROUP | POLICY_TUNNEL;
- anyaddr(conn->addr_family, &end->addr);
- anyaddr(conn->tunnel_addr_family, &any);
- end->has_client = TRUE;
- }
- else
- {
- /* check for allow_any prefix */
- if (value[0] == '%')
- {
+ if (!streq(value, "%any") && !streq(value, "%any4") &&
+ !streq(value, "%any6"))
+ { /* allow_any prefix */
end->allow_any = TRUE;
value++;
}
- conn->addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
- if (ugh != NULL)
- {
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- if (streq(ugh, "does not look numeric and name lookup failed"))
- {
- end->dns_failed = TRUE;
- anyaddr(conn->addr_family, &end->addr);
- }
- else
- {
- goto err;
- }
- }
- end->host = clone_str(value);
- }
- break;
- case KW_SUBNET:
- if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
- || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
- {
- /* used by pluto only */
- end->has_virt = TRUE;
- }
- else
- {
- ip_subnet net;
- char *pos;
- int len = 0;
-
- end->has_client = TRUE;
- conn->tunnel_addr_family = ip_version(value);
-
- pos = strchr(value, ',');
- if (pos)
- {
- len = pos - value;
- }
- ugh = ttosubnet(value, len, ip_version(value), &net);
- if (ugh != NULL)
- {
- plog("# bad subnet: %s=%s [%s]", name, value, ugh);
- goto err;
- }
}
+ free(end->host);
+ end->host = strdupnull(value);
break;
case KW_SOURCEIP:
- if (end->has_natip)
- {
- plog("# natip and sourceip cannot be defined at the same time");
- goto err;
- }
- if (value[0] == '%')
- {
- if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
- streq(value, "%config") || streq(value, "%cfg"))
- {
- /* request ip via config payload */
- free(end->sourceip);
- end->sourceip = NULL;
- end->sourceip_mask = 1;
- }
- else
- { /* %poolname, strip %, serve ip requests */
- free(end->sourceip);
- end->sourceip = clone_str(value+1);
- end->sourceip_mask = 0;
- }
- end->modecfg = TRUE;
- }
- else
- {
- char *pos;
- ip_address addr;
- ip_subnet net;
-
- conn->tunnel_addr_family = ip_version(value);
- pos = strchr(value, '/');
-
- if (pos)
- { /* CIDR notation, address pool */
- ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
- if (ugh != NULL)
- {
- plog("# bad subnet: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- *pos = '\0';
- free(end->sourceip);
- end->sourceip = clone_str(value);
- end->sourceip_mask = atoi(pos + 1);
- }
- else
- { /* fixed srcip */
- ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
- if (ugh != NULL)
- {
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ?
- 32 : 128;
- }
- }
- conn->policy |= POLICY_TUNNEL;
+ conn->mode = MODE_TUNNEL;
+ conn->proxy_mode = FALSE;
break;
case KW_SENDCERT:
if (end->sendcert == CERT_YES_SEND)
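Review bot: In the new KW_HOST branch `strlen(value) > 0 && value[0] == '%'` is redundant — `value[0] == '%'` already implies a non-empty string — and a value of exactly `%` passes it, is not one of the `%any*` forms, so `allow_any` is set and `value++` leaves `end->host` as an empty string instead of an error. `if (value && value[0] == '%')` for the test and `if (*value == '\0') goto err;` after the increment would cover both. This hunk also drops the old ttoaddr/ttosubnet parse-time checks, so a mistyped `left=` or `leftsubnet=` is now stored verbatim and presumably only rejected by the daemon later; a comment on the case stating that validation has moved would help. kw_end begins in the previous hunk and continues past this one.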
@@ -357,139 +257,119 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
/* individual processing of keywords that were not assigned automatically */
switch (token)
{
- case KW_NEXTHOP:
- if (streq(value, "%defaultroute"))
+ case KW_PROTOPORT:
+ {
+ struct protoent *proto;
+ struct servent *svc;
+ char *sep, *port = "", *endptr;
+ long int p;
+
+ sep = strchr(value, '/');
+ if (sep)
+ { /* protocol/port */
+ *sep = '\0';
+ port = sep + 1;
+ }
+
+ if (streq(value, "%any"))
+ {
+ end->protocol = 0;
+ }
+ else
{
- if (cfg->defaultroute.defined)
+ proto = getprotobyname(value);
+ if (proto)
{
- end->nexthop = cfg->defaultroute.nexthop;
+ end->protocol = proto->p_proto;
}
else
{
- plog("# default route not known: %s=%s", name, value);
- goto err;
+ p = strtol(value, &endptr, 0);
+ if ((*value && *endptr) || p < 0 || p > 0xff)
+ {
+ DBG1(DBG_APP, "# bad protocol: %s=%s", name, value);
+ goto err;
+ }
+ end->protocol = (u_int8_t)p;
}
}
- else if (streq(value, "%direct"))
+ if (streq(port, "%any"))
{
- ugh = anyaddr(conn->addr_family, &end->nexthop);
+ end->from_port = 0;
+ end->to_port = 0xffff;
}
- else
+ else if (streq(port, "%opaque"))
{
- conn->addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop);
+ end->from_port = 0xffff;
+ end->to_port = 0;
}
- if (ugh != NULL)
+ else if (*port)
{
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- break;
- case KW_SUBNETWITHIN:
- {
- ip_subnet net;
-
- end->has_client = TRUE;
- end->has_client_wildcard = TRUE;
- conn->tunnel_addr_family = ip_version(value);
-
- ugh = ttosubnet(value, 0, ip_version(value), &net);
- if (ugh != NULL)
- {
- plog("# bad subnet: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- end->subnet = clone_str(value);
- break;
- }
- case KW_PROTOPORT:
- ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
- end->has_port_wildcard = has_port_wildcard;
- break;
- case KW_NATIP:
- if (end->sourceip)
- {
- plog("# natip and sourceip cannot be defined at the same time");
- goto err;
- }
- if (streq(value, "%defaultroute"))
- {
- char buf[64];
-
- if (cfg->defaultroute.defined)
+ svc = getservbyname(port, NULL);
+ if (svc)
{
- addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
- end->sourceip = clone_str(buf);
+ end->from_port = end->to_port = ntohs(svc->s_port);
}
else
{
- plog("# default route not known: %s=%s", name, value);
- goto err;
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffff)
+ {
+ DBG1(DBG_APP, "# bad port: %s=%s", name, port);
+ goto err;
+ }
+ end->from_port = p;
+ if (*endptr == '-')
+ {
+ port = endptr + 1;
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffff)
+ {
+ DBG1(DBG_APP, "# bad port: %s=%s", name, port);
+ goto err;
+ }
+ }
+ end->to_port = p;
+ if (*endptr)
+ {
+ DBG1(DBG_APP, "# bad port: %s=%s", name, port);
+ goto err;
+ }
}
}
- else
- {
- ip_address addr;
-
- conn->tunnel_addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
- if (ugh != NULL)
- {
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- end->sourceip = clone_str(value);
+ if (sep)
+ { /* restore the original text in case also= is used */
+ *sep = '/';
}
- end->has_natip = TRUE;
- conn->policy |= POLICY_TUNNEL;
break;
+ }
default:
break;
}
return;
err:
- plog(" bad argument value in conn '%s'", conn_name);
+ DBG1(DBG_APP, " bad argument value in conn '%s'", conn_name);
cfg->err++;
}
/*
- * handles left|right=<FQDN> DNS resolution failure
- */
-static void handle_dns_failure(const char *label, starter_end_t *end,
- starter_config_t *cfg, starter_conn_t *conn)
-{
- if (end->dns_failed)
- {
- if (end->allow_any)
- {
- plog("# fallback to %s=%%any due to '%%' prefix or %sallowany=yes",
- label, label);
- }
- else if (!end->host || conn->keyexchange == KEY_EXCHANGE_IKEV1)
- {
- /* declare an error */
- cfg->err++;
- }
- }
-}
-
-/*
* handles left|rightfirewall and left|rightupdown parameters
*/
static void handle_firewall(const char *label, starter_end_t *end,
starter_config_t *cfg)
{
- if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST)))
+ if (end->firewall && (end->seen & SEEN_KW(KW_FIREWALL, KW_END_FIRST)))
{
if (end->updown != NULL)
{
- plog("# cannot have both %sfirewall and %supdown", label, label);
+ DBG1(DBG_APP, "# cannot have both %sfirewall and %supdown", label,
+ label);
cfg->err++;
}
else
{
- end->updown = clone_str(firewall_defaults);
+ end->updown = strdupnull(firewall_defaults);
end->firewall = FALSE;
}
}
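Review bot: The new port-range parser accepts an inverted range such as `80-70`: the second strtol only checks `0..0xffff`, so `from_port` ends up greater than `to_port`, which is the very encoding this case uses for `%opaque` (`from_port = 0xffff; to_port = 0`), so the two become indistinguishable downstream. After the second strtol add `if (p < end->from_port) { DBG1(DBG_APP, "# bad port range: %s=%s", name, port); goto err; }`. Also, every `goto err` inside this case leaves the `'/'` overwritten by `*sep = '\0'`, while the success path restores it for `also=` reuse; since `cfg->err` is bumped on that path it is probably harmless, but restoring before the jump would make the two paths consistent. kw_end begins before this hunk.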
@@ -497,16 +377,16 @@ static void handle_firewall(const char *label, starter_end_t *end,
static bool handle_mark(char *value, mark_t *mark)
{
- char *pos, *endptr;
+ char *sep, *endptr;
- pos = strchr(value, '/');
- if (pos)
+ sep = strchr(value, '/');
+ if (sep)
{
- *pos = '\0';
- mark->mask = strtoul(pos+1, &endptr, 0);
+ *sep = '\0';
+ mark->mask = strtoul(sep+1, &endptr, 0);
if (*endptr != '\0')
{
- plog("# invalid mark mask: %s", pos+1);
+ DBG1(DBG_APP, "# invalid mark mask: %s", sep+1);
return FALSE;
}
}
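Review bot: `mark->mask = strtoul(sep+1, &endptr, 0)` accepts an empty mask: for `mark=0x10/` strtoul converts nothing, sets `endptr == sep+1` and returns 0, and `*endptr != '\0'` is false, so the mask silently becomes 0 (and with the masking added in the next hunk the value becomes 0 as well). The check should be `if (*endptr != '\0' || endptr == sep+1)`. handle_mark's tail is in the next hunk.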
@@ -523,10 +403,16 @@ static bool handle_mark(char *value, mark_t *mark)
mark->value = strtoul(value, &endptr, 0);
if (*endptr != '\0')
{
- plog("# invalid mark value: %s", value);
+ DBG1(DBG_APP, "# invalid mark value: %s", value);
return FALSE;
}
}
+ if (sep)
+ { /* restore the original text in case also= is used */
+ *sep = '/';
+ }
+ /* apply the mask to ensure the value is in range */
+ mark->value &= mark->mask;
return TRUE;
}
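Review bot: `mark->value &= mark->mask` silently rewrites a configured value whose bits fall outside the mask, so a slip such as `mark=0x100/0xff` becomes mark 0 with no diagnostic, and the packets then match a different policy than the administrator intended. A one-line warning ahead of the masking, `if (mark->value & ~mark->mask) DBG1(DBG_APP, "# mark value %s exceeds mask, masked", value);`, keeps the behaviour but makes it visible. The no-separator branch that initialises `mark->mask` is outside this hunk, so whether the mask can be 0 there cannot be checked here.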
@@ -566,28 +452,32 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
{
also_t *also = malloc_thing(also_t);
- also->name = clone_str(kw->value);
+ also->name = strdupnull(kw->value);
also->next = conn->also;
conn->also = also;
- DBG(DBG_CONTROL,
- DBG_log(" also=%s", kw->value)
- )
+ DBG2(DBG_APP, " also=%s", kw->value);
}
continue;
}
if (token < KW_CONN_FIRST || token > KW_CONN_LAST)
{
- plog("# unsupported keyword '%s' in conn '%s'"
- , kw->entry->name, conn_name);
+ DBG1(DBG_APP, "# unsupported keyword '%s' in conn '%s'",
+ kw->entry->name, conn_name);
cfg->err++;
continue;
}
+ if (is_deprecated(token, kw, conn_name))
+ {
+ cfg->non_fatal_err++;
+ continue;
+ }
+
if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned))
{
- plog(" bad argument value in conn '%s'", conn_name);
+ DBG1(DBG_APP, " bad argument value in conn '%s'", conn_name);
cfg->err++;
continue;
}
@@ -598,125 +488,42 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
switch (token)
{
case KW_TYPE:
- conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
+ conn->mode = MODE_TRANSPORT;
+ conn->proxy_mode = FALSE;
if (streq(kw->value, "tunnel"))
{
- conn->policy |= POLICY_TUNNEL;
+ conn->mode = MODE_TUNNEL;
}
else if (streq(kw->value, "beet"))
{
- conn->policy |= POLICY_BEET;
+ conn->mode = MODE_BEET;
}
else if (streq(kw->value, "transport_proxy"))
{
- conn->policy |= POLICY_PROXY;
+ conn->mode = MODE_TRANSPORT;
+ conn->proxy_mode = TRUE;
}
else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
{
- conn->policy |= POLICY_SHUNT_PASS;
+ conn->mode = MODE_PASS;
}
- else if (streq(kw->value, "drop"))
+ else if (streq(kw->value, "drop") || streq(kw->value, "reject"))
{
- conn->policy |= POLICY_SHUNT_DROP;
+ conn->mode = MODE_DROP;
}
- else if (streq(kw->value, "reject"))
+ else if (!streq(kw->value, "transport"))
{
- conn->policy |= POLICY_SHUNT_REJECT;
- }
- else if (strcmp(kw->value, "transport") != 0)
- {
- plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
+ DBG1(DBG_APP, "# bad policy value: %s=%s", kw->entry->name,
+ kw->value);
cfg->err++;
}
break;
- case KW_PFS:
- KW_POLICY_FLAG("yes", "no", POLICY_PFS)
- break;
case KW_COMPRESS:
- KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
+ KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_COMPRESS)
break;
case KW_AUTH:
- KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
+ KW_SA_OPTION_FLAG("ah", "esp", SA_OPTION_AUTHENTICATE)
break;
- case KW_AUTHBY:
- conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
-
- if (!streq(kw->value, "never"))
- {
- char *value = kw->value;
- char *second = strchr(kw->value, '|');
-
- if (second != NULL)
- {
- *second = '\0';
- }
-
- /* also handles the cases secret|rsasig and rsasig|secret */
- for (;;)
- {
- if (streq(value, "rsa") || streq(value, "rsasig") ||
- streq(value, "ecdsa") || streq(value, "ecdsasig") ||
- streq(value, "pubkey"))
- {
- conn->policy |= POLICY_PUBKEY | POLICY_ENCRYPT;
- }
- else if (streq(value, "secret") || streq(value, "psk"))
- {
- conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
- }
- else if (streq(value, "xauthrsasig"))
- {
- conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
- }
- else if (streq(value, "xauthpsk") || streq(value, "eap"))
- {
- conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
- }
- else
- {
- plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- break;
- }
- if (second == NULL)
- {
- break;
- }
- value = second;
- second = NULL; /* traverse the loop no more than twice */
- }
- }
- break;
- case KW_EAP:
- {
- char *sep;
-
- /* check for vendor-type format */
- sep = strchr(kw->value, '-');
- if (sep)
- {
- *(sep++) = '\0';
- conn->eap_type = atoi(kw->value);
- conn->eap_vendor = atoi(sep);
- if (conn->eap_type == 0 || conn->eap_vendor == 0)
- {
- plog("# invalid EAP type: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- }
- break;
- }
- conn->eap_type = eap_type_from_string(kw->value);
- if (conn->eap_type == 0)
- {
- conn->eap_type = atoi(kw->value);
- if (conn->eap_type == 0)
- {
- plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- }
- }
- break;
- }
case KW_MARK:
if (!handle_mark(kw->value, &conn->mark_in))
{
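Review bot: `type=reject` is now folded into `MODE_DROP` together with `drop`, replacing the distinct POLICY_SHUNT_REJECT of the old code, so an administrator relying on reject semantics gets a silent drop with no message. If the merge is intentional, a comment on the condition such as `/* reject is treated as drop */` or a DBG1 notice when `reject` is seen would document it; if not, a distinct mode value or an error is needed. The removal of the KW_AUTHBY/KW_EAP cases presumably moves those keywords to plain ARG_STR assignment, which this hunk does not show. load_conn begins before this hunk and continues after it.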
@@ -749,7 +556,8 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
conn->tfc = strtoul(kw->value, &endptr, 10);
if (*endptr != '\0')
{
- plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+ DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
+ kw->value);
cfg->err++;
}
}
@@ -766,36 +574,35 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
conn->sa_keying_tries = strtoul(kw->value, &endptr, 10);
if (*endptr != '\0')
{
- plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+ DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
+ kw->value);
cfg->err++;
}
}
break;
case KW_REKEY:
- KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
+ KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REKEY)
break;
case KW_REAUTH:
- KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH)
+ KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REAUTH)
break;
case KW_MOBIKE:
- KW_POLICY_FLAG("yes", "no", POLICY_MOBIKE)
+ KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_MOBIKE)
break;
case KW_FORCEENCAPS:
- KW_POLICY_FLAG("yes", "no", POLICY_FORCE_ENCAP)
+ KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_FORCE_ENCAP)
break;
case KW_MODECONFIG:
- KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
+ KW_SA_OPTION_FLAG("push", "pull", SA_OPTION_MODECFG_PUSH)
break;
case KW_XAUTH:
- KW_POLICY_FLAG("server", "client", POLICY_XAUTH_SERVER)
+ KW_SA_OPTION_FLAG("server", "client", SA_OPTION_XAUTH_SERVER)
break;
default:
break;
}
}
- handle_dns_failure("left", &conn->left, cfg, conn);
- handle_dns_failure("right", &conn->right, cfg, conn);
handle_firewall("left", &conn->left, cfg);
handle_firewall("right", &conn->right, cfg);
}
@@ -806,7 +613,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
static void conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
{
memcpy(conn, def, sizeof(starter_conn_t));
- conn->name = clone_str(name);
+ conn->name = strdupnull(name);
clone_args(KW_CONN_FIRST, KW_CONN_LAST, (char *)conn, (char *)def);
clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left, (char *)&def->left);
@@ -836,27 +643,32 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
{
also_t *also = malloc_thing(also_t);
- also->name = clone_str(kw->value);
+ also->name = strdupnull(kw->value);
also->next = ca->also;
ca->also = also;
- DBG(DBG_CONTROL,
- DBG_log(" also=%s", kw->value)
- )
+ DBG2(DBG_APP, " also=%s", kw->value);
}
continue;
}
if (token < KW_CA_FIRST || token > KW_CA_LAST)
{
- plog("# unsupported keyword '%s' in ca '%s'", kw->entry->name, ca_name);
+ DBG1(DBG_APP, "# unsupported keyword '%s' in ca '%s'",
+ kw->entry->name, ca_name);
cfg->err++;
continue;
}
+ if (is_deprecated(token, kw, ca_name))
+ {
+ cfg->non_fatal_err++;
+ continue;
+ }
+
if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned))
{
- plog(" bad argument value in ca '%s'", ca_name);
+ DBG1(DBG_APP, " bad argument value in ca '%s'", ca_name);
cfg->err++;
}
}
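Review bot: The new `is_deprecated` check sits after the KW_CA_FIRST..KW_CA_LAST range test, so if any deprecated keyword has been moved out of that range it is counted as a fatal "unsupported keyword" before is_deprecated() ever sees it; if the intent is that old ca sections keep loading, the deprecation block belongs before the range test. I cannot see the keyword table from here, so this may be a non-issue, but the silent `continue` still deserves a line of intent, e.g. `/* deprecated keywords are skipped and counted as non-fatal so existing configs still load */`. load_ca starts before this hunk.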
@@ -872,7 +684,7 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
static void ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
{
memcpy(ca, def, sizeof(starter_ca_t));
- ca->name = clone_str(name);
+ ca->name = strdupnull(name);
clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
}
@@ -889,13 +701,12 @@ static void load_also_conns(starter_conn_t *conn, also_t *also,
if (kw == NULL)
{
- plog(" conn '%s' cannot include '%s'", conn->name, also->name);
+ DBG1(DBG_APP, " conn '%s' cannot include '%s'", conn->name,
+ also->name);
}
else
{
- DBG(DBG_CONTROL,
- DBG_log("conn '%s' includes '%s'", conn->name, also->name)
- )
+ DBG2(DBG_APP, "conn '%s' includes '%s'", conn->name, also->name);
/* only load if no error occurred in the first round */
if (cfg->err == 0)
load_conn(conn, kw, cfg);
@@ -918,7 +729,7 @@ static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
{
if (conn->visit == c->visit)
{
- plog("# detected also loop");
+ DBG1(DBG_APP, "# detected also loop");
cfg->err++;
return NULL;
}
@@ -929,7 +740,7 @@ static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
c = c->next;
}
- plog("# also '%s' not found", name);
+ DBG1(DBG_APP, "# also '%s' not found", name);
cfg->err++;
return NULL;
}
@@ -945,13 +756,12 @@ static void load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
if (kw == NULL)
{
- plog(" ca '%s' cannot include '%s'", ca->name, also->name);
+ DBG1(DBG_APP, " ca '%s' cannot include '%s'", ca->name,
+ also->name);
}
else
{
- DBG(DBG_CONTROL,
- DBG_log("ca '%s' includes '%s'", ca->name, also->name)
- )
+ DBG2(DBG_APP, "ca '%s' includes '%s'", ca->name, also->name);
/* only load if no error occurred in the first round */
if (cfg->err == 0)
load_ca(ca, kw, cfg);
@@ -974,7 +784,7 @@ static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca,
{
if (ca->visit == c->visit)
{
- plog("# detected also loop");
+ DBG1(DBG_APP, "# detected also loop");
cfg->err++;
return NULL;
}
@@ -985,7 +795,7 @@ static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca,
c = c->next;
}
- plog("# also '%s' not found", name);
+ DBG1(DBG_APP, "# also '%s' not found", name);
cfg->err++;
return NULL;
}
@@ -1086,9 +896,6 @@ starter_config_t* confread_load(const char *file)
/* set default values */
default_values(cfg);
- /* determine default route */
- get_defaultroute(&cfg->defaultroute);
-
/* load config setup section */
load_setup(cfg, cfgp);
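Review bot: A `left=%defaultroute` in an existing ipsec.conf is no longer resolved anywhere visible once get_defaultroute() is dropped, and nothing in this hunk says what now happens to that value (the sample ipsec.conf in this commit simply stops using it). If the string is now handed to the daemon as-is, a parse-time warning via the deprecation path would be kinder than a late connection failure; if the daemon handles it, a one-line comment here such as `/* %defaultroute is no longer resolved by the starter */` would save the next reader the search. confread_load starts before this hunk.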
@@ -1100,15 +907,13 @@ starter_config_t* confread_load(const char *file)
{
if (streq(sca->name, "%default"))
{
- DBG(DBG_CONTROL,
- DBG_log("Loading ca %%default")
- )
+ DBG2(DBG_APP, "Loading ca %%default");
load_ca(&cfg->ca_default, sca->kw, cfg);
}
}
/* parameters defined in ca %default sections can be overloads */
- cfg->ca_default.seen = LEMPTY;
+ cfg->ca_default.seen = SEEN_NONE;
/* load other ca sections */
for (sca = cfgp->ca_first; sca; sca = sca->next)
@@ -1119,9 +924,7 @@ starter_config_t* confread_load(const char *file)
if (streq(sca->name, "%default"))
continue;
- DBG(DBG_CONTROL,
- DBG_log("Loading ca '%s'", sca->name)
- )
+ DBG2(DBG_APP, "Loading ca '%s'", sca->name);
ca = malloc_thing(starter_ca_t);
ca_default(sca->name, ca, &cfg->ca_default);
@@ -1169,17 +972,15 @@ starter_config_t* confread_load(const char *file)
{
if (streq(sconn->name, "%default"))
{
- DBG(DBG_CONTROL,
- DBG_log("Loading conn %%default")
- )
+ DBG2(DBG_APP, "Loading conn %%default");
load_conn(&cfg->conn_default, sconn->kw, cfg);
}
}
- /* parameter defined in conn %default sections can be overloaded */
- cfg->conn_default.seen = LEMPTY;
- cfg->conn_default.right.seen = LEMPTY;
- cfg->conn_default.left.seen = LEMPTY;
+ /* parameters defined in conn %default sections can be overloaded */
+ cfg->conn_default.seen = SEEN_NONE;
+ cfg->conn_default.right.seen = SEEN_NONE;
+ cfg->conn_default.left.seen = SEEN_NONE;
/* load other conn sections */
for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
@@ -1190,9 +991,7 @@ starter_config_t* confread_load(const char *file)
if (streq(sconn->name, "%default"))
continue;
- DBG(DBG_CONTROL,
- DBG_log("Loading conn '%s'", sconn->name)
- )
+ DBG2(DBG_APP, "Loading conn '%s'", sconn->name);
conn = malloc_thing(starter_conn_t);
conn_default(sconn->name, conn, &cfg->conn_default);
@@ -1245,8 +1044,8 @@ starter_config_t* confread_load(const char *file)
total_err = cfg->err + cfg->non_fatal_err;
if (total_err > 0)
{
- plog("### %d parsing error%s (%d fatal) ###"
- , total_err, (total_err > 1)?"s":"", cfg->err);
+ DBG1(DBG_APP, "### %d parsing error%s (%d fatal) ###",
+ total_err, (total_err > 1)?"s":"", cfg->err);
}
return cfg;
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 9cb919ce5..0690bed4e 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -16,12 +16,14 @@
#ifndef _IPSEC_CONFREAD_H_
#define _IPSEC_CONFREAD_H_
-#ifndef _FREESWAN_H
-#include <freeswan.h>
-#endif
+#include <kernel/kernel_ipsec.h>
#include "ipsec-parser.h"
-#include "interfaces.h"
+
+/** to mark seen keywords */
+typedef u_int64_t seen_t;
+#define SEEN_NONE 0;
+#define SEEN_KW(kw, base) ((seen_t)1 << ((kw) - (base)))
typedef enum {
STARTUP_NO,
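Review bot: `#define SEEN_NONE 0;` carries a trailing semicolon, so the macro only survives as the right-hand side of a statement (the `x.seen = SEEN_NONE;` uses in confread.c expand to `= 0;;`) and breaks in any expression such as `if (conn->seen == SEEN_NONE)` or a struct initializer; it should read `#define SEEN_NONE ((seen_t)0)`. SEEN_KW also shifts a 64-bit one by `kw - base`, which is undefined once a section has more than 64 keywords; I cannot see the keyword counts from here, but a comment stating the 64-keyword-per-section limit next to the typedef would make that assumption visible.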
@@ -39,21 +41,59 @@ typedef enum {
} starter_state_t;
typedef enum {
- KEY_EXCHANGE_IKE,
- KEY_EXCHANGE_IKEV1,
- KEY_EXCHANGE_IKEV2
+ /* shared with ike_version_t */
+ KEY_EXCHANGE_IKE = 0,
+ KEY_EXCHANGE_IKEV1 = 1,
+ KEY_EXCHANGE_IKEV2 = 2,
} keyexchange_t;
typedef enum {
STRICT_NO,
STRICT_YES,
- STRICT_IFURI
+ STRICT_IFURI,
} strict_t;
+typedef enum {
+ CERT_ALWAYS_SEND,
+ CERT_SEND_IF_ASKED,
+ CERT_NEVER_SEND,
+ CERT_YES_SEND, /* synonym for CERT_ALWAYS_SEND */
+ CERT_NO_SEND, /* synonym for CERT_NEVER_SEND */
+} certpolicy_t;
+
+typedef enum {
+ DPD_ACTION_NONE,
+ DPD_ACTION_CLEAR,
+ DPD_ACTION_HOLD,
+ DPD_ACTION_RESTART,
+ DPD_ACTION_UNKNOW,
+} dpd_action_t;
+
+typedef enum {
+ /* same as in ike_cfg.h */
+ FRAGMENTATION_NO,
+ FRAGMENTATION_YES,
+ FRAGMENTATION_FORCE,
+} fragmentation_t;
+
+typedef enum {
+ /* IPsec options */
+ SA_OPTION_AUTHENTICATE = 1 << 0, /* use AH instead of ESP? */
+ SA_OPTION_COMPRESS = 1 << 1, /* use IPComp */
+
+ /* IKE and other other options */
+ SA_OPTION_DONT_REKEY = 1 << 2, /* don't rekey state either Phase */
+ SA_OPTION_DONT_REAUTH = 1 << 3, /* don't reauthenticate on rekeying, IKEv2 only */
+ SA_OPTION_MODECFG_PUSH = 1 << 4, /* is modecfg pushed by server? */
+ SA_OPTION_XAUTH_SERVER = 1 << 5, /* are we an XAUTH server? */
+ SA_OPTION_MOBIKE = 1 << 6, /* enable MOBIKE for IKEv2 */
+ SA_OPTION_FORCE_ENCAP = 1 << 7, /* force UDP encapsulation */
+} sa_option_t;
+
typedef struct starter_end starter_end_t;
struct starter_end {
- lset_t seen;
+ seen_t seen;
char *auth;
char *auth2;
char *id;
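Review bot: `CERT_YES_SEND` and `CERT_NO_SEND` are commented as synonyms for `CERT_ALWAYS_SEND`/`CERT_NEVER_SEND` but receive distinct enumerator values (3 and 4), so any consumer comparing `sendcert == CERT_ALWAYS_SEND` silently treats `leftsendcert=yes` differently from `always`. If the values must stay index-aligned with a string table in the keyword parser, the place that translates the config for the daemon should normalise them; otherwise `CERT_YES_SEND = CERT_ALWAYS_SEND,` and `CERT_NO_SEND = CERT_NEVER_SEND,` make the synonym real. `DPD_ACTION_UNKNOW` also looks like a typo for `DPD_ACTION_UNKNOWN`.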
@@ -64,29 +104,22 @@ struct starter_end {
char *ca;
char *ca2;
char *groups;
+ char *groups2;
char *cert_policy;
- char *iface;
char *host;
- ip_address addr;
u_int ikeport;
- ip_address nexthop;
char *subnet;
- bool has_client;
- bool has_client_wildcard;
- bool has_port_wildcard;
- bool has_natip;
- bool has_virt;
bool modecfg;
certpolicy_t sendcert;
bool firewall;
bool hostaccess;
bool allow_any;
- bool dns_failed;
char *updown;
- u_int16_t port;
+ u_int16_t from_port;
+ u_int16_t to_port;
u_int8_t protocol;
char *sourceip;
- int sourceip_mask;
+ char *dns;
};
typedef struct also also_t;
@@ -100,7 +133,7 @@ struct also {
typedef struct starter_conn starter_conn_t;
struct starter_conn {
- lset_t seen;
+ seen_t seen;
char *name;
also_t *also;
kw_list_t *kw;
@@ -109,35 +142,36 @@ struct starter_conn {
starter_state_t state;
keyexchange_t keyexchange;
- u_int32_t eap_type;
- u_int32_t eap_vendor;
char *eap_identity;
char *aaa_identity;
char *xauth_identity;
- lset_t policy;
+ char *authby;
+ ipsec_mode_t mode;
+ bool proxy_mode;
+ fragmentation_t fragmentation;
+ u_int ikedscp;
+ sa_option_t options;
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
time_t sa_rekey_margin;
- u_int64_t sa_ipsec_life_bytes;
- u_int64_t sa_ipsec_margin_bytes;
- u_int64_t sa_ipsec_life_packets;
- u_int64_t sa_ipsec_margin_packets;
+ u_int64_t sa_ipsec_life_bytes;
+ u_int64_t sa_ipsec_margin_bytes;
+ u_int64_t sa_ipsec_life_packets;
+ u_int64_t sa_ipsec_margin_packets;
unsigned long sa_keying_tries;
unsigned long sa_rekey_fuzz;
u_int32_t reqid;
mark_t mark_in;
mark_t mark_out;
u_int32_t tfc;
- sa_family_t addr_family;
- sa_family_t tunnel_addr_family;
bool install_policy;
+ bool aggressive;
starter_end_t left, right;
unsigned long id;
char *esp;
char *ike;
- char *pfsgroup;
time_t dpd_delay;
time_t dpd_timeout;
@@ -158,7 +192,7 @@ struct starter_conn {
typedef struct starter_ca starter_ca_t;
struct starter_ca {
- lset_t seen;
+ seen_t seen;
char *name;
also_t *also;
kw_list_t *kw;
@@ -167,13 +201,11 @@ struct starter_ca {
starter_state_t state;
char *cacert;
- char *ldaphost;
- char *ldapbase;
char *crluri;
char *crluri2;
char *ocspuri;
char *ocspuri2;
- char *certuribase;
+ char *certuribase;
bool strict;
@@ -184,43 +216,14 @@ typedef struct starter_config starter_config_t;
struct starter_config {
struct {
- lset_t seen;
- char **interfaces;
- char *dumpdir;
- bool charonstart;
- bool plutostart;
-
- /* pluto/charon keywords */
- char **plutodebug;
+ seen_t seen;
+ bool charonstart;
char *charondebug;
- char *prepluto;
- char *postpluto;
- char *plutostderrlog;
bool uniqueids;
- u_int overridemtu;
- time_t crlcheckinterval;
bool cachecrls;
strict_t strictcrlpolicy;
- bool nocrsend;
- bool nat_traversal;
- time_t keep_alive;
- u_int force_keepalive;
- char *virtual_private;
- char *pkcs11module;
- char *pkcs11initargs;
- bool pkcs11keepstate;
- bool pkcs11proxy;
-
- /* KLIPS keywords */
- char **klipsdebug;
- bool fragicmp;
- char *packetdefault;
- bool hidetos;
} setup;
- /* information about the default route */
- defaultroute_t defaultroute;
-
/* number of encountered parsing errors */
u_int err;
u_int non_fatal_err;
@@ -245,4 +248,3 @@ extern starter_config_t *confread_load(const char *file);
extern void confread_free(starter_config_t *cfg);
#endif /* _IPSEC_CONFREAD_H_ */
-
diff --git a/src/starter/exec.c b/src/starter/exec.c
deleted file mode 100644
index d4c4f0657..000000000
--- a/src/starter/exec.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/* strongSwan IPsec exec helper function
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <stdio.h>
-
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-
-#include "exec.h"
-
-#define BUF_SIZE 2048
-
-/**
- * TODO:
- * o log stdout with LOG_LEVEL_INFO and stderr with LOG_LEVEL_ERR
- */
-
-int
-starter_exec(const char *fmt, ...)
-{
- va_list args;
- static char buf[BUF_SIZE];
- int r;
-
- va_start (args, fmt);
- vsnprintf(buf, BUF_SIZE-1, fmt, args);
- buf[BUF_SIZE - 1] = '\0';
- va_end(args);
- r = system(buf);
- DBG(DBG_CONTROL,
- DBG_log("starter_exec(%s) = %d", buf, r)
- )
- return r;
-}
-
diff --git a/src/starter/exec.h b/src/starter/exec.h
deleted file mode 100644
index 6a6414578..000000000
--- a/src/starter/exec.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* strongSwan IPsec starter exec helper function
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_EXEC_H_
-#define _STARTER_EXEC_H_
-
-extern int starter_exec (const char *fmt, ...);
-
-#endif /* _STARTER_EXEC_H_ */
-
diff --git a/src/starter/files.h b/src/starter/files.h
index 88857c0b2..76cdaa986 100644
--- a/src/starter/files.h
+++ b/src/starter/files.h
@@ -15,8 +15,6 @@
#ifndef _STARTER_FILES_H_
#define _STARTER_FILES_H_
-#define STARTER_PID_FILE IPSEC_PIDDIR "/starter.pid"
-
#define PROC_NETKEY "/proc/net/pfkey"
#define PROC_KLIPS "/proc/net/pf_key"
#define PROC_MODULES "/proc/modules"
@@ -24,13 +22,11 @@
#define CONFIG_FILE IPSEC_CONFDIR "/ipsec.conf"
#define SECRETS_FILE IPSEC_CONFDIR "/ipsec.secrets"
-#define PLUTO_CMD IPSEC_DIR "/pluto"
-#define PLUTO_CTL_FILE IPSEC_PIDDIR "/pluto.ctl"
-#define PLUTO_PID_FILE IPSEC_PIDDIR "/pluto.pid"
-
-#define CHARON_CMD IPSEC_DIR "/charon"
#define CHARON_CTL_FILE IPSEC_PIDDIR "/charon.ctl"
-#define CHARON_PID_FILE IPSEC_PIDDIR "/charon.pid"
+
+extern char *daemon_name;
+extern char *cmd;
+extern char *pid_file;
#define DYNIP_DIR IPSEC_PIDDIR "/dynip"
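Review bot: `cmd`, `pid_file` and `daemon_name` are mutable globals introduced into a header of compile-time paths, and `cmd` becomes the execv() path in invokecharon.c, so whatever assigns them is security-relevant while the header gives no hint where that is or whether the values may come from the command line. Declaring them `extern const char *` (assignment from a `char *` still compiles) prevents accidental in-place edits, and a comment naming the owner, e.g. `/* daemon name, binary path and pid file; set once by starter.c at startup */`, should be adjusted to whatever starter.c actually does, which is not in this hunk.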
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
deleted file mode 100644
index 4a2ae0a57..000000000
--- a/src/starter/interfaces.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/* strongSwan IPsec interfaces management
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- * 2009 Heiko Hund - Astaro AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include <freeswan.h>
-
-#include <constants.h>
-#include <defs.h>
-#include <log.h>
-
-#include "interfaces.h"
-#include "exec.h"
-#include "files.h"
-
-#ifdef START_PLUTO
-
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <linux/rtnetlink.h>
-#ifdef HAVE_SYS_SOCKIO_H
-#include <sys/sockio.h>
-#endif
-
-/*
- * Get the default route information via rtnetlink
- */
-void
-get_defaultroute(defaultroute_t *defaultroute)
-{
- union {
- struct {
- struct nlmsghdr nh;
- struct rtmsg rt;
- } m;
- char buf[4096];
- } rtu;
-
- struct nlmsghdr *nh;
- uint32_t best_metric = ~0;
- ssize_t msglen;
- int fd;
-
- memset(&rtu, 0, sizeof(rtu));
- rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt));
- rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
- rtu.m.nh.nlmsg_type = RTM_GETROUTE;
- rtu.m.rt.rtm_family = AF_INET;
- rtu.m.rt.rtm_table = RT_TABLE_UNSPEC;
- rtu.m.rt.rtm_protocol = RTPROT_UNSPEC;
- rtu.m.rt.rtm_type = RTN_UNICAST;
-
- fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
- if (fd == -1)
- {
- plog("could not create rtnetlink socket");
- return;
- }
-
- if (send(fd, &rtu, rtu.m.nh.nlmsg_len, 0) == -1)
- {
- plog("could not write to rtnetlink socket");
- close(fd);
- return;
- }
-
- msglen = recv(fd, &rtu, sizeof(rtu), MSG_WAITALL);
- if (msglen == -1)
- {
- plog("could not read from rtnetlink socket");
- close(fd);
- return;
- }
-
- close(fd);
-
- for (nh = &rtu.m.nh; NLMSG_OK(nh, msglen); nh = NLMSG_NEXT(nh, msglen))
- {
- struct rtmsg *rt;
- struct rtattr *rta;
- uint32_t rtalen, metric = 0;
- struct in_addr gw = { .s_addr = INADDR_ANY };
- int iface_idx = -1;
-
- if (nh->nlmsg_type == NLMSG_ERROR)
- {
- plog("error from rtnetlink");
- return;
- }
-
- if (nh->nlmsg_type == NLMSG_DONE)
- break;
-
- rt = NLMSG_DATA(nh);
- if ( rt->rtm_dst_len != 0
- || (rt->rtm_table != RT_TABLE_MAIN
- && rt->rtm_table != RT_TABLE_DEFAULT) )
- continue;
-
- rta = RTM_RTA(rt);
- rtalen = RTM_PAYLOAD(nh);
- while ( RTA_OK(rta, rtalen) )
- {
- switch (rta->rta_type)
- {
- case RTA_GATEWAY:
- gw = *(struct in_addr *) RTA_DATA(rta);
- break;
- case RTA_OIF:
- iface_idx = *(int *) RTA_DATA(rta);
- break;
- case RTA_PRIORITY:
- metric = *(uint32_t *) RTA_DATA(rta);
- break;
- }
- rta = RTA_NEXT(rta, rtalen);
- }
-
- if (metric < best_metric
- && iface_idx != -1)
- {
- struct ifreq req;
-
- fd = socket(AF_INET, SOCK_DGRAM, 0);
- if (fd < 0)
- {
- plog("could not open AF_INET socket");
- break;
- }
- memset(&req, 0, sizeof(req));
- req.ifr_ifindex = iface_idx;
- if (ioctl(fd, SIOCGIFNAME, &req) < 0 ||
- ioctl(fd, SIOCGIFADDR, &req) < 0)
- {
- plog("could not read interface data, ignoring route");
- close(fd);
- break;
- }
-
- strncpy(defaultroute->iface, req.ifr_name, IFNAMSIZ);
- defaultroute->iface[IFNAMSIZ-1] = '\0';
- defaultroute->addr.u.v4 = *((struct sockaddr_in *) &req.ifr_addr);
- defaultroute->nexthop.u.v4.sin_family = AF_INET;
-
- if (gw.s_addr == INADDR_ANY)
- {
- if (ioctl(fd, SIOCGIFDSTADDR, &req) < 0 ||
- ((struct sockaddr_in*) &req.ifr_dstaddr)->sin_addr.s_addr == INADDR_ANY)
- {
- DBG_log("Ignoring default route to device %s because we can't get it's destination",
- req.ifr_name);
- close(fd);
- break;
- }
-
- defaultroute->nexthop.u.v4 = *((struct sockaddr_in *) &req.ifr_dstaddr);
- }
- else
- defaultroute->nexthop.u.v4.sin_addr = gw;
-
- close(fd);
-
- DBG(DBG_CONTROL,
- char addr[20];
- char nexthop[20];
- addrtot(&defaultroute->addr, 0, addr, sizeof(addr));
- addrtot(&defaultroute->nexthop, 0, nexthop, sizeof(nexthop));
-
- DBG_log(
- ( !defaultroute->defined
- ? "Default route found: iface=%s, addr=%s, nexthop=%s"
- : "Better default route: iface=%s, addr=%s, nexthop=%s"
- ), defaultroute->iface, addr, nexthop
- )
- );
-
- best_metric = metric;
- defaultroute->defined = TRUE;
- }
- }
- defaultroute->supported = TRUE;
-
- if (!defaultroute->defined)
- plog("no default route - cannot cope with %%defaultroute!!!");
-}
-
-#else /* !START_PLUTO */
-
-/**
- * Pluto disabled, fall back to %any
- */
-void
-get_defaultroute(defaultroute_t *defaultroute)
-{
- defaultroute->supported = FALSE;
-}
-#endif /* START_PLUTO */
-
diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h
deleted file mode 100644
index ff8535f0e..000000000
--- a/src/starter/interfaces.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* strongSwan IPsec interfaces management
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_INTERFACES_H_
-#define _STARTER_INTERFACES_H_
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <net/if.h>
-
-#include "../pluto/constants.h"
-
-typedef struct {
- bool defined;
- bool supported;
- char iface[IFNAMSIZ];
- ip_address addr;
- ip_address nexthop;
-} defaultroute_t;
-
-extern void get_defaultroute(defaultroute_t *defaultroute);
-
-
-#endif /* _STARTER_INTERFACES_H_ */
-
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index e88939415..d981f6c17 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -23,11 +23,8 @@
#include <stdlib.h>
#include <errno.h>
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <library.h>
+#include <utils/debug.h>
#include "confread.h"
#include "invokecharon.h"
@@ -49,22 +46,22 @@ void starter_charon_sigchild(pid_t pid, int status)
if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY ||
status == SS_RC_DAEMON_INTEGRITY)
{
- plog("charon has quit: integrity test of %s failed",
- (status == 64) ? "libstrongswan" : "charon");
+ DBG1(DBG_APP, "%s has quit: integrity test of %s failed",
+ daemon_name, (status == 64) ? "libstrongswan" : daemon_name);
_stop_requested = 1;
}
else if (status == SS_RC_INITIALIZATION_FAILED)
{
- plog("charon has quit: initialization failed");
+ DBG1(DBG_APP, "%s has quit: initialization failed", daemon_name);
_stop_requested = 1;
}
if (!_stop_requested)
{
- plog("charon has died -- restart scheduled (%dsec)"
- , CHARON_RESTART_DELAY);
+ DBG1(DBG_APP, "%s has died -- restart scheduled (%dsec)",
+ daemon_name, CHARON_RESTART_DELAY);
alarm(CHARON_RESTART_DELAY); // restart in 5 sec
}
- unlink(CHARON_PID_FILE);
+ unlink(pid_file);
}
}
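Review bot: The integrity message still tests the raw literal `status == 64` to choose between "libstrongswan" and the daemon name, while the branch guard two lines above uses the named constants; if SS_RC_LIBSTRONGSWAN_INTEGRITY ever changes, the logged text would lie about which component failed. `(status == SS_RC_LIBSTRONGSWAN_INTEGRITY) ? "libstrongswan" : daemon_name` keeps the guard and the message in step. starter_charon_sigchild starts before this hunk.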
@@ -91,7 +88,8 @@ int starter_stop_charon (void)
else if (i == 40)
{
kill(pid, SIGKILL);
- plog("starter_stop_charon(): charon does not respond, sending KILL");
+ DBG1(DBG_APP, "starter_stop_charon(): %s does not respond, sending KILL",
+ daemon_name);
}
else
{
@@ -101,15 +99,15 @@ int starter_stop_charon (void)
}
if (_charon_pid == 0)
{
- plog("charon stopped after %d ms", 200*i);
+ DBG1(DBG_APP, "%s stopped after %d ms", daemon_name, 200*i);
return 0;
}
- plog("starter_stop_charon(): can't stop charon !!!");
+ DBG1(DBG_APP, "starter_stop_charon(): can't stop %s !!!", daemon_name);
return -1;
}
else
{
- plog("stater_stop_charon(): charon was not started...");
+ DBG1(DBG_APP, "stater_stop_charon(): %s was not started...", daemon_name);
}
return -1;
}
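Review bot: The rewritten log line keeps the old typo `stater_stop_charon()`; since operators grep logs for function names, `DBG1(DBG_APP, "starter_stop_charon(): %s was not started...", daemon_name);` would match the function's real name and the other messages in this function. starter_stop_charon starts before this hunk.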
@@ -122,7 +120,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
char buffer[BUF_LEN];
int argc = 1;
char *arg[] = {
- CHARON_CMD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ cmd, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
@@ -133,7 +131,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
argc = 0;
arg[argc++] = "/usr/bin/gdb";
arg[argc++] = "--args";
- arg[argc++] = CHARON_CMD;
+ arg[argc++] = cmd;
}
if (!no_fork)
{
@@ -175,7 +173,8 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
if (_charon_pid)
{
- plog("starter_start_charon(): charon already started...");
+ DBG1(DBG_APP, "starter_start_charon(): %s already started...",
+ daemon_name);
return -1;
}
else
@@ -187,34 +186,37 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
switch (pid)
{
case -1:
- plog("can't fork(): %s", strerror(errno));
+ DBG1(DBG_APP, "can't fork(): %s", strerror(errno));
return -1;
case 0:
/* child */
setsid();
+ closefrom(3);
sigprocmask(SIG_SETMASK, 0, NULL);
/* disable glibc's malloc checker, conflicts with leak detective */
setenv("MALLOC_CHECK_", "0", 1);
execv(arg[0], arg);
- plog("can't execv(%s,...): %s", arg[0], strerror(errno));
+ DBG1(DBG_APP, "can't execv(%s,...): %s", arg[0], strerror(errno));
exit(1);
default:
/* father */
- _charon_pid = pid;
- for (i = 0; i < 500 && _charon_pid; i++)
+ _charon_pid = pid;
+ for (i = 0; i < 500 && _charon_pid; i++)
{
/* wait for charon for a maximum of 500 x 20 ms = 10 s */
usleep(20000);
- if (stat(CHARON_PID_FILE, &stb) == 0)
+ if (stat(pid_file, &stb) == 0)
{
- plog("charon (%d) started after %d ms", _charon_pid, 20*(i+1));
+ DBG1(DBG_APP, "%s (%d) started after %d ms", daemon_name,
+ _charon_pid, 20*(i+1));
return 0;
}
}
if (_charon_pid)
{
/* If charon is started but with no ctl file, stop it */
- plog("charon too long to start... - kill kill");
+ DBG1(DBG_APP, "%s too long to start... - kill kill",
+ daemon_name);
for (i = 0; i < 20 && (pid = _charon_pid) != 0; i++)
{
if (i == 0)
@@ -234,7 +236,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
}
else
{
- plog("charon refused to be started");
+ DBG1(DBG_APP, "%s refused to be started", daemon_name);
}
return -1;
}
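Review bot: The readiness loop still treats an existing `pid_file` as proof that the daemon started, and the only unlink of that file visible in this commit is in starter_charon_sigchild(), so a stale pid file left by a daemon that died without the starter noticing makes the fork report "started after 20 ms" regardless of whether execv() succeeded; unless the code above this hunk already removes it, add `unlink(pid_file);` just before fork(), as the deleted pluto launcher did for its ctl file. The new `closefrom(3)` is welcome fd hygiene for the child, but it is not POSIX and is absent from glibc before 2.34, and this file's include hunk adds nothing that obviously provides it; if it comes via library.h, a short comment saying so would avoid a portability surprise. starter_start_charon starts before this hunk.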
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
deleted file mode 100644
index 70c0692ea..000000000
--- a/src/starter/invokepluto.c
+++ /dev/null
@@ -1,327 +0,0 @@
-/* strongSwan Pluto launcher
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <signal.h>
-#include <string.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-
-#include "confread.h"
-#include "invokepluto.h"
-#include "files.h"
-#include "starterwhack.h"
-#
-static int _pluto_pid = 0;
-static int _stop_requested;
-
-pid_t
-starter_pluto_pid(void)
-{
- return _pluto_pid;
-}
-
-void
-starter_pluto_sigchild(pid_t pid, int status)
-{
- if (pid == _pluto_pid)
- {
- _pluto_pid = 0;
- if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY ||
- status == SS_RC_DAEMON_INTEGRITY)
- {
- plog("pluto has quit: integrity test of %s failed",
- (status == 64) ? "libstrongswan" : "pluto");
- _stop_requested = 1;
- }
- else if (status == SS_RC_INITIALIZATION_FAILED)
- {
- plog("pluto has quit: initialization failed");
- _stop_requested = 1;
- }
- if (!_stop_requested)
- {
- plog("pluto has died -- restart scheduled (%dsec)"
- , PLUTO_RESTART_DELAY);
- alarm(PLUTO_RESTART_DELAY); // restart in 5 sec
- }
- unlink(PLUTO_PID_FILE);
- }
-}
-
-int
-starter_stop_pluto (void)
-{
- int i;
- pid_t pid = _pluto_pid;
-
- if (pid)
- {
- _stop_requested = 1;
-
- if (starter_whack_shutdown() == 0)
- {
- for (i = 0; i < 400; i++)
- {
- usleep(20000); /* sleep for 20 ms */
- if (_pluto_pid == 0)
- {
- plog("pluto stopped after %d ms", 20*(i+1));
- return 0;
- }
- }
- }
- /* be more and more aggressive */
- for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
- {
-
- if (i < 10)
- {
- kill(pid, SIGTERM);
- }
- if (i == 10)
- {
- kill(pid, SIGKILL);
- plog("starter_stop_pluto(): pluto does not respond, sending KILL");
- }
- else
- {
- kill(pid, SIGKILL);
- }
- usleep(100000); /* sleep for 100 ms */
- }
- if (_pluto_pid == 0)
- {
- plog("pluto stopped after %d ms", 8000 + 100*i);
- return 0;
- }
- plog("starter_stop_pluto(): can't stop pluto !!!");
- return -1;
- }
- else
- {
- plog("stater_stop_pluto(): pluto is not started...");
- }
- return -1;
-}
-
-#define ADD_DEBUG(v) { \
- for (l = cfg->setup.plutodebug; l && *l; l++) if (streq(*l, v)) \
- arg[argc++] = "--debug-" v; \
- }
-
-int
-starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb)
-{
- struct stat stb;
- int i;
- pid_t pid;
- char **l;
- int argc = 2;
- char *arg[] = {
- PLUTO_CMD, "--nofork"
- , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
- , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
- , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
- , NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
- };
-
- printf ("starter_start_pluto entered\n");
-
- if (attach_gdb)
- {
- argc = 0;
- arg[argc++] = "/usr/bin/gdb";
- arg[argc++] = "--args";
- arg[argc++] = PLUTO_CMD;
- arg[argc++] = "--nofork";
- }
- if (cfg->setup.plutostderrlog || no_fork)
- {
- arg[argc++] = "--stderrlog";
- }
- if (cfg->setup.uniqueids)
- {
- arg[argc++] = "--uniqueids";
- }
- ADD_DEBUG("none")
- ADD_DEBUG("all")
- ADD_DEBUG("raw")
- ADD_DEBUG("crypt")
- ADD_DEBUG("parsing")
- ADD_DEBUG("emitting")
- ADD_DEBUG("control")
- ADD_DEBUG("lifecycle")
- ADD_DEBUG("klips")
- ADD_DEBUG("kernel")
- ADD_DEBUG("dns")
- ADD_DEBUG("natt")
- ADD_DEBUG("oppo")
- ADD_DEBUG("controlmore")
- ADD_DEBUG("private")
- if (cfg->setup.crlcheckinterval > 0)
- {
- static char buf1[15];
-
- arg[argc++] = "--crlcheckinterval";
- snprintf(buf1, sizeof(buf1), "%d", (int)cfg->setup.crlcheckinterval);
- arg[argc++] = buf1;
- }
- if (cfg->setup.cachecrls)
- {
- arg[argc++] = "--cachecrls";
- }
- if (cfg->setup.strictcrlpolicy)
- {
- arg[argc++] = "--strictcrlpolicy";
- }
- if (cfg->setup.nocrsend)
- {
- arg[argc++] = "--nocrsend";
- }
- if (cfg->setup.nat_traversal)
- {
- arg[argc++] = "--nat_traversal";
- }
- if (cfg->setup.force_keepalive)
- {
- arg[argc++] = "--force_keepalive";
- }
- if (cfg->setup.keep_alive)
- {
- static char buf2[15];
-
- arg[argc++] = "--keep_alive";
- snprintf(buf2, sizeof(buf2), "%d", (int)cfg->setup.keep_alive);
- arg[argc++] = buf2;
- }
- if (cfg->setup.virtual_private)
- {
- arg[argc++] = "--virtual_private";
- arg[argc++] = cfg->setup.virtual_private;
- }
- if (cfg->setup.pkcs11module)
- {
- arg[argc++] = "--pkcs11module";
- arg[argc++] = cfg->setup.pkcs11module;
- }
- if (cfg->setup.pkcs11initargs)
- {
- arg[argc++] = "--pkcs11initargs";
- arg[argc++] = cfg->setup.pkcs11initargs;
- }
- if (cfg->setup.pkcs11keepstate)
- {
- arg[argc++] = "--pkcs11keepstate";
- }
- if (cfg->setup.pkcs11proxy)
- {
- arg[argc++] = "--pkcs11proxy";
- }
-
- if (_pluto_pid)
- {
- plog("starter_start_pluto(): pluto already started...");
- return -1;
- }
- else
- {
- unlink(PLUTO_CTL_FILE);
- _stop_requested = 0;
-
- if (cfg->setup.prepluto)
- ignore_result(system(cfg->setup.prepluto));
-
- pid = fork();
- switch (pid)
- {
- case -1:
- plog("can't fork(): %s", strerror(errno));
- return -1;
- case 0:
- /* child */
- if (cfg->setup.plutostderrlog)
- {
- int f = creat(cfg->setup.plutostderrlog, 00644);
-
- /* redirect stderr to file */
- if (f < 0)
- {
- plog("couldn't open stderr redirection file '%s'",
- cfg->setup.plutostderrlog);
- }
- else
- {
- dup2(f, 2);
- }
- }
- setsid();
- sigprocmask(SIG_SETMASK, 0, NULL);
- /* disable glibc's malloc checker, conflicts with leak detective */
- setenv("MALLOC_CHECK_", "0", 1);
- execv(arg[0], arg);
- plog("can't execv(%s,...): %s", arg[0], strerror(errno));
- exit(1);
- default:
- /* father */
- _pluto_pid = pid;
- for (i = 0; i < 500 && _pluto_pid; i++)
- {
- /* wait for pluto for a maximum of 500 x 20 ms = 10 s */
- usleep(20000);
- if (stat(PLUTO_CTL_FILE, &stb) == 0)
- {
- plog("pluto (%d) started after %d ms", _pluto_pid, 20*(i+1));
- if (cfg->setup.postpluto)
- {
- ignore_result(system(cfg->setup.postpluto));
- }
- return 0;
- }
- }
- if (_pluto_pid)
- {
- /* If pluto is started but with no ctl file, stop it */
- plog("pluto too long to start... - kill kill");
- for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++)
- {
- if (i < 10)
- {
- kill(pid, SIGTERM);
- }
- else
- {
- kill(pid, SIGKILL);
- }
- usleep(20000); /* sleep for 20 ms */
- }
- }
- else
- {
- plog("pluto refused to be started");
- }
- return -1;
- }
- }
- return -1;
-}
diff --git a/src/starter/invokepluto.h b/src/starter/invokepluto.h
deleted file mode 100644
index c87f50c2a..000000000
--- a/src/starter/invokepluto.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/* strongSwan pluto launcher
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_PLUTO_H_
-#define _STARTER_PLUTO_H_
-
-#define PLUTO_RESTART_DELAY 5
-
-extern void starter_pluto_sigchild (pid_t pid, int status);
-extern pid_t starter_pluto_pid (void);
-extern int starter_stop_pluto (void);
-extern int starter_start_pluto (struct starter_config *cfg, bool no_fork, bool attach_gdb);
-
-#endif /* _STARTER_PLUTO_H_ */
-
diff --git a/src/starter/ipsec.conf b/src/starter/ipsec.conf
index b1e5d5e0c..a33d68c0a 100644
--- a/src/starter/ipsec.conf
+++ b/src/starter/ipsec.conf
@@ -3,20 +3,14 @@
# basic configuration
config setup
- # plutodebug=all
- # crlcheckinterval=600
# strictcrlpolicy=yes
- # cachecrls=yes
- # nat_traversal=yes
- # charonstart=no
- # plutostart=no
+ # uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
-# left=%defaultroute
# leftsubnet=10.1.0.0/16
# leftcert=selfCert.der
# leftsendcert=never
@@ -26,11 +20,9 @@ config setup
# auto=start
#conn sample-with-ca-cert
-# left=%defaultroute
# leftsubnet=10.1.0.0/16
# leftcert=myCert.pem
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid="C=CH, O=Linux strongSwan CN=peer name"
-# keyexchange=ikev2
# auto=start
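Review bot: The second sample connection no longer pins `keyexchange=ikev2`, so the template now relies on charon's default IKE version; if that default also accepts IKEv1 on the responder side, the copied-and-uncommented sample is more permissive than the line it replaces. Because this template is what administrators start from, keeping an explicit `# keyexchange=ikev2` alongside the other commented options would document the intended version even if the daemon default is the same. The dropped `left=%defaultroute` is presumably covered by charon resolving the local address itself; a one-line comment saying so would spare the next reader a lookup.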
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index edb55ae7f..20ec1501d 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -30,7 +30,7 @@ error "gperf generated tables don't work with this execution character set. Plea
#endif
-/* strongSwan keywords
+/*
* Copyright (C) 2005 Andreas Steffen
* Hochschule fuer Technik Rapperswil, Switzerland
*
@@ -54,12 +54,12 @@ struct kw_entry {
kw_token_t token;
};
-#define TOTAL_KEYWORDS 131
+#define TOTAL_KEYWORDS 138
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
#define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 246
-/* maximum key range = 238, duplicates = 0 */
+#define MAX_HASH_VALUE 257
+/* maximum key range = 249, duplicates = 0 */
#ifdef __GNUC__
__inline
@@ -73,34 +73,34 @@ hash (str, len)
register const char *str;
register unsigned int len;
{
- static const unsigned char asso_values[] =
+ static const unsigned short asso_values[] =
{
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 12,
- 126, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 51, 247, 11, 1, 92,
- 43, 0, 6, 0, 110, 0, 247, 120, 56, 37,
- 27, 72, 43, 1, 16, 0, 5, 75, 1, 247,
- 247, 11, 5, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 247, 247, 247
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 14,
+ 129, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 3, 258, 31, 1, 83,
+ 50, 5, 4, 1, 60, 1, 258, 121, 62, 5,
+ 33, 51, 41, 2, 22, 1, 25, 103, 1, 258,
+ 258, 8, 2, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258, 258, 258, 258, 258,
+ 258, 258, 258, 258, 258, 258
};
register int hval = len;
@@ -123,166 +123,174 @@ hash (str, len)
static const struct kw_entry wordlist[] =
{
- {"pfs", KW_PFS},
- {"right", KW_RIGHT},
+ {"pfs", KW_PFS_DEPRECATED},
{"rightgroups", KW_RIGHTGROUPS},
+ {"aggressive", KW_AGGRESSIVE},
{"lifetime", KW_KEYLIFE},
+ {"rightsigkey", KW_RIGHTSIGKEY},
+ {"lifebytes", KW_LIFEBYTES},
+ {"keyingtries", KW_KEYINGTRIES},
+ {"leftsigkey", KW_LEFTSIGKEY},
+ {"keylife", KW_KEYLIFE},
+ {"leftrsasigkey", KW_LEFTSIGKEY},
+ {"right", KW_RIGHT},
+ {"leftcertpolicy", KW_LEFTCERTPOLICY},
{"left", KW_LEFT},
{"rightsubnet", KW_RIGHTSUBNET},
{"rightikeport", KW_RIGHTIKEPORT},
{"rightsendcert", KW_RIGHTSENDCERT},
+ {"leftgroups", KW_LEFTGROUPS},
+ {"rightrsasigkey", KW_RIGHTSIGKEY},
{"leftcert", KW_LEFTCERT},
- {"keep_alive", KW_KEEP_ALIVE},
- {"keyingtries", KW_KEYINGTRIES},
- {"leftsendcert", KW_LEFTSENDCERT},
- {"keylife", KW_KEYLIFE},
- {"lifebytes", KW_LIFEBYTES},
{"lifepackets", KW_LIFEPACKETS},
- {"leftrsasigkey", KW_LEFTRSASIGKEY},
- {"leftcertpolicy", KW_LEFTCERTPOLICY},
- {"leftgroups", KW_LEFTGROUPS},
- {"leftca", KW_LEFTCA},
- {"rightallowany", KW_RIGHTALLOWANY},
{"uniqueids", KW_UNIQUEIDS},
- {"leftprotoport", KW_LEFTPROTOPORT},
- {"rightrsasigkey", KW_RIGHTRSASIGKEY},
- {"virtual_private", KW_VIRTUAL_PRIVATE},
- {"certuribase", KW_CERTURIBASE},
- {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
- {"interfaces", KW_INTERFACES},
- {"reqid", KW_REQID},
- {"rightid", KW_RIGHTID},
- {"strictcrlpolicy", KW_STRICTCRLPOLICY},
+ {"leftdns", KW_LEFTDNS},
+ {"leftsendcert", KW_LEFTSENDCERT},
+ {"rightsubnetwithin", KW_RIGHTSUBNET},
+ {"rightallowany", KW_RIGHTALLOWANY},
+ {"keep_alive", KW_SETUP_DEPRECATED},
{"rightsourceip", KW_RIGHTSOURCEIP},
{"type", KW_TYPE},
- {"inactivity", KW_INACTIVITY},
- {"leftnexthop", KW_LEFTNEXTHOP},
- {"mark_in", KW_MARK_IN},
+ {"rightid", KW_RIGHTID},
+ {"rightdns", KW_RIGHTDNS},
+ {"reqid", KW_REQID},
+ {"certuribase", KW_CERTURIBASE},
+ {"leftnexthop", KW_LEFT_DEPRECATED},
+ {"mobike", KW_MOBIKE},
+ {"leftprotoport", KW_LEFTPROTOPORT},
+ {"compress", KW_COMPRESS},
+ {"me_peerid", KW_ME_PEERID},
+ {"interfaces", KW_SETUP_DEPRECATED},
+ {"virtual_private", KW_SETUP_DEPRECATED},
+ {"lefthostaccess", KW_LEFTHOSTACCESS},
+ {"leftca", KW_LEFTCA},
+ {"righthostaccess", KW_RIGHTHOSTACCESS},
+ {"rightfirewall", KW_RIGHTFIREWALL},
{"rightprotoport", KW_RIGHTPROTOPORT},
- {"margintime", KW_REKEYMARGIN},
- {"marginbytes", KW_MARGINBYTES},
- {"marginpackets", KW_MARGINPACKETS},
- {"leftnatip", KW_LEFTNATIP},
- {"mediated_by", KW_MEDIATED_BY},
- {"ldapbase", KW_LDAPBASE},
+ {"inactivity", KW_INACTIVITY},
{"leftfirewall", KW_LEFTFIREWALL},
- {"rightfirewall", KW_RIGHTFIREWALL},
- {"crluri", KW_CRLURI},
- {"mobike", KW_MOBIKE},
- {"rightnatip", KW_RIGHTNATIP},
- {"rightnexthop", KW_RIGHTNEXTHOP},
- {"mediation", KW_MEDIATION},
+ {"esp", KW_ESP},
+ {"rightnexthop", KW_RIGHT_DEPRECATED},
+ {"forceencaps", KW_FORCEENCAPS},
{"leftallowany", KW_LEFTALLOWANY},
+ {"crluri", KW_CRLURI},
{"leftupdown", KW_LEFTUPDOWN},
- {"overridemtu", KW_OVERRIDEMTU},
- {"aaa_identity", KW_AAA_IDENTITY},
- {"esp", KW_ESP},
+ {"mark_in", KW_MARK_IN},
+ {"strictcrlpolicy", KW_STRICTCRLPOLICY},
+ {"force_keepalive", KW_SETUP_DEPRECATED},
+ {"marginbytes", KW_MARGINBYTES},
+ {"mediated_by", KW_MEDIATED_BY},
+ {"marginpackets", KW_MARGINPACKETS},
+ {"margintime", KW_REKEYMARGIN},
+ {"rightauth", KW_RIGHTAUTH},
+ {"fragmentation", KW_FRAGMENTATION},
+ {"pfsgroup", KW_PFS_DEPRECATED},
{"crluri1", KW_CRLURI},
- {"lefthostaccess", KW_LEFTHOSTACCESS},
- {"leftsubnet", KW_LEFTSUBNET},
+ {"rightcertpolicy", KW_RIGHTCERTPOLICY},
+ {"hidetos", KW_SETUP_DEPRECATED},
+ {"keyexchange", KW_KEYEXCHANGE},
+ {"leftsourceip", KW_LEFTSOURCEIP},
+ {"ocspuri", KW_OCSPURI},
{"leftid", KW_LEFTID},
- {"forceencaps", KW_FORCEENCAPS},
- {"eap", KW_EAP},
- {"nat_traversal", KW_NAT_TRAVERSAL},
- {"me_peerid", KW_ME_PEERID},
- {"rightcert", KW_RIGHTCERT},
+ {"eap", KW_CONN_DEPRECATED},
{"installpolicy", KW_INSTALLPOLICY},
- {"authby", KW_AUTHBY},
- {"klipsdebug", KW_KLIPSDEBUG},
+ {"also", KW_ALSO},
+ {"rightcert", KW_RIGHTCERT},
+ {"overridemtu", KW_SETUP_DEPRECATED},
+ {"mediation", KW_MEDIATION},
{"rightca", KW_RIGHTCA},
- {"mark_out", KW_MARK_OUT},
- {"rightupdown", KW_RIGHTUPDOWN},
- {"keyexchange", KW_KEYEXCHANGE},
- {"ocspuri", KW_OCSPURI},
- {"compress", KW_COMPRESS},
- {"rightcertpolicy", KW_RIGHTCERTPOLICY},
- {"cacert", KW_CACERT},
- {"eap_identity", KW_EAP_IDENTITY},
- {"hidetos", KW_HIDETOS},
- {"ike", KW_IKE},
- {"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
- {"righthostaccess", KW_RIGHTHOSTACCESS},
- {"packetdefault", KW_PACKETDEFAULT},
- {"dpdaction", KW_DPDACTION},
+ {"klipsdebug", KW_SETUP_DEPRECATED},
+ {"ldapbase", KW_CA_DEPRECATED},
{"ocspuri1", KW_OCSPURI},
- {"pfsgroup", KW_PFSGROUP},
- {"rightauth", KW_RIGHTAUTH},
- {"also", KW_ALSO},
- {"leftsourceip", KW_LEFTSOURCEIP},
- {"rightid2", KW_RIGHTID2},
- {"dumpdir", KW_DUMPDIR},
- {"rekey", KW_REKEY},
- {"ikelifetime", KW_IKELIFETIME},
{"dpdtimeout", KW_DPDTIMEOUT},
- {"ldaphost", KW_LDAPHOST},
+ {"aaa_identity", KW_AAA_IDENTITY},
+ {"ike", KW_IKE},
+ {"charondebug", KW_CHARONDEBUG},
+ {"mark_out", KW_MARK_OUT},
+ {"dumpdir", KW_SETUP_DEPRECATED},
+ {"rekey", KW_REKEY},
+ {"rightid2", KW_RIGHTID2},
{"rekeyfuzz", KW_REKEYFUZZ},
+ {"eap_identity", KW_EAP_IDENTITY},
+ {"rightgroups2", KW_RIGHTGROUPS2},
+ {"ikelifetime", KW_IKELIFETIME},
+ {"leftsubnet", KW_LEFTSUBNET},
+ {"rightupdown", KW_RIGHTUPDOWN},
+ {"authby", KW_AUTHBY},
{"leftcert2", KW_LEFTCERT2},
+ {"nat_traversal", KW_SETUP_DEPRECATED},
+ {"dpdaction", KW_DPDACTION},
+ {"xauth_identity", KW_XAUTH_IDENTITY},
+ {"charonstart", KW_SETUP_DEPRECATED},
+ {"leftsubnetwithin", KW_LEFTSUBNET},
+ {"reauth", KW_REAUTH},
+ {"modeconfig", KW_MODECONFIG},
+ {"ldaphost", KW_CA_DEPRECATED},
{"leftikeport", KW_LEFTIKEPORT},
- {"crlcheckinterval", KW_CRLCHECKINTERVAL},
- {"plutostderrlog", KW_PLUTOSTDERRLOG},
- {"plutostart", KW_PLUTOSTART},
+ {"crlcheckinterval", KW_SETUP_DEPRECATED},
+ {"dpddelay", KW_DPDDELAY},
+ {"cacert", KW_CACERT},
+ {"leftgroups2", KW_LEFTGROUPS2},
{"rightauth2", KW_RIGHTAUTH2},
+ {"tfc", KW_TFC},
+ {"postpluto", KW_SETUP_DEPRECATED},
+ {"rekeymargin", KW_REKEYMARGIN},
{"leftca2", KW_LEFTCA2},
+ {"packetdefault", KW_SETUP_DEPRECATED},
{"mark", KW_MARK},
- {"force_keepalive", KW_FORCE_KEEPALIVE},
+ {"leftauth", KW_LEFTAUTH},
+ {"plutostderrlog", KW_SETUP_DEPRECATED},
{"auto", KW_AUTO},
- {"charondebug", KW_CHARONDEBUG},
- {"dpddelay", KW_DPDDELAY},
- {"xauth_identity", KW_XAUTH_IDENTITY},
- {"charonstart", KW_CHARONSTART},
- {"fragicmp", KW_FRAGICMP},
- {"prepluto", KW_PREPLUTO},
+ {"fragicmp", KW_SETUP_DEPRECATED},
{"closeaction", KW_CLOSEACTION},
- {"leftid2", KW_LEFTID2},
- {"plutodebug", KW_PLUTODEBUG},
- {"tfc", KW_TFC},
+ {"prepluto", KW_SETUP_DEPRECATED},
{"auth", KW_AUTH},
- {"rekeymargin", KW_REKEYMARGIN},
- {"modeconfig", KW_MODECONFIG},
- {"leftauth", KW_LEFTAUTH},
+ {"leftid2", KW_LEFTID2},
+ {"nocrsend", KW_SETUP_DEPRECATED},
{"xauth", KW_XAUTH},
+ {"plutostart", KW_SETUP_DEPRECATED},
{"cachecrls", KW_CACHECRLS},
{"crluri2", KW_CRLURI2},
- {"postpluto", KW_POSTPLUTO},
- {"nocrsend", KW_NOCRSEND},
- {"leftauth2", KW_LEFTAUTH2},
{"rightca2", KW_RIGHTCA2},
{"rightcert2", KW_RIGHTCERT2},
- {"pkcs11module", KW_PKCS11MODULE},
- {"reauth", KW_REAUTH},
- {"pkcs11initargs", KW_PKCS11INITARGS},
- {"pkcs11keepstate", KW_PKCS11KEEPSTATE},
+ {"plutodebug", KW_SETUP_DEPRECATED},
+ {"pkcs11initargs", KW_PKCS11_DEPRECATED},
+ {"pkcs11module", KW_PKCS11_DEPRECATED},
+ {"pkcs11proxy", KW_PKCS11_DEPRECATED},
+ {"pkcs11keepstate", KW_PKCS11_DEPRECATED},
{"ocspuri2", KW_OCSPURI2},
- {"pkcs11proxy", KW_PKCS11PROXY}
+ {"leftauth2", KW_LEFTAUTH2},
+ {"ikedscp", KW_IKEDSCP,}
};
static const short lookup[] =
{
-1, -1, -1, -1, -1, -1, -1, -1, -1, 0,
- 1, 2, -1, -1, 3, 4, 5, 6, 7, 8,
- -1, 9, 10, 11, 12, -1, 13, -1, 14, -1,
- 15, 16, 17, -1, 18, 19, 20, -1, -1, -1,
- 21, 22, 23, 24, 25, -1, -1, -1, 26, 27,
- 28, -1, 29, -1, -1, -1, 30, -1, 31, 32,
- 33, 34, 35, -1, 36, 37, -1, 38, -1, 39,
- 40, -1, -1, 41, 42, 43, -1, -1, 44, 45,
- 46, -1, 47, -1, 48, 49, 50, 51, 52, 53,
- -1, 54, 55, -1, -1, -1, 56, -1, 57, 58,
- 59, 60, -1, 61, -1, -1, 62, 63, 64, 65,
- 66, -1, 67, 68, 69, 70, -1, 71, 72, 73,
- 74, -1, 75, 76, 77, 78, 79, 80, 81, 82,
- 83, -1, 84, 85, 86, 87, 88, 89, 90, 91,
- 92, 93, 94, -1, 95, 96, 97, 98, -1, -1,
- 99, 100, -1, -1, 101, -1, 102, -1, -1, 103,
- -1, 104, 105, -1, 106, -1, -1, -1, -1, -1,
- 107, 108, -1, -1, -1, -1, -1, 109, -1, -1,
- -1, -1, 110, -1, 111, -1, -1, -1, -1, -1,
- -1, -1, -1, 112, 113, 114, -1, 115, -1, 116,
- -1, 117, -1, -1, 118, 119, -1, -1, -1, 120,
- -1, -1, -1, -1, -1, 121, 122, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, 123, -1, 124, -1,
- -1, -1, -1, -1, -1, -1, 125, 126, 127, 128,
- -1, -1, 129, -1, -1, -1, 130
+ -1, -1, -1, -1, -1, 1, -1, -1, 2, 3,
+ -1, -1, 4, 5, -1, -1, 6, -1, 7, 8,
+ -1, 9, 10, -1, -1, -1, 11, -1, 12, 13,
+ 14, 15, 16, -1, -1, -1, 17, 18, 19, 20,
+ 21, 22, -1, 23, 24, -1, 25, 26, 27, -1,
+ 28, 29, 30, -1, -1, 31, 32, -1, 33, 34,
+ 35, -1, 36, 37, 38, 39, -1, 40, 41, -1,
+ -1, 42, 43, 44, 45, -1, 46, -1, 47, -1,
+ 48, 49, 50, 51, 52, 53, 54, -1, 55, 56,
+ 57, 58, 59, -1, 60, 61, 62, -1, 63, -1,
+ 64, -1, 65, 66, 67, 68, 69, 70, 71, 72,
+ -1, 73, 74, 75, 76, 77, -1, -1, 78, -1,
+ -1, 79, 80, -1, 81, -1, 82, 83, 84, 85,
+ 86, 87, 88, -1, 89, -1, 90, 91, -1, 92,
+ 93, -1, 94, 95, -1, -1, -1, -1, 96, 97,
+ 98, 99, 100, 101, -1, 102, 103, 104, -1, 105,
+ 106, 107, 108, 109, 110, 111, 112, 113, 114, -1,
+ 115, 116, -1, 117, -1, 118, -1, -1, 119, 120,
+ -1, -1, 121, -1, -1, 122, -1, 123, -1, 124,
+ -1, 125, -1, -1, -1, -1, -1, 126, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, 127, 128, -1, 129, -1, 130, -1, -1, -1,
+ -1, -1, -1, 131, -1, 132, -1, 133, 134, -1,
+ -1, -1, -1, 135, -1, -1, -1, -1, -1, -1,
+ 136, -1, -1, -1, -1, -1, -1, 137
};
#ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 02be919ea..83ce4a7dd 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -1,4 +1,4 @@
-/* strongSwan keywords
+/*
* Copyright (C) 2005 Andreas Steffen
* Hochschule fuer Technik Rapperswil, Switzerland
*
@@ -18,62 +18,32 @@
typedef enum {
/* config setup keywords */
- KW_INTERFACES,
- KW_DUMPDIR,
- KW_CHARONSTART,
- KW_PLUTOSTART,
-
- /* pluto/charon keywords */
- KW_PLUTODEBUG,
KW_CHARONDEBUG,
- KW_PREPLUTO,
- KW_POSTPLUTO,
- KW_PLUTOSTDERRLOG,
KW_UNIQUEIDS,
- KW_OVERRIDEMTU,
- KW_CRLCHECKINTERVAL,
KW_CACHECRLS,
KW_STRICTCRLPOLICY,
- KW_NOCRSEND,
- KW_NAT_TRAVERSAL,
- KW_KEEP_ALIVE,
- KW_FORCE_KEEPALIVE,
- KW_VIRTUAL_PRIVATE,
- KW_PKCS11MODULE,
- KW_PKCS11INITARGS,
- KW_PKCS11KEEPSTATE,
- KW_PKCS11PROXY,
-
-#define KW_PLUTO_FIRST KW_PLUTODEBUG
-#define KW_PLUTO_LAST KW_PKCS11PROXY
-
- /* KLIPS keywords */
- KW_KLIPSDEBUG,
- KW_FRAGICMP,
- KW_PACKETDEFAULT,
- KW_HIDETOS,
-
-#define KW_KLIPS_FIRST KW_KLIPSDEBUG
-#define KW_KLIPS_LAST KW_HIDETOS
-
-#define KW_SETUP_FIRST KW_INTERFACES
-#define KW_SETUP_LAST KW_HIDETOS
+ KW_PKCS11_DEPRECATED,
+ KW_SETUP_DEPRECATED,
+
+#define KW_SETUP_FIRST KW_CHARONDEBUG
+#define KW_SETUP_LAST KW_SETUP_DEPRECATED
/* conn section keywords */
KW_CONN_NAME,
KW_CONN_SETUP,
KW_KEYEXCHANGE,
KW_TYPE,
- KW_PFS,
KW_COMPRESS,
KW_INSTALLPOLICY,
+ KW_AGGRESSIVE,
KW_AUTH,
KW_AUTHBY,
- KW_EAP,
KW_EAP_IDENTITY,
KW_AAA_IDENTITY,
KW_MOBIKE,
KW_FORCEENCAPS,
+ KW_FRAGMENTATION,
+ KW_IKEDSCP,
KW_IKELIFETIME,
KW_KEYLIFE,
KW_REKEYMARGIN,
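Review bot: The new `KW_PKCS11_DEPRECATED` and `KW_SETUP_DEPRECATED` tokens are placed inside the `KW_SETUP_FIRST..KW_SETUP_LAST` range without a comment explaining why tokens exist for options the daemon no longer implements, so a reader will assume they are live keywords. A comment above them such as `/* keywords of the removed pluto/KLIPS code; still tokenized so a stale ipsec.conf is reported instead of silently misparsed */` would state the intent. What the parser actually does with them (warn versus reject) lives in confread.c, outside this hunk, so the wording should be checked against that code.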
@@ -87,7 +57,6 @@ typedef enum {
KW_REAUTH,
KW_IKE,
KW_ESP,
- KW_PFSGROUP,
KW_DPDDELAY,
KW_DPDTIMEOUT,
KW_DPDACTION,
@@ -104,34 +73,33 @@ typedef enum {
KW_MARK_IN,
KW_MARK_OUT,
KW_TFC,
+ KW_PFS_DEPRECATED,
+ KW_CONN_DEPRECATED,
#define KW_CONN_FIRST KW_CONN_SETUP
-#define KW_CONN_LAST KW_TFC
+#define KW_CONN_LAST KW_CONN_DEPRECATED
- /* ca section keywords */
+ /* ca section keywords */
KW_CA_NAME,
KW_CA_SETUP,
KW_CACERT,
- KW_LDAPHOST,
- KW_LDAPBASE,
KW_CRLURI,
KW_CRLURI2,
KW_OCSPURI,
KW_OCSPURI2,
KW_CERTURIBASE,
+ KW_CA_DEPRECATED,
#define KW_CA_FIRST KW_CA_SETUP
-#define KW_CA_LAST KW_CERTURIBASE
+#define KW_CA_LAST KW_CA_DEPRECATED
- /* end keywords */
+ /* end keywords */
KW_HOST,
KW_IKEPORT,
- KW_NEXTHOP,
KW_SUBNET,
- KW_SUBNETWITHIN,
KW_PROTOPORT,
KW_SOURCEIP,
- KW_NATIP,
+ KW_DNS,
KW_FIREWALL,
KW_HOSTACCESS,
KW_ALLOWANY,
@@ -140,7 +108,7 @@ typedef enum {
KW_AUTH2,
KW_ID,
KW_ID2,
- KW_RSASIGKEY,
+ KW_SIGKEY,
KW_CERT,
KW_CERT2,
KW_CERTPOLICY,
@@ -148,20 +116,19 @@ typedef enum {
KW_CA,
KW_CA2,
KW_GROUPS,
- KW_IFACE,
+ KW_GROUPS2,
+ KW_END_DEPRECATED,
#define KW_END_FIRST KW_HOST
-#define KW_END_LAST KW_IFACE
+#define KW_END_LAST KW_END_DEPRECATED
- /* left end keywords */
+ /* left end keywords */
KW_LEFT,
KW_LEFTIKEPORT,
- KW_LEFTNEXTHOP,
KW_LEFTSUBNET,
- KW_LEFTSUBNETWITHIN,
KW_LEFTPROTOPORT,
KW_LEFTSOURCEIP,
- KW_LEFTNATIP,
+ KW_LEFTDNS,
KW_LEFTFIREWALL,
KW_LEFTHOSTACCESS,
KW_LEFTALLOWANY,
@@ -170,7 +137,7 @@ typedef enum {
KW_LEFTAUTH2,
KW_LEFTID,
KW_LEFTID2,
- KW_LEFTRSASIGKEY,
+ KW_LEFTSIGKEY,
KW_LEFTCERT,
KW_LEFTCERT2,
KW_LEFTCERTPOLICY,
@@ -178,19 +145,19 @@ typedef enum {
KW_LEFTCA,
KW_LEFTCA2,
KW_LEFTGROUPS,
+ KW_LEFTGROUPS2,
+ KW_LEFT_DEPRECATED,
#define KW_LEFT_FIRST KW_LEFT
-#define KW_LEFT_LAST KW_LEFTGROUPS
+#define KW_LEFT_LAST KW_LEFT_DEPRECATED
- /* right end keywords */
+ /* right end keywords */
KW_RIGHT,
KW_RIGHTIKEPORT,
- KW_RIGHTNEXTHOP,
KW_RIGHTSUBNET,
- KW_RIGHTSUBNETWITHIN,
KW_RIGHTPROTOPORT,
KW_RIGHTSOURCEIP,
- KW_RIGHTNATIP,
+ KW_RIGHTDNS,
KW_RIGHTFIREWALL,
KW_RIGHTHOSTACCESS,
KW_RIGHTALLOWANY,
@@ -199,7 +166,7 @@ typedef enum {
KW_RIGHTAUTH2,
KW_RIGHTID,
KW_RIGHTID2,
- KW_RIGHTRSASIGKEY,
+ KW_RIGHTSIGKEY,
KW_RIGHTCERT,
KW_RIGHTCERT2,
KW_RIGHTCERTPOLICY,
@@ -207,15 +174,16 @@ typedef enum {
KW_RIGHTCA,
KW_RIGHTCA2,
KW_RIGHTGROUPS,
+ KW_RIGHTGROUPS2,
+ KW_RIGHT_DEPRECATED,
#define KW_RIGHT_FIRST KW_RIGHT
-#define KW_RIGHT_LAST KW_RIGHTGROUPS
+#define KW_RIGHT_LAST KW_RIGHT_DEPRECATED
/* general section keywords */
KW_ALSO,
- KW_AUTO
+ KW_AUTO,
} kw_token_t;
#endif /* _KEYWORDS_H_ */
-
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 548fa2f70..20d35ded0 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -1,5 +1,5 @@
%{
-/* strongSwan keywords
+/*
* Copyright (C) 2005 Andreas Steffen
* Hochschule fuer Technik Rapperswil, Switzerland
*
@@ -24,61 +24,39 @@ struct kw_entry {
kw_token_t token;
};
%%
-interfaces, KW_INTERFACES
-dumpdir, KW_DUMPDIR
-charonstart, KW_CHARONSTART
-plutostart, KW_PLUTOSTART
-klipsdebug, KW_KLIPSDEBUG
-plutodebug, KW_PLUTODEBUG
+# regular keywords
charondebug, KW_CHARONDEBUG
-prepluto, KW_PREPLUTO
-postpluto, KW_POSTPLUTO
-plutostderrlog, KW_PLUTOSTDERRLOG
-fragicmp, KW_FRAGICMP
-packetdefault, KW_PACKETDEFAULT
-hidetos, KW_HIDETOS
uniqueids, KW_UNIQUEIDS
-overridemtu, KW_OVERRIDEMTU
-crlcheckinterval, KW_CRLCHECKINTERVAL
cachecrls, KW_CACHECRLS
strictcrlpolicy, KW_STRICTCRLPOLICY
-nocrsend, KW_NOCRSEND
-nat_traversal, KW_NAT_TRAVERSAL
-keep_alive, KW_KEEP_ALIVE
-force_keepalive, KW_FORCE_KEEPALIVE
-virtual_private, KW_VIRTUAL_PRIVATE
-eap, KW_EAP
-eap_identity, KW_EAP_IDENTITY
-aaa_identity, KW_AAA_IDENTITY
-mobike, KW_MOBIKE
-forceencaps, KW_FORCEENCAPS
-pkcs11module, KW_PKCS11MODULE
-pkcs11initargs, KW_PKCS11INITARGS
-pkcs11keepstate, KW_PKCS11KEEPSTATE
-pkcs11proxy, KW_PKCS11PROXY
keyexchange, KW_KEYEXCHANGE
type, KW_TYPE
-pfs, KW_PFS
compress, KW_COMPRESS
installpolicy, KW_INSTALLPOLICY
+aggressive, KW_AGGRESSIVE
auth, KW_AUTH
authby, KW_AUTHBY
+eap_identity, KW_EAP_IDENTITY
+aaa_identity, KW_AAA_IDENTITY
+mobike, KW_MOBIKE
+forceencaps, KW_FORCEENCAPS
+fragmentation, KW_FRAGMENTATION
+ikedscp, KW_IKEDSCP,
+ikelifetime, KW_IKELIFETIME
+lifetime, KW_KEYLIFE
keylife, KW_KEYLIFE
rekeymargin, KW_REKEYMARGIN
-lifetime, KW_KEYLIFE
margintime, KW_REKEYMARGIN
lifebytes, KW_LIFEBYTES
marginbytes, KW_MARGINBYTES
lifepackets, KW_LIFEPACKETS
marginpackets, KW_MARGINPACKETS
-ikelifetime, KW_IKELIFETIME
keyingtries, KW_KEYINGTRIES
rekeyfuzz, KW_REKEYFUZZ
rekey, KW_REKEY
reauth, KW_REAUTH
-esp, KW_ESP
ike, KW_IKE
-pfsgroup, KW_PFSGROUP
+esp, KW_ESP
dpddelay, KW_DPDDELAY
dpdtimeout, KW_DPDTIMEOUT
dpdaction, KW_DPDACTION
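Review bot: The new entry `ikedscp, KW_IKEDSCP,` carries a trailing comma that no other keyword line has; gperf copies it verbatim, which is why the regenerated keywords.c in this commit contains `{"ikedscp", KW_IKEDSCP,}`. C initialiser syntax tolerates it so it compiles, but the typo will be carried into every future regeneration. Change the line to `ikedscp, KW_IKEDSCP` and regenerate keywords.c.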
@@ -96,8 +74,6 @@ mark_in, KW_MARK_IN
mark_out, KW_MARK_OUT
tfc, KW_TFC
cacert, KW_CACERT
-ldaphost, KW_LDAPHOST
-ldapbase, KW_LDAPBASE
crluri, KW_CRLURI
crluri1, KW_CRLURI
crluri2, KW_CRLURI2
@@ -107,21 +83,21 @@ ocspuri2, KW_OCSPURI2
certuribase, KW_CERTURIBASE
left, KW_LEFT
leftikeport, KW_LEFTIKEPORT
-leftnexthop, KW_LEFTNEXTHOP
leftsubnet, KW_LEFTSUBNET
-leftsubnetwithin, KW_LEFTSUBNETWITHIN
+leftsubnetwithin, KW_LEFTSUBNET
leftprotoport, KW_LEFTPROTOPORT
leftsourceip, KW_LEFTSOURCEIP
-leftnatip, KW_LEFTNATIP
+leftdns, KW_LEFTDNS
leftfirewall, KW_LEFTFIREWALL
lefthostaccess, KW_LEFTHOSTACCESS
leftallowany, KW_LEFTALLOWANY
leftupdown, KW_LEFTUPDOWN
-leftid, KW_LEFTID
-leftid2, KW_LEFTID2
leftauth, KW_LEFTAUTH
leftauth2, KW_LEFTAUTH2
-leftrsasigkey, KW_LEFTRSASIGKEY
+leftid, KW_LEFTID
+leftid2, KW_LEFTID2
+leftsigkey, KW_LEFTSIGKEY
+leftrsasigkey, KW_LEFTSIGKEY
leftcert, KW_LEFTCERT
leftcert2, KW_LEFTCERT2
leftcertpolicy, KW_LEFTCERTPOLICY
@@ -129,23 +105,24 @@ leftsendcert, KW_LEFTSENDCERT
leftca, KW_LEFTCA
leftca2, KW_LEFTCA2
leftgroups, KW_LEFTGROUPS
+leftgroups2, KW_LEFTGROUPS2
right, KW_RIGHT
rightikeport, KW_RIGHTIKEPORT
-rightnexthop, KW_RIGHTNEXTHOP
rightsubnet, KW_RIGHTSUBNET
-rightsubnetwithin, KW_RIGHTSUBNETWITHIN
+rightsubnetwithin, KW_RIGHTSUBNET
rightprotoport, KW_RIGHTPROTOPORT
rightsourceip, KW_RIGHTSOURCEIP
-rightnatip, KW_RIGHTNATIP
+rightdns, KW_RIGHTDNS
rightfirewall, KW_RIGHTFIREWALL
righthostaccess, KW_RIGHTHOSTACCESS
rightallowany, KW_RIGHTALLOWANY
rightupdown, KW_RIGHTUPDOWN
-rightid, KW_RIGHTID
-rightid2, KW_RIGHTID2
rightauth, KW_RIGHTAUTH
rightauth2, KW_RIGHTAUTH2
-rightrsasigkey, KW_RIGHTRSASIGKEY
+rightid, KW_RIGHTID
+rightid2, KW_RIGHTID2
+rightsigkey, KW_RIGHTSIGKEY
+rightrsasigkey, KW_RIGHTSIGKEY
rightcert, KW_RIGHTCERT
rightcert2, KW_RIGHTCERT2
rightcertpolicy, KW_RIGHTCERTPOLICY
@@ -153,5 +130,37 @@ rightsendcert, KW_RIGHTSENDCERT
rightca, KW_RIGHTCA
rightca2, KW_RIGHTCA2
rightgroups, KW_RIGHTGROUPS
+rightgroups2, KW_RIGHTGROUPS2
also, KW_ALSO
auto, KW_AUTO
+# deprecated/removed keywords
+interfaces, KW_SETUP_DEPRECATED
+dumpdir, KW_SETUP_DEPRECATED
+charonstart, KW_SETUP_DEPRECATED
+plutostart, KW_SETUP_DEPRECATED
+klipsdebug, KW_SETUP_DEPRECATED
+plutodebug, KW_SETUP_DEPRECATED
+prepluto, KW_SETUP_DEPRECATED
+postpluto, KW_SETUP_DEPRECATED
+plutostderrlog, KW_SETUP_DEPRECATED
+fragicmp, KW_SETUP_DEPRECATED
+packetdefault, KW_SETUP_DEPRECATED
+hidetos, KW_SETUP_DEPRECATED
+overridemtu, KW_SETUP_DEPRECATED
+crlcheckinterval, KW_SETUP_DEPRECATED
+nocrsend, KW_SETUP_DEPRECATED
+nat_traversal, KW_SETUP_DEPRECATED
+keep_alive, KW_SETUP_DEPRECATED
+force_keepalive, KW_SETUP_DEPRECATED
+virtual_private, KW_SETUP_DEPRECATED
+pkcs11module, KW_PKCS11_DEPRECATED
+pkcs11initargs, KW_PKCS11_DEPRECATED
+pkcs11keepstate, KW_PKCS11_DEPRECATED
+pkcs11proxy, KW_PKCS11_DEPRECATED
+ldaphost, KW_CA_DEPRECATED
+ldapbase, KW_CA_DEPRECATED
+pfs, KW_PFS_DEPRECATED
+pfsgroup, KW_PFS_DEPRECATED
+eap, KW_CONN_DEPRECATED
+leftnexthop, KW_LEFT_DEPRECATED
+rightnexthop, KW_RIGHT_DEPRECATED
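Review bot: Mapping `pfs` and `pfsgroup` to `KW_PFS_DEPRECATED` means a pluto-era configuration with `pfs=yes` and an `esp=` proposal without a DH group is now handled by whatever confread does with that token; if that is only a warning, the CHILD_SAs come up without PFS, a silent downgrade rather than a rejected configuration. The handling is in confread.c, outside this hunk, so this should be confirmed there. A comment in this section such as `# pfs/pfsgroup: PFS is now selected by the DH group in esp=; confread must flag these loudly` would at least mark the trap for the next maintainer.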
diff --git a/src/starter/klips.c b/src/starter/klips.c
index 79bd25c44..22165465f 100644
--- a/src/starter/klips.c
+++ b/src/starter/klips.c
@@ -16,16 +16,12 @@
#include <sys/stat.h>
#include <stdlib.h>
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <library.h>
+#include <utils/debug.h>
#include "files.h"
-bool
-starter_klips_init(void)
+bool starter_klips_init(void)
{
struct stat stb;
@@ -40,9 +36,7 @@ starter_klips_init(void)
/* now test again */
if (stat(PROC_KLIPS, &stb) != 0)
{
- DBG(DBG_CONTROL,
- DBG_log("kernel appears to lack the KLIPS IPsec stack")
- )
+ DBG2(DBG_APP, "kernel appears to lack the KLIPS IPsec stack");
return FALSE;
}
}
@@ -52,29 +46,25 @@ starter_klips_init(void)
ignore_result(system("modprobe -qv ipsec_blowfish"));
ignore_result(system("modprobe -qv ipsec_sha2"));
- DBG(DBG_CONTROL,
- DBG_log("Found KLIPS IPsec stack")
- )
-
+ DBG2(DBG_APP, "found KLIPS IPsec stack");
return TRUE;
}
-void
-starter_klips_cleanup(void)
+void starter_klips_cleanup(void)
{
if (system("type eroute > /dev/null 2>&1") == 0)
{
ignore_result(system("spi --clear"));
ignore_result(system("eroute --clear"));
}
- else if (system("type setkey > /dev/null 2>&1") == 0)
+ else if (system("type setkey > /dev/null 2>&1") == 0)
{
ignore_result(system("setkey -F"));
ignore_result(system("setkey -FP"));
}
else
{
- plog("WARNING: cannot flush IPsec state/policy database");
+ DBG1(DBG_APP, "WARNING: cannot flush IPsec state/policy database");
}
}
diff --git a/src/starter/loglite.c b/src/starter/loglite.c
deleted file mode 100644
index c88b33bfd..000000000
--- a/src/starter/loglite.c
+++ /dev/null
@@ -1,297 +0,0 @@
-/* error logging functions
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2001 D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <stdarg.h>
-#include <syslog.h>
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-#include <signal.h> /* used only if MSG_NOSIGNAL not defined */
-#include <libgen.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#include <freeswan.h>
-
-#include <constants.h>
-#include <defs.h>
-#include <log.h>
-#include <whack.h>
-
-#ifndef LOG_AUTHPRIV
-#define LOG_AUTHPRIV LOG_AUTH
-#endif
-
-bool
- log_to_stderr = FALSE, /* should log go to stderr? */
- log_to_syslog = TRUE; /* should log go to syslog? */
-
-void
-init_log(const char *program)
-{
- if (log_to_stderr)
- setbuf(stderr, NULL);
- if (log_to_syslog)
- openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
-}
-
-void
-close_log(void)
-{
- if (log_to_syslog)
- closelog();
-}
-
-void
-plog(const char *message, ...)
-{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- if (log_to_stderr)
- fprintf(stderr, "%s\n", m);
- if (log_to_syslog)
- syslog(LOG_WARNING, "%s", m);
-}
-
-void
-loglog(int mess_no, const char *message, ...)
-{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- if (log_to_stderr)
- fprintf(stderr, "%s\n", m);
- if (log_to_syslog)
- syslog(LOG_WARNING, "%s", m);
-}
-
-void
-log_errno_routine(int e, const char *message, ...)
-{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- if (log_to_stderr)
- fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
- if (log_to_syslog)
- syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
-}
-
-void
-exit_log(const char *message, ...)
-{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- if (log_to_stderr)
- fprintf(stderr, "FATAL ERROR: %s\n", m);
- if (log_to_syslog)
- syslog(LOG_ERR, "FATAL ERROR: %s", m);
- exit(1);
-}
-
-void
-exit_log_errno_routine(int e, const char *message, ...)
-{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- if (log_to_stderr)
- fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
- if (log_to_syslog)
- syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
- exit(1);
-}
-
-void
-whack_log(int mess_no, const char *message, ...)
-{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- fprintf(stderr, "%s\n", m);
-}
-
-/* Build up a diagnostic in a static buffer.
- * Although this would be a generally useful function, it is very
- * hard to come up with a discipline that prevents different uses
- * from interfering. It is intended that by limiting it to building
- * diagnostics, we will avoid this problem.
- * Juggling is performed to allow an argument to be a previous
- * result: the new string may safely depend on the old one. This
- * restriction is not checked in any way: violators will produce
- * confusing results (without crashing!).
- */
-char diag_space[sizeof(diag_space)];
-
-err_t
-builddiag(const char *fmt, ...)
-{
- static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */
- char t[sizeof(diag_space)]; /* build result here first */
- va_list args;
-
- va_start(args, fmt);
- t[0] = '\0'; /* in case nothing terminates string */
- vsnprintf(t, sizeof(t), fmt, args);
- va_end(args);
- strcpy(diag_space, t);
- return diag_space;
-}
-
-/* Debugging message support */
-
-#ifdef DEBUG
-
-void
-switch_fail(int n, const char *file_str, unsigned long line_no)
-{
- char buf[30];
-
- snprintf(buf, sizeof(buf), "case %d unexpected", n);
- passert_fail(buf, file_str, line_no);
-}
-
-void
-passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
-{
- /* we will get a possibly unplanned prefix. Hope it works */
- loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
- abort(); /* exiting correctly doesn't always work */
-}
-
-lset_t
- base_debugging = DBG_NONE, /* default to reporting nothing */
- cur_debugging = DBG_NONE;
-
-void
-pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
-{
- /* we will get a possibly unplanned prefix. Hope it works */
- loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
-}
-
-/* log a debugging message (prefixed by "| ") */
-
-void
-DBG_log(const char *message, ...)
-{
- va_list args;
- char m[LOG_WIDTH]; /* longer messages will be truncated */
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- if (log_to_stderr)
- fprintf(stderr, "| %s\n", m);
- if (log_to_syslog)
- syslog(LOG_DEBUG, "| %s", m);
-}
-
-/* dump raw bytes in hex to stderr (for lack of any better destination) */
-
-void
-DBG_dump(const char *label, const void *p, size_t len)
-{
-# define DUMP_LABEL_WIDTH 20 /* arbitrary modest boundary */
-# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1)
- char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
- char *bp;
- const unsigned char *cp = p;
-
- bp = buf;
-
- if (label != NULL && label[0] != '\0')
- {
- /* Handle the label. Care must be taken to avoid buffer overrun. */
- size_t llen = strlen(label);
-
- if (llen + 1 > sizeof(buf))
- {
- DBG_log("%s", label);
- }
- else
- {
- strcpy(buf, label);
- if (buf[llen-1] == '\n')
- {
- buf[llen-1] = '\0'; /* get rid of newline */
- DBG_log("%s", buf);
- }
- else if (llen < DUMP_LABEL_WIDTH)
- {
- bp = buf + llen;
- }
- else
- {
- DBG_log("%s", buf);
- }
- }
- }
-
- do {
- int i, j;
-
- for (i = 0; len!=0 && i!=4; i++)
- {
- *bp++ = ' ';
- for (j = 0; len!=0 && j!=4; len--, j++)
- {
- static const char hexdig[] = "0123456789abcdef";
-
- *bp++ = ' ';
- *bp++ = hexdig[(*cp >> 4) & 0xF];
- *bp++ = hexdig[*cp & 0xF];
- cp++;
- }
- }
- *bp = '\0';
- DBG_log("%s", buf);
- bp = buf;
- } while (len != 0);
-# undef DUMP_LABEL_WIDTH
-# undef DUMP_WIDTH
-}
-
-#endif /* DEBUG */
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index 6646195cb..2b500bab4 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -16,17 +16,13 @@
#include <sys/stat.h>
#include <stdlib.h>
-#include <freeswan.h>
+#include <library.h>
#include <hydra.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <utils/debug.h>
#include "files.h"
-bool
-starter_netkey_init(void)
+bool starter_netkey_init(void)
{
struct stat stb;
@@ -41,9 +37,7 @@ starter_netkey_init(void)
/* now test again */
if (stat(PROC_NETKEY, &stb) != 0)
{
- DBG(DBG_CONTROL,
- DBG_log("kernel appears to lack the native netkey IPsec stack")
- )
+ DBG2(DBG_APP, "kernel appears to lack the native netkey IPsec stack");
return FALSE;
}
}
@@ -58,15 +52,19 @@ starter_netkey_init(void)
ignore_result(system("modprobe -qv xfrm_user"));
}
- DBG(DBG_CONTROL,
- DBG_log("Found netkey IPsec stack")
- )
+ DBG2(DBG_APP, "found netkey IPsec stack");
return TRUE;
}
-void
-starter_netkey_cleanup(void)
+void starter_netkey_cleanup(void)
{
+ if (!lib->plugins->load(lib->plugins,
+ lib->settings->get_str(lib->settings, "starter.load", PLUGINS)))
+ {
+ DBG1(DBG_APP, "unable to load kernel plugins");
+ return;
+ }
hydra->kernel_interface->flush_sas(hydra->kernel_interface);
hydra->kernel_interface->flush_policies(hydra->kernel_interface);
+ lib->plugins->unload(lib->plugins);
}
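Review bot: When the plugin load at the top of starter_netkey_cleanup fails, the function logs and returns before `flush_sas`/`flush_policies` run, so IPsec SAs and policies installed in the kernel survive the shutdown, and the caller cannot notice because the function returns void. The message should at least name what was skipped, e.g. `DBG1(DBG_APP, "unable to load kernel plugins, kernel SAs and policies not flushed");`, and a one-line comment above the load explaining why the plugins are loaded here in cleanup rather than in starter_netkey_init would save the next reader the question. Whether `lib` is initialized by the time cleanup runs is not visible in this hunk.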
diff --git a/src/starter/parser.c b/src/starter/parser.c
index ef668027d..9a5831ef8 100644
--- a/src/starter/parser.c
+++ b/src/starter/parser.c
@@ -1,10 +1,8 @@
+/* A Bison parser, made by GNU Bison 2.5. */
-/* A Bison parser, made by GNU Bison 2.4.1. */
-
-/* Skeleton implementation for Bison's Yacc-like parsers in C
+/* Bison implementation for Yacc-like parsers in C
- Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
- Free Software Foundation, Inc.
+ Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -46,7 +44,7 @@
#define YYBISON 1
/* Bison version. */
-#define YYBISON_VERSION "2.4.1"
+#define YYBISON_VERSION "2.5"
/* Skeleton name. */
#define YYSKELETON_NAME "yacc.c"
@@ -67,7 +65,7 @@
/* Copy the first part of user declarations. */
-/* Line 189 of yacc.c */
+/* Line 268 of yacc.c */
#line 1 "parser.y"
/* strongSwan config file parser (parser.y)
@@ -88,11 +86,9 @@
#include <stdlib.h>
#include <string.h>
-#include <freeswan.h>
+#include <library.h>
+#include <utils/debug.h>
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
#include "ipsec-parser.h"
#define YYERROR_VERBOSE
@@ -122,8 +118,8 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
-/* Line 189 of yacc.c */
-#line 127 "parser.c"
+/* Line 268 of yacc.c */
+#line 123 "parser.c"
/* Enabling traces. */
#ifndef YYDEBUG
@@ -181,13 +177,13 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
typedef union YYSTYPE
{
-/* Line 214 of yacc.c */
-#line 54 "parser.y"
+/* Line 293 of yacc.c */
+#line 52 "parser.y"
char *s;
-/* Line 214 of yacc.c */
-#line 191 "parser.c"
+/* Line 293 of yacc.c */
+#line 187 "parser.c"
} YYSTYPE;
# define YYSTYPE_IS_TRIVIAL 1
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
@@ -198,8 +194,8 @@ typedef union YYSTYPE
/* Copy the second part of user declarations. */
-/* Line 264 of yacc.c */
-#line 203 "parser.c"
+/* Line 343 of yacc.c */
+#line 199 "parser.c"
#ifdef short
# undef short
@@ -249,7 +245,7 @@ typedef short int yytype_int16;
#define YYSIZE_MAXIMUM ((YYSIZE_T) -1)
#ifndef YY_
-# if YYENABLE_NLS
+# if defined YYENABLE_NLS && YYENABLE_NLS
# if ENABLE_NLS
# include <libintl.h> /* INFRINGES ON USER NAME SPACE */
# define YY_(msgid) dgettext ("bison-runtime", msgid)
@@ -302,11 +298,11 @@ YYID (yyi)
# define alloca _alloca
# else
# define YYSTACK_ALLOC alloca
-# if ! defined _ALLOCA_H && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+# if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
|| defined __cplusplus || defined _MSC_VER)
# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
-# ifndef _STDLIB_H
-# define _STDLIB_H 1
+# ifndef EXIT_SUCCESS
+# define EXIT_SUCCESS 0
# endif
# endif
# endif
@@ -329,24 +325,24 @@ YYID (yyi)
# ifndef YYSTACK_ALLOC_MAXIMUM
# define YYSTACK_ALLOC_MAXIMUM YYSIZE_MAXIMUM
# endif
-# if (defined __cplusplus && ! defined _STDLIB_H \
+# if (defined __cplusplus && ! defined EXIT_SUCCESS \
&& ! ((defined YYMALLOC || defined malloc) \
&& (defined YYFREE || defined free)))
# include <stdlib.h> /* INFRINGES ON USER NAME SPACE */
-# ifndef _STDLIB_H
-# define _STDLIB_H 1
+# ifndef EXIT_SUCCESS
+# define EXIT_SUCCESS 0
# endif
# endif
# ifndef YYMALLOC
# define YYMALLOC malloc
-# if ! defined malloc && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+# if ! defined malloc && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
|| defined __cplusplus || defined _MSC_VER)
void *malloc (YYSIZE_T); /* INFRINGES ON USER NAME SPACE */
# endif
# endif
# ifndef YYFREE
# define YYFREE free
-# if ! defined free && ! defined _STDLIB_H && (defined __STDC__ || defined __C99__FUNC__ \
+# if ! defined free && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \
|| defined __cplusplus || defined _MSC_VER)
void free (void *); /* INFRINGES ON USER NAME SPACE */
# endif
@@ -375,23 +371,7 @@ union yyalloc
((N) * (sizeof (yytype_int16) + sizeof (YYSTYPE)) \
+ YYSTACK_GAP_MAXIMUM)
-/* Copy COUNT objects from FROM to TO. The source and destination do
- not overlap. */
-# ifndef YYCOPY
-# if defined __GNUC__ && 1 < __GNUC__
-# define YYCOPY(To, From, Count) \
- __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
-# else
-# define YYCOPY(To, From, Count) \
- do \
- { \
- YYSIZE_T yyi; \
- for (yyi = 0; yyi < (Count); yyi++) \
- (To)[yyi] = (From)[yyi]; \
- } \
- while (YYID (0))
-# endif
-# endif
+# define YYCOPY_NEEDED 1
/* Relocate STACK from its old location to the new one. The
local variables YYSIZE and YYSTACKSIZE give the old and new number of
@@ -411,6 +391,26 @@ union yyalloc
#endif
+#if defined YYCOPY_NEEDED && YYCOPY_NEEDED
+/* Copy COUNT objects from FROM to TO. The source and destination do
+ not overlap. */
+# ifndef YYCOPY
+# if defined __GNUC__ && 1 < __GNUC__
+# define YYCOPY(To, From, Count) \
+ __builtin_memcpy (To, From, (Count) * sizeof (*(From)))
+# else
+# define YYCOPY(To, From, Count) \
+ do \
+ { \
+ YYSIZE_T yyi; \
+ for (yyi = 0; yyi < (Count); yyi++) \
+ (To)[yyi] = (From)[yyi]; \
+ } \
+ while (YYID (0))
+# endif
+# endif
+#endif /* !YYCOPY_NEEDED */
+
/* YYFINAL -- State number of the termination state. */
#define YYFINAL 2
/* YYLAST -- Last index in YYTABLE. */
@@ -487,8 +487,8 @@ static const yytype_int8 yyrhs[] =
/* YYRLINE[YYN] -- source line where rule number YYN was defined. */
static const yytype_uint8 yyrline[] =
{
- 0, 65, 65, 66, 70, 75, 74, 80, 79, 96,
- 95, 111, 110, 116, 120, 121, 125, 150, 154
+ 0, 63, 63, 64, 68, 73, 72, 78, 77, 94,
+ 93, 109, 108, 114, 118, 119, 123, 148, 152
};
#endif
@@ -528,8 +528,8 @@ static const yytype_uint8 yyr2[] =
5, 0, 4, 1, 4, 0, 3, 2, 0
};
-/* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
- STATE-NUM when YYTABLE doesn't specify something else to do. Zero
+/* YYDEFACT[STATE-NAME] -- Default reduction number in state STATE-NUM.
+ Performed when YYTABLE doesn't specify something else to do. Zero
means the default is an error. */
static const yytype_uint8 yydefact[] =
{
@@ -564,8 +564,7 @@ static const yytype_int8 yypgoto[] =
/* YYTABLE[YYPACT[STATE-NUM]]. What to do in state STATE-NUM. If
positive, shift that token. If negative, reduce the rule which
- number is the opposite. If zero, do what YYDEFACT says.
- If YYTABLE_NINF, syntax error. */
+ number is the opposite. If YYTABLE_NINF, syntax error. */
#define YYTABLE_NINF -1
static const yytype_uint8 yytable[] =
{
@@ -574,6 +573,12 @@ static const yytype_uint8 yytable[] =
24, 28, 30, 31, 0, 0, 0, 32
};
+#define yypact_value_is_default(yystate) \
+ ((yystate) == (-20))
+
+#define yytable_value_is_error(yytable_value) \
+ YYID (0)
+
static const yytype_int8 yycheck[] =
{
0, 7, 21, 22, 12, 5, 6, 12, 8, 9,
@@ -603,9 +608,18 @@ static const yytype_uint8 yystos[] =
/* Like YYERROR except do call yyerror. This remains here temporarily
to ease the transition to the new meaning of YYERROR, for GCC.
- Once GCC version 2 has supplanted version 1, this can go. */
+ Once GCC version 2 has supplanted version 1, this can go. However,
+ YYFAIL appears to be in use. Nevertheless, it is formally deprecated
+ in Bison 2.4.2's NEWS entry, where a plan to phase it out is
+ discussed. */
#define YYFAIL goto yyerrlab
+#if defined YYFAIL
+ /* This is here to suppress warnings from the GCC cpp's
+ -Wunused-macros. Normally we don't worry about that warning, but
+ some users do, and we want to make it easy for users to remove
+ YYFAIL uses, which will produce warnings from Bison 2.5. */
+#endif
#define YYRECOVERING() (!!yyerrstatus)
@@ -615,7 +629,6 @@ do \
{ \
yychar = (Token); \
yylval = (Value); \
- yytoken = YYTRANSLATE (yychar); \
YYPOPSTACK (1); \
goto yybackup; \
} \
@@ -657,19 +670,10 @@ while (YYID (0))
#endif
-/* YY_LOCATION_PRINT -- Print the location on the stream.
- This macro was not mandated originally: define only if we know
- we won't break user code: when these are the locations we know. */
+/* This macro is provided for backward compatibility. */
#ifndef YY_LOCATION_PRINT
-# if YYLTYPE_IS_TRIVIAL
-# define YY_LOCATION_PRINT(File, Loc) \
- fprintf (File, "%d.%d-%d.%d", \
- (Loc).first_line, (Loc).first_column, \
- (Loc).last_line, (Loc).last_column)
-# else
-# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
-# endif
+# define YY_LOCATION_PRINT(File, Loc) ((void) 0)
#endif
@@ -861,7 +865,6 @@ int yydebug;
# define YYMAXDEPTH 10000
#endif
-
#if YYERROR_VERBOSE
@@ -964,115 +967,142 @@ yytnamerr (char *yyres, const char *yystr)
}
# endif
-/* Copy into YYRESULT an error message about the unexpected token
- YYCHAR while in state YYSTATE. Return the number of bytes copied,
- including the terminating null byte. If YYRESULT is null, do not
- copy anything; just return the number of bytes that would be
- copied. As a special case, return 0 if an ordinary "syntax error"
- message will do. Return YYSIZE_MAXIMUM if overflow occurs during
- size calculation. */
-static YYSIZE_T
-yysyntax_error (char *yyresult, int yystate, int yychar)
-{
- int yyn = yypact[yystate];
+/* Copy into *YYMSG, which is of size *YYMSG_ALLOC, an error message
+ about the unexpected token YYTOKEN for the state stack whose top is
+ YYSSP.
- if (! (YYPACT_NINF < yyn && yyn <= YYLAST))
- return 0;
- else
+ Return 0 if *YYMSG was successfully written. Return 1 if *YYMSG is
+ not large enough to hold the message. In that case, also set
+ *YYMSG_ALLOC to the required number of bytes. Return 2 if the
+ required number of bytes is too large to store. */
+static int
+yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
+ yytype_int16 *yyssp, int yytoken)
+{
+ YYSIZE_T yysize0 = yytnamerr (0, yytname[yytoken]);
+ YYSIZE_T yysize = yysize0;
+ YYSIZE_T yysize1;
+ enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
+ /* Internationalized format string. */
+ const char *yyformat = 0;
+ /* Arguments of yyformat. */
+ char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
+ /* Number of reported tokens (one for the "unexpected", one per
+ "expected"). */
+ int yycount = 0;
+
+ /* There are many possibilities here to consider:
+ - Assume YYFAIL is not used. It's too flawed to consider. See
+ <http://lists.gnu.org/archive/html/bison-patches/2009-12/msg00024.html>
+ for details. YYERROR is fine as it does not invoke this
+ function.
+ - If this state is a consistent state with a default action, then
+ the only way this function was invoked is if the default action
+ is an error action. In that case, don't check for expected
+ tokens because there are none.
+ - The only way there can be no lookahead present (in yychar) is if
+ this state is a consistent state with a default action. Thus,
+ detecting the absence of a lookahead is sufficient to determine
+ that there is no unexpected or expected token to report. In that
+ case, just report a simple "syntax error".
+ - Don't assume there isn't a lookahead just because this state is a
+ consistent state with a default action. There might have been a
+ previous inconsistent state, consistent state with a non-default
+ action, or user semantic action that manipulated yychar.
+ - Of course, the expected token list depends on states to have
+ correct lookahead information, and it depends on the parser not
+ to perform extra reductions after fetching a lookahead from the
+ scanner and before detecting a syntax error. Thus, state merging
+ (from LALR or IELR) and default reductions corrupt the expected
+ token list. However, the list is correct for canonical LR with
+ one exception: it will still contain any token that will not be
+ accepted due to an error action in a later state.
+ */
+ if (yytoken != YYEMPTY)
{
- int yytype = YYTRANSLATE (yychar);
- YYSIZE_T yysize0 = yytnamerr (0, yytname[yytype]);
- YYSIZE_T yysize = yysize0;
- YYSIZE_T yysize1;
- int yysize_overflow = 0;
- enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 };
- char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM];
- int yyx;
-
-# if 0
- /* This is so xgettext sees the translatable formats that are
- constructed on the fly. */
- YY_("syntax error, unexpected %s");
- YY_("syntax error, unexpected %s, expecting %s");
- YY_("syntax error, unexpected %s, expecting %s or %s");
- YY_("syntax error, unexpected %s, expecting %s or %s or %s");
- YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s");
-# endif
- char *yyfmt;
- char const *yyf;
- static char const yyunexpected[] = "syntax error, unexpected %s";
- static char const yyexpecting[] = ", expecting %s";
- static char const yyor[] = " or %s";
- char yyformat[sizeof yyunexpected
- + sizeof yyexpecting - 1
- + ((YYERROR_VERBOSE_ARGS_MAXIMUM - 2)
- * (sizeof yyor - 1))];
- char const *yyprefix = yyexpecting;
-
- /* Start YYX at -YYN if negative to avoid negative indexes in
- YYCHECK. */
- int yyxbegin = yyn < 0 ? -yyn : 0;
-
- /* Stay within bounds of both yycheck and yytname. */
- int yychecklim = YYLAST - yyn + 1;
- int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
- int yycount = 1;
-
- yyarg[0] = yytname[yytype];
- yyfmt = yystpcpy (yyformat, yyunexpected);
-
- for (yyx = yyxbegin; yyx < yyxend; ++yyx)
- if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR)
- {
- if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
- {
- yycount = 1;
- yysize = yysize0;
- yyformat[sizeof yyunexpected - 1] = '\0';
- break;
- }
- yyarg[yycount++] = yytname[yyx];
- yysize1 = yysize + yytnamerr (0, yytname[yyx]);
- yysize_overflow |= (yysize1 < yysize);
- yysize = yysize1;
- yyfmt = yystpcpy (yyfmt, yyprefix);
- yyprefix = yyor;
- }
+ int yyn = yypact[*yyssp];
+ yyarg[yycount++] = yytname[yytoken];
+ if (!yypact_value_is_default (yyn))
+ {
+ /* Start YYX at -YYN if negative to avoid negative indexes in
+ YYCHECK. In other words, skip the first -YYN actions for
+ this state because they are default actions. */
+ int yyxbegin = yyn < 0 ? -yyn : 0;
+ /* Stay within bounds of both yycheck and yytname. */
+ int yychecklim = YYLAST - yyn + 1;
+ int yyxend = yychecklim < YYNTOKENS ? yychecklim : YYNTOKENS;
+ int yyx;
+
+ for (yyx = yyxbegin; yyx < yyxend; ++yyx)
+ if (yycheck[yyx + yyn] == yyx && yyx != YYTERROR
+ && !yytable_value_is_error (yytable[yyx + yyn]))
+ {
+ if (yycount == YYERROR_VERBOSE_ARGS_MAXIMUM)
+ {
+ yycount = 1;
+ yysize = yysize0;
+ break;
+ }
+ yyarg[yycount++] = yytname[yyx];
+ yysize1 = yysize + yytnamerr (0, yytname[yyx]);
+ if (! (yysize <= yysize1
+ && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
+ return 2;
+ yysize = yysize1;
+ }
+ }
+ }
- yyf = YY_(yyformat);
- yysize1 = yysize + yystrlen (yyf);
- yysize_overflow |= (yysize1 < yysize);
- yysize = yysize1;
+ switch (yycount)
+ {
+# define YYCASE_(N, S) \
+ case N: \
+ yyformat = S; \
+ break
+ YYCASE_(0, YY_("syntax error"));
+ YYCASE_(1, YY_("syntax error, unexpected %s"));
+ YYCASE_(2, YY_("syntax error, unexpected %s, expecting %s"));
+ YYCASE_(3, YY_("syntax error, unexpected %s, expecting %s or %s"));
+ YYCASE_(4, YY_("syntax error, unexpected %s, expecting %s or %s or %s"));
+ YYCASE_(5, YY_("syntax error, unexpected %s, expecting %s or %s or %s or %s"));
+# undef YYCASE_
+ }
- if (yysize_overflow)
- return YYSIZE_MAXIMUM;
+ yysize1 = yysize + yystrlen (yyformat);
+ if (! (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
+ return 2;
+ yysize = yysize1;
- if (yyresult)
- {
- /* Avoid sprintf, as that infringes on the user's name space.
- Don't have undefined behavior even if the translation
- produced a string with the wrong number of "%s"s. */
- char *yyp = yyresult;
- int yyi = 0;
- while ((*yyp = *yyf) != '\0')
- {
- if (*yyp == '%' && yyf[1] == 's' && yyi < yycount)
- {
- yyp += yytnamerr (yyp, yyarg[yyi++]);
- yyf += 2;
- }
- else
- {
- yyp++;
- yyf++;
- }
- }
- }
- return yysize;
+ if (*yymsg_alloc < yysize)
+ {
+ *yymsg_alloc = 2 * yysize;
+ if (! (yysize <= *yymsg_alloc
+ && *yymsg_alloc <= YYSTACK_ALLOC_MAXIMUM))
+ *yymsg_alloc = YYSTACK_ALLOC_MAXIMUM;
+ return 1;
}
+
+ /* Avoid sprintf, as that infringes on the user's name space.
+ Don't have undefined behavior even if the translation
+ produced a string with the wrong number of "%s"s. */
+ {
+ char *yyp = *yymsg;
+ int yyi = 0;
+ while ((*yyp = *yyformat) != '\0')
+ if (*yyp == '%' && yyformat[1] == 's' && yyi < yycount)
+ {
+ yyp += yytnamerr (yyp, yyarg[yyi++]);
+ yyformat += 2;
+ }
+ else
+ {
+ yyp++;
+ yyformat++;
+ }
+ }
+ return 0;
}
#endif /* YYERROR_VERBOSE */
-
/*-----------------------------------------------.
| Release the memory associated to this symbol. |
@@ -1105,6 +1135,7 @@ yydestruct (yymsg, yytype, yyvaluep)
}
}
+
/* Prevent warnings from -Wmissing-prototypes. */
#ifdef YYPARSE_PARAM
#if defined __STDC__ || defined __cplusplus
@@ -1131,10 +1162,9 @@ YYSTYPE yylval;
int yynerrs;
-
-/*-------------------------.
-| yyparse or yypush_parse. |
-`-------------------------*/
+/*----------.
+| yyparse. |
+`----------*/
#ifdef YYPARSE_PARAM
#if (defined __STDC__ || defined __C99__FUNC__ \
@@ -1158,8 +1188,6 @@ yyparse ()
#endif
#endif
{
-
-
int yystate;
/* Number of tokens to shift before error messages enabled. */
int yyerrstatus;
@@ -1314,7 +1342,7 @@ yybackup:
/* First try to decide what to do without reference to lookahead token. */
yyn = yypact[yystate];
- if (yyn == YYPACT_NINF)
+ if (yypact_value_is_default (yyn))
goto yydefault;
/* Not known => get a lookahead token if don't already have one. */
@@ -1345,8 +1373,8 @@ yybackup:
yyn = yytable[yyn];
if (yyn <= 0)
{
- if (yyn == 0 || yyn == YYTABLE_NINF)
- goto yyerrlab;
+ if (yytable_value_is_error (yyn))
+ goto yyerrlab;
yyn = -yyn;
goto yyreduce;
}
@@ -1401,8 +1429,8 @@ yyreduce:
{
case 4:
-/* Line 1455 of yacc.c */
-#line 71 "parser.y"
+/* Line 1806 of yacc.c */
+#line 69 "parser.y"
{
free((yyvsp[(2) - (3)].s));
}
@@ -1410,8 +1438,8 @@ yyreduce:
case 5:
-/* Line 1455 of yacc.c */
-#line 75 "parser.y"
+/* Line 1806 of yacc.c */
+#line 73 "parser.y"
{
_parser_kw = &(_parser_cfg->config_setup);
_parser_kw_last = NULL;
@@ -1420,12 +1448,12 @@ yyreduce:
case 7:
-/* Line 1455 of yacc.c */
-#line 80 "parser.y"
+/* Line 1806 of yacc.c */
+#line 78 "parser.y"
{
section_list_t *section = malloc_thing(section_list_t);
-
- section->name = clone_str((yyvsp[(2) - (3)].s));
+
+ section->name = strdupnull((yyvsp[(2) - (3)].s));
section->kw = NULL;
section->next = NULL;
_parser_kw = &(section->kw);
@@ -1441,11 +1469,11 @@ yyreduce:
case 9:
-/* Line 1455 of yacc.c */
-#line 96 "parser.y"
+/* Line 1806 of yacc.c */
+#line 94 "parser.y"
{
section_list_t *section = malloc_thing(section_list_t);
- section->name = clone_str((yyvsp[(2) - (3)].s));
+ section->name = strdupnull((yyvsp[(2) - (3)].s));
section->kw = NULL;
section->next = NULL;
_parser_kw = &(section->kw);
@@ -1461,8 +1489,8 @@ yyreduce:
case 11:
-/* Line 1455 of yacc.c */
-#line 111 "parser.y"
+/* Line 1806 of yacc.c */
+#line 109 "parser.y"
{
extern void _parser_y_include (const char *f);
_parser_y_include((yyvsp[(2) - (2)].s));
@@ -1472,8 +1500,8 @@ yyreduce:
case 16:
-/* Line 1455 of yacc.c */
-#line 126 "parser.y"
+/* Line 1806 of yacc.c */
+#line 124 "parser.y"
{
kw_list_t *new;
kw_entry_t *entry = in_word_set((yyvsp[(1) - (3)].s), strlen((yyvsp[(1) - (3)].s)));
@@ -1487,7 +1515,7 @@ yyreduce:
{
new = (kw_list_t *)malloc_thing(kw_list_t);
new->entry = entry;
- new->value = clone_str((yyvsp[(3) - (3)].s));
+ new->value = strdupnull((yyvsp[(3) - (3)].s));
new->next = NULL;
if (_parser_kw_last)
_parser_kw_last->next = new;
@@ -1502,8 +1530,8 @@ yyreduce:
case 17:
-/* Line 1455 of yacc.c */
-#line 151 "parser.y"
+/* Line 1806 of yacc.c */
+#line 149 "parser.y"
{
free((yyvsp[(1) - (2)].s));
}
@@ -1511,10 +1539,21 @@ yyreduce:
-/* Line 1455 of yacc.c */
-#line 1516 "parser.c"
+/* Line 1806 of yacc.c */
+#line 1544 "parser.c"
default: break;
}
+ /* User semantic actions sometimes alter yychar, and that requires
+ that yytoken be updated with the new translation. We take the
+ approach of translating immediately before every use of yytoken.
+ One alternative is translating here after every semantic action,
+ but that translation would be missed if the semantic action invokes
+ YYABORT, YYACCEPT, or YYERROR immediately after altering yychar or
+ if it invokes YYBACKUP. In the case of YYABORT or YYACCEPT, an
+ incorrect destructor might then be invoked immediately. In the
+ case of YYERROR or YYBACKUP, subsequent parser actions might lead
+ to an incorrect destructor call or verbose syntax error message
+ before the lookahead is translated. */
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
YYPOPSTACK (yylen);
@@ -1542,6 +1581,10 @@ yyreduce:
| yyerrlab -- here on detecting error |
`------------------------------------*/
yyerrlab:
+ /* Make sure we have latest lookahead translation. See comments at
+ user semantic actions for why this is necessary. */
+ yytoken = yychar == YYEMPTY ? YYEMPTY : YYTRANSLATE (yychar);
+
/* If not already recovering from an error, report this error. */
if (!yyerrstatus)
{
@@ -1549,37 +1592,36 @@ yyerrlab:
#if ! YYERROR_VERBOSE
yyerror (YY_("syntax error"));
#else
+# define YYSYNTAX_ERROR yysyntax_error (&yymsg_alloc, &yymsg, \
+ yyssp, yytoken)
{
- YYSIZE_T yysize = yysyntax_error (0, yystate, yychar);
- if (yymsg_alloc < yysize && yymsg_alloc < YYSTACK_ALLOC_MAXIMUM)
- {
- YYSIZE_T yyalloc = 2 * yysize;
- if (! (yysize <= yyalloc && yyalloc <= YYSTACK_ALLOC_MAXIMUM))
- yyalloc = YYSTACK_ALLOC_MAXIMUM;
- if (yymsg != yymsgbuf)
- YYSTACK_FREE (yymsg);
- yymsg = (char *) YYSTACK_ALLOC (yyalloc);
- if (yymsg)
- yymsg_alloc = yyalloc;
- else
- {
- yymsg = yymsgbuf;
- yymsg_alloc = sizeof yymsgbuf;
- }
- }
-
- if (0 < yysize && yysize <= yymsg_alloc)
- {
- (void) yysyntax_error (yymsg, yystate, yychar);
- yyerror (yymsg);
- }
- else
- {
- yyerror (YY_("syntax error"));
- if (yysize != 0)
- goto yyexhaustedlab;
- }
+ char const *yymsgp = YY_("syntax error");
+ int yysyntax_error_status;
+ yysyntax_error_status = YYSYNTAX_ERROR;
+ if (yysyntax_error_status == 0)
+ yymsgp = yymsg;
+ else if (yysyntax_error_status == 1)
+ {
+ if (yymsg != yymsgbuf)
+ YYSTACK_FREE (yymsg);
+ yymsg = (char *) YYSTACK_ALLOC (yymsg_alloc);
+ if (!yymsg)
+ {
+ yymsg = yymsgbuf;
+ yymsg_alloc = sizeof yymsgbuf;
+ yysyntax_error_status = 2;
+ }
+ else
+ {
+ yysyntax_error_status = YYSYNTAX_ERROR;
+ yymsgp = yymsg;
+ }
+ }
+ yyerror (yymsgp);
+ if (yysyntax_error_status == 2)
+ goto yyexhaustedlab;
}
+# undef YYSYNTAX_ERROR
#endif
}
@@ -1638,7 +1680,7 @@ yyerrlab1:
for (;;)
{
yyn = yypact[yystate];
- if (yyn != YYPACT_NINF)
+ if (!yypact_value_is_default (yyn))
{
yyn += YYTERROR;
if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
@@ -1697,8 +1739,13 @@ yyexhaustedlab:
yyreturn:
if (yychar != YYEMPTY)
- yydestruct ("Cleanup: discarding lookahead",
- yytoken, &yylval);
+ {
+ /* Make sure we have latest lookahead translation. See comments at
+ user semantic actions for why this is necessary. */
+ yytoken = YYTRANSLATE (yychar);
+ yydestruct ("Cleanup: discarding lookahead",
+ yytoken, &yylval);
+ }
/* Do not reclaim the symbols of the rule which action triggered
this YYABORT or YYACCEPT. */
YYPOPSTACK (yylen);
@@ -1723,8 +1770,8 @@ yyreturn:
-/* Line 1675 of yacc.c */
-#line 157 "parser.y"
+/* Line 2067 of yacc.c */
+#line 155 "parser.y"
void yyerror(const char *s)
@@ -1794,7 +1841,7 @@ config_parsed_t *parser_load_conf(const char *file)
if (err)
{
- plog("%s", parser_errstring);
+ DBG1(DBG_APP, "%s", parser_errstring);
if (cfg)
parser_free_conf(cfg);
diff --git a/src/starter/parser.h b/src/starter/parser.h
index f0e666bb5..7007dfef5 100644
--- a/src/starter/parser.h
+++ b/src/starter/parser.h
@@ -1,10 +1,8 @@
+/* A Bison parser, made by GNU Bison 2.5. */
-/* A Bison parser, made by GNU Bison 2.4.1. */
-
-/* Skeleton interface for Bison's Yacc-like parsers in C
+/* Bison interface for Yacc-like parsers in C
- Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
- Free Software Foundation, Inc.
+ Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -70,13 +68,13 @@
typedef union YYSTYPE
{
-/* Line 1676 of yacc.c */
-#line 54 "parser.y"
+/* Line 2068 of yacc.c */
+#line 52 "parser.y"
char *s;
-/* Line 1676 of yacc.c */
-#line 80 "parser.h"
+/* Line 2068 of yacc.c */
+#line 78 "parser.h"
} YYSTYPE;
# define YYSTYPE_IS_TRIVIAL 1
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
diff --git a/src/starter/parser.y b/src/starter/parser.y
index dfaec9ee8..2cf0501f4 100644
--- a/src/starter/parser.y
+++ b/src/starter/parser.y
@@ -17,11 +17,9 @@
#include <stdlib.h>
#include <string.h>
-#include <freeswan.h>
+#include <library.h>
+#include <utils/debug.h>
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
#include "ipsec-parser.h"
#define YYERROR_VERBOSE
@@ -63,7 +61,7 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
config_file:
config_file section_or_include
- | /* NULL */
+ | /* NULL */
;
section_or_include:
@@ -79,8 +77,8 @@ section_or_include:
| CONN STRING EOL
{
section_list_t *section = malloc_thing(section_list_t);
-
- section->name = clone_str($2);
+
+ section->name = strdupnull($2);
section->kw = NULL;
section->next = NULL;
_parser_kw = &(section->kw);
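Review bot: `section->name = strdupnull($2);` copies the STRING token, but nothing in the hunk releases `$2` afterwards; the `free($2)`/`free($1)` seen in other actions of this grammar suggest the lexer hands over heap-allocated strings, so unless the original is freed later in this action the copy leaks one string per section. The same pattern appears in the `CA STRING EOL` hunk and in `new->value = strdupnull($3);` in the `statement_kw` hunk. If the action owns the token, either take it over directly or add `free($2);` after the copy; if it is freed further down, a short comment saying so would help. The action's end lies outside the hunk.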
@@ -95,7 +93,7 @@ section_or_include:
| CA STRING EOL
{
section_list_t *section = malloc_thing(section_list_t);
- section->name = clone_str($2);
+ section->name = strdupnull($2);
section->kw = NULL;
section->next = NULL;
_parser_kw = &(section->kw);
@@ -136,7 +134,7 @@ statement_kw:
{
new = (kw_list_t *)malloc_thing(kw_list_t);
new->entry = entry;
- new->value = clone_str($3);
+ new->value = strdupnull($3);
new->next = NULL;
if (_parser_kw_last)
_parser_kw_last->next = new;
@@ -223,7 +221,7 @@ config_parsed_t *parser_load_conf(const char *file)
if (err)
{
- plog("%s", parser_errstring);
+ DBG1(DBG_APP, "%s", parser_errstring);
if (cfg)
parser_free_conf(cfg);
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 44e21431c..06eb142bd 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -12,12 +12,16 @@
* for more details.
*/
+#define _GNU_SOURCE
+
+#include <sys/select.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <stdio.h>
#include <signal.h>
+#include <syslog.h>
#include <unistd.h>
#include <sys/time.h>
#include <time.h>
@@ -26,25 +30,111 @@
#include <fcntl.h>
#include <pwd.h>
#include <grp.h>
+#include <pthread.h>
-#include <freeswan.h>
#include <library.h>
#include <hydra.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+#include <utils/debug.h>
#include "confread.h"
#include "files.h"
-#include "starterwhack.h"
#include "starterstroke.h"
-#include "invokepluto.h"
#include "invokecharon.h"
#include "netkey.h"
#include "klips.h"
#include "cmp.h"
-#include "interfaces.h"
+
+#ifndef LOG_AUTHPRIV
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+
+#define CHARON_RESTART_DELAY 5
+
+static const char* cmd_default = IPSEC_DIR "/charon";
+static const char* pid_file_default = IPSEC_PIDDIR "/charon.pid";
+static const char* starter_pid_file_default = IPSEC_PIDDIR "/starter.pid";
+
+char *daemon_name = NULL;
+char *cmd = NULL;
+char *pid_file = NULL;
+char *starter_pid_file = NULL;
+
+static char *config_file = NULL;
+
+/* logging */
+static bool log_to_stderr = TRUE;
+static bool log_to_syslog = TRUE;
+static level_t current_loglevel = 1;
+
+/**
+ * logging function for scepclient
+ */
+static void starter_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+ char buffer[8192];
+ char *current = buffer, *next;
+ va_list args;
+
+ if (level <= current_loglevel)
+ {
+ if (log_to_stderr)
+ {
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ }
+ if (log_to_syslog)
+ {
+ /* write in memory buffer first */
+ va_start(args, fmt);
+ vsnprintf(buffer, sizeof(buffer), fmt, args);
+ va_end(args);
+
+ /* do a syslog with every line */
+ while (current)
+ {
+ next = strchr(current, '\n');
+ if (next)
+ {
+ *(next++) = '\0';
+ }
+ syslog(LOG_INFO, "%s\n", current);
+ current = next;
+ }
+ }
+ }
+}
+
+/**
+ * Initialize logging to stderr/syslog
+ */
+static void init_log(const char *program)
+{
+ dbg = starter_dbg;
+
+ if (log_to_stderr)
+ {
+ setbuf(stderr, NULL);
+ }
+ if (log_to_syslog)
+ {
+ openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+ }
+}
+
+/**
+ * Deinitialize logging to syslog
+ */
+static void close_log()
+{
+ if (log_to_syslog)
+ {
+ closelog();
+ }
+}
/**
* Return codes defined by Linux Standard Base Core Specification 3.1
@@ -68,7 +158,10 @@
static unsigned int _action_ = 0;
-static void fsig(int signal)
+/**
+ * Handle signals in the main thread
+ */
+static void signal_handler(int signal)
{
switch (signal)
{
@@ -80,27 +173,22 @@ static void fsig(int signal)
while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
{
- if (pid == starter_pluto_pid())
- {
- name = " (Pluto)";
- }
if (pid == starter_charon_pid())
{
- name = " (Charon)";
+ if (asprintf(&name, " (%s)", daemon_name) < 0)
+ {
+ name = NULL;
+ }
}
if (WIFSIGNALED(status))
{
- DBG(DBG_CONTROL,
- DBG_log("child %d%s has been killed by sig %d\n",
- pid, name?name:"", WTERMSIG(status))
- )
+ DBG2(DBG_APP, "child %d%s has been killed by sig %d\n",
+ pid, name?name:"", WTERMSIG(status));
}
else if (WIFSTOPPED(status))
{
- DBG(DBG_CONTROL,
- DBG_log("child %d%s has been stopped by sig %d\n",
- pid, name?name:"", WSTOPSIG(status))
- )
+ DBG2(DBG_APP, "child %d%s has been stopped by sig %d\n",
+ pid, name?name:"", WSTOPSIG(status));
}
else if (WIFEXITED(status))
{
@@ -109,35 +197,27 @@ static void fsig(int signal)
{
_action_ = FLAG_ACTION_QUIT;
}
- DBG(DBG_CONTROL,
- DBG_log("child %d%s has quit (exit code %d)\n",
- pid, name?name:"", exit_status)
- )
+ DBG2(DBG_APP, "child %d%s has quit (exit code %d)\n",
+ pid, name?name:"", exit_status);
}
else
{
- DBG(DBG_CONTROL,
- DBG_log("child %d%s has quit", pid, name?name:"")
- )
- }
- if (pid == starter_pluto_pid())
- {
- starter_pluto_sigchild(pid, exit_status);
+ DBG2(DBG_APP, "child %d%s has quit", pid, name?name:"");
}
if (pid == starter_charon_pid())
{
starter_charon_sigchild(pid, exit_status);
}
}
+
+ if (name)
+ {
+ free(name);
+ }
}
break;
- case SIGPIPE:
- /** ignore **/
- break;
-
case SIGALRM:
- _action_ |= FLAG_ACTION_START_PLUTO;
_action_ |= FLAG_ACTION_START_CHARON;
break;
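Review bot: `free(name)` at the end of the waitpid loop body does not reset `name`, so if `name` is declared before the loop (its declaration is above the hunk, as the previous hunk's context suggests) a later iteration for a pid other than the charon pid sees a dangling non-NULL pointer, passes it to DBG2 and frees it a second time. Either reset it, `free(name); name = NULL;`, or declare `char *name = NULL;` inside the loop body. Separately, the asprintf in the previous hunk and this free both allocate on the heap inside signal_handler; if the function is installed as a real signal handler (not visible here) that is not async-signal-safe and a comment stating how signals are actually delivered would be worth adding.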
@@ -157,11 +237,27 @@ static void fsig(int signal)
break;
default:
- plog("fsig(): unknown signal %d -- investigate", signal);
+ DBG1(DBG_APP, "fsig(): unknown signal %d -- investigate", signal);
break;
}
}
+/**
+ * Handle fatal signals raised by threads
+ */
+static void fatal_signal_handler(int signal)
+{
+ backtrace_t *backtrace;
+
+ DBG1(DBG_APP, "thread %u received %d", thread_current_id(), signal);
+ backtrace = backtrace_create(2);
+ backtrace->log(backtrace, stderr, TRUE);
+ backtrace->destroy(backtrace);
+
+ DBG1(DBG_APP, "killing ourself, received critical signal");
+ abort();
+}
+
#ifdef GENERATE_SELFCERT
static void generate_selfcert()
{
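Review bot: The `default:` branch still reports the old handler name, `DBG1(DBG_APP, "fsig(): unknown signal %d -- investigate", signal);`; since the function is now signal_handler(), the message should read `"signal_handler(): unknown signal %d -- investigate"` so a log reader can find the code. fatal_signal_handler() allocates and logs a backtrace from inside a SIGSEGV/SIGILL/SIGBUS handler, where the heap may already be the thing that is broken; that is an accepted best-effort trade-off for crash diagnostics, but it deserves a one-line comment such as `/* best effort: not async-signal-safe, but we abort() right after */` above the backtrace_create() call. generate_selfcert() begins at the end of this hunk and continues outside it.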
@@ -197,11 +293,11 @@ static void generate_selfcert()
}
}
#endif
- setegid(gid);
- seteuid(uid);
- ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
- seteuid(0);
- setegid(0);
+ ignore_result(setegid(gid));
+ ignore_result(seteuid(uid));
+ ignore_result(system(IPSEC_SCRIPT " scepclient --out pkcs1 --out cert-self --quiet"));
+ ignore_result(seteuid(0));
+ ignore_result(setegid(0));
/* ipsec.secrets is root readable only */
oldmask = umask(0066);
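Review bot: Wrapping `setegid(gid)` and `seteuid(uid)` in ignore_result() silences the compiler but means that if either call fails, the `system()` on the next line still runs scepclient with root's effective identity, which is the opposite of what the privilege drop intends; the return values should gate the call rather than be discarded. The restore calls (`seteuid(0)`, `setegid(0)`) deserve the same treatment, since everything after this point assumes the process is root again. generate_selfcert() starts and ends outside this hunk, so the variables `uid` and `gid` are assumed to be the ones looked up just above.
```c
	/* … unchanged: uid/gid lookup … */
	/* drop privileges before running the external tool; never run it as root by accident */
	if (setegid(gid) != 0 || seteuid(uid) != 0)
	{
		DBG1(DBG_APP, "unable to drop privileges for scepclient: %s",
			 strerror(errno));
	}
	else
	{
		ignore_result(system(IPSEC_SCRIPT " scepclient --out pkcs1 --out cert-self --quiet"));
	}
	if (seteuid(0) != 0 || setegid(0) != 0)
	{
		DBG1(DBG_APP, "unable to restore privileges: %s", strerror(errno));
	}
	/* … unchanged: umask and ipsec.secrets handling … */
```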
@@ -244,16 +340,63 @@ static bool check_pid(char *pid_file)
return TRUE;
}
}
- plog("removing pidfile '%s', process not running", pid_file);
+ DBG1(DBG_APP, "removing pidfile '%s', process not running", pid_file);
unlink(pid_file);
}
return FALSE;
}
+/* Set daemon name and adjust command and pid filenames accordingly */
+static bool set_daemon_name()
+{
+ if (!daemon_name)
+ {
+ daemon_name = "charon";
+ }
+
+ if (asprintf(&cmd, IPSEC_DIR"/%s", daemon_name) < 0)
+ {
+ cmd = (char*)cmd_default;
+ }
+
+ if (asprintf(&pid_file, IPSEC_PIDDIR"/%s.pid", daemon_name) < 0)
+ {
+ pid_file = (char*)pid_file_default;
+ }
+
+ if (asprintf(&starter_pid_file, IPSEC_PIDDIR"/starter.%s.pid",
+ daemon_name) < 0)
+ {
+ starter_pid_file = (char*)starter_pid_file_default;
+ }
+
+ return TRUE;
+}
+
+static void cleanup()
+{
+ if (cmd != cmd_default)
+ {
+ free(cmd);
+ }
+
+ if (pid_file != pid_file_default)
+ {
+ free(pid_file);
+ }
+
+ if (starter_pid_file != starter_pid_file_default)
+ {
+ free(starter_pid_file);
+ }
+}
+
static void usage(char *name)
{
- fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
- "[--debug|--debug-more|--debug-all]\n");
+ fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>]\n"
+ " [--debug|--debug-more|--debug-all|--nolog]\n"
+ " [--attach-gdb] [--daemon <name>]\n"
+ " [--conf <path to ipsec.conf>]\n");
exit(LSB_RC_INVALID_ARGUMENT);
}
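Review bot: set_daemon_name() can never return FALSE — every asprintf() failure falls back to a compiled-in default and the function ends with `return TRUE;` — so the `if (!set_daemon_name())` error branch in the later argument-parsing hunk is unreachable; either make the function `void` or return FALSE when a default had to be substituted. Separately, `daemon_name` is taken verbatim from `--daemon` and spliced into the daemon command path and both pid-file paths without any validation; rejecting a name containing a path separator, e.g. `if (strchr(daemon_name, '/')) { return FALSE; }` at the top, keeps those paths inside IPSEC_DIR and IPSEC_PIDDIR. cleanup() frees `cmd`, `pid_file` and `starter_pid_file` but leaves the pointers dangling; resetting each to its `*_default` after free() would make a second call harmless. usage() starts at the end of this hunk and is otherwise unaffected.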
@@ -264,21 +407,18 @@ int main (int argc, char **argv)
starter_conn_t *conn, *conn2;
starter_ca_t *ca, *ca2;
+ struct sigaction action;
struct stat stb;
int i;
int id = 1;
- struct timeval tv;
+ struct timespec ts;
unsigned long auto_update = 0;
time_t last_reload;
bool no_fork = FALSE;
bool attach_gdb = FALSE;
bool load_warning = FALSE;
- /* global variables defined in log.h */
- log_to_stderr = TRUE;
- base_debugging = DBG_NONE;
-
library_init(NULL);
atexit(library_deinit);
@@ -290,15 +430,19 @@ int main (int argc, char **argv)
{
if (streq(argv[i], "--debug"))
{
- base_debugging |= DBG_CONTROL;
+ current_loglevel = 2;
}
else if (streq(argv[i], "--debug-more"))
{
- base_debugging |= DBG_CONTROLMORE;
+ current_loglevel = 3;
}
else if (streq(argv[i], "--debug-all"))
{
- base_debugging |= DBG_ALL;
+ current_loglevel = 4;
+ }
+ else if (streq(argv[i], "--nolog"))
+ {
+ current_loglevel = 0;
}
else if (streq(argv[i], "--nofork"))
{
@@ -315,26 +459,36 @@ int main (int argc, char **argv)
if (!auto_update)
usage(argv[0]);
}
+ else if (streq(argv[i], "--daemon") && i+1 < argc)
+ {
+ daemon_name = argv[++i];
+ }
+ else if (streq(argv[i], "--conf") && i+1 < argc)
+ {
+ config_file = argv[++i];
+ }
else
{
usage(argv[0]);
}
}
- /* Init */
- init_log("ipsec_starter");
- cur_debugging = base_debugging;
+ if (!set_daemon_name())
+ {
+ DBG1(DBG_APP, "unable to set daemon name");
+ exit(LSB_RC_FAILURE);
+ }
+ if (!config_file)
+ {
+ config_file = CONFIG_FILE;
+ }
- signal(SIGHUP, fsig);
- signal(SIGCHLD, fsig);
- signal(SIGPIPE, fsig);
- signal(SIGINT, fsig);
- signal(SIGTERM, fsig);
- signal(SIGQUIT, fsig);
- signal(SIGALRM, fsig);
- signal(SIGUSR1, fsig);
+ init_log("ipsec_starter");
- plog("Starting strongSwan "VERSION" IPsec [starter]...");
+ DBG1(DBG_APP, "Starting %sSwan "VERSION" IPsec [starter]...",
+ lib->settings->get_bool(lib->settings,
+ "charon.i_dont_care_about_security_and_use_aggressive_mode_psk",
+ FALSE) ? "weak" : "strong");
#ifdef LOAD_WARNING
load_warning = TRUE;
@@ -342,35 +496,26 @@ int main (int argc, char **argv)
if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning))
{
- if (lib->settings->get_str(lib->settings, "charon.load", NULL) ||
- lib->settings->get_str(lib->settings, "pluto.load", NULL))
+ if (lib->settings->get_str(lib->settings, "charon.load", NULL))
{
- plog("!! Your strongswan.conf contains manual plugin load options for");
- plog("!! pluto and/or charon. This is recommended for experts only, see");
- plog("!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
+ DBG1(DBG_APP, "!! Your strongswan.conf contains manual plugin load options for charon.");
+ DBG1(DBG_APP, "!! This is recommended for experts only, see");
+ DBG1(DBG_APP, "!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad");
}
}
/* verify that we can start */
if (getuid() != 0)
{
- plog("permission denied (must be superuser)");
+ DBG1(DBG_APP, "permission denied (must be superuser)");
+ cleanup();
exit(LSB_RC_NOT_ALLOWED);
}
- if (check_pid(PLUTO_PID_FILE))
- {
- plog("pluto is already running (%s exists) -- skipping pluto start",
- PLUTO_PID_FILE);
- }
- else
- {
- _action_ |= FLAG_ACTION_START_PLUTO;
- }
- if (check_pid(CHARON_PID_FILE))
+ if (check_pid(pid_file))
{
- plog("charon is already running (%s exists) -- skipping charon start",
- CHARON_PID_FILE);
+ DBG1(DBG_APP, "%s is already running (%s exists) -- skipping daemon start",
+ daemon_name, pid_file);
}
else
{
@@ -378,45 +523,49 @@ int main (int argc, char **argv)
}
if (stat(DEV_RANDOM, &stb) != 0)
{
- plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
+ DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
+ cleanup();
exit(LSB_RC_FAILURE);
}
if (stat(DEV_URANDOM, &stb)!= 0)
{
- plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
+ DBG1(DBG_APP, "unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
+ cleanup();
exit(LSB_RC_FAILURE);
}
- cfg = confread_load(CONFIG_FILE);
+ cfg = confread_load(config_file);
if (cfg == NULL || cfg->err > 0)
{
- plog("unable to start strongSwan -- fatal errors in config");
+ DBG1(DBG_APP, "unable to start strongSwan -- fatal errors in config");
if (cfg)
{
confread_free(cfg);
}
+ cleanup();
exit(LSB_RC_INVALID_ARGUMENT);
}
/* determine if we have a native netkey IPsec stack */
if (!starter_netkey_init())
{
- plog("no netkey IPsec stack detected");
+ DBG1(DBG_APP, "no netkey IPsec stack detected");
if (!starter_klips_init())
{
- plog("no KLIPS IPsec stack detected");
- plog("no known IPsec stack detected, ignoring!");
+ DBG1(DBG_APP, "no KLIPS IPsec stack detected");
+ DBG1(DBG_APP, "no known IPsec stack detected, ignoring!");
}
}
last_reload = time_monotonic(NULL);
- if (check_pid(STARTER_PID_FILE))
+ if (check_pid(starter_pid_file))
{
- plog("starter is already running (%s exists) -- no fork done",
- STARTER_PID_FILE);
+ DBG1(DBG_APP, "starter is already running (%s exists) -- no fork done",
+ starter_pid_file);
confread_free(cfg);
+ cleanup();
exit(LSB_RC_SUCCESS);
}
@@ -435,6 +584,7 @@ int main (int argc, char **argv)
{
int fnull;
+ close_log();
closefrom(3);
fnull = open("/dev/null", O_RDWR);
@@ -447,20 +597,22 @@ int main (int argc, char **argv)
}
setsid();
+ init_log("ipsec_starter");
}
break;
case -1:
- plog("can't fork: %s", strerror(errno));
+ DBG1(DBG_APP, "can't fork: %s", strerror(errno));
break;
default:
confread_free(cfg);
+ cleanup();
exit(LSB_RC_SUCCESS);
}
}
- /* save pid file in /var/run/starter.pid */
+ /* save pid file in /var/run/starter[.daemon_name].pid */
{
- FILE *fd = fopen(STARTER_PID_FILE, "w");
+ FILE *fd = fopen(starter_pid_file, "w");
if (fd)
{
@@ -469,33 +621,55 @@ int main (int argc, char **argv)
}
}
- /* load plugins */
- if (!lib->plugins->load(lib->plugins, NULL,
- lib->settings->get_str(lib->settings, "starter.load", PLUGINS)))
- {
- exit(LSB_RC_FAILURE);
- }
+ /* we handle these signals only in pselect() */
+ memset(&action, 0, sizeof(action));
+ sigemptyset(&action.sa_mask);
+ sigaddset(&action.sa_mask, SIGHUP);
+ sigaddset(&action.sa_mask, SIGINT);
+ sigaddset(&action.sa_mask, SIGTERM);
+ sigaddset(&action.sa_mask, SIGQUIT);
+ sigaddset(&action.sa_mask, SIGALRM);
+ sigaddset(&action.sa_mask, SIGUSR1);
+ pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+ /* install a handler for fatal signals */
+ action.sa_handler = fatal_signal_handler;
+ sigaction(SIGSEGV, &action, NULL);
+ sigaction(SIGILL, &action, NULL);
+ sigaction(SIGBUS, &action, NULL);
+ action.sa_handler = SIG_IGN;
+ sigaction(SIGPIPE, &action, NULL);
+
+ /* install main signal handler */
+ action.sa_handler = signal_handler;
+ sigaction(SIGHUP, &action, NULL);
+ sigaction(SIGINT, &action, NULL);
+ sigaction(SIGTERM, &action, NULL);
+ sigaction(SIGQUIT, &action, NULL);
+ sigaction(SIGALRM, &action, NULL);
+ sigaction(SIGUSR1, &action, NULL);
+ /* this is not blocked above as we want to receive it asynchronously */
+ sigaction(SIGCHLD, &action, NULL);
+
+ /* empty mask for pselect() call below */
+ sigemptyset(&action.sa_mask);
for (;;)
{
/*
- * Stop pluto/charon (if started) and exit
+ * Stop charon (if started) and exit
*/
if (_action_ & FLAG_ACTION_QUIT)
{
- if (starter_pluto_pid())
- {
- starter_stop_pluto();
- }
if (starter_charon_pid())
{
starter_stop_charon();
}
starter_netkey_cleanup();
confread_free(cfg);
- unlink(STARTER_PID_FILE);
- plog("ipsec starter stopped");
- lib->plugins->unload(lib->plugins);
+ unlink(starter_pid_file);
+ cleanup();
+ DBG1(DBG_APP, "ipsec starter stopped");
close_log();
exit(LSB_RC_SUCCESS);
}
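Review bot: Leaving SIGCHLD out of `action.sa_mask` (the comment before `sigaction(SIGCHLD, &action, NULL)` says this is intentional) reintroduces the race the pselect() rewrite was meant to remove: a SIGCHLD that arrives between the `!_action_` test and the pselect() call in the later wait hunk sets FLAG_ACTION_QUIT but is not seen until the next timeout, which is never when `auto_update` is 0. It also makes the handler's `_action_ = FLAG_ACTION_QUIT` / `|=` writes race with the main loop's `_action_ &= ~FLAG_ACTION_START_CHARON`, a read-modify-write on a plain `static unsigned int`, so a quit request can be lost. Adding `sigaddset(&action.sa_mask, SIGCHLD);` to the blocked set delivers it atomically inside pselect() like the others, and declaring `static volatile sig_atomic_t _action_ = 0;` (earlier hunk) documents that the handler touches it; if asynchronous delivery is genuinely needed while the daemon is being started, a self-pipe whose read end is watched by pselect() is the safe alternative. The signal setup code is inside main(), which starts and ends outside this hunk.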
@@ -505,7 +679,7 @@ int main (int argc, char **argv)
*/
if (_action_ & FLAG_ACTION_RELOAD)
{
- if (starter_pluto_pid() || starter_charon_pid())
+ if (starter_charon_pid())
{
for (conn = cfg->conn_first; conn; conn = conn->next)
{
@@ -513,12 +687,12 @@ int main (int argc, char **argv)
{
if (starter_charon_pid())
{
+ if (conn->startup == STARTUP_ROUTE)
+ {
+ starter_stroke_unroute_conn(conn);
+ }
starter_stroke_del_conn(conn);
}
- if (starter_pluto_pid())
- {
- starter_whack_del_conn(conn);
- }
conn->state = STATE_TO_ADD;
}
}
@@ -530,10 +704,6 @@ int main (int argc, char **argv)
{
starter_stroke_del_ca(ca);
}
- if (starter_pluto_pid())
- {
- starter_whack_del_ca(ca);
- }
ca->state = STATE_TO_ADD;
}
}
@@ -546,96 +716,72 @@ int main (int argc, char **argv)
*/
if (_action_ & FLAG_ACTION_UPDATE)
{
- DBG(DBG_CONTROL,
- DBG_log("Reloading config...")
- );
- new_cfg = confread_load(CONFIG_FILE);
+ DBG2(DBG_APP, "Reloading config...");
+ new_cfg = confread_load(config_file);
- if (new_cfg && (new_cfg->err + new_cfg->non_fatal_err == 0))
+ if (new_cfg && (new_cfg->err == 0))
{
/* Switch to new config. New conn will be loaded below */
- if (!starter_cmp_defaultroute(&new_cfg->defaultroute
- , &cfg->defaultroute))
- {
- _action_ |= FLAG_ACTION_LISTEN;
- }
- if (!starter_cmp_pluto(cfg, new_cfg))
- {
- plog("Pluto has changed");
- if (starter_pluto_pid())
- starter_stop_pluto();
- _action_ &= ~FLAG_ACTION_LISTEN;
- _action_ |= FLAG_ACTION_START_PLUTO;
- }
- else
+ /* Look for new connections that are already loaded */
+ for (conn = cfg->conn_first; conn; conn = conn->next)
{
- /* Only reload conn and ca sections if pluto is not killed */
-
- /* Look for new connections that are already loaded */
- for (conn = cfg->conn_first; conn; conn = conn->next)
+ if (conn->state == STATE_ADDED)
{
- if (conn->state == STATE_ADDED)
+ for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
{
- for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
+ if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
{
- if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
- {
- conn->state = STATE_REPLACED;
- conn2->state = STATE_ADDED;
- conn2->id = conn->id;
- break;
- }
+ conn->state = STATE_REPLACED;
+ conn2->state = STATE_ADDED;
+ conn2->id = conn->id;
+ break;
}
}
}
+ }
- /* Remove conn sections that have become unused */
- for (conn = cfg->conn_first; conn; conn = conn->next)
+ /* Remove conn sections that have become unused */
+ for (conn = cfg->conn_first; conn; conn = conn->next)
+ {
+ if (conn->state == STATE_ADDED)
{
- if (conn->state == STATE_ADDED)
+ if (starter_charon_pid())
{
- if (starter_charon_pid())
+ if (conn->startup == STARTUP_ROUTE)
{
- starter_stroke_del_conn(conn);
- }
- if (starter_pluto_pid())
- {
- starter_whack_del_conn(conn);
+ starter_stroke_unroute_conn(conn);
}
+ starter_stroke_del_conn(conn);
}
}
+ }
- /* Look for new ca sections that are already loaded */
- for (ca = cfg->ca_first; ca; ca = ca->next)
+ /* Look for new ca sections that are already loaded */
+ for (ca = cfg->ca_first; ca; ca = ca->next)
+ {
+ if (ca->state == STATE_ADDED)
{
- if (ca->state == STATE_ADDED)
+ for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
{
- for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
+ if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
{
- if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
- {
- ca->state = STATE_REPLACED;
- ca2->state = STATE_ADDED;
- break;
- }
+ ca->state = STATE_REPLACED;
+ ca2->state = STATE_ADDED;
+ break;
}
}
}
+ }
- /* Remove ca sections that have become unused */
- for (ca = cfg->ca_first; ca; ca = ca->next)
+ /* Remove ca sections that have become unused */
+ for (ca = cfg->ca_first; ca; ca = ca->next)
+ {
+ if (ca->state == STATE_ADDED)
{
- if (ca->state == STATE_ADDED)
+ if (starter_charon_pid())
{
- if (starter_charon_pid())
- {
- starter_stroke_del_ca(ca);
- }
- if (starter_pluto_pid())
- {
- starter_whack_del_ca(ca);
- }
+ starter_stroke_del_ca(ca);
}
}
}
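Review bot: The reload guard is relaxed from `new_cfg->err + new_cfg->non_fatal_err == 0` to `new_cfg->err == 0`, so a re-read ipsec.conf with only non-fatal errors is now switched to where it was previously rejected with "keeping old one"; this matches the `cfg->err > 0` check on initial load, but the diff gives no hint whether the change is intentional or a side effect of `non_fatal_err` going away in confread.h (not visible here). A short comment on that line, e.g. `/* non-fatal parse errors are tolerated, as on initial load */`, would settle it for the next reader. The reload logic is part of main(), which starts and ends outside this hunk.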
@@ -644,7 +790,7 @@ int main (int argc, char **argv)
}
else
{
- plog("can't reload config file due to errors -- keeping old one");
+ DBG1(DBG_APP, "can't reload config file due to errors -- keeping old one");
if (new_cfg)
{
confread_free(new_cfg);
@@ -655,77 +801,43 @@ int main (int argc, char **argv)
}
/*
- * Start pluto
+ * Start daemon
*/
- if (_action_ & FLAG_ACTION_START_PLUTO)
+ if (_action_ & FLAG_ACTION_START_CHARON)
{
- if (cfg->setup.plutostart && !starter_pluto_pid())
+ if (cfg->setup.charonstart && !starter_charon_pid())
{
- DBG(DBG_CONTROL,
- DBG_log("Attempting to start pluto...")
- );
-
- if (starter_start_pluto(cfg, no_fork, attach_gdb) == 0)
- {
- starter_whack_listen();
- }
- else
+ DBG2(DBG_APP, "Attempting to start %s...", daemon_name);
+ if (starter_start_charon(cfg, no_fork, attach_gdb))
{
/* schedule next try */
- alarm(PLUTO_RESTART_DELAY);
+ alarm(CHARON_RESTART_DELAY);
}
+ starter_stroke_configure(cfg);
}
- _action_ &= ~FLAG_ACTION_START_PLUTO;
+ _action_ &= ~FLAG_ACTION_START_CHARON;
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_ADDED)
+ {
ca->state = STATE_TO_ADD;
+ }
}
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
- conn->state = STATE_TO_ADD;
- }
- }
-
- /*
- * Start charon
- */
- if (_action_ & FLAG_ACTION_START_CHARON)
- {
- if (cfg->setup.charonstart && !starter_charon_pid())
- {
- DBG(DBG_CONTROL,
- DBG_log("Attempting to start charon...")
- );
- if (starter_start_charon(cfg, no_fork, attach_gdb))
{
- /* schedule next try */
- alarm(PLUTO_RESTART_DELAY);
+ conn->state = STATE_TO_ADD;
}
- starter_stroke_configure(cfg);
- }
- _action_ &= ~FLAG_ACTION_START_CHARON;
- }
-
- /*
- * Tell pluto to reread its interfaces
- */
- if (_action_ & FLAG_ACTION_LISTEN)
- {
- if (starter_pluto_pid())
- {
- starter_whack_listen();
- _action_ &= ~FLAG_ACTION_LISTEN;
}
}
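Review bot: `starter_stroke_configure(cfg)` is still called unconditionally after `starter_start_charon()` returns non-zero and a retry alarm has been scheduled, so every stroke message is sent to a control socket that, as far as this code knows, does not exist, and each will produce a connect() error in the log; the behaviour is pre-existing, but with the pluto path gone this is now the only start path. Unless starter_start_charon() itself waits for the socket (not visible here), moving the configure call into the success branch reads as intended: `if (starter_start_charon(cfg, no_fork, attach_gdb)) { alarm(CHARON_RESTART_DELAY); } else { starter_stroke_configure(cfg); }`. main() starts and ends outside this hunk.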
/*
* Add stale conn and ca sections
*/
- if (starter_pluto_pid() || starter_charon_pid())
+ if (starter_charon_pid())
{
for (ca = cfg->ca_first; ca; ca = ca->next)
{
@@ -735,10 +847,6 @@ int main (int argc, char **argv)
{
starter_stroke_add_ca(ca);
}
- if (starter_pluto_pid())
- {
- starter_whack_add_ca(ca);
- }
ca->state = STATE_ADDED;
}
}
@@ -756,44 +864,20 @@ int main (int argc, char **argv)
{
starter_stroke_add_conn(cfg, conn);
}
- if (starter_pluto_pid())
- {
- starter_whack_add_conn(conn);
- }
conn->state = STATE_ADDED;
if (conn->startup == STARTUP_START)
{
- if (conn->keyexchange != KEY_EXCHANGE_IKEV1)
- {
- if (starter_charon_pid())
- {
- starter_stroke_initiate_conn(conn);
- }
- }
- else
+ if (starter_charon_pid())
{
- if (starter_pluto_pid())
- {
- starter_whack_initiate_conn(conn);
- }
+ starter_stroke_initiate_conn(conn);
}
}
else if (conn->startup == STARTUP_ROUTE)
{
- if (conn->keyexchange != KEY_EXCHANGE_IKEV1)
- {
- if (starter_charon_pid())
- {
- starter_stroke_route_conn(conn);
- }
- }
- else
+ if (starter_charon_pid())
{
- if (starter_pluto_pid())
- {
- starter_whack_route_conn(conn);
- }
+ starter_stroke_route_conn(conn);
}
}
}
@@ -807,15 +891,17 @@ int main (int argc, char **argv)
{
time_t now = time_monotonic(NULL);
- tv.tv_sec = (now < last_reload + auto_update)
- ? (last_reload + auto_update-now) : 0;
- tv.tv_usec = 0;
+ ts.tv_sec = (now < last_reload + auto_update) ?
+ (last_reload + auto_update - now) : 0;
+ ts.tv_nsec = 0;
}
/*
* Wait for something to happen
*/
- if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
+ if (!_action_ &&
+ pselect(0, NULL, NULL, NULL, auto_update ? &ts : NULL,
+ &action.sa_mask) == 0)
{
/* timeout -> auto_update */
_action_ |= FLAG_ACTION_UPDATE;
@@ -823,4 +909,3 @@ int main (int argc, char **argv)
}
exit(LSB_RC_SUCCESS);
}
-
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index ae04c20dd..cc447c41f 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -1,4 +1,4 @@
-/* Stroke for charon is the counterpart to whack from pluto
+/*
* Copyright (C) 2006 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -26,11 +26,8 @@
#include <credentials/auth_cfg.h>
-#include <freeswan.h>
-
-#include <constants.h>
-#include <defs.h>
-#include <log.h>
+#include <library.h>
+#include <utils/debug.h>
#include <stroke_msg.h>
@@ -73,12 +70,12 @@ static int send_stroke_msg (stroke_msg_t *msg)
if (sock < 0)
{
- plog("socket() failed: %s", strerror(errno));
+ DBG1(DBG_APP, "socket() failed: %s", strerror(errno));
return -1;
}
if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
{
- plog("connect(charon_ctl) failed: %s", strerror(errno));
+ DBG1(DBG_APP, "connect(charon_ctl) failed: %s", strerror(errno));
close(sock);
return -1;
}
@@ -86,18 +83,18 @@ static int send_stroke_msg (stroke_msg_t *msg)
/* send message */
if (write(sock, msg, msg->length) != msg->length)
{
- plog("write(charon_ctl) failed: %s", strerror(errno));
+ DBG1(DBG_APP, "write(charon_ctl) failed: %s", strerror(errno));
close(sock);
return -1;
}
while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
{
buffer[byte_count] = '\0';
- plog("%s", buffer);
+ DBG1(DBG_APP, "%s", buffer);
}
if (byte_count < 0)
{
- plog("read() failed: %s", strerror(errno));
+ DBG1(DBG_APP, "read() failed: %s", strerror(errno));
}
close(sock);
@@ -117,47 +114,8 @@ static char* connection_name(starter_conn_t *conn)
return conn->name;
}
-static void ip_address2string(ip_address *addr, char *buffer, size_t len)
-{
- switch (((struct sockaddr*)addr)->sa_family)
- {
- case AF_INET6:
- {
- struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
- u_int8_t zeroes[IPV6_LEN];
-
- memset(zeroes, 0, IPV6_LEN);
- if (memcmp(zeroes, &(sin6->sin6_addr.s6_addr), IPV6_LEN) &&
- inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
- {
- return;
- }
- snprintf(buffer, len, "%%any6");
- break;
- }
- case AF_INET:
- {
- struct sockaddr_in* sin = (struct sockaddr_in*)addr;
- u_int8_t zeroes[IPV4_LEN];
-
- memset(zeroes, 0, IPV4_LEN);
- if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) &&
- inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
- {
- return;
- }
- /* fall through to default */
- }
- default:
- snprintf(buffer, len, "%%any");
- break;
- }
-}
-
static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
{
- char buffer[INET6_ADDRSTRLEN];
-
msg_end->auth = push_string(msg, conn_end->auth);
msg_end->auth2 = push_string(msg, conn_end->auth2);
msg_end->id = push_string(msg, conn_end->id);
@@ -169,6 +127,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
msg_end->ca = push_string(msg, conn_end->ca);
msg_end->ca2 = push_string(msg, conn_end->ca2);
msg_end->groups = push_string(msg, conn_end->groups);
+ msg_end->groups2 = push_string(msg, conn_end->groups2);
msg_end->updown = push_string(msg, conn_end->updown);
if (conn_end->host)
{
@@ -176,18 +135,19 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
}
else
{
- ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
- msg_end->address = push_string(msg, buffer);
+ msg_end->address = push_string(msg, "%any");
}
msg_end->ikeport = conn_end->ikeport;
msg_end->subnets = push_string(msg, conn_end->subnet);
msg_end->sourceip = push_string(msg, conn_end->sourceip);
- msg_end->sourceip_mask = conn_end->sourceip_mask;
+ msg_end->dns = push_string(msg, conn_end->dns);
msg_end->sendcert = conn_end->sendcert;
msg_end->hostaccess = conn_end->hostaccess;
- msg_end->tohost = !conn_end->has_client;
+ msg_end->tohost = !conn_end->subnet;
+ msg_end->allow_any = conn_end->allow_any;
msg_end->protocol = conn_end->protocol;
- msg_end->port = conn_end->port;
+ msg_end->from_port = conn_end->from_port;
+ msg_end->to_port = conn_end->to_port;
}
int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
@@ -197,60 +157,18 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
memset(&msg, 0, sizeof(msg));
msg.type = STR_ADD_CONN;
msg.length = offsetof(stroke_msg_t, buffer);
- msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1;
+ msg.add_conn.version = conn->keyexchange;
msg.add_conn.name = push_string(&msg, connection_name(conn));
-
- /* PUBKEY is preferred to PSK and EAP */
- if (conn->policy & POLICY_PUBKEY)
- {
- msg.add_conn.auth_method = AUTH_CLASS_PUBKEY;
- }
- else if (conn->policy & POLICY_PSK)
- {
- msg.add_conn.auth_method = AUTH_CLASS_PSK;
- }
- else if (conn->policy & POLICY_XAUTH_PSK)
- {
- msg.add_conn.auth_method = AUTH_CLASS_EAP;
- }
- else
- {
- msg.add_conn.auth_method = AUTH_CLASS_ANY;
- }
- msg.add_conn.eap_type = conn->eap_type;
- msg.add_conn.eap_vendor = conn->eap_vendor;
msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
+ msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity);
- if (conn->policy & POLICY_TUNNEL)
- {
- msg.add_conn.mode = MODE_TUNNEL;
- }
- else if (conn->policy & POLICY_BEET)
- {
- msg.add_conn.mode = MODE_BEET;
- }
- else if (conn->policy & POLICY_PROXY)
- {
- msg.add_conn.mode = MODE_TRANSPORT;
- msg.add_conn.proxy_mode = TRUE;
- }
- else if (conn->policy & POLICY_SHUNT_PASS)
- {
- msg.add_conn.mode = MODE_PASS;
- }
- else if (conn->policy & (POLICY_SHUNT_DROP | POLICY_SHUNT_REJECT))
- {
- msg.add_conn.mode = MODE_DROP;
- }
- else
- {
- msg.add_conn.mode = MODE_TRANSPORT;
- }
+ msg.add_conn.mode = conn->mode;
+ msg.add_conn.proxy_mode = conn->proxy_mode;
- if (!(conn->policy & POLICY_DONT_REKEY))
+ if (!(conn->options & SA_OPTION_DONT_REKEY))
{
- msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
+ msg.add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH);
msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
msg.add_conn.rekey.margin = conn->sa_rekey_margin;
@@ -261,15 +179,19 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.rekey.tries = conn->sa_keying_tries;
msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
}
- msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;
- msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
- msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
+ msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
+ msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
+ msg.add_conn.fragmentation = conn->fragmentation;
+ msg.add_conn.ikedscp = conn->ikedscp;
+ msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
msg.add_conn.install_policy = conn->install_policy;
- msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
+ msg.add_conn.aggressive = conn->aggressive;
+ msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
msg.add_conn.unique = cfg->setup.uniqueids;
msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
msg.add_conn.dpd.delay = conn->dpd_delay;
+ msg.add_conn.dpd.timeout = conn->dpd_timeout;
msg.add_conn.dpd.action = conn->dpd_action;
msg.add_conn.close_action = conn->close_action;
msg.add_conn.inactivity = conn->inactivity;
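Review bot: `mobike`, `force_encap` and `ipcomp` are now assigned the raw masked bit (`conn->options & SA_OPTION_MOBIKE`) where the old code normalised with `!= 0`; whether that is safe depends on the field types in stroke_msg.h, which are not visible here — an implicit conversion to `bool` is fine, but any integer type narrower than the flag's bit position silently collapses the value to 0. Restoring the comparison costs nothing and removes the dependency on the field type, e.g. `msg.add_conn.mobike = (conn->options & SA_OPTION_MOBIKE) != 0;` and likewise for the other two. starter_stroke_add_conn() starts and ends outside this hunk.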
@@ -286,6 +208,48 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
+ if (!msg.add_conn.me.auth && !msg.add_conn.other.auth &&
+ conn->authby)
+ { /* leftauth/rightauth not set, use legacy options */
+ if (streq(conn->authby, "rsa") || streq(conn->authby, "rsasig") ||
+ streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") ||
+ streq(conn->authby, "pubkey"))
+ {
+ msg.add_conn.me.auth = push_string(&msg, "pubkey");
+ msg.add_conn.other.auth = push_string(&msg, "pubkey");
+ }
+ else if (streq(conn->authby, "secret") || streq(conn->authby, "psk"))
+ {
+ msg.add_conn.me.auth = push_string(&msg, "psk");
+ msg.add_conn.other.auth = push_string(&msg, "psk");
+ }
+ else if (streq(conn->authby, "xauthrsasig"))
+ {
+ msg.add_conn.me.auth = push_string(&msg, "pubkey");
+ msg.add_conn.other.auth = push_string(&msg, "pubkey");
+ if (conn->options & SA_OPTION_XAUTH_SERVER)
+ {
+ msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+ }
+ else
+ {
+ msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+ }
+ }
+ else if (streq(conn->authby, "xauthpsk"))
+ {
+ msg.add_conn.me.auth = push_string(&msg, "psk");
+ msg.add_conn.other.auth = push_string(&msg, "psk");
+ if (conn->options & SA_OPTION_XAUTH_SERVER)
+ {
+ msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+ }
+ else
+ {
+ msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+ }
+ }
+ }
return send_stroke_msg(&msg);
}
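Review bot: An `authby` value that matches none of the recognised spellings falls out of the new if/else chain silently, leaving both `me.auth` and `other.auth` unset, so a typo in ipsec.conf degrades to whatever the daemon's default authentication is without any diagnostic; a final branch such as `else { DBG1(DBG_APP, "unknown authby '%s' in conn '%s' ignored", conn->authby, connection_name(conn)); }` makes that visible to the administrator. The two xauth branches are near-duplicates and could share a small helper, but that is cosmetic. starter_stroke_add_conn() starts outside this hunk.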
@@ -309,6 +273,16 @@ int starter_stroke_route_conn(starter_conn_t *conn)
return send_stroke_msg(&msg);
}
+int starter_stroke_unroute_conn(starter_conn_t *conn)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_UNROUTE;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.route.name = push_string(&msg, connection_name(conn));
+ return send_stroke_msg(&msg);
+}
+
int starter_stroke_initiate_conn(starter_conn_t *conn)
{
stroke_msg_t msg;
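Review bot: starter_stroke_unroute_conn() sets `type`, `length` and `route.name` on an otherwise uninitialised `stroke_msg_t msg`, whereas starter_stroke_add_conn() zeroes it with `memset(&msg, 0, sizeof(msg));` first (visible in the earlier hunk); send_stroke_msg() writes `msg.length` bytes, so the unset members of the header union are sent to the daemon as whatever the stack happened to hold. Adding the same `memset(&msg, 0, sizeof(msg));` as the first statement keeps the new function consistent and deterministic. If starter_stroke_route_conn() already does this, that is not visible from the hunk.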
@@ -358,4 +332,3 @@ int starter_stroke_configure(starter_config_t *cfg)
}
return 0;
}
-
diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h
index f9b01c99a..126486325 100644
--- a/src/starter/starterstroke.h
+++ b/src/starter/starterstroke.h
@@ -1,5 +1,6 @@
-/* Stroke for charon is the counterpart to whack from pluto
- * Copyright (C) 2006 Martin Willi - Hochschule fuer Technik Rapperswil
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -17,12 +18,13 @@
#include "confread.h"
-extern int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn);
-extern int starter_stroke_del_conn(starter_conn_t *conn);
-extern int starter_stroke_route_conn(starter_conn_t *conn);
-extern int starter_stroke_initiate_conn(starter_conn_t *conn);
-extern int starter_stroke_add_ca(starter_ca_t *ca);
-extern int starter_stroke_del_ca(starter_ca_t *ca);
-extern int starter_stroke_configure(starter_config_t *cfg);
+int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn);
+int starter_stroke_del_conn(starter_conn_t *conn);
+int starter_stroke_route_conn(starter_conn_t *conn);
+int starter_stroke_unroute_conn(starter_conn_t *conn);
+int starter_stroke_initiate_conn(starter_conn_t *conn);
+int starter_stroke_add_ca(starter_ca_t *ca);
+int starter_stroke_del_ca(starter_ca_t *ca);
+int starter_stroke_configure(starter_config_t *cfg);
#endif /* _STARTER_STROKE_H_ */
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
deleted file mode 100644
index b7d916eae..000000000
--- a/src/starter/starterwhack.c
+++ /dev/null
@@ -1,420 +0,0 @@
-/* strongSwan whack functions to communicate with pluto (whack.c)
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <stddef.h>
-#include <unistd.h>
-#include <string.h>
-#include <errno.h>
-
-#include <freeswan.h>
-
-#include <constants.h>
-#include <defs.h>
-#include <log.h>
-#include <whack.h>
-
-#include "starterwhack.h"
-#include "confread.h"
-#include "files.h"
-
-#define ip_version(string) (strchr(string, '.') ? AF_INET : AF_INET6)
-
-static int pack_str (char **p, char **next, char **roof)
-{
- const char *s = (*p==NULL) ? "" : *p; /* note: NULL becomes ""! */
- size_t len = strlen(s) + 1;
-
- if ((*roof - *next) < len)
- {
- return 0; /* not enough space */
- }
- else
- {
- strcpy(*next, s);
- *next += len;
- *p = NULL; /* don't send pointers on the wire! */
- return 1;
- }
-}
-
-static int send_whack_msg (whack_message_t *msg)
-{
- struct sockaddr_un ctl_addr;
- int sock;
- ssize_t len;
- char *str_next, *str_roof;
-
- ctl_addr.sun_family = AF_UNIX;
- strcpy(ctl_addr.sun_path, PLUTO_CTL_FILE);
-
- /* pack strings */
- str_next = (char *)msg->string;
- str_roof = (char *)&msg->string[sizeof(msg->string)];
-
- if (!pack_str(&msg->name, &str_next, &str_roof)
- || !pack_str(&msg->left.id, &str_next, &str_roof)
- || !pack_str(&msg->left.cert, &str_next, &str_roof)
- || !pack_str(&msg->left.ca, &str_next, &str_roof)
- || !pack_str(&msg->left.groups, &str_next, &str_roof)
- || !pack_str(&msg->left.updown, &str_next, &str_roof)
- || !pack_str(&msg->left.sourceip, &str_next, &str_roof)
- || !pack_str(&msg->left.virt, &str_next, &str_roof)
- || !pack_str(&msg->right.id, &str_next, &str_roof)
- || !pack_str(&msg->right.cert, &str_next, &str_roof)
- || !pack_str(&msg->right.ca, &str_next, &str_roof)
- || !pack_str(&msg->right.groups, &str_next, &str_roof)
- || !pack_str(&msg->right.updown, &str_next, &str_roof)
- || !pack_str(&msg->right.sourceip, &str_next, &str_roof)
- || !pack_str(&msg->right.virt, &str_next, &str_roof)
- || !pack_str(&msg->keyid, &str_next, &str_roof)
- || !pack_str(&msg->myid, &str_next, &str_roof)
- || !pack_str(&msg->cacert, &str_next, &str_roof)
- || !pack_str(&msg->ldaphost, &str_next, &str_roof)
- || !pack_str(&msg->ldapbase, &str_next, &str_roof)
- || !pack_str(&msg->crluri, &str_next, &str_roof)
- || !pack_str(&msg->crluri2, &str_next, &str_roof)
- || !pack_str(&msg->ocspuri, &str_next, &str_roof)
- || !pack_str(&msg->ike, &str_next, &str_roof)
- || !pack_str(&msg->esp, &str_next, &str_roof)
- || !pack_str(&msg->sc_data, &str_next, &str_roof)
- || !pack_str(&msg->whack_lease_ip, &str_next, &str_roof)
- || !pack_str(&msg->whack_lease_id, &str_next, &str_roof)
- || !pack_str(&msg->xauth_identity, &str_next, &str_roof)
- || (str_roof - str_next < msg->keyval.len))
- {
- plog("send_wack_msg(): can't pack strings");
- return -1;
- }
- if (msg->keyval.ptr)
- {
- memcpy(str_next, msg->keyval.ptr, msg->keyval.len);
- }
- msg->keyval.ptr = NULL;
- str_next += msg->keyval.len;
- len = str_next - (char *)msg;
-
- /* connect to pluto ctl */
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sock < 0)
- {
- plog("socket() failed: %s", strerror(errno));
- return -1;
- }
- if (connect(sock, (struct sockaddr *)&ctl_addr,
- offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
- {
- plog("connect(pluto_ctl) failed: %s", strerror(errno));
- close(sock);
- return -1;
- }
-
- /* send message */
- if (write(sock, msg, len) != len)
- {
- plog("write(pluto_ctl) failed: %s", strerror(errno));
- close(sock);
- return -1;
- }
-
- /* TODO: read reply */
- close(sock);
- return 0;
-}
-
-static void init_whack_msg(whack_message_t *msg)
-{
- memset(msg, 0, sizeof(whack_message_t));
- msg->magic = WHACK_MAGIC;
-}
-
-static char *connection_name(starter_conn_t *conn, char *buf, size_t size)
-{
- /* if connection name is '%auto', create a new name like conn_xxxxx */
- if (streq(conn->name, "%auto"))
- {
- snprintf(buf, size, "conn_%ld", conn->id);
- return buf;
- }
- return conn->name;
-}
-
-static void set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
-{
- w->id = end->id;
- w->cert = end->cert;
- w->ca = end->ca;
- w->groups = end->groups;
- w->host_addr = end->addr;
- w->has_client = end->has_client;
- w->sourceip = end->sourceip;
- w->sourceip_mask = end->sourceip_mask;
-
- if (end->sourceip && end->sourceip_mask > 0)
- {
- ttoaddr(end->sourceip, 0, ip_version(end->sourceip), &w->host_srcip);
- w->has_srcip = !end->has_natip;
- }
- else
- {
- anyaddr(AF_INET, &w->host_srcip);
- }
-
- if (family == AF_INET6 && isanyaddr(&end->nexthop))
- {
- anyaddr(AF_INET6, &end->nexthop);
- }
- w->host_nexthop = end->nexthop;
-
- if (w->has_client)
- {
- char *pos;
- int len = 0;
-
- pos = strchr(end->subnet, ',');
- if (pos)
- {
- len = pos - end->subnet;
- }
- ttosubnet(end->subnet, len, ip_version(end->subnet), &w->client);
- }
- else
- {
- if (end->has_virt)
- {
- w->virt = end->subnet;
- }
- w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr);
- }
-
- w->has_client_wildcard = end->has_client_wildcard;
- w->has_port_wildcard = end->has_port_wildcard;
- w->has_natip = end->has_natip;
- w->allow_any = end->allow_any && !end->dns_failed;
- w->modecfg = end->modecfg;
- w->hostaccess = end->hostaccess;
- w->sendcert = end->sendcert;
- w->updown = end->updown;
- w->host_port = IKE_UDP_PORT;
- w->port = end->port;
- w->protocol = end->protocol;
-
- if (w->port != 0)
- {
- int port = htons(w->port);
-
- setportof(port, &w->host_addr);
- setportof(port, &w->client.addr);
- }
-}
-
-static int
-starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
-, const char *lr)
-{
- const char *err;
- static char keyspace[1024 + 4];
- char buf[ADDRTOT_BUF], name[32];
- whack_message_t msg;
-
- init_whack_msg(&msg);
- connection_name(conn, name, sizeof(name));
-
- msg.whack_key = TRUE;
- msg.pubkey_alg = PUBKEY_ALG_RSA;
- if (end->rsakey)
- {
- /* special values to ignore */
- if (streq(end->rsakey, "")
- || streq(end->rsakey, "%none")
- || streq(end->rsakey, "%cert")
- || streq(end->rsakey, "0x00"))
- {
- return 0;
- }
- err = atobytes(end->rsakey, 0, keyspace, sizeof(keyspace), &msg.keyval.len);
- if (err)
- {
- plog("conn %s/%s: rsakey malformed [%s]", name, lr, err);
- return 1;
- }
- if (end->id)
- {
- msg.keyid = end->id;
- }
- else
- {
- addrtot(&end->addr, 0, buf, sizeof(buf));
- msg.keyid = buf;
- }
- msg.keyval.ptr = keyspace;
- return send_whack_msg(&msg);
- }
- return 0;
-}
-
-int starter_whack_add_conn(starter_conn_t *conn)
-{
- char esp_buf[256], name[32];
- whack_message_t msg;
- int r;
-
- init_whack_msg(&msg);
-
- msg.whack_connection = TRUE;
- msg.name = connection_name(conn, name, sizeof(name));
-
- msg.ikev1 = conn->keyexchange == KEY_EXCHANGE_IKEV1;
- msg.addr_family = conn->addr_family;
- msg.tunnel_addr_family = conn->tunnel_addr_family;
- msg.sa_ike_life_seconds = conn->sa_ike_life_seconds;
- msg.sa_ipsec_life_seconds = conn->sa_ipsec_life_seconds;
- msg.sa_rekey_margin = conn->sa_rekey_margin;
- msg.sa_rekey_fuzz = conn->sa_rekey_fuzz;
- msg.sa_keying_tries = conn->sa_keying_tries;
- msg.policy = conn->policy;
- msg.xauth_identity = conn->xauth_identity;
- msg.reqid = conn->reqid;
- msg.mark_in.value = conn->mark_in.value;
- msg.mark_in.mask = conn->mark_in.mask;
- msg.mark_out.value = conn->mark_out.value;
- msg.mark_out.mask = conn->mark_out.mask;
-
- /*
- * Make sure the IKEv2-only policy bits are unset for IKEv1 connections
- */
- msg.policy &= ~POLICY_DONT_REAUTH;
- msg.policy &= ~POLICY_BEET;
- msg.policy &= ~POLICY_MOBIKE;
- msg.policy &= ~POLICY_FORCE_ENCAP;
-
- set_whack_end(&msg.left, &conn->left, conn->addr_family);
- set_whack_end(&msg.right, &conn->right, conn->addr_family);
-
- msg.esp = conn->esp;
- msg.ike = conn->ike;
- msg.pfsgroup = conn->pfsgroup;
-
- /* taken from pluto/whack.c */
- if (msg.pfsgroup)
- {
- snprintf(esp_buf, sizeof (esp_buf), "%s;%s"
- , msg.esp ? msg.esp : ""
- , msg.pfsgroup ? msg.pfsgroup : "");
- msg.esp = esp_buf;
-
- DBG(DBG_CONTROL,
- DBG_log("Setting --esp=%s", msg.esp)
- )
- }
- msg.dpd_delay = conn->dpd_delay;
- msg.dpd_timeout = conn->dpd_timeout;
- msg.dpd_action = conn->dpd_action;
-/* msg.dpd_count = conn->dpd_count; not supported yet by strongSwan */
-
- r = send_whack_msg(&msg);
-
- if (r == 0 && (conn->policy & POLICY_PUBKEY))
- {
- r += starter_whack_add_pubkey (conn, &conn->left, "left");
- r += starter_whack_add_pubkey (conn, &conn->right, "right");
- }
-
- return r;
-}
-
-int starter_whack_del_conn(starter_conn_t *conn)
-{
- char name[32];
- whack_message_t msg;
-
- init_whack_msg(&msg);
- msg.whack_delete = TRUE;
- msg.name = connection_name(conn, name, sizeof(name));
- return send_whack_msg(&msg);
-}
-
-int starter_whack_route_conn(starter_conn_t *conn)
-{
- char name[32];
- whack_message_t msg;
-
- init_whack_msg(&msg);
- msg.whack_route = TRUE;
- msg.name = connection_name(conn, name, sizeof(name));
- return send_whack_msg(&msg);
-}
-
-int starter_whack_initiate_conn(starter_conn_t *conn)
-{
- char name[32];
- whack_message_t msg;
-
- init_whack_msg(&msg);
- msg.whack_initiate = TRUE;
- msg.whack_async = TRUE;
- msg.name = connection_name(conn, name, sizeof(name));
- return send_whack_msg(&msg);
-}
-
-int starter_whack_listen(void)
-{
- whack_message_t msg;
- init_whack_msg(&msg);
- msg.whack_listen = TRUE;
- return send_whack_msg(&msg);
-}
-
-int starter_whack_shutdown(void)
-{
- whack_message_t msg;
-
- init_whack_msg(&msg);
- msg.whack_shutdown = TRUE;
- return send_whack_msg(&msg);
-}
-
-int starter_whack_add_ca(starter_ca_t *ca)
-{
- whack_message_t msg;
-
- init_whack_msg(&msg);
-
- msg.whack_ca = TRUE;
- msg.name = ca->name;
- msg.cacert = ca->cacert;
- msg.ldaphost = ca->ldaphost;
- msg.ldapbase = ca->ldapbase;
- msg.crluri = ca->crluri;
- msg.crluri2 = ca->crluri2;
- msg.ocspuri = ca->ocspuri;
- msg.whack_strict = ca->strict;
-
- return send_whack_msg(&msg);
-}
-
-int starter_whack_del_ca(starter_ca_t *ca)
-{
- whack_message_t msg;
-
- init_whack_msg(&msg);
-
- msg.whack_delete = TRUE;
- msg.whack_ca = TRUE;
- msg.name = ca->name;
-
- return send_whack_msg(&msg);
-}
diff --git a/src/starter/starterwhack.h b/src/starter/starterwhack.h
deleted file mode 100644
index d56b02421..000000000
--- a/src/starter/starterwhack.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/* FreeS/WAN whack functions to communicate with pluto (whack.h)
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_WHACK_H_
-#define _STARTER_WHACK_H_
-
-#include "confread.h"
-
-extern int starter_whack_add_conn(starter_conn_t *conn);
-extern int starter_whack_del_conn(starter_conn_t *conn);
-extern int starter_whack_route_conn(starter_conn_t *conn);
-extern int starter_whack_initiate_conn(starter_conn_t *conn);
-extern int starter_whack_listen(void);
-extern int starter_whack_shutdown(void);
-extern int starter_whack_add_ca(starter_ca_t *ca);
-extern int starter_whack_del_ca(starter_ca_t *ca);
-
-#endif /* _STARTER_WHACK_H_ */
-