Diffstat (limited to 'src/starter')
-rw-r--r-- | src/starter/Makefile.am | 10 | ||||
-rw-r--r-- | src/starter/Makefile.in | 353 | ||||
-rw-r--r-- | src/starter/args.c | 44 | ||||
-rw-r--r-- | src/starter/confread.c | 96 | ||||
-rw-r--r-- | src/starter/confread.h | 13 | ||||
-rw-r--r-- | src/starter/interfaces.c | 61 | ||||
-rw-r--r-- | src/starter/interfaces.h | 1 | ||||
-rw-r--r-- | src/starter/invokecharon.c | 4 | ||||
-rw-r--r-- | src/starter/invokepluto.c | 6 | ||||
-rw-r--r-- | src/starter/ipsec.conf.5 | 163 | ||||
-rw-r--r-- | src/starter/keywords.c | 262 | ||||
-rw-r--r-- | src/starter/keywords.h | 7 | ||||
-rw-r--r-- | src/starter/keywords.txt | 7 | ||||
-rw-r--r-- | src/starter/klips.c | 4 | ||||
-rw-r--r-- | src/starter/klips.h | 2 | ||||
-rw-r--r-- | src/starter/netkey.h | 2 | ||||
-rw-r--r-- | src/starter/starter.c | 20 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 59 | ||||
-rw-r--r-- | src/starter/starterwhack.c | 137 |
19 files changed, 728 insertions, 523 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index 3355b3afb..7524b5f26 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -6,7 +6,7 @@ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \ exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h INCLUDES = \ --I${linuxdir} \ +-I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/pluto \ @@ -15,9 +15,11 @@ INCLUDES = \ AM_CFLAGS = \ -DIPSEC_DIR=\"${ipsecdir}\" \ --DIPSEC_CONFDIR=\"${confdir}\" \ +-DIPSEC_CONFDIR=\"${sysconfdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_EAPDIR=\"${eapdir}\" \ +-DDEV_RANDOM=\"${random_device}\" \ +-DDEV_URANDOM=\"${urandom_device}\" \ -DDEBUG starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) @@ -37,7 +39,7 @@ if USE_CHARON endif lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h - $(LEX) $(srcdir)/parser.l + $(LEX) $(srcdir)/parser.l y.tab.c: $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h $(YACC) -v -d $(srcdir)/parser.y @@ -51,7 +53,7 @@ keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c -install-exec-local : +install-exec-local : test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index a839c20b1..79ea9de32 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in 
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10.2 from Makefile.am. +# Makefile.in generated by automake 1.11 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,8 +17,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -39,14 +41,21 @@ subdir = src/starter DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/configure.in +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \ "$(DESTDIR)$(man8dir)" -ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(ipsec_PROGRAMS) am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \ 
@@ -63,6 +72,7 @@ starter_DEPENDENCIES = defs.o \ DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles +am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ @@ -74,6 +84,27 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(starter_SOURCES) DIST_SOURCES = $(starter_SOURCES) +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff 
@@ -114,25 +145,22 @@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@ -IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@ -LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@ -LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ -LINUX_HEADERS = @LINUX_HEADERS@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ @@ -144,11 +172,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ +RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ @@ -177,9 +208,9 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ -confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ @@ -202,7 +233,7 @@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ libstrongswan_plugins = @libstrongswan_plugins@ -linuxdir = @linuxdir@ +linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ @@ -210,6 +241,7 @@ mandir = @mandir@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ 
@@ -218,10 +250,12 @@ pluto_plugins = @pluto_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +random_device = @random_device@ resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ -simreader = @simreader@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -229,6 +263,7 @@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \ @@ -238,16 +273,18 @@ keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \ exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h INCLUDES = \ --I${linuxdir} \ +-I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/pluto \ -I$(top_srcdir)/src/whack \ -I$(top_srcdir)/src/stroke -AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \ - -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \ - -DDEBUG $(am__append_1) $(am__append_2) +AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ + -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ + -DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \ + -DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \ + $(am__append_2) starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf dist_man_MANS = ipsec.conf.5 starter.8 
@@ -267,9 +304,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/starter/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/starter/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/starter/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/starter/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -287,34 +324,50 @@ $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-ipsecPROGRAMS: $(ipsec_PROGRAMS) @$(NORMAL_INSTALL) test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" - @list='$(ipsec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \ - else :; fi; \ - done + @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p || test -f $$p1; \ + then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \ + } \ + ; 
done uninstall-ipsecPROGRAMS: @$(NORMAL_UNINSTALL) - @list='$(ipsec_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \ - rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \ - done + @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files clean-ipsecPROGRAMS: - @list='$(ipsec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done + @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES) @rm -f starter$(EXEEXT) $(LINK) $(starter_OBJECTS) $(starter_LDADD) $(LIBS) 
@@ -344,21 +397,21 @@ distclean-compile: .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< 
@@ -368,96 +421,82 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(man5_MANS) $(man_MANS) +install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ + @list=''; test -n "$(man5dir)" || exit 0; \ + { for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ done; \ - for i in $$list; do \ - if test -f $$i; then file=$$i; \ - else file=$(srcdir)/$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 5*) ;; \ - *) ext='5' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ - done + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + uninstall-man5: @$(NORMAL_UNINSTALL) - @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) 
$(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.5*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 5*) ;; \ - *) ext='5' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ - done -install-man8: $(man8_MANS) $(man_MANS) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + test -z "$$files" || { \ + echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(man5dir)" && rm -f $$files; } +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ + @list=''; test -n "$(man8dir)" || exit 0; \ + { for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ done; \ - for i in $$list; 
do \ - if test -f $$i; then file=$$i; \ - else file=$(srcdir)/$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + uninstall-man8: @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + test -z "$$files" || { \ + echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ 
@@ -471,7 +510,7 @@ tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ 
@@ -479,34 +518,52 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) + @list='$(MANS)'; if test -n "$$list"; then \ + list=`for p in $$list; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ + if test -n "$$list" && \ + grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ + echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ + grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ + echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ + echo " typically 
\`make maintainer-clean' will remove them" >&2; \ + exit 1; \ + else :; fi; \ + else :; fi @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -522,13 +579,17 @@ distdir: $(DISTFILES) if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -559,6 +620,7 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -581,6 +643,8 @@ dvi-am: html: html-am +html-am: + info: info-am info-am: @@ -589,18 +653,28 @@ install-data-am: install-ipsecPROGRAMS install-man install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-exec-local install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-man5 install-man8 install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -645,7 +719,7 @@ uninstall-man: uninstall-man5 uninstall-man8 lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h - $(LEX) $(srcdir)/parser.l + $(LEX) $(srcdir)/parser.l y.tab.c: $(srcdir)/parser.y $(srcdir)/parser.l $(srcdir)/parser.h $(YACC) -v -d $(srcdir)/parser.y @@ -659,7 +733,7 @@ keywords.c: $(srcdir)/keywords.txt $(srcdir)/keywords.h defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c -install-exec-local : +install-exec-local : test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true @@ -670,6 +744,7 @@ install-exec-local : test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/starter/args.c b/src/starter/args.c index 990d7588b..ebbd42cc8 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -36,6 +36,7 @@ typedef enum { ARG_UINT, ARG_TIME, ARG_ULNG, + ARG_ULLI, ARG_PCNT, ARG_STR, ARG_LST, @@ -111,6 +112,11 @@ static const char *LST_pfsgroup[] = { "modp4096", "modp6144", "modp8192", + "ecp192", + "ecp224", + "ecp256", + "ecp384", + "ecp521", NULL }; 
@@ -207,6 +213,10 @@ static const token_info_t token_info[] = { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL }, { ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL }, { ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL }, + { ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_life_bytes), NULL }, + { ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_margin_bytes), NULL }, + { ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_life_packets), NULL }, + { ARG_ULLI, offsetof(starter_conn_t, sa_ipsec_margin_packets), NULL }, { ARG_MISC, 0, NULL /* KW_KEYINGTRIES */ }, { ARG_PCNT, offsetof(starter_conn_t, sa_rekey_fuzz), NULL }, { ARG_MISC, 0, NULL /* KW_REKEY */ }, @@ -217,6 +227,7 @@ static const token_info_t token_info[] = { ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL }, { ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL }, { ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action }, + { ARG_TIME, offsetof(starter_conn_t, inactivity), NULL }, { ARG_MISC, 0, NULL /* KW_MODECONFIG */ }, { ARG_MISC, 0, NULL /* KW_XAUTH */ }, { ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool }, @@ -241,7 +252,7 @@ static const token_info_t token_info[] = { ARG_STR, offsetof(starter_end_t, subnet), NULL }, { ARG_MISC, 0, NULL /* KW_SUBNETWITHIN */ }, { ARG_MISC, 0, NULL /* KW_PROTOPORT */ }, - { ARG_STR, offsetof(starter_end_t, srcip), NULL }, + { ARG_MISC, 0, NULL /* KW_SOURCEIP */ }, { ARG_MISC, 0, NULL /* KW_NATIP */ }, { ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool }, { ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool }, @@ -391,7 +402,7 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, case ARG_UINT: { char *endptr; - u_int *u = (u_int *)p; + u_int *u = (u_int *)p; *u = strtoul(kw->value, &endptr, 10); 
@@ -429,6 +440,20 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, } break; + case ARG_ULLI: + { + char *endptr; + unsigned long long *ll = (unsigned long long *)p; + + *ll = strtoull(kw->value, &endptr, 10); + + if (*endptr != '\0') + { + plog("# bad integer value: %s=%s", kw->entry->name, kw->value); + return FALSE; + } + } + break; case ARG_TIME: { char *endptr; @@ -490,12 +515,12 @@ bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, { char ** lst; - for (lst = *listp; lst && *lst; lst++) + for (lst = *listp; lst && *lst; lst++) { bool match = FALSE; list = token_info[token].list; - + while (*list != NULL && !match) { match = streq(*lst, *list++); @@ -659,6 +684,17 @@ bool cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) } } break; + case ARG_ULLI: + { + unsigned long long *ll1 = (unsigned long long *)p1; + unsigned long long *ll2 = (unsigned long long *)p2; + + if (*ll1 != *ll2) + { + return FALSE; + } + } + break; case ARG_TIME: { time_t *t1 = (time_t *)p1; diff --git a/src/starter/confread.c b/src/starter/confread.c index 5fd2b9fbf..07cc11503 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -119,7 +119,7 @@ load_setup(starter_config_t *cfg, config_parsed_t *cfgp) bool assigned = FALSE; kw_token_t token = kw->entry->token; - + if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST) { plog("# unsupported keyword '%s' in config setup", kw->entry->name); @@ -136,9 +136,8 @@ load_setup(starter_config_t *cfg, config_parsed_t *cfgp) } } -static void -kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token - , kw_list_t *kw, char *conn_name, starter_config_t *cfg) +static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token, + kw_list_t *kw, char *conn_name, starter_config_t *cfg) { err_t ugh = NULL; bool assigned = FALSE; 
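Review bot: The new ARG_ULLI case accepts out-of-range, negative and empty input silently: strtoull() saturates to ULLONG_MAX on overflow and reports that only through errno, it parses a leading '-' by wrapping the value, and an empty string leaves endptr at kw->value with `*endptr == '\0'`, so `lifebytes=-1`, an oversized number, or an empty value all pass the check and become a near-unlimited (or zero) lifetime. Reset errno and reject those forms before trusting the result, e.g. `errno = 0;` before the call and `if (*endptr != '\0' || endptr == kw->value || errno == ERANGE || *kw->value == '-')` as the condition (this needs <errno.h>, whose inclusion is not visible in this hunk). The ARG_UINT case above uses the same strtoul() pattern, so whichever check is chosen should be applied there as well for consistency; assign_arg's body starts and ends outside the hunk.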
@@ -165,10 +164,10 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token ip_subnet net; char *pos; int len = 0; - + end->has_client = TRUE; conn->tunnel_addr_family = ip_version(value); - + pos = strchr(value, ','); if (pos) { @@ -188,31 +187,54 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token plog("# natip and sourceip cannot be defined at the same time"); goto err; } - if (streq(value, "%modeconfig") || streq(value, "%modecfg") || - streq(value, "%config") || streq(value, "%cfg")) + if (value[0] == '%') { - free(end->srcip); - end->srcip = NULL; + if (streq(value, "%modeconfig") || streq(value, "%modecfg") || + streq(value, "%config") || streq(value, "%cfg")) + { + /* request ip via config payload */ + end->sourceip = NULL; + end->sourceip_mask = 1; + } + else + { /* %poolname, strip %, serve ip requests */ + end->sourceip = clone_str(value+1); + end->sourceip_mask = 0; + } end->modecfg = TRUE; } else { + char *pos; ip_address addr; ip_subnet net; - + conn->tunnel_addr_family = ip_version(value); - if (strchr(value, '/')) + pos = strchr(value, '/'); + + if (pos) { /* CIDR notation, address pool */ ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net); + if (ugh != NULL) + { + plog("# bad subnet: %s=%s [%s]", name, value, ugh); + goto err; + } + *pos = '\0'; + end->sourceip = clone_str(value); + end->sourceip_mask = atoi(pos + 1); } - else if (value[0] != '%') - { /* old style fixed srcip, a %poolname otherwise */ + else + { /* fixed srcip */ ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr); - } - if (ugh != NULL) - { - plog("# bad addr: %s=%s [%s]", name, value, ugh); - goto err; + if (ugh != NULL) + { + plog("# bad addr: %s=%s [%s]", name, value, ugh); + goto err; + } + end->sourceip = clone_str(value); + end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ? + 32 : 128; } } conn->policy |= POLICY_TUNNEL; 
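Review bot: The rewritten %modeconfig branch drops the `free(end->srcip)` the old code performed, and every other new branch assigns `end->sourceip = clone_str(...)` without releasing a previous value, so if sourceip can already be set when this keyword is handled (keyword repeated in a section, or inherited from %default — not visible here) the earlier string leaks. A single `free(end->sourceip);` before the `if (value[0] == '%')` test would cover all branches. Separately, `*pos = '\0'` truncates the keyword value in place after ttosubnet() validated it; if `value` aliases the stored kw->value and that string is reused later (cmp_args, also-sections), it no longer carries the prefix length — worth confirming, or copying before truncating. kw_end starts and ends outside this hunk.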
@@ -245,6 +267,10 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token end->addr = cfg->defaultroute.addr; end->nexthop = cfg->defaultroute.nexthop; } + else if (!cfg->defaultroute.supported) + { + plog("%%defaultroute not supported, fallback to %%any"); + } else { plog("# default route not known: %s=%s", name, value); @@ -298,7 +324,9 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token if (streq(value, "%defaultroute")) { if (cfg->defaultroute.defined) + { end->nexthop = cfg->defaultroute.nexthop; + } else { plog("# default route not known: %s=%s", name, value); @@ -323,7 +351,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token case KW_SUBNETWITHIN: { ip_subnet net; - + end->has_client = TRUE; end->has_client_wildcard = TRUE; conn->tunnel_addr_family = ip_version(value); @@ -342,7 +370,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token end->has_port_wildcard = has_port_wildcard; break; case KW_NATIP: - if (end->srcip) + if (end->sourceip) { plog("# natip and sourceip cannot be defined at the same time"); goto err; @@ -350,11 +378,11 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token if (streq(value, "%defaultroute")) { char buf[64]; - + if (cfg->defaultroute.defined) { addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf)); - end->srcip = clone_str(buf); + end->sourceip = clone_str(buf); } else { @@ -365,7 +393,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token else { ip_address addr; - + conn->tunnel_addr_family = ip_version(value); ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr); if (ugh != NULL) @@ -373,7 +401,7 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token plog("# bad addr: %s=%s [%s]", name, value, ugh); goto err; } - end->srcip = clone_str(value); + end->sourceip = clone_str(value); } end->has_natip = TRUE; conn->policy |= POLICY_TUNNEL; 
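Review bot: The new `!cfg->defaultroute.supported` branch logs "fallback to %any" but assigns nothing, so whether `end->addr` really ends up as %any depends on how the end was initialised before this switch, which is outside the hunk; either set it here explicitly or reword the message to say the keyword is ignored. The message also omits the keyword and value that the sibling `# default route not known: %s=%s` branch reports, which makes the two hard to correlate in a log: `plog("%%defaultroute not supported, fallback to %%any: %s=%s", name, value);`. kw_end's body continues outside this hunk.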
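Review bot: The two KW_NATIP paths (hunks at -350 and -373) now store into the renamed `end->sourceip` but never set the new `end->sourceip_mask`, while the KW_*SOURCEIP code above assigns the mask in every branch and uses 0 to mean "sourceip is a %poolname". If the struct is zero-initialised, a natip-derived address therefore carries mask 0 and any consumer that keys on sourceip_mask rather than has_natip would read it as a pool name; setting `end->sourceip_mask = 32;` after the %defaultroute clone (the route lookup only fills `u.v4`) and `end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ? 32 : 128;` after the parsed-address clone removes the ambiguity. Whether such a consumer exists is not visible here, as starterstroke.c's end handling is outside this view.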
@@ -510,8 +538,8 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) } else if (streq(kw->value, "transport_proxy")) { - conn->policy |= POLICY_PROXY; - } + conn->policy |= POLICY_PROXY; + } else if (streq(kw->value, "passthrough") || streq(kw->value, "pass")) { conn->policy |= POLICY_SHUNT_PASS; @@ -535,10 +563,10 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) break; case KW_COMPRESS: KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS) - break; + break; case KW_AUTH: KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE) - break; + break; case KW_AUTHBY: conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT); @@ -591,7 +619,7 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) case KW_EAP: { char *sep; - + /* check for vendor-type format */ sep = strchr(kw->value, '-'); if (sep) @@ -922,7 +950,7 @@ confread_free_ca(starter_ca_t *ca) /* * free the memory used by a starter_config_t object */ -void +void confread_free(starter_config_t *cfg) { starter_conn_t *conn = cfg->conn_first; @@ -1046,7 +1074,7 @@ confread_load(const char *file) for (ca = cfg->ca_first; ca; ca = ca->next) { also_t *also = ca->also; - + while (also != NULL) { kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg); @@ -1080,7 +1108,7 @@ confread_load(const char *file) for (sconn = cfgp->conn_first; sconn; sconn = sconn->next) { u_int previous_err; - + /* skip %default conn section */ if (streq(sconn->name, "%default")) continue; @@ -1093,7 +1121,7 @@ confread_load(const char *file) conn_default(sconn->name, conn, &cfg->conn_default); conn->kw = sconn->kw; conn->next = NULL; - + previous_err = cfg->err; load_conn(conn, conn->kw, cfg); if (cfg->err > previous_err) diff --git a/src/starter/confread.h b/src/starter/confread.h index b20c2e0d3..7f3211628 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h 
@@ -82,7 +82,8 @@ struct starter_end { char *updown; u_int16_t port; u_int8_t protocol; - char *srcip; + char *sourceip; + int sourceip_mask; }; typedef struct also also_t; @@ -112,6 +113,10 @@ struct starter_conn { time_t sa_ike_life_seconds; time_t sa_ipsec_life_seconds; time_t sa_rekey_margin; + u_int64_t sa_ipsec_life_bytes; + u_int64_t sa_ipsec_margin_bytes; + u_int64_t sa_ipsec_life_packets; + u_int64_t sa_ipsec_margin_packets; unsigned long sa_keying_tries; unsigned long sa_rekey_fuzz; sa_family_t addr_family; @@ -124,12 +129,14 @@ struct starter_conn { char *esp; char *ike; char *pfsgroup; - + time_t dpd_delay; time_t dpd_timeout; dpd_action_t dpd_action; int dpd_count; - + + time_t inactivity; + bool me_mediation; char *me_mediated_by; char *me_peerid; diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c index d12bf0bdf..92b2c74a4 100644 --- a/src/starter/interfaces.c +++ b/src/starter/interfaces.c @@ -13,13 +13,6 @@ * for more details. */ -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <linux/rtnetlink.h> -#ifdef HAVE_SYS_SOCKIO_H -#include <sys/sockio.h> -#endif - #include <stdlib.h> #include <string.h> #include <unistd.h> @@ -35,6 +28,15 @@ #include "exec.h" #include "files.h" +#ifdef START_PLUTO + +#include <sys/socket.h> +#include <sys/ioctl.h> +#include <linux/rtnetlink.h> +#ifdef HAVE_SYS_SOCKIO_H +#include <sys/sockio.h> +#endif + /* * Get the default route information via rtnetlink */ @@ -130,7 +132,6 @@ get_defaultroute(defaultroute_t *defaultroute) } if (metric < best_metric - && gw.s_addr != INADDR_ANY && iface_idx != -1) { struct ifreq req; 
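Review bot: `sourceip_mask` carries three different meanings in confread.c — 0 marks `sourceip` as a %poolname, 1 marks "request an address via the config payload" (with `sourceip` NULL), and any other value is the prefix length of the address in `sourceip` — but the header gives no hint of that, so a reader of the struct will take it for a plain prefix length. Document the encoding at the declaration, e.g. `char *sourceip;       /* NULL = address requested from peer; pool name if sourceip_mask == 0 */` and `int sourceip_mask;    /* 0 = sourceip is a pool name, 1 = request via config payload, else prefix length */`.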
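Review bot: The four new counters are declared `u_int64_t`, but the ARG_ULLI case added to args.c in this commit writes through an `unsigned long long *`; on LP64 glibc `u_int64_t` is `unsigned long`, so this is a same-width but formally incompatible access that -Wstrict-aliasing may flag. Assuming these are the fields ARG_ULLI targets (the token_info mapping is not in this view), declaring them as `unsigned long long` or having ARG_ULLI cast to `u_int64_t *` keeps the two sides in agreement.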
@@ -139,19 +140,39 @@ get_defaultroute(defaultroute_t *defaultroute) if (fd < 0) { plog("could not open AF_INET socket"); - defaultroute->defined = FALSE; break; } bzero(&req, sizeof(req)); req.ifr_ifindex = iface_idx; - ioctl(fd, SIOCGIFNAME, &req); - ioctl(fd, SIOCGIFADDR, &req); - close(fd); + if (ioctl(fd, SIOCGIFNAME, &req) < 0 || + ioctl(fd, SIOCGIFADDR, &req) < 0) + { + plog("could not read interface data, ignoring route"); + close(fd); + break; + } strncpy(defaultroute->iface, req.ifr_name, IFNAMSIZ); defaultroute->addr.u.v4 = *((struct sockaddr_in *) &req.ifr_addr); defaultroute->nexthop.u.v4.sin_family = AF_INET; - defaultroute->nexthop.u.v4.sin_addr = gw; + + if (gw.s_addr == INADDR_ANY) + { + if (ioctl(fd, SIOCGIFDSTADDR, &req) < 0 || + ((struct sockaddr_in*) &req.ifr_dstaddr)->sin_addr.s_addr == INADDR_ANY) + { + DBG_log("Ignoring default route to device %s because we can't get it's destination", + req.ifr_name); + close(fd); + break; + } + + defaultroute->nexthop.u.v4 = *((struct sockaddr_in *) &req.ifr_dstaddr); + } + else + defaultroute->nexthop.u.v4.sin_addr = gw; + + close(fd); DBG(DBG_CONTROL, char addr[20]; @@ -171,7 +192,21 @@ get_defaultroute(defaultroute_t *defaultroute) defaultroute->defined = TRUE; } } + defaultroute->supported = TRUE; if (!defaultroute->defined) plog("no default route - cannot cope with %%defaultroute!!!"); } + +#else /* !START_PLUTO */ + +/** + * Pluto disabled, fall back to %any + */ +void +get_defaultroute(defaultroute_t *defaultroute) +{ + defaultroute->supported = FALSE; +} +#endif /* START_PLUTO */ + diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h index abe4c8f9c..ff8535f0e 100644 --- a/src/starter/interfaces.h +++ b/src/starter/interfaces.h @@ -23,6 +23,7 @@ typedef struct { bool defined; + bool supported; char iface[IFNAMSIZ]; ip_address addr; ip_address nexthop; diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c index 1eb2a0332..f8aa5e6a9 100644 --- a/src/starter/invokecharon.c 
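Review bot: The `else` on the `gw.s_addr == INADDR_ANY` test is the only unbraced branch while every other new branch in the hunk uses braces, and the DBG_log text reads "it's destination" where "its" is meant; `else { defaultroute->nexthop.u.v4.sin_addr = gw; }` and `"... because we can't get its destination"` fix both. The new `!START_PLUTO` fallback sets `supported = FALSE` but leaves `defined` untouched, whereas the real implementation decides `defined` itself; unless every caller zeroes the struct first (not visible here), `defaultroute->defined = FALSE;` should go alongside it so the %defaultroute handling in confread.c sees a consistent pair. get_defaultroute's body starts outside this hunk.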
+++ b/src/starter/invokecharon.c @@ -127,7 +127,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb) NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }; - + if (attach_gdb) { argc = 0; @@ -163,7 +163,7 @@ int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb) { break; } - + /* get next */ pos = strchr(pos, ','); if (pos) diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c index 08fb0657a..f91f4b6c9 100644 --- a/src/starter/invokepluto.c +++ b/src/starter/invokepluto.c @@ -94,7 +94,7 @@ starter_stop_pluto (void) /* be more and more aggressive */ for (i = 0; i < 20 && (pid = _pluto_pid) != 0; i++) { - + if (i < 10) { kill(pid, SIGTERM); @@ -103,7 +103,7 @@ starter_stop_pluto (void) { kill(pid, SIGKILL); plog("starter_stop_pluto(): pluto does not respond, sending KILL"); - } + } else { kill(pid, SIGKILL); @@ -147,7 +147,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb) }; printf ("starter_start_pluto entered\n"); - + if (attach_gdb) { argc = 0; diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 index 31e676324..d4dd7238f 100644 --- a/src/starter/ipsec.conf.5 +++ b/src/starter/ipsec.conf.5 @@ -248,7 +248,7 @@ for Elliptic Curve DSA signatures. .B never can be used if negotiation is never to be attempted or accepted (useful for shunt-only conns). -Digital signatures are superior in every way to shared secrets. +Digital signatures are superior in every way to shared secrets. IKEv1 additionally supports the values .B xauthpsk and 
@@ -256,7 +256,7 @@ and that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode based on shared secrets or digital RSA signatures, respectively. This parameter is deprecated for IKEv2 connections, as two peers do not need -to agree on an authentication method. Use the +to agree on an authentication method. Use the .B leftauth parameter instead to define authentication methods in IKEv2. .TP @@ -282,7 +282,7 @@ and loads a connection and brings it up immediatly. .B ignore ignores the connection. This is equal to delete a connection from the config -file. +file. Relevant only locally, other end need not agree on it (but in general, for an intended-to-be-permanent connection, both ends should use @@ -314,7 +314,7 @@ are periodically sent in order to check the liveliness of the IPsec peer. The values .BR clear , .BR hold , -and +and .B restart all activate DPD. If no activity is detected, all connections with a dead peer are stopped and unrouted ( 
@@ -348,19 +348,23 @@ defines the timeout interval, after which all connections to a peer are deleted in case of inactivity. This only applies to IKEv1, in IKEv2 the default retransmission timeout applies, as every exchange is used to detect dead peers. .TP +.B inactivity +defines the timeout interval, after which a CHILD_SA is closed if it did +not send or receive any traffic. Currently supported in IKEv2 connections only. +.TP .B eap defines the EAP type to propose as server if the client requests EAP authentication. This parameter is deprecated in the favour of .B leftauth. To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, -set +set .B eap=radius .TP .B eap_identity defines the identity the client uses to reply to a EAP Identity request. If defined on the EAP server, the defined identity will be used as peer -identity during EAP authentication. The special value +identity during EAP authentication. The special value .B %identity uses the EAP Identity method to ask the client for a EAP identity. If not defined, the IKEv2 identity will be used as EAP identity. @@ -374,7 +378,7 @@ and rekeying include a separate diffe hellman exchange (IKEv2 only). .TP .B forceencaps Force UDP encapsulation for ESP packets even if no NAT situation is detected. -This may help to hurdle restrictive firewalls. To enforce the peer to +This may help to hurdle restrictive firewalls. To enforce the peer to encapsulate packets, NAT detection payloads are faked (IKEv2 only). .TP .B ike @@ -403,8 +407,8 @@ which protocol should be used to initialize the connection. Connections marked w .B ikev1 are initiated with pluto, those marked with .B ikev2 -with charon. An incoming request from the remote peer is handled by the correct -daemon, unaffected from the +with charon. An incoming request from the remote peer is handled by the correct +daemon, unaffected from the .B keyexchange setting. The default value .B ike 
@@ -421,30 +425,8 @@ means 'never give up'. Relevant only locally, other end need not agree on it. .TP .B keylife -how long a particular instance of a connection -(a set of encryption/authentication keys for user packets) should last, -from successful negotiation to expiry; -acceptable values are an integer optionally followed by -.BR s -(a time in seconds) -or a decimal number followed by -.BR m , -.BR h , -or -.B d -(a time -in minutes, hours, or days respectively) -(default -.BR 1h , -maximum -.BR 24h ). -Normally, the connection is renegotiated (via the keying channel) -before it expires. -The two ends need not exactly agree on -.BR keylife , -although if they do not, -there will be some clutter of superseded connections on the end -which thinks the lifetime is longer. +synonym for +.BR lifetime . .TP .B left (required) @@ -494,14 +476,14 @@ and .TP .B leftauth Authentication method to use (local) or require (remote) in this connection. -This parameter is supported in IKEv2 only. Acceptable values are +This parameter is supported in IKEv2 only. Acceptable values are .B pubkey -for public key authentication (RSA/ECDSA), +for public key authentication (RSA/ECDSA), .B psk for pre-shared key authentication and .B eap to (require the) use of the Extensible Authentication Protocol. In the case -of +of .B eap, an optional EAP method can be appended. Currently defined methods are .B eap-aka, eap-sim, eap-gtc, eap-md5 @@ -515,7 +497,7 @@ EAP methods are defined in the form ). .TP .B leftauth2 -Same as +Same as .B leftauth, but defines an additional authentication exchange. IKEv2 supports multiple authentication rounds using "Multiple Authentication Exchanges" defined @@ -525,7 +507,7 @@ of host and user (IKEv2 only). .B leftca the distinguished name of a certificate authority which is required to lie in the trust path going from the left participant's certificate up -to the root certification authority. +to the root certification authority. .TP .B leftca2 Same as 
@@ -538,7 +520,7 @@ PEM or DER format. OpenPGP certificates are supported as well. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP are accepted. By default .B leftcert -sets +sets .B leftid to the distinguished name of the certificate's subject and .B leftca @@ -679,7 +661,7 @@ or .B %cfg, an address is requested from the peer. In IKEv2, a defined address is requested, but the server may change it. If the server does not support it, the address -is enforced. +is enforced. .TP .B rightsourceip The internal source IP to use in a tunnel for the remote peer. If the 
@@ -724,6 +706,61 @@ Relevant only locally, other end need not agree on it. IKEv2 uses the updown script to insert firewall rules only. Routing is not support and will be implemented directly into Charon. .TP +.B lifebytes +the number of bytes transmitted over an IPsec SA before it expires (IKEv2 +only). +.TP +.B lifepackets +the number of packets transmitted over an IPsec SA before it expires (IKEv2 +only). +.TP +.B lifetime +how long a particular instance of a connection +(a set of encryption/authentication keys for user packets) should last, +from successful negotiation to expiry; +acceptable values are an integer optionally followed by +.BR s +(a time in seconds) +or a decimal number followed by +.BR m , +.BR h , +or +.B d +(a time +in minutes, hours, or days respectively) +(default +.BR 1h , +maximum +.BR 24h ). +Normally, the connection is renegotiated (via the keying channel) +before it expires (see +.BR margintime ). +The two ends need not exactly agree on +.BR lifetime , +although if they do not, +there will be some clutter of superseded connections on the end +which thinks the lifetime is longer. +.TP +.B marginbytes +how many bytes before IPsec SA expiry (see +.BR lifebytes ) +should attempts to negotiate a replacement begin (IKEv2 only). +.TP +.B marginpackets +how many packets before IPsec SA expiry (see +.BR lifepackets ) +should attempts to negotiate a replacement begin (IKEv2 only). +.TP +.B margintime +how long before connection expiry or keying-channel expiry +should attempts to +negotiate a replacement +begin; acceptable values as for +.B lifetime +(default +.BR 9m ). +Relevant only locally, other end need not agree on it. +.TP .B mobike enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are .B yes 
@@ -759,7 +796,7 @@ PFS is enforced by defining a Diffie-Hellman modp group in the .B esp parameter. .TP -.B pfsgroup +.B pfsgroup defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode differing from the DH group used for IKEv1 Main Mode (IKEv1 only). .TP @@ -789,35 +826,35 @@ will be largely ineffective unless both ends agree on it. .TP .B rekeyfuzz maximum percentage by which -.B rekeymargin +.BR marginbytes , +.B marginpackets +and +.B margintime should be randomly increased to randomize rekeying intervals (important for hosts with many connections); acceptable values are an integer, which may exceed 100, followed by a `%' -(default set by -.IR pluto (8), -currently +(defaults to .BR 100% ). The value of -.BR rekeymargin , +.BR marginTYPE , after this random increase, must not exceed -.BR keylife . +.B lifeTYPE +(where TYPE is one of +.IR bytes , +.I packets +or +.IR time ). The value .B 0% -will suppress time randomization. +will suppress randomization. Relevant only locally, other end need not agree on it. .TP .B rekeymargin -how long before connection expiry or keying-channel expiry -should attempts to -negotiate a replacement -begin; acceptable values as for -.B keylife -(default -.BR 9m ). -Relevant only locally, other end need not agree on it. +synonym for +.BR margintime . .TP .B type the type of the connection; currently the accepted values @@ -854,7 +891,7 @@ and (the default). .SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION" -The following parameters are relevant to IKEv2 Mediation Extension +The following parameters are relevant to IKEv2 Mediation Extension operation only. .TP 14 .B mediation @@ -884,7 +921,7 @@ of this connection will be used as peer ID. .SH "CA SECTIONS" This are optional sections that can be used to assign special -parameters to a Certification Authority (CA). These parameters are not +parameters to a Certification Authority (CA). These parameters are not supported in IKEv2 yet. .TP 10 .B auto 
@@ -892,10 +929,10 @@ currently can have either the value .B ignore or .B add -. +. .TP .B cacert -defines a path to the CA certificate either relative to +defines a path to the CA certificate either relative to \fI/etc/ipsec.d/cacerts\fP or as an absolute path. .TP .B crluri @@ -970,7 +1007,7 @@ Accepted values are .B yes or .BR no . -The default is +The default is .B yes if starter was compiled with IKEv2 support. .TP @@ -987,7 +1024,7 @@ Accepted values are .B yes or .BR no . -The default is +The default is .B yes if starter was compiled with IKEv1 support. .TP @@ -1192,7 +1229,7 @@ value that the MTU of the ipsec\fIn\fR interface(s) should be set to, overriding IPsec's (large) default. .SH CHOOSING A CONNECTION .PP -When choosing a connection to apply to an outbound packet caught with a +When choosing a connection to apply to an outbound packet caught with a .BR %trap, the system prefers the one with the most specific eroute that includes the packet's source and destination IP addresses. diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 3ca7a92f6..e379f78e9 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -54,12 +54,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 112 +#define TOTAL_KEYWORDS 119 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 13 -#define MAX_HASH_VALUE 200 -/* maximum key range = 188, duplicates = 0 */ +#define MIN_HASH_VALUE 17 +#define MAX_HASH_VALUE 215 +/* maximum key range = 199, duplicates = 0 */ #ifdef __GNUC__ __inline 
@@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 3, - 42, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 1, 201, 9, 201, 5, - 39, 1, 64, 47, 62, 1, 201, 88, 5, 83, - 39, 30, 21, 201, 1, 10, 6, 44, 14, 201, - 4, 54, 4, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, - 201, 201, 201, 201, 201, 201 + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 12, + 78, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 4, 216, 20, 216, 45, + 55, 4, 77, 14, 78, 4, 216, 119, 4, 89, + 46, 34, 29, 216, 6, 12, 5, 56, 34, 216, + 4, 20, 5, 216, 216, 
216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216, 216, 216, 216, 216, + 216, 216, 216, 216, 216, 216 }; register int hval = len; 
@@ -124,143 +124,151 @@ hash (str, len) static const struct kw_entry wordlist[] = { - {"right", KW_RIGHT}, - {"crluri", KW_CRLURI}, {"left", KW_LEFT}, - {"crluri1", KW_CRLURI}, - {"certuribase", KW_CERTURIBASE}, + {"right", KW_RIGHT}, + {"lifetime", KW_KEYLIFE}, {"leftcert", KW_LEFTCERT,}, - {"rightcert", KW_RIGHTCERT}, - {"rightca", KW_RIGHTCA}, {"leftfirewall", KW_LEFTFIREWALL}, {"leftsendcert", KW_LEFTSENDCERT}, {"leftprotoport", KW_LEFTPROTOPORT}, + {"type", KW_TYPE}, + {"rekey", KW_REKEY}, {"leftgroups", KW_LEFTGROUPS}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, {"rightsubnet", KW_RIGHTSUBNET}, - {"leftca", KW_LEFTCA}, {"rightsendcert", KW_RIGHTSENDCERT}, - {"cacert", KW_CACERT}, - {"eap", KW_EAP}, + {"leftallowany", KW_LEFTALLOWANY}, + {"rightgroups", KW_RIGHTGROUPS}, {"esp", KW_ESP}, - {"cachecrls", KW_CACHECRLS}, + {"lifebytes", KW_LIFEBYTES}, + {"rightrsasigkey", KW_RIGHTRSASIGKEY}, + {"lifepackets", KW_LIFEPACKETS}, {"leftnexthop", KW_LEFTNEXTHOP}, - {"virtual_private", KW_VIRTUAL_PRIVATE}, + {"leftrsasigkey", KW_LEFTRSASIGKEY}, + {"leftca", KW_LEFTCA}, + {"eap", KW_EAP}, + {"strictcrlpolicy", KW_STRICTCRLPOLICY}, {"rightprotoport", KW_RIGHTPROTOPORT}, - {"ocspuri", KW_OCSPURI}, - {"leftnatip", KW_LEFTNATIP}, - {"rightsourceip", KW_RIGHTSOURCEIP}, - {"ocspuri1", KW_OCSPURI}, - {"also", KW_ALSO}, - {"rightid", KW_RIGHTID}, {"plutostart", KW_PLUTOSTART}, - {"rightid2", KW_RIGHTID2}, - {"compress", KW_COMPRESS}, - {"packetdefault", KW_PACKETDEFAULT}, - {"crluri2", KW_CRLURI2}, - {"rightca2", KW_RIGHTCA2}, - {"leftcert2", KW_LEFTCERT2,}, - {"rightcert2", KW_RIGHTCERT2}, + {"also", KW_ALSO}, + {"rightallowany", KW_RIGHTALLOWANY}, + {"rightsourceip", KW_RIGHTSOURCEIP}, + {"crluri", KW_CRLURI}, + {"leftnatip", KW_LEFTNATIP}, {"lefthostaccess", KW_LEFTHOSTACCESS}, - {"rekey", KW_REKEY}, - {"ldapbase", KW_LDAPBASE}, - {"rightauth2", KW_RIGHTAUTH2}, - {"leftca2", KW_LEFTCA2}, - {"type", KW_TYPE}, + {"rightcert", KW_RIGHTCERT}, + {"certuribase", KW_CERTURIBASE}, + 
{"packetdefault", KW_PACKETDEFAULT}, + {"plutostderrlog", KW_PLUTOSTDERRLOG}, + {"crluri1", KW_CRLURI}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, + {"rightid", KW_RIGHTID}, + {"virtual_private", KW_VIRTUAL_PRIVATE}, {"leftsubnet", KW_LEFTSUBNET}, - {"nat_traversal", KW_NAT_TRAVERSAL}, - {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, + {"cacert", KW_CACERT}, + {"rightca", KW_RIGHTCA}, {"leftsourceip", KW_LEFTSOURCEIP}, - {"rightgroups", KW_RIGHTGROUPS}, - {"rightrsasigkey", KW_RIGHTRSASIGKEY}, + {"inactivity", KW_INACTIVITY}, + {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, + {"installpolicy", KW_INSTALLPOLICY}, + {"nat_traversal", KW_NAT_TRAVERSAL}, + {"ldapbase", KW_LDAPBASE}, + {"leftupdown", KW_LEFTUPDOWN}, {"rightnatip", KW_RIGHTNATIP}, + {"ocspuri", KW_OCSPURI}, {"rightnexthop", KW_RIGHTNEXTHOP}, - {"leftupdown", KW_LEFTUPDOWN}, - {"leftallowany", KW_LEFTALLOWANY}, - {"rightallowany", KW_RIGHTALLOWANY}, + {"leftcert2", KW_LEFTCERT2,}, + {"rightid2", KW_RIGHTID2}, {"rekeyfuzz", KW_REKEYFUZZ}, - {"xauth", KW_XAUTH}, - {"rightauth", KW_RIGHTAUTH}, - {"leftrsasigkey", KW_LEFTRSASIGKEY}, + {"compress", KW_COMPRESS}, {"rightfirewall", KW_RIGHTFIREWALL}, - {"ocspuri2", KW_OCSPURI2}, - {"auto", KW_AUTO}, + {"ocspuri1", KW_OCSPURI}, {"ldaphost", KW_LDAPHOST}, + {"xauth", KW_XAUTH}, + {"postpluto", KW_POSTPLUTO}, + {"eap_identity", KW_EAP_IDENTITY}, + {"plutodebug", KW_PLUTODEBUG}, + {"leftca2", KW_LEFTCA2}, + {"auto", KW_AUTO}, {"righthostaccess", KW_RIGHTHOSTACCESS}, + {"dpddelay", KW_DPDDELAY}, + {"rightauth", KW_RIGHTAUTH}, + {"rightauth2", KW_RIGHTAUTH2}, + {"pfs", KW_PFS}, + {"authby", KW_AUTHBY}, + {"rightupdown", KW_RIGHTUPDOWN}, {"leftid", KW_LEFTID}, - {"strictcrlpolicy", KW_STRICTCRLPOLICY}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, + {"uniqueids", KW_UNIQUEIDS}, {"dumpdir", KW_DUMPDIR}, + {"mediated_by", KW_MEDIATED_BY}, {"ike", KW_IKE}, - {"leftid2", KW_LEFTID2}, - {"postpluto", KW_POSTPLUTO}, - {"rightupdown", KW_RIGHTUPDOWN}, - {"plutostderrlog", 
KW_PLUTOSTDERRLOG}, - {"pfs", KW_PFS}, - {"fragicmp", KW_FRAGICMP}, - {"overridemtu", KW_OVERRIDEMTU}, - {"leftauth2", KW_LEFTAUTH2}, - {"uniqueids", KW_UNIQUEIDS}, + {"cachecrls", KW_CACHECRLS}, {"prepluto", KW_PREPLUTO}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, - {"keyexchange", KW_KEYEXCHANGE}, - {"keep_alive", KW_KEEP_ALIVE}, - {"hidetos", KW_HIDETOS}, {"force_keepalive", KW_FORCE_KEEPALIVE}, - {"installpolicy", KW_INSTALLPOLICY}, - {"dpdaction", KW_DPDACTION}, - {"eap_identity", KW_EAP_IDENTITY}, + {"hidetos", KW_HIDETOS}, + {"mobike", KW_MOBIKE}, {"forceencaps", KW_FORCEENCAPS}, + {"overridemtu", KW_OVERRIDEMTU}, + {"crluri2", KW_CRLURI2}, + {"rightca2", KW_RIGHTCA2}, + {"rightcert2", KW_RIGHTCERT2}, + {"dpdaction", KW_DPDACTION}, {"nocrsend", KW_NOCRSEND}, - {"auth", KW_AUTH}, - {"leftauth", KW_LEFTAUTH}, - {"mobike", KW_MOBIKE}, - {"plutodebug", KW_PLUTODEBUG}, - {"charonstart", KW_CHARONSTART}, + {"leftid2", KW_LEFTID2}, {"interfaces", KW_INTERFACES}, + {"leftauth", KW_LEFTAUTH}, + {"leftauth2", KW_LEFTAUTH2}, + {"mediation", KW_MEDIATION}, + {"rekeymargin", KW_REKEYMARGIN}, + {"keep_alive", KW_KEEP_ALIVE}, + {"auth", KW_AUTH}, + {"keyingtries", KW_KEYINGTRIES}, + {"me_peerid", KW_ME_PEERID}, + {"fragicmp", KW_FRAGICMP}, + {"margintime", KW_REKEYMARGIN}, + {"ocspuri2", KW_OCSPURI2}, + {"reauth", KW_REAUTH}, {"pkcs11module", KW_PKCS11MODULE}, - {"dpddelay", KW_DPDDELAY}, + {"pfsgroup", KW_PFSGROUP}, + {"marginbytes", KW_MARGINBYTES}, {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"reauth", KW_REAUTH}, - {"me_peerid", KW_ME_PEERID}, - {"rekeymargin", KW_REKEYMARGIN}, + {"marginpackets", KW_MARGINPACKETS}, + {"modeconfig", KW_MODECONFIG}, + {"keyexchange", KW_KEYEXCHANGE}, + {"charonstart", KW_CHARONSTART}, {"pkcs11initargs", KW_PKCS11INITARGS}, - {"mediation", KW_MEDIATION}, - {"pfsgroup", KW_PFSGROUP}, - {"mediated_by", KW_MEDIATED_BY}, - {"keyingtries", KW_KEYINGTRIES}, {"dpdtimeout", KW_DPDTIMEOUT}, - {"keylife", KW_KEYLIFE}, - {"charondebug", 
KW_CHARONDEBUG}, - {"ikelifetime", KW_IKELIFETIME}, - {"authby", KW_AUTHBY}, {"pkcs11proxy", KW_PKCS11PROXY}, + {"charondebug", KW_CHARONDEBUG}, {"klipsdebug", KW_KLIPSDEBUG}, - {"modeconfig", KW_MODECONFIG} + {"keylife", KW_KEYLIFE}, + {"ikelifetime", KW_IKELIFETIME} }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, 0, 1, -1, 2, 3, -1, 4, - -1, 5, 6, 7, 8, 9, 10, 11, 12, 13, - 14, 15, 16, -1, 17, 18, -1, -1, 19, 20, - 21, -1, -1, 22, 23, 24, 25, 26, 27, 28, - -1, -1, 29, 30, 31, 32, 33, 34, 35, 36, - 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, - 47, 48, 49, -1, 50, -1, 51, 52, 53, 54, - 55, -1, 56, 57, 58, -1, 59, 60, 61, 62, - 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, - 73, 74, -1, 75, 76, 77, 78, -1, -1, 79, - 80, 81, 82, -1, 83, 84, 85, 86, -1, 87, - 88, 89, 90, 91, 92, 93, -1, 94, 95, -1, - -1, -1, 96, 97, -1, 98, 99, -1, 100, -1, - -1, -1, -1, -1, 101, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, 102, -1, 103, -1, 104, - -1, 105, -1, -1, 106, 107, -1, 108, -1, -1, - -1, -1, -1, -1, -1, -1, -1, 109, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, 110, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - 111 + -1, -1, -1, -1, -1, -1, -1, 0, -1, -1, + 1, -1, -1, -1, 2, 3, -1, -1, 4, 5, + -1, -1, 6, 7, -1, 8, 9, -1, 10, -1, + 11, -1, -1, -1, 12, -1, -1, 13, 14, 15, + 16, 17, 18, 19, 20, -1, 21, 22, 23, -1, + 24, -1, 25, 26, 27, 28, 29, -1, 30, 31, + 32, -1, 33, 34, 35, 36, 37, 38, -1, 39, + -1, 40, 41, 42, 43, 44, -1, 45, -1, 46, + -1, 47, -1, 48, -1, 49, 50, 51, -1, 52, + 53, 54, -1, 55, 56, 57, 58, 59, -1, -1, + 60, 61, 62, 63, 64, 65, 66, 67, 68, -1, + -1, 69, 70, 71, 72, -1, 73, 74, 75, 76, + 77, 78, -1, 79, 80, 81, -1, 82, 83, 84, + 85, 86, -1, 87, 88, -1, -1, 89, 90, 91, + 92, 93, -1, 94, -1, -1, 95, 96, 97, -1, + 98, 99, -1, -1, -1, 100, -1, -1, -1, 101, + -1, 102, 103, -1, -1, -1, 104, 105, 106, 107, + 108, 109, -1, 110, -1, 111, 112, -1, 113, -1, + -1, 114, -1, -1, 115, -1, -1, -1, -1, -1, + -1, -1, 116, -1, -1, -1, -1, -1, -1, -1, + 
-1, 117, -1, -1, -1, 118 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 3a115d15d..8be31d148 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -66,7 +66,7 @@ typedef enum { KW_TYPE, KW_PFS, KW_COMPRESS, - KW_INSTALLPOLICY, + KW_INSTALLPOLICY, KW_AUTH, KW_AUTHBY, KW_EAP, @@ -76,6 +76,10 @@ typedef enum { KW_IKELIFETIME, KW_KEYLIFE, KW_REKEYMARGIN, + KW_LIFEBYTES, + KW_MARGINBYTES, + KW_LIFEPACKETS, + KW_MARGINPACKETS, KW_KEYINGTRIES, KW_REKEYFUZZ, KW_REKEY, @@ -86,6 +90,7 @@ typedef enum { KW_DPDDELAY, KW_DPDTIMEOUT, KW_DPDACTION, + KW_INACTIVITY, KW_MODECONFIG, KW_XAUTH, KW_MEDIATION, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 66c894850..adf3069bf 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -64,6 +64,12 @@ auth, KW_AUTH authby, KW_AUTHBY keylife, KW_KEYLIFE rekeymargin, KW_REKEYMARGIN +lifetime, KW_KEYLIFE +margintime, KW_REKEYMARGIN +lifebytes, KW_LIFEBYTES +marginbytes, KW_MARGINBYTES +lifepackets, KW_LIFEPACKETS +marginpackets, KW_MARGINPACKETS ikelifetime, KW_IKELIFETIME keyingtries, KW_KEYINGTRIES rekeyfuzz, KW_REKEYFUZZ @@ -75,6 +81,7 @@ pfsgroup, KW_PFSGROUP dpddelay, KW_DPDDELAY dpdtimeout, KW_DPDTIMEOUT dpdaction, KW_DPDACTION +inactivity, KW_INACTIVITY modeconfig, KW_MODECONFIG xauth, KW_XAUTH mediation, KW_MEDIATION diff --git a/src/starter/klips.c b/src/starter/klips.c index 061dee50c..79bd25c44 100644 --- a/src/starter/klips.c +++ b/src/starter/klips.c @@ -46,7 +46,7 @@ starter_klips_init(void) return FALSE; } } - + /* load crypto algorithm modules */ ignore_result(system("modprobe -qv ipsec_aes")); ignore_result(system("modprobe -qv ipsec_blowfish")); @@ -55,7 +55,7 @@ starter_klips_init(void) DBG(DBG_CONTROL, DBG_log("Found KLIPS IPsec stack") ) - + return TRUE; } diff --git a/src/starter/klips.h b/src/starter/klips.h index e93348df1..1a527d108 100644 --- a/src/starter/klips.h +++ b/src/starter/klips.h 
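Review bot: KW_LIFEBYTES, KW_MARGINBYTES, KW_LIFEPACKETS and KW_MARGINPACKETS are inserted in the middle of the enum rather than appended, and KW_INACTIVITY likewise in the hunk at -86; the starter indexes `token_info[token]` by this enum and bounds keyword groups with `KW_SETUP_FIRST`/`KW_SETUP_LAST`-style range checks (both visible in the args.c and confread.c hunks above), so the token_info[] table in args.c must gain entries at exactly these positions. The first args.c hunk in this commit starts 11 lines later on the new side than on the old, which is consistent with that having been done, but the table itself is outside this view and worth checking. A comment on the enum such as `/* order must match token_info[] in args.c */` would keep the next insertion from silently shifting every later keyword's argument type.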
@@ -1,4 +1,4 @@
-/* strongSwan KLIPS initialization and cleanup
+/* strongSwan KLIPS initialization and cleanup
 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
 *
 * This program is free software; you can redistribute it and/or modify it
diff --git a/src/starter/netkey.h b/src/starter/netkey.h
index 55f6a7c47..c12924174 100644
--- a/src/starter/netkey.h
+++ b/src/starter/netkey.h
@@ -1,4 +1,4 @@
-/* strongSwan netkey initialization and cleanup
+/* strongSwan netkey initialization and cleanup
 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
 *
 * This program is free software; you can redistribute it and/or modify it
diff --git a/src/starter/starter.c b/src/starter/starter.c
index b675ccf1c..0aab76d43 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -163,7 +163,7 @@ static void fsig(int signal)
 static void generate_selfcert()
 {
 struct stat stb;
-
+
 /* if ipsec.secrets file is missing then generate RSA default key pair */
 if (stat(SECRETS_FILE, &stb) != 0)
 {
@@ -176,7 +176,7 @@ static void generate_selfcert()
 {
 char buf[1024];
 struct group group, *grp;
-
+
 if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) == 0 && grp)
 {
 gid = grp->gr_gid;
@@ -187,7 +187,7 @@ static void generate_selfcert()
 {
 char buf[1024];
 struct passwd passwd, *pwp;
-
+
 if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) == 0 && pwp)
 {
 uid = pwp->pw_uid;
@@ -353,14 +353,14 @@ int main (int argc, char **argv)
 }
 }
-last_reload = time(NULL);
+last_reload = time_monotonic(NULL);
 if (stat(STARTER_PID_FILE, &stb) == 0)
 {
 plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
 exit(LSB_RC_SUCCESS);
 }
-
+
 generate_selfcert();
 /* fork if we're not debugging stuff */
@@ -381,7 +381,7 @@ int main (int argc, char **argv)
 dup2(fnull, STDERR_FILENO);
 close(fnull);
 }
-setsid();
+setsid();
 }
 break;
 case -1:
@@ -491,7 +491,7 @@ int main (int argc, char **argv)
 _action_ |= FLAG_ACTION_LISTEN;
 }
-if (!starter_cmp_pluto(cfg, new_cfg))
+if (!starter_cmp_pluto(cfg, new_cfg))
 {
 plog("Pluto has changed");
 if (starter_pluto_pid())
@@ -582,7 +582,7 @@ int main (int argc, char **argv)
 }
 }
 _action_ &= ~FLAG_ACTION_UPDATE;
-last_reload = time(NULL);
+last_reload = time_monotonic(NULL);
 }
 /*
@@ -620,7 +620,7 @@ int main (int argc, char **argv)
 conn->state = STATE_TO_ADD;
 }
 }
-
+
 /*
 * Start charon
 */
@@ -736,7 +736,7 @@ int main (int argc, char **argv)
 */
 if (auto_update)
 {
-time_t now = time(NULL);
+time_t now = time_monotonic(NULL);
 tv.tv_sec = (now < last_reload + auto_update) ? (last_reload + auto_update-now) : 0;
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 054e37fa7..665350c00 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -81,7 +81,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
 ctl_addr.sun_family = AF_UNIX;
 strcpy(ctl_addr.sun_path, CHARON_CTL_FILE);
-
+
 /* starter is not called from commandline, and therefore absolutely silent */
 msg->output_verbosity = -1;
@@ -173,7 +173,7 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
 static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
 {
 char buffer[INET6_ADDRSTRLEN];
-
+
 msg_end->auth = push_string(msg, conn_end->auth);
 msg_end->auth2 = push_string(msg, conn_end->auth2);
 msg_end->id = push_string(msg, conn_end->id);
@@ -187,45 +187,13 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
 msg_end->address = push_string(msg, buffer);
 msg_end->subnets = push_string(msg, conn_end->subnet);
+msg_end->sourceip = push_string(msg, conn_end->sourceip);
+msg_end->sourceip_mask = conn_end->sourceip_mask;
 msg_end->sendcert = conn_end->sendcert;
 msg_end->hostaccess = conn_end->hostaccess;
 msg_end->tohost = !conn_end->has_client;
 msg_end->protocol = conn_end->protocol;
 msg_end->port = conn_end->port;
-if (conn_end->srcip)
-{
-if (conn_end->srcip[0] == '%')
-{ /* %poolname, strip % */
-msg_end->sourceip_size = 0;
-msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
-}
-else
-{
-char *pos = strchr(conn_end->srcip, '/');
-if (pos)
-{ /* CIDR subnet definition */
-snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
-msg_end->sourceip = push_string(msg, buffer);
-msg_end->sourceip_size = atoi(pos + 1);
-}
-else
-{ /* a single address */
-msg_end->sourceip = push_string(msg, conn_end->srcip);
-if (strchr(conn_end->srcip, ':'))
-{ /* IPv6 */
-msg_end->sourceip_size = 128;
-}
-else
-{ /* IPv4 */
-msg_end->sourceip_size = 32;
-}
-}
-}
-}
-else if (conn_end->modecfg)
-{
-msg_end->sourceip_size = 1;
-}
 }
 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
@@ -237,7 +205,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 msg.length = offsetof(stroke_msg_t, buffer);
 msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
 msg.add_conn.name = push_string(&msg, connection_name(conn));
-
+
 /* PUBKEY is preferred to PSK and EAP */
 if (conn->policy & POLICY_PUBKEY)
 {
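Review bot: The removed `else if (conn_end->modecfg)` branch, which requested a virtual IP by setting `sourceip_size = 1` when no source address was configured, has no counterpart in the new lines: the end now forwards `conn_end->sourceip` and `sourceip_mask` unchanged. Unless confread.c (in the diffstat, outside this view) now folds the mode-config-only case and the old `%poolname` form into those two fields, peers relying on either would silently stop requesting or offering addresses, so that mapping is worth verifying. A comment on the two added assignments, `/* sourceip/sourceip_mask arrive pre-parsed; %pool and CIDR handling no longer lives here — TODO confirm confread covers the modecfg-only case */`, would record where the logic moved. The opening lines of starter_stroke_add_end are outside this hunk.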
@@ -254,7 +222,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 msg.add_conn.eap_type = conn->eap_type;
 msg.add_conn.eap_vendor = conn->eap_vendor;
 msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
-
+
 if (conn->policy & POLICY_TUNNEL)
 {
 msg.add_conn.mode = MODE_TUNNEL;
@@ -267,7 +235,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 {
 msg.add_conn.mode = MODE_TRANSPORT;
 msg.add_conn.proxy_mode = TRUE;
-}
+}
 else
 {
 msg.add_conn.mode = MODE_TRANSPORT;
@@ -279,12 +247,16 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
+msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
+msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
+msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
+msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
 msg.add_conn.rekey.tries = conn->sa_keying_tries;
 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
 }
-msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
-msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
-msg.add_conn.ipcomp = conn->policy & POLICY_COMPRESS;
+msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;
+msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
+msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
 msg.add_conn.install_policy = conn->install_policy;
 msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
 msg.add_conn.unique = cfg->setup.uniqueids;
@@ -292,6 +264,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
 msg.add_conn.dpd.delay = conn->dpd_delay;
 msg.add_conn.dpd.action = conn->dpd_action;
+msg.add_conn.inactivity = conn->inactivity;
 msg.add_conn.ikeme.mediation = conn->me_mediation;
 msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
 msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
@@ -361,7 +334,7 @@ int starter_stroke_del_ca(starter_ca_t *ca)
 int starter_stroke_configure(starter_config_t *cfg)
 {
 stroke_msg_t msg;
-
+
 if (cfg->setup.cachecrls)
 {
 msg.type = STR_CONFIG;
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 44b442ae2..67916395f 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -33,8 +33,7 @@
 #define ip_version(string) (strchr(string, '.') ? AF_INET : AF_INET6)
-static int
-pack_str (char **p, char **next, char **roof)
+static int pack_str (char **p, char **next, char **roof)
 {
 const char *s = (*p==NULL) ? "" : *p; /* note: NULL becomes ""! */
 size_t len = strlen(s) + 1;
@@ -52,8 +51,7 @@ pack_str (char **p, char **next, char **roof)
 }
 }
-static int
-send_whack_msg (whack_message_t *msg)
+static int send_whack_msg (whack_message_t *msg)
 {
 struct sockaddr_un ctl_addr;
 int sock;
@@ -67,37 +65,41 @@ send_whack_msg (whack_message_t *msg)
 str_next = (char *)msg->string;
 str_roof = (char *)&msg->string[sizeof(msg->string)];
-if (!pack_str(&msg->name, &str_next, &str_roof)
-|| !pack_str(&msg->left.id, &str_next, &str_roof)
-|| !pack_str(&msg->left.cert, &str_next, &str_roof)
-|| !pack_str(&msg->left.ca, &str_next, &str_roof)
-|| !pack_str(&msg->left.groups, &str_next, &str_roof)
-|| !pack_str(&msg->left.updown, &str_next, &str_roof)
-|| !pack_str(&msg->left.virt, &str_next, &str_roof)
-|| !pack_str(&msg->right.id, &str_next, &str_roof)
-|| !pack_str(&msg->right.cert, &str_next, &str_roof)
-|| !pack_str(&msg->right.ca, &str_next, &str_roof)
-|| !pack_str(&msg->right.groups, &str_next, &str_roof)
-|| !pack_str(&msg->right.updown, &str_next, &str_roof)
-|| !pack_str(&msg->right.virt, &str_next, &str_roof)
-|| !pack_str(&msg->keyid, &str_next, &str_roof)
-|| !pack_str(&msg->myid, &str_next, &str_roof)
-|| !pack_str(&msg->cacert, &str_next, &str_roof)
-|| !pack_str(&msg->ldaphost, &str_next, &str_roof)
-|| !pack_str(&msg->ldapbase, &str_next, &str_roof)
-|| !pack_str(&msg->crluri, &str_next, &str_roof)
-|| !pack_str(&msg->crluri2, &str_next, &str_roof)
-|| !pack_str(&msg->ocspuri, &str_next, &str_roof)
-|| !pack_str(&msg->ike, &str_next, &str_roof)
-|| !pack_str(&msg->esp, &str_next, &str_roof)
-|| !pack_str(&msg->sc_data, &str_next, &str_roof)
-|| (str_roof - str_next < msg->keyval.len))
+if (!pack_str(&msg->name, &str_next, &str_roof)
+|| !pack_str(&msg->left.id, &str_next, &str_roof)
+|| !pack_str(&msg->left.cert, &str_next, &str_roof)
+|| !pack_str(&msg->left.ca, &str_next, &str_roof)
+|| !pack_str(&msg->left.groups, &str_next, &str_roof)
+|| !pack_str(&msg->left.updown, &str_next, &str_roof)
+|| !pack_str(&msg->left.sourceip, &str_next, &str_roof)
+|| !pack_str(&msg->left.virt, &str_next, &str_roof)
+|| !pack_str(&msg->right.id, &str_next, &str_roof)
+|| !pack_str(&msg->right.cert, &str_next, &str_roof)
+|| !pack_str(&msg->right.ca, &str_next, &str_roof)
+|| !pack_str(&msg->right.groups, &str_next, &str_roof)
+|| !pack_str(&msg->right.updown, &str_next, &str_roof)
+|| !pack_str(&msg->right.sourceip, &str_next, &str_roof)
+|| !pack_str(&msg->right.virt, &str_next, &str_roof)
+|| !pack_str(&msg->keyid, &str_next, &str_roof)
+|| !pack_str(&msg->myid, &str_next, &str_roof)
+|| !pack_str(&msg->cacert, &str_next, &str_roof)
+|| !pack_str(&msg->ldaphost, &str_next, &str_roof)
+|| !pack_str(&msg->ldapbase, &str_next, &str_roof)
+|| !pack_str(&msg->crluri, &str_next, &str_roof)
+|| !pack_str(&msg->crluri2, &str_next, &str_roof)
+|| !pack_str(&msg->ocspuri, &str_next, &str_roof)
+|| !pack_str(&msg->ike, &str_next, &str_roof)
+|| !pack_str(&msg->esp, &str_next, &str_roof)
+|| !pack_str(&msg->sc_data, &str_next, &str_roof)
+|| (str_roof - str_next < msg->keyval.len))
 {
 plog("send_wack_msg(): can't pack strings");
 return -1;
 }
 if (msg->keyval.ptr)
+{
 memcpy(str_next, msg->keyval.ptr, msg->keyval.len);
+}
 msg->keyval.ptr = NULL;
 str_next += msg->keyval.len;
 len = str_next - (char *)msg;
@@ -130,15 +132,13 @@ send_whack_msg (whack_message_t *msg)
 return 0;
 }
-static void
-init_whack_msg(whack_message_t *msg)
+static void init_whack_msg(whack_message_t *msg)
 {
 memset(msg, 0, sizeof(whack_message_t));
 msg->magic = WHACK_MAGIC;
 }
-static char *
-connection_name(starter_conn_t *conn)
+static char *connection_name(starter_conn_t *conn)
 {
 /* if connection name is '%auto', create a new name like conn_xxxxx */
 static char buf[32];
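Review bot: The final guard `(str_roof - str_next < msg->keyval.len)` compares a ptrdiff_t with keyval.len; if keyval is a libstrongswan chunk_t its len is a size_t, so the signed difference is converted to unsigned before the compare. That is harmless today only because pack_str never lets str_next pass str_roof, and an explicit cast, `|| ((size_t)(str_roof - str_next) < msg->keyval.len))`, states the invariant instead of relying on it. The log text `send_wack_msg()` is misspelled and survives the rewrite; `send_whack_msg()` would match the function name. send_whack_msg's prologue and socket handling are outside this hunk.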
@@ -151,34 +151,26 @@ connection_name(starter_conn_t *conn)
 return conn->name;
 }
-static void
-set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
-{
-if (end->srcip && end->srcip[0] != '%')
-{
-int len = 0;
-char *pos;
-
-pos = strchr(end->srcip, '/');
-if (pos)
-{
-/* use first address only for pluto */
-len = pos - end->srcip;
-}
-w->has_srcip = !end->has_natip;
-ttoaddr(end->srcip, len, ip_version(end->srcip), &w->host_srcip);
-}
-else
-{
-anyaddr(AF_INET, &w->host_srcip);
-}
-
+static void set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
+{
 w->id = end->id;
 w->cert = end->cert;
 w->ca = end->ca;
 w->groups = end->groups;
 w->host_addr = end->addr;
 w->has_client = end->has_client;
+w->sourceip = end->sourceip;
+w->sourceip_mask = end->sourceip_mask;
+
+if (end->sourceip && end->sourceip_mask > 0)
+{
+ttoaddr(end->sourceip, 0, ip_version(end->sourceip), &w->host_srcip);
+w->has_srcip = !end->has_natip;
+}
+else
+{
+anyaddr(AF_INET, &w->host_srcip);
+}
 if (family == AF_INET6 && isanyaddr(&end->nexthop))
 {
@@ -234,13 +226,14 @@ starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
 {
 const char *err;
 static char keyspace[1024 + 4];
+char buf[ADDRTOT_BUF];
 whack_message_t msg;
 init_whack_msg(&msg);
 msg.whack_key = TRUE;
 msg.pubkey_alg = PUBKEY_ALG_RSA;
-if (end->id && end->rsakey)
+if (end->rsakey)
 {
 /* special values to ignore */
 if (streq(end->rsakey, "")
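Review bot: The return value of `ttoaddr()` is discarded on the new line that parses `end->sourceip`, so a value that fails to parse leaves `w->host_srcip` in whatever state ttoaddr left it while `w->has_srcip` is still set from `!end->has_natip`; the removed code had the same gap, but the rewrite is the moment to close it, and the file already reports parse failures through plog() elsewhere. Checking the result and falling back to anyaddr() keeps the message sent to pluto well-formed. The `sourceip_mask > 0` test also silently treats a configured sourceip with a zero mask as absent — presumably the non-address (pool name) encoding coming from confread, which a comment such as `/* mask 0: sourceip is not an address (e.g. a pool name), nothing to resolve — TODO confirm */` should state if that is the case. set_whack_end continues past the end of this hunk.
```c
	if (end->sourceip && end->sourceip_mask > 0)
	{
		const char *ugh = ttoaddr(end->sourceip, 0, ip_version(end->sourceip),
								  &w->host_srcip);

		if (ugh)
		{
			plog("sourceip '%s' could not be parsed [%s]", end->sourceip, ugh);
			anyaddr(AF_INET, &w->host_srcip);
		}
		else
		{
			w->has_srcip = !end->has_natip;
		}
	}
	/* … unchanged: else branch (anyaddr) and nexthop handling … */
```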
@@ -250,24 +243,28 @@ starter_whack_add_pubkey (starter_conn_t *conn, starter_end_t *end
 {
 return 0;
 }
-msg.keyid = end->id;
 err = atobytes(end->rsakey, 0, keyspace, sizeof(keyspace), &msg.keyval.len);
 if (err)
 {
 plog("conn %s/%s: rsakey malformed [%s]", connection_name(conn), lr, err);
 return 1;
 }
+if (end->id)
+{
+msg.keyid = end->id;
+}
 else
 {
-msg.keyval.ptr = keyspace;
-return send_whack_msg(&msg);
+addrtot(&end->addr, 0, buf, sizeof(buf));
+msg.keyid = buf;
 }
+msg.keyval.ptr = keyspace;
+return send_whack_msg(&msg);
 }
 return 0;
 }
-int
-starter_whack_add_conn(starter_conn_t *conn)
+int starter_whack_add_conn(starter_conn_t *conn)
 {
 whack_message_t msg;
 int r;
@@ -332,8 +329,7 @@ starter_whack_add_conn(starter_conn_t *conn)
 return r;
 }
-int
-starter_whack_del_conn(starter_conn_t *conn)
+int starter_whack_del_conn(starter_conn_t *conn)
 {
 whack_message_t msg;
@@ -343,8 +339,7 @@ starter_whack_del_conn(starter_conn_t *conn)
 return send_whack_msg(&msg);
 }
-int
-starter_whack_route_conn(starter_conn_t *conn)
+int starter_whack_route_conn(starter_conn_t *conn)
 {
 whack_message_t msg;
@@ -354,8 +349,7 @@ starter_whack_route_conn(starter_conn_t *conn)
 return send_whack_msg(&msg);
 }
-int
-starter_whack_initiate_conn(starter_conn_t *conn)
+int starter_whack_initiate_conn(starter_conn_t *conn)
 {
 whack_message_t msg;
@@ -366,8 +360,7 @@ starter_whack_initiate_conn(starter_conn_t *conn)
 return send_whack_msg(&msg);
 }
-int
-starter_whack_listen(void)
+int starter_whack_listen(void)
 {
 whack_message_t msg;
 init_whack_msg(&msg);
@@ -384,8 +377,7 @@ int starter_whack_shutdown(void)
 return send_whack_msg(&msg);
 }
-int
-starter_whack_add_ca(starter_ca_t *ca)
+int starter_whack_add_ca(starter_ca_t *ca)
 {
 whack_message_t msg;
@@ -404,8 +396,7 @@ starter_whack_add_ca(starter_ca_t *ca)
 return send_whack_msg(&msg);
 }
-int
-starter_whack_del_ca(starter_ca_t *ca)
+int starter_whack_del_ca(starter_ca_t *ca)
 {
 whack_message_t msg; |
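Review bot: The new fallback makes `msg.keyid` point at the stack buffer `buf` filled by `addrtot(&end->addr, …)`; that is safe only because send_whack_msg() packs the string before this function returns, and the assignment deserves a comment saying so, `/* no id configured: key the entry by the end's textual address; send_whack_msg() copies it before we return */`. When `end->addr` is still unresolved the text is the any-address, so the key would be registered under an address that never matches a peer — presumably such ends are filtered by the caller, but a guard like `if (end->id) … else if (!isanyaddr(&end->addr)) …` (isanyaddr is already used in this file) would make that explicit. The function's outer return path is inside the hunk but its caller is not visible here.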