Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/Makefile.in15
-rw-r--r--src/starter/args.c8
-rw-r--r--src/starter/confread.h40
-rw-r--r--src/starter/invokecharon.c17
-rw-r--r--src/starter/invokepluto.c5
-rw-r--r--src/starter/ipsec.conf.518
-rw-r--r--src/starter/starterstroke.c3
-rw-r--r--src/starter/y.tab.c2
-rw-r--r--src/starter/y.tab.h2
9 files changed, 81 insertions, 29 deletions
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 80410a205..432b3d6d5 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -121,6 +121,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -133,6 +134,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -143,8 +145,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -166,6 +172,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -175,6 +182,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -188,9 +197,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -205,6 +218,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
diff --git a/src/starter/args.c b/src/starter/args.c
index 82e957f59..fb8424841 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -61,6 +61,12 @@ static const char *LST_sendcert[] = {
NULL
};
+static const char *LST_strict[] = {
+ "no",
+ "yes",
+ "ifuri",
+ NULL
+};
static const char *LST_dpd_action[] = {
"none",
"clear",
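Review bot: The position of each entry in LST_strict is a hidden contract with the strict_t enum this commit adds in confread.h (STRICT_NO, STRICT_YES, STRICT_IFURI) and with the `== STRICT_IFURI` comparison in invokecharon.c, but nothing at the table says so; a future reordering or insertion would silently change which policy a keyword maps to. Add `/* index order must match strict_t in confread.h: no, yes, ifuri */` above the table. This assumes ARG_ENUM stores the index of the matched entry, which the visible code does not show explicitly. The new `ifuri` keyword for strictcrlpolicy is also not described in the ipsec.conf.5 hunks of this diff, which only touch sourceip, ike and esp; it should get a sentence there.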
@@ -160,7 +166,7 @@ static const token_info_t token_info[] =
{ ARG_UINT, offsetof(starter_config_t, setup.overridemtu), NULL },
{ ARG_TIME, offsetof(starter_config_t, setup.crlcheckinterval), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.cachecrls), LST_bool },
- { ARG_ENUM, offsetof(starter_config_t, setup.strictcrlpolicy), LST_bool },
+ { ARG_ENUM, offsetof(starter_config_t, setup.strictcrlpolicy), LST_strict },
{ ARG_ENUM, offsetof(starter_config_t, setup.nocrsend), LST_bool },
{ ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool },
{ ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL },
diff --git a/src/starter/confread.h b/src/starter/confread.h
index e0de68376..2fe75fcc6 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -46,6 +46,12 @@ typedef enum {
KEY_EXCHANGE_IKEV2
} keyexchange_t;
+typedef enum {
+ STRICT_NO,
+ STRICT_YES,
+ STRICT_IFURI
+} strict_t;
+
typedef struct starter_end starter_end_t;
struct starter_end {
@@ -156,23 +162,23 @@ struct starter_config {
bool plutostart;
/* pluto/charon keywords */
- char **plutodebug;
- char *charondebug;
- char *prepluto;
- char *postpluto;
- bool uniqueids;
- u_int overridemtu;
- u_int crlcheckinterval;
- bool cachecrls;
- bool strictcrlpolicy;
- bool nocrsend;
- bool nat_traversal;
- u_int keep_alive;
- char *virtual_private;
- char *eapdir;
- char *pkcs11module;
- bool pkcs11keepstate;
- bool pkcs11proxy;
+ char **plutodebug;
+ char *charondebug;
+ char *prepluto;
+ char *postpluto;
+ bool uniqueids;
+ u_int overridemtu;
+ u_int crlcheckinterval;
+ bool cachecrls;
+ strict_t strictcrlpolicy;
+ bool nocrsend;
+ bool nat_traversal;
+ u_int keep_alive;
+ char *virtual_private;
+ char *eapdir;
+ char *pkcs11module;
+ bool pkcs11keepstate;
+ bool pkcs11proxy;
/* KLIPS keywords */
char **klipsdebug;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index e97c8388b..48cb4151b 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -100,6 +100,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
{
int pid, i;
struct stat stb;
+ char buffer[BUF_LEN], buffer1[BUF_LEN];
int argc = 1;
char *arg[] = {
CHARON_CMD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
@@ -115,6 +116,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
if (cfg->setup.strictcrlpolicy)
{
arg[argc++] = "--strictcrlpolicy";
+ arg[argc++] = cfg->setup.strictcrlpolicy == STRICT_IFURI ? "2":"1";
}
if (cfg->setup.cachecrls)
{
@@ -122,11 +124,9 @@ starter_start_charon (starter_config_t *cfg, bool debug)
}
if (cfg->setup.crlcheckinterval > 0)
{
- char buffer[BUF_LEN];
-
- snprintf(buffer, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
+ snprintf(buffer1, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
arg[argc++] = "--crlcheckinterval";
- arg[argc++] = buffer;
+ arg[argc++] = buffer1;
}
if (cfg->setup.eapdir)
{
@@ -135,7 +135,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
}
{ /* parse debug string */
- char *pos, *level, *buf_pos, type[4], buffer[BUF_LEN];
+ char *pos, *level, *buf_pos, type[4];
pos = cfg->setup.charondebug;
buf_pos = buffer;
while (pos && sscanf(pos, "%4s %d,", type, &level) == 2)
@@ -181,7 +181,11 @@ starter_start_charon (starter_config_t *cfg, bool debug)
FILE *f;
plog("no %s file, generating RSA key", SECRETS_FILE);
+ seteuid(IPSEC_UID);
+ setegid(IPSEC_GID);
system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
+ seteuid(0);
+ setegid(0);
/* ipsec.secrets is root readable only */
oldmask = umask(0066);
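Review bot: The privilege drop around system() is ordered wrong and unchecked: after seteuid(IPSEC_UID) succeeds the process is no longer effectively root, so on Linux the subsequent setegid(IPSEC_GID) is likely to fail with EPERM and scepclient then runs with gid 0 — and none of the four return values is tested, so this goes unnoticed. Change the group first and report failure, e.g. `if (setegid(IPSEC_GID) != 0 || seteuid(IPSEC_UID) != 0) plog("can't drop privileges for scepclient: %s", strerror(errno));`, and check the seteuid(0)/setegid(0) restore the same way. Since only the effective IDs change and real/saved uid stay 0, the spawned shell and scepclient can seteuid(0) back at will; this is file-ownership hygiene for the generated key, not a security boundary, and a comment such as `/* effective IDs only: makes generated files owned by IPSEC_UID, not a sandbox */` should say so. The enclosing starter_start_charon continues outside this hunk.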
@@ -194,6 +198,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
fprintf(f, ": RSA myKey.der\n");
fclose(f);
}
+ chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID);
umask(oldmask);
}
@@ -207,6 +212,8 @@ starter_start_charon (starter_config_t *cfg, bool debug)
/* child */
setsid();
sigprocmask(SIG_SETMASK, 0, NULL);
+ /* disable glibc's malloc checker, conflicts with leak detective */
+ setenv("MALLOC_CHECK_", "0", 1);
execv(arg[0], arg);
plog("can't execv(%s,...): %s", arg[0], strerror(errno));
exit(1);
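Review bot: setenv("MALLOC_CHECK_", "0", 1) runs on every charon start, so it switches off glibc's heap-consistency checking for production daemons too, even though the comment gives only the leak-detective build as the reason; that checking is a runtime hardening that aborts on some heap-corruption patterns, and an administrator's own MALLOC_CHECK_ setting is clobbered by the overwrite flag. Gate the call on whatever preprocessor symbol the leak-detective build defines (the Makefile only shows USE_LEAK_DETECTIVE_TRUE, so the C-level name is not visible here) and reword the comment to `/* leak detective only: glibc's malloc checker conflicts with its hooks */`. The setenv return value is also unchecked, though a failure here is unlikely to matter before execv.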
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index 1b11b4a10..240d98391 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -216,7 +216,11 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
FILE *f;
plog("no %s file, generating RSA key", SECRETS_FILE);
+ seteuid(IPSEC_UID);
+ setegid(IPSEC_GID);
system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
+ seteuid(0);
+ setegid(0);
/* ipsec.secrets is root readable only */
oldmask = umask(0066);
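Review bot: The seteuid(IPSEC_UID)/setegid(IPSEC_GID) pair around system() has the same two problems as the identical code added to invokecharon.c: the uid is dropped before the gid, so on Linux the setegid call is likely to fail with EPERM once the process is no longer effectively root, and no return value is checked, so scepclient may silently run with gid 0. Swap the order and report failure, e.g. `if (setegid(IPSEC_GID) != 0 || seteuid(IPSEC_UID) != 0) plog("can't drop privileges for scepclient: %s", strerror(errno));`, and check the restore as well. Real and saved uid remain 0, so this is ownership hygiene rather than a privilege boundary and should be commented as such. The enclosing starter_start_pluto continues outside this hunk.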
@@ -229,6 +233,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
fprintf(f, ": RSA myKey.der\n");
fclose(f);
}
+ chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID);
umask(oldmask);
}
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 3e59190e3..c80c5166b 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -600,7 +600,16 @@ value is
.B %modeconfig
or
.B %config,
-an address is requested from the peer.
+an address is requested from the peer. In IKEv2, a defined address is requested,
+but the server may change it. If the server does not support it, the address
+is enforced.
+.TP
+.B rightsourceip
+The internal source IP to use in a tunnel for the remote peer. If the
+value is
+.B %config
+on the responder side, the initiator must propose a address which is then echoed
+back.
.TP
.B leftsubnetwithin
Not relevant for IKEv2, as subnets are narrowed.
@@ -678,13 +687,16 @@ Relevant only locally, other end need not agree on it.
.B ike
IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g.
.B aes128-sha1-modp2048
-(encryption-integrity-dhgroup).
+(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals
+may be included, such as
+.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
.TP
.B esp
ESP encryption/authentication algorithm to be used
for the connection, e.g.
.B 3des-md5
-(encryption-integrity).
+(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup
+and rekeying include a separate diffe hellman exchange (IKEv2 only).
.TP
.B ah
AH authentication algorithm to be used
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index fb8e74b8c..13c2f4326 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -156,6 +156,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
msg_end->id = push_string(msg, conn_end->id);
msg_end->cert = push_string(msg, conn_end->cert);
msg_end->ca = push_string(msg, conn_end->ca);
+ msg_end->groups = push_string(msg, conn_end->groups);
msg_end->updown = push_string(msg, conn_end->updown);
ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
msg_end->address = push_string(msg, buffer);
@@ -167,7 +168,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
msg_end->tohost = !conn_end->has_client;
msg_end->protocol = conn_end->protocol;
msg_end->port = conn_end->port;
- msg_end->virtual_ip = conn_end->modecfg;
+ msg_end->virtual_ip = conn_end->modecfg || conn_end->has_srcip;
ip_address2string(&conn_end->srcip, buffer, sizeof(buffer));
msg_end->sourceip = push_string(msg, buffer);
}
diff --git a/src/starter/y.tab.c b/src/starter/y.tab.c
index 11a0373e9..49da832c0 100644
--- a/src/starter/y.tab.c
+++ b/src/starter/y.tab.c
@@ -172,7 +172,7 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
typedef union YYSTYPE
#line 56 "parser.y"
{ char *s; }
-/* Line 193 of yacc.c. */
+/* Line 187 of yacc.c. */
#line 177 "y.tab.c"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
diff --git a/src/starter/y.tab.h b/src/starter/y.tab.h
index 4b55cb005..b4352e6b4 100644
--- a/src/starter/y.tab.h
+++ b/src/starter/y.tab.h
@@ -70,7 +70,7 @@
typedef union YYSTYPE
#line 56 "parser.y"
{ char *s; }
-/* Line 1528 of yacc.c. */
+/* Line 1488 of yacc.c. */
#line 75 "y.tab.h"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */