Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/Makefile.am20
-rw-r--r--src/starter/Makefile.in25
-rw-r--r--src/starter/args.c3
-rw-r--r--src/starter/confread.c31
-rw-r--r--src/starter/confread.h4
-rw-r--r--src/starter/files.h5
-rw-r--r--src/starter/invokepluto.c6
-rw-r--r--src/starter/ipsec.conf.522
-rw-r--r--src/starter/keywords.c7
-rw-r--r--src/starter/keywords.h3
-rw-r--r--src/starter/keywords.txt3
-rw-r--r--src/starter/klips.c82
-rw-r--r--src/starter/klips.h24
-rw-r--r--src/starter/lex.yy.c43
-rw-r--r--src/starter/netkey.c22
-rw-r--r--src/starter/parser.l3
-rw-r--r--src/starter/starter.c13
-rw-r--r--src/starter/starterstroke.c36
18 files changed, 265 insertions, 87 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index e6346a585..5ee614f1b 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -1,13 +1,13 @@
ipsec_PROGRAMS = starter
starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
+starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h lex.yy.c loglite.c
+exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
-starter_LDADD = defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a
EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
dist_man_MANS = ipsec.conf.5 starter.8
MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
@@ -15,17 +15,17 @@ MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
PLUTODIR=$(top_srcdir)/src/pluto
SCEPCLIENTDIR=$(top_srcdir)/src/scepclient
-lex.yy.c: y.tab.c parser.l parser.y parser.h
- $(LEX) --nounput parser.l
+lex.yy.c: parser.l parser.y parser.h y.tab.c
+ $(LEX) --nounput $<
-y.tab.c: parser.l parser.y parser.h
- $(YACC) -v -d parser.y
+y.tab.c: parser.y parser.l parser.h
+ $(YACC) -v -d $<
-y.tab.h: parser.l parser.y parser.h
- $(YACC) -v -d parser.y
+y.tab.h: parser.y parser.l parser.h
+ $(YACC) -v -d $<
keywords.c: keywords.txt keywords.h
- $(GPERF) -C -G -t < keywords.txt > keywords.c
+ $(GPERF) -C -G -t < $< > $@
defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
$(COMPILE) -c -o $@ $<
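Review bot: y.tab.c and y.tab.h are still two independent rules whose recipes both run `$(YACC) -v -d $<` and both write y.tab.c and y.tab.h, so under `make -j` the two can run concurrently and overwrite each other's output. One rule should produce both: keep the y.tab.c rule and replace the y.tab.h rule with `y.tab.h: y.tab.c ;` (an empty recipe) so the header is only ever regenerated through the y.tab.c rule. The keywords.c recipe redirects gperf straight into `$@`, so a failing gperf leaves a truncated but newer keywords.c that the next run treats as up to date; `$(GPERF) -C -G -t < $< > $@.tmp && mv -f $@.tmp $@` (or a `.DELETE_ON_ERROR:` line) avoids that. The same rules are repeated in the generated Makefile.in hunk that follows.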
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 4150a60e7..446edf8c5 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -51,10 +51,10 @@ am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
invokepluto.$(OBJEXT) confread.$(OBJEXT) interfaces.$(OBJEXT) \
args.$(OBJEXT) keywords.$(OBJEXT) cmp.$(OBJEXT) \
starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \
- lex.yy.$(OBJEXT) loglite.$(OBJEXT)
+ lex.yy.$(OBJEXT) loglite.$(OBJEXT) klips.$(OBJEXT)
starter_OBJECTS = $(am_starter_OBJECTS)
starter_DEPENDENCIES = defs.o \
- $(top_srcdir)/src/libfreeswan/libfreeswan.a
+ $(top_builddir)/src/libfreeswan/libfreeswan.a
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -214,13 +214,13 @@ xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
-starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
+starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
-exec.h invokecharon.h lex.yy.c loglite.c
+exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
-starter_LDADD = defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a
EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
dist_man_MANS = ipsec.conf.5 starter.8
MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
@@ -305,6 +305,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokecharon.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokepluto.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keywords.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/klips.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.yy.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/netkey.Po@am__quote@
@@ -615,17 +616,17 @@ uninstall-man: uninstall-man5 uninstall-man8
uninstall-man8
-lex.yy.c: y.tab.c parser.l parser.y parser.h
- $(LEX) --nounput parser.l
+lex.yy.c: parser.l parser.y parser.h y.tab.c
+ $(LEX) --nounput $<
-y.tab.c: parser.l parser.y parser.h
- $(YACC) -v -d parser.y
+y.tab.c: parser.y parser.l parser.h
+ $(YACC) -v -d $<
-y.tab.h: parser.l parser.y parser.h
- $(YACC) -v -d parser.y
+y.tab.h: parser.y parser.l parser.h
+ $(YACC) -v -d $<
keywords.c: keywords.txt keywords.h
- $(GPERF) -C -G -t < keywords.txt > keywords.c
+ $(GPERF) -C -G -t < $< > $@
defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
$(COMPILE) -c -o $@ $<
diff --git a/src/starter/args.c b/src/starter/args.c
index 7af3b6310..c09bea986 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: args.c 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: args.c 4612 2008-11-11 06:37:37Z andreas $
*/
#include <stddef.h>
@@ -199,6 +199,7 @@ static const token_info_t token_info[] =
{ ARG_MISC, 0, NULL /* KW_TYPE */ },
{ ARG_MISC, 0, NULL /* KW_PFS */ },
{ ARG_MISC, 0, NULL /* KW_COMPRESS */ },
+ { ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool },
{ ARG_MISC, 0, NULL /* KW_AUTH */ },
{ ARG_MISC, 0, NULL /* KW_AUTHBY */ },
{ ARG_MISC, 0, NULL /* KW_EAP */ },
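Review bot: The new row is positional: it must sit at exactly the index of KW_INSTALLPOLICY in the kw_token_t enum (inserted after KW_COMPRESS in keywords.h in this commit), and unlike its neighbours it carries no comment naming the token, so a later reordering of either side would be hard to spot. Suggest `{ ARG_ENUM, offsetof(starter_conn_t, install_policy), LST_bool }, /* KW_INSTALLPOLICY */`. The token_info array starts before this hunk.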
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 959a98b77..1560266c1 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: confread.c 4269 2008-08-21 12:10:07Z martin $
+ * RCSID $Id: confread.c 4612 2008-11-11 06:37:37Z andreas $
*/
#include <stddef.h>
@@ -79,6 +79,7 @@ static void default_values(starter_config_t *cfg)
cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
cfg->conn_default.addr_family = AF_INET;
cfg->conn_default.tunnel_addr_family = AF_INET;
+ cfg->conn_default.install_policy = TRUE;
cfg->conn_default.dpd_delay = 30; /* seconds */
cfg->conn_default.dpd_timeout = 150; /* seconds */
@@ -497,15 +498,29 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
case KW_TYPE:
conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
if (streq(kw->value, "tunnel"))
+ {
conn->policy |= POLICY_TUNNEL;
+ }
else if (streq(kw->value, "beet"))
+ {
conn->policy |= POLICY_BEET;
+ }
+ else if (streq(kw->value, "transport_proxy"))
+ {
+ conn->policy |= POLICY_PROXY;
+ }
else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
+ {
conn->policy |= POLICY_SHUNT_PASS;
+ }
else if (streq(kw->value, "drop"))
+ {
conn->policy |= POLICY_SHUNT_DROP;
+ }
else if (streq(kw->value, "reject"))
+ {
conn->policy |= POLICY_SHUNT_REJECT;
+ }
else if (strcmp(kw->value, "transport") != 0)
{
plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
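Review bot: The mask cleared at the top of the KW_TYPE case, `conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);`, does not include the newly added POLICY_PROXY bit (nor POLICY_BEET), so once `type=transport_proxy` has been applied a later `type=` for the same conn (for instance one overriding inherited defaults) cannot remove it, unless POLICY_SHUNT_MASK already covers those bits. Suggest `conn->policy &= ~(POLICY_TUNNEL | POLICY_BEET | POLICY_PROXY | POLICY_SHUNT_MASK);`. Separately, the ipsec.conf.5 hunk in this commit documents the charon-supported type as `tunnel_proxy`, while this parser only accepts `transport_proxy`. load_conn continues on both sides of this hunk.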
@@ -530,21 +545,33 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
char *second = strchr(kw->value, '|');
if (second != NULL)
+ {
*second = '\0';
+ }
/* also handles the cases secret|rsasig and rsasig|secret */
for (;;)
{
if (streq(value, "rsa") || streq(value, "rsasig"))
+ {
conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT;
+ }
else if (streq(value, "secret") || streq(value, "psk"))
+ {
conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
+ }
else if (streq(value, "ecdsa") || streq(value, "ecdsasig"))
+ {
conn->policy |= POLICY_ECDSASIG | POLICY_ENCRYPT;
+ }
else if (streq(value, "xauthrsasig"))
+ {
conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
+ }
else if (streq(value, "xauthpsk"))
+ {
conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
+ }
else
{
plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
@@ -552,7 +579,9 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
break;
}
if (second == NULL)
+ {
break;
+ }
value = second;
second = NULL; /* traverse the loop no more than twice */
}
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 2c6e45984..24a8d073e 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: confread.h 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: confread.h 4612 2008-11-11 06:37:37Z andreas $
*/
#ifndef _IPSEC_CONFREAD_H_
@@ -114,7 +114,7 @@ struct starter_conn {
unsigned long sa_rekey_fuzz;
sa_family_t addr_family;
sa_family_t tunnel_addr_family;
-
+ bool install_policy;
starter_end_t left, right;
unsigned long id;
diff --git a/src/starter/files.h b/src/starter/files.h
index b21db8bd1..a40574594 100644
--- a/src/starter/files.h
+++ b/src/starter/files.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: files.h 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: files.h 4618 2008-11-11 09:22:00Z tobias $
*/
#ifndef _STARTER_FILES_H_
@@ -19,7 +19,8 @@
#define STARTER_PID_FILE IPSEC_PIDDIR "/starter.pid"
-#define PROC_NETKEY "/proc/net/pfkey"
+#define PROC_NETKEY "/proc/net/pfkey"
+#define PROC_KLIPS "/proc/net/pf_key"
#define PROC_MODULES "/proc/modules"
#define CONFIG_FILE IPSEC_CONFDIR "/ipsec.conf"
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index a3cf3a786..e18d6e38d 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: invokepluto.c 3942 2008-05-13 07:37:08Z martin $
+ * RCSID $Id: invokepluto.c 4632 2008-11-11 18:37:19Z martin $
*/
#include <sys/types.h>
@@ -215,7 +215,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork)
_stop_requested = 0;
if (cfg->setup.prepluto)
- system(cfg->setup.prepluto);
+ ignore_result(system(cfg->setup.prepluto));
pid = fork();
switch (pid)
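Review bot: `ignore_result(system(cfg->setup.prepluto))` silences the unused-result warning but also discards the exit status of an administrator-supplied hook, so a failing prepluto command leaves no trace in the log and pluto is forked anyway; the postpluto call in the next hunk has the same issue. Assuming plog is available here as it is in starter.c, `if (system(cfg->setup.prepluto) != 0) plog("prepluto command failed");` keeps the warning fixed and records the failure. starter_start_pluto continues outside this hunk.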
@@ -258,7 +258,7 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork)
DBG_log("pluto (%d) started", _pluto_pid)
)
if (cfg->setup.postpluto)
- system(cfg->setup.postpluto);
+ ignore_result(system(cfg->setup.postpluto));
return 0;
}
}
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 40ff27d0b..10ce8348e 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -1,5 +1,5 @@
.TH IPSEC.CONF 5 "27 Jun 2007"
-.\" RCSID $Id: ipsec.conf.5 4360 2008-09-30 12:36:58Z martin $
+.\" RCSID $Id: ipsec.conf.5 4645 2008-11-13 06:29:53Z andreas $
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
@@ -397,6 +397,15 @@ may be included, such as
how long the keying channel of a connection ('ISAKMP/IKE SA')
should last before being renegotiated.
.TP
+.B installpolicy
+decides whether IPsec policies are installed in the kernel by the IKEv2
+charon daemon for a given connection. Allows peaceful co-existence e.g. with
+the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
+Acceptable values are
+.B yes
+(the default) and
+.BR no .
+.TP
.B keyexchange
method of key exchange;
which protocol should be used to initialize the connection. Connections marked with
@@ -782,17 +791,20 @@ are
signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
.BR transport ,
signifying host-to-host transport mode;
+.BR transport_proxy ,
+signifying the special Mobile IPv6 transport proxy mode;
.BR passthrough ,
signifying that no IPsec processing should be done at all;
.BR drop ,
signifying that packets should be discarded; and
.BR reject ,
signifying that packets should be discarded and a diagnostic ICMP returned.
-Charon currently supports only
-.BR tunnel
+Charon currently supports
+.BR tunnel ,
+.BR transport ,
and
-.BR transport
-connection types.
+.BR tunnel_proxy
+connection types, only .
.TP
.B xauth
specifies the role in the XAUTH protocol if activated by
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 35c17b9b5..e51780dc1 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -44,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keywords.txt 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: keywords.txt 4612 2008-11-11 06:37:37Z andreas $
*/
#include <string.h>
@@ -56,7 +56,7 @@ struct kw_entry {
kw_token_t token;
};
-#define TOTAL_KEYWORDS 101
+#define TOTAL_KEYWORDS 102
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
#define MIN_HASH_VALUE 6
@@ -239,7 +239,8 @@ static const struct kw_entry wordlist[] =
{"pkcs11proxy", KW_PKCS11PROXY},
{""}, {""}, {""}, {""},
{"charondebug", KW_CHARONDEBUG},
- {""}, {""},
+ {""},
+ {"installpolicy", KW_INSTALLPOLICY},
{"cachecrls", KW_CACHECRLS},
{""}, {""}, {""},
{"packetdefault", KW_PACKETDEFAULT},
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 1efa5dc2b..756c33075 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keywords.h 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: keywords.h 4612 2008-11-11 06:37:37Z andreas $
*/
#ifndef _KEYWORDS_H_
@@ -68,6 +68,7 @@ typedef enum {
KW_TYPE,
KW_PFS,
KW_COMPRESS,
+ KW_INSTALLPOLICY,
KW_AUTH,
KW_AUTHBY,
KW_EAP,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 29bd404b5..8dfa03325 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keywords.txt 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: keywords.txt 4612 2008-11-11 06:37:37Z andreas $
*/
#include <string.h>
@@ -61,6 +61,7 @@ keyexchange, KW_KEYEXCHANGE
type, KW_TYPE
pfs, KW_PFS
compress, KW_COMPRESS
+installpolicy, KW_INSTALLPOLICY
auth, KW_AUTH
authby, KW_AUTHBY
keylife, KW_KEYLIFE
diff --git a/src/starter/klips.c b/src/starter/klips.c
new file mode 100644
index 000000000..5c8164419
--- /dev/null
+++ b/src/starter/klips.c
@@ -0,0 +1,82 @@
+/* strongSwan KLIPS starter
+ * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: klips.c 4632 2008-11-11 18:37:19Z martin $
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdlib.h>
+
+#include <freeswan.h>
+
+#include "../pluto/constants.h"
+#include "../pluto/defs.h"
+#include "../pluto/log.h"
+
+#include "files.h"
+
+bool
+starter_klips_init(void)
+{
+ struct stat stb;
+
+ if (stat(PROC_KLIPS, &stb) != 0)
+ {
+ /* ipsec module makes the pf_key proc interface visible */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+ ignore_result(system("modprobe -qv ipsec"));
+ }
+
+ /* now test again */
+ if (stat(PROC_KLIPS, &stb) != 0)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("kernel appears to lack the KLIPS IPsec stack")
+ )
+ return FALSE;
+ }
+ }
+
+ /* load crypto algorithm modules */
+ ignore_result(system("modprobe -qv ipsec_aes"));
+ ignore_result(system("modprobe -qv ipsec_blowfish"));
+ ignore_result(system("modprobe -qv ipsec_sha2"));
+
+ DBG(DBG_CONTROL,
+ DBG_log("Found KLIPS IPsec stack")
+ )
+
+ return TRUE;
+}
+
+void
+starter_klips_cleanup(void)
+{
+ if (system("type eroute > /dev/null 2>&1") == 0)
+ {
+ ignore_result(system("spi --clear"));
+ ignore_result(system("eroute --clear"));
+ }
+ else if (system("type setkey > /dev/null 2>&1") == 0)
+ {
+ ignore_result(system("setkey -F"));
+ ignore_result(system("setkey -FP"));
+ }
+ else
+ {
+ plog("WARNING: cannot flush IPsec state/policy database");
+ }
+}
+
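Review bot: starter_klips_init runs the three `modprobe -qv ipsec_*` commands unconditionally, whereas the probe for the `ipsec` module just above and the equivalent algorithm probes in netkey.c are guarded by `stat(PROC_MODULES, &stb) == 0`; wrapping them in the same guard keeps the two backends consistent and avoids spawning modprobe on kernels without module support. Both functions invoke bare command names through system(), which /bin/sh resolves via the inherited PATH of a process that runs as root; absolute paths or a fixed PATH would be a worthwhile hardening, shared with the existing netkey.c code. Neither function has a header comment; suggest `/* Returns TRUE if the KLIPS pf_key interface is available, loading the ipsec module first if /proc/modules exists; FALSE otherwise. */` on starter_klips_init and `/* Flushes the KLIPS SA and policy databases via spi/eroute, or setkey as a fallback; only logs a warning if neither tool is found. */` on starter_klips_cleanup.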
diff --git a/src/starter/klips.h b/src/starter/klips.h
new file mode 100644
index 000000000..60055b4f1
--- /dev/null
+++ b/src/starter/klips.h
@@ -0,0 +1,24 @@
+/* strongSwan KLIPS initialization and cleanup
+ * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: klips.h 4618 2008-11-11 09:22:00Z tobias $
+ */
+
+#ifndef _STARTER_KLIPS_H_
+#define _STARTER_KLIPS_H_
+
+extern bool starter_klips_init (void);
+extern void starter_klips_cleanup (void);
+
+#endif /* _STARTER_KLIPS_H_ */
+
diff --git a/src/starter/lex.yy.c b/src/starter/lex.yy.c
index cd3535318..4b3405eda 100644
--- a/src/starter/lex.yy.c
+++ b/src/starter/lex.yy.c
@@ -500,7 +500,7 @@ char *yytext;
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: parser.l 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: parser.l 4632 2008-11-11 18:37:19Z martin $
*/
#include <string.h>
@@ -511,6 +511,7 @@ char *yytext;
#define MAX_INCLUDE_DEPTH 20
+#define YY_NO_INPUT
#define YY_NO_UNPUT
extern void yyerror(const char *);
extern int yylex (void);
@@ -617,7 +618,7 @@ int _parser_y_include (const char *filename)
return 0;
}
-#line 621 "lex.yy.c"
+#line 622 "lex.yy.c"
#define INITIAL 0
@@ -771,10 +772,10 @@ YY_DECL
register char *yy_cp, *yy_bp;
register int yy_act;
-#line 134 "parser.l"
+#line 135 "parser.l"
-#line 778 "lex.yy.c"
+#line 779 "lex.yy.c"
if ( !(yy_init) )
{
@@ -859,7 +860,7 @@ do_action: /* This label is used only to access EOF actions. */
goto yy_find_action;
case YY_STATE_EOF(INITIAL):
-#line 136 "parser.l"
+#line 137 "parser.l"
{
if (__parser_y_private.filename[__parser_y_private.stack_ptr]) {
free(__parser_y_private.filename[__parser_y_private.stack_ptr]);
@@ -879,23 +880,23 @@ case YY_STATE_EOF(INITIAL):
YY_BREAK
case 1:
YY_RULE_SETUP
-#line 153 "parser.l"
+#line 154 "parser.l"
return FIRST_SPACES;
YY_BREAK
case 2:
YY_RULE_SETUP
-#line 155 "parser.l"
+#line 156 "parser.l"
/* ignore spaces in line */ ;
YY_BREAK
case 3:
YY_RULE_SETUP
-#line 157 "parser.l"
+#line 158 "parser.l"
return EQUAL;
YY_BREAK
case 4:
/* rule 4 can match eol */
YY_RULE_SETUP
-#line 159 "parser.l"
+#line 160 "parser.l"
{
__parser_y_private.line[__parser_y_private.stack_ptr]++;
return EOL;
@@ -903,37 +904,37 @@ YY_RULE_SETUP
YY_BREAK
case 5:
YY_RULE_SETUP
-#line 164 "parser.l"
+#line 165 "parser.l"
return CONFIG;
YY_BREAK
case 6:
YY_RULE_SETUP
-#line 165 "parser.l"
+#line 166 "parser.l"
return SETUP;
YY_BREAK
case 7:
YY_RULE_SETUP
-#line 166 "parser.l"
+#line 167 "parser.l"
return CONN;
YY_BREAK
case 8:
YY_RULE_SETUP
-#line 167 "parser.l"
+#line 168 "parser.l"
return CA;
YY_BREAK
case 9:
YY_RULE_SETUP
-#line 168 "parser.l"
+#line 169 "parser.l"
return INCLUDE;
YY_BREAK
case 10:
YY_RULE_SETUP
-#line 169 "parser.l"
+#line 170 "parser.l"
return FILE_VERSION;
YY_BREAK
case 11:
YY_RULE_SETUP
-#line 171 "parser.l"
+#line 172 "parser.l"
{
yylval.s = strdup(yytext);
return STRING;
@@ -941,7 +942,7 @@ YY_RULE_SETUP
YY_BREAK
case 12:
YY_RULE_SETUP
-#line 176 "parser.l"
+#line 177 "parser.l"
{
yylval.s = strdup(yytext+1);
if (yylval.s) yylval.s[strlen(yylval.s)-1]='\0';
@@ -950,15 +951,15 @@ YY_RULE_SETUP
YY_BREAK
case 13:
YY_RULE_SETUP
-#line 182 "parser.l"
+#line 183 "parser.l"
yyerror(yytext);
YY_BREAK
case 14:
YY_RULE_SETUP
-#line 184 "parser.l"
+#line 185 "parser.l"
ECHO;
YY_BREAK
-#line 962 "lex.yy.c"
+#line 963 "lex.yy.c"
case YY_END_OF_BUFFER:
{
@@ -1920,7 +1921,7 @@ void yyfree (void * ptr )
#define YYTABLES_NAME "yytables"
-#line 184 "parser.l"
+#line 185 "parser.l"
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index d3c181456..1490abf29 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: netkey.c 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: netkey.c 4632 2008-11-11 18:37:19Z martin $
*/
#include <sys/types.h>
@@ -36,7 +36,7 @@ starter_netkey_init(void)
/* af_key module makes the netkey proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
- system("modprobe -qv af_key");
+ ignore_result(system("modprobe -qv af_key"));
}
/* now test again */
@@ -52,11 +52,11 @@ starter_netkey_init(void)
/* make sure that all required IPsec modules are loaded */
if (stat(PROC_MODULES, &stb) == 0)
{
- system("modprobe -qv ah4");
- system("modprobe -qv esp4");
- system("modprobe -qv ipcomp");
- system("modprobe -qv xfrm4_tunnel");
- system("modprobe -qv xfrm_user");
+ ignore_result(system("modprobe -qv ah4"));
+ ignore_result(system("modprobe -qv esp4"));
+ ignore_result(system("modprobe -qv ipcomp"));
+ ignore_result(system("modprobe -qv xfrm4_tunnel"));
+ ignore_result(system("modprobe -qv xfrm_user"));
}
DBG(DBG_CONTROL,
@@ -70,13 +70,13 @@ starter_netkey_cleanup(void)
{
if (system("ip xfrm state > /dev/null 2>&1") == 0)
{
- system("ip xfrm state flush");
- system("ip xfrm policy flush");
+ ignore_result(system("ip xfrm state flush"));
+ ignore_result(system("ip xfrm policy flush"));
}
else if (system("type setkey > /dev/null 2>&1") == 0)
{
- system("setkey -F");
- system("setkey -FP");
+ ignore_result(system("setkey -F"));
+ ignore_result(system("setkey -FP"));
}
else
{
diff --git a/src/starter/parser.l b/src/starter/parser.l
index 68d3b5556..e51d655df 100644
--- a/src/starter/parser.l
+++ b/src/starter/parser.l
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: parser.l 3267 2007-10-08 19:57:54Z andreas $
+ * RCSID $Id: parser.l 4632 2008-11-11 18:37:19Z martin $
*/
#include <string.h>
@@ -23,6 +23,7 @@
#define MAX_INCLUDE_DEPTH 20
+#define YY_NO_INPUT
#define YY_NO_UNPUT
extern void yyerror(const char *);
extern int yylex (void);
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 61f21d88c..e4ad5286c 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starter.c 4140 2008-07-02 05:51:49Z andreas $
+ * RCSID $Id: starter.c 4632 2008-11-11 18:37:19Z martin $
*/
#include <sys/types.h>
@@ -42,6 +42,7 @@
#include "invokepluto.h"
#include "invokecharon.h"
#include "netkey.h"
+#include "klips.h"
#include "cmp.h"
#include "interfaces.h"
@@ -179,7 +180,7 @@ static void generate_selfcert()
#endif
setegid(gid);
seteuid(uid);
- system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
+ ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
seteuid(0);
setegid(0);
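Review bot: The scepclient invocation's exit status is now dropped with ignore_result, yet the code in the next hunk appears to write a `: RSA myKey.der` entry into SECRETS_FILE regardless, so a failed key generation leaves a secrets file pointing at a key that was never created; the `chown(SECRETS_FILE, uid, gid)` result in that hunk is dropped the same way, hiding the case where the secrets file stays root-owned and presumably unreadable to the unprivileged daemon. Logging both failures keeps the warning fix without losing the diagnostic: `if (system("ipsec scepclient --out pkcs1 --out cert-self --quiet") != 0) plog("scepclient failed to generate a self-signed certificate");` and `if (chown(SECRETS_FILE, uid, gid) != 0) plog("chown of %s failed", SECRETS_FILE);`. generate_selfcert continues outside this hunk.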
@@ -194,7 +195,7 @@ static void generate_selfcert()
fprintf(f, ": RSA myKey.der\n");
fclose(f);
}
- chown(SECRETS_FILE, uid, gid);
+ ignore_result(chown(SECRETS_FILE, uid, gid));
umask(oldmask);
}
}
@@ -324,7 +325,11 @@ int main (int argc, char **argv)
if (!starter_netkey_init())
{
plog("no netkey IPSec stack detected");
- exit(LSB_RC_FAILURE);
+ if (!starter_klips_init())
+ {
+ plog("no KLIPS IPSec stack detected");
+ exit(LSB_RC_FAILURE);
+ }
}
last_reload = time(NULL);
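Review bot: `plog("no netkey IPSec stack detected")` now fires on every start of a KLIPS-only system even though the fallback succeeds, which makes a normal startup look like an error in the log. Either demote that first message to a `DBG(DBG_CONTROL, ...)` trace or log only after both probes failed, e.g. `plog("no netkey or KLIPS IPsec stack detected");` inside the inner branch. main continues outside this hunk.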
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 4ee73128b..481b7de34 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starterstroke.c 4276 2008-08-22 10:44:51Z martin $
+ * RCSID $Id: starterstroke.c 4614 2008-11-11 07:28:52Z andreas $
*/
#include <sys/types.h>
@@ -24,6 +24,7 @@
#include <errno.h>
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <linux/xfrm.h>
#include <freeswan.h>
@@ -37,6 +38,9 @@
#include "confread.h"
#include "files.h"
+#define IPV4_LEN 4
+#define IPV6_LEN 16
+
/**
* Authentication methods, must be the same as in charons authenticator.h
*/
@@ -126,7 +130,11 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
case AF_INET:
{
struct sockaddr_in* sin = (struct sockaddr_in*)addr;
- if (inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
+ u_int8_t zeroes[IPV4_LEN];
+
+ memset(zeroes, 0, IPV4_LEN);
+ if (memcmp(zeroes, &(sin->sin_addr.s_addr), IPV4_LEN) &&
+ inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
{
return;
}
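Review bot: The hand-built zero buffers and memcmp against IPV4_LEN/IPV6_LEN re-implement checks that netinet/in.h already provides, and the literal 4 and 16 are not tied to the struct members they are compared against. `if (sin->sin_addr.s_addr != INADDR_ANY && inet_ntop(AF_INET, &sin->sin_addr, buffer, len))` here, and `if (!IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) && inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))` in the AF_INET6 hunk that follows, state the intent directly and remove the need for the two macros added at the top of the file. ip_address2string continues outside this hunk.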
@@ -135,7 +143,11 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
case AF_INET6:
{
struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
- if (inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
+ u_int8_t zeroes[IPV6_LEN];
+
+ memset(zeroes, 0, IPV6_LEN);
+ if (memcmp(zeroes, &(sin6->sin6_addr.s6_addr), IPV6_LEN) &&
+ inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
{
return;
}
@@ -144,8 +156,8 @@ static void ip_address2string(ip_address *addr, char *buffer, size_t len)
default:
break;
}
- /* failed */
- snprintf(buffer, len, "0.0.0.0");
+ /* default */
+ snprintf(buffer, len, "%%any");
}
@@ -231,17 +243,22 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
if (conn->policy & POLICY_TUNNEL)
{
- msg.add_conn.mode = 1; /* XFRM_MODE_TRANSPORT */
+ msg.add_conn.mode = XFRM_MODE_TUNNEL;
}
else if (conn->policy & POLICY_BEET)
{
- msg.add_conn.mode = 4; /* XFRM_MODE_BEET */
+ msg.add_conn.mode = XFRM_MODE_BEET;
}
+ else if (conn->policy & POLICY_PROXY)
+ {
+ msg.add_conn.mode = XFRM_MODE_TRANSPORT;
+ msg.add_conn.proxy_mode = TRUE;
+ }
else
{
- msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
+ msg.add_conn.mode = XFRM_MODE_TRANSPORT;
}
-
+
if (!(conn->policy & POLICY_DONT_REKEY))
{
msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
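Review bot: `msg.add_conn.proxy_mode` is assigned only on the POLICY_PROXY branch; if msg is not zero-initialised before this block (its construction is outside the hunk), the field is indeterminate for tunnel, BEET and plain transport conns. Setting `msg.add_conn.proxy_mode = FALSE;` ahead of the if-chain, or assigning it in every branch, removes the dependency on that earlier initialisation. starter_stroke_add_conn continues outside this hunk.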
@@ -254,6 +271,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
msg.add_conn.ipcomp = conn->policy & POLICY_COMPRESS;
+ msg.add_conn.install_policy = conn->install_policy;
msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
msg.add_conn.unique = cfg->setup.uniqueids;
msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);