-rw-r--r-- | Makefile.inc | 5 | ||||
-rw-r--r-- | programs/Makefile | 4 | ||||
-rwxr-xr-x | programs/ipsec/ipsec.in | 21 | ||||
-rw-r--r-- | programs/pluto/Makefile | 5 | ||||
-rw-r--r-- | programs/pluto/demux.c | 16 | ||||
-rw-r--r-- | programs/starter/Makefile | 10 | ||||
-rw-r--r-- | programs/starter/args.c | 4 | ||||
-rw-r--r-- | programs/starter/files.h | 11 | ||||
-rw-r--r-- | programs/starter/invokepluto.c | 6 | ||||
-rw-r--r-- | programs/starter/starter.c | 110 | ||||
-rw-r--r-- | programs/starter/starterwhack.c | 2 |
11 files changed, 177 insertions, 17 deletions
diff --git a/Makefile.inc b/Makefile.inc index f5ec6741d..359e6588f 100644 --- a/Makefile.inc +++ b/Makefile.inc @@ -84,6 +84,8 @@ SBINDIR=$(DESTDIR)$(FINALSBINDIR) FINALLIBDIR=$(INC_USRLOCAL)/lib/ipsec LIBDIR=$(DESTDIR)$(FINALLIBDIR) +# sharedlibdir is where shared libraries go +SHAREDLIBDIR=$(DESTDIR)$(INC_USRLOCAL)/lib # where the appropriate manpage tree is located # location within INC_USRLOCAL @@ -284,6 +286,9 @@ LDAP_VERSION=3 # include PKCS11-based smartcard support USE_SMARTCARD?=false +# support IKEv2 via charon +USE_IKEV2?=true + # Default PKCS11 library # Uncomment this line if using OpenSC <= 0.9.6 PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\" diff --git a/programs/Makefile b/programs/Makefile index 03c9d582a..6ef59a88e 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -32,6 +32,10 @@ ifeq ($(USE_IPSECPOLICY),true) SUBDIRS+=showpolicy endif +ifeq ($(USE_IKEV2),true) +SUBDIRS+=charon +endif + def: @echo "Please read doc/intro.html or INSTALL before running make" @false diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in index 0616561d8..940ca99d5 100755 --- a/programs/ipsec/ipsec.in +++ b/programs/ipsec/ipsec.in @@ -26,6 +26,7 @@ IPSEC_DIR="$IPSEC_LIBDIR" export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR IPSEC_STARTER_PID="/var/run/starter.pid" +IPSEC_CHARON_PID="/var/run/charon.pid" # standardize PATH, and export it for everything else's benefit PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin @@ -123,6 +124,10 @@ case "$1" in down) shift $IPSEC_EXECDIR/whack --name "$1" --terminate + if test -e $IPSEC_CHARON_PID + then + $IPSEC_EXECDIR/stroke down "$1" + fi exit 0 ;; listalgs|listpubkeys|listcerts|listcacerts|\ @@ -134,6 +139,10 @@ rereadacerts|rereadcrls|rereadall) op="$1" shift $IPSEC_EXECDIR/whack "$@" "--$op" + if test -e $IPSEC_CHARON_PID + then + $IPSEC_EXECDIR/stroke "$op" + fi exit 0 ;; ready) 
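Review bot: SHAREDLIBDIR breaks the FINALxxx/xxx pairing the surrounding variables follow (FINALLIBDIR holds the install-time path, LIBDIR prefixes DESTDIR), so there is no DESTDIR-free FINALSHAREDLIBDIR for anything that must reference the path at run time, and the comment `# sharedlibdir is where shared libraries go` does not say which of the two it is. Suggest `FINALSHAREDLIBDIR=$(INC_USRLOCAL)/lib` followed by `SHAREDLIBDIR=$(DESTDIR)$(FINALSHAREDLIBDIR)`. The second Makefile.inc hunk defaults `USE_IKEV2?=true`, which pulls the new charon subdirectory and the `-DIKEV2` packet-handling change in pluto into every default build; if that is the intended default, say so in the comment rather than only "support IKEv2 via charon".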
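Review bot: The guard `if test -e $IPSEC_CHARON_PID` only proves that a pid file exists, not that charon is alive, so a stale `/var/run/charon.pid` left by a crash makes every `up`, `down`, `status` and list/reread invocation also run stroke against a daemon that is gone; the identical five-line block appears in the down hunk here and again in the listing, status/statusall and up hunks. A single helper near the variable definition, `charon_running() { test -e "$IPSEC_CHARON_PID"; }` (quoting the variable, and ideally checking the pid read from the file with `kill -0`), gives one place to tighten that test. The listing hunk forwards every `--$op` name verbatim as `stroke "$op"`; whether stroke accepts all of listalgs through rereadall is not visible here and is worth confirming before the fallthrough.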
@@ -180,8 +189,16 @@ status|statusall) if test $# -eq 0 then $IPSEC_EXECDIR/whack "--$op" + if test -e $IPSEC_CHARON_PID + then + $IPSEC_EXECDIR/stroke "$op" + fi else $IPSEC_EXECDIR/whack --name "$1" "--$op" + if test -e $IPSEC_CHARON_PID + then + $IPSEC_EXECDIR/stroke "$op" "$1" + fi fi exit 0 ;; @@ -198,6 +215,10 @@ stop) up) shift $IPSEC_EXECDIR/whack --name "$1" --initiate + if test -e $IPSEC_CHARON_PID + then + $IPSEC_EXECDIR/stroke up "$1" + fi exit 0 ;; update) diff --git a/programs/pluto/Makefile b/programs/pluto/Makefile index 515b3fac0..29e2a9ecd 100644 --- a/programs/pluto/Makefile +++ b/programs/pluto/Makefile @@ -170,6 +170,11 @@ ifeq ($(USE_SMARTCARD),true) LIBSPLUTO+= -ldl endif +# enable IKEv2 support +ifeq ($(USE_IKEV2),true) + DEFINES+= -DIKEV2 +endif + # This compile option activates the leak detective ifeq ($(USE_LEAK_DETECTIVE),true) DEFINES+= -DLEAK_DETECTIVE diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c index 2f8fb9a8f..bbd50f93c 100644 --- a/programs/pluto/demux.c +++ b/programs/pluto/demux.c @@ -1196,6 +1196,21 @@ read_packet(struct msg_digest *md) } #endif +#ifdef IKEV2 +#define IKEV2_VERSION_OFFSET 17 +#define IKEV2_VERSION 0x20 + + /* ignore IKEv2 packets - they will be handled by charon */ + if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET + && md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION) + { + DBG(DBG_CONTROLMORE, + DBG_log(" ignoring IKEv2 packet") + ) + return FALSE; + } +#endif /* IKEV2 */ + return TRUE; } @@ -1229,6 +1244,7 @@ process_packet(struct msg_digest **mdp) if (md->packet_pbs.roof - md->packet_pbs.cur >= (ptrdiff_t)isakmp_hdr_desc.size) { struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur; + if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION) { SEND_NOTIFICATION(INVALID_MAJOR_VERSION); diff --git a/programs/starter/Makefile b/programs/starter/Makefile index 60e95d360..9d531d3c6 100644 --- a/programs/starter/Makefile +++ b/programs/starter/Makefile 
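Review bot: The filter in read_packet matches only the exact byte `0x20`, so an IKEv2 packet carrying a non-zero minor version (0x21 and up) slips past it and is answered with the `INVALID_MAJOR_VERSION` notification in process_packet instead of being left to charon; IKEv2 tells receivers to ignore the minor version, so compare the major nibble only, e.g. `&& (md->packet_pbs.start[IKEV2_VERSION_OFFSET] >> ISA_MAJ_SHIFT) == 2`, reusing the ISA_MAJ_SHIFT that process_packet already uses. The two `#define`s are placed inside the function body after executable statements; moving them to file scope next to the ISAKMP header definitions with a comment `/* octet 17 of the ISAKMP header is the version byte: 8+8 SPI octets, 1 next-payload octet */` would also explain the constant. Whether pbs_room() measures from start or from cur is not visible in the hunk, while the index is taken from start, so the two should be checked to agree. read_packet's body begins outside the hunk.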
@@ -34,6 +34,11 @@ ifeq ($(USE_LEAK_DETECTIVE),true) DEFINES+= -DLEAK_DETECTIVE endif +# Enable charon support +ifeq ($(USE_IKEV2),true) + DEFINES+= -DIKEV2 +endif + INCLUDES=-I${FREESWANDIR}/linux/include CFLAGS=$(DEFINES) $(INCLUDES) -Wall CFLAGS+=-DIPSEC_EXECDIR=\"${FINALLIBEXECDIR}\" -DIPSEC_CONFDDIR=\"${FINALCONFDDIR}\" @@ -46,6 +51,11 @@ OBJS=starter.o parser.tab.o lex.yy.o keywords.o args.o invokepluto.o \ starterwhack.o klips.o netkey.o interfaces.o exec.o cmp.o confread.o \ loglite.o ${PLUTO_OBJS} +# Build charon-only objs +ifeq ($(USE_IKEV2),true) + OBJS+= invokecharon.o starterstroke.o +endif + DISTSRC=$(OBJS:.o=.c) DISTSRC+=cmp.h confread.h confwrite.h exec.h files.h interfaces.h klips.h netkey.h DISTSRC+=parser.h args.h invokepluto.h starterwhack.h keywords.h keywords.txt diff --git a/programs/starter/args.c b/programs/starter/args.c index 6f3da63eb..56b286beb 100644 --- a/programs/starter/args.c +++ b/programs/starter/args.c @@ -86,6 +86,10 @@ static const char *LST_packetdefault[] = { static const char *LST_keyexchange[] = { "ike", +#ifdef IKEV2 + "ikev1", + "ikev2", +#endif /* IKEV2 */ NULL }; diff --git a/programs/starter/files.h b/programs/starter/files.h index 286cdf105..83d27e152 100644 --- a/programs/starter/files.h +++ b/programs/starter/files.h @@ -37,8 +37,15 @@ #define SECRETS_FILE IPSEC_CONFDIR"/ipsec.secrets" #define PLUTO_CMD IPSEC_EXECDIR"/pluto" -#define CTL_FILE DEFAULT_CTLBASE CTL_SUFFIX -#define PID_FILE DEFAULT_CTLBASE PID_SUFFIX +#define PLUTO_CTL_FILE DEFAULT_CTLBASE CTL_SUFFIX +#define PLUTO_PID_FILE DEFAULT_CTLBASE PID_SUFFIX + +#ifdef IKEV2 +#define CHARON_CMD IPSEC_EXECDIR"/charon" +#define CHARON_BASE "/var/run/charon" +#define CHARON_CTL_FILE CHARON_BASE CTL_SUFFIX +#define CHARON_PID_FILE CHARON_BASE PID_SUFFIX +#endif /* IKEV2 */ #define DYNIP_DIR "/var/run/dynip" #define INFO_FILE "/var/run/ipsec.info" diff --git a/programs/starter/invokepluto.c b/programs/starter/invokepluto.c index 70376e380..c7e047329 100644 
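Review bot: DISTSRC only picks up the new charon sources indirectly, through `$(OBJS:.o=.c)` and only when USE_IKEV2 is true, and the explicit header list right below the hunk is not extended, so invokecharon.h (which starter.c now includes) and, presumably, a starterstroke.h are missing from a distribution built with USE_IKEV2=false. Add them to the DISTSRC header line unconditionally, as the other headers are, `DISTSRC+=invokecharon.h starterstroke.h`, so the tarball is the same whichever way the option is set.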
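Review bot: `CHARON_BASE "/var/run/charon"` hardcodes the control path while the pluto pair next to it is derived from DEFAULT_CTLBASE, and programs/ipsec/ipsec.in hardcodes `/var/run/charon.pid` a third time; if any one of them moves, starter and the ipsec script will disagree about whether charon is running. Derive CHARON_BASE from the same base directory as DEFAULT_CTLBASE (or export a single configure variable to both files) and add `/* must match IPSEC_CHARON_PID in ipsec.in */` so the coupling is visible to the next editor.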
--- a/programs/starter/invokepluto.c +++ b/programs/starter/invokepluto.c @@ -54,7 +54,7 @@ starter_pluto_sigchild(pid_t pid) , PLUTO_RESTART_DELAY); alarm(PLUTO_RESTART_DELAY); // restart in 5 sec } - unlink(PID_FILE); + unlink(PLUTO_PID_FILE); } } @@ -203,7 +203,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug) } else { - unlink(CTL_FILE); + unlink(PLUTO_CTL_FILE); _stop_requested = 0; if (cfg->setup.prepluto) @@ -252,7 +252,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug) { /* wait for pluto */ usleep(20000); - if (stat(CTL_FILE, &stb) == 0) + if (stat(PLUTO_CTL_FILE, &stb) == 0) { DBG(DBG_CONTROL, DBG_log("pluto (%d) started", _pluto_pid) diff --git a/programs/starter/starter.c b/programs/starter/starter.c index 0b2c83369..42c98574a 100644 --- a/programs/starter/starter.c +++ b/programs/starter/starter.c @@ -37,6 +37,7 @@ #include "files.h" #include "starterwhack.h" #include "invokepluto.h" +#include "invokecharon.h" #include "klips.h" #include "netkey.h" #include "cmp.h" @@ -47,6 +48,9 @@ #define FLAG_ACTION_RELOAD 0x04 #define FLAG_ACTION_QUIT 0x08 #define FLAG_ACTION_LISTEN 0x10 +#ifdef IKEV2 +#define FLAG_ACTION_START_CHARON 0x20 +#endif /* IKEV2 */ static unsigned int _action_ = 0; @@ -65,6 +69,10 @@ fsig(int signal) { if (pid == starter_pluto_pid()) name = " (Pluto)"; +#ifdef IKEV2 + if (pid == starter_charon_pid()) + name = " (Charon)"; +#endif /* IKEV2 */ if (WIFSIGNALED(status)) DBG(DBG_CONTROL, DBG_log("child %d%s has been killed by sig %d\n", @@ -87,6 +95,10 @@ fsig(int signal) if (pid == starter_pluto_pid()) starter_pluto_sigchild(pid); +#ifdef IKEV2 + if (pid == starter_charon_pid()) + starter_charon_sigchild(pid); +#endif /* IKEV2 */ } } break; @@ -97,6 +109,9 @@ fsig(int signal) case SIGALRM: _action_ |= FLAG_ACTION_START_PLUTO; +#ifdef IKEV2 + _action_ |= FLAG_ACTION_START_CHARON; +#endif /* IKEV2 */ break; case SIGHUP: 
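Review bot: `#include "invokecharon.h"` is added unconditionally while every other charon reference in starter.c is wrapped in `#ifdef IKEV2` and programs/starter/Makefile compiles invokecharon.o only when USE_IKEV2 is true, so a build with the option off still depends on that header being present and self-contained; wrap it the same way, `#ifdef IKEV2` / `#include "invokecharon.h"` / `#endif /* IKEV2 */`. The SIGALRM hunk now raises FLAG_ACTION_START_CHARON on every alarm, including the one pluto's restart path schedules, which is only harmless because the main loop tests starter_charon_pid() first; a comment on that case, `/* the restart alarm is shared by pluto and charon */`, would save the next reader that check.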
@@ -193,6 +208,9 @@ int main (int argc, char **argv) signal(SIGQUIT, fsig); signal(SIGALRM, fsig); signal(SIGUSR1, fsig); + + + plog("Starting strongSwan IPsec %s [starter]...", ipsec_version_code()); /* verify that we can start */ if (getuid() != 0) @@ -201,12 +219,24 @@ int main (int argc, char **argv) exit(1); } - if (stat(PID_FILE, &stb) == 0) + if (stat(PLUTO_PID_FILE, &stb) == 0) { - plog("pluto is already running (%s exists) -- aborting", PID_FILE); - exit(1); + plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE); } - + else + { + _action_ |= FLAG_ACTION_START_PLUTO; + } +#ifdef IKEV2 + if (stat(CHARON_PID_FILE, &stb) == 0) + { + plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE); + } + else + { + _action_ |= FLAG_ACTION_START_CHARON; + } +#endif /* IKEV2 */ if (stat(DEV_RANDOM, &stb) != 0) { plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM); @@ -247,7 +277,11 @@ int main (int argc, char **argv) last_reload = time(NULL); - plog("Starting strongSwan IPsec %s [starter]...", ipsec_version_code()); + if (stat(MY_PID_FILE, &stb) == 0) + { + plog("starter is already running (%s exists) -- no fork done", MY_PID_FILE); + exit(0); + } /* fork if we're not debugging stuff */ if (!no_fork) @@ -296,17 +330,19 @@ int main (int argc, char **argv) , &cfg->defaultroute); } - _action_ = FLAG_ACTION_START_PLUTO; - for (;;) { /* - * Stop pluto (if started) and exit - */ + * Stop pluto/charon (if started) and exit + */ if (_action_ & FLAG_ACTION_QUIT) { if (starter_pluto_pid()) starter_stop_pluto(); +#ifdef IKEV2 + if (starter_charon_pid()) + starter_stop_charon(); +#endif IKEV2 if (has_netkey) starter_netkey_cleanup(); else @@ -337,6 +373,9 @@ int main (int argc, char **argv) if (conn->state == STATE_ADDED) { starter_whack_del_conn(conn); +#ifdef IKEV2 + starter_stroke_del_conn(conn); +#endif /* IKEV2 */ conn->state = STATE_TO_ADD; } } 
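Review bot: Turning the abort into a skip means a stale PLUTO_PID_FILE left by a crash silently yields a starter that never launches pluto: stat() only proves the file exists, starter_pluto_pid() stays 0 so the QUIT branch will not stop whatever is there, and FLAG_ACTION_START_PLUTO is only set again from the SIGALRM handler. If skipping is the intended behaviour, read the pid out of the file and probe it with `kill(pid, 0)` before treating the daemon as running, and say in the log message that it was skipped rather than adopted; the CHARON_PID_FILE branch directly below has the same gap. main() continues outside the hunk.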
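Review bot: `#endif IKEV2` in the QUIT branch leaves a bare token after the directive, which is not valid C and produces an "extra tokens at end of #endif directive" warning on GCC (an error under -Werror); every other guard in this commit is written `#endif /* IKEV2 */`, so change this one to match. The `*/` line of the comment above it is touched only for indentation, which adds a spurious changed line to the hunk.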
@@ -427,6 +466,9 @@ int main (int argc, char **argv) { if (conn->state == STATE_ADDED) starter_whack_del_conn(conn); +#ifdef IKEV2 + starter_stroke_del_conn(conn); +#endif /* IKEV2 */ } /* Look for new ca sections that are already loaded */ @@ -502,6 +544,27 @@ int main (int argc, char **argv) conn->state = STATE_TO_ADD; } } + +#ifdef IKEV2 + /* + * Start charon + */ + if (_action_ & FLAG_ACTION_START_CHARON) + { + if (starter_charon_pid() == 0) + { + DBG(DBG_CONTROL, + DBG_log("Attempting to start charon...") + ) + if (starter_start_charon(cfg, no_fork) != 0) + { + /* schedule next try */ + alarm(PLUTO_RESTART_DELAY); + } + } + _action_ &= ~FLAG_ACTION_START_CHARON; + } +#endif /* IKEV2 */ /* * Tell pluto to reread its interfaces @@ -536,11 +599,36 @@ int main (int argc, char **argv) conn->id = id++; } starter_whack_add_conn(conn); +#ifdef IKEV2 + starter_stroke_add_conn(conn); +#endif /* IKEV2 */ conn->state = STATE_ADDED; if (conn->startup == STARTUP_START) - starter_whack_initiate_conn(conn); + { +#ifdef IKEV2 + if (conn->keyexchange == 2) + { + starter_stroke_initiate_conn(conn); + } + else +#endif /* IKEV2 */ + { + starter_whack_initiate_conn(conn); + } + } else if (conn->startup == STARTUP_ROUTE) - starter_whack_route_conn(conn); + { +#ifdef IKEV2 + if (conn->keyexchange == 2) + { + starter_stroke_route_conn(conn); + } + else +#endif /* IKEV2 */ + { + starter_whack_route_conn(conn); + } + } } } } diff --git a/programs/starter/starterwhack.c b/programs/starter/starterwhack.c index a671c560c..a42d91991 100644 --- a/programs/starter/starterwhack.c +++ b/programs/starter/starterwhack.c @@ -54,7 +54,7 @@ pack_str (char **p, char **next, char **roof) static int send_whack_msg (whack_message_t *msg) { - struct sockaddr_un ctl_addr = { AF_UNIX, CTL_FILE }; + struct sockaddr_un ctl_addr = { AF_UNIX, PLUTO_CTL_FILE }; int sock; ssize_t len; char *str_next, *str_roof; |
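Review bot: `starter_stroke_del_conn(conn)` is inserted under an `if (conn->state == STATE_ADDED)` that has no braces, so only the whack call is conditional and the stroke deletion runs for every connection whatever its state (whitespace is collapsed in this view, but no `{` is visible, unlike the braced version of the same change in the hunk at new line 373). Brace the body: `if (conn->state == STATE_ADDED) { starter_whack_del_conn(conn);` / `#ifdef IKEV2 starter_stroke_del_conn(conn); #endif /* IKEV2 */` / `}`. The enclosing loop starts and ends outside the hunk.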
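Review bot: `conn->keyexchange == 2` is a magic number whose meaning depends on the position of "ikev2" in LST_keyexchange in args.c, which this commit extends by inserting two entries after "ike"; a named constant declared next to that list, such as `KEY_EXCHANGE_IKEV2`, or an enum shared with the parser would keep the two in step. The same test is repeated for initiate and route; a small static helper returning whether a connection is IKEv2 would remove the duplicated #ifdef block. The add_conn change sends every connection to both pluto and charon regardless of keyexchange; if that is intended, a comment saying so, `/* both daemons receive every conn; keyexchange only selects who initiates */`, would stop it being read as an oversight.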