-rw-r--r-- | INSTALL | 2 | ||||
-rw-r--r-- | Makefile.inc | 3 | ||||
-rw-r--r-- | src/Makefile | 6 | ||||
-rw-r--r-- | src/charon/doc/Todo-list.txt | 4 | ||||
-rw-r--r-- | src/starter/Makefile | 9 | ||||
-rw-r--r-- | src/starter/args.c | 4 | ||||
-rw-r--r-- | src/starter/confread.c | 1184 | ||||
-rw-r--r-- | src/starter/confread.h | 2 | ||||
-rw-r--r-- | src/starter/files.h | 2 | ||||
-rw-r--r-- | src/starter/keywords.c | 122 | ||||
-rw-r--r-- | src/starter/keywords.h | 2 | ||||
-rw-r--r-- | src/starter/keywords.txt | 4 | ||||
-rw-r--r-- | src/starter/starter.c | 56 | ||||
-rw-r--r-- | testing/tests/ikev2-net2net/description.txt | 9 | ||||
-rw-r--r-- | testing/tests/ikev2-net2net/hosts/moon/etc/ipsec.conf | 3 | ||||
-rw-r--r-- | testing/tests/ikev2-net2net/hosts/sun/etc/ipsec.conf | 3 |
16 files changed, 688 insertions, 727 deletions
@@ -152,7 +152,7 @@ Contents o esp4 o ipcomp o xfrm_user - o xfrm_tunnel + o xfrm4_tunnel Also the built-in kernel Cryptoapi modules with selected encryption and hash algorithms should be available. diff --git a/Makefile.inc b/Makefile.inc index 670bf1214..d4d38f0f9 100644 --- a/Makefile.inc +++ b/Makefile.inc @@ -211,9 +211,6 @@ LDAP_VERSION=3 # include PKCS11-based smartcard support USE_SMARTCARD?=false -# support IKEv2 via charon -USE_IKEV2?=true - # Default PKCS11 library # Uncomment this line if using OpenSC <= 0.9.6 #PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\" diff --git a/src/Makefile b/src/Makefile index 5d167b805..59b4e18ab 100644 --- a/src/Makefile +++ b/src/Makefile @@ -17,11 +17,7 @@ FREESWANSRCDIR=.. include ${FREESWANSRCDIR}/Makefile.inc -SUBDIRS=_copyright _updown _updown_espmark ipsec starter openac scepclient pluto - -ifeq ($(USE_IKEV2),true) -SUBDIRS+=charon -endif +SUBDIRS=_copyright _updown _updown_espmark ipsec starter openac scepclient pluto charon def: @echo "Please read doc/intro.html or INSTALL before running make" diff --git a/src/charon/doc/Todo-list.txt b/src/charon/doc/Todo-list.txt index 11b30fb7d..2c4d163a7 100644 --- a/src/charon/doc/Todo-list.txt +++ b/src/charon/doc/Todo-list.txt @@ -38,6 +38,10 @@ - certificate validation/chaining - certificate exchange +- stroke status should show configured connections +- stroke loglevel update +- stroke argument parsing via getopts/gperf? + - implement 3DES to load encrypted pem files - ipsec.secrets parsing diff --git a/src/starter/Makefile b/src/starter/Makefile index 0aeceb60f..a0ff51bfa 100644 --- a/src/starter/Makefile +++ b/src/starter/Makefile @@ -34,11 +34,6 @@ ifeq ($(USE_LEAK_DETECTIVE),true) DEFINES+= -DLEAK_DETECTIVE endif -# Enable charon support -ifeq ($(USE_IKEV2),true) - DEFINES+= -DIKEV2 -endif - INCLUDES=-I${FREESWANDIR}/linux/include CFLAGS=$(DEFINES) $(INCLUDES) -Wall CFLAGS+=-DIPSEC_EXECDIR=\"${FINALLIBEXECDIR}\" -DIPSEC_CONFDDIR=\"${FINALCONFDDIR}\" 
@@ -52,9 +47,7 @@ OBJS=starter.o parser.tab.o lex.yy.o keywords.o args.o invokepluto.o \ loglite.o ${PLUTO_OBJS} # Build charon-only objs -ifeq ($(USE_IKEV2),true) - OBJS+= invokecharon.o starterstroke.o -endif +OBJS+= invokecharon.o starterstroke.o DISTSRC=$(OBJS:.o=.c) DISTSRC+=cmp.h confread.h confwrite.h exec.h files.h interfaces.h netkey.h diff --git a/src/starter/args.c b/src/starter/args.c index 56b286beb..a473cf639 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -86,10 +86,8 @@ static const char *LST_packetdefault[] = { static const char *LST_keyexchange[] = { "ike", -#ifdef IKEV2 "ikev1", "ikev2", -#endif /* IKEV2 */ NULL }; @@ -150,6 +148,8 @@ static const token_info_t token_info[] = /* config setup keywords */ { ARG_LST, offsetof(starter_config_t, setup.interfaces), NULL }, { ARG_STR, offsetof(starter_config_t, setup.dumpdir), NULL }, + { ARG_ENUM, offsetof(starter_config_t, setup.charonstart), LST_bool }, + { ARG_ENUM, offsetof(starter_config_t, setup.plutostart), LST_bool }, /* pluto keywords */ { ARG_LST, offsetof(starter_config_t, setup.plutodebug), LST_plutodebug }, diff --git a/src/starter/confread.c b/src/starter/confread.c index cf12d05ca..cd7a6f29d 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c 
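Review bot: The two `ARG_ENUM` rows added for `setup.charonstart` and `setup.plutostart` go into a positional table: `token_info[]` is consumed by `assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned)` in confread.c, presumably indexed by `token - KW_SETUP_FIRST`, so the rows must sit at exactly the position of the matching new tokens in keywords.h/keywords.txt (changed by this commit, not shown here); a mismatch would silently store a parsed value into the wrong `setup` field instead of failing. Nothing in the hunk records that coupling, so I would add `/* row order must match the kw_token_t enumeration in keywords.h */` above the `/* config setup keywords */` group. Dropping the `#ifdef IKEV2` around `"ikev1"`/`"ikev2"` in `LST_keyexchange` is consistent with charon now being built unconditionally, but it also means `keyexchange=ikev2` is accepted by every build, so the daemon must actually be present at runtime for that value to be meaningful. The `token_info[]` array continues outside the hunk.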
@@ -39,54 +39,55 @@ static const char firewall_defaults[] = "ipsec _updown iptables"; static void default_values(starter_config_t *cfg) { - if (cfg == NULL) - return; + if (cfg == NULL) + return; - memset(cfg, 0, sizeof(struct starter_config)); + memset(cfg, 0, sizeof(struct starter_config)); /* is there enough space for all seen flags? */ - assert(KW_SETUP_LAST - KW_SETUP_FIRST < - sizeof(cfg->setup.seen) * BITS_PER_BYTE); - assert(KW_CONN_LAST - KW_CONN_FIRST < - sizeof(cfg->conn_default.seen) * BITS_PER_BYTE); - assert(KW_END_LAST - KW_END_FIRST < - sizeof(cfg->conn_default.right.seen) * BITS_PER_BYTE); - assert(KW_CA_LAST - KW_CA_FIRST < - sizeof(cfg->ca_default.seen) * BITS_PER_BYTE); - - cfg->setup.seen = LEMPTY; - cfg->setup.fragicmp = TRUE; - cfg->setup.hidetos = TRUE; - cfg->setup.uniqueids = TRUE; - cfg->setup.interfaces = new_list("%defaultroute"); - - cfg->conn_default.seen = LEMPTY; - cfg->conn_default.startup = STARTUP_NO; - cfg->conn_default.state = STATE_IGNORE; - cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG - | POLICY_PFS; - - cfg->conn_default.ike = clone_str(ike_defaults, "ike_defaults"); - cfg->conn_default.esp = clone_str(esp_defaults, "esp_defaults"); - cfg->conn_default.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT; - cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT; - cfg->conn_default.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT; - cfg->conn_default.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT; - cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT; - cfg->conn_default.addr_family = AF_INET; - cfg->conn_default.tunnel_addr_family = AF_INET; - - cfg->conn_default.left.seen = LEMPTY; - cfg->conn_default.right.seen = LEMPTY; - - anyaddr(AF_INET, &cfg->conn_default.left.addr); - anyaddr(AF_INET, &cfg->conn_default.left.nexthop); - anyaddr(AF_INET, &cfg->conn_default.left.srcip); - anyaddr(AF_INET, &cfg->conn_default.right.addr); - anyaddr(AF_INET, 
&cfg->conn_default.right.nexthop); - anyaddr(AF_INET, &cfg->conn_default.right.srcip); - - cfg->ca_default.seen = LEMPTY; + assert(KW_SETUP_LAST - KW_SETUP_FIRST < + sizeof(cfg->setup.seen) * BITS_PER_BYTE); + assert(KW_CONN_LAST - KW_CONN_FIRST < + sizeof(cfg->conn_default.seen) * BITS_PER_BYTE); + assert(KW_END_LAST - KW_END_FIRST < + sizeof(cfg->conn_default.right.seen) * BITS_PER_BYTE); + assert(KW_CA_LAST - KW_CA_FIRST < + sizeof(cfg->ca_default.seen) * BITS_PER_BYTE); + + cfg->setup.seen = LEMPTY; + cfg->setup.fragicmp = TRUE; + cfg->setup.hidetos = TRUE; + cfg->setup.uniqueids = TRUE; + cfg->setup.interfaces = new_list("%defaultroute"); + cfg->setup.charonstart = TRUE; + cfg->setup.plutostart = TRUE; + + cfg->conn_default.seen = LEMPTY; + cfg->conn_default.startup = STARTUP_NO; + cfg->conn_default.state = STATE_IGNORE; + cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG | POLICY_PFS; + + cfg->conn_default.ike = clone_str(ike_defaults, "ike_defaults"); + cfg->conn_default.esp = clone_str(esp_defaults, "esp_defaults"); + cfg->conn_default.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT; + cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT; + cfg->conn_default.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT; + cfg->conn_default.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT; + cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT; + cfg->conn_default.addr_family = AF_INET; + cfg->conn_default.tunnel_addr_family = AF_INET; + + cfg->conn_default.left.seen = LEMPTY; + cfg->conn_default.right.seen = LEMPTY; + + anyaddr(AF_INET, &cfg->conn_default.left.addr); + anyaddr(AF_INET, &cfg->conn_default.left.nexthop); + anyaddr(AF_INET, &cfg->conn_default.left.srcip); + anyaddr(AF_INET, &cfg->conn_default.right.addr); + anyaddr(AF_INET, &cfg->conn_default.right.nexthop); + anyaddr(AF_INET, &cfg->conn_default.right.srcip); + + cfg->ca_default.seen = LEMPTY; } #define KW_POLICY_FLAG(sy, sn, fl) \ 
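Review bot: `cfg->setup.charonstart = TRUE;` and `cfg->setup.plutostart = TRUE;` are the only functional lines in this otherwise whitespace-only hunk, and they change the default for every existing ipsec.conf: an installation that never mentions IKEv2 will now launch charon in addition to pluto, adding a second listening daemon to the default footprint. That deserves a comment at the assignment, e.g. `/* both daemons are started unless charonstart=no / plutostart=no is set */`, and a line in INSTALL so upgraders know to set `charonstart=no` if they do not want IKEv2 enabled. Nothing in `default_values` or `load_setup` rejects a setup section that disables both daemons; presumably starter.c (changed in this commit, not shown) handles that case, but it is worth confirming. Mixing the tab-to-space re-indentation with the two real changes makes them easy to miss in review; a separate whitespace commit would have kept the functional diff to two lines.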
@@ -97,173 +98,172 @@ default_values(starter_config_t *cfg) static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp) { - kw_list_t *kw; + kw_list_t *kw; - DBG(DBG_CONTROL, - DBG_log("Loading config setup") + DBG(DBG_CONTROL, + DBG_log("Loading config setup") ) - for (kw = cfgp->config_setup; kw; kw = kw->next) - { - bool assigned = FALSE; + for (kw = cfgp->config_setup; kw; kw = kw->next) + { + bool assigned = FALSE; - kw_token_t token = kw->entry->token; + kw_token_t token = kw->entry->token; - if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST) - { - plog("# unsupported keyword '%s' in config setup", kw->entry->name); - cfg->err++; - continue; - } + if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST) + { + plog("# unsupported keyword '%s' in config setup", kw->entry->name); + cfg->err++; + continue; + } - if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned)) - { - plog(" bad argument value in config setup"); - cfg->err++; - continue; + if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned)) + { + plog(" bad argument value in config setup"); + cfg->err++; + continue; + } } - } } static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token , kw_list_t *kw, char *conn_name, starter_config_t *cfg) { - err_t ugh = NULL; - bool assigned = FALSE; - int has_port_wildcard; /* set if port is %any */ - - char *name = kw->entry->name; - char *value = kw->value; - - if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned)) - goto err; + err_t ugh = NULL; + bool assigned = FALSE; + int has_port_wildcard; /* set if port is %any */ - if (token == KW_SENDCERT) - { - if (end->sendcert == CERT_YES_SEND) - end->sendcert = CERT_ALWAYS_SEND; - else if (end->sendcert == CERT_NO_SEND) - end->sendcert = CERT_NEVER_SEND; - } + char *name = kw->entry->name; + char *value = kw->value; - if (assigned) - return; - - switch (token) - { - case KW_HOST: - if (streq(value, "%defaultroute")) - { - if (cfg->defaultroute.defined) - { - 
end->addr = cfg->defaultroute.addr; - end->nexthop = cfg->defaultroute.nexthop; - } - else - { - plog("# default route not known: %s=%s", name, value); - goto err; - } - } - else if (streq(value,"%any")) - { - anyaddr(conn->addr_family, &end->addr); - } - else if (value[0] == '%') - { - if (end->iface) - pfree(end->iface); - end->iface = clone_str(value+1, "iface"); - if (starter_iface_find(end->iface, conn->addr_family, &end->addr, - &end->nexthop) == -1) - { - conn->state = STATE_INVALID; - } - } - else - { - ugh = ttoaddr(value, 0, conn->addr_family, &end->addr); - if (ugh != NULL) - { - plog("# bad addr: %s=%s [%s]", name, value, ugh); - goto err; - } - } - break; - case KW_NEXTHOP: - if (streq(value, "%defaultroute")) - { - if (cfg->defaultroute.defined) - end->nexthop = cfg->defaultroute.nexthop; - else - { - plog("# default route not known: %s=%s", name, value); + if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned)) goto err; - } - } - else if (streq(value, "%direct")) - ugh = anyaddr(conn->addr_family, &end->nexthop); - else - ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop); - if (ugh != NULL) + if (token == KW_SENDCERT) { - plog("# bad addr: %s=%s [%s]", name, value, ugh); - goto err; + if (end->sendcert == CERT_YES_SEND) + end->sendcert = CERT_ALWAYS_SEND; + else if (end->sendcert == CERT_NO_SEND) + end->sendcert = CERT_NEVER_SEND; } - break; - case KW_SUBNET: - if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0) - || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0)) - { - end->virt = clone_str(value, "virt"); - } - else - { - end->has_client = TRUE; - ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet); - if (ugh != NULL) - { - plog("# bad subnet: %s=%s [%s]", name, value, ugh); - goto err; - } - } - break; - case KW_SUBNETWITHIN: - end->has_client = TRUE; - end->has_client_wildcard = TRUE; - ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet); - break; - case KW_PROTOPORT: - ugh = 
ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard); - end->has_port_wildcard = has_port_wildcard; - break; - case KW_SOURCEIP: - if (streq(value, "%modeconfig") || streq(value, "%modecfg")) - { - end->modecfg = TRUE; - } - else + + if (assigned) + return; + + switch (token) { - ugh = ttoaddr(value, 0, conn->addr_family, &end->srcip); - if (ugh != NULL) - { - plog("# bad addr: %s=%s [%s]", name, value, ugh); - goto err; - } - end->has_srcip = TRUE; + case KW_HOST: + if (streq(value, "%defaultroute")) + { + if (cfg->defaultroute.defined) + { + end->addr = cfg->defaultroute.addr; + end->nexthop = cfg->defaultroute.nexthop; + } + else + { + plog("# default route not known: %s=%s", name, value); + goto err; + } + } + else if (streq(value,"%any")) + { + anyaddr(conn->addr_family, &end->addr); + } + else if (value[0] == '%') + { + if (end->iface) + pfree(end->iface); + end->iface = clone_str(value+1, "iface"); + if (starter_iface_find(end->iface, conn->addr_family, &end->addr, &end->nexthop) == -1) + { + conn->state = STATE_INVALID; + } + } + else + { + ugh = ttoaddr(value, 0, conn->addr_family, &end->addr); + if (ugh != NULL) + { + plog("# bad addr: %s=%s [%s]", name, value, ugh); + goto err; + } + } + break; + case KW_NEXTHOP: + if (streq(value, "%defaultroute")) + { + if (cfg->defaultroute.defined) + end->nexthop = cfg->defaultroute.nexthop; + else + { + plog("# default route not known: %s=%s", name, value); + goto err; + } + } + else if (streq(value, "%direct")) + ugh = anyaddr(conn->addr_family, &end->nexthop); + else + ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop); + + if (ugh != NULL) + { + plog("# bad addr: %s=%s [%s]", name, value, ugh); + goto err; + } + break; + case KW_SUBNET: + if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0) + || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0)) + { + end->virt = clone_str(value, "virt"); + } + else + { + end->has_client = TRUE; + ugh = ttosubnet(value, 0, 
conn->tunnel_addr_family, &end->subnet); + if (ugh != NULL) + { + plog("# bad subnet: %s=%s [%s]", name, value, ugh); + goto err; + } + } + break; + case KW_SUBNETWITHIN: + end->has_client = TRUE; + end->has_client_wildcard = TRUE; + ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet); + break; + case KW_PROTOPORT: + ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard); + end->has_port_wildcard = has_port_wildcard; + break; + case KW_SOURCEIP: + if (streq(value, "%modeconfig") || streq(value, "%modecfg")) + { + end->modecfg = TRUE; + } + else + { + ugh = ttoaddr(value, 0, conn->addr_family, &end->srcip); + if (ugh != NULL) + { + plog("# bad addr: %s=%s [%s]", name, value, ugh); + goto err; + } + end->has_srcip = TRUE; + } + conn->policy |= POLICY_TUNNEL; + break; + default: + break; } - conn->policy |= POLICY_TUNNEL; - break; - default: - break; - } - return; + return; err: - plog(" bad argument value in conn '%s'", conn_name); - cfg->err++; + plog(" bad argument value in conn '%s'", conn_name); + cfg->err++; } /* @@ -272,19 +272,19 @@ err: static void handle_firewall( const char *label, starter_end_t *end, starter_config_t *cfg) { - if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST))) - { - if (end->updown != NULL) + if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST))) { - plog("# cannot have both %sfirewall and %supdown", label, label); - cfg->err++; - } - else - { - end->updown = clone_str(firewall_defaults, "firewall_defaults"); - end->firewall = FALSE; + if (end->updown != NULL) + { + plog("# cannot have both %sfirewall and %supdown", label, label); + cfg->err++; + } + else + { + end->updown = clone_str(firewall_defaults, "firewall_defaults"); + end->firewall = FALSE; + } } - } } /* 
@@ -293,133 +293,133 @@ handle_firewall( const char *label, starter_end_t *end, starter_config_t *cfg) static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg) { - char *conn_name = (conn->name == NULL)? "%default":conn->name; + char *conn_name = (conn->name == NULL)? "%default":conn->name; - for ( ; kw; kw = kw->next) - { - bool assigned = FALSE; - - kw_token_t token = kw->entry->token; - - if (token >= KW_LEFT_FIRST && token <= KW_LEFT_LAST) + for ( ; kw; kw = kw->next) { - kw_end(conn, &conn->left, token - KW_LEFT_FIRST + KW_END_FIRST - , kw, conn_name, cfg); - continue; - } - else if (token >= KW_RIGHT_FIRST && token <= KW_RIGHT_LAST) - { - kw_end(conn, &conn->right, token - KW_RIGHT_FIRST + KW_END_FIRST - , kw, conn_name, cfg); - continue; - } + bool assigned = FALSE; - if (token == KW_AUTO) - { - token = KW_CONN_SETUP; - } - else if (token == KW_ALSO) - { - if (cfg->parse_also) - { - also_t *also = alloc_thing(also_t, "also_t"); + kw_token_t token = kw->entry->token; - also->name = clone_str(kw->value, "also"); - also->next = conn->also; - conn->also = also; + if (token >= KW_LEFT_FIRST && token <= KW_LEFT_LAST) + { + kw_end(conn, &conn->left, token - KW_LEFT_FIRST + KW_END_FIRST + , kw, conn_name, cfg); + continue; + } + else if (token >= KW_RIGHT_FIRST && token <= KW_RIGHT_LAST) + { + kw_end(conn, &conn->right, token - KW_RIGHT_FIRST + KW_END_FIRST + , kw, conn_name, cfg); + continue; + } - DBG(DBG_CONTROL, - DBG_log(" also=%s", kw->value) - ) - } - continue; - } + if (token == KW_AUTO) + { + token = KW_CONN_SETUP; + } + else if (token == KW_ALSO) + { + if (cfg->parse_also) + { + also_t *also = alloc_thing(also_t, "also_t"); + + also->name = clone_str(kw->value, "also"); + also->next = conn->also; + conn->also = also; + + DBG(DBG_CONTROL, + DBG_log(" also=%s", kw->value) + ) + } + continue; + } - if (token < KW_CONN_FIRST || token > KW_CONN_LAST) - { - plog("# unsupported keyword '%s' in conn '%s'" - , kw->entry->name, conn_name); - 
cfg->err++; - continue; - } + if (token < KW_CONN_FIRST || token > KW_CONN_LAST) + { + plog("# unsupported keyword '%s' in conn '%s'" + , kw->entry->name, conn_name); + cfg->err++; + continue; + } - if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned)) - { - plog(" bad argument value in conn '%s'", conn_name); - cfg->err++; - continue; - } + if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned)) + { + plog(" bad argument value in conn '%s'", conn_name); + cfg->err++; + continue; + } - if (assigned) - continue; + if (assigned) + continue; - switch (token) - { - case KW_TYPE: - conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK); - if (streq(kw->value, "tunnel")) - conn->policy |= POLICY_TUNNEL; - else if (streq(kw->value, "passthrough") || streq(kw->value, "pass")) - conn->policy |= POLICY_SHUNT_PASS; - else if (streq(kw->value, "drop")) - conn->policy |= POLICY_SHUNT_DROP; - else if (streq(kw->value, "reject")) - conn->policy |= POLICY_SHUNT_REJECT; - else if (strcmp(kw->value, "transport") != 0) - { - plog("# bad policy value: %s=%s", kw->entry->name, kw->value); - cfg->err++; - } - break; - case KW_PFS: - KW_POLICY_FLAG("yes", "no", POLICY_PFS) - break; - case KW_COMPRESS: - KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS) - break; - case KW_AUTH: - KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE) - break; - case KW_AUTHBY: - conn->policy &= ~(POLICY_RSASIG | POLICY_PSK | POLICY_ENCRYPT); - - if (strcmp(kw->value, "never") != 0) - { - char *value = kw->value; - char *second = strchr(kw->value, '|'); - - if (second != NULL) - *second = '\0'; - - /* also handles the cases secret|rsasig and rsasig|secret */ - for (;;) - { - if (streq(value, "rsasig")) - conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT; - else if (streq(value, "secret")) - conn->policy |= POLICY_PSK | POLICY_ENCRYPT; - else - { - plog("# bad policy value: %s=%s", kw->entry->name, kw->value); - cfg->err++; + switch (token) + { + case KW_TYPE: + conn->policy &= ~(POLICY_TUNNEL | 
POLICY_SHUNT_MASK); + if (streq(kw->value, "tunnel")) + conn->policy |= POLICY_TUNNEL; + else if (streq(kw->value, "passthrough") || streq(kw->value, "pass")) + conn->policy |= POLICY_SHUNT_PASS; + else if (streq(kw->value, "drop")) + conn->policy |= POLICY_SHUNT_DROP; + else if (streq(kw->value, "reject")) + conn->policy |= POLICY_SHUNT_REJECT; + else if (strcmp(kw->value, "transport") != 0) + { + plog("# bad policy value: %s=%s", kw->entry->name, kw->value); + cfg->err++; + } break; - } - if (second == NULL) + case KW_PFS: + KW_POLICY_FLAG("yes", "no", POLICY_PFS) break; - value = second; - second = NULL; /* traverse the loop no more than twice */ - } - } - break; - case KW_REKEY: - KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY) - break; - default: - break; + case KW_COMPRESS: + KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS) + break; + case KW_AUTH: + KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE) + break; + case KW_AUTHBY: + conn->policy &= ~(POLICY_RSASIG | POLICY_PSK | POLICY_ENCRYPT); + + if (strcmp(kw->value, "never") != 0) + { + char *value = kw->value; + char *second = strchr(kw->value, '|'); + + if (second != NULL) + *second = '\0'; + + /* also handles the cases secret|rsasig and rsasig|secret */ + for (;;) + { + if (streq(value, "rsasig")) + conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT; + else if (streq(value, "secret")) + conn->policy |= POLICY_PSK | POLICY_ENCRYPT; + else + { + plog("# bad policy value: %s=%s", kw->entry->name, kw->value); + cfg->err++; + break; + } + if (second == NULL) + break; + value = second; + second = NULL; /* traverse the loop no more than twice */ + } + } + break; + case KW_REKEY: + KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY) + break; + default: + break; + } } - } - handle_firewall("left", &conn->left, cfg); - handle_firewall("right", &conn->right, cfg); + handle_firewall("left", &conn->left, cfg); + handle_firewall("right", &conn->right, cfg); } /* 
@@ -428,15 +428,12 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 static void
 conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
 {
- memcpy(conn, def, sizeof(starter_conn_t));
- conn->name = clone_str(name, "conn name");
-
- clone_args(KW_CONN_FIRST, KW_CONN_LAST
- , (char *)conn, (char *)def);
- clone_args(KW_END_FIRST, KW_END_LAST
- , (char *)&conn->left, (char *)&def->left);
- clone_args(KW_END_FIRST, KW_END_LAST
- , (char *)&conn->right, (char *)&def->right);
+ memcpy(conn, def, sizeof(starter_conn_t));
+ conn->name = clone_str(name, "conn name");
+
+ clone_args(KW_CONN_FIRST, KW_CONN_LAST, (char *)conn, (char *)def);
+ clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left, (char *)&def->left);
+ clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right, (char *)&def->right);
 }
 
 /*
@@ -445,53 +442,52 @@ conn_default(char *name, starter_conn_t *conn, starter_conn_t *def) static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg) { - char *ca_name = (ca->name == NULL)? "%default":ca->name; - - for ( ; kw; kw = kw->next) - { - bool assigned = FALSE; + char *ca_name = (ca->name == NULL)? "%default":ca->name; - kw_token_t token = kw->entry->token; - - if (token == KW_AUTO) - { - token = KW_CA_SETUP; - } - else if (token == KW_ALSO) + for ( ; kw; kw = kw->next) { - if (cfg->parse_also) - { - also_t *also = alloc_thing(also_t, "also_t"); + bool assigned = FALSE; - also->name = clone_str(kw->value, "also"); - also->next = ca->also; - ca->also = also; + kw_token_t token = kw->entry->token; - DBG(DBG_CONTROL, - DBG_log(" also=%s", kw->value) - ) - } - continue; - } + if (token == KW_AUTO) + { + token = KW_CA_SETUP; + } + else if (token == KW_ALSO) + { + if (cfg->parse_also) + { + also_t *also = alloc_thing(also_t, "also_t"); + + also->name = clone_str(kw->value, "also"); + also->next = ca->also; + ca->also = also; + + DBG(DBG_CONTROL, + DBG_log(" also=%s", kw->value) + ) + } + continue; + } - if (token < KW_CA_FIRST || token > KW_CA_LAST) - { - plog("# unsupported keyword '%s' in ca '%s'" - , kw->entry->name, ca_name); - cfg->err++; - continue; - } + if (token < KW_CA_FIRST || token > KW_CA_LAST) + { + plog("# unsupported keyword '%s' in ca '%s'", kw->entry->name, ca_name); + cfg->err++; + continue; + } - if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned)) - { - plog(" bad argument value in ca '%s'", ca_name); - cfg->err++; + if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned)) + { + plog(" bad argument value in ca '%s'", ca_name); + cfg->err++; + } } - } - /* treat 'route' and 'start' as 'add' */ - if (ca->startup != STARTUP_NO) - ca->startup = STARTUP_ADD; + /* treat 'route' and 'start' as 'add' */ + if (ca->startup != STARTUP_NO) + ca->startup = STARTUP_ADD; } /* 
@@ -500,10 +496,10 @@ load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
 static void
 ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
 {
- memcpy(ca, def, sizeof(starter_ca_t));
- ca->name = clone_str(name, "ca name");
+ memcpy(ca, def, sizeof(starter_ca_t));
+ ca->name = clone_str(name, "ca name");
 
- clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
+ clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
 }
 
 static kw_list_t*
@@ -512,25 +508,25 @@ find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg);
 static void
 load_also_conns(starter_conn_t *conn, also_t *also, starter_config_t *cfg)
 {
- while (also != NULL)
- {
- kw_list_t *kw = find_also_conn(also->name, conn, cfg);
-
- if (kw == NULL)
- {
- plog(" conn '%s' cannot include '%s'", conn->name, also->name);
- }
- else
+ while (also != NULL)
 {
- DBG(DBG_CONTROL,
- DBG_log("conn '%s' includes '%s'", conn->name, also->name)
- )
- /* only load if no error occurred in the first round */
- if (cfg->err == 0)
- load_conn(conn, kw, cfg);
+ kw_list_t *kw = find_also_conn(also->name, conn, cfg);
+
+ if (kw == NULL)
+ {
+ plog(" conn '%s' cannot include '%s'", conn->name, also->name);
+ }
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("conn '%s' includes '%s'", conn->name, also->name)
+ )
+ /* only load if no error occurred in the first round */
+ if (cfg->err == 0)
+ load_conn(conn, kw, cfg);
+ }
+ also = also->next;
 }
- also = also->next;
- }
 }
 
 /*
@@ -539,28 +535,28 @@ load_also_conns(starter_conn_t *conn, also_t *also, starter_config_t *cfg) static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg) { - starter_conn_t *c = cfg->conn_first; + starter_conn_t *c = cfg->conn_first; - while (c != NULL) - { - if (streq(name, c->name)) + while (c != NULL) { - if (conn->visit == c->visit) - { - plog("# detected also loop"); - cfg->err++; - return NULL; - } - c->visit = conn->visit; - load_also_conns(conn, c->also, cfg); - return c->kw; + if (streq(name, c->name)) + { + if (conn->visit == c->visit) + { + plog("# detected also loop"); + cfg->err++; + return NULL; + } + c->visit = conn->visit; + load_also_conns(conn, c->also, cfg); + return c->kw; + } + c = c->next; } - c = c->next; - } - plog("# also '%s' not found", name); - cfg->err++; - return NULL; + plog("# also '%s' not found", name); + cfg->err++; + return NULL; } static kw_list_t* @@ -569,25 +565,25 @@ find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg); static void load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg) { - while (also != NULL) - { - kw_list_t *kw = find_also_ca(also->name, ca, cfg); - - if (kw == NULL) - { - plog(" ca '%s' cannot include '%s'", ca->name, also->name); - } - else + while (also != NULL) { - DBG(DBG_CONTROL, - DBG_log("ca '%s' includes '%s'", ca->name, also->name) - ) - /* only load if no error occurred in the first round */ - if (cfg->err == 0) - load_ca(ca, kw, cfg); + kw_list_t *kw = find_also_ca(also->name, ca, cfg); + + if (kw == NULL) + { + plog(" ca '%s' cannot include '%s'", ca->name, also->name); + } + else + { + DBG(DBG_CONTROL, + DBG_log("ca '%s' includes '%s'", ca->name, also->name) + ) + /* only load if no error occurred in the first round */ + if (cfg->err == 0) + load_ca(ca, kw, cfg); + } + also = also->next; } - also = also->next; - } } /* 
@@ -596,28 +592,28 @@ load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg) static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg) { - starter_ca_t *c = cfg->ca_first; + starter_ca_t *c = cfg->ca_first; - while (c != NULL) - { - if (streq(name, c->name)) + while (c != NULL) { - if (ca->visit == c->visit) - { - plog("# detected also loop"); - cfg->err++; - return NULL; - } - c->visit = ca->visit; - load_also_cas(ca, c->also, cfg); - return c->kw; + if (streq(name, c->name)) + { + if (ca->visit == c->visit) + { + plog("# detected also loop"); + cfg->err++; + return NULL; + } + c->visit = ca->visit; + load_also_cas(ca, c->also, cfg); + return c->kw; + } + c = c->next; } - c = c->next; - } - plog("# also '%s' not found", name); - cfg->err++; - return NULL; + plog("# also '%s' not found", name); + cfg->err++; + return NULL; } 
@@ -628,162 +624,162 @@ find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg) starter_config_t * confread_load(const char *file) { - starter_config_t *cfg = NULL; - config_parsed_t *cfgp; - section_list_t *sconn, *sca; - starter_conn_t *conn; - starter_ca_t *ca; + starter_config_t *cfg = NULL; + config_parsed_t *cfgp; + section_list_t *sconn, *sca; + starter_conn_t *conn; + starter_ca_t *ca; - u_int visit = 0; + u_int visit = 0; - /* load IPSec configuration file */ - cfgp = parser_load_conf(file); - if (!cfgp) - return NULL; + /* load IPSec configuration file */ + cfgp = parser_load_conf(file); + if (!cfgp) + return NULL; - cfg = (starter_config_t *)alloc_thing(starter_config_t, "starter_config_t"); + cfg = (starter_config_t *)alloc_thing(starter_config_t, "starter_config_t"); - /* set default values */ - default_values(cfg); + /* set default values */ + default_values(cfg); - /* determine default route */ - get_defaultroute(&cfg->defaultroute); - - /* load config setup section */ - load_setup(cfg, cfgp); + /* determine default route */ + get_defaultroute(&cfg->defaultroute); - /* in the first round parse also statements */ - cfg->parse_also = TRUE; + /* load config setup section */ + load_setup(cfg, cfgp); - /* find %default ca section */ - for (sca = cfgp->ca_first; sca; sca = sca->next) - { - if (streq(sca->name, "%default")) + /* in the first round parse also statements */ + cfg->parse_also = TRUE; + + /* find %default ca section */ + for (sca = cfgp->ca_first; sca; sca = sca->next) { - DBG(DBG_CONTROL, - DBG_log("Loading ca %%default") - ) - load_ca(&cfg->ca_default, sca->kw, cfg); + if (streq(sca->name, "%default")) + { + DBG(DBG_CONTROL, + DBG_log("Loading ca %%default") + ) + load_ca(&cfg->ca_default, sca->kw, cfg); + } } - } - /* parameters defined in ca %default sections can be overloads */ - cfg->ca_default.seen = LEMPTY; + /* parameters defined in ca %default sections can be overloads */ + cfg->ca_default.seen = LEMPTY; - /* load 
other ca sections */ - for (sca = cfgp->ca_first; sca; sca = sca->next) - { - /* skip %default ca section */ - if (streq(sca->name, "%default")) - continue; - - DBG(DBG_CONTROL, - DBG_log("Loading ca '%s'", sca->name) - ) - ca = (starter_ca_t *)alloc_thing(starter_ca_t, "starter_ca_t"); - - ca_default(sca->name, ca, &cfg->ca_default); - ca->kw = sca->kw; - ca->next = NULL; - - if (cfg->ca_last) - cfg->ca_last->next = ca; - cfg->ca_last = ca; - if (!cfg->ca_first) - cfg->ca_first = ca; - - load_ca(ca, ca->kw, cfg); - } - - for (ca = cfg->ca_first; ca; ca = ca->next) - { - also_t *also = ca->also; - - while (also != NULL) + /* load other ca sections */ + for (sca = cfgp->ca_first; sca; sca = sca->next) { - kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg); + /* skip %default ca section */ + if (streq(sca->name, "%default")) + continue; + + DBG(DBG_CONTROL, + DBG_log("Loading ca '%s'", sca->name) + ) + ca = (starter_ca_t *)alloc_thing(starter_ca_t, "starter_ca_t"); - load_ca(ca, kw, cfg); - also = also->next; + ca_default(sca->name, ca, &cfg->ca_default); + ca->kw = sca->kw; + ca->next = NULL; + + if (cfg->ca_last) + cfg->ca_last->next = ca; + cfg->ca_last = ca; + if (!cfg->ca_first) + cfg->ca_first = ca; + + load_ca(ca, ca->kw, cfg); } - if (ca->startup != STARTUP_NO) - ca->state = STATE_TO_ADD; - } + for (ca = cfg->ca_first; ca; ca = ca->next) + { + also_t *also = ca->also; + + while (also != NULL) + { + kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg); - /* find %default conn sections */ - for (sconn = cfgp->conn_first; sconn; sconn = sconn->next) - { - if (streq(sconn->name, "%default")) + load_ca(ca, kw, cfg); + also = also->next; + } + + if (ca->startup != STARTUP_NO) + ca->state = STATE_TO_ADD; + } + + /* find %default conn sections */ + for (sconn = cfgp->conn_first; sconn; sconn = sconn->next) { - DBG(DBG_CONTROL, - DBG_log("Loading conn %%default") - ) - load_conn(&cfg->conn_default, sconn->kw, cfg); + if (streq(sconn->name, 
"%default")) + { + DBG(DBG_CONTROL, + DBG_log("Loading conn %%default") + ) + load_conn(&cfg->conn_default, sconn->kw, cfg); + } } - } - /* parameter defined in conn %default sections can be overloaded */ - cfg->conn_default.seen = LEMPTY; - cfg->conn_default.right.seen = LEMPTY; - cfg->conn_default.left.seen = LEMPTY; + /* parameter defined in conn %default sections can be overloaded */ + cfg->conn_default.seen = LEMPTY; + cfg->conn_default.right.seen = LEMPTY; + cfg->conn_default.left.seen = LEMPTY; - /* load other conn sections */ - for (sconn = cfgp->conn_first; sconn; sconn = sconn->next) - { - /* skip %default conn section */ - if (streq(sconn->name, "%default")) - continue; + /* load other conn sections */ + for (sconn = cfgp->conn_first; sconn; sconn = sconn->next) + { + /* skip %default conn section */ + if (streq(sconn->name, "%default")) + continue; - DBG(DBG_CONTROL, - DBG_log("Loading conn '%s'", sconn->name) - ) - conn = (starter_conn_t *)alloc_thing(starter_conn_t, "starter_conn_t"); + DBG(DBG_CONTROL, + DBG_log("Loading conn '%s'", sconn->name) + ) + conn = (starter_conn_t *)alloc_thing(starter_conn_t, "starter_conn_t"); - conn_default(sconn->name, conn, &cfg->conn_default); - conn->kw = sconn->kw; - conn->next = NULL; + conn_default(sconn->name, conn, &cfg->conn_default); + conn->kw = sconn->kw; + conn->next = NULL; - if (cfg->conn_last) - cfg->conn_last->next = conn; - cfg->conn_last = conn; - if (!cfg->conn_first) - cfg->conn_first = conn; + if (cfg->conn_last) + cfg->conn_last->next = conn; + cfg->conn_last = conn; + if (!cfg->conn_first) + cfg->conn_first = conn; - load_conn(conn, conn->kw, cfg); - } + load_conn(conn, conn->kw, cfg); + } - /* in the second round do not parse also statements */ - cfg->parse_also = FALSE; + /* in the second round do not parse also statements */ + cfg->parse_also = FALSE; - for (ca = cfg->ca_first; ca; ca = ca->next) - { - ca->visit = ++visit; - load_also_cas(ca, ca->also, cfg); + for (ca = cfg->ca_first; ca; ca = 
ca->next) + { + ca->visit = ++visit; + load_also_cas(ca, ca->also, cfg); - if (ca->startup != STARTUP_NO) - ca->state = STATE_TO_ADD; - } + if (ca->startup != STARTUP_NO) + ca->state = STATE_TO_ADD; + } - for (conn = cfg->conn_first; conn; conn = conn->next) - { - conn->visit = ++visit; - load_also_conns(conn, conn->also, cfg); + for (conn = cfg->conn_first; conn; conn = conn->next) + { + conn->visit = ++visit; + load_also_conns(conn, conn->also, cfg); - if (conn->startup != STARTUP_NO) - conn->state = STATE_TO_ADD; - } + if (conn->startup != STARTUP_NO) + conn->state = STATE_TO_ADD; + } - parser_free_conf(cfgp); + parser_free_conf(cfgp); - if (cfg->err) - { - plog("### %d parsing error%s ###", cfg->err, (cfg->err > 1)?"s":""); - confread_free(cfg); - cfg = NULL; - } + if (cfg->err) + { + plog("### %d parsing error%s ###", cfg->err, (cfg->err > 1)?"s":""); + confread_free(cfg); + cfg = NULL; + } - return cfg; + return cfg; } /* @@ -792,14 +788,14 @@ confread_load(const char *file) static void free_also(also_t *head) { - while (head != NULL) - { - also_t *also = head; - - head = also->next; - pfree(also->name); - pfree(also); - } + while (head != NULL) + { + also_t *also = head; + + head = also->next; + pfree(also->name); + pfree(also); + } } /* @@ -808,10 +804,10 @@ free_also(also_t *head) static void confread_free_conn(starter_conn_t *conn) { - free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left); - free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right); - free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn); - free_also(conn->also); + free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left); + free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right); + free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn); + free_also(conn->also); } /* 
@@ -820,8 +816,8 @@ confread_free_conn(starter_conn_t *conn) static void confread_free_ca(starter_ca_t *ca) { - free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca); - free_also(ca->also); + free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca); + free_also(ca->also); } /* @@ -830,32 +826,32 @@ confread_free_ca(starter_ca_t *ca) void confread_free(starter_config_t *cfg) { - starter_conn_t *conn = cfg->conn_first; - starter_ca_t *ca = cfg->ca_first; + starter_conn_t *conn = cfg->conn_first; + starter_ca_t *ca = cfg->ca_first; - free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg); + free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg); - confread_free_conn(&cfg->conn_default); + confread_free_conn(&cfg->conn_default); - while (conn != NULL) - { - starter_conn_t *conn_aux = conn; + while (conn != NULL) + { + starter_conn_t *conn_aux = conn; - conn = conn->next; - confread_free_conn(conn_aux); - pfree(conn_aux); - } + conn = conn->next; + confread_free_conn(conn_aux); + pfree(conn_aux); + } - confread_free_ca(&cfg->ca_default); + confread_free_ca(&cfg->ca_default); - while (ca != NULL) - { - starter_ca_t *ca_aux = ca; + while (ca != NULL) + { + starter_ca_t *ca_aux = ca; - ca = ca->next; - confread_free_ca(ca_aux); - pfree(ca_aux); - } + ca = ca->next; + confread_free_ca(ca_aux); + pfree(ca_aux); + } - pfree(cfg); + pfree(cfg); } diff --git a/src/starter/confread.h b/src/starter/confread.h index 9793a55a5..051ce0057 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -151,6 +151,8 @@ struct starter_config { lset_t seen; char **interfaces; char *dumpdir; + bool charonstart; + bool plutostart; /* pluto keywords */ char **plutodebug; diff --git a/src/starter/files.h b/src/starter/files.h index 83d27e152..61f03b84e 100644 --- a/src/starter/files.h +++ b/src/starter/files.h 
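Review bot: The two new `starter_config` fields are added without a comment saying what they gate or what their default is, even though this commit's test configs rely on `plutostart=no` overriding an implicit yes. I would annotate them in place: `bool charonstart; /* launch charon (IKEv2 daemon); "charonstart" in config setup */` and `bool plutostart; /* launch pluto (IKEv1 daemon); "plutostart" in config setup */`, and state the default there (presumably TRUE, set in default_values(), which this diff does not show). Since free_args() in the confread.c hunk above walks KW_SETUP_FIRST..KW_SETUP_LAST over `(char *)cfg`, the position of these fields relative to `dumpdir` and `plutodebug` is apparently significant, which is worth one line in the same comment. The struct itself starts and ends outside this hunk.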
@@ -40,12 +40,10 @@ #define PLUTO_CTL_FILE DEFAULT_CTLBASE CTL_SUFFIX #define PLUTO_PID_FILE DEFAULT_CTLBASE PID_SUFFIX -#ifdef IKEV2 #define CHARON_CMD IPSEC_EXECDIR"/charon" #define CHARON_BASE "/var/run/charon" #define CHARON_CTL_FILE CHARON_BASE CTL_SUFFIX #define CHARON_PID_FILE CHARON_BASE PID_SUFFIX -#endif /* IKEV2 */ #define DYNIP_DIR "/var/run/dynip" #define INFO_FILE "/var/run/ipsec.info" diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 4cc5c03e8..12db4b7ec 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -44,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: keywords.c,v 1.7 2006/04/17 10:32:48 as Exp $ + * RCSID $Id: keywords.txt,v 1.6 2006/04/17 10:30:27 as Exp $ */ #include <string.h> @@ -56,12 +56,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 77 +#define TOTAL_KEYWORDS 79 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 #define MIN_HASH_VALUE 9 -#define MAX_HASH_VALUE 146 -/* maximum key range = 138, duplicates = 0 */ +#define MAX_HASH_VALUE 156 +/* maximum key range = 148, duplicates = 0 */ #ifdef __GNUC__ __inline 
@@ -77,32 +77,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 15, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 85, 147, 40, - 25, 25, 0, 10, 5, 80, 147, 35, 60, 35, - 60, 55, 10, 147, 15, 20, 5, 65, 147, 147, - 147, 35, 0, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147, 147, 147, 147, 147, - 147, 147, 147, 147, 147, 147 + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 20, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 75, 157, 40, + 25, 25, 0, 10, 5, 55, 157, 65, 60, 35, + 80, 65, 10, 157, 15, 20, 5, 80, 157, 157, + 157, 
35, 5, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157, 157, 157, 157, 157, + 157, 157, 157, 157, 157, 157 }; return len + asso_values[(unsigned char)str[2]] + asso_values[(unsigned char)str[len - 1]]; } @@ -142,7 +142,7 @@ static const struct kw_entry wordlist[] = {"rightgroups", KW_RIGHTGROUPS}, {"rightid", KW_RIGHTID}, {"pfs", KW_PFS}, - {"rekeyfuzz", KW_REKEYFUZZ}, + {""}, {"righthostaccess", KW_RIGHTHOSTACCESS}, {"authby", KW_AUTHBY}, {""}, 
@@ -161,54 +161,62 @@ static const struct kw_entry wordlist[] = {"ikelifetime", KW_IKELIFETIME}, {""}, {"compress", KW_COMPRESS}, - {"auto", KW_AUTO}, + {""}, {"strictcrlpolicy", KW_STRICTCRLPOLICY}, {"keyingtries", KW_KEYINGTRIES}, {"keylife", KW_KEYLIFE}, {"dpddelay", KW_DPDDELAY}, {"cachecrls", KW_CACHECRLS}, - {"leftupdown", KW_LEFTUPDOWN}, + {""}, {"keyexchange", KW_KEYEXCHANGE}, {"leftfirewall", KW_LEFTFIREWALL}, {"nocrsend", KW_NOCRSEND}, + {"auto", KW_AUTO}, + {"klipsdebug", KW_KLIPSDEBUG}, {""}, - {"rekey", KW_REKEY}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, {"pkcs11module", KW_PKCS11MODULE}, {"nat_traversal", KW_NAT_TRAVERSAL}, - {"also", KW_ALSO}, + {"rekeyfuzz", KW_REKEYFUZZ}, {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"rightupdown", KW_RIGHTUPDOWN}, - {"crluri2", KW_CRLURI2}, + {"leftca", KW_LEFTCA}, + {"ocspuri", KW_OCSPURI}, {"rightfirewall", KW_RIGHTFIREWALL}, - {"postpluto", KW_POSTPLUTO}, - {"plutodebug", KW_PLUTODEBUG}, + {"uniqueids", KW_UNIQUEIDS}, + {""}, {"pkcs11proxy", KW_PKCS11PROXY}, - {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, - {"prepluto", KW_PREPLUTO}, - {""}, {""}, - {"leftca", KW_LEFTCA}, - {""}, {""}, - {"dpdaction", KW_DPDACTION}, - {""}, {""}, {""}, + {"crluri2", KW_CRLURI2}, {"ldaphost", KW_LDAPHOST}, - {""}, - {"klipsdebug", KW_KLIPSDEBUG}, - {"overridemtu", KW_OVERRIDEMTU}, + {"also", KW_ALSO}, + {"leftupdown", KW_LEFTUPDOWN}, + {"charonstart", KW_CHARONSTART}, {"rightca", KW_RIGHTCA}, {"fragicmp", KW_FRAGICMP}, - {""}, {""}, - {"rekeymargin", KW_REKEYMARGIN}, - {"ocspuri", KW_OCSPURI}, + {"postpluto", KW_POSTPLUTO}, + {"plutostart", KW_PLUTOSTART}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, {""}, - {"uniqueids", KW_UNIQUEIDS}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, + {"prepluto", KW_PREPLUTO}, + {""}, + {"plutodebug", KW_PLUTODEBUG}, + {"rightupdown", KW_RIGHTUPDOWN}, + {""}, {""}, {""}, + {"rekey", KW_REKEY}, + {""}, + {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, {"ldapbase", KW_LDAPBASE}, + {""}, {""}, 
{""}, {""}, {""}, + {"dpdaction", KW_DPDACTION}, + {""}, + {"overridemtu", KW_OVERRIDEMTU}, + {""}, {""}, {""}, {""}, + {"crluri", KW_CRLURI}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, - {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, + {""}, {""}, {""}, {""}, {""}, {"crlcheckinterval", KW_CRLCHECKINTERVAL}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, - {"crluri", KW_CRLURI} + {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, + {""}, + {"rekeymargin", KW_REKEYMARGIN} }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 6542ae1be..d62a83df8 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -22,6 +22,8 @@ typedef enum { /* config setup keywords */ KW_INTERFACES, KW_DUMPDIR, + KW_CHARONSTART, + KW_PLUTOSTART, /* pluto keywords */ KW_PLUTODEBUG, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index dcfdafc98..789c8f3a7 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -27,9 +27,11 @@ struct kw_entry { }; %% interfaces, KW_INTERFACES +dumpdir, KW_DUMPDIR +charonstart, KW_CHARONSTART +plutostart, KW_PLUTOSTART klipsdebug, KW_KLIPSDEBUG plutodebug, KW_PLUTODEBUG -dumpdir, KW_DUMPDIR prepluto, KW_PREPLUTO postpluto, KW_POSTPLUTO fragicmp, KW_FRAGICMP diff --git a/src/starter/starter.c b/src/starter/starter.c index 1f857ce44..2806622e4 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -67,10 +67,8 @@ fsig(int signal) { if (pid == starter_pluto_pid()) name = " (Pluto)"; -#ifdef IKEV2 if (pid == starter_charon_pid()) name = " (Charon)"; -#endif /* IKEV2 */ if (WIFSIGNALED(status)) DBG(DBG_CONTROL, DBG_log("child %d%s has been killed by sig %d\n", @@ -93,10 +91,8 @@ fsig(int signal) if (pid == starter_pluto_pid()) starter_pluto_sigchild(pid); -#ifdef IKEV2 if (pid == starter_charon_pid()) starter_charon_sigchild(pid); -#endif /* IKEV2 */ } } break; 
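Review bot: KW_CHARONSTART and KW_PLUTOSTART are inserted in the middle of the token enum, which shifts every token after KW_DUMPDIR, and nothing in the header records that this order is tied to other tables. The matching `bool` fields in confread.h are inserted at the same relative position and args.c is touched in this commit but not shown, so the alignment appears intentional; I would make it explicit with a comment at the top of the enum such as `/* order must match the argument table in args.c and the field layout in confread.h */` so the next keyword added does not silently misalign the token-to-field mapping. The enum starts and ends outside this hunk.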
@@ -106,10 +102,8 @@ fsig(int signal) break; case SIGALRM: - _action_ |= FLAG_ACTION_START_PLUTO; -#ifdef IKEV2 - _action_ |= FLAG_ACTION_START_CHARON; -#endif /* IKEV2 */ + _action_ |= FLAG_ACTION_START_PLUTO; + _action_ |= FLAG_ACTION_START_CHARON; break; case SIGHUP: @@ -223,7 +217,6 @@ int main (int argc, char **argv) { _action_ |= FLAG_ACTION_START_PLUTO; } -#ifdef IKEV2 if (stat(CHARON_PID_FILE, &stb) == 0) { plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE); @@ -232,7 +225,6 @@ int main (int argc, char **argv) { _action_ |= FLAG_ACTION_START_CHARON; } -#endif /* IKEV2 */ if (stat(DEV_RANDOM, &stb) != 0) { plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM); @@ -315,10 +307,8 @@ int main (int argc, char **argv) { if (starter_pluto_pid()) starter_stop_pluto(); -#ifdef IKEV2 if (starter_charon_pid()) starter_stop_charon(); -#endif /* IKEV2 */ starter_netkey_cleanup(); confread_free(cfg); unlink(MY_PID_FILE); @@ -336,22 +326,16 @@ int main (int argc, char **argv) */ if (_action_ & FLAG_ACTION_RELOAD) { - if (starter_pluto_pid()) + if (starter_pluto_pid() || starter_charon_pid()) { for (conn = cfg->conn_first; conn; conn = conn->next) { if (conn->state == STATE_ADDED) { -#ifdef IKEV2 if (conn->keyexchange == KEY_EXCHANGE_IKEV2) - { starter_stroke_del_conn(conn); - } -#endif /* IKEV2 */ else - { starter_whack_del_conn(conn); - } conn->state = STATE_TO_ADD; } } @@ -423,16 +407,10 @@ int main (int argc, char **argv) { if (conn->state == STATE_ADDED) { -#ifdef IKEV2 if (conn->keyexchange == KEY_EXCHANGE_IKEV2) - { starter_stroke_del_conn(conn); - } else -#endif /* IKEV2 */ - { starter_whack_del_conn(conn); - } } } @@ -477,7 +455,7 @@ int main (int argc, char **argv) */ if (_action_ & FLAG_ACTION_START_PLUTO) { - if (starter_pluto_pid() == 0) + if (cfg->setup.plutostart && !starter_pluto_pid()) { DBG(DBG_CONTROL, DBG_log("Attempting to start pluto...") 
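Review bot: The reload loop now runs whenever either daemon is alive, but each connection is still routed to whack or stroke by `conn->keyexchange` alone, so with `plutostart=no` (as in this commit's test configs) an IKEv1 connection in STATE_ADDED is deleted via whack against a pluto that was never started, and the mirror case hits a missing charon. The per-connection dispatch should check the daemon it talks to: `if (conn->keyexchange == KEY_EXCHANGE_IKEV2) { if (starter_charon_pid()) starter_stroke_del_conn(conn); } else if (starter_pluto_pid()) starter_whack_del_conn(conn);`. I cannot see how starter_whack_del_conn behaves when pluto's control socket is absent, so this may only produce a spurious error rather than a failure, but the guard is cheap. Removing the braces around the if/else arms also sets up the dangling-else trap for the next line added here; the enclosing main() extends well beyond this hunk.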
@@ -508,18 +486,17 @@ int main (int argc, char **argv) } } -#ifdef IKEV2 /* * Start charon */ if (_action_ & FLAG_ACTION_START_CHARON) { - if (starter_charon_pid() == 0) + if (cfg->setup.charonstart && !starter_charon_pid()) { DBG(DBG_CONTROL, DBG_log("Attempting to start charon...") ) - if (starter_start_charon(cfg, no_fork) != 0) + if (starter_start_charon(cfg, no_fork)) { /* schedule next try */ alarm(PLUTO_RESTART_DELAY); @@ -527,7 +504,6 @@ int main (int argc, char **argv) } _action_ &= ~FLAG_ACTION_START_CHARON; } -#endif /* IKEV2 */ /* * Tell pluto to reread its interfaces @@ -541,7 +517,7 @@ int main (int argc, char **argv) /* * Add stale conn and ca sections */ - if (starter_pluto_pid() != 0) + if (starter_pluto_pid() || starter_charon_pid()) { for (ca = cfg->ca_first; ca; ca = ca->next) { @@ -561,43 +537,25 @@ int main (int argc, char **argv) /* affect new unique id */ conn->id = id++; } -#ifdef IKEV2 if (conn->keyexchange == KEY_EXCHANGE_IKEV2) - { starter_stroke_add_conn(conn); - } else -#endif /* IKEV2 */ - { starter_whack_add_conn(conn); - } conn->state = STATE_ADDED; if (conn->startup == STARTUP_START) { -#ifdef IKEV2 if (conn->keyexchange == KEY_EXCHANGE_IKEV2) - { starter_stroke_initiate_conn(conn); - } else -#endif /* IKEV2 */ - { starter_whack_initiate_conn(conn); - } } else if (conn->startup == STARTUP_ROUTE) { -#ifdef IKEV2 if (conn->keyexchange == KEY_EXCHANGE_IKEV2) - { starter_stroke_route_conn(conn); - } else -#endif /* IKEV2 */ - { starter_whack_route_conn(conn); - } } } } diff --git a/testing/tests/ikev2-net2net/description.txt b/testing/tests/ikev2-net2net/description.txt index 7eea9192f..1f371c95e 100644 --- a/testing/tests/ikev2-net2net/description.txt +++ b/testing/tests/ikev2-net2net/description.txt 
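Review bot: Widening the guard to `starter_pluto_pid() || starter_charon_pid()` means the CA loop that follows now runs when only charon is up, yet its body (outside this hunk) presumably adds CA sections through whack, i.e. to pluto only. If that is the case, the CA loop should keep its own `if (starter_pluto_pid())` check, or the loop body should skip the call when pluto is absent, otherwise every reload with `plutostart=no` attempts whack traffic to a daemon that does not exist. I am inferring the CA path from the IKEv1/IKEv2 split visible for connections below; if CAs are also pushed to charon via stroke this note does not apply.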
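Review bot: In the add/initiate/route path a connection is pushed to whack or stroke purely by `conn->keyexchange` and then marked STATE_ADDED, even when the daemon it belongs to was not started, so an IKEv1 conn under `plutostart=no` is "added" to nothing and will never be retried once pluto is started later. A one-line guard before the add keeps the state honest: `if (conn->keyexchange == KEY_EXCHANGE_IKEV2 ? !starter_charon_pid() : !starter_pluto_pid()) continue;`, leaving the conn in STATE_TO_ADD for the next pass. Whether whack/stroke fail loudly or silently against a missing socket is not visible here, so I am flagging the state bookkeeping rather than a crash. The three unbraced if/else pairs introduced here would also be safer with braces kept, as the rest of main() appears to use them; main() starts and ends outside this hunk.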
@@ -1,6 +1,5 @@ -A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. -The authentication is based on <b>X.509 certificates</b>. Upon the successful -establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> +is set up using the IKEv2 key exchange protocol. The authentication is based on +locally importerd <b>X.509 certificates</b>. +In order to test the established tunnel, client <b>alice</b> behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev2-net2net/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2-net2net/hosts/moon/etc/ipsec.conf index 9a95d4040..16f46cf8d 100644 --- a/testing/tests/ikev2-net2net/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2-net2net/hosts/moon/etc/ipsec.conf @@ -2,6 +2,9 @@ version 2.0 # conforms to second version of ipsec.conf specification +config setup + plutostart=no + conn net-net left=192.168.0.1 leftcert=moonCert.pem diff --git a/testing/tests/ikev2-net2net/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-net2net/hosts/sun/etc/ipsec.conf index b2c2b71ec..a90a4ce7d 100644 --- a/testing/tests/ikev2-net2net/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2-net2net/hosts/sun/etc/ipsec.conf @@ -2,6 +2,9 @@ version 2.0 # conforms to second version of ipsec.conf specification +config setup + plutostart=no + conn net-net left=192.168.0.2 leftcert=sunCert.pem |