Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/Makefile.am9
-rw-r--r--src/starter/args.c5
-rw-r--r--src/starter/confread.h6
-rw-r--r--src/starter/invokecharon.c11
-rw-r--r--src/starter/invokecharon.h2
-rw-r--r--src/starter/invokepluto.c12
-rw-r--r--src/starter/invokepluto.h2
-rw-r--r--src/starter/ipsec.conf.580
-rw-r--r--src/starter/keywords.h10
-rw-r--r--src/starter/keywords.txt10
-rw-r--r--src/starter/starter.c10
-rw-r--r--src/starter/starterstroke.c5
12 files changed, 125 insertions, 37 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 8a9ba54c9..e9c707c2b 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -5,7 +5,14 @@ starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
exec.h invokecharon.h lex.yy.c loglite.c klips.c klips.h
-INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
+INCLUDES = \
+-I${linuxdir} \
+-I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto \
+-I$(top_srcdir)/src/whack \
+-I$(top_srcdir)/src/stroke
+
AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a
EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
diff --git a/src/starter/args.c b/src/starter/args.c
index b5f716069..825824586 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -249,11 +249,16 @@ static const token_info_t token_info[] =
{ ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool },
{ ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool },
{ ARG_STR, offsetof(starter_end_t, updown), NULL },
+ { ARG_STR, offsetof(starter_end_t, auth), NULL },
+ { ARG_STR, offsetof(starter_end_t, auth2), NULL },
{ ARG_STR, offsetof(starter_end_t, id), NULL },
+ { ARG_STR, offsetof(starter_end_t, id2), NULL },
{ ARG_STR, offsetof(starter_end_t, rsakey), NULL },
{ ARG_STR, offsetof(starter_end_t, cert), NULL },
+ { ARG_STR, offsetof(starter_end_t, cert2), NULL },
{ ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert },
{ ARG_STR, offsetof(starter_end_t, ca), NULL },
+ { ARG_STR, offsetof(starter_end_t, ca2), NULL },
{ ARG_STR, offsetof(starter_end_t, groups), NULL },
{ ARG_STR, offsetof(starter_end_t, iface), NULL }
};
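Review bot: The new token_info entries (auth, auth2 before id; id2 after id; cert2 after cert; ca2 after ca) only work because their positions line up with the KW_LEFT* additions in keywords.h, yet nothing in the table states that coupling; a future entry inserted in one place but not the other would silently store a keyword's value into the wrong starter_end_t field. Presumably the table is indexed by keyword-enum offset — if so, a comment above the table such as `/* order must match KW_LEFT_FIRST..KW_LEFT_LAST in keywords.h */` would make the invariant visible where it matters. The token_info definition starts before this hunk.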
diff --git a/src/starter/confread.h b/src/starter/confread.h
index ed344fe6f..3d4829ea1 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -20,7 +20,6 @@
#ifndef _FREESWAN_H
#include <freeswan.h>
-#include "../pluto/constants.h"
#endif
#include "parser.h"
@@ -57,10 +56,15 @@ typedef struct starter_end starter_end_t;
struct starter_end {
lset_t seen;
+ char *auth;
+ char *auth2;
char *id;
+ char *id2;
char *rsakey;
char *cert;
+ char *cert2;
char *ca;
+ char *ca2;
char *groups;
char *iface;
ip_address addr;
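Review bot: struct starter_end gains five heap-backed string members (auth, auth2, id2, cert2, ca2), but confread.c, which owns this struct's lifetime, is not in the diffstat. If teardown frees each char * member by name rather than walking the ARG_STR entries of args.c's token_info, the new fields leak on every configuration reload; worth confirming before merge. Either way a short comment on the new members would tie them to the man-page semantics, e.g. `char *auth2; /* second IKEv2 authentication round (RFC 4739) */`.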
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 1cce4e41d..a511f55dd 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -109,7 +109,7 @@ starter_stop_charon (void)
int
-starter_start_charon (starter_config_t *cfg, bool no_fork)
+starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
{
struct stat stb;
int pid, i;
@@ -121,7 +121,14 @@ starter_start_charon (starter_config_t *cfg, bool no_fork)
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
};
-
+
+ if (attach_gdb)
+ {
+ argc = 0;
+ arg[argc++] = "/usr/bin/gdb";
+ arg[argc++] = "--args";
+ arg[argc++] = CHARON_CMD;
+ }
if (!no_fork)
{
arg[argc++] = "--use-syslog";
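Review bot: The gdb branch resets argc and writes three entries (gdb, --args, CHARON_CMD) where the initializer presumably placed only CHARON_CMD, so the fixed-size arg[] array whose NULL padding is visible just above now needs two more free slots ahead of the trailing NULL; arg[argc++] is never bounds-checked, so confirm the array length covers the longest argument set plus the terminator. The same applies to the pluto hunk in invokepluto.c, which pushes four entries. A comment at the branch would help, e.g. `/* gdb takes argv[0]; arg[] must leave room for the two extra entries */`. starter_start_charon continues outside the hunk, where the array is declared and consumed.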
diff --git a/src/starter/invokecharon.h b/src/starter/invokecharon.h
index f62221da6..03c592f1e 100644
--- a/src/starter/invokecharon.h
+++ b/src/starter/invokecharon.h
@@ -25,7 +25,7 @@
extern void starter_charon_sigchild (pid_t pid);
extern pid_t starter_charon_pid (void);
extern int starter_stop_charon (void);
-extern int starter_start_charon(struct starter_config *cfg, bool debug);
+extern int starter_start_charon(struct starter_config *cfg, bool no_fork, bool attach_gdb);
#endif /* _STARTER_CHARON_H_ */
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index 6fdf46ffd..5e840bac2 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -121,7 +121,7 @@ starter_stop_pluto (void)
}
int
-starter_start_pluto (starter_config_t *cfg, bool no_fork)
+starter_start_pluto (starter_config_t *cfg, bool no_fork, bool attach_gdb)
{
struct stat stb;
int i;
@@ -137,7 +137,15 @@ starter_start_pluto (starter_config_t *cfg, bool no_fork)
};
printf ("starter_start_pluto entered\n");
-
+
+ if (attach_gdb)
+ {
+ argc = 0;
+ arg[argc++] = "/usr/bin/gdb";
+ arg[argc++] = "--args";
+ arg[argc++] = PLUTO_CMD;
+ arg[argc++] = "--nofork";
+ }
if (cfg->setup.plutostderrlog || no_fork)
{
arg[argc++] = "--stderrlog";
diff --git a/src/starter/invokepluto.h b/src/starter/invokepluto.h
index 6366d1f50..768bec28c 100644
--- a/src/starter/invokepluto.h
+++ b/src/starter/invokepluto.h
@@ -22,7 +22,7 @@
extern void starter_pluto_sigchild (pid_t pid);
extern pid_t starter_pluto_pid (void);
extern int starter_stop_pluto (void);
-extern int starter_start_pluto (struct starter_config *cfg, bool debug);
+extern int starter_start_pluto (struct starter_config *cfg, bool no_fork, bool attach_gdb);
#endif /* _STARTER_PLUTO_H_ */
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index c9074868a..2567dfe7e 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -246,20 +246,17 @@ for RSA digital signatures (the default),
for either, and
.B never
if negotiation is never to be attempted or accepted (useful for shunt-only conns).
-Digital signatures are superior in every way to shared secrets. In IKEv2, the
-two ends must not agree on this parameter, it is relevant for the
-outbound authentication method only.
+Digital signatures are superior in every way to shared secrets.
IKEv1 additionally supports the values
.B xauthpsk
and
.B xauthrsasig
that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
based on shared secrets or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.B eap,
-which indicates an initiator to request EAP authentication. The EAP method to
-use is selected by the server (see
-.B eap).
+This parameter is deprecated for IKEv2 connections, as two peers do not need
+to agree on an authentication method. Use the
+.B leftauth
+parameter instead to define authentication methods in IKEv2.
.TP
.B auto
what operation, if any, should be done automatically at IPsec startup;
@@ -350,25 +347,9 @@ in case of inactivity. This only applies to IKEv1, in IKEv2 the default
retransmission timeout applies, as every exchange is used to detect dead peers.
.TP
.B eap
-defines the EAP type to propose as server if the client has
-.B authby=eap
-selected. Acceptable values are
-.B aka
-for EAP-AKA,
-.B sim
-for EAP-SIM,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5, and
-.B mschapv2
-for EAP-MS-CHAPv2.
-Additionally, IANA assigned EAP method numbers are accepted, or a definition
-in the form
-.B eap=type-vendor
-(e.g.
-.B eap=7-12345
-) can be used to specify vendor specific EAP types.
+defines the EAP type to propose as server if the client requests EAP
+authentication. This parameter is deprecated in the favour of
+.B leftauth.
To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
set
@@ -509,11 +490,46 @@ and
.B no
(the default).
.TP
+.B leftauth
+Authentication method to use (local) or require (remote) in this connection.
+This parameter is supported in IKEv2 only. Acceptable values are
+.B pubkey
+for public key authentication (RSA/ECDSA),
+.B psk
+for pre-shared key authentication and
+.B eap
+to (require the) use of the Extensible Authentication Protocol. In the case
+of
+.B eap,
+an optional EAP method can be appended. Currently defined methods are
+.B eap-aka, eap-sim, eap-gtc, eap-md5
+and
+.B eap-mschapv2.
+Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
+EAP methods are defined in the form
+.B eap-type-vendor
+(e.g.
+.B eap-7-12345
+).
+.TP
+.B leftauth2
+Same as
+.B leftauth,
+but defines an additional authentication exchange. IKEv2 supports multiple
+authentication rounds using "Multiple Authentication Exchanges" defined
+in RFC4739. This allows, for example, separated authentication
+of host and user (IKEv2 only).
+.TP
.B leftca
the distinguished name of a certificate authority which is required to
lie in the trust path going from the left participant's certificate up
to the root certification authority.
.TP
+.B leftca2
+Same as
+.B leftca,
+but for the second authentication round (IKEv2 only).
+.TP
.B leftcert
the path to the left participant's X.509 certificate. The file can be coded either in
PEM or DER format. OpenPGP certificates are supported as well.
@@ -529,6 +545,11 @@ The left participant's ID can be overriden by specifying a
.B leftid
value which must be certified by the certificate, though.
.TP
+.B leftcert2
+Same as
+.B leftcert,
+but for the second authentication round (IKEv2 only).
+.TP
.B leftfirewall
whether the left participant is doing forwarding-firewalling
(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
@@ -594,6 +615,11 @@ or a fully-qualified domain name preceded by
.B @
(which is used as a literal string and not resolved).
.TP
+.B leftid2
+identity to use for a second authentication for the left participant
+(IKEv2 only); defaults to
+.BR leftid .
+.TP
.B leftnexthop
this parameter is not needed any more because the NETKEY IPsec stack does
not require explicit routing entries for the traffic to be tunneled.
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 17789d9bd..3b6704450 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -147,11 +147,16 @@ typedef enum {
KW_LEFTHOSTACCESS,
KW_LEFTALLOWANY,
KW_LEFTUPDOWN,
+ KW_LEFTAUTH,
+ KW_LEFTAUTH2,
KW_LEFTID,
+ KW_LEFTID2,
KW_LEFTRSASIGKEY,
KW_LEFTCERT,
+ KW_LEFTCERT2,
KW_LEFTSENDCERT,
KW_LEFTCA,
+ KW_LEFTCA2,
KW_LEFTGROUPS,
#define KW_LEFT_FIRST KW_LEFT
@@ -169,11 +174,16 @@ typedef enum {
KW_RIGHTHOSTACCESS,
KW_RIGHTALLOWANY,
KW_RIGHTUPDOWN,
+ KW_RIGHTAUTH,
+ KW_RIGHTAUTH2,
KW_RIGHTID,
+ KW_RIGHTID2,
KW_RIGHTRSASIGKEY,
KW_RIGHTCERT,
+ KW_RIGHTCERT2,
KW_RIGHTSENDCERT,
KW_RIGHTCA,
+ KW_RIGHTCA2,
KW_RIGHTGROUPS,
#define KW_RIGHT_FIRST KW_RIGHT
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index d834fe425..be8f305fe 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -104,10 +104,15 @@ lefthostaccess, KW_LEFTHOSTACCESS
leftallowany, KW_LEFTALLOWANY
leftupdown, KW_LEFTUPDOWN
leftid, KW_LEFTID
+leftid2, KW_LEFTID2
+leftauth, KW_LEFTAUTH
+leftauth2, KW_LEFTAUTH2
leftrsasigkey, KW_LEFTRSASIGKEY
leftcert, KW_LEFTCERT,
+leftcert2, KW_LEFTCERT2,
leftsendcert, KW_LEFTSENDCERT
leftca, KW_LEFTCA
+leftca2, KW_LEFTCA2
leftgroups, KW_LEFTGROUPS
right, KW_RIGHT
rightnexthop, KW_RIGHTNEXTHOP
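Review bot: The new `leftcert2, KW_LEFTCERT2,` line carries a trailing comma copied from the `leftcert` entry above it, while every other new entry in this hunk and the next (including `rightcert2`) has none. It presumably parses, since the existing `leftcert` line already has it, but the inconsistency is noise for anyone reading this keyword table; `leftcert2, KW_LEFTCERT2` would match the rest of the file.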
@@ -121,10 +126,15 @@ righthostaccess, KW_RIGHTHOSTACCESS
rightallowany, KW_RIGHTALLOWANY
rightupdown, KW_RIGHTUPDOWN
rightid, KW_RIGHTID
+rightid2, KW_RIGHTID2
+rightauth, KW_RIGHTAUTH
+rightauth2, KW_RIGHTAUTH2
rightrsasigkey, KW_RIGHTRSASIGKEY
rightcert, KW_RIGHTCERT
+rightcert2, KW_RIGHTCERT2
rightsendcert, KW_RIGHTSENDCERT
rightca, KW_RIGHTCA
+rightca2, KW_RIGHTCA2
rightgroups, KW_RIGHTGROUPS
also, KW_ALSO
auto, KW_AUTO
diff --git a/src/starter/starter.c b/src/starter/starter.c
index de8567583..a299d5671 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -224,6 +224,7 @@ int main (int argc, char **argv)
unsigned long auto_update = 0;
time_t last_reload;
bool no_fork = FALSE;
+ bool attach_gdb = FALSE;
/* global variables defined in log.h */
log_to_stderr = TRUE;
@@ -248,6 +249,11 @@ int main (int argc, char **argv)
{
no_fork = TRUE;
}
+ else if (streq(argv[i], "--attach-gdb"))
+ {
+ no_fork = TRUE;
+ attach_gdb = TRUE;
+ }
else if (streq(argv[i], "--auto-update") && i+1 < argc)
{
auto_update = atoi(argv[++i]);
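Review bot: `--attach-gdb` forces no_fork = TRUE without saying why, which is easy to misread as a copy-paste slip from the `--nofork` branch above; a one-line comment, `/* attaching gdb needs the foreground terminal, so this implies --nofork */`, would record the intent (the terminal requirement is my inference — adjust the wording to the real reason). If the starter prints a usage or help text, the new flag should be listed there as well; that text is not in this diff. main() continues outside the hunk.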
@@ -571,7 +577,7 @@ int main (int argc, char **argv)
DBG_log("Attempting to start pluto...")
);
- if (starter_start_pluto(cfg, no_fork) == 0)
+ if (starter_start_pluto(cfg, no_fork, attach_gdb) == 0)
{
starter_whack_listen();
}
@@ -606,7 +612,7 @@ int main (int argc, char **argv)
DBG(DBG_CONTROL,
DBG_log("Attempting to start charon...")
);
- if (starter_start_charon(cfg, no_fork))
+ if (starter_start_charon(cfg, no_fork, attach_gdb))
{
/* schedule next try */
alarm(PLUTO_RESTART_DELAY);
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9ce7edee3..a695feb46 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -164,9 +164,14 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
{
char buffer[INET6_ADDRSTRLEN];
+ msg_end->auth = push_string(msg, conn_end->auth);
+ msg_end->auth2 = push_string(msg, conn_end->auth2);
msg_end->id = push_string(msg, conn_end->id);
+ msg_end->id2 = push_string(msg, conn_end->id2);
msg_end->cert = push_string(msg, conn_end->cert);
+ msg_end->cert2 = push_string(msg, conn_end->cert2);
msg_end->ca = push_string(msg, conn_end->ca);
+ msg_end->ca2 = push_string(msg, conn_end->ca2);
msg_end->groups = push_string(msg, conn_end->groups);
msg_end->updown = push_string(msg, conn_end->updown);
ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
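Review bot: The new push_string calls store into msg_end->auth, auth2, id2, cert2 and ca2, so stroke_end_t must have gained those members in a part of this commit outside src/starter (the diffstat is limited to that directory); if the stroke message header was not updated in the same commit, the starter no longer builds against the old message layout. Unset options presumably leave conn_end->auth and friends NULL, and push_string already receives NULL for optional id/cert/ca, so the new calls are consistent with the existing ones — worth a quick check that the receiving side treats a NULL auth as "not configured" rather than as an error. starter_stroke_add_end continues outside the hunk.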