ARG_ENABL_SET([uci], [enable OpenWRT UCI configuration plugin.])
ARG_ENABL_SET([android], [enable Android specific plugin.])
ARG_ENABL_SET([maemo], [enable Maemo specific plugin.])
-ARG_ENABL_SET([nm], [enable NetworkManager plugin.])
+ARG_ENABL_SET([nm], [enable NetworkManager backend.])
ARG_ENABL_SET([ha], [enable high availability cluster plugin.])
ARG_ENABL_SET([whitelist], [enable peer identity whitelisting plugin.])
ARG_ENABL_SET([certexpire], [enable CSV export of expiration dates of used certificates.])
scripts_plugins=
manager_plugins=
medsrv_plugins=
+nm_plugins=
# location specific lists for checksumming,
# for src/libcharon, src/pluto, src/libhydra and src/libstrongswan
s_plugins=
ADD_PLUGIN([test-vectors], [s charon pluto openac scepclient pki])
-ADD_PLUGIN([curl], [s charon pluto scepclient scripts])
-ADD_PLUGIN([soup], [s charon pluto scripts])
-ADD_PLUGIN([ldap], [s charon pluto scepclient scripts])
+ADD_PLUGIN([curl], [s charon pluto scepclient scripts nm])
+ADD_PLUGIN([soup], [s charon pluto scripts nm])
+ADD_PLUGIN([ldap], [s charon pluto scepclient scripts nm])
ADD_PLUGIN([mysql], [s charon pluto pool manager medsrv attest])
ADD_PLUGIN([sqlite], [s charon pluto pool manager medsrv attest])
-ADD_PLUGIN([pkcs11], [s charon pki])
-ADD_PLUGIN([aes], [s charon pluto openac scepclient pki scripts])
-ADD_PLUGIN([des], [s charon pluto openac scepclient pki scripts])
-ADD_PLUGIN([blowfish], [s charon pluto openac scepclient pki scripts])
-ADD_PLUGIN([sha1], [s charon pluto openac scepclient pki scripts medsrv attest])
-ADD_PLUGIN([sha2], [s charon pluto openac scepclient pki scripts medsrv attest])
-ADD_PLUGIN([md4], [s charon openac manager scepclient pki])
-ADD_PLUGIN([md5], [s charon pluto openac scepclient pki scripts attest])
-ADD_PLUGIN([random], [s charon pluto openac scepclient pki scripts medsrv attest])
-ADD_PLUGIN([x509], [s charon pluto openac scepclient pki scripts attest])
-ADD_PLUGIN([revocation], [s charon])
-ADD_PLUGIN([constraints], [s charon])
+ADD_PLUGIN([pkcs11], [s charon pki nm])
+ADD_PLUGIN([aes], [s charon pluto openac scepclient pki scripts nm])
+ADD_PLUGIN([des], [s charon pluto openac scepclient pki scripts nm])
+ADD_PLUGIN([blowfish], [s charon pluto openac scepclient pki scripts nm])
+ADD_PLUGIN([sha1], [s charon pluto openac scepclient pki scripts medsrv attest nm])
+ADD_PLUGIN([sha2], [s charon pluto openac scepclient pki scripts medsrv attest nm])
+ADD_PLUGIN([md4], [s charon openac manager scepclient pki nm])
+ADD_PLUGIN([md5], [s charon pluto openac scepclient pki scripts attest nm])
+ADD_PLUGIN([random], [s charon pluto openac scepclient pki scripts medsrv attest nm])
+ADD_PLUGIN([x509], [s charon pluto openac scepclient pki scripts attest nm])
+ADD_PLUGIN([revocation], [s charon nm])
+ADD_PLUGIN([constraints], [s charon nm])
ADD_PLUGIN([pubkey], [s charon])
-ADD_PLUGIN([pkcs1], [s charon pluto openac scepclient pki scripts manager medsrv attest])
-ADD_PLUGIN([pkcs8], [s charon pluto openac scepclient pki scripts manager medsrv attest])
+ADD_PLUGIN([pkcs1], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
+ADD_PLUGIN([pkcs8], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([pgp], [s charon pluto])
ADD_PLUGIN([dnskey], [s pluto])
-ADD_PLUGIN([pem], [s charon pluto openac scepclient pki scripts manager medsrv attest])
+ADD_PLUGIN([pem], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([padlock], [s charon])
-ADD_PLUGIN([openssl], [s charon pluto openac scepclient pki scripts manager medsrv attest])
-ADD_PLUGIN([gcrypt], [s charon pluto openac scepclient pki scripts manager medsrv attest])
-ADD_PLUGIN([af-alg], [s charon pluto openac scepclient pki scripts medsrv attest])
-ADD_PLUGIN([fips-prf], [s charon])
-ADD_PLUGIN([gmp], [s charon pluto openac scepclient pki scripts manager medsrv attest])
-ADD_PLUGIN([agent], [s charon])
-ADD_PLUGIN([xcbc], [s charon])
-ADD_PLUGIN([cmac], [s charon])
-ADD_PLUGIN([hmac], [s charon pluto scripts])
-ADD_PLUGIN([ctr], [s charon scripts])
-ADD_PLUGIN([ccm], [s charon scripts])
-ADD_PLUGIN([gcm], [s charon scripts])
+ADD_PLUGIN([openssl], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
+ADD_PLUGIN([gcrypt], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
+ADD_PLUGIN([af-alg], [s charon pluto openac scepclient pki scripts medsrv attest nm])
+ADD_PLUGIN([fips-prf], [s charon nm])
+ADD_PLUGIN([gmp], [s charon pluto openac scepclient pki scripts manager medsrv attest nm])
+ADD_PLUGIN([agent], [s charon nm])
+ADD_PLUGIN([xcbc], [s charon nm])
+ADD_PLUGIN([cmac], [s charon nm])
+ADD_PLUGIN([hmac], [s charon pluto scripts nm])
+ADD_PLUGIN([ctr], [s charon scripts nm])
+ADD_PLUGIN([ccm], [s charon scripts nm])
+ADD_PLUGIN([gcm], [s charon scripts nm])
ADD_PLUGIN([xauth], [p pluto])
ADD_PLUGIN([attr], [h charon pluto])
ADD_PLUGIN([attr-sql], [h charon pluto])
ADD_PLUGIN([load-tester], [c charon])
-ADD_PLUGIN([kernel-pfkey], [h charon pluto starter])
-ADD_PLUGIN([kernel-pfroute], [h charon pluto starter])
+ADD_PLUGIN([kernel-pfkey], [h charon pluto starter nm])
+ADD_PLUGIN([kernel-pfroute], [h charon pluto starter nm])
ADD_PLUGIN([kernel-klips], [h charon pluto starter])
-ADD_PLUGIN([kernel-netlink], [h charon pluto starter])
+ADD_PLUGIN([kernel-netlink], [h charon pluto starter nm])
ADD_PLUGIN([resolve], [h charon pluto])
-ADD_PLUGIN([socket-default], [c charon])
-ADD_PLUGIN([socket-raw], [c charon])
+ADD_PLUGIN([socket-default], [c charon nm])
+ADD_PLUGIN([socket-raw], [c charon nm])
ADD_PLUGIN([socket-dynamic], [c charon])
ADD_PLUGIN([farp], [c charon])
ADD_PLUGIN([stroke], [c charon])
ADD_PLUGIN([smp], [c charon])
ADD_PLUGIN([sql], [c charon])
ADD_PLUGIN([updown], [c charon])
-ADD_PLUGIN([eap-identity], [c charon])
+ADD_PLUGIN([eap-identity], [c charon nm])
ADD_PLUGIN([eap-sim], [c charon])
ADD_PLUGIN([eap-sim-file], [c charon])
ADD_PLUGIN([eap-sim-pcsc], [c charon])
ADD_PLUGIN([eap-simaka-sql], [c charon])
ADD_PLUGIN([eap-simaka-pseudonym], [c charon])
ADD_PLUGIN([eap-simaka-reauth], [c charon])
-ADD_PLUGIN([eap-md5], [c charon])
-ADD_PLUGIN([eap-gtc], [c charon])
-ADD_PLUGIN([eap-mschapv2], [c charon])
+ADD_PLUGIN([eap-md5], [c charon nm])
+ADD_PLUGIN([eap-gtc], [c charon nm])
+ADD_PLUGIN([eap-mschapv2], [c charon nm])
ADD_PLUGIN([eap-radius], [c charon])
-ADD_PLUGIN([eap-tls], [c charon])
-ADD_PLUGIN([eap-ttls], [c charon])
-ADD_PLUGIN([eap-peap], [c charon])
+ADD_PLUGIN([eap-tls], [c charon nm])
+ADD_PLUGIN([eap-ttls], [c charon nm])
+ADD_PLUGIN([eap-peap], [c charon nm])
ADD_PLUGIN([eap-tnc], [c charon])
ADD_PLUGIN([xauth-generic], [c charon])
ADD_PLUGIN([xauth-eap], [c charon])
AC_SUBST(scripts_plugins)
AC_SUBST(manager_plugins)
AC_SUBST(medsrv_plugins)
+AC_SUBST(nm_plugins)
AC_SUBST(c_plugins)
AC_SUBST(p_plugins)
AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
+AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue)
-AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue)
-AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue)
+AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue -o x$nm = xtrue)
+AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue)
AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
src/pluto/plugins/xauth/Makefile
src/whack/Makefile
src/charon/Makefile
+ src/charon-nm/Makefile
src/libcharon/Makefile
src/libcharon/plugins/eap_aka/Makefile
src/libcharon/plugins/eap_aka_3gpp2/Makefile
--- /dev/null
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <syslog.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+#ifdef HAVE_PRCTL
+#include <sys/prctl.h>
+#endif
+
+#include <hydra.h>
+#include <daemon.h>
+
+#include <library.h>
+#include <utils/backtrace.h>
+#include <threading/thread.h>
+
+/**
+ * Hook in library for debugging messages
+ */
+extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
+
+/**
+ * Simple logging hook for library logs, using syslog output
+ */
+static void dbg_syslog(debug_t group, level_t level, char *fmt, ...)
+{
+ if (level <= 1)
+ {
+ char buffer[8192], groupstr[4];
+ va_list args;
+
+ va_start(args, fmt);
+ /* write in memory buffer first */
+ vsnprintf(buffer, sizeof(buffer), fmt, args);
+ /* cache group name */
+ snprintf(groupstr, sizeof(groupstr), "%N", debug_names, group);
+ syslog(LOG_DAEMON|LOG_INFO, "00[%s] %s", groupstr, buffer);
+ va_end(args);
+ }
+}
+
+/**
+ * Run the daemon and handle unix signals
+ */
+static void run()
+{
+ sigset_t set;
+
+ /* handle SIGINT and SIGTERM in this handler */
+ sigemptyset(&set);
+ sigaddset(&set, SIGINT);
+ sigaddset(&set, SIGTERM);
+ sigprocmask(SIG_BLOCK, &set, NULL);
+
+ while (TRUE)
+ {
+ int sig;
+ int error;
+
+ error = sigwait(&set, &sig);
+ if (error)
+ {
+ DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+ return;
+ }
+ switch (sig)
+ {
+ case SIGINT:
+ {
+ DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
+ charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+ return;
+ }
+ case SIGTERM:
+ {
+ DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
+ charon->bus->alert(charon->bus, ALERT_SHUTDOWN_SIGNAL, sig);
+ return;
+ }
+ default:
+ {
+ DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig);
+ break;
+ }
+ }
+ }
+}
+
+/**
+ * Handle SIGSEGV/SIGILL signals raised by threads
+ */
+static void segv_handler(int signal)
+{
+ backtrace_t *backtrace;
+
+ DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
+ backtrace = backtrace_create(2);
+ backtrace->log(backtrace, stderr, TRUE);
+ backtrace->destroy(backtrace);
+
+ DBG1(DBG_DMN, "killing ourself, received critical signal");
+ abort();
+}
+
+/**
+ * Initialize logging to syslog
+ */
+static void initialize_logger()
+{
+ sys_logger_t *sys_logger;
+ debug_t group;
+ level_t def;
+
+ sys_logger = sys_logger_create(LOG_DAEMON, FALSE);
+ def = lib->settings->get_int(lib->settings,
+ "charon-nm.syslog.default", 1);
+ for (group = 0; group < DBG_MAX; group++)
+ {
+ sys_logger->set_level(sys_logger, group,
+ lib->settings->get_int(lib->settings, "charon-nm.syslog.%N", def,
+ debug_lower_names, group));
+ }
+ charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger);
+ charon->bus->add_logger(charon->bus, &sys_logger->logger);
+}
+
+/**
+ * Lookup UID and GID
+ */
+static bool lookup_uid_gid()
+{
+#ifdef IPSEC_USER
+ {
+ char buf[1024];
+ struct passwd passwd, *pwp;
+
+ if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
+ pwp == NULL)
+ {
+ DBG1(DBG_DMN, "resolving user '"IPSEC_USER"' failed");
+ return FALSE;
+ }
+ charon->uid = pwp->pw_uid;
+ }
+#endif
+#ifdef IPSEC_GROUP
+ {
+ char buf[1024];
+ struct group group, *grp;
+
+ if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
+ grp == NULL)
+ {
+ DBG1(DBG_DMN, "resolving group '"IPSEC_GROUP"' failed");
+ return FALSE;
+ }
+ charon->gid = grp->gr_gid;
+ }
+#endif
+ return TRUE;
+}
+
+/**
+ * Drop process capabilities
+ */
+static bool drop_capabilities()
+{
+#ifdef HAVE_PRCTL
+ prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
+#endif
+
+ if (setgid(charon->gid) != 0)
+ {
+ DBG1(DBG_DMN, "change to unprivileged group failed");
+ return FALSE;
+ }
+ if (setuid(charon->uid) != 0)
+ {
+ DBG1(DBG_DMN, "change to unprivileged user failed");
+ return FALSE;
+ }
+ if (!charon->drop_capabilities(charon))
+ {
+ DBG1(DBG_DMN, "unable to drop daemon capabilities");
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Main function, starts NetworkManager backend.
+ */
+int main(int argc, char *argv[])
+{
+ struct sigaction action;
+ int status = SS_RC_INITIALIZATION_FAILED;
+
+ /* logging for library during initialization, as we have no bus yet */
+ dbg = dbg_syslog;
+
+ /* initialize library */
+ if (!library_init(NULL))
+ {
+ library_deinit();
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "charon-nm", argv[0]))
+ {
+ dbg_syslog(DBG_DMN, 1, "integrity check of charon-nm failed");
+ library_deinit();
+ exit(SS_RC_DAEMON_INTEGRITY);
+ }
+
+ if (!libhydra_init("charon-nm"))
+ {
+ dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
+ libhydra_deinit();
+ library_deinit();
+ exit(SS_RC_INITIALIZATION_FAILED);
+ }
+
+ if (!libcharon_init())
+ {
+ dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
+ goto deinit;
+ }
+
+ if (!lookup_uid_gid())
+ {
+ dbg_syslog(DBG_DMN, 1, "invalid uid/gid - aborting charon-nm");
+ goto deinit;
+ }
+
+ initialize_logger();
+
+ DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")");
+ if (lib->integrity)
+ {
+ DBG1(DBG_DMN, "integrity tests enabled:");
+ DBG1(DBG_DMN, "lib 'libstrongswan': passed file and segment integrity tests");
+ DBG1(DBG_DMN, "lib 'libhydra': passed file and segment integrity tests");
+ DBG1(DBG_DMN, "lib 'libcharon': passed file and segment integrity tests");
+ DBG1(DBG_DMN, "daemon 'charon-nm': passed file integrity test");
+ }
+
+ /* initialize daemon */
+ if (!charon->initialize(charon,
+ lib->settings->get_str(lib->settings, "charon-nm.load", PLUGINS)))
+ {
+ DBG1(DBG_DMN, "initialization failed - aborting charon-nm");
+ goto deinit;
+ }
+
+ if (!drop_capabilities())
+ {
+ DBG1(DBG_DMN, "capability dropping failed - aborting charon-nm");
+ goto deinit;
+ }
+
+ /* add handler for SEGV and ILL,
+ * INT and TERM are handled by sigwait() in run() */
+ action.sa_handler = segv_handler;
+ action.sa_flags = 0;
+ sigemptyset(&action.sa_mask);
+ sigaddset(&action.sa_mask, SIGINT);
+ sigaddset(&action.sa_mask, SIGTERM);
+ sigaction(SIGSEGV, &action, NULL);
+ sigaction(SIGILL, &action, NULL);
+ sigaction(SIGBUS, &action, NULL);
+ action.sa_handler = SIG_IGN;
+ sigaction(SIGPIPE, &action, NULL);
+
+ pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL);
+
+ /* start daemon (i.e. the threads in the thread-pool) */
+ charon->start(charon);
+
+ /* main thread goes to run loop */
+ run();
+
+ status = 0;
+
+deinit:
+ libcharon_deinit();
+ libhydra_deinit();
+ library_deinit();
+ return status;
+}
+
projects / strongswan.git / commitdiff