- applied patch for charon (this time really)
authorMartin Willi <martin@strongswan.org>
Fri, 28 Apr 2006 07:16:42 +0000 (07:16 -0000)
committerMartin Willi <martin@strongswan.org>
Fri, 28 Apr 2006 07:16:42 +0000 (07:16 -0000)
Makefile.inc
programs/Makefile
programs/ipsec/ipsec.in
programs/pluto/Makefile
programs/pluto/demux.c
programs/starter/Makefile
programs/starter/args.c
programs/starter/files.h
programs/starter/invokepluto.c
programs/starter/starter.c
programs/starter/starterwhack.c

index f5ec674..359e658 100644 (file)
@@ -84,6 +84,8 @@ SBINDIR=$(DESTDIR)$(FINALSBINDIR)
 FINALLIBDIR=$(INC_USRLOCAL)/lib/ipsec
 LIBDIR=$(DESTDIR)$(FINALLIBDIR)
 
+# sharedlibdir is where shared libraries go
+SHAREDLIBDIR=$(DESTDIR)$(INC_USRLOCAL)/lib
 
 # where the appropriate manpage tree is located
 # location within INC_USRLOCAL
@@ -284,6 +286,9 @@ LDAP_VERSION=3
 # include PKCS11-based smartcard support
 USE_SMARTCARD?=false
 
+# support IKEv2 via charon
+USE_IKEV2?=true
+
 # Default PKCS11 library
 # Uncomment this line if using OpenSC <= 0.9.6
 PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
index 03c9d58..6ef59a8 100644 (file)
@@ -32,6 +32,10 @@ ifeq ($(USE_IPSECPOLICY),true)
 SUBDIRS+=showpolicy
 endif
 
+ifeq ($(USE_IKEV2),true)
+SUBDIRS+=charon
+endif
+
 def:
        @echo "Please read doc/intro.html or INSTALL before running make"
        @false
index 0616561..940ca99 100755 (executable)
@@ -26,6 +26,7 @@ IPSEC_DIR="$IPSEC_LIBDIR"
 export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
 
 IPSEC_STARTER_PID="/var/run/starter.pid"
+IPSEC_CHARON_PID="/var/run/charon.pid"
 
 # standardize PATH, and export it for everything else's benefit
 PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
@@ -123,6 +124,10 @@ case "$1" in
 down)
        shift
        $IPSEC_EXECDIR/whack --name "$1" --terminate
+       if test -e $IPSEC_CHARON_PID
+       then
+           $IPSEC_EXECDIR/stroke down "$1"
+       fi
        exit 0
        ;;
 listalgs|listpubkeys|listcerts|listcacerts|\
@@ -134,6 +139,10 @@ rereadacerts|rereadcrls|rereadall)
        op="$1"
        shift
         $IPSEC_EXECDIR/whack "$@" "--$op"
+       if test -e $IPSEC_CHARON_PID
+       then
+            $IPSEC_EXECDIR/stroke "$op"
+        fi
        exit 0
        ;;
 ready)
@@ -180,8 +189,16 @@ status|statusall)
        if test $# -eq 0
        then
            $IPSEC_EXECDIR/whack "--$op"
+           if test -e $IPSEC_CHARON_PID
+           then
+               $IPSEC_EXECDIR/stroke "$op"
+           fi
        else
            $IPSEC_EXECDIR/whack --name "$1" "--$op"
+           if test -e $IPSEC_CHARON_PID
+           then
+               $IPSEC_EXECDIR/stroke "$op" "$1"
+           fi
        fi
        exit 0
        ;;
@@ -198,6 +215,10 @@ stop)
 up)
        shift
        $IPSEC_EXECDIR/whack --name "$1" --initiate
+       if test -e $IPSEC_CHARON_PID
+       then
+           $IPSEC_EXECDIR/stroke up "$1"
+       fi
        exit 0
        ;;
 update)
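Review bot: The `up` branch calls `whack --name "$1" --initiate` and then `stroke up "$1"` for the same name no matter which daemon owns the connection, so one of the two is always asked about a connection it does not know, and the `exit 0` that follows discards both exit statuses; the `down` hunk has the same shape. Existence of the pid file only shows that charon wrote one, not that it is still alive, so a stale `/var/run/charon.pid` left by a crash still sends the stroke call to a dead daemon; if a liveness check on the recorded pid is available it would be the better gate. The expansion should also be quoted, `if test -e "$IPSEC_CHARON_PID"`, in keeping with the quoted expansions elsewhere in the script.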
index 515b3fa..29e2a9e 100644 (file)
@@ -170,6 +170,11 @@ ifeq ($(USE_SMARTCARD),true)
   LIBSPLUTO+= -ldl
 endif
 
+# enable IKEv2 support
+ifeq ($(USE_IKEV2),true)
+  DEFINES+= -DIKEV2
+endif
+
 # This compile option activates the leak detective
 ifeq ($(USE_LEAK_DETECTIVE),true)
   DEFINES+= -DLEAK_DETECTIVE
index 2f8fb9a..bbd50f9 100644 (file)
@@ -1196,6 +1196,21 @@ read_packet(struct msg_digest *md)
        }
 #endif
 
+#ifdef IKEV2
+#define IKEV2_VERSION_OFFSET   17
+#define IKEV2_VERSION          0x20
+
+    /* ignore IKEv2 packets - they will be handled by charon */
+    if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET
+    &&  md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION)
+    {
+       DBG(DBG_CONTROLMORE,
+           DBG_log("  ignoring IKEv2 packet")
+       )
+       return FALSE;
+    }
+#endif /* IKEV2 */
+
     return TRUE;
 }
 
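Review bot: The test `md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION` matches only major 2 / minor 0, so an IKEv2 header carrying a non-zero minor version (0x21) is not ignored and falls through to process_packet's major-version check, which answers with INVALID_MAJOR_VERSION instead of leaving the packet to charon. Comparing the major nibble only, `(md->packet_pbs.start[IKEV2_VERSION_OFFSET] & 0xF0) == IKEV2_VERSION`, mirrors how ISA_MAJ_SHIFT is applied in process_packet. The two `#define`s would also read better at file scope, with a comment that offset 17 is the version octet that follows the two 8-octet SPIs and the next-payload octet of the ISAKMP header. read_packet begins outside the hunk.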
@@ -1229,6 +1244,7 @@ process_packet(struct msg_digest **mdp)
        if (md->packet_pbs.roof - md->packet_pbs.cur >= (ptrdiff_t)isakmp_hdr_desc.size)
        {
            struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
+
            if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION)
            {
                SEND_NOTIFICATION(INVALID_MAJOR_VERSION);
index 60e95d3..9d531d3 100644 (file)
@@ -34,6 +34,11 @@ ifeq ($(USE_LEAK_DETECTIVE),true)
   DEFINES+= -DLEAK_DETECTIVE
 endif
 
+# Enable charon support
+ifeq ($(USE_IKEV2),true)
+  DEFINES+= -DIKEV2
+endif
+
 INCLUDES=-I${FREESWANDIR}/linux/include
 CFLAGS=$(DEFINES) $(INCLUDES) -Wall
 CFLAGS+=-DIPSEC_EXECDIR=\"${FINALLIBEXECDIR}\" -DIPSEC_CONFDDIR=\"${FINALCONFDDIR}\"
@@ -46,6 +51,11 @@ OBJS=starter.o parser.tab.o lex.yy.o keywords.o args.o invokepluto.o \
      starterwhack.o klips.o netkey.o interfaces.o exec.o cmp.o confread.o \
      loglite.o ${PLUTO_OBJS}
 
+# Build charon-only objs
+ifeq ($(USE_IKEV2),true)
+  OBJS+= invokecharon.o starterstroke.o
+endif
+
 DISTSRC=$(OBJS:.o=.c)
 DISTSRC+=cmp.h confread.h confwrite.h exec.h files.h interfaces.h klips.h netkey.h
 DISTSRC+=parser.h args.h invokepluto.h starterwhack.h keywords.h keywords.txt
index 6f3da63..56b286b 100644 (file)
@@ -86,6 +86,10 @@ static const char *LST_packetdefault[] = {
 
 static const char *LST_keyexchange[] = {
     "ike",
+#ifdef IKEV2
+    "ikev1",
+    "ikev2",
+#endif /* IKEV2 */
      NULL
 };
 
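Review bot: The position of `"ikev2"` in LST_keyexchange is what starter.c later tests as `conn->keyexchange == 2` in its initiate and route hunks, so the meaning of that value depends on the order of this string table and on IKEV2 being defined at build time; with IKEV2 off, a config line `keyexchange=ikev1` presumably fails as an unknown value rather than being accepted as the default. A named constant next to the table, e.g. `enum { KEYEXCHANGE_IKE = 0, KEYEXCHANGE_IKEV1, KEYEXCHANGE_IKEV2 };` in the header that declares keyexchange, used by starter.c instead of the literal 2, ties the two sides together.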
index 286cdf1..83d27e1 100644 (file)
 #define SECRETS_FILE   IPSEC_CONFDIR"/ipsec.secrets"
 
 #define PLUTO_CMD       IPSEC_EXECDIR"/pluto"
-#define CTL_FILE        DEFAULT_CTLBASE CTL_SUFFIX
-#define PID_FILE        DEFAULT_CTLBASE PID_SUFFIX
+#define PLUTO_CTL_FILE  DEFAULT_CTLBASE CTL_SUFFIX
+#define PLUTO_PID_FILE  DEFAULT_CTLBASE PID_SUFFIX
+
+#ifdef IKEV2
+#define CHARON_CMD             IPSEC_EXECDIR"/charon"
+#define CHARON_BASE            "/var/run/charon"
+#define CHARON_CTL_FILE CHARON_BASE CTL_SUFFIX
+#define CHARON_PID_FILE CHARON_BASE PID_SUFFIX
+#endif /* IKEV2 */
 
 #define DYNIP_DIR       "/var/run/dynip"
 #define INFO_FILE       "/var/run/ipsec.info"
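Review bot: `CHARON_BASE` is hard-coded to `"/var/run/charon"` while the pluto paths beside it derive from DEFAULT_CTLBASE, and ipsec.in repeats the same path as `IPSEC_CHARON_PID="/var/run/charon.pid"`; the three agree only by convention, so a build that relocates the control base moves pluto's files but not charon's. Deriving the charon paths from the same configured base, or at least a comment on CHARON_BASE saying `/* must match IPSEC_CHARON_PID in ipsec.in */`, would keep them in step.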
index 70376e3..c7e0473 100644 (file)
@@ -54,7 +54,7 @@ starter_pluto_sigchild(pid_t pid)
                , PLUTO_RESTART_DELAY);
            alarm(PLUTO_RESTART_DELAY);   // restart in 5 sec
        }
-       unlink(PID_FILE);
+       unlink(PLUTO_PID_FILE);
     }
 }
 
@@ -203,7 +203,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
     }
     else
     {
-       unlink(CTL_FILE);
+       unlink(PLUTO_CTL_FILE);
        _stop_requested = 0;
 
        if (cfg->setup.prepluto)
@@ -252,7 +252,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
            {
                /* wait for pluto */
                usleep(20000);
-               if (stat(CTL_FILE, &stb) == 0)
+               if (stat(PLUTO_CTL_FILE, &stb) == 0)
                {
                    DBG(DBG_CONTROL,
                        DBG_log("pluto (%d) started", _pluto_pid)
index 0b2c833..42c9857 100644 (file)
@@ -37,6 +37,7 @@
 #include "files.h"
 #include "starterwhack.h"
 #include "invokepluto.h"
+#include "invokecharon.h"
 #include "klips.h"
 #include "netkey.h"
 #include "cmp.h"
@@ -47,6 +48,9 @@
 #define FLAG_ACTION_RELOAD        0x04
 #define FLAG_ACTION_QUIT          0x08
 #define FLAG_ACTION_LISTEN        0x10
+#ifdef IKEV2
+#define FLAG_ACTION_START_CHARON  0x20
+#endif /* IKEV2 */
 
 static unsigned int _action_ = 0;
 
@@ -65,6 +69,10 @@ fsig(int signal)
            {
                if (pid == starter_pluto_pid())
                    name = " (Pluto)";
+#ifdef IKEV2
+               if (pid == starter_charon_pid())
+                   name = " (Charon)";
+#endif /* IKEV2 */
                if (WIFSIGNALED(status))
                    DBG(DBG_CONTROL,
                        DBG_log("child %d%s has been killed by sig %d\n",
@@ -87,6 +95,10 @@ fsig(int signal)
 
                if (pid == starter_pluto_pid())
                    starter_pluto_sigchild(pid);
+#ifdef IKEV2
+               if (pid == starter_charon_pid())
+                   starter_charon_sigchild(pid);
+#endif /* IKEV2 */
            }
        }
        break;
@@ -97,6 +109,9 @@ fsig(int signal)
 
     case SIGALRM:
        _action_ |= FLAG_ACTION_START_PLUTO;
+#ifdef IKEV2
+       _action_ |= FLAG_ACTION_START_CHARON;
+#endif /* IKEV2 */
        break;
 
     case SIGHUP:
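Review bot: With SIGALRM now setting both FLAG_ACTION_START_PLUTO and FLAG_ACTION_START_CHARON, the `alarm(PLUTO_RESTART_DELAY)` scheduled when one daemon fails to start (the charon block later in this commit does this) also re-runs the other daemon's start path. The charon block guards that with `starter_charon_pid() == 0`; if the pluto block has no equivalent guard a retry for charon could fork a second pluto. A short comment here, `/* the alarm retries both daemons; each start path must check its pid first */`, would record the assumption.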
@@ -193,6 +208,9 @@ int main (int argc, char **argv)
     signal(SIGQUIT, fsig);
     signal(SIGALRM, fsig);
     signal(SIGUSR1, fsig);
+       
+       
+       plog("Starting strongSwan IPsec %s [starter]...", ipsec_version_code());
 
     /* verify that we can start */
     if (getuid() != 0)
@@ -201,12 +219,24 @@ int main (int argc, char **argv)
        exit(1);
     }
 
-    if (stat(PID_FILE, &stb) == 0)
+    if (stat(PLUTO_PID_FILE, &stb) == 0)
     {
-       plog("pluto is already running (%s exists) -- aborting", PID_FILE);
-       exit(1);
+       plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
     }
-
+    else
+    {
+       _action_ |= FLAG_ACTION_START_PLUTO;
+    }
+#ifdef IKEV2
+    if (stat(CHARON_PID_FILE, &stb) == 0)
+    {
+       plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
+    }
+    else
+    {
+       _action_ |= FLAG_ACTION_START_CHARON;
+    }
+#endif /* IKEV2 */
     if (stat(DEV_RANDOM, &stb) != 0)
     {
        plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
@@ -247,7 +277,11 @@ int main (int argc, char **argv)
 
     last_reload = time(NULL);
 
-    plog("Starting strongSwan IPsec %s [starter]...", ipsec_version_code());
+    if (stat(MY_PID_FILE, &stb) == 0)
+    {
+       plog("starter is already running (%s exists) -- no fork done", MY_PID_FILE);
+       exit(0);
+    }
 
     /* fork if we're not debugging stuff */
     if (!no_fork)
@@ -296,17 +330,19 @@ int main (int argc, char **argv)
                      , &cfg->defaultroute);
     }
 
-    _action_ = FLAG_ACTION_START_PLUTO;
-
     for (;;)
     {
        /*
-        * Stop pluto (if started) and exit
-         */
+        * Stop pluto/charon (if started) and exit
+        */
        if (_action_ & FLAG_ACTION_QUIT)
        {
            if (starter_pluto_pid())
                starter_stop_pluto();
+#ifdef IKEV2
+               if (starter_charon_pid())
+               starter_stop_charon();
+#endif IKEV2
            if (has_netkey)
                starter_netkey_cleanup();
            else
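Review bot: `#endif IKEV2` leaves a bare token after the directive, which is not valid ISO C (compilers accept it only with an "extra tokens" warning); every other guard in this commit closes with `#endif /* IKEV2 */`, and this one should too. The tab-indented `if (starter_charon_pid())` also sits visually under the pluto `if` body rather than beside it, so the pair should be indented like the pluto pair above, `if (starter_charon_pid()) starter_stop_charon();` at the same column as `if (starter_pluto_pid())`. The surrounding for loop starts and ends outside the hunk.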
@@ -337,6 +373,9 @@ int main (int argc, char **argv)
                    if (conn->state == STATE_ADDED)
                    {
                        starter_whack_del_conn(conn);
+#ifdef IKEV2
+                       starter_stroke_del_conn(conn);
+#endif /* IKEV2 */
                        conn->state = STATE_TO_ADD;
                    }
                }
@@ -427,6 +466,9 @@ int main (int argc, char **argv)
                    {
                        if (conn->state == STATE_ADDED)
                            starter_whack_del_conn(conn);
+#ifdef IKEV2
+                           starter_stroke_del_conn(conn);
+#endif /* IKEV2 */
                    }
 
                    /* Look for new ca sections that are already loaded */
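Review bot: `starter_stroke_del_conn(conn);` here is not governed by the `if (conn->state == STATE_ADDED)` that precedes it: that `if` has no braces, so only `starter_whack_del_conn(conn)` is conditional and the stroke call runs for every connection in the loop, including ones that were never added. The earlier hunk (the one that resets `conn->state = STATE_TO_ADD`) braces the pair correctly; this one needs the same, `if (conn->state == STATE_ADDED) { starter_whack_del_conn(conn); starter_stroke_del_conn(conn); }` with the `#ifdef IKEV2` around the second call. The enclosing loop begins outside the hunk.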
@@ -502,6 +544,27 @@ int main (int argc, char **argv)
                    conn->state = STATE_TO_ADD;
            }
        }
+       
+#ifdef IKEV2
+       /*
+        * Start charon
+        */
+       if (_action_ & FLAG_ACTION_START_CHARON)
+       {
+               if (starter_charon_pid() == 0)
+               {
+                       DBG(DBG_CONTROL,
+                               DBG_log("Attempting to start charon...")
+                          )
+                       if (starter_start_charon(cfg, no_fork) != 0)
+                       {
+                               /* schedule next try */
+                               alarm(PLUTO_RESTART_DELAY);
+                       }
+               }
+               _action_ &= ~FLAG_ACTION_START_CHARON;
+       }
+#endif /* IKEV2 */
 
        /*
         * Tell pluto to reread its interfaces
@@ -536,11 +599,36 @@ int main (int argc, char **argv)
                        conn->id = id++;
                    }
                    starter_whack_add_conn(conn);
+#ifdef IKEV2
+                   starter_stroke_add_conn(conn);
+#endif /* IKEV2 */
                    conn->state = STATE_ADDED;
                    if (conn->startup == STARTUP_START)
-                       starter_whack_initiate_conn(conn);
+                   {
+#ifdef IKEV2
+                       if (conn->keyexchange == 2)
+                       {
+                           starter_stroke_initiate_conn(conn);
+                       }
+                       else
+#endif /* IKEV2 */
+                       {
+                           starter_whack_initiate_conn(conn);
+                       }
+                   }
                    else if (conn->startup == STARTUP_ROUTE)
-                       starter_whack_route_conn(conn);
+                   {
+#ifdef IKEV2
+                       if (conn->keyexchange == 2)
+                       {
+                               starter_stroke_route_conn(conn);
+                       }
+                       else
+#endif /* IKEV2 */
+                       {
+                               starter_whack_route_conn(conn); 
+                       }
+                   }
                }
            }
        }
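Review bot: Every connection is handed to both daemons (`starter_whack_add_conn` followed unconditionally by `starter_stroke_add_conn`) while initiate and route are dispatched on `conn->keyexchange == 2`, so an IKEv2 connection is also loaded into pluto and an IKEv1 one into charon. If that is intended, say so above the add calls, `/* both daemons receive every conn; keyexchange only selects who initiates */`; otherwise the add and del calls want the same keyexchange test as initiate. The route branch is indented with tabs where the initiate branch uses spaces, and `starter_whack_route_conn(conn); ` carries trailing whitespace. The enclosing loop starts outside the hunk.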
index a671c56..a42d919 100644 (file)
@@ -54,7 +54,7 @@ pack_str (char **p, char **next, char **roof)
 static int
 send_whack_msg (whack_message_t *msg)
 {
-    struct sockaddr_un ctl_addr = { AF_UNIX, CTL_FILE };
+    struct sockaddr_un ctl_addr = { AF_UNIX, PLUTO_CTL_FILE };
     int sock;
     ssize_t len;
     char *str_next, *str_roof;