- applied patch from andreas

- added charonstart option to config
  - new ikev2 tests for UML
This commit is contained in:
Martin Willi 2006-05-06 07:09:45 +00:00
parent 9820c0e208
commit 65cf07ac1d
16 changed files with 687 additions and 726 deletions


@ -152,7 +152,7 @@ Contents
o esp4
o ipcomp
o xfrm_user
o xfrm_tunnel
o xfrm4_tunnel
Also the built-in kernel Cryptoapi modules with selected encryption and
hash algorithms should be available.


@ -211,9 +211,6 @@ LDAP_VERSION=3
# include PKCS11-based smartcard support
USE_SMARTCARD?=false
# support IKEv2 via charon
USE_IKEV2?=true
# Default PKCS11 library
# Uncomment this line if using OpenSC <= 0.9.6
#PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"


@ -17,11 +17,7 @@
FREESWANSRCDIR=..
include ${FREESWANSRCDIR}/Makefile.inc
SUBDIRS=_copyright _updown _updown_espmark ipsec starter openac scepclient pluto
ifeq ($(USE_IKEV2),true)
SUBDIRS+=charon
endif
SUBDIRS=_copyright _updown _updown_espmark ipsec starter openac scepclient pluto charon
def:
@echo "Please read doc/intro.html or INSTALL before running make"


@ -38,6 +38,10 @@
- certificate validation/chaining
- certificate exchange
- stroke status should show configured connections
- stroke loglevel update
- stroke argument parsing via getopts/gperf?
- implement 3DES to load encrypted pem files
- ipsec.secrets parsing


@ -34,11 +34,6 @@ ifeq ($(USE_LEAK_DETECTIVE),true)
DEFINES+= -DLEAK_DETECTIVE
endif
# Enable charon support
ifeq ($(USE_IKEV2),true)
DEFINES+= -DIKEV2
endif
INCLUDES=-I${FREESWANDIR}/linux/include
CFLAGS=$(DEFINES) $(INCLUDES) -Wall
CFLAGS+=-DIPSEC_EXECDIR=\"${FINALLIBEXECDIR}\" -DIPSEC_CONFDDIR=\"${FINALCONFDDIR}\"
@ -52,9 +47,7 @@ OBJS=starter.o parser.tab.o lex.yy.o keywords.o args.o invokepluto.o \
loglite.o ${PLUTO_OBJS}
# Build charon-only objs
ifeq ($(USE_IKEV2),true)
OBJS+= invokecharon.o starterstroke.o
endif
OBJS+= invokecharon.o starterstroke.o
DISTSRC=$(OBJS:.o=.c)
DISTSRC+=cmp.h confread.h confwrite.h exec.h files.h interfaces.h netkey.h


@ -86,10 +86,8 @@ static const char *LST_packetdefault[] = {
static const char *LST_keyexchange[] = {
"ike",
#ifdef IKEV2
"ikev1",
"ikev2",
#endif /* IKEV2 */
NULL
};
@ -150,6 +148,8 @@ static const token_info_t token_info[] =
/* config setup keywords */
{ ARG_LST, offsetof(starter_config_t, setup.interfaces), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.dumpdir), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.charonstart), LST_bool },
{ ARG_ENUM, offsetof(starter_config_t, setup.plutostart), LST_bool },
/* pluto keywords */
{ ARG_LST, offsetof(starter_config_t, setup.plutodebug), LST_plutodebug },
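Review bot: The new `setup.charonstart` and `setup.plutostart` entries in `token_info` get no default here, yet starter.c now launches each daemon only when the matching flag is true (`cfg->setup.plutostart && !starter_pluto_pid()`, `cfg->setup.charonstart && !starter_charon_pid()`). The confread.c diff is suppressed on this page, so it is not visible whether its setup defaults initialize both to true; if they do not, an existing ipsec.conf that never mentions these keys would silently stop starting pluto. Worth confirming that default initialization, and documenting the chosen default next to the keyword, e.g. `/* charonstart/plutostart default to yes; see confread default_values */`.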



@ -151,6 +151,8 @@ struct starter_config {
lset_t seen;
char **interfaces;
char *dumpdir;
bool charonstart;
bool plutostart;
/* pluto keywords */
char **plutodebug;


@ -40,12 +40,10 @@
#define PLUTO_CTL_FILE DEFAULT_CTLBASE CTL_SUFFIX
#define PLUTO_PID_FILE DEFAULT_CTLBASE PID_SUFFIX
#ifdef IKEV2
#define CHARON_CMD IPSEC_EXECDIR"/charon"
#define CHARON_BASE "/var/run/charon"
#define CHARON_CTL_FILE CHARON_BASE CTL_SUFFIX
#define CHARON_PID_FILE CHARON_BASE PID_SUFFIX
#endif /* IKEV2 */
#define DYNIP_DIR "/var/run/dynip"
#define INFO_FILE "/var/run/ipsec.info"


@ -44,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
* RCSID $Id: keywords.c,v 1.7 2006/04/17 10:32:48 as Exp $
* RCSID $Id: keywords.txt,v 1.6 2006/04/17 10:30:27 as Exp $
*/
#include <string.h>
@ -56,12 +56,12 @@ struct kw_entry {
kw_token_t token;
};
#define TOTAL_KEYWORDS 77
#define TOTAL_KEYWORDS 79
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
#define MIN_HASH_VALUE 9
#define MAX_HASH_VALUE 146
/* maximum key range = 138, duplicates = 0 */
#define MAX_HASH_VALUE 156
/* maximum key range = 148, duplicates = 0 */
#ifdef __GNUC__
__inline
@ -77,32 +77,32 @@ hash (str, len)
{
static const unsigned char asso_values[] =
{
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
15, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 85, 147, 40,
25, 25, 0, 10, 5, 80, 147, 35, 60, 35,
60, 55, 10, 147, 15, 20, 5, 65, 147, 147,
147, 35, 0, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
147, 147, 147, 147, 147, 147
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
20, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 75, 157, 40,
25, 25, 0, 10, 5, 55, 157, 65, 60, 35,
80, 65, 10, 157, 15, 20, 5, 80, 157, 157,
157, 35, 5, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
157, 157, 157, 157, 157, 157
};
return len + asso_values[(unsigned char)str[2]] + asso_values[(unsigned char)str[len - 1]];
}
@ -142,7 +142,7 @@ static const struct kw_entry wordlist[] =
{"rightgroups", KW_RIGHTGROUPS},
{"rightid", KW_RIGHTID},
{"pfs", KW_PFS},
{"rekeyfuzz", KW_REKEYFUZZ},
{""},
{"righthostaccess", KW_RIGHTHOSTACCESS},
{"authby", KW_AUTHBY},
{""},
@ -161,54 +161,62 @@ static const struct kw_entry wordlist[] =
{"ikelifetime", KW_IKELIFETIME},
{""},
{"compress", KW_COMPRESS},
{"auto", KW_AUTO},
{""},
{"strictcrlpolicy", KW_STRICTCRLPOLICY},
{"keyingtries", KW_KEYINGTRIES},
{"keylife", KW_KEYLIFE},
{"dpddelay", KW_DPDDELAY},
{"cachecrls", KW_CACHECRLS},
{"leftupdown", KW_LEFTUPDOWN},
{""},
{"keyexchange", KW_KEYEXCHANGE},
{"leftfirewall", KW_LEFTFIREWALL},
{"nocrsend", KW_NOCRSEND},
{"auto", KW_AUTO},
{"klipsdebug", KW_KLIPSDEBUG},
{""},
{"rekey", KW_REKEY},
{"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
{"pkcs11module", KW_PKCS11MODULE},
{"nat_traversal", KW_NAT_TRAVERSAL},
{"also", KW_ALSO},
{"rekeyfuzz", KW_REKEYFUZZ},
{"pkcs11keepstate", KW_PKCS11KEEPSTATE},
{"rightupdown", KW_RIGHTUPDOWN},
{"crluri2", KW_CRLURI2},
{"rightfirewall", KW_RIGHTFIREWALL},
{"postpluto", KW_POSTPLUTO},
{"plutodebug", KW_PLUTODEBUG},
{"pkcs11proxy", KW_PKCS11PROXY},
{"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
{"prepluto", KW_PREPLUTO},
{""}, {""},
{"leftca", KW_LEFTCA},
{""}, {""},
{"dpdaction", KW_DPDACTION},
{""}, {""}, {""},
{"ldaphost", KW_LDAPHOST},
{"ocspuri", KW_OCSPURI},
{"rightfirewall", KW_RIGHTFIREWALL},
{"uniqueids", KW_UNIQUEIDS},
{""},
{"klipsdebug", KW_KLIPSDEBUG},
{"overridemtu", KW_OVERRIDEMTU},
{"pkcs11proxy", KW_PKCS11PROXY},
{"crluri2", KW_CRLURI2},
{"ldaphost", KW_LDAPHOST},
{"also", KW_ALSO},
{"leftupdown", KW_LEFTUPDOWN},
{"charonstart", KW_CHARONSTART},
{"rightca", KW_RIGHTCA},
{"fragicmp", KW_FRAGICMP},
{""}, {""},
{"rekeymargin", KW_REKEYMARGIN},
{"ocspuri", KW_OCSPURI},
{"postpluto", KW_POSTPLUTO},
{"plutostart", KW_PLUTOSTART},
{"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
{""},
{"uniqueids", KW_UNIQUEIDS},
{""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
{"prepluto", KW_PREPLUTO},
{""},
{"plutodebug", KW_PLUTODEBUG},
{"rightupdown", KW_RIGHTUPDOWN},
{""}, {""}, {""},
{"rekey", KW_REKEY},
{""},
{"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
{"ldapbase", KW_LDAPBASE},
{""}, {""}, {""}, {""}, {""},
{"dpdaction", KW_DPDACTION},
{""},
{"overridemtu", KW_OVERRIDEMTU},
{""}, {""}, {""}, {""},
{"crluri", KW_CRLURI},
{""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
{""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
{""}, {""}, {""}, {""}, {""},
{"crlcheckinterval", KW_CRLCHECKINTERVAL},
{""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
{"crluri", KW_CRLURI}
{""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
{""},
{"rekeymargin", KW_REKEYMARGIN}
};
#ifdef __GNUC__


@ -22,6 +22,8 @@ typedef enum {
/* config setup keywords */
KW_INTERFACES,
KW_DUMPDIR,
KW_CHARONSTART,
KW_PLUTOSTART,
/* pluto keywords */
KW_PLUTODEBUG,


@ -27,9 +27,11 @@ struct kw_entry {
};
%%
interfaces, KW_INTERFACES
dumpdir, KW_DUMPDIR
charonstart, KW_CHARONSTART
plutostart, KW_PLUTOSTART
klipsdebug, KW_KLIPSDEBUG
plutodebug, KW_PLUTODEBUG
dumpdir, KW_DUMPDIR
prepluto, KW_PREPLUTO
postpluto, KW_POSTPLUTO
fragicmp, KW_FRAGICMP


@ -67,10 +67,8 @@ fsig(int signal)
{
if (pid == starter_pluto_pid())
name = " (Pluto)";
#ifdef IKEV2
if (pid == starter_charon_pid())
name = " (Charon)";
#endif /* IKEV2 */
if (WIFSIGNALED(status))
DBG(DBG_CONTROL,
DBG_log("child %d%s has been killed by sig %d\n",
@ -93,10 +91,8 @@ fsig(int signal)
if (pid == starter_pluto_pid())
starter_pluto_sigchild(pid);
#ifdef IKEV2
if (pid == starter_charon_pid())
starter_charon_sigchild(pid);
#endif /* IKEV2 */
}
}
break;
@ -106,10 +102,8 @@ fsig(int signal)
break;
case SIGALRM:
_action_ |= FLAG_ACTION_START_PLUTO;
#ifdef IKEV2
_action_ |= FLAG_ACTION_START_CHARON;
#endif /* IKEV2 */
_action_ |= FLAG_ACTION_START_PLUTO;
_action_ |= FLAG_ACTION_START_CHARON;
break;
case SIGHUP:
@ -223,7 +217,6 @@ int main (int argc, char **argv)
{
_action_ |= FLAG_ACTION_START_PLUTO;
}
#ifdef IKEV2
if (stat(CHARON_PID_FILE, &stb) == 0)
{
plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
@ -232,7 +225,6 @@ int main (int argc, char **argv)
{
_action_ |= FLAG_ACTION_START_CHARON;
}
#endif /* IKEV2 */
if (stat(DEV_RANDOM, &stb) != 0)
{
plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
@ -315,10 +307,8 @@ int main (int argc, char **argv)
{
if (starter_pluto_pid())
starter_stop_pluto();
#ifdef IKEV2
if (starter_charon_pid())
starter_stop_charon();
#endif /* IKEV2 */
starter_netkey_cleanup();
confread_free(cfg);
unlink(MY_PID_FILE);
@ -336,22 +326,16 @@ int main (int argc, char **argv)
*/
if (_action_ & FLAG_ACTION_RELOAD)
{
if (starter_pluto_pid())
if (starter_pluto_pid() || starter_charon_pid())
{
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
{
#ifdef IKEV2
if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
{
starter_stroke_del_conn(conn);
}
#endif /* IKEV2 */
else
{
starter_whack_del_conn(conn);
}
conn->state = STATE_TO_ADD;
}
}
@ -423,16 +407,10 @@ int main (int argc, char **argv)
{
if (conn->state == STATE_ADDED)
{
#ifdef IKEV2
if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
{
starter_stroke_del_conn(conn);
}
else
#endif /* IKEV2 */
{
starter_whack_del_conn(conn);
}
}
}
@ -477,7 +455,7 @@ int main (int argc, char **argv)
*/
if (_action_ & FLAG_ACTION_START_PLUTO)
{
if (starter_pluto_pid() == 0)
if (cfg->setup.plutostart && !starter_pluto_pid())
{
DBG(DBG_CONTROL,
DBG_log("Attempting to start pluto...")
@ -508,18 +486,17 @@ int main (int argc, char **argv)
}
}
#ifdef IKEV2
/*
* Start charon
*/
if (_action_ & FLAG_ACTION_START_CHARON)
{
if (starter_charon_pid() == 0)
if (cfg->setup.charonstart && !starter_charon_pid())
{
DBG(DBG_CONTROL,
DBG_log("Attempting to start charon...")
)
if (starter_start_charon(cfg, no_fork) != 0)
if (starter_start_charon(cfg, no_fork))
{
/* schedule next try */
alarm(PLUTO_RESTART_DELAY);
@ -527,7 +504,6 @@ int main (int argc, char **argv)
}
_action_ &= ~FLAG_ACTION_START_CHARON;
}
#endif /* IKEV2 */
/*
* Tell pluto to reread its interfaces
@ -541,7 +517,7 @@ int main (int argc, char **argv)
/*
* Add stale conn and ca sections
*/
if (starter_pluto_pid() != 0)
if (starter_pluto_pid() || starter_charon_pid())
{
for (ca = cfg->ca_first; ca; ca = ca->next)
{
@ -561,43 +537,25 @@ int main (int argc, char **argv)
/* affect new unique id */
conn->id = id++;
}
#ifdef IKEV2
if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
{
starter_stroke_add_conn(conn);
}
else
#endif /* IKEV2 */
{
starter_whack_add_conn(conn);
}
conn->state = STATE_ADDED;
if (conn->startup == STARTUP_START)
{
#ifdef IKEV2
if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
{
starter_stroke_initiate_conn(conn);
}
else
#endif /* IKEV2 */
{
starter_whack_initiate_conn(conn);
}
}
else if (conn->startup == STARTUP_ROUTE)
{
#ifdef IKEV2
if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
{
starter_stroke_route_conn(conn);
}
else
#endif /* IKEV2 */
{
starter_whack_route_conn(conn);
}
}
}
}
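Review bot: In the reload hunk (`@ -336`) and the add hunk (`@ -561`) the outer guard is now `starter_pluto_pid() || starter_charon_pid()`, but each connection is still dispatched solely by `conn->keyexchange`, so an IKEv1 connection reaches `starter_whack_del_conn`/`starter_whack_add_conn` even when pluto was never started (`plutostart=no`, as the new test configs set), and an IKEv2 one reaches the `starter_stroke_*` calls with charon absent. Unless the whack and stroke helpers tolerate a missing control socket (not visible here), gating the dispatch on the daemon that actually owns the connection, e.g. `if (conn->keyexchange == KEY_EXCHANGE_IKEV2 ? !starter_charon_pid() : !starter_pluto_pid()) continue;` with a `plog` noting the skipped connection, would turn a silent failure into a visible misconfiguration. The deletion loop at `@ -423` has the same shape and would benefit from the same check. main() begins and ends outside these hunks.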


@ -1,6 +1,5 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>X.509 certificates</b>. Upon the successful
establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
is set up using the IKEv2 key exchange protocol. The authentication is based on
locally importerd <b>X.509 certificates</b>.
In order to test the established tunnel, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.


@ -2,6 +2,9 @@
version 2.0 # conforms to second version of ipsec.conf specification
config setup
plutostart=no
conn net-net
left=192.168.0.1
leftcert=moonCert.pem


@ -2,6 +2,9 @@
version 2.0 # conforms to second version of ipsec.conf specification
config setup
plutostart=no
conn net-net
left=192.168.0.2
leftcert=sunCert.pem