- import of strongswan-2.7.0

- applied patch for charon
This commit is contained in:
Martin Willi 2006-04-28 07:14:48 +00:00
parent 52923c9acb
commit 997358a6c4
2043 changed files with 346842 additions and 0 deletions

691
CHANGES Normal file
View File

@ -0,0 +1,691 @@
strongswan-2.7.0
----------------
- the dynamic iptables rules from the _updown_x509 template
for KLIPS and the _updown_policy template for NETKEY have
been merged into the default _updown script. The existing
left|rightfirewall keyword causes the automatic insertion
and deletion of ACCEPT rules for tunneled traffic upon
the successful setup and teardown of an IPsec SA, respectively.
left|rightfirwall can be used with KLIPS under any Linux 2.4
kernel or with NETKEY under a Linux kernel version >= 2.6.16
in conjuction with iptables >= 1.3.5. For NETKEY under a Linux
kernel version < 2.6.16 which does not support IPsec policy
matching yet, please continue to use a copy of the _updown_espmark
template loaded via the left|rightupdown keyword.
- a new left|righthostaccess keyword has been introduced which
can be used in conjunction with left|rightfirewall and the
default _updown script. By default leftfirewall=yes inserts
a bi-directional iptables FORWARD rule for a local client network
with a netmask different from 255.255.255.255 (single host).
This does not allow to access the VPN gateway host via its
internal network interface which is part of the client subnet
because an iptables INPUT and OUTPUT rule would be required.
lefthostaccess=yes will cause this additional ACCEPT rules to
be inserted.
- mixed PSK|RSA roadwarriors are now supported. The ISAKMP proposal
payload is preparsed in order to find out whether the roadwarrior
requests PSK or RSA so that a matching connection candidate can
be found.
strongswan-2.6.4
----------------
- the new _updown_policy template allows ipsec policy based
iptables firewall rules. Required are iptables version
>= 1.3.5 and linux kernel >= 2.6.16. This script obsoletes
the _updown_espmark template, so that no INPUT mangle rules
are required any more.
- added support of DPD restart mode
- ipsec starter now allows the use of wildcards in include
statements as e.g. in "include /etc/my_ipsec/*.conf".
Patch courtesy of Matthias Haas.
- the Netscape OID 'employeeNumber' is now recognized and can be
used as a Relative Distinguished Name in certificates.
strongswan-2.6.3
----------------
- /etc/init.d/ipsec or /etc/rc.d/ipsec is now a copy of the ipsec
command and not of ipsec setup any more.
- ipsec starter now supports AH authentication in conjunction with
ESP encryption. AH authentication is configured in ipsec.conf
via the auth=ah parameter.
- The command ipsec scencrypt|scdecrypt <args> is now an alias for
ipsec whack --scencrypt|scdecrypt <args>.
- get_sa_info() now determines for the native netkey IPsec stack
the exact time of the last use of an active eroute. This information
is used by the Dead Peer Detection algorithm and is also displayed by
the ipsec status command.
strongswan-2.6.2
----------------
- running under the native Linux 2.6 IPsec stack, the function
get_sa_info() is called by ipsec auto --status to display the current
number of transmitted bytes per IPsec SA.
- get_sa_info() is also used by the Dead Peer Detection process to detect
recent ESP activity. If ESP traffic was received from the peer within
the last dpd_delay interval then no R_Y_THERE notification must be sent.
- strongSwan now supports the Relative Distinguished Name "unstructuredName"
in ID_DER_ASN1_DN identities. The following notations are possible:
rightid="unstructuredName=John Doe"
rightid="UN=John Doe"
- fixed a long-standing bug which caused PSK-based roadwarrior connections
to segfault in the function id.c:same_id() called by keys.c:get_secret()
if an FQDN, USER_FQDN, or Key ID was defined, as in the following example.
conn rw
right=%any
rightid=@foo.bar
authby=secret
- the ipsec command now supports most ipsec auto commands (e.g. ipsec listall).
- ipsec starter didn't set host_addr and client.addr ports in whack msg.
- in order to guarantee backwards-compatibility with the script-based
auto function (e.g. auto --replace), the ipsec starter scripts stores
the defaultroute information in the temporary file /var/run/ipsec.info.
- The compile-time option USE_XAUTH_VID enables the sending of the XAUTH
Vendor ID which is expected by Cisco PIX 7 boxes that act as IKE Mode Config
servers.
- the ipsec starter now also recognizes the parameters authby=never and
type=passthrough|pass|drop|reject.
strongswan-2.6.1
----------------
- ipsec starter now supports the also parameter which allows
a modular structure of the connection definitions. Thus
"ipsec start" is now ready to replace "ipsec setup".
strongswan-2.6.0
----------------
- Mathieu Lafon's popular ipsec starter tool has been added to the
strongSwan distribution. Many thanks go to Stephan Scholz from astaro
for his integration work. ipsec starter is a C program which is going
to replace the various shell and awk starter scripts (setup, _plutoload,
_plutostart, _realsetup, _startklips, _confread, and auto). Since
ipsec.conf is now parsed only once, the starting of multiple tunnels is
accelerated tremedously.
- Added support of %defaultroute to the ipsec starter. If the IP address
changes, a HUP signal to the ipsec starter will automatically
reload pluto's connections.
- moved most compile time configurations from pluto/Makefile to
Makefile.inc by defining the options USE_LIBCURL, USE_LDAP,
USE_SMARTCARD, and USE_NAT_TRAVERSAL_TRANSPORT_MODE.
- removed the ipsec verify and ipsec newhostkey commands
- fixed some 64-bit issues in formatted print statements
- The scepclient functionality implementing the Simple Certificate
Enrollment Protocol (SCEP) is nearly complete but hasn't been
documented yet.
strongswan-2.5.7
----------------
- CA certicates are now automatically loaded from a smartcard
or USB crypto token and appear in the ipsec auto --listcacerts
listing.
strongswan-2.5.6
----------------
- when using "ipsec whack --scencrypt <data>" with a PKCS#11
library that does not support the C_Encrypt() Cryptoki
function (e.g. OpenSC), the RSA encryption is done in
software using the public key fetched from the smartcard.
- The scepclient function now allows to define the
validity of a self-signed certificate using the --days,
--startdate, and --enddate options. The default validity
has been changed from one year to five years.
strongswan-2.5.5
----------------
- the config setup parameter pkcs11proxy=yes opens pluto's PKCS#11
interface to other applications for RSA encryption and decryption
via the whack interface. Notation:
ipsec whack --scencrypt <data>
[--inbase 16|hex|64|base64|256|text|ascii]
[--outbase 16|hex|64|base64|256|text|ascii]
[--keyid <keyid>]
ipsec whack --scdecrypt <data>
[--inbase 16|hex|64|base64|256|text|ascii]
[--outbase 16|hex|64|base64|256|text|ascii]
[--keyid <keyid>]
The default setting for inbase and outbase is hex.
The new proxy interface can be used for securing symmetric
encryption keys required by the cryptoloop or dm-crypt
disk encryption schemes, especially in the case when
pkcs11keepstate=yes causes pluto to lock the pkcs11 slot
permanently.
- if the file /etc/ipsec.secrets is lacking during the startup of
pluto then the root-readable file /etc/ipsec.d/private/myKey.der
containing a 2048 bit RSA private key and a matching self-signed
certificate stored in the file /etc/ipsec.d/certs/selfCert.der
is automatically generated by calling the function
ipsec scepclient --out pkcs1 --out cert-self
scepclient was written by Jan Hutter and Martin Willi, students
at the University of Applied Sciences in Rapperswil, Switzerland.
strongswan-2.5.4
----------------
- the current extension of the PKCS#7 framework introduced
a parsing error in PKCS#7 wrapped X.509 certificates that are
e.g. transmitted by Windows XP when multi-level CAs are used.
the parsing syntax has been fixed.
- added a patch by Gerald Richter which tolerates multiple occurrences
of the ipsec0 interface when using KLIPS.
strongswan-2.5.3
----------------
- with gawk-3.1.4 the word "default2 has become a protected
keyword for use in switch statements and cannot be used any
more in the strongSwan scripts. This problem has been
solved by renaming "default" to "defaults" and "setdefault"
in the scripts _confread and auto, respectively.
- introduced the parameter leftsendcert with the values
always|yes (the default, always send a cert)
ifasked (send the cert only upon a cert request)
never|no (never send a cert, used for raw RSA keys and
self-signed certs)
- fixed the initialization of the ESP key length to a default of
128 bits in the case that the peer does not send a key length
attribute for AES encryption.
- applied Herbert Xu's uniqueIDs patch
- applied Herbert Xu's CLOEXEC patches
strongswan-2.5.2
----------------
- CRLs can now be cached also in the case when the issuer's
certificate does not contain a subjectKeyIdentifier field.
In that case the subjectKeyIdentifier is computed by pluto as the
160 bit SHA-1 hash of the issuer's public key in compliance
with section 4.2.1.2 of RFC 3280.
- Fixed a bug introduced by strongswan-2.5.1 which eliminated
not only multiple Quick Modes of a given connection but also
multiple connections between two security gateways.
strongswan-2.5.1
----------------
- Under the native IPsec of the Linux 2.6 kernel, a %trap eroute
installed either by setting auto=route in ipsec.conf or by
a connection put into hold, generates an XFRM_AQUIRE event
for each packet that wants to use the not-yet exisiting
tunnel. Up to now each XFRM_AQUIRE event led to an entry in
the Quick Mode queue, causing multiple IPsec SA to be
established in rapid succession. Starting with strongswan-2.5.1
only a single IPsec SA is established per host-pair connection.
- Right after loading the PKCS#11 module, all smartcard slots are
searched for certificates. The result can be viewed using
the command
ipsec auto --listcards
The certificate objects found in the slots are numbered
starting with #1, #2, etc. This position number can be used to address
certificates (leftcert=%smartcard) and keys (: PIN %smartcard)
in ipsec.conf and ipsec.secrets, respectively:
%smartcard (selects object #1)
%smartcard#1 (selects object #1)
%smartcard#3 (selects object #3)
As an alternative the existing retrieval scheme can be used:
%smartcard:45 (selects object with id=45)
%smartcard0 (selects first object in slot 0)
%smartcard4:45 (selects object in slot 4 with id=45)
- Depending on the settings of CKA_SIGN and CKA_DECRYPT
private key flags either C_Sign() or C_Decrypt() is used
to generate a signature.
- The output buffer length parameter siglen in C_Sign()
is now initialized to the actual size of the output
buffer prior to the function call. This fixes the
CKR_BUFFER_TOO_SMALL error that could occur when using
the OpenSC PKCS#11 module.
- Changed the initialization of the PKCS#11 CK_MECHANISM in
C_SignInit() to mech = { CKM_RSA_PKCS, NULL_PTR, 0 }.
- Refactored the RSA public/private key code and transferred it
from keys.c to the new pkcs1.c file as a preparatory step
towards the release of the SCEP client.
strongswan-2.5.0
----------------
- The loading of a PKCS#11 smartcard library module during
runtime does not require OpenSC library functions any more
because the corresponding code has been integrated into
smartcard.c. Also the RSAREF pkcs11 header files have been
included in a newly created pluto/rsaref directory so that
no external include path has to be defined any longer.
- A long-awaited feature has been implemented at last:
The local caching of CRLs fetched via HTTP or LDAP, activated
by the parameter cachecrls=yes in the config setup section
of ipsec.conf. The dynamically fetched CRLs are stored under
a unique file name containing the issuer's subjectKeyID
in /etc/ipsec.d/crls.
- Applied a one-line patch courtesy of Michael Richardson
from the Openswan project which fixes the kernel-oops
in KLIPS when an snmp daemon is running on the same box.
strongswan-2.4.4
----------------
- Eliminated null length CRL distribution point strings.
- Fixed a trust path evaluation bug introduced with 2.4.3
strongswan-2.4.3
----------------
- Improved the joint OCSP / CRL revocation policy.
OCSP responses have precedence over CRL entries.
- Introduced support of CRLv2 reason codes.
- Fixed a bug with key-pad equipped readers which caused
pluto to prompt for the pin via the console when the first
occasion to enter the pin via the key-pad was missed.
- When pluto is built with LDAP_V3 enabled, the library
liblber required by newer versions of openldap is now
included.
strongswan-2.4.2
----------------
- Added the _updown_espmark template which requires all
incoming ESP traffic to be marked with a default mark
value of 50.
- Introduced the pkcs11keepstate parameter in the config setup
section of ipsec.conf. With pkcs11keepstate=yes the PKCS#11
session and login states are kept as long as possible during
the lifetime of pluto. This means that a PIN entry via a key
pad has to be done only once.
- Introduced the pkcs11module parameter in the config setup
section of ipsec.conf which specifies the PKCS#11 module
to be used with smart cards. Example:
pkcs11module=/usr/lib/pkcs11/opensc-pkcs11.lo
- Added support of smartcard readers equipped with a PIN pad.
- Added patch by Jay Pfeifer which detects when netkey
modules have been statically built into the Linux 2.6 kernel.
- Added two patches by Herbert Xu. The first uses ip xfrm
instead of setkey to flush the IPsec policy database. The
second sets the optional flag in inbound IPComp SAs only.
- Applied Ulrich Weber's patch which fixes an interoperability
problem between native IPsec and KLIPS systems caused by
setting the replay window to 32 instead of 0 for ipcomp.
strongswan-2.4.1
----------------
- Fixed a bug which caused an unwanted Mode Config request
to be initiated in the case where "right" was used to denote
the local side in ipsec.conf and "left" the remote side,
contrary to the recommendation that "right" be remote and
"left" be"local".
strongswan-2.4.0a
-----------------
- updated Vendor ID to strongSwan-2.4.0
- updated copyright statement to include David Buechi and
Michael Meier
strongswan-2.4.0
----------------
- strongSwan now communicates with attached smartcards and
USB crypto tokens via the standardized PKCS #11 interface.
By default the OpenSC library from www.opensc.org is used
but any other PKCS#11 library could be dynamically linked.
strongSwan's PKCS#11 API was implemented by David Buechi
and Michael Meier, both graduates of the Zurich University
of Applied Sciences in Winterthur, Switzerland.
- When a %trap eroute is triggered by an outgoing IP packet
then the native IPsec stack of the Linux 2.6 kernel [often/
always?] returns an XFRM_ACQUIRE message with an undefined
protocol family field and the connection setup fails.
As a workaround IPv4 (AF_INET) is now assumed.
- the results of the UML test scenarios are now enhanced
with block diagrams of the virtual network topology used
in a particular test.
strongswan-2.3.2
----------------
- fixed IV used to decrypt informational messages.
This bug was introduced with Mode Config functionality.
- fixed NCP Vendor ID.
- undid one of Ulrich Weber's maximum udp size patches
because it caused a segmentation fault with NAT-ed
Delete SA messages.
- added UML scenarios wildcards and attr-cert which
demonstrate the implementation of IPsec policies based
on wildcard parameters contained in Distinguished Names and
on X.509 attribute certificates, respectively.
strongswan-2.3.1
----------------
- Added basic Mode Config functionality
- Added Mathieu Lafon's patch which upgrades the status of
the NAT-Traversal implementation to RFC 3947.
- The _startklips script now also loads the xfrm4_tunnel
module.
- Added Ulrich Weber's netlink replay window size and
maximum udp size patches.
- UML testing now uses the Linux 2.6.10 UML kernel by default.
strongswan-2.3.0
----------------
- Eric Marchionni and Patrik Rayo, both recent graduates from
the Zuercher Hochschule Winterthur in Switzerland, created a
User-Mode-Linux test setup for strongSwan. For more details
please read the INSTALL and README documents in the testing
subdirectory.
- Full support of group attributes based on X.509 attribute
certificates. Attribute certificates can be generated
using the openac facility. For more details see
man ipsec_openac.
The group attributes can be used in connection definitions
in order to give IPsec access to specific user groups.
This is done with the new parameter left|rightgroups as in
rightgroups="Research, Sales"
giving access to users possessing the group attributes
Research or Sales, only.
- In Quick Mode clients with subnet mask /32 are now
coded as IP_V4_ADDRESS or IP_V6_ADDRESS. This should
fix rekeying problems with the SafeNet/SoftRemote and NCP
Secure Entry Clients.
- Changed the defaults of the ikelifetime and keylife parameters
to 3h and 1h, respectively. The maximum allowable values are
now both set to 24 h.
- Suppressed notification wars between two IPsec peers that
could e.g. be triggered by incorrect ISAKMP encryption.
- Public RSA keys can now have identical IDs if either the
issuing CA or the serial number is different. The serial
number of a certificate is now shown by the command
ipsec auto --listpubkeys
strongswan-2.2.2
----------------
- Added Tuomo Soini's sourceip feature which allows a strongSwan
roadwarrior to use a fixed Virtual IP (see README section 2.6)
and reduces the well-known four tunnel case on VPN gateways to
a single tunnel definition (see README section 2.4).
- Fixed a bug occuring with NAT-Traversal enabled when the responder
suddenly turns initiator and the initiator cannot find a matching
connection because of the floated IKE port 4500.
- Removed misleading ipsec verify command from barf.
- Running under the native IP stack, ipsec --version now shows
the Linux kernel version (courtesy to the Openswan project).
strongswan-2.2.1
----------------
- Introduced the ipsec auto --listalgs monitoring command which lists
all currently registered IKE and ESP algorithms.
- Fixed a bug in the ESP algorithm selection occuring when the strict flag
is set and the first proposed transform does not match.
- Fixed another deadlock in the use of the lock_certs_and_keys() mutex,
occuring when a smartcard is present.
- Prevented that a superseded Phase1 state can trigger a DPD_TIMEOUT event.
- Fixed the printing of the notification names (null)
- Applied another of Herbert Xu's Netlink patches.
strongswan-2.2.0
----------------
- Support of Dead Peer Detection. The connection parameter
dpdaction=clear|hold
activates DPD for the given connection.
- The default Opportunistic Encryption (OE) policy groups are not
automatically included anymore. Those wishing to activate OE can include
the policy group with the following statement in ipsec.conf:
include /etc/ipsec.d/examples/oe.conf
The default for [right|left]rsasigkey is now set to %cert.
- strongSwan now has a Vendor ID of its own which can be activated
using the compile option VENDORID
- Applied Herbert Xu's patch which sets the compression algorithm correctly.
- Applied Herbert Xu's patch fixing an ESPINUDP problem
- Applied Herbert Xu's patch setting source/destination port numbers.
- Reapplied one of Herbert Xu's NAT-Traversal patches which got
lost during the migration from SuperFreeS/WAN.
- Fixed a deadlock in the use of the lock_certs_and_keys() mutex.
- Fixed the unsharing of alg parameters when instantiating group
connection.
strongswan-2.1.5
----------------
- Thomas Walpuski made me aware of a potential DoS attack via
a PKCS#7-wrapped certificate bundle which could overwrite valid CA
certificates in Pluto's authority certificate store. This vulnerability
was fixed by establishing trust in CA candidate certificates up to a
trusted root CA prior to insertion into Pluto's chained list.
- replaced the --assign option by the -v option in the auto awk script
in order to make it run with mawk under debian/woody.
strongswan-2.1.4
----------------
- Split of the status information between ipsec auto --status (concise)
and ipsec auto --statusall (verbose). Both commands can be used with
an optional connection selector:
ipsec auto --status[all] <connection_name>
- Added the description of X.509 related features to the ipsec_auto(8)
man page.
- Hardened the ASN.1 parser in debug mode, especially the printing
of malformed distinguished names.
- The size of an RSA public key received in a certificate is now restricted to
512 bits <= modulus length <= 8192 bits.
- Fixed the debug mode enumeration.
strongswan-2.1.3
----------------
- Fixed another PKCS#7 vulnerability which could lead to an
endless loop while following the X.509 trust chain.
strongswan-2.1.2
----------------
- Fixed the PKCS#7 vulnerability discovered by Thomas Walpuski
that accepted end certificates having identical issuer and subject
distinguished names in a multi-tier X.509 trust chain.
strongswan-2.1.1
----------------
- Removed all remaining references to ipsec_netlink.h in KLIPS.
strongswan-2.1.0
----------------
- The new "ca" section allows to define the following parameters:
ca kool
cacert=koolCA.pem # cacert of kool CA
ocspuri=http://ocsp.kool.net:8001 # ocsp server
ldapserver=ldap.kool.net # default ldap server
crluri=http://www.kool.net/kool.crl # crl distribution point
crluri2="ldap:///O=Kool, C= .." # crl distribution point #2
auto=add # add, ignore
The ca definitions can be monitored via the command
ipsec auto --listcainfos
- Fixed cosmetic corruption of /proc filesystem by integrating
D. Hugh Redelmeier's freeswan-2.06 kernel fixes.
strongswan-2.0.2
----------------
- Added support for the 818043 NAT-Traversal update of Microsoft's
Windows 2000/XP IPsec client which sends an ID_FQDN during Quick Mode.
- A symbolic link to libcrypto is now added in the kernel sources
during kernel compilation
- Fixed a couple of 64 bit issues (mostly casts to int).
Thanks to Ken Bantoft who checked my sources on a 64 bit platform.
- Replaced s[n]printf() statements in the kernel by ipsec_snprintf().
Credits go to D. Hugh Redelmeier, Michael Richardson, and Sam Sgro
of the FreeS/WAN team who solved this problem with the 2.4.25 kernel.
strongswan-2.0.1
----------------
- an empty ASN.1 SEQUENCE OF or SET OF object (e.g. a subjectAltName
certificate extension which contains no generalName item) can cause
a pluto crash. This bug has been fixed. Additionally the ASN.1 parser has
been hardened to make it more robust against malformed ASN.1 objects.
- applied Herbert Xu's NAT-T patches which fixes NAT-T under the native
Linux 2.6 IPsec stack.
strongswan-2.0.0
----------------
- based on freeswan-2.04, x509-1.5.3, nat-0.6c, alg-0.8.1rc12

340
COPYING Normal file
View File

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

110
CREDITS Normal file
View File

@ -0,0 +1,110 @@
We haven't kept proper track of everybody who has helped us, alas, but
here's a first attempt at acknowledgements...
Most of the FreeS/WAN software has been done by Richard Guy Briggs
(KLIPS), D. Hugh Redelmeier (Pluto), Michael Richardson (technical lead,
KLIPS, testing, etc.), Henry Spencer (past technical lead, scripts,
libraries, packaging, etc.), Sandy Harris (documentation), Claudia
Schmeing (support, documentation), and Sam Sgro (support, releases).
Peter Onion has collaborated extensively with RGB on PFKEY2 stuff. The
original version of our IPComp code came from Svenning Soerensen, who has
also contributed various bug fixes and improvements.
The first versions of KLIPS were done by John Ioannidis <ji@hol.gr>. The
first versions of Pluto (and further work on KLIPS) were done by Angelos
D. Keromytis <angelos@dsl.cis.upenn.edu>.
The MD2 implementation is from RSA Data Security Inc., so this package must
include the following phrase: "RSA Data Security, Inc. MD2 Message Digest
Algorithm" It is not under the GPL; see details in programs/pluto/md2.c.
The MD5 implementation is from RSA Data Security Inc., so this package must
include the following phrase: "derived from the RSA Data Security, Inc.
MD5 Message-Digest Algorithm". It is not under the GPL; see details in
linux/net/ipsec/ipsec_md5c.c.
The PKCS#11 header files in programs/pluto/rsaref/ are from RSA Security Inc.,
so they must include the following phrase: "RSA Security Inc. PKCS#11
Cryptographic Token Interface (Cryptoki)". The headers are not under the GPL;
see details in programs/pluto/rsaref/pkcs11.h.
The LIBDES library by Eric Young is used. It is not under the GPL -- see
details in libdes/COPYRIGHT -- although he has graciously waived the
advertising clause for FreeS/WAN use of LIBDES.
The SHA-1 code is derived from Steve Reid's; it is public domain.
Some bits of Linux code, notably drivers/net/new_tunnel.c and net/ipv4/ipip.c,
are used in heavily modified forms.
The radix-tree code from 4.4BSD is used in a modified form. It is not
under the GPL; see details in klips/net/ipsec/radij.c.
The lib/pfkeyv2.h header file contains public-domain material published in
RFC 2367.
Delete SA code and Notification messages were contributed by Mathieu Lafon.
He also implemented the vital NAT traversal support.
Peter Onion has been immensely helpful in finding portability bugs in
general, and in making FreeS/WAN work on the Alpha in particular. Rob
Hatfield likewise found and fixed some problems making it work on the
Netwinder.
John S. Denker of AT&T Shannon Labs has found a number of bugs the hard
way, has pointed out various problems (some of which we have fixed!) in
using the software in production applications, and has suggested some
substantial improvements to the documentation.
Marc Boucher <marc@mbsi.ca> did a quick-and-dirty port of KLIPS to the
Linux 2.2.x kernels, at a time when we needed it badly, and has helped
chase down 2.2.xx bugs and keep us current with 2.4.x development.
John Gilmore organized the FreeS/WAN project and continues to direct it.
Hugh Daniel handles day-to-day management, customer interface, and both
constructive and destructive testing. See the project's web page
<http://www.freeswan.org> for other contributors to this project and
related ones.
Herbert Xu ported the FreeS/WAN code to the native IPsec stack
of the Linux 2.6 kernel.
Kai Martius added initial support of OpenPGP certificates.
Andreas Steffen introduced the support of X.509 certificates in 2000
and has been both maintaining the X.509 code and adding extensions
to it ever since.
Andreas Hess, Patric Lichtsteiner, and Roger Wegmann implemented the
the initial X.509 certificate support, relying on Kai Martius's work.
Marco Bertossa and Andreas Schleiss implemented the verification of
the X.509 chain from the peer certificate up to the root CA.
Ueli Galizzi and Ariane Seiler did the original work on the support
of attribute certificates.
Martin Berner and Lukas Suter implemented the definition of group
attributes and dynamic fetching of attribute certificates.
Christoph Gysin and Simon Zwahlen implemented PKCS#15-based
smartcard suppport and contributed a fully operational OCSP client.
David Buechi and Michael Meier implemented the PKCS#11 smartcard
interface.
The support of port and protocol selectors was based on Stephen J.
Bevan's original work.
Stephane Laroche donated the original LDAP and HTTP fetching code
based on pthreads.
JuanJo Ciarlante introduced the modular support of alternative
encryption and authentication algorithms (AES, Serpent, twofish, etc).
The ipsec starter is based on Mathieu Lafon's original work.
Jan Hutter and Martin Willi developed the scepclient which fully
supports Cisco's Simple Certificate Enrollment Protocol (SCEP).
This file is RCSID $Id: CREDITS,v 1.6 2006/01/22 21:28:27 as Exp $

249
INSTALL Normal file
View File

@ -0,0 +1,249 @@
---------------------------
strongSwan - Installation
---------------------------
Contents
--------
1. Required packages
2. Optional packages
2.1 libcurl
2.2 OpenLDAP
2.3 PKCS#11 smartcard library modules
3. Building strongSwan with a Linux 2.4 kernel
4. Updating strongSwan with a Linux 2.4 kernel
5. Building strongSwan with a Linux 2.6 kernel
1. Required packages
-----------------
In order to be able to build strongSwan you'll need the GNU Multiprecision
Arithmetic Library (GMP) available from http://www.swox.com/gmp/.
The libgmp library and the corresponding header file gmp.h are usually
included in the form of one or two packages in the major Linux
distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev).
2. Optional packages
-----------------
2.1 libcurl
-------
If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an HTTP server or as an alternative want to use the Online
Certificate Status Protocol (OCSP) then you will need the libcurl library
available from http://curl.haxx.se/.
In order to keep the library as compact as possible for use with strongSwan
you can build libcurl from the sources with the optimized options
./configure --prefix=<dir> --without-ssl \
--disable-ldap --disable-telnet \
--disable-dict --disable-gopher \
--disable-debug \
--enable-nonblocking --enable-thread
As an alternative you can use the ready-made packages included with your
favorite Linux distribution (SuSE: curl, curl-devel).
In order to activate the use of the libcurl library in strongSwan you must
set the USE_LIBCURL option in "Makefile.inc":
# include libcurl support (CRL fetching, OCSP and SCEP)
USE_LIBCURL?=true
Under Gentoo emerge strongSwan with
USE="curl -ssl" emerge strongswan
2.2 OpenLDAP
--------
If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
from an LDAP server then you will need the libldap library available
from http://www.openldap.org/.
OpenLDAP is usually included with your Linux distribution. You will need
both the run-time and development environments (SuSE: openldap2,
openldap2-devel).
In order to activate the use of the libldap library in strongSwan you must
set the USE_LDAP option in "Makefile.inc":
# include LDAP support (CRL fetching)
USE_LDAP?=true
Depending upon whether your LDAP server understands the V3 (preferred) or
V2 LDAP protocol, uncomment one ot the two following lines:
# Uncomment to enable dynamic CRL fetching using LDAP V3
LDAP_VERSION=3
# Uncomment to enable dynamic CRL fetching using LDAP V2
#LDAP_VERSION=2
The latest OpenLDAP releases use the LDAP V3 protocol, whereas older
versions require LDAP V2.
Under Gentoo emerge strongSwan with
USE="ldap -ssl" emerge strongswan
2.3 PKCS#11 smartcard library modules
---------------------------------
If you want to securely store your X.509 certificates and private RSA keys
on a smart card or a USB crypto token then you will need a PKCS #11 library
for the smart card of your choice. The OpenSC PKCS#11 library (use
versions >= 0.9.4) available from http://www.opensc.org/ supports quite a
selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger
Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15
directory structure be present on the smart card. But in principle
any other PKCS#11 library could be used since the PKCS#11 API hides the
internal data representation on the card.
For USB crypto token support you must add the OpenCT driver library
(version >= 0.6.2) from the OpenSC site, whereas for serial smartcard
readers you'll need the pcsc-lite library and the matching driver from the
M.U.S.C.L.E project http://www.linuxnet.com/ .
In order to activate the PKCS#11-based smartcard support in strongSwan
you must set the USE_SMARTCARD option in "Makefile.inc":
#include PKCS11-based smartcard support
USE_SMARTCARD?=true
During compilation no externel smart card libraries must be present.
strongSwan directly references a copy of the standard RSAREF pkcs11.h
header files stored in the pluto/rsaref sub directory. During compile
time a pathname to a default PKCS#11 dynamical library can be specified
in "Makefile.inc"
# Uncomment this line if using OpenSC <= 0.9.6
PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
# Uncomment tis line if using OpenSC >= 0.10.0
#PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\"
This default path to the easily-obtainable OpenSC library module can be
simply overridden during run-time by specifying an alternative path in
ipsec.conf pointing to any dynamic PKCS#11 library of your choice.
config setup
pkcs11module="/usr/lib/xyz-pkcs11.so"
Under Gentoo emerge strongSwan with
USE="smartcard usb -pam -X" emerge strongswan
3. Building strongSwan with a Linux 2.4 kernel
-------------------------------------------
* Building strongSwan with a Linux 2.4 kernel requires the presence of the
matching kernel sources referenced via the symbolic link /usr/src/linux.
The use of the vanilla kernel sources from ftp.kernel.org is strongly
recommended.
Before building strongSwan you must have compiled the kernel sources at
least once:
make menuconfig; make dep; make bzImage; make modules
* Now change into the strongswan-2.x.x source directory.
First uncomment any desired compile options in "programs/pluto/Makefile"
(see section 2. Optional packages).
Then in the top source directory type
make menumod
This command applies an ESP_IN_UDP encapsulation patch which is required
for NAT-Traversal to the kernel sources.
In the "Networking options" menu set
<M> IP Security Protocol (strongSwan IPsec)
in order to build KLIPS as a loadable kernel module "ipsec.o". Do not
forget to save the modified configuration file when leaving "menumod".
The strongSwan userland programs are now automatically built and
installed, whereas the ipsec.o kernel module and the crypto modules
are only built and must be installed with the command
make minstall
* If you intend to use the NAT-Traversal feature then you must compile the
patched kernel sources again by executing
make bzImage
and then install and boot the modified kernel.
* Next add your connections to "/etc/ipsec.conf" and start strongSwan with
ipsec setup start
4. Updating strongSwan with a Linux 2.4 kernel
-------------------------------------------
* If you have already successfully installed strongSwan and want to update
to a newer version then the following shortcut can be taken:
First uncomment any desired compile options in "programs/pluto/Makefile"
(see section 2. Optional packages).
Then in the strongwan-2.x.x top directory type
make programs; make install
followed by
make module; make minstall
* You can then start the updated strongSwan version with
ipsec setup restart
5. Building strongSwan with a Linux 2.6 kernel
-------------------------------------------
* Because the Linux 2.6 kernel comes with a built-in native IPsec stack,
you won't need to build the strongSwan kernel modules. Please make sure
that the the following Linux 2.6 IPsec kernel modules are available:
o af_key
o ah4
o esp4
o ipcomp
o xfrm_user
Also the built-in kernel Cryptoapi modules with selected encryption and
hash algorithms should be available.
* First uncomment any desired compile options in "programs/pluto/Makefile"
(see section 2. Optional packages).
Then in the strongwan-2.x.x top directory type
make programs
followed by
make install
* Next add your connections to "etc/ipsec.conf" and start strongSwan with
ipsec setup start
-----------------------------------------------------------------------------
This file is RCSID $Id: INSTALL,v 1.8 2006/01/22 16:22:23 as Exp $

33
LICENSE Normal file
View File

@ -0,0 +1,33 @@
Except for the DES library, MD2 and MD5 code, the PKCS#11 headers, and
linux/net/ipsec/radij.c this software is under the GNU Public License,
see the file COPYING.
See the file CREDITS for details on origins of more of the code.
The DES library is under a BSD style license, see
linux/crypto/ciphers/des/COPYRIGHT.
Note that this software has a advertising clause in it.
The MD2 implementation is from RSA Data Security Inc., so this package must
include the following phrase: "RSA Data Security, Inc. MD2 Message Digest
Algorithm" It is not under the GPL; see details in programs/pluto/md2.c.
The MD5 implementation is from RSA Data Security Inc., so this package must
include the following phrase: "derived from the RSA Data Security, Inc.
MD5 Message-Digest Algorithm". It is not under the GPL; see details in
linux/net/ipsec/ipsec_md5c.c.
The PKCS#11 header files in programs/pluto/rsaref/ are from RSA Security Inc.,
so they must include the following phrase: "RSA Security Inc. PKCS#11
Cryptographic Token Interface (Cryptoki)". The headers are not under the GPL;
see details in programs/pluto/rsaref/pkcs11.h.
The linux/net/ipsec/radij.c code is derived from BSD 4.4lite code
from sys/net/radix.c.
In addition to the terms set out under the GPL, permission is granted to
link the software against the libdes, md5c.c, and radij.c libraries just
mentioned.

602
Makefile Normal file
View File

@ -0,0 +1,602 @@
# FreeS/WAN master makefile
# Copyright (C) 1998-2002 Henry Spencer.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: Makefile,v 1.4 2004/11/14 21:50:59 as Exp $
FREESWANSRCDIR=$(shell pwd)
export FREESWANSRCDIR
include Makefile.inc
PATCHES=linux
# where KLIPS goes in the kernel
# note, some of the patches know the last part of this path
KERNELKLIPS=$(KERNELSRC)/net/ipsec
KERNELCRYPTODES=$(KERNELSRC)/crypto/ciphers/des
KERNELLIBFREESWAN=$(KERNELSRC)/lib/libfreeswan
KERNELLIBZLIB=$(KERNELSRC)/lib/zlib
KERNELLIBCRYPTO=$(KERNELSRC)/lib/libcrypto
KERNELINCLUDE=$(KERNELSRC)/include
KERNELALG=$(KERNELKLIPS)/alg
MAKEUTILS=packaging/utils
ERRCHECK=${MAKEUTILS}/errcheck
KVUTIL=${MAKEUTILS}/kernelversion
KVSHORTUTIL=${MAKEUTILS}/kernelversion-short
# kernel details
# what variant of our patches should we use, and where is it
KERNELREL=$(shell ${KVSHORTUTIL} ${KERNELSRC}/Makefile)
# directories visited by all recursion
SUBDIRS=doc lib programs linux
# declaration for make's benefit
.PHONY: def insert kpatch klink klibcryptolink patches _patches _patches2.2 _patches2.4 \
klipsdefaults programs install clean distclean \
ogo oldgo menugo xgo \
omod oldmod menumod xmod \
pcf ocf mcf xcf rcf nopromptgo \
precheck verset confcheck kernel module kinstall minstall \
backup unpatch uinstall install_file_list \
snapready relready ready buildready devready uml check taroldinstall \
umluserland
# dummy default rule
def:
@echo "Please read doc/intro.html or INSTALL before running make"
@false
# everything that's necessary to put Klips into the kernel
insert: patches klink klipsdefaults
kpatch: unapplypatch applypatch klipsdefaults
unapplypatch:
-if [ -f ${KERNELSRC}/freeswan.patch ]; then \
echo Undoing previous patches; \
cat ${KERNELSRC}/freeswan.patch | (cd ${KERNELSRC} && patch -p1 -R --force -E -z .preipsec --reverse --ignore-whitespace ); \
fi
applypatch:
echo Now performing forward patches;
make kernelpatch${KERNELREL} | tee ${KERNELSRC}/freeswan.patch | (cd ${KERNELSRC} && patch -p1 -b -z .preipsec --forward --ignore-whitespace )
kdiff:
echo Comparing ${KERNELSRC} to ${FREESWANSRCDIR}/linux.
packaging/utils/kerneldiff ${KERNELSRC}
# create KERNELKLIPS and populate it with symlinks to the sources
klink:
-[ -L $(KERNELKLIPS)/ipsec_init.c ] && rm -rf ${KERNELKLIPS}
-[ -L $(KERNELCRYPTODES)/cbc_enc.c ] && rm -rf ${KERNELCRYPTODES}
-[ -L $(KERNELLIBFREESWAN)/subnettoa.c ] && rm -rf ${KERNELLIBFREESWAN}
-[ -L ${KERNELLIBZLIB}/deflate.c ] && rm -rf ${KERNELLIBZLIB}
-[ -L ${KERNELINCLUDE}/freeswan.h ] && for i in linux/include/*; do rm -f ${KERNELINCLUDE}/$$i; done
-[ -L $(KERNELALG)/Makefile ] && rm -rf $(KERNELALG)
-[ -L $(KERNELLIBCRYPTO) ] && rm -f $(KERNELLIBCRYPTO)
mkdir -p $(KERNELKLIPS)
mkdir -p $(KERNELCRYPTODES)
mkdir -p $(KERNELLIBFREESWAN)
mkdir -p $(KERNELLIBZLIB)
mkdir -p $(KERNELALG)
$(KLIPSLINK) `pwd`/Makefile.ver $(KERNELKLIPS)
$(KLIPSLINK) `pwd`/linux/include/* $(KERNELINCLUDE)
$(KLIPSLINK) `pwd`/linux/net/ipsec/Makefile* $(KERNELKLIPS)
$(KLIPSLINK) `pwd`/linux/net/ipsec/Config.in $(KERNELKLIPS)
$(KLIPSLINK) `pwd`/linux/net/ipsec/defconfig $(KERNELKLIPS)
$(KLIPSLINK) `pwd`/linux/net/ipsec/*.[ch] $(KERNELKLIPS)
$(KLIPSLINK) `pwd`/linux/net/ipsec/alg/Makefile* $(KERNELALG)
$(KLIPSLINK) `pwd`/linux/net/ipsec/alg/Config.* $(KERNELALG)
$(KLIPSLINK) `pwd`/linux/net/ipsec/alg/ipsec_alg*.[ch] $(KERNELALG)
$(KLIPSLINK) `pwd`/linux/net/ipsec/alg/scripts $(KERNELALG)
# Each ALGo does it own symlinks
$(KLIPSLINK) `pwd`/lib/libcrypto $(KERNELLIBCRYPTO)
$(KLIPSLINK) `pwd`/linux/lib/zlib/*.[ch] $(KERNELLIBZLIB)
$(KLIPSLINK) `pwd`/linux/lib/zlib/Makefile* $(KERNELLIBZLIB)
$(KLIPSLINK) `pwd`/linux/lib/libfreeswan/*.[ch] $(KERNELLIBFREESWAN)
$(KLIPSLINK) `pwd`/linux/lib/libfreeswan/Makefile* $(KERNELLIBFREESWAN)
$(KLIPSLINK) `pwd`/linux/crypto/ciphers/des/*.[chsS] $(KERNELCRYPTODES)
$(KLIPSLINK) `pwd`/linux/crypto/ciphers/des/Makefile* $(KERNELCRYPTODES)
sed '/"/s/xxx/$(IPSECVERSION)/' linux/lib/libfreeswan/version.in.c >$(KERNELKLIPS)/version.c
# create libcrypto symlink
klibcryptolink:
-[ -L $(KERNELLIBCRYPTO) ] && rm -f $(KERNELLIBCRYPTO)
$(KLIPSLINK) `pwd`/lib/libcrypto $(KERNELLIBCRYPTO)
# patch kernel
PATCHER=packaging/utils/patcher
patches:
@echo \"make patches\" is obsolete. See \"make kpatch\".
exit 1
_patches:
echo "===============" >>out.kpatch
echo "`date` `cd $(KERNELSRC) ; pwd`" >>out.kpatch
$(MAKE) __patches$(KERNELREL) >>out.kpatch
# Linux-2.0.x version
__patches __patches2.0:
@$(PATCHER) -v $(KERNELSRC) Documentation/Configure.help \
'CONFIG_IPSEC' $(PATCHES)/Documentation/Configure.help.fs2_0.patch
@$(PATCHER) -v $(KERNELSRC) net/Config.in \
'CONFIG_IPSEC' $(PATCHES)/net/Config.in.fs2_0.patch
@$(PATCHER) -v $(KERNELSRC) net/Makefile \
'CONFIG_IPSEC' $(PATCHES)/net/Makefile.fs2_0.patch
@$(PATCHER) -v $(KERNELSRC) net/ipv4/af_inet.c \
'CONFIG_IPSEC' $(PATCHES)/net/ipv4/af_inet.c.fs2_0.patch
# Removed patches, will unpatch automatically.
@$(PATCHER) -v $(KERNELSRC) include/linux/proc_fs.h
@$(PATCHER) -v $(KERNELSRC) net/core/dev.c
@$(PATCHER) -v $(KERNELSRC) net/ipv4/protocol.c
@$(PATCHER) -v $(KERNELSRC) drivers/net/Space.c
@$(PATCHER) -v $(KERNELSRC) net/netlink.c
@$(PATCHER) -v $(KERNELSRC) drivers/isdn/isdn_net.c
# Linux-2.2.x version
PATCHES24=klips/patches2.3
__patches2.2:
@$(PATCHER) -v -c $(KERNELSRC) Documentation/Configure.help \
'CONFIG_IPSEC' $(PATCHES)/Documentation/Configure.help.fs2_2.patch
@$(PATCHER) -v $(KERNELSRC) net/Config.in \
'CONFIG_IPSEC' $(PATCHES)/net/Config.in.fs2_2.patch
@$(PATCHER) -v $(KERNELSRC) net/Makefile \
'CONFIG_IPSEC' $(PATCHES)/net/Makefile.fs2_2.patch
@$(PATCHER) -v $(KERNELSRC) net/ipv4/af_inet.c \
'CONFIG_IPSEC' $(PATCHES)/net/ipv4/af_inet.c.fs2_2.patch
@$(PATCHER) -v $(KERNELSRC) net/ipv4/udp.c \
'CONFIG_IPSEC' $(PATCHES)/net/ipv4/udp.c.fs2_2.patch
@$(PATCHER) -v $(KERNELSRC) include/net/sock.h \
'CONFIG_IPSEC' $(PATCHES)/net/include.net.sock.h.fs2_2.patch
# Removed patches, will unpatch automatically.
@$(PATCHER) -v $(KERNELSRC) include/linux/proc_fs.h
@$(PATCHER) -v $(KERNELSRC) net/core/dev.c
@$(PATCHER) -v $(KERNELSRC) net/ipv4/protocol.c
@$(PATCHER) -v $(KERNELSRC) drivers/net/Space.c
@$(PATCHER) -v $(KERNELSRC) include/linux/netlink.h
@$(PATCHER) -v $(KERNELSRC) net/netlink/af_netlink.c
@$(PATCHER) -v $(KERNELSRC) net/netlink/netlink_dev.c
@$(PATCHER) -v $(KERNELSRC) include/linux/socket.h
@$(PATCHER) -v $(KERNELSRC) drivers/isdn/isdn_net.c
# Linux-2.4.0 version
PATCHES22=klips/patches2.2
__patches2.3 __patches2.4:
@$(PATCHER) -v -c $(KERNELSRC) Documentation/Configure.help \
'CONFIG_IPSEC' $(PATCHES)/Documentation/Configure.help.fs2_2.patch
@$(PATCHER) -v $(KERNELSRC) net/Config.in \
'CONFIG_IPSEC' $(PATCHES)/net/Config.in.fs2_4.patch
@$(PATCHER) -v $(KERNELSRC) net/Makefile \
'CONFIG_IPSEC' $(PATCHES)/net/Makefile.fs2_4.patch
@$(PATCHER) -v $(KERNELSRC) net/ipv4/af_inet.c \
'CONFIG_IPSEC' $(PATCHES)/net/ipv4/af_inet.c.fs2_4.patch
@$(PATCHER) -v $(KERNELSRC) net/ipv4/udp.c \
'CONFIG_IPSEC' $(PATCHES)/net/ipv4/udp.c.fs2_4.patch
@$(PATCHER) -v $(KERNELSRC) include/net/sock.h \
'CONFIG_IPSEC' $(PATCHES)/net/include.net.sock.h.fs2_4.patch
# Removed patches, will unpatch automatically.
@$(PATCHER) -v $(KERNELSRC) include/linux/proc_fs.h
@$(PATCHER) -v $(KERNELSRC) net/core/dev.c
@$(PATCHER) -v $(KERNELSRC) net/ipv4/protocol.c
@$(PATCHER) -v $(KERNELSRC) drivers/net/Space.c
@$(PATCHER) -v $(KERNELSRC) include/linux/netlink.h
@$(PATCHER) -v $(KERNELSRC) net/netlink/af_netlink.c
@$(PATCHER) -v $(KERNELSRC) net/netlink/netlink_dev.c
@$(PATCHER) -v $(KERNELSRC) drivers/isdn/isdn_net.c
klipsdefaults:
@KERNELDEFCONFIG=$(KERNELSRC)/arch/$(ARCH)/defconfig ; \
KERNELCONFIG=$(KCFILE) ; \
if ! egrep -q 'CONFIG_IPSEC' $$KERNELDEFCONFIG ; \
then \
set -x ; \
cp -a $$KERNELDEFCONFIG $$KERNELDEFCONFIG.orig ; \
chmod u+w $$KERNELDEFCONFIG ; \
cat $$KERNELDEFCONFIG $(KERNELKLIPS)/defconfig \
>$$KERNELDEFCONFIG.tmp ; \
rm -f $$KERNELDEFCONFIG ; \
cp -a $$KERNELDEFCONFIG.tmp $$KERNELDEFCONFIG ; \
rm -f $$KERNELDEFCONFIG.tmp ; \
fi ; \
if ! egrep -q 'CONFIG_IPSEC' $$KERNELCONFIG ; \
then \
set -x ; \
cp -a $$KERNELCONFIG $$KERNELCONFIG.orig ; \
chmod u+w $$KERNELCONFIG ; \
cat $$KERNELCONFIG $(KERNELKLIPS)/defconfig \
>$$KERNELCONFIG.tmp ; \
rm -f $$KERNELCONFIG ; \
cp -a $$KERNELCONFIG.tmp $$KERNELCONFIG ; \
rm -f $$KERNELCONFIG.tmp ; \
fi
# programs
checkv199install:
if [ -f ${LIBDIR}/pluto ]; \
then \
echo WARNING: FreeS/WAN 1.99 still installed. ;\
echo WARNING: moving ${LIBDIR} to ${LIBDIR}.v1 ;\
mv ${LIBDIR} ${LIBDIR}.v1 ;\
fi
install:: checkv199install
programs install clean checkprograms::
@for d in $(SUBDIRS) ; \
do \
(cd $$d && $(MAKE) FREESWANSRCDIR=.. $@ ) || exit 1; \
done; \
clean::
rm -rf $(RPMTMPDIR) $(RPMDEST)
rm -f out.*build out.*install # but leave out.kpatch
rm -f rpm.spec
distclean: clean
rm -f out.kpatch
if [ -f umlsetup.sh ]; then source umlsetup.sh; if [ -d "$$POOLSPACE" ]; then rm -rf $$POOLSPACE; fi; fi
# proxies for major kernel make operations
# do-everything entries
KINSERT_PRE=precheck verset insert
PRE=precheck verset kpatch klibcryptolink
POST=confcheck programs kernel install
MPOST=confcheck programs module install
ogo: $(PRE) pcf $(POST)
oldgo: $(PRE) ocf $(POST)
nopromptgo: $(PRE) rcf $(POST)
menugo: $(PRE) mcf $(POST)
xgo: $(PRE) xcf $(POST)
omod: $(PRE) pcf $(MPOST)
oldmod: $(PRE) ocf $(MPOST)
menumod: $(PRE) mcf $(MPOST)
xmod: $(PRE) xcf $(MPOST)
# preliminaries
precheck:
@if test ! -d $(KERNELSRC) -a ! -L $(KERNELSRC) ; \
then \
echo '*** cannot find directory "$(KERNELSRC)"!!' ; \
echo '*** may be necessary to add symlink to kernel source' ; \
exit 1 ; \
fi
@if ! cd $(KERNELSRC) ; \
then \
echo '*** cannot "cd $(KERNELSRC)"!!' ; \
echo '*** may be necessary to add symlink to kernel source' ; \
exit 1 ; \
fi
@if test ! -f $(KCFILE) ; \
then \
echo '*** cannot find "$(KCFILE)"!!' ; \
echo '*** perhaps kernel has never been configured?' ; \
echo '*** please do that first; the results are necessary.' ; \
exit 1 ; \
fi
@if test ! -f $(VERFILE) ; \
then \
echo '*** cannot find "$(VERFILE)"!!' ; \
echo '*** perhaps kernel has never been compiled?' ; \
echo '*** please do that first; the results are necessary.' ; \
exit 1 ; \
fi
# set version code if this is a fresh CVS checkout
ifeq ($(wildcard cvs.datemark),cvs.datemark)
verset Makefile.ver: cvs.datemark
echo IPSECVERSION=`date -r cvs.datemark +cvs%Y%b%d_%H:%M:%S` >Makefile.ver
rm -f cvs.datemark;
else
verset Makefile.ver:
@grep IPSECVERSION Makefile.ver
endif
Makefile: Makefile.ver
# configuring (exit statuses disregarded, something fishy here sometimes)
xcf:
-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) xconfig
mcf:
-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) menuconfig
pcf:
-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) config
ocf:
-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) oldconfig
rcf:
cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) oldconfig_nonint </dev/null
cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) dep >/dev/null
confcheck:
@if test ! -f $(KCFILE) ; \
then echo '*** no kernel configuration file written!!' ; exit 1 ; \
fi
@if ! egrep -q '^CONFIG_IPSEC=[my]' $(KCFILE) ; \
then echo '*** IPsec not in kernel config ($(KCFILE))!!' ; exit 1 ; \
fi
@if ! egrep -q 'CONFIG_IPSEC[ ]+1' $(ACFILE) && \
! egrep -q 'CONFIG_IPSEC_MODULE[ ]+1' $(ACFILE) ; \