summaryrefslogtreecommitdiff
path: root/src/pluto
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2007-06-03 17:36:35 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2007-06-03 17:36:35 +0000
commit08ee5250bd9c43fda5f24d10b791ca2c4c17fcee (patch)
treed4e2fc7144e288d624555a38955593e1ee066531 /src/pluto
parentb0d8ed94fe9e74afb49fdf5f11e4add29879c65c (diff)
downloadvyos-strongswan-08ee5250bd9c43fda5f24d10b791ca2c4c17fcee.tar.gz
vyos-strongswan-08ee5250bd9c43fda5f24d10b791ca2c4c17fcee.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.1.3)
Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/Makefile.am3
-rw-r--r--src/pluto/Makefile.in18
-rw-r--r--src/pluto/crl.c14
-rw-r--r--src/pluto/crl.h1
-rw-r--r--src/pluto/fetch.c3
-rw-r--r--src/pluto/kernel_netlink.c4
-rw-r--r--src/pluto/keys.c2
-rw-r--r--src/pluto/linux26/netlink.h90
-rw-r--r--src/pluto/linux26/rtnetlink.h562
-rw-r--r--src/pluto/linux26/xfrm.h233
-rw-r--r--src/pluto/modecfg.c3
-rw-r--r--src/pluto/oid.c283
-rw-r--r--src/pluto/oid.h115
-rw-r--r--src/pluto/oid.txt1
-rw-r--r--src/pluto/plutomain.c29
-rw-r--r--src/pluto/vendor.c4
-rw-r--r--src/pluto/vendor.h2
-rw-r--r--src/pluto/xauth.c2
-rw-r--r--src/pluto/xauth.h2
19 files changed, 278 insertions, 1093 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index b1b848c76..7dd5f422b 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -64,12 +64,12 @@ xauth.c xauth.h \
x509.c x509.h \
alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \
alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \
-linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \
rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
_pluto_adns_SOURCES = adns.c adns.h
INCLUDES = \
+-I${linuxdir} \
-I$(top_srcdir)/src/libfreeswan \
-I$(top_srcdir)/src/libcrypto \
-I$(top_srcdir)/src/whack
@@ -137,4 +137,5 @@ install-exec-local :
mkdir -p -m 755 $(confdir)/ipsec.d/crls
mkdir -p -m 755 $(confdir)/ipsec.d/reqs
mkdir -p -m 700 $(confdir)/ipsec.d/private
+ chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 1f996a065..e164717a9 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -164,6 +164,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -176,6 +177,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,8 +188,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -209,6 +215,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -218,6 +225,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -231,9 +240,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -248,6 +261,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
pluto_SOURCES = \
ac.c ac.h \
alg_info.c alg_info.h \
@@ -308,11 +323,11 @@ xauth.c xauth.h \
x509.c x509.h \
alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \
alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \
-linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \
rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
_pluto_adns_SOURCES = adns.c adns.h
INCLUDES = \
+-I${linuxdir} \
-I$(top_srcdir)/src/libfreeswan \
-I$(top_srcdir)/src/libcrypto \
-I$(top_srcdir)/src/whack
@@ -873,6 +888,7 @@ install-exec-local :
mkdir -p -m 755 $(confdir)/ipsec.d/crls
mkdir -p -m 755 $(confdir)/ipsec.d/reqs
mkdir -p -m 700 $(confdir)/ipsec.d/private
+ chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 05e8d1402..dc8932769 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -121,6 +121,7 @@ const x509crl_t empty_x509crl = {
/* extnValue */
{ NULL, 0 } , /* authKeyID */
{ NULL, 0 } , /* authKeySerialNumber */
+ { NULL, 0 } , /* crlNumber */
OID_UNKNOWN , /* algorithm */
{ NULL, 0 } /* signature */
};
@@ -491,6 +492,12 @@ parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl)
parse_authorityKeyIdentifier(object, level
, &crl->authKeyID, &crl->authKeySerialNumber);
}
+ else if (extn_oid == OID_CRL_NUMBER)
+ {
+ if (!parse_asn1_simple_object(&object, ASN1_INTEGER, level, "crlNumber"))
+ return FALSE;
+ crl->crlNumber = object;
+ }
}
break;
case CRL_OBJ_ALGORITHM:
@@ -735,7 +742,12 @@ list_crls(bool utc, bool strict)
timetoa(&crl->installed, utc), revoked);
dntoa(buf, BUF_LEN, crl->issuer);
whack_log(RC_COMMENT, " issuer: '%s'", buf);
-
+ if (crl->crlNumber.ptr != NULL)
+ {
+ datatot(crl->crlNumber.ptr, crl->crlNumber.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " crlnumber: %s", buf);
+ }
list_distribution_points(crl->distributionPoints);
whack_log(RC_COMMENT, " updates: this %s",
diff --git a/src/pluto/crl.h b/src/pluto/crl.h
index 9f985b6cd..328539770 100644
--- a/src/pluto/crl.h
+++ b/src/pluto/crl.h
@@ -52,6 +52,7 @@ struct x509crl {
/* extnValue */
chunk_t authKeyID;
chunk_t authKeySerialNumber;
+ chunk_t crlNumber;
/* signatureAlgorithm */
int algorithm;
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index e3e56d3a8..8f48152f6 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -32,6 +32,9 @@
#include <freeswan.h>
#ifdef LIBLDAP
+#ifndef LDAP_DEPRECATED
+#define LDAP_DEPRECATED 1
+#endif
#include <ldap.h>
#endif
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index 1947ddbac..9b9d7b9ed 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -24,10 +24,10 @@
#include <sys/types.h>
#include <sys/queue.h>
#include <unistd.h>
+#include <linux/xfrm.h>
+#include <linux/rtnetlink.h>
#include "kameipsec.h"
-#include "linux26/rtnetlink.h"
-#include "linux26/xfrm.h"
#include <freeswan.h>
#include <pfkeyv2.h>
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index eed81230f..1efe85228 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -647,7 +647,7 @@ xauth_get_secret(xauth_t *xauth_secret)
* find a matching secret
*/
static bool
-xauth_verify_secret(const xauth_t *xauth_secret)
+xauth_verify_secret(const char *conn_name, const xauth_t *xauth_secret)
{
bool found = FALSE;
secret_t *s;
diff --git a/src/pluto/linux26/netlink.h b/src/pluto/linux26/netlink.h
deleted file mode 100644
index 6b0896da6..000000000
--- a/src/pluto/linux26/netlink.h
+++ /dev/null
@@ -1,90 +0,0 @@
-#ifndef __LINUX_NETLINK_H
-#define __LINUX_NETLINK_H
-
-#include <stdint.h>
-#include <sys/socket.h> /* for sa_family_t */
-
-#define NETLINK_ROUTE 0 /* Routing/device hook */
-#define NETLINK_SKIP 1 /* Reserved for ENskip */
-#define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */
-#define NETLINK_FIREWALL 3 /* Firewalling hook */
-#define NETLINK_TCPDIAG 4 /* TCP socket monitoring */
-#define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */
-#define NETLINK_XFRM 6 /* ipsec */
-#define NETLINK_ARPD 8
-#define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */
-#define NETLINK_IP6_FW 13
-#define NETLINK_DNRTMSG 14 /* DECnet routing messages */
-#define NETLINK_TAPBASE 16 /* 16 to 31 are ethertap */
-
-#define MAX_LINKS 32
-
-struct sockaddr_nl
-{
- sa_family_t nl_family; /* AF_NETLINK */
- unsigned short nl_pad; /* zero */
- uint32_t nl_pid; /* process pid */
- uint32_t nl_groups; /* multicast groups mask */
-};
-
-struct nlmsghdr
-{
- uint32_t nlmsg_len; /* Length of message including header */
- uint16_t nlmsg_type; /* Message content */
- uint16_t nlmsg_flags; /* Additional flags */
- uint32_t nlmsg_seq; /* Sequence number */
- uint32_t nlmsg_pid; /* Sending process PID */
-};
-
-/* Flags values */
-
-#define NLM_F_REQUEST 1 /* It is request message. */
-#define NLM_F_MULTI 2 /* Multipart message, terminated by NLMSG_DONE */
-#define NLM_F_ACK 4 /* Reply with ack, with zero or error code */
-#define NLM_F_ECHO 8 /* Echo this request */
-
-/* Modifiers to GET request */
-#define NLM_F_ROOT 0x100 /* specify tree root */
-#define NLM_F_MATCH 0x200 /* return all matching */
-#define NLM_F_ATOMIC 0x400 /* atomic GET */
-#define NLM_F_DUMP (NLM_F_ROOT|NLM_F_MATCH)
-
-/* Modifiers to NEW request */
-#define NLM_F_REPLACE 0x100 /* Override existing */
-#define NLM_F_EXCL 0x200 /* Do not touch, if it exists */
-#define NLM_F_CREATE 0x400 /* Create, if it does not exist */
-#define NLM_F_APPEND 0x800 /* Add to end of list */
-
-/*
- 4.4BSD ADD NLM_F_CREATE|NLM_F_EXCL
- 4.4BSD CHANGE NLM_F_REPLACE
-
- True CHANGE NLM_F_CREATE|NLM_F_REPLACE
- Append NLM_F_CREATE
- Check NLM_F_EXCL
- */
-
-#define NLMSG_ALIGNTO 4
-#define NLMSG_ALIGN(len) ( ((len)+NLMSG_ALIGNTO-1) & ~(NLMSG_ALIGNTO-1) )
-#define NLMSG_LENGTH(len) ((len)+NLMSG_ALIGN(sizeof(struct nlmsghdr)))
-#define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len))
-#define NLMSG_DATA(nlh) ((void*)(((char*)nlh) + NLMSG_LENGTH(0)))
-#define NLMSG_NEXT(nlh,len) ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \
- (struct nlmsghdr*)(((char*)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len)))
-#define NLMSG_OK(nlh,len) ((len) > 0 && (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \
- (nlh)->nlmsg_len <= (len))
-#define NLMSG_PAYLOAD(nlh,len) ((nlh)->nlmsg_len - NLMSG_SPACE((len)))
-
-#define NLMSG_NOOP 0x1 /* Nothing. */
-#define NLMSG_ERROR 0x2 /* Error */
-#define NLMSG_DONE 0x3 /* End of a dump */
-#define NLMSG_OVERRUN 0x4 /* Data lost */
-
-struct nlmsgerr
-{
- int error;
- struct nlmsghdr msg;
-};
-
-#define NET_MAJOR 36 /* Major 36 is reserved for networking */
-#endif /* __LINUX_NETLINK_H */
diff --git a/src/pluto/linux26/rtnetlink.h b/src/pluto/linux26/rtnetlink.h
deleted file mode 100644
index 341bc1f86..000000000
--- a/src/pluto/linux26/rtnetlink.h
+++ /dev/null
@@ -1,562 +0,0 @@
-#ifndef __LINUX_RTNETLINK_H
-#define __LINUX_RTNETLINK_H
-
-#include "netlink.h"
-#include <stdint.h>
-
-#define RTNL_DEBUG 1
-
-
-/****
- * Routing/neighbour discovery messages.
- ****/
-
-/* Types of messages */
-
-#define RTM_BASE 0x10
-
-#define RTM_NEWLINK (RTM_BASE+0)
-#define RTM_DELLINK (RTM_BASE+1)
-#define RTM_GETLINK (RTM_BASE+2)
-#define RTM_SETLINK (RTM_BASE+3)
-
-#define RTM_NEWADDR (RTM_BASE+4)
-#define RTM_DELADDR (RTM_BASE+5)
-#define RTM_GETADDR (RTM_BASE+6)
-
-#define RTM_NEWROUTE (RTM_BASE+8)
-#define RTM_DELROUTE (RTM_BASE+9)
-#define RTM_GETROUTE (RTM_BASE+10)
-
-#define RTM_NEWNEIGH (RTM_BASE+12)
-#define RTM_DELNEIGH (RTM_BASE+13)
-#define RTM_GETNEIGH (RTM_BASE+14)
-
-#define RTM_NEWRULE (RTM_BASE+16)
-#define RTM_DELRULE (RTM_BASE+17)
-#define RTM_GETRULE (RTM_BASE+18)
-
-#define RTM_NEWQDISC (RTM_BASE+20)
-#define RTM_DELQDISC (RTM_BASE+21)
-#define RTM_GETQDISC (RTM_BASE+22)
-
-#define RTM_NEWTCLASS (RTM_BASE+24)
-#define RTM_DELTCLASS (RTM_BASE+25)
-#define RTM_GETTCLASS (RTM_BASE+26)
-
-#define RTM_NEWTFILTER (RTM_BASE+28)
-#define RTM_DELTFILTER (RTM_BASE+29)
-#define RTM_GETTFILTER (RTM_BASE+30)
-
-#define RTM_MAX (RTM_BASE+31)
-
-/*
- Generic structure for encapsulation optional route information.
- It is reminiscent of sockaddr, but with sa_family replaced
- with attribute type.
- */
-
-struct rtattr
-{
- unsigned short rta_len;
- unsigned short rta_type;
-};
-
-/* Macros to handle rtattributes */
-
-#define RTA_ALIGNTO 4
-#define RTA_ALIGN(len) ( ((len)+RTA_ALIGNTO-1) & ~(RTA_ALIGNTO-1) )
-#define RTA_OK(rta,len) ((len) > 0 && (rta)->rta_len >= sizeof(struct rtattr) && \
- (rta)->rta_len <= (len))
-#define RTA_NEXT(rta,attrlen) ((attrlen) -= RTA_ALIGN((rta)->rta_len), \
- (struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
-#define RTA_LENGTH(len) (RTA_ALIGN(sizeof(struct rtattr)) + (len))
-#define RTA_SPACE(len) RTA_ALIGN(RTA_LENGTH(len))
-#define RTA_DATA(rta) ((void*)(((char*)(rta)) + RTA_LENGTH(0)))
-#define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0))
-
-
-
-
-/******************************************************************************
- * Definitions used in routing table administation.
- ****/
-
-struct rtmsg
-{
- unsigned char rtm_family;
- unsigned char rtm_dst_len;
- unsigned char rtm_src_len;
- unsigned char rtm_tos;
-
- unsigned char rtm_table; /* Routing table id */
- unsigned char rtm_protocol; /* Routing protocol; see below */
- unsigned char rtm_scope; /* See below */
- unsigned char rtm_type; /* See below */
-
- unsigned rtm_flags;
-};
-
-/* rtm_type */
-
-enum
-{
- RTN_UNSPEC,
- RTN_UNICAST, /* Gateway or direct route */
- RTN_LOCAL, /* Accept locally */
- RTN_BROADCAST, /* Accept locally as broadcast,
- send as broadcast */
- RTN_ANYCAST, /* Accept locally as broadcast,
- but send as unicast */
- RTN_MULTICAST, /* Multicast route */
- RTN_BLACKHOLE, /* Drop */
- RTN_UNREACHABLE, /* Destination is unreachable */
- RTN_PROHIBIT, /* Administratively prohibited */
- RTN_THROW, /* Not in this table */
- RTN_NAT, /* Translate this address */
- RTN_XRESOLVE, /* Use external resolver */
-};
-
-#define RTN_MAX RTN_XRESOLVE
-
-
-/* rtm_protocol */
-
-#define RTPROT_UNSPEC 0
-#define RTPROT_REDIRECT 1 /* Route installed by ICMP redirects;
- not used by current IPv4 */
-#define RTPROT_KERNEL 2 /* Route installed by kernel */
-#define RTPROT_BOOT 3 /* Route installed during boot */
-#define RTPROT_STATIC 4 /* Route installed by administrator */
-
-/* Values of protocol >= RTPROT_STATIC are not interpreted by kernel;
- they just passed from user and back as is.
- It will be used by hypothetical multiple routing daemons.
- Note that protocol values should be standardized in order to
- avoid conflicts.
- */
-
-#define RTPROT_GATED 8 /* Apparently, GateD */
-#define RTPROT_RA 9 /* RDISC/ND router advertisments */
-#define RTPROT_MRT 10 /* Merit MRT */
-#define RTPROT_ZEBRA 11 /* Zebra */
-#define RTPROT_BIRD 12 /* BIRD */
-#define RTPROT_DNROUTED 13 /* DECnet routing daemon */
-
-/* rtm_scope
-
- Really it is not scope, but sort of distance to the destination.
- NOWHERE are reserved for not existing destinations, HOST is our
- local addresses, LINK are destinations, located on directly attached
- link and UNIVERSE is everywhere in the Universe.
-
- Intermediate values are also possible f.e. interior routes
- could be assigned a value between UNIVERSE and LINK.
-*/
-
-enum rt_scope_t
-{
- RT_SCOPE_UNIVERSE=0,
-/* User defined values */
- RT_SCOPE_SITE=200,
- RT_SCOPE_LINK=253,
- RT_SCOPE_HOST=254,
- RT_SCOPE_NOWHERE=255
-};
-
-/* rtm_flags */
-
-#define RTM_F_NOTIFY 0x100 /* Notify user of route change */
-#define RTM_F_CLONED 0x200 /* This route is cloned */
-#define RTM_F_EQUALIZE 0x400 /* Multipath equalizer: NI */
-
-/* Reserved table identifiers */
-
-enum rt_class_t
-{
- RT_TABLE_UNSPEC=0,
-/* User defined values */
- RT_TABLE_DEFAULT=253,
- RT_TABLE_MAIN=254,
- RT_TABLE_LOCAL=255
-};
-#define RT_TABLE_MAX RT_TABLE_LOCAL
-
-
-
-/* Routing message attributes */
-
-enum rtattr_type_t
-{
- RTA_UNSPEC,
- RTA_DST,
- RTA_SRC,
- RTA_IIF,
- RTA_OIF,
- RTA_GATEWAY,
- RTA_PRIORITY,
- RTA_PREFSRC,
- RTA_METRICS,
- RTA_MULTIPATH,
- RTA_PROTOINFO,
- RTA_FLOW,
- RTA_CACHEINFO,
- RTA_SESSION,
-};
-
-#define RTA_MAX RTA_SESSION
-
-#define RTM_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct rtmsg))))
-#define RTM_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct rtmsg))
-
-/* RTM_MULTIPATH --- array of struct rtnexthop.
- *
- * "struct rtnexthop" describres all necessary nexthop information,
- * i.e. parameters of path to a destination via this nextop.
- *
- * At the moment it is impossible to set different prefsrc, mtu, window
- * and rtt for different paths from multipath.
- */
-
-struct rtnexthop
-{
- unsigned short rtnh_len;
- unsigned char rtnh_flags;
- unsigned char rtnh_hops;
- int rtnh_ifindex;
-};
-
-/* rtnh_flags */
-
-#define RTNH_F_DEAD 1 /* Nexthop is dead (used by multipath) */
-#define RTNH_F_PERVASIVE 2 /* Do recursive gateway lookup */
-#define RTNH_F_ONLINK 4 /* Gateway is forced on link */
-
-/* Macros to handle hexthops */
-
-#define RTNH_ALIGNTO 4
-#define RTNH_ALIGN(len) ( ((len)+RTNH_ALIGNTO-1) & ~(RTNH_ALIGNTO-1) )
-#define RTNH_OK(rtnh,len) ((rtnh)->rtnh_len >= sizeof(struct rtnexthop) && \
- ((int)(rtnh)->rtnh_len) <= (len))
-#define RTNH_NEXT(rtnh) ((struct rtnexthop*)(((char*)(rtnh)) + RTNH_ALIGN((rtnh)->rtnh_len)))
-#define RTNH_LENGTH(len) (RTNH_ALIGN(sizeof(struct rtnexthop)) + (len))
-#define RTNH_SPACE(len) RTNH_ALIGN(RTNH_LENGTH(len))
-#define RTNH_DATA(rtnh) ((struct rtattr*)(((char*)(rtnh)) + RTNH_LENGTH(0)))
-
-/* RTM_CACHEINFO */
-
-struct rta_cacheinfo
-{
- uint32_t rta_clntref;
- uint32_t rta_lastuse;
- int32_t rta_expires;
- uint32_t rta_error;
- uint32_t rta_used;
-
-#define RTNETLINK_HAVE_PEERINFO 1
- uint32_t rta_id;
- uint32_t rta_ts;
- uint32_t rta_tsage;
-};
-
-/* RTM_METRICS --- array of struct rtattr with types of RTAX_* */
-
-enum
-{
- RTAX_UNSPEC,
-#define RTAX_UNSPEC RTAX_UNSPEC
- RTAX_LOCK,
-#define RTAX_LOCK RTAX_LOCK
- RTAX_MTU,
-#define RTAX_MTU RTAX_MTU
- RTAX_WINDOW,
-#define RTAX_WINDOW RTAX_WINDOW
- RTAX_RTT,
-#define RTAX_RTT RTAX_RTT
- RTAX_RTTVAR,
-#define RTAX_RTTVAR RTAX_RTTVAR
- RTAX_SSTHRESH,
-#define RTAX_SSTHRESH RTAX_SSTHRESH
- RTAX_CWND,
-#define RTAX_CWND RTAX_CWND
- RTAX_ADVMSS,
-#define RTAX_ADVMSS RTAX_ADVMSS
- RTAX_REORDERING,
-#define RTAX_REORDERING RTAX_REORDERING
-};
-
-#define RTAX_MAX RTAX_REORDERING
-
-struct rta_session
-{
- uint8_t proto;
-
- union {
- struct {
- uint16_t sport;
- uint16_t dport;
- } ports;
-
- struct {
- uint8_t type;
- uint8_t code;
- uint16_t ident;
- } icmpt;
-
- uint32_t spi;
- } u;
-};
-
-
-/*********************************************************
- * Interface address.
- ****/
-
-struct ifaddrmsg
-{
- unsigned char ifa_family;
- unsigned char ifa_prefixlen; /* The prefix length */
- unsigned char ifa_flags; /* Flags */
- unsigned char ifa_scope; /* See above */
- int ifa_index; /* Link index */
-};
-
-enum
-{
- IFA_UNSPEC,
- IFA_ADDRESS,
- IFA_LOCAL,
- IFA_LABEL,
- IFA_BROADCAST,
- IFA_ANYCAST,
- IFA_CACHEINFO
-};
-
-#define IFA_MAX IFA_CACHEINFO
-
-/* ifa_flags */
-
-#define IFA_F_SECONDARY 0x01
-#define IFA_F_TEMPORARY IFA_F_SECONDARY
-
-#define IFA_F_DEPRECATED 0x20
-#define IFA_F_TENTATIVE 0x40
-#define IFA_F_PERMANENT 0x80
-
-struct ifa_cacheinfo
-{
- int32_t ifa_prefered;
- int32_t ifa_valid;
-};
-
-
-#define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg))))
-#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg))
-
-/*
- Important comment:
- IFA_ADDRESS is prefix address, rather than local interface address.
- It makes no difference for normally configured broadcast interfaces,
- but for point-to-point IFA_ADDRESS is DESTINATION address,
- local address is supplied in IFA_LOCAL attribute.
- */
-
-/**************************************************************
- * Neighbour discovery.
- ****/
-
-struct ndmsg
-{
- unsigned char ndm_family;
- unsigned char ndm_pad1;
- unsigned short ndm_pad2;
- int ndm_ifindex; /* Link index */
- uint16_t ndm_state;
- uint8_t ndm_flags;
- uint8_t ndm_type;
-};
-
-enum
-{
- NDA_UNSPEC,
- NDA_DST,
- NDA_LLADDR,
- NDA_CACHEINFO
-};
-
-#define NDA_MAX NDA_CACHEINFO
-
-#define NDA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg))))
-#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg))
-
-/*
- * Neighbor Cache Entry Flags
- */
-
-#define NTF_PROXY 0x08 /* == ATF_PUBL */
-#define NTF_ROUTER 0x80
-
-/*
- * Neighbor Cache Entry States.
- */
-
-#define NUD_INCOMPLETE 0x01
-#define NUD_REACHABLE 0x02
-#define NUD_STALE 0x04
-#define NUD_DELAY 0x08
-#define NUD_PROBE 0x10
-#define NUD_FAILED 0x20
-
-/* Dummy states */
-#define NUD_NOARP 0x40
-#define NUD_PERMANENT 0x80
-#define NUD_NONE 0x00
-
-
-struct nda_cacheinfo
-{
- uint32_t ndm_confirmed;
- uint32_t ndm_used;
- uint32_t ndm_updated;
- uint32_t ndm_refcnt;
-};
-
-/****
- * General form of address family dependent message.
- ****/
-
-struct rtgenmsg
-{
- unsigned char rtgen_family;
-};
-
-/*****************************************************************
- * Link layer specific messages.
- ****/
-
-/* struct ifinfomsg
- * passes link level specific information, not dependent
- * on network protocol.
- */
-
-struct ifinfomsg
-{
- unsigned char ifi_family;
- unsigned char __ifi_pad;
- unsigned short ifi_type; /* ARPHRD_* */
- int ifi_index; /* Link index */
- unsigned ifi_flags; /* IFF_* flags */
- unsigned ifi_change; /* IFF_* change mask */
-};
-
-enum
-{
- IFLA_UNSPEC,
- IFLA_ADDRESS,
- IFLA_BROADCAST,
- IFLA_IFNAME,
- IFLA_MTU,
- IFLA_LINK,
- IFLA_QDISC,
- IFLA_STATS,
- IFLA_COST,
-#define IFLA_COST IFLA_COST
- IFLA_PRIORITY,
-#define IFLA_PRIORITY IFLA_PRIORITY
- IFLA_MASTER,
-#define IFLA_MASTER IFLA_MASTER
- IFLA_WIRELESS, /* Wireless Extension event - see wireless.h */
-#define IFLA_WIRELESS IFLA_WIRELESS
-};
-
-
-#define IFLA_MAX IFLA_WIRELESS
-
-#define IFLA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg))))
-#define IFLA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg))
-
-/* ifi_flags.
-
- IFF_* flags.
-
- The only change is:
- IFF_LOOPBACK, IFF_BROADCAST and IFF_POINTOPOINT are
- more not changeable by user. They describe link media
- characteristics and set by device driver.
-
- Comments:
- - Combination IFF_BROADCAST|IFF_POINTOPOINT is invalid
- - If neiher of these three flags are set;
- the interface is NBMA.
-
- - IFF_MULTICAST does not mean anything special:
- multicasts can be used on all not-NBMA links.
- IFF_MULTICAST means that this media uses special encapsulation
- for multicast frames. Apparently, all IFF_POINTOPOINT and
- IFF_BROADCAST devices are able to use multicasts too.
- */
-
-/* IFLA_LINK.
- For usual devices it is equal ifi_index.
- If it is a "virtual interface" (f.e. tunnel), ifi_link
- can point to real physical interface (f.e. for bandwidth calculations),
- or maybe 0, what means, that real media is unknown (usual
- for IPIP tunnels, when route to endpoint is allowed to change)
- */
-
-/*****************************************************************
- * Traffic control messages.
- ****/
-
-struct tcmsg
-{
- unsigned char tcm_family;
- unsigned char tcm__pad1;
- unsigned short tcm__pad2;
- int tcm_ifindex;
- uint32_t tcm_handle;
- uint32_t tcm_parent;
- uint32_t tcm_info;
-};
-
-enum
-{
- TCA_UNSPEC,
- TCA_KIND,
- TCA_OPTIONS,
- TCA_STATS,
- TCA_XSTATS,
- TCA_RATE,
-};
-
-#define TCA_MAX TCA_RATE
-
-#define TCA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcmsg))))
-#define TCA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcmsg))
-
-
-/* SUMMARY: maximal rtattr understood by kernel */
-
-#define RTATTR_MAX RTA_MAX
-
-/* RTnetlink multicast groups */
-
-#define RTMGRP_LINK 1
-#define RTMGRP_NOTIFY 2
-#define RTMGRP_NEIGH 4
-#define RTMGRP_TC 8
-
-#define RTMGRP_IPV4_IFADDR 0x10
-#define RTMGRP_IPV4_MROUTE 0x20
-#define RTMGRP_IPV4_ROUTE 0x40
-
-#define RTMGRP_IPV6_IFADDR 0x100
-#define RTMGRP_IPV6_MROUTE 0x200
-#define RTMGRP_IPV6_ROUTE 0x400
-
-#define RTMGRP_DECnet_IFADDR 0x1000
-#define RTMGRP_DECnet_ROUTE 0x4000
-
-/* End of information exported to user level */
-
-#endif /* __LINUX_RTNETLINK_H */
diff --git a/src/pluto/linux26/xfrm.h b/src/pluto/linux26/xfrm.h
deleted file mode 100644
index 4269ae29b..000000000
--- a/src/pluto/linux26/xfrm.h
+++ /dev/null
@@ -1,233 +0,0 @@
-#ifndef _LINUX_XFRM_H
-#define _LINUX_XFRM_H
-
-#include <stdint.h>
-
-/* All of the structures in this file may not change size as they are
- * passed into the kernel from userspace via netlink sockets.
- */
-
-/* Structure to encapsulate addresses. I do not want to use
- * "standard" structure. My apologies.
- */
-typedef union
-{
- uint32_t a4;
- uint32_t a6[4];
-} xfrm_address_t;
-
-/* Ident of a specific xfrm_state. It is used on input to lookup
- * the state by (spi,daddr,ah/esp) or to store information about
- * spi, protocol and tunnel address on output.
- */
-struct xfrm_id
-{
- xfrm_address_t daddr;
- uint32_t spi;
- uint8_t proto;
-};
-
-/* Selector, used as selector both on policy rules (SPD) and SAs. */
-
-struct xfrm_selector
-{
- xfrm_address_t daddr;
- xfrm_address_t saddr;
- uint16_t dport;
- uint16_t dport_mask;
- uint16_t sport;
- uint16_t sport_mask;
- uint16_t family;
- uint8_t prefixlen_d;
- uint8_t prefixlen_s;
- uint8_t proto;
- int ifindex;
- uid_t user;
-};
-
-#define XFRM_INF (~(uint64_t)0)
-
-struct xfrm_lifetime_cfg
-{
- uint64_t soft_byte_limit;
- uint64_t hard_byte_limit;
- uint64_t soft_packet_limit;
- uint64_t hard_packet_limit;
- uint64_t soft_add_expires_seconds;
- uint64_t hard_add_expires_seconds;
- uint64_t soft_use_expires_seconds;
- uint64_t hard_use_expires_seconds;
-};
-
-struct xfrm_lifetime_cur
-{
- uint64_t bytes;
- uint64_t packets;
- uint64_t add_time;
- uint64_t use_time;
-};
-
-struct xfrm_replay_state
-{
- uint32_t oseq;
- uint32_t seq;
- uint32_t bitmap;
-};
-
-struct xfrm_algo {
- char alg_name[64];
- int alg_key_len; /* in bits */
- char alg_key[0];
-};
-
-struct xfrm_stats {
- uint32_t replay_window;
- uint32_t replay;
- uint32_t integrity_failed;
-};
-
-enum
-{
- XFRM_POLICY_IN = 0,
- XFRM_POLICY_OUT = 1,
- XFRM_POLICY_FWD = 2,
- XFRM_POLICY_MAX = 3
-};
-
-enum
-{
- XFRM_SHARE_ANY, /* No limitations */
- XFRM_SHARE_SESSION, /* For this session only */
- XFRM_SHARE_USER, /* For this user only */
- XFRM_SHARE_UNIQUE /* Use once */
-};
-
-/* Netlink configuration messages. */
-#define XFRM_MSG_BASE 0x10
-
-#define XFRM_MSG_NEWSA (XFRM_MSG_BASE + 0)
-#define XFRM_MSG_DELSA (XFRM_MSG_BASE + 1)
-#define XFRM_MSG_GETSA (XFRM_MSG_BASE + 2)
-
-#define XFRM_MSG_NEWPOLICY (XFRM_MSG_BASE + 3)
-#define XFRM_MSG_DELPOLICY (XFRM_MSG_BASE + 4)
-#define XFRM_MSG_GETPOLICY (XFRM_MSG_BASE + 5)
-
-#define XFRM_MSG_ALLOCSPI (XFRM_MSG_BASE + 6)
-#define XFRM_MSG_ACQUIRE (XFRM_MSG_BASE + 7)
-#define XFRM_MSG_EXPIRE (XFRM_MSG_BASE + 8)
-
-#define XFRM_MSG_UPDPOLICY (XFRM_MSG_BASE + 9)
-#define XFRM_MSG_UPDSA (XFRM_MSG_BASE + 10)
-
-#define XFRM_MSG_POLEXPIRE (XFRM_MSG_BASE + 11)
-
-#define XFRM_MSG_MAX (XFRM_MSG_POLEXPIRE+1)
-
-struct xfrm_user_tmpl {
- struct xfrm_id id;
- uint16_t family;
- xfrm_address_t saddr;
- uint32_t reqid;
- uint8_t mode;
- uint8_t share;
- uint8_t optional;
- uint32_t aalgos;
- uint32_t ealgos;
- uint32_t calgos;
-};
-
-struct xfrm_encap_tmpl {
- uint16_t encap_type;
- uint16_t encap_sport;
- uint16_t encap_dport;
- xfrm_address_t encap_oa;
-};
-
-/* Netlink message attributes. */
-enum xfrm_attr_type_t {
- XFRMA_UNSPEC,
- XFRMA_ALG_AUTH, /* struct xfrm_algo */
- XFRMA_ALG_CRYPT, /* struct xfrm_algo */
- XFRMA_ALG_COMP, /* struct xfrm_algo */
- XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */
- XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
-
-#define XFRMA_MAX XFRMA_TMPL
-};
-
-struct xfrm_usersa_info {
- struct xfrm_selector sel;
- struct xfrm_id id;
- xfrm_address_t saddr;
- struct xfrm_lifetime_cfg lft;
- struct xfrm_lifetime_cur curlft;
- struct xfrm_stats stats;
- uint32_t seq;
- uint32_t reqid;
- uint16_t family;
- uint8_t mode; /* 0=transport,1=tunnel */
- uint8_t replay_window;
- uint8_t flags;
-#define XFRM_STATE_NOECN 1
-};
-
-struct xfrm_usersa_id {
- xfrm_address_t daddr;
- uint32_t spi;
- uint16_t family;
- uint8_t proto;
-};
-
-struct xfrm_userspi_info {
- struct xfrm_usersa_info info;
- uint32_t min;
- uint32_t max;
-};
-
-struct xfrm_userpolicy_info {
- struct xfrm_selector sel;
- struct xfrm_lifetime_cfg lft;
- struct xfrm_lifetime_cur curlft;
- uint32_t priority;
- uint32_t index;
- uint8_t dir;
- uint8_t action;
-#define XFRM_POLICY_ALLOW 0
-#define XFRM_POLICY_BLOCK 1
- uint8_t flags;
-#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
- uint8_t share;
-};
-
-struct xfrm_userpolicy_id {
- struct xfrm_selector sel;
- uint32_t index;
- uint8_t dir;
-};
-
-struct xfrm_user_acquire {
- struct xfrm_id id;
- xfrm_address_t saddr;
- struct xfrm_selector sel;
- struct xfrm_userpolicy_info policy;
- uint32_t aalgos;
- uint32_t ealgos;
- uint32_t calgos;
- uint32_t seq;
-};
-
-struct xfrm_user_expire {
- struct xfrm_usersa_info state;
- uint8_t hard;
-};
-
-struct xfrm_user_polexpire {
- struct xfrm_userpolicy_info pol;
- uint8_t hard;
-};
-
-#define XFRMGRP_ACQUIRE 1
-#define XFRMGRP_EXPIRE 2
-
-#endif /* _LINUX_XFRM_H */
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index ab44a113e..cda6007c7 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -978,7 +978,8 @@ xauth_inR1(struct msg_digest *md)
, ia.xauth_secret.user_password.ptr)
)
/* verify the user credentials using a plugn function */
- st->st_xauth.status = xauth_module.verify_secret(&ia.xauth_secret);
+ st->st_xauth.status = xauth_module.verify_secret(st->st_connection->name
+ , &ia.xauth_secret);
plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
}
diff --git a/src/pluto/oid.c b/src/pluto/oid.c
index 4b0632de2..48df1b7c4 100644
--- a/src/pluto/oid.c
+++ b/src/pluto/oid.c
@@ -28,7 +28,7 @@ const oid_t oid_names[] = {
{ 0x01, 0, 1, "pilotAttributeType" }, /* 15 */
{ 0x01, 17, 0, "UID" }, /* 16 */
{ 0x19, 0, 0, "DC" }, /* 17 */
- {0x55, 51, 1, "X.500" }, /* 18 */
+ {0x55, 52, 1, "X.500" }, /* 18 */
{ 0x04, 36, 1, "X.509" }, /* 19 */
{ 0x03, 21, 0, "CN" }, /* 20 */
{ 0x04, 22, 0, "S" }, /* 21 */
@@ -54,144 +54,145 @@ const oid_t oid_names[] = {
{ 0x11, 42, 0, "subjectAltName" }, /* 41 */
{ 0x12, 43, 0, "issuerAltName" }, /* 42 */
{ 0x13, 44, 0, "basicConstraints" }, /* 43 */
- { 0x15, 45, 0, "reasonCode" }, /* 44 */
- { 0x1F, 46, 0, "crlDistributionPoints" }, /* 45 */
- { 0x20, 47, 0, "certificatePolicies" }, /* 46 */
- { 0x23, 48, 0, "authorityKeyIdentifier" }, /* 47 */
- { 0x25, 49, 0, "extendedKeyUsage" }, /* 48 */
- { 0x37, 50, 0, "targetInformation" }, /* 49 */
- { 0x38, 0, 0, "noRevAvail" }, /* 50 */
- {0x2A, 88, 1, "" }, /* 51 */
- { 0x86, 0, 1, "" }, /* 52 */
- { 0x48, 0, 1, "" }, /* 53 */
- { 0x86, 0, 1, "" }, /* 54 */
- { 0xF7, 0, 1, "" }, /* 55 */
- { 0x0D, 0, 1, "RSADSI" }, /* 56 */
- { 0x01, 83, 1, "PKCS" }, /* 57 */
- { 0x01, 66, 1, "PKCS-1" }, /* 58 */
- { 0x01, 60, 0, "rsaEncryption" }, /* 59 */
- { 0x02, 61, 0, "md2WithRSAEncryption" }, /* 60 */
- { 0x04, 62, 0, "md5WithRSAEncryption" }, /* 61 */
- { 0x05, 63, 0, "sha-1WithRSAEncryption" }, /* 62 */
- { 0x0B, 64, 0, "sha256WithRSAEncryption"}, /* 63 */
- { 0x0C, 65, 0, "sha384WithRSAEncryption"}, /* 64 */
- { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 65 */
- { 0x07, 73, 1, "PKCS-7" }, /* 66 */
- { 0x01, 68, 0, "data" }, /* 67 */
- { 0x02, 69, 0, "signedData" }, /* 68 */
- { 0x03, 70, 0, "envelopedData" }, /* 69 */
- { 0x04, 71, 0, "signedAndEnvelopedData" }, /* 70 */
- { 0x05, 72, 0, "digestedData" }, /* 71 */
- { 0x06, 0, 0, "encryptedData" }, /* 72 */
- { 0x09, 0, 1, "PKCS-9" }, /* 73 */
- { 0x01, 75, 0, "E" }, /* 74 */
- { 0x02, 76, 0, "unstructuredName" }, /* 75 */
- { 0x03, 77, 0, "contentType" }, /* 76 */
- { 0x04, 78, 0, "messageDigest" }, /* 77 */
- { 0x05, 79, 0, "signingTime" }, /* 78 */
- { 0x06, 80, 0, "counterSignature" }, /* 79 */
- { 0x07, 81, 0, "challengePassword" }, /* 80 */
- { 0x08, 82, 0, "unstructuredAddress" }, /* 81 */
- { 0x0E, 0, 0, "extensionRequest" }, /* 82 */
- { 0x02, 86, 1, "digestAlgorithm" }, /* 83 */
- { 0x02, 85, 0, "md2" }, /* 84 */
- { 0x05, 0, 0, "md5" }, /* 85 */
- { 0x03, 0, 1, "encryptionAlgorithm" }, /* 86 */
- { 0x07, 0, 0, "3des-ede-cbc" }, /* 87 */
- {0x2B, 149, 1, "" }, /* 88 */
- { 0x06, 136, 1, "dod" }, /* 89 */
- { 0x01, 0, 1, "internet" }, /* 90 */
- { 0x04, 105, 1, "private" }, /* 91 */
- { 0x01, 0, 1, "enterprise" }, /* 92 */
- { 0x82, 98, 1, "" }, /* 93 */
- { 0x37, 0, 1, "Microsoft" }, /* 94 */
- { 0x0A, 0, 1, "" }, /* 95 */
- { 0x03, 0, 1, "" }, /* 96 */
- { 0x03, 0, 0, "msSGC" }, /* 97 */
- { 0x89, 0, 1, "" }, /* 98 */
- { 0x31, 0, 1, "" }, /* 99 */
- { 0x01, 0, 1, "" }, /* 100 */
- { 0x01, 0, 1, "" }, /* 101 */
- { 0x02, 0, 1, "" }, /* 102 */
- { 0x02, 104, 0, "" }, /* 103 */
- { 0x4B, 0, 0, "TCGID" }, /* 104 */
- { 0x05, 0, 1, "security" }, /* 105 */
- { 0x05, 0, 1, "mechanisms" }, /* 106 */
- { 0x07, 0, 1, "id-pkix" }, /* 107 */
- { 0x01, 110, 1, "id-pe" }, /* 108 */
- { 0x01, 0, 0, "authorityInfoAccess" }, /* 109 */
- { 0x03, 120, 1, "id-kp" }, /* 110 */
- { 0x01, 112, 0, "serverAuth" }, /* 111 */
- { 0x02, 113, 0, "clientAuth" }, /* 112 */
- { 0x03, 114, 0, "codeSigning" }, /* 113 */
- { 0x04, 115, 0, "emailProtection" }, /* 114 */
- { 0x05, 116, 0, "ipsecEndSystem" }, /* 115 */
- { 0x06, 117, 0, "ipsecTunnel" }, /* 116 */
- { 0x07, 118, 0, "ipsecUser" }, /* 117 */
- { 0x08, 119, 0, "timeStamping" }, /* 118 */
- { 0x09, 0, 0, "ocspSigning" }, /* 119 */
- { 0x08, 122, 1, "id-otherNames" }, /* 120 */
- { 0x05, 0, 0, "xmppAddr" }, /* 121 */
- { 0x0A, 127, 1, "id-aca" }, /* 122 */
- { 0x01, 124, 0, "authenticationInfo" }, /* 123 */
- { 0x02, 125, 0, "accessIdentity" }, /* 124 */
- { 0x03, 126, 0, "chargingIdentity" }, /* 125 */
- { 0x04, 0, 0, "group" }, /* 126 */
- { 0x30, 0, 1, "id-ad" }, /* 127 */
- { 0x01, 0, 1, "ocsp" }, /* 128 */
- { 0x01, 130, 0, "basic" }, /* 129 */
- { 0x02, 131, 0, "nonce" }, /* 130 */
- { 0x03, 132, 0, "crl" }, /* 131 */
- { 0x04, 133, 0, "response" }, /* 132 */
- { 0x05, 134, 0, "noCheck" }, /* 133 */
- { 0x06, 135, 0, "archiveCutoff" }, /* 134 */
- { 0x07, 0, 0, "serviceLocator" }, /* 135 */
- { 0x0E, 142, 1, "oiw" }, /* 136 */
- { 0x03, 0, 1, "secsig" }, /* 137 */
- { 0x02, 0, 1, "algorithms" }, /* 138 */
- { 0x07, 140, 0, "des-cbc" }, /* 139 */
- { 0x1A, 141, 0, "sha-1" }, /* 140 */
- { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 141 */
- { 0x24, 0, 1, "TeleTrusT" }, /* 142 */
- { 0x03, 0, 1, "algorithm" }, /* 143 */
- { 0x03, 0, 1, "signatureAlgorithm" }, /* 144 */
- { 0x01, 0, 1, "rsaSignature" }, /* 145 */
- { 0x02, 147, 0, "rsaSigWithripemd160" }, /* 146 */
- { 0x03, 148, 0, "rsaSigWithripemd128" }, /* 147 */
- { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 148 */
- {0x60, 0, 1, "" }, /* 149 */
- { 0x86, 0, 1, "" }, /* 150 */
- { 0x48, 0, 1, "" }, /* 151 */
- { 0x01, 0, 1, "organization" }, /* 152 */
- { 0x65, 160, 1, "gov" }, /* 153 */
- { 0x03, 0, 1, "csor" }, /* 154 */
- { 0x04, 0, 1, "nistalgorithm" }, /* 155 */
- { 0x02, 0, 1, "hashalgs" }, /* 156 */
- { 0x01, 158, 0, "id-SHA-256" }, /* 157 */
- { 0x02, 159, 0, "id-SHA-384" }, /* 158 */
- { 0x03, 0, 0, "id-SHA-512" }, /* 159 */
- { 0x86, 0, 1, "" }, /* 160 */
- { 0xf8, 0, 1, "" }, /* 161 */
- { 0x42, 174, 1, "netscape" }, /* 162 */
- { 0x01, 169, 1, "" }, /* 163 */
- { 0x01, 165, 0, "nsCertType" }, /* 164 */
- { 0x03, 166, 0, "nsRevocationUrl" }, /* 165 */
- { 0x04, 167, 0, "nsCaRevocationUrl" }, /* 166 */
- { 0x08, 168, 0, "nsCaPolicyUrl" }, /* 167 */
- { 0x0d, 0, 0, "nsComment" }, /* 168 */
- { 0x03, 172, 1, "directory" }, /* 169 */
- { 0x01, 0, 1, "" }, /* 170 */
- { 0x03, 0, 0, "employeeNumber" }, /* 171 */
- { 0x04, 0, 1, "policy" }, /* 172 */
- { 0x01, 0, 0, "nsSGC" }, /* 173 */
- { 0x45, 0, 1, "verisign" }, /* 174 */
- { 0x01, 0, 1, "pki" }, /* 175 */
- { 0x09, 0, 1, "attributes" }, /* 176 */
- { 0x02, 178, 0, "messageType" }, /* 177 */
- { 0x03, 179, 0, "pkiStatus" }, /* 178 */
- { 0x04, 180, 0, "failInfo" }, /* 179 */
- { 0x05, 181, 0, "senderNonce" }, /* 180 */
- { 0x06, 182, 0, "recipientNonce" }, /* 181 */
- { 0x07, 183, 0, "transID" }, /* 182 */
- { 0x08, 0, 0, "extensionReq" } /* 183 */
+ { 0x14, 45, 0, "crlNumber" }, /* 44 */
+ { 0x15, 46, 0, "reasonCode" }, /* 45 */
+ { 0x1F, 47, 0, "crlDistributionPoints" }, /* 46 */
+ { 0x20, 48, 0, "certificatePolicies" }, /* 47 */
+ { 0x23, 49, 0, "authorityKeyIdentifier" }, /* 48 */
+ { 0x25, 50, 0, "extendedKeyUsage" }, /* 49 */
+ { 0x37, 51, 0, "targetInformation" }, /* 50 */
+ { 0x38, 0, 0, "noRevAvail" }, /* 51 */
+ {0x2A, 89, 1, "" }, /* 52 */
+ { 0x86, 0, 1, "" }, /* 53 */
+ { 0x48, 0, 1, "" }, /* 54 */
+ { 0x86, 0, 1, "" }, /* 55 */
+ { 0xF7, 0, 1, "" }, /* 56 */
+ { 0x0D, 0, 1, "RSADSI" }, /* 57 */
+ { 0x01, 84, 1, "PKCS" }, /* 58 */
+ { 0x01, 67, 1, "PKCS-1" }, /* 59 */
+ { 0x01, 61, 0, "rsaEncryption" }, /* 60 */
+ { 0x02, 62, 0, "md2WithRSAEncryption" }, /* 61 */
+ { 0x04, 63, 0, "md5WithRSAEncryption" }, /* 62 */
+ { 0x05, 64, 0, "sha-1WithRSAEncryption" }, /* 63 */
+ { 0x0B, 65, 0, "sha256WithRSAEncryption"}, /* 64 */
+ { 0x0C, 66, 0, "sha384WithRSAEncryption"}, /* 65 */
+ { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 66 */
+ { 0x07, 74, 1, "PKCS-7" }, /* 67 */
+ { 0x01, 69, 0, "data" }, /* 68 */
+ { 0x02, 70, 0, "signedData" }, /* 69 */
+ { 0x03, 71, 0, "envelopedData" }, /* 70 */
+ { 0x04, 72, 0, "signedAndEnvelopedData" }, /* 71 */
+ { 0x05, 73, 0, "digestedData" }, /* 72 */
+ { 0x06, 0, 0, "encryptedData" }, /* 73 */
+ { 0x09, 0, 1, "PKCS-9" }, /* 74 */
+ { 0x01, 76, 0, "E" }, /* 75 */
+ { 0x02, 77, 0, "unstructuredName" }, /* 76 */
+ { 0x03, 78, 0, "contentType" }, /* 77 */
+ { 0x04, 79, 0, "messageDigest" }, /* 78 */
+ { 0x05, 80, 0, "signingTime" }, /* 79 */
+ { 0x06, 81, 0, "counterSignature" }, /* 80 */
+ { 0x07, 82, 0, "challengePassword" }, /* 81 */
+ { 0x08, 83, 0, "unstructuredAddress" }, /* 82 */
+ { 0x0E, 0, 0, "extensionRequest" }, /* 83 */
+ { 0x02, 87, 1, "digestAlgorithm" }, /* 84 */
+ { 0x02, 86, 0, "md2" }, /* 85 */
+ { 0x05, 0, 0, "md5" }, /* 86 */
+ { 0x03, 0, 1, "encryptionAlgorithm" }, /* 87 */
+ { 0x07, 0, 0, "3des-ede-cbc" }, /* 88 */
+ {0x2B, 150, 1, "" }, /* 89 */
+ { 0x06, 137, 1, "dod" }, /* 90 */
+ { 0x01, 0, 1, "internet" }, /* 91 */
+ { 0x04, 106, 1, "private" }, /* 92 */
+ { 0x01, 0, 1, "enterprise" }, /* 93 */
+ { 0x82, 99, 1, "" }, /* 94 */
+ { 0x37, 0, 1, "Microsoft" }, /* 95 */
+ { 0x0A, 0, 1, "" }, /* 96 */
+ { 0x03, 0, 1, "" }, /* 97 */
+ { 0x03, 0, 0, "msSGC" }, /* 98 */
+ { 0x89, 0, 1, "" }, /* 99 */
+ { 0x31, 0, 1, "" }, /* 100 */
+ { 0x01, 0, 1, "" }, /* 101 */
+ { 0x01, 0, 1, "" }, /* 102 */
+ { 0x02, 0, 1, "" }, /* 103 */
+ { 0x02, 105, 0, "" }, /* 104 */
+ { 0x4B, 0, 0, "TCGID" }, /* 105 */
+ { 0x05, 0, 1, "security" }, /* 106 */
+ { 0x05, 0, 1, "mechanisms" }, /* 107 */
+ { 0x07, 0, 1, "id-pkix" }, /* 108 */
+ { 0x01, 111, 1, "id-pe" }, /* 109 */
+ { 0x01, 0, 0, "authorityInfoAccess" }, /* 110 */
+ { 0x03, 121, 1, "id-kp" }, /* 111 */
+ { 0x01, 113, 0, "serverAuth" }, /* 112 */
+ { 0x02, 114, 0, "clientAuth" }, /* 113 */
+ { 0x03, 115, 0, "codeSigning" }, /* 114 */
+ { 0x04, 116, 0, "emailProtection" }, /* 115 */
+ { 0x05, 117, 0, "ipsecEndSystem" }, /* 116 */
+ { 0x06, 118, 0, "ipsecTunnel" }, /* 117 */
+ { 0x07, 119, 0, "ipsecUser" }, /* 118 */
+ { 0x08, 120, 0, "timeStamping" }, /* 119 */
+ { 0x09, 0, 0, "ocspSigning" }, /* 120 */
+ { 0x08, 123, 1, "id-otherNames" }, /* 121 */
+ { 0x05, 0, 0, "xmppAddr" }, /* 122 */
+ { 0x0A, 128, 1, "id-aca" }, /* 123 */
+ { 0x01, 125, 0, "authenticationInfo" }, /* 124 */
+ { 0x02, 126, 0, "accessIdentity" }, /* 125 */
+ { 0x03, 127, 0, "chargingIdentity" }, /* 126 */
+ { 0x04, 0, 0, "group" }, /* 127 */
+ { 0x30, 0, 1, "id-ad" }, /* 128 */
+ { 0x01, 0, 1, "ocsp" }, /* 129 */
+ { 0x01, 131, 0, "basic" }, /* 130 */
+ { 0x02, 132, 0, "nonce" }, /* 131 */
+ { 0x03, 133, 0, "crl" }, /* 132 */
+ { 0x04, 134, 0, "response" }, /* 133 */
+ { 0x05, 135, 0, "noCheck" }, /* 134 */
+ { 0x06, 136, 0, "archiveCutoff" }, /* 135 */
+ { 0x07, 0, 0, "serviceLocator" }, /* 136 */
+ { 0x0E, 143, 1, "oiw" }, /* 137 */
+ { 0x03, 0, 1, "secsig" }, /* 138 */
+ { 0x02, 0, 1, "algorithms" }, /* 139 */
+ { 0x07, 141, 0, "des-cbc" }, /* 140 */
+ { 0x1A, 142, 0, "sha-1" }, /* 141 */
+ { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 142 */
+ { 0x24, 0, 1, "TeleTrusT" }, /* 143 */
+ { 0x03, 0, 1, "algorithm" }, /* 144 */
+ { 0x03, 0, 1, "signatureAlgorithm" }, /* 145 */
+ { 0x01, 0, 1, "rsaSignature" }, /* 146 */
+ { 0x02, 148, 0, "rsaSigWithripemd160" }, /* 147 */
+ { 0x03, 149, 0, "rsaSigWithripemd128" }, /* 148 */
+ { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 149 */
+ {0x60, 0, 1, "" }, /* 150 */
+ { 0x86, 0, 1, "" }, /* 151 */
+ { 0x48, 0, 1, "" }, /* 152 */
+ { 0x01, 0, 1, "organization" }, /* 153 */
+ { 0x65, 161, 1, "gov" }, /* 154 */
+ { 0x03, 0, 1, "csor" }, /* 155 */
+ { 0x04, 0, 1, "nistalgorithm" }, /* 156 */
+ { 0x02, 0, 1, "hashalgs" }, /* 157 */
+ { 0x01, 159, 0, "id-SHA-256" }, /* 158 */
+ { 0x02, 160, 0, "id-SHA-384" }, /* 159 */
+ { 0x03, 0, 0, "id-SHA-512" }, /* 160 */
+ { 0x86, 0, 1, "" }, /* 161 */
+ { 0xf8, 0, 1, "" }, /* 162 */
+ { 0x42, 175, 1, "netscape" }, /* 163 */
+ { 0x01, 170, 1, "" }, /* 164 */
+ { 0x01, 166, 0, "nsCertType" }, /* 165 */
+ { 0x03, 167, 0, "nsRevocationUrl" }, /* 166 */
+ { 0x04, 168, 0, "nsCaRevocationUrl" }, /* 167 */
+ { 0x08, 169, 0, "nsCaPolicyUrl" }, /* 168 */
+ { 0x0d, 0, 0, "nsComment" }, /* 169 */
+ { 0x03, 173, 1, "directory" }, /* 170 */
+ { 0x01, 0, 1, "" }, /* 171 */
+ { 0x03, 0, 0, "employeeNumber" }, /* 172 */
+ { 0x04, 0, 1, "policy" }, /* 173 */
+ { 0x01, 0, 0, "nsSGC" }, /* 174 */
+ { 0x45, 0, 1, "verisign" }, /* 175 */
+ { 0x01, 0, 1, "pki" }, /* 176 */
+ { 0x09, 0, 1, "attributes" }, /* 177 */
+ { 0x02, 179, 0, "messageType" }, /* 178 */
+ { 0x03, 180, 0, "pkiStatus" }, /* 179 */
+ { 0x04, 181, 0, "failInfo" }, /* 180 */
+ { 0x05, 182, 0, "senderNonce" }, /* 181 */
+ { 0x06, 183, 0, "recipientNonce" }, /* 182 */
+ { 0x07, 184, 0, "transID" }, /* 183 */
+ { 0x08, 0, 0, "extensionReq" } /* 184 */
};
diff --git a/src/pluto/oid.h b/src/pluto/oid.h
index ccdfb2954..869a87eb0 100644
--- a/src/pluto/oid.h
+++ b/src/pluto/oid.h
@@ -19,60 +19,61 @@ extern const oid_t oid_names[];
#define OID_SUBJECT_KEY_ID 38
#define OID_SUBJECT_ALT_NAME 41
#define OID_BASIC_CONSTRAINTS 43
-#define OID_CRL_REASON_CODE 44
-#define OID_CRL_DISTRIBUTION_POINTS 45
-#define OID_AUTHORITY_KEY_ID 47
-#define OID_EXTENDED_KEY_USAGE 48
-#define OID_TARGET_INFORMATION 49
-#define OID_NO_REV_AVAIL 50
-#define OID_RSA_ENCRYPTION 59
-#define OID_MD2_WITH_RSA 60
-#define OID_MD5_WITH_RSA 61
-#define OID_SHA1_WITH_RSA 62
-#define OID_SHA256_WITH_RSA 63
-#define OID_SHA384_WITH_RSA 64
-#define OID_SHA512_WITH_RSA 65
-#define OID_PKCS7_DATA 67
-#define OID_PKCS7_SIGNED_DATA 68
-#define OID_PKCS7_ENVELOPED_DATA 69
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA 70
-#define OID_PKCS7_DIGESTED_DATA 71
-#define OID_PKCS7_ENCRYPTED_DATA 72
-#define OID_PKCS9_EMAIL 74
-#define OID_PKCS9_CONTENT_TYPE 76
-#define OID_PKCS9_MESSAGE_DIGEST 77
-#define OID_PKCS9_SIGNING_TIME 78
-#define OID_MD2 84
-#define OID_MD5 85
-#define OID_3DES_EDE_CBC 87
-#define OID_AUTHORITY_INFO_ACCESS 109
-#define OID_OCSP_SIGNING 119
-#define OID_XMPP_ADDR 121
-#define OID_AUTHENTICATION_INFO 123
-#define OID_ACCESS_IDENTITY 124
-#define OID_CHARGING_IDENTITY 125
-#define OID_GROUP 126
-#define OID_OCSP 128
-#define OID_BASIC 129
-#define OID_NONCE 130
-#define OID_CRL 131
-#define OID_RESPONSE 132
-#define OID_NO_CHECK 133
-#define OID_ARCHIVE_CUTOFF 134
-#define OID_SERVICE_LOCATOR 135
-#define OID_DES_CBC 139
-#define OID_SHA1 140
-#define OID_SHA1_WITH_RSA_OIW 141
-#define OID_SHA256 157
-#define OID_SHA384 158
-#define OID_SHA512 159
-#define OID_NS_REVOCATION_URL 165
-#define OID_NS_CA_REVOCATION_URL 166
-#define OID_NS_CA_POLICY_URL 167
-#define OID_NS_COMMENT 168
-#define OID_PKI_MESSAGE_TYPE 177
-#define OID_PKI_STATUS 178
-#define OID_PKI_FAIL_INFO 179
-#define OID_PKI_SENDER_NONCE 180
-#define OID_PKI_RECIPIENT_NONCE 181
-#define OID_PKI_TRANS_ID 182
+#define OID_CRL_NUMBER 44
+#define OID_CRL_REASON_CODE 45
+#define OID_CRL_DISTRIBUTION_POINTS 46
+#define OID_AUTHORITY_KEY_ID 48
+#define OID_EXTENDED_KEY_USAGE 49
+#define OID_TARGET_INFORMATION 50
+#define OID_NO_REV_AVAIL 51
+#define OID_RSA_ENCRYPTION 60
+#define OID_MD2_WITH_RSA 61
+#define OID_MD5_WITH_RSA 62
+#define OID_SHA1_WITH_RSA 63
+#define OID_SHA256_WITH_RSA 64
+#define OID_SHA384_WITH_RSA 65
+#define OID_SHA512_WITH_RSA 66
+#define OID_PKCS7_DATA 68
+#define OID_PKCS7_SIGNED_DATA 69
+#define OID_PKCS7_ENVELOPED_DATA 70
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 71
+#define OID_PKCS7_DIGESTED_DATA 72
+#define OID_PKCS7_ENCRYPTED_DATA 73
+#define OID_PKCS9_EMAIL 75
+#define OID_PKCS9_CONTENT_TYPE 77
+#define OID_PKCS9_MESSAGE_DIGEST 78
+#define OID_PKCS9_SIGNING_TIME 79
+#define OID_MD2 85
+#define OID_MD5 86
+#define OID_3DES_EDE_CBC 88
+#define OID_AUTHORITY_INFO_ACCESS 110
+#define OID_OCSP_SIGNING 120
+#define OID_XMPP_ADDR 122
+#define OID_AUTHENTICATION_INFO 124
+#define OID_ACCESS_IDENTITY 125
+#define OID_CHARGING_IDENTITY 126
+#define OID_GROUP 127
+#define OID_OCSP 129
+#define OID_BASIC 130
+#define OID_NONCE 131
+#define OID_CRL 132
+#define OID_RESPONSE 133
+#define OID_NO_CHECK 134
+#define OID_ARCHIVE_CUTOFF 135
+#define OID_SERVICE_LOCATOR 136
+#define OID_DES_CBC 140
+#define OID_SHA1 141
+#define OID_SHA1_WITH_RSA_OIW 142
+#define OID_SHA256 158
+#define OID_SHA384 159
+#define OID_SHA512 160
+#define OID_NS_REVOCATION_URL 166
+#define OID_NS_CA_REVOCATION_URL 167
+#define OID_NS_CA_POLICY_URL 168
+#define OID_NS_COMMENT 169
+#define OID_PKI_MESSAGE_TYPE 178
+#define OID_PKI_STATUS 179
+#define OID_PKI_FAIL_INFO 180
+#define OID_PKI_SENDER_NONCE 181
+#define OID_PKI_RECIPIENT_NONCE 182
+#define OID_PKI_TRANS_ID 183
diff --git a/src/pluto/oid.txt b/src/pluto/oid.txt
index e8750024e..2b3c96ae3 100644
--- a/src/pluto/oid.txt
+++ b/src/pluto/oid.txt
@@ -42,6 +42,7 @@
0x11 "subjectAltName" OID_SUBJECT_ALT_NAME
0x12 "issuerAltName"
0x13 "basicConstraints" OID_BASIC_CONSTRAINTS
+ 0x14 "crlNumber" OID_CRL_NUMBER
0x15 "reasonCode" OID_CRL_REASON_CODE
0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS
0x20 "certificatePolicies"
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index e235ff765..d9b2167c8 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -29,6 +29,8 @@
#include <resolv.h>
#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
#include <sys/queue.h>
+#include <linux/capability.h>
+#include <sys/prctl.h>
#include <freeswan.h>
@@ -64,6 +66,11 @@
#include "nat_traversal.h"
#include "virtual.h"
+/* on some distros, a capset() definition is missing */
+#ifdef NO_CAPSET_DEFINED
+extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
+#endif /* NO_CAPSET_DEFINED */
+
static void
usage(const char *mess)
{
@@ -221,6 +228,8 @@ main(int argc, char **argv)
bool force_keepalive = FALSE;
char *virtual_private = NULL;
int lockfd;
+ struct __user_cap_header_struct hdr;
+ struct __user_cap_data_struct data;
/* handle arguments */
for (;;)
@@ -596,6 +605,26 @@ main(int argc, char **argv)
init_id();
init_fetch();
+ /* drop unneeded capabilities and change UID/GID */
+ hdr.version = _LINUX_CAPABILITY_VERSION;
+ hdr.pid = 0;
+ data.effective = data.permitted = 1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE;
+ data.inheritable = 0;
+
+ prctl(PR_SET_KEEPCAPS, 1);
+
+# if IPSEC_GID
+ setgid(IPSEC_GID);
+# endif
+# if IPSEC_UID
+ setuid(IPSEC_UID);
+# endif
+ if (capset(&hdr, &data))
+ {
+ plog("unable to drop root privileges");
+ abort();
+ }
+
/* loading X.509 CA certificates */
load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
/* loading X.509 AA certificates */
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index e888d5e16..c2ea2b5a0 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -205,7 +205,9 @@ static struct vid_struct _vid_tab[] = {
/*
* strongSwan
*/
- DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.1")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.3")
+ DEC_MD5_VID(STRONGSWAN_4_1_2, "strongSwan 4.1.2")
+ DEC_MD5_VID(STRONGSWAN_4_1_1, "strongSwan 4.1.1")
DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
DEC_MD5_VID(STRONGSWAN_4_0_7, "strongSwan 4.0.7")
DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 8e0444f4d..5ba65ea37 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -99,6 +99,8 @@ enum known_vendorid {
VID_STRONGSWAN_4_0_6 = 76,
VID_STRONGSWAN_4_0_7 = 77,
VID_STRONGSWAN_4_1_0 = 78,
+ VID_STRONGSWAN_4_1_1 = 79,
+ VID_STRONGSWAN_4_1_2 = 80,
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =101,
diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c
index 3d30ad227..77ac8dee7 100644
--- a/src/pluto/xauth.c
+++ b/src/pluto/xauth.c
@@ -44,7 +44,7 @@ xauth_init(void)
DBG_log("xauth module: found get_secret() function");
}
)
- xauth_module.verify_secret = (bool (*) (const xauth_t*))
+ xauth_module.verify_secret = (bool (*) (const char*, const xauth_t*))
dlsym(xauth_module.handle, "verify_secret");
DBG(DBG_CONTROL,
if (xauth_module.verify_secret != NULL)
diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h
index 1f06aefd9..740618750 100644
--- a/src/pluto/xauth.h
+++ b/src/pluto/xauth.h
@@ -30,7 +30,7 @@ typedef struct {
typedef struct {
void *handle;
bool (*get_secret) (xauth_t *xauth_secret);
- bool (*verify_secret) (const xauth_t *xauth_secret);
+ bool (*verify_secret) (const char *conn_name, const xauth_t *xauth_secret);
} xauth_module_t;
extern xauth_module_t xauth_module;