authorRene Mayrhofer <rene@mayrhofer.eu.org>2008-07-09 21:02:41 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2008-07-09 21:02:41 +0000
commitdb67c87db3c9089ea8d2e14f617bf3d9e2af261f (patch)
tree665c0caea83d34c11c1517c4c57137bb58cba6fb /src/pluto
parent1c088a8b6237ec67f63c23f97a0f2dc4e99af869 (diff)
[svn-upgrade] Integrating new upstream version, strongswan (4.2.4)
Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/Makefile.am11
-rw-r--r--src/pluto/Makefile.in51
-rw-r--r--src/pluto/ac.c12
-rw-r--r--src/pluto/alg/ike_alg_aes.c2
-rw-r--r--src/pluto/alg_info.c12
-rw-r--r--src/pluto/connections.c6
-rw-r--r--src/pluto/connections.h4
-rw-r--r--src/pluto/constants.c22
-rw-r--r--src/pluto/constants.h5
-rw-r--r--src/pluto/crl.c4
-rw-r--r--src/pluto/demux.c4
-rw-r--r--src/pluto/fetch.c4
-rw-r--r--src/pluto/ike_alg.c5
-rw-r--r--src/pluto/ipsec_doi.c13
-rw-r--r--src/pluto/kernel.c22
-rw-r--r--src/pluto/kernel_netlink.c31
-rw-r--r--src/pluto/keys.c10
-rw-r--r--src/pluto/log.c32
-rw-r--r--src/pluto/modecfg.c13
-rw-r--r--src/pluto/plutomain.c40
-rw-r--r--src/pluto/smartcard.c10
-rw-r--r--src/pluto/spdb.c16
-rw-r--r--src/pluto/vendor.c9
-rw-r--r--src/pluto/vendor.h26
-rw-r--r--src/pluto/xauth.c4
-rw-r--r--src/pluto/xauth.h13
26 files changed, 228 insertions, 153 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 69902ad8f..156b81018 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -123,12 +123,19 @@ if USE_NAT_TRANSPORT
endif
# This compile option activates dynamic URL fetching using libcurl
-if USE_LIBCURL
+if USE_CURL
pluto_LDADD += -lcurl
+ AM_CFLAGS += -DLIBCURL
endif
# This compile option activates dynamic LDAP CRL fetching
-if USE_LIBLDAP
+if USE_LDAP
pluto_LDADD += -lldap -llber
+ AM_CFLAGS += -DLIBLDAP
+endif
+
+# This compile option activates smartcard support
+if USE_SMARTCARD
+ AM_CFLAGS += -DSMARTCARD
endif
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index a9ae01d65..42017641c 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.10 from Makefile.am.
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -51,10 +51,15 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
@USE_NAT_TRANSPORT_TRUE@am__append_4 = -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
# This compile option activates dynamic URL fetching using libcurl
-@USE_LIBCURL_TRUE@am__append_5 = -lcurl
+@USE_CURL_TRUE@am__append_5 = -lcurl
+@USE_CURL_TRUE@am__append_6 = -DLIBCURL
# This compile option activates dynamic LDAP CRL fetching
-@USE_LIBLDAP_TRUE@am__append_6 = -lldap -llber
+@USE_LDAP_TRUE@am__append_7 = -lldap -llber
+@USE_LDAP_TRUE@am__append_8 = -DLIBLDAP
+
+# This compile option activates smartcard support
+@USE_SMARTCARD_TRUE@am__append_9 = -DSMARTCARD
subdir = src/pluto
DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in TODO
@@ -138,6 +143,7 @@ CXXFLAGS = @CXXFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
ECHO = @ECHO@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
@@ -167,6 +173,7 @@ LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
OBJEXT = @OBJEXT@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
@@ -197,7 +204,6 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
-backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -208,12 +214,11 @@ builddir = @builddir@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
-dbus_CFLAGS = @dbus_CFLAGS@
-dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
-eapdir = @eapdir@
exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -223,12 +228,12 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
-interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecuid = @ipsecuid@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -241,10 +246,12 @@ plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+resolv_conf = @resolv_conf@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
simreader = @simreader@
srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_builddir = @top_builddir@
@@ -328,10 +335,11 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
-DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
-DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO \
-DKLIPS -DDEBUG -DTHREADS $(am__append_1) $(am__append_2) \
- $(am__append_3) $(am__append_4)
+ $(am__append_3) $(am__append_4) $(am__append_6) \
+ $(am__append_8) $(am__append_9)
pluto_LDADD = oid.o $(LIBFREESWANDIR)/libfreeswan.a \
$(LIBCRYPTODIR)/libcrypto.a -lgmp -lresolv -lpthread -ldl \
- $(am__append_5) $(am__append_6)
+ $(am__append_5) $(am__append_7)
_pluto_adns_LDADD = \
$(LIBFREESWANDIR)/libfreeswan.a \
-lresolv -ldl
@@ -379,8 +387,8 @@ install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
|| test -f $$p1 \
; then \
f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
else :; fi; \
done
@@ -681,8 +689,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
+ $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
@@ -694,8 +702,8 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
@@ -705,13 +713,12 @@ ctags: CTAGS
CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
tags=; \
- here=`pwd`; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
test -z "$(CTAGS_ARGS)$$tags$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$tags $$unique
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
index 43ebf91d9..77e0b40bb 100644
--- a/src/pluto/ac.c
+++ b/src/pluto/ac.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: ac.c 3253 2007-10-06 21:39:00Z andreas $
+ * RCSID $Id: ac.c 3686 2008-03-28 11:48:14Z martin $
*/
#include <stdlib.h>
@@ -599,16 +599,6 @@ parse_ac(chunk_t blob, x509acert_t *ac)
}
/*
- * compare two X.509 attribute certificates by comparing their signatures
- */
-static bool
-same_x509acert(x509acert_t *a, x509acert_t *b)
-{
- return a->signature.len == b->signature.len &&
- memcmp(a->signature.ptr, b->signature.ptr, b->signature.len) == 0;
-}
-
-/*
* release an ietfAttribute, free it if count reaches zero
*/
static void
diff --git a/src/pluto/alg/ike_alg_aes.c b/src/pluto/alg/ike_alg_aes.c
index 44de09b4c..c635af723 100644
--- a/src/pluto/alg/ike_alg_aes.c
+++ b/src/pluto/alg/ike_alg_aes.c
@@ -34,7 +34,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
memcpy(new_iv=iv_bak, (char*) buf + buf_len - AES_CBC_BLOCK_SIZE
, AES_CBC_BLOCK_SIZE);
- AES_cbc_encrypt(&aes_ctx, buf, buf, buf_len, iv, enc);
+ SS_AES_cbc_encrypt(&aes_ctx, buf, buf, buf_len, iv, enc);
if (enc)
new_iv = (char*) buf + buf_len-AES_CBC_BLOCK_SIZE;
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index 145e492d4..cd02d2358 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: alg_info.c 3253 2007-10-06 21:39:00Z andreas $
+ * RCSID $Id: alg_info.c 3846 2008-04-18 17:01:45Z andreas $
*/
#include <stddef.h>
@@ -96,8 +96,8 @@ alg_info_esp_sadb2aa(int sadb_aalg)
int auth = 0;
switch(sadb_aalg) {
- case SADB_AALG_MD5_HMAC:
- case SADB_AALG_SHA1_HMAC:
+ case SADB_AALG_MD5HMAC:
+ case SADB_AALG_SHA1HMAC:
auth = sadb_aalg - 1;
break;
/* since they are the same ... :) */
@@ -195,7 +195,11 @@ aalg_getbyname_esp(const char *const str, int len)
/* interpret 'SHA' as 'SHA1' */
if (strncasecmp("SHA", str, len) == 0)
- return enum_search(&auth_alg_names, "AUTH_ALGORITHM_HMAC_SHA1");
+ return AUTH_ALGORITHM_HMAC_SHA1;
+
+ /* interpret 'AESXCBC' as 'AES_XCBC_MAC' */
+ if (strncasecmp("AESXCBC", str, len) == 0)
+ return AUTH_ALGORITHM_AES_XCBC_MAC;
ret = enum_search_prefix(&auth_alg_names,"AUTH_ALGORITHM_HMAC_", str ,len);
if (ret >= 0)
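Review bot: The new `AESXCBC` alias on the `strncasecmp("AESXCBC", str, len)` line is a prefix test rather than an equality test: strncasecmp compares only the first `len` characters, so any shorter prefix of the alias (a three-character `aes`, for instance) also resolves to AUTH_ALGORITHM_AES_XCBC_MAC; the pre-existing `SHA` line above has the same shape. If `len` is the length of the token being parsed, guard on it as well, `if (len == 7 && strncasecmp("AESXCBC", str, len) == 0)`, or compare against the full alias length so that only the complete name matches. aalg_getbyname_esp continues outside the hunk.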
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 8fbf969b6..13a004794 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: connections.c 3361 2007-11-21 23:42:27Z andreas $
+ * RCSID $Id: connections.c 3686 2008-03-28 11:48:14Z martin $
*/
#include <string.h>
@@ -2354,7 +2354,7 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
* DNS query (if any). It also selects the kind of the next step.
* The second chunk initiates the next DNS query (if any).
*/
- enum find_oppo_step next_step;
+ enum find_oppo_step next_step = fos_myid_ip_txt;
err_t ugh = ac_ugh;
char mycredentialstr[BUF_LEN];
char cib[CONN_INST_BUF];
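Review bot: `enum find_oppo_step next_step = fos_myid_ip_txt;` silences an uninitialised-use warning by choosing a valid step, so a path that fails to assign next_step now proceeds silently with that step instead of being flagged by the compiler or a sanitizer. The refine_host_connection hunk below applies the same pattern where it matters more, `lset_t auth_policy = POLICY_PSK;`: an unassigned path there would be treated as pre-shared-key authentication rather than failing. Unless every assignment path is known to be exhaustive (both functions continue outside the hunks), prefer an obviously invalid starting value such as `LEMPTY` for the policy set and keep a passert-style check on the switch default, so a gap is caught at runtime instead of defaulting to PSK.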
@@ -3279,7 +3279,7 @@ refine_host_connection(const struct state *st, const struct id *peer_id
struct connection *d;
struct connection *best_found = NULL;
u_int16_t auth = st->st_oakley.auth;
- lset_t auth_policy;
+ lset_t auth_policy = POLICY_PSK;
const chunk_t *psk = NULL;
bool wcpip; /* wildcard Peer IP? */
int best_prio = PRIO_NO_MATCH_FOUND;
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index 3000f888a..b11565296 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: connections.h 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: connections.h 4024 2008-05-29 07:49:47Z andreas $
*/
#ifndef _CONNECTIONS_H
@@ -186,7 +186,7 @@ struct connection {
char *log_file_name; /* name of log file */
FILE *log_file; /* possibly open FILE */
- CIRCLEQ_ENTRY(connection) log_link; /* linked list of open conns */
+ TAILQ_ENTRY(connection) log_link; /* linked list of open conns */
bool log_file_err; /* only bitch once */
struct spd_route spd;
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index 93e430957..ca548afab 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: constants.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: constants.c 3839 2008-04-18 11:25:37Z andreas $
*/
/*
@@ -377,11 +377,13 @@ static const char *const ah_transform_name[] = {
"AH_SHA2_256",
"AH_SHA2_384",
"AH_SHA2_512",
- "AH_RIPEMD"
+ "AH_RIPEMD",
+ "AH_AES_XCBC_MAC",
+ "AH_RSA"
};
enum_names ah_transformid_names =
- { AH_MD5, AH_RIPEMD, ah_transform_name, NULL };
+ { AH_MD5, AH_RSA, ah_transform_name, NULL };
/* IPsec ESP transform values */
@@ -401,7 +403,13 @@ static const char *const esp_transform_name[] = {
"ESP_AES-CTR",
"ESP_AES-CCM_8",
"ESP_AES-CCM_12",
- "ESP_AES-CCM_16"
+ "ESP_AES-CCM_16",
+ "ESP_UNASSIGNED_17",
+ "ESP_AES_GCM_8",
+ "ESP_AES_GCM_12",
+ "ESP_AES_GCM_16",
+ "ESP_SEED_CBC",
+ "ESP_CAMELLIA"
};
/*
@@ -417,7 +425,7 @@ enum_names esp_transformid_names_high =
{ ESP_SERPENT, ESP_TWOFISH, esp_transform_name_high, NULL };
enum_names esp_transformid_names =
- { ESP_DES_IV64, ESP_AES_CCM_16, esp_transform_name, &esp_transformid_names_high };
+ { ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transformid_names_high };
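Review bot: `ESP_CAMELLIA` now serves as the upper bound of esp_transformid_names while the matching names were appended by hand to esp_transform_name in the previous hunk (including the `ESP_UNASSIGNED_17` filler that keeps the array dense), and nothing ties the two together; the ESP_* values themselves are not in the constants.h hunk of this commit, so please confirm that ESP_CAMELLIA - ESP_DES_IV64 + 1 equals the array length, since enum_name indexes the array from the bound. The same applies to ah_transformid_names with `AH_RSA` above and auth_alg_names with `AUTH_ALGORITHM_SIG_RSA` further down. A sizeof-based element count check in an init routine, e.g. `passert(AH_RSA - AH_MD5 + 1 == elemsof(ah_transform_name));` where the file's elemsof macro is in scope, would catch future drift without touching the tables.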
/* IPCOMP transform values */
@@ -684,6 +692,8 @@ static const char *const auth_alg_name[] = {
"AUTH_ALGORITHM_HMAC_SHA2_384",
"AUTH_ALGORITHM_HMAC_SHA2_512",
"AUTH_ALGORITHM_HMAC_RIPEMD",
+ "AUTH_ALGORITHM_AES_XCBC_MAC",
+ "AUTH_ALGORITHM_SIG_RSA"
};
static const char *const extended_auth_alg_name[] = {
@@ -694,7 +704,7 @@ enum_names extended_auth_alg_names =
{ AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL };
enum_names auth_alg_names =
- { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_HMAC_RIPEMD, auth_alg_name
+ { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
, &extended_auth_alg_names };
/* From draft-beaulieu-ike-xauth */
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index ddfe76293..e6357164f 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: constants.h 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: constants.h 4051 2008-06-10 09:08:27Z tobias $
*/
#ifndef _CONSTANTS_H
@@ -877,6 +877,7 @@ extern const char *prettypolicy(lset_t policy);
#define POLICY_BEET LELEM(22) /* bound end2end tunnel, IKEv2 */
#define POLICY_MOBIKE LELEM(23) /* enable MOBIKE for IKEv2 */
#define POLICY_FORCE_ENCAP LELEM(24) /* force UDP encapsulation (IKEv2) */
+#define POLICY_ECDSASIG LELEM(25) /* ecdsa signature (IKEv2) */
/* Any IPsec policy? If not, a connection description
* is only for ISAKMP SA, not IPSEC SA. (A pun, I admit.)
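Review bot: `#define POLICY_ECDSASIG LELEM(25)` introduces a new authentication-method policy bit, but nothing in this hunk updates the mask that groups such bits; `POLICY_ID_AUTH_MASK` (referenced in the ipsec_doi.c hunk of this commit) is the likely candidate and its definition is outside the visible lines. If that mask is assembled from the POLICY_PSK/POLICY_RSASIG-style bits, ECDSASIG should be added to it, otherwise a connection carrying only this bit may be treated as having no ID authentication policy at all. The trailing comment could also say whether pluto (IKEv1) is expected to act on this bit or merely to parse it for the IKEv2 daemon, e.g. `/* ecdsa signature (IKEv2 only; ignored by pluto) */` if that is the case.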
@@ -992,6 +993,8 @@ extern enum_names auth_alg_names, extended_auth_alg_names;
#define AUTH_ALGORITHM_HMAC_SHA2_384 6
#define AUTH_ALGORITHM_HMAC_SHA2_512 7
#define AUTH_ALGORITHM_HMAC_RIPEMD 8
+#define AUTH_ALGORITHM_AES_XCBC_MAC 9
+#define AUTH_ALGORITHM_SIG_RSA 10
#define AUTH_ALGORITHM_NULL 251
/* Oakley Lifetime Type attribute
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 8998207c2..6e1093661 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: crl.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: crl.c 3686 2008-03-28 11:48:14Z martin $
*/
#include <stdlib.h>
@@ -406,7 +406,7 @@ parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl)
asn1_ctx_t ctx;
bool critical;
chunk_t extnID;
- chunk_t userCertificate;
+ chunk_t userCertificate = empty_chunk;
chunk_t object;
u_int level;
int objectID = 0;
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 9bc889b4b..04728a4a8 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: demux.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: demux.c 3686 2008-03-28 11:48:14Z martin $
*/
/* Ordering Constraints on Payloads
@@ -2167,7 +2167,7 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
/* Schedule for whatever timeout is specified */
{
- time_t delay;
+ time_t delay = UNDEFINED_TIME;
enum event_type kind = smc->timeout_event;
bool agreed_time = FALSE;
struct connection *c = st->st_connection;
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index c0bf3fed6..cd8b58df2 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: fetch.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: fetch.c 3686 2008-03-28 11:48:14Z martin $
*/
#include <stdlib.h>
@@ -825,7 +825,9 @@ fetch_thread(void *arg)
void
init_fetch(void)
{
+#if defined(LIBCURL) || defined (THREADS)
int status;
+#endif
#ifdef LIBCURL
/* init curl */
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index 52f2c5c80..6759059fa 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: ike_alg.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: ike_alg.c 3686 2008-03-28 11:48:14Z martin $
*/
#include <stdio.h>
@@ -521,9 +521,6 @@ ike_alg_test(void)
for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
{
-
- struct encrypt_desc *desc = (struct encrypt_desc*)a;
-
plog(" %s self-test not available", enum_name(&oakley_enc_names, a->algo_id));
}
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 852b2e73e..88536e6d6 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: ipsec_doi.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: ipsec_doi.c 3686 2008-03-28 11:48:14Z martin $
*/
#include <stdio.h>
@@ -952,7 +952,6 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
/* SA out */
{
u_char *sa_start = rbody.cur;
- lset_t auth_policy = policy & POLICY_ID_AUTH_MASK;
if (!out_sa(&rbody, &oakley_sadb, st, TRUE
, vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE))
@@ -2800,7 +2799,7 @@ compute_proto_keymat(struct state *st
, u_int8_t protoid
, struct ipsec_proto_info *pi)
{
- size_t needed_len; /* bytes of keying material needed */
+ size_t needed_len = 0; /* bytes of keying material needed */
/* Add up the requirements for keying material
* (It probably doesn't matter if we produce too much!)
@@ -3754,7 +3753,7 @@ main_id_and_auth(struct msg_digest *md
struct key_continuation *nkc
= alloc_thing(struct key_continuation, "key continuation");
enum key_oppo_step step_done = kc == NULL? kos_null : kc->step;
- err_t ugh;
+ err_t ugh = NULL;
/* Record that state is used by a suspended md */
passert(st->st_suspended_md == NULL);
@@ -4308,7 +4307,7 @@ report_verify_failure(struct verify_oppo_bundle *b, err_t ugh)
char fgwb[ADDRTOT_BUF]
, cb[ADDRTOT_BUF];
ip_address client;
- err_t which;
+ err_t which = NULL;
switch (b->step)
{
@@ -4384,7 +4383,7 @@ quick_inI1_outR1_start_query(struct verify_oppo_bundle *b
, *our_id /* needed for myid playing */
, our_id_space; /* ephemeral: no need for unshare_id_content */
ip_address client;
- err_t ugh;
+ err_t ugh = NULL;
/* Record that state is used by a suspended md */
b->step = next_step; /* not just vc->b.step */
@@ -4495,7 +4494,7 @@ quick_inI1_outR1_process_answer(struct verify_oppo_bundle *b
, struct state *p1st)
{
struct connection *c = p1st->st_connection;
- enum verify_oppo_step next_step;
+ enum verify_oppo_step next_step = vos_our_client;
err_t ugh = NULL;
DBG(DBG_CONTROL,
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index 5f31d5ca3..d42ac3372 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: kernel.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: kernel.c 3846 2008-04-18 17:01:45Z andreas $
*/
#include <stddef.h>
@@ -1827,30 +1827,30 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
static const struct esp_info esp_info[] = {
{ ESP_NULL, AUTH_ALGORITHM_HMAC_MD5,
0, HMAC_MD5_KEY_LEN,
- SADB_EALG_NULL, SADB_AALG_MD5_HMAC },
+ SADB_EALG_NULL, SADB_AALG_MD5HMAC },
{ ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1,
0, HMAC_SHA1_KEY_LEN,
- SADB_EALG_NULL, SADB_AALG_SHA1_HMAC },
+ SADB_EALG_NULL, SADB_AALG_SHA1HMAC },
{ ESP_DES, AUTH_ALGORITHM_NONE,
DES_CBC_BLOCK_SIZE, 0,
- SADB_EALG_DES_CBC, SADB_AALG_NONE },
+ SADB_EALG_DESCBC, SADB_AALG_NONE },
{ ESP_DES, AUTH_ALGORITHM_HMAC_MD5,
DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN,
- SADB_EALG_DES_CBC, SADB_AALG_MD5_HMAC },
+ SADB_EALG_DESCBC, SADB_AALG_MD5HMAC },
{ ESP_DES, AUTH_ALGORITHM_HMAC_SHA1,
DES_CBC_BLOCK_SIZE,
- HMAC_SHA1_KEY_LEN, SADB_EALG_DES_CBC, SADB_AALG_SHA1_HMAC },
+ HMAC_SHA1_KEY_LEN, SADB_EALG_DESCBC, SADB_AALG_SHA1HMAC },
{ ESP_3DES, AUTH_ALGORITHM_NONE,
DES_CBC_BLOCK_SIZE * 3, 0,
- SADB_EALG_3DES_CBC, SADB_AALG_NONE },
+ SADB_EALG_3DESCBC, SADB_AALG_NONE },
{ ESP_3DES, AUTH_ALGORITHM_HMAC_MD5,
DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN,
- SADB_EALG_3DES_CBC, SADB_AALG_MD5_HMAC },
+ SADB_EALG_3DESCBC, SADB_AALG_MD5HMAC },
{ ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1,
DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN,
- SADB_EALG_3DES_CBC, SADB_AALG_SHA1_HMAC },
+ SADB_EALG_3DESCBC, SADB_AALG_SHA1HMAC },
};
u_int8_t natt_type = 0;
@@ -1976,11 +1976,11 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
switch (st->st_ah.attrs.auth)
{
case AUTH_ALGORITHM_HMAC_MD5:
- authalg = SADB_AALG_MD5_HMAC;
+ authalg = SADB_AALG_MD5HMAC;
break;
case AUTH_ALGORITHM_HMAC_SHA1:
- authalg = SADB_AALG_SHA1_HMAC;
+ authalg = SADB_AALG_SHA1HMAC;
break;
default:
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index abdb603de..4269de66e 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: kernel_netlink.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: kernel_netlink.c 3850 2008-04-18 20:01:49Z andreas $
*/
#if defined(linux) && defined(KERNEL26_SUPPORT)
@@ -83,12 +83,13 @@ static sparse_names xfrm_type_names = {
/* Authentication algorithms */
static sparse_names aalg_list = {
{ SADB_X_AALG_NULL, "digest_null" },
- { SADB_AALG_MD5_HMAC, "md5" },
- { SADB_AALG_SHA1_HMAC, "sha1" },
- { SADB_AALG_SHA2_256_HMAC, "sha256" },
- { SADB_AALG_SHA2_384_HMAC, "sha384" },
- { SADB_AALG_SHA2_512_HMAC, "sha512" },
- { SADB_AALG_RIPEMD_160_HMAC, "ripemd160" },
+ { SADB_AALG_MD5HMAC, "md5" },
+ { SADB_AALG_SHA1HMAC, "sha1" },
+ { SADB_X_AALG_SHA2_256HMAC, "sha256" },
+ { SADB_X_AALG_SHA2_384HMAC, "sha384" },
+ { SADB_X_AALG_SHA2_512HMAC, "sha512" },
+ { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
+ { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"},
{ SADB_X_AALG_NULL, "null" },
{ 0, sparse_end }
};
@@ -96,14 +97,14 @@ static sparse_names aalg_list = {
/* Encryption algorithms */
static sparse_names ealg_list = {
{ SADB_EALG_NULL, "cipher_null" },
- { SADB_EALG_DES_CBC, "des" },
- { SADB_EALG_3DES_CBC, "des3_ede" },
- { SADB_EALG_IDEA_CBC, "idea" },
- { SADB_EALG_CAST_CBC, "cast128" },
- { SADB_EALG_BLOWFISH_CBC, "blowfish" },
- { SADB_EALG_AES_CBC, "aes" },
- { SADB_X_EALG_SERPENT_CBC, "serpent" },
- { SADB_X_EALG_TWOFISH_CBC, "twofish" },
+ { SADB_EALG_DESCBC, "des" },
+ { SADB_EALG_3DESCBC, "des3_ede" },
+ { SADB_X_EALG_CASTCBC, "cast128" },
+ { SADB_X_EALG_BLOWFISHCBC, "blowfish" },
+ { SADB_X_EALG_AESCBC, "aes" },
+ { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" },
+ { SADB_X_EALG_SERPENTCBC, "serpent" },
+ { SADB_X_EALG_TWOFISHCBC, "twofish" },
{ 0, sparse_end }
};
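Review bot: The `idea` mapping (`SADB_EALG_IDEA_CBC`) is dropped from ealg_list with no replacement entry while every other cipher in the table was only renamed; if the new SADB naming simply has no IDEA constant, a one-line comment at that spot stating so (e.g. `/* IDEA intentionally not mapped */`) would stop the next reader from re-adding it, and if it is an oversight, ESP_IDEA proposals will now fail the sparse_name lookup. In the previous hunk, `{ SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"},` lacks the space before the closing brace that every neighbouring entry has.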
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index eab9dfc4a..1aed7a63f 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keys.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: keys.c 3738 2008-04-02 19:04:45Z andreas $
*/
#include <stddef.h>
@@ -83,7 +83,7 @@ static pubkey_t*
allocate_RSA_public_key(const cert_t cert)
{
pubkey_t *pk = alloc_thing(pubkey_t, "pubkey");
- chunk_t e, n;
+ chunk_t e = empty_chunk, n = empty_chunk;
switch (cert.type)
{
@@ -335,7 +335,7 @@ get_x509_private_key(const x509cert_t *cert)
{
secret_t *s;
const RSA_private_key_t *pri = NULL;
- const cert_t c = {CERT_X509_SIGNATURE, {cert}};
+ const cert_t c = {CERT_X509_SIGNATURE, {(x509cert_t*)cert}};
pubkey_t *pubkey = allocate_RSA_public_key(c);
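Review bot: `{(x509cert_t*)cert}` casts away the const of the `cert` parameter to fit the cert_t union, so the compiler can no longer check that allocate_RSA_public_key and whatever it passes the union on to leave the certificate untouched; the same cast recurs in the remove_x509_public_key hunk (`{(x509cert_t*)cert}`) and in the smartcard.c hunks of this commit (`(char *)init_args` and `(u_char*)in` three times). Where the callee only reads, the cleaner fix is a const-qualified union member or parameter rather than a cast at each call site; where a vendor prototype fixes the type, as with the PKCS#11 `C_Encrypt`/`C_Decrypt` calls, a comment such as `/* PKCS#11 prototype takes a non-const buffer; it is not written to */` should say so, because writing through such a pointer to an object defined const is undefined behaviour. get_x509_private_key continues outside the hunk.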
@@ -647,7 +647,7 @@ xauth_get_secret(xauth_t *xauth_secret)
* find a matching secret
*/
static bool
-xauth_verify_secret(const char *conn_name, const xauth_t *xauth_secret)
+xauth_verify_secret(const xauth_peer_t *peer, const xauth_t *xauth_secret)
{
bool found = FALSE;
secret_t *s;
@@ -1473,7 +1473,7 @@ add_pgp_public_key(pgpcert_t *cert , time_t until
void
remove_x509_public_key(const x509cert_t *cert)
{
- const cert_t c = {CERT_X509_SIGNATURE, {cert}};
+ const cert_t c = {CERT_X509_SIGNATURE, {(x509cert_t*)cert}};
pubkey_list_t *p, **pp;
pubkey_t *revoked_pk;
diff --git a/src/pluto/log.c b/src/pluto/log.c
index ca0576b69..0fb5f1d25 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: log.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: log.c 4024 2008-05-29 07:49:47Z andreas $
*/
#include <stdio.h>
@@ -65,7 +65,7 @@ const char *base_perpeer_logdir = PERPEERLOGDIR;
static int perpeer_count = 0;
/* from sys/queue.h */
-static CIRCLEQ_HEAD(,connection) perpeer_list;
+static TAILQ_HEAD(perpeer, connection) perpeer_list;
/* Context for logging.
@@ -88,19 +88,19 @@ init_log(const char *program)
if (log_to_syslog)
openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
- CIRCLEQ_INIT(&perpeer_list);
+ TAILQ_INIT(&perpeer_list);
}
void
close_peerlog(void)
{
- /* end of circular queue is given by pointer to "HEAD"
- * BUT if the queue is not initialized, this won't be true
- * so we must guard by test perpeer_list.cqh_first != NULL
- */
- if (perpeer_list.cqh_first != NULL)
- while (perpeer_list.cqh_first != (void *)&perpeer_list)
- perpeer_logclose(perpeer_list.cqh_first);
+ /* exit if the queue has not been initialized */
+ if (TAILQ_LAST(&perpeer_list, perpeer) == NULL)
+ return;
+
+ /* end of queue is given by pointer to "HEAD" */
+ while (TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list)
+ perpeer_logclose(TAILQ_LAST(&perpeer_list, perpeer));
}
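Review bot: The rewritten close_peerlog relies on TAILQ_LAST returning the head address at the end of the queue, which is CIRCLEQ behaviour, not TAILQ behaviour: with the sys/queue.h definition `(*(((struct headname *)((head)->tqh_last))->tqh_last))`, TAILQ_LAST yields NULL on an initialised empty queue and dereferences a NULL `tqh_last` on a never-initialised (zeroed) one. So the guard `if (TAILQ_LAST(&perpeer_list, perpeer) == NULL)` crashes in exactly the uninitialised case its comment describes, and the loop `while (TAILQ_LAST(...) != (void *)&perpeer_list)` never sees the head address, so once the last entry has been removed it calls perpeer_logclose(NULL), where the passert on perpeer_count in the perpeer_logclose hunk fires. Suggested: `if (perpeer_list.tqh_last == NULL) return;` for the guard and `while (!TAILQ_EMPTY(&perpeer_list))` for the loop. The passert in the open_peerlog hunk, `passert(TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list);`, is vacuous for the same reason and should compare against NULL.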
void
@@ -231,7 +231,7 @@ perpeer_logclose(struct connection *c)
{
passert(perpeer_count > 0);
- CIRCLEQ_REMOVE(&perpeer_list, c, log_link);
+ TAILQ_REMOVE(&perpeer_list, c, log_link);
perpeer_count--;
fclose(c->log_file);
c->log_file=NULL;
@@ -366,13 +366,13 @@ open_peerlog(struct connection *c)
while (perpeer_count >= MAX_PEERLOG_COUNT)
{
/* can not be NULL because perpeer_count > 0 */
- passert(perpeer_list.cqh_last != (void *)&perpeer_list);
+ passert(TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list);
- perpeer_logclose(perpeer_list.cqh_last);
+ perpeer_logclose(TAILQ_LAST(&perpeer_list, perpeer));
}
/* insert this into the list */
- CIRCLEQ_INSERT_HEAD(&perpeer_list, c, log_link);
+ TAILQ_INSERT_HEAD(&perpeer_list, c, log_link);
passert(c->log_file != NULL);
perpeer_count++;
}
@@ -406,8 +406,8 @@ peerlog(const char *prefix, const char *m)
fprintf(cur_connection->log_file, "%s %s%s\n", datebuf, prefix, m);
/* now move it to the front of the list */
- CIRCLEQ_REMOVE(&perpeer_list, cur_connection, log_link);
- CIRCLEQ_INSERT_HEAD(&perpeer_list, cur_connection, log_link);
+ TAILQ_REMOVE(&perpeer_list, cur_connection, log_link);
+ TAILQ_INSERT_HEAD(&perpeer_list, cur_connection, log_link);
}
}
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index b7f8aef93..93624588a 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: modecfg.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: modecfg.c 3738 2008-04-02 19:04:45Z andreas $
*
* This code originally written by Colubris Networks, Inc.
* Extraction of patch and porting to 1.99 codebases by Xelerance Corporation
@@ -967,6 +967,12 @@ xauth_inR1(struct msg_digest *md)
}
else
{
+ xauth_peer_t peer;
+
+ peer.conn_name = st->st_connection->name;
+ addrtot(&md->sender, 0, peer.ip_address, sizeof(peer.ip_address));
+ idtoa(&md->st->st_connection->spd.that.id, peer.id, sizeof(peer.id));
+
DBG(DBG_CONTROL,
DBG_log("peer xauth user name is '%.*s'"
, ia.xauth_secret.user_name.len
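Review bot: `peer` is filled field by field using two spellings of what looks like the same connection, `st->st_connection->name` and `md->st->st_connection->spd.that.id`; if `st` is `md->st` here (xauth_inR1 starts outside the hunk), pick one spelling so a reader does not have to check. A designated initialiser, `xauth_peer_t peer = { .conn_name = st->st_connection->name };`, would additionally zero any xauth_peer_t member this code does not set before the struct is handed to the plugin via verify_secret in the next hunk; the file already uses designated initialisers elsewhere in this commit.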
@@ -977,9 +983,8 @@ xauth_inR1(struct msg_digest *md)
, ia.xauth_secret.user_password.len
, ia.xauth_secret.user_password.ptr)
)
- /* verify the user credentials using a plugn function */
- st->st_xauth.status = xauth_module.verify_secret(st->st_connection->name
- , &ia.xauth_secret);
+ /* verify the user credentials using a plugin function */
+ st->st_xauth.status = xauth_module.verify_secret(&peer, &ia.xauth_secret);
plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
}
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index fccd2e461..5662c5c41 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: plutomain.c 3253 2007-10-06 21:39:00Z andreas $
+ * RCSID $Id: plutomain.c 3914 2008-05-08 10:58:04Z martin $
*/
#include <stdio.h>
@@ -31,6 +31,8 @@
#include <sys/queue.h>
#include <linux/capability.h>
#include <sys/prctl.h>
+#include <pwd.h>
+#include <grp.h>
#include <freeswan.h>
@@ -617,19 +619,43 @@ main(int argc, char **argv)
init_fetch();
/* drop unneeded capabilities and change UID/GID */
+#ifdef _LINUX_CAPABILITY_VERSION_1
+ hdr.version = _LINUX_CAPABILITY_VERSION_1;
+#else
hdr.version = _LINUX_CAPABILITY_VERSION;
+#endif
hdr.pid = 0;
data.inheritable = data.effective = data.permitted =
1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE;
prctl(PR_SET_KEEPCAPS, 1);
+
+#ifdef IPSEC_GROUP
+ {
+ struct group group, *grp;
+ char buf[1024];
-# if IPSEC_GID
- setgid(IPSEC_GID);
-# endif
-# if IPSEC_UID
- setuid(IPSEC_UID);
-# endif
+ if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
+ grp == NULL || setgid(grp->gr_gid) != 0)
+ {
+ plog("unable to change daemon group");
+ abort();
+ }
+ }
+#endif
+#ifdef IPSEC_USER
+ {
+ struct passwd passwd, *pwp;
+ char buf[1024];
+
+ if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
+ pwp == NULL || setuid(pwp->pw_uid) != 0)
+ {
+ plog("unable to change daemon user");
+ abort();
+ }
+ }
+#endif
if (capset(&hdr, &data))
{
plog("unable to drop root privileges");
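Review bot: The new uid/gid switch changes the primary group and the user but never touches the supplementary group list, so whatever groups the invoking root process carried remain attached to the daemon after `setgid`/`setuid`; clearing them is the standard companion step and `<grp.h>` is already being added by this commit. Fold it into the group block ahead of the gid change, `if (getgrnam_r(...) != 0 || grp == NULL || setgroups(0, NULL) != 0 || setgid(grp->gr_gid) != 0)`, and widen the `plog` text to cover it; setgroups needs CAP_SETGID, so it must stay before the setuid block. The fixed `char buf[1024]` handed to getgrnam_r/getpwnam_r makes both calls fail with ERANGE for large directory entries, which is then reported only as the generic "unable to change daemon group/user" message, so consider logging errno there. main continues outside the hunk.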
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index c46e3cf9a..937c3f93a 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -18,7 +18,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: smartcard.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: smartcard.c 3686 2008-03-28 11:48:14Z martin $
*/
#include <stdio.h>
@@ -701,7 +701,7 @@ void
scx_init(const char* module, const char *init_args)
{
#ifdef SMARTCARD
- CK_C_INITIALIZE_ARGS args = { .pReserved = init_args, };
+ CK_C_INITIALIZE_ARGS args = { .pReserved = (char *)init_args, };
CK_RV rv;
if (scx_initialized)
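Review bot: The new `(char *)init_args` cast discards the const qualifier that scx_init's own signature promises its callers, and the same pattern repeats in the three `(u_char*)in` casts in the scx_encrypt/scx_decrypt hunks further down this file. If the reason is that the PKCS#11 prototypes take non-const pointers, say so once where the cast is made, e.g. `/* PKCS#11 prototypes take non-const CK_BYTE_PTR; the buffer is only read */`, so the cast is not read as permission to write through it: writing via the cast pointer would be undefined behaviour if the caller's buffer was itself defined const, which cannot be confirmed from these call sites. scx_init, scx_encrypt and scx_decrypt all continue outside their hunks.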
@@ -1442,7 +1442,7 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
if (rv == CKR_FUNCTION_NOT_SUPPORTED)
{
RSA_public_key_t rsa;
- chunk_t plain_text = {in, inlen};
+ chunk_t plain_text = {(u_char*)in, inlen};
chunk_t cipher_text;
DBG(DBG_CONTROL,
@@ -1496,7 +1496,7 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
DBG(DBG_CONTROL,
DBG_log("doing RSA encryption on smartcard")
)
- rv = pkcs11_functions->C_Encrypt(sc->session, in, inlen
+ rv = pkcs11_functions->C_Encrypt(sc->session, (u_char*)in, inlen
, out, &len);
if (rv != CKR_OK)
{
@@ -1570,7 +1570,7 @@ scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
return FALSE;
}
- rv = pkcs11_functions->C_Decrypt(sc->session, in, inlen
+ rv = pkcs11_functions->C_Decrypt(sc->session, (u_char*)in, inlen
, out, &len);
if (rv != CKR_OK)
{
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index 7003b127a..9d1bf8843 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: spdb.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: spdb.c 3845 2008-04-18 17:00:30Z andreas $
*/
#include <stdio.h>
@@ -296,9 +296,9 @@ out_sa(pb_stream *outs
struct db_prop *p = &pc->props[pn];
pb_stream proposal_pbs;
struct isakmp_proposal proposal;
- struct_desc *trans_desc;
- struct_desc *attr_desc;
- enum_names **attr_val_descs;
+ struct_desc *trans_desc = NULL;
+ struct_desc *attr_desc = NULL;
+ enum_names **attr_val_descs = NULL;
int tn;
bool tunnel_mode;
@@ -1166,6 +1166,8 @@ parse_isakmp_sa_body(u_int32_t ipsecdoisit
case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TLV:
#endif
default:
+ /* fix compiler warning */
+ memset(&ta, 0, sizeof(ta));
ugh = "unsupported OAKLEY attribute";
break;
}
@@ -1761,7 +1763,9 @@ parse_ipsec_sa_body(
{
int propno = next_proposal.isap_proposal;
pb_stream ah_prop_pbs, esp_prop_pbs, ipcomp_prop_pbs;
- struct isakmp_proposal ah_proposal, esp_proposal, ipcomp_proposal;
+ struct isakmp_proposal ah_proposal = {0, 0, 0, 0, 0, 0, 0};
+ struct isakmp_proposal esp_proposal = {0, 0, 0, 0, 0, 0, 0};
+ struct isakmp_proposal ipcomp_proposal = {0, 0, 0, 0, 0, 0, 0};
ipsec_spi_t ah_spi = 0;
ipsec_spi_t esp_spi = 0;
ipsec_spi_t ipcomp_cpi = 0;
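Review bot: The positional initialisers `{0, 0, 0, 0, 0, 0, 0}` for ah_proposal, esp_proposal and ipcomp_proposal hard-code the member count of struct isakmp_proposal and have to be edited whenever the struct changes. The idiomatic zero-initialiser zeros every member regardless of count and states the intent more clearly, e.g. `struct isakmp_proposal ah_proposal = {0};` for each of the three. parse_ipsec_sa_body continues outside the hunk.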
@@ -2054,7 +2058,7 @@ parse_ipsec_sa_body(
/* set default key length for AES encryption */
if (!esp_attrs.key_len && esp_attrs.transid == ESP_AES)
{
- esp_attrs.key_len = 128 / BITS_PER_BYTE;
+ esp_attrs.key_len = 128; /* bits */
}
if (!kernel_alg_esp_enc_ok(esp_attrs.transid, esp_attrs.key_len
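Review bot: The default AES key length switches unit from bytes to bits with only a trailing `/* bits */` to mark it, so the `kernel_alg_esp_enc_ok(esp_attrs.transid, esp_attrs.key_len` call on the next line and every other consumer of esp_attrs.key_len must now agree on bits; whether they do cannot be confirmed from this hunk. Replacing the literal with a named constant that carries the unit (for example `AES_DEFAULT_KEY_LEN_BITS`, a constructed name) and extending the comment above to `/* set default key length for AES encryption; key_len is kept in bits throughout */` would make the unit hard to get wrong later. parse_ipsec_sa_body continues outside the hunk.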
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index c31a4195b..3b779ed24 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: vendor.c 3472 2008-02-14 21:26:21Z andreas $
+ * RCSID $Id: vendor.c 4016 2008-05-25 10:35:39Z andreas $
*/
#include <stdlib.h>
@@ -206,7 +206,12 @@ static struct vid_struct _vid_tab[] = {
/*
* strongSwan
*/
- DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.11")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.2.4")
+ DEC_MD5_VID(STRONGSWAN_4_2_3, "strongSwan 4.2.3")
+ DEC_MD5_VID(STRONGSWAN_4_2_2, "strongSwan 4.2.2")
+ DEC_MD5_VID(STRONGSWAN_4_2_1, "strongSwan 4.2.1")
+ DEC_MD5_VID(STRONGSWAN_4_2_0, "strongSwan 4.2.0")
+ DEC_MD5_VID(STRONGSWAN_4_1_11,"strongSwan 4.1.11")
DEC_MD5_VID(STRONGSWAN_4_1_10,"strongSwan 4.1.10")
DEC_MD5_VID(STRONGSWAN_4_1_9, "strongSwan 4.1.9")
DEC_MD5_VID(STRONGSWAN_4_1_8, "strongSwan 4.1.8")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 03d2fde77..c1d8870bc 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: vendor.h 3413 2007-12-24 18:07:55Z andreas $
+ * RCSID $Id: vendor.h 4016 2008-05-25 10:35:39Z andreas $
*/
#ifndef _VENDOR_H_
@@ -114,17 +114,23 @@ enum known_vendorid {
VID_STRONGSWAN_4_1_8 = 96,
VID_STRONGSWAN_4_1_9 = 97,
VID_STRONGSWAN_4_1_10 = 98,
+ VID_STRONGSWAN_4_1_11 = 99,
+
+ VID_STRONGSWAN_4_2_0 =100,
+ VID_STRONGSWAN_4_2_1 =101,
+ VID_STRONGSWAN_4_2_2 =102,
+ VID_STRONGSWAN_4_2_3 =103,
/* 101 - 200 : NAT-Traversal */
- VID_NATT_STENBERG_01 =101,
- VID_NATT_STENBERG_02 =102,
- VID_NATT_HUTTUNEN =103,
- VID_NATT_HUTTUNEN_ESPINUDP =104,
- VID_NATT_IETF_00 =105,
- VID_NATT_IETF_02_N =106,
- VID_NATT_IETF_02 =107,
- VID_NATT_IETF_03 =108,
- VID_NATT_RFC =109,
+ VID_NATT_STENBERG_01 =151,
+ VID_NATT_STENBERG_02 =152,
+ VID_NATT_HUTTUNEN =153,
+ VID_NATT_HUTTUNEN_ESPINUDP =154,
+ VID_NATT_IETF_00 =155,
+ VID_NATT_IETF_02_N =156,
+ VID_NATT_IETF_02 =157,
+ VID_NATT_IETF_03 =158,
+ VID_NATT_RFC =159,
/* 201 - 300 : Misc */
VID_MISC_XAUTH =201,
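Review bot: The range comment `/* 101 - 200 : NAT-Traversal */` is stale after this change: the new VID_STRONGSWAN_4_2_x enumerators now occupy 100-103 and the NAT-T ids were moved to 151-159, so it should read `/* 151 - 200 : NAT-Traversal */`, and the comment bounding the strongSwan block above (outside the hunk) may need the same adjustment. Since these enumerators are renumbered, any code that persists or compares the numeric values outside this header would change meaning; none is visible here, and the vendor.c table in this commit matches entries by name, so that side looks consistent. The enum continues outside the hunk.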
diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c
index 0188b1950..8f4dc2460 100644
--- a/src/pluto/xauth.c
+++ b/src/pluto/xauth.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: xauth.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: xauth.c 3738 2008-04-02 19:04:45Z andreas $
*/
#include <dlfcn.h>
@@ -44,7 +44,7 @@ xauth_init(void)
DBG_log("xauth module: found get_secret() function");
}
)
- xauth_module.verify_secret = (bool (*) (const char*, const xauth_t*))
+ xauth_module.verify_secret = (bool (*) (const xauth_peer_t*, const xauth_t*))
dlsym(xauth_module.handle, "verify_secret");
DBG(DBG_CONTROL,
if (xauth_module.verify_secret != NULL)
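Review bot: The changed cast at `xauth_module.verify_secret = (bool (*) (const xauth_peer_t*, const xauth_t*))` is a silent ABI break for out-of-tree xauth modules: dlsym() resolves `verify_secret` by name only, so a module built against the previous `(const char *conn_name, ...)` prototype still loads and is then called with an xauth_peer_t pointer it treats as a string. Checking an interface-version symbol exported by the module before using its function pointers would turn that into a clean load failure; at minimum the new contract should be noted where the pointer is assigned, e.g. `/* verify_secret() now takes an xauth_peer_t, not conn_name; modules built against the old prototype must be rebuilt */`. xauth_init continues outside the hunk.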
diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h
index 277340ab0..fd7e5399f 100644
--- a/src/pluto/xauth.h
+++ b/src/pluto/xauth.h
@@ -12,17 +12,26 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: xauth.h 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: xauth.h 3738 2008-04-02 19:04:45Z andreas $
*/
#ifndef _XAUTH_H
#define _XAUTH_H
+#include <freeswan.h>
+#include "defs.h"
+
/* XAUTH credentials */
struct chunk_t;
typedef struct {
+ char *conn_name;
+ char id[BUF_LEN];
+ char ip_address[ADDRTOT_BUF];
+} xauth_peer_t;
+
+typedef struct {
chunk_t user_name;
chunk_t user_password;
} xauth_t;
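Review bot: The new xauth_peer_t combines a pointer member `char *conn_name` with two fixed arrays `id[BUF_LEN]` and `ip_address[ADDRTOT_BUF]` but says nothing about who owns conn_name, how long it stays valid after verify_secret() returns, or whether the two arrays are guaranteed NUL-terminated; because this header is the contract seen by external xauth modules, those facts belong in a comment on the struct. The code that fills the struct is not on this page, so the answers have to come from the author rather than be guessed here. Pulling `<freeswan.h>` and `"defs.h"` into this public header also makes every module include them, which is fine if intended but worth a short comment.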
@@ -30,7 +39,7 @@ typedef struct {
typedef struct {
void *handle;
bool (*get_secret) (xauth_t *xauth_secret);
- bool (*verify_secret) (const char *conn_name, const xauth_t *xauth_secret);
+ bool (*verify_secret) (const xauth_peer_t *peer, const xauth_t *xauth_secret);
} xauth_module_t;
extern xauth_module_t xauth_module;