summaryrefslogtreecommitdiff
path: root/src/pluto
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2007-07-04 23:47:20 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2007-07-04 23:47:20 +0000
commit7b0305f59ddab9ea026b202a8c569912e5bf9a90 (patch)
tree131d39a22cf97e9e8c6da58ddefabc8138a731c2 /src/pluto
parent08ee5250bd9c43fda5f24d10b791ca2c4c17fcee (diff)
downloadvyos-strongswan-7b0305f59ddab9ea026b202a8c569912e5bf9a90.tar.gz
vyos-strongswan-7b0305f59ddab9ea026b202a8c569912e5bf9a90.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.1.4)
Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/Makefile.am20
-rw-r--r--src/pluto/Makefile.in21
-rw-r--r--src/pluto/connections.c118
-rw-r--r--src/pluto/connections.h1
-rw-r--r--src/pluto/plutomain.c15
-rw-r--r--src/pluto/smartcard.c12
-rw-r--r--src/pluto/smartcard.h2
-rw-r--r--src/pluto/vendor.c5
-rw-r--r--src/pluto/vendor.h25
9 files changed, 105 insertions, 114 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 7dd5f422b..9aeac029d 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -128,14 +128,14 @@ if USE_LIBLDAP
endif
install-exec-local :
- mkdir -p -m 755 $(confdir)/ipsec.d
- mkdir -p -m 755 $(confdir)/ipsec.d/cacerts
- mkdir -p -m 755 $(confdir)/ipsec.d/ocspcerts
- mkdir -p -m 755 $(confdir)/ipsec.d/certs
- mkdir -p -m 755 $(confdir)/ipsec.d/acerts
- mkdir -p -m 755 $(confdir)/ipsec.d/aacerts
- mkdir -p -m 755 $(confdir)/ipsec.d/crls
- mkdir -p -m 755 $(confdir)/ipsec.d/reqs
- mkdir -p -m 700 $(confdir)/ipsec.d/private
- chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/cacerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/ocspcerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/certs
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/acerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/aacerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/crls
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/reqs
+ mkdir -p -m 700 $(DESTDIR)$(confdir)/ipsec.d/private
+ chown -R $(ipsecuid):$(ipsecgid) $(DESTDIR)$(confdir)/ipsec.d
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index e164717a9..4cefa58ca 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -179,6 +179,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
STRIP = @STRIP@
@@ -879,16 +880,16 @@ oid.h: oid.txt oid.pl
$(PERL) oid.pl
install-exec-local :
- mkdir -p -m 755 $(confdir)/ipsec.d
- mkdir -p -m 755 $(confdir)/ipsec.d/cacerts
- mkdir -p -m 755 $(confdir)/ipsec.d/ocspcerts
- mkdir -p -m 755 $(confdir)/ipsec.d/certs
- mkdir -p -m 755 $(confdir)/ipsec.d/acerts
- mkdir -p -m 755 $(confdir)/ipsec.d/aacerts
- mkdir -p -m 755 $(confdir)/ipsec.d/crls
- mkdir -p -m 755 $(confdir)/ipsec.d/reqs
- mkdir -p -m 700 $(confdir)/ipsec.d/private
- chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/cacerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/ocspcerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/certs
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/acerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/aacerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/crls
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/reqs
+ mkdir -p -m 700 $(DESTDIR)$(confdir)/ipsec.d/private
+ chown -R $(ipsecuid):$(ipsecgid) $(DESTDIR)$(confdir)/ipsec.d
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 0d02b979c..c4d5dae4d 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -122,7 +122,7 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
{
if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
- && sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
+ && sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
{
if (prev != NULL)
{
@@ -162,15 +162,21 @@ connect_to_host_pair(struct connection *c)
{
if (oriented(*c))
{
- struct host_pair *hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
- , &c->spd.that.host_addr, c->spd.that.host_port);
+ struct host_pair *hp;
+
+ ip_address his_addr = (c->spd.that.allow_any)
+ ? *aftoinfo(addrtypeof(&c->spd.that.host_addr))->any
+ : c->spd.that.host_addr;
+
+ hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
+ , &his_addr, c->spd.that.host_port);
if (hp == NULL)
{
/* no suitable host_pair -- build one */
hp = alloc_thing(struct host_pair, "host_pair");
hp->me.addr = c->spd.this.host_addr;
- hp->him.addr = c->spd.that.host_addr;
+ hp->him.addr = his_addr;
hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
hp->initial_connection_sent = FALSE;
@@ -632,24 +638,15 @@ format_end(char *buf
strcpy(&host_id[len < 0? (ptrdiff_t)sizeof(host_id)-2 : 1 + len], "]");
}
- /* [---hop] */
- hop[0] = '\0';
- hop_sep = "";
- if (that != NULL && !sameaddr(&this->host_nexthop, &that->host_addr))
- {
- addrtot(&this->host_nexthop, 0, hop, sizeof(hop));
- hop_sep = "---";
- }
-
if (is_left)
- snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s"
- , open_brackets, client, close_brackets
- , client_sep, host, host_port, host_id
- , protoport, hop_sep, hop);
+ snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
+ , open_brackets, client, close_brackets, client_sep
+ , this->allow_any? "%":""
+ , host, host_port, host_id, protoport);
else
- snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s"
- , hop, hop_sep, host, host_port, host_id
- , protoport, client_sep
+ snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
+ , this->allow_any? "%":""
+ , host, host_port, host_id, protoport, client_sep
, open_brackets, client, close_brackets);
return strlen(buf);
}
@@ -855,6 +852,7 @@ extract_end(struct end *dst, const whack_end_t *src, const char *which)
dst->has_client_wildcard = src->has_client_wildcard;
dst->modecfg = src->modecfg;
dst->hostaccess = src->hostaccess;
+ dst->allow_any = src->allow_any;
dst->sendcert = src->sendcert;
dst->updown = src->updown;
dst->host_port = src->host_port;
@@ -1067,7 +1065,8 @@ add_connection(const whack_message_t *wm)
* or any wildcard ID to that end
*/
if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
- || c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards)
+ || c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards
+ || c->spd.this.allow_any)
{
struct end t = c->spd.this;
@@ -1095,7 +1094,7 @@ add_connection(const whack_message_t *wm)
}
else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
|| c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard
- || c->spd.that.has_id_wildcards)
+ || c->spd.that.has_id_wildcards || c->spd.that.allow_any)
{
/* Opportunistic or Road Warrior or wildcard client subnet
* or wildcard ID */
@@ -1263,6 +1262,8 @@ instantiate(struct connection *c, const ip_address *him
c->instance_serial++;
d = clone_thing(*c, "temporary connection");
+ d->spd.that.allow_any = FALSE;
+
if (his_id != NULL)
{
passert(match_id(his_id, &d->spd.that.id, &wildcards));
@@ -1306,6 +1307,10 @@ instantiate(struct connection *c, const ip_address *him
connect_to_host_pair(d);
return d;
+ if (sameaddr(&d->spd.that.host_addr, &d->spd.this.host_nexthop))
+ {
+ d->spd.this.host_nexthop = *him;
+ }
}
struct connection *
@@ -1803,7 +1808,7 @@ initiate_connection(const char *name, int whackfd)
loglog(RC_INITSHUNT
, "cannot initiate an authby=never connection");
}
- else if (c->kind != CK_PERMANENT)
+ else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any)
{
if (isanyaddr(&c->spd.that.host_addr))
loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address");
@@ -1812,22 +1817,30 @@ initiate_connection(const char *name, int whackfd)
}
else
{
- /* We will only request an IPsec SA if policy isn't empty
- * (ignoring Main Mode items).
- * This is a fudge, but not yet important.
- * If we are to proceed asynchronously, whackfd will be NULL_FD.
- */
- c->policy |= POLICY_UP;
/* do we have to prompt for a PIN code? */
if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
+ {
scx_get_pin(c->spd.this.sc, whackfd);
-
+ }
if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
{
loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
}
else
{
+
+ if (c->spd.that.allow_any)
+ {
+ c = instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port
+ , &c->spd.that.id);
+ }
+
+ /* We will only request an IPsec SA if policy isn't empty
+ * (ignoring Main Mode items).
+ * This is a fudge, but not yet important.
+ * If we are to proceed asynchronously, whackfd will be NULL_FD.
+ */
+ c->policy |= POLICY_UP;
ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY);
whackfd = NULL_FD; /* protect from close */
}
@@ -2975,51 +2988,6 @@ terminate_connection(const char *nm)
} while (c != NULL);
}
-/* check nexthop safety
- * Our nexthop must not be within a routed client subnet, and vice versa.
- * Note: we don't think this is true. We think that KLIPS will
- * not process a packet output by an eroute.
- */
-#ifdef NEVER
-//bool
-//check_nexthop(const struct connection *c)
-//{
-// struct connection *d;
-//
-// if (addrinsubnet(&c->spd.this.host_nexthop, &c->spd.that.client))
-// {
-// loglog(RC_LOG_SERIOUS, "cannot perform routing for connection \"%s\""
-// " because nexthop is within peer's client network",
-// c->name);
-// return FALSE;
-// }
-//
-// for (d = connections; d != NULL; d = d->next)
-// {
-// if (d->routing != RT_UNROUTED)
-// {
-// if (addrinsubnet(&c->spd.this.host_nexthop, &d->spd.that.client))
-// {
-// loglog(RC_LOG_SERIOUS, "cannot do routing for connection \"%s\"
-// " because nexthop is contained in"
-// " existing routing for connection \"%s\"",
-// c->name, d->name);
-// return FALSE;
-// }
-// if (addrinsubnet(&d->spd.this.host_nexthop, &c->spd.that.client))
-// {
-// loglog(RC_LOG_SERIOUS, "cannot do routing for connection \"%s\"
-// " because it contains nexthop of"
-// " existing routing for connection \"%s\"",
-// c->name, d->name);
-// return FALSE;
-// }
-// }
-// }
-// return TRUE;
-//}
-#endif /* NEVER */
-
/* an ISAKMP SA has been established.
* Note the serial number, and release any connections with
* the same peer ID but different peer IP address.
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index df3af9dd4..40cbfc497 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -155,6 +155,7 @@ struct end {
/* that end: give local addresses to clients */
bool hostaccess; /* allow access to host via iptables INPUT/OUTPUT */
/* rules if client behind host is a subnet */
+ bool allow_any; /* IP address is subject to change */
certpolicy_t sendcert; /* whether or not to send the certificate */
};
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index d9b2167c8..a5bf82768 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -104,7 +104,8 @@ usage(const char *mess)
" \\\n\t"
"[--adns <pathname>]"
"[--pkcs11module <path>]"
- "[--pkcs11keepstate"
+ "[--pkcs11keepstate]"
+ "[--pkcs11initargs <string>]"
#ifdef DEBUG
" \\\n\t"
"[--debug-none]"
@@ -217,6 +218,11 @@ bool pkcs11_keep_state = FALSE;
/* by default pluto does not allow pkcs11 proxy access via whack */
bool pkcs11_proxy = FALSE;
+/* argument string to pass to PKCS#11 module.
+ * Not used for compliant modules, just for NSS softoken
+ */
+static const char *pkcs11_init_args = NULL;
+
int
main(int argc, char **argv)
{
@@ -263,6 +269,7 @@ main(int argc, char **argv)
#endif /* !USE_LWRES */
{ "pkcs11module", required_argument, NULL, 'm' },
{ "pkcs11keepstate", no_argument, NULL, 'k' },
+ { "pkcs11initargs", required_argument, NULL, 'z' },
{ "pkcs11proxy", no_argument, NULL, 'y' },
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
@@ -432,6 +439,10 @@ main(int argc, char **argv)
pkcs11_proxy = TRUE;
continue;
+ case 'z': /* --pkcs11initargs */
+ pkcs11_init_args = optarg;
+ continue;
+
#ifdef DEBUG
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
@@ -593,7 +604,7 @@ main(int argc, char **argv)
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
init_virtual_ip(virtual_private);
- scx_init(pkcs11_module_path); /* load and initialize PKCS #11 module */
+ scx_init(pkcs11_module_path, pkcs11_init_args); /* load and initialize PKCS #11 module */
xauth_init(); /* load and initialize XAUTH module */
init_rnd_pool();
init_secret();
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index 744f8a6f3..067d0f046 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -690,12 +690,16 @@ scx_find_all_cert_objects(void)
#endif
/*
- * load and initialize PKCS#11 cryptoki module
+ * load and initialize PKCS#11 cryptoki module
+ *
+ * init_args should be unused when we have a PKCS#11 compliant module,
+ * but NSS softoken breaks that API.
*/
void
-scx_init(const char* module)
+scx_init(const char* module, const char *init_args)
{
#ifdef SMARTCARD
+ CK_C_INITIALIZE_ARGS args = { .pReserved = init_args, };
CK_RV rv;
if (scx_initialized)
@@ -726,8 +730,8 @@ scx_init(const char* module)
DBG(DBG_CONTROL | DBG_CRYPT,
DBG_log("pkcs11 module initializing...")
- )
- rv = pkcs11_functions->C_Initialize(NULL);
+ )
+ rv = pkcs11_functions->C_Initialize(init_args ? &args : NULL);
if (rv != CKR_OK)
{
plog("failed to initialize pkcs11 module: %s"
diff --git a/src/pluto/smartcard.h b/src/pluto/smartcard.h
index c004ca7dd..864f630a1 100644
--- a/src/pluto/smartcard.h
+++ b/src/pluto/smartcard.h
@@ -69,7 +69,7 @@ extern bool pkcs11_keep_state;
extern bool pkcs11_proxy;
extern smartcard_t* scx_parse_number_slot_id(const char *number_slot_id);
-extern void scx_init(const char *module);
+extern void scx_init(const char *module, const char *init_args);
extern void scx_finalize(void);
extern bool scx_establish_context(smartcard_t *sc);
extern bool scx_login(smartcard_t *sc);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index c2ea2b5a0..086cb4dd7 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -205,7 +205,8 @@ static struct vid_struct _vid_tab[] = {
/*
* strongSwan
*/
- DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.3")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.4")
+ DEC_MD5_VID(STRONGSWAN_4_1_3, "strongSwan 4.1.3")
DEC_MD5_VID(STRONGSWAN_4_1_2, "strongSwan 4.1.2")
DEC_MD5_VID(STRONGSWAN_4_1_1, "strongSwan 4.1.1")
DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
@@ -218,6 +219,8 @@ static struct vid_struct _vid_tab[] = {
DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
+ DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")
+ DEC_MD5_VID(STRONGSWAN_2_8_5, "strongSwan 2.8.5")
DEC_MD5_VID(STRONGSWAN_2_8_4, "strongSwan 2.8.4")
DEC_MD5_VID(STRONGSWAN_2_8_3, "strongSwan 2.8.3")
DEC_MD5_VID(STRONGSWAN_2_8_2, "strongSwan 2.8.2")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 5ba65ea37..6c7eeafb3 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -89,18 +89,21 @@ enum known_vendorid {
VID_STRONGSWAN_2_8_2 = 67,
VID_STRONGSWAN_2_8_3 = 68,
VID_STRONGSWAN_2_8_4 = 69,
+ VID_STRONGSWAN_2_8_5 = 70,
+ VID_STRONGSWAN_2_8_6 = 71,
- VID_STRONGSWAN_4_0_0 = 70,
- VID_STRONGSWAN_4_0_1 = 71,
- VID_STRONGSWAN_4_0_2 = 72,
- VID_STRONGSWAN_4_0_3 = 73,
- VID_STRONGSWAN_4_0_4 = 74,
- VID_STRONGSWAN_4_0_5 = 75,
- VID_STRONGSWAN_4_0_6 = 76,
- VID_STRONGSWAN_4_0_7 = 77,
- VID_STRONGSWAN_4_1_0 = 78,
- VID_STRONGSWAN_4_1_1 = 79,
- VID_STRONGSWAN_4_1_2 = 80,
+ VID_STRONGSWAN_4_0_0 = 80,
+ VID_STRONGSWAN_4_0_1 = 81,
+ VID_STRONGSWAN_4_0_2 = 82,
+ VID_STRONGSWAN_4_0_3 = 83,
+ VID_STRONGSWAN_4_0_4 = 84,
+ VID_STRONGSWAN_4_0_5 = 85,
+ VID_STRONGSWAN_4_0_6 = 86,
+ VID_STRONGSWAN_4_0_7 = 87,
+ VID_STRONGSWAN_4_1_0 = 88,
+ VID_STRONGSWAN_4_1_1 = 89,
+ VID_STRONGSWAN_4_1_2 = 90,
+ VID_STRONGSWAN_4_1_3 = 91,
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =101,