Diffstat (limited to 'programs/pluto')
-rw-r--r--programs/pluto/Makefile14
-rw-r--r--programs/pluto/constants.c25
-rw-r--r--programs/pluto/constants.h29
-rw-r--r--programs/pluto/demux.c13
-rw-r--r--programs/pluto/ike_alg.c9
-rw-r--r--programs/pluto/modecfg.c196
-rw-r--r--programs/pluto/plutomain.c23
-rw-r--r--programs/pluto/rcv_info.c308
-rw-r--r--programs/pluto/rcv_info.h18
-rw-r--r--programs/pluto/server.c65
-rw-r--r--programs/pluto/vendor.c6
-rw-r--r--programs/pluto/vendor.h4
12 files changed, 228 insertions, 482 deletions
diff --git a/programs/pluto/Makefile b/programs/pluto/Makefile
index a11a755c0..d466d0209 100644
--- a/programs/pluto/Makefile
+++ b/programs/pluto/Makefile
@@ -12,7 +12,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: Makefile,v 1.47 2007/01/11 21:47:13 as Exp $
+# RCSID $Id: Makefile,v 1.49 2007/01/29 08:27:19 as Exp $
# relative path to top directory of FreeS/WAN source
# Note: referenced in ${FREESWANSRCDIR}/Makefile.inc
@@ -90,13 +90,6 @@ else
BINNAMEADNSIFNEEDED=$(BINNAMEADNS)
endif
-ifeq ($(USE_IPSECPOLICY),true)
- IPSECPOLICY_FILES=rcv_info.c
- IPSECPOLICY_DEFINES=-DIPSECPOLICY
- IPSECPOLICY_LIBS=$(POLICYLIB)
- IPSECPOLICY_OBJS=rcv_info.o
-endif
-
ifeq ($(USE_KEYRR),true)
KEYRR_DEFINES=-DUSE_KEYRR
endif
@@ -130,7 +123,7 @@ DEFINES = $(EXTRA_DEFINES) \
# libefence is a free memory allocation debugger
# Solaris 2 needs -lsocket -lnsl
LIBSPLUTO = $(OBJSGCRYPT) $(LIBDESLITE) $(FREESWANLIB) $(IPSECPOLICY_LIBS)
-LIBSPLUTO+= -lgmp -lresolv # -lefence
+LIBSPLUTO+= -lgmp -ldl -lresolv # -lefence
ifeq ($(USE_VENDORID),true)
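Review bot: `LIBSPLUTO` on the context line above still expands `$(IPSECPOLICY_LIBS)`, although the `USE_IPSECPOLICY` block that set it is removed earlier in this same commit. Unless the variable is defined in an included makefile, the reference is now dead and can be dropped: `LIBSPLUTO = $(OBJSGCRYPT) $(LIBDESLITE) $(FREESWANLIB)`. `-ldl` is also linked unconditionally now rather than only for smartcard builds, so a one-line comment naming the code that needs it (presumably the XAUTH code, given the new `xauth.h` dependency) would keep the link line auditable.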
@@ -167,7 +160,6 @@ ifeq ($(USE_SMARTCARD),true)
ifdef PKCS11_DEFAULT_LIB
DEFINES+= -DPKCS11_DEFAULT_LIB=$(PKCS11_DEFAULT_LIB)
endif
- LIBSPLUTO+= -ldl
endif
# This compile option activates the leak detective
@@ -929,6 +921,7 @@ plutomain.o: ipsec_doi.h
plutomain.o: ocsp.h
plutomain.o: crl.h
plutomain.o: fetch.h
+plutomain.o: xauth.h
plutomain.o: sha1.h
plutomain.o: md5.h
plutomain.o: crypto.h
@@ -982,7 +975,6 @@ server.o: timer.h
server.o: packet.h
server.o: demux.h
server.o: rcv_whack.h
-server.o: rcv_info.h
server.o: keys.h
server.o: adns.h
server.o: dnskey.h
diff --git a/programs/pluto/constants.c b/programs/pluto/constants.c
index f4aa9d5d1..322de74ac 100644
--- a/programs/pluto/constants.c
+++ b/programs/pluto/constants.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: constants.c,v 1.23 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: constants.c,v 1.24 2007/01/21 08:35:47 as Exp $
*/
/*
@@ -707,7 +707,7 @@ static const char *const xauth_type_name[] = {
};
enum_names xauth_type_names =
- { XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL};
+ { XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL};
/* From draft-beaulieu-ike-xauth */
static const char *const xauth_attr_tv_name[] = {
@@ -725,6 +725,24 @@ enum_names xauth_attr_tv_names = {
XAUTH_TYPE + ISAKMP_ATTR_AF_TV,
XAUTH_STATUS + ISAKMP_ATTR_AF_TV, xauth_attr_tv_name, NULL };
+static const char *const unity_attr_name[] = {
+ "UNITY_BANNER",
+ "UNITY_SAVE_PASSWD",
+ "UNITY_DEF_DOMAIN",
+ "UNITY_SPLITDNS_NAME",
+ "UNITY_SPLIT_INCLUDE",
+ "UNITY_NATT_PORT",
+ "UNITY_LOCAL_LAN",
+ "UNITY_PFS",
+ "UNITY_FW_TYPE",
+ "UNITY_BACKUP_SERVERS",
+ "UNITY_DDNS_HOSTNAME",
+};
+
+enum_names unity_attr_names =
+ { UNITY_BANNER , UNITY_DDNS_HOSTNAME, unity_attr_name , &xauth_attr_tv_names };
+
+
static const char *const xauth_attr_name[] = {
"XAUTH_USER_NAME",
"XAUTH_USER_PASSWORD",
@@ -738,7 +756,7 @@ static const char *const xauth_attr_name[] = {
};
enum_names xauth_attr_names =
- { XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &xauth_attr_tv_names };
+ { XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &unity_attr_names };
static const char *const modecfg_attr_name[] = {
"INTERNAL_IP4_ADDRESS",
@@ -756,7 +774,6 @@ static const char *const modecfg_attr_name[] = {
"INTERNAL_IP4_SUBNET",
"SUPPORTED_ATTRIBUTES",
"INTERNAL_IP6_SUBNET",
- NULL
};
enum_names modecfg_attr_names =
diff --git a/programs/pluto/constants.h b/programs/pluto/constants.h
index f18e93fed..cd0d6357d 100644
--- a/programs/pluto/constants.h
+++ b/programs/pluto/constants.h
@@ -1,3 +1,4 @@
+
/* manifest constants
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2002 D. Hugh Redelmeier.
@@ -12,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: constants.h,v 1.23 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: constants.h,v 1.27 2007/01/29 08:27:53 as Exp $
*/
#ifndef _CONSTANTS_H
@@ -551,8 +552,8 @@ enum state_kind {
#define IS_ISAKMP_SA_ESTABLISHED(s) ( \
(s) == STATE_MAIN_R3 \
|| (s) == STATE_MAIN_I4 \
- || (s) == STATE_XAUTH_R3 \
|| (s) == STATE_XAUTH_I2 \
+ || (s) == STATE_XAUTH_R3 \
|| (s) == STATE_MODE_CFG_R1 \
|| (s) == STATE_MODE_CFG_I2 \
|| (s) == STATE_MODE_CFG_I3 \
@@ -661,9 +662,8 @@ extern enum_names attr_msg_type_names;
#define SUPPORTED_ATTRIBUTES 14
#define INTERNAL_IP6_SUBNET 15
-#define MODECFG_ROOF 16
-
extern enum_names modecfg_attr_names;
+
/* XAUTH attribute values */
#define XAUTH_TYPE 16520
#define XAUTH_USER_NAME 16521
@@ -680,12 +680,33 @@ extern enum_names modecfg_attr_names;
extern enum_names xauth_attr_names;
+/* ISAKMP mode config attributes specific to the Unity vendor Id */
+#define UNITY_BANNER 28672
+#define UNITY_SAVE_PASSWD 28673
+#define UNITY_DEF_DOMAIN 28674
+#define UNITY_SPLITDNS_NAME 28675
+#define UNITY_SPLIT_INCLUDE 28676
+#define UNITY_NATT_PORT 28677
+#define UNITY_LOCAL_LAN 28678
+#define UNITY_PFS 28679
+#define UNITY_FW_TYPE 28680
+#define UNITY_BACKUP_SERVERS 28681
+#define UNITY_DDNS_HOSTNAME 28682
+
+#define UNITY_BASE UNITY_BANNER
+
+extern enum_names unity_attr_names;
+
/* XAUTH authentication types */
#define XAUTH_TYPE_GENERIC 0
#define XAUTH_TYPE_CHAP 1
#define XAUTH_TYPE_OTP 2
#define XAUTH_TYPE_SKEY 3
+/* Values for XAUTH_STATUS */
+#define XAUTH_STATUS_FAIL 0
+#define XAUTH_STATUS_OK 1
+
extern enum_names xauth_type_names;
/* Exchange types
diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c
index 304d790e3..71aa771c7 100644
--- a/programs/pluto/demux.c
+++ b/programs/pluto/demux.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: demux.c,v 1.17 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: demux.c,v 1.18 2007/01/29 08:27:53 as Exp $
*/
/* Ordering Constraints on Payloads
@@ -461,7 +461,7 @@ static const struct state_microcode state_microcode_table[] = {
, EVENT_RETRANSMIT, xauth_inI0 },
{ STATE_XAUTH_R1, STATE_XAUTH_R2
- , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
, P(ATTR) | P(HASH), P(VID), PT(HASH)
, EVENT_RETRANSMIT, xauth_inR1 },
@@ -1572,6 +1572,15 @@ process_packet(struct msg_digest **mdp)
set_cur_state(st);
+ /* the XAUTH_STATUS message might have a new msgid */
+ if (st->st_state == STATE_XAUTH_I1)
+ {
+ init_phase2_iv(st, &md->hdr.isa_msgid);
+ new_iv_set = TRUE;
+ from_state = st->st_state;
+ break;
+ }
+
if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
{
loglog(RC_LOG_SERIOUS, "ModeCfg message is unacceptable because"
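Review bot: The new `STATE_XAUTH_I1` branch leaves the case with `break` before the `IS_ISAKMP_SA_ESTABLISHED` test and before anything that follows it, so a message with a previously unseen msgid is accepted on the state match alone. The rest of the case lies outside the hunk, so I cannot tell whether it validates the msgid (non-zero, not already in use); if it does, that validation is skipped here and `init_phase2_iv` derives the IV from a peer-chosen value. Consider performing the msgid check inside the branch before initialising the IV. The comment could also state what is expected, e.g. `/* only the XAUTH_STATUS set from the server is expected in this state */`. process_packet starts and ends outside the hunk.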
diff --git a/programs/pluto/ike_alg.c b/programs/pluto/ike_alg.c
index 456ca3a96..508e4ed2a 100644
--- a/programs/pluto/ike_alg.c
+++ b/programs/pluto/ike_alg.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: ike_alg.c,v 1.7 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: ike_alg.c,v 1.8 2007/01/15 07:48:01 as Exp $
*/
#include <stdio.h>
@@ -231,11 +231,12 @@ ike_alg_db_new(struct alg_info_ike *ai , lset_t policy)
{
struct db_context *db_ctx = NULL;
struct ike_info *ike_info;
- u_int ealg, halg, modp, eklen = 0;
struct encrypt_desc *enc_desc;
- bool is_xauth_server;
+ u_int ealg, halg, modp, eklen = 0;
int i;
+ bool is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY;
+
if (!ai)
{
whack_log(RC_LOG_SERIOUS, "no IKE algorithms "
@@ -305,8 +306,6 @@ ike_alg_db_new(struct alg_info_ike *ai , lset_t policy)
db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
}
- is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY;
-
if (policy & POLICY_XAUTH_RSASIG)
{
db_trans_add(db_ctx, KEY_IKE);
diff --git a/programs/pluto/modecfg.c b/programs/pluto/modecfg.c
index 01bab8c6e..620c595fb 100644
--- a/programs/pluto/modecfg.c
+++ b/programs/pluto/modecfg.c
@@ -2,7 +2,7 @@
* Copyright (C) 2001-2002 Colubris Networks
* Copyright (C) 2003 Sean Mathews - Nu Tech Software Solutions, inc.
* Copyright (C) 2003-2004 Xelerance Corporation
- * Copyright (C) 2006 Andreas Steffen - Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2006-2007 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: modecfg.c,v 1.10 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: modecfg.c,v 1.16 2007/01/29 08:27:54 as Exp $
*
* This code originally written by Colubris Networks, Inc.
* Extraction of patch and porting to 1.99 codebases by Xelerance Corporation
@@ -43,12 +43,17 @@
#define MAX_XAUTH_TRIES 3
-#define SUPPORTED_ATTR_SET ( LELEM(INTERNAL_IP4_ADDRESS) \
- | LELEM(INTERNAL_IP4_NETMASK) \
- | LELEM(INTERNAL_IP4_DNS) \
- | LELEM(INTERNAL_IP4_NBNS) \
+#define SUPPORTED_ATTR_SET ( LELEM(INTERNAL_IP4_ADDRESS) \
+ | LELEM(INTERNAL_IP4_NETMASK) \
+ | LELEM(INTERNAL_IP4_DNS) \
+ | LELEM(INTERNAL_IP4_NBNS) \
+ | LELEM(APPLICATION_VERSION) \
)
+#define SUPPORTED_UNITY_ATTR_SET ( LELEM(UNITY_BANNER - UNITY_BASE) )
+
+#define UNITY_BANNER_STR "Welcome to strongSwan - the Linux VPN Solution!\n"
+
/*
* Addresses assigned (usually via ModeCfg) to the Initiator
*/
@@ -57,12 +62,16 @@ typedef struct internal_addr internal_addr_t;
struct internal_addr
{
lset_t attr_set;
+ lset_t xauth_attr_set;
+ lset_t unity_attr_set;
/* ModeCfg variables */
ip_address ipaddr;
ip_address dns[2];
ip_address wins[2];
+ char *unity_banner;
+
/* XAUTH variables */
u_int16_t xauth_type;
xauth_t xauth_secret;
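Review bot: The new `char *unity_banner;` field should be declared `const char *unity_banner;`. Everywhere this commit assigns it (modecfg_inR0 and modecfg_send_set) it points at the string literal `UNITY_BANNER_STR`, and the only reader passes it to `strlen` and `out_raw`. A non-const pointer to a literal invites a later write through it. A short comment such as `/* borrowed pointer, not owned or freed by internal_addr */` would also make the ownership explicit. The struct continues outside the hunk.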
@@ -76,9 +85,13 @@ static void
init_internal_addr(internal_addr_t *ia)
{
ia->attr_set = LEMPTY;
+ ia->xauth_attr_set = LEMPTY;
ia->xauth_secret.user_name = empty_chunk;
ia->xauth_secret.user_password = empty_chunk;
- ia->xauth_status = FALSE;
+ ia->xauth_type = XAUTH_TYPE_GENERIC;
+ ia->xauth_status = XAUTH_STATUS_FAIL;
+ ia->unity_attr_set = LEMPTY;
+ ia->unity_banner = NULL;
anyaddr(AF_INET, &ia->ipaddr);
anyaddr(AF_INET, &ia->dns[0]);
@@ -93,8 +106,6 @@ init_internal_addr(internal_addr_t *ia)
static void
get_internal_addr(struct connection *c, internal_addr_t *ia)
{
- init_internal_addr(ia);
-
if (isanyaddr(&c->spd.that.host_srcip))
{
/* not defined in connection - fetch it from LDAP */
@@ -115,10 +126,10 @@ get_internal_addr(struct connection *c, internal_addr_t *ia)
c->spd.that.client.maskbits = 32;
c->spd.that.has_client = TRUE;
- ia->attr_set |= LELEM(INTERNAL_IP4_ADDRESS) | LELEM(INTERNAL_IP4_NETMASK);
+ ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS)
+ | LELEM(INTERNAL_IP4_NETMASK);
}
-
if (!isanyaddr(&ia->dns[0])) /* We got DNS addresses, send them */
ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
@@ -210,6 +221,8 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
int attr_type;
int dns_idx, wins_idx;
bool dont_advance;
+ bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY;
+ bool is_unity_attr_set = ia->unity_attr_set != LEMPTY;
lset_t attr_set = ia->attr_set;
attrh.isama_np = ISAKMP_NEXT_NONE;
@@ -223,9 +236,26 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
dns_idx = 0;
wins_idx = 0;
- while (attr_set != 0)
+ while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set)
{
+ if (attr_set == LEMPTY)
+ {
+ if (is_xauth_attr_set)
+ {
+ attr_set = ia->xauth_attr_set;
+ attr_type = XAUTH_BASE;
+ is_xauth_attr_set = FALSE;
+ }
+ else
+ {
+ attr_set = ia->unity_attr_set;
+ attr_type = UNITY_BASE;
+ is_unity_attr_set = FALSE;
+ }
+ }
+
dont_advance = FALSE;
+
if (attr_set & 1)
{
const u_char *byte_ptr;
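Review bot: The reworked loop in modecfg_build_msg now walks three bit sets in sequence, but nothing in the code says so. The order and the rebasing of `attr_type` have to be inferred from the two boolean flags. A comment above the `while` would help, e.g. `/* emit ModeCfg attributes first, then XAUTH, then Unity; attr_type is rebased when a set is exhausted */`. It is also worth noting there that the initial value of `attr_type` for the first set is assigned before the loop, outside this hunk, so the rebasing only covers the second and third sets.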
@@ -343,6 +373,14 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
break;
case XAUTH_STATUS:
break;
+ case UNITY_BANNER:
+ if (ia->unity_banner != NULL)
+ {
+ out_raw(ia->unity_banner
+ , strlen(ia->unity_banner)
+ , &attrval, "UNITY_BANNER");
+ }
+ break;
default:
plog("attempt to send unsupported mode cfg attribute %s."
, enum_show(&modecfg_attr_names, attr_type));
@@ -353,10 +391,6 @@ modecfg_build_msg(struct state *st, pb_stream *rbody
if (!dont_advance)
{
attr_type++;
- if (attr_type == MODECFG_ROOF)
- {
- attr_type = XAUTH_BASE;
- }
attr_set >>= 1;
}
}
@@ -454,28 +488,81 @@ modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
{
initaddr((char *)(strattr.cur), 4, AF_INET, &ia->ipaddr);
}
- /* fall through to set attribute flags */
+ /* fall through to set attribute flag */
case INTERNAL_IP4_NETMASK:
case INTERNAL_IP4_DNS:
case INTERNAL_IP4_SUBNET:
case INTERNAL_IP4_NBNS:
+ case INTERNAL_ADDRESS_EXPIRY:
+ case INTERNAL_IP4_DHCP:
+ case INTERNAL_IP6_ADDRESS:
+ case INTERNAL_IP6_NETMASK:
+ case INTERNAL_IP6_DNS:
+ case INTERNAL_IP6_NBNS:
+ case INTERNAL_IP6_DHCP:
+ case SUPPORTED_ATTRIBUTES:
+ case INTERNAL_IP6_SUBNET:
+ ia->attr_set |= LELEM(attr_type);
+ break;
+ case APPLICATION_VERSION:
+ if (attr_len > 0)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" '%.*s'", attr_len, strattr.cur)
+ )
+ }
ia->attr_set |= LELEM(attr_type);
break;
case XAUTH_TYPE:
ia->xauth_type = attr.isaat_lv;
- ia->attr_set |= LELEM(attr_type - XAUTH_BASE + MODECFG_ROOF);
+ ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
break;
case XAUTH_USER_NAME:
setchunk(ia->xauth_secret.user_name, strattr.cur, attr_len);
- ia->attr_set |= LELEM(attr_type - XAUTH_BASE + MODECFG_ROOF);
+ ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
break;
case XAUTH_USER_PASSWORD:
setchunk(ia->xauth_secret.user_password, strattr.cur, attr_len);
- ia->attr_set |= LELEM(attr_type - XAUTH_BASE + MODECFG_ROOF);
+ ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
break;
case XAUTH_STATUS:
ia->xauth_status = attr.isaat_lv;
- ia->attr_set |= LELEM(attr_type - XAUTH_BASE + MODECFG_ROOF);
+ ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+ break;
+ case XAUTH_MESSAGE:
+ if (attr_len > 0)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" '%.*s'", attr_len, strattr.cur)
+ )
+ }
+ /* fall through to set attribute flag */
+ case XAUTH_PASSCODE:
+ case XAUTH_CHALLENGE:
+ case XAUTH_DOMAIN:
+ case XAUTH_NEXT_PIN:
+ case XAUTH_ANSWER:
+ ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+ break;
+ case UNITY_DDNS_HOSTNAME:
+ if (attr_len > 0)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" '%.*s'", attr_len, strattr.cur)
+ )
+ }
+ /* fall through to set attribute flag */
+ case UNITY_BANNER:
+ case UNITY_SAVE_PASSWD:
+ case UNITY_DEF_DOMAIN:
+ case UNITY_SPLITDNS_NAME:
+ case UNITY_SPLIT_INCLUDE:
+ case UNITY_NATT_PORT:
+ case UNITY_LOCAL_LAN:
+ case UNITY_PFS:
+ case UNITY_FW_TYPE:
+ case UNITY_BACKUP_SERVERS:
+ ia->unity_attr_set |= LELEM(attr_type - UNITY_BASE);
break;
default:
plog("unsupported ModeCfg attribute %s received."
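Review bot: The added `DBG_log(" '%.*s'", attr_len, strattr.cur)` calls for APPLICATION_VERSION, XAUTH_MESSAGE and UNITY_DDNS_HOSTNAME write peer-supplied bytes to the debug log exactly as received. Unless the logging layer already replaces non-printable characters, a peer can embed newlines or control sequences in these attributes and forge or garble log lines. Restricting the output to printable characters before logging would close that. `%.*s` also takes an `int` precision, so if `attr_len` is declared wider than `int` (its declaration is outside the hunk) it needs an explicit cast. modecfg_parse_attributes starts and ends outside the hunk.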
@@ -547,6 +634,7 @@ modecfg_send_request(struct state *st)
internal_addr_t ia;
init_internal_addr(&ia);
+
ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
| LELEM(INTERNAL_IP4_NETMASK);
@@ -569,14 +657,24 @@ modecfg_inR0(struct msg_digest *md)
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
+ bool want_unity_banner;
stf_status stat, stat_build;
stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
if (stat != STF_OK)
return stat;
-
+
+ want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY;
+
+ init_internal_addr(&ia);
get_internal_addr(st->st_connection, &ia);
+ if (want_unity_banner)
+ {
+ ia.unity_banner = UNITY_BANNER_STR;
+ ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
+ }
+
plog("sending ModeCfg reply");
stat_build = modecfg_build_msg(st, &md->rbody
@@ -624,9 +722,15 @@ modecfg_send_set(struct state *st)
stf_status stat;
internal_addr_t ia;
+ init_internal_addr(&ia);
get_internal_addr(st->st_connection, &ia);
- plog("sending ModeCfg set");
+#ifdef CISCO_QUIRKS
+ ia.unity_banner = UNITY_BANNER_STR;
+ ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
+#endif
+
+ plog("sending ModeCfg set");
st->st_state = STATE_MODE_CFG_R3;
stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
if (stat == STF_OK)
@@ -645,7 +749,7 @@ modecfg_inI0(struct msg_digest *md)
struct state *const st = md->st;
u_int16_t isama_id;
internal_addr_t ia;
- lset_t attr_set;
+ lset_t attr_set, unity_attr_set;
stf_status stat, stat_build;
plog("parsing ModeCfg set");
@@ -658,8 +762,10 @@ modecfg_inI0(struct msg_digest *md)
/* prepare ModeCfg ack which sends zero length attributes */
attr_set = ia.attr_set;
+ unity_attr_set = ia.unity_attr_set;
init_internal_addr(&ia);
ia.attr_set = attr_set & SUPPORTED_ATTR_SET;
+ ia.unity_attr_set = unity_attr_set & SUPPORTED_UNITY_ATTR_SET;
plog("sending ModeCfg ack");
@@ -707,8 +813,8 @@ xauth_send_request(struct state *st)
internal_addr_t ia;
init_internal_addr(&ia);
- ia.attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)
- | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF);
+ ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE)
+ | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
plog("sending XAUTH request");
st->st_state = STATE_XAUTH_R1;
@@ -730,6 +836,7 @@ xauth_inI0(struct msg_digest *md)
u_int16_t isama_id;
internal_addr_t ia;
stf_status stat, stat_build;
+ bool xauth_type_present;
plog("parsing XAUTH request");
@@ -738,18 +845,19 @@ xauth_inI0(struct msg_digest *md)
return stat;
/* check XAUTH attributes */
- if ((ia.attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE + MODECFG_ROOF)) != LEMPTY
- && ia.xauth_type != XAUTH_TYPE_GENERIC)
+ xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY;
+
+ if (xauth_type_present && ia.xauth_type != XAUTH_TYPE_GENERIC)
{
plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type));
stat = STF_FAIL;
}
- else if ((ia.attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
+ else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
{
plog("user name attribute is missing in XAUTH request");
stat = STF_FAIL;
}
- else if ((ia.attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
+ else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
{
plog("user password attribute is missing in XAUTH request");
stat = STF_FAIL;
@@ -779,13 +887,15 @@ xauth_inI0(struct msg_digest *md)
, ia.xauth_secret.user_password.len
, ia.xauth_secret.user_password.ptr)
)
- ia.attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)
- | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF);
+ ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE)
+ | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
+ if (xauth_type_present)
+ ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE);
}
else
{
- ia.attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE + MODECFG_ROOF);
- ia.xauth_status = FALSE;
+ ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
+ ia.xauth_status = XAUTH_STATUS_FAIL;
}
plog("sending XAUTH reply");
@@ -800,6 +910,7 @@ xauth_inI0(struct msg_digest *md)
if (stat == STF_OK)
{
st->st_xauth.started = TRUE;
+ st->st_msgid = 0;
return STF_OK;
}
else
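Review bot: The added `st->st_msgid = 0;` in xauth_inI0 has no comment, and its purpose is only understandable together with the demux.c change in this commit. Presumably it clears the request's msgid so that the following XAUTH_STATUS message can arrive under a new one. That should be said at the assignment, e.g. `/* forget the request msgid; the XAUTH_STATUS set may use a new one (see process_packet) */`. Resetting a per-exchange identifier on the state is easy to break during later refactoring without such a note. The function body starts outside the hunk.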
@@ -834,7 +945,7 @@ xauth_inR1(struct msg_digest *md)
return stat;
/* did the client return an XAUTH FAIL status? */
- if ((ia.attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE + MODECFG_ROOF)) != LEMPTY)
+ if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY)
{
plog("received FAIL status in XAUTH reply");
@@ -844,12 +955,12 @@ xauth_inR1(struct msg_digest *md)
}
/* check XAUTH reply */
- if ((ia.attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
+ if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
{
plog("user name attribute is missing in XAUTH reply");
st->st_xauth.status = FALSE;
}
- else if ((ia.attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE + MODECFG_ROOF)) == LEMPTY)
+ else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
{
plog("user password attribute is missing in XAUTH reply");
st->st_xauth.status = FALSE;
@@ -873,16 +984,13 @@ xauth_inR1(struct msg_digest *md)
/* prepare XAUTH set which sends the authentication status */
init_internal_addr(&ia);
- ia.attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE + MODECFG_ROOF);
- ia.xauth_status = st->st_xauth.status;
+ ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
+ ia.xauth_status = (st->st_xauth.status)? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL;
plog("sending XAUTH status:");
- stat_build = modecfg_build_msg(st, &md->rbody
- , ISAKMP_CFG_SET
- , &ia
- , isama_id);
- if (stat_build != STF_OK)
+ stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
+ if (stat_build != STF_OK)
return stat_build;
return STF_OK;
}
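Review bot: After the switch to `modecfg_send_msg`, the tail of xauth_inR1 stores the result in `stat_build`, returns it if it is not `STF_OK`, and otherwise returns `STF_OK`. That is equivalent to `return modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);`, and the name `stat_build` no longer matches what the call does. It would also help to add a comment that the status is sent as a new exchange rather than as a reply in `md->rbody`, which is why the demux.c entry for STATE_XAUTH_R1 drops `SMF_REPLY`. The start of the function is outside the hunk.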
diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
index 613f8d50f..d7e9d8a2c 100644
--- a/programs/pluto/plutomain.c
+++ b/programs/pluto/plutomain.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: plutomain.c,v 1.18 2007/01/14 10:11:56 as Exp $
+ * RCSID $Id: plutomain.c,v 1.19 2007/01/29 08:27:19 as Exp $
*/
#include <stdio.h>
@@ -531,19 +531,6 @@ main(int argc, char **argv)
}
}
-#ifdef IPSECPOLICY
- /* create info socket. */
- {
- err_t ugh = init_info_socket();
-
- if (ugh != NULL)
- {
- fprintf(stderr, "pluto: %s", ugh);
- exit_pluto(1);
- }
- }
-#endif
-
/* If not suppressed, do daemon fork */
if (fork_desired)
@@ -595,12 +582,10 @@ main(int argc, char **argv)
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
- if ((!log_to_stderr || i != 2)
-#ifdef IPSECPOLICY
- && i != info_fd
-#endif
- && i != ctl_fd)
+ {
+ if ((!log_to_stderr || i != 2) && i != ctl_fd)
close(i);
+ }
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
diff --git a/programs/pluto/rcv_info.c b/programs/pluto/rcv_info.c
deleted file mode 100644
index 1f6127830..000000000
--- a/programs/pluto/rcv_info.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/* info/policy communicating routines
- * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: rcv_info.c,v 1.2 2004/04/01 18:44:38 as Exp $
- */
-
-#include <stdio.h>
-#include <stddef.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
-#include <sys/queue.h>
-
-#include <freeswan.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "id.h"
-#include "connections.h"
-#include "foodgroups.h"
-#include "whack.h" /* needs connections.h */
-#include "packet.h"
-#include "demux.h" /* needs packet.h */
-#include "state.h"
-#include "ipsec_doi.h" /* needs demux.h and state.h */
-#include "kernel.h"
-#include "rcv_whack.h"
-#include "log.h"
-#include "keys.h"
-#include "adns.h" /* needs <resolv.h> */
-#include "dnskey.h" /* needs keys.h and adns.h */
-#include "server.h"
-
-#include "freeswan/ipsec_policy.h"
-#include "rcv_info.h"
-
-/* global */
-int info_fd = -1;
-
-static void
-info_lookuphostpair(struct ipsec_policy_cmd_query *ipcq)
-{
- struct connection *c;
- struct state *p1st, *p2st;
-
-
- /* default result: no crypto */
- ipcq->strength = IPSEC_PRIVACY_NONE;
- ipcq->bandwidth = IPSEC_QOS_WIRESPEED;
- ipcq->credential_count = 0;
-
-#ifdef DEBUG
- {
- char sstr[ADDRTOT_BUF], dstr[ADDRTOT_BUF];
-
- addrtot(&ipcq->query_local, 0, sstr, sizeof(sstr));
- addrtot(&ipcq->query_remote, 0, dstr, sizeof(dstr));
- DBG_log("info request for %s -> %s", sstr, dstr);
- }
-#endif
-
- /* okay, look up what connection handles this ip pair */
-
- c = find_connection_for_clients(NULL,
- &ipcq->query_local,
- &ipcq->query_remote);
- if (c == NULL)
- {
- /* try reversing it */
- c = find_connection_for_clients(NULL,
- &ipcq->query_remote,
- &ipcq->query_local);
- if (c != NULL)
- {
- ip_address tmp;
- tmp = ipcq->query_local;
- ipcq->query_local = ipcq->query_remote;
- ipcq->query_remote = tmp;
- }
- }
-
- if (c == NULL)
- {
-#ifdef DEBUG
- DBG_log("no connection found");
-#endif
- return; /* no crypto */
- }
-
- if (c->newest_ipsec_sa == SOS_NOBODY)
- {
- ip_subnet us, them;
-
- DBG_log("connection %s found, no ipsec state, looking again", c->name);
- addrtosubnet(&ipcq->query_local, &us);
- addrtosubnet(&ipcq->query_remote, &them);
- c = find_client_connection(c, &us, &them);
-
- if (c == NULL)
- return; /* no crypto */
- }
-
- DBG_log("connection %s[%ld] with state %u"
- , c->name, c->instance_serial
- , (unsigned int)c->newest_ipsec_sa);
-
- if (c->newest_ipsec_sa == SOS_NOBODY)
- return; /* no crypto */
-
- /* we found a connection, try to lookup the state */
- p2st = state_with_serialno(c->newest_ipsec_sa);
-
- p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
-
- if (p1st == NULL || p2st == NULL)
- {
- DBG_log("connection %s[%ld] has missing states %s %s"
- , c->name, c->instance_serial
- , (p1st ? "phase1" : "")
- , (p2st ? "phase1" : ""));
- return; /* no crypto */
- }
-
- /* if we have AH present, then record minimal info */
- if (p2st->st_ah.present)
- {
- ipcq->strength = IPSEC_PRIVACY_INTEGRAL;
- ipcq->auth_detail = p2st->st_esp.attrs.auth;
- }
-
- if (p2st->st_esp.present)
- {
- /*
- * XXX-mcr Please do not shout at me about relative strengths
- * here. I'm not a cryptographer. I just diddle bits.
- */
- switch (p2st->st_esp.attrs.transid)
- {
- case ESP_NULL:
- /* actually, do not change it if we set it from AH */
- break;
-
- case ESP_DES:
- case ESP_DES_IV64:
- case ESP_DES_IV32:
- case ESP_RC4:
- ipcq->strength = IPSEC_PRIVACY_ROT13;
- break;
-
- case ESP_RC5:
- case ESP_IDEA:
- case ESP_CAST:
- case ESP_BLOWFISH:
- case ESP_3DES:
- ipcq->strength = IPSEC_PRIVACY_PRIVATE;
- ipcq->bandwidth = IPSEC_QOS_VOIP;
- break;
-
- case ESP_3IDEA:
- ipcq->strength = IPSEC_PRIVACY_STRONG;
- ipcq->bandwidth = IPSEC_QOS_INTERACTIVE;
- break;
-
- case ESP_AES:
- ipcq->strength = IPSEC_PRIVACY_STRONG;
- ipcq->bandwidth = IPSEC_QOS_FTP;
- break;
- }
- ipcq->esp_detail = p2st->st_esp.attrs.transid;
- }
-
- if (p2st->st_ipcomp.present)
- ipcq->comp_detail = p2st->st_esp.attrs.transid;
-
- /* now! the credentails that were used */
- /* for the moment we only have 1 credential, the DNS name,
- * because the DNS servers do not return the chain of SIGs yet
- */
-
- if(!c->spd.this.key_from_DNS_on_demand)
- {
- /* the key didn't come from the DNS in some way,
- * so it must have been loaded locally.
- */
- ipcq->credential_count = 1;
- ipcq->credentials[0].ii_type = c->spd.this.id.kind;
- ipcq->credentials[0].ii_format = CERT_RAW_RSA;
- }
-
-#if 0
- switch (c->spd.id.kind)
- {
- case ID_IPV4_ADDR:
- }
- if (c->gw_info == NULL)
- {
- plog("rcv_info: connection %s had NULL gw_info.", c->name);
- return
- }
-#endif
-
- ipcq->credential_count = 1;
-
- /* pull credentials out of gw_info */
-
- switch (p1st->st_peer_pubkey->dns_auth_level)
- {
- case DAL_UNSIGNED:
- case DAL_NOTSEC:
- /* these seem to be the same for this purpose */
- ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
- ipcq->credentials[0].ii_type = CERT_NONE;
- idtoa(&p1st->st_peer_pubkey->id
- , ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn
- , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn));
- break;
-
- case DAL_SIGNED:
- ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
- ipcq->credentials[0].ii_format = CERT_DNS_SIGNED_KEY;
- idtoa(&p1st->st_peer_pubkey->id
- , ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn
- , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn));
-
- if (p1st->st_peer_pubkey->dns_sig != NULL)
- {
- strncat(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig
- , p1st->st_peer_pubkey->dns_sig
- , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig));
- }
- break;
-
- case DAL_LOCAL:
- ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
- ipcq->credentials[0].ii_format = CERT_RAW_RSA;
- idtoa(&p1st->st_peer_pubkey->id
- , ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name
- , sizeof(ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name));
- break;
- }
-}
-
-/*
- * Handle an info/policy request.
- *
- * For now, we close the socket after answering the request.
- *
- */
-void
-info_handle(int infoctlfd)
-{
- struct sockaddr_un info_client_addr;
- int info_addr_len = sizeof(info_client_addr);
- /* Note: actual value in n should fit in int. To print, cast to int. */
- int infofd;
- err_t err;
- struct ipsec_policy_cmd_query ipcq;
-
- infofd = accept(infoctlfd, (struct sockaddr *)&info_client_addr
- , &info_addr_len);
-
- if (infofd < 0)
- {
- log_errno((e, "accept() failed in info_handle()"));
- return;
- }
-
- err = ipsec_policy_readmsg(infofd, (unsigned char *)&ipcq, sizeof(ipcq));
-
- if (err != NULL)
- {
- log_errno((e, "readmsg said: %s", err));
- close(infofd);
- return;
- }
-
- switch (ipcq.head.ipm_msg_type)
- {
- case IPSEC_CMD_QUERY_HOSTPAIR:
- info_lookuphostpair(&ipcq);
- write(infofd, &ipcq, ipcq.head.ipm_msg_len);
- break;
-
- default:
- plog("got unimplemented msg type: %d", ipcq.head.ipm_msg_type);
- break;
- }
-
- /* for now, close the socket */
- close(infofd);
-}
diff --git a/programs/pluto/rcv_info.h b/programs/pluto/rcv_info.h
deleted file mode 100644
index b5eaef219..000000000
--- a/programs/pluto/rcv_info.h
+++ /dev/null
@@ -1,18 +0,0 @@
-/* whack communicating routines
- * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: rcv_info.h,v 1.1 2004/03/15 20:35:29 as Exp $
- */
-
-#include "freeswan/ipsec_policy.h"
-extern void info_handle(int infoctlfd);
diff --git a/programs/pluto/server.c b/programs/pluto/server.c
index 30251138e..17b70eba4 100644
--- a/programs/pluto/server.c
+++ b/programs/pluto/server.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: server.c,v 1.9 2005/09/09 14:15:35 as Exp $
+ * RCSID $Id: server.c,v 1.10 2007/01/29 08:27:19 as Exp $
*/
#include <stdio.h>
@@ -54,7 +54,6 @@
#include "packet.h"
#include "demux.h" /* needs packet.h */
#include "rcv_whack.h"
-#include "rcv_info.h"
#include "keys.h"
#include "adns.h" /* needs <resolv.h> */
#include "dnskey.h" /* needs keys.h and adns.h */
@@ -128,50 +127,6 @@ delete_ctl_socket(void)
unlink(ctl_addr.sun_path);
}
-#ifdef IPSECPOLICY
-/* Initialize the info socket.
- */
-err_t
-init_info_socket(void)
-{
- err_t failed = NULL;
-
- delete_info_socket(); /* preventative medicine */
- info_fd = socket(AF_UNIX, SOCK_STREAM, 0);
- if (info_fd == -1)
- failed = "create";
- else if (fcntl(info_fd, F_SETFD, FD_CLOEXEC) == -1)
- failed = "fcntl FD+CLOEXEC";
- else if (setsockopt(info_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
- failed = "setsockopt";
- else
- {
- /* this socket should be openable by all proceses */
- mode_t ou = umask(0);
-
- if (bind(info_fd, (struct sockaddr *)&info_addr
- , offsetof(struct sockaddr_un, sun_path) + strlen(info_addr.sun_path)) < 0)
- failed = "bind";
- umask(ou);
- }
-
- /* 64 might be big enough, and the system may limit us anyway.
- */
- if (failed == NULL && listen(info_fd, 64) < 0)
- failed = "listen() on";
-
- return failed == NULL? NULL : builddiag("could not %s info socket: %d %s"
- , failed, errno, strerror(errno));
-}
-
-void
-delete_info_socket(void)
-{
- unlink(info_addr.sun_path);
-}
-#endif /* IPSECPOLICY */
-
-
bool listening = FALSE; /* should we pay attention to IKE messages? */
struct iface *interfaces = NULL; /* public interfaces */
@@ -885,11 +840,6 @@ call_server(void)
FD_ZERO(&readfds);
FD_ZERO(&writefds);
FD_SET(ctl_fd, &readfds);
-#ifdef IPSECPOLICY
- FD_SET(info_fd, &readfds);
- if (maxfd < info_fd)
- maxfd = info_fd;
-#endif
/* the only write file-descriptor of interest */
if (adns_qfd != NULL_FD && unsent_ADNS_queries)
@@ -1039,19 +989,6 @@ call_server(void)
ndes--;
}
-#ifdef IPSECPOLICY
- if (FD_ISSET(info_fd, &readfds))
- {
- passert(ndes > 0);
- DBG(DBG_CONTROL,
- DBG_log(BLANK_FORMAT);
- DBG_log("*received info message"));
- info_handle(info_fd);
- passert(GLOBALS_ARE_RESET());
- ndes--;
- }
-#endif
-
passert(ndes == 0);
}
}
diff --git a/programs/pluto/vendor.c b/programs/pluto/vendor.c
index 3e2e0768a..4ca3adffc 100644
--- a/programs/pluto/vendor.c
+++ b/programs/pluto/vendor.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: vendor.c,v 1.43 2007/01/10 00:31:36 as Exp $
+ * RCSID $Id: vendor.c,v 1.45 2007/01/20 18:01:13 as Exp $
*/
#include <stdlib.h>
@@ -208,8 +208,10 @@ static struct vid_struct _vid_tab[] = {
DEC_MD5_VID(STRONGSWAN_4_0_4, "strongSwan 4.0.4")
DEC_MD5_VID(STRONGSWAN_4_0_5, "strongSwan 4.0.5")
DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
+ DEC_MD5_VID(STRONGSWAN_4_0_7, "strongSwan 4.0.7")
- DEC_MD5_VID(STRONGSWAN, "strongSwan 2.8.1")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 2.8.2")
+ DEC_MD5_VID(STRONGSWAN_2_8_1, "strongSwan 2.8.1")
DEC_MD5_VID(STRONGSWAN_2_8_0, "strongSwan 2.8.0")
DEC_MD5_VID(STRONGSWAN_2_7_3, "strongSwan 2.7.3")
DEC_MD5_VID(STRONGSWAN_2_7_2, "strongSwan 2.7.2")
diff --git a/programs/pluto/vendor.h b/programs/pluto/vendor.h
index 060311b92..2649c5b2f 100644
--- a/programs/pluto/vendor.h
+++ b/programs/pluto/vendor.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: vendor.h,v 1.38 2007/01/10 00:31:36 as Exp $
+ * RCSID $Id: vendor.h,v 1.40 2007/01/20 18:01:13 as Exp $
*/
#ifndef _VENDOR_H_
@@ -82,6 +82,7 @@ enum known_vendorid {
VID_STRONGSWAN_2_7_2 = 61,
VID_STRONGSWAN_2_7_3 = 62,
VID_STRONGSWAN_2_8_0 = 63,
+ VID_STRONGSWAN_2_8_1 = 64,
VID_STRONGSWAN_4_0_0 = 70,
VID_STRONGSWAN_4_0_1 = 71,
@@ -90,6 +91,7 @@ enum known_vendorid {
VID_STRONGSWAN_4_0_4 = 74,
VID_STRONGSWAN_4_0_5 = 75,
VID_STRONGSWAN_4_0_6 = 76,
+ VID_STRONGSWAN_4_0_7 = 77,
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =101,