Diffstat (limited to 'src/pluto')
41 files changed, 610 insertions, 699 deletions
diff --git a/src/pluto/Android.mk b/src/pluto/Android.mk new file mode 100644 index 000000000..618f79c42 --- /dev/null +++ b/src/pluto/Android.mk 
@@ -0,0 +1,80 @@ +LOCAL_PATH := $(call my-dir) +include $(CLEAR_VARS) + +# copy-n-paste from Makefile.am +LOCAL_SRC_FILES := \ +ac.c ac.h \ +alg_info.c alg_info.h \ +ca.c ca.h \ +certs.c certs.h \ +connections.c connections.h \ +constants.c constants.h \ +cookie.c cookie.h \ +crl.c crl.h \ +crypto.c crypto.h \ +db_ops.c db_ops.h \ +defs.c defs.h \ +demux.c demux.h \ +event_queue.c event_queue.h \ +fetch.c fetch.h \ +foodgroups.c foodgroups.h \ +ike_alg.c ike_alg.h \ +ipsec_doi.c ipsec_doi.h \ +kameipsec.h \ +kernel.c kernel.h \ +kernel_alg.c kernel_alg.h \ +kernel_pfkey.c kernel_pfkey.h \ +keys.c keys.h \ +lex.c lex.h \ +log.c log.h \ +myid.c myid.h \ +modecfg.c modecfg.h \ +nat_traversal.c nat_traversal.h \ +ocsp.c ocsp.h \ +packet.c packet.h \ +pkcs7.c pkcs7.h \ +plugin_list.c plugin_list.h \ +pluto.c pluto.h \ +plutomain.c \ +rcv_whack.c rcv_whack.h \ +server.c server.h \ +smartcard.c smartcard.h \ +spdb.c spdb.h \ +state.c state.h \ +timer.c timer.h \ +vendor.c vendor.h \ +virtual.c virtual.h \ +whack_attribute.c whack_attribute.h \ +xauth/xauth_manager.c xauth/xauth_manager.h \ +xauth/xauth_provider.h xauth/xauth_verifier.h \ +x509.c x509.h \ +builder.c builder.h \ +rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h + +LOCAL_SRC_FILES += $(call add_plugin, xauth) + +# build pluto ------------------------------------------------------------------ + +LOCAL_C_INCLUDES += \ + $(libvstr_PATH) \ + $(strongswan_PATH)/src/libhydra \ + $(strongswan_PATH)/src/libstrongswan \ + $(strongswan_PATH)/src/libfreeswan \ + $(strongswan_PATH)/src/whack + +LOCAL_CFLAGS := $(strongswan_CFLAGS) \ + -DPLUTO -DVENDORID -DXAUTH_VID -DCISCO_QUIRKS \ + -DTHREADS -DKERNEL26_HAS_KAME_DUPLICATES \ + -DPLUGINS='"$(strongswan_PLUTO_PLUGINS)"' + +LOCAL_MODULE := pluto + +LOCAL_MODULE_TAGS := optional + +LOCAL_ARM_MODE := arm + +LOCAL_PRELINK_MODULE := false + +LOCAL_SHARED_LIBRARIES += libstrongswan libhydra libfreeswan libcutils + +include $(BUILD_EXECUTABLE) 
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index 934b11a46..3fd0e039c 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -2,7 +2,11 @@ # painless way. Only the most important options are included, # further work may be necessary here... -ipsec_PROGRAMS = pluto _pluto_adns +ipsec_PROGRAMS = pluto + +if USE_ADNS +ipsec_PROGRAMS += _pluto_adns +endif pluto_SOURCES = \ ac.c ac.h \ @@ -17,7 +21,6 @@ crypto.c crypto.h \ db_ops.c db_ops.h \ defs.c defs.h \ demux.c demux.h \ -dnskey.c dnskey.h \ event_queue.c event_queue.h \ fetch.c fetch.h \ foodgroups.c foodgroups.h \ @@ -36,6 +39,7 @@ nat_traversal.c nat_traversal.h \ ocsp.c ocsp.h \ packet.c packet.h \ pkcs7.c pkcs7.h \ +plugin_list.c plugin_list.h \ pluto.c pluto.h \ plutomain.c \ rcv_whack.c rcv_whack.h \ @@ -53,7 +57,13 @@ x509.c x509.h \ builder.c builder.h \ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h -_pluto_adns_SOURCES = adns.c adns.h +if USE_ADNS +pluto_SOURCES += \ +dnskey.c dnskey.h + +_pluto_adns_SOURCES = \ +adns.c adns.h +endif plutomain.o : $(top_builddir)/config.status @@ -75,7 +85,7 @@ AM_CFLAGS = -rdynamic \ -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \ -DPLUGINS=\""${pluto_plugins}\"" \ -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \ --DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \ +-DKERNEL26_HAS_KAME_DUPLICATES \ -DPLUTO -DDEBUG pluto_LDADD = \ @@ -84,12 +94,16 @@ $(LIBFREESWANDIR)/libfreeswan.a \ $(LIBHYDRADIR)/libhydra.la \ -lresolv $(PTHREADLIB) $(DLLIB) +if USE_ADNS _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv $(DLLIB) +endif dist_man_MANS = pluto.8 +EXTRA_DIST = Android.mk + # compile options ################# @@ -126,6 +140,10 @@ if USE_THREADS AM_CFLAGS += -DTHREADS endif +if USE_ADNS + AM_CFLAGS += -DADNS +endif + # build optional plugins ######################## diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 92e66db17..b055ba289 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in 
@@ -38,28 +38,33 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT) +ipsec_PROGRAMS = pluto$(EXEEXT) $(am__EXEEXT_1) +@USE_ADNS_TRUE@am__append_1 = _pluto_adns +@USE_ADNS_TRUE@am__append_2 = \ +@USE_ADNS_TRUE@dnskey.c dnskey.h + # compile options ################# # This compile option activates the sending of a strongSwan VID -@USE_VENDORID_TRUE@am__append_1 = -DVENDORID +@USE_VENDORID_TRUE@am__append_3 = -DVENDORID # This compile option activates the sending of the XAUTH VID -@USE_XAUTH_VID_TRUE@am__append_2 = -DXAUTH_VID +@USE_XAUTH_VID_TRUE@am__append_4 = -DXAUTH_VID # This compile option activates the support of the Cisco VPN client -@USE_CISCO_QUIRKS_TRUE@am__append_3 = -DCISCO_QUIRKS +@USE_CISCO_QUIRKS_TRUE@am__append_5 = -DCISCO_QUIRKS # This compile option activates NAT traversal with IPSec transport mode -@USE_NAT_TRANSPORT_TRUE@am__append_4 = -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT +@USE_NAT_TRANSPORT_TRUE@am__append_6 = -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT # This compile option activates smartcard support -@USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD -@USE_LIBCAP_TRUE@am__append_6 = -lcap -@USE_THREADS_TRUE@am__append_7 = -DTHREADS -@USE_XAUTH_TRUE@am__append_8 = plugins/xauth +@USE_SMARTCARD_TRUE@am__append_7 = -DSMARTCARD +@USE_LIBCAP_TRUE@am__append_8 = -lcap +@USE_THREADS_TRUE@am__append_9 = -DTHREADS +@USE_ADNS_TRUE@am__append_10 = -DADNS +@USE_XAUTH_TRUE@am__append_11 = plugins/xauth subdir = src/pluto DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in 
@@ -78,28 +83,50 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +@USE_ADNS_TRUE@am__EXEEXT_1 = _pluto_adns$(EXEEXT) am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" PROGRAMS = $(ipsec_PROGRAMS) -am__pluto_adns_OBJECTS = adns.$(OBJEXT) +am___pluto_adns_SOURCES_DIST = adns.c adns.h +@USE_ADNS_TRUE@am__pluto_adns_OBJECTS = adns.$(OBJEXT) _pluto_adns_OBJECTS = $(am__pluto_adns_OBJECTS) am__DEPENDENCIES_1 = -_pluto_adns_DEPENDENCIES = $(LIBFREESWANDIR)/libfreeswan.a \ - $(am__DEPENDENCIES_1) +@USE_ADNS_TRUE@_pluto_adns_DEPENDENCIES = \ +@USE_ADNS_TRUE@ $(LIBFREESWANDIR)/libfreeswan.a \ +@USE_ADNS_TRUE@ $(am__DEPENDENCIES_1) +am__pluto_SOURCES_DIST = ac.c ac.h alg_info.c alg_info.h ca.c ca.h \ + certs.c certs.h connections.c connections.h constants.c \ + constants.h cookie.c cookie.h crl.c crl.h crypto.c crypto.h \ + db_ops.c db_ops.h defs.c defs.h demux.c demux.h event_queue.c \ + event_queue.h fetch.c fetch.h foodgroups.c foodgroups.h \ + ike_alg.c ike_alg.h ipsec_doi.c ipsec_doi.h kameipsec.h \ + kernel.c kernel.h kernel_alg.c kernel_alg.h kernel_pfkey.c \ + kernel_pfkey.h keys.c keys.h lex.c lex.h log.c log.h myid.c \ + myid.h modecfg.c modecfg.h nat_traversal.c nat_traversal.h \ + ocsp.c ocsp.h packet.c packet.h pkcs7.c pkcs7.h plugin_list.c \ + plugin_list.h pluto.c pluto.h plutomain.c rcv_whack.c \ + rcv_whack.h server.c server.h smartcard.c smartcard.h spdb.c \ + spdb.h state.c state.h timer.c timer.h vendor.c vendor.h \ + virtual.c virtual.h whack_attribute.c whack_attribute.h \ + xauth/xauth_manager.c xauth/xauth_manager.h \ + xauth/xauth_provider.h xauth/xauth_verifier.h x509.c x509.h \ + builder.c builder.h rsaref/pkcs11t.h rsaref/pkcs11.h \ + rsaref/unix.h rsaref/pkcs11f.h dnskey.c dnskey.h +@USE_ADNS_TRUE@am__objects_1 = dnskey.$(OBJEXT) am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \ certs.$(OBJEXT) 
connections.$(OBJEXT) constants.$(OBJEXT) \ cookie.$(OBJEXT) crl.$(OBJEXT) crypto.$(OBJEXT) \ db_ops.$(OBJEXT) defs.$(OBJEXT) demux.$(OBJEXT) \ - dnskey.$(OBJEXT) event_queue.$(OBJEXT) fetch.$(OBJEXT) \ - foodgroups.$(OBJEXT) ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) \ - kernel.$(OBJEXT) kernel_alg.$(OBJEXT) kernel_pfkey.$(OBJEXT) \ - keys.$(OBJEXT) lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) \ - modecfg.$(OBJEXT) nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) \ - packet.$(OBJEXT) pkcs7.$(OBJEXT) pluto.$(OBJEXT) \ + event_queue.$(OBJEXT) fetch.$(OBJEXT) foodgroups.$(OBJEXT) \ + ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) kernel.$(OBJEXT) \ + kernel_alg.$(OBJEXT) kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) \ + lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) modecfg.$(OBJEXT) \ + nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) packet.$(OBJEXT) \ + pkcs7.$(OBJEXT) plugin_list.$(OBJEXT) pluto.$(OBJEXT) \ plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) server.$(OBJEXT) \ smartcard.$(OBJEXT) spdb.$(OBJEXT) state.$(OBJEXT) \ timer.$(OBJEXT) vendor.$(OBJEXT) virtual.$(OBJEXT) \ whack_attribute.$(OBJEXT) xauth_manager.$(OBJEXT) \ - x509.$(OBJEXT) builder.$(OBJEXT) + x509.$(OBJEXT) builder.$(OBJEXT) $(am__objects_1) pluto_OBJECTS = $(am_pluto_OBJECTS) pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \ $(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \ @@ -119,7 +146,8 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES) -DIST_SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES) +DIST_SOURCES = $(am___pluto_adns_SOURCES_DIST) \ + $(am__pluto_SOURCES_DIST) RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ html-recursive info-recursive install-data-recursive \ install-dvi-recursive install-exec-recursive \ 
@@ -276,6 +304,9 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +axis2c_CFLAGS = @axis2c_CFLAGS@ +axis2c_LIBS = @axis2c_LIBS@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -284,6 +315,7 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +clearsilver_LIBS = @clearsilver_LIBS@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ @@ -300,11 +332,13 @@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ +imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -348,6 +382,7 @@ sharedstatedir = @sharedstatedir@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ +starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ 
@@ -358,56 +393,27 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -pluto_SOURCES = \ -ac.c ac.h \ -alg_info.c alg_info.h \ -ca.c ca.h \ -certs.c certs.h \ -connections.c connections.h \ -constants.c constants.h \ -cookie.c cookie.h \ -crl.c crl.h \ -crypto.c crypto.h \ -db_ops.c db_ops.h \ -defs.c defs.h \ -demux.c demux.h \ -dnskey.c dnskey.h \ -event_queue.c event_queue.h \ -fetch.c fetch.h \ -foodgroups.c foodgroups.h \ -ike_alg.c ike_alg.h \ -ipsec_doi.c ipsec_doi.h \ -kameipsec.h \ -kernel.c kernel.h \ -kernel_alg.c kernel_alg.h \ -kernel_pfkey.c kernel_pfkey.h \ -keys.c keys.h \ -lex.c lex.h \ -log.c log.h \ -myid.c myid.h \ -modecfg.c modecfg.h \ -nat_traversal.c nat_traversal.h \ -ocsp.c ocsp.h \ -packet.c packet.h \ -pkcs7.c pkcs7.h \ -pluto.c pluto.h \ -plutomain.c \ -rcv_whack.c rcv_whack.h \ -server.c server.h \ -smartcard.c smartcard.h \ -spdb.c spdb.h \ -state.c state.h \ -timer.c timer.h \ -vendor.c vendor.h \ -virtual.c virtual.h \ -whack_attribute.c whack_attribute.h \ -xauth/xauth_manager.c xauth/xauth_manager.h \ -xauth/xauth_provider.h xauth/xauth_verifier.h \ -x509.c x509.h \ -builder.c builder.h \ -rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h - -_pluto_adns_SOURCES = adns.c adns.h +pluto_SOURCES = ac.c ac.h alg_info.c alg_info.h ca.c ca.h certs.c \ + certs.h connections.c connections.h constants.c constants.h \ + cookie.c cookie.h crl.c crl.h crypto.c crypto.h db_ops.c \ + db_ops.h defs.c defs.h demux.c demux.h event_queue.c \ + event_queue.h fetch.c fetch.h foodgroups.c foodgroups.h \ + ike_alg.c ike_alg.h ipsec_doi.c ipsec_doi.h kameipsec.h \ + kernel.c kernel.h kernel_alg.c kernel_alg.h kernel_pfkey.c \ + kernel_pfkey.h keys.c keys.h lex.c lex.h log.c log.h myid.c \ + myid.h modecfg.c modecfg.h nat_traversal.c nat_traversal.h \ + ocsp.c ocsp.h packet.c packet.h pkcs7.c pkcs7.h plugin_list.c \ + plugin_list.h pluto.c pluto.h plutomain.c rcv_whack.c \ + 
rcv_whack.h server.c server.h smartcard.c smartcard.h spdb.c \ + spdb.h state.c state.h timer.c timer.h vendor.c vendor.h \ + virtual.c virtual.h whack_attribute.c whack_attribute.h \ + xauth/xauth_manager.c xauth/xauth_manager.h \ + xauth/xauth_provider.h xauth/xauth_verifier.h x509.c x509.h \ + builder.c builder.h rsaref/pkcs11t.h rsaref/pkcs11.h \ + rsaref/unix.h rsaref/pkcs11f.h $(am__append_2) +@USE_ADNS_TRUE@_pluto_adns_SOURCES = \ +@USE_ADNS_TRUE@adns.c adns.h + LIBSTRONGSWANDIR = $(top_builddir)/src/libstrongswan LIBFREESWANDIR = $(top_builddir)/src/libfreeswan LIBHYDRADIR = $(top_builddir)/src/libhydra @@ -422,22 +428,23 @@ AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \ -DPLUGINS=\""${pluto_plugins}\"" \ - -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" -DKERNEL26_SUPPORT \ - -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DDEBUG $(am__append_1) \ - $(am__append_2) $(am__append_3) $(am__append_4) \ - $(am__append_5) $(am__append_7) + -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \ + -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DDEBUG $(am__append_3) \ + $(am__append_4) $(am__append_5) $(am__append_6) \ + $(am__append_7) $(am__append_9) $(am__append_10) pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \ $(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \ - -lresolv $(PTHREADLIB) $(DLLIB) $(am__append_6) -_pluto_adns_LDADD = \ -$(LIBFREESWANDIR)/libfreeswan.a \ --lresolv $(DLLIB) + -lresolv $(PTHREADLIB) $(DLLIB) $(am__append_8) +@USE_ADNS_TRUE@_pluto_adns_LDADD = \ +@USE_ADNS_TRUE@$(LIBFREESWANDIR)/libfreeswan.a \ +@USE_ADNS_TRUE@-lresolv $(DLLIB) dist_man_MANS = pluto.8 +EXTRA_DIST = Android.mk # build optional plugins ######################## -SUBDIRS = . $(am__append_8) +SUBDIRS = . $(am__append_11) all: all-recursive .SUFFIXES: 
@@ -560,6 +567,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plugin_list.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pluto.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plutomain.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcv_whack.Po@am__quote@ diff --git a/src/pluto/ac.c b/src/pluto/ac.c index 3339d91fb..cd8007aea 100644 --- a/src/pluto/ac.c +++ b/src/pluto/ac.c @@ -261,7 +261,7 @@ void ac_list_certs(bool utc) whack_log(RC_COMMENT, " hissuer: \"%Y\"", holderIssuer); } - holderSerial = ac->get_holderSerial(ac); + holderSerial = chunk_skip_zero(ac->get_holderSerial(ac)); if (holderSerial.ptr) { whack_log(RC_COMMENT, " hserial: %#B", &holderSerial); @@ -277,7 +277,7 @@ void ac_list_certs(bool utc) issuer = cert->get_issuer(cert); whack_log(RC_COMMENT, " issuer: \"%Y\"", issuer); - serial = ac->get_serial(ac); + serial = chunk_skip_zero(ac->get_serial(ac)); whack_log(RC_COMMENT, " serial: %#B", &serial); cert->get_validity(cert, &now, ¬Before, ¬After); diff --git a/src/pluto/adns.c b/src/pluto/adns.c index 5d6979447..76b459216 100644 --- a/src/pluto/adns.c +++ b/src/pluto/adns.c @@ -12,8 +12,6 @@ * for more details. */ -#ifndef USE_LWRES /* whole file! */ - /* This program executes as multiple processes. The Master process * receives queries (struct adns_query messages) from Pluto and distributes * them amongst Worker processes. These Worker processes are created @@ -610,5 +608,3 @@ main(int argc UNUSED, char **argv) return master(); } - -#endif /* !USE_LWRES */ diff --git a/src/pluto/adns.h b/src/pluto/adns.h index f564be232..dfbcbaf16 100644 --- a/src/pluto/adns.h +++ b/src/pluto/adns.h 
@@ -12,7 +12,13 @@ * for more details. */ -#ifndef USE_LWRES /* whole file! */ +#ifndef ADNS + +/* dummy struct to make compilers happy */ +struct adns_query { +}; + +#else /* rest of file */ /* The interface in RHL6.x and BIND distribution 8.2.2 are different, * so we build some of our own :-( @@ -69,5 +75,4 @@ enum helper_exit_status { HES_BAD_LEN, /* implausible .len field */ HES_BAD_MAGIC, /* .magic field wrong */ }; - -#endif /* !USE_LWRES */ +#endif /* ADNS */ diff --git a/src/pluto/builder.c b/src/pluto/builder.c index d7ec3feb9..a6e05a330 100644 --- a/src/pluto/builder.c +++ b/src/pluto/builder.c @@ -71,17 +71,17 @@ static cert_t *builder_load_cert(certificate_type_t type, va_list args) if (pgp) { cert->cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_GPG, - BUILD_BLOB_PGP, blob, - BUILD_END); + CRED_CERTIFICATE, CERT_GPG, + BUILD_BLOB_PGP, blob, + BUILD_END); } else { cert->cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB_ASN1_DER, blob, + CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, blob, BUILD_X509_FLAG, flags, - BUILD_END); + BUILD_END); } if (cert->cert) { @@ -121,9 +121,9 @@ static x509crl_t *builder_load_crl(certificate_type_t type, va_list args) crl->next = NULL; crl->distributionPoints = linked_list_create(); crl->crl = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509_CRL, - BUILD_BLOB_ASN1_DER, blob, - BUILD_END); + CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_BLOB_ASN1_DER, blob, + BUILD_END); if (crl->crl) { return crl; diff --git a/src/pluto/ca.c b/src/pluto/ca.c index add85def8..827b98121 100644 --- a/src/pluto/ca.c +++ b/src/pluto/ca.c @@ -87,7 +87,7 @@ bool trusted_ca(identification_t *a, identification_t *b, int *pathlen) break; } certificate = cacert->cert; - + /* is the certificate self-signed? */ { x509_t *x509 = (x509_t*)certificate; 
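Review bot: The `#ifndef ADNS` stub `struct adns_query { };` in adns.h is an empty struct, which is a GNU extension rather than ISO C (a member-less struct violates a constraint; GCC accepts it with `sizeof` 0 and `-pedantic` warns), and it is the type that `struct adns_continuation` in dnskey.h now embeds by value once the `USE_LWRES` alternative is gone. A portable stub needs a member, `struct adns_query { int unused; /* placeholder for builds without ADNS */ };`, or the header could keep only a forward declaration `struct adns_query;` if every non-ADNS user turns out to need just a pointer — the by-value member in dnskey.h suggests it does not. The closing `#endif /* ADNS */` is correct for the new macro; the stub comment "dummy struct to make compilers happy" would be more useful if it named which file embeds it.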
@@ -219,7 +219,8 @@ cert_t* get_authcert(identification_t *subject, chunk_t keyid, } /* compare the subjectDistinguishedNames */ - if (!certificate->has_subject(certificate, subject)) + if (!(subject && certificate->has_subject(certificate, subject)) && + (subject || !keyid.ptr)) { continue; } @@ -248,7 +249,7 @@ cert_t* add_authcert(cert_t *cert, x509_flag_t auth_flags) lock_authcert_list("add_authcert"); - old_cert = get_authcert(certificate->get_subject(certificate), + old_cert = get_authcert(certificate->get_subject(certificate), x509->get_subjectKeyIdentifier(x509), auth_flags); if (old_cert) diff --git a/src/pluto/connections.c b/src/pluto/connections.c index 2194362d2..27cec40fc 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -425,8 +425,9 @@ void delete_connection(connection_t *c, bool relations) c->requested_ca->destroy_offset(c->requested_ca, offsetof(identification_t, destroy)); } +#ifdef ADNS gw_delref(&c->gw_info); - +#endif lock_certs_and_keys("delete_connection"); cert_release(c->spd.this.cert); scx_release(c->spd.this.sc); @@ -1477,6 +1478,8 @@ connection_t *rw_instantiate(connection_t *c, const ip_address *him, return d; } +#ifdef ADNS + connection_t *oppo_instantiate(connection_t *c, const ip_address *him, identification_t *his_id, struct gw_info *gw, const ip_address *our_client USED_BY_DEBUG, @@ -1544,6 +1547,8 @@ connection_t *oppo_instantiate(connection_t *c, const ip_address *him, return d; } +#endif /* ADNS */ + /* priority formatting */ void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]) { @@ -1767,6 +1772,8 @@ connection_t *find_connection_for_clients(struct spd_route **srp, return best; } +#ifdef ADNS + /* Find and instantiate a connection for an outgoing Opportunistic connection. * We've already discovered its gateway. * We look for a the connection such that: 
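Review bot: The new guard in get_authcert, `if (!(subject && certificate->has_subject(certificate, subject)) && (subject || !keyid.ptr))`, is hard to read for a check that decides which trusted CA certificate is handed back; it reduces to "with a subject, skip on subject mismatch; without one, skip unless a keyid was supplied", which is clearer as `if (subject ? !certificate->has_subject(certificate, subject) : !keyid.ptr) { continue; }`. A comment above it, `/* a NULL subject makes the lookup match on the subjectKeyIdentifier alone */`, would document the new calling convention, since the keyid comparison that then decides the match lies below the hunk and a subjectKeyIdentifier is data taken from a certificate rather than a verified key — if any caller passes a NULL subject with a keyid read from a peer-supplied certificate, it should be confirmed that the returned authcert's key is still checked against the chain. get_authcert's body continues outside the hunk.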
@@ -1869,6 +1876,8 @@ connection_t *build_outgoing_opportunistic_connection(struct gw_info *gw, } } +#endif /* ADNS */ + bool orient(connection_t *c) { struct spd_route *sr; @@ -2179,6 +2188,8 @@ void initiate_opportunistic(const ip_address *our_client, initiate_opportunistic_body(&b, NULL, NULL); } +#ifdef ADNS + static void continue_oppo(struct adns_continuation *acr, err_t ugh) { struct find_oppo_continuation *cr = (void *)acr; /* inherit, damn you! */ @@ -2242,6 +2253,8 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh) close_any(whackfd); } +#endif /* ADNS */ + #ifdef USE_KEYRR static err_t check_key_recs(enum myid_state try_state, const connection_t *c, struct adns_continuation *ac) @@ -2298,6 +2311,8 @@ static err_t check_key_recs(enum myid_state try_state, const connection_t *c, } #endif /* USE_KEYRR */ +#ifdef ADNS + static err_t check_txt_recs(enum myid_state try_state, const connection_t *c, struct adns_continuation *ac) { @@ -2355,6 +2370,8 @@ static err_t check_txt_recs(enum myid_state try_state, const connection_t *c, return ugh; } +#endif /* ADNS */ + /* note: gateways_from_dns must be NULL iff this is the first call */ static void initiate_opportunistic_body(struct find_oppo_bundle *b, @@ -2431,6 +2448,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY); b->whackfd = NULL_FD; /* protect from close */ } +#ifdef ADNS else { /* We are handling an opportunistic situation. @@ -2996,6 +3014,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, cannot_oppo(c, b, ugh); } } +#endif /* ADNS */ close_any(b->whackfd); } diff --git a/src/pluto/constants.c b/src/pluto/constants.c index ec7bfaf78..73ec0bc54 100644 --- a/src/pluto/constants.c +++ b/src/pluto/constants.c @@ -1105,6 +1105,8 @@ bool subnetisnone(const ip_subnet *sn) return isanyaddr(&base) && subnetishost(sn); } +#ifdef ADNS + /* BIND enumerated types */ #include <arpa/nameser.h> 
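Review bot: In initiate_opportunistic_body, wrapping the entire `else` arm in `#ifdef ADNS` means a build without ADNS silently falls through to `close_any(b->whackfd)` whenever the preceding `if` (its condition lies above the hunk) does not initiate, so neither whack nor the log learns that the opportunistic attempt went nowhere — the path that used to end in `cannot_oppo(c, b, ugh)` now ends in nothing. An `#else` arm that still reports the situation, for instance `cannot_oppo(c, b, "built without ADNS")` if that helper does not itself depend on ADNS, or at least a `plog()` of the same text, keeps the failure visible. The same question applies to check_key_recs under `#ifdef USE_KEYRR` (earlier hunk on this line), which stays outside the ADNS guard although it takes a `struct adns_continuation *` — a configuration with USE_KEYRR but without ADNS presumably either fails to build or never gets called, and it would be worth nesting it in `#ifdef ADNS` as well. initiate_opportunistic_body starts and ends outside the hunk.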
@@ -1169,6 +1171,8 @@ static const char *const rr_class_name[] = { enum_names rr_class_names = { C_IN, C_IN, rr_class_name, NULL }; +#endif /* ADNS */ + /* * NAT-Traversal defines for nat_traveral type from nat_traversal.h * diff --git a/src/pluto/constants.h b/src/pluto/constants.h index 075579d6d..c931f1782 100644 --- a/src/pluto/constants.h +++ b/src/pluto/constants.h @@ -658,7 +658,7 @@ extern const char *prettypolicy(lset_t policy); #define POLICY_COMPRESS LELEM(4) /* must be third */ #define POLICY_TUNNEL LELEM(5) #define POLICY_PFS LELEM(6) -#define POLICY_DISABLEARRIVALCHECK LELEM(7) /* supress tunnel egress address checking */ +#define POLICY_DISABLEARRIVALCHECK LELEM(7) /* suppress tunnel egress address checking */ #define POLICY_IPSEC_SHIFT 2 /* log2(POLICY_ENCRYPT) */ #define POLICY_IPSEC_MASK LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK) diff --git a/src/pluto/crl.c b/src/pluto/crl.c index 38db0f2fd..c49b09e19 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c @@ -507,7 +507,7 @@ void list_crls(bool utc, bool strict) whack_log(RC_COMMENT, " "); whack_log(RC_COMMENT, " issuer: \"%Y\"", cert_crl->get_issuer(cert_crl)); - serial = crl->get_serial(crl); + serial = chunk_skip_zero(crl->get_serial(crl)); if (serial.ptr) { whack_log(RC_COMMENT, " serial: %#B", &serial); diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c index f01966c72..a4f678222 100644 --- a/src/pluto/crypto.c +++ b/src/pluto/crypto.c @@ -30,7 +30,7 @@ static struct encrypt_desc encrypt_desc_3des = algo_id: OAKLEY_3DES_CBC, plugin_name: NULL, algo_next: NULL, - + enc_blocksize: DES_BLOCK_SIZE, keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, diff --git a/src/pluto/defs.c b/src/pluto/defs.c index f83318e12..7f3a819de 100644 --- a/src/pluto/defs.c +++ b/src/pluto/defs.c @@ -16,6 +16,7 @@ #include <string.h> #include <stdio.h> #include <dirent.h> +#include <inttypes.h> #include <time.h> #include <sys/types.h> #include <sys/stat.h> 
@@ -91,8 +92,7 @@ mv_chunk(u_char **pos, chunk_t content) const char* check_expiry(time_t expiration_date, int warning_interval, bool strict) { - time_t now; - int time_left; + time_t now, time_left; if (expiration_date == UNDEFINED_TIME) return "ok (expires never)"; @@ -125,8 +125,8 @@ check_expiry(time_t expiration_date, int warning_interval, bool strict) time_left /= 60; unit = "minute"; } - snprintf(buf, 35, "warning (expires in %d %s%s)", time_left, - unit, (time_left == 1)?"":"s"); + snprintf(buf, 35, "warning (expires in %" PRIu64 " %s%s)", + (u_int64_t)time_left, unit, (time_left == 1) ? "" : "s"); return buf; } } diff --git a/src/pluto/demux.c b/src/pluto/demux.c index 294601295..612e0813c 100644 --- a/src/pluto/demux.c +++ b/src/pluto/demux.c @@ -544,7 +544,7 @@ init_demux(void) * - ip(7) describes IP_RECVERR * - recvmsg(2) describes MSG_ERRQUEUE * - readv(2) describes iovec - * - cmsg(3) describes how to process auxilliary messages + * - cmsg(3) describes how to process auxiliary messages * * ??? we should link this message with one we've sent * so that the diagnostic can refer to that negotiation. @@ -1580,7 +1580,7 @@ process_packet(struct msg_digest **mdp) /* * okay, now we have to figure out if we are receiving a bogus - * new message in an oustanding XAUTH server conversation + * new message in an outstanding XAUTH server conversation * (i.e. a reply to our challenge) * (this occurs with some broken other implementations). * diff --git a/src/pluto/dnskey.c b/src/pluto/dnskey.c index 4f8e4ebf4..91b1b6ac1 100644 --- a/src/pluto/dnskey.c +++ b/src/pluto/dnskey.c 
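Review bot: `(u_int64_t)time_left` with `PRIu64` in check_expiry pairs a BSD typedef with the C99 format macro that is defined for `uint64_t`; since `<inttypes.h>` is now included, the standard type should be used, and because `time_left` is a `time_t` (signed on common platforms) a signed cast is the safer match: `snprintf(buf, 35, "warning (expires in %" PRId64 " %s%s)", (int64_t)time_left, unit, (time_left == 1) ? "" : "s");`. The hard-coded length 35 is carried over from the old line; if `buf` is a local array (its declaration is above the hunk) it should be `sizeof(buf)` so the bound cannot drift from the buffer. check_expiry starts above the hunk.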
@@ -60,13 +60,8 @@ void init_adns(void) { const char *adns_path = pluto_adns_option; -#ifndef USE_LWRES static const char adns_name[] = "_pluto_adns"; const char *helper_bin_dir = getenv("IPSEC_LIBDIR"); -#else /* USE_LWRES */ - static const char adns_name[] = "lwdnsq"; - const char *helper_bin_dir = getenv("IPSEC_EXECDIR"); -#endif /* USE_LWRES */ char adns_path_space[4096]; /* plenty long? */ int qfds[2]; int afds[2]; 
@@ -460,85 +455,6 @@ rr_typename(int type) } -#ifdef USE_LWRES - -# ifdef USE_KEYRR -static err_t -process_lwdnsq_key(u_char *str -, enum dns_auth_level dns_auth_level -, struct adns_continuation *const cr) -{ - /* fields of KEY record. See RFC 2535 3.1 KEY RDATA format. */ - unsigned long flags /* 16 bits */ - , protocol /* 8 bits */ - , algorithm; /* 8 bits */ - - char *rest = str - , *p - , *endofnumber; - - /* flags */ - p = strsep(&rest, " \t"); - if (p == NULL) - return "lwdnsq KEY: missing flags"; - - flags = strtoul(p, &endofnumber, 10); - if (*endofnumber != '\0') - return "lwdnsq KEY: malformed flags"; - - /* protocol */ - p = strsep(&rest, " \t"); - if (p == NULL) - return "lwdnsq KEY: missing protocol"; - - protocol = strtoul(p, &endofnumber, 10); - if (*endofnumber != '\0') - return "lwdnsq KEY: malformed protocol"; - - /* algorithm */ - p = strsep(&rest, " \t"); - if (p == NULL) - return "lwdnsq KEY: missing algorithm"; - - algorithm = strtoul(p, &endofnumber, 10); - if (*endofnumber != '\0') - return "lwdnsq KEY: malformed algorithm"; - - /* is this key interesting? */ - if (protocol == 4 /* IPSEC (RFC 2535 3.1.3) */ - && algorithm == 1 /* RSA/MD5 (RFC 2535 3.2) */ - && (flags & 0x8000ul) == 0 /* use for authentication (3.1.2) */ - && (flags & 0x2CF0ul) == 0) /* must be zero */ - { - /* Decode base 64 encoding of key. - * Similar code is in process_txt_rr_body. 
- */ - u_char kb[RSA_MAX_ENCODING_BYTES]; /* plenty of space for binary form of public key */ - chunk_t kbc; - err_t ugh = ttodatav(rest, 0, 64, kb, sizeof(kb), &kbc.len - , diag_space, sizeof(diag_space), TTODATAV_IGNORESPACE); - - if (ugh != NULL) - return builddiag("malformed key data: %s", ugh); - - if (kbc.len > sizeof(kb)) - return builddiag("key data larger than %lu bytes" - , (unsigned long) sizeof(kb)); - - kbc.ptr = kb; - TRY(add_public_key(&cr->id, dns_auth_level, PUBKEY_ALG_RSA, &kbc - , &cr->keys_from_dns)); - - /* keep a reference to last one */ - unreference_key(&cr->last_info); - cr->last_info = reference_key(cr->keys_from_dns->key); - } - return NULL; -} -# endif /* USE_KEYRR */ - -#else /* ! USE_LWRES */ - /* structure of Query Reply (RFC 1035 4.1.1): * * +---------------------+ @@ -1218,9 +1134,6 @@ process_dns_answer(struct adns_continuation *const cr , qr_header.ancount, cr); } -#endif /* ! USE_LWRES */ - - /****************************************************************/ static err_t build_dns_name(u_char name_buf[NS_MAXDNAME + 2], @@ -1427,7 +1340,7 @@ err_t start_adns_query(identification_t *id, /* domain to query */ cr->sgw_specified = (sgw_id != NULL); cr->sgw_id = cr->sgw_specified ? sgw_id->clone(sgw_id) : - identification_create_from_string("%any"); + identification_create_from_string("%any"); cr->gateways_from_dns = NULL; #ifdef USE_KEYRR cr->keys_from_dns = NULL; 
@@ -1515,21 +1428,6 @@ send_unsent_ADNS_queries(void) break; /* done! */ } -#ifdef USE_LWRES - next_query->used = FALSE; - { - /* NOTE STATIC: */ - static unsigned char qbuf[LWDNSQ_CMDBUF_LEN + 1]; /* room for NUL */ - - snprintf(qbuf, sizeof(qbuf), "%s %lu %s\n" - , rr_typename(next_query->type) - , next_query->qtid - , next_query->query.name_buf); - DBG(DBG_DNS, DBG_log("lwdnsq query: %.*s", (int)(strlen(qbuf) - 1), qbuf)); - buf_cur = qbuf; - buf_end = qbuf + strlen(qbuf); - } -#else /* !USE_LWRES */ next_query->query.debugging = next_query->debugging; next_query->query.serial = next_query->qtid; next_query->query.len = sizeof(next_query->query); 
@@ -1537,210 +1435,13 @@ send_unsent_ADNS_queries(void) next_query->query.type = next_query->type; buf_cur = (const void *)&next_query->query; buf_end = buf_cur + sizeof(next_query->query); -#endif /* !USE_LWRES */ + next_query = next_query->next; adns_in_flight++; } } } -#ifdef USE_LWRES -/* Process a line of lwdnsq answer. - * Returns with error message iff lwdnsq result is malformed. - * Most errors will be in DNS data and will be handled by cr->cont_fn. - */ -static err_t process_lwdnsq_answer(char *ts) -{ - err_t ugh = NULL; - char *rest; - char *p; - char *endofnumber; - struct adns_continuation *cr = NULL; - unsigned long qtid; - time_t anstime; /* time of answer */ - char *atype; /* type of answer */ - long ttl; /* ttl of answer; int, but long for conversion */ - bool AuthenticatedData = FALSE; - static char scratch_null_str[] = ""; /* cannot be const, but isn't written */ - - /* query transaction id */ - rest = ts; - p = strsep(&rest, " \t"); - if (p == NULL) - return "lwdnsq: answer missing query transaction ID"; - - qtid = strtoul(p, &endofnumber, 10); - if (*endofnumber != '\0') - return "lwdnsq: malformed query transaction ID"; - - cr = continuation_for_qtid(qtid); - if (qtid != 0 && cr == NULL) - return "lwdnsq: unrecognized qtid"; /* can't happen! */ - - /* time */ - p = strsep(&rest, " \t"); - if (p == NULL) - return "lwdnsq: missing time"; - - anstime = strtoul(p, &endofnumber, 10); - if (*endofnumber != '\0') - return "lwdnsq: malformed time"; - - /* TTL */ - p = strsep(&rest, " \t"); - if (p == NULL) - return "lwdnsq: missing TTL"; - - ttl = strtol(p, &endofnumber, 10); - if (*endofnumber != '\0') - return "lwdnsq: malformed TTL"; - - /* type */ - atype = strsep(&rest, " \t"); - if (atype == NULL) - return "lwdnsq: missing type"; - - /* if rest is NULL, make it "", otherwise eat whitespace after type */ - rest = rest == NULL? 
scratch_null_str : rest + strspn(rest, " \t"); - - if (strncasecmp(atype, "AD-", 3) == 0) - { - AuthenticatedData = TRUE; - atype += 3; - } - - /* deal with each type */ - - if (cr == NULL) - { - /* we don't actually know which this applies to */ - return builddiag("lwdnsq: 0 qtid invalid with %s", atype); - } - else if (strcaseeq(atype, "START")) - { - /* ignore */ - } - else if (strcaseeq(atype, "DONE")) - { - if (!cr->used) - { - /* "no results returned by lwdnsq" should not happen */ - cr->cont_fn(cr - , cr->gateways_from_dns == NULL -#ifdef USE_KEYRR - && cr->keys_from_dns == NULL -#endif /* USE_KEYRR */ - ? "no results returned by lwdnsq" : NULL); - cr->used = TRUE; - } - reset_globals(); - release_adns_continuation(cr); - adns_in_flight--; - } - else if (strcaseeq(atype, "RETRY")) - { - if (!cr->used) - { - cr->cont_fn(cr, rest); - cr->used = TRUE; - } - } - else if (strcaseeq(atype, "FATAL")) - { - if (!cr->used) - { - cr->cont_fn(cr, rest); - cr->used = TRUE; - } - } - else if (strcaseeq(atype, "DNSSEC")) - { - /* ignore */ - } - else if (strcaseeq(atype, "NAME")) - { - /* ignore */ - } - else if (strcaseeq(atype, "TXT")) - { - char *end = rest + strlen(rest); - err_t txt_ugh; - - if (*rest == '"' && end[-1] == '"') - { - /* strip those pesky quotes */ - rest++; - *--end = '\0'; - } - - txt_ugh = process_txt_rr_body(rest - , TRUE - , AuthenticatedData? 
DAL_SIGNED : DAL_NOTSEC - , cr); - - if (txt_ugh != NULL) - { - DBG(DBG_DNS, - DBG_log("error processing TXT resource record (%s) while processing: %s" - , txt_ugh, rest)); - cr->cont_fn(cr, txt_ugh); - cr->used = TRUE; - } - } - else if (strcaseeq(atype, "SIG")) - { - /* record the SIG records for posterity */ - if (cr->last_info != NULL) - { - free(cr->last_info->dns_sig); - cr->last_info->dns_sig = clone_str(rest); - } - } - else if (strcaseeq(atype, "A")) - { - /* ignore */ - } - else if (strcaseeq(atype, "AAAA")) - { - /* ignore */ - } - else if (strcaseeq(atype, "CNAME")) - { - /* ignore */ - } - else if (strcaseeq(atype, "CNAMEFROM")) - { - /* ignore */ - } - else if (strcaseeq(atype, "PTR")) - { - /* ignore */ - } -#ifdef USE_KEYRR - else if (strcaseeq(atype, "KEY")) - { - err_t key_ugh = process_lwdnsq_key(rest - , AuthenticatedData? DAL_SIGNED : DAL_NOTSEC - , cr); - - if (key_ugh != NULL) - { - DBG(DBG_DNS, - DBG_log("error processing KEY resource record (%s) while processing: %s" - , key_ugh, rest)); - cr->cont_fn(cr, key_ugh); - cr->used = TRUE; - } - } -#endif /* USE_KEYRR */ - else - { - ugh = "lwdnsq: unrecognized type"; - } - return ugh; -} -#endif /* USE_LWRES */ - static void recover_adns_die(void) { struct adns_continuation *cr = NULL; @@ -1779,12 +1480,7 @@ void handle_adns_answer(void) { /* These are retained across calls to handle_adns_answer. */ static size_t buflen = 0; /* bytes in answer buffer */ -#ifndef USE_LWRES static struct adns_answer buf; -#else /* USE_LWRES */ - static char buf[LWDNSQ_RESULT_LEN_MAX]; - static char buf_copy[LWDNSQ_RESULT_LEN_MAX]; -#endif /* USE_LWRES */ ssize_t n; @@ -1826,7 +1522,6 @@ void handle_adns_answer(void) } buflen += n; -#ifndef USE_LWRES while (buflen >= offsetof(struct adns_answer, ans) && buflen >= buf.len) { /* we've got a tasty answer -- process it */ 
@@ -1892,36 +1587,4 @@ void handle_adns_answer(void) buflen -= buf.len; memmove((unsigned char *)&buf, (unsigned char *)&buf + buf.len, buflen); } -#else /* USE_LWRES */ - for (;;) - { - err_t ugh; - char *nlp = memchr(buf, '\n', buflen); - - if (nlp == NULL) - break; - - /* we've got a line */ - *nlp++ = '\0'; - - DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL | DBG_DNS - , DBG_log("lwdns: %s", buf)); - - /* process lwdnsq_answer may modify buf, so make a copy. */ - buf_copy[0]='\0'; - strncat(buf_copy, buf, sizeof(buf_copy)); - - ugh = process_lwdnsq_answer(buf_copy); - if (ugh != NULL) - plog("failure processing lwdnsq output: %s; record: %s" - , ugh, buf); - - passert(GLOBALS_ARE_RESET()); - reset_globals(); - - /* shift out answer that we've consumed */ - buflen -= nlp - buf; - memmove(buf, nlp, buflen); - } -#endif /* USE_LWRES */ } diff --git a/src/pluto/dnskey.h b/src/pluto/dnskey.h index d26a0e64f..39a406cbd 100644 --- a/src/pluto/dnskey.h +++ b/src/pluto/dnskey.h @@ -47,14 +47,7 @@ struct adns_continuation { #endif struct adns_continuation *previous, *next; struct pubkey *last_info; /* the last structure we accumulated */ -#ifdef USE_LWRES - bool used; /* have we called the cont_fn yet? */ - struct { - u_char name_buf[NS_MAXDNAME + 2]; - } query; -#else /* ! USE_LWRES */ struct adns_query query; -#endif /* ! USE_LWRES */ }; extern err_t start_adns_query(identification_t *id /* domain to query */ diff --git a/src/pluto/event_queue.c b/src/pluto/event_queue.c index 55d064f26..602a013ee 100644 --- a/src/pluto/event_queue.c +++ b/src/pluto/event_queue.c 
@@ -147,13 +147,13 @@ METHOD(event_queue_t, destroy, void, free(this); } -bool set_nonblock(int socket) +static bool set_nonblock(int socket) { int flags = fcntl(socket, F_GETFL); return flags != -1 && fcntl(socket, F_SETFL, flags | O_NONBLOCK) != -1; } -bool set_cloexec(int socket) +static bool set_cloexec(int socket) { int flags = fcntl(socket, F_GETFD); return flags != -1 && fcntl(socket, F_SETFD, flags | FD_CLOEXEC) != -1; diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index c8a347b45..3e7adcc40 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c @@ -3862,10 +3862,11 @@ main_id_and_auth(struct msg_digest *md if (r == STF_SUSPEND) { + err_t ugh = NULL; +#ifdef ADNS /* initiate/resume asynchronous DNS lookup for key */ struct key_continuation *nkc = malloc_thing(struct key_continuation); enum key_oppo_step step_done = kc == NULL? kos_null : kc->step; - err_t ugh = NULL; /* Record that state is used by a suspended md */ passert(st->st_suspended_md == NULL); @@ -3896,7 +3897,9 @@ main_id_and_auth(struct msg_digest *md default: bad_case(step_done); } - +#else /* ADNS */ + ugh = "adns not supported"; +#endif /* ADNS */ if (ugh != NULL) { report_key_dns_failure(peer, ugh); @@ -4444,6 +4447,8 @@ stf_status quick_inI1_outR1(struct msg_digest *md) return quick_inI1_outR1_tail(&b, NULL); } +#ifdef ADNS + static void report_verify_failure(struct verify_oppo_bundle *b, err_t ugh) { @@ -4808,6 +4813,8 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer( return next_step; } +#endif /* ADNS */ + static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, struct adns_continuation *ac) { @@ -4871,6 +4878,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, */ if (p->policy & POLICY_OPPO) { +#ifdef ADNS /* Opportunistic case: delegation must be verified. * Here be dragons. */ 
@@ -4925,6 +4933,11 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, */ p = oppo_instantiate(p, &c->spd.that.host_addr, c->spd.that.id , NULL, &our_client, &his_client); +#else /* ADNS */ + plog("opportunistic connections not supported because" + " adns is not available"); + return STF_INTERNAL_ERROR; +#endif /* ADNS */ } else { diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index 8bed1fcfc..e4729ef08 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -23,10 +23,10 @@ #include <stdio.h> #include <stdlib.h> #include <errno.h> -#include <wait.h> #include <unistd.h> #include <fcntl.h> #include <sys/queue.h> +#include <sys/wait.h> #include <sys/stat.h> #include <sys/socket.h> @@ -780,8 +780,9 @@ static bool raw_eroute(const ip_address *this_host, host_t *host_src, *host_dst; policy_type_t type = POLICY_IPSEC; policy_dir_t dir = POLICY_OUT; + policy_priority_t priority = POLICY_PRIORITY_DEFAULT; char text_said[SATOT_BUF]; - bool ok = TRUE, routed = FALSE, + bool ok = TRUE, deleting = (op & ERO_MASK) == ERO_DELETE, replacing = op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT); @@ -819,7 +820,7 @@ static bool raw_eroute(const ip_address *this_host, { return TRUE; } - routed = TRUE; + priority = POLICY_PRIORITY_ROUTED; break; } } @@ -837,14 +838,14 @@ static bool raw_eroute(const ip_address *this_host, if (deleting || replacing) { hydra->kernel_interface->del_policy(hydra->kernel_interface, - ts_src, ts_dst, dir, mark, routed); + ts_src, ts_dst, dir, sa->reqid, mark, priority); } if (!deleting) { ok = hydra->kernel_interface->add_policy(hydra->kernel_interface, host_src, host_dst, ts_src, ts_dst, dir, type, sa, - mark, routed) == SUCCESS; + mark, priority) == SUCCESS; } if (dir == POLICY_IN) 
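Review bot: In the `@@ -837` hunk the delete/replace branch now reads `sa->reqid` for del_policy(), where the old code only passed the `routed` flag, so `sa` must be non-NULL on every ERO_DELETE path; the `@@ -853` hunk does the same on the POLICY_IN side. raw_eroute's signature and its callers are outside the hunk, so I cannot confirm that no caller hands in a NULL sa for a delete-only operation; shunt_eroute and the other callers are worth a look. If a NULL can reach this point, either guard it, `sa ? sa->reqid : 0`, or make every caller pass a populated ipsec_sa_cfg_t.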
@@ -853,7 +854,7 @@ static bool raw_eroute(const ip_address *this_host, if (deleting || replacing) { hydra->kernel_interface->del_policy(hydra->kernel_interface, - ts_src, ts_dst, dir, mark, routed); + ts_src, ts_dst, dir, sa->reqid, mark, priority); } if (!deleting && ok && @@ -861,7 +862,7 @@ static bool raw_eroute(const ip_address *this_host, { ok = hydra->kernel_interface->add_policy(hydra->kernel_interface, host_src, host_dst, ts_src, ts_dst, dir, type, sa, - mark, routed) == SUCCESS; + mark, priority) == SUCCESS; } } diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c index eab2a8f06..b4b18fd80 100644 --- a/src/pluto/kernel_alg.c +++ b/src/pluto/kernel_alg.c @@ -205,7 +205,7 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg, /* * key_len passed comes from esp_attrs read from peer - * For many older algoritms (eg 3DES) this key_len is fixed + * For many older algorithms (eg 3DES) this key_len is fixed * and get passed as 0. * ... then get default key_len */ diff --git a/src/pluto/keys.c b/src/pluto/keys.c index 4b0e08791..c5adbfd11 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -27,10 +27,12 @@ #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */ #include <sys/queue.h> +#ifdef HAVE_GLOB_H #include <glob.h> #ifndef GLOB_ABORTED # define GLOB_ABORTED GLOB_ABEND /* fix for old versions */ #endif +#endif #include <freeswan.h> @@ -833,14 +835,7 @@ static void process_secret(secret_t *s, int whackfd) err_t ugh = NULL; s->kind = SECRET_PSK; /* default */ - if (*tok == '"' || *tok == '\'') - { - log_psk("PSK", s); - - /* old PSK format: just a string */ - ugh = process_psk_secret(&s->u.preshared_secret); - } - else if (tokeqword("psk")) + if (tokeqword("psk")) { log_psk("PSK", s); 
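Review bot: The `@@ -833` hunk drops the legacy PSK syntax in which the secret is a bare quoted string without the `psk` keyword, and the `@@ -987` hunk in process_secret_records removes the matching quote detection, so an existing ipsec.secrets written that way now falls through to the remaining branches instead of loading. That is a user-visible compatibility change that nothing in this patch documents. A comment above the surviving branch, `/* a bare quoted string without the psk keyword is no longer accepted as a PSK */`, plus a note in the ipsec.secrets(5) manual page would make the behaviour discoverable when old files stop loading.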
@@ -987,13 +982,7 @@ static void process_secret_records(int whackfd) for (;;) { - if (tok[0] == '"' || tok[0] == '\'') - { - /* found key part */ - process_secret(s, whackfd); - break; - } - else if (tokeq(":")) + if (tokeq(":")) { /* found key part */ shift(); /* discard explicit separator */ @@ -1033,7 +1022,6 @@ static void process_secrets_file(const char *file_pat, int whackfd) { struct file_lex_position pos; char **fnp; - glob_t globbuf; pos.depth = flp == NULL? 0 : flp->depth + 1; @@ -1043,8 +1031,10 @@ static void process_secrets_file(const char *file_pat, int whackfd) return; } +#ifdef HAVE_GLOB_H /* do globbing */ { + glob_t globbuf; int r = glob(file_pat, GLOB_ERR, globugh, &globbuf); if (r != 0) @@ -1066,21 +1056,31 @@ static void process_secrets_file(const char *file_pat, int whackfd) globfree(&globbuf); return; } - } - /* for each file... */ - for (fnp = globbuf.gl_pathv; *fnp != NULL; fnp++) - { - if (lexopen(&pos, *fnp, FALSE)) + /* for each file... */ + for (fnp = globbuf.gl_pathv; *fnp != NULL; fnp++) { - plog("loading secrets from \"%s\"", *fnp); - (void) flushline("file starts with indentation (continuation notation)"); - process_secret_records(whackfd); - lexclose(); + if (lexopen(&pos, *fnp, FALSE)) + { + plog("loading secrets from \"%s\"", *fnp); + flushline("file starts with indentation (continuation notation)"); + process_secret_records(whackfd); + lexclose(); + } } - } - globfree(&globbuf); + globfree(&globbuf); + } +#else /* HAVE_GLOB_H */ + /* if glob(3) is not available, try to load pattern directly */ + if (lexopen(&pos, file_pat, FALSE)) + { + plog("loading secrets from \"%s\"", file_pat); + flushline("file starts with indentation (continuation notation)"); + process_secret_records(whackfd); + lexclose(); + } +#endif /* HAVE_GLOB_H */ } void free_preshared_secrets(void) @@ -1435,6 +1435,7 @@ void remove_x509_public_key(const cert_t *cert) void list_public_keys(bool utc) { pubkey_list_t *p = pubkeys; + chunk_t serial; if (p != NULL) { 
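Review bot: `char **fnp;` stays declared at function scope in the `@@ -1033` hunk, but after the `@@ -1066` hunk it is only used inside the `#ifdef HAVE_GLOB_H` block, so a build without glob.h gets an unused-variable warning; move it next to `glob_t globbuf;` inside that block. In the `#else` branch the pattern is handed to lexopen() verbatim, so a file_pat containing `*` or `?` presumably fails to open with a message that does not mention globbing; logging that first, `plog("glob(3) not available, loading \"%s\" literally", file_pat);`, would make the fallback understandable. The comment `/* if glob(3) is not available, try to load pattern directly */` could say the same thing.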
@@ -1465,7 +1466,8 @@ void list_public_keys(bool utc) } if (key->serial.len) { - whack_log(RC_COMMENT," serial: %#B", &key->serial); + serial = chunk_skip_zero(key->serial); + whack_log(RC_COMMENT," serial: %#B", &serial); } p = p->next; } diff --git a/src/pluto/lex.h b/src/pluto/lex.h index f16769144..aa0be7829 100644 --- a/src/pluto/lex.h +++ b/src/pluto/lex.h @@ -22,7 +22,7 @@ struct file_lex_position int lino; /* line number in file */ char buffer[MAX_TOK_LEN + 1]; /* note: one extra char for our use (jamming '"') */ char *cur; /* cursor */ - char under; /* except in shift(): character orignally at *cur */ + char under; /* except in shift(): character originally at *cur */ struct file_lex_position *previous; }; diff --git a/src/pluto/log.c b/src/pluto/log.c index c5f1776ec..f6fa226d5 100644 --- a/src/pluto/log.c +++ b/src/pluto/log.c @@ -28,6 +28,10 @@ #include <sys/stat.h> #include <sys/types.h> +#ifdef ANDROID +#include <android/log.h> +#endif + #include <freeswan.h> #include <library.h> #include <debug.h> @@ -124,7 +128,11 @@ static void pluto_dbg(debug_t group, level_t level, char *fmt, ...) vfprintf(stderr, fmt, args); fprintf(stderr, "\n"); } - if (log_to_syslog) + if (log_to_syslog +#ifdef ANDROID + || TRUE +#endif + ) { /* write in memory buffer first */ vsnprintf(buffer, sizeof(buffer), fmt, args); @@ -138,6 +146,11 @@ static void pluto_dbg(debug_t group, level_t level, char *fmt, ...) *(next++) = '\0'; } syslog(priority, "%s%s\n", (level > 1)? "| ":"", current); +#ifdef ANDROID + __android_log_print(level > 1 ? ANDROID_LOG_DEBUG + : ANDROID_LOG_INFO, "pluto", + "%s%s\n", level > 1 ? "| " : "", current); +#endif current = next; } } @@ -497,6 +510,9 @@ plog(const char *message, ...) syslog(LOG_WARNING, "%s", m); if (log_to_perpeer) peerlog("", m); +#ifdef ANDROID + __android_log_print(ANDROID_LOG_WARN, "pluto", "%s\n", m); +#endif whack_log(RC_LOG, "~%s", m); } 
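Review bot: The `|| TRUE` added to the condition in the `@@ -124` hunk makes the block unconditional on Android, but the `syslog(priority, ...)` call inside it in the `@@ -138` hunk is not itself guarded by `log_to_syslog`, so an Android build now writes every debug line to syslog even when syslog logging is disabled. The other hunks in this file keep `if (log_to_syslog)` around their syslog() calls and only add the Android call beside it. Guarding the inner call the same way, `if (log_to_syslog) { syslog(priority, "%s%s\n", (level > 1)? "| ":"", current); }`, keeps the Android path from changing syslog behaviour.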
@@ -517,6 +533,9 @@ loglog(int mess_no, const char *message, ...) syslog(LOG_WARNING, "%s", m); if (log_to_perpeer) peerlog("", m); +#ifdef ANDROID + __android_log_print(ANDROID_LOG_WARN, "pluto", "%s\n", m); +#endif whack_log(mess_no, "~%s", m); } @@ -536,9 +555,11 @@ log_errno_routine(int e, const char *message, ...) if (log_to_syslog) syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e)); if (log_to_perpeer) - { peerlog(strerror(e), m); - } +#ifdef ANDROID + __android_log_print(ANDROID_LOG_ERROR, "pluto", "ERROR: %s. Errno %d: %s\n", + m, e, strerror(e)); +#endif whack_log(RC_LOG_SERIOUS , "~ERROR: %s. Errno %d: %s", m, e, strerror(e)); @@ -560,6 +581,9 @@ exit_log(const char *message, ...) syslog(LOG_ERR, "FATAL ERROR: %s", m); if (log_to_perpeer) peerlog("FATAL ERROR: ", m); +#ifdef ANDROID + __android_log_print(ANDROID_LOG_ERROR, "pluto", "FATAL ERROR: %s\n", m); +#endif whack_log(RC_LOG_SERIOUS, "~FATAL ERROR: %s", m); @@ -582,6 +606,10 @@ exit_log_errno_routine(int e, const char *message, ...) syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e)); if (log_to_perpeer) peerlog(strerror(e), m); +#ifdef ANDROID + __android_log_print(ANDROID_LOG_ERROR, "pluto", "FATAL ERROR: %s. " + "Errno %d: %s\n", m, e, strerror(e)); +#endif whack_log(RC_LOG_SERIOUS , "~FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e)); @@ -631,6 +659,9 @@ whack_log(int mess_no, const char *message, ...) syslog(LOG_WARNING, "%s", m + prelen); if (log_to_perpeer) peerlog("", m); +#ifdef ANDROID + __android_log_print(ANDROID_LOG_WARN, "pluto", "%s\n", m + prelen); +#endif } #endif @@ -763,6 +794,9 @@ DBG_log(const char *message, ...) syslog(LOG_DEBUG, "| %s", m); if (log_to_perpeer) peerlog("| ", m); +#ifdef ANDROID + __android_log_print(ANDROID_LOG_DEBUG, "pluto", "| %s\n", m); +#endif } /* dump raw bytes in hex to stderr (for lack of any better destination) */ 
@@ -834,19 +868,8 @@ DBG_dump(const char *label, const void *p, size_t len) static void show_loaded_plugins() { - char buf[BUF_LEN]; - plugin_t *plugin; - int len = 0; - enumerator_t *enumerator; - - buf[0] = '\0'; - enumerator = lib->plugins->create_plugin_enumerator(lib->plugins); - while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin)) - { - len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin->get_name(plugin)); - } - enumerator->destroy(enumerator); - whack_log(RC_COMMENT, "loaded plugins: %s", buf); + whack_log(RC_COMMENT, "loaded plugins: %s", + lib->plugins->loaded_plugins(lib->plugins)); } void show_status(bool all, const char *name) diff --git a/src/pluto/myid.c b/src/pluto/myid.c index ad4eefd15..c90d14ef8 100644 --- a/src/pluto/myid.c +++ b/src/pluto/myid.c @@ -72,7 +72,7 @@ void set_myid(enum myid_state s, char *idstr) if (idstr) { myids[s]->destroy(myids[s]); - myids[s] = identification_create_from_string(idstr); + myids[s] = identification_create_from_string(idstr); if (s == MYID_SPECIFIED) { myid_state = MYID_SPECIFIED; diff --git a/src/pluto/nat_traversal.c b/src/pluto/nat_traversal.c index 5e9353b72..28be76825 100644 --- a/src/pluto/nat_traversal.c +++ b/src/pluto/nat_traversal.c @@ -232,7 +232,7 @@ void nat_traversal_natd_lookup(struct msg_digest *md) if (i < 2) { loglog(RC_LOG_SERIOUS, - "NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negociation", i); + "NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negotiation", i); st->nat_traversal = 0; return; } diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index f5ee07398..c299e3d39 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c 
@@ -607,24 +607,24 @@ void list_ocsp_locations(ocsp_location_t *location, bool requests, } while (certinfo) { + chunk_t serial = chunk_skip_zero(certinfo->serialNumber); + if (requests) { whack_log(RC_COMMENT, " serial: %#B, %d trials", - &certinfo->serialNumber, certinfo->trials); + &serial, certinfo->trials); } else if (certinfo->once) { whack_log(RC_COMMENT, " serial: %#B, %s, once%s", - &certinfo->serialNumber, - cert_status_names[certinfo->status], + &serial, cert_status_names[certinfo->status], (certinfo->nextUpdate < time(NULL))? " (expired)": ""); } else { whack_log(RC_COMMENT, " serial: %#B, %s, until %T %s", - &certinfo->serialNumber, - cert_status_names[certinfo->status], - &certinfo->nextUpdate, utc, + &serial, cert_status_names[certinfo->status], + &certinfo->nextUpdate, utc, check_expiry(certinfo->nextUpdate, OCSP_WARNING_INTERVAL, strict)); } certinfo = certinfo->next; @@ -1144,9 +1144,9 @@ static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res) *cert = cert_empty; cert->cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB_ASN1_DER, object, - BUILD_END); + CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, object, + BUILD_END); if (cert->cert == NULL) { DBG(DBG_CONTROL | DBG_PARSING, diff --git a/src/pluto/plugin_list.c b/src/pluto/plugin_list.c new file mode 100644 index 000000000..499218904 --- /dev/null +++ b/src/pluto/plugin_list.c 
@@ -0,0 +1,72 @@ +/* + * Copyright (C) 2011 Martin Willi, revosec AG + * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <whack.h> +#include <log.h> + +#include <library.h> +#include <utils/linked_list.h> + +/** + * List loaded plugin information + */ +void plugin_list(void) +{ + plugin_feature_t *features, *fp; + enumerator_t *enumerator; + linked_list_t *list; + plugin_t *plugin; + int count, i; + bool loaded; + char *str; + + whack_log(RC_COMMENT, " "); + whack_log(RC_COMMENT, "List of loaded Plugins:"); + whack_log(RC_COMMENT, " "); + + enumerator = lib->plugins->create_plugin_enumerator(lib->plugins); + while (enumerator->enumerate(enumerator, &plugin, &list)) + { + whack_log(RC_COMMENT, "%s:", plugin->get_name(plugin)); + if (plugin->get_features) + { + count = plugin->get_features(plugin, &features); + for (i = 0; i < count; i++) + { + str = plugin_feature_get_string(&features[i]); + switch (features[i].kind) + { + case FEATURE_PROVIDE: + fp = &features[i]; + loaded = list->find_first(list, NULL, + (void**)&fp) == SUCCESS; + whack_log(RC_COMMENT, " %s%s", + str, loaded ? "" : " (not loaded)"); + break; + case FEATURE_DEPENDS: + whack_log(RC_COMMENT, " %s", str); + break; + case FEATURE_SDEPEND: + whack_log(RC_COMMENT, " %s(soft)", str); + break; + default: + break; + } + free(str); + } + } + } + enumerator->destroy(enumerator); +} 
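Review bot: plugin_list.c does not include its own header, so the compiler cannot check the definition of plugin_list() against the prototype that rcv_whack.c uses; add `#include "plugin_list.h"` with the other includes. The function's only documentation is a one-line comment; a short block stating that it writes to the whack channel via whack_log(), that the string from plugin_feature_get_string() is owned here and freed after each feature, and that a provided feature missing from the loaded list is printed as `(not loaded)` would help a reader. The `default: break;` arm silently skips other feature kinds; a comment such as `/* other feature kinds are not of interest for this listing */` would mark that as deliberate.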
diff --git a/src/pluto/plugin_list.h b/src/pluto/plugin_list.h new file mode 100644 index 000000000..62e4a167d --- /dev/null +++ b/src/pluto/plugin_list.h @@ -0,0 +1,21 @@ +/* Generates a list of all loaded plugins and their dependencies + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef _PLUGIN_LIST_H +#define _PLUGIN_LIST_H + +extern void plugin_list(void); + +#endif /* _PLUGIN_LIST_H */ diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in index 3ae6ea12b..5a575548e 100644 --- a/src/pluto/plugins/xauth/Makefile.in +++ b/src/pluto/plugins/xauth/Makefile.in @@ -190,6 +190,9 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +axis2c_CFLAGS = @axis2c_CFLAGS@ +axis2c_LIBS = @axis2c_LIBS@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -198,6 +201,7 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +clearsilver_LIBS = @clearsilver_LIBS@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ 
@@ -214,11 +218,13 @@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ +imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +268,7 @@ sharedstatedir = @sharedstatedir@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ +starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ diff --git a/src/pluto/plugins/xauth/xauth_default_verifier.c b/src/pluto/plugins/xauth/xauth_default_verifier.c index 776f77134..ca2e36aa0 100644 --- a/src/pluto/plugins/xauth/xauth_default_verifier.c +++ b/src/pluto/plugins/xauth/xauth_default_verifier.c @@ -43,6 +43,13 @@ METHOD(xauth_verifier_t, verify_secret, bool, if (get_xauth_secret(user, server, &xauth_secret)) { success = chunk_equals(secret, xauth_secret); + + if (!success && secret.len && secret.ptr[secret.len - 1] == 0) + { /* fix for null-terminated passwords (e.g. from Android 4) */ + secret.len--; + success = chunk_equals(secret, xauth_secret); + } + chunk_clear(&xauth_secret); } return success; diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8 index 9ac537bd9..ed6f78050 100644 --- a/src/pluto/pluto.8 +++ b/src/pluto/pluto.8 @@ -1437,7 +1437,7 @@ Phase 1. \fBPluto\fP responds to \fBSIGHUP\fP by issuing a suggestion that ``\fBwhack\fP \-\-listen'' might have been intended. .LP -\fBPluto\fP exits when it recieves \fBSIGTERM\fP. +\fBPluto\fP exits when it receives \fBSIGTERM\fP. .SH EXIT STATUS .LP \fBpluto\fP normally forks a daemon process, so the exit status is 
@@ -1558,7 +1558,7 @@ There is no good way for a connection to be automatically terminated. This is a problem for Road Warrior and Opportunistic connections. The \fB\-\-dontrekey\fP option does prevent the SAs from being rekeyed on expiry. -Additonally, if a Road Warrior connection has a client subnet with a fixed IP +Additionally, if a Road Warrior connection has a client subnet with a fixed IP address, a negotiation with that subnet will cause any other connection instantiations with that same subnet to be unoriented (deleted, in effect). diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index 309bde649..dbc857ce2 100644 --- a/src/pluto/plutomain.c +++ b/src/pluto/plutomain.c @@ -22,6 +22,7 @@ #include <string.h> #include <sys/types.h> #include <sys/stat.h> +#include <sys/socket.h> #include <sys/un.h> #include <fcntl.h> #include <getopt.h> @@ -29,6 +30,7 @@ #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */ #include <sys/queue.h> #include <sys/prctl.h> +#include <signal.h> #include <pwd.h> #include <grp.h> @@ -79,11 +81,32 @@ #include "whack_attribute.h" #include "pluto.h" +#ifdef ANDROID +#include <private/android_filesystem_config.h> /* for AID_VPN */ +#endif + /** * Number of threads in the thread pool, if not specified in config. */ #define DEFAULT_THREADS 4 +/** + * PID file, in which pluto stores its process id + */ +static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX; + +/** + * TRUE if the lock has been checked. This helps to avoid any unintended + * deletion of the lock or control socket. + */ +static bool pluto_lock_checked = FALSE; + +/** + * Global reference to PID file (required to truncate, if undeletable) + */ +static FILE *pidfile = NULL; + + static void usage(const char *mess) { if (mess != NULL && *mess != '\0') 
@@ -148,59 +171,66 @@ static void usage(const char *mess) exit_pluto(mess == NULL? 0 : 1); } - -/* lock file support - * - provides convenient way for scripts to find Pluto's pid - * - prevents multiple Plutos competing for the same port - * - same basename as unix domain control socket - * NOTE: will not take account of sharing LOCK_DIR with other systems. - */ - -static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX; -static bool pluto_lock_created = FALSE; - -/* create lockfile, or die in the attempt */ -static int create_lock(void) +static bool check_lock() { - int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC - , S_IRUSR | S_IRGRP | S_IROTH); + struct stat stb; + FILE *fpid; - if (fd < 0) + if (stat(pluto_lock, &stb) == 0) { - if (errno == EEXIST) - { - fprintf(stderr, "pluto: lock file \"%s\" already exists\n" - , pluto_lock); - exit_pluto(10); - } - else + fpid = fopen(pluto_lock, "r"); + if (fpid) { - fprintf(stderr - , "pluto: unable to create lock file \"%s\" (%d %s)\n" - , pluto_lock, errno, strerror(errno)); - exit_pluto(1); + char buf[64]; + pid_t pid = 0; + + memset(buf, 0, sizeof(buf)); + if (fread(buf, 1, sizeof(buf), fpid)) + { + buf[sizeof(buf) - 1] = '\0'; + pid = atoi(buf); + } + fclose(fpid); + if (pid && kill(pid, 0) == 0) + { /* such a process is running */ + return TRUE; + } } + fprintf(stderr, "pluto: removing lock file \"%s\", process not " + "running\n", pluto_lock); + unlink(pluto_lock); } - pluto_lock_created = TRUE; - return fd; + pluto_lock_checked = TRUE; + return FALSE; } -static bool fill_lock(int lockfd, pid_t pid) +static void fill_lock(void) { - char buf[30]; /* holds "<pid>\n" */ - int len = snprintf(buf, sizeof(buf), "%u\n", (unsigned int) pid); - bool ok = len > 0 && write(lockfd, buf, len) == len; - - close(lockfd); - return ok; + pidfile = fopen(pluto_lock, "w"); + if (pidfile) + { + fprintf(pidfile, "%u\n", (u_int)getpid()); + fflush(pidfile); + } + /* keep pidfile open so we can 
truncate it, if we cannot delete it */ } static void delete_lock(void) { - if (pluto_lock_created) + /* because unlinking the PID file may fail, we truncate it to ensure the + * daemon can be properly restarted. one probable cause for this is the + * combination of not running as root and the effective user lacking + * permissions on the parent dir(s) of the PID file */ + if (pluto_lock_checked) { + if (pidfile) + { + ignore_result(ftruncate(fileno(pidfile), 0)); + fclose(pidfile); + } + unlink(pluto_lock); + /* delete this here to avoid that exit_pluto calls delete the socket */ delete_ctl_socket(); - unlink(pluto_lock); /* is noting failure useful? */ } } @@ -234,26 +264,6 @@ static const char *pkcs11_init_args = NULL; /* options read by optionsfrom */ options_t *options; -/** - * Log loaded plugins - */ -static void print_plugins() -{ - char buf[BUF_LEN]; - plugin_t *plugin; - int len = 0; - enumerator_t *enumerator; - - buf[0] = '\0'; - enumerator = lib->plugins->create_plugin_enumerator(lib->plugins); - while (len < BUF_LEN && enumerator->enumerate(enumerator, &plugin)) - { - len += snprintf(&buf[len], BUF_LEN-len, "%s ", plugin->get_name(plugin)); - } - enumerator->destroy(enumerator); - DBG1(DBG_DMN, "loaded plugins: %s", buf); -} - int main(int argc, char **argv) { bool fork_desired = TRUE; @@ -263,9 +273,14 @@ int main(int argc, char **argv) unsigned int keep_alive = 0; bool force_keepalive = FALSE; char *virtual_private = NULL; - int lockfd; #ifdef CAPABILITIES - int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE }; + int keep[] = { + CAP_NET_ADMIN, + CAP_NET_BIND_SERVICE, +#ifdef ANDROID + CAP_NET_RAW, +#endif + }; #endif /* CAPABILITIES */ /* initialize library and optionsfrom */ 
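Review bot: check_lock() in this hunk loses the atomicity the removed create_lock() had: it stat()s, reads and possibly unlink()s the file, and fill_lock() later creates it with `fopen(pluto_lock, "w")`, so two plutos started at the same moment can both pass the check and both write the file, and a symlink planted at that path is followed by fopen() where O_CREAT|O_EXCL refused to. The liveness test `kill(pid, 0) == 0` treats EPERM as "not running", so a lock held by a pluto running under another uid is removed as stale, and `atoi()` lets a negative value through to kill(), which then probes a process group. fill_lock() also ignores a failed fopen() silently where the old code reported it and exited, runs in the child after fork() so any report may go nowhere, and creates the file with the umask default instead of the old 0444. The excerpt below parses the pid with strtol(), accepts EPERM as alive, and recreates the file with O_CREAT|O_EXCL through fdopen(); creating the file before fork() and only writing the pid afterwards would additionally let a failure abort startup the way create_lock() did.
```c
static bool check_lock()
{
	/* … unchanged: stat() and fopen() of pluto_lock … */
			char buf[64];
			char *end = NULL;
			long pid = 0;

			memset(buf, 0, sizeof(buf));
			if (fread(buf, 1, sizeof(buf), fpid))
			{
				buf[sizeof(buf) - 1] = '\0';
				pid = strtol(buf, &end, 10);
			}
			fclose(fpid);
			/* EPERM means the process exists but belongs to another user */
			if (end != buf && pid > 0 &&
				(kill((pid_t)pid, 0) == 0 || errno == EPERM))
			{	/* such a process is running */
				return TRUE;
			}
	/* … unchanged: stale lock removal and pluto_lock_checked … */
}

static void fill_lock(void)
{
	/* O_CREAT|O_EXCL fails if the file (or a symlink) appeared since
	 * check_lock(), so two racing plutos cannot both claim it */
	int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL,
				  S_IRUSR | S_IRGRP | S_IROTH);

	if (fd >= 0)
	{
		pidfile = fdopen(fd, "w");
		if (pidfile == NULL)
		{
			close(fd);
		}
	}
	if (pidfile)
	{
		fprintf(pidfile, "%u\n", (u_int)getpid());
		fflush(pidfile);
	}
	else
	{
		fprintf(stderr, "pluto: unable to create lock file \"%s\" (%d %s)\n",
				pluto_lock, errno, strerror(errno));
	}
	/* keep pidfile open so we can truncate it, if we cannot delete it */
}
```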
@@ -313,11 +328,7 @@ int main(int argc, char **argv) { "perpeerlogbase", required_argument, NULL, 'P' }, { "perpeerlog", no_argument, NULL, 'l' }, { "policygroupsdir", required_argument, NULL, 'f' }, -#ifdef USE_LWRES - { "lwdnsq", required_argument, NULL, 'a' }, -#else /* !USE_LWRES */ { "adns", required_argument, NULL, 'a' }, -#endif /* !USE_LWRES */ { "pkcs11module", required_argument, NULL, 'm' }, { "pkcs11keepstate", no_argument, NULL, 'k' }, { "pkcs11initargs", required_argument, NULL, 'z' }, @@ -471,11 +482,11 @@ int main(int argc, char **argv) case 'f': /* --policygroupsdir <policygroups-dir> */ policygroups_dir = optarg; continue; - +#ifdef ADNS case 'a': /* --adns <pathname> */ pluto_adns_option = optarg; continue; - +#endif case 'm': /* --pkcs11module <pathname> */ pkcs11_module_path = optarg; continue; @@ -545,7 +556,12 @@ int main(int argc, char **argv) if (optind != argc) usage("unexpected argument"); reset_debugging(); - lockfd = create_lock(); + + if (check_lock()) + { + fprintf(stderr, "pluto: lock file \"%s\" already exists\n", pluto_lock); + exit_pluto(10); + } /* select between logging methods */ @@ -598,11 +614,13 @@ int main(int argc, char **argv) if (pid != 0) { - /* parent: die, after filling PID into lock file. + /* parent: die * must not use exit_pluto: lock would be removed! */ - exit(fill_lock(lockfd, pid)? 0 : 1); + exit(0); } + /* child: fill PID into lock file */ + fill_lock(); } if (setsid() < 0) @@ -617,7 +635,7 @@ int main(int argc, char **argv) else { /* no daemon fork: we have to fill in lock file */ - (void) fill_lock(lockfd, getpid()); + fill_lock(); fprintf(stdout, "Pluto initialized\n"); fflush(stdout); } @@ -637,6 +655,9 @@ int main(int argc, char **argv) close(fd); } + /* for uncritical pseudo random numbers */ + srand(time(NULL) + getpid()); + init_constants(); init_log("pluto"); 
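Review bot: The `@@ -471` hunk compiles `case 'a'` out when ADNS is undefined, but the long-option table in the `@@ -313` hunk still lists `{ "adns", required_argument, NULL, 'a' }` unconditionally, so such a build accepts `--adns <path>` from getopt_long and then hands 'a' to whatever the switch does for unknown options instead of saying that DNS lookup support is absent. Either wrap the table entry in the same `#ifdef ADNS`, or keep the case and answer with a clear message, e.g. `case 'a': usage("--adns not supported, pluto was built without ADNS");`. The switch's default arm is outside the hunk, so I cannot see what the user currently gets.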
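Review bot: In the `@@ -598` hunk the parent now calls `exit(0)` straight after fork() while the PID file is written by the child in fill_lock(), whereas the removed code wrote the child's pid from the parent before it exited; a script that starts pluto and reads the lock file as soon as the foreground process returns can now find it missing or empty. If the starter depends on that ordering (its code is not in this diff), either keep writing the child's pid from the parent, or have the parent wait for a readiness notification from the child before exiting. At minimum the new comment should say `/* child: fill PID into lock file; the parent has already exited, so the file may not exist yet when the caller returns */`.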
@@ -660,7 +681,8 @@ int main(int argc, char **argv) { exit(SS_RC_INITIALIZATION_FAILED); } - print_plugins(); + DBG1(DBG_DMN, "loaded plugins: %s", + lib->plugins->loaded_plugins(lib->plugins)); init_builder(); if (!init_secret() || !init_crypto()) @@ -674,22 +696,24 @@ int main(int argc, char **argv) init_states(); init_demux(); init_kernel(); +#ifdef ADNS init_adns(); +#endif init_myid(); fetch_initialize(); ac_initialize(); whack_attribute_initialize(); /* drop unneeded capabilities and change UID/GID */ - prctl(PR_SET_KEEPCAPS, 1); + prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); #ifdef IPSEC_GROUP { struct group group, *grp; - char buf[1024]; + char buf[1024]; if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 || - grp == NULL || setgid(grp->gr_gid) != 0) + grp == NULL || setgid(grp->gr_gid) != 0) { plog("unable to change daemon group"); abort(); @@ -699,15 +723,22 @@ int main(int argc, char **argv) #ifdef IPSEC_USER { struct passwd passwd, *pwp; - char buf[1024]; + char buf[1024]; if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 || - pwp == NULL || setuid(pwp->pw_uid) != 0) + pwp == NULL || setuid(pwp->pw_uid) != 0) { plog("unable to change daemon user"); abort(); } - } + } +#endif +#ifdef ANDROID + if (setuid(AID_VPN) != 0) + { + plog("unable to change daemon user"); + abort(); + } #endif #ifdef CAPABILITIES_LIBCAP @@ -793,7 +824,9 @@ void exit_pluto(int status) free_ifaces(); ac_finalize(); /* free X.509 attribute certificates */ scx_finalize(); /* finalize and unload PKCS #11 module */ +#ifdef ADNS stop_adns(); +#endif free_md_pool(); free_crypto(); free_myid(); /* free myids */ @@ -803,6 +836,7 @@ void exit_pluto(int status) delete_lock(); options->destroy(options); pluto_deinit(); + lib->credmgr->flush_cache(lib->credmgr, CERT_ANY); lib->plugins->unload(lib->plugins); libhydra_deinit(); library_deinit(); diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c index c140095f0..0a7b33ab5 100644 --- a/src/pluto/rcv_whack.c 
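Review bot: The `#ifdef ANDROID` block in the `@@ -699` hunk calls `setuid(AID_VPN)` without a preceding setgid()/setgroups(), so unless IPSEC_GROUP is also defined for the Android build the daemon keeps root's primary and supplementary groups after dropping its uid; IPSEC_GROUP's definition for that build is outside this hunk, so I cannot confirm which groups remain. The block is also not mutually exclusive with the IPSEC_USER block just above it: if both are defined, the second setuid() runs without privilege, fails, and reaches abort(). Consider `#if defined(ANDROID) && !defined(IPSEC_USER)` for the Android block and add `setgid(AID_VPN)` (and `setgroups(0, NULL)` where the platform provides it) before the setuid() call.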
+++ b/src/pluto/rcv_whack.c @@ -57,6 +57,7 @@ #include "myid.h" #include "kernel_alg.h" #include "ike_alg.h" +#include "plugin_list.h" #include "whack_attribute.h" /* helper variables and function to decode strings from whack message */ @@ -132,6 +133,8 @@ static void key_add_merge(struct key_add_common *oc, identification_t *keyid) } } +#ifdef ADNS + static void key_add_continue(struct adns_continuation *ac, err_t ugh) { struct key_add_continuation *kc = (void *) ac; @@ -159,6 +162,8 @@ static void key_add_continue(struct adns_continuation *ac, err_t ugh) whack_log_fd = NULL_FD; } +#endif /* ADNS */ + static void key_add_request(const whack_message_t *msg) { identification_t *key_id; @@ -189,9 +194,11 @@ static void key_add_request(const whack_message_t *msg) kc = malloc_thing(struct key_add_continuation); kc->common = oc; kc->lookingfor = kaa; + ugh = NULL; switch (kaa) { +#ifdef ADNS case ka_TXT: ugh = start_adns_query(key_id , key_id /* same */ @@ -199,6 +206,7 @@ static void key_add_request(const whack_message_t *msg) , key_add_continue , &kc->ac); break; +#endif /* ADNS */ #ifdef USE_KEYRR case ka_KEY: ugh = start_adns_query(key_id @@ -282,7 +290,7 @@ void whack_handle(int whackctlfd) { if (msg.magic == WHACK_BASIC_MAGIC) { - /* Only shutdown command. Simpler inter-version compatability. */ + /* Only shutdown command. Simpler inter-version compatibility. */ if (msg.whack_shutdown) { plog("shutting down"); @@ -437,7 +445,9 @@ void whack_handle(int whackctlfd) plog("listening for IKE messages"); listening = TRUE; daily_log_reset(); +#ifdef ADNS reset_adns_restart_count(); +#endif set_myFQDN(); find_ifaces(); load_preshared_secrets(NULL_FD); @@ -548,6 +558,11 @@ void whack_handle(int whackctlfd) kernel_alg_list(); } + if (msg.whack_list & LIST_PLUGINS) + { + plugin_list(); + } + if (msg.whack_key) { /* add a public key */ diff --git a/src/pluto/server.c b/src/pluto/server.c index 4d07843c1..167b1d4c7 100644 --- a/src/pluto/server.c +++ b/src/pluto/server.c 
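Review bot: With ADNS undefined the `@@ -189` hunk removes the `case ka_TXT:` arm but `kaa` still takes that value, so the switch falls to its default, which is outside the hunk; if that default is still a bad_case() assertion, a whack key request without a key value becomes a daemon abort in a non-ADNS build. The added `ugh = NULL;` does not cover this, because nothing sets ugh on that path. Adding `#ifndef ADNS` / `case ka_TXT: ugh = "adns not supported"; break;` / `#endif` next to the existing arm keeps the error path below the switch working without DNS support. The enclosing loop and the default arm are outside the hunk.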
@@ -222,10 +222,6 @@ use_interface(const char *rifn)
 }
 }
-#ifndef IPSECDEVPREFIX
-# define IPSECDEVPREFIX "ipsec"
-#endif
-
 static struct raw_iface *
 find_raw_ifaces4(void)
 {
@@ -233,7 +229,7 @@ find_raw_ifaces4(void)
 struct ifconf ifconf;
 struct ifreq buf[300]; /* for list of interfaces -- arbitrary limit */
 struct raw_iface *rifaces = NULL;
- int master_sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
+ int master_sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
 /* get list of interfaces with assigned IPv4 addresses from system */
@@ -401,7 +397,6 @@ find_raw_ifaces6(void)
 return rifaces;
 }
-#if 1
 static int
 create_socket(struct raw_iface *ifp, const char *v_name, int port)
 {
@@ -414,7 +409,6 @@ create_socket(struct raw_iface *ifp, const char *v_name, int port)
 return -1;
 }
-#if 1
 /* Set socket Nonblocking */
 if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
 if (!(fcntl_flags & O_NONBLOCK)) {
@@ -422,7 +416,6 @@ create_socket(struct raw_iface *ifp, const char *v_name, int port)
 fcntl(fd, F_SETFL, fcntl_flags);
 }
 }
-#endif
 if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
 {
@@ -467,7 +460,6 @@ create_socket(struct raw_iface *ifp, const char *v_name, int port)
 }
 #endif
-#if defined(linux) && defined(KERNEL26_SUPPORT)
 {
 struct sadb_x_policy policy;
 int level, opt;
@@ -509,7 +501,6 @@ create_socket(struct raw_iface *ifp, const char *v_name, int port)
 return -1;
 }
 }
-#endif
 setportof(htons(port), &ifp->addr);
 if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
@@ -523,29 +514,21 @@ create_socket(struct raw_iface *ifp, const char *v_name, int port)
 setportof(htons(pluto_port), &ifp->addr);
 return fd;
 }
-#endif
 static void
 process_raw_ifaces(struct raw_iface *rifaces)
 {
 struct raw_iface *ifp;
- /* Find all virtual/real interface pairs.
- * For each real interface...
+ /* For each real interface...
 */
 for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
 {
- struct raw_iface *v = NULL; /* matching ipsecX interface */
+ struct raw_iface *v = NULL;
 bool after = FALSE; /* has vfp passed ifp on the list? */
 bool bad = FALSE;
 struct raw_iface *vfp;
- /* ignore if virtual (ipsec*) interface */
- if (strneq(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1))
- {
- continue;
- }
-
 for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
 {
 if (vfp == ifp)
@@ -554,74 +537,26 @@ process_raw_ifaces(struct raw_iface *rifaces)
 }
 else if (sameaddr(&ifp->addr, &vfp->addr))
 {
- /* Different entries with matching IP addresses.
- * Many interesting cases.
+ /* ugh: a second interface with the same IP address
+ * "after" allows us to avoid double reporting.
 */
- if (strneq(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1))
+ if (after)
 {
- if (v != NULL && !streq(v->name, vfp->name))
- {
- loglog(RC_LOG_SERIOUS
- , "ipsec interfaces %s and %s share same address %s"
- , v->name, vfp->name, ip_str(&ifp->addr));
- bad = TRUE;
- }
- else
- {
- v = vfp; /* current winner */
- }
- }
- else
- {
- /* ugh: a second real interface with the same IP address
- * "after" allows us to avoid double reporting.
- */
-#if defined(linux) && defined(KERNEL26_SUPPORT)
- {
- if (after)
- {
- bad = TRUE;
- break;
- }
- continue;
- }
-#endif
- if (after)
- {
- loglog(RC_LOG_SERIOUS
- , "IP interfaces %s and %s share address %s!"
- , ifp->name, vfp->name, ip_str(&ifp->addr));
- }
 bad = TRUE;
+ break;
 }
+ continue;
 }
 }
 if (bad)
 continue;
-#if defined(linux) && defined(KERNEL26_SUPPORT)
- {
- v = ifp;
- goto add_entry;
- }
-#endif
-
- /* what if we didn't find a virtual interface? */
- if (v == NULL)
- {
- DBG(DBG_CONTROL,
- DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
- , ifp->name, ip_str(&ifp->addr)));
- continue;
- }
+ v = ifp;
 /* We've got all we need; see if this is a new thing:
 * search old interfaces list.
 */
-#if defined(linux) && defined(KERNEL26_SUPPORT)
-add_entry:
-#endif
 {
 struct iface **p = &interfaces;
@@ -787,6 +722,7 @@ call_server(void)
 act.sa_handler = &termhandler;
 r = sigaction(SIGTERM, &act, NULL);
+ r = sigaction(SIGINT, &act, NULL);
 passert(r == 0);
 }
@@ -821,6 +757,7 @@ call_server(void)
 FD_ZERO(&writefds);
 FD_SET(ctl_fd, &readfds);
+#ifdef ADNS
 /* the only write file-descriptor of interest */
 if (adns_qfd != NULL_FD && unsent_ADNS_queries)
 {
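Review bot: In the rewritten duplicate-address branch of process_raw_ifaces, a second interface sharing an IP is now dropped silently: the `loglog(RC_LOG_SERIOUS, ...)` that reported shared addresses is removed and the new `if (after) { bad = TRUE; break; }` emits nothing, so an operator gets no hint why an interface is not being listened on. The removed Linux-only path behaved the same way, but a debug line before the `break;`, e.g. `DBG(DBG_CONTROL, DBG_log("IP interface %s %s shares address with %s -- ignored", ifp->name, ip_str(&ifp->addr), vfp->name));`, would keep the condition diagnosable. With the ipsec* pairing gone, `v` is only ever assigned `ifp` (`v = ifp;`), so the variable could be dropped in favour of `ifp` in the add path that follows the hunk. process_raw_ifaces starts and ends outside the hunk.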
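Review bot: The added `r = sigaction(SIGINT, &act, NULL);` in the -787 hunk of call_server overwrites the result of the SIGTERM registration on the line above before `passert(r == 0)` runs, so a failing SIGTERM sigaction is no longer detected. Either check each call separately, `passert(sigaction(SIGTERM, &act, NULL) == 0);` and `passert(sigaction(SIGINT, &act, NULL) == 0);` (assuming passert is never compiled out here), or accumulate with `r |= sigaction(SIGINT, &act, NULL);` since sigaction returns -1 on failure. call_server continues outside the hunk.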
@@ -835,6 +772,7 @@ call_server(void)
 maxfd = adns_afd;
 FD_SET(adns_afd, &readfds);
 }
+#endif /* ADNS */
 events_fd = pluto->events->get_event_fd(pluto->events);
 if (maxfd < events_fd)
@@ -902,6 +840,7 @@ call_server(void)
 {
 /* at least one file descriptor is ready */
+#ifdef ADNS
 if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
 {
 passert(ndes > 0);
@@ -920,6 +859,7 @@ call_server(void)
 passert(GLOBALS_ARE_RESET());
 ndes--;
 }
+#endif /* ADNS*/
 if (FD_ISSET(events_fd, &readfds))
 {
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index 48585432b..06fe7d7c8 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -1300,7 +1300,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
 * proposal is emitted into it.
 *
 * If "selection" is true, the SA is supposed to represent the
- * single tranform that the peer has accepted.
+ * single transform that the peer has accepted.
 * ??? We only check that it is acceptable, not that it is one that we offered!
 *
 * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
diff --git a/src/pluto/spdb.h b/src/pluto/spdb.h
index 221cc00bb..8a0bffbbd 100644
--- a/src/pluto/spdb.h
+++ b/src/pluto/spdb.h
@@ -100,7 +100,7 @@ extern notification_t parse_ipsec_sa_body(
 pb_stream *sa_pbs, /* body of input SA Payload */
 const struct isakmp_sa *sa, /* header of input SA Payload */
 pb_stream *r_sa_pbs, /* if non-NULL, where to emit winning SA */
- bool selection, /* if this SA is a selection, only one tranform can appear */
+ bool selection, /* if this SA is a selection, only one transform can appear */
 struct state *st); /* current state object */
 extern void backup_pbs(pb_stream *pbs);
diff --git a/src/pluto/state.c b/src/pluto/state.c
index e4234bc87..f5185888e 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
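Review bot: The closing guard comment `#endif /* ADNS*/` in the -920 hunk of call_server lacks the space that every other ADNS guard in this commit uses (`#endif /* ADNS */`); keeping them uniform makes the markers greppable when the ADNS code is eventually removed or restored. call_server starts and ends outside the hunk.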
@@ -216,7 +216,7 @@ struct state *state_with_serialno(so_serial_t sn)
 }
 /* Insert a state object in the hash table. The object is inserted
- * at the begining of list.
+ * at the beginning of list.
 * Needs cookies, connection, and msgid.
 */
 void insert_state(struct state *st)
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
index c1ad55f5e..1d34d2c54 100644
--- a/src/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -46,18 +46,7 @@
 */
 time_t now(void)
 {
- static time_t delta = 0
- , last_time = 0;
- time_t n = time(NULL);
-
- passert(n != (time_t)-1);
- if (last_time > n)
- {
- plog("time moved backwards %ld seconds", (long)(last_time - n));
- delta += last_time - n;
- }
- last_time = n;
- return n + delta;
+ return time_monotonic(NULL);
 }
 /* This file has the event handling routines. Events are
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index 99cfc5734..6cc599d8d 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -346,7 +346,7 @@ static void handle_known_vendorid (struct msg_digest *md, const char *vidstr,
 case VID_STRONGSWAN:
 vid_useful = TRUE;
 break;
-
+
 /* Remote side supports OpenPGP certificates */
 case VID_OPENPGP:
 md->openpgp = TRUE;
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index 7e2aca862..f017e5775 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -410,7 +410,7 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
 certificate->get_subject(certificate));
 whack_log(RC_COMMENT, " issuer: \"%Y\"",
 certificate->get_issuer(certificate));
- serial = x509->get_serial(x509);
+ serial = chunk_skip_zero(x509->get_serial(x509));
 whack_log(RC_COMMENT, " serial: %#B", &serial);
 /* list validity */ |
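Review bot: `now()` in timer.c is reduced to `return time_monotonic(NULL);`, which changes its contract from a wall-clock `time_t` with backwards-jump compensation (and a `passert` on `time()` failure) to a monotonic clock whose epoch is unrelated to `time()`. Any caller that compares the result with absolute timestamps — certificate or CRL validity, lifetimes received from a peer — rather than with other now() values would silently break; those callers are outside the hunk, so this deserves a grep before merging. The comment block that ends with the ` */` context line at the top of the hunk presumably still describes the old behaviour and should say something like `/* now(): monotonic seconds; compare only against other now() values, never against wall-clock timestamps. */`.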