Diffstat (limited to 'src/pluto')
-rw-r--r-- | src/pluto/Makefile.am | 3 | ||||
-rw-r--r-- | src/pluto/Makefile.in | 18 | ||||
-rw-r--r-- | src/pluto/crl.c | 14 | ||||
-rw-r--r-- | src/pluto/crl.h | 1 | ||||
-rw-r--r-- | src/pluto/fetch.c | 3 | ||||
-rw-r--r-- | src/pluto/kernel_netlink.c | 4 | ||||
-rw-r--r-- | src/pluto/keys.c | 2 | ||||
-rw-r--r-- | src/pluto/linux26/netlink.h | 90 | ||||
-rw-r--r-- | src/pluto/linux26/rtnetlink.h | 562 | ||||
-rw-r--r-- | src/pluto/linux26/xfrm.h | 233 | ||||
-rw-r--r-- | src/pluto/modecfg.c | 3 | ||||
-rw-r--r-- | src/pluto/oid.c | 283 | ||||
-rw-r--r-- | src/pluto/oid.h | 115 | ||||
-rw-r--r-- | src/pluto/oid.txt | 1 | ||||
-rw-r--r-- | src/pluto/plutomain.c | 29 | ||||
-rw-r--r-- | src/pluto/vendor.c | 4 | ||||
-rw-r--r-- | src/pluto/vendor.h | 2 | ||||
-rw-r--r-- | src/pluto/xauth.c | 2 | ||||
-rw-r--r-- | src/pluto/xauth.h | 2 |
19 files changed, 278 insertions, 1093 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index b1b848c76..7dd5f422b 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -64,12 +64,12 @@ xauth.c xauth.h \ x509.c x509.h \ alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \ alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \ -linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h _pluto_adns_SOURCES = adns.c adns.h INCLUDES = \ +-I${linuxdir} \ -I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/libcrypto \ -I$(top_srcdir)/src/whack @@ -137,4 +137,5 @@ install-exec-local : mkdir -p -m 755 $(confdir)/ipsec.d/crls mkdir -p -m 755 $(confdir)/ipsec.d/reqs mkdir -p -m 700 $(confdir)/ipsec.d/private + chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 1f996a065..e164717a9 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -164,6 +164,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ +LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ @@ -176,6 +177,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -186,8 +188,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ +USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ +USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ 
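Review bot: The added `-I${linuxdir}` line in INCLUDES uses `${...}` while every neighbouring entry (`-I$(top_srcdir)/...`) uses `$(...)`; make treats both the same, but mixing the two forms in one variable reads as a slip and the file otherwise uses `$(...)` throughout. Writing it as `-I$(linuxdir) \` keeps the block uniform; the same line appears in the generated Makefile.in hunk at +323, which will follow automake once the .am is fixed.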
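Review bot: The new `chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d` in install-exec-local re-owns everything already present under ipsec.d on every `make install`, not only the directories this recipe creates, so keys and certificates an administrator placed there earlier change owner silently, including whatever is under the 0700 `private` directory. It also targets the live `$(confdir)` rather than a staged tree, as the surrounding mkdir lines do, so in a packaging chroot the ipsec user may not exist yet and the rule would presumably fail there. Restricting it to the directories created here, e.g. `chown $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d $(confdir)/ipsec.d/crls $(confdir)/ipsec.d/reqs $(confdir)/ipsec.d/private` without `-R`, or guarding with `test -z "$(ipsecuid)" ||`, limits the blast radius. The same line is mirrored in the generated Makefile.in hunk at +888; the install-exec-local recipe begins before this hunk.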
@@ -209,6 +215,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -218,6 +225,8 @@ build_vendor = @build_vendor@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ +dbus_CFLAGS = @dbus_CFLAGS@ +dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ eapdir = @eapdir@ @@ -231,9 +240,13 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecuid = @ipsecuid@ libdir = @libdir@ libexecdir = @libexecdir@ +linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ @@ -248,6 +261,8 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ pluto_SOURCES = \ ac.c ac.h \ alg_info.c alg_info.h \ @@ -308,11 +323,11 @@ xauth.c xauth.h \ x509.c x509.h \ alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \ alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \ -linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h _pluto_adns_SOURCES = adns.c adns.h INCLUDES = \ +-I${linuxdir} \ -I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/libcrypto \ -I$(top_srcdir)/src/whack @@ -873,6 +888,7 @@ install-exec-local : mkdir -p -m 755 $(confdir)/ipsec.d/crls mkdir -p -m 755 $(confdir)/ipsec.d/reqs mkdir -p -m 700 $(confdir)/ipsec.d/private + chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/pluto/crl.c b/src/pluto/crl.c index 05e8d1402..dc8932769 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c 
@@ -121,6 +121,7 @@ const x509crl_t empty_x509crl = { /* extnValue */ { NULL, 0 } , /* authKeyID */ { NULL, 0 } , /* authKeySerialNumber */ + { NULL, 0 } , /* crlNumber */ OID_UNKNOWN , /* algorithm */ { NULL, 0 } /* signature */ }; @@ -491,6 +492,12 @@ parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl) parse_authorityKeyIdentifier(object, level , &crl->authKeyID, &crl->authKeySerialNumber); } + else if (extn_oid == OID_CRL_NUMBER) + { + if (!parse_asn1_simple_object(&object, ASN1_INTEGER, level, "crlNumber")) + return FALSE; + crl->crlNumber = object; + } } break; case CRL_OBJ_ALGORITHM: @@ -735,7 +742,12 @@ list_crls(bool utc, bool strict) timetoa(&crl->installed, utc), revoked); dntoa(buf, BUF_LEN, crl->issuer); whack_log(RC_COMMENT, " issuer: '%s'", buf); - + if (crl->crlNumber.ptr != NULL) + { + datatot(crl->crlNumber.ptr, crl->crlNumber.len, ':' + , buf, BUF_LEN); + whack_log(RC_COMMENT, " crlnumber: %s", buf); + } list_distribution_points(crl->distributionPoints); whack_log(RC_COMMENT, " updates: this %s", diff --git a/src/pluto/crl.h b/src/pluto/crl.h index 9f985b6cd..328539770 100644 --- a/src/pluto/crl.h +++ b/src/pluto/crl.h @@ -52,6 +52,7 @@ struct x509crl { /* extnValue */ chunk_t authKeyID; chunk_t authKeySerialNumber; + chunk_t crlNumber; /* signatureAlgorithm */ int algorithm; diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c index e3e56d3a8..8f48152f6 100644 --- a/src/pluto/fetch.c +++ b/src/pluto/fetch.c @@ -32,6 +32,9 @@ #include <freeswan.h> #ifdef LIBLDAP +#ifndef LDAP_DEPRECATED +#define LDAP_DEPRECATED 1 +#endif #include <ldap.h> #endif diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c index 1947ddbac..9b9d7b9ed 100644 --- a/src/pluto/kernel_netlink.c +++ b/src/pluto/kernel_netlink.c 
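Review bot: The new `else if (extn_oid == OID_CRL_NUMBER)` branch in parse_x509crl stores the raw INTEGER contents in `crl->crlNumber` without bounding its length, although a CRL pulled from a distribution point is untrusted input and RFC 5280 §5.2.3 caps CRL numbers at 20 octets. A check before the assignment such as `if (object.len > 20) { plog("crlNumber longer than 20 octets"); return FALSE; }` (or only a log line, if interoperability with non-conforming issuers matters more) keeps the field small for everything that later prints or compares it. Like the sibling authKeyID assignment, the chunk presumably aliases the parsed blob rather than copying it, so its lifetime is tied to the CRL's buffer; a short comment on the field in crl.h would make that ownership explicit. parse_x509crl begins before and ends after this hunk.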
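Review bot: The `datatot(crl->crlNumber.ptr, crl->crlNumber.len, ':' , buf, BUF_LEN)` call in list_crls discards datatot's return value (the length the rendering needs, per its libfreeswan contract), so a crlNumber whose ':'-separated hex form exceeds BUF_LEN is printed truncated with no indication. The dntoa line above it has the same shape, but this value comes straight out of a parsed CRL, so either check the returned length against BUF_LEN before the whack_log, or rely on a documented bound enforced in parse_x509crl and say so in a comment, e.g. `/* crlNumber is at most 20 octets (checked in parse_x509crl), so 3*20 < BUF_LEN */`. list_crls continues outside the hunk.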
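Review bot: Defining `LDAP_DEPRECATED 1` ahead of `#include <ldap.h>` re-enables the legacy OpenLDAP entry points for whatever calls fetch.c makes further down (outside the hunk), which keeps the build going but commits the CRL fetcher to an API OpenLDAP no longer maintains; if the legacy `ldap_init(host, port)` form is what is used, it also cannot express an ldaps:// URI the way `ldap_initialize()` can. A comment on the define naming the reason and the exit path, e.g. `/* fetch.c still uses the legacy OpenLDAP calls; port to ldap_initialize()/ldap_sasl_bind_s() and drop this */`, stops the define from being copied elsewhere without that context.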
@@ -24,10 +24,10 @@ #include <sys/types.h> #include <sys/queue.h> #include <unistd.h> +#include <linux/xfrm.h> +#include <linux/rtnetlink.h> #include "kameipsec.h" -#include "linux26/rtnetlink.h" -#include "linux26/xfrm.h" #include <freeswan.h> #include <pfkeyv2.h> diff --git a/src/pluto/keys.c b/src/pluto/keys.c index eed81230f..1efe85228 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -647,7 +647,7 @@ xauth_get_secret(xauth_t *xauth_secret) * find a matching secret */ static bool -xauth_verify_secret(const xauth_t *xauth_secret) +xauth_verify_secret(const char *conn_name, const xauth_t *xauth_secret) { bool found = FALSE; secret_t *s; diff --git a/src/pluto/linux26/netlink.h b/src/pluto/linux26/netlink.h deleted file mode 100644 index 6b0896da6..000000000 --- a/src/pluto/linux26/netlink.h +++ /dev/null 
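Review bot: Switching from the bundled linux26 headers to `<linux/xfrm.h>` and `<linux/rtnetlink.h>` means limits the bundled copies pinned — `XFRMA_MAX` (was `XFRMA_TMPL`) and `XFRM_MSG_MAX` (was `XFRM_MSG_POLEXPIRE+1`) — now take whatever value the headers under the configured linuxdir provide, so any table or buffer in kernel_netlink.c sized or indexed by them (not visible in this hunk) changes meaning with the build host's kernel headers. A comment at the include site recording that dependency, e.g. `/* XFRM/rtnetlink ABI comes from the configured linuxdir headers; XFRMA_MAX/XFRM_MSG_MAX track that version */`, plus a configure-time check that those two headers exist there if the LINUX_HEADERS substitution does not already cover it, would make the assumption visible. The include block is the only part of the file shown.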
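Review bot: xauth_verify_secret gains a `const char *conn_name` parameter but the hunk shows only the signature, so it cannot be seen whether the lookup below actually restricts matches to that connection or whether a NULL name is tolerated; the modecfg.c caller passes `st->st_connection->name` unchecked. A doc comment on the function fixing the contract for the plugin interface, e.g. `/* conn_name: connection whose XAUTH secrets are eligible; NULL means any */`, would make the intent testable, and the same parameter presumably needs the matching update in the xauth.h/vendor.h declarations listed in the diffstat. The function body continues outside the hunk.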
@@ -1,90 +0,0 @@ -#ifndef __LINUX_NETLINK_H -#define __LINUX_NETLINK_H - -#include <stdint.h> -#include <sys/socket.h> /* for sa_family_t */ - -#define NETLINK_ROUTE 0 /* Routing/device hook */ -#define NETLINK_SKIP 1 /* Reserved for ENskip */ -#define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */ -#define NETLINK_FIREWALL 3 /* Firewalling hook */ -#define NETLINK_TCPDIAG 4 /* TCP socket monitoring */ -#define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */ -#define NETLINK_XFRM 6 /* ipsec */ -#define NETLINK_ARPD 8 -#define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */ -#define NETLINK_IP6_FW 13 -#define NETLINK_DNRTMSG 14 /* DECnet routing messages */ -#define NETLINK_TAPBASE 16 /* 16 to 31 are ethertap */ - -#define MAX_LINKS 32 - -struct sockaddr_nl -{ - sa_family_t nl_family; /* AF_NETLINK */ - unsigned short nl_pad; /* zero */ - uint32_t nl_pid; /* process pid */ - uint32_t nl_groups; /* multicast groups mask */ -}; - -struct nlmsghdr -{ - uint32_t nlmsg_len; /* Length of message including header */ - uint16_t nlmsg_type; /* Message content */ - uint16_t nlmsg_flags; /* Additional flags */ - uint32_t nlmsg_seq; /* Sequence number */ - uint32_t nlmsg_pid; /* Sending process PID */ -}; - -/* Flags values */ - -#define NLM_F_REQUEST 1 /* It is request message. 
*/ -#define NLM_F_MULTI 2 /* Multipart message, terminated by NLMSG_DONE */ -#define NLM_F_ACK 4 /* Reply with ack, with zero or error code */ -#define NLM_F_ECHO 8 /* Echo this request */ - -/* Modifiers to GET request */ -#define NLM_F_ROOT 0x100 /* specify tree root */ -#define NLM_F_MATCH 0x200 /* return all matching */ -#define NLM_F_ATOMIC 0x400 /* atomic GET */ -#define NLM_F_DUMP (NLM_F_ROOT|NLM_F_MATCH) - -/* Modifiers to NEW request */ -#define NLM_F_REPLACE 0x100 /* Override existing */ -#define NLM_F_EXCL 0x200 /* Do not touch, if it exists */ -#define NLM_F_CREATE 0x400 /* Create, if it does not exist */ -#define NLM_F_APPEND 0x800 /* Add to end of list */ - -/* - 4.4BSD ADD NLM_F_CREATE|NLM_F_EXCL - 4.4BSD CHANGE NLM_F_REPLACE - - True CHANGE NLM_F_CREATE|NLM_F_REPLACE - Append NLM_F_CREATE - Check NLM_F_EXCL - */ - -#define NLMSG_ALIGNTO 4 -#define NLMSG_ALIGN(len) ( ((len)+NLMSG_ALIGNTO-1) & ~(NLMSG_ALIGNTO-1) ) -#define NLMSG_LENGTH(len) ((len)+NLMSG_ALIGN(sizeof(struct nlmsghdr))) -#define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len)) -#define NLMSG_DATA(nlh) ((void*)(((char*)nlh) + NLMSG_LENGTH(0))) -#define NLMSG_NEXT(nlh,len) ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \ - (struct nlmsghdr*)(((char*)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len))) -#define NLMSG_OK(nlh,len) ((len) > 0 && (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \ - (nlh)->nlmsg_len <= (len)) -#define NLMSG_PAYLOAD(nlh,len) ((nlh)->nlmsg_len - NLMSG_SPACE((len))) - -#define NLMSG_NOOP 0x1 /* Nothing. */ -#define NLMSG_ERROR 0x2 /* Error */ -#define NLMSG_DONE 0x3 /* End of a dump */ -#define NLMSG_OVERRUN 0x4 /* Data lost */ - -struct nlmsgerr -{ - int error; - struct nlmsghdr msg; -}; - -#define NET_MAJOR 36 /* Major 36 is reserved for networking */ -#endif /* __LINUX_NETLINK_H */ diff --git a/src/pluto/linux26/rtnetlink.h b/src/pluto/linux26/rtnetlink.h deleted file mode 100644 index 341bc1f86..000000000 --- a/src/pluto/linux26/rtnetlink.h +++ /dev/null 
@@ -1,562 +0,0 @@ -#ifndef __LINUX_RTNETLINK_H -#define __LINUX_RTNETLINK_H - -#include "netlink.h" -#include <stdint.h> - -#define RTNL_DEBUG 1 - - -/**** - * Routing/neighbour discovery messages. - ****/ - -/* Types of messages */ - -#define RTM_BASE 0x10 - -#define RTM_NEWLINK (RTM_BASE+0) -#define RTM_DELLINK (RTM_BASE+1) -#define RTM_GETLINK (RTM_BASE+2) -#define RTM_SETLINK (RTM_BASE+3) - -#define RTM_NEWADDR (RTM_BASE+4) -#define RTM_DELADDR (RTM_BASE+5) -#define RTM_GETADDR (RTM_BASE+6) - -#define RTM_NEWROUTE (RTM_BASE+8) -#define RTM_DELROUTE (RTM_BASE+9) -#define RTM_GETROUTE (RTM_BASE+10) - -#define RTM_NEWNEIGH (RTM_BASE+12) -#define RTM_DELNEIGH (RTM_BASE+13) -#define RTM_GETNEIGH (RTM_BASE+14) - -#define RTM_NEWRULE (RTM_BASE+16) -#define RTM_DELRULE (RTM_BASE+17) -#define RTM_GETRULE (RTM_BASE+18) - -#define RTM_NEWQDISC (RTM_BASE+20) -#define RTM_DELQDISC (RTM_BASE+21) -#define RTM_GETQDISC (RTM_BASE+22) - -#define RTM_NEWTCLASS (RTM_BASE+24) -#define RTM_DELTCLASS (RTM_BASE+25) -#define RTM_GETTCLASS (RTM_BASE+26) - -#define RTM_NEWTFILTER (RTM_BASE+28) -#define RTM_DELTFILTER (RTM_BASE+29) -#define RTM_GETTFILTER (RTM_BASE+30) - -#define RTM_MAX (RTM_BASE+31) - -/* - Generic structure for encapsulation optional route information. - It is reminiscent of sockaddr, but with sa_family replaced - with attribute type. 
- */ - -struct rtattr -{ - unsigned short rta_len; - unsigned short rta_type; -}; - -/* Macros to handle rtattributes */ - -#define RTA_ALIGNTO 4 -#define RTA_ALIGN(len) ( ((len)+RTA_ALIGNTO-1) & ~(RTA_ALIGNTO-1) ) -#define RTA_OK(rta,len) ((len) > 0 && (rta)->rta_len >= sizeof(struct rtattr) && \ - (rta)->rta_len <= (len)) -#define RTA_NEXT(rta,attrlen) ((attrlen) -= RTA_ALIGN((rta)->rta_len), \ - (struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len))) -#define RTA_LENGTH(len) (RTA_ALIGN(sizeof(struct rtattr)) + (len)) -#define RTA_SPACE(len) RTA_ALIGN(RTA_LENGTH(len)) -#define RTA_DATA(rta) ((void*)(((char*)(rta)) + RTA_LENGTH(0))) -#define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0)) - - - - -/****************************************************************************** - * Definitions used in routing table administation. - ****/ - -struct rtmsg -{ - unsigned char rtm_family; - unsigned char rtm_dst_len; - unsigned char rtm_src_len; - unsigned char rtm_tos; - - unsigned char rtm_table; /* Routing table id */ - unsigned char rtm_protocol; /* Routing protocol; see below */ - unsigned char rtm_scope; /* See below */ - unsigned char rtm_type; /* See below */ - - unsigned rtm_flags; -}; - -/* rtm_type */ - -enum -{ - RTN_UNSPEC, - RTN_UNICAST, /* Gateway or direct route */ - RTN_LOCAL, /* Accept locally */ - RTN_BROADCAST, /* Accept locally as broadcast, - send as broadcast */ - RTN_ANYCAST, /* Accept locally as broadcast, - but send as unicast */ - RTN_MULTICAST, /* Multicast route */ - RTN_BLACKHOLE, /* Drop */ - RTN_UNREACHABLE, /* Destination is unreachable */ - RTN_PROHIBIT, /* Administratively prohibited */ - RTN_THROW, /* Not in this table */ - RTN_NAT, /* Translate this address */ - RTN_XRESOLVE, /* Use external resolver */ -}; - -#define RTN_MAX RTN_XRESOLVE - - -/* rtm_protocol */ - -#define RTPROT_UNSPEC 0 -#define RTPROT_REDIRECT 1 /* Route installed by ICMP redirects; - not used by current IPv4 */ -#define RTPROT_KERNEL 2 /* Route 
installed by kernel */ -#define RTPROT_BOOT 3 /* Route installed during boot */ -#define RTPROT_STATIC 4 /* Route installed by administrator */ - -/* Values of protocol >= RTPROT_STATIC are not interpreted by kernel; - they just passed from user and back as is. - It will be used by hypothetical multiple routing daemons. - Note that protocol values should be standardized in order to - avoid conflicts. - */ - -#define RTPROT_GATED 8 /* Apparently, GateD */ -#define RTPROT_RA 9 /* RDISC/ND router advertisments */ -#define RTPROT_MRT 10 /* Merit MRT */ -#define RTPROT_ZEBRA 11 /* Zebra */ -#define RTPROT_BIRD 12 /* BIRD */ -#define RTPROT_DNROUTED 13 /* DECnet routing daemon */ - -/* rtm_scope - - Really it is not scope, but sort of distance to the destination. - NOWHERE are reserved for not existing destinations, HOST is our - local addresses, LINK are destinations, located on directly attached - link and UNIVERSE is everywhere in the Universe. - - Intermediate values are also possible f.e. interior routes - could be assigned a value between UNIVERSE and LINK. 
-*/ - -enum rt_scope_t -{ - RT_SCOPE_UNIVERSE=0, -/* User defined values */ - RT_SCOPE_SITE=200, - RT_SCOPE_LINK=253, - RT_SCOPE_HOST=254, - RT_SCOPE_NOWHERE=255 -}; - -/* rtm_flags */ - -#define RTM_F_NOTIFY 0x100 /* Notify user of route change */ -#define RTM_F_CLONED 0x200 /* This route is cloned */ -#define RTM_F_EQUALIZE 0x400 /* Multipath equalizer: NI */ - -/* Reserved table identifiers */ - -enum rt_class_t -{ - RT_TABLE_UNSPEC=0, -/* User defined values */ - RT_TABLE_DEFAULT=253, - RT_TABLE_MAIN=254, - RT_TABLE_LOCAL=255 -}; -#define RT_TABLE_MAX RT_TABLE_LOCAL - - - -/* Routing message attributes */ - -enum rtattr_type_t -{ - RTA_UNSPEC, - RTA_DST, - RTA_SRC, - RTA_IIF, - RTA_OIF, - RTA_GATEWAY, - RTA_PRIORITY, - RTA_PREFSRC, - RTA_METRICS, - RTA_MULTIPATH, - RTA_PROTOINFO, - RTA_FLOW, - RTA_CACHEINFO, - RTA_SESSION, -}; - -#define RTA_MAX RTA_SESSION - -#define RTM_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct rtmsg)))) -#define RTM_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct rtmsg)) - -/* RTM_MULTIPATH --- array of struct rtnexthop. - * - * "struct rtnexthop" describres all necessary nexthop information, - * i.e. parameters of path to a destination via this nextop. - * - * At the moment it is impossible to set different prefsrc, mtu, window - * and rtt for different paths from multipath. 
- */ - -struct rtnexthop -{ - unsigned short rtnh_len; - unsigned char rtnh_flags; - unsigned char rtnh_hops; - int rtnh_ifindex; -}; - -/* rtnh_flags */ - -#define RTNH_F_DEAD 1 /* Nexthop is dead (used by multipath) */ -#define RTNH_F_PERVASIVE 2 /* Do recursive gateway lookup */ -#define RTNH_F_ONLINK 4 /* Gateway is forced on link */ - -/* Macros to handle hexthops */ - -#define RTNH_ALIGNTO 4 -#define RTNH_ALIGN(len) ( ((len)+RTNH_ALIGNTO-1) & ~(RTNH_ALIGNTO-1) ) -#define RTNH_OK(rtnh,len) ((rtnh)->rtnh_len >= sizeof(struct rtnexthop) && \ - ((int)(rtnh)->rtnh_len) <= (len)) -#define RTNH_NEXT(rtnh) ((struct rtnexthop*)(((char*)(rtnh)) + RTNH_ALIGN((rtnh)->rtnh_len))) -#define RTNH_LENGTH(len) (RTNH_ALIGN(sizeof(struct rtnexthop)) + (len)) -#define RTNH_SPACE(len) RTNH_ALIGN(RTNH_LENGTH(len)) -#define RTNH_DATA(rtnh) ((struct rtattr*)(((char*)(rtnh)) + RTNH_LENGTH(0))) - -/* RTM_CACHEINFO */ - -struct rta_cacheinfo -{ - uint32_t rta_clntref; - uint32_t rta_lastuse; - int32_t rta_expires; - uint32_t rta_error; - uint32_t rta_used; - -#define RTNETLINK_HAVE_PEERINFO 1 - uint32_t rta_id; - uint32_t rta_ts; - uint32_t rta_tsage; -}; - -/* RTM_METRICS --- array of struct rtattr with types of RTAX_* */ - -enum -{ - RTAX_UNSPEC, -#define RTAX_UNSPEC RTAX_UNSPEC - RTAX_LOCK, -#define RTAX_LOCK RTAX_LOCK - RTAX_MTU, -#define RTAX_MTU RTAX_MTU - RTAX_WINDOW, -#define RTAX_WINDOW RTAX_WINDOW - RTAX_RTT, -#define RTAX_RTT RTAX_RTT - RTAX_RTTVAR, -#define RTAX_RTTVAR RTAX_RTTVAR - RTAX_SSTHRESH, -#define RTAX_SSTHRESH RTAX_SSTHRESH - RTAX_CWND, -#define RTAX_CWND RTAX_CWND - RTAX_ADVMSS, -#define RTAX_ADVMSS RTAX_ADVMSS - RTAX_REORDERING, -#define RTAX_REORDERING RTAX_REORDERING -}; - -#define RTAX_MAX RTAX_REORDERING - -struct rta_session -{ - uint8_t proto; - - union { - struct { - uint16_t sport; - uint16_t dport; - } ports; - - struct { - uint8_t type; - uint8_t code; - uint16_t ident; - } icmpt; - - uint32_t spi; - } u; -}; - - 
-/********************************************************* - * Interface address. - ****/ - -struct ifaddrmsg -{ - unsigned char ifa_family; - unsigned char ifa_prefixlen; /* The prefix length */ - unsigned char ifa_flags; /* Flags */ - unsigned char ifa_scope; /* See above */ - int ifa_index; /* Link index */ -}; - -enum -{ - IFA_UNSPEC, - IFA_ADDRESS, - IFA_LOCAL, - IFA_LABEL, - IFA_BROADCAST, - IFA_ANYCAST, - IFA_CACHEINFO -}; - -#define IFA_MAX IFA_CACHEINFO - -/* ifa_flags */ - -#define IFA_F_SECONDARY 0x01 -#define IFA_F_TEMPORARY IFA_F_SECONDARY - -#define IFA_F_DEPRECATED 0x20 -#define IFA_F_TENTATIVE 0x40 -#define IFA_F_PERMANENT 0x80 - -struct ifa_cacheinfo -{ - int32_t ifa_prefered; - int32_t ifa_valid; -}; - - -#define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg)))) -#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg)) - -/* - Important comment: - IFA_ADDRESS is prefix address, rather than local interface address. - It makes no difference for normally configured broadcast interfaces, - but for point-to-point IFA_ADDRESS is DESTINATION address, - local address is supplied in IFA_LOCAL attribute. - */ - -/************************************************************** - * Neighbour discovery. - ****/ - -struct ndmsg -{ - unsigned char ndm_family; - unsigned char ndm_pad1; - unsigned short ndm_pad2; - int ndm_ifindex; /* Link index */ - uint16_t ndm_state; - uint8_t ndm_flags; - uint8_t ndm_type; -}; - -enum -{ - NDA_UNSPEC, - NDA_DST, - NDA_LLADDR, - NDA_CACHEINFO -}; - -#define NDA_MAX NDA_CACHEINFO - -#define NDA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg)))) -#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg)) - -/* - * Neighbor Cache Entry Flags - */ - -#define NTF_PROXY 0x08 /* == ATF_PUBL */ -#define NTF_ROUTER 0x80 - -/* - * Neighbor Cache Entry States. 
- */ - -#define NUD_INCOMPLETE 0x01 -#define NUD_REACHABLE 0x02 -#define NUD_STALE 0x04 -#define NUD_DELAY 0x08 -#define NUD_PROBE 0x10 -#define NUD_FAILED 0x20 - -/* Dummy states */ -#define NUD_NOARP 0x40 -#define NUD_PERMANENT 0x80 -#define NUD_NONE 0x00 - - -struct nda_cacheinfo -{ - uint32_t ndm_confirmed; - uint32_t ndm_used; - uint32_t ndm_updated; - uint32_t ndm_refcnt; -}; - -/**** - * General form of address family dependent message. - ****/ - -struct rtgenmsg -{ - unsigned char rtgen_family; -}; - -/***************************************************************** - * Link layer specific messages. - ****/ - -/* struct ifinfomsg - * passes link level specific information, not dependent - * on network protocol. - */ - -struct ifinfomsg -{ - unsigned char ifi_family; - unsigned char __ifi_pad; - unsigned short ifi_type; /* ARPHRD_* */ - int ifi_index; /* Link index */ - unsigned ifi_flags; /* IFF_* flags */ - unsigned ifi_change; /* IFF_* change mask */ -}; - -enum -{ - IFLA_UNSPEC, - IFLA_ADDRESS, - IFLA_BROADCAST, - IFLA_IFNAME, - IFLA_MTU, - IFLA_LINK, - IFLA_QDISC, - IFLA_STATS, - IFLA_COST, -#define IFLA_COST IFLA_COST - IFLA_PRIORITY, -#define IFLA_PRIORITY IFLA_PRIORITY - IFLA_MASTER, -#define IFLA_MASTER IFLA_MASTER - IFLA_WIRELESS, /* Wireless Extension event - see wireless.h */ -#define IFLA_WIRELESS IFLA_WIRELESS -}; - - -#define IFLA_MAX IFLA_WIRELESS - -#define IFLA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg)))) -#define IFLA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg)) - -/* ifi_flags. - - IFF_* flags. - - The only change is: - IFF_LOOPBACK, IFF_BROADCAST and IFF_POINTOPOINT are - more not changeable by user. They describe link media - characteristics and set by device driver. - - Comments: - - Combination IFF_BROADCAST|IFF_POINTOPOINT is invalid - - If neiher of these three flags are set; - the interface is NBMA. 
- - - IFF_MULTICAST does not mean anything special: - multicasts can be used on all not-NBMA links. - IFF_MULTICAST means that this media uses special encapsulation - for multicast frames. Apparently, all IFF_POINTOPOINT and - IFF_BROADCAST devices are able to use multicasts too. - */ - -/* IFLA_LINK. - For usual devices it is equal ifi_index. - If it is a "virtual interface" (f.e. tunnel), ifi_link - can point to real physical interface (f.e. for bandwidth calculations), - or maybe 0, what means, that real media is unknown (usual - for IPIP tunnels, when route to endpoint is allowed to change) - */ - -/***************************************************************** - * Traffic control messages. - ****/ - -struct tcmsg -{ - unsigned char tcm_family; - unsigned char tcm__pad1; - unsigned short tcm__pad2; - int tcm_ifindex; - uint32_t tcm_handle; - uint32_t tcm_parent; - uint32_t tcm_info; -}; - -enum -{ - TCA_UNSPEC, - TCA_KIND, - TCA_OPTIONS, - TCA_STATS, - TCA_XSTATS, - TCA_RATE, -}; - -#define TCA_MAX TCA_RATE - -#define TCA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcmsg)))) -#define TCA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcmsg)) - - -/* SUMMARY: maximal rtattr understood by kernel */ - -#define RTATTR_MAX RTA_MAX - -/* RTnetlink multicast groups */ - -#define RTMGRP_LINK 1 -#define RTMGRP_NOTIFY 2 -#define RTMGRP_NEIGH 4 -#define RTMGRP_TC 8 - -#define RTMGRP_IPV4_IFADDR 0x10 -#define RTMGRP_IPV4_MROUTE 0x20 -#define RTMGRP_IPV4_ROUTE 0x40 - -#define RTMGRP_IPV6_IFADDR 0x100 -#define RTMGRP_IPV6_MROUTE 0x200 -#define RTMGRP_IPV6_ROUTE 0x400 - -#define RTMGRP_DECnet_IFADDR 0x1000 -#define RTMGRP_DECnet_ROUTE 0x4000 - -/* End of information exported to user level */ - -#endif /* __LINUX_RTNETLINK_H */ diff --git a/src/pluto/linux26/xfrm.h b/src/pluto/linux26/xfrm.h deleted file mode 100644 index 4269ae29b..000000000 --- a/src/pluto/linux26/xfrm.h +++ /dev/null 
@@ -1,233 +0,0 @@ -#ifndef _LINUX_XFRM_H -#define _LINUX_XFRM_H - -#include <stdint.h> - -/* All of the structures in this file may not change size as they are - * passed into the kernel from userspace via netlink sockets. - */ - -/* Structure to encapsulate addresses. I do not want to use - * "standard" structure. My apologies. - */ -typedef union -{ - uint32_t a4; - uint32_t a6[4]; -} xfrm_address_t; - -/* Ident of a specific xfrm_state. It is used on input to lookup - * the state by (spi,daddr,ah/esp) or to store information about - * spi, protocol and tunnel address on output. - */ -struct xfrm_id -{ - xfrm_address_t daddr; - uint32_t spi; - uint8_t proto; -}; - -/* Selector, used as selector both on policy rules (SPD) and SAs. */ - -struct xfrm_selector -{ - xfrm_address_t daddr; - xfrm_address_t saddr; - uint16_t dport; - uint16_t dport_mask; - uint16_t sport; - uint16_t sport_mask; - uint16_t family; - uint8_t prefixlen_d; - uint8_t prefixlen_s; - uint8_t proto; - int ifindex; - uid_t user; -}; - -#define XFRM_INF (~(uint64_t)0) - -struct xfrm_lifetime_cfg -{ - uint64_t soft_byte_limit; - uint64_t hard_byte_limit; - uint64_t soft_packet_limit; - uint64_t hard_packet_limit; - uint64_t soft_add_expires_seconds; - uint64_t hard_add_expires_seconds; - uint64_t soft_use_expires_seconds; - uint64_t hard_use_expires_seconds; -}; - -struct xfrm_lifetime_cur -{ - uint64_t bytes; - uint64_t packets; - uint64_t add_time; - uint64_t use_time; -}; - -struct xfrm_replay_state -{ - uint32_t oseq; - uint32_t seq; - uint32_t bitmap; -}; - -struct xfrm_algo { - char alg_name[64]; - int alg_key_len; /* in bits */ - char alg_key[0]; -}; - -struct xfrm_stats { - uint32_t replay_window; - uint32_t replay; - uint32_t integrity_failed; -}; - -enum -{ - XFRM_POLICY_IN = 0, - XFRM_POLICY_OUT = 1, - XFRM_POLICY_FWD = 2, - XFRM_POLICY_MAX = 3 -}; - -enum -{ - XFRM_SHARE_ANY, /* No limitations */ - XFRM_SHARE_SESSION, /* For this session only */ - XFRM_SHARE_USER, /* For this user only 
*/ - XFRM_SHARE_UNIQUE /* Use once */ -}; - -/* Netlink configuration messages. */ -#define XFRM_MSG_BASE 0x10 - -#define XFRM_MSG_NEWSA (XFRM_MSG_BASE + 0) -#define XFRM_MSG_DELSA (XFRM_MSG_BASE + 1) -#define XFRM_MSG_GETSA (XFRM_MSG_BASE + 2) - -#define XFRM_MSG_NEWPOLICY (XFRM_MSG_BASE + 3) -#define XFRM_MSG_DELPOLICY (XFRM_MSG_BASE + 4) -#define XFRM_MSG_GETPOLICY (XFRM_MSG_BASE + 5) - -#define XFRM_MSG_ALLOCSPI (XFRM_MSG_BASE + 6) -#define XFRM_MSG_ACQUIRE (XFRM_MSG_BASE + 7) -#define XFRM_MSG_EXPIRE (XFRM_MSG_BASE + 8) - -#define XFRM_MSG_UPDPOLICY (XFRM_MSG_BASE + 9) -#define XFRM_MSG_UPDSA (XFRM_MSG_BASE + 10) - -#define XFRM_MSG_POLEXPIRE (XFRM_MSG_BASE + 11) - -#define XFRM_MSG_MAX (XFRM_MSG_POLEXPIRE+1) - -struct xfrm_user_tmpl { - struct xfrm_id id; - uint16_t family; - xfrm_address_t saddr; - uint32_t reqid; - uint8_t mode; - uint8_t share; - uint8_t optional; - uint32_t aalgos; - uint32_t ealgos; - uint32_t calgos; -}; - -struct xfrm_encap_tmpl { - uint16_t encap_type; - uint16_t encap_sport; - uint16_t encap_dport; - xfrm_address_t encap_oa; -}; - -/* Netlink message attributes. 
*/ -enum xfrm_attr_type_t { - XFRMA_UNSPEC, - XFRMA_ALG_AUTH, /* struct xfrm_algo */ - XFRMA_ALG_CRYPT, /* struct xfrm_algo */ - XFRMA_ALG_COMP, /* struct xfrm_algo */ - XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */ - XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */ - -#define XFRMA_MAX XFRMA_TMPL -}; - -struct xfrm_usersa_info { - struct xfrm_selector sel; - struct xfrm_id id; - xfrm_address_t saddr; - struct xfrm_lifetime_cfg lft; - struct xfrm_lifetime_cur curlft; - struct xfrm_stats stats; - uint32_t seq; - uint32_t reqid; - uint16_t family; - uint8_t mode; /* 0=transport,1=tunnel */ - uint8_t replay_window; - uint8_t flags; -#define XFRM_STATE_NOECN 1 -}; - -struct xfrm_usersa_id { - xfrm_address_t daddr; - uint32_t spi; - uint16_t family; - uint8_t proto; -}; - -struct xfrm_userspi_info { - struct xfrm_usersa_info info; - uint32_t min; - uint32_t max; -}; - -struct xfrm_userpolicy_info { - struct xfrm_selector sel; - struct xfrm_lifetime_cfg lft; - struct xfrm_lifetime_cur curlft; - uint32_t priority; - uint32_t index; - uint8_t dir; - uint8_t action; -#define XFRM_POLICY_ALLOW 0 -#define XFRM_POLICY_BLOCK 1 - uint8_t flags; -#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */ - uint8_t share; -}; - -struct xfrm_userpolicy_id { - struct xfrm_selector sel; - uint32_t index; - uint8_t dir; -}; - -struct xfrm_user_acquire { - struct xfrm_id id; - xfrm_address_t saddr; - struct xfrm_selector sel; - struct xfrm_userpolicy_info policy; - uint32_t aalgos; - uint32_t ealgos; - uint32_t calgos; - uint32_t seq; -}; - -struct xfrm_user_expire { - struct xfrm_usersa_info state; - uint8_t hard; -}; - -struct xfrm_user_polexpire { - struct xfrm_userpolicy_info pol; - uint8_t hard; -}; - -#define XFRMGRP_ACQUIRE 1 -#define XFRMGRP_EXPIRE 2 - -#endif /* _LINUX_XFRM_H */ diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c index ab44a113e..cda6007c7 100644 --- a/src/pluto/modecfg.c +++ b/src/pluto/modecfg.c 
@@ -978,7 +978,8 @@ xauth_inR1(struct msg_digest *md) , ia.xauth_secret.user_password.ptr) ) /* verify the user credentials using a plugn function */ - st->st_xauth.status = xauth_module.verify_secret(&ia.xauth_secret); + st->st_xauth.status = xauth_module.verify_secret(st->st_connection->name + , &ia.xauth_secret); plog("extended authentication %s", st->st_xauth.status? "was successful":"failed"); } diff --git a/src/pluto/oid.c b/src/pluto/oid.c index 4b0632de2..48df1b7c4 100644 --- a/src/pluto/oid.c +++ b/src/pluto/oid.c @@ -28,7 +28,7 @@ const oid_t oid_names[] = { { 0x01, 0, 1, "pilotAttributeType" }, /* 15 */ { 0x01, 17, 0, "UID" }, /* 16 */ { 0x19, 0, 0, "DC" }, /* 17 */ - {0x55, 51, 1, "X.500" }, /* 18 */ + {0x55, 52, 1, "X.500" }, /* 18 */ { 0x04, 36, 1, "X.509" }, /* 19 */ { 0x03, 21, 0, "CN" }, /* 20 */ { 0x04, 22, 0, "S" }, /* 21 */ 
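Review bot: The `{0x55, 51, 1, "X.500" }` → `52` edit is one of the hand-visible next-sibling indices in oid_names[], and the following hunk renumbers dozens more; a single wrong link makes every OID under that subtree unresolvable with no error. The diffstat's oid.txt entry suggests the table is produced from that file, in which case a header comment such as `/* generated from oid.txt — edit the text file, not this table */` above oid_names[] (and the matching enum in oid.h, which must shift in lockstep for OID_CRL_NUMBER to land on the right row) documents that; if no generator exists, a one-time startup check that every non-zero next index exceeds its own row and is below the array length, which holds for all visible rows, would catch this class cheaply. The oid_names[] definition starts before and ends after this hunk.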
@@ -54,144 +54,145 @@ const oid_t oid_names[] = { { 0x11, 42, 0, "subjectAltName" }, /* 41 */ { 0x12, 43, 0, "issuerAltName" }, /* 42 */ { 0x13, 44, 0, "basicConstraints" }, /* 43 */ - { 0x15, 45, 0, "reasonCode" }, /* 44 */ - { 0x1F, 46, 0, "crlDistributionPoints" }, /* 45 */ - { 0x20, 47, 0, "certificatePolicies" }, /* 46 */ - { 0x23, 48, 0, "authorityKeyIdentifier" }, /* 47 */ - { 0x25, 49, 0, "extendedKeyUsage" }, /* 48 */ - { 0x37, 50, 0, "targetInformation" }, /* 49 */ - { 0x38, 0, 0, "noRevAvail" }, /* 50 */ - {0x2A, 88, 1, "" }, /* 51 */ - { 0x86, 0, 1, "" }, /* 52 */ - { 0x48, 0, 1, "" }, /* 53 */ - { 0x86, 0, 1, "" }, /* 54 */ - { 0xF7, 0, 1, "" }, /* 55 */ - { 0x0D, 0, 1, "RSADSI" }, /* 56 */ - { 0x01, 83, 1, "PKCS" }, /* 57 */ - { 0x01, 66, 1, "PKCS-1" }, /* 58 */ - { 0x01, 60, 0, "rsaEncryption" }, /* 59 */ - { 0x02, 61, 0, "md2WithRSAEncryption" }, /* 60 */ - { 0x04, 62, 0, "md5WithRSAEncryption" }, /* 61 */ - { 0x05, 63, 0, "sha-1WithRSAEncryption" }, /* 62 */ - { 0x0B, 64, 0, "sha256WithRSAEncryption"}, /* 63 */ - { 0x0C, 65, 0, "sha384WithRSAEncryption"}, /* 64 */ - { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 65 */ - { 0x07, 73, 1, "PKCS-7" }, /* 66 */ - { 0x01, 68, 0, "data" }, /* 67 */ - { 0x02, 69, 0, "signedData" }, /* 68 */ - { 0x03, 70, 0, "envelopedData" }, /* 69 */ - { 0x04, 71, 0, "signedAndEnvelopedData" }, /* 70 */ - { 0x05, 72, 0, "digestedData" }, /* 71 */ - { 0x06, 0, 0, "encryptedData" }, /* 72 */ - { 0x09, 0, 1, "PKCS-9" }, /* 73 */ - { 0x01, 75, 0, "E" }, /* 74 */ - { 0x02, 76, 0, "unstructuredName" }, /* 75 */ - { 0x03, 77, 0, "contentType" }, /* 76 */ - { 0x04, 78, 0, "messageDigest" }, /* 77 */ - { 0x05, 79, 0, "signingTime" }, /* 78 */ - { 0x06, 80, 0, "counterSignature" }, /* 79 */ - { 0x07, 81, 0, "challengePassword" }, /* 80 */ - { 0x08, 82, 0, "unstructuredAddress" }, /* 81 */ - { 0x0E, 0, 0, "extensionRequest" }, /* 82 */ - { 0x02, 86, 1, "digestAlgorithm" }, /* 83 */ - { 0x02, 85, 0, "md2" }, /* 84 */ - { 0x05, 0, 0, 
"md5" }, /* 85 */ - { 0x03, 0, 1, "encryptionAlgorithm" }, /* 86 */ - { 0x07, 0, 0, "3des-ede-cbc" }, /* 87 */ - {0x2B, 149, 1, "" }, /* 88 */ - { 0x06, 136, 1, "dod" }, /* 89 */ - { 0x01, 0, 1, "internet" }, /* 90 */ - { 0x04, 105, 1, "private" }, /* 91 */ - { 0x01, 0, 1, "enterprise" }, /* 92 */ - { 0x82, 98, 1, "" }, /* 93 */ - { 0x37, 0, 1, "Microsoft" }, /* 94 */ - { 0x0A, 0, 1, "" }, /* 95 */ - { 0x03, 0, 1, "" }, /* 96 */ - { 0x03, 0, 0, "msSGC" }, /* 97 */ - { 0x89, 0, 1, "" }, /* 98 */ - { 0x31, 0, 1, "" }, /* 99 */ - { 0x01, 0, 1, "" }, /* 100 */ - { 0x01, 0, 1, "" }, /* 101 */ - { 0x02, 0, 1, "" }, /* 102 */ - { 0x02, 104, 0, "" }, /* 103 */ - { 0x4B, 0, 0, "TCGID" }, /* 104 */ - { 0x05, 0, 1, "security" }, /* 105 */ - { 0x05, 0, 1, "mechanisms" }, /* 106 */ - { 0x07, 0, 1, "id-pkix" }, /* 107 */ - { 0x01, 110, 1, "id-pe" }, /* 108 */ - { 0x01, 0, 0, "authorityInfoAccess" }, /* 109 */ - { 0x03, 120, 1, "id-kp" }, /* 110 */ - { 0x01, 112, 0, "serverAuth" }, /* 111 */ - { 0x02, 113, 0, "clientAuth" }, /* 112 */ - { 0x03, 114, 0, "codeSigning" }, /* 113 */ - { 0x04, 115, 0, "emailProtection" }, /* 114 */ - { 0x05, 116, 0, "ipsecEndSystem" }, /* 115 */ - { 0x06, 117, 0, "ipsecTunnel" }, /* 116 */ - { 0x07, 118, 0, "ipsecUser" }, /* 117 */ - { 0x08, 119, 0, "timeStamping" }, /* 118 */ - { 0x09, 0, 0, "ocspSigning" }, /* 119 */ - { 0x08, 122, 1, "id-otherNames" }, /* 120 */ - { 0x05, 0, 0, "xmppAddr" }, /* 121 */ - { 0x0A, 127, 1, "id-aca" }, /* 122 */ - { 0x01, 124, 0, "authenticationInfo" }, /* 123 */ - { 0x02, 125, 0, "accessIdentity" }, /* 124 */ - { 0x03, 126, 0, "chargingIdentity" }, /* 125 */ - { 0x04, 0, 0, "group" }, /* 126 */ - { 0x30, 0, 1, "id-ad" }, /* 127 */ - { 0x01, 0, 1, "ocsp" }, /* 128 */ - { 0x01, 130, 0, "basic" }, /* 129 */ - { 0x02, 131, 0, "nonce" }, /* 130 */ - { 0x03, 132, 0, "crl" }, /* 131 */ - { 0x04, 133, 0, "response" }, /* 132 */ - { 0x05, 134, 0, "noCheck" }, /* 133 */ - { 0x06, 135, 0, "archiveCutoff" }, /* 134 */ - { 0x07, 0, 
0, "serviceLocator" }, /* 135 */ - { 0x0E, 142, 1, "oiw" }, /* 136 */ - { 0x03, 0, 1, "secsig" }, /* 137 */ - { 0x02, 0, 1, "algorithms" }, /* 138 */ - { 0x07, 140, 0, "des-cbc" }, /* 139 */ - { 0x1A, 141, 0, "sha-1" }, /* 140 */ - { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 141 */ - { 0x24, 0, 1, "TeleTrusT" }, /* 142 */ - { 0x03, 0, 1, "algorithm" }, /* 143 */ - { 0x03, 0, 1, "signatureAlgorithm" }, /* 144 */ - { 0x01, 0, 1, "rsaSignature" }, /* 145 */ - { 0x02, 147, 0, "rsaSigWithripemd160" }, /* 146 */ - { 0x03, 148, 0, "rsaSigWithripemd128" }, /* 147 */ - { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 148 */ - {0x60, 0, 1, "" }, /* 149 */ - { 0x86, 0, 1, "" }, /* 150 */ - { 0x48, 0, 1, "" }, /* 151 */ - { 0x01, 0, 1, "organization" }, /* 152 */ - { 0x65, 160, 1, "gov" }, /* 153 */ - { 0x03, 0, 1, "csor" }, /* 154 */ - { 0x04, 0, 1, "nistalgorithm" }, /* 155 */ - { 0x02, 0, 1, "hashalgs" }, /* 156 */ - { 0x01, 158, 0, "id-SHA-256" }, /* 157 */ - { 0x02, 159, 0, "id-SHA-384" }, /* 158 */ - { 0x03, 0, 0, "id-SHA-512" }, /* 159 */ - { 0x86, 0, 1, "" }, /* 160 */ - { 0xf8, 0, 1, "" }, /* 161 */ - { 0x42, 174, 1, "netscape" }, /* 162 */ - { 0x01, 169, 1, "" }, /* 163 */ - { 0x01, 165, 0, "nsCertType" }, /* 164 */ - { 0x03, 166, 0, "nsRevocationUrl" }, /* 165 */ - { 0x04, 167, 0, "nsCaRevocationUrl" }, /* 166 */ - { 0x08, 168, 0, "nsCaPolicyUrl" }, /* 167 */ - { 0x0d, 0, 0, "nsComment" }, /* 168 */ - { 0x03, 172, 1, "directory" }, /* 169 */ - { 0x01, 0, 1, "" }, /* 170 */ - { 0x03, 0, 0, "employeeNumber" }, /* 171 */ - { 0x04, 0, 1, "policy" }, /* 172 */ - { 0x01, 0, 0, "nsSGC" }, /* 173 */ - { 0x45, 0, 1, "verisign" }, /* 174 */ - { 0x01, 0, 1, "pki" }, /* 175 */ - { 0x09, 0, 1, "attributes" }, /* 176 */ - { 0x02, 178, 0, "messageType" }, /* 177 */ - { 0x03, 179, 0, "pkiStatus" }, /* 178 */ - { 0x04, 180, 0, "failInfo" }, /* 179 */ - { 0x05, 181, 0, "senderNonce" }, /* 180 */ - { 0x06, 182, 0, "recipientNonce" }, /* 181 */ - { 0x07, 183, 0, "transID" }, /* 182 */ - { 
0x08, 0, 0, "extensionReq" } /* 183 */ + { 0x14, 45, 0, "crlNumber" }, /* 44 */ + { 0x15, 46, 0, "reasonCode" }, /* 45 */ + { 0x1F, 47, 0, "crlDistributionPoints" }, /* 46 */ + { 0x20, 48, 0, "certificatePolicies" }, /* 47 */ + { 0x23, 49, 0, "authorityKeyIdentifier" }, /* 48 */ + { 0x25, 50, 0, "extendedKeyUsage" }, /* 49 */ + { 0x37, 51, 0, "targetInformation" }, /* 50 */ + { 0x38, 0, 0, "noRevAvail" }, /* 51 */ + {0x2A, 89, 1, "" }, /* 52 */ + { 0x86, 0, 1, "" }, /* 53 */ + { 0x48, 0, 1, "" }, /* 54 */ + { 0x86, 0, 1, "" }, /* 55 */ + { 0xF7, 0, 1, "" }, /* 56 */ + { 0x0D, 0, 1, "RSADSI" }, /* 57 */ + { 0x01, 84, 1, "PKCS" }, /* 58 */ + { 0x01, 67, 1, "PKCS-1" }, /* 59 */ + { 0x01, 61, 0, "rsaEncryption" }, /* 60 */ + { 0x02, 62, 0, "md2WithRSAEncryption" }, /* 61 */ + { 0x04, 63, 0, "md5WithRSAEncryption" }, /* 62 */ + { 0x05, 64, 0, "sha-1WithRSAEncryption" }, /* 63 */ + { 0x0B, 65, 0, "sha256WithRSAEncryption"}, /* 64 */ + { 0x0C, 66, 0, "sha384WithRSAEncryption"}, /* 65 */ + { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 66 */ + { 0x07, 74, 1, "PKCS-7" }, /* 67 */ + { 0x01, 69, 0, "data" }, /* 68 */ + { 0x02, 70, 0, "signedData" }, /* 69 */ + { 0x03, 71, 0, "envelopedData" }, /* 70 */ + { 0x04, 72, 0, "signedAndEnvelopedData" }, /* 71 */ + { 0x05, 73, 0, "digestedData" }, /* 72 */ + { 0x06, 0, 0, "encryptedData" }, /* 73 */ + { 0x09, 0, 1, "PKCS-9" }, /* 74 */ + { 0x01, 76, 0, "E" }, /* 75 */ + { 0x02, 77, 0, "unstructuredName" }, /* 76 */ + { 0x03, 78, 0, "contentType" }, /* 77 */ + { 0x04, 79, 0, "messageDigest" }, /* 78 */ + { 0x05, 80, 0, "signingTime" }, /* 79 */ + { 0x06, 81, 0, "counterSignature" }, /* 80 */ + { 0x07, 82, 0, "challengePassword" }, /* 81 */ + { 0x08, 83, 0, "unstructuredAddress" }, /* 82 */ + { 0x0E, 0, 0, "extensionRequest" }, /* 83 */ + { 0x02, 87, 1, "digestAlgorithm" }, /* 84 */ + { 0x02, 86, 0, "md2" }, /* 85 */ + { 0x05, 0, 0, "md5" }, /* 86 */ + { 0x03, 0, 1, "encryptionAlgorithm" }, /* 87 */ + { 0x07, 0, 0, "3des-ede-cbc" }, /* 
88 */ + {0x2B, 150, 1, "" }, /* 89 */ + { 0x06, 137, 1, "dod" }, /* 90 */ + { 0x01, 0, 1, "internet" }, /* 91 */ + { 0x04, 106, 1, "private" }, /* 92 */ + { 0x01, 0, 1, "enterprise" }, /* 93 */ + { 0x82, 99, 1, "" }, /* 94 */ + { 0x37, 0, 1, "Microsoft" }, /* 95 */ + { 0x0A, 0, 1, "" }, /* 96 */ + { 0x03, 0, 1, "" }, /* 97 */ + { 0x03, 0, 0, "msSGC" }, /* 98 */ + { 0x89, 0, 1, "" }, /* 99 */ + { 0x31, 0, 1, "" }, /* 100 */ + { 0x01, 0, 1, "" }, /* 101 */ + { 0x01, 0, 1, "" }, /* 102 */ + { 0x02, 0, 1, "" }, /* 103 */ + { 0x02, 105, 0, "" }, /* 104 */ + { 0x4B, 0, 0, "TCGID" }, /* 105 */ + { 0x05, 0, 1, "security" }, /* 106 */ + { 0x05, 0, 1, "mechanisms" }, /* 107 */ + { 0x07, 0, 1, "id-pkix" }, /* 108 */ + { 0x01, 111, 1, "id-pe" }, /* 109 */ + { 0x01, 0, 0, "authorityInfoAccess" }, /* 110 */ + { 0x03, 121, 1, "id-kp" }, /* 111 */ + { 0x01, 113, 0, "serverAuth" }, /* 112 */ + { 0x02, 114, 0, "clientAuth" }, /* 113 */ + { 0x03, 115, 0, "codeSigning" }, /* 114 */ + { 0x04, 116, 0, "emailProtection" }, /* 115 */ + { 0x05, 117, 0, "ipsecEndSystem" }, /* 116 */ + { 0x06, 118, 0, "ipsecTunnel" }, /* 117 */ + { 0x07, 119, 0, "ipsecUser" }, /* 118 */ + { 0x08, 120, 0, "timeStamping" }, /* 119 */ + { 0x09, 0, 0, "ocspSigning" }, /* 120 */ + { 0x08, 123, 1, "id-otherNames" }, /* 121 */ + { 0x05, 0, 0, "xmppAddr" }, /* 122 */ + { 0x0A, 128, 1, "id-aca" }, /* 123 */ + { 0x01, 125, 0, "authenticationInfo" }, /* 124 */ + { 0x02, 126, 0, "accessIdentity" }, /* 125 */ + { 0x03, 127, 0, "chargingIdentity" }, /* 126 */ + { 0x04, 0, 0, "group" }, /* 127 */ + { 0x30, 0, 1, "id-ad" }, /* 128 */ + { 0x01, 0, 1, "ocsp" }, /* 129 */ + { 0x01, 131, 0, "basic" }, /* 130 */ + { 0x02, 132, 0, "nonce" }, /* 131 */ + { 0x03, 133, 0, "crl" }, /* 132 */ + { 0x04, 134, 0, "response" }, /* 133 */ + { 0x05, 135, 0, "noCheck" }, /* 134 */ + { 0x06, 136, 0, "archiveCutoff" }, /* 135 */ + { 0x07, 0, 0, "serviceLocator" }, /* 136 */ + { 0x0E, 143, 1, "oiw" }, /* 137 */ + { 0x03, 0, 1, "secsig" }, /* 
138 */ + { 0x02, 0, 1, "algorithms" }, /* 139 */ + { 0x07, 141, 0, "des-cbc" }, /* 140 */ + { 0x1A, 142, 0, "sha-1" }, /* 141 */ + { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 142 */ + { 0x24, 0, 1, "TeleTrusT" }, /* 143 */ + { 0x03, 0, 1, "algorithm" }, /* 144 */ + { 0x03, 0, 1, "signatureAlgorithm" }, /* 145 */ + { 0x01, 0, 1, "rsaSignature" }, /* 146 */ + { 0x02, 148, 0, "rsaSigWithripemd160" }, /* 147 */ + { 0x03, 149, 0, "rsaSigWithripemd128" }, /* 148 */ + { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 149 */ + {0x60, 0, 1, "" }, /* 150 */ + { 0x86, 0, 1, "" }, /* 151 */ + { 0x48, 0, 1, "" }, /* 152 */ + { 0x01, 0, 1, "organization" }, /* 153 */ + { 0x65, 161, 1, "gov" }, /* 154 */ + { 0x03, 0, 1, "csor" }, /* 155 */ + { 0x04, 0, 1, "nistalgorithm" }, /* 156 */ + { 0x02, 0, 1, "hashalgs" }, /* 157 */ + { 0x01, 159, 0, "id-SHA-256" }, /* 158 */ + { 0x02, 160, 0, "id-SHA-384" }, /* 159 */ + { 0x03, 0, 0, "id-SHA-512" }, /* 160 */ + { 0x86, 0, 1, "" }, /* 161 */ + { 0xf8, 0, 1, "" }, /* 162 */ + { 0x42, 175, 1, "netscape" }, /* 163 */ + { 0x01, 170, 1, "" }, /* 164 */ + { 0x01, 166, 0, "nsCertType" }, /* 165 */ + { 0x03, 167, 0, "nsRevocationUrl" }, /* 166 */ + { 0x04, 168, 0, "nsCaRevocationUrl" }, /* 167 */ + { 0x08, 169, 0, "nsCaPolicyUrl" }, /* 168 */ + { 0x0d, 0, 0, "nsComment" }, /* 169 */ + { 0x03, 173, 1, "directory" }, /* 170 */ + { 0x01, 0, 1, "" }, /* 171 */ + { 0x03, 0, 0, "employeeNumber" }, /* 172 */ + { 0x04, 0, 1, "policy" }, /* 173 */ + { 0x01, 0, 0, "nsSGC" }, /* 174 */ + { 0x45, 0, 1, "verisign" }, /* 175 */ + { 0x01, 0, 1, "pki" }, /* 176 */ + { 0x09, 0, 1, "attributes" }, /* 177 */ + { 0x02, 179, 0, "messageType" }, /* 178 */ + { 0x03, 180, 0, "pkiStatus" }, /* 179 */ + { 0x04, 181, 0, "failInfo" }, /* 180 */ + { 0x05, 182, 0, "senderNonce" }, /* 181 */ + { 0x06, 183, 0, "recipientNonce" }, /* 182 */ + { 0x07, 184, 0, "transID" }, /* 183 */ + { 0x08, 0, 0, "extensionReq" } /* 184 */ }; 
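Review bot: The `crlNumber` row inserted at index 44 shifts the hand-maintained sibling index of every later entry and every `OID_*` constant in the oid.h hunk, and nothing checks that the two files still agree; an off-by-one there does not yield an unknown OID but silently maps one object identifier onto another, which matters for lookups such as the signature algorithm and extension constants. If oid.c and oid.h are not already generated from oid.txt (this diff does not show whether they are), a generator or a startup self-check that compares the name stored at each `OID_*` index with the expected string would make this class of edit safe to repeat.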
diff --git a/src/pluto/oid.h b/src/pluto/oid.h
index ccdfb2954..869a87eb0 100644
--- a/src/pluto/oid.h
+++ b/src/pluto/oid.h
@@ -19,60 +19,61 @@ extern const oid_t oid_names[];
 #define OID_SUBJECT_KEY_ID 38
 #define OID_SUBJECT_ALT_NAME 41
 #define OID_BASIC_CONSTRAINTS 43
-#define OID_CRL_REASON_CODE 44
-#define OID_CRL_DISTRIBUTION_POINTS 45
-#define OID_AUTHORITY_KEY_ID 47
-#define OID_EXTENDED_KEY_USAGE 48
-#define OID_TARGET_INFORMATION 49
-#define OID_NO_REV_AVAIL 50
-#define OID_RSA_ENCRYPTION 59
-#define OID_MD2_WITH_RSA 60
-#define OID_MD5_WITH_RSA 61
-#define OID_SHA1_WITH_RSA 62
-#define OID_SHA256_WITH_RSA 63
-#define OID_SHA384_WITH_RSA 64
-#define OID_SHA512_WITH_RSA 65
-#define OID_PKCS7_DATA 67
-#define OID_PKCS7_SIGNED_DATA 68
-#define OID_PKCS7_ENVELOPED_DATA 69
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA 70
-#define OID_PKCS7_DIGESTED_DATA 71
-#define OID_PKCS7_ENCRYPTED_DATA 72
-#define OID_PKCS9_EMAIL 74
-#define OID_PKCS9_CONTENT_TYPE 76
-#define OID_PKCS9_MESSAGE_DIGEST 77
-#define OID_PKCS9_SIGNING_TIME 78
-#define OID_MD2 84
-#define OID_MD5 85
-#define OID_3DES_EDE_CBC 87
-#define OID_AUTHORITY_INFO_ACCESS 109
-#define OID_OCSP_SIGNING 119
-#define OID_XMPP_ADDR 121
-#define OID_AUTHENTICATION_INFO 123
-#define OID_ACCESS_IDENTITY 124
-#define OID_CHARGING_IDENTITY 125
-#define OID_GROUP 126
-#define OID_OCSP 128
-#define OID_BASIC 129
-#define OID_NONCE 130
-#define OID_CRL 131
-#define OID_RESPONSE 132
-#define OID_NO_CHECK 133
-#define OID_ARCHIVE_CUTOFF 134
-#define OID_SERVICE_LOCATOR 135
-#define OID_DES_CBC 139
-#define OID_SHA1 140
-#define OID_SHA1_WITH_RSA_OIW 141
-#define OID_SHA256 157
-#define OID_SHA384 158
-#define OID_SHA512 159
-#define OID_NS_REVOCATION_URL 165
-#define OID_NS_CA_REVOCATION_URL 166
-#define OID_NS_CA_POLICY_URL 167
-#define OID_NS_COMMENT 168
-#define OID_PKI_MESSAGE_TYPE 177
-#define OID_PKI_STATUS 178
-#define OID_PKI_FAIL_INFO 179
-#define OID_PKI_SENDER_NONCE 180
-#define OID_PKI_RECIPIENT_NONCE 181
-#define OID_PKI_TRANS_ID 182
+#define OID_CRL_NUMBER 44
+#define OID_CRL_REASON_CODE 45
+#define OID_CRL_DISTRIBUTION_POINTS 46
+#define OID_AUTHORITY_KEY_ID 48
+#define OID_EXTENDED_KEY_USAGE 49
+#define OID_TARGET_INFORMATION 50
+#define OID_NO_REV_AVAIL 51
+#define OID_RSA_ENCRYPTION 60
+#define OID_MD2_WITH_RSA 61
+#define OID_MD5_WITH_RSA 62
+#define OID_SHA1_WITH_RSA 63
+#define OID_SHA256_WITH_RSA 64
+#define OID_SHA384_WITH_RSA 65
+#define OID_SHA512_WITH_RSA 66
+#define OID_PKCS7_DATA 68
+#define OID_PKCS7_SIGNED_DATA 69
+#define OID_PKCS7_ENVELOPED_DATA 70
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 71
+#define OID_PKCS7_DIGESTED_DATA 72
+#define OID_PKCS7_ENCRYPTED_DATA 73
+#define OID_PKCS9_EMAIL 75
+#define OID_PKCS9_CONTENT_TYPE 77
+#define OID_PKCS9_MESSAGE_DIGEST 78
+#define OID_PKCS9_SIGNING_TIME 79
+#define OID_MD2 85
+#define OID_MD5 86
+#define OID_3DES_EDE_CBC 88
+#define OID_AUTHORITY_INFO_ACCESS 110
+#define OID_OCSP_SIGNING 120
+#define OID_XMPP_ADDR 122
+#define OID_AUTHENTICATION_INFO 124
+#define OID_ACCESS_IDENTITY 125
+#define OID_CHARGING_IDENTITY 126
+#define OID_GROUP 127
+#define OID_OCSP 129
+#define OID_BASIC 130
+#define OID_NONCE 131
+#define OID_CRL 132
+#define OID_RESPONSE 133
+#define OID_NO_CHECK 134
+#define OID_ARCHIVE_CUTOFF 135
+#define OID_SERVICE_LOCATOR 136
+#define OID_DES_CBC 140
+#define OID_SHA1 141
+#define OID_SHA1_WITH_RSA_OIW 142
+#define OID_SHA256 158
+#define OID_SHA384 159
+#define OID_SHA512 160
+#define OID_NS_REVOCATION_URL 166
+#define OID_NS_CA_REVOCATION_URL 167
+#define OID_NS_CA_POLICY_URL 168
+#define OID_NS_COMMENT 169
+#define OID_PKI_MESSAGE_TYPE 178
+#define OID_PKI_STATUS 179
+#define OID_PKI_FAIL_INFO 180
+#define OID_PKI_SENDER_NONCE 181
+#define OID_PKI_RECIPIENT_NONCE 182
+#define OID_PKI_TRANS_ID 183
diff --git a/src/pluto/oid.txt b/src/pluto/oid.txt
index e8750024e..2b3c96ae3 100644
--- a/src/pluto/oid.txt
+++ b/src/pluto/oid.txt
@@ -42,6 +42,7 @@
 0x11 "subjectAltName" OID_SUBJECT_ALT_NAME
 0x12 "issuerAltName"
 0x13 "basicConstraints" OID_BASIC_CONSTRAINTS
+ 0x14 "crlNumber" OID_CRL_NUMBER
 0x15 "reasonCode" OID_CRL_REASON_CODE
 0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS
 0x20 "certificatePolicies"
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index e235ff765..d9b2167c8 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -29,6 +29,8 @@
 #include <resolv.h>
 #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
 #include <sys/queue.h>
+#include <linux/capability.h>
+#include <sys/prctl.h>
 #include <freeswan.h>
@@ -64,6 +66,11 @@
 #include "nat_traversal.h"
 #include "virtual.h"
+/* on some distros, a capset() definition is missing */
+#ifdef NO_CAPSET_DEFINED
+extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
+#endif /* NO_CAPSET_DEFINED */
+
 static void
 usage(const char *mess)
 {
@@ -221,6 +228,8 @@ main(int argc, char **argv)
 bool force_keepalive = FALSE;
 char *virtual_private = NULL;
 int lockfd;
+ struct __user_cap_header_struct hdr;
+ struct __user_cap_data_struct data;
 /* handle arguments */
 for (;;)
@@ -596,6 +605,26 @@ main(int argc, char **argv)
 init_id();
 init_fetch();
+ /* drop unneeded capabilities and change UID/GID */
+ hdr.version = _LINUX_CAPABILITY_VERSION;
+ hdr.pid = 0;
+ data.effective = data.permitted = 1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE;
+ data.inheritable = 0;
+
+ prctl(PR_SET_KEEPCAPS, 1);
+
+# if IPSEC_GID
+ setgid(IPSEC_GID);
+# endif
+# if IPSEC_UID
+ setuid(IPSEC_UID);
+# endif
+ if (capset(&hdr, &data))
+ {
+ plog("unable to drop root privileges");
+ abort();
+ }
+
 /* loading X.509 CA certificates */
 load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
 /* loading X.509 AA certificates */
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index e888d5e16..c2ea2b5a0 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
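Review bot: The return values of `prctl(PR_SET_KEEPCAPS, 1)`, `setgid()` and `setuid()` in the new privilege-drop block are ignored, so if the UID or GID change fails pluto keeps running as root, and the only thing that catches it is the indirect `capset()` failure in the case where the permitted set happened to be lost. Each of the three calls should be checked and treated as fatal the way `capset()` already is, and the capability mask is easier to audit with explicit parentheses than with `1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE`. Supplementary groups are also not cleared before `setgid()`; unless that happens elsewhere in main() (which starts and ends outside this hunk), a `setgroups(0, NULL)` belongs there. `abort()` will leave a core dump of a process that may by now hold key material, so the daemon's regular fatal-exit path is probably the better choice than the `abort()` kept below.
```c
	/* drop unneeded capabilities and change UID/GID */
	hdr.version = _LINUX_CAPABILITY_VERSION;
	hdr.pid = 0;
	data.effective = data.permitted = (1 << CAP_NET_ADMIN) | (1 << CAP_NET_BIND_SERVICE);
	data.inheritable = 0;

	/* keep the permitted set across the UID change; otherwise setuid()
	 * clears it and the capset() below cannot succeed */
	if (prctl(PR_SET_KEEPCAPS, 1) != 0)
	{
		plog("unable to keep capabilities across setuid()");
		abort();
	}
# if IPSEC_GID
	/* clear supplementary groups before giving up the GID (setgroups needs <grp.h>) */
	if (setgroups(0, NULL) != 0 || setgid(IPSEC_GID) != 0)
	{
		plog("unable to change GID");
		abort();
	}
# endif
# if IPSEC_UID
	if (setuid(IPSEC_UID) != 0)
	{
		plog("unable to change UID");
		abort();
	}
# endif
	/* … unchanged: capset() and its failure path … */
```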
@@ -205,7 +205,9 @@ static struct vid_struct _vid_tab[] = {
 /*
 * strongSwan
 */
- DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.1")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.3")
+ DEC_MD5_VID(STRONGSWAN_4_1_2, "strongSwan 4.1.2")
+ DEC_MD5_VID(STRONGSWAN_4_1_1, "strongSwan 4.1.1")
 DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
 DEC_MD5_VID(STRONGSWAN_4_0_7, "strongSwan 4.0.7")
 DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 8e0444f4d..5ba65ea37 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -99,6 +99,8 @@ enum known_vendorid {
 VID_STRONGSWAN_4_0_6 = 76,
 VID_STRONGSWAN_4_0_7 = 77,
 VID_STRONGSWAN_4_1_0 = 78,
+ VID_STRONGSWAN_4_1_1 = 79,
+ VID_STRONGSWAN_4_1_2 = 80,
 /* 101 - 200 : NAT-Traversal */
 VID_NATT_STENBERG_01 =101,
diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c
index 3d30ad227..77ac8dee7 100644
--- a/src/pluto/xauth.c
+++ b/src/pluto/xauth.c
@@ -44,7 +44,7 @@ xauth_init(void)
 DBG_log("xauth module: found get_secret() function");
 }
 )
- xauth_module.verify_secret = (bool (*) (const xauth_t*))
+ xauth_module.verify_secret = (bool (*) (const char*, const xauth_t*))
 dlsym(xauth_module.handle, "verify_secret");
 DBG(DBG_CONTROL,
 if (xauth_module.verify_secret != NULL)
diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h
index 1f06aefd9..740618750 100644
--- a/src/pluto/xauth.h
+++ b/src/pluto/xauth.h
@@ -30,7 +30,7 @@ typedef struct {
 void *handle;
 bool (*get_secret) (xauth_t *xauth_secret);
- bool (*verify_secret) (const xauth_t *xauth_secret);
+ bool (*verify_secret) (const char *conn_name, const xauth_t *xauth_secret);
 } xauth_module_t;
 extern xauth_module_t xauth_module; |