Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/Makefile.am20
-rw-r--r--src/pluto/Makefile.in21
-rw-r--r--src/pluto/connections.c118
-rw-r--r--src/pluto/connections.h1
-rw-r--r--src/pluto/plutomain.c15
-rw-r--r--src/pluto/smartcard.c12
-rw-r--r--src/pluto/smartcard.h2
-rw-r--r--src/pluto/vendor.c5
-rw-r--r--src/pluto/vendor.h25
9 files changed, 105 insertions, 114 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 7dd5f422b..9aeac029d 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -128,14 +128,14 @@ if USE_LIBLDAP
endif
install-exec-local :
- mkdir -p -m 755 $(confdir)/ipsec.d
- mkdir -p -m 755 $(confdir)/ipsec.d/cacerts
- mkdir -p -m 755 $(confdir)/ipsec.d/ocspcerts
- mkdir -p -m 755 $(confdir)/ipsec.d/certs
- mkdir -p -m 755 $(confdir)/ipsec.d/acerts
- mkdir -p -m 755 $(confdir)/ipsec.d/aacerts
- mkdir -p -m 755 $(confdir)/ipsec.d/crls
- mkdir -p -m 755 $(confdir)/ipsec.d/reqs
- mkdir -p -m 700 $(confdir)/ipsec.d/private
- chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/cacerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/ocspcerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/certs
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/acerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/aacerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/crls
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/reqs
+ mkdir -p -m 700 $(DESTDIR)$(confdir)/ipsec.d/private
+ chown -R $(ipsecuid):$(ipsecgid) $(DESTDIR)$(confdir)/ipsec.d
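Review bot: `mkdir -p -m 700` only applies the mode to a directory it actually creates, so on an upgrade where `ipsec.d/private` already exists with looser permissions the private-key directory is left as is; an explicit `chmod 700 $(DESTDIR)$(confdir)/ipsec.d/private` after the mkdir lines would close that gap. The unconditional `chown -R` on the last line will now fail a staged, non-root install, which is the usual reason for honouring `$(DESTDIR)` in the first place; either prefix it with `-` or skip it when staging, `test -n "$(DESTDIR)" || chown -R $(ipsecuid):$(ipsecgid) $(DESTDIR)$(confdir)/ipsec.d`. Note also that `-R` re-owns everything already under ipsec.d, including files an administrator placed there deliberately.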
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index e164717a9..4cefa58ca 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -179,6 +179,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
STRIP = @STRIP@
@@ -879,16 +880,16 @@ oid.h: oid.txt oid.pl
$(PERL) oid.pl
install-exec-local :
- mkdir -p -m 755 $(confdir)/ipsec.d
- mkdir -p -m 755 $(confdir)/ipsec.d/cacerts
- mkdir -p -m 755 $(confdir)/ipsec.d/ocspcerts
- mkdir -p -m 755 $(confdir)/ipsec.d/certs
- mkdir -p -m 755 $(confdir)/ipsec.d/acerts
- mkdir -p -m 755 $(confdir)/ipsec.d/aacerts
- mkdir -p -m 755 $(confdir)/ipsec.d/crls
- mkdir -p -m 755 $(confdir)/ipsec.d/reqs
- mkdir -p -m 700 $(confdir)/ipsec.d/private
- chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/cacerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/ocspcerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/certs
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/acerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/aacerts
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/crls
+ mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/reqs
+ mkdir -p -m 700 $(DESTDIR)$(confdir)/ipsec.d/private
+ chown -R $(ipsecuid):$(ipsecgid) $(DESTDIR)$(confdir)/ipsec.d
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 0d02b979c..c4d5dae4d 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -122,7 +122,7 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
{
if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
- && sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
+ && sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
{
if (prev != NULL)
{
@@ -162,15 +162,21 @@ connect_to_host_pair(struct connection *c)
{
if (oriented(*c))
{
- struct host_pair *hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
- , &c->spd.that.host_addr, c->spd.that.host_port);
+ struct host_pair *hp;
+
+ ip_address his_addr = (c->spd.that.allow_any)
+ ? *aftoinfo(addrtypeof(&c->spd.that.host_addr))->any
+ : c->spd.that.host_addr;
+
+ hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
+ , &his_addr, c->spd.that.host_port);
if (hp == NULL)
{
/* no suitable host_pair -- build one */
hp = alloc_thing(struct host_pair, "host_pair");
hp->me.addr = c->spd.this.host_addr;
- hp->him.addr = c->spd.that.host_addr;
+ hp->him.addr = his_addr;
hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
hp->initial_connection_sent = FALSE;
@@ -632,24 +638,15 @@ format_end(char *buf
strcpy(&host_id[len < 0? (ptrdiff_t)sizeof(host_id)-2 : 1 + len], "]");
}
- /* [---hop] */
- hop[0] = '\0';
- hop_sep = "";
- if (that != NULL && !sameaddr(&this->host_nexthop, &that->host_addr))
- {
- addrtot(&this->host_nexthop, 0, hop, sizeof(hop));
- hop_sep = "---";
- }
-
if (is_left)
- snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s"
- , open_brackets, client, close_brackets
- , client_sep, host, host_port, host_id
- , protoport, hop_sep, hop);
+ snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
+ , open_brackets, client, close_brackets, client_sep
+ , this->allow_any? "%":""
+ , host, host_port, host_id, protoport);
else
- snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s"
- , hop, hop_sep, host, host_port, host_id
- , protoport, client_sep
+ snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
+ , this->allow_any? "%":""
+ , host, host_port, host_id, protoport, client_sep
, open_brackets, client, close_brackets);
return strlen(buf);
}
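Review bot: The `hop` buffer and `hop_sep` are no longer referenced by either snprintf, but their declarations sit above this hunk in format_end and are not touched here; if they were not removed elsewhere in the commit they are now dead locals the compiler will warn about. This was the only place `this->host_nexthop` appeared in status output, so a one-line comment such as `/* nexthop is no longer shown; a leading '%' marks an end whose address may change (allow_any) */` above the first snprintf would explain both the removal and the new marker to the next reader. format_end starts before this hunk.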
@@ -855,6 +852,7 @@ extract_end(struct end *dst, const whack_end_t *src, const char *which)
dst->has_client_wildcard = src->has_client_wildcard;
dst->modecfg = src->modecfg;
dst->hostaccess = src->hostaccess;
+ dst->allow_any = src->allow_any;
dst->sendcert = src->sendcert;
dst->updown = src->updown;
dst->host_port = src->host_port;
@@ -1067,7 +1065,8 @@ add_connection(const whack_message_t *wm)
* or any wildcard ID to that end
*/
if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
- || c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards)
+ || c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards
+ || c->spd.this.allow_any)
{
struct end t = c->spd.this;
@@ -1095,7 +1094,7 @@ add_connection(const whack_message_t *wm)
}
else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
|| c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard
- || c->spd.that.has_id_wildcards)
+ || c->spd.that.has_id_wildcards || c->spd.that.allow_any)
{
/* Opportunistic or Road Warrior or wildcard client subnet
* or wildcard ID */
@@ -1263,6 +1262,8 @@ instantiate(struct connection *c, const ip_address *him
c->instance_serial++;
d = clone_thing(*c, "temporary connection");
+ d->spd.that.allow_any = FALSE;
+
if (his_id != NULL)
{
passert(match_id(his_id, &d->spd.that.id, &wildcards));
@@ -1306,6 +1307,10 @@ instantiate(struct connection *c, const ip_address *him
connect_to_host_pair(d);
return d;
+ if (sameaddr(&d->spd.that.host_addr, &d->spd.this.host_nexthop))
+ {
+ d->spd.this.host_nexthop = *him;
+ }
}
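Review bot: The added nexthop fix-up at the end of this hunk is placed after `return d;` and is therefore unreachable, so `d->spd.this.host_nexthop` is never rewritten for an instance whose peer address coincides with the template's nexthop. Move the three lines above `connect_to_host_pair(d);`, i.e. before the return, so that `d->spd.this.host_nexthop = *him;` can take effect. The assignment of `d->spd.that.host_addr` from `him` happens earlier in instantiate(), outside this hunk, so confirm the moved block still follows it.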
struct connection *
@@ -1803,7 +1808,7 @@ initiate_connection(const char *name, int whackfd)
loglog(RC_INITSHUNT
, "cannot initiate an authby=never connection");
}
- else if (c->kind != CK_PERMANENT)
+ else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any)
{
if (isanyaddr(&c->spd.that.host_addr))
loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address");
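Review bot: Relaxing the guard with `!c->spd.that.allow_any` also bypasses the `isanyaddr()` check that follows it, so an allow_any connection whose peer address is still unresolved would fall through to the initiation path with an all-zero address instead of the `RC_NOPEERIP` error. Keeping the address check in force for that case is a one-line change: `else if (c->kind != CK_PERMANENT && !(c->spd.that.allow_any && !isanyaddr(&c->spd.that.host_addr)))`. Whether the whack/starter side can ever hand over allow_any together with an unresolved address is not visible in this diff, so this is a defensive check rather than a confirmed bug.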
@@ -1812,22 +1817,30 @@ initiate_connection(const char *name, int whackfd)
}
else
{
- /* We will only request an IPsec SA if policy isn't empty
- * (ignoring Main Mode items).
- * This is a fudge, but not yet important.
- * If we are to proceed asynchronously, whackfd will be NULL_FD.
- */
- c->policy |= POLICY_UP;
/* do we have to prompt for a PIN code? */
if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
+ {
scx_get_pin(c->spd.this.sc, whackfd);
-
+ }
if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
{
loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
}
else
{
+
+ if (c->spd.that.allow_any)
+ {
+ c = instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port
+ , &c->spd.that.id);
+ }
+
+ /* We will only request an IPsec SA if policy isn't empty
+ * (ignoring Main Mode items).
+ * This is a fudge, but not yet important.
+ * If we are to proceed asynchronously, whackfd will be NULL_FD.
+ */
+ c->policy |= POLICY_UP;
ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY);
whackfd = NULL_FD; /* protect from close */
}
@@ -2975,51 +2988,6 @@ terminate_connection(const char *nm)
} while (c != NULL);
}
-/* check nexthop safety
- * Our nexthop must not be within a routed client subnet, and vice versa.
- * Note: we don't think this is true. We think that KLIPS will
- * not process a packet output by an eroute.
- */
-#ifdef NEVER
-//bool
-//check_nexthop(const struct connection *c)
-//{
-// struct connection *d;
-//
-// if (addrinsubnet(&c->spd.this.host_nexthop, &c->spd.that.client))
-// {
-// loglog(RC_LOG_SERIOUS, "cannot perform routing for connection \"%s\""
-// " because nexthop is within peer's client network",
-// c->name);
-// return FALSE;
-// }
-//
-// for (d = connections; d != NULL; d = d->next)
-// {
-// if (d->routing != RT_UNROUTED)
-// {
-// if (addrinsubnet(&c->spd.this.host_nexthop, &d->spd.that.client))
-// {
-// loglog(RC_LOG_SERIOUS, "cannot do routing for connection \"%s\"
-// " because nexthop is contained in"
-// " existing routing for connection \"%s\"",
-// c->name, d->name);
-// return FALSE;
-// }
-// if (addrinsubnet(&d->spd.this.host_nexthop, &c->spd.that.client))
-// {
-// loglog(RC_LOG_SERIOUS, "cannot do routing for connection \"%s\"
-// " because it contains nexthop of"
-// " existing routing for connection \"%s\"",
-// c->name, d->name);
-// return FALSE;
-// }
-// }
-// }
-// return TRUE;
-//}
-#endif /* NEVER */
-
/* an ISAKMP SA has been established.
* Note the serial number, and release any connections with
* the same peer ID but different peer IP address.
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index df3af9dd4..40cbfc497 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -155,6 +155,7 @@ struct end {
/* that end: give local addresses to clients */
bool hostaccess; /* allow access to host via iptables INPUT/OUTPUT */
/* rules if client behind host is a subnet */
+ bool allow_any; /* IP address is subject to change */
certpolicy_t sendcert; /* whether or not to send the certificate */
};
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index d9b2167c8..a5bf82768 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -104,7 +104,8 @@ usage(const char *mess)
" \\\n\t"
"[--adns <pathname>]"
"[--pkcs11module <path>]"
- "[--pkcs11keepstate"
+ "[--pkcs11keepstate]"
+ "[--pkcs11initargs <string>]"
#ifdef DEBUG
" \\\n\t"
"[--debug-none]"
@@ -217,6 +218,11 @@ bool pkcs11_keep_state = FALSE;
/* by default pluto does not allow pkcs11 proxy access via whack */
bool pkcs11_proxy = FALSE;
+/* argument string to pass to PKCS#11 module.
+ * Not used for compliant modules, just for NSS softoken
+ */
+static const char *pkcs11_init_args = NULL;
+
int
main(int argc, char **argv)
{
@@ -263,6 +269,7 @@ main(int argc, char **argv)
#endif /* !USE_LWRES */
{ "pkcs11module", required_argument, NULL, 'm' },
{ "pkcs11keepstate", no_argument, NULL, 'k' },
+ { "pkcs11initargs", required_argument, NULL, 'z' },
{ "pkcs11proxy", no_argument, NULL, 'y' },
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
@@ -432,6 +439,10 @@ main(int argc, char **argv)
pkcs11_proxy = TRUE;
continue;
+ case 'z': /* --pkcs11initargs */
+ pkcs11_init_args = optarg;
+ continue;
+
#ifdef DEBUG
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
@@ -593,7 +604,7 @@ main(int argc, char **argv)
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
init_virtual_ip(virtual_private);
- scx_init(pkcs11_module_path); /* load and initialize PKCS #11 module */
+ scx_init(pkcs11_module_path, pkcs11_init_args); /* load and initialize PKCS #11 module */
xauth_init(); /* load and initialize XAUTH module */
init_rnd_pool();
init_secret();
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index 744f8a6f3..067d0f046 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -690,12 +690,16 @@ scx_find_all_cert_objects(void)
#endif
/*
- * load and initialize PKCS#11 cryptoki module
+ * load and initialize PKCS#11 cryptoki module
+ *
+ * init_args should be unused when we have a PKCS#11 compliant module,
+ * but NSS softoken breaks that API.
*/
void
-scx_init(const char* module)
+scx_init(const char* module, const char *init_args)
{
#ifdef SMARTCARD
+ CK_C_INITIALIZE_ARGS args = { .pReserved = init_args, };
CK_RV rv;
if (scx_initialized)
@@ -726,8 +730,8 @@ scx_init(const char* module)
DBG(DBG_CONTROL | DBG_CRYPT,
DBG_log("pkcs11 module initializing...")
- )
- rv = pkcs11_functions->C_Initialize(NULL);
+ )
+ rv = pkcs11_functions->C_Initialize(init_args ? &args : NULL);
if (rv != CKR_OK)
{
plog("failed to initialize pkcs11 module: %s"
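Review bot: `.pReserved = init_args` stores a `const char *` into the `CK_VOID_PTR` field and silently discards the qualifier; make the cast explicit, `.pReserved = (CK_VOID_PTR)init_args,`, with a note that NSS softoken parses the string while a conforming module must ignore it. The rest of the struct is zero-initialised, so `flags` is 0 and all mutex callbacks are NULL, which under the PKCS#11 C_Initialize contract tells the module the application will never call it from more than one thread at a time; that assumption deserves a sentence in the header comment, since a threaded caller would need CKF_OS_LOCKING_OK. A conforming module is expected to reject a non-NULL pReserved with CKR_ARGUMENTS_BAD, so the existing `plog("failed to initialize pkcs11 module: ...")` path is what a user of --pkcs11initargs with a non-NSS module will hit; mentioning in that message that init args were supplied would make the failure self-explanatory. scx_init continues past this hunk.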
diff --git a/src/pluto/smartcard.h b/src/pluto/smartcard.h
index c004ca7dd..864f630a1 100644
--- a/src/pluto/smartcard.h
+++ b/src/pluto/smartcard.h
@@ -69,7 +69,7 @@ extern bool pkcs11_keep_state;
extern bool pkcs11_proxy;
extern smartcard_t* scx_parse_number_slot_id(const char *number_slot_id);
-extern void scx_init(const char *module);
+extern void scx_init(const char *module, const char *init_args);
extern void scx_finalize(void);
extern bool scx_establish_context(smartcard_t *sc);
extern bool scx_login(smartcard_t *sc);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index c2ea2b5a0..086cb4dd7 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -205,7 +205,8 @@ static struct vid_struct _vid_tab[] = {
/*
* strongSwan
*/
- DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.3")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.4")
+ DEC_MD5_VID(STRONGSWAN_4_1_3, "strongSwan 4.1.3")
DEC_MD5_VID(STRONGSWAN_4_1_2, "strongSwan 4.1.2")
DEC_MD5_VID(STRONGSWAN_4_1_1, "strongSwan 4.1.1")
DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
@@ -218,6 +219,8 @@ static struct vid_struct _vid_tab[] = {
DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
+ DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")
+ DEC_MD5_VID(STRONGSWAN_2_8_5, "strongSwan 2.8.5")
DEC_MD5_VID(STRONGSWAN_2_8_4, "strongSwan 2.8.4")
DEC_MD5_VID(STRONGSWAN_2_8_3, "strongSwan 2.8.3")
DEC_MD5_VID(STRONGSWAN_2_8_2, "strongSwan 2.8.2")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 5ba65ea37..6c7eeafb3 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -89,18 +89,21 @@ enum known_vendorid {
VID_STRONGSWAN_2_8_2 = 67,
VID_STRONGSWAN_2_8_3 = 68,
VID_STRONGSWAN_2_8_4 = 69,
+ VID_STRONGSWAN_2_8_5 = 70,
+ VID_STRONGSWAN_2_8_6 = 71,
- VID_STRONGSWAN_4_0_0 = 70,
- VID_STRONGSWAN_4_0_1 = 71,
- VID_STRONGSWAN_4_0_2 = 72,
- VID_STRONGSWAN_4_0_3 = 73,
- VID_STRONGSWAN_4_0_4 = 74,
- VID_STRONGSWAN_4_0_5 = 75,
- VID_STRONGSWAN_4_0_6 = 76,
- VID_STRONGSWAN_4_0_7 = 77,
- VID_STRONGSWAN_4_1_0 = 78,
- VID_STRONGSWAN_4_1_1 = 79,
- VID_STRONGSWAN_4_1_2 = 80,
+ VID_STRONGSWAN_4_0_0 = 80,
+ VID_STRONGSWAN_4_0_1 = 81,
+ VID_STRONGSWAN_4_0_2 = 82,
+ VID_STRONGSWAN_4_0_3 = 83,
+ VID_STRONGSWAN_4_0_4 = 84,
+ VID_STRONGSWAN_4_0_5 = 85,
+ VID_STRONGSWAN_4_0_6 = 86,
+ VID_STRONGSWAN_4_0_7 = 87,
+ VID_STRONGSWAN_4_1_0 = 88,
+ VID_STRONGSWAN_4_1_1 = 89,
+ VID_STRONGSWAN_4_1_2 = 90,
+ VID_STRONGSWAN_4_1_3 = 91,
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =101,