pluto: Option added to disable adns.
This basically disables opportunistic encryption.
This commit is contained in:
parent
2b9c3642e4
commit
d52c37790e
|
@ -161,6 +161,7 @@ ARG_DISBL_SET([load-warning], [disable the charon/pluto plugin load option war
|
|||
ARG_DISBL_SET([pluto], [disable the IKEv1 keying daemon pluto.])
|
||||
ARG_DISBL_SET([xauth], [disable xauth plugin.])
|
||||
ARG_DISBL_SET([threads], [disable the use of threads in pluto. Charon always uses threads.])
|
||||
ARG_DISBL_SET([adns], [disable the use of adns in pluto (disables opportunistic encryption).])
|
||||
ARG_DISBL_SET([charon], [disable the IKEv2 keying daemon charon.])
|
||||
ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).])
|
||||
ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).])
|
||||
|
@ -1001,6 +1002,7 @@ AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
|
|||
AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
|
||||
AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
|
||||
AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
|
||||
AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
|
||||
AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
|
||||
AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
|
||||
AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
|
||||
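Review bot: The help text for the new `adns` option mentions only opportunistic encryption, but the Makefile.am hunks of this commit also drop the `_pluto_adns` helper program and the `dnskey.c` sources, so someone reading `./configure --help` cannot tell that DNS-based key lookup (the `ka_TXT` path in rcv_whack.c) goes away too. I would extend it to `ARG_DISBL_SET([adns], [disable the use of adns in pluto (disables opportunistic encryption and DNS key lookups).])`. Nothing ties `adns` to `pluto`, so `--disable-pluto` leaves USE_ADNS true; harmless as far as the visible hunks go, but the pairing could be stated in the option text or folded into the pluto test.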
|
|
|
@ -15,7 +15,6 @@ crypto.c crypto.h \
|
|||
db_ops.c db_ops.h \
|
||||
defs.c defs.h \
|
||||
demux.c demux.h \
|
||||
dnskey.c dnskey.h \
|
||||
event_queue.c event_queue.h \
|
||||
fetch.c fetch.h \
|
||||
foodgroups.c foodgroups.h \
|
||||
|
|
|
@ -2,7 +2,11 @@
|
|||
# painless way. Only the most important options are included,
|
||||
# further work may be necessary here...
|
||||
|
||||
ipsec_PROGRAMS = pluto _pluto_adns
|
||||
ipsec_PROGRAMS = pluto
|
||||
|
||||
if USE_ADNS
|
||||
ipsec_PROGRAMS += _pluto_adns
|
||||
endif
|
||||
|
||||
pluto_SOURCES = \
|
||||
ac.c ac.h \
|
||||
|
@ -17,7 +21,6 @@ crypto.c crypto.h \
|
|||
db_ops.c db_ops.h \
|
||||
defs.c defs.h \
|
||||
demux.c demux.h \
|
||||
dnskey.c dnskey.h \
|
||||
event_queue.c event_queue.h \
|
||||
fetch.c fetch.h \
|
||||
foodgroups.c foodgroups.h \
|
||||
|
@ -53,7 +56,13 @@ x509.c x509.h \
|
|||
builder.c builder.h \
|
||||
rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
|
||||
|
||||
_pluto_adns_SOURCES = adns.c adns.h
|
||||
if USE_ADNS
|
||||
pluto_SOURCES += \
|
||||
dnskey.c dnskey.h
|
||||
|
||||
_pluto_adns_SOURCES = \
|
||||
adns.c adns.h
|
||||
endif
|
||||
|
||||
plutomain.o : $(top_builddir)/config.status
|
||||
|
||||
|
@ -84,9 +93,11 @@ $(LIBFREESWANDIR)/libfreeswan.a \
|
|||
$(LIBHYDRADIR)/libhydra.la \
|
||||
-lresolv $(PTHREADLIB) $(DLLIB)
|
||||
|
||||
if USE_ADNS
|
||||
_pluto_adns_LDADD = \
|
||||
$(LIBFREESWANDIR)/libfreeswan.a \
|
||||
-lresolv $(DLLIB)
|
||||
endif
|
||||
|
||||
dist_man_MANS = pluto.8
|
||||
|
||||
|
@ -126,6 +137,10 @@ if USE_THREADS
|
|||
AM_CFLAGS += -DTHREADS
|
||||
endif
|
||||
|
||||
if USE_ADNS
|
||||
AM_CFLAGS += -DADNS
|
||||
endif
|
||||
|
||||
# build optional plugins
|
||||
########################
|
||||
|
||||
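Review bot: `pluto_LDADD` still links `-lresolv` unconditionally (context line `-lresolv $(PTHREADLIB) $(DLLIB)` in the 84/93 hunk) although the resolver users visible in this commit — `dnskey.c` and the `<arpa/nameser.h>` include in the constants.c hunk — are now only built under USE_ADNS. If nothing else in pluto calls into libresolv (I cannot see the rest of the link list), the library belongs in the same conditional: `if USE_ADNS` / `pluto_LDADD += -lresolv` / `endif`, so the non-adns binary does not carry an unused dependency. `-DADNS` is added only to this directory's `AM_CFLAGS`; since `adns.h` now keys its entire content on that macro, any other directory that includes the header would get the dummy version, so an `AC_DEFINE` in configure.in may be the safer home for it if the project has a config.h (not visible here).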
|
|
|
@ -12,6 +12,14 @@
|
|||
* for more details.
|
||||
*/
|
||||
|
||||
#ifndef ADNS
|
||||
|
||||
/* dummy struct to make compilers happy */
|
||||
struct adns_query {
|
||||
};
|
||||
|
||||
#else /* rest of file */
|
||||
|
||||
/* The interface in RHL6.x and BIND distribution 8.2.2 are different,
|
||||
* so we build some of our own :-(
|
||||
*/
|
||||
|
@ -67,3 +75,4 @@ enum helper_exit_status {
|
|||
HES_BAD_LEN, /* implausible .len field */
|
||||
HES_BAD_MAGIC, /* .magic field wrong */
|
||||
};
|
||||
#endif /* ADNS */
|
||||
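Review bot: The dummy `struct adns_query { };` in the `#ifndef ADNS` branch has an empty member list, which is a GNU extension rather than ISO C (`-pedantic` warns and other compilers reject it), so the "make compilers happy" goal only holds for gcc. One placeholder member, `struct adns_query { int unused; };`, is portable and still keeps the type complete for whatever embeds it by value. The `#else /* rest of file */` comment is helpful; a matching `#endif /* ADNS */` at the end already exists, but the `#ifndef` sense makes it read as if the guarded region were the ADNS code, so `#endif /* ADNS (real definitions) */` would be clearer.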
|
|
|
@ -425,8 +425,9 @@ void delete_connection(connection_t *c, bool relations)
|
|||
c->requested_ca->destroy_offset(c->requested_ca,
|
||||
offsetof(identification_t, destroy));
|
||||
}
|
||||
#ifdef ADNS
|
||||
gw_delref(&c->gw_info);
|
||||
|
||||
#endif
|
||||
lock_certs_and_keys("delete_connection");
|
||||
cert_release(c->spd.this.cert);
|
||||
scx_release(c->spd.this.sc);
|
||||
|
@ -1477,6 +1478,8 @@ connection_t *rw_instantiate(connection_t *c, const ip_address *him,
|
|||
return d;
|
||||
}
|
||||
|
||||
#ifdef ADNS
|
||||
|
||||
connection_t *oppo_instantiate(connection_t *c, const ip_address *him,
|
||||
identification_t *his_id, struct gw_info *gw,
|
||||
const ip_address *our_client USED_BY_DEBUG,
|
||||
|
@ -1544,6 +1547,8 @@ connection_t *oppo_instantiate(connection_t *c, const ip_address *him,
|
|||
return d;
|
||||
}
|
||||
|
||||
#endif /* ADNS */
|
||||
|
||||
/* priority formatting */
|
||||
void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
|
||||
{
|
||||
|
@ -1767,6 +1772,8 @@ connection_t *find_connection_for_clients(struct spd_route **srp,
|
|||
return best;
|
||||
}
|
||||
|
||||
#ifdef ADNS
|
||||
|
||||
/* Find and instantiate a connection for an outgoing Opportunistic connection.
|
||||
* We've already discovered its gateway.
|
||||
* We look for a the connection such that:
|
||||
|
@ -1869,6 +1876,8 @@ connection_t *build_outgoing_opportunistic_connection(struct gw_info *gw,
|
|||
}
|
||||
}
|
||||
|
||||
#endif /* ADNS */
|
||||
|
||||
bool orient(connection_t *c)
|
||||
{
|
||||
struct spd_route *sr;
|
||||
|
@ -2179,6 +2188,8 @@ void initiate_opportunistic(const ip_address *our_client,
|
|||
initiate_opportunistic_body(&b, NULL, NULL);
|
||||
}
|
||||
|
||||
#ifdef ADNS
|
||||
|
||||
static void continue_oppo(struct adns_continuation *acr, err_t ugh)
|
||||
{
|
||||
struct find_oppo_continuation *cr = (void *)acr; /* inherit, damn you! */
|
||||
|
@ -2242,6 +2253,8 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
|
|||
close_any(whackfd);
|
||||
}
|
||||
|
||||
#endif /* ADNS */
|
||||
|
||||
#ifdef USE_KEYRR
|
||||
static err_t check_key_recs(enum myid_state try_state, const connection_t *c,
|
||||
struct adns_continuation *ac)
|
||||
|
@ -2298,6 +2311,8 @@ static err_t check_key_recs(enum myid_state try_state, const connection_t *c,
|
|||
}
|
||||
#endif /* USE_KEYRR */
|
||||
|
||||
#ifdef ADNS
|
||||
|
||||
static err_t check_txt_recs(enum myid_state try_state, const connection_t *c,
|
||||
struct adns_continuation *ac)
|
||||
{
|
||||
|
@ -2355,6 +2370,8 @@ static err_t check_txt_recs(enum myid_state try_state, const connection_t *c,
|
|||
return ugh;
|
||||
}
|
||||
|
||||
#endif /* ADNS */
|
||||
|
||||
|
||||
/* note: gateways_from_dns must be NULL iff this is the first call */
|
||||
static void initiate_opportunistic_body(struct find_oppo_bundle *b,
|
||||
|
@ -2431,6 +2448,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
|
|||
ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
|
||||
b->whackfd = NULL_FD; /* protect from close */
|
||||
}
|
||||
#ifdef ADNS
|
||||
else
|
||||
{
|
||||
/* We are handling an opportunistic situation.
|
||||
|
@ -2996,6 +3014,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
|
|||
cannot_oppo(c, b, ugh);
|
||||
}
|
||||
}
|
||||
#endif /* ADNS */
|
||||
close_any(b->whackfd);
|
||||
}
|
||||
|
||||
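Review bot: In a non-ADNS build the whole `else` branch of `initiate_opportunistic_body` (hunks at 2431/2448 and 2996/3014) is compiled out, so when the preceding `if` fails the function falls straight to `close_any(b->whackfd)` without any log line or whack reply, and the opportunistic request that reached `initiate_opportunistic` (still compiled unconditionally, see the 2179/2188 hunk) is dropped silently; the `if` itself starts before the hunk, so I cannot see its condition. I would add an `#else` arm before the closing guard that at least reports the situation, mirroring the message this commit adds to ipsec_doi.c: `#else /* ADNS */` / `else { plog("opportunistic connections not supported because adns is not available"); }` / `#endif /* ADNS */`. Separately, `check_key_recs` under `#ifdef USE_KEYRR` (context at 2298/2311) still takes a `struct adns_continuation *` and is not nested inside the ADNS guard, so a build with USE_KEYRR but without adns depends on code that is no longer compiled; the `ka_KEY` case in rcv_whack.c has the same problem.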
|
|
|
@ -1105,6 +1105,8 @@ bool subnetisnone(const ip_subnet *sn)
|
|||
return isanyaddr(&base) && subnetishost(sn);
|
||||
}
|
||||
|
||||
#ifdef ADNS
|
||||
|
||||
/* BIND enumerated types */
|
||||
|
||||
#include <arpa/nameser.h>
|
||||
|
@ -1169,6 +1171,8 @@ static const char *const rr_class_name[] = {
|
|||
|
||||
enum_names rr_class_names = { C_IN, C_IN, rr_class_name, NULL };
|
||||
|
||||
#endif /* ADNS */
|
||||
|
||||
/*
|
||||
* NAT-Traversal defines for nat_traveral type from nat_traversal.h
|
||||
*
|
||||
|
|
|
@ -3862,10 +3862,11 @@ main_id_and_auth(struct msg_digest *md
|
|||
|
||||
if (r == STF_SUSPEND)
|
||||
{
|
||||
err_t ugh = NULL;
|
||||
#ifdef ADNS
|
||||
/* initiate/resume asynchronous DNS lookup for key */
|
||||
struct key_continuation *nkc = malloc_thing(struct key_continuation);
|
||||
enum key_oppo_step step_done = kc == NULL? kos_null : kc->step;
|
||||
err_t ugh = NULL;
|
||||
|
||||
/* Record that state is used by a suspended md */
|
||||
passert(st->st_suspended_md == NULL);
|
||||
|
@ -3896,7 +3897,9 @@ main_id_and_auth(struct msg_digest *md
|
|||
default:
|
||||
bad_case(step_done);
|
||||
}
|
||||
|
||||
#else /* ADNS */
|
||||
ugh = "adns not supported";
|
||||
#endif /* ADNS */
|
||||
if (ugh != NULL)
|
||||
{
|
||||
report_key_dns_failure(peer, ugh);
|
||||
|
@ -4444,6 +4447,8 @@ stf_status quick_inI1_outR1(struct msg_digest *md)
|
|||
return quick_inI1_outR1_tail(&b, NULL);
|
||||
}
|
||||
|
||||
#ifdef ADNS
|
||||
|
||||
static void
|
||||
report_verify_failure(struct verify_oppo_bundle *b, err_t ugh)
|
||||
{
|
||||
|
@ -4808,6 +4813,8 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
|
|||
return next_step;
|
||||
}
|
||||
|
||||
#endif /* ADNS */
|
||||
|
||||
static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
|
||||
struct adns_continuation *ac)
|
||||
{
|
||||
|
@ -4871,6 +4878,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
|
|||
*/
|
||||
if (p->policy & POLICY_OPPO)
|
||||
{
|
||||
#ifdef ADNS
|
||||
/* Opportunistic case: delegation must be verified.
|
||||
* Here be dragons.
|
||||
*/
|
||||
|
@ -4925,6 +4933,11 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
|
|||
*/
|
||||
p = oppo_instantiate(p, &c->spd.that.host_addr, c->spd.that.id
|
||||
, NULL, &our_client, &his_client);
|
||||
#else /* ADNS */
|
||||
plog("opportunistic connections not supported because"
|
||||
" adns is not available");
|
||||
return STF_INTERNAL_ERROR;
|
||||
#endif /* ADNS */
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
|
@ -491,11 +491,11 @@ int main(int argc, char **argv)
|
|||
case 'f': /* --policygroupsdir <policygroups-dir> */
|
||||
policygroups_dir = optarg;
|
||||
continue;
|
||||
|
||||
#ifdef ADNS
|
||||
case 'a': /* --adns <pathname> */
|
||||
pluto_adns_option = optarg;
|
||||
continue;
|
||||
|
||||
#endif
|
||||
case 'm': /* --pkcs11module <pathname> */
|
||||
pkcs11_module_path = optarg;
|
||||
continue;
|
||||
|
@ -701,7 +701,9 @@ int main(int argc, char **argv)
|
|||
init_states();
|
||||
init_demux();
|
||||
init_kernel();
|
||||
#ifdef ADNS
|
||||
init_adns();
|
||||
#endif
|
||||
init_myid();
|
||||
fetch_initialize();
|
||||
ac_initialize();
|
||||
|
@ -820,7 +822,9 @@ void exit_pluto(int status)
|
|||
free_ifaces();
|
||||
ac_finalize(); /* free X.509 attribute certificates */
|
||||
scx_finalize(); /* finalize and unload PKCS #11 module */
|
||||
#ifdef ADNS
|
||||
stop_adns();
|
||||
#endif
|
||||
free_md_pool();
|
||||
free_crypto();
|
||||
free_myid(); /* free myids */
|
||||
|
|
|
@ -132,6 +132,8 @@ static void key_add_merge(struct key_add_common *oc, identification_t *keyid)
|
|||
}
|
||||
}
|
||||
|
||||
#ifdef ADNS
|
||||
|
||||
static void key_add_continue(struct adns_continuation *ac, err_t ugh)
|
||||
{
|
||||
struct key_add_continuation *kc = (void *) ac;
|
||||
|
@ -159,6 +161,8 @@ static void key_add_continue(struct adns_continuation *ac, err_t ugh)
|
|||
whack_log_fd = NULL_FD;
|
||||
}
|
||||
|
||||
#endif /* ADNS */
|
||||
|
||||
static void key_add_request(const whack_message_t *msg)
|
||||
{
|
||||
identification_t *key_id;
|
||||
|
@ -189,9 +193,11 @@ static void key_add_request(const whack_message_t *msg)
|
|||
kc = malloc_thing(struct key_add_continuation);
|
||||
kc->common = oc;
|
||||
kc->lookingfor = kaa;
|
||||
ugh = NULL;
|
||||
|
||||
switch (kaa)
|
||||
{
|
||||
#ifdef ADNS
|
||||
case ka_TXT:
|
||||
ugh = start_adns_query(key_id
|
||||
, key_id /* same */
|
||||
|
@ -199,6 +205,7 @@ static void key_add_request(const whack_message_t *msg)
|
|||
, key_add_continue
|
||||
, &kc->ac);
|
||||
break;
|
||||
#endif /* ADNS */
|
||||
#ifdef USE_KEYRR
|
||||
case ka_KEY:
|
||||
ugh = start_adns_query(key_id
|
||||
|
@ -437,7 +444,9 @@ void whack_handle(int whackctlfd)
|
|||
plog("listening for IKE messages");
|
||||
listening = TRUE;
|
||||
daily_log_reset();
|
||||
#ifdef ADNS
|
||||
reset_adns_restart_count();
|
||||
#endif
|
||||
set_myFQDN();
|
||||
find_ifaces();
|
||||
load_preshared_secrets(NULL_FD);
|
||||
|
|
|
@ -822,6 +822,7 @@ call_server(void)
|
|||
FD_ZERO(&writefds);
|
||||
FD_SET(ctl_fd, &readfds);
|
||||
|
||||
#ifdef ADNS
|
||||
/* the only write file-descriptor of interest */
|
||||
if (adns_qfd != NULL_FD && unsent_ADNS_queries)
|
||||
{
|
||||
|
@ -836,6 +837,7 @@ call_server(void)
|
|||
maxfd = adns_afd;
|
||||
FD_SET(adns_afd, &readfds);
|
||||
}
|
||||
#endif /* ADNS */
|
||||
|
||||
events_fd = pluto->events->get_event_fd(pluto->events);
|
||||
if (maxfd < events_fd)
|
||||
|
@ -903,6 +905,7 @@ call_server(void)
|
|||
{
|
||||
/* at least one file descriptor is ready */
|
||||
|
||||
#ifdef ADNS
|
||||
if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
|
||||
{
|
||||
passert(ndes > 0);
|
||||
|
@ -921,6 +924,7 @@ call_server(void)
|
|||
passert(GLOBALS_ARE_RESET());
|
||||
ndes--;
|
||||
}
|
||||
#endif /* ADNS*/
|
||||
|
||||
if (FD_ISSET(events_fd, &readfds))
|
||||
{
|
||||
|
|