pluto: Option added to disable adns.

This basically disables opportunistic encryption.
Tobias Brunner 2011-10-14 14:34:45 +02:00
parent 2b9c3642e4
commit d52c37790e
10 changed files with 87 additions and 9 deletions


@ -161,6 +161,7 @@ ARG_DISBL_SET([load-warning], [disable the charon/pluto plugin load option war
ARG_DISBL_SET([pluto], [disable the IKEv1 keying daemon pluto.])
ARG_DISBL_SET([xauth], [disable xauth plugin.])
ARG_DISBL_SET([threads], [disable the use of threads in pluto. Charon always uses threads.])
ARG_DISBL_SET([adns], [disable the use of adns in pluto (disables opportunistic encryption).])
ARG_DISBL_SET([charon], [disable the IKEv2 keying daemon charon.])
ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).])
ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).])
@ -1001,6 +1002,7 @@ AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)


@ -15,7 +15,6 @@ crypto.c crypto.h \
db_ops.c db_ops.h \
defs.c defs.h \
demux.c demux.h \
dnskey.c dnskey.h \
event_queue.c event_queue.h \
fetch.c fetch.h \
foodgroups.c foodgroups.h \


@ -2,7 +2,11 @@
# painless way. Only the most important options are included,
# further work may be necessary here...
ipsec_PROGRAMS = pluto _pluto_adns
ipsec_PROGRAMS = pluto
if USE_ADNS
ipsec_PROGRAMS += _pluto_adns
endif
pluto_SOURCES = \
ac.c ac.h \
@ -17,7 +21,6 @@ crypto.c crypto.h \
db_ops.c db_ops.h \
defs.c defs.h \
demux.c demux.h \
dnskey.c dnskey.h \
event_queue.c event_queue.h \
fetch.c fetch.h \
foodgroups.c foodgroups.h \
@ -53,7 +56,13 @@ x509.c x509.h \
builder.c builder.h \
rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
_pluto_adns_SOURCES = adns.c adns.h
if USE_ADNS
pluto_SOURCES += \
dnskey.c dnskey.h
_pluto_adns_SOURCES = \
adns.c adns.h
endif
plutomain.o : $(top_builddir)/config.status
@ -84,9 +93,11 @@ $(LIBFREESWANDIR)/libfreeswan.a \
$(LIBHYDRADIR)/libhydra.la \
-lresolv $(PTHREADLIB) $(DLLIB)
if USE_ADNS
_pluto_adns_LDADD = \
$(LIBFREESWANDIR)/libfreeswan.a \
-lresolv $(DLLIB)
endif
dist_man_MANS = pluto.8
@ -126,6 +137,10 @@ if USE_THREADS
AM_CFLAGS += -DTHREADS
endif
if USE_ADNS
AM_CFLAGS += -DADNS
endif
# build optional plugins
########################


@ -12,6 +12,14 @@
* for more details.
*/
#ifndef ADNS
/* dummy struct to make compilers happy */
struct adns_query {
};
#else /* rest of file */
/* The interface in RHL6.x and BIND distribution 8.2.2 are different,
* so we build some of our own :-(
*/
@ -67,3 +75,4 @@ enum helper_exit_status {
HES_BAD_LEN, /* implausible .len field */
HES_BAD_MAGIC, /* .magic field wrong */
};
#endif /* ADNS */
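Review bot: The placeholder `struct adns_query { };` in the new `#ifndef ADNS` branch is a struct with no named members, which ISO C leaves undefined and GCC only accepts as an extension (warned under `-pedantic`); any translation unit that instantiates or takes `sizeof` of it depends on that extension. Giving it one dummy member keeps the intent and makes it portable, e.g. `struct adns_query { int unused; /* placeholder, ADNS support compiled out */ };`. It is not visible from the hunk which headers still embed or point at this type when ADNS is off; presumably dnskey.h does, which is why the stub is needed at all, so that would be worth stating in the comment.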


@ -425,8 +425,9 @@ void delete_connection(connection_t *c, bool relations)
c->requested_ca->destroy_offset(c->requested_ca,
offsetof(identification_t, destroy));
}
#ifdef ADNS
gw_delref(&c->gw_info);
#endif
lock_certs_and_keys("delete_connection");
cert_release(c->spd.this.cert);
scx_release(c->spd.this.sc);
@ -1477,6 +1478,8 @@ connection_t *rw_instantiate(connection_t *c, const ip_address *him,
return d;
}
#ifdef ADNS
connection_t *oppo_instantiate(connection_t *c, const ip_address *him,
identification_t *his_id, struct gw_info *gw,
const ip_address *our_client USED_BY_DEBUG,
@ -1544,6 +1547,8 @@ connection_t *oppo_instantiate(connection_t *c, const ip_address *him,
return d;
}
#endif /* ADNS */
/* priority formatting */
void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
{
@ -1767,6 +1772,8 @@ connection_t *find_connection_for_clients(struct spd_route **srp,
return best;
}
#ifdef ADNS
/* Find and instantiate a connection for an outgoing Opportunistic connection.
* We've already discovered its gateway.
* We look for a the connection such that:
@ -1869,6 +1876,8 @@ connection_t *build_outgoing_opportunistic_connection(struct gw_info *gw,
}
}
#endif /* ADNS */
bool orient(connection_t *c)
{
struct spd_route *sr;
@ -2179,6 +2188,8 @@ void initiate_opportunistic(const ip_address *our_client,
initiate_opportunistic_body(&b, NULL, NULL);
}
#ifdef ADNS
static void continue_oppo(struct adns_continuation *acr, err_t ugh)
{
struct find_oppo_continuation *cr = (void *)acr; /* inherit, damn you! */
@ -2242,6 +2253,8 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
close_any(whackfd);
}
#endif /* ADNS */
#ifdef USE_KEYRR
static err_t check_key_recs(enum myid_state try_state, const connection_t *c,
struct adns_continuation *ac)
@ -2298,6 +2311,8 @@ static err_t check_key_recs(enum myid_state try_state, const connection_t *c,
}
#endif /* USE_KEYRR */
#ifdef ADNS
static err_t check_txt_recs(enum myid_state try_state, const connection_t *c,
struct adns_continuation *ac)
{
@ -2355,6 +2370,8 @@ static err_t check_txt_recs(enum myid_state try_state, const connection_t *c,
return ugh;
}
#endif /* ADNS */
/* note: gateways_from_dns must be NULL iff this is the first call */
static void initiate_opportunistic_body(struct find_oppo_bundle *b,
@ -2431,6 +2448,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
b->whackfd = NULL_FD; /* protect from close */
}
#ifdef ADNS
else
{
/* We are handling an opportunistic situation.
@ -2996,6 +3014,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
cannot_oppo(c, b, ugh);
}
}
#endif /* ADNS */
close_any(b->whackfd);
}
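Review bot: In the last hunk of initiate_opportunistic_body the whole `else` branch that handled the opportunistic case is compiled out under `#ifdef ADNS`, so in a non-ADNS build a request that reaches that point falls straight through to `close_any(b->whackfd)` with no log line and no status reported back to whack, whereas the responder-side path in ipsec_doi.c does log and fail explicitly. A silent no-op here will be hard to diagnose for an operator who configured an opportunistic connection against a build without adns. Suggest an `#else` branch that mirrors the other site, e.g. `#else /* ADNS */` / `else { plog("opportunistic connections not supported because adns is not available"); }` / `#endif /* ADNS */` before the `close_any`. The function begins outside the hunk, so whether an earlier check already rejects such connections cannot be confirmed from here.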


@ -1105,6 +1105,8 @@ bool subnetisnone(const ip_subnet *sn)
return isanyaddr(&base) && subnetishost(sn);
}
#ifdef ADNS
/* BIND enumerated types */
#include <arpa/nameser.h>
@ -1169,6 +1171,8 @@ static const char *const rr_class_name[] = {
enum_names rr_class_names = { C_IN, C_IN, rr_class_name, NULL };
#endif /* ADNS */
/*
* NAT-Traversal defines for nat_traveral type from nat_traversal.h
*


@ -3862,10 +3862,11 @@ main_id_and_auth(struct msg_digest *md
if (r == STF_SUSPEND)
{
err_t ugh = NULL;
#ifdef ADNS
/* initiate/resume asynchronous DNS lookup for key */
struct key_continuation *nkc = malloc_thing(struct key_continuation);
enum key_oppo_step step_done = kc == NULL? kos_null : kc->step;
err_t ugh = NULL;
/* Record that state is used by a suspended md */
passert(st->st_suspended_md == NULL);
@ -3896,7 +3897,9 @@ main_id_and_auth(struct msg_digest *md
default:
bad_case(step_done);
}
#else /* ADNS */
ugh = "adns not supported";
#endif /* ADNS */
if (ugh != NULL)
{
report_key_dns_failure(peer, ugh);
@ -4444,6 +4447,8 @@ stf_status quick_inI1_outR1(struct msg_digest *md)
return quick_inI1_outR1_tail(&b, NULL);
}
#ifdef ADNS
static void
report_verify_failure(struct verify_oppo_bundle *b, err_t ugh)
{
@ -4808,6 +4813,8 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
return next_step;
}
#endif /* ADNS */
static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
struct adns_continuation *ac)
{
@ -4871,6 +4878,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
*/
if (p->policy & POLICY_OPPO)
{
#ifdef ADNS
/* Opportunistic case: delegation must be verified.
* Here be dragons.
*/
@ -4925,6 +4933,11 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
*/
p = oppo_instantiate(p, &c->spd.that.host_addr, c->spd.that.id
, NULL, &our_client, &his_client);
#else /* ADNS */
plog("opportunistic connections not supported because"
" adns is not available");
return STF_INTERNAL_ERROR;
#endif /* ADNS */
}
else
{
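Review bot: The non-ADNS branch added to quick_inI1_outR1_tail returns `STF_INTERNAL_ERROR` for what is a deliberate build-time limitation, which makes this case indistinguishable from a genuine daemon bug to the caller and to anyone reading the logs, while the parallel path in main_id_and_auth reports the same condition as an ordinary lookup failure via `report_key_dns_failure`. Returning pluto's generic failure status (`STF_FAIL`, assuming the caller handles it like the other rejections in this function) would be the consistent choice; the `plog` message could also keep the wording of main_id_and_auth's `"adns not supported"` so both sites are greppable together. The early `return` also skips whatever cleanup the rest of the function does with the bundle `b`; the function body continues beyond the hunk, so please confirm nothing in it (e.g. a whack fd held in `b`) is left open on this path.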


@ -491,11 +491,11 @@ int main(int argc, char **argv)
case 'f': /* --policygroupsdir <policygroups-dir> */
policygroups_dir = optarg;
continue;
#ifdef ADNS
case 'a': /* --adns <pathname> */
pluto_adns_option = optarg;
continue;
#endif
case 'm': /* --pkcs11module <pathname> */
pkcs11_module_path = optarg;
continue;
@ -701,7 +701,9 @@ int main(int argc, char **argv)
init_states();
init_demux();
init_kernel();
#ifdef ADNS
init_adns();
#endif
init_myid();
fetch_initialize();
ac_initialize();
@ -820,7 +822,9 @@ void exit_pluto(int status)
free_ifaces();
ac_finalize(); /* free X.509 attribute certificates */
scx_finalize(); /* finalize and unload PKCS #11 module */
#ifdef ADNS
stop_adns();
#endif
free_md_pool();
free_crypto();
free_myid(); /* free myids */
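Review bot: Compiling out `case 'a'` in the first hunk changes what `--adns <pathname>` does in a non-ADNS build: if the long-option table (outside the hunk) still lists `adns`, getopt will still return `'a'` and the option will now fall into the switch's default handling rather than being rejected with a clear message. Either the table entry should be wrapped in the same `#ifdef ADNS`, or the case should stay and fail explicitly, e.g. `case 'a': /* --adns <pathname> */` followed by a usage error such as `"--adns is not supported in this build (configured without adns)"`. The man page `pluto.8` shipped from the Makefile still documents the option, so a note there about the build dependency would help operators; `pluto_adns_option` itself may also now be an unused global in this configuration.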


@ -132,6 +132,8 @@ static void key_add_merge(struct key_add_common *oc, identification_t *keyid)
}
}
#ifdef ADNS
static void key_add_continue(struct adns_continuation *ac, err_t ugh)
{
struct key_add_continuation *kc = (void *) ac;
@ -159,6 +161,8 @@ static void key_add_continue(struct adns_continuation *ac, err_t ugh)
whack_log_fd = NULL_FD;
}
#endif /* ADNS */
static void key_add_request(const whack_message_t *msg)
{
identification_t *key_id;
@ -189,9 +193,11 @@ static void key_add_request(const whack_message_t *msg)
kc = malloc_thing(struct key_add_continuation);
kc->common = oc;
kc->lookingfor = kaa;
ugh = NULL;
switch (kaa)
{
#ifdef ADNS
case ka_TXT:
ugh = start_adns_query(key_id
, key_id /* same */
@ -199,6 +205,7 @@ static void key_add_request(const whack_message_t *msg)
, key_add_continue
, &kc->ac);
break;
#endif /* ADNS */
#ifdef USE_KEYRR
case ka_KEY:
ugh = start_adns_query(key_id
@ -437,7 +444,9 @@ void whack_handle(int whackctlfd)
plog("listening for IKE messages");
listening = TRUE;
daily_log_reset();
#ifdef ADNS
reset_adns_restart_count();
#endif
set_myFQDN();
find_ifaces();
load_preshared_secrets(NULL_FD);
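Review bot: In key_add_request the new `ugh = NULL;` before the `switch (kaa)` combined with the `ka_TXT` case being compiled out means that, in a non-ADNS build, a TXT key lookup matches no case, leaves `ugh` NULL and continues as if a query had been started, while the continuation `kc` allocated just above (`malloc_thing(struct key_add_continuation)`) is never handed to any lookup and, as far as the hunk shows, never freed. If the code after the switch treats a NULL `ugh` as success (it is outside the hunk), the whack client waiting for key_add_merge may never get an answer. Initialising the variable with a reason instead of NULL makes the compiled-out case self-reporting: `ugh = "adns not supported";` works if every remaining case assigns `ugh` itself, otherwise a `default:` arm under `#ifndef ADNS` that sets the same string and frees `kc` would be needed.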


@ -822,6 +822,7 @@ call_server(void)
FD_ZERO(&writefds);
FD_SET(ctl_fd, &readfds);
#ifdef ADNS
/* the only write file-descriptor of interest */
if (adns_qfd != NULL_FD && unsent_ADNS_queries)
{
@ -836,6 +837,7 @@ call_server(void)
maxfd = adns_afd;
FD_SET(adns_afd, &readfds);
}
#endif /* ADNS */
events_fd = pluto->events->get_event_fd(pluto->events);
if (maxfd < events_fd)
@ -903,6 +905,7 @@ call_server(void)
{
/* at least one file descriptor is ready */
#ifdef ADNS
if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
{
passert(ndes > 0);
@ -921,6 +924,7 @@ call_server(void)
passert(GLOBALS_ARE_RESET());
ndes--;
}
#endif /* ADNS*/
if (FD_ISSET(events_fd, &readfds))
{