
* XAUTH: Use incoming XAUTH VID when picking best connection

I have prepared a patch which solves the following issue with Xauth
in Openswan for me.  Pluto may refuse to connect with a road warrior if some
misc connections (with and without Xauth) are configured. The reason is
that pluto does not regard the Xauth policy in main_inI1_outR2 and may just
choose an unsuitable connection for proceeding. In my patch I evaluate the
XAUTH VID and use this information when finding the connection.

Signed-off-by: Paul Wouters <paul@libreswan.org>
Andrey Alexandrenko authored and Jehreg committed Aug 21, 2012
1 parent 706ce34 commit 0fc468c34cb6417fbd0b1835e064037e15706400
@@ -550,6 +550,10 @@ static int validate_end(struct starter_conn *conn_st
if (ugh) ERR_FOUND("bad %sprotoport=%s [%s]", leftright, value, ugh);
}
+ if(end->options_set[KNCF_XAUTHSERVER]) {
+ conn_st->policy |= POLICY_XAUTH;
+ }
+
/*
KSCF_SUBNETWITHIN --- not sure what to do with it.
KSCF_ESPENCKEY --- todo (manual keying)
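Review bot: The added block at the top of the hunk sets POLICY_XAUTH whenever `options_set[KNCF_XAUTHSERVER]` is true, which records that the option appeared in the config, not what it was set to; an explicit `xauthserver=no` would therefore still mark the connection as XAUTH and, via the strict match added to find_host_connection2, steer XAUTH-advertising peers to it. The value array (presumably `end->options[KNCF_XAUTHSERVER]`) should be consulted as well, e.g. `if (end->options_set[KNCF_XAUTHSERVER] && end->options[KNCF_XAUTHSERVER]) {`. The same bit is derived again in pluto's add_connection from the `xauth_server` flags (third hunk), so the two derivations should follow the same rule. validate_end begins and ends outside the hunk.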
@@ -281,7 +281,7 @@ const char *const sa_policy_bit_names[] = {
"GROUP",
"GROUTED",
"UP",
- "dummy1(XAUTH)",
+ "XAUTH",
"MODECFGPULL",
"AGGRESSIVE",
"PERHOST",
@@ -1366,6 +1366,11 @@ add_connection(const struct whack_message *wm)
same_leftca = extract_end(&c->spd.this, &wm->left, "left");
same_rightca = extract_end(&c->spd.that, &wm->right, "right");
+ if (c->spd.this.xauth_server || c->spd.that.xauth_server)
+ {
+ c->policy |= POLICY_XAUTH;
+ }
+
if (same_rightca)
c->spd.that.ca = c->spd.this.ca;
else if (same_leftca)
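Review bot: The new block carries no comment, and since the starter already sets POLICY_XAUTH in validate_end (first hunk) a reader cannot tell which derivation is authoritative or why both exist. It also only adds the bit and never clears it, so a POLICY_XAUTH that arrived in `wm->policy` is kept even when neither end is an XAUTH server; whether that is intended, and whether a connection with only an xauth client configured should carry the bit, is not stated. Suggest `/* XAUTH policy is derived from xauthserver= on either end; find_host_connection uses it to keep XAUTH and non-XAUTH peers apart */` above the `if`. add_connection begins and ends outside the hunk.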
@@ -2425,6 +2430,8 @@ find_host_connection2(const char *func
, c->name));
if(NEVER_NEGOTIATE(c->policy)) continue;
+ if ((policy & POLICY_XAUTH) != (c->policy & POLICY_XAUTH)) continue;
+
if ((c->policy & policy) == policy)
break;
}
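Review bot: The new equality test turns the XAUTH bit of `policy` into a hard filter, so any caller of find_host_connection2 that does not fold the peer's XAUTH VID into `policy` (the fifth hunk does this for main_inI1_outR1 only) will from now on never match a connection carrying POLICY_XAUTH; if the aggressive-mode responder or other callers pass the plain preparsed policy, that is a regression for XAUTH road warriors and is worth checking against every call site. The filter also keys off a peer-supplied vendor ID, so it must only narrow selection and never be read as an authentication result; a one-line comment would make that explicit: `/* XAUTH bit of policy comes from the peer's VID: a hint for choosing between XAUTH and non-XAUTH conns, not an authentication result */`. find_host_connection2 begins and ends outside the hunk.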
@@ -767,6 +767,13 @@ main_inI1_outR1(struct msg_digest *md)
{
pb_stream pre_sa_pbs = sa_pd->pbs;
lset_t policy = preparse_isakmp_sa_body(&pre_sa_pbs);
+ /*
+ * If there is XAUTH VID, copy it to policies.
+ */
+ if (md->quirks.xauth_vid == TRUE)
+ {
+ policy |= POLICY_XAUTH;
+ }
/* See if a wildcarded connection can be found.
* We cannot pick the right connection, so we're making a guess.
* All Road Warrior connections are fair game:
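Review bot: `md->quirks.xauth_vid == TRUE` compares a bool against a macro; `if (md->quirks.xauth_vid)` is the conventional form and does not depend on TRUE's exact value. The block also assumes that this message's vendor ID payloads have already been processed by handle_known_vendorid before this point so that the quirk is set; if that ordering is not guaranteed here, the bit is never observed. The added comment could state where the bit comes from and that it is peer-asserted: `/* The peer advertised the XAUTH VID (set in handle_known_vendorid); use it to steer connection selection towards XAUTH connections. */`. main_inI1_outR1 begins and ends outside the hunk.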
@@ -24,6 +24,7 @@ struct isakmp_quirks {
* xauth set, such as for SSH Sentinel. */
bool modecfg_pull_mode; /* if the client should request his IP */
unsigned short nat_traversal_vid; /**< which NAT-type vendor IDs we got */
+ bool xauth_vid; /**< if the client has XAUTH */
};
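Review bot: The field comment `/**< if the client has XAUTH */` describes a capability, but what the field records is that an XAUTH vendor ID was received in this exchange (set in handle_known_vendorid, merged with `|=` in copy_quirks), which is a peer-asserted hint rather than a verified property. Suggest `/**< peer sent the XAUTH vendor ID (unverified hint, see handle_known_vendorid) */`. The struct begins outside the hunk.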
extern void copy_quirks(struct isakmp_quirks *dq
@@ -1739,6 +1739,7 @@ void copy_quirks(struct isakmp_quirks *dq
dq->xauth_ack_msgid |= sq->xauth_ack_msgid;
dq->modecfg_pull_mode |= sq->modecfg_pull_mode;
dq->nat_traversal_vid |= sq->nat_traversal_vid;
+ dq->xauth_vid |= sq->xauth_vid;
}
void set_state_ike_endpoints(struct state *st
@@ -583,6 +583,7 @@ static void handle_known_vendorid (struct msg_digest *md
break;
case VID_MISC_XAUTH:
+ md->quirks.xauth_vid = TRUE;
vid_usefull=1;
break;
#endif
