* XAUTH: Use incoming XAUTH VID when picking best connection

I have prepared a patch witch solves for me following issue with Xauth in Openswan. Pluto may refuse to connect with a road warrior If some misc connections (with and without Xauth) are configured. The reason is that pluto do not regard Xauth policy in main_inI1_outR2 and may just choose a not suitable connection for proceeding. In my patch I evaluate XAUTH VID and use this information by connection finding. Signed-off-by: Paul Wouters <paul@libreswan.org>
xelerance · Jan 27, 2014 · 0fc468c · 0fc468c
1 parent 706ce34
commit 0fc468c
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 1 deletion.
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
@@ -550,6 +550,10 @@ static int validate_end(struct starter_conn *conn_st
 	if (ugh) ERR_FOUND("bad %sprotoport=%s [%s]", leftright, value, ugh);
     }
 
+    if(end->options_set[KNCF_XAUTHSERVER]) {
+	conn_st->policy |= POLICY_XAUTH;
+    }
+
     /*
     KSCF_SUBNETWITHIN    --- not sure what to do with it.
     KSCF_ESPENCKEY       --- todo (manual keying)

diff --git a/lib/libpluto/pluto_constants.c b/lib/libpluto/pluto_constants.c
@@ -281,7 +281,7 @@ const char *const sa_policy_bit_names[] = {
 	"GROUP",
 	"GROUTED",
 	"UP",
-	"dummy1(XAUTH)",
+	"XAUTH",
 	"MODECFGPULL",
 	"AGGRESSIVE",
 	"PERHOST",

diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
@@ -1366,6 +1366,11 @@ add_connection(const struct whack_message *wm)
 	same_leftca  = extract_end(&c->spd.this, &wm->left, "left");
 	same_rightca = extract_end(&c->spd.that, &wm->right, "right");
 
+	if (c->spd.this.xauth_server || c->spd.that.xauth_server)
+	{
+	    c->policy |= POLICY_XAUTH;
+	}
+
 	if (same_rightca)
 	    c->spd.that.ca = c->spd.this.ca;
 	else if (same_leftca)
@@ -2425,6 +2430,8 @@ find_host_connection2(const char *func
 			, c->name));
 	    if(NEVER_NEGOTIATE(c->policy)) continue;
 
+	    if ((policy & POLICY_XAUTH) != (c->policy & POLICY_XAUTH)) continue;
+
 	    if ((c->policy & policy) == policy)
 		break;
 	}

diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
@@ -767,6 +767,13 @@ main_inI1_outR1(struct msg_digest *md)
     {
 	pb_stream pre_sa_pbs = sa_pd->pbs;
 	lset_t policy = preparse_isakmp_sa_body(&pre_sa_pbs);
+	/*
+	 * If there is XAUTH VID, copy it to policies.
+	 */
+	if (md->quirks.xauth_vid == TRUE)
+	{
+	  policy |= POLICY_XAUTH;
+	}
 	/* See if a wildcarded connection can be found.
 	 * We cannot pick the right connection, so we're making a guess.
 	 * All Road Warrior connections are fair game:

diff --git a/programs/pluto/quirks.h b/programs/pluto/quirks.h
@@ -24,6 +24,7 @@ struct isakmp_quirks {
 				 * xauth set, such as for SSH Sentinel. */
   bool modecfg_pull_mode;       /* if the client should request his IP */
   unsigned short nat_traversal_vid;  /**< which NAT-type vendor IDs we got */
+  bool xauth_vid;               /**< if the client has XAUTH */
 };
 
 extern void copy_quirks(struct isakmp_quirks *dq

diff --git a/programs/pluto/state.c b/programs/pluto/state.c
@@ -1739,6 +1739,7 @@ void copy_quirks(struct isakmp_quirks *dq
     dq->xauth_ack_msgid   |= sq->xauth_ack_msgid;
     dq->modecfg_pull_mode |= sq->modecfg_pull_mode;
     dq->nat_traversal_vid |= sq->nat_traversal_vid;
+    dq->xauth_vid |= sq->xauth_vid;
 }
 
 void set_state_ike_endpoints(struct state *st

diff --git a/programs/pluto/vendor.c b/programs/pluto/vendor.c
@@ -583,6 +583,7 @@ static void handle_known_vendorid (struct msg_digest *md
 	  break;
 
 	case VID_MISC_XAUTH:
+	    md->quirks.xauth_vid = TRUE;
 	    vid_usefull=1;
 	    break;
 #endif