From d52c37790e5ee1f1404907a93bcd810c884e9210 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 14 Oct 2011 14:34:45 +0200
Subject: pluto: Option added to disable adns.

This basically disables opportunistic encryption.
---
 configure.in | 2 ++
 src/pluto/Android.mk | 1 -
 src/pluto/Makefile.am | 21 ++++++++++++++++++---
 src/pluto/adns.h | 9 +++++++++
 src/pluto/connections.c | 21 ++++++++++++++++++++-
 src/pluto/constants.c | 4 ++++
 src/pluto/ipsec_doi.c | 17 +++++++++++++++--
 src/pluto/plutomain.c | 8 ++++++--
 src/pluto/rcv_whack.c | 9 +++++++++
 src/pluto/server.c | 4 ++++
 10 files changed, 87 insertions(+), 9 deletions(-)

diff --git a/configure.in b/configure.in
index c8aa68ace..6db827658 100644
--- a/configure.in
+++ b/configure.in
@@ -161,6 +161,7 @@ ARG_DISBL_SET([load-warning], [disable the charon/pluto plugin load option war
 ARG_DISBL_SET([pluto], [disable the IKEv1 keying daemon pluto.])
 ARG_DISBL_SET([xauth], [disable xauth plugin.])
 ARG_DISBL_SET([threads], [disable the use of threads in pluto. Charon always uses threads.])
+ARG_DISBL_SET([adns], [disable the use of adns in pluto (disables opportunistic encryption).])
 ARG_DISBL_SET([charon], [disable the IKEv2 keying daemon charon.])
 ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).])
 ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).])
@@ -1001,6 +1002,7 @@ AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
 AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
 AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
 AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
+AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
diff --git a/src/pluto/Android.mk b/src/pluto/Android.mk
index a6b2fd506..d12d9be1d 100644
--- a/src/pluto/Android.mk
+++ b/src/pluto/Android.mk
@@ -15,7 +15,6 @@ crypto.c crypto.h \
 db_ops.c db_ops.h \
 defs.c defs.h \
 demux.c demux.h \
-dnskey.c dnskey.h \
 event_queue.c event_queue.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 934b11a46..41c4807f5 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -2,7 +2,11 @@
 # painless way. Only the most important options are included,
 # further work may be necessary here...
 
-ipsec_PROGRAMS = pluto _pluto_adns
+ipsec_PROGRAMS = pluto
+
+if USE_ADNS
+ipsec_PROGRAMS += _pluto_adns
+endif
 
 pluto_SOURCES = \
 ac.c ac.h \
@@ -17,7 +21,6 @@ crypto.c crypto.h \
 db_ops.c db_ops.h \
 defs.c defs.h \
 demux.c demux.h \
-dnskey.c dnskey.h \
 event_queue.c event_queue.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
@@ -53,7 +56,13 @@ x509.c x509.h \
 builder.c builder.h \
 rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
 
-_pluto_adns_SOURCES = adns.c adns.h
+if USE_ADNS
+pluto_SOURCES += \
+dnskey.c dnskey.h
+
+_pluto_adns_SOURCES = \
+adns.c adns.h
+endif
 
 plutomain.o : $(top_builddir)/config.status
 
@@ -84,9 +93,11 @@ $(LIBFREESWANDIR)/libfreeswan.a \
 $(LIBHYDRADIR)/libhydra.la \
 -lresolv $(PTHREADLIB) $(DLLIB)
 
+if USE_ADNS
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
+endif
 
 dist_man_MANS = pluto.8
 
@@ -126,6 +137,10 @@ if USE_THREADS
 AM_CFLAGS += -DTHREADS
 endif
 
+if USE_ADNS
+ AM_CFLAGS += -DADNS
+endif
+
 # build optional plugins
 ########################
 
diff --git a/src/pluto/adns.h b/src/pluto/adns.h
index cc45cf418..dfbcbaf16 100644
--- a/src/pluto/adns.h
+++ b/src/pluto/adns.h
@@ -12,6 +12,14 @@
  * for more details.
  */
 
+#ifndef ADNS
+
+/* dummy struct to make compilers happy */
+struct adns_query {
+};
+
+#else /* rest of file */
+
 /* The interface in RHL6.x and BIND distribution 8.2.2 are different,
  * so we build some of our own :-( */
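Review bot: pluto is still linked against libresolv unconditionally through the context line `-lresolv $(PTHREADLIB) $(DLLIB)`, while the only DNS code in the daemon, dnskey.c, is now compiled only under USE_ADNS. If nothing else in pluto calls the resolver, the flag belongs under the same conditional so that a --disable-adns build does not carry a library dependency it never uses; the full pluto_LDADD definition starts before this hunk, so this needs checking against the rest of the file. The new `if USE_ADNS` block around _pluto_adns_LDADD is fine as written.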
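Review bot: The placeholder `struct adns_query { };` in the `#ifndef ADNS` branch is an empty struct, which is not valid ISO C (GCC accepts it as an extension with sizeof 0 and warns under -pedantic); the "make compilers happy" comment suggests it is needed only because some other header embeds or sizes the type. If the type is only ever used through pointers a forward declaration `struct adns_query;` is enough; otherwise give it a real member, e.g. `struct adns_query { int unused; /* placeholder when adns is compiled out */ };`, so the build is portable to stricter compilers. The `#endif` closing the `#else` branch is in a later hunk.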
@@ -67,3 +75,4 @@ enum helper_exit_status { HES_BAD_LEN, /* implausible .len field */ HES_BAD_MAGIC, /* .magic field wrong */ }; +#endif /* ADNS */ diff --git a/src/pluto/connections.c b/src/pluto/connections.c index 2194362d2..27cec40fc 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -425,8 +425,9 @@ void delete_connection(connection_t *c, bool relations) c->requested_ca->destroy_offset(c->requested_ca, offsetof(identification_t, destroy)); } +#ifdef ADNS gw_delref(&c->gw_info); - +#endif lock_certs_and_keys("delete_connection"); cert_release(c->spd.this.cert); scx_release(c->spd.this.sc); @@ -1477,6 +1478,8 @@ connection_t *rw_instantiate(connection_t *c, const ip_address *him, return d; } +#ifdef ADNS + connection_t *oppo_instantiate(connection_t *c, const ip_address *him, identification_t *his_id, struct gw_info *gw, const ip_address *our_client USED_BY_DEBUG, @@ -1544,6 +1547,8 @@ connection_t *oppo_instantiate(connection_t *c, const ip_address *him, return d; } +#endif /* ADNS */ + /* priority formatting */ void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]) { @@ -1767,6 +1772,8 @@ connection_t *find_connection_for_clients(struct spd_route **srp, return best; } +#ifdef ADNS + /* Find and instantiate a connection for an outgoing Opportunistic connection. * We've already discovered its gateway. * We look for a the connection such that: @@ -1869,6 +1876,8 @@ connection_t *build_outgoing_opportunistic_connection(struct gw_info *gw, } } +#endif /* ADNS */ + bool orient(connection_t *c) { struct spd_route *sr; @@ -2179,6 +2188,8 @@ void initiate_opportunistic(const ip_address *our_client, initiate_opportunistic_body(&b, NULL, NULL); } +#ifdef ADNS + static void continue_oppo(struct adns_continuation *acr, err_t ugh) { struct find_oppo_continuation *cr = (void *)acr; /* inherit, damn you! */ 
@@ -2242,6 +2253,8 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh) close_any(whackfd); } +#endif /* ADNS */ + #ifdef USE_KEYRR static err_t check_key_recs(enum myid_state try_state, const connection_t *c, struct adns_continuation *ac) @@ -2298,6 +2311,8 @@ static err_t check_key_recs(enum myid_state try_state, const connection_t *c, } #endif /* USE_KEYRR */ +#ifdef ADNS + static err_t check_txt_recs(enum myid_state try_state, const connection_t *c, struct adns_continuation *ac) { @@ -2355,6 +2370,8 @@ static err_t check_txt_recs(enum myid_state try_state, const connection_t *c, return ugh; } +#endif /* ADNS */ + /* note: gateways_from_dns must be NULL iff this is the first call */ static void initiate_opportunistic_body(struct find_oppo_bundle *b, @@ -2431,6 +2448,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY); b->whackfd = NULL_FD; /* protect from close */ } +#ifdef ADNS else { /* We are handling an opportunistic situation. @@ -2996,6 +3014,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, cannot_oppo(c, b, ugh); } } +#endif /* ADNS */ close_any(b->whackfd); } diff --git a/src/pluto/constants.c b/src/pluto/constants.c index ec7bfaf78..73ec0bc54 100644 --- a/src/pluto/constants.c +++ b/src/pluto/constants.c @@ -1105,6 +1105,8 @@ bool subnetisnone(const ip_subnet *sn) return isanyaddr(&base) && subnetishost(sn); } +#ifdef ADNS + /* BIND enumerated types */ #include @@ -1169,6 +1171,8 @@ static const char *const rr_class_name[] = { enum_names rr_class_names = { C_IN, C_IN, rr_class_name, NULL }; +#endif /* ADNS */ + /* * NAT-Traversal defines for nat_traveral type from nat_traversal.h * diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index c8a347b45..3e7adcc40 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c 
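Review bot: In initiate_opportunistic_body the whole `else` branch is removed when ADNS is undefined, so a request that does not take the first branch now falls straight through to `close_any(b->whackfd)` with no log message and no reply to whoever opened the whack descriptor, unlike quick_inI1_outR1_tail in this same patch which reports "opportunistic connections not supported because adns is not available". Add an `#else` arm that says so, `else { plog("opportunistic connections not supported because adns is not available"); }`, or route it through cannot_oppo() if that helper is still built without ADNS. The `if` condition guarding the first branch and the start of the function are outside this hunk, so which callers can reach the silent path should be confirmed there.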
@@ -3862,10 +3862,11 @@ main_id_and_auth(struct msg_digest *md if (r == STF_SUSPEND) { + err_t ugh = NULL; +#ifdef ADNS /* initiate/resume asynchronous DNS lookup for key */ struct key_continuation *nkc = malloc_thing(struct key_continuation); enum key_oppo_step step_done = kc == NULL? kos_null : kc->step; - err_t ugh = NULL; /* Record that state is used by a suspended md */ passert(st->st_suspended_md == NULL); @@ -3896,7 +3897,9 @@ main_id_and_auth(struct msg_digest *md default: bad_case(step_done); } - +#else /* ADNS */ + ugh = "adns not supported"; +#endif /* ADNS */ if (ugh != NULL) { report_key_dns_failure(peer, ugh); @@ -4444,6 +4447,8 @@ stf_status quick_inI1_outR1(struct msg_digest *md) return quick_inI1_outR1_tail(&b, NULL); } +#ifdef ADNS + static void report_verify_failure(struct verify_oppo_bundle *b, err_t ugh) { @@ -4808,6 +4813,8 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer( return next_step; } +#endif /* ADNS */ + static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, struct adns_continuation *ac) { @@ -4871,6 +4878,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, */ if (p->policy & POLICY_OPPO) { +#ifdef ADNS /* Opportunistic case: delegation must be verified. * Here be dragons. */ @@ -4925,6 +4933,11 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, */ p = oppo_instantiate(p, &c->spd.that.host_addr, c->spd.that.id , NULL, &our_client, &his_client); +#else /* ADNS */ + plog("opportunistic connections not supported because" + " adns is not available"); + return STF_INTERNAL_ERROR; +#endif /* ADNS */ } else { diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index af7720274..4eac5a22a 100644 --- a/src/pluto/plutomain.c +++ b/src/pluto/plutomain.c 
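Review bot: In quick_inI1_outR1_tail the new `#else` arm reports the missing adns support only once a peer has already sent Quick Mode against a connection carrying POLICY_OPPO, and it does so with `STF_INTERNAL_ERROR`, which elsewhere presumably denotes a daemon fault rather than an unsupported configuration; a status such as STF_FAIL would describe the situation better, and the rejection should ideally happen when the connection is added over whack so the operator sees it at configuration time instead of once per negotiation attempt. The two new messages also differ ("adns not supported" in main_id_and_auth versus "opportunistic connections not supported because adns is not available" here); using one wording makes log searches easier. Both enclosing functions begin and end outside these hunks.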
@@ -491,11 +491,11 @@ int main(int argc, char **argv) case 'f': /* --policygroupsdir */ policygroups_dir = optarg; continue; - +#ifdef ADNS case 'a': /* --adns */ pluto_adns_option = optarg; continue; - +#endif case 'm': /* --pkcs11module */ pkcs11_module_path = optarg; continue; @@ -701,7 +701,9 @@ int main(int argc, char **argv) init_states(); init_demux(); init_kernel(); +#ifdef ADNS init_adns(); +#endif init_myid(); fetch_initialize(); ac_initialize(); @@ -820,7 +822,9 @@ void exit_pluto(int status) free_ifaces(); ac_finalize(); /* free X.509 attribute certificates */ scx_finalize(); /* finalize and unload PKCS #11 module */ +#ifdef ADNS stop_adns(); +#endif free_md_pool(); free_crypto(); free_myid(); /* free myids */ diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c index 8db8a965e..94b07bd75 100644 --- a/src/pluto/rcv_whack.c +++ b/src/pluto/rcv_whack.c @@ -132,6 +132,8 @@ static void key_add_merge(struct key_add_common *oc, identification_t *keyid) } } +#ifdef ADNS + static void key_add_continue(struct adns_continuation *ac, err_t ugh) { struct key_add_continuation *kc = (void *) ac; @@ -159,6 +161,8 @@ static void key_add_continue(struct adns_continuation *ac, err_t ugh) whack_log_fd = NULL_FD; } +#endif /* ADNS */ + static void key_add_request(const whack_message_t *msg) { identification_t *key_id; @@ -189,9 +193,11 @@ static void key_add_request(const whack_message_t *msg) kc = malloc_thing(struct key_add_continuation); kc->common = oc; kc->lookingfor = kaa; + ugh = NULL; switch (kaa) { +#ifdef ADNS case ka_TXT: ugh = start_adns_query(key_id , key_id /* same */ @@ -199,6 +205,7 @@ static void key_add_request(const whack_message_t *msg) , key_add_continue , &kc->ac); break; +#endif /* ADNS */ #ifdef USE_KEYRR case ka_KEY: ugh = start_adns_query(key_id 
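Review bot: Only the `case 'a': /* --adns */` arm is compiled out in main(), so if the getopt long-option table and the usage text (both outside this hunk) still list --adns, passing it on an adns-less build will return 'a' and fall into whatever the switch's default does instead of a clear diagnostic. Either guard the table entry and usage line with the same `#ifdef ADNS`, or keep the arm and fail explicitly with `case 'a': usage("--adns is not supported in this build");` (or whatever the file's error helper is). main() starts and ends outside this hunk.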
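Review bot: In key_add_request the `case ka_TXT:` arm disappears when ADNS is undefined, and the new `ugh = NULL;` before the switch means that a ka_TXT request on such a build leaves ugh NULL without any query having been started, so the freshly allocated `kc` and its `oc` reference are never released and the whack caller gets no error; if the switch instead has a `default: bad_case(kaa)` (not visible here) the request would abort the daemon. Keep the arm on the non-ADNS side so the request fails cleanly and consistently with ipsec_doi.c: `#else /* ADNS */` followed by `case ka_TXT: ugh = "adns not supported"; break;`. The rest of the switch and the ugh handling after it are outside the hunk.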
@@ -437,7 +444,9 @@ void whack_handle(int whackctlfd)
 plog("listening for IKE messages");
 listening = TRUE;
 daily_log_reset();
+#ifdef ADNS
 reset_adns_restart_count();
+#endif
 set_myFQDN();
 find_ifaces();
 load_preshared_secrets(NULL_FD);
diff --git a/src/pluto/server.c b/src/pluto/server.c
index e290e36e7..7a0b1618c 100644
--- a/src/pluto/server.c
+++ b/src/pluto/server.c
@@ -822,6 +822,7 @@ call_server(void)
 FD_ZERO(&writefds);
 FD_SET(ctl_fd, &readfds);
 
+#ifdef ADNS
 /* the only write file-descriptor of interest */
 if (adns_qfd != NULL_FD && unsent_ADNS_queries)
 {
@@ -836,6 +837,7 @@ call_server(void)
 maxfd = adns_afd;
 FD_SET(adns_afd, &readfds);
 }
+#endif /* ADNS */
 
 events_fd = pluto->events->get_event_fd(pluto->events);
 if (maxfd < events_fd)
@@ -903,6 +905,7 @@ call_server(void)
 {
 /* at least one file descriptor is ready */
 
+#ifdef ADNS
 if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
 {
 passert(ndes > 0);
@@ -921,6 +924,7 @@ call_server(void)
 passert(GLOBALS_ARE_RESET());
 ndes--;
 }
+#endif /* ADNS*/
 
 if (FD_ISSET(events_fd, &readfds))
 {
-- 
cgit v1.2.3
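Review bot: The closing marker in the last server.c hunk is written `#endif /* ADNS*/` while every other guard in this patch uses `#endif /* ADNS */`; make it `#endif /* ADNS */` so a grep for the closing comment finds all of them. The guarded blocks in call_server() otherwise read correctly: both the select() setup and the ready-descriptor handling for adns_qfd/adns_afd are removed together, so no descriptor is registered without being serviced. call_server() begins and ends outside these hunks.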