Red Hat Bugzilla – Attachment 615286 Details for
Bug 815127
Changes to Openswan to support PAM authentication
[patch]
Openswan 2.6.38 - Patch to have runtime selectable VPN clients authentications
openswan-2.6.38.diff (text/plain), 20.64 KB, created by
Philippe Vouters
on 2012-09-21 06:03:31 UTC
Description:
Openswan 2.6.38 - Patch to have runtime selectable VPN clients authentications
Filename:
MIME Type:
Creator:
Philippe Vouters
Created:
2012-09-21 06:03:31 UTC
Size:
20.64 KB
>diff -Naur openswan-2.6.38/Makefile.inc ../openswan-2.6.38/Makefile.inc
>--- openswan-2.6.38/Makefile.inc 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/Makefile.inc 2012-09-20 23:17:23.000000000 +0200
>@@ -47,6 +47,9 @@
>
> ### install pathnames
>
>+# Determine OS for eventual PAM support.
>+OS=$(shell uname -s)
>+
> # DESTDIR can be used to supply a prefix to all install targets.
> # (Note that "final" pathnames, signifying where files will eventually
> # reside rather than where install puts them, are exempt from this.)
>@@ -356,12 +359,12 @@
> # do additional configuration - but it is often needed for Cisco interop
> USE_XAUTH?=true
>
>-# When doing XAUTH, include PAM support as well, requires HAVE_THREADS be
>+# When doing XAUTH, include PAM support as well.
> # true as well
>-USE_XAUTHPAM?=false
>+#USE_XAUTHPAM?=false
>
>-ifeq ($(USE_XAUTHPAM),true)
>-HAVE_THREADS=true
>+ifeq ($(OS),Linux)
>+USE_XAUTHPAM=true
> endif
>
> # Support for integrity check for binaries (requires USE_LIBNSS and fipscheck-devel)
>diff -Naur openswan-2.6.38/contrib/labeled-ipsec/selinux.patch ../openswan-2.6.38/contrib/labeled-ipsec/selinux.patch
>--- openswan-2.6.38/contrib/labeled-ipsec/selinux.patch 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/contrib/labeled-ipsec/selinux.patch 2012-09-15 23:51:02.000000000 +0200
>@@ -2434,7 +2434,7 @@
> init_id();
> + init_avc();
>
>- #ifdef HAVE_THREADS
>+ #if 0
> init_fetch();
> --- openswan-2.4.9.orig/programs/pluto/security.c 1969-12-31 18:00:00.000000000 -0600
> +++ openswan-2.4.9/programs/pluto/security.c 2007-10-30 08:40:08.000000000 -0500
>diff -Naur openswan-2.6.38/contrib/pam.d/pluto ../openswan-2.6.38/contrib/pam.d/pluto
>--- openswan-2.6.38/contrib/pam.d/pluto 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/contrib/pam.d/pluto 2012-09-14 19:33:01.000000000 +0200
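Review bot: In the second Makefile.inc hunk, `USE_XAUTHPAM=true` inside `ifeq ($(OS),Linux)` is a plain assignment and the `USE_XAUTHPAM?=false` default above it is now commented out, so on Linux the value can no longer be turned off from the environment or an earlier include, and on other systems the variable is left undefined. To keep PAM on by default for Linux while preserving the override, use `USE_XAUTHPAM?=true` inside the `ifeq` and move `USE_XAUTHPAM?=false` into an `else` branch. The leftover comment line `# true as well` no longer forms a sentence once the HAVE_THREADS clause is removed and should be dropped with it.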
>@@ -1,8 +1,15 @@
>-auth required /lib/security/pam_securetty.so
>-auth required /lib/security/pam_stack.so service=system-auth
>-auth required /lib/security/pam_nologin.so
>-auth required /lib/security/pam_env.so debug
>-account required /lib/security/pam_stack.so service=system-auth
>-password required /lib/security/pam_stack.so service=system-auth
>-session required /lib/security/pam_stack.so service=system-auth
>-
>+#auth required /lib/security/pam_securetty.so
>+#auth required /lib/security/pam_stack.so service=system-auth
>+#auth required /lib/security/pam_nologin.so
>+#auth required /lib/security/pam_env.so debug
>+#account required /lib/security/pam_stack.so service=system-auth
>+#password required /lib/security/pam_stack.so service=system-auth
>+#session required /lib/security/pam_stack.so service=system-auth
>+#%PAM-1.0
>+auth include system-auth
>+account required pam_nologin.so
>+account include system-auth
>+password include system-auth
>+session optional pam_keyinit.so force revoke
>+session include system-auth
>+session required pam_loginuid.so
>diff -Naur openswan-2.6.38/include/ipsecconf/keywords.h ../openswan-2.6.38/include/ipsecconf/keywords.h
>--- openswan-2.6.38/include/ipsecconf/keywords.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/include/ipsecconf/keywords.h 2012-09-19 22:18:45.000000000 +0200
>@@ -113,6 +113,7 @@
> KBF_SAREFTRACK, /* saref tracking paramter for _updown */
> KBF_WARNIGNORE, /* to ignore obsoleted keywords */
> KBF_SECCTX, /*security context attribute value for labeled ipsec*/
>+ KBF_AUTHENTICATION,
> KBF_MAX
> };
>
>diff -Naur openswan-2.6.38/include/pluto_constants.h ../openswan-2.6.38/include/pluto_constants.h
>--- openswan-2.6.38/include/pluto_constants.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/include/pluto_constants.h 2012-09-20 19:17:57.000000000 +0200
>@@ -49,6 +49,11 @@
> CISCO = 1,
> };
>
>+enum keyword_authentication {
>+ XAUTH_MD5 = 0,
>+ XAUTH_PAM = 1,
>+};
>+
> enum keyword_sha2_truncbug {
> SHA2_TRUNCBUG_NO = 0,
> SHA2_TRUNCBUG_YES = 1,
>diff -Naur openswan-2.6.38/include/secrets.h ../openswan-2.6.38/include/secrets.h
>--- openswan-2.6.38/include/secrets.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/include/secrets.h 2012-09-15 23:51:03.000000000 +0200
>@@ -179,7 +179,7 @@
> , const struct id *his_id
> , bool asym);
>
>-#ifdef HAVE_THREADS
>+#if 0
> extern void lock_certs_and_keys(const char *who);
> extern void unlock_certs_and_keys(const char *who);
> #else
>diff -Naur openswan-2.6.38/include/whack.h ../openswan-2.6.38/include/whack.h
>--- openswan-2.6.38/include/whack.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/include/whack.h 2012-09-20 20:53:07.000000000 +0200
>@@ -130,6 +130,9 @@
> /*Cisco interop: remote peer type*/
> enum keyword_remotepeertype remotepeertype;
>
>+ /* Authentication can be MD5 (default) or PAM */
>+ enum keyword_authentication authentication;
>+
> /* Force the use of NAT-T on a connection */
> bool forceencaps;
>
>diff -Naur openswan-2.6.38/include/x509.h ../openswan-2.6.38/include/x509.h
>--- openswan-2.6.38/include/x509.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/include/x509.h 2012-09-15 23:51:03.000000000 +0200
>@@ -213,7 +213,7 @@
> extern x509cert_t *x509_get_authcerts_chain(void);
>
>
>-#ifdef HAVE_THREADS
>+#if 0
> extern void lock_crl_list(const char *who);
> extern void unlock_crl_list(const char *who);
> extern void lock_cacert_list(const char *who);
>diff -Naur openswan-2.6.38/lib/libipsecconf/confread.c ../openswan-2.6.38/lib/libipsecconf/confread.c
>--- openswan-2.6.38/lib/libipsecconf/confread.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/lib/libipsecconf/confread.c 2012-09-19 23:37:07.000000000 +0200
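Review bot: Replacing `#ifdef HAVE_THREADS` with `#if 0` in the secrets.h hunk makes the guarded code unreachable for every build, not only for builds that want PAM without threads. The same substitution recurs in x509.h, x509chain.c (`check_crls`), fetch.c, ocsp.c, plutomain.c (`init_fetch`, `free_crl_fetch`), rcv_whack.c, x509.c (`add_crl_fetch_request`, `add_distribution_points`) and xauth.c. As far as these hunks show, fetching CRLs from distribution points and the OCSP stale-status refresh are compiled out, so revocation data would be limited to what is already loaded. If the aim is only to stop XAUTH/PAM from forcing threads on, the Makefile.inc hunk that drops `HAVE_THREADS=true` already achieves that; keep `#ifdef HAVE_THREADS` in these files so deployments that rely on dynamic CRL/OCSP updates are not affected. The guarded function bodies lie outside the hunks, so the exact extent should be confirmed against the full files.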
>@@ -83,6 +83,9 @@
> cfg->conn_default.options[KBF_NMCONFIGURED] = NM_NO;
> #endif
>
>+ /* default authentication policy is MD5 */
>+ cfg->conn_default.options[KBF_AUTHENTICATION] = XAUTH_MD5;
>+
> #ifdef HAVE_LABELED_IPSEC
> cfg->conn_default.options[KBF_LOOPBACK] = LB_NO;
> cfg->conn_default.options[KBF_LABELED_IPSEC] = LI_NO;
>@@ -116,7 +119,6 @@
> cfg->conn_default.left.key_from_DNS_on_demand = TRUE;
> cfg->conn_default.right.key_from_DNS_on_demand = TRUE;
>
>-
> cfg->conn_default.options[KBF_AUTO] = STARTUP_NO;
> cfg->conn_default.state = STATE_LOADED;
>
>diff -Naur openswan-2.6.38/lib/libipsecconf/keywords.c ../openswan-2.6.38/lib/libipsecconf/keywords.c
>--- openswan-2.6.38/lib/libipsecconf/keywords.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/lib/libipsecconf/keywords.c 2012-09-19 23:34:14.000000000 +0200
>@@ -220,6 +220,17 @@
> { kw_nm_configured_list, sizeof(kw_nm_configured_list)/sizeof(struct keyword_enum_value)};
> #endif
>
>+/*
>+ * Values for authentication={md5,pam}
>+ */
>+struct keyword_enum_value kw_authentication_list[]={
>+ { "md5", XAUTH_MD5 },
>+ { "pam", XAUTH_PAM },
>+};
>+
>+struct keyword_enum_values kw_authentication=
>+ { kw_authentication_list, sizeof(kw_authentication_list)/sizeof(struct keyword_enum_value)};
>+
> #ifdef HAVE_LABELED_IPSEC
> struct keyword_enum_value kw_loopback_list[]={
> { "yes", LB_YES },
>@@ -425,6 +436,7 @@
> {"nm_configured", kv_conn|kv_auto, kt_enum, KBF_NMCONFIGURED, &kw_nm_configured},
> #endif
>
>+ {"authentication", kv_conn|kv_auto, kt_enum, KBF_AUTHENTICATION, &kw_authentication},
> #ifdef NAT_TRAVERSAL
> {"forceencaps", kv_conn|kv_auto, kt_bool, KBF_FORCEENCAP, NOT_ENUM},
> #endif
>diff -Naur openswan-2.6.38/lib/libipsecconf/starterwhack.c ../openswan-2.6.38/lib/libipsecconf/starterwhack.c
>--- openswan-2.6.38/lib/libipsecconf/starterwhack.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/lib/libipsecconf/starterwhack.c 2012-09-20 19:44:09.000000000 +0200
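Review bot: The comment `/* default authentication policy is MD5 */` in the first confread.c hunk understates a behaviour change. Going by the lines removed from `do_authentication` in xauth.c, a build with XAUTH_USEPAM previously always authenticated through PAM, whereas after this patch any conn that does not set `authentication=pam` is checked against the MD5 password file. An upgraded PAM gateway would therefore change credential store without any configuration change. I would expand the comment to something like `/* default is the MD5 passwd file; conns that relied on a PAM-only build must now set authentication=pam */` and describe the new keyword in the ipsec.conf documentation, which is not part of the visible diff.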
>@@ -530,6 +530,10 @@
> msg.remotepeertype=conn->options[KBF_REMOTEPEERTYPE];
> }
>
>+ if(conn->options_set[KBF_AUTHENTICATION]) {
>+ msg.authentication=conn->options[KBF_AUTHENTICATION];
>+ }
>+
> if(conn->options_set[KBF_SHA2_TRUNCBUG]) {
> msg.sha2_truncbug=conn->options[KBF_SHA2_TRUNCBUG];
> }
>@@ -541,7 +545,6 @@
> }
> #endif
>
>-
> #ifdef HAVE_LABELED_IPSEC
> /*Labeled ipsec support*/
> if(conn->options_set[KBF_LOOPBACK]) {
>@@ -555,6 +558,7 @@
> msg.policy_label = conn->policy_label;
> #endif
>
>+
> set_whack_end(cfg, "left", &msg.left, &conn->left);
> set_whack_end(cfg, "right", &msg.right, &conn->right);
>
>diff -Naur openswan-2.6.38/lib/libopenswan/x509chain.c ../openswan-2.6.38/lib/libopenswan/x509chain.c
>--- openswan-2.6.38/lib/libopenswan/x509chain.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/lib/libopenswan/x509chain.c 2012-09-15 23:51:03.000000000 +0200
>@@ -349,7 +349,7 @@
> void
> check_crls(void)
> {
>-#ifdef HAVE_THREADS
>+#if 0
> x509crl_t *crl;
> time_t current_time = time(NULL);
>
>diff -Naur openswan-2.6.38/lib/libwhack/whacklib.c ../openswan-2.6.38/lib/libwhack/whacklib.c
>--- openswan-2.6.38/lib/libwhack/whacklib.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/lib/libwhack/whacklib.c 2012-09-20 21:01:43.000000000 +0200
>@@ -48,9 +48,9 @@
> * @return bool True if operation was successful
> */
> static bool
>-pack_str(struct whackpacker *wp, char **p)
>+pack_str(struct whackpacker *wp, char **p)
> {
>- const char *s = *p == NULL? "" : *p; /* note: NULL becomes ""! */
>+ const char *s = (*p == NULL? "" : *p); /* note: NULL becomes ""! */
> size_t len = strlen(s) + 1;
>
> if (wp->str_roof - wp->str_next < (ptrdiff_t)len)
>diff -Naur openswan-2.6.38/linux/include/openswan.h ../openswan-2.6.38/linux/include/openswan.h
>--- openswan-2.6.38/linux/include/openswan.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/linux/include/openswan.h 2012-09-19 23:00:59.000000000 +0200
>@@ -562,7 +562,6 @@
> KDF_NATT = 13,
> };
>
>-
> /*
> * Debugging levels for pfkey_lib_debug
> */
>diff -Naur openswan-2.6.38/programs/pluto/connections.c ../openswan-2.6.38/programs/pluto/connections.c
>--- openswan-2.6.38/programs/pluto/connections.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/connections.c 2012-09-20 17:38:34.000000000 +0200
>@@ -946,7 +946,6 @@
> dst->host_nexthop = src->host_nexthop;
> dst->host_srcip = src->host_srcip;
> dst->client = src->client;
>-
> #ifdef HAVE_SIN_LEN
> /* XXX need to fix this for v6 */
> dst->client.addr.u.v4.sin_len = sizeof(struct sockaddr_in);
>@@ -1332,6 +1331,9 @@
> /* Cisco interop: remote peer type */
> c->remotepeertype=wm->remotepeertype;
>
>+ /* XAUTH pam or md5 */
>+ c->authentication=wm->authentication;
>+
> c->sha2_truncbug=wm->sha2_truncbug;
>
> /* Network Manager support */
>diff -Naur openswan-2.6.38/programs/pluto/connections.h ../openswan-2.6.38/programs/pluto/connections.h
>--- openswan-2.6.38/programs/pluto/connections.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/connections.h 2012-09-20 19:16:27.000000000 +0200
>@@ -200,6 +200,8 @@
> /*Cisco interop: remote peer type*/
> enum keyword_remotepeertype remotepeertype;
>
>+ enum keyword_authentication authentication;
>+
> enum keyword_sha2_truncbug sha2_truncbug;
>
> /*Network Manager support*/
>diff -Naur openswan-2.6.38/programs/pluto/fetch.c ../openswan-2.6.38/programs/pluto/fetch.c
>--- openswan-2.6.38/programs/pluto/fetch.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/fetch.c 2012-09-15 23:51:03.000000000 +0200
>@@ -244,7 +244,7 @@
> DBG(DBG_CONTROLMORE,
> DBG_log("fetch thread wake call by '%s'", who)
> )
>-#ifdef HAVE_THREADS
>+#if 0
> pthread_mutex_lock(&fetch_wake_mutex);
> pthread_cond_signal(&fetch_wake_cond);
> pthread_mutex_unlock(&fetch_wake_mutex);
>@@ -719,7 +719,7 @@
> DBG_log("fetch thread started")
> )
>
>-#ifdef HAVE_THREADS
>+#if 0
> pthread_mutex_lock(&fetch_wake_mutex);
> #endif
> while(1)
>diff -Naur openswan-2.6.38/programs/pluto/ocsp.c ../openswan-2.6.38/programs/pluto/ocsp.c
>--- openswan-2.6.38/programs/pluto/ocsp.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/ocsp.c 2012-09-15 23:51:04.000000000 +0200
>@@ -430,7 +430,7 @@
> status = get_ocsp_status(&location, cert->serialNumber, &nextUpdate);
> unlock_ocsp_cache("verify_by_ocsp");
>
>-#ifdef HAVE_THREADS
>+#if 0
> if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
> {
> openswan_log("ocsp status is stale or not in cache");
>@@ -487,7 +487,7 @@
> bool first = TRUE;
> #endif
> ocsp_certinfo_t *certinfo = location->certinfo;
>-#ifdef HAVE_THREADS
>+#if 0
> time_t time_left = certinfo->nextUpdate - time(NULL);
> #endif
>
>@@ -509,7 +509,7 @@
> }
> first = FALSE;
> } );
>-#ifdef HAVE_THREADS
>+#if 0
> DBG(DBG_CONTROL,
> char buf[BUF_LEN];
> datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len
>@@ -518,7 +518,7 @@
> , (unsigned long)time_left));
> #endif
>
>-#ifdef HAVE_THREADS
>+#if 0
> if (time_left < 2*crl_check_interval)
> add_ocsp_fetch_request(location, certinfo->serialNumber);
> #endif
>diff -Naur openswan-2.6.38/programs/pluto/plutomain.c ../openswan-2.6.38/programs/pluto/plutomain.c
>--- openswan-2.6.38/programs/pluto/plutomain.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/plutomain.c 2012-09-15 23:51:04.000000000 +0200
>@@ -1073,7 +1073,7 @@
> init_tpm();
> #endif
>
>-#ifdef HAVE_THREADS
>+#if 0
> init_fetch();
> #endif
>
>@@ -1128,7 +1128,7 @@
> free_tpm();
> #endif
>
>-#ifdef HAVE_THREADS
>+#if 0
> free_crl_fetch(); /* free chain of crl fetch requests */
> #endif
> #ifdef HAVE_OCSP
>diff -Naur openswan-2.6.38/programs/pluto/rcv_whack.c ../openswan-2.6.38/programs/pluto/rcv_whack.c
>--- openswan-2.6.38/programs/pluto/rcv_whack.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/rcv_whack.c 2012-09-15 23:51:04.000000000 +0200
>@@ -542,7 +542,7 @@
> if (msg.whack_list & LIST_CRLS)
> {
> list_crls(msg.whack_utc, strict_crl_policy);
>-#ifdef HAVE_THREADS
>+#if 0
> list_crl_fetch_requests(msg.whack_utc);
> #endif
> }
>diff -Naur openswan-2.6.38/programs/pluto/whack.c ../openswan-2.6.38/programs/pluto/whack.c
>--- openswan-2.6.38/programs/pluto/whack.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/whack.c 2012-09-20 18:58:12.000000000 +0200
>@@ -128,6 +128,8 @@
> " \\\n "
> "[--nm_configured]"
> " \\\n "
>+ "[--authentication <md5 or pam>]"
>+ " \\\n "
> " [--dontrekey]"
> " [--aggrmode]"
> " [--forceencaps]"
>@@ -496,6 +498,7 @@
> CD_IKE,
> CD_PFSGROUP,
> CD_REMOTEPEERTYPE,
>+ CD_AUTHENTICATION,
> CD_SHA2_TRUNCBUG,
> CD_NMCONFIGURED,
> CD_LOOPBACK,
>@@ -722,6 +725,7 @@
> { "pfsgroup", required_argument, NULL, CD_PFSGROUP + OO },
> { "esp", required_argument, NULL, CD_ESP + OO },
> { "remote_peer_type", required_argument, NULL, CD_REMOTEPEERTYPE + OO},
>+ { "authentication", required_argument, NULL, CD_AUTHENTICATION + OO},
> #ifdef HAVE_NM
> { "nm_configured", no_argument, NULL, CD_NMCONFIGURED + OO},
> #endif
>@@ -942,6 +946,8 @@
>
> msg.remotepeertype = NON_CISCO;
>
>+ msg.authentication = XAUTH_MD5;
>+
> msg.sha2_truncbug = SHA2_TRUNCBUG_NO;
>
> /*Network Manager support*/
>@@ -1569,7 +1575,14 @@
> msg.remotepeertype = NON_CISCO;
> }
> continue;
>-
>+ case CD_AUTHENTICATION: /* --authentication <md5 or pam>*/
>+ if ( strcmp(optarg, "pam" ) == 0) {
>+ msg.authentication = XAUTH_PAM;
>+ }
>+ else {
>+ msg.authentication = XAUTH_MD5;
>+ }
>+ continue;
> case CD_SHA2_TRUNCBUG: /* --sha2_truncbug */
> if ( strcmp(optarg, "yes" ) == 0) {
> msg.sha2_truncbug = SHA2_TRUNCBUG_YES;
>@@ -1953,6 +1966,11 @@
> msg.remotepeertype = NON_CISCO; /*NON_CISCO=0*/
> }
>
>+ if (msg.authentication != XAUTH_MD5 && msg.authentication != XAUTH_PAM) {
>+ diag("authentication can only be \"XAUTH_MD5\" or \"XAUTH_PAM\" - defaulting to md5 authentication");
>+ msg.authentication = XAUTH_MD5;
>+ }
>+
> /* pack strings for inclusion in message */
> wp.msg = &msg;
>
>diff -Naur openswan-2.6.38/programs/pluto/x509.c ../openswan-2.6.38/programs/pluto/x509.c
>--- openswan-2.6.38/programs/pluto/x509.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/x509.c 2012-09-15 23:51:04.000000000 +0200
>@@ -373,7 +373,7 @@
> {
> if (crl->thisUpdate > oldcrl->thisUpdate)
> {
>-#ifdef HAVE_THREADS
>+#if 0
> /* keep any known CRL distribution points */
> add_distribution_points(oldcrl->distributionPoints
> , &crl->distributionPoints);
>@@ -492,7 +492,7 @@
> openswan_log("no crl from issuer \"%s\" found (strict=%s)", ibuf
> , strict ? "yes" : "no");
>
>-#ifdef HAVE_THREADS
>+#if 0
> if (cert->crlDistributionPoints != NULL)
> {
> add_crl_fetch_request(cert->issuer, cert->crlDistributionPoints);
>@@ -511,7 +511,7 @@
> DBG_log("issuer crl \"%s\" found", ibuf)
> )
>
>-#ifdef HAVE_THREADS
>+#if 0
> add_distribution_points(cert->crlDistributionPoints
> , &crl->distributionPoints);
> #endif
>@@ -555,7 +555,7 @@
> , cbuf
> , timetoa(&crl->nextUpdate, TRUE, tbuf, sizeof(tbuf)));
>
>-#ifdef HAVE_THREADS
>+#if 0
> /* try to fetch a crl update */
> if (cert->crlDistributionPoints != NULL)
> {
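Review bot: In the `CD_AUTHENTICATION` case every argument other than the exact string `pam` selects `XAUTH_MD5`, so a typo such as `--authentication PAM` silently picks the password-file method instead of being rejected. Because this parser can only ever store `XAUTH_MD5` or `XAUTH_PAM`, the range check added in the `@@ -1953` hunk cannot trigger for this option, and its message names the enum constants rather than the values a user types. Reject unknown values where they are parsed: `else if (strcmp(optarg, "md5") == 0) { msg.authentication = XAUTH_MD5; }` followed by `else { diag("--authentication must be \"md5\" or \"pam\""); }`. The enclosing option switch starts and ends outside the hunk.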
>@@ -829,7 +829,7 @@
> dntoa(buf, ASN1_BUF_LEN, crl->issuer);
> whack_log(RC_COMMENT, " issuer: '%s'", buf);
>
>-#ifdef HAVE_THREADS
>+#if 0
> /* list all distribution points */
> list_distribution_points(crl->distributionPoints);
> #endif
>diff -Naur openswan-2.6.38/programs/pluto/xauth.c ../openswan-2.6.38/programs/pluto/xauth.c
>--- openswan-2.6.38/programs/pluto/xauth.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/xauth.c 2012-09-19 22:07:13.000000000 +0200
>@@ -77,7 +77,7 @@
> #include "xauth.h"
> #include "virtual.h"
>
>-#ifdef HAVE_THREADS
>+#if 0
> #include <pthread.h>
> #endif
>
>@@ -217,6 +217,8 @@
> else
> #endif
> {
>+ if (con->authentication == XAUTH_PAM)
>+ {
> #ifdef XAUTH_USEPAM
> if(con->pamh == NULL)
> {
>@@ -255,6 +257,7 @@
> get_addr(con->pamh,"WINS2",&ia->wins[1]);
> }
> #endif
>+ }
> }
> return 0;
> }
>@@ -900,11 +903,11 @@
> switch (msgm[count]->msg_style) {
> case PAM_PROMPT_ECHO_OFF:
> string = alloc_bytes(arg->password.len+1, "pam_echo_off");
>- strcpy(string,arg->password.ptr);
>+ strcpy(string,(const char *)arg->password.ptr);
> break;
> case PAM_PROMPT_ECHO_ON:
> string = alloc_bytes(arg->name.len+1,"pam_echo_on");
>- strcpy(string,arg->name.ptr);
>+ strcpy(string,(const char *)arg->name.ptr);
> break;
> }
>
>@@ -935,10 +938,12 @@
> struct thread_arg *arg = varg;
> pam_handle_t *pamh=NULL;
> int retval;
>+ struct pam_conv conv;
>
>+ conv.conv = xauth_pam_conv;
> conv.appdata_ptr = varg;
>
>- retval = pam_start("pluto", arg->name.ptr, &conv, &pamh);
>+ retval = pam_start("pluto", (const char *)arg->name.ptr, &conv, &pamh);
>
> /* Send the remote host address to PAM */
> if (retval == PAM_SUCCESS)
>@@ -957,7 +962,8 @@
> else
> return FALSE;
> }
>-#else /* XAUTH_USEPAM */
>+#endif
>+//#else /* XAUTH_USEPAM */
>
> /** Do authentication via /etc/ipsec.d/passwd file using MD5 passwords
> *
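Review bot: The `(const char *)` casts added in the `@@ -900` hunk quiet the compiler but leave both `strcpy` calls dependent on `arg->password.ptr` and `arg->name.ptr` being NUL-terminated within `len` bytes, which nothing in the hunk establishes for values that presumably originate from the remote peer. The destination buffers are sized `len+1`, so a bounded copy fits naturally: `memcpy(string, arg->password.ptr, arg->password.len); string[arg->password.len] = '\0';` and the same for `arg->name`. The `pam_start("pluto", (const char *)arg->name.ptr, ...)` call in the `@@ -935` hunk and the `%s` logging of `arg->name.ptr` in `do_authentication` carry the same assumption. The conversation callback's body continues outside the hunk.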
>@@ -1084,7 +1090,7 @@
>
> return FALSE;
> }
>-#endif
>+//#endif
>
> /** Main authentication routine will then call the actual compiled in
> * method to verify the user/password
>@@ -1098,13 +1104,18 @@
>
>
>
>+ if (st->st_connection->authentication == XAUTH_PAM) {
> #ifdef XAUTH_USEPAM
>- openswan_log("XAUTH: pam authentication being called to authenticate user %s",arg->name.ptr);
>- results=do_pam_authentication(varg);
>+ openswan_log("XAUTH: pam authentication being called to authenticate user %s",arg->name.ptr);
>+ results=do_pam_authentication(varg);
> #else
>- openswan_log("XAUTH: md5 authentication being called to authenticate user %s",arg->name.ptr);
>- results=do_md5_authentication(varg);
>+ results = FALSE;
> #endif
>+ }
>+ else {
>+ openswan_log("XAUTH: md5 authentication being called to authenticate user %s",arg->name.ptr);
>+ results=do_md5_authentication(varg);
>+ }
> if(results)
> {
> openswan_log("XAUTH: User %s: Authentication Successful", arg->name.ptr);
>@@ -1146,24 +1157,30 @@
> , chunk_t password
> , chunk_t connname)
> {
>-#ifdef HAVE_THREADS
>+/*
>+#if 0
> pthread_attr_t pattr;
> pthread_t tid;
> #endif
>+*/
> struct thread_arg *arg;
> arg = alloc_thing(struct thread_arg,"ThreadArg");
> arg->st = st;
> arg->password = password;
> arg->name = name;
> arg->connname = connname;
>-#ifdef HAVE_THREADS
>+/*
>+#if 0
> pthread_attr_init(&pattr);
> pthread_attr_setdetachstate(&pattr,PTHREAD_CREATE_DETACHED);
> pthread_create(&tid,&pattr,do_authentication, (void*) arg);
> pthread_attr_destroy(&pattr);
> #else
>+*/
> do_authentication(arg);
>+/*
> #endif
>+*/
> return 0;
> }
>
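Review bot: When a conn requests `XAUTH_PAM` on a binary built without `XAUTH_USEPAM`, the `#else` branch in the `@@ -1098` hunk sets `results = FALSE` without logging anything, so the operator presumably sees only the ordinary authentication-failure path. Failing closed is the right outcome; add a line such as `openswan_log("XAUTH: pam authentication requested but PAM support is not compiled in");` before the assignment so the misconfiguration can be diagnosed. The function's start and end are outside the hunk.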
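Review bot: With the `pthread_create` path commented out in the `@@ -1146` hunk, `do_authentication(arg)` always runs inline in the caller, so a PAM stack that waits on a remote directory or applies a failure delay would stall whatever thread calls this function; if that is pluto's main event loop, one slow login holds up IKE processing for every peer. The Makefile.inc comment this patch deletes said PAM support requires HAVE_THREADS, which suggests that was the reason for the detached thread. I would keep the `#ifdef HAVE_THREADS` branch for the PAM case rather than commenting it out, and at minimum replace the three `/* ... */` wrappers around dead preprocessor lines with a comment stating that authentication is deliberately synchronous. Nothing in the hunk frees `arg` after the inline call, so confirm that `do_authentication` releases it.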