Red Hat Bugzilla – Attachment 621003 Details for
Bug 815127
Changes to Openswan to support PAM authentication
[patch]
Openswan 2.6.38 6 - patch - Successfully tested with two simultaneous Shrew clients
openswan-2.6.38.diff (text/plain), 29.84 KB, created by
Philippe Vouters
on 2012-10-03 15:48:45 UTC
Description:
Openswan 2.6.38 6 - patch - Successfully tested with two simultaneous Shrew clients
Filename:
MIME Type:
Creator:
Philippe Vouters
Created:
2012-10-03 15:48:45 UTC
Size:
29.84 KB
patch
obsolete
>diff -Naur openswan-2.6.38/Makefile.inc ../openswan-2.6.38/Makefile.inc
>--- openswan-2.6.38/Makefile.inc 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/Makefile.inc 2012-09-27 00:31:26.000000000 +0200
>@@ -47,6 +47,9 @@
>
> ### install pathnames
>
>+# Determine OS for eventual PAM support.
>+OS=$(shell uname -s)
>+
> # DESTDIR can be used to supply a prefix to all install targets.
> # (Note that "final" pathnames, signifying where files will eventually
> # reside rather than where install puts them, are exempt from this.)
>@@ -356,12 +359,12 @@
> # do additional configuration - but it is often needed for Cisco interop
> USE_XAUTH?=true
>
>-# When doing XAUTH, include PAM support as well, requires HAVE_THREADS be
>+# When doing XAUTH, include PAM support as well.
> # true as well
>-USE_XAUTHPAM?=false
>+#USE_XAUTHPAM?=false
>
>-ifeq ($(USE_XAUTHPAM),true)
>-HAVE_THREADS=true
>+ifeq ($(OS),Linux)
>+USE_XAUTHPAM=true
> endif
>
> # Support for integrity check for binaries (requires USE_LIBNSS and fipscheck-devel)
>diff -Naur openswan-2.6.38/contrib/labeled-ipsec/selinux.patch ../openswan-2.6.38/contrib/labeled-ipsec/selinux.patch
>--- openswan-2.6.38/contrib/labeled-ipsec/selinux.patch 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/contrib/labeled-ipsec/selinux.patch 2012-09-27 00:31:26.000000000 +0200
>@@ -2434,7 +2434,7 @@
> init_id();
> + init_avc();
>
>- #ifdef HAVE_THREADS
>+ #if 0
> init_fetch();
> --- openswan-2.4.9.orig/programs/pluto/security.c 1969-12-31 18:00:00.000000000 -0600
> +++ openswan-2.4.9/programs/pluto/security.c 2007-10-30 08:40:08.000000000 -0500
>diff -Naur openswan-2.6.38/contrib/pam.d/pluto ../openswan-2.6.38/contrib/pam.d/pluto
>--- openswan-2.6.38/contrib/pam.d/pluto 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/contrib/pam.d/pluto 2012-09-27 00:31:26.000000000 +0200
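Review bot: `USE_XAUTHPAM=true` inside the new `ifeq ($(OS),Linux)` block is a plain assignment, so a value set in the environment or in an earlier included file is presumably overridden on every Linux build and the only way left to turn PAM off is to edit this file; `USE_XAUTHPAM?=true` keeps it overridable, and the old `#USE_XAUTHPAM?=false` should be deleted rather than commented. The rewritten comment also strands the context line that follows it: `# When doing XAUTH, include PAM support as well.` is now followed by the orphaned `# true as well` from the old sentence, which should go with it.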
>@@ -1,8 +1,15 @@
>-auth required /lib/security/pam_securetty.so
>-auth required /lib/security/pam_stack.so service=system-auth
>-auth required /lib/security/pam_nologin.so
>-auth required /lib/security/pam_env.so debug
>-account required /lib/security/pam_stack.so service=system-auth
>-password required /lib/security/pam_stack.so service=system-auth
>-session required /lib/security/pam_stack.so service=system-auth
>-
>+#auth required /lib/security/pam_securetty.so
>+#auth required /lib/security/pam_stack.so service=system-auth
>+#auth required /lib/security/pam_nologin.so
>+#auth required /lib/security/pam_env.so debug
>+#account required /lib/security/pam_stack.so service=system-auth
>+#password required /lib/security/pam_stack.so service=system-auth
>+#session required /lib/security/pam_stack.so service=system-auth
>+#%PAM-1.0
>+auth include system-auth
>+account required pam_nologin.so
>+account include system-auth
>+password include system-auth
>+session optional pam_keyinit.so force revoke
>+session include system-auth
>+session required pam_loginuid.so
>diff -Naur openswan-2.6.38/include/ipsecconf/keywords.h ../openswan-2.6.38/include/ipsecconf/keywords.h
>--- openswan-2.6.38/include/ipsecconf/keywords.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/include/ipsecconf/keywords.h 2012-09-29 16:37:01.000000000 +0200
>@@ -113,6 +113,7 @@
> KBF_SAREFTRACK, /* saref tracking paramter for _updown */
> KBF_WARNIGNORE, /* to ignore obsoleted keywords */
> KBF_SECCTX, /*security context attribute value for labeled ipsec*/
>+ KBF_XAUTHBY,
> KBF_MAX
> };
>
>diff -Naur openswan-2.6.38/include/pluto_constants.h ../openswan-2.6.38/include/pluto_constants.h
>--- openswan-2.6.38/include/pluto_constants.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/include/pluto_constants.h 2012-09-29 16:14:31.000000000 +0200
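Review bot: `#%PAM-1.0` is placed after seven commented-out copies of the old stack, so the service file no longer opens with the PAM header and the dead `/lib/security/pam_stack.so` entries stay around to mislead a later reader; put `#%PAM-1.0` first and delete the commented lines, the history is already in the diff. Whether `session required pam_loginuid.so` is appropriate for a long-running daemon authenticating remote XAUTH users, rather than a local login service, should be confirmed against the target distribution's other network-service PAM files, since a failing required session module blocks every session.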
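Review bot: `KBF_XAUTHBY,` is the only entry in this enum run without a trailing comment, while its neighbours say what they select; add `KBF_XAUTHBY, /* xauthby={file,pam}: where XAUTH credentials are checked */`. The same field is added undocumented in connections.h (`enum keyword_xauthby xauthby;`), and the whack.h comment says MD5 where the enumerator is XAUTHBY_FILE, so the three declarations should use one wording.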
>@@ -49,6 +49,11 @@
> CISCO = 1,
> };
>
>+enum keyword_xauthby {
>+ XAUTHBY_FILE = 0,
>+ XAUTHBY_PAM = 1,
>+};
>+
> enum keyword_sha2_truncbug {
> SHA2_TRUNCBUG_NO = 0,
> SHA2_TRUNCBUG_YES = 1,
>diff -Naur openswan-2.6.38/include/secrets.h ../openswan-2.6.38/include/secrets.h
>--- openswan-2.6.38/include/secrets.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/include/secrets.h 2012-09-27 00:31:26.000000000 +0200
>@@ -179,7 +179,7 @@
> , const struct id *his_id
> , bool asym);
>
>-#ifdef HAVE_THREADS
>+#if 0
> extern void lock_certs_and_keys(const char *who);
> extern void unlock_certs_and_keys(const char *who);
> #else
>diff -Naur openswan-2.6.38/include/whack.h ../openswan-2.6.38/include/whack.h
>--- openswan-2.6.38/include/whack.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/include/whack.h 2012-09-29 16:15:35.000000000 +0200
>@@ -130,6 +130,9 @@
> /*Cisco interop: remote peer type*/
> enum keyword_remotepeertype remotepeertype;
>
>+ /* Authentication can be MD5 (default) or PAM */
>+ enum keyword_xauthby xauthby;
>+
> /* Force the use of NAT-T on a connection */
> bool forceencaps;
>
>diff -Naur openswan-2.6.38/include/x509.h ../openswan-2.6.38/include/x509.h
>--- openswan-2.6.38/include/x509.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/include/x509.h 2012-09-27 00:31:26.000000000 +0200
>@@ -213,7 +213,7 @@
> extern x509cert_t *x509_get_authcerts_chain(void);
>
>
>-#ifdef HAVE_THREADS
>+#if 0
> extern void lock_crl_list(const char *who);
> extern void unlock_crl_list(const char *who);
> extern void lock_cacert_list(const char *who);
>diff -Naur openswan-2.6.38/lib/libipsecconf/confread.c ../openswan-2.6.38/lib/libipsecconf/confread.c
>--- openswan-2.6.38/lib/libipsecconf/confread.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/lib/libipsecconf/confread.c 2012-09-29 16:17:33.000000000 +0200
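Review bot: Replacing `#ifdef HAVE_THREADS` with `#if 0` here, and likewise in x509.h, x509chain.c, fetch.c, ocsp.c, plutomain.c, rcv_whack.c and x509.c, removes the CRL fetch thread, the CRL distribution-point tracking and the OCSP refresh requests from every build, including builds that still pass `-DHAVE_THREADS` from Makefile.options. A pluto built this way never fetches a CRL update on its own, so a revoked peer certificate keeps being accepted until an operator loads a fresh CRL by hand, and `--listcrls` no longer shows pending fetch requests. If the goal is only to decouple PAM from HAVE_THREADS, these guards should stay as they were; if the fetch code is genuinely being retired, delete it instead of leaving `#if 0` bodies and record the loss of automatic revocation checking where users will see it.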
>@@ -83,6 +83,9 @@
> cfg->conn_default.options[KBF_NMCONFIGURED] = NM_NO;
> #endif
>
>+ /* default authentication policy is MD5 */
>+ cfg->conn_default.options[KBF_XAUTHBY] = XAUTHBY_FILE;
>+
> #ifdef HAVE_LABELED_IPSEC
> cfg->conn_default.options[KBF_LOOPBACK] = LB_NO;
> cfg->conn_default.options[KBF_LABELED_IPSEC] = LI_NO;
>@@ -116,7 +119,6 @@
> cfg->conn_default.left.key_from_DNS_on_demand = TRUE;
> cfg->conn_default.right.key_from_DNS_on_demand = TRUE;
>
>-
> cfg->conn_default.options[KBF_AUTO] = STARTUP_NO;
> cfg->conn_default.state = STATE_LOADED;
>
>diff -Naur openswan-2.6.38/lib/libipsecconf/keywords.c ../openswan-2.6.38/lib/libipsecconf/keywords.c
>--- openswan-2.6.38/lib/libipsecconf/keywords.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/lib/libipsecconf/keywords.c 2012-09-29 16:40:41.000000000 +0200
>@@ -220,6 +220,17 @@
> { kw_nm_configured_list, sizeof(kw_nm_configured_list)/sizeof(struct keyword_enum_value)};
> #endif
>
>+/*
>+ * Values for xauthby={file,pam}
>+ */
>+struct keyword_enum_value kw_xauthby_list[]={
>+ { "file", XAUTHBY_FILE },
>+ { "pam", XAUTHBY_PAM },
>+};
>+
>+struct keyword_enum_values kw_xauthby=
>+ { kw_xauthby_list, sizeof(kw_xauthby_list)/sizeof(struct keyword_enum_value)};
>+
> #ifdef HAVE_LABELED_IPSEC
> struct keyword_enum_value kw_loopback_list[]={
> { "yes", LB_YES },
>@@ -425,6 +436,7 @@
> {"nm_configured", kv_conn|kv_auto, kt_enum, KBF_NMCONFIGURED, &kw_nm_configured},
> #endif
>
>+ {"xauthby", kv_conn|kv_auto, kt_enum, KBF_XAUTHBY, &kw_xauthby},
> #ifdef NAT_TRAVERSAL
> {"forceencaps", kv_conn|kv_auto, kt_bool, KBF_FORCEENCAP, NOT_ENUM},
> #endif
>diff -Naur openswan-2.6.38/lib/libipsecconf/starterwhack.c ../openswan-2.6.38/lib/libipsecconf/starterwhack.c
>--- openswan-2.6.38/lib/libipsecconf/starterwhack.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/lib/libipsecconf/starterwhack.c 2012-09-29 16:39:29.000000000 +0200
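Review bot: The comment `/* default authentication policy is MD5 */` names the hashing scheme while the value assigned is `XAUTHBY_FILE`, and the rest of the commit calls the same setting `file` (the keywords.c table) and logs it as "file authentication" (xauth.c), so a reader searching for the default finds nothing that lines up. Rephrase it as `/* default is xauthby=file: MD5 passwords read from /etc/ipsec.d/passwd */` so the comment ties the config keyword to the enumerator and to the file it selects.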
>@@ -530,6 +530,10 @@
> msg.remotepeertype=conn->options[KBF_REMOTEPEERTYPE];
> }
>
>+ if(conn->options_set[KBF_XAUTHBY]) {
>+ msg.xauthby=conn->options[KBF_XAUTHBY];
>+ }
>+
> if(conn->options_set[KBF_SHA2_TRUNCBUG]) {
> msg.sha2_truncbug=conn->options[KBF_SHA2_TRUNCBUG];
> }
>@@ -541,7 +545,6 @@
> }
> #endif
>
>-
> #ifdef HAVE_LABELED_IPSEC
> /*Labeled ipsec support*/
> if(conn->options_set[KBF_LOOPBACK]) {
>@@ -555,6 +558,7 @@
> msg.policy_label = conn->policy_label;
> #endif
>
>+
> set_whack_end(cfg, "left", &msg.left, &conn->left);
> set_whack_end(cfg, "right", &msg.right, &conn->right);
>
>diff -Naur openswan-2.6.38/lib/libopenswan/x509chain.c ../openswan-2.6.38/lib/libopenswan/x509chain.c
>--- openswan-2.6.38/lib/libopenswan/x509chain.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/lib/libopenswan/x509chain.c 2012-09-27 00:31:26.000000000 +0200
>@@ -349,7 +349,7 @@
> void
> check_crls(void)
> {
>-#ifdef HAVE_THREADS
>+#if 0
> x509crl_t *crl;
> time_t current_time = time(NULL);
>
>diff -Naur openswan-2.6.38/lib/libwhack/whacklib.c ../openswan-2.6.38/lib/libwhack/whacklib.c
>--- openswan-2.6.38/lib/libwhack/whacklib.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/lib/libwhack/whacklib.c 2012-09-27 00:31:26.000000000 +0200
>@@ -48,9 +48,9 @@
> * @return bool True if operation was successful
> */
> static bool
>-pack_str(struct whackpacker *wp, char **p)
>+pack_str(struct whackpacker *wp, char **p)
> {
>- const char *s = *p == NULL? "" : *p; /* note: NULL becomes ""! */
>+ const char *s = (*p == NULL? "" : *p); /* note: NULL becomes ""! */
> size_t len = strlen(s) + 1;
>
> if (wp->str_roof - wp->str_next < (ptrdiff_t)len)
>diff -Naur openswan-2.6.38/linux/include/openswan.h ../openswan-2.6.38/linux/include/openswan.h
>--- openswan-2.6.38/linux/include/openswan.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/linux/include/openswan.h 2012-09-27 00:31:26.000000000 +0200
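Review bot: `msg.xauthby` is only assigned when `options_set[KBF_XAUTHBY]` is true, so for a conn that never mentions xauthby the value sent to pluto depends on msg having been zeroed earlier in this function (outside the hunk) and on `XAUTHBY_FILE` staying 0. That is presumably true today, but it breaks silently if the enum is ever reordered, and confread.c already seeds `conn_default.options[KBF_XAUTHBY]`; assigning `msg.xauthby = conn->options[KBF_XAUTHBY];` unconditionally makes the default explicit.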
>@@ -562,7 +562,6 @@
> KDF_NATT = 13,
> };
>
>-
> /*
> * Debugging levels for pfkey_lib_debug
> */
>diff -Naur openswan-2.6.38/programs/pluto/Makefile.options ../openswan-2.6.38/programs/pluto/Makefile.options
>--- openswan-2.6.38/programs/pluto/Makefile.options 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/Makefile.options 2012-09-28 13:56:45.000000000 +0200
>@@ -186,6 +186,9 @@
> HAVE_THREADS_DEFS=-DHAVE_THREADS
> HAVE_THREADS_OBJS=${HAVE_THREADS_DIST_OBJS}
> HAVE_THREADS_SRCS=${HAVE_THREADS_DIST_SRCS}
>+endif
>+
>+ifeq ($(USE_XAUTHPAM),true)
> HAVE_THREADS_LLIBS=-lpthread
> endif
>
>diff -Naur openswan-2.6.38/programs/pluto/connections.c ../openswan-2.6.38/programs/pluto/connections.c
>--- openswan-2.6.38/programs/pluto/connections.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/connections.c 2012-09-29 16:23:51.000000000 +0200
>@@ -946,7 +946,6 @@
> dst->host_nexthop = src->host_nexthop;
> dst->host_srcip = src->host_srcip;
> dst->client = src->client;
>-
> #ifdef HAVE_SIN_LEN
> /* XXX need to fix this for v6 */
> dst->client.addr.u.v4.sin_len = sizeof(struct sockaddr_in);
>@@ -1332,6 +1331,9 @@
> /* Cisco interop: remote peer type */
> c->remotepeertype=wm->remotepeertype;
>
>+ /* XAUTH pam or md5 */
>+ c->xauthby=wm->xauthby;
>+
> c->sha2_truncbug=wm->sha2_truncbug;
>
> /* Network Manager support */
>diff -Naur openswan-2.6.38/programs/pluto/connections.h ../openswan-2.6.38/programs/pluto/connections.h
>--- openswan-2.6.38/programs/pluto/connections.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/connections.h 2012-10-03 14:04:05.000000000 +0200
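Review bot: `HAVE_THREADS_LLIBS=-lpthread` is moved out of the block that sets `HAVE_THREADS_DEFS` and `HAVE_THREADS_OBJS` into a new `ifeq ($(USE_XAUTHPAM),true)` block, so a build with HAVE_THREADS on and USE_XAUTHPAM off (any non-Linux build after the Makefile.inc change) still compiles `${HAVE_THREADS_DIST_OBJS}` with `-DHAVE_THREADS` but no longer links libpthread, which on toolchains where the pthread symbols are not in libc is a link failure. Keep the assignment in both blocks, or gate it once on either option with `ifneq (,$(filter true,$(HAVE_THREADS) $(USE_XAUTHPAM)))`. The `ifeq` that the added `endif` closes starts outside the hunk, so the variable it tests is inferred, not visible.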
>@@ -200,6 +200,8 @@
> /*Cisco interop: remote peer type*/
> enum keyword_remotepeertype remotepeertype;
>
>+ enum keyword_xauthby xauthby;
>+
> enum keyword_sha2_truncbug sha2_truncbug;
>
> /*Network Manager support*/
>diff -Naur openswan-2.6.38/programs/pluto/fetch.c ../openswan-2.6.38/programs/pluto/fetch.c
>--- openswan-2.6.38/programs/pluto/fetch.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/fetch.c 2012-09-27 00:31:26.000000000 +0200
>@@ -244,7 +244,7 @@
> DBG(DBG_CONTROLMORE,
> DBG_log("fetch thread wake call by '%s'", who)
> )
>-#ifdef HAVE_THREADS
>+#if 0
> pthread_mutex_lock(&fetch_wake_mutex);
> pthread_cond_signal(&fetch_wake_cond);
> pthread_mutex_unlock(&fetch_wake_mutex);
>@@ -719,7 +719,7 @@
> DBG_log("fetch thread started")
> )
>
>-#ifdef HAVE_THREADS
>+#if 0
> pthread_mutex_lock(&fetch_wake_mutex);
> #endif
> while(1)
>diff -Naur openswan-2.6.38/programs/pluto/ocsp.c ../openswan-2.6.38/programs/pluto/ocsp.c
>--- openswan-2.6.38/programs/pluto/ocsp.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/ocsp.c 2012-09-27 00:31:26.000000000 +0200
>@@ -430,7 +430,7 @@
> status = get_ocsp_status(&location, cert->serialNumber, &nextUpdate);
> unlock_ocsp_cache("verify_by_ocsp");
>
>-#ifdef HAVE_THREADS
>+#if 0
> if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
> {
> openswan_log("ocsp status is stale or not in cache");
>@@ -487,7 +487,7 @@
> bool first = TRUE;
> #endif
> ocsp_certinfo_t *certinfo = location->certinfo;
>-#ifdef HAVE_THREADS
>+#if 0
> time_t time_left = certinfo->nextUpdate - time(NULL);
> #endif
>
>@@ -509,7 +509,7 @@
> }
> first = FALSE;
> } );
>-#ifdef HAVE_THREADS
>+#if 0
> DBG(DBG_CONTROL,
> char buf[BUF_LEN];
> datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len
>@@ -518,7 +518,7 @@
> , (unsigned long)time_left));
> #endif
>
>-#ifdef HAVE_THREADS
>+#if 0
> if (time_left < 2*crl_check_interval)
> add_ocsp_fetch_request(location, certinfo->serialNumber);
> #endif
>diff -Naur openswan-2.6.38/programs/pluto/plutomain.c ../openswan-2.6.38/programs/pluto/plutomain.c
>--- openswan-2.6.38/programs/pluto/plutomain.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/plutomain.c 2012-09-27 00:31:26.000000000 +0200
>@@ -1073,7 +1073,7 @@
> init_tpm();
> #endif
>
>-#ifdef HAVE_THREADS
>+#if 0
> init_fetch();
> #endif
>
>@@ -1128,7 +1128,7 @@
> free_tpm();
> #endif
>
>-#ifdef HAVE_THREADS
>+#if 0
> free_crl_fetch(); /* free chain of crl fetch requests */
> #endif
> #ifdef HAVE_OCSP
>diff -Naur openswan-2.6.38/programs/pluto/rcv_whack.c ../openswan-2.6.38/programs/pluto/rcv_whack.c
>--- openswan-2.6.38/programs/pluto/rcv_whack.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/rcv_whack.c 2012-09-27 00:31:26.000000000 +0200
>@@ -542,7 +542,7 @@
> if (msg.whack_list & LIST_CRLS)
> {
> list_crls(msg.whack_utc, strict_crl_policy);
>-#ifdef HAVE_THREADS
>+#if 0
> list_crl_fetch_requests(msg.whack_utc);
> #endif
> }
>diff -Naur openswan-2.6.38/programs/pluto/state.c ../openswan-2.6.38/programs/pluto/state.c
>--- openswan-2.6.38/programs/pluto/state.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/state.c 2012-10-02 22:06:24.000000000 +0200
>@@ -356,6 +356,17 @@
>
> DBG(DBG_CONTROL, DBG_log("deleting state #%lu", st->st_serialno));
>
>+#ifdef XAUTH_USEPAM
>+ /*
>+ * If still an authentication thread alive, kill it.
>+ */
>+ if (st->tid) {
>+ pthread_kill(st->tid,SIGINT);
>+ pthread_mutex_lock(&st->mutex);
>+ pthread_mutex_unlock(&st->mutex);
>+ }
>+ pthread_mutex_destroy(&st->mutex);
>+#endif
>
> /* If DPD is enabled on this state object, clear any pending events */
> if(st->st_dpd_event != NULL)
>diff -Naur openswan-2.6.38/programs/pluto/state.h ../openswan-2.6.38/programs/pluto/state.h
>--- openswan-2.6.38/programs/pluto/state.h 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/state.h 2012-10-03 14:08:32.000000000 +0200
>@@ -33,6 +33,11 @@
> # include <pk11pub.h>
> #endif
>
>+#ifdef XAUTH_USEPAM
>+#include <pthread.h>
>+#include <signal.h>
>+#endif
>+
> /* Message ID mechanism.
> *
> * A Message ID is contained in each IKE message header.
>@@ -198,6 +203,10 @@
> bool st_ikev2; /* is this an IKEv2 state? */
> bool st_rekeytov2; /* true if this IKEv1 is about
> * to be replaced with IKEv2 */
>+#ifdef XAUTH_USEPAM
>+ pthread_mutex_t mutex; /* per state mutex */
>+ pthread_t tid; /* per state XAUTH_RO thread id */
>+#endif
>
> struct connection *st_connection; /* connection for this SA */
> int st_whack_sock; /* fd for our Whack TCP socket.
>diff -Naur openswan-2.6.38/programs/pluto/whack.c ../openswan-2.6.38/programs/pluto/whack.c
>--- openswan-2.6.38/programs/pluto/whack.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/whack.c 2012-09-29 16:42:15.000000000 +0200
>@@ -128,6 +128,8 @@
> " \\\n "
> "[--nm_configured]"
> " \\\n "
>+ "[--xauthby <file or pam>]"
>+ " \\\n "
> " [--dontrekey]"
> " [--aggrmode]"
> " [--forceencaps]"
>@@ -496,6 +498,7 @@
> CD_IKE,
> CD_PFSGROUP,
> CD_REMOTEPEERTYPE,
>+ CD_XAUTHBY,
> CD_SHA2_TRUNCBUG,
> CD_NMCONFIGURED,
> CD_LOOPBACK,
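Review bot: `pthread_mutex_destroy(&st->mutex)` runs for every deleted state, but the mutex is only initialised in xauth_launch_authent (xauth.c), so a state that never went through XAUTH destroys an uninitialised mutex, which is undefined behaviour; guard it with the same condition that decides whether a thread was started, or initialise the mutex where the state is created. The wait itself uses a mutex as a completion flag: the main thread locks it before pthread_create, the worker unlocks a mutex it does not own, and this code relocks it, both undefined for a default-type mutex under POSIX, and `st->tid` is read here while the worker writes it with no lock held. A `sem_t` posted by the worker and waited on here, or a condition variable guarded by the mutex, expresses the intent portably; the test should then be a separate flag rather than `if (st->tid)`, since `pthread_t` is not guaranteed to be an integer and the `st->tid = 0` stores in xauth.c assume it is. Sending SIGINT into a thread that may be inside pam_authenticate() is the separate problem raised on the xauth.c do_authentication hunk.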
>@@ -722,6 +725,7 @@
> { "pfsgroup", required_argument, NULL, CD_PFSGROUP + OO },
> { "esp", required_argument, NULL, CD_ESP + OO },
> { "remote_peer_type", required_argument, NULL, CD_REMOTEPEERTYPE + OO},
>+ { "xauthby", required_argument, NULL, CD_XAUTHBY + OO},
> #ifdef HAVE_NM
> { "nm_configured", no_argument, NULL, CD_NMCONFIGURED + OO},
> #endif
>@@ -942,6 +946,8 @@
>
> msg.remotepeertype = NON_CISCO;
>
>+ msg.xauthby = XAUTHBY_FILE;
>+
> msg.sha2_truncbug = SHA2_TRUNCBUG_NO;
>
> /*Network Manager support*/
>@@ -1569,7 +1575,14 @@
> msg.remotepeertype = NON_CISCO;
> }
> continue;
>-
>+ case CD_XAUTHBY: /* --xauthby <file or pam>*/
>+ if ( strcmp(optarg, "pam" ) == 0) {
>+ msg.xauthby = XAUTHBY_PAM;
>+ }
>+ else {
>+ msg.xauthby = XAUTHBY_FILE;
>+ }
>+ continue;
> case CD_SHA2_TRUNCBUG: /* --sha2_truncbug */
> if ( strcmp(optarg, "yes" ) == 0) {
> msg.sha2_truncbug = SHA2_TRUNCBUG_YES;
>@@ -1953,6 +1966,11 @@
> msg.remotepeertype = NON_CISCO; /*NON_CISCO=0*/
> }
>
>+ if (msg.xauthby != XAUTHBY_FILE && msg.xauthby != XAUTHBY_PAM) {
>+ diag("xauthby can only be \"XAUTHBY_FILE\" or \"XAUTHBY_PAM\" - defaulting to file authentication");
>+ msg.xauthby = XAUTHBY_FILE;
>+ }
>+
> /* pack strings for inclusion in message */
> wp.msg = &msg;
>
>diff -Naur openswan-2.6.38/programs/pluto/x509.c ../openswan-2.6.38/programs/pluto/x509.c
>--- openswan-2.6.38/programs/pluto/x509.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/x509.c 2012-09-27 00:31:26.000000000 +0200
>@@ -373,7 +373,7 @@
> {
> if (crl->thisUpdate > oldcrl->thisUpdate)
> {
>-#ifdef HAVE_THREADS
>+#if 0
> /* keep any known CRL distribution points */
> add_distribution_points(oldcrl->distributionPoints
> , &crl->distributionPoints);
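Review bot: `case CD_XAUTHBY` maps every value other than the exact string `pam` to `XAUTHBY_FILE`, so `--xauthby PAM` or any typo silently selects file authentication instead of the PAM policy the operator asked for, and the later check in the 1953 hunk (`if (msg.xauthby != XAUTHBY_FILE && msg.xauthby != XAUTHBY_PAM)`) can never fire because this switch and the default at 942 are the only writers. Reject unknown values at the parse site instead: `else if (strcmp(optarg, "file") == 0) msg.xauthby = XAUTHBY_FILE;` followed by `else diag("--xauthby must be \"file\" or \"pam\"");`. The diag text in the 1953 hunk also shows the user the C enumerator names `XAUTHBY_FILE` and `XAUTHBY_PAM`, whereas the accepted spellings are `file` and `pam`.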
>@@ -492,7 +492,7 @@
> openswan_log("no crl from issuer \"%s\" found (strict=%s)", ibuf
> , strict ? "yes" : "no");
>
>-#ifdef HAVE_THREADS
>+#if 0
> if (cert->crlDistributionPoints != NULL)
> {
> add_crl_fetch_request(cert->issuer, cert->crlDistributionPoints);
>@@ -511,7 +511,7 @@
> DBG_log("issuer crl \"%s\" found", ibuf)
> )
>
>-#ifdef HAVE_THREADS
>+#if 0
> add_distribution_points(cert->crlDistributionPoints
> , &crl->distributionPoints);
> #endif
>@@ -555,7 +555,7 @@
> , cbuf
> , timetoa(&crl->nextUpdate, TRUE, tbuf, sizeof(tbuf)));
>
>-#ifdef HAVE_THREADS
>+#if 0
> /* try to fetch a crl update */
> if (cert->crlDistributionPoints != NULL)
> {
>@@ -829,7 +829,7 @@
> dntoa(buf, ASN1_BUF_LEN, crl->issuer);
> whack_log(RC_COMMENT, " issuer: '%s'", buf);
>
>-#ifdef HAVE_THREADS
>+#if 0
> /* list all distribution points */
> list_distribution_points(crl->distributionPoints);
> #endif
>diff -Naur openswan-2.6.38/programs/pluto/xauth.c ../openswan-2.6.38/programs/pluto/xauth.c
>--- openswan-2.6.38/programs/pluto/xauth.c 2012-03-23 22:33:43.000000000 +0100
>+++ ../openswan-2.6.38/programs/pluto/xauth.c 2012-10-03 13:19:32.000000000 +0200
>@@ -54,6 +54,9 @@
> #include "certs.h"
> #ifdef XAUTH_USEPAM
> #include <security/pam_appl.h>
>+#include <pthread.h>
>+#include <signal.h>
>+#include <setjmp.h>
> #endif
> #include "connections.h" /* needs id.h */
> #include "packet.h"
>@@ -77,10 +80,6 @@
> #include "xauth.h"
> #include "virtual.h"
>
>-#ifdef HAVE_THREADS
>-#include <pthread.h>
>-#endif
>-
> static stf_status
> modecfg_inI2(struct msg_digest *md);
>
>@@ -88,9 +87,21 @@
>
> extern bool encrypt_message(pb_stream *pbs, struct state *st); /* forward declaration */
>
>+#ifdef XAUTH_USEPAM
>+typedef struct
>+{
>+ int in_use;
>+ struct state *st;
>+ sigjmp_buf jbuf;
>+} st_jbuf_t;
>+#endif
>+
> struct thread_arg
> {
> struct state *st;
>+#ifdef XAUTH_USEPAM
>+ st_jbuf_t *ptr;
>+#endif
> chunk_t name;
> chunk_t password;
> chunk_t connname;
>@@ -113,9 +124,15 @@
> struct pam_response **response, void *appdata_ptr);
>
> static
>-struct pam_conv conv = {
>+struct pam_conv conv =
>+{
> xauth_pam_conv,
>- NULL };
>+ NULL
>+};
>+
>+static st_jbuf_t *st_jbuf_mem = NULL;
>+
>+static pthread_mutex_t st_jbuf_mutex = PTHREAD_MUTEX_INITIALIZER;
>
> /**
> * Get IP address from a PAM environment variable
>@@ -126,6 +143,101 @@
> * @return int Return code
> */
> static
>+void dealloc_st_jbuf(st_jbuf_t *ptr)
>+{
>+
>+ if (st_jbuf_mem == NULL)
>+ osw_abort();
>+ if (ptr == NULL)
>+ osw_abort();
>+ ptr->in_use = 0;
>+ ptr = st_jbuf_mem;
>+ while (ptr->st != NULL) {
>+ if (ptr->in_use) {
>+ return;
>+ }
>+ ptr++;
>+ }
>+ if (st_jbuf_mem) {
>+ free(st_jbuf_mem);
>+ st_jbuf_mem = NULL;
>+ }
>+}
>+
>+static
>+st_jbuf_t *get_ptr_matching_tid(void)
>+{
>+ st_jbuf_t *ptr;
>+
>+ ptr = st_jbuf_mem;
>+
>+ if (ptr == NULL)
>+ osw_abort();
>+
>+ while (ptr->st != NULL){
>+ if (ptr->in_use == 1 && ptr->st->tid == pthread_self())
>+ return ptr;
>+ else
>+ ptr++;
>+ }
>+ return NULL;
>+}
>+
>+static
>+st_jbuf_t *alloc_st_jbuf(void)
>+{
>+ st_jbuf_t *ptr;
>+ size_t offset;
>+
>+ pthread_mutex_lock(&st_jbuf_mutex);
>+ if (!st_jbuf_mem) {
>+ st_jbuf_mem = calloc(2,sizeof(st_jbuf_t)*2);
>+ ptr = st_jbuf_mem;
>+ goto end;
>+ }
>+ ptr = st_jbuf_mem;
>+ if (ptr == NULL)
>+ osw_abort();
>+
>+ while (ptr->st != NULL) {
>+ if (ptr->in_use == 0 && ptr->st != NULL)
>+ goto end;
>+ ptr++;
>+ }
>+ offset = (size_t)((char *)ptr - (char *)st_jbuf_mem);
>+ ptr = realloc(st_jbuf_mem, offset + sizeof(st_jbuf_t)*2);
>+ if (ptr == NULL)
>+ osw_abort();
>+ st_jbuf_mem = ptr;
>+ ptr = (st_jbuf_t *)((char *)st_jbuf_mem + offset);
>+ memset(ptr, 0, 2*sizeof(st_jbuf_t));
>+ (ptr + 1)->in_use = 0;
>+ (ptr + 1)->st = NULL;
>+end:
>+ ptr->in_use=1;
>+ pthread_mutex_unlock(&st_jbuf_mutex);
>+ return ptr;
>+}
>+
>+static __attribute__ ((noinline))
>+void sigIntHandler(int sig)
>+{
>+ st_jbuf_t *ptr;
>+
>+ if (sig == SIGINT)
>+ {
>+ pthread_mutex_lock(&st_jbuf_mutex);
>+ ptr = get_ptr_matching_tid();
>+ if (ptr) {
>+ siglongjmp (ptr->jbuf,1);
>+ } else {
>+ pthread_mutex_unlock(&st_jbuf_mutex);
>+ osw_abort();
>+ }
>+ }
>+}
>+
>+static
> int get_addr(pam_handle_t *pamh,const char *var,ip_address *addr)
> {
> const char *c;
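Review bot: The new helpers are spliced between the `/** Get IP address from a PAM environment variable ... @return int Return code */` block and `int get_addr(...)`, so that Doxygen comment now describes dealloc_st_jbuf and get_addr has lost its header; move dealloc_st_jbuf, get_ptr_matching_tid, alloc_st_jbuf and sigIntHandler above the comment, each with a one-line purpose comment of its own. In alloc_st_jbuf the first allocation `calloc(2,sizeof(st_jbuf_t)*2)` is never checked before `ptr->in_use=1` dereferences it, although every other failure in the file calls osw_abort(), and it reserves four slots where the realloc growth path reserves two, which makes the terminator invariant (a slot whose `st` is NULL ends the array) hard to see and worth a comment. get_ptr_matching_tid compares `ptr->st->tid == pthread_self()`; `pthread_equal()` is the portable form. sigIntHandler calls pthread_mutex_lock and siglongjmp from signal context, neither async-signal-safe, and jumps back into do_authentication with st_jbuf_mutex still held; since sigaction() is process-wide, a SIGINT that lands while the target thread itself holds that mutex (the start of do_authentication) deadlocks it.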
>@@ -217,6 +329,8 @@
> else
> #endif
> {
>+ if (con->xauthby == XAUTHBY_PAM)
>+ {
> #ifdef XAUTH_USEPAM
> if(con->pamh == NULL)
> {
>@@ -255,6 +369,7 @@
> get_addr(con->pamh,"WINS2",&ia->wins[1]);
> }
> #endif
>+ }
> }
> return 0;
> }
>@@ -864,12 +979,14 @@
>
> send_packet(st, "XAUTH: status", TRUE);
>
>- change_state(st, STATE_XAUTH_R1);
>+ if (status)
>+ change_state(st, STATE_XAUTH_R1);
>
> return STF_OK;
> }
>
> #ifdef XAUTH_USEPAM
>+
> /** XAUTH PAM conversation
> *
> * @param num_msg Int.
>@@ -900,11 +1017,11 @@
> switch (msgm[count]->msg_style) {
> case PAM_PROMPT_ECHO_OFF:
> string = alloc_bytes(arg->password.len+1, "pam_echo_off");
>- strcpy(string,arg->password.ptr);
>+ strcpy(string,(const char *)arg->password.ptr);
> break;
> case PAM_PROMPT_ECHO_ON:
> string = alloc_bytes(arg->name.len+1,"pam_echo_on");
>- strcpy(string,arg->name.ptr);
>+ strcpy(string,(const char *)arg->name.ptr);
> break;
> }
>
>@@ -933,23 +1050,24 @@
> int do_pam_authentication(void *varg)
> {
> struct thread_arg *arg = varg;
>- pam_handle_t *pamh=NULL;
> int retval;
>+ pam_handle_t *pamh = NULL;
>+ struct pam_conv conv;
>
>+ conv.conv = xauth_pam_conv;
> conv.appdata_ptr = varg;
>
>- retval = pam_start("pluto", arg->name.ptr, &conv, &pamh);
>+ retval = pam_start("pluto", (const char *)arg->name.ptr, &conv, &pamh);
>
> /* Send the remote host address to PAM */
> if (retval == PAM_SUCCESS)
> retval = pam_set_item(pamh, PAM_RHOST, pluto_ip_str(&arg->st->st_remoteaddr));
> /* Two factor authentication - Check that the user is valid,
>- and then check if they are permitted access */
>+ and then check if they are permitted access */
> if (retval == PAM_SUCCESS)
> retval = pam_authenticate(pamh, PAM_SILENT); /* is user really user? */
> if (retval == PAM_SUCCESS)
> retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
>-
> pam_end(pamh, PAM_SUCCESS);
>
> if(retval == PAM_SUCCESS)
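Review bot: The casts added to `strcpy(string,(const char *)arg->password.ptr)` and the name copy only silence a warning; the copy still assumes the chunk carries a NUL terminator, even though the destination was sized from `arg->password.len+1`. If the name and password chunks handed to the thread are not guaranteed to be terminated, strcpy reads past the chunk; copying the known length is correct either way: `memcpy(string, arg->password.ptr, arg->password.len); string[arg->password.len] = '\0';` and the same for name. The enclosing xauth_pam_conv starts and ends outside the hunk.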
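Review bot: Giving do_pam_authentication its own `struct pam_conv conv` is what makes two concurrent PAM threads safe, but the file-scope `static struct pam_conv conv` reshaped in the 113 hunk then appears to have no remaining reader and should be removed rather than left as a shadowed global. `pam_end(pamh, PAM_SUCCESS)` reports success to the modules whatever the outcome and is also called when pam_start failed and pamh is still NULL; `if (pamh != NULL) pam_end(pamh, retval);` gives the modules the real status. When a SIGINT from delete_state lands while this function is inside pam_authenticate, the siglongjmp in sigIntHandler skips this pam_end altogether, so the handle and whatever the modules allocated leak on every cancelled login.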
>@@ -957,7 +1075,8 @@
> else
> return FALSE;
> }
>-#else /* XAUTH_USEPAM */
>+#endif
>+//#else /* XAUTH_USEPAM */
>
> /** Do authentication via /etc/ipsec.d/passwd file using MD5 passwords
> *
>@@ -1084,7 +1203,7 @@
>
> return FALSE;
> }
>-#endif
>+//#endif
>
> /** Main authentication routine will then call the actual compiled in
> * method to verify the user/password
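Review bot: `//#else /* XAUTH_USEPAM */` here and `//#endif` in the 1084 hunk leave commented-out preprocessor lines where the actual change is that do_md5_authentication is now compiled into every build; delete both comment lines and say so in the function's doc comment, e.g. `/** Do authentication via /etc/ipsec.d/passwd file using MD5 passwords; always compiled, selected by xauthby=file */`. The "Main authentication routine will then call the actual compiled in method" comment that follows is likewise out of date now that the method is chosen per connection at run time.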
>@@ -1094,17 +1213,69 @@
> struct thread_arg *arg = varg;
> struct state *st = arg->st;
> int results=FALSE;
>+#ifdef XAUTH_USEPAM
>+ struct sigaction sa;
>+ struct sigaction oldsa;
>+ st_jbuf_t *ptr = arg->ptr;
>+
>+ pthread_mutex_lock(&st_jbuf_mutex);
>+// ptr = get_ptr_matching_tid();
>+ if (!ptr) {
>+ pthread_mutex_unlock(&st_jbuf_mutex);
>+ freeanychunk(arg->password);
>+ freeanychunk(arg->name);
>+ freeanychunk(arg->connname);
>+ pfree(varg);
>+ pthread_mutex_unlock(&st->mutex);
>+ st->tid = 0;
>+ return NULL;
>+ }
>+ if (sigsetjmp(ptr->jbuf,1) == 1)
>+ {
>+ dealloc_st_jbuf(ptr);
>+ if (st_jbuf_mem) /* Still one PAM thread ? */
>+ {
>+ /* Yes, restart the one shot SIGINT handler */
>+ sigprocmask(SIG_BLOCK,NULL,&sa.sa_mask);
>+ sa.sa_handler=sigIntHandler;
>+ sa.sa_flags= SA_RESETHAND | SA_NODEFER | SA_ONSTACK; /* One shot handler */
>+ sigaddset(&sa.sa_mask,SIGINT);
>+ sigaction(SIGINT,&sa,NULL);
>+ } else {
>+ sigaction(SIGINT,&oldsa,NULL);
>+ }
>+ pthread_mutex_unlock(&st_jbuf_mutex);
>+ freeanychunk(arg->password);
>+ freeanychunk(arg->name);
>+ freeanychunk(arg->connname);
>+ pfree(varg);
>+ pthread_mutex_unlock(&st->mutex);
>+ st->tid = 0;
>+ return NULL;
>+ }
>+
>+ pthread_mutex_unlock(&st_jbuf_mutex);
>+ sigprocmask(SIG_BLOCK,NULL,&sa.sa_mask);
>+ pthread_sigmask(SIG_BLOCK,&sa.sa_mask,NULL);
>+ sa.sa_handler=sigIntHandler;
>+ sa.sa_flags= SA_RESETHAND | SA_NODEFER | SA_ONSTACK; /* One shot handler */
>+ sigaddset(&sa.sa_mask,SIGINT);
>+ sigaction(SIGINT,&sa,&oldsa);
>+#endif
>+
> openswan_log("XAUTH: User %s: Attempting to login" , arg->name.ptr);
>-
>-
>
>+ if (st->st_connection->xauthby == XAUTHBY_PAM) {
> #ifdef XAUTH_USEPAM
>- openswan_log("XAUTH: pam authentication being called to authenticate user %s",arg->name.ptr);
>- results=do_pam_authentication(varg);
>+ openswan_log("XAUTH: pam authentication being called to authenticate user %s",arg->name.ptr);
>+ results=do_pam_authentication(varg);
> #else
>- openswan_log("XAUTH: md5 authentication
 being called to authenticate user %s",arg->name.ptr);
>- results=do_md5_authentication(varg);
>+ results = FALSE;
> #endif
>+ } else {
>+ openswan_log("XAUTH: file authentication being called to authenticate user %s",arg->name.ptr);
>+ results=do_md5_authentication(varg);
>+ }
> if(results)
> {
> openswan_log("XAUTH: User %s: Authentication Successful", arg->name.ptr);
>@@ -1115,15 +1286,26 @@
> }
>
> strncpy(st->st_xauth_username, (char *)arg->name.ptr, sizeof(st->st_xauth_username));
>- } else
>- {
>+ } else {
> /** Login attempt failed, display error, send XAUTH status to client
> * and reset state to XAUTH_R0 */
>+
> openswan_log("XAUTH: User %s: Authentication Failed: Incorrect Username or Password", arg->name.ptr);
> xauth_send_status(st,0);
>- change_state(st, STATE_XAUTH_R0);
>+ //change_state(st, STATE_XAUTH_R0);
> }
>-
>+#ifdef XAUTH_USEPAM
>+ pthread_mutex_lock(&st_jbuf_mutex);
>+ dealloc_st_jbuf(ptr);
>+ if (!st_jbuf_mem)
>+ {
>+ sigaction(SIGINT,&oldsa,NULL);
>+ }
>+ pthread_mutex_unlock(&st_jbuf_mutex);
>+ pthread_mutex_unlock(&st->mutex);
>+ st->tid = 0;
>+#endif
>+
> freeanychunk(arg->password);
> freeanychunk(arg->name);
> freeanychunk(arg->connname);
>@@ -1133,7 +1315,7 @@
> }
>
>
>-/** Launch an authenication prompt
>+/** Launch an authentication prompt
> *
> * @param st State Structure
> * @param name Usernamd
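Review bot: The siglongjmp recovery added at the top of do_authentication cannot be made safe: the SIGINT from delete_state arrives while this thread may be inside pam_authenticate() or the MD5 file reader, the jump abandons whatever those had open (PAM handle, FILE*, heap buffers, library locks), and the handler is installed with process-wide `sigaction(SIGINT,...)` plus `SA_RESETHAND`, so between the reset and the reinstall in the `sigsetjmp(...) == 1` branch any further SIGINT takes the default action and terminates pluto. `sigprocmask(SIG_BLOCK,NULL,&sa.sa_mask); pthread_sigmask(SIG_BLOCK,&sa.sa_mask,NULL);` re-blocks the mask already in effect and never unblocks SIGINT for this thread, so whether pthread_kill() is ever delivered depends on the mask inherited from the main thread. A cooperative design removes all of it: let the worker run to completion, have delete_state wait for it (or mark the state doomed so the worker discards its result), and drop the handler, sigsetjmp and st_jbuf bookkeeping, at which point the three copies of the cleanup sequence (`freeanychunk` x3, `pfree`, unlock, `st->tid = 0`) collapse into one exit path. On non-PAM builds the `#else results = FALSE;` branch fails closed, which is right, but it drops the log line that was there before; keep `openswan_log("XAUTH: xauthby=pam requested but pluto was built without PAM support; rejecting user %s", arg->name.ptr);` so an operator can tell a build problem from a wrong password.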
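Review bot: `st->tid = 0` is stored after `pthread_mutex_unlock(&st->mutex)`, and delete_state (state.c hunk) treats that unlock as the signal that the worker is finished and goes on to destroy the mutex and tear down the state, so this store can land on a state that is being freed; move `st->tid = 0` before the unlock here and in the two early-exit copies in the 1094 hunk. `//change_state(st, STATE_XAUTH_R0);` should be deleted rather than commented, and the doc comment above it (`and reset state to XAUTH_R0`) updated to say the state is left unchanged on failure, since together with `if (status) change_state(...)` in the 864 hunk that is now the actual behaviour. The context line `strncpy(st->st_xauth_username, ...)` with `sizeof(st->st_xauth_username)` as the bound leaves the field unterminated for a name of exactly that length; it predates this patch, but `snprintf(st->st_xauth_username, sizeof(st->st_xauth_username), "%s", (char *)arg->name.ptr);` would close it while the area is being touched.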
>@@ -1146,20 +1328,39 @@
> , chunk_t password
> , chunk_t connname)
> {
>-#ifdef HAVE_THREADS
>+#ifdef XAUTH_USEPAM
> pthread_attr_t pattr;
>- pthread_t tid;
>+ st_jbuf_t *ptr;
>+// pthread_t tid;
> #endif
> struct thread_arg *arg;
>+
>+#ifdef XAUTH_USEPAM
>+ if (st->tid)
>+ {
>+ return 0;
>+ }
>+#endif
> arg = alloc_thing(struct thread_arg,"ThreadArg");
> arg->st = st;
> arg->password = password;
> arg->name = name;
> arg->connname = connname;
>-#ifdef HAVE_THREADS
>+#ifdef XAUTH_USEPAM
>+ //
>+ // Start any kind of authentication in a thread. This includes MD5
>+ // authentication as the /etc/ipsec.d/passwd file may reside on
>+ // a SAN, a NAS or an NFS disk.
>+ //
>+
>+ ptr = alloc_st_jbuf();
>+ ptr->st = st;
>+ arg->ptr = ptr;
>+ pthread_mutex_init(&st->mutex,NULL);
>+ pthread_mutex_lock(&st->mutex);
> pthread_attr_init(&pattr);
> pthread_attr_setdetachstate(&pattr,PTHREAD_CREATE_DETACHED);
>- pthread_create(&tid,&pattr,do_authentication, (void*) arg);
>+ pthread_create(&st->tid,&pattr,do_authentication,(void*) arg);
> pthread_attr_destroy(&pattr);
> #else
> do_authentication(arg);
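Review bot: `pthread_create(&st->tid, ...)` is still unchecked: on failure st->mutex stays locked by the main thread, `st->tid` is indeterminate, and the next delete_state sends SIGINT to a garbage thread id and then relocks a mutex it already owns (deadlock or undefined behaviour); check the return and, on failure, unlock the mutex, release the st_jbuf slot with dealloc_st_jbuf, and either call `do_authentication(arg)` synchronously as the `#else` branch does or report the failure. The early `if (st->tid) return 0;` drops name, password and connname without freeing them, whereas on the normal path do_authentication frees all three, so the caller presumably hands ownership to this function — confirm and free them here. `pthread_mutex_init(&st->mutex,NULL)` also runs again for every launch on a state that is retried after a failed login, which re-initialises an initialised mutex; initialise it once when the state is created, or only when the mutex has not been set up yet.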