1 diff -urN openswan-2.4.0/include/ietf_constants.h openswan-2.4.0-OpenSClient/include/ietf_constants.h
2 --- openswan-2.4.0/include/ietf_constants.h 2005-06-23 03:45:55.000000000 +0200
3 +++ openswan-2.4.0-OpenSClient/include/ietf_constants.h 2005-09-26 16:51:13.000000000 +0200
5 #define INTERNAL_IP6_DNS 10
6 #define INTERNAL_IP6_NBNS 11
7 #define INTERNAL_IP6_DHCP 12
9 #define INTERNAL_IP4_SUBNET 13
10 #define SUPPORTED_ATTRIBUTES 14
11 #define INTERNAL_IP6_SUBNET 15
14 +/* Checkpoint attribute values */
16 +#define CPSC_USER_NAME 14
17 +#define CPSC_USER_PASSWORD 15
18 +#define CPSC_MESSAGE 17
19 +#define CPSC_CHALLENGE 18
20 +#define CPSC_STATUS 20
22 /* XAUTH attribute values */
23 #define XAUTH_TYPE 16520
25 #define XAUTH_NEXT_PIN 16528
26 #define XAUTH_ANSWER 16529
29 +#define CPSC_INTERNAL_DOMAIN_NAME 16387
30 +#define CPSC_CHKPT_MAC_ADDRESS 16388
31 +#define CPSC_MARCIPAN_REASON_CODE 16389
33 #define XAUTH_TYPE_GENERIC 0
34 #define XAUTH_TYPE_CHAP 1
35 #define XAUTH_TYPE_OTP 2
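Review bot: `CPSC_USER_NAME 14` and `CPSC_USER_PASSWORD 15` reuse the values of `SUPPORTED_ATTRIBUTES` and `INTERNAL_IP6_SUBNET` defined a few lines above in the same ISAKMP configuration-attribute type space, so an incoming attribute of type 14 or 15 is ambiguous between the two meanings, and any `switch` that lists both families in one place gets a duplicate case label. The `case CPSC_USER_NAME:` arm added in xauth.c does not visibly check `POLICY_CPSC` before treating the value as a CheckPoint attribute. If the overlap is deliberate because the CheckPoint client sends these numbers, record it next to the definitions, e.g. `/* Checkpoint attribute values: 14 and 15 deliberately collide with SUPPORTED_ATTRIBUTES / INTERNAL_IP6_SUBNET and must only be interpreted when POLICY_CPSC is set */`, and gate the dispatch on that policy.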
36 diff -urN openswan-2.4.0/include/pluto_constants.h openswan-2.4.0-OpenSClient/include/pluto_constants.h
37 --- openswan-2.4.0/include/pluto_constants.h 2005-08-19 19:53:03.000000000 +0200
38 +++ openswan-2.4.0-OpenSClient/include/pluto_constants.h 2005-09-26 16:51:13.000000000 +0200
40 #define DBG_NATT LELEM(11) /* debugging of NAT-traversal */
41 #define DBG_X509 LELEM(12) /* X.509/pkix verify, cert retrival */
42 #define DBG_DPD LELEM(13) /* DPD items */
43 -#define DBG_PRIVATE LELEM(20) /* private information: DANGER! */
44 +#define DBG_PRIVATE LELEM(21) /* private information: DANGER! */
46 #define IMPAIR0 21 /* first bit for IMPAIR_* */
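Review bot: Moving `DBG_PRIVATE` to `LELEM(21)` makes it share a bit with the first `IMPAIR_*` value, because the very next line fixes `IMPAIR0` at 21 as the first bit of that range, so enabling the impairment that maps to bit 21 would also switch on the flag that logs private material, and vice versa. The move looks like a reaction to the new `POLICY_CPSC LELEM(20)`, but that constant lives in the connection `policy` bitmask rather than the debugging mask, so there was no collision to avoid; keep `#define DBG_PRIVATE LELEM(20) /* private information: DANGER! */`. If bit 20 genuinely has to be freed, raise `IMPAIR0` as well so the two ranges stay disjoint.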
49 STATE_XAUTH_I0, /* client state is awaiting request */
50 STATE_XAUTH_I1, /* client state is awaiting result code */
52 + STATE_CPSC_I0, /* client state is awaiting request */
53 + STATE_CPSC_I1, /* client state is awaiting for challenge */
54 + STATE_CPSC_I2, /* client state is awaiting result code */
60 #define IS_ISAKMP_ENCRYPTED(s) (STATE_MAIN_R2 <= (s) && STATE_AGGR_R0!=(s) && STATE_AGGR_I1 != (s))
61 #define IS_ISAKMP_AUTHENTICATED(s) (STATE_MAIN_R3 <= (s))
62 #define IS_ISAKMP_SA_ESTABLISHED(s) ((s) == STATE_MAIN_R3 || (s) == STATE_MAIN_I4 \
63 + || (s) == STATE_CPSC_I0 || (s) == STATE_CPSC_I1 \
64 + || (s) == STATE_CPSC_I2 \
65 || (s) == STATE_AGGR_I2 || (s) == STATE_AGGR_R2 \
66 || (s) == STATE_XAUTH_R0 || (s) == STATE_XAUTH_R1 \
67 || (s) == STATE_MODE_CFG_R0 || (s) == STATE_MODE_CFG_R1 \
69 #define POLICY_XAUTH LELEM(17) /* do we offer XAUTH? */
70 #define POLICY_MODECFG_PULL LELEM(18) /* is modecfg pulled by client? */
71 #define POLICY_AGGRESSIVE LELEM(19) /* do we do aggressive mode? */
72 +#define POLICY_CPSC LELEM(20) /* do we offer CP SecureClient? */
75 /* Any IPsec policy? If not, a connection description
76 diff -urN openswan-2.4.0/lib/libopenswan/constants.c openswan-2.4.0-OpenSClient/lib/libopenswan/constants.c
77 --- openswan-2.4.0/lib/libopenswan/constants.c 2005-06-23 03:45:55.000000000 +0200
78 +++ openswan-2.4.0-OpenSClient/lib/libopenswan/constants.c 2005-09-26 16:52:47.000000000 +0200
85 + "CPSC_USER_PASSWORD",
90 "INTERNAL_IP4_SUBNET",
91 "SUPPORTED_ATTRIBUTES",
92 "INTERNAL_IP6_SUBNET",
98 enum_names modecfg_attr_names_tv =
99 { INTERNAL_IP4_ADDRESS + ISAKMP_ATTR_AF_TV , INTERNAL_IP6_SUBNET + ISAKMP_ATTR_AF_TV, modecfg_attr_name , &xauth_attr_names };
101 enum_names modecfg_attr_names =
102 { INTERNAL_IP4_ADDRESS , INTERNAL_IP6_SUBNET, modecfg_attr_name , &modecfg_attr_names_tv };
105 +enum_names modecfg_attr_names_tv =
106 + { INTERNAL_IP4_ADDRESS + ISAKMP_ATTR_AF_TV , modecfg_attr_name , &xauth_attr_names };
108 +enum_names modecfg_attr_names =
109 + { INTERNAL_IP4_ADDRESS , modecfg_attr_name , &modecfg_attr_names_tv };
111 /* Oakley Lifetime Type attribute */
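Review bot: The added `modecfg_attr_names_tv` and `modecfg_attr_names` initializers carry three members where the existing definitions immediately above carry four (first value, last value, name table, next), so unless `enum_names` was also changed in a hunk not shown here, `modecfg_attr_name` lands in the last-value slot and `&xauth_attr_names` in the name-table slot, and name lookups would very likely misbehave. They also define the same two identifiers the context lines already define, which is a redefinition unless the lines between them are preprocessor guards. Edit the existing definitions in place instead, and if the intent is to stop using `INTERNAL_IP6_SUBNET` as the upper bound because 14 and 15 are now CheckPoint values, say so in a comment there, e.g. `/* range ends before 14: CPSC_USER_NAME/PASSWORD reuse 14 and 15 */`.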
113 diff -urN openswan-2.4.0/programs/_confread/_confread.in openswan-2.4.0-OpenSClient/programs/_confread/_confread.in
114 --- openswan-2.4.0/programs/_confread/_confread.in 2005-06-14 01:10:49.000000000 +0200
115 +++ openswan-2.4.0-OpenSClient/programs/_confread/_confread.in 2005-09-26 16:51:13.000000000 +0200
117 left = " left leftsubnet leftnexthop leftupdown"
118 akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
119 akey = akey " dpddelay dpdtimeout dpdaction"
120 - akey = akey " xauth"
121 + akey = akey " xauth cpsc"
122 akey = akey " aggrmode"
123 akey = akey " compress"
124 akey = akey " keyingtries ikelifetime disablearrivalcheck failureshunt ike"
125 diff -urN openswan-2.4.0/programs/auto/auto.in openswan-2.4.0-OpenSClient/programs/auto/auto.in
126 --- openswan-2.4.0/programs/auto/auto.in 2005-01-11 18:52:49.000000000 +0100
127 +++ openswan-2.4.0-OpenSClient/programs/auto/auto.in 2005-09-26 16:51:13.000000000 +0200
130 default("pfs", "yes")
133 + default("cpsc", "no")
136 default("aggrmode", "no")
139 if (s["pfsgroup"] != "")
140 settings = settings " --pfsgroup " qs("pfsgroup")
142 + if (s["cpsc"] == "yes")
143 + settings = settings " --cpsc"
144 if (s["aggrmode"] == "yes")
145 settings = settings " --aggrmode"
147 diff -urN openswan-2.4.0/programs/pluto/demux.c openswan-2.4.0-OpenSClient/programs/pluto/demux.c
148 --- openswan-2.4.0/programs/pluto/demux.c 2005-08-19 19:52:42.000000000 +0200
149 +++ openswan-2.4.0-OpenSClient/programs/pluto/demux.c 2005-09-26 16:51:13.000000000 +0200
151 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
152 , P(ATTR) | P(HASH), P(VID), PT(HASH)
153 , EVENT_SA_REPLACE, xauth_inI1 },
155 + /* CheckPoint 2 stage authentication - Stage 1, ID only */
156 + { STATE_CPSC_I0, STATE_CPSC_I1
157 + , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
158 + , P(ATTR) | P(HASH), P(VID), PT(HASH)
159 + , EVENT_SA_REPLACE, xauth_inI0 },
161 + /* Stage 2, Password/Challenge */
162 + { STATE_CPSC_I1, STATE_CPSC_I2
163 + , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
164 + , P(ATTR) | P(HASH), P(VID), PT(HASH)
165 + , EVENT_SA_REPLACE, xauth_inI0 },
167 + { STATE_CPSC_I2, STATE_MAIN_I4
168 + , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
169 + , P(ATTR) | P(HASH), P(VID), PT(HASH)
170 + , EVENT_SA_REPLACE, xauth_inI1 },
175 @@ -1782,6 +1800,9 @@
176 else if(st->st_connection->spd.this.xauth_client
177 && IS_PHASE1(st->st_state))
179 + if(st->st_connection->policy & POLICY_CPSC)
180 + from_state = STATE_CPSC_I0;
182 from_state = STATE_XAUTH_I0;
184 else if(st->st_connection->spd.this.xauth_client
185 diff -urN openswan-2.4.0/programs/pluto/id.c openswan-2.4.0-OpenSClient/programs/pluto/id.c
186 --- openswan-2.4.0/programs/pluto/id.c 2005-02-14 06:56:02.000000000 +0100
187 +++ openswan-2.4.0-OpenSClient/programs/pluto/id.c 2005-09-26 16:51:13.000000000 +0200
192 + else if (*(src+1) == '!')
194 + /* Special CheckPoint Handling - use @! */
195 + id->kind = ID_USER_FQDN;
196 + id->name.ptr = src+2; /* discard @! */
197 + id->name.len = 0; /* ID protection - empty */
202 diff -urN openswan-2.4.0/programs/pluto/ipsec_doi.c openswan-2.4.0-OpenSClient/programs/pluto/ipsec_doi.c
203 --- openswan-2.4.0/programs/pluto/ipsec_doi.c 2005-08-12 19:05:59.000000000 +0200
204 +++ openswan-2.4.0-OpenSClient/programs/pluto/ipsec_doi.c 2005-09-26 16:51:13.000000000 +0200
205 @@ -2744,7 +2744,12 @@
206 struct state *const st = md->st;
207 pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
208 int auth_payload = st->st_oakley.auth == OAKLEY_PRESHARED_KEY
210 + ? ISAKMP_NEXT_HASH : (st->st_oakley.xauth == HybridInitRSA
211 + ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG);
213 ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG;
215 pb_stream id_pbs; /* ID Payload; also used for hash calculation */
216 bool send_cert = FALSE;
217 bool send_cr = FALSE;
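Review bot: The new `auth_payload` initializer is a nested conditional spread over three lines beside the original one-line form, which is hard to read and easy to break when the next authentication method is added; assuming the lines not shown here are the preprocessor guards that select between the two forms, the same result is clearer as `int auth_payload = ISAKMP_NEXT_SIG;` followed by `if (st->st_oakley.auth == OAKLEY_PRESHARED_KEY || st->st_oakley.xauth == HybridInitRSA) auth_payload = ISAKMP_NEXT_HASH;`. Note that the new test reads `st_oakley.xauth` while the existing one reads `st_oakley.auth`, yet spdb.c proposes `HybridInitRSA` under `OAKLEY_AUTHENTICATION_METHOD`; confirm that the negotiated value really ends up in the `xauth` field, otherwise the initiator would still emit a SIG payload. A one-line comment stating why hybrid mode sends a HASH instead of a SIG here (presumably because only the responder authenticates with a signature) would help the next reader.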
218 diff -urN openswan-2.4.0/programs/pluto/pluto_constants.c openswan-2.4.0-OpenSClient/programs/pluto/pluto_constants.c
219 --- openswan-2.4.0/programs/pluto/pluto_constants.c 2005-08-19 19:58:09.000000000 +0200
220 +++ openswan-2.4.0-OpenSClient/programs/pluto/pluto_constants.c 2005-09-26 16:51:13.000000000 +0200
234 "XAUTH client - awaiting CFG_request", /* MODE_XAUTH_I0 */
235 "XAUTH client - awaiting CFG_set", /* MODE_XAUTH_I1 */
236 + "CP SecureClient - awaiting username request", /* MODE_CPSC_I0 */
237 + "CP SecureClient - awaiting password request", /* MODE_CPSC_I1 */
238 + "CP SecureClient - awaiting authentication status", /* MODE_CPSC_I2 */
239 "invalid state - IKE roof"
250 diff -urN openswan-2.4.0/programs/pluto/spdb.c openswan-2.4.0-OpenSClient/programs/pluto/spdb.c
251 --- openswan-2.4.0/programs/pluto/spdb.c 2005-07-06 00:07:06.000000000 +0200
252 +++ openswan-2.4.0-OpenSClient/programs/pluto/spdb.c 2005-09-26 16:51:13.000000000 +0200
254 { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
255 { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
257 +/* Checkpoint SecureClient proposal */
258 +static struct db_attr otrsasig1024des3md5CP_xauthc[] = {
259 + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
260 + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
261 + { OAKLEY_AUTHENTICATION_METHOD, HybridInitRSA },
262 + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
265 +static struct db_attr otrsasig1024des3shaCP_xauthc[] = {
266 + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
267 + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
268 + { OAKLEY_AUTHENTICATION_METHOD, HybridInitRSA },
269 + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
272 static struct db_attr otpsk1024des3sha[] = {
273 { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
275 { KEY_IKE, AD(otrsasig1536des3sha_xauthc) },
276 { KEY_IKE, AD(otrsasig1024des3sha_xauthc) },
277 { KEY_IKE, AD(otrsasig1024des3md5_xauthc) },
278 + { KEY_IKE, AD(otrsasig1024des3shaCP_xauthc) },
279 + { KEY_IKE, AD(otrsasig1024des3md5CP_xauthc) },
281 static struct db_trans oakley_trans_rsasig_xauths[] = {
282 { KEY_IKE, AD(otrsasig1536des3md5_xauths) },
283 diff -urN openswan-2.4.0/programs/pluto/spdb_struct.c openswan-2.4.0-OpenSClient/programs/pluto/spdb_struct.c
284 --- openswan-2.4.0/programs/pluto/spdb_struct.c 2005-08-27 02:29:15.000000000 +0200
285 +++ openswan-2.4.0-OpenSClient/programs/pluto/spdb_struct.c 2005-09-26 16:51:13.000000000 +0200
290 + case HybridInitRSA:
294 diff -urN openswan-2.4.0/programs/pluto/whack.c openswan-2.4.0-OpenSClient/programs/pluto/whack.c
295 --- openswan-2.4.0/programs/pluto/whack.c 2005-07-26 04:11:23.000000000 +0200
296 +++ openswan-2.4.0-OpenSClient/programs/pluto/whack.c 2005-09-26 16:51:13.000000000 +0200
306 CD_DUMMY, /* same order as POLICY_* 17 -- was XAUTH */
307 CD_MODECFGPULL, /* same order as POLICY_* 18 */
308 CD_AGGRESSIVE, /* same order as POLICY_* 19 */
309 + CD_CPSC, /* same order as POLICY_* 20 */
314 { "dpdtimeout", required_argument, NULL, CD_DPDTIMEOUT + OO + NUMERIC_ARG },
315 { "dpdaction", required_argument, NULL, CD_DPDACTION + OO },
317 + { "cpsc", no_argument, NULL, CD_CPSC + OO },
318 { "xauth", no_argument, NULL, END_XAUTHSERVER + OO },
319 { "xauthserver", no_argument, NULL, END_XAUTHSERVER + OO },
320 { "xauthclient", no_argument, NULL, END_XAUTHCLIENT + OO },
321 @@ -1260,6 +1263,11 @@
325 + case CD_CPSC: /* --cpsc */
326 + msg.policy |= POLICY_CPSC;
327 + printf("\nXXX: CPSC\n");
330 case END_XAUTHSERVER: /* --xauthserver */
331 msg.right.xauth_server = TRUE;
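Review bot: `printf("\nXXX: CPSC\n");` in the `CD_CPSC` arm is leftover debugging output that whack will print to stdout every time `--cpsc` is parsed; remove it, since the option's effect is already captured by `msg.policy |= POLICY_CPSC;`. The surrounding option handlers do not print anything when they set a policy bit, and a stray line on stdout can confuse scripts that drive whack.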
333 @@ -1268,6 +1276,7 @@
334 msg.right.xauth_client = TRUE;
338 case END_XAUTHSERVER:
339 case END_XAUTHCLIENT:
340 diag("pluto is not built with XAUTH support");
341 diff -urN openswan-2.4.0/programs/pluto/xauth.c openswan-2.4.0-OpenSClient/programs/pluto/xauth.c
342 --- openswan-2.4.0/programs/pluto/xauth.c 2005-07-26 04:11:23.000000000 +0200
343 +++ openswan-2.4.0-OpenSClient/programs/pluto/xauth.c 2005-09-26 16:51:13.000000000 +0200
345 out_raw(&mask,4,&attrval,"IP4_mask");
350 case INTERNAL_IP4_SUBNET:
352 char mask[4],bits[8]={0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
359 case INTERNAL_IP4_DNS:
360 len = addrbytesptr(&ia.dns[dns_idx++], &byte_ptr);
361 out_raw(byte_ptr,len,&attrval,"IP4_dns");
366 -#define MODECFG_SET_ITEM ( LELEM(INTERNAL_IP4_ADDRESS) | LELEM(INTERNAL_IP4_SUBNET) | LELEM(INTERNAL_IP4_NBNS) | LELEM(INTERNAL_IP4_DNS) )
367 +//#define MODECFG_SET_ITEM ( LELEM(INTERNAL_IP4_ADDRESS) | LELEM(INTERNAL_IP4_SUBNET) | LELEM(INTERNAL_IP4_NBNS) | LELEM(INTERNAL_IP4_DNS) )
368 +#define MODECFG_SET_ITEM ( LELEM(INTERNAL_IP4_ADDRESS) | LELEM(INTERNAL_IP4_NBNS) | LELEM(INTERNAL_IP4_DNS) )
372 @@ -1386,7 +1387,7 @@
373 case INTERNAL_IP4_ADDRESS:
374 case INTERNAL_IP4_NETMASK:
375 case INTERNAL_IP4_DNS:
376 - case INTERNAL_IP4_SUBNET:
377 +// case INTERNAL_IP4_SUBNET:
378 case INTERNAL_IP4_NBNS:
379 resp |= LELEM(attr.isaat_af_type);
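Review bot: Commenting out `case INTERNAL_IP4_SUBNET:` with `//` leaves dead code and no record of why the subnet attribute is no longer acknowledged in `resp`; the same pattern repeats in the hunks at old lines 1519, 1626, 1695 and 2011, and in the `MODECFG_SET_ITEM` redefinition where the old macro body is kept as a `//` comment. Delete the commented lines and state the reason once at the macro, e.g. `/* INTERNAL_IP4_SUBNET deliberately not acknowledged: <reason> */`. The removal is unconditional, so it also changes behaviour for every ordinary XAUTH/ModeCfg peer; if it is only needed for the CheckPoint exchange, make it conditional on `POLICY_CPSC` rather than dropping the case for all connections. The enclosing switch statements start outside these hunks.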
381 @@ -1519,7 +1520,7 @@
383 case INTERNAL_IP4_NETMASK:
384 case INTERNAL_IP4_DNS:
385 - case INTERNAL_IP4_SUBNET:
386 +// case INTERNAL_IP4_SUBNET:
387 case INTERNAL_IP4_NBNS:
388 resp |= LELEM(attr.isaat_af_type);
390 @@ -1626,7 +1627,7 @@
391 case INTERNAL_IP4_ADDRESS:
392 case INTERNAL_IP4_NETMASK:
393 case INTERNAL_IP4_DNS:
394 - case INTERNAL_IP4_SUBNET:
395 +// case INTERNAL_IP4_SUBNET:
396 case INTERNAL_IP4_NBNS:
397 resp |= LELEM(attr.isaat_af_type);
399 @@ -1695,7 +1696,7 @@
401 case INTERNAL_IP4_NETMASK:
402 case INTERNAL_IP4_DNS:
403 - case INTERNAL_IP4_SUBNET:
404 +// case INTERNAL_IP4_SUBNET:
405 case INTERNAL_IP4_NBNS:
406 resp |= LELEM(attr.isaat_af_type);
408 @@ -1784,12 +1785,18 @@
412 + if (st->st_connection->policy & POLICY_CPSC)
413 + attr.isaat_af_type = CPSC_TYPE | ISAKMP_ATTR_AF_TV;
415 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
416 attr.isaat_lv = XAUTH_TYPE_GENERIC;
417 out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, NULL);
420 case XAUTH_USER_NAME:
421 + if (st->st_connection->policy & POLICY_CPSC)
422 + attr.isaat_af_type = CPSC_USER_NAME | ISAKMP_ATTR_AF_TLV;
424 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
425 out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval);
426 if(st->st_whack_sock == -1)
427 @@ -1818,6 +1825,9 @@
430 case XAUTH_USER_PASSWORD:
431 + if (st->st_connection->policy & POLICY_CPSC)
432 + attr.isaat_af_type = CPSC_USER_PASSWORD | ISAKMP_ATTR_AF_TLV;
434 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
435 out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval);
436 if(st->st_whack_sock == -1)
437 @@ -1981,18 +1991,23 @@
439 switch(attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK )
444 status = attr.isaat_lv;
450 memcpy(msgbuf, dat, len);
452 loglog(RC_LOG_SERIOUS, "XAUTH: Bad Message: %s", msgbuf);
457 + attr.isaat_af_type = XAUTH_TYPE;
461 if(type != XAUTH_TYPE_GENERIC)
462 @@ -2003,6 +2018,14 @@
463 xauth_resp |= XAUTHLELEM(attr.isaat_af_type);
466 + case CPSC_USER_NAME:
467 + attr.isaat_af_type = XAUTH_USER_NAME;
468 + goto cp_hybrid_common;
470 + case CPSC_USER_PASSWORD:
471 + attr.isaat_af_type = XAUTH_USER_PASSWORD;
474 case XAUTH_USER_NAME:
475 case XAUTH_USER_PASSWORD:
476 xauth_resp |= XAUTHLELEM(attr.isaat_af_type);
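Review bot: The new `case CPSC_USER_NAME:` and `case CPSC_USER_PASSWORD:` arms overwrite `attr.isaat_af_type` with the bare XAUTH value and then `goto cp_hybrid_common` into the body of another case, which drops whatever `ISAKMP_ATTR_AF_TV`/`ISAKMP_ATTR_AF_TLV` bit the field carried; assuming this switch, like the ones at old lines 1981 and 2225, dispatches on `attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK`, any code after the jump that still reads the format bit from `attr` sees a different value than it would for a native XAUTH attribute. A jump into the middle of another case is also hard to follow. Computing a translated type once before the switch, e.g. `int xtype = cpsc_to_xauth_attr(attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);` with the 14→`XAUTH_USER_NAME` / 15→`XAUTH_USER_PASSWORD` mapping in one small static helper, would keep `attr` intact and let the XAUTH and CPSC labels share a single arm. The switch header is outside this hunk.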
477 @@ -2011,7 +2034,7 @@
478 case INTERNAL_IP4_ADDRESS:
479 case INTERNAL_IP4_NETMASK:
480 case INTERNAL_IP4_DNS:
481 - case INTERNAL_IP4_SUBNET:
482 +// case INTERNAL_IP4_SUBNET:
483 case INTERNAL_IP4_NBNS:
484 xauth_resp |= LELEM(attr.isaat_af_type);
486 @@ -2081,8 +2104,10 @@
489 /* reset the message ID */
490 + if (!(st->st_connection->policy & POLICY_CPSC)) {
491 st->st_msgid_phase15b = st->st_msgid_phase15;
492 st->st_msgid_phase15 = 0;
495 DBG(DBG_CONTROLMORE, DBG_log("xauth_inI0(STF_OK)"));
497 @@ -2137,6 +2162,9 @@
498 attr_type = XAUTH_TYPE;
500 /* ISAKMP attr out */
501 + if (st->st_connection->policy & POLICY_CPSC)
502 + attr.isaat_af_type = CPSC_STATUS | ISAKMP_ATTR_AF_TV;
504 attr.isaat_af_type = XAUTH_STATUS | ISAKMP_ATTR_AF_TV;
506 out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval);
507 @@ -2225,6 +2253,8 @@
509 switch(attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK )
512 + attr.isaat_af_type = XAUTH_STATUS;
514 xauth_resp |= XAUTHLELEM(attr.isaat_af_type);
516 @@ -2246,6 +2276,9 @@
518 /* oops, something seriously wrong */
519 openswan_log("did not get status attribute in xauth_inI1, looking for new challenge.");
520 + if (st->st_connection->policy & POLICY_CPSC)
521 + st->st_state = STATE_CPSC_I0;
523 st->st_state = STATE_XAUTH_I0;
524 return xauth_inI0(md);