1 diff -ur openswan-2.6.25/include/ietf_constants.h openswan-2.6.25.yair/include/ietf_constants.h
2 --- openswan-2.6.25/include/ietf_constants.h 2010-03-21 19:39:35.000000000 +0200
3 +++ openswan-2.6.25.yair/include/ietf_constants.h 2010-05-14 18:50:02.859956843 +0300
5 #define INTERNAL_IP6_DNS 10
6 #define INTERNAL_IP6_NBNS 11
7 #define INTERNAL_IP6_DHCP 12
9 #define INTERNAL_IP4_SUBNET 13
10 #define SUPPORTED_ATTRIBUTES 14
11 #define INTERNAL_IP6_SUBNET 15
14 +/* Checkpoint attribute values */
16 +#define CPSC_USER_NAME 14
17 +#define CPSC_USER_PASSWORD 15
18 +#define CPSC_MESSAGE 17
19 +#define CPSC_CHALLENGE 18
20 +#define CPSC_STATUS 20
22 /* XAUTH attribute values */
23 #define XAUTH_TYPE 16520
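Review bot: `CPSC_USER_NAME 14` and `CPSC_USER_PASSWORD 15` reuse the numbers already assigned to `SUPPORTED_ATTRIBUTES` (14) and `INTERNAL_IP6_SUBNET` (15) a few lines above, so a switch or name table keyed on the bare attribute number cannot tell a credential attribute from a Mode Config one. The constants.c section of this patch also widens the `modecfg_attr_names` range up to `CPSC_STATUS`, so the overlap reaches the logging tables too. I would add a comment on the block such as `/* Check Point private numbering: 14/15 overlap the standard Mode Config attributes; only meaningful when POLICY_CPSC is set */` and have every consumer test the policy before interpreting these values. `CPSC_TYPE`, which xauth.c uses, is not among the visible lines of this hunk.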
25 #define XAUTH_NEXT_PIN 16528
26 #define XAUTH_ANSWER 16529
29 +#define CPSC_INTERNAL_DOMAIN_NAME 16387
30 +#define CPSC_CHKPT_MAC_ADDRESS 16388
31 +#define CPSC_MARCIPAN_REASON_CODE 16389
33 #define XAUTH_TYPE_GENERIC 0
34 #define XAUTH_TYPE_CHAP 1
35 #define XAUTH_TYPE_OTP 2
36 diff -ur openswan-2.6.25/include/ipsecconf/keywords.h openswan-2.6.25.yair/include/ipsecconf/keywords.h
37 --- openswan-2.6.25/include/ipsecconf/keywords.h 2010-03-21 19:39:35.000000000 +0200
38 +++ openswan-2.6.25.yair/include/ipsecconf/keywords.h 2010-05-14 19:03:23.039956841 +0300
47 diff -ur openswan-2.6.25/include/pluto_constants.h openswan-2.6.25.yair/include/pluto_constants.h
48 --- openswan-2.6.25/include/pluto_constants.h 2010-03-21 19:39:35.000000000 +0200
49 +++ openswan-2.6.25.yair/include/pluto_constants.h 2010-05-14 19:27:04.687457923 +0300
52 STATE_XAUTH_I0, /* client state is awaiting request */
53 STATE_XAUTH_I1, /* client state is awaiting result code */
54 + STATE_CPSC_I0, /* client state is awaiting request */
55 + STATE_CPSC_I1, /* client state is awaiting for challenge */
56 + STATE_CPSC_I2, /* client state is awaiting result code */
62 #define IS_ISAKMP_ENCRYPTED(s) (STATE_MAIN_R2 <= (s) && STATE_AGGR_R0!=(s) && STATE_AGGR_I1 != (s) && STATE_INFO != (s))
63 #define IS_ISAKMP_AUTHENTICATED(s) (STATE_MAIN_R3 <= (s))
64 #define IS_ISAKMP_SA_ESTABLISHED(s) ((s) == STATE_MAIN_R3 || (s) == STATE_MAIN_I4 \
65 + || (s) == STATE_CPSC_I0 || (s) == STATE_CPSC_I1 \
66 + || (s) == STATE_CPSC_I2 \
67 || (s) == STATE_AGGR_I2 || (s) == STATE_AGGR_R2 \
68 || (s) == STATE_XAUTH_R0 || (s) == STATE_XAUTH_R1 \
69 || (s) == STATE_MODE_CFG_R0 || (s) == STATE_MODE_CFG_R1 \
71 POLICY_MODECFGDNS2 = LELEM(28), /* should we offer another DNS server IP */
72 POLICY_MODECFGWINS1 = LELEM(29), /* should we offer a WINS server IP */
73 POLICY_MODECFGWINS2 = LELEM(30), /* should we offer another WINS server IP */
74 + POLICY_CPSC = LELEM(31), /* do we offer CP SecureClient? */
77 /* Any IPsec policy? If not, a connection description
78 diff -ur openswan-2.6.25/lib/libipsecconf/confread.c openswan-2.6.25.yair/lib/libipsecconf/confread.c
79 --- openswan-2.6.25/lib/libipsecconf/confread.c 2010-03-21 19:39:35.000000000 +0200
80 +++ openswan-2.6.25.yair/lib/libipsecconf/confread.c 2010-05-14 19:08:58.395957124 +0300
82 KW_POLICY_NEGATIVE_FLAG(KBF_REKEY, POLICY_DONT_REKEY);
84 KW_POLICY_FLAG(KBF_AGGRMODE, POLICY_AGGRESSIVE);
85 + KW_POLICY_FLAG(KBF_CPSC, POLICY_CPSC);
87 KW_POLICY_FLAG(KBF_MODECONFIGPULL, POLICY_MODECFG_PULL);
89 diff -ur openswan-2.6.25/lib/libipsecconf/keywords.c openswan-2.6.25.yair/lib/libipsecconf/keywords.c
90 --- openswan-2.6.25/lib/libipsecconf/keywords.c 2010-03-21 19:39:35.000000000 +0200
91 +++ openswan-2.6.25.yair/lib/libipsecconf/keywords.c 2010-05-14 19:02:17.327459031 +0300
94 /* aggr/xauth/modeconfig */
95 {"aggrmode", kv_conn|kv_auto, kt_invertbool, KBF_AGGRMODE,NOT_ENUM},
96 + {"cpsc", kv_conn|kv_auto, kt_invertbool, KBF_CPSC,NOT_ENUM},
97 {"xauthserver", kv_conn|kv_auto|kv_leftright, kt_bool, KNCF_XAUTHSERVER, NOT_ENUM},
98 {"xauthclient", kv_conn|kv_auto|kv_leftright, kt_bool, KNCF_XAUTHCLIENT, NOT_ENUM},
99 {"xauthname", kv_conn|kv_auto|kv_leftright, kt_string, KSCF_XAUTHUSERNAME, NOT_ENUM},
100 diff -ur openswan-2.6.25/lib/libopenswan/constants.c openswan-2.6.25.yair/lib/libopenswan/constants.c
101 --- openswan-2.6.25/lib/libopenswan/constants.c 2010-03-21 19:39:35.000000000 +0200
102 +++ openswan-2.6.25.yair/lib/libopenswan/constants.c 2010-05-15 11:18:15.531956709 +0300
103 @@ -640,17 +640,34 @@
109 + "CPSC_USER_PASSWORD",
116 "INTERNAL_IP4_SUBNET",
117 "SUPPORTED_ATTRIBUTES",
118 "INTERNAL_IP6_SUBNET",
124 enum_names modecfg_attr_names_tv =
125 { INTERNAL_IP4_ADDRESS + ISAKMP_ATTR_AF_TV , INTERNAL_IP6_SUBNET + ISAKMP_ATTR_AF_TV, modecfg_attr_name , &xauth_attr_names };
127 enum_names modecfg_attr_names =
128 { INTERNAL_IP4_ADDRESS , INTERNAL_IP6_SUBNET, modecfg_attr_name , &modecfg_attr_names_tv };
131 +enum_names modecfg_attr_names_tv =
132 + { INTERNAL_IP4_ADDRESS + ISAKMP_ATTR_AF_TV , CPSC_STATUS + ISAKMP_ATTR_AF_TV, modecfg_attr_name , &xauth_attr_names };
134 +enum_names modecfg_attr_names =
135 + { INTERNAL_IP4_ADDRESS , CPSC_STATUS, modecfg_attr_name , &modecfg_attr_names_tv };
137 /* Oakley Lifetime Type attribute */
139 diff -ur openswan-2.6.25/lib/libopenswan/id.c openswan-2.6.25.yair/lib/libopenswan/id.c
140 --- openswan-2.6.25/lib/libopenswan/id.c 2010-03-21 19:39:35.000000000 +0200
141 +++ openswan-2.6.25.yair/lib/libopenswan/id.c 2010-05-14 19:30:48.843957391 +0300
146 + else if (*(src+1) == '!')
148 + /* Special CheckPoint Handling - use @! */
149 + id->kind = ID_USER_FQDN;
150 + id->name.ptr = src+2; /* discard @! */
151 + id->name.len = 0; /* ID protection - empty */
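Review bot: The `@!` branch sets `id->name.len = 0` while pointing `id->name.ptr` at `src+2`, so whatever the administrator wrote after `@!` is silently discarded and every such ID becomes the same empty ID_USER_FQDN. An empty identity gives later ID comparisons nothing to tell one peer or connection from another, so trailing text should either be rejected (`src[2] != '\0'`) or the behaviour documented where the other `@` forms are described. The comment should also say why the ID is sent empty, e.g. `/* Check Point hybrid mode: send an empty USER_FQDN; the user is identified later in the credential exchange */`, if that reading of the intent is right. The enclosing function starts and ends outside this hunk.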
156 diff -ur openswan-2.6.25/lib/libpluto/pluto_constants.c openswan-2.6.25.yair/lib/libpluto/pluto_constants.c
157 --- openswan-2.6.25/lib/libpluto/pluto_constants.c 2010-03-21 19:39:35.000000000 +0200
158 +++ openswan-2.6.25.yair/lib/libpluto/pluto_constants.c 2010-05-14 19:28:55.919957362 +0300
172 "XAUTH client - awaiting CFG_request", /* MODE_XAUTH_I0 */
173 "XAUTH client - awaiting CFG_set", /* MODE_XAUTH_I1 */
174 + "CP SecureClient - awaiting username request", /* MODE_CPSC_I0 */
175 + "CP SecureClient - awaiting password request", /* MODE_CPSC_I1 */
176 + "CP SecureClient - awaiting authentication status", /* MODE_CPSC_I2 */
177 "invalid state - IKE roof",
178 "invalid state - IKEv2 base",
179 "sent v2I1, expected v2R1", /* STATE_PARENT_I1 */
188 diff -ur openswan-2.6.25/programs/_confread/_confread.in openswan-2.6.25.yair/programs/_confread/_confread.in
189 --- openswan-2.6.25/programs/_confread/_confread.in 2010-03-21 19:39:35.000000000 +0200
190 +++ openswan-2.6.25.yair/programs/_confread/_confread.in 2010-05-14 18:51:03.647957474 +0300
192 left = " left leftsubnet leftnexthop leftupdown"
193 akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
194 akey = akey " dpddelay dpdtimeout dpdaction metric"
195 - akey = akey " xauth"
196 + akey = akey " xauth cpsc"
197 akey = akey " aggrmode"
198 akey = akey " compress"
199 akey = akey " overlapip"
200 diff -ur openswan-2.6.25/programs/pluto/ikev1.c openswan-2.6.25.yair/programs/pluto/ikev1.c
201 --- openswan-2.6.25/programs/pluto/ikev1.c 2010-03-21 19:39:35.000000000 +0200
202 +++ openswan-2.6.25.yair/programs/pluto/ikev1.c 2010-05-14 19:12:44.819956924 +0300
204 , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
205 , P(ATTR) | P(HASH), P(VID), PT(HASH)
206 , EVENT_SA_REPLACE, xauth_inI1 },
208 + /* CheckPoint 2 stage authentication - Stage 1, ID only */
209 + { STATE_CPSC_I0, STATE_CPSC_I1
210 + , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
211 + , P(ATTR) | P(HASH), P(VID), PT(HASH)
212 + , EVENT_SA_REPLACE, xauth_inI0 },
214 + /* Stage 2, Password/Challenge */
215 + { STATE_CPSC_I1, STATE_CPSC_I2
216 + , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
217 + , P(ATTR) | P(HASH), P(VID), PT(HASH)
218 + , EVENT_SA_REPLACE, xauth_inI0 },
220 + { STATE_CPSC_I2, STATE_MAIN_I4
221 + , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
222 + , P(ATTR) | P(HASH), P(VID), PT(HASH)
223 + , EVENT_SA_REPLACE, xauth_inI1 },
228 @@ -1185,6 +1203,9 @@
229 else if(st->st_connection->spd.this.xauth_client
230 && IS_PHASE1(st->st_state))
232 + if(st->st_connection->policy & POLICY_CPSC)
233 + from_state = STATE_CPSC_I0;
235 from_state = STATE_XAUTH_I0;
237 else if(st->st_connection->spd.this.xauth_client
238 diff -ur openswan-2.6.25/programs/pluto/ikev1_main.c openswan-2.6.25.yair/programs/pluto/ikev1_main.c
239 --- openswan-2.6.25/programs/pluto/ikev1_main.c 2010-03-21 19:39:35.000000000 +0200
240 +++ openswan-2.6.25.yair/programs/pluto/ikev1_main.c 2010-05-15 10:22:45.755957417 +0300
241 @@ -1537,7 +1537,12 @@
243 struct state *const st = md->st;
244 int auth_payload = st->st_oakley.auth == OAKLEY_PRESHARED_KEY
245 - ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG;
247 + ? ISAKMP_NEXT_HASH : (st->st_oakley.xauth == HybridInitRSA
248 + ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG);
250 + ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG;
252 pb_stream id_pbs; /* ID Payload; also used for hash calculation */
253 bool send_cert = FALSE;
254 bool send_cr = FALSE;
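Review bot: With `st->st_oakley.xauth == HybridInitRSA` the initiator now sends a HASH payload instead of a signature, so Phase 1 no longer proves the initiator's identity and everything rests on the credential exchange that follows, yet the declaration has no comment saying so. I would put `/* hybrid auth: initiator is not authenticated in Phase 1, only by the later XAUTH/CPSC exchange */` above `auth_payload`. Two alternative tails of the initializer are added (`… : ISAKMP_NEXT_SIG);` and the original `… : ISAKMP_NEXT_SIG;`), presumably under a preprocessor conditional whose lines are not visible; the unused alternative should be removed rather than committed. The test reads `st_oakley.xauth`, whereas the spdb.c section of this patch places `HybridInitRSA` under `OAKLEY_AUTHENTICATION_METHOD`; where `.xauth` is populated is outside the visible lines and worth confirming. The function body continues outside the hunk.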
255 @@ -1863,14 +1868,17 @@
259 - r = RSA_check_signature(st, hash_val, hash_len
261 + r = RSA_check_signature(st, hash_val, hash_len
262 , &md->chain[ISAKMP_NEXT_SIG]->pbs
264 , kc == NULL? NULL : kc->ac.keys_from_dns
265 #endif /* USE_KEYRR */
266 , kc == NULL? NULL : kc->ac.gateways_from_dns
272 if (r == STF_SUSPEND)
274 /* initiate/resume asynchronous DNS lookup for key */
275 diff -ur openswan-2.6.25/programs/pluto/spdb.c openswan-2.6.25.yair/programs/pluto/spdb.c
276 --- openswan-2.6.25/programs/pluto/spdb.c 2010-03-21 19:39:35.000000000 +0200
277 +++ openswan-2.6.25.yair/programs/pluto/spdb.c 2010-05-15 10:13:56.415958649 +0300
279 { .type.oakley=OAKLEY_AUTHENTICATION_METHOD, .val=OAKLEY_PRESHARED_KEY },
280 { .type.oakley=OAKLEY_GROUP_DESCRIPTION, .val=OAKLEY_GROUP_MODP1024 },
282 +/* Checkpoint SecureClient proposal */
283 +static struct db_attr otrsasig1024des3md5CP_xauthc[] = {
284 + { .type.oakley=OAKLEY_ENCRYPTION_ALGORITHM, .val=OAKLEY_3DES_CBC },
285 + { .type.oakley=OAKLEY_HASH_ALGORITHM, .val=OAKLEY_MD5 },
286 + { .type.oakley=OAKLEY_AUTHENTICATION_METHOD, .val=HybridInitRSA },
287 + { .type.oakley=OAKLEY_GROUP_DESCRIPTION, .val=OAKLEY_GROUP_MODP1024 },
290 +static struct db_attr otrsasig1024des3shaCP_xauthc[] = {
291 + { .type.oakley=OAKLEY_ENCRYPTION_ALGORITHM, .val=OAKLEY_3DES_CBC },
292 + { .type.oakley=OAKLEY_HASH_ALGORITHM, .val=OAKLEY_SHA },
293 + { .type.oakley=OAKLEY_AUTHENTICATION_METHOD, .val=HybridInitRSA },
294 + { .type.oakley=OAKLEY_GROUP_DESCRIPTION, .val=OAKLEY_GROUP_MODP1024 },
297 static struct db_attr otpsk1536des3md5[] = {
298 { .type.oakley=OAKLEY_ENCRYPTION_ALGORITHM, .val=OAKLEY_3DES_CBC },
302 static struct db_trans oakley_trans_rsasig_xauthc[] = {
303 + { AD_TR(KEY_IKE,otrsasig1024des3shaCP_xauthc) },
304 + { AD_TR(KEY_IKE,otrsasig1024des3md5CP_xauthc) },
305 { AD_TR(KEY_IKE,otrsasig1536aessha1_xauthc) },
306 { AD_TR(KEY_IKE,otrsasig1536aesmd5_xauthc) },
307 { AD_TR(KEY_IKE,otrsasig1536des3sha1_xauthc) },
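Review bot: The two Check Point transforms are inserted at the head of `oakley_trans_rsasig_xauthc`, so every RSA-signature XAUTH client connection, not only those with `cpsc` set, now offers 3DES with MD5 or SHA over MODP1024 and the `HybridInitRSA` method ahead of the existing 1536-bit AES proposals. A responder that takes the first acceptable transform would end up on the weakest combination in the list, and one that accepts the hybrid method would not authenticate the initiator in Phase 1. These entries belong in a separate table selected only when `POLICY_CPSC` is set, or at least after the existing entries with a comment such as `/* Check Point SecureClient only: hybrid auth, legacy 3DES/MODP1024 */`.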
308 diff -ur openswan-2.6.25/programs/pluto/spdb_v1_struct.c openswan-2.6.25.yair/programs/pluto/spdb_v1_struct.c
309 --- openswan-2.6.25/programs/pluto/spdb_v1_struct.c 2010-03-21 19:39:35.000000000 +0200
310 +++ openswan-2.6.25.yair/programs/pluto/spdb_v1_struct.c 2010-05-14 19:17:34.819958386 +0300
311 @@ -1000,6 +1000,7 @@
315 + case HybridInitRSA:
319 diff -ur openswan-2.6.25/programs/pluto/whack.c openswan-2.6.25.yair/programs/pluto/whack.c
320 --- openswan-2.6.25/programs/pluto/whack.c 2010-03-21 19:39:35.000000000 +0200
321 +++ openswan-2.6.25.yair/programs/pluto/whack.c 2010-05-14 19:13:44.511958127 +0300
331 CD_DUMMY, /* same order as POLICY_* 17 -- was XAUTH */
332 CD_MODECFGPULL, /* same order as POLICY_* 18 */
333 CD_AGGRESSIVE, /* same order as POLICY_* 19 */
335 CD_PERHOST, /* should we specialize the policy to the host? */
336 CD_SUBHOST, /* if the policy applies below the host level (TCP/UDP/SCTP ports) */
337 CD_PERPROTO, /* should we specialize the policy to the protocol? */
339 { "dpdtimeout", required_argument, NULL, CD_DPDTIMEOUT + OO + NUMERIC_ARG },
340 { "dpdaction", required_argument, NULL, CD_DPDACTION + OO },
342 + { "cpsc", no_argument, NULL, CD_CPSC + OO },
343 { "xauth", no_argument, NULL, END_XAUTHSERVER + OO },
344 { "xauthserver", no_argument, NULL, END_XAUTHSERVER + OO },
345 { "xauthclient", no_argument, NULL, END_XAUTHCLIENT + OO },
346 @@ -1555,6 +1558,11 @@
350 + case CD_CPSC: /* --cpsc */
351 + msg.policy |= POLICY_CPSC;
352 + printf("\nXXX: CPSC\n");
355 case END_XAUTHSERVER: /* --xauthserver */
356 msg.right.xauth_server = TRUE;
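Review bot: `printf("\nXXX: CPSC\n");` in the `CD_CPSC` case is leftover debugging output that goes to stdout on every `--cpsc` invocation, while the neighbouring `END_XAUTHSERVER` case only sets its flag. Delete the line so the case is just `msg.policy |= POLICY_CPSC;` followed by its terminating statement, which is not visible in this hunk.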
358 @@ -1618,6 +1626,7 @@
363 case END_XAUTHSERVER:
364 case END_XAUTHCLIENT:
366 diff -ur openswan-2.6.25/programs/pluto/xauth.c openswan-2.6.25.yair/programs/pluto/xauth.c
367 --- openswan-2.6.25/programs/pluto/xauth.c 2010-03-21 19:39:35.000000000 +0200
368 +++ openswan-2.6.25.yair/programs/pluto/xauth.c 2010-05-15 09:23:49.787957031 +0300
370 out_raw(&mask,4,&attrval,"IP4_mask");
375 case INTERNAL_IP4_SUBNET:
377 char mask[4],bits[8]={0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
384 case INTERNAL_IP4_DNS:
385 len = addrbytesptr(&ia.dns[dns_idx++], &byte_ptr);
386 out_raw(byte_ptr,len,&attrval,"IP4_dns");
388 init_phase2_iv(st, &st->st_msgid_phase15);
391 -#define MODECFG_SET_ITEM ( LELEM(INTERNAL_IP4_ADDRESS) | LELEM(INTERNAL_IP4_SUBNET) | LELEM(INTERNAL_IP4_NBNS) | LELEM(INTERNAL_IP4_DNS) )
392 +//#define MODECFG_SET_ITEM ( LELEM(INTERNAL_IP4_ADDRESS) | LELEM(INTERNAL_IP4_SUBNET) | LELEM(INTERNAL_IP4_NBNS) | LELEM(INTERNAL_IP4_DNS) )
393 +#define MODECFG_SET_ITEM ( LELEM(INTERNAL_IP4_ADDRESS) | LELEM(INTERNAL_IP4_NBNS) | LELEM(INTERNAL_IP4_DNS) )
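Review bot: Dropping `LELEM(INTERNAL_IP4_SUBNET)` from `MODECFG_SET_ITEM` changes Mode Config behaviour for every connection, not just Check Point ones, and the old definition is left behind as a `//` comment. The same applies to the `// case INTERNAL_IP4_SUBNET:` lines in the later hunks at -1454, -1587, -1695, -1806 and -2277, where the attribute now falls into whatever each switch does for unrecognised types. If the gateway's subnet attribute has to be ignored, make that conditional on `st->st_connection->policy & POLICY_CPSC` and delete the commented-out lines. Otherwise existing peers that rely on INTERNAL_IP4_SUBNET lose it silently.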
397 @@ -1454,7 +1455,7 @@
398 case INTERNAL_IP4_ADDRESS:
399 case INTERNAL_IP4_NETMASK:
400 case INTERNAL_IP4_DNS:
401 - case INTERNAL_IP4_SUBNET:
402 +// case INTERNAL_IP4_SUBNET:
403 case INTERNAL_IP4_NBNS:
404 resp |= LELEM(attr.isaat_af_type);
406 @@ -1587,7 +1588,7 @@
408 case INTERNAL_IP4_NETMASK:
409 case INTERNAL_IP4_DNS:
410 - case INTERNAL_IP4_SUBNET:
411 +// case INTERNAL_IP4_SUBNET:
412 case INTERNAL_IP4_NBNS:
413 resp |= LELEM(attr.isaat_af_type);
415 @@ -1695,7 +1696,7 @@
416 case INTERNAL_IP4_ADDRESS:
417 case INTERNAL_IP4_NETMASK:
418 case INTERNAL_IP4_DNS:
419 - case INTERNAL_IP4_SUBNET:
420 +// case INTERNAL_IP4_SUBNET:
421 case INTERNAL_IP4_NBNS:
422 resp |= LELEM(attr.isaat_af_type);
424 @@ -1806,7 +1807,7 @@
428 - case INTERNAL_IP4_SUBNET:
429 +// case INTERNAL_IP4_SUBNET:
430 case INTERNAL_IP4_NBNS:
431 resp |= LELEM(attr.isaat_af_type);
433 @@ -2004,12 +2005,18 @@
437 + if (st->st_connection->policy & POLICY_CPSC)
438 + attr.isaat_af_type = CPSC_TYPE | ISAKMP_ATTR_AF_TV;
440 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
441 attr.isaat_lv = XAUTH_TYPE_GENERIC;
442 out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, NULL);
445 case XAUTH_USER_NAME:
446 + if (st->st_connection->policy & POLICY_CPSC)
447 + attr.isaat_af_type = CPSC_USER_NAME | ISAKMP_ATTR_AF_TLV;
449 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
450 out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval);
452 @@ -2046,6 +2053,9 @@
455 case XAUTH_USER_PASSWORD:
456 + if (st->st_connection->policy & POLICY_CPSC)
457 + attr.isaat_af_type = CPSC_USER_PASSWORD | ISAKMP_ATTR_AF_TLV;
459 attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
460 out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval);
462 @@ -2247,18 +2257,23 @@
464 switch(attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK )
469 status = attr.isaat_lv;
475 memcpy(msgbuf, dat, len);
477 loglog(RC_LOG_SERIOUS, "XAUTH: Bad Message: %s", msgbuf);
482 + attr.isaat_af_type = XAUTH_TYPE;
486 if(type != XAUTH_TYPE_GENERIC)
487 @@ -2269,6 +2284,14 @@
488 xauth_resp |= XAUTHLELEM(attr.isaat_af_type);
491 + case CPSC_USER_NAME:
492 + attr.isaat_af_type = XAUTH_USER_NAME;
493 + goto cp_hybrid_common;
495 + case CPSC_USER_PASSWORD:
496 + attr.isaat_af_type = XAUTH_USER_PASSWORD;
499 case XAUTH_USER_NAME:
500 case XAUTH_USER_PASSWORD:
501 xauth_resp |= XAUTHLELEM(attr.isaat_af_type);
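Review bot: The new `case CPSC_USER_NAME:` and `case CPSC_USER_PASSWORD:` labels rewrite the attribute to `XAUTH_USER_NAME` / `XAUTH_USER_PASSWORD` with no `POLICY_CPSC` test in the visible lines, although the sending side elsewhere in this file does check the policy. Since ietf_constants.h gives these the values 14 and 15, the same as `SUPPORTED_ATTRIBUTES` and `INTERNAL_IP6_SUBNET`, a peer on an ordinary XAUTH connection that sends either attribute would be treated as asking for the user name or password. The remap should happen only when `st->st_connection->policy & POLICY_CPSC` is set, with other connections left on the switch's existing path for those numbers. Several lines of this hunk, including the `cp_hybrid_common` label, are not visible, so the guard may need to sit there.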
502 @@ -2277,7 +2300,7 @@
503 case INTERNAL_IP4_ADDRESS:
504 case INTERNAL_IP4_NETMASK:
505 case INTERNAL_IP4_DNS:
506 - case INTERNAL_IP4_SUBNET:
507 +// case INTERNAL_IP4_SUBNET:
508 case INTERNAL_IP4_NBNS:
509 xauth_resp |= LELEM(attr.isaat_af_type);
511 @@ -2347,8 +2370,10 @@
514 /* reset the message ID */
515 + if (!(st->st_connection->policy & POLICY_CPSC)) {
516 st->st_msgid_phase15b = st->st_msgid_phase15;
517 st->st_msgid_phase15 = 0;
520 DBG(DBG_CONTROLMORE, DBG_log("xauth_inI0(STF_OK)"));
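Review bot: The message ID is now left untouched for `POLICY_CPSC` connections but nothing says why, and the two guarded assignments keep their old indentation, so the new braces are easy to miss. A comment such as `/* Check Point continues the exchange under the same message ID, so keep st_msgid_phase15 until the status arrives */` would help, if that is indeed the reason. It is also worth stating where the ID is finally cleared for these connections, since the visible hunks do not show it.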
522 @@ -2403,6 +2428,9 @@
523 attr_type = XAUTH_TYPE;
525 /* ISAKMP attr out */
526 + if (st->st_connection->policy & POLICY_CPSC)
527 + attr.isaat_af_type = CPSC_STATUS | ISAKMP_ATTR_AF_TV;
529 attr.isaat_af_type = XAUTH_STATUS | ISAKMP_ATTR_AF_TV;
531 out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, &attrval);
532 @@ -2491,6 +2519,8 @@
534 switch(attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK )
537 + attr.isaat_af_type = XAUTH_STATUS;
539 xauth_resp |= XAUTHLELEM(attr.isaat_af_type);
541 @@ -2512,6 +2542,9 @@
543 /* oops, something seriously wrong */
544 openswan_log("did not get status attribute in xauth_inI1, looking for new challenge.");
545 + if (st->st_connection->policy & POLICY_CPSC)
546 + st->st_state = STATE_CPSC_I0;
548 change_state(st, STATE_XAUTH_I0);
549 return xauth_inI0(md);
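Review bot: The CPSC branch assigns `st->st_state = STATE_CPSC_I0;` directly while the existing branch goes through `change_state(st, STATE_XAUTH_I0)`, so whatever bookkeeping or logging `change_state()` performs is skipped for Check Point connections. Use `change_state(st, STATE_CPSC_I0);` so both paths move the state the same way. The enclosing function starts outside this hunk.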