pluto: Option added to disable adns.
authorTobias Brunner <tobias@strongswan.org>
Fri, 14 Oct 2011 12:34:45 +0000 (14:34 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 14 Oct 2011 15:36:20 +0000 (17:36 +0200)
This basically disables opportunistic encryption.

configure.in
src/pluto/Android.mk
src/pluto/Makefile.am
src/pluto/adns.h
src/pluto/connections.c
src/pluto/constants.c
src/pluto/ipsec_doi.c
src/pluto/plutomain.c
src/pluto/rcv_whack.c
src/pluto/server.c

index c8aa68a..6db8276 100644 (file)
@@ -161,6 +161,7 @@ ARG_DISBL_SET([load-warning],   [disable the charon/pluto plugin load option war
 ARG_DISBL_SET([pluto],          [disable the IKEv1 keying daemon pluto.])
 ARG_DISBL_SET([xauth],          [disable xauth plugin.])
 ARG_DISBL_SET([threads],        [disable the use of threads in pluto. Charon always uses threads.])
+ARG_DISBL_SET([adns],           [disable the use of adns in pluto (disables opportunistic encryption).])
 ARG_DISBL_SET([charon],         [disable the IKEv2 keying daemon charon.])
 ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
 ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
@@ -1001,6 +1002,7 @@ AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue)
 AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
 AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
 AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
+AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
 AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
 AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
index a6b2fd5..d12d9be 100644 (file)
@@ -15,7 +15,6 @@ crypto.c crypto.h \
 db_ops.c db_ops.h \
 defs.c defs.h \
 demux.c demux.h \
-dnskey.c dnskey.h \
 event_queue.c event_queue.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
index 934b11a..41c4807 100644 (file)
@@ -2,7 +2,11 @@
 # painless way. Only the most important options are included,
 # further work may be necessary here...
 
-ipsec_PROGRAMS = pluto _pluto_adns
+ipsec_PROGRAMS = pluto
+
+if USE_ADNS
+ipsec_PROGRAMS += _pluto_adns
+endif
 
 pluto_SOURCES = \
 ac.c ac.h \
@@ -17,7 +21,6 @@ crypto.c crypto.h \
 db_ops.c db_ops.h \
 defs.c defs.h \
 demux.c demux.h \
-dnskey.c dnskey.h \
 event_queue.c event_queue.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
@@ -53,7 +56,13 @@ x509.c x509.h \
 builder.c builder.h \
 rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
 
-_pluto_adns_SOURCES = adns.c adns.h
+if USE_ADNS
+pluto_SOURCES += \
+dnskey.c dnskey.h
+
+_pluto_adns_SOURCES = \
+adns.c adns.h
+endif
 
 plutomain.o :  $(top_builddir)/config.status
 
@@ -84,9 +93,11 @@ $(LIBFREESWANDIR)/libfreeswan.a \
 $(LIBHYDRADIR)/libhydra.la \
 -lresolv $(PTHREADLIB) $(DLLIB)
 
+if USE_ADNS
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
+endif
 
 dist_man_MANS = pluto.8
 
@@ -126,6 +137,10 @@ if USE_THREADS
   AM_CFLAGS += -DTHREADS
 endif
 
+if USE_ADNS
+  AM_CFLAGS += -DADNS
+endif
+
 # build optional plugins
 ########################
 
index cc45cf4..dfbcbaf 100644 (file)
  * for more details.
  */
 
+#ifndef ADNS
+
+/* dummy struct to make compilers happy */
+struct adns_query {
+};
+
+#else /* rest of file */
+
 /* The interface in RHL6.x and BIND distribution 8.2.2 are different,
  * so we build some of our own :-(
  */
@@ -67,3 +75,4 @@ enum helper_exit_status {
        HES_BAD_LEN,        /* implausible .len field */
        HES_BAD_MAGIC,      /* .magic field wrong */
 };
+#endif /* ADNS */
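Review bot: The stub `struct adns_query { };` in the `#ifndef ADNS` branch is an empty struct, which is a GCC extension rather than ISO C (a struct needs at least one named member), so a `-pedantic` or non-GCC build of the adns-less configuration would reject it. If the type only ever appears behind a pointer a forward declaration `struct adns_query;` is enough; if it is embedded by value somewhere (the "make compilers happy" comment suggests it is), give it a single member instead: `struct adns_query { int unused; /* ISO C forbids empty structs */ };`. The `#else /* rest of file */` comment could also say what it guards, e.g. `#else /* ADNS: real adns interface */`.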
index 2194362..27cec40 100644 (file)
@@ -425,8 +425,9 @@ void delete_connection(connection_t *c, bool relations)
                c->requested_ca->destroy_offset(c->requested_ca,
                                                                                offsetof(identification_t, destroy));
        }
+#ifdef ADNS
        gw_delref(&c->gw_info);
-
+#endif
        lock_certs_and_keys("delete_connection");
        cert_release(c->spd.this.cert);
        scx_release(c->spd.this.sc);
@@ -1477,6 +1478,8 @@ connection_t *rw_instantiate(connection_t *c, const ip_address *him,
        return d;
 }
 
+#ifdef ADNS
+
 connection_t *oppo_instantiate(connection_t *c, const ip_address *him,
                                                           identification_t *his_id, struct gw_info *gw,
                                                           const ip_address *our_client USED_BY_DEBUG,
@@ -1544,6 +1547,8 @@ connection_t *oppo_instantiate(connection_t *c, const ip_address *him,
        return d;
 }
 
+#endif /* ADNS */
+
 /* priority formatting */
 void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
 {
@@ -1767,6 +1772,8 @@ connection_t *find_connection_for_clients(struct spd_route **srp,
        return best;
 }
 
+#ifdef ADNS
+
 /* Find and instantiate a connection for an outgoing Opportunistic connection.
  * We've already discovered its gateway.
  * We look for a the connection such that:
@@ -1869,6 +1876,8 @@ connection_t *build_outgoing_opportunistic_connection(struct gw_info *gw,
        }
 }
 
+#endif /* ADNS */
+
 bool orient(connection_t *c)
 {
        struct spd_route *sr;
@@ -2179,6 +2188,8 @@ void initiate_opportunistic(const ip_address *our_client,
        initiate_opportunistic_body(&b, NULL, NULL);
 }
 
+#ifdef ADNS
+
 static void continue_oppo(struct adns_continuation *acr, err_t ugh)
 {
        struct find_oppo_continuation *cr = (void *)acr;    /* inherit, damn you! */
@@ -2242,6 +2253,8 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
        close_any(whackfd);
 }
 
+#endif /* ADNS */
+
 #ifdef USE_KEYRR
 static err_t check_key_recs(enum myid_state try_state, const connection_t *c,
                                                        struct adns_continuation *ac)
@@ -2298,6 +2311,8 @@ static err_t check_key_recs(enum myid_state try_state, const connection_t *c,
 }
 #endif /* USE_KEYRR */
 
+#ifdef ADNS
+
 static err_t check_txt_recs(enum myid_state try_state, const connection_t *c,
                                                        struct adns_continuation *ac)
 {
@@ -2355,6 +2370,8 @@ static err_t check_txt_recs(enum myid_state try_state, const connection_t *c,
        return ugh;
 }
 
+#endif /* ADNS */
+
 
 /* note: gateways_from_dns must be NULL iff this is the first call */
 static void initiate_opportunistic_body(struct find_oppo_bundle *b,
@@ -2431,6 +2448,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
                ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
                b->whackfd = NULL_FD;   /* protect from close */
        }
+#ifdef ADNS
        else
        {
                /* We are handling an opportunistic situation.
@@ -2996,6 +3014,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
                                cannot_oppo(c, b, ugh);
                }
        }
+#endif /* ADNS */
        close_any(b->whackfd);
 }
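Review bot: In initiate_opportunistic_body the whole `else` arm is compiled out when ADNS is undefined, so an opportunistic trigger that does not hit the `ipsecdoi_initiate` branch falls straight through to `close_any(b->whackfd)` with no log line and nothing sent to the whack client, unlike the ipsec_doi.c change which logs that adns is unavailable. The `if` condition itself is above the hunk, so I cannot confirm which cases reach here, but a matching `#else /* ADNS */` arm before the existing `#endif` would make the failure visible: `else` / `plog("opportunistic connections not supported because adns is not available");`. The same silent fall-through pattern applies to the `#ifdef ADNS` around `gw_delref(&c->gw_info)` in delete_connection only if `gw_info` is still set elsewhere without adns; worth a one-line comment there saying the field is only populated by the adns path.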
 
index ec7bfaf..73ec0bc 100644 (file)
@@ -1105,6 +1105,8 @@ bool subnetisnone(const ip_subnet *sn)
        return isanyaddr(&base) && subnetishost(sn);
 }
 
+#ifdef ADNS
+
 /* BIND enumerated types */
 
 #include <arpa/nameser.h>
@@ -1169,6 +1171,8 @@ static const char *const rr_class_name[] = {
 
 enum_names rr_class_names = { C_IN, C_IN, rr_class_name, NULL };
 
+#endif /* ADNS */
+
 /*
  * NAT-Traversal defines for nat_traveral type from nat_traversal.h
  *
index c8a347b..3e7adcc 100644 (file)
@@ -3862,10 +3862,11 @@ main_id_and_auth(struct msg_digest *md
 
                if (r == STF_SUSPEND)
                {
+                       err_t ugh = NULL;
+#ifdef ADNS
                        /* initiate/resume asynchronous DNS lookup for key */
                        struct key_continuation *nkc = malloc_thing(struct key_continuation);
                        enum key_oppo_step step_done = kc == NULL? kos_null : kc->step;
-                       err_t ugh = NULL;
 
                        /* Record that state is used by a suspended md */
                        passert(st->st_suspended_md == NULL);
@@ -3896,7 +3897,9 @@ main_id_and_auth(struct msg_digest *md
                        default:
                                bad_case(step_done);
                        }
-
+#else /* ADNS */
+                       ugh = "adns not supported";
+#endif /* ADNS */
                        if (ugh != NULL)
                        {
                                report_key_dns_failure(peer, ugh);
@@ -4444,6 +4447,8 @@ stf_status quick_inI1_outR1(struct msg_digest *md)
        return quick_inI1_outR1_tail(&b, NULL);
 }
 
+#ifdef ADNS
+
 static void
 report_verify_failure(struct verify_oppo_bundle *b, err_t ugh)
 {
@@ -4808,6 +4813,8 @@ static enum verify_oppo_step quick_inI1_outR1_process_answer(
        return next_step;
 }
 
+#endif /* ADNS */
+
 static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
                                                                                struct adns_continuation *ac)
 {
@@ -4871,6 +4878,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
                                 */
                                if (p->policy & POLICY_OPPO)
                                {
+#ifdef ADNS
                                        /* Opportunistic case: delegation must be verified.
                                         * Here be dragons.
                                         */
@@ -4925,6 +4933,11 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
                                         */
                                        p = oppo_instantiate(p, &c->spd.that.host_addr, c->spd.that.id
                                                , NULL, &our_client, &his_client);
+#else /* ADNS */
+                                       plog("opportunistic connections not supported because"
+                                                " adns is not available");
+                                       return STF_INTERNAL_ERROR;
+#endif /* ADNS */
                                }
                                else
                                {
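Review bot: In main_id_and_auth the non-ADNS branch only sets `ugh = "adns not supported"` and then reaches `report_key_dns_failure(peer, ugh)`, but the bookkeeping the ADNS branch performs first (recording `st->st_suspended_md`) is skipped, and `r` is still `STF_SUSPEND` at this point. What follows `report_key_dns_failure` is outside the hunk, so please confirm it does not undo a suspension that was never recorded and that the exchange is failed rather than left suspended forever when adns is compiled out. In quick_inI1_outR1_tail the `#else` arm returns `STF_INTERNAL_ERROR` for a build-time configuration choice; a short comment such as `/* OE needs DNS delegation checks, which require adns */` would explain why this is treated as an error rather than a policy mismatch.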
index af77202..4eac5a2 100644 (file)
@@ -491,11 +491,11 @@ int main(int argc, char **argv)
                case 'f':       /* --policygroupsdir <policygroups-dir> */
                        policygroups_dir = optarg;
                        continue;
-
+#ifdef ADNS
                case 'a':       /* --adns <pathname> */
                        pluto_adns_option = optarg;
                        continue;
-
+#endif
                case 'm':       /* --pkcs11module <pathname> */
                        pkcs11_module_path = optarg;
                        continue;
@@ -701,7 +701,9 @@ int main(int argc, char **argv)
        init_states();
        init_demux();
        init_kernel();
+#ifdef ADNS
        init_adns();
+#endif
        init_myid();
        fetch_initialize();
        ac_initialize();
@@ -820,7 +822,9 @@ void exit_pluto(int status)
        free_ifaces();
        ac_finalize();              /* free X.509 attribute certificates */
        scx_finalize();             /* finalize and unload PKCS #11 module */
+#ifdef ADNS
        stop_adns();
+#endif
        free_md_pool();
        free_crypto();
        free_myid();                /* free myids */
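Review bot: Guarding only `case 'a':` in main leaves the rest of the `--adns` plumbing outside the hunk: if the `getopt_long` table still contains the `"adns"` entry, the option is still accepted by the parser and then lands in the default branch instead of being rejected as unknown, and the usage text presumably still advertises it. Either guard the table entry and usage line with the same `#ifdef ADNS`, or keep the case and make the situation explicit, e.g. `case 'a': plog("--adns ignored: pluto was built without adns support"); continue;`. The `pluto_adns_option` variable and `init_adns`/`stop_adns` prototypes may likewise need the guard to avoid unused-variable or implicit-declaration warnings in the adns-less build.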
index 8db8a96..94b07bd 100644 (file)
@@ -132,6 +132,8 @@ static void key_add_merge(struct key_add_common *oc, identification_t *keyid)
        }
 }
 
+#ifdef ADNS
+
 static void key_add_continue(struct adns_continuation *ac, err_t ugh)
 {
        struct key_add_continuation *kc = (void *) ac;
@@ -159,6 +161,8 @@ static void key_add_continue(struct adns_continuation *ac, err_t ugh)
        whack_log_fd = NULL_FD;
 }
 
+#endif /* ADNS */
+
 static void key_add_request(const whack_message_t *msg)
 {
        identification_t *key_id;
@@ -189,9 +193,11 @@ static void key_add_request(const whack_message_t *msg)
                        kc = malloc_thing(struct key_add_continuation);
                        kc->common = oc;
                        kc->lookingfor = kaa;
+                       ugh = NULL;
 
                        switch (kaa)
                        {
+#ifdef ADNS
                                case ka_TXT:
                                        ugh = start_adns_query(key_id
                                                        , key_id        /* same */
@@ -199,6 +205,7 @@ static void key_add_request(const whack_message_t *msg)
                                                        , key_add_continue
                                                        , &kc->ac);
                                        break;
+#endif /* ADNS */
 #ifdef USE_KEYRR
                                case ka_KEY:
                                        ugh = start_adns_query(key_id
@@ -437,7 +444,9 @@ void whack_handle(int whackctlfd)
                plog("listening for IKE messages");
                listening = TRUE;
                daily_log_reset();
+#ifdef ADNS
                reset_adns_restart_count();
+#endif
                set_myFQDN();
                find_ifaces();
                load_preshared_secrets(NULL_FD);
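Review bot: In key_add_request the `ka_TXT` case is compiled out but `ugh` is initialised to `NULL` just above the switch, so in a build without ADNS (and without USE_KEYRR) a TXT request leaves `ugh == NULL`, which the code after the switch presumably treats as "query started"; the freshly allocated `kc` is then never continued, leaking it and possibly leaving the whack client waiting. Unless the switch has a `default` that rejects this (not visible in the hunk), add an `#else` arm that reports the failure. Separately, the `#ifdef USE_KEYRR` case at the bottom of the hunk still calls `start_adns_query` and `key_add_continue` unconditionally, so USE_KEYRR without ADNS will not compile; either make that block `#if defined(USE_KEYRR) && defined(ADNS)` or document that USE_KEYRR requires ADNS.
```c
			switch (kaa)
			{
#ifdef ADNS
				case ka_TXT:
					/* … unchanged: start_adns_query(..., key_add_continue, &kc->ac) … */
					break;
#else /* ADNS */
				case ka_TXT:
					ugh = "adns not supported";
					break;
#endif /* ADNS */
```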
index e290e36..7a0b161 100644 (file)
@@ -822,6 +822,7 @@ call_server(void)
                        FD_ZERO(&writefds);
                        FD_SET(ctl_fd, &readfds);
 
+#ifdef ADNS
                        /* the only write file-descriptor of interest */
                        if (adns_qfd != NULL_FD && unsent_ADNS_queries)
                        {
@@ -836,6 +837,7 @@ call_server(void)
                                        maxfd = adns_afd;
                                FD_SET(adns_afd, &readfds);
                        }
+#endif /* ADNS */
 
                        events_fd = pluto->events->get_event_fd(pluto->events);
                        if (maxfd < events_fd)
@@ -903,6 +905,7 @@ call_server(void)
                {
                        /* at least one file descriptor is ready */
 
+#ifdef ADNS
                        if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
                        {
                                passert(ndes > 0);
@@ -921,6 +924,7 @@ call_server(void)
                                passert(GLOBALS_ARE_RESET());
                                ndes--;
                        }
+#endif /* ADNS*/
 
                        if (FD_ISSET(events_fd, &readfds))
                        {
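Review bot: The closing comment `#endif /* ADNS*/` in the second call_server hunk is missing the space before `*/` that every other `#endif /* ADNS */` in this commit has; worth aligning so a grep for the guard pattern finds all of them. The guarded blocks themselves look consistent: both the `FD_SET` setup and the `FD_ISSET` handling for `adns_qfd`/`adns_afd` are removed together, so `maxfd` and `ndes` are not affected when adns is compiled out. call_server begins and ends outside these hunks.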