This basically disables opportunistic encryption.
ARG_DISBL_SET([pluto], [disable the IKEv1 keying daemon pluto.])
ARG_DISBL_SET([xauth], [disable xauth plugin.])
ARG_DISBL_SET([threads], [disable the use of threads in pluto. Charon always uses threads.])
+ARG_DISBL_SET([adns], [disable the use of adns in pluto (disables opportunistic encryption).])
ARG_DISBL_SET([charon], [disable the IKEv2 keying daemon charon.])
ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).])
ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).])
AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue)
AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue)
AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue)
+AM_CONDITIONAL(USE_ADNS, test x$adns = xtrue)
AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue)
AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue)
AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
db_ops.c db_ops.h \
defs.c defs.h \
demux.c demux.h \
-dnskey.c dnskey.h \
event_queue.c event_queue.h \
fetch.c fetch.h \
foodgroups.c foodgroups.h \
# painless way. Only the most important options are included,
# further work may be necessary here...
-ipsec_PROGRAMS = pluto _pluto_adns
+ipsec_PROGRAMS = pluto
+
+if USE_ADNS
+ipsec_PROGRAMS += _pluto_adns
+endif
pluto_SOURCES = \
ac.c ac.h \
db_ops.c db_ops.h \
defs.c defs.h \
demux.c demux.h \
-dnskey.c dnskey.h \
event_queue.c event_queue.h \
fetch.c fetch.h \
foodgroups.c foodgroups.h \
builder.c builder.h \
rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
-_pluto_adns_SOURCES = adns.c adns.h
+if USE_ADNS
+pluto_SOURCES += \
+dnskey.c dnskey.h
+
+_pluto_adns_SOURCES = \
+adns.c adns.h
+endif
plutomain.o : $(top_builddir)/config.status
$(LIBHYDRADIR)/libhydra.la \
-lresolv $(PTHREADLIB) $(DLLIB)
+if USE_ADNS
_pluto_adns_LDADD = \
$(LIBFREESWANDIR)/libfreeswan.a \
-lresolv $(DLLIB)
+endif
dist_man_MANS = pluto.8
AM_CFLAGS += -DTHREADS
endif
+if USE_ADNS
+ AM_CFLAGS += -DADNS
+endif
+
# build optional plugins
########################
* for more details.
*/
+#ifndef ADNS
+
+/* dummy struct to make compilers happy */
+struct adns_query {
+};
+
+#else /* rest of file */
+
/* The interface in RHL6.x and BIND distribution 8.2.2 are different,
* so we build some of our own :-(
*/
HES_BAD_LEN, /* implausible .len field */
HES_BAD_MAGIC, /* .magic field wrong */
};
+#endif /* ADNS */
c->requested_ca->destroy_offset(c->requested_ca,
offsetof(identification_t, destroy));
}
+#ifdef ADNS
gw_delref(&c->gw_info);
-
+#endif
lock_certs_and_keys("delete_connection");
cert_release(c->spd.this.cert);
scx_release(c->spd.this.sc);
return d;
}
+#ifdef ADNS
+
connection_t *oppo_instantiate(connection_t *c, const ip_address *him,
identification_t *his_id, struct gw_info *gw,
const ip_address *our_client USED_BY_DEBUG,
return d;
}
+#endif /* ADNS */
+
/* priority formatting */
void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
{
return best;
}
+#ifdef ADNS
+
/* Find and instantiate a connection for an outgoing Opportunistic connection.
* We've already discovered its gateway.
* We look for a the connection such that:
}
}
+#endif /* ADNS */
+
bool orient(connection_t *c)
{
struct spd_route *sr;
initiate_opportunistic_body(&b, NULL, NULL);
}
+#ifdef ADNS
+
static void continue_oppo(struct adns_continuation *acr, err_t ugh)
{
struct find_oppo_continuation *cr = (void *)acr; /* inherit, damn you! */
close_any(whackfd);
}
+#endif /* ADNS */
+
#ifdef USE_KEYRR
static err_t check_key_recs(enum myid_state try_state, const connection_t *c,
struct adns_continuation *ac)
}
#endif /* USE_KEYRR */
+#ifdef ADNS
+
static err_t check_txt_recs(enum myid_state try_state, const connection_t *c,
struct adns_continuation *ac)
{
return ugh;
}
+#endif /* ADNS */
+
/* note: gateways_from_dns must be NULL iff this is the first call */
static void initiate_opportunistic_body(struct find_oppo_bundle *b,
ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
b->whackfd = NULL_FD; /* protect from close */
}
+#ifdef ADNS
else
{
/* We are handling an opportunistic situation.
cannot_oppo(c, b, ugh);
}
}
+#endif /* ADNS */
close_any(b->whackfd);
}
return isanyaddr(&base) && subnetishost(sn);
}
+#ifdef ADNS
+
/* BIND enumerated types */
#include <arpa/nameser.h>
enum_names rr_class_names = { C_IN, C_IN, rr_class_name, NULL };
+#endif /* ADNS */
+
/*
* NAT-Traversal defines for nat_traveral type from nat_traversal.h
*
if (r == STF_SUSPEND)
{
+ err_t ugh = NULL;
+#ifdef ADNS
/* initiate/resume asynchronous DNS lookup for key */
struct key_continuation *nkc = malloc_thing(struct key_continuation);
enum key_oppo_step step_done = kc == NULL? kos_null : kc->step;
- err_t ugh = NULL;
/* Record that state is used by a suspended md */
passert(st->st_suspended_md == NULL);
default:
bad_case(step_done);
}
-
+#else /* ADNS */
+ ugh = "adns not supported";
+#endif /* ADNS */
if (ugh != NULL)
{
report_key_dns_failure(peer, ugh);
return quick_inI1_outR1_tail(&b, NULL);
}
+#ifdef ADNS
+
static void
report_verify_failure(struct verify_oppo_bundle *b, err_t ugh)
{
return next_step;
}
+#endif /* ADNS */
+
static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
struct adns_continuation *ac)
{
*/
if (p->policy & POLICY_OPPO)
{
+#ifdef ADNS
/* Opportunistic case: delegation must be verified.
* Here be dragons.
*/
*/
p = oppo_instantiate(p, &c->spd.that.host_addr, c->spd.that.id
, NULL, &our_client, &his_client);
+#else /* ADNS */
+ plog("opportunistic connections not supported because"
+ " adns is not available");
+ return STF_INTERNAL_ERROR;
+#endif /* ADNS */
}
else
{
case 'f': /* --policygroupsdir <policygroups-dir> */
policygroups_dir = optarg;
continue;
-
+#ifdef ADNS
case 'a': /* --adns <pathname> */
pluto_adns_option = optarg;
continue;
-
+#endif
case 'm': /* --pkcs11module <pathname> */
pkcs11_module_path = optarg;
continue;
init_states();
init_demux();
init_kernel();
+#ifdef ADNS
init_adns();
+#endif
init_myid();
fetch_initialize();
ac_initialize();
free_ifaces();
ac_finalize(); /* free X.509 attribute certificates */
scx_finalize(); /* finalize and unload PKCS #11 module */
+#ifdef ADNS
stop_adns();
+#endif
free_md_pool();
free_crypto();
free_myid(); /* free myids */
}
}
+#ifdef ADNS
+
static void key_add_continue(struct adns_continuation *ac, err_t ugh)
{
struct key_add_continuation *kc = (void *) ac;
whack_log_fd = NULL_FD;
}
+#endif /* ADNS */
+
static void key_add_request(const whack_message_t *msg)
{
identification_t *key_id;
kc = malloc_thing(struct key_add_continuation);
kc->common = oc;
kc->lookingfor = kaa;
+ ugh = NULL;
switch (kaa)
{
+#ifdef ADNS
case ka_TXT:
ugh = start_adns_query(key_id
, key_id /* same */
, key_add_continue
, &kc->ac);
break;
+#endif /* ADNS */
#ifdef USE_KEYRR
case ka_KEY:
ugh = start_adns_query(key_id
plog("listening for IKE messages");
listening = TRUE;
daily_log_reset();
+#ifdef ADNS
reset_adns_restart_count();
+#endif
set_myFQDN();
find_ifaces();
load_preshared_secrets(NULL_FD);
FD_ZERO(&writefds);
FD_SET(ctl_fd, &readfds);
+#ifdef ADNS
/* the only write file-descriptor of interest */
if (adns_qfd != NULL_FD && unsent_ADNS_queries)
{
maxfd = adns_afd;
FD_SET(adns_afd, &readfds);
}
+#endif /* ADNS */
events_fd = pluto->events->get_event_fd(pluto->events);
if (maxfd < events_fd)
{
/* at least one file descriptor is ready */
+#ifdef ADNS
if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
{
passert(ndes > 0);
passert(GLOBALS_ARE_RESET());
ndes--;
}
+#endif /* ADNS*/
if (FD_ISSET(events_fd, &readfds))
{