openswan-2.4.0-secureclient.diff

ipsec vpn

diff -urN openswan-2.4.0/include/ietf_constants.h openswan-2.4.0-OpenSClient/include/ietf_constants.h
--- openswan-2.4.0/include/ietf_constants.h	2005-06-23 03:45:55.000000000 +0200
+++ openswan-2.4.0-OpenSClient/include/ietf_constants.h	2005-09-26 16:51:13.000000000 +0200
@@ -298,9 +298,19 @@
 #define    INTERNAL_IP6_DNS           10
 #define    INTERNAL_IP6_NBNS          11
 #define    INTERNAL_IP6_DHCP          12
+#if 0
 #define    INTERNAL_IP4_SUBNET        13
 #define    SUPPORTED_ATTRIBUTES       14
 #define    INTERNAL_IP6_SUBNET        15
+#endif
+
+/* Checkpoint attribute values */
+#define        CPSC_TYPE               13
+#define        CPSC_USER_NAME          14
+#define        CPSC_USER_PASSWORD      15
+#define        CPSC_MESSAGE            17
+#define        CPSC_CHALLENGE          18
+#define        CPSC_STATUS             20
 
 /* XAUTH attribute values */
 #define    XAUTH_TYPE                16520
@@ -314,6 +324,11 @@
 #define    XAUTH_NEXT_PIN            16528
 #define    XAUTH_ANSWER              16529
 
+
+#define        CPSC_INTERNAL_DOMAIN_NAME       16387
+#define        CPSC_CHKPT_MAC_ADDRESS          16388
+#define        CPSC_MARCIPAN_REASON_CODE       16389
+
 #define XAUTH_TYPE_GENERIC 0
 #define XAUTH_TYPE_CHAP    1
 #define XAUTH_TYPE_OTP     2
diff -urN openswan-2.4.0/include/pluto_constants.h openswan-2.4.0-OpenSClient/include/pluto_constants.h
--- openswan-2.4.0/include/pluto_constants.h	2005-08-19 19:53:03.000000000 +0200
+++ openswan-2.4.0-OpenSClient/include/pluto_constants.h	2005-09-26 16:51:13.000000000 +0200
@@ -160,7 +160,7 @@
 #define DBG_NATT        LELEM(11)       /* debugging of NAT-traversal */
 #define DBG_X509        LELEM(12)       /* X.509/pkix verify, cert retrival */
 #define DBG_DPD         LELEM(13)       /* DPD items */
-#define DBG_PRIVATE	LELEM(20)	/* private information: DANGER! */
+#define DBG_PRIVATE	LELEM(21)	/* private information: DANGER! */
 
 #define IMPAIR0	21	/* first bit for IMPAIR_* */
 
@@ -253,6 +253,10 @@
     STATE_XAUTH_I0,              /* client state is awaiting request */
     STATE_XAUTH_I1,              /* client state is awaiting result code */
 
+    STATE_CPSC_I0,             /* client state is awaiting request */
+    STATE_CPSC_I1,             /* client state is awaiting for challenge */
+    STATE_CPSC_I2,             /* client state is awaiting result code */
+
     STATE_IKE_ROOF
 
 };
@@ -287,6 +291,8 @@
 #define IS_ISAKMP_ENCRYPTED(s)     (STATE_MAIN_R2 <= (s) && STATE_AGGR_R0!=(s) && STATE_AGGR_I1 != (s))
 #define IS_ISAKMP_AUTHENTICATED(s) (STATE_MAIN_R3 <= (s))
 #define IS_ISAKMP_SA_ESTABLISHED(s) ((s) == STATE_MAIN_R3 || (s) == STATE_MAIN_I4 \
+				  || (s) == STATE_CPSC_I0 || (s) == STATE_CPSC_I1 \
+				  || (s) == STATE_CPSC_I2 \
 				  || (s) == STATE_AGGR_I2 || (s) == STATE_AGGR_R2 \
 				  || (s) == STATE_XAUTH_R0 || (s) == STATE_XAUTH_R1 \
 				  || (s) == STATE_MODE_CFG_R0 || (s) == STATE_MODE_CFG_R1 \
@@ -415,6 +421,7 @@
 #define POLICY_XAUTH        LELEM(17)   /* do we offer XAUTH? */
 #define POLICY_MODECFG_PULL LELEM(18)   /* is modecfg pulled by client? */
 #define POLICY_AGGRESSIVE   LELEM(19)   /* do we do aggressive mode? */
+#define POLICY_CPSC	    LELEM(20)   /* do we offer CP SecureClient? */
 
 
 /* Any IPsec policy?  If not, a connection description
diff -urN openswan-2.4.0/lib/libopenswan/constants.c openswan-2.4.0-OpenSClient/lib/libopenswan/constants.c
--- openswan-2.4.0/lib/libopenswan/constants.c	2005-06-23 03:45:55.000000000 +0200
+++ openswan-2.4.0-OpenSClient/lib/libopenswan/constants.c	2005-09-26 16:52:47.000000000 +0200
@@ -529,17 +529,32 @@
 	"INTERNAL_IP6_DNS",
 	"INTERNAL_IP6_NBNS",
 	"INTERNAL_IP6_DHCP",
+	"CPSC_TYPE",
+	"CPSC_USER_NAME",
+	"CPSC_USER_PASSWORD",
+	"CPSC_MESSAGE",
+	"CPSC_CHALLENGE",
+	"CPSC_STATUS",
+#if 0
 	"INTERNAL_IP4_SUBNET",
 	"SUPPORTED_ATTRIBUTES",
 	"INTERNAL_IP6_SUBNET",
+#endif
 	NULL
     };
-
+#if 0
 enum_names modecfg_attr_names_tv =
     { INTERNAL_IP4_ADDRESS + ISAKMP_ATTR_AF_TV , INTERNAL_IP6_SUBNET + ISAKMP_ATTR_AF_TV, modecfg_attr_name , &xauth_attr_names };
 
 enum_names modecfg_attr_names =
     { INTERNAL_IP4_ADDRESS , INTERNAL_IP6_SUBNET, modecfg_attr_name , &modecfg_attr_names_tv };
+#endif
+
+enum_names modecfg_attr_names_tv =
+    { INTERNAL_IP4_ADDRESS + ISAKMP_ATTR_AF_TV , modecfg_attr_name , &xauth_attr_names };
+
+enum_names modecfg_attr_names =
+    { INTERNAL_IP4_ADDRESS , modecfg_attr_name , &modecfg_attr_names_tv };
 
 /* Oakley Lifetime Type attribute */
 
diff -urN openswan-2.4.0/programs/_confread/_confread.in openswan-2.4.0-OpenSClient/programs/_confread/_confread.in
--- openswan-2.4.0/programs/_confread/_confread.in	2005-06-14 01:10:49.000000000 +0200
+++ openswan-2.4.0-OpenSClient/programs/_confread/_confread.in	2005-09-26 16:51:13.000000000 +0200
@@ -136,7 +136,7 @@
 	left = " left leftsubnet leftnexthop leftupdown"
 	akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
         akey = akey " dpddelay dpdtimeout dpdaction"
-	akey = akey " xauth"
+	akey = akey " xauth cpsc"
 	akey = akey " aggrmode"
 	akey = akey " compress"
 	akey = akey " keyingtries ikelifetime disablearrivalcheck failureshunt ike"
diff -urN openswan-2.4.0/programs/auto/auto.in openswan-2.4.0-OpenSClient/programs/auto/auto.in
--- openswan-2.4.0/programs/auto/auto.in	2005-01-11 18:52:49.000000000 +0100
+++ openswan-2.4.0-OpenSClient/programs/auto/auto.in	2005-09-26 16:51:13.000000000 +0200
@@ -372,6 +372,9 @@
 		yesno("pfs")
 		default("pfs", "yes")
 
+		yesno("cpsc")
+		default("cpsc", "no")
+
  		yesno("aggrmode")
  		default("aggrmode", "no")
 
@@ -496,6 +499,8 @@
 			if (s["pfsgroup"] != "")
 				settings = settings " --pfsgroup " qs("pfsgroup")
 		}
+		if (s["cpsc"] == "yes")
+			settings = settings " --cpsc"
  		if (s["aggrmode"] == "yes")
  			settings = settings " --aggrmode"
 
diff -urN openswan-2.4.0/programs/pluto/demux.c openswan-2.4.0-OpenSClient/programs/pluto/demux.c
--- openswan-2.4.0/programs/pluto/demux.c	2005-08-19 19:52:42.000000000 +0200
+++ openswan-2.4.0-OpenSClient/programs/pluto/demux.c	2005-09-26 16:51:13.000000000 +0200
@@ -617,6 +617,24 @@
     , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
     , P(ATTR) | P(HASH), P(VID), PT(HASH)
     , EVENT_SA_REPLACE, xauth_inI1 },
+
+    /* CheckPoint 2 stage authentication - Stage 1, ID only */
+    { STATE_CPSC_I0, STATE_CPSC_I1
+    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+    , P(ATTR) | P(HASH), P(VID), PT(HASH)
+    , EVENT_SA_REPLACE, xauth_inI0 },
+
+    /* Stage 2, Password/Challenge */
+    { STATE_CPSC_I1, STATE_CPSC_I2
+    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+    , P(ATTR) | P(HASH), P(VID), PT(HASH)
+    , EVENT_SA_REPLACE, xauth_inI0 },
+
+    { STATE_CPSC_I2, STATE_MAIN_I4
+    , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+    , P(ATTR) | P(HASH), P(VID), PT(HASH)
+    , EVENT_SA_REPLACE, xauth_inI1 },
+
 #endif
 
 #undef P
@@ -1782,6 +1800,9 @@
 	    else if(st->st_connection->spd.this.xauth_client
 		    && IS_PHASE1(st->st_state))
 	    {
+		if(st->st_connection->policy & POLICY_CPSC)
+			from_state = STATE_CPSC_I0;
+		else
 		from_state = STATE_XAUTH_I0;
 	    }
 	    else if(st->st_connection->spd.this.xauth_client
diff -urN openswan-2.4.0/programs/pluto/id.c openswan-2.4.0-OpenSClient/programs/pluto/id.c
--- openswan-2.4.0/programs/pluto/id.c	2005-02-14 06:56:02.000000000 +0100
+++ openswan-2.4.0-OpenSClient/programs/pluto/id.c	2005-09-26 16:51:13.000000000 +0200
@@ -256,6 +256,13 @@
 		}
 		id->name.len = len;
 	    }
+	    else if (*(src+1) == '!')
+	    {
+	    /* Special CheckPoint Handling - use @! */
+		id->kind = ID_USER_FQDN;
+		id->name.ptr = src+2;   /* discard @! */
+		id->name.len = 0;       /* ID protection - empty */
+	    }
 	    else
 	    {
 		id->kind = ID_FQDN;
diff -urN openswan-2.4.0/programs/pluto/ipsec_doi.c openswan-2.4.0-OpenSClient/programs/pluto/ipsec_doi.c
--- openswan-2.4.0/programs/pluto/ipsec_doi.c	2005-08-12 19:05:59.000000000 +0200
+++ openswan-2.4.0-OpenSClient/programs/pluto/ipsec_doi.c	2005-09-26 16:51:13.000000000 +0200
@@ -2744,7 +2744,12 @@
     struct state *const st = md->st;
     pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
     int auth_payload = st->st_oakley.auth == OAKLEY_PRESHARED_KEY
+#ifdef XAUTH
+    	? ISAKMP_NEXT_HASH : (st->st_oakley.xauth == HybridInitRSA
+    	? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG);
+#else
 	? ISAKMP_NEXT_HASH : ISAKMP_NEXT_SIG;
+#endif
     pb_stream id_pbs;	/* ID Payload; also used for hash calculation */
     bool send_cert = FALSE;
     bool send_cr = FALSE;
diff -urN openswan-2.4.0/programs/pluto/pluto_constants.c openswan-2.4.0-OpenSClient/programs/pluto/pluto_constants.c
--- openswan-2.4.0/programs/pluto/pluto_constants.c	2005-08-19 19:58:09.000000000 +0200
+++ openswan-2.4.0-OpenSClient/programs/pluto/pluto_constants.c	2005-09-26 16:51:13.000000000 +0200
@@ -129,6 +129,10 @@
 	"STATE_XAUTH_I0",
 	"STATE_XAUTH_I1",
 
+	"STATE_CPSC_I0",
+	"STATE_CPSC_I1",
+	"STATE_CPSC_I2",
+
 	"STATE_IKE_ROOF"  
     };
 
@@ -173,6 +177,9 @@
 
 	"XAUTH client - awaiting CFG_request",  /* MODE_XAUTH_I0 */
 	"XAUTH client - awaiting CFG_set",      /* MODE_XAUTH_I1 */
+	"CP SecureClient - awaiting username request",  /* MODE_CPSC_I0 */
+	"CP SecureClient - awaiting password request",  /* MODE_CPSC_I1 */
+	"CP SecureClient - awaiting authentication status",  /* MODE_CPSC_I2 */
 	"invalid state - IKE roof"
     };
 
@@ -262,6 +269,7 @@
 	"dummy1(XAUTH)",
 	"MODECFGPULL",
 	"AGGRESSIVE",
+	"CPSC",
 	NULL
     };
 
diff -urN openswan-2.4.0/programs/pluto/spdb.c openswan-2.4.0-OpenSClient/programs/pluto/spdb.c
--- openswan-2.4.0/programs/pluto/spdb.c	2005-07-06 00:07:06.000000000 +0200
+++ openswan-2.4.0-OpenSClient/programs/pluto/spdb.c	2005-09-26 16:51:13.000000000 +0200
@@ -100,6 +100,20 @@
 	{ OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
 	{ OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
 	};
+/* Checkpoint SecureClient proposal */
+static struct db_attr otrsasig1024des3md5CP_xauthc[] = {
+       { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
+       { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
+       { OAKLEY_AUTHENTICATION_METHOD, HybridInitRSA },
+       { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
+       };
+