diff -uNrp openswan-2.6.28.xauth/programs/pluto/connections.c openswan-2.6.28/programs/pluto/connections.c
--- openswan-2.6.28.xauth/programs/pluto/connections.c 2010-07-29 14:45:59.000000000 -0400
+++ openswan-2.6.28/programs/pluto/connections.c 2012-10-15 09:26:26.478771881 -0400
@@ -319,6 +319,11 @@ delete_connection(struct connection *c,
 set_debugging(old_cur_debugging);
 #endif
 pfreeany(c->name);
+#ifdef XAUTH
+ pfreeany(c->cisco_dns_info);
+ pfreeany(c->cisco_domain_info);
+ pfreeany(c->cisco_banner);
+#endif
 #ifdef DYNAMICDNS
 pfreeany(c->dnshostname);
 #endif /* DYNAMICDNS */
@@ -756,6 +761,12 @@ unshare_connection_strings(struct connec
 c->name = clone_str(c->name, "connection name");
+#ifdef XAUTH
+ c->cisco_dns_info = clone_str(c->cisco_dns_info, "connection cisco_dns_info");
+ c->cisco_domain_info = clone_str(c->cisco_domain_info, "connection cisco_domain_info");
+ c->cisco_banner = clone_str(c->cisco_banner, "connection cisco_banner");
+#endif
+
 #ifdef DYNAMICDNS
 c->dnshostname = clone_str(c->dnshostname, "connection dnshostname");
 #endif /* DYNAMICDNS */
@@ -1197,7 +1208,13 @@ add_connection(const struct whack_messag
 c->name = wm->name;
 c->connalias = wm->connalias;
+#ifdef XAUTH
+ c->cisco_dns_info = NULL;
+ c->cisco_domain_info = NULL;
+ c->cisco_banner = NULL;
+#endif
 #ifdef DYNAMICDNS
+ c->dnshostname = NULL;
 if (wm->dnshostname) c->dnshostname = wm->dnshostname;
 #endif /* DYNAMICDNS */
@@ -1302,11 +1319,6 @@ add_connection(const struct whack_messag
 /* Cisco interop: remote peer type */
 c->remotepeertype=wm->remotepeertype;
- /* Initializing Cisco dns and domain info */
- if (c->remotepeertype == CISCO) {
- c->cisco_dns_info[0] ='\0';
- c->cisco_domain_info[0] ='\0';
- }
 /* Network Manager support */
 #ifdef HAVE_NM
diff -uNrp openswan-2.6.28.xauth/programs/pluto/connections.h openswan-2.6.28/programs/pluto/connections.h
--- openswan-2.6.28.xauth/programs/pluto/connections.h 2010-07-29 14:45:59.000000000 -0400
+++ openswan-2.6.28/programs/pluto/connections.h 2012-10-15 09:26:26.478771881 -0400
@@ -259,15 +259,17 @@ struct connection {
 #ifdef DYNAMICDNS
 char *dnshostname;
 #endif /* DYNAMICDNS */
+#ifdef XAUTH
 #ifdef MODECFG
 ip_address modecfg_dns1;
 ip_address modecfg_dns2;
 ip_address modecfg_wins1;
 ip_address modecfg_wins2;
 #endif
- char cisco_dns_info[50];
- char cisco_domain_info[50];
- char server_banner[500];
+ char *cisco_dns_info;
+ char *cisco_domain_info;
+ char *cisco_banner;
+#endif /* XAUTH */
 u_int8_t metric; /* metric for tunnel routes */
 #ifdef HAVE_STATSD
 u_int32_t statsval; /* track what we have told statsd */
diff -uNrp openswan-2.6.28.xauth/programs/pluto/kernel.c openswan-2.6.28/programs/pluto/kernel.c
--- openswan-2.6.28.xauth/programs/pluto/kernel.c 2010-07-29 14:45:59.000000000 -0400
+++ openswan-2.6.28/programs/pluto/kernel.c 2012-10-15 09:26:26.478771881 -0400
@@ -421,11 +421,15 @@ fmt_common_shell_out(char *buf, int blen
 "PLUTO_STACK='%s' "
 "%s " /* possible metric */
 "PLUTO_CONN_POLICY='%s' "
- "%s " /* XAUTH username */
- "%s " /* PLUTO_MY_SRCIP */
+#ifdef XAUTH
+ "%s " /* XAUTH username - if any */
+#endif
+ "%s " /* PLUTO_MY_SRCIP - if any */
+#ifdef XAUTH
 "PLUTO_CISCO_DNS_INFO='%s' "
 "PLUTO_CISCO_DOMAIN_INFO='%s' "
 "PLUTO_PEER_BANNER='%s' "
+#endif
 #ifdef HAVE_NM
 "PLUTO_NM_CONFIGURED='%u' "
 #endif
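Review bot: The new pointer members `cisco_dns_info`, `cisco_domain_info` and `cisco_banner` in struct connection carry no comment on ownership or on NULL being a valid value, which the fixed-size arrays they replace never needed. Going by the connections.c hunks, they start as NULL in add_connection(), are duplicated in unshare_connection_strings() and released in delete_connection(), so every reader has to cope with NULL. I would add a line above them such as `/* heap strings from the peer's mode-config reply; NULL until received; owned by the connection */`. struct connection continues outside the hunk.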
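Review bot: The `PLUTO_CISCO_DNS_INFO='%s'`, `PLUTO_CISCO_DOMAIN_INFO='%s'` and `PLUTO_PEER_BANNER='%s'` conversions in fmt_common_shell_out now receive `char *` members that add_connection() sets to NULL, so a connection whose peer never sent those attributes would hand NULL to `%s`. The matching arguments are in the next fmt_common_shell_out hunk (`, c->cisco_dns_info` and the two lines after it); with the old arrays this could not happen. Passing NULL to `%s` is undefined behaviour in the printf family (presumably what consumes this format; the call is outside the hunk), and where the C library tolerates it the shell command would carry the literal `(null)`. Each argument should fall back to an empty string, for example `, c->cisco_dns_info ? c->cisco_dns_info : ""`.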
@@ -451,11 +455,15 @@ fmt_common_shell_out(char *buf, int blen
 , kernel_ops->kern_name
 , metric_str
 , prettypolicy(c->policy)
+#ifdef XAUTH
 , secure_xauth_username_str
+#endif
 , srcip_str
+#ifdef XAUTH
 , c->cisco_dns_info
 , c->cisco_domain_info
- , c->server_banner
+ , c->cisco_banner
+#endif
 #ifdef HAVE_NM
 , c->nmconfigured
 #endif
diff -uNrp openswan-2.6.28.xauth/programs/pluto/xauth.c openswan-2.6.28/programs/pluto/xauth.c
--- openswan-2.6.28.xauth/programs/pluto/xauth.c 2010-07-29 14:45:59.000000000 -0400
+++ openswan-2.6.28/programs/pluto/xauth.c 2012-10-15 09:26:26.478771881 -0400
@@ -39,6 +39,8 @@
 #include <openswan.h>
 #include <openswan/ipsec_policy.h>
+#include "oswalloc.h"
+
 #include "sysdep.h"
 #include "oswconf.h"
 #include "constants.h"
@@ -1626,6 +1628,39 @@ modecfg_inI2(struct msg_digest *md)
 return STF_OK;
 }
+/* Auxillary function for modecfg_inR1() */
+static char *
+cisco_stringify(pb_stream *pbs, const char *attr_name)
+{
+ char strbuf[500]; /* Cisco maximum unknown - arbitrary choice */
+ size_t len = pbs_left(pbs);
+
+ if (len > sizeof(strbuf)-1)
+ len = sizeof(strbuf)-1;
+
+ memcpy(strbuf, pbs->cur, len);
+ strbuf[len] = '\0';
+ /* ' is poison to the way this string will be used
+ * in system() and hence shell. Remove any.
+ */
+ {
+ char *s = strbuf;
+
+ for (;;)
+ {
+ s = strchr(s, '\'');
+ if (s == NULL)
+ break;
+ *s = '?';
+ }
+ }
+ (void)sanitize_string(strbuf, sizeof(strbuf));
+ DBG(DBG_CONTROL, DBG_log("Received Cisco %s: %s", attr_name, strbuf));
+ return clone_str(strbuf, attr_name);
+}
+
+
+
 /** STATE_MODE_CFG_R1:
 * HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK)
 *
@@ -1639,7 +1674,6 @@ modecfg_inR1(struct msg_digest *md)
 pb_stream *attrs = &md->chain[ISAKMP_NEXT_ATTR]->pbs;
 int resp = LEMPTY;
 struct payload_digest *p;
- bool first_dns_flag = TRUE;
 DBG(DBG_CONTROL, DBG_log("modecfg_inR1"));
 openswan_log("received mode cfg reply");
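Review bot: In cisco_stringify() the single quotes are replaced before `sanitize_string()` runs, so the property the `'%s'` quoting in fmt_common_shell_out depends on (no `'` in the returned string) holds only if sanitize_string never emits one; its definition is not in this diff. Running the quote replacement last makes the guarantee local to this function: move `(void)sanitize_string(strbuf, sizeof(strbuf));` above the replacement block. Input longer than 499 bytes is also cut silently, and a log line when `len` is clamped would help when a banner arrives truncated. The header comment should also say that the result is a fresh clone_str() allocation that the caller owns and must release.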
@@ -1791,14 +1825,31 @@ modecfg_inR1(struct msg_digest *md)
 addrtot(&a, 0, caddr, sizeof(caddr));
 openswan_log("Received DNS %s, len=%zd", caddr, strlen(caddr));
- if (first_dns_flag) {
- strcpy(st->st_connection->cisco_dns_info, caddr);
- first_dns_flag = 0;
- }
- else {
- strcat(st->st_connection->cisco_dns_info, " ");
- strcat(st->st_connection->cisco_dns_info, caddr);
- }
+
+ {
+ struct connection *c = st->st_connection;
+ char *old = c->cisco_dns_info;
+
+ if (old == NULL)
+ {
+ c->cisco_dns_info = clone_str(caddr, "cisco_dns_info");
+ }
+ else
+ {
+ /* concatenate new IP address string on end of
+ * existing string, separated by ' '.
+ */
+ size_t sz_old = strlen(old);
+ size_t sz_added = strlen(caddr) + 1;
+ char *new = alloc_bytes(sz_old + 1 + sz_added, "cisco_dns_info+");
+
+ memcpy(new, old, sz_old);
+ *(new + sz_old) =' ';
+ memcpy(new + sz_old + 1, caddr, sz_added);
+ c->cisco_dns_info = new;
+ pfree(old);
+ }
+ }
 DBG_log("Cisco DNS info: %s, len=%zd", st->st_connection->cisco_dns_info, strlen(st->st_connection->cisco_dns_info));
 }
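Review bot: With `first_dns_flag` gone, the append branch runs whenever `c->cisco_dns_info` is non-NULL, and nothing in this diff clears that pointer between mode-config exchanges; the only reset visible is in add_connection(). If modecfg_inR1() runs again on the same connection, the new addresses would be appended to the earlier list, and the string grows with every DNS attribute the peer sends, with no cap. I would release and reset the field once before the attribute loop, `pfreeany(c->cisco_dns_info); c->cisco_dns_info = NULL;`, and consider bounding the number of entries kept. That spot is outside this hunk, as is the rest of modecfg_inR1(). Smaller point: `new` as an identifier and `*(new + sz_old) =' ';` would read better as `char *joined` and `joined[sz_old] = ' ';`.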
@@ -1812,28 +1863,15 @@ modecfg_inR1(struct msg_digest *md)
 break;
 case CISCO_BANNER:
- {
- DBG_dump("Received cisco banner: ", strattr.cur, pbs_left(&strattr));
- strncpy(st->st_connection->server_banner, strattr.cur, pbs_left(&strattr));
- st->st_connection->server_banner[pbs_left(&strattr)]='\0';
- DBG_log("Cisco banner: %s", st->st_connection->server_banner);
- resp |= LELEM(attr.isaat_af_type);
- }
- break;
+ st->st_connection->cisco_banner = cisco_stringify(&strattr,"Cisco Banner");
+ resp |= LELEM(attr.isaat_af_type);
+ break;
 case CISCO_DEF_DOMAIN:
- {
- char tmp[50];
- DBG_dump("Received cisco def domain: ", strattr.cur, pbs_left(&strattr));
- strncpy(tmp, strattr.cur, pbs_left(&strattr));
- tmp[pbs_left(&strattr)]='\0';
- DBG_log("Cisco defined domain: %s", tmp);
- strcpy(st->st_connection->cisco_domain_info, tmp);
- DBG_log("Cisco defined domain: %s", st->st_connection->cisco_domain_info);
- resp |= LELEM(attr.isaat_af_type);
- }
- break;
+ st->st_connection->cisco_domain_info = cisco_stringify(&strattr,"Cisco Domain");
+ resp |= LELEM(attr.isaat_af_type);
+ break;
 case CISCO_SPLIT_INC:
 {
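Review bot: Both new assignments overwrite the previous pointer without freeing it: `st->st_connection->cisco_banner = cisco_stringify(...)` under `CISCO_BANNER` and the same for `cisco_domain_info` under `CISCO_DEF_DOMAIN`. cisco_stringify() returns a fresh clone_str() allocation each time, so a reply that carries the attribute twice, or a second mode-config exchange on the same connection, leaks the earlier string; since the peer decides how often the attribute appears, that is peer-driven memory growth. Free the old value first, with `pfreeany(st->st_connection->cisco_banner);` before the banner assignment and `pfreeany(st->st_connection->cisco_domain_info);` before the domain one. The switch and modecfg_inR1() continue outside the hunk.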