| diff -rupN strongswan-4.6.3/src/pluto/ipsec_doi.c strongswan-4.6.3.patched/src/pluto/ipsec_doi.c |
| --- strongswan-4.6.3/src/pluto/ipsec_doi.c 2011-10-14 08:41:07.000000000 -0700 |
| +++ strongswan-4.6.3.patched/src/pluto/ipsec_doi.c 2012-05-08 11:01:16.921003004 -0700 |
| @@ -112,6 +112,8 @@ enum endpoint { |
| EP_REMOTE = 1 << 1, |
| }; |
| |
| +extern bool ignore_peer_id_check; |
| + |
| /* create output HDR as replica of input HDR */ |
| void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np) |
| { |
| @@ -2429,7 +2431,15 @@ static bool switch_connection(struct msg |
| loglog(RC_LOG_SERIOUS, |
| "we require peer to have ID '%Y', but peer declares '%Y'", |
| c->spd.that.id, peer); |
| - return FALSE; |
| + if (ignore_peer_id_check) |
| + { |
| + loglog(RC_LOG_SERIOUS, |
| + "ignore peer ID mismatch"); |
| + } |
| + else |
| + { |
| + return FALSE; |
| + } |
| } |
| |
| if (c->spd.that.ca) |
| diff -rupN strongswan-4.6.3/src/pluto/plutomain.c strongswan-4.6.3.patched/src/pluto/plutomain.c |
| --- strongswan-4.6.3/src/pluto/plutomain.c 2012-03-19 23:37:09.000000000 -0700 |
| +++ strongswan-4.6.3.patched/src/pluto/plutomain.c 2012-05-08 11:01:16.921003004 -0700 |
| @@ -256,6 +256,8 @@ bool pkcs11_keep_state = FALSE; |
| /* by default pluto does not allow pkcs11 proxy access via whack */ |
| bool pkcs11_proxy = FALSE; |
| |
| +bool ignore_peer_id_check = FALSE; |
| + |
| /* argument string to pass to PKCS#11 module. |
| * Not used for compliant modules, just for NSS softoken |
| */ |
| @@ -339,6 +341,7 @@ int main(int argc, char **argv) |
| { "disable_port_floating", no_argument, NULL, '4' }, |
| { "debug-natt", no_argument, NULL, '5' }, |
| { "virtual_private", required_argument, NULL, '6' }, |
| + { "ignorepeeridcheck", no_argument, NULL, '7' }, |
| #ifdef DEBUG |
| { "debug-none", no_argument, NULL, 'N' }, |
| { "debug-all", no_argument, NULL, 'A' }, |
| @@ -539,6 +542,9 @@ int main(int argc, char **argv) |
| case '6': /* --virtual_private */ |
| virtual_private = optarg; |
| continue; |
| + case '7': /* --ignorepeeridcheck */ |
| + ignore_peer_id_check = TRUE; |
| + continue; |
| |
| default: |
| #ifdef DEBUG |
| diff -rupN strongswan-4.6.3/src/starter/args.c strongswan-4.6.3.patched/src/starter/args.c |
| --- strongswan-4.6.3/src/starter/args.c 2012-04-12 00:28:28.000000000 -0700 |
| +++ strongswan-4.6.3.patched/src/starter/args.c 2012-05-08 11:01:16.921003004 -0700 |
| @@ -189,6 +189,7 @@ static const token_info_t token_info[] = |
| { ARG_STR, offsetof(starter_config_t, setup.pkcs11initargs), NULL }, |
| { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool }, |
| { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool }, |
| + { ARG_ENUM, offsetof(starter_config_t, setup.ignorepeeridcheck), LST_bool }, |
| |
| /* KLIPS keywords */ |
| { ARG_LST, offsetof(starter_config_t, setup.klipsdebug), LST_klipsdebug }, |
| diff -rupN strongswan-4.6.3/src/starter/confread.h strongswan-4.6.3.patched/src/starter/confread.h |
| --- strongswan-4.6.3/src/starter/confread.h 2012-04-12 00:28:28.000000000 -0700 |
| +++ strongswan-4.6.3.patched/src/starter/confread.h 2012-05-08 11:01:16.921003004 -0700 |
| @@ -210,6 +210,7 @@ struct starter_config { |
| char *pkcs11initargs; |
| bool pkcs11keepstate; |
| bool pkcs11proxy; |
| + bool ignorepeeridcheck; |
| |
| /* KLIPS keywords */ |
| char **klipsdebug; |
| diff -rupN strongswan-4.6.3/src/starter/invokepluto.c strongswan-4.6.3.patched/src/starter/invokepluto.c |
| --- strongswan-4.6.3/src/starter/invokepluto.c 2012-03-19 23:37:09.000000000 -0700 |
| +++ strongswan-4.6.3.patched/src/starter/invokepluto.c 2012-05-08 11:01:16.921003004 -0700 |
| @@ -238,6 +238,10 @@ starter_start_pluto (starter_config_t *c |
| { |
| arg[argc++] = "--pkcs11proxy"; |
| } |
| + if (cfg->setup.ignorepeeridcheck) |
| + { |
| + arg[argc++] = "--ignorepeeridcheck"; |
| + } |
| |
| if (_pluto_pid) |
| { |
| diff -rupN strongswan-4.6.3/src/starter/keywords.c strongswan-4.6.3.patched/src/starter/keywords.c |
| --- strongswan-4.6.3/src/starter/keywords.c 2012-04-12 00:29:32.000000000 -0700 |
| +++ strongswan-4.6.3.patched/src/starter/keywords.c 2012-05-08 11:01:16.921003004 -0700 |
| @@ -54,7 +54,7 @@ struct kw_entry { |
| kw_token_t token; |
| }; |
| |
| -#define TOTAL_KEYWORDS 131 |
| +#define TOTAL_KEYWORDS 132 |
| #define MIN_WORD_LENGTH 3 |
| #define MAX_WORD_LENGTH 17 |
| #define MIN_HASH_VALUE 9 |
| @@ -79,15 +79,15 @@ hash (str, len) |
| 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, |
| 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, |
| 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, |
| - 247, 247, 247, 247, 247, 247, 247, 247, 247, 12, |
| + 247, 247, 247, 247, 247, 247, 247, 247, 247, 0, |
| 126, 247, 247, 247, 247, 247, 247, 247, 247, 247, |
| 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, |
| 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, |
| 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, |
| - 247, 247, 247, 247, 247, 51, 247, 11, 1, 92, |
| - 43, 0, 6, 0, 110, 0, 247, 120, 56, 37, |
| + 247, 247, 247, 247, 247, 20, 247, 11, 3, 92, |
| + 43, 0, 6, 0, 110, 0, 247, 132, 56, 57, |
| 27, 72, 43, 1, 16, 0, 5, 75, 1, 247, |
| - 247, 11, 5, 247, 247, 247, 247, 247, 247, 247, |
| + 247, 11, 4, 247, 247, 247, 247, 247, 247, 247, |
| 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, |
| 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, |
| 247, 247, 247, 247, 247, 247, 247, 247, 247, 247, |
| @@ -164,12 +164,14 @@ static const struct kw_entry wordlist[] |
| {"marginpackets", KW_MARGINPACKETS}, |
| {"leftnatip", KW_LEFTNATIP}, |
| {"mediated_by", KW_MEDIATED_BY}, |
| + {"me_peerid", KW_ME_PEERID}, |
| {"ldapbase", KW_LDAPBASE}, |
| {"leftfirewall", KW_LEFTFIREWALL}, |
| {"rightfirewall", KW_RIGHTFIREWALL}, |
| {"crluri", KW_CRLURI}, |
| - {"mobike", KW_MOBIKE}, |
| + {"crluri1", KW_CRLURI}, |
| {"rightnatip", KW_RIGHTNATIP}, |
| + {"mobike", KW_MOBIKE}, |
| {"rightnexthop", KW_RIGHTNEXTHOP}, |
| {"mediation", KW_MEDIATION}, |
| {"leftallowany", KW_LEFTALLOWANY}, |
| @@ -177,14 +179,12 @@ static const struct kw_entry wordlist[] |
| {"overridemtu", KW_OVERRIDEMTU}, |
| {"aaa_identity", KW_AAA_IDENTITY}, |
| {"esp", KW_ESP}, |
| - {"crluri1", KW_CRLURI}, |
| {"lefthostaccess", KW_LEFTHOSTACCESS}, |
| {"leftsubnet", KW_LEFTSUBNET}, |
| {"leftid", KW_LEFTID}, |
| {"forceencaps", KW_FORCEENCAPS}, |
| {"eap", KW_EAP}, |
| {"nat_traversal", KW_NAT_TRAVERSAL}, |
| - {"me_peerid", KW_ME_PEERID}, |
| {"rightcert", KW_RIGHTCERT}, |
| {"installpolicy", KW_INSTALLPOLICY}, |
| {"authby", KW_AUTHBY}, |
| @@ -194,50 +194,50 @@ static const struct kw_entry wordlist[] |
| {"rightupdown", KW_RIGHTUPDOWN}, |
| {"keyexchange", KW_KEYEXCHANGE}, |
| {"ocspuri", KW_OCSPURI}, |
| - {"compress", KW_COMPRESS}, |
| + {"ocspuri1", KW_OCSPURI}, |
| {"rightcertpolicy", KW_RIGHTCERTPOLICY}, |
| {"cacert", KW_CACERT}, |
| {"eap_identity", KW_EAP_IDENTITY}, |
| {"hidetos", KW_HIDETOS}, |
| - {"ike", KW_IKE}, |
| + {"force_keepalive", KW_FORCE_KEEPALIVE}, |
| {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, |
| {"righthostaccess", KW_RIGHTHOSTACCESS}, |
| {"packetdefault", KW_PACKETDEFAULT}, |
| {"dpdaction", KW_DPDACTION}, |
| - {"ocspuri1", KW_OCSPURI}, |
| {"pfsgroup", KW_PFSGROUP}, |
| {"rightauth", KW_RIGHTAUTH}, |
| + {"xauth_identity", KW_XAUTH_IDENTITY}, |
| {"also", KW_ALSO}, |
| {"leftsourceip", KW_LEFTSOURCEIP}, |
| {"rightid2", KW_RIGHTID2}, |
| - {"dumpdir", KW_DUMPDIR}, |
| - {"rekey", KW_REKEY}, |
| - {"ikelifetime", KW_IKELIFETIME}, |
| - {"dpdtimeout", KW_DPDTIMEOUT}, |
| + {"ike", KW_IKE}, |
| + {"compress", KW_COMPRESS}, |
| {"ldaphost", KW_LDAPHOST}, |
| - {"rekeyfuzz", KW_REKEYFUZZ}, |
| {"leftcert2", KW_LEFTCERT2}, |
| - {"leftikeport", KW_LEFTIKEPORT}, |
| {"crlcheckinterval", KW_CRLCHECKINTERVAL}, |
| {"plutostderrlog", KW_PLUTOSTDERRLOG}, |
| {"plutostart", KW_PLUTOSTART}, |
| {"rightauth2", KW_RIGHTAUTH2}, |
| + {"rekey", KW_REKEY}, |
| + {"ikelifetime", KW_IKELIFETIME}, |
| {"leftca2", KW_LEFTCA2}, |
| - {"mark", KW_MARK}, |
| - {"force_keepalive", KW_FORCE_KEEPALIVE}, |
| + {"rekeyfuzz", KW_REKEYFUZZ}, |
| + {"leftikeport", KW_LEFTIKEPORT}, |
| + {"dumpdir", KW_DUMPDIR}, |
| {"auto", KW_AUTO}, |
| + {"dpdtimeout", KW_DPDTIMEOUT}, |
| {"charondebug", KW_CHARONDEBUG}, |
| {"dpddelay", KW_DPDDELAY}, |
| - {"xauth_identity", KW_XAUTH_IDENTITY}, |
| + {"mark", KW_MARK}, |
| {"charonstart", KW_CHARONSTART}, |
| {"fragicmp", KW_FRAGICMP}, |
| {"prepluto", KW_PREPLUTO}, |
| + {"ignorepeeridcheck", KW_IGNOREPEERIDCHECK}, |
| {"closeaction", KW_CLOSEACTION}, |
| {"leftid2", KW_LEFTID2}, |
| {"plutodebug", KW_PLUTODEBUG}, |
| {"tfc", KW_TFC}, |
| {"auth", KW_AUTH}, |
| - {"rekeymargin", KW_REKEYMARGIN}, |
| {"modeconfig", KW_MODECONFIG}, |
| {"leftauth", KW_LEFTAUTH}, |
| {"xauth", KW_XAUTH}, |
| @@ -247,6 +247,7 @@ static const struct kw_entry wordlist[] |
| {"nocrsend", KW_NOCRSEND}, |
| {"leftauth2", KW_LEFTAUTH2}, |
| {"rightca2", KW_RIGHTCA2}, |
| + {"rekeymargin", KW_REKEYMARGIN}, |
| {"rightcert2", KW_RIGHTCERT2}, |
| {"pkcs11module", KW_PKCS11MODULE}, |
| {"reauth", KW_REAUTH}, |
| @@ -265,24 +266,24 @@ static const short lookup[] = |
| 21, 22, 23, 24, 25, -1, -1, -1, 26, 27, |
| 28, -1, 29, -1, -1, -1, 30, -1, 31, 32, |
| 33, 34, 35, -1, 36, 37, -1, 38, -1, 39, |
| - 40, -1, -1, 41, 42, 43, -1, -1, 44, 45, |
| - 46, -1, 47, -1, 48, 49, 50, 51, 52, 53, |
| - -1, 54, 55, -1, -1, -1, 56, -1, 57, 58, |
| - 59, 60, -1, 61, -1, -1, 62, 63, 64, 65, |
| - 66, -1, 67, 68, 69, 70, -1, 71, 72, 73, |
| - 74, -1, 75, 76, 77, 78, 79, 80, 81, 82, |
| - 83, -1, 84, 85, 86, 87, 88, 89, 90, 91, |
| - 92, 93, 94, -1, 95, 96, 97, 98, -1, -1, |
| - 99, 100, -1, -1, 101, -1, 102, -1, -1, 103, |
| - -1, 104, 105, -1, 106, -1, -1, -1, -1, -1, |
| - 107, 108, -1, -1, -1, -1, -1, 109, -1, -1, |
| - -1, -1, 110, -1, 111, -1, -1, -1, -1, -1, |
| - -1, -1, -1, 112, 113, 114, -1, 115, -1, 116, |
| + 40, -1, 41, 42, 43, 44, -1, -1, 45, 46, |
| + 47, 48, 49, -1, 50, 51, 52, 53, 54, 55, |
| + -1, -1, 56, -1, -1, -1, 57, -1, 58, 59, |
| + 60, 61, -1, -1, -1, -1, 62, 63, 64, 65, |
| + 66, -1, 67, 68, 69, 70, 71, -1, 72, 73, |
| + 74, -1, 75, 76, 77, 78, 79, 80, -1, 81, |
| + 82, 83, 84, 85, 86, 87, -1, 88, -1, 89, |
| + -1, 90, -1, -1, 91, 92, 93, 94, 95, 96, |
| + 97, 98, -1, -1, 99, 100, 101, -1, 102, 103, |
| + -1, 104, -1, 105, 106, -1, -1, -1, -1, -1, |
| + 107, 108, -1, -1, -1, -1, 109, 110, -1, -1, |
| + -1, -1, 111, -1, 112, -1, -1, -1, -1, -1, |
| + -1, -1, -1, 113, 114, -1, -1, 115, -1, 116, |
| -1, 117, -1, -1, 118, 119, -1, -1, -1, 120, |
| -1, -1, -1, -1, -1, 121, 122, -1, -1, -1, |
| - -1, -1, -1, -1, -1, -1, 123, -1, 124, -1, |
| - -1, -1, -1, -1, -1, -1, 125, 126, 127, 128, |
| - -1, -1, 129, -1, -1, -1, 130 |
| + -1, -1, -1, -1, -1, -1, 123, 124, 125, -1, |
| + -1, -1, -1, -1, -1, -1, 126, 127, 128, 129, |
| + -1, -1, 130, -1, -1, -1, 131 |
| }; |
| |
| #ifdef __GNUC__ |
| diff -rupN strongswan-4.6.3/src/starter/keywords.h strongswan-4.6.3.patched/src/starter/keywords.h |
| --- strongswan-4.6.3/src/starter/keywords.h 2012-04-12 00:28:28.000000000 -0700 |
| +++ strongswan-4.6.3.patched/src/starter/keywords.h 2012-05-08 11:01:16.921003004 -0700 |
| @@ -43,9 +43,10 @@ typedef enum { |
| KW_PKCS11INITARGS, |
| KW_PKCS11KEEPSTATE, |
| KW_PKCS11PROXY, |
| + KW_IGNOREPEERIDCHECK, |
| |
| #define KW_PLUTO_FIRST KW_PLUTODEBUG |
| -#define KW_PLUTO_LAST KW_PKCS11PROXY |
| +#define KW_PLUTO_LAST KW_IGNOREPEERIDCHECK |
| |
| /* KLIPS keywords */ |
| KW_KLIPSDEBUG, |
| @@ -218,4 +219,3 @@ typedef enum { |
| } kw_token_t; |
| |
| #endif /* _KEYWORDS_H_ */ |
| - |
| diff -rupN strongswan-4.6.3/src/starter/keywords.txt strongswan-4.6.3.patched/src/starter/keywords.txt |
| --- strongswan-4.6.3/src/starter/keywords.txt 2012-04-12 00:28:28.000000000 -0700 |
| +++ strongswan-4.6.3.patched/src/starter/keywords.txt 2012-05-08 11:01:16.921003004 -0700 |
| @@ -56,6 +56,7 @@ pkcs11module, KW_PKCS11MODULE |
| pkcs11initargs, KW_PKCS11INITARGS |
| pkcs11keepstate, KW_PKCS11KEEPSTATE |
| pkcs11proxy, KW_PKCS11PROXY |
| +ignorepeeridcheck, KW_IGNOREPEERIDCHECK |
| keyexchange, KW_KEYEXCHANGE |
| type, KW_TYPE |
| pfs, KW_PFS |