[Openswan dev] /etc/ipsec.d/passwd oddities in Openswan 2.4.7
Mark-Andre Hopf
mhopf at innominate.com
Mon Jan 29 09:28:16 EST 2007
Openswan 2.4.7, "doc/README.XAUTH" states that /etc/ipsec.d/passwd's format is
userid:password:conname
where it says the following about 'conname'
You can allow a user access to any connection class in ipsec.conf by
leaving the last field of the password file blank or '*'
This does not seem to be correct.
Now, the code in 'do_md5_authentication' (connname is stored in 'szconnid') is
if ( strcasecmp(szconnid, arg->connname.ptr) == 0
&& strcmp( szuser, arg->name.ptr ) == 0 ) /* user correct ?*/
{
but instead it should be something like this
if ( ( szconnid[0]==0 ||
(szconnid[0]=='*' && szconnid[1]=='\0') ||
strcasecmp(szconnid, arg->connname.ptr) == 0 ) &&
strcmp( szuser, arg->name.ptr ) == 0 ) /* user correct ?*/
{
or, even better, with fnmatch handling the wildcard:
if ( ( szconnid[0]==0 ||
/* fnmatch(3) returns 0 on a match, so the result must be compared to 0 */
fnmatch(szconnid, arg->connname.ptr, 0) == 0 ||
strcasecmp(szconnid, arg->connname.ptr) == 0 ) &&
strcmp( szuser, arg->name.ptr ) == 0 ) /* user correct ?*/
{
Have a nice day,
Mark
--
mark-andre.hopf at innominate.com innominate security technologies AG
senior software engineer protecting industrial networks
development http://innominate.com
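The conname matching proposed above, written out as an added, self-contained illustration (this is not Openswan's code and not from the post; xauth_conn_allowed and xauth_line_allows are hypothetical helper names). It accepts a blank field, a literal '*', a glob via fnmatch(3), or a case-insensitive exact name, and shows why the fnmatch result has to be compared to 0:

```c
#include <fnmatch.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: does the 'conname' field of an /etc/ipsec.d/passwd
 * entry (szconnid) grant access to the connection named 'connname'? */
int xauth_conn_allowed(const char *szconnid, const char *connname)
{
    if (szconnid == NULL || connname == NULL)
        return 0;
    if (szconnid[0] == '\0')                        /* blank field: any conn */
        return 1;
    if (szconnid[0] == '*' && szconnid[1] == '\0')  /* literal "*": any conn */
        return 1;
    /* fnmatch(3) returns 0 on a match and FNM_NOMATCH otherwise; using the
     * bare return value as a boolean would invert the test. */
    if (fnmatch(szconnid, connname, 0) == 0)
        return 1;
    return strcasecmp(szconnid, connname) == 0;     /* exact, case-insensitive */
}

/* Hypothetical helper: check one "userid:password:conname" line for a
 * user/connection pair. The password itself is deliberately not verified
 * here; only the user and connection fields are examined. */
int xauth_line_allows(const char *line, const char *user, const char *connname)
{
    char connbuf[128];
    const char *p1 = strchr(line, ':');
    if (p1 == NULL)
        return 0;                                   /* malformed entry */
    const char *p2 = strchr(p1 + 1, ':');
    const char *conn = (p2 != NULL) ? p2 + 1 : "";  /* missing field == blank */
    size_t ulen = (size_t)(p1 - line);
    if (strlen(user) != ulen || strncmp(line, user, ulen) != 0)
        return 0;                                   /* user must match exactly */
    size_t clen = strcspn(conn, "\r\n");            /* drop a trailing newline */
    if (clen >= sizeof connbuf)
        return 0;
    memcpy(connbuf, conn, clen);
    connbuf[clen] = '\0';
    return xauth_conn_allowed(connbuf, connname);
}
```

The sample passwd lines in the test below are constructed; the password field is a placeholder, not a real hash.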