sync w/ latest racoon

This commit is contained in:
itojun 2003-07-12 09:02:24 +00:00
parent dc30725eaf
commit 03eefe2ecf
21 changed files with 238 additions and 507 deletions


@ -1,4 +1,4 @@
/* $KAME: algorithm.c,v 1.25 2002/06/10 20:01:21 itojun Exp $ */
/* $KAME: algorithm.c,v 1.28 2003/07/12 08:44:44 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -57,6 +57,7 @@ static struct hash_algorithm oakley_hashdef[] = {
eay_sha1_init, eay_sha1_update,
eay_sha1_final, eay_sha1_hashlen,
eay_sha1_one, },
#ifdef WITH_SHA2
{ "sha2_256", algtype_sha2_256, OAKLEY_ATTR_HASH_ALG_SHA2_256,
eay_sha2_256_init, eay_sha2_256_update,
eay_sha2_256_final, eay_sha2_256_hashlen,
@ -69,6 +70,7 @@ static struct hash_algorithm oakley_hashdef[] = {
eay_sha2_512_init, eay_sha2_512_update,
eay_sha2_512_final, eay_sha2_512_hashlen,
eay_sha2_512_one, },
#endif
};
static struct hmac_algorithm oakley_hmacdef[] = {
@ -80,6 +82,7 @@ static struct hmac_algorithm oakley_hmacdef[] = {
eay_hmacsha1_init, eay_hmacsha1_update,
eay_hmacsha1_final, NULL,
eay_hmacsha1_one, },
#ifdef WITH_SHA2
{ "hmac_sha2_256", algtype_sha2_256, OAKLEY_ATTR_HASH_ALG_SHA2_256,
eay_hmacsha2_256_init, eay_hmacsha2_256_update,
eay_hmacsha2_256_final, NULL,
@ -92,6 +95,7 @@ static struct hmac_algorithm oakley_hmacdef[] = {
eay_hmacsha2_512_init, eay_hmacsha2_512_update,
eay_hmacsha2_512_final, NULL,
eay_hmacsha2_512_one, },
#endif
};
static struct enc_algorithm oakley_encdef[] = {


@ -1,35 +0,0 @@
/* $KAME: cfparse.h,v 1.11 2001/03/15 11:44:08 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* cfparse.y */
extern int yyparse __P((void));
extern int cfparse __P((void));
extern int cfreparse __P((void));


@ -1,4 +1,4 @@
/* $KAME: cfparse.y,v 1.113 2002/09/27 05:55:52 itojun Exp $ */
/* $KAME: cfparse.y,v 1.117 2003/06/27 07:32:37 sakane Exp $ */
%{
#include <sys/types.h>
@ -135,7 +135,7 @@ static int fix_lifebyte __P((u_long));
/* algorithm */
%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
/* sainfo */
%token SAINFO
%token SAINFO FROM
/* remote */
%token REMOTE ANONYMOUS
%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
@ -144,7 +144,7 @@ static int fix_lifebyte __P((u_long));
%token DNSSEC CERT_X509
%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
%token GENERATE_POLICY SUPPORT_MIP6
%token GENERATE_POLICY SUPPORT_PROXY
%token PROPOSAL
%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
%token GSSAPI_ID
@ -396,7 +396,7 @@ sainfo_statement
return -1;
}
}
sainfo_name BOC sainfo_specs
sainfo_name sainfo_peer BOC sainfo_specs
{
struct sainfo *check;
@ -418,7 +418,9 @@ sainfo_statement
}
/* duplicate check */
check = getsainfo(cur_sainfo->idsrc, cur_sainfo->iddst);
check = getsainfo(cur_sainfo->idsrc,
cur_sainfo->iddst,
cur_sainfo->id_i);
if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
yyerror("duplicated sainfo: %s",
sainfo2str(cur_sainfo));
@ -515,6 +517,38 @@ sainfo_id
memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
}
;
sainfo_peer
: /* nothing */
{
cur_sainfo->id_i = NULL;
}
| FROM IDENTIFIERTYPE identifierstring
{
struct ipsecdoi_id_b *id_b;
vchar_t *idv;
if (set_identifier(&idv, $2, $3) != 0) {
yyerror("failed to set identifer.\n");
return -1;
}
cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
if (cur_sainfo->id_i == NULL) {
yyerror("failed to allocate identifier");
return -1;
}
id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
id_b->type = idtype2doi($2);
id_b->proto_id = 0;
id_b->port = 0;
memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
idv->v, idv->l);
vfree(idv);
}
;
sainfo_specs
: /* nothing */
| sainfo_specs sainfo_spec
@ -804,7 +838,7 @@ remote_spec
| KEEPALIVE { cur_rmconf->keepalive = TRUE; } EOS
| PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
| GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
| SUPPORT_MIP6 SWITCH { cur_rmconf->support_mip6 = $2; } EOS
| SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
| INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
| PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
| LIFETIME LIFETYPE_TIME NUMBER unittype_time
@ -1323,7 +1357,7 @@ cfparse()
yycf_init_buffer();
if (yycf_set_buffer(lcconf->racoon_conf) != 0)
if (yycf_switch_buffer(lcconf->racoon_conf) != 0)
return -1;
prhead = NULL;
@ -1365,7 +1399,7 @@ cfreparse()
clean_tmpalgtype();
yycf_init_buffer();
if (yycf_set_buffer(lcconf->racoon_conf) != 0)
if (yycf_switch_buffer(lcconf->racoon_conf) != 0)
return -1;
return(cfparse());
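Review bot: In the `FROM IDENTIFIERTYPE identifierstring` action, the `idv` buffer returned by set_identifier() is leaked when vmalloc() fails: that branch returns -1 right after "failed to allocate identifier" without releasing it, so add `vfree(idv);` before that `return -1;`. The message in the preceding branch also misspells "identifer". The new `from` selector is not described in the racoon.conf.5 hunk of this commit; a man page sentence stating that it matches the peer's phase 1 identity, and that only the first matching sainfo is used, would spare operators a read of the grammar.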


@ -1,41 +0,0 @@
/* $KAME: cftoken.h,v 1.4 2000/10/04 17:40:58 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
extern int yyerrorcount;
extern int yylex __P((void));
extern void yyerror __P((char *, ...));
extern void yywarn __P((char *, ...));
extern int yycf_switch_buffer __P((char *));
extern int yycf_set_buffer __P((char *));
extern void yycf_init_buffer __P((void));
extern void yycf_clean_buffer __P((void));


@ -1,4 +1,4 @@
/* $KAME: cftoken.l,v 1.69 2002/09/27 06:03:51 itojun Exp $ */
/* $KAME: cftoken.l,v 1.71 2003/06/27 07:32:38 sakane Exp $ */
%{
#include <sys/types.h>
@ -14,6 +14,7 @@
#include <errno.h>
#include <limits.h>
#include <ctype.h>
#include <glob.h>
#ifdef HAVE_STDARG_H
#include <stdarg.h>
#else
@ -64,8 +65,10 @@ int yyerrorcount = 0;
static struct include_stack {
char *path;
FILE *fp;
YY_BUFFER_STATE state;
YY_BUFFER_STATE prevstate;
int lineno;
glob_t matches;
int matchon;
} incstack[MAX_INCLUDE_DEPTH];
static int incstackp = 0;
@ -176,6 +179,7 @@ hexstring 0x{hexdigit}+
<S_SAINF>anonymous { YYD; return(ANONYMOUS); }
<S_SAINF>{blcl}any{elcl} { YYD; return(PORTANY); }
<S_SAINF>any { YYD; return(ANY); }
<S_SAINF>from { YYD; return(FROM); }
/* sainfo spec */
<S_SAINF>{bcl} { BEGIN S_SAINFS; return(BOC); }
<S_SAINF>{semi} { BEGIN S_INI; return(EOS); }
@ -222,7 +226,8 @@ hexstring 0x{hexdigit}+
<S_RMTS>dh_group { YYD; return(DH_GROUP); }
<S_RMTS>nonce_size { YYD; return(NONCE_SIZE); }
<S_RMTS>generate_policy { YYD; return(GENERATE_POLICY); }
<S_RMTS>support_mip6 { YYD; return(SUPPORT_MIP6); }
<S_RMTS>support_mip6 { YYD; yywarn("it is obsoleted. use \"support_proxy\"."); return(SUPPORT_PROXY); }
<S_RMTS>support_proxy { YYD; return(SUPPORT_PROXY); }
<S_RMTS>initial_contact { YYD; return(INITIAL_CONTACT); }
<S_RMTS>proposal_check { YYD; return(PROPOSAL_CHECK); }
<S_RMTS>obey { YYD; yylval.num = PROP_CHECK_OBEY; return(PROPOSAL_CHECK_LEVEL); }
@ -411,11 +416,26 @@ no { YYD; yylval.num = FALSE; return(BOOLEAN); }
}
<<EOF>> {
if ( --incstackp < 0 ) {
yyterminate();
yy_delete_buffer(YY_CURRENT_BUFFER);
incstackp--;
nextfile:
if (incstack[incstackp].matchon <
incstack[incstackp].matches.gl_pathc) {
char* filepath = incstack[incstackp].matches.gl_pathv[incstack[incstackp].matchon];
incstack[incstackp].matchon++;
incstackp++;
if (yycf_set_buffer(filepath) != 0) {
incstackp--;
goto nextfile;
}
yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE));
BEGIN(S_INI);
} else {
yy_delete_buffer(YY_CURRENT_BUFFER);
yy_switch_to_buffer(incstack[incstackp].state);
globfree(&incstack[incstackp].matches);
if (incstackp == 0)
yyterminate();
else
yy_switch_to_buffer(incstack[incstackp].prevstate);
}
}
@ -470,6 +490,8 @@ int
yycf_switch_buffer(path)
char *path;
{
char *filepath = NULL;
/* got the include file name */
if (incstackp >= MAX_INCLUDE_DEPTH) {
plog(LLV_ERROR, LOCATION, NULL,
@ -477,10 +499,27 @@ yycf_switch_buffer(path)
return -1;
}
incstack[incstackp++].state = YY_CURRENT_BUFFER;
if (yycf_set_buffer(path) != 0)
if (glob(path, GLOB_TILDE, NULL, &incstack[incstackp].matches) != 0 ||
incstack[incstackp].matches.gl_pathc == 0) {
plog(LLV_ERROR, LOCATION, NULL,
"glob found no matches for path");
return -1;
}
incstack[incstackp].matchon = 0;
incstack[incstackp].prevstate = YY_CURRENT_BUFFER;
nextmatch:
if (incstack[incstackp].matchon >= incstack[incstackp].matches.gl_pathc)
return -1;
filepath =
incstack[incstackp].matches.gl_pathv[incstack[incstackp].matchon];
incstack[incstackp].matchon++;
incstackp++;
if (yycf_set_buffer(filepath) != 0) {
incstackp--;
goto nextmatch;
}
yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE));
@ -507,6 +546,8 @@ yycf_set_buffer(path)
incstack[incstackp].fp = yyin;
incstack[incstackp].path = strdup(path);
incstack[incstackp].lineno = 1;
plog(LLV_DEBUG, LOCATION, NULL,
"reading config file %s\n", path, 0);
return 0;
}
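Review bot: The depth guard at the top of yycf_switch_buffer is off by one for the new layout: `incstackp >= MAX_INCLUDE_DEPTH` still admits `incstackp == MAX_INCLUDE_DEPTH - 1`, after which the `incstackp++` under `nextmatch` makes yycf_set_buffer() write `incstack[MAX_INCLUDE_DEPTH].fp`, `.path` and `.lineno`, one past the `incstack[MAX_INCLUDE_DEPTH]` array; since the glob state for depth d lives in slot d and the opened file in slot d+1, the guard should read `if (incstackp >= MAX_INCLUDE_DEPTH - 1)`. Both failure returns after glob() (the "glob found no matches for path" branch and the `nextmatch` exhaustion) also leave `incstack[incstackp].matches` allocated, so add `globfree(&incstack[incstackp].matches);` before each `return -1;`, globfree() being the documented way to release a glob_t whichever way glob() returned. The error message would also be far more useful with the pattern in it: `"glob found no matches for %s\n", path`. Whether the previous file's fp is closed when the EOF rule advances to the next match depends on yycf_set_buffer, most of which lies outside this hunk.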


@ -1,4 +1,4 @@
/* $KAME: crypto_openssl.c,v 1.72 2002/06/10 09:36:11 itojun Exp $ */
/* $KAME: crypto_openssl.c,v 1.79 2003/07/12 08:44:44 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -56,6 +56,7 @@
#endif
#ifdef HAVE_OPENSSL_X509_H
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#endif
#include <openssl/bn.h>
@ -85,6 +86,11 @@
#include "crypto/sha2/sha2.h"
#endif
/* 0.9.7 stuff? */
#if OPENSSL_VERSION_NUMBER < 0x0090700fL
typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
#endif
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
@ -100,7 +106,6 @@
#ifdef HAVE_SIGNING_C
static int cb_check_cert __P((int, X509_STORE_CTX *));
static void eay_setgentype __P((char *, int *));
static X509 *mem2x509 __P((vchar_t *));
#endif
@ -404,9 +409,8 @@ eay_get_x509asn1subjectname(cert)
/*
* get the subjectAltName from X509 certificate.
* the name is terminated by '\0'.
* the name must be terminated by '\0'.
*/
#include <openssl/x509v3.h>
int
eay_get_x509subjectaltname(cert, altname, type, pos)
vchar_t *cert;
@ -415,61 +419,51 @@ eay_get_x509subjectaltname(cert, altname, type, pos)
int pos;
{
X509 *x509 = NULL;
X509_EXTENSION *ext;
X509V3_EXT_METHOD *method = NULL;
STACK_OF(GENERAL_NAME) *name;
CONF_VALUE *cval = NULL;
STACK_OF(CONF_VALUE) *nval = NULL;
u_char *bp;
GENERAL_NAMES *gens;
GENERAL_NAME *gen;
int i, len;
int error = -1;
*altname = NULL;
*type = GENT_OTHERNAME;
bp = cert->v;
x509 = mem2x509(cert);
if (x509 == NULL)
goto end;
i = X509_get_ext_by_NID(x509, NID_subject_alt_name, -1);
if (i < 0)
goto end;
ext = X509_get_ext(x509, i);
method = X509V3_EXT_get(ext);
if(!method)
goto end;
bp = ext->value->data;
name = method->d2i(NULL, &bp, ext->value->length);
if(!name)
gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
if (gens == NULL)
goto end;
nval = method->i2v(method, name, NULL);
method->ext_free(name);
name = NULL;
if(!nval)
goto end;
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
/* skip the name */
for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
if (i + 1 != pos)
continue;
cval = sk_CONF_VALUE_value(nval, i);
len = strlen(cval->value) + 1; /* '\0' included */
*altname = racoon_malloc(len);
if (!*altname) {
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
goto end;
}
strlcpy(*altname, cval->value, len);
/* set type of the name */
eay_setgentype(cval->name, type);
break;
}
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
/* there is no data at "pos" */
if (i == sk_GENERAL_NAME_num(gens))
goto end;
gen = sk_GENERAL_NAME_value(gens, i);
/* make sure if the data is terminated by '\0'. */
if (gen->d.ia5->data[gen->d.ia5->length] != '\0') {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL,
"data is not terminated by '\0'.");
#endif
hexdump(gen->d.ia5->data, gen->d.ia5->length + 1);
goto end;
}
len = gen->d.ia5->length + 1;
*altname = racoon_malloc(len);
if (!*altname)
goto end;
strlcpy(*altname, gen->d.ia5->data, len);
*type = gen->type;
error = 0;
@ -491,27 +485,6 @@ eay_get_x509subjectaltname(cert, altname, type, pos)
return error;
}
static void
eay_setgentype(name, type)
char *name;
int *type;
{
/* XXX It's needed effective code */
if(!memcmp(name, "email", strlen("email"))) {
*type = GENT_EMAIL;
} else if(!memcmp(name, "URI", strlen("URI"))) {
*type = GENT_URI;
} else if(!memcmp(name, "DNS", strlen("DNS"))) {
*type = GENT_DNS;
} else if(!memcmp(name, "RID", strlen("RID"))) {
*type = GENT_RID;
} else if(!memcmp(name, "IP", strlen("IP"))) {
*type = GENT_IPADD;
} else {
*type = GENT_OTHERNAME;
}
}
/*
* decode a X509 certificate and make a readable text terminated '\n'.
* return the buffer allocated, so must free it later.
@ -1498,6 +1471,7 @@ eay_hmac_init(key, md)
return (caddr_t)c;
}
#ifdef WITH_SHA2
/*
* HMAC SHA2-512
*/
@ -1677,6 +1651,7 @@ eay_hmacsha2_256_final(c)
return(res);
}
#endif /* WITH_SHA2 */
/*
* HMAC SHA1
@ -1798,6 +1773,7 @@ eay_hmacmd5_final(c)
return(res);
}
#ifdef WITH_SHA2
/*
* SHA2-512 functions
*/
@ -1849,6 +1825,7 @@ eay_sha2_512_one(data)
return(res);
}
#endif
int
eay_sha2_512_hashlen()
@ -1856,6 +1833,7 @@ eay_sha2_512_hashlen()
return SHA512_DIGEST_LENGTH << 3;
}
#ifdef WITH_SHA2
/*
* SHA2-384 functions
*/
@ -1907,6 +1885,7 @@ eay_sha2_384_one(data)
return(res);
}
#endif
int
eay_sha2_384_hashlen()
@ -1914,6 +1893,7 @@ eay_sha2_384_hashlen()
return SHA384_DIGEST_LENGTH << 3;
}
#ifdef WITH_SHA2
/*
* SHA2-256 functions
*/
@ -1965,6 +1945,7 @@ eay_sha2_256_one(data)
return(res);
}
#endif
int
eay_sha2_256_hashlen()
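Review bot: eay_get_x509subjectaltname now reads whichever GENERAL_NAME sits at position `pos` through `gen->d.ia5`, but that union member is only meaningful for the IA5String forms (GEN_EMAIL, GEN_DNS, GEN_URI); for GEN_DIRNAME, GEN_OTHERNAME or GEN_RID the `d` member points at an unrelated structure, so a peer certificate carrying a directoryName or otherName at that position makes the `length`/`data` reads and the hexdump operate on the wrong type, unless the caller already filters by type, which is not visible here (the removed i2v path handled IP and RID generically, and that handling is now silently gone). The `data[length] != '\0'` test only catches a missing trailing terminator: an IA5String with an embedded NUL passes, and `strlcpy()` then hands the caller a silently truncated name, the classic NUL-in-SAN trick against string-based identity matching, so reject embedded NULs with memchr() as well. The function's cleanup after `error = 0` lies outside the hunk.

```c
	gen = sk_GENERAL_NAME_value(gens, i);

	/* only the IA5String forms are represented by d.ia5; the other
	 * GENERAL_NAME types point at unrelated structures. */
	if (gen->type != GEN_EMAIL && gen->type != GEN_DNS &&
	    gen->type != GEN_URI)
		goto end;

	/* an embedded NUL would make strlcpy() below return a silently
	 * truncated name, so treat it like a missing terminator. */
	if (memchr(gen->d.ia5->data, '\0', gen->d.ia5->length) != NULL ||
	    gen->d.ia5->data[gen->d.ia5->length] != '\0') {
#ifndef EAYDEBUG
		plog(LLV_ERROR, LOCATION, NULL,
			"subjectAltName is not a plain NUL-terminated string.\n");
#endif
		hexdump(gen->d.ia5->data, gen->d.ia5->length + 1);
		goto end;
	}
	/* … unchanged: racoon_malloc(), strlcpy(), *type = gen->type, error = 0 … */
```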


@ -1,4 +1,4 @@
/* $KAME: eaytest.c,v 1.39 2001/12/12 18:23:42 sakane Exp $ */
/* $KAME: eaytest.c,v 1.41 2003/07/12 08:44:45 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -69,7 +69,9 @@ void certtest __P((int, char **));
static char **getcerts __P((char *));
void ciphertest __P((int, char **));
void hmactest __P((int, char **));
#ifdef WITH_SHA2
void sha2test __P((int, char **));
#endif
void sha1test __P((int, char **));
void md5test __P((int, char **));
void dhtest __P((int, char **));
@ -644,7 +646,9 @@ hmactest(ac, av)
char *object2 = "8bb74958b9fee94e";
char *r_hmd5 = "5702d7d1 fd1bfc7e 210fc9fa cda7d02c";
char *r_hsha1 = "309999aa 9779a43e ebdea839 1b4e7ee1 d8646874";
#ifdef WITH_SHA2
char *r_hsha2 = "d47262d8 a5b6f39d d8686939 411b3e79 ed2e27f9 2c4ea89f dd0a06ae 0c0aa396";
#endif
vchar_t *key, *data, *data1, *data2, *res;
vchar_t mod;
caddr_t ctx;
@ -684,6 +688,7 @@ hmactest(ac, av)
free(mod.v);
vfree(res);
#ifdef WITH_SHA2
/* HMAC SHA2 */
printf("HMAC SHA2 by eay_hmacsha2_256_one()\n");
res = eay_hmacsha2_256_one(key, data);
@ -693,6 +698,7 @@ hmactest(ac, av)
printf(" XXX NG XXX\n");
free(mod.v);
vfree(res);
#endif
/* HMAC SHA1 */
printf("HMAC SHA1 by eay_hmacsha1_one()\n");


@ -1,4 +1,4 @@
/* $KAME: grabmyaddr.c,v 1.34 2002/06/11 15:26:55 itojun Exp $ */
/* $KAME: grabmyaddr.c,v 1.35 2003/01/14 07:07:36 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -166,8 +166,9 @@ grab_myaddrs()
if (!suitable_ifaddr(ifap->ifa_name, ifap->ifa_addr)) {
plog(LLV_ERROR, LOCATION, NULL,
"unsuitable ifaddr: %s\n",
saddr2str(ifap->ifa_addr));
"unsuitable address: %s %s\n",
ifap->ifa_name,
saddrwop2str(ifap->ifa_addr));
continue;
}
@ -281,8 +282,10 @@ grab_myaddrs()
case AF_INET6:
#endif
if (!suitable_ifaddr(ifr->ifr_name, &ifr->ifr_addr)) {
plog(LLV_DEBUG, LOCATION, NULL,
"unsuitable ifaddr %s\n");
plog(LLV_ERROR, LOCATION, NULL,
"unsuitable address: %s %s\n",
ifr->ifr_name,
saddrwop2str(&ifr->ifr_addr));
continue;
}


@ -1,4 +1,4 @@
/* $KAME: ipsec_doi.c,v 1.158 2002/09/27 05:55:52 itojun Exp $ */
/* $KAME: ipsec_doi.c,v 1.162 2003/06/27 07:32:38 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -100,7 +100,7 @@ static struct prop_pair *get_ph2approvalx __P((struct ph2handle *,
static void free_proppair0 __P((struct prop_pair *));
static int get_transform
__P((struct isakmp_pl_p *, struct prop_pair **, int *));
__P((struct isakmp_pl_p *, struct prop_pair **, int *, int));
static u_int32_t ipsecdoi_set_ld __P((vchar_t *));
static int check_doi __P((u_int32_t));
@ -1163,6 +1163,14 @@ get_proppair(sa, mode)
vfree(pbuf);
return NULL;
}
if (mode == IPSECDOI_TYPE_PH1
&& pa != (struct isakmp_parse_t *)pbuf->v) {
plog(LLV_ERROR, LOCATION, NULL,
"Only a single proposal payload is allowed "
"during phase 1 processing.\n");
vfree(pbuf);
return NULL;
}
prop = (struct isakmp_pl_p *)pa->ptr;
proplen = pa->len;
@ -1192,7 +1200,7 @@ get_proppair(sa, mode)
continue;
/* get transform */
if (get_transform(prop, pair, &num_p) < 0) {
if (get_transform(prop, pair, &num_p, mode) < 0) {
vfree(pbuf);
return NULL;
}
@ -1269,10 +1277,11 @@ get_proppair(sa, mode)
* 0 : No valid transform found.
*/
static int
get_transform(prop, pair, num_p)
get_transform(prop, pair, num_p, mode)
struct isakmp_pl_p *prop;
struct prop_pair **pair;
int *num_p;
int mode;
{
int tlen; /* total length of all transform in a proposal */
caddr_t bp;
@ -1304,6 +1313,13 @@ get_transform(prop, pair, num_p)
"Invalid payload type=%u\n", pa->type);
break;
}
if (mode == IPSECDOI_TYPE_PH1
&& pa != (struct isakmp_parse_t *)pbuf->v) {
plog(LLV_ERROR, LOCATION, NULL,
"Only a single transform payload is allowed "
"during phase 1 processing.\n");
break;
}
trns = (struct isakmp_pl_t *)pa->ptr;
trnslen = pa->len;
@ -2218,6 +2234,14 @@ ahmismatch:
return -1;
}
if (proto_id == IPSECDOI_PROTO_IPSEC_ESP
&& trns->t_id == IPSECDOI_ESP_NULL
&& !attrseen[IPSECDOI_ATTR_AUTH]) {
plog(LLV_ERROR, LOCATION, NULL,
"attr AUTH must be present for ESP NULL encryption.\n");
return -1;
}
return 0;
}
@ -2640,6 +2664,23 @@ setph2proposal0(iph2, pp, pr)
for (tr = pr->head; tr; tr = tr->next) {
switch (pr->proto_id) {
case IPSECDOI_PROTO_IPSEC_ESP:
/*
* don't build a null encryption
* with no authentication transform.
*/
if (tr->trns_id == IPSECDOI_ESP_NULL &&
tr->authtype == IPSECDOI_ATTR_AUTH_NONE) {
plog(LLV_ERROR, LOCATION, NULL,
"attr AUTH must be present "
"for ESP NULL encryption.\n");
vfree(p);
return NULL;
}
break;
}
if (np_t) {
*np_t = ISAKMP_NPTYPE_T;
prop->num_t++;
@ -2825,16 +2866,15 @@ ipsecdoi_setph2proposal(iph2)
}
/*
* return 1 if all of the proposed protocols are transport mode.
* return 1 if all of the given protocols are transport mode.
*/
int
ipsecdoi_transportmode(iph2)
struct ph2handle *iph2;
{
ipsecdoi_transportmode(pp)
struct saprop *pp;
{
struct saproto *pr = NULL;
for (pp = iph2->proposal; pp; pp = pp->next) {
for (; pp; pp = pp->next) {
for (pr = pp->head; pr; pr = pr->next) {
if (pr->encmode != IPSECDOI_ATTR_ENC_MODE_TRNS)
return 0;
@ -3309,48 +3349,16 @@ ipsecdoi_setid2(iph2)
return -1;
}
if (!iph2->sainfo->idv) {
iph2->id = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.src,
iph2->id = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.src,
sp->spidx.prefs, sp->spidx.ul_proto);
if (iph2->id == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get ID for %s\n",
spidx2str(&sp->spidx));
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL, "use local ID type %s\n",
s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id->v)->type));
} else {
struct ipsecdoi_id_b id_b;
vchar_t *ident;
id_b.type = idtype2doi(iph2->sainfo->idvtype);
if (id_b.type == 255) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to convert ID type to DOI.\n");
return -1;
}
id_b.proto_id = 0;
id_b.port = 0;
ident = getidval(iph2->sainfo->idvtype, iph2->sainfo->idv);
if (!ident) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get ID value.\n");
return -1;
}
iph2->id = vmalloc(sizeof(id_b) + ident->l);
if (iph2->id == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get ID buffer.\n");
vfree(ident);
return -1;
}
memcpy(iph2->id->v, &id_b, sizeof(id_b));
memcpy(iph2->id->v + sizeof(id_b), ident->v, ident->l);
vfree(ident);
if (iph2->id == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get ID for %s\n",
spidx2str(&sp->spidx));
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL, "use local ID type %s\n",
s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id->v)->type));
/* remote side */
iph2->id_p = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.dst,
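Review bot: The new phase 1 guard in get_transform (`"Only a single transform payload is allowed during phase 1 processing"`) looks too strict: unless I am misreading RFC 2409 §5, a phase 1 SA is limited to one proposal but that proposal may carry several transforms, and racoon's own initiator emits one transform per `proposal {}` block, so a responder running this code logs an error and breaks out of the loop at the second transform of a valid peer offer; whether the remaining transforms are then ignored or the SA rejected depends on code past the hunk, but either way the single-payload restriction belongs only in get_proppair, where this hunk adds it correctly. Separately, the ESP NULL check `!attrseen[IPSECDOI_ATTR_AUTH]` only proves an AUTH attribute was present, not that its value names a real integrity algorithm; if the attribute value is not validated earlier (not visible here), mirror setph2proposal0 and also reject an `AUTH_NONE` or unknown value, since null encryption without integrity is exactly what this check exists to forbid. get_transform and the attribute checker both start and end outside this hunk.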


@ -1,4 +1,4 @@
/* $KAME: isakmp.c,v 1.176 2002/08/28 04:08:30 itojun Exp $ */
/* $KAME: isakmp.c,v 1.177 2003/05/29 08:59:51 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -755,9 +755,9 @@ quick_main(iph2, msg)
/* new negotiation of phase 1 for initiator */
int
isakmp_ph1begin_i(rmconf, remote)
isakmp_ph1begin_i(rmconf, remote, local)
struct remoteconf *rmconf;
struct sockaddr *remote;
struct sockaddr *remote, *local;
{
struct ph1handle *iph1;
#ifdef ENABLE_STATS
@ -782,7 +782,7 @@ isakmp_ph1begin_i(rmconf, remote)
iph1->approval = NULL;
/* XXX copy remote address */
if (copy_ph1addresses(iph1, rmconf, remote, NULL) < 0)
if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
return -1;
(void)insph1(iph1);
@ -1687,7 +1687,7 @@ isakmp_post_acquire(iph2)
saddrwop2str(iph2->dst));
/* start phase 1 negotiation as a initiator. */
if (isakmp_ph1begin_i(rmconf, iph2->dst) < 0) {
if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) {
SCHED_KILL(sc);
return -1;
}


@ -1,4 +1,4 @@
/* $KAME: isakmp_quick.c,v 1.93 2002/05/07 17:47:55 sakane Exp $ */
/* $KAME: isakmp_quick.c,v 1.94 2003/06/27 07:32:38 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -213,7 +213,7 @@ quick_i1send(iph2, msg)
/*
* we do not attach IDci nor IDcr, under the following condition:
* - all proposals are transport mode
* - no MIP6
* - no MIP6 or proxy
* - id payload suggests to encrypt all the traffic (no specific
* protocol type)
*/
@ -221,8 +221,8 @@ quick_i1send(iph2, msg)
id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
if (id->proto_id == 0
&& id_p->proto_id == 0
&& iph2->ph1->rmconf->support_mip6 == 0
&& ipsecdoi_transportmode(iph2)) {
&& iph2->ph1->rmconf->support_proxy == 0
&& ipsecdoi_transportmode(iph2->proposal)) {
idci = idcr = 0;
} else
idci = idcr = 1;
@ -1807,7 +1807,7 @@ get_sainfo_r(iph2)
goto end;
}
iph2->sainfo = getsainfo(idsrc, iddst);
iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p);
if (iph2->sainfo == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get sainfo.\n");
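Review bot: Passing `iph2->ph1->id_p` to getsainfo() turns the new `from` clause into an authorization decision based on the identity the peer asserted in phase 1, so it is only as strong as phase 1's binding of that ID: for rsasig that depends on the ID having been checked against the certificate (in racoon a separate, optional step not visible here), and for pre-shared keys on the PSK having been selected by the same ID. A comment at the call site would keep the next reader from treating it as a free-standing check, e.g. `/* id_p is the peer's phase 1 identity; trust it only as far as phase 1 authenticated it */`, and racoon.conf.5 should say the same for `from`, which this commit's man page hunk does not document. get_sainfo_r starts outside the hunk.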


@ -1,4 +1,4 @@
/* $KAME: kmpstat.c,v 1.30 2002/08/31 07:53:20 itojun Exp $ */
/* $KAME: kmpstat.c,v 1.31 2003/05/23 05:15:42 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -181,8 +181,6 @@ main(ac, av)
int ac;
char **av;
{
extern char *optarg;
extern int optind;
vchar_t *combuf;
int c;


@ -1,4 +1,4 @@
/* $KAME: oakley.c,v 1.114 2002/06/10 20:01:21 itojun Exp $ */
/* $KAME: oakley.c,v 1.115 2003/01/10 08:38:23 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -1289,7 +1289,7 @@ oakley_validate_auth(iph1)
}
if (error != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"Invalid authority of the CERT.\n");
"the peer's certificate is not verified.\n");
return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
}
}


@ -1,5 +1,5 @@
.\" $NetBSD: racoon.8,v 1.12 2003/07/04 12:33:11 wiz Exp $
.\" $KAME: racoon.8,v 1.30 2002/04/26 02:53:11 itojun Exp $
.\" $NetBSD: racoon.8,v 1.13 2003/07/12 09:02:25 itojun Exp $
.\" $KAME: racoon.8,v 1.31 2003/06/16 08:39:18 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.


@ -1,5 +1,5 @@
.\" $NetBSD: racoon.conf.5,v 1.19 2003/07/04 12:33:11 wiz Exp $
.\" $KAME: racoon.conf.5,v 1.101 2002/07/17 03:43:38 sakane Exp $
.\" $NetBSD: racoon.conf.5,v 1.20 2003/07/12 09:02:25 itojun Exp $
.\" $KAME: racoon.conf.5,v 1.106 2003/07/05 00:02:56 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
@ -397,7 +397,7 @@ If PFS is required by both sides and if the responder's group is not equal to
the initiator's one, then the responder will reject the proposal.
.El
.\"
.It Ic support_mip6 (on \(ba off) ;
.It Ic support_proxy (on \(ba off) ;
If this value is set on then both values of ID payloads in phase 2 exchange
are always used as the addresses of end-point of IPsec-SAs.
The default is off.


@ -1,77 +0,0 @@
/* $KAME: random.c,v 1.5 2000/11/06 08:43:17 itojun Exp $ */
/*
* Copyright (C) 2000 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* a stub function to make random() to return good random numbers.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/uio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <err.h>
#include "random.h"
static int fd = -1;
void
random_init()
{
fd = open("/dev/urandom", O_RDONLY, 0600);
if (fd < 0) {
err(1, "/dev/urandom");
/*NOTREACHED*/
}
}
long
random()
{
long v;
read(fd, &v, sizeof(v));
v &= ((~0UL) >> 1);
return v;
}
void
srandom(seed)
#ifdef __bsdi__
unsigned int seed;
#else
unsigned long seed;
#endif
{
/* nothing to do */
}


@ -1,32 +0,0 @@
/* $KAME: random.h,v 1.1 2000/10/05 06:34:56 itojun Exp $ */
/*
* Copyright (C) 2000 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
extern void random_init __P((void));


@ -1,159 +0,0 @@
# $KAME: sandiego.conf,v 1.7 2000/03/26 10:52:59 itojun Exp $
# search this file for pre_shared_key with various ID key.
path pre_shared_key "./psk.txt" ;
# racoon will search this directory if the certificate or certificate request
# is received.
path certificate "./cert.txt" ;
# personal information.
identifier vendor_id "KAME/racoon";
identifier user_fqdn "sakane@kame.net";
identifier fqdn "mine.kame.net";
identifier keyid "./keyid.txt";
# "log" specifies logging level. It is followed by either "info", "notify",
# "debug" or "debug2".
log debug2;
# "padding" defines some parameter of padding. You should not touch these.
padding {
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
restrict_check off; # enable restrict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
# isakmp 127.0.0.1 [7000];
# isakmp 0.0.0.0 [500];
admin [7002]; # administrative's port by kmpstat.
}
# Specification of default various timer.
timer {
# These value can be changed per remote node.
counter 1; # maximum trying count to send.
interval 30 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 20 sec;
phase2 15 sec;
}
# main mode example, with "anonymous" (any peer) configuration
remote anonymous
{
# In below case, main mode and aggressive mode are accepted. When
# initiating, main mode is first to be sent.
exchange_mode main, aggressive;
identifier address;
nonce_size 16;
lifetime time 600 sec;
# for aggressive mode definition.
dh_group modp1024;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group modp1024;
}
proposal {
encryption_algorithm des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group modp1024;
}
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group modp1024;
}
}
remote 194.100.55.1 [500]
{
exchange_mode main, aggressive;
# default doi is "ipsec_doi".
doi ipsec_doi;
# default situation is "identity_only".
situation identity_only;
# specify the identifier type
# "address", "fqdn", "user_fqdn", "keyid"
identifier user_fqdn;
# specify the bytes length of nonce.
nonce_size 16;
# means to do keep-a-live. This should not be used in dial-up.
keepalive;
dh_group modp1024;
proposal {
# they can be defined explicitly.
encryption_algorithm des;
hash_algorithm md5;
dh_group modp768;
authentication_method pre_shared_key ;
}
proposal {
encryption_algorithm 3des;
authentication_method pre_shared_key ;
# they can be defined individually.
lifetime time 5 min;
lifetime byte 2 MB;
}
}
policy 206.175.160.20/32 206.175.160.21/32 any inout ipsec
{
#pfs_group modp768;
# This proposal means IP2|AH|ESP|ULP.
proposal {
lifetime time 300 second;
lifetime byte 10000 KB;
protocol esp {
level require ;
mode transport ;
encryption_algorithm des ;
authentication_algorithm hmac_sha1 ;
}
# "ah" means AH.
protocol ah {
level require ;
mode transport ;
authentication_algorithm hmac_sha1 ;
}
}
# This proposal means IP2|ESP|ULP.
proposal {
lifetime time 600 second;
lifetime byte 10000 KB;
protocol esp {
level require ;
mode transport ;
encryption_algorithm des ;
authentication_algorithm hmac_sha1 ;
}
}
}


@ -1,4 +1,4 @@
/* $KAME: sockmisc.c,v 1.36 2002/04/15 06:20:08 sakane Exp $ */
/* $KAME: sockmisc.c,v 1.38 2003/05/09 05:31:11 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.


@ -1,4 +1,4 @@
/* $KAME: var.h,v 1.12 2001/11/13 12:38:51 jinmei Exp $ */
/* $KAME: var.h,v 1.13 2003/05/17 18:18:34 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.


@ -1,9 +1,9 @@
# $NetBSD: Makefile,v 1.16 2003/07/04 05:21:26 itojun Exp $
# $NetBSD: Makefile,v 1.17 2003/07/12 09:02:26 itojun Exp $
.include <bsd.own.mk>
PROG= racoon
SRCS= main.c session.c isakmp.c handler.c random.c \
SRCS= main.c session.c isakmp.c handler.c \
isakmp_ident.c isakmp_agg.c isakmp_base.c \
isakmp_quick.c isakmp_inf.c isakmp_newg.c \
gssapi.c \
@ -39,7 +39,7 @@ DPADD+= ${LIBIPSEC} ${LIBY} ${LIBL} ${LIBCRYPTO}
#CFLAGS+=-g
OPTFLAG+=-DHAVE_PFKEYV2 -DYIPS_DEBUG
CPPFLAGS+=-DINET6 -DHAVE_FUNCTION_MACRO=1 -DHAVE_LIBCRYPTO=1 -DHAVE_LIBL=1 -DHAVE_LIBY=1 -DENABLE_IPV6=1 -DADVAPI=1 -DHAVE_GETADDRINFO=1 -DHAVE_GETNAMEINFO=1 -DSTDC_HEADERS=1 -DHAVE_SYS_WAIT_H=1 -DHAVE_LIMITS_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_UNISTD_H=1 -DHAVE_STDARG_H=1 -DHAVE_VARARGS_H=1 -DTIME_WITH_SYS_TIME=1 -DRETSIGTYPE=void -DHAVE_VPRINTF=1 -DHAVE_GETTIMEOFDAY=1 -DHAVE_SELECT=1 -DHAVE_SOCKET=1 -DHAVE_STRERROR=1 -DHAVE_STRTOL=1 -DHAVE_STRTOUL=1 -DHAVE_STRDUP=1 -DHAVE_GETIFADDRS=1 -DHAVE_ARC4RANDOM=1 $(OPTFLAG) -DIPSEC -I. -I${RACOONSRCDIR} -DSYSCONFDIR=\"$(ETCDIR)\"
CPPFLAGS+=-DINET6 -DHAVE_FUNCTION_MACRO=1 -DHAVE_LIBCRYPTO=1 -DHAVE_LIBL=1 -DHAVE_LIBY=1 -DENABLE_IPV6=1 -DADVAPI=1 -DHAVE_GETADDRINFO=1 -DHAVE_GETNAMEINFO=1 -DSTDC_HEADERS=1 -DHAVE_SYS_WAIT_H=1 -DHAVE_LIMITS_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_UNISTD_H=1 -DHAVE_STDARG_H=1 -DHAVE_VARARGS_H=1 -DTIME_WITH_SYS_TIME=1 -DRETSIGTYPE=void -DHAVE_VPRINTF=1 -DHAVE_GETTIMEOFDAY=1 -DHAVE_SELECT=1 -DHAVE_SOCKET=1 -DHAVE_STRERROR=1 -DHAVE_STRTOL=1 -DHAVE_STRTOUL=1 -DHAVE_STRDUP=1 -DHAVE_GETIFADDRS=1 -DHAVE_ARC4RANDOM=1 $(OPTFLAG) -DIPSEC -DWITH_SHA2 -I. -I${RACOONSRCDIR} -DSYSCONFDIR=\"$(ETCDIR)\"
CPPFLAGS+=-DHAVE_OPENSSL_OPENSSLV_H=1
CPPFLAGS+=-DYY_NO_UNPUT
CPPFLAGS+=-I${LIBPFKEYSRCDIR}
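Review bot: Dropping random.c from SRCS removes the /dev/urandom-backed override of random() that file provided (it is deleted in this same commit), so any random() or srandom() call still left in the tree now resolves to libc's non-cryptographic generator. The CPPFLAGS line keeps `-DHAVE_ARC4RANDOM=1`, which is presumably the intended replacement, but that only holds if no nonce, cookie or padding path calls random() directly; worth confirming with a grep for `random(` over the racoon sources before this lands, and a one-line comment next to SRCS recording that arc4random is the sole entropy source would stop the file from being re-added out of habit.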