diff --git a/crypto/dist/kame/racoon/crypto_openssl.c b/crypto/dist/kame/racoon/crypto_openssl.c index dcb9785ec16d..cecd3618ccd2 100644 --- a/crypto/dist/kame/racoon/crypto_openssl.c +++ b/crypto/dist/kame/racoon/crypto_openssl.c @@ -1,4 +1,4 @@ -/* $KAME: crypto_openssl.c,v 1.84 2004/04/07 01:12:46 sakane Exp $ */ +/* $KAME: crypto_openssl.c,v 1.86 2004/06/16 11:55:35 sakane Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: crypto_openssl.c,v 1.13 2004/04/12 03:34:06 itojun Exp $"); +__RCSID("$NetBSD: crypto_openssl.c,v 1.14 2004/06/17 03:42:55 itojun Exp $"); #include #include @@ -110,7 +110,8 @@ typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; */ #ifdef HAVE_SIGNING_C -static int cb_check_cert __P((int, X509_STORE_CTX *)); +static int cb_check_cert_local __P((int, X509_STORE_CTX *)); +static int cb_check_cert_remote __P((int, X509_STORE_CTX *)); static X509 *mem2x509 __P((vchar_t *)); #endif @@ -231,9 +232,10 @@ eay_cmp_asn1dn(n1, n2) * this functions is derived from apps/verify.c in OpenSSL0.9.5 */ int -eay_check_x509cert(cert, CApath) +eay_check_x509cert(cert, CApath, local) vchar_t *cert; char *CApath; + int local; { X509_STORE *cert_ctx = NULL; X509_LOOKUP *lookup = NULL; @@ -255,7 +257,11 @@ eay_check_x509cert(cert, CApath) cert_ctx = X509_STORE_new(); if (cert_ctx == NULL) goto end; - X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert); + + if (local) + X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local); + else + X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote); lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); if (lookup == NULL) 
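Review bot: The new `int local` parameter added to `eay_check_x509cert` in the @@ -231 hunk is a bare flag, and the two callers in this diff pass the literals `1` (eaytest.c) and `0` (oakley.c), which tells a reader nothing about which verification policy is being selected. Two named constants next to the prototypes in the @@ -110 hunk, e.g. `#define EAY_CERT_LOCAL 1` / `#define EAY_CERT_REMOTE 0` (names constructed here), or a comment on the definition such as `/* local: 1 = cert from peers_certfile (lenient), 0 = cert from the IKE payload */`, would make the call sites self-describing. The external declaration of eay_check_x509cert presumably lives in a header that is not part of this diff; if it is a real prototype rather than a K&R-style declaration it needs the third parameter too, otherwise the callers compile against the old signature.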
@@ -282,6 +288,10 @@ eay_check_x509cert(cert, CApath) if (csc == NULL) goto end; X509_STORE_CTX_init(csc, cert_ctx, x509, NULL); +#if OPENSSL_VERSION_NUMBER >= 0x00907000L + X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK); + X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL); +#endif error = X509_verify_cert(csc); X509_STORE_CTX_cleanup(csc); #else @@ -308,11 +318,14 @@ end: } /* - * callback function for verifing certificate. - * this function is derived from cb() in openssl/apps/s_server.c + * Callback function for verifing certificate. + * Derived from cb() in openssl/apps/s_server.c + * + * This one is called for certificates obtained from + * 'peers_certfile' directive. */ static int -cb_check_cert(ok, ctx) +cb_check_cert_local(ok, ctx) int ok; X509_STORE_CTX *ctx; { @@ -333,9 +346,8 @@ cb_check_cert(ok, ctx) case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: #if OPENSSL_VERSION_NUMBER >= 0x00905100L - case X509_V_ERR_INVALID_CA: - case X509_V_ERR_PATH_LENGTH_EXCEEDED: case X509_V_ERR_INVALID_PURPOSE: + case X509_V_ERR_UNABLE_TO_GET_CRL: #endif ok = 1; log_tag = LLV_WARNING; 
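Review bot: The @@ -282 hunk turns on `X509_V_FLAG_CRL_CHECK` and `X509_V_FLAG_CRL_CHECK_ALL` unconditionally, but both callbacks (the @@ -333 hunk here and `cb_check_cert_remote` in the next hunk) downgrade `X509_V_ERR_UNABLE_TO_GET_CRL` to a warning and set `ok = 1`, so a CA for which no CRL can be loaded from CApath verifies as if revocation had been checked. For certificates received from the peer that is a fail-open default: a revoked peer certificate is accepted whenever its CRL is missing or fails to load, and the only trace is a warning-level log line. If tolerating missing CRLs is intended for deployments that ship none, it should be a configuration choice rather than always on, and the warning should say what was skipped, e.g. `"no CRL found, revocation of %s not checked\n"`. A short comment above the two `X509_STORE_CTX_set_flags` calls stating that missing CRLs are tolerated by the callbacks would also help the next reader.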
@@ -343,21 +355,50 @@ cb_check_cert(ok, ctx) default: log_tag = LLV_ERROR; } -#ifndef EAYDEBUG plog(log_tag, LOCATION, NULL, "%s(%d) at depth:%d SubjectName:%s\n", X509_verify_cert_error_string(ctx->error), ctx->error, ctx->error_depth, buf); -#else - printf("%d: %s(%d) at depth:%d SubjectName:%s\n", - log_tag, + } + ERR_clear_error(); + + return ok; +} + +/* + * Similar to cb_check_cert_local() but this one is called + * for certificates obtained from the IKE payload. + */ +static int +cb_check_cert_remote(ok, ctx) + int ok; + X509_STORE_CTX *ctx; +{ + char buf[256]; + int log_tag; + + if (!ok) { + X509_NAME_oneline( + X509_get_subject_name(ctx->current_cert), + buf, + 256); + + switch (ctx->error) { + case X509_V_ERR_UNABLE_TO_GET_CRL: + ok = 1; + log_tag = LLV_WARNING; + break; + default: + log_tag = LLV_ERROR; + } + plog(log_tag, LOCATION, NULL, + "%s(%d) at depth:%d SubjectName:%s\n", X509_verify_cert_error_string(ctx->error), ctx->error, ctx->error_depth, buf); -#endif } ERR_clear_error(); @@ -396,11 +437,7 @@ eay_get_x509asn1subjectname(cert) end: if (error) { -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); -#else - printf("%s\n", eay_strerror()); -#endif if (name) { vfree(name); name = NULL; @@ -454,10 +491,8 @@ eay_get_x509subjectaltname(cert, altname, type, pos) /* make sure if the data is terminated by '\0'. */ if (gen->d.ia5->data[gen->d.ia5->length] != '\0') { -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "data is not terminated by '\0'."); -#endif hexdump(gen->d.ia5->data, gen->d.ia5->length + 1); goto end; } @@ -478,11 +513,7 @@ eay_get_x509subjectaltname(cert, altname, type, pos) racoon_free(*altname); *altname = NULL; } -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); -#else - printf("%s\n", eay_strerror()); -#endif } if (x509) X509_free(x509); 
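Review bot: `cb_check_cert_remote` in the @@ -343 hunk calls `X509_get_subject_name(ctx->current_cert)` without checking that `current_cert` is non-NULL; for some verification failures (memory exhaustion while building the chain, for instance) OpenSSL may invoke the callback with it unset — worth confirming against the OpenSSL version in use — and the error path would then dereference NULL while formatting the log line. Guarding it keeps the logging from becoming the crash: `if (ctx->current_cert) X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf, sizeof buf); else snprintf(buf, sizeof buf, "(no certificate)");` and `sizeof buf` should replace the repeated literal `256` in both callbacks. The same applies to `cb_check_cert_local`, whose body starts above this hunk. The new function's comment also inherits the typo "verifing" (→ "verifying") from the one above it; `cb_check_cert_remote` continues past the end of the hunk.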
@@ -534,11 +565,7 @@ eay_get_x509text(cert) racoon_free(text); text = NULL; } -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); -#else - printf("%s\n", eay_strerror()); -#endif } if (bio) BIO_free(bio); @@ -670,18 +697,14 @@ eay_check_x509sign(source, sig, cert) x509 = d2i_X509(NULL, &bp, cert->l); if (x509 == NULL) { -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); -#endif return -1; } evp = X509_get_pubkey(x509); if (!evp) { -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey: %s\n", eay_strerror()); -#endif return -1; } @@ -898,18 +921,14 @@ eay_rsa_verify(src, sig, evp) len = RSA_size(evp->pkey.rsa); xbuf = vmalloc(len); if (xbuf == NULL) { -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); -#endif EVP_PKEY_free(evp); return -1; } len = RSA_public_decrypt(sig->l, sig->v, xbuf->v, evp->pkey.rsa, pad); -#ifndef EAYDEBUG if (len == 0 || len != src->l) plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); -#endif EVP_PKEY_free(evp); if (len == 0 || len != src->l) { vfree(xbuf); @@ -1597,12 +1616,8 @@ eay_hmacsha2_512_final(c) (void)racoon_free(c); if (SHA512_DIGEST_LENGTH != res->l) { -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "hmac sha2_512 length mismatch %d.\n", res->l); -#else - printf("hmac sha2_512 length mismatch %d.\n", res->l); -#endif vfree(res); return NULL; } @@ -1657,12 +1672,8 @@ eay_hmacsha2_384_final(c) (void)racoon_free(c); if (SHA384_DIGEST_LENGTH != res->l) { -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "hmac sha2_384 length mismatch %d.\n", res->l); -#else - printf("hmac sha2_384 length mismatch %d.\n", res->l); -#endif vfree(res); return NULL; } 
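Review bot: In the @@ -670 hunk of `eay_check_x509sign`, the `if (!evp)` branch returns -1 without releasing the `x509` object decoded a few lines earlier, so every signature check that reaches a certificate without an extractable public key leaks an X509 structure; the commit reshuffles the logging around this `return -1;` but keeps the leak. The fix is one line before the return: `X509_free(x509);`. The rest of the function, including the normal-path cleanup, is outside the hunk, so this assumes no other exit frees `x509` on that path.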
@@ -1717,12 +1728,8 @@ eay_hmacsha2_256_final(c) (void)racoon_free(c); if (SHA256_DIGEST_LENGTH != res->l) { -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "hmac sha2_256 length mismatch %d.\n", res->l); -#else - printf("hmac sha2_256 length mismatch %d.\n", res->l); -#endif vfree(res); return NULL; } @@ -1778,12 +1785,8 @@ eay_hmacsha1_final(c) (void)racoon_free(c); if (SHA_DIGEST_LENGTH != res->l) { -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "hmac sha1 length mismatch %d.\n", res->l); -#else - printf("hmac sha1 length mismatch %d.\n", res->l); -#endif vfree(res); return NULL; } @@ -1838,12 +1841,8 @@ eay_hmacmd5_final(c) (void)racoon_free(c); if (MD5_DIGEST_LENGTH != res->l) { -#ifndef EAYDEBUG plog(LLV_ERROR, LOCATION, NULL, "hmac md5 length mismatch %d.\n", res->l); -#else - printf("hmac md5 length mismatch %d.\n", res->l); -#endif vfree(res); return NULL; } diff --git a/crypto/dist/kame/racoon/eaytest.c b/crypto/dist/kame/racoon/eaytest.c index 4bdf473e04b9..d49fb23267ef 100644 --- a/crypto/dist/kame/racoon/eaytest.c +++ b/crypto/dist/kame/racoon/eaytest.c @@ -1,4 +1,4 @@ -/* $KAME: eaytest.c,v 1.43 2004/04/08 09:15:10 sakane Exp $ */ +/* $KAME: eaytest.c,v 1.45 2004/06/16 11:55:36 sakane Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: eaytest.c,v 1.5 2004/04/12 03:34:06 itojun Exp $"); +__RCSID("$NetBSD: eaytest.c,v 1.6 2004/06/17 03:42:55 itojun Exp $"); #include #include @@ -65,6 +65,7 @@ __RCSID("$NetBSD: eaytest.c,v 1.5 2004/04/12 03:34:06 itojun Exp $"); u_int32_t loglevel = 4; /* prototype */ +void plog __P((int, const char *, struct sockaddr *, const char *, ...)); void rsatest __P((int, char **)); #if 0 
@@ -83,6 +84,16 @@ void dhtest __P((int, char **)); void bntest __P((int, char **)); void Usage __P((void)); +void +plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...) +{ + va_list ap; + + va_start(ap, fmt); + vprintf(fmt, ap); + va_end(ap); +} + /* test */ void @@ -285,7 +296,7 @@ certtest(ac, av) } } - error = eay_check_x509cert(&c, certpath); + error = eay_check_x509cert(&c, certpath, 1); if (error) printf("ERROR: cert is invalid.\n"); printf("\n"); diff --git a/crypto/dist/kame/racoon/grabmyaddr.c b/crypto/dist/kame/racoon/grabmyaddr.c index 94f4854789e5..14700648fc49 100644 --- a/crypto/dist/kame/racoon/grabmyaddr.c +++ b/crypto/dist/kame/racoon/grabmyaddr.c @@ -1,4 +1,4 @@ -/* $KAME: grabmyaddr.c,v 1.36 2003/10/23 09:53:58 itojun Exp $ */ +/* $KAME: grabmyaddr.c,v 1.37 2004/04/15 08:22:14 sakane Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: grabmyaddr.c,v 1.7 2004/04/12 03:34:07 itojun Exp $"); +__RCSID("$NetBSD: grabmyaddr.c,v 1.8 2004/06/17 03:42:55 itojun Exp $"); #include #include @@ -397,8 +397,9 @@ suitable_ifaddr6(ifname, ifaddr) close(s); - if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DUPLICATED - || ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED) + if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DUPLICATED || + ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED || + ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_ANYCAST) return 0; /* suitable */ diff --git a/crypto/dist/kame/racoon/handler.c b/crypto/dist/kame/racoon/handler.c index 36963a0ae033..d63117d4f0ca 100644 --- a/crypto/dist/kame/racoon/handler.c +++ b/crypto/dist/kame/racoon/handler.c @@ -1,4 +1,4 @@ -/* $KAME: handler.c,v 1.58 2004/03/27 03:27:45 suz Exp $ */ +/* $KAME: handler.c,v 1.59 2004/04/12 03:57:05 sakane Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 
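Review bot: The `plog` stub added in the @@ -83 hunk discards `pri`, so in eaytest output an LLV_ERROR from the certificate callbacks now looks identical to an LLV_WARNING that was tolerated with `ok = 1`, which is exactly the distinction certtest wants to exercise. Printing the level first, `printf("%d: ", pri);` before the `vprintf`, restores what the removed EAYDEBUG branch in crypto_openssl.c used to print. `va_list`/`va_start` need `<stdarg.h>`; the include block is outside the hunk, so confirm eaytest.c already pulls it in. `func` and `sa` are intentionally unused; a `/* test stub: location and peer address are ignored */` comment would say so.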
@@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: handler.c,v 1.3 2004/04/12 03:34:07 itojun Exp $"); +__RCSID("$NetBSD: handler.c,v 1.4 2004/06/17 03:42:55 itojun Exp $"); #include #include @@ -426,7 +426,7 @@ newph2() if (iph2 == NULL) return NULL; - iph2->status = PHASE1ST_SPAWN; + iph2->status = PHASE2ST_SPAWN; return iph2; } diff --git a/crypto/dist/kame/racoon/kmpstat.c b/crypto/dist/kame/racoon/kmpstat.c index 6a2390c0941d..0b9c8643c810 100644 --- a/crypto/dist/kame/racoon/kmpstat.c +++ b/crypto/dist/kame/racoon/kmpstat.c @@ -1,4 +1,4 @@ -/* $KAME: kmpstat.c,v 1.31 2003/05/23 05:15:42 sakane Exp $ */ +/* $KAME: kmpstat.c,v 1.32 2004/04/15 08:55:22 sakane Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: kmpstat.c,v 1.8 2003/07/12 09:37:11 itojun Exp $"); +__RCSID("$NetBSD: kmpstat.c,v 1.9 2004/06/17 03:42:55 itojun Exp $"); #include #include @@ -602,11 +602,13 @@ f_exchangesa(ac, av) return NULL; head = (struct admin_com *)buf->v; - head->ac_len = buf->l + index->l; - head->ac_cmd = ADMIN_DELETE_SA; + head->ac_len = buf->l; + head->ac_cmd = ADMIN_ESTABLISH_SA; head->ac_errno = 0; head->ac_proto = proto; + memcpy(buf->v+sizeof(*head), index->v, index->l); + return buf; } @@ -638,7 +640,7 @@ get_index(ac, av) { int family; - if (ac != 3) { + if (ac != 3 && ac != 4) { errno = EINVAL; return NULL; } @@ -648,6 +650,7 @@ get_index(ac, av) if (family == -1) return NULL; av++; + ac--; return get_comindexes(family, ac, av); } @@ -679,7 +682,7 @@ get_comindexes(family, ac, av) struct sockaddr *src = NULL, *dst = NULL; int ulproto; - if (ac != 2) { + if (ac != 2 && ac != 3) { errno = EINVAL; return NULL; } 
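Review bot: In the @@ -602 hunk of `f_exchangesa`, the new `memcpy(buf->v+sizeof(*head), index->v, index->l)` writes `index->l` bytes past the header, which is only safe if `buf` was allocated with `sizeof(*head) + index->l`; the allocation is above the hunk, and the change of `ac_len` from `buf->l + index->l` to `buf->l` suggests that is the case, but a guard before the copy, `if (buf->l < sizeof(*head) + index->l) { vfree(buf); return NULL; }`, turns the assumption into a check. A one-line comment at the memcpy, such as `/* buf was sized for header + index above */`, would also help once the allocation is confirmed. The `ADMIN_DELETE_SA` → `ADMIN_ESTABLISH_SA` change makes the function match its name and needs no further change.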
@@ -698,9 +701,18 @@ get_comindexes(family, ac, av) if (src == NULL) goto bad; av++; + ac--; if (get_comindex(*av, &p_name, &p_port, &p_prefd) == -1) goto bad; dst = get_sockaddr(family, p_name, p_port); + if (p_name) { + racoon_free(p_name); + p_name = NULL; + } + if (p_port) { + racoon_free(p_port); + p_port = NULL; + } if (dst == NULL) goto bad; @@ -709,19 +721,30 @@ get_comindexes(family, ac, av) goto bad; av++; - ulproto = get_ulproto(*av); - if (ulproto == -1) - goto bad; + ac--; + if(ac){ + ulproto = get_ulproto(*av); + if (ulproto == -1) + goto bad; + }else + ulproto=0; - ci = (struct admin_com_indexes *)buf; - ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */ - ci->prefd = (u_int8_t)atoi(p_prefd); /* XXX should be handled error. */ + ci = (struct admin_com_indexes *)buf->v; + if(p_prefs) + ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */ + else + ci->prefs = 32; + if(p_prefd) + ci->prefd = (u_int8_t)atoi(p_prefd); /* XXX should be handled error. */ + else + ci->prefd = 32; ci->ul_proto = ulproto; memcpy(&ci->src, src, src->sa_len); memcpy(&ci->dst, dst, dst->sa_len); if (p_name) racoon_free(p_name); + return buf; bad: @@ -778,6 +801,7 @@ get_comindex(str, name, port, pref) return 0; bad: + if (*name) racoon_free(*name); if (*port) @@ -798,6 +822,7 @@ get_sockaddr(family, name, port) memset(&hint, 0, sizeof(hint)); hint.ai_family = PF_UNSPEC; + hint.ai_family = family; hint.ai_socktype = SOCK_STREAM; error = getaddrinfo(name, port, &hint, &ai); @@ -815,6 +840,11 @@ get_ulproto(str) { struct ulproto_tag *cp; + if(str == NULL){ + errno = EINVAL; + return -1; + } + /* checking the string of upper layer protocol. */ for (cp = &ulprototab[0]; cp->str; cp++) { if (strcmp(str, cp->str) == 0) diff --git a/crypto/dist/kame/racoon/oakley.c b/crypto/dist/kame/racoon/oakley.c index 3918fdb88bbd..8108777c921e 100644 --- a/crypto/dist/kame/racoon/oakley.c +++ b/crypto/dist/kame/racoon/oakley.c 
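Review bot: The @@ -709 hunk still feeds `p_prefs`/`p_prefd` through `atoi()` into a `u_int8_t`, keeping the `XXX should be handled error` it carries over: a prefix such as `300` or `-1` silently wraps instead of being rejected, and these values come straight from the command line. `strtoul` with an end-pointer check and a bound of 32 for AF_INET (128 for AF_INET6) replaces both `atoi` calls and the XXX comment. The new default of `32` when no prefix is given is a full-host mask only for IPv4; for `family == AF_INET6` it selects a /32 rather than the single address, so the default should depend on `family`. After the frees added in the @@ -698 hunk `p_name` is always NULL, so the trailing `if (p_name) racoon_free(p_name);` is now dead and can go; whether the `p_name`/`p_port` from the first `get_comindex` call (above this hunk) are released before being overwritten is not visible here.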
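Review bot: In the @@ -798 hunk of `get_sockaddr`, the added `hint.ai_family = family;` immediately overwrites the `hint.ai_family = PF_UNSPEC;` above it, leaving a dead store that reads as if two policies were intended. Drop the `PF_UNSPEC` line, or if a fallback to any family is wanted when `family` is unset, make it explicit: `hint.ai_family = family ? family : PF_UNSPEC;`. The caller always passes the family it has already validated in `get_index` (it returns NULL on -1), so the fallback is probably unnecessary. The `get_ulproto` NULL check in the @@ -815 hunk is fine as defence in depth, since `strcmp` on a NULL `str` would otherwise be undefined behaviour.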
@@ -1,4 +1,4 @@ -/* $KAME: oakley.c,v 1.117 2004/03/27 03:27:46 suz Exp $ */ +/* $KAME: oakley.c,v 1.118 2004/06/16 11:55:36 sakane Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: oakley.c,v 1.11 2004/04/12 03:34:07 itojun Exp $"); +__RCSID("$NetBSD: oakley.c,v 1.12 2004/06/17 03:42:55 itojun Exp $"); #include #include @@ -1326,7 +1326,7 @@ oakley_validate_auth(iph1) switch (iph1->rmconf->certtype) { case ISAKMP_CERT_X509SIGN: error = eay_check_x509cert(&iph1->cert_p->cert, - lcconf->pathinfo[LC_PATHTYPE_CERT]); + lcconf->pathinfo[LC_PATHTYPE_CERT], 0); break; default: plog(LLV_ERROR, LOCATION, NULL, diff --git a/usr.sbin/racoon/Makefile.inc b/usr.sbin/racoon/Makefile.inc index 08a5bd3a5f10..df32d7f48e15 100644 --- a/usr.sbin/racoon/Makefile.inc +++ b/usr.sbin/racoon/Makefile.inc @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.inc,v 1.15 2004/04/12 03:34:08 itojun Exp $ +# $NetBSD: Makefile.inc,v 1.16 2004/06/17 03:42:55 itojun Exp $ .include # for NETBSDSRCDIR & MKDYNAMICROOT definition @@ -19,6 +19,6 @@ LDSTATIC?= -static DBG= -g -PKGVERSION= netbsd-20040412 +PKGVERSION= netbsd-20040617 .include "../Makefile.inc"