sync w/ 20040617.

2004-06-17 03:42:55 +00:00 · 2004-06-17 03:42:55 +00:00 · 166adfa9e5
parent f7968a3c82
commit 166adfa9e5
7 changed files with 125 additions and 84 deletions
--- a/crypto/dist/kame/racoon/crypto_openssl.c
+++ b/crypto/dist/kame/racoon/crypto_openssl.c
@ -1,4 +1,4 @@
-/*	$KAME: crypto_openssl.c,v 1.84 2004/04/07 01:12:46 sakane Exp $	*/
+/*	$KAME: crypto_openssl.c,v 1.86 2004/06/16 11:55:35 sakane Exp $	*/
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: crypto_openssl.c,v 1.13 2004/04/12 03:34:06 itojun Exp $");
+__RCSID("$NetBSD: crypto_openssl.c,v 1.14 2004/06/17 03:42:55 itojun Exp $");
 #include <sys/types.h>
 #include <sys/param.h>
@ -110,7 +110,8 @@ typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
 */
 #ifdef HAVE_SIGNING_C
-static int cb_check_cert __P((int, X509_STORE_CTX *));
+static int cb_check_cert_local __P((int, X509_STORE_CTX *));
 static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
 static X509 *mem2x509 __P((vchar_t *));
 #endif
@ -231,9 +232,10 @@ eay_cmp_asn1dn(n1, n2)
 * this functions is derived from apps/verify.c in OpenSSL0.9.5
 */
 int
-eay_check_x509cert(cert, CApath)
+eay_check_x509cert(cert, CApath, local)
 	vchar_t *cert;
 	char *CApath;
 	int local;
 {
 	X509_STORE *cert_ctx = NULL;
 	X509_LOOKUP *lookup = NULL;
@ -255,7 +257,11 @@ eay_check_x509cert(cert, CApath)
 	cert_ctx = X509_STORE_new();
 	if (cert_ctx == NULL)
 		goto end;
-	X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert);
+
 	if (local)
 		X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
 	else
 		X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);
 	lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
 	if (lookup == NULL)
@ -282,6 +288,10 @@ eay_check_x509cert(cert, CApath)
 	if (csc == NULL)
 		goto end;
 	X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
 #endif
 	error = X509_verify_cert(csc);
 	X509_STORE_CTX_cleanup(csc);
 #else
@ -308,11 +318,14 @@ end:
 }
 /*
- * callback function for verifing certificate.
+ * Callback function for verifing certificate.
- * this function is derived from cb() in openssl/apps/s_server.c
+ * Derived from cb() in openssl/apps/s_server.c
 *
 * This one is called for certificates obtained from 
 * 'peers_certfile' directive.
 */
 static int
-cb_check_cert(ok, ctx)
+cb_check_cert_local(ok, ctx)
 	int ok;
 	X509_STORE_CTX *ctx;
 {
@ -333,9 +346,8 @@ cb_check_cert(ok, ctx)
 		case X509_V_ERR_CERT_HAS_EXPIRED:
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 #if OPENSSL_VERSION_NUMBER >= 0x00905100L
 		case X509_V_ERR_INVALID_CA:
 		case X509_V_ERR_PATH_LENGTH_EXCEEDED:
 		case X509_V_ERR_INVALID_PURPOSE:
 		case X509_V_ERR_UNABLE_TO_GET_CRL:
 #endif
 			ok = 1;
 			log_tag = LLV_WARNING;
@ -343,21 +355,50 @@ cb_check_cert(ok, ctx)
 		default:
 			log_tag = LLV_ERROR;
 		}
 #ifndef EAYDEBUG
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
 			X509_verify_cert_error_string(ctx->error),
 			ctx->error,
 			ctx->error_depth,
 			buf);
-#else
+	}
-		printf("%d: %s(%d) at depth:%d SubjectName:%s\n",
+	ERR_clear_error();
-			log_tag,
+
 	return ok;
 }
 /*
 * Similar to cb_check_cert_local() but this one is called 
 * for certificates obtained from the IKE payload.
 */
 static int
 cb_check_cert_remote(ok, ctx)
 	int ok;
 	X509_STORE_CTX *ctx;
 {
 	char buf[256];
 	int log_tag;
 	if (!ok) {
 		X509_NAME_oneline(
 				X509_get_subject_name(ctx->current_cert),
 				buf,
 				256);
 		switch (ctx->error) {
 		case X509_V_ERR_UNABLE_TO_GET_CRL:
 			ok = 1;
 			log_tag = LLV_WARNING;
 			break;
 		default:
 			log_tag = LLV_ERROR;
 		}
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
 			X509_verify_cert_error_string(ctx->error),
 			ctx->error,
 			ctx->error_depth,
 			buf);
 #endif
 	}
 	ERR_clear_error();
@ -396,11 +437,7 @@ eay_get_x509asn1subjectname(cert)
   end:
 	if (error) {
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
 #else
 		printf("%s\n", eay_strerror());
 #endif
 		if (name) {
 			vfree(name);
 			name = NULL;
@ -454,10 +491,8 @@ eay_get_x509subjectaltname(cert, altname, type, pos)
 	/* make sure if the data is terminated by '\0'. */
 	if (gen->d.ia5->data[gen->d.ia5->length] != '\0') {
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"data is not terminated by '\0'.");
 #endif
 		hexdump(gen->d.ia5->data, gen->d.ia5->length + 1);
 		goto end;
 	}
@ -478,11 +513,7 @@ eay_get_x509subjectaltname(cert, altname, type, pos)
 			racoon_free(*altname);
 			*altname = NULL;
 		}
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
 #else
 		printf("%s\n", eay_strerror());
 #endif
 	}
 	if (x509)
 		X509_free(x509);
@ -534,11 +565,7 @@ eay_get_x509text(cert)
 			racoon_free(text);
 			text = NULL;
 		}
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
 #else
 		printf("%s\n", eay_strerror());
 #endif
 	}
 	if (bio)
 		BIO_free(bio);
@ -670,18 +697,14 @@ eay_check_x509sign(source, sig, cert)
 	x509 = d2i_X509(NULL, &bp, cert->l);
 	if (x509 == NULL) {
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
 #endif
 		return -1;
 	}
 	evp = X509_get_pubkey(x509);
 	if (!evp) {
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 		    "X509_get_pubkey: %s\n", eay_strerror());
 #endif
 		return -1;
 	}
@ -898,18 +921,14 @@ eay_rsa_verify(src, sig, evp)
 	len = RSA_size(evp->pkey.rsa);
 	xbuf = vmalloc(len);
 	if (xbuf == NULL) {
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
 #endif
 		EVP_PKEY_free(evp);
 		return -1;
 	}
 	len = RSA_public_decrypt(sig->l, sig->v, xbuf->v, evp->pkey.rsa, pad);
 #ifndef EAYDEBUG
 	if (len == 0 || len != src->l)
 		plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
 #endif
 	EVP_PKEY_free(evp);
 	if (len == 0 || len != src->l) {
 		vfree(xbuf);
@ -1597,12 +1616,8 @@ eay_hmacsha2_512_final(c)
 	(void)racoon_free(c);
 	if (SHA512_DIGEST_LENGTH != res->l) {
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"hmac sha2_512 length mismatch %d.\n", res->l);
 #else
 		printf("hmac sha2_512 length mismatch %d.\n", res->l);
 #endif
 		vfree(res);
 		return NULL;
 	}
@ -1657,12 +1672,8 @@ eay_hmacsha2_384_final(c)
 	(void)racoon_free(c);
 	if (SHA384_DIGEST_LENGTH != res->l) {
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"hmac sha2_384 length mismatch %d.\n", res->l);
 #else
 		printf("hmac sha2_384 length mismatch %d.\n", res->l);
 #endif
 		vfree(res);
 		return NULL;
 	}
@ -1717,12 +1728,8 @@ eay_hmacsha2_256_final(c)
 	(void)racoon_free(c);
 	if (SHA256_DIGEST_LENGTH != res->l) {
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"hmac sha2_256 length mismatch %d.\n", res->l);
 #else
 		printf("hmac sha2_256 length mismatch %d.\n", res->l);
 #endif
 		vfree(res);
 		return NULL;
 	}
@ -1778,12 +1785,8 @@ eay_hmacsha1_final(c)
 	(void)racoon_free(c);
 	if (SHA_DIGEST_LENGTH != res->l) {
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"hmac sha1 length mismatch %d.\n", res->l);
 #else
 		printf("hmac sha1 length mismatch %d.\n", res->l);
 #endif
 		vfree(res);
 		return NULL;
 	}
@ -1838,12 +1841,8 @@ eay_hmacmd5_final(c)
 	(void)racoon_free(c);
 	if (MD5_DIGEST_LENGTH != res->l) {
 #ifndef EAYDEBUG
 		plog(LLV_ERROR, LOCATION, NULL,
 			"hmac md5 length mismatch %d.\n", res->l);
 #else
 		printf("hmac md5 length mismatch %d.\n", res->l);
 #endif
 		vfree(res);
 		return NULL;
 	}
--- a/crypto/dist/kame/racoon/eaytest.c
+++ b/crypto/dist/kame/racoon/eaytest.c
@ -1,4 +1,4 @@
-/*	$KAME: eaytest.c,v 1.43 2004/04/08 09:15:10 sakane Exp $	*/
+/*	$KAME: eaytest.c,v 1.45 2004/06/16 11:55:36 sakane Exp $	*/
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: eaytest.c,v 1.5 2004/04/12 03:34:06 itojun Exp $");
+__RCSID("$NetBSD: eaytest.c,v 1.6 2004/06/17 03:42:55 itojun Exp $");
 #include <sys/types.h>
 #include <sys/stat.h>
@ -65,6 +65,7 @@ __RCSID("$NetBSD: eaytest.c,v 1.5 2004/04/12 03:34:06 itojun Exp $");
 u_int32_t loglevel = 4;
 /* prototype */
 void plog __P((int, const char *, struct sockaddr *, const char *, ...));
 void rsatest __P((int, char **));
 #if 0
@ -83,6 +84,16 @@ void dhtest __P((int, char **));
 void bntest __P((int, char **));
 void Usage __P((void));
 void
 plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
 {
 	va_list ap;
 	va_start(ap, fmt);
 	vprintf(fmt, ap);
 	va_end(ap);
 }
 /* test */
 void
@ -285,7 +296,7 @@ certtest(ac, av)
 		}
 	    }
-		error = eay_check_x509cert(&c, certpath);
+		error = eay_check_x509cert(&c, certpath, 1);
 		if (error)
 			printf("ERROR: cert is invalid.\n");
 		printf("\n");
--- a/crypto/dist/kame/racoon/grabmyaddr.c
+++ b/crypto/dist/kame/racoon/grabmyaddr.c
@ -1,4 +1,4 @@
-/*	$KAME: grabmyaddr.c,v 1.36 2003/10/23 09:53:58 itojun Exp $	*/
+/*	$KAME: grabmyaddr.c,v 1.37 2004/04/15 08:22:14 sakane Exp $	*/
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: grabmyaddr.c,v 1.7 2004/04/12 03:34:07 itojun Exp $");
+__RCSID("$NetBSD: grabmyaddr.c,v 1.8 2004/06/17 03:42:55 itojun Exp $");
 #include <sys/types.h>
 #include <sys/param.h>
@ -397,8 +397,9 @@ suitable_ifaddr6(ifname, ifaddr)
 	close(s);
-	if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DUPLICATED
+	if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DUPLICATED ||
-	 || ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED)
+	    ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED ||
 	    ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_ANYCAST)
 		return 0;
 	/* suitable */
--- a/crypto/dist/kame/racoon/handler.c
+++ b/crypto/dist/kame/racoon/handler.c
@ -1,4 +1,4 @@
-/*	$KAME: handler.c,v 1.58 2004/03/27 03:27:45 suz Exp $	*/
+/*	$KAME: handler.c,v 1.59 2004/04/12 03:57:05 sakane Exp $	*/
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: handler.c,v 1.3 2004/04/12 03:34:07 itojun Exp $");
+__RCSID("$NetBSD: handler.c,v 1.4 2004/06/17 03:42:55 itojun Exp $");
 #include <sys/types.h>
 #include <sys/param.h>
@ -426,7 +426,7 @@ newph2()
 	if (iph2 == NULL)
 		return NULL;
-	iph2->status = PHASE1ST_SPAWN;
+	iph2->status = PHASE2ST_SPAWN;
 	return iph2;
 }
--- a/crypto/dist/kame/racoon/kmpstat.c
+++ b/crypto/dist/kame/racoon/kmpstat.c
@ -1,4 +1,4 @@
-/*	$KAME: kmpstat.c,v 1.31 2003/05/23 05:15:42 sakane Exp $	*/
+/*	$KAME: kmpstat.c,v 1.32 2004/04/15 08:55:22 sakane Exp $	*/
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: kmpstat.c,v 1.8 2003/07/12 09:37:11 itojun Exp $");
+__RCSID("$NetBSD: kmpstat.c,v 1.9 2004/06/17 03:42:55 itojun Exp $");
 #include <sys/types.h>
 #include <sys/param.h>
@ -602,11 +602,13 @@ f_exchangesa(ac, av)
 		return NULL;
 	head = (struct admin_com *)buf->v;
-	head->ac_len = buf->l + index->l;
+	head->ac_len = buf->l;
-	head->ac_cmd = ADMIN_DELETE_SA;
+	head->ac_cmd = ADMIN_ESTABLISH_SA;
 	head->ac_errno = 0;
 	head->ac_proto = proto;
 	memcpy(buf->v+sizeof(*head), index->v, index->l);
 	return buf;
 }
@ -638,7 +640,7 @@ get_index(ac, av)
 {
 	int family;
-	if (ac != 3) {
+	if (ac != 3 && ac != 4) {
 		errno = EINVAL;
 		return NULL;
 	}
@ -648,6 +650,7 @@ get_index(ac, av)
 	if (family == -1)
 		return NULL;
 	av++;
 	ac--;
 	return get_comindexes(family, ac, av);
 }
@ -679,7 +682,7 @@ get_comindexes(family, ac, av)
 	struct sockaddr *src = NULL, *dst = NULL;
 	int ulproto;
-	if (ac != 2) {
+	if (ac != 2 && ac != 3) {
 		errno = EINVAL;
 		return NULL;
 	}
@ -698,9 +701,18 @@ get_comindexes(family, ac, av)
 	if (src == NULL)
 		goto bad;
 	av++;
 	ac--;
 	if (get_comindex(*av, &p_name, &p_port, &p_prefd) == -1)
 		goto bad;
 	dst = get_sockaddr(family, p_name, p_port);
 	if (p_name) {
 		racoon_free(p_name);
 		p_name = NULL;
 	}
 	if (p_port) {
 		racoon_free(p_port);
 		p_port = NULL;
 	}
 	if (dst == NULL)
 		goto bad;
@ -709,19 +721,30 @@ get_comindexes(family, ac, av)
 		goto bad;
 	av++;
-	ulproto = get_ulproto(*av);
+	ac--;
-	if (ulproto == -1)
+	if(ac){
-		goto bad;
+		ulproto = get_ulproto(*av);
 		if (ulproto == -1)
 			goto bad;
 	}else
 		ulproto=0;
-	ci = (struct admin_com_indexes *)buf;
+	ci = (struct admin_com_indexes *)buf->v;
-	ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
+	if(p_prefs)
-	ci->prefd = (u_int8_t)atoi(p_prefd); /* XXX should be handled error. */
+		ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
 	else
 		ci->prefs = 32;
 	if(p_prefd)
 		ci->prefd = (u_int8_t)atoi(p_prefd); /* XXX should be handled error. */
 	else
 		ci->prefd = 32;
 	ci->ul_proto = ulproto;
 	memcpy(&ci->src, src, src->sa_len);
 	memcpy(&ci->dst, dst, dst->sa_len);
 	if (p_name)
 		racoon_free(p_name);
 	return buf;
   bad:
@ -778,6 +801,7 @@ get_comindex(str, name, port, pref)
 	return 0;
    bad:
 	if (*name)
 		racoon_free(*name);
 	if (*port)
@ -798,6 +822,7 @@ get_sockaddr(family, name, port)
 	memset(&hint, 0, sizeof(hint));
 	hint.ai_family = PF_UNSPEC;
 	hint.ai_family = family;
 	hint.ai_socktype = SOCK_STREAM;
 	error = getaddrinfo(name, port, &hint, &ai);
@ -815,6 +840,11 @@ get_ulproto(str)
 {
 	struct ulproto_tag *cp;
 	if(str == NULL){
 		errno = EINVAL;
 		return -1;
 	}
 	/* checking the string of upper layer protocol. */
 	for (cp = &ulprototab[0]; cp->str; cp++) {
 		if (strcmp(str, cp->str) == 0)
--- a/crypto/dist/kame/racoon/oakley.c
+++ b/crypto/dist/kame/racoon/oakley.c
@ -1,4 +1,4 @@
-/*	$KAME: oakley.c,v 1.117 2004/03/27 03:27:46 suz Exp $	*/
+/*	$KAME: oakley.c,v 1.118 2004/06/16 11:55:36 sakane Exp $	*/
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: oakley.c,v 1.11 2004/04/12 03:34:07 itojun Exp $");
+__RCSID("$NetBSD: oakley.c,v 1.12 2004/06/17 03:42:55 itojun Exp $");
 #include <sys/types.h>
 #include <sys/param.h>
@ -1326,7 +1326,7 @@ oakley_validate_auth(iph1)
 			switch (iph1->rmconf->certtype) {
 			case ISAKMP_CERT_X509SIGN:
 				error = eay_check_x509cert(&iph1->cert_p->cert,
-					lcconf->pathinfo[LC_PATHTYPE_CERT]);
+					lcconf->pathinfo[LC_PATHTYPE_CERT], 0);
 				break;
 			default:
 				plog(LLV_ERROR, LOCATION, NULL,
--- a/usr.sbin/racoon/Makefile.inc
+++ b/usr.sbin/racoon/Makefile.inc
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.inc,v 1.15 2004/04/12 03:34:08 itojun Exp $
+#	$NetBSD: Makefile.inc,v 1.16 2004/06/17 03:42:55 itojun Exp $
 .include <bsd.own.mk>		# for NETBSDSRCDIR & MKDYNAMICROOT definition
@ -19,6 +19,6 @@ LDSTATIC?=      -static
 DBG=	-g
-PKGVERSION=	netbsd-20040412
+PKGVERSION=	netbsd-20040617
 .include "../Makefile.inc"