Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sync w/ 20040617.

This commit is contained in:
itojun 2004-06-17 03:42:55 +00:00
parent f7968a3c82
commit 166adfa9e5
7 changed files with 125 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
crypto/dist/kame/racoon/crypto_openssl.c vendored
View File

@ -1,4 +1,4 @@
/* $KAME: crypto_openssl.c,v 1.84 2004/04/07 01:12:46 sakane Exp $ */
/* $KAME: crypto_openssl.c,v 1.86 2004/06/16 11:55:35 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: crypto_openssl.c,v 1.13 2004/04/12 03:34:06 itojun Exp $");
__RCSID("$NetBSD: crypto_openssl.c,v 1.14 2004/06/17 03:42:55 itojun Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -110,7 +110,8 @@ typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
*/
#ifdef HAVE_SIGNING_C
static int cb_check_cert __P((int, X509_STORE_CTX *));
static int cb_check_cert_local __P((int, X509_STORE_CTX *));
static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
static X509 *mem2x509 __P((vchar_t *));
#endif
@ -231,9 +232,10 @@ eay_cmp_asn1dn(n1, n2)
* this functions is derived from apps/verify.c in OpenSSL0.9.5
*/
int
eay_check_x509cert(cert, CApath)
eay_check_x509cert(cert, CApath, local)
vchar_t *cert;
char *CApath;
int local;
{
X509_STORE *cert_ctx = NULL;
X509_LOOKUP *lookup = NULL;
@ -255,7 +257,11 @@ eay_check_x509cert(cert, CApath)
cert_ctx = X509_STORE_new();
if (cert_ctx == NULL)
goto end;
X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert);
if (local)
X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
else
X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
if (lookup == NULL)
@ -282,6 +288,10 @@ eay_check_x509cert(cert, CApath)
if (csc == NULL)
goto end;
X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
#endif
error = X509_verify_cert(csc);
X509_STORE_CTX_cleanup(csc);
#else
@ -308,11 +318,14 @@ end:
}
/*
* callback function for verifing certificate.
* this function is derived from cb() in openssl/apps/s_server.c
* Callback function for verifing certificate.
* Derived from cb() in openssl/apps/s_server.c
*
* This one is called for certificates obtained from
* 'peers_certfile' directive.
*/
static int
cb_check_cert(ok, ctx)
cb_check_cert_local(ok, ctx)
int ok;
X509_STORE_CTX *ctx;
{
@ -333,9 +346,8 @@ cb_check_cert(ok, ctx)
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
#if OPENSSL_VERSION_NUMBER >= 0x00905100L
case X509_V_ERR_INVALID_CA:
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
case X509_V_ERR_INVALID_PURPOSE:
case X509_V_ERR_UNABLE_TO_GET_CRL:
#endif
ok = 1;
log_tag = LLV_WARNING;
@ -343,21 +355,50 @@ cb_check_cert(ok, ctx)
default:
log_tag = LLV_ERROR;
}
#ifndef EAYDEBUG
plog(log_tag, LOCATION, NULL,
"%s(%d) at depth:%d SubjectName:%s\n",
X509_verify_cert_error_string(ctx->error),
ctx->error,
ctx->error_depth,
buf);
#else
printf("%d: %s(%d) at depth:%d SubjectName:%s\n",
log_tag,
}
ERR_clear_error();
return ok;
}
/*
* Similar to cb_check_cert_local() but this one is called
* for certificates obtained from the IKE payload.
*/
static int
cb_check_cert_remote(ok, ctx)
int ok;
X509_STORE_CTX *ctx;
{
char buf[256];
int log_tag;
if (!ok) {
X509_NAME_oneline(
X509_get_subject_name(ctx->current_cert),
buf,
256);
switch (ctx->error) {
case X509_V_ERR_UNABLE_TO_GET_CRL:
ok = 1;
log_tag = LLV_WARNING;
break;
default:
log_tag = LLV_ERROR;
}
plog(log_tag, LOCATION, NULL,
"%s(%d) at depth:%d SubjectName:%s\n",
X509_verify_cert_error_string(ctx->error),
ctx->error,
ctx->error_depth,
buf);
#endif
}
ERR_clear_error();
@ -396,11 +437,7 @@ eay_get_x509asn1subjectname(cert)
end:
if (error) {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
#else
printf("%s\n", eay_strerror());
#endif
if (name) {
vfree(name);
name = NULL;
@ -454,10 +491,8 @@ eay_get_x509subjectaltname(cert, altname, type, pos)
/* make sure if the data is terminated by '\0'. */
if (gen->d.ia5->data[gen->d.ia5->length] != '\0') {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL,
"data is not terminated by '\0'.");
#endif
hexdump(gen->d.ia5->data, gen->d.ia5->length + 1);
goto end;
}
@ -478,11 +513,7 @@ eay_get_x509subjectaltname(cert, altname, type, pos)
racoon_free(*altname);
*altname = NULL;
}
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
#else
printf("%s\n", eay_strerror());
#endif
}
if (x509)
X509_free(x509);
@ -534,11 +565,7 @@ eay_get_x509text(cert)
racoon_free(text);
text = NULL;
}
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
#else
printf("%s\n", eay_strerror());
#endif
}
if (bio)
BIO_free(bio);
@ -670,18 +697,14 @@ eay_check_x509sign(source, sig, cert)
x509 = d2i_X509(NULL, &bp, cert->l);
if (x509 == NULL) {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
#endif
return -1;
}
evp = X509_get_pubkey(x509);
if (!evp) {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL,
"X509_get_pubkey: %s\n", eay_strerror());
#endif
return -1;
}
@ -898,18 +921,14 @@ eay_rsa_verify(src, sig, evp)
len = RSA_size(evp->pkey.rsa);
xbuf = vmalloc(len);
if (xbuf == NULL) {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
#endif
EVP_PKEY_free(evp);
return -1;
}
len = RSA_public_decrypt(sig->l, sig->v, xbuf->v, evp->pkey.rsa, pad);
#ifndef EAYDEBUG
if (len == 0 || len != src->l)
plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
#endif
EVP_PKEY_free(evp);
if (len == 0 || len != src->l) {
vfree(xbuf);
@ -1597,12 +1616,8 @@ eay_hmacsha2_512_final(c)
(void)racoon_free(c);
if (SHA512_DIGEST_LENGTH != res->l) {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL,
"hmac sha2_512 length mismatch %d.\n", res->l);
#else
printf("hmac sha2_512 length mismatch %d.\n", res->l);
#endif
vfree(res);
return NULL;
}
@ -1657,12 +1672,8 @@ eay_hmacsha2_384_final(c)
(void)racoon_free(c);
if (SHA384_DIGEST_LENGTH != res->l) {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL,
"hmac sha2_384 length mismatch %d.\n", res->l);
#else
printf("hmac sha2_384 length mismatch %d.\n", res->l);
#endif
vfree(res);
return NULL;
}
@ -1717,12 +1728,8 @@ eay_hmacsha2_256_final(c)
(void)racoon_free(c);
if (SHA256_DIGEST_LENGTH != res->l) {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL,
"hmac sha2_256 length mismatch %d.\n", res->l);
#else
printf("hmac sha2_256 length mismatch %d.\n", res->l);
#endif
vfree(res);
return NULL;
}
@ -1778,12 +1785,8 @@ eay_hmacsha1_final(c)
(void)racoon_free(c);
if (SHA_DIGEST_LENGTH != res->l) {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL,
"hmac sha1 length mismatch %d.\n", res->l);
#else
printf("hmac sha1 length mismatch %d.\n", res->l);
#endif
vfree(res);
return NULL;
}
@ -1838,12 +1841,8 @@ eay_hmacmd5_final(c)
(void)racoon_free(c);
if (MD5_DIGEST_LENGTH != res->l) {
#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL,
"hmac md5 length mismatch %d.\n", res->l);
#else
printf("hmac md5 length mismatch %d.\n", res->l);
#endif
vfree(res);
return NULL;
}

17
crypto/dist/kame/racoon/eaytest.c vendored
View File

@ -1,4 +1,4 @@
/* $KAME: eaytest.c,v 1.43 2004/04/08 09:15:10 sakane Exp $ */
/* $KAME: eaytest.c,v 1.45 2004/06/16 11:55:36 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: eaytest.c,v 1.5 2004/04/12 03:34:06 itojun Exp $");
__RCSID("$NetBSD: eaytest.c,v 1.6 2004/06/17 03:42:55 itojun Exp $");
#include <sys/types.h>
#include <sys/stat.h>
@ -65,6 +65,7 @@ __RCSID("$NetBSD: eaytest.c,v 1.5 2004/04/12 03:34:06 itojun Exp $");
u_int32_t loglevel = 4;
/* prototype */
void plog __P((int, const char *, struct sockaddr *, const char *, ...));
void rsatest __P((int, char **));
#if 0
@ -83,6 +84,16 @@ void dhtest __P((int, char **));
void bntest __P((int, char **));
void Usage __P((void));
void
plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
vprintf(fmt, ap);
va_end(ap);
}
/* test */
void
@ -285,7 +296,7 @@ certtest(ac, av)
}
}
error = eay_check_x509cert(&c, certpath);
error = eay_check_x509cert(&c, certpath, 1);
if (error)
printf("ERROR: cert is invalid.\n");
printf("\n");

9
crypto/dist/kame/racoon/grabmyaddr.c vendored
View File

@ -1,4 +1,4 @@
/* $KAME: grabmyaddr.c,v 1.36 2003/10/23 09:53:58 itojun Exp $ */
/* $KAME: grabmyaddr.c,v 1.37 2004/04/15 08:22:14 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: grabmyaddr.c,v 1.7 2004/04/12 03:34:07 itojun Exp $");
__RCSID("$NetBSD: grabmyaddr.c,v 1.8 2004/06/17 03:42:55 itojun Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -397,8 +397,9 @@ suitable_ifaddr6(ifname, ifaddr)
close(s);
if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DUPLICATED
|| ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED)
if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DUPLICATED ||
ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED ||
ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_ANYCAST)
return 0;
/* suitable */

6
crypto/dist/kame/racoon/handler.c vendored
View File

@ -1,4 +1,4 @@
/* $KAME: handler.c,v 1.58 2004/03/27 03:27:45 suz Exp $ */
/* $KAME: handler.c,v 1.59 2004/04/12 03:57:05 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: handler.c,v 1.3 2004/04/12 03:34:07 itojun Exp $");
__RCSID("$NetBSD: handler.c,v 1.4 2004/06/17 03:42:55 itojun Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -426,7 +426,7 @@ newph2()
if (iph2 == NULL)
return NULL;
iph2->status = PHASE1ST_SPAWN;
iph2->status = PHASE2ST_SPAWN;
return iph2;
}

54
crypto/dist/kame/racoon/kmpstat.c vendored
View File

@ -1,4 +1,4 @@
/* $KAME: kmpstat.c,v 1.31 2003/05/23 05:15:42 sakane Exp $ */
/* $KAME: kmpstat.c,v 1.32 2004/04/15 08:55:22 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: kmpstat.c,v 1.8 2003/07/12 09:37:11 itojun Exp $");
__RCSID("$NetBSD: kmpstat.c,v 1.9 2004/06/17 03:42:55 itojun Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -602,11 +602,13 @@ f_exchangesa(ac, av)
return NULL;
head = (struct admin_com *)buf->v;
head->ac_len = buf->l + index->l;
head->ac_cmd = ADMIN_DELETE_SA;
head->ac_len = buf->l;
head->ac_cmd = ADMIN_ESTABLISH_SA;
head->ac_errno = 0;
head->ac_proto = proto;
memcpy(buf->v+sizeof(*head), index->v, index->l);
return buf;
}
@ -638,7 +640,7 @@ get_index(ac, av)
{
int family;
if (ac != 3) {
if (ac != 3 && ac != 4) {
errno = EINVAL;
return NULL;
}
@ -648,6 +650,7 @@ get_index(ac, av)
if (family == -1)
return NULL;
av++;
ac--;
return get_comindexes(family, ac, av);
}
@ -679,7 +682,7 @@ get_comindexes(family, ac, av)
struct sockaddr *src = NULL, *dst = NULL;
int ulproto;
if (ac != 2) {
if (ac != 2 && ac != 3) {
errno = EINVAL;
return NULL;
}
@ -698,9 +701,18 @@ get_comindexes(family, ac, av)
if (src == NULL)
goto bad;
av++;
ac--;
if (get_comindex(*av, &p_name, &p_port, &p_prefd) == -1)
goto bad;
dst = get_sockaddr(family, p_name, p_port);
if (p_name) {
racoon_free(p_name);
p_name = NULL;
}
if (p_port) {
racoon_free(p_port);
p_port = NULL;
}
if (dst == NULL)
goto bad;
@ -709,19 +721,30 @@ get_comindexes(family, ac, av)
goto bad;
av++;
ulproto = get_ulproto(*av);
if (ulproto == -1)
goto bad;
ac--;
if(ac){
ulproto = get_ulproto(*av);
if (ulproto == -1)
goto bad;
}else
ulproto=0;
ci = (struct admin_com_indexes *)buf;
ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
ci->prefd = (u_int8_t)atoi(p_prefd); /* XXX should be handled error. */
ci = (struct admin_com_indexes *)buf->v;
if(p_prefs)
ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
else
ci->prefs = 32;
if(p_prefd)
ci->prefd = (u_int8_t)atoi(p_prefd); /* XXX should be handled error. */
else
ci->prefd = 32;
ci->ul_proto = ulproto;
memcpy(&ci->src, src, src->sa_len);
memcpy(&ci->dst, dst, dst->sa_len);
if (p_name)
racoon_free(p_name);
return buf;
bad:
@ -778,6 +801,7 @@ get_comindex(str, name, port, pref)
return 0;
bad:
if (*name)
racoon_free(*name);
if (*port)
@ -798,6 +822,7 @@ get_sockaddr(family, name, port)
memset(&hint, 0, sizeof(hint));
hint.ai_family = PF_UNSPEC;
hint.ai_family = family;
hint.ai_socktype = SOCK_STREAM;
error = getaddrinfo(name, port, &hint, &ai);
@ -815,6 +840,11 @@ get_ulproto(str)
{
struct ulproto_tag *cp;
if(str == NULL){
errno = EINVAL;
return -1;
}
/* checking the string of upper layer protocol. */
for (cp = &ulprototab[0]; cp->str; cp++) {
if (strcmp(str, cp->str) == 0)

6
crypto/dist/kame/racoon/oakley.c vendored
View File

@ -1,4 +1,4 @@
/* $KAME: oakley.c,v 1.117 2004/03/27 03:27:46 suz Exp $ */
/* $KAME: oakley.c,v 1.118 2004/06/16 11:55:36 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: oakley.c,v 1.11 2004/04/12 03:34:07 itojun Exp $");
__RCSID("$NetBSD: oakley.c,v 1.12 2004/06/17 03:42:55 itojun Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -1326,7 +1326,7 @@ oakley_validate_auth(iph1)
switch (iph1->rmconf->certtype) {
case ISAKMP_CERT_X509SIGN:
error = eay_check_x509cert(&iph1->cert_p->cert,
lcconf->pathinfo[LC_PATHTYPE_CERT]);
lcconf->pathinfo[LC_PATHTYPE_CERT], 0);
break;
default:
plog(LLV_ERROR, LOCATION, NULL,

4
usr.sbin/racoon/Makefile.inc
View File

@ -1,4 +1,4 @@
# $NetBSD: Makefile.inc,v 1.15 2004/04/12 03:34:08 itojun Exp $
# $NetBSD: Makefile.inc,v 1.16 2004/06/17 03:42:55 itojun Exp $
.include <bsd.own.mk> # for NETBSDSRCDIR & MKDYNAMICROOT definition
@ -19,6 +19,6 @@ LDSTATIC?= -static
DBG= -g
PKGVERSION= netbsd-20040412
PKGVERSION= netbsd-20040617
.include "../Makefile.inc"