KAME racoon as of 2001/03/08.

This commit is contained in:
thorpej 2001-03-08 22:18:05 +00:00
parent f6c36838ae
commit 29f3673b42
12 changed files with 330 additions and 103 deletions


@ -1,4 +1,4 @@
.\" $KAME: ipsec_set_policy.3,v 1.12 2001/01/03 03:37:28 itojun Exp $
.\" $KAME: ipsec_set_policy.3,v 1.13 2001/02/21 09:31:11 sakane Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
@ -163,6 +163,15 @@ and
.Ar src
is the other node
.Pq peer .
If
.Ar mode
is
.Li transport ,
Both
.Ar src
and
.Ar dst
can be omited.
.Pp
.Ar level
must be set to one of the following:
@ -230,12 +239,11 @@ Here are several examples
.Pq long lines are wrapped for readability :
.Bd -literal -offset indent
in discard
out ipsec esp/transport/10.1.1.1-10.1.1.2/require
in ipsec ah/transport/10.1.1.2-10.1.1.1/require
out ipsec esp/transport/10.1.1.2-10.1.1.1/use
ah/tunnel/10.1.1.2-10.1.1.1/unique:1000
in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
esp/transport/10.1.1.2-10.1.1.1/use
out ipsec esp/transport//require
in ipsec ah/transport//require
out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
in ipsec ipcomp/transport//use
esp/transport//use
.Ed
.Sh RETURN VALUES
.Fn ipsec_set_policy


@ -1,4 +1,4 @@
/* $KAME: libpfkey.h,v 1.5 2001/01/29 10:29:58 sakane Exp $ */
/* $KAME: libpfkey.h,v 1.6 2001/03/05 18:22:17 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -52,6 +52,8 @@ int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_delete __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_delete_all __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *));
int pfkey_send_get __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_register __P((int, u_int));


@ -1,4 +1,4 @@
/* $KAME: pfkey.c,v 1.38 2000/12/27 11:38:10 sakane Exp $ */
/* $KAME: pfkey.c,v 1.39 2001/03/05 18:22:17 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -541,6 +541,91 @@ pfkey_send_delete(so, satype, mode, src, dst, spi)
return len;
}
/*
* sending SADB_DELETE without spi to the kernel. This is
* the "delete all" request (an extension also present in
* Solaris).
*
* OUT:
* positive: success and return length sent
* -1 : error occured, and set errno
*/
int
pfkey_send_delete_all(so, satype, mode, src, dst)
int so;
u_int satype, mode;
struct sockaddr *src, *dst;
{
struct sadb_msg *newmsg;
int len;
caddr_t p;
int plen;
caddr_t ep;
/* validity check */
if (src == NULL || dst == NULL) {
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
if (src->sa_family != dst->sa_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
switch (src->sa_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
__ipsec_errcode = EIPSEC_INVAL_FAMILY;
return -1;
}
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(src->sa_len)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(dst->sa_len);
if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
__ipsec_set_strerror(strerror(errno));
return -1;
}
ep = ((caddr_t)newmsg) + len;
p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_DELETE, len, satype, 0,
getpid());
if (!p) {
free(newmsg);
return -1;
}
p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen,
IPSEC_ULPROTO_ANY);
if (!p) {
free(newmsg);
return -1;
}
p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, plen,
IPSEC_ULPROTO_ANY);
if (!p || p != ep) {
free(newmsg);
return -1;
}
/* send message */
len = pfkey_send(so, newmsg, len);
free(newmsg);
if (len < 0)
return -1;
__ipsec_errcode = EIPSEC_NO_ERROR;
return len;
}
/*
* sending SADB_GET message to the kernel.
* OUT:
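Review bot: `mode` is accepted by pfkey_send_delete_all() but never read in its body (only so, satype, src and dst are used), so the request is mode-agnostic and the header comment should say so, e.g. `* mode is accepted for symmetry with pfkey_send_delete() but is not encoded; SAs of every mode match.` The only caller on this page passes IPSEC_MODE_ANY, which is consistent with that. Since the comment itself calls the spi-less SADB_DELETE an extension, it should also tell callers that a kernel without it may refuse the message, and that the refusal would presumably arrive in the PF_KEY reply rather than as a -1 from pfkey_send(), so a caller needs its own fallback.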


@ -1,4 +1,4 @@
/* $KAME: gssapi.c,v 1.17 2001/01/29 23:42:57 thorpej Exp $ */
/* $KAME: gssapi.c,v 1.18 2001/03/05 23:36:31 thorpej Exp $ */
/*
* Copyright 2000 Wasabi Systems, Inc.
@ -85,12 +85,16 @@ gssapi_error(OM_uint32 status_code, const char *where,
do {
maj_stat = gss_display_status(&min_stat, status_code,
GSS_C_GSS_CODE, GSS_C_NO_OID, &message_context,
GSS_C_MECH_CODE, GSS_C_NO_OID, &message_context,
&status_string);
if (!GSS_ERROR(maj_stat))
if (GSS_ERROR(maj_stat))
plog(LLV_ERROR, LOCATION, NULL,
"UNABLE TO GET GSSAPI ERROR CODE\n");
else {
plog(LLV_ERROR, where, NULL,
"%s\n", status_string.value);
gss_release_buffer(&min_stat, &status_string);
"%s\n", status_string.value);
gss_release_buffer(&min_stat, &status_string);
}
} while (message_context != 0);
}
@ -142,15 +146,15 @@ gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service)
maj_stat = gss_import_name(&min_stat, &name_token,
GSS_C_NT_HOSTBASED_SERVICE, service);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "import name\n");
gssapi_error(min_stat, LOCATION, "import name\n");
maj_stat = gss_release_buffer(&min_stat, &name_token);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release name_token");
gssapi_error(min_stat, LOCATION, "release name_token");
return -1;
}
maj_stat = gss_release_buffer(&min_stat, &name_token);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release name_token");
gssapi_error(min_stat, LOCATION, "release name_token");
return 0;
}
@ -180,7 +184,7 @@ gssapi_init(struct ph1handle *iph1)
maj_stat = gss_import_name(&min_stat, &id_token, GSS_C_NO_OID,
&princ);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "import name\n");
gssapi_error(min_stat, LOCATION, "import name\n");
gssapi_free_state(iph1);
return -1;
}
@ -190,23 +194,23 @@ gssapi_init(struct ph1handle *iph1)
maj_stat = gss_canonicalize_name(&min_stat, princ, GSS_C_NO_OID,
&canon_princ);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "canonicalize name\n");
gssapi_error(min_stat, LOCATION, "canonicalize name\n");
maj_stat = gss_release_name(&min_stat, &princ);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release princ\n");
gssapi_error(min_stat, LOCATION, "release princ\n");
gssapi_free_state(iph1);
return -1;
}
maj_stat = gss_release_name(&min_stat, &princ);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release princ\n");
gssapi_error(min_stat, LOCATION, "release princ\n");
maj_stat = gss_export_name(&min_stat, canon_princ, cred);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "export name\n");
gssapi_error(min_stat, LOCATION, "export name\n");
maj_stat = gss_release_name(&min_stat, &canon_princ);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION,
gssapi_error(min_stat, LOCATION,
"release canon_princ\n");
gssapi_free_state(iph1);
return -1;
@ -216,22 +220,22 @@ gssapi_init(struct ph1handle *iph1)
cred->length, cred->value);
maj_stat = gss_release_buffer(&min_stat, cred);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release cred buffer\n");
gssapi_error(min_stat, LOCATION, "release cred buffer\n");
maj_stat = gss_acquire_cred(&min_stat, canon_princ, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_BOTH, &gps->gss_cred, NULL, NULL);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "acquire cred\n");
gssapi_error(min_stat, LOCATION, "acquire cred\n");
maj_stat = gss_release_name(&min_stat, &canon_princ);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION,
gssapi_error(min_stat, LOCATION,
"release canon_princ\n");
gssapi_free_state(iph1);
return -1;
}
maj_stat = gss_release_name(&min_stat, &canon_princ);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release canon_princ\n");
gssapi_error(min_stat, LOCATION, "release canon_princ\n");
return 0;
}
@ -262,7 +266,7 @@ gssapi_get_itoken(struct ph1handle *iph1, int *lenp)
maj_stat = gss_import_name(&min_stat, &name_token,
GSS_C_NO_OID, &partner);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "import of %s\n",
gssapi_error(min_stat, LOCATION, "import of %s\n",
name_token.value);
return -1;
}
@ -281,15 +285,15 @@ gssapi_get_itoken(struct ph1handle *iph1, int *lenp)
itoken, NULL, NULL);
if (GSS_ERROR(gps->gss_status)) {
gssapi_error(gps->gss_status, LOCATION, "init_sec_context\n");
gssapi_error(min_stat, LOCATION, "init_sec_context\n");
maj_stat = gss_release_name(&min_stat, &partner);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release name\n");
gssapi_error(min_stat, LOCATION, "release name\n");
return -1;
}
maj_stat = gss_release_name(&min_stat, &partner);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release name\n");
gssapi_error(min_stat, LOCATION, "release name\n");
plog(LLV_DEBUG, LOCATION, NULL, "gss_init_sec_context status %x\n",
gps->gss_status);
@ -328,29 +332,29 @@ gssapi_get_rtoken(struct ph1handle *iph1, int *lenp)
NULL, itoken, NULL, NULL, NULL);
if (GSS_ERROR(gps->gss_status)) {
gssapi_error(gps->gss_status, LOCATION, "accept_sec_context\n");
gssapi_error(min_stat, LOCATION, "accept_sec_context\n");
return -1;
}
maj_stat = gss_display_name(&min_stat, client_name, &name_token, NULL);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "gss_display_name\n");
gssapi_error(min_stat, LOCATION, "gss_display_name\n");
maj_stat = gss_release_name(&min_stat, &client_name);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION,
gssapi_error(min_stat, LOCATION,
"release client_name\n");
return -1;
}
maj_stat = gss_release_name(&min_stat, &client_name);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release client_name\n");
gssapi_error(min_stat, LOCATION, "release client_name\n");
plog(LLV_DEBUG, LOCATION, NULL,
"gss_accept_sec_context: other side is %s\n",
name_token.value);
maj_stat = gss_release_buffer(&min_stat, &name_token);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release name buffer\n");
gssapi_error(min_stat, LOCATION, "release name buffer\n");
if (itoken->length != 0)
gps->gsscnt++;
@ -507,10 +511,10 @@ gssapi_wraphash(struct ph1handle *iph1)
maj_stat = gss_wrap(&min_stat, gps->gss_context, 1, GSS_C_QOP_DEFAULT,
hash_in, NULL, hash_out);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "wrapping hash value\n");
gssapi_error(min_stat, LOCATION, "wrapping hash value\n");
maj_stat = gss_release_buffer(&min_stat, hash_in);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION,
gssapi_error(min_stat, LOCATION,
"release hash_in buffer\n");
return NULL;
}
@ -520,19 +524,19 @@ gssapi_wraphash(struct ph1handle *iph1)
maj_stat = gss_release_buffer(&min_stat, hash_in);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release hash_in buffer\n");
gssapi_error(min_stat, LOCATION, "release hash_in buffer\n");
if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) {
plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
maj_stat = gss_release_buffer(&min_stat, hash_out);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION,
gssapi_error(min_stat, LOCATION,
"release hash_out buffer\n");
return NULL;
}
maj_stat = gss_release_buffer(&min_stat, hash_out);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release hash_out buffer\n");
gssapi_error(min_stat, LOCATION, "release hash_out buffer\n");
return outbuf;
}
@ -563,7 +567,7 @@ gssapi_unwraphash(struct ph1handle *iph1)
maj_stat = gss_unwrap(&min_stat, gps->gss_context, hash_in, hash_out,
NULL, NULL);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "unwrapping hash value\n");
gssapi_error(min_stat, LOCATION, "unwrapping hash value\n");
return NULL;
}
@ -571,13 +575,13 @@ gssapi_unwraphash(struct ph1handle *iph1)
plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
maj_stat = gss_release_buffer(&min_stat, hash_out);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION,
gssapi_error(min_stat, LOCATION,
"release hash_out buffer\n");
return NULL;
}
maj_stat = gss_release_buffer(&min_stat, hash_out);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release hash_out buffer\n");
gssapi_error(min_stat, LOCATION, "release hash_out buffer\n");
return outbuf;
}
@ -638,7 +642,7 @@ gssapi_free_state(struct ph1handle *iph1)
if (gps->gss_cred != GSS_C_NO_CREDENTIAL) {
maj_stat = gss_release_cred(&min_stat, &gps->gss_cred);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION,
gssapi_error(min_stat, LOCATION,
"releasing credentials\n");
}
free(gps);
@ -659,29 +663,29 @@ gssapi_get_default_id(struct ph1handle *iph1)
maj_stat = gss_canonicalize_name(&min_stat, defname, GSS_C_NO_OID,
&canon_name);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "canonicalize name\n");
gssapi_error(min_stat, LOCATION, "canonicalize name\n");
maj_stat = gss_release_name(&min_stat, &defname);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION,
gssapi_error(min_stat, LOCATION,
"release default name\n");
return NULL;
}
maj_stat = gss_release_name(&min_stat, &defname);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release default name\n");
gssapi_error(min_stat, LOCATION, "release default name\n");
maj_stat = gss_export_name(&min_stat, canon_name, id);
if (GSS_ERROR(maj_stat)) {
gssapi_error(maj_stat, LOCATION, "export name\n");
gssapi_error(min_stat, LOCATION, "export name\n");
maj_stat = gss_release_name(&min_stat, &canon_name);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION,
gssapi_error(min_stat, LOCATION,
"release canonical name\n");
return NULL;
}
maj_stat = gss_release_name(&min_stat, &canon_name);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release canonical name\n");
gssapi_error(min_stat, LOCATION, "release canonical name\n");
plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%*s' creds\n",
id->length, id->value);
@ -690,12 +694,12 @@ gssapi_get_default_id(struct ph1handle *iph1)
plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
maj_stat = gss_release_buffer(&min_stat, id);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release id buffer\n");
gssapi_error(min_stat, LOCATION, "release id buffer\n");
return NULL;
}
maj_stat = gss_release_buffer(&min_stat, id);
if (GSS_ERROR(maj_stat))
gssapi_error(maj_stat, LOCATION, "release id buffer\n");
gssapi_error(min_stat, LOCATION, "release id buffer\n");
return vmbuf;
}
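Review bot: With gssapi_error() now displaying GSS_C_MECH_CODE and every caller handing it min_stat, the major status that failed the GSS_ERROR() test is no longer logged on any error path in this file (gssapi_get_itoken and gssapi_get_rtoken still print gps->gss_status, but only at LLV_DEBUG). A mechanism minor code without the GSS_S_* value is hard to act on when the minor code is 0 or mechanism-specific. Either let gssapi_error() take both codes and run the gss_display_status() loop once with GSS_C_GSS_CODE and once with GSS_C_MECH_CODE, or log the major value at the call sites, e.g. `plog(LLV_ERROR, LOCATION, NULL, "major status 0x%x\n", maj_stat);` before each changed gssapi_error() call.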


@ -1,4 +1,4 @@
/* $KAME: handler.c,v 1.43 2001/02/06 16:28:16 thorpej Exp $ */
/* $KAME: handler.c,v 1.45 2001/03/06 20:41:02 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -207,10 +207,10 @@ delph1(iph1)
VPTRINIT(iph1->authstr);
if (iph1->sce)
SCHED_KILL(iph1->sce);
if (iph1->scr)
SCHED_KILL(iph1->scr);
sched_scrub_param(iph1);
iph1->sce = NULL;
iph1->scr = NULL;
VPTRINIT(iph1->sendbuf);
flush_recvedpkt(iph1->rlist);
@ -408,14 +408,16 @@ getph2bysaidx(src, dst, proto_id, spi)
if (iph2->proposal == NULL && iph2->approval == NULL)
continue;
if (iph2->approval != NULL) {
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
for (pr = iph2->approval->head; pr != NULL;
pr = pr->next) {
if (proto_id != pr->proto_id)
break;
if (spi == pr->spi || spi == pr->spi_p)
return iph2;
}
} else if (iph2->proposal != NULL) {
for (pr = iph2->proposal->head; pr != NULL; pr = pr->next) {
for (pr = iph2->proposal->head; pr != NULL;
pr = pr->next) {
if (proto_id != pr->proto_id)
break;
if (spi == pr->spi)
@ -454,10 +456,10 @@ void
initph2(iph2)
struct ph2handle *iph2;
{
if (iph2->sce)
SCHED_KILL(iph2->sce);
if (iph2->scr)
SCHED_KILL(iph2->scr);
sched_scrub_param(iph2);
iph2->sce = NULL;
iph2->scr = NULL;
VPTRINIT(iph2->sendbuf);
@ -577,6 +579,44 @@ flushph2()
}
}
/*
* Delete all Phase 2 handlers for this src/dst/proto. This
* is used during INITIAL-CONTACT processing (so no need to
* send a message to the peer).
*/
void
deleteallph2(src, dst, proto_id)
struct sockaddr *src, *dst;
u_int proto_id;
{
struct ph2handle *iph2, *next;
struct saproto *pr;
for (iph2 = LIST_FIRST(&ph2tree); iph2 != NULL; iph2 = next) {
next = LIST_NEXT(iph2, chain);
if (iph2->proposal == NULL && iph2->approval == NULL)
continue;
if (iph2->approval != NULL) {
for (pr = iph2->approval->head; pr != NULL;
pr = pr->next) {
if (proto_id == pr->proto_id)
goto zap_it;
}
} else if (iph2->proposal != NULL) {
for (pr = iph2->proposal->head; pr != NULL;
pr = pr->next) {
if (proto_id == pr->proto_id)
goto zap_it;
}
}
continue;
zap_it:
unbindph12(iph2);
remph2(iph2);
delph2(iph2);
}
}
/* %%% */
void
bindph12(iph1, iph2)
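Review bot: deleteallph2() never reads its `src` and `dst` parameters: the loop at the top of the function matches on proto_id alone, so it zaps every Phase 2 handle carrying that protocol for every peer, not just "this src/dst/proto" as the header comment states. While the only caller (isakmp_inf.c) is still compiled out this is latent, but once enabled one peer's INITIAL-CONTACT would tear down other peers' Phase 2 state. Skip handles whose endpoints differ before reaching `zap_it`, comparing against the handle's own endpoints the way this file's other address lookups do, e.g. `if (cmpsaddrwop(src, iph2->src) != 0 || cmpsaddrwop(dst, iph2->dst) != 0) continue;` right after `next` is captured (assuming those are the ph2handle field names used elsewhere in this file).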


@ -1,4 +1,4 @@
/* $KAME: handler.h,v 1.37 2001/02/06 16:28:17 thorpej Exp $ */
/* $KAME: handler.h,v 1.38 2001/03/05 18:37:07 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -391,6 +391,7 @@ extern void delph2 __P((struct ph2handle *));
extern int insph2 __P((struct ph2handle *));
extern void remph2 __P((struct ph2handle *));
extern void flushph2 __P((void));
extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
extern void initph2tree __P((void));
extern void bindph12 __P((struct ph1handle *, struct ph2handle *));


@ -1,4 +1,4 @@
/* $KAME: isakmp_inf.c,v 1.64 2001/02/06 16:27:52 thorpej Exp $ */
/* $KAME: isakmp_inf.c,v 1.67 2001/03/08 22:07:44 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -946,13 +946,67 @@ info_recv_initialcontact(iph1)
struct sadb_sa *sa;
struct sockaddr *src, *dst;
caddr_t mhp[SADB_EXT_MAX + 1];
int proto_id;
int proto_id, i;
struct ph2handle *iph2;
#if 0
char *loc, *rem;
#endif
if (f_local)
return;
/* purge IPsec-SA(s) */
#if 0
loc = strdup(saddrwop2str(iph1->local));
rem = strdup(saddrwop2str(iph1->remote));
/*
* Purge all IPSEC-SAs for the peer. We can do this
* the easy way (using a PF_KEY SADB_DELETE extension)
* or we can do it the hard way.
*/
for (i = 0; i < pfkey_nsatypes; i++) {
proto_id = pfkey2ipsecdoi_proto(pfkey_satypes[i].ps_satype);
plog(LLV_INFO, LOCATION, NULL,
"purging %s SAs for %s -> %s\n",
pfkey_satypes[i].ps_name, loc, rem);
if (pfkey_send_delete_all(lcconf->sock_pfkey,
pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY,
iph1->local, iph1->remote) == -1) {
plog(LLV_ERROR, LOCATION, NULL,
"delete_all %s -> %s failed for %s (%s)\n",
loc, rem,
pfkey_satypes[i].ps_name, ipsec_strerror());
goto the_hard_way;
}
deleteallph2(iph1->local, iph1->remote, proto_id);
plog(LLV_INFO, LOCATION, NULL,
"purging %s SAs for %s -> %s\n",
pfkey_satypes[i].ps_name, rem, loc);
if (pfkey_send_delete_all(lcconf->sock_pfkey,
pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY,
iph1->remote, iph1->local) == -1) {
plog(LLV_ERROR, LOCATION, NULL,
"delete_all %s -> %s failed for %s (%s)\n",
rem, loc,
pfkey_satypes[i].ps_name, ipsec_strerror());
goto the_hard_way;
}
deleteallph2(iph1->remote, iph1->local, proto_id);
}
free(loc);
free(rem);
return;
the_hard_way:
free(loc);
free(rem);
#endif
buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
if (buf == NULL) {
plog(LLV_DEBUG, LOCATION, NULL,
@ -1005,6 +1059,19 @@ info_recv_initialcontact(iph1)
continue;
}
/*
* Make sure this is an SATYPE that we manage.
* This is gross; too bad we couldn't do it the
* easy way.
*/
for (i = 0; i < pfkey_nsatypes; i++) {
if (pfkey_satypes[i].ps_satype ==
msg->sadb_msg_satype)
break;
}
if (i == pfkey_nsatypes)
continue;
plog(LLV_INFO, LOCATION, NULL,
"purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
pfkey_send_delete(lcconf->sock_pfkey,
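Review bot: The new purge loop under `#if 0` calls strdup() for `loc` and `rem` and passes both straight to plog() without a NULL check, so enabling the block as written would need `if (loc == NULL || rem == NULL) { free(loc); free(rem); goto the_hard_way; }` before the loop. The `#if 0` also gives no reason the fast path is disabled, which is what the next reader needs; replace it with `#if 0 /* XXX disabled: <reason the delete_all path is not used yet> */`. A note that a failure part-way through the loop has already run deleteallph2() for earlier satypes before falling back to the dump-based path would also help. The enclosing info_recv_initialcontact() starts and ends outside these hunks.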


@ -1,4 +1,4 @@
/* $KAME: pfkey.c,v 1.104 2001/02/02 12:14:02 sakane Exp $ */
/* $KAME: pfkey.c,v 1.105 2001/03/05 18:37:07 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -335,13 +335,27 @@ pfkey_flush_sadb(proto)
return;
}
/*
* These are the SATYPEs that we manage. We register to get
* PF_KEY messages related to these SATYPEs, and we also use
* this list to determine which SATYPEs to delete SAs for when
* we receive an INITIAL-CONTACT.
*/
const struct pfkey_satype pfkey_satypes[] = {
{ SADB_SATYPE_AH, "AH" },
{ SADB_SATYPE_ESP, "ESP" },
{ SADB_X_SATYPE_IPCOMP, "IPCOMP" },
};
const int pfkey_nsatypes =
sizeof(pfkey_satypes) / sizeof(pfkey_satypes[0]);
/*
* PF_KEY initialization
*/
int
pfkey_init()
{
int reg_fail = 0;
int i, reg_fail;
if ((lcconf->sock_pfkey = pfkey_open()) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
@ -349,34 +363,22 @@ pfkey_init()
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_register\n");
if (pfkey_send_register(lcconf->sock_pfkey, SADB_SATYPE_ESP) < 0
|| pfkey_recv_register(lcconf->sock_pfkey) < 0) {
plog(LLV_WARNING, LOCATION, NULL,
"failed to regist esp (%s)", ipsec_strerror());
reg_fail++;
/*FALLTHROUGH*/
for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) {
plog(LLV_DEBUG, LOCATION, NULL,
"call pfkey_send_register for %s\n",
pfkey_satypes[i].ps_name);
if (pfkey_send_register(lcconf->sock_pfkey,
pfkey_satypes[i].ps_satype) < 0 ||
pfkey_recv_register(lcconf->sock_pfkey) < 0) {
plog(LLV_WARNING, LOCATION, NULL,
"failed to register %s (%s)",
pfkey_satypes[i].ps_name,
ipsec_strerror());
reg_fail++;
}
}
plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_register\n");
if (pfkey_send_register(lcconf->sock_pfkey, SADB_SATYPE_AH) < 0
|| pfkey_recv_register(lcconf->sock_pfkey) < 0) {
plog(LLV_WARNING, LOCATION, NULL,
"failed to regist ah (%s)", ipsec_strerror());
reg_fail++;
/*FALLTHROUGH*/
}
plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_register\n");
if (pfkey_send_register(lcconf->sock_pfkey, SADB_X_SATYPE_IPCOMP) < 0
|| pfkey_recv_register(lcconf->sock_pfkey) < 0) {
plog(LLV_WARNING, LOCATION, NULL,
"failed to regist ipcomp (%s)", ipsec_strerror());
reg_fail++;
/*FALLTHROUGH*/
}
if (reg_fail == 3) {
if (reg_fail == pfkey_nsatypes) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to regist any protocol.");
pfkey_close(lcconf->sock_pfkey);
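Review bot: A registration failure is only counted in reg_fail; which entries of pfkey_satypes failed is not recorded, yet the table comment says the same list decides which SATYPEs are purged on INITIAL-CONTACT. If that is intended (the kernel may still hold SAs of a satype we could not register for), one sentence in the table comment would save the next reader the question, e.g. `* An entry stays in the list even if registering for it fails; purging still covers every entry.` If it is not intended, a per-entry flag set in this loop is the minimal fix. pfkey_init() continues past the end of the hunk.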


@ -1,4 +1,4 @@
/* $KAME: pfkey.h,v 1.15 2001/01/29 10:35:00 sakane Exp $ */
/* $KAME: pfkey.h,v 1.16 2001/03/05 18:37:07 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,6 +29,14 @@
* SUCH DAMAGE.
*/
struct pfkey_satype {
u_int8_t ps_satype;
const char *ps_name;
};
extern const struct pfkey_satype pfkey_satypes[];
extern const int pfkey_nsatypes;
extern int pfkey_handler __P((void));
extern vchar_t *pfkey_dump_sadb __P((int));
extern void pfkey_flush_sadb __P((u_int));


@ -1,6 +1,4 @@
/* $KAME: safefile.c,v 1.4 2000/12/15 13:43:57 sakane Exp $ */
/* $KAME: safefile.c,v 1.4 2000/12/15 13:43:57 sakane Exp $ */
/* $KAME: safefile.c,v 1.5 2001/03/05 19:54:06 thorpej Exp $ */
/*
* Copyright (C) 2000 WIDE Project.


@ -1,4 +1,4 @@
/* $KAME: schedule.c,v 1.13 2000/12/15 13:43:57 sakane Exp $ */
/* $KAME: schedule.c,v 1.14 2001/03/06 20:41:01 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -190,6 +190,18 @@ sched_kill(sc)
return;
}
void
sched_scrub_param(param)
void *param;
{
struct sched *sc;
TAILQ_FOREACH(sc, &sctree, chain) {
if (sc->param == param)
sched_kill(sc);
}
}
/*
* for debug
*/
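Review bot: sched_scrub_param() calls sched_kill(sc) from inside TAILQ_FOREACH over sctree, which reads sc's chain link after the call returns; that is only safe if sched_kill() leaves the entry linked (for example marks it dead for later reaping) rather than unlinking or freeing it. The hunk shows sched_kill() ending in a bare `return;` but not its body, so I cannot confirm which from this page. If it unlinks, switch to a loop that saves TAILQ_NEXT(sc, chain) before the call; otherwise record the assumption above the loop with `/* sched_kill() only marks the entry dead; it stays on sctree, so iterating while killing is safe. */`.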


@ -1,4 +1,4 @@
/* $KAME: schedule.h,v 1.11 2000/10/04 17:41:03 itojun Exp $ */
/* $KAME: schedule.h,v 1.12 2001/03/06 20:41:02 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -72,4 +72,4 @@ struct sched *sched_new __P((time_t, void (*func) __P((void *)), void *));
void sched_kill __P((struct sched *));
int sched_dump __P((caddr_t *, int *));
void sched_init __P((void));
void sched_scrub_param __P((void *));