Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Get rid of the evil CMPSADDR macro. Trac #295.

This commit is contained in:
tteras 2009-07-03 06:41:46 +00:00
parent edd4f79009
commit 3d0db58d61
16 changed files with 186 additions and 555 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
crypto/dist/ipsec-tools/src/racoon/admin.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: admin.c,v 1.30 2009/04/20 13:22:00 tteras Exp $ */
/* $NetBSD: admin.c,v 1.31 2009/07/03 06:41:46 tteras Exp $ */
/* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
@ -167,6 +167,14 @@ end:
return error;
}
static int admin_ph1_delete_sa(struct ph1handle *iph1, void *arg)
{
if (iph1->status >= PHASE1ST_ESTABLISHED)
isakmp_info_send_d1(iph1);
purge_remote(iph1);
return 0;
}
/*
* main child's process.
*/
@ -257,7 +265,7 @@ admin_process(so2, combuf)
break;
}
iph1 = getph1byaddrwop(src, dst);
iph1 = getph1byaddr(src, dst, 0);
if (iph1 == NULL) {
l_ac_errno = ENOENT;
break;
@ -292,30 +300,25 @@ admin_process(so2, combuf)
case ADMIN_DELETE_SA: {
struct ph1handle *iph1;
struct sockaddr *dst;
struct sockaddr *src;
struct ph1selector sel;
char *loc, *rem;
src = (struct sockaddr *)
memset(&sel, 0, sizeof(sel));
sel.local = (struct sockaddr *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->src;
dst = (struct sockaddr *)
sel.remote = (struct sockaddr *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
loc = racoon_strdup(saddrwop2str(src));
rem = racoon_strdup(saddrwop2str(dst));
loc = racoon_strdup(saddr2str(sel.local));
rem = racoon_strdup(saddr2str(sel.remote));
STRDUP_FATAL(loc);
STRDUP_FATAL(rem);
if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"phase 1 for %s -> %s not found\n", loc, rem);
} else {
if (iph1->status >= PHASE1ST_ESTABLISHED)
isakmp_info_send_d1(iph1);
purge_remote(iph1);
}
plog(LLV_INFO, LOCATION, NULL,
"admin delete-sa %s %s\n", loc, rem);
enumph1(&sel, admin_ph1_delete_sa, NULL);
racoon_free(loc);
racoon_free(rem);
@ -360,7 +363,7 @@ admin_process(so2, combuf)
plog(LLV_INFO, LOCATION, NULL,
"Flushing all SAs for peer %s\n", rem);
while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
while ((iph1 = getph1bydstaddr(dst)) != NULL) {
loc = racoon_strdup(saddrwop2str(iph1->local));
STRDUP_FATAL(loc);
@ -429,7 +432,7 @@ admin_process(so2, combuf)
l_ac_errno = -1;
/* connected already? */
ph1 = getph1byaddrwop(src, dst);
ph1 = getph1byaddr(src, dst, 0);
if (ph1 != NULL) {
event_list = &ph1->evt_listeners;
if (ph1->status == PHASE1ST_ESTABLISHED)

24
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: grabmyaddr.c,v 1.22 2009/04/21 18:38:31 tteras Exp $ */
/* $NetBSD: grabmyaddr.c,v 1.23 2009/07/03 06:41:46 tteras Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* Copyright (C) 2008 Timo Teras <timo.teras@iki.fi>.
@ -100,7 +100,7 @@ myaddr_configured(addr)
return TRUE;
LIST_FOREACH(cfg, &configured, chain) {
if (cmpsaddrstrict(addr, (struct sockaddr *) &cfg->addr) == 0)
if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
return TRUE;
}
@ -116,7 +116,7 @@ myaddr_open(addr, udp_encap)
/* Already open? */
LIST_FOREACH(my, &opened, chain) {
if (cmpsaddrstrict(addr, (struct sockaddr *) &my->addr) == 0)
if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
return TRUE;
}
@ -156,7 +156,7 @@ myaddr_open_all_configured(addr)
LIST_FOREACH(cfg, &configured, chain) {
if (addr != NULL &&
cmpsaddrwop(addr, (struct sockaddr *) &cfg->addr) != 0)
cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
continue;
if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
return FALSE;
@ -187,8 +187,8 @@ myaddr_close_all_open(addr)
for (my = LIST_FIRST(&opened); my; my = next) {
next = LIST_NEXT(my, chain);
if (!cmpsaddrwop((struct sockaddr *) &addr,
(struct sockaddr *) &my->addr))
if (!cmpsaddr((struct sockaddr *) &addr,
(struct sockaddr *) &my->addr))
myaddr_delete(my);
}
}
@ -261,7 +261,7 @@ myaddr_getfd(addr)
struct myaddr *my;
LIST_FOREACH(my, &opened, chain) {
if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
return my->fd;
}
@ -273,19 +273,13 @@ myaddr_getsport(addr)
struct sockaddr *addr;
{
struct myaddr *my;
int bestmatch_port = -1;
LIST_FOREACH(my, &opened, chain) {
if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
return extract_port((struct sockaddr *) &my->addr);
if (cmpsaddrwop((struct sockaddr *) &my->addr, addr) != 0)
continue;
if (bestmatch_port == -1 ||
extract_port((struct sockaddr *) &my->addr) == PORT_ISAKMP)
bestmatch_port = extract_port((struct sockaddr *) &my->addr);
}
return bestmatch_port;
return PORT_ISAKMP;
}
void

43
crypto/dist/ipsec-tools/src/racoon/handler.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: handler.c,v 1.28 2009/04/28 13:54:07 tteras Exp $ */
/* $NetBSD: handler.c,v 1.29 2009/07/03 06:41:46 tteras Exp $ */
/* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
@ -120,11 +120,11 @@ enumph1(sel, enum_func, enum_arg)
LIST_FOREACH(p, &ph1tree, chain) {
if (sel != NULL) {
if (sel->local != NULL &&
CMPSADDR(sel->local, p->local) != 0)
cmpsaddr(sel->local, p->local) != 0)
continue;
if (sel->remote != NULL &&
CMPSADDR(sel->remote, p->remote) != 0)
cmpsaddr(sel->remote, p->remote) != 0)
continue;
}
@ -201,17 +201,12 @@ getph1(rmconf, local, remote, flags)
"status %d, skipping\n", p->status);
continue;
}
if (flags & GETPH1_F_WITHOUT_PORTS) {
if (local != NULL && cmpsaddrwop(local, p->local) != 0)
continue;
if (remote != NULL && cmpsaddrwop(remote, p->remote) != 0)
continue;
} else {
if (local != NULL && CMPSADDR(local, p->local) != 0)
continue;
if (remote != NULL && CMPSADDR(remote, p->remote) != 0)
continue;
}
if (local != NULL && cmpsaddr(local, p->local) != 0)
continue;
if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
continue;
plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
return p;
@ -287,8 +282,8 @@ void migrate_dying_ph12(iph1)
if (p->status < PHASE1ST_DYING)
continue;
if (CMPSADDR(iph1->local, p->local) == 0
&& CMPSADDR(iph1->remote, p->remote) == 0)
if (cmpsaddr(iph1->local, p->local) == 0
&& cmpsaddr(iph1->remote, p->remote) == 0)
migrate_ph12(p, iph1);
}
}
@ -518,11 +513,11 @@ enumph2(sel, enum_func, enum_arg)
continue;
if (sel->src != NULL &&
CMPSADDR(sel->src, p->src) != 0)
cmpsaddr(sel->src, p->src) != 0)
continue;
if (sel->dst != NULL &&
CMPSADDR(sel->dst, p->dst) != 0)
cmpsaddr(sel->dst, p->dst) != 0)
continue;
}
@ -586,8 +581,8 @@ getph2byid(src, dst, spid)
LIST_FOREACH(p, &ph2tree, chain) {
if (spid == p->spid &&
cmpsaddrwild(src, p->src) == 0 &&
cmpsaddrwild(dst, p->dst) == 0){
cmpsaddr(src, p->src) == 0 &&
cmpsaddr(dst, p->dst) == 0){
/* Sanity check to detect zombie handlers
* XXX Sould be done "somewhere" more interesting,
* because we have lots of getph2byxxxx(), but this one
@ -614,8 +609,8 @@ getph2bysaddr(src, dst)
struct ph2handle *p;
LIST_FOREACH(p, &ph2tree, chain) {
if (cmpsaddrstrict(src, p->src) == 0 &&
cmpsaddrstrict(dst, p->dst) == 0)
if (cmpsaddr(src, p->src) == 0 &&
cmpsaddr(dst, p->dst) == 0)
return p;
}
@ -918,7 +913,7 @@ getcontacted(remote)
struct contacted *p;
LIST_FOREACH(p, &ctdtree, chain) {
if (cmpsaddrstrict(remote, p->remote) == 0)
if (cmpsaddr(remote, p->remote) == 0)
return p;
}
@ -997,7 +992,7 @@ check_recvdpkt(remote, local, rbuf)
/*
* the packet was processed before, but the remote address mismatches.
*/
if (cmpsaddrstrict(remote, r->remote) != 0)
if (cmpsaddr(remote, r->remote) != 0)
return 2;
/*

9
crypto/dist/ipsec-tools/src/racoon/handler.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: handler.h,v 1.20 2009/03/12 10:57:26 tteras Exp $ */
/* $NetBSD: handler.h,v 1.21 2009/07/03 06:41:46 tteras Exp $ */
/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
@ -467,7 +467,6 @@ extern int enumph1 __P((struct ph1selector *ph1sel,
void *enum_arg));
#define GETPH1_F_ESTABLISHED 0x0001
#define GETPH1_F_WITHOUT_PORTS 0x0002
extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
struct sockaddr *local,
@ -476,10 +475,8 @@ extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
#define getph1byaddr(local, remote, est) \
getph1(NULL, local, remote, est ? GETPH1_F_ESTABLISHED : 0)
#define getph1byaddrwop(local, remote) \
getph1(NULL, local, remote, GETPH1_F_WITHOUT_PORTS)
#define getph1bydstaddrwop(remote) \
getph1(NULL, NULL, remote, GETPH1_F_WITHOUT_PORTS)
#define getph1bydstaddr(remote) \
getph1(NULL, NULL, remote, 0)
#ifdef ENABLE_HYBRID
struct ph1handle *getph1bylogin __P((char *));

92
crypto/dist/ipsec-tools/src/racoon/isakmp.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: isakmp.c,v 1.57 2009/07/03 06:40:10 tteras Exp $ */
/* $NetBSD: isakmp.c,v 1.58 2009/07/03 06:41:46 tteras Exp $ */
/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
@ -468,8 +468,8 @@ isakmp_main(msg, remote, local)
/* Floating ports for NAT-T */
if (NATT_AVAILABLE(iph1) &&
! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
((cmpsaddrstrict(iph1->remote, remote) != 0) ||
(cmpsaddrstrict(iph1->local, local) != 0)))
((cmpsaddr(iph1->remote, remote) != 0) ||
(cmpsaddr(iph1->local, local) != 0)))
{
/* prevent memory leak */
racoon_free(iph1->remote);
@ -510,7 +510,7 @@ isakmp_main(msg, remote, local)
#endif
/* must be same addresses in one stream of a phase at least. */
if (cmpsaddrstrict(iph1->remote, remote) != 0) {
if (cmpsaddr(iph1->remote, remote) != 0) {
char *saddr_db, *saddr_act;
saddr_db = racoon_strdup(saddr2str(iph1->remote));
@ -636,7 +636,7 @@ isakmp_main(msg, remote, local)
"exchange received.\n");
return -1;
}
if (cmpsaddrstrict(iph1->remote, remote) != 0) {
if (cmpsaddr(iph1->remote, remote) != 0) {
plog(LLV_WARNING, LOCATION, remote,
"remote address mismatched. "
"db=%s\n",
@ -1268,6 +1268,12 @@ isakmp_ph2begin_i(iph1, iph2)
}
#endif
/* fixup ph2 ports for this ph1 */
if (extract_port(iph2->src) == 0)
set_port(iph2->src, extract_port(iph1->local));
if (extract_port(iph2->dst) == 0)
set_port(iph2->dst, extract_port(iph1->remote));
/* found ISAKMP-SA. */
plog(LLV_DEBUG, LOCATION, NULL, "===\n");
plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
@ -1346,15 +1352,6 @@ isakmp_ph2begin_r(iph1, msg)
delph2(iph2);
return -1;
}
#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
if (set_port(iph2->dst, 0) == NULL ||
set_port(iph2->src, 0) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid family: %d\n", iph2->dst->sa_family);
delph2(iph2);
return -1;
}
#endif
/* add new entry to isakmp status table */
insph2(iph2);
@ -2179,23 +2176,12 @@ isakmp_post_acquire(iph2)
return 0;
}
/*
* Search isakmp status table by address and port
* If NAT-T is in use, consider null ports as a
* wildcard and use IKE ports instead.
/*
* XXX Searching by IP addresses + ports might fail on
* some cases, we should use the ISAKMP identity to search
* matching ISAKMP.
*/
#ifdef ENABLE_NATT
if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
set_port(iph2->src, extract_port(iph1->local));
set_port(iph2->dst, extract_port(iph1->remote));
}
} else {
iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
}
#else
iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
#endif
/* no ISAKMP-SA found. */
if (iph1 == NULL) {
@ -2373,26 +2359,8 @@ isakmp_chkph1there(iph2)
return;
}
/*
* Search isakmp status table by address and port
* If NAT-T is in use, consider null ports as a
* wildcard and use IKE ports instead.
*/
#ifdef ENABLE_NATT
if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
}
} else {
plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
if(iph1 != NULL)
plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
}
#else
/* Search isakmp status table by address and port */
iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
#endif
/* XXX Even if ph1 as responder is there, should we not start
* phase 2 negotiation ? */
@ -3314,20 +3282,10 @@ purge_remote(iph1)
msg = next;
continue;
}
pk_fixup_sa_addresses(mhp);
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
#ifdef SADB_X_NAT_T_NEW_MAPPING
if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
/* NAT-T is enabled for this SADB entry; copy
* the ports from NAT-T extensions */
if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
}
#endif
if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
sa->sadb_sa_state != SADB_SASTATE_MATURE &&
sa->sadb_sa_state != SADB_SASTATE_DYING) {
@ -3339,22 +3297,14 @@ purge_remote(iph1)
* check in/outbound SAs.
* Select only SAs where src == local and dst == remote (outgoing)
* or src == remote and dst == local (incoming).
* XXX we sometime have src/dst ports set to 0 and want to match
* iph1->local/remote with ports set to 500. This is a bug, see trac:2
*/
#ifdef ENABLE_NATT
if ((cmpsaddrmagic(iph1->local, src) || cmpsaddrmagic(iph1->remote, dst)) &&
(cmpsaddrmagic(iph1->local, dst) || cmpsaddrmagic(iph1->remote, src))) {
if ((cmpsaddr(iph1->local, src) ||
cmpsaddr(iph1->remote, dst)) &&
(cmpsaddr(iph1->local, dst) ||
cmpsaddr(iph1->remote, src))) {
msg = next;
continue;
}
#else
if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
(CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
msg = next;
continue;
}
#endif
proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);

11
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: isakmp_cfg.c,v 1.21 2009/01/23 08:23:51 tteras Exp $ */
/* $NetBSD: isakmp_cfg.c,v 1.22 2009/07/03 06:41:46 tteras Exp $ */
/* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
@ -1151,15 +1151,6 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange)
goto end;
}
#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
if (set_port(iph2->dst, 0) == NULL ||
set_port(iph2->src, 0) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid family: %d\n", iph1->remote->sa_family);
delph2(iph2);
goto end;
}
#endif
iph2->side = INITIATOR;
iph2->status = PHASE2ST_START;

113
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: isakmp_inf.c,v 1.40 2009/07/03 06:40:10 tteras Exp $ */
/* $NetBSD: isakmp_inf.c,v 1.41 2009/07/03 06:41:46 tteras Exp $ */
/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
@ -899,15 +899,6 @@ isakmp_info_send_common(iph1, payload, np, flags)
delph2(iph2);
goto end;
}
#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
if (set_port(iph2->dst, 0) == NULL ||
set_port(iph2->src, 0) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid family: %d\n", iph1->remote->sa_family);
delph2(iph2);
goto end;
}
#endif
iph2->side = INITIATOR;
iph2->status = PHASE2ST_START;
iph2->msgid = isakmp_newmsgid2(iph1);
@ -1123,9 +1114,6 @@ purge_ipsec_spi(dst0, proto, spi, n)
u_int64_t created;
size_t i;
caddr_t mhp[SADB_EXT_MAX + 1];
#ifdef ENABLE_NATT
int natt_port_forced;
#endif
plog(LLV_DEBUG2, LOCATION, NULL,
"purge_ipsec_spi:\n");
@ -1165,6 +1153,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
msg = next;
continue;
}
pk_fixup_sa_addresses(mhp);
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
@ -1178,28 +1167,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
msg = next;
continue;
}
#ifdef ENABLE_NATT
if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
/* NAT-T is enabled for this SADB entry; copy
* the ports from NAT-T extensions */
if (extract_port(src) == 0 &&
mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) {
set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
}
if (extract_port(dst) == 0 &&
mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) {
set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
}
natt_port_forced = 0;
} else {
/* Force default UDP ports, so
* CMPSADDR will match SAs with NO encapsulation */
set_port(src, PORT_ISAKMP);
set_port(dst, PORT_ISAKMP);
natt_port_forced = 1;
}
#endif
plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
@ -1207,19 +1175,11 @@ purge_ipsec_spi(dst0, proto, spi, n)
/* don't delete inbound SAs at the moment */
/* XXX should we remove SAs with opposite direction as well? */
if (CMPSADDR(dst0, dst)) {
if (cmpsaddr(dst0, dst)) {
msg = next;
continue;
}
#ifdef ENABLE_NATT
if (natt_port_forced) {
/* Set back port to 0 if it was forced
* to default UDP port */
set_port(src, 0);
set_port(dst, 0);
}
#endif
for (i = 0; i < n; i++) {
plog(LLV_DEBUG, LOCATION, NULL,
"check spi(packet)=%u spi(db)=%u.\n",
@ -1350,37 +1310,33 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
msg = (struct sadb_msg *)buf->v;
end = (struct sadb_msg *)(buf->v + buf->l);
while (msg < end) {
for (; msg < end; msg = next) {
if ((msg->sadb_msg_len << 3) < sizeof(*msg))
break;
next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
if (msg->sadb_msg_type != SADB_DUMP) {
msg = next;
if (msg->sadb_msg_type != SADB_DUMP)
continue;
}
if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
plog(LLV_ERROR, LOCATION, NULL,
"pfkey_check (%s)\n", ipsec_strerror());
msg = next;
continue;
}
if (mhp[SADB_EXT_SA] == NULL
|| mhp[SADB_EXT_ADDRESS_SRC] == NULL
|| mhp[SADB_EXT_ADDRESS_DST] == NULL) {
msg = next;
|| mhp[SADB_EXT_ADDRESS_DST] == NULL)
continue;
}
sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
pk_fixup_sa_addresses(mhp);
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
if (sa->sadb_sa_state != SADB_SASTATE_MATURE
&& sa->sadb_sa_state != SADB_SASTATE_DYING) {
msg = next;
&& sa->sadb_sa_state != SADB_SASTATE_DYING)
continue;
}
/*
* RFC2407 4.6.3.3 INITIAL-CONTACT is the message that
@ -1390,39 +1346,18 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
* racoon only deletes SA which is matched both the
* source address and the destination accress.
*/
#ifdef ENABLE_NATT
/*
* XXX RFC 3947 says that whe MUST NOT use IP+port to find old SAs
* from this peer !
*/
if(iph1->natt_flags & NAT_DETECTED){
if (CMPSADDR(iph1->local, src) == 0 &&
CMPSADDR(iph1->remote, dst) == 0)
;
else if (CMPSADDR(iph1->remote, src) == 0 &&
CMPSADDR(iph1->local, dst) == 0)
;
else {
msg = next;
continue;
}
} else
#endif
/* If there is no NAT-T, we don't have to check addr + port...
* XXX what about a configuration with a remote peers which is not
* NATed, but which NATs some other peers ?
* Here, the INITIAl-CONTACT would also flush all those NATed peers !!
*/
if (cmpsaddrwop(iph1->local, src) == 0 &&
cmpsaddrwop(iph1->remote, dst) == 0)
;
else if (cmpsaddrwop(iph1->remote, src) == 0 &&
cmpsaddrwop(iph1->local, dst) == 0)
;
else {
msg = next;
/*
* Check that the IP and port match. But this is not optimal,
* since NAT-T can make the peer have multiple different
* ports. Correct thing to do is delete all entries with
* same identity. -TT
*/
if ((cmpsaddr(iph1->local, src) != 0 ||
cmpsaddr(iph1->remote, dst) != 0) &&
(cmpsaddr(iph1->local, dst) != 0 ||
cmpsaddr(iph1->remote, src) != 0))
continue;
}
/*
* Make sure this is an SATYPE that we manage.
@ -1434,10 +1369,8 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
msg->sadb_msg_satype)
break;
}
if (i == pfkey_nsatypes) {
msg = next;
if (i == pfkey_nsatypes)
continue;
}
plog(LLV_INFO, LOCATION, NULL,
"purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
@ -1457,8 +1390,6 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
remph2(iph2);
delph2(iph2);
}
msg = next;
}
vfree(buf);

31
crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: isakmp_quick.c,v 1.25 2009/03/12 10:57:26 tteras Exp $ */
/* $NetBSD: isakmp_quick.c,v 1.26 2009/07/03 06:41:46 tteras Exp $ */
/* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
@ -610,17 +610,19 @@ quick_i2recv(iph2, msg0)
error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
goto end;
}
#ifdef ENABLE_NATT
set_port(iph2->natoa_src,
extract_port((struct sockaddr *) &proposed_addr));
#endif
if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
(struct sockaddr *) &got_addr) == 0) {
if (cmpsaddr((struct sockaddr *) &proposed_addr,
(struct sockaddr *) &got_addr) == 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDci matches proposal.\n");
#ifdef ENABLE_NATT
} else if (iph2->natoa_src != NULL
&& cmpsaddrwop(iph2->natoa_src,
(struct sockaddr *) &got_addr) == 0
&& extract_port((struct sockaddr *) &proposed_addr) ==
extract_port((struct sockaddr *) &got_addr)) {
&& cmpsaddr(iph2->natoa_src,
(struct sockaddr *) &got_addr) == 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDci matches NAT-OAi.\n");
#endif
@ -656,16 +658,19 @@ quick_i2recv(iph2, msg0)
goto end;
}
if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
(struct sockaddr *) &got_addr) == 0) {
#ifdef ENABLE_NATT
set_port(iph2->natoa_dst,
extract_port((struct sockaddr *) &proposed_addr));
#endif
if (cmpsaddr((struct sockaddr *) &proposed_addr,
(struct sockaddr *) &got_addr) == 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDcr matches proposal.\n");
#ifdef ENABLE_NATT
} else if (iph2->natoa_dst != NULL
&& cmpsaddrwop(iph2->natoa_dst,
(struct sockaddr *) &got_addr) == 0
&& extract_port((struct sockaddr *) &proposed_addr) ==
extract_port((struct sockaddr *) &got_addr)) {
&& cmpsaddr(iph2->natoa_dst,
(struct sockaddr *) &got_addr) == 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDcr matches NAT-OAr.\n");
#endif

10
crypto/dist/ipsec-tools/src/racoon/nattraversal.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: nattraversal.c,v 1.11 2009/05/18 17:00:42 tteras Exp $ */
/* $NetBSD: nattraversal.c,v 1.12 2009/07/03 06:41:46 tteras Exp $ */
/*
* Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@ -379,8 +379,8 @@ natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst)
struct natt_ka_addrs *ka = NULL, *new_addr;
TAILQ_FOREACH (ka, &ka_tree, chain) {
if (cmpsaddrstrict(ka->src, src) == 0 &&
cmpsaddrstrict(ka->dst, dst) == 0) {
if (cmpsaddr(ka->src, src) == 0 &&
cmpsaddr(ka->dst, dst) == 0) {
ka->in_use++;
plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
saddr2str_fromto("%s->%s", src, dst), ka->in_use);
@ -443,8 +443,8 @@ natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst)
plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
saddr2str_fromto("%s->%s", src, dst), ka->in_use);
if (cmpsaddrstrict(ka->src, src) == 0 &&
cmpsaddrstrict(ka->dst, dst) == 0 &&
if (cmpsaddr(ka->src, src) == 0 &&
cmpsaddr(ka->dst, dst) == 0 &&
-- ka->in_use <= 0) {
plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");

56
crypto/dist/ipsec-tools/src/racoon/pfkey.c vendored
View File

@ -1,6 +1,6 @@
/* $NetBSD: pfkey.c,v 1.47 2009/07/03 06:40:10 tteras Exp $ */
/* $NetBSD: pfkey.c,v 1.48 2009/07/03 06:41:46 tteras Exp $ */
/* $Id: pfkey.c,v 1.47 2009/07/03 06:40:10 tteras Exp $ */
/* $Id: pfkey.c,v 1.48 2009/07/03 06:41:46 tteras Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -774,8 +774,12 @@ pk_fixup_sa_addresses(mhp)
caddr_t *mhp;
{
struct sockaddr *src, *dst;
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
set_port(src, PORT_ISAKMP);
set_port(dst, PORT_ISAKMP);
#ifdef ENABLE_NATT
if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
/* NAT-T is enabled for this SADB entry; copy
@ -785,9 +789,6 @@ pk_fixup_sa_addresses(mhp)
if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
}
#else
set_port(src, 0);
set_port(dst, 0);
#endif
}
@ -949,10 +950,6 @@ pk_sendgetspi(iph2)
dport=extract_port(dst);
}
#endif
/* Always remove port information, it will be sent in
* SADB_X_EXT_NAT_T_[S|D]PORT if needed */
set_port(src, 0);
set_port(dst, 0);
plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
if (pfkey_send_getspi_nat(
@ -1009,6 +1006,7 @@ pk_recvgetspi(mhp)
}
msg = (struct sadb_msg *)mhp[0];
sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
pk_fixup_sa_addresses(mhp);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
@ -1183,18 +1181,14 @@ pk_sendupdate(iph2)
#ifdef ENABLE_NATT
if (pr->udp_encap) {
sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
sa_args.l_natt_sport = extract_port (iph2->ph1->remote);
sa_args.l_natt_dport = extract_port (iph2->ph1->local);
sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
sa_args.l_natt_dport = extract_port(iph2->ph1->local);
sa_args.l_natt_oa = iph2->natoa_src;
#ifdef SADB_X_EXT_NAT_T_FRAG
sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
#endif
}
#endif
/* Always remove port information, it will be sent in
* SADB_X_EXT_NAT_T_[S|D]PORT if needed */
set_port(sa_args.src, 0);
set_port(sa_args.dst, 0);
/* more info to fill in */
sa_args.spi = pr->spi;
@ -1358,14 +1352,6 @@ pk_recvupdate(mhp)
/* turn off schedule */
sched_cancel(&iph2->scr);
/* Force the update of ph2's ports, as there is at least one
* situation where they'll mismatch with ph1's values
*/
#ifdef ENABLE_NATT
set_port(iph2->src, extract_port(iph2->ph1->local));
set_port(iph2->dst, extract_port(iph2->ph1->remote));
#endif
/*
* since we are going to reuse the phase2 handler, we need to
* remain it and refresh all the references between ph1 and ph2 to use.
@ -1418,7 +1404,7 @@ pk_sendadd(iph2)
racoon_free(sa_args.src);
racoon_free(sa_args.dst);
return -1;
}
}
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
/* validity check */
@ -1490,11 +1476,6 @@ pk_sendadd(iph2)
#endif
}
#endif
/* Always remove port information, it will be sent in
* SADB_X_EXT_NAT_T_[S|D]PORT if needed */
set_port(sa_args.src, 0);
set_port(sa_args.dst, 0);
/* more info to fill in */
sa_args.spi = pr->spi_p;
sa_args.reqid = pr->reqid_out;
@ -1559,6 +1540,7 @@ pk_recvadd(mhp)
return -1;
}
msg = (struct sadb_msg *)mhp[0];
pk_fixup_sa_addresses(mhp);
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
@ -1749,7 +1731,9 @@ pk_recvacquire(mhp)
}
msg = (struct sadb_msg *)mhp[0];
xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
pk_fixup_sa_addresses(mhp);
/* acquire does not have nat-t ports; so do not bother setting
* the default port 500; just use the port zero for wildcard
* matching the get a valid natted destination */
sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
@ -2884,8 +2868,8 @@ migrate_ph1_ike_addresses(iph1, arg)
u_int16_t port;
/* Already up-to-date? */
if (cmpsaddrwop(iph1->local, ma->local) == 0 &&
cmpsaddrwop(iph1->remote, ma->remote) == 0)
if (cmpsaddr(iph1->local, ma->local) == 0 &&
cmpsaddr(iph1->remote, ma->remote) == 0)
return 0;
if (iph1->status < PHASE1ST_ESTABLISHED) {
@ -2985,8 +2969,8 @@ migrate_ph2_ike_addresses(iph2, arg)
migrate_ph1_ike_addresses(iph2->ph1, arg);
/* Already up-to-date? */
if (CMPSADDR(iph2->src, ma->local) == 0 &&
CMPSADDR(iph2->dst, ma->remote) == 0)
if (cmpsaddr(iph2->src, ma->local) == 0 &&
cmpsaddr(iph2->dst, ma->remote) == 0)
return 0;
/* save src/dst as sa_src/sa_dst before rewriting */
@ -3206,8 +3190,8 @@ migrate_ph2_one_isr(spid, isr_cur, xisr_old, xisr_new)
"changing address families (%d to %d) for endpoints.\n",
osaddr->sa_family, nsaddr->sa_family);
if (CMPSADDR(osaddr, (struct sockaddr *)&saidx->src) ||
CMPSADDR(odaddr, (struct sockaddr *)&saidx->dst)) {
if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
"mismatch of addresses in saidx and xisr.\n");
return -1;

24
crypto/dist/ipsec-tools/src/racoon/policy.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: policy.c,v 1.10 2008/12/05 06:02:20 tteras Exp $ */
/* $NetBSD: policy.c,v 1.11 2009/07/03 06:41:46 tteras Exp $ */
/* $KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $ */
@ -141,16 +141,18 @@ getsp_r(spidx, iph2)
saddr2str(iph2->src));
plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
saddr2str((struct sockaddr *)&spidx->src));
if (cmpsaddrwop(iph2->src, (struct sockaddr *)&spidx->src)
|| spidx->prefs != prefixlen)
if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
spidx->prefs != prefixlen)
return NULL;
plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
saddr2str(iph2->dst));
plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
saddr2str((struct sockaddr *)&spidx->dst));
if (cmpsaddrwop(iph2->dst, (struct sockaddr *)&spidx->dst)
|| spidx->prefd != prefixlen)
if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
spidx->prefd != prefixlen)
return NULL;
plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n");
@ -198,11 +200,11 @@ cmpspidxstrict(a, b)
|| a->ul_proto != b->ul_proto)
return 1;
if (cmpsaddrstrict((struct sockaddr *)&a->src,
(struct sockaddr *)&b->src))
if (cmpsaddr((struct sockaddr *) &a->src,
(struct sockaddr *) &b->src))
return 1;
if (cmpsaddrstrict((struct sockaddr *)&a->dst,
(struct sockaddr *)&b->dst))
if (cmpsaddr((struct sockaddr *) &a->dst,
(struct sockaddr *) &b->dst))
return 1;
#ifdef HAVE_SECCTX
@ -259,7 +261,7 @@ cmpspidxwild(a, b)
a, b->prefs, saddr2str((struct sockaddr *)&sa1));
plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
b, b->prefs, saddr2str((struct sockaddr *)&sa2));
if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
return 1;
#ifndef __linux__
@ -277,7 +279,7 @@ cmpspidxwild(a, b)
a, b->prefd, saddr2str((struct sockaddr *)&sa1));
plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
b, b->prefd, saddr2str((struct sockaddr *)&sa2));
if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
return 1;
#ifdef HAVE_SECCTX

32
crypto/dist/ipsec-tools/src/racoon/remoteconf.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: remoteconf.c,v 1.14 2009/03/12 23:05:27 he Exp $ */
/* $NetBSD: remoteconf.c,v 1.15 2009/07/03 06:41:47 tteras Exp $ */
/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
@ -200,15 +200,9 @@ rmconf_match_type(rmsel, rmconf)
/* Check address */
if (rmsel->remote != NULL) {
if (rmconf->remote->sa_family != AF_UNSPEC) {
if (rmsel->flags & GETRMCONF_F_NO_PORTS) {
if (cmpsaddrwop(rmsel->remote,
rmconf->remote) != 0)
return 0;
} else {
if (cmpsaddrstrict(rmsel->remote,
rmconf->remote) != 0)
return 0;
}
if (cmpsaddr(rmsel->remote, rmconf->remote) != 0)
return 0;
/* Address matched */
ret = 2;
}
@ -262,7 +256,7 @@ void rmconf_selector_from_ph1(rmsel, iph1)
struct ph1handle *iph1;
{
memset(rmsel, 0, sizeof(*rmsel));
rmsel->flags = GETRMCONF_F_NO_PORTS;
rmsel->flags = 0;
rmsel->remote = iph1->remote;
rmsel->etype = iph1->etype;
rmsel->approval = iph1->approval;
@ -357,22 +351,8 @@ getrmconf(remote, flags)
int n = 0;
memset(&ctx, 0, sizeof(ctx));
ctx.sel.flags = flags | GETRMCONF_F_NO_PORTS;
ctx.sel.flags = flags;
ctx.sel.remote = remote;
#ifndef ENABLE_NATT
/*
* We never have ports set in our remote configurations, but when
* NAT-T is enabled, the kernel can have policies with ports and
* send us an acquire message for a destination that has a port set.
* If we do this port check here, we don't find the remote config.
*
* In an ideal world, we would be able to have remote conf with
* port, and the port could be a wildcard. That test could be used.
*/
if (remote->sa_family != AF_UNSPEC &&
extract_port(remote) != IPSEC_PORT_ANY)
ctx.sel.flags &= ~GETRMCONF_F_NO_PORTS;
#endif /* ENABLE_NATT */
if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
plog(LLV_ERROR, LOCATION, remote,

5
crypto/dist/ipsec-tools/src/racoon/remoteconf.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: remoteconf.h,v 1.10 2009/03/13 04:49:16 tteras Exp $ */
/* $NetBSD: remoteconf.h,v 1.11 2009/07/03 06:41:47 tteras Exp $ */
/* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
@ -189,8 +189,7 @@ extern int enumrmconf __P((struct rmconfselector *rmsel,
void *enum_arg));
#define GETRMCONF_F_NO_ANONYMOUS 0x0001
#define GETRMCONF_F_NO_PORTS 0x0002
#define GETRMCONF_F_NO_PASSIVE 0x0004
#define GETRMCONF_F_NO_PASSIVE 0x0002
#define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)

233
crypto/dist/ipsec-tools/src/racoon/sockmisc.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: sockmisc.c,v 1.15 2009/05/18 17:40:38 tteras Exp $ */
/* $NetBSD: sockmisc.c,v 1.16 2009/07/03 06:41:47 tteras Exp $ */
/* Id: sockmisc.c,v 1.24 2006/05/07 21:32:59 manubsd Exp */
@ -79,60 +79,6 @@
const int niflags = 0;
/*
* compare two sockaddr without port number.
* OUT: 0: equal.
* 1: not equal.
*/
int
cmpsaddrwop(addr1, addr2)
const struct sockaddr *addr1;
const struct sockaddr *addr2;
{
caddr_t sa1, sa2;
if (addr1 == 0 && addr2 == 0)
return 0;
if (addr1 == 0 || addr2 == 0)
return 1;
#ifdef __linux__
if (addr1->sa_family != addr2->sa_family)
return 1;
#else
if (addr1->sa_len != addr2->sa_len
|| addr1->sa_family != addr2->sa_family)
return 1;
#endif /* __linux__ */
switch (addr1->sa_family) {
case AF_UNSPEC:
break;
case AF_INET:
sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
return 1;
break;
#ifdef INET6
case AF_INET6:
sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
return 1;
if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
((struct sockaddr_in6 *)addr2)->sin6_scope_id)
return 1;
break;
#endif
default:
return 1;
}
return 0;
}
/*
* compare two sockaddr with port, taking care wildcard.
* addr1 is a subject address, addr2 is in a database entry.
@ -140,27 +86,22 @@ cmpsaddrwop(addr1, addr2)
* 1: not equal.
*/
int
cmpsaddrwild(addr1, addr2)
cmpsaddr(addr1, addr2)
const struct sockaddr *addr1;
const struct sockaddr *addr2;
{
caddr_t sa1, sa2;
u_short port1, port2;
if (addr1 == 0 && addr2 == 0)
return 0;
if (addr1 == 0 || addr2 == 0)
return 1;
if (addr1 == NULL && addr2 == NULL)
return CMPSADDR_MATCH;
#ifdef __linux__
if (addr1->sa_family != addr2->sa_family)
return 1;
#else
if (addr1->sa_len != addr2->sa_len
|| addr1->sa_family != addr2->sa_family)
return 1;
if (addr1 == NULL || addr2 == NULL)
return CMPSADDR_MISMATCH;
#endif /* __linux__ */
if (addr1->sa_family != addr2->sa_family ||
sysdep_sa_len(addr1) != sysdep_sa_len(addr2))
return CMPSADDR_MISMATCH;
switch (addr1->sa_family) {
case AF_UNSPEC:
@ -170,12 +111,8 @@ cmpsaddrwild(addr1, addr2)
sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
port1 = ((struct sockaddr_in *)addr1)->sin_port;
port2 = ((struct sockaddr_in *)addr2)->sin_port;
if (!(port1 == IPSEC_PORT_ANY ||
port2 == IPSEC_PORT_ANY ||
port1 == port2))
return 1;
if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
return 1;
return CMPSADDR_MISMATCH;
break;
#ifdef INET6
case AF_INET6:
@ -183,155 +120,23 @@ cmpsaddrwild(addr1, addr2)
sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
if (!(port1 == IPSEC_PORT_ANY ||
port2 == IPSEC_PORT_ANY ||
port1 == port2))
return 1;
if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
return 1;
return CMPSADDR_MISMATCH;
if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
((struct sockaddr_in6 *)addr2)->sin6_scope_id)
return 1;
return CMPSADDR_MISMATCH;
break;
#endif
default:
return 1;
return CMPSADDR_MISMATCH;
}
return 0;
}
if (port1 == port2 ||
port1 == IPSEC_PORT_ANY ||
port2 == IPSEC_PORT_ANY)
return CMPSADDR_MATCH;
/*
* compare two sockaddr with port, taking care specific situation:
* one addr has 0 as port, and the other has 500 (network order), return equal
* OUT: 0: equal.
* 1: not equal.
*/
int
cmpsaddrmagic(addr1, addr2)
const struct sockaddr *addr1;
const struct sockaddr *addr2;
{
caddr_t sa1, sa2;
u_short port1, port2;
if (addr1 == 0 && addr2 == 0)
return 0;
if (addr1 == 0 || addr2 == 0)
return 1;
#ifdef __linux__
if (addr1->sa_family != addr2->sa_family)
return 1;
#else
if (addr1->sa_len != addr2->sa_len
|| addr1->sa_family != addr2->sa_family)
return 1;
#endif /* __linux__ */
switch (addr1->sa_family) {
case AF_UNSPEC:
break;
case AF_INET:
sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
port1 = ((struct sockaddr_in *)addr1)->sin_port;
port2 = ((struct sockaddr_in *)addr2)->sin_port;
plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: port1 == %d, port2 == %d\n", port1, port2);
if (!((port1 == IPSEC_PORT_ANY && port2 == ntohs(PORT_ISAKMP)) ||
(port2 == IPSEC_PORT_ANY && port1 == ntohs(PORT_ISAKMP)) ||
(port1 == port2))){
plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports mismatch\n");
return 1;
}
plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports matched\n");
if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
return 1;
break;
#ifdef INET6
case AF_INET6:
sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
if (!((port1 == IPSEC_PORT_ANY && port2 == PORT_ISAKMP) ||
(port2 == IPSEC_PORT_ANY && port1 == PORT_ISAKMP) ||
(port1 == port2)))
return 1;
if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
return 1;
if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
((struct sockaddr_in6 *)addr2)->sin6_scope_id)
return 1;
break;
#endif
default:
return 1;
}
return 0;
}
/*
* compare two sockaddr with strict match on port.
* OUT: 0: equal.
* 1: not equal.
*/
int
cmpsaddrstrict(addr1, addr2)
const struct sockaddr *addr1;
const struct sockaddr *addr2;
{
caddr_t sa1, sa2;
u_short port1, port2;
if (addr1 == 0 && addr2 == 0)
return 0;
if (addr1 == 0 || addr2 == 0)
return 1;
#ifdef __linux__
if (addr1->sa_family != addr2->sa_family)
return 1;
#else
if (addr1->sa_len != addr2->sa_len
|| addr1->sa_family != addr2->sa_family)
return 1;
#endif /* __linux__ */
switch (addr1->sa_family) {
case AF_INET:
sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
port1 = ((struct sockaddr_in *)addr1)->sin_port;
port2 = ((struct sockaddr_in *)addr2)->sin_port;
if (port1 != port2)
return 1;
if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
return 1;
break;
#ifdef INET6
case AF_INET6:
sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
if (port1 != port2)
return 1;
if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
return 1;
if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
((struct sockaddr_in6 *)addr2)->sin6_scope_id)
return 1;
break;
#endif
default:
return 1;
}
return 0;
return CMPSADDR_WOP_MATCH;
}
/* get local address against the destination. */
@ -1128,7 +933,7 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr)
free(a2);
free(a3);
}
if (cmpsaddrwop(&sa, &naddr->sa.sa) == 0)
if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
return naddr->prefix + port_score;
return -1;

15
crypto/dist/ipsec-tools/src/racoon/sockmisc.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: sockmisc.h,v 1.10 2009/05/18 17:40:38 tteras Exp $ */
/* $NetBSD: sockmisc.h,v 1.11 2009/07/03 06:41:47 tteras Exp $ */
/* Id: sockmisc.h,v 1.9 2005/10/05 16:55:41 manubsd Exp */
@ -56,16 +56,11 @@ struct netaddr {
extern const int niflags;
extern int cmpsaddrwop __P((const struct sockaddr *, const struct sockaddr *));
extern int cmpsaddrwild __P((const struct sockaddr *, const struct sockaddr *));
extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *));
extern int cmpsaddrmagic __P((const struct sockaddr *, const struct sockaddr *));
#define CMPSADDR_MATCH 0
#define CMPSADDR_WOP_MATCH 1
#define CMPSADDR_MISMATCH 2
#ifdef ENABLE_NATT
#define CMPSADDR(saddr1, saddr2) cmpsaddrstrict((saddr1), (saddr2))
#else
#define CMPSADDR(saddr1, saddr2) cmpsaddrwop((saddr1), (saddr2))
#endif
extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
extern struct sockaddr *getlocaladdr __P((struct sockaddr *));

4
crypto/dist/ipsec-tools/src/racoon/throttle.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: throttle.c,v 1.5 2009/01/23 08:25:07 tteras Exp $ */
/* $NetBSD: throttle.c,v 1.6 2009/07/03 06:41:47 tteras Exp $ */
/* Id: throttle.c,v 1.5 2006/04/05 20:54:50 manubsd Exp */
@ -104,7 +104,7 @@ restart:
goto restart;
}
if (cmpsaddrwop(addr, (struct sockaddr *)&te->host) == 0) {
if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
found = 1;
break;
}