diff --git a/crypto/dist/ipsec-tools/src/racoon/admin.c b/crypto/dist/ipsec-tools/src/racoon/admin.c index a3d3a5a9fd7d..cfa2a4432806 100644 --- a/crypto/dist/ipsec-tools/src/racoon/admin.c +++ b/crypto/dist/ipsec-tools/src/racoon/admin.c @@ -1,11 +1,11 @@ -/* $NetBSD: admin.c,v 1.31 2009/07/03 06:41:46 tteras Exp $ */ +/* $NetBSD: admin.c,v 1.32 2009/09/03 09:29:07 tteras Exp $ */ /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -341,7 +341,7 @@ admin_process(so2, combuf) user[len] = 0; found = purgeph1bylogin(user); - plog(LLV_INFO, LOCATION, NULL, + plog(LLV_INFO, LOCATION, NULL, "deleted %d SA for user \"%s\"\n", found, user); break; @@ -360,7 +360,7 @@ admin_process(so2, combuf) rem = racoon_strdup(saddrwop2str(dst)); STRDUP_FATAL(rem); - plog(LLV_INFO, LOCATION, NULL, + plog(LLV_INFO, LOCATION, NULL, "Flushing all SAs for peer %s\n", rem); while ((iph1 = getph1bydstaddr(dst)) != NULL) { @@ -373,7 +373,7 @@ admin_process(so2, combuf) racoon_free(loc); } - + racoon_free(rem); break; } 
@@ -383,14 +383,14 @@ admin_process(so2, combuf) char *data; acp = (struct admin_com_psk *) - ((char *)com + sizeof(*com) + + ((char *)com + sizeof(*com) + sizeof(struct admin_com_indexes)); idtype = acp->id_type; if ((id = vmalloc(acp->id_len)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory: %s\n", + "cannot allocate memory: %s\n", strerror(errno)); break; } @@ -399,7 +399,7 @@ admin_process(so2, combuf) if ((key = vmalloc(acp->key_len)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory: %s\n", + "cannot allocate memory: %s\n", strerror(errno)); vfree(id); id = NULL; @@ -474,7 +474,7 @@ admin_process(so2, combuf) rmconf->xauth->pass = key; } #endif - + plog(LLV_INFO, LOCATION, NULL, "accept a request to establish IKE-SA: " "%s\n", saddrwop2str(dst)); @@ -577,7 +577,7 @@ admin_process(so2, combuf) } insph2(iph2); - if (isakmp_post_acquire(iph2) < 0) { + if (isakmp_post_acquire(iph2, NULL) < 0) { remph2(iph2); delph2(iph2); break; @@ -710,17 +710,17 @@ admin_init() } if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "chown(%s, %d, %d): %s\n", - sunaddr.sun_path, adminsock_owner, + plog(LLV_ERROR, LOCATION, NULL, + "chown(%s, %d, %d): %s\n", + sunaddr.sun_path, adminsock_owner, adminsock_group, strerror(errno)); (void)close(lcconf->sock_admin); return -1; } if (chmod(sunaddr.sun_path, adminsock_mode) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "chmod(%s, 0%03o): %s\n", + plog(LLV_ERROR, LOCATION, NULL, + "chmod(%s, 0%03o): %s\n", sunaddr.sun_path, adminsock_mode, strerror(errno)); (void)close(lcconf->sock_admin); return -1; diff --git a/crypto/dist/ipsec-tools/src/racoon/handler.c b/crypto/dist/ipsec-tools/src/racoon/handler.c index e7d6b2b2bd1d..35e6437b39f1 100644 --- a/crypto/dist/ipsec-tools/src/racoon/handler.c +++ b/crypto/dist/ipsec-tools/src/racoon/handler.c 
@@ -1,11 +1,11 @@ -/* $NetBSD: handler.c,v 1.29 2009/07/03 06:41:46 tteras Exp $ */ +/* $NetBSD: handler.c,v 1.30 2009/09/03 09:29:07 tteras Exp $ */ /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -64,7 +64,7 @@ #include "evt.h" #include "isakmp.h" #ifdef ENABLE_HYBRID -#include "isakmp_xauth.h" +#include "isakmp_xauth.h" #include "isakmp_cfg.h" #endif #include "isakmp_inf.h" @@ -177,8 +177,8 @@ getph1byindex0(index) * with phase 2's destinaion. */ struct ph1handle * -getph1(rmconf, local, remote, flags) - struct remoteconf *rmconf; +getph1(ph1hint, local, remote, flags) + struct ph1handle *ph1hint; struct sockaddr *local, *remote; int flags; { 
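Review bot: The comment introducing getph1, whose visible tail still only says the handle is looked up "with phase 2's destination", is not updated for the new `ph1hint` parameter that replaces `rmconf`, so a caller reading the declaration cannot tell what the hint does. Suggest extending it with `ph1hint: optional handle whose local/remote identities, when set, must also match the candidate; NULL selects by address and flags only` (assuming that is what the body implements). The body of getph1 continues past the end of this hunk.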
@@ -202,12 +202,30 @@ getph1(rmconf, local, remote, flags) continue; } - if (local != NULL && cmpsaddr(local, p->local) != 0) + if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH) continue; - if (remote != NULL && cmpsaddr(remote, p->remote) != 0) + if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH) continue; + if (ph1hint != NULL) { + if (ph1hint->id && ph1hint->id->l && p->id && p->id->l && + (ph1hint->id->l != p->id->l || + memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) { + plog(LLV_DEBUG2, LOCATION, NULL, + "local identity does match hint\n"); + continue; + } + if (ph1hint->id_p && ph1hint->id_p->l && + p->id_p && p->id_p->l && + (ph1hint->id_p->l != p->id_p->l || + memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) { + plog(LLV_DEBUG2, LOCATION, NULL, + "remote identity does match hint\n"); + continue; + } + } + plog(LLV_DEBUG2, LOCATION, NULL, "matched\n"); return p; } @@ -1155,7 +1173,7 @@ init_recvdpkt() } #ifdef ENABLE_HYBRID -/* +/* * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise * This should be in isakmp_cfg.c but ph1tree being private, it must be there */ @@ -1182,7 +1200,7 @@ exclude_cfg_addr(addr) -/* +/* * Reload conf code */ static int revalidate_ph2(struct ph2handle *iph2){ @@ -1192,11 +1210,11 @@ static int revalidate_ph2(struct ph2handle *iph2){ struct saprop *approval; struct ph1handle *iph1; - /* + /* * Get the new sainfo using values of the old one */ if (iph2->sainfo != NULL) { - iph2->sainfo = getsainfo(iph2->sainfo->idsrc, + iph2->sainfo = getsainfo(iph2->sainfo->idsrc, iph2->sainfo->iddst, iph2->sainfo->id_i, NULL, iph2->sainfo->remoteid); } @@ -1204,7 +1222,7 @@ static int revalidate_ph2(struct ph2handle *iph2){ sainfo = iph2->sainfo; if (sainfo == NULL) { - /* + /* * Sainfo has been removed */ plog(LLV_DEBUG, LOCATION, NULL, 
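Review bot: Both new debug messages in the identity checks read `"local identity does match hint\n"` and `"remote identity does match hint\n"` but are logged on the `continue` path where the identity did NOT match, so they should say `does not match`. The `if (ph1hint != NULL)` block also deserves a comment: the ID comparison is only applied when both the hint and the candidate carry a non-empty id (`ph1hint->id->l && p->id->l`), so a hint without identities, or a candidate whose id is not yet set, still matches by address alone, e.g. `/* identities are compared only when known on both sides; otherwise fall back to the address match */`. The switch from `!= 0` to `== CMPSADDR_MISMATCH` additionally relaxes the address test so that whatever cmpsaddr reports short of a mismatch (presumably a port-only difference) now counts as a hit, which the commit leaves undocumented. getph1 begins and ends outside this hunk.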
@@ -1219,7 +1237,7 @@ static int revalidate_ph2(struct ph2handle *iph2){ plog(LLV_DEBUG, LOCATION, NULL, "No approval found !\n"); return 0; - } + } /* * Don't care about proposals, should we do something ? @@ -1318,7 +1336,7 @@ static int revalidate_ph2(struct ph2handle *iph2){ } found = 0; - for (alg = sainfo->algs[algclass_ipsec_enc]; + for (alg = sainfo->algs[algclass_ipsec_enc]; (found == 0 && alg != NULL); alg = alg->next) { plog(LLV_DEBUG, LOCATION, NULL, "Reload: next ph2 enc alg...\n"); @@ -1351,7 +1369,7 @@ static int revalidate_ph2(struct ph2handle *iph2){ break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, NULL, "unexpected check_level\n"); continue; break; @@ -1375,7 +1393,7 @@ static int revalidate_ph2(struct ph2handle *iph2){ } -static void +static void remove_ph2(struct ph2handle *iph2) { u_int32_t spis[2]; @@ -1467,7 +1485,7 @@ static int revalidate_ph2tree(void){ return 1; } -int +int revalidate_ph12(void) { diff --git a/crypto/dist/ipsec-tools/src/racoon/handler.h b/crypto/dist/ipsec-tools/src/racoon/handler.h index 3caa8de271a0..c337721e47b9 100644 --- a/crypto/dist/ipsec-tools/src/racoon/handler.h +++ b/crypto/dist/ipsec-tools/src/racoon/handler.h @@ -1,11 +1,11 @@ -/* $NetBSD: handler.h,v 1.21 2009/07/03 06:41:46 tteras Exp $ */ +/* $NetBSD: handler.h,v 1.22 2009/09/03 09:29:07 tteras Exp $ */ /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -214,7 +214,7 @@ struct ph1handle { LIST_ENTRY(ph1handle) chain; #ifdef ENABLE_HYBRID struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */ -#endif +#endif EVT_LISTENER_LIST(evt_listeners); }; @@ -449,7 +449,7 @@ struct ph1dump { struct sockaddr_storage remote; struct sockaddr_storage local; u_int8_t version; - u_int8_t etype; + u_int8_t etype; time_t created; int ph2cnt; }; @@ -468,7 +468,7 @@ extern int enumph1 __P((struct ph1selector *ph1sel, #define GETPH1_F_ESTABLISHED 0x0001 -extern struct ph1handle *getph1 __P((struct remoteconf *rmconf, +extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint, struct sockaddr *local, struct sockaddr *remote, int flags)); diff --git a/crypto/dist/ipsec-tools/src/racoon/isakmp.c b/crypto/dist/ipsec-tools/src/racoon/isakmp.c index 2a7d47ac898d..47e55cfdba7f 100644 --- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c +++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c @@ -1,11 +1,11 @@ -/* $NetBSD: isakmp.c,v 1.59 2009/09/01 09:24:21 tteras Exp $ */ +/* $NetBSD: isakmp.c,v 1.60 2009/09/03 09:29:07 tteras Exp $ */ /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -176,7 +176,7 @@ static int (*ph2exchange[][2][PHASE2ST_MAX]) }; static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ - + static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); static int ph1_main __P((struct ph1handle *, vchar_t *)); static int quick_main __P((struct ph2handle *, vchar_t *)); @@ -190,7 +190,7 @@ static int isakmp_ph1resend __P((struct ph1handle *)); static int isakmp_ph2resend __P((struct ph2handle *)); #ifdef ENABLE_FRAG -static int frag_handler(struct ph1handle *, +static int frag_handler(struct ph1handle *, vchar_t *, struct sockaddr *, struct sockaddr *); #endif @@ -259,16 +259,16 @@ isakmp_handler(ctx, so_isakmp) extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl; } #endif - } + } #ifdef ENABLE_NATT - /* we don't know about portchange yet, + /* we don't know about portchange yet, look for non-esp marker instead */ if (x.non_esp[0] == 0 && x.non_esp[1] != 0) extralen = NON_ESP_MARKER_LEN; #endif - /* now we know if there is an extra non-esp + /* now we know if there is an extra non-esp marker at the beginning or not */ memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp)); @@ -309,7 +309,7 @@ isakmp_handler(ctx, so_isakmp) if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 0, (struct sockaddr *)&remote, &remote_len)) < 0) { plog(LLV_ERROR, LOCATION, NULL, - "failed to receive isakmp packet: %s\n", + "failed to receive isakmp packet: %s\n", strerror (errno)); } goto end; 
@@ -332,11 +332,11 @@ isakmp_handler(ctx, so_isakmp) (len - extralen)); goto end; } - + memcpy (buf->v, tmpbuf->v + extralen, buf->l); len -= extralen; - + if (len != buf->l) { plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, "received invalid length (%d != %zu), why ?\n", @@ -347,7 +347,7 @@ isakmp_handler(ctx, so_isakmp) plog(LLV_DEBUG, LOCATION, NULL, "===\n"); plog(LLV_DEBUG, LOCATION, NULL, "%d bytes message received %s\n", - len, saddr2str_fromto("from %s to %s", + len, saddr2str_fromto("from %s to %s", (struct sockaddr *)&remote, (struct sockaddr *)&local)); plogdump(LLV_DEBUG, buf->v, buf->l); @@ -496,12 +496,12 @@ isakmp_main(msg, remote, local) } /* set the flag to prevent further port floating - (FIXME: should we allow it? E.g. when the NAT gw + (FIXME: should we allow it? E.g. when the NAT gw is rebooted?) */ iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; - + /* print some neat info */ - plog (LLV_INFO, LOCATION, NULL, + plog (LLV_INFO, LOCATION, NULL, "NAT-T: ports changed to: %s\n", saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local)); @@ -668,7 +668,7 @@ isakmp_main(msg, remote, local) return -1; } #ifdef ENABLE_HYBRID - /* Reinit the IVM if it's still there */ + /* Reinit the IVM if it's still there */ if (iph1->mode_cfg && iph1->mode_cfg->ivm) { oakley_delivm(iph1->mode_cfg->ivm); iph1->mode_cfg->ivm = NULL; @@ -753,7 +753,7 @@ isakmp_main(msg, remote, local) isakmp_cfg_r(iph1, msg); break; -#endif +#endif case ISAKMP_ETYPE_NONE: default: @@ -822,7 +822,7 @@ ph1_main(iph1, msg) /* free resend buffer */ if (iph1->sendbuf == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "no buffer found as sendbuf\n"); + "no buffer found as sendbuf\n"); return -1; } #endif 
@@ -925,13 +925,13 @@ ph1_main(iph1, msg) log_ph1established(iph1); plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - /* + /* * SA up shell script hook: do it now,except if * ISAKMP mode config was requested. In the later * case it is done when we receive the configuration. */ if ((iph1->status == PHASE1ST_ESTABLISHED) && - !iph1->rmconf->mode_cfg) { + !iph1->rmconf->mode_cfg) { switch (iph1->approval->authmethod) { #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: @@ -1004,7 +1004,7 @@ quick_main(iph2, msg) /* free resend buffer */ if (iph2->sendbuf == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "no buffer found as sendbuf\n"); + "no buffer found as sendbuf\n"); return -1; } VPTRINIT(iph2->sendbuf); @@ -1754,23 +1754,23 @@ isakmp_send(iph1, sbuf) extralen = 0; #ifdef ENABLE_FRAG - /* + /* * Do not add the non ESP marker for a packet that will - * be fragmented. The non ESP marker should appear in + * be fragmented. The non ESP marker should appear in * all fragment's packets, but not in the fragmented packet */ - if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) + if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) extralen = 0; #endif if (extralen) plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n"); - /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) - must added just before the packet itself. For this we must + /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) + must added just before the packet itself. For this we must allocate a new buffer and release it at the end. */ if (extralen) { if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, NULL, "vbuf allocation failed\n"); return -1; } 
@@ -1791,17 +1791,17 @@ isakmp_send(iph1, sbuf) if (s == -1) return -1; - plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, + plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, saddr2str_fromto("from %s to %s", iph1->local, iph1->remote)); #ifdef ENABLE_FRAG if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) { if (isakmp_sendfrags(iph1, sbuf) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, NULL, "isakmp_sendfrags failed\n"); return -1; } - } else + } else #endif { len = sendfromto(s, sbuf->v, sbuf->l, @@ -1812,7 +1812,7 @@ isakmp_send(iph1, sbuf) return -1; } } - + return 0; } @@ -1959,7 +1959,7 @@ isakmp_ph1dying(iph1) iph1->status = PHASE1ST_DYING; /* Any fresh phase1s? */ - new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1); + new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1); if (new_iph1 == NULL) { LIST_FOREACH(p, &iph1->ph2tree, ph1bind) { if (p->status != PHASE2ST_ESTABLISHED) @@ -2036,7 +2036,7 @@ isakmp_ph1delete(iph1) char *src, *dst; /* Migrate established phase2s. Any fresh phase1s? */ - new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1); + new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1); if (new_iph1 != NULL) migrate_ph12(iph1, new_iph1); @@ -2143,12 +2143,13 @@ isakmp_ph2delete(iph2) * if phase1 has been finished, begin phase2. */ int -isakmp_post_acquire(iph2) +isakmp_post_acquire(iph2, iph1hint) struct ph2handle *iph2; + struct ph1handle *iph1hint; { struct remoteconf *rmconf; struct ph1handle *iph1 = NULL; - + plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n"); /* Search appropriate configuration with masking port. Note that 
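Review bot: The last argument in `new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);` is a magic number where the same commit writes `GETPH1_F_ESTABLISHED` in purge_remote; the flag is 0x0001 in handler.h so the value is right today, but the literal hides the intent and will silently break if the flag set is ever reordered. Use `new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);` here and in the matching isakmp_ph1delete hunk. The dying handle is also passed as its own hint; whether getph1 can hand back `iph1` itself depends on status filtering that precedes the visible part of getph1, so a short comment such as `/* iph1 itself is excluded by the established-only flag */` (if that is indeed the case) would help. Both functions extend beyond their hunks.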
@@ -2159,12 +2160,17 @@ isakmp_post_acquire(iph2) * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS * as iph2->dst hint). This scenario would require additional changes, * so no need to bother yet. --arno */ - rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE); - if (rmconf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no configuration found for %s.\n", - saddrwop2str(iph2->dst)); - return -1; + + if (iph1hint == NULL || iph1hint->rmconf == NULL) { + rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE); + if (rmconf == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "no configuration found for %s.\n", + saddrwop2str(iph2->dst)); + return -1; + } + } else { + rmconf = iph1hint->rmconf; } /* if passive mode, ignore the acquire message */ @@ -2181,7 +2187,7 @@ isakmp_post_acquire(iph2) * some cases, we should use the ISAKMP identity to search * matching ISAKMP. */ - iph1 = getph1byaddr(iph2->src, iph2->dst, 0); + iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0); /* no ISAKMP-SA found. */ if (iph1 == NULL) { @@ -2978,7 +2984,7 @@ log_ph1established(iph1) "ISAKMP-SA established %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); - + evt_phase1(iph1, EVT_PHASE1_UP, NULL); if(!iph1->rmconf->mode_cfg) evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL); @@ -3011,7 +3017,7 @@ isakmp_plist_append_full (struct payload_list *plist, vchar_t *payload, return plist; } -vchar_t * +vchar_t * isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1) { struct payload_list *ptr = *plist, *first; @@ -3022,7 +3028,7 @@ isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1) /* Seek to the first item. */ while (ptr->prev) ptr = ptr->prev; first = ptr; - + /* Compute the whole length. */ while (ptr) { tlen += ptr->payload->l + sizeof (struct isakmp_gen); @@ -3064,7 +3070,7 @@ end: } #ifdef ENABLE_FRAG -int +int frag_handler(iph1, msg, remote, local) struct ph1handle *iph1; vchar_t *msg; 
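Review bot: The hinted branch `rmconf = iph1hint->rmconf;` carries no explanation, while the multi-line comment that precedes it (about mobile-node addresses and the getrmconf lookup) now only describes the `iph1hint == NULL` path, which is confusing for the next reader. Suggest a comment above the `if`: `/* A re-key or MIGRATE restart passes the previous phase 1 as hint; reuse its remote config so we negotiate under the same peer identity instead of re-resolving by address. */` (assuming that is the intent). Note that the hinted rmconf bypasses `GETRMCONF_F_NO_PASSIVE`, so the passive check that follows this hunk is what rejects a passive configuration on this path; that dependency is worth stating. isakmp_post_acquire continues past this hunk.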
@@ -3075,7 +3081,7 @@ frag_handler(iph1, msg, remote, local) if (isakmp_frag_extract(iph1, msg) == 1) { if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) { - plog(LLV_ERROR, LOCATION, remote, + plog(LLV_ERROR, LOCATION, remote, "Packet reassembly failed\n"); return -1; } @@ -3212,7 +3218,7 @@ script_exec(script, name, envp) argv[1] = script_names[name]; argv[2] = NULL; - switch (fork()) { + switch (fork()) { case 0: execve(argv[0], argv, envp); plog(LLV_ERROR, LOCATION, NULL, @@ -3227,7 +3233,7 @@ script_exec(script, name, envp) break; default: break; - } + } return 0; } @@ -3253,7 +3259,7 @@ purge_remote(iph1) iph1->status = PHASE1ST_EXPIRED; /* Check if we have another, still valid, phase1 SA. */ - new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1); + new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED); /* * Delete all orphaned or binded to the deleting ph1handle phase2 SAs. @@ -3329,7 +3335,7 @@ purge_remote(iph1) ntohl(sa->sadb_sa_spi)); }else{ - /* + /* * If we have a new ph1, do not purge IPsec-SAs binded * to a different ISAKMP-SA */ @@ -3341,7 +3347,7 @@ purge_remote(iph1) /* If the ph2handle is established, do not purge IPsec-SA */ if (iph2->status == PHASE2ST_ESTABLISHED || iph2->status == PHASE2ST_EXPIRED) { - + plog(LLV_INFO, LOCATION, NULL, "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n", ntohl(sa->sadb_sa_spi), @@ -3352,7 +3358,7 @@ purge_remote(iph1) } } - + pfkey_send_delete(lcconf->sock_pfkey, msg->sadb_msg_satype, IPSEC_MODE_ANY, @@ -3383,7 +3389,7 @@ purge_remote(iph1) sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub); } -void +void delete_spd(iph2, created) struct ph2handle *iph2; u_int64_t created; 
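Review bot: Replacing `getph1byaddr` with the identity-hinted `getph1(iph1, ...)` changes which IPsec SAs survive a purge: if the peer behind the same address pair has re-established phase 1 under a different identity, this lookup now returns NULL and the purge loop below (outside the visible part of the hunk) presumably takes its "no new ph1" path, deleting SAs that belong to that other, still valid ISAKMP-SA. If that is intended (do not keep SAs across an identity change), say so on the line above: `/* Check if we have another, still valid, phase1 SA with the same identities. */`; otherwise fall back to `getph1byaddr(iph1->local, iph1->remote, 1)` when the hinted lookup finds nothing. purge_remote starts and ends outside this hunk.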
@@ -3409,22 +3415,22 @@ delete_spd(iph2, created) plog(LLV_INFO, LOCATION, NULL, "generated policy, deleting it.\n"); - + memset(&spidx, 0, sizeof(spidx)); iph2->spidx_gen = (caddr_t )&spidx; - + /* make inbound policy */ iph2->src = dst; iph2->dst = src; spidx.dir = IPSEC_DIR_INBOUND; spidx.ul_proto = 0; - - /* + + /* * Note: code from get_proposal_r */ - + #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type - + /* * make destination address in spidx from either ID payload * or phase 1 address into a address in spidx. @@ -3440,48 +3446,48 @@ delete_spd(iph2, created) &spidx.prefd, &spidx.ul_proto); if (error) goto purge; - + #ifdef INET6 /* * get scopeid from the SA address. * note that the phase 1 source address is used as - * a destination address to search for a inbound + * a destination address to search for a inbound * policy entry because rcoon is responder. */ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { - if ((error = + if ((error = setscopeid((struct sockaddr *)&spidx.dst, iph2->src)) != 0) goto purge; } #endif - + if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) idi2type = _XIDT(iph2->id); - + } else { - + plog(LLV_DEBUG, LOCATION, NULL, "get a destination address of SP index " "from phase1 address " "due to no ID payloads found " "OR because ID type is not address.\n"); - + /* - * copy the SOURCE address of IKE into the - * DESTINATION address of the key to search the + * copy the SOURCE address of IKE into the + * DESTINATION address of the key to search the * SPD because the direction of policy is inbound. */ memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); switch (spidx.dst.ss_family) { case AF_INET: - spidx.prefd = + spidx.prefd = sizeof(struct in_addr) << 3; break; #ifdef INET6 case AF_INET6: - spidx.prefd = + spidx.prefd = sizeof(struct in6_addr) << 3; break; #endif 
@@ -3490,7 +3496,7 @@ delete_spd(iph2, created) break; } } - + /* make source address in spidx */ if (iph2->id_p != NULL && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR @@ -3510,7 +3516,7 @@ delete_spd(iph2, created) * for more detail, see above of this function. */ if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { - error = + error = setscopeid((struct sockaddr *)&spidx.src, iph2->dst); if (error) @@ -3548,12 +3554,12 @@ delete_spd(iph2, created) memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); switch (spidx.src.ss_family) { case AF_INET: - spidx.prefs = + spidx.prefs = sizeof(struct in_addr) << 3; break; #ifdef INET6 case AF_INET6: - spidx.prefs = + spidx.prefs = sizeof(struct in6_addr) << 3; break; #endif @@ -3584,14 +3590,14 @@ delete_spd(iph2, created) spidx.ul_proto = IPSEC_ULPROTO_ANY; #undef _XIDT - + /* Check if the generated SPD has the same timestamp as the SA. * If timestamps are different, this means that the SPD entry has been * refreshed by another SA, and should NOT be deleted with the current SA. */ if( created ){ struct secpolicy *p; - + p = getsp(&spidx); if(p != NULL){ /* just do no test if p is NULL, because this probably just means @@ -3656,7 +3662,7 @@ setscopeid(sp_addr0, sa_addr0) struct sockaddr *sp_addr0, *sa_addr0; { struct sockaddr_in6 *sp_addr, *sa_addr; - + sp_addr = (struct sockaddr_in6 *)sp_addr0; sa_addr = (struct sockaddr_in6 *)sa_addr0; diff --git a/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h b/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h index 366ae4204fe8..9bc68560c69b 100644 --- a/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h +++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h 
@@ -1,11 +1,11 @@ -/* $NetBSD: isakmp_var.h,v 1.15 2009/04/20 13:24:36 tteras Exp $ */ +/* $NetBSD: isakmp_var.h,v 1.16 2009/09/03 09:29:07 tteras Exp $ */ /* Id: isakmp_var.h,v 1.12 2005/05/07 14:45:31 manubsd Exp */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -87,7 +87,7 @@ extern void isakmp_ph2delete_stub __P((struct sched *)); extern void isakmp_ph2delete __P((struct ph2handle *)); extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *)); -extern int isakmp_post_acquire __P((struct ph2handle *)); +extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *)); extern int isakmp_post_getspi __P((struct ph2handle *)); extern void isakmp_chkph1there_stub __P((struct sched *)); extern void isakmp_chkph1there __P((struct ph2handle *)); @@ -131,7 +131,7 @@ extern int copy_ph1addresses __P(( struct ph1handle *, struct remoteconf *, struct sockaddr *, struct sockaddr *)); extern void log_ph1established __P((const struct ph1handle *)); -extern void script_hook __P((struct ph1handle *, int)); +extern void script_hook __P((struct ph1handle *, int)); extern int script_env_append __P((char ***, int *, char *, char *)); extern int script_exec __P((char *, int, char * const *)); 
diff --git a/crypto/dist/ipsec-tools/src/racoon/pfkey.c b/crypto/dist/ipsec-tools/src/racoon/pfkey.c index a6378230df41..57e79f3b0ace 100644 --- a/crypto/dist/ipsec-tools/src/racoon/pfkey.c +++ b/crypto/dist/ipsec-tools/src/racoon/pfkey.c @@ -1,11 +1,11 @@ -/* $NetBSD: pfkey.c,v 1.50 2009/08/10 08:22:13 tteras Exp $ */ +/* $NetBSD: pfkey.c,v 1.51 2009/09/03 09:29:07 tteras Exp $ */ -/* $Id: pfkey.c,v 1.50 2009/08/10 08:22:13 tteras Exp $ */ +/* $Id: pfkey.c,v 1.51 2009/09/03 09:29:07 tteras Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -173,7 +173,7 @@ static int addnewsp __P((caddr_t *, struct sockaddr *, struct sockaddr *)); /* cope with old kame headers - ugly */ #ifndef SADB_X_AALG_MD5 -#define SADB_X_AALG_MD5 SADB_AALG_MD5 +#define SADB_X_AALG_MD5 SADB_AALG_MD5 #endif #ifndef SADB_X_AALG_SHA #define SADB_X_AALG_SHA SADB_AALG_SHA @@ -353,7 +353,7 @@ pfkey_dump_sadb(satype) "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid); continue; } - + ml = msg->sadb_msg_len << 3; bl = buf ? buf->l : 0; @@ -839,7 +839,7 @@ pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, goto bad; *a_keylen >>= 3; - if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5 + if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5 && hashtype == IPSECDOI_ATTR_AUTH_KPDK) { /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */ *a_type = SADB_X_AALG_MD5; 
@@ -919,7 +919,7 @@ pk_sendgetspi(iph2) racoon_free(dst); return -1; } - + for (pr = pp->head; pr != NULL; pr = pr->next) { /* validity check */ @@ -991,7 +991,7 @@ pk_sendgetspi(iph2) * receive GETSPI from kernel. */ static int -pk_recvgetspi(mhp) +pk_recvgetspi(mhp) caddr_t *mhp; { struct sadb_msg *msg; @@ -1111,7 +1111,7 @@ pk_sendupdate(iph2) sa_args.l_addtime = iph2->lifetime_secs; else sa_args.l_addtime = iph2->approval->lifetime; - sa_args.seq = iph2->seq; + sa_args.seq = iph2->seq; sa_args.wsize = 4; if (iph2->sa_src && iph2->sa_dst) { @@ -1163,7 +1163,7 @@ pk_sendupdate(iph2) pr->head->trns_id, pr->head->authtype, &sa_args.e_type, &sa_args.e_keylen, - &sa_args.a_type, &sa_args.a_keylen, + &sa_args.a_type, &sa_args.a_keylen, &sa_args.flags) < 0){ racoon_free(sa_args.src); racoon_free(sa_args.dst); @@ -1221,11 +1221,11 @@ pk_sendupdate(iph2) * But it is impossible because there is not key in the * information from the kernel. */ - + /* change some things before backing up */ sa_args.wsize = 4; sa_args.l_bytes = iph2->approval->lifebyte * 1024; - + if (backupsa_to_file(&sa_args) < 0) { plog(LLV_ERROR, LOCATION, NULL, "backuped SA failed: %s\n", @@ -1447,7 +1447,7 @@ pk_sendadd(iph2) pr->head->trns_id, pr->head->authtype, &sa_args.e_type, &sa_args.e_keylen, - &sa_args.a_type, &sa_args.a_keylen, + &sa_args.a_type, &sa_args.a_keylen, &sa_args.flags) < 0){ racoon_free(sa_args.src); racoon_free(sa_args.dst); @@ -1668,11 +1668,12 @@ pk_recvexpire(mhp) " being negotiated. Stopping negotiation.\n"); } - /* turn off the timer for calling isakmp_ph2expire() */ + /* turn off the timer for calling isakmp_ph2expire() */ sched_cancel(&iph2->sce); if (iph2->status == PHASE2ST_ESTABLISHED && iph2->side == INITIATOR) { + struct ph1handle *iph1hint; /* * Active phase 2 expired and we were initiator. * Begin new phase 2 exchange, so we can keep on sending 
@@ -1680,11 +1681,12 @@ pk_recvexpire(mhp) */ /* update status for re-use */ + iph1hint = iph2->ph1; initph2(iph2); iph2->status = PHASE2ST_STATUS2; /* start quick exchange */ - if (isakmp_post_acquire(iph2) < 0) { + if (isakmp_post_acquire(iph2, iph1hint) < 0) { plog(LLV_ERROR, LOCATION, iph2->dst, "failed to begin ipsec sa " "re-negotication.\n"); @@ -1750,7 +1752,7 @@ pk_recvacquire(mhp) if (m_sec_ctx != NULL) { plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n", m_sec_ctx->sadb_x_ctx_doi); - plog(LLV_INFO, LOCATION, NULL, + plog(LLV_INFO, LOCATION, NULL, "security context algorithm: %u\n", m_sec_ctx->sadb_x_ctx_alg); plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n", @@ -1960,7 +1962,7 @@ pk_recvacquire(mhp) /* start isakmp initiation by using ident exchange */ /* XXX should be looped if there are multiple phase 2 handler. */ - if (isakmp_post_acquire(iph2) < 0) { + if (isakmp_post_acquire(iph2, NULL) < 0) { plog(LLV_ERROR, LOCATION, NULL, "failed to begin ipsec sa negotication.\n"); remph2(iph2); @@ -2145,7 +2147,7 @@ getsadbpolicy(policy0, policylen0, type, iph2) p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen; p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi; p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg; - + memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen); len += ctxlen; } @@ -2184,7 +2186,7 @@ getsadbpolicy(policy0, policylen0, type, iph2) goto err; } - /* + /* * the policy level cannot be unique because the policy * is defined later than SA, so req_id cannot be bound to SA. */ @@ -2217,7 +2219,7 @@ getsadbpolicy(policy0, policylen0, type, iph2) xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen); xisr = (struct sadb_x_ipsecrequest *)p; - + } racoon_free(pr_rlist); 
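Review bot: Saving `iph1hint = iph2->ph1;` immediately before `initph2(iph2);` has no comment, and the reason — presumably that initph2() resets the phase 1 binding, so the hint must be captured first — is only recoverable by reading initph2. Suggest `/* remember the phase 1 before initph2() resets the handle; it hints the re-key at the same peer identity */` on that line (confirm that initph2 does clear ph1). pk_recvexpire begins before this hunk.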
@@ -3070,6 +3072,8 @@ migrate_ph2_sa_addresses(iph2, args) rmconf = getrmconf(iph2->dst, 0); if (rmconf && !rmconf->passive) { + struct ph1handle *iph1hint; + plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received " "*during* IPsec SA negotiation. As initiator, " "restarting it.\n"); @@ -3079,11 +3083,12 @@ migrate_ph2_sa_addresses(iph2, args) iph2->status = PHASE2ST_EXPIRED; /* ... clean Phase 2 handle ... */ + iph1hint = iph2->ph1; initph2(iph2); iph2->status = PHASE2ST_STATUS2; /* and start a new negotiation */ - if (isakmp_post_acquire(iph2) < 0) { + if (isakmp_post_acquire(iph2, iph1hint) < 0) { plog(LLV_ERROR, LOCATION, iph2->dst, "failed " "to begin IPsec SA renegotiation after " "MIGRATE reception.\n");
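Review bot: After a MIGRATE the `rmconf` just looked up for the new `iph2->dst` is used only for the passive check, while `isakmp_post_acquire(iph2, iph1hint)` will, per the isakmp.c change in this commit, take `iph1hint->rmconf` instead; if that phase 1 was bound to a different remote configuration than the one matching the migrated address, the restarted negotiation runs under the pre-migration config. If the phase 1 handle is itself migrated before this point so the two always agree, a comment saying so would settle it; otherwise guard with `isakmp_post_acquire(iph2, iph1hint && iph1hint->rmconf == rmconf ? iph1hint : NULL)`. The enclosing function starts before this hunk.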