Fix simple DES support (security problems for racoon to racoon setups)

Fix broken generated policies flush

crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.1.1.2 2005/02/23 14:54:12 manu Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.2 2005/04/19 19:42:08 manu Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.40.4.1 2005/02/22 23:56:08 manubsd Exp */
 
@@ -1187,10 +1187,13 @@ evp_keylen(int len, const EVP_CIPHER *e)
 {
 	if (!e)
 		return -1;
-	if (len != 0 && len != EVP_CIPHER_key_length(e))
+	/* EVP functions return lengths in bytes, ipsec-tools
+	 * uses lengths in bits, therefore conversion is required. --AK
+	 */
+	if (len != 0 && len != (EVP_CIPHER_key_length(e) << 3))
 		return -1;
 	
-	return EVP_CIPHER_key_length(e);
+	return EVP_CIPHER_key_length(e) << 3;
 }
 
 /*

crypto/dist/ipsec-tools/src/racoon/handler.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.1.1.2 2005/02/23 14:54:15 manu Exp $	*/
+/*	$NetBSD: handler.h,v 1.2 2005/04/19 19:42:09 manu Exp $	*/
 
 /* Id: handler.h,v 1.11 2004/11/16 15:44:46 ludvigm Exp */
 
@@ -306,6 +306,8 @@ struct ph2handle {
 
 	struct isakmp_ivm *ivm;		/* IVs */
 
+	int generated_spidx;	/* mark handlers whith generated policy */
+
 #ifdef ENABLE_STATS
 	struct timeval start;
 	struct timeval end;

crypto/dist/ipsec-tools/src/racoon/isakmp.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.1.1.3 2005/03/14 08:14:29 manu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.2 2005/04/19 19:42:09 manu Exp $	*/
 
 /* Id: isakmp.c,v 1.34.2.2 2005/03/13 17:31:55 vanhu Exp */
 
@@ -1823,18 +1823,19 @@ isakmp_ph1expire(iph1)
 {
 	char *src, *dst;
 
-	src = strdup(saddr2str(iph1->local));
-	dst = strdup(saddr2str(iph1->remote));
-	plog(LLV_INFO, LOCATION, NULL,
-		"ISAKMP-SA expired %s-%s spi:%s\n",
-		src, dst,
-		isakmp_pindex(&iph1->index, 0));
-	racoon_free(src);
-	racoon_free(dst);
-
 	SCHED_KILL(iph1->sce);
 
-	iph1->status = PHASE1ST_EXPIRED;
+	if(iph1->status != PHASE1ST_EXPIRED){
+		src = strdup(saddr2str(iph1->local));
+		dst = strdup(saddr2str(iph1->remote));
+		plog(LLV_INFO, LOCATION, NULL,
+			 "ISAKMP-SA expired %s-%s spi:%s\n",
+			 src, dst,
+			 isakmp_pindex(&iph1->index, 0));
+		racoon_free(src);
+		racoon_free(dst);
+		iph1->status = PHASE1ST_EXPIRED;
+	}
 
 	/*
 	 * the phase1 deletion is postponed until there is no phase2.

crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.1.1.3 2005/03/14 08:14:30 manu Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.2 2005/04/19 19:42:09 manu Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.14.4.2 2005/03/02 20:00:03 vanhu Exp */
 
@@ -1028,7 +1028,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 			if (iph2) {
 				/* Delete the SPD entry if we generated it
 				 */
-				if (iph2->ph1 && iph2->ph1->rmconf && iph2->ph1->rmconf->gen_policy) {
+				if (iph2->generated_spidx) {
 					struct policyindex spidx;
 					struct sockaddr_storage addr;
 					u_int8_t pref;

crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_quick.c,v 1.1.1.3 2005/03/14 08:14:31 manu Exp $	*/
+/*	$NetBSD: isakmp_quick.c,v 1.2 2005/04/19 19:42:09 manu Exp $	*/
 
 /* Id: isakmp_quick.c,v 1.13.2.1 2005/03/02 20:00:03 vanhu Exp */
 
@@ -1700,6 +1700,7 @@ quick_r3prep(iph2, msg0)
 		delsp_bothdir((struct policyindex *)iph2->spidx_gen);
 		racoon_free(iph2->spidx_gen);
 		iph2->spidx_gen = NULL;
+		iph2->generated_spidx=1;
 	}
 
 	error = 0;

crypto/dist/ipsec-tools/src/racoon/pfkey.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.1.1.2 2005/02/23 14:54:24 manu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.2 2005/04/19 19:42:09 manu Exp $	*/
 
 /* Id: pfkey.c,v 1.31.2.1 2005/02/18 10:01:40 vanhu Exp */
 
@@ -1257,9 +1257,7 @@ pk_recvupdate(mhp)
 	 * since we are going to reuse the phase2 handler, we need to
 	 * remain it and refresh all the references between ph1 and ph2 to use.
 	 */
-	/* XXX ???
-	  */
-/*	unbindph12(iph2);*/
+	unbindph12(iph2);
 
 	iph2->sce = sched_new(iph2->approval->lifetime,
 	    isakmp_ph2expire_stub, iph2);