KAME racoon as of 2001/2/22
parent
49889b3afd
commit
98857d7198
4
crypto/dist/kame/racoon/Makefile.in
@ -1,4 +1,4 @@
|
||||
# $KAME: Makefile.in,v 1.30 2000/12/12 16:59:32 thorpej Exp $
|
||||
# $KAME: Makefile.in,v 1.31 2001/01/31 05:32:55 sakane Exp $
|
||||
|
||||
@SET_MAKE@
|
||||
srcdir= @srcdir@
|
||||
@ -31,7 +31,7 @@ OBJS= main.o session.o isakmp.o handler.o random.o \
|
||||
policy.o localconf.o remoteconf.o crypto_openssl.o algorithm.o \
|
||||
proposal.o sainfo.o cfparse.o cftoken.o strnames.o \
|
||||
vmbuf.o plog.o logger.o schedule.o str2val.o misc.o sockmisc.o \
|
||||
safefile.o @LIBOBJS@
|
||||
safefile.o backupsa.o @LIBOBJS@
|
||||
# under samples
|
||||
CONF= psk.txt racoon.conf
|
||||
|
||||
|
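--- a/crypto/dist/kame/racoon/backupsa.c
+++ b/crypto/dist/kame/racoon/backupsa.c
@@ -0,0 +1,473 @@
+/* $KAME: backupsa.c,v 1.7 2001/02/01 15:51:16 sakane Exp $ */
+
+/*
+* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+* 3. Neither the name of the project nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+
+#include <netinet/in.h>
+#ifdef IPV6_INRIA_VERSION
+#include <netinet/ipsec.h>
+#else
+#include <netinet6/ipsec.h>
+#endif
+
+#if TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# if HAVE_SYS_TIME_H
+# include <sys/time.h>
+# else
+# include <time.h>
+# endif
+#endif
+
+#include "var.h"
+#include "misc.h"
+#include "vmbuf.h"
+#include "str2val.h"
+#include "plog.h"
+#include "debug.h"
+
+#include "localconf.h"
+#include "sockmisc.h"
+#include "safefile.h"
+#include "backupsa.h"
+#include "libpfkey.h"
+
+/*
+* (time string)%(sa parameter)
+* (time string) := ex. Nov 24 18:22:48 1986
+* (sa parameter) :=
+* src dst satype spi mode reqid wsize \
+* e_type e_keylen a_type a_keylen flags \
+* l_alloc l_bytes l_addtime l_usetime seq keymat
+*/
+static char *format = "%b %d %T %Y"; /* time format */
+static char *strmon[12] = {
+"Jan", "Feb", "Mar", "Apr", "May", "Jun",
+"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+};
+
+static char *str2tmx __P((char *, struct tm *));
+static int str2num __P((char *, int));
+
+/*
+* output the sa parameter.
+*/
+int
+backupsa_to_file(satype, mode, src, dst, spi, reqid, wsize,
+keymat, e_type, e_keylen, a_type, a_keylen, flags,
+l_alloc, l_bytes, l_addtime, l_usetime, seq)
+u_int satype, mode, wsize;
+struct sockaddr *src, *dst;
+u_int32_t spi, reqid;
+caddr_t keymat;
+u_int e_type, e_keylen, a_type, a_keylen, flags;
+u_int32_t l_alloc;
+u_int64_t l_bytes, l_addtime, l_usetime;
+u_int32_t seq;
+{
+char buf[1024];
+struct tm *tm;
+time_t t;
+char *p, *k;
+int len, l, i;
+FILE *fp;
+
+p = buf;
+len = sizeof(buf);
+
+t = time(NULL);
+tm = localtime(&t);
+l = strftime(p, len, format, tm);
+p += l;
+len -= l;
+if (len < 0)
+goto err;
+
+l = snprintf(p, len, "%%");
+p += l;
+len -= l;
+if (len < 0)
+goto err;
+
+i = getnameinfo(src, src->sa_len, p, len, NULL, 0, NIFLAGS);
+if (i != 0)
+goto err;
+l = strlen(p);
+p += l;
+len -= l;
+if (len < 0)
+goto err;
+
+l = snprintf(p, len, " ");
+p += l;
+len -= l;
+if (len < 0)
+goto err;
+
+i = getnameinfo(dst, dst->sa_len, p, len, NULL, 0, NIFLAGS);
+if (i != 0)
+goto err;
+l = strlen(p);
+p += l;
+len -= l;
+if (len < 0)
+goto err;
+
+l = snprintf(p, len,
+" %u %lu %u %u %u "
+"%u %u %u %u %u "
+"%u %llu %llu %llu %u",
+satype, (unsigned long)ntohl(spi), mode, reqid, wsize,
+e_type, e_keylen, a_type, a_keylen, flags,
+l_alloc, (unsigned long long)l_bytes,
+(unsigned long long)l_addtime, (unsigned long long)l_usetime,
+seq);
+p += l;
+len -= l;
+if (len < 0)
+goto err;
+
+k = val2str(keymat, e_keylen + a_keylen);
+l = snprintf(p, len, " %s", k);
+free(k);
+p += l;
+len -= l;
+if (len < 0)
+goto err;
+
+/* open the file and write the SA parameter */
+if (safefile(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 1) != 0 ||
+(fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "a")) == NULL) {
+plog(LLV_ERROR, LOCATION, NULL,
+"failed to open the backup file %s.\n",
+lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
+return -1;
+}
+fprintf(fp, "%s\n", buf);
+fclose(fp);
+
+return 0;
+
+err:
+plog(LLV_ERROR, LOCATION, NULL,
+"SA cannot be saved to a file.\n");
+return -1;
+}
+
+int
+backupsa_from_file()
+{
+FILE *fp;
+char buf[512];
+struct tm tm;
+time_t created, current;
+char *p, *q;
+u_int satype, mode;
+struct sockaddr *src, *dst;
+u_int32_t spi, reqid;
+caddr_t keymat;
+int keymatlen;
+u_int wsize, e_type, e_keylen, a_type, a_keylen, flags;
+u_int32_t l_alloc;
+u_int64_t l_bytes, l_addtime, l_usetime;
+u_int32_t seq;
+int line;
+
+if (safefile(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 1) == 0)
+fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "r");
+else
+fp = NULL;
+if (fp == NULL) {
+plog(LLV_ERROR, LOCATION, NULL,
+"failed to open the backup file %s.\n",
+lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
+return -1;
+}
+
+current = time(NULL);
+
+for(line = 1; fgets(buf, sizeof(buf), fp) != NULL; line++) {
+/* comment line */
+if (buf[0] == '#')
+continue;
+
+memset(&tm, 0, sizeof(tm));
+p = str2tmx(buf, &tm);
+if (*p != '%') {
+err:
+plog(LLV_ERROR, LOCATION, NULL,
+"illegal format line#%d in %s: %s\n",
+line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], buf);
+continue;
+}
+created = mktime(&tm);
+p++;
+
+for (q = p; *q != '\0' && !isspace(*q); q++)
+;
+*q = '\0';
+src = str2saddr(p, NULL);
+if (src == NULL)
+goto err;
+p = q + 1;
+
+for (q = p; *q != '\0' && !isspace(*q); q++)
+;
+*q = '\0';
+dst = str2saddr(p, NULL);
+if (dst == NULL) {
+free(src);
+goto err;
+}
+p = q + 1;
+
+#define GETNEXTNUM(value, function) \
+do { \
+char *y; \
+for (q = p; *q != '\0' && !isspace(*q); q++) \
+; \
+*q = '\0'; \
+(value) = function(p, &y, 10); \
+if ((value) == 0 && *y != '\0') \
+goto err; \
+p = q + 1; \
+} while (0);
+
+GETNEXTNUM(satype, strtoul);
+GETNEXTNUM(spi, strtoul);
+spi = ntohl(spi);
+GETNEXTNUM(mode, strtoul);
+GETNEXTNUM(reqid, strtoul);
+GETNEXTNUM(wsize, strtoul);
+GETNEXTNUM(e_type, strtoul);
+GETNEXTNUM(e_keylen, strtoul);
+GETNEXTNUM(a_type, strtoul);
+GETNEXTNUM(a_keylen, strtoul);
+GETNEXTNUM(flags, strtoul);
+GETNEXTNUM(l_alloc, strtoul);
+GETNEXTNUM(l_bytes, strtouq);
+GETNEXTNUM(l_addtime, strtouq);
+GETNEXTNUM(l_usetime, strtouq);
+GETNEXTNUM(seq, strtoul);
+
+#undef GETNEXTNUM(n)
+
+keymat = str2val(p, 16, &keymatlen);
+if (keymat == NULL) {
+plog(LLV_ERROR, LOCATION, NULL,
+"illegal format(keymat) line#%d in %s: %s\n",
+line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], buf);
+free(src);
+free(dst);
+continue;
+}
+
+if (created + l_addtime < current) {
+plog(LLV_DEBUG, LOCATION, NULL,
+"ignore this line#%d in %s due to expiration\n",
+line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
+free(src);
+free(dst);
+free(keymat);
+continue;
+}
+l_addtime -= current - created;
+
+if (pfkey_send_add(
+lcconf->sock_pfkey,
+satype,
+mode,
+src,
+dst,
+spi,
+reqid,
+wsize,
+keymat,
+e_type, e_keylen, a_type, a_keylen, flags,
+0, l_bytes, l_addtime, 0, seq) < 0) {
+plog(LLV_ERROR, LOCATION, NULL,
+"restore SA filed line#%d in %s: %s\n",
+line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], ipsec_strerror());
+}
+free(src);
+free(dst);
+free(keymat);
+}
+
+fclose(fp);
+
+/*
+* There is a possibility that an abnormal system down will happen
+* again. Any old SA will not be installed because racoon checks
+* the lifetime and compare with current time.
+*/
+#if 0
+/* clean the file if SA installation succeed. */
+backupsa_clean();
+#endif
+
+return 0;
+}
+
+int
+backupsa_clean()
+{
+FILE *fp;
+
+fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "w+");
+if (fp == NULL) {
+plog(LLV_ERROR, LOCATION, NULL,
+"failed to clean the backup file %s.\n",
+lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
+return -1;
+}
+return 0;
+}
+
+/*
+* convert fixed string into the tm structure.
+* The fixed string is like 'Nov 24 18:22:48 1986'.
+* static char *format = "%b %d %T %Y";
+*/
+static char *
+str2tmx(char *p, struct tm *tm)
+{
+int i, len;
+
+/* Month */
+for (i = 0; i < sizeof(strmon)/sizeof(strmon[0]); i++) {
+if (strncasecmp(p, strmon[i], strlen(strmon[i])) == 0) {
+tm->tm_mon = i;
+break;
+}
+}
+if (i == sizeof(strmon)/sizeof(strmon[0]))
+return 0;
+p += strlen(strmon[i]);
+if (*p++ != ' ')
+return 0;
+
+/* Day */
+len = 2;
+tm->tm_mday = str2num(p, len);
+if (tm->tm_mday == -1 || tm->tm_mday > 31)
+return 0;
+p += len;
+if (*p++ != ' ')
+return 0;
+
+/* Hour */
+len = 2;
+tm->tm_hour = str2num(p, len);
+if (tm->tm_hour == -1 || tm->tm_hour > 24)
+return 0;
+p += len;
+if (*p++ != ':')
+return 0;
+
+/* Min */
+len = 2;
+tm->tm_min = str2num(p, len);
+if (tm->tm_min == -1 || tm->tm_min > 60)
+return 0;
+p += len;
+if (*p++ != ':')
+return 0;
+
+/* Sec */
+len = 2;
+tm->tm_sec = str2num(p, len);
+if (tm->tm_sec == -1 || tm->tm_sec > 60)
+return 0;
+p += len;
+if (*p++ != ' ')
+return 0;
+
+/* Year */
+len = 4;
+tm->tm_year = str2num(p, len);
+if (tm->tm_year == -1 || tm->tm_year < 1900)
+return 0;
+tm->tm_year -= 1900;
+p += len;
+
+return p;
+}
+
+static int
+str2num(p, len)
+char *p;
+int len;
+{
+int res, i;
+
+res = 0;
+for (i = len; i > 0; i--) {
+if (!isdigit(*p))
+return -1;
+res *= 10;
+res += *p - '0';
+p++;
+}
+
+return res;
+}
+
+#ifdef TEST
+#include <stdio.h>
+int
+main()
+{
+struct tm tm;
+time_t t;
+char *buf = "Nov 24 18:22:48 1986 ";
+char *p;
+
+memset(&tm, 0, sizeof(tm));
+p = str2tmx(buf, &tm);
+printf("[%x]\n", *p);
+t = mktime(&tm);
+if (t == -1)
+printf("mktime failed.");
+p = ctime(&t);
+printf("[%s]\n", p);
+
+exit(0);
+}
+#endif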
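Review bot: In backupsa_from_file, str2tmx returns 0 for a malformed time string and the very next statement `if (*p != '%')` dereferences that null pointer, so a single corrupt or over-long line in the backup file (fgets splits anything longer than 511 bytes into two records) crashes racoon instead of skipping the line; the test should read `if (p == NULL || *p != '%') {`. The key material parsed by str2val is then handed to pfkey_send_add without comparing keymatlen with e_keylen + a_keylen, so a short hex string presumably lets the send path read past the allocation — reject the line when `keymatlen != e_keylen + a_keylen`, freeing src and dst as the str2val failure branch does. A GETNEXTNUM failure after src and dst have been allocated jumps to err: and continues without freeing either, and backupsa_clean never fcloses the stream it opens, leaking a descriptor per call. In backupsa_to_file the `if (len < 0)` guards miss the exact-fill case (len == 0), after which getnameinfo is given a zero-length buffer and strlen(p) may read past buf; use `if (len <= 0)` and check val2str's result for NULL before printing it with "%s". GETNEXTNUM's `if ((value) == 0 && *y != '\0')` only rejects trailing garbage when the number parsed as 0, so `12x` is accepted as 12 — test `*y != '\0'` alone — and `#undef GETNEXTNUM(n)` should be `#undef GETNEXTNUM`.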
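--- a/crypto/dist/kame/racoon/backupsa.h
+++ b/crypto/dist/kame/racoon/backupsa.h
@@ -0,0 +1,37 @@
+/* $KAME: backupsa.h,v 1.2 2001/01/31 05:38:44 sakane Exp $ */
+
+/*
+* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+* 3. Neither the name of the project nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+
+extern int backupsa_to_file __P((u_int, u_int,
+struct sockaddr *, struct sockaddr *, u_int32_t, u_int32_t, u_int,
+caddr_t, u_int, u_int, u_int, u_int, u_int,
+u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t));
+extern int backupsa_from_file __P((void));
+extern int backupsa_clean __P((void));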
15
crypto/dist/kame/racoon/cfparse.h
@ -1,4 +1,4 @@
|
||||
/* $KAME: cfparse.h,v 1.7 2000/10/04 17:40:58 itojun Exp $ */
|
||||
/* $KAME: cfparse.h,v 1.10 2001/01/31 05:45:23 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -29,19 +29,6 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#define DEFAULT_CF_FILE SYSCONFDIR "/racoon.conf"
|
||||
|
||||
#define CF_PATHTYPE_INCLUDE 0
|
||||
#define CF_PATHTYPE_PSK 1
|
||||
#define CF_PATHTYPE_CERT 2
|
||||
#define CF_PATHTYPE_MAX 3
|
||||
|
||||
#define CF_PLADDR_ASSOCIATION 0
|
||||
#define CF_PLADDR_NEGOTIATION 1
|
||||
|
||||
#define CF_SIDE_LOCAL 0
|
||||
#define CF_SIDE_REMOTE 1
|
||||
|
||||
#define CF_LIFETYPE_TIME 0
|
||||
#define CF_LIFETYPE_BYTE 1
|
||||
|
||||
|
35
crypto/dist/kame/racoon/cftoken.l
@ -1,4 +1,4 @@
|
||||
/* $KAME: cftoken.l,v 1.47 2000/12/22 03:12:55 sakane Exp $ */
|
||||
/* $KAME: cftoken.l,v 1.51 2001/02/22 01:11:42 sakane Exp $ */
|
||||
|
||||
%{
|
||||
#include <sys/types.h>
|
||||
@ -117,11 +117,13 @@ octetstring {octet}({dot}{octet})+
|
||||
|
||||
/* path */
|
||||
<S_INI>path { BEGIN S_PTH; YYDB; return(PATH); }
|
||||
<S_PTH>include { YYD; yylval.num = CF_PATHTYPE_INCLUDE;
|
||||
<S_PTH>include { YYD; yylval.num = LC_PATHTYPE_INCLUDE;
|
||||
return(PATHTYPE); }
|
||||
<S_PTH>pre_shared_key { YYD; yylval.num = CF_PATHTYPE_PSK;
|
||||
<S_PTH>pre_shared_key { YYD; yylval.num = LC_PATHTYPE_PSK;
|
||||
return(PATHTYPE); }
|
||||
<S_PTH>certificate { YYD; yylval.num = CF_PATHTYPE_CERT;
|
||||
<S_PTH>certificate { YYD; yylval.num = LC_PATHTYPE_CERT;
|
||||
return(PATHTYPE); }
|
||||
<S_PTH>backupsa { YYD; yylval.num = LC_PATHTYPE_BACKUPSA;
|
||||
return(PATHTYPE); }
|
||||
<S_PTH>{semi} { BEGIN S_INI; YYDB; return(EOS); }
|
||||
|
||||
@ -132,6 +134,9 @@ octetstring {octet}({dot}{octet})+
|
||||
<S_INI>identifier { BEGIN S_INF; YYDB; yywarn("it is obsoleted. use \"my_identifier\" in each remote directives."); return(IDENTIFIER); }
|
||||
<S_INF>{semi} { BEGIN S_INI; return(EOS); }
|
||||
|
||||
/* special */
|
||||
<S_INI>complex_bundle { YYDB; return(COMPLEX_BUNDLE); }
|
||||
|
||||
/* logging */
|
||||
<S_INI>log { BEGIN S_LOG; YYDB; return(LOGGING); }
|
||||
<S_LOG>info { YYD; yywarn("it is obsoleted. use \"notify\""); yylval.num = 0; return(LOGLEV); }
|
||||
@ -308,28 +313,6 @@ octetstring {octet}({dot}{octet})+
|
||||
<S_RMTP>dh_group { YYD; return(DH_GROUP); }
|
||||
<S_RMTP>gssapi_id { YYD; return(GSSAPI_ID); }
|
||||
|
||||
/* static sa */
|
||||
<S_INI>static_sa {
|
||||
BEGIN S_SA; YYDB;
|
||||
yywarn("staticsa directive don't work yet.");
|
||||
return(STATICSA);
|
||||
}
|
||||
<S_SA>{semi} { YYD; BEGIN S_INI; return(EOS); }
|
||||
<S_SA>[a-zA-Z0-9:\.\-_/ \n\t\"][a-zA-Z0-9:\.\-_/ \n\t\"]* {
|
||||
yymore();
|
||||
|
||||
incstack[incstackp].lineno += yycf_count_nl(yytext);
|
||||
|
||||
yylval.val = vmalloc(yyleng + 1);
|
||||
if (yylval.val == NULL) {
|
||||
yyerror("vmalloc failed");
|
||||
return -1;
|
||||
}
|
||||
memcpy(yylval.val->v, yytext, yylval.val->l);
|
||||
|
||||
return(STATICSA_STATEMENT);
|
||||
}
|
||||
|
||||
/* parameter */
|
||||
on { YYD; yylval.num = TRUE; return(SWITCH); }
|
||||
off { YYD; yylval.num = FALSE; return(SWITCH); }
|
||||
|
27
crypto/dist/kame/racoon/crypto_openssl.c
@ -1,4 +1,4 @@
|
||||
/* $KAME: crypto_openssl.c,v 1.48 2001/01/25 03:22:39 sakane Exp $ */
|
||||
/* $KAME: crypto_openssl.c,v 1.49 2001/01/31 06:21:05 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -1657,10 +1657,7 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
|
||||
BIGNUM *dh_pub = NULL;
|
||||
DH *dh = NULL;
|
||||
int l;
|
||||
caddr_t v;
|
||||
#if 0
|
||||
vchar_t *gv = 0;
|
||||
#endif
|
||||
caddr_t v = NULL;
|
||||
int error = -1;
|
||||
|
||||
/* make public number to compute */
|
||||
@ -1678,35 +1675,27 @@ eay_dh_compute(prime, g, pub, priv, pub2, key)
|
||||
goto end;
|
||||
dh->length = pub2->l * 8;
|
||||
|
||||
#if 1
|
||||
dh->g = NULL;
|
||||
if ((dh->g = BN_new()) == NULL)
|
||||
goto end;
|
||||
if (!BN_set_word(dh->g, g))
|
||||
goto end;
|
||||
#else
|
||||
if ((gv = vmalloc(sizeof(g))) == 0)
|
||||
goto end;
|
||||
memcpy(gv->v, (caddr_t)&g, sizeof(g));
|
||||
if (eay_v2bn(&dh->g, gv) < 0)
|
||||
goto end;
|
||||
#endif
|
||||
|
||||
v = (caddr_t)calloc(prime->l, sizeof(u_char));
|
||||
l = DH_compute_key(v, dh_pub, dh);
|
||||
if ((v = (caddr_t)calloc(prime->l, sizeof(u_char))) == NULL)
|
||||
goto end;
|
||||
if ((l = DH_compute_key(v, dh_pub, dh)) == -1)
|
||||
goto end;
|
||||
memcpy((*key)->v + (prime->l - l), v, l);
|
||||
free(v);
|
||||
|
||||
error = 0;
|
||||
|
||||
end:
|
||||
#if 0
|
||||
if (gv) vfree(gv);
|
||||
#endif
|
||||
if (dh_pub != NULL)
|
||||
BN_free(dh_pub);
|
||||
if (dh != NULL)
|
||||
DH_free(dh);
|
||||
if (v != NULL)
|
||||
free(v);
|
||||
return(error);
|
||||
}
|
||||
|
||||
|
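Review bot: The cleanup at `end:` now frees v, so the `free(v);` that follows the memcpy on the success path must not survive on the new side — the rendered hunk shows both, and if the early one is still present v is freed twice; drop it, or at least write `free(v); v = NULL;` so the cleanup at end: is a no-op. v holds the computed DH shared secret and is released without being cleared; clearing it before `free(v)` (a non-elidable memset variant where the platform has one) avoids leaving keying material in freed heap. The `l == -1` test only catches DH_compute_key's error return; a result shorter than prime->l is copied right-aligned into (*key)->v, so the leading bytes of (*key)->v must already be zero — presumably guaranteed where *key is allocated, which is outside this hunk and worth confirming. eay_dh_compute begins before the first hunk.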
26
crypto/dist/kame/racoon/handler.c
@ -1,4 +1,4 @@
|
||||
/* $KAME: handler.c,v 1.42 2001/01/26 04:02:45 thorpej Exp $ */
|
||||
/* $KAME: handler.c,v 1.43 2001/02/06 16:28:16 thorpej Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -132,30 +132,6 @@ getph1byaddr(local, remote)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void
|
||||
purgeph1(iph1)
|
||||
struct ph1handle *iph1;
|
||||
{
|
||||
struct ph1handle *p;
|
||||
|
||||
LIST_FOREACH(p, &ph1tree, chain) {
|
||||
if (cmpsaddrwop(iph1->remote, p->remote))
|
||||
continue;
|
||||
/* don't delete current phase 1 SA */
|
||||
if (memcmp(&iph1->index, &p->index, sizeof(isakmp_index)) == 0)
|
||||
continue; /* don't delete current phase 1 SA */
|
||||
|
||||
plog(LLV_INFO, LOCATION, iph1->remote,
|
||||
"proto_id ISAKMP purging spi:%s.\n",
|
||||
isakmp_pindex(&p->index, 0));
|
||||
|
||||
if (p->sce)
|
||||
SCHED_KILL(p->sce);
|
||||
p->status = PHASE1ST_EXPIRED;
|
||||
p->sce = sched_new(1, isakmp_ph1delete_stub, p);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* dump isakmp-sa
|
||||
*/
|
||||
|
3
crypto/dist/kame/racoon/handler.h
@ -1,4 +1,4 @@
|
||||
/* $KAME: handler.h,v 1.36 2001/01/26 04:02:46 thorpej Exp $ */
|
||||
/* $KAME: handler.h,v 1.37 2001/02/06 16:28:17 thorpej Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -371,7 +371,6 @@ extern struct ph1handle *getph1byindex __P((isakmp_index *));
|
||||
extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
|
||||
extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
|
||||
struct sockaddr *));
|
||||
extern void purgeph1 __P((struct ph1handle *));
|
||||
extern vchar_t *dumpph1 __P((void));
|
||||
extern struct ph1handle *newph1 __P((void));
|
||||
extern void delph1 __P((struct ph1handle *));
|
||||
|
18
crypto/dist/kame/racoon/isakmp_inf.c
@ -1,4 +1,4 @@
|
||||
/* $KAME: isakmp_inf.c,v 1.63 2000/12/15 13:43:55 sakane Exp $ */
|
||||
/* $KAME: isakmp_inf.c,v 1.64 2001/02/06 16:27:52 thorpej Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -950,16 +950,6 @@ info_recv_initialcontact(iph1)
|
||||
struct ph2handle *iph2;
|
||||
|
||||
if (f_local)
|
||||
goto step_ph1;
|
||||
|
||||
/*
|
||||
* if the initial contact is acceptable. when both ends are using
|
||||
* "use" as the policy level, both ends initiate the phase 1 and
|
||||
* send initial-contacts under each phase 1 SA. In this case, each
|
||||
* phase 1 SA will be banished by the another initial-contact.
|
||||
* Simply calling getcontacted() is the solution to avoid the case.
|
||||
*/
|
||||
if (getcontacted(iph1->remote))
|
||||
return;
|
||||
|
||||
/* purge IPsec-SA(s) */
|
||||
@ -1037,11 +1027,7 @@ info_recv_initialcontact(iph1)
|
||||
msg = next;
|
||||
}
|
||||
|
||||
if (buf)
|
||||
vfree(buf);
|
||||
|
||||
step_ph1:
|
||||
purgeph1(iph1);
|
||||
vfree(buf);
|
||||
}
|
||||
|
||||
/*
|
||||
|
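Review bot: The end of info_recv_initialcontact now calls `vfree(buf)` unconditionally where the removed code guarded it with `if (buf)`; buf is allocated outside this hunk, so if any path can still reach the end with buf == NULL the guard has to stay, `if (buf) vfree(buf);`. Removing the getcontacted() check also removes the comment that explained why mutual initial-contacts were deduplicated; a one-line comment stating why that protection is no longer needed would spare the next reader from re-deriving it. The function starts before the first hunk.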
103
crypto/dist/kame/racoon/isakmp_quick.c
@ -1,4 +1,4 @@
|
||||
/* $KAME: isakmp_quick.c,v 1.72 2001/01/24 05:37:39 sakane Exp $ */
|
||||
/* $KAME: isakmp_quick.c,v 1.73 2001/02/02 05:44:04 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -1725,9 +1725,7 @@ get_proposal_r(iph2)
|
||||
struct ph2handle *iph2;
|
||||
{
|
||||
struct policyindex spidx;
|
||||
struct secpolicy *sp, *sp_out = NULL;
|
||||
struct ipsecrequest *req;
|
||||
struct saprop *newpp = NULL;
|
||||
struct secpolicy *sp_in, *sp_out;
|
||||
int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
|
||||
int error;
|
||||
|
||||
@ -1856,8 +1854,8 @@ get_proposal_r(iph2)
|
||||
saddr2str((struct sockaddr *)&spidx.dst),
|
||||
spidx.prefd, spidx.ul_proto);
|
||||
|
||||
sp = getsp_r(&spidx);
|
||||
if (sp == NULL) {
|
||||
sp_in = getsp_r(&spidx);
|
||||
if (sp_in == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"no policy found: %s\n", spidx2str(&spidx));
|
||||
return ISAKMP_INTERNAL_ERROR;
|
||||
@ -1891,102 +1889,19 @@ get_proposal_r(iph2)
|
||||
* In the responder side, the inbound policy should be using IPSec.
|
||||
* outbound policy is not checked currently.
|
||||
*/
|
||||
if (sp->policy != IPSEC_POLICY_IPSEC) {
|
||||
if (sp_in->policy != IPSEC_POLICY_IPSEC) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"policy found, but no IPsec required: %s\n",
|
||||
spidx2str(&spidx));
|
||||
return ISAKMP_INTERNAL_ERROR;
|
||||
}
|
||||
|
||||
/* allocate ipsec sa proposal */
|
||||
newpp = newsaprop();
|
||||
if (newpp == NULL) {
|
||||
/* set new proposal derived from a policy into the iph2->proposal. */
|
||||
if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to allocate saprop.\n");
|
||||
goto err;
|
||||
"failed to create saprop.\n");
|
||||
return -1;
|
||||
}
|
||||
newpp->prop_no = 1;
|
||||
newpp->lifetime = iph2->sainfo->lifetime;
|
||||
newpp->lifebyte = iph2->sainfo->lifebyte;
|
||||
newpp->pfs_group = iph2->sainfo->pfs_group;
|
||||
|
||||
/* set new saprop */
|
||||
inssaprop(&iph2->proposal, newpp);
|
||||
|
||||
/* from inbound policy */
|
||||
for (req = sp->req; req; req = req->next) {
|
||||
struct saproto *newpr;
|
||||
struct sockaddr *psaddr = NULL;
|
||||
struct sockaddr *pdaddr = NULL;
|
||||
|
||||
/* check if SA bundle ? */
|
||||
if (req->saidx.src.ss_len && req->saidx.dst.ss_len) {
|
||||
|
||||
psaddr = (struct sockaddr *)&req->saidx.src;
|
||||
pdaddr = (struct sockaddr *)&req->saidx.dst;
|
||||
|
||||
/* check end addresses of SA */
|
||||
/*
|
||||
* NOTE: In inbound, SA's addresses in SP entry are
|
||||
* reverse against real SA's addresses
|
||||
*/
|
||||
if (memcmp(iph2->dst, psaddr, iph2->dst->sa_len)
|
||||
|| memcmp(iph2->src, pdaddr, iph2->src->sa_len)) {
|
||||
/* end of SA bundle */
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* allocate ipsec sa protocol */
|
||||
newpr = newsaproto();
|
||||
if (newpr == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to allocate saproto.\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
newpr->proto_id = ipproto2doi(req->saidx.proto);
|
||||
newpr->spisize = 4;
|
||||
newpr->encmode = pfkey2ipsecdoi_mode(req->saidx.mode);
|
||||
newpr->reqid_in = req->saidx.reqid;
|
||||
|
||||
if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0)
|
||||
goto err;
|
||||
|
||||
/* set new saproto */
|
||||
inssaproto(newpp, newpr);
|
||||
}
|
||||
|
||||
/* get reqid_out from outbound policy */
|
||||
if (sp_out) {
|
||||
struct saproto *pr;
|
||||
|
||||
req = sp_out->req;
|
||||
pr = newpp->head;
|
||||
while (req && pr) {
|
||||
pr->reqid_out = req->saidx.reqid;
|
||||
pr = pr->next;
|
||||
req = req->next;
|
||||
}
|
||||
if (pr || req) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"There is a difference "
|
||||
"between your out-bound policies "
|
||||
"and the policy proposed from the peer.\n");
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
plog(LLV_DEBUG, LOCATION, NULL, "my single bundle:\n");
|
||||
printsaprop0(LLV_DEBUG, newpp);
|
||||
|
||||
iph2->proposal = newpp;
|
||||
|
||||
return 0;
|
||||
|
||||
err:
|
||||
if (newpp)
|
||||
flushsaprop(newpp);
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
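Review bot: The new declaration `struct secpolicy *sp_in, *sp_out;` drops the `= NULL` initializer the old sp_out had, and the removed code tested `if (sp_out)`, so sp_out is a nullable lookup result; unless the code between the hunks now assigns it on every path, set_proposal_from_policy receives an indeterminate pointer — keep `struct secpolicy *sp_in, *sp_out = NULL;`. The new failure branch returns -1 while the checks just above it return ISAKMP_INTERNAL_ERROR; whichever value get_proposal_r's callers test for should be used consistently. The body of get_proposal_r begins before the first hunk.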
3
crypto/dist/kame/racoon/localconf.c
@ -1,4 +1,4 @@
|
||||
/* $KAME: localconf.c,v 1.28 2000/12/15 13:43:56 sakane Exp $ */
|
||||
/* $KAME: localconf.c,v 1.29 2001/02/21 05:19:11 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -129,6 +129,7 @@ setdefault()
|
||||
lcconf->retry_checkph1 = LC_DEFAULT_RETRY_CHECKPH1;
|
||||
lcconf->wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
|
||||
lcconf->strict_address = FALSE;
|
||||
lcconf->complex_bundle = TRUE; /*XXX FALSE;*/
|
||||
}
|
||||
|
||||
/*
|
||||
|
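Review bot: `lcconf->complex_bundle = TRUE; /*XXX FALSE;*/` leaves the reader guessing whether TRUE is the intended default or a temporary override; since the header documents complex_bundle as selecting the old proposal format, the comment should state why the default is kept at TRUE and under what condition it is meant to flip to FALSE, rather than just the bare alternative value. setdefault() begins before the hunk.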
16
crypto/dist/kame/racoon/localconf.h
@ -1,4 +1,4 @@
|
||||
/* $KAME: localconf.h,v 1.22 2001/01/10 02:08:33 sakane Exp $ */
|
||||
/* $KAME: localconf.h,v 1.25 2001/02/21 05:20:44 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -38,7 +38,8 @@
|
||||
#define LC_PATHTYPE_INCLUDE 0
|
||||
#define LC_PATHTYPE_PSK 1
|
||||
#define LC_PATHTYPE_CERT 2
|
||||
#define LC_PATHTYPE_MAX 3
|
||||
#define LC_PATHTYPE_BACKUPSA 3
|
||||
#define LC_PATHTYPE_MAX 4
|
||||
|
||||
#define LC_DEFAULT_PAD_MAXSIZE 20
|
||||
#define LC_DEFAULT_PAD_RANDOM TRUE
|
||||
@ -96,6 +97,17 @@ struct localconf {
|
||||
* There is a different both of the number and the kind of
|
||||
* algorithms between oakley's and ipsec_doi's.
|
||||
*/
|
||||
|
||||
int complex_bundle;
|
||||
/*
|
||||
* If we want to make a packet "IP2 AH ESP IP1 ULP",
|
||||
* the SPD in KAME expresses AH transport + ESP tunnel.
|
||||
* So racoon sent the proposal contained such the order.
|
||||
* But lots of implementation interprets AH tunnel + ESP
|
||||
* tunnel in this case. racoon has changed the format,
|
||||
* usually uses this format. If the option, 'complex_bundle'
|
||||
* is enable, racoon uses old format.
|
||||
*/
|
||||
};
|
||||
|
||||
extern struct localconf *lcconf;
|
||||
|
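Review bot: The explanatory comment for complex_bundle is placed after `int complex_bundle;`, so a reader scanning the struct meets the member before its description; placing the block above the member reads in order (the convention used for the struct's other members is not visible in this hunk). The wording also needs tidying: `If the option, 'complex_bundle' is enable, racoon uses old format.` reads better as `If the 'complex_bundle' option is enabled, racoon uses the old format.`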
191
crypto/dist/kame/racoon/pfkey.c
@ -1,4 +1,4 @@
|
||||
/* $KAME: pfkey.c,v 1.97 2001/01/26 10:14:12 sakane Exp $ */
|
||||
/* $KAME: pfkey.c,v 1.104 2001/02/02 12:14:02 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -82,6 +82,7 @@
|
||||
#include "proposal.h"
|
||||
#include "admin.h"
|
||||
#include "strnames.h"
|
||||
#include "backupsa.h"
|
||||
|
||||
/* prototype */
|
||||
static u_int ipsecdoi2pfkey_aalg __P((u_int));
|
||||
@ -1003,6 +1004,32 @@ pk_sendupdate(iph2)
|
||||
ipsec_strerror());
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
|
||||
continue;
|
||||
|
||||
/*
|
||||
* It maybe good idea to call backupsa_to_file() after
|
||||
* racoon will receive the sadb_update messages.
|
||||
* But it is impossible because there is not key in the
|
||||
* information from the kernel.
|
||||
*/
|
||||
if (backupsa_to_file(satype, mode, iph2->dst, iph2->src,
|
||||
pr->spi, pr->reqid_in, 4,
|
||||
pr->keymat->v,
|
||||
e_type, e_keylen, a_type, a_keylen, flags,
|
||||
0, iph2->approval->lifebyte * 1024,
|
||||
iph2->approval->lifetime, 0,
|
||||
iph2->seq) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"backuped SA failed: %s\n",
|
||||
sadbsecas2str(iph2->dst, iph2->src,
|
||||
satype, pr->spi, mode));
|
||||
}
|
||||
plog(LLV_DEBUG, LOCATION, NULL,
|
||||
"backuped SA: %s\n",
|
||||
sadbsecas2str(iph2->dst, iph2->src,
|
||||
satype, pr->spi, mode));
|
||||
}
|
||||
|
||||
return 0;
|
||||
@ -1192,6 +1219,32 @@ pk_sendadd(iph2)
|
||||
ipsec_strerror());
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
|
||||
continue;
|
||||
|
||||
/*
|
||||
* It maybe good idea to call backupsa_to_file() after
|
||||
* racoon will receive the sadb_update messages.
|
||||
* But it is impossible because there is not key in the
|
||||
* information from the kernel.
|
||||
*/
|
||||
if (backupsa_to_file(satype, mode, iph2->src, iph2->dst,
|
||||
pr->spi_p, pr->reqid_out, 4,
|
||||
pr->keymat_p->v,
|
||||
e_type, e_keylen, a_type, a_keylen, flags,
|
||||
0, iph2->approval->lifebyte * 1024,
|
||||
iph2->approval->lifetime, 0,
|
||||
iph2->seq) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"backuped SA failed: %s\n",
|
||||
sadbsecas2str(iph2->src, iph2->dst,
|
||||
satype, pr->spi_p, mode));
|
||||
}
|
||||
plog(LLV_DEBUG, LOCATION, NULL,
|
||||
"backuped SA: %s\n",
|
||||
sadbsecas2str(iph2->src, iph2->dst,
|
||||
satype, pr->spi_p, mode));
|
||||
}
|
||||
|
||||
return 0;
|
||||
@ -1369,11 +1422,9 @@ pk_recvacquire(mhp)
|
||||
{
|
||||
struct sadb_msg *msg;
|
||||
struct sadb_x_policy *xpl;
|
||||
struct secpolicy *sp, *sp_in = NULL;
|
||||
struct secpolicy *sp_out = NULL, *sp_in = NULL;
|
||||
#define MAXNESTEDSA 5 /* XXX */
|
||||
struct ph2handle *iph2[MAXNESTEDSA];
|
||||
struct ipsecrequest *req;
|
||||
struct saprop *newpp = NULL;
|
||||
int n; /* # of phase 2 handler */
|
||||
|
||||
/* ignore this message because of local test mode. */
|
||||
@ -1444,8 +1495,8 @@ pk_recvacquire(mhp)
|
||||
}
|
||||
|
||||
/* search for proper policyindex */
|
||||
sp = getspbyspid(xpl->sadb_x_policy_id);
|
||||
if (sp == NULL) {
|
||||
sp_out = getspbyspid(xpl->sadb_x_policy_id);
|
||||
if (sp_out == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n",
|
||||
xpl->sadb_x_policy_id);
|
||||
return -1;
|
||||
@ -1456,22 +1507,22 @@ pk_recvacquire(mhp)
|
||||
struct policyindex spidx;
|
||||
|
||||
spidx.dir = IPSEC_DIR_INBOUND;
|
||||
memcpy(&spidx.src, &sp->spidx.dst, sizeof(spidx.src));
|
||||
memcpy(&spidx.dst, &sp->spidx.src, sizeof(spidx.dst));
|
||||
spidx.prefs = sp->spidx.prefd;
|
||||
spidx.prefd = sp->spidx.prefs;
|
||||
spidx.ul_proto = sp->spidx.ul_proto;
|
||||
memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
|
||||
memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
|
||||
spidx.prefs = sp_out->spidx.prefd;
|
||||
spidx.prefd = sp_out->spidx.prefs;
|
||||
spidx.ul_proto = sp_out->spidx.ul_proto;
|
||||
|
||||
sp_in = getsp_r(&spidx);
|
||||
if (!sp_in) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
plog(LLV_WARNING, LOCATION, NULL,
|
||||
"no in-bound policy found: %s\n",
|
||||
spidx2str(&spidx));
|
||||
}
|
||||
}
|
||||
|
||||
plog(LLV_DEBUG, LOCATION, NULL,
|
||||
"policy found: %s.\n", spidx2str(&sp->spidx));
|
||||
"suitable SP found: %s.\n", spidx2str(&sp_out->spidx));
|
||||
|
||||
memset(iph2, 0, MAXNESTEDSA);
|
||||
|
||||
@ -1484,6 +1535,7 @@ pk_recvacquire(mhp)
|
||||
"failed to allocate phase2 entry.\n");
|
||||
return -1;
|
||||
}
|
||||
iph2[n]->side = INITIATOR;
|
||||
iph2[n]->spid = xpl->sadb_x_policy_id;
|
||||
iph2[n]->satype = msg->sadb_msg_satype;
|
||||
iph2[n]->seq = msg->sadb_msg_seq;
|
||||
@ -1502,27 +1554,27 @@ pk_recvacquire(mhp)
|
||||
}
|
||||
|
||||
plog(LLV_DEBUG, LOCATION, NULL,
|
||||
"new acquire %s\n", spidx2str(&sp->spidx));
|
||||
"new acquire %s\n", spidx2str(&sp_out->spidx));
|
||||
|
||||
/* get sainfo */
|
||||
{
|
||||
vchar_t *idsrc, *iddst;
|
||||
|
||||
idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.src,
|
||||
sp->spidx.prefs, sp->spidx.ul_proto);
|
||||
idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src,
|
||||
sp_out->spidx.prefs, sp_out->spidx.ul_proto);
|
||||
if (idsrc == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to get ID for %s\n",
|
||||
spidx2str(&sp->spidx));
|
||||
spidx2str(&sp_out->spidx));
|
||||
delph2(iph2[n]);
|
||||
return -1;
|
||||
}
|
||||
iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.dst,
|
||||
sp->spidx.prefd, sp->spidx.ul_proto);
|
||||
iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst,
|
||||
sp_out->spidx.prefd, sp_out->spidx.ul_proto);
|
||||
if (iddst == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to get ID for %s\n",
|
||||
spidx2str(&sp->spidx));
|
||||
spidx2str(&sp_out->spidx));
|
||||
vfree(idsrc);
|
||||
delph2(iph2[n]);
|
||||
return -1;
|
||||
@ -1539,108 +1591,19 @@ pk_recvacquire(mhp)
|
||||
}
|
||||
}
|
||||
|
||||
/* allocate first proposal */
|
||||
newpp = newsaprop();
|
||||
if (newpp == NULL) {
|
||||
if (set_proposal_from_policy(iph2[n], sp_in, sp_out) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to allocate saprop.\n");
|
||||
"failed to create saprop.\n");
|
||||
delph2(iph2[n]);
|
||||
return -1;
|
||||
}
|
||||
newpp->prop_no = 1;
|
||||
newpp->lifetime = iph2[n]->sainfo->lifetime;
|
||||
newpp->lifebyte = iph2[n]->sainfo->lifebyte;
|
||||
newpp->pfs_group = iph2[n]->sainfo->pfs_group;
|
||||
|
||||
/* set new saprop */
|
||||
inssaprop(&iph2[n]->proposal, newpp);
|
||||
|
||||
insph2(iph2[n]);
|
||||
|
||||
for (req = sp->req; req; req = req->next) {
|
||||
struct saproto *newpr;
|
||||
struct sockaddr *psaddr = NULL;
|
||||
struct sockaddr *pdaddr = NULL;
|
||||
|
||||
/* check if SA bundle ? */
|
||||
if (req->saidx.src.ss_len && req->saidx.dst.ss_len) {
|
||||
|
||||
psaddr = (struct sockaddr *)&req->saidx.src;
|
||||
pdaddr = (struct sockaddr *)&req->saidx.dst;
|
||||
|
||||
/* check end addresses of SA */
|
||||
if (memcmp(iph2[n]->src, psaddr, iph2[n]->src->sa_len)
|
||||
|| memcmp(iph2[n]->dst, pdaddr, iph2[n]->dst->sa_len)){
|
||||
/*
|
||||
* XXX nested SAs with each destination
|
||||
* address are different.
|
||||
* me +--- SA1 ---+ peer1
|
||||
* me +--- SA2 --------------+ peer2
|
||||
*/
|
||||
|
||||
/* check first ph2's proposal */
|
||||
if (iph2[0]->proposal == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"SA addresses mismatch.\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* XXX new ph2 should be alloated. */
|
||||
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"not supported nested SA. Ignore.\n");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* allocate ipsec sa protocol */
|
||||
newpr = newsaproto();
|
||||
if (newpr == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to allocate saproto.\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
newpr->proto_id = ipproto2doi(req->saidx.proto);
|
||||
newpr->spisize = 4;
|
||||
newpr->encmode = pfkey2ipsecdoi_mode(req->saidx.mode);
|
||||
newpr->reqid_out = req->saidx.reqid;
|
||||
|
||||
if (set_satrnsbysainfo(newpr, iph2[n]->sainfo) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to get algorithms.\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* set new saproto */
|
||||
inssaproto(newpp, newpr);
|
||||
}
|
||||
|
||||
/* get reqid_in from inbound policy */
|
||||
if (sp_in) {
|
||||
struct saproto *pr;
|
||||
|
||||
req = sp_in->req;
|
||||
pr = newpp->head;
|
||||
while (req && pr) {
|
||||
pr->reqid_in = req->saidx.reqid;
|
||||
pr = pr->next;
|
||||
req = req->next;
|
||||
}
|
||||
if (pr || req) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"There is a difference "
|
||||
"between the policies.\n");
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
/* start isakmp initiation by using ident exchange */
|
||||
/* XXX should be looped if there are multiple phase 2 handler. */
|
||||
if (isakmp_post_acquire(iph2[n]) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to begin ipsec sa negotication.\n");
|
||||
unbindph12(iph2[n]);
|
||||
goto err;
|
||||
}
|
||||
|
||||
@ -2087,6 +2050,7 @@ addnewsp(mhp)
|
||||
new->spidx.dir = xpl->sadb_x_policy_dir;
|
||||
new->id = xpl->sadb_x_policy_id;
|
||||
new->policy = xpl->sadb_x_policy_type;
|
||||
new->req = NULL;
|
||||
|
||||
/* check policy */
|
||||
switch (xpl->sadb_x_policy_type) {
|
||||
@ -2094,7 +2058,6 @@ addnewsp(mhp)
|
||||
case IPSEC_POLICY_NONE:
|
||||
case IPSEC_POLICY_ENTRUST:
|
||||
case IPSEC_POLICY_BYPASS:
|
||||
new->req = NULL;
|
||||
break;
|
||||
|
||||
case IPSEC_POLICY_IPSEC:
|
||||
@ -2264,8 +2227,8 @@ sadbsecas2str(src, dst, proto, spi, mode)
|
||||
if (spi) {
|
||||
p += i;
|
||||
blen -= i;
|
||||
snprintf(p, blen, "spi=%u(0x%x)", (u_int32_t)ntohl(spi),
|
||||
(u_int32_t)ntohl(spi));
|
||||
snprintf(p, blen, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi),
|
||||
(unsigned long)ntohl(spi));
|
||||
}
|
||||
|
||||
return buf;
|
||||
|
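Review bot: In the pk_sendupdate hunk (and identically in the pk_sendadd hunk that follows it), the `"backuped SA: %s\n"` debug line is logged unconditionally, so a failed backupsa_to_file() is immediately followed by a message claiming the backup succeeded; make the success log the alternative of the failure branch, e.g. `} else plog(LLV_DEBUG, LOCATION, NULL, "backuped SA: %s\n", sadbsecas2str(...));`, or `continue;` right after the error plog. Both calls hand the raw keying material (`pr->keymat->v` / `pr->keymat_p->v`) to the backup path, which is what makes that file sensitive; whether it is created with owner-only permissions is decided in backupsa.c, outside this section, and is worth confirming. Unrelated to this change but visible as context in the pk_recvacquire hunk, `memset(iph2, 0, MAXNESTEDSA);` clears MAXNESTEDSA bytes rather than `sizeof(iph2)` pointers. The enclosing loop and both functions start and end outside the hunks.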
140
crypto/dist/kame/racoon/proposal.c
@ -1,4 +1,4 @@
|
||||
/* $KAME: proposal.c,v 1.24 2000/12/15 13:43:57 sakane Exp $ */
|
||||
/* $KAME: proposal.c,v 1.28 2001/02/22 00:59:03 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -49,6 +49,8 @@
|
||||
#include "sockmisc.h"
|
||||
#include "debug.h"
|
||||
|
||||
#include "policy.h"
|
||||
#include "pfkey.h"
|
||||
#include "isakmp_var.h"
|
||||
#include "isakmp.h"
|
||||
#include "ipsec_doi.h"
|
||||
@ -108,7 +110,7 @@ inssaprop(head, new)
|
||||
return;
|
||||
}
|
||||
|
||||
/* set saproto to last part of the proto tree in saprop */
|
||||
/* set saproto to the end of the proto tree in saprop */
|
||||
void
|
||||
inssaproto(pp, new)
|
||||
struct saprop *pp;
|
||||
@ -126,6 +128,18 @@ inssaproto(pp, new)
|
||||
return;
|
||||
}
|
||||
|
||||
/* set saproto to the top of the proto tree in saprop */
|
||||
void
|
||||
inssaprotorev(pp, new)
|
||||
struct saprop *pp;
|
||||
struct saproto *new;
|
||||
{
|
||||
new->next = pp->head;
|
||||
pp->head = new;
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
struct satrns *
|
||||
newsatrns()
|
||||
{
|
||||
@ -797,12 +811,12 @@ printsaproto(pri, pr)
|
||||
return;
|
||||
|
||||
plog(pri, LOCATION, NULL,
|
||||
" (proto_id=%s spisize=%d spi=%08x spi_p=%08x "
|
||||
" (proto_id=%s spisize=%d spi=%08lx spi_p=%08lx "
|
||||
"encmode=%s reqid=%d:%d)\n",
|
||||
s_ipsecdoi_proto(pr->proto_id),
|
||||
pr->spisize,
|
||||
(u_int32_t)ntohl(pr->spi),
|
||||
(u_int32_t)ntohl(pr->spi_p),
|
||||
(unsigned long)ntohl(pr->spi),
|
||||
(unsigned long)ntohl(pr->spi_p),
|
||||
s_ipsecdoi_attr_v(IPSECDOI_ATTR_ENC_MODE, pr->encmode),
|
||||
pr->reqid_in, pr->reqid_out);
|
||||
|
||||
@ -879,3 +893,119 @@ print_proppair(pri, p)
|
||||
print_proppair0(pri, p, 1);
|
||||
}
|
||||
|
||||
int
|
||||
set_proposal_from_policy(iph2, sp_in, sp_out)
|
||||
struct ph2handle *iph2;
|
||||
struct secpolicy *sp_in, *sp_out;
|
||||
{
|
||||
struct saprop *newpp;
|
||||
struct ipsecrequest *req;
|
||||
int encmodesv;
|
||||
|
||||
newpp = newsaprop();
|
||||
if (newpp == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to allocate saprop.\n");
|
||||
goto err;
|
||||
}
|
||||
newpp->prop_no = 1;
|
||||
newpp->lifetime = iph2->sainfo->lifetime;
|
||||
newpp->lifebyte = iph2->sainfo->lifebyte;
|
||||
newpp->pfs_group = iph2->sainfo->pfs_group;
|
||||
|
||||
encmodesv = IPSECDOI_ATTR_ENC_MODE_ANY;
|
||||
|
||||
if (lcconf->complex_bundle)
|
||||
goto skip1;
|
||||
|
||||
/* decide encryption mode */
|
||||
for (req = sp_out->req; req; req = req->next) {
|
||||
if (req->saidx.mode == IPSEC_MODE_TUNNEL) {
|
||||
encmodesv = pfkey2ipsecdoi_mode(req->saidx.mode);
|
||||
break;
|
||||
}
|
||||
encmodesv = pfkey2ipsecdoi_mode(req->saidx.mode);
|
||||
}
|
||||
|
||||
skip1:
|
||||
for (req = sp_out->req; req; req = req->next) {
|
||||
struct saproto *newpr;
|
||||
struct sockaddr *psaddr = NULL;
|
||||
struct sockaddr *pdaddr = NULL;
|
||||
|
||||
/* XXX check if SA bundle ? */
|
||||
if (req->saidx.src.ss_len && req->saidx.dst.ss_len) {
|
||||
|
||||
psaddr = (struct sockaddr *)&req->saidx.src;
|
||||
pdaddr = (struct sockaddr *)&req->saidx.dst;
|
||||
|
||||
/* check end addresses of SA */
|
||||
if (memcmp(iph2->src, psaddr, iph2->src->sa_len)
|
||||
|| memcmp(iph2->dst, pdaddr, iph2->dst->sa_len)){
|
||||
/*
|
||||
* XXX nested SAs with each destination
|
||||
* address are different.
|
||||
* me +--- SA1 ---+ peer1
|
||||
* me +--- SA2 --------------+ peer2
|
||||
*/
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"not supported nested SA. Ignore.\n");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* allocate ipsec sa protocol */
|
||||
newpr = newsaproto();
|
||||
if (newpr == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to allocate saproto.\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
newpr->proto_id = ipproto2doi(req->saidx.proto);
|
||||
newpr->spisize = 4;
|
||||
if (lcconf->complex_bundle)
|
||||
newpr->encmode = pfkey2ipsecdoi_mode(req->saidx.mode);
|
||||
else
|
||||
newpr->encmode = encmodesv;
|
||||
|
||||
if (iph2->side == INITIATOR)
|
||||
newpr->reqid_out = req->saidx.reqid;
|
||||
else
|
||||
newpr->reqid_in = req->saidx.reqid;
|
||||
|
||||
if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"failed to get algorithms.\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* set new saproto */
|
||||
inssaprotorev(newpp, newpr);
|
||||
}
|
||||
|
||||
/* get reqid_in from inbound policy */
|
||||
if (sp_in) {
|
||||
struct saproto *pr;
|
||||
|
||||
req = sp_in->req;
|
||||
pr = newpp->head;
|
||||
while (req && pr) {
|
||||
pr->reqid_in = req->saidx.reqid;
|
||||
pr = pr->next;
|
||||
req = req->next;
|
||||
}
|
||||
if (pr || req) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"There is a difference "
|
||||
"between the in/out bound policies.\n");
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
iph2->proposal = newpp;
|
||||
|
||||
return 0;
|
||||
err:
|
||||
return -1;
|
||||
}
|
||||
|
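Review bot: set_proposal_from_policy() leaks the proposal on every `goto err` taken after newsaprop() succeeds: newpp, and the saproto entries already linked into it by inssaprotorev(), are never released before `return -1`, and since newpp is stored into `iph2->proposal` only on the success path the caller in pk_recvacquire has no handle to clean it up. Release the partial list at the label, e.g. `err:` / `if (newpp) flushsaprop(newpp);` / `return -1;`, assuming flushsaprop() is the list-free helper this file provides (it is not visible in this hunk). The `"not supported nested SA. Ignore.\n"` branch still `break`s out of the request loop and then returns 0 with a proposal that covers only the requests before the mismatch, so a narrower bundle than the policy asks for is negotiated silently; that behaviour is carried over from the old pk_recvacquire code, but now that it lives in a function that can fail, returning -1 there would be the safer default. The function is complete within the hunk.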
6
crypto/dist/kame/racoon/proposal.h
@ -1,4 +1,4 @@
|
||||
/* $KAME: proposal.h,v 1.12 2000/12/15 13:43:57 sakane Exp $ */
|
||||
/* $KAME: proposal.h,v 1.14 2001/02/21 05:19:11 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -175,10 +175,12 @@ struct prop_pair {
|
||||
|
||||
struct sainfo;
|
||||
struct ph1handle;
|
||||
struct secpolicy;
|
||||
extern struct saprop *newsaprop __P((void));
|
||||
extern struct saproto *newsaproto __P((void));
|
||||
extern void inssaprop __P((struct saprop **, struct saprop *));
|
||||
extern void inssaproto __P((struct saprop *, struct saproto *));
|
||||
extern void inssaprotorev __P((struct saprop *, struct saproto *));
|
||||
extern struct satrns *newsatrns __P((void));
|
||||
extern void inssatrns __P((struct saproto *, struct satrns *));
|
||||
extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *,
|
||||
@ -197,3 +199,5 @@ extern void printsaproto __P((const int, const struct saproto *));
|
||||
extern void printsatrns __P((const int, const int, const struct satrns *));
|
||||
extern void print_proppair0 __P((int, struct prop_pair *, int));
|
||||
extern void print_proppair __P((int, struct prop_pair *));
|
||||
extern int set_proposal_from_policy __P((struct ph2handle *,
|
||||
struct secpolicy *, struct secpolicy *));
|
||||
|
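Review bot: The new set_proposal_from_policy prototype takes `struct ph2handle *`, but only `struct sainfo;`, `struct ph1handle;` and the newly added `struct secpolicy;` are forward-declared in this hunk; unless `struct ph2handle` is declared earlier in the header (not visible here), the tag is scoped to the prototype itself, the compiler warns that it is not visible outside the parameter list, and the declaration is not compatible with the definition in proposal.c. Add `struct ph2handle;` next to the other forward declarations. The declaration list is complete within the hunk.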
4
crypto/dist/kame/racoon/session.c
@ -1,4 +1,4 @@
|
||||
/* $KAME: session.c,v 1.23 2001/01/05 01:14:57 jinmei Exp $ */
|
||||
/* $KAME: session.c,v 1.24 2001/01/31 05:38:44 sakane Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -77,6 +77,7 @@
|
||||
#include "handler.h"
|
||||
#include "localconf.h"
|
||||
#include "remoteconf.h"
|
||||
#include "backupsa.h"
|
||||
|
||||
static void close_session __P((void));
|
||||
static void check_rtsock __P((void *));
|
||||
@ -174,6 +175,7 @@ close_session()
|
||||
{
|
||||
flushph1();
|
||||
close_sockets();
|
||||
backupsa_clean();
|
||||
|
||||
plog(LLV_INFO, LOCATION, NULL, "racoon shutdown");
|
||||
exit(0);
|
||||
|