sync with 2/22 code. -B and -Z,

bundle proposal interpretation, and some other fixes.
XXX WARNS?=0 in racoon/Makefile is necessary to compile yacc-generated files
(static function, generated by yacc, is never used).

crypto/dist/kame/racoon/cfparse.y

@@ -1,4 +1,4 @@
-/*	$KAME: cfparse.y,v 1.85 2001/01/29 11:26:50 sakane Exp $	*/
+/*	$KAME: cfparse.y,v 1.87 2001/02/22 01:11:42 sakane Exp $	*/
 
 %{
 #include <sys/types.h>
@@ -166,9 +166,6 @@ static int expand_isakmpspec __P((int, int, int *,
 %token PREFIX PORT PORTANY UL_PROTO ANY
 %token PFS_GROUP LIFETIME LIFETYPE UNITTYPE STRENGTH
 
-	/* static sa */
-%token STATICSA STATICSA_STATEMENT
-
 %token NUMBER SWITCH BOOLEAN
 %token HEXSTRING QUOTEDSTRING ADDRSTRING
 %token EOS BOC EOC COMMA
@@ -183,7 +180,7 @@ static int expand_isakmpspec __P((int, int, int *,
 %type <num> SECLEVELTYPE SECMODETYPE 
 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
 %type <num> CERTTYPE CERT_X509 PROPOSAL_CHECK_LEVEL
-%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING STATICSA_STATEMENT sainfo_id
+%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING sainfo_id
 %type <val> identifierstring
 %type <spidx> policy_index
 %type <saddr> remote_index ike_addrinfo_port
@@ -208,6 +205,7 @@ statement
 	|	sainfo_statement
 	|	remote_statement
 	|	staticsa_statement
+	|	special_statement
 	;
 
 	/* path */
@@ -229,6 +227,11 @@ path_statement
 		}
 	;
 
+	/* special */
+special_statement
+	:	COMPLEX_BUNDLE SWITCH EOS { lcconf->complex_bundle = $2; }
+	;
+
 	/* include */
 include_statement
 	:	INCLUDE QUOTEDSTRING EOS
@@ -1271,17 +1274,6 @@ isakmpproposal_spec
 		}
 	;
 
-	/* static sa */
-staticsa_statement
-	:	STATICSA STATICSA_STATEMENT
-		{
-			/* execute static sa */
-			/* like system("setkey $2->v"); */
-			vfree($2);
-		}
-		EOS
-	;
-
 %%
 
 #if 0

crypto/dist/kame/racoon/isakmp.c

@@ -1,4 +1,4 @@
-/*	$KAME: isakmp.c,v 1.125 2001/01/28 17:17:17 itojun Exp $	*/
+/*	$KAME: isakmp.c,v 1.127 2001/02/02 12:17:23 sakane Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -894,8 +894,11 @@ isakmp_ph2begin_r(iph1, msg)
 	int error;
 
 	iph2 = newph2();
-	if (iph2 == NULL)
+	if (iph2 == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"failed to allocate phase2 entry.\n");
 		return -1;
+	}
 
 	iph2->ph1 = iph1;
 	iph2->side = RESPONDER;
@@ -1618,8 +1621,10 @@ isakmp_post_acquire(iph2)
 
 	if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
 	                [iph2->side]
-	                [iph2->status])(iph2, NULL) != 0)
+	                [iph2->status])(iph2, NULL) != 0) {
+		unbindph12(iph2);
 		return -1;
+	}
 
 	return 0;
 }

crypto/dist/kame/racoon/main.c

@@ -1,4 +1,4 @@
-/*	$KAME: main.c,v 1.24 2001/01/10 02:58:58 sakane Exp $	*/
+/*	$KAME: main.c,v 1.29 2001/02/06 15:15:46 sakane Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -32,6 +32,7 @@
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/socket.h>
+#include <sys/stat.h>
 
 #include <netinet/in.h>
 
@@ -44,6 +45,7 @@
 #include <unistd.h>
 #endif
 #include <paths.h>
+#include <err.h>
 
 #include "var.h"
 #include "misc.h"
@@ -60,10 +62,12 @@
 #include "pfkey.h"
 #include "crypto_openssl.h"
 #include "random.h"
+#include "backupsa.h"
 
 int f_foreground = 0;	/* force running in foreground. */
 int f_local = 0;	/* local test mode.  behave like a wall. */
 int vflag = 1;		/* for print-isakmp.c */
+static int loading_sa = 0;	/* install sa when racoon boots up. */
 
 static char version[] = "@(#)racoon 20001216 sakane@ydc.co.jp";
 
@@ -90,6 +94,7 @@ Usage()
 #else
 		""
 #endif
+		"[-B]"
 		);
 	printf("   -d: debug level, more -d will generate more debug message.\n");
 	printf("   -F: run in foreground, do not become daemon.\n");
@@ -104,6 +109,8 @@ Usage()
 	printf("   -6: IPv6 mode.\n");
 	printf("   -4: IPv4 mode.\n");
 #endif
+	printf("   -B: install SA to the kernel from the file "
+		"specified by the configuration file.\n");
 	exit(1);
 }
 
@@ -114,6 +121,13 @@ main(ac, av)
 {
 	int error;
 
+	/* don't let anyone read files I write */
+	umask(077);
+	if (umask(077) != 077) {
+		errx(1, "could not set umask");
+		/*NOTREACHED*/
+	}
+
 	initlcconf();
 	initrmconf();
 	oakley_dhinit();
@@ -146,6 +160,15 @@ main(ac, av)
 	}
 	restore_params();
 
+	/*
+	 * install SAs from the specified file.  If the file is not specified
+	 * by the configuration file, racoon will exit.
+	 */
+	if (loading_sa && !f_local) {
+		if (backupsa_from_file() != 0)
+			exit(1);
+	}
+
 	if (f_foreground)
 		close(0);
 	else {
@@ -177,11 +200,13 @@ main(ac, av)
 			plog(LLV_ERROR, LOCATION, NULL,
 				"cannot open %s", pid_file);
 		}
+		if (!f_local) {
 			if (atexit(cleanup_pidfile) < 0) {
 				plog(LLV_ERROR, LOCATION, NULL,
 					"cannot register pidfile cleanup");
 			}
 		}
+	}
 
 	session();
 
@@ -214,7 +239,7 @@ parse(ac, av)
 	else
 		pname = *av;
 
-	while ((c = getopt(ac, av, "dFp:a:f:l:vZ"
+	while ((c = getopt(ac, av, "dFp:a:f:l:vZB"
 #ifdef YYDEBUG
 			"y"
 #endif
@@ -254,6 +279,9 @@ parse(ac, av)
 		case 'Z':
 			/*
 			 * only local test.
+			 * To specify -Z option and to choice a appropriate
+			 * port number for ISAKMP, you can launch some racoons
+			 * on the local host for debug.
 			 * pk_sendadd() on initiator side is always failed
 			 * even if this flag is used.  Because there is same
 			 * spi in the SAD which is inserted by pk_sendgetspi()
@@ -275,6 +303,9 @@ parse(ac, av)
 			lcconf->default_af = AF_INET6;
 			break;
 #endif
+		case 'B':
+			loading_sa++;
+			break;
 		default:
 			Usage();
 			break;

crypto/dist/kame/racoon/racoon.8

@@ -1,4 +1,4 @@
-.\"	$KAME: racoon.8,v 1.23 2000/12/16 15:19:00 itojun Exp $
+.\"	$KAME: racoon.8,v 1.25 2001/02/22 00:41:38 sakane Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 .\" All rights reserved.
@@ -38,7 +38,7 @@
 .Sh SYNOPSIS
 .Nm racoon
 .Bk -words
-.Op Fl dFv
+.Op Fl dFBv
 .Ek
 .Bk -words
 .Op Fl f Ar configfile
@@ -67,10 +67,14 @@ as the configuration file instead of the default.
 run
 .Nm racoon
 in the foreground.
+.It Fl B
+install SA(s) from the file which is specified in
+.Xr racoon.conf 5 .
 .It Fl l Ar logfile
 use
 .Ar logfile
-as the logging file.
+as the logging file instead of
+.Xr syslogd 8 .
 .It Fl p Ar isakmp-port
 listen for ISAKMP key exchange on port
 .Ar isakmp-port
@@ -89,8 +93,6 @@ at
 .Bl -tag -width /etc/racoon.conf -compact
 .It Pa /etc/racoon.conf
 default configuration file.
-.It Pa /var/log/racoon.log
-default log file.
 .El
 .\"
 .Sh RETURN VALUES

crypto/dist/kame/racoon/racoon.conf.5

@@ -1,4 +1,4 @@
-.\"	$KAME: racoon.conf.5,v 1.73 2001/01/26 10:16:26 sakane Exp $
+.\"	$KAME: racoon.conf.5,v 1.76 2001/02/22 01:11:42 sakane Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 .\" All rights reserved.
@@ -138,8 +138,16 @@ See
 .Sx Pre-shared key File .
 .It Ic path certificate Ar path ;
 .Xr racoon 8
-will search this directory if a certificate or certificate request
-is received.
+will search this directory if a certificate or certificate request is received.
+.It Ic path backupsa Ar file ;
+specifies a file to be stored a SA information which is negotiated by racoon.
+.Xr racoon 8
+will install SA(s) from the file with a boot option
+.Fl B .
+The file is increasing because
+.Xr racoon 8
+simply add a SA to the file at the moment.
+You should maintain the file manually.
 .El
 .\"
 .Ss File Include
@@ -563,6 +571,8 @@ and
 .Ic debug2 .
 The default is
 .Ic notify .
+If you put too high logging level on slower machines,
+IKE negotiation can fail due to timing constraint changes.
 .El
 .\"
 .Ss Specifying the way to pad
@@ -591,17 +601,6 @@ The default is off.
 .El
 .El
 .\"
-.Ss Static SA configuration
-.Bl -tag -width Ds -compact
-.It Ic static_sa Ar parameters
-specifies static SA.
-This
-.Ar parameters
-will be passed to
-.Xr setkey 8 .
-Not yet.
-.El
-.\"
 .Ss Pre-shared key File
 Pre-shared key file defines a pair of the identifier and the shared secret key
 which are used at Pre-shared key authentication method in phase 1.

usr.sbin/racoon/Makefile.inc

@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.inc,v 1.2 2000/12/29 03:16:40 itojun Exp $
+#	$NetBSD: Makefile.inc,v 1.3 2001/02/22 02:33:06 itojun Exp $
 
 # point top of your KAME tree by ${KAMEROOT}
 LIBPFKEYSRCDIR=	${.CURDIR}/../../../crypto/dist/kame/libipsec
@@ -13,4 +13,6 @@ BINDIR?=        /sbin
 LDSTATIC?=      -static
 .endif
 
+DBG=	-g
+
 .include "../Makefile.inc"

usr.sbin/racoon/racoon/Makefile

@@ -1,7 +1,8 @@
-#	$NetBSD: Makefile,v 1.3 2001/01/03 15:57:00 itojun Exp $
+#	$NetBSD: Makefile,v 1.4 2001/02/22 02:33:06 itojun Exp $
 
 .include <bsd.own.mk>
 
+WARNS?=	0
 PROG=	racoon
 SRCS=	main.c session.c isakmp.c handler.c random.c \
 	isakmp_ident.c isakmp_agg.c isakmp_base.c \
@@ -11,7 +12,7 @@ SRCS=	main.c session.c isakmp.c handler.c random.c \
 	policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
 	cfparse.c cftoken.c strnames.c \
 	vmbuf.c plog.c logger.c schedule.c str2val.c misc.c sockmisc.c \
-	proposal.c sainfo.c vendorid.c safefile.c
+	proposal.c sainfo.c vendorid.c safefile.c backupsa.c
 
 MAN=	racoon.8 racoon.conf.5