Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS) 

ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many
enhancements.
This commit is contained in:
manu 2005-02-12 11:11:11 +00:00
parent ef3f4c0f7e
commit a8f0ad3c37
222 changed files with 88211 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
crypto/dist/ipsec-tools/.cvsignore vendored Normal file
View File

@ -0,0 +1,16 @@
Makefile
Makefile.in
aclocal.m4
autom4te*
config.*
configure
depcomp
install-sh
ltmain.sh
libtool
missing
ylwrap
mkinstalldirs
stamp-h*
*.tar.gz
package_version.h

1470
crypto/dist/ipsec-tools/ChangeLog vendored Normal file
View File

File diff suppressed because it is too large Load Diff

3
crypto/dist/ipsec-tools/Makefile.am vendored Normal file
View File

@ -0,0 +1,3 @@
SUBDIRS = src @RPM@
EXTRA_DIST = bootstrap README NEWS depcomp

99
crypto/dist/ipsec-tools/NEWS vendored Normal file
View File

@ -0,0 +1,99 @@
Version history:
----------------
0.6??? - ??
o PAM support for Xauth
o Privilege separation
o ESP fragmentation in tunnel mode can be tunned (NetBSD only)
o racoon admin interface is exported (header and library) to
help building control programs for racoon (think GUI)
0.5??? - ??
o Rewritten buildsystem. Now completely autoconfed, automaked,
libtoolized.
o IPsec-tools now compiles on NetBSD and FreeBSD again.
o Support for server-side hybrid authentication, with full
RADIUS supoort. This is interoperable with the Cisco VPN client.
o Support for client-side hybrid authentication (Tested only with
a racoon server)
o ISAKMP mode config support
o IKE fragmentation support
o Fixed FWD policy support.
o Fixed IPv6 compilation.
o Readline is optional, fixed setkey when compiled without readline.
o Configurable Root-CA certificate.
o Dead Peer Detection (DPD) support.
0.4rc1 - 09 August 2004
o Merged support for PlainRSA keys from the 'plainrsa' branch.
o Inheritance of 'remote{}' sections.
o Support for SPD policy priorities in setkey.
o Ciphers are now used through the 'EVP' interface which allows
using hardware crypto accelerators.
o Setkey has new option -n (no action).
o All source files now have 3-clause BSD license.
0.3 - 14 April 2004
o Fixed setkey to handle multiline commands again.
o Added command 'exit' to setkey.
o Fixed racoon to only Warn if no CRL was found.
o Improved testsuite.
0.3rc5 - 05 April 2004
o Security bugfix WRT handling X.509 signatures.
o Stability fix WRT unknown PF_KEY messages.
o Fixed NAT-T with more proposals (e.g. more crypto algos).
o Setkey parses lines one by one => doesn't exit on errors.
o Setkey supports readline => more user friendly.
0.3rc4 - 25 March 2004
o Fixed adding "null" encryption via 'setkey'.
o Fixed segfault when using AES in Phase1 with OpenSSL>=0.9.7
o Fixed NAT-T in aggresive mode.
o Fixed testsuite and added testsuite run into make check.
0.3rc3 - 19 March 2004
o Fixed compilation error with --enble-yydebug
o Better diagnostic when proposals don't match.
o Changed/added options to setkey.
0.3rc2 - 11 March 2004
o Added documentation for NAT-T
o Better NAT-T diagnostic.
o Test and workaround for missing va_copy()
0.3rc1 - 04 March 2004
o Support for NAT Traversal (NAT-T)
0.2.4 - 29 January 2004
o Sync with KAME as of 2004-01-07
o Fixed unauthorized deletion of SA in racoon (again).
0.2.3 - 15 January 2004
o Support for SA lifetime specified in bytes
(see setkey -bs/-bh options)
o Enhance support for OpenSSL 0.9.7
o Let racoon be more verbose
o Fixed some simple bugs (see ChangeLog for details)
o Fixed unauthorized deletion of SA in racoon
o Fixed problems on AMD64
o Ignore multicast addresses for IKE
0.2.2 - 13 March 2003
o Fix racoon to build on some systems that require linking against -lfl
o add an RPM spec to the distribution
0.2.1 - 07 March 2003
o Fix some more gcc-3.2.2 compiler warnings
o Fix racoon to actually configure with ssl in a non-standard location
o Fix racoon to not complain if krb5-config is not installed
0.2 - 06 March 2003
o Glibc-2.3 support
o OpenSSL-0.9.7 support
o Fixed duplicate-macro problems
o Fix racoon lex/yacc support
o Install psk.txt mode 600, racoon.conf mode 644
o Fix racoon to look in the correct directory for config files
0.1 - 03 March 2003
o Initial release of IPsec-Tools

31
crypto/dist/ipsec-tools/README vendored Normal file
View File

@ -0,0 +1,31 @@
IPsec-tools
===========
This package provides a way to use the native IPsec functionality
in the Linux 2.6+ kernel. It works as well on NetBSD and FreeBSD.
- libipsec, a PF_KEYv2 library
- setkey, a tool to directly manipulate policies and SAs
- racoon, an IKEv1 keying daemon
IPsec-tools were ported to Linux from the KAME project
(http://www.kame.net) by Derek Atkins <derek@ihtfp.com>.
Currently the package is actively maintained and developed
by Michal Ludvig <mludvig@suse.cz>, Aidas Kasparas <a.kasparas@gmc.lt>
and Emmanuel Dreyfus <manu@netbsd.org>.
Sources can be found at the IPsec-Tools home page at:
http://ipsec-tools.sourceforge.net/
Please report any problems to the mailing list:
ipsec-tools-devel@lists.sourceforge.net
(it is called 'devel' but feel free to send general
questions there as well :-)
You can also browse the list archive:
http://sourceforge.net/mailarchive/forum.php?forum_id=32000
Credits:
IHTFP Consulting, see http://www.ihtfp.com/
SUSE Linux AG, see http://www.suse.com/

193
crypto/dist/ipsec-tools/acracoon.m4 vendored Normal file
View File

@ -0,0 +1,193 @@
dnl RACOON_PATH_LIBS(FUNCTION, LIB, SEARCH-PATHS [, ACTION-IF-FOUND
dnl [, ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]])
dnl Search for a library defining FUNC, if it's not already available.
AC_DEFUN([RACOON_PATH_LIBS],
[AC_PREREQ([2.13])
AC_CACHE_CHECK([for $2 containing $1], [ac_cv_search_$1],
[ac_func_search_save_LIBS="$LIBS"
ac_cv_search_$1="no"
AC_TRY_LINK_FUNC([$1], [ac_cv_search_$1="none required"],
[LIBS="-l$2 $LIBS"
AC_TRY_LINK_FUNC([$1], [ac_cv_search_$1="-l$2"], [])])
LIBS="$ac_func_search_save_LIBS"
ifelse("x$3", "x", , [ test "$ac_cv_search_$1" = "no" && for i in $3; do
LIBS="-L$i -l$2 $ac_func_search_save_LIBS"
AC_TRY_LINK_FUNC([$1],
[ac_cv_search_$1="-L$i -l$2"
break])
done
LIBS="$ac_func_search_save_LIBS" ]) ])
if test "$ac_cv_search_$1" != "no"; then
test "$ac_cv_search_$1" = "none required" || LIBS="$ac_cv_search_$1 $LIBS"
$4
else :
$5
fi])
dnl Check if either va_copy() or __va_copy() is available. On linux systems
dnl at least one of these should be present.
AC_DEFUN([RACOON_CHECK_VA_COPY], [
saved_CFLAGS=$CFLAGS
CFLAGS="-Wall -O2"
AC_CACHE_CHECK([for an implementation of va_copy()],
ac_cv_va_copy,[
AC_TRY_RUN([#include <stdarg.h>
void func (int i, ...) {
va_list args1, args2;
va_start (args1, i);
va_copy (args2, args1);
if (va_arg (args1, int) != 1 || va_arg (args2, int) != 1)
exit (1);
va_end (args1);
va_end (args2);
}
int main() {
func (0, 1);
return 0;
}],
[ac_cv_va_copy=yes],
[ac_cv_va_copy=no],
[])
])
if test x$ac_cv_va_copy != xyes; then
AC_CACHE_CHECK([for an implementation of __va_copy()],
ac_cv___va_copy,[
AC_TRY_RUN([#include <stdarg.h>
void func (int i, ...) {
va_list args1, args2;
va_start (args1, i);
__va_copy (args2, args1);
if (va_arg (args1, int) != 1 || va_arg (args2, int) != 1)
exit (1);
va_end (args1);
va_end (args2);
}
int main() {
func (0, 1);
return 0;
}],
[ac_cv___va_copy=yes],
[ac_cv___va_copy=no],
[])
])
fi
if test "x$ac_cv_va_copy" = "xyes"; then
va_copy_func=va_copy
elif test "x$ac_cv___va_copy" = "xyes"; then
va_copy_func=__va_copy
fi
if test -n "$va_copy_func"; then
AC_DEFINE_UNQUOTED(VA_COPY,$va_copy_func,
[A 'va_copy' style function])
else
AC_MSG_WARN([Hmm, neither va_copy() nor __va_copy() found.])
AC_MSG_WARN([Using a generic fallback.])
fi
CFLAGS=$saved_CFLAGS
unset saved_CFLAGS
])
AC_DEFUN([RACOON_CHECK_BUGGY_GETADDRINFO], [
AC_MSG_CHECKING(getaddrinfo bug)
saved_CFLAGS=$CFLAGS
CFLAGS="-Wall -O2"
AC_TRY_RUN([
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
int main()
{
int passive, gaierr, inet4 = 0, inet6 = 0;
struct addrinfo hints, *ai, *aitop;
char straddr[INET6_ADDRSTRLEN], strport[16];
for (passive = 0; passive <= 1; passive++) {
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_flags = passive ? AI_PASSIVE : 0;
hints.ai_protocol = IPPROTO_TCP;
hints.ai_socktype = SOCK_STREAM;
if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) {
(void)gai_strerror(gaierr);
goto bad;
}
for (ai = aitop; ai; ai = ai->ai_next) {
if (ai->ai_addr == NULL ||
ai->ai_addrlen == 0 ||
getnameinfo(ai->ai_addr, ai->ai_addrlen,
straddr, sizeof(straddr), strport, sizeof(strport),
NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
goto bad;
}
switch (ai->ai_family) {
case AF_INET:
if (strcmp(strport, "54321") != 0) {
goto bad;
}
if (passive) {
if (strcmp(straddr, "0.0.0.0") != 0) {
goto bad;
}
} else {
if (strcmp(straddr, "127.0.0.1") != 0) {
goto bad;
}
}
inet4++;
break;
case AF_INET6:
if (strcmp(strport, "54321") != 0) {
goto bad;
}
if (passive) {
if (strcmp(straddr, "::") != 0) {
goto bad;
}
} else {
if (strcmp(straddr, "::1") != 0) {
goto bad;
}
}
inet6++;
break;
case AF_UNSPEC:
goto bad;
break;
default:
/* another family support? */
break;
}
}
}
if (!(inet4 == 0 || inet4 == 2))
goto bad;
if (!(inet6 == 0 || inet6 == 2))
goto bad;
if (aitop)
freeaddrinfo(aitop);
exit(0);
bad:
if (aitop)
freeaddrinfo(aitop);
exit(1);
}
],
AC_MSG_RESULT(good)
buggygetaddrinfo=no,
AC_MSG_RESULT(buggy)
buggygetaddrinfo=yes,
AC_MSG_RESULT(buggy)
buggygetaddrinfo=yes)
CFLAGS=$saved_CFLAGS
unset saved_CFLAGS
])

13
crypto/dist/ipsec-tools/bootstrap vendored Executable file
View File

@ -0,0 +1,13 @@
#!/bin/sh
set -x
# Remove autoconf 2.5x's cache directory
rm -rf autom4te*.cache
aclocal -I . || exit 1
autoheader || exit 1
libtoolize --force --copy || exit 1
automake --foreign --add-missing --copy || exit 1
autoconf || exit 1

562
crypto/dist/ipsec-tools/configure.ac vendored Normal file
View File

@ -0,0 +1,562 @@
dnl -*- mode: m4 -*-
dnl $Id: configure.ac,v 1.1.1.1 2005/02/12 11:11:16 manu Exp $
AC_PREREQ(2.52)
AC_INIT(ipsec-tools, 0.5pre)
AC_CONFIG_SRCDIR([configure.ac])
AM_CONFIG_HEADER(config.h)
AM_INIT_AUTOMAKE(dist-bzip2)
AC_ENABLE_SHARED(no)
AC_PROG_CC
AM_PROG_CC_STDC
AC_HEADER_STDC
AC_PROG_LIBTOOL
AC_PROG_YACC
AM_PROG_LEX
AC_SUBST(LEXLIB)
AC_PROG_EGREP
CFLAGS_ADD="$CFLAGS_ADD -Wall -Werror -Wno-unused"
case $host in
*netbsd*)
LDFLAGS="-Wl,-R/usr/pkg/lib $LDFLAGS"
;;
*linux*)
LIBS="$LIBS -lresolv"
INSTALL_OPTS="-o bin -g bin"
INCLUDE_GLIBC="include-glibc"
RPM="rpm"
AC_SUBST(INSTALL_OPTS)
AC_SUBST(INCLUDE_GLIBC)
AC_SUBST(RPM)
;;
esac
# Look up some IPsec-related headers
AC_CHECK_HEADER(net/pfkeyv2.h, [have_net_pfkey=yes], [have_net_pfkey=no])
AC_CHECK_HEADER(netinet/ipsec.h, [have_netinet_ipsec=yes], [have_netinet_ipsec=no])
AC_CHECK_HEADER(netinet6/ipsec.h, [have_netinet6_ipsec=yes], [have_netinet6_ipsec=no])
# NetBSD has <netinet6/ipsec.h> but not <netinet/ipsec.h>
if test "$have_netinet_ipsec$have_netinet6_ipsec" = noyes; then
have_netinet_ipsec=yes
AC_DEFINE(HAVE_NETINET6_IPSEC, [], [Use <netinet6/ipsec.h>])
fi
case "$host_os" in
*linux*)
AC_ARG_WITH(kernel-headers,
AC_HELP_STRING([--with-kernel-headers=/lib/modules/<uname>/build/include],
[where your Linux Kernel headers are installed]),
[ KERNEL_INCLUDE="$with_kernel_headers"
CONFIGURE_AMFLAGS="--with-kernel-headers=$with_kernel_headers"
AC_SUBST(CONFIGURE_AMFLAGS) ],
[ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ])
AC_CHECK_FILE($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
[ AC_CHECK_FILE(/usr/src/linux/include/linux/pfkeyv2.h,
KERNEL_INCLUDE=/usr/src/linux/include ,
[ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] )
AC_SUBST(KERNEL_INCLUDE)
# We need the configure script to run with correct kernel headers.
# However we don't want to point to kernel source tree in compile time,
# i.e. this will be removed from CPPFLAGS at the end of configure.
CPPFLAGS="-I$KERNEL_INCLUDE $CPPFLAGS"
AC_CHECK_MEMBER(struct sadb_x_policy.sadb_x_policy_priority,
[AC_DEFINE(HAVE_PFKEY_POLICY_PRIORITY, [],
[Are PF_KEY policy priorities supported?])], [],
[#include "$KERNEL_INCLUDE/linux/pfkeyv2.h"])
GLIBC_BUGS='-include ${top_srcdir}/src/include-glibc/glibc-bugs.h -I${top_srcdir}/src/include-glibc -I${top_builddir}/src/include-glibc'
AC_SUBST(GLIBC_BUGS)
GLIBC_BUGS_LOCAL="-include ${srcdir-.}/src/include-glibc/glibc-bugs.h -I${srcdir-.}/src/include-glibc -I./src/include-glibc"
CPPFLAGS="$GLIBC_BUGS_LOCAL $CPPFLAGS"
;;
*)
if test "$have_net_pfkey$have_netinet_ipsec" != yesyes; then
if test "$have_net_pfkey" = yes; then
AC_MSG_ERROR([Found net/pfkeyv2.h but not netinet/ipsec.h. Aborting.])
else
AC_MSG_ERROR([Found netinet/ipsec.h but not net/pfkeyv2.h. Aborting.])
fi
fi
;;
esac
### Some basic toolchain checks
# Checks for header files.
AC_HEADER_STDC
AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS(limits.h sys/time.h unistd.h stdarg.h varargs.h)
# Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
AC_TYPE_PID_T
AC_TYPE_SIZE_T
AC_HEADER_TIME
AC_STRUCT_TM
# Checks for library functions.
AC_FUNC_MEMCMP
AC_TYPE_SIGNAL
AC_FUNC_VPRINTF
AC_CHECK_FUNCS(gettimeofday select socket strerror strtol strtoul strlcpy)
AC_REPLACE_FUNCS(strdup)
RACOON_CHECK_VA_COPY
# Check if printf accepts "%z" type modifier for size_t argument
AC_MSG_CHECKING(if printf accepts %z)
saved_CFLAGS=$CFLAGS
CFLAGS="$CFLAGS -Wall -Werror"
AC_TRY_COMPILE([
#include <stdio.h>
], [
printf("%zu\n", (size_t)-1);
],
[AC_MSG_RESULT(yes)],
[AC_MSG_RESULT(no); CFLAGS_ADD="$CFLAGS_ADD -Wno-format"])
CFLAGS=$saved_CFLAGS
# Can we use __func__ macro?
AC_MSG_CHECKING(if __func__ is available)
AC_TRY_COMPILE(
[#include <stdio.h>
], [char *x = __func__;],
[AC_DEFINE([HAVE_FUNC_MACRO], [], [Have __func__ macro])
AC_MSG_RESULT(yes)],
[AC_MSG_RESULT(no)])
# Check if readline support is requested
AC_MSG_CHECKING(if readline support is requested)
AC_ARG_WITH(readline,
[ --with-readline support readline input (yes by default)],
[with_readline="$withval"], [with_readline="yes"])
AC_MSG_RESULT($with_readline)
# Is readline available?
if test $with_readline != "no"; then
AC_CHECK_HEADER([readline/readline.h],
[AC_CHECK_LIB(readline, readline, [
AC_DEFINE(HAVE_READLINE, [],
[Is readline available?])
LIBS="$LIBS -lreadline"
], [])], [])
fi
# Check if a different OpenSSL directory was specified
AC_MSG_CHECKING(if --with-openssl option is specified)
AC_ARG_WITH(openssl, [ --with-openssl=DIR specify OpenSSL directory],
[crypto_dir=$withval])
AC_MSG_RESULT(${crypto_dir-default})
if test "x$crypto_dir" != "x"; then
LIBS="$LIBS -L${crypto_dir}/lib"
CPPFLAGS_ADD="-I${crypto_dir}/include $CPPFLAGS_ADD"
fi
AC_MSG_CHECKING(openssl version)
AC_EGREP_CPP(yes, [#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER >= 0x0090602fL
yes
#endif], [AC_MSG_RESULT(ok)], [AC_MSG_RESULT(too old)
AC_MSG_ERROR([OpenSSL version must be 0.9.6 or higher. Aborting.])
])
AC_CHECK_HEADERS(openssl/engine.h)
# checking rijndael
AC_CHECK_HEADERS([openssl/aes.h], [],
[CRYPTOBJS="$CRYPTOBJS rijndael-api-fst.o rijndael-alg-fst.o"])
# checking sha2
AC_MSG_CHECKING(sha2 support)
AC_DEFINE([WITH_SHA2], [], [SHA2 support])
AC_CHECK_HEADER(openssl/sha2.h, [], [
CPPFLAGS_ADD="$CPPFLAGS_ADD -I./\${top_srcdir}/src/racoon/missing"
AC_LIBOBJ([sha2])
CRYPTOBJS="$CRYPTOBJS sha2.o"])
AC_SUBST(CRYPTOBJS)
# Option --enable-adminport
AC_MSG_CHECKING(if --enable-adminport option is specified)
AC_ARG_ENABLE(adminport,
[ --enable-adminport enable admin port],
[], [enable_adminport=no])
if test $enable_adminport = "yes"; then
AC_DEFINE([ENABLE_ADMINPORT], [], [Enable admin port])
fi
AC_MSG_RESULT($enable_adminport)
# Check for Kerberos5 support
AC_MSG_CHECKING(if --enable-gssapi option is specified)
AC_ARG_ENABLE(gssapi,
[ --enable-gssapi enable GSS-API authentication],
[], [enable_gssapi=no])
AC_MSG_RESULT($enable_gssapi)
AC_PATH_PROG(KRB5_CONFIG,krb5-config,no)
if test "x$enable_gssapi" = "xyes"; then
if test "$KRB5_CONFIG" != "no"; then
krb5_incdir="`$KRB5_CONFIG --cflags gssapi`"
krb5_libs="`$KRB5_CONFIG --libs gssapi`"
else
# No krb5-config; let's make some assumptions based on
# the OS.
case $host_os in
netbsd*)
krb5_incdir="-I/usr/include/krb5"
krb5_libs="-lgssapi -lkrb5 -lcom_err -lroken -lasn1"
;;
*)
AC_MSG_ERROR([krb5-config not found, but needed for GSSAPI support. Aborting.])
;;
esac
fi
LIBS="$LIBS $krb5_libs"
CPPFLAGS_ADD="$krb5_incdir $CPPFLAGS_ADD"
AC_DEFINE([HAVE_GSSAPI], [], [Enable GSS API])
fi
AC_MSG_CHECKING([if --enable-hybrid option is specified])
AC_ARG_ENABLE(hybrid,
[ --enable-hybrid enable hybrid, both mode-cfg and xauth support],
[
LIBS="$LIBS -lcrypt";
enable_hybrid=yes;
HYBRID_OBJS="isakmp_xauth.o isakmp_cfg.o isakmp_unity.o throttle.o"
AC_SUBST(HYBRID_OBJS)
AC_DEFINE([ENABLE_HYBRID], [], [Hybrid authentication support])
],
[enable_hybrid=no])
AC_MSG_RESULT($enable_hybrid)
AC_MSG_CHECKING([if --enable-frag option is specified])
AC_ARG_ENABLE(frag,
[ --enable-frag enable IKE fragmentation payload support],
[
LIBS="$LIBS -lcrypt";
enable_frag=yes;
FRAG_OBJS="isakmp_frag.o"
AC_SUBST(FRAG_OBJS)
AC_DEFINE([ENABLE_FRAG], [], [IKE fragmentation support])
],
[enable_frag=no])
AC_MSG_RESULT($enable_frag)
AC_MSG_CHECKING(if --with-libradius option is specified)
AC_ARG_WITH(libradius,
[ --with-libradius=DIR specify libradius path (like/usr/pkg)],
[libradius_dir=$withval],
[libradius_dir=no])
AC_MSG_RESULT($libradius_dir)
if test "$libradius_dir" != "no"; then
if test "$libradius_dir" = "yes" ; then
libradius_dir="";
fi;
if test "x$libradius_dir" = "x"; then
RACOON_PATH_LIBS(rad_create_request, lradius)
else
if test -d "$libradius_dir/lib" -a \
-d "$libradius_dir/include" ; then
RACOON_PATH_LIBS(rad_create_request, lradius, "$libradius_dir/lib")
CPPFLAGS_ADD="$CPPFLAGS_ADD -I$libradius_dir/include"
else
AC_MSG_ERROR([RADIUS libs or includes not found. Aborting.])
fi
fi
AC_DEFINE([HAVE_LIBRADIUS], [], [Hybrid authentication uses RADIUS])
LIBS="$LIBS -L$libradius_dir/lib -R$libradius_dir/lib -lradius"
AC_CHECK_FUNCS(rad_create_request)
fi
AC_MSG_CHECKING(if --with-libpam option is specified)
AC_ARG_WITH(libpam,
[ --with-libpam=DIR specify libpam path (like/usr/pkg)],
[libpam_dir=$withval],
[libpam_dir=no])
AC_MSG_RESULT($libpam_dir)
if test "$libpam_dir" != "no"; then
if test "$libpam_dir" = "yes" ; then
libpam_dir="";
fi;
if test "x$libpam_dir" = "x"; then
RACOON_PATH_LIBS(rad_create_request, lpam)
else
if test -d "$libpam_dir/lib" -a \
-d "$libpam_dir/include" ; then
RACOON_PATH_LIBS(rad_create_request, lpam, "$libpam_dir/lib")
CPPFLAGS_ADD="$CPPFLAGS_ADD -I$libpam_dir/include"
else
AC_MSG_ERROR([PAM libs or includes not found. Aborting.])
fi
fi
AC_DEFINE([HAVE_LIBPAM], [], [Hybrid authentication uses PAM])
LIBS="$LIBS -L$libpam_dir/lib -R$libpam_dir/lib -lpam"
AC_CHECK_FUNCS(rad_create_request)
fi
AC_MSG_CHECKING(if --enable-stats option is specified)
AC_ARG_ENABLE(stats,
[ --enable-stats enable statistics logging function],
[], [enable_stats=no])
if test "x$enable_stats" = "xyes"; then
AC_DEFINE([ENABLE_STATS], [], [Enable statictics])
fi
AC_MSG_RESULT($enable_stats)
AC_MSG_CHECKING(if --enable-dpd option is specified)
AC_ARG_ENABLE(dpd,
[ --enable-dpd enable dead peer detection],
[], [enable_dpd=no])
if test "x$enable_dpd" = "xyes"; then
AC_DEFINE([ENABLE_DPD], [], [Enable dead peer detection])
fi
AC_MSG_RESULT($enable_dpd)
AC_MSG_CHECKING(if --enable-samode-unspec option is specified)
AC_ARG_ENABLE(samode-unspec,
[ --enable-samode-unspec enable to use unspecified a mode of SA],
[], [enable_samode_unspec=no])
if test "x$enable_samode_unspec" = "xyes"; then
AC_DEFINE([ENABLE_SAMODE_UNSPECIFIED], [], [Enable samode-unspec])
fi
AC_MSG_RESULT($enable_samode_unspec)
# Checks if IPv6 is requested
AC_MSG_CHECKING([whether to enable ipv6])
AC_ARG_ENABLE(ipv6,
[ --disable-ipv6 disable ipv6 support],
[ case "$enableval" in
no)
AC_MSG_RESULT(no)
ipv6=no
;;
*) AC_MSG_RESULT(yes)
ipv6=yes
;;
esac ],
AC_TRY_RUN([ /* AF_INET6 avalable check */
#include <sys/types.h>
#include <sys/socket.h>
main()
{
exit(0);
if (socket(AF_INET6, SOCK_STREAM, 0) < 0)
exit(1);
else
exit(0);
}
],
AC_MSG_RESULT(yes)
AC_DEFINE([INET6], [], [Support IPv6])
ipv6=yes,
AC_MSG_RESULT(no)
ipv6=no,
AC_MSG_RESULT(no)
ipv6=no
))
if test "$ipv6" = "yes"; then
AC_MSG_CHECKING(for advanced API support)
AC_TRY_COMPILE([#ifndef INET6
#define INET6
#endif
#include <sys/types.h>
#include <netinet/in.h>],
[struct in6_pktinfo a;],
[AC_MSG_RESULT(yes)
AC_DEFINE([INET6_ADVAPI], [], [Use advanced IPv6 API])],
[AC_MSG_RESULT(no)])
fi
RACOON_CHECK_BUGGY_GETADDRINFO
if test "$buggygetaddrinfo" = "yes"; then
AC_MSG_ERROR([Broken getaddrinfo() is no longer supported. Aborting.])
fi
# Check if kernel support is available for NAT-T, defaults to no.
kernel_natt="no"
AC_MSG_CHECKING(kernel NAT-Traversal support)
case $host_os in
linux*)
# Linux kernel NAT-T check
AC_EGREP_CPP(yes,
[#include <linux/pfkeyv2.h>
#ifdef SADB_X_EXT_NAT_T_TYPE
yes
#endif
], [kernel_natt="yes"])
;;
freebsd*|netbsd*)
# NetBSD case
# Same check for FreeBSD
AC_CHECK_MEMBER(struct sadb_x_nat_t_type.sadb_x_nat_t_type_len,
[kernel_natt="yes"],, [
#define _KERNEL
#include <sys/types.h>
#include <net/pfkeyv2.h>
])
;;
esac
AC_MSG_RESULT($kernel_natt)
AC_MSG_CHECKING(whether to support NAT-T)
AC_ARG_ENABLE(natt,
[ --enable-natt enable NAT-Traversal (yes/no/kernel)],
[if test "$enable_natt" = "kernel"; then enable_natt=$kernel_natt; fi],
[enable_natt=$kernel_natt])
AC_MSG_RESULT($enable_natt)
if test "$enable_natt" = "yes"; then
if test "$kernel_natt" = "no" ; then
AC_MSG_ERROR([NAT-T requested, but no kernel support! Aborting.])
else
AC_DEFINE([ENABLE_NATT], [], [Enable NAT-Traversal])
NATT_OBJS="nattraversal.o"
AC_SUBST(NATT_OBJS)
fi
fi
AC_ARG_ENABLE(natt_00,
[ --enable-natt_00 enable NAT-Traversal Draft 00 (yes/no)],
[],
[enable_natt_00=no])
if test "$enable_natt_00" = "yes"; then
AC_DEFINE([ENABLE_NATT_00], [], [Enable NAT-Traversal draft 00])
fi
AC_ARG_ENABLE(natt_01,
[ --enable-natt_01 enable NAT-Traversal Draft 01 (yes/no)],
[],
[enable_natt_01=no])
if test "$enable_natt_01" = "yes"; then
AC_DEFINE([ENABLE_NATT_01], [], [Enable NAT-Traversal draft 01])
fi
AC_ARG_ENABLE(natt_02,
[ --enable-natt_02 enable NAT-Traversal Draft 02 (yes/no)],
[],
[enable_natt_02=no])
if test "$enable_natt_02" = "yes"; then
AC_DEFINE([ENABLE_NATT_02], [], [Enable NAT-Traversal draft 02])
fi
AC_ARG_ENABLE(natt_03,
[ --enable-natt_03 enable NAT-Traversal Draft 03 (yes/no)],
[],
[enable_natt_03=no])
if test "$enable_natt_03" = "yes"; then
AC_DEFINE([ENABLE_NATT_03], [], [Enable NAT-Traversal draft 03])
fi
AC_ARG_ENABLE(natt_04,
[ --enable-natt_04 enable NAT-Traversal Draft 04 (yes/no)],
[],
[enable_natt_05=no])
if test "$enable_natt_04" = "yes"; then
AC_DEFINE([ENABLE_NATT_04], [], [Enable NAT-Traversal draft 04])
fi
AC_ARG_ENABLE(natt_05,
[ --enable-natt_05 enable NAT-Traversal Draft 05 (yes/no)],
[],
[enable_natt_05=no])
if test "$enable_natt_05" = "yes"; then
AC_DEFINE([ENABLE_NATT_05], [], [Enable NAT-Traversal draft 05])
fi
AC_ARG_ENABLE(natt_06,
[ --enable-natt_06 enable NAT-Traversal Draft 06 (yes/no)],
[],
[enable_natt_06=no])
if test "$enable_natt_06" = "yes"; then
AC_DEFINE([ENABLE_NATT_06], [], [Enable NAT-Traversal draft 06])
fi
AC_ARG_ENABLE(natt_07,
[ --enable-natt_07 enable NAT-Traversal Draft 07 (yes/no)],
[],
[enable_natt_07=no])
if test "$enable_natt_07" = "yes"; then
AC_DEFINE([ENABLE_NATT_07], [], [Enable NAT-Traversal draft 07])
fi
AC_ARG_ENABLE(natt_08,
[ --enable-natt_08 enable NAT-Traversal Draft 08 (yes/no)],
[],
[enable_natt_08=no])
if test "$enable_natt_08" = "yes"; then
AC_DEFINE([ENABLE_NATT_08], [], [Enable NAT-Traversal draft 08])
fi
AC_MSG_CHECKING(whether we support FWD policy)
case $host in
*linux*)
AC_TRY_COMPILE([
#include <inttypes.h>
#include <linux/ipsec.h>
], [
int fwd = IPSEC_DIR_FWD;
],
[AC_MSG_RESULT(yes)
AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],
[AC_MSG_RESULT(no)])
;;
*)
AC_MSG_RESULT(no)
;;
esac
CFLAGS="$CFLAGS $CFLAGS_ADD"
CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
case $host in
*linux*)
# Remove KERNEL_INCLUDE from CPPFLAGS. It will
# be symlinked to src/include-glibc/linux in
# compile time.
CPPFLAGS=`echo $CPPFLAGS | sed "s,-I$KERNEL_INCLUDE,,"`
;;
esac
include_racoondir=${includedir}/racoon
AC_SUBST(include_racoondir)
AC_CONFIG_FILES([
Makefile
package_version.h
src/Makefile
src/include-glibc/Makefile
src/libipsec/Makefile
src/setkey/Makefile
src/racoon/Makefile
src/racoon/samples/psk.txt
src/racoon/samples/racoon.conf
rpm/Makefile
rpm/suse/Makefile
])
AC_OUTPUT

5
crypto/dist/ipsec-tools/package_version.h.in vendored Normal file
View File

@ -0,0 +1,5 @@
#define TOP_PACKAGE "@PACKAGE@"
#define TOP_PACKAGE_NAME "@PACKAGE_NAME@"
#define TOP_PACKAGE_VERSION "@PACKAGE_VERSION@"
#define TOP_PACKAGE_STRING "@PACKAGE_STRING@"
#define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"

3
crypto/dist/ipsec-tools/rpm/.cvsignore vendored Normal file
View File

@ -0,0 +1,3 @@
Makefile
Makefile.in
ipsec-tools.spec

18
crypto/dist/ipsec-tools/rpm/Makefile.am vendored Normal file
View File

@ -0,0 +1,18 @@
SUBDIRS = suse
EXTRA_DIST = \
ipsec-tools.spec.in
all-local: ipsec-tools.spec
## We borrow guile's convention and use @-...-@ as the substitution
## brackets here, instead of the usual @...@. This prevents autoconf
## from substituting the values directly into the left-hand sides of
## the sed substitutions. *sigh*
ipsec-tools.spec: ipsec-tools.spec.in Makefile
rm -f $@.tmp
sed < $< > $@.tmp \
-e 's:@-VERSION-@:${VERSION}:'
mv $@.tmp $@
CLEANFILES = ipsec-tools.spec

87
crypto/dist/ipsec-tools/rpm/ipsec-tools.FC1 vendored Normal file
View File

@ -0,0 +1,87 @@
#!/bin/sh
#
# chkconfig: 2345 08 92
# description: Starts and stops racoon and loads IPSec SPD's
#
# config: /etc/sysconfig/ipsec.spd
# config: /etc/racoon/racoon.conf
# Contributed by Kimmo Koivisto <kimmo.koivisto@surfeu.fi>
# Tested with Fedora C1
# Source function library.
. /etc/init.d/functions
RACOON=/usr/sbin/racoon
SETKEY=/sbin/setkey
IPSEC_SPD=/etc/sysconfig/ipsec.spd
VAR_SUBSYS_IPSEC=/var/lock/subsys/ipsec
if [ ! -x /usr/sbin/$RACOON ]; then
echo -n $"/usr/sbin/$RACOON does not exist."; warning; echo
exit 0
fi
start() {
# Check that SPD-file exists and load it.
if [ -f "$IPSEC_SPD" ]; then
$SETKEY -f $IPSEC_SPD
fi
$RACOON
touch $VAR_SUBSYS_IPSEC
}
stop() {
killall $RACOON 2> /dev/null
$SETKEY -FD
$SETKEY -FP
rm -f $VAR_SUBSYS_IPSEC
}
status() {
# Do not print status if lockfile is missing
if [ ! -f "$VAR_SUBSYS_IPSEC" ]; then
echo $"IPSec is stopped."
return 1
fi
if [ -f "$VAR_SUBSYS_IPSEC" ]; then
echo $"IPSec is started."
return 0
fi
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
condrestart)
[ -e "$VAR_SUBSYS_IPSEC" ] && restart
;;
status)
status
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status}"
exit 1
;;
esac
exit 0

60
crypto/dist/ipsec-tools/rpm/ipsec-tools.spec.in vendored Normal file
View File

@ -0,0 +1,60 @@
Summary: User-space IPsec tools for the Linux IPsec implementation
Name: ipsec-tools
Version: @-VERSION-@
Release: 1
Epoch: 1
License: BSD
Group: System Environment/Base
URL: http://ipsec-tools.sourceforge.net/
Source: http://prdownloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Requires: kernel >= 2.5.54
#BuildRequires: kernel-source >= 2.5.54
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%description
IPsec-Tools is a port of the KAME Project's IPsec tools to the Linux
IPsec implementation. IPsec-Tools provides racoon, an IKE daemon; libipsec,
a PFKey implementation; and setkey, a security policy and security
association database configuration utility.
%prep
%setup -q
%build
./configure --prefix=/usr --sysconfdir=/etc --exec-prefix=/ --mandir=%{_mandir} --libdir=/%{_lib}
make
%install
rm -rf %{buildroot}
mkdir %{buildroot}
make install DESTDIR=%{buildroot}
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root)
%doc NEWS README ChangeLog
%dir %{_sysconfdir}/racoon
%config %{_sysconfdir}/racoon/*
/sbin/*
/%{_lib}/*
%{_includedir}/*
%{_mandir}/man[358]/*
%{_sbindir}/racoon
%changelog
* Fri Mar 07 2003 Derek Atkins <derek@ihtfp.com> 0.2.1-1
- Insert into code base. Dynamically generate the version string.
* Fri Mar 07 2003 Chris Ricker <kaboom@gatech.edu> 0.2.1-1
- Rev to 0.2.1 release
- Remove unneeded patch
* Thu Mar 06 2003 Chris Ricker <kaboom@gatech.edu> 0.2-1
- initial package

3
crypto/dist/ipsec-tools/rpm/suse/.cvsignore vendored Normal file
View File

@ -0,0 +1,3 @@
Makefile
Makefile.in
ipsec-tools.spec

15
crypto/dist/ipsec-tools/rpm/suse/Makefile.am vendored Normal file
View File

@ -0,0 +1,15 @@
EXTRA_DIST = ipsec-tools.spec.in racoon.init sysconfig.racoon
all-local: ipsec-tools.spec
## We borrow guile's convention and use @-...-@ as the substitution
## brackets here, instead of the usual @...@. This prevents autoconf
## from substituting the values directly into the left-hand sides of
## the sed substitutions. *sigh*
ipsec-tools.spec: ipsec-tools.spec.in Makefile
rm -f $@.tmp
sed < $< > $@.tmp \
-e 's:@-VERSION-@:${VERSION}:'
mv $@.tmp $@
CLEANFILES = ipsec-tools.spec

110
crypto/dist/ipsec-tools/rpm/suse/ipsec-tools.spec.in vendored Normal file
View File

@ -0,0 +1,110 @@
#
# spec file for package ipsec-tools
#
# Copyright (c) 2004 SUSE LINUX AG, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://www.suse.de/feedback/
#
# norootforbuild
# neededforbuild kernel-source openssl openssl-devel readline-devel
BuildRequires: aaa_base acl attr bash bind-utils bison bzip2 coreutils cpio cpp cracklib cvs cyrus-sasl db devs diffutils e2fsprogs file filesystem fillup findutils flex gawk gdbm-devel glibc glibc-devel glibc-locale gpm grep groff gzip info insserv less libacl libattr libgcc libselinux libstdc++ libxcrypt libzio m4 make man mktemp module-init-tools ncurses ncurses-devel net-tools netcfg openldap2-client openssl pam pam-modules patch permissions popt procinfo procps psmisc pwdutils rcs readline sed strace syslogd sysvinit tar tcpd texinfo timezone unzip util-linux vim zlib zlib-devel autoconf automake binutils gcc gdbm gettext kernel-source libtool openssl-devel perl readline-devel rpm
Name: ipsec-tools
Version: @-VERSION-@
Release: 0
License: Other License(s), see package, BSD
Group: Productivity/Networking/Security
Provides: racoon
PreReq: %insserv_prereq %fillup_prereq
Autoreqprov: on
Summary: IPsec Utilities
Source: http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-%{version}.tar.bz2
Source1: racoon.init
Source2: sysconfig.racoon
URL: http://ipsec-tools.sourceforge.net/
Prefix: /usr
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
This is the IPsec-Tools package. This package is needed to really make
use of the IPsec functionality in the version 2.5 and 2.6 Linux
kernels. This package builds:
- libipsec, a PFKeyV2 library
- setkey, a program to directly manipulate policies and SAs
- racoon, an IKEv1 keying daemon
These sources can be found at the IPsec-Tools home page at:
http://ipsec-tools.sourceforge.net/
Authors:
--------
Derek Atkins <derek@ihtfp.com>
Michal Ludvig <mludvig@suse.cz>
%prep
%setup
%build
%{suse_update_config -f . src/racoon}
CFLAGS="$RPM_OPT_FLAGS" \
./configure --prefix=/usr --disable-shared \
--mandir=%{_mandir} --infodir=%{_infodir} --libdir=%{_libdir} \
--libexecdir=%{_libdir} --sysconfdir=/etc/racoon \
--sharedstatedir=/var/run --localstatedir=/var \
--enable-dpd --enable-hybrid --enable-frag
make
make check
%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/etc/init.d
install -m 0755 $RPM_SOURCE_DIR/racoon.init $RPM_BUILD_ROOT/etc/init.d/racoon
ln -sf /etc/init.d/racoon $RPM_BUILD_ROOT/usr/sbin/rcracoon
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 $RPM_SOURCE_DIR/sysconfig.racoon $RPM_BUILD_ROOT/var/adm/fillup-templates/
mkdir -p $RPM_BUILD_ROOT/usr/share/doc/packages/%{name}/
cp -rv src/racoon/samples $RPM_BUILD_ROOT/usr/share/doc/packages/%{name}/
cp -v src/setkey/sample* $RPM_BUILD_ROOT/usr/share/doc/packages/%{name}/
%post
%{fillup_and_insserv racoon}
%postun
%{insserv_cleanup}
%clean
if test ! -z "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != "/"; then
rm -rf $RPM_BUILD_ROOT
fi
%files
%defattr(-,root,root)
%dir /etc/racoon
%config(noreplace) /etc/racoon/psk.txt
%config(noreplace) /etc/racoon/racoon.conf
%config(noreplace) /etc/racoon/setkey.conf
%config /etc/init.d/racoon
/usr/sbin/rcracoon
%dir /usr/include/libipsec/
%doc /usr/share/doc/packages/%{name}/
/var/adm/fillup-templates/sysconfig.racoon
/usr/include/libipsec/libpfkey.h
/usr/%{_lib}/libipsec.a
/usr/%{_lib}/libipsec.la
/usr/sbin/racoon
/usr/sbin/racoonctl
/usr/sbin/setkey
/usr/sbin/plainrsa-gen
%{_mandir}/man*/*
%changelog -n ipsec-tools

168
crypto/dist/ipsec-tools/rpm/suse/racoon.init vendored Normal file
View File

@ -0,0 +1,168 @@
#! /bin/sh
# Copyright (c) 2001-2002 SuSE GmbH Nuernberg, Germany.
#
# Author: Michal Ludvig <feedback@suse.de>, 2004
#
# /etc/init.d/ipsec-tools
# and its symbolic link
# /usr/sbin/rcipsec-tools
#
# System startup script for the IPsec key management daemon
#
### BEGIN INIT INFO
# Provides: racoon
# Required-Start: $remote_fs $named $syslog
# Required-Stop: $remote_fs $named $syslog
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: IPsec key management daemon
### END INIT INFO
SETKEY="IPsec policies"
SETKEY_BIN=/usr/sbin/setkey
SETKEY_CONF=/etc/racoon/setkey.conf
RACOON="IPsec IKE daemon (racoon)"
RACOON_BIN=/usr/sbin/racoon
RACOON_CONF=/etc/racoon/racoon.conf
RACOON_PIDFILE=/var/run/racoon.pid
test -x $SETKEY_BIN || exit 5
test -x $RACOON_BIN || exit 5
test -f /etc/sysconfig/racoon && . /etc/sysconfig/racoon
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num><num>
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
. /etc/rc.status
# First reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.
case "$1" in
start)
# Setting up SPD policies is not required.
if [ -f $SETKEY_CONF ]; then
echo -n "Setting up $SETKEY"
$SETKEY_BIN $SETKEY_OPTIONS -f $SETKEY_CONF
rc_status -v
rc_reset
fi
echo -n "Starting $RACOON "
## If there is no conf file, skip starting of ddtd
## and return with "program not configured"
if ! [ -f $RACOON_CONF ]; then
echo -e -n "... no configuration file found"
rc_status -s
# service is not configured
rc_failed 6
rc_exit
fi
# startproc should return 0, even if service is
# already running to match LSB spec.
startproc $RACOON_BIN $RACOON_OPTIONS -f $RACOON_CONF
rc_status -v
;;
stop)
echo -n "Shutting down $RACOON"
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
killproc -p $RACOON_PIDFILE -TERM $RACOON_BIN
# Remember status and be verbose
rc_status -v
rc_reset
# Flush SPD policies if required
if [ -n "$SETKEY_FLUSH_OPTIONS" ]; then
echo -n "Flushing $SETKEY"
$SETKEY_BIN $SETKEY_FLUSH_OPTIONS
rc_status -v
fi
;;
try-restart)
## Stop the service and if this succeeds (i.e. the
## service was running before), start it again.
$0 stop && $0 start
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
## If it does not support it, restart.
echo -n "Reload service $RACOON"
killproc -p $RACOON_PIDFILE -HUP $RACOON_BIN
rc_status -v
;;
reload)
## Like force-reload, but if daemon does not support
## signalling, do nothing (!)
echo -n "Reload service $RACOON"
killproc -p $RACOON_PIDFILE -HUP $RACOON_BIN
rc_status -v
;;
status)
echo -n "Checking for $RACOON: "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Status has a slightly different for the status command:
# 0 - service running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running
checkproc -p $RACOON_PIDFILE $RACOON_BIN
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload,
## give out the argument which is required for a reload.
test "$RACOON_CONF" -nt "$RACOON_PIDFILE" && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit

24
crypto/dist/ipsec-tools/rpm/suse/sysconfig.racoon vendored Normal file
View File

@ -0,0 +1,24 @@
## Path: Network/IPsec
## Description: IPsec keying daemon (IKE)
## Type: string
## Default: "-v"
#
# Start-up flags for the racoon dameon.
#
RACOON_OPTIONS="-v"
## Path: Network/IPsec
## Description: Tool for manipulation IPsec SPD and SA databases
## Type: string
## Default: ""
#
# Additional flags uset when inserting SPD rules.
#
SETKEY_OPTIONS=""
## Type: string
## Default: "-FP"
#
# Flags to flush SPD on racoon exit.
#
SETKEY_FLUSH_OPTIONS="-FP"

2
crypto/dist/ipsec-tools/src/.cvsignore vendored Normal file
View File

@ -0,0 +1,2 @@
Makefile
Makefile.in

1
crypto/dist/ipsec-tools/src/Makefile.am vendored Normal file
View File

@ -0,0 +1 @@
SUBDIRS = @INCLUDE_GLIBC@ libipsec setkey racoon

3
crypto/dist/ipsec-tools/src/include-glibc/.cvsignore vendored Normal file
View File

@ -0,0 +1,3 @@
Makefile
Makefile.in
.includes

14
crypto/dist/ipsec-tools/src/include-glibc/Makefile.am vendored Normal file
View File

@ -0,0 +1,14 @@
.includes: ${top_builddir}/config.status
ln -sf $(KERNEL_INCLUDE)/linux
touch .includes
all: .includes
EXTRA_DIST = \
glibc-bugs.h \
net/pfkeyv2.h \
netinet/ipsec.h \
sys/queue.h
DISTCLEANFILES = .includes linux

10
crypto/dist/ipsec-tools/src/include-glibc/glibc-bugs.h vendored Normal file
View File

@ -0,0 +1,10 @@
#ifndef __GLIBC_BUGS_H__
#define __GLIBC_BUGS_H__ 1
#define _XOPEN_SOURCE 500
#define _BSD_SOURCE
#include <features.h>
#include <sys/types.h>
#endif

69
crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h vendored Normal file
View File

@ -0,0 +1,69 @@
#ifndef __NET_PFKEYV2_H_
#define __NET_PFKEYV2_H_ 1
#include <stdint.h>
#include <linux/pfkeyv2.h>
/* Private allocations for authentication algorithms */
#define SADB_AALG_SHA2_256 SADB_X_AALG_SHA2_256HMAC
#define SADB_X_AALG_SHA2_256 SADB_X_AALG_SHA2_256HMAC
#define SADB_AALG_SHA2_384 SADB_X_AALG_SHA2_384HMAC
#define SADB_X_AALG_SHA2_384 SADB_X_AALG_SHA2_384HMAC
#define SADB_AALG_SHA2_512 SADB_X_AALG_SHA2_512HMAC
#define SADB_X_AALG_SHA2_512 SADB_X_AALG_SHA2_512HMAC
#define SADB_AALG_RIPEMD160HMAC SADB_X_AALG_RIPEMD160HMAC
#define SADB_X_AALG_MD5 249
#define SADB_X_AALG_SHA 250
/* private allocations - based on RFC2407/IANA assignment */
#define SADB_X_EALG_CAST128CBC 5 /* SADB_X_EALG_CASTCBC? == 6 */
#define SADB_X_EALG_RIJNDAELCBC SADB_X_EALG_AESCBC
#define SADB_X_EALG_AES SADB_X_EALG_AESCBC
#define SADB_X_CALG_NONE 0
#define SADB_X_CALG_OUI 1
#define SADB_X_CALG_DEFLATE 2
#define SADB_X_CALG_LZS 3
#define SADB_X_CALG_MAX 4
#define SADB_X_EXT_NONE 0x0000 /* i.e. new format. */
#define SADB_X_EXT_OLD 0x0001 /* old format. */
#define SADB_X_EXT_IV4B 0x0010 /* IV length of 4 bytes in use */
#define SADB_X_EXT_DERIV 0x0020 /* DES derived */
#define SADB_X_EXT_CYCSEQ 0x0040 /* allowing to cyclic sequence. */
/* three of followings are exclusive flags each them */
#define SADB_X_EXT_PSEQ 0x0000 /* sequencial padding for ESP */
#define SADB_X_EXT_PRAND 0x0100 /* random padding for ESP */
#define SADB_X_EXT_PZERO 0x0200 /* zero padding for ESP */
#define SADB_X_EXT_PMASK 0x0300 /* mask for padding flag */
#define SADB_X_EXT_RAWCPI 0x0080 /* use well known CPI (IPComp) */
#define PFKEY_SOFT_LIFETIME_RATE 80
#define SADB_X_LIFETIME_ALLOCATIONS 0
#define SADB_X_LIFETIME_BYTES 1
#define SADB_X_LIFETIME_ADDTIME 2
#define SADB_X_LIFETIME_USETIME 3
#define PFKEY_ALIGN8(a) (1 + (((a) - 1) | (8 - 1)))
#define PFKEY_EXTLEN(msg) \
PFKEY_UNUNIT64(((struct sadb_ext *)(msg))->sadb_ext_len)
#define PFKEY_ADDR_PREFIX(ext) \
(((struct sadb_address *)(ext))->sadb_address_prefixlen)
#define PFKEY_ADDR_PROTO(ext) \
(((struct sadb_address *)(ext))->sadb_address_proto)
#define PFKEY_ADDR_SADDR(ext) \
((struct sockaddr *)((caddr_t)(ext) + sizeof(struct sadb_address)))
/* in 64bits */
#define PFKEY_UNUNIT64(a) ((a) << 3)
#define PFKEY_UNIT64(a) ((a) >> 3)
#endif

2
crypto/dist/ipsec-tools/src/include-glibc/netinet/ipsec.h vendored Normal file
View File

@ -0,0 +1,2 @@
#include <net/pfkeyv2.h>
#include <linux/ipsec.h>

452
crypto/dist/ipsec-tools/src/include-glibc/sys/queue.h vendored Normal file
View File

@ -0,0 +1,452 @@
/*
* Copyright (c) 1991, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)queue.h 8.5 (Berkeley) 8/20/94
* $FreeBSD: src/sys/sys/queue.h,v 1.58 2004/04/07 04:19:49 imp Exp $
*
* 04/24/2004 Backport to v1.45 functionality for ipsec-tools
* Heiko Hund <heiko@ist.eigentlich.net>
*/
#ifndef _SYS_QUEUE_H_
#define _SYS_QUEUE_H_
//#include <sys/cdefs.h>
/*
* This file defines four types of data structures: singly-linked lists,
* singly-linked tail queues, lists and tail queues.
*
* A singly-linked list is headed by a single forward pointer. The elements
* are singly linked for minimum space and pointer manipulation overhead at
* the expense of O(n) removal for arbitrary elements. New elements can be
* added to the list after an existing element or at the head of the list.
* Elements being removed from the head of the list should use the explicit
* macro for this purpose for optimum efficiency. A singly-linked list may
* only be traversed in the forward direction. Singly-linked lists are ideal
* for applications with large datasets and few or no removals or for
* implementing a LIFO queue.
*
* A singly-linked tail queue is headed by a pair of pointers, one to the
* head of the list and the other to the tail of the list. The elements are
* singly linked for minimum space and pointer manipulation overhead at the
* expense of O(n) removal for arbitrary elements. New elements can be added
* to the list after an existing element, at the head of the list, or at the
* end of the list. Elements being removed from the head of the tail queue
* should use the explicit macro for this purpose for optimum efficiency.
* A singly-linked tail queue may only be traversed in the forward direction.
* Singly-linked tail queues are ideal for applications with large datasets
* and few or no removals or for implementing a FIFO queue.
*
* A list is headed by a single forward pointer (or an array of forward
* pointers for a hash table header). The elements are doubly linked
* so that an arbitrary element can be removed without a need to
* traverse the list. New elements can be added to the list before
* or after an existing element or at the head of the list. A list
* may only be traversed in the forward direction.
*
* A tail queue is headed by a pair of pointers, one to the head of the
* list and the other to the tail of the list. The elements are doubly
* linked so that an arbitrary element can be removed without a need to
* traverse the list. New elements can be added to the list before or
* after an existing element, at the head of the list, or at the end of
* the list. A tail queue may be traversed in either direction.
*
* For details on the use of these macros, see the queue(3) manual page.
*
*
* SLIST LIST STAILQ TAILQ
* _HEAD + + + +
* _HEAD_INITIALIZER + + + +
* _ENTRY + + + +
* _INIT + + + +
* _EMPTY + + + +
* _FIRST + + + +
* _NEXT + + + +
* _PREV - - - +
* _LAST - - + +
* _FOREACH + + + +
* _FOREACH_REVERSE - - - +
* _INSERT_HEAD + + + +
* _INSERT_BEFORE - + - +
* _INSERT_AFTER + + + +
* _INSERT_TAIL - - + +
* _REMOVE_HEAD + - + -
* _REMOVE + + + +
*
*/
/*
* Singly-linked List declarations.
*/
#define SLIST_HEAD(name, type) \
struct name { \
struct type *slh_first; /* first element */ \
}
#define SLIST_HEAD_INITIALIZER(head) \
{ NULL }
#define SLIST_ENTRY(type) \
struct { \
struct type *sle_next; /* next element */ \
}
/*
* Singly-linked List functions.
*/
#define SLIST_EMPTY(head) ((head)->slh_first == NULL)
#define SLIST_FIRST(head) ((head)->slh_first)
#define SLIST_FOREACH(var, head, field) \
for ((var) = SLIST_FIRST((head)); \
(var); \
(var) = SLIST_NEXT((var), field))
#define SLIST_INIT(head) do { \
SLIST_FIRST((head)) = NULL; \
} while (0)
#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \
SLIST_NEXT((elm), field) = SLIST_NEXT((slistelm), field); \
SLIST_NEXT((slistelm), field) = (elm); \
} while (0)
#define SLIST_INSERT_HEAD(head, elm, field) do { \
SLIST_NEXT((elm), field) = SLIST_FIRST((head)); \
SLIST_FIRST((head)) = (elm); \
} while (0)
#define SLIST_NEXT(elm, field) ((elm)->field.sle_next)
#define SLIST_REMOVE(head, elm, type, field) do { \
if (SLIST_FIRST((head)) == (elm)) { \
SLIST_REMOVE_HEAD((head), field); \
} \
else { \
struct type *curelm = SLIST_FIRST((head)); \
while (SLIST_NEXT(curelm, field) != (elm)) \
curelm = SLIST_NEXT(curelm, field); \
SLIST_NEXT(curelm, field) = \
SLIST_NEXT(SLIST_NEXT(curelm, field), field); \
} \
} while (0)
#define SLIST_REMOVE_HEAD(head, field) do { \
SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field); \
} while (0)
/*
* Singly-linked Tail queue declarations.
*/
#define STAILQ_HEAD(name, type) \
struct name { \
struct type *stqh_first;/* first element */ \
struct type **stqh_last;/* addr of last next element */ \
}
#define STAILQ_HEAD_INITIALIZER(head) \
{ NULL, &(head).stqh_first }
#define STAILQ_ENTRY(type) \
struct { \
struct type *stqe_next; /* next element */ \
}
/*
* Singly-linked Tail queue functions.
*/
#define STAILQ_EMPTY(head) ((head)->stqh_first == NULL)
#define STAILQ_FIRST(head) ((head)->stqh_first)
#define STAILQ_FOREACH(var, head, field) \
for((var) = STAILQ_FIRST((head)); \
(var); \
(var) = STAILQ_NEXT((var), field))
#define STAILQ_INIT(head) do { \
STAILQ_FIRST((head)) = NULL; \
(head)->stqh_last = &STAILQ_FIRST((head)); \
} while (0)
#define STAILQ_INSERT_AFTER(head, tqelm, elm, field) do { \
if ((STAILQ_NEXT((elm), field) = STAILQ_NEXT((tqelm), field)) == NULL)\
(head)->stqh_last = &STAILQ_NEXT((elm), field); \
STAILQ_NEXT((tqelm), field) = (elm); \
} while (0)
#define STAILQ_INSERT_HEAD(head, elm, field) do { \
if ((STAILQ_NEXT((elm), field) = STAILQ_FIRST((head))) == NULL) \
(head)->stqh_last = &STAILQ_NEXT((elm), field); \
STAILQ_FIRST((head)) = (elm); \
} while (0)
#define STAILQ_INSERT_TAIL(head, elm, field) do { \
STAILQ_NEXT((elm), field) = NULL; \
*(head)->stqh_last = (elm); \
(head)->stqh_last = &STAILQ_NEXT((elm), field); \
} while (0)
#define STAILQ_LAST(head, type, field) \
(STAILQ_EMPTY(head) ? \
NULL : \
((struct type *) \
((char *)((head)->stqh_last) - __offsetof(struct type, field))))
#define STAILQ_NEXT(elm, field) ((elm)->field.stqe_next)
#define STAILQ_REMOVE(head, elm, type, field) do { \
if (STAILQ_FIRST((head)) == (elm)) { \
STAILQ_REMOVE_HEAD(head, field); \
} \
else { \
struct type *curelm = STAILQ_FIRST((head)); \
while (STAILQ_NEXT(curelm, field) != (elm)) \
curelm = STAILQ_NEXT(curelm, field); \
if ((STAILQ_NEXT(curelm, field) = \
STAILQ_NEXT(STAILQ_NEXT(curelm, field), field)) == NULL)\
(head)->stqh_last = &STAILQ_NEXT((curelm), field);\
} \
} while (0)
#define STAILQ_REMOVE_HEAD(head, field) do { \
if ((STAILQ_FIRST((head)) = \
STAILQ_NEXT(STAILQ_FIRST((head)), field)) == NULL) \
(head)->stqh_last = &STAILQ_FIRST((head)); \
} while (0)
#define STAILQ_REMOVE_HEAD_UNTIL(head, elm, field) do { \
if ((STAILQ_FIRST((head)) = STAILQ_NEXT((elm), field)) == NULL) \
(head)->stqh_last = &STAILQ_FIRST((head)); \
} while (0)
/*
* List declarations.
*/
#define LIST_HEAD(name, type) \
struct name { \
struct type *lh_first; /* first element */ \
}
#define LIST_HEAD_INITIALIZER(head) \
{ NULL }
#define LIST_ENTRY(type) \
struct { \
struct type *le_next; /* next element */ \
struct type **le_prev; /* address of previous next element */ \
}
/*
* List functions.
*/
#define LIST_EMPTY(head) ((head)->lh_first == NULL)
#define LIST_FIRST(head) ((head)->lh_first)
#define LIST_FOREACH(var, head, field) \
for ((var) = LIST_FIRST((head)); \
(var); \
(var) = LIST_NEXT((var), field))
#define LIST_INIT(head) do { \
LIST_FIRST((head)) = NULL; \
} while (0)
#define LIST_INSERT_AFTER(listelm, elm, field) do { \
if ((LIST_NEXT((elm), field) = LIST_NEXT((listelm), field)) != NULL)\
LIST_NEXT((listelm), field)->field.le_prev = \
&LIST_NEXT((elm), field); \
LIST_NEXT((listelm), field) = (elm); \
(elm)->field.le_prev = &LIST_NEXT((listelm), field); \
} while (0)
#define LIST_INSERT_BEFORE(listelm, elm, field) do { \
(elm)->field.le_prev = (listelm)->field.le_prev; \
LIST_NEXT((elm), field) = (listelm); \
*(listelm)->field.le_prev = (elm); \
(listelm)->field.le_prev = &LIST_NEXT((elm), field); \
} while (0)
#define LIST_INSERT_HEAD(head, elm, field) do { \
if ((LIST_NEXT((elm), field) = LIST_FIRST((head))) != NULL) \
LIST_FIRST((head))->field.le_prev = &LIST_NEXT((elm), field);\
LIST_FIRST((head)) = (elm); \
(elm)->field.le_prev = &LIST_FIRST((head)); \
} while (0)
#define LIST_NEXT(elm, field) ((elm)->field.le_next)
#define LIST_REMOVE(elm, field) do { \
if (LIST_NEXT((elm), field) != NULL) \
LIST_NEXT((elm), field)->field.le_prev = \
(elm)->field.le_prev; \
*(elm)->field.le_prev = LIST_NEXT((elm), field); \
} while (0)
/*
* Tail queue declarations.
*/
#define TAILQ_HEAD(name, type) \
struct name { \
struct type *tqh_first; /* first element */ \
struct type **tqh_last; /* addr of last next element */ \
}
#define TAILQ_HEAD_INITIALIZER(head) \
{ NULL, &(head).tqh_first }
#define TAILQ_ENTRY(type) \
struct { \
struct type *tqe_next; /* next element */ \
struct type **tqe_prev; /* address of previous next element */ \
}
/*
* Tail queue functions.
*/
#define TAILQ_EMPTY(head) ((head)->tqh_first == NULL)
#define TAILQ_FIRST(head) ((head)->tqh_first)
#define TAILQ_FOREACH(var, head, field) \
for ((var) = TAILQ_FIRST((head)); \
(var); \
(var) = TAILQ_NEXT((var), field))
#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \
for ((var) = TAILQ_LAST((head), headname); \
(var); \
(var) = TAILQ_PREV((var), headname, field))
#define TAILQ_INIT(head) do { \
TAILQ_FIRST((head)) = NULL; \
(head)->tqh_last = &TAILQ_FIRST((head)); \
} while (0)
#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \
if ((TAILQ_NEXT((elm), field) = TAILQ_NEXT((listelm), field)) != NULL)\
TAILQ_NEXT((elm), field)->field.tqe_prev = \
&TAILQ_NEXT((elm), field); \
else \
(head)->tqh_last = &TAILQ_NEXT((elm), field); \
TAILQ_NEXT((listelm), field) = (elm); \
(elm)->field.tqe_prev = &TAILQ_NEXT((listelm), field); \
} while (0)
#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \
(elm)->field.tqe_prev = (listelm)->field.tqe_prev; \
TAILQ_NEXT((elm), field) = (listelm); \
*(listelm)->field.tqe_prev = (elm); \
(listelm)->field.tqe_prev = &TAILQ_NEXT((elm), field); \
} while (0)
#define TAILQ_INSERT_HEAD(head, elm, field) do { \
if ((TAILQ_NEXT((elm), field) = TAILQ_FIRST((head))) != NULL) \
TAILQ_FIRST((head))->field.tqe_prev = \
&TAILQ_NEXT((elm), field); \
else \
(head)->tqh_last = &TAILQ_NEXT((elm), field); \
TAILQ_FIRST((head)) = (elm); \
(elm)->field.tqe_prev = &TAILQ_FIRST((head)); \
} while (0)
#define TAILQ_INSERT_TAIL(head, elm, field) do { \
TAILQ_NEXT((elm), field) = NULL; \
(elm)->field.tqe_prev = (head)->tqh_last; \
*(head)->tqh_last = (elm); \
(head)->tqh_last = &TAILQ_NEXT((elm), field); \
} while (0)
#define TAILQ_LAST(head, headname) \
(*(((struct headname *)((head)->tqh_last))->tqh_last))
#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next)
#define TAILQ_PREV(elm, headname, field) \
(*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
#define TAILQ_REMOVE(head, elm, field) do { \
if ((TAILQ_NEXT((elm), field)) != NULL) \
TAILQ_NEXT((elm), field)->field.tqe_prev = \
(elm)->field.tqe_prev; \
else \
(head)->tqh_last = (elm)->field.tqe_prev; \
*(elm)->field.tqe_prev = TAILQ_NEXT((elm), field); \
} while (0)
#ifdef _KERNEL
/*
* XXX insque() and remque() are an old way of handling certain queues.
* They bogusly assumes that all queue heads look alike.
*/
struct quehead {
struct quehead *qh_link;
struct quehead *qh_rlink;
};
#ifdef __GNUC__
static __inline void
insque(void *a, void *b)
{
struct quehead *element = (struct quehead *)a,
*head = (struct quehead *)b;
element->qh_link = head->qh_link;
element->qh_rlink = head;
head->qh_link = element;
element->qh_link->qh_rlink = element;
}
static __inline void
remque(void *a)
{
struct quehead *element = (struct quehead *)a;
element->qh_link->qh_rlink = element->qh_rlink;
element->qh_rlink->qh_link = element->qh_link;
element->qh_rlink = 0;
}
#else /* !__GNUC__ */
void insque __P((void *a, void *b));
void remque __P((void *a));
#endif /* __GNUC__ */
#endif /* _KERNEL */
#endif /* !_SYS_QUEUE_H_ */

9
crypto/dist/ipsec-tools/src/libipsec/.cvsignore vendored Normal file
View File

@ -0,0 +1,9 @@
policy_parse.c
policy_parse.h
policy_token.c
Makefile
Makefile.in
.libs
.deps
*.la
*.lo

39
crypto/dist/ipsec-tools/src/libipsec/Makefile.am vendored Normal file
View File

@ -0,0 +1,39 @@
#bin_PROGRAMS = test-policy test-policy-priority
lib_LTLIBRARIES = libipsec.la
libipsecdir = $(includedir)/libipsec
libipsec_HEADERS = libpfkey.h
man3_MANS = ipsec_set_policy.3 ipsec_strerror.3
AM_CFLAGS = @GLIBC_BUGS@
AM_YFLAGS = -d -p __libipsec
AM_LFLAGS = -P__libipsec -olex.yy.c
libipsec_la_SOURCES = \
ipsec_dump_policy.c \
ipsec_get_policylen.c \
ipsec_strerror.c \
key_debug.c \
pfkey.c \
pfkey_dump.c \
policy_parse.y \
policy_token.l
# version is current:revision:age.
# See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
libipsec_la_LDFLAGS = -version-info 0:0:0
libipsec_la_LIBADD = $(LEXLIB)
noinst_HEADERS = ipsec_strerror.h policy_parse.h
#test_policy_SOURCES = test-policy.c
#test_policy_LDFLAGS = libipsec.la
#test_policy_priority_SOURCES = test-policy-priority.c
#test_policy_priority_LDFLAGS = libipsec.la
EXTRA_DIST = ${man3_MANS} test-policy.c
DISTCLEANFILES = policy_parse.c policy_parse.h policy_token.c policy_token.h

387
crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c vendored Normal file
View File

@ -0,0 +1,387 @@
/* $Id: ipsec_dump_policy.c,v 1.1.1.1 2005/02/12 11:11:23 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
# include <netinet/ipsec.h>
#endif
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include "ipsec_strerror.h"
#include "libpfkey.h"
static const char *ipsp_dir_strs[] = {
"any", "in", "out", "fwd"
};
static const char *ipsp_policy_strs[] = {
"discard", "none", "ipsec", "entrust", "bypass",
};
static char *ipsec_dump_ipsecrequest __P((char *, size_t,
struct sadb_x_ipsecrequest *, size_t));
static int set_addresses __P((char *, size_t, struct sockaddr *,
struct sockaddr *));
static char *set_address __P((char *, size_t, struct sockaddr *));
/*
* policy is sadb_x_policy buffer.
* Must call free() later.
* When delimiter == NULL, alternatively ' '(space) is applied.
*/
char *
ipsec_dump_policy(policy, delimiter)
caddr_t policy;
char *delimiter;
{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
struct sadb_x_ipsecrequest *xisr;
size_t off, buflen;
char *buf;
char isrbuf[1024];
char *newbuf;
#ifdef HAVE_PFKEY_POLICY_PRIORITY
int32_t priority_offset;
char *priority_str;
char operator;
#endif
/* sanity check */
if (policy == NULL)
return NULL;
if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
return NULL;
}
/* set delimiter */
if (delimiter == NULL)
delimiter = " ";
#ifdef HAVE_PFKEY_POLICY_PRIORITY
if (xpl->sadb_x_policy_priority == 0)
{
priority_offset = 0;
priority_str = "";
}
/* find which constant the priority is closest to */
else if (xpl->sadb_x_policy_priority <
(u_int32_t) (PRIORITY_DEFAULT / 4) * 3)
{
priority_offset = xpl->sadb_x_policy_priority - PRIORITY_HIGH;
priority_str = "prio high";
}
else if (xpl->sadb_x_policy_priority >=
(u_int32_t) (PRIORITY_DEFAULT / 4) * 3 &&
xpl->sadb_x_policy_priority <
(u_int32_t) (PRIORITY_DEFAULT / 4) * 5)
{
priority_offset = xpl->sadb_x_policy_priority - PRIORITY_DEFAULT;
priority_str = "prio def";
}
else
{
priority_offset = xpl->sadb_x_policy_priority - PRIORITY_LOW;
priority_str = "prio low";
}
/* fix sign to match the way it is input */
priority_offset *= -1;
if (priority_offset < 0)
{
operator = '-';
priority_offset *= -1;
}
else
{
operator = '+';
}
#endif
switch (xpl->sadb_x_policy_dir) {
case IPSEC_DIR_ANY:
case IPSEC_DIR_INBOUND:
case IPSEC_DIR_OUTBOUND:
#ifdef HAVE_POLICY_FWD
case IPSEC_DIR_FWD:
#endif
break;
default:
__ipsec_errcode = EIPSEC_INVAL_DIR;
return NULL;
}
switch (xpl->sadb_x_policy_type) {
case IPSEC_POLICY_DISCARD:
case IPSEC_POLICY_NONE:
case IPSEC_POLICY_IPSEC:
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_ENTRUST:
break;
default:
__ipsec_errcode = EIPSEC_INVAL_POLICY;
return NULL;
}
buflen = strlen(ipsp_dir_strs[xpl->sadb_x_policy_dir])
+ 1 /* space */
#ifdef HAVE_PFKEY_POLICY_PRIORITY
+ strlen(priority_str)
+ ((priority_offset != 0) ? 13 : 0) /* [space operator space int] */
+ ((strlen(priority_str) != 0) ? 1 : 0) /* space */
#endif
+ strlen(ipsp_policy_strs[xpl->sadb_x_policy_type])
+ 1; /* NUL */
if ((buf = malloc(buflen)) == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
return NULL;
}
#ifdef HAVE_PFKEY_POLICY_PRIORITY
if (priority_offset != 0)
{
snprintf(buf, buflen, "%s %s %c %u %s",
ipsp_dir_strs[xpl->sadb_x_policy_dir], priority_str, operator,
priority_offset, ipsp_policy_strs[xpl->sadb_x_policy_type]);
}
else if (strlen (priority_str) != 0)
{
snprintf(buf, buflen, "%s %s %s",
ipsp_dir_strs[xpl->sadb_x_policy_dir], priority_str,
ipsp_policy_strs[xpl->sadb_x_policy_type]);
}
else
{
snprintf(buf, buflen, "%s %s",
ipsp_dir_strs[xpl->sadb_x_policy_dir],
ipsp_policy_strs[xpl->sadb_x_policy_type]);
}
#else
snprintf(buf, buflen, "%s %s", ipsp_dir_strs[xpl->sadb_x_policy_dir],
ipsp_policy_strs[xpl->sadb_x_policy_type]);
#endif
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
__ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
/* count length of buffer for use */
off = sizeof(*xpl);
while (off < PFKEY_EXTLEN(xpl)) {
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
off += xisr->sadb_x_ipsecrequest_len;
}
/* validity check */
if (off != PFKEY_EXTLEN(xpl)) {
__ipsec_errcode = EIPSEC_INVAL_SADBMSG;
free(buf);
return NULL;
}
off = sizeof(*xpl);
while (off < PFKEY_EXTLEN(xpl)) {
int offset;
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
PFKEY_EXTLEN(xpl) - off) == NULL) {
free(buf);
return NULL;
}
offset = strlen(buf);
buflen = offset + strlen(delimiter) + strlen(isrbuf) + 1;
newbuf = (char *)realloc(buf, buflen);
if (newbuf == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
free(buf);
return NULL;
}
buf = newbuf;
snprintf(buf+offset, buflen-offset, "%s%s", delimiter, isrbuf);
off += xisr->sadb_x_ipsecrequest_len;
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return buf;
}
static char *
ipsec_dump_ipsecrequest(buf, len, xisr, bound)
char *buf;
size_t len;
struct sadb_x_ipsecrequest *xisr;
size_t bound; /* boundary */
{
const char *proto, *mode, *level;
char abuf[NI_MAXHOST * 2 + 2];
if (xisr->sadb_x_ipsecrequest_len > bound) {
__ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;
}
switch (xisr->sadb_x_ipsecrequest_proto) {
case IPPROTO_ESP:
proto = "esp";
break;
case IPPROTO_AH:
proto = "ah";
break;
case IPPROTO_IPCOMP:
proto = "ipcomp";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;
}
switch (xisr->sadb_x_ipsecrequest_mode) {
case IPSEC_MODE_ANY:
mode = "any";
break;
case IPSEC_MODE_TRANSPORT:
mode = "transport";
break;
case IPSEC_MODE_TUNNEL:
mode = "tunnel";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_MODE;
return NULL;
}
abuf[0] = '\0';
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
struct sockaddr *sa1, *sa2;
caddr_t p;
p = (caddr_t)(xisr + 1);
sa1 = (struct sockaddr *)p;
sa2 = (struct sockaddr *)(p + sysdep_sa_len(sa1));
if (sizeof(*xisr) + sysdep_sa_len(sa1) + sysdep_sa_len(sa2) !=
xisr->sadb_x_ipsecrequest_len) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
}
switch (xisr->sadb_x_ipsecrequest_level) {
case IPSEC_LEVEL_DEFAULT:
level = "default";
break;
case IPSEC_LEVEL_USE:
level = "use";
break;
case IPSEC_LEVEL_REQUIRE:
level = "require";
break;
case IPSEC_LEVEL_UNIQUE:
level = "unique";
break;
default:
__ipsec_errcode = EIPSEC_INVAL_LEVEL;
return NULL;
}
if (xisr->sadb_x_ipsecrequest_reqid == 0)
snprintf(buf, len, "%s/%s/%s/%s", proto, mode, abuf, level);
else {
int ch;
if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX)
ch = '#';
else
ch = ':';
snprintf(buf, len, "%s/%s/%s/%s%c%u", proto, mode, abuf, level,
ch, xisr->sadb_x_ipsecrequest_reqid);
}
return buf;
}
static int
set_addresses(buf, len, sa1, sa2)
char *buf;
size_t len;
struct sockaddr *sa1;
struct sockaddr *sa2;
{
char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST];
if (set_address(tmp1, sizeof(tmp1), sa1) == NULL ||
set_address(tmp2, sizeof(tmp2), sa2) == NULL)
return -1;
if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len)
return -1;
snprintf(buf, len, "%s-%s", tmp1, tmp2);
return 0;
}
static char *
set_address(buf, len, sa)
char *buf;
size_t len;
struct sockaddr *sa;
{
const int niflags = NI_NUMERICHOST;
if (len < 1)
return NULL;
buf[0] = '\0';
if (getnameinfo(sa, sysdep_sa_len(sa), buf, len, NULL, 0, niflags) != 0)
return NULL;
return buf;
}

55
crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c vendored Normal file
View File

@ -0,0 +1,55 @@
/* $KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <sys/types.h>
#include <sys/param.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
# include <netinet/ipsec.h>
#endif
#include <net/pfkeyv2.h>
#include "ipsec_strerror.h"
int
ipsec_get_policylen(policy)
caddr_t policy;
{
return policy ? PFKEY_EXTLEN(policy) : -1;
}

316
crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3 vendored Normal file
View File

@ -0,0 +1,316 @@
.\" $KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd May 5, 1998
.Dt IPSEC_SET_POLICY 3
.Os KAME
.Sh NAME
.Nm ipsec_set_policy ,
.Nm ipsec_get_policylen ,
.Nm ipsec_dump_policy
.Nd manipulate IPsec policy specification structure from readable string
.\"
.Sh LIBRARY
.Lb libipsec
.Sh SYNOPSIS
.Fd #include <netinet6/ipsec.h>
.Ft "char *"
.Fn ipsec_set_policy "char *policy" "int len"
.Ft int
.Fn ipsec_get_policylen "char *buf"
.Ft "char *"
.Fn ipsec_dump_policy "char *buf" "char *delim"
.Sh DESCRIPTION
.Fn ipsec_set_policy
generates IPsec policy specification structure, namely
.Li struct sadb_x_policy
and/or
.Li struct sadb_x_ipsecrequest
from human-readable policy specification.
policy specification must be given as C string
.Fa policy
and length
.Fa len
of
.Fa policy .
.Fn ipsec_set_policy
will return the buffer of IPsec policy specification structure.
The buffer is dynamically allocated, and must be freed by the caller by calling
.Xr free 3 .
.Pp
You may want the length of the generated buffer such when calling
.Xr setsockopt 2 .
.Fn ipsec_get_policylen
will return the length.
.Pp
.Fn ipsec_dump_policy
converts IPsec policy structure into readable form.
Therefore,
.Fn ipsec_dump_policy
can be regarded as inverse conversion of
.Fn ipsec_set_policy .
.Fa buf
points to an IPsec policy structure,
.Li struct sadb_x_policy .
.Fa delim
is a delimiter string, which is usually a blank character.
If you set
.Fa delim
to
.Dv NULL ,
single whitespace is assumed.
.Fn ipsec_dump_policy
returns pointer to dynamically allocated string.
It is caller's responsibility to reclaim the region, by using
.Xr free 3 .
.Pp
.Fa policy
is formatted as either of the following:
.Bl -tag -width "discard"
.It Ar direction [priority specification] Li discard
.Ar direction
must be
.Li in
,
.Li out
or
.Li fwd .
.Ar direction
specifies which direction the policy needs to be applied. Nonstandard
direction
.Ar fwd
is substituted with
.Ar in
on platforms which do not support forward policies.
.Pp
.Ar priority specification
is used to control the placement of the policy within the SPD. Policy position
is determined by
a signed integer where higher priorities indicate the policy is placed
closer to the beginning of the list and lower priorities indicate the
policy is placed closer to the end of the list. Policies with equal
priorities are added at the end of the group of such policies.
.Pp
Priority can only
be specified when libipsec has been compiled against kernel headers that
support policy priorities (>= 2.6.6). It takes one of the following formats:
.Bl -tag -width "discard"
.It Xo
.Ar {priority,prio} offset
.Xc
.Ar offset
is an integer in ranges -2147483647 .. 214783648.
.It Xo
.Ar {priority,prio} base {+,-} offset
.Xc
.Ar base
is either
.Li low (-1073741824),
.Li def (0),
or
.Li high (1073741824)
.Pp
.Ar offset
is an unsigned integer. It can be up to 1073741824 for
positive offsets, and up to 1073741823 for negative offsets.
.El
.Pp
The interpretation of policy priority in these functions and the kernel DOES
differ. The relationship between the two can be described as
p(kernel) = 0x80000000 - p(func)
.Pp
With
.Li discard
policy, packets will be dropped if they match the policy.
.It Ar direction [priority specification] Li entrust
.Li entrust
means to consult to SPD defined by
.Xr setkey 8 .
.It Ar direction [priority specification] Li bypass
.Li bypass
means to be bypassed the IPsec processing.
.Pq packet will be transmitted in clear .
This is for privileged socket.
.It Xo
.Ar direction
.Ar [priority specification]
.Li ipsec
.Ar request ...
.Xc
.Li ipsec
means that the matching packets are subject to IPsec processing.
.Li ipsec
can be followed by one or more
.Ar request
string, which is formatted as below:
.Bl -tag -width "discard"
.It Xo
.Ar protocol
.Li /
.Ar mode
.Li /
.Ar src
.Li -
.Ar dst
.Op Ar /level
.Xc
.Ar protocol
is either
.Li ah ,
.Li esp
or
.Li ipcomp .
.Pp
.Ar mode
is either
.Li transport
or
.Li tunnel .
.Pp
.Ar src
and
.Ar dst
specifies IPsec endpoint.
.Ar src
always means
.Dq sending node
and
.Ar dst
always means
.Dq receiving node .
Therefore, when
.Ar direction
is
.Li in ,
.Ar dst
is this node
and
.Ar src
is the other node
.Pq peer .
If
.Ar mode
is
.Li transport ,
Both
.Ar src
and
.Ar dst
can be omited.
.Pp
.Ar level
must be set to one of the following:
.Li default , use , require
or
.Li unique .
.Li default
means that the kernel should consult the system default policy
defined by
.Xr sysctl 8 ,
such as
.Li net.inet.ipsec.esp_trans_deflev .
See
.Xr ipsec 4
regarding the system default.
.Li use
means that a relevant SA can be used when available,
since the kernel may perform IPsec operation against packets when possible.
In this case, packets can be transmitted in clear
.Pq when SA is not available ,
or encrypted
.Pq when SA is available .
.Li require
means that a relevant SA is required,
since the kernel must perform IPsec operation against packets.
.Li unique
is the same as
.Li require ,
but adds the restriction that the SA for outbound traffic is used
only for this policy.
You may need the identifier in order to relate the policy and the SA
when you define the SA by manual keying.
You can put the decimal number as the identifier after
.Li unique
like
.Li unique : number .
.Li number
must be between 1 and 32767 .
If the
.Ar request
string is kept unambiguous,
.Ar level
and slash prior to
.Ar level
can be omitted.
However, it is encouraged to specify them explicitly
to avoid unintended behaviors.
If
.Ar level
is omitted, it will be interpreted as
.Li default .
.El
.Pp
Note that there is a bit difference of specification from
.Xr setkey 8 .
In specification by
.Xr setkey 8 ,
both entrust and bypass are not used.
Refer to
.Xr setkey 8
for detail.
.Pp
Here are several examples
.Pq long lines are wrapped for readability :
.Bd -literal -offset indent
in discard
out ipsec esp/transport//require
in ipsec ah/transport//require
out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
in ipsec ipcomp/transport//use
esp/transport//use
.Ed
.El
.Sh RETURN VALUES
.Fn ipsec_set_policy
returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
.Fn ipsec_get_policylen
returns with positive value
.Pq meaning the buffer size
on success, and negative value on errors.
.Fn ipsec_dump_policy
returns a pointer to dynamically allocated region on success,
and
.Dv NULL
on errors.
.Sh SEE ALSO
.Xr ipsec_strerror 3 ,
.Xr ipsec 4 ,
.Xr setkey 8
.Sh HISTORY
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.

84
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3 vendored Normal file
View File

@ -0,0 +1,84 @@
.\" $KAME: ipsec_strerror.3,v 1.9 2001/08/17 07:21:36 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd May 6, 1998
.Dt IPSEC_STRERROR 3
.Os KAME
.\"
.Sh NAME
.Nm ipsec_strerror
.Nd error message for IPsec policy manipulation library
.\"
.Sh SYNOPSIS
.Fd #include <netinet6/ipsec.h>
.Ft "const char *"
.Fn ipsec_strerror
.\"
.Sh DESCRIPTION
.Pa netinet6/ipsec.h
declares
.Pp
.Dl extern int ipsec_errcode;
.Pp
which is used to pass an error code from IPsec policy manipulation library
to an user program.
.Fn ipsec_strerror
can be used to obtain the error message string for the error code.
.Pp
The array pointed to is not to be modified by the program.
Since
.Fn ipsec_strerror
uses
.Xr strerror 3
as underlying function, calling
.Xr strerror 3
after
.Fn ipsec_strerror
would make the return value from
.Fn ipsec_strerror
invalid, or overwritten.
.\"
.Sh RETURN VALUES
.Fn ipsec_strerror
always return a pointer to C string.
The C string must not be overwritten by user programs.
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3
.\"
.Sh HISTORY
.Fn ipsec_strerror
first appeared in WIDE/KAME IPv6 protocol stack kit.
.\"
.Sh BUGS
.Fn ipsec_strerror
will return its result which may be overwritten by subsequent calls.
.Pp
.Va ipsec_errcode
is not thread safe.

98
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c vendored Normal file
View File

@ -0,0 +1,98 @@
/* $KAME: ipsec_strerror.c,v 1.7 2000/07/30 00:45:12 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <string.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
# include <netinet/ipsec.h>
#endif
#include "ipsec_strerror.h"
int __ipsec_errcode;
static const char *ipsec_errlist[] = {
"Success", /*EIPSEC_NO_ERROR*/
"Not supported", /*EIPSEC_NOT_SUPPORTED*/
"Invalid argument", /*EIPSEC_INVAL_ARGUMENT*/
"Invalid sadb message", /*EIPSEC_INVAL_SADBMSG*/
"Invalid version", /*EIPSEC_INVAL_VERSION*/
"Invalid security policy", /*EIPSEC_INVAL_POLICY*/
"Invalid address specification", /*EIPSEC_INVAL_ADDRESS*/
"Invalid ipsec protocol", /*EIPSEC_INVAL_PROTO*/
"Invalid ipsec mode", /*EIPSEC_INVAL_MODE*/
"Invalid ipsec level", /*EIPSEC_INVAL_LEVEL*/
"Invalid SA type", /*EIPSEC_INVAL_SATYPE*/
"Invalid message type", /*EIPSEC_INVAL_MSGTYPE*/
"Invalid extension type", /*EIPSEC_INVAL_EXTTYPE*/
"Invalid algorithm type", /*EIPSEC_INVAL_ALGS*/
"Invalid key length", /*EIPSEC_INVAL_KEYLEN*/
"Invalid address family", /*EIPSEC_INVAL_FAMILY*/
"Invalid prefix length", /*EIPSEC_INVAL_PREFIXLEN*/
"Invalid direciton", /*EIPSEC_INVAL_DIR*/
"SPI range violation", /*EIPSEC_INVAL_SPI*/
"No protocol specified", /*EIPSEC_NO_PROTO*/
"No algorithm specified", /*EIPSEC_NO_ALGS*/
"No buffers available", /*EIPSEC_NO_BUFS*/
"Must get supported algorithms list first", /*EIPSEC_DO_GET_SUPP_LIST*/
"Protocol mismatch", /*EIPSEC_PROTO_MISMATCH*/
"Family mismatch", /*EIPSEC_FAMILY_MISMATCH*/
"Too few arguments", /*EIPSEC_FEW_ARGUMENTS*/
NULL, /*EIPSEC_SYSTEM_ERROR*/
"Priority offset not in valid range [-2147483647, 2147483648]", /*EIPSEC_INVAL_PRIORITY_OFFSET*/
"Priority offset from base not in valid range [0, 1073741823] for negative offsets and [0, 1073741824] for positive offsets", /* EIPSEC_INVAL_PRIORITY_OFFSET */
"Policy priority not compiled in", /*EIPSEC_PRIORITY_NOT_COMPILED*/
"Unknown error", /*EIPSEC_MAX*/
};
const char *ipsec_strerror(void)
{
if (__ipsec_errcode < 0 || __ipsec_errcode > EIPSEC_MAX)
__ipsec_errcode = EIPSEC_MAX;
return ipsec_errlist[__ipsec_errcode];
}
void __ipsec_set_strerror(const char *str)
{
__ipsec_errcode = EIPSEC_SYSTEM_ERROR;
ipsec_errlist[EIPSEC_SYSTEM_ERROR] = str;
return;
}

71
crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h vendored Normal file
View File

@ -0,0 +1,71 @@
/* $Id: ipsec_strerror.h,v 1.1.1.1 2005/02/12 11:11:30 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _IPSEC_STRERROR_H
#define _IPSEC_STRERROR_H
extern int __ipsec_errcode;
extern void __ipsec_set_strerror __P((const char *));
#define EIPSEC_NO_ERROR 0 /*success*/
#define EIPSEC_NOT_SUPPORTED 1 /*not supported*/
#define EIPSEC_INVAL_ARGUMENT 2 /*invalid argument*/
#define EIPSEC_INVAL_SADBMSG 3 /*invalid sadb message*/
#define EIPSEC_INVAL_VERSION 4 /*invalid version*/
#define EIPSEC_INVAL_POLICY 5 /*invalid security policy*/
#define EIPSEC_INVAL_ADDRESS 6 /*invalid address specification*/
#define EIPSEC_INVAL_PROTO 7 /*invalid ipsec protocol*/
#define EIPSEC_INVAL_MODE 8 /*Invalid ipsec mode*/
#define EIPSEC_INVAL_LEVEL 9 /*invalid ipsec level*/
#define EIPSEC_INVAL_SATYPE 10 /*invalid SA type*/
#define EIPSEC_INVAL_MSGTYPE 11 /*invalid message type*/
#define EIPSEC_INVAL_EXTTYPE 12 /*invalid extension type*/
#define EIPSEC_INVAL_ALGS 13 /*Invalid algorithm type*/
#define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/
#define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/
#define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/
#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/
#define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/
#define EIPSEC_NO_PROTO 19 /*no protocol specified*/
#define EIPSEC_NO_ALGS 20 /*No algorithm specified*/
#define EIPSEC_NO_BUFS 21 /*no buffers available*/
#define EIPSEC_DO_GET_SUPP_LIST 22 /*must get supported algorithm first*/
#define EIPSEC_PROTO_MISMATCH 23 /*protocol mismatch*/
#define EIPSEC_FAMILY_MISMATCH 24 /*family mismatch*/
#define EIPSEC_FEW_ARGUMENTS 25 /*Too few arguments*/
#define EIPSEC_SYSTEM_ERROR 26 /*system error*/
#define EIPSEC_INVAL_PRIORITY_OFFSET 27 /*priority offset out of range*/
#define EIPSEC_INVAL_PRIORITY_BASE_OFFSET 28 /* priority base offset too
large */
#define EIPSEC_PRIORITY_NOT_COMPILED 29 /*no priority support in libipsec*/
#define EIPSEC_MAX 30 /*unknown error*/
#endif /* _IPSEC_STRERROR_H */

817
crypto/dist/ipsec-tools/src/libipsec/key_debug.c vendored Normal file
View File

@ -0,0 +1,817 @@
/* $KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#ifdef _KERNEL
#if defined(__FreeBSD__) && __FreeBSD__ >= 3
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
#endif
#ifdef __NetBSD__
#include "opt_inet.h"
#endif
#endif
#include <sys/types.h>
#include <sys/param.h>
#ifdef _KERNEL
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/queue.h>
#endif
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
# include <netinet/ipsec.h>
#endif
#ifndef _KERNEL
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#endif /* !_KERNEL */
#include "config.h"
#include "libpfkey.h"
static void kdebug_sadb_prop __P((struct sadb_ext *));
static void kdebug_sadb_identity __P((struct sadb_ext *));
static void kdebug_sadb_supported __P((struct sadb_ext *));
static void kdebug_sadb_lifetime __P((struct sadb_ext *));
static void kdebug_sadb_sa __P((struct sadb_ext *));
static void kdebug_sadb_address __P((struct sadb_ext *));
static void kdebug_sadb_key __P((struct sadb_ext *));
static void kdebug_sadb_x_sa2 __P((struct sadb_ext *));
static void kdebug_sadb_x_policy __P((struct sadb_ext *ext));
static void kdebug_sockaddr __P((struct sockaddr *addr));
#ifdef SADB_X_EXT_NAT_T_TYPE
static void kdebug_sadb_x_nat_t_type __P((struct sadb_ext *ext));
static void kdebug_sadb_x_nat_t_port __P((struct sadb_ext *ext));
#endif
#ifdef _KERNEL
static void kdebug_secreplay __P((struct secreplay *));
#endif
#ifndef _KERNEL
#define panic(param) { printf(param); exit(1); }
#endif
#include "libpfkey.h"
/* NOTE: host byte order */
/* %%%: about struct sadb_msg */
void
kdebug_sadb(base)
struct sadb_msg *base;
{
struct sadb_ext *ext;
int tlen, extlen;
/* sanity check */
if (base == NULL)
panic("kdebug_sadb: NULL pointer was passed.\n");
printf("sadb_msg{ version=%u type=%u errno=%u satype=%u\n",
base->sadb_msg_version, base->sadb_msg_type,
base->sadb_msg_errno, base->sadb_msg_satype);
printf(" len=%u reserved=%u seq=%u pid=%u\n",
base->sadb_msg_len, base->sadb_msg_reserved,
base->sadb_msg_seq, base->sadb_msg_pid);
tlen = PFKEY_UNUNIT64(base->sadb_msg_len) - sizeof(struct sadb_msg);
ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg));
while (tlen > 0) {
printf("sadb_ext{ len=%u type=%u }\n",
ext->sadb_ext_len, ext->sadb_ext_type);
if (ext->sadb_ext_len == 0) {
printf("kdebug_sadb: invalid ext_len=0 was passed.\n");
return;
}
if (ext->sadb_ext_len > tlen) {
printf("kdebug_sadb: ext_len exceeds end of buffer.\n");
return;
}
switch (ext->sadb_ext_type) {
case SADB_EXT_SA:
kdebug_sadb_sa(ext);
break;
case SADB_EXT_LIFETIME_CURRENT:
case SADB_EXT_LIFETIME_HARD:
case SADB_EXT_LIFETIME_SOFT:
kdebug_sadb_lifetime(ext);
break;
case SADB_EXT_ADDRESS_SRC:
case SADB_EXT_ADDRESS_DST:
case SADB_EXT_ADDRESS_PROXY:
kdebug_sadb_address(ext);
break;
case SADB_EXT_KEY_AUTH:
case SADB_EXT_KEY_ENCRYPT:
kdebug_sadb_key(ext);
break;
case SADB_EXT_IDENTITY_SRC:
case SADB_EXT_IDENTITY_DST:
kdebug_sadb_identity(ext);
break;
case SADB_EXT_SENSITIVITY:
break;
case SADB_EXT_PROPOSAL:
kdebug_sadb_prop(ext);
break;
case SADB_EXT_SUPPORTED_AUTH:
case SADB_EXT_SUPPORTED_ENCRYPT:
kdebug_sadb_supported(ext);
break;
case SADB_EXT_SPIRANGE:
case SADB_X_EXT_KMPRIVATE:
break;
case SADB_X_EXT_POLICY:
kdebug_sadb_x_policy(ext);
break;
case SADB_X_EXT_SA2:
kdebug_sadb_x_sa2(ext);
break;
#ifdef SADB_X_EXT_NAT_T_TYPE
case SADB_X_EXT_NAT_T_TYPE:
kdebug_sadb_x_nat_t_type(ext);
break;
case SADB_X_EXT_NAT_T_SPORT:
case SADB_X_EXT_NAT_T_DPORT:
kdebug_sadb_x_nat_t_port(ext);
break;
case SADB_X_EXT_NAT_T_OA:
kdebug_sadb_address(ext);
break;
#endif
default:
printf("kdebug_sadb: invalid ext_type %u was passed.\n",
ext->sadb_ext_type);
return;
}
extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
tlen -= extlen;
ext = (struct sadb_ext *)((caddr_t)ext + extlen);
}
return;
}
static void
kdebug_sadb_prop(ext)
struct sadb_ext *ext;
{
struct sadb_prop *prop = (struct sadb_prop *)ext;
struct sadb_comb *comb;
int len;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_prop: NULL pointer was passed.\n");
len = (PFKEY_UNUNIT64(prop->sadb_prop_len) - sizeof(*prop))
/ sizeof(*comb);
comb = (struct sadb_comb *)(prop + 1);
printf("sadb_prop{ replay=%u\n", prop->sadb_prop_replay);
while (len--) {
printf("sadb_comb{ auth=%u encrypt=%u "
"flags=0x%04x reserved=0x%08x\n",
comb->sadb_comb_auth, comb->sadb_comb_encrypt,
comb->sadb_comb_flags, comb->sadb_comb_reserved);
printf(" auth_minbits=%u auth_maxbits=%u "
"encrypt_minbits=%u encrypt_maxbits=%u\n",
comb->sadb_comb_auth_minbits,
comb->sadb_comb_auth_maxbits,
comb->sadb_comb_encrypt_minbits,
comb->sadb_comb_encrypt_maxbits);
printf(" soft_alloc=%u hard_alloc=%u "
"soft_bytes=%lu hard_bytes=%lu\n",
comb->sadb_comb_soft_allocations,
comb->sadb_comb_hard_allocations,
(unsigned long)comb->sadb_comb_soft_bytes,
(unsigned long)comb->sadb_comb_hard_bytes);
printf(" soft_alloc=%lu hard_alloc=%lu "
"soft_bytes=%lu hard_bytes=%lu }\n",
(unsigned long)comb->sadb_comb_soft_addtime,
(unsigned long)comb->sadb_comb_hard_addtime,
(unsigned long)comb->sadb_comb_soft_usetime,
(unsigned long)comb->sadb_comb_hard_usetime);
comb++;
}
printf("}\n");
return;
}
static void
kdebug_sadb_identity(ext)
struct sadb_ext *ext;
{
struct sadb_ident *id = (struct sadb_ident *)ext;
int len;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_identity: NULL pointer was passed.\n");
len = PFKEY_UNUNIT64(id->sadb_ident_len) - sizeof(*id);
printf("sadb_ident_%s{",
id->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC ? "src" : "dst");
switch (id->sadb_ident_type) {
default:
printf(" type=%d id=%lu",
id->sadb_ident_type, (u_long)id->sadb_ident_id);
if (len) {
#ifdef _KERNEL
ipsec_hexdump((caddr_t)(id + 1), len); /*XXX cast ?*/
#else
char *p, *ep;
printf("\n str=\"");
p = (char *)(id + 1);
ep = p + len;
for (/*nothing*/; *p && p < ep; p++) {
if (isprint((int)*p))
printf("%c", *p & 0xff);
else
printf("\\%03o", *p & 0xff);
}
#endif
printf("\"");
}
break;
}
printf(" }\n");
return;
}
static void
kdebug_sadb_supported(ext)
struct sadb_ext *ext;
{
struct sadb_supported *sup = (struct sadb_supported *)ext;
struct sadb_alg *alg;
int len;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_supported: NULL pointer was passed.\n");
len = (PFKEY_UNUNIT64(sup->sadb_supported_len) - sizeof(*sup))
/ sizeof(*alg);
alg = (struct sadb_alg *)(sup + 1);
printf("sadb_sup{\n");
while (len--) {
printf(" { id=%d ivlen=%d min=%d max=%d }\n",
alg->sadb_alg_id, alg->sadb_alg_ivlen,
alg->sadb_alg_minbits, alg->sadb_alg_maxbits);
alg++;
}
printf("}\n");
return;
}
static void
kdebug_sadb_lifetime(ext)
struct sadb_ext *ext;
{
struct sadb_lifetime *lft = (struct sadb_lifetime *)ext;
/* sanity check */
if (ext == NULL)
printf("kdebug_sadb_lifetime: NULL pointer was passed.\n");
printf("sadb_lifetime{ alloc=%u, bytes=%u\n",
lft->sadb_lifetime_allocations,
(u_int32_t)lft->sadb_lifetime_bytes);
printf(" addtime=%u, usetime=%u }\n",
(u_int32_t)lft->sadb_lifetime_addtime,
(u_int32_t)lft->sadb_lifetime_usetime);
return;
}
static void
kdebug_sadb_sa(ext)
struct sadb_ext *ext;
{
struct sadb_sa *sa = (struct sadb_sa *)ext;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_sa: NULL pointer was passed.\n");
printf("sadb_sa{ spi=%u replay=%u state=%u\n",
(u_int32_t)ntohl(sa->sadb_sa_spi), sa->sadb_sa_replay,
sa->sadb_sa_state);
printf(" auth=%u encrypt=%u flags=0x%08x }\n",
sa->sadb_sa_auth, sa->sadb_sa_encrypt, sa->sadb_sa_flags);
return;
}
static void
kdebug_sadb_address(ext)
struct sadb_ext *ext;
{
struct sadb_address *addr = (struct sadb_address *)ext;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_address: NULL pointer was passed.\n");
printf("sadb_address{ proto=%u prefixlen=%u reserved=0x%02x%02x }\n",
addr->sadb_address_proto, addr->sadb_address_prefixlen,
((u_char *)&addr->sadb_address_reserved)[0],
((u_char *)&addr->sadb_address_reserved)[1]);
kdebug_sockaddr((struct sockaddr *)((caddr_t)ext + sizeof(*addr)));
return;
}
static void
kdebug_sadb_key(ext)
struct sadb_ext *ext;
{
struct sadb_key *key = (struct sadb_key *)ext;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_key: NULL pointer was passed.\n");
printf("sadb_key{ bits=%u reserved=%u\n",
key->sadb_key_bits, key->sadb_key_reserved);
printf(" key=");
/* sanity check 2 */
if ((key->sadb_key_bits >> 3) >
(PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key))) {
printf("kdebug_sadb_key: key length mismatch, bit:%d len:%ld.\n",
key->sadb_key_bits >> 3,
(long)PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key));
}
ipsec_hexdump((caddr_t)key + sizeof(struct sadb_key),
key->sadb_key_bits >> 3);
printf(" }\n");
return;
}
static void
kdebug_sadb_x_sa2(ext)
struct sadb_ext *ext;
{
struct sadb_x_sa2 *sa2 = (struct sadb_x_sa2 *)ext;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_x_sa2: NULL pointer was passed.\n");
printf("sadb_x_sa2{ mode=%u reqid=%u\n",
sa2->sadb_x_sa2_mode, sa2->sadb_x_sa2_reqid);
printf(" reserved1=%u reserved2=%u sequence=%u }\n",
sa2->sadb_x_sa2_reserved1, sa2->sadb_x_sa2_reserved2,
sa2->sadb_x_sa2_sequence);
return;
}
void
kdebug_sadb_x_policy(ext)
struct sadb_ext *ext;
{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)ext;
struct sockaddr *addr;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_x_policy: NULL pointer was passed.\n");
#ifdef HAVE_PFKEY_POLICY_PRIORITY
printf("sadb_x_policy{ type=%u dir=%u id=%x priority=%u }\n",
#else
printf("sadb_x_policy{ type=%u dir=%u id=%x }\n",
#endif
xpl->sadb_x_policy_type, xpl->sadb_x_policy_dir,
#ifdef HAVE_PFKEY_POLICY_PRIORITY
xpl->sadb_x_policy_id, xpl->sadb_x_policy_priority);
#else
xpl->sadb_x_policy_id);
#endif
if (xpl->sadb_x_policy_type == IPSEC_POLICY_IPSEC) {
int tlen;
struct sadb_x_ipsecrequest *xisr;
tlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
while (tlen > 0) {
printf(" { len=%u proto=%u mode=%u level=%u reqid=%u\n",
xisr->sadb_x_ipsecrequest_len,
xisr->sadb_x_ipsecrequest_proto,
xisr->sadb_x_ipsecrequest_mode,
xisr->sadb_x_ipsecrequest_level,
xisr->sadb_x_ipsecrequest_reqid);
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
addr = (struct sockaddr *)(xisr + 1);
kdebug_sockaddr(addr);
addr = (struct sockaddr *)((caddr_t)addr
+ sysdep_sa_len(addr));
kdebug_sockaddr(addr);
}
printf(" }\n");
/* prevent infinite loop */
if (xisr->sadb_x_ipsecrequest_len <= 0) {
printf("kdebug_sadb_x_policy: wrong policy struct.\n");
return;
}
/* prevent overflow */
if (xisr->sadb_x_ipsecrequest_len > tlen) {
printf("invalid ipsec policy length\n");
return;
}
tlen -= xisr->sadb_x_ipsecrequest_len;
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
}
if (tlen != 0)
panic("kdebug_sadb_x_policy: wrong policy struct.\n");
}
return;
}
#ifdef SADB_X_EXT_NAT_T_TYPE
static void
kdebug_sadb_x_nat_t_type(struct sadb_ext *ext)
{
struct sadb_x_nat_t_type *ntt = (struct sadb_x_nat_t_type *)ext;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_x_nat_t_type: NULL pointer was passed.\n");
printf("sadb_x_nat_t_type{ type=%u }\n", ntt->sadb_x_nat_t_type_type);
return;
}
static void
kdebug_sadb_x_nat_t_port(struct sadb_ext *ext)
{
struct sadb_x_nat_t_port *ntp = (struct sadb_x_nat_t_port *)ext;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_x_nat_t_port: NULL pointer was passed.\n");
printf("sadb_x_nat_t_port{ port=%u }\n", ntohs(ntp->sadb_x_nat_t_port_port));
return;
}
#endif
#ifdef _KERNEL
/* %%%: about SPD and SAD */
void
kdebug_secpolicy(sp)
struct secpolicy *sp;
{
/* sanity check */
if (sp == NULL)
panic("kdebug_secpolicy: NULL pointer was passed.\n");
printf("secpolicy{ refcnt=%u state=%u policy=%u\n",
sp->refcnt, sp->state, sp->policy);
kdebug_secpolicyindex(&sp->spidx);
switch (sp->policy) {
case IPSEC_POLICY_DISCARD:
printf(" type=discard }\n");
break;
case IPSEC_POLICY_NONE:
printf(" type=none }\n");
break;
case IPSEC_POLICY_IPSEC:
{
struct ipsecrequest *isr;
for (isr = sp->req; isr != NULL; isr = isr->next) {
printf(" level=%u\n", isr->level);
kdebug_secasindex(&isr->saidx);
if (isr->sav != NULL)
kdebug_secasv(isr->sav);
}
printf(" }\n");
}
break;
case IPSEC_POLICY_BYPASS:
printf(" type=bypass }\n");
break;
case IPSEC_POLICY_ENTRUST:
printf(" type=entrust }\n");
break;
default:
printf("kdebug_secpolicy: Invalid policy found. %d\n",
sp->policy);
break;
}
return;
}
void
kdebug_secpolicyindex(spidx)
struct secpolicyindex *spidx;
{
/* sanity check */
if (spidx == NULL)
panic("kdebug_secpolicyindex: NULL pointer was passed.\n");
printf("secpolicyindex{ dir=%u prefs=%u prefd=%u ul_proto=%u\n",
spidx->dir, spidx->prefs, spidx->prefd, spidx->ul_proto);
ipsec_hexdump((caddr_t)&spidx->src,
sysdep_sa_len((struct sockaddr *)&spidx->src));
printf("\n");
ipsec_hexdump((caddr_t)&spidx->dst,
sysdep_sa_len((struct sockaddr *)&spidx->dst));
printf("}\n");
return;
}
void
kdebug_secasindex(saidx)
struct secasindex *saidx;
{
/* sanity check */
if (saidx == NULL)
panic("kdebug_secpolicyindex: NULL pointer was passed.\n");
printf("secasindex{ mode=%u proto=%u\n",
saidx->mode, saidx->proto);
ipsec_hexdump((caddr_t)&saidx->src,
sysdep_sa_len((struct sockaddr *)&saidx->src));
printf("\n");
ipsec_hexdump((caddr_t)&saidx->dst,
sysdep_sa_len((struct sockaddr *)&saidx->dst));
printf("\n");
return;
}
void
kdebug_secasv(sav)
struct secasvar *sav;
{
/* sanity check */
if (sav == NULL)
panic("kdebug_secasv: NULL pointer was passed.\n");
printf("secas{");
kdebug_secasindex(&sav->sah->saidx);
printf(" refcnt=%u state=%u auth=%u enc=%u\n",
sav->refcnt, sav->state, sav->alg_auth, sav->alg_enc);
printf(" spi=%u flags=%u\n",
(u_int32_t)ntohl(sav->spi), sav->flags);
if (sav->key_auth != NULL)
kdebug_sadb_key((struct sadb_ext *)sav->key_auth);
if (sav->key_enc != NULL)
kdebug_sadb_key((struct sadb_ext *)sav->key_enc);
if (sav->iv != NULL) {
printf(" iv=");
ipsec_hexdump(sav->iv, sav->ivlen ? sav->ivlen : 8);
printf("\n");
}
if (sav->replay != NULL)
kdebug_secreplay(sav->replay);
if (sav->lft_c != NULL)
kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_c);
if (sav->lft_h != NULL)
kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_h);
if (sav->lft_s != NULL)
kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_s);
#if notyet
/* XXX: misc[123] ? */
#endif
return;
}
static void
kdebug_secreplay(rpl)
struct secreplay *rpl;
{
int len, l;
/* sanity check */
if (rpl == NULL)
panic("kdebug_secreplay: NULL pointer was passed.\n");
printf(" secreplay{ count=%u wsize=%u seq=%u lastseq=%u",
rpl->count, rpl->wsize, rpl->seq, rpl->lastseq);
if (rpl->bitmap == NULL) {
printf(" }\n");
return;
}
printf("\n bitmap { ");
for (len = 0; len < rpl->wsize; len++) {
for (l = 7; l >= 0; l--)
printf("%u", (((rpl->bitmap)[len] >> l) & 1) ? 1 : 0);
}
printf(" }\n");
return;
}
void
kdebug_mbufhdr(m)
struct mbuf *m;
{
/* sanity check */
if (m == NULL)
return;
printf("mbuf(%p){ m_next:%p m_nextpkt:%p m_data:%p "
"m_len:%d m_type:0x%02x m_flags:0x%02x }\n",
m, m->m_next, m->m_nextpkt, m->m_data,
m->m_len, m->m_type, m->m_flags);
if (m->m_flags & M_PKTHDR) {
printf(" m_pkthdr{ len:%d rcvif:%p }\n",
m->m_pkthdr.len, m->m_pkthdr.rcvif);
}
#ifdef __FreeBSD__
if (m->m_flags & M_EXT) {
printf(" m_ext{ ext_buf:%p ext_free:%p "
"ext_size:%u ext_ref:%p }\n",
m->m_ext.ext_buf, m->m_ext.ext_free,
m->m_ext.ext_size, m->m_ext.ext_ref);
}
#endif
return;
}
void
kdebug_mbuf(m0)
struct mbuf *m0;
{
struct mbuf *m = m0;
int i, j;
for (j = 0; m; m = m->m_next) {
kdebug_mbufhdr(m);
printf(" m_data:\n");
for (i = 0; i < m->m_len; i++) {
if (i && i % 32 == 0)
printf("\n");
if (i % 4 == 0)
printf(" ");
printf("%02x", mtod(m, u_char *)[i]);
j++;
}
printf("\n");
}
return;
}
#endif /* _KERNEL */
static void
kdebug_sockaddr(addr)
struct sockaddr *addr;
{
struct sockaddr_in *sin4;
#ifdef INET6
struct sockaddr_in6 *sin6;
#endif
/* sanity check */
if (addr == NULL)
panic("kdebug_sockaddr: NULL pointer was passed.\n");
/* NOTE: We deal with port number as host byte order. */
printf("sockaddr{ len=%u family=%u", sysdep_sa_len(addr), addr->sa_family);
switch (addr->sa_family) {
case AF_INET:
sin4 = (struct sockaddr_in *)addr;
printf(" port=%u\n", ntohs(sin4->sin_port));
ipsec_hexdump((caddr_t)&sin4->sin_addr, sizeof(sin4->sin_addr));
break;
#ifdef INET6
case AF_INET6:
sin6 = (struct sockaddr_in6 *)addr;
printf(" port=%u\n", ntohs(sin6->sin6_port));
printf(" flowinfo=0x%08x, scope_id=0x%08x\n",
sin6->sin6_flowinfo, sin6->sin6_scope_id);
ipsec_hexdump((caddr_t)&sin6->sin6_addr,
sizeof(sin6->sin6_addr));
break;
#endif
}
printf(" }\n");
return;
}
void
ipsec_bindump(buf, len)
caddr_t buf;
int len;
{
int i;
for (i = 0; i < len; i++)
printf("%c", (unsigned char)buf[i]);
return;
}
void
ipsec_hexdump(buf, len)
caddr_t buf;
int len;
{
int i;
for (i = 0; i < len; i++) {
if (i != 0 && i % 32 == 0) printf("\n");
if (i % 4 == 0) printf(" ");
printf("%02x", (unsigned char)buf[i]);
}
#if 0
if (i % 32 != 0) printf("\n");
#endif
return;
}

160
crypto/dist/ipsec-tools/src/libipsec/libpfkey.h vendored Normal file
View File

@ -0,0 +1,160 @@
/* $Id: libpfkey.h,v 1.1.1.1 2005/02/12 11:11:31 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _LIBPFKEY_H
#define _LIBPFKEY_H
#ifndef KAME_LIBPFKEY_H
#define KAME_LIBPFKEY_H
#define PRIORITY_LOW 0xC0000000
#define PRIORITY_DEFAULT 0x80000000
#define PRIORITY_HIGH 0x40000000
#define PRIORITY_OFFSET_POSITIVE_MAX 0x3fffffff
#define PRIORITY_OFFSET_NEGATIVE_MAX 0x40000000
struct sadb_msg;
extern void pfkey_sadump __P((struct sadb_msg *));
extern void pfkey_spdump __P((struct sadb_msg *));
struct sockaddr;
struct sadb_alg;
/* IPsec Library Routines */
int ipsec_check_keylen __P((u_int, u_int, u_int));
int ipsec_check_keylen2 __P((u_int, u_int, u_int));
int ipsec_get_keylen __P((u_int, u_int, struct sadb_alg *));
char *ipsec_dump_policy __P((caddr_t policy, char *delimiter));
void ipsec_hexdump __P((caddr_t buf, int len));
int ipsec_get_policylen __P((caddr_t policy));
caddr_t ipsec_set_policy __P((char *msg, int msglen));
const char *ipsec_strerror __P((void));
void kdebug_sadb __P((struct sadb_msg *base));
/* PFKey Routines */
u_int pfkey_set_softrate __P((u_int, u_int));
u_int pfkey_get_softrate __P((u_int));
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_update_nat __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t,
u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t));
int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_add_nat __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t,
u_int8_t, u_int16_t, u_int16_t, struct sockaddr *, u_int16_t));
int pfkey_send_delete __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_delete_all __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *));
int pfkey_send_get __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_register __P((int, u_int));
int pfkey_recv_register __P((int));
int pfkey_set_supported __P((struct sadb_msg *, int));
int pfkey_send_flush __P((int, u_int));
int pfkey_send_dump __P((int, u_int));
int pfkey_send_promisc_toggle __P((int, int));
int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdadd2 __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
caddr_t, int, u_int32_t));
int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdupdate2 __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
caddr_t, int, u_int32_t));
int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spddelete2 __P((int, u_int32_t));
int pfkey_send_spdget __P((int, u_int32_t));
int pfkey_send_spdsetidx __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdflush __P((int));
int pfkey_send_spddump __P((int));
int pfkey_open __P((void));
void pfkey_close __P((int));
struct sadb_msg *pfkey_recv __P((int));
int pfkey_send __P((int, struct sadb_msg *, int));
int pfkey_align __P((struct sadb_msg *, caddr_t *));
int pfkey_check __P((caddr_t *));
#ifndef __SYSDEP_SA_LEN__
#define __SYSDEP_SA_LEN__
#include <netinet/in.h>
#ifndef IPPROTO_IPV4
#define IPPROTO_IPV4 IPPROTO_IPIP
#endif
#ifndef IPPROTO_IPCOMP
#define IPPROTO_IPCOMP IPPROTO_COMP
#endif
static inline u_int8_t
sysdep_sa_len (const struct sockaddr *sa)
{
#ifdef __linux__
switch (sa->sa_family)
{
case AF_INET:
return sizeof (struct sockaddr_in);
case AF_INET6:
return sizeof (struct sockaddr_in6);
}
// log_print ("sysdep_sa_len: unknown sa family %d", sa->sa_family);
return sizeof (struct sockaddr_in);
#else
return sa->sa_len;
#endif
}
#endif
#endif /* KAME_LIBPFKEY_H */
#endif /* _LIBPFKEY_H */

2371
crypto/dist/ipsec-tools/src/libipsec/pfkey.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

694
crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c vendored Normal file
View File

@ -0,0 +1,694 @@
/* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
# include <netinet/ipsec.h>
#endif
#include <net/pfkeyv2.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <netdb.h>
#include "ipsec_strerror.h"
#include "libpfkey.h"
/* cope with old kame headers - ugly */
#ifndef SADB_X_AALG_MD5
#define SADB_X_AALG_MD5 SADB_AALG_MD5
#endif
#ifndef SADB_X_AALG_SHA
#define SADB_X_AALG_SHA SADB_AALG_SHA
#endif
#ifndef SADB_X_AALG_NULL
#define SADB_X_AALG_NULL SADB_AALG_NULL
#endif
#ifndef SADB_X_EALG_BLOWFISHCBC
#define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC
#endif
#ifndef SADB_X_EALG_CAST128CBC
#define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC
#endif
#ifndef SADB_X_EALG_RC5CBC
#ifdef SADB_EALG_RC5CBC
#define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
#endif
#endif
#define GETMSGSTR(str, num) \
do { \
if (sizeof((str)[0]) == 0 \
|| num >= sizeof(str)/sizeof((str)[0])) \
printf("%u ", (num)); \
else if (strlen((str)[(num)]) == 0) \
printf("%u ", (num)); \
else \
printf("%s ", (str)[(num)]); \
} while (0)
#define GETMSGV2S(v2s, num) \
do { \
struct val2str *p; \
for (p = (v2s); p && p->str; p++) { \
if (p->val == (num)) \
break; \
} \
if (p && p->str) \
printf("%s ", p->str); \
else \
printf("%u ", (num)); \
} while (0)
static char *str_ipaddr __P((struct sockaddr *));
static char *str_prefport __P((u_int, u_int, u_int, u_int));
static void str_upperspec __P((u_int, u_int, u_int));
static char *str_time __P((time_t));
static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
struct val2str {
int val;
const char *str;
};
/*
* Must to be re-written about following strings.
*/
static char *str_satype[] = {
"unspec",
"unknown",
"ah",
"esp",
"unknown",
"rsvp",
"ospfv2",
"ripv2",
"mip",
"ipcomp",
};
static char *str_mode[] = {
"any",
"transport",
"tunnel",
};
static char *str_state[] = {
"larval",
"mature",
"dying",
"dead",
};
static struct val2str str_alg_auth[] = {
{ SADB_AALG_NONE, "none", },
{ SADB_AALG_MD5HMAC, "hmac-md5", },
{ SADB_AALG_SHA1HMAC, "hmac-sha1", },
{ SADB_X_AALG_MD5, "md5", },
{ SADB_X_AALG_SHA, "sha", },
{ SADB_X_AALG_NULL, "null", },
#ifdef SADB_X_AALG_SHA2_256
{ SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
#endif
#ifdef SADB_X_AALG_SHA2_384
{ SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
#endif
#ifdef SADB_X_AALG_SHA2_512
{ SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
#endif
#ifdef SADB_X_AALG_RIPEMD160HMAC
{ SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", },
#endif
#ifdef SADB_X_AALG_AES_XCBC_MAC
{ SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", },
#endif
{ -1, NULL, },
};
static struct val2str str_alg_enc[] = {
{ SADB_EALG_NONE, "none", },
{ SADB_EALG_DESCBC, "des-cbc", },
{ SADB_EALG_3DESCBC, "3des-cbc", },
{ SADB_EALG_NULL, "null", },
#ifdef SADB_X_EALG_RC5CBC
{ SADB_X_EALG_RC5CBC, "rc5-cbc", },
#endif
{ SADB_X_EALG_CAST128CBC, "cast128-cbc", },
{ SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", },
#ifdef SADB_X_EALG_AESCBC
{ SADB_X_EALG_AESCBC, "aes-cbc", },
#endif
#ifdef SADB_X_EALG_TWOFISHCBC
{ SADB_X_EALG_TWOFISHCBC, "twofish-cbc", },
#endif
#ifdef SADB_X_EALG_AESCTR
{ SADB_X_EALG_AESCTR, "aes-ctr", },
#endif
{ -1, NULL, },
};
static struct val2str str_alg_comp[] = {
{ SADB_X_CALG_NONE, "none", },
{ SADB_X_CALG_OUI, "oui", },
{ SADB_X_CALG_DEFLATE, "deflate", },
{ SADB_X_CALG_LZS, "lzs", },
{ -1, NULL, },
};
/*
* dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
*/
void
pfkey_sadump(m)
struct sadb_msg *m;
{
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_sa *m_sa;
struct sadb_x_sa2 *m_sa2;
struct sadb_lifetime *m_lftc, *m_lfth, *m_lfts;
struct sadb_address *m_saddr, *m_daddr, *m_paddr;
struct sadb_key *m_auth, *m_enc;
struct sadb_ident *m_sid, *m_did;
struct sadb_sens *m_sens;
#ifdef SADB_X_EXT_NAT_T_TYPE
struct sadb_x_nat_t_type *natt_type;
struct sadb_x_nat_t_port *natt_sport, *natt_dport;
struct sadb_address *natt_oa;
int use_natt = 0;
#endif
/* check pfkey message. */
if (pfkey_align(m, mhp)) {
printf("%s\n", ipsec_strerror());
return;
}
if (pfkey_check(mhp)) {
printf("%s\n", ipsec_strerror());
return;
}
m_sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
m_sa2 = (struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2];
m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
m_lfts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
m_paddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_PROXY];
m_auth = (struct sadb_key *)mhp[SADB_EXT_KEY_AUTH];
m_enc = (struct sadb_key *)mhp[SADB_EXT_KEY_ENCRYPT];
m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
#ifdef SADB_X_EXT_NAT_T_TYPE
natt_type = (struct sadb_x_nat_t_type *)mhp[SADB_X_EXT_NAT_T_TYPE];
natt_sport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_SPORT];
natt_dport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_DPORT];
natt_oa = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OA];
if (natt_type && natt_type->sadb_x_nat_t_type_type)
use_natt = 1;
#endif
/* source address */
if (m_saddr == NULL) {
printf("no ADDRESS_SRC extension.\n");
return;
}
printf("%s", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
#ifdef SADB_X_EXT_NAT_T_TYPE
if (use_natt && natt_sport)
printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port));
#endif
printf(" ");
/* destination address */
if (m_daddr == NULL) {
printf(" no ADDRESS_DST extension.\n");
return;
}
printf("%s", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
#ifdef SADB_X_EXT_NAT_T_TYPE
if (use_natt && natt_dport)
printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port));
#endif
printf(" ");
/* SA type */
if (m_sa == NULL) {
printf("no SA extension.\n");
return;
}
if (m_sa2 == NULL) {
printf("no SA2 extension.\n");
return;
}
printf("\n\t");
#ifdef SADB_X_EXT_NAT_T_TYPE
if (use_natt && m->sadb_msg_satype == SADB_SATYPE_ESP)
printf("esp-udp ");
else if (use_natt)
printf("natt+");
if (!use_natt || m->sadb_msg_satype != SADB_SATYPE_ESP)
#endif
GETMSGSTR(str_satype, m->sadb_msg_satype);
printf("mode=");
GETMSGSTR(str_mode, m_sa2->sadb_x_sa2_mode);
printf("spi=%u(0x%08x) reqid=%u(0x%08x)\n",
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
(u_int32_t)ntohl(m_sa->sadb_sa_spi),
(u_int32_t)m_sa2->sadb_x_sa2_reqid,
(u_int32_t)m_sa2->sadb_x_sa2_reqid);
#ifdef SADB_X_EXT_NAT_T_TYPE
/* other NAT-T information */
if (use_natt && natt_oa)
printf("\tNAT OA=%s\n",
str_ipaddr((struct sockaddr *)(natt_oa + 1)));
#endif
/* encryption key */
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
printf("\tC: ");
GETMSGV2S(str_alg_comp, m_sa->sadb_sa_encrypt);
} else if (m->sadb_msg_satype == SADB_SATYPE_ESP) {
if (m_enc != NULL) {
printf("\tE: ");
GETMSGV2S(str_alg_enc, m_sa->sadb_sa_encrypt);
ipsec_hexdump((caddr_t)m_enc + sizeof(*m_enc),
m_enc->sadb_key_bits / 8);
printf("\n");
}
}
/* authentication key */
if (m_auth != NULL) {
printf("\tA: ");
GETMSGV2S(str_alg_auth, m_sa->sadb_sa_auth);
ipsec_hexdump((caddr_t)m_auth + sizeof(*m_auth),
m_auth->sadb_key_bits / 8);
printf("\n");
}
/* replay windoe size & flags */
printf("\tseq=0x%08x replay=%u flags=0x%08x ",
m_sa2->sadb_x_sa2_sequence,
m_sa->sadb_sa_replay,
m_sa->sadb_sa_flags);
/* state */
printf("state=");
GETMSGSTR(str_state, m_sa->sadb_sa_state);
printf("\n");
/* lifetime */
if (m_lftc != NULL) {
time_t tmp_time = time(0);
printf("\tcreated: %s",
str_time(m_lftc->sadb_lifetime_addtime));
printf("\tcurrent: %s\n", str_time(tmp_time));
printf("\tdiff: %lu(s)",
(u_long)(m_lftc->sadb_lifetime_addtime == 0 ?
0 : (tmp_time - m_lftc->sadb_lifetime_addtime)));
printf("\thard: %lu(s)",
(u_long)(m_lfth == NULL ?
0 : m_lfth->sadb_lifetime_addtime));
printf("\tsoft: %lu(s)\n",
(u_long)(m_lfts == NULL ?
0 : m_lfts->sadb_lifetime_addtime));
printf("\tlast: %s",
str_time(m_lftc->sadb_lifetime_usetime));
printf("\thard: %lu(s)",
(u_long)(m_lfth == NULL ?
0 : m_lfth->sadb_lifetime_usetime));
printf("\tsoft: %lu(s)\n",
(u_long)(m_lfts == NULL ?
0 : m_lfts->sadb_lifetime_usetime));
str_lifetime_byte(m_lftc, "current");
str_lifetime_byte(m_lfth, "hard");
str_lifetime_byte(m_lfts, "soft");
printf("\n");
printf("\tallocated: %lu",
(unsigned long)m_lftc->sadb_lifetime_allocations);
printf("\thard: %lu",
(u_long)(m_lfth == NULL ?
0 : m_lfth->sadb_lifetime_allocations));
printf("\tsoft: %lu\n",
(u_long)(m_lfts == NULL ?
0 : m_lfts->sadb_lifetime_allocations));
}
printf("\tsadb_seq=%lu pid=%lu ",
(u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid);
/* XXX DEBUG */
printf("refcnt=%u\n", m->sadb_msg_reserved);
return;
}
void
pfkey_spdump(m)
struct sadb_msg *m;
{
char pbuf[NI_MAXSERV];
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_address *m_saddr, *m_daddr;
#ifdef SADB_X_EXT_TAG
struct sadb_x_tag *m_tag;
#endif
struct sadb_x_policy *m_xpl;
struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL;
struct sockaddr *sa;
u_int16_t sport = 0, dport = 0;
/* check pfkey message. */
if (pfkey_align(m, mhp)) {
printf("%s\n", ipsec_strerror());
return;
}
if (pfkey_check(mhp)) {
printf("%s\n", ipsec_strerror());
return;
}
m_saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
m_daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
#ifdef SADB_X_EXT_TAG
m_tag = (struct sadb_x_tag *)mhp[SADB_X_EXT_TAG];
#endif
m_xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
m_lftc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
m_lfth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
#ifdef __linux__
/* *bsd indicates per-socket policies by omiting src and dst
* extensions. Linux always includes them, but we can catch it
* by checkin for policy id.
*/
if (m_xpl->sadb_x_policy_id % 8 >= 3) {
printf("(per-socket policy) ");
} else
#endif
if (m_saddr && m_daddr) {
/* source address */
sa = (struct sockaddr *)(m_saddr + 1);
switch (sa->sa_family) {
case AF_INET:
case AF_INET6:
if (getnameinfo(sa, sysdep_sa_len(sa), NULL, 0,
pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
sport = 0; /*XXX*/
else
sport = atoi(pbuf);
printf("%s%s ", str_ipaddr(sa),
str_prefport(sa->sa_family,
m_saddr->sadb_address_prefixlen, sport,
m_saddr->sadb_address_proto));
break;
default:
printf("unknown-af ");
break;
}
/* destination address */
sa = (struct sockaddr *)(m_daddr + 1);
switch (sa->sa_family) {
case AF_INET:
case AF_INET6:
if (getnameinfo(sa, sysdep_sa_len(sa), NULL, 0,
pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
dport = 0; /*XXX*/
else
dport = atoi(pbuf);
printf("%s%s ", str_ipaddr(sa),
str_prefport(sa->sa_family,
m_daddr->sadb_address_prefixlen, dport,
m_saddr->sadb_address_proto));
break;
default:
printf("unknown-af ");
break;
}
/* upper layer protocol */
if (m_saddr->sadb_address_proto !=
m_daddr->sadb_address_proto) {
printf("upper layer protocol mismatched.\n");
return;
}
str_upperspec(m_saddr->sadb_address_proto, sport, dport);
}
#ifdef SADB_X_EXT_TAG
else if (m_tag)
printf("tagged \"%s\" ", m_tag->sadb_x_tag_name);
#endif
else
printf("(no selector, probably per-socket policy) ");
/* policy */
{
char *d_xpl;
if (m_xpl == NULL) {
printf("no X_POLICY extension.\n");
return;
}
d_xpl = ipsec_dump_policy((char *)m_xpl, "\n\t");
if (!d_xpl)
printf("\n\tPolicy:[%s]\n", ipsec_strerror());
else {
/* dump SPD */
printf("\n\t%s\n", d_xpl);
free(d_xpl);
}
}
/* lifetime */
if (m_lftc) {
printf("\tcreated: %s ",
str_time(m_lftc->sadb_lifetime_addtime));
printf("lastused: %s\n",
str_time(m_lftc->sadb_lifetime_usetime));
}
if (m_lfth) {
printf("\tlifetime: %lu(s) ",
(u_long)m_lfth->sadb_lifetime_addtime);
printf("validtime: %lu(s)\n",
(u_long)m_lfth->sadb_lifetime_usetime);
}
printf("\tspid=%ld seq=%ld pid=%ld\n",
(u_long)m_xpl->sadb_x_policy_id,
(u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid);
/* XXX TEST */
printf("\trefcnt=%u\n", m->sadb_msg_reserved);
return;
}
/*
* set "ipaddress" to buffer.
*/
static char *
str_ipaddr(sa)
struct sockaddr *sa;
{
static char buf[NI_MAXHOST];
const int niflag = NI_NUMERICHOST;
if (sa == NULL)
return "";
if (getnameinfo(sa, sysdep_sa_len(sa), buf, sizeof(buf), NULL, 0, niflag) == 0)
return buf;
return NULL;
}
/*
* set "/prefix[port number]" to buffer.
*/
static char *
str_prefport(family, pref, port, ulp)
u_int family, pref, port, ulp;
{
static char buf[128];
char prefbuf[128];
char portbuf[128];
int plen;
switch (family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
case AF_INET6:
plen = sizeof(struct in6_addr) << 3;
break;
default:
return "?";
}
if (pref == plen)
prefbuf[0] = '\0';
else
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
if (ulp == IPPROTO_ICMPV6)
memset(portbuf, 0, sizeof(portbuf));
else {
if (port == IPSEC_PORT_ANY)
snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
else
snprintf(portbuf, sizeof(portbuf), "[%u]", port);
}
snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
return buf;
}
static void
str_upperspec(ulp, p1, p2)
u_int ulp, p1, p2;
{
if (ulp == IPSEC_ULPROTO_ANY)
printf("any");
else if (ulp == IPPROTO_ICMPV6) {
printf("icmp6");
if (!(p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY))
printf(" %u,%u", p1, p2);
} else {
struct protoent *ent;
switch (ulp) {
case IPPROTO_IPV4:
printf("ip4");
break;
default:
ent = getprotobynumber(ulp);
if (ent)
printf("%s", ent->p_name);
else
printf("%u", ulp);
endprotoent();
break;
}
}
}
/*
* set "Mon Day Time Year" to buffer
*/
static char *
str_time(t)
time_t t;
{
static char buf[128];
if (t == 0) {
int i = 0;
for (;i < 20;) buf[i++] = ' ';
} else {
char *t0;
t0 = ctime(&t);
memcpy(buf, t0 + 4, 20);
}
buf[20] = '\0';
return(buf);
}
static void
str_lifetime_byte(x, str)
struct sadb_lifetime *x;
char *str;
{
double y;
char *unit;
int w;
if (x == NULL) {
printf("\t%s: 0(bytes)", str);
return;
}
#if 0
if ((x->sadb_lifetime_bytes) / 1024 / 1024) {
y = (x->sadb_lifetime_bytes) * 1.0 / 1024 / 1024;
unit = "M";
w = 1;
} else if ((x->sadb_lifetime_bytes) / 1024) {
y = (x->sadb_lifetime_bytes) * 1.0 / 1024;
unit = "K";
w = 1;
} else {
y = (x->sadb_lifetime_bytes) * 1.0;
unit = "";
w = 0;
}
#else
y = (x->sadb_lifetime_bytes) * 1.0;
unit = "";
w = 0;
#endif
printf("\t%s: %.*f(%sbytes)", str, w, y, unit);
}

614
crypto/dist/ipsec-tools/src/libipsec/policy_parse.y vendored Normal file
View File

@ -0,0 +1,614 @@
/* $KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* IN/OUT bound policy configuration take place such below:
* in <priority> <policy>
* out <priority> <policy>
*
* <priority> is one of the following:
* priority <signed int> where the integer is an offset from the default
* priority, where negative numbers indicate lower
* priority (towards end of list) and positive numbers
* indicate higher priority (towards beginning of list)
*
* priority {low,def,high} {+,-} <unsigned int> where low and high are
* constants which are closer
* to the end of the list and
* beginning of the list,
* respectively
*
* <policy> is one of following:
* "discard", "none", "ipsec <requests>", "entrust", "bypass",
*
* The following requests are accepted as <requests>:
*
* protocol/mode/src-dst/level
* protocol/mode/src-dst parsed as protocol/mode/src-dst/default
* protocol/mode/src-dst/ parsed as protocol/mode/src-dst/default
* protocol/transport parsed as protocol/mode/any-any/default
* protocol/transport//level parsed as protocol/mode/any-any/level
*
* You can concatenate these requests with either ' '(single space) or '\n'.
*/
%{
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
# include <netinet/ipsec.h>
#endif
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#include "config.h"
#include "ipsec_strerror.h"
#include "libpfkey.h"
#ifndef INT32_MAX
#define INT32_MAX (0xffffffff)
#endif
#ifndef INT32_MIN
#define INT32_MIN (-INT32_MAX-1)
#endif
#define ATOX(c) \
(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
static u_int8_t *pbuf = NULL; /* sadb_x_policy buffer */
static int tlen = 0; /* total length of pbuf */
static int offset = 0; /* offset of pbuf */
static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
static u_int32_t p_priority = 0;
static long p_priority_offset = 0;
static struct sockaddr *p_src = NULL;
static struct sockaddr *p_dst = NULL;
struct _val;
extern void yyerror __P((char *msg));
static struct sockaddr *parse_sockaddr __P((struct _val *buf));
static int rule_check __P((void));
static int init_x_policy __P((void));
static int set_x_request __P((struct sockaddr *src, struct sockaddr *dst));
static int set_sockaddr __P((struct sockaddr *addr));
static void policy_parse_request_init __P((void));
static caddr_t policy_parse __P((char *msg, int msglen));
extern void __policy__strbuffer__init__ __P((char *msg));
extern void __policy__strbuffer__free__ __P((void));
extern int yyparse __P((void));
extern int yylex __P((void));
extern char *__libipsectext; /*XXX*/
%}
%union {
u_int num;
u_int32_t num32;
struct _val {
int len;
char *buf;
} val;
}
%token DIR
%token PRIORITY PLUS
%token <num32> PRIO_BASE
%token <val> PRIO_OFFSET
%token ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY IPADDRESS
%token ME ANY
%token SLASH HYPHEN
%type <num> DIR PRIORITY ACTION PROTOCOL MODE LEVEL
%type <val> IPADDRESS LEVEL_SPECIFY
%%
policy_spec
: DIR ACTION
{
p_dir = $1;
p_type = $2;
#ifdef HAVE_PFKEY_POLICY_PRIORITY
p_priority = PRIORITY_DEFAULT;
#else
p_priority = 0;
#endif
if (init_x_policy())
return -1;
}
rules
| DIR PRIORITY PRIO_OFFSET ACTION
{
char *offset_buf;
p_dir = $1;
p_type = $4;
/* buffer big enough to hold a prepended negative sign */
offset_buf = malloc($3.len + 2);
if (offset_buf == NULL)
{
__ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
/* positive input value means higher priority, therefore lower
actual value so that is closer to the beginning of the list */
sprintf (offset_buf, "-%s", $3.buf);
errno = 0;
p_priority_offset = atol(offset_buf);
free(offset_buf);
if (errno != 0 || p_priority_offset < INT32_MIN)
{
__ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET;
return -1;
}
p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset;
if (init_x_policy())
return -1;
}
rules
| DIR PRIORITY HYPHEN PRIO_OFFSET ACTION
{
p_dir = $1;
p_type = $5;
errno = 0;
p_priority_offset = atol($4.buf);
if (errno != 0 || p_priority_offset > INT32_MAX)
{
__ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET;
return -1;
}
/* negative input value means lower priority, therefore higher
actual value so that is closer to the end of the list */
p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset;
if (init_x_policy())
return -1;
}
rules
| DIR PRIORITY PRIO_BASE ACTION
{
p_dir = $1;
p_type = $4;
p_priority = $3;
if (init_x_policy())
return -1;
}
rules
| DIR PRIORITY PRIO_BASE PLUS PRIO_OFFSET ACTION
{
p_dir = $1;
p_type = $6;
errno = 0;
p_priority_offset = atol($5.buf);
if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_NEGATIVE_MAX)
{
__ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET;
return -1;
}
/* adding value means higher priority, therefore lower
actual value so that is closer to the beginning of the list */
p_priority = $3 - (u_int32_t) p_priority_offset;
if (init_x_policy())
return -1;
}
rules
| DIR PRIORITY PRIO_BASE HYPHEN PRIO_OFFSET ACTION
{
p_dir = $1;
p_type = $6;
errno = 0;
p_priority_offset = atol($5.buf);
if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_POSITIVE_MAX)
{
__ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET;
return -1;
}
/* subtracting value means lower priority, therefore higher
actual value so that is closer to the end of the list */
p_priority = $3 + (u_int32_t) p_priority_offset;
if (init_x_policy())
return -1;
}
rules
| DIR
{
p_dir = $1;
p_type = 0; /* ignored it by kernel */
p_priority = 0;
if (init_x_policy())
return -1;
}
;
rules
: /*NOTHING*/
| rules rule {
if (rule_check() < 0)
return -1;
if (set_x_request(p_src, p_dst) < 0)
return -1;
policy_parse_request_init();
}
;
rule
: protocol SLASH mode SLASH addresses SLASH level
| protocol SLASH mode SLASH addresses SLASH
| protocol SLASH mode SLASH addresses
| protocol SLASH mode SLASH
| protocol SLASH mode SLASH SLASH level
| protocol SLASH mode
| protocol SLASH {
__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
return -1;
}
| protocol {
__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
return -1;
}
;
protocol
: PROTOCOL { p_protocol = $1; }
;
mode
: MODE { p_mode = $1; }
;
level
: LEVEL {
p_level = $1;
p_reqid = 0;
}
| LEVEL_SPECIFY {
p_level = IPSEC_LEVEL_UNIQUE;
p_reqid = atol($1.buf); /* atol() is good. */
}
;
addresses
: IPADDRESS {
p_src = parse_sockaddr(&$1);
if (p_src == NULL)
return -1;
}
HYPHEN
IPADDRESS {
p_dst = parse_sockaddr(&$4);
if (p_dst == NULL)
return -1;
}
| ME HYPHEN ANY {
if (p_dir != IPSEC_DIR_OUTBOUND) {
__ipsec_errcode = EIPSEC_INVAL_DIR;
return -1;
}
}
| ANY HYPHEN ME {
if (p_dir != IPSEC_DIR_INBOUND) {
__ipsec_errcode = EIPSEC_INVAL_DIR;
return -1;
}
}
/*
| ME HYPHEN ME
*/
;
%%
void
yyerror(msg)
char *msg;
{
fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
msg, __libipsectext);
return;
}
static struct sockaddr *
parse_sockaddr(buf)
struct _val *buf;
{
struct addrinfo hints, *res;
char *serv = NULL;
int error;
struct sockaddr *newaddr = NULL;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_flags = AI_NUMERICHOST;
error = getaddrinfo(buf->buf, serv, &hints, &res);
if (error != 0) {
yyerror("invalid IP address");
__ipsec_set_strerror(gai_strerror(error));
return NULL;
}
if (res->ai_addr == NULL) {
yyerror("invalid IP address");
__ipsec_set_strerror(gai_strerror(error));
return NULL;
}
newaddr = malloc(res->ai_addrlen);
if (newaddr == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
freeaddrinfo(res);
return NULL;
}
memcpy(newaddr, res->ai_addr, res->ai_addrlen);
freeaddrinfo(res);
__ipsec_errcode = EIPSEC_NO_ERROR;
return newaddr;
}
static int
rule_check()
{
if (p_type == IPSEC_POLICY_IPSEC) {
if (p_protocol == IPPROTO_IP) {
__ipsec_errcode = EIPSEC_NO_PROTO;
return -1;
}
if (p_mode != IPSEC_MODE_TRANSPORT
&& p_mode != IPSEC_MODE_TUNNEL) {
__ipsec_errcode = EIPSEC_INVAL_MODE;
return -1;
}
if (p_src == NULL && p_dst == NULL) {
if (p_mode != IPSEC_MODE_TRANSPORT) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return -1;
}
}
else if (p_src->sa_family != p_dst->sa_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static int
init_x_policy()
{
struct sadb_x_policy *p;
if (pbuf) {
free(pbuf);
tlen = 0;
}
pbuf = malloc(sizeof(struct sadb_x_policy));
if (pbuf == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
tlen = sizeof(struct sadb_x_policy);
memset(pbuf, 0, tlen);
p = (struct sadb_x_policy *)pbuf;
p->sadb_x_policy_len = 0; /* must update later */
p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
p->sadb_x_policy_type = p_type;
p->sadb_x_policy_dir = p_dir;
p->sadb_x_policy_id = 0;
#ifdef HAVE_PFKEY_POLICY_PRIORITY
p->sadb_x_policy_priority = p_priority;
#else
/* fail if given a priority and libipsec was not compiled with
priority support */
if (p_priority != 0)
{
__ipsec_errcode = EIPSEC_PRIORITY_NOT_COMPILED;
return -1;
}
#endif
offset = tlen;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static int
set_x_request(src, dst)
struct sockaddr *src, *dst;
{
struct sadb_x_ipsecrequest *p;
int reqlen;
caddr_t n;
reqlen = sizeof(*p)
+ (src ? sysdep_sa_len(src) : 0)
+ (dst ? sysdep_sa_len(dst) : 0);
tlen += reqlen; /* increment to total length */
n = realloc(pbuf, tlen);
if (n == NULL) {
__ipsec_errcode = EIPSEC_NO_BUFS;
return -1;
}
pbuf = n;
p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
p->sadb_x_ipsecrequest_len = reqlen;
p->sadb_x_ipsecrequest_proto = p_protocol;
p->sadb_x_ipsecrequest_mode = p_mode;
p->sadb_x_ipsecrequest_level = p_level;
p->sadb_x_ipsecrequest_reqid = p_reqid;
offset += sizeof(*p);
if (set_sockaddr(src) || set_sockaddr(dst))
return -1;
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static int
set_sockaddr(addr)
struct sockaddr *addr;
{
if (addr == NULL) {
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
/* tlen has already incremented */
memcpy(&pbuf[offset], addr, sysdep_sa_len(addr));
offset += sysdep_sa_len(addr);
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
static void
policy_parse_request_init()
{
p_protocol = IPPROTO_IP;
p_mode = IPSEC_MODE_ANY;
p_level = IPSEC_LEVEL_DEFAULT;
p_reqid = 0;
if (p_src != NULL) {
free(p_src);
p_src = NULL;
}
if (p_dst != NULL) {
free(p_dst);
p_dst = NULL;
}
return;
}
static caddr_t
policy_parse(msg, msglen)
char *msg;
int msglen;
{
int error;
pbuf = NULL;
tlen = 0;
/* initialize */
p_dir = IPSEC_DIR_INVALID;
p_type = IPSEC_POLICY_DISCARD;
policy_parse_request_init();
__policy__strbuffer__init__(msg);
error = yyparse(); /* it must be set errcode. */
__policy__strbuffer__free__();
if (error) {
if (pbuf != NULL)
free(pbuf);
return NULL;
}
/* update total length */
((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
__ipsec_errcode = EIPSEC_NO_ERROR;
return pbuf;
}
caddr_t
ipsec_set_policy(msg, msglen)
char *msg;
int msglen;
{
caddr_t policy;
policy = policy_parse(msg, msglen);
if (policy == NULL) {
if (__ipsec_errcode == EIPSEC_NO_ERROR)
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return NULL;
}
__ipsec_errcode = EIPSEC_NO_ERROR;
return policy;
}

185
crypto/dist/ipsec-tools/src/libipsec/policy_token.l vendored Normal file
View File

@ -0,0 +1,185 @@
/* $Id: policy_token.l,v 1.1.1.1 2005/02/12 11:11:36 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
%{
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <net/pfkeyv2.h>
#include <netinet/in.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
# include <netinet/ipsec.h>
#endif
#include <stdlib.h>
#include <limits.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include "libpfkey.h"
#if !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__linux__)
#include "y.tab.h"
#else
#include "policy_parse.h"
#endif
#define yylval __libipseclval /* XXX */
int yylex __P((void));
%}
%option noyywrap
%option nounput
/* common section */
nl \n
ws [ \t]+
digit [0-9]
hexdigit [0-9A-Fa-f]
special [()+\|\?\*,]
dot \.
comma \,
hyphen \-
colon \:
slash \/
bcl \{
ecl \}
blcl \[
elcl \]
percent \%
semi \;
plus \+
usec {dot}{digit}{1,6}
comment \#.*
ccomment "/*"
bracketstring \<[^>]*\>
quotedstring \"[^"]*\"
decstring {digit}+
hexpair {hexdigit}{hexdigit}
hexstring 0[xX]{hexdigit}+
octetstring {octet}({dot}{octet})+
ipaddress [a-zA-Z0-9:\._][a-zA-Z0-9:\._]*(%[a-zA-Z0-9]+)?
%%
in { yylval.num = IPSEC_DIR_INBOUND; return(DIR); }
out { yylval.num = IPSEC_DIR_OUTBOUND; return(DIR); }
fwd {
#ifdef HAVE_POLICY_FWD
yylval.num = IPSEC_DIR_FWD; return(DIR);
#else
yylval.num = IPSEC_DIR_INBOUND; return(DIR);
#endif
}
priority { return(PRIORITY); }
prio { return(PRIORITY); }
low { yylval.num32 = PRIORITY_LOW; return(PRIO_BASE); }
def { yylval.num32 = PRIORITY_DEFAULT; return(PRIO_BASE); }
high { yylval.num32 = PRIORITY_HIGH; return(PRIO_BASE); }
{plus} { return(PLUS); }
{decstring} {
yylval.val.len = strlen(yytext);
yylval.val.buf = yytext;
return(PRIO_OFFSET);
}
discard { yylval.num = IPSEC_POLICY_DISCARD; return(ACTION); }
none { yylval.num = IPSEC_POLICY_NONE; return(ACTION); }
ipsec { yylval.num = IPSEC_POLICY_IPSEC; return(ACTION); }
bypass { yylval.num = IPSEC_POLICY_BYPASS; return(ACTION); }
entrust { yylval.num = IPSEC_POLICY_ENTRUST; return(ACTION); }
esp { yylval.num = IPPROTO_ESP; return(PROTOCOL); }
ah { yylval.num = IPPROTO_AH; return(PROTOCOL); }
ipcomp { yylval.num = IPPROTO_IPCOMP; return(PROTOCOL); }
transport { yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
me { return(ME); }
any { return(ANY); }
default { yylval.num = IPSEC_LEVEL_DEFAULT; return(LEVEL); }
use { yylval.num = IPSEC_LEVEL_USE; return(LEVEL); }
require { yylval.num = IPSEC_LEVEL_REQUIRE; return(LEVEL); }
unique{colon}{decstring} {
yylval.val.len = strlen(yytext + 7);
yylval.val.buf = yytext + 7;
return(LEVEL_SPECIFY);
}
unique { yylval.num = IPSEC_LEVEL_UNIQUE; return(LEVEL); }
{slash} { return(SLASH); }
{ipaddress} {
yylval.val.len = strlen(yytext);
yylval.val.buf = yytext;
return(IPADDRESS);
}
{hyphen} { return(HYPHEN); }
{ws} { ; }
{nl} { ; }
%%
void __policy__strbuffer__init__ __P((char *));
void __policy__strbuffer__free__ __P((void));
static YY_BUFFER_STATE strbuffer;
void
__policy__strbuffer__init__(msg)
char *msg;
{
if (YY_CURRENT_BUFFER)
yy_delete_buffer(YY_CURRENT_BUFFER);
strbuffer = (YY_BUFFER_STATE)yy_scan_string(msg);
yy_switch_to_buffer(strbuffer);
return;
}
void
__policy__strbuffer__free__()
{
yy_delete_buffer(strbuffer);
return;
}

176
crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c vendored Normal file
View File

@ -0,0 +1,176 @@
/* $KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/pfkeyv2.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
# include <netinet/ipsec.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <err.h>
#include "libpfkey.h"
struct req_t {
int result; /* expected result; 0:ok 1:ng */
int dump_result; /* dumped result expected to match original: 1:yes 0:no */
char *str;
u_int32_t expected_priority;
} reqs[] = {
#ifdef HAVE_PFKEY_POLICY_PRIORITY
{ 0, 0, "out ipsec esp/transport//require", PRIORITY_DEFAULT },
{ 0, 0, "out prio -1 ipsec esp/transport//require", PRIORITY_DEFAULT + 1 },
{ 0, 0, "out priority 2147483648 ipsec esp/transport//require", 0 },
{ 0, 1, "in prio def ipsec esp/transport//require", PRIORITY_DEFAULT },
{ 0, 1, "in prio low ipsec esp/transport//require", PRIORITY_LOW },
{ 0, 1, "in prio high ipsec esp/transport//require", PRIORITY_HIGH },
{ 0, 1, "in prio def + 1 ipsec esp/transport//require", PRIORITY_DEFAULT - 1 },
{ 0, 1, "in prio def - 1 ipsec esp/transport//require", PRIORITY_DEFAULT + 1},
{ 0, 1, "in prio low + 1 ipsec esp/transport//require", PRIORITY_LOW - 1 },
{ 0, 1, "in prio low - 1 ipsec esp/transport//require", PRIORITY_LOW + 1 },
{ 0, 1, "in prio high + 1 ipsec esp/transport//require", PRIORITY_HIGH - 1 },
{ 0, 1, "in prio high - 1 ipsec esp/transport//require", PRIORITY_HIGH + 1 },
{ 1, 0, "in prio low - -1 ipsec esp/transport//require", 0 },
{ 1, 0, "in prio low + high ipsec esp/transport//require", 0 },
#else
{ 0, 1, "out ipsec esp/transport//require", 0 },
{ 1, 0, "out prio -1 ipsec esp/transport//require", 0 },
{ 1, 0, "in prio def ipsec esp/transport//require", 0 },
{ 1, 0, "in prio def + 1 ipsec esp/transport//require", 0 },
#endif
};
int test1 __P((void));
int test1sub1 __P((struct req_t *));
int test1sub2 __P((char *, int));
int test2 __P((void));
int test2sub __P((int));
int
main(ac, av)
int ac;
char **av;
{
return test1();
}
int
test1()
{
int i;
int result;
int error = 0;
printf("TEST1\n");
for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
printf("#%d [%s]\n", i + 1, reqs[i].str);
result = test1sub1(&reqs[i]);
if (result == 0 && reqs[i].result == 1) {
error = 1;
warnx("ERROR: expecting failure.");
} else if (result == 1 && reqs[i].result == 0) {
error = 1;
warnx("ERROR: expecting success.");
}
}
return error;
}
int
test1sub1(req)
struct req_t *req;
{
char *policy;
char *policy_str;
struct sadb_x_policy *xpl;
int len;
policy = ipsec_set_policy(req->str, strlen(req->str));
if (policy == NULL) {
if (req->result == 0) {
printf("ipsec_set_policy: %s\n", ipsec_strerror());
}
return 1;
}
#ifdef HAVE_PFKEY_POLICY_PRIORITY
/* check priority matches expected */
xpl = (struct sadb_x_policy *)policy;
if (xpl->sadb_x_policy_priority != req->expected_priority) {
printf("Actual priority %u does not match expected priority %u\n",
xpl->sadb_x_policy_priority, req->expected_priority);
free(policy);
return 1;
}
#endif
if (req->dump_result) {
/* invert policy */
len = ipsec_get_policylen(policy);
if ((policy_str = ipsec_dump_policy(policy, NULL)) == NULL) {
printf("%s\n", ipsec_strerror());
free(policy);
return 1;
}
/* check that they match */
if (strcmp(req->str, policy_str) != 0) {
printf("ipsec_dump_policy result (%s) does not match original "
"(%s)\n", policy_str, req->str);
free(policy_str);
free(policy);
return 1;
}
free(policy_str);
}
free(policy);
return 0;
}

330
crypto/dist/ipsec-tools/src/libipsec/test-policy.c vendored Normal file
View File

@ -0,0 +1,330 @@
/* $KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/pfkeyv2.h>
#include <netinet/ipsec.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <err.h>
#include "libpfkey.h"
struct req_t {
int result; /* expected result; 0:ok 1:ng */
char *str;
} reqs[] = {
{ 0, "out ipsec" },
{ 1, "must_error" },
{ 1, "in ipsec must_error" },
{ 1, "out ipsec esp/must_error" },
{ 1, "out discard" },
{ 1, "out none" },
{ 0, "in entrust" },
{ 0, "out entrust" },
{ 1, "out ipsec esp" },
{ 0, "in ipsec ah/transport" },
{ 1, "in ipsec ah/tunnel" },
{ 0, "out ipsec ah/transport/" },
{ 1, "out ipsec ah/tunnel/" },
{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
{ 0, "in ipsec esp/tunnel/::1-::2" },
{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
{ 0, "in ipsec esp/tunnel/::1-::2/require" },
{ 0, "out ipsec ah/transport//use" },
{ 1, "out ipsec ah/transport esp/use" },
{ 1, "in ipsec ah/transport esp/tunnel" },
{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
{ 0, "in ipsec
ah / transport
esp / tunnel / ::1-::2" },
{ 0, "out ipsec
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
" },
{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
};
int test1 __P((void));
int test1sub1 __P((struct req_t *));
int test1sub2 __P((char *, int));
int test2 __P((void));
int test2sub __P((int));
int
main(ac, av)
int ac;
char **av;
{
test1();
test2();
exit(0);
}
int
test1()
{
int i;
int result;
printf("TEST1\n");
for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
printf("#%d [%s]\n", i + 1, reqs[i].str);
result = test1sub1(&reqs[i]);
if (result == 0 && reqs[i].result == 1) {
warnx("ERROR: expecting failure.");
} else if (result == 1 && reqs[i].result == 0) {
warnx("ERROR: expecting success.");
}
}
return 0;
}
int
test1sub1(req)
struct req_t *req;
{
char *buf;
buf = ipsec_set_policy(req->str, strlen(req->str));
if (buf == NULL) {
printf("ipsec_set_policy: %s\n", ipsec_strerror());
return 1;
}
if (test1sub2(buf, PF_INET) != 0
|| test1sub2(buf, PF_INET6) != 0) {
free(buf);
return 1;
}
#if 0
kdebug_sadb_x_policy((struct sadb_ext *)buf);
#endif
free(buf);
return 0;
}
int
test1sub2(policy, family)
char *policy;
int family;
{
int so;
int proto = 0, optname = 0;
int len;
char getbuf[1024];
switch (family) {
case PF_INET:
proto = IPPROTO_IP;
optname = IP_IPSEC_POLICY;
break;
case PF_INET6:
proto = IPPROTO_IPV6;
optname = IPV6_IPSEC_POLICY;
break;
}
if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
err(1, "socket");
len = ipsec_get_policylen(policy);
#if 0
printf("\tsetlen:%d\n", len);
#endif
if (setsockopt(so, proto, optname, policy, len) < 0) {
printf("fail to set sockopt; %s\n", strerror(errno));
close(so);
return 1;
}
memset(getbuf, 0, sizeof(getbuf));
memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
printf("fail to get sockopt; %s\n", strerror(errno));
close(so);
return 1;
}
{
char *buf = NULL;
#if 0
printf("\tgetlen:%d\n", len);
#endif
if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
printf("%s\n", ipsec_strerror());
close(so);
return 1;
}
#if 0
printf("\t[%s]\n", buf);
#endif
free(buf);
}
close (so);
return 0;
}
char addr[] = {
28, 28, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
0, 0, 0, 0,
};
int
test2()
{
int so;
char *pol1 = "out ipsec";
char *pol2 = "out ipsec ah/transport//use";
char *sp1, *sp2;
int splen1, splen2;
int spid;
struct sadb_msg *m;
printf("TEST2\n");
if (getuid() != 0)
errx(1, "root privilege required.");
sp1 = ipsec_set_policy(pol1, strlen(pol1));
splen1 = ipsec_get_policylen(sp1);
sp2 = ipsec_set_policy(pol2, strlen(pol2));
splen2 = ipsec_get_policylen(sp2);
if ((so = pfkey_open()) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
printf("spdflush()\n");
if (pfkey_send_spdflush(so) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdsetidx()\n");
if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp1, splen1, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdupdate()\n");
if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("sleep(4)\n");
sleep(4);
printf("spddelete()\n");
if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp1, splen1, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdadd()\n");
if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
spid = test2sub(so);
printf("spdget(%u)\n", spid);
if (pfkey_send_spdget(so, spid) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("sleep(4)\n");
sleep(4);
printf("spddelete2()\n");
if (pfkey_send_spddelete2(so, spid) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdadd() with lifetime's 10(s)\n");
if (pfkey_send_spdadd2(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, 0, 10, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
spid = test2sub(so);
/* expecting failure */
printf("spdupdate()\n");
if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
(struct sockaddr *)addr, 128,
255, sp2, splen2, 0) == 0) {
warnx("ERROR: expecting failure.");
}
return 0;
}
int
test2sub(so)
int so;
{
struct sadb_msg *msg;
caddr_t mhp[SADB_EXT_MAX + 1];
if ((msg = pfkey_recv(so)) == NULL)
errx(1, "ERROR: pfkey_recv failure.");
if (pfkey_align(msg, mhp) < 0)
errx(1, "ERROR: pfkey_align failure.");
return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
}

22
crypto/dist/ipsec-tools/src/racoon/.cvsignore vendored Normal file
View File

@ -0,0 +1,22 @@
cfparse.c
cfparse.h
cftoken.c
y.tab.h
Makefile
Makefile.in
config.status
config.log
.depend
.deps
.libs
eaytest
racoon
racoonctl
autom4te.cache
configure
config.h
config.h.in
plainrsa-gen
prsa_par.c
prsa_par.h
prsa_tok.c

156
crypto/dist/ipsec-tools/src/racoon/Makefile.am vendored Normal file
View File

@ -0,0 +1,156 @@
# $Id: Makefile.am,v 1.1.1.1 2005/02/12 11:11:37 manu Exp $
sbin_PROGRAMS = racoon racoonctl plainrsa-gen
noinst_PROGRAMS = eaytest
include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
schedule.h sockmisc.h vmbuf.h isakmp_var.h isakmp.h isakmp_xauth.h \
isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h
lib_LTLIBRARIES = libracoon.la
adminsockdir=${localstatedir}/racoon
INCLUDES = -I${srcdir}/../libipsec
AM_CFLAGS = @GLIBC_BUGS@ -DSYSCONFDIR=\"${sysconfdir}\" \
-DADMINPORTDIR=\"${adminsockdir}\"
AM_LDFLAGS = -lcrypto
MISSING_ALGOS = \
missing/crypto/sha2/sha2.c \
missing/crypto/rijndael/rijndael-api-fst.c \
missing/crypto/rijndael/rijndael-alg-fst.c
racoon_SOURCES = \
main.c session.c isakmp.c handler.c \
isakmp_ident.c isakmp_agg.c isakmp_base.c \
isakmp_quick.c isakmp_inf.c isakmp_newg.c \
gssapi.c dnssec.c getcertsbyname.c privsep.c \
pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
proposal.c sainfo.c strnames.c \
plog.c logger.c schedule.c str2val.c \
safefile.c backupsa.c genlist.c rsalist.c \
cftoken.l cfparse.y prsa_tok.l prsa_par.y
EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
isakmp_frag.c nattraversal.c $(MISSING_ALGOS)
racoon_LDFLAGS = ../libipsec/libipsec.la
racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
vmbuf.o sockmisc.o misc.o
racoon_DEPENDENCIES = ../libipsec/libipsec.la \
$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \
vmbuf.o sockmisc.o misc.o
racoonctl_SOURCES = racoonctl.c str2val.c
racoonctl_LDFLAGS = libracoon.la ../libipsec/libipsec.la
racoonctl_DEPENDENCIES = ../libipsec/libipsec.la libracoon.la
libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \
crypto_openssl.c logger.c
EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS)
plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o
plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o
eaytest_SOURCES = eaytest.c plog.c logger.c
EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c
eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \
$(CRYPTOBJS)
eaytest_DEPENDENCIES = crypto_openssl_test.o vmbuf.o str2val.o \
misc_noplog.o $(CRYPTOBJS)
noinst_HEADERS = \
admin.h dnssec.h isakmp_base.h oakley.h session.h \
admin_var.h dump.h isakmp_ident.h pfkey.h sockmisc.h \
algorithm.h gcmalloc.h isakmp_inf.h plog.h str2val.h \
backupsa.h gnuc.h isakmp_newg.h policy.h strnames.h \
grabmyaddr.h isakmp_quick.h proposal.h var.h evt.h \
gssapi.h isakmp_var.h vendorid.h nattraversal.h\
crypto_openssl.h handler.h localconf.h remoteconf.h vmbuf.h \
debug.h ipsec_doi.h logger.h safefile.h \
debugrm.h isakmp.h misc.h sainfo.h \
dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \
isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \
throttle.h privsep.h \
cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \
missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \
missing/crypto/rijndael/rijndael-api-fst.h \
missing/crypto/rijndael/rijndael-alg-fst.h \
missing/crypto/rijndael/rijndael.h
man5_MANS = racoon.conf.5
man8_MANS = racoon.8 racoonctl.8 plainrsa-gen.8
EXTRA_DIST = \
${man5_MANS} ${man8_MANS} \
missing/crypto/rijndael/boxes-fst.dat \
doc/FAQ doc/README.certificate doc/README.gssapi \
contrib/sp.pl stats.pl \
samples/psk.txt.sample samples/racoon.conf.sample \
samples/psk.txt.in samples/racoon.conf.in \
samples/racoon.conf.sample-gssapi samples/racoon.conf.sample-natt \
samples/racoon.conf.sample-inherit samples/racoon.conf.sample-plainrsa \
samples/roadwarrior/README \
samples/roadwarrior/client/phase1-down.sh \
samples/roadwarrior/client/phase1-up.sh \
samples/roadwarrior/client/racoon.conf \
samples/roadwarrior/server/phase1-down.sh \
samples/roadwarrior/server/racoon.conf \
samples/roadwarrior/server/racoon.conf-radius
DISTCLEANFILES = cfparse.c cftoken.c prsa_tok.c prsa_par.c cfparse.h prsa_par.h
TESTS = eaytest
install-exec-local:
${mkinstalldirs} $(DESTDIR)${adminsockdir}
# Config file parser
cftoken.o: cftoken.c cfparse.h
$(COMPILE) -c -o $@ $<
cfparse.o: cfparse.c
$(COMPILE) -c -o $@ $<
cftoken.c: cftoken.l
$(LEX) -ocftoken.c $(srcdir)/cftoken.l
cfparse.h cfparse.c: $(srcdir)/cfparse.y
$(YACC) -d $(srcdir)/cfparse.y
mv y.tab.c cfparse.c
mv y.tab.h cfparse.h
# Plain-RSA parser
prsa_tok.o: prsa_tok.c prsa_par.h
$(COMPILE) -c -o $@ $<
prsa_par.o: prsa_par.c
$(COMPILE) -c -o $@ $<
prsa_tok.c: $(srcdir)/prsa_tok.l
$(LEX) -Pprsa -oprsa_tok.c $(srcdir)/prsa_tok.l
prsa_par.h prsa_par.c: $(srcdir)/prsa_par.y
$(YACC) -pprsa -d $(srcdir)/prsa_par.y
mv y.tab.c prsa_par.c
mv y.tab.h prsa_par.h
# special object rules
crypto_openssl_test.o: crypto_openssl.c
$(COMPILE) -DEAYDEBUG -o crypto_openssl_test.o -c $(srcdir)/crypto_openssl.c
misc_noplog.o: misc.c
$(COMPILE) -DNOUSE_PLOG -o misc_noplog.o -c $(srcdir)/misc.c
# missing/*.c
strdup.o: $(srcdir)/missing/strdup.c
$(COMPILE) -c $(srcdir)/missing/$*.c
getaddrinfo.o: $(srcdir)/missing/getaddrinfo.c
$(COMPILE) -c $(srcdir)/missing/$*.c
getnameinfo.o: $(srcdir)/missing/getnameinfo.c
$(COMPILE) -c $(srcdir)/missing/$*.c
rijndael-api-fst.o: $(srcdir)/missing/crypto/rijndael/rijndael-api-fst.c
$(COMPILE) -c $(srcdir)/missing/crypto/rijndael/$*.c
rijndael-alg-fst.o: $(srcdir)/missing/crypto/rijndael/rijndael-alg-fst.c
$(COMPILE) -c $(srcdir)/missing/crypto/rijndael/$*.c
sha2.o: $(srcdir)/missing/crypto/sha2/sha2.c
$(COMPILE) -c $(srcdir)/missing/crypto/sha2/$*.c

131
crypto/dist/ipsec-tools/src/racoon/TODO vendored Normal file
View File

@ -0,0 +1,131 @@
$KAME: TODO,v 1.36 2001/09/19 09:41:39 sakane Exp $
Please send any questions or bug reports to snap-users@kame.net.
TODO list
URGENT
o The documents for users convenience.
o split log file based on client. printf-like config directive, i.e.
"logfile racoon.%s.log", should be useful here.
-> beware of possible security issue, don't use sprintf() directly!
make validation before giving a string to sprintf().
o save decrypted IKE packet in tcpdump format
o IPComp SA with wellknown CPI in CPI field. how to handle it?
o better rekey
MUST
o multiple certificate payload handling.
o To consider the use with certificate infrastructure. PXIX ???
o kmstat should be improved.
o Informational Exchange processing properly.
o require less configuration. phase 2 is easier (as kernel presents racoon
some hints), phase 1 is harder. for example,
- grab phase 2 lifetime and algorith configuration from sadb_comb payloads in
ACQUIRE message.
- give reasonable default behavior when no configuration file is present.
- difficult items:
how to guess a reasonable phase 1 SA lifetime
(hardcoded default? guess from phase 2 lifetime?)
guess what kind of ID payload to use
guess what kind of authentication to be used
guess phase 1 DH group (for aggressive mode, we cannot negotiate it)
guess if we need phase 2 PFS or not (we cannot negotiate it. so
we may need to pick from "no PFS" or "same as phase 1 DH group")
guess how we should negotiate lifetime
(is "strict" a reasonable default?)
guess which mode to use for phase 1 negotiation (is main mode useful?
is base mode popular enough?)
o more acceptable check.
SHOULD
o psk.txt should be a database? (psk.db?) psk_mkdb?
o Dynamically retry to exchange and resend the packet per nodes.
o To make the list of supported algorithm by sadb_supported payload
in the SADB_REGISTER message which happens asynchronously.
o fix the structure of ph2handle.
We can handle the below case.
node A node B
+--------------SA1----------------+
+--------------SA2----------------+
at node A:
kernel
acquire(A-B) ------> ph2handle(A=B) -----> ph1handle
|
policy
A=B
A=B
But we can not handle the below case because there is no x?handle.
node A node B node C
+--------------SA1----------------+
+------------------------------------------------SA2---------------+
at node A:
kernel
acquire(A-C) ---+---> x?handle ---+---> ph2handle(A=B) -------> ph1handle
| | |
acquire(A-B) ---+ policy +---> ph2handle(A=C) -------> ph1handle
A=B
A=C
o consistency of function name.
o deep copy configuration entry to hander. It's easy to reload configuration.
o don't keep to hold keymat values, do it ?
o local address's field in isakmpsa handler must be kicked out to rmconf.
o responder policy and initiator policy should be separated.
o for lifetime and key length, something like this should be useful.
- propose N
- accept between X and Y
o wildcard "accept any proposal" policy should be allowed.
o replay prevention
- limited total number of session
- limited session per peer
- number of proposal
o full support for variable length SPI. quickhack support for IPComp is done.
MAY
o Effective code.
o interaction between IKE/IPsec and socket layer.
at this moment, IKE/IPsec failure is modeled as total packet loss to other
part of network subsystem, including socket layer. this presents the
following behaviors:
- annoyingly long timeouts on tcp connection attempt, and IKE failure;
need to wait till tcp socket timeouts.
- blackhole if there's mismatching SAs.
we may be able to give socket layer some feedback from IKE/IPsec layer.
still not sure if those make sense or not.
for example:
- send PRU_HOSTDEAD to sockets if IKE negotiation failed
(sys/netkey/key.c:key_acquire2)
to do this, we need to remember which ACQUIRE was caused by which socket,
possibly into larval SAs.
- PRU_QUENCH on "no SA found on output"
- kick tcp retransmission timer on first SA establishment
o IKE daemon should handle situations where peer does not run IKE daemon
(UDP port unreach for port 500) better.
should use connected UDP sockets for sending IKE datagrams.
o rate-limit log messages from kernel IPsec errors, like "no SA found".
TO BE TESTED.
o IKE retransmit behavior
see, draft-*-ipsec-rekeying*.txt
o Reboot recovery (peer reboot losing it's security associations)
see, draft-*-ipsec-rekeying*.txt
o Scenarios
- End-to-End transport long lived security associations
(over night, data transfer >1Gb) with frequent dynamic rekey
- End-to-GW tunnel long lived security associations
(over night, data transfer >1Gb) with frequent dynamic rekey
- Policy change events while under SA load
- End-to-End SA through IPsec tunnels, initiation both ways
- Client End-to-End through client-to-GW tunnel SA, initiate from
client for tunnel, then initiation both ways for end-to-end
- Client-to-GW transport SA for secure management
o behavior to receive multiple auth method proposals and AND proposal
and to be written many many.

649
crypto/dist/ipsec-tools/src/racoon/admin.c vendored Normal file
View File

@ -0,0 +1,649 @@
/* $Id: admin.c,v 1.1.1.1 2005/02/12 11:11:38 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/signal.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <net/pfkeyv2.h>
#include <netinet/in.h>
#ifndef HAVE_NETINET6_IPSEC
#include <netinet/ipsec.h>
#else
#include <netinet6/ipsec.h>
#endif
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <netdb.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "debug.h"
#include "schedule.h"
#include "localconf.h"
#include "remoteconf.h"
#include "grabmyaddr.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "oakley.h"
#include "handler.h"
#include "evt.h"
#include "pfkey.h"
#include "ipsec_doi.h"
#include "admin.h"
#include "admin_var.h"
#include "isakmp_inf.h"
#include "session.h"
#include "gcmalloc.h"
#ifdef ENABLE_ADMINPORT
char *adminsock_path = ADMINSOCK_PATH;
uid_t adminsock_owner = 0;
gid_t adminsock_group = 0;
mode_t adminsock_mode = 0600;
static struct sockaddr_un sunaddr;
static int admin_process __P((int, char *));
static int admin_reply __P((int, struct admin_com *, vchar_t *));
static void isakmp_flush_sa __P((struct ph1handle *, char *, char *));
int
admin_handler()
{
int so2;
struct sockaddr_storage from;
int fromlen = sizeof(from);
struct admin_com com;
char *combuf = NULL;
pid_t pid = -1;
int len, error = -1;
so2 = accept(lcconf->sock_admin, (struct sockaddr *)&from, &fromlen);
if (so2 < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to accept admin command: %s\n",
strerror(errno));
return -1;
}
/* get buffer length */
while ((len = recv(so2, (char *)&com, sizeof(com), MSG_PEEK)) < 0) {
if (errno == EINTR)
continue;
plog(LLV_ERROR, LOCATION, NULL,
"failed to recv admin command: %s\n",
strerror(errno));
goto end;
}
/* sanity check */
if (len < sizeof(com)) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid header length of admin command\n");
goto end;
}
/* get buffer to receive */
if ((combuf = racoon_malloc(com.ac_len)) == 0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to alloc buffer for admin command\n");
goto end;
}
/* get real data */
while ((len = recv(so2, combuf, com.ac_len, 0)) < 0) {
if (errno == EINTR)
continue;
plog(LLV_ERROR, LOCATION, NULL,
"failed to recv admin command: %s\n",
strerror(errno));
goto end;
}
if (com.ac_cmd == ADMIN_RELOAD_CONF) {
/* reload does not work at all! */
signal_handler(SIGHUP);
goto end;
}
error = admin_process(so2, combuf);
end:
(void)close(so2);
if (combuf)
racoon_free(combuf);
/* exit if child's process. */
if (pid == 0 && !f_foreground)
exit(error);
return error;
}
/*
* main child's process.
*/
static int
admin_process(so2, combuf)
int so2;
char *combuf;
{
struct admin_com *com = (struct admin_com *)combuf;
vchar_t *buf = NULL;
vchar_t *id = NULL;
vchar_t *key = NULL;
int idtype = 0;
int error = 0;
com->ac_errno = 0;
switch (com->ac_cmd) {
case ADMIN_RELOAD_CONF:
/* don't entered because of proccessing it in other place. */
plog(LLV_ERROR, LOCATION, NULL, "should never reach here\n");
goto bad;
case ADMIN_SHOW_SCHED:
{
caddr_t p;
int len;
if (sched_dump(&p, &len) == -1)
com->ac_errno = -1;
buf = vmalloc(len);
if (buf == NULL)
com->ac_errno = -1;
else
memcpy(buf->v, p, len);
}
break;
case ADMIN_SHOW_EVT:
/* It's not really an error, don't force racoonctl to quit */
if ((buf = evt_dump()) == NULL)
com->ac_errno = 0;
break;
case ADMIN_SHOW_SA:
case ADMIN_FLUSH_SA:
{
switch (com->ac_proto) {
case ADMIN_PROTO_ISAKMP:
switch (com->ac_cmd) {
case ADMIN_SHOW_SA:
buf = dumpph1();
if (buf == NULL)
com->ac_errno = -1;
break;
case ADMIN_FLUSH_SA:
flushph1();
break;
}
break;
case ADMIN_PROTO_IPSEC:
case ADMIN_PROTO_AH:
case ADMIN_PROTO_ESP:
switch (com->ac_cmd) {
case ADMIN_SHOW_SA:
{
u_int p;
p = admin2pfkey_proto(com->ac_proto);
if (p == -1)
goto bad;
buf = pfkey_dump_sadb(p);
if (buf == NULL)
com->ac_errno = -1;
}
break;
case ADMIN_FLUSH_SA:
pfkey_flush_sadb(com->ac_proto);
break;
}
break;
case ADMIN_PROTO_INTERNAL:
switch (com->ac_cmd) {
case ADMIN_SHOW_SA:
buf = NULL; /*XXX dumpph2(&error);*/
if (buf == NULL)
com->ac_errno = error;
break;
case ADMIN_FLUSH_SA:
/*XXX flushph2();*/
com->ac_errno = 0;
break;
}
break;
default:
/* ignore */
com->ac_errno = -1;
}
}
break;
case ADMIN_DELETE_SA: {
struct ph1handle *iph1;
struct sockaddr *dst;
struct sockaddr *src;
char *loc, *rem;
src = (struct sockaddr *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->src;
dst = (struct sockaddr *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
if ((loc = strdup(saddrwop2str(src))) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"cannot allocate memory\n");
break;
}
if ((rem = strdup(saddrwop2str(dst))) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"cannot allocate memory\n");
break;
}
if ((iph1 = getph1byaddr(src, dst)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"phase 1 for %s -> %s not found\n", loc, rem);
} else {
isakmp_flush_sa(iph1, loc, rem);
}
racoon_free(loc);
racoon_free(rem);
break;
}
case ADMIN_DELETE_ALL_SA_DST: {
struct ph1handle *iph1;
struct sockaddr *dst;
char *loc, *rem;
dst = (struct sockaddr *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
if ((rem = strdup(saddrwop2str(dst))) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"cannot allocate memory\n");
break;
}
plog(LLV_INFO, LOCATION, NULL,
"Flushing all SA for peer %s\n", rem);
while ((iph1 = getph1bydstaddr(dst)) != NULL) {
if ((loc = strdup(saddrwop2str(iph1->local))) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"cannot allocate memory\n");
break;
}
isakmp_flush_sa(iph1, loc, rem);
racoon_free(loc);
}
racoon_free(rem);
break;
}
case ADMIN_ESTABLISH_SA_PSK: {
struct admin_com_psk *acp;
char *data;
com->ac_cmd = ADMIN_ESTABLISH_SA;
acp = (struct admin_com_psk *)
((char *)com + sizeof(*com) +
sizeof(struct admin_com_indexes));
idtype = acp->id_type;
if ((id = vmalloc(acp->id_len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"cannot allocate memory: %s\n",
strerror(errno));
break;
}
data = (char *)(acp + 1);
memcpy(id->v, data, id->l);
if ((key = vmalloc(acp->key_len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"cannot allocate memory: %s\n",
strerror(errno));
vfree(id);
break;
}
data = (char *)(data + acp->id_len);
memcpy(key->v, data, key->l);
}
/* FALLTHROUGH */
case ADMIN_ESTABLISH_SA:
{
struct sockaddr *dst;
struct sockaddr *src;
src = (struct sockaddr *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->src;
dst = (struct sockaddr *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
switch (com->ac_proto) {
case ADMIN_PROTO_ISAKMP:
{
struct remoteconf *rmconf;
struct sockaddr *remote;
struct sockaddr *local;
/* search appropreate configuration */
rmconf = getrmconf(dst);
if (rmconf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"no configuration found "
"for %s\n", saddrwop2str(dst));
com->ac_errno = -1;
break;
}
/* get remote IP address and port number. */
remote = dupsaddr(dst);
if (remote == NULL) {
com->ac_errno = -1;
break;
}
switch (remote->sa_family) {
case AF_INET:
((struct sockaddr_in *)remote)->sin_port =
((struct sockaddr_in *)rmconf->remote)->sin_port;
break;
#ifdef INET6
case AF_INET6:
((struct sockaddr_in6 *)remote)->sin6_port =
((struct sockaddr_in6 *)rmconf->remote)->sin6_port;
break;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"invalid family: %d\n",
remote->sa_family);
com->ac_errno = -1;
break;
}
/* get local address */
local = dupsaddr(src);
if (local == NULL) {
com->ac_errno = -1;
break;
}
switch (local->sa_family) {
case AF_INET:
((struct sockaddr_in *)local)->sin_port =
getmyaddrsport(local);
break;
#ifdef INET6
case AF_INET6:
((struct sockaddr_in6 *)local)->sin6_port =
getmyaddrsport(local);
break;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"invalid family: %d\n",
local->sa_family);
com->ac_errno = -1;
break;
}
/* Set the id and key */
if (id && key) {
if (rmconf->idv != NULL) {
vfree(rmconf->idv);
rmconf->idv = NULL;
}
if (rmconf->key != NULL) {
vfree(rmconf->key);
rmconf->key = NULL;
}
rmconf->idvtype = idtype;
rmconf->idv = id;
rmconf->key = key;
}
plog(LLV_INFO, LOCATION, NULL,
"accept a request to establish IKE-SA: "
"%s\n", saddrwop2str(remote));
/* begin ident mode */
if (isakmp_ph1begin_i(rmconf, remote, local) < 0) {
com->ac_errno = -1;
break;
}
}
break;
case ADMIN_PROTO_AH:
case ADMIN_PROTO_ESP:
break;
default:
/* ignore */
com->ac_errno = -1;
}
}
break;
default:
plog(LLV_ERROR, LOCATION, NULL,
"invalid command: %d\n", com->ac_cmd);
com->ac_errno = -1;
}
if (admin_reply(so2, com, buf) < 0)
goto bad;
if (buf != NULL)
vfree(buf);
return 0;
bad:
if (buf != NULL)
vfree(buf);
return -1;
}
static int
admin_reply(so, combuf, buf)
int so;
struct admin_com *combuf;
vchar_t *buf;
{
int tlen;
char *retbuf = NULL;
if (buf != NULL)
tlen = sizeof(*combuf) + buf->l;
else
tlen = sizeof(*combuf);
retbuf = racoon_calloc(1, tlen);
if (retbuf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate admin buffer\n");
return -1;
}
memcpy(retbuf, combuf, sizeof(*combuf));
((struct admin_com *)retbuf)->ac_len = tlen;
if (buf != NULL)
memcpy(retbuf + sizeof(*combuf), buf->v, buf->l);
tlen = send(so, retbuf, tlen, 0);
racoon_free(retbuf);
if (tlen < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to send admin command: %s\n",
strerror(errno));
return -1;
}
return 0;
}
/* ADMIN_PROTO -> SADB_SATYPE */
int
admin2pfkey_proto(proto)
u_int proto;
{
switch (proto) {
case ADMIN_PROTO_IPSEC:
return SADB_SATYPE_UNSPEC;
case ADMIN_PROTO_AH:
return SADB_SATYPE_AH;
case ADMIN_PROTO_ESP:
return SADB_SATYPE_ESP;
default:
plog(LLV_ERROR, LOCATION, NULL,
"unsupported proto for admin: %d\n", proto);
return -1;
}
/*NOTREACHED*/
}
int
admin_init()
{
if (adminsock_path == NULL)
return 0;
memset(&sunaddr, 0, sizeof(sunaddr));
sunaddr.sun_family = AF_UNIX;
snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path),
"%s", adminsock_path);
lcconf->sock_admin = socket(AF_UNIX, SOCK_STREAM, 0);
if (lcconf->sock_admin == -1) {
plog(LLV_ERROR, LOCATION, NULL,
"socket: %s\n", strerror(errno));
return -1;
}
unlink(sunaddr.sun_path);
if (bind(lcconf->sock_admin, (struct sockaddr *)&sunaddr,
sizeof(sunaddr)) != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"bind(sockname:%s): %s\n",
sunaddr.sun_path, strerror(errno));
(void)close(lcconf->sock_admin);
return -1;
}
if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"chown(%s, %d, %d): %s\n",
sunaddr.sun_path, adminsock_owner,
adminsock_group, strerror(errno));
(void)close(lcconf->sock_admin);
return -1;
}
if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"chmod(%s, 0%03o): %s\n",
sunaddr.sun_path, adminsock_mode, strerror(errno));
(void)close(lcconf->sock_admin);
return -1;
}
if (listen(lcconf->sock_admin, 5) != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"listen(sockname:%s): %s\n",
sunaddr.sun_path, strerror(errno));
(void)close(lcconf->sock_admin);
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL,
"open %s as racoon management.\n", sunaddr.sun_path);
return 0;
}
int
admin_close()
{
close(lcconf->sock_admin);
return 0;
}
#endif
static void
isakmp_flush_sa(iph1, loc, rem)
struct ph1handle *iph1;
char *loc;
char *rem;
{
plog(LLV_INFO, LOCATION, NULL,
"Flushing SA for %s -> %s\n", loc, rem);
if (iph1->status == PHASE1ST_ESTABLISHED)
isakmp_info_send_d1(iph1);
remph1(iph1);
delph1(iph1);
return;
}

107
crypto/dist/ipsec-tools/src/racoon/admin.h vendored Normal file
View File

@ -0,0 +1,107 @@
/* $Id: admin.h,v 1.1.1.1 2005/02/12 11:11:38 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _ADMIN_H
#define _ADMIN_H
#define ADMINSOCK_PATH ADMINPORTDIR "/racoon.sock"
extern char *adminsock_path;
extern uid_t adminsock_owner;
extern gid_t adminsock_group;
extern mode_t adminsock_mode;
/* command for administration. */
/* NOTE: host byte order. */
struct admin_com {
u_int16_t ac_len; /* total packet length including data */
u_int16_t ac_cmd;
int16_t ac_errno;
u_int16_t ac_proto;
};
/*
* No data follows as the data.
* These don't use proto field.
*/
#define ADMIN_RELOAD_CONF 0x0001
#define ADMIN_SHOW_SCHED 0x0002
#define ADMIN_SHOW_EVT 0x0003
/*
* No data follows as the data.
* These use proto field.
*/
#define ADMIN_SHOW_SA 0x0101
#define ADMIN_FLUSH_SA 0x0102
/*
* The admin_com_indexes follows, see below.
*/
#define ADMIN_DELETE_SA 0x0201
#define ADMIN_ESTABLISH_SA 0x0202
#define ADMIN_DELETE_ALL_SA_DST 0x0204 /* All SA for a given peer */
/*
* The admin_com_indexes and admin_com_psk follow, see below.
*/
#define ADMIN_ESTABLISH_SA_PSK 0x0203
/*
* Range 0x08xx is reserved for privilege separation, see privsep.h
*/
/* the value of proto */
#define ADMIN_PROTO_ISAKMP 0x01ff
#define ADMIN_PROTO_IPSEC 0x02ff
#define ADMIN_PROTO_AH 0x0201
#define ADMIN_PROTO_ESP 0x0202
#define ADMIN_PROTO_INTERNAL 0x0301
struct admin_com_indexes {
u_int8_t prefs;
u_int8_t prefd;
u_int8_t ul_proto;
u_int8_t reserved;
struct sockaddr_storage src;
struct sockaddr_storage dst;
};
struct admin_com_psk {
int id_type;
size_t id_len;
size_t key_len;
/* Followed by id and key */
};
extern int admin2pfkey_proto __P((u_int));
#endif /* _ADMIN_H */

39
crypto/dist/ipsec-tools/src/racoon/admin_var.h vendored Normal file
View File

@ -0,0 +1,39 @@
/* $Id: admin_var.h,v 1.1.1.1 2005/02/12 11:11:38 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _ADMIN_VAR_H
#define _ADMIN_VAR_H
extern int admin_handler __P((void));
extern int admin_init __P((void));
extern int admin_close __P((void));
#endif /* _ADMIN_VAR_H */

915
crypto/dist/ipsec-tools/src/racoon/algorithm.c vendored Normal file
View File

@ -0,0 +1,915 @@
/* $Id: algorithm.c,v 1.1.1.1 2005/02/12 11:11:39 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/param.h>
#include <sys/types.h>
#include <stdlib.h>
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "debug.h"
#include "crypto_openssl.h"
#include "dhgroup.h"
#include "algorithm.h"
#include "oakley.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "ipsec_doi.h"
#include "gcmalloc.h"
static struct hash_algorithm oakley_hashdef[] = {
{ "md5", algtype_md5, OAKLEY_ATTR_HASH_ALG_MD5,
eay_md5_init, eay_md5_update,
eay_md5_final, eay_md5_hashlen,
eay_md5_one, },
{ "sha1", algtype_sha1, OAKLEY_ATTR_HASH_ALG_SHA,
eay_sha1_init, eay_sha1_update,
eay_sha1_final, eay_sha1_hashlen,
eay_sha1_one, },
#ifdef WITH_SHA2
{ "sha2_256", algtype_sha2_256, OAKLEY_ATTR_HASH_ALG_SHA2_256,
eay_sha2_256_init, eay_sha2_256_update,
eay_sha2_256_final, eay_sha2_256_hashlen,
eay_sha2_256_one, },
{ "sha2_384", algtype_sha2_384, OAKLEY_ATTR_HASH_ALG_SHA2_384,
eay_sha2_384_init, eay_sha2_384_update,
eay_sha2_384_final, eay_sha2_384_hashlen,
eay_sha2_384_one, },
{ "sha2_512", algtype_sha2_512, OAKLEY_ATTR_HASH_ALG_SHA2_512,
eay_sha2_512_init, eay_sha2_512_update,
eay_sha2_512_final, eay_sha2_512_hashlen,
eay_sha2_512_one, },
#endif
};
static struct hmac_algorithm oakley_hmacdef[] = {
{ "hmac_md5", algtype_md5, OAKLEY_ATTR_HASH_ALG_MD5,
eay_hmacmd5_init, eay_hmacmd5_update,
eay_hmacmd5_final, NULL,
eay_hmacmd5_one, },
{ "hmac_sha1", algtype_sha1, OAKLEY_ATTR_HASH_ALG_SHA,
eay_hmacsha1_init, eay_hmacsha1_update,
eay_hmacsha1_final, NULL,
eay_hmacsha1_one, },
#ifdef WITH_SHA2
{ "hmac_sha2_256", algtype_sha2_256, OAKLEY_ATTR_HASH_ALG_SHA2_256,
eay_hmacsha2_256_init, eay_hmacsha2_256_update,
eay_hmacsha2_256_final, NULL,
eay_hmacsha2_256_one, },
{ "hmac_sha2_384", algtype_sha2_384, OAKLEY_ATTR_HASH_ALG_SHA2_384,
eay_hmacsha2_384_init, eay_hmacsha2_384_update,
eay_hmacsha2_384_final, NULL,
eay_hmacsha2_384_one, },
{ "hmac_sha2_512", algtype_sha2_512, OAKLEY_ATTR_HASH_ALG_SHA2_512,
eay_hmacsha2_512_init, eay_hmacsha2_512_update,
eay_hmacsha2_512_final, NULL,
eay_hmacsha2_512_one, },
#endif
};
static struct enc_algorithm oakley_encdef[] = {
{ "des", algtype_des, OAKLEY_ATTR_ENC_ALG_DES, 8,
eay_des_encrypt, eay_des_decrypt,
eay_des_weakkey, eay_des_keylen, },
#ifdef HAVE_OPENSSL_IDEA_H
{ "idea", algtype_idea, OAKLEY_ATTR_ENC_ALG_IDEA, 8,
eay_idea_encrypt, eay_idea_decrypt,
eay_idea_weakkey, eay_idea_keylen, },
#endif
{ "blowfish", algtype_blowfish, OAKLEY_ATTR_ENC_ALG_BLOWFISH, 8,
eay_bf_encrypt, eay_bf_decrypt,
eay_bf_weakkey, eay_bf_keylen, },
#ifdef HAVE_OPENSSL_RC5_H
{ "rc5", algtype_rc5, OAKLEY_ATTR_ENC_ALG_RC5, 8,
eay_rc5_encrypt, eay_rc5_decrypt,
eay_rc5_weakkey, eay_rc5_keylen, },
#endif
{ "3des", algtype_3des, OAKLEY_ATTR_ENC_ALG_3DES, 8,
eay_3des_encrypt, eay_3des_decrypt,
eay_3des_weakkey, eay_3des_keylen, },
{ "cast", algtype_cast128, OAKLEY_ATTR_ENC_ALG_CAST, 8,
eay_cast_encrypt, eay_cast_decrypt,
eay_cast_weakkey, eay_cast_keylen, },
{ "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16,
eay_aes_encrypt, eay_aes_decrypt,
eay_aes_weakkey, eay_aes_keylen, },
};
static struct enc_algorithm ipsec_encdef[] = {
{ "des-iv64", algtype_des_iv64, IPSECDOI_ESP_DES_IV64, 8,
NULL, NULL,
NULL, eay_des_keylen, },
{ "des", algtype_des, IPSECDOI_ESP_DES, 8,
NULL, NULL,
NULL, eay_des_keylen, },
{ "3des", algtype_3des, IPSECDOI_ESP_3DES, 8,
NULL, NULL,
NULL, eay_3des_keylen, },
#ifdef HAVE_OPENSSL_RC5_H
{ "rc5", algtype_rc5, IPSECDOI_ESP_RC5, 8,
NULL, NULL,
NULL, eay_rc5_keylen, },
#endif
{ "cast", algtype_cast128, IPSECDOI_ESP_CAST, 8,
NULL, NULL,
NULL, eay_cast_keylen, },
{ "blowfish", algtype_blowfish, IPSECDOI_ESP_BLOWFISH, 8,
NULL, NULL,
NULL, eay_bf_keylen, },
{ "des-iv32", algtype_des_iv32, IPSECDOI_ESP_DES_IV32, 8,
NULL, NULL,
NULL, eay_des_keylen, },
{ "null", algtype_null_enc, IPSECDOI_ESP_NULL, 8,
NULL, NULL,
NULL, eay_null_keylen, },
{ "aes", algtype_aes, IPSECDOI_ESP_AES, 16,
NULL, NULL,
NULL, eay_aes_keylen, },
{ "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16,
NULL, NULL,
NULL, eay_twofish_keylen, },
#ifdef HAVE_OPENSSL_IDEA_H
{ "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8,
NULL, NULL,
NULL, NULL, },
{ "idea", algtype_idea, IPSECDOI_ESP_IDEA, 8,
NULL, NULL,
NULL, NULL, },
#endif
{ "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8,
NULL, NULL,
NULL, NULL, },
};
static struct hmac_algorithm ipsec_hmacdef[] = {
{ "md5", algtype_hmac_md5, IPSECDOI_ATTR_AUTH_HMAC_MD5,
NULL, NULL,
NULL, eay_md5_hashlen,
NULL, },
{ "sha1", algtype_hmac_sha1, IPSECDOI_ATTR_AUTH_HMAC_SHA1,
NULL, NULL,
NULL, eay_sha1_hashlen,
NULL, },
{ "kpdk", algtype_kpdk, IPSECDOI_ATTR_AUTH_KPDK,
NULL, NULL,
NULL, eay_kpdk_hashlen,
NULL, },
{ "null", algtype_non_auth, IPSECDOI_ATTR_AUTH_NONE,
NULL, NULL,
NULL, eay_null_hashlen,
NULL, },
#ifdef WITH_SHA2
{ "hmac_sha2_256", algtype_hmac_sha2_256, IPSECDOI_ATTR_SHA2_256,
NULL, NULL,
NULL, eay_sha2_256_hashlen,
NULL, },
{ "hmac_sha2_384", algtype_hmac_sha2_384, IPSECDOI_ATTR_SHA2_384,
NULL, NULL,
NULL, eay_sha2_384_hashlen,
NULL, },
{ "hmac_sha2_512", algtype_hmac_sha2_512, IPSECDOI_ATTR_SHA2_512,
NULL, NULL,
NULL, eay_sha2_512_hashlen,
NULL, },
#endif
};
static struct misc_algorithm ipsec_compdef[] = {
{ "oui", algtype_oui, IPSECDOI_IPCOMP_OUI, },
{ "deflate", algtype_deflate, IPSECDOI_IPCOMP_DEFLATE, },
{ "lzs", algtype_lzs, IPSECDOI_IPCOMP_LZS, },
};
static struct misc_algorithm oakley_authdef[] = {
{ "pre_shared_key", algtype_psk, OAKLEY_ATTR_AUTH_METHOD_PSKEY, },
{ "dsssig", algtype_dsssig, OAKLEY_ATTR_AUTH_METHOD_DSSSIG, },
{ "rsasig", algtype_rsasig, OAKLEY_ATTR_AUTH_METHOD_RSASIG, },
{ "rsaenc", algtype_rsaenc, OAKLEY_ATTR_AUTH_METHOD_RSAENC, },
{ "rsarev", algtype_rsarev, OAKLEY_ATTR_AUTH_METHOD_RSAREV, },
{ "gssapi_krb", algtype_gssapikrb, OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB, },
#ifdef ENABLE_HYBRID
{ "hybrid_rsa_server", algtype_hybrid_rsa_s,
OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I, },
{ "hybrid_dss_server", algtype_hybrid_dss_s,
OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I, },
{ "hybrid_rsa_client", algtype_hybrid_rsa_c,
OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R, },
{ "hybrid_dss_client", algtype_hybrid_dss_c,
OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R, },
#endif
};
static struct dh_algorithm oakley_dhdef[] = {
{ "modp768", algtype_modp768, OAKLEY_ATTR_GRP_DESC_MODP768,
&dh_modp768, },
{ "modp1024", algtype_modp1024, OAKLEY_ATTR_GRP_DESC_MODP1024,
&dh_modp1024, },
{ "modp1536", algtype_modp1536, OAKLEY_ATTR_GRP_DESC_MODP1536,
&dh_modp1536, },
{ "modp2048", algtype_modp2048, OAKLEY_ATTR_GRP_DESC_MODP2048,
&dh_modp2048, },
{ "modp3072", algtype_modp3072, OAKLEY_ATTR_GRP_DESC_MODP3072,
&dh_modp3072, },
{ "modp4096", algtype_modp4096, OAKLEY_ATTR_GRP_DESC_MODP4096,
&dh_modp4096, },
{ "modp6144", algtype_modp6144, OAKLEY_ATTR_GRP_DESC_MODP6144,
&dh_modp6144, },
{ "modp8192", algtype_modp8192, OAKLEY_ATTR_GRP_DESC_MODP8192,
&dh_modp8192, },
};
static struct hash_algorithm *alg_oakley_hashdef __P((int));
static struct hmac_algorithm *alg_oakley_hmacdef __P((int));
static struct enc_algorithm *alg_oakley_encdef __P((int));
static struct enc_algorithm *alg_ipsec_encdef __P((int));
static struct hmac_algorithm *alg_ipsec_hmacdef __P((int));
static struct dh_algorithm *alg_oakley_dhdef __P((int));
/* oakley hash algorithm */
static struct hash_algorithm *
alg_oakley_hashdef(doi)
int doi;
{
int i;
for (i = 0; i < ARRAYLEN(oakley_hashdef); i++)
if (doi == oakley_hashdef[i].doi) {
plog(LLV_DEBUG, LOCATION, NULL, "hash(%s)\n",
oakley_hashdef[i].name);
return &oakley_hashdef[i];
}
return NULL;
}
int
alg_oakley_hashdef_ok(doi)
int doi;
{
struct hash_algorithm *f;
f = alg_oakley_hashdef(doi);
if (f == NULL)
return 0;
return 1;
}
int
alg_oakley_hashdef_doi(type)
int type;
{
int i, res = -1;
for (i = 0; i < ARRAYLEN(oakley_hashdef); i++)
if (type == oakley_hashdef[i].type) {
res = oakley_hashdef[i].doi;
break;
}
return res;
}
int
alg_oakley_hashdef_hashlen(doi)
int doi;
{
struct hash_algorithm *f;
f = alg_oakley_hashdef(doi);
if (f == NULL || f->hashlen == NULL)
return 0;
return (f->hashlen)();
}
const char *
alg_oakley_hashdef_name (doi)
int doi;
{
struct hash_algorithm *f;
f = alg_oakley_hashdef(doi);
if (f == NULL)
return "*UNKNOWN*";
return f->name;
}
vchar_t *
alg_oakley_hashdef_one(doi, buf)
int doi;
vchar_t *buf;
{
struct hash_algorithm *f;
f = alg_oakley_hashdef(doi);
if (f == NULL || f->hashlen == NULL)
return NULL;
return (f->one)(buf);
}
/* oakley hmac algorithm */
static struct hmac_algorithm *
alg_oakley_hmacdef(doi)
int doi;
{
int i;
for (i = 0; i < ARRAYLEN(oakley_hmacdef); i++)
if (doi == oakley_hmacdef[i].doi) {
plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n",
oakley_hmacdef[i].name);
return &oakley_hmacdef[i];
}
return NULL;
}
int
alg_oakley_hmacdef_doi(type)
int type;
{
int i, res = -1;
for (i = 0; i < ARRAYLEN(oakley_hmacdef); i++)
if (type == oakley_hmacdef[i].type) {
res = oakley_hmacdef[i].doi;
break;
}
return res;
}
vchar_t *
alg_oakley_hmacdef_one(doi, key, buf)
int doi;
vchar_t *key, *buf;
{
struct hmac_algorithm *f;
vchar_t *res;
#ifdef ENABLE_STATS
struct timeval start, end;
#endif
f = alg_oakley_hmacdef(doi);
if (f == NULL || f->one == NULL)
return NULL;
#ifdef ENABLE_STATS
gettimeofday(&start, NULL);
#endif
res = (f->one)(key, buf);
#ifdef ENABLE_STATS
gettimeofday(&end, NULL);
syslog(LOG_NOTICE, "%s(%s size=%d): %8.6f", __func__,
f->name, buf->l, timedelta(&start, &end));
#endif
return res;
}
/* oakley encryption algorithm */
static struct enc_algorithm *
alg_oakley_encdef(doi)
int doi;
{
int i;
for (i = 0; i < ARRAYLEN(oakley_encdef); i++)
if (doi == oakley_encdef[i].doi) {
plog(LLV_DEBUG, LOCATION, NULL, "encryption(%s)\n",
oakley_encdef[i].name);
return &oakley_encdef[i];
}
return NULL;
}
int
alg_oakley_encdef_ok(doi)
int doi;
{
struct enc_algorithm *f;
f = alg_oakley_encdef(doi);
if (f == NULL)
return 0;
return 1;
}
int
alg_oakley_encdef_doi(type)
int type;
{
int i, res = -1;
for (i = 0; i < ARRAYLEN(oakley_encdef); i++)
if (type == oakley_encdef[i].type) {
res = oakley_encdef[i].doi;
break;
}
return res;
}
int
alg_oakley_encdef_keylen(doi, len)
int doi, len;
{
struct enc_algorithm *f;
f = alg_oakley_encdef(doi);
if (f == NULL || f->keylen == NULL)
return -1;
return (f->keylen)(len);
}
int
alg_oakley_encdef_blocklen(doi)
int doi;
{
struct enc_algorithm *f;
f = alg_oakley_encdef(doi);
if (f == NULL)
return -1;
return f->blocklen;
}
const char *
alg_oakley_encdef_name (doi)
int doi;
{
struct enc_algorithm *f;
f = alg_oakley_encdef(doi);
if (f == NULL)
return "*UNKNOWN*";
return f->name;
}
vchar_t *
alg_oakley_encdef_decrypt(doi, buf, key, iv)
int doi;
vchar_t *buf, *key, *iv;
{
vchar_t *res;
struct enc_algorithm *f;
#ifdef ENABLE_STATS
struct timeval start, end;
#endif
f = alg_oakley_encdef(doi);
if (f == NULL || f->decrypt == NULL)
return NULL;
#ifdef ENABLE_STATS
gettimeofday(&start, NULL);
#endif
res = (f->decrypt)(buf, key, iv);
#ifdef ENABLE_STATS
gettimeofday(&end, NULL);
syslog(LOG_NOTICE, "%s(%s klen=%d size=%d): %8.6f", __func__,
f->name, key->l << 3, buf->l, timedelta(&start, &end));
#endif
return res;
}
vchar_t *
alg_oakley_encdef_encrypt(doi, buf, key, iv)
int doi;
vchar_t *buf, *key, *iv;
{
vchar_t *res;
struct enc_algorithm *f;
#ifdef ENABLE_STATS
struct timeval start, end;
#endif
f = alg_oakley_encdef(doi);
if (f == NULL || f->encrypt == NULL)
return NULL;
#ifdef ENABLE_STATS
gettimeofday(&start, NULL);
#endif
res = (f->encrypt)(buf, key, iv);
#ifdef ENABLE_STATS
gettimeofday(&end, NULL);
syslog(LOG_NOTICE, "%s(%s klen=%d size=%d): %8.6f", __func__,
f->name, key->l << 3, buf->l, timedelta(&start, &end));
#endif
return res;
}
/* ipsec encryption algorithm */
static struct enc_algorithm *
alg_ipsec_encdef(doi)
int doi;
{
int i;
for (i = 0; i < ARRAYLEN(ipsec_encdef); i++)
if (doi == ipsec_encdef[i].doi) {
plog(LLV_DEBUG, LOCATION, NULL, "encryption(%s)\n",
ipsec_encdef[i].name);
return &ipsec_encdef[i];
}
return NULL;
}
int
alg_ipsec_encdef_doi(type)
int type;
{
int i, res = -1;
for (i = 0; i < ARRAYLEN(ipsec_encdef); i++)
if (type == ipsec_encdef[i].type) {
res = ipsec_encdef[i].doi;
break;
}
return res;
}
int
alg_ipsec_encdef_keylen(doi, len)
int doi, len;
{
struct enc_algorithm *f;
f = alg_ipsec_encdef(doi);
if (f == NULL || f->keylen == NULL)
return -1;
return (f->keylen)(len);
}
/* ipsec hmac algorithm */
static struct hmac_algorithm *
alg_ipsec_hmacdef(doi)
int doi;
{
int i;
for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++)
if (doi == ipsec_hmacdef[i].doi) {
plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n",
oakley_hmacdef[i].name);
return &ipsec_hmacdef[i];
}
return NULL;
}
int
alg_ipsec_hmacdef_doi(type)
int type;
{
int i, res = -1;
for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++)
if (type == ipsec_hmacdef[i].type) {
res = ipsec_hmacdef[i].doi;
break;
}
return res;
}
int
alg_ipsec_hmacdef_hashlen(doi)
int doi;
{
struct hmac_algorithm *f;
f = alg_ipsec_hmacdef(doi);
if (f == NULL || f->hashlen == NULL)
return -1;
return (f->hashlen)();
}
/* ip compression */
int
alg_ipsec_compdef_doi(type)
int type;
{
int i, res = -1;
for (i = 0; i < ARRAYLEN(ipsec_compdef); i++)
if (type == ipsec_compdef[i].type) {
res = ipsec_compdef[i].doi;
break;
}
return res;
}
/* dh algorithm */
static struct dh_algorithm *
alg_oakley_dhdef(doi)
int doi;
{
int i;
for (i = 0; i < ARRAYLEN(oakley_dhdef); i++)
if (doi == oakley_dhdef[i].doi) {
plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n",
oakley_dhdef[i].name);
return &oakley_dhdef[i];
}
return NULL;
}
int
alg_oakley_dhdef_ok(doi)
int doi;
{
struct dh_algorithm *f;
f = alg_oakley_dhdef(doi);
if (f == NULL)
return 0;
return 1;
}
int
alg_oakley_dhdef_doi(type)
int type;
{
int i, res = -1;
for (i = 0; i < ARRAYLEN(oakley_dhdef); i++)
if (type == oakley_dhdef[i].type) {
res = oakley_dhdef[i].doi;
break;
}
return res;
}
struct dhgroup *
alg_oakley_dhdef_group(doi)
int doi;
{
struct dh_algorithm *f;
f = alg_oakley_dhdef(doi);
if (f == NULL || f->dhgroup == NULL)
return NULL;
return f->dhgroup;
}
const char *
alg_oakley_dhdef_name (doi)
int doi;
{
struct dh_algorithm *f;
f = alg_oakley_dhdef(doi);
if (f == NULL)
return "*UNKNOWN*";
return f->name;
}
/* authentication method */
int
alg_oakley_authdef_doi(type)
int type;
{
int i, res = -1;
for (i = 0; i < ARRAYLEN(oakley_authdef); i++)
if (type == oakley_authdef[i].type) {
res = oakley_authdef[i].doi;
break;
}
return res;
}
const char *
alg_oakley_authdef_name (doi)
int doi;
{
int i;
for (i = 0; i < ARRAYLEN(oakley_authdef); i++)
if (doi == oakley_authdef[i].doi) {
return oakley_authdef[i].name;
}
return "*UNKNOWN*";
}
/*
* give the default key length
* OUT: -1: NG
* 0: fixed key cipher, key length not allowed
* positive: default key length
*/
int
default_keylen(class, type)
int class, type;
{
switch (class) {
case algclass_isakmp_enc:
case algclass_ipsec_enc:
break;
default:
return 0;
}
switch (type) {
case algtype_blowfish:
case algtype_rc5:
case algtype_cast128:
case algtype_aes:
case algtype_twofish:
return 128;
default:
return 0;
}
}
/*
* check key length
* OUT: -1: NG
* 0: OK
*/
int
check_keylen(class, type, len)
int class, type, len;
{
int badrange;
switch (class) {
case algclass_isakmp_enc:
case algclass_ipsec_enc:
break;
default:
/* unknown class, punt */
plog(LLV_ERROR, LOCATION, NULL,
"unknown algclass %d\n", class);
return -1;
}
/* key length must be multiple of 8 bytes - RFC2451 2.2 */
switch (type) {
case algtype_blowfish:
case algtype_rc5:
case algtype_cast128:
case algtype_aes:
case algtype_twofish:
if (len % 8 != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"key length %d is not multiple of 8\n", len);
return -1;
}
break;
}
/* key length range */
badrange = 0;
switch (type) {
case algtype_blowfish:
if (len < 40 || 448 < len)
badrange++;
break;
case algtype_rc5:
if (len < 40 || 2040 < len)
badrange++;
break;
case algtype_cast128:
if (len < 40 || 128 < len)
badrange++;
break;
case algtype_aes:
if (!(len == 128 || len == 192 || len == 256))
badrange++;
break;
case algtype_twofish:
if (len < 40 || 256 < len)
badrange++;
break;
default:
if (len) {
plog(LLV_ERROR, LOCATION, NULL,
"key length is not allowed");
return -1;
}
break;
}
if (badrange) {
plog(LLV_ERROR, LOCATION, NULL,
"key length out of range\n");
return -1;
}
return 0;
}
/*
* convert algorithm type to DOI value.
* OUT -1 : NG
* other: converted.
*/
int
algtype2doi(class, type)
int class, type;
{
int res = -1;
switch (class) {
case algclass_ipsec_enc:
res = alg_ipsec_encdef_doi(type);
break;
case algclass_ipsec_auth:
res = alg_ipsec_hmacdef_doi(type);
break;
case algclass_ipsec_comp:
res = alg_ipsec_compdef_doi(type);
break;
case algclass_isakmp_enc:
res = alg_oakley_encdef_doi(type);
break;
case algclass_isakmp_hash:
res = alg_oakley_hashdef_doi(type);
break;
case algclass_isakmp_dh:
res = alg_oakley_dhdef_doi(type);
break;
case algclass_isakmp_ameth:
res = alg_oakley_authdef_doi(type);
break;
}
return res;
}
/*
* convert algorithm class to DOI value.
* OUT -1 : NG
* other: converted.
*/
int
algclass2doi(class)
int class;
{
switch (class) {
case algclass_ipsec_enc:
return IPSECDOI_PROTO_IPSEC_ESP;
case algclass_ipsec_auth:
return IPSECDOI_ATTR_AUTH;
case algclass_ipsec_comp:
return IPSECDOI_PROTO_IPCOMP;
case algclass_isakmp_enc:
return OAKLEY_ATTR_ENC_ALG;
case algclass_isakmp_hash:
return OAKLEY_ATTR_HASH_ALG;
case algclass_isakmp_dh:
return OAKLEY_ATTR_GRP_DESC;
case algclass_isakmp_ameth:
return OAKLEY_ATTR_AUTH_METHOD;
default:
return -1;
}
/*NOTREACHED*/
return -1;
}

209
crypto/dist/ipsec-tools/src/racoon/algorithm.h vendored Normal file
View File

@ -0,0 +1,209 @@
/* $Id: algorithm.h,v 1.1.1.1 2005/02/12 11:11:40 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _ALGORITHM_H
#define _ALGORITHM_H
#include <gnuc.h>
/* algorithm class */
enum {
algclass_ipsec_enc,
algclass_ipsec_auth,
algclass_ipsec_comp,
algclass_isakmp_enc,
algclass_isakmp_hash,
algclass_isakmp_dh,
algclass_isakmp_ameth, /* authentication method. */
#define MAXALGCLASS 7
};
#define ALG_DEFAULT_KEYLEN 64
#define ALGTYPE_NOTHING 0
/* algorithm type */
enum algtype {
algtype_nothing = 0,
/* enc */
algtype_des_iv64,
algtype_des,
algtype_3des,
algtype_rc5,
algtype_idea,
algtype_cast128,
algtype_blowfish,
algtype_3idea,
algtype_des_iv32,
algtype_rc4,
algtype_null_enc,
algtype_aes,
algtype_twofish,
/* ipsec auth */
algtype_hmac_md5,
algtype_hmac_sha1,
algtype_des_mac,
algtype_kpdk,
algtype_non_auth,
algtype_hmac_sha2_256,
algtype_hmac_sha2_384,
algtype_hmac_sha2_512,
/* ipcomp */
algtype_oui,
algtype_deflate,
algtype_lzs,
/* hash */
algtype_md5,
algtype_sha1,
algtype_tiger,
algtype_sha2_256,
algtype_sha2_384,
algtype_sha2_512,
/* dh_group */
algtype_modp768,
algtype_modp1024,
algtype_ec2n155,
algtype_ec2n185,
algtype_modp1536,
algtype_modp2048,
algtype_modp3072,
algtype_modp4096,
algtype_modp6144,
algtype_modp8192,
/* authentication method. */
algtype_psk,
algtype_dsssig,
algtype_rsasig,
algtype_rsaenc,
algtype_rsarev,
algtype_gssapikrb,
#ifdef ENABLE_HYBRID
algtype_hybrid_rsa_s,
algtype_hybrid_dss_s,
algtype_hybrid_rsa_c,
algtype_hybrid_dss_c,
#endif
};
struct hmac_algorithm {
char *name;
int type;
int doi;
caddr_t (*init) __P((vchar_t *));
void (*update) __P((caddr_t, vchar_t *));
vchar_t *(*final) __P((caddr_t));
int (*hashlen) __P((void));
vchar_t *(*one) __P((vchar_t *, vchar_t *));
};
struct hash_algorithm {
char *name;
int type;
int doi;
caddr_t (*init) __P((void));
void (*update) __P((caddr_t, vchar_t *));
vchar_t *(*final) __P((caddr_t));
int (*hashlen) __P((void));
vchar_t *(*one) __P((vchar_t *));
};
struct enc_algorithm {
char *name;
int type;
int doi;
int blocklen;
vchar_t *(*encrypt) __P((vchar_t *, vchar_t *, vchar_t *));
vchar_t *(*decrypt) __P((vchar_t *, vchar_t *, vchar_t *));
int (*weakkey) __P((vchar_t *));
int (*keylen) __P((int));
};
/* dh group */
struct dh_algorithm {
char *name;
int type;
int doi;
struct dhgroup *dhgroup;
};
/* ipcomp, auth meth, dh group */
struct misc_algorithm {
char *name;
int type;
int doi;
};
extern int alg_oakley_hashdef_ok __P((int));
extern int alg_oakley_hashdef_doi __P((int));
extern int alg_oakley_hashdef_hashlen __P((int));
extern vchar_t *alg_oakley_hashdef_one __P((int, vchar_t *));
extern int alg_oakley_hmacdef_doi __P((int));
extern vchar_t *alg_oakley_hmacdef_one __P((int, vchar_t *, vchar_t *));
extern int alg_oakley_encdef_ok __P((int));
extern int alg_oakley_encdef_doi __P((int));
extern int alg_oakley_encdef_keylen __P((int, int));
extern int alg_oakley_encdef_blocklen __P((int));
extern vchar_t *alg_oakley_encdef_decrypt __P((int, vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *alg_oakley_encdef_encrypt __P((int, vchar_t *, vchar_t *, vchar_t *));
extern int alg_ipsec_encdef_doi __P((int));
extern int alg_ipsec_encdef_keylen __P((int, int));
extern int alg_ipsec_hmacdef_doi __P((int));
extern int alg_ipsec_hmacdef_hashlen __P((int));
extern int alg_ipsec_compdef_doi __P((int));
extern int alg_oakley_dhdef_doi __P((int));
extern int alg_oakley_dhdef_ok __P((int));
extern struct dhgroup *alg_oakley_dhdef_group __P((int));
extern int alg_oakley_authdef_doi __P((int));
extern int default_keylen __P((int, int));
extern int check_keylen __P((int, int, int));
extern int algtype2doi __P((int, int));
extern int algclass2doi __P((int));
extern const char *alg_oakley_encdef_name __P((int));
extern const char *alg_oakley_hashdef_name __P((int));
extern const char *alg_oakley_dhdef_name __P((int));
extern const char *alg_oakley_authdef_name __P((int));
#endif /* _ALGORITHM_H */

487
crypto/dist/ipsec-tools/src/racoon/backupsa.c vendored Normal file
View File

@ -0,0 +1,487 @@
/* $KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <netinet/in.h>
#ifndef HAVE_NETINET6_IPSEC
#include <netinet/ipsec.h>
#else
#include <netinet6/ipsec.h>
#endif
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>
#else
# if HAVE_SYS_TIME_H
# include <sys/time.h>
# else
# include <time.h>
# endif
#endif
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "str2val.h"
#include "plog.h"
#include "debug.h"
#include "localconf.h"
#include "sockmisc.h"
#include "safefile.h"
#include "backupsa.h"
#include "libpfkey.h"
/*
* (time string)%(sa parameter)
* (time string) := ex. Nov 24 18:22:48 1986
* (sa parameter) :=
* src dst satype spi mode reqid wsize \
* e_type e_keylen a_type a_keylen flags \
* l_alloc l_bytes l_addtime l_usetime seq keymat
*/
static char *format = "%b %d %T %Y"; /* time format */
static char *strmon[12] = {
"Jan", "Feb", "Mar", "Apr", "May", "Jun",
"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};
static char *str2tmx __P((char *, struct tm *));
static int str2num __P((char *, int));
/*
* output the sa parameter.
*/
int
backupsa_to_file(satype, mode, src, dst, spi, reqid, wsize,
keymat, e_type, e_keylen, a_type, a_keylen, flags,
l_alloc, l_bytes, l_addtime, l_usetime, seq)
u_int satype, mode, wsize;
struct sockaddr *src, *dst;
u_int32_t spi, reqid;
caddr_t keymat;
u_int e_type, e_keylen, a_type, a_keylen, flags;
u_int32_t l_alloc;
u_int64_t l_bytes, l_addtime, l_usetime;
u_int32_t seq;
{
char buf[1024];
struct tm *tm;
time_t t;
char *p, *k;
int len, l, i;
FILE *fp;
p = buf;
len = sizeof(buf);
t = time(NULL);
tm = localtime(&t);
l = strftime(p, len, format, tm);
p += l;
len -= l;
if (len < 0)
goto err;
l = snprintf(p, len, "%%");
if (l < 0 || l >= len)
goto err;
p += l;
len -= l;
if (len < 0)
goto err;
i = getnameinfo(src, sysdep_sa_len(src), p, len, NULL, 0, NIFLAGS);
if (i != 0)
goto err;
l = strlen(p);
p += l;
len -= l;
if (len < 0)
goto err;
l = snprintf(p, len, " ");
if (l < 0 || l >= len)
goto err;
p += l;
len -= l;
if (len < 0)
goto err;
i = getnameinfo(dst, sysdep_sa_len(dst), p, len, NULL, 0, NIFLAGS);
if (i != 0)
goto err;
l = strlen(p);
p += l;
len -= l;
if (len < 0)
goto err;
l = snprintf(p, len,
" %u %lu %u %u %u "
"%u %u %u %u %u "
"%u %llu %llu %llu %u",
satype, (unsigned long)ntohl(spi), mode, reqid, wsize,
e_type, e_keylen, a_type, a_keylen, flags,
l_alloc, (unsigned long long)l_bytes,
(unsigned long long)l_addtime, (unsigned long long)l_usetime,
seq);
if (l < 0 || l >= len)
goto err;
p += l;
len -= l;
if (len < 0)
goto err;
k = val2str(keymat, e_keylen + a_keylen);
l = snprintf(p, len, " %s", k);
if (l < 0 || l >= len)
goto err;
racoon_free(k);
p += l;
len -= l;
if (len < 0)
goto err;
/* open the file and write the SA parameter */
if (safefile(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 1) != 0 ||
(fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "a")) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to open the backup file %s.\n",
lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
return -1;
}
fprintf(fp, "%s\n", buf);
fclose(fp);
return 0;
err:
plog(LLV_ERROR, LOCATION, NULL,
"SA cannot be saved to a file.\n");
return -1;
}
int
backupsa_from_file()
{
FILE *fp;
char buf[512];
struct tm tm;
time_t created, current;
char *p, *q;
u_int satype, mode;
struct sockaddr *src, *dst;
u_int32_t spi, reqid;
caddr_t keymat;
size_t keymatlen;
u_int wsize, e_type, e_keylen, a_type, a_keylen, flags;
u_int32_t l_alloc;
u_int64_t l_bytes, l_addtime, l_usetime;
u_int32_t seq;
int line;
if (safefile(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 1) == 0)
fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "r");
else
fp = NULL;
if (fp == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to open the backup file %s.\n",
lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
return -1;
}
current = time(NULL);
for(line = 1; fgets(buf, sizeof(buf), fp) != NULL; line++) {
/* comment line */
if (buf[0] == '#')
continue;
memset(&tm, 0, sizeof(tm));
p = str2tmx(buf, &tm);
if (*p != '%') {
err:
plog(LLV_ERROR, LOCATION, NULL,
"illegal format line#%d in %s: %s\n",
line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], buf);
continue;
}
created = mktime(&tm);
p++;
for (q = p; *q != '\0' && !isspace((int)*q); q++)
;
*q = '\0';
src = str2saddr(p, NULL);
if (src == NULL)
goto err;
p = q + 1;
for (q = p; *q != '\0' && !isspace((int)*q); q++)
;
*q = '\0';
dst = str2saddr(p, NULL);
if (dst == NULL) {
racoon_free(src);
goto err;
}
p = q + 1;
#define GETNEXTNUM(value, function) \
do { \
char *y; \
for (q = p; *q != '\0' && !isspace((int)*q); q++) \
; \
*q = '\0'; \
(value) = function(p, &y, 10); \
if ((value) == 0 && *y != '\0') \
goto err; \
p = q + 1; \
} while (0);
GETNEXTNUM(satype, strtoul);
GETNEXTNUM(spi, strtoul);
spi = ntohl(spi);
GETNEXTNUM(mode, strtoul);
GETNEXTNUM(reqid, strtoul);
GETNEXTNUM(wsize, strtoul);
GETNEXTNUM(e_type, strtoul);
GETNEXTNUM(e_keylen, strtoul);
GETNEXTNUM(a_type, strtoul);
GETNEXTNUM(a_keylen, strtoul);
GETNEXTNUM(flags, strtoul);
GETNEXTNUM(l_alloc, strtoul);
GETNEXTNUM(l_bytes, strtouq);
GETNEXTNUM(l_addtime, strtouq);
GETNEXTNUM(l_usetime, strtouq);
GETNEXTNUM(seq, strtoul);
#undef GETNEXTNUM
keymat = str2val(p, 16, &keymatlen);
if (keymat == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"illegal format(keymat) line#%d in %s: %s\n",
line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], buf);
racoon_free(src);
racoon_free(dst);
continue;
}
if (created + l_addtime < current) {
plog(LLV_DEBUG, LOCATION, NULL,
"ignore this line#%d in %s due to expiration\n",
line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
racoon_free(src);
racoon_free(dst);
racoon_free(keymat);
continue;
}
l_addtime -= current - created;
if (pfkey_send_add(
lcconf->sock_pfkey,
satype,
mode,
src,
dst,
spi,
reqid,
wsize,
keymat,
e_type, e_keylen, a_type, a_keylen, flags,
0, l_bytes, l_addtime, 0, seq) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"restore SA filed line#%d in %s: %s\n",
line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], ipsec_strerror());
}
racoon_free(src);
racoon_free(dst);
racoon_free(keymat);
}
fclose(fp);
/*
* There is a possibility that an abnormal system down will happen
* again before new negotiation will be started. so racoon clears
* the backup file here. it's ok that old SAs are remained in the
* file. any old SA will not be installed because racoon checks the
* lifetime and compare with current time.
*/
return 0;
}
int
backupsa_clean()
{
FILE *fp;
/* simply return if the file is not defined. */
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
return 0;
fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "w+");
if (fp == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to clean the backup file %s.\n",
lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
return -1;
}
fclose(fp);
return 0;
}
/*
* convert fixed string into the tm structure.
* The fixed string is like 'Nov 24 18:22:48 1986'.
* static char *format = "%b %d %T %Y";
*/
static char *
str2tmx(char *p, struct tm *tm)
{
int i, len;
/* Month */
for (i = 0; i < sizeof(strmon)/sizeof(strmon[0]); i++) {
if (strncasecmp(p, strmon[i], strlen(strmon[i])) == 0) {
tm->tm_mon = i;
break;
}
}
if (i == sizeof(strmon)/sizeof(strmon[0]))
return 0;
p += strlen(strmon[i]);
if (*p++ != ' ')
return 0;
/* Day */
len = 2;
tm->tm_mday = str2num(p, len);
if (tm->tm_mday == -1 || tm->tm_mday > 31)
return 0;
p += len;
if (*p++ != ' ')
return 0;
/* Hour */
len = 2;
tm->tm_hour = str2num(p, len);
if (tm->tm_hour == -1 || tm->tm_hour > 24)
return 0;
p += len;
if (*p++ != ':')
return 0;
/* Min */
len = 2;
tm->tm_min = str2num(p, len);
if (tm->tm_min == -1 || tm->tm_min > 60)
return 0;
p += len;
if (*p++ != ':')
return 0;
/* Sec */
len = 2;
tm->tm_sec = str2num(p, len);
if (tm->tm_sec == -1 || tm->tm_sec > 60)
return 0;
p += len;
if (*p++ != ' ')
return 0;
/* Year */
len = 4;
tm->tm_year = str2num(p, len);
if (tm->tm_year == -1 || tm->tm_year < 1900)
return 0;
tm->tm_year -= 1900;
p += len;
return p;
}
static int
str2num(p, len)
char *p;
int len;
{
int res, i;
res = 0;
for (i = len; i > 0; i--) {
if (!isdigit((int)*p))
return -1;
res *= 10;
res += *p - '0';
p++;
}
return res;
}
#ifdef TEST
#include <stdio.h>
int
main()
{
struct tm tm;
time_t t;
char *buf = "Nov 24 18:22:48 1986 ";
char *p;
memset(&tm, 0, sizeof(tm));
p = str2tmx(buf, &tm);
printf("[%x]\n", *p);
t = mktime(&tm);
if (t == -1)
printf("mktime failed.");
p = ctime(&t);
printf("[%s]\n", p);
exit(0);
}
#endif

42
crypto/dist/ipsec-tools/src/racoon/backupsa.h vendored Normal file
View File

@ -0,0 +1,42 @@
/* $Id: backupsa.h,v 1.1.1.1 2005/02/12 11:11:40 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _BACKUPSA_H
#define _BACKUPSA_H
extern int backupsa_to_file __P((u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int,
u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t));
extern int backupsa_from_file __P((void));
extern int backupsa_clean __P((void));
#endif /* _BACKUPSA_H */

2025
crypto/dist/ipsec-tools/src/racoon/cfparse.y vendored Normal file
View File

File diff suppressed because it is too large Load Diff

40
crypto/dist/ipsec-tools/src/racoon/cfparse_proto.h vendored Normal file
View File

@ -0,0 +1,40 @@
/* $Id: cfparse_proto.h,v 1.1.1.1 2005/02/12 11:11:36 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _CFPARSE_PROTO_H
#define _CFPARSE_PROTO_H
/* cfparse.y */
extern int yyparse __P((void));
extern int cfparse __P((void));
extern int cfreparse __P((void));
#endif /* _CFPARSE_PROTO_H */

697
crypto/dist/ipsec-tools/src/racoon/cftoken.l vendored Normal file
View File

@ -0,0 +1,697 @@
/* $Id: cftoken.l,v 1.1.1.1 2005/02/12 11:11:45 manu Exp $ */
%{
/*
* Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#else
# include <netinet/ipsec.h>
#endif
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <limits.h>
#include <ctype.h>
#include <glob.h>
#ifdef HAVE_STDARG_H
#include <stdarg.h>
#else
#include <varargs.h>
#endif
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "debug.h"
#include "algorithm.h"
#include "cfparse_proto.h"
#include "cftoken_proto.h"
#include "localconf.h"
#include "oakley.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "ipsec_doi.h"
#include "proposal.h"
#include "nattraversal.h"
#ifdef GC
#include "gcmalloc.h"
#endif
#include "cfparse.h"
int yyerrorcount = 0;
#if defined(YIPS_DEBUG)
# define YYDB plog(LLV_DEBUG2, LOCATION, NULL, \
"begin <%d>%s\n", yy_start, yytext);
# define YYD { \
plog(LLV_DEBUG2, LOCATION, NULL, "<%d>%s", \
yy_start, loglevel >= LLV_DEBUG2 ? "\n" : ""); \
}
#else
# define YYDB
# define YYD
#endif /* defined(YIPS_DEBUG) */
#define MAX_INCLUDE_DEPTH 10
static struct include_stack {
char *path;
FILE *fp;
YY_BUFFER_STATE prevstate;
int lineno;
glob_t matches;
int matchon;
} incstack[MAX_INCLUDE_DEPTH];
static int incstackp = 0;
static int yy_first_time = 1;
%}
/* common seciton */
nl \n
ws [ \t]+
digit [0-9]
letter [A-Za-z]
hexdigit [0-9A-Fa-f]
/*octet (([01]?{digit}?{digit})|((2([0-4]{digit}))|(25[0-5]))) */
special [()+\|\?\*]
comma \,
dot \.
slash \/
bcl \{
ecl \}
blcl \[
elcl \]
percent \%
semi \;
comment \#.*
ccomment "/*"
bracketstring \<[^>]*\>
quotedstring \"[^"]*\"
addrstring [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
decstring {digit}+
hexstring 0x{hexdigit}+
%s S_INI S_PRIV S_PTH S_INF S_LOG S_PAD S_LST S_RTRY S_CFG
%s S_ALGST S_ALGCL
%s S_SAINF S_SAINFS
%s S_RMT S_RMTS S_RMTP
%s S_SA
%s S_GSSENC
%%
%{
if (yy_first_time) {
BEGIN S_INI;
yy_first_time = 0;
}
%}
/* privsep */
<S_INI>privsep { BEGIN S_PRIV; YYDB; return(PRIVSEP); }
<S_PRIV>{bcl} { return(BOC); }
<S_PRIV>user { YYD; return(USER); }
<S_PRIV>group { YYD; return(GROUP); }
<S_PRIV>{ecl} { BEGIN S_INI; return(EOC); }
/* path */
<S_INI>path { BEGIN S_PTH; YYDB; return(PATH); }
<S_PTH>include { YYD; yylval.num = LC_PATHTYPE_INCLUDE;
return(PATHTYPE); }
<S_PTH>pre_shared_key { YYD; yylval.num = LC_PATHTYPE_PSK;
return(PATHTYPE); }
<S_PTH>certificate { YYD; yylval.num = LC_PATHTYPE_CERT;
return(PATHTYPE); }
<S_PTH>backupsa { YYD; yylval.num = LC_PATHTYPE_BACKUPSA;
return(PATHTYPE); }
<S_PTH>{semi} { BEGIN S_INI; YYDB; return(EOS); }
/* include */
<S_INI>include { YYDB; return(INCLUDE); }
/* self information */
<S_INI>identifier { BEGIN S_INF; YYDB; yywarn("it is obsoleted. use \"my_identifier\" in each remote directives."); return(IDENTIFIER); }
<S_INF>{semi} { BEGIN S_INI; return(EOS); }
/* special */
<S_INI>complex_bundle { YYDB; return(COMPLEX_BUNDLE); }
/* logging */
<S_INI>log { BEGIN S_LOG; YYDB; return(LOGGING); }
<S_LOG>info { YYD; yywarn("it is obsoleted. use \"notify\""); yylval.num = 0; return(LOGLEV); }
<S_LOG>notify { YYD; yylval.num = 0; return(LOGLEV); }
<S_LOG>debug { YYD; yylval.num = 1; return(LOGLEV); }
<S_LOG>debug2 { YYD; yylval.num = 2; return(LOGLEV); }
<S_LOG>debug3 { YYD; yywarn("it is osboleted. use \"debug2\""); yylval.num = 2; return(LOGLEV); }
<S_LOG>debug4 { YYD; yywarn("it is obsoleted. use \"debug2\""); yylval.num = 2; return(LOGLEV); }
<S_LOG>{semi} { BEGIN S_INI; return(EOS); }
/* padding */
<S_INI>padding { BEGIN S_PAD; YYDB; return(PADDING); }
<S_PAD>{bcl} { return(BOC); }
<S_PAD>randomize { YYD; return(PAD_RANDOMIZE); }
<S_PAD>randomize_length { YYD; return(PAD_RANDOMIZELEN); }
<S_PAD>maximum_length { YYD; return(PAD_MAXLEN); }
<S_PAD>strict_check { YYD; return(PAD_STRICT); }
<S_PAD>exclusive_tail { YYD; return(PAD_EXCLTAIL); }
<S_PAD>{ecl} { BEGIN S_INI; return(EOC); }
/* listen */
<S_INI>listen { BEGIN S_LST; YYDB; return(LISTEN); }
<S_LST>{bcl} { return(BOC); }
<S_LST>isakmp { YYD; return(X_ISAKMP); }
<S_LST>isakmp_natt { YYD; return(X_ISAKMP_NATT); }
<S_LST>admin { YYD; return(X_ADMIN); }
<S_LST>adminsock { YYD; return(ADMINSOCK); }
<S_LST>disabled { YYD; return(DISABLED); }
<S_LST>strict_address { YYD; return(STRICT_ADDRESS); }
<S_LST>{ecl} { BEGIN S_INI; return(EOC); }
/* mode_cfg */
<S_INI>mode_cfg { BEGIN S_CFG; YYDB; return(MODECFG); }
<S_CFG>{bcl} { return(BOC); }
<S_CFG>network4 { YYD; return(CFG_NET4); }
<S_CFG>netmask4 { YYD; return(CFG_MASK4); }
<S_CFG>dns4 { YYD; return(CFG_DNS4); }
<S_CFG>wins4 { YYD; return(CFG_NBNS4); }
<S_CFG>auth_source { YYD; return(CFG_AUTH_SOURCE); }
<S_CFG>conf_source { YYD; return(CFG_CONF_SOURCE); }
<S_CFG>accounting { YYD; return(CFG_ACCOUNTING); }
<S_CFG>system { YYD; return(CFG_SYSTEM); }
<S_CFG>local { YYD; return(CFG_LOCAL); }
<S_CFG>none { YYD; return(CFG_NONE); }
<S_CFG>radius { YYD; return(CFG_RADIUS); }
<S_CFG>pam { YYD; return(CFG_PAM); }
<S_CFG>pool_size { YYD; return(CFG_POOL_SIZE); }
<S_CFG>banner { YYD; return(CFG_MOTD); }
<S_CFG>auth_throttle { YYD; return(CFG_AUTH_THROTTLE); }
<S_CFG>{ecl} { BEGIN S_INI; return(EOC); }
/* timer */
<S_INI>timer { BEGIN S_RTRY; YYDB; return(RETRY); }
<S_RTRY>{bcl} { return(BOC); }
<S_RTRY>counter { YYD; return(RETRY_COUNTER); }
<S_RTRY>interval { YYD; return(RETRY_INTERVAL); }
<S_RTRY>persend { YYD; return(RETRY_PERSEND); }
<S_RTRY>phase1 { YYD; return(RETRY_PHASE1); }
<S_RTRY>phase2 { YYD; return(RETRY_PHASE2); }
<S_RTRY>natt_keepalive { YYD; return(NATT_KA); }
<S_RTRY>{ecl} { BEGIN S_INI; return(EOC); }
/* sainfo */
<S_INI>sainfo { BEGIN S_SAINF; YYDB; return(SAINFO); }
<S_SAINF>anonymous { YYD; return(ANONYMOUS); }
<S_SAINF>{blcl}any{elcl} { YYD; return(PORTANY); }
<S_SAINF>any { YYD; return(ANY); }
<S_SAINF>from { YYD; return(FROM); }
/* sainfo spec */
<S_SAINF>{bcl} { BEGIN S_SAINFS; return(BOC); }
<S_SAINF>{semi} { BEGIN S_INI; return(EOS); }
<S_SAINFS>{ecl} { BEGIN S_INI; return(EOC); }
<S_SAINFS>pfs_group { YYD; return(PFS_GROUP); }
<S_SAINFS>identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
<S_SAINFS>my_identifier { YYD; return(MY_IDENTIFIER); }
<S_SAINFS>lifetime { YYD; return(LIFETIME); }
<S_SAINFS>time { YYD; return(LIFETYPE_TIME); }
<S_SAINFS>byte { YYD; return(LIFETYPE_BYTE); }
<S_SAINFS>encryption_algorithm { YYD; yylval.num = algclass_ipsec_enc; return(ALGORITHM_CLASS); }
<S_SAINFS>authentication_algorithm { YYD; yylval.num = algclass_ipsec_auth; return(ALGORITHM_CLASS); }
<S_SAINFS>compression_algorithm { YYD; yylval.num = algclass_ipsec_comp; return(ALGORITHM_CLASS); }
<S_SAINFS>{comma} { YYD; return(COMMA); }
/* remote */
<S_INI>remote { BEGIN S_RMT; YYDB; return(REMOTE); }
<S_RMT>anonymous { YYD; return(ANONYMOUS); }
<S_RMT>inherit { YYD; return(INHERIT); }
/* remote spec */
<S_RMT>{bcl} { BEGIN S_RMTS; return(BOC); }
<S_RMTS>{ecl} { BEGIN S_INI; return(EOC); }
<S_RMTS>exchange_mode { YYD; return(EXCHANGE_MODE); }
<S_RMTS>{comma} { YYD; /* XXX ignored, but to be handled. */ ; }
<S_RMTS>base { YYD; yylval.num = ISAKMP_ETYPE_BASE; return(EXCHANGETYPE); }
<S_RMTS>main { YYD; yylval.num = ISAKMP_ETYPE_IDENT; return(EXCHANGETYPE); }
<S_RMTS>aggressive { YYD; yylval.num = ISAKMP_ETYPE_AGG; return(EXCHANGETYPE); }
<S_RMTS>doi { YYD; return(DOI); }
<S_RMTS>ipsec_doi { YYD; yylval.num = IPSEC_DOI; return(DOITYPE); }
<S_RMTS>situation { YYD; return(SITUATION); }
<S_RMTS>identity_only { YYD; yylval.num = IPSECDOI_SIT_IDENTITY_ONLY; return(SITUATIONTYPE); }
<S_RMTS>secrecy { YYD; yylval.num = IPSECDOI_SIT_SECRECY; return(SITUATIONTYPE); }
<S_RMTS>integrity { YYD; yylval.num = IPSECDOI_SIT_INTEGRITY; return(SITUATIONTYPE); }
<S_RMTS>identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
<S_RMTS>my_identifier { YYD; return(MY_IDENTIFIER); }
<S_RMTS>xauth_login { YYD; return(XAUTH_LOGIN); /* formerly identifier type login */ }
<S_RMTS>peers_identifier { YYD; return(PEERS_IDENTIFIER); }
<S_RMTS>verify_identifier { YYD; return(VERIFY_IDENTIFIER); }
<S_RMTS>certificate_type { YYD; return(CERTIFICATE_TYPE); }
<S_RMTS>ca_type { YYD; return(CA_TYPE); }
<S_RMTS>x509 { YYD; yylval.num = ISAKMP_CERT_X509SIGN; return(CERT_X509); }
<S_RMTS>plain_rsa { YYD; yylval.num = ISAKMP_CERT_PLAINRSA; return(CERT_PLAINRSA); }
<S_RMTS>peers_certfile { YYD; return(PEERS_CERTFILE); }
<S_RMTS>dnssec { YYD; return(DNSSEC); }
<S_RMTS>verify_cert { YYD; return(VERIFY_CERT); }
<S_RMTS>send_cert { YYD; return(SEND_CERT); }
<S_RMTS>send_cr { YYD; return(SEND_CR); }
<S_RMTS>dh_group { YYD; return(DH_GROUP); }
<S_RMTS>nonce_size { YYD; return(NONCE_SIZE); }
<S_RMTS>generate_policy { YYD; return(GENERATE_POLICY); }
<S_RMTS>support_mip6 { YYD; yywarn("it is obsoleted. use \"support_proxy\"."); return(SUPPORT_PROXY); }
<S_RMTS>support_proxy { YYD; return(SUPPORT_PROXY); }
<S_RMTS>initial_contact { YYD; return(INITIAL_CONTACT); }
<S_RMTS>nat_traversal { YYD; return(NAT_TRAVERSAL); }
<S_RMTS>force { YYD; yylval.num = NATT_FORCE; return(NAT_TRAVERSAL_LEVEL); }
<S_RMTS>proposal_check { YYD; return(PROPOSAL_CHECK); }
<S_RMTS>obey { YYD; yylval.num = PROP_CHECK_OBEY; return(PROPOSAL_CHECK_LEVEL); }
<S_RMTS>strict { YYD; yylval.num = PROP_CHECK_STRICT; return(PROPOSAL_CHECK_LEVEL); }
<S_RMTS>exact { YYD; yylval.num = PROP_CHECK_EXACT; return(PROPOSAL_CHECK_LEVEL); }
<S_RMTS>claim { YYD; yylval.num = PROP_CHECK_CLAIM; return(PROPOSAL_CHECK_LEVEL); }
<S_RMTS>keepalive { YYD; return(KEEPALIVE); }
<S_RMTS>passive { YYD; return(PASSIVE); }
<S_RMTS>lifetime { YYD; return(LIFETIME); }
<S_RMTS>time { YYD; return(LIFETYPE_TIME); }
<S_RMTS>byte { YYD; return(LIFETYPE_BYTE); }
<S_RMTS>dpd { YYD; return(DPD); }
<S_RMTS>dpd_delay { YYD; return(DPD_DELAY); }
<S_RMTS>dpd_retry { YYD; return(DPD_RETRY); }
<S_RMTS>dpd_maxfail { YYD; return(DPD_MAXFAIL); }
<S_RMTS>ike_frag { YYD; return(IKE_FRAG); }
<S_RMTS>esp_frag { YYD; return(ESP_FRAG); }
<S_RMTS>script { YYD; return(SCRIPT); }
<S_RMTS>phase1_up { YYD; return(PHASE1_UP); }
<S_RMTS>phase1_down { YYD; return(PHASE1_DOWN); }
<S_RMTS>mode_cfg { YYD; return(MODE_CFG); }
/* remote proposal */
<S_RMTS>proposal { BEGIN S_RMTP; YYDB; return(PROPOSAL); }
<S_RMTP>{bcl} { return(BOC); }
<S_RMTP>{ecl} { BEGIN S_RMTS; return(EOC); }
<S_RMTP>lifetime { YYD; return(LIFETIME); }
<S_RMTP>time { YYD; return(LIFETYPE_TIME); }
<S_RMTP>byte { YYD; return(LIFETYPE_BYTE); }
<S_RMTP>encryption_algorithm { YYD; yylval.num = algclass_isakmp_enc; return(ALGORITHM_CLASS); }
<S_RMTP>authentication_method { YYD; yylval.num = algclass_isakmp_ameth; return(ALGORITHM_CLASS); }
<S_RMTP>hash_algorithm { YYD; yylval.num = algclass_isakmp_hash; return(ALGORITHM_CLASS); }
<S_RMTP>dh_group { YYD; return(DH_GROUP); }
<S_RMTP>gss_id { YYD; return(GSS_ID); }
<S_RMTP>gssapi_id { YYD; return(GSS_ID); } /* for back compatibility */
/* GSS ID encoding type (global) */
<S_INI>gss_id_enc { BEGIN S_GSSENC; YYDB; return(GSS_ID_ENC); }
<S_GSSENC>latin1 { YYD; yylval.num = LC_GSSENC_LATIN1;
return(GSS_ID_ENCTYPE); }
<S_GSSENC>utf-16le { YYD; yylval.num = LC_GSSENC_UTF16LE;
return(GSS_ID_ENCTYPE); }
<S_GSSENC>{semi} { BEGIN S_INI; YYDB; return(EOS); }
/* parameter */
on { YYD; yylval.num = TRUE; return(SWITCH); }
off { YYD; yylval.num = FALSE; return(SWITCH); }
/* prefix */
{slash}{digit}{1,3} {
YYD;
yytext++;
yylval.num = atoi(yytext);
return(PREFIX);
}
/* port number */
{blcl}{decstring}{elcl} {
char *p = yytext;
YYD;
while (*++p != ']') ;
*p = 0;
yytext++;
yylval.num = atoi(yytext);
return(PORT);
}
/* upper protocol */
esp { YYD; yylval.num = IPPROTO_ESP; return(UL_PROTO); }
ah { YYD; yylval.num = IPPROTO_AH; return(UL_PROTO); }
ipcomp { YYD; yylval.num = IPPROTO_IPCOMP; return(UL_PROTO); }
icmp { YYD; yylval.num = IPPROTO_ICMP; return(UL_PROTO); }
icmp6 { YYD; yylval.num = IPPROTO_ICMPV6; return(UL_PROTO); }
tcp { YYD; yylval.num = IPPROTO_TCP; return(UL_PROTO); }
udp { YYD; yylval.num = IPPROTO_UDP; return(UL_PROTO); }
/* algorithm type */
des_iv64 { YYD; yylval.num = algtype_des_iv64; return(ALGORITHMTYPE); }
des { YYD; yylval.num = algtype_des; return(ALGORITHMTYPE); }
3des { YYD; yylval.num = algtype_3des; return(ALGORITHMTYPE); }
rc5 { YYD; yylval.num = algtype_rc5; return(ALGORITHMTYPE); }
idea { YYD; yylval.num = algtype_idea; return(ALGORITHMTYPE); }
cast128 { YYD; yylval.num = algtype_cast128; return(ALGORITHMTYPE); }
blowfish { YYD; yylval.num = algtype_blowfish; return(ALGORITHMTYPE); }
3idea { YYD; yylval.num = algtype_3idea; return(ALGORITHMTYPE); }
des_iv32 { YYD; yylval.num = algtype_des_iv32; return(ALGORITHMTYPE); }
rc4 { YYD; yylval.num = algtype_rc4; return(ALGORITHMTYPE); }
null_enc { YYD; yylval.num = algtype_null_enc; return(ALGORITHMTYPE); }
null { YYD; yylval.num = algtype_null_enc; return(ALGORITHMTYPE); }
aes { YYD; yylval.num = algtype_aes; return(ALGORITHMTYPE); }
rijndael { YYD; yylval.num = algtype_aes; return(ALGORITHMTYPE); }
twofish { YYD; yylval.num = algtype_twofish; return(ALGORITHMTYPE); }
non_auth { YYD; yylval.num = algtype_non_auth; return(ALGORITHMTYPE); }
hmac_md5 { YYD; yylval.num = algtype_hmac_md5; return(ALGORITHMTYPE); }
hmac_sha1 { YYD; yylval.num = algtype_hmac_sha1; return(ALGORITHMTYPE); }
hmac_sha2_256 { YYD; yylval.num = algtype_hmac_sha2_256; return(ALGORITHMTYPE); }
hmac_sha2_384 { YYD; yylval.num = algtype_hmac_sha2_384; return(ALGORITHMTYPE); }
hmac_sha2_512 { YYD; yylval.num = algtype_hmac_sha2_512; return(ALGORITHMTYPE); }
des_mac { YYD; yylval.num = algtype_des_mac; return(ALGORITHMTYPE); }
kpdk { YYD; yylval.num = algtype_kpdk; return(ALGORITHMTYPE); }
md5 { YYD; yylval.num = algtype_md5; return(ALGORITHMTYPE); }
sha1 { YYD; yylval.num = algtype_sha1; return(ALGORITHMTYPE); }
tiger { YYD; yylval.num = algtype_tiger; return(ALGORITHMTYPE); }
sha2_256 { YYD; yylval.num = algtype_sha2_256; return(ALGORITHMTYPE); }
sha2_384 { YYD; yylval.num = algtype_sha2_384; return(ALGORITHMTYPE); }
sha2_512 { YYD; yylval.num = algtype_sha2_512; return(ALGORITHMTYPE); }
oui { YYD; yylval.num = algtype_oui; return(ALGORITHMTYPE); }
deflate { YYD; yylval.num = algtype_deflate; return(ALGORITHMTYPE); }
lzs { YYD; yylval.num = algtype_lzs; return(ALGORITHMTYPE); }
modp768 { YYD; yylval.num = algtype_modp768; return(ALGORITHMTYPE); }
modp1024 { YYD; yylval.num = algtype_modp1024; return(ALGORITHMTYPE); }
modp1536 { YYD; yylval.num = algtype_modp1536; return(ALGORITHMTYPE); }
ec2n155 { YYD; yylval.num = algtype_ec2n155; return(ALGORITHMTYPE); }
ec2n185 { YYD; yylval.num = algtype_ec2n185; return(ALGORITHMTYPE); }
modp2048 { YYD; yylval.num = algtype_modp2048; return(ALGORITHMTYPE); }
modp3072 { YYD; yylval.num = algtype_modp3072; return(ALGORITHMTYPE); }
modp4096 { YYD; yylval.num = algtype_modp4096; return(ALGORITHMTYPE); }
modp6144 { YYD; yylval.num = algtype_modp6144; return(ALGORITHMTYPE); }
modp8192 { YYD; yylval.num = algtype_modp8192; return(ALGORITHMTYPE); }
pre_shared_key { YYD; yylval.num = algtype_psk; return(ALGORITHMTYPE); }
rsasig { YYD; yylval.num = algtype_rsasig; return(ALGORITHMTYPE); }
dsssig { YYD; yylval.num = algtype_dsssig; return(ALGORITHMTYPE); }
rsaenc { YYD; yylval.num = algtype_rsaenc; return(ALGORITHMTYPE); }
rsarev { YYD; yylval.num = algtype_rsarev; return(ALGORITHMTYPE); }
gssapi_krb { YYD; yylval.num = algtype_gssapikrb; return(ALGORITHMTYPE); }
hybrid_rsa_server {
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_hybrid_rsa_s; return(ALGORITHMTYPE);
#else
yyerror("racoon not configured with --enable-hybrid");
#endif
}
hybrid_dss_server {
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_hybrid_dss_s; return(ALGORITHMTYPE);
#else
yyerror("racoon not configured with --enable-hybrid");
#endif
}
hybrid_rsa_client {
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_hybrid_rsa_c; return(ALGORITHMTYPE);
#else
yyerror("racoon not configured with --enable-hybrid");
#endif
}
hybrid_dss_client {
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_hybrid_dss_c; return(ALGORITHMTYPE);
#else
yyerror("racoon not configured with --enable-hybrid");
#endif
}
/* identifier type */
vendor_id { YYD; yywarn("it is obsoleted."); return(VENDORID); }
user_fqdn { YYD; yylval.num = IDTYPE_USERFQDN; return(IDENTIFIERTYPE); }
fqdn { YYD; yylval.num = IDTYPE_FQDN; return(IDENTIFIERTYPE); }
keyid { YYD; yylval.num = IDTYPE_KEYID; return(IDENTIFIERTYPE); }
address { YYD; yylval.num = IDTYPE_ADDRESS; return(IDENTIFIERTYPE); }
asn1dn { YYD; yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); }
certname { YYD; yywarn("certname will be obsoleted in near future."); yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); }
/* units */
B|byte|bytes { YYD; return(UNITTYPE_BYTE); }
KB { YYD; return(UNITTYPE_KBYTES); }
MB { YYD; return(UNITTYPE_MBYTES); }
TB { YYD; return(UNITTYPE_TBYTES); }
sec|secs|second|seconds { YYD; return(UNITTYPE_SEC); }
min|mins|minute|minutes { YYD; return(UNITTYPE_MIN); }
hour|hours { YYD; return(UNITTYPE_HOUR); }
/* boolean */
yes { YYD; yylval.num = TRUE; return(BOOLEAN); }
no { YYD; yylval.num = FALSE; return(BOOLEAN); }
{decstring} {
char *bp;
YYD;
yylval.num = strtol(yytext, &bp, 10);
return(NUMBER);
}
{hexstring} {
char *p;
YYD;
yylval.val = vmalloc(yyleng + (yyleng & 1) + 1);
if (yylval.val == NULL) {
yyerror("vmalloc failed");
return -1;
}
p = yylval.val->v;
*p++ = '0';
*p++ = 'x';
/* fixed string if length is odd. */
if (yyleng & 1)
*p++ = '0';
memcpy(p, &yytext[2], yyleng - 1);
return(HEXSTRING);
}
{quotedstring} {
u_char *p = yytext;
YYD;
while (*++p != '"') ;
*p = '\0';
yylval.val = vmalloc(yyleng - 1);
if (yylval.val == NULL) {
yyerror("vmalloc failed");
return -1;
}
memcpy(yylval.val->v, &yytext[1], yylval.val->l);
return(QUOTEDSTRING);
}
{addrstring} {
YYD;
yylval.val = vmalloc(yyleng + 1);
if (yylval.val == NULL) {
yyerror("vmalloc failed");
return -1;
}
memcpy(yylval.val->v, yytext, yylval.val->l);
return(ADDRSTRING);
}
<<EOF>> {
yy_delete_buffer(YY_CURRENT_BUFFER);
incstackp--;
nextfile:
if (incstack[incstackp].matchon <
incstack[incstackp].matches.gl_pathc) {
char* filepath = incstack[incstackp].matches.gl_pathv[incstack[incstackp].matchon];
incstack[incstackp].matchon++;
incstackp++;
if (yycf_set_buffer(filepath) != 0) {
incstackp--;
goto nextfile;
}
yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE));
BEGIN(S_INI);
} else {
globfree(&incstack[incstackp].matches);
if (incstackp == 0)
yyterminate();
else
yy_switch_to_buffer(incstack[incstackp].prevstate);
}
}
/* ... */
{ws} { ; }
{nl} { incstack[incstackp].lineno++; }
{comment} { YYD; }
{semi} { return(EOS); }
. { yymore(); }
%%
void
yyerror(char *s, ...)
{
char fmt[512];
va_list ap;
#ifdef HAVE_STDARG_H
va_start(ap, s);
#else
va_start(ap);
#endif
snprintf(fmt, sizeof(fmt), "%s:%d: \"%s\" %s\n",
incstack[incstackp].path, incstack[incstackp].lineno,
yytext, s);
plogv(LLV_ERROR, LOCATION, NULL, fmt, ap);
va_end(ap);
yyerrorcount++;
}
void
yywarn(char *s, ...)
{
char fmt[512];
va_list ap;
#ifdef HAVE_STDARG_H
va_start(ap, s);
#else
va_start(ap);
#endif
snprintf(fmt, sizeof(fmt), "%s:%d: \"%s\" %s\n",
incstack[incstackp].path, incstack[incstackp].lineno,
yytext, s);
plogv(LLV_WARNING, LOCATION, NULL, fmt, ap);
va_end(ap);
}
int
yycf_switch_buffer(path)
char *path;
{
char *filepath = NULL;
/* got the include file name */
if (incstackp >= MAX_INCLUDE_DEPTH) {
plog(LLV_ERROR, LOCATION, NULL,
"Includes nested too deeply");
return -1;
}
if (glob(path, GLOB_TILDE, NULL, &incstack[incstackp].matches) != 0 ||
incstack[incstackp].matches.gl_pathc == 0) {
plog(LLV_ERROR, LOCATION, NULL,
"glob found no matches for path");
return -1;
}
incstack[incstackp].matchon = 0;
incstack[incstackp].prevstate = YY_CURRENT_BUFFER;
nextmatch:
if (incstack[incstackp].matchon >= incstack[incstackp].matches.gl_pathc)
return -1;
filepath =
incstack[incstackp].matches.gl_pathv[incstack[incstackp].matchon];
incstack[incstackp].matchon++;
incstackp++;
if (yycf_set_buffer(filepath) != 0) {
incstackp--;
goto nextmatch;
}
yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE));
BEGIN(S_INI);
return 0;
}
int
yycf_set_buffer(path)
char *path;
{
yyin = fopen(path, "r");
if (yyin == NULL) {
fprintf(stderr, "failed to open file %s (%s)\n",
path, strerror(errno));
plog(LLV_ERROR, LOCATION, NULL,
"failed to open file %s (%s)\n",
path, strerror(errno));
return -1;
}
/* initialize */
incstack[incstackp].fp = yyin;
incstack[incstackp].path = strdup(path);
incstack[incstackp].lineno = 1;
plog(LLV_DEBUG, LOCATION, NULL,
"reading config file %s\n", path);
return 0;
}
void
yycf_init_buffer()
{
int i;
for (i = 0; i < MAX_INCLUDE_DEPTH; i++)
memset(&incstack[i], 0, sizeof(incstack[i]));
incstackp = 0;
}
void
yycf_clean_buffer()
{
int i;
for (i = 0; i < MAX_INCLUDE_DEPTH; i++) {
if (incstack[i].path != NULL) {
fclose(incstack[i].fp);
racoon_free(incstack[i].path);
incstack[i].path = NULL;
}
}
}

46
crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h vendored Normal file
View File

@ -0,0 +1,46 @@
/* $Id: cftoken_proto.h,v 1.1.1.1 2005/02/12 11:11:43 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _CFTOKEN_PROTO_H
#define _CFTOKEN_PROTO_H
extern int yyerrorcount;
extern int yylex __P((void));
extern void yyerror __P((char *, ...));
extern void yywarn __P((char *, ...));
extern int yycf_switch_buffer __P((char *));
extern int yycf_set_buffer __P((char *));
extern void yycf_init_buffer __P((void));
extern void yycf_clean_buffer __P((void));
#endif /* _CFTOKEN_PROTO_H */

21
crypto/dist/ipsec-tools/src/racoon/contrib/sp.pl vendored Normal file
View File

@ -0,0 +1,21 @@
#! /usr/pkg/bin/perl
die "insufficient arguments" if (scalar(@ARGV) < 2);
$src = $ARGV[0];
$dst = $ARGV[1];
$mode = 'transport';
if (scalar(@ARGV) > 2) {
$mode = $ARGV[2];
}
open(OUT, "|setkey -c");
if ($mode eq 'transport') {
print STDERR "install esp transport mode: $src -> $dst\n";
print OUT "spdadd $src $dst any -P out ipsec esp/transport//require;\n";
print OUT "spdadd $dst $src any -P in ipsec esp/transport//require;\n";
} elsif ($mode eq 'delete') {
print STDERR "delete policy: $src -> $dst\n";
print OUT "spddelete $src $dst any -P out;\n";
print OUT "spddelete $dst $src any -P in;\n";
}
close(OUT);

2420
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

224
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h vendored Normal file
View File

@ -0,0 +1,224 @@
/* $Id: crypto_openssl.h,v 1.1.1.1 2005/02/12 11:11:50 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _CRYPTO_OPENSSL_H
#define _CRYPTO_OPENSSL_H
#include "crypto_openssl.h"
#include <openssl/x509v3.h>
#include <openssl/rsa.h>
#define GENT_OTHERNAME GEN_OTHERNAME
#define GENT_EMAIL GEN_EMAIL
#define GENT_DNS GEN_DNS
#define GENT_X400 GEN_X400
#define GENT_DIRNAME GEN_DIRNAME
#define GENT_EDIPARTY GEN_EDIPARTY
#define GENT_URI GEN_URI
#define GENT_IPADD GEN_IPADD
#define GENT_RID GEN_RID
extern vchar_t *eay_str2asn1dn __P((const char *, int));
extern vchar_t *eay_hex2asn1dn __P((const char *, int));
extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *));
extern int eay_check_x509cert __P((vchar_t *, char *, char *, int));
extern vchar_t *eay_get_x509asn1subjectname __P((vchar_t *));
extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int));
extern char *eay_get_x509text __P((vchar_t *));
extern vchar_t *eay_get_x509cert __P((char *));
extern vchar_t *eay_get_x509sign __P((vchar_t *, vchar_t *));
extern int eay_check_x509sign __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_check_rsasign __P((vchar_t *, vchar_t *, RSA *));
extern vchar_t *eay_get_rsasign __P((vchar_t *, RSA *));
/* RSA */
extern vchar_t *eay_rsa_sign __P((vchar_t *, RSA *));
extern int eay_rsa_verify __P((vchar_t *, vchar_t *, RSA *));
/* ASN.1 */
extern vchar_t *eay_get_pkcs1privkey __P((char *));
extern vchar_t *eay_get_pkcs1pubkey __P((char *));
/* string error */
extern char *eay_strerror __P((void));
/* OpenSSL initialization */
extern void eay_init __P((void));
/* Generic EVP */
extern vchar_t *evp_crypt __P((vchar_t *data, vchar_t *key, vchar_t *iv,
const EVP_CIPHER *e, int enc));
extern int evp_weakkey __P((vchar_t *key, const EVP_CIPHER *e));
extern int evp_keylen __P((int len, const EVP_CIPHER *e));
/* DES */
extern vchar_t *eay_des_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_des_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_des_weakkey __P((vchar_t *));
extern int eay_des_keylen __P((int));
/* IDEA */
extern vchar_t *eay_idea_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_idea_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_idea_weakkey __P((vchar_t *));
extern int eay_idea_keylen __P((int));
/* blowfish */
extern vchar_t *eay_bf_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_bf_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_bf_weakkey __P((vchar_t *));
extern int eay_bf_keylen __P((int));
/* RC5 */
extern vchar_t *eay_rc5_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_rc5_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_rc5_weakkey __P((vchar_t *));
extern int eay_rc5_keylen __P((int));
/* 3DES */
extern vchar_t *eay_3des_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_3des_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_3des_weakkey __P((vchar_t *));
extern int eay_3des_keylen __P((int));
/* CAST */
extern vchar_t *eay_cast_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_cast_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_cast_weakkey __P((vchar_t *));
extern int eay_cast_keylen __P((int));
/* AES(RIJNDAEL) */
extern vchar_t *eay_aes_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_aes_weakkey __P((vchar_t *));
extern int eay_aes_keylen __P((int));
/* misc */
extern int eay_null_keylen __P((int));
extern int eay_null_hashlen __P((void));
extern int eay_kpdk_hashlen __P((void));
extern int eay_twofish_keylen __P((int));
/* hash */
#if defined(WITH_SHA2)
/* HMAC SHA2 */
extern vchar_t *eay_hmacsha2_512_one __P((vchar_t *, vchar_t *));
extern caddr_t eay_hmacsha2_512_init __P((vchar_t *));
extern void eay_hmacsha2_512_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_hmacsha2_512_final __P((caddr_t));
extern vchar_t *eay_hmacsha2_384_one __P((vchar_t *, vchar_t *));
extern caddr_t eay_hmacsha2_384_init __P((vchar_t *));
extern void eay_hmacsha2_384_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_hmacsha2_384_final __P((caddr_t));
extern vchar_t *eay_hmacsha2_256_one __P((vchar_t *, vchar_t *));
extern caddr_t eay_hmacsha2_256_init __P((vchar_t *));
extern void eay_hmacsha2_256_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_hmacsha2_256_final __P((caddr_t));
#endif
/* HMAC SHA1 */
extern vchar_t *eay_hmacsha1_one __P((vchar_t *, vchar_t *));
extern caddr_t eay_hmacsha1_init __P((vchar_t *));
extern void eay_hmacsha1_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_hmacsha1_final __P((caddr_t));
/* HMAC MD5 */
extern vchar_t *eay_hmacmd5_one __P((vchar_t *, vchar_t *));
extern caddr_t eay_hmacmd5_init __P((vchar_t *));
extern void eay_hmacmd5_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_hmacmd5_final __P((caddr_t));
#if defined(WITH_SHA2)
/* SHA2 functions */
extern caddr_t eay_sha2_512_init __P((void));
extern void eay_sha2_512_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_sha2_512_final __P((caddr_t));
extern vchar_t *eay_sha2_512_one __P((vchar_t *));
#endif
extern int eay_sha2_512_hashlen __P((void));
#if defined(WITH_SHA2)
extern caddr_t eay_sha2_384_init __P((void));
extern void eay_sha2_384_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_sha2_384_final __P((caddr_t));
extern vchar_t *eay_sha2_384_one __P((vchar_t *));
#endif
extern int eay_sha2_384_hashlen __P((void));
#if defined(WITH_SHA2)
extern caddr_t eay_sha2_256_init __P((void));
extern void eay_sha2_256_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_sha2_256_final __P((caddr_t));
extern vchar_t *eay_sha2_256_one __P((vchar_t *));
#endif
extern int eay_sha2_256_hashlen __P((void));
/* SHA functions */
extern caddr_t eay_sha1_init __P((void));
extern void eay_sha1_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_sha1_final __P((caddr_t));
extern vchar_t *eay_sha1_one __P((vchar_t *));
extern int eay_sha1_hashlen __P((void));
/* MD5 functions */
extern caddr_t eay_md5_init __P((void));
extern void eay_md5_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_md5_final __P((caddr_t));
extern vchar_t *eay_md5_one __P((vchar_t *));
extern int eay_md5_hashlen __P((void));
/* RNG */
extern vchar_t *eay_set_random __P((u_int32_t));
extern u_int32_t eay_random __P((void));
/* DH */
extern int eay_dh_generate __P((vchar_t *, u_int32_t, u_int, vchar_t **, vchar_t **));
extern int eay_dh_compute __P((vchar_t *, u_int32_t, vchar_t *, vchar_t *, vchar_t *, vchar_t **));
/* Base 64 */
vchar_t *base64_encode(char *in, long inlen);
vchar_t *base64_decode(char *in, long inlen);
RSA *base64_pubkey2rsa(char *in);
RSA *bignum_pubkey2rsa(BIGNUM *in);
/* misc */
extern int eay_revbnl __P((vchar_t *));
#include <openssl/bn.h>
extern int eay_v2bn __P((BIGNUM **, vchar_t *));
extern int eay_bn2v __P((vchar_t **, BIGNUM *));
extern const char *eay_version __P((void));
#define CBC_BLOCKLEN 8
#define IPSEC_ENCRYPTKEYLEN 8
#endif /* _CRYPTO_OPENSSL_H */

39
crypto/dist/ipsec-tools/src/racoon/debug.h vendored Normal file
View File

@ -0,0 +1,39 @@
/* $Id: debug.h,v 1.1.1.1 2005/02/12 11:11:50 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _DEBUG_H
#define _DEBUG_H
/* define by main.c */
extern int f_local;
extern int vflag;
#endif /* _DEBUG_H */

276
crypto/dist/ipsec-tools/src/racoon/debugrm.c vendored Normal file
View File

@ -0,0 +1,276 @@
/* $KAME: debugrm.c,v 1.6 2001/12/13 16:07:46 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#define NONEED_DRM
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>
#include <err.h>
#include "debugrm.h"
#include "vmbuf.h" /* need to mask vmbuf.c functions. */
#define DRMLISTSIZE 1024
struct drm_list_t {
void *ptr;
char msg[100];
};
static struct drm_list_t drmlist[DRMLISTSIZE];
static int drm_unknown;
static void DRM_add __P((void *, char *));
static void DRM_del __P((void *));
static void DRM_setmsg __P((char *, int, void *, int, char *, int, char *));
void
DRM_init()
{
int i;
drm_unknown = 0;
for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++)
drmlist[i].ptr = 0;
}
void
DRM_dump()
{
FILE *fp;
int i;
fp = fopen(DRMDUMPFILE, "w");
if (fp == NULL)
err(1, "fopen"); /*XXX*/
fprintf(fp, "drm_unknown=%d\n", drm_unknown);
for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
if (drmlist[i].ptr)
fprintf(fp, "%s\n", drmlist[i].msg);
}
fclose(fp);
}
static void
DRM_add(p, msg)
void *p;
char *msg;
{
int i;
for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
if (!drmlist[i].ptr) {
drmlist[i].ptr = p;
strlcpy(drmlist[i].msg, msg, sizeof(drmlist[i].msg));
return;
}
}
}
static void
DRM_del(p)
void *p;
{
int i;
if (!p)
return;
for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
if (drmlist[i].ptr == p) {
drmlist[i].ptr = 0;
return;
}
}
drm_unknown++;
}
static void
DRM_setmsg(buf, buflen, ptr, size, file, line, func)
char *buf, *file, *func;
int buflen, size, line;
void *ptr;
{
time_t t;
struct tm *tm;
int len;
t = time(NULL);
tm = localtime(&t);
len = strftime(buf, buflen, "%Y/%m/%d:%T ", tm);
snprintf(buf + len, buflen - len, "%p %6d %s:%d:%s",
ptr, size, file , line, func);
}
void *
DRM_malloc(file, line, func, size)
char *file, *func;
int line;
size_t size;
{
void *p;
p = malloc(size);
if (p) {
char buf[1024];
DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
DRM_add(p, buf);
}
return p;
}
void *
DRM_calloc(file, line, func, number, size)
char *file, *func;
int line;
size_t number, size;
{
void *p;
p = calloc(number, size);
if (p) {
char buf[1024];
DRM_setmsg(buf, sizeof(buf), p, number * size, file, line, func);
DRM_add(p, buf);
}
return p;
}
void *
DRM_realloc(file, line, func, ptr, size)
char *file, *func;
int line;
void *ptr;
size_t size;
{
void *p;
p = realloc(ptr, size);
if (p) {
char buf[1024];
if (ptr && p != ptr) {
DRM_del(ptr);
DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
DRM_add(p, buf);
}
}
return p;
}
void
DRM_free(file, line, func, ptr)
char *file, *func;
int line;
void *ptr;
{
DRM_del(ptr);
free(ptr);
}
/*
* mask vmbuf.c functions.
*/
void *
DRM_vmalloc(file, line, func, size)
char *file, *func;
int line;
size_t size;
{
void *p;
p = vmalloc(size);
if (p) {
char buf[1024];
DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
DRM_add(p, buf);
}
return p;
}
void *
DRM_vrealloc(file, line, func, ptr, size)
char *file, *func;
int line;
void *ptr;
size_t size;
{
void *p;
p = vrealloc(ptr, size);
if (p) {
char buf[1024];
if (ptr && p != ptr) {
DRM_del(ptr);
DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
DRM_add(p, buf);
}
}
return p;
}
void
DRM_vfree(file, line, func, ptr)
char *file, *func;
int line;
void *ptr;
{
DRM_del(ptr);
vfree(ptr);
}
void *
DRM_vdup(file, line, func, ptr)
char *file, *func;
int line;
void *ptr;
{
void *p;
p = vdup(ptr);
if (p) {
char buf[1024];
DRM_setmsg(buf, sizeof(buf), p, 0, file, line, func);
DRM_add(p, buf);
}
return p;
}

92
crypto/dist/ipsec-tools/src/racoon/debugrm.h vendored Normal file
View File

@ -0,0 +1,92 @@
/* $Id: debugrm.h,v 1.1.1.1 2005/02/12 11:11:50 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _DEBUGRM_H
#define _DEBUGRM_H
#define DRMDUMPFILE "/var/tmp/debugrm.dump"
#ifdef NONEED_DRM
#ifndef racoon_malloc
#define racoon_malloc(sz) malloc((sz))
#endif
#ifndef racoon_calloc
#define racoon_calloc(cnt, sz) calloc((cnt), (sz))
#endif
#ifndef racoon_realloc
#define racoon_realloc(old, sz) realloc((old), (sz))
#endif
#ifndef racoon_free
#define racoon_free(p) free((p))
#endif
#else /*!NONEED_DRM*/
#ifndef racoon_malloc
#define racoon_malloc(sz) \
DRM_malloc(__FILE__, __LINE__, __func__, (sz))
#endif
#ifndef racoon_calloc
#define racoon_calloc(cnt, sz) \
DRM_calloc(__FILE__, __LINE__, __func__, (cnt), (sz))
#endif
#ifndef racoon_realloc
#define racoon_realloc(old, sz) \
DRM_realloc(__FILE__, __LINE__, __func__, (old), (sz))
#endif
#ifndef racoon_free
#define racoon_free(p) \
DRM_free(__FILE__, __LINE__, __func__, (p))
#endif
#endif /*NONEED_DRM*/
extern void DRM_init __P((void));
extern void DRM_dump __P((void));
extern void *DRM_malloc __P((char *, int, char *, size_t));
extern void *DRM_calloc __P((char *, int, char *, size_t, size_t));
extern void *DRM_realloc __P((char *, int, char *, void *, size_t));
extern void DRM_free __P((char *, int, char *, void *));
#ifndef NONEED_DRM
#define vmalloc(sz) \
DRM_vmalloc(__FILE__, __LINE__, __func__, (sz))
#define vdup(old) \
DRM_vdup(__FILE__, __LINE__, __func__, (old))
#define vrealloc(old, sz) \
DRM_vrealloc(__FILE__, __LINE__, __func__, (old), (sz))
#define vfree(p) \
DRM_vfree(__FILE__, __LINE__, __func__, (p))
#endif
extern void *DRM_vmalloc __P((char *, int, char *, size_t));
extern void *DRM_vrealloc __P((char *, int, char *, void *, size_t));
extern void DRM_vfree __P((char *, int, char *, void *));
extern void *DRM_vdup __P((char *, int, char *, void *));
#endif /* _DEBUGRM_H */

203
crypto/dist/ipsec-tools/src/racoon/dhgroup.h vendored Normal file
View File

@ -0,0 +1,203 @@
/* $Id: dhgroup.h,v 1.1.1.1 2005/02/12 11:11:51 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _DHGROUP_H
#define _DHGROUP_H
#define OAKLEY_PRIME_MODP768 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
"E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"
#define OAKLEY_PRIME_MODP1024 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381" \
"FFFFFFFF FFFFFFFF"
#define OAKLEY_PRIME_MODP1536 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
"670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF"
/* RFC 3526 */
#define OAKLEY_PRIME_MODP2048 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
"E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
"DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
"15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"
#define OAKLEY_PRIME_MODP3072 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
"E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
"DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
"15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
"ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
"ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
"F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
"BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
"43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF"
#define OAKLEY_PRIME_MODP4096 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
"E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
"DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
"15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
"ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
"ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
"F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
"BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
"43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
"88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
"2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
"287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
"1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
"93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199" \
"FFFFFFFF FFFFFFFF"
#define OAKLEY_PRIME_MODP6144 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
"E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
"DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
"15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
"ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
"ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
"F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
"BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
"43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
"88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
"2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
"287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
"1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
"93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
"36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD" \
"F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831" \
"179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B" \
"DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF" \
"5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6" \
"D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3" \
"23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
"CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328" \
"06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C" \
"DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE" \
"12BF2D5B 0B7474D6 E694F91E 6DCC4024 FFFFFFFF FFFFFFFF"
#define OAKLEY_PRIME_MODP8192 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
"E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
"DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
"15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
"ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
"ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
"F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
"BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
"43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
"88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
"2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
"287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
"1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
"93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
"36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD" \
"F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831" \
"179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B" \
"DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF" \
"5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6" \
"D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3" \
"23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
"CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328" \
"06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C" \
"DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE" \
"12BF2D5B 0B7474D6 E694F91E 6DBE1159 74A3926F 12FEE5E4" \
"38777CB6 A932DF8C D8BEC4D0 73B931BA 3BC832B6 8D9DD300" \
"741FA7BF 8AFC47ED 2576F693 6BA42466 3AAB639C 5AE4F568" \
"3423B474 2BF1C978 238F16CB E39D652D E3FDB8BE FC848AD9" \
"22222E04 A4037C07 13EB57A8 1A23F0C7 3473FC64 6CEA306B" \
"4BCBC886 2F8385DD FA9D4B7F A2C087E8 79683303 ED5BDD3A" \
"062B3CF5 B3A278A6 6D2A13F8 3F44F82D DF310EE0 74AB6A36" \
"4597E899 A0255DC1 64F31CC5 0846851D F9AB4819 5DED7EA1" \
"B1D510BD 7EE74D73 FAF36BC3 1ECFA268 359046F4 EB879F92" \
"4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47" \
"9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71" \
"60C980DD 98EDD3DF FFFFFFFF FFFFFFFF"
extern struct dhgroup dh_modp768;
extern struct dhgroup dh_modp1024;
extern struct dhgroup dh_modp1536;
extern struct dhgroup dh_modp2048;
extern struct dhgroup dh_modp3072;
extern struct dhgroup dh_modp4096;
extern struct dhgroup dh_modp6144;
extern struct dhgroup dh_modp8192;
#endif /* _DHGROUP_H */

149
crypto/dist/ipsec-tools/src/racoon/dnssec.c vendored Normal file
View File

@ -0,0 +1,149 @@
/* $KAME: dnssec.c,v 1.2 2001/08/05 18:46:07 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <stdlib.h>
#include <string.h>
#include "var.h"
#include "vmbuf.h"
#include "misc.h"
#include "plog.h"
#include "debug.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "ipsec_doi.h"
#include "oakley.h"
#include "netdb_dnssec.h"
#include "strnames.h"
#include "dnssec.h"
#include "gcmalloc.h"
extern int h_errno;
cert_t *
dnssec_getcert(id)
vchar_t *id;
{
cert_t *cert = NULL;
struct certinfo *res = NULL;
struct ipsecdoi_id_b *id_b;
int type;
char *name = NULL;
int namelen;
int error;
id_b = (struct ipsecdoi_id_b *)id->v;
namelen = id->l - sizeof(*id_b);
name = racoon_malloc(namelen + 1);
if (!name) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get buffer.\n");
return NULL;
}
memcpy(name, id_b + 1, namelen);
name[namelen] = '\0';
switch (id_b->type) {
case IPSECDOI_ID_FQDN:
error = getcertsbyname(name, &res);
if (error != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"getcertsbyname(\"%s\") failed.\n", name);
goto err;
}
break;
case IPSECDOI_ID_IPV4_ADDR:
case IPSECDOI_ID_IPV6_ADDR:
/* XXX should be processed to query PTR ? */
default:
plog(LLV_ERROR, LOCATION, NULL,
"inpropper ID type passed %s "
"though getcert method is dnssec.\n",
s_ipsecdoi_ident(id_b->type));
return NULL;
}
/* check response */
if (res->ci_next == NULL) {
plog(LLV_WARNING, LOCATION, NULL,
"not supported multiple CERT RR.\n");
}
switch (res->ci_type) {
case DNSSEC_TYPE_PKIX:
/* XXX is it enough condition to set this type ? */
type = ISAKMP_CERT_X509SIGN;
break;
default:
plog(LLV_ERROR, LOCATION, NULL,
"not supported CERT RR type %d.\n", res->ci_type);
goto err;
}
/* create cert holder */
cert = oakley_newcert();
if (cert == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get cert buffer.\n");
goto err;
}
cert->pl = vmalloc(res->ci_certlen + 1);
if (cert->pl == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get cert buffer.\n");
goto err;
}
memcpy(cert->pl->v + 1, res->ci_cert, res->ci_certlen);
cert->pl->v[0] = type;
cert->cert.v = cert->pl->v + 1;
cert->cert.l = cert->pl->l - 1;
plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n");
plogdump(LLV_DEBUG, cert->pl->v, cert->pl->l);
end:
if (res)
freecertinfo(res);
return cert;
err:
if (name)
racoon_free(name);
if (cert)
oakley_delcert(cert);
goto end;
}

37
crypto/dist/ipsec-tools/src/racoon/dnssec.h vendored Normal file
View File

@ -0,0 +1,37 @@
/* $Id: dnssec.h,v 1.1.1.1 2005/02/12 11:11:51 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _DNSSEC_H
#define _DNSSEC_H
extern cert_t *dnssec_getcert __P((vchar_t *));
#endif /* _DNSSEC_H */

106
crypto/dist/ipsec-tools/src/racoon/doc/FAQ vendored Normal file
View File

@ -0,0 +1,106 @@
This document is derived from the KAME racoon FAQ. Some answers do not
apply to ipsec-tools (they are obsolete or not up to date). They are
tagged [KAME]
Q: With what other IKE/IPsec implementation racoon is known to be interoperable?
A: [KAME]
See "IMPLEMENTATION" document supplied with KAME kit, or:
http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION
As we have tested/got test reports in the past, and our end and
the other end may have changed their implemenations, we are not sure
if we can interoperate with them today (we hope them to interoperate,
but we are not sure).
Also note that, IKE interoperability highly depends on configuration
on both ends. You must configure both ends exactly the same.
Q: How can I make racoon interoperate with <IKE/IPsec implementation>?
A:
Configure both ends exactly the same. With just a tiny little
differnce, you will be in trouble.
Q: How to build racoon on my platform?
A:
As usual: configure && make && make install
ipsec-tools is also available as a package in the NetBSD pkgsrc
Q: Describe me the options to "configure".
A:
--enable-adminport:
Lets racoon to listen to racoon admin port, which is to
be contacted by racoonctl(8).
--enable-natt:
Enable NAT-Traversal. This needs kernel support, which is
available on Linux. On NetBSD, NAT-Traversal kernel support
has not been integrated yet, you can get it from here:
http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff
If you live in a country where software patents are legal,
using NAT-Traversal might infringe a patent.
--enable-frag:
Enable IKE fragmentation, which is a workaround for
broken routers that drop fragmented packets
--enable-hybrid:
Enable hybrid authentication, and ISAKMP mode config and
Xauth as well. Note that plain Xauth (without hybrid auth)
is not implemented.
--with-libradius:
Enable the use of RADIUS with hybrid authentication on the
server side. RADIUS is used for authentication, configuration
and accounting.
--with-libpam:
Enable the use of PAM with hybrid authentication on the
server side. PAM can be used for authentication and accounting.
--enable-gssapi:
Enable GSS-API, for Kerberos V support.
--enable-stats:
Enable statistics logging function.
--enable-samode-unspec:
Enable to use unspecified a mode of SA.
--enable-ipv6:
Enable IPv6 support.
--with-kernel-headers:
Supply the location of Linux kernel headers.
--with-readline:
Support readline input (yes by default).
--with-openssl:
Specify OpenSSL directory.
--sysconfdir:
Where racoon config file goes. Default is /etc, which means
that racoon will look for /etc/racoon.conf
--localstatedir:
Where is the directory where racoon stores the control socket
(when using --enable-adminport). Default is /var, which
means racoon will use /var/racoon/racoon.sock
--prefix:
Where racoon gets installed.
Q: How can I get help?
A:
Always identify your operating system platforms, the versions you are
using (like "ipsec-tools-0.5"), and information to repeat the
problem. The more revelant information you supply, the better your
chances of getting help are. Useful informations include, depending
of the problem:
- version identification
- trace from racoon, taken by "racoon -d 0xffffffff"
(maximum debug level)
- configuration file you are using
- probabaly, tcpdump trace
http://orange.kame.net/dev/send-pr.html has the guideline.
If your question is not confidential, send your questions to:
<ipsec-tools-devel@lists.sourceforge.net>
If your question is confidential, send your questions to:
<ipsec-tools-core@lists.sourceforge.net>
Q: Other documents to look at?
A:
http://www.netbsd.org/Documentation/network/ipsec/
http://www.kame.net/
http://www.kame.net/newsletter/

1
crypto/dist/ipsec-tools/src/racoon/doc/README.certificate vendored Normal file
View File

@ -0,0 +1 @@
See http://www.kame.net/newsletter/20001119b/

106
crypto/dist/ipsec-tools/src/racoon/doc/README.gssapi vendored Normal file
View File

@ -0,0 +1,106 @@
The gss-api authentication mechanism implementation for racoon was
based on the ietf draft draft-ietf-ipsec-isakmp-gss-auth-06.txt.
The implementation uses the Heimdal gss-api library, i.e. gss-api
on top of Kerberos 5. The Heimdal gss-api library had to be modified
to meet the requirements of using gss-api in a daemon. More specifically,
the gss_acquire_cred() call did not work for other cases than
GSS_C_NO_CREDENTIAL ("use default creds"). Daemons are often started
as root, and have no Kerberos 5 credentials, so racoon explicitly
needs to acquire its credentials. The usual method (already used
by login authentication daemons) in these situations is to add
a set of special credentials to be used. For example, authentication
by daemons concerned with login credentials, uses 'host/fqdn' as
its credential, where fqdn is the hostname on the interface that
is being used. These special credentials need to be extracted into
a local keytab from the kdc. The default value used in racoon
is 'ike/fqdn', but it can be overridden in the racoon config file.
The modification to the Heimdal gss-api library implements the
mechanism above. If a credential other than GSS_C_NO_CREDENTIAL
is specified to gss_acquire_cred(), it first looks in the default
credential cache if it its principal matches the desired credential.
If not, it extracts it from the default keytab file, and stores
it in a memory-based credential cache, part of the gss credential
structure.
The modifcations to racoon itself are as follows:
* The racoon.conf config file accepts a new keyword, "gssapi_id",
to be used inside a proposal specification. It specifies
a string (a Kerberos 5 principal in this case), specifying the
credential that racoon will try to acquire. The default value
is 'ike/fqdn', where fqdn is the hostname for the interface
being used for the exchange. If the id is not specified, no
GSS endpoint attribute will be specified in the first SA sent.
However, if the initiator does specify a GSS endpoint attribute,
racoon will always respond with its own GSS endpoint name
in the SA (the default one if not specified by this option).
* The racoon.conf file accepts "gssapi_krb" as authentication
method inside a proposal specification. The number used
for this method is 65001, which is a temporary number as
specified in the draft.
* The cftoken.l and cfparse.y source files were modified to
pick up the configuration options. The original sources
stored algorithms in bitmask, which unfortunately meant
that the maximum value was 32, clearly not enough for 65001.
After consulting with the author (sakane@kame.net), it turned
out that method was a leftover, and no longer needed. I replaced
it with plain integers.
* The gss-api specific code was concentrated as much as possible
in gssapi.c and gssapi.h. The code to call functions defined
in these files is conditional on HAVE_GSSAPI, except for the
config scan code. Specifying this flag on the compiler commandline
is conditional on the --enable-gssapi option to the configure
script.
* Racoon seems to want to send accepted SA proposals back to
the initiator in a verbatim fashion, leaving no room to
insert the (variable-length) GSS endpoint name attribute.
I worked around this by re-assembling the extracted SA
into a new SA if the gssapi_krb method is used, and the
initiator sent the name attribute. This scheme should
possibly be re-examined by the racoon maintainers, storing
the SAs (the transformations, to be more precise) in a different
fashion to allow for variable-length attributes to be
re-inserted would be a good change, but I considered it to be
beyond the scope of this project.
* The various state functions for aggressive and main mode
(in isakmp_agg.c and isakmp_ident.c respectively) were
changed to conditionally change their behavior if the
gssapi_krb method is specified.
This implementation tried to follow the specification in the ietf draft
as close as possible. However, it has not been tested against other
IKE daemon implementations. The only other one I know of is Windows 2000,
and it has some caveats. I attempted to be Windows 2000 compatible.
Should racoon be tried against Windows 2000, the gssapi_id option in
the config file must be used, as Windows 2000 expects the GSS endpoint
name to be sent at all times. I have my doubts as to the W2K compatibility,
because the spec describes the GSS endpoint name sent by W2K as
an unicode string 'xxx@domain', which doesn't seem to match the
required standard for gss-api + kerberos 5 (i.e. I am fairly certain
that such a string will be rejected by the Heimdal gss-api library, as it
is not a valid Kerberos 5 principal).
With the Heimdal gss-api implementation, the gssapi_krb authentication
method will only work in main mode. Aggressive mode does not allow
for the extra round-trips needed by gss_init_sec_context and
gss_accept_sec_context when mutual authentication is requested.
The draft specifies that the a fallback should be done to main mode,
through the return of INVALID-EXCHANGE-TYPE if it turns out that
the gss-api mechanisms needs more roundtrips. This is implemented.
Unfortunately, racoon does not seem to properly fall back to
its next mode, and this is not specific to the gssapi_krb method.
So, to avoid problems, only specify main mode in the config file.
-- Frank van der Linden <fvdl@wasabisystems.com>

223
crypto/dist/ipsec-tools/src/racoon/dump.c vendored Normal file
View File

@ -0,0 +1,223 @@
/* $KAME: dump.c,v 1.3 2000/09/23 15:31:05 itojun Exp $ */
/*
* Copyright (C) 2000 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/udp.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>
#else
# if HAVE_SYS_TIME_H
# include <sys/time.h>
# else
# include <time.h>
# endif
#endif
#include <netdb.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <pcap.h>
#include <fcntl.h>
#include "vmbuf.h"
/* copied from pcap-int.h */
struct pcap_timeval {
u_int32_t tv_sec; /* seconds */
u_int32_t tv_usec; /* microseconds */
};
struct pcap_sf_pkthdr {
struct pcap_timeval ts; /* time stamp */
u_int32_t caplen; /* length of portion present */
u_int32_t len; /* length this packet (off wire) */
};
#define TCPDUMP_MAGIC 0xa1b2c3d4
static int fd = -1;
int
isakmp_dump_open(path)
char *path;
{
struct pcap_file_header hdr;
path = "isakmp.dump";
if (fd >= 0)
return EBUSY;
fd = open(path, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (fd < 0)
return errno;
memset(&hdr, 0, sizeof(hdr));
hdr.magic = TCPDUMP_MAGIC;
hdr.version_major = PCAP_VERSION_MAJOR;
hdr.version_minor = PCAP_VERSION_MINOR;
hdr.thiszone = 0;
hdr.snaplen = 60000; /* should be enough */
hdr.sigfigs = 0;
hdr.linktype = DLT_NULL;
if (write(fd, &hdr, sizeof(hdr)) != sizeof(hdr))
return errno;
return 0;
}
int
isakmp_dump_close()
{
close(fd);
fd = -1;
return 0;
}
int
isakmp_dump(msg, from, my)
vchar_t *msg;
struct sockaddr *from;
struct sockaddr *my;
{
struct ip ip;
#ifdef INET6
struct ip6_hdr ip6;
#endif
struct udphdr uh;
int32_t af; /*llhdr for DLT_NULL*/
struct pcap_sf_pkthdr sf_hdr;
struct timeval tv;
/* af validation */
if (from && my) {
if (from->sa_family == my->sa_family)
af = from->sa_family;
else
return EAFNOSUPPORT;
} else if (from)
af = from->sa_family;
else if (my)
af = my->sa_family;
else
af = AF_INET; /*assume it*/
switch (af) {
case AF_INET:
#ifdef INET6
case AF_INET6:
#endif
break;
default:
return EAFNOSUPPORT;
}
memset(&sf_hdr, 0, sizeof(sf_hdr));
gettimeofday(&tv, NULL);
sf_hdr.ts.tv_sec = tv.tv_sec;
sf_hdr.ts.tv_usec = tv.tv_usec;
/* write out timestamp and llhdr */
switch (af == AF_INET) {
case AF_INET:
sf_hdr.caplen = sf_hdr.len = sizeof(ip);
break;
case AF_INET6:
sf_hdr.caplen = sf_hdr.len = sizeof(ip6);
break;
}
sf_hdr.caplen += sizeof(af) + sizeof(uh) + msg->l;
sf_hdr.len += sizeof(af) + sizeof(uh) + msg->l;
if (write(fd, &sf_hdr, sizeof(sf_hdr)) < sizeof(sf_hdr))
return errno;
if (write(fd, &af, sizeof(af)) < sizeof(af))
return errno;
/* write out llhdr and ip header */
if (af == AF_INET) {
memset(&ip, 0, sizeof(ip));
ip.ip_v = IPVERSION;
ip.ip_hl = sizeof(ip) >> 2;
if (from)
ip.ip_src = ((struct sockaddr_in *)from)->sin_addr;
if (my)
ip.ip_dst = ((struct sockaddr_in *)my)->sin_addr;
ip.ip_p = IPPROTO_UDP;
ip.ip_ttl = 1;
ip.ip_len = htons(sizeof(ip) + sizeof(uh) + msg->l);
if (write(fd, &ip, sizeof(ip)) < sizeof(ip))
return errno;
} else if (af == AF_INET6) {
memset(&ip6, 0, sizeof(ip6));
ip6.ip6_vfc = IPV6_VERSION;
if (from)
ip6.ip6_src = ((struct sockaddr_in6 *)from)->sin6_addr;
if (my)
ip6.ip6_dst = ((struct sockaddr_in6 *)my)->sin6_addr;
ip6.ip6_nxt = IPPROTO_UDP;
ip6.ip6_plen = htons(sizeof(uh) + msg->l);
ip6.ip6_hlim = 1;
if (write(fd, &ip6, sizeof(ip6)) < sizeof(ip6))
return errno;
}
/* write out udp header */
memset(&uh, 0, sizeof(uh));
uh.uh_sport = htons(500);
uh.uh_dport = htons(500);
uh.uh_ulen = htons(msg->l & 0xffff);
uh.uh_sum = htons(0x0000); /*no checksum - invalid for IPv6*/
if (write(fd, &uh, sizeof(uh)) < sizeof(uh))
return errno;
/* write out payload */
if (write(fd, msg->v, msg->l) != msg->l)
return errno;
return 0;
}

39
crypto/dist/ipsec-tools/src/racoon/dump.h vendored Normal file
View File

@ -0,0 +1,39 @@
/* $Id: dump.h,v 1.1.1.1 2005/02/12 11:11:53 manu Exp $ */
/*
* Copyright (C) 2000 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _DUMP_H
#define _DUMP_H
extern int isakmp_dump_open __P((char *));
extern int isakmp_dump_close __P((void));
extern int isakmp_dump __P((vchar_t *, struct sockaddr *, struct sockaddr *));
#endif /* _DUMP_H */

1054
crypto/dist/ipsec-tools/src/racoon/eaytest.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

133
crypto/dist/ipsec-tools/src/racoon/evt.c vendored Normal file
View File

@ -0,0 +1,133 @@
/* $Id: evt.c,v 1.1.1.1 2005/02/12 11:11:53 manu Exp $ */
/*
* Copyright (C) 2004 Emmanuel Dreyfus
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include "vmbuf.h"
#include "plog.h"
#include "misc.h"
#include "gcmalloc.h"
#include "evt.h"
struct evtlist evtlist = TAILQ_HEAD_INITIALIZER(evtlist);
int evtlist_len = 0;
void
evt_push(src, dst, type, optdata)
struct sockaddr *src;
struct sockaddr *dst;
int type;
vchar_t *optdata;
{
struct evtdump *evtdump;
struct evt *evt;
size_t len;
len = sizeof(*evtdump);
if (optdata)
len += optdata->l;
if ((evtdump = racoon_malloc(len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "Cannot record event: %s\n",
strerror(errno));
return;
}
if ((evt = racoon_malloc(sizeof(*evt))) == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "Cannot record event: %s\n",
strerror(errno));
racoon_free(evtdump);
return;
}
if (src)
memcpy(&evtdump->src, src, sysdep_sa_len(src));
if (dst)
memcpy(&evtdump->dst, dst, sysdep_sa_len(dst));
evtdump->len = len;
evtdump->type = type;
time(&evtdump->timestamp);
if (optdata)
memcpy(evtdump + 1, optdata->v, optdata->l);
evt->dump = evtdump;
TAILQ_INSERT_TAIL(&evtlist, evt, next);
if (evtlist_len++ == EVTLIST_MAX)
evt_push(NULL, NULL, EVTT_OVERFLOW, NULL);
return;
}
struct evtdump *
evt_pop(void) {
struct evtdump *evtdump;
struct evt *evt;
if ((evt = TAILQ_FIRST(&evtlist)) == NULL)
return NULL;
evtdump = evt->dump;
TAILQ_REMOVE(&evtlist, evt, next);
racoon_free(evt);
evtlist_len--;
return evtdump;
}
vchar_t *
evt_dump(void) {
struct evtdump *evtdump;
vchar_t *buf = NULL;
if ((evtdump = evt_pop()) != NULL) {
if ((buf = vmalloc(evtdump->len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"evt_dump failed: %s\n", strerror(errno));
return NULL;
}
memcpy(buf->v, evtdump, evtdump->len);
racoon_free(evtdump);
}
return buf;
}

84
crypto/dist/ipsec-tools/src/racoon/evt.h vendored Normal file
View File

@ -0,0 +1,84 @@
/* $Id: evt.h,v 1.1.1.1 2005/02/12 11:11:53 manu Exp $ */
/*
* Copyright (C) 2004 Emmanuel Dreyfus
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _EVT_H
#define _EVT_H
struct evtdump {
size_t len;
struct sockaddr_storage src;
struct sockaddr_storage dst;
time_t timestamp;
int type;
/*
* Optionnal list of struct isakmp_data
* for type EVTT_ISAKMP_CFG_DONE
*/
};
/* type */
#define EVTT_UNSEPC 0
#define EVTT_PHASE1_UP 1
#define EVTT_PHASE1_DOWN 2
#define EVTT_XAUTH_SUCCESS 3
#define EVTT_ISAKMP_CFG_DONE 4
#define EVTT_PHASE2_UP 5
#define EVTT_PHASE2_DOWN 6
#define EVTT_DPD_TIMEOUT 7
#define EVTT_PEER_NO_RESPONSE 8
#define EVTT_PEER_DELETE 9
#define EVTT_RACOON_QUIT 10
#define EVTT_XAUTH_FAILED 11
#define EVTT_OVERFLOW 12 /* Event queue overflowed */
#define EVTT_PEERPH1AUTH_FAILED 13
struct evt {
struct evtdump *dump;
TAILQ_ENTRY(evt) next;
};
TAILQ_HEAD(evtlist, evt);
#define EVTLIST_MAX 32
#ifdef ENABLE_ADMINPORT
struct evtdump *evt_pop(void);
vchar_t *evt_dump(void);
void evt_push(struct sockaddr *, struct sockaddr *, int, vchar_t *);
#endif
#ifdef ENABLE_ADMINPORT
#define EVT_PUSH(src, dst, type, optdata) evt_push(src, dst, type, optdata);
#else
#define EVT_PUSH(src, dst, type, optdata) ;
#endif
#endif /* _EVT_H */

114
crypto/dist/ipsec-tools/src/racoon/gcmalloc.h vendored Normal file
View File

@ -0,0 +1,114 @@
/* $KAME: gcmalloc.h,v 1.4 2001/11/16 04:34:57 sakane Exp $ */
/*
* Copyright (C) 2000, 2001 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* Debugging malloc glue for Racoon.
*/
#ifndef _GCMALLOC_H_DEFINED
#define _GCMALLOC_H_DEFINED
/* ElectricFence needs no special handling. */
/*
* Boehm-GC provides GC_malloc(), GC_realloc(), GC_free() functions,
* but not the traditional entry points. So what we do is provide
* malloc(), calloc(), realloc(), and free() entry points in the main
* program and letting the linker do the rest.
*/
#ifdef GC
#define GC_DEBUG
#include <gc.h>
#ifdef RACOON_MAIN_PROGRAM
void *
malloc(size_t size)
{
return (GC_MALLOC(size));
}
void *
calloc(size_t number, size_t size)
{
/* GC_malloc() clears the storage. */
return (GC_MALLOC(number * size));
}
void *
realloc(void *ptr, size_t size)
{
return (GC_REALLOC(ptr, size));
}
void
free(void *ptr)
{
GC_FREE(ptr);
}
#endif /* RACOON_MAIN_PROGRAM */
#define racoon_malloc(sz) GC_debug_malloc(sz, GC_EXTRAS)
#define racoon_calloc(cnt, sz) GC_debug_malloc(cnt * sz, GC_EXTRAS)
#define racoon_realloc(old, sz) GC_debug_realloc(old, sz, GC_EXTRAS)
#define racoon_free(p) GC_debug_free(p)
#endif /* GC */
/*
* Dmalloc only requires that you pull in a header file and link
* against libdmalloc.
*/
#ifdef DMALLOC
#include <dmalloc.h>
#endif /* DMALLOC */
#ifdef DEBUG_RECORD_MALLOCATION
#include <debugrm.h>
#else
#ifndef racoon_malloc
#define racoon_malloc(sz) malloc((sz))
#endif
#ifndef racoon_calloc
#define racoon_calloc(cnt, sz) calloc((cnt), (sz))
#endif
#ifndef racoon_realloc
#define racoon_realloc(old, sz) realloc((old), (sz))
#endif
#ifndef racoon_free
#define racoon_free(p) free((p))
#endif
#endif /* DEBUG_RECORD_MALLOCATION */
#endif /* _GCMALLOC_H_DEFINED */

172
crypto/dist/ipsec-tools/src/racoon/genlist.c vendored Normal file
View File

@ -0,0 +1,172 @@
/* $Id: genlist.c,v 1.1.1.1 2005/02/12 11:11:54 manu Exp $ */
/*
* Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
* Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>
#include "genlist.h"
struct genlist *
genlist_init (void)
{
struct genlist *new = calloc(sizeof(struct genlist), 1);
TAILQ_INIT(new);
return new;
}
struct genlist_entry *
genlist_insert (struct genlist *head, void *data)
{
struct genlist_entry *entry = calloc(sizeof(struct genlist_entry), 1);
entry->data = data;
TAILQ_INSERT_HEAD(head, entry, chain);
return entry;
}
struct genlist_entry *
genlist_append (struct genlist *head, void *data)
{
struct genlist_entry *entry = calloc(sizeof(struct genlist_entry), 1);
entry->data = data;
TAILQ_INSERT_TAIL(head, entry, chain);
return entry;
}
void *
genlist_foreach (struct genlist *head, genlist_func_t func, void *arg)
{
struct genlist_entry *p;
void *ret = NULL;
TAILQ_FOREACH(p, head, chain) {
ret = (*func)(p->data, arg);
if (ret)
break;
}
return ret;
}
void *
genlist_next (struct genlist *head, struct genlist_entry **buf)
{
struct genlist_entry *p;
if (head)
p = TAILQ_FIRST(head);
else
p = (buf && *buf) ? TAILQ_NEXT(*buf, chain) : NULL;
if (buf)
*buf = p;
return (p ? p->data : NULL);
}
void
genlist_free (struct genlist *head, genlist_freedata_t func)
{
struct genlist_entry *p;
while ((p = TAILQ_LAST(head, genlist)) != NULL) {
TAILQ_REMOVE(head, p, chain);
if (func)
func(p->data);
free(p);
}
free(head);
}
#if 0
/* Here comes the example... */
struct conf {
struct genlist *l1, *l2;
};
void *
print_entry(void *entry, void *arg)
{
if (!entry)
return NULL;
printf("%s\n", (char *)entry);
return NULL;
}
void
dump_list(struct genlist *head)
{
genlist_foreach(head, print_entry, NULL);
}
void
free_data(void *data)
{
printf ("removing %s\n", (char *)data);
}
int main()
{
struct conf *cf;
char *cp;
struct genlist_entry *gpb;
cf = calloc(sizeof(struct conf), 1);
cf->l1 = genlist_init();
cf->l2 = genlist_init();
genlist_insert(cf->l1, "Ahoj");
genlist_insert(cf->l1, "Cau");
genlist_insert(cf->l1, "Nazdar");
genlist_insert(cf->l1, "Te buch");
genlist_append(cf->l2, "Curak");
genlist_append(cf->l2, "Kozy");
genlist_append(cf->l2, "Pica");
genlist_append(cf->l2, "Prdel");
printf("List 2\n");
dump_list(cf->l2);
printf("\nList 1\n");
dump_list(cf->l1);
printf("\nList 2 - using genlist_next()\n");
for (cp = genlist_next (cf->l2, &gpb); cp; cp = genlist_next (0, &gpb))
printf("%s\n", cp);
printf("\nFreeing List 1\n");
/* the data here isn't actually alloc'd so we would really call
* genlist_free (cf->l1, 0); but to illustrate the idea */
genlist_free (cf->l1, free_data);
cf->l1 = 0;
return 0;
}
#endif

80
crypto/dist/ipsec-tools/src/racoon/genlist.h vendored Normal file
View File

@ -0,0 +1,80 @@
/* $Id: genlist.h,v 1.1.1.1 2005/02/12 11:11:54 manu Exp $ */
/*
* Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
* Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _GENLIST_H
#define _GENLIST_H
#include <sys/queue.h>
/* See the bottom of genlist.c for example use. */
/* This declares 'struct genlist' */
TAILQ_HEAD(genlist, genlist_entry);
/* This is where the data are actually stored. */
struct genlist_entry {
void *data;
TAILQ_ENTRY(genlist_entry) chain;
};
/* This function returns an initialized list head. */
struct genlist *genlist_init (void);
/* Insert an entry at the beginning/end og the list. */
struct genlist_entry *genlist_insert (struct genlist *head, void *data);
struct genlist_entry *genlist_append (struct genlist *head, void *data);
/* Create a function with this prototype for use with genlist_foreach().
* See genlist_foreach() description below for details. */
typedef void *(genlist_func_t)(void *entry, void *arg);
/* Traverse the list and call 'func' for each entry. As long as func() returns
* NULL the list traversal continues, once it returns non-NULL (usually the
* 'entry' arg), the list traversal exits and the return value is returned
* further from genlist_foreach(). Optional 'arg' may be passed to func(), e.g.
* for some lookup purposes, etc. */
void *genlist_foreach (struct genlist *head, genlist_func_t func, void *arg);
/* Get first entry in list if head is not NULL, otherwise get next
* entry based on saved position in list from previous call as stored in buf.
* If buf is NULL no position is saved */
void *genlist_next (struct genlist *head, struct genlist_entry **buf);
/* Create a function with this prototype for use with genlist_free()
* to free any storage associated with genlist_entry.data */
typedef void (genlist_freedata_t)(void *entry);
/* Free all storage associated with list at head using func to free any
* alloc()d data in data field of genlist_entry */
void genlist_free (struct genlist *head, genlist_freedata_t func);
#endif /* _GENLIST_H */

412
crypto/dist/ipsec-tools/src/racoon/getcertsbyname.c vendored Normal file
View File

@ -0,0 +1,412 @@
/* $KAME: getcertsbyname.c,v 1.7 2001/11/16 04:12:59 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
#ifdef HAVE_LWRES_GETRRSETBYNAME
#include <lwres/netdb.h>
#include <lwres/lwres.h>
#else
#include <netdb.h>
#endif
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef DNSSEC_DEBUG
#include <stdio.h>
#include <strings.h>
#endif
#include "netdb_dnssec.h"
/* XXX should it use ci_errno to hold errno instead of h_errno ? */
extern int h_errno;
static struct certinfo *getnewci __P((int, int, int, int, int, char *));
static struct certinfo *
getnewci(qtype, keytag, algorithm, flags, certlen, cert)
int qtype, keytag, algorithm, flags, certlen;
char *cert;
{
struct certinfo *res;
res = malloc(sizeof(*res));
if (!res)
return NULL;
memset(res, 0, sizeof(*res));
res->ci_type = qtype;
res->ci_keytag = keytag;
res->ci_algorithm = algorithm;
res->ci_flags = flags;
res->ci_certlen = certlen;
res->ci_cert = malloc(certlen);
if (!res->ci_cert) {
free(res);
return NULL;
}
memcpy(res->ci_cert, cert, certlen);
return res;
}
void
freecertinfo(ci)
struct certinfo *ci;
{
struct certinfo *next;
do {
next = ci->ci_next;
if (ci->ci_cert)
free(ci->ci_cert);
free(ci);
ci = next;
} while (ci);
}
/*
* get CERT RR by FQDN and create certinfo structure chain.
*/
#ifdef HAVE_LWRES_GETRRSETBYNAME
#define getrrsetbyname lwres_getrrsetbyname
#define freerrset lwres_freerrset
#define hstrerror lwres_hstrerror
#endif
#if defined(HAVE_LWRES_GETRRSETBYNAME) || defined(AHVE_GETRRSETBYNAME)
int
getcertsbyname(name, res)
char *name;
struct certinfo **res;
{
int rdlength;
char *cp;
int type, keytag, algorithm;
struct certinfo head, *cur;
struct rrsetinfo *rr = NULL;
int i;
int error = -1;
/* initialize res */
*res = NULL;
memset(&head, 0, sizeof(head));
cur = &head;
error = getrrsetbyname(name, C_IN, T_CERT, 0, &rr);
if (error) {
#ifdef DNSSEC_DEBUG
printf("getrrsetbyname: %s\n", hstrerror(error));
#endif
h_errno = NO_RECOVERY;
goto end;
}
if (rr->rri_rdclass != C_IN
|| rr->rri_rdtype != T_CERT
|| rr->rri_nrdatas == 0) {
#ifdef DNSSEC_DEBUG
printf("getrrsetbyname: %s", hstrerror(error));
#endif
h_errno = NO_RECOVERY;
goto end;
}
#ifdef DNSSEC_DEBUG
if (!(rr->rri_flags & LWRDATA_VALIDATED))
printf("rr is not valid");
#endif
for (i = 0; i < rr->rri_nrdatas; i++) {
rdlength = rr->rri_rdatas[i].rdi_length;
cp = rr->rri_rdatas[i].rdi_data;
GETSHORT(type, cp); /* type */
rdlength -= INT16SZ;
GETSHORT(keytag, cp); /* key tag */
rdlength -= INT16SZ;
algorithm = *cp++; /* algorithm */
rdlength -= 1;
#ifdef DNSSEC_DEBUG
printf("type=%d keytag=%d alg=%d len=%d\n",
type, keytag, algorithm, rdlength);
#endif
/* create new certinfo */
cur->ci_next = getnewci(type, keytag, algorithm,
rr->rri_flags, rdlength, cp);
if (!cur->ci_next) {
#ifdef DNSSEC_DEBUG
printf("getnewci: %s", strerror(errno));
#endif
h_errno = NO_RECOVERY;
goto end;
}
cur = cur->ci_next;
}
*res = head.ci_next;
error = 0;
end:
if (rr)
freerrset(rr);
if (error && head.ci_next)
freecertinfo(head.ci_next);
return error;
}
#else /*!HAVE_LWRES_GETRRSETBYNAME*/
int
getcertsbyname(name, res)
char *name;
struct certinfo **res;
{
caddr_t answer = NULL, p;
int buflen, anslen, len;
HEADER *hp;
int qdcount, ancount, rdlength;
char *cp, *eom;
char hostbuf[1024]; /* XXX */
int qtype, qclass, keytag, algorithm;
struct certinfo head, *cur;
int error = -1;
/* initialize res */
*res = NULL;
memset(&head, 0, sizeof(head));
cur = &head;
/* get CERT RR */
buflen = 512;
do {
buflen *= 2;
p = realloc(answer, buflen);
if (!p) {
#ifdef DNSSEC_DEBUG
printf("realloc: %s", strerror(errno));
#endif
h_errno = NO_RECOVERY;
goto end;
}
answer = p;
anslen = res_query(name, C_IN, T_CERT, answer, buflen);
if (anslen == -1)
goto end;
} while (buflen < anslen);
#ifdef DNSSEC_DEBUG
printf("get a DNS packet len=%d\n", anslen);
#endif
/* parse CERT RR */
eom = answer + anslen;
hp = (HEADER *)answer;
qdcount = ntohs(hp->qdcount);
ancount = ntohs(hp->ancount);
/* question section */
if (qdcount != 1) {
#ifdef DNSSEC_DEBUG
printf("query count is not 1.\n");
#endif
h_errno = NO_RECOVERY;
goto end;
}
cp = (char *)(hp + 1);
len = dn_expand(answer, eom, cp, hostbuf, sizeof(hostbuf));
if (len < 0) {
#ifdef DNSSEC_DEBUG
printf("dn_expand failed.\n");
#endif
goto end;
}
cp += len;
GETSHORT(qtype, cp); /* QTYPE */
GETSHORT(qclass, cp); /* QCLASS */
/* answer section */
while (ancount-- && cp < eom) {
len = dn_expand(answer, eom, cp, hostbuf, sizeof(hostbuf));
if (len < 0) {
#ifdef DNSSEC_DEBUG
printf("dn_expand failed.\n");
#endif
goto end;
}
cp += len;
GETSHORT(qtype, cp); /* TYPE */
GETSHORT(qclass, cp); /* CLASS */
cp += INT32SZ; /* TTL */
GETSHORT(rdlength, cp); /* RDLENGTH */
/* CERT RR */
if (qtype != T_CERT) {
#ifdef DNSSEC_DEBUG
printf("not T_CERT\n");
#endif
h_errno = NO_RECOVERY;
goto end;
}
GETSHORT(qtype, cp); /* type */
rdlength -= INT16SZ;
GETSHORT(keytag, cp); /* key tag */
rdlength -= INT16SZ;
algorithm = *cp++; /* algorithm */
rdlength -= 1;
if (cp + rdlength > eom) {
#ifdef DNSSEC_DEBUG
printf("rdlength is too long.\n");
#endif
h_errno = NO_RECOVERY;
goto end;
}
#ifdef DNSSEC_DEBUG
printf("type=%d keytag=%d alg=%d len=%d\n",
qtype, keytag, algorithm, rdlength);
#endif
/* create new certinfo */
cur->ci_next = getnewci(qtype, keytag, algorithm,
0, rdlength, cp);
if (!cur->ci_next) {
#ifdef DNSSEC_DEBUG
printf("getnewci: %s", strerror(errno));
#endif
h_errno = NO_RECOVERY;
goto end;
}
cur = cur->ci_next;
cp += rdlength;
}
*res = head.ci_next;
error = 0;
end:
if (answer)
free(answer);
if (error && head.ci_next)
freecertinfo(head.ci_next);
return error;
}
#endif
#ifdef DNSSEC_DEBUG
int
b64encode(p, len)
char *p;
int len;
{
static const char b64t[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789+/=";
while (len > 2) {
printf("%c", b64t[(p[0] >> 2) & 0x3f]);
printf("%c", b64t[((p[0] << 4) & 0x30) | ((p[1] >> 4) & 0x0f)]);
printf("%c", b64t[((p[1] << 2) & 0x3c) | ((p[2] >> 6) & 0x03)]);
printf("%c", b64t[p[2] & 0x3f]);
len -= 3;
p += 3;
}
if (len == 2) {
printf("%c", b64t[(p[0] >> 2) & 0x3f]);
printf("%c", b64t[((p[0] << 4) & 0x30)| ((p[1] >> 4) & 0x0f)]);
printf("%c", b64t[((p[1] << 2) & 0x3c)]);
printf("%c", '=');
} else if (len == 1) {
printf("%c", b64t[(p[0] >> 2) & 0x3f]);
printf("%c", b64t[((p[0] << 4) & 0x30)]);
printf("%c", '=');
printf("%c", '=');
}
return 0;
}
int
main(ac, av)
int ac;
char **av;
{
struct certinfo *res, *p;
int i;
if (ac < 2) {
printf("Usage: a.out (FQDN)\n");
exit(1);
}
i = getcertsbyname(*(av + 1), &res);
if (i != 0) {
herror("getcertsbyname");
exit(1);
}
printf("getcertsbyname succeeded.\n");
i = 0;
for (p = res; p; p = p->ci_next) {
printf("certinfo[%d]:\n", i);
printf("\tci_type=%d\n", p->ci_type);
printf("\tci_keytag=%d\n", p->ci_keytag);
printf("\tci_algorithm=%d\n", p->ci_algorithm);
printf("\tci_flags=%d\n", p->ci_flags);
printf("\tci_certlen=%d\n", p->ci_certlen);
printf("\tci_cert: ");
b64encode(p->ci_cert, p->ci_certlen);
printf("\n");
i++;
}
freecertinfo(res);
exit(0);
}
#endif

44
crypto/dist/ipsec-tools/src/racoon/gnuc.h vendored Normal file
View File

@ -0,0 +1,44 @@
/* $Id: gnuc.h,v 1.1.1.1 2005/02/12 11:11:57 manu Exp $ */
/* Define __P() macro, if necessary */
#undef __P
#ifndef __P
#if __STDC__
#define __P(protos) protos
#else
#define __P(protos) ()
#endif
#endif
/* inline foo */
#ifdef __GNUC__
#define inline __inline
#else
#define inline
#endif
/*
* Handle new and old "dead" routine prototypes
*
* For example:
*
* __dead void foo(void) __attribute__((volatile));
*
*/
#ifdef __GNUC__
#ifndef __dead
#define __dead volatile
#endif
#if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
#ifndef __attribute__
#define __attribute__(args)
#endif
#endif
#else
#ifndef __dead
#define __dead
#endif
#ifndef __attribute__
#define __attribute__(args)
#endif
#endif

922
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c vendored Normal file
View File

@ -0,0 +1,922 @@
/* $Id: grabmyaddr.c,v 1.1.1.1 2005/02/12 11:11:57 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#if defined(__FreeBSD__) && __FreeBSD__ >= 3
#include <net/if_var.h>
#endif
#if defined(__NetBSD__) || defined(__FreeBSD__)
#include <netinet/in.h>
#include <netinet6/in6_var.h>
#endif
#include <net/route.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <netdb.h>
#ifdef HAVE_GETIFADDRS
#include <ifaddrs.h>
#include <net/if.h>
#endif
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "debug.h"
#include "localconf.h"
#include "handler.h"
#include "grabmyaddr.h"
#include "sockmisc.h"
#include "isakmp_var.h"
#include "gcmalloc.h"
#include "nattraversal.h"
#ifdef __linux__
#include <linux/types.h>
#include <linux/rtnetlink.h>
#ifndef HAVE_GETIFADDRS
#define HAVE_GETIFADDRS
#define NEED_LINUX_GETIFADDRS
#endif
#endif
#ifndef HAVE_GETIFADDRS
static unsigned int if_maxindex __P((void));
#endif
static struct myaddrs *find_myaddr __P((struct myaddrs *, struct myaddrs *));
static int suitable_ifaddr __P((const char *, const struct sockaddr *));
#ifdef INET6
static int suitable_ifaddr6 __P((const char *, const struct sockaddr *));
#endif
#ifdef NEED_LINUX_GETIFADDRS
/* We could do this _much_ better. kame racoon in its current form
* will esentially die at frequent changes of address configuration.
*/
struct ifaddrs
{
struct ifaddrs *ifa_next;
char ifa_name[16];
int ifa_ifindex;
struct sockaddr *ifa_addr;
struct sockaddr_storage ifa_addrbuf;
};
static int parse_rtattr(struct rtattr *tb[], int max, struct rtattr *rta, int len)
{
while (RTA_OK(rta, len)) {
if (rta->rta_type <= max)
tb[rta->rta_type] = rta;
rta = RTA_NEXT(rta,len);
}
return 0;
}
static void recvaddrs(int fd, struct ifaddrs **ifa, __u32 seq)
{
char buf[8192];
struct sockaddr_nl nladdr;
struct iovec iov = { buf, sizeof(buf) };
struct ifaddrmsg *m;
struct rtattr * rta_tb[IFA_MAX+1];
struct ifaddrs *I;
while (1) {
int status;
struct nlmsghdr *h;
struct msghdr msg = {
(void*)&nladdr, sizeof(nladdr),
&iov, 1,
NULL, 0,
0
};
status = recvmsg(fd, &msg, 0);
if (status < 0)
continue;
if (status == 0)
return;
if (nladdr.nl_pid) /* Message not from kernel */
continue;
h = (struct nlmsghdr*)buf;
while (NLMSG_OK(h, status)) {
if (h->nlmsg_seq != seq)
goto skip_it;
if (h->nlmsg_type == NLMSG_DONE)
return;
if (h->nlmsg_type == NLMSG_ERROR)
return;
if (h->nlmsg_type != RTM_NEWADDR)
goto skip_it;
m = NLMSG_DATA(h);
if (m->ifa_family != AF_INET &&
m->ifa_family != AF_INET6)
goto skip_it;
if (m->ifa_flags&IFA_F_TENTATIVE)
goto skip_it;
memset(rta_tb, 0, sizeof(rta_tb));
parse_rtattr(rta_tb, IFA_MAX, IFA_RTA(m), h->nlmsg_len - NLMSG_LENGTH(sizeof(*m)));
if (rta_tb[IFA_LOCAL] == NULL)
rta_tb[IFA_LOCAL] = rta_tb[IFA_ADDRESS];
if (rta_tb[IFA_LOCAL] == NULL)
goto skip_it;
I = malloc(sizeof(struct ifaddrs));
if (!I)
return;
memset(I, 0, sizeof(*I));
I->ifa_ifindex = m->ifa_index;
I->ifa_addr = (struct sockaddr*)&I->ifa_addrbuf;
I->ifa_addr->sa_family = m->ifa_family;
if (m->ifa_family == AF_INET) {
struct sockaddr_in *sin = (void*)I->ifa_addr;
memcpy(&sin->sin_addr, RTA_DATA(rta_tb[IFA_LOCAL]), 4);
} else {
struct sockaddr_in6 *sin = (void*)I->ifa_addr;
memcpy(&sin->sin6_addr, RTA_DATA(rta_tb[IFA_LOCAL]), 16);
if (IN6_IS_ADDR_LINKLOCAL(&sin->sin6_addr))
sin->sin6_scope_id = I->ifa_ifindex;
}
I->ifa_next = *ifa;
*ifa = I;
skip_it:
h = NLMSG_NEXT(h, status);
}
if (msg.msg_flags & MSG_TRUNC)
continue;
}
return;
}
static int getifaddrs(struct ifaddrs **ifa0)
{
struct {
struct nlmsghdr nlh;
struct rtgenmsg g;
} req;
struct sockaddr_nl nladdr;
static __u32 seq;
struct ifaddrs *i;
int fd;
fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (fd < 0)
return -1;
memset(&nladdr, 0, sizeof(nladdr));
nladdr.nl_family = AF_NETLINK;
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = RTM_GETADDR;
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
req.nlh.nlmsg_pid = 0;
req.nlh.nlmsg_seq = ++seq;
req.g.rtgen_family = AF_UNSPEC;
if (sendto(fd, (void*)&req, sizeof(req), 0, (struct sockaddr*)&nladdr, sizeof(nladdr)) < 0) {
close(fd);
return -1;
}
*ifa0 = NULL;
recvaddrs(fd, ifa0, seq);
close(fd);
fd = socket(AF_INET, SOCK_DGRAM, 0);
for (i=*ifa0; i; i = i->ifa_next) {
struct ifreq ifr;
ifr.ifr_ifindex = i->ifa_ifindex;
ioctl(fd, SIOCGIFNAME, (void*)&ifr);
memcpy(i->ifa_name, ifr.ifr_name, 16);
}
return 0;
}
static void freeifaddrs(struct ifaddrs *ifa0)
{
struct ifaddrs *i;
while (ifa0) {
i = ifa0;
ifa0 = i->ifa_next;
free(i);
}
}
#endif
#ifndef HAVE_GETIFADDRS
static unsigned int
if_maxindex()
{
struct if_nameindex *p, *p0;
unsigned int max = 0;
p0 = if_nameindex();
for (p = p0; p && p->if_index && p->if_name; p++) {
if (max < p->if_index)
max = p->if_index;
}
if_freenameindex(p0);
return max;
}
#endif
void
clear_myaddr(db)
struct myaddrs **db;
{
struct myaddrs *p;
while (*db) {
p = (*db)->next;
delmyaddr(*db);
*db = p;
}
}
static struct myaddrs *
find_myaddr(db, p)
struct myaddrs *db;
struct myaddrs *p;
{
struct myaddrs *q;
char h1[NI_MAXHOST], h2[NI_MAXHOST];
if (getnameinfo(p->addr, sysdep_sa_len(p->addr), h1, sizeof(h1), NULL, 0,
NI_NUMERICHOST | niflags) != 0)
return NULL;
for (q = db; q; q = q->next) {
if (p->addr->sa_family != q->addr->sa_family)
continue;
if (getnameinfo(q->addr, sysdep_sa_len(q->addr), h2, sizeof(h2),
NULL, 0, NI_NUMERICHOST | niflags) != 0)
return NULL;
if (strcmp(h1, h2) == 0)
return q;
}
return NULL;
}
void
grab_myaddrs()
{
#ifdef HAVE_GETIFADDRS
struct myaddrs *p, *q, *old;
struct ifaddrs *ifa0, *ifap;
#ifdef INET6
struct sockaddr_in6 *sin6;
#endif
char addr1[NI_MAXHOST];
if (getifaddrs(&ifa0)) {
plog(LLV_ERROR, LOCATION, NULL,
"getifaddrs failed: %s\n", strerror(errno));
exit(1);
/*NOTREACHED*/
}
old = lcconf->myaddrs;
for (ifap = ifa0; ifap; ifap = ifap->ifa_next) {
if (! ifap->ifa_addr)
continue;
if (ifap->ifa_addr->sa_family != AF_INET
#ifdef INET6
&& ifap->ifa_addr->sa_family != AF_INET6
#endif
)
continue;
if (!suitable_ifaddr(ifap->ifa_name, ifap->ifa_addr)) {
plog(LLV_ERROR, LOCATION, NULL,
"unsuitable address: %s %s\n",
ifap->ifa_name,
saddrwop2str(ifap->ifa_addr));
continue;
}
p = newmyaddr();
if (p == NULL) {
exit(1);
/*NOTREACHED*/
}
p->addr = dupsaddr(ifap->ifa_addr);
if (p->addr == NULL) {
exit(1);
/*NOTREACHED*/
}
#ifdef INET6
#ifdef __KAME__
if (ifap->ifa_addr->sa_family == AF_INET6) {
sin6 = (struct sockaddr_in6 *)p->addr;
if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)
|| IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) {
sin6->sin6_scope_id =
ntohs(*(u_int16_t *)&sin6->sin6_addr.s6_addr[2]);
sin6->sin6_addr.s6_addr[2] = 0;
sin6->sin6_addr.s6_addr[3] = 0;
}
}
#else /* !__KAME__ */
if (ifap->ifa_addr->sa_family == AF_INET6) {
sin6 = (struct sockaddr_in6 *)p->addr;
if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)
|| IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) {
sin6->sin6_scope_id =
if_nametoindex(ifap->ifa_name);
}
}
#endif
#endif
if (getnameinfo(p->addr, sysdep_sa_len(p->addr),
addr1, sizeof(addr1),
NULL, 0,
NI_NUMERICHOST | niflags))
strlcpy(addr1, "(invalid)", sizeof(addr1));
plog(LLV_DEBUG, LOCATION, NULL,
"my interface: %s (%s)\n",
addr1, ifap->ifa_name);
q = find_myaddr(old, p);
if (q)
p->sock = q->sock;
else
p->sock = -1;
p->next = lcconf->myaddrs;
lcconf->myaddrs = p;
}
freeifaddrs(ifa0);
clear_myaddr(&old);
#else /*!HAVE_GETIFADDRS*/
int s;
unsigned int maxif;
int len;
struct ifreq *iflist;
struct ifconf ifconf;
struct ifreq *ifr, *ifr_end;
struct myaddrs *p, *q, *old;
#ifdef INET6
#ifdef __KAME__
struct sockaddr_in6 *sin6;
#endif
#endif
char addr1[NI_MAXHOST];
maxif = if_maxindex() + 1;
len = maxif * sizeof(struct sockaddr_storage) * 4; /* guess guess */
iflist = (struct ifreq *)racoon_malloc(len);
if (!iflist) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer\n");
exit(1);
/*NOTREACHED*/
}
if ((s = socket(PF_INET, SOCK_DGRAM, 0)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"socket(SOCK_DGRAM) failed: %s\n",
strerror(errno));
exit(1);
/*NOTREACHED*/
}
memset(&ifconf, 0, sizeof(ifconf));
ifconf.ifc_req = iflist;
ifconf.ifc_len = len;
if (ioctl(s, SIOCGIFCONF, &ifconf) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"ioctl(SIOCGIFCONF) failed: %s\n",
strerror(errno));
exit(1);
/*NOTREACHED*/
}
close(s);
old = lcconf->myaddrs;
/* Look for this interface in the list */
ifr_end = (struct ifreq *) (ifconf.ifc_buf + ifconf.ifc_len);
#define _IFREQ_LEN(p) \
(sizeof((p)->ifr_name) + sysdep_sa_len(&(p)->ifr_addr) > sizeof(struct ifreq) \
? sizeof((p)->ifr_name) + sysdep_sa_len(&(p)->ifr_addr) : sizeof(struct ifreq))
for (ifr = ifconf.ifc_req;
ifr < ifr_end;
ifr = (struct ifreq *)((caddr_t)ifr + _IFREQ_LEN(ifr))) {
switch (ifr->ifr_addr.sa_family) {
case AF_INET:
#ifdef INET6
case AF_INET6:
#endif
if (!suitable_ifaddr(ifr->ifr_name, &ifr->ifr_addr)) {
plog(LLV_ERROR, LOCATION, NULL,
"unsuitable address: %s %s\n",
ifr->ifr_name,
saddrwop2str(&ifr->ifr_addr));
continue;
}
p = newmyaddr();
if (p == NULL) {
exit(1);
/*NOTREACHED*/
}
p->addr = dupsaddr(&ifr->ifr_addr);
if (p->addr == NULL) {
exit(1);
/*NOTREACHED*/
}
#ifdef INET6
#ifdef __KAME__
sin6 = (struct sockaddr_in6 *)p->addr;
if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)
|| IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) {
sin6->sin6_scope_id =
ntohs(*(u_int16_t *)&sin6->sin6_addr.s6_addr[2]);
sin6->sin6_addr.s6_addr[2] = 0;
sin6->sin6_addr.s6_addr[3] = 0;
}
#endif
#endif
if (getnameinfo(p->addr, sysdep_sa_len(p->addr),
addr1, sizeof(addr1),
NULL, 0,
NI_NUMERICHOST | niflags))
strlcpy(addr1, "(invalid)", sizeof(addr1));
plog(LLV_DEBUG, LOCATION, NULL,
"my interface: %s (%s)\n",
addr1, ifr->ifr_name);
q = find_myaddr(old, p);
if (q)
p->sock = q->sock;
else
p->sock = -1;
p->next = lcconf->myaddrs;
lcconf->myaddrs = p;
break;
default:
break;
}
}
clear_myaddr(&old);
racoon_free(iflist);
#endif /*HAVE_GETIFADDRS*/
}
/*
* check the interface is suitable or not
*/
static int
suitable_ifaddr(ifname, ifaddr)
const char *ifname;
const struct sockaddr *ifaddr;
{
#ifdef ENABLE_HYBRID
/* Exclude any address we got through ISAKMP mode config */
if (exclude_cfg_addr(ifaddr) == 0)
return 0;
#endif
switch(ifaddr->sa_family) {
case AF_INET:
return 1;
#ifdef INET6
case AF_INET6:
return suitable_ifaddr6(ifname, ifaddr);
#endif
default:
return 0;
}
/*NOTREACHED*/
}
#ifdef INET6
static int
suitable_ifaddr6(ifname, ifaddr)
const char *ifname;
const struct sockaddr *ifaddr;
{
#ifndef __linux__
struct in6_ifreq ifr6;
int s;
#endif
if (ifaddr->sa_family != AF_INET6)
return 0;
#ifndef __linux__
s = socket(PF_INET6, SOCK_DGRAM, 0);
if (s == -1) {
plog(LLV_ERROR, LOCATION, NULL,
"socket(SOCK_DGRAM) failed:%s\n", strerror(errno));
return 0;
}
memset(&ifr6, 0, sizeof(ifr6));
strncpy(ifr6.ifr_name, ifname, strlen(ifname));
ifr6.ifr_addr = *(const struct sockaddr_in6 *)ifaddr;
if (ioctl(s, SIOCGIFAFLAG_IN6, &ifr6) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"ioctl(SIOCGIFAFLAG_IN6) failed:%s\n", strerror(errno));
close(s);
return 0;
}
close(s);
if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DUPLICATED
|| ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED
|| ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_ANYCAST)
return 0;
#endif
/* suitable */
return 1;
}
#endif
int
update_myaddrs()
{
#ifdef __linux__
char msg[BUFSIZ];
int len;
struct nlmsghdr *h = (void*)msg;
len = read(lcconf->rtsock, msg, sizeof(msg));
if (len < 0)
return errno == ENOBUFS;
if (len < sizeof(*h))
return 0;
if (h->nlmsg_pid) /* not from kernel! */
return 0;
if (h->nlmsg_type == RTM_NEWLINK)
return 0;
plog(LLV_DEBUG, LOCATION, NULL,
"netlink signals update interface address list\n");
return 1;
#else
char msg[BUFSIZ];
int len;
struct rt_msghdr *rtm;
len = read(lcconf->rtsock, msg, sizeof(msg));
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"read(PF_ROUTE) failed: %s\n",
strerror(errno));
return 0;
}
rtm = (struct rt_msghdr *)msg;
if (len < rtm->rtm_msglen) {
plog(LLV_ERROR, LOCATION, NULL,
"read(PF_ROUTE) short read\n");
return 0;
}
if (rtm->rtm_version != RTM_VERSION) {
plog(LLV_ERROR, LOCATION, NULL,
"routing socket version mismatch\n");
close(lcconf->rtsock);
lcconf->rtsock = -1;
return 0;
}
switch (rtm->rtm_type) {
case RTM_NEWADDR:
case RTM_DELADDR:
case RTM_DELETE:
case RTM_IFINFO:
break;
case RTM_MISS:
/* ignore this message silently */
return 0;
default:
plog(LLV_DEBUG, LOCATION, NULL,
"msg %d not interesting\n", rtm->rtm_type);
return 0;
}
/* XXX more filters here? */
plog(LLV_DEBUG, LOCATION, NULL,
"caught rtm:%d, need update interface address list\n",
rtm->rtm_type);
return 1;
#endif /* __linux__ */
}
/*
* initialize default port for ISAKMP to send, if no "listen"
* directive is specified in config file.
*
* DO NOT listen to wildcard addresses. if you receive packets to
* wildcard address, you'll be in trouble (DoS attack possible by
* broadcast storm).
*/
int
autoconf_myaddrsport()
{
struct myaddrs *p;
int n;
plog(LLV_DEBUG, LOCATION, NULL,
"configuring default isakmp port.\n");
#ifdef ENABLE_NATT
if (natt_enabled_in_rmconf ()) {
plog(LLV_NOTIFY, LOCATION, NULL, "NAT-T is enabled, autoconfiguring ports\n");
for (p = lcconf->myaddrs; p; p = p->next) {
struct myaddrs *new;
if (! p->udp_encap) {
new = dupmyaddr(p);
new->udp_encap = 1;
}
}
}
#endif
for (p = lcconf->myaddrs, n = 0; p; p = p->next, n++) {
set_port (p->addr, p->udp_encap ? lcconf->port_isakmp_natt : lcconf->port_isakmp);
}
plog(LLV_DEBUG, LOCATION, NULL,
"%d addrs are configured successfully\n", n);
return 0;
}
/*
* get a port number to which racoon binded.
* NOTE: network byte order returned.
*/
u_short
getmyaddrsport(local)
struct sockaddr *local;
{
struct myaddrs *p, *bestmatch = NULL;
u_short bestmatch_port = PORT_ISAKMP;
/* get a relative port */
for (p = lcconf->myaddrs; p; p = p->next) {
if (!p->addr)
continue;
if (!cmpsaddrwop(local, p->addr)) {
if (! bestmatch) {
bestmatch = p;
continue;
}
switch (p->addr->sa_family) {
case AF_INET:
if (((struct sockaddr_in *)p->addr)->sin_port == PORT_ISAKMP) {
bestmatch = p;
bestmatch_port = ((struct sockaddr_in *)p->addr)->sin_port;
break;
}
break;
#ifdef INET6
case AF_INET6:
if (((struct sockaddr_in6 *)p->addr)->sin6_port == PORT_ISAKMP) {
bestmatch = p;
bestmatch_port = ((struct sockaddr_in6 *)p->addr)->sin6_port;
break;
}
break;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"unsupported AF %d\n", p->addr->sa_family);
continue;
}
}
}
return htons(bestmatch_port);
}
struct myaddrs *
newmyaddr()
{
struct myaddrs *new;
new = racoon_calloc(1, sizeof(*new));
if (new == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer for myaddrs.\n");
return NULL;
}
new->next = NULL;
new->addr = NULL;
return new;
}
struct myaddrs *
dupmyaddr(struct myaddrs *old)
{
struct myaddrs *new;
new = racoon_calloc(1, sizeof(*new));
if (new == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer for myaddrs.\n");
return NULL;
}
/* Copy the whole structure and set the differences. */
memcpy (new, old, sizeof (*new));
new->addr = dupsaddr (old->addr);
new->next = old->next;
old->next = new;
return new;
}
void
insmyaddr(new, head)
struct myaddrs *new;
struct myaddrs **head;
{
new->next = *head;
*head = new;
}
void
delmyaddr(myaddr)
struct myaddrs *myaddr;
{
if (myaddr->addr)
racoon_free(myaddr->addr);
racoon_free(myaddr);
}
int
initmyaddr()
{
/* initialize routing socket */
lcconf->rtsock = socket(PF_ROUTE, SOCK_RAW, PF_UNSPEC);
if (lcconf->rtsock < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"socket(PF_ROUTE) failed: %s",
strerror(errno));
return -1;
}
#ifdef __linux__
{
struct sockaddr_nl nl;
int addr_len;
memset(&nl, 0, sizeof(nl));
nl.nl_family = AF_NETLINK;
nl.nl_groups = RTMGRP_IPV4_IFADDR|RTMGRP_LINK;
if (bind(lcconf->rtsock, (struct sockaddr*)&nl, sizeof(nl)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"bind(PF_NETLINK) failed: %s\n",
strerror(errno));
return -1;
}
addr_len = sizeof(nl);
if (getsockname(lcconf->rtsock, (struct sockaddr*)&nl, &addr_len) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"getsockname(PF_NETLINK) failed: %s\n",
strerror(errno));
return -1;
}
}
#endif
if (lcconf->myaddrs == NULL && lcconf->autograbaddr == 1) {
grab_myaddrs();
if (autoconf_myaddrsport() < 0)
return -1;
}
return 0;
}
/* select the socket to be sent */
/* should implement other method. */
int
getsockmyaddr(my)
struct sockaddr *my;
{
struct myaddrs *p, *lastresort = NULL;
#if defined(INET6) && defined(__linux__)
struct myaddrs *match_wo_scope_id = NULL;
int check_wo_scope_id = (my->sa_family == AF_INET6) &&
IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)my)->sin6_addr);
#endif
for (p = lcconf->myaddrs; p; p = p->next) {
if (p->addr == NULL)
continue;
if (my->sa_family == p->addr->sa_family) {
lastresort = p;
} else continue;
if (sysdep_sa_len(my) == sysdep_sa_len(p->addr)
&& memcmp(my, p->addr, sysdep_sa_len(my)) == 0) {
break;
}
#if defined(INET6) && defined(__linux__)
if (check_wo_scope_id && IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)p->addr)->sin6_addr) &&
/* XXX: this depends on sin6_scope_id to be last
* item in struct sockaddr_in6 */
memcmp(my, p->addr,
sysdep_sa_len(my) - sizeof(uint32_t)) == 0) {
match_wo_scope_id = p;
}
#endif
}
#if defined(INET6) && defined(__linux__)
if (!p)
p = match_wo_scope_id;
#endif
if (!p)
p = lastresort;
if (!p) {
plog(LLV_ERROR, LOCATION, NULL,
"no socket matches address family %d\n",
my->sa_family);
return -1;
}
return p->sock;
}

54
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.h vendored Normal file
View File

@ -0,0 +1,54 @@
/* $Id: grabmyaddr.h,v 1.1.1.1 2005/02/12 11:11:59 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _GRABMYADDR_H
#define _GRABMYADDR_H
struct myaddrs {
struct myaddrs *next;
struct sockaddr *addr;
int sock;
int udp_encap;
};
extern void clear_myaddr __P((struct myaddrs **));
extern void grab_myaddrs __P((void));
extern int update_myaddrs __P((void));
extern int autoconf_myaddrsport __P((void));
extern u_short getmyaddrsport __P((struct sockaddr *));
extern struct myaddrs *newmyaddr __P((void));
extern struct myaddrs *dupmyaddr __P((struct myaddrs *));
extern void insmyaddr __P((struct myaddrs *, struct myaddrs **));
extern void delmyaddr __P((struct myaddrs *));
extern int initmyaddr __P((void));
extern int getsockmyaddr __P((struct sockaddr *));
#endif /* _GRABMYADDR_H */

745
crypto/dist/ipsec-tools/src/racoon/gssapi.c vendored Normal file
View File

@ -0,0 +1,745 @@
/* $KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $ */
/*
* Copyright 2000 Wasabi Systems, Inc.
* All rights reserved.
*
* This software was written by Frank van der Linden of Wasabi Systems
* for Zembu Labs, Inc. http://www.zembu.com/
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of Wasabi Systems, Inc. may not be used to endorse
* or promote products derived from this software without specific prior
* written permission.
*
* THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#ifdef HAVE_GSSAPI
#include <sys/types.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "schedule.h"
#include "debug.h"
#include "localconf.h"
#include "remoteconf.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "oakley.h"
#include "handler.h"
#include "ipsec_doi.h"
#include "crypto_openssl.h"
#include "pfkey.h"
#include "isakmp_ident.h"
#include "isakmp_inf.h"
#include "vendorid.h"
#include "gcmalloc.h"
#include "gssapi.h"
static void
gssapi_error(OM_uint32 status_code, const char *where,
const char *fmt, ...)
{
OM_uint32 message_context, maj_stat, min_stat;
gss_buffer_desc status_string;
va_list ap;
va_start(ap, fmt);
plogv(LLV_ERROR, where, NULL, fmt, ap);
va_end(ap);
message_context = 0;
do {
maj_stat = gss_display_status(&min_stat, status_code,
GSS_C_MECH_CODE, GSS_C_NO_OID, &message_context,
&status_string);
if (GSS_ERROR(maj_stat))
plog(LLV_ERROR, LOCATION, NULL,
"UNABLE TO GET GSSAPI ERROR CODE\n");
else {
plog(LLV_ERROR, where, NULL,
"%s\n", (char *)status_string.value);
gss_release_buffer(&min_stat, &status_string);
}
} while (message_context != 0);
}
/*
* vmbufs and gss_buffer_descs are really just the same on NetBSD, but
* this is to be portable.
*/
static int
gssapi_vm2gssbuf(vchar_t *vmbuf, gss_buffer_t gsstoken)
{
gsstoken->value = racoon_malloc(vmbuf->l);
if (gsstoken->value == NULL)
return -1;
memcpy(gsstoken->value, vmbuf->v, vmbuf->l);
gsstoken->length = vmbuf->l;
return 0;
}
static int
gssapi_gss2vmbuf(gss_buffer_t gsstoken, vchar_t **vmbuf)
{
*vmbuf = vmalloc(gsstoken->length);
if (*vmbuf == NULL)
return -1;
memcpy((*vmbuf)->v, gsstoken->value, gsstoken->length);
(*vmbuf)->l = gsstoken->length;
return 0;
}
vchar_t *
gssapi_get_default_gss_id(void)
{
char name[NI_MAXHOST];
vchar_t *gssid;
if (gethostname(name, sizeof(name)) != 0) {
plog(LLV_ERROR, LOCATION, NULL, "gethostname failed: %s\n",
strerror(errno));
return (NULL);
}
name[sizeof(name) - 1] = '\0';
gssid = racoon_malloc(sizeof(*gssid));
gssid->l = asprintf(&gssid->v, "%s/%s", GSSAPI_DEF_NAME, name);
return (gssid);
}
static int
gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service)
{
char name[NI_MAXHOST];
struct sockaddr *sa;
gss_buffer_desc name_token;
OM_uint32 min_stat, maj_stat;
sa = remote ? iph1->remote : iph1->local;
if (getnameinfo(sa, sysdep_sa_len(sa), name, NI_MAXHOST, NULL, 0, 0) != 0)
return -1;
name_token.length = asprintf((char **)&name_token.value,
"%s@%s", GSSAPI_DEF_NAME, name);
maj_stat = gss_import_name(&min_stat, &name_token,
GSS_C_NT_HOSTBASED_SERVICE, service);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "import name\n");
maj_stat = gss_release_buffer(&min_stat, &name_token);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release name_token");
return -1;
}
maj_stat = gss_release_buffer(&min_stat, &name_token);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release name_token");
return 0;
}
static int
gssapi_init(struct ph1handle *iph1)
{
struct gssapi_ph1_state *gps;
gss_buffer_desc id_token, cred_token;
gss_buffer_t cred = &cred_token;
gss_name_t princ, canon_princ;
OM_uint32 maj_stat, min_stat;
gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
if (gps == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
return -1;
}
gps->gss_context = GSS_C_NO_CONTEXT;
gps->gss_cred = GSS_C_NO_CREDENTIAL;
gssapi_set_state(iph1, gps);
if (iph1->rmconf->proposal->gssid != NULL) {
id_token.length = iph1->rmconf->proposal->gssid->l;
id_token.value = iph1->rmconf->proposal->gssid->v;
maj_stat = gss_import_name(&min_stat, &id_token, GSS_C_NO_OID,
&princ);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "import name\n");
gssapi_free_state(iph1);
return -1;
}
} else
gssapi_get_default_name(iph1, 0, &princ);
maj_stat = gss_canonicalize_name(&min_stat, princ, GSS_C_NO_OID,
&canon_princ);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "canonicalize name\n");
maj_stat = gss_release_name(&min_stat, &princ);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release princ\n");
gssapi_free_state(iph1);
return -1;
}
maj_stat = gss_release_name(&min_stat, &princ);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release princ\n");
maj_stat = gss_export_name(&min_stat, canon_princ, cred);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "export name\n");
maj_stat = gss_release_name(&min_stat, &canon_princ);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION,
"release canon_princ\n");
gssapi_free_state(iph1);
return -1;
}
#if 0
/*
* XXXJRT Did this debug message ever work? This is a GSS name
* blob at this point.
*/
plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s' creds\n",
cred->length, cred->value);
#endif
maj_stat = gss_release_buffer(&min_stat, cred);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release cred buffer\n");
maj_stat = gss_acquire_cred(&min_stat, canon_princ, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_BOTH, &gps->gss_cred, NULL, NULL);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "acquire cred\n");
maj_stat = gss_release_name(&min_stat, &canon_princ);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION,
"release canon_princ\n");
gssapi_free_state(iph1);
return -1;
}
maj_stat = gss_release_name(&min_stat, &canon_princ);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release canon_princ\n");
return 0;
}
int
gssapi_get_itoken(struct ph1handle *iph1, int *lenp)
{
struct gssapi_ph1_state *gps;
gss_buffer_desc empty, name_token;
gss_buffer_t itoken, rtoken, dummy;
OM_uint32 maj_stat, min_stat;
gss_name_t partner;
if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0)
return -1;
gps = gssapi_get_state(iph1);
empty.length = 0;
empty.value = NULL;
dummy = &empty;
if (iph1->approval != NULL && iph1->approval->gssid != NULL) {
plog(LLV_DEBUG, LOCATION, NULL,
"using provided service '%.*s'\n",
iph1->approval->gssid->l, iph1->approval->gssid->v);
name_token.length = iph1->approval->gssid->l;
name_token.value = iph1->approval->gssid->v;
maj_stat = gss_import_name(&min_stat, &name_token,
GSS_C_NO_OID, &partner);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "import of %.*s\n",
name_token.length, name_token.value);
return -1;
}
} else
if (gssapi_get_default_name(iph1, 1, &partner) < 0)
return -1;
rtoken = gps->gsscnt_p == 0 ? dummy : &gps->gss_p[gps->gsscnt_p - 1];
itoken = &gps->gss[gps->gsscnt];
gps->gss_status = gss_init_sec_context(&min_stat, gps->gss_cred,
&gps->gss_context, partner, GSS_C_NO_OID,
GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG |
GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG,
0, GSS_C_NO_CHANNEL_BINDINGS, rtoken, NULL,
itoken, NULL, NULL);
if (GSS_ERROR(gps->gss_status)) {
gssapi_error(min_stat, LOCATION, "init_sec_context\n");
maj_stat = gss_release_name(&min_stat, &partner);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release name\n");
return -1;
}
maj_stat = gss_release_name(&min_stat, &partner);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release name\n");
plog(LLV_DEBUG, LOCATION, NULL, "gss_init_sec_context status %x\n",
gps->gss_status);
if (lenp)
*lenp = itoken->length;
if (itoken->length != 0)
gps->gsscnt++;
return 0;
}
/*
* Call gss_accept_context, with token just read from the wire.
*/
int
gssapi_get_rtoken(struct ph1handle *iph1, int *lenp)
{
struct gssapi_ph1_state *gps;
gss_buffer_desc name_token;
gss_buffer_t itoken, rtoken;
OM_uint32 min_stat, maj_stat;
gss_name_t client_name;
if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0)
return -1;
gps = gssapi_get_state(iph1);
rtoken = &gps->gss_p[gps->gsscnt_p - 1];
itoken = &gps->gss[gps->gsscnt];
gps->gss_status = gss_accept_sec_context(&min_stat, &gps->gss_context,
gps->gss_cred, rtoken, GSS_C_NO_CHANNEL_BINDINGS, &client_name,
NULL, itoken, NULL, NULL, NULL);
if (GSS_ERROR(gps->gss_status)) {
gssapi_error(min_stat, LOCATION, "accept_sec_context\n");
return -1;
}
maj_stat = gss_display_name(&min_stat, client_name, &name_token, NULL);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "gss_display_name\n");
maj_stat = gss_release_name(&min_stat, &client_name);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION,
"release client_name\n");
return -1;
}
maj_stat = gss_release_name(&min_stat, &client_name);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release client_name\n");
plog(LLV_DEBUG, LOCATION, NULL,
"gss_accept_sec_context: other side is %s\n",
(char *)name_token.value);
maj_stat = gss_release_buffer(&min_stat, &name_token);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release name buffer\n");
if (itoken->length != 0)
gps->gsscnt++;
if (lenp)
*lenp = itoken->length;
return 0;
}
int
gssapi_save_received_token(struct ph1handle *iph1, vchar_t *token)
{
struct gssapi_ph1_state *gps;
gss_buffer_t gsstoken;
int ret;
if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0)
return -1;
gps = gssapi_get_state(iph1);
gsstoken = &gps->gss_p[gps->gsscnt_p];
ret = gssapi_vm2gssbuf(token, gsstoken);
if (ret < 0)
return ret;
gps->gsscnt_p++;
return 0;
}
int
gssapi_get_token_to_send(struct ph1handle *iph1, vchar_t **token)
{
struct gssapi_ph1_state *gps;
gss_buffer_t gsstoken;
int ret;
gps = gssapi_get_state(iph1);
if (gps == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"gssapi not yet initialized?\n");
return -1;
}
gsstoken = &gps->gss[gps->gsscnt - 1];
ret = gssapi_gss2vmbuf(gsstoken, token);
if (ret < 0)
return ret;
return 0;
}
int
gssapi_get_itokens(struct ph1handle *iph1, vchar_t **tokens)
{
struct gssapi_ph1_state *gps;
int len, i;
vchar_t *toks;
char *p;
gps = gssapi_get_state(iph1);
if (gps == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"gssapi not yet initialized?\n");
return -1;
}
for (i = len = 0; i < gps->gsscnt; i++)
len += gps->gss[i].length;
toks = vmalloc(len);
if (toks == 0)
return -1;
p = (char *)toks->v;
for (i = 0; i < gps->gsscnt; i++) {
memcpy(p, gps->gss[i].value, gps->gss[i].length);
p += gps->gss[i].length;
}
*tokens = toks;
plog(LLV_DEBUG, LOCATION, NULL,
"%d itokens of length %d\n", gps->gsscnt, (*tokens)->l);
return 0;
}
int
gssapi_get_rtokens(struct ph1handle *iph1, vchar_t **tokens)
{
struct gssapi_ph1_state *gps;
int len, i;
vchar_t *toks;
char *p;
gps = gssapi_get_state(iph1);
if (gps == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"gssapi not yet initialized?\n");
return -1;
}
if (gssapi_more_tokens(iph1)) {
plog(LLV_ERROR, LOCATION, NULL,
"gssapi roundtrips not complete\n");
return -1;
}
for (i = len = 0; i < gps->gsscnt_p; i++)
len += gps->gss_p[i].length;
toks = vmalloc(len);
if (toks == 0)
return -1;
p = (char *)toks->v;
for (i = 0; i < gps->gsscnt_p; i++) {
memcpy(p, gps->gss_p[i].value, gps->gss_p[i].length);
p += gps->gss_p[i].length;
}
*tokens = toks;
return 0;
}
vchar_t *
gssapi_wraphash(struct ph1handle *iph1)
{
struct gssapi_ph1_state *gps;
OM_uint32 maj_stat, min_stat;
gss_buffer_desc hash_in_buf, hash_out_buf;
gss_buffer_t hash_in = &hash_in_buf, hash_out = &hash_out_buf;
vchar_t *outbuf;
gps = gssapi_get_state(iph1);
if (gps == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"gssapi not yet initialized?\n");
return NULL;
}
if (gssapi_more_tokens(iph1)) {
plog(LLV_ERROR, LOCATION, NULL,
"gssapi roundtrips not complete\n");
return NULL;
}
if (gssapi_vm2gssbuf(iph1->hash, hash_in) < 0) {
plog(LLV_ERROR, LOCATION, NULL, "vm2gssbuf failed\n");
return NULL;
}
maj_stat = gss_wrap(&min_stat, gps->gss_context, 1, GSS_C_QOP_DEFAULT,
hash_in, NULL, hash_out);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "wrapping hash value\n");
maj_stat = gss_release_buffer(&min_stat, hash_in);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION,
"release hash_in buffer\n");
return NULL;
}
plog(LLV_DEBUG, LOCATION, NULL, "wrapped HASH, ilen %d olen %d\n",
hash_in->length, hash_out->length);
maj_stat = gss_release_buffer(&min_stat, hash_in);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release hash_in buffer\n");
if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) {
plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
maj_stat = gss_release_buffer(&min_stat, hash_out);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION,
"release hash_out buffer\n");
return NULL;
}
maj_stat = gss_release_buffer(&min_stat, hash_out);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release hash_out buffer\n");
return outbuf;
}
vchar_t *
gssapi_unwraphash(struct ph1handle *iph1)
{
struct gssapi_ph1_state *gps;
OM_uint32 maj_stat, min_stat;
gss_buffer_desc hashbuf, hash_outbuf;
gss_buffer_t hash_in = &hashbuf, hash_out = &hash_outbuf;
vchar_t *outbuf;
gps = gssapi_get_state(iph1);
if (gps == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"gssapi not yet initialized?\n");
return NULL;
}
hashbuf.length = ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash);
hashbuf.value = (char *)(iph1->pl_hash + 1);
plog(LLV_DEBUG, LOCATION, NULL, "unwrapping HASH of len %d\n",
hashbuf.length);
maj_stat = gss_unwrap(&min_stat, gps->gss_context, hash_in, hash_out,
NULL, NULL);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "unwrapping hash value\n");
return NULL;
}
if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) {
plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
maj_stat = gss_release_buffer(&min_stat, hash_out);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION,
"release hash_out buffer\n");
return NULL;
}
maj_stat = gss_release_buffer(&min_stat, hash_out);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release hash_out buffer\n");
return outbuf;
}
void
gssapi_set_id_sent(struct ph1handle *iph1)
{
struct gssapi_ph1_state *gps;
gps = gssapi_get_state(iph1);
gps->gss_flags |= GSSFLAG_ID_SENT;
}
int
gssapi_id_sent(struct ph1handle *iph1)
{
struct gssapi_ph1_state *gps;
gps = gssapi_get_state(iph1);
return (gps->gss_flags & GSSFLAG_ID_SENT) != 0;
}
void
gssapi_set_id_rcvd(struct ph1handle *iph1)
{
struct gssapi_ph1_state *gps;
gps = gssapi_get_state(iph1);
gps->gss_flags |= GSSFLAG_ID_RCVD;
}
int
gssapi_id_rcvd(struct ph1handle *iph1)
{
struct gssapi_ph1_state *gps;
gps = gssapi_get_state(iph1);
return (gps->gss_flags & GSSFLAG_ID_RCVD) != 0;
}
void
gssapi_free_state(struct ph1handle *iph1)
{
struct gssapi_ph1_state *gps;
OM_uint32 maj_stat, min_stat;
gps = gssapi_get_state(iph1);
if (gps == NULL)
return;
gssapi_set_state(iph1, NULL);
if (gps->gss_cred != GSS_C_NO_CREDENTIAL) {
maj_stat = gss_release_cred(&min_stat, &gps->gss_cred);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION,
"releasing credentials\n");
}
racoon_free(gps);
}
vchar_t *
gssapi_get_id(struct ph1handle *iph1)
{
gss_buffer_desc id_buffer;
gss_buffer_t id = &id_buffer;
gss_name_t defname, canon_name;
OM_uint32 min_stat, maj_stat;
vchar_t *vmbuf;
if (iph1->rmconf->proposal->gssid != NULL)
return (vdup(iph1->rmconf->proposal->gssid));
if (gssapi_get_default_name(iph1, 0, &defname) < 0)
return NULL;
maj_stat = gss_canonicalize_name(&min_stat, defname, GSS_C_NO_OID,
&canon_name);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "canonicalize name\n");
maj_stat = gss_release_name(&min_stat, &defname);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION,
"release default name\n");
return NULL;
}
maj_stat = gss_release_name(&min_stat, &defname);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release default name\n");
maj_stat = gss_export_name(&min_stat, canon_name, id);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "export name\n");
maj_stat = gss_release_name(&min_stat, &canon_name);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION,
"release canonical name\n");
return NULL;
}
maj_stat = gss_release_name(&min_stat, &canon_name);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release canonical name\n");
#if 0
/*
* XXXJRT Did this debug message ever work? This is a GSS name
* blob at this point.
*/
plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s' creds\n",
id->length, id->value);
#endif
if (gssapi_gss2vmbuf(id, &vmbuf) < 0) {
plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
maj_stat = gss_release_buffer(&min_stat, id);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release id buffer\n");
return NULL;
}
maj_stat = gss_release_buffer(&min_stat, id);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release id buffer\n");
return vmbuf;
}
#else
int __gssapi_dUmMy;
#endif

89
crypto/dist/ipsec-tools/src/racoon/gssapi.h vendored Normal file
View File

@ -0,0 +1,89 @@
/* $Id: gssapi.h,v 1.1.1.1 2005/02/12 11:12:00 manu Exp $ */
/*
* Copyright 2000 Wasabi Systems, Inc.
* All rights reserved.
*
* This software was written by Frank van der Linden of Wasabi Systems
* for Zembu Labs, Inc. http://www.zembu.com/
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of Wasabi Systems, Inc. may not be used to endorse
* or promote products derived from this software without specific prior
* written permission.
*
* THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifdef __FreeBSD__
#include "/usr/include/gssapi.h"
#else
#include <gssapi/gssapi.h>
#endif
#define GSSAPI_DEF_NAME "host"
struct ph1handle;
struct isakmpsa;
struct gssapi_ph1_state {
int gsscnt; /* # of token we're working on */
int gsscnt_p; /* # of token we're working on */
gss_buffer_desc gss[3]; /* gss-api tokens. */
/* NOTE: XXX this restricts the max # */
/* to 3. More should never happen */
gss_buffer_desc gss_p[3];
gss_ctx_id_t gss_context; /* context for gss_init_sec_context */
OM_uint32 gss_status; /* retval from gss_init_sec_context */
gss_cred_id_t gss_cred; /* acquired credentials */
int gss_flags;
#define GSSFLAG_ID_SENT 0x0001
#define GSSFLAG_ID_RCVD 0x0001
};
#define gssapi_get_state(ph) \
((struct gssapi_ph1_state *)((ph)->gssapi_state))
#define gssapi_set_state(ph, st) \
(ph)->gssapi_state = (st)
#define gssapi_more_tokens(ph) \
((gssapi_get_state(ph)->gss_status & GSS_S_CONTINUE_NEEDED) != 0)
int gssapi_get_itoken __P((struct ph1handle *, int *));
int gssapi_get_rtoken __P((struct ph1handle *, int *));
int gssapi_save_received_token __P((struct ph1handle *, vchar_t *));
int gssapi_get_token_to_send __P((struct ph1handle *, vchar_t **));
int gssapi_get_itokens __P((struct ph1handle *, vchar_t **));
int gssapi_get_rtokens __P((struct ph1handle *, vchar_t **));
vchar_t *gssapi_wraphash __P((struct ph1handle *));
vchar_t *gssapi_unwraphash __P((struct ph1handle *));
void gssapi_set_id_sent __P((struct ph1handle *));
int gssapi_id_sent __P((struct ph1handle *));
void gssapi_set_id_rcvd __P((struct ph1handle *));
int gssapi_id_rcvd __P((struct ph1handle *));
void gssapi_free_state __P((struct ph1handle *));
vchar_t *gssapi_get_id __P((struct ph1handle *));
vchar_t *gssapi_get_default_gss_id __P((void));

953
crypto/dist/ipsec-tools/src/racoon/handler.c vendored Normal file
View File

@ -0,0 +1,953 @@
/* $Id: handler.c,v 1.1.1.1 2005/02/12 11:12:00 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "debug.h"
#include "schedule.h"
#include "grabmyaddr.h"
#include "algorithm.h"
#include "crypto_openssl.h"
#include "policy.h"
#include "proposal.h"
#include "isakmp_var.h"
#include "evt.h"
#include "isakmp.h"
#ifdef ENABLE_HYBRID
#include "isakmp_xauth.h"
#include "isakmp_cfg.h"
#endif
#include "isakmp_inf.h"
#include "oakley.h"
#include "remoteconf.h"
#include "localconf.h"
#include "handler.h"
#include "gcmalloc.h"
#include "nattraversal.h"
#ifdef HAVE_GSSAPI
#include "gssapi.h"
#endif
static LIST_HEAD(_ph1tree_, ph1handle) ph1tree;
static LIST_HEAD(_ph2tree_, ph2handle) ph2tree;
static LIST_HEAD(_ctdtree_, contacted) ctdtree;
static LIST_HEAD(_rcptree_, recvdpkt) rcptree;
static void del_recvdpkt __P((struct recvdpkt *));
static void rem_recvdpkt __P((struct recvdpkt *));
static void sweep_recvdpkt __P((void *));
/*
* functions about management of the isakmp status table
*/
/* %%% management phase 1 handler */
/*
* search for isakmpsa handler with isakmp index.
*/
extern caddr_t val2str(const char *, size_t);
struct ph1handle *
getph1byindex(index)
isakmp_index *index;
{
struct ph1handle *p;
LIST_FOREACH(p, &ph1tree, chain) {
if (p->status == PHASE1ST_EXPIRED)
continue;
if (memcmp(&p->index, index, sizeof(*index)) == 0)
return p;
}
return NULL;
}
/*
* search for isakmp handler by i_ck in index.
*/
struct ph1handle *
getph1byindex0(index)
isakmp_index *index;
{
struct ph1handle *p;
LIST_FOREACH(p, &ph1tree, chain) {
if (p->status == PHASE1ST_EXPIRED)
continue;
if (memcmp(&p->index, index, sizeof(cookie_t)) == 0)
return p;
}
return NULL;
}
/*
* search for isakmpsa handler by source and remote address.
* don't use port number to search because this function search
* with phase 2's destinaion.
*/
struct ph1handle *
getph1byaddr(local, remote)
struct sockaddr *local, *remote;
{
struct ph1handle *p;
LIST_FOREACH(p, &ph1tree, chain) {
if (p->status == PHASE1ST_EXPIRED)
continue;
if (cmpsaddrwop(local, p->local) == 0
&& cmpsaddrwop(remote, p->remote) == 0)
return p;
}
return NULL;
}
/*
* search for isakmpsa handler by remote address.
* don't use port number to search because this function search
* with phase 2's destinaion.
*/
struct ph1handle *
getph1bydstaddr(remote)
struct sockaddr *remote;
{
struct ph1handle *p;
LIST_FOREACH(p, &ph1tree, chain) {
if (p->status == PHASE1ST_EXPIRED)
continue;
if (cmpsaddrwop(remote, p->remote) == 0)
return p;
}
return NULL;
}
/*
* dump isakmp-sa
*/
vchar_t *
dumpph1()
{
struct ph1handle *iph1;
struct ph1dump *pd;
int cnt = 0;
vchar_t *buf;
/* get length of buffer */
LIST_FOREACH(iph1, &ph1tree, chain)
cnt++;
buf = vmalloc(cnt * sizeof(struct ph1dump));
if (buf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get buffer\n");
return NULL;
}
pd = (struct ph1dump *)buf->v;
LIST_FOREACH(iph1, &ph1tree, chain) {
memcpy(&pd->index, &iph1->index, sizeof(iph1->index));
pd->status = iph1->status;
pd->side = iph1->side;
memcpy(&pd->remote, iph1->remote, sysdep_sa_len(iph1->remote));
memcpy(&pd->local, iph1->local, sysdep_sa_len(iph1->local));
pd->version = iph1->version;
pd->etype = iph1->etype;
pd->created = iph1->created;
pd->ph2cnt = iph1->ph2cnt;
pd++;
}
return buf;
}
/*
* create new isakmp Phase 1 status record to handle isakmp in Phase1
*/
struct ph1handle *
newph1()
{
struct ph1handle *iph1;
/* create new iph1 */
iph1 = racoon_calloc(1, sizeof(*iph1));
if (iph1 == NULL)
return NULL;
iph1->status = PHASE1ST_SPAWN;
#ifdef ENABLE_DPD
iph1->dpd_support = 0;
iph1->dpd_lastack = 0;
iph1->dpd_seq = 0;
iph1->dpd_fails = 0;
iph1->dpd_r_u = NULL;
#endif
return iph1;
}
/*
* delete new isakmp Phase 1 status record to handle isakmp in Phase1
*/
void
delph1(iph1)
struct ph1handle *iph1;
{
/* SA down shell script hook */
if (iph1 != NULL)
script_hook(iph1, SCRIPT_PHASE1_DOWN);
EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
#ifdef ENABLE_NATT
if (iph1->natt_flags & NAT_KA_QUEUED)
natt_keepalive_remove (iph1->local, iph1->remote);
if (iph1->natt_options) {
racoon_free(iph1->natt_options);
iph1->natt_options = NULL;
}
#endif
if (iph1->remote) {
racoon_free(iph1->remote);
iph1->remote = NULL;
}
if (iph1->local) {
racoon_free(iph1->local);
iph1->local = NULL;
}
#ifdef ENABLE_HYBRID
if (iph1->mode_cfg)
isakmp_cfg_rmstate(iph1);
#endif
VPTRINIT(iph1->authstr);
sched_scrub_param(iph1);
iph1->sce = NULL;
iph1->scr = NULL;
VPTRINIT(iph1->sendbuf);
VPTRINIT(iph1->dhpriv);
VPTRINIT(iph1->dhpub);
VPTRINIT(iph1->dhpub_p);
VPTRINIT(iph1->dhgxy);
VPTRINIT(iph1->nonce);
VPTRINIT(iph1->nonce_p);
VPTRINIT(iph1->skeyid);
VPTRINIT(iph1->skeyid_d);
VPTRINIT(iph1->skeyid_a);
VPTRINIT(iph1->skeyid_e);
VPTRINIT(iph1->key);
VPTRINIT(iph1->hash);
VPTRINIT(iph1->sig);
VPTRINIT(iph1->sig_p);
oakley_delcert(iph1->cert);
iph1->cert = NULL;
oakley_delcert(iph1->cert_p);
iph1->cert_p = NULL;
oakley_delcert(iph1->crl_p);
iph1->crl_p = NULL;
oakley_delcert(iph1->cr_p);
iph1->cr_p = NULL;
VPTRINIT(iph1->id);
VPTRINIT(iph1->id_p);
if (iph1->ivm) {
oakley_delivm(iph1->ivm);
iph1->ivm = NULL;
}
VPTRINIT(iph1->sa);
VPTRINIT(iph1->sa_ret);
#ifdef HAVE_GSSAPI
VPTRINIT(iph1->gi_i);
VPTRINIT(iph1->gi_r);
gssapi_free_state(iph1);
#endif
racoon_free(iph1);
}
/*
* create new isakmp Phase 1 status record to handle isakmp in Phase1
*/
int
insph1(iph1)
struct ph1handle *iph1;
{
/* validity check */
if (iph1->remote == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid isakmp SA handler. no remote address.\n");
return -1;
}
LIST_INSERT_HEAD(&ph1tree, iph1, chain);
return 0;
}
void
remph1(iph1)
struct ph1handle *iph1;
{
LIST_REMOVE(iph1, chain);
}
/*
* flush isakmp-sa
*/
void
flushph1()
{
struct ph1handle *p, *next;
for (p = LIST_FIRST(&ph1tree); p; p = next) {
next = LIST_NEXT(p, chain);
/* send delete information */
if (p->status == PHASE1ST_ESTABLISHED)
isakmp_info_send_d1(p);
remph1(p);
delph1(p);
}
}
void
initph1tree()
{
LIST_INIT(&ph1tree);
}
/* %%% management phase 2 handler */
/*
* search ph2handle with policy id.
*/
struct ph2handle *
getph2byspid(spid)
u_int32_t spid;
{
struct ph2handle *p;
LIST_FOREACH(p, &ph2tree, chain) {
/*
* there are ph2handle independent on policy
* such like informational exchange.
*/
if (p->spid == spid)
return p;
}
return NULL;
}
/*
* search ph2handle with sequence number.
*/
struct ph2handle *
getph2byseq(seq)
u_int32_t seq;
{
struct ph2handle *p;
LIST_FOREACH(p, &ph2tree, chain) {
if (p->seq == seq)
return p;
}
return NULL;
}
/*
* search ph2handle with message id.
*/
struct ph2handle *
getph2bymsgid(iph1, msgid)
struct ph1handle *iph1;
u_int32_t msgid;
{
struct ph2handle *p;
LIST_FOREACH(p, &ph2tree, chain) {
if (p->msgid == msgid)
return p;
}
return NULL;
}
/*
* call by pk_recvexpire().
*/
struct ph2handle *
getph2bysaidx(src, dst, proto_id, spi)
struct sockaddr *src, *dst;
u_int proto_id;
u_int32_t spi;
{
struct ph2handle *iph2;
struct saproto *pr;
LIST_FOREACH(iph2, &ph2tree, chain) {
if (iph2->proposal == NULL && iph2->approval == NULL)
continue;
if (iph2->approval != NULL) {
for (pr = iph2->approval->head; pr != NULL;
pr = pr->next) {
if (proto_id != pr->proto_id)
break;
if (spi == pr->spi || spi == pr->spi_p)
return iph2;
}
} else if (iph2->proposal != NULL) {
for (pr = iph2->proposal->head; pr != NULL;
pr = pr->next) {
if (proto_id != pr->proto_id)
break;
if (spi == pr->spi)
return iph2;
}
}
}
return NULL;
}
/*
* create new isakmp Phase 2 status record to handle isakmp in Phase2
*/
struct ph2handle *
newph2()
{
struct ph2handle *iph2 = NULL;
/* create new iph2 */
iph2 = racoon_calloc(1, sizeof(*iph2));
if (iph2 == NULL)
return NULL;
iph2->status = PHASE1ST_SPAWN;
return iph2;
}
/*
* initialize ph2handle
* NOTE: don't initialize src/dst.
* SPI in the proposal is cleared.
*/
void
initph2(iph2)
struct ph2handle *iph2;
{
sched_scrub_param(iph2);
iph2->sce = NULL;
iph2->scr = NULL;
VPTRINIT(iph2->sendbuf);
VPTRINIT(iph2->msg1);
/* clear spi, keep variables in the proposal */
if (iph2->proposal) {
struct saproto *pr;
for (pr = iph2->proposal->head; pr != NULL; pr = pr->next)
pr->spi = 0;
}
/* clear approval */
if (iph2->approval) {
flushsaprop(iph2->approval);
iph2->approval = NULL;
}
/* clear the generated policy */
if (iph2->spidx_gen) {
delsp_bothdir((struct policyindex *)iph2->spidx_gen);
racoon_free(iph2->spidx_gen);
iph2->spidx_gen = NULL;
}
if (iph2->pfsgrp) {
oakley_dhgrp_free(iph2->pfsgrp);
iph2->pfsgrp = NULL;
}
VPTRINIT(iph2->dhpriv);
VPTRINIT(iph2->dhpub);
VPTRINIT(iph2->dhpub_p);
VPTRINIT(iph2->dhgxy);
VPTRINIT(iph2->id);
VPTRINIT(iph2->id_p);
VPTRINIT(iph2->nonce);
VPTRINIT(iph2->nonce_p);
VPTRINIT(iph2->sa);
VPTRINIT(iph2->sa_ret);
if (iph2->ivm) {
oakley_delivm(iph2->ivm);
iph2->ivm = NULL;
}
}
/*
* delete new isakmp Phase 2 status record to handle isakmp in Phase2
*/
void
delph2(iph2)
struct ph2handle *iph2;
{
initph2(iph2);
if (iph2->src) {
racoon_free(iph2->src);
iph2->src = NULL;
}
if (iph2->dst) {
racoon_free(iph2->dst);
iph2->dst = NULL;
}
if (iph2->src_id) {
racoon_free(iph2->src_id);
iph2->src_id = NULL;
}
if (iph2->dst_id) {
racoon_free(iph2->dst_id);
iph2->dst_id = NULL;
}
if (iph2->proposal) {
flushsaprop(iph2->proposal);
iph2->proposal = NULL;
}
racoon_free(iph2);
}
/*
* create new isakmp Phase 2 status record to handle isakmp in Phase2
*/
int
insph2(iph2)
struct ph2handle *iph2;
{
LIST_INSERT_HEAD(&ph2tree, iph2, chain);
return 0;
}
void
remph2(iph2)
struct ph2handle *iph2;
{
LIST_REMOVE(iph2, chain);
}
void
initph2tree()
{
LIST_INIT(&ph2tree);
}
void
flushph2()
{
struct ph2handle *p, *next;
for (p = LIST_FIRST(&ph2tree); p; p = next) {
next = LIST_NEXT(p, chain);
/* send delete information */
if (p->status == PHASE2ST_ESTABLISHED)
isakmp_info_send_d2(p);
unbindph12(p);
remph2(p);
delph2(p);
}
}
/*
* Delete all Phase 2 handlers for this src/dst/proto. This
* is used during INITIAL-CONTACT processing (so no need to
* send a message to the peer).
*/
void
deleteallph2(src, dst, proto_id)
struct sockaddr *src, *dst;
u_int proto_id;
{
struct ph2handle *iph2, *next;
struct saproto *pr;
for (iph2 = LIST_FIRST(&ph2tree); iph2 != NULL; iph2 = next) {
next = LIST_NEXT(iph2, chain);
if (iph2->proposal == NULL && iph2->approval == NULL)
continue;
if (iph2->approval != NULL) {
for (pr = iph2->approval->head; pr != NULL;
pr = pr->next) {
if (proto_id == pr->proto_id)
goto zap_it;
}
} else if (iph2->proposal != NULL) {
for (pr = iph2->proposal->head; pr != NULL;
pr = pr->next) {
if (proto_id == pr->proto_id)
goto zap_it;
}
}
continue;
zap_it:
unbindph12(iph2);
remph2(iph2);
delph2(iph2);
}
}
/* %%% */
void
bindph12(iph1, iph2)
struct ph1handle *iph1;
struct ph2handle *iph2;
{
iph2->ph1 = iph1;
LIST_INSERT_HEAD(&iph1->ph2tree, iph2, ph1bind);
}
void
unbindph12(iph2)
struct ph2handle *iph2;
{
if (iph2->ph1 != NULL) {
iph2->ph1 = NULL;
LIST_REMOVE(iph2, ph1bind);
}
}
/* %%% management contacted list */
/*
* search contacted list.
*/
struct contacted *
getcontacted(remote)
struct sockaddr *remote;
{
struct contacted *p;
LIST_FOREACH(p, &ctdtree, chain) {
if (cmpsaddrstrict(remote, p->remote) == 0)
return p;
}
return NULL;
}
/*
* create new isakmp Phase 2 status record to handle isakmp in Phase2
*/
int
inscontacted(remote)
struct sockaddr *remote;
{
struct contacted *new;
/* create new iph2 */
new = racoon_calloc(1, sizeof(*new));
if (new == NULL)
return -1;
new->remote = dupsaddr(remote);
LIST_INSERT_HEAD(&ctdtree, new, chain);
return 0;
}
void
initctdtree()
{
LIST_INIT(&ctdtree);
}
/*
* check the response has been sent to the peer. when not, simply reply
* the buffered packet to the peer.
* OUT:
* 0: the packet is received at the first time.
* 1: the packet was processed before.
* 2: the packet was processed before, but the address mismatches.
* -1: error happened.
*/
int
check_recvdpkt(remote, local, rbuf)
struct sockaddr *remote, *local;
vchar_t *rbuf;
{
vchar_t *hash;
struct recvdpkt *r;
time_t t;
int len, s;
/* set current time */
t = time(NULL);
hash = eay_md5_one(rbuf);
if (!hash) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
return -1;
}
LIST_FOREACH(r, &rcptree, chain) {
if (memcmp(hash->v, r->hash->v, r->hash->l) == 0)
break;
}
vfree(hash);
/* this is the first time to receive the packet */
if (r == NULL)
return 0;
/*
* the packet was processed before, but the remote address mismatches.
*/
if (cmpsaddrstrict(remote, r->remote) != 0)
return 2;
/*
* it should not check the local address because the packet
* may arrive at other interface.
*/
/* check the previous time to send */
if (t - r->time_send < 1) {
plog(LLV_WARNING, LOCATION, NULL,
"the packet retransmitted in a short time from %s\n",
saddr2str(remote));
/*XXX should it be error ? */
}
/* select the socket to be sent */
s = getsockmyaddr(r->local);
if (s == -1)
return -1;
/* resend the packet if needed */
len = sendfromto(s, r->sendbuf->v, r->sendbuf->l,
r->local, r->remote, lcconf->count_persend);
if (len == -1) {
plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
return -1;
}
/* check the retry counter */
r->retry_counter--;
if (r->retry_counter <= 0) {
rem_recvdpkt(r);
del_recvdpkt(r);
plog(LLV_DEBUG, LOCATION, NULL,
"deleted the retransmission packet to %s.\n",
saddr2str(remote));
} else
r->time_send = t;
return 1;
}
/*
* adding a hash of received packet into the received list.
*/
int
add_recvdpkt(remote, local, sbuf, rbuf)
struct sockaddr *remote, *local;
vchar_t *sbuf, *rbuf;
{
struct recvdpkt *new = NULL;
if (lcconf->retry_counter == 0) {
/* no need to add it */
return 0;
}
new = racoon_calloc(1, sizeof(*new));
if (!new) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
return -1;
}
new->hash = eay_md5_one(rbuf);
if (!new->hash) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
del_recvdpkt(new);
return -1;
}
new->remote = dupsaddr(remote);
if (new->remote == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
del_recvdpkt(new);
return -1;
}
new->local = dupsaddr(local);
if (new->local == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
del_recvdpkt(new);
return -1;
}
new->sendbuf = vdup(sbuf);
if (new->sendbuf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
del_recvdpkt(new);
return -1;
}
new->retry_counter = lcconf->retry_counter;
new->time_send = 0;
new->created = time(NULL);
LIST_INSERT_HEAD(&rcptree, new, chain);
return 0;
}
void
del_recvdpkt(r)
struct recvdpkt *r;
{
if (r->remote)
racoon_free(r->remote);
if (r->local)
racoon_free(r->local);
if (r->hash)
vfree(r->hash);
if (r->sendbuf)
vfree(r->sendbuf);
racoon_free(r);
}
void
rem_recvdpkt(r)
struct recvdpkt *r;
{
LIST_REMOVE(r, chain);
}
void
sweep_recvdpkt(dummy)
void *dummy;
{
struct recvdpkt *r, *next;
time_t t, lt;
/* set current time */
t = time(NULL);
/* set the lifetime of the retransmission */
lt = lcconf->retry_counter * lcconf->retry_interval;
for (r = LIST_FIRST(&rcptree); r; r = next) {
next = LIST_NEXT(r, chain);
if (t - r->created > lt) {
rem_recvdpkt(r);
del_recvdpkt(r);
}
}
sched_new(lt, sweep_recvdpkt, NULL);
}
void
init_recvdpkt()
{
time_t lt = lcconf->retry_counter * lcconf->retry_interval;
LIST_INIT(&rcptree);
sched_new(lt, sweep_recvdpkt, NULL);
}
#ifdef ENABLE_HYBRID
/*
* Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
* This should be in isakmp_cfg.c but ph1tree being private, it must be there
*/
int
exclude_cfg_addr(addr)
const struct sockaddr *addr;
{
struct ph1handle *p;
struct sockaddr_in *sin;
LIST_FOREACH(p, &ph1tree, chain) {
if ((p->mode_cfg != NULL) &&
(p->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) &&
(addr->sa_family == AF_INET)) {
sin = (struct sockaddr_in *)addr;
if (sin->sin_addr.s_addr == p->mode_cfg->addr4.s_addr)
return 0;
}
}
return 1;
}
#endif

463
crypto/dist/ipsec-tools/src/racoon/handler.h vendored Normal file
View File

@ -0,0 +1,463 @@
/* $Id: handler.h,v 1.1.1.1 2005/02/12 11:12:01 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _HANDLER_H
#define _HANDLER_H
#include <sys/queue.h>
#include <openssl/rsa.h>
#include <sys/time.h>
#include "isakmp_var.h"
#include "oakley.h"
/* Phase 1 handler */
/*
* main mode:
* initiator responder
* 0 (---) (---)
* 1 start start (1st msg received)
* 2 (---) 1st valid msg received
* 3 1st msg sent 1st msg sent
* 4 1st valid msg received 2st valid msg received
* 5 2nd msg sent 2nd msg sent
* 6 2nd valid msg received 3rd valid msg received
* 7 3rd msg sent 3rd msg sent
* 8 3rd valid msg received (---)
* 9 SA established SA established
*
* aggressive mode:
* initiator responder
* 0 (---) (---)
* 1 start start (1st msg received)
* 2 (---) 1st valid msg received
* 3 1st msg sent 1st msg sent
* 4 1st valid msg received 2st valid msg received
* 5 (---) (---)
* 6 (---) (---)
* 7 (---) (---)
* 8 (---) (---)
* 9 SA established SA established
*
* base mode:
* initiator responder
* 0 (---) (---)
* 1 start start (1st msg received)
* 2 (---) 1st valid msg received
* 3 1st msg sent 1st msg sent
* 4 1st valid msg received 2st valid msg received
* 5 2nd msg sent (---)
* 6 (---) (---)
* 7 (---) (---)
* 8 (---) (---)
* 9 SA established SA established
*/
#define PHASE1ST_SPAWN 0
#define PHASE1ST_START 1
#define PHASE1ST_MSG1RECEIVED 2
#define PHASE1ST_MSG1SENT 3
#define PHASE1ST_MSG2RECEIVED 4
#define PHASE1ST_MSG2SENT 5
#define PHASE1ST_MSG3RECEIVED 6
#define PHASE1ST_MSG3SENT 7
#define PHASE1ST_MSG4RECEIVED 8
#define PHASE1ST_ESTABLISHED 9
#define PHASE1ST_EXPIRED 10
#define PHASE1ST_MAX 11
/* About address semantics in each case.
* initiator(addr=I) responder(addr=R)
* src dst src dst
* (local) (remote) (local) (remote)
* phase 1 handler I R R I
* phase 2 handler I R R I
* getspi msg R I I R
* acquire msg I R
* ID payload I R I R
*/
#ifdef ENABLE_HYBRID
struct isakmp_cfg_state;
#endif
struct ph1handle {
isakmp_index index;
int status; /* status of this SA */
int side; /* INITIATOR or RESPONDER */
struct sockaddr *remote; /* remote address to negosiate ph1 */
struct sockaddr *local; /* local address to negosiate ph1 */
/* XXX copy from rmconf due to anonymous configuration.
* If anonymous will be forbidden, we do delete them. */
struct remoteconf *rmconf; /* pointer to remote configuration */
struct isakmpsa *approval; /* pointer to SA(s) approved. */
vchar_t *authstr; /* place holder of string for auth. */
/* for example pre-shared key */
u_int8_t version; /* ISAKMP version */
u_int8_t etype; /* Exchange type actually for use */
u_int8_t flags; /* Flags */
u_int32_t msgid; /* message id */
struct ph1natt_options *natt_options; /* Selected NAT-T IKE version */
u_int32_t natt_flags; /* NAT-T related flags */
#ifdef ENABLE_FRAG
int frag; /* IKE phase 1 fragmentation */
struct isakmp_frag_item *frag_chain; /* Received fragments */
#endif
struct sched *sce; /* schedule for expire */
struct sched *scr; /* schedule for resend */
int retry_counter; /* for resend. */
vchar_t *sendbuf; /* buffer for re-sending */
vchar_t *dhpriv; /* DH; private value */
vchar_t *dhpub; /* DH; public value */
vchar_t *dhpub_p; /* DH; partner's public value */
vchar_t *dhgxy; /* DH; shared secret */
vchar_t *nonce; /* nonce value */
vchar_t *nonce_p; /* partner's nonce value */
vchar_t *skeyid; /* SKEYID */
vchar_t *skeyid_d; /* SKEYID_d */
vchar_t *skeyid_a; /* SKEYID_a, i.e. hash */
vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */
vchar_t *key; /* cipher key */
vchar_t *hash; /* HASH minus general header */
vchar_t *sig; /* SIG minus general header */
vchar_t *sig_p; /* peer's SIG minus general header */
cert_t *cert; /* CERT minus general header */
cert_t *cert_p; /* peer's CERT minus general header */
cert_t *crl_p; /* peer's CRL minus general header */
cert_t *cr_p; /* peer's CR not including general */
RSA *rsa; /* my RSA key */
RSA *rsa_p; /* peer's RSA key */
struct genlist *rsa_candidates; /* possible candidates for peer's RSA key */
vchar_t *id; /* ID minus gen header */
vchar_t *id_p; /* partner's ID minus general header */
/* i.e. strut ipsecdoi_id_b*. */
struct isakmp_ivm *ivm; /* IVs */
vchar_t *sa; /* whole SA payload to send/to be sent*/
/* to calculate HASH */
/* NOT INCLUDING general header. */
vchar_t *sa_ret; /* SA payload to reply/to be replyed */
/* NOT INCLUDING general header. */
/* NOTE: Should be release after use. */
#ifdef HAVE_GSSAPI
void *gssapi_state; /* GSS-API specific state. */
/* Allocated when needed */
vchar_t *gi_i; /* optional initiator GSS id */
vchar_t *gi_r; /* optional responder GSS id */
#endif
struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */
time_t created; /* timestamp for establish */
#ifdef ENABLE_STATS
struct timeval start;
struct timeval end;
#endif
int dpd_support; /* Does remote supports DPD ? */
time_t dpd_lastack; /* Last ack received */
u_int16_t dpd_seq; /* DPD seq number to receive */
u_int8_t dpd_fails; /* number of failures */
struct sched *dpd_r_u;
u_int32_t msgid2; /* msgid counter for Phase 2 */
int ph2cnt; /* the number which is negotiated by this phase 1 */
LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;
LIST_ENTRY(ph1handle) chain;
#ifdef ENABLE_HYBRID
struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
#endif
};
/* Phase 2 handler */
/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
/*
* initiator responder
* 0 (---) (---)
* 1 start start (1st msg received)
* 2 acquire msg get 1st valid msg received
* 3 getspi request sent getspi request sent
* 4 getspi done getspi done
* 5 1st msg sent 1st msg sent
* 6 1st valid msg received 2nd valid msg received
* 7 (commit bit) (commit bit)
* 8 SAs added SAs added
* 9 SAs established SAs established
* 10 SAs expired SAs expired
*/
#define PHASE2ST_SPAWN 0
#define PHASE2ST_START 1
#define PHASE2ST_STATUS2 2
#define PHASE2ST_GETSPISENT 3
#define PHASE2ST_GETSPIDONE 4
#define PHASE2ST_MSG1SENT 5
#define PHASE2ST_STATUS6 6
#define PHASE2ST_COMMIT 7
#define PHASE2ST_ADDSA 8
#define PHASE2ST_ESTABLISHED 9
#define PHASE2ST_EXPIRED 10
#define PHASE2ST_MAX 11
struct ph2handle {
struct sockaddr *src; /* my address of SA. */
struct sockaddr *dst; /* peer's address of SA. */
/*
* copy ip address from ID payloads when ID type is ip address.
* In other case, they must be null.
*/
struct sockaddr *src_id;
struct sockaddr *dst_id;
u_int32_t spid; /* policy id by kernel */
int status; /* ipsec sa status */
u_int8_t side; /* INITIATOR or RESPONDER */
struct sched *sce; /* schedule for expire */
struct sched *scr; /* schedule for resend */
int retry_counter; /* for resend. */
vchar_t *sendbuf; /* buffer for re-sending */
vchar_t *msg1; /* buffer for re-sending */
/* used for responder's first message */
int retry_checkph1; /* counter to wait phase 1 finished. */
/* NOTE: actually it's timer. */
u_int32_t seq; /* sequence number used by PF_KEY */
/*
* NOTE: In responder side, we can't identify each SAs
* with same destination address for example, when
* socket based SA is required. So we set a identifier
* number to "seq", and sent kernel by pfkey.
*/
u_int8_t satype; /* satype in PF_KEY */
/*
* saved satype in the original PF_KEY request from
* the kernel in order to reply a error.
*/
u_int8_t flags; /* Flags for phase 2 */
u_int32_t msgid; /* msgid for phase 2 */
struct sainfo *sainfo; /* place holder of sainfo */
struct saprop *proposal; /* SA(s) proposal. */
struct saprop *approval; /* SA(s) approved. */
caddr_t spidx_gen; /* policy from peer's proposal */
struct dhgroup *pfsgrp; /* DH; prime number */
vchar_t *dhpriv; /* DH; private value */
vchar_t *dhpub; /* DH; public value */
vchar_t *dhpub_p; /* DH; partner's public value */
vchar_t *dhgxy; /* DH; shared secret */
vchar_t *id; /* ID minus gen header */
vchar_t *id_p; /* peer's ID minus general header */
vchar_t *nonce; /* nonce value in phase 2 */
vchar_t *nonce_p; /* partner's nonce value in phase 2 */
vchar_t *sa; /* whole SA payload to send/to be sent*/
/* to calculate HASH */
/* NOT INCLUDING general header. */
vchar_t *sa_ret; /* SA payload to reply/to be replyed */
/* NOT INCLUDING general header. */
/* NOTE: Should be release after use. */
struct isakmp_ivm *ivm; /* IVs */
#ifdef ENABLE_STATS
struct timeval start;
struct timeval end;
#endif
struct ph1handle *ph1; /* back pointer to isakmp status */
LIST_ENTRY(ph2handle) chain;
LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */
};
/*
* for handling initial contact.
*/
struct contacted {
struct sockaddr *remote; /* remote address to negosiate ph1 */
LIST_ENTRY(contacted) chain;
};
/*
* for checking a packet retransmited.
*/
struct recvdpkt {
struct sockaddr *remote; /* the remote address */
struct sockaddr *local; /* the local address */
vchar_t *hash; /* hash of the received packet */
vchar_t *sendbuf; /* buffer for the response */
int retry_counter; /* how many times to send */
time_t time_send; /* timestamp to send a packet */
time_t created; /* timestamp to create a queue */
struct sched *scr; /* schedule for resend, may not used */
LIST_ENTRY(recvdpkt) chain;
};
/* for parsing ISAKMP header. */
struct isakmp_parse_t {
u_char type; /* payload type of mine */
int len; /* ntohs(ptr->len) */
struct isakmp_gen *ptr;
};
/*
* for IV management.
*
* - normal case
* initiator responder
* ------------------------- --------------------------
* initialize iv(A), ive(A). initialize iv(A), ive(A).
* encode by ive(A).
* save to iv(B). ---[packet(B)]--> save to ive(B).
* decode by iv(A).
* packet consistency.
* sync iv(B) with ive(B).
* check auth, integrity.
* encode by ive(B).
* save to ive(C). <--[packet(C)]--- save to iv(C).
* decoded by iv(B).
* :
*
* - In the case that a error is found while cipher processing,
* initiator responder
* ------------------------- --------------------------
* initialize iv(A), ive(A). initialize iv(A), ive(A).
* encode by ive(A).
* save to iv(B). ---[packet(B)]--> save to ive(B).
* decode by iv(A).
* packet consistency.
* sync iv(B) with ive(B).
* check auth, integrity.
* error found.
* create notify.
* get ive2(X) from iv(B).
* encode by ive2(X).
* get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
* save to ive2(Y).
* decoded by iv2(X).
* :
*
* The reason why the responder synchronizes iv with ive after checking the
* packet consistency is that it is required to leave the IV for decoding
* packet. Because there is a potential of error while checking the packet
* consistency. Also the reason why that is before authentication and
* integirty check is that the IV for informational exchange has to be made
* by the IV which is after packet decoded and checking the packet consistency.
* Otherwise IV mismatched happens between the intitiator and the responder.
*/
struct isakmp_ivm {
vchar_t *iv; /* for decoding packet */
/* if phase 1, it's for computing phase2 iv */
vchar_t *ive; /* for encoding packet */
};
/* for dumping */
struct ph1dump {
isakmp_index index;
int status;
int side;
struct sockaddr_storage remote;
struct sockaddr_storage local;
u_int8_t version;
u_int8_t etype;
time_t created;
int ph2cnt;
};
struct sockaddr;
struct ph1handle;
struct ph2handle;
struct policyindex;
extern struct ph1handle *getph1byindex __P((isakmp_index *));
extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
struct sockaddr *));
extern struct ph1handle *getph1bydstaddr __P((struct sockaddr *));
extern vchar_t *dumpph1 __P((void));
extern struct ph1handle *newph1 __P((void));
extern void delph1 __P((struct ph1handle *));
extern int insph1 __P((struct ph1handle *));
extern void remph1 __P((struct ph1handle *));
extern void flushph1 __P((void));
extern void initph1tree __P((void));
extern struct ph2handle *getph2byspidx __P((struct policyindex *));
extern struct ph2handle *getph2byspid __P((u_int32_t));
extern struct ph2handle *getph2byseq __P((u_int32_t));
extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
struct sockaddr *, u_int, u_int32_t));
extern struct ph2handle *newph2 __P((void));
extern void initph2 __P((struct ph2handle *));
extern void delph2 __P((struct ph2handle *));
extern int insph2 __P((struct ph2handle *));
extern void remph2 __P((struct ph2handle *));
extern void flushph2 __P((void));
extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
extern void initph2tree __P((void));
extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
extern void unbindph12 __P((struct ph2handle *));
extern struct contacted *getcontacted __P((struct sockaddr *));
extern int inscontacted __P((struct sockaddr *));
extern void initctdtree __P((void));
extern int check_recvdpkt __P((struct sockaddr *,
struct sockaddr *, vchar_t *));
extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
vchar_t *, vchar_t *));
extern void init_recvdpkt __P((void));
#ifdef ENABLE_HYBRID
extern int exclude_cfg_addr __P((const struct sockaddr *));
#endif
#endif /* _HANDLER_H */

4207
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

227
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h vendored Normal file
View File

@ -0,0 +1,227 @@
/* $Id: ipsec_doi.h,v 1.1.1.1 2005/02/12 11:12:10 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _IPSEC_DOI_H
#define _IPSEC_DOI_H
/* refered to RFC2407 */
#define IPSEC_DOI 1
/* 4.2 IPSEC Situation Definition */
#define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
#define IPSECDOI_SIT_SECRECY 0x00000002
#define IPSECDOI_SIT_INTEGRITY 0x00000004
/* 4.4.1 IPSEC Security Protocol Identifiers */
/* 4.4.2 IPSEC ISAKMP Transform Values */
#define IPSECDOI_PROTO_ISAKMP 1
#define IPSECDOI_KEY_IKE 1
/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_AH 2
/* 4.4.3 IPSEC AH Transform Values */
#define IPSECDOI_AH_MD5 2
#define IPSECDOI_AH_SHA 3
#define IPSECDOI_AH_DES 4
#define IPSECDOI_AH_SHA2_256 5
#define IPSECDOI_AH_SHA2_384 6
#define IPSECDOI_AH_SHA2_512 7
/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_ESP 3
/* 4.4.4 IPSEC ESP Transform Identifiers */
#define IPSECDOI_ESP_DES_IV64 1
#define IPSECDOI_ESP_DES 2
#define IPSECDOI_ESP_3DES 3
#define IPSECDOI_ESP_RC5 4
#define IPSECDOI_ESP_IDEA 5
#define IPSECDOI_ESP_CAST 6
#define IPSECDOI_ESP_BLOWFISH 7
#define IPSECDOI_ESP_3IDEA 8
#define IPSECDOI_ESP_DES_IV32 9
#define IPSECDOI_ESP_RC4 10
#define IPSECDOI_ESP_NULL 11
#define IPSECDOI_ESP_AES 12
#if 1
/* draft-ietf-ipsec-ciph-aes-cbc-00.txt */
#define IPSECDOI_ESP_TWOFISH 253
#else
/* SSH uses these value for now */
#define IPSECDOI_ESP_TWOFISH 250
#endif
/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPCOMP 4
/* 4.4.5 IPSEC IPCOMP Transform Identifiers */
#define IPSECDOI_IPCOMP_OUI 1
#define IPSECDOI_IPCOMP_DEFLATE 2
#define IPSECDOI_IPCOMP_LZS 3
/* 4.5 IPSEC Security Association Attributes */
/* NOTE: default value is not included in a packet. */
#define IPSECDOI_ATTR_SA_LD_TYPE 1 /* B */
#define IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT 1
#define IPSECDOI_ATTR_SA_LD_TYPE_SEC 1
#define IPSECDOI_ATTR_SA_LD_TYPE_KB 2
#define IPSECDOI_ATTR_SA_LD_TYPE_MAX 3
#define IPSECDOI_ATTR_SA_LD 2 /* V */
#define IPSECDOI_ATTR_SA_LD_SEC_DEFAULT 28800 /* 8 hours */
#define IPSECDOI_ATTR_SA_LD_KB_MAX (~(1 << ((sizeof(int) << 3) - 1)))
#define IPSECDOI_ATTR_GRP_DESC 3 /* B */
#define IPSECDOI_ATTR_ENC_MODE 4 /* B */
/* default value: host dependent */
#define IPSECDOI_ATTR_ENC_MODE_ANY 0 /* NOTE:internal use */
#define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
#define IPSECDOI_ATTR_ENC_MODE_TRNS 2
/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */
#define IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC 3
#define IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC 4
/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */
#define IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT 61443
#define IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT 61444
#define IPSECDOI_ATTR_AUTH 5 /* B */
/* 0 means not to use authentication. */
#define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
#define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
#define IPSECDOI_ATTR_AUTH_DES_MAC 3
#define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
#define IPSECDOI_ATTR_SHA2_256 5
#define IPSECDOI_ATTR_SHA2_384 6
#define IPSECDOI_ATTR_SHA2_512 7
#define IPSECDOI_ATTR_AUTH_NONE 254 /* NOTE:internal use */
/*
* When negotiating ESP without authentication, the Auth
* Algorithm attribute MUST NOT be included in the proposal.
* When negotiating ESP without confidentiality, the Auth
* Algorithm attribute MUST be included in the proposal and
* the ESP transform ID must be ESP_NULL.
*/
#define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
#define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
#define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
#define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
/* 4.6.1 Security Association Payload */
struct ipsecdoi_pl_sa {
struct isakmp_gen h;
struct ipsecdoi_sa_b {
u_int32_t doi; /* Domain of Interpretation */
u_int32_t sit; /* Situation */
} b;
/* followed by Leveled Domain Identifier and so on. */
} __attribute__((__packed__));
struct ipsecdoi_secrecy_h {
u_int16_t len;
u_int16_t reserved;
/* followed by the value */
} __attribute__((__packed__));
/* 4.6.2 Identification Payload Content */
struct ipsecdoi_pl_id {
struct isakmp_gen h;
struct ipsecdoi_id_b {
u_int8_t type; /* ID Type */
u_int8_t proto_id; /* Protocol ID */
u_int16_t port; /* Port */
} b;
/* followed by Identification Data */
} __attribute__((__packed__));
#define IPSECDOI_ID_IPV4_ADDR 1
#define IPSECDOI_ID_FQDN 2
#define IPSECDOI_ID_USER_FQDN 3
#define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
#define IPSECDOI_ID_IPV6_ADDR 5
#define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
#define IPSECDOI_ID_IPV4_ADDR_RANGE 7
#define IPSECDOI_ID_IPV6_ADDR_RANGE 8
#define IPSECDOI_ID_DER_ASN1_DN 9
#define IPSECDOI_ID_DER_ASN1_GN 10
#define IPSECDOI_ID_KEY_ID 11
/* compressing doi type, it's internal use. */
#define IDTYPE_UNDEFINED 0
#define IDTYPE_FQDN 1
#define IDTYPE_USERFQDN 2
#define IDTYPE_KEYID 3
#define IDTYPE_ADDRESS 4
#define IDTYPE_ASN1DN 5
#define IDTYPE_LOGIN 6
/* The use for checking proposal payload. This is not exchange type. */
#define IPSECDOI_TYPE_PH1 0
#define IPSECDOI_TYPE_PH2 1
struct isakmpsa;
struct ipsecdoi_pl_sa;
struct saprop;
struct saproto;
struct satrns;
struct prop_pair;
extern int ipsecdoi_checkph1proposal __P((vchar_t *, struct ph1handle *));
extern int ipsecdoi_selectph2proposal __P((struct ph2handle *));
extern int ipsecdoi_checkph2proposal __P((struct ph2handle *));
extern struct prop_pair **get_proppair __P((vchar_t *, int));
extern vchar_t *get_sabyproppair __P((struct prop_pair *, struct ph1handle *));
extern int ipsecdoi_updatespi __P((struct ph2handle *iph2));
extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *));
extern int ipsecdoi_checkid1 __P((struct ph1handle *));
extern int ipsecdoi_setid1 __P((struct ph1handle *));
extern int set_identifier __P((vchar_t **, int, vchar_t *));
extern int ipsecdoi_setid2 __P((struct ph2handle *));
extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
u_int8_t *, u_int16_t *));
extern const char *ipsecdoi_id2str __P((const vchar_t *));
extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *));
extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
extern int ipsecdoi_transportmode __P((struct saprop *));
extern int ipsecdoi_get_defaultlifetime __P((void));
extern int ipsecdoi_checkalgtypes __P((int, int, int, int));
extern int ipproto2doi __P((int));
extern int doi2ipproto __P((int));
extern int ipsecdoi_t2satrns __P((struct isakmp_pl_t *,
struct saprop *, struct saproto *, struct satrns *));
extern int ipsecdoi_authalg2trnsid __P((int));
extern int idtype2doi __P((int));
extern int doi2idtype __P((int));
#endif /* _IPSEC_DOI_H */

2963
crypto/dist/ipsec-tools/src/racoon/isakmp.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

425
crypto/dist/ipsec-tools/src/racoon/isakmp.h vendored Normal file
View File

@ -0,0 +1,425 @@
/* $Id: isakmp.h,v 1.1.1.1 2005/02/12 11:12:15 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _ISAKMP_H
#define _ISAKMP_H
/* refer to RFC 2408 */
/* must include <netinet/in.h> first. */
/* must include "isakmp_var.h" first. */
#define INITIATOR 0 /* synonym sender */
#define RESPONDER 1 /* synonym receiver */
#define GENERATE 1
#define VALIDATE 0
/* 3.1 ISAKMP Header Format
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Initiator !
! Cookie !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Responder !
! Cookie !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Message ID !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp {
cookie_t i_ck; /* Initiator Cookie */
cookie_t r_ck; /* Responder Cookie */
u_int8_t np; /* Next Payload Type */
u_int8_t v;
u_int8_t etype; /* Exchange Type */
u_int8_t flags; /* Flags */
u_int32_t msgid;
u_int32_t len; /* Length */
} __attribute__((__packed__));
/* Next Payload Type */
#define ISAKMP_NPTYPE_NONE 0 /* NONE*/
#define ISAKMP_NPTYPE_SA 1 /* Security Association */
#define ISAKMP_NPTYPE_P 2 /* Proposal */
#define ISAKMP_NPTYPE_T 3 /* Transform */
#define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
#define ISAKMP_NPTYPE_ID 5 /* Identification */
#define ISAKMP_NPTYPE_CERT 6 /* Certificate */
#define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
#define ISAKMP_NPTYPE_HASH 8 /* Hash */
#define ISAKMP_NPTYPE_SIG 9 /* Signature */
#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
#define ISAKMP_NPTYPE_N 11 /* Notification */
#define ISAKMP_NPTYPE_D 12 /* Delete */
#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
#define ISAKMP_NPTYPE_ATTR 14 /* Attribute */
/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */
/* XXX conflicts with values assigned to RFC 3547 */
#define ISAKMP_NPTYPE_NATD_BADDRAFT 15 /* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_BADDRAFT 16 /* NAT Original Address */
/* NAT-T RFC */
#define ISAKMP_NPTYPE_NATD_RFC 20 /* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_RFC 21 /* NAT Original Address */
/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */
#define ISAKMP_NPTYPE_NATD_DRAFT 130 /* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_DRAFT 131 /* NAT Original Address */
/* Frag does not seems to be documented */
#define ISAKMP_NPTYPE_FRAG 132 /* IKE fragmentation payload */
#define ISAKMP_NPTYPE_MAX 17
/* 128 - 255 Private Use */
/*
* The following are valid when the Vendor ID is one of the
* following:
*
* MD5("A GSS-API Authentication Method for IKE")
* MD5("GSSAPI") (recognized by Windows 2000)
* MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
*
* See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
*/
#define ISAKMP_NPTYPE_GSS 129 /* GSS token */
#define ISAKMP_MAJOR_VERSION 1
#define ISAKMP_MINOR_VERSION 0
#define ISAKMP_VERSION_NUMBER 0x10
#define ISAKMP_GETMAJORV(v) (((v) & 0xf0) >> 4)
#define ISAKMP_SETMAJORV(v, m) ((v) = ((v) & 0x0f) | (((m) << 4) & 0xf0))
#define ISAKMP_GETMINORV(v) ((v) & 0x0f)
#define ISAKMP_SETMINORV(v, m) ((v) = ((v) & 0xf0) | ((m) & 0x0f))
/* Exchange Type */
#define ISAKMP_ETYPE_NONE 0 /* NONE */
#define ISAKMP_ETYPE_BASE 1 /* Base */
#define ISAKMP_ETYPE_IDENT 2 /* Identity Proteciton */
#define ISAKMP_ETYPE_AUTH 3 /* Authentication Only */
#define ISAKMP_ETYPE_AGG 4 /* Aggressive */
#define ISAKMP_ETYPE_INFO 5 /* Informational */
#define ISAKMP_ETYPE_CFG 6 /* Mode config */
/* Additional Exchange Type */
#define ISAKMP_ETYPE_QUICK 32 /* Quick Mode */
#define ISAKMP_ETYPE_NEWGRP 33 /* New group Mode */
#define ISAKMP_ETYPE_ACKINFO 34 /* Acknowledged Informational */
/* Flags */
#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */
/* 3.2 Payload Generic Header
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_gen {
u_int8_t np; /* Next Payload */
u_int8_t reserved; /* RESERVED, unused, must set to 0 */
u_int16_t len; /* Payload Length */
} __attribute__((__packed__));
/* 3.3 Data Attributes
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!A! Attribute Type ! AF=0 Attribute Length !
!F! ! AF=1 Attribute Value !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. AF=0 Attribute Value .
. AF=1 Not Transmitted .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_data {
u_int16_t type; /* defined by DOI-spec, and Attribute Format */
u_int16_t lorv; /* if f equal 1, Attribute Length */
/* if f equal 0, Attribute Value */
/* if f equal 1, Attribute Value */
} __attribute__((__packed__));
#define ISAKMP_GEN_TLV 0x0000
#define ISAKMP_GEN_TV 0x8000
/* mask for type of attribute format */
#define ISAKMP_GEN_MASK 0x8000
#if 0
/* MAY NOT be used, because of being defined in ipsec-doi. */
/* 3.4 Security Association Payload */
struct isakmp_pl_sa {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int32_t sit; /* Situation */
} __attribute__((__packed__));
#endif
/* 3.5 Proposal Payload */
/*
The value of the next payload field MUST only contain the value "2"
or "0". If there are additional Proposal payloads in the message,
then this field will be 2. If the current Proposal payload is the
last within the security association proposal, then this field will
be 0.
*/
struct isakmp_pl_p {
struct isakmp_gen h;
u_int8_t p_no; /* Proposal # */
u_int8_t proto_id; /* Protocol */
u_int8_t spi_size; /* SPI Size */
u_int8_t num_t; /* Number of Transforms */
/* SPI */
} __attribute__((__packed__));
/* 3.6 Transform Payload */
/*
The value of the next payload field MUST only contain the value "3"
or "0". If there are additional Transform payloads in the proposal,
then this field will be 3. If the current Transform payload is the
last within the proposal, then this field will be 0.
*/
struct isakmp_pl_t {
struct isakmp_gen h;
u_int8_t t_no; /* Transform # */
u_int8_t t_id; /* Transform-Id */
u_int16_t reserved; /* RESERVED2 */
/* SA Attributes */
} __attribute__((__packed__));
/* 3.7 Key Exchange Payload */
struct isakmp_pl_ke {
struct isakmp_gen h;
/* Key Exchange Data */
} __attribute__((__packed__));
#if 0
/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
/* 3.8 Identification Payload */
struct isakmp_pl_id {
struct isakmp_gen h;
union {
u_int8_t id_type; /* ID Type */
u_int32_t doi_data; /* DOI Specific ID Data */
} d;
/* Identification Data */
} __attribute__((__packed__));
/* A.4 ISAKMP Identification Type Values */
#define ISAKMP_ID_IPV4_ADDR 0
#define ISAKMP_ID_IPV4_ADDR_SUBNET 1
#define ISAKMP_ID_IPV6_ADDR 2
#define ISAKMP_ID_IPV6_ADDR_SUBNET 3
#endif
/* 3.9 Certificate Payload */
struct isakmp_pl_cert {
struct isakmp_gen h;
/*
* Encoding type of 1 octet follows immediately,
* variable length CERT data follows encoding type.
*/
} __attribute__((__packed__));
/* Certificate Type */
#define ISAKMP_CERT_NONE 0
#define ISAKMP_CERT_PKCS7 1
#define ISAKMP_CERT_PGP 2
#define ISAKMP_CERT_DNS 3
#define ISAKMP_CERT_X509SIGN 4
#define ISAKMP_CERT_X509KE 5
#define ISAKMP_CERT_KERBEROS 6
#define ISAKMP_CERT_CRL 7
#define ISAKMP_CERT_ARL 8
#define ISAKMP_CERT_SPKI 9
#define ISAKMP_CERT_X509ATTR 10
#define ISAKMP_CERT_PLAINRSA 11
/* the method to get peers certificate */
#define ISAKMP_GETCERT_PAYLOAD 1
#define ISAKMP_GETCERT_LOCALFILE 2
#define ISAKMP_GETCERT_DNS 3
/* 3.10 Certificate Request Payload */
struct isakmp_pl_cr {
struct isakmp_gen h;
u_int8_t num_cert; /* # Cert. Types */
/*
Certificate Types (variable length)
-- Contains a list of the types of certificates requested,
sorted in order of preference. Each individual certificate
type is 1 octet. This field is NOT required.
*/
/* # Certificate Authorities (1 octet) */
/* Certificate Authorities (variable length) */
} __attribute__((__packed__));
/* 3.11 Hash Payload */
struct isakmp_pl_hash {
struct isakmp_gen h;
/* Hash Data */
} __attribute__((__packed__));
/* 3.12 Signature Payload */
struct isakmp_pl_sig {
struct isakmp_gen h;
/* Signature Data */
} __attribute__((__packed__));
/* 3.13 Nonce Payload */
struct isakmp_pl_nonce {
struct isakmp_gen h;
/* Nonce Data */
} __attribute__((__packed__));
/* 3.14 Notification Payload */
struct isakmp_pl_n {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int8_t proto_id; /* Protocol-ID */
u_int8_t spi_size; /* SPI Size */
u_int16_t type; /* Notify Message Type */
/* SPI */
/* Notification Data */
} __attribute__((__packed__));
/* 3.14.1 Notify Message Types */
/* NOTIFY MESSAGES - ERROR TYPES */
#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
#define ISAKMP_NTYPE_INVALID_COOKIE 4
#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
#define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
#define ISAKMP_NTYPE_INVALID_FLAGS 8
#define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
#define ISAKMP_NTYPE_INVALID_SPI 11
#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
#define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
#define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
#define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
#define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
#define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
#define ISAKMP_NTYPE_INVALID_SIGNATURE 25
#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME 27
#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE 28
#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE 29
#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS 30
/* NOTIFY MESSAGES - STATUS TYPES */
#define ISAKMP_NTYPE_CONNECTED 16384
/* 4.6.3 IPSEC DOI Notify Message Types */
#define ISAKMP_NTYPE_RESPONDER_LIFETIME 24576
#define ISAKMP_NTYPE_REPLAY_STATUS 24577
#define ISAKMP_NTYPE_INITIAL_CONTACT 24578
/* DPD */
#define ISAKMP_NTYPE_R_U_THERE 36136
#define ISAKMP_NTYPE_R_U_THERE_ACK 36137
#define ISAKMP_NTYPE_HEARTBEAT 40503
/* using only to log */
#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
/* XXX means internal error but it's not reserved by any drafts... */
#define ISAKMP_INTERNAL_ERROR -1
/* 3.15 Delete Payload */
struct isakmp_pl_d {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int8_t proto_id; /* Protocol-Id */
u_int8_t spi_size; /* SPI Size */
u_int16_t num_spi; /* # of SPIs */
/* SPI(es) */
} __attribute__((__packed__));
struct payload_list {
struct payload_list *next, *prev;
vchar_t *payload;
int payload_type;
};
/* See draft-ietf-ipsec-isakmp-mode-cfg-04.txt, 3.2 */
struct isakmp_pl_attr {
struct isakmp_gen h;
u_int8_t type; /* Exchange type */
u_int8_t res2;
u_int16_t id; /* Per transaction id */
} __attribute__((__packed__));
/* Exchange type */
#define ISAKMP_CFG_REQUEST 1
#define ISAKMP_CFG_REPLY 2
#define ISAKMP_CFG_SET 3
#define ISAKMP_CFG_ACK 4
/* IKE fragmentation payload */
struct isakmp_frag {
u_int16_t unknown0; /* always set to zero? */
u_int16_t len;
u_int16_t unknown1; /* always set to 1? */
u_int8_t index;
u_int8_t flags;
} __attribute__((__packed__));
/* flags */
#define ISAKMP_FRAG_LAST 1
/* DPD R-U-THERE / R-U-THERE-ACK Payload */
struct isakmp_pl_ru {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int8_t proto_id; /* Protocol-Id */
u_int8_t spi_size; /* SPI Size */
u_int16_t type; /* Notify type */
cookie_t i_ck; /* Initiator Cookie */
cookie_t r_ck; /* Responder cookie*/
u_int32_t data; /* Notification data */
} __attribute__((__packed__));
#endif /* _ISAKMP_H */

1445
crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

44
crypto/dist/ipsec-tools/src/racoon/isakmp_agg.h vendored Normal file
View File

@ -0,0 +1,44 @@
/* $Id: isakmp_agg.h,v 1.1.1.1 2005/02/12 11:12:17 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _ISAKMP_AGG_H
#define _ISAKMP_AGG_H
extern int agg_i1send __P((struct ph1handle *, vchar_t *));
extern int agg_i2recv __P((struct ph1handle *, vchar_t *));
extern int agg_i2send __P((struct ph1handle *, vchar_t *));
extern int agg_r1recv __P((struct ph1handle *, vchar_t *));
extern int agg_r1send __P((struct ph1handle *, vchar_t *));
extern int agg_r2recv __P((struct ph1handle *, vchar_t *));
extern int agg_r2send __P((struct ph1handle *, vchar_t *));
#endif /* _ISAKMP_AGG_H */

1189
crypto/dist/ipsec-tools/src/racoon/isakmp_base.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

46
crypto/dist/ipsec-tools/src/racoon/isakmp_base.h vendored Normal file
View File

@ -0,0 +1,46 @@
/* $Id: isakmp_base.h,v 1.1.1.1 2005/02/12 11:12:17 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _ISAKMP_BASE_H
#define _ISAKMP_BASE_H
extern int base_i1send __P((struct ph1handle *, vchar_t *));
extern int base_i2recv __P((struct ph1handle *, vchar_t *));
extern int base_i2send __P((struct ph1handle *, vchar_t *));
extern int base_i3recv __P((struct ph1handle *, vchar_t *));
extern int base_i3send __P((struct ph1handle *, vchar_t *));
extern int base_r1recv __P((struct ph1handle *, vchar_t *));
extern int base_r1send __P((struct ph1handle *, vchar_t *));
extern int base_r2recv __P((struct ph1handle *, vchar_t *));
extern int base_r2send __P((struct ph1handle *, vchar_t *));
#endif /* _ISAKMP_BASE_H */

1575
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

169
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.h vendored Normal file
View File

@ -0,0 +1,169 @@
/* $KAME$ */
/*
* Copyright (C) 2004 Emmanuel Dreyfus
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_LIBPAM
#include <security/pam_appl.h>
#endif
/*
* XXX don't forget to update
* src/racoon/handler.c:exclude_cfg_addr()
* if you add IPv6 capability
*/
/* Attribute types */
#define INTERNAL_IP4_ADDRESS 1
#define INTERNAL_IP4_NETMASK 2
#define INTERNAL_IP4_DNS 3
#define INTERNAL_IP4_NBNS 4
#define INTERNAL_ADDRESS_EXPIRY 5
#define INTERNAL_IP4_DHCP 6
#define APPLICATION_VERSION 7
#define INTERNAL_IP6_ADDRESS 8
#define INTERNAL_IP6_NETMASK 9
#define INTERNAL_IP6_DNS 10
#define INTERNAL_IP6_NBNS 11
#define INTERNAL_IP6_DHCP 12
#define INTERNAL_IP4_SUBNET 13
#define SUPPORTED_ATTRIBUTES 14
#define INTERNAL_IP6_SUBNET 15
/* For APPLICATION_VERSION */
#define ISAKMP_CFG_RACOON_VERSION "KAME/racoon " \
"+ Hybrid auth Patches <manu@netbsd.org>"
/*
* Global configuration for ISAKMP mode confiration address allocation
* Readen from the mode_cfg section of racoon.conf
*/
struct isakmp_cfg_port {
char used;
#ifdef HAVE_LIBPAM
pam_handle_t *pam;
#endif
};
struct isakmp_cfg_config {
in_addr_t network4;
in_addr_t netmask4;
in_addr_t dns4;
in_addr_t nbns4;
struct isakmp_cfg_port *port_pool;
int authsource;
int confsource;
int accounting;
size_t pool_size;
int auth_throttle;
char motd[MAXPATHLEN + 1];
};
/* For authsource */
#define ISAKMP_CFG_AUTH_SYSTEM 0
#define ISAKMP_CFG_AUTH_RADIUS 1
#define ISAKMP_CFG_AUTH_PAM 2
/* For confsource */
#define ISAKMP_CFG_CONF_LOCAL 0
#define ISAKMP_CFG_CONF_RADIUS 1
/* For accounting */
#define ISAKMP_CFG_ACCT_NONE 0
#define ISAKMP_CFG_ACCT_RADIUS 1
#define ISAKMP_CFG_ACCT_PAM 2
/* For pool_size */
#define ISAKMP_CFG_MAX_CNX 255
/* For motd */
#define ISAKMP_CFG_MOTD "/etc/motd"
extern struct isakmp_cfg_config isakmp_cfg_config;
/*
* ISAKMP mode config state
*/
#define LOGINLEN 31
struct isakmp_cfg_state {
int flags; /* See below */
unsigned int port; /* address index */
char login[LOGINLEN + 1]; /* login */
struct in_addr addr4; /* IPv4 address */
struct in_addr mask4; /* IPv4 netmask */
struct in_addr dns4; /* IPv4 DNS (when client only) */
struct in_addr wins4; /* IPv4 WINS (when client only) */
struct xauth_state xauth; /* Xauth state, if revelant */
struct isakmp_ivm *ivm; /* XXX Use iph1's ivm? */
};
/* flags */
#define ISAKMP_CFG_VENDORID_XAUTH 0x01 /* Supports Xauth */
#define ISAKMP_CFG_VENDORID_UNITY 0x02 /* Cisco Unity compliant */
#define ISAKMP_CFG_PORT_ALLOCATED 0x04 /* Port allocated */
#define ISAKMP_CFG_ADDR4_RADIUS 0x08 /* Address from RADIUS */
#define ISAKMP_CFG_MASK4_RADIUS 0x10 /* Netmask from RADIUS */
#define ISAKMP_CFG_ADDR4_LOCAL 0x20 /* Address from local pool */
#define ISAKMP_CFG_MASK4_LOCAL 0x40 /* Netmask from local pool */
#define ISAKMP_CFG_GOT_ADDR4 0x80 /* Client got address */
#define ISAKMP_CFG_GOT_MASK4 0x100 /* Client got mask */
#define ISAKMP_CFG_GOT_DNS4 0x200 /* Client got DNS */
#define ISAKMP_CFG_GOT_WINS4 0x400 /* Client got WINS */
#define ISAKMP_CFG_DELETE_PH1 0x800 /* phase 1 should be deleted */
struct isakmp_pl_attr;
struct ph1handle;
struct isakmp_ivm;
void isakmp_cfg_r(struct ph1handle *, vchar_t *);
int isakmp_cfg_attr_r(struct ph1handle *, u_int32_t, struct isakmp_pl_attr *);
int isakmp_cfg_reply(struct ph1handle *, struct isakmp_pl_attr *);
int isakmp_cfg_request(struct ph1handle *, struct isakmp_pl_attr *);
int isakmp_cfg_set(struct ph1handle *, struct isakmp_pl_attr *);
int isakmp_cfg_send(struct ph1handle *, vchar_t *, u_int32_t, int, int);
struct isakmp_ivm *isakmp_cfg_newiv(struct ph1handle *, u_int32_t);
void isakmp_cfg_rmstate(struct ph1handle *);
struct isakmp_cfg_state *isakmp_cfg_mkstate(void);
vchar_t *isakmp_cfg_copy(struct ph1handle *, struct isakmp_data *);
vchar_t *isakmp_cfg_short(struct ph1handle *, struct isakmp_data *, int);
vchar_t *isakmp_cfg_string(struct ph1handle *, struct isakmp_data *, char *);
int isakmp_cfg_getconfig(struct ph1handle *);
int isakmp_cfg_setenv(struct ph1handle *, char ***, int *);
int isakmp_cfg_getport(struct ph1handle *);
int isakmp_cfg_putport(struct ph1handle *, unsigned int);
#ifdef HAVE_LIBRADIUS
struct rad_handle;
int isakmp_cfg_radius_common(struct rad_handle *, int);
#endif
#ifdef HAVE_LIBPAM
int isakmp_cfg_accounting_pam(int, int);
void cleanup_pam(int);
#endif

353
crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c vendored Normal file
View File

@ -0,0 +1,353 @@
/* $Id: isakmp_frag.c,v 1.1.1.1 2005/02/12 11:12:20 manu Exp $ */
/*
* Copyright (C) 2004 Emmanuel Dreyfus
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <openssl/md5.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>
#else
# if HAVE_SYS_TIME_H
# include <sys/time.h>
# else
# include <time.h>
# endif
#endif
#include <netdb.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <ctype.h>
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "schedule.h"
#include "debug.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "handler.h"
#include "isakmp_frag.h"
#include "strnames.h"
int
isakmp_sendfrags(iph1, buf)
struct ph1handle *iph1;
vchar_t *buf;
{
struct isakmp *hdr;
struct isakmp_frag *fraghdr;
caddr_t data;
caddr_t sdata;
size_t datalen;
size_t max_datalen;
size_t fraglen;
vchar_t *frag;
unsigned int trailer;
unsigned int fragnum = 0;
size_t len;
int etype;
/*
* Catch the exchange type for later: the fragments and the
* fragmented packet must have the same exchange type.
*/
hdr = (struct isakmp *)buf->v;
etype = hdr->etype;
/*
* We want to send a a packet smaller than ISAKMP_FRAG_MAXLEN
* First compute the maximum data length that will fit in it
*/
max_datalen = ISAKMP_FRAG_MAXLEN -
(sizeof(*hdr) + sizeof(*fraghdr) + sizeof(trailer));
sdata = buf->v;
len = buf->l;
while (len > 0) {
fragnum++;
if (len > max_datalen)
datalen = max_datalen;
else
datalen = len;
fraglen = sizeof(*hdr)
+ sizeof(*fraghdr)
+ datalen;
if ((frag = vmalloc(fraglen)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"Cannot allocate memory\n");
return -1;
}
set_isakmp_header1(frag, iph1, ISAKMP_NPTYPE_FRAG);
hdr = (struct isakmp *)frag->v;
hdr->etype = etype;
fraghdr = (struct isakmp_frag *)(hdr + 1);
fraghdr->unknown0 = htons(0);
fraghdr->len = htons(fraglen - sizeof(*hdr));
fraghdr->unknown1 = htons(1);
fraghdr->index = fragnum;
if (len == datalen)
fraghdr->flags = ISAKMP_FRAG_LAST;
else
fraghdr->flags = 0;
data = (caddr_t)(fraghdr + 1);
memcpy(data, sdata, datalen);
if (isakmp_send(iph1, frag) < 0) {
plog(LLV_ERROR, LOCATION, NULL, "isakmp_send failed\n");
return -1;
}
vfree(frag);
len -= datalen;
sdata += datalen;
}
return fragnum;
}
unsigned int
vendorid_frag_cap(gen)
struct isakmp_gen *gen;
{
int *hp;
hp = (int *)(gen + 1);
return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
}
int
isakmp_frag_extract(iph1, msg)
struct ph1handle *iph1;
vchar_t *msg;
{
struct isakmp *isakmp;
struct isakmp_frag *frag;
struct isakmp_frag_item *item;
vchar_t *buf;
size_t len;
int last_frag = 0;
char *data;
int i;
if (msg->l < sizeof(*isakmp) + sizeof(*frag)) {
plog(LLV_ERROR, LOCATION, NULL, "Message too short\n");
return -1;
}
isakmp = (struct isakmp *)msg->v;
frag = (struct isakmp_frag *)(isakmp + 1);
/*
* frag->len is the frag payload data plus the frag payload header,
* whose size is sizeof(*frag)
*/
if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
return -1;
}
if ((buf = vmalloc(ntohs(frag->len) - sizeof(*frag))) == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
return -1;
}
if ((item = racoon_malloc(sizeof(*item))) == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
vfree(buf);
return -1;
}
data = (char *)(frag + 1);
memcpy(buf->v, data, buf->l);
item->frag_num = frag->index;
item->frag_last = (frag->flags & ISAKMP_FRAG_LAST);
item->frag_next = NULL;
item->frag_packet = buf;
/* Look for the last frag while inserting the new item in the chain */
if (item->frag_last)
last_frag = item->frag_num;
if (iph1->frag_chain == NULL) {
iph1->frag_chain = item;
} else {
struct isakmp_frag_item *current;
current = iph1->frag_chain;
while (current->frag_next) {
if (current->frag_last)
last_frag = item->frag_num;
current = current->frag_next;
}
current->frag_next = item;
}
/* If we saw the last frag, check if the chain is complete */
if (last_frag != 0) {
for (i = 1; i <= last_frag; i++) {
item = iph1->frag_chain;
do {
if (item->frag_num == i)
break;
item = item->frag_next;
} while (item != NULL);
if (item == NULL) /* Not found */
break;
}
if (item != NULL) /* It is complete */
return 1;
}
return 0;
}
vchar_t *
isakmp_frag_reassembly(iph1)
struct ph1handle *iph1;
{
struct isakmp_frag_item *item;
size_t len = 0;
vchar_t *buf = NULL;
int frag_count = 0;
int i;
char *data;
if ((item = iph1->frag_chain) == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "No fragment to reassemble\n");
goto out;
}
do {
frag_count++;
len += item->frag_packet->l;
item = item->frag_next;
} while (item != NULL);
if ((buf = vmalloc(len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
goto out;
}
data = buf->v;
for (i = 1; i <= frag_count; i++) {
item = iph1->frag_chain;
do {
if (item->frag_num == i)
break;
item = item->frag_next;
} while (item != NULL);
if (item == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"Missing fragment #%d\n", i);
vfree(buf);
buf = NULL;
goto out;
}
memcpy(data, item->frag_packet->v, item->frag_packet->l);
data += item->frag_packet->l;
}
out:
item = iph1->frag_chain;
do {
struct isakmp_frag_item *next_item;
next_item = item->frag_next;
vfree(item->frag_packet);
racoon_free(item);
item = next_item;
} while (item != NULL);
iph1->frag_chain = NULL;
return buf;
}
vchar_t *
isakmp_frag_addcap(buf, cap)
vchar_t *buf;
int cap;
{
int *capp;
size_t len;
/* If the capability has not been added, add room now */
len = buf->l;
if (len == MD5_DIGEST_LENGTH) {
if ((buf = vrealloc(buf, len + sizeof(cap))) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"Cannot allocate memory\n");
return NULL;
}
capp = (int *)(buf->v + len);
*capp = htonl(0);
}
capp = (int *)(buf->v + MD5_DIGEST_LENGTH);
*capp |= htonl(cap);
return buf;
}

49
crypto/dist/ipsec-tools/src/racoon/isakmp_frag.h vendored Normal file
View File

@ -0,0 +1,49 @@
/* $Id: isakmp_frag.h,v 1.1.1.1 2005/02/12 11:12:20 manu Exp $ */
/*
* Copyright (C) 2004 Emmanuel Dreyfus
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* IKE fragmentation capabilities */
#define VENDORID_FRAG_BASE 0x40000000
#define VENDORID_FRAG_AGG 0x80000000
#define ISAKMP_FRAG_MAXLEN 552
struct isakmp_frag_item {
int frag_num;
int frag_last;
struct isakmp_frag_item *frag_next;
vchar_t *frag_packet;
};
int isakmp_sendfrags(struct ph1handle *, vchar_t *);
unsigned int vendorid_frag_cap(struct isakmp_gen *);
int isakmp_frag_extract(struct ph1handle *, vchar_t *);
vchar_t *isakmp_frag_reassembly(struct ph1handle *);
vchar_t *isakmp_frag_addcap(vchar_t *, int);

1763
crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

50
crypto/dist/ipsec-tools/src/racoon/isakmp_ident.h vendored Normal file
View File

@ -0,0 +1,50 @@
/* $Id: isakmp_ident.h,v 1.1.1.1 2005/02/12 11:12:23 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _ISAKMP_IDENT_H
#define _ISAKMP_IDENT_H
extern int ident_i1send __P((struct ph1handle *, vchar_t *));
extern int ident_i2recv __P((struct ph1handle *, vchar_t *));
extern int ident_i2send __P((struct ph1handle *, vchar_t *));
extern int ident_i3recv __P((struct ph1handle *, vchar_t *));
extern int ident_i3send __P((struct ph1handle *, vchar_t *));
extern int ident_i4recv __P((struct ph1handle *, vchar_t *));
extern int ident_i4send __P((struct ph1handle *, vchar_t *));
extern int ident_r1recv __P((struct ph1handle *, vchar_t *));
extern int ident_r1send __P((struct ph1handle *, vchar_t *));
extern int ident_r2recv __P((struct ph1handle *, vchar_t *));
extern int ident_r2send __P((struct ph1handle *, vchar_t *));
extern int ident_r3recv __P((struct ph1handle *, vchar_t *));
extern int ident_r3send __P((struct ph1handle *, vchar_t *));
#endif /* _ISAKMP_IDENT_H */

1703
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

55
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.h vendored Normal file
View File

@ -0,0 +1,55 @@
/* $Id: isakmp_inf.h,v 1.1.1.1 2005/02/12 11:12:27 manu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _ISAKMP_INF_H
#define _ISAKMP_INF_H
struct saproto;
extern int isakmp_info_recv __P((struct ph1handle *, vchar_t *));
extern int isakmp_info_send_d1 __P((struct ph1handle *));
extern int isakmp_info_send_d2 __P((struct ph2handle *));
extern int isakmp_info_send_nx __P((struct isakmp *,
struct sockaddr *, struct sockaddr *, int, vchar_t *));
extern int isakmp_info_send_n1 __P((struct ph1handle *, int, vchar_t *));
extern int isakmp_info_send_n2 __P((struct ph2handle *, int, vchar_t *));
extern int isakmp_info_send_common __P((struct ph1handle *,
vchar_t *, u_int32_t, int));
extern vchar_t * isakmp_add_pl_n __P((vchar_t *, u_int8_t **, int,
struct saproto *, vchar_t *));
extern void isakmp_check_notify __P((struct isakmp_gen *, struct ph1handle *));
#ifdef ENABLE_DPD
extern int isakmp_sched_r_u __P((struct ph1handle *, int));
#endif
#endif /* _ISAKMP_INF_H */

Some files were not shown because too many files have changed in this diff Show More