From Matthew Grooms: Added ipsecdoi_chkcmpids() function.

2006-10-19 09:35:44 +00:00 · 2006-10-19 09:35:44 +00:00 · b0f2fc5ddb
parent 4ba42a7148
commit b0f2fc5ddb
2 changed files with 158 additions and 2 deletions
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.21 2006/10/06 12:02:27 manu Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.22 2006/10/19 09:35:44 vanhu Exp $	*/

 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */

@ -3300,6 +3300,161 @@ doi2ipproto(proto)
 	return -1;	/* XXX */
 }

+/*
+ * Check and Compare two IDs
+ * - specify 0 for exact if wildcards are allowed
+ * Return value
+ * =  0 for match
+ * =  1 for misatch
+ * = -1 for integrity error
+ */
+
+int
+ipsecdoi_chkcmpids( idt, ids, exact )
+	const vchar_t *idt; /* id cmp target */
+	const vchar_t *ids; /* id cmp source */
+	int exact;
+{
+	struct ipsecdoi_id_b *id_bt;
+	struct ipsecdoi_id_b *id_bs;
+	vchar_t ident_t;
+	vchar_t ident_s;
+	int result;
+
+	/* handle wildcard IDs */
+
+	if (idt == NULL || ids == NULL)
+	{
+		if( !exact )
+		{
+			plog(LLV_DEBUG, LOCATION, NULL,
+				"check and compare ids : values matched (ANONYMOUS)\n" );
+			return 0;
+		}
+		else
+		{
+			plog(LLV_DEBUG, LOCATION, NULL,
+				"check and compare ids : value mismatch (ANONYMOUS)\n" );
+			return -1;
+		}
+	}
+
+	/* make sure the ids are of the same type */
+
+	id_bt = (struct ipsecdoi_id_b *) idt->v;
+	id_bs = (struct ipsecdoi_id_b *) ids->v;
+	if (id_bs->type != id_bt->type)
+	{
+		plog(LLV_DEBUG, LOCATION, NULL,
+			"check and compare ids : id type mismatch %s != %s\n",
+			s_ipsecdoi_ident(id_bs->type),
+			s_ipsecdoi_ident(id_bt->type));
+		return 1;
+	}
+
+	/* compare the ID data. */
+
+	ident_t.v = idt->v + sizeof(*id_bt);
+	ident_t.l = idt->l - sizeof(*id_bt);
+	ident_s.v = ids->v + sizeof(*id_bs);
+	ident_s.l = ids->l - sizeof(*id_bs);
+
+	switch (id_bt->type) {
+	        case IPSECDOI_ID_DER_ASN1_DN:
+        	case IPSECDOI_ID_DER_ASN1_GN:
+			/* compare asn1 ids */
+			result = eay_cmp_asn1dn(&ident_t, &ident_s);
+			goto cmpid_result;
+
+		case IPSECDOI_ID_IPV4_ADDR:
+			/* validate lengths */
+			if ((ident_t.l != sizeof(struct in_addr))||
+			    (ident_s.l != sizeof(struct in_addr)))
+				goto cmpid_invalid;
+			break;
+
+		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+		case IPSECDOI_ID_IPV4_ADDR_RANGE:
+			/* validate lengths */
+			if ((ident_t.l != (sizeof(struct in_addr)*2))||
+			    (ident_s.l != (sizeof(struct in_addr)*2)))
+				goto cmpid_invalid;
+			break;
+
+#ifdef INET6
+		case IPSECDOI_ID_IPV6_ADDR:
+			/* validate lengths */
+			if ((ident_t.l != sizeof(struct in6_addr))||
+			    (ident_s.l != sizeof(struct in6_addr)))
+				goto cmpid_invalid;
+			break;
+
+		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
+		case IPSECDOI_ID_IPV6_ADDR_RANGE:
+			/* validate lengths */
+			if ((ident_t.l != (sizeof(struct in6_addr)*2))||
+			    (ident_s.l != (sizeof(struct in6_addr)*2)))
+				goto cmpid_invalid;
+			break;
+#endif
+		case IPSECDOI_ID_FQDN:
+		case IPSECDOI_ID_USER_FQDN:
+		case IPSECDOI_ID_KEY_ID:
+			break;
+
+		default:
+			plog(LLV_ERROR, LOCATION, NULL,
+				"Unhandled id type %i specified for comparison\n",
+				id_bt->type);
+			return -1;
+	}
+
+	/* validate matching data and length */
+	if (ident_t.l == ident_s.l)
+		result = memcmp(ident_t.v,ident_s.v,ident_t.l);
+	else
+		result = 1;
+
+cmpid_result:
+
+	/* debug level output */
+	if(loglevel >= LLV_DEBUG) {
+		char *idstrt = ipsecdoi_id2str(idt);
+		char *idstrs = ipsecdoi_id2str(ids);
+
+		if (!result)
+	 		plog(LLV_DEBUG, LOCATION, NULL,
+				"check and compare ids : values matched (%s)\n",
+				 s_ipsecdoi_ident(id_bs->type) );
+		else
+ 			plog(LLV_DEBUG, LOCATION, NULL,
+				"check and compare ids : value mismatch (%s)\n",
+				 s_ipsecdoi_ident(id_bs->type));
+
+		plog(LLV_DEBUG, LOCATION, NULL, "cmpid target: \'%s\'\n", idstrt );
+		plog(LLV_DEBUG, LOCATION, NULL, "cmpid source: \'%s\'\n", idstrs );
+
+		racoon_free(idstrs);
+		racoon_free(idstrt);
+	}
+
+	/* return result */
+	if( !result )
+		return 0;
+	else
+		return 1;
+
+cmpid_invalid:
+
+	/* id integrity error */
+	plog(LLV_DEBUG, LOCATION, NULL, "check and compare ids : %s integrity error\n",
+		s_ipsecdoi_ident(id_bs->type));
+	plog(LLV_DEBUG, LOCATION, NULL, "cmpid target: length = \'%i\'\n", ident_t.l );
+	plog(LLV_DEBUG, LOCATION, NULL, "cmpid source: length = \'%i\'\n", ident_s.l );
+
+	return -1;
+}
+
 /*
 * check the following:
 * - In main mode with pre-shared key, only address type can be used.
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.h,v 1.7 2006/10/06 12:02:27 manu Exp $	*/
+/*	$NetBSD: ipsec_doi.h,v 1.8 2006/10/19 09:35:44 vanhu Exp $	*/

 /* Id: ipsec_doi.h,v 1.15 2006/08/11 16:06:30 vanhu Exp */

@ -208,6 +208,7 @@ extern struct prop_pair **get_proppair __P((vchar_t *, int));
 extern vchar_t *get_sabyproppair __P((struct prop_pair *, struct ph1handle *));
 extern int ipsecdoi_updatespi __P((struct ph2handle *iph2));
 extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *));
+extern int ipsecdoi_chkcmpids( const vchar_t *, const vchar_t *, int );
 extern int ipsecdoi_checkid1 __P((struct ph1handle *));
 extern int ipsecdoi_setid1 __P((struct ph1handle *));
 extern int set_identifier __P((vchar_t **, int, vchar_t *));