Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Apply patches as discussed on:

Browse Source 
http://mail-index.netbsd.org/tech-net/2004/11/05/0004.html

Slightly modified to differentiate the version string from a stock racoon.

	* auth_gssapi.h (GSSAPI_DEF_NAME): Change from "ike" to "host".
	(gssapi_get_default_id): Rename to gssapi_get_id.
	(gssapi_get_default_gss_id): New prototype.
	* cfparse.y (GSSAPI_ID): Rename to GSS_ID.
	(GSS_ID_ENC, GSS_ID_ENCTYPE): New tokens.
	(gssenc_statement): New statement.
	(isakmpproposal_spec): Use GSS_ID token.
	(expand_isakmpspec): Fill in gssid in the new proposal only
	if authmethod is OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB.  If the
	GSS ID is not provided, call gssapi_get_default_gss_id() to
	place the default ID in the proposal.
	* cftoken.l (S_GSSENC): New start condition.
	(<S_RMTP>gss_id): New, return the GSS_ID token.
	(<S_RMTP>gssapi_id): Return the GSS_ID token.
	(<S_INI>gss_id_enc, <S_GSSENC>latin1, <S_GSSENC>utf-16le)
	(<S_GSSENC>{semi}): New, tokenize the "gss_id_enc enctype;"
	statement.
	* gssapi.c: Include <unistd.h>.
	(gssapi_get_default_gss_id): New function.
	(gssapi_init): Disable a broken debugging message.  Make
	printf formats consistent in their handling of non-NUL-terminated
	strings.
	(gssapi_get_default_id): Rename to...
	(gssapi_get_id): ...this.  If the proposal has a gssid, vdup()
	that and return it.  Disable a broken debugging message.  Make
	printf formats consistent in their handling of non-NUL-terminated
	strings.
	* ipsec_doi.c: Include <iconv.h>.
	(get_ph1approval): Make printf formats consistent in their handling
	of non-NUL-terminated strings.  Call gssapi_get_id() instead of
	gssapi_get_default_id(), and remove some complexity that has been
	pushed into that function.
	(t2isakmpsa): When parsing the OAKLEY_ATTR_GSS_ID attribute,
	check convert the attribute from UTF-16LE to ISO-Latin-1, unless
	we are configured to assume the attribute is already ISO-Latin-1
	encoded.
	(setph1attr): When setting the OAKLEY_ATTR_GSS_ID attribute,
	convert the attribute from ISO-Latin-1 to UTF-16LE, unless we
	are configured to encode the attribute in ISO-Latin-1.
	* localconf.c (setdefault): Set the default GSS ID encoding type
	to UTF-16LE.
	* localconf.h (LC_GSSENC_UTF16LE, LC_GSSENC_LATIN1)
	(LC_GSSENC_MAX): New constants.
	(struct localconf): Add gss_id_enc member.
	* main.c (RACOON_VERSION): Append " - NetBSD 20041110" to the
	version string.
	* racoon.conf.5: Document changes to GSS ID encoding and default
	GSS ID computation.  Document "gss_id_enc enctype;" statement.
	* samples/racoon.conf.sample-gssapi: Update and add comments to
	provide more information.
This commit is contained in:
thorpej 2004-11-10 20:23:28 +00:00
parent dd14e8071c
commit b454543f45
10 changed files with 299 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
crypto/dist/kame/racoon/auth_gssapi.h vendored
View File

@ -42,7 +42,7 @@
#include <gssapi/gssapi.h>
#endif
#define GSSAPI_DEF_NAME "ike"
#define GSSAPI_DEF_NAME "host"
struct ph1handle;
struct isakmpsa;
@ -89,4 +89,5 @@ int gssapi_id_sent __P((struct ph1handle *));
void gssapi_set_id_rcvd __P((struct ph1handle *));
int gssapi_id_rcvd __P((struct ph1handle *));
void gssapi_free_state __P((struct ph1handle *));
vchar_t *gssapi_get_default_id __P((struct ph1handle *));
vchar_t *gssapi_get_id __P((struct ph1handle *));
vchar_t *gssapi_get_default_gss_id __P((void));

41
crypto/dist/kame/racoon/cfparse.y vendored
View File

@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: cfparse.y,v 1.20 2004/04/12 03:34:05 itojun Exp $");
__RCSID("$NetBSD: cfparse.y,v 1.21 2004/11/10 20:23:28 thorpej Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -192,7 +192,7 @@ static int fix_lifebyte __P((u_long));
%token GENERATE_POLICY SUPPORT_PROXY
%token PROPOSAL
%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
%token GSSAPI_ID
%token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
%token COMPLEX_BUNDLE
%token PREFIX PORT PORTANY UL_PROTO ANY
@ -205,7 +205,7 @@ static int fix_lifebyte __P((u_long));
%token EOS BOC EOC COMMA
%type <num> NUMBER BOOLEAN SWITCH keylength
%type <num> PATHTYPE IDENTIFIERTYPE LOGLEV
%type <num> PATHTYPE IDENTIFIERTYPE LOGLEV GSS_ID_ENCTYPE
%type <num> ALGORITHM_CLASS dh_group_num
%type <num> ALGORITHMTYPE STRENGTHTYPE
%type <num> PREFIX prefix PORT port ike_port
@ -227,6 +227,7 @@ statements
statement
: path_statement
| include_statement
| gssenc_statement
| identifier_statement
| logging_statement
| padding_statement
@ -276,6 +277,18 @@ include_statement
}
;
/* gss_id_enc */
gssenc_statement
: GSS_ID_ENC GSS_ID_ENCTYPE EOS
{
if ($2 >= LC_GSSENC_MAX) {
yyerror("invalid GSS ID encoding %d", $2);
return -1;
}
lcconf->gss_id_enc = $2;
}
;
/* self infomation */
identifier_statement
: IDENTIFIER identifier_stmt
@ -1011,7 +1024,7 @@ isakmpproposal_spec
prhead->spspec->algclass[algclass_isakmp_dh] = $2;
}
EOS
| GSSAPI_ID QUOTEDSTRING
| GSS_ID QUOTEDSTRING
{
if (prhead->spspec->vendorid != VENDORID_GSSAPI) {
yyerror("wrong Vendor ID for gssapi_id");
@ -1364,12 +1377,20 @@ expand_isakmpspec(prop_no, trns_no, types,
new->dh_group = types[algclass_isakmp_dh];
new->vendorid = vendorid;
#ifdef HAVE_GSSAPI
if (gssid != NULL) {
new->gssid = vmalloc(strlen(gssid) + 1);
memcpy(new->gssid->v, gssid, new->gssid->l);
racoon_free(gssid);
} else
new->gssid = NULL;
if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
if (gssid != NULL) {
new->gssid = vmalloc(strlen(gssid));
memcpy(new->gssid->v, gssid, new->gssid->l);
racoon_free(gssid);
} else {
/*
* Allocate the default ID so that it gets put
* into a GSS ID attribute during the Phase 1
* exchange.
*/
new->gssid = gssapi_get_default_gss_id();
}
}
#endif
insisakmpsa(new, rmconf);

14
crypto/dist/kame/racoon/cftoken.l vendored
View File

@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: cftoken.l,v 1.14 2004/04/12 03:34:06 itojun Exp $");
__RCSID("$NetBSD: cftoken.l,v 1.15 2004/11/10 20:23:28 thorpej Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -137,6 +137,7 @@ hexstring 0x{hexdigit}+
%s S_SAINF S_SAINFS
%s S_RMT S_RMTS S_RMTP
%s S_SA
%s S_GSSENC
%%
%{
@ -282,7 +283,16 @@ hexstring 0x{hexdigit}+
<S_RMTP>authentication_method { YYD; yylval.num = algclass_isakmp_ameth; return(ALGORITHM_CLASS); }
<S_RMTP>hash_algorithm { YYD; yylval.num = algclass_isakmp_hash; return(ALGORITHM_CLASS); }
<S_RMTP>dh_group { YYD; return(DH_GROUP); }
<S_RMTP>gssapi_id { YYD; return(GSSAPI_ID); }
<S_RMTP>gss_id { YYD; return(GSS_ID); }
<S_RMTP>gssapi_id { YYD; return(GSS_ID); } /* for back compatibility */
/* GSS ID encoding type (global) */
<S_INI>gss_id_enc { BEGIN S_GSSENC; YYDB; return(GSS_ID_ENC); }
<S_GSSENC>latin1 { YYD; yylval.num = LC_GSSENC_LATIN1;
return(GSS_ID_ENCTYPE); }
<S_GSSENC>utf-16le { YYD; yylval.num = LC_GSSENC_UTF16LE;
return(GSS_ID_ENCTYPE); }
<S_GSSENC>{semi} { BEGIN S_INI; YYDB; return(EOS); }
/* parameter */
on { YYD; yylval.num = TRUE; return(SWITCH); }

53
crypto/dist/kame/racoon/gssapi.c vendored
View File

@ -37,13 +37,14 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: gssapi.c,v 1.3 2004/04/12 03:34:07 itojun Exp $");
__RCSID("$NetBSD: gssapi.c,v 1.4 2004/11/10 20:23:28 thorpej Exp $");
#ifdef HAVE_GSSAPI
#include <sys/types.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
@ -132,6 +133,25 @@ gssapi_gss2vmbuf(gss_buffer_t gsstoken, vchar_t **vmbuf)
return 0;
}
vchar_t *
gssapi_get_default_gss_id(void)
{
char name[NI_MAXHOST];
vchar_t *gssid;
if (gethostname(name, sizeof(name)) != 0) {
plog(LLV_ERROR, LOCATION, NULL, "gethostname failed: %s\n",
strerror(errno));
return (NULL);
}
name[sizeof(name) - 1] = '\0';
gssid = racoon_malloc(sizeof(*gssid));
gssid->l = asprintf(&gssid->v, "%s/%s", GSSAPI_DEF_NAME, name);
return (gssid);
}
static int
gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service)
{
@ -220,8 +240,15 @@ gssapi_init(struct ph1handle *iph1)
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%*s' creds\n",
#if 0
/*
* XXXJRT Did this debug message ever work? This is a GSS name
* blob at this point.
*/
plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s' creds\n",
cred->length, cred->value);
#endif
maj_stat = gss_release_buffer(&min_stat, cred);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release cred buffer\n");
@ -263,15 +290,16 @@ gssapi_get_itoken(struct ph1handle *iph1, int *lenp)
dummy = &empty;
if (iph1->approval != NULL && iph1->approval->gssid != NULL) {
plog(LLV_DEBUG, LOCATION, NULL, "using provided service '%s'\n",
iph1->approval->gssid->v);
plog(LLV_DEBUG, LOCATION, NULL,
"using provided service '%.*s'\n",
iph1->approval->gssid->l, iph1->approval->gssid->v);
name_token.length = iph1->approval->gssid->l;
name_token.value = iph1->approval->gssid->v;
maj_stat = gss_import_name(&min_stat, &name_token,
GSS_C_NO_OID, &partner);
if (GSS_ERROR(maj_stat)) {
gssapi_error(min_stat, LOCATION, "import of %s\n",
name_token.value);
gssapi_error(min_stat, LOCATION, "import of '%.*s'\n",
name_token.length, name_token.value);
return -1;
}
} else
@ -653,7 +681,7 @@ gssapi_free_state(struct ph1handle *iph1)
}
vchar_t *
gssapi_get_default_id(struct ph1handle *iph1)
gssapi_get_id(struct ph1handle *iph1)
{
gss_buffer_desc id_buffer;
gss_buffer_t id = &id_buffer;
@ -661,6 +689,9 @@ gssapi_get_default_id(struct ph1handle *iph1)
OM_uint32 min_stat, maj_stat;
vchar_t *vmbuf;
if (iph1->rmconf->proposal->gssid != NULL)
return (vdup(iph1->rmconf->proposal->gssid));
if (gssapi_get_default_name(iph1, 0, &defname) < 0)
return NULL;
@ -691,8 +722,14 @@ gssapi_get_default_id(struct ph1handle *iph1)
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release canonical name\n");
plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%*s' creds\n",
#if 0
/*
* XXXJRT Did this debug message ever work? This is a GSS name
* blob at this point.
*/
plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s'\n",
id->length, id->value);
#endif
if (gssapi_gss2vmbuf(id, &vmbuf) < 0) {
plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");

165
crypto/dist/kame/racoon/ipsec_doi.c vendored
View File

@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: ipsec_doi.c,v 1.15 2004/04/12 03:34:07 itojun Exp $");
__RCSID("$NetBSD: ipsec_doi.c,v 1.16 2004/11/10 20:23:28 thorpej Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -85,6 +85,7 @@ __RCSID("$NetBSD: ipsec_doi.c,v 1.15 2004/04/12 03:34:07 itojun Exp $");
#include "gcmalloc.h"
#ifdef HAVE_GSSAPI
#include <iconv.h>
#include "auth_gssapi.h"
#endif
@ -269,8 +270,8 @@ found:
saok:
#ifdef HAVE_GSSAPI
if (sa->gssid != NULL)
plog(LLV_DEBUG, LOCATION, NULL, "gss id in new sa '%s'\n",
sa->gssid->v);
plog(LLV_DEBUG, LOCATION, NULL, "gss id in new sa '%.*s'\n",
sa->gssid->l, sa->gssid->v);
if (iph1-> side == INITIATOR) {
if (iph1->rmconf->proposal->gssid != NULL)
iph1->gi_i = vdup(iph1->rmconf->proposal->gssid);
@ -280,21 +281,17 @@ saok:
} else {
if (tsa.gssid != NULL) {
iph1->gi_r = vdup(tsa.gssid);
if (iph1->rmconf->proposal->gssid != NULL)
iph1->gi_i =
vdup(iph1->rmconf->proposal->gssid);
else
iph1->gi_i = gssapi_get_default_id(iph1);
iph1->gi_i = gssapi_get_id(iph1);
if (sa->gssid == NULL && iph1->gi_i != NULL)
sa->gssid = vdup(iph1->gi_i);
}
iph1->approval = sa;
}
if (iph1->gi_i != NULL)
plog(LLV_DEBUG, LOCATION, NULL, "GIi is %*s\n",
plog(LLV_DEBUG, LOCATION, NULL, "GIi is '%.*s'\n",
iph1->gi_i->l, iph1->gi_i->v);
if (iph1->gi_r != NULL)
plog(LLV_DEBUG, LOCATION, NULL, "GIr is %*s\n",
plog(LLV_DEBUG, LOCATION, NULL, "GIr is '%.*s'\n",
iph1->gi_r->l, iph1->gi_r->v);
#else
iph1->approval = sa;
@ -662,16 +659,81 @@ t2isakmpsa(trns, sa)
#ifdef HAVE_GSSAPI
case OAKLEY_ATTR_GSS_ID:
{
iconv_t cd;
size_t srcleft, dstleft, rv;
const char *src;
char *dst;
int len = ntohs(d->lorv);
sa->gssid = vmalloc(len);
memcpy(sa->gssid->v, d + 1, len);
/*
* Older versions of racoon just placed the
* ISO-Latin-1 string on the wire directly.
* Check to see if we are configured to be
* compatible with this behavior.
*/
if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) {
sa->gssid = vmalloc(len);
memcpy(sa->gssid->v, d + 1, len);
plog(LLV_DEBUG, LOCATION, NULL,
"received old-style gss id '%.*s' (len %d)\n",
sa->gssid->l, sa->gssid->v, sa->gssid->l);
break;
}
/*
* For Windows 2000 compatbility, we expect
* the GSS ID attribute on the wire to be
* encoded in UTF-16LE. Internally, we work
* in ISO-Latin-1. Therefore, we should need
* 1/2 the specified length, which should
* always be a multiple of 2 octets.
*/
cd = iconv_open("latin1", "utf-16le");
if (cd == (iconv_t) -1) {
plog(LLV_ERROR, LOCATION, NULL,
"unable to initialize utf-16le -> latin1 "
"conversion descriptor: %s\n",
strerror(errno));
break;
}
sa->gssid = vmalloc(len / 2);
src = (const char *)(d + 1);
srcleft = len;
dst = sa->gssid->v;
dstleft = len / 2;
rv = iconv(cd, &src, &srcleft, &dst, &dstleft);
if (rv != 0) {
if (rv == -1) {
plog(LLV_ERROR, LOCATION, NULL,
"unable to convert GSS ID from "
"utf-16le -> latin1: %s\n",
strerror(errno));
} else {
plog(LLV_ERROR, LOCATION, NULL,
"%zd character%s in GSS ID cannot "
"be represented in latin1\n",
rv, rv == 1 ? "" : "s");
}
(void) iconv_close(cd);
vfree(sa->gssid);
sa->gssid = NULL;
break;
}
(void) iconv_close(cd);
/* XXX dstleft should always be 0; assert it? */
sa->gssid->l = (len / 2) - dstleft;
plog(LLV_DEBUG, LOCATION, NULL,
"received gss id '%s' (len %d)\n", sa->gssid->v,
sa->gssid->l);
"received gss id '%.*s' (len %d)\n", sa->gssid->l,
sa->gssid->v, sa->gssid->l);
break;
}
#endif
#endif /* HAVE_GSSAPI */
default:
break;
@ -2583,16 +2645,77 @@ setph1attr(sa, buf)
if (sa->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
sa->gssid != NULL) {
attrlen += sizeof(struct isakmp_data);
attrlen += sa->gssid->l;
/*
* Older versions of racoon just placed the ISO-Latin-1
* string on the wire directly. Check to see if we are
* configured to be compatible with this behavior. Otherwise,
* we encode the GSS ID as UTF-16LE for Windows 2000
* comatibility, which requires twice the number of octets.
*/
if (lcconf->gss_id_enc == LC_GSSENC_LATIN1)
attrlen += sa->gssid->l;
else
attrlen += sa->gssid->l * 2;
if (buf) {
plog(LLV_DEBUG, LOCATION, NULL, "gss id attr: len %d, "
"val '%s'\n", sa->gssid->l, sa->gssid->v);
p = isakmp_set_attr_v(p, OAKLEY_ATTR_GSS_ID,
(caddr_t)sa->gssid->v,
sa->gssid->l);
"val '%.*s'\n", sa->gssid->l, sa->gssid->l,
sa->gssid->v);
if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) {
p = isakmp_set_attr_v(p, OAKLEY_ATTR_GSS_ID,
(caddr_t)sa->gssid->v,
sa->gssid->l);
} else {
size_t dstleft = sa->gssid->l * 2;
size_t srcleft = sa->gssid->l;
const char *src = (const char *)sa->gssid->v;
char *odst, *dst = racoon_malloc(dstleft);
iconv_t cd;
size_t rv;
cd = iconv_open("utf-16le", "latin1");
if (cd == (iconv_t) -1) {
plog(LLV_ERROR, LOCATION, NULL,
"unable to initialize "
"latin1 -> utf-16le "
"converstion descriptor: %s\n",
strerror(errno));
attrlen -= sa->gssid->l * 2;
goto gssid_done;
}
odst = dst;
rv = iconv(cd, &src, &srcleft,
&dst, &dstleft);
if (rv != 0) {
if (rv == -1) {
plog(LLV_ERROR, LOCATION, NULL,
"unable to convert GSS ID "
"from latin1 -> utf-16le: "
"%s\n", strerror(errno));
} else {
/* should never happen */
plog(LLV_ERROR, LOCATION, NULL,
"%zd character%s in GSS ID "
"cannot be represented "
"in utf-16le\n",
rv, rv == 1 ? "" : "s");
}
(void) iconv_close(cd);
attrlen -= sa->gssid->l * 2;
goto gssid_done;
}
(void) iconv_close(cd);
/* XXX Check srcleft and dstleft? */
p = isakmp_set_attr_v(p, OAKLEY_ATTR_GSS_ID,
odst, sa->gssid->l * 2);
racoon_free(odst);
}
}
}
#endif
gssid_done:
#endif /* HAVE_GSSAPI */
return attrlen;
}

3
crypto/dist/kame/racoon/localconf.c vendored
View File

@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: localconf.c,v 1.3 2004/10/30 15:15:38 dsl Exp $");
__RCSID("$NetBSD: localconf.c,v 1.4 2004/11/10 20:23:28 thorpej Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -116,6 +116,7 @@ setdefault()
lcconf->wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
lcconf->strict_address = FALSE;
lcconf->complex_bundle = TRUE; /*XXX FALSE;*/
lcconf->gss_id_enc = LC_GSSENC_UTF16LE; /* Windows compatibility */
}
/*

6
crypto/dist/kame/racoon/localconf.h vendored
View File

@ -54,6 +54,10 @@
#define LC_IDENTTYPE_MAX 5 /* XXX */
#define LC_GSSENC_UTF16LE 0 /* GSS ID in UTF-16LE */
#define LC_GSSENC_LATIN1 1 /* GSS ID in ISO-Latin-1 */
#define LC_GSSENC_MAX 2
struct localconf {
char *racoon_conf; /* configuration filename */
@ -98,6 +102,8 @@ struct localconf {
* usually uses this format. If the option, 'complex_bundle'
* is enable, racoon uses old format.
*/
int gss_id_enc; /* GSS ID encoding to use */
};
extern struct localconf *lcconf;

4
crypto/dist/kame/racoon/main.c vendored
View File

@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: main.c,v 1.10 2003/07/12 09:37:11 itojun Exp $");
__RCSID("$NetBSD: main.c,v 1.11 2004/11/10 20:23:28 thorpej Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -81,7 +81,7 @@ int f_local = 0; /* local test mode. behave like a wall. */
int vflag = 1; /* for print-isakmp.c */
static int loading_sa = 0; /* install sa when racoon boots up. */
#define RACOON_VERSION "20001216 sakane@kame.net"
#define RACOON_VERSION "20001216 sakane@kame.net - NetBSD 20041110"
#ifdef RACOON_PKG_VERSION
static char version0[] = "@(#)package version " RACOON_PKG_VERSION ;
static char version[] = "@(#)internal version " RACOON_VERSION ;

42
crypto/dist/kame/racoon/racoon.conf.5 vendored
View File

@ -1,4 +1,4 @@
.\" $NetBSD: racoon.conf.5,v 1.21 2004/04/12 03:34:07 itojun Exp $
.\" $NetBSD: racoon.conf.5,v 1.22 2004/11/10 20:23:28 thorpej Exp $
.\" $KAME: racoon.conf.5,v 1.109 2003/12/17 01:43:57 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -28,7 +28,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd April 12, 2004
.Dd November 4, 2004
.Dt RACOON.CONF 5
.Os
.\"
@ -211,6 +211,36 @@ This statement will be ignored if you do not specify any addresses.
.El
.El
.\"
.Ss Miscellaneous Global Parameters
.Bl -tag -width Ds -compact
.It Ic gss_id_enc Ar enctype ;
Older versions of
.Xr racoon 8
used ISO-Latin-1 as the encoding of the GSS-API identifier attribute.
For interoperability with Microsoft Windows' GSS-API authentication
scheme, the default encoding has been changed to UTF-16LE.
The
.Ic gss_id_enc
parameter allows
.Xr racoon 8
to be configured to use the old encoding for compatibility with existing
.Xr racoon 8
installations.
The following are valid values for
.Ar enctype :
.Pp
.Bl -tag -width Ds -compact
.It Ic utf-16le
Use UTF-16LE to encode the GSS-API identifier attribute.
This is the default encoding.
This encoding is compatible with Microsoft Windows.
.It Ic latin1
Use ISO-Latin-1 to encode the GSS-API identifier attribute.
This is the encoding used by older versions of
.Xr racoon 8 .
.El
.El
.\"
.Ss Remote Nodes Specifications
.Bl -tag -width Ds -compact
.It Xo
@ -478,13 +508,15 @@ Refer to the description of
directive immediately defined in
.Ic remote
directive.
.It Ic gssapi_id Ar string ;
.It Ic gss_id Ar string ;
define the GSS-API endpoint name, to be included as an attribute in the SA,
if the
.Ic gssapi_krb
authentication method is used. If this is not defined, the default value of
.Ql ike/hostname
is used, where hostname is the FQDN of the interface being used.
.Ql host/hostname
is used, where hostname is the value returned by the
.Xr hostname 1
command.
.El
.El
.El

30
crypto/dist/kame/racoon/samples/racoon.conf.sample-gssapi vendored
View File

@ -8,32 +8,36 @@
# strict_address;
#}
# Uncomment the following for GSS-API to work with older versions of
# racoon that (incorrectly) used ISO-Latin-1 encoding for the GSS-API
# identifier attribute.
#gss_id_enc latin1;
remote anonymous {
exchange_mode main;
#exchange_mode aggressive;
# specify the identifier type
my_identifier fqdn "foo.kame.net";
lifetime time 1 min;
lifetime time 24 hour;
proposal {
encryption_algorithm blowfish;
encryption_algorithm 3des;
hash_algorithm sha1;
#authentication_method pre_shared_key;
authentication_method gssapi_krb;
gssapi_id "ike/myidentification";
# The default GSS-API ID is "host/hostname", where
# hostname is the output of the hostname(1) command.
# You probably want this to match your system's host
# principal. ktutil(8)'s "list" command will list the
# principals in your system's keytab. If you need to,
# you can change the GSS-API ID here.
#gss_id "host/some.host.name";
dh_group 1;
}
}
sainfo anonymous {
my_identifier fqdn "foo.kame.net";
lifetime time 2 hour;
lifetime time 30 min;
encryption_algorithm blowfish 448;
authentication_algorithm hmac_sha1;
encryption_algorithm rijndael, 3des;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}