KAME racoon as of 2002/4/26

This commit is contained in:
itojun 2002-04-26 02:16:38 +00:00
parent 77e08f053a
commit b4df5a033c
42 changed files with 1783 additions and 920 deletions


@ -1,4 +1,4 @@
/* $KAME: ipsec_dump_policy.c,v 1.11 2000/05/07 05:29:47 itojun Exp $ */
/* $KAME: ipsec_dump_policy.c,v 1.12 2001/11/13 12:38:47 jinmei Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -291,11 +291,7 @@ set_address(buf, len, sa)
size_t len;
struct sockaddr *sa;
{
#ifdef NI_WITHSCOPEID
const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
#else
const int niflags = NI_NUMERICHOST;
#endif
if (len < 1)
return NULL;


@ -1,4 +1,4 @@
/* $KAME: pfkey_dump.c,v 1.30 2001/06/27 13:20:15 sakane Exp $ */
/* $KAME: pfkey_dump.c,v 1.35 2001/11/13 12:38:47 jinmei Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -99,7 +99,8 @@ do { \
} while (0)
static char *str_ipaddr __P((struct sockaddr *));
static char *str_prefport __P((u_int, u_int, u_int));
static char *str_prefport __P((u_int, u_int, u_int, u_int));
static void str_upperspec __P((u_int, u_int, u_int));
static char *str_time __P((time_t));
static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
@ -130,22 +131,6 @@ static char *str_mode[] = {
"tunnel",
};
static char *str_upper[] = {
/*0*/ "ip", "icmp", "igmp", "ggp", "ip4",
"", "tcp", "", "egp", "",
/*10*/ "", "", "", "", "",
"", "", "udp", "", "",
/*20*/ "", "", "idp", "", "",
"", "", "", "", "tp",
/*30*/ "", "", "", "", "",
"", "", "", "", "",
/*40*/ "", "ip6", "", "rt6", "frag6",
"", "rsvp", "gre", "", "",
/*50*/ "esp", "ah", "", "", "",
"", "", "", "icmp6", "none",
/*60*/ "dst6",
};
static char *str_state[] = {
"larval",
"mature",
@ -371,7 +356,7 @@ pfkey_spdump(m)
struct sadb_x_policy *m_xpl;
struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL;
struct sockaddr *sa;
u_int16_t port;
u_int16_t sport = 0, dport = 0;
/* check pfkey message. */
if (pfkey_align(m, mhp)) {
@ -400,12 +385,13 @@ pfkey_spdump(m)
case AF_INET6:
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
NI_NUMERICSERV) != 0)
port = 0; /*XXX*/
sport = 0; /*XXX*/
else
port = atoi(pbuf);
sport = atoi(pbuf);
printf("%s%s ", str_ipaddr(sa),
str_prefport(sa->sa_family,
m_saddr->sadb_address_prefixlen, port));
m_saddr->sadb_address_prefixlen, sport,
m_saddr->sadb_address_proto));
break;
default:
printf("unknown-af ");
@ -423,12 +409,13 @@ pfkey_spdump(m)
case AF_INET6:
if (getnameinfo(sa, sa->sa_len, NULL, 0, pbuf, sizeof(pbuf),
NI_NUMERICSERV) != 0)
port = 0; /*XXX*/
dport = 0; /*XXX*/
else
port = atoi(pbuf);
dport = atoi(pbuf);
printf("%s%s ", str_ipaddr(sa),
str_prefport(sa->sa_family,
m_daddr->sadb_address_prefixlen, port));
m_daddr->sadb_address_prefixlen, dport,
m_saddr->sadb_address_proto));
break;
default:
printf("unknown-af ");
@ -440,10 +427,7 @@ pfkey_spdump(m)
printf("upper layer protocol mismatched.\n");
return;
}
if (m_saddr->sadb_address_proto == IPSEC_ULPROTO_ANY)
printf("any");
else
GETMSGSTR(str_upper, m_saddr->sadb_address_proto);
str_upperspec(m_saddr->sadb_address_proto, sport, dport);
/* policy */
{
@ -494,11 +478,7 @@ str_ipaddr(sa)
struct sockaddr *sa;
{
static char buf[NI_MAXHOST];
#ifdef NI_WITHSCOPEID
const int niflag = NI_NUMERICHOST | NI_WITHSCOPEID;
#else
const int niflag = NI_NUMERICHOST;
#endif
if (sa == NULL)
return "";
@ -512,8 +492,8 @@ str_ipaddr(sa)
* set "/prefix[port number]" to buffer.
*/
static char *
str_prefport(family, pref, port)
u_int family, pref, port;
str_prefport(family, pref, port, ulp)
u_int family, pref, port, ulp;
{
static char buf[128];
char prefbuf[10];
@ -536,7 +516,9 @@ str_prefport(family, pref, port)
else
snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
if (port == IPSEC_PORT_ANY)
if (ulp == IPPROTO_ICMPV6)
memset(portbuf, 0, sizeof(portbuf));
else if (ulp != IPPROTO_ICMPV6 && port == IPSEC_PORT_ANY)
snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
else
snprintf(portbuf, sizeof(portbuf), "[%u]", port);
@ -546,6 +528,36 @@ str_prefport(family, pref, port)
return buf;
}
static void
str_upperspec(ulp, p1, p2)
u_int ulp, p1, p2;
{
if (ulp == IPSEC_ULPROTO_ANY)
printf("any");
else if (ulp == IPPROTO_ICMPV6) {
printf("icmp6");
if (!(p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY))
printf(" %d,%d", p1, p2);
} else {
struct protoent *ent;
switch (ulp) {
case IPPROTO_IPV4:
printf("ip4");
break;
default:
ent = getprotobynumber(ulp);
if (ent)
printf("%s", ent->p_name);
else
printf("%d", ulp);
endprotoent();
break;
}
}
}
/*
* set "Mon Day Time Year" to buffer
*/
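Review bot: In str_prefport the `ulp != IPPROTO_ICMPV6` test in `else if (ulp != IPPROTO_ICMPV6 && port == IPSEC_PORT_ANY)` is redundant, because that branch is only reached when the preceding `if (ulp == IPPROTO_ICMPV6)` failed; `else if (port == IPSEC_PORT_ANY)` says the same thing. In str_upperspec the parameters are declared `u_int` but printed with `%d` (`printf(" %d,%d", p1, p2)` and `printf("%d", ulp)`); `%u` matches the declared type. In pfkey_spdump the destination branch passes `m_saddr->sadb_address_proto` to str_prefport for the destination address; the two protocols are compared further down ("upper layer protocol mismatched"), but that check runs after this line has already been printed, so `m_daddr->sadb_address_proto` is what the destination line should show. pfkey_spdump and str_ipaddr both extend outside these hunks.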


@ -1,4 +1,4 @@
/* $KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $ */
/* $KAME: policy_parse.y,v 1.11 2001/08/31 09:44:18 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@ -87,6 +87,8 @@ extern void __policy__strbuffer__init__ __P((char *msg));
extern int yyparse __P((void));
extern int yylex __P((void));
extern char *__libyytext; /*XXX*/
%}
%union {
@ -209,8 +211,6 @@ void
yyerror(msg)
char *msg;
{
extern char *__libyytext; /*XXX*/
fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
msg, __libyytext);


@ -1,4 +1,4 @@
# $KAME: Makefile.in,v 1.35 2001/08/08 22:09:26 sakane Exp $
# $KAME: Makefile.in,v 1.36 2001/11/16 04:34:55 sakane Exp $
@SET_MAKE@
srcdir= @srcdir@
@ -30,7 +30,7 @@ OBJS= main.o session.o isakmp.o handler.o random.o \
policy.o localconf.o remoteconf.o crypto_openssl.o algorithm.o \
proposal.o sainfo.o cfparse.o cftoken.o strnames.o \
vmbuf.o plog.o logger.o schedule.o str2val.o misc.o sockmisc.o \
safefile.o backupsa.o @LIBOBJS@ @CRYPTOBJS@
safefile.o backupsa.o @LIBOBJS@ @CRYPTOBJS@ @DEBUGRMOBJS@
# under samples
CONF= psk.txt racoon.conf
@ -40,14 +40,15 @@ racoon: $(OBJS)
$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
racoonctl: kmpstat.o misc_noplog.o vmbuf.o str2val.o
$(CC) $(LDFLAGS) -o $@ kmpstat.o misc_noplog.o vmbuf.o str2val.o $(LIBS)
$(CC) $(LDFLAGS) -o $@ kmpstat.o misc_noplog.o vmbuf.o str2val.o \
$(LIBS) @DEBUGRMOBJS@
pfkey: dummy.o
$(CC) $(LDFLAGS) -o $@ dummy.o
eaytest: eaytest.o crypto_openssl_test.o misc_noplog.o vmbuf.o str2val.o
$(CC) $(LDFLAGS) -o $@ eaytest.o crypto_openssl_test.o misc_noplog.o \
vmbuf.o str2val.o $(LIBS) @CRYPTOBJS@
vmbuf.o str2val.o $(LIBS) @CRYPTOBJS@ @DEBUGRMOBJS@
# special object rules
crypto_openssl_test.o: crypto_openssl.c


@ -1,4 +1,4 @@
$KAME: TODO,v 1.35 2000/10/04 17:40:58 itojun Exp $
$KAME: TODO,v 1.36 2001/09/19 09:41:39 sakane Exp $
Please send any questions or bug reports to snap-users@kame.net.
@ -10,23 +10,15 @@ o split log file based on client. printf-like config directive, i.e.
"logfile racoon.%s.log", should be useful here.
-> beware of possible security issue, don't use sprintf() directly!
make validation before giving a string to sprintf().
o fix flag for logging
o save decrypted IKE packet in tcpdump format
o IPComp SA with wellknown CPI in CPI field. how to handle it?
o hunt for memory leaks
o better rekey
MUST
o Certificate type handling. e.g. CRL, CR, PGP...
o multiple certificate payload handling.
o To consider the use with certificate infrastructure. PXIX ???
o Support scoped (link-local and site-local) IPv6 addresses.
It needs pfkey modification for scope IDs, and advanced API (RFC2292)
related mods in racoon itself.
o kmstat should be improved.
o aggressive mode DH group checks/handling on responder side.
o Informational Exchange processing properly.
o mandatory configuration check.
o require less configuration. phase 2 is easier (as kernel presents racoon
some hints), phase 1 is harder. for example,
- grab phase 2 lifetime and algorith configuration from sadb_comb payloads in
@ -44,18 +36,11 @@ o require less configuration. phase 2 is easier (as kernel presents racoon
(is "strict" a reasonable default?)
guess which mode to use for phase 1 negotiation (is main mode useful?
is base mode popular enough?)
o psk.txt should be a database? (psk.db?) psk_mkdb?
o more acceptable check.
SHOULD
o how to support multi interfaces ?
- perform a dummy connect(2), like ping6.
- bind multi address, like named.
now racoon uses the former way.
o DSA signature authentication method.
o more acceptable check.
o New group mode should be considered.
o psk.txt should be a database? (psk.db?) psk_mkdb?
o Dynamically retry to exchange and resend the packet per nodes.
o Remote maintenance with secure connection.
o To make the list of supported algorithm by sadb_supported payload
in the SADB_REGISTER message which happens asynchronously.
o fix the structure of ph2handle.


@ -1,4 +1,4 @@
/* $KAME: algorithm.c,v 1.20 2001/08/16 06:17:12 sakane Exp $ */
/* $KAME: algorithm.c,v 1.23 2002/04/25 09:48:32 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -148,7 +148,7 @@ static struct enc_algorithm ipsec_encdef[] = {
NULL, eay_des_keylen, },
{ "null", algtype_null_enc, IPSECDOI_ESP_NULL, 8,
NULL, NULL,
NULL, eay_3des_keylen, },
NULL, eay_null_keylen, },
{ "rijndael", algtype_rijndael, IPSECDOI_ESP_RIJNDAEL, 16,
NULL, NULL,
NULL, eay_aes_keylen, },
@ -227,6 +227,8 @@ static struct dh_algorithm oakley_dhdef[] = {
&dh_modp3072, },
{ "modp4096", algtype_modp4096, OAKLEY_ATTR_GRP_DESC_MODP4096,
&dh_modp4096, },
{ "modp6144", algtype_modp6144, OAKLEY_ATTR_GRP_DESC_MODP6144,
&dh_modp6144, },
{ "modp8192", algtype_modp8192, OAKLEY_ATTR_GRP_DESC_MODP8192,
&dh_modp8192, },
};
@ -460,8 +462,8 @@ alg_oakley_encdef_decrypt(doi, buf, key, iv)
#ifdef ENABLE_STATS
gettimeofday(&end, NULL);
syslog(LOG_NOTICE, "%s(%s size=%d): %8.6f", __FUNCTION__,
f->name, buf->l, timedelta(&start, &end));
syslog(LOG_NOTICE, "%s(%s klen=%d size=%d): %8.6f", __FUNCTION__,
f->name, key->l << 3, buf->l, timedelta(&start, &end));
#endif
return res;
}
@ -489,8 +491,8 @@ alg_oakley_encdef_encrypt(doi, buf, key, iv)
#ifdef ENABLE_STATS
gettimeofday(&end, NULL);
syslog(LOG_NOTICE, "%s(%s size=%d): %8.6f", __FUNCTION__,
f->name, buf->l, timedelta(&start, &end));
syslog(LOG_NOTICE, "%s(%s klen=%d size=%d): %8.6f", __FUNCTION__,
f->name, key->l << 3, buf->l, timedelta(&start, &end));
#endif
return res;
}
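Review bot: The new ENABLE_STATS syslog lines print `key->l << 3` and `buf->l` with `%d`; if `l` is a `size_t` (the vchar_t definition is not on this page — confirm), the format does not match the argument and the shift is performed in the wider type, so `(int)(key->l << 3), (int)buf->l` keeps the format honest on both platforms. Only the key length in bits is logged, not key material, which is appropriate for a stats line. The `eay_3des_keylen` → `eay_null_keylen` correction for the "null" ipsec_encdef entry is consistent with the `eay_null_keylen` prototype this commit adds to crypto_openssl.h. alg_oakley_encdef_decrypt and alg_oakley_encdef_encrypt both start outside their hunks.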


@ -1,4 +1,4 @@
/* $KAME: algorithm.h,v 1.19 2001/08/16 06:17:12 sakane Exp $ */
/* $KAME: algorithm.h,v 1.20 2001/12/12 18:23:41 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -96,6 +96,7 @@ enum {
algtype_modp2048,
algtype_modp3072,
algtype_modp4096,
algtype_modp6144,
algtype_modp8192,
/* authentication method. */



@ -21,6 +21,16 @@ AC_ARG_ENABLE(debug, [ --enable-debug build a debug version],
[OPTFLAG="-g $OPTFLAG"; enable_debug=yes], [enable_debug=no])
AC_MSG_RESULT($enable_debug)
AC_SUBST(DEBUGRMOBJS)
AC_MSG_CHECKING(if --enable-debugrm option is specified)
AC_ARG_ENABLE(debugrm, [ --enable-debugrm build with the memory allocation recorder],
[OPTFLAG="-DDEBUG_RECORD_MALLOCATION $OPTFLAG"; enable_debugrm=yes],
[enable_debugrm=no])
if test "$enable_debugrm" != "no"; then
DEBUGRMOBJS="debugrm.o"
fi
AC_MSG_RESULT($enable_debugrm)
AC_MSG_CHECKING(if --enable-yydebug option is specified)
AC_ARG_ENABLE(yydebug, [ --enable-yydebug build a yydebug version],
[AC_DEFINE(YYDEBUG)


@ -1,4 +1,4 @@
/* $KAME: crypto_openssl.h,v 1.23 2001/08/14 12:26:06 sakane Exp $ */
/* $KAME: crypto_openssl.h,v 1.25 2002/04/25 09:48:32 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -52,6 +52,10 @@ extern vchar_t *eay_get_x509sign __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_check_x509sign __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_check_pkcs7sign __P((vchar_t *, vchar_t *, vchar_t *));
/* RSA */
extern vchar_t *eay_rsa_sign __P((vchar_t *, vchar_t *));
extern int eay_rsa_verify __P((vchar_t *, vchar_t *, vchar_t *));
/* ASN.1 */
extern vchar_t *eay_get_pkcs1privkey __P((char *));
extern vchar_t *eay_get_pkcs1pubkey __P((char *));
@ -104,6 +108,7 @@ extern int eay_aes_weakkey __P((vchar_t *));
extern int eay_aes_keylen __P((int));
/* misc */
extern int eay_null_keylen __P((int));
extern int eay_null_hashlen __P((void));
extern int eay_kpdk_hashlen __P((void));
extern int eay_twofish_keylen __P((int));

274
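--- /dev/null
+++ b/crypto/dist/kame/racoon/debugrm.c
@@ -0,0 +1,274 @@
+/* $KAME: debugrm.c,v 1.6 2001/12/13 16:07:46 sakane Exp $ */
+/*
+* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+* 3. Neither the name of the project nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+#define NONEED_DRM
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#include <err.h>
+#include "debugrm.h"
+#include "vmbuf.h" /* need to mask vmbuf.c functions. */
+#define DRMLISTSIZE 1024
+struct drm_list_t {
+void *ptr;
+char msg[100];
+};
+static struct drm_list_t drmlist[DRMLISTSIZE];
+static int drm_unknown;
+static void DRM_add __P((void *, char *));
+static void DRM_del __P((void *));
+static void DRM_setmsg __P((char *, int, void *, int, char *, int, char *));
+void
+DRM_init()
+{
+int i;
+drm_unknown = 0;
+for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++)
+drmlist[i].ptr = 0;
+}
+void
+DRM_dump()
+{
+FILE *fp;
+int i;
+fp = fopen(DRMDUMPFILE, "w");
+if (fp == NULL)
+err(1, "fopen"); /*XXX*/
+fprintf(fp, "drm_unknown=%d\n", drm_unknown);
+for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+if (drmlist[i].ptr)
+fprintf(fp, "%s\n", drmlist[i].msg);
+}
+fclose(fp);
+}
+static void
+DRM_add(p, msg)
+void *p;
+char *msg;
+{
+int i;
+for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+if (!drmlist[i].ptr) {
+drmlist[i].ptr = p;
+strlcpy(drmlist[i].msg, msg, sizeof(drmlist[i].msg));
+return;
+}
+}
+}
+static void
+DRM_del(p)
+void *p;
+{
+int i;
+if (!p)
+return;
+for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+if (drmlist[i].ptr == p) {
+drmlist[i].ptr = 0;
+return;
+}
+}
+drm_unknown++;
+}
+static void
+DRM_setmsg(buf, buflen, ptr, size, file, line, func)
+char *buf, *file, *func;
+int buflen, size, line;
+void *ptr;
+{
+time_t t;
+struct tm *tm;
+int len;
+t = time(NULL);
+tm = localtime(&t);
+len = strftime(buf, buflen, "%Y/%m/%d:%T ", tm);
+snprintf(buf + len, buflen - len, "%p %6d %s:%d:%s",
+ptr, size, file , line, func);
+}
+void *
+DRM_malloc(file, line, func, size)
+char *file, *func;
+int line;
+size_t size;
+{
+void *p;
+p = malloc(size);
+if (p) {
+char buf[1024];
+DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
+DRM_add(p, buf);
+}
+return p;
+}
+void *
+DRM_calloc(file, line, func, number, size)
+char *file, *func;
+int line;
+size_t number, size;
+{
+void *p;
+p = calloc(number, size);
+if (p) {
+char buf[1024];
+DRM_setmsg(buf, sizeof(buf), p, number * size, file, line, func);
+DRM_add(p, buf);
+}
+return p;
+}
+void *
+DRM_realloc(file, line, func, ptr, size)
+char *file, *func;
+int line;
+void *ptr;
+size_t size;
+{
+void *p;
+p = realloc(ptr, size);
+if (p) {
+char buf[1024];
+if (ptr && p != ptr) {
+DRM_del(ptr);
+DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
+DRM_add(p, buf);
+}
+}
+return p;
+}
+void
+DRM_free(file, line, func, ptr)
+char *file, *func;
+int line;
+void *ptr;
+{
+DRM_del(ptr);
+free(ptr);
+}
+/*
+* mask vmbuf.c functions.
+*/
+void *
+DRM_vmalloc(file, line, func, size)
+char *file, *func;
+int line;
+size_t size;
+{
+void *p;
+p = vmalloc(size);
+if (p) {
+char buf[1024];
+DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
+DRM_add(p, buf);
+}
+return p;
+}
+void *
+DRM_vrealloc(file, line, func, ptr, size)
+char *file, *func;
+int line;
+void *ptr;
+size_t size;
+{
+void *p;
+p = vrealloc(ptr, size);
+if (p) {
+char buf[1024];
+if (ptr && p != ptr) {
+DRM_del(ptr);
+DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
+DRM_add(p, buf);
+}
+}
+return p;
+}
+void
+DRM_vfree(file, line, func, ptr)
+char *file, *func;
+int line;
+void *ptr;
+{
+DRM_del(ptr);
+vfree(ptr);
+}
+void *
+DRM_vdup(file, line, func, ptr)
+char *file, *func;
+int line;
+void *ptr;
+{
+void *p;
+p = vdup(ptr);
+if (p) {
+char buf[1024];
+DRM_setmsg(buf, sizeof(buf), p, 0, file, line, func);
+DRM_add(p, buf);
+}
+return p;
+}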
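Review bot: DRM_realloc only records the result when `ptr && p != ptr`, so a `realloc(NULL, size)` call — which C defines as a fresh allocation — returns a block that is never entered in drmlist, and its later DRM_free is counted in drm_unknown instead of being matched; DRM_vrealloc has the same shape (whether vrealloc accepts a NULL `ptr` is not visible here). Splitting the condition so that the delete depends on `ptr` and the add depends on the block being new fixes this for both. DRM_dump also opens the fixed path DRMDUMPFILE with `fopen(..., "w")`; if racoon runs with privileges, a predictable name in a shared temporary directory should be opened with `O_CREAT|O_EXCL|O_NOFOLLOW` (open then fdopen) or placed in a directory only racoon can write, otherwise an existing file or link at that name is followed. DRM_add silently drops the record once all DRMLISTSIZE slots are in use, which then also inflates drm_unknown on the matching free; a comment saying so, or a count of dropped records in the dump, would make the report interpretable.
```c
p = realloc(ptr, size);
if (p) {
	char buf[1024];
	if (ptr && p != ptr)
		DRM_del(ptr);
	if (ptr == NULL || p != ptr) {
		DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
		DRM_add(p, buf);
	}
}
return p;
```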

87
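--- /dev/null
+++ b/crypto/dist/kame/racoon/debugrm.h
@@ -0,0 +1,87 @@
+/* $KAME: debugrm.h,v 1.3 2001/11/26 16:54:29 sakane Exp $ */
+/*
+* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+* 3. Neither the name of the project nor the names of its contributors
+* may be used to endorse or promote products derived from this software
+* without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*/
+#define DRMDUMPFILE "/var/tmp/debugrm.dump"
+#ifdef NONEED_DRM
+#ifndef racoon_malloc
+#define racoon_malloc(sz) malloc((sz))
+#endif
+#ifndef racoon_calloc
+#define racoon_calloc(cnt, sz) calloc((cnt), (sz))
+#endif
+#ifndef racoon_realloc
+#define racoon_realloc(old, sz) realloc((old), (sz))
+#endif
+#ifndef racoon_free
+#define racoon_free(p) free((p))
+#endif
+#else /*!NONEED_DRM*/
+#ifndef racoon_malloc
+#define racoon_malloc(sz) \
+DRM_malloc(__FILE__, __LINE__, __FUNCTION__, (sz))
+#endif
+#ifndef racoon_calloc
+#define racoon_calloc(cnt, sz) \
+DRM_calloc(__FILE__, __LINE__, __FUNCTION__, (cnt), (sz))
+#endif
+#ifndef racoon_realloc
+#define racoon_realloc(old, sz) \
+DRM_realloc(__FILE__, __LINE__, __FUNCTION__, (old), (sz))
+#endif
+#ifndef racoon_free
+#define racoon_free(p) \
+DRM_free(__FILE__, __LINE__, __FUNCTION__, (p))
+#endif
+#endif /*NONEED_DRM*/
+extern void DRM_init __P((void));
+extern void DRM_dump __P((void));
+extern void *DRM_malloc __P((char *, int, char *, size_t));
+extern void *DRM_calloc __P((char *, int, char *, size_t, size_t));
+extern void *DRM_realloc __P((char *, int, char *, void *, size_t));
+extern void DRM_free __P((char *, int, char *, void *));
+#ifndef NONEED_DRM
+#define vmalloc(sz) \
+DRM_vmalloc(__FILE__, __LINE__, __FUNCTION__, (sz))
+#define vdup(old) \
+DRM_vdup(__FILE__, __LINE__, __FUNCTION__, (old))
+#define vrealloc(old, sz) \
+DRM_vrealloc(__FILE__, __LINE__, __FUNCTION__, (old), (sz))
+#define vfree(p) \
+DRM_vfree(__FILE__, __LINE__, __FUNCTION__, (p))
+#endif
+extern void *DRM_vmalloc __P((char *, int, char *, size_t));
+extern void *DRM_vrealloc __P((char *, int, char *, void *, size_t));
+extern void DRM_vfree __P((char *, int, char *, void *));
+extern void *DRM_vdup __P((char *, int, char *, void *));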
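Review bot: The DRM_* prototypes declare the `file` and `func` arguments as `char *`, but every call the macros generate passes the `__FILE__` and `__FUNCTION__` literals; `const char *` is the matching type and lets the compiler reject any write through them. DRMDUMPFILE is a fixed name under /var/tmp, a directory shared with other users; a path under racoon's own state directory, or one the administrator sets, avoids creating a predictable file in a shared temporary directory from a privileged process. The `vmalloc`/`vdup`/`vrealloc`/`vfree` masking macros are defined without the `#ifndef` guards that the `racoon_*` macros carry, so a translation unit that defines one of those names first gets a redefinition error rather than its own version; either guard both groups the same way or add a comment stating that the masking macros must always win.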


@ -1,4 +1,4 @@
/* $KAME: dhgroup.h,v 1.1 2001/08/14 15:00:47 sakane Exp $ */
/* $KAME: dhgroup.h,v 1.2 2001/12/12 18:23:41 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -53,7 +53,7 @@
"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
"670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF"
/* draft-ietf-ipsec-ike-modp-groups-01.txt */
/* draft-ietf-ipsec-ike-modp-groups-03.txt */
#define OAKLEY_PRIME_MODP2048 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
@ -109,6 +109,40 @@
"93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199" \
"FFFFFFFF FFFFFFFF"
#define OAKLEY_PRIME_MODP6144 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
"670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
"E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
"DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
"15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
"ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
"ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
"F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
"BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
"43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
"88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
"2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
"287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
"1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
"93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
"36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD" \
"F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831" \
"179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B" \
"DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF" \
"5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6" \
"D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3" \
"23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
"CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328" \
"06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C" \
"DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE" \
"12BF2D5B 0B7474D6 E694F91E 6DCC4024 FFFFFFFF FFFFFFFF"
#define OAKLEY_PRIME_MODP8192 \
"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
@ -160,4 +194,5 @@ extern struct dhgroup dh_modp1536;
extern struct dhgroup dh_modp2048;
extern struct dhgroup dh_modp3072;
extern struct dhgroup dh_modp4096;
extern struct dhgroup dh_modp6144;
extern struct dhgroup dh_modp8192;
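Review bot: OAKLEY_PRIME_MODP6144 is a hand-transcribed 6144-bit group parameter; its 32 lines of 48 hex digits do add up to 1536 digits (6144 bits), but a single wrong nibble would not be caught at build time and would silently produce a non-standard group that still "works" against itself. A self-check that the decoded prime has exactly 6144 bits and compares equal to the published value in draft-ietf-ipsec-ike-modp-groups-03 (the draft the updated comment above the 2048-bit group now cites) would catch a transcription error; eaytest's dhtest, whose prototype this commit touches, is the natural place for it. The MODP8192 block that follows starts inside the hunk but its body is outside.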


@ -1,4 +1,4 @@
IPSec transport mode
IPsec transport mode
HOST-A ================ HOST-B
(A) (B)
@ -20,7 +20,7 @@ IPSec transport mode
both racoon.conf:
no particular twists
IPSec tunnel mode
IPsec tunnel mode
HOST-A --- Gateway-A =========== Gateway-B --- HOST-B
(A) (GA) (GB) (B)
@ -70,9 +70,9 @@ MIP6
support_mip6 on;
(generate_policy on;)
o Anonymous client on IPSec transport mode
o Anonymous client on IPsec transport mode
HOST-A communicates with Server by using IPSec transport mode.
HOST-A communicates with Server by using IPsec transport mode.
HOST-A =========== Server
(A) (G)
@ -99,14 +99,14 @@ o Anonymous client on IPSec transport mode
Server's racoon.conf:
anonymous { passive on; }
due to the absense of phase 2 ID, IPSec SA will be installed for
due to the absense of phase 2 ID, IPsec SA will be installed for
A <--> S, not for net/pl <--> S.
o anonymous client allocated IP address dynamically and having a internal
address.
HOST-A communicates with hosts on Network-B through Gateway
by using IPSec tunnel mode.
by using IPsec tunnel mode.
IP address of HOST-A is allocated dynamically.
HOST-A =========== Gateway ----------- Network-B
@ -138,7 +138,7 @@ o anonymous client allocated IP address dynamically and having a internal
o anonymous client allocated IP address dynamically.
HOST-A communicates with hosts on Network-B through Gateway
by using IPSec tunnel mode, also using NAT.
by using IPsec tunnel mode, also using NAT.
IP address of HOST-A is allocated dynamically.
HOST-A =========== Gateway ----------- Network-B


@ -1,6 +1,6 @@
Appendix:
It's summary report of IPSec Interoperability Workshop Aug 31st- Sept 3 1998.
It's summary report of IPsec Interoperability Workshop Aug 31st- Sept 3 1998.
To be consider each following items.. ;-(
Location: Microsoft Campus, Redmond WA
@ -10,7 +10,7 @@ IRE, Microsoft NT5, Netscreen, Redcreek, SSH, Timestep, Worldcom/ANS, IRE,
Free SWAN
Verisign, Entrust, Worldcom Advanced Networks - James
Matheke, Digital Signature Trust Company, Microsoft PKI & Directory reps
L2TP/IPSec: Microsoft NT5 and Cisco IOS
L2TP/IPsec: Microsoft NT5 and Cisco IOS
Handouts:
(I will get these on a public web site ASAP. Stay tuned for pointer)
@ -18,21 +18,21 @@ Handouts:
Network Configuration Tear Sheet - network topology explanation & diagram
Testing Matrix: had 43 options * (transport + tunnel) * (initial + rekey) =
172 tests.
Rodney Thayer's draft IPSec certificate profile
IPSec Rekeying Issues powerpoint slides, by Tim Jenkins of Timestep
Rodney Thayer's draft IPsec certificate profile
IPsec Rekeying Issues powerpoint slides, by Tim Jenkins of Timestep
Working copy of Draft-ietf-ipsec-ldap-schema.txt
Powerpoint slides presented at IETF Policy BOF explaining
draft-ietf-ipsec-ldap-schema.txt
Microsoft Directory Enabled Networking Powerpoint slides by Steve Judd
Microsoft Public Key Infrastructure Powerpoint slides by Rick Johnson
Windows NT5.0 Beta2 walkthrough guide for creating IPSec policy
Windows NT5.0 Beta2 walkthrough guide for creating IPsec policy
Debriefing Survey
=================
On Wed and Thursday, I surveyed 8 companies with the following questions,
saying that I would compile a list of responses without indicating vendors
and post the compiled report to the IETF IPSec mailing list. Here are the
and post the compiled report to the IETF IPsec mailing list. Here are the
results. I have attempted to reduce duplication by indicating in
parentheses how many of the respondants indicated a similar response, eg (4)
means 4 out of 8 vendors. There is no priority or ordering on these
@ -98,7 +98,7 @@ as a T61String which is NOT the documented format. The cure is to have CA
vendors try to decode from both and have all new clients only do
rsaExtensionsAttribute as Seq of Ext.
What are the open IPSec design issues?
What are the open IPsec design issues?
========================================================
PKI usage, cert formats, CA enrollment, deployment model for cert-based
trust, supporting CRLs, supporting cert request payload (5)
@ -132,7 +132,7 @@ Mismatch filters in policy. When initiator should propose both the full
filter breadth, as well as the specific packet protocol type/ports to the
responder, so the responder can pick the widest clean match.
Need some kind of model for using SNMP MIB for reporting and management of
IPSec enabled devices.
IPsec enabled devices.
Think IKE is open to denial of service attack because anyone can provoke DH
computation in MM. Should only create state when get cookie back to reduce
denial of service.
@ -145,12 +145,12 @@ Need "Credential Request Payload" more general than just certificate request
payload, to support retry for authentication when both systems participate
in multiple trust models.
What are the open IPSec interop issues? If products shipped today, what
problems would customers encounter with multiple IPSec products?
What are the open IPsec interop issues? If products shipped today, what
problems would customers encounter with multiple IPsec products?
================================================================
Policy expression, configuration for interop (5)
Peer recovery of SAs, with mobile users, between two gateways (2)
US export IPSec interop- no support at all in drafts for what products have
US export IPsec interop- no support at all in drafts for what products have
to implement for ESP. Custom DH group for export not supported in drafts (2)
Understanding why proposals failed- Error messages to detail why proposal
not chosen (Michael Richardson going to collect error codes & messages from
@ -161,7 +161,7 @@ Client interop because clients haven't been tested much, mostly GW/FW
Real world application usage/admin, where systems are taken up/down, address
changes, etc.
Biggest challenge is to cover all aspects/combinations
Hard to balance tolerance of variance among IPSec implementations which is
Hard to balance tolerance of variance among IPsec implementations which is
necessary for interop with strictness of checks to fulfill security and
draft requirements.
Scalability
@ -173,7 +173,7 @@ for data encryperment. Maybe define another type of cert field encoding,
have 1-9, need 10.
How to process Subject Altname
Nobody else is doing encrypted nonces
Enforcing check that traffic sent through IPSec format matches filter which
Enforcing check that traffic sent through IPsec format matches filter which
was negotiated. This must be agreed upon by other vendors. Not covering
this in bakeoff testing because people mostly ping and ftp test, not
multi-protocol or multi-port through same SA.
@ -198,7 +198,7 @@ What wasn't so good about bakeoff?
Had to reconfigure because test net was not on Internet which for many
caused a reboot. Only really need 4-5 class C addresses with preplanned
private net space. Should have DHCP on external net. NAT from private to
public wouldn't work using IPSec, of course, because using IPSec to get back
public wouldn't work using IPsec, of course, because using IPsec to get back
home to company net. (3)
Power failure Monday morning (2)
Internet access via ISDN 128Kb was very slow (2)
@ -223,12 +223,12 @@ and http"
For next bakeoff at IBM, what should be done?
========================================================
Test rekey in each direction under stress (4). Use FTP for this.
Huge payload to test fragmentation & reassembly in IPSec ESP, AH under load
Huge payload to test fragmentation & reassembly in IPsec ESP, AH under load
(2)
Seat vendors together who more advanced in their IPSEC/IKE implementations.
Otherwise it will be n-X-n testing matrix which is impossible with 60
vendors present.
Post test matrix to the IPSec list before the event to get comments on it's
Post test matrix to the IPsec list before the event to get comments on it's
completeness
Make sure real world topology is tested: static IP client -> GW -- internal
net -- servers on PCs
@ -238,8 +238,8 @@ Not relying on non-mandatory messages
Peer recovery testing
Negotiating and maintaining many SAs
Need next NT5.0 post-beta2 release to test with
Need denial of service and IPSec knowlegable attack tests
Need a complete implementation of all IPSec capabilities to test against,
Need denial of service and IPsec knowlegable attack tests
Need a complete implementation of all IPsec capabilities to test against,
Need an attacker box to test against
All CA vendors should support Subject Altname
Need telephone at desk


@ -1,4 +1,4 @@
/* $KAME: eaytest.c,v 1.28 2001/08/16 21:44:50 sakane Exp $ */
/* $KAME: eaytest.c,v 1.39 2001/12/12 18:23:42 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -30,6 +30,8 @@
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
@ -37,6 +39,13 @@
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <dirent.h>
#include <fcntl.h>
#include <unistd.h>
#include <err.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include "var.h"
#include "vmbuf.h"
@ -52,8 +61,241 @@
u_int32_t loglevel = 4;
char *capath = "/usr/local/openssl/certs";
char *certs[] = {
/* prototype */
void rsatest __P((int, char **));
static vchar_t *pem_read_buf __P((char *));
void certtest __P((int, char **));
static char **getcerts __P((char *));
void ciphertest __P((int, char **));
void hmactest __P((int, char **));
void sha2test __P((int, char **));
void sha1test __P((int, char **));
void md5test __P((int, char **));
void dhtest __P((int, char **));
void bntest __P((int, char **));
void Usage __P((void));
/* test */
void
rsatest(ac, av)
int ac;
char **av;
{
char *text = "this is test.";
vchar_t src;
vchar_t *priv, *pub, *sig;
int error;
char *pkcs1 =
"-----BEGIN RSA PRIVATE KEY-----\n"
"MIICXQIBAAKBgQChe5/Fzk9SA0vCKBOcu9jBcLb9oLv50PeuEfQojhakY+OH8A3Q\n"
"M8A0qIDG6uhTNGPvzCWb/+mKeOB48n5HJpLxlDFyP3kyd2yXHIZ/MN8g1nh4FsB0\n"
"iTkk8QUCJkkan6FCOBrIeLEsGA5AdodzuR+khnCMt8vO+NFHZYKAQeynyQIDAQAB\n"
"AoGAOfDcnCHxjhDGrwyoNNWl6Yqi7hAtQm67YAbrH14UO7nnmxAENM9MyNgpFLaW\n"
"07v5m8IZQIcradcDXAJOUwNBN8E06UflwEYCaScIwndvr5UpVlN3e2NC6Wyg2yC7\n"
"GarxQput3zj35XNR5bK42UneU0H6zDxpHWqI1SwE+ToAHu0CQQDNl9gUJTpg0L09\n"
"HkbE5jeb8bA5I20nKqBOBP0v5tnzpwu41umQwk9I7Ru0ucD7j+DW4k8otadW+FnI\n"
"G1M1MpSjAkEAyRMt4bN8otfpOpsOQWzw4jQtouohOxRFCrQTntHhU20PrQnQLZWs\n"
"pOVzqCjRytYtkPEUA1z8QK5gGcVPcOQsowJBALmt2rwPB1NrEo5Bat7noO+Zb3Ob\n"
"WDiYWeE8xkHd95gDlSWiC53ur9aINo6ZeP556jGIgL+el/yHHecJLrQL84sCQH48\n"
"zUxq/C/cb++8UzneJGlPqusiJNTLiAENR1gpmlZfHT1c8Nb9phMsfu0vG29GAfuC\n"
"bzchVLljALCNQK+2gRMCQQCNIgN+R9mRWZhFAcC1sq++YnuSBlw4VwdL/fd1Yg9e\n"
"Ul+U98yPl/NXt8Rs4TRBFcOZjkFI8xv0hQtevTgTmgz+\n"
"-----END RSA PRIVATE KEY-----\n\n";
char *pubkey =
"-----BEGIN PUBLIC KEY-----\n"
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChe5/Fzk9SA0vCKBOcu9jBcLb9\n"
"oLv50PeuEfQojhakY+OH8A3QM8A0qIDG6uhTNGPvzCWb/+mKeOB48n5HJpLxlDFy\n"
"P3kyd2yXHIZ/MN8g1nh4FsB0iTkk8QUCJkkan6FCOBrIeLEsGA5AdodzuR+khnCM\n"
"t8vO+NFHZYKAQeynyQIDAQAB\n"
"-----END PUBLIC KEY-----\n\n";
priv = pem_read_buf(pkcs1);
src.v = text;
src.l = strlen(text);
/* sign */
sig = eay_rsa_sign(&src, priv);
if (sig == NULL)
printf("sign failed. %s\n", eay_strerror());
printf("RSA signed data.\n");
PVDUMP(sig);
/* verify */
pub = pem_read_buf(pubkey);
error = eay_rsa_verify(&src, sig, pub);
if (error)
printf("verifying failed.\n");
else
printf("verified.\n");
}
static vchar_t *
pem_read_buf(buf)
char *buf;
{
BIO *bio;
char *nm = NULL, *header = NULL;
unsigned char *data = NULL;
long len;
vchar_t *ret;
int error;
bio = BIO_new_mem_buf(buf, strlen(buf));
error = PEM_read_bio(bio, &nm, &header, &data, &len);
if (error == 0)
errx(1, "%s", eay_strerror());
ret = vmalloc(len);
if (ret == NULL)
err(1, "vmalloc");
memcpy(ret->v, data, len);
return ret;
}
void
certtest(ac, av)
int ac;
char **av;
{
char *certpath;
char **certs;
int type;
int error;
printf("\n**Test for Certificate.**\n");
{
char dnstr[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane/Email=sakane@kame.net";
vchar_t *asn1dn = NULL, asn1dn0;
char dn0[] = {
0x30,0x81,0x9a,0x31,0x0b,0x30,0x09,0x06,
0x03,0x55,0x04,0x06,0x13,0x02,0x4a,0x50,
0x31,0x11,0x30,0x0f,0x06,0x03,0x55,0x04,
0x08,0x13,0x08,0x4b,0x61,0x6e,0x61,0x67,
0x61,0x77,0x61,0x31,0x11,0x30,0x0f,0x06,
0x03,0x55,0x04,0x07,0x13,0x08,0x46,0x75,
0x6a,0x69,0x73,0x61,0x77,0x61,0x31,0x15,
0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13,
0x0c,0x57,0x49,0x44,0x45,0x20,0x50,0x72,
0x6f,0x6a,0x65,0x63,0x74,0x31,0x15,0x30,
0x13,0x06,0x03,0x55,0x04,0x0b,0x13,0x0c,
0x4b,0x41,0x4d,0x45,0x20,0x50,0x72,0x6f,
0x6a,0x65,0x63,0x74,0x31,0x17,0x30,0x15,
0x06,0x03,0x55,0x04,0x03,0x13,0x0e,0x53,
0x68,0x6f,0x69,0x63,0x68,0x69,0x20,0x53,
0x61,0x6b,0x61,0x6e,0x65,0x31,0x1e,0x30,
0x1c,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
0x0d,0x01,0x09,0x01,
0x0c, /* <== XXX */
0x0f,0x73,0x61,
0x6b,0x61,0x6e,0x65,0x40,0x6b,0x61,0x6d,
0x65,0x2e,0x6e,0x65,0x74,
};
printf("check to convert the string into subjectName.\n");
printf("%s\n", dnstr);
asn1dn0.v = dn0;
asn1dn0.l = sizeof(dn0);
asn1dn = eay_str2asn1dn(dnstr, sizeof(dnstr));
if (asn1dn == NULL || asn1dn->l != asn1dn0.l)
errx(1, "asn1dn length mismatched.\n");
/*
* NOTE: The value pointed by "<==" above is different from the
* return of eay_str2asn1dn(). but eay_cmp_asn1dn() can distinguish
* both of the names are same name.
*/
if (eay_cmp_asn1dn(&asn1dn0, asn1dn))
errx(1, "asn1dn mismatched.\n");
vfree(asn1dn);
printf("succeed.\n");
}
eay_init_error();
/* get certs */
if (ac > 1) {
certpath = *(av + 1);
certs = getcerts(certpath);
} else {
printf("\nCAUTION: These certificates are probably invalid "
"on your environment because you don't have their "
"issuer's certs in your environment.\n\n");
certpath = "/usr/local/openssl/certs";
certs = getcerts(NULL);
}
while (*certs != NULL) {
vchar_t c;
char *str;
vchar_t *vstr;
printf("===CERT===\n");
c.v = *certs;
c.l = strlen(*certs);
/* print text */
str = eay_get_x509text(&c);
printf("%s", str);
racoon_free(str);
/* print ASN.1 of subject name */
vstr = eay_get_x509asn1subjectname(&c);
if (!vstr)
return;
PVDUMP(vstr);
printf("\n");
vfree(vstr);
/* print subject alt name */
{
int pos;
for (pos = 1; ; pos++) {
error = eay_get_x509subjectaltname(&c, &str, &type, pos);
if (error) {
printf("no subjectaltname found.\n");
break;
}
if (!str)
break;
printf("SubjectAltName: %d: %s\n", type, str);
racoon_free(str);
}
}
error = eay_check_x509cert(&c, certpath);
if (error)
printf("ERROR: cert is invalid.\n");
printf("\n");
certs++;
}
}
static char **
getcerts(path)
char *path;
{
char **certs = NULL, **p;
DIR *dirp;
struct dirent *dp;
struct stat sb;
char buf[512];
int len;
int n;
int fd;
static char *samplecerts[] = {
/* self signed */
"-----BEGIN CERTIFICATE-----\n"
"MIICpTCCAg4CAQAwDQYJKoZIhvcNAQEEBQAwgZoxCzAJBgNVBAYTAkpQMREwDwYD\n"
@ -153,148 +395,71 @@ char *certs[] = {
"Y8++0dC8NVvendIILcJBM5nbDq1TqIbb8K3SP80XhO5JLVJkoZiQftAMjo0peZPO\n"
"EQ==\n"
"-----END CERTIFICATE-----\n\n",
};
/* prototype */
void certtest __P((void));
void ciphertest __P((void));
void hmactest __P((void));
void sha2test __P((void));
void sha1test __P((void));
void md5test __P((void));
void dhtest __P((int));
void bntest __P((void));
/* test */
#include <sys/stat.h>
#include <unistd.h>
void
certtest()
{
vchar_t c;
char *str;
vchar_t *vstr;
int type;
int error;
int i;
printf("\n**Test for Certificate.**\n");
{
char dnstr[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane/Email=sakane@kame.net";
vchar_t *asn1dn = NULL, asn1dn0;
char dn0[] = {
0x30,0x81,0x9a,0x31,0x0b,0x30,0x09,0x06,
0x03,0x55,0x04,0x06,0x13,0x02,0x4a,0x50,
0x31,0x11,0x30,0x0f,0x06,0x03,0x55,0x04,
0x08,0x13,0x08,0x4b,0x61,0x6e,0x61,0x67,
0x61,0x77,0x61,0x31,0x11,0x30,0x0f,0x06,
0x03,0x55,0x04,0x07,0x13,0x08,0x46,0x75,
0x6a,0x69,0x73,0x61,0x77,0x61,0x31,0x15,
0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13,
0x0c,0x57,0x49,0x44,0x45,0x20,0x50,0x72,
0x6f,0x6a,0x65,0x63,0x74,0x31,0x15,0x30,
0x13,0x06,0x03,0x55,0x04,0x0b,0x13,0x0c,
0x4b,0x41,0x4d,0x45,0x20,0x50,0x72,0x6f,
0x6a,0x65,0x63,0x74,0x31,0x17,0x30,0x15,
0x06,0x03,0x55,0x04,0x03,0x13,0x0e,0x53,
0x68,0x6f,0x69,0x63,0x68,0x69,0x20,0x53,
0x61,0x6b,0x61,0x6e,0x65,0x31,0x1e,0x30,
0x1c,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
0x0d,0x01,0x09,0x01,
0x0c, /* <== XXX */
0x0f,0x73,0x61,
0x6b,0x61,0x6e,0x65,0x40,0x6b,0x61,0x6d,
0x65,0x2e,0x6e,0x65,0x74,
NULL,
};
printf("check to convert the string into subjectName.\n");
printf("%s\n", dnstr);
if (path == NULL)
return (char **)&samplecerts;
asn1dn0.v = dn0;
asn1dn0.l = sizeof(dn0);
asn1dn = eay_str2asn1dn(dnstr, sizeof(dnstr));
if (asn1dn == NULL || asn1dn->l != asn1dn0.l) {
printf("asn1dn length mismatched.\n");
exit(1);
stat(path, &sb);
if (!(sb.st_mode & S_IFDIR)) {
printf("ERROR: %s is not directory.\n", path);
exit(0);
}
/*
* NOTE: The value pointed by "<==" above is different from the
* return of eay_str2asn1dn(). but eay_cmp_asn1dn() can distinguish
* both of the names are same name.
*/
if (eay_cmp_asn1dn(&asn1dn0, asn1dn)) {
printf("asn1dn mismatched.\n");
exit(1);
dirp = opendir(path);
if (dirp == NULL) {
printf("opendir failed.\n");
exit(0);
}
vfree(asn1dn);
printf("succeed.\n");
}
n = 0;
while ((dp = readdir(dirp)) != NULL) {
if (dp->d_type != DT_REG)
continue;
if (strcmp(dp->d_name + dp->d_namlen - 4, "cert"))
continue;
snprintf(buf, sizeof(buf), "%s/%s", path, dp->d_name);
stat(buf, &sb);
printf("\nCAUTION: These certificates may be invalid on your "
"environment because it was signed by SSH test CA and you "
"may not own their issuer's certificates.\n\n");
p = (char **)realloc(certs, (n + 1) * sizeof(certs));
if (p == NULL)
err(1, "realloc");
certs = p;
eay_init_error();
certs[n] = malloc(sb.st_size + 1);
if (certs[n] == NULL)
err(1, "malloc");
for (i = 0; i < sizeof(certs)/sizeof(certs[0]); i++) {
fd = open(buf, O_RDONLY);
if (fd == -1)
err(1, "open");
len = read(fd, certs[n], sb.st_size);
if (len == -1)
err(1, "read");
if (len != sb.st_size)
errx(1, "read: length mismatch");
certs[n][sb.st_size] = '\0';
close(fd);
printf("CERT[%d]===\n", i);
printf("%s: %d\n", dp->d_name, (int)sb.st_size);
c.v = certs[i];
c.l = strlen(certs[i]);
/* print text */
str = eay_get_x509text(&c);
printf("%s", str);
racoon_free(str);
/* print ASN.1 of subject name */
vstr = eay_get_x509asn1subjectname(&c);
if (!vstr)
return;
PVDUMP(vstr);
printf("\n");
vfree(vstr);
/* print subject alt name */
{
int pos;
for (pos = 1; ; pos++) {
error = eay_get_x509subjectaltname(&c, &str, &type, pos);
if (error) {
printf("no subjectaltname found.\n");
break;
}
if (!str)
break;
printf("SubjectAltName: %d: %s\n", type, str);
racoon_free(str);
}
}
{
struct stat sb;
stat(capath, &sb);
if (!(sb.st_mode & S_IFDIR)) {
printf("ERROR: %s is not directory.\n", capath);
return;
}
}
error = eay_check_x509cert(&c, capath);
printf("cert is %s\n", error ? "invalid" : "valid");
printf("\n");
n++;
}
p = (char **)realloc(certs, (n + 1) * sizeof(certs));
if (p == NULL)
err(1, "realloc");
certs = p;
certs[n] = NULL;
return certs;
}
void
ciphertest()
ciphertest(ac, av)
int ac;
char **av;
{
vchar_t data;
vchar_t key;
@ -469,7 +634,9 @@ ciphertest()
}
void
hmactest()
hmactest(ac, av)
int ac;
char **av;
{
char *keyword = "hehehe test secret!";
char *object = "d7e6a6c1876ef0488bb74958b9fee94e";
@ -557,7 +724,9 @@ hmactest()
}
void
sha1test()
sha1test(ac, av)
int ac;
char **av;
{
char *word1 = "1234567890", *word2 = "12345678901234567890";
caddr_t ctx;
@ -590,7 +759,9 @@ sha1test()
}
void
md5test()
md5test(ac, av)
int ac;
char **av;
{
char *word1 = "1234567890", *word2 = "12345678901234567890";
caddr_t ctx;
@ -623,68 +794,80 @@ md5test()
}
void
dhtest(f)
int f;
dhtest(ac, av)
int ac;
char **av;
{
vchar_t p1, p2, *pub1, *priv1, *pub2, *priv2, *key;
static struct {
char *name;
char *p;
} px[] = {
{ "modp768", OAKLEY_PRIME_MODP768, },
{ "modp1024", OAKLEY_PRIME_MODP1024, },
{ "modp1536", OAKLEY_PRIME_MODP1536, },
{ "modp2048", OAKLEY_PRIME_MODP2048, },
{ "modp3072", OAKLEY_PRIME_MODP3072, },
{ "modp4096", OAKLEY_PRIME_MODP4096, },
{ "modp6144", OAKLEY_PRIME_MODP6144, },
{ "modp8192", OAKLEY_PRIME_MODP8192, },
};
vchar_t p1, *pub1, *priv1, *gxy1;
vchar_t p2, *pub2, *priv2, *gxy2;
int i;
printf("\n**Test for DH.**\n");
switch (f) {
case 0:
p1.v = str2val(OAKLEY_PRIME_MODP768, 16, &p1.l);
p2.v = str2val(OAKLEY_PRIME_MODP768, 16, &p2.l);
break;
case 1:
p1.v = str2val(OAKLEY_PRIME_MODP1024, 16, &p1.l);
p2.v = str2val(OAKLEY_PRIME_MODP1024, 16, &p2.l);
break;
case 2:
default:
p1.v = str2val(OAKLEY_PRIME_MODP1536, 16, &p1.l);
p2.v = str2val(OAKLEY_PRIME_MODP1536, 16, &p2.l);
break;
for (i = 0; i < sizeof(px)/sizeof(px[0]); i++) {
printf("\n**Test for DH %s.**\n", px[i].name);
p1.v = str2val(px[i].p, 16, &p1.l);
p2.v = str2val(px[i].p, 16, &p2.l);
printf("prime number = \n"); PVDUMP(&p1);
if (eay_dh_generate(&p1, 2, 96, &pub1, &priv1) < 0) {
printf("error\n");
return;
}
printf("private key for user 1 = \n"); PVDUMP(priv1);
printf("public key for user 1 = \n"); PVDUMP(pub1);
if (eay_dh_generate(&p2, 2, 96, &pub2, &priv2) < 0) {
printf("error\n");
return;
}
printf("private key for user 2 = \n"); PVDUMP(priv2);
printf("public key for user 2 = \n"); PVDUMP(pub2);
/* process to generate key for user 1 */
gxy1 = vmalloc(p1.l);
memset(gxy1->v, 0, gxy1->l);
eay_dh_compute(&p1, 2, pub1, priv1, pub2, &gxy1);
printf("sharing gxy1 of user 1 = \n"); PVDUMP(gxy1);
/* process to generate key for user 2 */
gxy2 = vmalloc(p1.l);
memset(gxy2->v, 0, gxy2->l);
eay_dh_compute(&p2, 2, pub2, priv2, pub1, &gxy2);
printf("sharing gxy2 of user 2 = \n"); PVDUMP(gxy2);
if (memcmp(gxy1->v, gxy2->v, gxy1->l))
printf("ERROR: sharing gxy mismatched.\n");
vfree(pub1);
vfree(pub2);
vfree(priv1);
vfree(priv2);
vfree(gxy1);
vfree(gxy2);
}
printf("prime number = \n"); PVDUMP(&p1);
key = vmalloc(p1.l);
if (eay_dh_generate(&p1, 2, 96, &pub1, &priv1) < 0) {
printf("error\n");
return;
}
printf("private key for user 1 = \n"); PVDUMP(priv1);
printf("public key for user 1 = \n"); PVDUMP(pub1);
if (eay_dh_generate(&p2, 2, 96, &pub2, &priv2) < 0) {
printf("error\n");
return;
}
printf("private key for user 2 = \n"); PVDUMP(priv2);
printf("public key for user 2 = \n"); PVDUMP(pub2);
/* process to generate key for user 1 */
memset(key->v, 0, key->l);
eay_dh_compute(&p1, 2, pub1, priv1, pub2, &key);
printf("sharing key of user 1 = \n"); PVDUMP(key);
/* process to generate key for user 2 */
memset(key->v, 0, key->l);
eay_dh_compute(&p2, 2, pub2, priv2, pub1, &key);
printf("sharing key of user 2 = \n"); PVDUMP(key);
vfree(pub1);
vfree(priv1);
vfree(priv2);
vfree(key);
return;
}
void
bntest()
bntest(ac, av)
int ac;
char **av;
{
vchar_t *rn;
@ -695,42 +878,63 @@ bntest()
vfree(rn);
}
struct {
char *name;
void (*func) __P((int, char **));
} func[] = {
{ "random", bntest, },
{ "dh", dhtest, },
{ "md5", md5test, },
{ "sha1", sha1test, },
{ "hmac", hmactest, },
{ "cipher", ciphertest, },
{ "cert", certtest, },
{ "rsa", rsatest, },
};
int
main(ac, av)
int ac;
char **av;
{
int i;
int len = sizeof(func)/sizeof(func[0]);
if (strcmp(*av, "-h") == 0) {
printf("Usage: eaytest [dh|md5|sha1|hmac|cipher|cert]\n");
exit(0);
printf("Usage: eaytest [");
for (i = 0; i < len; i++) {
printf("%s", func[i].name);
if (i != len)
printf("|");
}
printf("]\n");
Usage();
}
if (ac == 1) {
bntest();
dhtest(0);
md5test();
sha1test();
hmactest();
ciphertest();
certtest();
ac--;
av++;
if (ac == 0) {
for (i = 0; i < len; i++)
(func[i].func)(ac, av);
} else {
for (av++; *av != '\0'; av++) {
if (strcmp(*av, "random") == 0)
bntest();
else if (strcmp(*av, "dh") == 0)
dhtest(0);
else if (strcmp(*av, "md5") == 0)
md5test();
else if (strcmp(*av, "sha1") == 0)
sha1test();
else if (strcmp(*av, "hmac") == 0)
hmactest();
else if (strcmp(*av, "cipher") == 0)
ciphertest();
else if (strcmp(*av, "cert") == 0)
certtest();
for (i = 0; i < len; i++) {
if (strcmp(*av, func[i].name) == 0) {
(func[i].func)(ac, av);
break;
}
}
if (i == len)
Usage();
}
exit(0);
}
void
Usage()
{
printf("Usage: eaytest [dh|md5|sha1|hmac|cipher]\n");
printf(" eaytest cert [cert_directory]\n");
exit(0);
}
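Review bot: In getcerts, `strcmp(dp->d_name + dp->d_namlen - 4, "cert")` reads before the start of d_name for any directory entry whose name is shorter than four characters, and both `stat()` calls have their return values ignored, so an unreadable or vanished path is tested through an uninitialized `sb`. Guard the length first, `if (dp->d_namlen < 4 || strcmp(dp->d_name + dp->d_namlen - 4, "cert") != 0) continue;`, check each stat with `if (stat(path, &sb) == -1) err(1, "stat: %s", path);`, and test the mode with `S_ISDIR(sb.st_mode)` rather than masking against S_IFDIR. The `realloc` size uses `sizeof(certs)` (the pointer-to-pointer) where `sizeof(*certs)` is meant; the two agree on the platforms this targets, but it reads as a mistake. Separately, rsatest only prints a message when `eay_rsa_sign` returns NULL and then hands the NULL `sig` to PVDUMP and eay_rsa_verify, so an `errx(1, "sign failed. %s", eay_strerror());` there would be safer than falling through.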


@ -1,4 +1,4 @@
/* $KAME: gcmalloc.h,v 1.3 2001/04/04 22:23:05 thorpej Exp $ */
/* $KAME: gcmalloc.h,v 1.4 2001/11/16 04:34:57 sakane Exp $ */
/*
* Copyright (C) 2000, 2001 WIDE Project.
@ -94,6 +94,9 @@ free(void *ptr)
#include <dmalloc.h>
#endif /* DMALLOC */
#ifdef DEBUG_RECORD_MALLOCATION
#include <debugrm.h>
#else
#ifndef racoon_malloc
#define racoon_malloc(sz) malloc((sz))
#endif
@ -106,5 +109,6 @@ free(void *ptr)
#ifndef racoon_free
#define racoon_free(p) free((p))
#endif
#endif /* DEBUG_RECORD_MALLOCATION */
#endif /* _GCMALLOC_H_DEFINED */


@ -1,4 +1,4 @@
/* $KAME: grabmyaddr.h,v 1.5 2000/10/04 17:40:59 itojun Exp $ */
/* $KAME: grabmyaddr.h,v 1.6 2001/12/12 15:29:12 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -44,4 +44,4 @@ extern struct myaddrs *newmyaddr __P((void));
extern void insmyaddr __P((struct myaddrs *, struct myaddrs **));
extern void delmyaddr __P((struct myaddrs *));
extern int initmyaddr __P((void));
extern int getsockmyaddr __P((struct sockaddr *));


@ -1,4 +1,4 @@
/* $KAME: handler.c,v 1.49 2001/06/27 15:57:49 sakane Exp $ */
/* $KAME: handler.c,v 1.57 2002/01/21 08:45:54 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -36,6 +36,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include "var.h"
@ -46,6 +47,7 @@
#include "debug.h"
#include "schedule.h"
#include "grabmyaddr.h"
#include "algorithm.h"
#include "crypto_openssl.h"
#include "policy.h"
@ -55,6 +57,7 @@
#include "isakmp_inf.h"
#include "oakley.h"
#include "remoteconf.h"
#include "localconf.h"
#include "handler.h"
#include "gcmalloc.h"
@ -65,6 +68,11 @@
static LIST_HEAD(_ph1tree_, ph1handle) ph1tree;
static LIST_HEAD(_ph2tree_, ph2handle) ph2tree;
static LIST_HEAD(_ctdtree_, contacted) ctdtree;
static LIST_HEAD(_rcptree_, recvdpkt) rcptree;
static void del_recvdpkt __P((struct recvdpkt *));
static void rem_recvdpkt __P((struct recvdpkt *));
static void sweep_recvdpkt __P((void *));
/*
* functions about management of the isakmp status table
@ -214,9 +222,6 @@ delph1(iph1)
VPTRINIT(iph1->sendbuf);
flush_recvedpkt(iph1->rlist);
iph1->rlist = NULL;
VPTRINIT(iph1->dhpriv);
VPTRINIT(iph1->dhpub);
VPTRINIT(iph1->dhpub_p);
@ -312,31 +317,6 @@ initph1tree()
}
/* %%% management phase 2 handler */
/*
* search ph2handle with policyindex.
*/
#if 0
struct ph2handle *
getph2byspidx(spidx)
struct policyindex *spidx;
{
struct ph2handle *p;
LIST_FOREACH(p, &ph2tree, chain) {
/*
* there are ph2handle independent on policy
* such like informational exchange.
*/
if (p->spidx == NULL)
continue;
if (cmpspidx(spidx, p->spidx) == 0)
return p;
}
return NULL;
}
#endif
/*
* search ph2handle with policy id.
*/
@ -457,15 +437,12 @@ void
initph2(iph2)
struct ph2handle *iph2;
{
sched_scrub_param(iph2);
iph2->sce = NULL;
iph2->scr = NULL;
VPTRINIT(iph2->sendbuf);
flush_recvedpkt(iph2->rlist);
iph2->rlist = NULL;
VPTRINIT(iph2->msg1);
/* clear spi, keep variables in the proposal */
if (iph2->proposal) {
@ -500,7 +477,6 @@ initph2(iph2)
VPTRINIT(iph2->id_p);
VPTRINIT(iph2->nonce);
VPTRINIT(iph2->nonce_p);
VPTRINIT(iph2->hash);
VPTRINIT(iph2->sa);
VPTRINIT(iph2->sa_ret);
@ -656,7 +632,7 @@ getcontacted(remote)
struct contacted *p;
LIST_FOREACH(p, &ctdtree, chain) {
if (cmpsaddrwild(remote, p->remote) == 0)
if (cmpsaddrstrict(remote, p->remote) == 0)
return p;
}
@ -691,48 +667,104 @@ initctdtree()
}
/*
* checking a packet whether is received or not.
* check the response has been sent to the peer. when not, simply reply
* the buffered packet to the peer.
* OUT:
* 0: the packet is first received.
* 1: the packet was reveiced before, or error happened.
* 0: the packet is received at the first time.
* 1: the packet was processed before.
* 2: the packet was processed before, but the address mismatches.
* -1: error happened.
*/
int
check_recvedpkt(msg, list)
vchar_t *msg;
struct recvedpkt *list;
check_recvdpkt(remote, local, rbuf)
struct sockaddr *remote, *local;
vchar_t *rbuf;
{
vchar_t *buf;
struct recvedpkt *n;
vchar_t *hash;
struct recvdpkt *r;
time_t t;
int len, s;
buf = eay_md5_one(msg);
if (!buf) {
/* set current time */
t = time(NULL);
hash = eay_md5_one(rbuf);
if (!hash) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
return 1;
return -1;
}
for (n = list; n; n = n->next) {
if (memcmp(buf->v, n->hash->v, n->hash->l) == 0)
LIST_FOREACH(r, &rcptree, chain) {
if (memcmp(hash->v, r->hash->v, r->hash->l) == 0)
break;
}
vfree(hash);
vfree(buf);
/* this is the first time to receive the packet */
if (r == NULL)
return 0;
if (n)
return 1;
/*
* the packet was processed before, but the remote address mismatches.
*/
if (cmpsaddrstrict(remote, r->remote) != 0)
return 2;
return 0;
/*
* it should not check the local address because the packet
* may arrive at other interface.
*/
/* check the previous time to send */
if (t - r->time_send < 1) {
plog(LLV_WARNING, LOCATION, NULL,
"the packet retransmitted in a short time from %s\n",
saddr2str(remote));
/*XXX should it be error ? */
}
/* select the socket to be sent */
s = getsockmyaddr(r->local);
if (s == -1)
return -1;
/* resend the packet if needed */
len = sendfromto(s, r->sendbuf->v, r->sendbuf->l,
r->local, r->remote, lcconf->count_persend);
if (len == -1) {
plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
return -1;
}
/* check the retry counter */
r->retry_counter--;
if (r->retry_counter <= 0) {
rem_recvdpkt(r);
del_recvdpkt(r);
plog(LLV_DEBUG, LOCATION, NULL,
"deleted the retransmission packet to %s.\n",
saddr2str(remote));
} else
r->time_send = t;
return 1;
}
/*
* adding a hash of received packet into the received list.
*/
int
add_recvedpkt(msg, list)
vchar_t *msg;
struct recvedpkt **list;
add_recvdpkt(remote, local, sbuf, rbuf)
struct sockaddr *remote, *local;
vchar_t *sbuf, *rbuf;
{
struct recvedpkt *new;
struct recvdpkt *new = NULL;
if (lcconf->retry_counter == 0) {
/* no need to add it */
return 0;
}
new = racoon_calloc(1, sizeof(*new));
if (!new) {
@ -740,29 +772,98 @@ add_recvedpkt(msg, list)
"failed to allocate buffer.\n");
return -1;
}
new->hash = eay_md5_one(msg);
new->hash = eay_md5_one(rbuf);
if (!new->hash) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
racoon_free(new);
del_recvdpkt(new);
return -1;
}
new->remote = dupsaddr(remote);
if (new->remote == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
del_recvdpkt(new);
return -1;
}
new->local = dupsaddr(local);
if (new->local == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
del_recvdpkt(new);
return -1;
}
new->sendbuf = vdup(sbuf);
if (new->sendbuf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
del_recvdpkt(new);
return -1;
}
new->next = *list;
*list = new;
new->retry_counter = lcconf->retry_counter;
new->time_send = 0;
new->created = time(NULL);
LIST_INSERT_HEAD(&rcptree, new, chain);
return 0;
}
void
flush_recvedpkt(list)
struct recvedpkt *list;
del_recvdpkt(r)
struct recvdpkt *r;
{
struct recvedpkt *n, *next;
for (n = list; n; n = next) {
next = n->next;
vfree(n->hash);
racoon_free(n);
}
if (r->remote)
racoon_free(r->remote);
if (r->local)
racoon_free(r->local);
if (r->hash)
vfree(r->hash);
if (r->sendbuf)
vfree(r->sendbuf);
racoon_free(r);
}
void
rem_recvdpkt(r)
struct recvdpkt *r;
{
LIST_REMOVE(r, chain);
}
void
sweep_recvdpkt(dummy)
void *dummy;
{
struct recvdpkt *r, *next;
time_t t, lt;
/* set current time */
t = time(NULL);
/* set the lifetime of the retransmission */
lt = lcconf->retry_counter * lcconf->retry_interval;
for (r = LIST_FIRST(&rcptree); r; r = next) {
next = LIST_NEXT(r, chain);
if (t - r->created > lt) {
rem_recvdpkt(r);
del_recvdpkt(r);
}
}
sched_new(lt, sweep_recvdpkt, NULL);
}
void
init_recvdpkt()
{
time_t lt = lcconf->retry_counter * lcconf->retry_interval;
LIST_INIT(&rcptree);
sched_new(lt, sweep_recvdpkt, NULL);
}
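Review bot: In check_recvdpkt a replayed packet whose hash and remote address match a cached entry is answered every time it arrives; the `t - r->time_send < 1` branch only logs (the `XXX should it be error ?` comment) and then falls through to sendfromto, so anyone who captures one handshake packet can replay it to make racoon resend the stored response to that peer as fast as the replays come, bounded only by retry_counter. Since the source address comes from the IP header and is not authenticated at this point, I would treat the short-interval case as already answered and return without sending: `if (t - r->time_send < 1) { plog(LLV_WARNING, LOCATION, NULL, "the packet retransmitted in a short time from %s\n", saddr2str(remote)); return 1; }`. The MD5 of the whole received buffer is used as the dedup key, which is adequate for accidental retransmits but is not a collision-resistant identity; a comment on `new->hash` in add_recvdpkt saying that is the intent would help the next reader. sweep_recvdpkt and init_recvdpkt compute `lt` as retry_counter times retry_interval, and with retry_counter zero they reschedule the sweep with a zero delay — I cannot see sched_new, so whether that spins depends on how it handles a zero timeout.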


@ -1,4 +1,4 @@
/* $KAME: handler.h,v 1.41 2001/07/14 05:48:32 sakane Exp $ */
/* $KAME: handler.h,v 1.43 2001/12/13 17:13:02 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -116,11 +116,10 @@ struct ph1handle {
u_int32_t msgid; /* message id */
struct sched *sce; /* schedule for expire */
struct sched *scr; /* schedule for resend */
int retry_counter; /* for resend. */
vchar_t *sendbuf; /* buffer for re-sending */
struct recvedpkt *rlist; /* list of all packets received. */
time_t time_sent; /* timestamp to sent packet */
vchar_t *dhpriv; /* DH; private value */
vchar_t *dhpub; /* DH; public value */
@ -169,7 +168,7 @@ struct ph1handle {
#endif
u_int32_t msgid2; /* msgid counter for Phase 2 */
int ph2cnt; /* count to negotiate phase 2. */
int ph2cnt; /* the number which is negotiated by this phase 1 */
LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;
LIST_ENTRY(ph1handle) chain;
@ -222,10 +221,10 @@ struct ph2handle {
struct sched *sce; /* schedule for expire */
struct sched *scr; /* schedule for resend */
int retry_counter; /* for resend. */
vchar_t *sendbuf; /* buffer for re-sending */
struct recvedpkt *rlist; /* list of all packets received. */
int retry_counter;
time_t sent; /* timestamp to sent packet */
vchar_t *msg1; /* buffer for re-sending */
/* used for responder's first message */
int retry_checkph1; /* counter to wait phase 1 finished. */
/* NOTE: actually it's timer. */
@ -260,7 +259,6 @@ struct ph2handle {
vchar_t *id_p; /* peer's ID minus general header */
vchar_t *nonce; /* nonce value in phase 2 */
vchar_t *nonce_p; /* partner's nonce value in phase 2 */
vchar_t *hash; /* HASH2 minus general header */
vchar_t *sa; /* whole SA payload to send/to be sent*/
/* to calculate HASH */
@ -293,9 +291,18 @@ struct contacted {
/*
* for checking a packet retransmited.
*/
struct recvedpkt {
struct recvedpkt *next;
vchar_t *hash;
struct recvdpkt {
struct sockaddr *remote; /* the remote address */
struct sockaddr *local; /* the local address */
vchar_t *hash; /* hash of the received packet */
vchar_t *sendbuf; /* buffer for the response */
int retry_counter; /* how many times to send */
time_t time_send; /* timestamp to send a packet */
time_t created; /* timestamp to create a queue */
struct sched *scr; /* schedule for resend, may not used */
LIST_ENTRY(recvdpkt) chain;
};
/* for parsing ISAKMP header. */
@ -408,6 +415,8 @@ extern struct contacted *getcontacted __P((struct sockaddr *));
extern int inscontacted __P((struct sockaddr *));
extern void initctdtree __P((void));
extern int check_recvedpkt __P((vchar_t *, struct recvedpkt *));
extern int add_recvedpkt __P((vchar_t *, struct recvedpkt **));
extern void flush_recvedpkt __P((struct recvedpkt *));
extern int check_recvdpkt __P((struct sockaddr *,
struct sockaddr *, vchar_t *));
extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
vchar_t *, vchar_t *));
extern void init_recvdpkt __P((void));
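Review bot: The new `check_recvdpkt` declaration gives no hint of what its return values mean, and the meanings (0 first time seen, 1 processed before and the cached response resent, 2 processed before but from a different remote address, -1 error) live only in a comment inside handler.c; callers presumably branch on these numbers, so a two-line comment on the `extern int check_recvdpkt` line listing them would keep the contract next to the prototype. The `struct sched *scr; /* schedule for resend, may not used */` member of recvdpkt is not touched by any of the new handler.c functions in this commit, so either drop it or say in the comment what is expected to use it.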


@ -1,4 +1,4 @@
/* $KAME: isakmp_agg.c,v 1.49 2001/03/27 02:39:57 thorpej Exp $ */
/* $KAME: isakmp_agg.c,v 1.55 2001/12/12 15:29:13 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -104,6 +104,11 @@ agg_i1send(iph1, msg)
#endif
/* validity check */
if (msg != NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"msg has to be NULL in this function.\n");
goto end;
}
if (iph1->status != PHASE1ST_START) {
plog(LLV_ERROR, LOCATION, NULL,
"status mismatched %d.\n", iph1->status);
@ -222,16 +227,13 @@ agg_i1send(iph1, msg)
isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif
/* send to responder */
if (isakmp_send(iph1, iph1->sendbuf) < 0)
/* send the packet, add to the schedule to resend */
iph1->retry_counter = iph1->rmconf->retry_counter;
if (isakmp_ph1resend(iph1) == -1)
goto end;
iph1->status = PHASE1ST_MSG1SENT;
iph1->retry_counter = iph1->rmconf->retry_counter;
iph1->scr = sched_new(iph1->rmconf->retry_interval,
isakmp_ph1resend_stub, iph1);
error = 0;
end:
@ -352,7 +354,7 @@ agg_i2recv(iph1, msg)
/* XXX to be checked each authentication method. */
/* verify identifier */
if (ipsecdoi_checkid1(iph1) < 0) {
if (ipsecdoi_checkid1(iph1) != 0) {
plog(LLV_ERROR, LOCATION, iph1->remote,
"invalid ID payload.\n");
goto end;
@ -574,6 +576,13 @@ agg_i2send(iph1, msg)
if (isakmp_send(iph1, iph1->sendbuf) < 0)
goto end;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
/* set encryption flag */
iph1->flags |= ISAKMP_FLAG_E;
@ -684,7 +693,7 @@ agg_r1recv(iph1, msg)
/* XXX to be checked each authentication method. */
/* verify identifier */
if (ipsecdoi_checkid1(iph1) < 0) {
if (ipsecdoi_checkid1(iph1) != 0) {
plog(LLV_ERROR, LOCATION, iph1->remote,
"invalid ID payload.\n");
goto end;
@ -1029,15 +1038,19 @@ agg_r1send(iph1, msg)
isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
#endif
/* send HDR;SA to responder */
if (isakmp_send(iph1, iph1->sendbuf) < 0)
/* send the packet, add to the schedule to resend */
iph1->retry_counter = iph1->rmconf->retry_counter;
if (isakmp_ph1resend(iph1) == -1)
goto end;
iph1->status = PHASE1ST_MSG1SENT;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
iph1->retry_counter = iph1->rmconf->retry_counter;
iph1->scr = sched_new(iph1->rmconf->retry_interval,
isakmp_ph1resend_stub, iph1);
iph1->status = PHASE1ST_MSG1SENT;
error = 0;
@ -1200,4 +1213,3 @@ agg_r2send(iph1, msg)
end:
return error;
}
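Review bot: In agg_r1send the response is sent and the retransmit timer started by isakmp_ph1resend before add_recvdpkt is called, so when add_recvdpkt fails the function jumps to end with an error while the packet is already on the wire and (presumably, inside isakmp_ph1resend) a resend is scheduled, with iph1->status still at its previous value. iph1->sendbuf is complete by then, so recording first avoids the half-committed state: call `add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg)` before `isakmp_ph1resend(iph1)`; the same ordering applies in agg_i2send, where isakmp_send precedes the add and a failure skips setting ISAKMP_FLAG_E. Since add_recvdpkt only fails on allocation, the alternative is to log and continue rather than abort an exchange whose message has already gone out. The bodies of agg_i2send and agg_r1send begin outside the hunks shown.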


@ -1,4 +1,4 @@
/* $KAME: isakmp_base.c,v 1.41 2001/03/27 02:39:57 thorpej Exp $ */
/* $KAME: isakmp_base.c,v 1.48 2001/12/12 15:29:13 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -91,6 +91,11 @@ base_i1send(iph1, msg)
int error = -1;
/* validity check */
if (msg != NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"msg has to be NULL in this function.\n");
goto end;
}
if (iph1->status != PHASE1ST_START) {
plog(LLV_ERROR, LOCATION, NULL,
"status mismatched %d.\n", iph1->status);
@ -146,16 +151,13 @@ base_i1send(iph1, msg)
isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif
/* send to responder */
if (isakmp_send(iph1, iph1->sendbuf) < 0)
/* send the packet, add to the schedule to resend */
iph1->retry_counter = iph1->rmconf->retry_counter;
if (isakmp_ph1resend(iph1) == -1)
goto end;
iph1->status = PHASE1ST_MSG1SENT;
iph1->retry_counter = iph1->rmconf->retry_counter;
iph1->scr = sched_new(iph1->rmconf->retry_interval,
isakmp_ph1resend_stub, iph1);
error = 0;
end:
@ -237,8 +239,8 @@ base_i2recv(iph1, msg)
goto end;
}
/* veryfy identifier */
if (ipsecdoi_checkid1(iph1) < 0) {
/* verify identifier */
if (ipsecdoi_checkid1(iph1) != 0) {
plog(LLV_ERROR, LOCATION, iph1->remote,
"invalid ID payload.\n");
goto end;
@ -411,15 +413,19 @@ base_i2send(iph1, msg)
isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif
/* send HDR;KE;NONCE to responder */
if (isakmp_send(iph1, iph1->sendbuf) < 0)
/* send the packet, add to the schedule to resend */
iph1->retry_counter = iph1->rmconf->retry_counter;
if (isakmp_ph1resend(iph1) == -1)
goto end;
iph1->status = PHASE1ST_MSG2SENT;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
iph1->retry_counter = iph1->rmconf->retry_counter;
iph1->scr = sched_new(iph1->rmconf->retry_interval,
isakmp_ph1resend_stub, iph1);
iph1->status = PHASE1ST_MSG2SENT;
error = 0;
@ -655,7 +661,7 @@ base_r1recv(iph1, msg)
}
/* verify identifier */
if (ipsecdoi_checkid1(iph1) < 0) {
if (ipsecdoi_checkid1(iph1) != 0) {
plog(LLV_ERROR, LOCATION, iph1->remote,
"invalid ID payload.\n");
goto end;
@ -753,15 +759,19 @@ base_r1send(iph1, msg)
isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif
/* send to responder */
if (isakmp_send(iph1, iph1->sendbuf) < 0)
/* send the packet, add to the schedule to resend */
iph1->retry_counter = iph1->rmconf->retry_counter;
if (isakmp_ph1resend(iph1) == -1)
goto end;
iph1->status = PHASE1ST_MSG1SENT;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
iph1->retry_counter = iph1->rmconf->retry_counter;
iph1->scr = sched_new(iph1->rmconf->retry_interval,
isakmp_ph1resend_stub, iph1);
iph1->status = PHASE1ST_MSG1SENT;
error = 0;
@ -1029,6 +1039,13 @@ base_r2send(iph1, msg)
if (isakmp_send(iph1, iph1->sendbuf) < 0)
goto end;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
/* generate SKEYIDs & IV & final cipher key */
if (oakley_skeyid_dae(iph1) < 0)
goto end;
@ -1049,4 +1066,3 @@ end:
vfree(vid);
return error;
}


@ -1,4 +1,4 @@
/* $KAME: isakmp_ident.c,v 1.56 2001/08/17 06:58:59 sakane Exp $ */
/* $KAME: isakmp_ident.c,v 1.63 2001/12/12 17:57:26 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -74,8 +74,8 @@
#include "gssapi.h"
#endif
static vchar_t *ident_ir2sendmx __P((struct ph1handle *));
static vchar_t *ident_ir3sendmx __P((struct ph1handle *));
static vchar_t *ident_ir2mx __P((struct ph1handle *));
static vchar_t *ident_ir3mx __P((struct ph1handle *));
/* %%%
* begin Identity Protection Mode as initiator.
@ -98,6 +98,11 @@ ident_i1send(iph1, msg)
int error = -1;
/* validity check */
if (msg != NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"msg has to be NULL in this function.\n");
goto end;
}
if (iph1->status != PHASE1ST_START) {
plog(LLV_ERROR, LOCATION, NULL,
"status mismatched %d.\n", iph1->status);
@ -136,16 +141,13 @@ ident_i1send(iph1, msg)
isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif
/* send to responder */
if (isakmp_send(iph1, iph1->sendbuf) < 0)
/* send the packet, add to the schedule to resend */
iph1->retry_counter = iph1->rmconf->retry_counter;
if (isakmp_ph1resend(iph1) == -1)
goto end;
iph1->status = PHASE1ST_MSG1SENT;
iph1->retry_counter = iph1->rmconf->retry_counter;
iph1->scr = sched_new(iph1->rmconf->retry_interval,
isakmp_ph1resend_stub, iph1);
error = 0;
end:
@ -290,16 +292,27 @@ ident_i2send(iph1, msg)
#endif
/* create buffer to send isakmp payload */
iph1->sendbuf = ident_ir2sendmx(iph1);
iph1->sendbuf = ident_ir2mx(iph1);
if (iph1->sendbuf == NULL)
goto end;
iph1->status = PHASE1ST_MSG2SENT;
#ifdef HAVE_PRINT_ISAKMP_C
isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif
/* add to the schedule to resend, and seve back pointer. */
/* send the packet, add to the schedule to resend */
iph1->retry_counter = iph1->rmconf->retry_counter;
iph1->scr = sched_new(iph1->rmconf->retry_interval,
isakmp_ph1resend_stub, iph1);
if (isakmp_ph1resend(iph1) == -1)
goto end;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
iph1->status = PHASE1ST_MSG2SENT;
error = 0;
@ -419,9 +432,9 @@ end:
* rev: HDR*, HASH_I
*/
int
ident_i3send(iph1, msg)
ident_i3send(iph1, msg0)
struct ph1handle *iph1;
vchar_t *msg;
vchar_t *msg0;
{
int error = -1;
int dohash = 1;
@ -478,15 +491,26 @@ ident_i3send(iph1, msg)
iph1->flags |= ISAKMP_FLAG_E;
/* create HDR;ID;HASH payload */
iph1->sendbuf = ident_ir3sendmx(iph1);
iph1->sendbuf = ident_ir3mx(iph1);
if (iph1->sendbuf == NULL)
goto end;
iph1->status = PHASE1ST_MSG3SENT;
/* send the packet, add to the schedule to resend */
iph1->retry_counter = iph1->rmconf->retry_counter;
iph1->scr = sched_new(iph1->rmconf->retry_interval,
isakmp_ph1resend_stub, iph1);
if (isakmp_ph1resend(iph1) == -1)
goto end;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
/* see handler.h about IV synchronization. */
memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
iph1->status = PHASE1ST_MSG3SENT;
error = 0;
@ -592,7 +616,7 @@ ident_i4recv(iph1, msg0)
memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
/* verify identifier */
if (ipsecdoi_checkid1(iph1) < 0) {
if (ipsecdoi_checkid1(iph1) != 0) {
plog(LLV_ERROR, LOCATION, iph1->remote,
"invalid ID payload.\n");
goto end;
@ -843,15 +867,19 @@ ident_r1send(iph1, msg)
isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif
/* send to responder */
if (isakmp_send(iph1, iph1->sendbuf) < 0)
/* send the packet, add to the schedule to resend */
iph1->retry_counter = iph1->rmconf->retry_counter;
if (isakmp_ph1resend(iph1) == -1)
goto end;
iph1->status = PHASE1ST_MSG1SENT;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
iph1->retry_counter = iph1->rmconf->retry_counter;
iph1->scr = sched_new(iph1->rmconf->retry_interval,
isakmp_ph1resend_stub, iph1);
iph1->status = PHASE1ST_MSG1SENT;
error = 0;
@ -1002,10 +1030,26 @@ ident_r2send(iph1, msg)
#endif
/* create HDR;KE;NONCE payload */
iph1->sendbuf = ident_ir2sendmx(iph1);
iph1->sendbuf = ident_ir2mx(iph1);
if (iph1->sendbuf == NULL)
goto end;
#ifdef HAVE_PRINT_ISAKMP_C
isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
#endif
/* send the packet, add to the schedule to resend */
iph1->retry_counter = iph1->rmconf->retry_counter;
if (isakmp_ph1resend(iph1) == -1)
goto end;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
/* compute sharing secret of DH */
if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
@ -1023,10 +1067,6 @@ ident_r2send(iph1, msg)
iph1->status = PHASE1ST_MSG2SENT;
iph1->retry_counter = iph1->rmconf->retry_counter;
iph1->scr = sched_new(iph1->rmconf->retry_interval,
isakmp_ph1resend_stub, iph1);
error = 0;
end:
@ -1172,7 +1212,7 @@ ident_r3recv(iph1, msg0)
memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
/* verify identifier */
if (ipsecdoi_checkid1(iph1) < 0) {
if (ipsecdoi_checkid1(iph1) != 0) {
plog(LLV_ERROR, LOCATION, iph1->remote,
"invalid ID payload.\n");
goto end;
@ -1252,11 +1292,10 @@ end:
* rev: HDR*, HASH_R
*/
int
ident_r3send(iph1, msg0)
ident_r3send(iph1, msg)
struct ph1handle *iph1;
vchar_t *msg0;
vchar_t *msg;
{
vchar_t *msg = NULL;
int error = -1;
int dohash = 1;
#ifdef HAVE_GSSAPI
@ -1296,17 +1335,29 @@ ident_r3send(iph1, msg0)
iph1->flags |= ISAKMP_FLAG_E;
/* create HDR;ID;HASH payload */
iph1->sendbuf = ident_ir3sendmx(iph1);
iph1->sendbuf = ident_ir3mx(iph1);
if (iph1->sendbuf == NULL)
goto end;
/* send HDR;ID;HASH to responder */
if (isakmp_send(iph1, iph1->sendbuf) < 0)
goto end;
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
}
/* see handler.h about IV synchronization. */
memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
iph1->status = PHASE1ST_ESTABLISHED;
error = 0;
end:
if (msg != NULL)
vfree(msg);
return error;
}
@ -1326,7 +1377,7 @@ end:
* rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
*/
static vchar_t *
ident_ir2sendmx(iph1)
ident_ir2mx(iph1)
struct ph1handle *iph1;
{
vchar_t *buf = 0;
@ -1420,14 +1471,6 @@ ident_ir2sendmx(iph1)
if (need_cr)
p = set_isakmp_payload(p, cr, ISAKMP_NPTYPE_NONE);
#ifdef HAVE_PRINT_ISAKMP_C
isakmp_printpacket(buf, iph1->local, iph1->remote, 0);
#endif
/* send HDR;KE;NONCE to responder */
if (isakmp_send(iph1, buf) < 0)
goto end;
error = 0;
end:
@ -1435,6 +1478,8 @@ end:
vfree(buf);
buf = NULL;
}
if (cr)
vfree(cr);
#ifdef HAVE_GSSAPI
if (gsstoken)
vfree(gsstoken);
@ -1461,7 +1506,7 @@ end:
* rev: HDR*, HASH_R
*/
static vchar_t *
ident_ir3sendmx(iph1)
ident_ir3mx(iph1)
struct ph1handle *iph1;
{
vchar_t *buf = NULL, *new = NULL;
@ -1640,13 +1685,6 @@ ident_ir3sendmx(iph1)
buf = new;
/* send HDR;ID;HASH to responder */
if (isakmp_send(iph1, buf) < 0)
goto end;
/* see handler.h about IV synchronization. */
memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
error = 0;
end:
@ -1659,4 +1697,3 @@ end:
return buf;
}
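Review bot: In ident_r3send the parameter was renamed from msg0 to msg and the local `vchar_t *msg = NULL` was dropped, yet the cleanup at `end:` still reads `if (msg != NULL) vfree(msg);` — if those two lines are unchanged context (the rendering lost the +/- markers), the function now frees the caller-supplied received packet, something the sibling functions (ident_i3send with msg0, ident_r2send with msg) never do, so the caller would presumably free it a second time. Either drop the vfree so the function ends with `end: return error;`, or restore a separately named local if something in the body outside the visible hunk still allocates into it. A short comment that the received `msg` is only lent to add_recvdpkt for bookkeeping, not owned by this function, would prevent the same slip from recurring.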


@ -1,4 +1,4 @@
/* $KAME: isakmp_var.h,v 1.19 2000/10/04 17:41:01 itojun Exp $ */
/* $KAME: isakmp_var.h,v 1.20 2001/12/12 15:29:14 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -66,9 +66,9 @@ extern void isakmp_close __P((void));
extern int isakmp_send __P((struct ph1handle *, vchar_t *));
extern void isakmp_ph1resend_stub __P((void *));
extern void isakmp_ph1resend __P((struct ph1handle *));
extern int isakmp_ph1resend __P((struct ph1handle *));
extern void isakmp_ph2resend_stub __P((void *));
extern void isakmp_ph2resend __P((struct ph2handle *));
extern int isakmp_ph2resend __P((struct ph2handle *));
extern void isakmp_ph1expire_stub __P((void *));
extern void isakmp_ph1expire __P((struct ph1handle *));
extern void isakmp_ph1delete_stub __P((void *));
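Review bot: The int-returning isakmp_ph1resend/isakmp_ph2resend prototypes carry no note of their contract, while every caller in this commit tests `== -1` rather than `< 0`; a one-line comment here, e.g. `/* return 0 when the packet was sent and a resend scheduled, -1 on error; callers test == -1 */`, would pin that down. Whether -1 is the only failure value is not visible in this commit.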


@ -1,4 +1,4 @@
/* $KAME: localconf.h,v 1.27 2001/08/09 07:32:19 sakane Exp $ */
/* $KAME: localconf.h,v 1.28 2001/12/11 23:44:08 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -47,8 +47,8 @@
#define LC_DEFAULT_RETRY_COUNTER 5
#define LC_DEFAULT_RETRY_INTERVAL 10
#define LC_DEFAULT_COUNT_PERSEND 1
#define LC_DEFAULT_RETRY_CHECKPH1 15
#define LC_DEFAULT_WAIT_PH2COMPLETE 10
#define LC_DEFAULT_RETRY_CHECKPH1 30
#define LC_DEFAULT_WAIT_PH2COMPLETE 30
#define LC_DEFAULT_SECRETSIZE 16 /* 128 bits */


@ -1,4 +1,4 @@
/* $KAME: oakley.h,v 1.27 2001/08/17 10:50:27 sakane Exp $ */
/* $KAME: oakley.h,v 1.28 2001/12/12 18:23:42 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -78,6 +78,7 @@
#define OAKLEY_ATTR_GRP_DESC_MODP3072 43072 /* make consensus */
#define OAKLEY_ATTR_GRP_DESC_MODP4096 44096 /* at the bake off */
#define OAKLEY_ATTR_GRP_DESC_MODP8192 48192 /* in helsinki */
#define OAKLEY_ATTR_GRP_DESC_MODP6144 46144 /* XXX */
/* 32768 - 65535 Private Use */
#define OAKLEY_ATTR_GRP_TYPE 5 /* B */
#define OAKLEY_ATTR_GRP_TYPE_MODP 1
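Review bot: The new OAKLEY_ATTR_GRP_DESC_MODP6144 line is placed after MODP8192, breaking the ascending order the neighbouring entries keep, and its only comment is `/* XXX */`. Like the 2048–8192 values it sits in the 32768–65535 private-use range noted on the following line, so it only interoperates with peers that picked the same number; suggest moving it between MODP4096 and MODP8192 and replacing the comment with `/* private-use value, same scheme as the groups above */`.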


@ -1,4 +1,4 @@
/* $KAME: pfkey.c,v 1.128 2001/08/20 06:46:28 itojun Exp $ */
/* $KAME: pfkey.c,v 1.133 2001/11/16 04:07:41 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -738,7 +738,7 @@ pfkey_timeover(iph2)
plog(LLV_ERROR, LOCATION, NULL,
"%s give up to get IPsec-SA due to time up to wait.\n",
saddrwop2str(iph2->dst));
SCHED_INIT(iph2->sce);
SCHED_KILL(iph2->sce);
/* If initiator side, send error to kernel by SADB_ACQUIRE. */
if (iph2->side == INITIATOR)
@ -1516,6 +1516,8 @@ pk_recvacquire(mhp)
xpl->sadb_x_policy_id);
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL,
"suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx));
/* get inbound policy */
{
@ -1528,18 +1530,17 @@ pk_recvacquire(mhp)
spidx.prefd = sp_out->spidx.prefs;
spidx.ul_proto = sp_out->spidx.ul_proto;
sp_in = getsp_r(&spidx);
if (!sp_in) {
plog(LLV_ERROR, LOCATION, NULL,
sp_in = getsp(&spidx);
if (sp_in) {
plog(LLV_DEBUG, LOCATION, NULL,
"suitable inbound SP found: %s.\n",
spidx2str(&sp_in->spidx));
} else {
plog(LLV_NOTIFY, LOCATION, NULL,
"no in-bound policy found: %s\n",
spidx2str(&spidx));
return -1;
}
}
plog(LLV_DEBUG, LOCATION, NULL,
"suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx));
plog(LLV_DEBUG, LOCATION, NULL,
"suitable inbound SP found: %s.\n", spidx2str(&sp_in->spidx));
memset(iph2, 0, MAXNESTEDSA);
@ -1608,7 +1609,7 @@ pk_recvacquire(mhp)
}
}
if (set_proposal_from_policy(iph2[n], sp_in, sp_out) < 0) {
if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to create saprop.\n");
delph2(iph2[n]);
@ -1740,15 +1741,20 @@ getsadbpolicy(policy0, policylen0, type, iph2)
struct saproto *pr;
caddr_t policy, p;
int policylen;
int xisrlen;
u_int satype, mode;
/* get policy buffer size */
policylen = sizeof(struct sadb_x_policy);
if (type != SADB_X_SPDDELETE) {
for (pr = iph2->approval->head; pr; pr = pr->next) {
policylen += PFKEY_ALIGN8(sizeof(*xisr)
+ iph2->src->sa_len
+ iph2->dst->sa_len);
xisrlen = sizeof(*xisr);
if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
xisrlen += (iph2->src->sa_len
+ iph2->dst->sa_len);
}
policylen += PFKEY_ALIGN8(xisrlen);
}
}
@ -1798,15 +1804,19 @@ getsadbpolicy(policy0, policylen0, type, iph2)
xisr->sadb_x_ipsecrequest_reqid = 0;
p = (caddr_t)(xisr + 1);
memcpy(p, iph2->src, iph2->src->sa_len);
p += iph2->src->sa_len;
xisrlen = sizeof(*xisr);
memcpy(p, iph2->dst, iph2->dst->sa_len);
p += iph2->dst->sa_len;
if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
xisrlen += (iph2->src->sa_len + iph2->dst->sa_len);
xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(sizeof(*xisr)
+ iph2->src->sa_len
+ iph2->dst->sa_len);
memcpy(p, iph2->src, iph2->src->sa_len);
p += iph2->src->sa_len;
memcpy(p, iph2->dst, iph2->dst->sa_len);
p += iph2->dst->sa_len;
}
xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
}
end:
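Review bot: After the switch from getsp_r() to getsp() in pk_recvacquire, a missing inbound policy is logged at LLV_NOTIFY and processing continues with `sp_in == NULL`, where it used to return -1; the remainder of the function is outside this hunk, so it is not visible whether every later use of sp_in tolerates NULL — set_proposal_from_policy (changed in the same commit) does guard with `if (sp_sub)`, which leaves reqid_in at its zero default for the inbound SA. If that is intended, a comment at the NOTIFY would save the next reader the search: `/* no inbound SP: negotiate anyway; reqid_in stays 0 (see set_proposal_from_policy) */`. The swapped `sp_out, sp_in` argument order matches the renamed `sp_main, sp_sub` parameters, so that part reads correctly.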


@ -1,4 +1,4 @@
/* $KAME: plog.h,v 1.7 2001/01/10 02:58:58 sakane Exp $ */
/* $KAME: plog.h,v 1.9 2002/04/26 00:00:10 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -59,9 +59,10 @@ extern char *pname;
extern u_int32_t loglevel;
extern int f_foreground;
struct sockaddr;
extern void plog __P((int, const char *, struct sockaddr *, const char *, ...));
extern void plogv __P((int, const char *, struct sockaddr *,
const char *, va_list));
const char *, ...));
extern void plogdump __P((int, void *, size_t));
extern void ploginit __P((void));
extern void plogset __P((char *));
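Review bot: plog is declared with a printf-style trailing `...` but no format attribute, so a caller that passes a wrong argument type or a non-literal format string gets no compiler diagnostic — on a daemon whose log lines include peer-controlled data, that check is worth having. Suggest guarding the declaration with `#ifdef __GNUC__` and adding `__attribute__((__format__(__printf__, 4, 5)))`, the positions assuming the `const char *` format is the fourth parameter as shown. Whether plogv survives this hunk is not clear from the rendering; if it does, it takes the same attribute with 0 as the second index for the va_list variant.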


@ -1,4 +1,4 @@
/* $KAME: policy.c,v 1.42 2001/08/20 06:46:28 itojun Exp $ */
/* $KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -31,6 +31,7 @@
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <netkey/key_var.h>
@ -84,7 +85,7 @@ getsp(spidx)
#if 1
struct secpolicy *
getsp_r(spidx)
struct policyindex *spidx; /* from peer */
struct policyindex *spidx;
{
struct secpolicy *p;
@ -98,7 +99,7 @@ getsp_r(spidx)
#else
struct secpolicy *
getsp_r(spidx, iph2)
struct policyindex *spidx; /* from peer */
struct policyindex *spidx;
struct ph2handle *iph2;
{
struct secpolicy *p;
@ -170,36 +171,6 @@ getspbyspid(spid)
return NULL;
}
/*
* compare policyindex.
* a: subject b: db
* OUT: 0: equal
* 1: not equal
*/
int
cmpspidx(a, b)
struct policyindex *a, *b;
{
plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
plog(LLV_DEBUG, LOCATION, NULL, "db :%p: %s\n", b, spidx2str(b));
/* XXX don't check direction now, but it's to be checked carefully. */
if (a->dir != b->dir
|| a->prefs != b->prefs
|| a->prefd != b->prefd
|| a->ul_proto != b->ul_proto)
return 1;
if (cmpsaddrwild((struct sockaddr *)&a->src,
(struct sockaddr *)&b->src))
return 1;
if (cmpsaddrwild((struct sockaddr *)&a->dst,
(struct sockaddr *)&b->dst))
return 1;
return 0;
}
/*
* compare policyindex.
* a: subject b: db
@ -248,9 +219,8 @@ cmpspidxwild(a, b)
if (!(b->dir == IPSEC_DIR_ANY || a->dir == b->dir))
return 1;
/* IPSEC_ULPROTO_ANY is represented by 0 in ID payload */
if (!(a->ul_proto == 0 ||
b->ul_proto == 0 ||
if (!(a->ul_proto == IPSEC_ULPROTO_ANY ||
b->ul_proto == IPSEC_ULPROTO_ANY ||
a->ul_proto == b->ul_proto))
return 1;


@ -1,4 +1,4 @@
/* $KAME: policy.h,v 1.17 2001/06/27 15:55:58 sakane Exp $ */
/* $KAME: policy.h,v 1.18 2001/10/02 04:10:17 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -101,7 +101,6 @@ struct policyindex;
extern struct secpolicy *getsp __P((struct policyindex *));
extern struct secpolicy *getsp_r __P((struct policyindex *));
struct secpolicy *getspbyspid __P((u_int32_t));
extern int cmpspidx __P((struct policyindex *, struct policyindex *));
extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
extern struct secpolicy *newsp __P((void));


@ -1,4 +1,4 @@
/* $KAME: proposal.c,v 1.37 2001/08/16 11:18:02 sakane Exp $ */
/* $KAME: proposal.c,v 1.47 2002/04/16 04:10:23 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -31,6 +31,7 @@
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <netkey/key_var.h>
@ -253,10 +254,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side)
}
/* lifebyte */
if (pp1->lifebyte <= pp2->lifebyte) {
newpp->lifebyte = pp1->lifebyte;
break;
} else {
if (pp1->lifebyte > pp2->lifebyte) {
newpp->lifebyte = pp2->lifebyte;
newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC;
plog(LLV_NOTIFY, LOCATION, NULL,
@ -264,6 +262,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side)
"my:%d peer:%d\n",
pp2->lifebyte, pp1->lifebyte);
}
newpp->lifebyte = pp1->lifebyte;
goto prop_pfs_check;
break;
@ -490,14 +489,14 @@ cmpsatrns(tr1, tr2)
plog(LLV_ERROR, LOCATION, NULL,
"trns_id mismatched: "
"my:%d peer:%d\n",
tr1->trns_id, tr2->trns_id);
tr2->trns_id, tr1->trns_id);
return 1;
}
if (tr1->authtype != tr2->authtype) {
plog(LLV_ERROR, LOCATION, NULL,
"authtype mismatched: "
"my:%d peer:%d\n",
tr1->authtype, tr2->authtype);
tr2->authtype, tr1->authtype);
return 1;
}
@ -509,7 +508,7 @@ cmpsatrns(tr1, tr2)
plog(LLV_WARNING, LOCATION, NULL,
"less key length proposed, "
"mine:%d peer:%d. Use initiaotr's one.\n",
tr1->encklen, tr2->encklen);
tr2->encklen, tr1->encklen);
/* FALLTHRU */
}
@ -749,6 +748,8 @@ flushsaproto(head)
for (p = head; p != NULL; p = save) {
save = p->next;
flushsatrns(p->head);
vfree(p->keymat);
vfree(p->keymat_p);
racoon_free(p);
}
@ -905,9 +906,9 @@ print_proppair(pri, p)
}
int
set_proposal_from_policy(iph2, sp_in, sp_out)
set_proposal_from_policy(iph2, sp_main, sp_sub)
struct ph2handle *iph2;
struct secpolicy *sp_in, *sp_out;
struct secpolicy *sp_main, *sp_sub;
{
struct saprop *newpp;
struct ipsecrequest *req;
@ -934,7 +935,7 @@ set_proposal_from_policy(iph2, sp_in, sp_out)
* transport mode.
*/
encmodesv = IPSEC_MODE_TRANSPORT;
for (req = sp_out->req; req; req = req->next) {
for (req = sp_main->req; req; req = req->next) {
if (req->saidx.mode == IPSEC_MODE_TUNNEL) {
encmodesv = pfkey2ipsecdoi_mode(req->saidx.mode);
break;
@ -942,29 +943,28 @@ set_proposal_from_policy(iph2, sp_in, sp_out)
}
skip1:
for (req = sp_out->req; req; req = req->next) {
for (req = sp_main->req; req; req = req->next) {
struct saproto *newpr;
struct sockaddr *psaddr = NULL;
struct sockaddr *pdaddr = NULL;
caddr_t paddr = NULL;
/* XXX check if SA bundle ? */
/*
* check if SA bundle ?
* nested SAs negotiation is NOT supported.
* me +--- SA1 ---+ peer1
* me +--- SA2 --------------+ peer2
*/
if (req->saidx.src.ss_len && req->saidx.dst.ss_len) {
psaddr = (struct sockaddr *)&req->saidx.src;
pdaddr = (struct sockaddr *)&req->saidx.dst;
/* check the end of ip addresses of SA */
if (iph2->side == INITIATOR)
paddr = (caddr_t)&req->saidx.dst;
else
paddr = (caddr_t)&req->saidx.src;
/* check end addresses of SA */
if (memcmp(iph2->src, psaddr, iph2->src->sa_len)
|| memcmp(iph2->dst, pdaddr, iph2->dst->sa_len)){
/*
* XXX nested SAs with each destination
* address are different.
* me +--- SA1 ---+ peer1
* me +--- SA2 --------------+ peer2
*/
if (memcmp(iph2->dst, paddr, iph2->dst->sa_len)){
plog(LLV_ERROR, LOCATION, NULL,
"not supported nested SA. Ignore.\n");
break;
"not supported nested SA.");
goto err;
}
}
@ -996,10 +996,10 @@ set_proposal_from_policy(iph2, sp_in, sp_out)
}
/* get reqid_in from inbound policy */
if (sp_in) {
if (sp_sub) {
struct saproto *pr;
req = sp_in->req;
req = sp_sub->req;
pr = newpp->head;
while (req && pr) {
pr->reqid_in = req->saidx.reqid;
@ -1007,10 +1007,9 @@ set_proposal_from_policy(iph2, sp_in, sp_out)
req = req->next;
}
if (pr || req) {
plog(LLV_ERROR, LOCATION, NULL,
plog(LLV_NOTIFY, LOCATION, NULL,
"There is a difference "
"between the in/out bound policies in SPD.\n");
goto err;
}
}
@ -1032,9 +1031,9 @@ int
set_proposal_from_proposal(iph2)
struct ph2handle *iph2;
{
struct saprop *newpp = NULL, *pp0, *pp_peer = NULL;
struct saproto *newpr = NULL, *pr;
struct prop_pair **pair;
struct saprop *pp;
struct saproto *pr;
int error = -1;
int i;
@ -1043,39 +1042,74 @@ set_proposal_from_proposal(iph2)
if (pair == NULL)
goto end;
/* choice the first proposal */
for (i = 0; i < MAXPROPPAIRLEN; i++) {
if (pair[i] != NULL)
break;
/*
* make my proposal according as the client proposal.
* XXX assumed there is only one proposal even if it's the SA bundle.
*/
for (i = 0; i < MAXPROPPAIRLEN; i++) {
if (pair[i] == NULL)
continue;
pp_peer = aproppair2saprop(pair[i]);
if (pp_peer == NULL)
goto end;
pp0 = newsaprop();
if (pp0 == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate saprop.\n");
goto end;
}
pp0->prop_no = 1;
pp0->lifetime = iph2->sainfo->lifetime;
pp0->lifebyte = iph2->sainfo->lifebyte;
pp0->pfs_group = iph2->sainfo->pfs_group;
if (pp_peer->next != NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"pp_peer is inconsistency, ignore it.\n");
/*FALLTHROUGH*/
}
for (pr = pp_peer->head; pr; pr = pr->next) {
newpr = newsaproto();
if (newpr == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate saproto.\n");
goto end;
}
newpr->proto_id = pr->proto_id;
newpr->spisize = pr->spisize;
newpr->encmode = pr->encmode;
newpr->spi = 0;
newpr->spi_p = pr->spi; /* copy peer's SPI */
newpr->reqid_in = 0;
newpr->reqid_out = 0;
}
if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to get algorithms.\n");
goto end;
}
inssaproto(pp0, newpr);
inssaprop(&newpp, pp0);
}
if (i == MAXPROPPAIRLEN)
goto end;
plog(LLV_DEBUG, LOCATION, NULL, "make a proposal from peer's:\n");
printsaprop0(LLV_DEBUG, newpp);
pp = aproppair2saprop(pair[i]);
if (!pp)
goto end;
/* reverse SPI */
for (pr = pp->head; pr; pr = pr->next) {
pr->spi_p = pr->spi; /* copy peer's SPI */
pr->spi = 0; /* initialize */
}
plog(LLV_DEBUG, LOCATION, NULL, "choice a proposal from peer's:\n");
printsaprop0(LLV_DEBUG, pp);
iph2->approval = pp;
/* make a SA to be replayed. */
/* SPI must be updated later. */
iph2->sa_ret = get_sabyproppair(pair[i], iph2->ph1);
if (iph2->sa_ret == NULL)
goto end;
iph2->proposal = newpp;
error = 0;
end:
if (error && newpp)
flushsaprop(newpp);
if (pp_peer)
flushsaprop(pp_peer);
free_proppair(pair);
return error;
}
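Review bot: In the rewritten set_proposal_from_proposal the `}` shown right after `newpr->reqid_out = 0;` closes the inner `for (pr = pp_peer->head; ...)` loop before `set_satrnsbysainfo(newpr, ...)` and `inssaproto(pp0, newpr)` run, so for a peer proposal carrying more than one protocol only the last saproto gets its transforms and is linked into pp0 while the earlier ones are leaked — if the brace really is where the rendering shows it, those two calls belong inside the inner loop. Independently, `pp_peer` is reassigned on every outer iteration but freed only once at `end:`, and on the set_satrnsbysainfo failure path `newpr` and `pp0` are not yet linked into anything that `flushsaprop(newpp)` reaches; the `newsaproto() == NULL` exit drops pp0 the same way. Since the proposal comes off the wire, each of these is a peer-triggerable leak in a long-running daemon. The loop tail below shows the suggested shape; `flushsaproto` on a freshly allocated, unlinked newpr assumes newsaproto() zero-fills `next` and `head`.
```c
		for (pr = pp_peer->head; pr; pr = pr->next) {
			/* … unchanged: allocate newpr, copy proto_id/spisize/encmode/spi … */
			if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
				plog(LLV_ERROR, LOCATION, NULL,
					"failed to get algorithms.\n");
				flushsaproto(newpr);	/* not yet linked into pp0 */
				flushsaprop(pp0);	/* not yet linked into newpp */
				goto end;
			}
			inssaproto(pp0, newpr);
		}
		inssaprop(&newpp, pp0);

		flushsaprop(pp_peer);		/* done with this peer proposal */
		pp_peer = NULL;
	}
```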


@ -1,4 +1,4 @@
/* $KAME: remoteconf.c,v 1.25 2001/05/24 06:43:24 sakane Exp $ */
/* $KAME: remoteconf.c,v 1.29 2001/12/07 08:39:39 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -71,7 +71,7 @@ static LIST_HEAD(_rmtree, remoteconf) rmtree;
/*%%%*/
/*
* search remote configuration.
* don't use port number to search if its value is either ~0.
* don't use port number to search if its value is either IPSEC_PORT_ANY.
* If matching anonymous entry, then new entry is copied from anonymous entry.
* If no anonymous entry found, then return NULL.
* OUT: NULL: NG
@ -114,7 +114,7 @@ getrmconf(remote)
LIST_FOREACH(p, &rmtree, chain) {
if ((!withport && cmpsaddrwop(remote, p->remote) == 0)
|| (withport && cmpsaddrwild(remote, p->remote) == 0)) {
|| (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
plog(LLV_DEBUG, LOCATION, NULL,
"configuration found for %s.\n", buf);
return p;
@ -157,6 +157,7 @@ newrmconf()
new->passive = FALSE;
new->ini_contact = TRUE;
new->pcheck_level = PROP_CHECK_STRICT;
new->verify_identifier = FALSE;
new->verify_cert = TRUE;
new->getcert_method = ISAKMP_GETCERT_PAYLOAD;
new->send_cert = TRUE;
@ -165,7 +166,6 @@ newrmconf()
new->gen_policy = FALSE;
new->retry_counter = lcconf->retry_counter;
new->retry_interval = lcconf->retry_interval;
new->count_persend = lcconf->count_persend;
return new;
}
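Review bot: `new->verify_identifier = FALSE` makes identifier verification opt-in for every remote block that does not set it, whereas the neighbouring `verify_cert` defaults to TRUE; if this flag is what gates the peer-ID comparison in ipsecdoi_checkid1 (the gating code is not in this commit's visible hunks), a peer's ID payload is accepted without being compared to the configured identifier by default. Consider defaulting to TRUE, or at least a comment here stating why the default is off and what is lost, e.g. `/* off by default for compatibility: the peer's ID payload is not checked against the configured identifier */`. Separately, getrmconf now uses cmpsaddrstrict when the lookup address carries a port, so an explicit-port lookup no longer matches a port-any entry; the function's header comment should say so.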


@ -1,4 +1,4 @@
/* $KAME: remoteconf.h,v 1.25 2001/05/24 06:43:24 sakane Exp $ */
/* $KAME: remoteconf.h,v 1.27 2001/12/07 08:39:39 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -61,6 +61,7 @@ struct remoteconf {
int send_cert; /* send to CERT or not */
int send_cr; /* send to CR or not */
int verify_cert; /* verify a CERT strictly */
int verify_identifier; /* vefify the peer's identifier */
int nonce_size; /* the number of bytes of nonce */
int keepalive; /* XXX may not use */
int passive; /* never initiate */
@ -75,8 +76,7 @@ struct remoteconf {
int retry_counter; /* times to retry. */
int retry_interval; /* interval each retry. */
int count_persend; /* the number of packets each retry. */
/* above 3 values are copied from localconf. */
/* above 2 values are copied from localconf. */
struct isakmpsa *proposal; /* proposal list */
LIST_ENTRY(remoteconf) chain; /* next remote conf */
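Review bot: The comment on the new field has a typo (`vefify`) and does not say what is verified against what; suggest `int verify_identifier; /* compare the peer's ID payload with the configured identifier */`, narrowed if the consuming code (outside this hunk) checks something more specific. The updated `above 2 values` note is consistent with count_persend moving to localconf.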


@ -1,4 +1,4 @@
/* $KAME: sainfo.c,v 1.14 2001/04/03 15:51:56 thorpej Exp $ */
/* $KAME: sainfo.c,v 1.15 2001/11/16 04:12:59 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -31,6 +31,7 @@
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <netkey/key_var.h>


@ -1,4 +1,4 @@
/* $KAME: schedule.c,v 1.15 2001/04/03 15:51:57 thorpej Exp $ */
/* $KAME: schedule.c,v 1.19 2001/11/05 10:53:19 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -39,6 +39,8 @@
#include <string.h>
#include <errno.h>
#include "misc.h"
#include "plog.h"
#include "schedule.h"
#include "var.h"
#include "gcmalloc.h"
@ -78,14 +80,18 @@ schedular()
now = current_time();
for (p = TAILQ_FIRST(&sctree); p; p = next) {
/* if the entry has been daed, remove it */
if (p->dead)
goto next_schedule;
/* if the time hasn't come, proceed to the next entry */
if (now < p->xtime) {
next = TAILQ_NEXT(p, chain);
continue;
}
/* mark it with dead. and call the function. */
p->dead = 1;
if (p->func != NULL)
(p->func)(p->param);
@ -191,6 +197,7 @@ sched_kill(sc)
return;
}
/* XXX this function is probably unnecessary. */
void
sched_scrub_param(param)
void *param;
@ -198,8 +205,13 @@ sched_scrub_param(param)
struct sched *sc;
TAILQ_FOREACH(sc, &sctree, chain) {
if (sc->param == param)
if (sc->param == param) {
if (!sc->dead) {
plog(LLV_DEBUG, LOCATION, NULL,
"an undead schedule has been deleted.\n");
}
sched_kill(sc);
}
}
}
@ -294,10 +306,9 @@ getstdin()
sched_dump((caddr_t *)&scbuf, &len);
if (buf == NULL)
return;
for (p = scbuf; ; p++) {
for (p = scbuf; len; p++) {
printf("xtime=%ld\n", p->xtime);
if (p->last)
break;
len -= sizeof(*p);
}
racoon_free(scbuf);
return;
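Review bot: The new `for (p = scbuf; len; p++)` in getstdin terminates only when `len` reaches exactly 0, so if the byte count sched_dump() returns is not a multiple of `sizeof(*p)` — or if `len` is unsigned and underflows — the loop walks off the end of scbuf; `for (p = scbuf; len >= sizeof(*p); p++, len -= sizeof(*p))` is robust to both, with a cast if `len` is a signed int (its declaration is outside the hunk). The NULL check just above tests `buf` while sched_dump fills `scbuf`, which looks like a pre-existing slip worth fixing in the same pass. In schedular(), marking `p->dead = 1` before invoking the callback is a sensible guard, but a one-line comment on why the entry is marked before rather than after `(p->func)(p->param)` — presumably so the callback may kill or re-schedule it safely — would help the next reader.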


@ -1,4 +1,4 @@
/* $KAME: session.c,v 1.26 2001/08/13 10:50:42 itojun Exp $ */
/* $KAME: session.c,v 1.28 2001/12/10 18:11:20 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -101,6 +101,9 @@ session(void)
int error;
struct myaddrs *p;
/* initialize schedular */
sched_init();
init_signal();
#ifdef ENABLE_ADMINPORT
@ -116,9 +119,6 @@ session(void)
initfds();
/* initialize schedular */
sched_init();
sigreq = 0;
while (1) {
rfds = mask0;
@ -249,6 +249,11 @@ signal_handler(sig)
}
break;
#ifdef DEBUG_RECORD_MALLOCATION
case SIGUSR2:
DRM_dump();
break;
#endif
default:
/* XXX should be blocked any signal ? */
sigreq = sig;
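Review bot: The new SIGUSR2 case calls DRM_dump() directly from signal_handler, while the default branch visible here only records the signal in `sigreq` for the main loop; unless DRM_dump is async-signal-safe — unlikely for a malloc-tracking dump that presumably walks allocator records and prints — running it inside the handler can deadlock or corrupt state if the signal arrives during an allocation. Suggest treating it like the others, `case SIGUSR2: sigreq = sig; break;`, and dispatching DRM_dump() from wherever sigreq is consumed. Being under DEBUG_RECORD_MALLOCATION limits the exposure to debug builds.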


@ -1,4 +1,4 @@
/* $KAME: sockmisc.c,v 1.29 2001/08/16 14:37:29 itojun Exp $ */
/* $KAME: sockmisc.c,v 1.36 2002/04/15 06:20:08 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -58,11 +58,7 @@
#include "debug.h"
#include "gcmalloc.h"
#ifdef NI_WITHSCOPEID
const int niflags = NI_WITHSCOPEID;
#else
const int niflags = 0;
#endif
/*
* compare two sockaddr without port number.
@ -112,6 +108,7 @@ cmpsaddrwop(addr1, addr2)
/*
* compare two sockaddr with port, taking care wildcard.
* addr1 is a subject address, addr2 is in a database entry.
* OUT: 0: equal.
* 1: not equal.
*/
@ -138,7 +135,9 @@ cmpsaddrwild(addr1, addr2)
sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
port1 = ((struct sockaddr_in *)addr1)->sin_port;
port2 = ((struct sockaddr_in *)addr2)->sin_port;
if (!(port1 == 0 || port2 == 0 || port1 == port2))
if (!(port1 == IPSEC_PORT_ANY ||
port2 == IPSEC_PORT_ANY ||
port1 == port2))
return 1;
if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
return 1;
@ -149,7 +148,9 @@ cmpsaddrwild(addr1, addr2)
sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
if (!(port1 == 0 || port2 == 0 || port1 == port2))
if (!(port1 == IPSEC_PORT_ANY ||
port2 == IPSEC_PORT_ANY ||
port1 == port2))
return 1;
if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
return 1;
@ -393,8 +394,8 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen)
/* send packet, with fixing src/dst address pair. */
int
sendfromto(s, buf, buflen, src, dst)
int s;
sendfromto(s, buf, buflen, src, dst, cnt)
int s, cnt;
const void *buf;
size_t buflen;
struct sockaddr *src;
@ -402,6 +403,7 @@ sendfromto(s, buf, buflen, src, dst)
{
struct sockaddr_storage ss;
int len;
int i;
if (src->sa_family != dst->sa_family) {
plog(LLV_ERROR, LOCATION, NULL,
@ -485,12 +487,20 @@ sendfromto(s, buf, buflen, src, dst)
saddr2str((struct sockaddr *)&dst6),
dst6.sin6_scope_id);
len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"sendmsg (%s)\n", strerror(errno));
return -1;
for (i = 0; i < cnt; i++) {
len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"sendmsg (%s)\n", strerror(errno));
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL,
"%d times of %d bytes message will be sent "
"to %s\n",
i + 1, len, saddr2str(src));
}
plogdump(LLV_DEBUG, (char *)buf, buflen);
return len;
}
#endif
@ -521,6 +531,7 @@ sendfromto(s, buf, buflen, src, dst)
(void *)&yes, sizeof(yes)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"setsockopt (%s)\n", strerror(errno));
close(sendsock);
return -1;
}
#ifdef IPV6_USE_MIN_MTU
@ -529,26 +540,39 @@ sendfromto(s, buf, buflen, src, dst)
(void *)&yes, sizeof(yes)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"setsockopt (%s)\n", strerror(errno));
close(sendsock);
return -1;
}
#endif
if (setsockopt_bypass(sendsock, src->sa_family) < 0)
if (setsockopt_bypass(sendsock, src->sa_family) < 0) {
close(sendsock);
return -1;
}
if (bind(sendsock, (struct sockaddr *)src, src->sa_len) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"bind 1 (%s)\n", strerror(errno));
close(sendsock);
return -1;
}
needclose = 1;
}
len = sendto(sendsock, buf, buflen, 0, dst, dst->sa_len);
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"sendto (%s)\n", strerror(errno));
return len;
for (i = 0; i < cnt; i++) {
len = sendto(sendsock, buf, buflen, 0, dst, dst->sa_len);
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"sendto (%s)\n", strerror(errno));
if (needclose)
close(sendsock);
return len;
}
plog(LLV_DEBUG, LOCATION, NULL,
"%d times of %d bytes message will be sent "
"to %s\n",
i + 1, len, saddr2str(src));
}
plogdump(LLV_DEBUG, (char *)buf, buflen);
if (needclose)
close(sendsock);
@ -766,4 +790,3 @@ mask_sockaddr(a, b, l)
for (i = l / 8 + 1; i < alen; i++)
p[i] = 0x00;
}
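Review bot: In sendfromto, `len` is assigned only inside the new `for (i = 0; i < cnt; i++)` loops, so a `cnt` of 0 or less sends nothing and returns the uninitialized `len` to the caller; `cnt` appears to be the user-configurable count_persend per the other hunks, so either reject such values at config time or clamp here with `if (cnt < 1) cnt = 1;` before the loops. The debug message in both loops says the datagram "will be sent to" `saddr2str(src)` after sendmsg/sendto has already delivered it to `dst`, so it names the wrong end — `saddr2str(dst)` is what the reader wants. The added close(sendsock) on the error paths fixes a real descriptor leak and is welcome.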


@ -1,4 +1,4 @@
/* $KAME: sockmisc.h,v 1.11 2001/08/16 14:37:29 itojun Exp $ */
/* $KAME: sockmisc.h,v 1.12 2001/12/07 08:39:39 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -40,7 +40,7 @@ extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
extern int recvfromto __P((int, void *, size_t, int,
struct sockaddr *, int *, struct sockaddr *, int *));
extern int sendfromto __P((int, const void *, size_t,
struct sockaddr *, struct sockaddr *));
struct sockaddr *, struct sockaddr *, int));
extern int setsockopt_bypass __P((int, int));
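Review bot: The new trailing `int` parameter of sendfromto has neither a name nor a comment in the prototype; `int cnt /* number of times to send the same datagram, >= 1 */` (matching the sockmisc.c definition) would tell callers what it means and what range is valid.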


@ -1,4 +1,4 @@
/* $KAME: strnames.c,v 1.21 2001/08/14 14:55:27 sakane Exp $ */
/* $KAME: strnames.c,v 1.23 2001/12/12 18:23:42 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -31,11 +31,13 @@
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <stdio.h>
#include <netinet6/ipsec.h>
#include <netinet/in.h>
#include <stdio.h>
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
@ -623,6 +625,7 @@ static struct ksmap name_attr_isakmp_desc[] = {
{ OAKLEY_ATTR_GRP_DESC_MODP2048, "2048-bit MODP group", NULL },
{ OAKLEY_ATTR_GRP_DESC_MODP3072, "3072-bit MODP group", NULL },
{ OAKLEY_ATTR_GRP_DESC_MODP4096, "4096-bit MODP group", NULL },
{ OAKLEY_ATTR_GRP_DESC_MODP6144, "6144-bit MODP group", NULL },
{ OAKLEY_ATTR_GRP_DESC_MODP8192, "8192-bit MODP group", NULL },
};


@ -1,4 +1,4 @@
/* $KAME: var.h,v 1.11 2001/07/14 05:48:33 sakane Exp $ */
/* $KAME: var.h,v 1.12 2001/11/13 12:38:51 jinmei Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -69,11 +69,7 @@
#include <netdb.h>
/* var.h is used from non-racoon code (like eaytest), so we can't use niflags */
#ifdef NI_WITHSCOPEID
#define NIFLAGS (NI_NUMERICHOST | NI_NUMERICSERV | NI_WITHSCOPEID)
#else
#define NIFLAGS (NI_NUMERICHOST | NI_NUMERICSERV)
#endif
#define GETNAMEINFO(x, y, z) \
do { \


@ -1,4 +1,4 @@
/* $KAME: vmbuf.c,v 1.10 2001/04/03 15:51:57 thorpej Exp $ */
/* $KAME: vmbuf.c,v 1.11 2001/11/26 16:54:29 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,6 +29,7 @@
* SUCH DAMAGE.
*/
#define NONEED_DRM
#include <sys/types.h>
#include <sys/param.h>


@ -1,4 +1,4 @@
/* $KAME: vmbuf.h,v 1.7 2000/10/04 17:41:05 itojun Exp $ */
/* $KAME: vmbuf.h,v 1.8 2001/12/12 21:18:33 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -47,8 +47,6 @@ typedef struct _vchar_t_ {
caddr_t v; /* place holder to the pointer to the value */
} vchar_t;
#define VREALLOC(ptr, size) ((ptr) = vrealloc((ptr), (size)))
#define VPTRINIT(p) \
do { \
if (p) { \