kame racoon 2003/7/12. lots and lots of stability fixes.

itojun 2003-07-12 08:45:39 +00:00
parent 0a65bfefd2
commit dc30725eaf
13 changed files with 468 additions and 318 deletions


@ -1,4 +1,4 @@
/* $KAME: admin.c,v 1.23 2001/06/01 10:12:55 sakane Exp $ */
/* $KAME: admin.c,v 1.24 2003/05/29 08:59:51 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -345,7 +345,7 @@ admin_process(so2, combuf)
"%s\n", saddrwop2str(remote));
/* begin ident mode */
if (isakmp_ph1begin_i(rmconf, remote) < 0) {
if (isakmp_ph1begin_i(rmconf, remote, local) < 0) {
com->ac_errno = -1;
break;
}
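Review bot: The changed call passes `local` as the new third argument of isakmp_ph1begin_i, but nothing in the hunk shows where `local` is assigned or whether it may be NULL; admin_process continues outside the hunk, so this is inferred from the visible lines only. The old two-argument form raised no such question, and the new prototype in isakmp_var.h (`extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr *, struct sockaddr *));`) names neither sockaddr parameter. A comment at that prototype naming the arguments and stating the NULL rule isakmp_ph1begin_i actually applies, e.g. `/* rmconf, remote, local -- state here whether local may be NULL */` with the real rule filled in, would tell this caller and others what to pass.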



@ -322,6 +322,7 @@ main()
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_flags = passive ? AI_PASSIVE : 0;
hints.ai_protocol = IPPROTO_TCP;
hints.ai_socktype = SOCK_STREAM;
if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) {
(void)gai_strerror(gaierr);
@ -656,11 +657,20 @@ AC_CHECK_HEADER(openssl/rijndael.h, [], [
])
dnl checking sha2
AC_MSG_CHECKING(sha2 support)
AC_EGREP_CPP(yes, [#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER >= 0x0090602fL
yes
#endif],
[AC_MSG_RESULT(no)
echo "WARNING: sha2 does not work."],
[AC_MSG_RESULT(yes)
AC_SUBST(CRYPTOBJS)
AC_DEFINE(WITH_SHA2)
AC_CHECK_HEADER(openssl/sha2.h, [], [
CPPFLAGS="$CPPFLAGS -I./missing"
CRYPTOBJS="$CRYPTOBJS sha2.o"
])
CRYPTOBJS="$CRYPTOBJS sha2.o"])]
)
dnl Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
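Review bot: The failure branch of the sha2 probe only runs `echo "WARNING: sha2 does not work."` and continues, so a build against an older OpenSSL drops WITH_SHA2 and every declaration gated on it with a message that bypasses configure's own reporting. `AC_MSG_WARN([sha2 does not work; SHA2 hash algorithms will be unavailable])` keeps the output consistent with the surrounding AC_MSG_RESULT calls and, as far as I recall, is also recorded in config.log. Which of the two `CRYPTOBJS="$CRYPTOBJS sha2.o"` assignments at the end of the success branch is old and which is new cannot be recovered from this rendering, so that part is not reviewed here.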


@ -1,4 +1,4 @@
/* $KAME: crypto_openssl.h,v 1.25 2002/04/25 09:48:32 sakane Exp $ */
/* $KAME: crypto_openssl.h,v 1.28 2003/06/29 04:46:14 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -31,15 +31,18 @@
#ifdef HAVE_SIGNING_C
/* X509 Certificate */
#define GENT_OTHERNAME 0
#define GENT_EMAIL 1
#define GENT_DNS 2
#define GENT_X400 3
#define GENT_DIRNAME 4
#define GENT_EDIPARTY 5
#define GENT_URI 6
#define GENT_IPADD 7
#define GENT_RID 8
#include <openssl/x509v3.h>
#define GENT_OTHERNAME GEN_OTHERNAME
#define GENT_EMAIL GEN_EMAIL
#define GENT_DNS GEN_DNS
#define GENT_X400 GEN_X400
#define GENT_DIRNAME GEN_DIRNAME
#define GENT_EDIPARTY GEN_EDIPARTY
#define GENT_URI GEN_URI
#define GENT_IPADD GEN_IPADD
#define GENT_RID GEN_RID
extern vchar_t *eay_str2asn1dn __P((char *, int));
extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *));
@ -114,6 +117,7 @@ extern int eay_kpdk_hashlen __P((void));
extern int eay_twofish_keylen __P((int));
/* hash */
#if defined(WITH_SHA2)
/* HMAC SHA2 */
extern vchar_t *eay_hmacsha2_512_one __P((vchar_t *, vchar_t *));
extern caddr_t eay_hmacsha2_512_init __P((vchar_t *));
@ -127,6 +131,7 @@ extern vchar_t *eay_hmacsha2_256_one __P((vchar_t *, vchar_t *));
extern caddr_t eay_hmacsha2_256_init __P((vchar_t *));
extern void eay_hmacsha2_256_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_hmacsha2_256_final __P((caddr_t));
#endif
/* HMAC SHA1 */
extern vchar_t *eay_hmacsha1_one __P((vchar_t *, vchar_t *));
extern caddr_t eay_hmacsha1_init __P((vchar_t *));
@ -138,23 +143,29 @@ extern caddr_t eay_hmacmd5_init __P((vchar_t *));
extern void eay_hmacmd5_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_hmacmd5_final __P((caddr_t));
#if defined(WITH_SHA2)
/* SHA2 functions */
extern caddr_t eay_sha2_512_init __P((void));
extern void eay_sha2_512_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_sha2_512_final __P((caddr_t));
extern vchar_t *eay_sha2_512_one __P((vchar_t *));
#endif
extern int eay_sha2_512_hashlen __P((void));
#if defined(WITH_SHA2)
extern caddr_t eay_sha2_384_init __P((void));
extern void eay_sha2_384_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_sha2_384_final __P((caddr_t));
extern vchar_t *eay_sha2_384_one __P((vchar_t *));
#endif
extern int eay_sha2_384_hashlen __P((void));
#if defined(WITH_SHA2)
extern caddr_t eay_sha2_256_init __P((void));
extern void eay_sha2_256_update __P((caddr_t, vchar_t *));
extern vchar_t *eay_sha2_256_final __P((caddr_t));
extern vchar_t *eay_sha2_256_one __P((vchar_t *));
#endif
extern int eay_sha2_256_hashlen __P((void));
/* SHA functions */
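Review bot: In the last hunk the three `extern int eay_sha2_*_hashlen __P((void));` prototypes stay outside the new `#if defined(WITH_SHA2)` guards while the init/update/final/one siblings of each digest size are wrapped; with WITH_SHA2 undefined the header then declares functions whose definitions are presumably compiled out as well, which links only as long as nothing references them. If that asymmetry is deliberate (for instance an algorithm table that reads hashlen unconditionally — not visible on this page), say so next to the first one: `/* hashlen is declared unconditionally; callers may query it even without WITH_SHA2 */`; otherwise move the three lines inside the guards. Replacing the hard-coded GENT_* numbers with OpenSSL's GEN_* names in the first hunk removes a copy of those constants that could silently diverge from the library, which is the right direction.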


@ -1,4 +1,6 @@
$KAME: question,v 1.27 2000/10/04 17:41:07 itojun Exp $
$KAME: question,v 1.28 2003/05/23 05:13:03 sakane Exp $
This was sent to Kivinen and Paul at 20-Sep-2000.
Q: how may policy matters are. can we interoperate ?


@ -1,4 +1,4 @@
/* $KAME: ipsec_doi.h,v 1.34 2001/08/16 06:20:35 itojun Exp $ */
/* $KAME: ipsec_doi.h,v 1.35 2003/06/27 07:32:38 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -198,7 +198,7 @@ extern const char *ipsecdoi_id2str __P((const vchar_t *));
extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *));
extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
extern int ipsecdoi_transportmode __P((struct ph2handle *));
extern int ipsecdoi_transportmode __P((struct saprop *));
extern int ipsecdoi_get_defaultlifetime __P((void));
extern int ipsecdoi_checkalgtypes __P((int, int, int, int));
extern int ipproto2doi __P((int));
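Review bot: The replaced prototype `extern int ipsecdoi_transportmode __P((struct saprop *));` takes a non-const pointer although every new caller visible in pfkey.c (`ipsecdoi_transportmode(pp)`, `ipsecdoi_transportmode(iph2->approval)`) only asks a question about the proposal. If the definition, which is outside this page, does not write through the pointer, `const struct saprop *` would document that and match the `const vchar_t *` style already used for ipsecdoi_id2str in the same header.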


@ -1,4 +1,4 @@
/* $KAME: isakmp_var.h,v 1.20 2001/12/12 15:29:14 sakane Exp $ */
/* $KAME: isakmp_var.h,v 1.21 2003/05/29 08:59:51 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -54,7 +54,8 @@ struct isakmp_pl_ke; /* XXX */
struct isakmp_pl_nonce; /* XXX */
extern int isakmp_handler __P((int));
extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr *));
extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr *,
struct sockaddr *));
extern vchar_t *isakmp_parsewoh __P((int, struct isakmp_gen *, int));
extern vchar_t *isakmp_parse __P((vchar_t *));


@ -1,4 +1,4 @@
/* $KAME: oakley.h,v 1.28 2001/12/12 18:23:42 sakane Exp $ */
/* $KAME: oakley.h,v 1.29 2003/06/27 12:02:41 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -46,9 +46,11 @@
#define OAKLEY_ATTR_HASH_ALG_MD5 1
#define OAKLEY_ATTR_HASH_ALG_SHA 2
#define OAKLEY_ATTR_HASH_ALG_TIGER 3
#if defined(WITH_SHA2)
#define OAKLEY_ATTR_HASH_ALG_SHA2_256 4
#define OAKLEY_ATTR_HASH_ALG_SHA2_384 5
#define OAKLEY_ATTR_HASH_ALG_SHA2_512 6
#endif
/* 65001 - 65535 Private Use */
#define OAKLEY_ATTR_AUTH_METHOD 3 /* B */
#define OAKLEY_ATTR_AUTH_METHOD_PSKEY 1
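Review bot: OAKLEY_ATTR_HASH_ALG_SHA2_256/384/512 are protocol attribute values that a peer can send regardless of how this build was configured, so putting them inside `#if defined(WITH_SHA2)` removes the names any code needs to recognise and cleanly reject an unsupported-but-valid proposal. Keep the three `#define`s unconditional, as the MD5/SHA/TIGER values above them are, and gate only the implementation (the eay_sha2_* declarations and the algorithm table) on WITH_SHA2. A one-line comment, `/* attribute values come from the protocol; WITH_SHA2 only controls whether they are implemented */`, would make that split explicit.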


@ -1,4 +1,4 @@
/* $KAME: pfkey.c,v 1.134 2002/06/04 05:20:27 itojun Exp $ */
/* $KAME: pfkey.c,v 1.138 2003/06/30 11:01:18 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -765,13 +765,30 @@ int
pk_sendgetspi(iph2)
struct ph2handle *iph2;
{
struct sockaddr *src = NULL, *dst = NULL;
u_int satype, mode;
struct saprop *pp;
struct saproto *pr;
int proxy = 0;
pp = iph2->side == INITIATOR
? iph2->proposal
: iph2->approval;
if (iph2->side == INITIATOR) {
pp = iph2->proposal;
proxy = iph2->ph1->rmconf->support_proxy;
} else {
pp = iph2->approval;
if (iph2->sainfo && iph2->sainfo->id_i)
proxy = 1;
}
/* for mobile IPv6 */
if (proxy && iph2->src_id && iph2->dst_id &&
ipsecdoi_transportmode(pp)) {
src = iph2->src_id;
dst = iph2->dst_id;
} else {
src = iph2->src;
dst = iph2->dst;
}
for (pr = pp->head; pr != NULL; pr = pr->next) {
@ -794,8 +811,8 @@ pk_sendgetspi(iph2)
lcconf->sock_pfkey,
satype,
mode,
iph2->dst, /* src of SA */
iph2->src, /* dst of SA */
dst, /* src of SA */
src, /* dst of SA */
0, 0, pr->reqid_in, iph2->seq) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"ipseclib failed send getspi (%s)\n",
@ -804,7 +821,7 @@ pk_sendgetspi(iph2)
}
plog(LLV_DEBUG, LOCATION, NULL,
"pfkey GETSPI sent: %s\n",
sadbsecas2str(iph2->dst, iph2->src, satype, 0, mode));
sadbsecas2str(dst, src, satype, 0, mode));
}
return 0;
@ -920,6 +937,7 @@ pk_sendupdate(iph2)
int e_type, e_keylen, a_type, a_keylen, flags;
u_int satype, mode;
u_int64_t lifebyte = 0;
int proxy = 0;
/* sanity check */
if (iph2->approval == NULL) {
@ -927,8 +945,14 @@ pk_sendupdate(iph2)
"no approvaled SAs found.\n");
}
if (iph2->side == INITIATOR)
proxy = iph2->ph1->rmconf->support_proxy;
else if (iph2->sainfo && iph2->sainfo->id_i)
proxy = 1;
/* for mobile IPv6 */
if (iph2->ph1->rmconf->support_mip6 && iph2->src_id && iph2->dst_id) {
if (proxy && iph2->src_id && iph2->dst_id &&
ipsecdoi_transportmode(iph2->approval)) {
src = iph2->src_id;
dst = iph2->dst_id;
} else {
@ -977,8 +1001,8 @@ pk_sendupdate(iph2)
lcconf->sock_pfkey,
satype,
mode,
iph2->dst,
iph2->src,
dst,
src,
pr->spi,
pr->reqid_in,
4, /* XXX static size of window */
@ -1001,7 +1025,7 @@ pk_sendupdate(iph2)
* But it is impossible because there is not key in the
* information from the kernel.
*/
if (backupsa_to_file(satype, mode, iph2->dst, iph2->src,
if (backupsa_to_file(satype, mode, dst, src,
pr->spi, pr->reqid_in, 4,
pr->keymat->v,
e_type, e_keylen, a_type, a_keylen, flags,
@ -1010,12 +1034,12 @@ pk_sendupdate(iph2)
iph2->seq) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"backuped SA failed: %s\n",
sadbsecas2str(iph2->dst, iph2->src,
sadbsecas2str(dst, src,
satype, pr->spi, mode));
}
plog(LLV_DEBUG, LOCATION, NULL,
"backuped SA: %s\n",
sadbsecas2str(iph2->dst, iph2->src,
sadbsecas2str(dst, src,
satype, pr->spi, mode));
}
@ -1136,6 +1160,10 @@ pk_recvupdate(mhp)
/* count up */
iph2->ph1->ph2cnt++;
/* turn off schedule */
if (iph2->scr)
SCHED_KILL(iph2->scr);
/*
* since we are going to reuse the phase2 handler, we need to
* remain it and refresh all the references between ph1 and ph2 to use.
@ -1161,6 +1189,7 @@ pk_sendadd(iph2)
int e_type, e_keylen, a_type, a_keylen, flags;
u_int satype, mode;
u_int64_t lifebyte = 0;
int proxy = 0;
/* sanity check */
if (iph2->approval == NULL) {
@ -1168,8 +1197,14 @@ pk_sendadd(iph2)
"no approvaled SAs found.\n");
}
if (iph2->side == INITIATOR)
proxy = iph2->ph1->rmconf->support_proxy;
else if (iph2->sainfo && iph2->sainfo->id_i)
proxy = 1;
/* for mobile IPv6 */
if (iph2->ph1->rmconf->support_mip6 && iph2->src_id && iph2->dst_id) {
if (proxy && iph2->src_id && iph2->dst_id &&
ipsecdoi_transportmode(iph2->approval)) {
src = iph2->src_id;
dst = iph2->dst_id;
} else {
@ -1218,8 +1253,8 @@ pk_sendadd(iph2)
lcconf->sock_pfkey,
satype,
mode,
iph2->src,
iph2->dst,
src,
dst,
pr->spi_p,
pr->reqid_out,
4, /* XXX static size of window */
@ -1242,7 +1277,7 @@ pk_sendadd(iph2)
* But it is impossible because there is not key in the
* information from the kernel.
*/
if (backupsa_to_file(satype, mode, iph2->src, iph2->dst,
if (backupsa_to_file(satype, mode, src, dst,
pr->spi_p, pr->reqid_out, 4,
pr->keymat_p->v,
e_type, e_keylen, a_type, a_keylen, flags,
@ -1251,12 +1286,12 @@ pk_sendadd(iph2)
iph2->seq) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"backuped SA failed: %s\n",
sadbsecas2str(iph2->src, iph2->dst,
sadbsecas2str(src, dst,
satype, pr->spi_p, mode));
}
plog(LLV_DEBUG, LOCATION, NULL,
"backuped SA: %s\n",
sadbsecas2str(iph2->src, iph2->dst,
sadbsecas2str(src, dst,
satype, pr->spi_p, mode));
}
@ -1468,7 +1503,7 @@ pk_recvacquire(mhp)
/* ignore if type is not IPSEC_POLICY_IPSEC */
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
plog(LLV_DEBUG, LOCATION, NULL,
"ignore SPDGET message. type is not IPsec.\n");
"ignore ACQUIRE message. type is not IPsec.\n");
return 0;
}
@ -1600,7 +1635,7 @@ pk_recvacquire(mhp)
delph2(iph2[n]);
return -1;
}
iph2[n]->sainfo = getsainfo(idsrc, iddst);
iph2[n]->sainfo = getsainfo(idsrc, iddst, NULL);
vfree(idsrc);
vfree(iddst);
if (iph2[n]->sainfo == NULL) {
@ -1880,12 +1915,44 @@ static int
pk_recvspdupdate(mhp)
caddr_t *mhp;
{
struct sadb_address *saddr, *daddr;
struct sadb_x_policy *xpl;
struct policyindex spidx;
struct secpolicy *sp;
/* sanity check */
if (mhp[0] == NULL) {
if (mhp[0] == NULL
|| mhp[SADB_EXT_ADDRESS_SRC] == NULL
|| mhp[SADB_EXT_ADDRESS_DST] == NULL
|| mhp[SADB_X_EXT_POLICY] == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"inappropriate sadb spdupdate message passed.\n");
return -1;
}
saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
saddr + 1,
daddr + 1,
saddr->sadb_address_prefixlen,
daddr->sadb_address_prefixlen,
saddr->sadb_address_proto,
&spidx);
sp = getsp(&spidx);
if (sp == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"such policy does not already exist: %s\n",
spidx2str(&spidx));
} else {
remsp(sp);
delsp(sp);
}
if (addnewsp(mhp) < 0)
return -1;
return 0;
}
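Review bot: In pk_recvspdupdate the existing policy is removed and freed (`remsp(sp); delsp(sp);`) before `addnewsp(mhp)` is attempted, so when addnewsp fails the function returns -1 with racoon holding no entry for an index the kernel still has a policy for; the old body, which only checked `mhp[0]`, had no such window. Either add the new entry first and drop the old one only on success (if addnewsp tolerates the overlap — its body is not on this page), or at least log what was lost on that path: `plog(LLV_ERROR, LOCATION, NULL, "spdupdate: replaced policy lost: %s\n", spidx2str(&spidx));` before the `return -1;`. The "such policy does not already exist" case is logged at LLV_ERROR although the function then proceeds normally, so LLV_WARNING would describe it better. The same `proxy` derivation from `iph2->side`, `support_proxy` and `sainfo->id_i` is now written out in pk_sendgetspi, pk_sendupdate and pk_sendadd; a small static helper would keep the three copies from drifting.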


@ -1,4 +1,4 @@
/* $KAME: remoteconf.c,v 1.29 2001/12/07 08:39:39 sakane Exp $ */
/* $KAME: remoteconf.c,v 1.30 2003/06/27 07:32:39 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -162,7 +162,7 @@ newrmconf()
new->getcert_method = ISAKMP_GETCERT_PAYLOAD;
new->send_cert = TRUE;
new->send_cr = TRUE;
new->support_mip6 = FALSE;
new->support_proxy = FALSE;
new->gen_policy = FALSE;
new->retry_counter = lcconf->retry_counter;
new->retry_interval = lcconf->retry_interval;


@ -1,4 +1,4 @@
/* $KAME: remoteconf.h,v 1.27 2001/12/07 08:39:39 sakane Exp $ */
/* $KAME: remoteconf.h,v 1.28 2003/06/27 07:32:39 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -65,7 +65,7 @@ struct remoteconf {
int nonce_size; /* the number of bytes of nonce */
int keepalive; /* XXX may not use */
int passive; /* never initiate */
int support_mip6; /* support mip6 */
int support_proxy; /* support mip6/proxy */
int gen_policy; /* generate policy if no policy found */
int ini_contact; /* initial contact */
int pcheck_level; /* level of propocl checking */


@ -1,4 +1,4 @@
/* $KAME: sainfo.c,v 1.15 2001/11/16 04:12:59 sakane Exp $ */
/* $KAME: sainfo.c,v 1.16 2003/06/27 07:32:39 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -70,15 +70,27 @@ static LIST_HEAD(_sitree, sainfo) sitree;
* no matching entry found and if there is anonymous entry, return it.
* else return NULL.
* XXX by each data type, should be changed to compare the buffer.
* First pass is for sainfo from a specified peer, second for others.
*/
struct sainfo *
getsainfo(src, dst)
const vchar_t *src, *dst;
getsainfo(src, dst, peer)
const vchar_t *src, *dst, *peer;
{
struct sainfo *s = NULL;
struct sainfo *anonymous = NULL;
int pass = 1;
if (peer == NULL)
pass = 2;
again:
LIST_FOREACH(s, &sitree, chain) {
if (s->id_i != NULL) {
if (pass == 2)
continue;
if (memcmp(peer->v, s->id_i->v, s->id_i->l) != 0)
continue;
} else if (pass == 1)
continue;
if (s->idsrc == NULL) {
anonymous = s;
continue;
@ -99,7 +111,11 @@ getsainfo(src, dst)
if (anonymous) {
plog(LLV_DEBUG, LOCATION, NULL,
"anonymous sainfo selected.\n");
} else if (pass == 1) {
pass = 2;
goto again;
}
return anonymous;
}
@ -112,7 +128,6 @@ newsainfo()
if (new == NULL)
return NULL;
new->idvtype = IDTYPE_ADDRESS;
new->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
new->lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX;
@ -214,11 +229,16 @@ sainfo2str(si)
static char buf[256];
if (si->idsrc == NULL)
return "anonymous";
snprintf(buf, sizeof(buf), "anonymous");
else {
snprintf(buf, sizeof(buf), "%s", ipsecdoi_id2str(si->idsrc));
snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
" %s", ipsecdoi_id2str(si->iddst));
}
if (si->id_i != NULL)
snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
" from %s", ipsecdoi_id2str(si->id_i));
return buf;
}
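Review bot: The new peer match in getsainfo, `memcmp(peer->v, s->id_i->v, s->id_i->l)`, compares only `s->id_i->l` bytes and never looks at `peer->l`: a peer identifier shorter than the configured one makes memcmp read past the end of `peer->v`, and a longer one whose prefix equals the configured identifier selects an entry meant for a different authorized initiator. Compare lengths first, `if (peer->l != s->id_i->l || memcmp(peer->v, s->id_i->v, peer->l) != 0) continue;`. The NULL contract the code implements (`if (peer == NULL) pass = 2;`, so only entries without `id_i` are considered) should be recorded in the function comment here and at the prototype in sainfo.h, e.g. `/* peer may be NULL: peer-specific entries are then skipped */`. The middle of getsainfo, between the two hunks, is outside this view.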


@ -1,4 +1,4 @@
/* $KAME: sainfo.h,v 1.7 2000/10/11 19:54:08 sakane Exp $ */
/* $KAME: sainfo.h,v 1.8 2003/06/27 07:32:39 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -44,8 +44,7 @@ struct sainfo {
time_t lifetime;
int lifebyte;
int pfs_group; /* only use when pfs is required. */
int idvtype; /* my identifier type */
vchar_t *idv; /* my identifier */
vchar_t *id_i; /* identifier of the authorized initiator */
struct sainfoalg *algs[MAXALGCLASS];
LIST_ENTRY(sainfo) chain;
@ -58,7 +57,8 @@ struct sainfoalg {
struct sainfoalg *next;
};
extern struct sainfo *getsainfo __P((const vchar_t *, const vchar_t *));
extern struct sainfo *getsainfo __P((const vchar_t *,
const vchar_t *, const vchar_t *));
extern struct sainfo *newsainfo __P((void));
extern void delsainfo __P((struct sainfo *));
extern void inssainfo __P((struct sainfo *));